summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChris Wilson <chris@chris-wilson.co.uk>2009-09-16 00:23:18 +0200
committerJesse Barnes <jbarnes@virtuousgeek.org>2009-09-19 00:31:21 +0200
commitcd0b9fb400ba775737bdc3874c4cbee4047e66d8 (patch)
treef5816a8740c8bf4b01381f9fb67b58a1ebf0c82e
parentdrm/i915: correct FBC update when pipe base update occurs (diff)
downloadlinux-cd0b9fb400ba775737bdc3874c4cbee4047e66d8.tar.xz
linux-cd0b9fb400ba775737bdc3874c4cbee4047e66d8.zip
drm/i915: Check that the relocation points to within the target
Eric noted a potential concern with the low bits not being strictly used as part of the absolute offset (instead part of the command stream to the GPU), but in practice that should not be an issue. Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> Tested-by: Andy Whitcroft <apw@canonical.com> Cc: Eric Anholt <eric@anholt.net> CC: stable@kernel.org Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
-rw-r--r--drivers/gpu/drm/i915/i915_gem.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index 725b4484a092..c60ca32f65d2 100644
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -3158,6 +3158,16 @@ i915_gem_object_pin_and_relocate(struct drm_gem_object *obj,
return -EINVAL;
}
+ if (reloc->delta >= target_obj->size) {
+ DRM_ERROR("Relocation beyond target object bounds: "
+ "obj %p target %d delta %d size %d.\n",
+ obj, reloc->target_handle,
+ (int) reloc->delta, (int) target_obj->size);
+ drm_gem_object_unreference(target_obj);
+ i915_gem_object_unpin(obj);
+ return -EINVAL;
+ }
+
if (reloc->write_domain & I915_GEM_DOMAIN_CPU ||
reloc->read_domains & I915_GEM_DOMAIN_CPU) {
DRM_ERROR("reloc with read/write CPU domains: "