amdgpu_cs_ioctl kernel null pointer when receiving v3d ioctl
When issuing v3d ioctls to the amdgpu driver, the kernel has a NULL pointer fault:
[clever@amd-nixos:~]$ V3D_DEBUG=help MESA_LOADER_DRIVER_OVERRIDE=v3d glxinfo
name of display: :0.0
Killed
[172536.665184] BUG: kernel NULL pointer dereference, address: 00000000000001d8
[172536.665188] #PF: supervisor read access in kernel mode
[172536.665189] #PF: error_code(0x0000) - not-present page
[172536.665191] PGD 6712a0067 P4D 6712a0067 PUD 5af9ff067 PMD 0
[172536.665195] Oops: 0000 [#1] SMP NOPTI
[172536.665197] CPU: 7 PID: 2769838 Comm: glxinfo Tainted: P O 5.10.81 #1-NixOS
[172536.665199] Hardware name: To be filled by O.E.M. To be filled by O.E.M./CROSSHAIR V FORMULA-Z, BIOS 2201 03/23/2015
[172536.665272] RIP: 0010:amdgpu_cs_ioctl+0x96/0x1ce0 [amdgpu]
[172536.665274] Code: 75 18 00 00 4c 8b b2 88 00 00 00 8b 46 08 48 89 54 24 68 49 89 f7 4c 89 5c 24 60 31 d2 4c 89 74 24 30 85 c0 0f 85 c0 01 00 00 <48> 83 ba d8 01 00 00 00 48 8b b4 24 90 00 00 00 74 16 48 8b 46 10
[172536.665276] RSP: 0018:ffffb47c0e81bbe0 EFLAGS: 00010246
[172536.665277] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[172536.665278] RDX: 0000000000000000 RSI: ffffb47c0e81be28 RDI: ffffb47c0e81bd68
[172536.665279] RBP: ffff936524080010 R08: 0000000000000000 R09: ffffb47c0e81be38
[172536.665281] R10: ffff936524080010 R11: ffff936524080000 R12: ffffb47c0e81bc40
[172536.665282] R13: ffffb47c0e81be28 R14: ffff9367bc410000 R15: ffffb47c0e81be28
[172536.665283] FS: 00007fe35e05d740(0000) GS:ffff936c1edc0000(0000) knlGS:0000000000000000
[172536.665284] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[172536.665286] CR2: 00000000000001d8 CR3: 0000000532e46000 CR4: 00000000000406e0
[172536.665287] Call Trace:
[172536.665322] ? amdgpu_cs_find_mapping+0x110/0x110 [amdgpu]
[172536.665332] drm_ioctl_kernel+0xaa/0xf0 [drm]
[172536.665338] drm_ioctl+0x201/0x3b0 [drm]
[172536.665369] ? amdgpu_cs_find_mapping+0x110/0x110 [amdgpu]
[172536.665372] ? selinux_file_ioctl+0x135/0x230
[172536.665399] amdgpu_drm_ioctl+0x49/0x80 [amdgpu]
[172536.665403] __x64_sys_ioctl+0x83/0xb0
[172536.665406] do_syscall_64+0x33/0x40
[172536.665409] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[172536.665411] RIP: 0033:0x7fe35e151b77
[172536.665412] Code: ff ff 48 89 d8 5b 5d 41 5c c3 66 0f 1f 84 00 00 00 00 00 48 89 e8 48 f7 d8 48 39 c3 0f 92 c0 eb c9 66 90 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d d1 72 0c 00 f7 d8 64 89 01 48
[172536.665413] RSP: 002b:00007ffdee376c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[172536.665415] RAX: ffffffffffffffda RBX: 00007ffdee376ca0 RCX: 00007fe35e151b77
[172536.665416] RDX: 00007ffdee376ca0 RSI: 00000000c0106444 RDI: 0000000000000006
[172536.665417] RBP: 00000000c0106444 R08: 0000000000c88150 R09: 0000000000b81010
[172536.665418] R10: 00007fe35e219a00 R11: 0000000000000246 R12: 0000000000000006
[172536.665419] R13: 0000000000000006 R14: 0000000000c864e4 R15: 00007fe35d4b7859
[172536.665423] Modules linked in: ftdi_sio usbserial rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace nfs_ssc fscache xfs iscsi_tcp libiscsi_tcp libiscsi xt_conntrack nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack_netlink nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xfrm_user xfrm_algo nft_counter xt_addrtype nft_compat nf_tables libcrc32c nfnetlink br_netfilter wireguard curve25519_x86_64 libchacha20poly1305 chacha_x86_64 poly1305_x86_64 libblake2s blake2s_x86_64 ip6_udp_tunnel udp_tunnel libcurve25519_generic libchacha libblake2s_generic af_packet cfg80211 8021q scsi_transport_iscsi sunrpc ext4 crc32c_generic crc16 mbcache jbd2 amdgpu edac_mce_amd edac_core iommu_v2 gpu_sched eeepc_wmi kvm_amd kvm asus_wmi battery sparse_keymap rfkill snd_hda_codec_realtek irqbypass crc32_pclmul ghash_clmulni_intel snd_hda_codec_generic video wmi_bmof mxm_wmi radeon ledtrig_audio snd_hda_intel snd_intel_dspcfg snd_usb_audio aesni_intel libaes crypto_simd cryptd glue_helper snd_hda_codec
[172536.665471] snd_usbmidi_lib snd_rawmidi fam15h_power snd_seq_device ttm snd_hda_core mc k10temp snd_hwdep sp5100_tco xpad input_leds watchdog ff_memless sch_fq_codel led_class i2c_piix4 e1000e drm_kms_helper snd_pcm joydev snd_timer i2c_algo_bit mousedev fb_sys_fops evdev atkbd snd mac_hid syscopyarea libps2 serio sysfillrect ptp soundcore sysimgblt pps_core wmi tiny_power_button button loop tun tap drm macvlan veth bridge stp llc agpgart backlight fuse i2c_core pstore configfs ip_tables x_tables autofs4 hid_generic usbhid hid sr_mod cdrom sd_mod ohci_pci xhci_pci xhci_pci_renesas xhci_hcd nvme ahci ohci_hcd ehci_pci libahci ehci_hcd crc32c_intel nvme_core libata t10_pi crc_t10dif usbcore crct10dif_generic scsi_mod crct10dif_pclmul crct10dif_common usb_common rtc_cmos dm_mod zfs(PO) zunicode(PO) zzstd(O) zlua(O) zavl(PO) icp(PO) zcommon(PO) znvpair(PO) spl(O)
[172536.665526] CR2: 00000000000001d8
[172536.665528] ---[ end trace 7c4392aab817f4b5 ]---
[172536.665558] RIP: 0010:amdgpu_cs_ioctl+0x96/0x1ce0 [amdgpu]
[172536.665560] Code: 75 18 00 00 4c 8b b2 88 00 00 00 8b 46 08 48 89 54 24 68 49 89 f7 4c 89 5c 24 60 31 d2 4c 89 74 24 30 85 c0 0f 85 c0 01 00 00 <48> 83 ba d8 01 00 00 00 48 8b b4 24 90 00 00 00 74 16 48 8b 46 10
[172536.665561] RSP: 0018:ffffb47c0e81bbe0 EFLAGS: 00010246
[172536.665562] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[172536.665563] RDX: 0000000000000000 RSI: ffffb47c0e81be28 RDI: ffffb47c0e81bd68
[172536.665564] RBP: ffff936524080010 R08: 0000000000000000 R09: ffffb47c0e81be38
[172536.665565] R10: ffff936524080010 R11: ffff936524080000 R12: ffffb47c0e81bc40
[172536.665566] R13: ffffb47c0e81be28 R14: ffff9367bc410000 R15: ffffb47c0e81be28
[172536.665568] FS: 00007fe35e05d740(0000) GS:ffff936c1edc0000(0000) knlGS:0000000000000000
[172536.665594] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[172536.665595] CR2: 00000000000001d8 CR3: 0000000532e46000 CR4: 00000000000406e0
Some extra info I found in the source:
#define DRM_V3D_GET_PARAM 0x04
#define DRM_IOCTL_V3D_GET_PARAM DRM_IOWR(DRM_COMMAND_BASE + DRM_V3D_GET_PARAM, struct drm_v3d_get_param)
#define DRM_AMDGPU_CS 0x04
#define DRM_IOCTL_AMDGPU_CS DRM_IOWR(DRM_COMMAND_BASE + DRM_AMDGPU_CS, union drm_amdgpu_cs)
and strace does confirm it was sending a DRM_V3D_GET_PARAM.
@airlied was also able to reproduce it on a 5.17.5 kernel.
https://ext.earthtools.ca/private/rpi/full-dump.txt contains the complete objdump -d of amdgpu.ko
for matching the backtrace up to, but I can't locate my kernel's debug info.
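The collision the report describes, as an added userspace C example (not code from the report, the kernel tree or Mesa): it re-derives the two ioctl encodings from the definitions quoted above, checks that the 0xc0106444 in RSI in the trace is DRM_IOCTL_V3D_GET_PARAM, shows that the DRM core selects the driver handler by command number only, and shows which fields of union drm_amdgpu_cs the bytes of a v3d GET_PARAM request land in. The struct layouts are the ones in the DRM uapi headers and the encoding is the asm-generic _IOC layout used on x86; drm_marshal() is a simplified model of the copy drm_ioctl() performs, and cs_validate() is a hypothetical handler-side check of my own, not amdgpu's code.

```c
/* Added example: not code from the bug report, the kernel tree or Mesa.
 * Models the ioctl-number collision between DRM_IOCTL_V3D_GET_PARAM and
 * DRM_IOCTL_AMDGPU_CS and what the amdgpu handler sees as a result. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* asm-generic/ioctl.h layout: [31:30] dir, [29:16] size, [15:8] type, [7:0] nr */
#define IOC_WRITE 1u
#define IOC_READ  2u
static unsigned long ioc_encode(unsigned dir, unsigned type, unsigned nr, unsigned size)
{
    return ((unsigned long)dir << 30) | ((unsigned long)size << 16) | (type << 8) | nr;
}
static unsigned ioc_nr(unsigned long cmd)   { return cmd & 0xff; }
static unsigned ioc_size(unsigned long cmd) { return (cmd >> 16) & 0x3fff; }

#define DRM_IOCTL_BASE   'd'
#define DRM_COMMAND_BASE 0x40
#define DRM_IOWR(nr, type) ioc_encode(IOC_READ | IOC_WRITE, DRM_IOCTL_BASE, (nr), sizeof(type))

/* uapi layouts (drm/v3d_drm.h and drm/amdgpu_drm.h) */
struct drm_v3d_get_param { uint32_t param; uint32_t pad; uint64_t value; };
struct drm_amdgpu_cs_in  { uint32_t ctx_id; uint32_t bo_list_handle; uint32_t num_chunks; uint32_t flags; uint64_t chunks; };
struct drm_amdgpu_cs_out { uint64_t handle; };
union  drm_amdgpu_cs     { struct drm_amdgpu_cs_in in; struct drm_amdgpu_cs_out out; };

/* The two definitions quoted in the report: same command number, different payload. */
#define DRM_V3D_GET_PARAM 0x04
#define DRM_AMDGPU_CS     0x04
#define DRM_IOCTL_V3D_GET_PARAM DRM_IOWR(DRM_COMMAND_BASE + DRM_V3D_GET_PARAM, struct drm_v3d_get_param)
#define DRM_IOCTL_AMDGPU_CS     DRM_IOWR(DRM_COMMAND_BASE + DRM_AMDGPU_CS, union drm_amdgpu_cs)

/* drm_ioctl() indexes the driver's ioctl table by command number only; the
 * size field of the caller's cmd is not matched against the table entry. */
unsigned drm_driver_ioctl_index(unsigned long cmd)
{
    return ioc_nr(cmd) - DRM_COMMAND_BASE;
}

/* Simplified model of drm_ioctl()'s copy for driver ioctls: copy the caller's
 * _IOC_SIZE bytes and zero the rest of the handler's structure.
 * kdata must be at least ioc_size(drv_cmd) bytes. */
void drm_marshal(unsigned long user_cmd, const void *user_arg, unsigned long drv_cmd, void *kdata)
{
    unsigned usize = ioc_size(user_cmd), ksize = ioc_size(drv_cmd);
    if (usize > ksize) usize = ksize;          /* buffer here is only ksize bytes */
    memcpy(kdata, user_arg, usize);
    if (ksize > usize) memset((char *)kdata + usize, 0, ksize - usize);
}

/* What amdgpu_cs_ioctl sees when the caller meant DRM_IOCTL_V3D_GET_PARAM:
 * 'param' lands in ctx_id, 'pad' in bo_list_handle, and the zeroed
 * output-only 'value' covers num_chunks and flags; chunks is zero-filled. */
union drm_amdgpu_cs v3d_get_param_as_seen_by_amdgpu_cs(uint32_t param)
{
    struct drm_v3d_get_param req = { .param = param, .pad = 0, .value = 0 };
    union drm_amdgpu_cs cs;
    drm_marshal(DRM_IOCTL_V3D_GET_PARAM, &req, DRM_IOCTL_AMDGPU_CS, &cs);
    return cs;
}

/* Hypothetical handler-side check (not amdgpu's code): reject a command
 * submission with no chunks, or no chunk pointer, before any per-context
 * state is touched, so a mis-routed request fails cleanly with an errno. */
int cs_validate(const union drm_amdgpu_cs *cs)
{
    if (cs->in.num_chunks == 0)
        return -EINVAL;
    if (cs->in.chunks == 0)
        return -EFAULT;                         /* nowhere to read chunk descriptors from */
    return 0;
}

int main(void)
{
    union drm_amdgpu_cs cs = v3d_get_param_as_seen_by_amdgpu_cs(0);
    printf("DRM_IOCTL_V3D_GET_PARAM = 0x%lx (nr 0x%x, size %u)\n",
           DRM_IOCTL_V3D_GET_PARAM, ioc_nr(DRM_IOCTL_V3D_GET_PARAM), ioc_size(DRM_IOCTL_V3D_GET_PARAM));
    printf("DRM_IOCTL_AMDGPU_CS     = 0x%lx (nr 0x%x, size %u)\n",
           DRM_IOCTL_AMDGPU_CS, ioc_nr(DRM_IOCTL_AMDGPU_CS), ioc_size(DRM_IOCTL_AMDGPU_CS));
    printf("both map to driver ioctl index %u\n", drm_driver_ioctl_index(DRM_IOCTL_V3D_GET_PARAM));
    printf("seen by amdgpu_cs: ctx_id=%u bo_list_handle=%u num_chunks=%u chunks=0x%llx -> validate=%d\n",
           cs.in.ctx_id, cs.in.bo_list_handle, cs.in.num_chunks,
           (unsigned long long)cs.in.chunks, cs_validate(&cs));
    return 0;
}
```

The first encoded value is exactly the 0xc0106444 in RSI in the trace, so the request was a 16-byte DRM_IOWR with command number 0x44, which the amdgpu ioctl table resolves to entry 4, amdgpu_cs_ioctl, and the handler receives a union drm_amdgpu_cs whose num_chunks field is zero.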