Message-ID: <ca2dc2821003110754r65ab170at39a61fb11fa285e0@mail.gmail.com>
Date:	Thu, 11 Mar 2010 16:54:26 +0100
From:	Miguel Ojeda <miguel.ojeda.sandonis@...il.com>
To:	Zhenyu Wang <zhenyuw@...ux.intel.com>,
	Miguel Ojeda <miguel.ojeda.sandonis@...il.com>,
	linux-kernel@...r.kernel.org, David.Woodhouse@...el.com,
	dwmw2@...radead.org, eric@...olt.net, ben@...adent.org.uk,
	gregkh@...e.de
Subject: Re: [PATCH] intel-agp.c: Fix crash when accessing nonexistent GTT 
	entries in i915

On Thu, Mar 11, 2010 at 9:34 AM, Zhenyu Wang <zhenyuw@...ux.intel.com> wrote:
> On 2010.03.11 08:31:57 +0100, Miguel Ojeda wrote:
>> On Wed, Mar 10, 2010 at 11:09 PM, Miguel Ojeda
>> <miguel.ojeda.sandonis@...il.com> wrote:
>> > Hi,
>> >
>> > The commit 5877960869333e42ebeb733e8d9d5630ff96d350 (included since 2.6.32.4) crashes (locks up) the 82915G/GV/910GL Controller when intel-agp.c tries to access nonexistent GTT entries at:
>> >
>> > -               for (i = intel_private.gtt_entries; i < current_size->num_entries; i++) {
>> > +               for (i = intel_private.gtt_entries; i < intel_private.gtt_total_size; i++) {
>> >
>> > Rationale: I915 (gma900) has 128 MB of video memory (maximum), as per intel.com ( http://www.intel.com/support/graphics/intel915g/sb/CS-012579.htm ) and lspci:
>
> I think that page is wrong, and http://www.intel.com/design/chipsets/datashts/301467.htm
> has info that 256K is for GTT bar, so max video memory size is 256M. On my 915G
> board, I can choose 128M/256M in BIOS setup.

You are right, I can choose between 128M/256M in BIOS too. The BIOS
config is the following:

IGD Aperture Size: 128 MB
DVMT MODE: FIXED
IGD DVMT/FIXED MEMORY: 32 MB

>
>> >
>> > 00:02.0 VGA compatible controller: Intel Corporation 82915G/GV/910GL Integrated Graphics Controller (rev 04) (prog-if 00 [VGA controller])
>> >        Subsystem: Intel Corporation Device 4147
>> >        Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
>> >        Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
>> >        Latency: 0
>> >        Interrupt: pin A routed to IRQ 11
>> >        Region 0: Memory at ff480000 (32-bit, non-prefetchable) [size=512K]
>> >        Region 1: I/O ports at ec00 [size=8]
>> >        Region 2: Memory at d8000000 (32-bit, prefetchable) [size=128M]
>> >        Region 3: Memory at ff440000 (32-bit, non-prefetchable) [size=256K]
>
> This also tells bar 3 for GTT has 256K.
>

I see. I just guessed by seeing that gtt_total_size is double the
older num_entries and that the "default" gtt_map_size is 256 instead of
128. Then I checked the webpage and lspci, wrote the fix and it
worked, so I thought it was in fact 128 MB (so GTT double in size).

>> >        Capabilities: <access denied>
>> >
>> >
>> > AFAIK, that implies that its gtt_total_size (in pages) should be 32K (as num_entries showed before the commit) instead of 64K.
>> >
>> > Note: The IS_I915 macro includes 945; however, only GMA900 (I915) had 128 MB as the maximum AFAIK. Therefore, I divided the IS_I915 macro. I do not know about the "E7221" (please check).
>> >
>> > How to reproduce: Access kernel.org in iceweasel (Debian Lenny) and the X server will crash. Sometimes, the kernel freezes.
>> >
>
> I can't produce this on my 915G board with 128M or 256M memory config.

It also occurs in other applications/ways. Maybe you could try to do
some scrolling (I recall it also triggered it) or try to open other
browsers (konqueror is another application that seems to trigger it
easily in this box).

> Could you
> paste dmesg in your failure or just hang?

Attached dmesg, lspci -vv, config and xorg.

When the X server crashes, the kernel does not report anything:

Linux agpgart interface v0.103
agpgart-intel 0000:00:00.0: Intel 915G Chipset
DEBUG i915 num_entries = 32768
DEBUG i915 intel_private.gtt_total_size = 65536
agpgart-intel 0000:00:00.0: detected 8060K stolen memory
agpgart-intel 0000:00:00.0: AGP aperture is 128M @ 0xd8000000

I added a couple of printk's to see the value of num_entries (older
loop limit) and gtt_total_size (newer).

However, xorg reports the error:

Error in I830WaitLpRing(), timeout for 2 seconds
pgetbl_ctl: 0x7ffe0001 getbl_err: 0x00000000
ipeir: 0x00000000 iphdr: 0x15000000
LP ring tail: 0x00013aa8 head: 0x00013ae0 len: 0x0001f001 start 0x00000000
eir: 0x0000 esr: 0x0000 emr: 0xffff
instdone: 0xffc1 instpm: 0x0000
memmode: 0x00000306 instps: 0x800f00ca
hwstam: 0xffff ier: 0x0000 imr: 0xffff iir: 0x0000
Ring at virtual 0xaf1c6000 head 0x13ae0 tail 0x13aa8 count 32754
	00013a60: 00004820
	00013a64: 00000000
...
	00013adc: 00000001
	00013ae0: 02001910
Ring end
space: 48 wanted 56

Fatal server error:
lockup


FatalError re-entered, aborting
I830Sync: BEGIN_LP_RING called without closing ADVANCE_LP_RING

I do not know about output/reports when the video/kernel freezes
completely (or seems so).

>
>> > Please review. The fix should be applied to stable series, as well as 2.6.33 and 2.6.34-rc1.
>> >
>> > Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis@...il.com>
>> > ---
>> > --- linux-2.6.32.stable/drivers/char/agp/intel-agp.c.old        2010-03-10 15:32:36.000000000 +0100
>> > +++ linux-2.6.32.stable/drivers/char/agp/intel-agp.c    2010-03-10 22:38:23.000000000 +0100
>> > @@ -65,11 +65,11 @@
>> >  #define PCI_DEVICE_ID_INTEL_IGDNG_MC2_HB    0x006a
>> >  #define PCI_DEVICE_ID_INTEL_IGDNG_M_IG     0x0046
>> >
>> > -/* cover 915 and 945 variants */
>> >  #define IS_I915 (agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_E7221_HB || \
>> >                 agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82915G_HB || \
>> > -                agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82915GM_HB || \
>> > -                agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82945G_HB || \
>> > +                agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82915GM_HB)
>> > +
>> > +#define IS_I945 (agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82945G_HB || \
>> >                 agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82945GM_HB || \
>> >                 agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_82945GME_HB)
>> >
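Review bot: narrowing `IS_I915` to E7221/82915G/82915GM changes every existing user of the macro, not only the ones touched in this patch. The following hunk adds `|| IS_I945` in just the two stolen-memory cases of intel_i830_init_gtt_entries, so any other `IS_I915` test in the file that was meant to cover 945 now silently excludes it. Please audit all uses and add `IS_I945` wherever the old behaviour should be kept. The removed comment `/* cover 915 and 945 variants */` should be replaced by a comment on each macro saying which chips it covers and why they are split. The description also says E7221 is unverified, so keeping it in `IS_I915` needs confirming before it picks up the 128K limit added further down.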
>> > @@ -724,14 +724,14 @@ static void intel_i830_init_gtt_entries(
>> >                        break;
>> >                case I915_GMCH_GMS_STOLEN_48M:
>> >                        /* Check it's really I915G */
>> > -                       if (IS_I915 || IS_I965 || IS_G33 || IS_G4X)
>> > +                       if (IS_I915 || IS_I945 || IS_I965 || IS_G33 || IS_G4X)
>> >                                gtt_entries = MB(48) - KB(size);
>> >                        else
>> >                                gtt_entries = 0;
>> >                        break;
>> >                case I915_GMCH_GMS_STOLEN_64M:
>> >                        /* Check it's really I915G */
>> > -                       if (IS_I915 || IS_I965 || IS_G33 || IS_G4X)
>> > +                       if (IS_I915 || IS_I945 || IS_I965 || IS_G33 || IS_G4X)
>> >                                gtt_entries = MB(64) - KB(size);
>> >                        else
>> >                                gtt_entries = 0;
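Review bot: the comment `/* Check it's really I915G */` above both conditions no longer matches what is tested now that the check reads `IS_I915 || IS_I945 || IS_I965 || IS_G33 || IS_G4X`; update or drop it in the 48M and 64M cases. The same five-macro condition is duplicated in the two cases, so a single helper macro for it would keep them from drifting apart the next time a chip family is split.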
>> > @@ -1305,6 +1305,8 @@ static int intel_i915_create_gatt_table(
>> >
>> >        if (IS_G33)
>> >            gtt_map_size = 1024 * 1024; /* 1M on G33 */
>> > +       else if (IS_I915)
>> > +           gtt_map_size = 128 * 1024; /* 128K on I915 */
>> >        intel_private.gtt = ioremap(temp2, gtt_map_size);
>> >        if (!intel_private.gtt)
>> >                return -ENOMEM;
>> >
>> >
>> >
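Review bot: `gtt_map_size = 128 * 1024` in the new `else if (IS_I915)` branch is keyed on the chip ID, but the lspci output quoted above shows Region 3 as 256K on this same 82915G, and the reply says the BIOS offers both 128M and 256M. A fixed per-chip 128K would presumably be too small on a 915 configured for 256M. The mapping size, and the loop bound `intel_private.gtt_total_size` named in the description, should follow the configured aperture (the `num_entries` value that was the previous bound) rather than a constant. The hunk also does not show where `gtt_total_size` picks up the new value, so please confirm the clearing loop is actually bounded by it.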
>>
>> Cc'ing the original committers.
>
> --
> Open Source Technology Center, Intel ltd.
>
> $gpg --keyserver wwwkeys.pgp.net --recv-keys 4D781827
>
>
>

View attachment "dmesg.txt" of type "text/plain" (24430 bytes)

View attachment "lspcivv.txt" of type "text/plain" (20228 bytes)

View attachment "xorg.txt" of type "text/plain" (38361 bytes)

View attachment "config.txt" of type "text/plain" (37526 bytes)
