* [PATCH] drm/nv50/fb: Fix nullptr-deref on IGPs
@ 2013-01-09 2:36 Roy Spliet
0 siblings, 0 replies; 4+ messages in thread
From: Roy Spliet @ 2013-01-09 2:36 UTC (permalink / raw)
To: Nouveau devlist; +Cc: Ben Skeggs, Roy Spliet
When COMP_MAX_TAG == 0, the tags mm was uninitialised. Fixed by initialising with zero length.
Signed-off-by: Roy Spliet <r.spliet-oe7qfRrRQfeEZXFvZSAUrfP6llvjuJOh@public.gmane.org>
Tested-by: Roy Spliet <r.spliet-oe7qfRrRQfeEZXFvZSAUrfP6llvjuJOh@public.gmane.org>
---
drivers/gpu/drm/nouveau/core/subdev/fb/base.c | 11 ++++++++---
drivers/gpu/drm/nouveau/core/subdev/fb/nv50.c | 5 +++--
2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/nouveau/core/subdev/fb/base.c b/drivers/gpu/drm/nouveau/core/subdev/fb/base.c
index d6d1600..695dde8 100644
--- a/drivers/gpu/drm/nouveau/core/subdev/fb/base.c
+++ b/drivers/gpu/drm/nouveau/core/subdev/fb/base.c
@@ -86,10 +86,15 @@ nouveau_fb_preinit(struct nouveau_fb *pfb)
return ret;
}
- if (!nouveau_mm_initialised(&pfb->tags) && tags) {
- ret = nouveau_mm_init(&pfb->tags, 0, ++tags, 1);
+ if (!nouveau_mm_initialised(&pfb->tags)) {
+ if(tags) {
+ ret = nouveau_mm_init(&pfb->tags, 0, ++tags, 1);
+ } else {
+ ret = nouveau_mm_init(&pfb->tags, 0, 0, 1);
+ }
+
if (ret)
- return ret;
+ return ret;
}
nv_info(pfb, "RAM type: %s\n", name[pfb->ram.type]);
diff --git a/drivers/gpu/drm/nouveau/core/subdev/fb/nv50.c b/drivers/gpu/drm/nouveau/core/subdev/fb/nv50.c
index a4338d9..0772ec9 100644
--- a/drivers/gpu/drm/nouveau/core/subdev/fb/nv50.c
+++ b/drivers/gpu/drm/nouveau/core/subdev/fb/nv50.c
@@ -101,7 +101,7 @@ nv50_fb_vram_init(struct nouveau_fb *pfb)
struct nouveau_bios *bios = nouveau_bios(device);
const u32 rsvd_head = ( 256 * 1024) >> 12; /* vga memory */
const u32 rsvd_tail = (1024 * 1024) >> 12; /* vbios etc */
- u32 size;
+ u32 size, tags = 0;
int ret;
pfb->ram.size = nv_rd32(pfb, 0x10020c);
@@ -142,10 +142,11 @@ nv50_fb_vram_init(struct nouveau_fb *pfb)
return ret;
pfb->ram.ranks = (nv_rd32(pfb, 0x100200) & 0x4) ? 2 : 1;
+ tags = nv_rd32(pfb, 0x100320);
break;
}
- return nv_rd32(pfb, 0x100320);
+ return tags;
}
static int
--
1.8.0.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH] drm/nv50/fb: Fix nullptr-deref on IGPs
@ 2013-01-09 2:40 Roy Spliet
[not found] ` <1357699233-29046-1-git-send-email-r.spliet-oe7qfRrRQfeEZXFvZSAUrfP6llvjuJOh@public.gmane.org>
0 siblings, 1 reply; 4+ messages in thread
From: Roy Spliet @ 2013-01-09 2:40 UTC (permalink / raw)
To: Nouveau devlist; +Cc: Ben Skeggs, Roy Spliet
When COMP_MAX_TAG == 0, the tags mm was uninitialised. Fixed by initialising with zero length.
v2: Fix style error
Signed-off-by: Roy Spliet <r.spliet-oe7qfRrRQfeEZXFvZSAUrfP6llvjuJOh@public.gmane.org>
Tested-by: Roy Spliet <r.spliet-oe7qfRrRQfeEZXFvZSAUrfP6llvjuJOh@public.gmane.org>
---
drivers/gpu/drm/nouveau/core/subdev/fb/base.c | 9 +++++++--
drivers/gpu/drm/nouveau/core/subdev/fb/nv50.c | 5 +++--
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/nouveau/core/subdev/fb/base.c b/drivers/gpu/drm/nouveau/core/subdev/fb/base.c
index d6d1600..e1b5773 100644
--- a/drivers/gpu/drm/nouveau/core/subdev/fb/base.c
+++ b/drivers/gpu/drm/nouveau/core/subdev/fb/base.c
@@ -86,8 +86,13 @@ nouveau_fb_preinit(struct nouveau_fb *pfb)
return ret;
}
- if (!nouveau_mm_initialised(&pfb->tags) && tags) {
- ret = nouveau_mm_init(&pfb->tags, 0, ++tags, 1);
+ if (!nouveau_mm_initialised(&pfb->tags)) {
+ if(tags) {
+ ret = nouveau_mm_init(&pfb->tags, 0, ++tags, 1);
+ } else {
+ ret = nouveau_mm_init(&pfb->tags, 0, 0, 1);
+ }
+
if (ret)
return ret;
}
diff --git a/drivers/gpu/drm/nouveau/core/subdev/fb/nv50.c b/drivers/gpu/drm/nouveau/core/subdev/fb/nv50.c
index a4338d9..0772ec9 100644
--- a/drivers/gpu/drm/nouveau/core/subdev/fb/nv50.c
+++ b/drivers/gpu/drm/nouveau/core/subdev/fb/nv50.c
@@ -101,7 +101,7 @@ nv50_fb_vram_init(struct nouveau_fb *pfb)
struct nouveau_bios *bios = nouveau_bios(device);
const u32 rsvd_head = ( 256 * 1024) >> 12; /* vga memory */
const u32 rsvd_tail = (1024 * 1024) >> 12; /* vbios etc */
- u32 size;
+ u32 size, tags = 0;
int ret;
pfb->ram.size = nv_rd32(pfb, 0x10020c);
@@ -142,10 +142,11 @@ nv50_fb_vram_init(struct nouveau_fb *pfb)
return ret;
pfb->ram.ranks = (nv_rd32(pfb, 0x100200) & 0x4) ? 2 : 1;
+ tags = nv_rd32(pfb, 0x100320);
break;
}
- return nv_rd32(pfb, 0x100320);
+ return tags;
}
static int
--
1.8.0.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] drm/nv50/fb: Fix nullptr-deref on IGPs
[not found] ` <1357699233-29046-1-git-send-email-r.spliet-oe7qfRrRQfeEZXFvZSAUrfP6llvjuJOh@public.gmane.org>
@ 2013-01-09 5:46 ` Emil Velikov
[not found] ` <50ED0440.5060609-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
0 siblings, 1 reply; 4+ messages in thread
From: Emil Velikov @ 2013-01-09 5:46 UTC (permalink / raw)
To: Roy Spliet; +Cc: Nouveau devlist, Ben Skeggs
On 09/01/13 02:40, Roy Spliet wrote:
> When COMP_MAX_TAG == 0, the tags mm was uninitialised. Fixed by initialising with zero length.
>
> v2: Fix style error
>
> Signed-off-by: Roy Spliet <r.spliet-oe7qfRrRQfeEZXFvZSAUrfP6llvjuJOh@public.gmane.org>
> Tested-by: Roy Spliet <r.spliet-oe7qfRrRQfeEZXFvZSAUrfP6llvjuJOh@public.gmane.org>
> ---
> drivers/gpu/drm/nouveau/core/subdev/fb/base.c | 9 +++++++--
> drivers/gpu/drm/nouveau/core/subdev/fb/nv50.c | 5 +++--
> 2 files changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/nouveau/core/subdev/fb/base.c b/drivers/gpu/drm/nouveau/core/subdev/fb/base.c
> index d6d1600..e1b5773 100644
> --- a/drivers/gpu/drm/nouveau/core/subdev/fb/base.c
> +++ b/drivers/gpu/drm/nouveau/core/subdev/fb/base.c
> @@ -86,8 +86,13 @@ nouveau_fb_preinit(struct nouveau_fb *pfb)
> return ret;
> }
>
> - if (!nouveau_mm_initialised(&pfb->tags) && tags) {
> - ret = nouveau_mm_init(&pfb->tags, 0, ++tags, 1);
Btw the commit that introduced this code, changed "tags" to "++tags"
> + if (!nouveau_mm_initialised(&pfb->tags)) {
> + if(tags) {
> + ret = nouveau_mm_init(&pfb->tags, 0, ++tags, 1);
> + } else {
> + ret = nouveau_mm_init(&pfb->tags, 0, 0, 1);
> + }
> +
> if (ret)
> return ret;
> }
> diff --git a/drivers/gpu/drm/nouveau/core/subdev/fb/nv50.c b/drivers/gpu/drm/nouveau/core/subdev/fb/nv50.c
> index a4338d9..0772ec9 100644
> --- a/drivers/gpu/drm/nouveau/core/subdev/fb/nv50.c
> +++ b/drivers/gpu/drm/nouveau/core/subdev/fb/nv50.c
> @@ -101,7 +101,7 @@ nv50_fb_vram_init(struct nouveau_fb *pfb)
> struct nouveau_bios *bios = nouveau_bios(device);
> const u32 rsvd_head = ( 256 * 1024) >> 12; /* vga memory */
> const u32 rsvd_tail = (1024 * 1024) >> 12; /* vbios etc */
> - u32 size;
> + u32 size, tags = 0;
> int ret;
>
> pfb->ram.size = nv_rd32(pfb, 0x10020c);
> @@ -142,10 +142,11 @@ nv50_fb_vram_init(struct nouveau_fb *pfb)
> return ret;
>
> pfb->ram.ranks = (nv_rd32(pfb, 0x100200) & 0x4) ? 2 : 1;
> + tags = nv_rd32(pfb, 0x100320);
> break;
> }
>
> - return nv_rd32(pfb, 0x100320);
> + return tags;
> }
>
> static int
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] drm/nv50/fb: Fix nullptr-deref on IGPs
[not found] ` <50ED0440.5060609-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
@ 2013-01-09 10:49 ` Roy Spliet
0 siblings, 0 replies; 4+ messages in thread
From: Roy Spliet @ 2013-01-09 10:49 UTC (permalink / raw)
To: Emil Velikov; +Cc: Nouveau devlist, Ben Skeggs
I reckon that's because COMP_TAGS_MAX returns the highest possible
value, and zero's a tag too?
Op 09-01-13 06:46, Emil Velikov schreef:
> On 09/01/13 02:40, Roy Spliet wrote:
>> When COMP_MAX_TAG == 0, the tags mm was uninitialised. Fixed by initialising with zero length.
>>
>> v2: Fix style error
>>
>> Signed-off-by: Roy Spliet <r.spliet-oe7qfRrRQfeEZXFvZSAUrfP6llvjuJOh@public.gmane.org>
>> Tested-by: Roy Spliet <r.spliet-oe7qfRrRQfeEZXFvZSAUrfP6llvjuJOh@public.gmane.org>
>> ---
>> drivers/gpu/drm/nouveau/core/subdev/fb/base.c | 9 +++++++--
>> drivers/gpu/drm/nouveau/core/subdev/fb/nv50.c | 5 +++--
>> 2 files changed, 10 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/nouveau/core/subdev/fb/base.c b/drivers/gpu/drm/nouveau/core/subdev/fb/base.c
>> index d6d1600..e1b5773 100644
>> --- a/drivers/gpu/drm/nouveau/core/subdev/fb/base.c
>> +++ b/drivers/gpu/drm/nouveau/core/subdev/fb/base.c
>> @@ -86,8 +86,13 @@ nouveau_fb_preinit(struct nouveau_fb *pfb)
>> return ret;
>> }
>>
>> - if (!nouveau_mm_initialised(&pfb->tags) && tags) {
>> - ret = nouveau_mm_init(&pfb->tags, 0, ++tags, 1);
> Btw the commit that introduced this code, changed "tags" to "++tags"
>
>> + if (!nouveau_mm_initialised(&pfb->tags)) {
>> + if(tags) {
>> + ret = nouveau_mm_init(&pfb->tags, 0, ++tags, 1);
>> + } else {
>> + ret = nouveau_mm_init(&pfb->tags, 0, 0, 1);
>> + }
>> +
>> if (ret)
>> return ret;
>> }
>> diff --git a/drivers/gpu/drm/nouveau/core/subdev/fb/nv50.c b/drivers/gpu/drm/nouveau/core/subdev/fb/nv50.c
>> index a4338d9..0772ec9 100644
>> --- a/drivers/gpu/drm/nouveau/core/subdev/fb/nv50.c
>> +++ b/drivers/gpu/drm/nouveau/core/subdev/fb/nv50.c
>> @@ -101,7 +101,7 @@ nv50_fb_vram_init(struct nouveau_fb *pfb)
>> struct nouveau_bios *bios = nouveau_bios(device);
>> const u32 rsvd_head = ( 256 * 1024) >> 12; /* vga memory */
>> const u32 rsvd_tail = (1024 * 1024) >> 12; /* vbios etc */
>> - u32 size;
>> + u32 size, tags = 0;
>> int ret;
>>
>> pfb->ram.size = nv_rd32(pfb, 0x10020c);
>> @@ -142,10 +142,11 @@ nv50_fb_vram_init(struct nouveau_fb *pfb)
>> return ret;
>>
>> pfb->ram.ranks = (nv_rd32(pfb, 0x100200) & 0x4) ? 2 : 1;
>> + tags = nv_rd32(pfb, 0x100320);
>> break;
>> }
>>
>> - return nv_rd32(pfb, 0x100320);
>> + return tags;
>> }
>>
>> static int
>>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2013-01-09 10:49 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-01-09 2:40 [PATCH] drm/nv50/fb: Fix nullptr-deref on IGPs Roy Spliet
[not found] ` <1357699233-29046-1-git-send-email-r.spliet-oe7qfRrRQfeEZXFvZSAUrfP6llvjuJOh@public.gmane.org>
2013-01-09 5:46 ` Emil Velikov
[not found] ` <50ED0440.5060609-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2013-01-09 10:49 ` Roy Spliet
-- strict thread matches above, loose matches on Subject: below --
2013-01-09 2:36 Roy Spliet
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.