Bug 109084

Summary: [CI][DRMTIP] igt@kms_cursor_legacy@2x-long-flip-vs-cursor-legacy - incomplete - RIP: 0010:skl_check_pipe_max_pixel_rate+0x8b/0x2d0
Product: DRI Reporter: Lakshmi <lakshminarayana.vudum>
Component: DRM/IntelAssignee: Clinton Taylor <clinton.a.taylor>
Status: CLOSED WORKSFORME QA Contact: Intel GFX Bugs mailing list <intel-gfx-bugs>
Severity: normal    
Priority: high CC: intel-gfx-bugs, james.ausmus
Version: XOrg git   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: ICL i915 features: display/atomic

Description Lakshmi 2018-12-18 11:16:02 UTC 
https://intel-gfx-ci.01.org/tree/drm-tip/drmtip_173/fi-icl-u3/igt@kms_cursor_legacy@2x-long-flip-vs-cursor-legacy.html

<3> [44.734463] BUG: sleeping function called from invalid context at kernel/sched/completion.c:99
<3> [44.734466] in_atomic(): 1, irqs_disabled(): 1, pid: 74, name: kworker/3:1
<4> [44.734468] INFO: lockdep is turned off.
<4> [44.734471] irq event stamp: 81957
<4> [44.734477] hardirqs last  enabled at (81957): [<ffffffff9f01bc62>] do_general_protection+0x182/0x1c0
<4> [44.734480] hardirqs last disabled at (81956): [<ffffffff9f0019b0>] trace_hardirqs_off_thunk+0x1a/0x1c
<4> [44.734484] softirqs last  enabled at (81634): [<ffffffff9f4a1843>] rht_deferred_worker+0x4a3/0x890
<4> [44.734487] softirqs last disabled at (81632): [<ffffffff9f4a1502>] rht_deferred_worker+0x162/0x890
<3> [44.734489] Preemption disabled at:
<4> [44.734490] [<0000000000000000>]           (null)
<4> [44.734495] CPU: 3 PID: 74 Comm: kworker/3:1 Tainted: G     UD           4.20.0-rc6-g930cc950db75-drmtip_173+ #1
<4> [44.734593] Hardware name: Intel Corporation Ice Lake Client Platform/IceLake U DDR4 SODIMM PD RVP TLC, BIOS ICLSFWR1.R00.2402.AD3.1810170014 10/17/2018
<4> [44.734598] Workqueue: events drm_mode_rmfb_work_fn
<4> [44.734601] Call Trace:
<4> [44.734606]  dump_stack+0x67/0x9b
<4> [44.734610]  ___might_sleep+0x167/0x250
<4> [44.734614]  wait_for_common+0x40/0x1f0
<4> [44.734620]  virt_efi_query_variable_info+0x161/0x1b0
<4> [44.734625]  efi_query_variable_store+0xb3/0x1a0
<4> [44.734630]  ? efivar_entry_set_safe+0x168/0x1d0
<4> [44.734633]  ? efi_delete_dummy_variable+0x90/0x90
<4> [44.734636]  efivar_entry_set_safe+0x168/0x1d0
<4> [44.734641]  ? efi_pstore_write+0x105/0x150
<4> [44.734644]  ? efi_pstore_write+0xa2/0x150
<4> [44.734648]  efi_pstore_write+0x105/0x150
<4> [44.734659]  pstore_dump+0x12b/0x350
<4> [44.734667]  kmsg_dump+0x87/0x1c0
<4> [44.734671]  oops_end+0x3e/0x90
<4> [44.734680]  general_protection+0x1e/0x30
<4> [44.734711] RIP: 0010:skl_check_pipe_max_pixel_rate+0x8b/0x2d0 [i915]
<4> [44.734718] Code: 00 0f b6 85 80 00 00 00 84 c0 74 36 48 83 7d 10 00 0f 84 e3 01 00 00 48 89 ee 4c 89 ef e8 fd 7e ff ff 48 8b 55 10 48 8b 52 48 <80> 7a 06 08 0f 84 a5 01 00 00 49 8b 95 38 02 00 00 41 39 c7 44 0f
<4> [44.734726] RSP: 0018:ffffab3400257b48 EFLAGS: 00010293
<4> [44.734734] RAX: 0000000000010000 RBX: ffff8c175e550000 RCX: 0000000000010000
<4> [44.734741] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000870 RDI: 0000000008700000
<4> [44.734749] RBP: ffff8c1764c97508 R08: 0000000000000f00 R09: 0000000000000000
<4> [44.734756] R10: ffff8c175f4512a8 R11: 0000000000000000 R12: ffff8c175c160ff8
<4> [44.734762] R13: ffff8c174fba1bf8 R14: ffff8c174fba0958 R15: 0000000000010000
<4> [44.734794]  ? skl_check_pipe_max_pixel_rate+0x83/0x2d0 [i915]
<4> [44.734833]  intel_crtc_atomic_check+0x30a/0x4d0 [i915]
<4> [44.734842]  drm_atomic_helper_check_planes+0x14d/0x1f0
<4> [44.734880]  intel_atomic_check+0x642/0x1220 [i915]
<4> [44.734918]  ? intel_crtc_duplicate_state+0x1b/0x80 [i915]
<4> [44.734926]  drm_atomic_check_only+0x557/0x7f0
<4> [44.734931]  drm_atomic_commit+0xe/0x50
<4> [44.734934]  atomic_remove_fb+0x295/0x2c0
<4> [44.734940]  drm_framebuffer_remove+0x69/0x150
<4> [44.734943]  drm_mode_rmfb_work_fn+0x4a/0x60
<4> [44.734947]  process_one_work+0x262/0x630
<4> [44.734951]  worker_thread+0x1d0/0x380
<4> [44.734955]  ? process_one_work+0x630/0x630
<4> [44.734958]  kthread+0x119/0x130
<4> [44.734961]  ? kthread_park+0x80/0x80
<4> [44.734964]  ret_from_fork+0x3a/0x50
<3> [44.734980] BUG: scheduling while atomic: kworker/3:1/74/0x00000002
<4> [44.734983] INFO: lockdep is turned off.
<4> [44.734985] Modules linked in: snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic x86_pkg_temp_thermal coretemp snd_hda_intel crct10dif_pclmul crc32_pclmul ghash_clmulni_intel i915 snd_hda_codec snd_hwdep snd_hda_core e1000e snd_pcm cdc_ether btusb usbnet btrtl btbcm btintel mii i2c_i801 bluetooth ecdh_generic prime_numbers
<3> [44.748056] Preemption disabled at:
<4> [44.748058] [<0000000000000000>]           (null)
<4> [44.748064] CPU: 3 PID: 74 Comm: kworker/3:1 Tainted: G     UD W         4.20.0-rc6-g930cc950db75-drmtip_173+ #1
<4> [44.748071] Hardware name: Intel Corporation Ice Lake Client Platform/IceLake U DDR4 SODIMM PD RVP TLC, BIOS ICLSFWR1.R00.2402.AD3.1810170014 10/17/2018
<4> [44.748082] Workqueue: events drm_mode_rmfb_work_fn
<4> [44.748090] Call Trace:
<4> [44.748100]  dump_stack+0x67/0x9b
<4> [44.748108]  __schedule_bug+0x7b/0xd0
<4> [44.748117]  __schedule+0x8cf/0xb50
<4> [44.748129]  ? wait_for_common+0x116/0x1f0
<4> [44.748136]  schedule+0x2d/0x90
<4> [44.748144]  schedule_timeout+0x236/0x4f0
<4> [44.748152]  ? lock_acquire+0xa6/0x1c0
<4> [44.748160]  ? wait_for_common+0x48/0x1f0
<4> [44.748169]  ? wait_for_common+0x116/0x1f0
<4> [44.748176]  wait_for_common+0x13a/0x1f0
<4> [44.748182]  ? wake_up_q+0x70/0x70
<4> [44.748188]  virt_efi_set_variable+0x151/0x1a0
<4> [44.748194]  efivar_entry_set_safe+0xea/0x1d0
<4> [44.748200]  ? efi_pstore_write+0x105/0x150
<4> [44.748204]  ? efi_pstore_write+0xa2/0x150
<4> [44.748207]  efi_pstore_write+0x105/0x150
<4> [44.748217]  pstore_dump+0x12b/0x350
<4> [44.748226]  kmsg_dump+0x87/0x1c0
<4> [44.748231]  oops_end+0x3e/0x90
<4> [44.748235]  general_protection+0x1e/0x30
<4> [44.748280] RIP: 0010:skl_check_pipe_max_pixel_rate+0x8b/0x2d0 [i915]
<4> [44.748288] Code: 00 0f b6 85 80 00 00 00 84 c0 74 36 48 83 7d 10 00 0f 84 e3 01 00 00 48 89 ee 4c 89 ef e8 fd 7e ff ff 48 8b 55 10 48 8b 52 48 <80> 7a 06 08 0f 84 a5 01 00 00 49 8b 95 38 02 00 00 41 39 c7 44 0f
<4> [44.748295] RSP: 0018:ffffab3400257b48 EFLAGS: 00010293
<4> [44.748305] RAX: 0000000000010000 RBX: ffff8c175e550000 RCX: 0000000000010000
<4> [44.748312] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000870 RDI: 0000000008700000
<4> [44.748319] RBP: ffff8c1764c97508 R08: 0000000000000f00 R09: 0000000000000000
<4> [44.748326] R10: ffff8c175f4512a8 R11: 0000000000000000 R12: ffff8c175c160ff8
<4> [44.748334] R13: ffff8c174fba1bf8 R14: ffff8c174fba0958 R15: 0000000000010000
<4> [44.748376]  ? skl_check_pipe_max_pixel_rate+0x83/0x2d0 [i915]
<4> [44.748426]  intel_crtc_atomic_check+0x30a/0x4d0 [i915]
<4> [44.748439]  drm_atomic_helper_check_planes+0x14d/0x1f0
<4> [44.748487]  intel_atomic_check+0x642/0x1220 [i915]
<4> [44.748537]  ? intel_crtc_duplicate_state+0x1b/0x80 [i915]
<4> [44.748549]  drm_atomic_check_only+0x557/0x7f0
<4> [44.748559]  drm_atomic_commit+0xe/0x50
<4> [44.748564]  atomic_remove_fb+0x295/0x2c0
<4> [44.748572]  drm_framebuffer_remove+0x69/0x150
<4> [44.748577]  drm_mode_rmfb_work_fn+0x4a/0x60
<4> [44.748582]  process_one_work+0x262/0x630
<4> [44.748588]  worker_thread+0x1d0/0x380
<4> [44.748593]  ? process_one_work+0x630/0x630
<4> [44.748597]  kthread+0x119/0x130
<4> [44.748601]  ? kthread_park+0x80/0x80
<4> [44.748606]  ret_from_fork+0x3a/0x50
<4> [44.748620] WARNING: CPU: 3 PID: 74 at kernel/rcu/tree_plugin.h:337 rcu_note_context_switch+0x84/0x610
<4> [44.748622] Modules linked in: snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic x86_pkg_temp_thermal coretemp snd_hda_intel crct10dif_pclmul crc32_pclmul ghash_clmulni_intel i915 snd_hda_codec snd_hwdep snd_hda_core e1000e snd_pcm cdc_ether btusb usbnet btrtl btbcm btintel mii i2c_i801 bluetooth ecdh_generic prime_numbers
<4> [44.748649] CPU: 3 PID: 74 Comm: kworker/3:1 Tainted: G     UD W         4.20.0-rc6-g930cc950db75-drmtip_173+ #1
<4> [44.748655] Hardware name: Intel Corporation Ice Lake Client Platform/IceLake U DDR4 SODIMM PD RVP TLC, BIOS ICLSFWR1.R00.2402.AD3.1810170014 10/17/2018
<4> [44.748659] Workqueue: events drm_mode_rmfb_work_fn
<4> [44.748664] RIP: 0010:rcu_note_context_switch+0x84/0x610
<4> [44.748672] Code: 25 00 4f 01 00 8b 88 7c 08 00 00 85 c9 0f 84 c4 01 00 00 45 84 ed 8b 85 78 03 00 00 0f 85 bf 00 00 00 85 c0 0f 8e bf 00 00 00 <0f> 0b 80 bd 7c 03 00 00 00 0f 84 d3 01 00 00 48 89 ef e8 e5 fc ff
<4> [44.748679] RSP: 0018:ffffab34002575e8 EFLAGS: 00010002
<4> [44.748688] RAX: 0000000000000001 RBX: ffff8c176ffb2c00 RCX: 0000000000000002
<4> [44.748695] RDX: 0000000000000002 RSI: 0000000000000000 RDI: ffffffffa00ab156
<4> [44.748702] RBP: ffff8c176ad74040 R08: 0000000000000000 R09: 0000000000000000
<4> [44.748709] R10: ffffab3400257460 R11: ffffffffa0248180 R12: ffff8c176ad74040
<4> [44.748716] R13: 0000000000000000 R14: 0000000000031ec0 R15: 0000000000000000
<4> [44.748724] FS:  0000000000000000(0000) GS:ffff8c176ff80000(0000) knlGS:0000000000000000
<4> [44.748731] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4> [44.748738] CR2: 00007f9ca0a62900 CR3: 00000004a80a8004 CR4: 0000000000760ee0
<4> [44.748745] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
<4> [44.748752] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
<4> [44.748759] PKRU: 55555554
<4> [44.748765] Call Trace:
<4> [44.748774]  __schedule+0xbc/0xb50
<4> [44.748780]  ? wait_for_common+0x116/0x1f0
<4> [44.748784]  schedule+0x2d/0x90
<4> [44.748788]  schedule_timeout+0x236/0x4f0
<4> [44.748793]  ? lock_acquire+0xa6/0x1c0
<4> [44.748797]  ? wait_for_common+0x48/0x1f0
<4> [44.748804]  ? wait_for_common+0x116/0x1f0
<4> [44.748807]  wait_for_common+0x13a/0x1f0
<4> [44.748812]  ? wake_up_q+0x70/0x70
<4> [44.748819]  virt_efi_set_variable+0x151/0x1a0
<4> [44.748825]  efivar_entry_set_safe+0xea/0x1d0
<4> [44.748831]  ? efi_pstore_write+0x105/0x150
<4> [44.748835]  ? efi_pstore_write+0xa2/0x150
<4> [44.748842]  efi_pstore_write+0x105/0x150
<4> [44.748857]  pstore_dump+0x12b/0x350
<4> [44.748869]  kmsg_dump+0x87/0x1c0
<4> [44.748878]  oops_end+0x3e/0x90
<4> [44.748886]  general_protection+0x1e/0x30
<4> [44.748927] RIP: 0010:skl_check_pipe_max_pixel_rate+0x8b/0x2d0 [i915]
<4> [44.748935] Code: 00 0f b6 85 80 00 00 00 84 c0 74 36 48 83 7d 10 00 0f 84 e3 01 00 00 48 89 ee 4c 89 ef e8 fd 7e ff ff 48 8b 55 10 48 8b 52 48 <80> 7a 06 08 0f 84 a5 01 00 00 49 8b 95 38 02 00 00 41 39 c7 44 0f
<4> [44.748942] RSP: 0018:ffffab3400257b48 EFLAGS: 00010293
<4> [44.748951] RAX: 0000000000010000 RBX: ffff8c175e550000 RCX: 0000000000010000
<4> [44.748958] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000870 RDI: 0000000008700000
<4> [44.748965] RBP: ffff8c1764c97508 R08: 0000000000000f00 R09: 0000000000000000
<4> [44.748972] R10: ffff8c175f4512a8 R11: 0000000000000000 R12: ffff8c175c160ff8
<4> [44.748979] R13: ffff8c174fba1bf8 R14: ffff8c174fba0958 R15: 0000000000010000
<4> [44.749027]  ? skl_check_pipe_max_pixel_rate+0x83/0x2d0 [i915]
<4> [44.749075]  intel_crtc_atomic_check+0x30a/0x4d0 [i915]
<4> [44.749082]  drm_atomic_helper_check_planes+0x14d/0x1f0
<4> [44.749128]  intel_atomic_check+0x642/0x1220 [i915]
<4> [44.749178]  ? intel_crtc_duplicate_state+0x1b/0x80 [i915]
<4> [44.749188]  drm_atomic_check_only+0x557/0x7f0
<4> [44.749198]  drm_atomic_commit+0xe/0x50
<4> [44.749206]  atomic_remove_fb+0x295/0x2c0
<4> [44.749218]  drm_framebuffer_remove+0x69/0x150
<4> [44.749226]  drm_mode_rmfb_work_fn+0x4a/0x60
<4> [44.749233]  process_one_work+0x262/0x630
<4> [44.749243]  worker_thread+0x1d0/0x380
<4> [44.749252]  ? process_one_work+0x630/0x630
<4> [44.749259]  kthread+0x119/0x130
<4> [44.749267]  ? kthread_park+0x80/0x80
<4> [44.749274]  ret_from_fork+0x3a/0x50
<4> [44.749285] irq event stamp: 81957
<4> [44.749293] hardirqs last  enabled at (81957): [<ffffffff9f01bc62>] do_general_protection+0x182/0x1c0
<4> [44.749302] hardirqs last disabled at (81956): [<ffffffff9f0019b0>] trace_hardirqs_off_thunk+0x1a/0x1c
<4> [44.749310] softirqs last  enabled at (81634): [<ffffffff9f4a1843>] rht_deferred_worker+0x4a3/0x890
<4> [44.749318] softirqs last disabled at (81632): [<ffffffff9f4a1502>] rht_deferred_worker+0x162/0x890
<4> [44.749326] WARNING: CPU: 3 PID: 74 at kernel/rcu/tree_plugin.h:337 rcu_note_context_switch+0x84/0x610
<4> [44.749333] ---[ end trace 6ad8814924c69e23 ]---
<4> [45.167346] RIP: 0010:skl_check_pipe_max_pixel_rate+0x8b/0x2d0 [i915]
<4> [45.167355] Code: 00 0f b6 85 80 00 00 00 84 c0 74 36 48 83 7d 10 00 0f 84 e3 01 00 00 48 89 ee 4c 89 ef e8 fd 7e ff ff 48 8b 55 10 48 8b 52 48 <80> 7a 06 08 0f 84 a5 01 00 00 49 8b 95 38 02 00 00 41 39 c7 44 0f
<4> [45.167359] RSP: 0018:ffffab3400257b48 EFLAGS: 00010293
<4> [45.167363] RAX: 0000000000010000 RBX: ffff8c175e550000 RCX: 0000000000010000
<4> [45.167366] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000870 RDI: 0000000008700000
<4> [45.167369] RBP: ffff8c1764c97508 R08: 0000000000000f00 R09: 0000000000000000
<4> [45.167371] R10: ffff8c175f4512a8 R11: 0000000000000000 R12: ffff8c175c160ff8
<4> [45.167374] R13: ffff8c174fba1bf8 R14: ffff8c174fba0958 R15: 0000000000010000
<4> [45.167378] FS:  0000000000000000(0000) GS:ffff8c176ff80000(0000) knlGS:0000000000000000
<4> [45.167381] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4> [45.167384] CR2: 0000561859c35b90 CR3: 00000004a3d9c006 CR4: 0000000000760ee0
<4> [45.167387] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
<4> [45.167389] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
<4> [45.167392] PKRU: 55555554
<6> [45.167489] kworker/3:1 (74) used greatest stack depth: 11984 bytes left
<6> [344.138011] kworker/dying (167) used greatest stack depth: 11944 bytes left
Comment 1 Chris Wilson 2018-12-18 14:39:38 UTC 
A use-after-free, pipe state from drm_atomic_crtc_state_for_each_plane_state()?
Comment 2 Martin Peres 2019-04-12 12:57:45 UTC 
Still happening:

<4> [791.308567] general protection fault: 0000 [#1] PREEMPT SMP NOPTI
<4> [791.308571] CPU: 3 PID: 170 Comm: kworker/3:1 Tainted: G     U            5.0.0-g2b6425f8c26c-drmtip_243+ #1
<4> [791.308573] Hardware name: Intel Corporation Ice Lake Client Platform/IceLake U DDR4 SODIMM PD RVP TLC, BIOS ICLSFWR1.R00.3087.A00.1902250334 02/25/2019
<4> [791.308576] Workqueue: events drm_mode_rmfb_work_fn
<4> [791.308603] RIP: 0010:skl_check_pipe_max_pixel_rate+0x8b/0x2d0 [i915]
<4> [791.308605] Code: 00 0f b6 85 80 00 00 00 84 c0 74 36 48 83 7d 10 00 0f 84 e3 01 00 00 48 89 ee 4c 89 ef e8 ad 75 ff ff 48 8b 55 10 48 8b 52 48 <80> 7a 06 08 0f 84 a5 01 00 00 49 8b 95 f8 01 00 00 41 39 c7 44 0f
<4> [791.308607] RSP: 0018:ffffb56f80327b48 EFLAGS: 00010293
<4> [791.308609] RAX: 0000000000010000 RBX: ffff946f017d0000 RCX: 0000000000010000
<4> [791.308610] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000438 RDI: 0000000004380000
<4> [791.308611] RBP: ffff946f17108358 R08: 0000000000000780 R09: 0000000000000000
<4> [791.308613] R10: 0000000000000000 R11: 0000000000000000 R12: ffff946f0bf75fa8
<4> [791.308614] R13: ffff946f1311e7e8 R14: ffff946f1ad78958 R15: 0000000000010000
<4> [791.308615] FS:  0000000000000000(0000) GS:ffff946f1fec0000(0000) knlGS:0000000000000000
<4> [791.308617] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4> [791.308618] CR2: 00007f7984a8f900 CR3: 00000003e7f62002 CR4: 0000000000760ee0
<4> [791.308619] PKRU: 55555554
<4> [791.308620] Call Trace:
<4> [791.308657]  intel_crtc_atomic_check+0x374/0x540 [i915]
<4> [791.308691]  ? intel_plane_atomic_check_with_state+0x88/0x190 [i915]
<4> [791.308694]  drm_atomic_helper_check_planes+0x14d/0x1f0
<4> [791.308726]  intel_atomic_check+0x5f6/0x1300 [i915]
<4> [791.308731]  drm_atomic_check_only+0x55a/0x7f0
<4> [791.308734]  drm_atomic_commit+0xe/0x50
<4> [791.308736]  atomic_remove_fb+0x295/0x2c0
<4> [791.308741]  drm_framebuffer_remove+0x67/0x140
<4> [791.308743]  drm_mode_rmfb_work_fn+0x4a/0x60
<4> [791.308747]  process_one_work+0x245/0x610
<4> [791.308750]  worker_thread+0x1d0/0x380
<4> [791.308753]  ? process_one_work+0x610/0x610
<4> [791.308755]  kthread+0x119/0x130
<4> [791.308757]  ? kthread_park+0x80/0x80
<4> [791.308760]  ret_from_fork+0x24/0x50
<4> [791.308764] Modules linked in: vgem snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic mei_hdcp i915 x86_pkg_temp_thermal snd_hda_intel coretemp snd_hda_codec snd_hwdep snd_hda_core btusb crct10dif_pclmul btrtl crc32_pclmul btbcm ghash_clmulni_intel cdc_ether btintel usbnet snd_pcm mii bluetooth e1000e i2c_i801 ptp pps_core ecdh_generic mei_me mei prime_numbers
<0> [791.308776] Dumping ftrace buffer:
[...]
<0> [791.337932] ---------------------------------
<4> [791.337958] ---[ end trace 5730792f02f87405 ]---

Bumping the priority to highest because use after free are a security bug, and being able to crash machines from the userspace is unacceptable.

User impact is maximal even without any known userspace generating these scenarios.
Comment 3 Martin Peres 2019-04-12 12:59:20 UTC 
Seen every 2.7 drmtip runs, only on fi-icl-u2/u3, which might indicate that multiple screens are needed to get to this situation (like every 2x tests).
Comment 4 James Ausmus 2019-04-12 19:27:57 UTC 
Martin - how are you getting the "every 2.7 runs" data? From cibuglog, I'm seeing that this hasn't been seen in 4 weeks. Last seen was drmtip_243, and latest idle is drmtip_251, so 8 runs without seeing it
Comment 5 Jani Saarinen 2019-04-15 06:01:07 UTC 
ICL systems were updated (BIOS/FW's) during ww10 so might be reason why issues are not seen anymore?
Comment 6 Martin Peres 2019-04-15 08:13:11 UTC 
(In reply to James Ausmus from comment #4)
> Martin - how are you getting the "every 2.7 runs" data? From cibuglog, I'm
> seeing that this hasn't been seen in 4 weeks. Last seen was drmtip_243, and
> latest idle is drmtip_251, so 8 runs without seeing it

This is an average throughout the lifetime of the bug. With the above reproduction rate, we can only say the problem is fixed after drmtip_270.

However, I would rather prefer we stop looking at the reproduction rate and instead look at what the bug is: a general protection fault in our driver!

(In reply to Jani Saarinen from comment #5)
> ICL systems were updated (BIOS/FW's) during ww10 so might be reason why
> issues are not seen anymore?

No matter what the HW / BIOS is doing, we should not hit a general protection fault.

So, please investigate.
Comment 7 Daniel Vetter 2019-04-15 08:19:17 UTC 
First step here is most likely to improve instrumentation, at least if we can't easily reproduce. This means we need some idea/theory what could go wrong.
Comment 8 Clinton Taylor 2019-04-16 00:03:10 UTC 
Testing so far:
Ran 2x-long-flip-vs-cursor-legacy for 5 hours today without duplicating the issue. During the 5 hours the DUT had 3 CRTC's enabled and I hot-plugged DP and USB_C cables in and out at random intervals to attempt to cause an invalid CRTC to occur. 


Possible fixes to NULL de-reference:
There appears to be 2 ways to get a GP fault in skl_check_pipe_max_pixel_rate().
1. intel_crtc passed in is NULL.
2. pstate is resolving as NULL via drm_atomic_crtc_state_for_each_plane_state().

Assuming intel_crtc_state (cstate) is valid since it's already de-referenced several times in intel_crtc_atomic_check().

Based on the offset (0x8b) in the OOP message the issue is probably not intel_crtc which is de-referenced to get dev_priv in the first line of code.
GP message: skl_check_pipe_max_pixel_rate+0x8b/0x2d0 [i915]

Submit patch to protect intel_crtc in intel_display.c and pstate in intel_pm.c
Comment 9 James Ausmus 2019-04-17 22:54:42 UTC 
Not seen in 1 month on CI (since drmtip_243, currently at drmtip_256), or in multiple days of intensive local testing.

Dropping priority to High, while Clint continues to pursue a patch to guard against a use after free
Comment 10 James Ausmus 2019-04-24 22:45:13 UTC 
*** Bug 109546 has been marked as a duplicate of this bug. ***
Comment 11 James Ausmus 2019-05-03 22:10:34 UTC 
Still no reproduction in CI since drmtip_243, and we're now at drmtip_273, so we've passed the magic milestone of drmtip_270 that Martin mentioned!

Resolving as WORKSFORME.
Comment 12 Lakshmi 2019-07-31 14:13:22 UTC 
The reproduction rate of this issue is once in 3.6 runs, not seen after drmtip_243 (4 months, 2 weeks old).
Closing this issue as WORKSFORME.
Comment 13 CI Bug Log 2019-07-31 14:13:42 UTC 
The CI Bug Log issue associated to this bug has been archived.

New failures matching the above filters will not be associated to this bug anymore.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.