arm64: dts: rockchip: rv1126b: Increase size of vop regs

windowsair · rkhuangtao · commit 9fc0dafbd05b · 2025-04-10T02:29:56.000Z
The write back related regs locate at offset 0x280, which is large than origin reg size 0x200. Access these reg will cause reg bak out of bounds. [ 1011.665341] ================================================================== [ 1011.665361] BUG: KASAN: slab-out-of-bounds in vop_mask_write+0xa1/0xd6 [ 1011.665389] Read of size 4 at addr b22e2ac0 by task vo_render_0/2007 [ 1011.665407] [ 1011.665421] CPU: 1 PID: 2007 Comm: vo_render_0 Tainted: G B O 6.1.118 friendlyarm#2 [ 1011.665442] Hardware name: Generic DT based system [ 1011.665462] unwind_backtrace from show_stack+0xb/0xc [ 1011.665495] show_stack from dump_stack_lvl+0x2b/0x34 [ 1011.665531] dump_stack_lvl from print_report+0x4b/0x304 [ 1011.665562] print_report from kasan_report+0x71/0x80 [ 1011.665589] kasan_report from vop_mask_write+0xa1/0xd6 [ 1011.665615] vop_mask_write from vop_initial+0xbff/0x1bd0 [ 1011.665641] vop_initial from vop_crtc_atomic_enable+0x519/0x6fbc [ 1011.665669] vop_crtc_atomic_enable from drm_atomic_helper_commit_modeset_enables+0x253/0x634 [ 1011.665705] drm_atomic_helper_commit_modeset_enables from rockchip_drm_atomic_helper_commit_tail_rpm+0xa7/0x7c8 [ 1011.665744] rockchip_drm_atomic_helper_commit_tail_rpm from commit_tail+0xe7/0x200 [ 1011.665780] commit_tail from drm_atomic_helper_commit+0x159/0x164 [ 1011.665811] drm_atomic_helper_commit from drm_atomic_commit+0x181/0x1b0 [ 1011.665851] drm_atomic_commit from drm_mode_atomic_ioctl+0xbb5/0xe28 [ 1011.665888] drm_mode_atomic_ioctl from drm_ioctl+0x4af/0x528 [ 1011.665925] drm_ioctl from vfs_ioctl+0x57/0x64 [ 1011.665956] vfs_ioctl from sys_ioctl+0x29f/0xc1c [ 1011.665983] sys_ioctl from ret_fast_syscall+0x1/0x54 [ 1011.666009] Exception stack(0xf1233fa8 to 0xf1233ff0) [ 1011.666033] 3fa0: 8b201608 8bbfe308 00000031 c03864bc 8bbfe308 8bbfe2d8 [ 1011.666056] 3fc0: 8b201608 8bbfe308 c03864bc 00000036 8b202630 8b202640 8b202650 8b202638 [ 1011.666079] 3fe0: 9c302ee4 8bbfe2c8 9c2e6f90 9c78bd18 [ 1011.666094] [ 1011.666104] Allocated by task 61: [ 1011.666117] kasan_set_track+0x17/0x1a [ 1011.666144] ____kasan_kmalloc+0x4b/0x4e [ 1011.666168] devm_kmalloc+0x1f/0xe8 [ 1011.666191] vop_bind+0xe81/0x2840 [ 1011.666212] component_bind_all+0x211/0x518 [ 1011.666237] rockchip_drm_bind+0x5c5/0x1030 [ 1011.666260] try_to_bring_up_aggregate_device+0x33d/0x3d4 [ 1011.666285] component_master_add_with_match+0x179/0x1b0 [ 1011.666310] rockchip_drm_platform_probe+0x241/0x28c [ 1011.666334] platform_probe+0xa3/0xf4 [ 1011.666352] really_probe+0x267/0x478 [ 1011.666376] __driver_probe_device+0x225/0x240 [ 1011.666399] driver_probe_device+0x41/0xb4 [ 1011.666423] __device_attach_driver+0x99/0x130 [ 1011.666446] bus_for_each_drv+0xe5/0x100 [ 1011.666467] __device_attach+0x14f/0x1e0 [ 1011.666491] bus_probe_device+0x7b/0x158 [ 1011.666513] deferred_probe_work_func+0x177/0x18c [ 1011.666537] process_one_work+0x387/0x544 [ 1011.666561] process_scheduled_works+0x37/0x38 [ 1011.666583] worker_thread+0x43d/0x52c [ 1011.666603] kthread+0x179/0x18c [ 1011.666623] ret_from_fork+0x11/0x2c [ 1011.666642] [ 1011.666653] The buggy address belongs to the object at b22e2800 [ 1011.666653] which belongs to the cache kmalloc-1k of size 1024 [ 1011.666672] The buggy address is located 704 bytes inside of [ 1011.666672] 1024-byte region [b22e2800, b22e2c00) [ 1011.666693] [ 1011.666713] The buggy address belongs to the physical page: [ 1011.666730] page:8dc7e73e refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x424e0 [ 1011.666756] head:8dc7e73e order:3 compound_mapcount:0 compound_pincount:0 [ 1011.666774] flags: 0x10200(slab|head|zone=0) [ 1011.666805] raw: 00010200 ef0a2b00 00000002 b1201700 00000000 00100010 ffffffff 00000001 [ 1011.666823] page dumped because: kasan: bad access detected [ 1011.666835] [ 1011.666845] Memory state around the buggy address: [ 1011.666861] b22e2980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 1011.666877] b22e2a00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 1011.666895] >b22e2a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 1011.666908] ^ [ 1011.666922] b22e2b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 1011.666938] b22e2b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 1011.666953] ================================================================== Fixes: 83aabef ("arm64: dts: rockchip: Add vop support for RV1126B") Change-Id: I36cf27060350c32d6630be80a5e169cdafdfb26f Signed-off-by: Chaoyi Chen <chaoyi.chen@rock-chips.com>
diff --git a/arch/arm64/boot/dts/rockchip/rv1126b.dtsi b/arch/arm64/boot/dts/rockchip/rv1126b.dtsi
@@ -3436,7 +3436,7 @@
 
 	vop: vop@22150000 {
 		compatible = "rockchip,rv1126b-vop";
-		reg = <0x22150000 0x200>, <0x22150a00 0x400>;
+		reg = <0x22150000 0x300>, <0x22150a00 0x400>;
 		reg-names = "regs", "gamma_lut";
 		rockchip,grf = <&ioc_grf>;
 		interrupts = <GIC_SPI 139 IRQ_TYPE_LEVEL_HIGH>;
