提交 96800ba9 编写于 作者: C Christian König 提交者: Greg Kroah-Hartman

drm/ttm: fix out-of-bounds read in ttm_put_pages() v2

commit a66477b0efe511d98dde3e4aaeb189790e6f0a39 upstream.

When ttm_put_pages() tries to figure out whether it's dealing with
transparent hugepages, it just reads past the bounds of the pages array
without a check.

v2: simplify the test if enough pages are left in the array (Christian).
Signed-off-by: NJann Horn <jannh@google.com>
Signed-off-by: NChristian König <christian.koenig@amd.com>
Fixes: 5c42c64f ("drm/ttm: fix the fix for huge compound pages")
Cc: stable@vger.kernel.org
Reviewed-by: NMichel Dänzer <michel.daenzer@amd.com>
Reviewed-by: NJunwei Zhang <Jerry.Zhang@amd.com>
Reviewed-by: NHuang Rui <ray.huang@amd.com>
Signed-off-by: NAlex Deucher <alexander.deucher@amd.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
上级 fbe5cff9
...@@ -730,7 +730,8 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags, ...@@ -730,7 +730,8 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
} }
#ifdef CONFIG_TRANSPARENT_HUGEPAGE #ifdef CONFIG_TRANSPARENT_HUGEPAGE
if (!(flags & TTM_PAGE_FLAG_DMA32)) { if (!(flags & TTM_PAGE_FLAG_DMA32) &&
(npages - i) >= HPAGE_PMD_NR) {
for (j = 0; j < HPAGE_PMD_NR; ++j) for (j = 0; j < HPAGE_PMD_NR; ++j)
if (p++ != pages[i + j]) if (p++ != pages[i + j])
break; break;
...@@ -759,7 +760,7 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags, ...@@ -759,7 +760,7 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
unsigned max_size, n2free; unsigned max_size, n2free;
spin_lock_irqsave(&huge->lock, irq_flags); spin_lock_irqsave(&huge->lock, irq_flags);
while (i < npages) { while ((npages - i) >= HPAGE_PMD_NR) {
struct page *p = pages[i]; struct page *p = pages[i];
unsigned j; unsigned j;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册