Re: [PATCH] drm/xe: Prevent BIT() overflow when handling invalid prefetch region

[Matthew Auld <matthew.auld@intel.com>]

On 12/11/2025 16:26, Lin, Shuicheng wrote:
> On Wed, Nov 12, 2025 2:24 AM Matthew Auld wrote:
>> On 12/11/2025 00:23, Shuicheng Lin wrote:
>>> If user provides a large value (such as 0x80) for parameter
>>> prefetch_mem_region_instance in vm_bind ioctl, it will cause
>>> BIT(prefetch_region) overflow as below:
>>> "
>>>    ------------[ cut here ]------------
>>>    UBSAN: shift-out-of-bounds in drivers/gpu/drm/xe/xe_vm.c:3414:7
>>>    shift exponent 128 is too large for 64-bit type 'long unsigned int'
>>>    CPU: 8 UID: 0 PID: 53120 Comm: xe_exec_system_ Tainted: G        W
>> 6.18.0-rc1-lgci-xe-kernel+ #200 PREEMPT(voluntary)
>>>    Tainted: [W]=WARN
>>>    Hardware name: ASUS System Product Name/PRIME Z790-P WIFI, BIOS
>> 0812 02/24/2023
>>>    Call Trace:
>>>     <TASK>
>>>     dump_stack_lvl+0xa0/0xc0
>>>     dump_stack+0x10/0x20
>>>     ubsan_epilogue+0x9/0x40
>>>     __ubsan_handle_shift_out_of_bounds+0x10e/0x170
>>>     ? mutex_unlock+0x12/0x20
>>>     xe_vm_bind_ioctl.cold+0x20/0x3c [xe]
>>>    ...
>>> "
>>> Fix it by validating prefetch_region before the BIT() usage.
>>>
>>> Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel
>>> GPUs")
>>
>> I think should be:
>>
>> Fixes: c1bb69a2e8e2 ("drm/xe/svm: Consult madvise preferred location in
>> prefetch")
> 
> The UBSAN warning is for the BIT(), and this BIT() check exists since dd08ebf6c352.
> The c1bb69a2e8e2 is for "region_to_mem_type[prefetch_region]", which is truly
> an issue, but not the UBSAN complain about. So I prefer to use dd08ebf6c352.
> What is your idea about it? Thanks.

Oh, I see. Sorry for missing that. That is slightly annoying since we 
will need to be backport this fix to older kernels, but this patch won't 
apply cleanly. The s/region/prefetch_region/ is fairly recent.

In that case, I think we at least need to add:

Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
Cc: <stable@vger.kernel.org> # v6.8+

So this doesn't fall through the cracks. Once this gets picked up for 
older stable kernels you should get mail(s) for which kernels this patch 
fails to cleanly apply on, and the mail itself will contain instructions 
for how to send a patch. I think that should work?

> 
>>
>> And also:
>>
>> Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6478
> 
> Let me add it. I didn't add it because I cannot open it.
> Maybe it is due to some permission.
> 
>>
>>> Cc: Matthew Auld <matthew.auld@intel.com>
>>> Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
>>
>> Reviewed-by: Matthew Auld <matthew.auld@intel.com>
>>
>> An IGT that uses a too large prefetch_region would be good also.
> 
> Let me implement it later.
> 
> Shuicheng
> 
>>
>>> ---
>>>    drivers/gpu/drm/xe/xe_vm.c | 6 ++++--
>>>    1 file changed, 4 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c
>>> index 8fb5cc6a69ec..7cac646bdf1c 100644
>>> --- a/drivers/gpu/drm/xe/xe_vm.c
>>> +++ b/drivers/gpu/drm/xe/xe_vm.c
>>> @@ -3411,8 +3411,10 @@ static int vm_bind_ioctl_check_args(struct
>> xe_device *xe, struct xe_vm *vm,
>>>    				 op == DRM_XE_VM_BIND_OP_PREFETCH) ||
>>>    		    XE_IOCTL_DBG(xe, prefetch_region &&
>>>    				 op != DRM_XE_VM_BIND_OP_PREFETCH) ||
>>> -		    XE_IOCTL_DBG(xe,  (prefetch_region !=
>> DRM_XE_CONSULT_MEM_ADVISE_PREF_LOC &&
>>> -				       !(BIT(prefetch_region) & xe-
>>> info.mem_region_mask))) ||
>>> +		    XE_IOCTL_DBG(xe, (prefetch_region !=
>> DRM_XE_CONSULT_MEM_ADVISE_PREF_LOC &&
>>> +				      /* Guard against undefined shift in
>> BIT(prefetch_region) */
>>> +				      (prefetch_region >= (sizeof(xe-
>>> info.mem_region_mask) * 8) ||
>>> +				      !(BIT(prefetch_region) & xe-
>>> info.mem_region_mask)))) ||
>>>    		    XE_IOCTL_DBG(xe, obj &&
>>>    				 op == DRM_XE_VM_BIND_OP_UNMAP) ||
>>>    		    XE_IOCTL_DBG(xe, (flags &
>>> DRM_XE_VM_BIND_FLAG_MADVISE_AUTORESET) &&
>