aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/gpu/drm
diff options
context:
space:
mode:
authorChris Wilson <chris@chris-wilson.co.uk>2013-12-31 10:50:30 -0500
committerDaniel Vetter <daniel.vetter@ffwll.ch>2014-01-07 02:22:42 -0500
commitcc79714fbcd57607f3df7780374181c0637a0829 (patch)
tree08d1b4d96e9cf7a0330ba3c51ad91359e69f8922 /drivers/gpu/drm
parentc0a7f818997f58b2c184a3ff313c170c411b88b4 (diff)
drm/i915: Avoid dereference past end of page array in gen6_ppgtt_insert_entries()
[ 89.237347] BUG: unable to handle kernel paging request at ffff880096326000 [ 89.237369] IP: [<ffffffff81347227>] gen6_ppgtt_insert_entries+0x117/0x170 [ 89.237382] PGD 2272067 PUD 25df0e067 PMD 25de5c067 PTE 8000000096326060 [ 89.237394] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC [ 89.237404] CPU: 1 PID: 1981 Comm: gem_concurrent_ Not tainted 3.13.0-rc4+ #639 [ 89.237411] Hardware name: Intel Corporation 2012 Client Platform/Emerald Lake 2, BIOS ACRVMBY1.86C.0078.P00.1201161002 01/16/2012 [ 89.237420] task: ffff88024c038030 ti: ffff88024b130000 task.ti: ffff88024b130000 [ 89.237425] RIP: 0010:[<ffffffff81347227>] [<ffffffff81347227>] gen6_ppgtt_insert_entries+0x117/0x170 [ 89.237435] RSP: 0018:ffff88024b131ae0 EFLAGS: 00010286 [ 89.237440] RAX: ffff880096325000 RBX: 0000000000000400 RCX: 0000000000001000 [ 89.237445] RDX: 0000000000000200 RSI: 0000000000000001 RDI: 0000000000000010 [ 89.237451] RBP: ffff88024b131b30 R08: ffff88024cc3aef0 R09: 0000000000000000 [ 89.237456] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88024cc3ae00 [ 89.237462] R13: ffff88024a578000 R14: 0000000000000001 R15: ffff88024a578ffc [ 89.237469] FS: 00007ff5475d8900(0000) GS:ffff88025d020000(0000) knlGS:0000000000000000 [ 89.237475] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 89.237480] CR2: ffff880096326000 CR3: 000000024d531000 CR4: 00000000001407e0 [ 89.237485] Stack: [ 89.237488] ffff880000000000 0000020000000000 ffff88024b23f2c0 0000000100000000 [ 89.237499] 0000000000000001 000000000007ffff ffff8801e7bf5ac0 ffff8801e7bf5ac0 [ 89.237510] ffff88024cc3ae00 ffff880248a2ee40 ffff88024b131b58 ffffffff813455ed [ 89.237521] Call Trace: [ 89.237528] [<ffffffff813455ed>] ppgtt_bind_vma+0x3d/0x60 [ 89.237534] [<ffffffff8133d8dc>] i915_gem_object_pin+0x55c/0x6a0 [ 89.237541] [<ffffffff8134275b>] i915_gem_execbuffer_reserve_vma.isra.14+0x5b/0x110 [ 89.237548] [<ffffffff81342a88>] i915_gem_execbuffer_reserve+0x278/0x2c0 [ 89.237555] [<ffffffff81343d29>] i915_gem_do_execbuffer.isra.22+0x699/0x1250 [ 89.237562] [<ffffffff81344d91>] ? i915_gem_execbuffer2+0x51/0x290 [ 89.237569] [<ffffffff81344de6>] i915_gem_execbuffer2+0xa6/0x290 [ 89.237575] [<ffffffff813014f2>] drm_ioctl+0x4d2/0x610 [ 89.237582] [<ffffffff81080bf1>] ? cpuacct_account_field+0xa1/0xc0 [ 89.237588] [<ffffffff81080b55>] ? cpuacct_account_field+0x5/0xc0 [ 89.237597] [<ffffffff811371c0>] do_vfs_ioctl+0x300/0x520 [ 89.237603] [<ffffffff810757a1>] ? vtime_account_user+0x91/0xa0 [ 89.237610] [<ffffffff810e40eb>] ? context_tracking_user_exit+0x9b/0xe0 [ 89.237617] [<ffffffff81083d7d>] ? trace_hardirqs_on+0xd/0x10 [ 89.237623] [<ffffffff81137425>] SyS_ioctl+0x45/0x80 [ 89.237630] [<ffffffff815afffa>] tracesys+0xd4/0xd9 [ 89.237634] Code: 5b 41 5c 41 5d 41 5e 41 5f 5d c3 66 0f 1f 84 00 00 00 00 00 83 45 bc 01 49 8b 84 24 78 01 00 00 65 ff 0c 25 e0 b8 00 00 8b 55 bc <4c> 8b 2c d0 65 ff 04 25 e0 b8 00 00 49 8b 45 00 48 c1 e8 2d 48 [ 89.237741] RIP [<ffffffff81347227>] gen6_ppgtt_insert_entries+0x117/0x170 [ 89.237749] RSP <ffff88024b131ae0> [ 89.237753] CR2: ffff880096326000 [ 89.237758] ---[ end trace 27416ba8b18d496c ]--- This bug dates back to the original introduction of the gen6_ppgtt_insert_entries() Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> Cc: Daniel Vetter <daniel.vetter@ffwll.ch> Cc: Ben Widawsky <benjamin.widawsky@intel.com> Reviewed-by: Ben Widawsky <ben@bwidawsk.net> [danvet: Dropped cc: stable since without full ppgtt there's no way we'll access the last page directory with this function since that range is occupied (only in the allocator) with the ppgtt pdes. Without aliasing we can start to use that range and blow up.] Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Diffstat (limited to 'drivers/gpu/drm')
-rw-r--r--drivers/gpu/drm/i915/i915_gem_gtt.c16
1 files changed, 9 insertions, 7 deletions
diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.c b/drivers/gpu/drm/i915/i915_gem_gtt.c
index 9e07a864dec0..de9c945f72a7 100644
--- a/drivers/gpu/drm/i915/i915_gem_gtt.c
+++ b/drivers/gpu/drm/i915/i915_gem_gtt.c
@@ -581,21 +581,23 @@ static void gen6_ppgtt_insert_entries(struct i915_address_space *vm,
581 unsigned act_pte = first_entry % I915_PPGTT_PT_ENTRIES; 581 unsigned act_pte = first_entry % I915_PPGTT_PT_ENTRIES;
582 struct sg_page_iter sg_iter; 582 struct sg_page_iter sg_iter;
583 583
584 pt_vaddr = kmap_atomic(ppgtt->pt_pages[act_pt]); 584 pt_vaddr = NULL;
585 for_each_sg_page(pages->sgl, &sg_iter, pages->nents, 0) { 585 for_each_sg_page(pages->sgl, &sg_iter, pages->nents, 0) {
586 dma_addr_t page_addr; 586 if (pt_vaddr == NULL)
587 pt_vaddr = kmap_atomic(ppgtt->pt_pages[act_pt]);
587 588
588 page_addr = sg_page_iter_dma_address(&sg_iter); 589 pt_vaddr[act_pte] =
589 pt_vaddr[act_pte] = vm->pte_encode(page_addr, cache_level, true); 590 vm->pte_encode(sg_page_iter_dma_address(&sg_iter),
591 cache_level, true);
590 if (++act_pte == I915_PPGTT_PT_ENTRIES) { 592 if (++act_pte == I915_PPGTT_PT_ENTRIES) {
591 kunmap_atomic(pt_vaddr); 593 kunmap_atomic(pt_vaddr);
594 pt_vaddr = NULL;
592 act_pt++; 595 act_pt++;
593 pt_vaddr = kmap_atomic(ppgtt->pt_pages[act_pt]);
594 act_pte = 0; 596 act_pte = 0;
595
596 } 597 }
597 } 598 }
598 kunmap_atomic(pt_vaddr); 599 if (pt_vaddr)
600 kunmap_atomic(pt_vaddr);
599} 601}
600 602
601static void gen6_ppgtt_cleanup(struct i915_address_space *vm) 603static void gen6_ppgtt_cleanup(struct i915_address_space *vm)