amdgpu UBSAN warnings in 6.10.0-rc5

Jeff Layton jlayton at kernel.org
Sun Jun 30 12:31:21 UTC 2024 

I've been testing some vfs patches (multigrain timestamps) on my
personal desktop with a 6.10.0-rc5-ish kernel, and have hit a number of
warnings in the amdgpu driver, including a UBSAN warning that looks
like a potential array overrun:

[    8.772608] ------------[ cut here ]------------
[    8.772609] UBSAN: array-index-out-of-bounds in drivers/gpu/drm/amd/amdgpu/../display/dc/bios/bios_parser2.c:680:23
[    8.772612] index 8 is out of range for type 'atom_gpio_pin_assignment [8]'
[    8.772614] CPU: 13 PID: 508 Comm: (udev-worker) Not tainted 6.10.0-rc5-00292-gb3efd5c27332 #35
[    8.772616] Hardware name: Micro-Star International Co., Ltd. MS-7E27/PRO B650M-P (MS-7E27), BIOS 1.A0 06/07/2024
[    8.772618] Call Trace:
[    8.772620]  <TASK>
[    8.772621]  dump_stack_lvl+0x5d/0x80
[    8.772629]  ubsan_epilogue+0x5/0x30
[    8.772633]  __ubsan_handle_out_of_bounds.cold+0x46/0x4b
[    8.772636]  bios_parser_get_gpio_pin_info+0x11c/0x150 [amdgpu]
[    8.773016]  link_get_hpd_gpio+0x7e/0xd0 [amdgpu]
[    8.773205]  construct_phy+0x26d/0xd40 [amdgpu]
[    8.773355]  ? srso_alias_return_thunk+0x5/0xfbef5
[    8.773370]  ? link_create+0x210/0x250 [amdgpu]
[    8.773493]  ? srso_alias_return_thunk+0x5/0xfbef5
[    8.773495]  link_create+0x210/0x250 [amdgpu]
[    8.773610]  ? srso_alias_return_thunk+0x5/0xfbef5
[    8.773612]  create_links+0x151/0x530 [amdgpu]
[    8.773759]  dc_create+0x401/0x7b0 [amdgpu]
[    8.773883]  ? srso_alias_return_thunk+0x5/0xfbef5
[    8.773886]  amdgpu_dm_init.isra.0+0x32f/0x22d0 [amdgpu]
[    8.774045]  ? irq_work_queue+0x2d/0x50
[    8.774048]  ? srso_alias_return_thunk+0x5/0xfbef5
[    8.774050]  ? srso_alias_return_thunk+0x5/0xfbef5
[    8.774052]  ? vprintk_emit+0x176/0x2a0
[    8.774056]  ? dev_vprintk_emit+0x181/0x1b0
[    8.774063]  dm_hw_init+0x12/0x30 [amdgpu]
[    8.774187]  amdgpu_device_init.cold+0x1c43/0x1f90 [amdgpu]
[    8.774373]  amdgpu_driver_load_kms+0x19/0x70 [amdgpu]
[    8.774507]  amdgpu_pci_probe+0x1a7/0x4b0 [amdgpu]
[    8.774631]  local_pci_probe+0x42/0x90
[    8.774635]  pci_device_probe+0xc1/0x2a0
[    8.774638]  really_probe+0xdb/0x340
[    8.774642]  ? pm_runtime_barrier+0x54/0x90
[    8.774644]  ? __pfx___driver_attach+0x10/0x10
[    8.774646]  __driver_probe_device+0x78/0x110
[    8.774648]  driver_probe_device+0x1f/0xa0
[    8.774650]  __driver_attach+0xba/0x1c0
[    8.774652]  bus_for_each_dev+0x8c/0xe0
[    8.774655]  bus_add_driver+0x142/0x220
[    8.774657]  driver_register+0x72/0xd0
[    8.774660]  ? __pfx_amdgpu_init+0x10/0x10 [amdgpu]
[    8.774779]  do_one_initcall+0x58/0x310
[    8.774784]  do_init_module+0x90/0x250
[    8.774787]  init_module_from_file+0x86/0xc0
[    8.774791]  idempotent_init_module+0x121/0x2b0
[    8.774794]  __x64_sys_finit_module+0x5e/0xb0
[    8.774796]  do_syscall_64+0x82/0x160
[    8.774799]  ? __pfx_page_put_link+0x10/0x10
[    8.774804]  ? srso_alias_return_thunk+0x5/0xfbef5
[    8.774806]  ? do_sys_openat2+0x9c/0xe0
[    8.774809]  ? srso_alias_return_thunk+0x5/0xfbef5
[    8.774810]  ? syscall_exit_to_user_mode+0x72/0x220
[    8.774813]  ? srso_alias_return_thunk+0x5/0xfbef5
[    8.774815]  ? do_syscall_64+0x8e/0x160
[    8.774816]  ? srso_alias_return_thunk+0x5/0xfbef5
[    8.774818]  ? __seccomp_filter+0x303/0x520
[    8.774820]  ? srso_alias_return_thunk+0x5/0xfbef5
[    8.774824]  ? srso_alias_return_thunk+0x5/0xfbef5
[    8.774825]  ? syscall_exit_to_user_mode+0x72/0x220
[    8.774827]  ? srso_alias_return_thunk+0x5/0xfbef5
[    8.774829]  ? do_syscall_64+0x8e/0x160
[    8.774830]  ? do_syscall_64+0x8e/0x160
[    8.774831]  ? srso_alias_return_thunk+0x5/0xfbef5
[    8.774833]  ? srso_alias_return_thunk+0x5/0xfbef5
[    8.774835]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[    8.774837] RIP: 0033:0x7fa5f44391bd
[    8.774848] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 2b cc 0c 00 f7 d8 64 89 01 48
[    8.774850] RSP: 002b:00007fff5d55a5a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[    8.774852] RAX: ffffffffffffffda RBX: 0000555b3bfe6a50 RCX: 00007fa5f44391bd
[    8.774854] RDX: 0000000000000000 RSI: 00007fa5f455507d RDI: 000000000000002c
[    8.774855] RBP: 00007fff5d55a660 R08: 0000000000000001 R09: 00007fff5d55a5f0
[    8.774855] R10: 0000000000000050 R11: 0000000000000246 R12: 00007fa5f455507d
[    8.774856] R13: 0000000000020000 R14: 0000555b3bfebb30 R15: 0000555b3bff63d0
[    8.774859]  </TASK>
[    8.774864] ---[ end trace ]---


It looks like "count" probably needs to be clamped to
ARRAY_SIZE(header->gpio_pin) in bios_parser_get_gpio_pin_info ?

dmesg is attached. There are couple of other warnings in there too
after the UBSAN one, but this one looks the most worrisome.
-- 
Jeff Layton <jlayton at kernel.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: amd-warnings-dmesg.out.gz
Type: application/gzip
Size: 35260 bytes
Desc: not available
URL: <https://lists.freedesktop.org/archives/dri-devel/attachments/20240630/3667cf73/attachment-0001.gz>

More information about the dri-devel mailing list