Re: [PATCH] drm/i915: Prevent copying uninitialised garbage into vma->ggtt_view

On Mon, Jan 23, 2017 at 03:01:20PM +0000, Matthew Auld wrote:
> On 23 January 2017 at 14:52, Chris Wilson <chris@xxxxxxxxxxxxxxxxxx> wrote:
> > Since tweaking i915_vma_compare() we allowed constructors to skip
> > clearing the ggtt_view believing that we didn't access the unused
> > members. That, as it turns out, was not entirely true. In particular,
> > i915_gem_fault() uses
> >
> >     ret = remap_io_mapping(area,
> >             area->vm_start + (vma->ggtt_view.partial.offset << PAGE_SHIFT),
> >             (ggtt->mappable_base + vma->node.start) >> PAGE_SHIFT,
> >             min_t(u64, vma->size, area->vm_end - area->vm_start),
> >             &ggtt->mappable);
> >
> > i.e. the ggtt_view.partial for both normal and partial views. If we
> > allowed garbage into the normal vma->ggtt_view and then userspace
> > tried to mmap it, we could explode in an unobvious fashion.
> >
> > Fixes: 7b92c047bae2 ("drm/i915: Eliminate superfluous i915_ggtt_view_rotated")
> > Fixes: 3bf4d5751943 ("drm/i915: Stop clearing i915_ggtt_view")
> > Reported-by: Matthew Auld <matthew.william.auld@xxxxxxxxx>
> > Signed-off-by: Chris Wilson <chris@xxxxxxxxxxxxxxxxxx>
> > Cc: Joonas Lahtinen <joonas.lahtinen@xxxxxxxxxxxxxxx>
> > Cc: Matthew Auld <matthew.william.auld@xxxxxxxxx>
> Tested-by: Matthew Auld <matthew.auld@xxxxxxxxx>
> Reviewed-by: Matthew Auld <matthew.auld@xxxxxxxxx>

Thanks for quickly finding this.
-Chris

-- 
Chris Wilson, Intel Open Source Technology Centre
_______________________________________________
Intel-gfx mailing list
Intel-gfx@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
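
The failure mode described in the quoted commit message, as an added example that is not part of the original thread or the i915 source: a constructor that leaves "unused" view members uncleared, and a consumer that reads `partial.offset` for every view type. All struct and function names are hypothetical simplifications, the 0xA5 fill is constructed to stand in for stale contents of a recycled allocation, and clearing the whole object first is one way to close the gap, not necessarily what the patch itself does.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12
enum view_type { VIEW_NORMAL, VIEW_PARTIAL };

/* Hypothetical stand-ins: partial.* is only meaningful for VIEW_PARTIAL. */
struct view { enum view_type type; struct { uint64_t offset; uint32_t size; } partial; };
struct vma { struct view view; uint64_t size; };

/* Constructor that skips clearing members it believes are never read. */
static void vma_init_skip_clear(struct vma *vma, const struct view *v, uint64_t size)
{
    vma->size = size;
    if (v && v->type == VIEW_PARTIAL)
        vma->view = *v;
    else
        vma->view.type = VIEW_NORMAL; /* partial.* keeps whatever was in memory */
}

/* Hardened constructor: zero the whole object before filling it in. */
static void vma_init_cleared(struct vma *vma, const struct view *v, uint64_t size)
{
    memset(vma, 0, sizeof(*vma));
    vma->size = size;
    if (v && v->type == VIEW_PARTIAL)
        vma->view = *v;
}

/* Consumer modelled on the fault path: uses partial.offset for normal views too. */
static uint64_t fault_user_addr(const struct vma *vma, uint64_t vm_start)
{
    return vm_start + (vma->view.partial.offset << PAGE_SHIFT);
}

/* Build a normal-view vma on top of stale memory and compute the mapping address. */
static uint64_t demo(int cleared)
{
    struct vma vma;
    memset(&vma, 0xA5, sizeof(vma)); /* constructed stale contents */
    if (cleared)
        vma_init_cleared(&vma, NULL, 4096);
    else
        vma_init_skip_clear(&vma, NULL, 4096);
    return fault_user_addr(&vma, 0x7f0000000000ull);
}

int main(void)
{
    printf("skip-clear: %#llx\n", (unsigned long long)demo(0));
    printf("cleared:    %#llx\n", (unsigned long long)demo(1));
    return 0;
}
```
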



