Re: [igt-dev] [PATCH i-g-t 1/3 v5] lib/igt_kms: Fix memory corruption

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Modem, Bhanuprakash" <bhanuprakash.modem@intel.com>
To: Vignesh Raman <vignesh.raman@collabora.com>,
	<daniels@collabora.com>, <helen.koike@collabora.com>,
	<juhapekka.heikkila@gmail.com>, <igt-dev@lists.freedesktop.org>
Subject: Re: [igt-dev] [PATCH i-g-t 1/3 v5] lib/igt_kms: Fix memory corruption
Date: Fri, 10 Nov 2023 15:21:27 +0530	[thread overview]
Message-ID: <b4585b60-0fa7-c139-401d-fb215fac4336@intel.com> (raw)
In-Reply-To: <20231110084106.655504-1-vignesh.raman@collabora.com>

Hi Vignesh,

On Fri-10-11-2023 02:11 pm, Vignesh Raman wrote:
> virtio-gpu kernel driver, which provides KMS, reports 16 for count_crtcs
> which exceeds IGT_MAX_PIPES set to 8. The function igt_display_require
> allocates memory for IGT_MAX_PIPES members of igt_pipe_t structures,
> but then writes into it based on the count_crtcs reported by the kernel,
> resulting in memory corruption.
> 
>   # malloc(): corrupted top size
>   # Received signal SIGABRT.
>   # Stack trace:
>   #  #0 [fatal_sig_handler+0x17b]
>   #  #1 [__sigaction+0x40]
>   #  #2 [pthread_key_delete+0x14c]
>   #  #3 [gsignal+0x12]
>   #  #4 [abort+0xd3]
>   #  #5 [__fsetlocking+0x290]
>   #  #6 [timer_settime+0x37a]
>   #  #7 [__default_morecore+0x1f1b]
>   #  #8 [__libc_calloc+0x161]
>   #  #9 [drmModeGetPlaneResources+0x44]
>   #  #10 [igt_display_require+0x194]
>   #  #11 [__igt_unique____real_main1356+0x93c]
>   #  #12 [main+0x3f]
>   #  #13 [__libc_init_first+0x8a]
>   #  #14 [__libc_start_main+0x85]
>   #  #15 [_start+0x21]
> 
> Increase IGT_MAX_PIPES to 16 to fix this memory corruption issue.
> igt_display_require initializes display and allocate resources as
> a prerequisite for the tests. Skip the test if count_crtcs exceeds
> IGT_MAX_PIPES with debug information.
> 
> This fix is required for drm-ci to run igt tests on virtio-gpu.
> 
> Reviewed-by: Daniel Stone <daniels@collabora.com>
> Acked-by: Helen Koike <helen.koike@collabora.com>
> Suggested-by: Daniel Stone <daniels@collabora.com>
> Suggested-by: Bhanuprakash Modem <bhanuprakash.modem@intel.com>
> Signed-off-by: Vignesh Raman <vignesh.raman@collabora.com>
> ---
> 
> v2:
>    - Rework the fix to increase IGT_MAX_PIPES to 16.
> 
> v3:
>    - Fail the test if count_crtcs exceeds IGT_MAX_PIPES with debug information.
> 
> v4:
>    - Update test documentation and blacklist tests.
> 
> v5:
>    - Skip the test if count_crtcs exceeds IGT_MAX_PIPES with debug information.
>      Split the commits.
> 
> ---
>   lib/igt_kms.c |  6 +++++-
>   lib/igt_kms.h | 20 +++++++++++++++++++-
>   2 files changed, 24 insertions(+), 2 deletions(-)
> 
> diff --git a/lib/igt_kms.c b/lib/igt_kms.c
> index 453103f90..bbcc12b47 100644
> --- a/lib/igt_kms.c
> +++ b/lib/igt_kms.c
> @@ -906,7 +906,7 @@ static igt_plane_t *igt_get_assigned_primary(igt_output_t *output, igt_pipe_t *p
>    */
>   const char *kmstest_pipe_name(enum pipe pipe)
>   {
> -	static const char str[] = "A\0B\0C\0D\0E\0F\0G\0H";
> +	static const char str[] = "A\0B\0C\0D\0E\0F\0G\0H\0I\0J\0K\0L\0M\0N\0O\0P";
>   
>   	_Static_assert(sizeof(str) == IGT_MAX_PIPES * 2,
>   		       "Missing pipe name");
> @@ -2770,6 +2770,10 @@ void igt_display_require(igt_display_t *display, int drm_fd)
>   	}
>   #endif
>   
> +	igt_require_f(resources->count_crtcs <= IGT_MAX_PIPES,
---------------------------------------------^
As pipe index starts from 0, we must use '<' not '<='.

> +		     "count_crtcs exceeds IGT_MAX_PIPES, resources->count_crtcs=%d, IGT_MAX_PIPES=%d\n",
> +		     resources->count_crtcs, IGT_MAX_PIPES);
> +
>   	display->n_pipes = IGT_MAX_PIPES;
>   	display->pipes = calloc(sizeof(igt_pipe_t), display->n_pipes);
>   	igt_assert_f(display->pipes, "Failed to allocate memory for %d pipes\n", display->n_pipes);
> diff --git a/lib/igt_kms.h b/lib/igt_kms.h
> index 9028ab9be..5c705b585 100644
> --- a/lib/igt_kms.h
> +++ b/lib/igt_kms.h
> @@ -57,6 +57,16 @@
>    * @PIPE_D: Fourth crtc.
>    * @PIPE_E: Fifth crtc.
>    * @PIPE_F: Sixth crtc.
> + * @PIPE_G: Seventh crtc.
> + * @PIPE_H: Eighth crtc.
> + * @PIPE_I: Ninth crtc.
> + * @PIPE_J: Tenth crtc.
> + * @PIPE_K: Eleventh crtc.
> + * @PIPE_L: Twelfth crtc.
> + * @PIPE_M: Thirteenth crtc.
> + * @PIPE_N: Fourteenth crtc.
> + * @PIPE_O: Fifteenth crtc.
> + * @PIPE_P: Sixteenth crtc.
>    * @IGT_MAX_PIPES: Max number of pipes allowed.
>    */
>   enum pipe {
> @@ -70,7 +80,15 @@ enum pipe {
>           PIPE_F,
>   	PIPE_G,
>   	PIPE_H,
> -        IGT_MAX_PIPES
> +	PIPE_I,
> +	PIPE_J,
> +	PIPE_K,
> +	PIPE_L,
> +	PIPE_M,
> +	PIPE_N,
> +	PIPE_O,
> +	PIPE_P,
> +	IGT_MAX_PIPES

Please don't mix tabs & spaces, and try to align with the declaration of 
previous pipes.

Apart from these minor fixes, this patch LGTM. With above comments 
addressed, this patch is

Reviewed-by: Bhanuprakash Modem <bhanuprakash.modem@intel.com>

- Bhanu

>   };
>   const char *kmstest_pipe_name(enum pipe pipe);
>   int kmstest_pipe_to_index(char pipe);

next prev parent reply	other threads:[~2023-11-10  9:51 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-11-10  8:41 [igt-dev] [PATCH i-g-t 1/3 v5] lib/igt_kms: Fix memory corruption Vignesh Raman
2023-11-10  8:41 ` [igt-dev] [PATCH i-g-t 2/3 v5] tests: Update test documentation Vignesh Raman
2023-11-10  9:52   ` Modem, Bhanuprakash
2023-11-10 13:57   ` Helen Koike
2023-11-10  8:41 ` [igt-dev] [PATCH i-g-t 3/3 v5] intel-ci: Blacklist tests on pipe I to pipe P Vignesh Raman
2023-11-10  9:53   ` Modem, Bhanuprakash
2023-11-10 13:58   ` Helen Koike
2023-11-10  9:51 ` Modem, Bhanuprakash [this message]
2023-11-10 11:38   ` [igt-dev] [PATCH i-g-t 1/3 v5] lib/igt_kms: Fix memory corruption Vignesh Raman
2023-11-13  5:43     ` Modem, Bhanuprakash
2023-11-10 10:21 ` [igt-dev] ✓ CI.xeBAT: success for series starting with [i-g-t,1/3,v5] " Patchwork
2023-11-10 10:30 ` [igt-dev] ✓ Fi.CI.BAT: " Patchwork
2023-11-10 15:56 ` [igt-dev] ✗ Fi.CI.IGT: failure " Patchwork

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=b4585b60-0fa7-c139-401d-fb215fac4336@intel.com \
    --to=bhanuprakash.modem@intel.com \
    --cc=daniels@collabora.com \
    --cc=helen.koike@collabora.com \
    --cc=igt-dev@lists.freedesktop.org \
    --cc=juhapekka.heikkila@gmail.com \
    --cc=vignesh.raman@collabora.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.