Hi Laurent,
This is a friendly ping to get your feedback on my reply below. I don't think
the Fixes tag is incorrect here. Please could you take another look and let me
know if I can resend with your Reviewed-by?
Kind regards,
Alvin
On Mon, Oct 16, 2023 at 10:42:27AM +0200, Alvin Šipraga wrote:
> Hi Laurent,
>
> Thanks for the quick review!
>
> On Mon, Oct 16, 2023 at 11:14:44AM +0300, Laurent Pinchart wrote:
> > Hello Alvin,
> >
> > On Sat, Oct 14, 2023 at 08:46:12PM +0200, Alvin Šipraga wrote:
> > > From: Mads Bligaard Nielsen <bli@xxxxxxxxxxxxxxx>
> > >
> > > Moved IRQ registration down to end of adv7511_probe().
> > >
> > > If an IRQ already is pending during adv7511_probe
> > > (before adv7511_cec_init) then cec_received_msg_ts
> > > could crash using uninitialized data:
> > >
> > > Unable to handle kernel read from unreadable memory at virtual address 00000000000003d5
> > > Internal error: Oops: 96000004 [#1] PREEMPT_RT SMP
> > > Call trace:
> > > cec_received_msg_ts+0x48/0x990 [cec]
> > > adv7511_cec_irq_process+0x1cc/0x308 [adv7511]
> > > adv7511_irq_process+0xd8/0x120 [adv7511]
> > > adv7511_irq_handler+0x1c/0x30 [adv7511]
> > > irq_thread_fn+0x30/0xa0
> > > irq_thread+0x14c/0x238
> > > kthread+0x190/0x1a8
> > >
> > > Fixes: 3b1b975003e4 ("drm: adv7511/33: add HDMI CEC support")
> >
> > Isn't the issue older than that ?
>
> I don't think so. The stacktrace shows the crash is in CEC handling code, which
> was added in the blamed commit. A static analysis of adv7511_irq_process()
> suggests that the only other place where data could be uninitialized is if the
> hpd_work is scheduled:
>
> if (process_hpd && irq0 & ADV7511_INT0_HPD && adv7511->bridge.encoder)
> schedule_work(&adv7511->hpd_work);
>
> ... but this has a check on bridge.encoder, which seems to have been introduced
> in a similar fix here:
>
> | commit a1d0503d26ea2ef04f3f013d379e8f4d29c27127
> | Author: Laurent Pinchart <laurent.pinchart+renesas@xxxxxxxxxxxxxxxx>
> | Date: Thu May 14 00:31:07 2015 +0300
> |
> | drm: adv7511: Fix crash in IRQ handler when no encoder is associated
> |
> | The ADV7511 is probed before its slave encoder init function associates
> | it with an encoder. This creates a time window during which hot plug
> | detection interrupts can occur with an encoder, resulting in a crash in
> | the IRQ handler.
> |
> | Fix this by ignoring hot plug detection IRQs when no encoder is
> | associated yet.
> |
> | Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@xxxxxxxxxxxxxxxx>
> | Acked-by: Lars-Peter Clausen <lars@xxxxxxxxxx>
> |
> | diff --git a/drivers/gpu/drm/i2c/adv7511.c b/drivers/gpu/drm/i2c/adv7511.c
> | index b728523e194f..2aaa3c88999e 100644
> | --- a/drivers/gpu/drm/i2c/adv7511.c
> | +++ b/drivers/gpu/drm/i2c/adv7511.c
> | @@ -438,7 +438,7 @@ static int adv7511_irq_process(struct adv7511 *adv7511)
> | regmap_write(adv7511->regmap, ADV7511_REG_INT(0), irq0);
> | regmap_write(adv7511->regmap, ADV7511_REG_INT(1), irq1);
> |
> | - if (irq0 & ADV7511_INT0_HDP)
> | + if (irq0 & ADV7511_INT0_HDP && adv7511->encoder)
> | drm_helper_hpd_irq_event(adv7511->encoder->dev);
> |
> | if (irq0 & ADV7511_INT0_EDID_READY || irq1 & ADV7511_INT1_DDC_ERROR) {
>
> So assuming that is the case, I am not sure which Fixes: tag I ought to
> otherwise use. What do you think?
>
> >
> > > Signed-off-by: Mads Bligaard Nielsen <bli@xxxxxxxxxxxxxxx>
> > > Signed-off-by: Alvin Šipraga <alsi@xxxxxxxxxxxxxxx>
> >
> > With the Fixes: tag updated,
> >
> > Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@xxxxxxxxxxxxxxxx>
>
> Kind regards,
> Alvin
