Commit 9305ede6 authored by Jerome Glisse's avatar Jerome Glisse Committed by Alex Deucher

radeon/kms: fix dma relocation checking

We were checking the index against the size of the relocation buffer
instead of against the last index. This fix kernel segfault when
userspace submit ill formated command stream/relocation buffer pair.
Signed-off-by: default avatarJerome Glisse <jglisse@redhat.com>
Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
parent 51861d4e
...@@ -2563,16 +2563,16 @@ int r600_dma_cs_next_reloc(struct radeon_cs_parser *p, ...@@ -2563,16 +2563,16 @@ int r600_dma_cs_next_reloc(struct radeon_cs_parser *p,
struct radeon_cs_chunk *relocs_chunk; struct radeon_cs_chunk *relocs_chunk;
unsigned idx; unsigned idx;
*cs_reloc = NULL;
if (p->chunk_relocs_idx == -1) { if (p->chunk_relocs_idx == -1) {
DRM_ERROR("No relocation chunk !\n"); DRM_ERROR("No relocation chunk !\n");
return -EINVAL; return -EINVAL;
} }
*cs_reloc = NULL;
relocs_chunk = &p->chunks[p->chunk_relocs_idx]; relocs_chunk = &p->chunks[p->chunk_relocs_idx];
idx = p->dma_reloc_idx; idx = p->dma_reloc_idx;
if (idx >= relocs_chunk->length_dw) { if (idx >= p->nrelocs) {
DRM_ERROR("Relocs at %d after relocations chunk end %d !\n", DRM_ERROR("Relocs at %d after relocations chunk end %d !\n",
idx, relocs_chunk->length_dw); idx, p->nrelocs);
return -EINVAL; return -EINVAL;
} }
*cs_reloc = p->relocs_ptr[idx]; *cs_reloc = p->relocs_ptr[idx];
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment