NetBSD Problem Report #57402
From www@netbsd.org Fri May 12 09:53:45 2023
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 640F11A923B
for <gnats-bugs@gnats.NetBSD.org>; Fri, 12 May 2023 09:53:45 +0000 (UTC)
Message-Id: <20230512095343.AD6AA1A923C@mollari.NetBSD.org>
Date: Fri, 12 May 2023 09:53:43 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: null pointer dereference in i915_gem_busy_ioctl
X-Send-Pr-Version: www-1.0
>Number: 57402
>Category: kern
>Synopsis: null pointer dereference in i915_gem_busy_ioctl
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri May 12 09:55:02 +0000 2023
>Closed-Date: Wed Aug 02 13:27:56 +0000 2023
>Last-Modified: Wed Aug 02 13:27:56 +0000 2023
>Originator: Taylor R Campbell
>Release: current
>Organization:
The NetBusy Faultdation
>Environment:
developing a global fever
>Description:
[ 2572521.561091] uvm_fault(0xffffd2c6273cfa08, 0x0, 1) -> e
[ 2572521.561091] fatal page fault in supervisor mode
[ 2572521.561091] trap type 6 code 0 rip 0xffffffff807b817d cs 0x8 rflags 0x13202 cr2 0x28 ilevel 0 rsp 0xffffa8909ee1fd20
[ 2572521.561091] curlwp 0xffffd2c61c51eb00 pid 1343.1343 lowest kstack 0xffffa8909ee1b2c0
[ 2572521.561091] panic: trap
[ 2572521.561091] cpu0: Begin traceback...
[ 2572521.562091] vpanic() at netbsd:vpanic+0x183
[ 2572521.564091] panic() at netbsd:panic+0x3c
[ 2572521.565091] trap() at netbsd:trap+0xb27
[ 2572521.565091] --- trap (number 6) ---
[ 2572521.566091] i915_gem_busy_ioctl() at netbsd:i915_gem_busy_ioctl+0x19b
[ 2572521.567091] drm_ioctl() at netbsd:drm_ioctl+0x23d
[ 2572521.569091] drm_ioctl_shim() at netbsd:drm_ioctl_shim+0x37
[ 2572521.570091] sys_ioctl() at netbsd:sys_ioctl+0x56d
[ 2572521.572091] syscall() at netbsd:syscall+0x196
[ 2572521.572091] --- syscall (number 54) ---
[ 2572521.573091] netbsd:syscall+0x196:
[ 2572521.573091] cpu0: End traceback...
[ 2572521.577095] dumping to dev 168,12 (offset=527151, size=16710810):
(gdb) bt
...
#4 0xffffffff8023c947 in trap (frame=0xffffa8909ee1fc30)
at /home/riastradh/netbsd/current/src/sys/arch/amd64/amd64/trap.c:326
#5 0xffffffff802349c4 in alltraps ()
#6 0xffffffff807b817d in i915_gem_busy_ioctl (dev=<optimized out>,
data=<optimized out>, file=<optimized out>)
at /home/riastradh/netbsd/current/src/sys/external/bsd/drm2/dist/drm/i915/gem/i915_gem_busy.c:131
#7 0xffffffff80c4579f in drm_ioctl (fp=<optimized out>, cmd=<optimized out>,
data=0xffffa8909ee1fee0)
at /home/riastradh/netbsd/current/src/sys/external/bsd/drm2/dist/drm/drm_ioctl.c:978
#8 0xffffffff80c10fe6 in drm_ioctl_shim (fp=<optimized out>,
cmd=<optimized out>, data=<optimized out>)
at /home/riastradh/netbsd/current/src/sys/external/bsd/drm2/drm/drm_cdevsw.c:391
#9 0xffffffff80e38f15 in sys_ioctl (l=<optimized out>,
uap=0xffffa8909ee20000, retval=<optimized out>)
at /home/riastradh/netbsd/current/src/sys/kern/sys_generic.c:675
#10 0xffffffff805a540e in sy_call (rval=0xffffa8909ee1ffb0,
uap=0xffffa8909ee20000, l=0xffffd2c61c51eb00,
sy=0xffffffff818868d0 <sysent+1296>)
at /home/riastradh/netbsd/current/src/sys/sys/syscallvar.h:65
#11 sy_invoke (code=54, rval=0xffffa8909ee1ffb0, uap=0xffffa8909ee20000,
l=0xffffd2c61c51eb00, sy=0xffffffff818868d0 <sysent+1296>)
at /home/riastradh/netbsd/current/src/sys/sys/syscallvar.h:94
#12 syscall (frame=0xffffa8909ee20000)
at /home/riastradh/netbsd/current/src/sys/arch/x86/x86/syscall.c:138
#13 0xffffffff8021025d in handle_syscall ()
(gdb) x/i 0xffffffff807b817d
0xffffffff807b817d <i915_gem_busy_ioctl+411>:
cmpq $0xffffffff81271ee0,0x28(%r12)
(gdb) info line *(0xffffffff807b817d)
Line 304 of "/home/riastradh/netbsd/current/src/sys/external/bsd/drm2/dist/drm/i915/i915_request.h"
starts at address 0xffffffff807b817d <i915_gem_busy_ioctl+411>
and ends at 0xffffffff807b8190 <i915_gem_busy_ioctl+430>.
(gdb) print $r12
$1 = 0
>How-To-Repeat:
no idea
>Fix:
	if (read_seqcount_retry(&obj->base.resv->seq, seq))
		goto retry;
>Release-Note:
>Audit-Trail:
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/57402 CVS commit: src/sys/external/bsd/drm2/dist/drm/i915/gem
Date: Fri, 12 May 2023 10:13:37 +0000
Module Name: src
Committed By: riastradh
Date: Fri May 12 10:13:37 UTC 2023
Modified Files:
src/sys/external/bsd/drm2/dist/drm/i915/gem: i915_gem_busy.c
Log Message:
i915: Avoid dereferencing null fence if resv has changed.
PR kern/57402
XXX pullup-10
To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 \
src/sys/external/bsd/drm2/dist/drm/i915/gem/i915_gem_busy.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->needs-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Fri, 12 May 2023 10:16:42 +0000
State-Changed-Why:
candidate fix committed, needs pullup to netbsd-10
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/57402 CVS commit: [netbsd-10] src/sys/external/bsd/drm2/dist/drm/i915/gem
Date: Tue, 1 Aug 2023 16:00:57 +0000
Module Name: src
Committed By: martin
Date: Tue Aug 1 16:00:57 UTC 2023
Modified Files:
src/sys/external/bsd/drm2/dist/drm/i915/gem [netbsd-10]:
i915_gem_busy.c
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #291):
sys/external/bsd/drm2/dist/drm/i915/gem/i915_gem_busy.c: revision 1.4
i915: Avoid dereferencing null fence if resv has changed.
PR kern/57402
To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.3.4.1 \
src/sys/external/bsd/drm2/dist/drm/i915/gem/i915_gem_busy.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: needs-pullups->closed
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Wed, 02 Aug 2023 13:27:56 +0000
State-Changed-Why:
fixed and pulled up to 10
>Unformatted:
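Added example, not part of the original report and not NetBSD or i915 code: a single-threaded user-space model of the read-side check named in the fix, where a pointer loaded under a sequence counter is only dereferenced after confirming the counter has not moved. In the report, the fault address cr2 0x28 is the 0x28(%r12) operand with r12 = 0. All struct and function names below are hypothetical, and the writer is simulated by a hook rather than a second thread.

```c
#include <stddef.h>

/* Hypothetical user-space model; not the i915 or NetBSD types. */
struct fence { unsigned flags; };
struct resv {
	unsigned seq, count;     /* seq is bumped by every writer update */
	struct fence *shared[2]; /* slots past count are NULL */
};

/* Constructed writer: drops slot 1 once, just before the reader loads it. */
static void writer(struct resv *r, unsigned i)
{
	if (i != 1 || r->seq != 0)
		return;
	r->shared[1] = NULL;
	r->count = 1;
	r->seq += 2;
}

/* OR the flags of every fence in r; -1 marks the point where the walk
 * would have dereferenced a NULL fence. With guarded set, the sequence
 * is re-checked after each pointer load, before the dereference. */
static int busy_query(struct resv *r, int racing, int guarded)
{
	unsigned seq, n, i, busy;
retry:
	seq = r->seq;
	n = r->count;
	for (i = 0, busy = 0; i < n; i++) {
		if (racing)
			writer(r, i);        /* simulated concurrent update */
		struct fence *f = r->shared[i];
		if (guarded && r->seq != seq)
			goto retry;          /* resv changed: f may be NULL */
		if (f == NULL)
			return -1;           /* the kernel would fault here */
		busy |= f->flags;
	}
	if (r->seq != seq)
		goto retry;
	return (int)busy;
}

int run_case(int racing, int guarded)   /* two fences, flags 1 and 2 */
{
	struct fence a = { 1 }, b = { 2 };
	struct resv r = { 0, 2, { &a, &b } };
	return busy_query(&r, racing, guarded);
}
```

With the simulated writer active, the unguarded walk reaches the NULL slot, while the guarded walk restarts and reports only the fence that is still present.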