#include #include #include #include #include #include #include #include #include #include #include "elfconfig.h" /* On BSD-alike OSes elf.h defines these according to host's word size */ #undef ELF_ST_BIND #undef ELF_ST_TYPE #undef ELF_R_SYM #undef ELF_R_TYPE #if KERNEL_ELFCLASS == ELFCLASS32 #define Elf_Ehdr Elf32_Ehdr #define Elf_Shdr Elf32_Shdr #define Elf_Sym Elf32_Sym #define Elf_Addr Elf32_Addr #define Elf_Sword Elf64_Sword #define Elf_Section Elf32_Half #define ELF_ST_BIND ELF32_ST_BIND #define ELF_ST_TYPE ELF32_ST_TYPE #define Elf_Rel Elf32_Rel #define Elf_Rela Elf32_Rela #define ELF_R_SYM ELF32_R_SYM #define ELF_R_TYPE ELF32_R_TYPE #else #define Elf_Ehdr Elf64_Ehdr #define Elf_Shdr Elf64_Shdr #define Elf_Sym Elf64_Sym #define Elf_Addr Elf64_Addr #define Elf_Sword Elf64_Sxword #define Elf_Section Elf64_Half #define ELF_ST_BIND ELF64_ST_BIND #define ELF_ST_TYPE ELF64_ST_TYPE #define Elf_Rel Elf64_Rel #define Elf_Rela Elf64_Rela #define ELF_R_SYM ELF64_R_SYM #define ELF_R_TYPE ELF64_R_TYPE #endif /* The 64-bit MIPS ELF ABI uses an unusual reloc format. */ typedef struct { Elf32_Word r_sym; /* Symbol index */ unsigned char r_ssym; /* Special symbol for 2nd relocation */ unsigned char r_type3; /* 3rd relocation type */ unsigned char r_type2; /* 2nd relocation type */ unsigned char r_type1; /* 1st relocation type */ } _Elf64_Mips_R_Info; typedef union { Elf64_Xword r_info_number; _Elf64_Mips_R_Info r_info_fields; } _Elf64_Mips_R_Info_union; #define ELF64_MIPS_R_SYM(i) \ ((__extension__ (_Elf64_Mips_R_Info_union)(i)).r_info_fields.r_sym) #define ELF64_MIPS_R_TYPE(i) \ ((__extension__ (_Elf64_Mips_R_Info_union)(i)).r_info_fields.r_type1) #if KERNEL_ELFDATA != HOST_ELFDATA static inline void __endian(const void *src, void *dest, unsigned int size) { unsigned int i; for (i = 0; i < size; i++) ((unsigned char*)dest)[i] = ((unsigned char*)src)[size - i-1]; } #define TO_NATIVE(x) \ ({ \ typeof(x) __x; \ __endian(&(x), &(__x), sizeof(__x)); \ __x; \ }) #else /* endianness matches */ #define TO_NATIVE(x) (x) #endif #define NOFAIL(ptr) do_nofail((ptr), #ptr) void *do_nofail(void *ptr, const char *expr); struct buffer { char *p; int pos; int size; }; void __attribute__((format(printf, 2, 3))) buf_printf(struct buffer *buf, const char *fmt, ...); void buf_write(struct buffer *buf, const char *s, int len); struct module { struct module *next; const char *name; int gpl_compatible; struct symbol *unres; int seen; int skip; int has_init; int has_cleanup; struct buffer dev_table_buf; char srcversion[25]; int is_dot_o; }; struct elf_info { unsigned long size; Elf_Ehdr *hdr; Elf_Shdr *sechdrs; Elf_Sym *symtab_start; Elf_Sym *symtab_stop; Elf_Section export_sec; Elf_Section export_unused_sec; Elf_Section export_gpl_sec; Elf_Section export_unused_gpl_sec; Elf_Section export_gpl_future_sec; char *strtab; char *modinfo; unsigned int modinfo_len; /* support for 32bit section numbers */ unsigned int num_sections; /* max_secindex + 1 */ unsigned int secindex_strings; /* if Nth symbol table entry has .st_shndx = SHN_XINDEX, * take shndx from symtab_shndx_start[N] instead */ Elf32_Word *symtab_shndx_start; Elf32_Word *symtab_shndx_stop; }; static inline int is_shndx_special(unsigned int i) { return i != SHN_XINDEX && i >= SHN_LORESERVE && i <= SHN_HIRESERVE; } /* * Move reserved section indices SHN_LORESERVE..SHN_HIRESERVE out of * the way to -256..-1, to avoid conflicting with real section * indices. */ #define SPECIAL(i) ((i) - (SHN_HIRESERVE + 1)) /* Accessor for sym->st_shndx, hides ugliness of "64k sections" */ static inline unsigned int get_secindex(const struct elf_info *info, const Elf_Sym *sym) { if (is_shndx_special(sym->st_shndx)) return SPECIAL(sym->st_shndx); if (sym->st_shndx != SHN_XINDEX) return sym->st_shndx; return info->symtab_shndx_start[sym - info->symtab_start]; } /* file2alias.c */ extern unsigned int cross_build; void handle_moddevtable(struct module *mod, struct elf_info *info, Elf_Sym *sym, const char *symname); void add_moddevtable(struct buffer *buf, struct module *mod); /* sumversion.c */ void maybe_frob_rcs_version(const char *modfilename, char *version, void *modinfo, unsigned long modinfo_offset); void get_src_version(const char *modname, char sum[], unsigned sumlen); /* from modpost.c */ void *grab_file(const char *filename, unsigned long *size); char* get_next_line(unsigned long *pos, void *file, unsigned long size); void release_file(void *file, unsigned long size); void fatal(const char *fmt, ...); void warn(const char *fmt, ...); void merror(const char *fmt, ...); it/commit/net/wireless/rdev-ops.h?id=39cb2c9a316e77f6dfba96c543e55b6672d5a37e'>39cb2c9a316e77f6dfba96c543e55b6672d5a37e (patch) tree98fe974ee4e20121253de7f61fc8d01bdb3821c1 /net/wireless/rdev-ops.h parent2c5d9555d6d937966d79d4c6529a5f7b9206e405 (diff)
drm/i915: Check for NULL i915_vma in intel_unpin_fb_obj()
I've seen this trigger twice now, where the i915_gem_object_to_ggtt() call in intel_unpin_fb_obj() returns NULL, resulting in an oops immediately afterwards as the (inlined) call to i915_vma_unpin_fence() tries to dereference it. It seems to be some race condition where the object is going away at shutdown time, since both times happened when shutting down the X server. The call chains were different: - VT ioctl(KDSETMODE, KD_TEXT): intel_cleanup_plane_fb+0x5b/0xa0 [i915] drm_atomic_helper_cleanup_planes+0x6f/0x90 [drm_kms_helper] intel_atomic_commit_tail+0x749/0xfe0 [i915] intel_atomic_commit+0x3cb/0x4f0 [i915] drm_atomic_commit+0x4b/0x50 [drm] restore_fbdev_mode+0x14c/0x2a0 [drm_kms_helper] drm_fb_helper_restore_fbdev_mode_unlocked+0x34/0x80 [drm_kms_helper] drm_fb_helper_set_par+0x2d/0x60 [drm_kms_helper] intel_fbdev_set_par+0x18/0x70 [i915] fb_set_var+0x236/0x460 fbcon_blank+0x30f/0x350 do_unblank_screen+0xd2/0x1a0 vt_ioctl+0x507/0x12a0 tty_ioctl+0x355/0xc30 do_vfs_ioctl+0xa3/0x5e0 SyS_ioctl+0x79/0x90 entry_SYSCALL_64_fastpath+0x13/0x94 - i915 unpin_work workqueue: intel_unpin_work_fn+0x58/0x140 [i915] process_one_work+0x1f1/0x480 worker_thread+0x48/0x4d0 kthread+0x101/0x140 and this patch purely papers over the issue by adding a NULL pointer check and a WARN_ON_ONCE() to avoid the oops that would then generally make the machine unresponsive. Other callers of i915_gem_object_to_ggtt() seem to also check for the returned pointer being NULL and warn about it, so this clearly has happened before in other places. [ Reported it originally to the i915 developers on Jan 8, applying the ugly workaround on my own now after triggering the problem for the second time with no feedback. This is likely to be the same bug reported as https://bugs.freedesktop.org/show_bug.cgi?id=98829 https://bugs.freedesktop.org/show_bug.cgi?id=99134 which has a patch for the underlying problem, but it hasn't gotten to me, so I'm applying the workaround. ] Cc: Daniel Vetter <daniel.vetter@intel.com> Cc: Jani Nikula <jani.nikula@linux.intel.com> Cc: Ville Syrjälä <ville.syrjala@linux.intel.com> Cc: Chris Wilson <chris@chris-wilson.co.uk> Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com> Cc: Imre Deak <imre.deak@intel.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'net/wireless/rdev-ops.h')