Re: [BUG] BUG: kernel NULL pointer dereference at ttm_device_init+0xb4

2024-01-23 Thread Steven Rostedt
On Tue, 23 Jan 2024 10:43:04 +0100
Christian König  wrote:

> While applying the fix a week ago I was under the impression that QXL 
> doesn't use a device structure because it doesn't have one and so can't 
> give anything meaningful for this parameter.
> 
> If QXL does have a device structure and can provide it I would rather 
> like to go down this route and make the device and with it the numa node 
> mandatory for drivers to specify.

Then at a minimum my original fix should be applied. Perhaps with a warning
too. That is, I added at the beginning of that function:

	if (!dev)
		return -EINVAL;

Could have that be:

	if (WARN_ON_ONCE(!dev))
		return -EINVAL;

In any case, it should not cause the system to crash.

-- Steve
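The three options weighed in this thread (guard the node lookup with a ternary, warn and refuse a NULL dev, or make dev mandatory) are easy to model outside the kernel. The block below is an added, user-space illustration written for this page, not code from the thread or from drivers/gpu/drm/ttm; the cut-down struct device, the numa_enabled flag, model_bdev and the model_* helpers are assumptions of the model. It mirrors the fact that dev_to_node() reads dev->numa_node only on CONFIG_NUMA kernels (without CONFIG_NUMA it returns NUMA_NO_NODE without touching dev, which is why the fault depends on the kernel config), shows the ternary guard from the posted patch beside the unguarded read, and adds the check a reviewer would want on top: a NULL dev is accepted only when use_dma_alloc is false.

```c
#include <stdbool.h>
#include <stdio.h>

#define NUMA_NO_NODE (-1)
#define EINVAL 22

/* Stand-in for the kernel's struct device (assumption: only the field needed here). */
struct device {
	int numa_node;
};

/*
 * Model of dev_to_node(): with CONFIG_NUMA it reads dev->numa_node with no
 * NULL check, which is the read that faulted at ttm_device_init+0xb4;
 * without CONFIG_NUMA it returns NUMA_NO_NODE without touching dev.
 * The numa_enabled flag emulates that build-time choice.
 */
static int dev_to_node_model(const struct device *dev, bool numa_enabled)
{
	if (!numa_enabled)
		return NUMA_NO_NODE;
	return dev->numa_node;
}

/* Node argument as computed before the fix: faults on NULL when NUMA is on. */
static int unguarded_pool_node(const struct device *dev, bool numa_enabled)
{
	return dev_to_node_model(dev, numa_enabled);
}

/* Node argument with the ternary guard from the posted patch. */
static int guarded_pool_node(const struct device *dev, bool numa_enabled)
{
	return dev ? dev_to_node_model(dev, numa_enabled) : NUMA_NO_NODE;
}

/* Minimal stand-in for the ttm_device state this example needs (assumption). */
struct model_bdev {
	int pool_node;
	bool use_dma_alloc;
};

/*
 * Argument handling for a ttm_device_init()-like entry point. Two policies
 * from the thread are selectable: strict rejects any NULL dev (the
 * WARN_ON_ONCE(!dev) variant); tolerant accepts it and falls back to
 * NUMA_NO_NODE. Both refuse a NULL dev combined with use_dma_alloc, on the
 * assumption that a DMA-backed pool needs a real device to allocate from.
 */
static int model_device_init(struct model_bdev *bdev, const struct device *dev,
			     bool use_dma_alloc, bool strict, bool numa_enabled)
{
	if (!dev && (strict || use_dma_alloc))
		return -EINVAL;

	bdev->pool_node = guarded_pool_node(dev, numa_enabled);
	bdev->use_dma_alloc = use_dma_alloc;
	return 0;
}

/* Returns the chosen pool node on success, -EINVAL when init refuses the arguments. */
static int model_node_after_init(const struct device *dev, bool use_dma_alloc,
				 bool strict, bool numa_enabled)
{
	struct model_bdev bdev;
	int ret = model_device_init(&bdev, dev, use_dma_alloc, strict, numa_enabled);

	return ret < 0 ? ret : bdev.pool_node;
}

/* Constructed sample device that lives on NUMA node 1. */
static const struct device sample_dev = { .numa_node = 1 };

int main(void)
{
	/* NUMA off: even the unguarded read is harmless for a NULL dev. */
	printf("unguarded, NUMA off, dev=NULL   -> %d\n", unguarded_pool_node(NULL, false));
	/* NUMA on: only the guard keeps a NULL dev from faulting. */
	printf("guarded,   NUMA on,  dev=NULL   -> %d\n", guarded_pool_node(NULL, true));
	printf("guarded,   NUMA on,  dev=node 1 -> %d\n", guarded_pool_node(&sample_dev, true));
	printf("tolerant init, NULL dev, no DMA -> %d\n",
	       model_node_after_init(NULL, false, false, true));
	printf("strict init,   NULL dev, no DMA -> %d\n",
	       model_node_after_init(NULL, false, true, true));
	printf("tolerant init, NULL dev, DMA    -> %d\n",
	       model_node_after_init(NULL, true, false, true));
	return 0;
}
```

unguarded_pool_node(NULL, true) is deliberately never called: that is the read the oops in this thread reports, and in user space it would segfault just the same.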


Re: [BUG] BUG: kernel NULL pointer dereference at ttm_device_init+0xb4

2024-01-23 Thread Christian König

On 23.01.24 at 03:52, Steven Rostedt wrote:
> On Tue, 23 Jan 2024 12:32:39 +1000
> Dave Airlie  wrote:
>
> > On Tue, 23 Jan 2024 at 12:21, Dave Airlie  wrote:
> > >
> > > On Tue, 23 Jan 2024 at 12:15, Steven Rostedt  wrote:
> > > >
> > > > On Mon, 22 Jan 2024 19:56:08 -0500
> > > > "Bhardwaj, Rajneesh"  wrote:
> > > >
> > > > > On 1/22/2024 7:43 PM, Linus Torvalds wrote:
> > > > > > On Mon, 22 Jan 2024 at 15:17, Steven Rostedt  wrote:
> > > > > > > Perhaps this is the real fix?
> > > > > > If you send a signed-off version, I'll apply it asap.
> > > > >
> > > > > I think a fix might already be in flight. Please see Linux-Kernel
> > > > > Archive: Re: [PATCH] drm/ttm: fix ttm pool initialization for
> > > > > no-dma-device drivers (iu.edu)
> > > >
> > > > Please use lore links. They are much easier to follow and use.
> > >
> > > https://lore.kernel.org/dri-devel/20240123022015.1288588-1-airl...@gmail.com/T/#u
> > >
> > > should also fix it, Linus please apply it directly if Steven has a
> > > chance to give it a run.
> >
> > I see Linus applied the other one, that's fine too.
>
> They don't look mutually exclusive. I can test the other one as well.

While applying the fix a week ago I was under the impression that QXL
doesn't use a device structure because it doesn't have one and so can't
give anything meaningful for this parameter.

If QXL does have a device structure and can provide it I would rather
like to go down this route and make the device and with it the numa node
mandatory for drivers to specify.

Regards,
Christian.

> -- Steve




Re: [BUG] BUG: kernel NULL pointer dereference at ttm_device_init+0xb4

2024-01-22 Thread Steven Rostedt
On Tue, 23 Jan 2024 12:32:39 +1000
Dave Airlie  wrote:

> On Tue, 23 Jan 2024 at 12:21, Dave Airlie  wrote:
> >
> > On Tue, 23 Jan 2024 at 12:15, Steven Rostedt  wrote:  
> > >
> > > On Mon, 22 Jan 2024 19:56:08 -0500
> > > "Bhardwaj, Rajneesh"  wrote:
> > >  
> > > >
> > > > On 1/22/2024 7:43 PM, Linus Torvalds wrote:  
> > > > > On Mon, 22 Jan 2024 at 15:17, Steven Rostedt  
> > > > > wrote:  
> > > > >> Perhaps this is the real fix?  
> > > > > If you send a signed-off version, I'll apply it asap.  
> > > >
> > > >
> > > > I think a fix might already be in flight. Please see Linux-Kernel
> > > > Archive: Re: [PATCH] drm/ttm: fix ttm pool initialization for
> > > > no-dma-device drivers (iu.edu)
> > > >   
> > >
> > > Please use lore links. They are much easier to follow and use.  
> >
> > https://lore.kernel.org/dri-devel/20240123022015.1288588-1-airl...@gmail.com/T/#u
> >
> > should also fix it, Linus please apply it directly if Steven has a
> > chance to give it a run.  
> 
> I see Linus applied the other one, that's fine too.
> 

They don't look mutually exclusive. I can test the other one as well.

-- Steve


Re: [BUG] BUG: kernel NULL pointer dereference at ttm_device_init+0xb4

2024-01-22 Thread Dave Airlie
On Tue, 23 Jan 2024 at 12:21, Dave Airlie  wrote:
>
> On Tue, 23 Jan 2024 at 12:15, Steven Rostedt  wrote:
> >
> > On Mon, 22 Jan 2024 19:56:08 -0500
> > "Bhardwaj, Rajneesh"  wrote:
> >
> > >
> > > On 1/22/2024 7:43 PM, Linus Torvalds wrote:
> > > > On Mon, 22 Jan 2024 at 15:17, Steven Rostedt  
> > > > wrote:
> > > >> Perhaps this is the real fix?
> > > > If you send a signed-off version, I'll apply it asap.
> > >
> > >
> > > I think a fix might already be in flight. Please see Linux-Kernel
> > > Archive: Re: [PATCH] drm/ttm: fix ttm pool initialization for
> > > no-dma-device drivers (iu.edu)
> > > 
> >
> > Please use lore links. They are much easier to follow and use.
>
> https://lore.kernel.org/dri-devel/20240123022015.1288588-1-airl...@gmail.com/T/#u
>
> should also fix it, Linus please apply it directly if Steven has a
> chance to give it a run.

I see Linus applied the other one, that's fine too.

Dave.


Re: [BUG] BUG: kernel NULL pointer dereference at ttm_device_init+0xb4

2024-01-22 Thread Dave Airlie
On Tue, 23 Jan 2024 at 12:15, Steven Rostedt  wrote:
>
> On Mon, 22 Jan 2024 19:56:08 -0500
> "Bhardwaj, Rajneesh"  wrote:
>
> >
> > On 1/22/2024 7:43 PM, Linus Torvalds wrote:
> > > On Mon, 22 Jan 2024 at 15:17, Steven Rostedt  wrote:
> > >> Perhaps this is the real fix?
> > > If you send a signed-off version, I'll apply it asap.
> >
> >
> > I think a fix might already be in flight. Please see Linux-Kernel
> > Archive: Re: [PATCH] drm/ttm: fix ttm pool initialization for
> > no-dma-device drivers (iu.edu)
> > 
>
> Please use lore links. They are much easier to follow and use.

https://lore.kernel.org/dri-devel/20240123022015.1288588-1-airl...@gmail.com/T/#u

should also fix it, Linus please apply it directly if Steven has a
chance to give it a run.

Thanks,
Dave.


Re: [BUG] BUG: kernel NULL pointer dereference at ttm_device_init+0xb4

2024-01-22 Thread Steven Rostedt
On Mon, 22 Jan 2024 19:56:08 -0500
"Bhardwaj, Rajneesh"  wrote:

> 
> On 1/22/2024 7:43 PM, Linus Torvalds wrote:
> > On Mon, 22 Jan 2024 at 15:17, Steven Rostedt  wrote:
> >> Perhaps this is the real fix?
> > If you send a signed-off version, I'll apply it asap.
> 
> 
> I think a fix might already be in flight. Please see Linux-Kernel 
> Archive: Re: [PATCH] drm/ttm: fix ttm pool initialization for 
> no-dma-device drivers (iu.edu) 
> 

Please use lore links. They are much easier to follow and use.

  https://lore.kernel.org/lkml/20240113213347.9562-1-pchel...@ispras.ru/

is the patch I believe you are referencing.

The fix doesn't need to be mine, but this should be in Linus's tree ASAP.

-- Steve


Re: [BUG] BUG: kernel NULL pointer dereference at ttm_device_init+0xb4

2024-01-22 Thread Linus Torvalds
On Mon, 22 Jan 2024 at 16:56, Bhardwaj, Rajneesh
 wrote:
>
> I think a fix might already be in flight. Please see  Linux-Kernel Archive: 
> Re: [PATCH] drm/ttm: fix ttm pool initialization for no-dma-device drivers 
> (iu.edu)

Please use lore.kernel.org that doesn't corrupt whitespace in patches
or lose header information:

  https://lore.kernel.org/lkml/20240113213347.9562-1-pchel...@ispras.ru/

although that seems to be a strange definition of "in flight". It was
sent out 8 days ago, and apparently nobody thought to include it in
the drm fixes pile that came in last Friday.

So it made it into rc1, even though it was reported a week before.

It also looks like some mailing list there is mangling emails - if you
use 'all' instead of 'lkml', lore reports multiple emails with the
same message-id, and it all looks messier as a result.

I assume it's dri-devel@lists.freedesktop.org that messes up, mainly
because I don't tend to see this behaviour when only the usual
kernel.org mailing lists are involved.

  Linus


RE: [BUG] BUG: kernel NULL pointer dereference at ttm_device_init+0xb4

2024-01-22 Thread Bhardwaj, Rajneesh
[AMD Official Use Only - General]

-Original Message-
From: Steven Rostedt 
Sent: Monday, January 22, 2024 6:19 PM
To: LKML 
Cc: Linus Torvalds ; Bhardwaj, Rajneesh 
; Kuehling, Felix ; Koenig, 
Christian ; dri-devel@lists.freedesktop.org
Subject: Re: [BUG] BUG: kernel NULL pointer dereference at ttm_device_init+0xb4

On Mon, 22 Jan 2024 18:15:47 -0500
Steven Rostedt  wrote:

> > ttm_pool_init(&bdev->pool, dev, dev_to_node(dev), use_dma_alloc,
> > use_dma32); <<<--- BUG!
> >
> > Specifically, it appears that dev is NULL and dev_to_node() doesn't
> > like having a NULL pointer passed to it.
> >
>
> Yeah, that qxl_ttm_init() has:
>
>	/* No others user of address space so set it to 0 */
>	r = ttm_device_init(&qdev->mman.bdev, &qxl_bo_driver, NULL,
>			    qdev->ddev.anon_inode->i_mapping,
>			    qdev->ddev.vma_offset_manager,
>			    false, false);
>
> Where that NULL is "dev"!
>
> Thus that will never work here.

Perhaps this is the real fix?

I think the fix might be already applied to drm misc. Please see, 
https://lkml.iu.edu/hypermail/linux/kernel/2401.1/06778.html


-- Steve

diff --git a/drivers/gpu/drm/ttm/ttm_device.c b/drivers/gpu/drm/ttm/ttm_device.c
index f5187b384ae9..bc217b4d6b04 100644
--- a/drivers/gpu/drm/ttm/ttm_device.c
+++ b/drivers/gpu/drm/ttm/ttm_device.c
@@ -215,7 +215,8 @@ int ttm_device_init(struct ttm_device *bdev, const struct 
ttm_device_funcs *func

ttm_sys_man_init(bdev);

-   ttm_pool_init(>pool, dev, dev_to_node(dev), use_dma_alloc, 
use_dma32);
+   ttm_pool_init(>pool, dev, dev ? dev_to_node(dev) : NUMA_NO_NODE,
+ use_dma_alloc, use_dma32);

bdev->vma_manager = vma_manager;
spin_lock_init(>lru_lock);


Re: [BUG] BUG: kernel NULL pointer dereference at ttm_device_init+0xb4

2024-01-22 Thread Bhardwaj, Rajneesh


On 1/22/2024 7:43 PM, Linus Torvalds wrote:
> On Mon, 22 Jan 2024 at 15:17, Steven Rostedt  wrote:
> > Perhaps this is the real fix?
>
> If you send a signed-off version, I'll apply it asap.

I think a fix might already be in flight. Please see Linux-Kernel
Archive: Re: [PATCH] drm/ttm: fix ttm pool initialization for
no-dma-device drivers (iu.edu)

> Thanks,
>   Linus

Re: [BUG] BUG: kernel NULL pointer dereference at ttm_device_init+0xb4

2024-01-22 Thread Linus Torvalds
On Mon, 22 Jan 2024 at 15:17, Steven Rostedt  wrote:
>
> Perhaps this is the real fix?

If you send a signed-off version, I'll apply it asap.

Thanks,
 Linus


Re: [BUG] BUG: kernel NULL pointer dereference at ttm_device_init+0xb4

2024-01-22 Thread Bhardwaj, Rajneesh



On 1/22/2024 7:34 PM, Steven Rostedt wrote:

On Mon, 22 Jan 2024 19:29:41 -0500
"Bhardwaj, Rajneesh"  wrote:


In one of my previous revisions of this patch when I was experimenting,
I used something like below. Wonder if that could work in your case
and/or in general.


diff --git a/drivers/gpu/drm/ttm/ttm_device.c
b/drivers/gpu/drm/ttm/ttm_device.c

index 43e27ab77f95..4c3902b94be4 100644

--- a/drivers/gpu/drm/ttm/ttm_device.c

+++ b/drivers/gpu/drm/ttm/ttm_device.c

@@ -195,6 +195,7 @@ int ttm_device_init(struct ttm_device *bdev, struct
ttm_device_funcs *funcs,

bool use_dma_alloc, bool use_dma32){

struct ttm_global *glob = _glob;

+bool node_has_cpu = false;

int ret;

if (WARN_ON(vma_manager == NULL))

@@ -213,7 +214,12 @@ int ttm_device_init(struct ttm_device *bdev, struct
ttm_device_funcs *funcs,

bdev->funcs = funcs;

ttm_sys_man_init(bdev);

-ttm_pool_init(>pool, dev, NUMA_NO_NODE, use_dma_alloc, use_dma32);

+

+node_has_cpu = node_state(dev->numa_node, N_CPU);

Considering that qxl_ttm_init() passes in dev = NULL, the above would blow
up just the same.



I agree, I think we need something like you suggested i.e.

+   ttm_pool_init(>pool, dev, dev ? dev_to_node(dev) : NUMA_NO_NODE,
+ use_dma_alloc, use_dma32);


I am not quite sure if the above node_has_cpu change will be a better 
solution in general, along with the NULL pointer check as you suggested. 
If you prefer that, then I can send a fix otherwise, your fix looks good 
to me.





-- Steve



+if (node_has_cpu)

+ttm_pool_init(>pool, dev, dev->numa_node, use_dma_alloc, use_dma32);

+else

+ttm_pool_init(>pool, dev, NUMA_NO_NODE, use_dma_alloc,

+use_dma32);

bdev->vma_manager = vma_manager;

spin_lock_init(>lru_lock);



-- Steve


Re: [BUG] BUG: kernel NULL pointer dereference at ttm_device_init+0xb4

2024-01-22 Thread Steven Rostedt
On Mon, 22 Jan 2024 19:29:41 -0500
"Bhardwaj, Rajneesh"  wrote:

> 
> In one of my previous revisions of this patch when I was experimenting, 
> I used something like below. Wonder if that could work in your case 
> and/or in general.
> 
> 
> diff --git a/drivers/gpu/drm/ttm/ttm_device.c 
> b/drivers/gpu/drm/ttm/ttm_device.c
> 
> index 43e27ab77f95..4c3902b94be4 100644
> 
> --- a/drivers/gpu/drm/ttm/ttm_device.c
> 
> +++ b/drivers/gpu/drm/ttm/ttm_device.c
> 
> @@ -195,6 +195,7 @@ int ttm_device_init(struct ttm_device *bdev, struct 
> ttm_device_funcs *funcs,
> 
> bool use_dma_alloc, bool use_dma32){
> 
> struct ttm_global *glob = _glob;
> 
> +bool node_has_cpu = false;
> 
> int ret;
> 
> if (WARN_ON(vma_manager == NULL))
> 
> @@ -213,7 +214,12 @@ int ttm_device_init(struct ttm_device *bdev, struct 
> ttm_device_funcs *funcs,
> 
> bdev->funcs = funcs;
> 
> ttm_sys_man_init(bdev);
> 
> -ttm_pool_init(>pool, dev, NUMA_NO_NODE, use_dma_alloc, use_dma32);
> 
> +
> 
> +node_has_cpu = node_state(dev->numa_node, N_CPU);

Considering that qxl_ttm_init() passes in dev = NULL, the above would blow
up just the same.

-- Steve


> 
> +if (node_has_cpu)
> 
> +ttm_pool_init(>pool, dev, dev->numa_node, use_dma_alloc, use_dma32);
> 
> +else
> 
> +ttm_pool_init(>pool, dev, NUMA_NO_NODE, use_dma_alloc,
> 
> +use_dma32);
> 
> bdev->vma_manager = vma_manager;
> 
> spin_lock_init(>lru_lock);
> 
> 
> >
> > -- Steve


Re: [BUG] BUG: kernel NULL pointer dereference at ttm_device_init+0xb4

2024-01-22 Thread Bhardwaj, Rajneesh


On 1/22/2024 6:06 PM, Steven Rostedt wrote:

I just kicked off testing some patches on top of 6.8-rc1 and triggered this
immediately:

[ note this happened on both my 32 bit and 64 bit test machines, this is
   just the 32 bit output ]

  BUG: kernel NULL pointer dereference, address: 0238
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x) - not-present page
  *pdpt =  *pde = f000ff53f000ff53
  Oops:  [#1] PREEMPT SMP PTI
  CPU: 0 PID: 9 Comm: kworker/0:1 Not tainted 
6.8.0-rc1-test-1-g2b44760609e9-dirty #1056
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 
1.16.3-debian-1.16.3-2 04/01/2014
  Workqueue: events work_for_cpu_fn
  EIP: ttm_device_init+0xb4/0x274
  Code: 86 10 09 00 00 83 c4 0c 85 c0 0f 84 96 01 00 00 8b 45 ac 8d 9e 94 00 00 00 89 
46 08 89 f0 e8 27 05 00 00 8b 55 a8 0f b6 45 98 <8b> 8a 38 02 00 00 50 0f b6 45 
9c 50 89 d8 e8 95 ee ff ff 8b 45 a0
  EAX:  EBX: c135a7e4 ECX: c135a7b0 EDX: 
  ESI: c135a750 EDI: 0007bc1d EBP: c11d7e4c ESP: c11d7de4
  DS: 007b ES: 007b FS: 00d8 GS:  SS: 0068 EFLAGS: 00010246
  CR0: 80050033 CR2: 0238 CR3: 145c4000 CR4: 06f0
  Call Trace:
   ? show_regs+0x4f/0x58
   ? __die+0x1d/0x58
   ? page_fault_oops+0x171/0x330
   ? lock_acquire+0xa4/0x280
   ? kernelmode_fixup_or_oops.constprop.0+0x7c/0xcc
   ? __bad_area_nosemaphore.constprop.0+0x124/0x1b4
   ? __mutex_lock+0x17f/0xb00
   ? bad_area_nosemaphore+0xf/0x14
   ? do_user_addr_fault+0x140/0x3e4
   ? exc_page_fault+0x5b/0x1d8
   ? pvclock_clocksource_read_nowd+0x130/0x130
   ? handle_exception+0x133/0x133
   ? pvclock_clocksource_read_nowd+0x130/0x130
   ? ttm_device_init+0xb4/0x274
   ? pvclock_clocksource_read_nowd+0x130/0x130
   ? ttm_device_init+0xb4/0x274
   qxl_ttm_init+0x34/0x130
   qxl_bo_init+0xd/0x10
   qxl_device_init+0x52a/0x92c
   qxl_pci_probe+0x91/0x1ac
   local_pci_probe+0x3d/0x84
   work_for_cpu_fn+0x16/0x20
   process_one_work+0x1bc/0x4a0
   worker_thread+0x310/0x3a8
   kthread+0xea/0x110
   ? rescuer_thread+0x2f0/0x2f0
   ? kthread_complete_and_exit+0x1c/0x1c
   ret_from_fork+0x34/0x4c
   ? kthread_complete_and_exit+0x1c/0x1c
   ret_from_fork_asm+0x12/0x18
   entry_INT80_32+0xf0/0xf0
  Modules linked in:
  CR2: 0238
  ---[ end trace  ]---

The crash happened here:

int ttm_device_init(struct ttm_device *bdev, const struct ttm_device_funcs *funcs,
		    struct device *dev, struct address_space *mapping,
		    struct drm_vma_offset_manager *vma_manager,
		    bool use_dma_alloc, bool use_dma32)
{
	struct ttm_global *glob = &ttm_glob;
	int ret;

	if (WARN_ON(vma_manager == NULL))
		return -EINVAL;

	ret = ttm_global_init();
	if (ret)
		return ret;

	bdev->wq = alloc_workqueue("ttm",
				   WQ_MEM_RECLAIM | WQ_HIGHPRI | WQ_UNBOUND, 16);
	if (!bdev->wq) {
		ttm_global_release();
		return -ENOMEM;
	}

	bdev->funcs = funcs;

	ttm_sys_man_init(bdev);

	ttm_pool_init(&bdev->pool, dev, dev_to_node(dev), use_dma_alloc,
		      use_dma32); <<<--- BUG!

Specifically, it appears that dev is NULL and dev_to_node() doesn't like
having a NULL pointer passed to it.

I currently "fixed" this with a:

	if (!dev)
		return -EINVAL;

at the start of this function just so that I can continue running my tests,
but that is obviously incorrect.



In one of my previous revisions of this patch when I was experimenting, 
I used something like below. Wonder if that could work in your case 
and/or in general.



diff --git a/drivers/gpu/drm/ttm/ttm_device.c 
b/drivers/gpu/drm/ttm/ttm_device.c


index 43e27ab77f95..4c3902b94be4 100644

--- a/drivers/gpu/drm/ttm/ttm_device.c

+++ b/drivers/gpu/drm/ttm/ttm_device.c

@@ -195,6 +195,7 @@ int ttm_device_init(struct ttm_device *bdev, struct 
ttm_device_funcs *funcs,


bool use_dma_alloc, bool use_dma32){

struct ttm_global *glob = _glob;

+bool node_has_cpu = false;

int ret;

if (WARN_ON(vma_manager == NULL))
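Review bot: `bool node_has_cpu = false;` in this hunk is a dead initialiser; the only use in the next hunk assigns node_state(...) unconditionally before the value is read, so drop the `= false` or declare the variable at the point of use. The hunk header also shows `struct ttm_device_funcs *funcs` without const, while the other patch in this thread shows `const struct ttm_device_funcs *func` in its header, so this diff was generated against an older base and needs a rebase before it can apply.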

@@ -213,7 +214,12 @@ int ttm_device_init(struct ttm_device *bdev, struct 
ttm_device_funcs *funcs,


bdev->funcs = funcs;

ttm_sys_man_init(bdev);

-ttm_pool_init(>pool, dev, NUMA_NO_NODE, use_dma_alloc, use_dma32);

+

+node_has_cpu = node_state(dev->numa_node, N_CPU);

+if (node_has_cpu)

+ttm_pool_init(>pool, dev, dev->numa_node, use_dma_alloc, use_dma32);

+else

+ttm_pool_init(>pool, dev, NUMA_NO_NODE, use_dma_alloc,

+use_dma32);

bdev->vma_manager = vma_manager;

spin_lock_init(>lru_lock);
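Review bot: `node_state(dev->numa_node, N_CPU)` dereferences dev without a check, so for qxl, which passes dev = NULL as quoted elsewhere in this thread, this faults exactly like the dev_to_node(dev) it is meant to replace; guard it first, e.g. `dev ? node_state(dev->numa_node, N_CPU) : false`. The removed line still passes NUMA_NO_NODE to ttm_pool_init(), whereas the tree that oopsed already passes dev_to_node(dev), so the hunk will not apply to 6.8-rc1 as posted. The two ttm_pool_init() calls differ only in the node argument; compute the node into one variable and keep a single call, and consider whether N_CPU is the right state to test when the node is being chosen for page allocation.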




-- Steve

Re: [BUG] BUG: kernel NULL pointer dereference at ttm_device_init+0xb4

2024-01-22 Thread Steven Rostedt
On Mon, 22 Jan 2024 18:15:47 -0500
Steven Rostedt  wrote:

> > ttm_pool_init(&bdev->pool, dev, dev_to_node(dev), use_dma_alloc,
> > use_dma32); <<<--- BUG!
> > 
> > Specifically, it appears that dev is NULL and dev_to_node() doesn't like
> > having a NULL pointer passed to it.
> >   
> 
> Yeah, that qxl_ttm_init() has:
> 
>	/* No others user of address space so set it to 0 */
>	r = ttm_device_init(&qdev->mman.bdev, &qxl_bo_driver, NULL,
>			    qdev->ddev.anon_inode->i_mapping,
>			    qdev->ddev.vma_offset_manager,
>			    false, false);
> 
> Where that NULL is "dev"!
> 
> Thus that will never work here.

Perhaps this is the real fix?

-- Steve

diff --git a/drivers/gpu/drm/ttm/ttm_device.c b/drivers/gpu/drm/ttm/ttm_device.c
index f5187b384ae9..bc217b4d6b04 100644
--- a/drivers/gpu/drm/ttm/ttm_device.c
+++ b/drivers/gpu/drm/ttm/ttm_device.c
@@ -215,7 +215,8 @@ int ttm_device_init(struct ttm_device *bdev, const struct 
ttm_device_funcs *func
 
ttm_sys_man_init(bdev);
 
-   ttm_pool_init(>pool, dev, dev_to_node(dev), use_dma_alloc, 
use_dma32);
+   ttm_pool_init(>pool, dev, dev ? dev_to_node(dev) : NUMA_NO_NODE,
+ use_dma_alloc, use_dma32);
 
bdev->vma_manager = vma_manager;
spin_lock_init(>lru_lock);
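Review bot: the ternary stops the fault at dev_to_node(dev), but `dev` is still handed to ttm_pool_init() as NULL together with use_dma_alloc, and nothing in this hunk prevents a caller from pairing a NULL dev with use_dma_alloc = true, which a DMA-backed pool cannot honour. Reject that combination up front, e.g. `if (WARN_ON(!dev && use_dma_alloc)) return -EINVAL;`, and state in the kernel-doc for ttm_device_init() that dev may be NULL only when use_dma_alloc is false. As posted the patch also carries no Signed-off-by, which the maintainer asked for before applying it.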


Re: [BUG] BUG: kernel NULL pointer dereference at ttm_device_init+0xb4

2024-01-22 Thread Steven Rostedt
On Mon, 22 Jan 2024 18:06:05 -0500
Steven Rostedt  wrote:


>   qxl_ttm_init+0x34/0x130


> 
> int ttm_device_init(struct ttm_device *bdev, const struct ttm_device_funcs *funcs,
> 		    struct device *dev, struct address_space *mapping,
> 		    struct drm_vma_offset_manager *vma_manager,
> 		    bool use_dma_alloc, bool use_dma32)
> {
> 	struct ttm_global *glob = &ttm_glob;
> 	int ret;
> 
> 	if (WARN_ON(vma_manager == NULL))
> 		return -EINVAL;
> 
> 	ret = ttm_global_init();
> 	if (ret)
> 		return ret;
> 
> 	bdev->wq = alloc_workqueue("ttm",
> 				   WQ_MEM_RECLAIM | WQ_HIGHPRI | WQ_UNBOUND, 16);
> 	if (!bdev->wq) {
> 		ttm_global_release();
> 		return -ENOMEM;
> 	}
> 
> 	bdev->funcs = funcs;
> 
> 	ttm_sys_man_init(bdev);
> 
> 	ttm_pool_init(&bdev->pool, dev, dev_to_node(dev), use_dma_alloc,
> 		      use_dma32); <<<--- BUG!
> 
> Specifically, it appears that dev is NULL and dev_to_node() doesn't like
> having a NULL pointer passed to it.
> 

Yeah, that qxl_ttm_init() has:

	/* No others user of address space so set it to 0 */
	r = ttm_device_init(&qdev->mman.bdev, &qxl_bo_driver, NULL,
			    qdev->ddev.anon_inode->i_mapping,
			    qdev->ddev.vma_offset_manager,
			    false, false);

Where that NULL is "dev"!

Thus that will never work here.

-- Steve