* [PATCH 1/2] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2
@ 2019-04-08 13:13 Christian König
2019-04-09 7:47 ` Zhang, Jerry(Junwei)
[not found] ` <20190408131310.3130-1-christian.koenig-5C7GfCeVMHo@public.gmane.org>
0 siblings, 2 replies; 8+ messages in thread
From: Christian König @ 2019-04-08 13:13 UTC (permalink / raw)
To: Jerry.Zhang-5C7GfCeVMHo, ray.huang-5C7GfCeVMHo,
amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW,
dri-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW
When ttm_put_pages() tries to figure out whether it's dealing with
transparent hugepages, it just reads past the bounds of the pages array
without a check.
v2: simplify the test if enough pages are left in the array (Christian).
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Christian König <christian.koenig@amd.com>
Fixes: 5c42c64f7d54 ("drm/ttm: fix the fix for huge compound pages")
Cc: stable@vger.kernel.org
---
drivers/gpu/drm/ttm/ttm_page_alloc.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
index f841accc2c00..f77c81db161b 100644
--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
+++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
@@ -730,7 +730,8 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
}
#ifdef CONFIG_TRANSPARENT_HUGEPAGE
- if (!(flags & TTM_PAGE_FLAG_DMA32)) {
+ if (!(flags & TTM_PAGE_FLAG_DMA32) &&
+ (npages - i) >= HPAGE_PMD_NR) {
for (j = 0; j < HPAGE_PMD_NR; ++j)
if (p++ != pages[i + j])
break;
@@ -759,7 +760,7 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
unsigned max_size, n2free;
spin_lock_irqsave(&huge->lock, irq_flags);
- while (i < npages) {
+ while ((npages - i) >= HPAGE_PMD_NR) {
struct page *p = pages[i];
unsigned j;
--
2.17.1
_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx
^ permalink raw reply related [flat|nested] 8+ messages in thread* Re: [PATCH 1/2] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2
2019-04-08 13:13 [PATCH 1/2] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2 Christian König
@ 2019-04-09 7:47 ` Zhang, Jerry(Junwei)
[not found] ` <20190408131310.3130-1-christian.koenig-5C7GfCeVMHo@public.gmane.org>
1 sibling, 0 replies; 8+ messages in thread
From: Zhang, Jerry(Junwei) @ 2019-04-09 7:47 UTC (permalink / raw)
To: Christian König, ray.huang, amd-gfx, dri-devel
On 4/8/19 9:13 PM, Christian König wrote:
> When ttm_put_pages() tries to figure out whether it's dealing with
> transparent hugepages, it just reads past the bounds of the pages array
> without a check.
>
> v2: simplify the test if enough pages are left in the array (Christian).
Series is Reviewed-by: Junwei Zhang <Jerry.Zhang@amd.com>
Regards,
Jerry
>
> Signed-off-by: Jann Horn <jannh@google.com>
> Signed-off-by: Christian König <christian.koenig@amd.com>
> Fixes: 5c42c64f7d54 ("drm/ttm: fix the fix for huge compound pages")
> Cc: stable@vger.kernel.org
> ---
> drivers/gpu/drm/ttm/ttm_page_alloc.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
> index f841accc2c00..f77c81db161b 100644
> --- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
> +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
> @@ -730,7 +730,8 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
> }
>
> #ifdef CONFIG_TRANSPARENT_HUGEPAGE
> - if (!(flags & TTM_PAGE_FLAG_DMA32)) {
> + if (!(flags & TTM_PAGE_FLAG_DMA32) &&
> + (npages - i) >= HPAGE_PMD_NR) {
> for (j = 0; j < HPAGE_PMD_NR; ++j)
> if (p++ != pages[i + j])
> break;
> @@ -759,7 +760,7 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
> unsigned max_size, n2free;
>
> spin_lock_irqsave(&huge->lock, irq_flags);
> - while (i < npages) {
> + while ((npages - i) >= HPAGE_PMD_NR) {
> struct page *p = pages[i];
> unsigned j;
>
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 8+ messages in thread[parent not found: <20190408131310.3130-1-christian.koenig-5C7GfCeVMHo@public.gmane.org>]
* [PATCH 2/2] drm/ttm: fix start page for huge page check in ttm_put_pages()
[not found] ` <20190408131310.3130-1-christian.koenig-5C7GfCeVMHo@public.gmane.org>
@ 2019-04-08 13:13 ` Christian König
2019-04-09 11:13 ` Huang, Ray
2019-04-08 14:12 ` [PATCH 1/2] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2 Michel Dänzer
2019-04-09 11:14 ` Huang, Ray
2 siblings, 1 reply; 8+ messages in thread
From: Christian König @ 2019-04-08 13:13 UTC (permalink / raw)
To: Jerry.Zhang-5C7GfCeVMHo, ray.huang-5C7GfCeVMHo,
amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW,
dri-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW
The first page entry is always the same with itself.
Signed-off-by: Christian König <christian.koenig@amd.com>
---
drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
index f77c81db161b..c74147f0cbe3 100644
--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
+++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
@@ -732,7 +732,7 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
#ifdef CONFIG_TRANSPARENT_HUGEPAGE
if (!(flags & TTM_PAGE_FLAG_DMA32) &&
(npages - i) >= HPAGE_PMD_NR) {
- for (j = 0; j < HPAGE_PMD_NR; ++j)
+ for (j = 1; j < HPAGE_PMD_NR; ++j)
if (p++ != pages[i + j])
break;
@@ -767,7 +767,7 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
if (!p)
break;
- for (j = 0; j < HPAGE_PMD_NR; ++j)
+ for (j = 1; j < HPAGE_PMD_NR; ++j)
if (p++ != pages[i + j])
break;
--
2.17.1
_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx
^ permalink raw reply related [flat|nested] 8+ messages in thread* RE: [PATCH 2/2] drm/ttm: fix start page for huge page check in ttm_put_pages()
2019-04-08 13:13 ` [PATCH 2/2] drm/ttm: fix start page for huge page check in ttm_put_pages() Christian König
@ 2019-04-09 11:13 ` Huang, Ray
0 siblings, 0 replies; 8+ messages in thread
From: Huang, Ray @ 2019-04-09 11:13 UTC (permalink / raw)
To: Christian König, Zhang, Jerry, amd-gfx@lists.freedesktop.org,
dri-devel@lists.freedesktop.org
> -----Original Message-----
> From: Christian König [mailto:ckoenig.leichtzumerken@gmail.com]
> Sent: Monday, April 08, 2019 9:13 PM
> To: Zhang, Jerry <Jerry.Zhang@amd.com>; Huang, Ray
> <Ray.Huang@amd.com>; amd-gfx@lists.freedesktop.org; dri-
> devel@lists.freedesktop.org
> Subject: [PATCH 2/2] drm/ttm: fix start page for huge page check in
> ttm_put_pages()
>
> The first page entry is always the same with itself.
>
> Signed-off-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Huang Rui <ray.huang@amd.com>
> ---
> drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c
> b/drivers/gpu/drm/ttm/ttm_page_alloc.c
> index f77c81db161b..c74147f0cbe3 100644
> --- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
> +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
> @@ -732,7 +732,7 @@ static void ttm_put_pages(struct page **pages,
> unsigned npages, int flags, #ifdef CONFIG_TRANSPARENT_HUGEPAGE
> if (!(flags & TTM_PAGE_FLAG_DMA32) &&
> (npages - i) >= HPAGE_PMD_NR) {
> - for (j = 0; j < HPAGE_PMD_NR; ++j)
> + for (j = 1; j < HPAGE_PMD_NR; ++j)
> if (p++ != pages[i + j])
> break;
>
> @@ -767,7 +767,7 @@ static void ttm_put_pages(struct page **pages,
> unsigned npages, int flags,
> if (!p)
> break;
>
> - for (j = 0; j < HPAGE_PMD_NR; ++j)
> + for (j = 1; j < HPAGE_PMD_NR; ++j)
> if (p++ != pages[i + j])
> break;
>
> --
> 2.17.1
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 1/2] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2
[not found] ` <20190408131310.3130-1-christian.koenig-5C7GfCeVMHo@public.gmane.org>
2019-04-08 13:13 ` [PATCH 2/2] drm/ttm: fix start page for huge page check in ttm_put_pages() Christian König
@ 2019-04-08 14:12 ` Michel Dänzer
2019-04-09 11:14 ` Huang, Ray
2 siblings, 0 replies; 8+ messages in thread
From: Michel Dänzer @ 2019-04-08 14:12 UTC (permalink / raw)
To: Christian König
Cc: Jerry.Zhang-5C7GfCeVMHo, ray.huang-5C7GfCeVMHo,
dri-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW,
amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW
On 2019-04-08 3:13 p.m., Christian König wrote:
> When ttm_put_pages() tries to figure out whether it's dealing with
> transparent hugepages, it just reads past the bounds of the pages array
> without a check.
>
> v2: simplify the test if enough pages are left in the array (Christian).
>
> Signed-off-by: Jann Horn <jannh@google.com>
> Signed-off-by: Christian König <christian.koenig@amd.com>
> Fixes: 5c42c64f7d54 ("drm/ttm: fix the fix for huge compound pages")
> Cc: stable@vger.kernel.org
> ---
> drivers/gpu/drm/ttm/ttm_page_alloc.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
> index f841accc2c00..f77c81db161b 100644
> --- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
> +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
> @@ -730,7 +730,8 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
> }
>
> #ifdef CONFIG_TRANSPARENT_HUGEPAGE
> - if (!(flags & TTM_PAGE_FLAG_DMA32)) {
> + if (!(flags & TTM_PAGE_FLAG_DMA32) &&
> + (npages - i) >= HPAGE_PMD_NR) {
> for (j = 0; j < HPAGE_PMD_NR; ++j)
> if (p++ != pages[i + j])
> break;
> @@ -759,7 +760,7 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
> unsigned max_size, n2free;
>
> spin_lock_irqsave(&huge->lock, irq_flags);
> - while (i < npages) {
> + while ((npages - i) >= HPAGE_PMD_NR) {
> struct page *p = pages[i];
> unsigned j;
>
>
This series is
Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
--
Earthling Michel Dänzer | https://www.amd.com
Libre software enthusiast | Mesa and X developer
_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx
^ permalink raw reply [flat|nested] 8+ messages in thread* RE: [PATCH 1/2] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2
[not found] ` <20190408131310.3130-1-christian.koenig-5C7GfCeVMHo@public.gmane.org>
2019-04-08 13:13 ` [PATCH 2/2] drm/ttm: fix start page for huge page check in ttm_put_pages() Christian König
2019-04-08 14:12 ` [PATCH 1/2] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2 Michel Dänzer
@ 2019-04-09 11:14 ` Huang, Ray
2 siblings, 0 replies; 8+ messages in thread
From: Huang, Ray @ 2019-04-09 11:14 UTC (permalink / raw)
To: Christian König, Zhang, Jerry,
amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org,
dri-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org
> -----Original Message-----
> From: Christian König [mailto:ckoenig.leichtzumerken@gmail.com]
> Sent: Monday, April 08, 2019 9:13 PM
> To: Zhang, Jerry <Jerry.Zhang@amd.com>; Huang, Ray
> <Ray.Huang@amd.com>; amd-gfx@lists.freedesktop.org; dri-
> devel@lists.freedesktop.org
> Subject: [PATCH 1/2] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2
>
> When ttm_put_pages() tries to figure out whether it's dealing with
> transparent hugepages, it just reads past the bounds of the pages array
> without a check.
>
> v2: simplify the test if enough pages are left in the array (Christian).
>
> Signed-off-by: Jann Horn <jannh@google.com>
> Signed-off-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Huang Rui <ray.huang@amd.com>
> Fixes: 5c42c64f7d54 ("drm/ttm: fix the fix for huge compound pages")
> Cc: stable@vger.kernel.org
> ---
> drivers/gpu/drm/ttm/ttm_page_alloc.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c
> b/drivers/gpu/drm/ttm/ttm_page_alloc.c
> index f841accc2c00..f77c81db161b 100644
> --- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
> +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
> @@ -730,7 +730,8 @@ static void ttm_put_pages(struct page **pages,
> unsigned npages, int flags,
> }
>
> #ifdef CONFIG_TRANSPARENT_HUGEPAGE
> - if (!(flags & TTM_PAGE_FLAG_DMA32)) {
> + if (!(flags & TTM_PAGE_FLAG_DMA32) &&
> + (npages - i) >= HPAGE_PMD_NR) {
> for (j = 0; j < HPAGE_PMD_NR; ++j)
> if (p++ != pages[i + j])
> break;
> @@ -759,7 +760,7 @@ static void ttm_put_pages(struct page **pages,
> unsigned npages, int flags,
> unsigned max_size, n2free;
>
> spin_lock_irqsave(&huge->lock, irq_flags);
> - while (i < npages) {
> + while ((npages - i) >= HPAGE_PMD_NR) {
> struct page *p = pages[i];
> unsigned j;
>
> --
> 2.17.1
_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH 1/2] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2
@ 2019-04-02 7:40 Christian König
2019-04-02 14:57 ` Jann Horn
0 siblings, 1 reply; 8+ messages in thread
From: Christian König @ 2019-04-02 7:40 UTC (permalink / raw)
To: dri-devel, jannh
When ttm_put_pages() tries to figure out whether it's dealing with
transparent hugepages, it just reads past the bounds of the pages array
without a check.
v2: simplify the test if enough pages are left in the array (Christian).
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Christian König <christian.koenig@amd.com>
Fixes: 5c42c64f7d54 ("drm/ttm: fix the fix for huge compound pages")
Cc: stable@vger.kernel.org
---
drivers/gpu/drm/ttm/ttm_page_alloc.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
index f841accc2c00..f77c81db161b 100644
--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
+++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
@@ -730,7 +730,8 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
}
#ifdef CONFIG_TRANSPARENT_HUGEPAGE
- if (!(flags & TTM_PAGE_FLAG_DMA32)) {
+ if (!(flags & TTM_PAGE_FLAG_DMA32) &&
+ (npages - i) >= HPAGE_PMD_NR) {
for (j = 0; j < HPAGE_PMD_NR; ++j)
if (p++ != pages[i + j])
break;
@@ -759,7 +760,7 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
unsigned max_size, n2free;
spin_lock_irqsave(&huge->lock, irq_flags);
- while (i < npages) {
+ while ((npages - i) >= HPAGE_PMD_NR) {
struct page *p = pages[i];
unsigned j;
--
2.17.1
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply related [flat|nested] 8+ messages in thread* Re: [PATCH 1/2] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2
2019-04-02 7:40 Christian König
@ 2019-04-02 14:57 ` Jann Horn
0 siblings, 0 replies; 8+ messages in thread
From: Jann Horn @ 2019-04-02 14:57 UTC (permalink / raw)
To: Christian König; +Cc: dri-devel
On Tue, Apr 2, 2019 at 9:40 AM Christian König
<ckoenig.leichtzumerken@gmail.com> wrote:
> When ttm_put_pages() tries to figure out whether it's dealing with
> transparent hugepages, it just reads past the bounds of the pages array
> without a check.
>
> v2: simplify the test if enough pages are left in the array (Christian).
>
> Signed-off-by: Jann Horn <jannh@google.com>
> Signed-off-by: Christian König <christian.koenig@amd.com>
> Fixes: 5c42c64f7d54 ("drm/ttm: fix the fix for huge compound pages")
> Cc: stable@vger.kernel.org
Thanks; I've verified that with these patches applied, my VM doesn't
print an ASAN warning on boot anymore.
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2019-04-09 11:14 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-04-08 13:13 [PATCH 1/2] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2 Christian König
2019-04-09 7:47 ` Zhang, Jerry(Junwei)
[not found] ` <20190408131310.3130-1-christian.koenig-5C7GfCeVMHo@public.gmane.org>
2019-04-08 13:13 ` [PATCH 2/2] drm/ttm: fix start page for huge page check in ttm_put_pages() Christian König
2019-04-09 11:13 ` Huang, Ray
2019-04-08 14:12 ` [PATCH 1/2] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2 Michel Dänzer
2019-04-09 11:14 ` Huang, Ray
-- strict thread matches above, loose matches on Subject: below --
2019-04-02 7:40 Christian König
2019-04-02 14:57 ` Jann Horn
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).