[PATCH] drm: phytium: fix NULL dereference issue in drm_gem_object_free

From: Li Chen <chenl311@chinatelecom.cn> driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ICGG2A ---------------------------------------------------------------------- Syzkaller crashed kernel in drm path. The root cause is that phytium_drm_gem_object_funcs is not assigned before phytium_gem_create_object enters the failed_dma_alloc label. Let's fix this issue by assigning the function earlier. Below is the crash log: ``` [ 9042.703078] [drm:phytium_gem_create_object [phytium_dc_drm]] *ERROR* fail to allocate vram buffer with size 3de4000 [ 9042.717862] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 9042.727173] fuse: Unknown parameter '0xffffffffffffffff<r00000000000000000000' [ 9042.730383] Mem abort info: [ 9042.745443] ESR = 0x0000000096000006 [ 9042.745446] EC = 0x25: DABT (current EL), IL = 32 bits [ 9042.745448] SET = 0, FnV = 0 [ 9042.745450] EA = 0, S1PTW = 0 [ 9042.745451] FSC = 0x06: level 2 translation fault [ 9042.745453] Data abort info: [ 9042.745455] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000 [ 9042.745457] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 9042.745459] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 9042.745462] user pgtable: 4k pages, 48-bit VAs, pgdp=00003000894ca000 [ 9042.745464] [0000000000000000] pgd=08003000894cb403, p4d=08003000894cb403, pud=0800300085320403, pmd=0000000000000000 [ 9042.830042] Internal error: Oops: 0000000096000006 [#1] SMP [ 9042.838310] Modules linked in: cramfs camellia_generic serpent_generic blowfish_generic blowfish_common cast5_generic cast_common des_generic libdes rmd160 tcp_bic unix_diag ansi_cprng tcp_dctcp ppp_synctty ip_set_hash_ip n_hdlc cmac pps_ldisc n_gsm nfnetlink_log slcan tcp_diag nfnetlink_cthelper atm nfsd auth_rpcgss nfs_acl twofish_generic twofish_common ccm md4 ppp_async msdos nfs lockd grace fscache crc32_generic netfs smc_diag tcp_westwood smc nfnetlink_osf vfio_iommu_type1 vfio vhost_vsock iommufd squashfs 
ib_core gfs2 snd_timer snd soundcore uhid nfnetlink_cttimeout pppoe ip_vs cuse can_bcm loop can_raw can vsock_loopback inet_diag vmw_vsock_virtio_transport_common vhost_net vhost ieee802154_socket vsock cfg80211 uinput ieee802154 vhost_iotlb pptp crypto_user l2tp_ppp pppox sctp ppp_generic slhc af_key ip6_vti ip_vti ipip sit geneve macvtap tap ipvlan macvlan hsr xfrm_interface xfrm6_tunnel tunnel4 wireguard libchacha20poly1305 chacha_neon poly1305_neon libcurve25519_generic libchacha nlmon team vcan can_dev tun [ 9042.838608] xt_conntrack nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack_netlink nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_addrtype nft_compat nf_tables overlay nfnetlink_queue authenc echainiv cls_matchall esp6 l2tp_ip6 l2tp_eth l2tp_ip l2tp_netlink l2tp_core br_netfilter sch_etf sch_fq dccp_ipv6 dccp_ipv4 dccp sch_ingress act_mirred cls_basic veth bonding tls esp4_offload esp4 psample macsec vxlan ip6_udp_tunnel udp_tunnel vrf 8021q garp mrp ip6_gre ip6_tunnel tunnel6 ip_gre ip_tunnel gre cls_u32 sch_htb dummy binfmt_misc bridge stp llc rfkill ip_set libcrc32c sunrpc vfat fat ipmi_si ipmi_devintf phytium_dc_drm ses enclosure ipmi_msghandler drm_display_helper scsi_transport_sas cec drm_kms_helper cppc_cpufreq sg drm fuse nfnetlink ext4 mbcache jbd2 sd_mod t10_pi crc64_rocksoft_generic crc64_rocksoft crc64 crct10dif_ce ghash_ce sm4_ce_gcm sm4_ce_ccm sm4_ce sm4_ce_cipher sm4 sm3_ce sha3_ce sha512_ce ahci sha512_arm64 sha2_ce libahci sha256_arm64 ice sha1_ce igb sbsa_gwdt libata megaraid_sas i2c_algo_bit i2c_core [ 9042.958095] dm_mirror dm_region_hash dm_log dm_multipath dm_mod aes_neon_bs aes_neon_blk aes_ce_blk aes_ce_cipher [last unloaded: nf_tables] [ 9043.094331] CPU: 39 PID: 127275 Comm: syz-executor.3 Kdump: loaded Not tainted 6.6.0-0001.rc3.ctl4.aarch64 #1 [ 9043.108430] Hardware name: vclusters VSFT5000 B/VSFT5000 B, BIOS KL4.2A.RC.D.170.240314.D.DX 03/14/2024 18:01:48 [ 9043.122832] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS 
BTYPE=--) [ 9043.132983] pc : drm_gem_object_free+0xc/0x40 [drm] [ 9043.140480] lr : phytium_gem_create_object+0x2ac/0x338 [phytium_dc_drm] [ 9043.150238] sp : ffff80009cd83bd0 [ 9043.155639] x29: ffff80009cd83bd0 x28: 00000000000000b2 x27: ffff80009cd83ce8 [ 9043.166023] x26: 0000000000000020 x25: 0000000000000020 x24: ffff80007b4b2d78 [ 9043.176292] x23: ffff00ff8de5b000 x22: 0000000003de4000 x21: 0000000000000000 [ 9043.186548] x20: ffff00ff8df94c80 x19: fffffffffffffff4 x18: ffffffffffffffff [ 9043.196768] x17: 6f74206c69616620 x16: 2a524f5252452a20 x15: 5d5d6d72645f6364 [ 9043.207193] x14: 5f6d756974796870 x13: 205d353732373231 x12: 545b5d3837303330 [ 9043.217647] x11: 00000000ffff7fff x10: ffff80008223b900 x9 : ffff80007b5cdcb4 [ 9043.228070] x8 : 00000000000bffe8 x7 : c0000000ffff7fff x6 : 00000000002bffa8 [ 9043.238522] x5 : ffff80008345bd08 x4 : 0000000000000000 x3 : 0000000000000000 [ 9043.248718] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff200014f5b800 [ 9043.258874] Call trace: [ 9043.263132] drm_gem_object_free+0xc/0x40 [drm] [ 9043.270239] phytium_gem_dumb_create+0x60/0x160 [phytium_dc_drm] [ 9043.279194] drm_mode_create_dumb_ioctl+0x98/0xc0 [drm] [ 9043.287188] drm_ioctl_kernel+0xdc/0x188 [drm] [ 9043.294188] drm_ioctl+0x274/0x540 [drm] [ 9043.300456] __arm64_sys_ioctl+0xb4/0x100 [ 9043.306777] invoke_syscall+0x50/0x128 [ 9043.312774] el0_svc_common.constprop.0+0xc8/0xf0 [ 9043.319953] do_el0_svc+0x24/0x38 [ 9043.325324] el0_svc+0x44/0x1b8 [ 9043.330517] el0t_64_sync_handler+0x100/0x130 [ 9043.337369] el0t_64_sync+0x188/0x190 [ 9043.343315] Code: ffff00ff aa1e03e9 952fe875 f940a001 (f9400021) [ 9043.352351] SMP: stopping secondary CPUs [ 9043.412513] Starting crashdump kernel... [ 9044.001381] Bye! 
```
Disassembler drm_gem_object_free:
```
0xffff80007b437398 <drm_gem_object_free>: mov x9, x30
0xffff80007b43739c <drm_gem_object_free+4>: bl 0xffff800080031570 <ftrace_caller>
0xffff80007b4373a0 <drm_gem_object_free+8>: ldr x1, [x0, #320]
0xffff80007b4373a4 <drm_gem_object_free+12>: ldr x1, [x1]
0xffff80007b4373a8 <drm_gem_object_free+16>: cbz x1, 0xffff80007b4373c8 <drm_gem_object_free+48>
0xffff80007b4373ac <drm_gem_object_free+20>: paciasp
0xffff80007b4373b0 <drm_gem_object_free+24>: stp x29, x30, [sp, #-16]!
0xffff80007b4373b4 <drm_gem_object_free+28>: mov x29, sp
0xffff80007b4373b8 <drm_gem_object_free+32>: blr x1
0xffff80007b4373bc <drm_gem_object_free+36>: ldp x29, x30, [sp], #16
0xffff80007b4373c0 <drm_gem_object_free+40>: autiasp
0xffff80007b4373c4 <drm_gem_object_free+44>: ret
0xffff80007b4373c8 <drm_gem_object_free+48>: brk #0x800
0xffff80007b4373cc <drm_gem_object_free+52>: ret
0xffff80007b4373d0 <drm_gem_object_free+56>: .inst 0x865baea8 ; undefined
0xffff80007b4373d4 <drm_gem_object_free+60>: .inst 0xffff00ff ; undefined
```
ldr x1, [x1] <-- trapping instruction

Signed-off-by: Li Chen <chenl311@chinatelecom.cn>
Reviewed-by: Bin Lai <laib2@chinatelecom.cn>
Reviewed-by: Shuo Li <lishuo@phytium.com.cn>
---
 drivers/gpu/drm/phytium/phytium_gem.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/phytium/phytium_gem.c b/drivers/gpu/drm/phytium/phytium_gem.c
index 2cbbcd9fbd112..95b6b0360c065 100644
--- a/drivers/gpu/drm/phytium/phytium_gem.c
+++ b/drivers/gpu/drm/phytium/phytium_gem.c
@@ -432,6 +432,8 @@ struct phytium_gem_object *phytium_gem_create_object(struct drm_device *dev, uns
 goto failed_object_init;
 }
 
+ phytium_gem_obj->base.funcs = &phytium_drm_gem_object_funcs;
+
 if (priv->support_memory_type & (MEMORY_TYPE_VRAM_WC | MEMORY_TYPE_VRAM_DEVICE)) {
 ret = phytium_memory_pool_alloc(priv, &phytium_gem_obj->vaddr,
 &phytium_gem_obj->phys_addr, size);
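Review bot: With `base.funcs` now assigned before the VRAM/DMA allocation, the failed_dma_alloc path (outside this hunk) no longer hits the NULL callback, but it will now run the driver's free callback on an object whose vaddr/phys_addr have not been filled in and whose `list` entry is only linked by the `list_add_tail` that follows in the second hunk. It is worth confirming that the callback tolerates that partially initialised state (no unconditional unmap of vaddr, no list_del of a never-added entry) rather than relying on it implicitly. A short comment above the added line, such as `/* Set before any allocation so the error path's drm_gem_object_free() has a valid callback. */`, would record why the ordering matters so a later refactor does not move it back. phytium_gem_create_object starts and ends outside the hunk.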
@@ -475,8 +477,6 @@ struct phytium_gem_object *phytium_gem_create_object(struct drm_device *dev, uns
 goto failed_dma_alloc;
 }
 
- phytium_gem_obj->base.funcs = &phytium_drm_gem_object_funcs;
-
 phytium_gem_obj->size = size;
 list_add_tail(&phytium_gem_obj->list, &priv->gem_list_head);
 DRM_DEBUG_KMS("phytium_gem_obj iova:0x%pa size:0x%lx\n",
-- 
2.49.0