Bug 112403

Summary: [CI][SHARDS]igt@gem_pwrite@big-gtt-forwards - dmesg-warn - BUG: Bad page state in process gem_pwrite pfn:490e01
Product: DRI
Reporter: Lakshmi <lakshminarayana.vudum>
Component: DRM/Intel
Assignee: Intel GFX Bugs mailing list <intel-gfx-bugs>
Status: RESOLVED MOVED
QA Contact: Intel GFX Bugs mailing list <intel-gfx-bugs>
Severity: not set
Priority: not set
CC: intel-gfx-bugs
Version: DRI git
Hardware: Other
OS: All
Whiteboard:
i915 platform: ICL
i915 features: GEM/Other

Description Lakshmi 2019-11-27 08:30:07 UTC
https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7421/shard-iclb7/igt@gem_pwrite@big-gtt-forwards.html

<6> [293.416373] Console: switching to colour dummy device 80x25
<6> [293.416415] [IGT] gem_pwrite: executing
<6> [293.422062] [IGT] gem_pwrite: starting subtest big-gtt-forwards
<1> [293.500752] BUG: Bad page state in process gem_pwrite  pfn:490e01
<4> [293.500894] page:ffffea0012438040 refcount:0 mapcount:-65280 mapping:0000000000000000 index:0x0
<4> [293.500896] raw: 8000000000000000 dead000000000100 dead000000000122 0000000000000000
<4> [293.500898] raw: 0000000000000000 0000000000000000 00000000ffff00ff 0000000000000000
<4> [293.500899] page dumped because: nonzero mapcount
<4> [293.500900] Modules linked in: snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic i915 mei_hdcp x86_pkg_temp_thermal coretemp crct10dif_pclmul crc32_pclmul snd_hda_intel snd_intel_dspcfg snd_hda_codec cdc_ether ghash_clmulni_intel snd_hwdep usbnet snd_hda_core mii e1000e snd_pcm ptp pps_core mei_me mei intel_lpss_pci thunderbolt prime_numbers
<4> [293.500913] CPU: 2 PID: 1281 Comm: gem_pwrite Tainted: G     U            5.4.0-rc8-CI-CI_DRM_7421+ #1
<4> [293.500914] Hardware name: Intel Corporation Ice Lake Client Platform/IceLake U DDR4 SODIMM PD RVP, BIOS ICLSFWR1.R00.3234.A01.1906141750 06/14/2019
<4> [293.500915] Call Trace:
<4> [293.500920]  dump_stack+0x71/0x9b
<4> [293.500923]  bad_page+0xc2/0x120
<4> [293.500926]  get_page_from_freelist+0xf9b/0x13e0
<4> [293.500936]  __alloc_pages_nodemask+0x12a/0x330
<4> [293.500940]  __get_free_pages+0xc/0x40
<4> [293.500942]  __sg_alloc_table+0x75/0x160
<4> [293.500984]  ? i915_gem_object_set_to_cpu_domain+0xc1/0x150 [i915]
<4> [293.500987]  sg_alloc_table+0x1f/0x50
<4> [293.500989]  ? sg_pcopy_to_buffer+0x10/0x10
<4> [293.501022]  shmem_get_pages+0xf5/0x710 [i915]
<4> [293.501027]  ? __mutex_lock+0x9a/0x9d0
<4> [293.501029]  ? __mutex_lock+0x396/0x9d0
<4> [293.501062]  ? __i915_gem_object_get_pages+0x1b/0xd0 [i915]
<4> [293.501066]  ? find_held_lock+0x2d/0x90
<4> [293.501096]  ? i915_gem_object_set_to_cpu_domain+0xc1/0x150 [i915]
<4> [293.501127]  ____i915_gem_object_get_pages+0x21/0xb0 [i915]
<4> [293.501157]  __i915_gem_object_get_pages+0x5c/0xd0 [i915]
<4> [293.501188]  i915_gem_set_domain_ioctl+0x376/0x4e0 [i915]
<4> [293.501219]  ? i915_gem_object_set_to_cpu_domain+0x150/0x150 [i915]
<4> [293.501223]  drm_ioctl_kernel+0xa7/0xf0
<4> [293.501227]  drm_ioctl+0x2e1/0x390
<4> [293.501257]  ? i915_gem_object_set_to_cpu_domain+0x150/0x150 [i915]
<4> [293.501262]  ? __lock_acquire+0x460/0x15d0
<4> [293.501267]  do_vfs_ioctl+0xa0/0x6f0
<4> [293.501269]  ? find_held_lock+0x2d/0x90
<4> [293.501272]  ? __task_pid_nr_ns+0xbc/0x1f0
<4> [293.501276]  ksys_ioctl+0x35/0x60
<4> [293.501279]  __x64_sys_ioctl+0x11/0x20
<4> [293.501281]  do_syscall_64+0x4f/0x210
<4> [293.501284]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
<4> [293.501286] RIP: 0033:0x7f01655175d7
<4> [293.501288] Code: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 f7 d8 64 89 01 48
<4> [293.501289] RSP: 002b:00007ffc42ce7cb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
<4> [293.501291] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007f01655175d7
<4> [293.501293] RDX: 00007ffc42ce7cfc RSI: 00000000400c645f RDI: 0000000000000005
<4> [293.501294] RBP: 00007ffc42ce7cfc R08: 0000000000000000 R09: 000000000000002b
<4> [293.501295] R10: 0000000000000056 R11: 0000000000000246 R12: 00000000400c645f
<4> [293.501296] R13: 0000000000000005 R14: 0000000100001000 R15: 0000000000000000
<4> [293.501303] Disabling lock debugging due to kernel taint
<1> [293.501379] BUG: Bad page state in process gem_pwrite  pfn:490e03
<4> [293.501387] page:ffffea00124380c0 refcount:0 mapcount:-65280 mapping:0000000000000000 index:0x0
<4> [293.501390] raw: 8000000000000000 dead000000000100 dead000000000122 0000000000000000
<4> [293.501392] raw: 0000000000000000 0000000000000000 00000000ffff00ff 0000000000000000
<4> [293.501393] page dumped because: nonzero mapcount
<4> [293.501395] Modules linked in: snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic i915 mei_hdcp x86_pkg_temp_thermal coretemp crct10dif_pclmul crc32_pclmul snd_hda_intel snd_intel_dspcfg snd_hda_codec cdc_ether ghash_clmulni_intel snd_hwdep usbnet snd_hda_core mii e1000e snd_pcm ptp pps_core mei_me mei intel_lpss_pci thunderbolt prime_numbers
<4> [293.501406] CPU: 2 PID: 1281 Comm: gem_pwrite Tainted: G    BU            5.4.0-rc8-CI-CI_DRM_7421+ #1
<4> [293.501407] Hardware name: Intel Corporation Ice Lake Client Platform/IceLake U DDR4 SODIMM PD RVP, BIOS ICLSFWR1.R00.3234.A01.1906141750 06/14/2019
<4> [293.501407] Call Trace:
<4> [293.501410]  dump_stack+0x71/0x9b
<4> [293.501413]  bad_page+0xc2/0x120
<4> [293.501415]  get_page_from_freelist+0xf9b/0x13e0
<4> [293.501421]  __alloc_pages_nodemask+0x12a/0x330
<4> [293.501425]  __get_free_pages+0xc/0x40
<4> [293.501427]  __sg_alloc_table+0x75/0x160
<4> [293.501481]  ? i915_gem_object_set_to_cpu_domain+0xc1/0x150 [i915]
<4> [293.501486]  sg_alloc_table+0x1f/0x50
<4> [293.501488]  ? sg_pcopy_to_buffer+0x10/0x10
<4> [293.501524]  shmem_get_pages+0xf5/0x710 [i915]
<4> [293.501528]  ? __mutex_lock+0x9a/0x9d0
<4> [293.501530]  ? __mutex_lock+0x396/0x9d0
<4> [293.501566]  ? __i915_gem_object_get_pages+0x1b/0xd0 [i915]
<4> [293.501569]  ? find_held_lock+0x2d/0x90
<4> [293.501602]  ? i915_gem_object_set_to_cpu_domain+0xc1/0x150 [i915]
<4> [293.501635]  ____i915_gem_object_get_pages+0x21/0xb0 [i915]
<4> [293.501664]  __i915_gem_object_get_pages+0x5c/0xd0 [i915]
<4> [293.501692]  i915_gem_set_domain_ioctl+0x376/0x4e0 [i915]
<4> [293.501719]  ? i915_gem_object_set_to_cpu_domain+0x150/0x150 [i915]
<4> [293.501721]  drm_ioctl_kernel+0xa7/0xf0
<4> [293.501724]  drm_ioctl+0x2e1/0x390
<4> [293.501770]  ? i915_gem_object_set_to_cpu_domain+0x150/0x150 [i915]
<4> [293.501773]  ? __lock_acquire+0x460/0x15d0
<4> [293.501776]  do_vfs_ioctl+0xa0/0x6f0
<4> [293.501777]  ? find_held_lock+0x2d/0x90
<4> [293.501779]  ? __task_pid_nr_ns+0xbc/0x1f0
<4> [293.501781]  ksys_ioctl+0x35/0x60
<4> [293.501783]  __x64_sys_ioctl+0x11/0x20
<4> [293.501784]  do_syscall_64+0x4f/0x210
<4> [293.501786]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
<4> [293.501787] RIP: 0033:0x7f01655175d7
<4> [293.501788] Code: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 f7 d8 64 89 01 48
<4> [293.501789] RSP: 002b:00007ffc42ce7cb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
<4> [293.501790] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007f01655175d7
<4> [293.501791] RDX: 00007ffc42ce7cfc RSI: 00000000400c645f RDI: 0000000000000005
<4> [293.501791] RBP: 00007ffc42ce7cfc R08: 0000000000000000 R09: 000000000000002b
<4> [293.501792] R10: 0000000000000056 R11: 0000000000000246 R12: 00000000400c645f
<4> [293.501793] R13: 0000000000000005 R14: 0000000100001000 R15: 0000000000000000
<7> [296.119424] [drm:edp_panel_vdd_off_sync [i915]] Turning [ENCODER:214:DDI A] VDD off
<7> [296.119651] [drm:edp_panel_vdd_off_sync [i915]] PP_STATUS: 0x80000008 PP_CONTROL: 0x00000067
<7> [296.119686] [drm:intel_power_well_disable [i915]] disabling DC off
<7> [296.119724] [drm:skl_enable_dc6 [i915]] Enabling DC6
<7> [296.119757] [drm:gen9_set_dc_state [i915]] Setting DC state from 00 to 02
<6> [301.563665] [IGT] gem_pwrite: exiting, ret=0
<5> [301.563869] Setting dangerous option reset - tainting kernel
<6> [301.805824] Console: switching to colour frame buffer device 240x67

Comment 1 CI Bug Log 2019-11-27 08:31:48 UTC
The CI Bug Log issue associated to this bug has been updated.

### New filters associated

* ICL: igt@gem_pwrite@big-gtt-forwards - dmesg-warn - BUG: Bad page state in process gem_pwrite  pfn:490e01
  - https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_7421/shard-iclb7/igt@gem_pwrite@big-gtt-forwards.html

Comment 2 Chris Wilson 2019-11-27 09:00:04 UTC
Use-after-free in the page list???? Disturbing.

Comment 3 Martin Peres 2019-11-29 19:52:43 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/drm/intel/issues/651.
