[PATCH 1/2] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2

Tue Apr 9 11:14:55 UTC 2019

> -----Original Message-----
> From: Christian König [mailto:ckoenig.leichtzumerken at gmail.com]
> Sent: Monday, April 08, 2019 9:13 PM
> To: Zhang, Jerry <Jerry.Zhang at amd.com>; Huang, Ray
> <Ray.Huang at amd.com>; amd-gfx at lists.freedesktop.org; dri-
> devel at lists.freedesktop.org
> Subject: [PATCH 1/2] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2
> 
> When ttm_put_pages() tries to figure out whether it's dealing with
> transparent hugepages, it just reads past the bounds of the pages array
> without a check.
> 
> v2: simplify the test if enough pages are left in the array (Christian).
> 
> Signed-off-by: Jann Horn <jannh at google.com>
> Signed-off-by: Christian König <christian.koenig at amd.com>

Reviewed-by: Huang Rui <ray.huang at amd.com>

> Fixes: 5c42c64f7d54 ("drm/ttm: fix the fix for huge compound pages")
> Cc: stable at vger.kernel.org
> ---
>  drivers/gpu/drm/ttm/ttm_page_alloc.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c
> b/drivers/gpu/drm/ttm/ttm_page_alloc.c
> index f841accc2c00..f77c81db161b 100644
> --- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
> +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
> @@ -730,7 +730,8 @@ static void ttm_put_pages(struct page **pages,
> unsigned npages, int flags,
>  			}
> 
>  #ifdef CONFIG_TRANSPARENT_HUGEPAGE
> -			if (!(flags & TTM_PAGE_FLAG_DMA32)) {
> +			if (!(flags & TTM_PAGE_FLAG_DMA32) &&
> +			    (npages - i) >= HPAGE_PMD_NR) {
>  				for (j = 0; j < HPAGE_PMD_NR; ++j)
>  					if (p++ != pages[i + j])
>  					    break;
> @@ -759,7 +760,7 @@ static void ttm_put_pages(struct page **pages,
> unsigned npages, int flags,
>  		unsigned max_size, n2free;
> 
>  		spin_lock_irqsave(&huge->lock, irq_flags);
> -		while (i < npages) {
> +		while ((npages - i) >= HPAGE_PMD_NR) {
>  			struct page *p = pages[i];
>  			unsigned j;
> 
> --
> 2.17.1