KASAN errors with vc4 DRM on Raspberry Pi 4

Maxime Ripard maxime at cerno.tech
Mon May 24 13:13:08 UTC 2021


Hi Marc,

On Mon, May 24, 2021 at 12:01:27PM +0200, Marc Haber wrote:
> Hi,
> 
> when running a current (5.12.6) Linux kernel on a Raspberry Pi 4 which
> has KASAN enabled, upon (manual) loading of the vc4 module, the
> following appears in dmesg:
> 
> [   27.713689] rc rc0: vc4 as /devices/platform/soc/fef00700.hdmi/rc/rc0
> [   27.714408] input: vc4 as /devices/platform/soc/fef00700.hdmi/rc/rc0/input5
> [   27.717603] debugfs: Directory 'fef00700.hdmi' with parent 'vc4-hdmi-0' already present!
> [   27.722211] vc4-drm gpu: bound fef00700.hdmi (ops vc4_hdmi_ops [vc4])
> [   27.727765] Registered IR keymap rc-cec
> [   27.728809] rc rc1: vc4 as /devices/platform/soc/fef05700.hdmi/rc/rc1
> [   27.729550] input: vc4 as /devices/platform/soc/fef05700.hdmi/rc/rc1/input6
> [   27.736865] debugfs: Directory 'fef05700.hdmi' with parent 'vc4-hdmi-1' already present!
> [   27.740984] vc4-drm gpu: bound fef05700.hdmi (ops vc4_hdmi_ops [vc4])
> [   27.741704] vc4-drm gpu: bound fe400000.hvs (ops vc4_hvs_ops [vc4])
> [   27.742757] vc4-drm gpu: bound fe004000.txp (ops vc4_txp_ops [vc4])
> [   27.744440] vc4-drm gpu: bound fe206000.pixelvalve (ops vc4_crtc_ops [vc4])
> [   27.745161] vc4-drm gpu: bound fe207000.pixelvalve (ops vc4_crtc_ops [vc4])
> [   27.746165] vc4-drm gpu: bound fe20a000.pixelvalve (ops vc4_crtc_ops [vc4])
> [   27.746733] vc4-drm gpu: bound fe216000.pixelvalve (ops vc4_crtc_ops [vc4])
> [   27.771356] [drm] Initialized vc4 0.0.0 20140616 for gpu on minor 0
> [   27.827068] Console: switching to colour frame buffer device 160x50
> [   27.827623] ==================================================================
> [   27.827638] BUG: KASAN: slab-out-of-bounds in vc4_atomic_commit_tail+0x1d4/0x950 [vc4]
> [   27.827822] Read of size 8 at addr ffff2b83c2956540 by task modprobe/499
> 
> [   27.827840] CPU: 3 PID: 499 Comm: modprobe Tainted: G         C  E     5.12.5-zgrpi4 #1
> [   27.827853] Hardware name: Raspberry Pi 4 Model B Rev 1.2 (DT)
> [   27.827861] Call trace:
> [   27.827865]  dump_backtrace+0x0/0x2d0
> [   27.827891]  show_stack+0x24/0x30
> [   27.827905]  dump_stack+0xfc/0x168
> [   27.827919]  print_address_description.constprop.0+0x68/0x2b0
> [   27.827931]  kasan_report+0x1d4/0x270
> [   27.827947]  __asan_load8+0x94/0xd0
> [   27.827959]  vc4_atomic_commit_tail+0x1d4/0x950 [vc4]
> [   27.828116]  commit_tail+0x104/0x20c [drm_kms_helper]
> [   27.828192]  drm_atomic_helper_commit+0x1cc/0x460 [drm_kms_helper]
> [   27.828265]  drm_atomic_commit+0x88/0xa0 [drm]
> [   27.828405]  drm_client_modeset_commit_atomic+0x2f8/0x3a0 [drm]
> [   27.828542]  drm_client_modeset_commit_locked+0x94/0x230 [drm]
> [   27.828679]  drm_fb_helper_pan_display+0x16c/0x3b0 [drm_kms_helper]
> [   27.828753]  fb_pan_display+0x130/0x200
> [   27.828768]  bit_update_start+0x3c/0xa0
> [   27.828782]  fbcon_switch+0x61c/0x854
> [   27.828795]  redraw_screen+0x188/0x364
> [   27.828807]  do_bind_con_driver.isra.0+0x458/0x530
> [   27.828820]  do_take_over_console+0x208/0x2f0
> [   27.828832]  do_fbcon_takeover+0x9c/0x130
> [   27.828845]  fbcon_fb_registered+0x154/0x170
> [   27.828859]  register_framebuffer+0x314/0x490
> [   27.828870]  __drm_fb_helper_initial_config_and_unlock+0x568/0x820 [drm_kms_helper]
> [   27.828943]  drm_fbdev_client_hotplug+0x20c/0x380 [drm_kms_helper]
> [   27.829015]  drm_fbdev_generic_setup+0xe8/0x240 [drm_kms_helper]
> [   27.829087]  vc4_drm_bind+0x1d4/0x1f0 [vc4]
> [   27.829240]  try_to_bring_up_master+0x260/0x2e0
> [   27.829259]  component_master_add_with_match+0x134/0x184
> [   27.829270]  vc4_platform_drm_probe+0x120/0x170 [vc4]
> [   27.829419]  platform_probe+0x98/0x114
> [   27.829429]  really_probe+0x150/0x710
> [   27.829442]  driver_probe_device+0x80/0xf0
> [   27.829456]  device_driver_attach+0x124/0x130
> [   27.829470]  __driver_attach+0xbc/0x190
> [   27.829483]  bus_for_each_dev+0xf0/0x160
> [   27.829494]  driver_attach+0x40/0x50
> [   27.829507]  bus_add_driver+0x1b0/0x2c0
> [   27.829519]  driver_register+0xec/0x21c
> [   27.829533]  __platform_driver_register+0x50/0x60
> [   27.829543]  vc4_drm_register+0x54/0x1000 [vc4]
> [   27.829692]  do_one_initcall+0xa8/0x350
> [   27.829705]  do_init_module+0xe8/0x3a4
> [   27.829718]  load_module+0x3298/0x3820
> [   27.829729]  __do_sys_finit_module+0x110/0x170
> [   27.829741]  __arm64_sys_finit_module+0x50/0x6c
> [   27.829753]  el0_svc_common.constprop.0+0xa0/0x1a0
> [   27.829767]  do_el0_svc+0x90/0xb0
> [   27.829779]  el0_svc+0x20/0x30
> [   27.829794]  el0_sync_handler+0x1a4/0x1b0
> [   27.829807]  el0_sync+0x180/0x1c0
> 
> [   27.829821] Allocated by task 499:
> [   27.829829]  kasan_save_stack+0x28/0x60
> [   27.829846]  __kasan_kmalloc+0x88/0xb0
> [   27.829858]  kmem_cache_alloc_trace+0x1ec/0x3a4
> [   27.829870]  vc4_hvs_channels_duplicate_state+0x54/0x190 [vc4]
> [   27.830021]  drm_atomic_get_private_obj_state+0x14c/0x230 [drm]
> [   27.830160]  vc4_atomic_check+0x48/0x740 [vc4]
> [   27.830309]  drm_atomic_check_only+0xa44/0xf00 [drm]
> [   27.830447]  drm_atomic_commit+0x3c/0xa0 [drm]
> [   27.830583]  drm_client_modeset_commit_atomic+0x2f8/0x3a0 [drm]
> [   27.830720]  drm_client_modeset_commit_locked+0x94/0x230 [drm]
> [   27.830857]  drm_client_modeset_commit+0x40/0x70 [drm]
> [   27.830994]  drm_fb_helper_set_par+0x10c/0x180 [drm_kms_helper]
> [   27.831068]  fbcon_init+0x3c4/0x88c
> [   27.831086]  visual_init+0x154/0x1f0
> [   27.831098]  do_bind_con_driver.isra.0+0x2cc/0x530
> [   27.831110]  do_take_over_console+0x208/0x2f0
> [   27.831122]  do_fbcon_takeover+0x9c/0x130
> [   27.831135]  fbcon_fb_registered+0x154/0x170
> [   27.831149]  register_framebuffer+0x314/0x490
> [   27.831160]  __drm_fb_helper_initial_config_and_unlock+0x568/0x820 [drm_kms_helper]
> [   27.831233]  drm_fbdev_client_hotplug+0x20c/0x380 [drm_kms_helper]
> [   27.831305]  drm_fbdev_generic_setup+0xe8/0x240 [drm_kms_helper]
> [   27.831377]  vc4_drm_bind+0x1d4/0x1f0 [vc4]
> [   27.831530]  try_to_bring_up_master+0x260/0x2e0
> [   27.831543]  component_master_add_with_match+0x134/0x184
> [   27.831554]  vc4_platform_drm_probe+0x120/0x170 [vc4]
> [   27.831710]  platform_probe+0x98/0x114
> [   27.831720]  really_probe+0x150/0x710
> [   27.831733]  driver_probe_device+0x80/0xf0
> [   27.831746]  device_driver_attach+0x124/0x130
> [   27.831759]  __driver_attach+0xbc/0x190
> [   27.831772]  bus_for_each_dev+0xf0/0x160
> [   27.831784]  driver_attach+0x40/0x50
> [   27.831796]  bus_add_driver+0x1b0/0x2c0
> [   27.831808]  driver_register+0xec/0x21c
> [   27.831821]  __platform_driver_register+0x50/0x60
> [   27.831831]  vc4_drm_register+0x54/0x1000 [vc4]
> [   27.831981]  do_one_initcall+0xa8/0x350
> [   27.831992]  do_init_module+0xe8/0x3a4
> [   27.832004]  load_module+0x3298/0x3820
> [   27.832015]  __do_sys_finit_module+0x110/0x170
> [   27.832026]  __arm64_sys_finit_module+0x50/0x6c
> [   27.832037]  el0_svc_common.constprop.0+0xa0/0x1a0
> [   27.832051]  do_el0_svc+0x90/0xb0
> [   27.832063]  el0_svc+0x20/0x30
> [   27.832076]  el0_sync_handler+0x1a4/0x1b0
> [   27.832090]  el0_sync+0x180/0x1c0
> 
> [   27.832102] The buggy address belongs to the object at ffff2b83c2956500
>                 which belongs to the cache kmalloc-128 of size 128
> [   27.832111] The buggy address is located 64 bytes inside of
>                 128-byte region [ffff2b83c2956500, ffff2b83c2956580)
> [   27.832123] The buggy address belongs to the page:
> [   27.832128] page:0000000013b6837e refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x42956
> [   27.832141] flags: 0x4000000000000200(slab)
> [   27.832160] raw: 4000000000000200 fffffcae0f0a5680 0000001000000002 ffff2b83c0002300
> [   27.832171] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
> [   27.832177] page dumped because: kasan: bad access detected
> 
> [   27.832185] Memory state around the buggy address:
> [   27.832192]  ffff2b83c2956400: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
> [   27.832201]  ffff2b83c2956480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [   27.832209] >ffff2b83c2956500: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
> [   27.832214]                                            ^
> [   27.832221]  ffff2b83c2956580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [   27.832229]  ffff2b83c2956600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [   27.832234] ==================================================================
> [   27.832239] Disabling lock debugging due to kernel taint
> [   28.373731] vc4-drm gpu: [drm] fb0: vc4drmfb frame buffer device
> [   28.602388] vc4_hdmi fef00700.hdmi: ASoC: error at snd_soc_dai_startup on fef00700.hdmi: -19
> [   28.610889] vc4_hdmi fef00700.hdmi: ASoC: error at snd_soc_dai_startup on fef00700.hdmi: -19
> [   28.672737] vc4_hdmi fef00700.hdmi: ASoC: error at snd_soc_dai_startup on fef00700.hdmi: -19
> [   28.679625] vc4_hdmi fef00700.hdmi: ASoC: error at snd_soc_dai_startup on fef00700.hdmi: -19
> [   28.689390] vc4_hdmi fef00700.hdmi: ASoC: error at snd_soc_dai_startup on fef00700.hdmi: -19
> [   28.695457] vc4_hdmi fef00700.hdmi: ASoC: error at snd_soc_dai_startup on fef00700.hdmi: -19
> [   28.701659] vc4_hdmi fef00700.hdmi: ASoC: error at snd_soc_dai_startup on fef00700.hdmi: -19
> [   28.747178] vc4_hdmi fef05700.hdmi: ASoC: error at snd_soc_dai_startup on fef05700.hdmi: -19
> [   28.754082] vc4_hdmi fef05700.hdmi: ASoC: error at snd_soc_dai_startup on fef05700.hdmi: -19
> [   28.814820] vc4_hdmi fef05700.hdmi: ASoC: error at snd_soc_dai_startup on fef05700.hdmi: -19
> [   28.816158] vc4_hdmi fef05700.hdmi: ASoC: error at snd_soc_dai_startup on fef05700.hdmi: -19
> [   28.820460] vc4_hdmi fef05700.hdmi: ASoC: error at snd_soc_dai_startup on fef05700.hdmi: -19
> [   28.821131] vc4_hdmi fef05700.hdmi: ASoC: error at snd_soc_dai_startup on fef05700.hdmi: -19
> [   28.821646] vc4_hdmi fef05700.hdmi: ASoC: error at snd_soc_dai_startup on fef05700.hdmi: -19
> 
> 
> I have a hunch this shouldn't be there.
> 
> Is this enough data you can work with? If I can be of any more help, I'll
> be happy to assist. I am just not a hacker or coder.

I tried to reproduce it here, but couldn't come up with that error.

Can you share a bit more information on the system you're seeing it on?
What's your configuration, when does the issue come up?

Thanks!
Maxime