Bug 110670

Summary: i965 miptree tiled_memcpy code uses MAP_RAW without error checks
Product: Mesa Reporter: Anssi Hannula <anssi.hannula>
Component: Drivers/DRI/i965Assignee: Intel 3D Bugs Mailing List <intel-3d-bugs>
Status: NEW --- QA Contact: Intel 3D Bugs Mailing List <intel-3d-bugs>
Severity: normal    
Priority: medium    
Version: git   
Hardware: All   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:
Attachments: Simple workaround/hack to avoid tiled_memcpy without MMAP_WC
Simple Qt testcase

Description Anssi Hannula 2019-05-13 10:53:02 UTC
Created attachment 144244 [details] [review]
Simple workaround/hack to avoid tiled_memcpy without MMAP_WC

The i965 miptree tiled_memcpy mode, added in 54c823ec790427acbea31212a6ed30a17bd25ff0 ("i965/miptree: Use cpu tiling/detiling when mapping"), calls intel_miptree_map_raw(,,MAP_RAW) from intel_miptree_map_tiled_memcpy() and intel_miptree_unmap_tiled_memcpy(), and does not check return value.

This causes invalid pointer dereferences if the call fails, causing a segfault.

In my case the call fails because pre-4.0 kernel versions do not support I915_MMAP_WC so brw_bo_map_wc() fails (like in bug #110602), but I guess there may be a number of other failure cases where the mmap request may fail.

The code in intel_miptree_map() should select another mapping mode if tiled_memcpy mode is not possible due to missing I915_MMAP_WC. Attached is a quick workaround that avoids the mapping mode in my case.

There seem to be several other non-checked intel_miptree_map_raw() calls in intel_mipmap_tree.c (and several checked ones), but they do not add MAP_RAW flag so they did not fail for me. But maybe error checks should still be added to those as well in case of other failure reasons?

This was observed on a ValleyView Gen7 (8086:0f31) with kernel 3.10.35 with the attached small Qt program with Qt 5.11.2.
Comment 1 Anssi Hannula 2019-05-13 10:54:15 UTC
Created attachment 144245 [details]
Simple Qt testcase

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.