[Intel-xe] [PATCH 27/37] drm/xe: Ensure VMA not userptr before calling xe_bo_is_stolen

Rodrigo Vivi rodrigo.vivi at intel.com
Fri Feb 3 19:56:08 UTC 2023 

On Thu, Jan 12, 2023 at 05:25:28PM -0500, Rodrigo Vivi wrote:
> From: Matthew Brost <matthew.brost at intel.com>
> 
> Fix the below splat:
> 
> [  142.510525] [IGT] xe_exec_basic: starting subtest once-userptr
> [  142.511339] BUG: kernel NULL pointer dereference, address: 0000000000000228
> [  142.518311] #PF: supervisor read access in kernel mode
> [  142.523458] #PF: error_code(0x0000) - not-present page
> [  142.528604] PGD 0 P4D 0
> [  142.531153] Oops: 0000 [#1] PREEMPT SMP NOPTI
> [  142.535518] CPU: 4 PID: 1199 Comm: kworker/u16:8 Not tainted 6.1.0-rc1-xe+ #1
> [  142.542656] Hardware name: Intel Corporation Tiger Lake Client Platform/TigerLake U DDR4 SODIMM RVP, BIOS TGLSFWI1.R00.3243.A01.2006102133 06/10/2020
> [  142.556033] Workqueue: events_unbound async_op_work_func [xe]
> [  142.561810] RIP: 0010:xe_bo_is_stolen+0x0/0x20 [xe]
> [  142.566709] Code: 20 c8 75 05 83 fa 07 74 05 c3 cc cc cc cc 48 8b 87 08 02 00 00 0f b6 80 2c ff ff ff c3 cc cc cc cc 66 0f 1f 84 00 00 00 00 00 <48> 8b 87 28 02 00 00 83 78 10 07 0f 94 c0 c3 cc cc cc cc 66 66 2e
> [  142.585447] RSP: 0018:ffffc900019eb888 EFLAGS: 00010246
> [  142.590678] RAX: 0000000000000002 RBX: 0000000000000000 RCX: ffff88813f6a2108
> [  142.597821] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
> [  142.604962] RBP: ffffc900019ebbc0 R08: 0000000000000001 R09: 0000000000000000
> [  142.612101] R10: 0000000000000001 R11: 0000000000000001 R12: ffff88814107d600
> [  142.619242] R13: ffffc900019eba20 R14: ffff888140442000 R15: 0000000000000000
> [  142.626378] FS:  0000000000000000(0000) GS:ffff88849fa00000(0000) knlGS:0000000000000000
> [  142.634468] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  142.640219] CR2: 0000000000000228 CR3: 000000010a4c0006 CR4: 0000000000770ee0
> [  142.647361] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [  142.654505] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [  142.661639] PKRU: 55555554
> [  142.664367] Call Trace:
> [  142.666830]  <TASK>
> [  142.668947]  __xe_pt_bind_vma+0x1a1/0xa50 [xe]
> [  142.673417]  ? unwind_next_frame+0x187/0x770
> [  142.677699]  ? __thaw_task+0xc0/0xc0
> [  142.681293]  ? __lock_acquire+0x5e4/0x26e0
> [  142.685409]  ? lockdep_hardirqs_on+0xbf/0x140
> [  142.689779]  ? lock_acquire+0xd2/0x310
> [  142.693548]  ? mark_held_locks+0x49/0x80
> [  142.697485]  ? xe_vm_bind_vma+0xf1/0x3d0 [xe]
> [  142.701866]  xe_vm_bind_vma+0xf1/0x3d0 [xe]
> [  142.706082]  xe_vm_bind+0x76/0x140 [xe]
> [  142.709944]  vm_bind_ioctl+0x26f/0xb40 [xe]
> [  142.714161]  ? async_op_work_func+0x20c/0x450 [xe]
> [  142.718974]  async_op_work_func+0x20c/0x450 [xe]
> [  142.723620]  process_one_work+0x263/0x580
> [  142.727645]  ? process_one_work+0x580/0x580
> [  142.731839]  worker_thread+0x4d/0x3b0
> [  142.735518]  ? process_one_work+0x580/0x580
> [  142.739714]  kthread+0xeb/0x120
> [  142.742872]  ? kthread_complete_and_exit+0x20/0x20
> [  142.747671]  ret_from_fork+0x1f/0x30
> [  142.751264]  </TASK>
> 
> Signed-off-by: Matthew Brost <matthew.brost at intel.com>
> Signed-off-by: Rodrigo Vivi <rodrigo.vivi at intel.com>

Reviewed-by: Rodrigo Vivi <rodrigo.vivi at intel.com>

> ---
>  drivers/gpu/drm/xe/xe_pt.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/xe/xe_pt.c b/drivers/gpu/drm/xe/xe_pt.c
> index c8b3b1975098..9e07ad41a007 100644
> --- a/drivers/gpu/drm/xe/xe_pt.c
> +++ b/drivers/gpu/drm/xe/xe_pt.c
> @@ -758,7 +758,7 @@ xe_pt_stage_bind(struct xe_gt *gt, struct xe_vma *vma,
>  		else
>  			xe_walk.cache = XE_CACHE_WB;
>  	}
> -	if (xe_bo_is_stolen(bo))
> +	if (!xe_vma_is_userptr(vma) && xe_bo_is_stolen(bo))
>  		xe_walk.dma_offset = xe_ttm_stolen_gpu_offset(xe_bo_device(bo));
>  
>  	xe_bo_assert_held(bo);
> -- 
> 2.38.1
>

More information about the Intel-xe mailing list