From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Kumar, Shobhit" <shobhit.kumar@intel.com>
Subject: Re: [PATCH] drm/i915: Fix crash when failing to parse
	MIPI VBT
Date: Fri, 25 Jul 2014 12:02:18 +0530
Message-ID: <53D1F9F2.7020200@intel.com>
References: <1406211372-25120-1-git-send-email-rafael.barbalho@intel.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Content-Transfer-Encoding: 7bit
Return-path: <intel-gfx-bounces@lists.freedesktop.org>
Received: from mga03.intel.com (mga03.intel.com [143.182.124.21])
 by gabe.freedesktop.org (Postfix) with ESMTP id 6B4216E78D
 for <intel-gfx@lists.freedesktop.org>; Thu, 24 Jul 2014 23:32:21 -0700 (PDT)
In-Reply-To: <1406211372-25120-1-git-send-email-rafael.barbalho@intel.com>
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/intel-gfx>,
 <mailto:intel-gfx-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/intel-gfx>
List-Post: <mailto:intel-gfx@lists.freedesktop.org>
List-Help: <mailto:intel-gfx-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/intel-gfx>,
 <mailto:intel-gfx-request@lists.freedesktop.org?subject=subscribe>
Errors-To: intel-gfx-bounces@lists.freedesktop.org
Sender: "Intel-gfx" <intel-gfx-bounces@lists.freedesktop.org>
To: rafael.barbalho@intel.com, intel-gfx@lists.freedesktop.org
List-Id: intel-gfx@lists.freedesktop.org

On 7/24/2014 7:46 PM, rafael.barbalho@intel.com wrote:
> From: Rafael Barbalho <rafael.barbalho@intel.com>
>
> This particular nasty presented itself while trying to register the
> intelfb device (intel_fbdev.c). During the process of registering the device
> the driver will disable the crtc via i9xx_crtc_disable. These will
> also disable the panel using the generic mipi panel functions in
> dsi_mod_vbt_generic.c. The stale MIPI generic data sequence pointers would
> cause a crash within those functions. However, all of this is happening
> while console_lock is held from do_register_framebuffer inside fbcon.c. Which
> means that you got kernel log and just the device appearing to reboot/hang for
> no apparent reason.
>
> The fault started from the FB_EVENT_FB_REGISTERED event using the
> fb_notifier_call_chain call in fbcon.c.
>
> Cc: Shobhit Kumar <shobhit.kumar@intel.com>
> Signed-off-by: Rafael Barbalho <rafael.barbalho@intel.com>
> ---
>   drivers/gpu/drm/i915/intel_bios.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/i915/intel_bios.c b/drivers/gpu/drm/i915/intel_bios.c
> index 608ed30..a669550 100644
> --- a/drivers/gpu/drm/i915/intel_bios.c
> +++ b/drivers/gpu/drm/i915/intel_bios.c
> @@ -878,7 +878,7 @@ err:
>
>   	/* error during parsing so set all pointers to null
>   	 * because of partial parsing */
> -	memset(dev_priv->vbt.dsi.sequence, 0, MIPI_SEQ_MAX);
> +	memset(dev_priv->vbt.dsi.sequence, 0, sizeof(dev_priv->vbt.dsi.sequence));

Ouch !! This mistake hurts. This is manifesting now because the VBT 
probably you tested had sequences not supported by the driver. I am 
influencing a TLV based VBT structure design for the sequence which when 
done will ensure proper parsing for all that is known and unknown 
pointers will remain NULL. But for now

Reviewed-by: Shobhit Kumar <shobhit.kumar@intel.com>

Regards
Shobhit