From: Alex Deucher <alexdeucher@gmail.com>
To: Daniel Kurtz <djkurtz@chromium.org>
Cc: "Deucher, Alexander" <alexander.deucher@amd.com>, David Airlie <airlied@linux.ie>, LKML <linux-kernel@vger.kernel.org>, amd-gfx list <amd-gfx@lists.freedesktop.org>, Akshu Agrawal <Akshu.Agrawal@amd.com>, jclinton@chromium.org, dri-devel <dri-devel@lists.freedesktop.org>, Vijendar Mukunda <Vijendar.Mukunda@amd.com>, Christian Koenig <christian.koenig@amd.com>
Subject: Re: [PATCH] drm/amdgpu/acp: Fix slab-out-of-bounds in mfd_add_device in acp_hw_init
Date: Tue, 3 Jul 2018 12:20:11 -0400
Message-ID: <CADnq5_Nwt+i2Sezh2Rmg9VyYYbc8LAMJyS6eQf9K5yAp-GgAXA@mail.gmail.com>
In-Reply-To: <CAGS+omATU0gus_EvbHtegGK1ZkaKVmSOr1E6QLQjd+LA_tC_LA@mail.gmail.com>

On Mon, Jul 2, 2018 at 5:48 PM, Daniel Kurtz <djkurtz@chromium.org> wrote:
> Hi Alex,
>
> On Sun, Apr 15, 2018 at 9:48 PM Agrawal, Akshu <Akshu.Agrawal@amd.com> wrote:
>>
>> On 4/13/2018 9:45 PM, Daniel Kurtz wrote:
>> > Commit 51f7415039d4 ("drm/amd/amdgpu: creating two I2S instances for
>> > stoney/cz") added support for the "BT_I2S" ACP i2s channel. As part of
>> > this change, one additional acp resource was added, but the "num_resource"
>> > count was accidentally incremented by 2.
>> >
>> > This incorrect count eventually causes mfd_add_device() to try to access
>> > an invalid memory address (the location of non-existent resource 5).
>> >
>> > This fault was detected by running a KASAN enabled kernel, which produced
>> > the following splat at boot:
>> >
>> > [    6.612987] ==================================================================
>> > [    6.613509] BUG: KASAN: slab-out-of-bounds in mfd_add_device+0x4bc/0x7a7
>> > [    6.613509] Read of size 8 at addr ffff880107d4dc58 by task swapper/0/1
>> > [    6.613509]
>> > [    6.613509] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.14.33 #349
>> > [    6.613509] Hardware name: Google Grunt/Grunt, BIOS Google_Grunt.10543.0.2018_04_03_1812 04/02/2018
>> > [    6.613509] Call Trace:
>> > [    6.613509]  dump_stack+0x4d/0x63
>> > [    6.613509]  print_address_description+0x80/0x2d6
>> > [    6.613509]  ? mfd_add_device+0x4bc/0x7a7
>> > [    6.613509]  kasan_report+0x255/0x295
>> > [    6.613509]  mfd_add_device+0x4bc/0x7a7
>> > [    6.613509]  ? kasan_kmalloc+0x99/0xa8
>> > [    6.613509]  ? mfd_add_devices+0x58/0xe4
>> > [    6.613509]  ? __kmalloc+0x154/0x178
>> > [    6.613509]  mfd_add_devices+0xa5/0xe4
>> > [    6.613509]  acp_hw_init+0x92e/0xc4a
>> > [    6.613509]  amdgpu_device_init+0x1dfb/0x22a2
>> > [    6.613509]  ? kmalloc_order+0x53/0x5d
>> > [    6.613509]  ? kmalloc_order_trace+0x23/0xb3
>> > [    6.613509]  amdgpu_driver_load_kms+0xce/0x267
>> > [    6.613509]  drm_dev_register+0x169/0x2fb
>> > [    6.613509]  amdgpu_pci_probe+0x217/0x242
>> > [    6.613509]  pci_device_probe+0x101/0x18e
>> > [    6.613509]  driver_probe_device+0x1dd/0x419
>> > [    6.613509]  ? ___might_sleep+0x80/0x1b6
>> > [    6.613509]  __driver_attach+0x9f/0xc9
>> > [    6.613509]  ? driver_probe_device+0x419/0x419
>> > [    6.613509]  bus_for_each_dev+0xbc/0xe1
>> > [    6.613509]  bus_add_driver+0x189/0x2c0
>> > [    6.613509]  driver_register+0x108/0x156
>> > [    6.613509]  ? ttm_init+0x67/0x67
>> > [    6.613509]  do_one_initcall+0xb2/0x161
>> > [    6.613509]  kernel_init_freeable+0x25a/0x308
>> > [    6.613509]  ? rest_init+0xcc/0xcc
>> > [    6.613509]  kernel_init+0x11/0x10d
>> > [    6.613509]  ? rest_init+0xcc/0xcc
>> > [    6.613509]  ret_from_fork+0x22/0x40
>> > [    6.613509]
>> > [    6.613509] Allocated by task 1:
>> > [    6.613509]  save_stack+0x46/0xce
>> > [    6.613509]  kasan_kmalloc+0x99/0xa8
>> > [    6.613509]  kmem_cache_alloc_trace+0x11a/0x13e
>> > [    6.613509]  acp_hw_init+0x210/0xc4a
>> > [    6.613509]  amdgpu_device_init+0x1dfb/0x22a2
>> > [    6.613509]  amdgpu_driver_load_kms+0xce/0x267
>> > [    6.613509]  drm_dev_register+0x169/0x2fb
>> > [    6.613509]  amdgpu_pci_probe+0x217/0x242
>> > [    6.613509]  pci_device_probe+0x101/0x18e
>> > [    6.613509]  driver_probe_device+0x1dd/0x419
>> > [    6.613509]  __driver_attach+0x9f/0xc9
>> > [    6.613509]  bus_for_each_dev+0xbc/0xe1
>> > [    6.613509]  bus_add_driver+0x189/0x2c0
>> > [    6.613509]  driver_register+0x108/0x156
>> > [    6.613509]  do_one_initcall+0xb2/0x161
>> > [    6.613509]  kernel_init_freeable+0x25a/0x308
>> > [    6.613509]  kernel_init+0x11/0x10d
>> > [    6.613509]  ret_from_fork+0x22/0x40
>> > [    6.613509]
>> > [    6.613509] Freed by task 0:
>> > [    6.613509] (stack is not available)
>> > [    6.613509]
>> > [    6.613509] The buggy address belongs to the object at ffff880107d4db08
>> > [    6.613509]  which belongs to the cache kmalloc-512 of size 512
>> > [    6.613509] The buggy address is located 336 bytes inside of
>> > [    6.613509]  512-byte region [ffff880107d4db08, ffff880107d4dd08)
>> > [    6.613509] The buggy address belongs to the page:
>> > [    6.613509] page:ffffea00041f5300 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
>> > [    6.613509] flags: 0x8000000000008100(slab|head)
>> > [    6.613509] raw: 8000000000008100 0000000000000000 0000000000000000 0000000100120012
>> > [    6.613509] raw: ffffea0004208520 ffff88010b001680 ffff88010b002cc0 0000000000000000
>> > [    6.613509] page dumped because: kasan: bad access detected
>> > [    6.613509]
>> > [    6.613509] Memory state around the buggy address:
>> > [    6.613509]  ffff880107d4db00: fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> > [    6.613509]  ffff880107d4db80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> > [    6.613509] >ffff880107d4dc00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
>> > [    6.613509]                                                     ^
>> > [    6.613509]  ffff880107d4dc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> > [    6.613509]  ffff880107d4dd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> > [    6.613509] ==================================================================
>> >
>> > Fixes: 51f7415039d4 ("drm/amd/amdgpu: creating two I2S instances for stoney/cz")
>> > Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>
>> Acked-by: Akshu Agrawal <akshu.agrawal@amd.com>
>
>
> Was this patch ever picked up? I can't find it in agd5f/linux.

It wasn't applied. I don't see 51f7415039d4 ("drm/amd/amdgpu: creating two I2S instances for stoney/cz") upstream yet either. Daniel, Vijendar, which ones do you want applied? Can you send me the patches?

Alex

>
> Thanks,
> -Dan
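
Added example (not part of the original thread or of the amdgpu code): the shadow-memory dump in the quoted splat is enough to confirm the miscount the commit message describes. The sketch walks the shadow bytes from the object base to recover the real allocation size and the array index being read; the 64-byte element size is an assumed sizeof(struct resource) on x86_64, which the thread does not state.

```python
import re

# Lines copied from the KASAN splat quoted above (timestamps and quoting dropped).
SPLAT = """\
Read of size 8 at addr ffff880107d4dc58 by task swapper/0/1
The buggy address belongs to the object at ffff880107d4db08
 ffff880107d4db00: fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff880107d4db80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff880107d4dc00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
 ffff880107d4dc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

GRANULE = 8  # generic KASAN: one shadow byte describes 8 bytes of memory
ROW = re.compile(r"^[ >]?([0-9a-f]{16}):((?: [0-9a-f]{2}){16})\s*$", re.M)


def shadow_map(text):
    """Map the address of each 8-byte granule to its shadow byte."""
    shadow = {}
    for m in ROW.finditer(text):
        row = int(m.group(1), 16)
        for i, byte in enumerate(m.group(2).split()):
            shadow[row + i * GRANULE] = int(byte, 16)
    return shadow


def triage(text, elem_size):
    """Recover the requested allocation size and the out-of-bounds index."""
    addr = int(re.search(r"at addr ([0-9a-f]+)", text).group(1), 16)
    base = int(re.search(r"object at ([0-9a-f]+)", text).group(1), 16)
    shadow = shadow_map(text)
    end = base
    while shadow.get(end) == 0x00:            # granule fully addressable
        end += GRANULE
    if 0 < shadow.get(end, 0xFF) < GRANULE:   # partially addressable tail
        end += shadow[end]
    alloc, offset = end - base, addr - base
    return {
        "alloc_bytes": alloc,                     # bytes actually requested
        "access_offset": offset,                  # matches "located N bytes inside"
        "elements_allocated": alloc // elem_size,
        "index_accessed": offset // elem_size,    # zero-based array index
        "offset_in_element": offset % elem_size,
    }


if __name__ == "__main__":
    # elem_size=64 is the assumed sizeof(struct resource); adjust for other layouts.
    print(triage(SPLAT, elem_size=64))
```

Under that assumption the dump shows a 320-byte allocation (five elements) read at offset 336, that is, index 5 at byte 16 of the element, which agrees with the "non-existent resource 5" in the commit message.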