• Thomas Hellström's avatar
    drm/xe/vm: Avoid reserving zero fences · eb538b55
    Thomas Hellström authored
    The function xe_vm_prepare_vma was blindly accepting zero as the
    number of fences and forwarded that to drm_exec_prepare_obj.
    
    However, that leads to an out-of-bounds shift in the
    dma_resv_reserve_fences() and while one could argue that the
    dma_resv code should be robust against that, avoid attempting
    to reserve zero fences.
    
    Relevant stack trace:
    
    [773.183188] ------------[ cut here ]------------
    [773.183199] UBSAN: shift-out-of-bounds in ../include/linux/log2.h:57:13
    [773.183241] shift exponent 64 is too large for 64-bit type 'long unsigned int'
    [773.183254] CPU: 2 PID: 1816 Comm: xe_evict Tainted: G     U             6.8.0-rc3-xe #1
    [773.183256] Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 2014 10/14/2022
    [773.183257] Call Trace:
    [773.183258]  <TASK>
    [773.183260]  dump_stack_lvl+0xaf/0xd0
    [773.183266]  dump_stack+0x10/0x20
    [773.183283]  ubsan_epilogue+0x9/0x40
    [773.183286]  __ubsan_handle_shift_out_of_bounds+0x10f/0x170
    [773.183293]  dma_resv_reserve_fences.cold+0x2b/0x48
    [773.183295]  ? ww_mutex_lock+0x3c/0x110
    [773.183301]  drm_exec_prepare_obj+0x45/0x60 [drm_exec]
    [773.183313]  xe_vm_prepare_vma+0x33/0x70 [xe]
    [773.183375]  xe_vma_destroy_unlocked+0x55/0xa0 [xe]
    [773.183427]  xe_vm_close_and_put+0x526/0x940 [xe]
    
    Fixes: 2714d509 ("drm/xe: Convert pagefaulting code to use drm_exec")
    Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
    Cc: Matthew Brost <matthew.brost@intel.com>
    Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
    Signed-off-by: default avatarThomas Hellström <thomas.hellstrom@linux.intel.com>
    Reviewed-by: default avatarMatthew Auld <matthew.auld@intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240208132115.3132-1-thomas.hellstrom@linux.intel.com
    eb538b55
xe_vm.c 75.7 KB