[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <64732bd4-f946-4359-a3b0-19b3f6f10d44@ursulin.net>
Date: Wed, 4 Sep 2024 10:59:48 +0100
From: Tvrtko Ursulin <tursulin@...ulin.net>
To: Nikita Zhandarovich <n.zhandarovich@...tech.ru>,
Jani Nikula <jani.nikula@...ux.intel.com>,
Joonas Lahtinen <joonas.lahtinen@...ux.intel.com>,
Rodrigo Vivi <rodrigo.vivi@...el.com>
Cc: David Airlie <airlied@...il.com>, Daniel Vetter <daniel@...ll.ch>,
intel-gfx@...ts.freedesktop.org, dri-devel@...ts.freedesktop.org,
linux-kernel@...r.kernel.org, lvc-project@...uxtesting.org,
stable@...r.kernel.org, Daniele Spurio <daniele.ceraolospurio@...el.com>,
John Harrison <John.C.Harrison@...el.com>
Subject: Re: [PATCH] drm/i915/guc: prevent a possible int overflow in wq
offsets
On 26/08/2024 11:45, Nikita Zhandarovich wrote:
> Hi,
>
> On 7/25/24 08:59, Nikita Zhandarovich wrote:
>> It may be possible for the sum of the values derived from
>> i915_ggtt_offset() and __get_parent_scratch_offset()/
>> i915_ggtt_offset() to go over the u32 limit before being assigned
>> to wq offsets of u64 type.
>>
>> Mitigate these issues by expanding one of the right operands
>> to u64 to avoid any overflow issues just in case.
>>
>> Found by Linux Verification Center (linuxtesting.org) with static
>> analysis tool SVACE.
>>
>> Fixes: 2584b3549f4c ("drm/i915/guc: Update to GuC version 70.1.1")
>> Cc: stable@...r.kernel.org
>> Signed-off-by: Nikita Zhandarovich <n.zhandarovich@...tech.ru>
>> ---
>> drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
>> index 9400d0eb682b..908ebfa22933 100644
>> --- a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
>> +++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
>> @@ -2842,9 +2842,9 @@ static void prepare_context_registration_info_v70(struct intel_context *ce,
>> ce->parallel.guc.wqi_tail = 0;
>> ce->parallel.guc.wqi_head = 0;
>>
>> - wq_desc_offset = i915_ggtt_offset(ce->state) +
>> + wq_desc_offset = (u64)i915_ggtt_offset(ce->state) +
>> __get_parent_scratch_offset(ce);
>> - wq_base_offset = i915_ggtt_offset(ce->state) +
>> + wq_base_offset = (u64)i915_ggtt_offset(ce->state) +
>> __get_wq_offset(ce);
>> info->wq_desc_lo = lower_32_bits(wq_desc_offset);
>> info->wq_desc_hi = upper_32_bits(wq_desc_offset);
>
> Gentle ping,
With the current hardware this cannot overflow but I guess it doesn't
harm to be explicitly safe. Adding some GuC folks to either r-b or add
more candidates for review.
Regards,
Tvrtko
Powered by blists - more mailing lists