diff options
| author | Sean Paul <seanpaul@chromium.org> | 2018-12-03 14:55:56 -0500 |
|---|---|---|
| committer | Rob Clark <robdclark@gmail.com> | 2018-12-11 13:07:11 -0500 |
| commit | ff5952a72cb4d04c976eeffd8443e4eef22e1bfb (patch) | |
| tree | 512cb97cb4e4ad888ed54b80dd708e616036b12b | |
| parent | e6f6d63ed14c20528aa6df05a8f0707c183c6ba3 (diff) | |
drm/msm: dpu: Allocate proper amount for dpu_crtc_state
Since dpu_crtc subclasses crtc_state, we need a custom .reset hook in
order to allocate the right amount of memory to accommodate the
additional struct members in dpu_crtc_state. So bring it [partially]
back.
Relevant KASAN splat:
[ 10.333382] ==================================================================
[ 10.344288] BUG: KASAN: slab-out-of-bounds in kmemdup+0x50/0x80
[ 10.350390] Read of size 736 at addr ffffffc0d9f06080 by task frecon/394
[ 10.358861] CPU: 6 PID: 394 Comm: frecon Tainted: G W 4.19.4 #121
[ 10.366476] Hardware name: Google Cheza (rev2) (DT)
[ 10.371514] Call trace:
[ 10.374087] dump_backtrace+0x0/0x194
[ 10.377878] show_stack+0x20/0x28
[ 10.381330] dump_stack+0xa0/0xc8
[ 10.384783] print_address_description+0x78/0x2e0
[ 10.389639] kasan_report+0x290/0x2d0
[ 10.393428] check_memory_region+0x20/0x14c
[ 10.397740] __asan_loadN+0x14/0x1c
[ 10.401345] kmemdup+0x50/0x80
[ 10.404524] dpu_crtc_duplicate_state+0x58/0xa0
[ 10.409228] drm_atomic_get_crtc_state+0xac/0x178
[ 10.414095] __drm_atomic_helper_set_config+0x54/0x4a4
[ 10.419393] drm_atomic_helper_set_config+0x60/0xb4
[ 10.424435] drm_mode_setcrtc+0x720/0x760
[ 10.428570] drm_ioctl_kernel+0xd8/0x13c
[ 10.432617] drm_ioctl+0x380/0x4f4
[ 10.436150] drm_compat_ioctl+0x54/0x13c
[ 10.440219] __arm64_compat_sys_ioctl+0x1d8/0xef4
[ 10.445086] el0_svc_common+0xd8/0x138
[ 10.448961] el0_svc_compat_handler+0x58/0x68
[ 10.453463] el0_svc_compat+0x8/0x18
[ 10.458712] Allocated by task 56:
[ 10.462148] kasan_kmalloc.part.4+0x48/0xf4
[ 10.466465] kasan_kmalloc+0x8c/0xa0
[ 10.470165] kmem_cache_alloc_trace+0x25c/0x27c
[ 10.474848] drm_atomic_helper_crtc_reset+0x68/0x98
[ 10.479877] drm_mode_config_reset+0xc4/0x19c
[ 10.484383] msm_drm_bind+0x814/0x8dc
[ 10.488169] try_to_bring_up_master.part.7+0x48/0xac
[ 10.493282] component_master_add_with_match+0x158/0x198
[ 10.498758] msm_pdev_probe+0x328/0x348
[ 10.502736] platform_drv_probe+0x74/0xc8
[ 10.506877] really_probe+0x1ac/0x35c
[ 10.510659] driver_probe_device+0xd4/0x118
[ 10.514975] __device_attach_driver+0xc8/0xf4
[ 10.519477] bus_for_each_drv+0xb4/0xe4
[ 10.523439] __device_attach+0xd0/0x158
[ 10.527394] device_initial_probe+0x24/0x30
[ 10.531715] bus_probe_device+0x50/0xe4
[ 10.535681] deferred_probe_work_func+0xac/0xdc
[ 10.540376] process_one_work+0x3f0/0x6d4
[ 10.544521] worker_thread+0x3f4/0x520
[ 10.548399] kthread+0x1b4/0x1c8
[ 10.551740] ret_from_fork+0x10/0x18
[ 10.556986] Freed by task 0:
[ 10.559967] (stack is not available)
[ 10.565216] The buggy address belongs to the object at ffffffc0d9f06080
which belongs to the cache kmalloc-1024 of size 1024
[ 10.578268] The buggy address is located 0 bytes inside of
1024-byte region [ffffffc0d9f06080, ffffffc0d9f06480)
[ 10.590248] The buggy address belongs to the page:
[ 10.595195] page:ffffffbf0367c000 count:1 mapcount:0 mapping:ffffffc0de40f680 index:0x0 compound_mapcount: 0
[ 10.605321] flags: 0x4000000000008100(slab|head)
[ 10.610100] raw: 4000000000008100 ffffffbf0369fa08 ffffffbf0367f008 ffffffc0de40f680
[ 10.618077] raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
[ 10.626049] page dumped because: kasan: bad access detected
[ 10.633341] Memory state around the buggy address:
[ 10.638282] ffffffc0d9f06180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 10.645710] ffffffc0d9f06200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 10.653139] >ffffffc0d9f06280: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[ 10.660571] ^
[ 10.665774] ffffffc0d9f06300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 10.673210] ffffffc0d9f06380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 10.680639] ==================================================================
Fixes: a6ba45afda41 (drm/msm/dpu: Replace dpu_crtc_reset by atomic helper)
Cc: Sean Paul <seanpaul@chromium.org>
Cc: Bruce Wang <bzwang@chromium.org>
Cc: Rob Clark <robdclark@gmail.com>
Reviewed-by: Bruce Wang <bzwang@chromium.org>
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
| -rw-r--r-- | drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c index cb62ef092c20..d8ca312fc30c 100644 --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c @@ -819,6 +819,18 @@ static void _dpu_crtc_vblank_enable_no_lock( } } +static void dpu_crtc_reset(struct drm_crtc *crtc) +{ + struct dpu_crtc_state *cstate; + + if (crtc->state) + dpu_crtc_destroy_state(crtc, crtc->state); + + crtc->state = kzalloc(sizeof(*cstate), GFP_KERNEL); + if (crtc->state) + crtc->state->crtc = crtc; +} + /** * dpu_crtc_duplicate_state - state duplicate hook * @crtc: Pointer to drm crtc structure @@ -1466,7 +1478,7 @@ static const struct drm_crtc_funcs dpu_crtc_funcs = { .set_config = drm_atomic_helper_set_config, .destroy = dpu_crtc_destroy, .page_flip = drm_atomic_helper_page_flip, - .reset = drm_atomic_helper_crtc_reset, + .reset = dpu_crtc_reset, .atomic_duplicate_state = dpu_crtc_duplicate_state, .atomic_destroy_state = dpu_crtc_destroy_state, .late_register = dpu_crtc_late_register, |