Re: [PATCH] drm/vc4: fix vc4_atomic_commit_tail() logic

From: Arnd Bergmann
Date: Tue Jun 08 2021 - 05:09:55 EST


On Tue, Jun 8, 2021 at 10:56 AM Mark Rutland <mark.rutland@xxxxxxx> wrote:
>
> In vc4_atomic_commit_tail() we iterate over the set of old CRTCs, and
> attempt to wait on any channels which are still in use. When we iterate
> over the CRTCs, we have:
>
> * `i` - the index of the CRTC
> * `channel` - the channel a CRTC is using
>
> When we check the channel state, we consult:
>
> old_hvs_state->fifo_state[channel].in_use
>
> ... but when we wait for the channel, we erroneously wait on:
>
> old_hvs_state->fifo_state[i].pending_commit
>
> ... rather than:
>
> old_hvs_state->fifo_state[channel].pending_commit
>
> ... and this bogus access has been observed to result in boot-time hangs
> on some arm64 configurations, and can be detected using KASAN. Fix this
> by using the correct index.
>
> I've tested this on a Raspberry Pi 3 model B v1.2 with KASAN.
...
>
> Link: https://lore.kernel.org/r/4d0c8318-bad8-2be7-e292-fc8f70c198de@xxxxxxxxxxx
> Link: https://lore.kernel.org/linux-arm-kernel/20210607151740.moncryl5zv3ahq4s@gilmour
> Signed-off-by: Mark Rutland <mark.rutland@xxxxxxx>
> Reported-by: Marek Szyprowski <m.szyprowski@xxxxxxxxxxx>
> Cc: Arnd Bergmann <arnd@xxxxxxxx>

Acked-by: Arnd Bergmann <arnd@xxxxxxxx>
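
The index mix-up described in the quoted commit message, as an added example that is not part of the thread or the patch: a simplified user-space model, not the driver's code. The array sizes, the CRTC-to-channel mapping, the `int` stand-in for `pending_commit` and the names `audit_commit_tail` and `sample_state` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#define NUM_CHANNELS 3 /* assumed size of fifo_state[] in this model */
#define NUM_CRTCS 5    /* assumed: more CRTCs than channels */

struct fifo_state { bool in_use; int pending_commit; /* nonzero = pending */ };
struct hvs_state { struct fifo_state fifo_state[NUM_CHANNELS]; };
struct audit { int waits; int wrong_slot; int out_of_bounds; };

/* Constructed sample: channel used by CRTC i (not real hardware routing). */
static const unsigned int crtc_channel[NUM_CRTCS] = { 2, 0, 1, 0, 2 };

/*
 * Walk the CRTCs as the commit message describes. The in_use check always
 * indexes by `channel`; the wait indexes by `i` when buggy is true and by
 * `channel` otherwise. The index is checked before use, so the model
 * records an out-of-bounds access instead of performing it.
 */
static struct audit audit_commit_tail(const struct hvs_state *old, bool buggy)
{
    struct audit a = { 0, 0, 0 };
    for (unsigned int i = 0; i < NUM_CRTCS; i++) {
        unsigned int channel = crtc_channel[i];
        unsigned int idx = buggy ? i : channel;
        if (!old->fifo_state[channel].in_use)
            continue;
        if (idx >= NUM_CHANNELS) { /* what KASAN would flag */
            a.out_of_bounds++;
            continue;
        }
        if (idx != channel)
            a.wrong_slot++;        /* in bounds, but another channel's slot */
        if (old->fifo_state[idx].pending_commit)
            a.waits++;
    }
    return a;
}

/* Constructed state: channels 0 and 2 in use, each with a pending commit. */
static struct hvs_state sample_state(void)
{
    struct hvs_state s = { { { true, 10 }, { false, 0 }, { true, 12 } } };
    return s;
}

int main(void)
{
    struct hvs_state s = sample_state();
    struct audit bad = audit_commit_tail(&s, true);
    struct audit good = audit_commit_tail(&s, false);
    printf("buggy: waits=%d wrong=%d oob=%d\n", bad.waits, bad.wrong_slot, bad.out_of_bounds);
    printf("fixed: waits=%d wrong=%d oob=%d\n", good.waits, good.wrong_slot, good.out_of_bounds);
    return 0;
}
```

In this model the `i`-indexed variant either reads past the array or consults a different channel's slot, so an in-use channel can go un-waited; the `channel`-indexed variant waits once per CRTC whose channel is in use.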