drm/ttm: fix out-of-bounds read in ttm_put_pages() v2

From Christian Koenig 96800ba9e565ab752774cd88328f96aed28a1436 in linux 4.19.y/4.19.37 a66477b0efe511d98dde3e4aaeb189790e6f0a39 in mainline linux
author: jsg <jsg@openbsd.org> 2019-04-27 08:10:32 +0000
committer: jsg <jsg@openbsd.org> 2019-04-27 08:10:32 +0000
commit: a9ec26adf0b9b5fea86d759286598ecb5c6d5e6c (patch)
tree: ac2c9fb92b8e9641181b048cf3ae1e445fc59604
parent: fix up some rxprio handling while here (diff)
download: wireguard-openbsd-a9ec26adf0b9b5fea86d759286598ecb5c6d5e6c.tar.xz
wireguard-openbsd-a9ec26adf0b9b5fea86d759286598ecb5c6d5e6c.zip
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/dev/pci/drm/ttm/ttm_page_alloc.c b/sys/dev/pci/drm/ttm/ttm_page_alloc.c
index 34bd8624ebb..dd1e4f98262 100644
--- a/sys/dev/pci/drm/ttm/ttm_page_alloc.c
+++ b/sys/dev/pci/drm/ttm/ttm_page_alloc.c
@@ -765,7 +765,8 @@ static void ttm_put_pages(struct vm_page **pages, unsigned npages, int flags,
 			}
 
 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
-			if (!(flags & TTM_PAGE_FLAG_DMA32)) {
+			if (!(flags & TTM_PAGE_FLAG_DMA32) &&
+			    (npages - i) >= HPAGE_PMD_NR) {
 				for (j = 0; j < HPAGE_PMD_NR; ++j)
 					if (p++ != pages[i + j])
 					    break;
@@ -796,7 +797,7 @@ static void ttm_put_pages(struct vm_page **pages, unsigned npages, int flags,
 		unsigned max_size, n2free;
 
 		spin_lock_irqsave(&huge->lock, irq_flags);
-		while (i < npages) {
+		while ((npages - i) >= HPAGE_PMD_NR) {
 			struct vm_page *p = pages[i];
 			unsigned j;
author	jsg <jsg@openbsd.org>	2019-04-27 08:10:32 +0000
committer	jsg <jsg@openbsd.org>	2019-04-27 08:10:32 +0000
commit	a9ec26adf0b9b5fea86d759286598ecb5c6d5e6c (patch)
tree	ac2c9fb92b8e9641181b048cf3ae1e445fc59604
parent	fix up some rxprio handling while here (diff)
download	wireguard-openbsd-a9ec26adf0b9b5fea86d759286598ecb5c6d5e6c.tar.xz wireguard-openbsd-a9ec26adf0b9b5fea86d759286598ecb5c6d5e6c.zip