Hi
On 31.10.25 at 16:49, Ian Forbes wrote:
On Mon, Oct 27, 2025 at 7:11 AM Thomas Zimmermann <[email protected]> wrote:
The client buffer's framebuffer holds a reference and pointer on
each of its GEM buffer objects. Thus the field gem in the client-
buffer struct is not necessary. Deprecate the field and convert
the client-buffer helpers to use the framebuffer's objects.
In drm_client_buffer_delete(), do a possible vunmap before releasing
the framebuffer. Otherwise we'd eventually release the framebuffer
before unmapping its buffer objects.
v2:
- avoid dependency on CONFIG_DRM_KMS_HELPER
Signed-off-by: Thomas Zimmermann <[email protected]>
Reviewed-by: Jocelyn Falempe <[email protected]>
---
This patch has caused a crash on vmwgfx with ASAN enabled.
A possible fix is available at
https://lore.kernel.org/dri-devel/[email protected]/T/#u
Best regards
Thomas
[ 22.286155] Console: switching to colour dummy device 80x25
[ 22.359287] vmwgfx 0000:00:0f.0: vgaarb: deactivate vga console
[ 22.388482] vmwgfx 0000:00:0f.0: [drm] FIFO at 0x00000000fb800000
size is 8192 KiB
[ 22.390036] vmwgfx 0000:00:0f.0: [drm] VRAM at 0x00000000f0000000
size is 131072 KiB
[ 22.391255] vmwgfx 0000:00:0f.0: [drm] Running on SVGA version 2.
[ 22.392209] vmwgfx 0000:00:0f.0: [drm] Capabilities: rect copy,
cursor, cursor bypass, cursor bypass 2, 8bit emulation, alpha cursor,
3D, extended fifo, multimon, pitchlock, irq mask, display topology,
gmr, traces, gmr2, screen object 2, command buffers, command buffers
2, gbobject, dx, hp cmd queue, no bb restriction, cap2 register,
[ 22.396463] vmwgfx 0000:00:0f.0: [drm] Capabilities2: grow otable,
intra surface copy, dx2, gb memsize 2, screendma reg, otable ptdepth2,
non ms to ms stretchblt, cursor mob, mshint, cb max size 4mb, dx3,
frame type, trace full fb, extra regs, lo staging,
[ 22.400175] vmwgfx 0000:00:0f.0: [drm] DMA map mode: Caching DMA mappings.
[ 22.400224] audit: type=1130 audit(1761925118.444:63): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=systemd-fsck@dev-disk-by\x2duuid-AFBE\x2d8A94 comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
[ 22.401320] vmwgfx 0000:00:0f.0: [drm] Legacy memory limits: VRAM =
4096 KiB, FIFO = 256 KiB, surface = 0 KiB
[ 22.406225] vmwgfx 0000:00:0f.0: [drm] MOB limits: max mob size =
1048576 KiB, max mob pages = 524288
[ 22.407602] vmwgfx 0000:00:0f.0: [drm] Max GMR ids is 64
[ 22.408398] vmwgfx 0000:00:0f.0: [drm] Max number of GMR pages is 65536
[ 22.409393] vmwgfx 0000:00:0f.0: [drm] Maximum display memory size
is 262144 KiB
[ 22.419541] vmwgfx 0000:00:0f.0: [drm] Screen Target display unit initialized
[ 22.422876] vmwgfx 0000:00:0f.0: [drm] Fifo max 0x00040000 min
0x00001000 cap 0x0000077f
[ 22.426030] vmwgfx 0000:00:0f.0: [drm] Using command buffers with DMA pool.
[ 22.427664] vmwgfx 0000:00:0f.0: [drm] Available shader model: SM_5_1X.
[ 22.621336] [drm] Initialized vmwgfx 2.21.0 for 0000:00:0f.0 on minor 0
[ 22.627782] fbcon: vmwgfxdrmfb (fb0) is primary device
[ 22.640191] Console: switching to colour frame buffer device 160x50
[ 22.641788] Oops: general protection fault, probably for
non-canonical address 0xdffffc000000001f: 0000 [#1] SMP KASAN NOPTI
[ 22.641795] KASAN: null-ptr-deref in range
[0x00000000000000f8-0x00000000000000ff]
[ 22.641802] CPU: 6 UID: 0 PID: 134 Comm: kworker/6:1 Not tainted
6.18.0-rc2+ #63 PREEMPT(lazy)
[ 22.641809] Hardware name: VMware, Inc. VMware20,1/440BX Desktop
Reference Platform, BIOS VMW201.00V.24928539.B64.2508260915 08/26/2025
[ 22.641812] Workqueue: events drm_fb_helper_damage_work
[ 22.641824] RIP: 0010:drm_gem_lock+0x25/0x50
[ 22.641831] Code: 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 48 b8
00 00 00 00 00 fc ff df 53 48 89 fb 48 81 c7 f8 00 00 00 48 89 fa 48
c1 ea 03 <80> 3c 02 00 75 0f 48 8b bb f8 00 00 00 31 f6 5b e9 16 2e 15
01 e8
[ 22.641835] RSP: 0018:ffff88810638fb78 EFLAGS: 00010202
[ 22.641838] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff9e694d16
[ 22.641841] RDX: 000000000000001f RSI: ffff88810638fbf0 RDI: 00000000000000f8
[ 22.641844] RBP: ffff88810638fbb0 R08: 0000000000000001 R09: ffffed1020c71f6d
[ 22.641847] R10: ffff88810638fb6f R11: 0000000000000006 R12: 0000000000000000
[ 22.641849] R13: ffff88810bfc6710 R14: ffff88810638fbf0 R15: ffff88810638fbf0
[ 22.641852] FS: 0000000000000000(0000) GS:ffff8882b6b3b000(0000)
knlGS:0000000000000000
[ 22.641855] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 22.641858] CR2: 00007f7357b568a1 CR3: 0000000106a70006 CR4: 00000000007706f0
[ 22.641887] PKRU: 55555554
[ 22.641889] Call Trace:
[ 22.641891] <TASK>
[ 22.641894] drm_client_buffer_vmap_local+0x78/0x140
[ 22.641903] drm_fbdev_ttm_helper_fb_dirty+0x20c/0x510 [drm_ttm_helper]
[ 22.641913] ? __pfx_drm_fbdev_ttm_helper_fb_dirty+0x10/0x10 [drm_ttm_helper]
[ 22.641918] ? __raw_spin_lock_irqsave+0x8c/0xf0
[ 22.641924] ? __pfx___raw_spin_lock_irqsave+0x10/0x10
[ 22.641928] ? __pfx_mutex_lock+0x10/0x10
[ 22.641936] drm_fb_helper_fb_dirty+0x29a/0x5e0
[ 22.641942] ? __pfx_drm_fb_helper_fb_dirty+0x10/0x10
[ 22.641946] ? _raw_spin_lock_irq+0x8a/0xe0
[ 22.641950] ? __pfx__raw_spin_lock_irq+0x10/0x10
[ 22.641955] process_one_work+0x668/0xeb0
[ 22.641962] worker_thread+0x5f6/0x1060
[ 22.641967] ? __kthread_parkme+0x8d/0x170
[ 22.641972] ? __pfx_worker_thread+0x10/0x10
[ 22.641976] kthread+0x36f/0x710
[ 22.641980] ? __pfx_kthread+0x10/0x10
[ 22.641983] ? __pfx__raw_spin_lock_irq+0x10/0x10
[ 22.641987] ? __pfx_kthread+0x10/0x10
[ 22.641990] ret_from_fork+0x1c9/0x260
[ 22.641995] ? __pfx_kthread+0x10/0x10
[ 22.641999] ret_from_fork_asm+0x1a/0x30
[ 22.642004] </TASK>
[ 22.642006] Modules linked in: vfat(+) snd_ac97_codec(+) vmxnet3(+)
ac97_bus fat snd_seq snd_pcm gameport vmwgfx(+) snd_rawmidi
snd_seq_device snd_timer drm_ttm_helper snd i2c_piix4 ttm i2c_smbus
joydev soundcore loop nfnetlink vsock_loopback
vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock zram
vmw_vmci lz4hc_compress lz4_compress polyval_clmulni
ghash_clmulni_intel ata_generic pata_acpi serio_raw fuse
[ 22.642056] ---[ end trace 0000000000000000 ]---
[ 22.642059] RIP: 0010:drm_gem_lock+0x25/0x50
[ 22.642063] Code: 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 48 b8
00 00 00 00 00 fc ff df 53 48 89 fb 48 81 c7 f8 00 00 00 48 89 fa 48
c1 ea 03 <80> 3c 02 00 75 0f 48 8b bb f8 00 00 00 31 f6 5b e9 16 2e 15
01 e8
[ 22.642066] RSP: 0018:ffff88810638fb78 EFLAGS: 00010202
[ 22.642069] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff9e694d16
[ 22.642072] RDX: 000000000000001f RSI: ffff88810638fbf0 RDI: 00000000000000f8
[ 22.642074] RBP: ffff88810638fbb0 R08: 0000000000000001 R09: ffffed1020c71f6d
[ 22.642077] R10: ffff88810638fb6f R11: 0000000000000006 R12: 0000000000000000
[ 22.642079] R13: ffff88810bfc6710 R14: ffff88810638fbf0 R15: ffff88810638fbf0
[ 22.642082] FS: 0000000000000000(0000) GS:ffff8882b6b3b000(0000)
knlGS:0000000000000000
[ 22.642085] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 22.642087] CR2: 00007f7357b568a1 CR3: 0000000106a70006 CR4: 00000000007706f0
[ 22.642112] PKRU: 55555554
--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Frankenstr. 146, 90461 Nürnberg, Germany, www.suse.com
GF: Jochen Jaser, Andrew McDonald, Werner Knoblich, (HRB 36809, AG Nürnberg)
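
Added example, not part of the mail thread or of the kernel sources: a small triage helper that maps the non-canonical fault address in the oops above back to the memory range KASAN was checking, and cross-checks it against the registers. It assumes the x86_64 generic-KASAN shadow offset and an 8-byte shadow granule; the function names are hypothetical.

```python
import re

# Assumed constants: x86_64 generic KASAN (shadow offset, 8 bytes per shadow byte).
KASAN_SHADOW_OFFSET = 0xDFFFFC0000000000
KASAN_SHADOW_SCALE_SHIFT = 3
MASK64 = (1 << 64) - 1

# Lines taken from the oops above, with the mail client's line wrapping undone.
OOPS = """\
[ 22.641788] Oops: general protection fault, probably for non-canonical address 0xdffffc000000001f: 0000 [#1] SMP KASAN NOPTI
[ 22.641795] KASAN: null-ptr-deref in range [0x00000000000000f8-0x00000000000000ff]
[ 22.641824] RIP: 0010:drm_gem_lock+0x25/0x50
[ 22.641838] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff9e694d16
[ 22.641841] RDX: 000000000000001f RSI: ffff88810638fbf0 RDI: 00000000000000f8
"""

def shadow_to_range(shadow_addr):
    """Invert KASAN's address-to-shadow mapping for one shadow byte."""
    start = (((shadow_addr - KASAN_SHADOW_OFFSET) & MASK64)
             << KASAN_SHADOW_SCALE_SHIFT) & MASK64
    return start, start + (1 << KASAN_SHADOW_SCALE_SHIFT) - 1

def triage(log):
    """Extract the faulting function, checked range and telltale registers."""
    text = " ".join(log.split())
    fault = int(re.search(r"non-canonical address (0x[0-9a-f]+)", text).group(1), 16)
    kind, lo, hi = re.search(
        r"KASAN: (\S+) in range \[(0x[0-9a-f]+)-(0x[0-9a-f]+)\]", text).groups()
    regs = {name: int(val, 16) for name, val in
            re.findall(r"\b(R[A-Z0-9]{2}): ([0-9a-f]{16})\b", text)}
    start, end = shadow_to_range(fault)
    return {
        "function": re.search(r"RIP: \d+:(\w+)\+", text).group(1),
        "kind": kind,
        "range": (start, end),
        # Cross-check our arithmetic against the range the kernel printed.
        "matches_report": (start, end) == (int(lo, 16), int(hi, 16)),
        # Registers holding NULL, and registers holding NULL + field offset.
        "null_regs": [r for r, v in regs.items() if v == 0],
        "addr_regs": [r for r, v in regs.items() if v == start],
    }

if __name__ == "__main__":
    for key, value in triage(OOPS).items():
        print(key, value)
```

For this log the result is a read at offset 0xf8 from a NULL pointer inside drm_gem_lock, with RBX holding the NULL base and RDI the base plus offset.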