[PATCH] drm/mst: check connector state before dereference
Mario Limonciello
mario.limonciello at amd.com
Tue Sep 19 21:04:18 UTC 2023
On 9/19/2023 15:51, Fangzhi Zuo wrote:
> We are seeing the crash in the wild that we cannot repro ourselves.
> We want to be able to gather more data and the code should never be
> allowed to crash.
>
> [ 8.433306] BUG: kernel NULL pointer dereference, address: 0000000000000008
> [ 8.433318] #PF: supervisor read access in kernel mode
> [ 8.433323] #PF: error_code(0x0000) - not-present page
> [ 8.433327] PGD 0 P4D 0
> [ 8.433333] Oops: 0000 [#1] PREEMPT SMP NOPTI
> [ 8.433339] CPU: 7 PID: 488 Comm: Xorg Tainted: G OE 6.2.10-arch1-1-00004-g72efbf0a04ca #2 cb04c5bbf595f3de9363c870cd584da0b91be458
> [ 8.433348] Hardware name: HP HP ProBook 445 G6/85D9, BIOS R80 Ver. 01.21.01 07/28/2022
> [ 8.433351] RIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]
> [ 8.433387] Code: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8b 40 08 4d 8d 65 38 8b 88 90 00 00 00 b8 01 00 00 00 d3 e0 41
> [ 8.433392] RSP: 0018:ffffb7b540ee36b0 EFLAGS: 00010293
> [ 8.433397] RAX: 0000000000000000 RBX: ffff90d6064ae780 RCX: 0000000000000224
> [ 8.433401] RDX: ffff90d6069e0400 RSI: ffff90d60c496568 RDI: ffff90d6064ae780
> [ 8.433405] RBP: ffff90d60c483000 R08: 0000000000000407 R09: ffff90d608c8e850
> [ 8.433408] R10: 0000000000000002 R11: 0000000000000000 R12: ffffb7b540ee3798
> [ 8.433411] R13: ffff90d607ab9660 R14: ffff90d60c496568 R15: 0000000000000224
> [ 8.433415] FS: 00007fead406e440(0000) GS:ffff90d9201c0000(0000) knlGS:0000000000000000
> [ 8.433419] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 8.433423] CR2: 0000000000000008 CR3: 0000000102f96000 CR4: 00000000003506e0
> [ 8.433427] Call Trace:
> [ 8.433431] <TASK>
> [ 8.433437] compute_mst_dsc_configs_for_link+0x31a/0xab0 [amdgpu b041282416fbbcc9f3f3583485c4c54bacfbbcf9]
> [ 8.434321] ? get_page_from_freelist+0x14a5/0x1630
> [ 8.434338] compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu b041282416fbbcc9f3f3583485c4c54bacfbbcf9]
> [ 8.435205] amdgpu_dm_atomic_check+0xf33/0x11b0 [amdgpu b041282416fbbcc9f3f3583485c4c54bacfbbcf9]
> [ 8.435985] drm_atomic_check_only+0x5c0/0xa30
> [ 8.435994] drm_atomic_commit+0x5a/0xd0
> [ 8.436001] ? __pfx___drm_printfn_info+0x10/0x10
> [ 8.436008] drm_atomic_helper_set_config+0x74/0xb0
> [ 8.436014] drm_mode_setcrtc+0x515/0x7e0
> [ 8.436023] ? __pfx_drm_mode_setcrtc+0x10/0x10
> [ 8.436029] drm_ioctl_kernel+0xcd/0x170
> [ 8.436036] drm_ioctl+0x233/0x410
> [ 8.436040] ? __pfx_drm_mode_setcrtc+0x10/0x10
> [ 8.436049] amdgpu_drm_ioctl+0x4e/0x90 [amdgpu b041282416fbbcc9f3f3583485c4c54bacfbbcf9]
> [ 8.436755] __x64_sys_ioctl+0x94/0xd0
> [ 8.436763] do_syscall_64+0x5f/0x90
> [ 8.436772] ? amdgpu_drm_ioctl+0x71/0x90 [amdgpu b041282416fbbcc9f3f3583485c4c54bacfbbcf9]
> [ 8.437477] ? __x64_sys_ioctl+0xac/0xd0
> [ 8.437484] ? syscall_exit_to_user_mode+0x1b/0x40
> [ 8.437492] ? do_syscall_64+0x6b/0x90
> [ 8.437499] ? amdgpu_drm_ioctl+0x71/0x90 [amdgpu b041282416fbbcc9f3f3583485c4c54bacfbbcf9]
> [ 8.438193] ? __x64_sys_ioctl+0xac/0xd0
> [ 8.438199] ? syscall_exit_to_user_mode+0x1b/0x40
> [ 8.438205] ? do_syscall_64+0x6b/0x90
> [ 8.438211] ? syscall_exit_to_user_mode+0x1b/0x40
> [ 8.438217] ? do_syscall_64+0x6b/0x90
> [ 8.438223] entry_SYSCALL_64_after_hwframe+0x72/0xdc
> [ 8.438231] RIP: 0033:0x7fead4a3f53f
> [ 8.438258] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00 00
> [ 8.438262] RSP: 002b:00007ffd20e26be0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> [ 8.438268] RAX: ffffffffffffffda RBX: 0000564cc75abfa0 RCX: 00007fead4a3f53f
> [ 8.438271] RDX: 00007ffd20e26c70 RSI: 00000000c06864a2 RDI: 000000000000000f
> [ 8.438273] RBP: 00007ffd20e26c70 R08: 0000000000000000 R09: 0000564cc75dec90
> [ 8.438276] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000c06864a2
> [ 8.438278] R13: 000000000000000f R14: 0000564cc6cb7f00 R15: 0000564cc6ab4620
> [ 8.438286] </TASK>
> [ 8.438288] Modules linked in: cmac algif_hash algif_skcipher af_alg bnep rtw88_8822be snd_hda_codec_realtek intel_rapl_msr intel_rapl_common rtw88_8822b snd_hda_codec_generic edac_mce_amd ledtrig_audio snd_hda_codec_hdmi rtw88_pci kvm_amd rtw88_core snd_hda_intel kvm snd_intel_dspcfg mac80211 nls_iso8859_1 snd_intel_sdw_acpi uvcvideo btusb vfat snd_hda_codec irqbypass fat btrtl videobuf2_vmalloc crct10dif_pclmul crc32_pclmul videobuf2_memops polyval_clmulni btbcm libarc4 snd_hda_core videobuf2_v4l2 polyval_generic btintel gf128mul snd_hwdep btmtk ghash_clmulni_intel hid_multitouch sha512_ssse3 videodev r8169 snd_pcm cfg80211 bluetooth aesni_intel ucsi_acpi realtek typec_ucsi hp_wmi videobuf2_common crypto_simd mdio_devres sparse_keymap snd_timer sp5100_tco cryptd typec mc ecdh_generic mousedev joydev rapl platform_profile snd psmouse rfkill k10temp wmi_bmof i2c_piix4 soundcore libphy ccp roles hp_accel lis3lv02d i2c_hid_acpi i2c_amd_mp2_plat i2c_hid wireless_hotkey i2c_amd_mp2_pci
> [ 8.438385] acpi_cpufreq mac_hid vboxnetflt(OE) vboxnetadp(OE) vboxdrv(OE) sg crypto_user dm_mod fuse loop bpf_preload ip_tables x_tables ext4 crc32c_generic crc16 mbcache jbd2 hid_logitech_hidpp hid_logitech_dj usbhid amdgpu rtsx_pci_sdmmc drm_ttm_helper serio_raw atkbd ttm mmc_core libps2 drm_buddy vivaldi_fmap gpu_sched crc32c_intel xhci_pci drm_display_helper i8042 xhci_pci_renesas rtsx_pci cec video serio wmi
> [ 8.438436] CR2: 0000000000000008
> [ 8.438440] ---[ end trace 0000000000000000 ]---
> [ 8.438443] RIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]
> [ 8.438470] Code: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8b 40 08 4d 8d 65 38 8b 88 90 00 00 00 b8 01 00 00 00 d3 e0 41
> [ 8.438473] RSP: 0018:ffffb7b540ee36b0 EFLAGS: 00010293
> [ 8.438477] RAX: 0000000000000000 RBX: ffff90d6064ae780 RCX: 0000000000000224
> [ 8.438480] RDX: ffff90d6069e0400 RSI: ffff90d60c496568 RDI: ffff90d6064ae780
> [ 8.438482] RBP: ffff90d60c483000 R08: 0000000000000407 R09: ffff90d608c8e850
> [ 8.438485] R10: 0000000000000002 R11: 0000000000000000 R12: ffffb7b540ee3798
> [ 8.438487] R13: ffff90d607ab9660 R14: ffff90d60c496568 R15: 0000000000000224
> [ 8.438490] FS: 00007fead406e440(0000) GS:ffff90d9201c0000(0000) knlGS:0000000000000000
> [ 8.438493] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 8.438496] CR2: 0000000000000008 CR3: 0000000102f96000 CR4: 00000000003506e0
>
> Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2314#note_2080187
> Suggested-by: John Lindgren <john at jlindgren.net>
> Signed-off-by: Fangzhi Zuo <Jerry.Zuo at amd.com>
Considering it's being reported across stable kernels as well, if
everyone is amenable this direction I think it is worth also adding a
stable tag when committed.
Cc: stable at vger.kernel.org # 6.1+
Reviewed-by: Mario Limonciello <mario.limonciello at amd.com>
> ---
> drivers/gpu/drm/display/drm_dp_mst_topology.c | 12 ++++++++----
> 1 file changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/display/drm_dp_mst_topology.c b/drivers/gpu/drm/display/drm_dp_mst_topology.c
> index c490e8befc2f..995bf34154ec 100644
> --- a/drivers/gpu/drm/display/drm_dp_mst_topology.c
> +++ b/drivers/gpu/drm/display/drm_dp_mst_topology.c
> @@ -4314,7 +4314,9 @@ int drm_dp_atomic_find_time_slots(struct drm_atomic_state *state,
> return PTR_ERR(topology_state);
>
> conn_state = drm_atomic_get_new_connector_state(state, port->connector);
> - topology_state->pending_crtc_mask |= drm_crtc_mask(conn_state->crtc);
> + WARN_ON(!conn_state);
> + if (conn_state)
> + topology_state->pending_crtc_mask |= drm_crtc_mask(conn_state->crtc);
>
> /* Find the current allocation for this port, if any */
> payload = drm_atomic_get_mst_payload_state(topology_state, port);
> @@ -4400,12 +4402,14 @@ int drm_dp_atomic_release_time_slots(struct drm_atomic_state *state,
> bool update_payload = true;
>
> old_conn_state = drm_atomic_get_old_connector_state(state, port->connector);
> - if (!old_conn_state->crtc)
> + WARN_ON(!old_conn_state);
> + if (!old_conn_state || !old_conn_state->crtc)
> return 0;
>
> /* If the CRTC isn't disabled by this state, don't release it's payload */
> new_conn_state = drm_atomic_get_new_connector_state(state, port->connector);
> - if (new_conn_state->crtc) {
> + WARN_ON(!new_conn_state);
> + if (new_conn_state && new_conn_state->crtc) {
> struct drm_crtc_state *crtc_state =
> drm_atomic_get_new_crtc_state(state, new_conn_state->crtc);
>
> @@ -4432,7 +4436,7 @@ int drm_dp_atomic_release_time_slots(struct drm_atomic_state *state,
> return -EINVAL;
> }
>
> - if (new_conn_state->crtc)
> + if (new_conn_state && new_conn_state->crtc)
> return 0;
>
> drm_dbg_atomic(mgr->dev, "[MST PORT:%p] TU %d -> 0\n", port, payload->time_slots);
More information about the dri-devel
mailing list