diff options
| author | Chris Wilson <chris@chris-wilson.co.uk> | 2009-09-15 23:23:18 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2009-10-05 09:32:07 -0700 |
| commit | c10bea0fd064017b07714512bb1a1da0502c50e9 (patch) | |
| tree | 8e8300b2492212a0e8ab48f22f6b81461e8d061c /drivers | |
| parent | 485571eb15c87439d56c4bd6ace25ee63d432726 (diff) | |
| download | lwn-c10bea0fd064017b07714512bb1a1da0502c50e9.tar.gz lwn-c10bea0fd064017b07714512bb1a1da0502c50e9.zip | |
drm/i915: Check that the relocation points to within the target
commit cd0b9fb400ba775737bdc3874c4cbee4047e66d8 upstream.
Eric noted a potential concern with the low bits not being strictly used
as part of the absolute offset (instead part of the command stream to the
GPU), but in practice that should not be an issue.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Tested-by: Andy Whitcroft <apw@canonical.com>
Cc: Eric Anholt <eric@anholt.net>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/gpu/drm/i915/i915_gem.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c index f19abbe624d1..f45d38cf7a15 100644 --- a/drivers/gpu/drm/i915/i915_gem.c +++ b/drivers/gpu/drm/i915/i915_gem.c @@ -3006,6 +3006,16 @@ i915_gem_object_pin_and_relocate(struct drm_gem_object *obj, return -EINVAL; } + if (reloc->delta >= target_obj->size) { + DRM_ERROR("Relocation beyond target object bounds: " + "obj %p target %d delta %d size %d.\n", + obj, reloc->target_handle, + (int) reloc->delta, (int) target_obj->size); + drm_gem_object_unreference(target_obj); + i915_gem_object_unpin(obj); + return -EINVAL; + } + if (reloc->write_domain & I915_GEM_DOMAIN_CPU || reloc->read_domains & I915_GEM_DOMAIN_CPU) { DRM_ERROR("reloc with read/write CPU domains: " |