From: yezengruan <yezengruan@huawei.com>
To: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"dri-devel@lists.freedesktop.org"
	<dri-devel@lists.freedesktop.org>,
	"linux-fbdev@vger.kernel.org" <linux-fbdev@vger.kernel.org>,
	"b.zolnierkie@samsung.com" <b.zolnierkie@samsung.com>,
	"hdegoede@redhat.com" <hdegoede@redhat.com>,
	"daniel.vetter@ffwll.ch" <daniel.vetter@ffwll.ch>,
	"gustavo@padovan.org" <gustavo@padovan.org>,
	"maarten.lankhorst@linux.intel.com"
	<maarten.lankhorst@linux.intel.com>,
	"sean@poorly.run" <sean@poorly.run>,
	"airlied@linux.ie" <airlied@linux.ie>,
	"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
	"nicolas.pitre@linaro.org" <nicolas.pitre@linaro.org>,
	"kilobyte@angband.pl" <kilobyte@angband.pl>
Cc: "Wanghaibin (D)" <wanghaibin.wang@huawei.com>
Subject: [BUG REPORT] Panic with sys_imageblit on arm64
Date: Tue, 27 Nov 2018 08:25:33 +0000
Message-ID: <EA71F1939A4E2F4996635D61949EB5BB01BB092B@DGGEMI530-MBX.china.huawei.com>


Hi all,

When I ran linux-4.19.2 on arm64, I got a panic in sys_imageblit. My test steps are as follows:
1) Remote login using BMC;
2) Enter a bunch of 'Enter' keys;
3) Execute the 'top' command and continuously press shift + page up several times.

This gives the following panic on the serial console:

[47229.923256] Unable to handle kernel paging request at virtual address ffff00002f0bc010
[47229.923258] Mem abort info:
[47229.923259]   ESR = 0x96000047
[47229.923261]   Exception class = DABT (current EL), IL = 32 bits
[47229.923262]   SET = 0, FnV = 0
[47229.923263]   EA = 0, S1PTW = 0
[47229.923263] Data abort info:
[47229.923265]   ISV = 0, ISS = 0x00000047
[47229.923265]   CM = 0, WnR = 1
[47229.923269] swapper pgtable: 4k pages, 48-bit VAs, pgdp = 00000000ea9a862f
[47229.923270] [ffff00002f0bc010] pgd=000000dffbffe803, pud=000000dffbffd803, pmd=000000bf758ee003, pte=0000000000000000
[47229.923279] Internal error: Oops: 96000047 [#1] SMP
[47229.923285] CPU: 45 PID: 16061 Comm: top Kdump: loaded Tainted: G           OE     4.19.2-1.1.23.aarch64 #1
[47229.923286] Hardware name: Huawei Taishan 2280 /BC11SPCD, BIOS 1.46 03/29/2018
[47229.923288] pstate: 80000005 (Nzcv daif -PAN -UAO)
[47229.923295] pc : sys_imageblit+0x414/0x1000 [sysimgblt]
[47229.923317] lr : drm_fb_helper_sys_imageblit+0x28/0x50 [drm_kms_helper]
[47229.923318] sp : ffff00002f6d3820
[47229.923319] x29: ffff00002f6d3820 x28: 00000000000000ff
[47229.923322] x27: 0000000000000010 x26: 0000000000000001
[47229.923325] x25: 0000000000000118 x24: 0000000000000008
[47229.923327] x23: ffff805f771db800 x22: 0000000000000000
[47229.923330] x21: ffff00002f6d3958 x20: ffff00002f0bc010
[47229.923332] x19: 0000000000000000 x18: 0000000000000000
[47229.923335] x17: 0000000000000000 x16: 0000000000000000
[47229.923337] x15: 0000000000000000 x14: 2020202020202020
[47229.923339] x13: 2020202064686374 x12: ffff805f77927360
[47229.923342] x11: ffff000000f54078 x10: 0000000000000023
[47229.923344] x9 : 000000000000000f x8 : 0000000000000003
[47229.923346] x7 : 000000000000008c x6 : 0000000000000002
[47229.923349] x5 : 0000000000000000 x4 : 00000000ad55ad55
[47229.923352] x3 : ffff805f77927360 x2 : 0000000000000000
[47229.923354] x1 : 0000000000000006 x0 : 0000000000000000
[47229.923357] Process top (pid: 16061, stack limit = 0x00000000d490d156)
[47229.923359] Call trace:
[47229.923363]  sys_imageblit+0x414/0x1000 [sysimgblt]
[47229.923373]  drm_fb_helper_sys_imageblit+0x28/0x50 [drm_kms_helper]
[47229.923387]  bit_putcs+0x29c/0x4a0
[47229.923391]  fbcon_putcs+0x110/0x148
[47229.923397]  do_update_region+0x138/0x1d8
[47229.923399]  do_con_trol+0xb44/0x13e0
[47229.923400]  do_con_write.part.29+0x1d0/0x8f0
[47229.923402]  con_write+0x70/0x78
[47229.923405]  n_tty_write+0x1a8/0x428
[47229.923407]  tty_write+0x1bc/0x2f0
[47229.923412]  __vfs_write+0x60/0x1a8
[47229.923414]  vfs_write+0xb0/0x1a8
[47229.923416]  ksys_write+0x6c/0xd8
[47229.923418]  __arm64_sys_write+0x28/0x38
[47229.923424]  el0_svc_common+0xb8/0x118
[47229.923426]  el0_svc_handler+0x38/0x88
[47229.923429]  el0_svc+0x8/0xc
[47229.923431] Code: 0a080000 b8605960 0a000080 4a050000 (b8227a80)
[47229.923436] [kbox] die event detected

I followed the same test steps and found the same problem in linux-4.20.0-rc3.
In the test I found that if the variable bitstart in function sys_imageblit is greater than variable p->screen_size - 1, the kernel will panic.
The following patch seems to work fine in my test:

diff --git a/drivers/video/fbdev/core/sysimgblt.c b/drivers/video/fbdev/core/sysimgblt.c
index a4d05b1..b316404 100644
--- a/drivers/video/fbdev/core/sysimgblt.c
+++ b/drivers/video/fbdev/core/sysimgblt.c
@@ -254,6 +254,9 @@ void sys_imageblit(struct fb_info *p, const struct fb_image *image)

        bitstart /= 8;
        bitstart &= ~(bpl - 1);
+ if (p->screen_size - 1 < bitstart)
+         return;
+
        dst1 = (void __force *)p->screen_base + bitstart;

        if (p->fbops->fb_sync)
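
Review bot: The new check `if (p->screen_size - 1 < bitstart)` only validates the starting offset, so a blit whose first byte lies inside the buffer but whose remaining rows extend past `p->screen_size` would still write out of bounds through `dst1`; the bound should cover the end of the region being written, not just `bitstart`. Writing the test as `bitstart >= p->screen_size` avoids the wrap-around of `p->screen_size - 1` when `screen_size` is 0, and that case needs an explicit decision (skip the check or reject the blit). Returning silently also hides how the caller arrived at an out-of-range offset: the call trace goes through bit_putcs and fbcon_putcs, so the changelog should say whether the coordinates ought to be corrected there instead. The added `if` line is indented with a single space while the surrounding lines use a wider indent, so the patch looks whitespace-damaged and will likely need to be resent as plain text.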

So please CC me directly on any reply.

Many thanks,

Zengruan.

