[PATCH 1/2] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2

[PATCH 1/2] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2

[Christian König]

When ttm_put_pages() tries to figure out whether it's dealing with
transparent hugepages, it just reads past the bounds of the pages array
without a check.

v2: simplify the test if enough pages are left in the array (Christian).

Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Christian König <christian.koenig@amd.com>
Fixes: 5c42c64f7d54 ("drm/ttm: fix the fix for huge compound pages")
Cc: stable@vger.kernel.org
---
 drivers/gpu/drm/ttm/ttm_page_alloc.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
index f841accc2c00..f77c81db161b 100644
--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
+++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
@@ -730,7 +730,8 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
 			}
 
 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
-			if (!(flags & TTM_PAGE_FLAG_DMA32)) {
+			if (!(flags & TTM_PAGE_FLAG_DMA32) &&
+			    (npages - i) >= HPAGE_PMD_NR) {
 				for (j = 0; j < HPAGE_PMD_NR; ++j)
 					if (p++ != pages[i + j])
 					    break;
@@ -759,7 +760,7 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
 		unsigned max_size, n2free;
 
 		spin_lock_irqsave(&huge->lock, irq_flags);
-		while (i < npages) {
+		while ((npages - i) >= HPAGE_PMD_NR) {
 			struct page *p = pages[i];
 			unsigned j;
 
-- 
2.17.1

_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx

[PATCH 2/2] drm/ttm: fix start page for huge page check in ttm_put_pages()

[Christian König]

The first page entry is always the same with itself.

Signed-off-by: Christian König <christian.koenig@amd.com>
---
 drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
index f77c81db161b..c74147f0cbe3 100644
--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
+++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
@@ -732,7 +732,7 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
 			if (!(flags & TTM_PAGE_FLAG_DMA32) &&
 			    (npages - i) >= HPAGE_PMD_NR) {
-				for (j = 0; j < HPAGE_PMD_NR; ++j)
+				for (j = 1; j < HPAGE_PMD_NR; ++j)
 					if (p++ != pages[i + j])
 					    break;
 
@@ -767,7 +767,7 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
 			if (!p)
 				break;
 
-			for (j = 0; j < HPAGE_PMD_NR; ++j)
+			for (j = 1; j < HPAGE_PMD_NR; ++j)
 				if (p++ != pages[i + j])
 				    break;
 
-- 
2.17.1

_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx

Re: [PATCH 1/2] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2

[Michel Dänzer]

On 2019-04-08 3:13 p.m., Christian König wrote:
> When ttm_put_pages() tries to figure out whether it's dealing with
> transparent hugepages, it just reads past the bounds of the pages array
> without a check.
> 
> v2: simplify the test if enough pages are left in the array (Christian).
> 
> Signed-off-by: Jann Horn <jannh@google.com>
> Signed-off-by: Christian König <christian.koenig@amd.com>
> Fixes: 5c42c64f7d54 ("drm/ttm: fix the fix for huge compound pages")
> Cc: stable@vger.kernel.org
> ---
>  drivers/gpu/drm/ttm/ttm_page_alloc.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
> index f841accc2c00..f77c81db161b 100644
> --- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
> +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
> @@ -730,7 +730,8 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
>  			}
>  
>  #ifdef CONFIG_TRANSPARENT_HUGEPAGE
> -			if (!(flags & TTM_PAGE_FLAG_DMA32)) {
> +			if (!(flags & TTM_PAGE_FLAG_DMA32) &&
> +			    (npages - i) >= HPAGE_PMD_NR) {
>  				for (j = 0; j < HPAGE_PMD_NR; ++j)
>  					if (p++ != pages[i + j])
>  					    break;
> @@ -759,7 +760,7 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
>  		unsigned max_size, n2free;
>  
>  		spin_lock_irqsave(&huge->lock, irq_flags);
> -		while (i < npages) {
> +		while ((npages - i) >= HPAGE_PMD_NR) {
>  			struct page *p = pages[i];
>  			unsigned j;
>  
> 

This series is

Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>


-- 
Earthling Michel Dänzer               |              https://www.amd.com
Libre software enthusiast             |             Mesa and X developer
_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx

Re: [PATCH 1/2] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2

[Zhang, Jerry(Junwei)]

On 4/8/19 9:13 PM, Christian König wrote:
> When ttm_put_pages() tries to figure out whether it's dealing with
> transparent hugepages, it just reads past the bounds of the pages array
> without a check.
>
> v2: simplify the test if enough pages are left in the array (Christian).
Series is Reviewed-by: Junwei Zhang <Jerry.Zhang@amd.com>

Regards,
Jerry
>
> Signed-off-by: Jann Horn <jannh@google.com>
> Signed-off-by: Christian König <christian.koenig@amd.com>
> Fixes: 5c42c64f7d54 ("drm/ttm: fix the fix for huge compound pages")
> Cc: stable@vger.kernel.org
> ---
>   drivers/gpu/drm/ttm/ttm_page_alloc.c | 5 +++--
>   1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
> index f841accc2c00..f77c81db161b 100644
> --- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
> +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
> @@ -730,7 +730,8 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
>   			}
>   
>   #ifdef CONFIG_TRANSPARENT_HUGEPAGE
> -			if (!(flags & TTM_PAGE_FLAG_DMA32)) {
> +			if (!(flags & TTM_PAGE_FLAG_DMA32) &&
> +			    (npages - i) >= HPAGE_PMD_NR) {
>   				for (j = 0; j < HPAGE_PMD_NR; ++j)
>   					if (p++ != pages[i + j])
>   					    break;
> @@ -759,7 +760,7 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
>   		unsigned max_size, n2free;
>   
>   		spin_lock_irqsave(&huge->lock, irq_flags);
> -		while (i < npages) {
> +		while ((npages - i) >= HPAGE_PMD_NR) {
>   			struct page *p = pages[i];
>   			unsigned j;
>   

_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

RE: [PATCH 2/2] drm/ttm: fix start page for huge page check in ttm_put_pages()

[Huang, Ray]

> -----Original Message-----
> From: Christian König [mailto:ckoenig.leichtzumerken@gmail.com]
> Sent: Monday, April 08, 2019 9:13 PM
> To: Zhang, Jerry <Jerry.Zhang@amd.com>; Huang, Ray
> <Ray.Huang@amd.com>; amd-gfx@lists.freedesktop.org; dri-
> devel@lists.freedesktop.org
> Subject: [PATCH 2/2] drm/ttm: fix start page for huge page check in
> ttm_put_pages()
> 
> The first page entry is always the same with itself.
> 
> Signed-off-by: Christian König <christian.koenig@amd.com>

Reviewed-by: Huang Rui <ray.huang@amd.com>

> ---
>  drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c
> b/drivers/gpu/drm/ttm/ttm_page_alloc.c
> index f77c81db161b..c74147f0cbe3 100644
> --- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
> +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
> @@ -732,7 +732,7 @@ static void ttm_put_pages(struct page **pages,
> unsigned npages, int flags,  #ifdef CONFIG_TRANSPARENT_HUGEPAGE
>  			if (!(flags & TTM_PAGE_FLAG_DMA32) &&
>  			    (npages - i) >= HPAGE_PMD_NR) {
> -				for (j = 0; j < HPAGE_PMD_NR; ++j)
> +				for (j = 1; j < HPAGE_PMD_NR; ++j)
>  					if (p++ != pages[i + j])
>  					    break;
> 
> @@ -767,7 +767,7 @@ static void ttm_put_pages(struct page **pages,
> unsigned npages, int flags,
>  			if (!p)
>  				break;
> 
> -			for (j = 0; j < HPAGE_PMD_NR; ++j)
> +			for (j = 1; j < HPAGE_PMD_NR; ++j)
>  				if (p++ != pages[i + j])
>  				    break;
> 
> --
> 2.17.1

_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

RE: [PATCH 1/2] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2

[Huang, Ray]

> -----Original Message-----
> From: Christian König [mailto:ckoenig.leichtzumerken@gmail.com]
> Sent: Monday, April 08, 2019 9:13 PM
> To: Zhang, Jerry <Jerry.Zhang@amd.com>; Huang, Ray
> <Ray.Huang@amd.com>; amd-gfx@lists.freedesktop.org; dri-
> devel@lists.freedesktop.org
> Subject: [PATCH 1/2] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2
> 
> When ttm_put_pages() tries to figure out whether it's dealing with
> transparent hugepages, it just reads past the bounds of the pages array
> without a check.
> 
> v2: simplify the test if enough pages are left in the array (Christian).
> 
> Signed-off-by: Jann Horn <jannh@google.com>
> Signed-off-by: Christian König <christian.koenig@amd.com>

Reviewed-by: Huang Rui <ray.huang@amd.com>

> Fixes: 5c42c64f7d54 ("drm/ttm: fix the fix for huge compound pages")
> Cc: stable@vger.kernel.org
> ---
>  drivers/gpu/drm/ttm/ttm_page_alloc.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c
> b/drivers/gpu/drm/ttm/ttm_page_alloc.c
> index f841accc2c00..f77c81db161b 100644
> --- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
> +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
> @@ -730,7 +730,8 @@ static void ttm_put_pages(struct page **pages,
> unsigned npages, int flags,
>  			}
> 
>  #ifdef CONFIG_TRANSPARENT_HUGEPAGE
> -			if (!(flags & TTM_PAGE_FLAG_DMA32)) {
> +			if (!(flags & TTM_PAGE_FLAG_DMA32) &&
> +			    (npages - i) >= HPAGE_PMD_NR) {
>  				for (j = 0; j < HPAGE_PMD_NR; ++j)
>  					if (p++ != pages[i + j])
>  					    break;
> @@ -759,7 +760,7 @@ static void ttm_put_pages(struct page **pages,
> unsigned npages, int flags,
>  		unsigned max_size, n2free;
> 
>  		spin_lock_irqsave(&huge->lock, irq_flags);
> -		while (i < npages) {
> +		while ((npages - i) >= HPAGE_PMD_NR) {
>  			struct page *p = pages[i];
>  			unsigned j;
> 
> --
> 2.17.1

_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx

[PATCH 2/2] drm/ttm: fix start page for huge page check in ttm_put_pages()

[Christian König]

The first page entry is always the same with itself.

Signed-off-by: Christian König <christian.koenig@amd.com>
---
 drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
index f77c81db161b..c74147f0cbe3 100644
--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
+++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
@@ -732,7 +732,7 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
 			if (!(flags & TTM_PAGE_FLAG_DMA32) &&
 			    (npages - i) >= HPAGE_PMD_NR) {
-				for (j = 0; j < HPAGE_PMD_NR; ++j)
+				for (j = 1; j < HPAGE_PMD_NR; ++j)
 					if (p++ != pages[i + j])
 					    break;
 
@@ -767,7 +767,7 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
 			if (!p)
 				break;
 
-			for (j = 0; j < HPAGE_PMD_NR; ++j)
+			for (j = 1; j < HPAGE_PMD_NR; ++j)
 				if (p++ != pages[i + j])
 				    break;
 
-- 
2.17.1

_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel