diff options
| author | Mika Kuoppala <mika.kuoppala@linux.intel.com> | 2015-03-13 16:21:53 +0300 |
|---|---|---|
| committer | Daniel Vetter <daniel.vetter@ffwll.ch> | 2015-03-18 00:30:31 +0300 |
| commit | 72c5ba9562147d3fc2d22cd44c30bd136cd4a1ac (patch) | |
| tree | ab091c977ced78de761dc2069c117aff441d38c2 | |
| parent | a1559ffefb2a80eabbee65d7cc04e828d4fd557d (diff) | |
| download | linux-72c5ba9562147d3fc2d22cd44c30bd136cd4a1ac.tar.xz | |
drm/i915: Fix vmap_batch page iterator overrun
vmap_batch() calculates amount of needed pages for the mapping
we are going to create. And it uses this page count as an
argument for the for_each_sg_pages() macro. The macro takes the number
of sg list entities as an argument, not the page count. So we ended
up iterating through all the pages on the mapped object, corrupting
memory past the smaller pages[] array.
Fix this by bailing out when we have enough pages.
This regression has been introduced in
commit 17cabf571e50677d980e9ab2a43c5f11213003ae
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date: Wed Jan 14 11:20:57 2015 +0000
drm/i915: Trim the command parser allocations
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Mika Kuoppala <mika.kuoppala@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
| -rw-r--r-- | drivers/gpu/drm/i915/i915_cmd_parser.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/drivers/gpu/drm/i915/i915_cmd_parser.c b/drivers/gpu/drm/i915/i915_cmd_parser.c index 9a6da3536ae5..61ae8ff4eaed 100644 --- a/drivers/gpu/drm/i915/i915_cmd_parser.c +++ b/drivers/gpu/drm/i915/i915_cmd_parser.c @@ -836,8 +836,11 @@ static u32 *vmap_batch(struct drm_i915_gem_object *obj, } i = 0; - for_each_sg_page(obj->pages->sgl, &sg_iter, npages, first_page) + for_each_sg_page(obj->pages->sgl, &sg_iter, obj->pages->nents, first_page) { pages[i++] = sg_page_iter_page(&sg_iter); + if (i == npages) + break; + } addr = vmap(pages, i, 0, PAGE_KERNEL); if (addr == NULL) { |