It's completely unused and Tommi noticed that the #define is borked since forever. I've done a git search in userspace and only found broken definitions and no users anywhere.
Cc: Tommi Rantala tt.rantala@gmail.com Signed-off-by: Daniel Vetter daniel.vetter@intel.com --- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/intel_drv.h | 2 -- drivers/gpu/drm/i915/intel_sprite.c | 24 ------------------------ 3 files changed, 1 insertion(+), 27 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c index d49ed68f041e..68e0c85a17cf 100644 --- a/drivers/gpu/drm/i915/i915_dma.c +++ b/drivers/gpu/drm/i915/i915_dma.c @@ -1199,7 +1199,7 @@ const struct drm_ioctl_desc i915_ioctls[] = { DRM_IOCTL_DEF_DRV(I915_OVERLAY_PUT_IMAGE, intel_overlay_put_image, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED), DRM_IOCTL_DEF_DRV(I915_OVERLAY_ATTRS, intel_overlay_attrs, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED), DRM_IOCTL_DEF_DRV(I915_SET_SPRITE_COLORKEY, intel_sprite_set_colorkey, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED), - DRM_IOCTL_DEF_DRV(I915_GET_SPRITE_COLORKEY, intel_sprite_get_colorkey, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED), + DRM_IOCTL_DEF_DRV(I915_GET_SPRITE_COLORKEY, drm_noop, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED), DRM_IOCTL_DEF_DRV(I915_GEM_WAIT, i915_gem_wait_ioctl, DRM_AUTH|DRM_UNLOCKED|DRM_RENDER_ALLOW), DRM_IOCTL_DEF_DRV(I915_GEM_CONTEXT_CREATE, i915_gem_context_create_ioctl, DRM_UNLOCKED|DRM_RENDER_ALLOW), DRM_IOCTL_DEF_DRV(I915_GEM_CONTEXT_DESTROY, i915_gem_context_destroy_ioctl, DRM_UNLOCKED|DRM_RENDER_ALLOW), diff --git a/drivers/gpu/drm/i915/intel_drv.h b/drivers/gpu/drm/i915/intel_drv.h index cb57b9c446f3..6036e3b73b7b 100644 --- a/drivers/gpu/drm/i915/intel_drv.h +++ b/drivers/gpu/drm/i915/intel_drv.h @@ -1282,8 +1282,6 @@ void intel_flush_primary_plane(struct drm_i915_private *dev_priv, int intel_plane_restore(struct drm_plane *plane); int intel_sprite_set_colorkey(struct drm_device *dev, void *data, struct drm_file *file_priv); -int intel_sprite_get_colorkey(struct drm_device *dev, void *data, - struct drm_file *file_priv); bool intel_pipe_update_start(struct intel_crtc *crtc, uint32_t *start_vbl_count); void intel_pipe_update_end(struct intel_crtc *crtc, u32 start_vbl_count); diff --git a/drivers/gpu/drm/i915/intel_sprite.c b/drivers/gpu/drm/i915/intel_sprite.c index f41e872ad858..e9ff6fc61267 100644 --- a/drivers/gpu/drm/i915/intel_sprite.c +++ b/drivers/gpu/drm/i915/intel_sprite.c @@ -1134,30 +1134,6 @@ out_unlock: return ret; }
-int intel_sprite_get_colorkey(struct drm_device *dev, void *data, - struct drm_file *file_priv) -{ - struct drm_intel_sprite_colorkey *get = data; - struct drm_plane *plane; - struct intel_plane *intel_plane; - int ret = 0; - - drm_modeset_lock_all(dev); - - plane = drm_plane_find(dev, get->plane_id); - if (!plane) { - ret = -ENOENT; - goto out_unlock; - } - - intel_plane = to_intel_plane(plane); - *get = intel_plane->ckey; - -out_unlock: - drm_modeset_unlock_all(dev); - return ret; -} - int intel_plane_restore(struct drm_plane *plane) { if (!plane->crtc || !plane->state->fb)
On Fri, Mar 27, 2015 at 09:10:02AM +0100, Daniel Vetter wrote:
It's completely unused and Tommi noticed that the #define is borked since forever. I've done a git search in userspace and only found broken definitions and no users anywhere.
Cc: Tommi Rantala tt.rantala@gmail.com Signed-off-by: Daniel Vetter daniel.vetter@intel.com
Hm Tommi discovered oopses in there, so I guess this should be cherry-picked to -fixes+cc: stable too? Jani? -Daniel
drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/intel_drv.h | 2 -- drivers/gpu/drm/i915/intel_sprite.c | 24 ------------------------ 3 files changed, 1 insertion(+), 27 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c index d49ed68f041e..68e0c85a17cf 100644 --- a/drivers/gpu/drm/i915/i915_dma.c +++ b/drivers/gpu/drm/i915/i915_dma.c @@ -1199,7 +1199,7 @@ const struct drm_ioctl_desc i915_ioctls[] = { DRM_IOCTL_DEF_DRV(I915_OVERLAY_PUT_IMAGE, intel_overlay_put_image, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED), DRM_IOCTL_DEF_DRV(I915_OVERLAY_ATTRS, intel_overlay_attrs, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED), DRM_IOCTL_DEF_DRV(I915_SET_SPRITE_COLORKEY, intel_sprite_set_colorkey, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED),
- DRM_IOCTL_DEF_DRV(I915_GET_SPRITE_COLORKEY, intel_sprite_get_colorkey, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED),
- DRM_IOCTL_DEF_DRV(I915_GET_SPRITE_COLORKEY, drm_noop, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED), DRM_IOCTL_DEF_DRV(I915_GEM_WAIT, i915_gem_wait_ioctl, DRM_AUTH|DRM_UNLOCKED|DRM_RENDER_ALLOW), DRM_IOCTL_DEF_DRV(I915_GEM_CONTEXT_CREATE, i915_gem_context_create_ioctl, DRM_UNLOCKED|DRM_RENDER_ALLOW), DRM_IOCTL_DEF_DRV(I915_GEM_CONTEXT_DESTROY, i915_gem_context_destroy_ioctl, DRM_UNLOCKED|DRM_RENDER_ALLOW),
diff --git a/drivers/gpu/drm/i915/intel_drv.h b/drivers/gpu/drm/i915/intel_drv.h index cb57b9c446f3..6036e3b73b7b 100644 --- a/drivers/gpu/drm/i915/intel_drv.h +++ b/drivers/gpu/drm/i915/intel_drv.h @@ -1282,8 +1282,6 @@ void intel_flush_primary_plane(struct drm_i915_private *dev_priv, int intel_plane_restore(struct drm_plane *plane); int intel_sprite_set_colorkey(struct drm_device *dev, void *data, struct drm_file *file_priv); -int intel_sprite_get_colorkey(struct drm_device *dev, void *data,
struct drm_file *file_priv);bool intel_pipe_update_start(struct intel_crtc *crtc, uint32_t *start_vbl_count); void intel_pipe_update_end(struct intel_crtc *crtc, u32 start_vbl_count); diff --git a/drivers/gpu/drm/i915/intel_sprite.c b/drivers/gpu/drm/i915/intel_sprite.c index f41e872ad858..e9ff6fc61267 100644 --- a/drivers/gpu/drm/i915/intel_sprite.c +++ b/drivers/gpu/drm/i915/intel_sprite.c @@ -1134,30 +1134,6 @@ out_unlock: return ret; }
-int intel_sprite_get_colorkey(struct drm_device *dev, void *data,
struct drm_file *file_priv)-{
- struct drm_intel_sprite_colorkey *get = data;
- struct drm_plane *plane;
- struct intel_plane *intel_plane;
- int ret = 0;
- drm_modeset_lock_all(dev);
- plane = drm_plane_find(dev, get->plane_id);
- if (!plane) {
ret = -ENOENT;goto out_unlock;- }
- intel_plane = to_intel_plane(plane);
- *get = intel_plane->ckey;
-out_unlock:
- drm_modeset_unlock_all(dev);
- return ret;
-}
int intel_plane_restore(struct drm_plane *plane) { if (!plane->crtc || !plane->state->fb) -- 2.1.4
On Fri, 27 Mar 2015, Daniel Vetter daniel@ffwll.ch wrote:
On Fri, Mar 27, 2015 at 09:10:02AM +0100, Daniel Vetter wrote:
It's completely unused and Tommi noticed that the #define is borked since forever. I've done a git search in userspace and only found broken definitions and no users anywhere.
Cc: Tommi Rantala tt.rantala@gmail.com Signed-off-by: Daniel Vetter daniel.vetter@intel.com
Hm Tommi discovered oopses in there, so I guess this should be cherry-picked to -fixes+cc: stable too? Jani?
My OCD really wants to know why this blows up. The get/set functions look so similar that it feels like the set should fail just the same... Tommi, did you try just the set part of your test program [1]?
Sorry for not trying it out myself, I'm calling it a day (and week) now...
BR, Jani.
[1] http://mid.gmane.org/CA+ydwtr+bCo7LJ44JFmUkVRx144UDFgOS+aJTfK6KHtvBDVuAw@mai...
-Daniel
drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/intel_drv.h | 2 -- drivers/gpu/drm/i915/intel_sprite.c | 24 ------------------------ 3 files changed, 1 insertion(+), 27 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c index d49ed68f041e..68e0c85a17cf 100644 --- a/drivers/gpu/drm/i915/i915_dma.c +++ b/drivers/gpu/drm/i915/i915_dma.c @@ -1199,7 +1199,7 @@ const struct drm_ioctl_desc i915_ioctls[] = { DRM_IOCTL_DEF_DRV(I915_OVERLAY_PUT_IMAGE, intel_overlay_put_image, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED), DRM_IOCTL_DEF_DRV(I915_OVERLAY_ATTRS, intel_overlay_attrs, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED), DRM_IOCTL_DEF_DRV(I915_SET_SPRITE_COLORKEY, intel_sprite_set_colorkey, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED),
- DRM_IOCTL_DEF_DRV(I915_GET_SPRITE_COLORKEY, intel_sprite_get_colorkey, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED),
- DRM_IOCTL_DEF_DRV(I915_GET_SPRITE_COLORKEY, drm_noop, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED), DRM_IOCTL_DEF_DRV(I915_GEM_WAIT, i915_gem_wait_ioctl, DRM_AUTH|DRM_UNLOCKED|DRM_RENDER_ALLOW), DRM_IOCTL_DEF_DRV(I915_GEM_CONTEXT_CREATE, i915_gem_context_create_ioctl, DRM_UNLOCKED|DRM_RENDER_ALLOW), DRM_IOCTL_DEF_DRV(I915_GEM_CONTEXT_DESTROY, i915_gem_context_destroy_ioctl, DRM_UNLOCKED|DRM_RENDER_ALLOW),
diff --git a/drivers/gpu/drm/i915/intel_drv.h b/drivers/gpu/drm/i915/intel_drv.h index cb57b9c446f3..6036e3b73b7b 100644 --- a/drivers/gpu/drm/i915/intel_drv.h +++ b/drivers/gpu/drm/i915/intel_drv.h @@ -1282,8 +1282,6 @@ void intel_flush_primary_plane(struct drm_i915_private *dev_priv, int intel_plane_restore(struct drm_plane *plane); int intel_sprite_set_colorkey(struct drm_device *dev, void *data, struct drm_file *file_priv); -int intel_sprite_get_colorkey(struct drm_device *dev, void *data,
struct drm_file *file_priv);bool intel_pipe_update_start(struct intel_crtc *crtc, uint32_t *start_vbl_count); void intel_pipe_update_end(struct intel_crtc *crtc, u32 start_vbl_count); diff --git a/drivers/gpu/drm/i915/intel_sprite.c b/drivers/gpu/drm/i915/intel_sprite.c index f41e872ad858..e9ff6fc61267 100644 --- a/drivers/gpu/drm/i915/intel_sprite.c +++ b/drivers/gpu/drm/i915/intel_sprite.c @@ -1134,30 +1134,6 @@ out_unlock: return ret; }
-int intel_sprite_get_colorkey(struct drm_device *dev, void *data,
struct drm_file *file_priv)-{
- struct drm_intel_sprite_colorkey *get = data;
- struct drm_plane *plane;
- struct intel_plane *intel_plane;
- int ret = 0;
- drm_modeset_lock_all(dev);
- plane = drm_plane_find(dev, get->plane_id);
- if (!plane) {
ret = -ENOENT;goto out_unlock;- }
- intel_plane = to_intel_plane(plane);
- *get = intel_plane->ckey;
-out_unlock:
- drm_modeset_unlock_all(dev);
- return ret;
-}
int intel_plane_restore(struct drm_plane *plane) { if (!plane->crtc || !plane->state->fb) -- 2.1.4
-- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch
2015-03-27 18:42 GMT+02:00 Jani Nikula jani.nikula@linux.intel.com:
On Fri, 27 Mar 2015, Daniel Vetter daniel@ffwll.ch wrote:
On Fri, Mar 27, 2015 at 09:10:02AM +0100, Daniel Vetter wrote:
It's completely unused and Tommi noticed that the #define is borked since forever. I've done a git search in userspace and only found broken definitions and no users anywhere.
Cc: Tommi Rantala tt.rantala@gmail.com Signed-off-by: Daniel Vetter daniel.vetter@intel.com
Hm Tommi discovered oopses in there, so I guess this should be cherry-picked to -fixes+cc: stable too? Jani?
My OCD really wants to know why this blows up. The get/set functions look so similar that it feels like the set should fail just the same... Tommi, did you try just the set part of your test program [1]?
Yes, both the set and get ioctls crash:
[ 20.868660] BUG: unable to handle kernel NULL pointer dereference at (null) [ 20.876527] IP: [< (null)>] (null) [ 20.881573] PGD c4f7d067 PUD c2a6b067 PMD 0 [ 20.885866] Oops: 0010 [#1] SMP KASAN [ 20.889549] CPU: 1 PID: 2207 Comm: main Not tainted 4.0.0-rc5+ #89 [ 20.902805] task: ffff8800c4fad380 ti: ffff8800c2b98000 task.ti: ffff8800c2b98000 [ 20.910257] RIP: 0010:[<0000000000000000>] [< (null)>] (null) [ 20.917722] RSP: 0018:ffff8800c2b9fd30 EFLAGS: 00010246 [ 20.923012] RAX: ffffed002e87c961 RBX: ffff88017463d000 RCX: 0000000000000006 [ 20.930116] RDX: dffffc0000000000 RSI: ffff8800c2b9fdd8 RDI: ffff8801743e4800 [ 20.937214] RBP: ffff8800c2b9fd68 R08: 0000000000000000 R09: 0000000000000000 [ 20.944318] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800c2b9fdd8 [ 20.951416] R13: ffff8801743e48d8 R14: 00000000fffffffe R15: ffff8801743e4800 [ 20.958524] FS: 00007f7139b3a700(0000) GS:ffff880175e00000(0000) knlGS:0000000000000000 [ 20.966575] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 20.972300] CR2: 0000000000000000 CR3: 00000000c2a67000 CR4: 00000000000406e0 [ 20.979407] Stack: [ 20.981414] ffffffff81b4a11d ffff8800c2b9fd68 ffff88017463d000 ffff8800c4c50c00 [ 20.988838] 0000000000000014 fffffffffffffff2 ffffffff8271c3e0 ffff8800c2b9fe88 [ 20.996238] ffffffff818acbbc ffff8800c2b9fe18 ffffffff8165d7c2 ffffffff8165d660 [ 21.003658] Call Trace: [ 21.006110] [<ffffffff81b4a11d>] ? intel_sprite_set_colorkey+0xad/0xf0 [ 21.012695] [<ffffffff818acbbc>] drm_ioctl+0x27c/0x890 [ 21.017904] [<ffffffff8165d7c2>] ? avc_has_perm+0x182/0x320 [ 21.023544] [<ffffffff8165d660>] ? avc_has_perm+0x20/0x320 [ 21.029098] [<ffffffff81b4a070>] ? intel_pre_disable_primary+0x90/0x90 [ 21.035690] [<ffffffff8165ffac>] ? inode_has_perm.isra.28+0x7c/0xa0 [ 21.042023] [<ffffffff812f8caf>] do_vfs_ioctl+0x3cf/0x720 [ 21.047488] [<ffffffff81660caa>] ? selinux_file_ioctl+0x6a/0x130 [ 21.053558] [<ffffffff812f9081>] SyS_ioctl+0x81/0xa0 [ 21.058595] [<ffffffff825e08b2>] system_call_fastpath+0x12/0x17 [ 21.064580] Code: Bad RIP value. [ 21.067916] RIP [< (null)>] (null) [ 21.073048] RSP <ffff8800c2b9fd30> [ 21.076524] CR2: 0000000000000000 [ 21.079863] ---[ end trace 161ba639126f6a45 ]---
[ 274.286068] BUG: unable to handle kernel NULL pointer dereference at (null) [ 274.295149] IP: [< (null)>] (null) [ 274.300242] PGD 171999067 PUD 171b93067 PMD 0 [ 274.304744] Oops: 0010 [#1] SMP KASAN [ 274.308460] CPU: 0 PID: 2202 Comm: main Not tainted 4.0.0-rc5+ #89 [ 274.321856] task: ffff8801726914e0 ti: ffff880172928000 task.ti: ffff880172928000 [ 274.329383] RIP: 0010:[<0000000000000000>] [< (null)>] (null) [ 274.336924] RSP: 0018:ffff88017292fd30 EFLAGS: 00010246 [ 274.342267] RAX: ffffed002e7bc362 RBX: ffff88017442f000 RCX: 0000000000000007 [ 274.349446] RDX: 0000000000000000 RSI: ffff88017292fdd8 RDI: ffff880173de1800 [ 274.356624] RBP: ffff88017292fd68 R08: 0000000000000000 R09: 0000000000000000 [ 274.363803] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 274.370979] R13: ffff880173de18d8 R14: ffff88017292fdd8 R15: ffff880173de1800 [ 274.378157] FS: 00007f48d6b16700(0000) GS:ffff880175c00000(0000) knlGS:0000000000000000 [ 274.386297] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 274.392078] CR2: 0000000000000000 CR3: 000000017188d000 CR4: 00000000000406f0 [ 274.399257] Stack: [ 274.401280] ffffffff81b4a1f7 ffff88017292fd68 ffff88017442f000 ffff880172cc7c00 [ 274.408761] 0000000000000014 fffffffffffffff2 ffffffff8271c3c0 ffff88017292fe88 [ 274.416244] ffffffff818acbbc ffff88017292fe18 ffffffff8165d7c2 ffffffff8165d660 [ 274.423727] Call Trace: [ 274.426192] [<ffffffff81b4a1f7>] ? intel_sprite_get_colorkey+0x97/0xc0 [ 274.432849] [<ffffffff818acbbc>] drm_ioctl+0x27c/0x890 [ 274.438107] [<ffffffff8165d7c2>] ? avc_has_perm+0x182/0x320 [ 274.443800] [<ffffffff8165d660>] ? avc_has_perm+0x20/0x320 [ 274.449407] [<ffffffff81b4a160>] ? intel_sprite_set_colorkey+0xf0/0xf0 [ 274.456065] [<ffffffff8165ffac>] ? inode_has_perm.isra.28+0x7c/0xa0 [ 274.462462] [<ffffffff812f8caf>] do_vfs_ioctl+0x3cf/0x720 [ 274.467984] [<ffffffff81660caa>] ? selinux_file_ioctl+0x6a/0x130 [ 274.474115] [<ffffffff812f9081>] SyS_ioctl+0x81/0xa0 [ 274.479199] [<ffffffff825e08b2>] system_call_fastpath+0x12/0x17 [ 274.485240] Code: Bad RIP value. [ 274.488597] RIP [< (null)>] (null) [ 274.493776] RSP <ffff88017292fd30> [ 274.497283] CR2: 0000000000000000
I debugged this a bit, and found that in intel_sprite_set_colorkey(), the "intel_plane->update_colorkey" function pointer is NULL, and in intel_sprite_get_colorkey(), the "intel_plane->get_colorkey" pointer is NULL. Hence the crash.
If I got it right, the pointers are not set for the "primary" and "cursor" planes, as initialized in intel_primary_plane_create() and intel_cursor_plane_create().
Tommi
On Fri, Mar 27, 2015 at 07:40:43PM +0200, Tommi Rantala wrote:
2015-03-27 18:42 GMT+02:00 Jani Nikula jani.nikula@linux.intel.com:
On Fri, 27 Mar 2015, Daniel Vetter daniel@ffwll.ch wrote:
On Fri, Mar 27, 2015 at 09:10:02AM +0100, Daniel Vetter wrote:
It's completely unused and Tommi noticed that the #define is borked since forever. I've done a git search in userspace and only found broken definitions and no users anywhere.
Cc: Tommi Rantala tt.rantala@gmail.com Signed-off-by: Daniel Vetter daniel.vetter@intel.com
Hm Tommi discovered oopses in there, so I guess this should be cherry-picked to -fixes+cc: stable too? Jani?
My OCD really wants to know why this blows up. The get/set functions look so similar that it feels like the set should fail just the same... Tommi, did you try just the set part of your test program [1]?
Yes, both the set and get ioctls crash:
[ 20.868660] BUG: unable to handle kernel NULL pointer dereference at (null) [ 20.876527] IP: [< (null)>] (null) [ 20.881573] PGD c4f7d067 PUD c2a6b067 PMD 0 [ 20.885866] Oops: 0010 [#1] SMP KASAN [ 20.889549] CPU: 1 PID: 2207 Comm: main Not tainted 4.0.0-rc5+ #89 [ 20.902805] task: ffff8800c4fad380 ti: ffff8800c2b98000 task.ti: ffff8800c2b98000 [ 20.910257] RIP: 0010:[<0000000000000000>] [< (null)>] (null) [ 20.917722] RSP: 0018:ffff8800c2b9fd30 EFLAGS: 00010246 [ 20.923012] RAX: ffffed002e87c961 RBX: ffff88017463d000 RCX: 0000000000000006 [ 20.930116] RDX: dffffc0000000000 RSI: ffff8800c2b9fdd8 RDI: ffff8801743e4800 [ 20.937214] RBP: ffff8800c2b9fd68 R08: 0000000000000000 R09: 0000000000000000 [ 20.944318] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800c2b9fdd8 [ 20.951416] R13: ffff8801743e48d8 R14: 00000000fffffffe R15: ffff8801743e4800 [ 20.958524] FS: 00007f7139b3a700(0000) GS:ffff880175e00000(0000) knlGS:0000000000000000 [ 20.966575] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 20.972300] CR2: 0000000000000000 CR3: 00000000c2a67000 CR4: 00000000000406e0 [ 20.979407] Stack: [ 20.981414] ffffffff81b4a11d ffff8800c2b9fd68 ffff88017463d000 ffff8800c4c50c00 [ 20.988838] 0000000000000014 fffffffffffffff2 ffffffff8271c3e0 ffff8800c2b9fe88 [ 20.996238] ffffffff818acbbc ffff8800c2b9fe18 ffffffff8165d7c2 ffffffff8165d660 [ 21.003658] Call Trace: [ 21.006110] [<ffffffff81b4a11d>] ? intel_sprite_set_colorkey+0xad/0xf0 [ 21.012695] [<ffffffff818acbbc>] drm_ioctl+0x27c/0x890 [ 21.017904] [<ffffffff8165d7c2>] ? avc_has_perm+0x182/0x320 [ 21.023544] [<ffffffff8165d660>] ? avc_has_perm+0x20/0x320 [ 21.029098] [<ffffffff81b4a070>] ? intel_pre_disable_primary+0x90/0x90 [ 21.035690] [<ffffffff8165ffac>] ? inode_has_perm.isra.28+0x7c/0xa0 [ 21.042023] [<ffffffff812f8caf>] do_vfs_ioctl+0x3cf/0x720 [ 21.047488] [<ffffffff81660caa>] ? selinux_file_ioctl+0x6a/0x130 [ 21.053558] [<ffffffff812f9081>] SyS_ioctl+0x81/0xa0 [ 21.058595] [<ffffffff825e08b2>] system_call_fastpath+0x12/0x17 [ 21.064580] Code: Bad RIP value. [ 21.067916] RIP [< (null)>] (null) [ 21.073048] RSP <ffff8800c2b9fd30> [ 21.076524] CR2: 0000000000000000 [ 21.079863] ---[ end trace 161ba639126f6a45 ]---
[ 274.286068] BUG: unable to handle kernel NULL pointer dereference at (null) [ 274.295149] IP: [< (null)>] (null) [ 274.300242] PGD 171999067 PUD 171b93067 PMD 0 [ 274.304744] Oops: 0010 [#1] SMP KASAN [ 274.308460] CPU: 0 PID: 2202 Comm: main Not tainted 4.0.0-rc5+ #89 [ 274.321856] task: ffff8801726914e0 ti: ffff880172928000 task.ti: ffff880172928000 [ 274.329383] RIP: 0010:[<0000000000000000>] [< (null)>] (null) [ 274.336924] RSP: 0018:ffff88017292fd30 EFLAGS: 00010246 [ 274.342267] RAX: ffffed002e7bc362 RBX: ffff88017442f000 RCX: 0000000000000007 [ 274.349446] RDX: 0000000000000000 RSI: ffff88017292fdd8 RDI: ffff880173de1800 [ 274.356624] RBP: ffff88017292fd68 R08: 0000000000000000 R09: 0000000000000000 [ 274.363803] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 274.370979] R13: ffff880173de18d8 R14: ffff88017292fdd8 R15: ffff880173de1800 [ 274.378157] FS: 00007f48d6b16700(0000) GS:ffff880175c00000(0000) knlGS:0000000000000000 [ 274.386297] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 274.392078] CR2: 0000000000000000 CR3: 000000017188d000 CR4: 00000000000406f0 [ 274.399257] Stack: [ 274.401280] ffffffff81b4a1f7 ffff88017292fd68 ffff88017442f000 ffff880172cc7c00 [ 274.408761] 0000000000000014 fffffffffffffff2 ffffffff8271c3c0 ffff88017292fe88 [ 274.416244] ffffffff818acbbc ffff88017292fe18 ffffffff8165d7c2 ffffffff8165d660 [ 274.423727] Call Trace: [ 274.426192] [<ffffffff81b4a1f7>] ? intel_sprite_get_colorkey+0x97/0xc0 [ 274.432849] [<ffffffff818acbbc>] drm_ioctl+0x27c/0x890 [ 274.438107] [<ffffffff8165d7c2>] ? avc_has_perm+0x182/0x320 [ 274.443800] [<ffffffff8165d660>] ? avc_has_perm+0x20/0x320 [ 274.449407] [<ffffffff81b4a160>] ? intel_sprite_set_colorkey+0xf0/0xf0 [ 274.456065] [<ffffffff8165ffac>] ? inode_has_perm.isra.28+0x7c/0xa0 [ 274.462462] [<ffffffff812f8caf>] do_vfs_ioctl+0x3cf/0x720 [ 274.467984] [<ffffffff81660caa>] ? selinux_file_ioctl+0x6a/0x130 [ 274.474115] [<ffffffff812f9081>] SyS_ioctl+0x81/0xa0 [ 274.479199] [<ffffffff825e08b2>] system_call_fastpath+0x12/0x17 [ 274.485240] Code: Bad RIP value. [ 274.488597] RIP [< (null)>] (null) [ 274.493776] RSP <ffff88017292fd30> [ 274.497283] CR2: 0000000000000000
I debugged this a bit, and found that in intel_sprite_set_colorkey(), the "intel_plane->update_colorkey" function pointer is NULL, and in intel_sprite_get_colorkey(), the "intel_plane->get_colorkey" pointer is NULL. Hence the crash.
If I got it right, the pointers are not set for the "primary" and "cursor" planes, as initialized in intel_primary_plane_create() and intel_cursor_plane_create().
Ah true. So my patch to kill the rmw stuff should actually fix that crash. Although we should not accept these ioctls for the primary/cursor planes. I'll toss in a patch for that.
On Fri, 27 Mar 2015, Daniel Vetter daniel@ffwll.ch wrote:
On Fri, Mar 27, 2015 at 09:10:02AM +0100, Daniel Vetter wrote:
It's completely unused and Tommi noticed that the #define is borked since forever. I've done a git search in userspace and only found broken definitions and no users anywhere.
Cc: Tommi Rantala tt.rantala@gmail.com Signed-off-by: Daniel Vetter daniel.vetter@intel.com
Hm Tommi discovered oopses in there, so I guess this should be cherry-picked to -fixes+cc: stable too? Jani?
I'm picking up Ville's fix [1] for the oops to fixes, cc: stable, and I think the rest is -next material.
BR, Jani.
[1] http://mid.gmane.org/1427479180-29894-1-git-send-email-ville.syrjala@linux.i...
-Daniel
drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/intel_drv.h | 2 -- drivers/gpu/drm/i915/intel_sprite.c | 24 ------------------------ 3 files changed, 1 insertion(+), 27 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c index d49ed68f041e..68e0c85a17cf 100644 --- a/drivers/gpu/drm/i915/i915_dma.c +++ b/drivers/gpu/drm/i915/i915_dma.c @@ -1199,7 +1199,7 @@ const struct drm_ioctl_desc i915_ioctls[] = { DRM_IOCTL_DEF_DRV(I915_OVERLAY_PUT_IMAGE, intel_overlay_put_image, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED), DRM_IOCTL_DEF_DRV(I915_OVERLAY_ATTRS, intel_overlay_attrs, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED), DRM_IOCTL_DEF_DRV(I915_SET_SPRITE_COLORKEY, intel_sprite_set_colorkey, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED),
- DRM_IOCTL_DEF_DRV(I915_GET_SPRITE_COLORKEY, intel_sprite_get_colorkey, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED),
- DRM_IOCTL_DEF_DRV(I915_GET_SPRITE_COLORKEY, drm_noop, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED), DRM_IOCTL_DEF_DRV(I915_GEM_WAIT, i915_gem_wait_ioctl, DRM_AUTH|DRM_UNLOCKED|DRM_RENDER_ALLOW), DRM_IOCTL_DEF_DRV(I915_GEM_CONTEXT_CREATE, i915_gem_context_create_ioctl, DRM_UNLOCKED|DRM_RENDER_ALLOW), DRM_IOCTL_DEF_DRV(I915_GEM_CONTEXT_DESTROY, i915_gem_context_destroy_ioctl, DRM_UNLOCKED|DRM_RENDER_ALLOW),
diff --git a/drivers/gpu/drm/i915/intel_drv.h b/drivers/gpu/drm/i915/intel_drv.h index cb57b9c446f3..6036e3b73b7b 100644 --- a/drivers/gpu/drm/i915/intel_drv.h +++ b/drivers/gpu/drm/i915/intel_drv.h @@ -1282,8 +1282,6 @@ void intel_flush_primary_plane(struct drm_i915_private *dev_priv, int intel_plane_restore(struct drm_plane *plane); int intel_sprite_set_colorkey(struct drm_device *dev, void *data, struct drm_file *file_priv); -int intel_sprite_get_colorkey(struct drm_device *dev, void *data,
struct drm_file *file_priv);bool intel_pipe_update_start(struct intel_crtc *crtc, uint32_t *start_vbl_count); void intel_pipe_update_end(struct intel_crtc *crtc, u32 start_vbl_count); diff --git a/drivers/gpu/drm/i915/intel_sprite.c b/drivers/gpu/drm/i915/intel_sprite.c index f41e872ad858..e9ff6fc61267 100644 --- a/drivers/gpu/drm/i915/intel_sprite.c +++ b/drivers/gpu/drm/i915/intel_sprite.c @@ -1134,30 +1134,6 @@ out_unlock: return ret; }
-int intel_sprite_get_colorkey(struct drm_device *dev, void *data,
struct drm_file *file_priv)-{
- struct drm_intel_sprite_colorkey *get = data;
- struct drm_plane *plane;
- struct intel_plane *intel_plane;
- int ret = 0;
- drm_modeset_lock_all(dev);
- plane = drm_plane_find(dev, get->plane_id);
- if (!plane) {
ret = -ENOENT;goto out_unlock;- }
- intel_plane = to_intel_plane(plane);
- *get = intel_plane->ckey;
-out_unlock:
- drm_modeset_unlock_all(dev);
- return ret;
-}
int intel_plane_restore(struct drm_plane *plane) { if (!plane->crtc || !plane->state->fb) -- 2.1.4
-- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch
On 27 March 2015 at 08:10, Daniel Vetter daniel.vetter@ffwll.ch wrote:
It's completely unused and Tommi noticed that the #define is borked since forever. I've done a git search in userspace and only found broken definitions and no users anywhere.
With this said, have you seen any userspace that uses the uapi/drm headers ? I'm been going through various repos and cannot see a single one. I'm contemplating on hiding them, so that: - We can stop the individual picking of changes into libdrm - Allow easier and automated sync between libdrm and the kernel. Note that I've fixed the make copy-headers target, but the headers are severely out of sync.
Although I don't know (see any document) that defines the policy on this type of changes. Would you have any tips ?
Thanks Emil
dri-devel@lists.freedesktop.org
-
Daniel Vetter -
Daniel Vetter -
Emil Velikov -
Jani Nikula -
Tommi Rantala -
Ville Syrjälä