aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDave Airlie <airlied@redhat.com>2009-06-30 11:47:14 +1000
committerDave Airlie <airlied@redhat.com>2009-07-15 17:13:15 +1000
commit5176fdc4c5873e52f9cb6e166d80e843847e7eb4 (patch)
treea9b1638a5f94252d07b5b31793ec41a08346714d
parente7168cab5bbac0a0e5413fd55ba0e92555bf860d (diff)
drm/radeon/kms: drop zero length CS indirect buffers.
If userspace sends a zero length IB, it really shouldn't have bothered so EINVAL it. Signed-off-by: Dave Airlie <airlied@redhat.com>
-rw-r--r--drivers/gpu/drm/radeon/radeon_cs.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/drivers/gpu/drm/radeon/radeon_cs.c b/drivers/gpu/drm/radeon/radeon_cs.c
index b843f9bdfb1..a169067efc4 100644
--- a/drivers/gpu/drm/radeon/radeon_cs.c
+++ b/drivers/gpu/drm/radeon/radeon_cs.c
@@ -127,17 +127,23 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data)
sizeof(struct drm_radeon_cs_chunk))) {
return -EFAULT;
}
+ p->chunks[i].length_dw = user_chunk.length_dw;
+ p->chunks[i].kdata = NULL;
p->chunks[i].chunk_id = user_chunk.chunk_id;
+
if (p->chunks[i].chunk_id == RADEON_CHUNK_ID_RELOCS) {
p->chunk_relocs_idx = i;
}
if (p->chunks[i].chunk_id == RADEON_CHUNK_ID_IB) {
p->chunk_ib_idx = i;
+ /* zero length IB isn't useful */
+ if (p->chunks[i].length_dw == 0)
+ return -EINVAL;
}
+
p->chunks[i].length_dw = user_chunk.length_dw;
cdata = (uint32_t *)(unsigned long)user_chunk.chunk_data;
- p->chunks[i].kdata = NULL;
size = p->chunks[i].length_dw * sizeof(uint32_t);
p->chunks[i].kdata = kzalloc(size, GFP_KERNEL);
if (p->chunks[i].kdata == NULL) {