BUG [vmwgfx] kernel oops atomic cursors / vmw_du_cursor_plane_cleanup_fb / KDE Plasma 6
Stefan Hoffmeister
stefan.hoffmeister at econos.de
Thu Dec 14 11:27:09 UTC 2023
Previously reported at
https://gitlab.freedesktop.org/drm/misc/-/issues/34 and
https://bugs.kde.org/show_bug.cgi?id=478308
vmwgfx runs into kernel oops related to atomic cursors with KDE Plasma
6. I am able to reproduce this with
* VMware Workstation 17.5 (on Windows 11 Professional) at CPL0
* install Fedora Rawhide (40) + KDE Plasma 6 beta 1 as offered by
Fedora (kernel 6.7.0-rc5 at the time of this writing)
* echo "KWIN_DRM_NO_AMS=0" >> /etc/environment to explicitly enable
use of atomic mode-setting from within KDE
* reboot
* log into a Wayland session
* use system (e.g. start Visual Studio Code, which is X11)
---> oops
Note that I am explicitly atomic mode-setting now, because in a few
weeks time DRM cursor plane hotspot improvements are supposed to be
released into kernel 6.8 - and then KDE Plasma 6 will automatically
switch to the atomic mode-setting code path.
Regardless of KDE does, the kernel should not oops.
Oops is
************
BUG: kernel NULL pointer dereference, address: 0000000000000028
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference
Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023
Workqueue: events_unbound commit_work
RIP: 0010:vmw_du_cursor_plane_cleanup_fb
(/usr/src/debug/kernel-6.7-rc4-111-g5e3f5b81de80/linux-6.7.0-0.rc4.20231208git5e3f5b81de80.38.fc40.x86_64/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c:649)
vmwgfx
Code: 00 00 00 00 00 00 48 8b 44 24 08 65 48 2b 04 25 28 00 00 00 75
29 48 83 c4 10 5b 5d 41 5c c3 cc cc cc cc 48 8b 86 98 00 00 00 <48> 8b
78 28 e8 0a f1 00 00 c6 83 c0 00 00 00 00 e9 d2 fe ff ff e8
All code
========
0: 00 00 add %al,(%rax)
2: 00 00 add %al,(%rax)
4: 00 00 add %al,(%rax)
6: 48 8b 44 24 08 mov 0x8(%rsp),%rax
b: 65 48 2b 04 25 28 00 sub %gs:0x28,%rax
12: 00 00
14: 75 29 jne 0x3f
16: 48 83 c4 10 add $0x10,%rsp
1a: 5b pop %rbx
1b: 5d pop %rbp
1c: 41 5c pop %r12
1e: c3 ret
1f: cc int3
20: cc int3
21: cc int3
22: cc int3
23: 48 8b 86 98 00 00 00 mov 0x98(%rsi),%rax
2a:* 48 8b 78 28 mov 0x28(%rax),%rdi <--
trapping instruction
2e: e8 0a f1 00 00 call 0xf13d
33: c6 83 c0 00 00 00 00 movb $0x0,0xc0(%rbx)
3a: e9 d2 fe ff ff jmp 0xffffffffffffff11
3f: e8 .byte 0xe8
Code starting with the faulting instruction
===========================================
0: 48 8b 78 28 mov 0x28(%rax),%rdi
4: e8 0a f1 00 00 call 0xf113
9: c6 83 c0 00 00 00 00 movb $0x0,0xc0(%rbx)
10: e9 d2 fe ff ff jmp 0xfffffffffffffee7
15: e8 .byte 0xe8
RSP: 0018:ffffc9000008be00 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff88818e889300 RCX: 0000000000000000
RDX: ffff888109c10000 RSI: ffff88818e889300 RDI: ffff888111974c38
RBP: ffff888111974c38 R08: ffff88812a668ae0 R09: 0000000000000040
R10: 000000000000000f R11: fefefefefefefeff R12: 0000000000000000
R13: 0000000000000000 R14: ffff8881001cc405 R15: ffff888106e1f4e0
FS: 0000000000000000(0000) GS:ffff88842dfc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000028 CR3: 00000001484c0005 CR4: 0000000000f70ef0
PKRU: 55555554
Call Trace:
<TASK>
? __die+0x23/0x70
? page_fault_oops+0x171/0x4e0
? wb_over_bg_thresh+0x283/0x2a0
? exc_page_fault+0x7f/0x180
? asm_exc_page_fault+0x26/0x30
? vmw_du_cursor_plane_cleanup_fb
(/usr/src/debug/kernel-6.7-rc4-111-g5e3f5b81de80/linux-6.7.0-0.rc4.20231208git5e3f5b81de80.38.fc40.x86_64/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c:649)
vmwgfx
drm_atomic_helper_cleanup_planes+0x9b/0xc0
commit_tail+0xd1/0x130
process_one_work+0x171/0x340
worker_thread+0x27b/0x3a0
? __pfx_worker_thread+0x10/0x10
kthread+0xe5/0x120
? __pfx_kthread+0x10/0x10
ret_from_fork+0x31/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>
Modules linked in: uinput snd_seq_dummy snd_hrtimer
nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet
nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4
nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack
nf_defrag_ipv6 nf_defrag_ipv4 rfkill ip_set nf_tables nfnetlink qrtr
snd_seq_midi snd_seq_midi_event sunrpc vsock_loopback
vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock
snd_ens1371 intel_rapl_msr snd_ac97_codec intel_rapl_common
snd_rawmidi vmw_balloon rapl gameport ac97_bus snd_seq snd_seq_device
snd_pcm vfat pcspkr snd_timer fat snd soundcore pktcdvd vmw_vmci
i2c_piix4 joydev loop zram crct10dif_pclmul crc32_pclmul crc32c_intel
polyval_clmulni polyval_generic ghash_clmulni_intel nvme vmwgfx
sha512_ssse3 sha256_ssse3 sha1_ssse3 nvme_core drm_ttm_helper ttm
vmxnet3 serio_raw ata_generic pata_acpi fuse
CR2: 0000000000000028
*****************
This maps to
***********
void
vmw_du_cursor_plane_cleanup_fb(struct drm_plane *plane,
struct drm_plane_state *old_state)
{
struct vmw_cursor_plane *vcp = vmw_plane_to_vcp(plane);
struct vmw_plane_state *vps = vmw_plane_state_to_vps(old_state);
bool is_iomem;
if (vps->surf_mapped) {
vmw_bo_unmap(vps->surf->res.guest_memory_bo); <------------------
affected line
vps->surf_mapped = false;
}
**************
Note that close to that oops there was also
**************
Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE)
Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) glamor0: GL
error: GL_OUT_OF_MEMORY in glTexSubImage
Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE)
Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) Backtrace:
Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 0:
/usr/bin/Xwayland (0x55befed80000+0x17a432) [0x55befeefa432]
Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 1:
/usr/lib64/dri/vmwgfx_dri.so (0x7f1d1a400000+0x36e0ef) [0x7f1d1a76e0ef]
Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 2:
/usr/lib64/dri/vmwgfx_dri.so (0x7f1d1a400000+0x1aff13) [0x7f1d1a5aff13]
Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 3:
/usr/lib64/dri/vmwgfx_dri.so (0x7f1d1a400000+0x1c2bf8) [0x7f1d1a5c2bf8]
Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 4:
/usr/lib64/dri/vmwgfx_dri.so (0x7f1d1a400000+0x1953ba) [0x7f1d1a5953ba]
Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 5:
/usr/lib64/dri/vmwgfx_dri.so (0x7f1d1a400000+0x198903) [0x7f1d1a598903]
Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 6:
/usr/lib64/dri/vmwgfx_dri.so (0x7f1d1a400000+0x19f1b9) [0x7f1d1a59f1b9]
Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 7:
/usr/bin/Xwayland (0x55befed80000+0x729f7) [0x55befedf29f7]
Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 8:
/usr/bin/Xwayland (0x55befed80000+0x6117a) [0x55befede117a]
Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 9:
/usr/bin/Xwayland (0x55befed80000+0x61911) [0x55befede1911]
Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 10:
/usr/bin/Xwayland (0x55befed80000+0x1b9ff5) [0x55befef39ff5]
Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 11:
/usr/bin/Xwayland (0x55befed80000+0x1ba748) [0x55befef3a748]
Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 12:
/usr/bin/Xwayland (0x55befed80000+0x5cb37) [0x55befeddcb37]
Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 13:
/usr/bin/Xwayland (0x55befed80000+0xff76b) [0x55befee7f76b]
Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 14:
/usr/bin/Xwayland (0x55befed80000+0x11b17a) [0x55befee9b17a]
Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 15:
/usr/bin/Xwayland (0x55befed80000+0xb5887) [0x55befee35887]
Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 16:
/usr/bin/Xwayland (0x55befed80000+0x3b840) [0x55befedbb840]
Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 17:
/lib64/libc.so.6 (0x7f1d2741d000+0x2814a) [0x7f1d2744514a]
Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 18:
/lib64/libc.so.6 (__libc_start_main+0x8b) [0x7f1d2744520b]
Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 19:
/usr/bin/Xwayland (0x55befed80000+0x3d255) [0x55befedbd255]
Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE)
*************
0x17a432 is
/usr/src/debug/xorg-x11-server-Xwayland-23.2.2-2.fc40.x86_64/redhat-linux-build/../os/backtrace.c:200:19
0x36e0ef is
/usr/src/debug/mesa-23.3.0-1.fc40.x86_64/redhat-linux-build/../src/mesa/main/errors.c:326:10
0x1aff13 is
/usr/src/debug/mesa-23.3.0-1.fc40.x86_64/redhat-linux-build/../src/mesa/main/texstore.c:1105:4
0x1c2bf8 is
/usr/src/debug/mesa-23.3.0-1.fc40.x86_64/redhat-linux-build/../src/mesa/state_tracker/st_cb_texture.c:2342:4
0x1953ba is
/usr/src/debug/mesa-23.3.0-1.fc40.x86_64/redhat-linux-build/../src/mesa/main/teximage.c:2893:7
0x198903 is
/usr/src/debug/mesa-23.3.0-1.fc40.x86_64/redhat-linux-build/../src/mesa/main/teximage.c:3829:4
0x19f1b9 is
/usr/src/debug/mesa-23.3.0-1.fc40.x86_64/redhat-linux-build/../src/mesa/main/teximage.c:4055:1
0x729f7 is
/usr/src/debug/xorg-x11-server-Xwayland-23.2.2-2.fc40.x86_64/redhat-linux-build/../glamor/glamor_transfer.c:97:17
0x6117a is
/usr/src/debug/xorg-x11-server-Xwayland-23.2.2-2.fc40.x86_64/redhat-linux-build/../glamor/glamor_copy.c:269:9
0x61911 is
/usr/src/debug/xorg-x11-server-Xwayland-23.2.2-2.fc40.x86_64/redhat-linux-build/../glamor/glamor_copy.c:741:8
0x1b9ff5 is
/usr/src/debug/xorg-x11-server-Xwayland-23.2.2-2.fc40.x86_64/redhat-linux-build/../mi/micopy.c:126:5
0x1ba748 is
/usr/src/debug/xorg-x11-server-Xwayland-23.2.2-2.fc40.x86_64/redhat-linux-build/../mi/micopy.c:294:9
0x5cb37 is
/usr/src/debug/xorg-x11-server-Xwayland-23.2.2-2.fc40.x86_64/redhat-linux-build/../glamor/glamor_copy.c:753:1
0xff76b is
/usr/src/debug/xorg-x11-server-Xwayland-23.2.2-2.fc40.x86_64/redhat-linux-build/../miext/damage/damage.c:777:5
0x11b17a is
/usr/src/debug/xorg-x11-server-Xwayland-23.2.2-2.fc40.x86_64/redhat-linux-build/../dix/pixmap.c:76:19
0xb5887 is
/usr/src/debug/xorg-x11-server-Xwayland-23.2.2-2.fc40.x86_64/redhat-linux-build/../dix/dispatch.c:550:20
0x3b840 is
/usr/src/debug/xorg-x11-server-Xwayland-23.2.2-2.fc40.x86_64/redhat-linux-build/../dix/devices.c:1124:14
0x2814a is
/usr/src/debug/glibc-2.38.9000-26.fc40.x86_64/csu/../sysdeps/nptl/libc_start_call_main.h:74:3
0x3d255 is ??:0
**********
All this is getting spammed very regularly on KDE Wayland when
interacting with an Xwayland window (above, that is Visual Studio
Code, which is running as an X11 application).
More information about the dri-devel
mailing list