[PATCH] drm/xe: Fix out-of-bounds field write in MI_STORE_DATA_IMM

Maciej Patelczyk maciej.patelczyk at intel.com
Tue May 27 14:00:35 UTC 2025


On 27.05.2025 15:07, Maciej Patelczyk wrote:
> On 23.05.2025 17:04, Jia Yao wrote:
>
>> According to Bspec, bits 0~9 of MI_STORE_DATA_IMM must not exceed 0x3FE.
>> The macro MI_SDI_NUM_QW(x) evaluates to 2 * x + 1, which means the
>> condition 2 * x + 1 <= 0x3FE must be satisfied. Therefore, the maximum
>> valid value for x is 0x1FE, not 0x1FF.
>>
>> Bspec: 60246
>>
>> Fixes: 9c44fd5f6e8a ("drm/xe: Add migrate layer functions for SVM support")
>> Cc: Matthew Brost <matthew.brost at intel.com>
>> Cc: Brian3 Nguyen <brian3.nguyen at intel.com>
>> Cc: Alex Zuo <alex.zuo at intel.com>
>> Suggested-by: Shuicheng Lin <shuicheng.lin at intel.com>
>> Signed-off-by: Jia Yao <jia.yao at intel.com>
>> ---
>>   drivers/gpu/drm/xe/xe_migrate.c | 8 ++++----
>>   1 file changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/xe/xe_migrate.c 
>> b/drivers/gpu/drm/xe/xe_migrate.c
>> index 8f8e9fdfb2a8..be8f05574850 100644
>> --- a/drivers/gpu/drm/xe/xe_migrate.c
>> +++ b/drivers/gpu/drm/xe/xe_migrate.c
>> @@ -1555,13 +1555,13 @@ static u32 pte_update_cmd_size(u64 size)
>>       XE_WARN_ON(size > MAX_PREEMPTDISABLE_TRANSFER);
>>       /*
>>        * MI_STORE_DATA_IMM command is used to update page table. Each
>> -     * instruction can update maximumly 0x1ff pte entries. To update
>> -     * n (n <= 0x1ff) pte entries, we need:
>> +     * instruction can update maximumly 0x1fe pte entries. To update
>> +     * n (n <= 0x1fe) pte entries, we need:
>>        * 1 dword for the MI_STORE_DATA_IMM command header (opcode etc)
>>        * 2 dword for the page table's physical location
>>        * 2*n dword for value of pte to fill (each pte entry is 2 dwords)
>>        */
>> -    num_dword = (1 + 2) * DIV_U64_ROUND_UP(entries, 0x1ff);
>> +    num_dword = (1 + 2) * DIV_U64_ROUND_UP(entries, 0x1fe);
>>       num_dword += entries * 2;
>>         return num_dword;
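
Review bot: The comment and the divisor in DIV_U64_ROUND_UP(entries, 0x1fe) both carry the limit as a bare literal, and the comment does not say where 0x1fe comes from. State the constraint from the commit message in the comment (MI_SDI_NUM_QW(n) is 2 * n + 1 and must not exceed 0x3FE, so n <= 0x1fe) and replace the literal with a named constant; the reply further down points out that xe_migrate.c already has MAX_PTE_PER_SDI for the same MI_STORE_DATA_IMM context. As written, a later reader has no way to tell why 0x1fe is right and the 0x1ff it replaces was wrong.
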
>> @@ -1577,7 +1577,7 @@ static void build_pt_update_batch_sram(struct 
>> xe_migrate *m,
>>         ptes = DIV_ROUND_UP(size, XE_PAGE_SIZE);
>>       while (ptes) {
>> -        u32 chunk = min(0x1ffU, ptes);
>> +        u32 chunk = min(0x1feU, ptes);
>>             bb->cs[bb->len++] = MI_STORE_DATA_IMM | 
>> MI_SDI_NUM_QW(chunk);
>>           bb->cs[bb->len++] = pt_offset;
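
Review bot: min(0x1feU, ptes) repeats the per-command limit that pte_update_cmd_size() uses as its divisor, so the dword count computed there and the number of command headers emitted by this loop only agree as long as two separate literals are edited together. Use one shared define for both sites (MAX_PTE_PER_SDI, as suggested in the reply, provided its value matches), and consider a build-time check that 2 * limit + 1 stays at or below 0x3FE so a later change to the limit cannot push MI_SDI_NUM_QW(chunk) past the documented maximum again.
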
>
> In xe_migrate.c there is MAX_PTE_PER_SDI with proper value and used in 
> similar MI_STORE_DATA_IMM context.
>
> Even the comment for MAX_PTE_PER_SDI is similar to the one above.
>
> I would suggest to use this define here.
>
>
> Fixes my issue with xe_eudebug basic-vm-access test therefore for now
>
> Tested-by: Maciej Patelczyk <maciej.patelczyk at intel.com>
>
>
Pity, but after all it does not solve my issue.

Sorry, withdrawing my Tested-by.

Maciej


