[Bug 111381] [CI][DRMTIP] igt@sw_sync@sync_multi_producer_single_consumer - incomplete - BUG: kernel NULL pointer dereference, address: 0000000000000000

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Mon Aug 12 14:27:32 UTC 2019


https://bugs.freedesktop.org/show_bug.cgi?id=111381

--- Comment #2 from Chris Wilson <chris at chris-wilson.co.uk> ---
dma_fence_signal_locked+0x3e

int dma_fence_signal_locked(struct dma_fence *fence)
{
        struct dma_fence_cb *cur, *tmp;
        int ret = 0;

        lockdep_assert_held(fence->lock);

        if (WARN_ON(!fence))
                return -EINVAL;

        if (test_and_set_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags)) {
                ret = -EINVAL;

                /*
                 * we might have raced with the unlocked dma_fence_signal,
                 * still run through all callbacks
                 */
        } else {
                fence->timestamp = ktime_get();
                set_bit(DMA_FENCE_FLAG_TIMESTAMP_BIT, &fence->flags);
                trace_dma_fence_signaled(fence);
        }

        list_for_each_entry_safe(cur, tmp, &fence->cb_list, node) {
                list_del_init(&cur->node);
                cur->func(fence, cur);
        }
        return ret;
}

Doesn't make much sense to have a NULL later in the function; except at say the
fence->cb_list. However, my kernel puts 0x3e at the test_and_set_bit().

Sensible guess would be either an element was freed from the cb_list.
