Re: panic in evo_wait

[Thomas Klausner <wiz%NetBSD.org@localhost>]

Hi Matt!

On Mon, Jul 18, 2022 at 01:53:49PM +1000, Matthew Green wrote:
> > [184218.xxx] warning: /usr/src/sys/external/bsd/drm2/dist/drm/nouveau/nvkm/engine/disp/nouveau_nvkm_engine_disp_headgf119.c:83: 1
> 
> can you patch this code to print the value of "data" here?
> it's probably a bad request for userland, but the BUG_ON()
> here does not give you any indication on _what_.

Ok, I'll use the attached diff for my next kernel.

> > [184218.xxx] uvm_fault(0xffffffff8191ba80, 0xffffb649e46a3000, 2) -> e
> > [184218.xxx] fatal page fault in supervisor mode
> > [184218.xxx] trap type 6 code 0x2 ...
> 
> this line's contents would have included the fault address,
> which is kinda useful for next time :-)

I've got the rip -- it's 0xffffffff8095e177.

> > [184218.xxx] curlpw 0xffffa8d4e6f36500 pid 27414.3207 lowest kstrack 0xffffb589296452c0
> > kernel: page fault trap, code=0
> > Stopped in pid 27414.3207 (mpv) at netbsd:evo_wait+0x7b: movl $0x20000
> > 000,0(%rdx,%rax,1)
> > evo_wait() at netbsd:evo_wait+0x7b
> > base507c_ntfy_set()
> > nv50_wndw_flush_set()
> > nv50_disp_atomic_commit_tail()
> > nv50_disp_atomic_commit()
> > drm_atomic_helper_set_config()
> > drm_mode_setcrtc()
> > drm_ioctl()
> 
> can you find out where evo_wait+0x7b is?  in my kernel it's
> at line 243, and the disasm seems to patch your "movl" above.
>
> 235 evo_wait(struct nv50_dmac *evoc, int nr)
> 236 {
> 237         struct nv50_dmac *dmac = evoc;
> 238         struct nvif_device *device = dmac->base.device;
> 239         u32 put = nvif_rd32(&dmac->base.user, 0x0000) / 4;
> 240
> 241         spin_lock(&dmac->lock);
> 242         if (put + nr >= (PAGE_SIZE / 4) - 8) {
> 243                 dmac->ptr[put] = 0x20000000;
> 244                 evo_flush(dmac);
> 
> Dump of assembler code for function evo_wait:
>    0xffffffff8084dfe1 <+0>:       push   %rbp
> [...]
>    0xffffffff8084e05c <+123>:     movl   $0x20000000,(%rdx,%rax,1)
> 
> (0x7b = 123)

exactly:

(gdb) 
241             spin_lock(&dmac->lock);
242             if (put + nr >= (PAGE_SIZE / 4) - 8) {
243                     dmac->ptr[put] = 0x20000000;
244                     evo_flush(dmac);
245
246                     nvif_wr32(&dmac->base.user, 0x0000, 0x00000000);
247                     if (nvif_msec(device, 2000,
248                             if (!nvif_rd32(&dmac->base.user, 0x0004))
249                                     break;
250                     ) < 0) {
(gdb) info line *(evo_wait+0x7b)
Line 243 of "/disk/6/archive/foreign/src/sys/external/bsd/drm2/dist/drm/nouveau/dispnv50/nouveau_dispnv50_disp.c" starts at address 0xffffffff8095e170 <evo_wait+116> and ends at 0xffffffff8095e17e <evo_wait+130>.

which also matches the rip:

(gdb) info line *(0xffffffff8095e177)
Line 243 of "/disk/6/archive/foreign/src/sys/external/bsd/drm2/dist/drm/nouveau/dispnv50/nouveau_dispnv50_disp.c" starts at address 0xffffffff8095e170 <evo_wait+116> and ends at 0xffffffff8095e17e <evo_wait+130>.

> probably "dmac->ptr" is invalid here.  a quick guess at the
> code indicates it's only set once in nv50_dmac_create(),
> the source from the caller(s).  at least, i can't see it
> set anywhere else right now.

 Thomas

Index: nouveau_nvkm_engine_disp_headgf119.c
===================================================================
RCS file: /cvsroot/src/sys/external/bsd/drm2/dist/drm/nouveau/nvkm/engine/disp/nouveau_nvkm_engine_disp_headgf119.c,v
retrieving revision 1.2
diff -u -r1.2 nouveau_nvkm_engine_disp_headgf119.c
--- nouveau_nvkm_engine_disp_headgf119.c	18 Dec 2021 23:45:35 -0000	1.2
+++ nouveau_nvkm_engine_disp_headgf119.c	18 Jul 2022 18:36:47 -0000
@@ -80,7 +80,7 @@
 	case 0: state->or.depth = 18; break; /*XXX: "default" */
 	default:
 		state->or.depth = 18;
-		WARN_ON(1);
+		WARN_ON(data);
 		break;
 	}
 }