From: Dave Gordon <david.s.gordon@intel.com>
To: intel-gfx@lists.freedesktop.org
Subject: Re: [PATCH] drm/i915: fix out-of-bounds page_table access
Date: Fri, 24 Jun 2016 19:28:35 +0100 [thread overview]
Message-ID: <576D7BD3.1000904@intel.com> (raw)
In-Reply-To: <20160624163717.GB10180@nuc-i3427.alporthouse.com>
On 24/06/16 17:37, Chris Wilson wrote:
> On Fri, Jun 24, 2016 at 05:04:46PM +0100, Matthew Auld wrote:
>> The gen6_for_all_pdes macro does the upper-bound evaluation after
>> accessing the page_table array, hence on the final iteration we end up
>> hitting an out-of-bounds error:
>>
>> [ 1023.831657] UBSAN: Undefined behaviour in drivers/gpu/drm/i915/i915_gem_gtt.c:1993:2
>> [ 1023.831680] index 512 is out of range for type 'i915_page_table *[512]'
>> [ 1023.831696] CPU: 0 PID: 4833 Comm: rmmod Tainted: G U 4.7.0-rc4-drm-intel-debug+ #5
>> [ 1023.831698] Hardware name: ASUS All Series/Z87-K, BIOS 1202 05/13/2014
>> [ 1023.831700] 0000000000000200 00000000adfe9733 ffff8801a3917988 ffffffff818cc0a4
>> [ 1023.831705] 0000000041b58ab3 ffffffff8275ca08 ffffffff818cbff2 ffff8801a39179b0
>> [ 1023.831708] ffff8801a3917960 0000000000000200 1ffffffff4365b17 0000000000000001
>> [ 1023.831711] Call Trace:
>> [ 1023.831717] [<ffffffff818cc0a4>] dump_stack+0xb2/0x10e
>> [ 1023.831721] [<ffffffff818cbff2>] ? _atomic_dec_and_lock+0x152/0x152
>> [ 1023.831726] [<ffffffff81952b0b>] ubsan_epilogue+0xd/0x4e
>> [ 1023.831730] [<ffffffff8195373d>] __ubsan_handle_out_of_bounds+0x107/0x14d
>> [ 1023.831733] [<ffffffff81953636>] ? __ubsan_handle_shift_out_of_bounds+0x24c/0x24c
>> [ 1023.831737] [<ffffffff814bfde6>] ? kfree+0x246/0x3f0
>> [ 1023.831801] [<ffffffffa183bff8>] gen6_ppgtt_cleanup+0x128/0x130 [i915]
>>
>> Cc: Chris Wilson <chris@chris-wilson.co.uk>
>> Signed-off-by: Matthew Auld <matthew.auld@intel.com>
>
> Ok. Tried to find something to complain about and couldn't.
> Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
> -Chris
Well ... not enough to reject it, but there's the lack of parentheses
round macro parameters, and it uses ?: rather than the && style used in
the Gen8 equivalents. I'll post an alternative based on the Gen8 version ...
.Dave.
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
next prev parent reply other threads:[~2016-06-24 18:28 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-24 16:04 [PATCH] drm/i915: fix out-of-bounds page_table access Matthew Auld
2016-06-24 16:33 ` ✓ Ro.CI.BAT: success for " Patchwork
2016-06-24 16:37 ` [PATCH] " Chris Wilson
2016-06-24 18:28 ` Dave Gordon [this message]
2016-06-24 18:37 ` [PATCH] drm/i915: tweak gen6_for_{each_pde, all_pdes} macros Dave Gordon
2016-06-25 15:48 ` Matthew Auld
2016-06-25 5:26 ` ✗ Ro.CI.BAT: warning for drm/i915: fix out-of-bounds page_table access (rev2) Patchwork
2016-06-27 11:59 ` Dave Gordon
2016-06-27 12:14 ` Tvrtko Ursulin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=576D7BD3.1000904@intel.com \
--to=david.s.gordon@intel.com \
--cc=intel-gfx@lists.freedesktop.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox