From patchwork Tue Apr  2 07:40:16 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Christian_K=C3=B6nig?=
 <ckoenig.leichtzumerken@gmail.com>
X-Patchwork-Id: 10881193
Return-Path: <dri-devel-bounces@lists.freedesktop.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 55A9617EE
	for <patchwork-dri-devel@patchwork.kernel.org>;
 Tue,  2 Apr 2019 07:40:24 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3F0B728737
	for <patchwork-dri-devel@patchwork.kernel.org>;
 Tue,  2 Apr 2019 07:40:24 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 3D20C286E6; Tue,  2 Apr 2019 07:40:24 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No,
 score=-5.2 required=2.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED,
	FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED autolearn=ham
 version=3.3.1
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id D6C66286E6
	for <patchwork-dri-devel@patchwork.kernel.org>;
 Tue,  2 Apr 2019 07:40:22 +0000 (UTC)
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
	by gabe.freedesktop.org (Postfix) with ESMTP id 0848C6E2DC;
	Tue,  2 Apr 2019 07:40:22 +0000 (UTC)
X-Original-To: dri-devel@lists.freedesktop.org
Delivered-To: dri-devel@lists.freedesktop.org
Received: from mail-wr1-x443.google.com (mail-wr1-x443.google.com
 [IPv6:2a00:1450:4864:20::443])
 by gabe.freedesktop.org (Postfix) with ESMTPS id E96936E2DC
 for <dri-devel@lists.freedesktop.org>; Tue,  2 Apr 2019 07:40:19 +0000 (UTC)
Received: by mail-wr1-x443.google.com with SMTP id r4so15227635wrq.8
 for <dri-devel@lists.freedesktop.org>; Tue, 02 Apr 2019 00:40:19 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:subject:date:message-id:mime-version
 :content-transfer-encoding;
 bh=yo3Jhu1JafbCQ+0DSosde9dllTbGxioNVRHowItVJ78=;
 b=N9kio9/UgILaquWGdgoGfdXrcUfQBkEDHzJFcMMsW/ixLUPR0qdJfJPAzDMq+1VR9Y
 ZSS/+BK4QDCSi+MbG2+2sbCG+iZ69UKfEuMSWma20BcsvENjdQ0JPGHzpWpoEjeKD6fE
 yCVG4UKj3NRWSF+s0OMG4MNJ28OYlivDbzStW7ySJGi97KS8Clk+N8ftZYwh3GYfH/f0
 yxJLOfnsPIOB8UZtwbjbVeo+vb2UbtJ4doCZbDe9dFqln+ZAi9EYZf7Cp/gQXOPvMt/4
 HBUl9ElQtepquXy2xZ1p6cazG2PW93BIGtAQyM1Tun7tXNMvXQA4gagovF5U78L3ks1+
 xR2g==
X-Gm-Message-State: APjAAAUi9BrbLerh2pr9/F4DvKaUVabncOvz43gnLQ+t9DaPcuqEW4r7
 Ch2qVv4GGCgVoBLcDScaNGlp9fDJ
X-Google-Smtp-Source: 
 APXvYqw6Nx+u5xC8rLicNZRlgloLo526X/AqERsg0CNBSIUX0Pp0kQk9D9I+NUEFenLUgU/0/r6SHA==
X-Received: by 2002:adf:b612:: with SMTP id f18mr1325889wre.236.1554190818510;
 Tue, 02 Apr 2019 00:40:18 -0700 (PDT)
Received: from abel.fritz.box ([2a02:908:1252:fb60:3c9b:bea2:158f:20d7])
 by smtp.gmail.com with ESMTPSA id b204sm23144623wmh.29.2019.04.02.00.40.17
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Tue, 02 Apr 2019 00:40:17 -0700 (PDT)
From: " =?utf-8?q?Christian_K=C3=B6nig?= " <ckoenig.leichtzumerken@gmail.com>
X-Google-Original-From: =?utf-8?q?Christian_K=C3=B6nig?=
 <christian.koenig@amd.com>
To: dri-devel@lists.freedesktop.org,
	jannh@google.com
Subject: [PATCH 1/2] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2
Date: Tue,  2 Apr 2019 09:40:16 +0200
Message-Id: <20190402074017.18681-1-christian.koenig@amd.com>
X-Mailer: git-send-email 2.17.1
MIME-Version: 1.0
X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20161025;
 h=from:to:subject:date:message-id:mime-version
 :content-transfer-encoding;
 bh=yo3Jhu1JafbCQ+0DSosde9dllTbGxioNVRHowItVJ78=;
 b=a9eARZFMP5wZYDqUdK/lsKsjAI5mnDNVvqM++6G6zi9j53XeknUp9kUwplm+MXpZZ/
 Z+LWek7GZTn+DUaQd8GAzWmvRZHmjFW4pjoh/s/069PyXGMUAGkO12Di0km9C5C7ErCO
 1an1nf47E9a9vaaqlzeCAfwvJE9Nq90D3ab5hgdXYHBmHTmiDqByVE+ASEfLQLeH6vMI
 dalYr3DP9SvOCgC/r7U/V835UCluZl18KsW2/vcLLPXNukyzsoLNs10LWbCs0W5fYJCH
 j/dKZKro4Cfux8xFsZVwiY1s4RH7XwfhNrMEpC//CTJigXeQq+4QnEwAq0I0hImo7LdV
 vAYg==
X-BeenThere: dri-devel@lists.freedesktop.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Direct Rendering Infrastructure - Development
 <dri-devel.lists.freedesktop.org>
List-Unsubscribe: <https://lists.freedesktop.org/mailman/options/dri-devel>,
 <mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <https://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <https://lists.freedesktop.org/mailman/listinfo/dri-devel>,
 <mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
X-Virus-Scanned: ClamAV using ClamSMTP

When ttm_put_pages() tries to figure out whether it's dealing with
transparent hugepages, it just reads past the bounds of the pages array
without a check.

v2: simplify the test if enough pages are left in the array (Christian).

Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Christian König <christian.koenig@amd.com>
Fixes: 5c42c64f7d54 ("drm/ttm: fix the fix for huge compound pages")
Cc: stable@vger.kernel.org
---
 drivers/gpu/drm/ttm/ttm_page_alloc.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
index f841accc2c00..f77c81db161b 100644
--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
+++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
@@ -730,7 +730,8 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
 			}
 
 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
-			if (!(flags & TTM_PAGE_FLAG_DMA32)) {
+			if (!(flags & TTM_PAGE_FLAG_DMA32) &&
+			    (npages - i) >= HPAGE_PMD_NR) {
 				for (j = 0; j < HPAGE_PMD_NR; ++j)
 					if (p++ != pages[i + j])
 					    break;
@@ -759,7 +760,7 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
 		unsigned max_size, n2free;
 
 		spin_lock_irqsave(&huge->lock, irq_flags);
-		while (i < npages) {
+		while ((npages - i) >= HPAGE_PMD_NR) {
 			struct page *p = pages[i];
 			unsigned j;
 

From patchwork Tue Apr  2 07:40:17 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Christian_K=C3=B6nig?=
 <ckoenig.leichtzumerken@gmail.com>
X-Patchwork-Id: 10881195
Return-Path: <dri-devel-bounces@lists.freedesktop.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 4471E922
	for <patchwork-dri-devel@patchwork.kernel.org>;
 Tue,  2 Apr 2019 07:40:25 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2FC5D288D8
	for <patchwork-dri-devel@patchwork.kernel.org>;
 Tue,  2 Apr 2019 07:40:25 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 23F96288DD; Tue,  2 Apr 2019 07:40:25 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No,
 score=-5.2 required=2.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED,
	FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED autolearn=ham
 version=3.3.1
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id D7C36288AC
	for <patchwork-dri-devel@patchwork.kernel.org>;
 Tue,  2 Apr 2019 07:40:24 +0000 (UTC)
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
	by gabe.freedesktop.org (Postfix) with ESMTP id 293406E2DF;
	Tue,  2 Apr 2019 07:40:22 +0000 (UTC)
X-Original-To: dri-devel@lists.freedesktop.org
Delivered-To: dri-devel@lists.freedesktop.org
Received: from mail-wr1-x442.google.com (mail-wr1-x442.google.com
 [IPv6:2a00:1450:4864:20::442])
 by gabe.freedesktop.org (Postfix) with ESMTPS id 9B1886E2DC
 for <dri-devel@lists.freedesktop.org>; Tue,  2 Apr 2019 07:40:20 +0000 (UTC)
Received: by mail-wr1-x442.google.com with SMTP id y7so15203321wrn.11
 for <dri-devel@lists.freedesktop.org>; Tue, 02 Apr 2019 00:40:20 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to
 :references:mime-version:content-transfer-encoding;
 bh=8GJYv5AzGlgtG15e3ZTcgvYKLDiELwzaMtQf7aHUMEg=;
 b=oPoaQRy8KXwDMNiYABJeZqyeZfkcRLhwI75qoWRqtJyIjGzeinttt0Qn5fmUlp1zHo
 8yTFPzWa+/5UJJXMjiYQIaEKH9cNKTFG22ZiVDzwl3ZMBK11c8lADCCaPokRGbAjMMga
 6a6Coka8BEwJ1N6fvAm6q9AWq1IgkT/RebGWqo0WnyslXf8Z/alZSa5NcriReJl6v0vK
 MYG8oBluKiTe9+8lrT4ti6nky7W7NLVU5cqtsTkZAqeCQbFfxRZGrTuKMtgTSXMA03Cz
 UNSXkpiwmXMbhsQea1qboNF36toYeEwwnd6ARd3MVKJ61PJ2VOxZ5MiQMlT1xz1U6TrD
 0QAg==
X-Gm-Message-State: APjAAAXCZ9UCVXeDiQj+jQ5aw/W/uLWmEEl/5JyO0CAftDj7XpPFCEgn
 dB8d+Fq38No1QjcKsHScGnNmvn2B
X-Google-Smtp-Source: 
 APXvYqwUrhWiN4nU6hw5HgXCqTgMmE7+UxKkYPFmMGNz+/toLhpDlXZRTn3ddgQfzheQKQEVWZuv3g==
X-Received: by 2002:adf:df08:: with SMTP id y8mr17601937wrl.91.1554190819200;
 Tue, 02 Apr 2019 00:40:19 -0700 (PDT)
Received: from abel.fritz.box ([2a02:908:1252:fb60:3c9b:bea2:158f:20d7])
 by smtp.gmail.com with ESMTPSA id b204sm23144623wmh.29.2019.04.02.00.40.18
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Tue, 02 Apr 2019 00:40:18 -0700 (PDT)
From: " =?utf-8?q?Christian_K=C3=B6nig?= " <ckoenig.leichtzumerken@gmail.com>
X-Google-Original-From: =?utf-8?q?Christian_K=C3=B6nig?=
 <christian.koenig@amd.com>
To: dri-devel@lists.freedesktop.org,
	jannh@google.com
Subject: [PATCH 2/2] drm/ttm: fix start page for huge page check in
 ttm_put_pages()
Date: Tue,  2 Apr 2019 09:40:17 +0200
Message-Id: <20190402074017.18681-2-christian.koenig@amd.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20190402074017.18681-1-christian.koenig@amd.com>
References: <20190402074017.18681-1-christian.koenig@amd.com>
MIME-Version: 1.0
X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20161025;
 h=from:to:subject:date:message-id:in-reply-to:references:mime-version
 :content-transfer-encoding;
 bh=8GJYv5AzGlgtG15e3ZTcgvYKLDiELwzaMtQf7aHUMEg=;
 b=qIdVYpauUAi06dKRbsHYOA3pGDU+rqJmTmxLWFGD/DiJUxx0kI0NfqfZFKUD0VSCSV
 UZeOnkJ3SI2S63RzcjUe3CVDhnoDjPqkaIH1bet0aSTCyGh7hrrVsMYVCpKHanIHY2ki
 W/+RsuR3320ZVUGJwuujeJM4HXPwxWOFxiEMYN1htNZ8sO0tl36LyD60YQg6CDhWqm+5
 TCKzm6noXuZkCjayHRLCFdCK4hDrX0RFi+XWDXz+d4Qq3vqpHDlAnAtoKtkP+dWBiPjx
 6wwe5AkTtyFyg05E0uOEq10q7nNMcjjUc8kI+DBLXsTsPmaceSIjOub4Ai0saTntIzn1
 D1Rw==
X-BeenThere: dri-devel@lists.freedesktop.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Direct Rendering Infrastructure - Development
 <dri-devel.lists.freedesktop.org>
List-Unsubscribe: <https://lists.freedesktop.org/mailman/options/dri-devel>,
 <mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <https://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <https://lists.freedesktop.org/mailman/listinfo/dri-devel>,
 <mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
X-Virus-Scanned: ClamAV using ClamSMTP

The first page entry is always the same with itself.

Signed-off-by: Christian König <christian.koenig@amd.com>
---
 drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
index f77c81db161b..c74147f0cbe3 100644
--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
+++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
@@ -732,7 +732,7 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
 			if (!(flags & TTM_PAGE_FLAG_DMA32) &&
 			    (npages - i) >= HPAGE_PMD_NR) {
-				for (j = 0; j < HPAGE_PMD_NR; ++j)
+				for (j = 1; j < HPAGE_PMD_NR; ++j)
 					if (p++ != pages[i + j])
 					    break;
 
@@ -767,7 +767,7 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
 			if (!p)
 				break;
 
-			for (j = 0; j < HPAGE_PMD_NR; ++j)
+			for (j = 1; j < HPAGE_PMD_NR; ++j)
 				if (p++ != pages[i + j])
 				    break;