From mboxrd@z Thu Jan  1 00:00:00 1970
From: j.glisse@gmail.com
Subject: [PATCH 1/2] radeon/kms: fix dma relocation checking
Date: Wed,  9 Jan 2013 16:40:42 -0500
Message-ID: <1357767643-3538-1-git-send-email-j.glisse@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org>
Received: from mail-qa0-f45.google.com (mail-qa0-f45.google.com
	[209.85.216.45])
	by gabe.freedesktop.org (Postfix) with ESMTP id D39D1E5FB9
	for <dri-devel@lists.freedesktop.org>;
	Wed,  9 Jan 2013 13:43:57 -0800 (PST)
Received: by mail-qa0-f45.google.com with SMTP id j15so1086199qaq.11
	for <dri-devel@lists.freedesktop.org>;
	Wed, 09 Jan 2013 13:43:57 -0800 (PST)
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Sender: dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org
Errors-To: dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org
To: dri-devel@lists.freedesktop.org
Cc: Jerome Glisse <jglisse@redhat.com>
List-Id: dri-devel@lists.freedesktop.org

From: Jerome Glisse <jglisse@redhat.com>

We were checking the index against the size of the relocation buffer
instead of against the last index. This fix kernel segfault when
userspace submit ill formated command stream/relocation buffer pair.

Signed-off-by: Jerome Glisse <jglisse@redhat.com>
---
 drivers/gpu/drm/radeon/r600_cs.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/radeon/r600_cs.c b/drivers/gpu/drm/radeon/r600_cs.c
index 9ea13d0..f91919e 100644
--- a/drivers/gpu/drm/radeon/r600_cs.c
+++ b/drivers/gpu/drm/radeon/r600_cs.c
@@ -2561,16 +2561,16 @@ int r600_dma_cs_next_reloc(struct radeon_cs_parser *p,
 	struct radeon_cs_chunk *relocs_chunk;
 	unsigned idx;
 
+	*cs_reloc = NULL;
 	if (p->chunk_relocs_idx == -1) {
 		DRM_ERROR("No relocation chunk !\n");
 		return -EINVAL;
 	}
-	*cs_reloc = NULL;
 	relocs_chunk = &p->chunks[p->chunk_relocs_idx];
 	idx = p->dma_reloc_idx;
-	if (idx >= relocs_chunk->length_dw) {
+	if (idx >= p->nrelocs) {
 		DRM_ERROR("Relocs at %d after relocations chunk end %d !\n",
-			  idx, relocs_chunk->length_dw);
+			  idx, p->nrelocs);
 		return -EINVAL;
 	}
 	*cs_reloc = p->relocs_ptr[idx];
-- 
1.7.11.7