From: Maxime Ripard <maxime@cerno.tech>
To: Mark Rutland <mark.rutland@arm.com>
Cc: linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
Arnd Bergmann <arnd@arndb.de>,
Catalin Marinas <catalin.marinas@arm.com>,
Daniel Vetter <daniel@ffwll.ch>, David Airlie <airlied@linux.ie>,
Emma Anholt <emma@anholt.net>, Will Deacon <will@kernel.org>,
dri-devel@lists.freedesktop.org
Subject: Re: [PATCH] drm/vc4: fix vc4_atomic_commit_tail() logic
Date: Tue, 8 Jun 2021 17:03:09 +0200 [thread overview]
Message-ID: <20210608150309.ggoffedtwntkcoxz@gilmour> (raw)
In-Reply-To: <20210608085513.2069-1-mark.rutland@arm.com>
[-- Attachment #1.1: Type: text/plain, Size: 4007 bytes --]
Hi,
On Tue, Jun 08, 2021 at 09:55:12AM +0100, Mark Rutland wrote:
> In vc4_atomic_commit_tail() we iterate of the set of old CRTCs, and
> attempt to wait on any channels which are still in use. When we iterate
> over the CRTCs, we have:
>
> * `i` - the index of the CRTC
> * `channel` - the channel a CRTC is using
>
> When we check the channel state, we consult:
>
> old_hvs_state->fifo_state[channel].in_use
>
> ... but when we wait for the channel, we erroneously wait on:
>
> old_hvs_state->fifo_state[i].pending_commit
>
> ... rather than:
>
> old_hvs_state->fifo_state[channel].pending_commit
>
> ... and this bogus access has been observed to result in boot-time hangs
> on some arm64 configurations, and can be detected using KASAN. FIx this
> by using the correct index.
>
> I've tested this on a Raspberry Pi 3 model B v1.2 with KASAN.
>
> Trimmed KASAN splat:
>
> | ==================================================================
> | BUG: KASAN: slab-out-of-bounds in vc4_atomic_commit_tail+0x1cc/0x910
> | Read of size 8 at addr ffff000007360440 by task kworker/u8:0/7
> | CPU: 2 PID: 7 Comm: kworker/u8:0 Not tainted 5.13.0-rc3-00009-g694c523e7267 #3
> |
> | Hardware name: Raspberry Pi 3 Model B (DT)
> | Workqueue: events_unbound deferred_probe_work_func
> | Call trace:
> | dump_backtrace+0x0/0x2b4
> | show_stack+0x1c/0x30
> | dump_stack+0xfc/0x168
> | print_address_description.constprop.0+0x2c/0x2c0
> | kasan_report+0x1dc/0x240
> | __asan_load8+0x98/0xd4
> | vc4_atomic_commit_tail+0x1cc/0x910
> | commit_tail+0x100/0x210
> | ...
> |
> | Allocated by task 7:
> | kasan_save_stack+0x2c/0x60
> | __kasan_kmalloc+0x90/0xb4
> | vc4_hvs_channels_duplicate_state+0x60/0x1a0
> | drm_atomic_get_private_obj_state+0x144/0x230
> | vc4_atomic_check+0x40/0x73c
> | drm_atomic_check_only+0x998/0xe60
> | drm_atomic_commit+0x34/0x94
> | drm_client_modeset_commit_atomic+0x2f4/0x3a0
> | drm_client_modeset_commit_locked+0x8c/0x230
> | drm_client_modeset_commit+0x38/0x60
> | drm_fb_helper_set_par+0x104/0x17c
> | fbcon_init+0x43c/0x970
> | visual_init+0x14c/0x1e4
> | ...
> |
> | The buggy address belongs to the object at ffff000007360400
> | which belongs to the cache kmalloc-128 of size 128
> | The buggy address is located 64 bytes inside of
> | 128-byte region [ffff000007360400, ffff000007360480)
> | The buggy address belongs to the page:
> | page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7360
> | flags: 0x3fffc0000000200(slab|node=0|zone=0|lastcpupid=0xffff)
> | raw: 03fffc0000000200 dead000000000100 dead000000000122 ffff000004c02300
> | raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
> | page dumped because: kasan: bad access detected
> |
> | Memory state around the buggy address:
> | ffff000007360300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> | ffff000007360380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> | >ffff000007360400: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
> | ^
> | ffff000007360480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> | ffff000007360500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> | ==================================================================
>
> Link: https://lore.kernel.org/r/4d0c8318-bad8-2be7-e292-fc8f70c198de@samsung.com
> Link: https://lore.kernel.org/linux-arm-kernel/20210607151740.moncryl5zv3ahq4s@gilmour
> Signed-off-by: Mark Rutland <mark.rutland@arm.com>
> Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
> Cc: Arnd Bergmann <arnd@arndb.de>
> Cc: Catalin Marinas <catalin.marinas@arm.com>
> Cc: Daniel Vetter <daniel@ffwll.ch>
> Cc: David Airlie <airlied@linux.ie>
> Cc: Emma Anholt <emma@anholt.net>
> Cc: Maxime Ripard <maxime@cerno.tech>
> Cc: Will Deacon <will@kernel.org>
> Cc: dri-devel@lists.freedesktop.org
Applied, thanks!
Maxime
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
[-- Attachment #2: Type: text/plain, Size: 176 bytes --]
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
prev parent reply other threads:[~2021-06-08 15:05 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20210608093713eucas1p1f80bd23f2361de5c86440c1153d3c99b@eucas1p1.samsung.com>
2021-06-08 8:55 ` [PATCH] drm/vc4: fix vc4_atomic_commit_tail() logic Mark Rutland
2021-06-08 9:08 ` Arnd Bergmann
2021-06-08 9:37 ` Marek Szyprowski
2021-06-08 15:03 ` Maxime Ripard [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210608150309.ggoffedtwntkcoxz@gilmour \
--to=maxime@cerno.tech \
--cc=airlied@linux.ie \
--cc=arnd@arndb.de \
--cc=catalin.marinas@arm.com \
--cc=daniel@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=emma@anholt.net \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox