Re: [PATCH] drm/i915: Fix a crash in shmem_pin_map() error handling

Christoph Hellwig <hch@xxxxxx> · Fri, 23 Oct 2020 14:19:41 +0200

On Fri, Oct 23, 2020 at 02:34:01PM +0300, Dan Carpenter wrote:
> There is a signedness bug in shmem_pin_map() error handling because "i"
> is unsigned.  The "while (--i >= 0)" will loop forever until the system
> crashes.

I actually sent a patch to Andrew before the end of the merge window
to use a for loop with a new j iterator to fix this based on your
automated report, but it looks like that didn't go in.

> Fixes: bfed6708d6c9 ("drm/i915: use vmap in shmem_pin_map")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
>  drivers/gpu/drm/i915/gt/shmem_utils.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/i915/gt/shmem_utils.c b/drivers/gpu/drm/i915/gt/shmem_utils.c
> index f011ea42487e..7eb542018219 100644
> --- a/drivers/gpu/drm/i915/gt/shmem_utils.c
> +++ b/drivers/gpu/drm/i915/gt/shmem_utils.c
> @@ -52,8 +52,9 @@ struct file *shmem_create_from_object(struct drm_i915_gem_object *obj)
>  void *shmem_pin_map(struct file *file)
>  {
>  	struct page **pages;
> -	size_t n_pages, i;
> +	size_t n_pages;
>  	void *vaddr;
> +	int i;
>  
>  	n_pages = file->f_mapping->host->i_size >> PAGE_SHIFT;
>  	pages = kvmalloc_array(n_pages, sizeof(*pages), GFP_KERNEL);

This assumes we never have more than INT_MAX worth of pages before
a failure. 
_______________________________________________
Intel-gfx mailing list
Intel-gfx@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/intel-gfx