| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 18 May 2017 17:40:51 -0300
From: Gabriel Krisman Bertazi <krisman@...labora.co.uk>
To: Mike Galbraith <efault@....de>
Cc: LKML <linux-kernel@...r.kernel.org>,
Dave Airlie <airlied@...hat.com>,
Gerd Hoffmann <kraxel@...hat.com>,
dri-devel@...ts.freedesktop.org
Subject: Re: [drm:qxl] BUG: sleeping function called from invalid context - qxl_bo_kmap_atomic_page()...splat
Mike Galbraith <efault@....de> writes:
> On Mon, 2017-05-08 at 16:48 -0300, Gabriel Krisman Bertazi wrote:
>
>> Thanks for reporting this. Can you confirm the following patch prevents
>> the issue?
>
> Nope, it still gripes.
Oops... Thanks for checking. The following patch fixes the issue for
me. Can you please test that one?
>8
Subject: [PATCH] drm: qxl: Delay entering atomic context during cursor update
qxl_release_map will enter an atomic context, but since we still need to
alloc memory for BOs, we better delay that until we have everything we
need, in case we need to sleep inside the allocation. This avoids the
Sleep in atomic state below, which was reported by Mike.
[ 43.910362] BUG: sleeping function called from invalid context at mm/slab.h:432
[ 43.910955] in_atomic(): 1, irqs_disabled(): 0, pid: 2077, name: Xorg
[ 43.911472] Preemption disabled at:
[ 43.911478] [<ffffffffa02b1c45>] qxl_bo_kmap_atomic_page+0xa5/0x100 [qxl]
[ 43.912103] CPU: 0 PID: 2077 Comm: Xorg Tainted: G E 4.12.0-master #38
[ 43.912550] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.8.1-0-g4adadbd-20161202_174313-build11a 04/01/2014
[ 43.913202] Call Trace:
[ 43.913371] dump_stack+0x65/0x89
[ 43.913581] ? qxl_bo_kmap_atomic_page+0xa5/0x100 [qxl]
[ 43.913876] ___might_sleep+0x11a/0x190
[ 43.914095] __might_sleep+0x4a/0x80
[ 43.914319] ? qxl_bo_create+0x50/0x190 [qxl]
[ 43.914565] kmem_cache_alloc_trace+0x46/0x180
[ 43.914836] qxl_bo_create+0x50/0x190 [qxl]
[ 43.915082] ? refcount_dec_and_test+0x11/0x20
[ 43.915332] ? ttm_mem_io_reserve+0x41/0xe0 [ttm]
[ 43.915595] qxl_alloc_bo_reserved+0x37/0xb0 [qxl]
[ 43.915884] qxl_cursor_atomic_update+0x8f/0x260 [qxl]
[ 43.916172] ? drm_atomic_helper_update_legacy_modeset_state+0x1d6/0x210 [drm_kms_helper]
[ 43.916623] drm_atomic_helper_commit_planes+0xec/0x230 [drm_kms_helper]
[ 43.916995] drm_atomic_helper_commit_tail+0x2b/0x60 [drm_kms_helper]
[ 43.917398] commit_tail+0x65/0x70 [drm_kms_helper]
[ 43.917693] drm_atomic_helper_commit+0xa9/0x100 [drm_kms_helper]
[ 43.918039] drm_atomic_commit+0x4b/0x50 [drm]
[ 43.918334] drm_atomic_helper_update_plane+0xf1/0x110 [drm_kms_helper]
[ 43.918902] __setplane_internal+0x19f/0x280 [drm]
[ 43.919240] drm_mode_cursor_universal+0x101/0x1c0 [drm]
[ 43.919541] drm_mode_cursor_common+0x15b/0x1d0 [drm]
[ 43.919858] drm_mode_cursor2_ioctl+0xe/0x10 [drm]
[ 43.920157] drm_ioctl+0x211/0x460 [drm]
[ 43.920383] ? drm_mode_cursor_ioctl+0x50/0x50 [drm]
[ 43.920664] ? handle_mm_fault+0x93/0x160
[ 43.920893] do_vfs_ioctl+0x96/0x6e0
[ 43.921117] ? __fget+0x73/0xa0
[ 43.921322] SyS_ioctl+0x41/0x70
[ 43.921545] entry_SYSCALL_64_fastpath+0x1a/0xa5
[ 43.922188] RIP: 0033:0x7f1145804bc7
[ 43.922526] RSP: 002b:00007ffcd3e50508 EFLAGS: 00003246 ORIG_RAX: 0000000000000010
[ 43.923367] RAX: ffffffffffffffda RBX: 0000000000000040 RCX: 00007f1145804bc7
[ 43.923852] RDX: 00007ffcd3e50540 RSI: 00000000c02464bb RDI: 000000000000000b
[ 43.924299] RBP: 0000000000000040 R08: 0000000000000040 R09: 000000000000000c
[ 43.924694] R10: 00007ffcd3e50340 R11: 0000000000003246 R12: 0000000000000018
[ 43.925128] R13: 00000000022bc390 R14: 0000000000000040 R15: 00007ffcd3e5062c
Reported-by: Mike Galbraith <efault@....de>
Signed-off-by: Gabriel Krisman Bertazi <krisman@...labora.co.uk>
---
drivers/gpu/drm/qxl/qxl_display.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c
index 058340a002c2..4a340efd8ba6 100644
--- a/drivers/gpu/drm/qxl/qxl_display.c
+++ b/drivers/gpu/drm/qxl/qxl_display.c
@@ -575,8 +575,6 @@ static void qxl_cursor_atomic_update(struct drm_plane *plane,
if (ret)
return;
- cmd = (struct qxl_cursor_cmd *) qxl_release_map(qdev, release);
-
if (fb != old_state->fb) {
obj = to_qxl_framebuffer(fb)->obj;
user_bo = gem_to_qxl_bo(obj);
@@ -614,6 +612,7 @@ static void qxl_cursor_atomic_update(struct drm_plane *plane,
qxl_bo_kunmap(cursor_bo);
qxl_bo_kunmap(user_bo);
+ cmd = (struct qxl_cursor_cmd *) qxl_release_map(qdev, release);
cmd->u.set.visible = 1;
cmd->u.set.shape = qxl_bo_physical_address(qdev,
cursor_bo, 0);
@@ -624,6 +623,7 @@ static void qxl_cursor_atomic_update(struct drm_plane *plane,
if (ret)
goto out_free_release;
+ cmd = (struct qxl_cursor_cmd *) qxl_release_map(qdev, release);
cmd->type = QXL_CURSOR_MOVE;
}
--
2.11.0
Powered by blists - more mailing lists