From patchwork Wed Jan 9 21:40:42 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jerome Glisse X-Patchwork-Id: 1956951 Return-Path: X-Original-To: patchwork-dri-devel@patchwork.kernel.org Delivered-To: patchwork-process-083081@patchwork1.kernel.org Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) by patchwork1.kernel.org (Postfix) with ESMTP id 7F6AB40232 for ; Wed, 9 Jan 2013 21:44:10 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 7D806E66E6 for ; Wed, 9 Jan 2013 13:44:10 -0800 (PST) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from mail-qa0-f45.google.com (mail-qa0-f45.google.com [209.85.216.45]) by gabe.freedesktop.org (Postfix) with ESMTP id D39D1E5FB9 for ; Wed, 9 Jan 2013 13:43:57 -0800 (PST) Received: by mail-qa0-f45.google.com with SMTP id j15so1086199qaq.11 for ; Wed, 09 Jan 2013 13:43:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=x-received:from:to:cc:subject:date:message-id:x-mailer; bh=N60p1AH8ITk5yLG2BTqZKknWlatX7t20zyvMQ73VMD8=; b=uvL0Iku4WJSMHMI57k3Dg+QvI7XIPASVtiMIAt6ppy/M2lFAbPjL4fkPFvnNPo/moi ocplNdgJj+2KdtrNkp2fH+fuNLfkfav9WlpEnEw5Q+1kGf/0lGtZQFbYO4/gJhaGr01g NDEfwm/xA4mx/3YziW1HXuDgrox5tJoejHEHVZm51DA8mtbGu/5+b8vb8N5sFyitnegs OVFqMDegDbcyo00KFCQGzZtPF+HB9/r0k5/TjU1KdEEEVTSjZHHWEMXEFTkUvY5/flAZ GNzF27FZwtro3asq1MlI6rsoYc2yN7nNgxt+gWdeHAID/Zw8AgymoIXC13AFL5jnimVv Ohag== X-Received: by 10.49.71.178 with SMTP id w18mr63915935qeu.11.1357767837164; Wed, 09 Jan 2013 13:43:57 -0800 (PST) Received: from localhost.boston.devel.redhat.com ([66.187.233.206]) by mx.google.com with ESMTPS id hn9sm23818499qab.8.2013.01.09.13.43.55 (version=SSLv3 cipher=OTHER); Wed, 09 Jan 2013 13:43:56 -0800 (PST) From: j.glisse@gmail.com To: dri-devel@lists.freedesktop.org Subject: [PATCH 1/2] radeon/kms: fix dma relocation checking Date: Wed, 9 Jan 2013 16:40:42 -0500 Message-Id: <1357767643-3538-1-git-send-email-j.glisse@gmail.com> X-Mailer: git-send-email 1.7.11.7 Cc: Jerome Glisse X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org Errors-To: dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org From: Jerome Glisse We were checking the index against the size of the relocation buffer instead of against the last index. This fix kernel segfault when userspace submit ill formated command stream/relocation buffer pair. Signed-off-by: Jerome Glisse --- drivers/gpu/drm/radeon/r600_cs.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/radeon/r600_cs.c b/drivers/gpu/drm/radeon/r600_cs.c index 9ea13d0..f91919e 100644 --- a/drivers/gpu/drm/radeon/r600_cs.c +++ b/drivers/gpu/drm/radeon/r600_cs.c @@ -2561,16 +2561,16 @@ int r600_dma_cs_next_reloc(struct radeon_cs_parser *p, struct radeon_cs_chunk *relocs_chunk; unsigned idx; + *cs_reloc = NULL; if (p->chunk_relocs_idx == -1) { DRM_ERROR("No relocation chunk !\n"); return -EINVAL; } - *cs_reloc = NULL; relocs_chunk = &p->chunks[p->chunk_relocs_idx]; idx = p->dma_reloc_idx; - if (idx >= relocs_chunk->length_dw) { + if (idx >= p->nrelocs) { DRM_ERROR("Relocs at %d after relocations chunk end %d !\n", - idx, relocs_chunk->length_dw); + idx, p->nrelocs); return -EINVAL; } *cs_reloc = p->relocs_ptr[idx];