Re: Is: virtio_gpu_object_shmem_init issues? Was:Re: upstream boot error: general protection fault in swiotlb_map

From: Thomas Tai
Date: Wed Aug 26 2020 - 21:37:32 EST


Hello,
I had a similiar panic when booting an ARM VM with kernel v5.9-rc1. git bisect identified following bad commit. After reverting the bad commit, the VM boot ok. Maybe we should look into the following commit.

d323bb44e4d23802eb25d13de1f93f2335bd60d0 is the first bad commit
commit d323bb44e4d23802eb25d13de1f93f2335bd60d0
Author: Daniel Vetter <daniel.vetter@xxxxxxxx>
Date: Mon May 11 11:35:49 2020 +0200

drm/virtio: Call the right shmem helpers

drm_gem_shmem_get_sg_table is meant to implement
obj->funcs->get_sg_table, for prime exporting. The one we want is
drm_gem_shmem_get_pages_sgt, which also handles imported dma-buf, not
just native objects.

v2: Rebase, this stuff moved around in

commit 2f2aa13724d56829d910b2fa8e80c502d388f106
Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
Date: Fri Feb 7 08:46:38 2020 +0100

drm/virtio: move virtio_gpu_mem_entry initialization to new function

Acked-by: Thomas Zimmermann <tzimmermann@xxxxxxx>
Signed-off-by: Daniel Vetter <daniel.vetter@xxxxxxxxx>
Cc: David Airlie <airlied@xxxxxxxx>
Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
Cc: virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx
Link: https://patchwork.freedesktop.org/patch/msgid/20200511093554.211493-5-daniel.vetter@xxxxxxxx

Thank you,
Thomas


On 2020-08-24 11:06 a.m., Konrad Rzeszutek Wilk wrote:
On Thu, Aug 06, 2020 at 03:46:23AM -0700, syzbot wrote:
Hello,

syzbot found the following issue on:

HEAD commit: 47ec5303 Merge git://git.kernel.org/pub/scm/linux/kernel/g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16fe1dea900000
kernel config: https://syzkaller.appspot.com/x/.config?x=7c06047f622c5724
dashboard link: https://syzkaller.appspot.com/bug?extid=3f86afd0b1e4bf1cb64c
compiler: gcc (GCC) 10.1.0-syz 20200507

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3f86afd0b1e4bf1cb64c@xxxxxxxxxxxxxxxxxxxxxxxxx

ceph: loaded (mds proto 32)
NET: Registered protocol family 38
async_tx: api initialized (async)
Key type asymmetric registered
Asymmetric key parser 'x509' registered
Asymmetric key parser 'pkcs8' registered
Key type pkcs7_test registered
Asymmetric key parser 'tpm_parser' registered
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 243)
io scheduler mq-deadline registered
io scheduler kyber registered
io scheduler bfq registered
hgafb: HGA card not detected.
hgafb: probe of hgafb.0 failed with error -22
usbcore: registered new interface driver udlfb
uvesafb: failed to execute /sbin/v86d
uvesafb: make sure that the v86d helper is installed and executable
uvesafb: Getting VBE info block failed (eax=0x4f00, err=-2)
uvesafb: vbe_init() failed with -22
uvesafb: probe of uvesafb.0 failed with error -22
vga16fb: mapped to 0x000000008aac772d
Console: switching to colour frame buffer device 80x30
fb0: VGA16 VGA frame buffer device
input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
ACPI: Power Button [PWRF]
ioatdma: Intel(R) QuickData Technology Driver 5.00
PCI Interrupt Link [GSIF] enabled at IRQ 21
PCI Interrupt Link [GSIG] enabled at IRQ 22
PCI Interrupt Link [GSIH] enabled at IRQ 23
N_HDLC line discipline registered with maxframe=4096
Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
00:05: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
Cyclades driver 2.6
Initializing Nozomi driver 2.1d
RocketPort device driver module, version 2.09, 12-June-2003
No rocketport ports found; unloading driver
Non-volatile memory driver v1.3
Linux agpgart interface v0.103
[drm] Initialized vgem 1.0.0 20120112 for vgem on minor 0
[drm] Initialized vkms 1.0.0 20180514 for vkms on minor 1
usbcore: registered new interface driver udl
[drm] pci: virtio-vga detected at 0000:00:01.0
fb0: switching to virtiodrmfb from VGA16 VGA
Console: switching to colour VGA+ 80x25
virtio-pci 0000:00:01.0: vgaarb: deactivate vga console
Console: switching to colour dummy device 80x25
[drm] features: -virgl +edid
[drm] number of scanouts: 1
[drm] number of cap sets: 0
[drm] Initialized virtio_gpu 0.1.0 0 for virtio0 on minor 2
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.8.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
RIP: 0010:swiotlb_map+0x5ac/0x700 kernel/dma/swiotlb.c:683
Code: 28 04 00 00 48 c1 ea 03 80 3c 02 00 0f 85 4d 01 00 00 4c 8b a5 18 04 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 01 00 00 48 8d 7d 50 4d 8b 24 24 48 b8 00 00
RSP: 0000:ffffc9000034f3e0 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff8162cc1d
RDX: 0000000000000000 RSI: ffffffff8162cc98 RDI: ffff88802971a470
RBP: ffff88802971a048 R08: 0000000000000001 R09: ffffffff8c5dba77
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 000000007ac00000 R14: dffffc0000000000 R15: 0000000000001000
FS: 0000000000000000(0000) GS:ffff88802ce00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000ffffffff CR3: 0000000009a8d000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
dma_direct_map_page include/linux/dma-direct.h:170 [inline]
dma_direct_map_sg+0x3bb/0x670 kernel/dma/direct.c:368
dma_map_sg_attrs+0xd0/0x160 kernel/dma/mapping.c:183
drm_gem_shmem_get_pages_sgt drivers/gpu/drm/drm_gem_shmem_helper.c:700 [inline]
drm_gem_shmem_get_pages_sgt+0x1fc/0x310 drivers/gpu/drm/drm_gem_shmem_helper.c:679
virtio_gpu_object_shmem_init drivers/gpu/drm/virtio/virtgpu_object.c:153 [inline]
virtio_gpu_object_create+0x2fd/0xa70 drivers/gpu/drm/virtio/virtgpu_object.c:232
virtio_gpu_gem_create drivers/gpu/drm/virtio/virtgpu_gem.c:45 [inline]
virtio_gpu_mode_dumb_create+0x298/0x530 drivers/gpu/drm/virtio/virtgpu_gem.c:85
drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
drm_client_buffer_create drivers/gpu/drm/drm_client.c:267 [inline]
drm_client_framebuffer_create+0x1b7/0x770 drivers/gpu/drm/drm_client.c:412
drm_fb_helper_generic_probe+0x1e5/0x810 drivers/gpu/drm/drm_fb_helper.c:2086
drm_fb_helper_single_fb_probe drivers/gpu/drm/drm_fb_helper.c:1635 [inline]
__drm_fb_helper_initial_config_and_unlock+0xbc6/0x12d0 drivers/gpu/drm/drm_fb_helper.c:1793
drm_fb_helper_initial_config drivers/gpu/drm/drm_fb_helper.c:1888 [inline]
drm_fb_helper_initial_config drivers/gpu/drm/drm_fb_helper.c:1880 [inline]
drm_fbdev_client_hotplug+0x2d4/0x580 drivers/gpu/drm/drm_fb_helper.c:2180
drm_fbdev_generic_setup+0x1c8/0x450 drivers/gpu/drm/drm_fb_helper.c:2262
virtio_gpu_probe+0x28f/0x2e0 drivers/gpu/drm/virtio/virtgpu_drv.c:127
virtio_dev_probe+0x445/0x6f0 drivers/virtio/virtio.c:248
really_probe+0x282/0x9f0 drivers/base/dd.c:553
driver_probe_device+0xfe/0x1d0 drivers/base/dd.c:738
device_driver_attach+0x228/0x290 drivers/base/dd.c:1013
__driver_attach drivers/base/dd.c:1090 [inline]
__driver_attach+0xda/0x240 drivers/base/dd.c:1044
bus_for_each_dev+0x147/0x1d0 drivers/base/bus.c:305
bus_add_driver+0x348/0x5a0 drivers/base/bus.c:622
driver_register+0x220/0x3a0 drivers/base/driver.c:171
do_one_initcall+0x10a/0x7b0 init/main.c:1201
do_initcall_level init/main.c:1274 [inline]
do_initcalls init/main.c:1290 [inline]
do_basic_setup init/main.c:1310 [inline]
kernel_init_freeable+0x589/0x638 init/main.c:1505
kernel_init+0xd/0x1c0 init/main.c:1399
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Modules linked in:
---[ end trace 11a290451cfd19ed ]---
RIP: 0010:swiotlb_map+0x5ac/0x700 kernel/dma/swiotlb.c:683
Code: 28 04 00 00 48 c1 ea 03 80 3c 02 00 0f 85 4d 01 00 00 4c 8b a5 18 04 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 01 00 00 48 8d 7d 50 4d 8b 24 24 48 b8 00 00
RSP: 0000:ffffc9000034f3e0 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff8162cc1d
RDX: 0000000000000000 RSI: ffffffff8162cc98 RDI: ffff88802971a470
RBP: ffff88802971a048 R08: 0000000000000001 R09: ffffffff8c5dba77
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 000000007ac00000 R14: dffffc0000000000 R15: 0000000000001000
FS: 0000000000000000(0000) GS:ffff88802ce00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000ffffffff CR3: 0000000009a8d000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

So it fails at

683 dev_WARN_ONCE(dev, 1,
684 "swiotlb addr %pad+%zu overflow (mask %llx, bus limit %llx).\n",
685 &dma_addr, size, *dev->dma_mask, dev->bus_dma_limit);


which makes no sense to me as `dev` surely exists. I can see in the console log:

virtio-pci 0000:00:01.0: vgaarb: deactivate vga console

So what gives?

Code: 28 04 00 00 48 c1 ea 03 80 3c 02 00 0f 85 4d 01 00 00 4c 8b a5 18 04 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 01 00 00 48 8d 7d 50 4d 8b 24 24 48 b8 00 00
is
All code
========
0: 28 04 00 sub %al,(%rax,%rax,1)
3: 00 48 c1 add %cl,-0x3f(%rax)
6: ea (bad)
7: 03 80 3c 02 00 0f add 0xf00023c(%rax),%eax
d: 85 4d 01 test %ecx,0x1(%rbp)
10: 00 00 add %al,(%rax)
12: 4c 8b a5 18 04 00 00 mov 0x418(%rbp),%r12
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 4c 89 e2 mov %r12,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
2a:* 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 0f 85 1e 01 00 00 jne 0x152
34: 48 8d 7d 50 lea 0x50(%rbp),%rdi
38: 4d 8b 24 24 mov (%r12),%r12
3c: 48 rex.W
3d: b8 .byte 0xb8

So %r12 was expected to have something valid, put in %rdx, and shifted by three (line 26). Then
we fetch from
base = 0000000000000000 (%rdx) + 0xdffffc0000000000(%rax)* scale 1.

and compare against 0 (if I am reading this right).

No clue here.

I tried compiling the upstream kernel with the .config mentioned at the top
but sadly I can't find anything that similar to this code to figure out
what exactly it is trying to access and crash.

CC-ing a fellow engineer who is debugging this, but it looks to be related to VirtIO DRM.



---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.