From: Dave Jones
To: daniel.vetter@intel.com
Cc: Linux Kernel, intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org
Subject: i915/kasan: out of bounds access in i915_cmd_parser_init_ring
Date: Thu, 13 Aug 2015 21:09:03 -0400
Message-ID: <20150814010903.GA19621@codemonkey.org.uk>

I finally got around to playing with kasan. It didn't end well.
I added some debugging to validate_cmds_sorted to print out the table sizes
right before the stack traces.
	Dave

validate_cmds_sorted: table:ffffffffa1fb4220 cmd_table_count:3
validate_cmds_sorted: table:ffffffffa1fb4220 table->count:12
validate_cmds_sorted: table:ffffffffa1fb4230 table->count:20
validate_cmds_sorted: table:ffffffffa1fb4230 table->count:20
validate_cmds_sorted: table:ffffffffa1fb4240 table->count:18
validate_cmds_sorted: table:ffffffffa1fb41e0 cmd_table_count:2
validate_cmds_sorted: table:ffffffffa1fb41e0 table->count:12
validate_cmds_sorted: table:ffffffffa1fb41f0 table->count:7
validate_cmds_sorted: table:ffffffffa1fb4100 cmd_table_count:3
validate_cmds_sorted: table:ffffffffa1fb4100 table->count:12
validate_cmds_sorted: table:ffffffffa1fb4110 table->count:6
==================================================================
BUG: KASan: out of bounds access in i915_cmd_parser_init_ring+0x66b/0x760 at addr ffffffffa1fb4374
Read of size 4 by task swapper/0/1
Address belongs to variable hsw_blt_cmds+0xb4/0xe0
CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.2.0-rc6-firewall+ #4
 0000000000000002 ffff8801d6baf478 ffffffffa1c0b4fb 0000000000000032
 ffff8801d6baf510 ffff8801d6baf4f8 ffffffffa123198f ffff8801d6baf5a8
 ffffed003ad75e9b 0000000000000246 ffffffffa1fb4110 0000000010000000
Call Trace:
 [] dump_stack+0x4f/0x7b
 [] kasan_report_error+0x3bf/0x3f0
 [] kasan_report+0x3b/0x40
 [] ? i915_cmd_parser_init_ring+0x66b/0x760
 [] __asan_load4+0x66/0xa0
 [] i915_cmd_parser_init_ring+0x66b/0x760
 [] intel_init_ring_buffer+0x449/0x680
 [] intel_init_blt_ring_buffer+0x38e/0x520
 [] i915_gem_init_rings+0x74/0x220
 [] i915_gem_init+0x1e2/0x320
 [] i915_driver_load+0x1571/0x2310
 [] ? debug_lockdep_rcu_enabled+0x4e/0x70
 [] ? __lock_acquire+0x97e/0x2710
 [] ? debug_smp_processor_id+0x17/0x20
 [] ? debug_show_all_locks+0x280/0x280
 [] ? __mutex_unlock_slowpath+0x11b/0x1e0
 [] ? trace_hardirqs_on_caller+0x192/0x2a0
 [] ? i915_getparam+0x390/0x390
 [] ? mark_held_locks+0xa4/0xd0
 [] ? _raw_spin_unlock_irqrestore+0x58/0x70
 [] ? trace_hardirqs_on_caller+0x192/0x2a0
 [] ? preempt_count_sub+0xc1/0x130
 [] ? _raw_spin_unlock_irqrestore+0x43/0x70
 [] drm_dev_register+0xd1/0x170
 [] drm_get_pci_dev+0xf1/0x350
 [] ? trace_hardirqs_on_caller+0x192/0x2a0
 [] i915_pci_probe+0x83/0xb0
 [] pci_device_probe+0xcf/0x130
 [] driver_probe_device+0x1e1/0x410
 [] ? driver_probe_device+0x410/0x410
 [] ? driver_probe_device+0x410/0x410
 [] __driver_attach+0xd6/0xe0
 [] bus_for_each_dev+0xf5/0x160
 [] ? bus_remove_file+0xa0/0xa0
 [] ? do_raw_spin_unlock+0xa4/0x140
 [] ? preempt_count_sub+0xc1/0x130
 [] driver_attach+0x30/0x40
 [] bus_add_driver+0x2b1/0x330
 [] driver_register+0xde/0x1b0
 [] __pci_register_driver+0xbc/0xd0
 [] drm_pci_init+0x1e7/0x210
 [] ? do_one_initcall+0x108/0x242
 [] ? do_one_initcall+0x108/0x242
 [] i915_init+0xdb/0xe3
 [] ? mipi_dsi_bus_init+0x12/0x12
 [] do_one_initcall+0x227/0x242
 [] ? start_kernel+0x4ed/0x4ed
 [] ? parse_args+0x5b/0x4f0
 [] kernel_init_freeable+0x290/0x321
 [] ? rest_init+0x150/0x150
 [] kernel_init+0x14/0x100
 [] ? rest_init+0x150/0x150
 [] ret_from_fork+0x3f/0x70
 [] ? rest_init+0x150/0x150
Memory state around the buggy address:
 ffffffffa1fb4200: fa fa fa fa 00 00 00 00 00 00 fa fa fa fa fa fa
 ffffffffa1fb4280: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
>ffffffffa1fb4300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
                                                             ^
 ffffffffa1fb4380: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffffa1fb4400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASan: out of bounds access in i915_cmd_parser_init_ring+0x67e/0x760 at addr ffffffffa1fb4378
Read of size 4 by task swapper/0/1
Address belongs to variable hsw_blt_cmds+0xb8/0xe0
CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.2.0-rc6-firewall+ #4
 0000000000000002 ffff8801d6baf478 ffffffffa1c0b4fb 0000000000000032
 ffff8801d6baf510 ffff8801d6baf4f8 ffffffffa123198f 0000000000000010
 ffffed0000000000 0000000000000246 fffffbfff43f686e 6666662010000000
Call Trace:
 [] dump_stack+0x4f/0x7b
 [] kasan_report_error+0x3bf/0x3f0
 [] kasan_report+0x3b/0x40
 [] ? i915_cmd_parser_init_ring+0x67e/0x760
 [] __asan_load4+0x66/0xa0
 [] i915_cmd_parser_init_ring+0x67e/0x760
 [] intel_init_ring_buffer+0x449/0x680
 [] intel_init_blt_ring_buffer+0x38e/0x520
 [] i915_gem_init_rings+0x74/0x220
 [] i915_gem_init+0x1e2/0x320
 [] i915_driver_load+0x1571/0x2310
 [] ? debug_lockdep_rcu_enabled+0x4e/0x70
 [] ? __lock_acquire+0x97e/0x2710
 [] ? debug_smp_processor_id+0x17/0x20
 [] ? debug_show_all_locks+0x280/0x280
 [] ? __mutex_unlock_slowpath+0x11b/0x1e0
 [] ? trace_hardirqs_on_caller+0x192/0x2a0
 [] ? i915_getparam+0x390/0x390
 [] ? mark_held_locks+0xa4/0xd0
 [] ? _raw_spin_unlock_irqrestore+0x58/0x70
 [] ? trace_hardirqs_on_caller+0x192/0x2a0
 [] ? preempt_count_sub+0xc1/0x130
 [] ? _raw_spin_unlock_irqrestore+0x43/0x70
 [] drm_dev_register+0xd1/0x170
 [] drm_get_pci_dev+0xf1/0x350
 [] ? trace_hardirqs_on_caller+0x192/0x2a0
 [] i915_pci_probe+0x83/0xb0
 [] pci_device_probe+0xcf/0x130
 [] driver_probe_device+0x1e1/0x410
 [] ? driver_probe_device+0x410/0x410
 [] ? driver_probe_device+0x410/0x410
 [] __driver_attach+0xd6/0xe0
 [] bus_for_each_dev+0xf5/0x160
 [] ? bus_remove_file+0xa0/0xa0
 [] ? do_raw_spin_unlock+0xa4/0x140
 [] ? preempt_count_sub+0xc1/0x130
 [] driver_attach+0x30/0x40
 [] bus_add_driver+0x2b1/0x330
 [] driver_register+0xde/0x1b0
 [] __pci_register_driver+0xbc/0xd0
 [] drm_pci_init+0x1e7/0x210
 [] ? do_one_initcall+0x108/0x242
 [] ? do_one_initcall+0x108/0x242
 [] i915_init+0xdb/0xe3
 [] ? mipi_dsi_bus_init+0x12/0x12
 [] do_one_initcall+0x227/0x242
 [] ? start_kernel+0x4ed/0x4ed
 [] ? parse_args+0x5b/0x4f0
 [] kernel_init_freeable+0x290/0x321
 [] ? rest_init+0x150/0x150
 [] kernel_init+0x14/0x100
 [] ? rest_init+0x150/0x150
 [] ret_from_fork+0x3f/0x70
 [] ? rest_init+0x150/0x150
Memory state around the buggy address:
 ffffffffa1fb4200: fa fa fa fa 00 00 00 00 00 00 fa fa fa fa fa fa
 ffffffffa1fb4280: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
>ffffffffa1fb4300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
                                                                ^
 ffffffffa1fb4380: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffffa1fb4400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
validate_cmds_sorted: table:ffffffffa1fb4120 table->count:2
==================================================================
BUG: KASan: out of bounds access in i915_cmd_parser_init_ring+0x6eb/0x760 at addr ffffffffa1fb4374
Read of size 4 by task swapper/0/1
Address belongs to variable hsw_blt_cmds+0xb4/0xe0
CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.2.0-rc6-firewall+ #4
 0000000000000002 ffff8801d6baf478 ffffffffa1c0b4fb 0000000000000032
 ffff8801d6baf510 ffff8801d6baf4f8 ffffffffa123198f 0000000000000010
 ffffed003ad75e9b 0000000000000246 ffffffffa1fb4120 0000000000000003
Call Trace:
 [] dump_stack+0x4f/0x7b
 [] kasan_report_error+0x3bf/0x3f0
 [] kasan_report+0x3b/0x40
 [] ? i915_cmd_parser_init_ring+0x6eb/0x760
 [] __asan_load4+0x66/0xa0
 [] i915_cmd_parser_init_ring+0x6eb/0x760
 [] intel_init_ring_buffer+0x449/0x680
 [] intel_init_blt_ring_buffer+0x38e/0x520
 [] i915_gem_init_rings+0x74/0x220
 [] i915_gem_init+0x1e2/0x320
 [] i915_driver_load+0x1571/0x2310
 [] ? debug_lockdep_rcu_enabled+0x4e/0x70
 [] ? __lock_acquire+0x97e/0x2710
 [] ? debug_smp_processor_id+0x17/0x20
 [] ? debug_show_all_locks+0x280/0x280
 [] ? __mutex_unlock_slowpath+0x11b/0x1e0
 [] ? trace_hardirqs_on_caller+0x192/0x2a0
 [] ? i915_getparam+0x390/0x390
 [] ? mark_held_locks+0xa4/0xd0
 [] ? _raw_spin_unlock_irqrestore+0x58/0x70
 [] ? trace_hardirqs_on_caller+0x192/0x2a0
 [] ? preempt_count_sub+0xc1/0x130
 [] ? _raw_spin_unlock_irqrestore+0x43/0x70
 [] drm_dev_register+0xd1/0x170
 [] drm_get_pci_dev+0xf1/0x350
 [] ? trace_hardirqs_on_caller+0x192/0x2a0
 [] i915_pci_probe+0x83/0xb0
 [] pci_device_probe+0xcf/0x130
 [] driver_probe_device+0x1e1/0x410
 [] ? driver_probe_device+0x410/0x410
 [] ? driver_probe_device+0x410/0x410
 [] __driver_attach+0xd6/0xe0
 [] bus_for_each_dev+0xf5/0x160
 [] ? bus_remove_file+0xa0/0xa0
 [] ? do_raw_spin_unlock+0xa4/0x140
 [] ? preempt_count_sub+0xc1/0x130
 [] driver_attach+0x30/0x40
 [] bus_add_driver+0x2b1/0x330
 [] driver_register+0xde/0x1b0
 [] __pci_register_driver+0xbc/0xd0
 [] drm_pci_init+0x1e7/0x210
 [] ? do_one_initcall+0x108/0x242
 [] ? do_one_initcall+0x108/0x242
 [] i915_init+0xdb/0xe3
 [] ? mipi_dsi_bus_init+0x12/0x12
 [] do_one_initcall+0x227/0x242
 [] ? start_kernel+0x4ed/0x4ed
 [] ? parse_args+0x5b/0x4f0
 [] kernel_init_freeable+0x290/0x321
 [] ? rest_init+0x150/0x150
 [] kernel_init+0x14/0x100
 [] ? rest_init+0x150/0x150
 [] ret_from_fork+0x3f/0x70
 [] ? rest_init+0x150/0x150
Memory state around the buggy address:
 ffffffffa1fb4200: fa fa fa fa 00 00 00 00 00 00 fa fa fa fa fa fa
 ffffffffa1fb4280: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
>ffffffffa1fb4300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
                                                             ^
 ffffffffa1fb4380: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffffa1fb4400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASan: out of bounds access in i915_cmd_parser_init_ring+0x6fb/0x760 at addr ffffffffa1fb4378
Read of size 4 by task swapper/0/1
Address belongs to variable hsw_blt_cmds+0xb8/0xe0
CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.2.0-rc6-firewall+ #4
 0000000000000002 ffff8801d6baf478 ffffffffa1c0b4fb 0000000000000032
 ffff8801d6baf510 ffff8801d6baf4f8 ffffffffa123198f 0000000000000010
 ffffed0000000000 0000000000000246 fffffbfff43f686e 6666662000000003
Call Trace:
 [] dump_stack+0x4f/0x7b
 [] kasan_report_error+0x3bf/0x3f0
 [] kasan_report+0x3b/0x40
 [] ? i915_cmd_parser_init_ring+0x6fb/0x760
 [] __asan_load4+0x66/0xa0
 [] i915_cmd_parser_init_ring+0x6fb/0x760
 [] intel_init_ring_buffer+0x449/0x680
 [] intel_init_blt_ring_buffer+0x38e/0x520
 [] i915_gem_init_rings+0x74/0x220
 [] i915_gem_init+0x1e2/0x320
 [] i915_driver_load+0x1571/0x2310
 [] ? debug_lockdep_rcu_enabled+0x4e/0x70
 [] ? __lock_acquire+0x97e/0x2710
 [] ? debug_smp_processor_id+0x17/0x20
 [] ? debug_show_all_locks+0x280/0x280
 [] ? __mutex_unlock_slowpath+0x11b/0x1e0
 [] ? trace_hardirqs_on_caller+0x192/0x2a0
 [] ? i915_getparam+0x390/0x390
 [] ? mark_held_locks+0xa4/0xd0
 [] ? _raw_spin_unlock_irqrestore+0x58/0x70
 [] ? trace_hardirqs_on_caller+0x192/0x2a0
 [] ? preempt_count_sub+0xc1/0x130
 [] ? _raw_spin_unlock_irqrestore+0x43/0x70
 [] drm_dev_register+0xd1/0x170
 [] drm_get_pci_dev+0xf1/0x350
 [] ? trace_hardirqs_on_caller+0x192/0x2a0
 [] i915_pci_probe+0x83/0xb0
 [] pci_device_probe+0xcf/0x130
 [] driver_probe_device+0x1e1/0x410
 [] ? driver_probe_device+0x410/0x410
 [] ? driver_probe_device+0x410/0x410
 [] __driver_attach+0xd6/0xe0
 [] bus_for_each_dev+0xf5/0x160
 [] ? bus_remove_file+0xa0/0xa0
 [] ? do_raw_spin_unlock+0xa4/0x140
 [] ? preempt_count_sub+0xc1/0x130
 [] driver_attach+0x30/0x40
 [] bus_add_driver+0x2b1/0x330
 [] driver_register+0xde/0x1b0
 [] __pci_register_driver+0xbc/0xd0
 [] drm_pci_init+0x1e7/0x210
 [] ? do_one_initcall+0x108/0x242
 [] ? do_one_initcall+0x108/0x242
 [] i915_init+0xdb/0xe3
 [] ? mipi_dsi_bus_init+0x12/0x12
 [] do_one_initcall+0x227/0x242
 [] ? start_kernel+0x4ed/0x4ed
 [] ? parse_args+0x5b/0x4f0
 [] kernel_init_freeable+0x290/0x321
 [] ? rest_init+0x150/0x150
 [] kernel_init+0x14/0x100
 [] ? rest_init+0x150/0x150
 [] ret_from_fork+0x3f/0x70
 [] ? rest_init+0x150/0x150
Memory state around the buggy address:
 ffffffffa1fb4200: fa fa fa fa 00 00 00 00 00 00 fa fa fa fa fa fa
 ffffffffa1fb4280: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
>ffffffffa1fb4300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
                                                                ^
 ffffffffa1fb4380: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffffa1fb4400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
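A way to triage a report like the ones above from the shadow dump alone, added here as an example and not part of Dave's mail or the i915 code: the script parses the "Memory state" lines quoted in the report and, for each faulting address, checks whether the 4-byte read is covered by its shadow byte and how far past the end of the preceding accessible object it lands. It assumes generic KASAN's x86-64 layout (one shadow byte per 8-byte granule; 00 fully accessible, 01..07 partially accessible, fa a global redzone) and nothing about the driver's structures.

```python
import re

# Shadow dump copied from the KASAN report above; the '^' marker line is not needed.
# Generic KASAN (x86-64): one shadow byte per 8-byte granule. 00 = all 8 bytes
# accessible, 01..07 = only that many leading bytes accessible, fa = global redzone.
SHADOW_DUMP = """
 ffffffffa1fb4200: fa fa fa fa 00 00 00 00 00 00 fa fa fa fa fa fa
 ffffffffa1fb4280: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
>ffffffffa1fb4300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
 ffffffffa1fb4380: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffffa1fb4400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""
GRANULE = 8
LINE_RE = re.compile(r"^>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2})+)$")

def parse_shadow(dump):
    """Map the base address of every 8-byte granule in the dump to its shadow byte."""
    shadow = {}
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # blank lines, or a '^' marker line if one is pasted in
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            shadow[base + i * GRANULE] = int(tok, 16)
    return shadow

def accessible_bytes(sb):
    """Accessible bytes in a granule with shadow value sb; any poison value gives 0."""
    return GRANULE if sb == 0 else (sb if 1 <= sb <= 7 else 0)

def classify(shadow, addr, size):
    """Check one access against the shadow and locate the object it lands after."""
    g = addr & ~(GRANULE - 1)
    in_bounds = (addr - g) + size <= accessible_bytes(shadow[g])
    last = g
    while last in shadow and accessible_bytes(shadow[last]) == 0:
        last -= GRANULE  # step back across the redzone to the preceding object
    if last not in shadow:
        return None  # that object lies outside the dumped window
    start = last
    while shadow.get(start - GRANULE) == 0:
        start -= GRANULE  # object start: first of its fully accessible granules
    end = last
    while shadow.get(end) == 0:
        end += GRANULE
    end += accessible_bytes(shadow.get(end, 0xFA))  # trailing partial granule, if any
    return {"shadow_byte": shadow[g], "in_bounds": in_bounds, "object_start": start,
            "object_size": end - start, "bytes_past_end": addr - end}
```

On this dump the two faulting addresses resolve to 4 and 8 bytes past the end of a 176-byte accessible region starting at ffffffffa1fb42c0, i.e. into the redzone KASAN placed after the global the report names.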