Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp4171153pxj; Tue, 8 Jun 2021 08:05:14 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzxxEsofR8Vh7WJA4Kg7khJjOuUagXzqS3T+inbsTFeC1be5EE8H/xH6xK8wW+qk/OBJh3V X-Received: by 2002:a17:906:c1c5:: with SMTP id bw5mr23952546ejb.552.1623164714297; Tue, 08 Jun 2021 08:05:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1623164714; cv=none; d=google.com; s=arc-20160816; b=uj8SARpAwHLs03nBw3jiuTXOAk8xHs2Jm98w+tB/YVINtF3TMXF5FFB1rW3KAFXIqT 8p065dLbEuTUwAxjR8T0Fe983MfTciYOjSLvuFsAEElxgmSjhG4o9DL6Qs0WuxfbgzcN UYVjzgOXd7X8ZpNcbjN7aHHlMJi2vV1YSrN8lD2I2Ipf9Y8HGi7py4bwJfR2KrStIc9/ 1OJ7ihHQSK6IWFgNPKUYsVrrZ/rZ4hhLzUL/u+70YNKJS812YPtKvtc/J6yF5ywNdjcX RX9ywGGB3tw5aeuwtJmUkMgAqKok+QvdEGaaZEVDgwhDSwz19eWXM1nxT4HwWJRY/4Bb qacQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature :dkim-signature; bh=9uxUaFYZ+DQ2h7cod7sdDbU03oQ7ZNjk02RDTPiDk1g=; b=T188M8wxA18J/nj60XiYAPJAOIpcrtSabnXA+xIYyb/DuHwEqMV1+hMG2NgA0g8al6 Dq6Y3b5tCWtS7pwZLEAvM/vmHAKiHWWPxwb85Jivp3Rpa0n8F8YZ+XWdztHa+nsM0Btq lThwpWKciymfGtCGGVkTgEKVRfJET09JPF8FLlEwFiko4Jc3RUHoUgrUtRVsIDg2LWou KW/H12b1c9n7IRQyllBedYQElWzu/Wbb0ni8CTH4KVCRcshpoRoT/FJjSj724Aa9Mbak w7Z+2BmsXMSYssqcGjrwp7clQiwHdbUie/mTz+a+Y//rfoBUhB2eKwOoEI02CFzbuAP9 rS9A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@cerno.tech header.s=fm3 header.b=u1rkJw7D; dkim=pass header.i=@messagingengine.com header.s=fm3 header.b="j/U5ccdc"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cerno.tech Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b16si15543754ede.389.2021.06.08.08.04.49; Tue, 08 Jun 2021 08:05:14 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@cerno.tech header.s=fm3 header.b=u1rkJw7D; dkim=pass header.i=@messagingengine.com header.s=fm3 header.b="j/U5ccdc"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cerno.tech Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233710AbhFHPFH (ORCPT + 99 others); Tue, 8 Jun 2021 11:05:07 -0400 Received: from out5-smtp.messagingengine.com ([66.111.4.29]:56755 "EHLO out5-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231667AbhFHPFG (ORCPT ); Tue, 8 Jun 2021 11:05:06 -0400 Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id B64965C012E; Tue, 8 Jun 2021 11:03:13 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute6.internal (MEProxy); Tue, 08 Jun 2021 11:03:13 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cerno.tech; h= date:from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=fm3; bh=9uxUaFYZ+DQ2h7cod7sdDbU03oQ 7ZNjk02RDTPiDk1g=; b=u1rkJw7DK/Vi7SA9ePKcxrHelbyQudRRd1kqBGi3aGO eUmSqtCsHiEfay5TJR3xMkVB6PvpSFvVstQ3F+BtMHgCkvszXNqI8gwwVfQpQ675 tTQKdvX5iS4fIwTOMkpimQrcNeTqcpaukhf/xGm9LaY7Y+tPudwNDvuFfYOuAhMO 3Oj8fnrXybrYsb90+2twzMd0mIlkGjjPv1BBiBq2Is0bsEqOVM1kRLJYvMfkqBif zIbIn0m5Hue6IvWgc5HEvXOw30b23nw/S/Fe6CK1L0I2/irbLbluZrgSSM9epi2i nZ7ABuSMIvxHToI5d8qYd1hbo64vEuw0T7ESvep03Og== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=9uxUaF YZ+DQ2h7cod7sdDbU03oQ7ZNjk02RDTPiDk1g=; b=j/U5ccdc8x/hNkZPGZcWZi 7avkH36rK50w4VjKB9eiFzYcQJYhjD22WJTfK0h9JSw1Grj/sf5C1a5vvUI7YNyS W86kDV+zEixnV7+yeGYoOcjtMZbRefw5lKaeZQbJslX1jU2BqF9Ve+44HGfHjdqm g9JagBZiCN3kAz6c677rShZBjp3/q3ekToJxzxdKIFj6J2/ZvfYtLCAOmAyCV/F6 MObPT5XLGl6hST820I8jFH858kFzMyo06HhH54ED7XozDj3PYi+wKDGbflqmS4oR 7qq6plP5nQSKd+8q8+yWwfq/tg8FrHd3JTgihhrROs/j2gBO1yknPdSw952qKfcg == X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrfedtledgieekucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepfffhvffukfhfgggtuggjsehgtderredttddvnecuhfhrohhmpeforgigihhm vgcutfhiphgrrhguuceomhgrgihimhgvsegtvghrnhhordhtvggthheqnecuggftrfgrth htvghrnhepveevfeffudeviedtgeethffhteeuffetfeffvdehvedvheetteehvdelfffg jedvnecuffhomhgrihhnpehkvghrnhgvlhdrohhrghenucevlhhushhtvghrufhiiigvpe dtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmrgigihhmvgestggvrhhnohdrthgvtghh X-ME-Proxy: Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 8 Jun 2021 11:03:11 -0400 (EDT) Date: Tue, 8 Jun 2021 17:03:09 +0200 From: Maxime Ripard To: Mark Rutland Cc: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, Arnd Bergmann , Catalin Marinas , Daniel Vetter , David Airlie , Emma Anholt , Will Deacon , dri-devel@lists.freedesktop.org Subject: Re: [PATCH] drm/vc4: fix vc4_atomic_commit_tail() logic Message-ID: <20210608150309.ggoffedtwntkcoxz@gilmour> References: <20210608085513.2069-1-mark.rutland@arm.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="62jyrdut76dhr3o3" Content-Disposition: inline In-Reply-To: <20210608085513.2069-1-mark.rutland@arm.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --62jyrdut76dhr3o3 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi, On Tue, Jun 08, 2021 at 09:55:12AM +0100, Mark Rutland wrote: > In vc4_atomic_commit_tail() we iterate of the set of old CRTCs, and > attempt to wait on any channels which are still in use. When we iterate > over the CRTCs, we have: >=20 > * `i` - the index of the CRTC > * `channel` - the channel a CRTC is using >=20 > When we check the channel state, we consult: >=20 > old_hvs_state->fifo_state[channel].in_use >=20 > ... but when we wait for the channel, we erroneously wait on: >=20 > old_hvs_state->fifo_state[i].pending_commit >=20 > ... rather than: >=20 > old_hvs_state->fifo_state[channel].pending_commit >=20 > ... and this bogus access has been observed to result in boot-time hangs > on some arm64 configurations, and can be detected using KASAN. FIx this > by using the correct index. >=20 > I've tested this on a Raspberry Pi 3 model B v1.2 with KASAN. >=20 > Trimmed KASAN splat: >=20 > | =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > | BUG: KASAN: slab-out-of-bounds in vc4_atomic_commit_tail+0x1cc/0x910 > | Read of size 8 at addr ffff000007360440 by task kworker/u8:0/7 > | CPU: 2 PID: 7 Comm: kworker/u8:0 Not tainted 5.13.0-rc3-00009-g694c523e= 7267 #3 > | > | Hardware name: Raspberry Pi 3 Model B (DT) > | Workqueue: events_unbound deferred_probe_work_func > | Call trace: > | dump_backtrace+0x0/0x2b4 > | show_stack+0x1c/0x30 > | dump_stack+0xfc/0x168 > | print_address_description.constprop.0+0x2c/0x2c0 > | kasan_report+0x1dc/0x240 > | __asan_load8+0x98/0xd4 > | vc4_atomic_commit_tail+0x1cc/0x910 > | commit_tail+0x100/0x210 > | ... > | > | Allocated by task 7: > | kasan_save_stack+0x2c/0x60 > | __kasan_kmalloc+0x90/0xb4 > | vc4_hvs_channels_duplicate_state+0x60/0x1a0 > | drm_atomic_get_private_obj_state+0x144/0x230 > | vc4_atomic_check+0x40/0x73c > | drm_atomic_check_only+0x998/0xe60 > | drm_atomic_commit+0x34/0x94 > | drm_client_modeset_commit_atomic+0x2f4/0x3a0 > | drm_client_modeset_commit_locked+0x8c/0x230 > | drm_client_modeset_commit+0x38/0x60 > | drm_fb_helper_set_par+0x104/0x17c > | fbcon_init+0x43c/0x970 > | visual_init+0x14c/0x1e4 > | ... > | > | The buggy address belongs to the object at ffff000007360400 > | which belongs to the cache kmalloc-128 of size 128 > | The buggy address is located 64 bytes inside of > | 128-byte region [ffff000007360400, ffff000007360480) > | The buggy address belongs to the page: > | page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 in= dex:0x0 pfn:0x7360 > | flags: 0x3fffc0000000200(slab|node=3D0|zone=3D0|lastcpupid=3D0xffff) > | raw: 03fffc0000000200 dead000000000100 dead000000000122 ffff000004c02300 > | raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 > | page dumped because: kasan: bad access detected > | > | Memory state around the buggy address: > | ffff000007360300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > | ffff000007360380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > | >ffff000007360400: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc > | ^ > | ffff000007360480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > | ffff000007360500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > | =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D >=20 > Link: https://lore.kernel.org/r/4d0c8318-bad8-2be7-e292-fc8f70c198de@sams= ung.com > Link: https://lore.kernel.org/linux-arm-kernel/20210607151740.moncryl5zv3= ahq4s@gilmour > Signed-off-by: Mark Rutland > Reported-by: Marek Szyprowski > Cc: Arnd Bergmann > Cc: Catalin Marinas > Cc: Daniel Vetter > Cc: David Airlie > Cc: Emma Anholt > Cc: Maxime Ripard > Cc: Will Deacon > Cc: dri-devel@lists.freedesktop.org Applied, thanks! Maxime --62jyrdut76dhr3o3 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iHUEABYIAB0WIQRcEzekXsqa64kGDp7j7w1vZxhRxQUCYL+GrQAKCRDj7w1vZxhR xYjaAP99sIC/Te+afa4YPVj30ky5lhFJpF9/MrlMUmKIWa/JnAD+KjMNv0mKXWPZ JZz2Ue9Sdn7cbovemU6yOjEJoF2bDAM= =ZRlj -----END PGP SIGNATURE----- --62jyrdut76dhr3o3--