drm/msm: NULL pointer dereference in drivers/gpu/drm/msm/msm_gem_vma.c

Rob Clark robdclark at gmail.com
Tue Aug 1 10:29:28 UTC 2017 

On Sun, Jul 30, 2017 at 8:46 AM, Hans Verkuil <hverkuil at xs4all.nl> wrote:
> Hi all,
>
> While I was testing the upcoming adv7533 CEC support with my Dragonboard c410
> I encountered this NULL pointer dereference:
>
> [   17.912822] Unable to handle kernel NULL pointer dereference at virtual address 000000e8
> [   17.917191] user pgtable: 4k pages, 48-bit VAs, pgd = ffff800030e9f000
> [   17.925249] [00000000000000e8] *pgd=00000000b0daf003, *pud=0000000000000000
> [   17.931650] Internal error: Oops: 96000005 [#1] PREEMPT SMP
> [   17.938395] Modules linked in: btqcomsmd btqca arc4 wcn36xx mac80211 bluetooth cfg80211 ecdh_generic r8152 snd_soc_hdmi_codec adv7511 cec
> qcom_wcnss_pil msm mdt_loader drm_kms_helper msm_rng rng_core drm
> [   17.943967] CPU: 0 PID: 1684 Comm: Xorg Tainted: G        W       4.13.0-rc1-dragonboard #111
> [   17.962005] Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT)
> [   17.970685] task: ffff800031236c00 task.stack: ffff800033fbc000
> [   17.977582] PC is at msm_gem_unmap_vma+0x20/0x80 [msm]
> [   17.983213] LR is at put_iova+0x60/0xb8 [msm]
> [   17.988303] pc : [<ffff000000ac2d58>] lr : [<ffff000000ac07c8>] pstate: 20000145
> [   17.992733] sp : ffff800033fbfb30
> [   18.000193] x29: ffff800033fbfb30 x28: ffff800030b5f000
> [   18.003407] x27: 00000000000000b4 x26: ffff0000009f8cd8
> [   18.008789] x25: 0000000000000004 x24: dead000000000100
> [   18.014085] x23: dead000000000200 x22: ffff800030b5fd40
> [   18.019379] x21: ffff800030b5fc00 x20: 0000000000000000
> [   18.024675] x19: ffff80003082bf00 x18: 0000000000000000
> [   18.029970] x17: 0000ffffb3347e70 x16: ffff000008207638
> [   18.035265] x15: 0000000000000053 x14: 0000000000000000
> [   18.040560] x13: 0000000000000038 x12: 0101010101010101
> [   18.045855] x11: 7f7f7f7f7f7f7f7f x10: 0000000000000040
> [   18.051150] x9 : ffff800030b5f038 x8 : ffff800031657b50
> [   18.056446] x7 : ffff800031657b78 x6 : 0000000000000000
> [   18.061740] x5 : 0000000000000000 x4 : 00000000b5c01000
> [   18.067036] x3 : 0000000000000000 x2 : ffff8000337bf300
> [   18.072330] x1 : ffff80003082bf00 x0 : 0000000000000000
> [   18.077629] Process Xorg (pid: 1684, stack limit = 0xffff800033fbc000)
> [   18.082925] Stack: (0xffff800033fbfb30 to 0xffff800033fc0000)
> [   18.089262] fb20:                                   ffff800033fbfb60 ffff000000ac07c8
> [   18.095081] fb40: ffff80003082bf00 ffff800030b5fc90 ffff800030b5fc00 ffff000000abf4a0
> [   18.102893] fb60: ffff800033fbfba0 ffff000000ac16b0 ffff800030b5fc00 ffff8000338ff870
> [   18.110706] fb80: ffff8000338ff800 ffff800030b5fc00 ffff800030b5fda8 ffff800033fbfd80
> [   18.118518] fba0: ffff800033fbfbe0 ffff0000009d4244 ffff800030b5fc00 ffff800030b5f038
> [   18.126332] fbc0: ffff800033fbfbd0 ffff800030b5fc00 ffff800030b5f038 ffff0000009d4840
> [   18.134144] fbe0: ffff800033fbfbf0 ffff0000009d4858 ffff800033fbfc10 ffff0000009d48e4
> [   18.141955] fc00: ffff800030b5fc00 ffff8000338ffd98 ffff800033fbfc30 ffff0000009d49a4
> [   18.149768] fc20: ffff800030b5fc00 ffff800030b5f000 ffff800033fbfc60 ffff0000009d4a4c
> [   18.157581] fc40: ffff800030b5f050 ffff800030b5f000 0000000000000001 ffff800030b5fc00
> [   18.165394] fc60: ffff800033fbfca0 ffff0000009d4ab0 0000000000000018 ffff800030b5f000
> [   18.173206] fc80: ffff0000009efd28 ffff800033fbfd80 ffff8000338ff800 ffff0000009d56a8
> [   18.181019] fca0: ffff800033fbfcb0 ffff0000009efd54 ffff800033fbfcc0 ffff0000009d56c8
> [   18.188831] fcc0: ffff800033fbfd00 ffff0000009d58e0 ffff0000009fa6e0 00000000c00464b4
> [   18.196643] fce0: 0000000000000004 ffff80003082b400 0000ffffea1f0e00 0000000000000000
> [   18.204456] fd00: ffff800033fbfe00 ffff000008206f0c ffff80000335caf8 ffff80003082b400
> [   18.212269] fd20: 0000ffffea1f0e00 ffff80003082b400 00000000c00464b4 0000ffffea1f0e00
> [   18.220081] fd40: 0000000000000124 000000000000001d ffff0000089d2000 ffff800031236c00
> [   18.227894] fd60: ffff800033fbfd80 0000000000000004 ffff0000009efd28 ffff800033fbfd80
> [   18.235706] fd80: 0000000100000001 0000008000000001 0000001800000020 0000000000000001
> [   18.243518] fda0: 0000000100000000 0000000100000001 0000ffff00000000 0000ffff00000000
> [   18.251331] fdc0: 0000000000000124 0000000000000038 ffff0000089d2000 ffff800031236c00
> [   18.259144] fde0: ffff800033fbfe40 ffff000008214124 ffff800033fbfe30 ffff000008203290
> [   18.266956] fe00: ffff800033fbfe80 ffff0000082076b4 0000000000000000 ffff800030d8a000
> [   18.274768] fe20: ffff80003082b400 0000000000000016 ffff800033fbfe50 ffff0000081f0488
> [   18.282581] fe40: ffff800033fbfe80 ffff000008207678 0000000000000000 ffff80003082b400
> [   18.290393] fe60: ffff800033fbfe70 ffff0000082138b0 ffff800033fbfe80 ffff000008207658
> [   18.298207] fe80: 0000000000000000 ffff000008082f84 0000000000000000 0000800034a16000
> [   18.306017] fea0: ffffffffffffffff 0000ffffb3347e7c 0000000000000000 0000000000000015
> [   18.313832] fec0: 0000000000000016 00000000c00464b4 0000ffffea1f0e00 0000000000000001
> [   18.321643] fee0: 0000000000000020 0000000000000080 0000000000000001 0000000000000000
> [   18.329456] ff00: 000000000000001d 000000012692c5b0 0101010101010101 7f7f7f7f7f7f7f7f
> [   18.337269] ff20: 0101010101010101 0000000000000038 0000000000000000 0000000000000053
> [   18.345082] ff40: 0000ffffb368b2b8 0000ffffb3347e70 0000000000000000 0000ffffb3847000
> [   18.352894] ff60: 0000ffffea1f0e00 00000000c00464b4 0000000000000016 0000ffffea1f0edc
> [   18.360705] ff80: 000000012692ad20 0000000000000003 00000001214282e4 0000000121428388
> [   18.368518] ffa0: 0000000000000000 0000ffffea1f0da0 0000ffffb367185c 0000ffffea1f0da0
> [   18.376332] ffc0: 0000ffffb3347e7c 0000000000000000 0000000000000016 000000000000001d
> [   18.384142] ffe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> [   18.391953] Call trace:
> [   18.399760] Exception stack(0xffff800033fbf950 to 0xffff800033fbfa80)
> [   18.402023] f940:                                   ffff80003082bf00 0001000000000000
> [   18.408622] f960: ffff800033fbfb30 ffff000000ac2d58 0000000020000145 ffff8000338ffa78
> [   18.416435] f980: 0000000000000000 0000000000000000 ffff800033fbf9e0 ffff0000089afcf0
> [   18.424248] f9a0: ffff80000348f230 ffff8000338ffa78 0000000000000000 0000000000000000
> [   18.432060] f9c0: ffff8000338ffaa8 0000000000000001 ffff800033fbfb80 ffff0000009e8f38
> [   18.439872] f9e0: ffff800033fbfa10 ffff0000089a9ff8 0000000000000027 ffff80003082b918
> [   18.447684] fa00: 0000000000000000 ffff80003082bf00 ffff8000337bf300 0000000000000000
> [   18.455497] fa20: 00000000b5c01000 0000000000000000 0000000000000000 ffff800031657b78
> [   18.463310] fa40: ffff800031657b50 ffff800030b5f038 0000000000000040 7f7f7f7f7f7f7f7f
> [   18.471122] fa60: 0101010101010101 0000000000000038 0000000000000000 0000000000000053
> [   18.479062] [<ffff000000ac2d58>] msm_gem_unmap_vma+0x20/0x80 [msm]
> [   18.486862] [<ffff000000ac07c8>] put_iova+0x60/0xb8 [msm]
> [   18.492938] [<ffff000000ac16b0>] msm_gem_free_object+0x60/0x198 [msm]
> [   18.498432] [<ffff0000009d4244>] drm_gem_object_free+0x1c/0x58 [drm]
> [   18.504854] [<ffff0000009d4858>] drm_gem_object_put_unlocked+0x90/0xa0 [drm]
> [   18.511273] [<ffff0000009d48e4>] drm_gem_object_handle_put_unlocked+0x64/0xd0 [drm]
> [   18.518300] [<ffff0000009d49a4>] drm_gem_object_release_handle+0x54/0x98 [drm]
> [   18.525679] [<ffff0000009d4a4c>] drm_gem_handle_delete+0x64/0xb8 [drm]
> [   18.532968] [<ffff0000009d4ab0>] drm_gem_dumb_destroy+0x10/0x18 [drm]
> [   18.539479] [<ffff0000009efd54>] drm_mode_destroy_dumb_ioctl+0x2c/0x40 [drm]
> [   18.545992] [<ffff0000009d56c8>] drm_ioctl_kernel+0x68/0xe0 [drm]
> [   18.553105] [<ffff0000009d58e0>] drm_ioctl+0x178/0x3b0 [drm]
> [   18.558970] [<ffff000008206f0c>] do_vfs_ioctl+0xa4/0x7d0
> [   18.564694] [<ffff0000082076b4>] SyS_ioctl+0x7c/0x98
> [   18.569992] [<ffff000008082f84>] el0_svc_naked+0x38/0x3c
> [   18.574941] Code: a90153f3 aa0003f4 f90013f5 aa0103f3 (f9407400)
> [   18.580502] ---[ end trace b1ac6888ec40b0be ]---
>
> It turns out that the aspace argument in msm_gem_unmap_vma() is NULL.
>

Oh, I think the issue is no-iommu, in which case aspace is NULL,
(which is the state upstream since qcom_iommu is not merged yet, but a
config I don't end up testing as much since gpu is disabled without
iommu).  This looks like the correct fix.  Thanks.

BR,
-R

> This quick hack prevents the NULL pointer dereference and the HDMI output
> behaves itself again:
>
> diff --git a/drivers/gpu/drm/msm/msm_gem_vma.c b/drivers/gpu/drm/msm/msm_gem_vma.c
> index c36321bc8714..d34e331554f3 100644
> --- a/drivers/gpu/drm/msm/msm_gem_vma.c
> +++ b/drivers/gpu/drm/msm/msm_gem_vma.c
> @@ -42,7 +42,7 @@ void
>  msm_gem_unmap_vma(struct msm_gem_address_space *aspace,
>                 struct msm_gem_vma *vma, struct sg_table *sgt)
>  {
> -       if (!vma->iova)
> +       if (!aspace || !vma->iova)
>                 return;
>
>         if (aspace->mmu) {
>
> I have might just be addressing a symptom and not the cause as I have no idea what
> is happening here. But on the off-chance that I am actually right:
>
> Signed-off-by: Hans Verkuil <hans.verkuil at cisco.com>
>
> Regards,
>
>         Hans

More information about the dri-devel mailing list