[PATCH] video: fbdev: Convert timers to use timer_setup()

[PATCH] video: fbdev: Convert timers to use timer_setup()

[Kees Cook]

In preparation for unconditionally passing the struct timer_list pointer to
all timer callbacks, switch to using the new timer_setup() and from_timer()
to pass the timer pointer explicitly. One tracking pointer was added, and
one initialization was cleaned up.

Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
Cc: David Lechner <david@lechnology.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Sean Paul <seanpaul@chromium.org>
Cc: Jean Delvare <jdelvare@suse.de>
Cc: Hans de Goede <hdegoede@redhat.com>
Cc: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
Cc: linux-fbdev@vger.kernel.org
Cc: dri-devel@lists.freedesktop.org
Cc: linux-omap@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 drivers/video/fbdev/aty/radeon_base.c      |  8 +++-----
 drivers/video/fbdev/core/fbcon.c           | 10 +++++-----
 drivers/video/fbdev/core/fbcon.h           |  1 +
 drivers/video/fbdev/omap/hwa742.c          |  6 ++----
 drivers/video/fbdev/omap2/omapfb/dss/dsi.c |  6 ++----
 drivers/video/fbdev/pxa3xx-gcu.c           | 12 ++++--------
 6 files changed, 17 insertions(+), 26 deletions(-)

diff --git a/drivers/video/fbdev/aty/radeon_base.c b/drivers/video/fbdev/aty/radeon_base.c
index 8ad1643e7d1c..4d77daeecf99 100644
--- a/drivers/video/fbdev/aty/radeon_base.c
+++ b/drivers/video/fbdev/aty/radeon_base.c
@@ -1454,9 +1454,9 @@ static void radeon_write_pll_regs(struct radeonfb_info *rinfo, struct radeon_reg
 /*
  * Timer function for delayed LVDS panel power up/down
  */
-static void radeon_lvds_timer_func(unsigned long data)
+static void radeon_lvds_timer_func(struct timer_list *t)
 {
-	struct radeonfb_info *rinfo = (struct radeonfb_info *)data;
+	struct radeonfb_info *rinfo = from_timer(rinfo, t, lvds_timer);
 
 	radeon_engine_idle();
 
@@ -2291,9 +2291,7 @@ static int radeonfb_pci_register(struct pci_dev *pdev,
 	rinfo->pdev = pdev;
 	
 	spin_lock_init(&rinfo->reg_lock);
-	init_timer(&rinfo->lvds_timer);
-	rinfo->lvds_timer.function = radeon_lvds_timer_func;
-	rinfo->lvds_timer.data = (unsigned long)rinfo;
+	timer_setup(&rinfo->lvds_timer, radeon_lvds_timer_func, 0);
 
 	c1 = ent->device >> 8;
 	c2 = ent->device & 0xff;
diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index 04612f938bab..3b4a96379128 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -395,10 +395,10 @@ static void fb_flashcursor(struct work_struct *work)
 	console_unlock();
 }
 
-static void cursor_timer_handler(unsigned long dev_addr)
+static void cursor_timer_handler(struct timer_list *t)
 {
-	struct fb_info *info = (struct fb_info *) dev_addr;
-	struct fbcon_ops *ops = info->fbcon_par;
+	struct fbcon_ops *ops = from_timer(ops, t, cursor_timer);
+	struct fb_info *info = ops->info;
 
 	queue_work(system_power_efficient_wq, &info->queue);
 	mod_timer(&ops->cursor_timer, jiffies + ops->cur_blink_jiffies);
@@ -414,8 +414,7 @@ static void fbcon_add_cursor_timer(struct fb_info *info)
 		if (!info->queue.func)
 			INIT_WORK(&info->queue, fb_flashcursor);
 
-		setup_timer(&ops->cursor_timer, cursor_timer_handler,
-			    (unsigned long) info);
+		timer_setup(&ops->cursor_timer, cursor_timer_handler, 0);
 		mod_timer(&ops->cursor_timer, jiffies + ops->cur_blink_jiffies);
 		ops->flags |= FBCON_FLAGS_CURSOR_TIMER;
 	}
@@ -714,6 +713,7 @@ static int con2fb_acquire_newinfo(struct vc_data *vc, struct fb_info *info,
 
 	if (!err) {
 		ops->cur_blink_jiffies = HZ / 5;
+		ops->info = info;
 		info->fbcon_par = ops;
 
 		if (vc)
diff --git a/drivers/video/fbdev/core/fbcon.h b/drivers/video/fbdev/core/fbcon.h
index 18f3ac144237..9f7744fbc962 100644
--- a/drivers/video/fbdev/core/fbcon.h
+++ b/drivers/video/fbdev/core/fbcon.h
@@ -69,6 +69,7 @@ struct fbcon_ops {
 	struct timer_list cursor_timer; /* Cursor timer */
 	struct fb_cursor cursor_state;
 	struct display *p;
+	struct fb_info *info;
         int    currcon;	                /* Current VC. */
 	int    cur_blink_jiffies;
 	int    cursor_flash;
diff --git a/drivers/video/fbdev/omap/hwa742.c b/drivers/video/fbdev/omap/hwa742.c
index a4ee65b8f918..6199d4806193 100644
--- a/drivers/video/fbdev/omap/hwa742.c
+++ b/drivers/video/fbdev/omap/hwa742.c
@@ -474,7 +474,7 @@ static void auto_update_complete(void *data)
 			  jiffies + HWA742_AUTO_UPDATE_TIME);
 }
 
-static void hwa742_update_window_auto(unsigned long arg)
+static void hwa742_update_window_auto(struct timer_list *unused)
 {
 	LIST_HEAD(req_list);
 	struct hwa742_request *last;
@@ -1002,9 +1002,7 @@ static int hwa742_init(struct omapfb_device *fbdev, int ext_mode,
 	hwa742.auto_update_window.height = fbdev->panel->y_res;
 	hwa742.auto_update_window.format = 0;
 
-	init_timer(&hwa742.auto_update_timer);
-	hwa742.auto_update_timer.function = hwa742_update_window_auto;
-	hwa742.auto_update_timer.data = 0;
+	timer_setup(&hwa742.auto_update_timer, hwa742_update_window_auto, 0);
 
 	hwa742.prev_color_mode = -1;
 	hwa742.prev_flags = 0;
diff --git a/drivers/video/fbdev/omap2/omapfb/dss/dsi.c b/drivers/video/fbdev/omap2/omapfb/dss/dsi.c
index 30d49f3800b3..8e1d60d48dbb 100644
--- a/drivers/video/fbdev/omap2/omapfb/dss/dsi.c
+++ b/drivers/video/fbdev/omap2/omapfb/dss/dsi.c
@@ -3988,7 +3988,7 @@ static void dsi_update_screen_dispc(struct platform_device *dsidev)
 }
 
 #ifdef DSI_CATCH_MISSING_TE
-static void dsi_te_timeout(unsigned long arg)
+static void dsi_te_timeout(struct timer_list *unused)
 {
 	DSSERR("TE not received for 250ms!\n");
 }
@@ -5298,9 +5298,7 @@ static int dsi_bind(struct device *dev, struct device *master, void *data)
 			     dsi_framedone_timeout_work_callback);
 
 #ifdef DSI_CATCH_MISSING_TE
-	init_timer(&dsi->te_timer);
-	dsi->te_timer.function = dsi_te_timeout;
-	dsi->te_timer.data = 0;
+	timer_setup(&dsi->te_timer, dsi_te_timeout, 0);
 #endif
 
 	res = platform_get_resource_byname(dsidev, IORESOURCE_MEM, "proto");
diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c
index 933619da1a94..e88447eac32c 100644
--- a/drivers/video/fbdev/pxa3xx-gcu.c
+++ b/drivers/video/fbdev/pxa3xx-gcu.c
@@ -513,16 +513,10 @@ pxa3xx_gcu_mmap(struct file *file, struct vm_area_struct *vma)
 #ifdef PXA3XX_GCU_DEBUG_TIMER
 static struct timer_list pxa3xx_gcu_debug_timer;
 
-static void pxa3xx_gcu_debug_timedout(unsigned long ptr)
+static void pxa3xx_gcu_debug_timedout(struct timer_list *unused)
 {
-	struct pxa3xx_gcu_priv *priv = (struct pxa3xx_gcu_priv *) ptr;
-
 	QERROR("Timer DUMP");
 
-	/* init the timer structure */
-	init_timer(&pxa3xx_gcu_debug_timer);
-	pxa3xx_gcu_debug_timer.function = pxa3xx_gcu_debug_timedout;
-	pxa3xx_gcu_debug_timer.data = ptr;
 	pxa3xx_gcu_debug_timer.expires = jiffies + 5*HZ; /* one second */
 
 	add_timer(&pxa3xx_gcu_debug_timer);
@@ -530,7 +524,9 @@ static void pxa3xx_gcu_debug_timedout(unsigned long ptr)
 
 static void pxa3xx_gcu_init_debug_timer(void)
 {
-	pxa3xx_gcu_debug_timedout((unsigned long) &pxa3xx_gcu_debug_timer);
+	/* init the timer structure */
+	timer_setup(&pxa3xx_gcu_debug_timer, pxa3xx_gcu_debug_timedout, 0);
+	pxa3xx_gcu_debug_timedout(NULL);
 }
 #else
 static inline void pxa3xx_gcu_init_debug_timer(void) {}
-- 
2.7.4


-- 
Kees Cook
Pixel Security

Re: [PATCH] video: fbdev: Convert timers to use timer_setup()

[Bartlomiej Zolnierkiewicz]

On Tuesday, October 24, 2017 08:20:26 AM Kees Cook wrote:

> diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c
> index 933619da1a94..e88447eac32c 100644
> --- a/drivers/video/fbdev/pxa3xx-gcu.c
> +++ b/drivers/video/fbdev/pxa3xx-gcu.c
> @@ -513,16 +513,10 @@ pxa3xx_gcu_mmap(struct file *file, struct vm_area_struct *vma)
>  #ifdef PXA3XX_GCU_DEBUG_TIMER
>  static struct timer_list pxa3xx_gcu_debug_timer;
>  
> -static void pxa3xx_gcu_debug_timedout(unsigned long ptr)
> +static void pxa3xx_gcu_debug_timedout(struct timer_list *unused)
>  {
> -	struct pxa3xx_gcu_priv *priv = (struct pxa3xx_gcu_priv *) ptr;
> -
>  	QERROR("Timer DUMP");

QERROR() macro is using priv so this code now fails to build.

[ Please compile these timer changes with PXA3XX_GCU_DEBUG and
  PXA3XX_GCU_DEBUG_TIMER defined. ]

Also please port your changes over fbdvev-for-next tree as
currently this patch doesn't apply (fbdev tree contains
"video: fbdev: pxa3xx_gcu: Use setup_timer and mod_timer"
cleanup).

> -	/* init the timer structure */
> -	init_timer(&pxa3xx_gcu_debug_timer);
> -	pxa3xx_gcu_debug_timer.function = pxa3xx_gcu_debug_timedout;
> -	pxa3xx_gcu_debug_timer.data = ptr;
>  	pxa3xx_gcu_debug_timer.expires = jiffies + 5*HZ; /* one second */
>  
>  	add_timer(&pxa3xx_gcu_debug_timer);
> @@ -530,7 +524,9 @@ static void pxa3xx_gcu_debug_timedout(unsigned long ptr)
>  
>  static void pxa3xx_gcu_init_debug_timer(void)
>  {
> -	pxa3xx_gcu_debug_timedout((unsigned long) &pxa3xx_gcu_debug_timer);
> +	/* init the timer structure */
> +	timer_setup(&pxa3xx_gcu_debug_timer, pxa3xx_gcu_debug_timedout, 0);
> +	pxa3xx_gcu_debug_timedout(NULL);
>  }
>  #else
>  static inline void pxa3xx_gcu_init_debug_timer(void) {}

Best regards,
--
Bartlomiej Zolnierkiewicz
Samsung R&D Institute Poland
Samsung Electronics

Re: [PATCH] video: fbdev: Convert timers to use timer_setup()

[Kees Cook]

On Thu, Nov 9, 2017 at 9:08 AM, Bartlomiej Zolnierkiewicz
<b.zolnierkie@samsung.com> wrote:
> On Tuesday, October 24, 2017 08:20:26 AM Kees Cook wrote:
>
>> diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c
>> index 933619da1a94..e88447eac32c 100644
>> --- a/drivers/video/fbdev/pxa3xx-gcu.c
>> +++ b/drivers/video/fbdev/pxa3xx-gcu.c
>> @@ -513,16 +513,10 @@ pxa3xx_gcu_mmap(struct file *file, struct vm_area_struct *vma)
>>  #ifdef PXA3XX_GCU_DEBUG_TIMER
>>  static struct timer_list pxa3xx_gcu_debug_timer;
>>
>> -static void pxa3xx_gcu_debug_timedout(unsigned long ptr)
>> +static void pxa3xx_gcu_debug_timedout(struct timer_list *unused)
>>  {
>> -     struct pxa3xx_gcu_priv *priv = (struct pxa3xx_gcu_priv *) ptr;
>> -
>>       QERROR("Timer DUMP");
>
> QERROR() macro is using priv so this code now fails to build.

Ah, yes, I see. However, in looking at this, I don't think it ever
worked. The existing code does:

static void pxa3xx_gcu_init_debug_timer(void)
{
        pxa3xx_gcu_debug_timedout((unsigned long) &pxa3xx_gcu_debug_timer);
}
...
static void pxa3xx_gcu_debug_timedout(unsigned long ptr)
{
        struct pxa3xx_gcu_priv *priv = (struct pxa3xx_gcu_priv *) ptr;

        QERROR("Timer DUMP");
...

But pxa3xx_gcu_debug_timer is not a struct pxa3xx_gcu_priv, so
QERROR() will be reporting garbage.

I will send a patch that fixes this and switches to timer_setup(),
though it might make more sense to just remove the debug timer
entirely.

> [ Please compile these timer changes with PXA3XX_GCU_DEBUG and
>   PXA3XX_GCU_DEBUG_TIMER defined. ]

Hm, these appear to be manual knobs? What do you think about wiring
these up to a Kconfig so build tests for things like "make
allmodconfig" would enable it? This would allow for much greater build
coverage.

> Also please port your changes over fbdvev-for-next tree as
> currently this patch doesn't apply (fbdev tree contains
> "video: fbdev: pxa3xx_gcu: Use setup_timer and mod_timer"
> cleanup).

Sure thing, thanks!

-Kees

-- 
Kees Cook
Pixel Security

Re: [PATCH] video: fbdev: Convert timers to use timer_setup()

[Bartlomiej Zolnierkiewicz]

On Thursday, November 09, 2017 10:40:13 AM Kees Cook wrote:
> On Thu, Nov 9, 2017 at 9:08 AM, Bartlomiej Zolnierkiewicz

[...]

> > [ Please compile these timer changes with PXA3XX_GCU_DEBUG and
> >   PXA3XX_GCU_DEBUG_TIMER defined. ]
> 
> Hm, these appear to be manual knobs? What do you think about wiring
> these up to a Kconfig so build tests for things like "make
> allmodconfig" would enable it? This would allow for much greater build
> coverage.

This is a good idea, care to send a patch?

Best regards,
--
Bartlomiej Zolnierkiewicz
Samsung R&D Institute Poland
Samsung Electronics

Re: video: fbdev: Convert timers to use timer_setup()

[Guenter Roeck]

On Tue, Oct 24, 2017 at 08:20:26AM -0700, Kees Cook wrote:
> In preparation for unconditionally passing the struct timer_list pointer to
> all timer callbacks, switch to using the new timer_setup() and from_timer()
> to pass the timer pointer explicitly. One tracking pointer was added, and
> one initialization was cleaned up.
> 
> Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
> Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
> Cc: David Lechner <david@lechnology.com>
> Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
> Cc: Sean Paul <seanpaul@chromium.org>
> Cc: Jean Delvare <jdelvare@suse.de>
> Cc: Hans de Goede <hdegoede@redhat.com>
> Cc: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
> Cc: linux-fbdev@vger.kernel.org
> Cc: dri-devel@lists.freedesktop.org
> Cc: linux-omap@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>

Hi Kees,

this patch causes a large number of qemu crashes.

Unable to handle kernel NULL pointer dereference at virtual address 00000194
pgd = c0004000
[00000194] *pgd\0000000
Internal error: Oops: 5 [#1] ARM
Modules linked in:
CPU: 0 PID: 0 Comm: swapper Not tainted 4.14.0-next-20171113 #1
Hardware name: ARM-Versatile (Device Tree Support)
task: c04df238 task.stack: c04da000
PC is at queue_work_on+0x1c/0x48
...
[<c00371b0>] (queue_work_on) from [<c01f5504>] (cursor_timer_handler+0x20/0x44)
[<c01f5504>] (cursor_timer_handler) from [<c005bedc>] (call_timer_fn+0x24/0xa0)
[<c005bedc>] (call_timer_fn) from [<c005bfd4>] (expire_timers+0x7c/0x8c)
[<c005bfd4>] (expire_timers) from [<c005c1ac>] (run_timer_softirq+0x88/0x184)
[<c005c1ac>] (run_timer_softirq) from [<c00095f0>] (__do_softirq+0xe0/0x238)
[<c00095f0>] (__do_softirq) from [<c0027634>] (irq_exit+0xb4/0xd0)
[<c0027634>] (irq_exit) from [<c0053b0c>] (__handle_domain_irq+0x50/0xa8)
[<c0053b0c>] (__handle_domain_irq) from [<c0009438>] (vic_handle_irq+0x54/0x94)
[<c0009438>] (vic_handle_irq) from [<c00197a8>] (__irq_svc+0x68/0x84)

See
http://kerneltests.org/builders/qemu-arm-next/builds/806/steps/qemubuildcommand/logs/stdio
for complete crash logs.

Reverting the patch fixes the problem.

Images for various other architectures crash as well in next-20171113,
but I didn't bisect those. It looks like there are additional (possibly irq
related) problems in the latest -next kernel; I don't know if those are
also related to timer changes.

Guenter

---
git bisect log:

# bad: [c348a99ee55feac43b5b62a5957c6d8e2b6c3abe] Add linux-next specific files for 20171113
# good: [bebc6082da0a9f5d47a1ea2edc099bf671058bd4] Linux 4.14
git bisect start 'HEAD' 'v4.14'
# bad: [ef01732397847b006e3a9147829739c490b8272c] Merge remote-tracking branch 'crypto/master'
git bisect bad ef01732397847b006e3a9147829739c490b8272c
# good: [16337aaf7b06176148e7007dc20e34cd1e634a0f] Merge remote-tracking branch 'v4l-dvb/master'
git bisect good 16337aaf7b06176148e7007dc20e34cd1e634a0f
# good: [2ae21cf527da0e5cf9d7ee14bd5b0909bb9d1a75] tcp: Namespace-ify sysctl_tcp_early_retrans
git bisect good 2ae21cf527da0e5cf9d7ee14bd5b0909bb9d1a75
# good: [fdae5f37a88caed9d2105f5a1ff609322f9e5416] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
git bisect good fdae5f37a88caed9d2105f5a1ff609322f9e5416
# bad: [01ff3f27ce88684a034bfad8fe5f5f99db04030e] Merge remote-tracking branch 'mac80211-next/master'
git bisect bad 01ff3f27ce88684a034bfad8fe5f5f99db04030e
# good: [e5b9855372a0f3d53d8e84b51d781a736e5b7e99] Merge branch 'device-properties' into linux-next
git bisect good e5b9855372a0f3d53d8e84b51d781a736e5b7e99
# bad: [1417face305e9e10f8e65216e9bcb7a74c4e42ff] Merge remote-tracking branch 'thermal/next'
git bisect bad 1417face305e9e10f8e65216e9bcb7a74c4e42ff
# bad: [e7528eca7b6e5b7d7d5b9dbcf39b31a535bfb32f] Merge remote-tracking branch 'pm/linux-next'
git bisect bad e7528eca7b6e5b7d7d5b9dbcf39b31a535bfb32f
# good: [ab798b908737e999e5d9bcebe972e9d5002583cc] video: fbdev: au1200fb: Style clean up
git bisect good ab798b908737e999e5d9bcebe972e9d5002583cc
# good: [0101f48ae50d700becafbbba2c57005174c54658] video: fbdev: aty: radeon_pm: mark expected switch fall-throughs
git bisect good 0101f48ae50d700becafbbba2c57005174c54658
# bad: [1fc1d27c1ab07a8830a0139f45508a49c6d71729] Merge remote-tracking branch 'fbdev/fbdev-for-next'
git bisect bad 1fc1d27c1ab07a8830a0139f45508a49c6d71729
# good: [ac831a379d34109451b3c41a44a20ee10ecb615f] fbdev: controlfb: Add missing modes to fix out of bounds access
git bisect good ac831a379d34109451b3c41a44a20ee10ecb615f
# bad: [6c78935777d12ead2d32adf3eb525a24faf02d04] video: fbdev: Convert timers to use timer_setup()
git bisect bad 6c78935777d12ead2d32adf3eb525a24faf02d04
# good: [e4a67df75a7b93b1bcddf576fa9122da2305dc8b] video: fbdev: pxa3xx_gcu: Convert timers to use timer_setup()
git bisect good e4a67df75a7b93b1bcddf576fa9122da2305dc8b
# first bad commit: [6c78935777d12ead2d32adf3eb525a24faf02d04] video: fbdev: Convert timers to use timer_setup()

Re: video: fbdev: Convert timers to use timer_setup()

[Kees Cook]

On Mon, Nov 13, 2017 at 5:45 PM, Guenter Roeck <linux@roeck-us.net> wrote:
> On Tue, Oct 24, 2017 at 08:20:26AM -0700, Kees Cook wrote:
>> In preparation for unconditionally passing the struct timer_list pointer to
>> all timer callbacks, switch to using the new timer_setup() and from_timer()
>> to pass the timer pointer explicitly. One tracking pointer was added, and
>> one initialization was cleaned up.
>>
>> Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
>> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
>> Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
>> Cc: David Lechner <david@lechnology.com>
>> Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
>> Cc: Sean Paul <seanpaul@chromium.org>
>> Cc: Jean Delvare <jdelvare@suse.de>
>> Cc: Hans de Goede <hdegoede@redhat.com>
>> Cc: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
>> Cc: linux-fbdev@vger.kernel.org
>> Cc: dri-devel@lists.freedesktop.org
>> Cc: linux-omap@vger.kernel.org
>> Signed-off-by: Kees Cook <keescook@chromium.org>
>
> Hi Kees,
>
> this patch causes a large number of qemu crashes.
>
> Unable to handle kernel NULL pointer dereference at virtual address 00000194
> pgd = c0004000
> [00000194] *pgd\0000000
> Internal error: Oops: 5 [#1] ARM
> Modules linked in:
> CPU: 0 PID: 0 Comm: swapper Not tainted 4.14.0-next-20171113 #1
> Hardware name: ARM-Versatile (Device Tree Support)
> task: c04df238 task.stack: c04da000
> PC is at queue_work_on+0x1c/0x48
> ...
> [<c00371b0>] (queue_work_on) from [<c01f5504>] (cursor_timer_handler+0x20/0x44)
> [<c01f5504>] (cursor_timer_handler) from [<c005bedc>] (call_timer_fn+0x24/0xa0)
> [<c005bedc>] (call_timer_fn) from [<c005bfd4>] (expire_timers+0x7c/0x8c)
> [<c005bfd4>] (expire_timers) from [<c005c1ac>] (run_timer_softirq+0x88/0x184)
> [<c005c1ac>] (run_timer_softirq) from [<c00095f0>] (__do_softirq+0xe0/0x238)
> [<c00095f0>] (__do_softirq) from [<c0027634>] (irq_exit+0xb4/0xd0)
> [<c0027634>] (irq_exit) from [<c0053b0c>] (__handle_domain_irq+0x50/0xa8)
> [<c0053b0c>] (__handle_domain_irq) from [<c0009438>] (vic_handle_irq+0x54/0x94)
> [<c0009438>] (vic_handle_irq) from [<c00197a8>] (__irq_svc+0x68/0x84)
>
> See
> http://kerneltests.org/builders/qemu-arm-next/builds/806/steps/qemubuildcommand/logs/stdio
> for complete crash logs.
>
> Reverting the patch fixes the problem.
>
> Images for various other architectures crash as well in next-20171113,
> but I didn't bisect those. It looks like there are additional (possibly irq
> related) problems in the latest -next kernel; I don't know if those are
> also related to timer changes.

I think this is already fixed here:
https://marc.info/?l=linux-fbdev&m\x151056635200583&w=2

If not, please let me know! :)

-Kees

-- 
Kees Cook
Pixel Security