From: bugzilla-daemon@freedesktop.org
Subject: [Bug 101387] amdgpu display corruption and hang on AMD A10-9620P
Date: Tue, 13 Jun 2017 11:35:43 +0000
To: dri-devel@lists.freedesktop.org
List-Id: dri-devel@lists.freedesktop.org

https://bugs.freedesktop.org/show_bug.cgi?id=101387

--- Comment #6 from Carlo Caione ---
Uhm, probably I have found something.

In amdgpu_atombios_crtc_powergate_init() we are declaring

ENABLE_DISP_POWER_GATING_PARAMETERS_V2_1 args;

so that args is basically a 32byte struct. We are passing down this struct to
amdgpu_atom_execute_table() casting it to (uint32_t *). This address is then
assigned to (uint32_t *) ectx.ps in amdgpu_atom_execute_table_locked().

At a certain point during the execution of the code in the table with index =
75, atom_put_dst() is called with argument ATOM_ARG_PS and index == 1. So we
are doing:

ctx->ps[idx] = cpu_to_le32(val);

but being idx == 1, we are accessing over the boundaries of args, so triggering
the stack corruption.

Is this analysis correct and if it is how can we fix this?
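One way to catch the write described in comment #6, as an added example that is not the amdgpu driver's code: the execution context records how many dwords the caller's parameter space holds, and the store is bounds-checked. All `demo_*` names and the one-dword argument struct are hypothetical stand-ins, sized so that PS index 1 falls outside the struct.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical one-dword argument struct, so PS index 1 lies outside it. */
struct demo_params { uint8_t pipe_id, enable, padding[2]; };

/* Hypothetical context: besides the ps pointer it records the number of
 * dwords the caller really provided. */
struct demo_exec_ctx {
    uint32_t *ps;
    size_t ps_dwords;
};

/* Bounded counterpart of "ctx->ps[idx] = val". */
static int demo_put_ps(struct demo_exec_ctx *ctx, size_t idx, uint32_t val)
{
    if (idx >= ctx->ps_dwords)
        return -1; /* unchecked, this store would land past the caller's struct */
    ctx->ps[idx] = val;
    return 0;
}

/* Replays constructed writes to PS[0] and PS[1]. Returns the first rejected
 * index, or -1 if none was rejected. */
static int demo_first_rejected(uint32_t *ps0_out)
{
    union { struct demo_params args; uint32_t dw[1]; } u = { .dw = { 0 } };
    struct demo_exec_ctx ctx = { u.dw, sizeof(u.args) / sizeof(uint32_t) };
    int first = -1;

    for (size_t idx = 0; idx < 2; idx++)
        if (demo_put_ps(&ctx, idx, 0x1000u + (uint32_t)idx) != 0 && first < 0)
            first = (int)idx;
    *ps0_out = u.dw[0];
    return first;
}

int main(void)
{
    uint32_t ps0;
    int idx = demo_first_rejected(&ps0);
    printf("PS[0]=0x%x, first rejected PS index=%d\n", (unsigned)ps0, idx);
    return 0;
}
```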