On 23 January 2017 at 14:52, Chris Wilson <chris@xxxxxxxxxxxxxxxxxx> wrote:
> Since tweaking i915_vma_compare() we allowed constructors to skip
> clearing the ggtt_view believing that we didn't access the unused
> members. That, as it turns out, was not entirely true. In particular,
> i915_gem_fault() uses
>
> ret = remap_io_mapping(area,
>                        area->vm_start + (vma->ggtt_view.partial.offset << PAGE_SHIFT),
>                        (ggtt->mappable_base + vma->node.start) >> PAGE_SHIFT,
>                        min_t(u64, vma->size, area->vm_end - area->vm_start),
>                        &ggtt->mappable);
>
> i.e. the ggtt_view.partial for both normal and partial views. If we
> allowed garbage into the normal vma->ggtt_view and then userspace
> tried to mmap it, we could explode in an unobvious fashion.
>
> Fixes: 7b92c047bae2 ("drm/i915: Eliminate superfluous i915_ggtt_view_rotated")
> Fixes: 3bf4d5751943 ("drm/i915: Stop clearing i915_ggtt_view")
> Reported-by: Matthew Auld <matthew.william.auld@xxxxxxxxx>
> Signed-off-by: Chris Wilson <chris@xxxxxxxxxxxxxxxxxx>
> Cc: Joonas Lahtinen <joonas.lahtinen@xxxxxxxxxxxxxxx>
> Cc: Matthew Auld <matthew.william.auld@xxxxxxxxx>
Tested-by: Matthew Auld <matthew.auld@xxxxxxxxx>
Reviewed-by: Matthew Auld <matthew.auld@xxxxxxxxx>
_______________________________________________
Intel-gfx mailing list
Intel-gfx@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
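A reduced model of the hazard the quoted commit message describes, added here as an illustration and not taken from the i915 driver: a view descriptor carries a union whose "unused" members a consumer (the fault path) reads unconditionally, so a constructor that sets only the type and skips clearing the union leaks whatever was in memory into the mmap offset. The struct layouts, the function names (vma_init_normal_unsafe, vma_init_normal_fixed, fault_user_start, view_is_consistent) and the 0xAA fill standing in for stale memory are all assumptions of this example.

```c
/* Added example: a cut-down model of a ggtt_view whose union members are
 * read by the fault path regardless of view type. Not the i915 code. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SHIFT 12

enum view_type { VIEW_NORMAL = 0, VIEW_PARTIAL = 1, VIEW_ROTATED = 2 };

struct ggtt_view {
	enum view_type type;
	union {
		struct { unsigned int offset; unsigned int size; } partial;
		struct { unsigned int width, height, stride; } rotated;
	};
};

struct vma {
	struct ggtt_view ggtt_view;
	uint64_t node_start; /* stands in for vma->node.start */
	uint64_t size;
};

/* Buggy constructor (assumed): sets the type but leaves the union as it
 * was, on the belief that a normal view never reads partial.* */
static void vma_init_normal_unsafe(struct vma *v, uint64_t start, uint64_t size)
{
	v->ggtt_view.type = VIEW_NORMAL;
	v->node_start = start;
	v->size = size;
}

/* Fixed constructor (assumed): clear the whole view before use. */
static void vma_init_normal_fixed(struct vma *v, uint64_t start, uint64_t size)
{
	memset(&v->ggtt_view, 0, sizeof(v->ggtt_view));
	v->ggtt_view.type = VIEW_NORMAL;
	v->node_start = start;
	v->size = size;
}

/* Model of the fault path: like the quoted remap_io_mapping() call, it
 * uses ggtt_view.partial.offset for every view type. */
static uint64_t fault_user_start(const struct vma *v, uint64_t vm_start)
{
	return vm_start + ((uint64_t)v->ggtt_view.partial.offset << PAGE_SHIFT);
}

/* Debug check a reviewer would want (assumed): a normal view must carry a
 * zeroed partial member, otherwise the fault path will compute garbage. */
static int view_is_consistent(const struct ggtt_view *view)
{
	if (view->type != VIEW_NORMAL)
		return 1; /* partial/rotated views legitimately fill the union */
	return view->partial.offset == 0 && view->partial.size == 0;
}

/* Build a vma on top of stale memory (0xAA fill, constructed) with either
 * constructor and return the user-space start the fault path would use. */
static uint64_t demo_start(int fixed, uint64_t vm_start)
{
	struct vma v;

	memset(&v, 0xAA, sizeof(v)); /* simulate a reused, uncleared slot */
	if (fixed)
		vma_init_normal_fixed(&v, 0x10000, 4096);
	else
		vma_init_normal_unsafe(&v, 0x10000, 4096);
	return fault_user_start(&v, vm_start);
}

/* Same setup, but report whether the consistency check would have caught it. */
static int demo_consistent(int fixed)
{
	struct vma v;

	memset(&v, 0xAA, sizeof(v));
	if (fixed)
		vma_init_normal_fixed(&v, 0x10000, 4096);
	else
		vma_init_normal_unsafe(&v, 0x10000, 4096);
	return view_is_consistent(&v.ggtt_view);
}

int main(void)
{
	uint64_t vm_start = 0x7f0000000000ULL;

	printf("unsafe: start=%#llx consistent=%d\n",
	       (unsigned long long)demo_start(0, vm_start), demo_consistent(0));
	printf("fixed : start=%#llx consistent=%d\n",
	       (unsigned long long)demo_start(1, vm_start), demo_consistent(1));
	return 0;
}
```

With the unsafe constructor the fault path maps from vm_start plus a 0xAAAAAAAA page offset, far outside the VMA; with the cleared view it maps from vm_start as a normal view should. The point generalises beyond this driver: if any consumer reads a union member without first checking the discriminator, every constructor has to initialise that member, and a cheap type-vs-payload consistency check at the consumer turns a silent bad mapping into an immediate, debuggable failure.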