diff options
| author | Jonathan Gray <jsg@cvs.openbsd.org> | 2019-04-27 08:10:33 +0000 |
|---|---|---|
| committer | Jonathan Gray <jsg@cvs.openbsd.org> | 2019-04-27 08:10:33 +0000 |
| commit | 0a734dc4458627db8fd064cd278d44cbc0308526 (patch) | |
| tree | 6394db41c0fb315f052635082f74a0ed3dcb9163 /sys | |
| parent | 0b71a99cafb6ec4fb99365001928c1352cac9ec8 (diff) | |
drm/ttm: fix out-of-bounds read in ttm_put_pages() v2
From Christian Koenig
96800ba9e565ab752774cd88328f96aed28a1436 in linux 4.19.y/4.19.37
a66477b0efe511d98dde3e4aaeb189790e6f0a39 in mainline linux
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/dev/pci/drm/ttm/ttm_page_alloc.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/dev/pci/drm/ttm/ttm_page_alloc.c b/sys/dev/pci/drm/ttm/ttm_page_alloc.c index 34bd8624ebb..dd1e4f98262 100644 --- a/sys/dev/pci/drm/ttm/ttm_page_alloc.c +++ b/sys/dev/pci/drm/ttm/ttm_page_alloc.c @@ -765,7 +765,8 @@ static void ttm_put_pages(struct vm_page **pages, unsigned npages, int flags, } #ifdef CONFIG_TRANSPARENT_HUGEPAGE - if (!(flags & TTM_PAGE_FLAG_DMA32)) { + if (!(flags & TTM_PAGE_FLAG_DMA32) && + (npages - i) >= HPAGE_PMD_NR) { for (j = 0; j < HPAGE_PMD_NR; ++j) if (p++ != pages[i + j]) break; @@ -796,7 +797,7 @@ static void ttm_put_pages(struct vm_page **pages, unsigned npages, int flags, unsigned max_size, n2free; spin_lock_irqsave(&huge->lock, irq_flags); - while (i < npages) { + while ((npages - i) >= HPAGE_PMD_NR) { struct vm_page *p = pages[i]; unsigned j; |