From: Matthew Auld <matthew.auld@intel.com>
To: Shuicheng Lin <shuicheng.lin@intel.com>, intel-xe@lists.freedesktop.org
Cc: stable@vger.kernel.org
Subject: Re: [PATCH v2] drm/xe: Prevent BIT() overflow when handling invalid prefetch region
Date: Fri, 14 Nov 2025 14:05:11 +0000 [thread overview]
Message-ID: <d2ddc2b2-e22a-4cfb-aa27-9332b03ecbc3@intel.com> (raw)
In-Reply-To: <20251112181005.2120521-2-shuicheng.lin@intel.com>
On 12/11/2025 18:10, Shuicheng Lin wrote:
> If the user provides a large value (such as 0x80) for the parameter
> prefetch_mem_region_instance in the vm_bind ioctl, it will cause
> BIT(prefetch_region) to overflow as below:
> "
> ------------[ cut here ]------------
> UBSAN: shift-out-of-bounds in drivers/gpu/drm/xe/xe_vm.c:3414:7
> shift exponent 128 is too large for 64-bit type 'long unsigned int'
> CPU: 8 UID: 0 PID: 53120 Comm: xe_exec_system_ Tainted: G W 6.18.0-rc1-lgci-xe-kernel+ #200 PREEMPT(voluntary)
> Tainted: [W]=WARN
> Hardware name: ASUS System Product Name/PRIME Z790-P WIFI, BIOS 0812 02/24/2023
> Call Trace:
> <TASK>
> dump_stack_lvl+0xa0/0xc0
> dump_stack+0x10/0x20
> ubsan_epilogue+0x9/0x40
> __ubsan_handle_shift_out_of_bounds+0x10e/0x170
> ? mutex_unlock+0x12/0x20
> xe_vm_bind_ioctl.cold+0x20/0x3c [xe]
> ...
> "
> Fix it by validating prefetch_region before the BIT() usage.
>
> v2: Add Closes and Cc stable kernels. (Matt)
>
> Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
> Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6478
> Cc: <stable@vger.kernel.org> # v6.8+
> Reviewed-by: Matthew Auld <matthew.auld@intel.com>
> Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
Pushed with added:
Reported-by: Koen Koning <koen.koning@intel.com>
Reported-by: Peter Senna Tschudin <peter.senna@linux.intel.com>
Thanks for the fix.
> ---
> drivers/gpu/drm/xe/xe_vm.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c
> index 8fb5cc6a69ec..7cac646bdf1c 100644
> --- a/drivers/gpu/drm/xe/xe_vm.c
> +++ b/drivers/gpu/drm/xe/xe_vm.c
> @@ -3411,8 +3411,10 @@ static int vm_bind_ioctl_check_args(struct xe_device *xe, struct xe_vm *vm,
> op == DRM_XE_VM_BIND_OP_PREFETCH) ||
> XE_IOCTL_DBG(xe, prefetch_region &&
> op != DRM_XE_VM_BIND_OP_PREFETCH) ||
> - XE_IOCTL_DBG(xe, (prefetch_region != DRM_XE_CONSULT_MEM_ADVISE_PREF_LOC &&
> - !(BIT(prefetch_region) & xe->info.mem_region_mask))) ||
> + XE_IOCTL_DBG(xe, (prefetch_region != DRM_XE_CONSULT_MEM_ADVISE_PREF_LOC &&
> + /* Guard against undefined shift in BIT(prefetch_region) */
> + (prefetch_region >= (sizeof(xe->info.mem_region_mask) * 8) ||
> + !(BIT(prefetch_region) & xe->info.mem_region_mask)))) ||
> XE_IOCTL_DBG(xe, obj &&
> op == DRM_XE_VM_BIND_OP_UNMAP) ||
> XE_IOCTL_DBG(xe, (flags & DRM_XE_VM_BIND_FLAG_MADVISE_AUTORESET) &&
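Review bot: the new `prefetch_region >= (sizeof(xe->info.mem_region_mask) * 8)` test only protects `BIT(prefetch_region)` because it sits ahead of it in the same `||` and short-circuits; that ordering is load-bearing, and the added comment could say so, so that a later reshuffle of the condition does not bring the UBSAN shift-out-of-bounds report back. Minor style point: the kernel already provides `BITS_PER_TYPE(xe->info.mem_region_mask)` for `sizeof(...) * 8`, which reads more clearly than the hard-coded 8. With the guard in place an out-of-range instance trips the `XE_IOCTL_DBG` condition in `vm_bind_ioctl_check_args()` like any other invalid argument instead of reaching the shift.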
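Added example, not part of this thread or of the xe driver: a userspace model of the fixed prefetch-region test, so the out-of-range value from the report (0x80) and the boundary cases around the mask width can be exercised without a kernel build. It assumes a 64-bit `mem_region_mask` and substitutes a placeholder for the value of `DRM_XE_CONSULT_MEM_ADVISE_PREF_LOC`, which is not on the page.

```c
/* Added example, not the xe driver's code: a userspace model of the
 * prefetch-region test in vm_bind_ioctl_check_args(), after the fix.
 * Assumptions: a 64-bit mem_region_mask (so BIT() is 1UL << nr on a
 * 64-bit build) and a placeholder value for the sentinel constant. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_BYTE 8
#define BITS_PER_TYPE(x) (sizeof(x) * BITS_PER_BYTE)
/* Models the kernel's BIT(): shifting by >= 64 is undefined behaviour,
 * which is exactly what UBSAN reported for prefetch_region == 0x80. */
#define BIT(nr) ((uint64_t)1 << (nr))

/* Placeholder for DRM_XE_CONSULT_MEM_ADVISE_PREF_LOC; the real value is not
 * on this page, so an all-ones u32 is assumed here. */
#define CONSULT_MEM_ADVISE_PREF_LOC 0xffffffffu

/* Returns true when prefetch_region is acceptable: either the sentinel or
 * the index of a region present in mem_region_mask. The width check must
 * run before BIT() so the shift is never evaluated with a bad exponent. */
static bool prefetch_region_ok(uint32_t prefetch_region, uint64_t mem_region_mask)
{
	if (prefetch_region == CONSULT_MEM_ADVISE_PREF_LOC)
		return true;
	if (prefetch_region >= BITS_PER_TYPE(mem_region_mask))
		return false;   /* the pre-fix check would have shifted here */
	return (BIT(prefetch_region) & mem_region_mask) != 0;
}

int main(void)
{
	/* Constructed mask: three regions, instances 0..2 are valid. */
	const uint64_t mask = BIT(0) | BIT(1) | BIT(2);
	const uint32_t probes[] = { 0, 2, 3, 63, 64, 0x80,
				    CONSULT_MEM_ADVISE_PREF_LOC };

	for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("prefetch_region 0x%x -> %s\n", probes[i],
		       prefetch_region_ok(probes[i], mask) ? "ok" : "rejected");
	return 0;
}
```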