lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 22 Apr 2015 19:45:11 +0300
From:	Mika Kuoppala <mika.kuoppala@...ux.intel.com>
To:	torvalds@...ux-foundation.org, daniel.vetter@...el.com,
	jani.nikula@...ux.intel.com, airlied@...ux.ie, ben@...dawsk.net
Cc:	intel-gfx@...ts.freedesktop.org, linux-kernel@...r.kernel.org,
	Chris Wilson <chris@...is-wilson.co.uk>,
	Michel Thierry <michel.thierry@...el.com>
Subject: [PATCH] drm/i915: Add checks to i915_bind_vma

The current aliasing ppgtt implementation allocates
the page table structures on driver initialization
for the entire vm address space. Earlier the page tables
were allocated as array of struct pages, but introduction
of dynamic allocation of page structures changed the page
tables to be inside a page directory.

We have a detailed bug report where traversing of tables and
deferencing page_table[pte]->page oopses. This indicates that
our pre allocation of page tables has failed or that we get
corrupt vma which does not fit inside the vm area and throws
pte > 511.

Add more checks to catch the latter. Warn and bail out if
we get vma which is out of bounds for binding.

v2: Check vma node early (Chris)

Cc: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Chris Wilson <chris@...is-wilson.co.uk>
Cc: Michel Thierry <michel.thierry@...el.com>
Signed-off-by: Mika Kuoppala <mika.kuoppala@...el.com>
---
 drivers/gpu/drm/i915/i915_gem_gtt.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.c b/drivers/gpu/drm/i915/i915_gem_gtt.c
index 0239fbf..2ffa8f6 100644
--- a/drivers/gpu/drm/i915/i915_gem_gtt.c
+++ b/drivers/gpu/drm/i915/i915_gem_gtt.c
@@ -2746,6 +2746,13 @@ i915_get_ggtt_vma_pages(struct i915_vma *vma)
 int i915_vma_bind(struct i915_vma *vma, enum i915_cache_level cache_level,
 		  u32 flags)
 {
+
+	if (WARN_ON(!drm_mm_node_allocated(&vma->node)))
+		return -EINVAL;
+
+	if (WARN_ON(vma->node.start > vma->vm->total - vma->node.size))
+		return -EINVAL;
+
 	if (i915_is_ggtt(vma->vm)) {
 		int ret = i915_get_ggtt_vma_pages(vma);
 
-- 
1.9.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ