linux/drivers/gpu/drm
Ville Syrjälä 2850cfddfb drm/i915: Fix NULL plane->fb oops on SKL
In this atomic age, we can't trust the plane->fb pointer anymore.
It might get updated too late. Instead we are supposed to use the
plane_state->fb pointer instead. Let's do that in
intel_plane_obj_offset() and avoid problems from dereferencing the
potentially stale plane->fb pointer.

Paulo found this with 'kms_frontbuffer_tracking --show-hidden --run-subtest nop-1p-rte'
but it can be reproduced with just plain old kms_setplane.

I was too lazy to bisect this, so not sure exactly when it broke. The
most obvious candidate
commit ce7f172856 ("drm/i915: Fix i915_ggtt_view_equal to handle rotation correctly")
was actually still fine, so it must have broken some time after that.

Here's the resulting fireworks:
BUG: unable to handle kernel NULL pointer dereference at           (null)
IP: [<ffffffffa02d2d9a>] intel_fill_fb_ggtt_view+0x1b/0x15a [i915]
PGD 8a5f6067 PUD 8a5f5067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: i915 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm intel_gtt agpgart netconsole mousedev hid_generic psmouse usbhid atkbd libps2 coretemp hwmon efi_pstore intel_rapl iosf_mbi x86_pkg_temp_thermal efivars pcspkr e1000e sdhci_pci ptp pps_core sdhci i2c_i801 mmc_core i2c_hid hid i8042 serio evdev sch_fq_codel ip_tables x_tables ipv6 autofs4
CPU: 1 PID: 260 Comm: kms_plane Not tainted 4.4.0-skl+ #171
Hardware name: Intel Corporation Skylake Client platform/Skylake Y LPDDR3 RVP3, BIOS SKLSE2R1.R00.B104.B00.1511030553 11/03/2015
task: ffff88008bde2d80 ti: ffff88008a6ec000 task.ti: ffff88008a6ec000
RIP: 0010:[<ffffffffa02d2d9a>]  [<ffffffffa02d2d9a>] intel_fill_fb_ggtt_view+0x1b/0x15a [i915]
RSP: 0018:ffff88008a6efa10  EFLAGS: 00010086
RAX: 0000000000000001 RBX: ffff8801674f4240 RCX: 0000000000000014
RDX: ffff88008a7440c0 RSI: 0000000000000000 RDI: ffff88008a6efa40
RBP: ffff88008a6efa30 R08: ffff88008bde3598 R09: 0000000000000001
R10: ffff88008b782000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88008a7440c0 R14: 0000000000000000 R15: ffff88008a7449c0
FS:  00007fa0c07a28c0(0000) GS:ffff88016ec40000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000008a6ff000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffff8801674f4240 0000000000000000 ffff88008a7440c0 0000000000000000
 ffff88008a6efaa0 ffffffffa02daf25 ffffffff814ec80e 0000000000070298
 ffff8800850d0000 ffff88008a6efaa0 ffffffffa02c49c2 0000000000000002
Call Trace:
 [<ffffffffa02daf25>] intel_plane_obj_offset+0x2d/0xa9 [i915]
 [<ffffffff814ec80e>] ? _raw_spin_unlock_irqrestore+0x4b/0x60
 [<ffffffffa02c49c2>] ? gen9_write32+0x2e8/0x3b8 [i915]
 [<ffffffffa02eecfc>] skl_update_plane+0x203/0x4c5 [i915]
 [<ffffffffa02ca1ab>] intel_plane_atomic_update+0x53/0x6a [i915]
 [<ffffffffa02494a4>] drm_atomic_helper_commit_planes_on_crtc+0x142/0x1d5 [drm_kms_helper]
 [<ffffffffa02de44b>] intel_atomic_commit+0x1262/0x1350 [i915]
 [<ffffffffa024a0ee>] ? __drm_atomic_helper_crtc_duplicate_state+0x2f/0x41 [drm_kms_helper]
 [<ffffffffa01ef089>] ? drm_atomic_check_only+0x3e3/0x552 [drm]
 [<ffffffffa01ef245>] drm_atomic_commit+0x4d/0x52 [drm]
 [<ffffffffa024996b>] drm_atomic_helper_update_plane+0xcb/0x118 [drm_kms_helper]
 [<ffffffffa01e42e8>] __setplane_internal+0x1c8/0x224 [drm]
 [<ffffffffa01e477f>] drm_mode_setplane+0x14e/0x172 [drm]
 [<ffffffffa01d8117>] drm_ioctl+0x265/0x3ad [drm]
 [<ffffffffa01e4631>] ? drm_mode_cursor_common+0x158/0x158 [drm]
 [<ffffffff810d00ab>] ? current_kernel_time64+0x5e/0x98
 [<ffffffff810a76ea>] ? trace_hardirqs_on_caller+0x17a/0x196
 [<ffffffff8119880f>] do_vfs_ioctl+0x42b/0x4ea
 [<ffffffff811a2b72>] ? __fget_light+0x4d/0x71
 [<ffffffff81198911>] SyS_ioctl+0x43/0x61
 [<ffffffff814ed057>] entry_SYSCALL_64_fastpath+0x12/0x6f

Cc: drm-intel-fixes@lists.freedesktop.org
Cc: Paulo Zanoni <paulo.r.zanoni@intel.com>
Testcase: igt/kms_plane
Reported-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1453220597-28973-1-git-send-email-ville.syrjala@linux.intel.com
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
(cherry picked from commit e794129444)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
2016-01-29 09:13:28 +02:00
amd Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux 2016-01-17 13:40:25 -08:00
armada Merge branch 'drm-armada-devel' of git://ftp.arm.linux.org.uk/~rmk/linux-arm into drm-next 2015-12-23 09:19:58 +10:00
ast drm: Pass 'name' to drm_encoder_init() 2015-12-11 09:13:20 +01:00
atmel-hlcdc drm: use dev_name as default unique name in drm_dev_alloc() 2015-12-15 13:56:06 +01:00
bochs drm/bochs: Constify function pointer structs 2015-12-15 13:42:36 +01:00
bridge Merge tag 'topic/drm-misc-2016-01-17' of git://anongit.freedesktop.org/drm-intel into drm-next 2016-01-18 07:01:16 +10:00
cirrus drm/cirrus: Constify function pointer structs 2015-12-15 13:43:59 +01:00
etnaviv drm/etnaviv: fix workaround for GC500 2016-01-07 11:57:57 +01:00
exynos Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux 2016-01-17 13:40:25 -08:00
fsl-dcu drm: use dev_name as default unique name in drm_dev_alloc() 2015-12-15 13:56:06 +01:00
gma500 Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux 2016-01-17 13:40:25 -08:00
i2c Merge tag 'topic/drm-misc-2016-01-17' of git://anongit.freedesktop.org/drm-intel into drm-next 2016-01-18 07:01:16 +10:00
i810
i915 drm/i915: Fix NULL plane->fb oops on SKL 2016-01-29 09:13:28 +02:00
imx dma-mapping: always provide the dma_map_ops based implementation 2016-01-20 17:09:18 -08:00
mga
mgag200 asm-generic changes for 4.5 2016-01-20 17:30:20 -08:00
msm Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux 2016-01-17 13:40:25 -08:00
nouveau asm-generic changes for 4.5 2016-01-20 17:30:20 -08:00
omapdrm fbdev changes for 4.5 2016-01-18 11:58:31 -08:00
panel drm/panel: simple: Add QiaoDian qd43003c0-40 2015-12-16 18:15:26 +01:00
qxl drm/qxl: use to_qxl_bo macro 2015-12-15 13:39:40 +01:00
r128
radeon Merge tag 'topic/drm-misc-2016-01-17' of git://anongit.freedesktop.org/drm-intel into drm-next 2016-01-18 07:01:16 +10:00
rcar-du dma-mapping: always provide the dma_map_ops based implementation 2016-01-20 17:09:18 -08:00
rockchip drm: rockchip: Support Synopsys DW MIPI DSI 2016-01-06 16:16:39 +08:00
savage
shmobile dma-mapping: always provide the dma_map_ops based implementation 2016-01-20 17:09:18 -08:00
sis
sti dma-mapping: always provide the dma_map_ops based implementation 2016-01-20 17:09:18 -08:00
tdfx
tegra Merge tag 'topic/drm-misc-2016-01-17' of git://anongit.freedesktop.org/drm-intel into drm-next 2016-01-18 07:01:16 +10:00
tilcdc dma-mapping: always provide the dma_map_ops based implementation 2016-01-20 17:09:18 -08:00
ttm Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux 2016-01-17 13:40:25 -08:00
udl drm/udl: Constify function pointer structs 2015-12-15 13:48:54 +01:00
vc4 dma-mapping: always provide the dma_map_ops based implementation 2016-01-20 17:09:18 -08:00
vgem
via
virtio virtio: barrier rework+fixes 2016-01-18 16:44:24 -08:00
vmwgfx drm/vmwgfx: Fix a width / pitch mismatch on framebuffer updates 2016-01-14 07:56:46 +10:00
ati_pcigart.c
drm_agpsupport.c
drm_atomic_helper.c drm/atomic: Remove drm_atomic_connectors_for_crtc. 2016-01-06 16:37:39 +01:00
drm_atomic.c drm/atomic: Remove drm_atomic_connectors_for_crtc. 2016-01-06 16:37:39 +01:00
drm_auth.c
drm_bridge.c drm/bridge: Improve kerneldoc 2015-12-08 16:07:53 +01:00
drm_bufs.c
drm_cache.c
drm_context.c
drm_crtc_helper.c drm: Add crtc->name and use it in debug messages 2015-12-11 09:13:48 +01:00
drm_crtc_internal.h
drm_crtc.c drm: Do not set connector->encoder in drivers 2016-01-13 13:30:53 +01:00
drm_debugfs.c
drm_dma.c
drm_dp_helper.c
drm_dp_mst_topology.c drm/dp/mst: fix in RAD element access 2016-01-04 12:11:20 -05:00
drm_drv.c drm: move MODULE_PARM_DESC to other file 2016-01-08 15:32:29 +01:00
drm_edid_load.c
drm_edid.c drm/edid: index CEA/HDMI mode tables using the VIC 2016-01-08 15:30:28 +01:00
drm_encoder_slave.c drm: Constify drm_encoder_slave_funcs 2015-12-15 13:41:17 +01:00
drm_fb_cma_helper.c drm/fb_cma_helper: Remove implicit call to disable_unused_functions 2016-01-15 11:16:15 +01:00
drm_fb_helper.c drm/fb-helper: Use proper plane mask for fb cleanup 2015-12-21 09:54:49 +01:00
drm_flip_work.c
drm_fops.c Linux 4.4-rc4 2015-12-08 11:04:26 +10:00
drm_gem_cma_helper.c drm: Use the driver's gem_object_free function from CMA helpers. 2015-12-15 10:23:44 +01:00
drm_gem.c drm: Remove opencoded drm_gem_object_release_handle() 2016-01-05 16:23:09 +01:00
drm_global.c
drm_hashtab.c tree wide: use kvfree() than conditional kfree()/vfree() 2016-01-22 17:02:18 -08:00
drm_info.c
drm_internal.h
drm_ioc32.c
drm_ioctl.c
drm_irq.c drm: move MODULE_PARM_DESC to other file 2016-01-08 15:32:29 +01:00
drm_legacy.h
drm_lock.c signals: kill block_all_signals() and unblock_all_signals() 2015-11-06 17:50:42 -08:00
drm_memory.c
drm_mipi_dsi.c drm/dsi: Add Turn On/Shutdown Peripheral command helpers 2015-11-24 10:25:14 +01:00
drm_mm.c
drm_modes.c drm/doc: Convert to markdown 2015-12-15 10:22:26 +01:00
drm_modeset_lock.c drm/doc: Convert to markdown 2015-12-15 10:22:26 +01:00
drm_of.c
drm_panel.c
drm_pci.c drm: add drm_pcie_get_max_link_width helper (v2) 2015-12-21 16:42:31 -05:00
drm_plane_helper.c drm: Pass 'name' to drm_universal_plane_init() 2015-12-11 09:13:10 +01:00
drm_platform.c
drm_prime.c drm/doc: Convert to markdown 2015-12-15 10:22:26 +01:00
drm_probe_helper.c Merge branch 'for-linus' into for-next 2015-12-23 08:33:34 +01:00
drm_rect.c drm: Add "prefix" parameter to drm_rect_debug_print() 2015-11-24 11:47:46 +01:00
drm_scatter.c
drm_sysfs.c drm/sysfs: use kobj_to_dev() 2016-01-13 16:43:07 +01:00
drm_trace_points.c
drm_trace.h
drm_vm.c
drm_vma_manager.c
Kconfig dma-mapping: always provide the dma_map_ops based implementation 2016-01-20 17:09:18 -08:00
Makefile Merge branch 'kbuild' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild 2016-01-20 09:45:43 -08:00