linux/drivers/gpu/drm/nouveau
Thomas Zimmermann f644e3038f drm/nouveau: Fix out-of-bounds access when dereferencing MMU type
The value of struct drm_device.ttm.type_vram can become -1 for unknown
types of memory (see nouveau_ttm_init()). This leads to an out-of-bounds
error when accessing struct nvif_mmu.type[]:

  [   18.304116] ==================================================================
  [   18.311649] BUG: KASAN: slab-out-of-bounds in nouveau_ttm_io_mem_reserve+0x17a/0x7e0 [nouveau]
  [   18.320415] Read of size 1 at addr ffff88810ffac1fe by task systemd-udevd/342
  [   18.327681]
  [   18.329208] CPU: 1 PID: 342 Comm: systemd-udevd Tainted: G            E     5.10.0-rc2-1-default+ #581
  [   18.338681] Hardware name: Dell Inc. OptiPlex 9020/0N4YC8, BIOS A24 10/24/2018
  [   18.346032] Call Trace:
  [   18.348536]  dump_stack+0xae/0xe5
  [   18.351919]  print_address_description.constprop.0+0x17/0xf0
  [   18.357787]  ? nouveau_ttm_io_mem_reserve+0x17a/0x7e0 [nouveau]
  [   18.363818]  __kasan_report.cold+0x20/0x38
  [   18.368099]  ? nouveau_ttm_io_mem_reserve+0x17a/0x7e0 [nouveau]
  [   18.374133]  kasan_report+0x3a/0x50
  [   18.377789]  nouveau_ttm_io_mem_reserve+0x17a/0x7e0 [nouveau]
  <...>
  [   18.767690] Allocated by task 342:
  [   18.773087]  kasan_save_stack+0x1b/0x40
  [   18.778890]  __kasan_kmalloc.constprop.0+0xbf/0xd0
  [   18.785646]  __kmalloc_track_caller+0x1be/0x390
  [   18.792165]  kstrdup_const+0x46/0x70
  [   18.797686]  kobject_set_name_vargs+0x2f/0xb0
  [   18.803992]  kobject_init_and_add+0x9d/0xf0
  [   18.810117]  ttm_mem_global_init+0x12c/0x210 [ttm]
  [   18.816853]  ttm_bo_global_init+0x4a/0x160 [ttm]
  [   18.823420]  ttm_bo_device_init+0x39/0x220 [ttm]
  [   18.830046]  nouveau_ttm_init+0x2c3/0x830 [nouveau]
  [   18.836929]  nouveau_drm_device_init+0x1b4/0x3f0 [nouveau]
  <...>
  [   19.105336] ==================================================================

Fix this error by not using type_vram as an index if it's negative.
Assume default values instead.

The error was seen on Nvidia G72 hardware.

Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
Acked-by: Christian König <christian.koenig@amd.com>
Fixes: 1cf65c4518 ("drm/ttm: add caching state to ttm_bus_placement")
Cc: Christian König <christian.koenig@amd.com>
Cc: Michael J. Ruhl <michael.j.ruhl@intel.com>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Maxime Ripard <mripard@kernel.org>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: David Airlie <airlied@linux.ie>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: Ben Skeggs <bskeggs@redhat.com>
Cc: Dave Airlie <airlied@redhat.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: "Christian König" <christian.koenig@amd.com>
Cc: VMware Graphics <linux-graphics-maintainer@vmware.com>
Cc: Roland Scheidegger <sroland@vmware.com>
Cc: Huang Rui <ray.huang@amd.com>
Cc: Felix Kuehling <Felix.Kuehling@amd.com>
Cc: Hawking Zhang <Hawking.Zhang@amd.com>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Likun Gao <Likun.Gao@amd.com>
Cc: dri-devel@lists.freedesktop.org
Cc: nouveau@lists.freedesktop.org
Cc: virtualization@lists.linux-foundation.org
Cc: spice-devel@lists.freedesktop.org
Cc: amd-gfx@lists.freedesktop.org
Link: https://patchwork.freedesktop.org/patch/msgid/20201110133655.13174-1-tzimmermann@suse.de
2020-11-11 20:13:31 +01:00
dispnv04 Merge drm/drm-next into drm-misc-next 2020-09-14 18:11:40 +02:00
dispnv50 drm/nouveau/kms/nv50-: Use state helper instead of crtc pointer 2020-11-03 12:20:09 +01:00
include drm/nouveau/kms/nv50-: Program notifier offset before requesting disp caps 2020-10-30 09:34:12 +10:00
nvif
nvkm drm: remove unneeded break 2020-11-08 18:59:00 +01:00
Kbuild
Kconfig drm/gem: Use struct dma_buf_map in GEM vmap ops and convert GEM backends 2020-11-09 09:19:24 +01:00
nouveau_abi16.c drm/nouveau: stop using TTM placement flags 2020-09-11 13:31:23 +02:00
nouveau_abi16.h
nouveau_acpi.c
nouveau_acpi.h
nouveau_backlight.c
nouveau_bios.c
nouveau_bios.h
nouveau_bo74c1.c Merge drm/drm-next into drm-misc-next 2020-08-12 20:42:08 +02:00
nouveau_bo85b5.c Merge drm/drm-next into drm-misc-next 2020-08-12 20:42:08 +02:00
nouveau_bo90b5.c Merge drm/drm-next into drm-misc-next 2020-08-12 20:42:08 +02:00
nouveau_bo0039.c Merge drm/drm-next into drm-misc-next 2020-08-12 20:42:08 +02:00
nouveau_bo5039.c Merge drm/drm-next into drm-misc-next 2020-08-12 20:42:08 +02:00
nouveau_bo9039.c Merge drm/drm-next into drm-misc-next 2020-08-12 20:42:08 +02:00
nouveau_bo.c drm/nouveau: Fix out-of-bounds access when dereferencing MMU type 2020-11-11 20:13:31 +01:00
nouveau_bo.h drm/gem: Use struct dma_buf_map in GEM vmap ops and convert GEM backends 2020-11-09 09:19:24 +01:00
nouveau_boa0b5.c Merge drm/drm-next into drm-misc-next 2020-08-12 20:42:08 +02:00
nouveau_chan.c drm/nouveau: switch over to the new pin interface 2020-09-24 16:16:50 +02:00
nouveau_chan.h
nouveau_connector.c drm/nouveau/kms/nv50-: Get rid of bogus nouveau_conn_mode_valid() 2020-10-30 09:34:13 +10:00
nouveau_connector.h drm/nouveau/kms: Only use hpd_work for reprobing in HPD paths 2020-08-31 19:10:08 -04:00
nouveau_crtc.h
nouveau_debugfs.c
nouveau_debugfs.h
nouveau_display.c drm/nouveau/kms: Only use hpd_work for reprobing in HPD paths 2020-08-31 19:10:08 -04:00
nouveau_display.h drm/nouveau/kms: Only use hpd_work for reprobing in HPD paths 2020-08-31 19:10:08 -04:00
nouveau_dma.c
nouveau_dma.h drm/nouveau/fence: use NVIDIA's headers for sync() 2020-07-24 18:51:04 +10:00
nouveau_dmem.c drm next for 5.10-rc1 2020-10-15 10:46:16 -07:00
nouveau_dmem.h
nouveau_dp.c drm/nouveau/kms/nv50-: Fix clock checking algorithm in nv50_dp_mode_valid() 2020-10-30 09:34:13 +10:00
nouveau_drm.c drm/ttm: nuke ttm_bo_evict_mm and rename mgr function v3 2020-10-07 13:53:08 +02:00
nouveau_drv.h drm/nouveau: switch to new allocator 2020-10-29 15:57:17 +01:00
nouveau_encoder.h drm/nouveau/kms/nv50-: Add support for DP_SINK_COUNT 2020-08-31 19:10:09 -04:00
nouveau_fbcon.c drm/nouveau: stop using TTM placement flags 2020-09-11 13:31:23 +02:00
nouveau_fbcon.h
nouveau_fence.c
nouveau_fence.h
nouveau_gem.c drm/gem: Use struct dma_buf_map in GEM vmap ops and convert GEM backends 2020-11-09 09:19:24 +01:00
nouveau_gem.h drm/gem: Use struct dma_buf_map in GEM vmap ops and convert GEM backends 2020-11-09 09:19:24 +01:00
nouveau_hwmon.c
nouveau_hwmon.h
nouveau_ioc32.c
nouveau_ioctl.h
nouveau_led.c
nouveau_led.h
nouveau_mem.c Merge drm/drm-next into drm-misc-next 2020-11-02 11:17:54 +01:00
nouveau_mem.h drm/ttm: merge ttm_dma_tt back into ttm_tt 2020-10-26 14:45:42 +01:00
nouveau_nvif.c
nouveau_platform.c
nouveau_platform.h
nouveau_prime.c drm/gem: Use struct dma_buf_map in GEM vmap ops and convert GEM backends 2020-11-09 09:19:24 +01:00
nouveau_reg.h
nouveau_sgdma.c drm/ttm: merge ttm_dma_tt back into ttm_tt 2020-10-26 14:45:42 +01:00
nouveau_svm.c drm/nouveau/nouveau: fix the start/end range for migration 2020-10-30 09:34:11 +10:00
nouveau_svm.h nouveau/svm: use the new migration invalidation 2020-07-28 16:20:33 -03:00
nouveau_ttm.c drm/nouveau/ttm: Add limits.h 2020-11-02 11:54:44 +01:00
nouveau_ttm.h drm/nouveau/ttm: use driver bind/unbind/destroy functions. 2020-09-09 08:30:11 +10:00
nouveau_usif.c
nouveau_usif.h
nouveau_vga.c
nouveau_vga.h
nouveau_vmm.c
nouveau_vmm.h
nv04_fbcon.c
nv04_fence.c
nv10_fence.c drm/nouveau/fence: use NVIDIA's headers for read() 2020-07-24 18:51:04 +10:00
nv10_fence.h
nv17_fence.c drm/nouveau: stop using TTM placement flags 2020-09-11 13:31:23 +02:00
nv50_display.h
nv50_fbcon.c drm/nouveau/fbcon/nv50-: use NVIDIA's headers for fillrect() 2020-07-24 18:51:04 +10:00
nv50_fence.c drm/nouveau: stop using TTM placement flags 2020-09-11 13:31:23 +02:00
nv84_fence.c drm/nouveau: stop using TTM placement flags 2020-09-11 13:31:23 +02:00
nvc0_fbcon.c drm/nouveau/fbcon/nv50-: use NVIDIA's headers for fillrect() 2020-07-24 18:51:04 +10:00
nvc0_fence.c drm/nouveau/fence: use NVIDIA's headers for sync() 2020-07-24 18:51:04 +10:00