From 453393369dc9806d2455151e329c599684762428 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>
Date: Wed, 10 Apr 2019 11:43:43 +0200
Subject: [PATCH] drm/ttm: fix incrementing the page pointer for huge pages
Mime-version: 1.0
Content-type: text/plain; charset=UTF-8
Content-transfer-encoding: 8bit
Git-commit: 453393369dc9806d2455151e329c599684762428
Patch-mainline: v5.1-rc6
References: CVE-2019-19927 bsc#1160147
When we increment the counter we need to increment the pointer as well.
Signed-off-by: Christian König <christian.koenig@amd.com>
Fixes: e16858a7e6e7 drm/ttm: fix start page for huge page check in ttm_put_pages()
Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
Acked-by: Huang Rui <ray.huang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Acked-by: Takashi Iwai <tiwai@suse.de>
---
drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
index c74147f0cbe3..627f8dc91d0e 100644
--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
+++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
@@ -733,7 +733,7 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
if (!(flags & TTM_PAGE_FLAG_DMA32) &&
(npages - i) >= HPAGE_PMD_NR) {
for (j = 1; j < HPAGE_PMD_NR; ++j)
- if (p++ != pages[i + j])
+ if (++p != pages[i + j])
break;
if (j == HPAGE_PMD_NR)
@@ -768,7 +768,7 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
break;
for (j = 1; j < HPAGE_PMD_NR; ++j)
- if (p++ != pages[i + j])
+ if (++p != pages[i + j])
break;
if (j != HPAGE_PMD_NR)
--
2.16.4