Message ID | 20201023113401.GG282278@mwanda (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | drm/i915: Fix a crash in shmem_pin_map() error handling | expand |
On Fri, Oct 23, 2020 at 02:19:41PM +0200, Christoph Hellwig wrote: > > diff --git a/drivers/gpu/drm/i915/gt/shmem_utils.c b/drivers/gpu/drm/i915/gt/shmem_utils.c > > index f011ea42487e..7eb542018219 100644 > > --- a/drivers/gpu/drm/i915/gt/shmem_utils.c > > +++ b/drivers/gpu/drm/i915/gt/shmem_utils.c > > @@ -52,8 +52,9 @@ struct file *shmem_create_from_object(struct drm_i915_gem_object *obj) > > void *shmem_pin_map(struct file *file) > > { > > struct page **pages; > > - size_t n_pages, i; > > + size_t n_pages; > > void *vaddr; > > + int i; > > > > n_pages = file->f_mapping->host->i_size >> PAGE_SHIFT; > > pages = kvmalloc_array(n_pages, sizeof(*pages), GFP_KERNEL); > > This assumes we never have more than INT_MAX worth of pages before > a failure. Doh. Yeah. My bad. regards, dan carpenter
diff --git a/drivers/gpu/drm/i915/gt/shmem_utils.c b/drivers/gpu/drm/i915/gt/shmem_utils.c index f011ea42487e..7eb542018219 100644 --- a/drivers/gpu/drm/i915/gt/shmem_utils.c +++ b/drivers/gpu/drm/i915/gt/shmem_utils.c @@ -52,8 +52,9 @@ struct file *shmem_create_from_object(struct drm_i915_gem_object *obj) void *shmem_pin_map(struct file *file) { struct page **pages; - size_t n_pages, i; + size_t n_pages; void *vaddr; + int i; n_pages = file->f_mapping->host->i_size >> PAGE_SHIFT; pages = kvmalloc_array(n_pages, sizeof(*pages), GFP_KERNEL);
There is a signedness bug in shmem_pin_map() error handling because "i" is unsigned. The "while (--i >= 0)" will loop forever until the system crashes. Fixes: bfed6708d6c9 ("drm/i915: use vmap in shmem_pin_map") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- drivers/gpu/drm/i915/gt/shmem_utils.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)