Boris Brezillon <boris.brezillon@free-electrons.com> writes:

> When saving BOs in the hang state we skip one entry of the
> kernel_state->bo[] array, thus leaving it to NULL. This leads to a NULL
> pointer dereference when, later in this function, we iterate over all
> BOs to check their ->madv state.
>
> Fixes: ca26d28bbaa3 ("drm/vc4: improve throughput by pipelining binning and rendering jobs")
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
> ---
> Changes in v2:
> - Get rid of prev_idx an replace it by k which is indepently incremented
>   every time a new object is added to kernel_state->bo[].
> - Add a WARN_ON_ONCE() when final value of k is inconsistent

Reviewed and pushed to drm-misc-fixes back on Thursday.  Thanks!