diff options
| author | Gerd Hoffmann <kraxel@redhat.com> | 2018-04-18 01:42:56 -0400 |
|---|---|---|
| committer | Sean Paul <seanpaul@chromium.org> | 2018-04-25 15:03:12 -0400 |
| commit | 66c0255cf58718517e4cdff3612b92b82c2bf71b (patch) | |
| tree | 6faec70fb71c58f12f639a2388756c65ac435899 | |
| parent | ab170c27361d1578b4769276ce2bbdb14394743d (diff) | |
qxl: fix qxl_release_{map,unmap}
s/PAGE_SIZE/PAGE_MASK/
Luckily release_offset is never larger than PAGE_SIZE, so the bug has no
bad side effects and managed to stay unnoticed for years that way ...
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Dave Airlie <airlied@redhat.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/20180418054257.15388-2-kraxel@redhat.com
Signed-off-by: Sean Paul <seanpaul@chromium.org>
| -rw-r--r-- | drivers/gpu/drm/qxl/qxl_ioctl.c | 4 | ||||
| -rw-r--r-- | drivers/gpu/drm/qxl/qxl_release.c | 6 |
2 files changed, 5 insertions, 5 deletions
diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c index e238a1a2eca1..6cc9f3367fa0 100644 --- a/drivers/gpu/drm/qxl/qxl_ioctl.c +++ b/drivers/gpu/drm/qxl/qxl_ioctl.c | |||
| @@ -182,9 +182,9 @@ static int qxl_process_single_command(struct qxl_device *qdev, | |||
| 182 | goto out_free_reloc; | 182 | goto out_free_reloc; |
| 183 | 183 | ||
| 184 | /* TODO copy slow path code from i915 */ | 184 | /* TODO copy slow path code from i915 */ |
| 185 | fb_cmd = qxl_bo_kmap_atomic_page(qdev, cmd_bo, (release->release_offset & PAGE_SIZE)); | 185 | fb_cmd = qxl_bo_kmap_atomic_page(qdev, cmd_bo, (release->release_offset & PAGE_MASK)); |
| 186 | unwritten = __copy_from_user_inatomic_nocache | 186 | unwritten = __copy_from_user_inatomic_nocache |
| 187 | (fb_cmd + sizeof(union qxl_release_info) + (release->release_offset & ~PAGE_SIZE), | 187 | (fb_cmd + sizeof(union qxl_release_info) + (release->release_offset & ~PAGE_MASK), |
| 188 | u64_to_user_ptr(cmd->command), cmd->command_size); | 188 | u64_to_user_ptr(cmd->command), cmd->command_size); |
| 189 | 189 | ||
| 190 | { | 190 | { |
diff --git a/drivers/gpu/drm/qxl/qxl_release.c b/drivers/gpu/drm/qxl/qxl_release.c index 5d84a66fed36..a0b4244d283d 100644 --- a/drivers/gpu/drm/qxl/qxl_release.c +++ b/drivers/gpu/drm/qxl/qxl_release.c | |||
| @@ -411,10 +411,10 @@ union qxl_release_info *qxl_release_map(struct qxl_device *qdev, | |||
| 411 | struct qxl_bo_list *entry = list_first_entry(&release->bos, struct qxl_bo_list, tv.head); | 411 | struct qxl_bo_list *entry = list_first_entry(&release->bos, struct qxl_bo_list, tv.head); |
| 412 | struct qxl_bo *bo = to_qxl_bo(entry->tv.bo); | 412 | struct qxl_bo *bo = to_qxl_bo(entry->tv.bo); |
| 413 | 413 | ||
| 414 | ptr = qxl_bo_kmap_atomic_page(qdev, bo, release->release_offset & PAGE_SIZE); | 414 | ptr = qxl_bo_kmap_atomic_page(qdev, bo, release->release_offset & PAGE_MASK); |
| 415 | if (!ptr) | 415 | if (!ptr) |
| 416 | return NULL; | 416 | return NULL; |
| 417 | info = ptr + (release->release_offset & ~PAGE_SIZE); | 417 | info = ptr + (release->release_offset & ~PAGE_MASK); |
| 418 | return info; | 418 | return info; |
| 419 | } | 419 | } |
| 420 | 420 | ||
| @@ -426,7 +426,7 @@ void qxl_release_unmap(struct qxl_device *qdev, | |||
| 426 | struct qxl_bo *bo = to_qxl_bo(entry->tv.bo); | 426 | struct qxl_bo *bo = to_qxl_bo(entry->tv.bo); |
| 427 | void *ptr; | 427 | void *ptr; |
| 428 | 428 | ||
| 429 | ptr = ((void *)info) - (release->release_offset & ~PAGE_SIZE); | 429 | ptr = ((void *)info) - (release->release_offset & ~PAGE_MASK); |
| 430 | qxl_bo_kunmap_atomic_page(qdev, bo, ptr); | 430 | qxl_bo_kunmap_atomic_page(qdev, bo, ptr); |
| 431 | } | 431 | } |
| 432 | 432 | ||