BUG [vmwgfx] kernel oops atomic cursors / vmw_du_cursor_plane_cleanup_fb / KDE Plasma 6
Stefan Hoffmeister
stefan.hoffmeister at econos.de
Tue Dec 19 15:42:12 UTC 2023
Resending with all MAINTAINERS cc'ed because no ACK.
Quoting Stefan Hoffmeister <stefan.hoffmeister at econos.de>:
> Previously reported at
> https://gitlab.freedesktop.org/drm/misc/-/issues/34 and
> https://bugs.kde.org/show_bug.cgi?id=478308
>
> vmwgfx runs into kernel oops related to atomic cursors with KDE
> Plasma 6. I am able to reproduce this with
>
> * VMware Workstation 17.5 (on Windows 11 Professional) at CPL0
> * install Fedora Rawhide (40) + KDE Plasma 6 beta 1 as offered by
> Fedora (kernel 6.7.0-rc5 at the time of this writing)
> * echo "KWIN_DRM_NO_AMS=0" >> /etc/environment to explicitly enable
> use of atomic mode-setting from within KDE
> * reboot
> * log into a Wayland session
> * use system (e.g. start Visual Studio Code, which is X11)
>
> ---> oops
>
> Note that I am explicitly enabling atomic mode-setting now, because in a few
> weeks time DRM cursor plane hotspot improvements are supposed to be
> released into kernel 6.8 - and then KDE Plasma 6 will automatically
> switch to the atomic mode-setting code path.
>
> Regardless of what KDE does, the kernel should not oops.
>
> Oops is
> ************
> BUG: kernel NULL pointer dereference, address: 0000000000000028
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 0 P4D 0
> Oops: 0000 [#1] PREEMPT SMP NOPTI
> Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference
> Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023
> Workqueue: events_unbound commit_work
> RIP: 0010:vmw_du_cursor_plane_cleanup_fb
> (/usr/src/debug/kernel-6.7-rc4-111-g5e3f5b81de80/linux-6.7.0-0.rc4.20231208git5e3f5b81de80.38.fc40.x86_64/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c:649)
> vmwgfx
> Code: 00 00 00 00 00 00 48 8b 44 24 08 65 48 2b 04 25 28 00 00 00 75
> 29 48 83 c4 10 5b 5d 41 5c c3 cc cc cc cc 48 8b 86 98 00 00 00 <48>
> 8b 78 28 e8 0a f1 00 00 c6 83 c0 00 00 00 00 e9 d2 fe ff ff e8
> All code
> ========
> 0: 00 00 add %al,(%rax)
> 2: 00 00 add %al,(%rax)
> 4: 00 00 add %al,(%rax)
> 6: 48 8b 44 24 08 mov 0x8(%rsp),%rax
> b: 65 48 2b 04 25 28 00 sub %gs:0x28,%rax
> 12: 00 00
> 14: 75 29 jne 0x3f
> 16: 48 83 c4 10 add $0x10,%rsp
> 1a: 5b pop %rbx
> 1b: 5d pop %rbp
> 1c: 41 5c pop %r12
> 1e: c3 ret
> 1f: cc int3
> 20: cc int3
> 21: cc int3
> 22: cc int3
> 23: 48 8b 86 98 00 00 00 mov 0x98(%rsi),%rax
> 2a:* 48 8b 78 28 mov 0x28(%rax),%rdi <--
> trapping instruction
> 2e: e8 0a f1 00 00 call 0xf13d
> 33: c6 83 c0 00 00 00 00 movb $0x0,0xc0(%rbx)
> 3a: e9 d2 fe ff ff jmp 0xffffffffffffff11
> 3f: e8 .byte 0xe8
>
> Code starting with the faulting instruction
> ===========================================
> 0: 48 8b 78 28 mov 0x28(%rax),%rdi
> 4: e8 0a f1 00 00 call 0xf113
> 9: c6 83 c0 00 00 00 00 movb $0x0,0xc0(%rbx)
> 10: e9 d2 fe ff ff jmp 0xfffffffffffffee7
> 15: e8 .byte 0xe8
> RSP: 0018:ffffc9000008be00 EFLAGS: 00010202
> RAX: 0000000000000000 RBX: ffff88818e889300 RCX: 0000000000000000
> RDX: ffff888109c10000 RSI: ffff88818e889300 RDI: ffff888111974c38
> RBP: ffff888111974c38 R08: ffff88812a668ae0 R09: 0000000000000040
> R10: 000000000000000f R11: fefefefefefefeff R12: 0000000000000000
> R13: 0000000000000000 R14: ffff8881001cc405 R15: ffff888106e1f4e0
> FS: 0000000000000000(0000) GS:ffff88842dfc0000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000028 CR3: 00000001484c0005 CR4: 0000000000f70ef0
> PKRU: 55555554
> Call Trace:
> <TASK>
> ? __die+0x23/0x70
> ? page_fault_oops+0x171/0x4e0
> ? wb_over_bg_thresh+0x283/0x2a0
> ? exc_page_fault+0x7f/0x180
> ? asm_exc_page_fault+0x26/0x30
> ? vmw_du_cursor_plane_cleanup_fb
> (/usr/src/debug/kernel-6.7-rc4-111-g5e3f5b81de80/linux-6.7.0-0.rc4.20231208git5e3f5b81de80.38.fc40.x86_64/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c:649)
> vmwgfx
> drm_atomic_helper_cleanup_planes+0x9b/0xc0
> commit_tail+0xd1/0x130
> process_one_work+0x171/0x340
> worker_thread+0x27b/0x3a0
> ? __pfx_worker_thread+0x10/0x10
> kthread+0xe5/0x120
> ? __pfx_kthread+0x10/0x10
> ret_from_fork+0x31/0x50
> ? __pfx_kthread+0x10/0x10
> ret_from_fork_asm+0x1b/0x30
> </TASK>
> Modules linked in: uinput snd_seq_dummy snd_hrtimer
> nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet
> nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4
> nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack
> nf_defrag_ipv6 nf_defrag_ipv4 rfkill ip_set nf_tables nfnetlink qrtr
> snd_seq_midi snd_seq_midi_event sunrpc vsock_loopback
> vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock
> snd_ens1371 intel_rapl_msr snd_ac97_codec intel_rapl_common
> snd_rawmidi vmw_balloon rapl gameport ac97_bus snd_seq
> snd_seq_device snd_pcm vfat pcspkr snd_timer fat snd soundcore
> pktcdvd vmw_vmci i2c_piix4 joydev loop zram crct10dif_pclmul
> crc32_pclmul crc32c_intel polyval_clmulni polyval_generic
> ghash_clmulni_intel nvme vmwgfx sha512_ssse3 sha256_ssse3 sha1_ssse3
> nvme_core drm_ttm_helper ttm vmxnet3 serio_raw ata_generic pata_acpi
> fuse
> CR2: 0000000000000028
>
> *****************
>
> This maps to
> ***********
> void
> vmw_du_cursor_plane_cleanup_fb(struct drm_plane *plane,
>                                struct drm_plane_state *old_state)
> {
>         struct vmw_cursor_plane *vcp = vmw_plane_to_vcp(plane);
>         struct vmw_plane_state *vps = vmw_plane_state_to_vps(old_state);
>         bool is_iomem;
>
>         if (vps->surf_mapped) {
>                 vmw_bo_unmap(vps->surf->res.guest_memory_bo);   <------------------ affected line
>                 vps->surf_mapped = false;
>         }
>
> **************
>
> Note that close to that oops there was also
>
>
> **************
> Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE)
> Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) glamor0: GL
> error: GL_OUT_OF_MEMORY in glTexSubImage
> Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE)
> Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) Backtrace:
> Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 0:
> /usr/bin/Xwayland (0x55befed80000+0x17a432) [0x55befeefa432]
> Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 1:
> /usr/lib64/dri/vmwgfx_dri.so (0x7f1d1a400000+0x36e0ef)
> [0x7f1d1a76e0ef]
> Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 2:
> /usr/lib64/dri/vmwgfx_dri.so (0x7f1d1a400000+0x1aff13)
> [0x7f1d1a5aff13]
> Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 3:
> /usr/lib64/dri/vmwgfx_dri.so (0x7f1d1a400000+0x1c2bf8)
> [0x7f1d1a5c2bf8]
> Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 4:
> /usr/lib64/dri/vmwgfx_dri.so (0x7f1d1a400000+0x1953ba)
> [0x7f1d1a5953ba]
> Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 5:
> /usr/lib64/dri/vmwgfx_dri.so (0x7f1d1a400000+0x198903)
> [0x7f1d1a598903]
> Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 6:
> /usr/lib64/dri/vmwgfx_dri.so (0x7f1d1a400000+0x19f1b9)
> [0x7f1d1a59f1b9]
> Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 7:
> /usr/bin/Xwayland (0x55befed80000+0x729f7) [0x55befedf29f7]
> Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 8:
> /usr/bin/Xwayland (0x55befed80000+0x6117a) [0x55befede117a]
> Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 9:
> /usr/bin/Xwayland (0x55befed80000+0x61911) [0x55befede1911]
> Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 10:
> /usr/bin/Xwayland (0x55befed80000+0x1b9ff5) [0x55befef39ff5]
> Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 11:
> /usr/bin/Xwayland (0x55befed80000+0x1ba748) [0x55befef3a748]
> Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 12:
> /usr/bin/Xwayland (0x55befed80000+0x5cb37) [0x55befeddcb37]
> Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 13:
> /usr/bin/Xwayland (0x55befed80000+0xff76b) [0x55befee7f76b]
> Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 14:
> /usr/bin/Xwayland (0x55befed80000+0x11b17a) [0x55befee9b17a]
> Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 15:
> /usr/bin/Xwayland (0x55befed80000+0xb5887) [0x55befee35887]
> Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 16:
> /usr/bin/Xwayland (0x55befed80000+0x3b840) [0x55befedbb840]
> Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 17:
> /lib64/libc.so.6 (0x7f1d2741d000+0x2814a) [0x7f1d2744514a]
> Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 18:
> /lib64/libc.so.6 (__libc_start_main+0x8b) [0x7f1d2744520b]
> Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE) 19:
> /usr/bin/Xwayland (0x55befed80000+0x3d255) [0x55befedbd255]
> Dec 12 12:34:58 fedora kwin_wayland_wrapper[1716]: (EE)
> *************
> 0x17a432 is
> /usr/src/debug/xorg-x11-server-Xwayland-23.2.2-2.fc40.x86_64/redhat-linux-build/../os/backtrace.c:200:19
> 0x36e0ef is
> /usr/src/debug/mesa-23.3.0-1.fc40.x86_64/redhat-linux-build/../src/mesa/main/errors.c:326:10
> 0x1aff13 is
> /usr/src/debug/mesa-23.3.0-1.fc40.x86_64/redhat-linux-build/../src/mesa/main/texstore.c:1105:4
> 0x1c2bf8 is
> /usr/src/debug/mesa-23.3.0-1.fc40.x86_64/redhat-linux-build/../src/mesa/state_tracker/st_cb_texture.c:2342:4
> 0x1953ba is
> /usr/src/debug/mesa-23.3.0-1.fc40.x86_64/redhat-linux-build/../src/mesa/main/teximage.c:2893:7
> 0x198903 is
> /usr/src/debug/mesa-23.3.0-1.fc40.x86_64/redhat-linux-build/../src/mesa/main/teximage.c:3829:4
> 0x19f1b9 is
> /usr/src/debug/mesa-23.3.0-1.fc40.x86_64/redhat-linux-build/../src/mesa/main/teximage.c:4055:1
> 0x729f7 is
> /usr/src/debug/xorg-x11-server-Xwayland-23.2.2-2.fc40.x86_64/redhat-linux-build/../glamor/glamor_transfer.c:97:17
> 0x6117a is
> /usr/src/debug/xorg-x11-server-Xwayland-23.2.2-2.fc40.x86_64/redhat-linux-build/../glamor/glamor_copy.c:269:9
> 0x61911 is
> /usr/src/debug/xorg-x11-server-Xwayland-23.2.2-2.fc40.x86_64/redhat-linux-build/../glamor/glamor_copy.c:741:8
> 0x1b9ff5 is
> /usr/src/debug/xorg-x11-server-Xwayland-23.2.2-2.fc40.x86_64/redhat-linux-build/../mi/micopy.c:126:5
> 0x1ba748 is
> /usr/src/debug/xorg-x11-server-Xwayland-23.2.2-2.fc40.x86_64/redhat-linux-build/../mi/micopy.c:294:9
> 0x5cb37 is
> /usr/src/debug/xorg-x11-server-Xwayland-23.2.2-2.fc40.x86_64/redhat-linux-build/../glamor/glamor_copy.c:753:1
> 0xff76b is
> /usr/src/debug/xorg-x11-server-Xwayland-23.2.2-2.fc40.x86_64/redhat-linux-build/../miext/damage/damage.c:777:5
> 0x11b17a is
> /usr/src/debug/xorg-x11-server-Xwayland-23.2.2-2.fc40.x86_64/redhat-linux-build/../dix/pixmap.c:76:19
> 0xb5887 is
> /usr/src/debug/xorg-x11-server-Xwayland-23.2.2-2.fc40.x86_64/redhat-linux-build/../dix/dispatch.c:550:20
> 0x3b840 is
> /usr/src/debug/xorg-x11-server-Xwayland-23.2.2-2.fc40.x86_64/redhat-linux-build/../dix/devices.c:1124:14
> 0x2814a is
> /usr/src/debug/glibc-2.38.9000-26.fc40.x86_64/csu/../sysdeps/nptl/libc_start_call_main.h:74:3
> 0x3d255 is ??:0
> **********
>
> All this is getting spammed very regularly on KDE Wayland when
> interacting with an Xwayland window (above, that is Visual Studio
> Code, which is running as an X11 application).
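As an added example (not the vmwgfx driver's code; the structs and helper names are hypothetical stand-ins), a small C model of the cleanup path quoted above. It reproduces the state the oops registers show (surf_mapped set while surf is NULL: RAX = 0, CR2 = 0x28, and the model places guest_memory_bo at offset 0x28 to match) and shows a guarded cleanup that clears the stale flag and reports it instead of dereferencing NULL.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins, not the vmwgfx structs: guest_memory_bo is put at
 * offset 0x28 so the model matches the oops (CR2 = 0x28, RAX = 0, i.e. a
 * load of 0x28(%rax) through a NULL surf pointer). */
struct bo { bool mapped; };
struct res { char pad[0x28]; struct bo *guest_memory_bo; };
struct surface { struct res res; };
struct plane_state {
	struct surface *surf;  /* NULL once the state has been torn down */
	bool surf_mapped;      /* must not be true while surf is NULL    */
};

static void bo_unmap(struct bo *b) { b->mapped = false; }

/* Offset the trapping instruction reads from when surf is NULL. */
size_t faulting_offset(void) { return offsetof(struct surface, res.guest_memory_bo); }

/* The state visible in the oops: a stale mapped flag beside a NULL surf. */
bool state_is_inconsistent(const struct plane_state *vps)
{
	return vps->surf_mapped && vps->surf == NULL;
}

/* Guarded form of the cleanup path in the report: 0 on the normal path,
 * -1 when a stale flag was found (flag cleared, nothing dereferenced). */
int cleanup_fb_guarded(struct plane_state *vps)
{
	if (!vps->surf_mapped)
		return 0;
	if (!vps->surf) {
		vps->surf_mapped = false;
		return -1;
	}
	bo_unmap(vps->surf->res.guest_memory_bo);
	vps->surf_mapped = false;
	return 0;
}

int main(void)
{
	struct bo bo = { .mapped = true };                     /* constructed */
	struct surface surf = { .res.guest_memory_bo = &bo };
	struct plane_state ok = { &surf, true }, stale = { NULL, true };
	printf("fault offset 0x%zx\n", faulting_offset());
	printf("ok=%d stale=%d\n", cleanup_fb_guarded(&ok), cleanup_fb_guarded(&stale));
	return 0;
}
```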