From patchwork Mon Dec  3 19:55:56 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sean Paul <sean@poorly.run>
X-Patchwork-Id: 10710477
Return-Path: <linux-arm-msm-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1E1331057
	for <patchwork-linux-arm-msm@patchwork.kernel.org>;
 Mon,  3 Dec 2018 19:56:08 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0FB712B09F
	for <patchwork-linux-arm-msm@patchwork.kernel.org>;
 Mon,  3 Dec 2018 19:56:08 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 03CCF2B2F2; Mon,  3 Dec 2018 19:56:08 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.7 required=2.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 565532B1B6
	for <patchwork-linux-arm-msm@patchwork.kernel.org>;
 Mon,  3 Dec 2018 19:56:07 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1725850AbeLCT4H (ORCPT
        <rfc822;patchwork-linux-arm-msm@patchwork.kernel.org>);
        Mon, 3 Dec 2018 14:56:07 -0500
Received: from mail-yw1-f67.google.com ([209.85.161.67]:36089 "EHLO
        mail-yw1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1725912AbeLCT4H (ORCPT
        <rfc822;linux-arm-msm@vger.kernel.org>);
        Mon, 3 Dec 2018 14:56:07 -0500
Received: by mail-yw1-f67.google.com with SMTP id y194so5932136ywg.3
        for <linux-arm-msm@vger.kernel.org>;
 Mon, 03 Dec 2018 11:56:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=poorly.run; s=google;
        h=from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=ZInVpnacUHxMSXeSTPypbWc2NGg+hMa1Dh0clUuHnss=;
        b=bu5feQgdFot/KQVAKYf+7zd8+3ap9B6xx8V8c8TlsF8dhXr2uBep2EtszkMCXP/MgC
         qS8RcXNt8Ifs8IzPTxUWCjsxcK88E895eCs3oGmz7CxwdANljB9r1ufgUCkV2j20sR8K
         XGsBT9xPoLF4fggkLKqrUQn2lwO/Nm//SDdOCSUv2o4gfNFOOmU3PJ3Z/Qm3IqjT+fan
         0Oi5yoWV3cpBBh5LwPPovmEhBeuilFRbx93/hRilT5YRcfnFnMLlAtYRLqrRo+oJkIxQ
         n/k+ffD9/onI+kbLxd59akbT8tNb3QyyJkq34DqGaK0utmgzS0Oh43uIFpU+XOumPycE
         s7tQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=ZInVpnacUHxMSXeSTPypbWc2NGg+hMa1Dh0clUuHnss=;
        b=eX1Ww+Yyho/fUyFd5GjAWbHcY+IqcRwTPy+jPppHkjARbDrxZi9kXNgzuze0XwALPd
         ItMes+e0vA6DhI98KCig/E1iaFlpakWw6jFoE+3Yk7zDzZ4GUgkdafrWE7kTf6AS+xnK
         MfP7wvYZYzsOceH1pRa8xz700xrybl82MpUEVKjjrNMHdbQQPQ84fXdxre5VQ7DnAYzF
         Yc4WNtJ7swhMsC8h3/dooEwhrlQl88HvnEMo+H4aghIw7LAWzYXZrYq4rDl62O9FfMcb
         IG2SobNO0oxVet8X0y/qir86cyl2yDz74s2helW0tccCGePqdy6zJBFk0EzSCBIZLczz
         4OJA==
X-Gm-Message-State: AA+aEWakegxxrZpI8C0tPNJypF+XR+sTnmiXqYa4+gfwPGSS11yZxIGn
        X4AQLv5boE/USSkLYw1NLVLtKQ==
X-Google-Smtp-Source: 
 AFSGD/VaKvOgj2fGSYqg28hEvWwJje9pNPpzu2tLyf3Z0aXejJrRt8rv+kHB0PpBXVRYO9nSKT/a3A==
X-Received: by 2002:a81:e40d:: with SMTP id
 r13mr17717006ywl.265.1543866965357;
        Mon, 03 Dec 2018 11:56:05 -0800 (PST)
Received: from rosewood.cam.corp.google.com
 ([2620:0:1013:11:ad55:b1db:adfe:3b9f])
        by smtp.gmail.com with ESMTPSA id
 j6sm5013276ywi.110.2018.12.03.11.56.04
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 03 Dec 2018 11:56:04 -0800 (PST)
From: Sean Paul <sean@poorly.run>
Cc: Sean Paul <seanpaul@chromium.org>,
        Bruce Wang <bzwang@chromium.org>,
        Rob Clark <robdclark@gmail.com>, linux-arm-msm@vger.kernel.org,
        dri-devel@lists.freedesktop.org, freedreno@lists.freedesktop.org
Subject: [PATCH] drm/msm: dpu: Allocate proper amount for dpu_crtc_state
Date: Mon,  3 Dec 2018 14:55:56 -0500
Message-Id: <20181203195604.65338-1-sean@poorly.run>
X-Mailer: git-send-email 2.20.0.rc1.387.gf8505762e3-goog
MIME-Version: 1.0
To: unlisted-recipients:; (no To-header on input)
Sender: linux-arm-msm-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-arm-msm.vger.kernel.org>
X-Mailing-List: linux-arm-msm@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Sean Paul <seanpaul@chromium.org>

Since dpu_crtc subclasses crtc_state, we need a custom .reset hook in
order to allocate the right amount of memory to accommodate the
additional struct members in dpu_crtc_state. So bring it [partially]
back.

Relevant KASAN splat:
[   10.333382] ==================================================================
[   10.344288] BUG: KASAN: slab-out-of-bounds in kmemdup+0x50/0x80
[   10.350390] Read of size 736 at addr ffffffc0d9f06080 by task frecon/394

[   10.358861] CPU: 6 PID: 394 Comm: frecon Tainted: G        W         4.19.4 #121
[   10.366476] Hardware name: Google Cheza (rev2) (DT)
[   10.371514] Call trace:
[   10.374087]  dump_backtrace+0x0/0x194
[   10.377878]  show_stack+0x20/0x28
[   10.381330]  dump_stack+0xa0/0xc8
[   10.384783]  print_address_description+0x78/0x2e0
[   10.389639]  kasan_report+0x290/0x2d0
[   10.393428]  check_memory_region+0x20/0x14c
[   10.397740]  __asan_loadN+0x14/0x1c
[   10.401345]  kmemdup+0x50/0x80
[   10.404524]  dpu_crtc_duplicate_state+0x58/0xa0
[   10.409228]  drm_atomic_get_crtc_state+0xac/0x178
[   10.414095]  __drm_atomic_helper_set_config+0x54/0x4a4
[   10.419393]  drm_atomic_helper_set_config+0x60/0xb4
[   10.424435]  drm_mode_setcrtc+0x720/0x760
[   10.428570]  drm_ioctl_kernel+0xd8/0x13c
[   10.432617]  drm_ioctl+0x380/0x4f4
[   10.436150]  drm_compat_ioctl+0x54/0x13c
[   10.440219]  __arm64_compat_sys_ioctl+0x1d8/0xef4
[   10.445086]  el0_svc_common+0xd8/0x138
[   10.448961]  el0_svc_compat_handler+0x58/0x68
[   10.453463]  el0_svc_compat+0x8/0x18

[   10.458712] Allocated by task 56:
[   10.462148]  kasan_kmalloc.part.4+0x48/0xf4
[   10.466465]  kasan_kmalloc+0x8c/0xa0
[   10.470165]  kmem_cache_alloc_trace+0x25c/0x27c
[   10.474848]  drm_atomic_helper_crtc_reset+0x68/0x98
[   10.479877]  drm_mode_config_reset+0xc4/0x19c
[   10.484383]  msm_drm_bind+0x814/0x8dc
[   10.488169]  try_to_bring_up_master.part.7+0x48/0xac
[   10.493282]  component_master_add_with_match+0x158/0x198
[   10.498758]  msm_pdev_probe+0x328/0x348
[   10.502736]  platform_drv_probe+0x74/0xc8
[   10.506877]  really_probe+0x1ac/0x35c
[   10.510659]  driver_probe_device+0xd4/0x118
[   10.514975]  __device_attach_driver+0xc8/0xf4
[   10.519477]  bus_for_each_drv+0xb4/0xe4
[   10.523439]  __device_attach+0xd0/0x158
[   10.527394]  device_initial_probe+0x24/0x30
[   10.531715]  bus_probe_device+0x50/0xe4
[   10.535681]  deferred_probe_work_func+0xac/0xdc
[   10.540376]  process_one_work+0x3f0/0x6d4
[   10.544521]  worker_thread+0x3f4/0x520
[   10.548399]  kthread+0x1b4/0x1c8
[   10.551740]  ret_from_fork+0x10/0x18

[   10.556986] Freed by task 0:
[   10.559967] (stack is not available)

[   10.565216] The buggy address belongs to the object at ffffffc0d9f06080
                which belongs to the cache kmalloc-1024 of size 1024
[   10.578268] The buggy address is located 0 bytes inside of
                1024-byte region [ffffffc0d9f06080, ffffffc0d9f06480)
[   10.590248] The buggy address belongs to the page:
[   10.595195] page:ffffffbf0367c000 count:1 mapcount:0 mapping:ffffffc0de40f680 index:0x0 compound_mapcount: 0
[   10.605321] flags: 0x4000000000008100(slab|head)
[   10.610100] raw: 4000000000008100 ffffffbf0369fa08 ffffffbf0367f008 ffffffc0de40f680
[   10.618077] raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
[   10.626049] page dumped because: kasan: bad access detected

[   10.633341] Memory state around the buggy address:
[   10.638282]  ffffffc0d9f06180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   10.645710]  ffffffc0d9f06200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   10.653139] >ffffffc0d9f06280: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[   10.660571]                                         ^
[   10.665774]  ffffffc0d9f06300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   10.673210]  ffffffc0d9f06380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   10.680639] ==================================================================

Fixes: a6ba45afda41 ("drm/msm/dpu: Replace dpu_crtc_reset by atomic helper")
Cc: Sean Paul <seanpaul@chromium.org>
Cc: Bruce Wang <bzwang@chromium.org>
Cc: Rob Clark <robdclark@gmail.com>
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Reviewed-by: Bruce Wang <bzwang@chromium.org>
---
 drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c
index 1e3e57817b72b..d27ea2a95f85b 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c
@@ -819,6 +819,18 @@ static void _dpu_crtc_vblank_enable_no_lock(
 	}
 }
 
+static void dpu_crtc_reset(struct drm_crtc *crtc)
+{
+	struct dpu_crtc_state *cstate;
+
+	if (crtc->state)
+		dpu_crtc_destroy_state(crtc, crtc->state);
+
+	crtc->state = kzalloc(sizeof(*cstate), GFP_KERNEL);
+	if (crtc->state)
+		crtc->state->crtc = crtc;
+}
+
 /**
  * dpu_crtc_duplicate_state - state duplicate hook
  * @crtc: Pointer to drm crtc structure
@@ -1466,7 +1478,7 @@ static const struct drm_crtc_funcs dpu_crtc_funcs = {
 	.set_config = drm_atomic_helper_set_config,
 	.destroy = dpu_crtc_destroy,
 	.page_flip = drm_atomic_helper_page_flip,
-	.reset = drm_atomic_helper_crtc_reset,
+	.reset = dpu_crtc_reset,
 	.atomic_duplicate_state = dpu_crtc_duplicate_state,
 	.atomic_destroy_state = dpu_crtc_destroy_state,
 	.late_register = dpu_crtc_late_register,