mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-19 02:04:19 +08:00
5279fc7724
bdw_load_gamma_lut is writing beyond the array to the maximum value. The intend of the function is to clamp values > 1 to 1, so write the intended color to the max register. This fixes the following KASAN warning: [ 197.020857] [IGT] kms_pipe_color: executing [ 197.063434] [IGT] kms_pipe_color: starting subtest ctm-0-25-pipe0 [ 197.078989] ================================================================== [ 197.079127] BUG: KASAN: slab-out-of-bounds in bdw_load_gamma_lut.isra.2+0x3b9/0x570 [i915] [ 197.079188] Read of size 2 at addr ffff8800d38db150 by task kms_pipe_color/1839 [ 197.079208] CPU: 2 PID: 1839 Comm: kms_pipe_color Tainted: G U 4.13.0-rc1-patser+ #5211 [ 197.079215] Hardware name: NUC5i7RYB, BIOS RYBDWi35.86A.0246.2015.0309.1355 03/09/2015 [ 197.079220] Call Trace: [ 197.079230] dump_stack+0x68/0x9e [ 197.079239] print_address_description+0x6f/0x250 [ 197.079251] kasan_report+0x216/0x370 [ 197.079374] ? bdw_load_gamma_lut.isra.2+0x3b9/0x570 [i915] [ 197.079451] ? gen8_write16+0x4e0/0x4e0 [i915] [ 197.079460] __asan_report_load2_noabort+0x14/0x20 [ 197.079535] bdw_load_gamma_lut.isra.2+0x3b9/0x570 [i915] [ 197.079612] broadwell_load_luts+0x1df/0x550 [i915] [ 197.079690] intel_color_load_luts+0x7b/0x80 [i915] [ 197.079764] intel_begin_crtc_commit+0x138/0x760 [i915] [ 197.079783] drm_atomic_helper_commit_planes_on_crtc+0x1a3/0x820 [drm_kms_helper] [ 197.079859] ? intel_pre_plane_update+0x571/0x580 [i915] [ 197.079937] intel_update_crtc+0x238/0x330 [i915] [ 197.080016] intel_update_crtcs+0x10f/0x210 [i915] [ 197.080092] intel_atomic_commit_tail+0x1552/0x3340 [i915] [ 197.080101] ? _raw_spin_unlock+0x3c/0x40 [ 197.080110] ? __queue_work+0xb40/0xbf0 [ 197.080188] ? skl_update_crtcs+0xc00/0xc00 [i915] [ 197.080195] ? trace_hardirqs_on+0xd/0x10 [ 197.080269] ? intel_atomic_commit_ready+0x128/0x13c [i915] [ 197.080329] ? __i915_sw_fence_complete+0x5b8/0x6d0 [i915] [ 197.080336] ? debug_object_activate+0x39e/0x580 [ 197.080397] ? i915_sw_fence_await+0x30/0x30 [i915] [ 197.080409] ? __might_sleep+0x15b/0x180 [ 197.080483] intel_atomic_commit+0x944/0xa70 [i915] [ 197.080490] ? refcount_dec_and_test+0x11/0x20 [ 197.080567] ? intel_atomic_commit_tail+0x3340/0x3340 [i915] [ 197.080597] ? drm_atomic_crtc_set_property+0x303/0x580 [drm] [ 197.080674] ? intel_atomic_commit_tail+0x3340/0x3340 [i915] [ 197.080704] drm_atomic_commit+0xd7/0xe0 [drm] [ 197.080722] drm_atomic_helper_crtc_set_property+0xec/0x130 [drm_kms_helper] [ 197.080749] drm_mode_crtc_set_obj_prop+0x7d/0xb0 [drm] [ 197.080775] drm_mode_obj_set_property_ioctl+0x50b/0x5d0 [drm] [ 197.080783] ? __might_fault+0x104/0x180 [ 197.080809] ? drm_mode_obj_find_prop_id+0x160/0x160 [drm] [ 197.080838] ? drm_mode_obj_find_prop_id+0x160/0x160 [drm] [ 197.080861] drm_ioctl_kernel+0x154/0x1a0 [drm] [ 197.080885] drm_ioctl+0x624/0x8f0 [drm] [ 197.080910] ? drm_mode_obj_find_prop_id+0x160/0x160 [drm] [ 197.080934] ? drm_getunique+0x210/0x210 [drm] [ 197.080943] ? __handle_mm_fault+0x1bd0/0x1ce0 [ 197.080949] ? lock_downgrade+0x610/0x610 [ 197.080957] ? __lru_cache_add+0x15a/0x180 [ 197.080967] do_vfs_ioctl+0xd92/0xe40 [ 197.080975] ? ioctl_preallocate+0x1b0/0x1b0 [ 197.080982] ? selinux_capable+0x20/0x20 [ 197.080991] ? __do_page_fault+0x7b7/0x9a0 [ 197.080997] ? lock_downgrade+0x5bb/0x610 [ 197.081007] ? security_file_ioctl+0x57/0x90 [ 197.081016] SyS_ioctl+0x4e/0x80 [ 197.081024] entry_SYSCALL_64_fastpath+0x18/0xad [ 197.081030] RIP: 0033:0x7f61f287a987 [ 197.081035] RSP: 002b:00007fff7d44d188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 197.081043] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f61f287a987 [ 197.081048] RDX: 00007fff7d44d1c0 RSI: 00000000c01864ba RDI: 0000000000000003 [ 197.081053] RBP: 00007f61f2b3eb00 R08: 0000000000000059 R09: 0000000000000000 [ 197.081058] R10: 0000002ea5c4a290 R11: 0000000000000246 R12: 00007f61f2b3eb58 [ 197.081063] R13: 0000000000001010 R14: 00007f61f2b3eb58 R15: 0000000000002702 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=101659 Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> Reported-by: Martin Peres <martin.peres@linux.intel.com> Cc: Martin Peres <martin.peres@linux.intel.com> Fixes: |
||
|---|---|---|
| .. | ||
| amd | ||
| arc | ||
| arm | ||
| armada | ||
| ast | ||
| atmel-hlcdc | ||
| bochs | ||
| bridge | ||
| cirrus | ||
| etnaviv | ||
| exynos | ||
| fsl-dcu | ||
| gma500 | ||
| hisilicon | ||
| i2c | ||
| i810 | ||
| i915 | ||
| imx | ||
| lib | ||
| mediatek | ||
| meson | ||
| mga | ||
| mgag200 | ||
| msm | ||
| mxsfb | ||
| nouveau | ||
| omapdrm | ||
| panel | ||
| pl111 | ||
| qxl | ||
| r128 | ||
| radeon | ||
| rcar-du | ||
| rockchip | ||
| savage | ||
| selftests | ||
| shmobile | ||
| sis | ||
| sti | ||
| stm | ||
| sun4i | ||
| tdfx | ||
| tegra | ||
| tilcdc | ||
| tinydrm | ||
| ttm | ||
| udl | ||
| vc4 | ||
| vgem | ||
| via | ||
| virtio | ||
| vmwgfx | ||
| zte | ||
| ati_pcigart.c | ||
| drm_agpsupport.c | ||
| drm_atomic_helper.c | ||
| drm_atomic.c | ||
| drm_auth.c | ||
| drm_blend.c | ||
| drm_bridge.c | ||
| drm_bufs.c | ||
| drm_cache.c | ||
| drm_color_mgmt.c | ||
| drm_connector.c | ||
| drm_context.c | ||
| drm_crtc_helper_internal.h | ||
| drm_crtc_helper.c | ||
| drm_crtc_internal.h | ||
| drm_crtc.c | ||
| drm_debugfs_crc.c | ||
| drm_debugfs.c | ||
| drm_dma.c | ||
| drm_dp_aux_dev.c | ||
| drm_dp_dual_mode_helper.c | ||
| drm_dp_helper.c | ||
| drm_dp_mst_topology.c | ||
| drm_drv.c | ||
| drm_dumb_buffers.c | ||
| drm_edid_load.c | ||
| drm_edid.c | ||
| drm_encoder_slave.c | ||
| drm_encoder.c | ||
| drm_fb_cma_helper.c | ||
| drm_fb_helper.c | ||
| drm_file.c | ||
| drm_flip_work.c | ||
| drm_fourcc.c | ||
| drm_framebuffer.c | ||
| drm_gem_cma_helper.c | ||
| drm_gem.c | ||
| drm_global.c | ||
| drm_hashtab.c | ||
| drm_info.c | ||
| drm_internal.h | ||
| drm_ioc32.c | ||
| drm_ioctl.c | ||
| drm_irq.c | ||
| drm_kms_helper_common.c | ||
| drm_legacy.h | ||
| drm_lock.c | ||
| drm_memory.c | ||
| drm_mipi_dsi.c | ||
| drm_mm.c | ||
| drm_mode_config.c | ||
| drm_mode_object.c | ||
| drm_modes.c | ||
| drm_modeset_helper.c | ||
| drm_modeset_lock.c | ||
| drm_of.c | ||
| drm_panel.c | ||
| drm_pci.c | ||
| drm_plane_helper.c | ||
| drm_plane.c | ||
| drm_prime.c | ||
| drm_print.c | ||
| drm_probe_helper.c | ||
| drm_property.c | ||
| drm_rect.c | ||
| drm_scatter.c | ||
| drm_scdc_helper.c | ||
| drm_simple_kms_helper.c | ||
| drm_syncobj.c | ||
| drm_sysfs.c | ||
| drm_trace_points.c | ||
| drm_trace.h | ||
| drm_vblank.c | ||
| drm_vm.c | ||
| drm_vma_manager.c | ||
| Kconfig | ||
| Makefile | ||