Bug 194595

Summary: ATRM caller - Field [TBF3] at 294912 exceeds Buffer [Null] size 262144 bits - Lenovo ThinkPad e550
Product: ACPI
Reporter: yousifjkadom
Component: BIOS
Assignee: Lv Zheng (lv.zheng)
Status: CLOSED DOCUMENTED
Severity: normal
CC: Robert.Moore, rui.zhang
Priority: P1
Hardware: Intel
OS: Linux
Kernel Version: 4.9.9
Subsystem:
Regression: No
Bisected commit-id:
Attachments:
  error
  [PATCH] Backported linux ATRM access code
  ASL code for ACPICA upstream to reproduce this issue

Description yousifjkadom 2017-02-15 10:13:25 UTC
Created attachment 254767 [details]
error

Hi. I'm on Fedora 24 x64 bit Cinnamon edition. Since before kernel 4.9.9 (before 4.9.6 exactly; I do not remember at which version it started, but it is the 1st 4.9.x that Fedora 24 received) I started to encounter an error message at boot; please look at the screenshot.

Please beware that the last 2 lines are not included in this bug because they are related to another bug that I already opened (support for AMD R7 M265 dedicated VGA). The remaining lines from 1st to 6th (counting from above to below) are related to this bug.

I waited through many upgrades in the hope that this error message would disappear, but it continues. Till now it is, as I feel, just a cosmetic bug. My system completes boot & the system starts & works without apparent problem. But I post this bug since I noticed in your change log attention to correcting similar messages, & I read in the Fedora forum that one of its members suffers from a similar message but he fails to complete his boot. For that I post this bug to avoid further possible deterioration.

I'm on a Lenovo ThinkPad e550 with 8 GB RAM, 1 TB HDD, hybrid system with AMD Radeon R7 M265 dedicated VGA (not supported till now) + Intel Corporation HD Graphics 5500, Intel Core i7-5500U CPU @ 2.40 x 2

By the way, I'm not sure about the component that should be selected for this bug. I selected BIOS. If it is wrong
Comment 1 Lv Zheng 2017-03-14 05:37:40 UTC
Please upload acpidump output here.

Thanks
Comment 2 Zhang Rui 2017-03-20 04:15:55 UTC
ping...
Comment 3 yousifjkadom 2017-03-20 11:15:47 UTC
Hi. What do you mean by "acpidump output" & how do I get it to upload it to you?

Please, I'm new to Linux (less than 1 year of Linux usage only), so be step by step with me & teach me how to remove any generated file if it needs a special way to remove it.

Best.
Comment 4 Zhang Rui 2017-03-27 04:13:21 UTC
You can install the acpidump tool from the repo, run "sudo acpidump > acpidump.out", and attach the acpidump.out file to this bug report.
Comment 5 Lv Zheng 2017-03-27 08:21:48 UTC
Linking to http://bugs.acpica.org/show_bug.cgi?id=1372.
Comment 6 Robert Moore 2017-03-28 16:09:35 UTC
Still could use the acpidump for this machine, thanks.
Comment 7 Robert Moore 2017-03-28 20:00:07 UTC
This looks very much like a duplicate of 194753, but we need the acpidump to verify.
Comment 8 Robert Moore 2017-03-29 16:04:42 UTC
I have a Lenovo DSDT that contains the code in question:


  DSDT: Length=61624, Revision=1, Checksum=229,
	OEMID=LENOVO, OEM Table ID=TP-7U, OEM Revision=0x1200,
	Creator ID=MSFT, Creator Revision=0x3000000

Field (ATRP, AnyAcc, Lock, Preserve)
{
    IDX0,   262144, 
    IDX1,   262144
}

Method (ATRM, 2, Serialized)
{
    If (LGreaterEqual (Arg0, 0x8000))
    {
        Return (GETB (Subtract (Arg0, 0x8000), Arg1, IDX1))
    }
    ....
}

Arguments to ATRM:

Arg0 = BitIndex
Arg1 = BitLength

Method (GETB, 3, Serialized)
{
    Multiply (Arg0, 0x08, Local0)
    Multiply (Arg1, 0x08, Local1)
    CreateField (Arg2, Local0, Local1, TBF3)
    Return (TBF3)
}

Arguments to GETB:

Arg0 = BitIndex
Arg1 = BitLength
Arg2 = Input buffer (length = 262144 = 0x40000 = 0x8000 bytes)
Arg0 + Arg1 = 294912 = 0x48000 = 0x9000 bytes


Extracting some of the code into a test case results in reproducing the problem exactly:

DefinitionBlock ("", "SSDT", 2, "Intel", "_SSDT_01", 0x00000001)
{
    OperationRegion (ATRP, SystemMemory, 0x4000, 0x00010000)
    Field (ATRP, AnyAcc, Lock, Preserve)
    {
        IDX0,   262144, 
        IDX1,   262144
    }
    Method (ATRM, 2, Serialized)
    {
        If (LGreaterEqual (Arg0, 0x8000))
        {
            Return (GETB (Subtract (Arg0, 0x8000), Arg1, IDX1))
        }
    }
    Method (GETB, 3, Serialized)
    {
        Multiply (Arg0, 0x08, Local0)
        Multiply (Arg1, 0x08, Local1)
        CreateField (Arg2, Local0, Local1, TBF3)
        Return (TBF3)
    }
    Method (TEST)
    {
        ATRM (0x10000, 0x1000)
    }
}

Output from acpiexec (with updated error message for the buffer overrun):

ACPI Error: Field [TBF3] at bit offset/length 262144/32768 exceeds size of target Buffer (262144 bits) (20170303/dsopcode-359)
[AcpiExec] Exception AE_AML_BUFFER_LIMIT during execution of method [GETB] Opcode [CreateField] @F
[GETB] @0000A #5B13:  CreateField (Arg2, Local0, Local1, TBF3)

Initialized Local Variables for method [GETB]:
    Local0: 00651378 <Obj>             Integer 0000000000040000
    Local1: 00651498 <Obj>             Integer 0000000000008000

Initialized Arguments for Method [GETB]:  (0 arguments defined for method invocation)
    Arg0:   00651A98 <Obj>             Integer 0000000000008000
    Arg1:   00651738 <Obj>             Integer 0000000000001000
    Arg2:   00651A38 <Obj>             Buffer(32768) 00 00 00 00 00 00 00 00

ACPI Error: Method parse/execution failed [\GETB] (Node 00650908), AE_AML_BUFFER_LIMIT (20170303/psparse-668)
ACPI Error: Method parse/execution failed [\ATRM] (Node 006508C0), AE_AML_BUFFER_LIMIT (20170303/psparse-668)
ACPI Error: Method parse/execution failed [\TEST] (Node 00650FA8), AE_AML_BUFFER_LIMIT (20170303/psparse-668)
ACPI Exception: AE_AML_BUFFER_LIMIT, while executing \TEST from debugger (20170303/dbexec-318)
0x4 Outstanding allocations after evaluation of \TEST
Evaluation of \TEST failed with status AE_AML_BUFFER_LIMIT

It appears that ATRM is treated as an external interface and is in fact called by the OS -- by at least a couple of drivers:

amdgpu\amdgpu_bios.c
radeon\radeon_bios.c

So, this would appear to be the next place to look. The arguments to ATRM are overflowing a buffer.
Comment 9 Lv Zheng 2017-03-31 05:30:11 UTC
However,
1. According to the dmesg, 294912 (0x9000) and 262144 (0x8000) do not seem to exceed 0x10000.
2. What does Buffer [NULL] mean to us?
                    ^^^^^^
Comment 10 Lv Zheng 2017-03-31 05:32:37 UTC
Will ATRM (0x9000, 0x1000) return similar error as reported?
Comment 11 Robert Moore 2017-03-31 16:12:12 UTC
Buffer [NULL] is essentially a bug: the output assumes the buffer is a named object, which is not true.
Comment 12 Robert Moore 2017-03-31 16:38:01 UTC
For the test code in #8:

ATRM (0x9000, 0x1000) - OK
ATRM (0xF000, 0x1000) - OK

ATRM (0xF001, 0x1000) - FAILS

Error message (I changed the message; it no longer returns the NULL):

ACPI Error: Field [TBF3] at bit offset/length 229384/32768 exceeds size of target Buffer (262144 bits) (20170303/dsopcode-359)
Comment 13 Lv Zheng 2017-04-24 09:25:13 UTC
Looking at the following driver code:

	int size = 256 * 1024;

If ATRM returns in this way:

    OperationRegion (ATRP, SystemMemory, 0x4000, 0x00010000)
    Field (ATRP, AnyAcc, Lock, Preserve)
    {
        IDX0,   262144, 
        IDX1,   262144
    }
    Method (ATRM, 2, Serialized)
    {
        Store (Concatenate("Arg0: ", Arg0), Debug)
        Store (Concatenate("Arg1: ", Arg1), Debug)
        If (LGreaterEqual (Arg0, 0x8000))
        {
            Return (GETB (Subtract (Arg0, 0x8000), Arg1, IDX1))
        }
        Else
        {
            Return (GETB (Arg0, Arg1, IDX0))
        }
    }
    Method (GETB, 3, Serialized)
    {
        Multiply (Arg0, 0x08, Local0)
        Multiply (Arg1, 0x08, Local1)
        Store (Concatenate("Local0: ", Local0), Debug)
        Store (Concatenate("Local1: ", Local1), Debug)
        CreateField (Arg2, Local0, Local1, TBF3)
        Return (TBF3)
    }

It really exceeds the opregion boundary.
According to the ASL, the size should be 32 * 2 * 1024 = 64 * 1024 < 256 * 1024.
I have no idea how "size" is determined.

Shall we re-assign to GPU driver writers?

Thanks
Lv
Comment 14 Lv Zheng 2017-04-24 09:31:49 UTC
To yousifjkadom@yahoo.com:

You should file a bug to the driver maintainers of:
 drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
 drivers/gpu/drm/radeon/radeon_bios.c

It's not this community; it should be freedesktop.org:
https://bugs.freedesktop.org/
You can refer to this bug in your new bug report.

Thanks
Lv
Comment 15 Lv Zheng 2017-04-24 09:33:53 UTC
For detailed reference, the access has exceeded the boundary due to:

static bool amdgpu_atrm_get_bios(struct amdgpu_device *adev)
{
	int ret;
	int size = 256 * 1024;
        ^^^^^^^^^^^^^^^^^^^^^^

Thanks
Lv
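The arithmetic behind comments 8, 12, 13 and 15 is small enough to replay outside the interpreter. The following C program is an added example written for this page; it is neither ACPICA nor Linux driver code. It models GETB's byte-to-bit conversion and the bounds check that CreateField enforces (offset + length must fit in the target buffer), ATRM's split between IDX0 and IDX1 at 0x8000, and then a driver-style read of the 256 KiB that `amdgpu_atrm_get_bios` asks for. The per-call chunk of 0x1000 bytes is taken from the test case in comment 8 and the page-by-page loop is an assumption about the driver, not something this bug report shows. Values reproduce the cases Robert Moore listed in comment 12 and the 262144/32768 figures from the original report.

```c
/* Added example (not ACPICA or Linux code): models the ATRM/GETB argument
 * arithmetic from comment 8 and the bounds check that CreateField applies,
 * then replays the driver's 256 KiB request from comments 13 and 15. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IDX_BITS    262144ULL       /* IDX0/IDX1 are each 262144 bits = 0x8000 bytes (from the DSDT) */
#define IDX_BYTES   (IDX_BITS / 8)  /* 0x8000: the split point ATRM compares Arg0 against */
#define DRIVER_SIZE (256 * 1024)    /* int size = 256 * 1024 in amdgpu_atrm_get_bios (comment 15) */
#define PAGE_BYTES  0x1000          /* per-call length from the test case (comment 8); assumed chunk size */

/* What GETB hands to CreateField, plus the verdict of the interpreter's check. */
struct field_req {
    uint64_t bit_offset;   /* Local0 = Arg0 * 8 */
    uint64_t bit_length;   /* Local1 = Arg1 * 8 */
    uint64_t buffer_bits;  /* size of the target buffer (IDX0 or IDX1) */
    bool     fits;         /* false => AE_AML_BUFFER_LIMIT */
};

/* GETB (Arg0 = byte index, Arg1 = byte length, Arg2 = buffer): CreateField fails when
 * offset + length runs past the end of the buffer, which is the error on the screenshot. */
static struct field_req getb(uint64_t arg0, uint64_t arg1, uint64_t buffer_bits)
{
    struct field_req r;
    r.bit_offset  = arg0 * 8;
    r.bit_length  = arg1 * 8;
    r.buffer_bits = buffer_bits;
    r.fits        = (r.bit_offset + r.bit_length) <= buffer_bits;
    return r;
}

/* ATRM (Arg0 = byte offset, Arg1 = byte length): offsets >= 0x8000 are served from IDX1
 * after subtracting 0x8000, everything below from IDX0 (the Else branch in comment 13). */
static struct field_req atrm(uint64_t arg0, uint64_t arg1)
{
    if (arg0 >= IDX_BYTES)
        return getb(arg0 - IDX_BYTES, arg1, IDX_BITS);
    return getb(arg0, arg1, IDX_BITS);
}

/* Print a verdict in the style of the ACPICA message quoted in comment 12. */
static void report(uint64_t arg0, uint64_t arg1)
{
    struct field_req r = atrm(arg0, arg1);
    if (r.fits)
        printf("ATRM (0x%llX, 0x%llX) - OK\n",
               (unsigned long long)arg0, (unsigned long long)arg1);
    else
        printf("ATRM (0x%llX, 0x%llX) - FAILS: field at bit offset/length %llu/%llu "
               "exceeds size of target Buffer (%llu bits)\n",
               (unsigned long long)arg0, (unsigned long long)arg1,
               (unsigned long long)r.bit_offset, (unsigned long long)r.bit_length,
               (unsigned long long)r.buffer_bits);
}

/* Assumed driver loop: read `size` bytes in PAGE_BYTES chunks via ATRM(offset, PAGE_BYTES).
 * Returns how many chunks succeed before the first AE_AML_BUFFER_LIMIT. */
static int pages_readable(int size)
{
    int ok = 0;
    for (int off = 0; off < size; off += PAGE_BYTES) {
        if (!atrm((uint64_t)off, PAGE_BYTES).fits)
            break;
        ok++;
    }
    return ok;
}

int main(void)
{
    report(0x9000, 0x1000);   /* OK (comment 12) */
    report(0xF000, 0x1000);   /* OK: the last chunk that still fits in IDX1 */
    report(0xF001, 0x1000);   /* FAILS at bit offset 229384 (comment 12) */
    report(0x10000, 0x1000);  /* FAILS: 262144/32768 vs 262144 bits, the original report */
    printf("driver asks for %d bytes, firmware exposes %d: %d of %d chunks readable\n",
           DRIVER_SIZE, (int)(2 * IDX_BYTES),
           pages_readable(DRIVER_SIZE), DRIVER_SIZE / PAGE_BYTES);
    return 0;
}
```

Only the first 16 chunks (64 KiB, matching the 32 * 2 * 1024 figure in comment 13) succeed; the 17th request, at offset 0x10000, is the one that trips the interpreter's check. The check is doing its job, refusing to create a field that extends beyond the buffer the firmware actually exposes, so the fix belongs with the caller sizing its request to what the ASL provides rather than with relaxing the bounds check.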
Comment 16 Lv Zheng 2017-04-24 09:41:58 UTC
Created attachment 255977 [details]
[PATCH] Backported linux ATRM access code

Code for ACPICA upstream to reproduce this.
Comment 17 Lv Zheng 2017-04-24 09:42:30 UTC
Created attachment 255979 [details]
ASL code for ACPICA upstream to reproduce this issue
Comment 18 yousifjkadom 2017-06-15 10:14:01 UTC
Hi. I updated my kernel on Fedora 24 & the bug & error message still exist!! I'm now on kernel 4.11.4. How did you mark this bug as "RESOLVED"?!

It was never fixed & I have suffered from it since I opened this bug till now, & I see it marked as "RESOLVED"!

Please your kind attention.
Comment 19 Zhang Rui 2017-06-15 12:20:05 UTC
I think Lv has clarified the root cause of the problem in comment #14, and this is not a problem that should be covered by kernel bugzilla, instead, you should file a bug at https://bugs.freedesktop.org/ to raise the problem to the graphics people.

Bug Closed. If you still have any questions/objections, please feel free to let me know.