[PATCH 1/2] drm/radeon: fix invalid memory access in radeon_atrm_get_bios()
Re: [PATCH 1/2] drm/radeon: fix invalid memory access in radeon_atrm_get_bios()
On Wed, 1 Feb 2012 18:42:52 + Dave Airlie airl...@gmail.com wrote:

> On Tue, Jan 24, 2012 at 2:10 PM, Alex Deucher alexdeuc...@gmail.com wrote:
> > On Sun, Jan 22, 2012 at 9:43 AM, Igor Murzov intergalactic.anonym...@gmail.com wrote:
> >> From 77c912ea1eca50a93a34d5be69f9dc96a8bef0d8 Mon Sep 17 00:00:00 2001
> >> From: Igor Murzov e-m...@date.by
> >> Date: Sun, 22 Jan 2012 19:02:27 +0400
> >> Subject: [PATCH 1/2] drm/radeon: fix invalid memory access in radeon_atrm_get_bios()
> >>
> >> At a boot time I observed following bug:
> >>
> >> BUG: unable to handle kernel paging request at 8800a4244000
> >> IP: [81275b5b] memcpy+0xb/0x120
> >> PGD 1816063 PUD 1fe7d067 PMD 1ff9f067 PTE 8000a4244160
> >> Oops: [#1] SMP DEBUG_PAGEALLOC
> >> CPU 0
> >> Modules linked in: btusb bluetooth brcmsmac brcmutil crc8 cordic b43 radeon(+)
> >> mac80211 cfg80211 ttm ohci_hcd drm_kms_helper rfkill drm ssb agpgart mmc_core
> >> sp5100_tco video battery ac thermal processor rtc_cmos thermal_sys snd_hda_codec_hdmi
> >> joydev snd_hda_codec_conexant button bcma pcmcia snd_hda_intel snd_hda_codec
> >> snd_hwdep snd_pcm shpchp pcmcia_core k8temp snd_timer atl1c snd psmouse hwmon
> >> i2c_piix4 i2c_algo_bit soundcore evdev i2c_core ehci_hcd sg serio_raw snd_page_alloc
> >> loop btrfs
> >>
> >> Pid: 1008, comm: modprobe Not tainted 3.3.0-rc1 #21 LENOVO 20046 /AMD CRB
> >> RIP: 0010:[81275b5b] [81275b5b] memcpy+0xb/0x120
> >> RSP: 0018:8800aa72db00 EFLAGS: 00010246
> >> RAX: 8800a415 RBX: 1000 RCX: 0087
> >> RDX: RSI: 8800a4244000 RDI: 8800a4150bc8
> >> RBP: 8800aa72db78 R08: 0010 R09: 8174bbec
> >> R10: 812ee010 R11: 0001 R12: 1000
> >> R13: 0001 R14: 8800a414 R15: 8800aaba1800
> >> FS: 7ff9a3bd4720() GS:8800afa0() knlGS:
> >> CS: 0010 DS: ES: CR0: 8005003b
> >> CR2: 8800a4244000 CR3: a9c18000 CR4: 06f0
> >> DR0: DR1: DR2:
> >> DR3: DR6: 0ff0 DR7: 0400
> >> Process modprobe (pid: 1008, threadinfo 8800aa72c000, task 8800aa0e4000)
> >> Stack:
> >> a04e7c7b 0001 0001 8800aa72db28
> >> 0001 1000 8113cbef 0020
> >> 8800a4243420 8802 8800aa72db08 8800a9d42000
> >> Call Trace:
> >> [a04e7c7b] ? radeon_atrm_get_bios_chunk+0x8b/0xd0 [radeon]
> >> [8113cbef] ? kmalloc_order_trace+0x3f/0xb0
> >> [a04a9298] radeon_get_bios+0x68/0x2f0 [radeon]
> >> [a04c7a30] rv770_init+0x40/0x280 [radeon]
> >> [a047d740] radeon_device_init+0x560/0x600 [radeon]
> >> [a047ef4f] radeon_driver_load_kms+0xaf/0x170 [radeon]
> >> [a043cdde] drm_get_pci_dev+0x18e/0x2c0 [drm]
> >> [a04e7e95] radeon_pci_probe+0xad/0xb5 [radeon]
> >> [81296c5f] local_pci_probe+0x5f/0xd0
> >> [81297418] pci_device_probe+0x88/0xb0
> >> [813417aa] ? driver_sysfs_add+0x7a/0xb0
> >> [813418d8] really_probe+0x68/0x180
> >> [81341be5] driver_probe_device+0x45/0x70
> >> [81341cb3] __driver_attach+0xa3/0xb0
> >> [81341c10] ? driver_probe_device+0x70/0x70
> >> [813400ce] bus_for_each_dev+0x5e/0x90
> >> [8134172e] driver_attach+0x1e/0x20
> >> [81341298] bus_add_driver+0xc8/0x280
> >> [813422c6] driver_register+0x76/0x140
> >> [812976d6] __pci_register_driver+0x66/0xe0
> >> [a043d021] drm_pci_init+0x111/0x120 [drm]
> >> [8133c67a] ? vga_switcheroo_register_handler+0x3a/0x60
> >> [a0229000] ? 0xa0228fff
> >> [a02290ec] radeon_init+0xec/0xee [radeon]
> >> [810002f2] do_one_initcall+0x42/0x180
> >> [8109d8d2] sys_init_module+0x92/0x1e0
> >> [815407a9] system_call_fastpath+0x16/0x1b
> >> Code: 58 2a 43 50 88 43 4e 48 83 c4 08 5b c9 c3 66 90 e8 cb fd ff ff eb
> >> e6 90 90 90 90 90 90 90 90 90 48 89 f8 89 d1 c1 e9 03 83 e2 07 f3 48
> >> a5 89 d1 f3 a4 c3 20 48 83 ea 20 4c 8b 06 4c 8b 4e 08 4c
> >> RIP [81275b5b] memcpy+0xb/0x120
> >> RSP 8800aa72db00
> >> CR2: 8800a4244000
> >> ---[ end trace fcffa1599cf56382 ]---
> >>
> >> Call to acpi_evaluate_object() not always returns 4096 bytes chunks,
> >> on my system it can return 2048 bytes chunk, so pass the length of
> >> retrieved chunk to memcpy(), not the length of the recieving buffer.
> >>
> >> Signed-off-by: Igor Murzov e-m...@date.by
>
> Hi Igor,
>
> I'm not sure I understand, does your BIOS return 2K chunks always or
> just for the last chunks?

Only for the last chunk. acpi_evaluate_object() returns 16 x 4Kb chunks and then 1 x 2Kb on my laptop.

If I revert both my patches (211fa4fc4e13492151e698d92b0dff56b29928ec and a3f83ab1a717c0e6c2f59a4cfdaa10707cc35c55), applying following patch:

- diff --git a/drivers/gpu/drm/radeon
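The short final chunk described in this reply (16 x 4 KiB, then 1 x 2 KiB), as an added user-space example that is not part of the thread or of the radeon driver. `fw_read()`, `copy_chunk()` and `read_image()` are hypothetical stand-ins for the firmware call and its caller, and the image contents are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK_SIZE 4096u                       /* bytes requested per call */
#define IMAGE_SIZE (16u * CHUNK_SIZE + 2048u)  /* 16 x 4 KiB + 1 x 2 KiB, as in the thread */

static uint8_t fw_image[IMAGE_SIZE];           /* constructed stand-in for the ROM image */

/* What one firmware call hands back: a pointer and the length it produced. */
struct fw_chunk {
    const uint8_t *data;
    size_t length;
};

/* Fill the constructed image with a recognisable pattern. */
static void fill_image(void)
{
    for (size_t i = 0; i < IMAGE_SIZE; i++)
        fw_image[i] = (uint8_t)(i * 31u + 7u);
}

/* Hypothetical provider: up to `want` bytes at `offset`, fewer at the end. */
static int fw_read(size_t offset, size_t want, struct fw_chunk *out)
{
    if (offset > IMAGE_SIZE)
        return -1;
    size_t left = IMAGE_SIZE - offset;
    out->data = fw_image + offset;
    out->length = want < left ? want : left;
    return 0;
}

/* Bytes that memcpy(dst, chunk, requested) would read past the returned chunk. */
static size_t overread_bytes(size_t requested, size_t returned)
{
    return requested > returned ? requested - returned : 0;
}

/*
 * Copy one chunk, bounded by the returned length, the requested length and
 * the room left in dst. Returns the bytes actually copied, or -1 on error.
 */
static long copy_chunk(uint8_t *dst, size_t dst_size, size_t offset, size_t want)
{
    struct fw_chunk c;

    if (offset > dst_size || fw_read(offset, want, &c) != 0)
        return -1;
    size_t n = c.length;
    if (n > want)
        n = want;                  /* never accept more than was asked for */
    if (n > dst_size - offset)
        n = dst_size - offset;     /* never write past the destination */
    memcpy(dst + offset, c.data, n);
    return (long)n;
}

/* Read the whole image, advancing by what was copied; a short chunk ends it. */
static long read_image(uint8_t *dst, size_t dst_size)
{
    size_t total = 0;

    while (total < dst_size) {
        long n = copy_chunk(dst, dst_size, total, CHUNK_SIZE);
        if (n < 0)
            return -1;
        total += (size_t)n;
        if ((size_t)n < CHUNK_SIZE)
            break;
    }
    return (long)total;
}

int main(void)
{
    size_t room = 17u * CHUNK_SIZE;
    uint8_t *buf = malloc(room);

    if (!buf)
        return 1;
    fill_image();
    long got = read_image(buf, room);
    printf("read %ld of %u bytes, match=%d\n", got, IMAGE_SIZE,
           memcmp(buf, fw_image, IMAGE_SIZE) == 0);
    printf("over-read when copying the requested length on the last chunk: %zu bytes\n",
           overread_bytes(CHUNK_SIZE, IMAGE_SIZE % CHUNK_SIZE));
    free(buf);
    return got == (long)IMAGE_SIZE ? 0 : 1;
}
```

Because `copy_chunk()` returns the copied length, the caller's offset stays correct on the 2 KiB tail and the loop ends there without a further call.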
Re: [PATCH 1/2] drm/radeon: fix invalid memory access in radeon_atrm_get_bios()
On Tue, Jan 24, 2012 at 2:10 PM, Alex Deucher alexdeuc...@gmail.com wrote:

> On Sun, Jan 22, 2012 at 9:43 AM, Igor Murzov intergalactic.anonym...@gmail.com wrote:
>> From 77c912ea1eca50a93a34d5be69f9dc96a8bef0d8 Mon Sep 17 00:00:00 2001
>> From: Igor Murzov e-m...@date.by
>> Date: Sun, 22 Jan 2012 19:02:27 +0400
>> Subject: [PATCH 1/2] drm/radeon: fix invalid memory access in radeon_atrm_get_bios()
>>
>> At a boot time I observed following bug:
>>
>> BUG: unable to handle kernel paging request at 8800a4244000
>> IP: [81275b5b] memcpy+0xb/0x120
>> PGD 1816063 PUD 1fe7d067 PMD 1ff9f067 PTE 8000a4244160
>> Oops: [#1] SMP DEBUG_PAGEALLOC
>> CPU 0
>> Modules linked in: btusb bluetooth brcmsmac brcmutil crc8 cordic b43 radeon(+)
>> mac80211 cfg80211 ttm ohci_hcd drm_kms_helper rfkill drm ssb agpgart mmc_core
>> sp5100_tco video battery ac thermal processor rtc_cmos thermal_sys snd_hda_codec_hdmi
>> joydev snd_hda_codec_conexant button bcma pcmcia snd_hda_intel snd_hda_codec
>> snd_hwdep snd_pcm shpchp pcmcia_core k8temp snd_timer atl1c snd psmouse hwmon
>> i2c_piix4 i2c_algo_bit soundcore evdev i2c_core ehci_hcd sg serio_raw snd_page_alloc
>> loop btrfs
>>
>> Pid: 1008, comm: modprobe Not tainted 3.3.0-rc1 #21 LENOVO 20046 /AMD CRB
>> RIP: 0010:[81275b5b] [81275b5b] memcpy+0xb/0x120
>> RSP: 0018:8800aa72db00 EFLAGS: 00010246
>> RAX: 8800a415 RBX: 1000 RCX: 0087
>> RDX: RSI: 8800a4244000 RDI: 8800a4150bc8
>> RBP: 8800aa72db78 R08: 0010 R09: 8174bbec
>> R10: 812ee010 R11: 0001 R12: 1000
>> R13: 0001 R14: 8800a414 R15: 8800aaba1800
>> FS: 7ff9a3bd4720() GS:8800afa0() knlGS:
>> CS: 0010 DS: ES: CR0: 8005003b
>> CR2: 8800a4244000 CR3: a9c18000 CR4: 06f0
>> DR0: DR1: DR2:
>> DR3: DR6: 0ff0 DR7: 0400
>> Process modprobe (pid: 1008, threadinfo 8800aa72c000, task 8800aa0e4000)
>> Stack:
>> a04e7c7b 0001 0001 8800aa72db28
>> 0001 1000 8113cbef 0020
>> 8800a4243420 8802 8800aa72db08 8800a9d42000
>> Call Trace:
>> [a04e7c7b] ? radeon_atrm_get_bios_chunk+0x8b/0xd0 [radeon]
>> [8113cbef] ? kmalloc_order_trace+0x3f/0xb0
>> [a04a9298] radeon_get_bios+0x68/0x2f0 [radeon]
>> [a04c7a30] rv770_init+0x40/0x280 [radeon]
>> [a047d740] radeon_device_init+0x560/0x600 [radeon]
>> [a047ef4f] radeon_driver_load_kms+0xaf/0x170 [radeon]
>> [a043cdde] drm_get_pci_dev+0x18e/0x2c0 [drm]
>> [a04e7e95] radeon_pci_probe+0xad/0xb5 [radeon]
>> [81296c5f] local_pci_probe+0x5f/0xd0
>> [81297418] pci_device_probe+0x88/0xb0
>> [813417aa] ? driver_sysfs_add+0x7a/0xb0
>> [813418d8] really_probe+0x68/0x180
>> [81341be5] driver_probe_device+0x45/0x70
>> [81341cb3] __driver_attach+0xa3/0xb0
>> [81341c10] ? driver_probe_device+0x70/0x70
>> [813400ce] bus_for_each_dev+0x5e/0x90
>> [8134172e] driver_attach+0x1e/0x20
>> [81341298] bus_add_driver+0xc8/0x280
>> [813422c6] driver_register+0x76/0x140
>> [812976d6] __pci_register_driver+0x66/0xe0
>> [a043d021] drm_pci_init+0x111/0x120 [drm]
>> [8133c67a] ? vga_switcheroo_register_handler+0x3a/0x60
>> [a0229000] ? 0xa0228fff
>> [a02290ec] radeon_init+0xec/0xee [radeon]
>> [810002f2] do_one_initcall+0x42/0x180
>> [8109d8d2] sys_init_module+0x92/0x1e0
>> [815407a9] system_call_fastpath+0x16/0x1b
>> Code: 58 2a 43 50 88 43 4e 48 83 c4 08 5b c9 c3 66 90 e8 cb fd ff ff eb
>> e6 90 90 90 90 90 90 90 90 90 48 89 f8 89 d1 c1 e9 03 83 e2 07 f3 48
>> a5 89 d1 f3 a4 c3 20 48 83 ea 20 4c 8b 06 4c 8b 4e 08 4c
>> RIP [81275b5b] memcpy+0xb/0x120
>> RSP 8800aa72db00
>> CR2: 8800a4244000
>> ---[ end trace fcffa1599cf56382 ]---
>>
>> Call to acpi_evaluate_object() not always returns 4096 bytes chunks,
>> on my system it can return 2048 bytes chunk, so pass the length of
>> retrieved chunk to memcpy(), not the length of the recieving buffer.
>>
>> Signed-off-by: Igor Murzov e-m...@date.by

Hi Igor,

I'm not sure I understand, does your BIOS return 2K chunks always or just for the last chunks?

since if it returns 2K always, won't your next patch break stuff? we have a regression report against the second patch, just wondering what it might be.

Dave.
___
dri-devel mailing list
dri-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/dri-devel
[PATCH 1/2] drm/radeon: fix invalid memory access in radeon_atrm_get_bios()
On Sun, Jan 22, 2012 at 9:43 AM, Igor Murzov wrote: > From 77c912ea1eca50a93a34d5be69f9dc96a8bef0d8 Mon Sep 17 00:00:00 2001 
> From: Igor Murzov > Date: Sun, 22 Jan 2012 19:02:27 +0400 > Subject: [PATCH 1/2] drm/radeon: fix invalid memory access in > radeon_atrm_get_bios() > > At a boot time I observed following bug: > > ?BUG: unable to handle kernel paging request at 8800a4244000 > ?IP: [] memcpy+0xb/0x120 > ?PGD 1816063 PUD 1fe7d067 PMD 1ff9f067 PTE 8000a4244160 > ?Oops: [#1] SMP DEBUG_PAGEALLOC > ?CPU 0 > ?Modules linked in: btusb bluetooth brcmsmac brcmutil crc8 cordic b43 > radeon(+) > ?mac80211 cfg80211 ttm ohci_hcd drm_kms_helper rfkill drm ssb agpgart mmc_core > ?sp5100_tco video battery ac thermal processor rtc_cmos thermal_sys > snd_hda_codec_hdmi > ?joydev snd_hda_codec_conexant button bcma pcmcia snd_hda_intel snd_hda_codec > ?snd_hwdep snd_pcm shpchp pcmcia_core k8temp snd_timer atl1c snd psmouse hwmon > ?i2c_piix4 i2c_algo_bit soundcore evdev i2c_core ehci_hcd sg serio_raw > snd_page_alloc > ?loop btrfs > > ?Pid: 1008, comm: modprobe Not tainted 3.3.0-rc1 #21 LENOVO 20046 ? ? ? ? ? ? > ? ? ? ? ? ? ? /AMD CRB > ?RIP: 0010:[] ?[] memcpy+0xb/0x120 > ?RSP: 0018:8800aa72db00 ?EFLAGS: 00010246 > ?RAX: 8800a415 RBX: 1000 RCX: 0087 > ?RDX: RSI: 8800a4244000 RDI: 8800a4150bc8 > ?RBP: 8800aa72db78 R08: 0010 R09: 8174bbec > ?R10: 812ee010 R11: 0001 R12: 1000 > ?R13: 0001 R14: 8800a414 R15: 8800aaba1800 > ?FS: ?7ff9a3bd4720() GS:8800afa0() knlGS: > ?CS: ?0010 DS: ES: CR0: 8005003b > ?CR2: 8800a4244000 CR3: a9c18000 CR4: 06f0 > ?DR0: DR1: DR2: > ?DR3: DR6: 0ff0 DR7: 0400 > ?Process modprobe (pid: 1008, threadinfo 8800aa72c000, task > 8800aa0e4000) > ?Stack: > ?a04e7c7b 0001 0001 8800aa72db28 > ?0001 1000 8113cbef 0020 > ?8800a4243420 8802 8800aa72db08 8800a9d42000 > ?Call Trace: > ?[] ? radeon_atrm_get_bios_chunk+0x8b/0xd0 [radeon] > ?[] ? 
kmalloc_order_trace+0x3f/0xb0 > ?[] radeon_get_bios+0x68/0x2f0 [radeon] > ?[] rv770_init+0x40/0x280 [radeon] > ?[] radeon_device_init+0x560/0x600 [radeon] > ?[] radeon_driver_load_kms+0xaf/0x170 [radeon] > ?[] drm_get_pci_dev+0x18e/0x2c0 [drm] > ?[] radeon_pci_probe+0xad/0xb5 [radeon] > ?[] local_pci_probe+0x5f/0xd0 > ?[] pci_device_probe+0x88/0xb0 > ?[] ? driver_sysfs_add+0x7a/0xb0 > ?[] really_probe+0x68/0x180 > ?[] driver_probe_device+0x45/0x70 > ?[] __driver_attach+0xa3/0xb0 > ?[] ? driver_probe_device+0x70/0x70 > ?[] bus_for_each_dev+0x5e/0x90 > ?[] driver_attach+0x1e/0x20 > ?[] bus_add_driver+0xc8/0x280 > ?[] driver_register+0x76/0x140 > ?[] __pci_register_driver+0x66/0xe0 > ?[] drm_pci_init+0x111/0x120 [drm] > ?[] ? vga_switcheroo_register_handler+0x3a/0x60 > ?[] ? 0xa0228fff > ?[] radeon_init+0xec/0xee [radeon] > ?[] do_one_initcall+0x42/0x180 > ?[] sys_init_module+0x92/0x1e0 > ?[] system_call_fastpath+0x16/0x1b > ?Code: 58 2a 43 50 88 43 4e 48 83 c4 08 5b c9 c3 66 90 e8 cb fd ff ff eb > ?e6 90 90 90 90 90 90 90 90 90 48 89 f8 89 d1 c1 e9 03 83 e2 07 48 > ?a5 89 d1 f3 a4 c3 20 48 83 ea 20 4c 8b 06 4c 8b 4e 08 4c > ?RIP ?[] memcpy+0xb/0x120 > ?RSP > ?CR2: 8800a4244000 > ?---[ end trace fcffa1599cf56382 ]--- > > Call to acpi_evaluate_object() not always returns 4096 bytes chunks, > on my system it can return 2048 bytes chunk, so pass the length of > retrieved chunk to memcpy(), not the length of the recieving buffer. > > Signed-off-by: Igor Murzov Both patches are: Reviewed-by: Alex Deucher > --- > ?drivers/gpu/drm/radeon/radeon_atpx_handler.c | ? ?2 +- > ?1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/drivers/gpu/drm/radeon/radeon_atpx_handler.c > b/drivers/gpu/drm/radeon/radeon_atpx_handler.c > index 9d95792..c666a5b 100644 > --- a/drivers/gpu/drm/radeon/radeon_atpx_handler.c > +++ b/drivers/gpu/drm/radeon/radeon_atpx_handler.c 
> @@ -58,7 +58,7 @@ static int radeon_atrm_call(acpi_handle atrm_handle, > uint8_t *bios, > ? ? ? ?} > > ? ? ? ?obj = (union acpi_object *)buffer.pointer; > - ? ? ? memcpy(bios+offset, obj->buffer.pointer, len); > + ? ? ? memcpy(bios+offset, obj->buffer.pointer, obj->buffer.length); > ? ? ? ?kfree(buffer.pointer); > ? ? ? ?return len; > ?} > -- > 1.7.5.1 >
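Review bot: `return len;` stays as unchanged context at the end of this hunk, so radeon_atrm_call() still returns len (which the commit message describes as the length of the receiving buffer) even when the new memcpy() moved only obj->buffer.length bytes. On a short chunk the caller cannot tell how much of bios+offset was actually filled. Consider returning the number of bytes copied and letting the caller advance or stop on that value.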
[PATCH 1/2] drm/radeon: fix invalid memory access in radeon_atrm_get_bios()
At a boot time I observed following bug: BUG: unable to handle kernel paging request at 8800a4244000 IP: [] memcpy+0xb/0x120 PGD 1816063 PUD 1fe7d067 PMD 1ff9f067 PTE 8000a4244160 Oops: [#1] SMP DEBUG_PAGEALLOC CPU 0 Modules linked in: btusb bluetooth brcmsmac brcmutil crc8 cordic b43 radeon(+) mac80211 cfg80211 ttm ohci_hcd drm_kms_helper rfkill drm ssb agpgart mmc_core sp5100_tco video battery ac thermal processor rtc_cmos thermal_sys snd_hda_codec_hdmi joydev snd_hda_codec_conexant button bcma pcmcia snd_hda_intel snd_hda_codec snd_hwdep snd_pcm shpchp pcmcia_core k8temp snd_timer atl1c snd psmouse hwmon i2c_piix4 i2c_algo_bit soundcore evdev i2c_core ehci_hcd sg serio_raw snd_page_alloc loop btrfs Pid: 1008, comm: modprobe Not tainted 3.3.0-rc1 #21 LENOVO 20046 /AMD CRB RIP: 0010:[] [] memcpy+0xb/0x120 RSP: 0018:8800aa72db00 EFLAGS: 00010246 RAX: 8800a415 RBX: 1000 RCX: 0087 RDX: RSI: 8800a4244000 RDI: 8800a4150bc8 RBP: 8800aa72db78 R08: 0010 R09: 8174bbec R10: 812ee010 R11: 0001 R12: 1000 R13: 0001 R14: 8800a414 R15: 8800aaba1800 FS: 7ff9a3bd4720() GS:8800afa0() knlGS: CS: 0010 DS: ES: CR0: 8005003b CR2: 8800a4244000 CR3: a9c18000 CR4: 06f0 DR0: DR1: DR2: DR3: DR6: 0ff0 DR7: 0400 Process modprobe (pid: 1008, threadinfo 8800aa72c000, task 8800aa0e4000) Stack: a04e7c7b 0001 0001 8800aa72db28 0001 1000 8113cbef 0020 8800a4243420 8802 8800aa72db08 8800a9d42000 Call Trace: [] ? radeon_atrm_get_bios_chunk+0x8b/0xd0 [radeon] [] ? kmalloc_order_trace+0x3f/0xb0 [] radeon_get_bios+0x68/0x2f0 [radeon] [] rv770_init+0x40/0x280 [radeon] [] radeon_device_init+0x560/0x600 [radeon] [] radeon_driver_load_kms+0xaf/0x170 [radeon] [] drm_get_pci_dev+0x18e/0x2c0 [drm] [] radeon_pci_probe+0xad/0xb5 [radeon] [] local_pci_probe+0x5f/0xd0 [] pci_device_probe+0x88/0xb0 [] ? driver_sysfs_add+0x7a/0xb0 [] really_probe+0x68/0x180 [] driver_probe_device+0x45/0x70 [] __driver_attach+0xa3/0xb0 [] ? 
driver_probe_device+0x70/0x70 [] bus_for_each_dev+0x5e/0x90 [] driver_attach+0x1e/0x20 [] bus_add_driver+0xc8/0x280 [] driver_register+0x76/0x140 [] __pci_register_driver+0x66/0xe0 [] drm_pci_init+0x111/0x120 [drm] [] ? vga_switcheroo_register_handler+0x3a/0x60 [] ? 0xa0228fff [] radeon_init+0xec/0xee [radeon] [] do_one_initcall+0x42/0x180 [] sys_init_module+0x92/0x1e0 [] system_call_fastpath+0x16/0x1b Code: 58 2a 43 50 88 43 4e 48 83 c4 08 5b c9 c3 66 90 e8 cb fd ff ff eb e6 90 90 90 90 90 90 90 90 90 48 89 f8 89 d1 c1 e9 03 83 e2 07 48 a5 89 d1 f3 a4 c3 20 48 83 ea 20 4c 8b 06 4c 8b 4e 08 4c RIP [] memcpy+0xb/0x120 RSP CR2: 8800a4244000 ---[ end trace fcffa1599cf56382 ]--- Call to acpi_evaluate_object() not always returns 4096 bytes chunks, on my system it can return 2048 bytes chunk, so pass the length of retrieved chunk to memcpy(), not the length of the recieving buffer. Signed-off-by: Igor Murzov --- drivers/gpu/drm/radeon/radeon_atpx_handler.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/drivers/gpu/drm/radeon/radeon_atpx_handler.c b/drivers/gpu/drm/radeon/radeon_atpx_handler.c index 9d95792..c666a5b 100644 --- a/drivers/gpu/drm/radeon/radeon_atpx_handler.c +++ b/drivers/gpu/drm/radeon/radeon_atpx_handler.c @@ -58,7 +58,7 @@ static int radeon_atrm_call(acpi_handle atrm_handle, uint8_t *bios, } obj = (union acpi_object *)buffer.pointer; - memcpy(bios+offset, obj->buffer.pointer, len); + memcpy(bios+offset, obj->buffer.pointer, obj->buffer.length); kfree(buffer.pointer); return len; } -- 1.7.5.1
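Review bot: in the added memcpy() line, obj->buffer.length comes from the object returned by the ACPI call and is not bounded by len, which the commit message describes as the length of the receiving buffer. A returned chunk longer than len would be written past the space reserved at bios+offset. Clamp before copying, for example `len = min(len, obj->buffer.length);` followed by `memcpy(bios+offset, obj->buffer.pointer, len);`. The visible context also shows no check that obj is a buffer object before its length is read; worth confirming in the lines above the hunk.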