diff options
author | Dave Airlie <airlied@redhat.com> | 2009-06-30 11:47:14 +1000 |
---|---|---|
committer | Dave Airlie <airlied@redhat.com> | 2009-07-15 17:13:15 +1000 |
commit | 5176fdc4c5873e52f9cb6e166d80e843847e7eb4 (patch) | |
tree | a9b1638a5f94252d07b5b31793ec41a08346714d /drivers | |
parent | e7168cab5bbac0a0e5413fd55ba0e92555bf860d (diff) | |
download | op-kernel-dev-5176fdc4c5873e52f9cb6e166d80e843847e7eb4.zip op-kernel-dev-5176fdc4c5873e52f9cb6e166d80e843847e7eb4.tar.gz |
drm/radeon/kms: drop zero length CS indirect buffers.
If userspace sends a zero length IB, it really shouldn't have bothered
so EINVAL it.
Signed-off-by: Dave Airlie <airlied@redhat.com>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/gpu/drm/radeon/radeon_cs.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/drivers/gpu/drm/radeon/radeon_cs.c b/drivers/gpu/drm/radeon/radeon_cs.c index b843f9b..a169067 100644 --- a/drivers/gpu/drm/radeon/radeon_cs.c +++ b/drivers/gpu/drm/radeon/radeon_cs.c @@ -127,17 +127,23 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data) sizeof(struct drm_radeon_cs_chunk))) { return -EFAULT; } + p->chunks[i].length_dw = user_chunk.length_dw; + p->chunks[i].kdata = NULL; p->chunks[i].chunk_id = user_chunk.chunk_id; + if (p->chunks[i].chunk_id == RADEON_CHUNK_ID_RELOCS) { p->chunk_relocs_idx = i; } if (p->chunks[i].chunk_id == RADEON_CHUNK_ID_IB) { p->chunk_ib_idx = i; + /* zero length IB isn't useful */ + if (p->chunks[i].length_dw == 0) + return -EINVAL; } + p->chunks[i].length_dw = user_chunk.length_dw; cdata = (uint32_t *)(unsigned long)user_chunk.chunk_data; - p->chunks[i].kdata = NULL; size = p->chunks[i].length_dw * sizeof(uint32_t); p->chunks[i].kdata = kzalloc(size, GFP_KERNEL); if (p->chunks[i].kdata == NULL) { |