epoll + dmabuf + close = Kernel BUG NULL pointer dereference

Joshua Ashton joshua at froggi.es
Fri Dec 1 21:46:23 UTC 2023 

Hello! I was rewriting the code in our compositor for Steam Deck, 
Gamescope, to use epoll for dmabuf image waits.

I found out that using epoll + dmabufs + close(...) while it is added to 
the epoll causes a NULL pointer dereference BUG in the kernel.

Using epoll_ctl with EPOLL_CTL_DEL before 'close' works fine, but 
close-ing the file descriptor to remove it from the epoll while 
epoll_wait results in the NULL pointer BUG.

I am currently on 6.5.9, but the same happens on 6.1.
I am also using AMDGPU.

Let me know I can get more info on the crash, it also should be easy to 
reproduce using Gamescope at this commit sha:

https://github.com/ValveSoftware/gamescope/commit/9a53b6eb37817ef403c89c104bcb73e617799114

Just run `gamescope -- glxgears` (probably only works properly on AMD, 
just a fyi). You should see either your system reboot or the BUG 
depending on your kernel build.

dmesg log:

[ 2829.171327] BUG: kernel NULL pointer dereference, address: 
0000000000000000
[ 2829.171332] #PF: supervisor read access in kernel mode
[ 2829.171333] #PF: error_code(0x0000) - not-present page
[ 2829.171334] PGD 0 P4D 0
[ 2829.171336] Oops: 0000 [#2] PREEMPT SMP NOPTI
[ 2829.171337] CPU: 11 PID: 14976 Comm: gamescope_img Tainted: G      D 
           6.5.9-273-tkg-linux-tkg #1 
1f8f4cb3cfc2d3f65b6974868e524278dc3e7e95
[ 2829.171339] Hardware name: Gigabyte Technology Co., Ltd. X670 AORUS 
ELITE AX/X670 AORUS ELITE AX, BIOS F7a 11/14/2022
[ 2829.171340] RIP: 0010:__ep_remove+0x8d/0x220
[ 2829.171344] Code: 8d 5e 10 48 89 df e8 f2 b8 a1 00 0f b6 45 3c 83 f0 
01 44 08 e8 0f 84 70 01 00 00 49 8b b6 d0 00 00 00 48 8b 45 50 48 8d 55 
50 <48> 39 16 0f 84 d6 00 00 00 48 8b 55 58 48 89 02 48 85 c0 74 04 48
[ 2829.171345] RSP: 0018:ffffaa25551cbe40 EFLAGS: 00010202
[ 2829.171346] RAX: 0000000000000000 RBX: ffff94b0094c3910 RCX: 
0000000000000000
[ 2829.171347] RDX: ffff94afe23e3f50 RSI: 0000000000000000 RDI: 
ffff94b0094c3910
[ 2829.171347] RBP: ffff94afe23e3f00 R08: ffff94ac88e85200 R09: 
0000000000000000
[ 2829.171348] R10: 0000000000000000 R11: 0000000000000000 R12: 
ffff94ac88e85200
[ 2829.171348] R13: 0000000000000001 R14: ffff94b0094c3900 R15: 
0000000000000000
[ 2829.171349] FS:  00007f1bc502a6c0(0000) GS:ffff94cb7dac0000(0000) 
knlGS:0000000000000000
[ 2829.171349] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2829.171350] CR2: 0000000000000000 CR3: 0000000451010000 CR4: 
0000000000750ee0
[ 2829.171350] PKRU: 55555554
[ 2829.171351] Call Trace:
[ 2829.171352]  <TASK>
[ 2829.171355]  ? __die+0x23/0x70
[ 2829.171358]  ? page_fault_oops+0x171/0x4e0
[ 2829.171361]  ? ep_poll_callback+0x246/0x290
[ 2829.171362]  ? exc_page_fault+0x7f/0x180
[ 2829.171364]  ? asm_exc_page_fault+0x26/0x30
[ 2829.171368]  ? __ep_remove+0x8d/0x220
[ 2829.171369]  eventpoll_release_file+0x5b/0xa0
[ 2829.171370]  __fput+0x223/0x290
[ 2829.171373]  task_work_run+0x5a/0x90
[ 2829.171375]  exit_to_user_mode_prepare+0x123/0x140
[ 2829.171378]  syscall_exit_to_user_mode+0x1b/0x40
[ 2829.171379]  do_syscall_64+0x6c/0x90
[ 2829.171381]  ? do_syscall_64+0x6c/0x90
[ 2829.171382]  ? do_syscall_64+0x6c/0x90
[ 2829.171383]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 2829.171384] RIP: 0033:0x7f1bc5841bf6
[ 2829.171406] Code: 10 89 7c 24 0c 89 4c 24 1c e8 96 81 f7 ff 44 8b 54 
24 1c 8b 54 24 18 41 89 c0 48 8b 74 24 10 8b 7c 24 0c b8 e8 00 00 00 0f 
05 <48> 3d 00 f0 ff ff 77 32 44 89 c7 89 44 24 0c e8 e6 81 f7 ff 8b 44
[ 2829.171407] RSP: 002b:00007f1bc5026a40 EFLAGS: 00000293 ORIG_RAX: 
00000000000000e8
[ 2829.171408] RAX: 0000000000000003 RBX: 000055e4732d55e0 RCX: 
00007f1bc5841bf6
[ 2829.171408] RDX: 0000000000000400 RSI: 00007f1bc5026aa0 RDI: 
0000000000000005
[ 2829.171408] RBP: 00007f1bc5029ab0 R08: 0000000000000000 R09: 
0000000000000000
[ 2829.171409] R10: 00000000ffffffff R11: 0000000000000293 R12: 
fffffffffffffd98
[ 2829.171409] R13: 0000000000000000 R14: 00007ffe4af5e240 R15: 
00007f1bc482a000
[ 2829.171410]  </TASK>
[ 2829.171411] Modules linked in: uinput nf_conntrack_netlink 
xt_addrtype br_netfilter rfcomm snd_seq_dummy snd_hrtimer snd_seq 
xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 
xt_tcpudp nft_compat nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 
nf_defrag_ipv4 bridge stp llc overlay cmac algif_hash algif_skcipher 
af_alg bnep nf_tables joydev mousedev btusb btrtl btbcm btintel btmtk 
bluetooth intel_rapl_msr intel_rapl_common ecdh_generic vfat fat amdgpu 
edac_mce_amd snd_hda_codec_realtek kvm_amd snd_hda_codec_generic 
ledtrig_audio kvm mt7921e snd_hda_codec_hdmi mt7921_common snd_usb_audio 
crct10dif_pclmul mt76_connac_lib snd_hda_intel crc32_pclmul amdxcp 
polyval_clmulni mt76 snd_usbmidi_lib snd_intel_dspcfg snd_ump drm_buddy 
snd_intel_sdw_acpi polyval_generic snd_rawmidi gf128mul snd_hda_codec 
gpu_sched ghash_clmulni_intel snd_seq_device mac80211 snd_hda_core 
i2c_algo_bit sha512_ssse3 mc drm_suballoc_helper snd_hwdep aesni_intel 
drm_ttm_helper snd_pcm r8169 ttm libarc4 ucsi_ccg crypto_simd snd_timer
[ 2829.171440]  drm_display_helper cryptd typec_ucsi realtek sp5100_tco 
mdio_devres cfg80211 usbhid cec rapl gigabyte_wmi wmi_bmof ccp snd typec 
pcspkr k10temp i2c_piix4 rfkill libphy roles video soundcore wmi 
gpio_amdpt gpio_generic mac_hid usbip_host usbip_core pkcs8_key_parser 
i2c_dev sg crypto_user dm_mod fuse loop nfnetlink ip_tables x_tables 
ext4 crc16 mbcache jbd2 nvme crc32c_intel nvme_core xhci_pci 
xhci_pci_renesas nvme_common vfio_pci vfio_pci_core irqbypass 
vfio_iommu_type1 vfio iommufd
[ 2829.171459] CR2: 0000000000000000
[ 2829.171460] ---[ end trace 0000000000000000 ]---
[ 2829.171461] RIP: 0010:__ep_remove+0x8d/0x220
[ 2829.171462] Code: 8d 5e 10 48 89 df e8 f2 b8 a1 00 0f b6 45 3c 83 f0 
01 44 08 e8 0f 84 70 01 00 00 49 8b b6 d0 00 00 00 48 8b 45 50 48 8d 55 
50 <48> 39 16 0f 84 d6 00 00 00 48 8b 55 58 48 89 02 48 85 c0 74 04 48
[ 2829.171463] RSP: 0018:ffffaa2552a9bdb8 EFLAGS: 00010202
[ 2829.171463] RAX: 0000000000000000 RBX: ffff94ae3702e610 RCX: 
0000000000000000
[ 2829.171464] RDX: ffff94aeda255850 RSI: 0000000000000000 RDI: 
ffff94ae3702e610
[ 2829.171464] RBP: ffff94aeda255800 R08: ffff94ae446e4240 R09: 
0000000000000000
[ 2829.171465] R10: 0000000000000000 R11: 0000000000000000 R12: 
ffff94ae446e4240
[ 2829.171465] R13: 0000000000000001 R14: ffff94ae3702e600 R15: 
0000000000000000
[ 2829.171466] FS:  00007f1bc502a6c0(0000) GS:ffff94cb7dac0000(0000) 
knlGS:0000000000000000
[ 2829.171466] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2829.171467] CR2: 0000000000000000 CR3: 0000000451010000 CR4: 
0000000000750ee0
[ 2829.171467] PKRU: 55555554
[ 2829.171467] note: gamescope_img[14976] exited with irqs disabled
[ 2829.171468] note: gamescope_img[14976] exited with preempt_count 1

Thanks!

- Joshie 🐸✨

More information about the dri-devel mailing list