On Tue, Jun 8, 2021 at 10:56 AM Mark Rutland <mark.rutland@xxxxxxx> wrote:
>
> In vc4_atomic_commit_tail() we iterate over the set of old CRTCs, and
> attempt to wait on any channels which are still in use. When we iterate
> over the CRTCs, we have:
>
> * `i` - the index of the CRTC
> * `channel` - the channel a CRTC is using
>
> When we check the channel state, we consult:
>
>   old_hvs_state->fifo_state[channel].in_use
>
> ... but when we wait for the channel, we erroneously wait on:
>
>   old_hvs_state->fifo_state[i].pending_commit
>
> ... rather than:
>
>   old_hvs_state->fifo_state[channel].pending_commit
>
> ... and this bogus access has been observed to result in boot-time hangs
> on some arm64 configurations, and can be detected using KASAN. Fix this
> by using the correct index.
>
> I've tested this on a Raspberry Pi 3 model B v1.2 with KASAN.
...
> Link: https://lore.kernel.org/r/4d0c8318-bad8-2be7-e292-fc8f70c198de@xxxxxxxxxxx
> Link: https://lore.kernel.org/linux-arm-kernel/20210607151740.moncryl5zv3ahq4s@gilmour
> Signed-off-by: Mark Rutland <mark.rutland@xxxxxxx>
> Reported-by: Marek Szyprowski <m.szyprowski@xxxxxxxxxxx>
> Cc: Arnd Bergmann <arnd@xxxxxxxx>

Acked-by: Arnd Bergmann <arnd@xxxxxxxx>
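The index mix-up in the quoted commit message, modelled as a stand-alone C program. This is an added example, not vc4 driver code and not part of the thread: the array sizes (four CRTCs, three channels), the CRTC-to-channel assignment, the integer `pending_commit` standing in for the real commit pointer, and the `fifo_at()` bounds check standing in for KASAN are all assumptions of the model. It shows both consequences of indexing `fifo_state` by the loop index `i` instead of `channel`: for in-range values of `i` the loop waits on a different channel's commit than the one it just checked, and once `i` exceeds the number of channels the access runs off the end of the array.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model of the bug described in the patch: the loop consulted
 * fifo_state[channel].in_use but waited on fifo_state[i].pending_commit.
 * N_CRTCS > N_CHANNELS and the mapping below are assumptions for this
 * model, not vc4 hardware facts. */
#define N_CRTCS    4
#define N_CHANNELS 3

struct fifo_state {
	bool in_use;
	int  pending_commit;   /* stands in for the real commit pointer */
};

struct hvs_state {
	struct fifo_state fifo_state[N_CHANNELS];
};

/* Assumed assignment of CRTCs to HVS channels; -1 means no channel. */
static const int crtc_channel[N_CRTCS] = { 2, 0, -1, 1 };

enum { WAIT_OOB = -1, WAIT_SKIPPED = -2 };

/* Bounds-checked accessor: returns NULL where KASAN would report an
 * out-of-bounds access on the real array. */
static const struct fifo_state *fifo_at(const struct hvs_state *s, int idx)
{
	if (idx < 0 || idx >= N_CHANNELS)
		return NULL;
	return &s->fifo_state[idx];
}

/* Returns the pending_commit the loop body waits on for CRTC i, picking
 * the slot by the loop index (fixed == false, the bug) or by the channel
 * (fixed == true, the patch). */
static int channel_waited_on(const struct hvs_state *old, int i, bool fixed)
{
	int channel = crtc_channel[i];
	const struct fifo_state *st, *wait;

	if (channel < 0)
		return WAIT_SKIPPED;            /* CRTC has no channel */
	st = fifo_at(old, channel);
	if (!st || !st->in_use)
		return WAIT_SKIPPED;            /* nothing to wait for */

	wait = fifo_at(old, fixed ? channel : i);
	if (!wait)
		return WAIT_OOB;                /* i >= N_CHANNELS: bogus access */
	return wait->pending_commit;
}

/* Constructed old state: every channel in use, commit id = 100 + channel. */
static struct hvs_state make_old_state(void)
{
	struct hvs_state s;
	for (int ch = 0; ch < N_CHANNELS; ch++) {
		s.fifo_state[ch].in_use = true;
		s.fifo_state[ch].pending_commit = 100 + ch;
	}
	return s;
}

/* Which commit does CRTC `crtc` end up waiting on? */
int wait_target(int crtc, bool fixed)
{
	struct hvs_state old = make_old_state();
	return channel_waited_on(&old, crtc, fixed);
}

int main(void)
{
	for (int i = 0; i < N_CRTCS; i++)
		printf("crtc %d (channel %2d): buggy waits on %4d, fixed waits on %4d\n",
		       i, crtc_channel[i], wait_target(i, false), wait_target(i, true));
	return 0;
}
```

With the assumed mapping, CRTC 0 is on channel 2 but the buggy loop waits on channel 0's commit; CRTC 3 is on channel 1 but the buggy loop indexes slot 3, past the end of the three-entry array, which is the access KASAN catches on the real driver.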