drm/msm: NULL pointer dereference in drivers/gpu/drm/msm/msm_gem_vma.c

While I was testing the upcoming adv7533 CEC support with my Dragonboard c410
I encountered this NULL pointer dereference:

[   17.912822] Unable to handle kernel NULL pointer dereference at virtual address 000000e8
[   17.917191] user pgtable: 4k pages, 48-bit VAs, pgd = ffff800030e9f000
[   17.925249] [00000000000000e8] *pgd=00000000b0daf003, *pud=0000000000000000
[   17.931650] Internal error: Oops: 96000005 [#1] PREEMPT SMP
[   17.938395] Modules linked in: btqcomsmd btqca arc4 wcn36xx mac80211 bluetooth cfg80211 ecdh_generic r8152 snd_soc_hdmi_codec adv7511 cec
qcom_wcnss_pil msm mdt_loader drm_kms_helper msm_rng rng_core drm
[   17.943967] CPU: 0 PID: 1684 Comm: Xorg Tainted: G        W       4.13.0-rc1-dragonboard #111
[   17.962005] Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT)
[   17.970685] task: ffff800031236c00 task.stack: ffff800033fbc000
[   17.977582] PC is at msm_gem_unmap_vma+0x20/0x80 [msm]
[   17.983213] LR is at put_iova+0x60/0xb8 [msm]
[   17.988303] pc : [<ffff000000ac2d58>] lr : [<ffff000000ac07c8>] pstate: 20000145
[   17.992733] sp : ffff800033fbfb30
[   18.000193] x29: ffff800033fbfb30 x28: ffff800030b5f000
[   18.003407] x27: 00000000000000b4 x26: ffff0000009f8cd8
[   18.008789] x25: 0000000000000004 x24: dead000000000100
[   18.014085] x23: dead000000000200 x22: ffff800030b5fd40
[   18.019379] x21: ffff800030b5fc00 x20: 0000000000000000
[   18.024675] x19: ffff80003082bf00 x18: 0000000000000000
[   18.029970] x17: 0000ffffb3347e70 x16: ffff000008207638
[   18.035265] x15: 0000000000000053 x14: 0000000000000000
[   18.040560] x13: 0000000000000038 x12: 0101010101010101
[   18.045855] x11: 7f7f7f7f7f7f7f7f x10: 0000000000000040
[   18.051150] x9 : ffff800030b5f038 x8 : ffff800031657b50
[   18.056446] x7 : ffff800031657b78 x6 : 0000000000000000
[   18.061740] x5 : 0000000000000000 x4 : 00000000b5c01000
[   18.067036] x3 : 0000000000000000 x2 : ffff8000337bf300
[   18.072330] x1 : ffff80003082bf00 x0 : 0000000000000000
[   18.077629] Process Xorg (pid: 1684, stack limit = 0xffff800033fbc000)
[   18.082925] Stack: (0xffff800033fbfb30 to 0xffff800033fc0000)
[   18.089262] fb20:                                   ffff800033fbfb60 ffff000000ac07c8
[   18.095081] fb40: ffff80003082bf00 ffff800030b5fc90 ffff800030b5fc00 ffff000000abf4a0
[   18.102893] fb60: ffff800033fbfba0 ffff000000ac16b0 ffff800030b5fc00 ffff8000338ff870
[   18.110706] fb80: ffff8000338ff800 ffff800030b5fc00 ffff800030b5fda8 ffff800033fbfd80
[   18.118518] fba0: ffff800033fbfbe0 ffff0000009d4244 ffff800030b5fc00 ffff800030b5f038
[   18.126332] fbc0: ffff800033fbfbd0 ffff800030b5fc00 ffff800030b5f038 ffff0000009d4840
[   18.134144] fbe0: ffff800033fbfbf0 ffff0000009d4858 ffff800033fbfc10 ffff0000009d48e4
[   18.141955] fc00: ffff800030b5fc00 ffff8000338ffd98 ffff800033fbfc30 ffff0000009d49a4
[   18.149768] fc20: ffff800030b5fc00 ffff800030b5f000 ffff800033fbfc60 ffff0000009d4a4c
[   18.157581] fc40: ffff800030b5f050 ffff800030b5f000 0000000000000001 ffff800030b5fc00
[   18.165394] fc60: ffff800033fbfca0 ffff0000009d4ab0 0000000000000018 ffff800030b5f000
[   18.173206] fc80: ffff0000009efd28 ffff800033fbfd80 ffff8000338ff800 ffff0000009d56a8
[   18.181019] fca0: ffff800033fbfcb0 ffff0000009efd54 ffff800033fbfcc0 ffff0000009d56c8
[   18.188831] fcc0: ffff800033fbfd00 ffff0000009d58e0 ffff0000009fa6e0 00000000c00464b4
[   18.196643] fce0: 0000000000000004 ffff80003082b400 0000ffffea1f0e00 0000000000000000
[   18.204456] fd00: ffff800033fbfe00 ffff000008206f0c ffff80000335caf8 ffff80003082b400
[   18.212269] fd20: 0000ffffea1f0e00 ffff80003082b400 00000000c00464b4 0000ffffea1f0e00
[   18.220081] fd40: 0000000000000124 000000000000001d ffff0000089d2000 ffff800031236c00
[   18.227894] fd60: ffff800033fbfd80 0000000000000004 ffff0000009efd28 ffff800033fbfd80
[   18.235706] fd80: 0000000100000001 0000008000000001 0000001800000020 0000000000000001
[   18.243518] fda0: 0000000100000000 0000000100000001 0000ffff00000000 0000ffff00000000
[   18.251331] fdc0: 0000000000000124 0000000000000038 ffff0000089d2000 ffff800031236c00
[   18.259144] fde0: ffff800033fbfe40 ffff000008214124 ffff800033fbfe30 ffff000008203290
[   18.266956] fe00: ffff800033fbfe80 ffff0000082076b4 0000000000000000 ffff800030d8a000
[   18.274768] fe20: ffff80003082b400 0000000000000016 ffff800033fbfe50 ffff0000081f0488
[   18.282581] fe40: ffff800033fbfe80 ffff000008207678 0000000000000000 ffff80003082b400
[   18.290393] fe60: ffff800033fbfe70 ffff0000082138b0 ffff800033fbfe80 ffff000008207658
[   18.298207] fe80: 0000000000000000 ffff000008082f84 0000000000000000 0000800034a16000
[   18.306017] fea0: ffffffffffffffff 0000ffffb3347e7c 0000000000000000 0000000000000015
[   18.313832] fec0: 0000000000000016 00000000c00464b4 0000ffffea1f0e00 0000000000000001
[   18.321643] fee0: 0000000000000020 0000000000000080 0000000000000001 0000000000000000
[   18.329456] ff00: 000000000000001d 000000012692c5b0 0101010101010101 7f7f7f7f7f7f7f7f
[   18.337269] ff20: 0101010101010101 0000000000000038 0000000000000000 0000000000000053
[   18.345082] ff40: 0000ffffb368b2b8 0000ffffb3347e70 0000000000000000 0000ffffb3847000
[   18.352894] ff60: 0000ffffea1f0e00 00000000c00464b4 0000000000000016 0000ffffea1f0edc
[   18.360705] ff80: 000000012692ad20 0000000000000003 00000001214282e4 0000000121428388
[   18.368518] ffa0: 0000000000000000 0000ffffea1f0da0 0000ffffb367185c 0000ffffea1f0da0
[   18.376332] ffc0: 0000ffffb3347e7c 0000000000000000 0000000000000016 000000000000001d
[   18.384142] ffe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[   18.391953] Call trace:
[   18.399760] Exception stack(0xffff800033fbf950 to 0xffff800033fbfa80)
[   18.402023] f940:                                   ffff80003082bf00 0001000000000000
[   18.408622] f960: ffff800033fbfb30 ffff000000ac2d58 0000000020000145 ffff8000338ffa78
[   18.416435] f980: 0000000000000000 0000000000000000 ffff800033fbf9e0 ffff0000089afcf0
[   18.424248] f9a0: ffff80000348f230 ffff8000338ffa78 0000000000000000 0000000000000000
[   18.432060] f9c0: ffff8000338ffaa8 0000000000000001 ffff800033fbfb80 ffff0000009e8f38
[   18.439872] f9e0: ffff800033fbfa10 ffff0000089a9ff8 0000000000000027 ffff80003082b918
[   18.447684] fa00: 0000000000000000 ffff80003082bf00 ffff8000337bf300 0000000000000000
[   18.455497] fa20: 00000000b5c01000 0000000000000000 0000000000000000 ffff800031657b78
[   18.463310] fa40: ffff800031657b50 ffff800030b5f038 0000000000000040 7f7f7f7f7f7f7f7f
[   18.471122] fa60: 0101010101010101 0000000000000038 0000000000000000 0000000000000053
[   18.479062] [<ffff000000ac2d58>] msm_gem_unmap_vma+0x20/0x80 [msm]
[   18.486862] [<ffff000000ac07c8>] put_iova+0x60/0xb8 [msm]
[   18.492938] [<ffff000000ac16b0>] msm_gem_free_object+0x60/0x198 [msm]
[   18.498432] [<ffff0000009d4244>] drm_gem_object_free+0x1c/0x58 [drm]
[   18.504854] [<ffff0000009d4858>] drm_gem_object_put_unlocked+0x90/0xa0 [drm]
[   18.511273] [<ffff0000009d48e4>] drm_gem_object_handle_put_unlocked+0x64/0xd0 [drm]
[   18.518300] [<ffff0000009d49a4>] drm_gem_object_release_handle+0x54/0x98 [drm]
[   18.525679] [<ffff0000009d4a4c>] drm_gem_handle_delete+0x64/0xb8 [drm]
[   18.532968] [<ffff0000009d4ab0>] drm_gem_dumb_destroy+0x10/0x18 [drm]
[   18.539479] [<ffff0000009efd54>] drm_mode_destroy_dumb_ioctl+0x2c/0x40 [drm]
[   18.545992] [<ffff0000009d56c8>] drm_ioctl_kernel+0x68/0xe0 [drm]
[   18.553105] [<ffff0000009d58e0>] drm_ioctl+0x178/0x3b0 [drm]
[   18.558970] [<ffff000008206f0c>] do_vfs_ioctl+0xa4/0x7d0
[   18.564694] [<ffff0000082076b4>] SyS_ioctl+0x7c/0x98
[   18.569992] [<ffff000008082f84>] el0_svc_naked+0x38/0x3c
[   18.574941] Code: a90153f3 aa0003f4 f90013f5 aa0103f3 (f9407400)
[   18.580502] ---[ end trace b1ac6888ec40b0be ]---

It turns out that the aspace argument in msm_gem_unmap_vma() is NULL.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
[Note: this case gets hit with !IOMMU config]
Signed-off-by: Rob Clark <robdclark@gmail.com>

diff --git a/drivers/gpu/drm/msm/msm_gem_vma.c b/drivers/gpu/drm/msm/msm_gem_vma.c
index c36321bc87148864db09bd0af4fc38a39cb182f9..d34e331554f3903eaded86cf12fdd4a4ef24507a 100644 (file)
--- a/drivers/gpu/drm/msm/msm_gem_vma.c
+++ b/drivers/gpu/drm/msm/msm_gem_vma.c
@@ -42,7 +42,7 @@ void
 msm_gem_unmap_vma(struct msm_gem_address_space *aspace,
                struct msm_gem_vma *vma, struct sg_table *sgt)
 {
-       if (!vma->iova)
+       if (!aspace || !vma->iova)
                return;
 
        if (aspace->mmu) {