diff options
author | Thomas Hellstrom <unichrome@shipmail.org> | 2004-12-06 11:19:23 +0000 |
---|---|---|
committer | Thomas Hellstrom <unichrome@shipmail.org> | 2004-12-06 11:19:23 +0000 |
commit | 1fbfd9eb32220a10d66373b77172965cfeccd4f7 (patch) | |
tree | b3d575f5a2a104b28aece230c6983e88c8d66908 /shared-core/via_dma.c | |
parent | 267e0645272720344eb7556a948e72112edbe2ec (diff) |
Security and optimization fixes for the via drm:
1. The command verifier was never initialized in the non-core source tree.
2. Check added that the AGP ring buffer has been initialized before
accepting command buffer.
3. Free space check in the AGP buffer is moved to after command
verification, which is more optimal in most cases.
Diffstat (limited to 'shared-core/via_dma.c')
-rw-r--r-- | shared-core/via_dma.c | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/shared-core/via_dma.c b/shared-core/via_dma.c index 0c2ac470..ac7b7bea 100644 --- a/shared-core/via_dma.c +++ b/shared-core/via_dma.c @@ -170,19 +170,22 @@ int via_dma_init(DRM_IOCTL_ARGS) static int via_dispatch_cmdbuffer(drm_device_t * dev, drm_via_cmdbuffer_t * cmd) { - drm_via_private_t *dev_priv = dev->dev_private; + drm_via_private_t *dev_priv; uint32_t *vb; int ret; + dev_priv = (drm_via_private_t *) dev->dev_private; + + if (dev_priv->ring.virtual_start == NULL) { + DRM_ERROR("%s called without initializing AGP ring buffer.\n", + __FUNCTION__); + return DRM_ERR(EFAULT); + } if (cmd->size > pci_bufsiz && pci_bufsiz > 0) { return DRM_ERR(ENOMEM); } - vb = via_check_dma(dev_priv, cmd->size); - if (vb == NULL) { - return DRM_ERR(EAGAIN); - } if (DRM_COPY_FROM_USER(pci_buf, cmd->buf, cmd->size)) return DRM_ERR(EFAULT); @@ -198,6 +201,11 @@ static int via_dispatch_cmdbuffer(drm_device_t * dev, drm_via_cmdbuffer_t * cmd) return ret; } + vb = via_check_dma(dev_priv, cmd->size); + if (vb == NULL) { + return DRM_ERR(EAGAIN); + } + memcpy(vb, pci_buf, cmd->size); dev_priv->dma_low += cmd->size; |