Skip to content

Commit

Permalink
drm/i915: Fix vmap_batch page iterator overrun
Browse files Browse the repository at this point in the history
vmap_batch() calculates amount of needed pages for the mapping
we are going to create. And it uses this page count as an
argument for the for_each_sg_pages() macro. The macro takes the number
of sg list entities as an argument, not the page count. So we ended
up iterating through all the pages on the mapped object, corrupting
memory past the smaller pages[] array.

Fix this by bailing out when we have enough pages.

This regression has been introduced in

commit 17cabf5
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Wed Jan 14 11:20:57 2015 +0000

    drm/i915: Trim the command parser allocations

Cc: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Mika Kuoppala <mika.kuoppala@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
  • Loading branch information
Mika Kuoppala authored and Daniel Vetter committed Mar 17, 2015
1 parent a1559ff commit 72c5ba9
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion drivers/gpu/drm/i915/i915_cmd_parser.c
Original file line number Diff line number Diff line change
Expand Up @@ -836,8 +836,11 @@ static u32 *vmap_batch(struct drm_i915_gem_object *obj,
}

i = 0;
for_each_sg_page(obj->pages->sgl, &sg_iter, npages, first_page)
for_each_sg_page(obj->pages->sgl, &sg_iter, obj->pages->nents, first_page) {
pages[i++] = sg_page_iter_page(&sg_iter);
if (i == npages)
break;
}

addr = vmap(pages, i, 0, PAGE_KERNEL);
if (addr == NULL) {
Expand Down

0 comments on commit 72c5ba9

Please sign in to comment.