From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ben Widawsky <benjamin.widawsky@intel.com>
Subject: Re: [PATCH 2/2] drm/i915: Avoid dereference past end of
 page array in gen8_ppgtt_insert_entries()
Date: Wed, 1 Jan 2014 12:15:11 -0800
Message-ID: <20140101201511.GD23858@intel.com>
References: <1388505031-29175-1-git-send-email-chris@chris-wilson.co.uk>
	<1388505031-29175-2-git-send-email-chris@chris-wilson.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <intel-gfx-bounces+gcfxdi-intel-gfx=m.gmane.org@lists.freedesktop.org>
Received: from mail-pa0-f52.google.com (mail-pa0-f52.google.com
	[209.85.220.52])
	by gabe.freedesktop.org (Postfix) with ESMTP id 7B8D7FA380
	for <intel-gfx@lists.freedesktop.org>;
	Wed,  1 Jan 2014 12:15:14 -0800 (PST)
Received: by mail-pa0-f52.google.com with SMTP id ld10so13913751pab.11
	for <intel-gfx@lists.freedesktop.org>;
	Wed, 01 Jan 2014 12:15:14 -0800 (PST)
Content-Disposition: inline
In-Reply-To: <1388505031-29175-2-git-send-email-chris@chris-wilson.co.uk>
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/intel-gfx>,
	<mailto:intel-gfx-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/intel-gfx>
List-Post: <mailto:intel-gfx@lists.freedesktop.org>
List-Help: <mailto:intel-gfx-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/intel-gfx>,
	<mailto:intel-gfx-request@lists.freedesktop.org?subject=subscribe>
Sender: intel-gfx-bounces+gcfxdi-intel-gfx=m.gmane.org@lists.freedesktop.org
Errors-To: intel-gfx-bounces+gcfxdi-intel-gfx=m.gmane.org@lists.freedesktop.org
To: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>, intel-gfx@lists.freedesktop.org
List-Id: intel-gfx@lists.freedesktop.org

On Tue, Dec 31, 2013 at 03:50:31PM +0000, Chris Wilson wrote:
> The bug from gen6_ppgtt_insert_entries() was replicated into
> gen8_ppgtt_insert_entries(). This applies the fix for the OOPS from the
> previous patch to the gen8 routine.
> 
> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
> Cc: Ben Widawsky <benjamin.widawsky@intel.com>

Note to Daniel: This is still broken (for gen8) in the 4GB GGTT series.
There, pdpe is the bad guy.

Both are:
Reviewed-by: Ben Widawsky <ben@bwidawsk.net>

> ---
>  drivers/gpu/drm/i915/i915_gem_gtt.c | 18 +++++++++---------
>  1 file changed, 9 insertions(+), 9 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.c b/drivers/gpu/drm/i915/i915_gem_gtt.c
> index 366ede6352db..2a26d739a962 100644
> --- a/drivers/gpu/drm/i915/i915_gem_gtt.c
> +++ b/drivers/gpu/drm/i915/i915_gem_gtt.c
> @@ -299,23 +299,23 @@ static void gen8_ppgtt_insert_entries(struct i915_address_space *vm,
>  	unsigned act_pte = first_entry % GEN8_PTES_PER_PAGE;
>  	struct sg_page_iter sg_iter;
>  
> -	pt_vaddr = kmap_atomic(&ppgtt->gen8_pt_pages[act_pt]);
> +	pt_vaddr = NULL;
>  	for_each_sg_page(pages->sgl, &sg_iter, pages->nents, 0) {
> -		dma_addr_t page_addr;
> +		if (pt_vaddr == NULL)
> +			pt_vaddr = kmap_atomic(&ppgtt->gen8_pt_pages[act_pt]);
>  
> -		page_addr = sg_dma_address(sg_iter.sg) +
> -				(sg_iter.sg_pgoffset << PAGE_SHIFT);
> -		pt_vaddr[act_pte] = gen8_pte_encode(page_addr, cache_level,
> -						    true);
> +		pt_vaddr[act_pte] =
> +			gen8_pte_encode(sg_page_iter_dma_address(&sg_iter),
> +					cache_level, true);
>  		if (++act_pte == GEN8_PTES_PER_PAGE) {
>  			kunmap_atomic(pt_vaddr);
> +			pt_vaddr = NULL;
>  			act_pt++;
> -			pt_vaddr = kmap_atomic(&ppgtt->gen8_pt_pages[act_pt]);
>  			act_pte = 0;
> -
>  		}
>  	}
> -	kunmap_atomic(pt_vaddr);
> +	if (pt_vaddr)
> +		kunmap_atomic(pt_vaddr);
>  }
>  
>  static void gen8_ppgtt_cleanup(struct i915_address_space *vm)
> -- 
> 1.8.5.2
> 

-- 
Ben Widawsky, Intel Open Source Technology Center