radeon/kms: fix dma relocation checking

We were checking the index against the size of the relocation buffer instead of against the last index. This fix kernel segfault when userspace submit ill formated command stream/relocation buffer pair. Signed-off-by: Jerome Glisse <jglisse@redhat.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
author: Jerome Glisse <jglisse@redhat.com> 2013-01-09 16:40:42 -0500
committer: Alex Deucher <alexander.deucher@amd.com> 2013-01-10 17:05:38 -0500
commit: 9305ede6afe2998b391cd225e02a18f37d62028e (patch)
tree: 3f5256256b89fe06c94a23fa8f29fb792799ea15
parent: 51861d4eebc2ddc25c77084343d060fa79f6e291 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/drivers/gpu/drm/radeon/r600_cs.c b/drivers/gpu/drm/radeon/r600_cs.c
index 6858a4068f7b..69ec24ab8d63 100644
--- a/drivers/gpu/drm/radeon/r600_cs.c
+++ b/drivers/gpu/drm/radeon/r600_cs.c
@@ -2563,16 +2563,16 @@ int r600_dma_cs_next_reloc(struct radeon_cs_parser *p,
        struct radeon_cs_chunk *relocs_chunk;
        unsigned idx;
+        *cs_reloc = NULL;
        if (p->chunk_relocs_idx == -1) {
                DRM_ERROR("No relocation chunk !\n");
                return -EINVAL;
        }
-        *cs_reloc = NULL;
        relocs_chunk = &p->chunks[p->chunk_relocs_idx];
        idx = p->dma_reloc_idx;
-        if (idx >= relocs_chunk->length_dw) {
+        if (idx >= p->nrelocs) {
                DRM_ERROR("Relocs at %d after relocations chunk end %d !\n",
-                          idx, relocs_chunk->length_dw);
+                          idx, p->nrelocs);
                return -EINVAL;
        }
        *cs_reloc = p->relocs_ptr[idx];
author	Jerome Glisse <jglisse@redhat.com>	2013-01-09 16:40:42 -0500
committer	Alex Deucher <alexander.deucher@amd.com>	2013-01-10 17:05:38 -0500
commit	9305ede6afe2998b391cd225e02a18f37d62028e (patch)
tree	3f5256256b89fe06c94a23fa8f29fb792799ea15
parent	51861d4eebc2ddc25c77084343d060fa79f6e291 (diff)