In the same spirit as the fix for QXL in commit 861078381ba5 ("drm: qxl: Don't alloc fbdev if emulation is not supported"), prevent the Oops in the unbind path of Bochs if fbdev emulation is disabled.
[ 112.176009] Oops: 0002 [#1] SMP
[ 112.176009] Modules linked in: bochs_drm
[ 112.176009] CPU: 0 PID: 3002 Comm: bash Not tainted 4.11.0-rc1+ #111
[ 112.176009] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.3-20161025_171302-gandalf 04/01/2014
[ 112.176009] task: ffff8800743bbac0 task.stack: ffffc90000b5c000
[ 112.176009] RIP: 0010:mutex_lock+0x18/0x30
[ 112.176009] RSP: 0018:ffffc90000b5fc78 EFLAGS: 00010246
[ 112.176009] RAX: 0000000000000000 RBX: 0000000000000260 RCX: 0000000000000000
[ 112.176009] RDX: ffff8800743bbac0 RSI: ffff8800787176e0 RDI: 0000000000000260
[ 112.176009] RBP: ffffc90000b5fc80 R08: ffffffff00000000 R09: 00000000ffffffff
[ 112.176009] R10: ffff88007b463650 R11: 0000000000000000 R12: 0000000000000260
[ 112.176009] R13: ffff8800787176e0 R14: ffffffffa0003068 R15: 0000000000000060
[ 112.176009] FS: 00007f20564c7b40(0000) GS:ffff88007ce00000(0000) knlGS:0000000000000000
[ 112.176009] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 112.176009] CR2: 0000000000000260 CR3: 000000006b89c000 CR4: 00000000000006f0
[ 112.176009] Call Trace:
[ 112.176009] drm_mode_object_unregister+0x1e/0x50
[ 112.176009] drm_framebuffer_unregister_private+0x15/0x20
[ 112.176009] bochs_fbdev_fini+0x57/0x70 [bochs_drm]
[ 112.176009] bochs_unload+0x16/0x50 [bochs_drm]
[ 112.176009] drm_dev_unregister+0x37/0xd0
[ 112.176009] drm_put_dev+0x31/0x60
[ 112.176009] bochs_pci_remove+0x10/0x20 [bochs_drm]
[ 112.176009] pci_device_remove+0x34/0xb0
[ 112.176009] device_release_driver_internal+0x150/0x200
[ 112.176009] device_release_driver+0xd/0x10
[ 112.176009] unbind_store+0x108/0x150
[ 112.176009] drv_attr_store+0x20/0x30
[ 112.176009] sysfs_kf_write+0x32/0x40
[ 112.176009] kernfs_fop_write+0x10b/0x190
[ 112.176009] __vfs_write+0x23/0x120
[ 112.176009] ? security_file_permission+0x36/0xb0
[ 112.176009] ? rw_verify_area+0x49/0xb0
[ 112.176009] vfs_write+0xb0/0x190
[ 112.176009] SyS_write+0x41/0xa0
[ 112.176009] entry_SYSCALL_64_fastpath+0x1a/0xa9
[ 112.176009] RIP: 0033:0x7f2055bd5620
[ 112.176009] RSP: 002b:00007ffed2f487d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 112.176009] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2055bd5620
[ 112.176009] RDX: 000000000000000d RSI: 0000000000ee0008 RDI: 0000000000000001
[ 112.176009] RBP: 0000000000000001 R08: 00007f2055e94760 R09: 00007f20564c7b40
[ 112.176009] R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000000
[ 112.176009] R13: 00007ffed2f48d70 R14: 0000000000000000 R15: 0000000000000000
[ 112.176009] Code: 00 00 00 55 be 02 00 00 00 48 89 e5 e8 62 fb ff ff 5d c3 55 48 89 e5 53 48 89 fb e8 53 e9 ff ff 65 48 8b 14 25 40 c4 00 00 31 c0 <f0> 48 0f b1 13 48 85 c0 74 08 48 89 df e8c6 ff ff ff 5b 5d c3
[ 112.176009] RIP: mutex_lock+0x18/0x30 RSP: ffffc90000b5fc78
[ 112.176009] CR2: 0000000000000260
[ 112.205622] ---[ end trace 76189cd7a9bdd155 ]---
Signed-off-by: Gabriel Krisman Bertazi <krisman@collabora.co.uk>
---
 drivers/gpu/drm/bochs/bochs_fbdev.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/bochs/bochs_fbdev.c b/drivers/gpu/drm/bochs/bochs_fbdev.c index a11debaad626..471bd588550b 100644 --- a/drivers/gpu/drm/bochs/bochs_fbdev.c +++ b/drivers/gpu/drm/bochs/bochs_fbdev.c @@ -132,6 +132,7 @@ static int bochsfb_create(struct drm_fb_helper *helper, info->fix.smem_start = 0; info->fix.smem_len = size;
+ bochs->fb.initialized = true; return 0; }
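Review bot: the `bochs->fb.initialized = true;` added at the end of bochsfb_create() changes what the flag means, from "bochs_fbdev_init() completed" to "the fbdev framebuffer object exists", and nothing documents that; a short comment at the assignment, or a name such as `fb_created`, would make the later `if (bochs->fb.initialized)` in bochs_fbdev_fini() self-explanatory. The placement directly before `return 0;` is right, since no error return can follow it and leave the flag set without a framebuffer.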
@@ -148,7 +149,6 @@ static int bochs_fbdev_destroy(struct bochs_device *bochs) gfb->obj = NULL; }
- drm_fb_helper_fini(&bochs->fb.helper); drm_framebuffer_unregister_private(&gfb->base); drm_framebuffer_cleanup(&gfb->base);
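Review bot: removing `drm_fb_helper_fini(&bochs->fb.helper);` from bochs_fbdev_destroy() reverses the previous teardown order: the framebuffer is now unregistered and cleaned up (with `gfb->obj` already set to NULL in the context above) while the fb helper and its fbdev registration stay alive until bochs_fbdev_fini() finalizes them. Please confirm that nothing reachable through the still-registered helper can touch gfb in that window, or keep the helper finalization ahead of drm_framebuffer_unregister_private().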
@@ -180,7 +180,6 @@ int bochs_fbdev_init(struct bochs_device *bochs) if (ret) goto fini;
- bochs->fb.initialized = true; return 0;
fini: @@ -190,9 +189,9 @@ int bochs_fbdev_init(struct bochs_device *bochs)
void bochs_fbdev_fini(struct bochs_device *bochs) { - if (!bochs->fb.initialized) - return; + if (bochs->fb.initialized) + bochs_fbdev_destroy(bochs);
- bochs_fbdev_destroy(bochs); + drm_fb_helper_fini(&bochs->fb.helper); bochs->fb.initialized = false; }
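Review bot: in the new bochs_fbdev_fini() the call `drm_fb_helper_fini(&bochs->fb.helper);` is unconditional, but the `fini:` error path of bochs_fbdev_init() (reached through `if (ret) goto fini;` two hunks up) also finalizes the helper, so a probe that fails there followed by a driver remove finalizes the same helper twice. The test robot report further down in the thread shows exactly that: drm_fb_helper_crtc_free reached from bochs_fbdev_fini with RAX = 6b6b6b6b6b6b6b6b, the slab poison of freed memory. Now that the flag assignment has moved out of bochs_fbdev_init() (previous hunk), `fb.initialized` says nothing about the helper any more, so suggest a separate indicator for the helper's state (set once the helper is initialized, cleared on the `fini:` path) and guarding this call with it, or having the error path leave the helper for bochs_fbdev_fini() to finalize.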
On Fri, 2017-03-17 at 15:14 -0300, Gabriel Krisman Bertazi wrote:
> In the same spirit as the fix for QXL in commit 861078381ba5 ("drm: qxl: Don't alloc fbdev if emulation is not supported"), prevent the Oops in the unbind path of Bochs if fbdev emulation is disabled.
pushed to drm-misc-next
thanks, Gerd
FYI, we noticed the following commit:
commit: f04f7e3e041aab12abbf3ed7b854446af5a624a9 ("drm: bochs: Don't remove uninitialized fbdev framebuffer")
url: https://github.com/0day-ci/linux/commits/Gabriel-Krisman-Bertazi/drm-bochs-D...
base: git://git.kraxel.org/linux drm-qemu
in testcase: trinity with following parameters:
runtime: 300s
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-x86_64 -enable-kvm -m 512M
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
+-----------------------------------------------------------------------+------------+------------+
|                                                                       | cbf87d6a8b | f04f7e3e04 |
+-----------------------------------------------------------------------+------------+------------+
| boot_successes                                                        | 0          | 0          |
| boot_failures                                                         | 6          | 8          |
| WARNING:at_drivers/gpu/drm/drm_mode_config.c:#drm_mode_config_cleanup | 6          |            |
| kernel_BUG_at_mm/slab.c                                               | 6          |            |
| invalid_opcode:#[##]                                                  | 6          |            |
| Kernel_panic-not_syncing:Fatal_exception                              | 6          | 8          |
| general_protection_fault:#[##]                                        | 0          | 8          |
+-----------------------------------------------------------------------+------------+------------+
[ 9.931866] [TTM] Zone kernel: Available graphics memory: 219250 kiB
[ 9.932295] [TTM] Initializing pool allocator
[ 9.932599] [TTM] Initializing DMA pool allocator
[ 9.937917] bochsdrmfb: enable CONFIG_FB_LITTLE_ENDIAN to support this framebuffer
[ 9.938724] [drm] Initialized bochs-drm 1.0.0 20130925 for 0000:00:02.0 on minor 1
[ 9.939428] general protection fault: 0000 [#1] SMP
[ 9.939813] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.10.0-rc8-01399-gf04f7e3 #1
[ 9.940310] task: ffff88001e468040 task.stack: ffff88001e46c000
[ 9.940708] RIP: 0010:drm_fb_helper_crtc_free+0x26/0xa0
[ 9.941060] RSP: 0018:ffff88001e46fc28 EFLAGS: 00010202
[ 9.941411] RAX: 6b6b6b6b6b6b6b6b RBX: 0000000000000001 RCX: ffff88001e468ba0
[ 9.941886] RDX: 0000000000000001 RSI: ffff88001e468b68 RDI: ffff88001a7ca058
[ 9.942352] RBP: ffff88001e46fc48 R08: 0000000078532a4d R09: ae27c82000000000
[ 9.942820] R10: 0000000000000000 R11: 00000000f5cb56dd R12: ffff88001a7ca058
[ 9.943284] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 9.943759] FS: 0000000000000000(0000) GS:ffff88001f800000(0000) knlGS:0000000000000000
[ 9.944547] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 9.944968] CR2: 00007fb16c28b820 CR3: 0000000002e11000 CR4: 00000000000006f0
[ 9.945441] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 9.945911] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 9.946376] Call Trace:
[ 9.946547] drm_fb_helper_fini+0xc6/0x110
[ 9.946822] bochs_fbdev_fini+0x24/0x90
[ 9.947076] bochs_unload+0x16/0x50
[ 9.947309] drm_dev_unregister+0x37/0xd0
[ 9.947577] drm_put_dev+0x2f/0x60
[ 9.947962] bochs_pci_remove+0x10/0x20
[ 9.948475] pci_device_remove+0x34/0xb0
[ 9.948978] driver_probe_device+0xd3/0x390
[ 9.949486] __driver_attach+0x92/0xa0
[ 9.949969] ? driver_probe_device+0x390/0x390
[ 9.950525] bus_for_each_dev+0x61/0xa0
[ 9.951005] driver_attach+0x19/0x20
[ 9.951426] bus_add_driver+0x1a2/0x220
[ 9.951692] driver_register+0x5b/0xe0
[ 9.951970] __pci_register_driver+0x5b/0x60
[ 9.952253] ? qxl_init+0x33/0x33
[ 9.952472] drm_pci_init+0xe3/0xf0
[ 9.952710] ? idr_init+0x46/0x50
[ 9.952929] ? qxl_init+0x33/0x33
[ 9.953148] bochs_init+0x25/0x27
[ 9.953368] do_one_initcall+0x90/0x14f
[ 9.953625] kernel_init_freeable+0x1a0/0x22c
[ 9.953911] ? rest_init+0xc0/0xc0
[ 9.954136] kernel_init+0x9/0x100
[ 9.954361] ret_from_fork+0x2c/0x40
[ 9.954606] Code: 0f 1f 44 00 00 55 48 89 e5 41 56 41 55 41 54 53 31 db 8b 57 20 49 89 fc 85 d2 7e 30 49 8b 44 24 28 4c 63 eb 83 c3 01 4a 8b 04 e8 <48> 8b 38 48 83 c7 28 e8 8e 0d 02 00 49 8b 44 24 28 4a 8b 3c e8
[ 9.955849] RIP: drm_fb_helper_crtc_free+0x26/0xa0 RSP: ffff88001e46fc28
[ 9.956296] ---[ end trace e4589f787553d11e ]---
[ 9.956618] Kernel panic - not syncing: Fatal exception
[ 9.956979] Kernel Offset: disabled
Elapsed time: 10
To reproduce:
git clone https://github.com/01org/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> job-script  # job-script is attached in this email
Thanks, Xiaolong
kernel test robot <xiaolong.ye@intel.com> writes:
> FYI, we noticed the following commit:
>
> commit: f04f7e3e041aab12abbf3ed7b854446af5a624a9 ("drm: bochs: Don't remove uninitialized fbdev framebuffer")
> url: https://github.com/0day-ci/linux/commits/Gabriel-Krisman-Bertazi/drm-bochs-D...
> base: git://git.kraxel.org/linux drm-qemu
>
> in testcase: trinity with following parameters:
>
> runtime: 300s
>
> test-description: Trinity is a linux system call fuzz tester.
> test-url: http://codemonkey.org.uk/projects/trinity/
>
> on test machine: qemu-system-x86_64 -enable-kvm -m 512M
>
> caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
Problem is: register_framebuffer() fails with this config because of reasons, as shown by this line:

[ 9.937917] bochsdrmfb: enable CONFIG_FB_LITTLE_ENDIAN to support this framebuffer

which causes drm_fb_helper_initial_config() to error out and call drm_fb_helper_fini() in the bochs_fbdev_init() error path. Also, since the kernel has CONFIG_DEBUG_TEST_DRIVER_REMOVE, it tries to remove the device in sequence, making a second call to drm_fb_helper_fini, because we didn't unset the initialized flag. I'll get a patch for this first thing tomorrow morning.
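The sequence described in that reply, as an added stand-alone model rather than kernel code or anything from this thread: a failing register_framebuffer() takes the init error path, which already finalizes the helper, and the later remove runs bochs_fbdev_fini(), whose unconditional helper fini then hits the same helper a second time. The `helper_live` flag and the `guarded` variant are assumptions made here to show the point, not the follow-up patch.

```c
/* Stand-alone model of the probe/unload ordering discussed in this thread, not
 * kernel code; the *_stub function and counters stand in for the DRM calls. */
#include <stdbool.h>

struct fbdev_model {
    bool fb_created;        /* models bochs->fb.initialized after the patch */
    bool helper_live;       /* assumed extra state: helper set up, not torn down */
    int helper_fini_calls;  /* times drm_fb_helper_fini() would have run */
    int destroy_calls;      /* times bochs_fbdev_destroy() would have run */
};

static void helper_fini_stub(struct fbdev_model *m)
{
    m->helper_live = false;
    m->helper_fini_calls++;
}

/* Models bochs_fbdev_init(): register_ok == false stands for register_framebuffer()
 * failing (the CONFIG_FB_LITTLE_ENDIAN case), where the fini: path finalizes the helper. */
static int fbdev_init_model(struct fbdev_model *m, bool register_ok)
{
    m->helper_live = true;              /* helper set up successfully */
    if (!register_ok) {
        helper_fini_stub(m);
        return -1;
    }
    m->fb_created = true;               /* bochsfb_create() set the flag */
    return 0;
}

/* Models bochs_fbdev_fini() as in the patch: destroy only if a framebuffer exists,
 * helper fini unconditional. guarded is an assumption: skip fini of a dead helper. */
static void fbdev_fini_model(struct fbdev_model *m, bool guarded)
{
    if (m->fb_created) {                /* stands in for bochs_fbdev_destroy() */
        m->fb_created = false;
        m->destroy_calls++;
    }
    if (!guarded || m->helper_live)
        helper_fini_stub(m);
}

/* Probe, then unbind/unload; the returned counters show what happened. */
struct fbdev_model run_unload_scenario(bool register_ok, bool guarded)
{
    struct fbdev_model m = {0};
    fbdev_init_model(&m, register_ok);
    fbdev_fini_model(&m, guarded);
    return m;
}
```

With the patch's logic a failed probe followed by remove yields two helper teardowns and zero framebuffer destroys; the guarded variant brings the teardown count back to one without touching the (correct) framebuffer handling.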