drm/i915: fix typo causing bad memory access in ring init
diff mbox

Message ID 1439518384-20691-1-git-send-email-airlied@gmail.com
State New
Headers show

Commit Message

Dave Airlie Aug. 14, 2015, 2:13 a.m. UTC
From: Dave Airlie <airlied@redhat.com>

This is validating from the wrong index.

testing with KASAN found it.

Reported-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Dave Airlie <airlied@redhat.com>
---
 drivers/gpu/drm/i915/i915_cmd_parser.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Chris Wilson Aug. 14, 2015, 7:40 a.m. UTC | #1
On Fri, Aug 14, 2015 at 12:13:04PM +1000, Dave Airlie wrote:
> From: Dave Airlie <airlied@redhat.com>
> 
> This is validating from the wrong index.
> 
> testing with KASAN found it.
> 
> Reported-by: Dave Jones <davej@codemonkey.org.uk>
> Signed-off-by: Dave Airlie <airlied@redhat.com>
> ---
>  drivers/gpu/drm/i915/i915_cmd_parser.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/i915/i915_cmd_parser.c b/drivers/gpu/drm/i915/i915_cmd_parser.c
> index 61ae8ff..59f85e2 100644
> --- a/drivers/gpu/drm/i915/i915_cmd_parser.c
> +++ b/drivers/gpu/drm/i915/i915_cmd_parser.c
> @@ -534,7 +534,7 @@ static bool validate_cmds_sorted(struct intel_engine_cs *ring,
>  
>  		for (j = 0; j < table->count; j++) {
>  			const struct drm_i915_cmd_descriptor *desc =
> -				&table->table[i];
> +				&table->table[j];
>  			u32 curr = desc->cmd.value & desc->cmd.mask;

Which uncovered another problem that the tables weren't sorted and
triggered a nasty BUG().

Daniel should have already sent the pair of fixes onwards.
-Chris
Daniel Vetter Aug. 14, 2015, 8:07 a.m. UTC | #2
On Fri, Aug 14, 2015 at 08:40:47AM +0100, Chris Wilson wrote:
> On Fri, Aug 14, 2015 at 12:13:04PM +1000, Dave Airlie wrote:
> > From: Dave Airlie <airlied@redhat.com>
> > 
> > This is validating from the wrong index.
> > 
> > testing with KASAN found it.
> > 
> > Reported-by: Dave Jones <davej@codemonkey.org.uk>
> > Signed-off-by: Dave Airlie <airlied@redhat.com>
> > ---
> >  drivers/gpu/drm/i915/i915_cmd_parser.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/drivers/gpu/drm/i915/i915_cmd_parser.c b/drivers/gpu/drm/i915/i915_cmd_parser.c
> > index 61ae8ff..59f85e2 100644
> > --- a/drivers/gpu/drm/i915/i915_cmd_parser.c
> > +++ b/drivers/gpu/drm/i915/i915_cmd_parser.c
> > @@ -534,7 +534,7 @@ static bool validate_cmds_sorted(struct intel_engine_cs *ring,
> >  
> >  		for (j = 0; j < table->count; j++) {
> >  			const struct drm_i915_cmd_descriptor *desc =
> > -				&table->table[i];
> > +				&table->table[j];
> >  			u32 curr = desc->cmd.value & desc->cmd.mask;
> 
> Which uncovered another problem that the tables weren't sorted and
> triggered a nasty BUG().
> 
> Daniel should have already sent the pair of fixes onwards.

Yeah if you want this fixed asap you need 9f58582c7ad64f025e7f and
8453580cb8834dedffda from next for other it'll BUG.
-Daniel

Patch
diff mbox

diff --git a/drivers/gpu/drm/i915/i915_cmd_parser.c b/drivers/gpu/drm/i915/i915_cmd_parser.c
index 61ae8ff..59f85e2 100644
--- a/drivers/gpu/drm/i915/i915_cmd_parser.c
+++ b/drivers/gpu/drm/i915/i915_cmd_parser.c
@@ -534,7 +534,7 @@  static bool validate_cmds_sorted(struct intel_engine_cs *ring,
 
 		for (j = 0; j < table->count; j++) {
 			const struct drm_i915_cmd_descriptor *desc =
-				&table->table[i];
+				&table->table[j];
 			u32 curr = desc->cmd.value & desc->cmd.mask;
 
 			if (curr < previous) {