From: "Zhang, Jerry(Junwei)" <Jerry.Zhang@amd.com>
To: "Christian König" <ckoenig.leichtzumerken@gmail.com>,
ray.huang@amd.com, amd-gfx@lists.freedesktop.org,
dri-devel@lists.freedesktop.org
Subject: Re: [PATCH 1/2] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2
Date: Tue, 9 Apr 2019 15:47:04 +0800 [thread overview]
Message-ID: <1a25a00b-fd70-d6d1-0d60-b9572582eeba@amd.com> (raw)
In-Reply-To: <20190408131310.3130-1-christian.koenig@amd.com>
On 4/8/19 9:13 PM, Christian König wrote:
> When ttm_put_pages() tries to figure out whether it's dealing with
> transparent hugepages, it just reads past the bounds of the pages array
> without a check.
>
> v2: simplify the test if enough pages are left in the array (Christian).
Series is Reviewed-by: Junwei Zhang <Jerry.Zhang@amd.com>
Regards,
Jerry
>
> Signed-off-by: Jann Horn <jannh@google.com>
> Signed-off-by: Christian König <christian.koenig@amd.com>
> Fixes: 5c42c64f7d54 ("drm/ttm: fix the fix for huge compound pages")
> Cc: stable@vger.kernel.org
> ---
> drivers/gpu/drm/ttm/ttm_page_alloc.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
> index f841accc2c00..f77c81db161b 100644
> --- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
> +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
> @@ -730,7 +730,8 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
> }
>
> #ifdef CONFIG_TRANSPARENT_HUGEPAGE
> - if (!(flags & TTM_PAGE_FLAG_DMA32)) {
> + if (!(flags & TTM_PAGE_FLAG_DMA32) &&
> + (npages - i) >= HPAGE_PMD_NR) {
> for (j = 0; j < HPAGE_PMD_NR; ++j)
> if (p++ != pages[i + j])
> break;
> @@ -759,7 +760,7 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
> unsigned max_size, n2free;
>
> spin_lock_irqsave(&huge->lock, irq_flags);
> - while (i < npages) {
> + while ((npages - i) >= HPAGE_PMD_NR) {
> struct page *p = pages[i];
> unsigned j;
>
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
next prev parent reply other threads:[~2019-04-09 7:47 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-08 13:13 [PATCH 1/2] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2 Christian König
2019-04-09 7:47 ` Zhang, Jerry(Junwei) [this message]
[not found] ` <20190408131310.3130-1-christian.koenig-5C7GfCeVMHo@public.gmane.org>
2019-04-08 13:13 ` [PATCH 2/2] drm/ttm: fix start page for huge page check in ttm_put_pages() Christian König
2019-04-09 11:13 ` Huang, Ray
2019-04-08 14:12 ` [PATCH 1/2] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2 Michel Dänzer
2019-04-09 11:14 ` Huang, Ray
-- strict thread matches above, loose matches on Subject: below --
2019-04-02 7:40 Christian König
2019-04-02 14:57 ` Jann Horn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1a25a00b-fd70-d6d1-0d60-b9572582eeba@amd.com \
--to=jerry.zhang@amd.com \
--cc=amd-gfx@lists.freedesktop.org \
--cc=ckoenig.leichtzumerken@gmail.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=ray.huang@amd.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).