[Intel-gfx] [PATCH] drm/i915: fix out-of-bounds page_table access
Matthew Auld
matthew.auld at intel.com
Fri Jun 24 16:04:46 UTC 2016

The gen6_for_all_pdes macro does the upper-bound evaluation after
accessing the page_table array, hence on the final iteration we end up
hitting an out-of-bounds error:

[ 1023.831657] UBSAN: Undefined behaviour in drivers/gpu/drm/i915/i915_gem_gtt.c:1993:2
[ 1023.831680] index 512 is out of range for type 'i915_page_table *[512]'
[ 1023.831696] CPU: 0 PID: 4833 Comm: rmmod Tainted: G U 4.7.0-rc4-drm-intel-debug+ #5
[ 1023.831698] Hardware name: ASUS All Series/Z87-K, BIOS 1202 05/13/2014
[ 1023.831700] 0000000000000200 00000000adfe9733 ffff8801a3917988 ffffffff818cc0a4
[ 1023.831705] 0000000041b58ab3 ffffffff8275ca08 ffffffff818cbff2 ffff8801a39179b0
[ 1023.831708] ffff8801a3917960 0000000000000200 1ffffffff4365b17 0000000000000001
[ 1023.831711] Call Trace:
[ 1023.831717] [<ffffffff818cc0a4>] dump_stack+0xb2/0x10e
[ 1023.831721] [<ffffffff818cbff2>] ? _atomic_dec_and_lock+0x152/0x152
[ 1023.831726] [<ffffffff81952b0b>] ubsan_epilogue+0xd/0x4e
[ 1023.831730] [<ffffffff8195373d>] __ubsan_handle_out_of_bounds+0x107/0x14d
[ 1023.831733] [<ffffffff81953636>] ? __ubsan_handle_shift_out_of_bounds+0x24c/0x24c
[ 1023.831737] [<ffffffff814bfde6>] ? kfree+0x246/0x3f0
[ 1023.831801] [<ffffffffa183bff8>] gen6_ppgtt_cleanup+0x128/0x130 [i915]

Cc: Chris Wilson <chris at chris-wilson.co.uk>
Signed-off-by: Matthew Auld <matthew.auld at intel.com>
---
drivers/gpu/drm/i915/i915_gem_gtt.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.h b/drivers/gpu/drm/i915/i915_gem_gtt.h
index 163b564..9e5228d 100644
--- a/drivers/gpu/drm/i915/i915_gem_gtt.h
+++ b/drivers/gpu/drm/i915/i915_gem_gtt.h
@@ -409,7 +409,7 @@ struct i915_hw_ppgtt {
#define gen6_for_all_pdes(pt, ppgtt, iter) \
for (iter = 0; \
- pt = ppgtt->pd.page_table[iter], iter < I915_PDES; \
+ iter < I915_PDES ? (pt = ppgtt->pd.page_table[iter]), 1 : 0; \
iter++)
static inline uint32_t i915_pte_index(uint64_t address, uint32_t pde_shift)
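
Review bot: The new loop condition on the `+` line, `iter < I915_PDES ? (pt = ppgtt->pd.page_table[iter]), 1 : 0`, is correct only because the whole comma expression parses as the middle operand of `?:`, and that is easy to misread. Consider `iter < I915_PDES && ((pt = ppgtt->pd.page_table[iter]), 1)`, or at least wrap the assignment and the `1` in one extra pair of parentheses. A one-line comment above `gen6_for_all_pdes` saying the bound check must come before the page_table read would help stop the order being swapped back later. The macro arguments `pt`, `ppgtt` and `iter` are also expanded unparenthesized, which is worth tightening while this line is being touched.
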
--
2.7.4
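
The evaluation order described in the commit message, modelled in user space as an added example (not part of the patch or the i915 driver). `pd_model`, `pd_lookup`, `walk` and `N_PDES` are hypothetical names, and the lookup is instrumented so the model records which index each macro asks for without itself reading past the array.

```c
#include <stddef.h>
#include <stdio.h>

#define N_PDES 512 /* stands in for I915_PDES; 512 is the array size in the UBSAN report */
struct pd_model {
    int *page_table[N_PDES];
    size_t max_index_read; /* highest index any lookup asked for */
};

/* Instrumented lookup (hypothetical helper): records the requested index and
 * never dereferences past the array, so the model itself stays in bounds. */
static int *pd_lookup(struct pd_model *pd, size_t i)
{
    if (i > pd->max_index_read) pd->max_index_read = i;
    return i < N_PDES ? pd->page_table[i] : NULL;
}

/* Pre-patch shape: lookup first, bound check second. */
#define for_all_pdes_old(pt, pd, iter) \
    for (iter = 0; pt = pd_lookup(pd, iter), iter < N_PDES; iter++)
/* Post-patch shape: bound check first, lookup only if it passes. */
#define for_all_pdes_new(pt, pd, iter) \
    for (iter = 0; iter < N_PDES ? (pt = pd_lookup(pd, iter)), 1 : 0; iter++)

/* Returns the highest index requested; *visited counts bodies that saw the right entry. */
size_t walk(int patched, size_t *visited)
{
    static int backing[N_PDES]; /* constructed sample entries */
    struct pd_model pd = { .max_index_read = 0 };
    int *pt;
    size_t iter;
    for (iter = 0; iter < N_PDES; iter++)
        pd.page_table[iter] = &backing[iter];
    *visited = 0;
    if (patched) {
        for_all_pdes_new(pt, &pd, iter)
            *visited += (pt == &backing[iter]);
    } else {
        for_all_pdes_old(pt, &pd, iter)
            *visited += (pt == &backing[iter]);
    }
    return pd.max_index_read;
}

int main(void)
{
    size_t v, before = walk(0, &v), after = walk(1, &v);
    printf("highest index read: old=%zu new=%zu\n", before, after);
}
```

Both shapes run the loop body for the same 512 entries; only the pre-patch shape issues the extra lookup at index 512 that UBSAN flagged.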