[PATCH v2] drm/xe: Fix out-of-bounds field write in MI_STORE_DATA_IMM
Lucas De Marchi
lucas.demarchi at intel.com
Wed Jun 11 20:10:19 UTC 2025
On Wed, Jun 11, 2025 at 09:17:56AM +0000, Lin, Shuicheng wrote:
>Hi maintainers:
>Just to avoid this patch be missed, could you please help review and merge it?
>Thanks.
>
>Best Regards
>Shuicheng
>
>On Wed, May 28, 2025 2:26 AM Brost, Matthew wrote:
>> On Tue, May 27, 2025 at 04:30:50PM +0000, Jia Yao wrote:
>> > According to Bspec, bits 0~9 of MI_STORE_DATA_IMM must not exceed 0x3FE.
>> > The macro MI_SDI_NUM_QW(x) evaluates to 2 * x + 1, which means the
>> > condition 2 * x + 1 <= 0x3FE must be satisfied. Therefore, the maximum
>> > valid value for x is 0x1FE, not 0x1FF.
>> >
>> > v2
>> > - Replace 0x1fe with macro MAX_PTE_PER_SDI (Auld, Matthew &
>> > Patelczyk, Maciej)
it seems some replaces were missed. See below.
>> >
>> > Bspec: 60246
>> >
>> > Fixes: 9c44fd5f6e8a ("drm/xe: Add migrate layer functions for SVM
>> > support")
>> > Cc: Matthew Brost <matthew.brost at intel.com>
>>
>> Thanks for the fix:
>> Reviewed-by: Matthew Brost <matthew.brost at intel.com>
>>
>> > Cc: Brian3 Nguyen <brian3.nguyen at intel.com>
>> > Cc: Alex Zuo <alex.zuo at intel.com>
>> > Cc: Matthew Auld <matthew.auld at intel.com>
>> > Cc: Maciej Patelczyk <maciej.patelczyk at intel.com>
>> > Suggested-by: Shuicheng Lin <shuicheng.lin at intel.com>
>> > Signed-off-by: Jia Yao <jia.yao at intel.com>
>> > ---
>> > drivers/gpu/drm/xe/xe_migrate.c | 8 ++++----
>> > 1 file changed, 4 insertions(+), 4 deletions(-)
>> >
>> > diff --git a/drivers/gpu/drm/xe/xe_migrate.c
>> > b/drivers/gpu/drm/xe/xe_migrate.c index 8f8e9fdfb2a8..1ede50780a14
>> > 100644
>> > --- a/drivers/gpu/drm/xe/xe_migrate.c
>> > +++ b/drivers/gpu/drm/xe/xe_migrate.c
>> > @@ -1555,13 +1555,13 @@ static u32 pte_update_cmd_size(u64 size)
>> > XE_WARN_ON(size > MAX_PREEMPTDISABLE_TRANSFER);
>> > /*
>> > * MI_STORE_DATA_IMM command is used to update page table. Each
>> > - * instruction can update maximumly 0x1ff pte entries. To update
>> > - * n (n <= 0x1ff) pte entries, we need:
>> > + * instruction can update maximumly 0x1fe pte entries. To update
^ here
>> > + * n (n <= 0x1fe) pte entries, we need:
^ and here
>> > * 1 dword for the MI_STORE_DATA_IMM command header (opcode etc)
>> > * 2 dword for the page table's physical location
>> > * 2*n dword for value of pte to fill (each pte entry is 2 dwords)
>> > */
>> > - num_dword = (1 + 2) * DIV_U64_ROUND_UP(entries, 0x1ff);
>> > + num_dword = (1 + 2) * DIV_U64_ROUND_UP(entries,
>> MAX_PTE_PER_SDI);
>> > num_dword += entries * 2;
>> >
>> > return num_dword;
>> > @@ -1577,7 +1577,7 @@ static void build_pt_update_batch_sram(struct
>> > xe_migrate *m,
>> >
>> > ptes = DIV_ROUND_UP(size, XE_PAGE_SIZE);
>> > while (ptes) {
>> > - u32 chunk = min(0x1ffU, ptes);
>> > + u32 chunk = min(MAX_PTE_PER_SDI, ptes);
and first arg would not be unsigned anymore. Maybe also change the
define to add the u suffix?
Lucas De Marchi
>> >
>> > bb->cs[bb->len++] = MI_STORE_DATA_IMM |
>> MI_SDI_NUM_QW(chunk);
>> > bb->cs[bb->len++] = pt_offset;
>> > --
>> > 2.34.1
>> >
More information about the Intel-xe
mailing list