Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Merge branch 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6

* 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
  agp: fix arbitrary kernel memory writes
  agp: fix OOM and buffer overflow
  drm/radeon/kms: fix IH writeback on r6xx+ on big endian machines
Linus Torvalds 14 years ago
parent
25b210371f 194b3da873
commit
8ed54bd565
3 changed files with 17 additions and 6 deletions
Split View Show Diff Stats
  1. 15 4
      drivers/char/agp/generic.c
  2. 1 1
      drivers/gpu/drm/radeon/evergreen.c
  3. 1 1
      drivers/gpu/drm/radeon/r600.c

+ 15 - 4
drivers/char/agp/generic.c
View File 

@@ -115,6 +115,9 @@ static struct agp_memory *agp_create_user_memory(unsigned long num_agp_pages)
 
 	struct agp_memory *new;
 
 	unsigned long alloc_size = num_agp_pages*sizeof(struct page *);
 
 
+	if (INT_MAX/sizeof(struct page *) < num_agp_pages)
 
+		return NULL;
 
+
 
 	new = kzalloc(sizeof(struct agp_memory), GFP_KERNEL);
 
 	if (new == NULL)
 
 		return NULL;
 
@@ -234,11 +237,14 @@ struct agp_memory *agp_allocate_memory(struct agp_bridge_data *bridge,
 
 	int scratch_pages;
 
 	struct agp_memory *new;
 
 	size_t i;
 
+	int cur_memory;
 
 
 	if (!bridge)
 
 		return NULL;
 
 
-	if ((atomic_read(&bridge->current_memory_agp) + page_count) > bridge->max_memory_agp)
 
+	cur_memory = atomic_read(&bridge->current_memory_agp);
 
+	if ((cur_memory + page_count > bridge->max_memory_agp) ||
 
+	    (cur_memory + page_count < page_count))
 
 		return NULL;
 
 
 	if (type >= AGP_USER_TYPES) {
 
@@ -1089,8 +1095,8 @@ int agp_generic_insert_memory(struct agp_memory * mem, off_t pg_start, int type)
 
 		return -EINVAL;
 
 	}
 
 
-	/* AK: could wrap */
 
-	if ((pg_start + mem->page_count) > num_entries)
 
+	if (((pg_start + mem->page_count) > num_entries) ||
 
+	    ((pg_start + mem->page_count) < pg_start))
 
 		return -EINVAL;
 
 
 	j = pg_start;
 
@@ -1124,7 +1130,7 @@ int agp_generic_remove_memory(struct agp_memory *mem, off_t pg_start, int type)
 
 {
 
 	size_t i;
 
 	struct agp_bridge_data *bridge;
 
-	int mask_type;
 
+	int mask_type, num_entries;
 
 
 	bridge = mem->bridge;
 
 	if (!bridge)
 
@@ -1136,6 +1142,11 @@ int agp_generic_remove_memory(struct agp_memory *mem, off_t pg_start, int type)
 
 	if (type != mem->type)
 
 		return -EINVAL;
 
 
+	num_entries = agp_num_entries();
 
+	if (((pg_start + mem->page_count) > num_entries) ||
 
+	    ((pg_start + mem->page_count) < pg_start))
 
+		return -EINVAL;
 
+
 
 	mask_type = bridge->driver->agp_type_to_mask_type(bridge, type);
 
 	if (mask_type != 0) {
 
 		/* The generic routines know nothing of memory types */

+ 1 - 1
drivers/gpu/drm/radeon/evergreen.c
View File 

@@ -2580,7 +2580,7 @@ static inline u32 evergreen_get_ih_wptr(struct radeon_device *rdev)
 
 	u32 wptr, tmp;
 
 
 	if (rdev->wb.enabled)
 
-		wptr = rdev->wb.wb[R600_WB_IH_WPTR_OFFSET/4];
 
+		wptr = le32_to_cpu(rdev->wb.wb[R600_WB_IH_WPTR_OFFSET/4]);
 
 	else
 
 		wptr = RREG32(IH_RB_WPTR);

+ 1 - 1
drivers/gpu/drm/radeon/r600.c
View File 

@@ -3231,7 +3231,7 @@ static inline u32 r600_get_ih_wptr(struct radeon_device *rdev)
 
 	u32 wptr, tmp;
 
 
 	if (rdev->wb.enabled)
 
-		wptr = rdev->wb.wb[R600_WB_IH_WPTR_OFFSET/4];
 
+		wptr = le32_to_cpu(rdev->wb.wb[R600_WB_IH_WPTR_OFFSET/4]);
 
 	else
 
 		wptr = RREG32(IH_RB_WPTR);