fix bi_next null pointer dereference resulting in kernel panic

Android not booting with following kernel panic call stack [ 0.453164] BUG: kernel NULL pointer dereference, address: 000000000000002e [ 0.454144] #PF: supervisor write access in kernel mode [ 0.454144] #PF: error_code(0x0002) - not-present page [ 0.454144] PGD 0 P4D 0 [ 0.454144] Oops: 0002 [#1] PREEMPT SMP NOPTI [ 0.454144] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G U 5.10.140-00002-g9fa723cd4a75-dirty #7 [ 0.454144] Hardware name: /, BIOS TL0B2001.B22 09/24/2022 [ 0.454144] RIP: 0010:tgl_get_bw_info+0x2f9/0x5d0 [ 0.454144] Code: 3b 85 4c ff ff ff 48 89 9d 18 ff ff ff 7d 1b 48 83 f9 05 74 15 8b 85 54 ff ff ff 44 89 c6 44 29 c0 99 41 f7 f8 89 c6 40 fe c6 <40> 88 77 2e 8a 55 c3 49 89 ce 48 8d 0c 49 48 c1 e1 04 41 88 94 0d [ 0.454144] RSP: 0000:ffff9c05c0063828 EFLAGS: 00010216 [ 0.454144] RAX: 0000000000000080 RBX: 0000000000000006 RCX: 0000000000000005 [ 0.454144] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 0.454144] RBP: ffff9c05c0063920 R08: 0000000000000080 R09: 0000000000000002 [ 0.454144] R10: 0000000000000018 R11: 000000000000005a R12: 0000000000004000 [ 0.454144] R13: ffff972204cb0000 R14: 0000000000000004 R15: 0000000000000001 [ 0.454144] FS: 0000000000000000(0000) GS:ffff9725a0640000(0000) knlGS:0000000000000000 [ 0.454144] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 0.454144] CR2: 000000000000002e CR3: 00000003a6014001 CR4: 00000000007f0ee0 [ 0.454144] PKRU: 55555554 [ 0.454144] Call Trace: [ 0.454144] ? i915_save_display+0x292/0x360 [ 0.454144] intel_bw_init_hw+0xbc/0x4a0 [ 0.454144] ? sandybridge_pcode_read+0x5b/0xa0 [ 0.454144] ? intel_dram_detect+0x445/0x460 [ 0.454144] i915_driver_probe+0xe4d/0xe90 [ 0.454144] ? __pm_runtime_resume+0x7c/0x90 [ 0.454144] i915_pci_probe+0x1bd/0x220 [ 0.454144] ? _raw_spin_unlock_irqrestore+0x32/0x50 [ 0.454144] pci_device_probe+0xad/0x140 [ 0.454144] really_probe+0x2ca/0x800 [ 0.454144] driver_probe_device+0xd6/0x150 [ 0.454144] device_driver_attach+0x6f/0xb0 [ 0.454144] __driver_attach+0xf7/0x220 [ 0.454144] ? driver_attach+0x20/0x20 [ 0.454144] bus_for_each_dev+0xa1/0xe0 [ 0.454144] driver_attach+0x1e/0x20 [ 0.454144] bus_add_driver+0x12e/0x240 [ 0.454144] driver_register+0x86/0x120 [ 0.454144] __pci_register_driver+0x80/0x90 [ 0.454144] ? mipi_dsi_bus_init+0x17/0x17 [ 0.454144] i915_pci_register_driver+0x1e/0x20 [ 0.454144] i915_init+0x26/0x9e [ 0.454144] ? mipi_dsi_bus_init+0x17/0x17 [ 0.454144] do_one_initcall+0x151/0x300 [ 0.454144] do_initcall_level+0xd6/0xf3 [ 0.454144] do_initcalls+0x4e/0x7a [ 0.454144] do_basic_setup+0x24/0x26 [ 0.454144] kernel_init_freeable+0x113/0x175 [ 0.454144] ? rest_init+0xc0/0xc0 [ 0.454144] kernel_init+0xe/0x190 [ 0.454144] ret_from_fork+0x1f/0x30 [ 0.454144] Modules linked in: [ 0.454144] CR2: 000000000000002e [ 0.454144] ---[ end trace 6cbf90f9839ffaee ]--- [ 0.454144] RIP: 0010:tgl_get_bw_info+0x2f9/0x5d0 Fix the issue by validating the parameter before using it. Tracked-On: OAM-105099 Signed-off-by: Jeevaka Prabu Badrappan <[email protected]>
xihua-chen · Dec 13, 2022 · ce28d41 · ce28d41
1 parent 39fb37c
commit ce28d41
Showing 1 changed file with 95 additions and 0 deletions.
diff --git a/...mmon/kernel/lts2020-yocto/0024-fix-bi_next-null-pointer-dereference-resulting-in-ke.patch b/...mmon/kernel/lts2020-yocto/0024-fix-bi_next-null-pointer-dereference-resulting-in-ke.patch
@@ -0,0 +1,95 @@
+From f0dd0776c42a6276ed7d172503fdc41fafe4a029 Mon Sep 17 00:00:00 2001
+From: Kanli Hu <[email protected]>
+Date: Fri, 18 Nov 2022 10:57:14 +0530
+Subject: [PATCH] fix bi_next null pointer dereference resulting in kernel
+ panic
+
+Android not booting with following kernel panic call stack
+[    0.453164] BUG: kernel NULL pointer dereference, address: 000000000000002e
+[    0.454144] #PF: supervisor write access in kernel mode
+[    0.454144] #PF: error_code(0x0002) - not-present page
+[    0.454144] PGD 0 P4D 0
+[    0.454144] Oops: 0002 [#1] PREEMPT SMP NOPTI
+[    0.454144] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G     U            5.10.140-00002-g9fa723cd4a75-dirty #7
+[    0.454144] Hardware name:  /, BIOS TL0B2001.B22 09/24/2022
+[    0.454144] RIP: 0010:tgl_get_bw_info+0x2f9/0x5d0
+[    0.454144] Code: 3b 85 4c ff ff ff 48 89 9d 18 ff ff ff 7d 1b 48 83 f9 05 74 15 8b 85 54 ff ff ff 44 89 c6 44 29 c0 99 41 f7 f8 89 c6 40 fe c6 <40> 88 77 2e 8a 55 c3 49 89 ce 48 8d 0c 49 48 c1 e1 04 41 88 94 0d
+[    0.454144] RSP: 0000:ffff9c05c0063828 EFLAGS: 00010216
+[    0.454144] RAX: 0000000000000080 RBX: 0000000000000006 RCX: 0000000000000005
+[    0.454144] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+[    0.454144] RBP: ffff9c05c0063920 R08: 0000000000000080 R09: 0000000000000002
+[    0.454144] R10: 0000000000000018 R11: 000000000000005a R12: 0000000000004000
+[    0.454144] R13: ffff972204cb0000 R14: 0000000000000004 R15: 0000000000000001
+[    0.454144] FS:  0000000000000000(0000) GS:ffff9725a0640000(0000) knlGS:0000000000000000
+[    0.454144] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[    0.454144] CR2: 000000000000002e CR3: 00000003a6014001 CR4: 00000000007f0ee0
+[    0.454144] PKRU: 55555554
+[    0.454144] Call Trace:
+[    0.454144]  ? i915_save_display+0x292/0x360
+[    0.454144]  intel_bw_init_hw+0xbc/0x4a0
+[    0.454144]  ? sandybridge_pcode_read+0x5b/0xa0
+[    0.454144]  ? intel_dram_detect+0x445/0x460
+[    0.454144]  i915_driver_probe+0xe4d/0xe90
+[    0.454144]  ? __pm_runtime_resume+0x7c/0x90
+[    0.454144]  i915_pci_probe+0x1bd/0x220
+[    0.454144]  ? _raw_spin_unlock_irqrestore+0x32/0x50
+[    0.454144]  pci_device_probe+0xad/0x140
+[    0.454144]  really_probe+0x2ca/0x800
+[    0.454144]  driver_probe_device+0xd6/0x150
+[    0.454144]  device_driver_attach+0x6f/0xb0
+[    0.454144]  __driver_attach+0xf7/0x220
+[    0.454144]  ? driver_attach+0x20/0x20
+[    0.454144]  bus_for_each_dev+0xa1/0xe0
+[    0.454144]  driver_attach+0x1e/0x20
+[    0.454144]  bus_add_driver+0x12e/0x240
+[    0.454144]  driver_register+0x86/0x120
+[    0.454144]  __pci_register_driver+0x80/0x90
+[    0.454144]  ? mipi_dsi_bus_init+0x17/0x17
+[    0.454144]  i915_pci_register_driver+0x1e/0x20
+[    0.454144]  i915_init+0x26/0x9e
+[    0.454144]  ? mipi_dsi_bus_init+0x17/0x17
+[    0.454144]  do_one_initcall+0x151/0x300
+[    0.454144]  do_initcall_level+0xd6/0xf3
+[    0.454144]  do_initcalls+0x4e/0x7a
+[    0.454144]  do_basic_setup+0x24/0x26
+[    0.454144]  kernel_init_freeable+0x113/0x175
+[    0.454144]  ? rest_init+0xc0/0xc0
+[    0.454144]  kernel_init+0xe/0x190
+[    0.454144]  ret_from_fork+0x1f/0x30
+[    0.454144] Modules linked in:
+[    0.454144] CR2: 000000000000002e
+[    0.454144] ---[ end trace 6cbf90f9839ffaee ]---
+[    0.454144] RIP: 0010:tgl_get_bw_info+0x2f9/0x5d0
+
+Fix the issue by validating the parameter before using it.
+
+Tracked-On: OAM-105099
+Signed-off-by: Jeevaka Prabu Badrappan <[email protected]>
+---
+ drivers/gpu/drm/i915/display/intel_bw.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_bw.c b/drivers/gpu/drm/i915/display/intel_bw.c
+index abec394f6869..0322deb94279 100644
+--- a/drivers/gpu/drm/i915/display/intel_bw.c
++++ b/drivers/gpu/drm/i915/display/intel_bw.c
+@@ -409,10 +409,12 @@ static int tgl_get_bw_info(struct drm_i915_private *dev_priv, const struct intel
+
+ 		clpchgroup = (sa->deburst * qi.deinterleave / num_channels) << i;
+
+-		if (i < num_groups - 1 && clpchgroup < clperchgroup)
+-			bi_next->num_planes = (ipqdepth - clpchgroup) / clpchgroup + 1;
+-		else
+-			bi_next->num_planes = 0;
++		if (bi_next != NULL) {
++			if (i < num_groups - 1 && clpchgroup < clperchgroup)
++				bi_next->num_planes = (ipqdepth - clpchgroup) / clpchgroup + 1;
++			else
++				bi_next->num_planes = 0;
++		}
+
+ 		bi->num_qgv_points = qi.num_points;
+ 		bi->num_psf_gv_points = qi.num_psf_points;
+-- 
+2.38.1
+