[BUG] rockpro64-v2: NULL pointer dereference when booting

Alexandru Elisei alexandru.elisei at arm.com
Mon Jan 24 03:51:48 PST 2022 

Hi,

When booting a rockpro64-v2 with a kernel built from commit dd81e1c7d5fb
("Merge tag 'powerpc-5.17-2' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux"),
which was the latest commit when ran the tests, I encounter a NULL pointer
dereference:

[..]
[    0.000000] Kernel command line: root=PARTUUID=7f4aab92-69d8-47f3-be10-624da40a71f9 rw earlycon rootwait
[..]
[    3.396944] hub 7-0:1.0: USB hub found
[    3.397575] hub 7-0:1.0: 1 port detected
[    3.406086] ohci-platform fe3e0000.usb: Generic Platform OHCI controller
[    3.406932] ohci-platform fe3e0000.usb: new USB bus registered, assigned bus number 8
[    3.408530] ohci-platform fe3e0000.usb: irq 38, io mem 0xfe3e0000
[    3.476869] hub 8-0:1.0: USB hub found
[    3.477501] hub 8-0:1.0: 1 port detected
[    3.483278] rk808 0-001b: chip id: 0x0
[    3.498495] random: fast init done
[    3.509322] rk808-regulator rk808-regulator: there is no dvs0 gpio
[    3.510143] rk808-regulator rk808-regulator: there is no dvs1 gpio
[    3.569278] OF: graph: no port node found in /i2c at ff3d0000/typec-portc at 22
[    3.573471] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[    3.574466] Mem abort info:
[    3.574800]   ESR = 0x96000004
[    3.575163]   EC = 0x25: DABT (current EL), IL = 32 bits
[    3.575770]   SET = 0, FnV = 0
[    3.576204]   EA = 0, S1PTW = 0
[    3.576580]   FSC = 0x04: level 0 translation fault
[    3.577140] Data abort info:
[    3.577482]   ISV = 0, ISS = 0x00000004
[    3.577927]   CM = 0, WnR = 0
[    3.578279] [0000000000000000] user address but active_mm is swapper
[    3.579065] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[    3.579586] Modules linked in:
[    3.579880] CPU: 5 PID: 7 Comm: kworker/u12:0 Not tainted 5.16.0-rc6-00081-g730b49aac426 #244
[    3.580667] Hardware name: Pine64 RockPro64 v2.0 (DT)
[    3.581135] Workqueue: events_unbound deferred_probe_work_func
[    3.581689] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[    3.582335] pc : component_master_add_with_match+0x20/0xfc
[    3.582850] lr : typec_link_ports+0x58/0x8c
[    3.583244] sp : ffff800013093980
[    3.583553] x29: ffff800013093980 x28: ffff80001212b000 x27: ffff00000041d00d
[    3.584223] x26: ffff0000063e85e0 x25: ffff800012fcb290 x24: ffff000001386820
[    3.584891] x23: ffff000006c2e808 x22: ffff800011416670 x21: ffff000006c2e808
[    3.585558] x20: 0000000000000000 x19: ffff000006c2e800 x18: ffffffffffffffff
[    3.586224] x17: 000000040044ffff x16: 00400034b5503510 x15: 0000000000005ff9
[    3.586890] x14: 0000000000000000 x13: 0000000000000003 x12: ffff0000063e8080
[    3.587557] x11: 0000000000000005 x10: ffff800012c13a60 x9 : 0000000000000000
[    3.588224] x8 : 0000200000000000 x7 : 0000000000000038 x6 : 000000000000004b
[    3.588892] x5 : 0000000000000000 x4 : ffff000000711800 x3 : ffff800010cd6390
[    3.589558] x2 : 0000000000000000 x1 : ffff800011416670 x0 : ffff000006c2e808
[    3.590224] Call trace:
[    3.590457]  component_master_add_with_match+0x20/0xfc
[    3.590938]  typec_link_ports+0x58/0x8c
[    3.591299]  typec_register_port+0x1ac/0x300
[    3.591705]  tcpm_register_port+0x62c/0x90c
[    3.592099]  fusb302_probe+0x260/0x430
[    3.592453]  i2c_device_probe+0x338/0x370
[    3.592835]  really_probe.part.0+0x9c/0x30c
[    3.593229]  __driver_probe_device+0x98/0x144
[    3.593639]  driver_probe_device+0xc8/0x160
[    3.594033]  __device_attach_driver+0xb8/0x120
[    3.594450]  bus_for_each_drv+0x78/0xd0
[    3.594810]  __device_attach+0xd8/0x180
[    3.595171]  device_initial_probe+0x14/0x20
[    3.595565]  bus_probe_device+0x9c/0xa4
[    3.595926]  deferred_probe_work_func+0x88/0xc4
[    3.596351]  process_one_work+0x288/0x6e0
[    3.596729]  worker_thread+0x220/0x464
[    3.597081]  kthread+0x17c/0x190
[    3.597392]  ret_from_fork+0x10/0x20
[    3.597737] Code: aa0203f4 a9025bf5 aa0003f5 aa0103f6 (a9400440) 
[    3.598301] ---[ end trace 823a8d1795013b55 ]---

The full log can be found at [1]; config file can be found at [2]. All
pastebins expire after 6 months.

I tried bisecting the bug and the first bad commit is 730b49aac426 ("usb:
typec: port-mapper: Convert to the component framework"). I tried to double
check that the patch is indeed responsible by reverting it from master, but
I got this build error:

drivers/usb/typec/port-mapper.c: In function 'typec_link_ports':
drivers/usb/typec/port-mapper.c:256:15: error: implicit declaration of function 'usb_for_each_port'; did you mean 'usb_for_each_dev'? [-Werror=implicit-function-declaration]
  256 |         ret = usb_for_each_port(&con->dev, each_port);
      |               ^~~~~~~~~~~~~~~~~
      |               usb_for_each_dev

I tried building and booting from the bad commit, and I got the same NULL
pointer dereference error. When building from the last good commit
(8c67d06f3fd9 ("usb: Link the ports to the connectors they are attached
to")), the board boots just fine. The log when booting from the good commit
can be found at [3].

I can help with debugging and testing, but I'm not familiar enough with the
USB subsystem to fix it myself.

[1] https://pastebin.com/w4tMNhve
[2] https://pastebin.com/SiUuLeMs
[3] https://pastebin.com/Pcm9xmL7

Thanks,
Alex

More information about the linux-arm-kernel mailing list