[PATCH 2/4] umr: Fix ring-stream segmentation fault
Luben Tuikov
luben.tuikov at amd.com
Thu Mar 10 00:42:24 UTC 2022
Fix a segmentation fault when running --ring-stream for a ring and no
bounds are specified. For instance, "umr --ring-stream sdma0" on Sienna
Cichlid generates the following segmentation fault:
Core was generated by `umr --ring-stream sdma0'.
Program terminated with signal SIGSEGV, Segmentation fault.
0 umr_sdma_decode_ring (asic=0x86cff0, ringname=0x7ffe92844ae0 "sdma0", start=1484, stop=10000) at /home/ltuikov/proj/open/umr/src/lib/read_sdma_stream.c:68
68 lineardata[linearsize++] = ringdata[3 + start]; // first 3 words are rptr/wptr/dwptr
Missing separate debuginfos, use: dnf debuginfo-install SDL2-2.0.14-1.fc33.x86_64 glibc-2.32-10.fc33.x86_64 libedit-3.1-38.20210714cvs.fc33.x86_64 libffi-3.1-26.fc33.x86_64 libgcc-10.3.1-1.fc33.x86_64 libpciaccess-0.16-3.fc33.x86_64 libstdc++-10.3.1-1.fc33.x86_64 llvm-libs-11.0.0-1.fc33.x86_64 nanomsg-1.1.5-6.fc33.x86_64 ncurses-libs-6.2-3.20200222.fc33.x86_64 zlib-1.2.11-23.fc33.x86_64
(gdb) bt
0 umr_sdma_decode_ring (asic=0x86cff0, ringname=0x7ffe92844ae0 "sdma0", start=1484, stop=10000) at /home/ltuikov/proj/open/umr/src/lib/read_sdma_stream.c:68
1 0x0000000000473b71 in present_sdma (asic=0x86cff0, ringname=0x7ffe92844ae0 "sdma0", start=0, end=10000, vmid=4294967295, addr=139867074238864, nwords=0)
at /home/ltuikov/proj/open/umr/src/app/ring_stream_read.c:1214
2 0x00000000004740c9 in umr_read_ring_stream (asic=0x86cff0, ringpath=0x7ffe92847190 "sdma0") at /home/ltuikov/proj/open/umr/src/app/ring_stream_read.c:1325
3 0x0000000000457567 in main (argc=3, argv=0x7ffe92845268) at /home/ltuikov/proj/open/umr/src/app/main.c:473
(gdb) l
63
64 // copy ring data into linear array
65 lineardata = calloc(ringsize, sizeof(*lineardata));
66 linearsize = 0;
67 while (start != stop) {
68 lineardata[linearsize++] = ringdata[3 + start]; // first 3 words are rptr/wptr/dwptr
69 start = (start + 1) % ringsize;
70 }
71
72 ps = umr_sdma_decode_stream(asic, -1, 0, 0, lineardata, linearsize);
(gdb) p ringsize
$1 = 2048
(gdb) p linearsize
$2 = 30157
(gdb)
Where "linearsize" of 30157 is clearly out of bounds of "lineardata."
Cc: Alex Deucher <Alexander.Deucher at amd.com>
Cc: Tom StDenis <tom.stdenis at amd.com>
Signed-off-by: Luben Tuikov <luben.tuikov at amd.com>
---
src/lib/read_sdma_stream.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/src/lib/read_sdma_stream.c b/src/lib/read_sdma_stream.c
index 63c4fc284afa17..863d251ef64a63 100644
--- a/src/lib/read_sdma_stream.c
+++ b/src/lib/read_sdma_stream.c
@@ -63,11 +63,10 @@ struct umr_sdma_stream *umr_sdma_decode_ring(struct umr_asic *asic, char *ringna
// copy ring data into linear array
lineardata = calloc(ringsize, sizeof(*lineardata));
- linearsize = 0;
- while (start != stop) {
- lineardata[linearsize++] = ringdata[3 + start]; // first 3 words are rptr/wptr/dwptr
- start = (start + 1) % ringsize;
- }
+ for (linearsize = 0;
+ start != stop && linearsize < ringsize;
+ linearsize++, start = (start + 1) % ringsize)
+ lineardata[linearsize] = ringdata[3 + start]; // first 3 words are rptr/wptr/dwptr
ps = umr_sdma_decode_stream(asic, -1, 0, 0, lineardata, linearsize);
free(lineardata);
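Review bot: The added `linearsize < ringsize` bound in the for-loop condition stops the overrun but leaves its cause in place. With stop=10000 and ringsize=2048, as in the backtrace, `start` is reduced modulo ringsize on every step and can never equal `stop`, so the loop now always ends on the size bound and passes a full ringsize words to umr_sdma_decode_stream() regardless of the range that was asked for, with no indication that the copy was cut short. Consider validating `stop` against ringsize before the loop (rejecting or clamping an out-of-range value), or at least reporting when the loop exits with `start != stop`. Two smaller points on the same lines: the first `ringdata[3 + start]` read uses `start` before any modulo has been applied to it, so an out-of-range `start` on entry would still read past the ring, and the calloc() result on the context line above is written through without a NULL check.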
--
2.35.1.291.gdab1b7905d