From patchwork Tue Jun 8 08:55:12 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Rutland X-Patchwork-Id: 455762 Delivered-To: patch@linaro.org Received: by 2002:a02:735a:0:0:0:0:0 with SMTP id a26csp3478022jae; Tue, 8 Jun 2021 01:55:28 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxzPNmnQ1hC4tWctiwJHbIkGw+utS9fgMg1q0JtewFOeYKJtwcBe7yxayxdcxhu0doPRzmI X-Received: by 2002:a17:90a:fb51:: with SMTP id iq17mr13419192pjb.26.1623142528543; Tue, 08 Jun 2021 01:55:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1623142528; cv=none; d=google.com; s=arc-20160816; b=JvaemMfu1OFaMgzDymd4NVJxYg7YRaLfbAn5oGMfY+lV/OOcqZ8jlEh1U26o1dsHB5 l8fwUjpHQyJKQz6KpYvEwFCgCL8u9/kRS+7BZzYdfX0EY8PjRBPtDeC6zv9MWTZe2VWp /j9QEyNPhpkPfAR5++ue/m1QCoT93nOypDUCbxa5yl/kY8+OvInBmeR1KDaYUAiqHfz3 KZzuhXttTzRQSzIqxOaTBaYAQEWdRbVScm+jlRN/ZET9pykbVoYrTJgIBV2ogIPnReqJ en/XIy6w/4ic0TOlWQYg4fT4i1mwKjdi4iiNarHSAdrFU1h82PiyQoXluwtvOoh7qCaV 6HYQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:cc:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:message-id:date:subject:to:from :delivered-to; bh=daFUR0dP6rZHNQWFDiB6cccv65ELPV9BH94mfI67k7w=; b=BRjbg+OEJCEOf3BKQWz+1/JeMM0DSJJ8QNusK58hkA6qhFlRfm9swbVvwHLG3Qjk/6 DcyH+QRASv/mFj59nQRsd4cRZcEdAzATOIDcJLELsA/1NxhAJEJxbVmK2ngcDCt4C8qI FlvymIbB+7rYN22NjRrRVEMce9E7rxawvaTmXMlTlJKORv8kRiGpSq1M5YTE/Cf/71JL e9Qm3wV8YWDZLGqbCTIDBRkqMLHnHISE8HQuf4Z7wC6oF5RRHGImBrfVAn5NKaaRkC0L wLkHhaveeki5cWNyBXxivgfivaXLBJU7Irtyt/E2zbBdTVBwho443ExuqP9BNoHVn0AD ewbQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of dri-devel-bounces@lists.freedesktop.org designates 131.252.210.177 as permitted sender) smtp.mailfrom=dri-devel-bounces@lists.freedesktop.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from gabe.freedesktop.org (gabe.freedesktop.org. [131.252.210.177]) by mx.google.com with ESMTPS id k136si16710354pgc.155.2021.06.08.01.55.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 08 Jun 2021 01:55:28 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of dri-devel-bounces@lists.freedesktop.org designates 131.252.210.177 as permitted sender) client-ip=131.252.210.177; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of dri-devel-bounces@lists.freedesktop.org designates 131.252.210.177 as permitted sender) smtp.mailfrom=dri-devel-bounces@lists.freedesktop.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 573B26EB4E; Tue, 8 Jun 2021 08:55:27 +0000 (UTC) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by gabe.freedesktop.org (Postfix) with ESMTP id 5D4A86EB4E for ; Tue, 8 Jun 2021 08:55:25 +0000 (UTC) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 81184113E; Tue, 8 Jun 2021 01:55:24 -0700 (PDT) Received: from lakrids.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id CB4863F719; Tue, 8 Jun 2021 01:55:22 -0700 (PDT) From: Mark Rutland To: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org Subject: [PATCH] drm/vc4: fix vc4_atomic_commit_tail() logic Date: Tue, 8 Jun 2021 09:55:12 +0100 Message-Id: <20210608085513.2069-1-mark.rutland@arm.com> X-Mailer: git-send-email 2.11.0 X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Mark Rutland , Emma Anholt , Arnd Bergmann , David Airlie , Catalin Marinas , dri-devel@lists.freedesktop.org, Maxime Ripard , Will Deacon Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" In vc4_atomic_commit_tail() we iterate of the set of old CRTCs, and attempt to wait on any channels which are still in use. When we iterate over the CRTCs, we have: * `i` - the index of the CRTC * `channel` - the channel a CRTC is using When we check the channel state, we consult: old_hvs_state->fifo_state[channel].in_use ... but when we wait for the channel, we erroneously wait on: old_hvs_state->fifo_state[i].pending_commit ... rather than: old_hvs_state->fifo_state[channel].pending_commit ... and this bogus access has been observed to result in boot-time hangs on some arm64 configurations, and can be detected using KASAN. FIx this by using the correct index. I've tested this on a Raspberry Pi 3 model B v1.2 with KASAN. Trimmed KASAN splat: | ================================================================== | BUG: KASAN: slab-out-of-bounds in vc4_atomic_commit_tail+0x1cc/0x910 | Read of size 8 at addr ffff000007360440 by task kworker/u8:0/7 | CPU: 2 PID: 7 Comm: kworker/u8:0 Not tainted 5.13.0-rc3-00009-g694c523e7267 #3 | | Hardware name: Raspberry Pi 3 Model B (DT) | Workqueue: events_unbound deferred_probe_work_func | Call trace: | dump_backtrace+0x0/0x2b4 | show_stack+0x1c/0x30 | dump_stack+0xfc/0x168 | print_address_description.constprop.0+0x2c/0x2c0 | kasan_report+0x1dc/0x240 | __asan_load8+0x98/0xd4 | vc4_atomic_commit_tail+0x1cc/0x910 | commit_tail+0x100/0x210 | ... | | Allocated by task 7: | kasan_save_stack+0x2c/0x60 | __kasan_kmalloc+0x90/0xb4 | vc4_hvs_channels_duplicate_state+0x60/0x1a0 | drm_atomic_get_private_obj_state+0x144/0x230 | vc4_atomic_check+0x40/0x73c | drm_atomic_check_only+0x998/0xe60 | drm_atomic_commit+0x34/0x94 | drm_client_modeset_commit_atomic+0x2f4/0x3a0 | drm_client_modeset_commit_locked+0x8c/0x230 | drm_client_modeset_commit+0x38/0x60 | drm_fb_helper_set_par+0x104/0x17c | fbcon_init+0x43c/0x970 | visual_init+0x14c/0x1e4 | ... | | The buggy address belongs to the object at ffff000007360400 | which belongs to the cache kmalloc-128 of size 128 | The buggy address is located 64 bytes inside of | 128-byte region [ffff000007360400, ffff000007360480) | The buggy address belongs to the page: | page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7360 | flags: 0x3fffc0000000200(slab|node=0|zone=0|lastcpupid=0xffff) | raw: 03fffc0000000200 dead000000000100 dead000000000122 ffff000004c02300 | raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 | page dumped because: kasan: bad access detected | | Memory state around the buggy address: | ffff000007360300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb | ffff000007360380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc | >ffff000007360400: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc | ^ | ffff000007360480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc | ffff000007360500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb | ================================================================== Link: https://lore.kernel.org/r/4d0c8318-bad8-2be7-e292-fc8f70c198de@samsung.com Link: https://lore.kernel.org/linux-arm-kernel/20210607151740.moncryl5zv3ahq4s@gilmour Signed-off-by: Mark Rutland Reported-by: Marek Szyprowski Cc: Arnd Bergmann Cc: Catalin Marinas Cc: Daniel Vetter Cc: David Airlie Cc: Emma Anholt Cc: Maxime Ripard Cc: Will Deacon Cc: dri-devel@lists.freedesktop.org --- drivers/gpu/drm/vc4/vc4_kms.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.11.0 Acked-by: Arnd Bergmann Tested-by: Marek Szyprowski diff --git a/drivers/gpu/drm/vc4/vc4_kms.c b/drivers/gpu/drm/vc4/vc4_kms.c index bb5529a7a9c2..948b3a58aad1 100644 --- a/drivers/gpu/drm/vc4/vc4_kms.c +++ b/drivers/gpu/drm/vc4/vc4_kms.c @@ -372,7 +372,7 @@ static void vc4_atomic_commit_tail(struct drm_atomic_state *state) if (!old_hvs_state->fifo_state[channel].in_use) continue; - ret = drm_crtc_commit_wait(old_hvs_state->fifo_state[i].pending_commit); + ret = drm_crtc_commit_wait(old_hvs_state->fifo_state[channel].pending_commit); if (ret) drm_err(dev, "Timed out waiting for commit\n"); }