drm/vc4: NULL pointer dereference after failed to allocate buffer

Stefan Wahren stefan.wahren at i2se.com
Sun Jun 5 11:55:00 UTC 2016 

Hi Eric,

[add Daniel]

> Eric Anholt <eric at anholt.net> hat am 4. Juni 2016 um 22:32 geschrieben:
> 
> 
> Stefan Wahren <stefan.wahren at i2se.com> writes:
> 
> > Hi,
> >
> > i tried to boot 4.7.0-rc1-next-20160602 with bcm2835_defconfig on a
> > Raspberry Pi
> > B.
> >
> > Unfortunately it crashes with a NULL pointer dereference and many oops
> > following:
> > ...
> > [    2.209373] vc4-drm soc:gpu: bound 20902000.hdmi (ops vc4_hdmi_ops)
> > [    2.228303] vc4-drm soc:gpu: bound 20206000.pixelvalve (ops vc4_crtc_ops)
> > [    2.247681] vc4-drm soc:gpu: bound 20207000.pixelvalve (ops vc4_crtc_ops)
> > [    2.270300] vc4-drm soc:gpu: bound 20807000.pixelvalve (ops vc4_crtc_ops)
> > [    2.288902] vc4-drm soc:gpu: bound 20400000.hvs (ops vc4_hvs_ops)
> > [    2.307006] vc4-drm soc:gpu: bound 20c00000.v3d (ops vc4_v3d_ops)
> > [    2.325069] fb: switching to vc4drmfb from simple
> > [    2.341322] Console: switching to colour dummy device 80x30
> > [    2.350955] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
> > [    2.357821] [drm] No driver support for vblank timestamp query.
> > [    2.368495] mmc0: new SDHC card at address 1234
> > [    2.374284] mmcblk0: mmc0:1234 SA32G 29.3 GiB
> > [    2.381213]  mmcblk0: p1 p2
> > [    2.398018] vc4-drm soc:gpu: failed to allocate buffer with size 9216000
> > [    2.404912] Unable to handle kernel NULL pointer dereference at virtual
> > address 00000000
> > [    2.413070] pgd = c0004000
> > [    2.415856] [00000000] *pgd=00000000
> > [    2.419501] Internal error: Oops: 80000005 [#1] ARM
> > [    2.424425] CPU: 0 PID: 6 Comm: kworker/u2:0 Not tainted
> > 4.7.0-rc1-next-20160602+ #2
> > [    2.432214] Hardware name: BCM2835
> > [    2.435677] Workqueue: deferwq deferred_probe_work_func
> > [    2.440948] task: cb8957c0 ti: cb8b2000 task.ti: cb8b2000
> > [    2.446378] PC is at 0x0
> > [    2.448953] LR is at drm_gem_cma_create+0xf0/0x108
> 
> Figure out where in drm_gem_cma_create() you are?

It was the first call in the error path. I attached a patch which fixed the NULL
pointer dereference for me. But i think it's not a proper one and seems to be
related to 50cbc132460d ("drm: Use the driver's gem_object_free function from
CMA helpers.")

> -next kernels have
> been working for me on Pi 2s and 3s, and jumping to a NULL seems
> surprising for that function.

Sure they have enough memory but my Pi 1 has only 256 RAM. I didn't expect VC4
to work, but not a crash ;-)

Stefan

diff --git a/drivers/gpu/drm/drm_gem_cma_helper.c
b/drivers/gpu/drm/drm_gem_cma_helper.c
index e1ab008..91c19cc 100644
--- a/drivers/gpu/drm/drm_gem_cma_helper.c
+++ b/drivers/gpu/drm/drm_gem_cma_helper.c
@@ -121,7 +121,9 @@ struct drm_gem_cma_object *drm_gem_cma_create(struct
drm_device *drm,
 	return cma_obj;
 
 error:
-	drm->driver->gem_free_object(&cma_obj->base);
+	if (drm->driver->gem_free_object)
+		drm->driver->gem_free_object(&cma_obj->base);
+
 	return ERR_PTR(ret);
 }
 EXPORT_SYMBOL_GPL(drm_gem_cma_create);

More information about the dri-devel mailing list