From b5e0a9418e09a7b6df1728a26832c7c34aa1adf8 Mon Sep 17 00:00:00 2001
From: Chris Wilson <chris@chris-wilson.co.uk>
Date: Fri, 1 Dec 2017 00:15:36 +0000
Subject: [PATCH] drm/i915: Set fake_vma.size as well as fake_vma.node.size for capture
Git-commit: b5e0a9418e09a7b6df1728a26832c7c34aa1adf8
Patch-mainline: v4.16-rc1
References: FATE#322643 bsc#1055900

When capturing the bo, we allocate an error object with an array of
min(vma->size, vma->node.size) pages, plus a bit for compression overhead.
However, when creating the fake vma to describe the bo, only one of the
sizes was filled in, resulting in a too small array. Through my and CI
testing, this was sufficient for the mostly empty NULL context as
it compressed well (or the out-of-bounds access simply didn't cause an
issue). However, in real workloads on Cannonlake, we were overflowing
that array and causing havoc with the random memory corruption.

Reported-by: Rafael Antognolli <rafael.antognolli@intel.com>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=103964
Fixes: 4e90a6e22272 ("drm/i915: Record default HW state in the GPU error state")
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Tested-by: Rodrigo Vivi <rodrigo.vivi@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20171201001536.13941-1-chris@chris-wilson.co.uk
Reviewed-by: Mika Kuoppala <mika.kuoppala@linux.intel.com>
Acked-by: Takashi Iwai <tiwai@suse.de>

---
 drivers/gpu/drm/i915/i915_gpu_error.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/gpu/drm/i915/i915_gpu_error.c
+++ b/drivers/gpu/drm/i915/i915_gpu_error.c
@@ -1424,6 +1424,7 @@ capture_object(struct drm_i915_private *
 	if (obj && i915_gem_object_has_pages(obj)) {
 		struct i915_vma fake = {
 			.node = { .start = U64_MAX, .size = obj->base.size },
+			.size = obj->base.size,
 			.pages = obj->mm.pages,
 			.obj = obj,
 		};
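
Review bot: The added `.size = obj->base.size` in the `fake` initializer repeats the value already assigned to `.node.size` on the line above, and nothing in the hunk ties the two together. A one-line comment on the initializer noting that the capture path sizes its page array from min(vma->size, vma->node.size), as the commit message describes, would keep a later edit from leaving one of them at zero again. Because the reported symptom was an overflow of that array, the code that fills it should also check its index against the allocated page count, so that a size mismatch produces a truncated capture instead of memory corruption.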