* [PATCH 1/2] drm/msm: Fix null dereference in _msm_gem_new
@ 2020-12-28 21:31 Iskren Chernev
2020-12-28 21:31 ` [PATCH 2/2] drm/msm: Ensure get_pages is called when locked Iskren Chernev
2021-03-01 19:59 ` [PATCH 1/2] drm/msm: Fix null dereference in _msm_gem_new patchwork-bot+linux-arm-msm
0 siblings, 2 replies; 3+ messages in thread
From: Iskren Chernev @ 2020-12-28 21:31 UTC (permalink / raw)
To: Rob Clark
Cc: Sean Paul, David Airlie, Daniel Vetter, Kristian H . Kristensen,
linux-arm-msm, dri-devel, freedreno, linux-kernel,
~postmarketos/upstreaming, Iskren Chernev
The crash was caused by locking an uninitialized lock during init of
drm_gem_object. The lock changed in the breaking commit, but the init
was not moved accordingly.
8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 00000000
pgd = (ptrval)
[00000000] *pgd=00000000
Internal error: Oops: 5 [#1] PREEMPT SMP ARM
Modules linked in: msm(+) qcom_spmi_vadc qcom_vadc_common dm_mod usb_f_rndis rmi_i2c rmi_core qnoc_msm8974 icc_smd_rpm pm8941_pwrkey
CPU: 2 PID: 1020 Comm: udevd Not tainted 5.10.0-postmarketos-qcom-msm8974 #8
Hardware name: Generic DT based system
PC is at ww_mutex_lock+0x20/0xb0
LR is at _msm_gem_new+0x13c/0x298 [msm]
pc : [<c0be31e8>] lr : [<bf0b3404>] psr: 20000013
sp : c36e7ad0 ip : c3b3d800 fp : 00000000
r10: 00000001 r9 : c3b22800 r8 : 00000000
r7 : c3b23000 r6 : c3b3d600 r5 : c3b3d600 r4 : 00000000
r3 : c34b4780 r2 : c3b3d6f4 r1 : 00000000 r0 : 00000000
Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
Control: 10c5787d Table: 03ae406a DAC: 00000051
Process udevd (pid: 1020, stack limit = 0x(ptrval))
Stack: (0xc36e7ad0 to 0xc36e8000)
[...]
[<c0be31e8>] (ww_mutex_lock) from [<bf0b3404>] (_msm_gem_new+0x13c/0x298 [msm])
[<bf0b3404>] (_msm_gem_new [msm]) from [<bf0b3aa8>] (_msm_gem_kernel_new+0x20/0x190 [msm])
[<bf0b3aa8>] (_msm_gem_kernel_new [msm]) from [<bf0b4a30>] (msm_gem_kernel_new+0x24/0x2c [msm])
[<bf0b4a30>] (msm_gem_kernel_new [msm]) from [<bf0b8e2c>] (msm_gpu_init+0x308/0x548 [msm])
[<bf0b8e2c>] (msm_gpu_init [msm]) from [<bf060a90>] (adreno_gpu_init+0x13c/0x240 [msm])
[<bf060a90>] (adreno_gpu_init [msm]) from [<bf062b1c>] (a3xx_gpu_init+0x78/0x1dc [msm])
[<bf062b1c>] (a3xx_gpu_init [msm]) from [<bf05f394>] (adreno_bind+0x1cc/0x274 [msm])
[<bf05f394>] (adreno_bind [msm]) from [<c087a254>] (component_bind_all+0x11c/0x278)
[<c087a254>] (component_bind_all) from [<bf0b11d4>] (msm_drm_bind+0x18c/0x5b4 [msm])
[<bf0b11d4>] (msm_drm_bind [msm]) from [<c0879ea0>] (try_to_bring_up_master+0x200/0x2c8)
[<c0879ea0>] (try_to_bring_up_master) from [<c087a648>] (component_master_add_with_match+0xc8/0xfc)
[<c087a648>] (component_master_add_with_match) from [<bf0b0c3c>] (msm_pdev_probe+0x288/0x2c4 [msm])
[<bf0b0c3c>] (msm_pdev_probe [msm]) from [<c08844cc>] (platform_drv_probe+0x48/0x98)
[<c08844cc>] (platform_drv_probe) from [<c0881cc4>] (really_probe+0x108/0x528)
[<c0881cc4>] (really_probe) from [<c0882480>] (driver_probe_device+0x78/0x1d4)
[<c0882480>] (driver_probe_device) from [<c08828dc>] (device_driver_attach+0xa8/0xb0)
[<c08828dc>] (device_driver_attach) from [<c0882998>] (__driver_attach+0xb4/0x154)
[<c0882998>] (__driver_attach) from [<c087fa1c>] (bus_for_each_dev+0x78/0xb8)
[<c087fa1c>] (bus_for_each_dev) from [<c0880e98>] (bus_add_driver+0x10c/0x208)
[<c0880e98>] (bus_add_driver) from [<c0883504>] (driver_register+0x88/0x118)
[<c0883504>] (driver_register) from [<c0302098>] (do_one_initcall+0x50/0x2b0)
[<c0302098>] (do_one_initcall) from [<c03bace4>] (do_init_module+0x60/0x288)
[<c03bace4>] (do_init_module) from [<c03bdf1c>] (sys_finit_module+0xd4/0x120)
[<c03bdf1c>] (sys_finit_module) from [<c0300060>] (ret_fast_syscall+0x0/0x54)
Exception stack(0xc36e7fa8 to 0xc36e7ff0)
7fa0: 00020000 00000000 00000007 b6edd5b0 00000000 b6f2ff20
7fc0: 00020000 00000000 0000017b 0000017b b6eef980 bedc3a54 00473c99 00000000
7fe0: b6edd5b0 bedc3918 b6ed8a5f b6f6a8b0
Code: e3c3303f e593300c e1a04000 f590f000 (e1940f9f)
---[ end trace 277e2a3da40bbb76 ]---
Fixes: 6c0e3ea250476 ("drm/msm/gem: Switch over to obj->resv for locking")
Signed-off-by: Iskren Chernev <iskren.chernev@gmail.com>
---
drivers/gpu/drm/msm/msm_gem.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c
index 32d5c514e28ad..c658deb31eb5d 100644
--- a/drivers/gpu/drm/msm/msm_gem.c
+++ b/drivers/gpu/drm/msm/msm_gem.c
@@ -1116,6 +1116,8 @@ static struct drm_gem_object *_msm_gem_new(struct drm_device *dev,
struct msm_gem_vma *vma;
struct page **pages;
+ drm_gem_private_object_init(dev, obj, size);
+
msm_gem_lock(obj);
vma = add_vma(obj, NULL);
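Review bot: the new drm_gem_private_object_init() call ahead of msm_gem_lock(obj) carries an ordering requirement that nothing in the code states. The commit message and the Fixes: subject say the lock now lives in obj->resv and was being taken before the object was initialized, so a one-line comment above the call (for example "must run before msm_gem_lock(), which locks obj->resv") would keep a later cleanup from moving the init back below the lock and reintroducing the ww_mutex_lock oops quoted above.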
@@ -1127,7 +1129,6 @@ static struct drm_gem_object *_msm_gem_new(struct drm_device *dev,
to_msm_bo(obj)->vram_node = &vma->node;
- drm_gem_private_object_init(dev, obj, size);
pages = get_pages(obj);
if (IS_ERR(pages)) {
base-commit: d7a03a44a5e93f39ece70ec75d25c6088caa0fdb
--
2.29.2
* [PATCH 2/2] drm/msm: Ensure get_pages is called when locked
From: Iskren Chernev @ 2020-12-28 21:31 UTC (permalink / raw)
To: Rob Clark
Cc: Sean Paul, David Airlie, Daniel Vetter, Kristian H . Kristensen,
linux-arm-msm, dri-devel, freedreno, linux-kernel,
~postmarketos/upstreaming, Iskren Chernev
get_pages is only called in a locked context. Add a WARN_ON to make sure
it stays that way.
Signed-off-by: Iskren Chernev <iskren.chernev@gmail.com>
---
drivers/gpu/drm/msm/msm_gem.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c
index c658deb31eb5d..9d10739c4eb2d 100644
--- a/drivers/gpu/drm/msm/msm_gem.c
+++ b/drivers/gpu/drm/msm/msm_gem.c
@@ -96,6 +96,8 @@ static struct page **get_pages(struct drm_gem_object *obj)
{
struct msm_gem_object *msm_obj = to_msm_bo(obj);
+ WARN_ON(!msm_gem_is_locked(obj));
+
if (!msm_obj->pages) {
struct drm_device *dev = obj->dev;
struct page **p;
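Review bot: WARN_ON(!msm_gem_is_locked(obj)) at the top of get_pages() prints a full backtrace on every unlocked call and, on systems running with panic_on_warn set, turns a missed lock into a panic. If this is meant as a development-time invariant check, WARN_ON_ONCE() or a lockdep-style held-lock assertion would give the same signal with less log noise. Note also that execution continues into the "if (!msm_obj->pages)" path after the warning, so the unlocked access still happens; if that is unsafe, returning an ERR_PTR here would be the stricter choice.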
@@ -1129,8 +1131,9 @@ static struct drm_gem_object *_msm_gem_new(struct drm_device *dev,
to_msm_bo(obj)->vram_node = &vma->node;
-
+ msm_gem_lock(obj);
pages = get_pages(obj);
+ msm_gem_unlock(obj);
if (IS_ERR(pages)) {
ret = PTR_ERR(pages);
goto fail;
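Review bot: the added msm_gem_lock(obj)/msm_gem_unlock(obj) pair around get_pages(obj) in _msm_gem_new is a behavioural fix, not just a guard, and the commit message does not say so. The message states that get_pages "is only called in a locked context", yet this hunk exists because this call site was not locked; please describe that in the changelog and consider a Fixes: tag, otherwise a backport of 1/2 alone (which does carry Fixes:) leaves this call unlocked. Since 1/2 shows the same object being locked a few lines earlier for add_vma(), it is also worth checking whether one lock section could cover both calls instead of locking twice, keeping the unlock ahead of the IS_ERR(pages) "goto fail" as done here.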
--
2.29.2
* Re: [PATCH 1/2] drm/msm: Fix null dereference in _msm_gem_new
From: patchwork-bot+linux-arm-msm @ 2021-03-01 19:59 UTC (permalink / raw)
To: Iskren Chernev; +Cc: linux-arm-msm
Hello:
This series was applied to qcom/linux.git (refs/heads/for-next):
On Mon, 28 Dec 2020 23:31:30 +0200 you wrote:
> The crash was caused by locking an uninitialized lock during init of
> drm_gem_object. The lock changed in the breaking commit, but the init
> was not moved accordingly.
>
> [...]
Here is the summary with links:
- [1/2] drm/msm: Fix null dereference in _msm_gem_new
https://git.kernel.org/qcom/c/a694ffed8765
- [2/2] drm/msm: Ensure get_pages is called when locked
https://git.kernel.org/qcom/c/07fcad0d726d
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html