| Message ID | 20190408131310.3130-1-christian.koenig@amd.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [1/2] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2 | expand |
On 2019-04-08 3:13 p.m., Christian König wrote: > When ttm_put_pages() tries to figure out whether it's dealing with > transparent hugepages, it just reads past the bounds of the pages array > without a check. > > v2: simplify the test if enough pages are left in the array (Christian). > > Signed-off-by: Jann Horn <jannh@google.com> > Signed-off-by: Christian König <christian.koenig@amd.com> > Fixes: 5c42c64f7d54 ("drm/ttm: fix the fix for huge compound pages") > Cc: stable@vger.kernel.org > --- > drivers/gpu/drm/ttm/ttm_page_alloc.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c > index f841accc2c00..f77c81db161b 100644 > --- a/drivers/gpu/drm/ttm/ttm_page_alloc.c > +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c > @@ -730,7 +730,8 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags, > } > > #ifdef CONFIG_TRANSPARENT_HUGEPAGE > - if (!(flags & TTM_PAGE_FLAG_DMA32)) { > + if (!(flags & TTM_PAGE_FLAG_DMA32) && > + (npages - i) >= HPAGE_PMD_NR) { > for (j = 0; j < HPAGE_PMD_NR; ++j) > if (p++ != pages[i + j]) > break; > @@ -759,7 +760,7 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags, > unsigned max_size, n2free; > > spin_lock_irqsave(&huge->lock, irq_flags); > - while (i < npages) { > + while ((npages - i) >= HPAGE_PMD_NR) { > struct page *p = pages[i]; > unsigned j; > > This series is Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
On 4/8/19 9:13 PM, Christian König wrote: > When ttm_put_pages() tries to figure out whether it's dealing with > transparent hugepages, it just reads past the bounds of the pages array > without a check. > > v2: simplify the test if enough pages are left in the array (Christian). Series is Reviewed-by: Junwei Zhang <Jerry.Zhang@amd.com> Regards, Jerry > > Signed-off-by: Jann Horn <jannh@google.com> > Signed-off-by: Christian König <christian.koenig@amd.com> > Fixes: 5c42c64f7d54 ("drm/ttm: fix the fix for huge compound pages") > Cc: stable@vger.kernel.org > --- > drivers/gpu/drm/ttm/ttm_page_alloc.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c > index f841accc2c00..f77c81db161b 100644 > --- a/drivers/gpu/drm/ttm/ttm_page_alloc.c > +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c > @@ -730,7 +730,8 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags, > } > > #ifdef CONFIG_TRANSPARENT_HUGEPAGE > - if (!(flags & TTM_PAGE_FLAG_DMA32)) { > + if (!(flags & TTM_PAGE_FLAG_DMA32) && > + (npages - i) >= HPAGE_PMD_NR) { > for (j = 0; j < HPAGE_PMD_NR; ++j) > if (p++ != pages[i + j]) > break; > @@ -759,7 +760,7 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags, > unsigned max_size, n2free; > > spin_lock_irqsave(&huge->lock, irq_flags); > - while (i < npages) { > + while ((npages - i) >= HPAGE_PMD_NR) { > struct page *p = pages[i]; > unsigned j; >
> -----Original Message----- > From: Christian König [mailto:ckoenig.leichtzumerken@gmail.com] > Sent: Monday, April 08, 2019 9:13 PM > To: Zhang, Jerry <Jerry.Zhang@amd.com>; Huang, Ray > <Ray.Huang@amd.com>; amd-gfx@lists.freedesktop.org; dri- > devel@lists.freedesktop.org > Subject: [PATCH 1/2] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2 > > When ttm_put_pages() tries to figure out whether it's dealing with > transparent hugepages, it just reads past the bounds of the pages array > without a check. > > v2: simplify the test if enough pages are left in the array (Christian). > > Signed-off-by: Jann Horn <jannh@google.com> > Signed-off-by: Christian König <christian.koenig@amd.com> Reviewed-by: Huang Rui <ray.huang@amd.com> > Fixes: 5c42c64f7d54 ("drm/ttm: fix the fix for huge compound pages") > Cc: stable@vger.kernel.org > --- > drivers/gpu/drm/ttm/ttm_page_alloc.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c > b/drivers/gpu/drm/ttm/ttm_page_alloc.c > index f841accc2c00..f77c81db161b 100644 > --- a/drivers/gpu/drm/ttm/ttm_page_alloc.c > +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c > @@ -730,7 +730,8 @@ static void ttm_put_pages(struct page **pages, > unsigned npages, int flags, > } > > #ifdef CONFIG_TRANSPARENT_HUGEPAGE > - if (!(flags & TTM_PAGE_FLAG_DMA32)) { > + if (!(flags & TTM_PAGE_FLAG_DMA32) && > + (npages - i) >= HPAGE_PMD_NR) { > for (j = 0; j < HPAGE_PMD_NR; ++j) > if (p++ != pages[i + j]) > break; > @@ -759,7 +760,7 @@ static void ttm_put_pages(struct page **pages, > unsigned npages, int flags, > unsigned max_size, n2free; > > spin_lock_irqsave(&huge->lock, irq_flags); > - while (i < npages) { > + while ((npages - i) >= HPAGE_PMD_NR) { > struct page *p = pages[i]; > unsigned j; > > -- > 2.17.1
diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c index f841accc2c00..f77c81db161b 100644 --- a/drivers/gpu/drm/ttm/ttm_page_alloc.c +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c @@ -730,7 +730,8 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags, } #ifdef CONFIG_TRANSPARENT_HUGEPAGE - if (!(flags & TTM_PAGE_FLAG_DMA32)) { + if (!(flags & TTM_PAGE_FLAG_DMA32) && + (npages - i) >= HPAGE_PMD_NR) { for (j = 0; j < HPAGE_PMD_NR; ++j) if (p++ != pages[i + j]) break; @@ -759,7 +760,7 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags, unsigned max_size, n2free; spin_lock_irqsave(&huge->lock, irq_flags); - while (i < npages) { + while ((npages - i) >= HPAGE_PMD_NR) { struct page *p = pages[i]; unsigned j;