From 0665ea6611fec3fce278fd879316df37acfd41b1 Mon Sep 17 00:00:00 2001 From: Mika Kuoppala Date: Fri, 13 Mar 2015 15:21:53 +0200 Subject: [PATCH] drm/i915: Fix vmap_batch page iterator overrun vmap_batch() calculates amount of needed pages for the mapping we are going to create. And it uses this page count as an argument for the for_each_sg_pages() macro. The macro takes the number of sg list entities as an argument, not the page count. So we ended up iterating through all the pages on the mapped object, corrupting memory past the smaller pages[] array. Fix this by bailing out when we have enough pages. This regression has been introduced in commit 29de6c7f6941ec0889ef229f751d3b01c3595586 Author: Chris Wilson Date: Wed Jan 14 11:20:57 2015 +0000 drm/i915: Trim the command parser allocations Cc: Chris Wilson Signed-off-by: Mika Kuoppala Signed-off-by: Daniel Vetter
---
 drivers/gpu/drm/i915/i915_cmd_parser.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/i915_cmd_parser.c b/drivers/gpu/drm/i915/i915_cmd_parser.c
index 9a6da3536ae52..61ae8ff4eaed9 100644
--- a/drivers/gpu/drm/i915/i915_cmd_parser.c
+++ b/drivers/gpu/drm/i915/i915_cmd_parser.c
@@ -836,8 +836,11 @@ static u32 *vmap_batch(struct drm_i915_gem_object *obj,
 }
 i = 0;
- for_each_sg_page(obj->pages->sgl, &sg_iter, npages, first_page)
+ for_each_sg_page(obj->pages->sgl, &sg_iter, obj->pages->nents, first_page) {
 pages[i++] = sg_page_iter_page(&sg_iter);
+ if (i == npages)
+ break;
+ }
 addr = vmap(pages, i, 0, PAGE_KERNEL);
 if (addr == NULL) {
-- 
2.39.5
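Review bot: The new bound in the for_each_sg_page() loop is tested only after `pages[i++]` has been written, so the loop still stores one entry when npages is 0, and `i == npages` can then never become true. npages is computed outside this hunk, so whether zero is reachable cannot be confirmed from here; testing first, with `if (i == npages) break;` placed ahead of the store, keeps the write inside pages[] regardless. The loop can also finish with fewer than npages entries if the sg table is shorter than expected, and vmap() is then called with the smaller i; a check such as `if (i != npages)` before vmap() would keep a short mapping from being returned as if it covered the requested range. vmap_batch()'s body starts and ends outside the hunk.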