Re: 5.9-rc7 null ptr deref in __i915_gem_userptr_get_pages_worker
Oh, this is just a copy and paste error, when the code was originally pasted from internal_get_user_pages_fast, which assumes a current. I'll fix this up and send a patch shortly.
Re: 5.9-rc7 null ptr deref in __i915_gem_userptr_get_pages_worker
Alright, the failing code seems to be in mm:

    if (flags & FOLL_PIN)
        atomic_set(&current->mm->has_pinned, 1);

Apparently you can't rely on current->mm being valid in this context; it's null here, hence the +0x64 for has_pinned's offset. This was added by 008cfe4418b3 ("mm: Introduce mm_struct.has_pinned"), which is new for rc7 indeed. The crash goes away when changing that to:

    if ((flags & FOLL_PIN) && current->mm)
        atomic_set(&current->mm->has_pinned, 1);

But I haven't really evaluated whether or not that's racy or if I need to take locks to do such a thing.
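A userspace model of the failure mode discussed above, added here as an example (not code from this thread or from the kernel): it shows why a kworker, which has no mm, turns the `&current->mm->has_pinned` write into a fault at the bare field offset 0x64, and a guarded variant that checks the mm it is handed. The struct layout, the FOLL_PIN value and the sample task names are constructed for the model.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FOLL_PIN 0x40000   /* assumed value; only the bit test matters here */

/* Toy mm_struct: the padding puts has_pinned at +0x64, the offset reported
 * in the oops (CR2: 0064) once the base pointer was NULL. */
struct mm_struct {
    unsigned char pad[0x64];
    atomic_int has_pinned;
};

/* Kernel threads such as kworker own no user address space: mm == NULL. */
struct task_struct {
    const char *comm;
    struct mm_struct *mm;
};

/* Constructed sample tasks. */
static struct mm_struct user_mm;
static struct task_struct user_task = { "bash", &user_mm };
static struct task_struct kworker_task = { "kworker/u33:1", NULL };

/* Address the unguarded atomic_set(&current->mm->has_pinned, 1) would write
 * to if `current` were this task: NULL + offsetof() is the 0x64 in the
 * report, so the fault address names the field, not a wild pointer. */
uintptr_t unguarded_target(const struct task_struct *current)
{
    return (uintptr_t)current->mm + offsetof(struct mm_struct, has_pinned);
}

/* Guarded variant: operate on the mm the caller handed over and refuse a
 * NULL one, instead of trusting current. Returns 1 if the flag was set. */
int mark_pinned_guarded(struct mm_struct *mm, unsigned int flags)
{
    if (!(flags & FOLL_PIN) || !mm)
        return 0;
    atomic_store(&mm->has_pinned, 1);
    return 1;
}

int main(void)
{
    printf("kworker: unguarded write would hit %#lx, guarded sets flag: %d\n",
           (unsigned long)unguarded_target(&kworker_task),
           mark_pinned_guarded(kworker_task.mm, FOLL_PIN));
    return 0;
}
```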
Re: 5.9-rc7 null ptr deref in __i915_gem_userptr_get_pages_worker
Increasing the CC list a bit, as i915 didn't really get much churn rc6->rc7, but mm/gup.c did, and mm has had a lot of recent changes.

On Mon, Sep 28, 2020 at 11:39 AM Jason A. Donenfeld wrote:
>
> Seeing a new crash in 5.9-rc7 I didn't have in 5.9-rc6:
>
> [ 1311.596896] BUG: kernel NULL pointer dereference, address: 0064
> [ 1311.596898] #PF: supervisor write access in kernel mode
> [ 1311.596899] #PF: error_code(0x0002) - not-present page
> [ 1311.596899] PGD 0 P4D 0
> [ 1311.596901] Oops: 0002 [#1] SMP
> [ 1311.596902] CPU: 10 PID: 1431 Comm: kworker/u33:1 Tainted: P S U O 5.9.0-rc7+ #140
> [ 1311.596903] Hardware name: LENOVO 20QTCTO1WW/20QTCTO1WW, BIOS N2OET47W (1.34 ) 08/06/2020
> [ 1311.596955] Workqueue: i915-userptr-acquire __i915_gem_userptr_get_pages_worker [i915]
> [ 1311.596959] RIP: 0010:__get_user_pages_remote+0xd7/0x310
> [ 1311.596960] Code: f5 01 00 00 83 7d 00 01 0f 85 ed 01 00 00 f7 c1 00 00 04 00 0f 84 58 01 00 00 65 48 8b 04 25 00 6d 01 00 48 8b 80 40 03 00 00 40 64 01 00 00 00 65 48 8b 04 25 00 6d 01 00 48 c7 44 24 18 00
> [ 1311.596961] RSP: 0018:888fdfe47de0 EFLAGS: 00010206
> [ 1311.596962] RAX: RBX: 7fe188531000 RCX: 00040001
> [ 1311.596962] RDX: 0001 RSI: 7fe188531000 RDI: 888ff0748f00
> [ 1311.596963] RBP: 888fdfe47e54 R08: 888fedc7d7c8 R09:
> [ 1311.596963] R10: 0018 R11: fefefefefefefeff R12: 888ff0748f00
> [ 1311.596963] R13: 888fedc7d7c8 R14: 888f81fe3a40 R15: 00042003
> [ 1311.596964] FS: () GS:888ffc48() knlGS:
> [ 1311.596965] CS: 0010 DS: ES: CR0: 80050033
> [ 1311.596965] CR2: 0064 CR3: 02009003 CR4: 003706e0
> [ 1311.596966] DR0: DR1: DR2:
> [ 1311.596966] DR3: DR6: fffe0ff0 DR7: 0400
> [ 1311.596967] Call Trace:
> [ 1311.596993] __i915_gem_userptr_get_pages_worker+0xc8/0x260 [i915]
> [ 1311.596996] process_one_work+0x1ca/0x390
> [ 1311.596997] worker_thread+0x48/0x3c0
> [ 1311.596998] ? rescuer_thread+0x3d0/0x3d0
> [ 1311.597000] kthread+0x114/0x130
> [ 1311.597001] ? kthread_create_worker_on_cpu+0x40/0x40
> [ 1311.597003] ret_from_fork+0x1f/0x30
> [ 1311.597031] CR2: 0064
> [ 1311.597033] ---[ end trace e2b8ddde994a6f6d ]---
5.9-rc7 null ptr deref in __i915_gem_userptr_get_pages_worker
Seeing a new crash in 5.9-rc7 I didn't have in 5.9-rc6:

[ 1311.596896] BUG: kernel NULL pointer dereference, address: 0064
[ 1311.596898] #PF: supervisor write access in kernel mode
[ 1311.596899] #PF: error_code(0x0002) - not-present page
[ 1311.596899] PGD 0 P4D 0
[ 1311.596901] Oops: 0002 [#1] SMP
[ 1311.596902] CPU: 10 PID: 1431 Comm: kworker/u33:1 Tainted: P S U O 5.9.0-rc7+ #140
[ 1311.596903] Hardware name: LENOVO 20QTCTO1WW/20QTCTO1WW, BIOS N2OET47W (1.34 ) 08/06/2020
[ 1311.596955] Workqueue: i915-userptr-acquire __i915_gem_userptr_get_pages_worker [i915]
[ 1311.596959] RIP: 0010:__get_user_pages_remote+0xd7/0x310
[ 1311.596960] Code: f5 01 00 00 83 7d 00 01 0f 85 ed 01 00 00 f7 c1 00 00 04 00 0f 84 58 01 00 00 65 48 8b 04 25 00 6d 01 00 48 8b 80 40 03 00 00 40 64 01 00 00 00 65 48 8b 04 25 00 6d 01 00 48 c7 44 24 18 00
[ 1311.596961] RSP: 0018:888fdfe47de0 EFLAGS: 00010206
[ 1311.596962] RAX: RBX: 7fe188531000 RCX: 00040001
[ 1311.596962] RDX: 0001 RSI: 7fe188531000 RDI: 888ff0748f00
[ 1311.596963] RBP: 888fdfe47e54 R08: 888fedc7d7c8 R09:
[ 1311.596963] R10: 0018 R11: fefefefefefefeff R12: 888ff0748f00
[ 1311.596963] R13: 888fedc7d7c8 R14: 888f81fe3a40 R15: 00042003
[ 1311.596964] FS: () GS:888ffc48() knlGS:
[ 1311.596965] CS: 0010 DS: ES: CR0: 80050033
[ 1311.596965] CR2: 0064 CR3: 02009003 CR4: 003706e0
[ 1311.596966] DR0: DR1: DR2:
[ 1311.596966] DR3: DR6: fffe0ff0 DR7: 0400
[ 1311.596967] Call Trace:
[ 1311.596993] __i915_gem_userptr_get_pages_worker+0xc8/0x260 [i915]
[ 1311.596996] process_one_work+0x1ca/0x390
[ 1311.596997] worker_thread+0x48/0x3c0
[ 1311.596998] ? rescuer_thread+0x3d0/0x3d0
[ 1311.597000] kthread+0x114/0x130
[ 1311.597001] ? kthread_create_worker_on_cpu+0x40/0x40
[ 1311.597003] ret_from_fork+0x1f/0x30
[ 1311.597031] CR2: 0064
[ 1311.597033] ---[ end trace e2b8ddde994a6f6d ]---