* [PATCH] drm/amdgpu/acp: Fix slab-out-of-bounds in mfd_add_device in acp_hw_init
@ 2018-04-13 16:15 ` Daniel Kurtz
  0 siblings, 0 replies; 14+ messages in thread
From: Daniel Kurtz @ 2018-04-13 16:15 UTC (permalink / raw)
  Cc: Daniel Kurtz, Alex Deucher, Christian König, David Airlie,
	Vijendar Mukunda, Akshu Agrawal, Jason Clinton,
	open list:RADEON and AMDGPU DRM DRIVERS, open list:DRM DRIVERS,
	open list

Commit 51f7415039d4 ("drm/amd/amdgpu: creating two I2S instances for
stoney/cz") added support for the "BT_I2S" ACP i2s channel.  As part of
this change, one additional acp resource was added, but the "num_resource"
count was accidentally incremented by 2.

This incorrect count eventually causes mfd_add_device() to try to access
an invalid memory address (the location of non-existent resource 5).

This fault was detected by running a KASAN enabled kernel, which produced
the following splat at boot:

[    6.612987] ==================================================================
[    6.613509] BUG: KASAN: slab-out-of-bounds in mfd_add_device+0x4bc/0x7a7
[    6.613509] Read of size 8 at addr ffff880107d4dc58 by task swapper/0/1
[    6.613509]
[    6.613509] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.14.33 #349
[    6.613509] Hardware name: Google Grunt/Grunt, BIOS Google_Grunt.10543.0.2018_04_03_1812 04/02/2018
[    6.613509] Call Trace:
[    6.613509]  dump_stack+0x4d/0x63
[    6.613509]  print_address_description+0x80/0x2d6
[    6.613509]  ? mfd_add_device+0x4bc/0x7a7
[    6.613509]  kasan_report+0x255/0x295
[    6.613509]  mfd_add_device+0x4bc/0x7a7
[    6.613509]  ? kasan_kmalloc+0x99/0xa8
[    6.613509]  ? mfd_add_devices+0x58/0xe4
[    6.613509]  ? __kmalloc+0x154/0x178
[    6.613509]  mfd_add_devices+0xa5/0xe4
[    6.613509]  acp_hw_init+0x92e/0xc4a
[    6.613509]  amdgpu_device_init+0x1dfb/0x22a2
[    6.613509]  ? kmalloc_order+0x53/0x5d
[    6.613509]  ? kmalloc_order_trace+0x23/0xb3
[    6.613509]  amdgpu_driver_load_kms+0xce/0x267
[    6.613509]  drm_dev_register+0x169/0x2fb
[    6.613509]  amdgpu_pci_probe+0x217/0x242
[    6.613509]  pci_device_probe+0x101/0x18e
[    6.613509]  driver_probe_device+0x1dd/0x419
[    6.613509]  ? ___might_sleep+0x80/0x1b6
[    6.613509]  __driver_attach+0x9f/0xc9
[    6.613509]  ? driver_probe_device+0x419/0x419
[    6.613509]  bus_for_each_dev+0xbc/0xe1
[    6.613509]  bus_add_driver+0x189/0x2c0
[    6.613509]  driver_register+0x108/0x156
[    6.613509]  ? ttm_init+0x67/0x67
[    6.613509]  do_one_initcall+0xb2/0x161
[    6.613509]  kernel_init_freeable+0x25a/0x308
[    6.613509]  ? rest_init+0xcc/0xcc
[    6.613509]  kernel_init+0x11/0x10d
[    6.613509]  ? rest_init+0xcc/0xcc
[    6.613509]  ret_from_fork+0x22/0x40
[    6.613509]
[    6.613509] Allocated by task 1:
[    6.613509]  save_stack+0x46/0xce
[    6.613509]  kasan_kmalloc+0x99/0xa8
[    6.613509]  kmem_cache_alloc_trace+0x11a/0x13e
[    6.613509]  acp_hw_init+0x210/0xc4a
[    6.613509]  amdgpu_device_init+0x1dfb/0x22a2
[    6.613509]  amdgpu_driver_load_kms+0xce/0x267
[    6.613509]  drm_dev_register+0x169/0x2fb
[    6.613509]  amdgpu_pci_probe+0x217/0x242
[    6.613509]  pci_device_probe+0x101/0x18e
[    6.613509]  driver_probe_device+0x1dd/0x419
[    6.613509]  __driver_attach+0x9f/0xc9
[    6.613509]  bus_for_each_dev+0xbc/0xe1
[    6.613509]  bus_add_driver+0x189/0x2c0
[    6.613509]  driver_register+0x108/0x156
[    6.613509]  do_one_initcall+0xb2/0x161
[    6.613509]  kernel_init_freeable+0x25a/0x308
[    6.613509]  kernel_init+0x11/0x10d
[    6.613509]  ret_from_fork+0x22/0x40
[    6.613509]
[    6.613509] Freed by task 0:
[    6.613509] (stack is not available)
[    6.613509]
[    6.613509] The buggy address belongs to the object at ffff880107d4db08
[    6.613509]  which belongs to the cache kmalloc-512 of size 512
[    6.613509] The buggy address is located 336 bytes inside of
[    6.613509]  512-byte region [ffff880107d4db08, ffff880107d4dd08)
[    6.613509] The buggy address belongs to the page:
[    6.613509] page:ffffea00041f5300 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[    6.613509] flags: 0x8000000000008100(slab|head)
[    6.613509] raw: 8000000000008100 0000000000000000 0000000000000000 0000000100120012
[    6.613509] raw: ffffea0004208520 ffff88010b001680 ffff88010b002cc0 0000000000000000
[    6.613509] page dumped because: kasan: bad access detected
[    6.613509]
[    6.613509] Memory state around the buggy address:
[    6.613509]  ffff880107d4db00: fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[    6.613509]  ffff880107d4db80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[    6.613509] >ffff880107d4dc00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[    6.613509]                                                     ^
[    6.613509]  ffff880107d4dc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[    6.613509]  ffff880107d4dd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[    6.613509] ==================================================================

Fixes: 51f7415039d4 ("drm/amd/amdgpu: creating two I2S instances for stoney/cz")
Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c
index 20f20079935b..42f0d60cf3f4 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c
@@ -402,7 +402,7 @@ static int acp_hw_init(void *handle)
 	adev->acp.acp_res[4].end = adev->acp.acp_res[4].start;
 
 	adev->acp.acp_cell[0].name = "acp_audio_dma";
-	adev->acp.acp_cell[0].num_resources = 6;
+	adev->acp.acp_cell[0].num_resources = 5;
 	adev->acp.acp_cell[0].resources = &adev->acp.acp_res[0];
 	adev->acp.acp_cell[0].platform_data = &adev->asic_type;
 	adev->acp.acp_cell[0].pdata_size = sizeof(adev->asic_type);
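Review bot: the `+` line keeps num_resources as a bare literal, so the count and the acp_res[] entries filled in above (the last one visible here is acp_res[4]) are still kept in sync by hand, which is how the count reached 6 in the first place. Consider one named constant used both where acp_res is allocated and on this line, so that adding a resource later cannot change one without the other.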
-- 
2.17.0.484.g0c8726318c-goog

^ permalink raw reply related	[flat|nested] 14+ messages in thread
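
An added example, not part of the original thread: it reads the numbers in the KASAN splat above back to the off-by-one by walking the shadow dump to find how many bytes of the object are valid and mapping the faulting address to an array element. It assumes generic KASAN's 8-byte shadow granule, that the reported object is the acp_res array, and a 64-byte struct resource (eight 8-byte members on x86_64); the function names are made up for this example.

```python
import re

# Lines copied from the splat quoted in this thread; nothing here is new data.
SPLAT = """\
[    6.613509] BUG: KASAN: slab-out-of-bounds in mfd_add_device+0x4bc/0x7a7
[    6.613509] Read of size 8 at addr ffff880107d4dc58 by task swapper/0/1
[    6.613509] The buggy address belongs to the object at ffff880107d4db08
[    6.613509]  which belongs to the cache kmalloc-512 of size 512
[    6.613509] Memory state around the buggy address:
[    6.613509]  ffff880107d4db00: fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[    6.613509]  ffff880107d4db80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[    6.613509] >ffff880107d4dc00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[    6.613509]  ffff880107d4dc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[    6.613509]  ffff880107d4dd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

GRANULE = 8  # generic KASAN: one shadow byte describes 8 bytes of memory

# Assumption: struct resource layout on x86_64 for this kernel (8 members x 8 bytes).
RESOURCE_FIELDS = ["start", "end", "name", "flags", "desc",
                   "parent", "sibling", "child"]
RESOURCE_SIZE = 8 * len(RESOURCE_FIELDS)


def parse_splat(text):
    """Extract access address/size, object base and the shadow map from a splat."""
    text = re.sub(r"^\[\s*\d+\.\d+\] ?", "", text, flags=re.M)  # drop dmesg stamps
    access = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text)
    obj = re.search(r"belongs to the object at ([0-9a-f]+)", text)
    if not access or not obj:
        raise ValueError("not a KASAN slab report")
    shadow = {}
    row_re = r"^[ >]*([0-9a-f]{16}):((?: [0-9a-f]{2}){16})[ \t]*$"
    for m in re.finditer(row_re, text, flags=re.M):
        row = int(m.group(1), 16)
        for i, byte in enumerate(m.group(2).split()):
            shadow[row + i * GRANULE] = int(byte, 16)
    return {
        "kind": access.group(1),
        "size": int(access.group(2)),
        "addr": int(access.group(3), 16),
        "object": int(obj.group(1), 16),
        "shadow": shadow,
    }


def accessible_bytes(shadow, base):
    """Bytes usable from `base` before the first poisoned granule.

    Returns None if the dumped window ends before any poison is seen,
    because the valid length is then unknown. `base` is assumed to be
    granule-aligned, as slab objects are.
    """
    total, addr = 0, base
    while addr in shadow:
        value = shadow[addr]
        if value == 0:                 # whole granule is valid
            total += GRANULE
        elif value < GRANULE:          # partial granule: first `value` bytes valid
            return total + value
        else:                          # poison, e.g. 0xfc slab redzone
            return total
        addr += GRANULE
    return None


def explain(text):
    """Relate the faulting address to an element of a struct resource array."""
    r = parse_splat(text)
    offset = r["addr"] - r["object"]
    valid = accessible_bytes(r["shadow"], r["object"])
    index, within = divmod(offset, RESOURCE_SIZE)
    return {
        "offset": offset,
        "valid_bytes": valid,
        "elements_allocated": None if valid is None else valid // RESOURCE_SIZE,
        "element_index": index,
        "field": RESOURCE_FIELDS[within // 8],
        "out_of_bounds": valid is not None and offset + r["size"] > valid,
    }


if __name__ == "__main__":
    for key, value in explain(SPLAT).items():
        print(f"{key:20} {value}")
```

The shadow dump marks 320 valid bytes, which is room for five 64-byte entries, and the read at offset 336 lands in a sixth entry (index 5), matching the "non-existent resource 5" in the commit message.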

* Re: [PATCH] drm/amdgpu/acp: Fix slab-out-of-bounds in mfd_add_device in acp_hw_init
  2018-04-13 16:15 ` Daniel Kurtz
@ 2018-04-16  3:47   ` Agrawal, Akshu
  -1 siblings, 0 replies; 14+ messages in thread
From: Agrawal, Akshu @ 2018-04-16  3:47 UTC (permalink / raw)
  To: Daniel Kurtz
  Cc: Alex Deucher, Christian König, David Airlie,
	Vijendar Mukunda, Jason Clinton,
	open list:RADEON and AMDGPU DRM DRIVERS, open list:DRM DRIVERS,
	open list



On 4/13/2018 9:45 PM, Daniel Kurtz wrote:
> Commit 51f7415039d4 ("drm/amd/amdgpu: creating two I2S instances for
> stoney/cz") added support for the "BT_I2S" ACP i2s channel.  As part of
> this change, one additional acp resource was added, but the "num_resource"
> count was accidentally incremented by 2.
> 
> This incorrect count eventually causes mfd_add_device() to try to access
> an invalid memory address (the location of non-existent resource 5).
> 
> This fault was detected by running a KASAN enabled kernel, which produced
> the following splat at boot:
> 
> [    6.612987] ==================================================================
> [    6.613509] BUG: KASAN: slab-out-of-bounds in mfd_add_device+0x4bc/0x7a7
> [    6.613509] Read of size 8 at addr ffff880107d4dc58 by task swapper/0/1
> [    6.613509]
> [    6.613509] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.14.33 #349
> [    6.613509] Hardware name: Google Grunt/Grunt, BIOS Google_Grunt.10543.0.2018_04_03_1812 04/02/2018
> [    6.613509] Call Trace:
> [    6.613509]  dump_stack+0x4d/0x63
> [    6.613509]  print_address_description+0x80/0x2d6
> [    6.613509]  ? mfd_add_device+0x4bc/0x7a7
> [    6.613509]  kasan_report+0x255/0x295
> [    6.613509]  mfd_add_device+0x4bc/0x7a7
> [    6.613509]  ? kasan_kmalloc+0x99/0xa8
> [    6.613509]  ? mfd_add_devices+0x58/0xe4
> [    6.613509]  ? __kmalloc+0x154/0x178
> [    6.613509]  mfd_add_devices+0xa5/0xe4
> [    6.613509]  acp_hw_init+0x92e/0xc4a
> [    6.613509]  amdgpu_device_init+0x1dfb/0x22a2
> [    6.613509]  ? kmalloc_order+0x53/0x5d
> [    6.613509]  ? kmalloc_order_trace+0x23/0xb3
> [    6.613509]  amdgpu_driver_load_kms+0xce/0x267
> [    6.613509]  drm_dev_register+0x169/0x2fb
> [    6.613509]  amdgpu_pci_probe+0x217/0x242
> [    6.613509]  pci_device_probe+0x101/0x18e
> [    6.613509]  driver_probe_device+0x1dd/0x419
> [    6.613509]  ? ___might_sleep+0x80/0x1b6
> [    6.613509]  __driver_attach+0x9f/0xc9
> [    6.613509]  ? driver_probe_device+0x419/0x419
> [    6.613509]  bus_for_each_dev+0xbc/0xe1
> [    6.613509]  bus_add_driver+0x189/0x2c0
> [    6.613509]  driver_register+0x108/0x156
> [    6.613509]  ? ttm_init+0x67/0x67
> [    6.613509]  do_one_initcall+0xb2/0x161
> [    6.613509]  kernel_init_freeable+0x25a/0x308
> [    6.613509]  ? rest_init+0xcc/0xcc
> [    6.613509]  kernel_init+0x11/0x10d
> [    6.613509]  ? rest_init+0xcc/0xcc
> [    6.613509]  ret_from_fork+0x22/0x40
> [    6.613509]
> [    6.613509] Allocated by task 1:
> [    6.613509]  save_stack+0x46/0xce
> [    6.613509]  kasan_kmalloc+0x99/0xa8
> [    6.613509]  kmem_cache_alloc_trace+0x11a/0x13e
> [    6.613509]  acp_hw_init+0x210/0xc4a
> [    6.613509]  amdgpu_device_init+0x1dfb/0x22a2
> [    6.613509]  amdgpu_driver_load_kms+0xce/0x267
> [    6.613509]  drm_dev_register+0x169/0x2fb
> [    6.613509]  amdgpu_pci_probe+0x217/0x242
> [    6.613509]  pci_device_probe+0x101/0x18e
> [    6.613509]  driver_probe_device+0x1dd/0x419
> [    6.613509]  __driver_attach+0x9f/0xc9
> [    6.613509]  bus_for_each_dev+0xbc/0xe1
> [    6.613509]  bus_add_driver+0x189/0x2c0
> [    6.613509]  driver_register+0x108/0x156
> [    6.613509]  do_one_initcall+0xb2/0x161
> [    6.613509]  kernel_init_freeable+0x25a/0x308
> [    6.613509]  kernel_init+0x11/0x10d
> [    6.613509]  ret_from_fork+0x22/0x40
> [    6.613509]
> [    6.613509] Freed by task 0:
> [    6.613509] (stack is not available)
> [    6.613509]
> [    6.613509] The buggy address belongs to the object at ffff880107d4db08
> [    6.613509]  which belongs to the cache kmalloc-512 of size 512
> [    6.613509] The buggy address is located 336 bytes inside of
> [    6.613509]  512-byte region [ffff880107d4db08, ffff880107d4dd08)
> [    6.613509] The buggy address belongs to the page:
> [    6.613509] page:ffffea00041f5300 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
> [    6.613509] flags: 0x8000000000008100(slab|head)
> [    6.613509] raw: 8000000000008100 0000000000000000 0000000000000000 0000000100120012
> [    6.613509] raw: ffffea0004208520 ffff88010b001680 ffff88010b002cc0 0000000000000000
> [    6.613509] page dumped because: kasan: bad access detected
> [    6.613509]
> [    6.613509] Memory state around the buggy address:
> [    6.613509]  ffff880107d4db00: fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [    6.613509]  ffff880107d4db80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [    6.613509] >ffff880107d4dc00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
> [    6.613509]                                                     ^
> [    6.613509]  ffff880107d4dc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [    6.613509]  ffff880107d4dd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [    6.613509] ==================================================================
> 
> Fixes: 51f7415039d4 ("drm/amd/amdgpu: creating two I2S instances for stoney/cz")
> Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>
Acked-by: Akshu Agrawal <akshu.agrawal@amd.com>

> ---
>   drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c
> index 20f20079935b..42f0d60cf3f4 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c
> @@ -402,7 +402,7 @@ static int acp_hw_init(void *handle)
>   	adev->acp.acp_res[4].end = adev->acp.acp_res[4].start;
>   
>   	adev->acp.acp_cell[0].name = "acp_audio_dma";
> -	adev->acp.acp_cell[0].num_resources = 6;
> +	adev->acp.acp_cell[0].num_resources = 5;
>   	adev->acp.acp_cell[0].resources = &adev->acp.acp_res[0];
>   	adev->acp.acp_cell[0].platform_data = &adev->asic_type;
>   	adev->acp.acp_cell[0].pdata_size = sizeof(adev->asic_type);
> 
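Review bot: only acp_cell[0] is corrected in this hunk, and nothing visible here shows whether the other acp_cell[] entries were checked. It would help to say in the commit message that their num_resources values were verified against the acp_res[] entries they point at, since a single boot-time report only demonstrates the one read it caught.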

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [PATCH] drm/amdgpu/acp: Fix slab-out-of-bounds in mfd_add_device in acp_hw_init
  2018-04-16  3:47   ` Agrawal, Akshu
@ 2018-07-02 21:48     ` Daniel Kurtz
  -1 siblings, 0 replies; 14+ messages in thread
From: Daniel Kurtz @ 2018-07-02 21:48 UTC (permalink / raw)
  To: alexander.deucher
  Cc: christian.koenig, Akshu Agrawal, David Airlie, Vijendar.Mukunda,
	jclinton, amd-gfx, dri-devel, linux-kernel

Hi Alex,

On Sun, Apr 15, 2018 at 9:48 PM Agrawal, Akshu <Akshu.Agrawal@amd.com> wrote:
>
>
>
> On 4/13/2018 9:45 PM, Daniel Kurtz wrote:
> > Commit 51f7415039d4 ("drm/amd/amdgpu: creating two I2S instances for
> > stoney/cz") added support for the "BT_I2S" ACP i2s channel.  As part of
> > this change, one additional acp resource was added, but the "num_resource"
> > count was accidentally incremented by 2.
> >
> > This incorrect count eventually causes mfd_add_device() to try to access
> > an invalid memory address (the location of non-existent resource 5).
> >
> > This fault was detected by running a KASAN enabled kernel, which produced
> > the following splat at boot:
> >
> > [    6.612987] ==================================================================
> > [    6.613509] BUG: KASAN: slab-out-of-bounds in mfd_add_device+0x4bc/0x7a7
> > [    6.613509] Read of size 8 at addr ffff880107d4dc58 by task swapper/0/1
> > [    6.613509]
> > [    6.613509] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.14.33 #349
> > [    6.613509] Hardware name: Google Grunt/Grunt, BIOS Google_Grunt.10543.0.2018_04_03_1812 04/02/2018
> > [    6.613509] Call Trace:
> > [    6.613509]  dump_stack+0x4d/0x63
> > [    6.613509]  print_address_description+0x80/0x2d6
> > [    6.613509]  ? mfd_add_device+0x4bc/0x7a7
> > [    6.613509]  kasan_report+0x255/0x295
> > [    6.613509]  mfd_add_device+0x4bc/0x7a7
> > [    6.613509]  ? kasan_kmalloc+0x99/0xa8
> > [    6.613509]  ? mfd_add_devices+0x58/0xe4
> > [    6.613509]  ? __kmalloc+0x154/0x178
> > [    6.613509]  mfd_add_devices+0xa5/0xe4
> > [    6.613509]  acp_hw_init+0x92e/0xc4a
> > [    6.613509]  amdgpu_device_init+0x1dfb/0x22a2
> > [    6.613509]  ? kmalloc_order+0x53/0x5d
> > [    6.613509]  ? kmalloc_order_trace+0x23/0xb3
> > [    6.613509]  amdgpu_driver_load_kms+0xce/0x267
> > [    6.613509]  drm_dev_register+0x169/0x2fb
> > [    6.613509]  amdgpu_pci_probe+0x217/0x242
> > [    6.613509]  pci_device_probe+0x101/0x18e
> > [    6.613509]  driver_probe_device+0x1dd/0x419
> > [    6.613509]  ? ___might_sleep+0x80/0x1b6
> > [    6.613509]  __driver_attach+0x9f/0xc9
> > [    6.613509]  ? driver_probe_device+0x419/0x419
> > [    6.613509]  bus_for_each_dev+0xbc/0xe1
> > [    6.613509]  bus_add_driver+0x189/0x2c0
> > [    6.613509]  driver_register+0x108/0x156
> > [    6.613509]  ? ttm_init+0x67/0x67
> > [    6.613509]  do_one_initcall+0xb2/0x161
> > [    6.613509]  kernel_init_freeable+0x25a/0x308
> > [    6.613509]  ? rest_init+0xcc/0xcc
> > [    6.613509]  kernel_init+0x11/0x10d
> > [    6.613509]  ? rest_init+0xcc/0xcc
> > [    6.613509]  ret_from_fork+0x22/0x40
> > [    6.613509]
> > [    6.613509] Allocated by task 1:
> > [    6.613509]  save_stack+0x46/0xce
> > [    6.613509]  kasan_kmalloc+0x99/0xa8
> > [    6.613509]  kmem_cache_alloc_trace+0x11a/0x13e
> > [    6.613509]  acp_hw_init+0x210/0xc4a
> > [    6.613509]  amdgpu_device_init+0x1dfb/0x22a2
> > [    6.613509]  amdgpu_driver_load_kms+0xce/0x267
> > [    6.613509]  drm_dev_register+0x169/0x2fb
> > [    6.613509]  amdgpu_pci_probe+0x217/0x242
> > [    6.613509]  pci_device_probe+0x101/0x18e
> > [    6.613509]  driver_probe_device+0x1dd/0x419
> > [    6.613509]  __driver_attach+0x9f/0xc9
> > [    6.613509]  bus_for_each_dev+0xbc/0xe1
> > [    6.613509]  bus_add_driver+0x189/0x2c0
> > [    6.613509]  driver_register+0x108/0x156
> > [    6.613509]  do_one_initcall+0xb2/0x161
> > [    6.613509]  kernel_init_freeable+0x25a/0x308
> > [    6.613509]  kernel_init+0x11/0x10d
> > [    6.613509]  ret_from_fork+0x22/0x40
> > [    6.613509]
> > [    6.613509] Freed by task 0:
> > [    6.613509] (stack is not available)
> > [    6.613509]
> > [    6.613509] The buggy address belongs to the object at ffff880107d4db08
> > [    6.613509]  which belongs to the cache kmalloc-512 of size 512
> > [    6.613509] The buggy address is located 336 bytes inside of
> > [    6.613509]  512-byte region [ffff880107d4db08, ffff880107d4dd08)
> > [    6.613509] The buggy address belongs to the page:
> > [    6.613509] page:ffffea00041f5300 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
> > [    6.613509] flags: 0x8000000000008100(slab|head)
> > [    6.613509] raw: 8000000000008100 0000000000000000 0000000000000000 0000000100120012
> > [    6.613509] raw: ffffea0004208520 ffff88010b001680 ffff88010b002cc0 0000000000000000
> > [    6.613509] page dumped because: kasan: bad access detected
> > [    6.613509]
> > [    6.613509] Memory state around the buggy address:
> > [    6.613509]  ffff880107d4db00: fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [    6.613509]  ffff880107d4db80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [    6.613509] >ffff880107d4dc00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
> > [    6.613509]                                                     ^
> > [    6.613509]  ffff880107d4dc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > [    6.613509]  ffff880107d4dd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > [    6.613509] ==================================================================
> >
> > Fixes: 51f7415039d4 ("drm/amd/amdgpu: creating two I2S instances for stoney/cz")
> > Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>
> Acked-by: Akshu Agrawal <akshu.agrawal@amd.com>


Was this patch ever picked up?  I can't find it in agd5f/linux.

Thanks,
-Dan

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [PATCH] drm/amdgpu/acp: Fix slab-out-of-bounds in mfd_add_device in acp_hw_init
@ 2018-07-02 21:48     ` Daniel Kurtz
  0 siblings, 0 replies; 14+ messages in thread
From: Daniel Kurtz @ 2018-07-02 21:48 UTC (permalink / raw)
  To: alexander.deucher
  Cc: David Airlie, linux-kernel, amd-gfx, Akshu Agrawal, jclinton,
	dri-devel, Vijendar.Mukunda, christian.koenig

Hi Alex,

On Sun, Apr 15, 2018 at 9:48 PM Agrawal, Akshu <Akshu.Agrawal@amd.com> wrote:
>
>
>
> On 4/13/2018 9:45 PM, Daniel Kurtz wrote:
> > Commit 51f7415039d4 ("drm/amd/amdgpu: creating two I2S instances for
> > stoney/cz") added support for the "BT_I2S" ACP i2s channel.  As part of
> > this change, one additional acp resource was added, but the "num_resource"
> > count was accidentally incremented by 2.
> >
> > This incorrect count eventually causes mfd_add_device() to try to access
> > an invalid memory address (the location of non-existent resource 5).
> >
> > This fault was detected by running a KASAN enabled kernel, which produced
> > the following splat at boot:
> >
> > [    6.612987] ==================================================================
> > [    6.613509] BUG: KASAN: slab-out-of-bounds in mfd_add_device+0x4bc/0x7a7
> > [    6.613509] Read of size 8 at addr ffff880107d4dc58 by task swapper/0/1
> > [    6.613509]
> > [    6.613509] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.14.33 #349
> > [    6.613509] Hardware name: Google Grunt/Grunt, BIOS Google_Grunt.10543.0.2018_04_03_1812 04/02/2018
> > [    6.613509] Call Trace:
> > [    6.613509]  dump_stack+0x4d/0x63
> > [    6.613509]  print_address_description+0x80/0x2d6
> > [    6.613509]  ? mfd_add_device+0x4bc/0x7a7
> > [    6.613509]  kasan_report+0x255/0x295
> > [    6.613509]  mfd_add_device+0x4bc/0x7a7
> > [    6.613509]  ? kasan_kmalloc+0x99/0xa8
> > [    6.613509]  ? mfd_add_devices+0x58/0xe4
> > [    6.613509]  ? __kmalloc+0x154/0x178
> > [    6.613509]  mfd_add_devices+0xa5/0xe4
> > [    6.613509]  acp_hw_init+0x92e/0xc4a
> > [    6.613509]  amdgpu_device_init+0x1dfb/0x22a2
> > [    6.613509]  ? kmalloc_order+0x53/0x5d
> > [    6.613509]  ? kmalloc_order_trace+0x23/0xb3
> > [    6.613509]  amdgpu_driver_load_kms+0xce/0x267
> > [    6.613509]  drm_dev_register+0x169/0x2fb
> > [    6.613509]  amdgpu_pci_probe+0x217/0x242
> > [    6.613509]  pci_device_probe+0x101/0x18e
> > [    6.613509]  driver_probe_device+0x1dd/0x419
> > [    6.613509]  ? ___might_sleep+0x80/0x1b6
> > [    6.613509]  __driver_attach+0x9f/0xc9
> > [    6.613509]  ? driver_probe_device+0x419/0x419
> > [    6.613509]  bus_for_each_dev+0xbc/0xe1
> > [    6.613509]  bus_add_driver+0x189/0x2c0
> > [    6.613509]  driver_register+0x108/0x156
> > [    6.613509]  ? ttm_init+0x67/0x67
> > [    6.613509]  do_one_initcall+0xb2/0x161
> > [    6.613509]  kernel_init_freeable+0x25a/0x308
> > [    6.613509]  ? rest_init+0xcc/0xcc
> > [    6.613509]  kernel_init+0x11/0x10d
> > [    6.613509]  ? rest_init+0xcc/0xcc
> > [    6.613509]  ret_from_fork+0x22/0x40
> > [    6.613509]
> > [    6.613509] Allocated by task 1:
> > [    6.613509]  save_stack+0x46/0xce
> > [    6.613509]  kasan_kmalloc+0x99/0xa8
> > [    6.613509]  kmem_cache_alloc_trace+0x11a/0x13e
> > [    6.613509]  acp_hw_init+0x210/0xc4a
> > [    6.613509]  amdgpu_device_init+0x1dfb/0x22a2
> > [    6.613509]  amdgpu_driver_load_kms+0xce/0x267
> > [    6.613509]  drm_dev_register+0x169/0x2fb
> > [    6.613509]  amdgpu_pci_probe+0x217/0x242
> > [    6.613509]  pci_device_probe+0x101/0x18e
> > [    6.613509]  driver_probe_device+0x1dd/0x419
> > [    6.613509]  __driver_attach+0x9f/0xc9
> > [    6.613509]  bus_for_each_dev+0xbc/0xe1
> > [    6.613509]  bus_add_driver+0x189/0x2c0
> > [    6.613509]  driver_register+0x108/0x156
> > [    6.613509]  do_one_initcall+0xb2/0x161
> > [    6.613509]  kernel_init_freeable+0x25a/0x308
> > [    6.613509]  kernel_init+0x11/0x10d
> > [    6.613509]  ret_from_fork+0x22/0x40
> > [    6.613509]
> > [    6.613509] Freed by task 0:
> > [    6.613509] (stack is not available)
> > [    6.613509]
> > [    6.613509] The buggy address belongs to the object at ffff880107d4db08
> > [    6.613509]  which belongs to the cache kmalloc-512 of size 512
> > [    6.613509] The buggy address is located 336 bytes inside of
> > [    6.613509]  512-byte region [ffff880107d4db08, ffff880107d4dd08)
> > [    6.613509] The buggy address belongs to the page:
> > [    6.613509] page:ffffea00041f5300 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
> > [    6.613509] flags: 0x8000000000008100(slab|head)
> > [    6.613509] raw: 8000000000008100 0000000000000000 0000000000000000 0000000100120012
> > [    6.613509] raw: ffffea0004208520 ffff88010b001680 ffff88010b002cc0 0000000000000000
> > [    6.613509] page dumped because: kasan: bad access detected
> > [    6.613509]
> > [    6.613509] Memory state around the buggy address:
> > [    6.613509]  ffff880107d4db00: fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [    6.613509]  ffff880107d4db80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [    6.613509] >ffff880107d4dc00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
> > [    6.613509]                                                     ^
> > [    6.613509]  ffff880107d4dc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > [    6.613509]  ffff880107d4dd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > [    6.613509] ==================================================================
> >
> > Fixes: 51f7415039d4 ("drm/amd/amdgpu: creating two I2S instances for stoney/cz")
> > Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>
> Acked-by: Akshu Agrawal <akshu.agrawal@amd.com>


Was this patch ever picked up?  I can't find it in agd5f/linux.

Thanks,
-Dan
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [PATCH] drm/amdgpu/acp: Fix slab-out-of-bounds in mfd_add_device in acp_hw_init
  2018-07-02 21:48     ` Daniel Kurtz
@ 2018-07-03 16:20       ` Alex Deucher
  -1 siblings, 0 replies; 14+ messages in thread
From: Alex Deucher @ 2018-07-03 16:20 UTC (permalink / raw)
  To: Daniel Kurtz
  Cc: Deucher, Alexander, David Airlie, LKML, amd-gfx list,
	Akshu Agrawal, jclinton, dri-devel, Vijendar Mukunda,
	Christian Koenig

On Mon, Jul 2, 2018 at 5:48 PM, Daniel Kurtz <djkurtz@chromium.org> wrote:
> Hi Alex,
>
> On Sun, Apr 15, 2018 at 9:48 PM Agrawal, Akshu <Akshu.Agrawal@amd.com> wrote:
>>
>>
>>
>> On 4/13/2018 9:45 PM, Daniel Kurtz wrote:
>> > Commit 51f7415039d4 ("drm/amd/amdgpu: creating two I2S instances for
>> > stoney/cz") added support for the "BT_I2S" ACP i2s channel.  As part of
>> > this change, one additional acp resource was added, but the "num_resource"
>> > count was accidentally incremented by 2.
>> >
>> > This incorrect count eventually causes mfd_add_device() to try to access
>> > an invalid memory address (the location of non-existent resource 5.
>> >
>> > This fault was detected by running a KASAN enabled kernel, which produced
>> > the following splat at boot:
>> >
>> > [    6.612987] ==================================================================
>> > [    6.613509] BUG: KASAN: slab-out-of-bounds in mfd_add_device+0x4bc/0x7a7
>> > [    6.613509] Read of size 8 at addr ffff880107d4dc58 by task swapper/0/1
>> > [    6.613509]
>> > [    6.613509] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.14.33 #349
>> > [    6.613509] Hardware name: Google Grunt/Grunt, BIOS Google_Grunt.10543.0.2018_04_03_1812 04/02/2018
>> > [    6.613509] Call Trace:
>> > [    6.613509]  dump_stack+0x4d/0x63
>> > [    6.613509]  print_address_description+0x80/0x2d6
>> > [    6.613509]  ? mfd_add_device+0x4bc/0x7a7
>> > [    6.613509]  kasan_report+0x255/0x295
>> > [    6.613509]  mfd_add_device+0x4bc/0x7a7
>> > [    6.613509]  ? kasan_kmalloc+0x99/0xa8
>> > [    6.613509]  ? mfd_add_devices+0x58/0xe4
>> > [    6.613509]  ? __kmalloc+0x154/0x178
>> > [    6.613509]  mfd_add_devices+0xa5/0xe4
>> > [    6.613509]  acp_hw_init+0x92e/0xc4a
>> > [    6.613509]  amdgpu_device_init+0x1dfb/0x22a2
>> > [    6.613509]  ? kmalloc_order+0x53/0x5d
>> > [    6.613509]  ? kmalloc_order_trace+0x23/0xb3
>> > [    6.613509]  amdgpu_driver_load_kms+0xce/0x267
>> > [    6.613509]  drm_dev_register+0x169/0x2fb
>> > [    6.613509]  amdgpu_pci_probe+0x217/0x242
>> > [    6.613509]  pci_device_probe+0x101/0x18e
>> > [    6.613509]  driver_probe_device+0x1dd/0x419
>> > [    6.613509]  ? ___might_sleep+0x80/0x1b6
>> > [    6.613509]  __driver_attach+0x9f/0xc9
>> > [    6.613509]  ? driver_probe_device+0x419/0x419
>> > [    6.613509]  bus_for_each_dev+0xbc/0xe1
>> > [    6.613509]  bus_add_driver+0x189/0x2c0
>> > [    6.613509]  driver_register+0x108/0x156
>> > [    6.613509]  ? ttm_init+0x67/0x67
>> > [    6.613509]  do_one_initcall+0xb2/0x161
>> > [    6.613509]  kernel_init_freeable+0x25a/0x308
>> > [    6.613509]  ? rest_init+0xcc/0xcc
>> > [    6.613509]  kernel_init+0x11/0x10d
>> > [    6.613509]  ? rest_init+0xcc/0xcc
>> > [    6.613509]  ret_from_fork+0x22/0x40
>> > [    6.613509]
>> > [    6.613509] Allocated by task 1:
>> > [    6.613509]  save_stack+0x46/0xce
>> > [    6.613509]  kasan_kmalloc+0x99/0xa8
>> > [    6.613509]  kmem_cache_alloc_trace+0x11a/0x13e
>> > [    6.613509]  acp_hw_init+0x210/0xc4a
>> > [    6.613509]  amdgpu_device_init+0x1dfb/0x22a2
>> > [    6.613509]  amdgpu_driver_load_kms+0xce/0x267
>> > [    6.613509]  drm_dev_register+0x169/0x2fb
>> > [    6.613509]  amdgpu_pci_probe+0x217/0x242
>> > [    6.613509]  pci_device_probe+0x101/0x18e
>> > [    6.613509]  driver_probe_device+0x1dd/0x419
>> > [    6.613509]  __driver_attach+0x9f/0xc9
>> > [    6.613509]  bus_for_each_dev+0xbc/0xe1
>> > [    6.613509]  bus_add_driver+0x189/0x2c0
>> > [    6.613509]  driver_register+0x108/0x156
>> > [    6.613509]  do_one_initcall+0xb2/0x161
>> > [    6.613509]  kernel_init_freeable+0x25a/0x308
>> > [    6.613509]  kernel_init+0x11/0x10d
>> > [    6.613509]  ret_from_fork+0x22/0x40
>> > [    6.613509]
>> > [    6.613509] Freed by task 0:
>> > [    6.613509] (stack is not available)
>> > [    6.613509]
>> > [    6.613509] The buggy address belongs to the object at ffff880107d4db08
>> > [    6.613509]  which belongs to the cache kmalloc-512 of size 512
>> > [    6.613509] The buggy address is located 336 bytes inside of
>> > [    6.613509]  512-byte region [ffff880107d4db08, ffff880107d4dd08)
>> > [    6.613509] The buggy address belongs to the page:
>> > [    6.613509] page:ffffea00041f5300 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
>> > [    6.613509] flags: 0x8000000000008100(slab|head)
>> > [    6.613509] raw: 8000000000008100 0000000000000000 0000000000000000 0000000100120012
>> > [    6.613509] raw: ffffea0004208520 ffff88010b001680 ffff88010b002cc0 0000000000000000
>> > [    6.613509] page dumped because: kasan: bad access detected
>> > [    6.613509]
>> > [    6.613509] Memory state around the buggy address:
>> > [    6.613509]  ffff880107d4db00: fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> > [    6.613509]  ffff880107d4db80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> > [    6.613509] >ffff880107d4dc00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
>> > [    6.613509]                                                     ^
>> > [    6.613509]  ffff880107d4dc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> > [    6.613509]  ffff880107d4dd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> > [    6.613509] ==================================================================
>> >
>> > Fixes: 51f7415039d4 ("drm/amd/amdgpu: creating two I2S instances for stoney/cz")
>> > Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>
>> Acked-by: Akshu Agrawal <akshu.agrawal@amd.com>
>
>
> Was this patch ever picked up?  I can't find it in agd5f/linux.

It wasn't applied.  I don't see 51f7415039d4 ("drm/amd/amdgpu:
creating two I2S instances for stoney/cz") upstream yet either.
Daniel, Vijendar, which ones do you want applied?  Can you send me the
patches?

Alex

>
> Thanks,
> -Dan

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [PATCH] drm/amdgpu/acp: Fix slab-out-of-bounds in mfd_add_device in acp_hw_init
@ 2018-07-04  8:48         ` Mukunda,Vijendar
  0 siblings, 0 replies; 14+ messages in thread
From: Mukunda,Vijendar @ 2018-07-04  8:48 UTC (permalink / raw)
  To: Alex Deucher, Daniel Kurtz
  Cc: Deucher, Alexander, David Airlie, LKML, amd-gfx list,
	Akshu Agrawal, jclinton, dri-devel, Christian Koenig



On Tuesday 03 July 2018 09:50 PM, Alex Deucher wrote:
> On Mon, Jul 2, 2018 at 5:48 PM, Daniel Kurtz <djkurtz@chromium.org> wrote:
>> Hi Alex,
>>
>> On Sun, Apr 15, 2018 at 9:48 PM Agrawal, Akshu <Akshu.Agrawal@amd.com> wrote:
>>>
>>>
>>>
>>> On 4/13/2018 9:45 PM, Daniel Kurtz wrote:
>>>> Commit 51f7415039d4 ("drm/amd/amdgpu: creating two I2S instances for
>>>> stoney/cz") added support for the "BT_I2S" ACP i2s channel.  As part of
>>>> this change, one additional acp resource was added, but the "num_resource"
>>>> count was accidentally incremented by 2.
>>>>
>>>> This incorrect count eventually causes mfd_add_device() to try to access
>>>> an invalid memory address (the location of non-existent resource 5.
>>>>
>>>> This fault was detected by running a KASAN enabled kernel, which produced
>>>> the following splat at boot:
>>>>
>>>> [    6.612987] ==================================================================
>>>> [    6.613509] BUG: KASAN: slab-out-of-bounds in mfd_add_device+0x4bc/0x7a7
>>>> [    6.613509] Read of size 8 at addr ffff880107d4dc58 by task swapper/0/1
>>>> [    6.613509]
>>>> [    6.613509] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.14.33 #349
>>>> [    6.613509] Hardware name: Google Grunt/Grunt, BIOS Google_Grunt.10543.0.2018_04_03_1812 04/02/2018
>>>> [    6.613509] Call Trace:
>>>> [    6.613509]  dump_stack+0x4d/0x63
>>>> [    6.613509]  print_address_description+0x80/0x2d6
>>>> [    6.613509]  ? mfd_add_device+0x4bc/0x7a7
>>>> [    6.613509]  kasan_report+0x255/0x295
>>>> [    6.613509]  mfd_add_device+0x4bc/0x7a7
>>>> [    6.613509]  ? kasan_kmalloc+0x99/0xa8
>>>> [    6.613509]  ? mfd_add_devices+0x58/0xe4
>>>> [    6.613509]  ? __kmalloc+0x154/0x178
>>>> [    6.613509]  mfd_add_devices+0xa5/0xe4
>>>> [    6.613509]  acp_hw_init+0x92e/0xc4a
>>>> [    6.613509]  amdgpu_device_init+0x1dfb/0x22a2
>>>> [    6.613509]  ? kmalloc_order+0x53/0x5d
>>>> [    6.613509]  ? kmalloc_order_trace+0x23/0xb3
>>>> [    6.613509]  amdgpu_driver_load_kms+0xce/0x267
>>>> [    6.613509]  drm_dev_register+0x169/0x2fb
>>>> [    6.613509]  amdgpu_pci_probe+0x217/0x242
>>>> [    6.613509]  pci_device_probe+0x101/0x18e
>>>> [    6.613509]  driver_probe_device+0x1dd/0x419
>>>> [    6.613509]  ? ___might_sleep+0x80/0x1b6
>>>> [    6.613509]  __driver_attach+0x9f/0xc9
>>>> [    6.613509]  ? driver_probe_device+0x419/0x419
>>>> [    6.613509]  bus_for_each_dev+0xbc/0xe1
>>>> [    6.613509]  bus_add_driver+0x189/0x2c0
>>>> [    6.613509]  driver_register+0x108/0x156
>>>> [    6.613509]  ? ttm_init+0x67/0x67
>>>> [    6.613509]  do_one_initcall+0xb2/0x161
>>>> [    6.613509]  kernel_init_freeable+0x25a/0x308
>>>> [    6.613509]  ? rest_init+0xcc/0xcc
>>>> [    6.613509]  kernel_init+0x11/0x10d
>>>> [    6.613509]  ? rest_init+0xcc/0xcc
>>>> [    6.613509]  ret_from_fork+0x22/0x40
>>>> [    6.613509]
>>>> [    6.613509] Allocated by task 1:
>>>> [    6.613509]  save_stack+0x46/0xce
>>>> [    6.613509]  kasan_kmalloc+0x99/0xa8
>>>> [    6.613509]  kmem_cache_alloc_trace+0x11a/0x13e
>>>> [    6.613509]  acp_hw_init+0x210/0xc4a
>>>> [    6.613509]  amdgpu_device_init+0x1dfb/0x22a2
>>>> [    6.613509]  amdgpu_driver_load_kms+0xce/0x267
>>>> [    6.613509]  drm_dev_register+0x169/0x2fb
>>>> [    6.613509]  amdgpu_pci_probe+0x217/0x242
>>>> [    6.613509]  pci_device_probe+0x101/0x18e
>>>> [    6.613509]  driver_probe_device+0x1dd/0x419
>>>> [    6.613509]  __driver_attach+0x9f/0xc9
>>>> [    6.613509]  bus_for_each_dev+0xbc/0xe1
>>>> [    6.613509]  bus_add_driver+0x189/0x2c0
>>>> [    6.613509]  driver_register+0x108/0x156
>>>> [    6.613509]  do_one_initcall+0xb2/0x161
>>>> [    6.613509]  kernel_init_freeable+0x25a/0x308
>>>> [    6.613509]  kernel_init+0x11/0x10d
>>>> [    6.613509]  ret_from_fork+0x22/0x40
>>>> [    6.613509]
>>>> [    6.613509] Freed by task 0:
>>>> [    6.613509] (stack is not available)
>>>> [    6.613509]
>>>> [    6.613509] The buggy address belongs to the object at ffff880107d4db08
>>>> [    6.613509]  which belongs to the cache kmalloc-512 of size 512
>>>> [    6.613509] The buggy address is located 336 bytes inside of
>>>> [    6.613509]  512-byte region [ffff880107d4db08, ffff880107d4dd08)
>>>> [    6.613509] The buggy address belongs to the page:
>>>> [    6.613509] page:ffffea00041f5300 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
>>>> [    6.613509] flags: 0x8000000000008100(slab|head)
>>>> [    6.613509] raw: 8000000000008100 0000000000000000 0000000000000000 0000000100120012
>>>> [    6.613509] raw: ffffea0004208520 ffff88010b001680 ffff88010b002cc0 0000000000000000
>>>> [    6.613509] page dumped because: kasan: bad access detected
>>>> [    6.613509]
>>>> [    6.613509] Memory state around the buggy address:
>>>> [    6.613509]  ffff880107d4db00: fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>> [    6.613509]  ffff880107d4db80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>> [    6.613509] >ffff880107d4dc00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
>>>> [    6.613509]                                                     ^
>>>> [    6.613509]  ffff880107d4dc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>>> [    6.613509]  ffff880107d4dd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>>> [    6.613509] ==================================================================
>>>>
>>>> Fixes: 51f7415039d4 ("drm/amd/amdgpu: creating two I2S instances for stoney/cz")
>>>> Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>
>>> Acked-by: Akshu Agrawal <akshu.agrawal@amd.com>
>>
>>
>> Was this patch ever picked up?  I can't find it in agd5f/linux.
> 
> It wasn't applied.  I don't see 51f7415039d4 ("drm/amd/amdgpu:
> creating two I2S instances for stoney/cz") upstream yet either.
> Daniel, Vijendar, which ones do you want applied?  Can you send me the
> patches?
> 
> Alex

Hi Alex,

"drm/amd/amdgpu: creating two I2S instances for stoney/cz" patch exists
in drm-next branch. Please pick the patch.

Thanks,
Vijendar

> 
>>
>> Thanks,
>> -Dan

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [PATCH] drm/amdgpu/acp: Fix slab-out-of-bounds in mfd_add_device in acp_hw_init
@ 2018-07-05 16:38           ` Alex Deucher
  0 siblings, 0 replies; 14+ messages in thread
From: Alex Deucher @ 2018-07-05 16:38 UTC (permalink / raw)
  To: Mukunda,Vijendar
  Cc: Daniel Kurtz, Deucher, Alexander, David Airlie, LKML,
	amd-gfx list, Akshu Agrawal, jclinton, dri-devel,
	Christian Koenig

On Wed, Jul 4, 2018 at 4:48 AM, Mukunda,Vijendar
<vijendar.mukunda@amd.com> wrote:
>
>
> On Tuesday 03 July 2018 09:50 PM, Alex Deucher wrote:
>>
>> On Mon, Jul 2, 2018 at 5:48 PM, Daniel Kurtz <djkurtz@chromium.org> wrote:
>>>
>>> Hi Alex,
>>>
>>> On Sun, Apr 15, 2018 at 9:48 PM Agrawal, Akshu <Akshu.Agrawal@amd.com>
>>> wrote:
>>>>
>>>>
>>>>
>>>>
>>>> On 4/13/2018 9:45 PM, Daniel Kurtz wrote:
>>>>>
>>>>> Commit 51f7415039d4 ("drm/amd/amdgpu: creating two I2S instances for
>>>>> stoney/cz") added support for the "BT_I2S" ACP i2s channel.  As part of
>>>>> this change, one additional acp resource was added, but the
>>>>> "num_resource"
>>>>> count was accidentally incremented by 2.
>>>>>
>>>>> This incorrect count eventually causes mfd_add_device() to try to
>>>>> access
>>>>> an invalid memory address (the location of non-existent resource 5).
>>>>>
>>>>> This fault was detected by running a KASAN enabled kernel, which
>>>>> produced
>>>>> the following splat at boot:
>>>>>
>>>>> [    6.612987]
>>>>> ==================================================================
>>>>> [    6.613509] BUG: KASAN: slab-out-of-bounds in
>>>>> mfd_add_device+0x4bc/0x7a7
>>>>> [    6.613509] Read of size 8 at addr ffff880107d4dc58 by task
>>>>> swapper/0/1
>>>>> [    6.613509]
>>>>> [    6.613509] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.14.33 #349
>>>>> [    6.613509] Hardware name: Google Grunt/Grunt, BIOS
>>>>> Google_Grunt.10543.0.2018_04_03_1812 04/02/2018
>>>>> [    6.613509] Call Trace:
>>>>> [    6.613509]  dump_stack+0x4d/0x63
>>>>> [    6.613509]  print_address_description+0x80/0x2d6
>>>>> [    6.613509]  ? mfd_add_device+0x4bc/0x7a7
>>>>> [    6.613509]  kasan_report+0x255/0x295
>>>>> [    6.613509]  mfd_add_device+0x4bc/0x7a7
>>>>> [    6.613509]  ? kasan_kmalloc+0x99/0xa8
>>>>> [    6.613509]  ? mfd_add_devices+0x58/0xe4
>>>>> [    6.613509]  ? __kmalloc+0x154/0x178
>>>>> [    6.613509]  mfd_add_devices+0xa5/0xe4
>>>>> [    6.613509]  acp_hw_init+0x92e/0xc4a
>>>>> [    6.613509]  amdgpu_device_init+0x1dfb/0x22a2
>>>>> [    6.613509]  ? kmalloc_order+0x53/0x5d
>>>>> [    6.613509]  ? kmalloc_order_trace+0x23/0xb3
>>>>> [    6.613509]  amdgpu_driver_load_kms+0xce/0x267
>>>>> [    6.613509]  drm_dev_register+0x169/0x2fb
>>>>> [    6.613509]  amdgpu_pci_probe+0x217/0x242
>>>>> [    6.613509]  pci_device_probe+0x101/0x18e
>>>>> [    6.613509]  driver_probe_device+0x1dd/0x419
>>>>> [    6.613509]  ? ___might_sleep+0x80/0x1b6
>>>>> [    6.613509]  __driver_attach+0x9f/0xc9
>>>>> [    6.613509]  ? driver_probe_device+0x419/0x419
>>>>> [    6.613509]  bus_for_each_dev+0xbc/0xe1
>>>>> [    6.613509]  bus_add_driver+0x189/0x2c0
>>>>> [    6.613509]  driver_register+0x108/0x156
>>>>> [    6.613509]  ? ttm_init+0x67/0x67
>>>>> [    6.613509]  do_one_initcall+0xb2/0x161
>>>>> [    6.613509]  kernel_init_freeable+0x25a/0x308
>>>>> [    6.613509]  ? rest_init+0xcc/0xcc
>>>>> [    6.613509]  kernel_init+0x11/0x10d
>>>>> [    6.613509]  ? rest_init+0xcc/0xcc
>>>>> [    6.613509]  ret_from_fork+0x22/0x40
>>>>> [    6.613509]
>>>>> [    6.613509] Allocated by task 1:
>>>>> [    6.613509]  save_stack+0x46/0xce
>>>>> [    6.613509]  kasan_kmalloc+0x99/0xa8
>>>>> [    6.613509]  kmem_cache_alloc_trace+0x11a/0x13e
>>>>> [    6.613509]  acp_hw_init+0x210/0xc4a
>>>>> [    6.613509]  amdgpu_device_init+0x1dfb/0x22a2
>>>>> [    6.613509]  amdgpu_driver_load_kms+0xce/0x267
>>>>> [    6.613509]  drm_dev_register+0x169/0x2fb
>>>>> [    6.613509]  amdgpu_pci_probe+0x217/0x242
>>>>> [    6.613509]  pci_device_probe+0x101/0x18e
>>>>> [    6.613509]  driver_probe_device+0x1dd/0x419
>>>>> [    6.613509]  __driver_attach+0x9f/0xc9
>>>>> [    6.613509]  bus_for_each_dev+0xbc/0xe1
>>>>> [    6.613509]  bus_add_driver+0x189/0x2c0
>>>>> [    6.613509]  driver_register+0x108/0x156
>>>>> [    6.613509]  do_one_initcall+0xb2/0x161
>>>>> [    6.613509]  kernel_init_freeable+0x25a/0x308
>>>>> [    6.613509]  kernel_init+0x11/0x10d
>>>>> [    6.613509]  ret_from_fork+0x22/0x40
>>>>> [    6.613509]
>>>>> [    6.613509] Freed by task 0:
>>>>> [    6.613509] (stack is not available)
>>>>> [    6.613509]
>>>>> [    6.613509] The buggy address belongs to the object at
>>>>> ffff880107d4db08
>>>>> [    6.613509]  which belongs to the cache kmalloc-512 of size 512
>>>>> [    6.613509] The buggy address is located 336 bytes inside of
>>>>> [    6.613509]  512-byte region [ffff880107d4db08, ffff880107d4dd08)
>>>>> [    6.613509] The buggy address belongs to the page:
>>>>> [    6.613509] page:ffffea00041f5300 count:1 mapcount:0 mapping:
>>>>> (null) index:0x0 compound_mapcount: 0
>>>>> [    6.613509] flags: 0x8000000000008100(slab|head)
>>>>> [    6.613509] raw: 8000000000008100 0000000000000000 0000000000000000
>>>>> 0000000100120012
>>>>> [    6.613509] raw: ffffea0004208520 ffff88010b001680 ffff88010b002cc0
>>>>> 0000000000000000
>>>>> [    6.613509] page dumped because: kasan: bad access detected
>>>>> [    6.613509]
>>>>> [    6.613509] Memory state around the buggy address:
>>>>> [    6.613509]  ffff880107d4db00: fc 00 00 00 00 00 00 00 00 00 00 00
>>>>> 00 00 00 00
>>>>> [    6.613509]  ffff880107d4db80: 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> 00 00 00 00
>>>>> [    6.613509] >ffff880107d4dc00: 00 00 00 00 00 00 00 00 00 fc fc fc
>>>>> fc fc fc fc
>>>>> [    6.613509]                                                     ^
>>>>> [    6.613509]  ffff880107d4dc80: fc fc fc fc fc fc fc fc fc fc fc fc
>>>>> fc fc fc fc
>>>>> [    6.613509]  ffff880107d4dd00: fc fc fc fc fc fc fc fc fc fc fc fc
>>>>> fc fc fc fc
>>>>> [    6.613509]
>>>>> ==================================================================
>>>>>
>>>>> Fixes: 51f7415039d4 ("drm/amd/amdgpu: creating two I2S instances for
>>>>> stoney/cz")
>>>>> Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>
>>>>
>>>> Acked-by: Akshu Agrawal <akshu.agrawal@amd.com>
>>>
>>>
>>>
>>> Was this patch ever picked up?  I can't find it in agd5f/linux.
>>
>>
>> It wasn't applied.  I don't see 51f7415039d4 ("drm/amd/amdgpu:
>> creating two I2S instances for stoney/cz") upstream yet either.
>> Daniel, Vijendar, which ones do you want applied?  Can you send me the
>> patches?
>>
>> Alex
>
>
> Hi Alex,
>
> "drm/amd/amdgpu: creating two I2S instances for stoney/cz" patch exists in
> drm-next branch. Please pick the patch.

So just that one?  I seem to recall there being later revisions of
that patch that you reworked after applying the original version.
Also that patch was originally part of a larger series.  Are those
changes required too?

Alex

>
> Thanks,
> Vijendar
>
>
>>
>>>
>>> Thanks,
>>> -Dan

^ permalink raw reply	[flat|nested] 14+ messages in thread
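
The KASAN report quoted in this thread can be decoded to show which resource slot the faulting read touched. The following is an added example, not part of any message in the thread or of the kernel sources; it assumes sizeof(struct resource) is 64 bytes on this x86_64 kernel, and the helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption (not stated in the thread): sizeof(struct resource) == 64 here. */
#define RES_SIZE 64u
#define GRANULE  8u   /* one KASAN shadow byte describes 8 bytes of memory */

/* Lines taken from the splat in this thread, timestamps and wrapping removed. */
static const char *SPLAT[] = {
    "Read of size 8 at addr ffff880107d4dc58 by task swapper/0/1",
    "512-byte region [ffff880107d4db08, ffff880107d4dd08)",
    " ffff880107d4db00: fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    " ffff880107d4db80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    ">ffff880107d4dc00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc",
};
#define SPLAT_LINES (sizeof(SPLAT) / sizeof(SPLAT[0]))
struct report { uint64_t addr, obj_start, valid_end; unsigned size; };

/* Walk one shadow row; returns 1 once the end of the valid bytes is found. */
static int walk_row(const char *p, uint64_t row, struct report *r)
{
    unsigned sb; int k;
    for (uint64_t g = row; sscanf(p, " %2x%n", &sb, &k) == 1; p += k, g += GRANULE) {
        if (g < r->obj_start) continue;            /* redzone before the object */
        if (sb == 0) { r->valid_end = g + GRANULE; continue; }
        if (sb < GRANULE) r->valid_end = g + sb;   /* partially valid granule */
        return 1;                                  /* poisoned from here on */
    }
    return 0;
}

/* Extract access address, object start and end of the accessible bytes. */
static int parse_splat(const char **ln, size_t n, struct report *r)
{
    int done = 0;
    memset(r, 0, sizeof(*r));
    for (size_t i = 0; i < n && !done; i++) {
        unsigned long long a; int off = 0;
        const char *p = ln[i], *q = strstr(p, "region ["), *s = p + strspn(p, " >");
        if (sscanf(p, "Read of size %u at addr %llx", &r->size, &a) == 2)
            r->addr = a;
        else if (q && sscanf(q, "region [%llx", &a) == 1)
            r->obj_start = a;
        else if (sscanf(s, "%llx:%n", &a, &off) == 1 && off > 0)
            done = walk_row(s + off, a, r);        /* shadow row "addr: xx xx .." */
    }
    return (r->addr && r->obj_start && done) ? 0 : -1;
}

static unsigned alloc_bytes(const struct report *r) { return (unsigned)(r->valid_end - r->obj_start); }
static unsigned slot_accessed(const struct report *r) { return (unsigned)((r->addr - r->obj_start) / RES_SIZE); }
static unsigned offset_in_slot(const struct report *r) { return (unsigned)((r->addr - r->obj_start) % RES_SIZE); }

int main(void)
{
    struct report r;
    if (parse_splat(SPLAT, SPLAT_LINES, &r)) return 1;
    printf("allocated %u bytes = %u slots; read hit slot %u at offset %u\n",
           alloc_bytes(&r), alloc_bytes(&r) / RES_SIZE, slot_accessed(&r), offset_in_slot(&r));
    return 0;
}
```

Slot indices for the allocated entries start at 0, so the slot index the program reports is the first entry past the allocation, which agrees with the "non-existent resource 5" named in the commit message.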

* Re: [PATCH] drm/amdgpu/acp: Fix slab-out-of-bounds in mfd_add_device in acp_hw_init
  2018-07-05 16:38           ` Alex Deucher
@ 2018-07-09  6:40             ` Agrawal, Akshu
  -1 siblings, 0 replies; 14+ messages in thread
From: Agrawal, Akshu @ 2018-07-09  6:40 UTC (permalink / raw)
  To: Alex Deucher, Mukunda,Vijendar
  Cc: Daniel Kurtz, Deucher, Alexander, David Airlie, LKML,
	amd-gfx list, jclinton, dri-devel, Christian Koenig

>>>> Was this patch ever picked up?  I can't find it in agd5f/linux.
>>>
>>>
>>> It wasn't applied.  I don't see 51f7415039d4 ("drm/amd/amdgpu:
>>> creating two I2S instances for stoney/cz") upstream yet either.
>>> Daniel, Vijendar, which ones do you want applied?  Can you send me the
>>> patches?
>>>
>>> Alex
>>
>>
>> Hi Alex,
>>
>> "drm/amd/amdgpu: creating two I2S instances for stoney/cz" patch exists in
>> drm-next branch. Please pick the patch.
> 
> So just that one?  I seem to recall there being later revisions of
> that patch that you reworked after applying the original version.
> Also that patch was originally part of a larger series.  Are those
> changes required too?
> 
> Alex
> 

Hi Alex,

In agd5f/linux, branch "amd-staging-drm-next",
506f7d1 drm/amd/amdgpu: creating two I2S instances for stoney/cz
patch is present.
This patch is the correct version and there aren't any other changes
required with it.

Only Dan's, this mail's patch is currently missing from the tree.

Thanks,
Akshu

^ permalink raw reply	[flat|nested] 14+ messages in thread
