lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAM0jSHOWwgPRWkSN22r6T_rkiVcdhYwN34vkzp0q_icgDqT52Q@mail.gmail.com>
Date:   Mon, 24 May 2021 14:38:12 +0100
From:   Matthew Auld <matthew.william.auld@...il.com>
To:     Hillf Danton <hdanton@...a.com>
Cc:     Philippe Troin <phil@...i.org>,
        Intel Graphics Development <intel-gfx@...ts.freedesktop.org>,
        kernel list <linux-kernel@...r.kernel.org>
Subject: Re: [Intel-gfx] Bug: 5.12.5 - list_add double add at __i915_gem_object_make_shrinkable+0xa6/0xe0

On Mon, 24 May 2021 at 13:05, Hillf Danton <hdanton@...a.com> wrote:
>
> On Sun, 23 May 2021 12:47:34 -0700 Philippe Troin wrote:
> > Found the following bug on a FUJITSU LIFEBOOK S6520.
> >
> > The kernel crash happens when selecting a user from the gdm login
> > screen right after boot.
> > The same hardware has no problems with 5.11.21.

The trace looks similar to something that was fixed in 8777d17b68dc
("drm/i915/gem: Pin the L-shape quirked object as unshrinkable") which
should now be in drm-tip. Could you try that? Otherwise could you
please file a new bug report at
https://gitlab.freedesktop.org/drm/intel/?

> >
> > OOPS:
> >    list_add double add: new=ffff8e785604c620, prev=ffff8e785604c620, next=ffff8e784d105b38.
> >    ------------[ cut here ]------------
> >    kernel BUG at lib/list_debug.c:29!
> >    invalid opcode: 0000 [#1] SMP PTI
> >    CPU: 0 PID: 1498 Comm: gnome-shell Not tainted 5.12.5-200.fc33.x86_64 #1
> >    Hardware name: FUJITSU LIFEBOOK S6520/FJNB1E6, BIOS Version 1.31  09/09/2009
> >    RIP: 0010:__list_add_valid.cold+0x26/0x3f
> >    Code: d8 77 a6 ff 4c 89 c1 48 c7 c7 10 52 41 b8 e8 7f 2c fe ff 0f 0b 48 89 f2 4c 89 c1 48 89 fe 48 c7 c7 c0 52 41 b8 e8 68 2c fe ff <0f> 0b 48 89 d1 4c 89 c6 4c 89 ca 48 c7 c7 68 52 41 b8 e8 51 2c fe
> >    RSP: 0018:ffffb84100ebfcf8 EFLAGS: 00010082
> >    RAX: 0000000000000058 RBX: ffff8e785604c340 RCX: 0000000000000000
> >    RDX: ffff8e787bc26720 RSI: ffff8e787bc185c0 RDI: ffff8e787bc185c0
> >    RBP: ffff8e784d105b38 R08: 0000000000000000 R09: ffffb84100ebfb30
> >    R10: ffffb84100ebfb28 R11: ffffffffb8b45f28 R12: ffff8e784d100000
> >    R13: 0000000000000246 R14: ffff8e784d105b20 R15: ffff8e785604c620
> >    FS:  00007fa65ebf6d40(0000) GS:ffff8e787bc00000(0000) knlGS:0000000000000000
> >    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >    CR2: 00007fa638311a10 CR3: 00000001162d0000 CR4: 00000000000006f0
> >    Call Trace:
> >     __i915_gem_object_make_shrinkable+0xa6/0xe0 [i915]
> >     i915_gem_object_set_tiling+0x4fe/0x530 [i915]
> >     ? i915_gem_object_make_unshrinkable+0x75/0xd0 [i915]
> >     i915_gem_set_tiling_ioctl+0x148/0x230 [i915]
> >     ? i915_gem_object_set_tiling+0x530/0x530 [i915]
> >     drm_ioctl_kernel+0x86/0xd0 [drm]
> >     drm_ioctl+0x20f/0x3a0 [drm]
> >     ? i915_gem_object_set_tiling+0x530/0x530 [i915]
> >     ? handle_mm_fault+0xd5/0x2b0
> >     __x64_sys_ioctl+0x83/0xb0
> >     do_syscall_64+0x33/0x40
> >     entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> Update shrink_pin under lock to cut chance for races.
> If it is a cure then atomic_t will be dropped.
>
> +++ x/drivers/gpu/drm/i915/gem/i915_gem_shrinker.c
> @@ -435,6 +435,7 @@ void i915_gem_object_make_unshrinkable(s
>  {
>         struct drm_i915_private *i915 = obj_to_i915(obj);
>         unsigned long flags;
> +       int pin;
>
>         /*
>          * We can only be called while the pages are pinned or when
> @@ -442,12 +443,10 @@ void i915_gem_object_make_unshrinkable(s
>          * from a single caller under controlled conditions; and on release
>          * only one caller may release us. Neither the two may cross.
>          */
> -       if (atomic_add_unless(&obj->mm.shrink_pin, 1, 0))
> -               return;
> -
>         spin_lock_irqsave(&i915->mm.obj_lock, flags);
> -       if (!atomic_fetch_inc(&obj->mm.shrink_pin) &&
> -           !list_empty(&obj->mm.link)) {
> +       pin = atomic_read(&obj->mm.shrink_pin);
> +       atomic_inc(&obj->mm.shrink_pin);
> +       if (!pin && !list_empty(&obj->mm.link)) {
>                 list_del_init(&obj->mm.link);
>                 i915->mm.shrink_count--;
>                 i915->mm.shrink_memory -= obj->base.size;
> @@ -460,23 +459,23 @@ static void __i915_gem_object_make_shrin
>  {
>         struct drm_i915_private *i915 = obj_to_i915(obj);
>         unsigned long flags;
> +       int pin;
>
>         GEM_BUG_ON(!i915_gem_object_has_pages(obj));
>         if (!i915_gem_object_is_shrinkable(obj))
>                 return;
>
> -       if (atomic_add_unless(&obj->mm.shrink_pin, -1, 1))
> -               return;
> -
>         spin_lock_irqsave(&i915->mm.obj_lock, flags);
>         GEM_BUG_ON(!kref_read(&obj->base.refcount));
> -       if (atomic_dec_and_test(&obj->mm.shrink_pin)) {
> +
> +       pin = atomic_read(&obj->mm.shrink_pin);
> +       atomic_dec(&obj->mm.shrink_pin);
> +       if (pin == 1) {
>                 GEM_BUG_ON(!list_empty(&obj->mm.link));
>
>                 list_add_tail(&obj->mm.link, head);
>                 i915->mm.shrink_count++;
>                 i915->mm.shrink_memory += obj->base.size;
> -
>         }
>         spin_unlock_irqrestore(&i915->mm.obj_lock, flags);
>  }
> --
> _______________________________________________
> Intel-gfx mailing list
> Intel-gfx@...ts.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/intel-gfx

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ