drm/vc4: NULL pointer dereference after failed to allocate buffer

Daniel Vetter daniel at ffwll.ch
Mon Jun 6 06:30:38 UTC 2016


On Sun, Jun 05, 2016 at 01:55:00PM +0200, Stefan Wahren wrote:
> Hi Eric,
> 
> [add Daniel]
> 
> > Eric Anholt <eric at anholt.net> hat am 4. Juni 2016 um 22:32 geschrieben:
> > 
> > 
> > Stefan Wahren <stefan.wahren at i2se.com> writes:
> > 
> > > Hi,
> > >
> > > i tried to boot 4.7.0-rc1-next-20160602 with bcm2835_defconfig on a
> > > Raspberry Pi
> > > B.
> > >
> > > Unfortunately it crashes with a NULL pointer dereference and many oops
> > > following:
> > > ...
> > > [    2.209373] vc4-drm soc:gpu: bound 20902000.hdmi (ops vc4_hdmi_ops)
> > > [    2.228303] vc4-drm soc:gpu: bound 20206000.pixelvalve (ops vc4_crtc_ops)
> > > [    2.247681] vc4-drm soc:gpu: bound 20207000.pixelvalve (ops vc4_crtc_ops)
> > > [    2.270300] vc4-drm soc:gpu: bound 20807000.pixelvalve (ops vc4_crtc_ops)
> > > [    2.288902] vc4-drm soc:gpu: bound 20400000.hvs (ops vc4_hvs_ops)
> > > [    2.307006] vc4-drm soc:gpu: bound 20c00000.v3d (ops vc4_v3d_ops)
> > > [    2.325069] fb: switching to vc4drmfb from simple
> > > [    2.341322] Console: switching to colour dummy device 80x30
> > > [    2.350955] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
> > > [    2.357821] [drm] No driver support for vblank timestamp query.
> > > [    2.368495] mmc0: new SDHC card at address 1234
> > > [    2.374284] mmcblk0: mmc0:1234 SA32G 29.3 GiB
> > > [    2.381213]  mmcblk0: p1 p2
> > > [    2.398018] vc4-drm soc:gpu: failed to allocate buffer with size 9216000
> > > [    2.404912] Unable to handle kernel NULL pointer dereference at virtual
> > > address 00000000
> > > [    2.413070] pgd = c0004000
> > > [    2.415856] [00000000] *pgd=00000000
> > > [    2.419501] Internal error: Oops: 80000005 [#1] ARM
> > > [    2.424425] CPU: 0 PID: 6 Comm: kworker/u2:0 Not tainted
> > > 4.7.0-rc1-next-20160602+ #2
> > > [    2.432214] Hardware name: BCM2835
> > > [    2.435677] Workqueue: deferwq deferred_probe_work_func
> > > [    2.440948] task: cb8957c0 ti: cb8b2000 task.ti: cb8b2000
> > > [    2.446378] PC is at 0x0
> > > [    2.448953] LR is at drm_gem_cma_create+0xf0/0x108
> > 
> > Figure out where in drm_gem_cma_create() you are?
> 
> It was the first call in the error path. I attached a patch which fixed the NULL
> pointer dereference for me. But i think it's not a proper one and seems to be
> related to 50cbc132460d ("drm: Use the driver's gem_object_free function from
> CMA helpers.")
> 
> > -next kernels have
> > been working for me on Pi 2s and 3s, and jumping to a NULL seems
> > surprising for that function.
> 
> Sure they have enough memory but my Pi 1 has only 256 RAM. I didn't expect VC4
> to work, but not a crash ;-)
> 
> Stefan
> 
> diff --git a/drivers/gpu/drm/drm_gem_cma_helper.c
> b/drivers/gpu/drm/drm_gem_cma_helper.c
> index e1ab008..91c19cc 100644
> --- a/drivers/gpu/drm/drm_gem_cma_helper.c
> +++ b/drivers/gpu/drm/drm_gem_cma_helper.c
> @@ -121,7 +121,9 @@ struct drm_gem_cma_object *drm_gem_cma_create(struct
> drm_device *drm,
>  	return cma_obj;
>  
>  error:
> -	drm->driver->gem_free_object(&cma_obj->base);
> +	if (drm->driver->gem_free_object)
> +		drm->driver->gem_free_object(&cma_obj->base);
> +
>  	return ERR_PTR(ret);
>  }
>  EXPORT_SYMBOL_GPL(drm_gem_cma_create);

Patch for this (and a few others just like it) landed in -rc2.
-Daniel
-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch


More information about the dri-devel mailing list