From: Matthew Auld <matthew.auld@intel.com>
To: intel-gfx@lists.freedesktop.org
Subject: [PATCH] drm/i915: fix out-of-bounds page_table access
Date: Fri, 24 Jun 2016 17:04:46 +0100
Message-ID: <1466784286-29059-1-git-send-email-matthew.auld@intel.com>

The gen6_for_all_pdes macro does the upper-bound evaluation after
accessing the page_table array, hence on the final iteration we end up
hitting an out-of-bounds error:

[ 1023.831657] UBSAN: Undefined behaviour in drivers/gpu/drm/i915/i915_gem_gtt.c:1993:2
[ 1023.831680] index 512 is out of range for type 'i915_page_table *[512]'
[ 1023.831696] CPU: 0 PID: 4833 Comm: rmmod Tainted: G     U          4.7.0-rc4-drm-intel-debug+ #5
[ 1023.831698] Hardware name: ASUS All Series/Z87-K, BIOS 1202 05/13/2014
[ 1023.831700]  0000000000000200 00000000adfe9733 ffff8801a3917988 ffffffff818cc0a4
[ 1023.831705]  0000000041b58ab3 ffffffff8275ca08 ffffffff818cbff2 ffff8801a39179b0
[ 1023.831708]  ffff8801a3917960 0000000000000200 1ffffffff4365b17 0000000000000001
[ 1023.831711] Call Trace:
[ 1023.831717]  [<ffffffff818cc0a4>] dump_stack+0xb2/0x10e
[ 1023.831721]  [<ffffffff818cbff2>] ? _atomic_dec_and_lock+0x152/0x152
[ 1023.831726]  [<ffffffff81952b0b>] ubsan_epilogue+0xd/0x4e
[ 1023.831730]  [<ffffffff8195373d>] __ubsan_handle_out_of_bounds+0x107/0x14d
[ 1023.831733]  [<ffffffff81953636>] ? __ubsan_handle_shift_out_of_bounds+0x24c/0x24c
[ 1023.831737]  [<ffffffff814bfde6>] ? kfree+0x246/0x3f0
[ 1023.831801]  [<ffffffffa183bff8>] gen6_ppgtt_cleanup+0x128/0x130 [i915]

Cc: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
---
 drivers/gpu/drm/i915/i915_gem_gtt.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.h b/drivers/gpu/drm/i915/i915_gem_gtt.h
index 163b564..9e5228d 100644
--- a/drivers/gpu/drm/i915/i915_gem_gtt.h
+++ b/drivers/gpu/drm/i915/i915_gem_gtt.h
@@ -409,7 +409,7 @@ struct i915_hw_ppgtt {
 
 #define gen6_for_all_pdes(pt, ppgtt, iter)  \
 	for (iter = 0;		\
-	     pt = ppgtt->pd.page_table[iter], iter < I915_PDES;	\
+	     iter < I915_PDES ? (pt = ppgtt->pd.page_table[iter]), 1 : 0; \
 	     iter++)
 
 static inline uint32_t i915_pte_index(uint64_t address, uint32_t pde_shift)
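Review bot: On the `+` line, the loop condition folds the bounds check, the assignment and a comma expression into the middle operand of `?:`. That is legal C and does order the test before the load, but it is easy to misparse, and the macro arguments `ppgtt` and `iter` are still expanded without parentheses. The same ordering reads more directly as `iter < I915_PDES && (pt = (ppgtt)->pd.page_table[iter], 1)`, with `(iter)` parenthesised in the init and increment clauses too. A short comment above the macro noting that `pt` is only assigned while `iter < I915_PDES`, so after the loop it holds the last valid entry rather than `page_table[I915_PDES]`, would help keep the load-before-test form on the `-` line from coming back.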
-- 
2.7.4

_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
