Bug 112256

Summary: i915, git bisect, 5.4-rc1: corrupted page table using ply-image after "drm/i915: Disregard drm_mode_config.fb_base"
Product: DRI Reporter: freedesktop
Component: DRM/IntelAssignee: Intel GFX Bugs mailing list <intel-gfx-bugs>
Status: RESOLVED FIXED QA Contact: Intel GFX Bugs mailing list <intel-gfx-bugs>
Severity: not set    
Priority: not set CC: freedesktop, intel-gfx-bugs
Version: unspecified   
Hardware: x86-64 (AMD64)   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:
Attachments:
Description Flags
5.4-rc7 with corrupted page table trace
none
5.4-rc7 with bad commit reverted - no trace, png image appears
none
drm-tip with corrupted page table none

Description freedesktop 2019-11-13 08:19:12 UTC 
Created attachment 145944 [details]
5.4-rc7 with corrupted page table trace

Testing on a Skylake NUC6i5SYH.

In LibreELEC we use plymouth-lite[1] to display a splash image (png) during initrd.

Since 5.4-rc1 whenever ply-image is executed the kernel produces a corrupted page table trace and the png image does not appear (as ply-image fails):

[    1.712976] ply-image: Corrupted page table at address 7f4f8f2fffe0
[    1.712999] PGD 80000001cbe3c067 P4D 80000001cbe3c067 PUD 2727a6067 PMD 1cbcec067 PTE 800fbfa2307e8237
[    1.713024] Bad pagetable: 000f [#1] SMP PTI
[    1.713035] CPU: 2 PID: 272 Comm: ply-image Not tainted 5.4.0-rc7 #1
[    1.713052] Hardware name:  /NUC6i5SYB, BIOS SYSKLi35.86A.0063.2017.1115.1550 11/15/2017
[    1.713073] RIP: 0033:0x7f4f8fd8240e
[    1.713083] Code: ff ff 0f 18 89 40 fe ff ff c5 fe 6f 01 c5 fe 6f 49 e0 c5 fe 6f 51 c0 c5 fe 6f 59 a0 48 81 e9 80 00 00 00 48 81 ea 80 00 00 00 <c4> c1 7d e7 01 c4 c1 7d e7 49 e0 c4 c1 7d e7 51 c0 c4 c1 7d e7 59
[    1.713129] RSP: 002b:00007fff9e3a6e68 EFLAGS: 00010202
[    1.713143] RAX: 00007f4f8eb17000 RBX: 00000000006454f0 RCX: 00007f4f8eb15f70
[    1.713161] RDX: 00000000007e8f80 RSI: 00007f4f8e32d010 RDI: 00007f4f8eb17000
[    1.713178] RBP: 00000000006454f0 R08: 0000000000000000 R09: 00007f4f8f2fffe0
[    1.713195] R10: 00007f4f8f2feff0 R11: 00007f4f8f2fffe0 R12: 00000000006455d0
[    1.713213] R13: 0000000000000780 R14: 00007f4f8db43010 R15: 0000000000000000
[    1.713231] FS:  00007f4f8faea740 GS:  0000000000000000
[    1.713245] Modules linked in:
[    1.713254] ---[ end trace a347200260b0a1b5 ]---
[    1.713269] RIP: 0033:0x7f4f8fd8240e
[    1.713284] Code: ff ff 0f 18 89 40 fe ff ff c5 fe 6f 01 c5 fe 6f 49 e0 c5 fe 6f 51 c0 c5 fe 6f 59 a0 48 81 e9 80 00 00 00 48 81 ea 80 00 00 00 <c4> c1 7d e7 01 c4 c1 7d e7 49 e0 c4 c1 7d e7 51 c0 c4 c1 7d e7 59
[    1.713328] RSP: 002b:00007fff9e3a6e68 EFLAGS: 00010202
[    1.713341] RAX: 00007f4f8eb17000 RBX: 00000000006454f0 RCX: 00007f4f8eb15f70
[    1.713358] RDX: 00000000007e8f80 RSI: 00007f4f8e32d010 RDI: 00007f4f8eb17000
[    1.713375] RBP: 00000000006454f0 R08: 0000000000000000 R09: 00007f4f8f2fffe0
[    1.713392] R10: 00007f4f8f2feff0 R11: 00007f4f8f2fffe0 R12: 00000000006455d0
[    1.713410] R13: 0000000000000780 R14: 00007f4f8db43010 R15: 0000000000000000
[    1.713428] FS:  00007f4f8faea740(0000) GS:ffffa35575b00000(0000) knlGS:0000000000000000
[    1.713448] CS:  0033 DS: 0000 ES: 0000 CR0: 0000000080050033

(full log with drm.debug=0xe attached)

Bisecting the kernel from 5.3.0 (good) to 5.4-rc1 (bad) identifies the first bad commit as:

drm/i915: Disregard drm_mode_config.fb_base[2]

Reverting this commit[2] stops the trace appearing with all kernels 5.4-rc1 through to 5.4-rc7, and ply-image now successfully displays the splash image.

I have tested drm-tip[3] and this also produces the same trace as 5.4-rc with the bad commit[2] is present.

This version of plymouth-lite[1] is working fine with all kernels prior to 5.4-rc1.

Is this a plymouth-lite issue, or a kernel 5.4 issue? 

Thanks.

1. http://sources.libreelec.tv/devel/plymouth-lite-0.6.0.tar.bz2
2. https://github.com/torvalds/linux/commit/5f889b9a61dd7069e61d0328bc514f0f508328c1
3. https://cgit.freedesktop.org/drm-tip/commit/?id=dd07789205270dd69eca30ef7d123b5d2322d7a8
Comment 1 freedesktop 2019-11-13 08:20:28 UTC 
Created attachment 145945 [details]
5.4-rc7 with bad commit reverted - no trace, png image appears
Comment 2 freedesktop 2019-11-13 08:21:11 UTC 
Created attachment 145946 [details]
drm-tip with corrupted page table
Comment 3 Chris Wilson 2019-11-13 17:20:52 UTC 
Try https://patchwork.freedesktop.org/series/69415/
Comment 4 Chris Wilson 2019-11-13 18:08:26 UTC 
(In reply to Chris Wilson from comment #3)
> Try https://patchwork.freedesktop.org/series/69415/

No, it's not the leak of the address that is the immediate issue, but that we are feeding garbage into fb_mmap() [drivers/video/fbdev/core/fbmem.c].

Updated patch at https://patchwork.freedesktop.org/patch/340663/?series=69416&rev=1

Watch this space for future revisions as we try again.
Comment 5 freedesktop 2019-11-13 18:36:07 UTC 
As expected, the patch in comment#3 had no obvious effect and the 5.4-rc7 kernel continues to complain about a corrupted page table.

However the patch in comment#4 is working a treat - the kernel trace is fixed, and the image is appearing.

If you push any further revisions please ping me on this bug and I'll re-test. 

If you decide to go with the patch in comment#4 then I'm happy for you to include my details as "tested by: Neil MacLeod" etc.

Many thanks for the fix!
Comment 6 Lakshmi 2019-11-15 11:10:37 UTC 
Patch drm/i915/fbdev: Restore physical addresses for fb_mmap() landed in drmtip. 
Closing this issue as fixed.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.