[Bug 110670] i965 miptree tiled_memcpy code uses MAP_RAW without error checks

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Mon May 13 10:53:02 UTC 2019


https://bugs.freedesktop.org/show_bug.cgi?id=110670

            Bug ID: 110670
           Summary: i965 miptree tiled_memcpy code uses MAP_RAW without
                    error checks
           Product: Mesa
           Version: git
          Hardware: All
                OS: Linux (All)
            Status: NEW
          Severity: normal
          Priority: medium
         Component: Drivers/DRI/i965
          Assignee: intel-3d-bugs at lists.freedesktop.org
          Reporter: anssi.hannula at bitwise.fi
        QA Contact: intel-3d-bugs at lists.freedesktop.org

Created attachment 144244
  --> https://bugs.freedesktop.org/attachment.cgi?id=144244&action=edit
Simple workaround/hack to avoid tiled_memcpy without MMAP_WC

The i965 miptree tiled_memcpy mode, added in
54c823ec790427acbea31212a6ed30a17bd25ff0 ("i965/miptree: Use cpu
tiling/detiling when mapping"), calls intel_miptree_map_raw(,,MAP_RAW) from
intel_miptree_map_tiled_memcpy() and intel_miptree_unmap_tiled_memcpy(), and
does not check the return value.

This causes invalid pointer dereferences if the call fails, causing a segfault.

In my case the call fails because pre-4.0 kernel versions do not support
I915_MMAP_WC so brw_bo_map_wc() fails (like in bug #110602), but I guess there
may be a number of other failure cases where the mmap request may fail.

The code in intel_miptree_map() should select another mapping mode if
tiled_memcpy mode is not possible due to missing I915_MMAP_WC. Attached is a
quick workaround that avoids the mapping mode in my case.

There seem to be several other non-checked intel_miptree_map_raw() calls in
intel_mipmap_tree.c (and several checked ones), but they do not add the MAP_RAW
flag so they did not fail for me. But maybe error checks should still be added
to those as well in case of other failure reasons?

This was observed on a ValleyView Gen7 (8086:0f31) with kernel 3.10.35 with the
attached small Qt program with Qt 5.11.2.

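The failure pattern described in the report, next to a checked variant that falls back to another mapping path, as an added example that is not part of the original report and is not Mesa code. All names (`mock_bo`, `mock_map_raw_wc`, `mock_map_fallback`, `copy_unchecked`, `copy_checked`) are hypothetical stand-ins, and `kernel_has_wc == 0` models a kernel without I915_MMAP_WC.

```c
/* Added illustration: mock types and functions, not Mesa's code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum map_mode { MODE_TILED_MEMCPY, MODE_FALLBACK, MODE_FAILED };

struct mock_bo {
    uint8_t *storage;   /* stands in for the buffer object's memory */
    size_t size;
    int kernel_has_wc;  /* 0 models a kernel without I915_MMAP_WC */
};

/* Stand-in for a raw WC mapping: NULL when the kernel lacks support. */
void *mock_map_raw_wc(struct mock_bo *bo)
{
    return bo->kernel_has_wc ? bo->storage : NULL;
}

/* Stand-in for a mapping path that does not depend on WC. */
void *mock_map_fallback(struct mock_bo *bo)
{
    return bo->storage;
}

/* Unchecked pattern: uses whatever the map call returned. With
 * kernel_has_wc == 0 this passes NULL to memcpy. For contrast only. */
void copy_unchecked(struct mock_bo *bo, uint8_t *dst, size_t n)
{
    memcpy(dst, mock_map_raw_wc(bo), n);
}

/* Checked pattern: validate the mapping, try another mode if it failed,
 * and report failure to the caller instead of using an invalid pointer. */
enum map_mode copy_checked(struct mock_bo *bo, uint8_t *dst, size_t n)
{
    enum map_mode mode = MODE_TILED_MEMCPY;
    void *src;

    if (dst == NULL || n > bo->size)
        return MODE_FAILED;
    src = mock_map_raw_wc(bo);
    if (src == NULL) {
        mode = MODE_FALLBACK;
        src = mock_map_fallback(bo);
    }
    if (src == NULL)
        return MODE_FAILED;
    memcpy(dst, src, n);
    return mode;
}
```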