[Bug 111559] [CI][DRMTIP] igt at gem_eio@in-flight-suspend - crash - Received signal SIGSEGV

bugzilla-daemon at freedesktop.org
Thu Sep 5 11:52:55 UTC 2019


https://bugs.freedesktop.org/show_bug.cgi?id=111559

--- Comment #2 from Chris Wilson <chris at chris-wilson.co.uk> ---
Seems quite bizarre. igt_spin_free has the obligatory if (!spin) return guard,
and 0x66 does imply we got into the function before dying. On a local build,
gdb suggests 0x66 is 

(gdb) list *igt_spin_free+0x66
0x23a66 is in igt_spin_free (igt_dummyload.c:448).
443     
444             igt_spin_end(spin);
445             gem_munmap((void *)((unsigned long)spin->condition & (~4095UL)),
446                        BATCH_SIZE);
447     
448             if (spin->poll) {
449                     gem_munmap(spin->poll, 4096);
450                     gem_close(fd, spin->poll_handle);
451             }
452

spin is not NULL, so the suggestion is either spin->condition led to a SIGSEGV
in gem_munmap() (unlikely, it should return -EFAULT if broken) or spin->poll is
garbage. But igt_spin_t is calloc... And spin->poll is never assigned to again.

I don't see this as being an i915.ko bug, and I haven't spotted a potential
issue here, my worries turn towards random memcorruption. Hopefully a second
look can find a way igt_spin_t can be corrupt.
