Fix a segmentation fault when running --ring-stream for a ring and no
bounds are specified. For instance "umr --ring-stream sdma0" on Sienna
Cichlid, generates the following segmentation fault:

Core was generated by `umr --ring-stream sdma0'.
Program terminated with signal SIGSEGV, Segmentation fault.
0  umr_sdma_decode_ring (asic=0x86cff0, ringname=0x7ffe92844ae0 "sdma0", 
start=1484, stop=10000) at 
/home/ltuikov/proj/open/umr/src/lib/read_sdma_stream.c:68
68                              lineardata[linearsize++] = ringdata[3 + start]; 
 // first 3 words are rptr/wptr/dwptr
Missing separate debuginfos, use: dnf debuginfo-install 
SDL2-2.0.14-1.fc33.x86_64 glibc-2.32-10.fc33.x86_64 
libedit-3.1-38.20210714cvs.fc33.x86_64 libffi-3.1-26.fc33.x86_64 
libgcc-10.3.1-1.fc33.x86_64 libpciaccess-0.16-3.fc33.x86_64 
libstdc++-10.3.1-1.fc33.x86_64 llvm-libs-11.0.0-1.fc33.x86_64 
nanomsg-1.1.5-6.fc33.x86_64 ncurses-libs-6.2-3.20200222.fc33.x86_64 
zlib-1.2.11-23.fc33.x86_64
(gdb) bt
0  umr_sdma_decode_ring (asic=0x86cff0, ringname=0x7ffe92844ae0 "sdma0", 
start=1484, stop=10000) at 
/home/ltuikov/proj/open/umr/src/lib/read_sdma_stream.c:68
1  0x0000000000473b71 in present_sdma (asic=0x86cff0, ringname=0x7ffe92844ae0 
"sdma0", start=0, end=10000, vmid=4294967295, addr=139867074238864, nwords=0)
    at /home/ltuikov/proj/open/umr/src/app/ring_stream_read.c:1214
2  0x00000000004740c9 in umr_read_ring_stream (asic=0x86cff0, 
ringpath=0x7ffe92847190 "sdma0") at 
/home/ltuikov/proj/open/umr/src/app/ring_stream_read.c:1325
3  0x0000000000457567 in main (argc=3, argv=0x7ffe92845268) at 
/home/ltuikov/proj/open/umr/src/app/main.c:473
(gdb) l
63
64                      // copy ring data into linear array
65                      lineardata = calloc(ringsize, sizeof(*lineardata));
66                      linearsize = 0;
67                      while (start != stop) {
68                              lineardata[linearsize++] = ringdata[3 + start]; 
 // first 3 words are rptr/wptr/dwptr
69                              start = (start + 1) % ringsize;
70                      }
71
72                      ps = umr_sdma_decode_stream(asic, -1, 0, 0, lineardata, 
linearsize);
(gdb) p ringsize
$1 = 2048
(gdb) p linearsize
$2 = 30157
(gdb)

Where a "linearsize" of 30157 is clearly out of bounds of "lineardata", which was allocated with only ringsize (2048) elements: with stop=10000 greater than ringsize, "start" wraps modulo ringsize and never equals "stop", so the loop never terminates on its own.

Cc: Alex Deucher <alexander.deuc...@amd.com>
Cc: Tom StDenis <tom.stde...@amd.com>
Signed-off-by: Luben Tuikov <luben.tui...@amd.com>
Reviewed-by: Tom StDenis <tom.stde...@amd.com>
---
 src/lib/read_sdma_stream.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/src/lib/read_sdma_stream.c b/src/lib/read_sdma_stream.c
index 63c4fc284afa17..863d251ef64a63 100644
--- a/src/lib/read_sdma_stream.c
+++ b/src/lib/read_sdma_stream.c
@@ -63,11 +63,10 @@ struct umr_sdma_stream *umr_sdma_decode_ring(struct 
umr_asic *asic, char *ringna
 
                // copy ring data into linear array
                lineardata = calloc(ringsize, sizeof(*lineardata));
-               linearsize = 0;
-               while (start != stop) {
-                       lineardata[linearsize++] = ringdata[3 + start];  // 
first 3 words are rptr/wptr/dwptr
-                       start = (start + 1) % ringsize;
-               }
+               for (linearsize = 0;
+                    start != stop && linearsize < ringsize;
+                    linearsize++, start = (start + 1) % ringsize)
+                       lineardata[linearsize] = ringdata[3 + start];  // first 
3 words are rptr/wptr/dwptr
 
                ps = umr_sdma_decode_stream(asic, -1, 0, 0, lineardata, 
linearsize);
                free(lineardata);
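Review bot: The calloc() result on the context line `lineardata = calloc(ringsize, sizeof(*lineardata));` is still dereferenced by the new loop without a NULL check, so an allocation failure becomes a different crash at the same spot; add `if (!lineardata) return NULL;` (the function returns a `struct umr_sdma_stream *` per the hunk header, but its start and end lie outside this hunk, so match whatever error convention it already uses). The new `linearsize < ringsize` bound also silently masks the actual caller bug: with `stop` out of range (the reported case had stop=10000 against ringsize=2048) the loop now copies exactly one full ring and hands the decoder data that never reached the requested end. Consider normalizing the bounds up front, `stop %= ringsize;`, or rejecting `stop >= ringsize` with a diagnostic, so a bad argument is reported rather than hidden by the cap. The read `ringdata[3 + start]` presumably relies on ringdata holding ringsize + 3 words; that allocation is not visible here and should be confirmed.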
-- 
2.35.1.291.gdab1b7905d
