igt@i915_selftest@live@ subtests - abort - general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6dbf
A CI Bug Log filter associated to this bug has been updated by tillipix.
Description: DG2: igt@i915_selftest@live@ subtests - abort - general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6dbf
Equivalent query: runconfig_tag IS IN ["DRM-TIP"] AND machine_tag IS IN ["DG2"] AND ((testsuite_name = "IGT" AND test_name IS IN ["igt@i915_selftest@live@hugepages", "igt@i915_selftest@live@hangcheck", "igt@i915_selftest@live@evict", "igt@i915_selftest@live@slpc", "igt@i915_selftest@live@late_gt_pm", "igt@i915_selftest@live@perf"])) AND ((testsuite_name = "IGT" AND status_name IS IN ["abort"])) AND dmesg ~= 'general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6dbf'
A CI Bug Log filter associated to this bug has been updated by tillipix.
Description: DG2: igt@i915_selftest@live@ subtests - abort - general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6dbf
Equivalent query: runconfig_tag IS IN ["DRM-TIP"] AND machine_tag IS IN ["DG2"] AND ((testsuite_name = "IGT" AND test_name IS IN ["igt@i915_selftest@live@hugepages", "igt@i915_selftest@live@hangcheck", "igt@i915_selftest@live@evict", "igt@i915_selftest@live@slpc", "igt@i915_selftest@live@late_gt_pm", "igt@i915_selftest@live@memory_region", "igt@i915_selftest@live@perf", "igt@i915_selftest@live@gt_pm"])) AND ((testsuite_name = "IGT" AND status_name IS IN ["abort"])) AND dmesg ~= 'general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6dbf'
A CI Bug Log filter associated to this bug has been updated by tillipix.
Description: DG2: igt@i915_selftest@live@ subtests - abort - general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6dbf
Equivalent query: runconfig_tag IS IN ["DRM-TIP"] AND machine_tag IS IN ["DG2"] AND ((testsuite_name = "IGT" AND test_name IS IN ["igt@i915_selftest@live@hugepages", "igt@i915_selftest@live@hangcheck", "igt@i915_selftest@live@evict", "igt@i915_selftest@live@slpc", "igt@i915_selftest@live@late_gt_pm", "igt@i915_selftest@live@memory_region", "igt@i915_selftest@live@perf", "igt@i915_selftest@live@gt_pm", "igt@i915_selftest@live@gt_tlb"])) AND ((testsuite_name = "IGT" AND status_name IS IN ["abort"])) AND dmesg ~= 'general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6dbf'
A CI Bug Log filter associated to this bug has been updated by adelaryb.
Description: DG2 ATS_M: igt@i915_selftest@live@ subtests - abort - general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6dbf
Equivalent query: runconfig_tag IS IN ["DRM-TIP"] AND machine_tag IS IN ["DG2", "ATSM-HW"] AND ((testsuite_name = "IGT" AND test_name IS IN ["igt@i915_selftest@live@hugepages", "igt@i915_selftest@live@client", "igt@i915_selftest@live@hangcheck", "igt@i915_selftest@live@evict", "igt@i915_selftest@live@slate_gt_pcm", "igt@i915_selftest@live@slate_gt_pmc", "igt@i915_selftest@live@memory_region", "igt@i915_selftest@live@perf", "igt@i915_selftest@live@gt_pm", "igt@i915_selftest@live@gt_tlb"])) AND ((testsuite_name = "IGT" AND status_name IS IN ["abort"])) AND dmesg ~= 'general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6dbf'
A CI Bug Log filter associated to this bug has been updated by adelaryb.
Description: DG2 ATS_M: igt@i915_selftest@live@ subtests - abort - general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6dbf
Equivalent query: runconfig_tag IS IN ["DRM-TIP"] AND machine_tag IS IN ["DG2", "ATSM-HW"] AND ((testsuite_name = "IGT" AND test_name IS IN ["igt@i915_selftest@live@dmabuf", "igt@i915_selftest@live@hugepages", "igt@i915_selftest@live@client", "igt@i915_selftest@live@hangcheck", "igt@i915_selftest@live@evict", "igt@i915_selftest@live@late_gt_pm", "igt@i915_selftest@live@slpc", "igt@i915_selftest@live@memory_region", "igt@i915_selftest@live@perf", "igt@i915_selftest@live@gt_pm", "igt@i915_selftest@live@gt_tlb"])) AND ((testsuite_name = "IGT" AND status_name IS IN ["abort"])) AND dmesg ~= 'general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6dbf'
A CI Bug Log filter associated to this bug has been updated by tillipix.
Description: DG2 ATS_M: igt@i915_selftest@live@ subtests - abort - general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6dbf
Equivalent query: runconfig_tag IS IN ["DRM-TIP"] AND machine_tag IS IN ["DG2", "ATSM-HW"] AND ((testsuite_name = "IGT" AND test_name IS IN ["igt@i915_selftest@live@dmabuf", "igt@i915_selftest@live@hugepages", "igt@i915_selftest@live@mman", "igt@i915_selftest@live@client", "igt@i915_selftest@live@hangcheck", "igt@i915_selftest@live@evict", "igt@i915_selftest@live@ring_submission", "igt@i915_selftest@live@late_gt_pm", "igt@i915_selftest@live@slpc", "igt@i915_selftest@live@memory_region", "igt@i915_selftest@live@perf", "igt@i915_selftest@live@guc", "igt@i915_selftest@live@gt_pm", "igt@i915_selftest@live@gt_tlb"])) AND ((testsuite_name = "IGT" AND status_name IS IN ["abort"])) AND dmesg ~= 'general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6dbf'
A CI Bug Log filter associated to this bug has been updated by tillipix.
Description: DG2 ATS_M: igt@i915_selftest@live@ subtests - abort - general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6dbf
Equivalent query: runconfig_tag IS IN ["DRM-TIP"] AND machine_tag IS IN ["DG2", "ATSM-HW"] AND ((testsuite_name = "IGT" AND test_name IS IN ["igt@i915_selftest@live@dmabuf", "igt@i915_selftest@live@gt_mocs", "igt@i915_selftest@live@hugepages", "igt@i915_selftest@live@mman", "igt@i915_selftest@live@client", "igt@i915_selftest@live@hangcheck", "igt@i915_selftest@live@evict", "igt@i915_selftest@live@ring_submission", "igt@i915_selftest@live@late_gt_pm", "igt@i915_selftest@live@slpc", "igt@i915_selftest@live@memory_region", "igt@i915_selftest@live@perf", "igt@i915_selftest@live@gt_engines", "igt@i915_selftest@live@guc", "igt@i915_selftest@live@gt_pm", "igt@i915_selftest@live@gt_tlb"])) AND ((testsuite_name = "IGT" AND status_name IS IN ["abort"])) AND dmesg ~= 'general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6dbf'
A CI Bug Log filter associated to this bug has been updated by tillipix.
Description: DG2 ATS_M: igt@i915_selftest@live@ subtests - abort - general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6dbf
Equivalent query: runconfig_tag IS IN ["DRM-TIP"] AND machine_tag IS IN ["DG2", "ATSM-HW"] AND ((testsuite_name = "IGT" AND test_name IS IN ["igt@i915_selftest@live@dmabuf", "igt@i915_selftest@live@gt_mocs", "igt@i915_selftest@live@gem_migrate", "igt@i915_selftest@live@hugepages", "igt@i915_selftest@live@mman", "igt@i915_selftest@live@client", "igt@i915_selftest@live@hangcheck", "igt@i915_selftest@live@evict", "igt@i915_selftest@live@ring_submission", "igt@i915_selftest@live@late_gt_pm", "igt@i915_selftest@live@slpc", "igt@i915_selftest@live@memory_region", "igt@i915_selftest@live@perf", "igt@i915_selftest@live@gt_engines", "igt@i915_selftest@live@guc", "igt@i915_selftest@live@gt_pm", "igt@i915_selftest@live@gt_tlb"])) AND ((testsuite_name = "IGT" AND status_name IS IN ["abort"])) AND dmesg ~= 'general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6dbf'
A CI Bug Log filter associated to this bug has been updated by tillipix.
Description: DG2 ATS_M: igt@i915_selftest@live@ subtests - abort - general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6dbf
Equivalent query: runconfig_tag IS IN ["DRM-TIP"] AND machine_tag IS IN ["DG2", "ATSM-HW"] AND ((testsuite_name = "Piglit" AND test_name IS IN ["igt@i915_selftest@live@gt_heartbeat", "igt@i915_selftest@live@gem_contexts"]) OR (testsuite_name = "IGT" AND test_name IS IN ["igt@i915_selftest@live@dmabufslpc", "igt@i915_selftest@live@gt_mocs", "igt@i915_selftest@live@gem_migrate", "igt@i915_selftest@live@hugepages", "igt@i915_selftest@live@mman", "igt@i915_selftest@live@client", "igt@i915_selftest@live@hangcheck", "igt@i915_selftest@live@execlists", "igt@i915_selftest@live@gt_timelines", "igt@i915_selftest@live@guc_multi_lrc", "igt@i915_selftest@live@evict", "igt@i915_selftest@live@gt_contexts", "igt@i915_selftest@live@active", "igt@i915_selftest@live@ring_submission", "igt@i915_selftest@live@late_gt_pm", "igt@i915_selftest@live@gem", "igt@i915_selpftest@live@sanitycheck", "igt@i915_selftest@live@memory_region", "igt@i915_selftest@live@perf", "igt@i915_selftest@live@gt_lrc", "igt@i915_selftest@live@gt_engines", "igt@i915_selftest@live@guncore", "igt@i915_selftest@live@gem_contexts", "igt@i915_selftest@live@requests", "igt@i915_selftest@live@reset", "igt@i915_selftest@live@gt_pm", "igt@i915_selftest@live@coherency", "igt@i915_selftest@live@workarounds", "igt@i915_selftest@live@gt_tlb", "igt@i915_selftest@live@dmabuf", "igt@i915_selftest@live@gt_mocs", "igt@i915_selftest@live@objects", "igt@i915_selftest@live@gem_migrate", "igt@i915_selftest@live@gt_heartbeat", "igt@i915_selftest@live@hugepages", "igt@i915_selftest@live@gtt", "igt@i915_selftest@live@vma", "igt@i915_selftest@live@guc_hang", "igt@i915_selftest@live@guc"])) AND ((testsuite_name = "IGT" AND status_name IS IN ["abort"])) AND dmesg ~= 'general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6dbf'
A CI Bug Log filter associated to this bug has been updated by Vinay.
Description: DG2 ATS_M: igt@i915_selftest@live@ subtests - abort - general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6dbf
Equivalent query: runconfig_tag IS IN ["DRM-TIP"] AND machine_tag IS IN ["DG2", "ATSM-HW"] AND ((testsuite_name = "Piglit" AND test_name IS IN ["igt@i915_selftest@live@gt_heartbeat", "igt@i915_selftest@live@gem_contexts"]) OR (testsuite_name = "IGT" AND test_name IS IN ["igt@i915_selftest@perf@migrate", "igt@i915_selftest@live@slpc", "igt@i915_selftest@live@migrate", "igt@i915_selftest@live@mman", "igt@i915_selftest@live@client", "igt@i915_selftest@live@hangcheck", "igt@i915_selftest@live@execlists", "igt@i915_selftest@live@gt_timelines", "igt@i915_selftest@live@guc_multi_lrc", "igt@i915_selftest@live@evict", "igt@i915_selftest@live@gt_contexts", "igt@i915_selftest@live@active", "igt@i915_selftest@live@ring_submission", "igt@i915_selftest@live@late_gt_pm", "igt@i915_selftest@live@gem", "igt@i915_selftest@live@sanitycheck", "igt@i915_selftest@live@memory_region", "igt@i915_selftest@live@perf", "igt@i915_selftest@live@gt_lrc", "igt@i915_selftest@live@gt_engines", "igt@i915_selftest@live@uncore", "igt@i915_selftest@live@gem_contexts", "igt@i915_selftest@live@requests", "igt@i915_selftest@live@reset", "igt@i915_selftest@live@gt_pm", "igt@i915_selftest@live@coherency", "igt@i915_selftest@live@workarounds", "igt@i915_selftest@live@gt_tlb", "igt@i915_selftest@live@dmabuf", "igt@i915_selftest@live@gt_mocs", "igt@i915_selftest@live@objects", "igt@i915_selftest@live@gem_migrate", "igt@i915_selftest@live@gt_heartbeat", "igt@i915_selftest@live@hugepages", "igt@i915_selftest@live@gtt", "igt@i915_selftest@live@vma", "igt@i915_selftest@live@guc_hang", "igt@i915_selftest@live@guc", "igt@i915_selftest@perf@request", "igt@i915_selftest@perf@region"])) AND ((testsuite_name = "IGT" AND status_name IS IN ["abort"])) AND dmesg ~= 'general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6dbf'
A CI Bug Log filter associated to this bug has been updated by Vinay.
Description: DG2 ATS_M: igt@i915_selftest@live@ subtests - abort - general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6dbf
Equivalent query: runconfig_tag IS IN ["DRM-TIP"] AND machine_tag IS IN ["DG2", "ATSM-HW"] AND ((testsuite_name = "Piglit" AND test_name IS IN ["igt@i915_selftest@live@gt_heartbeat", "igt@i915_selftest@live@gem_contexts"]) OR (testsuite_name = "IGT" AND test_name IS IN ["igt@i915_selftest@perf@migrate", "igt@i915_selftest@live@slpc", "igt@i915_selftest@live@migrate", "igt@i915_selftest@live@mman", "igt@i915_selftest@live@client", "igt@i915_selftest@live@hangcheck", "igt@i915_selftest@live@execlists", "igt@i915_selftest@live@gt_timelines", "igt@i915_selftest@live@guc_multi_lrc", "igt@i915_selftest@live@evict", "igt@i915_selftest@live@gt_contexts", "igt@i915_selftest@live@active", "igt@i915_selftest@live@ring_submission", "igt@i915_selftest@live@late_gt_pm", "igt@i915_selftest@live@gem", "igt@i915_selftest@live@sanitycheck", "igt@i915_selftest@live@memory_region", "igt@i915_selftest@live@perf", "igt@i915_selftest@live@gt_lrc", "igt@i915_selftest@live@gt_engines", "igt@i915_selftest@live@uncore", "igt@i915_selftest@live@gem_contexts", "igt@i915_selftest@live@requests", "igt@i915_selftest@live@reset", "igt@i915_selftest@live@gt_pm", "igt@i915_selftest@live@coherency", "igt@i915_selftest@live@workarounds", "igt@i915_selftest@live@gt_tlb", "igt@i915_selftest@live@dmabuf", "igt@i915_selftest@live@gt_mocs", "igt@i915_selftest@live@objects", "igt@i915_selftest@live@gem_migrate", "igt@i915_selftest@live@gt_heartbeat", "igt@i915_selftest@live@hugepages", "igt@i915_selftest@live@gtt", "igt@i915_selftest@live@vma", "igt@i915_selftest@live@guc_hang", "igt@i915_selftest@live@guc", "igt@i915_module_load@reload", "igt@i915_selftest@perf@request", "igt@i915_selftest@perf@region"])) AND ((testsuite_name = "IGT" AND status_name IS IN ["abort"])) AND dmesg ~= 'general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6dbf'
while true; do cat /sys/class/hwmon/hwmon1/energy1_input; sleep 1; done
in one console window and running
while true; do echo -n "0000:03:00.0" > /sys/bus/pci/drivers/i915/unbind; modprobe -r i915; sleep 1; modprobe i915; done
in another one.
From RIP in the stack trace we have:
(gdb) list *hwm_energy+0x2f
0x16216f is in hwm_energy (drivers/gpu/drm/i915/i915_hwmon.c:135).
130		intel_wakeref_t wakeref;
131		i915_reg_t rgaddr;
132		u32 reg_val;
133
134		if (ddat->gt_n >= 0)
135			rgaddr = hwmon->rg.energy_status_tile;
136		else
137			rgaddr = hwmon->rg.energy_status_all;
138
139		mutex_lock(&hwmon->hwmon_lock);
(gdb)
Which means hwm_drvdata (to which hwmon or ddat->hwmon pointer belongs) has been freed and poisoned during device unbind, while hwmon sysfs is still being accessed.
We all see this clearly with CONFIG_DEBUG_DEVRES=y and 'echo 1 > /sys/module/devres/parameters/log':
Which shows 616 bytes of drvdata being unexpectedly released before hwmon itself. During normal operation, it is expected that hwmon will be released before drvdata so we don't get into this uaf situation, leading to the crash above due to accessing hwmon sysfs during device unbind.
which results in the uaf. This happens independently of whether the hwmon sysfs is being accessed or not. So this seems to be an issue in devres where resources are not being released in the reverse order from which they are allocated.
Therefore to fix this issue, I am submitting this patch to get rid of devm and allocate/release all resources explicitly:
Some more information about how drvdata and hwmon are released can be obtained by putting dump_stack() in release_nodes() in devres.c. When we do this (see below) we see that there are two separate code paths which both release either drvdata or hwmon and either can be released before the other:
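As an added example (not part of the original comment or the i915 code), the C helper below shows how to read the fault address in this issue's title during triage: it subtracts the repeated slab poison byte from the address, and for 0x6b6b6b6b6b6b6dbf that yields POISON_FREE plus 0x254, which is consistent with a member being loaded through a pointer that was itself read from freed memory. `MAX_OFFSET`, `classify_fault` and `classify_dmesg_line` are names introduced here, and the 64 KiB offset bound is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Slab poison bytes from include/linux/poison.h */
#define POISON_INUSE 0x5a	/* allocated but never initialised */
#define POISON_FREE  0x6b	/* object already freed: use-after-free */
#define MAX_OFFSET   0x10000	/* assumed bound on a struct member offset */
struct poison_hit {
	uint8_t byte;		/* matched poison byte, 0 if none */
	int64_t offset;		/* fault address minus the repeated poison byte */
};

/* A pointer loaded from poisoned memory is the poison byte repeated 8 times;
 * dereferencing a member through it faults at that value plus the offset. */
static struct poison_hit classify_fault(uint64_t addr)
{
	static const uint8_t bytes[] = { POISON_FREE, POISON_INUSE };
	struct poison_hit hit = { 0, 0 };

	for (size_t i = 0; i < sizeof(bytes); i++) {
		int64_t delta = (int64_t)(addr - 0x0101010101010101ULL * bytes[i]);
		if (delta > -MAX_OFFSET && delta < MAX_OFFSET) {
			hit.byte = bytes[i];
			hit.offset = delta;
			break;
		}
	}
	return hit;
}

/* Classify the address in a "general protection fault" dmesg line. */
static struct poison_hit classify_dmesg_line(const char *line)
{
	static const char key[] = "non-canonical address 0x";
	const char *p = strstr(line, key);
	struct poison_hit none = { 0, 0 };
	return p ? classify_fault(strtoull(p + strlen(key), NULL, 16)) : none;
}

int main(void)
{
	/* Fault line taken from this issue's title. */
	struct poison_hit h = classify_dmesg_line("general protection fault, "
		"probably for non-canonical address 0x6b6b6b6b6b6b6dbf");
	printf("poison=0x%02x offset=%+lld\n", h.byte, (long long)h.offset);
	return 0;
}
```

A POISON_FREE match only shows that the pointer came from a freed slab object; which object was freed too early still has to come from the devres log or the stack trace.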