lategoodbye / rpi-zero

Linux kernel source tree

VCHIQ functional test causes NULL ptr deref in multi_v7 #11

Closed lategoodbye closed 6 years ago

lategoodbye commented 7 years ago

Running the VCHIQ functional test on a RPi 2 (arm/multi_v7_defconfig) causes a NULL pointer dereference:

[  129.529550] Unable to handle kernel NULL pointer dereference at virtual address 00000efc
[  129.545118] pgd = c0204000
[  129.551596] [00000efc] *pgd=00000000
[  129.558930] Internal error: Oops: 817 [#1] SMP ARM
[  129.567406] Modules linked in: vc4 snd_soc_core snd_pcm_dmaengine ac97_bus snd_pcm snd_timer snd soundcore
[  129.584686] CPU: 0 PID: 93 Comm: vchiq-slot/0 Not tainted 4.11.0-rc5-next-20170404-gb7ddd1d-dirty #14
[  129.602109] Hardware name: BCM2835
[  129.609660] task: eea55800 task.stack: eef60000
[  129.618405] PC is at memcpy+0xb4/0x330
[  129.626296] LR is at 0x3020100
[  129.633475] pc : [<c05fc6d4>]    lr : [<03020100>]    psr: 00000013
[  129.633475] sp : eef61eac  ip : 0000001c  fp : f0b03000
[  129.653587] r10: 00000004  r9 : 00000000  r8 : f0f0b000
[  129.663142] r7 : c16098e8  r6 : 00000002  r5 : 00000800  r4 : f0f0b040
[  129.674047] r3 : 0000000b  r2 : ffffffe4  r1 : f0b03004  r0 : 00000efc
[  129.684989] Flags: nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
[  129.696621] Control: 10c5387d  Table: 2de3406a  DAC: 00000051
[  129.706925] Process vchiq-slot/0 (pid: 93, stack limit = 0xeef60220)
[  129.717914] Stack: (0xeef61eac to 0xeef62000)
[  129.726900] 1ea0:                            00000800 00000002 c16098e8 f0f0b000 00000efc
[  129.744629] 1ec0: f0f0b040 c0b40eb4 00000000 c034f3bc c1570ae0 00000001 0000001f f0b03000
[  129.762796] 1ee0: 00000efc f0f0b010 eef61f00 eda39800 eda398dc 00000008 f0ac2194 f0ac40b0
[  129.781511] 1f00: c1570a70 c15e9384 00000001 c0b3ab78 ee8d0018 ef883c40 eea55800 00000000
[  129.800667] 1f20: c14475f0 eef61f58 ee8a4780 c0d073b4 00000004 00000010 0000004e 000000c8
[  129.820006] 1f40: f0ac2194 f0ac2020 c15e96d8 c15e93a8 c15e9428 eda39990 fff9fee9 ffffffff
[  129.839963] 1f60: 00000000 00000000 00000000 ee9f1380 00000000 ee91b000 ee9f139c c15e9384
[  129.860084] 1f80: ee8ddda8 c0b39a70 00000000 c03603f4 ee91b000 c03602d8 00000000 00000000
[  129.880199] 1fa0: 00000000 00000000 00000000 c0308038 00000000 00000000 00000000 00000000
[  129.900740] 1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  129.921859] 1fe0: 00000000 00000000 00000000 00000000 00000013 00000000 aaaaaaa8 aaaaaaaa
[  129.943463] [<c05fc6d4>] (memcpy) from [<c0b40eb4>] (vchiq_complete_bulk+0x134/0x268)
[  129.958355] [<c0b40eb4>] (vchiq_complete_bulk) from [<c0b3ab78>] (slot_handler_func+0x1108/0x172c)
[  129.981510] [<c0b3ab78>] (slot_handler_func) from [<c03603f4>] (kthread+0x11c/0x158)
[  129.996585] [<c03603f4>] (kthread) from [<c0308038>] (ret_from_fork+0x14/0x3c)
[  130.011119] Code: e4805004 e4806004 e4807004 e4808004 (e480e004)
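As an added triage aid, not part of this issue or of the kernel tree: a small parser for the ARM32 oops format above that pulls out the fault address, the general registers and the call chain, and for a memcpy-family crash names which pointer carries the faulting address. It assumes 4 KiB pages and the ARM EABI convention that memcpy receives the destination in r0 and the source in r1; the sample lines are copied from the trace above.

```python
import re

# Lines copied from the oops above (timestamps are left in; the regexes ignore them).
OOPS = """\
[  129.529550] Unable to handle kernel NULL pointer dereference at virtual address 00000efc
[  129.618405] PC is at memcpy+0xb4/0x330
[  129.626296] LR is at 0x3020100
[  129.653587] r10: 00000004  r9 : 00000000  r8 : f0f0b000
[  129.663142] r7 : c16098e8  r6 : 00000002  r5 : 00000800  r4 : f0f0b040
[  129.674047] r3 : 0000000b  r2 : ffffffe4  r1 : f0b03004  r0 : 00000efc
[  129.943463] [<c05fc6d4>] (memcpy) from [<c0b40eb4>] (vchiq_complete_bulk+0x134/0x268)
[  129.958355] [<c0b40eb4>] (vchiq_complete_bulk) from [<c0b3ab78>] (slot_handler_func+0x1108/0x172c)
[  129.981510] [<c0b3ab78>] (slot_handler_func) from [<c03603f4>] (kthread+0x11c/0x158)
[  129.996585] [<c03603f4>] (kthread) from [<c0308038>] (ret_from_fork+0x14/0x3c)
"""

PAGE_SIZE = 4096        # assumed: 4 KiB pages, so a fault below this is NULL plus a field/page offset
MEM_HELPERS = {"memcpy", "memmove", "memset"}   # arch helpers: their caller, not they, computed the pointer

def parse_arm_oops(text):
    """Extract fault address, PC symbol, general registers and call chain from an ARM32 oops."""
    fault = int(re.search(r"at virtual address ([0-9a-f]+)", text).group(1), 16)
    pc_sym = re.search(r"PC is at (\S+)", text).group(1).split("+")[0]
    regs = {r: int(v, 16) for r, v in re.findall(r"\b(r\d+)\s*:\s*([0-9a-f]{8})", text)}
    frames = re.findall(r"\((\S+?)\) from \[<[0-9a-f]+>\] \((\S+?)\)", text)
    chain = [frames[0][0]] + [callee for _, callee in frames]   # innermost frame first
    return {"fault": fault, "pc": pc_sym, "regs": regs,
            "chain": [f.split("+")[0] for f in chain]}

def triage(oops):
    """Classify the fault and, for a memcpy-family PC, name the bad pointer (ARM EABI: r0=dst, r1=src)."""
    holders = sorted(r for r, v in oops["regs"].items() if v == oops["fault"])
    verdict = {
        "kind": "null_plus_offset" if oops["fault"] < PAGE_SIZE else "wild_pointer",
        "offset": oops["fault"],
        "holders": holders,     # registers still carrying the faulting address
        # first frame that is not a generic helper: where the bad pointer was produced
        "culprit": next((f for f in oops["chain"] if f not in MEM_HELPERS), None),
    }
    if oops["pc"] in MEM_HELPERS and holders:
        verdict["bad_pointer"] = {"r0": "destination", "r1": "source"}.get(holders[0], "unknown")
    return verdict

if __name__ == "__main__":
    for key, value in triage(parse_arm_oops(OOPS)).items():
        print(f"{key}: {value}")
```

On this trace the destination register r0 holds the faulting address 0xefc, a NULL base plus a sub-page offset, and the first non-helper frame is vchiq_complete_bulk, which is where to look for the pointer computation that goes wrong.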

lategoodbye commented 7 years ago

Phil Elwell pointed out it's related to the parameter CONFIG_HIGHMEM.

lategoodbye commented 6 years ago

My bugfix has been applied: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?h=next-20171018&id=974d4d03fc020af4fa4e9e72a86f0fefa37803c5