From: Daniel Vetter <daniel@ffwll.ch>
To: Michel Thierry <michel.thierry@intel.com>
Cc: intel-gfx@lists.freedesktop.org
Subject: Re: [PATCH] drm/i915: prevent out of range pt in the PDE macros (take 3)
Date: Fri, 2 Oct 2015 09:58:05 +0200 [thread overview]
Message-ID: <20151002075805.GD3383@phenom.ffwll.local> (raw)
In-Reply-To: <1443715175-32567-1-git-send-email-michel.thierry@intel.com>
On Thu, Oct 01, 2015 at 04:59:35PM +0100, Michel Thierry wrote:
> We tried to fix this in commit fdc454c1484a ("drm/i915: Prevent out of
> range pt in gen6_for_each_pde").
>
> But the static analyzer still complains that, just before we break due
> to "iter < I915_PDES", we do "pt = (pd)->page_table[iter]" with an
> iter value that is bigger than I915_PDES. Of course, this isn't really
> a problem since no one uses pt outside the macro. Still, every single
> new usage of the macro will create a new issue for us to mark as a
> false positive.
>
> Also, Paulo re-started the discussion a while ago [1], but didn't end up
> implemented.
>
> In order to "solve" this "problem", this patch takes the ideas from
> Chris and Dave, but that check would change the desired behavior of the
> code, because the object (for example pdp->page_directory[iter]) can be
> null during init/alloc, and C would take this as false, breaking the for
> loop immediately.
>
> This has been already verified with "static analysis tools".
>
> [1]http://lists.freedesktop.org/archives/intel-gfx/2015-June/068548.html
>
> Cc: Paulo Zanoni <paulo.r.zanoni@intel.com>
> Cc: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: Dave Gordon <david.s.gordon@intel.com>
> Signed-off-by: Michel Thierry <michel.thierry@intel.com>
So maybe I'm dense and not seeing what's really going on, but the only
thing we seem to be doing is create a pointer to arr[SIZE], i.e. a pointer
to the element right after the last valid one. Pointer arithmetic and
comparison are explicitly allowed by the C standard on such a pointer. The
only thing not allowed is dereference it (which we don't seem to be doing
here).
The reason for this is exactly this case here, not allowing this means
checking whether you've run off the end of an array often becomes very
unnatural.
So if there's nothing else going on I think the right choice is to mark
them all up as false positives - the tool is wrong.
-Daniel
> ---
> drivers/gpu/drm/i915/i915_gem_gtt.h | 14 ++++++++++----
> 1 file changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.h b/drivers/gpu/drm/i915/i915_gem_gtt.h
> index 9fbb07d..94f8344 100644
> --- a/drivers/gpu/drm/i915/i915_gem_gtt.h
> +++ b/drivers/gpu/drm/i915/i915_gem_gtt.h
> @@ -394,7 +394,9 @@ struct i915_hw_ppgtt {
> */
> #define gen6_for_each_pde(pt, pd, start, length, temp, iter) \
> for (iter = gen6_pde_index(start); \
> - pt = (pd)->page_table[iter], length > 0 && iter < I915_PDES; \
> + pt = (length > 0 && iter < I915_PDES) ? \
> + (pd)->page_table[iter] : NULL, \
> + length > 0 && iter < I915_PDES; \
> iter++, \
> temp = ALIGN(start+1, 1 << GEN6_PDE_SHIFT) - start, \
> temp = min_t(unsigned, temp, length), \
> @@ -459,7 +461,9 @@ static inline uint32_t gen6_pde_index(uint32_t addr)
> */
> #define gen8_for_each_pde(pt, pd, start, length, temp, iter) \
> for (iter = gen8_pde_index(start); \
> - pt = (pd)->page_table[iter], length > 0 && iter < I915_PDES; \
> + pt = (length > 0 && iter < I915_PDES) ? \
> + (pd)->page_table[iter] : NULL, \
> + length > 0 && iter < I915_PDES; \
> iter++, \
> temp = ALIGN(start+1, 1 << GEN8_PDE_SHIFT) - start, \
> temp = min(temp, length), \
> @@ -467,7 +471,8 @@ static inline uint32_t gen6_pde_index(uint32_t addr)
>
> #define gen8_for_each_pdpe(pd, pdp, start, length, temp, iter) \
> for (iter = gen8_pdpe_index(start); \
> - pd = (pdp)->page_directory[iter], \
> + pd = (length > 0 && (iter < I915_PDPES_PER_PDP(dev))) ? \
> + (pdp)->page_directory[iter] : NULL, \
> length > 0 && (iter < I915_PDPES_PER_PDP(dev)); \
> iter++, \
> temp = ALIGN(start+1, 1 << GEN8_PDPE_SHIFT) - start, \
> @@ -476,7 +481,8 @@ static inline uint32_t gen6_pde_index(uint32_t addr)
>
> #define gen8_for_each_pml4e(pdp, pml4, start, length, temp, iter) \
> for (iter = gen8_pml4e_index(start); \
> - pdp = (pml4)->pdps[iter], \
> + pdp = (length > 0 && iter < GEN8_PML4ES_PER_PML4) ? \
> + (pml4)->pdps[iter] : NULL, \
> length > 0 && iter < GEN8_PML4ES_PER_PML4; \
> iter++, \
> temp = ALIGN(start+1, 1ULL << GEN8_PML4E_SHIFT) - start, \
> --
> 2.6.0
>
> _______________________________________________
> Intel-gfx mailing list
> Intel-gfx@lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/intel-gfx
--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/intel-gfx
next prev parent reply other threads:[~2015-10-02 7:55 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-01 15:59 [PATCH] drm/i915: prevent out of range pt in the PDE macros (take 3) Michel Thierry
2015-10-01 16:09 ` Chris Wilson
2015-10-02 12:47 ` Michel Thierry
2015-10-02 12:58 ` Chris Wilson
2015-10-02 13:11 ` Michel Thierry
2015-10-02 7:58 ` Daniel Vetter [this message]
2015-10-02 8:58 ` Chris Wilson
2015-10-02 10:52 ` Daniel Vetter
2015-10-02 13:16 ` [PATCH v2] " Michel Thierry
2015-10-05 16:36 ` Dave Gordon
2015-10-05 16:59 ` Michel Thierry
2015-10-06 8:38 ` Daniel Vetter
2015-10-06 9:43 ` Chris Wilson
2015-10-06 10:09 ` Daniel Vetter
2015-10-06 10:19 ` Chris Wilson
2015-10-06 11:21 ` Dave Gordon
2015-10-06 11:53 ` Chris Wilson
2015-12-03 15:29 ` Dave Gordon
2015-12-08 13:30 ` [PATCH 0/1] drm/i915: eliminate 'temp' in gen8_for_each_{pdd, pdpe, pml4e} Dave Gordon
2015-12-08 13:30 ` [PATCH 1/1] drm/i915: eliminate 'temp' in gen8_for_each_{pdd, pdpe, pml4e} macros Dave Gordon
2015-12-10 8:39 ` Daniel Vetter
2015-12-10 8:35 ` [PATCH 0/1] drm/i915: eliminate 'temp' in gen8_for_each_{pdd, pdpe, pml4e} Daniel Vetter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151002075805.GD3383@phenom.ffwll.local \
--to=daniel@ffwll.ch \
--cc=intel-gfx@lists.freedesktop.org \
--cc=michel.thierry@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox