[PATCH 1/1] drm/mediatek: Fix access violation in mtk_drm_crtc_dma_dev_get
Macpaul Lin
macpaul.lin at mediatek.com
Tue Nov 14 01:16:46 PST 2023
On 11/10/23 09:29, Stuart Lee wrote:
> Add error handling to check NULL input in
> mtk_drm_crtc_dma_dev_get function.
>
> While display path is not configured correctly, none of crtc is
> established. So the caller of mtk_drm_crtc_dma_dev_get may pass
> input parameter *crtc as NULL, Which may cause coredump when
> we try to get the container of NULL pointer.
>
> Fixes: cb1d6bcca542 ("drm/mediatek: Add dma dev get function")
> Signed-off-by: Stuart Lee <stuart.lee at mediatek.com>
> Cc: stable at vger.kernel.org
> ---
> drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
> index c277b9fae950..047c9a31d306 100644
> --- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
> +++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
> @@ -921,7 +921,14 @@ static int mtk_drm_crtc_init_comp_planes(struct drm_device *drm_dev,
>
> struct device *mtk_drm_crtc_dma_dev_get(struct drm_crtc *crtc)
> {
> - struct mtk_drm_crtc *mtk_crtc = to_mtk_crtc(crtc);
> + struct mtk_drm_crtc *mtk_crtc = NULL;
> +
> + if (!crtc)
> + return NULL;
> +
> + mtk_crtc = to_mtk_crtc(crtc);
> + if (!mtk_crtc)
> + return NULL;
>
> return mtk_crtc->dma_dev;
> }
Maybe you could attach the stack dump log in commit message next time.
I've tested this patch with 6.7-rc1 on mt8395-genio-1200-evk.
The following error dump can be solved with this patch, thanks.
Tested-by: Macpaul Lin <macpaul.lin at mediatek.com>
[ 2.804652] mediatek-drm mediatek-drm.6.auto: bound
1c110000.vpp-merge (ops mtk_disp_merge_component_ops [mediatek_drm])
[ 2.804660] mediatek-drm mediatek-drm.4.auto: Not creating crtc 0
because component 8 is disabled or missing
[ 2.804662] mediatek-drm mediatek-drm.4.auto: Not creating crtc 0
because component 9 is disabled or missing
[ 2.804666] Unable to handle kernel NULL pointer dereference at
virtual address 00000000000004a0
[ 2.804668] Mem abort info:
[ 2.804669] ESR = 0x0000000096000004
[ 2.804670] EC = 0x25: DABT (current EL), IL = 32 bits
[ 2.804671] SET = 0, FnV = 0
[ 2.804672] EA = 0, S1PTW = 0
[ 2.804673] FSC = 0x04: level 0 translation fault
[ 2.804674] Data abort info:
[ 2.804674] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 2.804676] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 2.804677] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 2.804678] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000107380000
[ 2.804680] [00000000000004a0] pgd=0000000000000000, p4d=0000000000000000
[ 2.804683] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[ 2.804684] Modules linked in: mt6315_regulator mtk_jpeg
mtk_jpeg_enc_hw crct10dif_ce mtk_jpeg_dec_hw btusb btrtl mtk_vcodec_dec
btintel btmtk v4l2_vp9 mtk_vcodec_enc btbcm v4l2_h264 mtk_vcodec_dbgfs
mediatek_drm bluetooth mtk_vcodec_common v4l2_mem2mem ecdh_generic
videobuf2_dma_contig ecc videobuf2_memops videobuf2_v4l2 rfkill
goodix_ts videodev videobuf2_common mc drm_kms_helper mtk_mmsys
mtk_mutex mtk_cmdq_helper mcp251xfd mtk_cmdq_mailbox pcie_mediatek_gen3
can_dev mtk_scp pwm_mtk_disp mtk_rpmsg rtc_mt6397 mtk_scp_ipi
snd_soc_dmic spmi_mtk_pmif mediatek_cpufreq_hw pwm_bl fuse drm backlight
ipv6
[ 2.828100] CPU: 7 PID: 56 Comm: kworker/u16:1 Not tainted
6.7.0-rc1-mtk+modified #1
[ 2.829073] Hardware name: MediaTek Genio 1200 EVK-P1V2-EMMC (DT)
[ 2.829838] Workqueue: events_unbound deferred_probe_work_func
[ 2.830578] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS
BTYPE=--)
[ 2.831452] pc : mtk_drm_crtc_dma_dev_get+0x0/0x8 [mediatek_drm]
[ 2.832212] lr : mtk_drm_bind+0x418/0x5e8 [mediatek_drm]
[ 2.832885] sp : ffff800082d93a20
[ 2.833301] x29: ffff800082d93a40 x28: ffff8000824379c0 x27:
ffff80007acc8c10
[ 2.834197] x26: ffff0000c7e3e080 x25: 0000000000000002 x24:
0000000000000000
[ 2.835093] x23: ffff0000c7e3e080 x22: 0000000000000002 x21:
0000000000000000
[ 2.835989] x20: ffff0000ca5a2800 x19: ffff0000c7e3e080 x18:
ffffffffffffffff
[ 2.836884] x17: 69645f6b746d2073 x16: 706f28206c61612e x15:
ffff80008288a5aa
[ 2.837779] x14: ffffffffffffffff x13: 0a676e697373696d x12:
20726f2064656c62
[ 2.838676] x11: fffffffffffe0000 x10: 0000000000000020 x9 :
ffff800082d93900
[ 2.839572] x8 : 0000000000000020 x7 : 20726f2064656c62 x6 :
000000000000000c
[ 2.840468] x5 : ffff0001fef70d08 x4 : 0000000000000000 x3 :
ffff0000ca5a2ae0
[ 2.841363] x2 : ffff0000ca5a2ae0 x1 : 0000000000000000 x0 :
0000000000000000
[ 2.842259] Call trace:
[ 2.842568] mtk_drm_crtc_dma_dev_get+0x0/0x8 [mediatek_drm]
[ 2.843285] try_to_bring_up_aggregate_device+0x168/0x1d4
[ 2.843965] __component_add+0xa4/0x170
[ 2.844448] component_add+0x14/0x20
[ 2.844898] mtk_disp_rdma_probe+0x178/0x268 [mediatek_drm]
[ 2.845602] platform_probe+0x68/0xdc
[ 2.846064] really_probe+0x148/0x2ac
[ 2.846525] __driver_probe_device+0x78/0x12c
[ 2.847074] driver_probe_device+0x40/0x160
[ 2.847600] __device_attach_driver+0xb8/0x134
[ 2.848158] bus_for_each_drv+0x84/0xe4
[ 2.848641] __device_attach+0xac/0x1b8
[ 2.849124] device_initial_probe+0x14/0x20
[ 2.849651] bus_probe_device+0xa8/0xac
[ 2.850133] deferred_probe_work_func+0x88/0xc0
[ 2.850702] process_one_work+0x138/0x260
[ 2.851209] worker_thread+0x32c/0x438
[ 2.851681] kthread+0x118/0x11c
[ 2.852088] ret_from_fork+0x10/0x20
[ 2.852540] Code: 97fffdec a8c17bfd d50323bf d65f03c0 (f9425000)
[ 2.853305] ---[ end trace 0000000000000000 ]---
[ 4.102725] random: crng init done
Best regards,
Macpaul Lin
More information about the linux-arm-kernel
mailing list