From: Dave Gordon <david.s.gordon@intel.com>
To: intel-gfx@lists.freedesktop.org
Subject: Re: [PATCH] drm/i915: fix out-of-bounds page_table access
Date: Fri, 24 Jun 2016 19:28:35 +0100
Message-ID: <576D7BD3.1000904@intel.com>
In-Reply-To: <20160624163717.GB10180@nuc-i3427.alporthouse.com>
On 24/06/16 17:37, Chris Wilson wrote:
> On Fri, Jun 24, 2016 at 05:04:46PM +0100, Matthew Auld wrote:
>> The gen6_for_all_pdes macro does the upper-bound evaluation after
>> accessing the page_table array, hence on the final iteration we end up
>> hitting an out-of-bounds error:
>>
>> [ 1023.831657] UBSAN: Undefined behaviour in drivers/gpu/drm/i915/i915_gem_gtt.c:1993:2
>> [ 1023.831680] index 512 is out of range for type 'i915_page_table *[512]'
>> [ 1023.831696] CPU: 0 PID: 4833 Comm: rmmod Tainted: G U 4.7.0-rc4-drm-intel-debug+ #5
>> [ 1023.831698] Hardware name: ASUS All Series/Z87-K, BIOS 1202 05/13/2014
>> [ 1023.831700] 0000000000000200 00000000adfe9733 ffff8801a3917988 ffffffff818cc0a4
>> [ 1023.831705] 0000000041b58ab3 ffffffff8275ca08 ffffffff818cbff2 ffff8801a39179b0
>> [ 1023.831708] ffff8801a3917960 0000000000000200 1ffffffff4365b17 0000000000000001
>> [ 1023.831711] Call Trace:
>> [ 1023.831717] [<ffffffff818cc0a4>] dump_stack+0xb2/0x10e
>> [ 1023.831721] [<ffffffff818cbff2>] ? _atomic_dec_and_lock+0x152/0x152
>> [ 1023.831726] [<ffffffff81952b0b>] ubsan_epilogue+0xd/0x4e
>> [ 1023.831730] [<ffffffff8195373d>] __ubsan_handle_out_of_bounds+0x107/0x14d
>> [ 1023.831733] [<ffffffff81953636>] ? __ubsan_handle_shift_out_of_bounds+0x24c/0x24c
>> [ 1023.831737] [<ffffffff814bfde6>] ? kfree+0x246/0x3f0
>> [ 1023.831801] [<ffffffffa183bff8>] gen6_ppgtt_cleanup+0x128/0x130 [i915]
>>
>> Cc: Chris Wilson <chris@chris-wilson.co.uk>
>> Signed-off-by: Matthew Auld <matthew.auld@intel.com>
>
> Ok. Tried to find something to complain about and couldn't.
> Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
> -Chris
Well ... not enough to reject it, but there's the lack of parentheses
round macro parameters, and it uses ?: rather than the && style used in
the Gen8 equivalents. I'll post an alternative based on the Gen8 version ...
.Dave.
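
The loop-condition ordering discussed in this message, as a stand-alone model added here for illustration; it is not code from the i915 driver or from either patch in the thread. `N_PDES`, `pt_lookup`, `highest_index` and both macro names are hypothetical, and the lookup is instrumented so that it records the requested index instead of reading past the array.

```c
#include <stdbool.h>
#include <stdio.h>

#define N_PDES 512 /* hypothetical; same size as the array in the UBSAN report */
struct page_table { int unused; };
struct page_dir { struct page_table *page_table[N_PDES]; };
static struct page_dir pd; /* constructed, zero-filled sample directory */
static int max_index;      /* highest index any lookup was asked for */

/* Instrumented stand-in for pd->page_table[i]: records the index requested
 * and returns NULL instead of reading outside the array. */
static struct page_table *pt_lookup(struct page_dir *d, int i)
{
	if (i > max_index)
		max_index = i;
	return (i >= 0 && i < N_PDES) ? d->page_table[i] : NULL;
}

/* Load first, test second: the comma operator evaluates the lookup before
 * the bound, so the terminating pass still asks for index N_PDES. */
#define for_all_load_first(pt, d, iter) \
	for ((iter) = 0; (pt) = pt_lookup((d), (iter)), (iter) < N_PDES; (iter)++)

/* Test first: && short-circuits, so the lookup never sees iter == N_PDES.
 * Every macro parameter is parenthesised. */
#define for_all_check_first(pt, d, iter) \
	for ((iter) = 0; \
	     (iter) < N_PDES && ((pt) = pt_lookup((d), (iter)), true); (iter)++)

/* Walk the directory with one macro; return the highest index requested. */
static int highest_index(bool check_first)
{
	struct page_table *pt = NULL;
	int i, visited = 0;
	max_index = -1;
	if (check_first)
		for_all_check_first(pt, &pd, i)
			visited++;
	else
		for_all_load_first(pt, &pd, i)
			visited++;
	(void)pt;
	return visited == N_PDES ? max_index : -1;
}

int main(void)
{
	printf("load-first: %d, check-first: %d\n", highest_index(false), highest_index(true));
	return 0;
}
```

Both loops run the body 512 times; only the load-first form requests index 512 on the pass that ends the loop, which is the access the UBSAN report flags.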