UBSAN: array-index-out-of-bounds in dcn31_resources on AMD yellow carp platform

Bug #1958229 reported by You-Sheng Yang
This bug affects 1 person

Affects         Status        Importance  Assigned to     Milestone
HWE Next        Fix Released  Undecided   Unassigned
linux (Ubuntu)  Fix Released  High        You-Sheng Yang
Jammy           Fix Released  High        You-Sheng Yang

Bug Description

[SRU Justification]

[Impact]

On HP Lockheed16, the following UBSAN warning is dumped at boot and the first
USB4 port is disabled:

  UBSAN: array-index-out-of-bounds in /drivers/gpu/drm/amd/amdgpu/../display/dc/dcn31/dcn31_resource.c:1295:22
  index 6 is out of range for type 'dcn10_stream_enc_registers[5]'

This is a follow-up for bug 1953008 on Jammy, which only happens when
patches for USB4 alt mode were applied and tested on a HP platform.

[Fix]

Commit d374d3b49321 ("drm/amd/display: Fix out of bounds access on DNC31
stream encoder regs") from Linus' tree.

[Test Case]

Apply and check that no such warning appears anymore, and USB alt mode should work.

[Where problems could occur]

No. This specifies the expected array size to avoid the UBSAN warning.

[Other Info]

UBSAN is only turned on by default on 5.15 kernels or newer, and
we didn't find this issue on oem-5.14, so only Jammy is nominated here.

========== original bug report ==========

UBSAN: array-index-out-of-bounds in drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c:1295:22

This is a follow-up for bug 1953008, which only happens when patches for USB4 alt mode were applied.

This is found on HP Lockheed16 and will disable one of the tbt ports.

Source tree available in https://git.launchpad.net/~vicamo/+git/ubuntu-kernel/tree/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c?h=bug-1953008/amdgpu-yellow-carp-support-usb4-altmode/jammy&id=243857296edd341e5054cc50732b3af3432eaaf6#n1295

1263 static struct stream_encoder *dcn31_stream_encoder_create(
1264         enum engine_id eng_id,
1265         struct dc_context *ctx)
1266 {
...
1293         dcn30_dio_stream_encoder_construct(enc1, ctx, ctx->dc_bios,
1294                         eng_id, vpg, afmt,
1295                         &stream_enc_regs[eng_id],
1296                         &se_shift, &se_mask);

[ 5.557065] [drm] amdgpu kernel modesetting enabled.
[ 5.562748] amdgpu: Virtual CRAT table created for CPU
[ 5.562769] amdgpu: Topology: Add CPU node
[ 5.563048] checking generic (320000000 8ca000) vs hw (320000000 10000000)
[ 5.563053] fb0: switching to amdgpu from EFI VGA
[ 5.563274] Console: switching to colour dummy device 80x25
[ 5.563386] amdgpu 0000:64:00.0: vgaarb: deactivate vga console
[ 5.563768] [drm] initializing kernel modesetting (YELLOW_CARP 0x1002:0x1681 0x103C:0x8990 0xD5).
[ 5.563791] amdgpu 0000:64:00.0: amdgpu: Trusted Memory Zone (TMZ) feature disabled as experimental (default)
[ 5.563968] [drm] register mmio base: 0xA4800000
[ 5.563969] [drm] register mmio size: 524288
[ 5.563976] [drm] PCIE atomic ops is not supported
[ 5.565481] [drm] add ip block number 0 <nv_common>
[ 5.565483] [drm] add ip block number 1 <gmc_v10_0>
[ 5.565484] [drm] add ip block number 2 <navi10_ih>
[ 5.565485] [drm] add ip block number 3 <psp>
[ 5.565486] [drm] add ip block number 4 <smu>
[ 5.565487] [drm] add ip block number 5 <gfx_v10_0>
[ 5.565488] [drm] add ip block number 6 <sdma_v5_2>
[ 5.565490] [drm] add ip block number 7 <dm>
[ 5.565491] [drm] add ip block number 8 <vcn_v3_0>
[ 5.565492] [drm] add ip block number 9 <jpeg_v3_0>
[ 5.565512] amdgpu 0000:64:00.0: amdgpu: Fetched VBIOS from VFCT
[ 5.565515] amdgpu: ATOM BIOS: 113-REMBRANDT-032
[ 5.565529] [drm] VCN(0) decode is enabled in VM mode
[ 5.565530] [drm] VCN(0) encode is enabled in VM mode
[ 5.565532] [drm] JPEG decode is enabled in VM mode
[ 5.565570] [drm] vm size is 262144 GB, 4 levels, block size is 9-bit, fragment size is 9-bit
[ 5.565576] amdgpu 0000:64:00.0: amdgpu: VRAM: 512M 0x000000F400000000 - 0x000000F41FFFFFFF (512M used)
[ 5.565579] amdgpu 0000:64:00.0: amdgpu: GART: 512M 0x0000000000000000 - 0x000000001FFFFFFF
[ 5.565580] amdgpu 0000:64:00.0: amdgpu: AGP: 267419648M 0x000000F800000000 - 0x0000FFFFFFFFFFFF
[ 5.565589] [drm] Detected VRAM RAM=512M, BAR=512M
[ 5.565590] [drm] RAM width 64bits DDR5
[ 5.565640] [drm] amdgpu: 512M of VRAM memory ready
[ 5.565642] [drm] amdgpu: 3072M of GTT memory ready.
[ 5.565658] [drm] GART: num cpu pages 131072, num gpu pages 131072
[ 5.566076] [drm] PCIE GART of 512M enabled (table at 0x000000F4008CA000).
[ 5.567973] amdgpu 0000:64:00.0: amdgpu: PSP runtime database doesn't exist
[ 5.573492] [drm] use_doorbell being set to: [true]
[ 5.574279] [drm] Loading DMUB firmware via PSP: version=0x0400000D
[ 5.574727] [drm] Found VCN firmware Version ENC: 1.14 DEC: 2 VEP: 0 Revision: 3
[ 5.574733] amdgpu 0000:64:00.0: amdgpu: Will use PSP to load VCN firmware
[ 5.599344] [drm] reserve 0xa00000 from 0xf41f400000 for PSP TMR
[ 5.625250] usb 3-2.4: reset high-speed USB device number 4 using xhci_hcd
[ 5.644351] intel_rapl_common: Found RAPL domain package
[ 5.644356] intel_rapl_common: Found RAPL domain core
[ 5.665305] amdgpu 0000:64:00.0: amdgpu: RAS: optional ras ta ucode is not available
[ 5.671557] amdgpu 0000:64:00.0: amdgpu: RAP: optional rap ta ucode is not available
[ 5.671562] amdgpu 0000:64:00.0: amdgpu: SECUREDISPLAY: securedisplay ta ucode is not available
[ 5.671649] amdgpu 0000:64:00.0: amdgpu: smu fw reported version = 0x04450800 (1093.8.0)
[ 5.674717] amdgpu 0000:64:00.0: amdgpu: SMU is initialized successfully!
[ 5.675088] [drm] kiq ring mec 2 pipe 1 q 0
[ 5.675818] ================================================================================
[ 5.675825] UBSAN: array-index-out-of-bounds in /tmp/kernel-vicamo-0a7e41cfca68-YnVV/build/drivers/gpu/drm/amd/amdgpu/../display/dc/dcn31/dcn31_resource.c:1295:22
[ 5.675829] index 6 is out of range for type 'dcn10_stream_enc_registers [5]'
[ 5.675831] CPU: 5 PID: 431 Comm: systemd-udevd Not tainted 5.15.0-2016-generic #16~20.04.1+lp1953008.4
[ 5.675834] Hardware name: HP HP EliteBook 865 G9 Notebook PC/8990, BIOS U82 Ver. 80.13.00 10/14/2021
[ 5.675835] Call Trace:
[ 5.675837] <TASK>
[ 5.675839] dump_stack_lvl+0x4a/0x5f
[ 5.675848] dump_stack+0x10/0x12
[ 5.675849] ubsan_epilogue+0x9/0x45
[ 5.675851] __ubsan_handle_out_of_bounds.cold+0x44/0x49
[ 5.675853] dcn31_stream_encoder_create+0x1b8/0x230 [amdgpu]
[ 5.676031] resource_construct+0x1a3/0x500 [amdgpu]
[ 5.676164] dcn31_resource_construct+0xf4b/0x15e0 [amdgpu]
[ 5.676404] dcn31_create_resource_pool+0x41/0x90 [amdgpu]
[ 5.676531] dc_create_resource_pool+0xc9/0x240 [amdgpu]
[ 5.676842] dc_construct+0x1d9/0x500 [amdgpu]
[ 5.677020] ? kmalloc_order+0x83/0xc0
[ 5.677025] dc_create+0x46/0x140 [amdgpu]
[ 5.677194] amdgpu_dm_init+0x1ba/0x250 [amdgpu]
[ 5.677341] ? complete+0x3f/0x50
[ 5.677345] ? drm_sched_entity_init+0x113/0x1c0 [gpu_sched]
[ 5.677349] dm_hw_init+0x13/0x30 [amdgpu]
[ 5.677474] amdgpu_device_ip_init+0x5dc/0x6b7 [amdgpu]
[ 5.677612] amdgpu_device_init.cold+0x70c/0xc48 [amdgpu]
[ 5.677740] ? pci_read_config_word+0x27/0x40
[ 5.677745] amdgpu_driver_load_kms+0x6d/0x320 [amdgpu]
[ 5.677836] amdgpu_pci_probe+0x11e/0x1a0 [amdgpu]
[ 5.677924] local_pci_probe+0x4b/0x90
[ 5.677927] pci_device_probe+0x182/0x1f0
[ 5.677928] really_probe.part.0+0xcb/0x370
[ 5.677932] really_probe+0x40/0x80
[ 5.677933] __driver_probe_device+0x115/0x190
[ 5.677934] driver_probe_device+0x23/0xa0
[ 5.677935] __driver_attach+0xbd/0x160
[ 5.677936] ? __device_attach_driver+0x110/0x110
[ 5.677937] bus_for_each_dev+0x7e/0xc0
[ 5.677940] driver_attach+0x1e/0x20
[ 5.677941] bus_add_driver+0x161/0x200
[ 5.677942] driver_register+0x74/0xd0
[ 5.677943] __pci_register_driver+0x68/0x70
[ 5.677944] amdgpu_init+0x7c/0x1000 [amdgpu]
[ 5.678034] ? 0xffffffffc1b97000
[ 5.678035] do_one_initcall+0x48/0x1d0
[ 5.678039] ? __cond_resched+0x19/0x30
[ 5.678042] ? kmem_cache_alloc_trace+0x15a/0x420
[ 5.678046] do_init_module+0x62/0x250
[ 5.678049] load_module+0x1320/0x15b0
[ 5.678051] __do_sys_finit_module+0xbf/0x120
[ 5.678053] ? __do_sys_finit_module+0xbf/0x120
[ 5.678055] __x64_sys_finit_module+0x1a/0x20
[ 5.678056] do_syscall_64+0x5c/0xc0
[ 5.678058] ? __x64_sys_mmap+0x33/0x40
[ 5.678061] ? do_syscall_64+0x69/0xc0
[ 5.678062] ? syscall_exit_to_user_mode+0x27/0x50
[ 5.678063] ? __x64_sys_openat+0x20/0x30
[ 5.678066] ? do_syscall_64+0x69/0xc0
[ 5.678067] ? do_syscall_64+0x69/0xc0
[ 5.678068] ? syscall_exit_to_user_mode+0x27/0x50
[ 5.678069] ? __x64_sys_openat+0x20/0x30
[ 5.678071] ? do_syscall_64+0x69/0xc0
[ 5.678072] ? sysvec_reschedule_ipi+0x78/0xe0
[ 5.678073] ? asm_sysvec_reschedule_ipi+0xa/0x20
[ 5.678075] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 5.678077] RIP: 0033:0x7f6489ced89d
[ 5.678081] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c3 f5 0c 00 f7 d8 64 89 01 48
[ 5.678083] RSP: 002b:00007ffdae903db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 5.678086] RAX: ffffffffffffffda RBX: 000055c103bc1030 RCX: 00007f6489ced89d
[ 5.678087] RDX: 0000000000000000 RSI: 00007f6489bcaded RDI: 000000000000001a
[ 5.678087] RBP: 0000000000020000 R08: 0000000000000000 R09: 0000000000000000
[ 5.678088] R10: 000000000000001a R11: 0000000000000246 R12: 00007f6489bcaded
[ 5.678089] R13: 0000000000000000 R14: 000055c103bedae0 R15: 000055c103bc1030
[ 5.678090] </TASK>
[ 5.678091] ================================================================================
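
The out-of-bounds pattern from the report above, reduced to a stand-alone C program as an added example (not code from the amdgpu driver or from commit d374d3b49321): a five-entry register table indexed by an engine id that can reach 6, next to a lookup guarded by the table's actual size. All `demo_` names and register values are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical stand-ins for this example; not the amdgpu definitions. */
enum demo_engine_id { DEMO_ENG_0, DEMO_ENG_1, DEMO_ENG_2, DEMO_ENG_3,
                      DEMO_ENG_4, DEMO_ENG_5, DEMO_ENG_6, DEMO_ENG_COUNT };

struct demo_enc_regs { unsigned int base; };

/* Five entries, matching the 'dcn10_stream_enc_registers[5]' in the report. */
static const struct demo_enc_regs demo_stream_enc_regs[5] = {
    { 0x1000 }, { 0x1100 }, { 0x1200 }, { 0x1300 }, { 0x1400 },
};

/* Pattern from the report: the id is used as an index with no range check.
 * Valid only while eng_id < 5; id 6 points past the end of the table. */
static const struct demo_enc_regs *regs_unchecked(enum demo_engine_id eng_id)
{
    return &demo_stream_enc_regs[eng_id];
}

/* Guarded lookup: the check is tied to the table's real size, not to an
 * enum constant that can drift when new engine ids are added. */
static const struct demo_enc_regs *regs_checked(enum demo_engine_id eng_id)
{
    if ((size_t)eng_id >= ARRAY_SIZE(demo_stream_enc_regs))
        return NULL;    /* caller must treat this as "no encoder" */
    return &demo_stream_enc_regs[eng_id];
}

/* Count engine ids the enum allows but the table cannot serve. */
static int ids_without_regs(void)
{
    int missing = 0;
    for (int id = 0; id < DEMO_ENG_COUNT; id++)
        if (!regs_checked((enum demo_engine_id)id))
            missing++;
    return missing;
}

int main(void)
{
    printf("id 4 unchecked -> base 0x%x\n", regs_unchecked(DEMO_ENG_4)->base);
    printf("id 6 checked   -> %s\n", regs_checked(DEMO_ENG_6) ? "regs" : "rejected");
    printf("ids without registers: %d\n", ids_without_regs());
    return 0;
}
```

Building the same file with `-fsanitize=bounds` (GCC or Clang) and calling `regs_unchecked(DEMO_ENG_6)` produces a userspace UBSAN diagnostic of the same kind as the kernel one quoted above.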

You-Sheng Yang (vicamo)
tags: added: amd oem-priority originate-from-1957782
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1958229

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: jammy
You-Sheng Yang (vicamo)
Changed in linux (Ubuntu):
status: Incomplete → In Progress
importance: Undecided → High
assignee: nobody → You-Sheng Yang (vicamo)
You-Sheng Yang (vicamo) wrote :
description: updated
You-Sheng Yang (vicamo)
Changed in linux (Ubuntu Jammy):
status: In Progress → Fix Committed
You-Sheng Yang (vicamo) wrote :

Has been committed to 5.15.0-19.19 or later. Currently respun in 5.15.0-22.22 in focal-proposed.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.15.0-22.22

---------------
linux (5.15.0-22.22) jammy; urgency=medium

  * jammy/linux: 5.15.0-22.22 -proposed tracker (LP: #1960290)

 -- Paolo Pisati <email address hidden> Tue, 08 Feb 2022 10:48:49 +0100

Changed in linux (Ubuntu Jammy):
status: Fix Committed → Fix Released
You-Sheng Yang (vicamo)
Changed in hwe-next:
status: New → Fix Released
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-hwe-5.15/5.15.0-23.23~20.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal