Invoke drm_plane_helper_funcs.end_fb_access before drm_atomic_helper_commit_hw_done(). The latter function hands over ownership of the plane state to the following commit, which might free it. Releasing resources in end_fb_access then operates on undefined state. This bug has been observed with non-blocking commits when they are being queued up quickly.
Here is an example stack trace from the bug report. The plane state has been free'd already, so the pages for drm_gem_fb_vunmap() are gone.
Unable to handle kernel paging request at virtual address 0000000100000049 [...] drm_gem_fb_vunmap+0x18/0x74 drm_gem_end_shadow_fb_access+0x1c/0x2c drm_atomic_helper_cleanup_planes+0x58/0xd8 drm_atomic_helper_commit_tail+0x90/0xa0 commit_tail+0x15c/0x188 commit_work+0x14/0x20
For aborted commits, it is still ok to run end_fb_access as part of the plane's cleanup. Add a test to drm_atomic_helper_cleanup_planes().
Reported-by: Alyssa Ross hi@alyssa.is Closes: https://lore.kernel.org/dri-devel/87leazm0ya.fsf@alyssa.is/ Suggested-by: Daniel Vetter daniel@ffwll.ch Fixes: 94d879eaf7fb ("drm/atomic-helper: Add {begin,end}_fb_access to plane helpers") Signed-off-by: Thomas Zimmermann tzimmermann@suse.de Cc: stable@vger.kernel.org # v6.2+ --- drivers/gpu/drm/drm_atomic_helper.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+)
diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c index c3f677130def0..08d0511405e90 100644 --- a/drivers/gpu/drm/drm_atomic_helper.c +++ b/drivers/gpu/drm/drm_atomic_helper.c @@ -2784,6 +2784,17 @@ void drm_atomic_helper_commit_planes(struct drm_device *dev,
funcs->atomic_flush(crtc, old_state); } + + /* + * Signal end of framebuffer access here before hw_done. After hw_done, + * a later commit might have already released the plane state. + */ + for_each_oldnew_plane_in_state(old_state, plane, old_plane_state, new_plane_state, i) { + const struct drm_plane_helper_funcs *funcs = plane->helper_private; + + if (funcs->end_fb_access) + funcs->end_fb_access(plane, new_plane_state); + } } EXPORT_SYMBOL(drm_atomic_helper_commit_planes);
@@ -2924,6 +2935,12 @@ void drm_atomic_helper_cleanup_planes(struct drm_device *dev, for_each_oldnew_plane_in_state(old_state, plane, old_plane_state, new_plane_state, i) { const struct drm_plane_helper_funcs *funcs = plane->helper_private;
+ /* + * Only clean up here if we're aborting the commit. + */ + if (new_plane_state == plane->state) + continue; + if (funcs->end_fb_access) funcs->end_fb_access(plane, new_plane_state); }
Thomas Zimmermann tzimmermann@suse.de writes:
Invoke drm_plane_helper_funcs.end_fb_access before drm_atomic_helper_commit_hw_done(). The latter function hands over ownership of the plane state to the following commit, which might free it. Releasing resources in end_fb_access then operates on undefined state. This bug has been observed with non-blocking commits when they are being queued up quickly.
Here is an example stack trace from the bug report. The plane state has been free'd already, so the pages for drm_gem_fb_vunmap() are gone.
Unable to handle kernel paging request at virtual address 0000000100000049 [...] drm_gem_fb_vunmap+0x18/0x74 drm_gem_end_shadow_fb_access+0x1c/0x2c drm_atomic_helper_cleanup_planes+0x58/0xd8 drm_atomic_helper_commit_tail+0x90/0xa0 commit_tail+0x15c/0x188 commit_work+0x14/0x20
For aborted commits, it is still ok to run end_fb_access as part of the plane's cleanup. Add a test to drm_atomic_helper_cleanup_planes().
Reported-by: Alyssa Ross hi@alyssa.is Closes: https://lore.kernel.org/dri-devel/87leazm0ya.fsf@alyssa.is/ Suggested-by: Daniel Vetter daniel@ffwll.ch Fixes: 94d879eaf7fb ("drm/atomic-helper: Add {begin,end}_fb_access to plane helpers") Signed-off-by: Thomas Zimmermann tzimmermann@suse.de Cc: stable@vger.kernel.org # v6.2+
drivers/gpu/drm/drm_atomic_helper.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+)
I've been trying this patch for the last couple of days. Alas the problem doesn't seem to have been resolved entirely, because I've had the following Oopses:
simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_init] Allocated atomic state 00000000af08a086 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_plane_state] Added [PLANE:31:plane-0] 0000000001cc7517 state to 00000000af08a086 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_crtc_state] Added [CRTC:33:crtc-0] 00000000e546877a state to 00000000af08a086 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_set_fb_for_plane] Set [FB:37] for [PLANE:31:plane-0] state 0000000001cc7517 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_connector_state] Added [CONNECTOR:35:Unknown-1] 000000008cee195b state to 00000000af08a086 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_check_only] checking 00000000af08a086 simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] Updating routing for [CONNECTOR:35:Unknown-1] simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] [CONNECTOR:35:Unknown-1] keeps [ENCODER:34:None-34], now on [CRTC:33:crtc-0] simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000af08a086 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000af08a086 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_nonblocking_commit] committing 00000000af08a086 nonblocking simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000af08a086 simple-framebuffer dd53a4000.framebuffer: [drm:__drm_atomic_state_free] Freeing atomic state 00000000af08a086 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_init] Allocated atomic state 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_plane_state] Added [PLANE:31:plane-0] 00000000d3b51954 state to 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_crtc_state] Added [CRTC:33:crtc-0] 00000000e7c9e6b8 state to 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_set_fb_for_plane] Set [FB:38] for [PLANE:31:plane-0] state 00000000d3b51954 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_connector_state] Added [CONNECTOR:35:Unknown-1] 00000000016b7c7e state to 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_check_only] checking 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] Updating routing for [CONNECTOR:35:Unknown-1] simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] [CONNECTOR:35:Unknown-1] keeps [ENCODER:34:None-34], now on [CRTC:33:crtc-0] simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:__drm_atomic_state_free] Freeing atomic state 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_init] Allocated atomic state 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_plane_state] Added [PLANE:31:plane-0] 00000000d3b51954 state to 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_crtc_state] Added [CRTC:33:crtc-0] 00000000e7c9e6b8 state to 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_set_fb_for_plane] Set [FB:38] for [PLANE:31:plane-0] state 00000000d3b51954 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_connector_state] Added [CONNECTOR:35:Unknown-1] 00000000016b7c7e state to 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_check_only] checking 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] Updating routing for [CONNECTOR:35:Unknown-1] simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] [CONNECTOR:35:Unknown-1] keeps [ENCODER:34:None-34], now on [CRTC:33:crtc-0] simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_nonblocking_commit] committing 00000000f87a08e9 nonblocking Unable to handle kernel paging request at virtual address 07821098078210e0 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [07821098078210e0] address between user and kernel address ranges Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP Modules linked in: uas usb_storage usbhid rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device bnep des_generic libdes md4 brcmfmac_wcc joydev hci_bcm4377 bluetooth brcmfmac brcmutil ecdh_generic cfg80211 hid_magicmouse ecc rfkill macsmc_power macsmc_hid snd_soc_macaudio macsmc_reboot apple_isp videobuf2_dma_sg videobuf2_memops videobuf2_v4l2 videodev videobuf2_common xt_conntrack ofpart nf_conntrack mc spi_nor nf_defrag_ipv6 clk_apple_nco apple_admac nf_defrag_ipv4 snd_soc_apple_mca snd_soc_cs42l84 snd_soc_tas2764 pwm_apple apple_soc_cpufreq leds_pwm hid_apple ip6t_rpfilter ipt_rpfilter xt_pkttype xt_LOG nf_log_syslog nft_compat nf_tables nfnetlink loop tun tap macvlan bridge stp llc fuse zstd zram dm_crypt xhci_plat_hcd xhci_hcd rtc_macsmc nvmem_spmi_mfd gpio_macsmc pcie_apple simple_mfd_spmi dockchannel_hid tps6598x regmap_spmi pci_host_common phy_apple_atc dwc3 typec nvme_apple udc_core apple_sart apple_dockchannel macsmc_rtkit apple_rtkit_helper macsmc apple_rtkit mfd_core spmi_apple_controller nvmem_apple_efuses simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000f87a08e9 pinctrl_apple_gpio spi_apple i2c_apple apple_dart apple_mailbox btrfs xor xor_neon simple-framebuffer dd53a4000.framebuffer: [drm:__drm_atomic_state_free] Freeing atomic state 00000000f87a08e9 raid6_pq CPU: 3 PID: 1051504 Comm: kworker/u16:0 Tainted: G S 6.5.0-asahi #1-NixOS Hardware name: Apple MacBook Pro (13-inch, M2, 2022) (DT) Workqueue: events_unbound commit_work pstate: 21400009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : drm_gem_fb_vunmap+0x18/0x74 lr : drm_gem_end_shadow_fb_access+0x1c/0x2c sp : ffff800088d1bd00 x29: ffff800088d1bd00 x28: 0000000000000000 x27: 0000000000000000 x26: ffff000001f6a400 x25: 00000000fffffef7 x24: ffff00000c3a6760 x23: ffff000001fcb805 x22: 0000000000000000 x21: 0782109807821098 x20: ffff00000c3a6700 x19: 0000000000000001 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 000000000000000a x13: 0000000000000000 x12: ffff800081310a80 x11: 0000000000000001 x10: 4547e57b44a6ff52 x9 : 55676353188274f2 x8 : ffff00039f2bc148 x7 : 0000000000000004 x6 : 0000000000000190 x5 : 0000000000000001 x4 : ffff00021312e200 x3 : ffff00000ec16000 x2 : ffff80008077889c x1 : ffff0000cbde3498 x0 : 0782109807821098 Call trace: drm_gem_fb_vunmap+0x18/0x74 drm_gem_end_shadow_fb_access+0x1c/0x2c drm_atomic_helper_cleanup_planes+0x64/0xe0 drm_atomic_helper_commit_tail+0x90/0xa0 commit_tail+0x15c/0x188 commit_work+0x14/0x20 process_one_work+0x1e0/0x344 worker_thread+0x68/0x424 kthread+0xf4/0x100 ret_from_fork+0x10/0x20 Code: 910003fd a90153f3 f90013f5 aa0003f5 (f9402400) ---[ end trace 0000000000000000 ]---
simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_init] Allocated atomic state 000000005d0bd601 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_plane_state] Added [PLANE:31:plane-0] 000000001a73352d state to 000000005d0bd601 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_crtc_state] Added [CRTC:33:crtc-0] 000000007421fdc2 state to 000000005d0bd601 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_set_fb_for_plane] Set [FB:39] for [PLANE:31:plane-0] state 000000001a73352d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_connector_state] Added [CONNECTOR:35:Unknown-1] 00000000dabd463e state to 000000005d0bd601 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_check_only] checking 000000005d0bd601 simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] Updating routing for [CONNECTOR:35:Unknown-1] simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] [CONNECTOR:35:Unknown-1] keeps [ENCODER:34:None-34], now on [CRTC:33:crtc-0] simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 000000005d0bd601 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 000000005d0bd601 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_nonblocking_commit] committing 000000005d0bd601 nonblocking simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_default_clear] Clearing atomic state 000000005d0bd601 simple-framebuffer dd53a4000.framebuffer: [drm:__drm_atomic_state_free] Freeing atomic state 000000005d0bd601 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_init] Allocated atomic state 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_plane_state] Added [PLANE:31:plane-0] 000000008a207775 state to 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_crtc_state] Added [CRTC:33:crtc-0] 00000000a7948d96 state to 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_set_fb_for_plane] Set [FB:37] for [PLANE:31:plane-0] state 000000008a207775 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_connector_state] Added [CONNECTOR:35:Unknown-1] 000000005a471972 state to 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_check_only] checking 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] Updating routing for [CONNECTOR:35:Unknown-1] simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] [CONNECTOR:35:Unknown-1] keeps [ENCODER:34:None-34], now on [CRTC:33:crtc-0] simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:__drm_atomic_state_free] Freeing atomic state 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_init] Allocated atomic state 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_plane_state] Added [PLANE:31:plane-0] 000000008a207775 state to 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_crtc_state] Added [CRTC:33:crtc-0] 00000000a7948d96 state to 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_set_fb_for_plane] Set [FB:37] for [PLANE:31:plane-0] state 000000008a207775 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_connector_state] Added [CONNECTOR:35:Unknown-1] 000000005a471972 state to 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_check_only] checking 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] Updating routing for [CONNECTOR:35:Unknown-1] simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] [CONNECTOR:35:Unknown-1] keeps [ENCODER:34:None-34], now on [CRTC:33:crtc-0] simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_nonblocking_commit] committing 00000000f0e89d2d nonblocking Unable to handle kernel paging request at virtual address 0042608409c280d0 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:__drm_atomic_state_free] Freeing atomic state 00000000f0e89d2d Mem abort info: ESR = 0x0000000096000004 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_init] Allocated atomic state 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_plane_state] Added [PLANE:31:plane-0] 00000000018a5301 state to 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_crtc_state] Added [CRTC:33:crtc-0] 000000007461d4b6 state to 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_set_fb_for_plane] Set [FB:39] for [PLANE:31:plane-0] state 00000000018a5301 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_connector_state] Added [CONNECTOR:35:Unknown-1] 00000000aa5a97e1 state to 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_check_only] checking 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] Updating routing for [CONNECTOR:35:Unknown-1] simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] [CONNECTOR:35:Unknown-1] keeps [ENCODER:34:None-34], now on [CRTC:33:crtc-0] simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:__drm_atomic_state_free] Freeing atomic state 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_init] Allocated atomic state 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_plane_state] Added [PLANE:31:plane-0] 00000000018a5301 state to 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_crtc_state] Added [CRTC:33:crtc-0] 000000007461d4b6 state to 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_set_fb_for_plane] Set [FB:39] for [PLANE:31:plane-0] state 00000000018a5301 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_connector_state] Added [CONNECTOR:35:Unknown-1] 00000000aa5a97e1 state to 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_check_only] checking 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] Updating routing for [CONNECTOR:35:Unknown-1] simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] [CONNECTOR:35:Unknown-1] keeps [ENCODER:34:None-34], now on [CRTC:33:crtc-0] simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_nonblocking_commit] committing 00000000921c84ac nonblocking EC = 0x25: DABT (current EL), IL = 32 bits simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:__drm_atomic_state_free] Freeing atomic state 00000000921c84ac SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [0042608409c280d0] address between user and kernel address ranges Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device uas usb_storage usbhid xhci_plat_hcd xhci_hcd bnep des_generic libdes md4 brcmfmac_wcc hci_bcm4377 joydev brcmfmac brcmutil bluetooth cfg80211 ecdh_generic ecc hid_magicmouse rfkill apple_isp macsmc_reboot snd_soc_macaudio macsmc_hid macsmc_power videobuf2_dma_sg videobuf2_memops snd_soc_cs42l84 videobuf2_v4l2 ofpart snd_soc_tas2764 spi_nor xt_conntrack videodev videobuf2_common snd_soc_apple_mca nf_conntrack mc pwm_apple apple_admac clk_apple_nco nf_defrag_ipv6 nf_defrag_ipv4 leds_pwm apple_soc_cpufreq hid_apple ip6t_rpfilter ipt_rpfilter xt_pkttype xt_LOG nf_log_syslog nft_compat nf_tables nfnetlink loop tun tap macvlan bridge stp llc fuse zstd zram dm_crypt nvmem_spmi_mfd rtc_macsmc gpio_macsmc simple_mfd_spmi tps6598x dockchannel_hid regmap_spmi pcie_apple pci_host_common dwc3 phy_apple_atc apple_rtkit_helper nvme_apple udc_core typec macsmc_rtkit apple_rtkit apple_sart macsmc apple_dockchannel mfd_core spmi_apple_controller nvmem_apple_efuses pinctrl_apple_gpio spi_apple i2c_apple apple_dart apple_mailbox btrfs xor xor_neon raid6_pq CPU: 0 PID: 1343030 Comm: kworker/u16:1 Tainted: G S 6.5.0-asahi #1-NixOS Hardware name: Apple MacBook Pro (13-inch, M2, 2022) (DT) Workqueue: events_unbound commit_work pstate: 81400009 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : drm_gem_fb_vunmap+0x18/0x74 lr : drm_gem_end_shadow_fb_access+0x1c/0x2c sp : ffff800089703d00 x29: ffff800089703d00 x28: 0000000000000000 x27: 0000000000000000 x26: ffff000001f6a400 x25: 00000000fffffef7 x24: ffff00001271c7e0 x23: ffff000001fc9605 x22: 0000000000000000 x21: 0942608409c28088 x20: ffff00001271c780 x19: 0000000000000001 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000076 x13: 0000000000000000 x12: ffff800081310a80 x11: 0000000000000001 x10: 5529b6694f2ac3f6 x9 : 89a1724a7ebc1277 x8 : ffff0000133af7c8 x7 : 0000000000000004 x6 : 0000000000000190 x5 : 0000000000000001 x4 : ffff0000a3bd5a00 x3 : ffff00000dd18000 x2 : ffff80008077889c x1 : ffff000139c39c98 x0 : 0942608409c28088 Call trace: drm_gem_fb_vunmap+0x18/0x74 drm_gem_end_shadow_fb_access+0x1c/0x2c drm_atomic_helper_cleanup_planes+0x64/0xe0 drm_atomic_helper_commit_tail+0x90/0xa0 commit_tail+0x15c/0x188 commit_work+0x14/0x20 process_one_work+0x1e0/0x344 worker_thread+0x68/0x424 kthread+0xf4/0x100 ret_from_fork+0x10/0x20 Code: 910003fd a90153f3 f90013f5 aa0003f5 (f9402400)
Hi
Am 26.11.23 um 16:08 schrieb Alyssa Ross:
Thomas Zimmermann tzimmermann@suse.de writes:
Invoke drm_plane_helper_funcs.end_fb_access before drm_atomic_helper_commit_hw_done(). The latter function hands over ownership of the plane state to the following commit, which might free it. Releasing resources in end_fb_access then operates on undefined state. This bug has been observed with non-blocking commits when they are being queued up quickly.
Here is an example stack trace from the bug report. The plane state has been free'd already, so the pages for drm_gem_fb_vunmap() are gone.
Unable to handle kernel paging request at virtual address 0000000100000049 [...] drm_gem_fb_vunmap+0x18/0x74 drm_gem_end_shadow_fb_access+0x1c/0x2c drm_atomic_helper_cleanup_planes+0x58/0xd8 drm_atomic_helper_commit_tail+0x90/0xa0 commit_tail+0x15c/0x188 commit_work+0x14/0x20
For aborted commits, it is still ok to run end_fb_access as part of the plane's cleanup. Add a test to drm_atomic_helper_cleanup_planes().
Reported-by: Alyssa Ross hi@alyssa.is Closes: https://lore.kernel.org/dri-devel/87leazm0ya.fsf@alyssa.is/ Suggested-by: Daniel Vetter daniel@ffwll.ch Fixes: 94d879eaf7fb ("drm/atomic-helper: Add {begin,end}_fb_access to plane helpers") Signed-off-by: Thomas Zimmermann tzimmermann@suse.de Cc: stable@vger.kernel.org # v6.2+
drivers/gpu/drm/drm_atomic_helper.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+)
I've been trying this patch for the last couple of days. Alas the problem doesn't seem to have been resolved entirely, because I've had the following Oopses:
Thanks for testing. I think I got the test in drm_atomic_helper_cleanup_planes() wrong. I'll seend out an update soon.
Best regards Thomas
simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_init] Allocated atomic state 00000000af08a086 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_plane_state] Added [PLANE:31:plane-0] 0000000001cc7517 state to 00000000af08a086 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_crtc_state] Added [CRTC:33:crtc-0] 00000000e546877a state to 00000000af08a086 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_set_fb_for_plane] Set [FB:37] for [PLANE:31:plane-0] state 0000000001cc7517 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_connector_state] Added [CONNECTOR:35:Unknown-1] 000000008cee195b state to 00000000af08a086 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_check_only] checking 00000000af08a086 simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] Updating routing for [CONNECTOR:35:Unknown-1] simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] [CONNECTOR:35:Unknown-1] keeps [ENCODER:34:None-34], now on [CRTC:33:crtc-0] simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000af08a086 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000af08a086 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_nonblocking_commit] committing 00000000af08a086 nonblocking simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000af08a086 simple-framebuffer dd53a4000.framebuffer: [drm:__drm_atomic_state_free] Freeing atomic state 00000000af08a086 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_init] Allocated atomic state 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_plane_state] Added [PLANE:31:plane-0] 00000000d3b51954 state to 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_crtc_state] Added [CRTC:33:crtc-0] 00000000e7c9e6b8 state to 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_set_fb_for_plane] Set [FB:38] for [PLANE:31:plane-0] state 00000000d3b51954 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_connector_state] Added [CONNECTOR:35:Unknown-1] 00000000016b7c7e state to 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_check_only] checking 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] Updating routing for [CONNECTOR:35:Unknown-1] simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] [CONNECTOR:35:Unknown-1] keeps [ENCODER:34:None-34], now on [CRTC:33:crtc-0] simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:__drm_atomic_state_free] Freeing atomic state 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_init] Allocated atomic state 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_plane_state] Added [PLANE:31:plane-0] 00000000d3b51954 state to 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_crtc_state] Added [CRTC:33:crtc-0] 00000000e7c9e6b8 state to 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_set_fb_for_plane] Set [FB:38] for [PLANE:31:plane-0] state 00000000d3b51954 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_connector_state] Added [CONNECTOR:35:Unknown-1] 00000000016b7c7e state to 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_check_only] checking 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] Updating routing for [CONNECTOR:35:Unknown-1] simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] [CONNECTOR:35:Unknown-1] keeps [ENCODER:34:None-34], now on [CRTC:33:crtc-0] simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000f87a08e9 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_nonblocking_commit] committing 00000000f87a08e9 nonblocking Unable to handle kernel paging request at virtual address 07821098078210e0 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [07821098078210e0] address between user and kernel address ranges Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP Modules linked in: uas usb_storage usbhid rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device bnep des_generic libdes md4 brcmfmac_wcc joydev hci_bcm4377 bluetooth brcmfmac brcmutil ecdh_generic cfg80211 hid_magicmouse ecc rfkill macsmc_power macsmc_hid snd_soc_macaudio macsmc_reboot apple_isp videobuf2_dma_sg videobuf2_memops videobuf2_v4l2 videodev videobuf2_common xt_conntrack ofpart nf_conntrack mc spi_nor nf_defrag_ipv6 clk_apple_nco apple_admac nf_defrag_ipv4 snd_soc_apple_mca snd_soc_cs42l84 snd_soc_tas2764 pwm_apple apple_soc_cpufreq leds_pwm hid_apple ip6t_rpfilter ipt_rpfilter xt_pkttype xt_LOG nf_log_syslog nft_compat nf_tables nfnetlink loop tun tap macvlan bridge stp llc fuse zstd zram dm_crypt xhci_plat_hcd xhci_hcd rtc_macsmc nvmem_spmi_mfd gpio_macsmc pcie_apple simple_mfd_spmi dockchannel_hid tps6598x regmap_spmi pci_host_common phy_apple_atc dwc3 typec nvme_apple udc_core apple_sart apple_dockchannel macsmc_rtkit apple_rtkit_helper macsmc apple_rtkit mfd_core spmi_apple_controller nvmem_apple_efuses simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000f87a08e9 pinctrl_apple_gpio spi_apple i2c_apple apple_dart apple_mailbox btrfs xor xor_neon simple-framebuffer dd53a4000.framebuffer: [drm:__drm_atomic_state_free] Freeing atomic state 00000000f87a08e9 raid6_pq CPU: 3 PID: 1051504 Comm: kworker/u16:0 Tainted: G S 6.5.0-asahi #1-NixOS Hardware name: Apple MacBook Pro (13-inch, M2, 2022) (DT) Workqueue: events_unbound commit_work pstate: 21400009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : drm_gem_fb_vunmap+0x18/0x74 lr : drm_gem_end_shadow_fb_access+0x1c/0x2c sp : ffff800088d1bd00 x29: ffff800088d1bd00 x28: 0000000000000000 x27: 0000000000000000 x26: ffff000001f6a400 x25: 00000000fffffef7 x24: ffff00000c3a6760 x23: ffff000001fcb805 x22: 0000000000000000 x21: 0782109807821098 x20: ffff00000c3a6700 x19: 0000000000000001 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 000000000000000a x13: 0000000000000000 x12: ffff800081310a80 x11: 0000000000000001 x10: 4547e57b44a6ff52 x9 : 55676353188274f2 x8 : ffff00039f2bc148 x7 : 0000000000000004 x6 : 0000000000000190 x5 : 0000000000000001 x4 : ffff00021312e200 x3 : ffff00000ec16000 x2 : ffff80008077889c x1 : ffff0000cbde3498 x0 : 0782109807821098 Call trace: drm_gem_fb_vunmap+0x18/0x74 drm_gem_end_shadow_fb_access+0x1c/0x2c drm_atomic_helper_cleanup_planes+0x64/0xe0 drm_atomic_helper_commit_tail+0x90/0xa0 commit_tail+0x15c/0x188 commit_work+0x14/0x20 process_one_work+0x1e0/0x344 worker_thread+0x68/0x424 kthread+0xf4/0x100 ret_from_fork+0x10/0x20 Code: 910003fd a90153f3 f90013f5 aa0003f5 (f9402400) ---[ end trace 0000000000000000 ]---
simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_init] Allocated atomic state 000000005d0bd601 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_plane_state] Added [PLANE:31:plane-0] 000000001a73352d state to 000000005d0bd601 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_crtc_state] Added [CRTC:33:crtc-0] 000000007421fdc2 state to 000000005d0bd601 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_set_fb_for_plane] Set [FB:39] for [PLANE:31:plane-0] state 000000001a73352d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_connector_state] Added [CONNECTOR:35:Unknown-1] 00000000dabd463e state to 000000005d0bd601 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_check_only] checking 000000005d0bd601 simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] Updating routing for [CONNECTOR:35:Unknown-1] simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] [CONNECTOR:35:Unknown-1] keeps [ENCODER:34:None-34], now on [CRTC:33:crtc-0] simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 000000005d0bd601 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 000000005d0bd601 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_nonblocking_commit] committing 000000005d0bd601 nonblocking simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_default_clear] Clearing atomic state 000000005d0bd601 simple-framebuffer dd53a4000.framebuffer: [drm:__drm_atomic_state_free] Freeing atomic state 000000005d0bd601 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_init] Allocated atomic state 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_plane_state] Added [PLANE:31:plane-0] 000000008a207775 state to 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_crtc_state] Added [CRTC:33:crtc-0] 00000000a7948d96 state to 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_set_fb_for_plane] Set [FB:37] for [PLANE:31:plane-0] state 000000008a207775 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_connector_state] Added [CONNECTOR:35:Unknown-1] 000000005a471972 state to 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_check_only] checking 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] Updating routing for [CONNECTOR:35:Unknown-1] simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] [CONNECTOR:35:Unknown-1] keeps [ENCODER:34:None-34], now on [CRTC:33:crtc-0] simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:__drm_atomic_state_free] Freeing atomic state 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_init] Allocated atomic state 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_plane_state] Added [PLANE:31:plane-0] 000000008a207775 state to 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_crtc_state] Added [CRTC:33:crtc-0] 00000000a7948d96 state to 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_set_fb_for_plane] Set [FB:37] for [PLANE:31:plane-0] state 000000008a207775 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_connector_state] Added [CONNECTOR:35:Unknown-1] 000000005a471972 state to 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_check_only] checking 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] Updating routing for [CONNECTOR:35:Unknown-1] simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] [CONNECTOR:35:Unknown-1] keeps [ENCODER:34:None-34], now on [CRTC:33:crtc-0] simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_nonblocking_commit] committing 00000000f0e89d2d nonblocking Unable to handle kernel paging request at virtual address 0042608409c280d0 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000f0e89d2d simple-framebuffer dd53a4000.framebuffer: [drm:__drm_atomic_state_free] Freeing atomic state 00000000f0e89d2d Mem abort info: ESR = 0x0000000096000004 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_init] Allocated atomic state 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_plane_state] Added [PLANE:31:plane-0] 00000000018a5301 state to 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_crtc_state] Added [CRTC:33:crtc-0] 000000007461d4b6 state to 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_set_fb_for_plane] Set [FB:39] for [PLANE:31:plane-0] state 00000000018a5301 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_connector_state] Added [CONNECTOR:35:Unknown-1] 00000000aa5a97e1 state to 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_check_only] checking 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] Updating routing for [CONNECTOR:35:Unknown-1] simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] [CONNECTOR:35:Unknown-1] keeps [ENCODER:34:None-34], now on [CRTC:33:crtc-0] simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:__drm_atomic_state_free] Freeing atomic state 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_init] Allocated atomic state 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_plane_state] Added [PLANE:31:plane-0] 00000000018a5301 state to 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_crtc_state] Added [CRTC:33:crtc-0] 000000007461d4b6 state to 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_set_fb_for_plane] Set [FB:39] for [PLANE:31:plane-0] state 00000000018a5301 simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_get_connector_state] Added [CONNECTOR:35:Unknown-1] 00000000aa5a97e1 state to 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_check_only] checking 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] Updating routing for [CONNECTOR:35:Unknown-1] simple-framebuffer dd53a4000.framebuffer: [drm:update_connector_routing] [CONNECTOR:35:Unknown-1] keeps [ENCODER:34:None-34], now on [CRTC:33:crtc-0] simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_add_encoder_bridges] Adding all bridges for [encoder:34:None-34] to 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_nonblocking_commit] committing 00000000921c84ac nonblocking EC = 0x25: DABT (current EL), IL = 32 bits simple-framebuffer dd53a4000.framebuffer: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000921c84ac simple-framebuffer dd53a4000.framebuffer: [drm:__drm_atomic_state_free] Freeing atomic state 00000000921c84ac SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [0042608409c280d0] address between user and kernel address ranges Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device uas usb_storage usbhid xhci_plat_hcd xhci_hcd bnep des_generic libdes md4 brcmfmac_wcc hci_bcm4377 joydev brcmfmac brcmutil bluetooth cfg80211 ecdh_generic ecc hid_magicmouse rfkill apple_isp macsmc_reboot snd_soc_macaudio macsmc_hid macsmc_power videobuf2_dma_sg videobuf2_memops snd_soc_cs42l84 videobuf2_v4l2 ofpart snd_soc_tas2764 spi_nor xt_conntrack videodev videobuf2_common snd_soc_apple_mca nf_conntrack mc pwm_apple apple_admac clk_apple_nco nf_defrag_ipv6 nf_defrag_ipv4 leds_pwm apple_soc_cpufreq hid_apple ip6t_rpfilter ipt_rpfilter xt_pkttype xt_LOG nf_log_syslog nft_compat nf_tables nfnetlink loop tun tap macvlan bridge stp llc fuse zstd zram dm_crypt nvmem_spmi_mfd rtc_macsmc gpio_macsmc simple_mfd_spmi tps6598x dockchannel_hid regmap_spmi pcie_apple pci_host_common dwc3 phy_apple_atc apple_rtkit_helper nvme_apple udc_core typec macsmc_rtkit apple_rtkit apple_sart macsmc apple_dockchannel mfd_core spmi_apple_controller nvmem_apple_efuses pinctrl_apple_gpio spi_apple i2c_apple apple_dart apple_mailbox btrfs xor xor_neon raid6_pq CPU: 0 PID: 1343030 Comm: kworker/u16:1 Tainted: G S 6.5.0-asahi #1-NixOS Hardware name: Apple MacBook Pro (13-inch, M2, 2022) (DT) Workqueue: events_unbound commit_work pstate: 81400009 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : drm_gem_fb_vunmap+0x18/0x74 lr : drm_gem_end_shadow_fb_access+0x1c/0x2c sp : ffff800089703d00 x29: ffff800089703d00 x28: 0000000000000000 x27: 0000000000000000 x26: ffff000001f6a400 x25: 00000000fffffef7 x24: ffff00001271c7e0 x23: ffff000001fc9605 x22: 0000000000000000 x21: 0942608409c28088 x20: ffff00001271c780 x19: 0000000000000001 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000076 x13: 0000000000000000 x12: ffff800081310a80 x11: 0000000000000001 x10: 5529b6694f2ac3f6 x9 : 89a1724a7ebc1277 x8 : ffff0000133af7c8 x7 : 0000000000000004 x6 : 0000000000000190 x5 : 0000000000000001 x4 : ffff0000a3bd5a00 x3 : ffff00000dd18000 x2 : ffff80008077889c x1 : ffff000139c39c98 x0 : 0942608409c28088 Call trace: drm_gem_fb_vunmap+0x18/0x74 drm_gem_end_shadow_fb_access+0x1c/0x2c drm_atomic_helper_cleanup_planes+0x64/0xe0 drm_atomic_helper_commit_tail+0x90/0xa0 commit_tail+0x15c/0x188 commit_work+0x14/0x20 process_one_work+0x1e0/0x344 worker_thread+0x68/0x424 kthread+0xf4/0x100 ret_from_fork+0x10/0x20 Code: 910003fd a90153f3 f90013f5 aa0003f5 (f9402400)
linux-stable-mirror@lists.linaro.org
-
Alyssa Ross -
Thomas Zimmermann