[1/2] radeon/kms: fix dma relocation checking

Commit Message

Jerome Glisse Jan. 9, 2013, 9:40 p.m. UTC

From: Jerome Glisse <jglisse@redhat.com>

We were checking the index against the size of the relocation buffer
instead of against the last index. This fix kernel segfault when
userspace submit ill formated command stream/relocation buffer pair.

Signed-off-by: Jerome Glisse <jglisse@redhat.com>
---
 drivers/gpu/drm/radeon/r600_cs.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

Comments

Alex Deucher Jan. 9, 2013, 9:59 p.m. UTC | #1

On Wed, Jan 9, 2013 at 4:40 PM,  <j.glisse@gmail.com> wrote:
> From: Jerome Glisse <jglisse@redhat.com>
>
> We were checking the index against the size of the relocation buffer
> instead of against the last index. This fix kernel segfault when
> userspace submit ill formated command stream/relocation buffer pair.
>
> Signed-off-by: Jerome Glisse <jglisse@redhat.com>

Added to my -fixes queue.  thanks!

Alex

Patch

diff --git a/drivers/gpu/drm/radeon/r600_cs.c b/drivers/gpu/drm/radeon/r600_cs.c
index 9ea13d0..f91919e 100644
--- a/drivers/gpu/drm/radeon/r600_cs.c
+++ b/drivers/gpu/drm/radeon/r600_cs.c
@@ -2561,16 +2561,16 @@  int r600_dma_cs_next_reloc(struct radeon_cs_parser *p,
 	struct radeon_cs_chunk *relocs_chunk;
 	unsigned idx;
 
+	*cs_reloc = NULL;
 	if (p->chunk_relocs_idx == -1) {
 		DRM_ERROR("No relocation chunk !\n");
 		return -EINVAL;
 	}
-	*cs_reloc = NULL;
 	relocs_chunk = &p->chunks[p->chunk_relocs_idx];
 	idx = p->dma_reloc_idx;
-	if (idx >= relocs_chunk->length_dw) {
+	if (idx >= p->nrelocs) {
 		DRM_ERROR("Relocs at %d after relocations chunk end %d !\n",
-			  idx, relocs_chunk->length_dw);
+			  idx, p->nrelocs);
 		return -EINVAL;
 	}
 	*cs_reloc = p->relocs_ptr[idx];