[PATCH] drm/nouveau: Fix out-of-bounds access when deferencing MMU type
Christian König
ckoenig.leichtzumerken at gmail.com
Fri Nov 13 08:01:18 UTC 2020
Am 12.11.20 um 15:20 schrieb Ruhl, Michael J:
>> -----Original Message-----
>> From: Ben Skeggs <skeggsb at gmail.com>
>> Sent: Wednesday, November 11, 2020 9:39 PM
>> To: Ruhl, Michael J <michael.j.ruhl at intel.com>
>> Cc: Thomas Zimmermann <tzimmermann at suse.de>; bskeggs at redhat.com;
>> airlied at linux.ie; daniel at ffwll.ch; christian.koenig at amd.com; amd-
>> gfx at lists.freedesktop.org; nouveau at lists.freedesktop.org; dri-
>> devel at lists.freedesktop.org; virtualization at lists.linux-foundation.org; Roland
>> Scheidegger <sroland at vmware.com>; Jason Gunthorpe <jgg at ziepe.ca>;
>> Huang Rui <ray.huang at amd.com>; VMware Graphics <linux-graphics-
>> maintainer at vmware.com>; Gerd Hoffmann <kraxel at redhat.com>; spice-
>> devel at lists.freedesktop.org; Alex Deucher <alexander.deucher at amd.com>;
>> Dave Airlie <airlied at redhat.com>; Likun Gao <Likun.Gao at amd.com>; Felix
>> Kuehling <Felix.Kuehling at amd.com>; Hawking Zhang
>> <Hawking.Zhang at amd.com>
>> Subject: Re: [PATCH] drm/nouveau: Fix out-of-bounds access when
>> deferencing MMU type
>>
>> On Thu, 12 Nov 2020 at 02:27, Ruhl, Michael J <michael.j.ruhl at intel.com>
>> wrote:
>>>> -----Original Message-----
>>>> From: Thomas Zimmermann <tzimmermann at suse.de>
>>>> Sent: Wednesday, November 11, 2020 7:08 AM
>>>> To: Ruhl, Michael J <michael.j.ruhl at intel.com>; bskeggs at redhat.com;
>>>> airlied at linux.ie; daniel at ffwll.ch; christian.koenig at amd.com
>>>> Cc: nouveau at lists.freedesktop.org; dri-devel at lists.freedesktop.org;
>>>> Maarten Lankhorst <maarten.lankhorst at linux.intel.com>; Maxime Ripard
>>>> <mripard at kernel.org>; Dave Airlie <airlied at redhat.com>; Gerd Hoffmann
>>>> <kraxel at redhat.com>; Alex Deucher <alexander.deucher at amd.com>;
>>>> VMware Graphics <linux-graphics-maintainer at vmware.com>; Roland
>>>> Scheidegger <sroland at vmware.com>; Huang Rui <ray.huang at amd.com>;
>>>> Felix Kuehling <Felix.Kuehling at amd.com>; Hawking Zhang
>>>> <Hawking.Zhang at amd.com>; Jason Gunthorpe <jgg at ziepe.ca>; Likun
>> Gao
>>>> <Likun.Gao at amd.com>; virtualization at lists.linux-foundation.org; spice-
>>>> devel at lists.freedesktop.org; amd-gfx at lists.freedesktop.org
>>>> Subject: Re: [PATCH] drm/nouveau: Fix out-of-bounds access when
>>>> deferencing MMU type
>>>>
>>>> Hi
>>>>
>>>> Am 10.11.20 um 16:27 schrieb Ruhl, Michael J:
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Thomas Zimmermann <tzimmermann at suse.de>
>>>>>> Sent: Tuesday, November 10, 2020 8:37 AM
>>>>>> To: bskeggs at redhat.com; airlied at linux.ie; daniel at ffwll.ch; Ruhl,
>> Michael J
>>>>>> <michael.j.ruhl at intel.com>; christian.koenig at amd.com
>>>>>> Cc: nouveau at lists.freedesktop.org; dri-devel at lists.freedesktop.org;
>>>> Thomas
>>>>>> Zimmermann <tzimmermann at suse.de>; Maarten Lankhorst
>>>>>> <maarten.lankhorst at linux.intel.com>; Maxime Ripard
>>>>>> <mripard at kernel.org>; Dave Airlie <airlied at redhat.com>; Gerd
>> Hoffmann
>>>>>> <kraxel at redhat.com>; Alex Deucher <alexander.deucher at amd.com>;
>>>>>> VMware Graphics <linux-graphics-maintainer at vmware.com>; Roland
>>>>>> Scheidegger <sroland at vmware.com>; Huang Rui
>> <ray.huang at amd.com>;
>>>>>> Felix Kuehling <Felix.Kuehling at amd.com>; Hawking Zhang
>>>>>> <Hawking.Zhang at amd.com>; Jason Gunthorpe <jgg at ziepe.ca>; Likun
>>>> Gao
>>>>>> <Likun.Gao at amd.com>; virtualization at lists.linux-foundation.org;
>> spice-
>>>>>> devel at lists.freedesktop.org; amd-gfx at lists.freedesktop.org
>>>>>> Subject: [PATCH] drm/nouveau: Fix out-of-bounds access when
>>>> deferencing
>>>>>> MMU type
>>>>>>
>>>>>> The value of struct drm_device.ttm.type_vram can become -1 for
>>>> unknown
>>>>>> types of memory (see nouveau_ttm_init()). This leads to an out-of-
>> bounds
>>>>>> error when accessing struct nvif_mmu.type[]:
>>>>> Would this make more sense to just set the type_vram = 0 instead of -1?
>>> >From what I understand, these indices refer to an internal type of MMU,
>>>> rsp the MMU's capabilities. However, my hardware (pre-NV50) does not
>>>> have an MMU at all.
>>> Yeah, and upon further review I see that my comment was completely
>> wrong
>>> (value vs. index).
>>>
>>> A better suggestion would have been, create an entry in the array that
>> means,
>>> "unsupported type" with a value of 0, but...
>>>
>>>> I agree that it would be nice to have a cleaner design that incorporates
>>>> this case, but resolving that would apparently require more than a bugfix.
>>> I agree. The -1 index is a special case for the platform path
>>> (platform != NV_DEVICE_INFO_V0_SOC). This is a fix for the issue, but not
>>> a complete solution.
>>>
>>> If you need it:
>>> Reviewed-by: Michael J. Ruhl <michael.j.ruhl at intel.com>
>> I've put an alternate fix for this here[1], and will get it into
>> drm-fixes later today.
>>
>> Ben.
>>
>> [1]
>> https://github.com/skeggsb/nouveau/commit/4590f7120c2f1f4aea9d8b93a2d
>> ae43b312d35ad
> This makes a lot of sense. I spent some time trying to reconcile the platform info
> that was not being used in this case, but didn't see the solution like this. This is
> pretty clean.
I was already wondering why the old code never hit that problem, but
this explains it properly and also fixes it up cleanly.
>
> If you would like:
>
> Reviewed-by: Michael J. Ruhl <michael.j.ruhl at intel.com>
Feel free to add an Reviewed-by: Christian König
<christian.koenig at amd.com> as well.
Regards,
Christian.
>
> For this solution as well.
>
> Mike
>
More information about the amd-gfx
mailing list