From: Chris Wilson
To: Hanno Böck
Cc: intel-gfx@lists.freedesktop.org
Date: Mon, 27 Jul 2015 09:59:45 +0100
Subject: Re: [Intel-gfx] Error in inner loop in validate_cmds_sorted / out of bounds issue
Message-ID: <20150727085945.GA7300@nuc-i3427.alporthouse.com>
In-Reply-To: <20150725185620.6c22c90a@pc1>
X-Patchwork-Submitter: Chris Wilson
X-Patchwork-Id: 6869871

On Sat, Jul 25, 2015 at 06:56:20PM -0700, Hanno Böck wrote:
> Hi,
>
> I was trying to track down an out of bounds read issue in the intel drm
> driver that got reported by kasan.
>
> It happens in the function validate_cmds_sorted (i915_cmd_parser.c),
> where there are two nested loops, this is the relevant code part:
>         for (i = 0; i < cmd_table_count; i++) {
>                 const struct drm_i915_cmd_table *table = &cmd_tables[i];
>                 u32 previous = 0;
>                 int j;
>
>                 for (j = 0; j < table->count; j++) {
>                         const struct drm_i915_cmd_descriptor *desc =
>                                 &table->table[i];
>
>
> Now that &table->table[i] should probably really be &table->table[j],
> because that's the counter variable of the inner loop. Otherwise it
> doesn't make any sense (the inner loop would just repeat doing the same
> thing multiple times).
> However if I try to change [i] to [j] here my system doesn't boot any
> more, I just get a black screen. So I assume this bug is somehow hiding
> another more severe bug.

The tables aren't sorted, that is worth fixing. This should get you
booting with minimal fuss if you care to track down the error.

diff --git a/drivers/gpu/drm/i915/i915_cmd_parser.c b/drivers/gpu/drm/i915/i915_cmd_parser.c index 430571b..688e814 100644 --- a/drivers/gpu/drm/i915/i915_cmd_parser.c +++ b/drivers/gpu/drm/i915/i915_cmd_parser.c @@ -672,6 +672,13 @@ static void fini_hash_table(struct intel_engine_cs *ring) } } +#define DRM_ERROR_ON(cond, fmt, ...) ({ \ + bool __cond = !!(cond); \ + if (unlikely(__cond)) \ + drm_err("assertion failed, %s: " fmt, #cond, ##__VA_ARGS__); \ + unlikely(__cond); \ +}) + /** * i915_cmd_parser_init_ring() - set cmd parser related fields for a ringbuffer * @ring: the ringbuffer to initialize @@ -751,11 +758,16 @@ int i915_cmd_parser_init_ring(struct intel_engine_cs *ring) default: DRM_ERROR("CMD: cmd_parser_init with unknown ring: %d\n", ring->id); - BUG(); + return -ENODEV; } - BUG_ON(!validate_cmds_sorted(ring, cmd_tables, cmd_table_count)); - BUG_ON(!validate_regs_sorted(ring)); + if (DRM_ERROR_ON(!validate_cmds_sorted(ring, cmd_tables, cmd_table_count), + "command parser table is not sorted - required for bisetion searching\n")) + return -ENODEV; + + if (DRM_ERROR_ON(!validate_regs_sorted(ring), + "register lists are not sorted - required for bisection searching\n")) + return -ENODEV; WARN_ON(!hash_empty(ring->cmd_hash));
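
Review bot: DRM_ERROR_ON() in the first hunk (@@ -672,6 +672,13 @@) has a generic DRM_-prefixed name but is defined privately in i915_cmd_parser.c, and it carries no comment saying that it evaluates to the truth value of cond, which is what lets the second hunk use it inside if (...). Give it a one-line comment and either a file-local name or a home beside the other DRM logging helpers. It also calls drm_err() directly while the default: case in the next hunk reports through DRM_ERROR(); using one reporting path in both places keeps the log output consistent.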
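
Review bot: Replacing BUG() and the two BUG_ON() checks with return -ENODEV in the second hunk (@@ -751,11 +758,16 @@) turns a fatal assertion into an error that the caller of i915_cmd_parser_init_ring() has to handle, and no caller is touched by this patch. Please confirm that every caller checks the return value and that a ring whose tables failed validate_cmds_sorted() or validate_regs_sorted() is not left in use with a partly initialised parser. The first message string misspells "bisection" as "bisetion". The patch also leaves validate_cmds_sorted() itself unchanged, so the table->table[i] index reported in this thread still needs the [j] fix for the check to mean anything.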
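
An added illustration of the index error discussed in this thread, not code from the driver or from either poster: a simplified sortedness check run once with the inner loop indexing `table[i]` as quoted in the report and once with `table[j]`. The struct names, the plain `value < previous` comparison and the sample tables are assumptions made for the example; the page quotes only the loop headers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the driver's descriptor and table types. */
struct cmd_desc  { uint32_t value; };
struct cmd_table { const struct cmd_desc *table; int count; };

/* Inner-loop index as quoted in the report: table[i] instead of table[j].
 * Only safe to run here because every sample table has more than i entries. */
static bool sorted_as_reported(const struct cmd_table *tabs, int n)
{
	for (int i = 0; i < n; i++) {
		uint32_t previous = 0;
		for (int j = 0; j < tabs[i].count; j++) {
			const struct cmd_desc *desc = &tabs[i].table[i];
			if (desc->value < previous)
				return false;
			previous = desc->value;
		}
	}
	return true;
}

/* Same check with the inner counter, so every entry is compared. */
static bool sorted_fixed(const struct cmd_table *tabs, int n)
{
	for (int i = 0; i < n; i++) {
		uint32_t previous = 0;
		for (int j = 0; j < tabs[i].count; j++) {
			const struct cmd_desc *desc = &tabs[i].table[j];
			if (desc->value < previous)
				return false;
			previous = desc->value;
		}
	}
	return true;
}

/* Constructed sample data: the second table is out of order. */
static const struct cmd_desc t0[] = { {0x10}, {0x20}, {0x30} };
static const struct cmd_desc t1[] = { {0x40}, {0x15}, {0x50} };
static const struct cmd_table sample[] = { { t0, 3 }, { t1, 3 } };

int main(void)
{
	printf("as reported: %d, fixed: %d\n", sorted_as_reported(sample, 2), sorted_fixed(sample, 2));
	return 0;
}
```

With the outer index, each table contributes a single entry compared against itself, so an unsorted table passes; a table with no more than `i` entries would instead be read past its end, which is the kind of access KASAN reports.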