From f644e3038f8875d239f1a3abdc0b469e0af19a65 Mon Sep 17 00:00:00 2001 From: Thomas Zimmermann Date: Tue, 10 Nov 2020 14:36:55 +0100 Subject: [PATCH] drm/nouveau: Fix out-of-bounds access when deferencing MMU type MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit The value of struct drm_device.ttm.type_vram can become -1 for unknown types of memory (see nouveau_ttm_init()). This leads to an out-of-bounds error when accessing struct nvif_mmu.type[]: [ 18.304116] ================================================================== [ 18.311649] BUG: KASAN: slab-out-of-bounds in nouveau_ttm_io_mem_reserve+0x17a/0x7e0 [nouveau] [ 18.320415] Read of size 1 at addr ffff88810ffac1fe by task systemd-udevd/342 [ 18.327681] [ 18.329208] CPU: 1 PID: 342 Comm: systemd-udevd Tainted: G E 5.10.0-rc2-1-default+ #581 [ 18.338681] Hardware name: Dell Inc. OptiPlex 9020/0N4YC8, BIOS A24 10/24/2018 [ 18.346032] Call Trace: [ 18.348536] dump_stack+0xae/0xe5 [ 18.351919] print_address_description.constprop.0+0x17/0xf0 [ 18.357787] ? nouveau_ttm_io_mem_reserve+0x17a/0x7e0 [nouveau] [ 18.363818] __kasan_report.cold+0x20/0x38 [ 18.368099] ? nouveau_ttm_io_mem_reserve+0x17a/0x7e0 [nouveau] [ 18.374133] kasan_report+0x3a/0x50 [ 18.377789] nouveau_ttm_io_mem_reserve+0x17a/0x7e0 [nouveau] <...> [ 18.767690] Allocated by task 342: [ 18.773087] kasan_save_stack+0x1b/0x40 [ 18.778890] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 18.785646] __kmalloc_track_caller+0x1be/0x390 [ 18.792165] kstrdup_const+0x46/0x70 [ 18.797686] kobject_set_name_vargs+0x2f/0xb0 [ 18.803992] kobject_init_and_add+0x9d/0xf0 [ 18.810117] ttm_mem_global_init+0x12c/0x210 [ttm] [ 18.816853] ttm_bo_global_init+0x4a/0x160 [ttm] [ 18.823420] ttm_bo_device_init+0x39/0x220 [ttm] [ 18.830046] nouveau_ttm_init+0x2c3/0x830 [nouveau] [ 18.836929] nouveau_drm_device_init+0x1b4/0x3f0 [nouveau] <...> [ 19.105336] ================================================================== Fix this error, by not using type_vram as an index if it's negative. Assume default values instead. The error was seen on Nvidia G72 hardware. Signed-off-by: Thomas Zimmermann Reviewed-by: Michael J. Ruhl Acked-by: Christian König Fixes: 1cf65c45183a ("drm/ttm: add caching state to ttm_bus_placement") Cc: Christian König Cc: Michael J. Ruhl Cc: Maarten Lankhorst Cc: Maxime Ripard Cc: Thomas Zimmermann Cc: David Airlie Cc: Daniel Vetter Cc: Ben Skeggs Cc: Dave Airlie Cc: Gerd Hoffmann Cc: Alex Deucher Cc: "Christian König" Cc: VMware Graphics Cc: Roland Scheidegger Cc: Huang Rui Cc: Felix Kuehling Cc: Hawking Zhang Cc: Jason Gunthorpe Cc: Likun Gao Cc: dri-devel@lists.freedesktop.org Cc: nouveau@lists.freedesktop.org Cc: virtualization@lists.linux-foundation.org Cc: spice-devel@lists.freedesktop.org Cc: amd-gfx@lists.freedesktop.org Link: https://patchwork.freedesktop.org/patch/msgid/20201110133655.13174-1-tzimmermann@suse.de --- drivers/gpu/drm/nouveau/nouveau_bo.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/nouveau/nouveau_bo.c b/drivers/gpu/drm/nouveau/nouveau_bo.c index 2b7720f..7aa4286 100644 --- a/drivers/gpu/drm/nouveau/nouveau_bo.c +++ b/drivers/gpu/drm/nouveau/nouveau_bo.c @@ -1057,9 +1057,12 @@ nouveau_ttm_io_mem_reserve(struct ttm_bo_device *bdev, struct ttm_resource *reg) struct nvkm_device *device = nvxx_device(&drm->client.device); struct nouveau_mem *mem = nouveau_mem(reg); struct nvif_mmu *mmu = &drm->client.mmu; - const u8 type = mmu->type[drm->ttm.type_vram].type; + u8 type = 0; int ret; + if (drm->ttm.type_vram >= 0) + type = mmu->type[drm->ttm.type_vram].type; + mutex_lock(&drm->ttm.io_reserve_mutex); retry: switch (reg->mem_type) { -- 2.7.4