From patchwork Sun Jun  5 11:55:00 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Stefan Wahren <stefan.wahren@i2se.com>
X-Patchwork-Id: 9156457
Return-Path: <dri-devel-bounces@lists.freedesktop.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	12D0560221 for <patchwork-dri-devel@patchwork.kernel.org>;
	Sun,  5 Jun 2016 21:16:18 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 04127272AA
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Sun,  5 Jun 2016 21:16:18 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id ECF6928210; Sun,  5 Jun 2016 21:16:17 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED
	autolearn=ham version=3.3.1
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8AE1A272AA
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Sun,  5 Jun 2016 21:16:17 +0000 (UTC)
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
	by gabe.freedesktop.org (Postfix) with ESMTP id C32146E271;
	Sun,  5 Jun 2016 21:16:11 +0000 (UTC)
X-Original-To: dri-devel@lists.freedesktop.org
Delivered-To: dri-devel@lists.freedesktop.org
X-Greylist: delayed 306 seconds by postgrey-1.35 at gabe;
	Sun, 05 Jun 2016 12:00:17 UTC
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.133])
	by gabe.freedesktop.org (Postfix) with ESMTPS id D3A026E12C
	for <dri-devel@lists.freedesktop.org>;
	Sun,  5 Jun 2016 12:00:17 +0000 (UTC)
Received: from oxbaltgw08.schlund.de ([172.19.246.14]) by
	mrelayeu.kundenserver.de (mreue002) with ESMTPSA (Nemesis) id
	0LhoMU-1bnpHJ1b8s-00n9Qh; Sun, 05 Jun 2016 13:55:03 +0200
Date: Sun, 5 Jun 2016 13:55:00 +0200 (CEST)
From: Stefan Wahren <stefan.wahren@i2se.com>
To: Eric Anholt <eric@anholt.net>
Message-ID: 
 <1451308512.283673.a75e31a3-192b-4097-ab2b-b113563d70e6.open-xchange@email.1und1.de>
In-Reply-To: <878tyku240.fsf@eliezer.anholt.net>
References: 
 <216263505.261681.c2b71a89-24ac-4970-b99e-c80b6a2e1ba0.open-xchange@email.1und1.de>
	<878tyku240.fsf@eliezer.anholt.net>
Subject: Re: drm/vc4: NULL pointer dereference after failed to allocate
	buffer
MIME-Version: 1.0
X-Priority: 3
Importance: Medium
X-Mailer: Open-Xchange Mailer v7.8.0-Rev30
X-Originating-Client: open-xchange-appsuite
X-Provags-ID: V03:K0:bC/RLKiE4Wy8x1/E6K1HOxShLRrXkBufUN2ijVhV3Ls5viXtzK1
	6zYX6ked2t+29hTkfYv1BEbNkBiLCtnOJcCZe4AdsCosKsg0psfpTuFaU/3QwDrNT7zALVO
	dT8PSTVKjjY42wK+rGDfzlQ2o79FQWl/jiCEExZQPIi6+uhJGyXvV5SoU62hP/KGcKN8qt2
	O8nZUvSms3t8IcwuPdh/w==
X-UI-Out-Filterresults: notjunk:1; V01:K0:MRmcPHYar38=:Jwk0x4dr7HeWNR/NmKeZZI
	Dldx6Dby7U8Jg0H11aCtRf18O48s61RYakDJDmB2H1d3IFTi3j00e2wOT47K9WMmKy5J1OmsH
	qpdBxGw0lnKwZ3Wj30XRzllXabVKYjSkm2i1BquVR8FbGTAifYjsrac0tRGPT1s2hAsbTB0lL
	V9x1LynJMr93+ceR93s4qJgHb0nexviuwVPNGlTviMkvsNoQ/b7xJspCSXgo24gt2Iy2V8hia
	rSyCdfupivXB6S6Z9jPVIVp5h7kWbc/DOY7J/ydqnRrgWfJTd/cXt69oDsitTfRFYDIjHH96w
	rbGG6SQ/EfW8iNdFs31kd17VsnQgwui7Hqv+RGQ/Si52fYYqUznRjoD9zpBxLJMbjzxq0ZA4F
	qagwEukBEQ476zdc7gbDpO2znMpWOYMEjbhmvr63yIdKHRhhmA3QvQ5CbSNGyA5zbUlNdvzfK
	/F/U6D0wbVSgp1GN1+Toe9NeRFjXjw1XRYTz8ejmv3s8oBCHfBMQzhUsWJFjW7Sb896AjlW0q
	4QZ8193Ndl+5h45HPYVXUq6udrv2TpG8xRpILbCD553T6akL9gyjicBy5wkDs4fZ0SzArVppX
	Mun8uqL9yg5PCXkdKZFaP3Ukxgh0bXRIvgFHfeCkSU9RKsrh2mrITMDblH57mDxTthD02F+Bu
	xQ17TDFfzdXfCA+xckuWcSI17WaxeybVJ6w1Jak9OYAE56NlWebuETNKur3kP8IrtZ635koMx
	YVgSONPPBJQnrnfb
X-Mailman-Approved-At: Sun, 05 Jun 2016 21:13:44 +0000
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>, dri-devel@lists.freedesktop.org
X-BeenThere: dri-devel@lists.freedesktop.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Direct Rendering Infrastructure - Development
	<dri-devel.lists.freedesktop.org>
List-Unsubscribe: <https://lists.freedesktop.org/mailman/options/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <https://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <https://lists.freedesktop.org/mailman/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
X-Virus-Scanned: ClamAV using ClamSMTP

Hi Eric,

[add Daniel]

> Eric Anholt <eric@anholt.net> hat am 4. Juni 2016 um 22:32 geschrieben:
> 
> 
> Stefan Wahren <stefan.wahren@i2se.com> writes:
> 
> > Hi,
> >
> > i tried to boot 4.7.0-rc1-next-20160602 with bcm2835_defconfig on a
> > Raspberry Pi
> > B.
> >
> > Unfortunately it crashes with a NULL pointer dereference and many oops
> > following:
> > ...
> > [    2.209373] vc4-drm soc:gpu: bound 20902000.hdmi (ops vc4_hdmi_ops)
> > [    2.228303] vc4-drm soc:gpu: bound 20206000.pixelvalve (ops vc4_crtc_ops)
> > [    2.247681] vc4-drm soc:gpu: bound 20207000.pixelvalve (ops vc4_crtc_ops)
> > [    2.270300] vc4-drm soc:gpu: bound 20807000.pixelvalve (ops vc4_crtc_ops)
> > [    2.288902] vc4-drm soc:gpu: bound 20400000.hvs (ops vc4_hvs_ops)
> > [    2.307006] vc4-drm soc:gpu: bound 20c00000.v3d (ops vc4_v3d_ops)
> > [    2.325069] fb: switching to vc4drmfb from simple
> > [    2.341322] Console: switching to colour dummy device 80x30
> > [    2.350955] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
> > [    2.357821] [drm] No driver support for vblank timestamp query.
> > [    2.368495] mmc0: new SDHC card at address 1234
> > [    2.374284] mmcblk0: mmc0:1234 SA32G 29.3 GiB
> > [    2.381213]  mmcblk0: p1 p2
> > [    2.398018] vc4-drm soc:gpu: failed to allocate buffer with size 9216000
> > [    2.404912] Unable to handle kernel NULL pointer dereference at virtual
> > address 00000000
> > [    2.413070] pgd = c0004000
> > [    2.415856] [00000000] *pgd=00000000
> > [    2.419501] Internal error: Oops: 80000005 [#1] ARM
> > [    2.424425] CPU: 0 PID: 6 Comm: kworker/u2:0 Not tainted
> > 4.7.0-rc1-next-20160602+ #2
> > [    2.432214] Hardware name: BCM2835
> > [    2.435677] Workqueue: deferwq deferred_probe_work_func
> > [    2.440948] task: cb8957c0 ti: cb8b2000 task.ti: cb8b2000
> > [    2.446378] PC is at 0x0
> > [    2.448953] LR is at drm_gem_cma_create+0xf0/0x108
> 
> Figure out where in drm_gem_cma_create() you are?

It was the first call in the error path. I attached a patch which fixed the NULL
pointer dereference for me. But i think it's not a proper one and seems to be
related to 50cbc132460d ("drm: Use the driver's gem_object_free function from
CMA helpers.")

> -next kernels have
> been working for me on Pi 2s and 3s, and jumping to a NULL seems
> surprising for that function.

Sure they have enough memory but my Pi 1 has only 256 RAM. I didn't expect VC4
to work, but not a crash ;-)

Stefan

 EXPORT_SYMBOL_GPL(drm_gem_cma_create);

diff --git a/drivers/gpu/drm/drm_gem_cma_helper.c
b/drivers/gpu/drm/drm_gem_cma_helper.c
index e1ab008..91c19cc 100644
--- a/drivers/gpu/drm/drm_gem_cma_helper.c
+++ b/drivers/gpu/drm/drm_gem_cma_helper.c
@@ -121,7 +121,9 @@ struct drm_gem_cma_object *drm_gem_cma_create(struct
drm_device *drm,
 	return cma_obj;
 
 error:
-	drm->driver->gem_free_object(&cma_obj->base);
+	if (drm->driver->gem_free_object)
+		drm->driver->gem_free_object(&cma_obj->base);
+
 	return ERR_PTR(ret);
 }