linux/drivers/gpu/drm/i915
Ville Syrjälä 2850cfddfb drm/i915: Fix NULL plane->fb oops on SKL
In this atomic age, we can't trust the plane->fb pointer anymore.
It might get update too late. Instead we are supposed to use the
plane_state->fb pointer instead. Let's do that in
intel_plane_obj_offset() and avoid problems from dereferencing the
potentially stale plane->fb pointer.

Paulo found this with 'kms_frontbuffer_tracking --show-hidden --run-subtest nop-1p-rte'
but it can be reproduced with just plain old kms_setplane.

I was too lazy to bisect this, so not sure exactly when it broke. The
most obvious candidate
commit ce7f172856 ("drm/i915: Fix i915_ggtt_view_equal to handle rotation correctly")
was actually still fine, so it must have broken some time after that.

Here's the resulting fireworks:
BUG: unable to handle kernel NULL pointer dereference at           (null)
IP: [<ffffffffa02d2d9a>] intel_fill_fb_ggtt_view+0x1b/0x15a [i915]
PGD 8a5f6067 PUD 8a5f5067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: i915 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm intel_gtt agpgart netconsole mousedev hid_generic psmouse usbhid atkbd libps2 coretemp hwmon efi_pstore intel_rapl iosf_mbi x86_pkg_temp_thermal efivars pcspkr e1000e sdhci_pci ptp pps_core sdhci i2c_i801 mmc_core i2c_hid hid i8042 serio evdev sch_fq_codel ip_tables x_tables ipv6 autofs4
CPU: 1 PID: 260 Comm: kms_plane Not tainted 4.4.0-skl+ #171
Hardware name: Intel Corporation Skylake Client platform/Skylake Y LPDDR3 RVP3, BIOS SKLSE2R1.R00.B104.B00.1511030553 11/03/2015
task: ffff88008bde2d80 ti: ffff88008a6ec000 task.ti: ffff88008a6ec000
RIP: 0010:[<ffffffffa02d2d9a>]  [<ffffffffa02d2d9a>] intel_fill_fb_ggtt_view+0x1b/0x15a [i915]
RSP: 0018:ffff88008a6efa10  EFLAGS: 00010086
RAX: 0000000000000001 RBX: ffff8801674f4240 RCX: 0000000000000014
RDX: ffff88008a7440c0 RSI: 0000000000000000 RDI: ffff88008a6efa40
RBP: ffff88008a6efa30 R08: ffff88008bde3598 R09: 0000000000000001
R10: ffff88008b782000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88008a7440c0 R14: 0000000000000000 R15: ffff88008a7449c0
FS:  00007fa0c07a28c0(0000) GS:ffff88016ec40000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000008a6ff000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffff8801674f4240 0000000000000000 ffff88008a7440c0 0000000000000000
 ffff88008a6efaa0 ffffffffa02daf25 ffffffff814ec80e 0000000000070298
 ffff8800850d0000 ffff88008a6efaa0 ffffffffa02c49c2 0000000000000002
Call Trace:
 [<ffffffffa02daf25>] intel_plane_obj_offset+0x2d/0xa9 [i915]
 [<ffffffff814ec80e>] ? _raw_spin_unlock_irqrestore+0x4b/0x60
 [<ffffffffa02c49c2>] ? gen9_write32+0x2e8/0x3b8 [i915]
 [<ffffffffa02eecfc>] skl_update_plane+0x203/0x4c5 [i915]
 [<ffffffffa02ca1ab>] intel_plane_atomic_update+0x53/0x6a [i915]
 [<ffffffffa02494a4>] drm_atomic_helper_commit_planes_on_crtc+0x142/0x1d5 [drm_kms_helper]
 [<ffffffffa02de44b>] intel_atomic_commit+0x1262/0x1350 [i915]
 [<ffffffffa024a0ee>] ? __drm_atomic_helper_crtc_duplicate_state+0x2f/0x41 [drm_kms_helper]
 [<ffffffffa01ef089>] ? drm_atomic_check_only+0x3e3/0x552 [drm]
 [<ffffffffa01ef245>] drm_atomic_commit+0x4d/0x52 [drm]
 [<ffffffffa024996b>] drm_atomic_helper_update_plane+0xcb/0x118 [drm_kms_helper]
 [<ffffffffa01e42e8>] __setplane_internal+0x1c8/0x224 [drm]
 [<ffffffffa01e477f>] drm_mode_setplane+0x14e/0x172 [drm]
 [<ffffffffa01d8117>] drm_ioctl+0x265/0x3ad [drm]
 [<ffffffffa01e4631>] ? drm_mode_cursor_common+0x158/0x158 [drm]
 [<ffffffff810d00ab>] ? current_kernel_time64+0x5e/0x98
 [<ffffffff810a76ea>] ? trace_hardirqs_on_caller+0x17a/0x196
 [<ffffffff8119880f>] do_vfs_ioctl+0x42b/0x4ea
 [<ffffffff811a2b72>] ? __fget_light+0x4d/0x71
 [<ffffffff81198911>] SyS_ioctl+0x43/0x61
 [<ffffffff814ed057>] entry_SYSCALL_64_fastpath+0x12/0x6f

Cc: drm-intel-fixes@lists.freedesktop.org
Cc: Paulo Zanoni <paulo.r.zanoni@intel.com>
Testcase: igt/kms_plane
Reported-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1453220597-28973-1-git-send-email-ville.syrjala@linux.intel.com
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
(cherry picked from commit e794129444)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
2016-01-29 09:13:28 +02:00
..
dvo_ch7xxx.c drm/i915: constify intel_dvo_dev_ops structures 2015-12-09 08:21:10 +01:00
dvo_ch7017.c drm/i915: constify intel_dvo_dev_ops structures 2015-12-09 08:21:10 +01:00
dvo_ivch.c drm/i915: constify intel_dvo_dev_ops structures 2015-12-09 08:21:10 +01:00
dvo_ns2501.c drm/i915: constify intel_dvo_dev_ops structures 2015-12-09 08:21:10 +01:00
dvo_sil164.c drm/i915: constify intel_dvo_dev_ops structures 2015-12-09 08:21:10 +01:00
dvo_tfp410.c drm/i915: constify intel_dvo_dev_ops structures 2015-12-09 08:21:10 +01:00
dvo.h drm/i915: constify intel_dvo_dev_ops structures 2015-12-09 08:21:10 +01:00
i915_cmd_parser.c drm/i915: Type safe register read/write 2015-11-18 15:39:11 +02:00
i915_debugfs.c drm/i915/debugfs: add a separate debugfs file for VBT 2015-12-16 11:30:24 +02:00
i915_dma.c Merge tag 'topic/drm-misc-2016-01-17' of git://anongit.freedesktop.org/drm-intel into drm-next 2016-01-18 07:01:16 +10:00
i915_drv.c drm/i915: add support for checking if we hold an RPM reference 2015-12-17 15:59:44 +02:00
i915_drv.h Merge branch 'for-linus' into for-next 2016-01-06 21:14:35 +01:00
i915_gem_batch_pool.c
i915_gem_batch_pool.h
i915_gem_context.c drm/i915: Restore inhibiting the load of the default context 2016-01-13 10:47:33 +02:00
i915_gem_debug.c
i915_gem_dmabuf.c drm/i915: remove unused has_dma_mapping flag 2015-07-13 22:42:41 +02:00
i915_gem_evict.c drm/i915: Add soft-pinning API for execbuffer 2015-12-09 10:20:17 +00:00
i915_gem_execbuffer.c drm/i915: Avoid writing relocs with addresses in non-canonical form 2016-01-13 10:41:58 +02:00
i915_gem_fence.c Linux 4.4-rc4 2015-12-08 11:04:26 +10:00
i915_gem_gtt.c Merge branch 'for-linus' into for-next 2016-01-06 21:14:35 +01:00
i915_gem_gtt.h drm/i915: eliminate 'temp' in gen8_for_each_{pdd, pdpe, pml4e} macros 2015-12-10 09:36:42 +01:00
i915_gem_render_state.c drm/i915: mark GEM object pages dirty when mapped & written by the CPU 2015-12-11 18:11:53 +01:00
i915_gem_render_state.h drm/i915: Add provision to extend Golden context batch 2015-07-21 09:30:57 +02:00
i915_gem_shrinker.c drm/i915: Fix kerneldoc for i915_gem_shrink_all 2015-10-13 16:21:03 +03:00
i915_gem_stolen.c Merge branch 'for-linus' into for-next 2016-01-06 21:14:35 +01:00
i915_gem_tiling.c drm/i915: get runtime PM reference around GEM set_tiling IOCTL 2015-11-17 18:43:30 +02:00
i915_gem_userptr.c Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux 2015-11-10 09:33:06 -08:00
i915_gem.c Merge tag 'drm-intel-next-fixes-2016-01-14' of git://anongit.freedesktop.org/drm-intel into drm-next 2016-01-18 07:02:19 +10:00
i915_gpu_error.c drm/i915: Type safe register read/write 2015-11-18 15:39:11 +02:00
i915_guc_reg.h drm/i915: Type safe register read/write 2015-11-18 15:39:11 +02:00
i915_guc_submission.c drm/i915: mark GEM object pages dirty when mapped & written by the CPU 2015-12-11 18:11:53 +01:00
i915_ioc32.c Merge tag 'drm-intel-fixes-2015-07-15' into drm-intel-next-queued 2015-07-15 16:36:50 +02:00
i915_irq.c drm/i915: shut up gen8+ SDE irq dmesg noise, again 2016-01-13 10:48:11 +02:00
i915_params.c Linux 4.4-rc2 2015-11-23 09:04:05 +01:00
i915_reg.h Merge tag 'drm-intel-next-2015-12-18' of git://anongit.freedesktop.org/drm-intel into drm-next 2015-12-23 14:22:09 +10:00
i915_suspend.c drm/i915: Separate cherryview from valleyview 2015-12-10 11:07:24 +01:00
i915_sysfs.c drm/i915: Separate cherryview from valleyview 2015-12-10 11:07:24 +01:00
i915_trace_points.c
i915_trace.h drm/i915: Type safe register read/write 2015-11-18 15:39:11 +02:00
i915_vgpu.c drm/i915: Turn __raw_i915_read8() & co. in to inline functions 2015-10-26 16:28:04 +02:00
i915_vgpu.h drm/i915: Type safe register read/write 2015-11-18 15:39:11 +02:00
intel_acpi.c drm/i915: Drop unnecessary #include <linux/vga_switcheroo.h> 2015-10-13 10:18:38 +02:00
intel_atomic_plane.c drm/i915: Wait for object idle without locks in atomic_commit, v2. 2015-11-02 15:50:31 +01:00
intel_atomic.c drm/i915: Calculate watermark related members in the crtc_state, v4. 2015-12-07 10:56:08 +01:00
intel_audio.c Add get_eld audio component for i915/HD-audio 2015-12-11 19:28:27 +01:00
intel_bios.c drm/i915/bios: reduce indent in parse_general_features 2015-12-16 18:02:05 +02:00
intel_bios.h drm/i915: move drmP.h include to i915_drv.h 2015-12-16 18:01:15 +02:00
intel_crt.c Merge tag 'drm-intel-next-2015-12-18' of git://anongit.freedesktop.org/drm-intel into drm-next 2015-12-23 14:22:09 +10:00
intel_csr.c drm/i915/kbl: Fix DMC load on Kabylake. 2015-12-09 07:52:39 -08:00
intel_ddi.c Merge tag 'drm-intel-next-2015-12-18' of git://anongit.freedesktop.org/drm-intel into drm-next 2015-12-23 14:22:09 +10:00
intel_display.c drm/i915: Fix NULL plane->fb oops on SKL 2016-01-29 09:13:28 +02:00
intel_dp_link_training.c drm/i915: Make intel_dp_source_supports_hbr2() take an intel_dp pointer 2015-11-05 15:14:56 +02:00
intel_dp_mst.c Merge tag 'topic/drm-misc-2016-01-17' of git://anongit.freedesktop.org/drm-intel into drm-next 2016-01-18 07:01:16 +10:00
intel_dp.c Merge tag 'drm-intel-next-2015-12-18' of git://anongit.freedesktop.org/drm-intel into drm-next 2015-12-23 14:22:09 +10:00
intel_drv.h drm/i915: Tune down rpm wakelock debug checks 2016-01-13 10:47:04 +02:00
intel_dsi_panel_vbt.c
intel_dsi_pll.c drm/i915: Separate cherryview from valleyview 2015-12-10 11:07:24 +01:00
intel_dsi.c Merge tag 'drm-intel-next-2015-12-18' of git://anongit.freedesktop.org/drm-intel into drm-next 2015-12-23 14:22:09 +10:00
intel_dsi.h drm/i915: fix potential dangling else problems in for_each_ macros 2015-11-25 09:29:32 +01:00
intel_dvo.c drm: Pass 'name' to drm_encoder_init() 2015-12-11 09:13:20 +01:00
intel_fbc.c drm/i915: only recompress FBC after flushing a drawing operation 2015-12-03 11:38:11 -02:00
intel_fbdev.c drm/i915: Pin the ifbdev for the info->system_base GGTT mmapping 2015-12-17 16:59:24 +01:00
intel_fifo_underrun.c drm/i915: Introduce bdw_{update,enable,disable}_pipe_irq() 2015-11-26 18:55:39 +02:00
intel_frontbuffer.c drm/i915: fix FBC frontbuffer tracking flushing code 2015-08-05 09:59:44 +02:00
intel_guc_fwif.h drm/i915/guc: Add GuC css header parser 2015-10-21 14:31:34 +02:00
intel_guc_loader.c Linux 4.4-rc2 2015-11-23 09:04:05 +01:00
intel_guc.h drm/i915/guc: Clean up locks in GuC 2015-12-03 15:11:54 +01:00
intel_hdmi.c Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux 2016-01-17 13:40:25 -08:00
intel_hotplug.c drm/i915: intel_hpd_init(): Fix suspend/resume reprobing 2016-01-13 10:49:42 +02:00
intel_i2c.c drm/i915: Separate cherryview from valleyview 2015-12-10 11:07:24 +01:00
intel_lrc.c drm/i915: Make sure DC writes are coherent on flush. 2016-01-29 09:11:26 +02:00
intel_lrc.h Revert "drm/i915: Extend LRC pinning to cover GPU context writeback" 2015-12-04 17:34:40 +01:00
intel_lvds.c drm: Pass 'name' to drm_encoder_init() 2015-12-11 09:13:20 +01:00
intel_mocs.c drm/i915: Type safe register read/write 2015-11-18 15:39:11 +02:00
intel_mocs.h drm/i915: Added Programming of the MOCS 2015-07-14 17:13:14 +02:00
intel_modes.c drm/i915: Add HDMI aspect ratio property for SDVO 2015-09-30 10:20:12 +02:00
intel_opregion.c drm/i915/opregion: handle VBT sizes bigger than 6 KB 2015-12-17 11:40:57 +02:00
intel_overlay.c drm/i915: Wait for object idle without locks in atomic_commit, v2. 2015-11-02 15:50:31 +01:00
intel_panel.c drm/i915/backlight: prefer dev_priv over dev pointer 2015-12-18 11:37:44 +02:00
intel_pm.c Backmerge drm-fixes merge into Linus's tree into drm-next. 2015-12-24 08:08:47 +10:00
intel_psr.c drm/i915: PSR also doesn't have link_entry_time on SKL. 2015-12-11 16:32:56 -08:00
intel_renderstate_gen6.c
intel_renderstate_gen7.c
intel_renderstate_gen8.c
intel_renderstate_gen9.c
intel_renderstate.h
intel_ringbuffer.c drm/i915: Make sure DC writes are coherent on flush. 2016-01-29 09:11:26 +02:00
intel_ringbuffer.h drm/i915: intel_ring_initialized() must be simple and inline 2015-12-10 14:14:36 +01:00
intel_runtime_pm.c drm/i915: don't enable autosuspend on platforms without RPM support 2015-12-18 15:52:31 +02:00
intel_sdvo_regs.h
intel_sdvo.c drm: Pass 'name' to drm_encoder_init() 2015-12-11 09:13:20 +01:00
intel_sideband.c
intel_sprite.c Merge tag 'drm-intel-next-2015-12-18' of git://anongit.freedesktop.org/drm-intel into drm-next 2015-12-23 14:22:09 +10:00
intel_tv.c drm: Pass 'name' to drm_encoder_init() 2015-12-11 09:13:20 +01:00
intel_uncore.c drm/i915: use assert_rpm_wakelock_held instead of opencoding it 2015-12-17 15:59:44 +02:00
Kconfig drm/i915: Serialise updates to GGTT with access through GGTT on Braswell 2015-11-17 17:36:01 +01:00
Makefile drm/i915: Move generic link training code to a separate file 2015-11-05 15:14:56 +02:00