kern/57402: null pointer dereference in i915_gem_busy_ioctl

[campbell+netbsd%mumble.net@localhost]

>Number:         57402
>Category:       kern
>Synopsis:       null pointer dereference in i915_gem_busy_ioctl
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri May 12 09:55:02 +0000 2023
>Originator:     Taylor R Campbell
>Release:        current
>Organization:
The NetBusy Faultdation
>Environment:
developing a global fever
>Description:
[ 2572521.561091] uvm_fault(0xffffd2c6273cfa08, 0x0, 1) -> e
[ 2572521.561091] fatal page fault in supervisor mode
[ 2572521.561091] trap type 6 code 0 rip 0xffffffff807b817d cs 0x8 rflags 0x13202 cr2 0x28 ilevel 0 rsp 0xffffa8909ee1fd20
[ 2572521.561091] curlwp 0xffffd2c61c51eb00 pid 1343.1343 lowest kstack 0xffffa8909ee1b2c0
[ 2572521.561091] panic: trap
[ 2572521.561091] cpu0: Begin traceback...
[ 2572521.562091] vpanic() at netbsd:vpanic+0x183
[ 2572521.564091] panic() at netbsd:panic+0x3c
[ 2572521.565091] trap() at netbsd:trap+0xb27
[ 2572521.565091] --- trap (number 6) ---
[ 2572521.566091] i915_gem_busy_ioctl() at netbsd:i915_gem_busy_ioctl+0x19b
[ 2572521.567091] drm_ioctl() at netbsd:drm_ioctl+0x23d
[ 2572521.569091] drm_ioctl_shim() at netbsd:drm_ioctl_shim+0x37
[ 2572521.570091] sys_ioctl() at netbsd:sys_ioctl+0x56d
[ 2572521.572091] syscall() at netbsd:syscall+0x196
[ 2572521.572091] --- syscall (number 54) ---
[ 2572521.573091] netbsd:syscall+0x196:
[ 2572521.573091] cpu0: End traceback...

[ 2572521.577095] dumping to dev 168,12 (offset=527151, size=16710810):


(gdb) bt
...
#4  0xffffffff8023c947 in trap (frame=0xffffa8909ee1fc30)
    at /home/riastradh/netbsd/current/src/sys/arch/amd64/amd64/trap.c:326
#5  0xffffffff802349c4 in alltraps ()
#6  0xffffffff807b817d in i915_gem_busy_ioctl (dev=<optimized out>,
    data=<optimized out>, file=<optimized out>)
    at /home/riastradh/netbsd/current/src/sys/external/bsd/drm2/dist/drm/i915/gem/i915_gem_busy.c:131
#7  0xffffffff80c4579f in drm_ioctl (fp=<optimized out>, cmd=<optimized out>,
    data=0xffffa8909ee1fee0)
    at /home/riastradh/netbsd/current/src/sys/external/bsd/drm2/dist/drm/drm_ioctl.c:978
#8  0xffffffff80c10fe6 in drm_ioctl_shim (fp=<optimized out>,
    cmd=<optimized out>, data=<optimized out>)
    at /home/riastradh/netbsd/current/src/sys/external/bsd/drm2/drm/drm_cdevsw.c:391
#9  0xffffffff80e38f15 in sys_ioctl (l=<optimized out>,
    uap=0xffffa8909ee20000, retval=<optimized out>)
    at /home/riastradh/netbsd/current/src/sys/kern/sys_generic.c:675
#10 0xffffffff805a540e in sy_call (rval=0xffffa8909ee1ffb0,
    uap=0xffffa8909ee20000, l=0xffffd2c61c51eb00,
    sy=0xffffffff818868d0 <sysent+1296>)
    at /home/riastradh/netbsd/current/src/sys/sys/syscallvar.h:65
#11 sy_invoke (code=54, rval=0xffffa8909ee1ffb0, uap=0xffffa8909ee20000,
    l=0xffffd2c61c51eb00, sy=0xffffffff818868d0 <sysent+1296>)
    at /home/riastradh/netbsd/current/src/sys/sys/syscallvar.h:94
#12 syscall (frame=0xffffa8909ee20000)
    at /home/riastradh/netbsd/current/src/sys/arch/x86/x86/syscall.c:138
#13 0xffffffff8021025d in handle_syscall ()
(gdb) x/i 0xffffffff807b817d
   0xffffffff807b817d <i915_gem_busy_ioctl+411>:        
    cmpq   $0xffffffff81271ee0,0x28(%r12)
(gdb) info line *(0xffffffff807b817d)
Line 304 of "/home/riastradh/netbsd/current/src/sys/external/bsd/drm2/dist/drm/i915/i915_request.h"
   starts at address 0xffffffff807b817d <i915_gem_busy_ioctl+411>
   and ends at 0xffffffff807b8190 <i915_gem_busy_ioctl+430>.
(gdb) print $r12
$1 = 0
>How-To-Repeat:
no idea
>Fix:
if (read_seqcount_retry(&obj->base.resv->seq, seq))
        goto retry;