References: <20220201153354.11971-1-lukasz.bartosik@semihalf.com>
From: Łukasz Bartosik
Date: Tue, 23 Aug 2022 09:47:33 +0200
Subject: Re: [Intel-gfx] [PATCH v1] drm/i915: fix null pointer dereference
To: linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, Nathan Chancellor, keescook@chromium.org
Cc: Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, Tvrtko Ursulin, intel-gfx@lists.freedesktop.org, upstream@semihalf.com, llvm@lists.linux.dev

>
> Hi all,
>
> Apologies in advance if you see this twice. I did not see the original
> make it to either lore.kernel.org or the freedesktop.org archives so I
> figured it might have been sent into the void.
>
> On Tue, Feb 01, 2022 at 04:33:54PM +0100, Lukasz Bartosik wrote:
> > From: Łukasz Bartosik
> >
> > Asus chromebook CX550 crashes during boot on v5.17-rc1 kernel.
> > The root cause is null pointer dereference of bi_next
> > in tgl_get_bw_info() in drivers/gpu/drm/i915/display/intel_bw.c.
> >
> > BUG: kernel NULL pointer dereference, address: 000000000000002e
> > PGD 0 P4D 0
> > Oops: 0002 [#1] PREEMPT SMP NOPTI
> > CPU: 0 PID: 1 Comm: swapper/0 Tainted: G U 5.17.0-rc1
> > Hardware name: Google Delbin/Delbin, BIOS Google_Delbin.13672.156.3 05/14/2021
> > RIP: 0010:tgl_get_bw_info+0x2de/0x510
> > ...
> > [ 2.554467] Call Trace:
> > [ 2.554467]
> > [ 2.554467] intel_bw_init_hw+0x14a/0x434
> > [ 2.554467] ? _printk+0x59/0x73
> > [ 2.554467] ? _dev_err+0x77/0x91
> > [ 2.554467] i915_driver_hw_probe+0x329/0x33e
> > [ 2.554467] i915_driver_probe+0x4c8/0x638
> > [ 2.554467] i915_pci_probe+0xf8/0x14e
> > [ 2.554467] ? _raw_spin_unlock_irqrestore+0x12/0x2c
> > [ 2.554467] pci_device_probe+0xaa/0x142
> > [ 2.554467] really_probe+0x13f/0x2f4
> > [ 2.554467] __driver_probe_device+0x9e/0xd3
> > [ 2.554467] driver_probe_device+0x24/0x7c
> > [ 2.554467] __driver_attach+0xba/0xcf
> > [ 2.554467] ? driver_attach+0x1f/0x1f
> > [ 2.554467] bus_for_each_dev+0x8c/0xc0
> > [ 2.554467] bus_add_driver+0x11b/0x1f7
> > [ 2.554467] driver_register+0x60/0xea
> > [ 2.554467] ? mipi_dsi_bus_init+0x16/0x16
> > [ 2.554467] i915_init+0x2c/0xb9
> > [ 2.554467] ? mipi_dsi_bus_init+0x16/0x16
> > [ 2.554467] do_one_initcall+0x12e/0x2b3
> > [ 2.554467] do_initcall_level+0xd6/0xf3
> > [ 2.554467] do_initcalls+0x4e/0x79
> > [ 2.554467] kernel_init_freeable+0xed/0x14d
> > [ 2.554467] ? rest_init+0xc1/0xc1
> > [ 2.554467] kernel_init+0x1a/0x120
> > [ 2.554467] ret_from_fork+0x1f/0x30
> > [ 2.554467]
> > ...
> > Kernel panic - not syncing: Fatal exception
> >
> > Fixes: c64a9a7c05be ("drm/i915: Update memory bandwidth formulae")
> > Signed-off-by: Łukasz Bartosik
> > --- > > drivers/gpu/drm/i915/display/intel_bw.c | 16 +++++++++------- > > 1 file changed, 9 insertions(+), 7 deletions(-) > > > > diff --git a/drivers/gpu/drm/i915/display/intel_bw.c b/drivers/gpu/drm/= i915/display/intel_bw.c > > index 2da4aacc956b..bd0ed68b7faa 100644 > > --- a/drivers/gpu/drm/i915/display/intel_bw.c > > +++ b/drivers/gpu/drm/i915/display/intel_bw.c
> > @@ -404,15 +404,17 @@ static int tgl_get_bw_info(struct drm_i915_privat= e *dev_priv, const struct intel > > int clpchgroup; > > int j; > > > > - if (i < num_groups - 1) > > - bi_next =3D &dev_priv->max_bw[i + 1]; > > - > > clpchgroup =3D (sa->deburst * qi.deinterleave / num_chann= els) << i; > > > > - if (i < num_groups - 1 && clpchgroup < clperchgroup) > > - bi_next->num_planes =3D (ipqdepth - clpchgroup) /= clpchgroup + 1; > > - else > > - bi_next->num_planes =3D 0; > > + if (i < num_groups - 1) { > > + bi_next =3D &dev_priv->max_bw[i + 1]; > > + > > + if (clpchgroup < clperchgroup) > > + bi_next->num_planes =3D (ipqdepth - clpch= group) / > > + clpchgroup + 1; > > + else > > + bi_next->num_planes =3D 0; > > + } > > > > bi->num_qgv_points =3D qi.num_points; > > bi->num_psf_gv_points =3D qi.num_psf_points; > > -- > > 2.35.0.rc2.247.g8bbb082509-goog
> >
> >
>
> Was this patch ever applied or was the issue fixed in a different way?
> If CONFIG_INIT_STACK_ALL_ZERO is enabled (it is on by default when the
> compiler supports it), bi_next will be deterministically initialized to
> NULL, which means 'bi_next->num_planes = 0' will crash when the first if
> statement is not taken (i.e. 'i > num_groups - 1'). This was reported to
> us at [1] so it impacts real users (and I have been applying this change
> locally for six months). I see some discussion in this thread, was it
> ever resolved?
>
> [1]: https://github.com/ClangBuiltLinux/linux/issues/1626
>
> Cheers,
> Nathan

The patch was not accepted by upstream. I gave up after sending two reminders
that the issue is still present which resulted in no upstream reaction.
I have been also applying that patch locally for a few months.
Thanks for bringing it up to upstream attention again.
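
Review bot: In the quoted hunk for tgl_get_bw_info(), `bi_next` is now assigned and used only inside the new `if (i < num_groups - 1) {` block, so its declaration (not visible in the hunk) could move into that block as well; any later use outside the guard would then fail to compile instead of dereferencing an unassigned pointer, which is what the removed `else` branch did when it wrote `bi_next->num_planes = 0` on the last group. The commit message names the crash but not that path; stating that the fault is the `else` branch running when `i == num_groups - 1` would make the fix easier to verify. Separately, the division by `clpchgroup` is guarded only by `clpchgroup < clperchgroup`, which a zero `clpchgroup` would also satisfy whenever `clperchgroup` is positive, so it is worth confirming that the inputs to the `clpchgroup` computation rule that out.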