[Intel-gfx] [PATCH] drm/i915: Fix out-of-bounds array access in bdw_load_gamma_lut
Lionel Landwerlin
lionel.g.landwerlin at intel.com
Mon Jul 24 10:04:03 UTC 2017
Reviewed-by: Lionel Landwerlin <lionel.g.landwerlin at intel.com>
On 24/07/17 10:14, Maarten Lankhorst wrote:
> bdw_load_gamma_lut is writing beyond the array to the maximum value.
s/writing/reading/ ?
> The intend of the function is to clamp values > 1 to 1, so write
s/intend/intent/
> the intended color to the max register.
>
> This fixes the following KASAN warning:
>
> [ 197.020857] [IGT] kms_pipe_color: executing
> [ 197.063434] [IGT] kms_pipe_color: starting subtest ctm-0-25-pipe0
> [ 197.078989] ==================================================================
> [ 197.079127] BUG: KASAN: slab-out-of-bounds in bdw_load_gamma_lut.isra.2+0x3b9/0x570 [i915]
> [ 197.079188] Read of size 2 at addr ffff8800d38db150 by task kms_pipe_color/1839
> [ 197.079208] CPU: 2 PID: 1839 Comm: kms_pipe_color Tainted: G U 4.13.0-rc1-patser+ #5211
> [ 197.079215] Hardware name: NUC5i7RYB, BIOS RYBDWi35.86A.0246.2015.0309.1355 03/09/2015
> [ 197.079220] Call Trace:
> [ 197.079230] dump_stack+0x68/0x9e
> [ 197.079239] print_address_description+0x6f/0x250
> [ 197.079251] kasan_report+0x216/0x370
> [ 197.079374] ? bdw_load_gamma_lut.isra.2+0x3b9/0x570 [i915]
> [ 197.079451] ? gen8_write16+0x4e0/0x4e0 [i915]
> [ 197.079460] __asan_report_load2_noabort+0x14/0x20
> [ 197.079535] bdw_load_gamma_lut.isra.2+0x3b9/0x570 [i915]
> [ 197.079612] broadwell_load_luts+0x1df/0x550 [i915]
> [ 197.079690] intel_color_load_luts+0x7b/0x80 [i915]
> [ 197.079764] intel_begin_crtc_commit+0x138/0x760 [i915]
> [ 197.079783] drm_atomic_helper_commit_planes_on_crtc+0x1a3/0x820 [drm_kms_helper]
> [ 197.079859] ? intel_pre_plane_update+0x571/0x580 [i915]
> [ 197.079937] intel_update_crtc+0x238/0x330 [i915]
> [ 197.080016] intel_update_crtcs+0x10f/0x210 [i915]
> [ 197.080092] intel_atomic_commit_tail+0x1552/0x3340 [i915]
> [ 197.080101] ? _raw_spin_unlock+0x3c/0x40
> [ 197.080110] ? __queue_work+0xb40/0xbf0
> [ 197.080188] ? skl_update_crtcs+0xc00/0xc00 [i915]
> [ 197.080195] ? trace_hardirqs_on+0xd/0x10
> [ 197.080269] ? intel_atomic_commit_ready+0x128/0x13c [i915]
> [ 197.080329] ? __i915_sw_fence_complete+0x5b8/0x6d0 [i915]
> [ 197.080336] ? debug_object_activate+0x39e/0x580
> [ 197.080397] ? i915_sw_fence_await+0x30/0x30 [i915]
> [ 197.080409] ? __might_sleep+0x15b/0x180
> [ 197.080483] intel_atomic_commit+0x944/0xa70 [i915]
> [ 197.080490] ? refcount_dec_and_test+0x11/0x20
> [ 197.080567] ? intel_atomic_commit_tail+0x3340/0x3340 [i915]
> [ 197.080597] ? drm_atomic_crtc_set_property+0x303/0x580 [drm]
> [ 197.080674] ? intel_atomic_commit_tail+0x3340/0x3340 [i915]
> [ 197.080704] drm_atomic_commit+0xd7/0xe0 [drm]
> [ 197.080722] drm_atomic_helper_crtc_set_property+0xec/0x130 [drm_kms_helper]
> [ 197.080749] drm_mode_crtc_set_obj_prop+0x7d/0xb0 [drm]
> [ 197.080775] drm_mode_obj_set_property_ioctl+0x50b/0x5d0 [drm]
> [ 197.080783] ? __might_fault+0x104/0x180
> [ 197.080809] ? drm_mode_obj_find_prop_id+0x160/0x160 [drm]
> [ 197.080838] ? drm_mode_obj_find_prop_id+0x160/0x160 [drm]
> [ 197.080861] drm_ioctl_kernel+0x154/0x1a0 [drm]
> [ 197.080885] drm_ioctl+0x624/0x8f0 [drm]
> [ 197.080910] ? drm_mode_obj_find_prop_id+0x160/0x160 [drm]
> [ 197.080934] ? drm_getunique+0x210/0x210 [drm]
> [ 197.080943] ? __handle_mm_fault+0x1bd0/0x1ce0
> [ 197.080949] ? lock_downgrade+0x610/0x610
> [ 197.080957] ? __lru_cache_add+0x15a/0x180
> [ 197.080967] do_vfs_ioctl+0xd92/0xe40
> [ 197.080975] ? ioctl_preallocate+0x1b0/0x1b0
> [ 197.080982] ? selinux_capable+0x20/0x20
> [ 197.080991] ? __do_page_fault+0x7b7/0x9a0
> [ 197.080997] ? lock_downgrade+0x5bb/0x610
> [ 197.081007] ? security_file_ioctl+0x57/0x90
> [ 197.081016] SyS_ioctl+0x4e/0x80
> [ 197.081024] entry_SYSCALL_64_fastpath+0x18/0xad
> [ 197.081030] RIP: 0033:0x7f61f287a987
> [ 197.081035] RSP: 002b:00007fff7d44d188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> [ 197.081043] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f61f287a987
> [ 197.081048] RDX: 00007fff7d44d1c0 RSI: 00000000c01864ba RDI: 0000000000000003
> [ 197.081053] RBP: 00007f61f2b3eb00 R08: 0000000000000059 R09: 0000000000000000
> [ 197.081058] R10: 0000002ea5c4a290 R11: 0000000000000246 R12: 00007f61f2b3eb58
> [ 197.081063] R13: 0000000000001010 R14: 00007f61f2b3eb58 R15: 0000000000002702
>
> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=101659
> Signed-off-by: Maarten Lankhorst <maarten.lankhorst at linux.intel.com>
> Reported-by: Martin Peres <martin.peres at linux.intel.com>
> Cc: Martin Peres <martin.peres at linux.intel.com>
> Fixes: 82cf435b3134 ("drm/i915: Implement color management on bdw/skl/bxt/kbl")
> Cc: Shashank Sharma <shashank.sharma at intel.com>
> Cc: Kiran S Kumar <kiran.s.kumar at intel.com>
> Cc: Kausal Malladi <kausalmalladi at gmail.com>
> Cc: Lionel Landwerlin <lionel.g.landwerlin at intel.com>
> Cc: Matt Roper <matthew.d.roper at intel.com>
> Cc: Daniel Vetter <daniel.vetter at intel.com>
> Cc: Jani Nikula <jani.nikula at linux.intel.com>
> Cc: intel-gfx at lists.freedesktop.org
> Cc: <stable at vger.kernel.org> # v4.7+
> ---
> drivers/gpu/drm/i915/intel_color.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/gpu/drm/i915/intel_color.c b/drivers/gpu/drm/i915/intel_color.c
> index f85d57555957..1813d84989c9 100644
> --- a/drivers/gpu/drm/i915/intel_color.c
> +++ b/drivers/gpu/drm/i915/intel_color.c
> @@ -398,6 +398,7 @@ static void bdw_load_gamma_lut(struct drm_crtc_state *state, u32 offset)
> }
>
> /* Program the max register to clamp values > 1.0. */
> + i = lut_size - 1;
> I915_WRITE(PREC_PAL_GC_MAX(pipe, 0),
> drm_color_lut_extract(lut[i].red, 16));
> I915_WRITE(PREC_PAL_GC_MAX(pipe, 1),
More information about the Intel-gfx
mailing list