From patchwork Fri Jun 24 16:04:46 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Matthew Auld <matthew.auld@intel.com>
X-Patchwork-Id: 9197867
Return-Path: <intel-gfx-bounces@lists.freedesktop.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	DF2F06075F for <patchwork-intel-gfx@patchwork.kernel.org>;
	Fri, 24 Jun 2016 16:04:51 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D09D428499
	for <patchwork-intel-gfx@patchwork.kernel.org>;
	Fri, 24 Jun 2016 16:04:51 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id C51FD284B8; Fri, 24 Jun 2016 16:04:51 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED
	autolearn=ham version=3.3.1
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5EBDB28499
	for <patchwork-intel-gfx@patchwork.kernel.org>;
	Fri, 24 Jun 2016 16:04:51 +0000 (UTC)
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
	by gabe.freedesktop.org (Postfix) with ESMTP id 159646EAFF;
	Fri, 24 Jun 2016 16:04:50 +0000 (UTC)
X-Original-To: intel-gfx@lists.freedesktop.org
Delivered-To: intel-gfx@lists.freedesktop.org
Received: from mga09.intel.com (mga09.intel.com [134.134.136.24])
	by gabe.freedesktop.org (Postfix) with ESMTP id 6EAFA6EAFB
	for <intel-gfx@lists.freedesktop.org>;
	Fri, 24 Jun 2016 16:04:48 +0000 (UTC)
Received: from orsmga002.jf.intel.com ([10.7.209.21])
	by orsmga102.jf.intel.com with ESMTP; 24 Jun 2016 09:04:48 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos; i="5.26,521,1459839600"; d="scan'208";
	a="1004578784"
Received: from cmcgrego-mobl.ger.corp.intel.com (HELO
	mwahaha.ger.corp.intel.com) ([10.252.10.157])
	by orsmga002.jf.intel.com with ESMTP; 24 Jun 2016 09:04:46 -0700
From: Matthew Auld <matthew.auld@intel.com>
To: intel-gfx@lists.freedesktop.org
Date: Fri, 24 Jun 2016 17:04:46 +0100
Message-Id: <1466784286-29059-1-git-send-email-matthew.auld@intel.com>
X-Mailer: git-send-email 2.7.4
Subject: [Intel-gfx] [PATCH] drm/i915: fix out-of-bounds page_table access
X-BeenThere: intel-gfx@lists.freedesktop.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Intel graphics driver community testing & development
	<intel-gfx.lists.freedesktop.org>
List-Unsubscribe: <https://lists.freedesktop.org/mailman/options/intel-gfx>,
	<mailto:intel-gfx-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <https://lists.freedesktop.org/archives/intel-gfx>
List-Post: <mailto:intel-gfx@lists.freedesktop.org>
List-Help: <mailto:intel-gfx-request@lists.freedesktop.org?subject=help>
List-Subscribe: <https://lists.freedesktop.org/mailman/listinfo/intel-gfx>,
	<mailto:intel-gfx-request@lists.freedesktop.org?subject=subscribe>
MIME-Version: 1.0
Errors-To: intel-gfx-bounces@lists.freedesktop.org
Sender: "Intel-gfx" <intel-gfx-bounces@lists.freedesktop.org>
X-Virus-Scanned: ClamAV using ClamSMTP

The gen6_for_all_pdes macro does the upper-bound evaluation after
accessing the page_table array, hence on the final iteration we end up
hitting an out-of-bounds error:

[ 1023.831657] UBSAN: Undefined behaviour in drivers/gpu/drm/i915/i915_gem_gtt.c:1993:2
[ 1023.831680] index 512 is out of range for type 'i915_page_table *[512]'
[ 1023.831696] CPU: 0 PID: 4833 Comm: rmmod Tainted: G     U          4.7.0-rc4-drm-intel-debug+ #5
[ 1023.831698] Hardware name: ASUS All Series/Z87-K, BIOS 1202 05/13/2014
[ 1023.831700]  0000000000000200 00000000adfe9733 ffff8801a3917988 ffffffff818cc0a4
[ 1023.831705]  0000000041b58ab3 ffffffff8275ca08 ffffffff818cbff2 ffff8801a39179b0
[ 1023.831708]  ffff8801a3917960 0000000000000200 1ffffffff4365b17 0000000000000001
[ 1023.831711] Call Trace:
[ 1023.831717]  [<ffffffff818cc0a4>] dump_stack+0xb2/0x10e
[ 1023.831721]  [<ffffffff818cbff2>] ? _atomic_dec_and_lock+0x152/0x152
[ 1023.831726]  [<ffffffff81952b0b>] ubsan_epilogue+0xd/0x4e
[ 1023.831730]  [<ffffffff8195373d>] __ubsan_handle_out_of_bounds+0x107/0x14d
[ 1023.831733]  [<ffffffff81953636>] ? __ubsan_handle_shift_out_of_bounds+0x24c/0x24c
[ 1023.831737]  [<ffffffff814bfde6>] ? kfree+0x246/0x3f0
[ 1023.831801]  [<ffffffffa183bff8>] gen6_ppgtt_cleanup+0x128/0x130 [i915]

Cc: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
---
 drivers/gpu/drm/i915/i915_gem_gtt.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.h b/drivers/gpu/drm/i915/i915_gem_gtt.h
index 163b564..9e5228d 100644
--- a/drivers/gpu/drm/i915/i915_gem_gtt.h
+++ b/drivers/gpu/drm/i915/i915_gem_gtt.h
@@ -409,7 +409,7 @@ struct i915_hw_ppgtt {
 
 #define gen6_for_all_pdes(pt, ppgtt, iter)  \
 	for (iter = 0;		\
-	     pt = ppgtt->pd.page_table[iter], iter < I915_PDES;	\
+	     iter < I915_PDES ? (pt = ppgtt->pd.page_table[iter]), 1 : 0; \
 	     iter++)
 
 static inline uint32_t i915_pte_index(uint64_t address, uint32_t pde_shift)