From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, "Matthew Wilcox (Oracle)" , Oleksandr Natalenko , Maxime Ripard Subject: [PATCH 6.5 122/191] drm: Do not overrun array in drm_gem_get_pages() Date: Mon, 16 Oct 2023 10:41:47 +0200 Message-ID: <20231016084018.227136004@linuxfoundation.org> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20231016084015.400031271@linuxfoundation.org> References: <20231016084015.400031271@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org 6.5-stable review patch. If anyone has any objections, please let me know. ------------------ From: Matthew Wilcox (Oracle) commit b7fd68ab1538e3adb665670414bea440f399fda9 upstream. If the shared memory object is larger than the DRM object that it backs, we can overrun the page array. Limit the number of pages we install from each folio to prevent this. Signed-off-by: "Matthew Wilcox (Oracle)" Reported-by: Oleksandr Natalenko Tested-by: Oleksandr Natalenko Link: https://lore.kernel.org/lkml/13360591.uLZWGnKmhe@natalenko.name/ Fixes: 3291e09a4638 ("drm: convert drm_gem_put_pages() to use a folio_batch") Cc: stable@vger.kernel.org # 6.5.x Signed-off-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20231005135648.2317298-1-willy@infradead.org Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/drm_gem.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -537,7 +537,7 @@ struct page **drm_gem_get_pages(struct d struct page **pages; struct folio *folio; struct folio_batch fbatch; - int i, j, npages; + long i, j, npages; if (WARN_ON(!obj->filp)) return ERR_PTR(-EINVAL); 
@@ -561,11 +561,13 @@ struct page **drm_gem_get_pages(struct d i = 0; while (i < npages) { + long nr; folio = shmem_read_folio_gfp(mapping, i, mapping_gfp_mask(mapping)); if (IS_ERR(folio)) goto fail; - for (j = 0; j < folio_nr_pages(folio); j++, i++) + nr = min(npages - i, folio_nr_pages(folio)); + for (j = 0; j < nr; j++, i++) pages[i] = folio_file_page(folio, i); /* Make sure shmem keeps __GFP_DMA32 allocated pages in the
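Review bot: the widening of `i, j, npages` from `int` to `long` in the first hunk (the declarations at the top of drm_gem_get_pages()) is not mentioned in the changelog, which only describes limiting the number of pages installed from each folio. If the wider type is there so that both operands of `min(npages - i, folio_nr_pages(folio))` have the same type, a sentence saying so would let stable reviewers see that the type change is part of the fix and not an unrelated cleanup.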
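Review bot: the clamp `nr = min(npages - i, folio_nr_pages(folio));` in the second hunk carries no comment, so the reason a folio can reach past the end of `pages[]` is recoverable only from the commit message. A one-line comment above it, stating that the shmem object may be larger than the DRM object it backs, would keep a later cleanup from restoring the unbounded `j < folio_nr_pages(folio)` loop. The declaration `long nr;` could also move up beside `i, j, npages` so that all loop counters are declared in one place.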