* [PATCH] drm/exynos: Check for NULL dereference of crtc
@ 2015-02-17 17:14 Charles Keepax
2015-03-06 13:13 ` Inki Dae
0 siblings, 1 reply; 4+ messages in thread
From: Charles Keepax @ 2015-02-17 17:14 UTC (permalink / raw)
To: inki.dae
Cc: jy0922.shim, sw0312.kim, kyungmin.park, airlied, kgene, dri-devel,
linux-samsung-soc, linux-kernel
The commit "drm/exynos: remove exynos_plane_dpms" (d9ea6256) removed the
use of the enabled flag, which means that the code may attempt to call
win_enable on a NULL crtc. This results in the following oops on
Arndale:
[ 1.673479] Unable to handle kernel NULL pointer dereference at virtual address 00000368
[ 1.681500] pgd = c0004000
[ 1.684154] [00000368] *pgd=00000000
[ 1.687713] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[ 1.693012] Modules linked in:
[ 1.696045] CPU: 1 PID: 1 Comm: swapper/0 Not tainted
3.19.0-07545-g57485fa #1907
[ 1.703524] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
(....)
[ 2.014803] [<c02f9cfc>] (exynos_plane_destroy) from [<c02e61b4>] (drm_mode_config_cleanup+0x168/0x20c)
[ 2.024178] [<c02e61b4>] (drm_mode_config_cleanup) from [<c02f66fc>] (exynos_drm_load+0xac/0x12c)
This patch adds in a check to ensure exynos_crtc is not NULL before it
is dereferenced.
Signed-off-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
---
drivers/gpu/drm/exynos/exynos_drm_plane.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/drivers/gpu/drm/exynos/exynos_drm_plane.c b/drivers/gpu/drm/exynos/exynos_drm_plane.c
index 2dfb847..78fc0a1 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_plane.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_plane.c
@@ -176,7 +176,7 @@ static int exynos_disable_plane(struct drm_plane *plane)
struct exynos_drm_plane *exynos_plane = to_exynos_plane(plane);
struct exynos_drm_crtc *exynos_crtc = to_exynos_crtc(plane->crtc);
- if (exynos_crtc->ops->win_disable)
+ if (exynos_crtc && exynos_crtc->ops->win_disable)
exynos_crtc->ops->win_disable(exynos_crtc,
exynos_plane->zpos);
--
1.7.2.5
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] drm/exynos: Check for NULL dereference of crtc
2015-02-17 17:14 [PATCH] drm/exynos: Check for NULL dereference of crtc Charles Keepax
@ 2015-03-06 13:13 ` Inki Dae
2015-03-06 14:04 ` Charles Keepax
0 siblings, 1 reply; 4+ messages in thread
From: Inki Dae @ 2015-03-06 13:13 UTC (permalink / raw)
To: Charles Keepax
Cc: jy0922.shim, sw0312.kim, kyungmin.park, airlied, kgene, dri-devel,
linux-samsung-soc, linux-kernel
On 2015년 02월 18일 02:14, Charles Keepax wrote:
> The commit "drm/exynos: remove exynos_plane_dpms" (d9ea6256) removed the
> use of the enabled flag, which means that the code may attempt to call
> win_enable on a NULL crtc. This results in the following oops on
Hmm... it's strange. plane->funcs->destroy() is called prior to
crtc->funcs->destroy() so it should be exynos_crtc is not NULL. However,
it seems there is any corner case we didn't catch up.
Applied.
Thanks,
Inki Dae
> Arndale:
>
> [ 1.673479] Unable to handle kernel NULL pointer dereference at virtual address 00000368
> [ 1.681500] pgd = c0004000
> [ 1.684154] [00000368] *pgd=00000000
> [ 1.687713] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
> [ 1.693012] Modules linked in:
> [ 1.696045] CPU: 1 PID: 1 Comm: swapper/0 Not tainted
> 3.19.0-07545-g57485fa #1907
> [ 1.703524] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
> (....)
> [ 2.014803] [<c02f9cfc>] (exynos_plane_destroy) from [<c02e61b4>] (drm_mode_config_cleanup+0x168/0x20c)
> [ 2.024178] [<c02e61b4>] (drm_mode_config_cleanup) from [<c02f66fc>] (exynos_drm_load+0xac/0x12c)
>
> This patch adds in a check to ensure exynos_crtc is not NULL before it
> is dereferenced.
>
> Signed-off-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
> ---
> drivers/gpu/drm/exynos/exynos_drm_plane.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/gpu/drm/exynos/exynos_drm_plane.c b/drivers/gpu/drm/exynos/exynos_drm_plane.c
> index 2dfb847..78fc0a1 100644
> --- a/drivers/gpu/drm/exynos/exynos_drm_plane.c
> +++ b/drivers/gpu/drm/exynos/exynos_drm_plane.c
> @@ -176,7 +176,7 @@ static int exynos_disable_plane(struct drm_plane *plane)
> struct exynos_drm_plane *exynos_plane = to_exynos_plane(plane);
> struct exynos_drm_crtc *exynos_crtc = to_exynos_crtc(plane->crtc);
>
> - if (exynos_crtc->ops->win_disable)
> + if (exynos_crtc && exynos_crtc->ops->win_disable)
> exynos_crtc->ops->win_disable(exynos_crtc,
> exynos_plane->zpos);
>
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] drm/exynos: Check for NULL dereference of crtc
2015-03-06 13:13 ` Inki Dae
@ 2015-03-06 14:04 ` Charles Keepax
2015-03-07 12:19 ` Inki Dae
0 siblings, 1 reply; 4+ messages in thread
From: Charles Keepax @ 2015-03-06 14:04 UTC (permalink / raw)
To: Inki Dae
Cc: jy0922.shim, sw0312.kim, kyungmin.park, airlied, kgene, dri-devel,
linux-samsung-soc, linux-kernel
On Fri, Mar 06, 2015 at 10:13:42PM +0900, Inki Dae wrote:
> On 2015년 02월 18일 02:14, Charles Keepax wrote:
> > The commit "drm/exynos: remove exynos_plane_dpms" (d9ea6256) removed the
> > use of the enabled flag, which means that the code may attempt to call
> > win_enable on a NULL crtc. This results in the following oops on
>
> Hmm... it's strange. plane->funcs->destroy() is called prior to
> crtc->funcs->destroy() so it should be exynos_crtc is not NULL. However,
> it seems there is any corner case we didn't catch up.
>
> Applied.
Thanks, it seems the offending path in an error path, looks like
Arndale is missing some required DT setting which causes
exynos_drm_load to fail:
[ 1.638109] of_graph_get_next_endpoint(): no port node found in /dp-controller@145B0000
[ 1.646424] exynos-drm exynos-drm: bound 14400000.fimd (ops fimd_component_ops)
[ 1.652704] /dp-controller@145B0000: could not find display-timings node
[ 1.659323] /dp-controller@145B0000: no timings specified
[ 1.664709] [drm:exynos_dp_bind] *ERROR* failed: of_get_videomode() : -22
[ 1.671485] exynos-drm exynos-drm: failed to bind 145b0000.dp-controller (ops exynos_dp_ops): -22
Which ends up calling exynos_plane_destroy as part of the clean up:
[ 1.698655] [<c0015db4>] (unwind_backtrace) from [<c00121cc>] (show_stack+0x20/0x24)
[ 1.706385] [<c00121cc>] (show_stack) from [<c0528230>] (dump_stack+0x78/0xc4)
[ 1.713588] [<c0528230>] (dump_stack) from [<c02f72ec>] (exynos_disable_plane+0x2c/0x60)
[ 1.721660] [<c02f72ec>] (exynos_disable_plane) from [<c02f733c>] (exynos_plane_destroy+0x1c/0x30)
[ 1.730605] [<c02f733c>] (exynos_plane_destroy) from [<c02e37c4>] (drm_mode_config_cleanup+0x168/0x20c)
[ 1.739982] [<c02e37c4>] (drm_mode_config_cleanup) from [<c02f3d18>] (exynos_drm_load+0xac/0x12c)
[ 1.748832] [<c02f3d18>] (exynos_drm_load) from [<c02dc074>] (drm_dev_register+0xb0/0x110)
[ 1.757075] [<c02dc074>] (drm_dev_register) from [<c02ddc88>] (drm_platform_init+0x50/0xe0)
[ 1.765405] [<c02ddc88>] (drm_platform_init) from [<c02f3a08>] (exynos_drm_bind+0x20/0x28)
[ 1.773655] [<c02f3a08>] (exynos_drm_bind) from [<c02fe664>] (try_to_bring_up_master.part.1+0xd8/0x114)
[ 1.783027] [<c02fe664>] (try_to_bring_up_master.part.1) from [<c02fe754>] (component_master_add_with_match+0xb4/0x134)
[ 1.793792] [<c02fe754>] (component_master_add_with_match) from [<c02f3e94>] (exynos_drm_platform_probe+0xfc/0x124)
[ 1.804207] [<c02f3e94>] (exynos_drm_platform_probe) from [<c0304a44>] (platform_drv_probe+0x58/0xb4)
[ 1.813411] [<c0304a44>] (platform_drv_probe) from [<c0302fa8>] (driver_probe_device+0x11c/0x23c)
[ 1.822261] [<c0302fa8>] (driver_probe_device) from [<c0303164>] (__driver_attach+0x9c/0xa0)
[ 1.830679] [<c0303164>] (__driver_attach) from [<c03014a0>] (bus_for_each_dev+0x64/0x98)
[ 1.838838] [<c03014a0>] (bus_for_each_dev) from [<c0302a4c>] (driver_attach+0x2c/0x30)
[ 1.846824] [<c0302a4c>] (driver_attach) from [<c030269c>] (bus_add_driver+0xe8/0x1e4)
[ 1.854722] [<c030269c>] (bus_add_driver) from [<c0303ad8>] (driver_register+0x88/0x104)
[ 1.862794] [<c0303ad8>] (driver_register) from [<c03048ac>] (__platform_driver_register+0x58/0x6c)
[ 1.871827] [<c03048ac>] (__platform_driver_register) from [<c02f3f84>] (exynos_drm_init+0xc8/0x124)
[ 1.880936] [<c02f3f84>] (exynos_drm_init) from [<c00089f4>] (do_one_initcall+0x90/0x1e0)
[ 1.889096] [<c00089f4>] (do_one_initcall) from [<c08b2e24>] (kernel_init_freeable+0x114/0x1e0)
[ 1.897779] [<c08b2e24>] (kernel_init_freeable) from [<c05235ac>] (kernel_init+0x18/0xfc)
[ 1.905934] [<c05235ac>] (kernel_init) from [<c000efa0>] (ret_from_fork+0x14/0x34)
Hope that helps some, afraid I am not really familiar enough with
the graphics stack to chase that down much more though.
Thanks,
Charles
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] drm/exynos: Check for NULL dereference of crtc
2015-03-06 14:04 ` Charles Keepax
@ 2015-03-07 12:19 ` Inki Dae
0 siblings, 0 replies; 4+ messages in thread
From: Inki Dae @ 2015-03-07 12:19 UTC (permalink / raw)
To: Charles Keepax
Cc: jy0922.shim, sw0312.kim, kyungmin.park, airlied, kgene, dri-devel,
linux-samsung-soc, linux-kernel
On 2015년 03월 06일 23:04, Charles Keepax wrote:
> On Fri, Mar 06, 2015 at 10:13:42PM +0900, Inki Dae wrote:
>> On 2015년 02월 18일 02:14, Charles Keepax wrote:
>>> The commit "drm/exynos: remove exynos_plane_dpms" (d9ea6256) removed the
>>> use of the enabled flag, which means that the code may attempt to call
>>> win_enable on a NULL crtc. This results in the following oops on
>>
>> Hmm... it's strange. plane->funcs->destroy() is called prior to
>> crtc->funcs->destroy() so it should be exynos_crtc is not NULL. However,
>> it seems there is any corner case we didn't catch up.
>>
>> Applied.
>
> Thanks, it seems the offending path in an error path, looks like
> Arndale is missing some required DT setting which causes
> exynos_drm_load to fail:
Right. With quick look, it seems that this issue is incurred because it
tried to access plane->crtc object to call win_disable callback of FIMD
driver before mode_set callback is called: plane->crtc would be set by
mode_set callback so if it has no pair of encoder and crtc then the
plane can never point a crtc object created by FIMD driver.
Thanks,
Inki Dae
>
> [ 1.638109] of_graph_get_next_endpoint(): no port node found in /dp-controller@145B0000
> [ 1.646424] exynos-drm exynos-drm: bound 14400000.fimd (ops fimd_component_ops)
> [ 1.652704] /dp-controller@145B0000: could not find display-timings node
> [ 1.659323] /dp-controller@145B0000: no timings specified
> [ 1.664709] [drm:exynos_dp_bind] *ERROR* failed: of_get_videomode() : -22
> [ 1.671485] exynos-drm exynos-drm: failed to bind 145b0000.dp-controller (ops exynos_dp_ops): -22
>
> Which ends up calling exynos_plane_destroy as part of the clean up:
>
> [ 1.698655] [<c0015db4>] (unwind_backtrace) from [<c00121cc>] (show_stack+0x20/0x24)
> [ 1.706385] [<c00121cc>] (show_stack) from [<c0528230>] (dump_stack+0x78/0xc4)
> [ 1.713588] [<c0528230>] (dump_stack) from [<c02f72ec>] (exynos_disable_plane+0x2c/0x60)
> [ 1.721660] [<c02f72ec>] (exynos_disable_plane) from [<c02f733c>] (exynos_plane_destroy+0x1c/0x30)
> [ 1.730605] [<c02f733c>] (exynos_plane_destroy) from [<c02e37c4>] (drm_mode_config_cleanup+0x168/0x20c)
> [ 1.739982] [<c02e37c4>] (drm_mode_config_cleanup) from [<c02f3d18>] (exynos_drm_load+0xac/0x12c)
> [ 1.748832] [<c02f3d18>] (exynos_drm_load) from [<c02dc074>] (drm_dev_register+0xb0/0x110)
> [ 1.757075] [<c02dc074>] (drm_dev_register) from [<c02ddc88>] (drm_platform_init+0x50/0xe0)
> [ 1.765405] [<c02ddc88>] (drm_platform_init) from [<c02f3a08>] (exynos_drm_bind+0x20/0x28)
> [ 1.773655] [<c02f3a08>] (exynos_drm_bind) from [<c02fe664>] (try_to_bring_up_master.part.1+0xd8/0x114)
> [ 1.783027] [<c02fe664>] (try_to_bring_up_master.part.1) from [<c02fe754>] (component_master_add_with_match+0xb4/0x134)
> [ 1.793792] [<c02fe754>] (component_master_add_with_match) from [<c02f3e94>] (exynos_drm_platform_probe+0xfc/0x124)
> [ 1.804207] [<c02f3e94>] (exynos_drm_platform_probe) from [<c0304a44>] (platform_drv_probe+0x58/0xb4)
> [ 1.813411] [<c0304a44>] (platform_drv_probe) from [<c0302fa8>] (driver_probe_device+0x11c/0x23c)
> [ 1.822261] [<c0302fa8>] (driver_probe_device) from [<c0303164>] (__driver_attach+0x9c/0xa0)
> [ 1.830679] [<c0303164>] (__driver_attach) from [<c03014a0>] (bus_for_each_dev+0x64/0x98)
> [ 1.838838] [<c03014a0>] (bus_for_each_dev) from [<c0302a4c>] (driver_attach+0x2c/0x30)
> [ 1.846824] [<c0302a4c>] (driver_attach) from [<c030269c>] (bus_add_driver+0xe8/0x1e4)
> [ 1.854722] [<c030269c>] (bus_add_driver) from [<c0303ad8>] (driver_register+0x88/0x104)
> [ 1.862794] [<c0303ad8>] (driver_register) from [<c03048ac>] (__platform_driver_register+0x58/0x6c)
> [ 1.871827] [<c03048ac>] (__platform_driver_register) from [<c02f3f84>] (exynos_drm_init+0xc8/0x124)
> [ 1.880936] [<c02f3f84>] (exynos_drm_init) from [<c00089f4>] (do_one_initcall+0x90/0x1e0)
> [ 1.889096] [<c00089f4>] (do_one_initcall) from [<c08b2e24>] (kernel_init_freeable+0x114/0x1e0)
> [ 1.897779] [<c08b2e24>] (kernel_init_freeable) from [<c05235ac>] (kernel_init+0x18/0xfc)
> [ 1.905934] [<c05235ac>] (kernel_init) from [<c000efa0>] (ret_from_fork+0x14/0x34)
>
> Hope that helps some, afraid I am not really familiar enough with
> the graphics stack to chase that down much more though.
>
> Thanks,
> Charles
> --
> To unsubscribe from this list: send the line "unsubscribe linux-samsung-soc" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-03-07 12:19 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-02-17 17:14 [PATCH] drm/exynos: Check for NULL dereference of crtc Charles Keepax
2015-03-06 13:13 ` Inki Dae
2015-03-06 14:04 ` Charles Keepax
2015-03-07 12:19 ` Inki Dae
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).