diff options
Diffstat (limited to 'drivers/gpu/drm/i915/i915_gem.c')
-rw-r--r-- | drivers/gpu/drm/i915/i915_gem.c | 54 |
1 files changed, 29 insertions, 25 deletions
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c index cf4ffbee1c00..90b1d6753b9d 100644 --- a/drivers/gpu/drm/i915/i915_gem.c +++ b/drivers/gpu/drm/i915/i915_gem.c | |||
@@ -136,14 +136,12 @@ i915_gem_create_ioctl(struct drm_device *dev, void *data, | |||
136 | return -ENOMEM; | 136 | return -ENOMEM; |
137 | 137 | ||
138 | ret = drm_gem_handle_create(file_priv, obj, &handle); | 138 | ret = drm_gem_handle_create(file_priv, obj, &handle); |
139 | /* drop reference from allocate - handle holds it now */ | ||
140 | drm_gem_object_unreference_unlocked(obj); | ||
139 | if (ret) { | 141 | if (ret) { |
140 | drm_gem_object_unreference_unlocked(obj); | ||
141 | return ret; | 142 | return ret; |
142 | } | 143 | } |
143 | 144 | ||
144 | /* Sink the floating reference from kref_init(handlecount) */ | ||
145 | drm_gem_object_handle_unreference_unlocked(obj); | ||
146 | |||
147 | args->handle = handle; | 145 | args->handle = handle; |
148 | return 0; | 146 | return 0; |
149 | } | 147 | } |
@@ -471,14 +469,17 @@ i915_gem_pread_ioctl(struct drm_device *dev, void *data, | |||
471 | return -ENOENT; | 469 | return -ENOENT; |
472 | obj_priv = to_intel_bo(obj); | 470 | obj_priv = to_intel_bo(obj); |
473 | 471 | ||
474 | /* Bounds check source. | 472 | /* Bounds check source. */ |
475 | * | 473 | if (args->offset > obj->size || args->size > obj->size - args->offset) { |
476 | * XXX: This could use review for overflow issues... | 474 | ret = -EINVAL; |
477 | */ | 475 | goto err; |
478 | if (args->offset > obj->size || args->size > obj->size || | 476 | } |
479 | args->offset + args->size > obj->size) { | 477 | |
480 | drm_gem_object_unreference_unlocked(obj); | 478 | if (!access_ok(VERIFY_WRITE, |
481 | return -EINVAL; | 479 | (char __user *)(uintptr_t)args->data_ptr, |
480 | args->size)) { | ||
481 | ret = -EFAULT; | ||
482 | goto err; | ||
482 | } | 483 | } |
483 | 484 | ||
484 | if (i915_gem_object_needs_bit17_swizzle(obj)) { | 485 | if (i915_gem_object_needs_bit17_swizzle(obj)) { |
@@ -490,8 +491,8 @@ i915_gem_pread_ioctl(struct drm_device *dev, void *data, | |||
490 | file_priv); | 491 | file_priv); |
491 | } | 492 | } |
492 | 493 | ||
494 | err: | ||
493 | drm_gem_object_unreference_unlocked(obj); | 495 | drm_gem_object_unreference_unlocked(obj); |
494 | |||
495 | return ret; | 496 | return ret; |
496 | } | 497 | } |
497 | 498 | ||
@@ -580,8 +581,6 @@ i915_gem_gtt_pwrite_fast(struct drm_device *dev, struct drm_gem_object *obj, | |||
580 | 581 | ||
581 | user_data = (char __user *) (uintptr_t) args->data_ptr; | 582 | user_data = (char __user *) (uintptr_t) args->data_ptr; |
582 | remain = args->size; | 583 | remain = args->size; |
583 | if (!access_ok(VERIFY_READ, user_data, remain)) | ||
584 | return -EFAULT; | ||
585 | 584 | ||
586 | 585 | ||
587 | mutex_lock(&dev->struct_mutex); | 586 | mutex_lock(&dev->struct_mutex); |
@@ -934,14 +933,17 @@ i915_gem_pwrite_ioctl(struct drm_device *dev, void *data, | |||
934 | return -ENOENT; | 933 | return -ENOENT; |
935 | obj_priv = to_intel_bo(obj); | 934 | obj_priv = to_intel_bo(obj); |
936 | 935 | ||
937 | /* Bounds check destination. | 936 | /* Bounds check destination. */ |
938 | * | 937 | if (args->offset > obj->size || args->size > obj->size - args->offset) { |
939 | * XXX: This could use review for overflow issues... | 938 | ret = -EINVAL; |
940 | */ | 939 | goto err; |
941 | if (args->offset > obj->size || args->size > obj->size || | 940 | } |
942 | args->offset + args->size > obj->size) { | 941 | |
943 | drm_gem_object_unreference_unlocked(obj); | 942 | if (!access_ok(VERIFY_READ, |
944 | return -EINVAL; | 943 | (char __user *)(uintptr_t)args->data_ptr, |
944 | args->size)) { | ||
945 | ret = -EFAULT; | ||
946 | goto err; | ||
945 | } | 947 | } |
946 | 948 | ||
947 | /* We can only do the GTT pwrite on untiled buffers, as otherwise | 949 | /* We can only do the GTT pwrite on untiled buffers, as otherwise |
@@ -975,8 +977,8 @@ i915_gem_pwrite_ioctl(struct drm_device *dev, void *data, | |||
975 | DRM_INFO("pwrite failed %d\n", ret); | 977 | DRM_INFO("pwrite failed %d\n", ret); |
976 | #endif | 978 | #endif |
977 | 979 | ||
980 | err: | ||
978 | drm_gem_object_unreference_unlocked(obj); | 981 | drm_gem_object_unreference_unlocked(obj); |
979 | |||
980 | return ret; | 982 | return ret; |
981 | } | 983 | } |
982 | 984 | ||
@@ -2400,7 +2402,7 @@ i915_gem_clear_fence_reg(struct drm_gem_object *obj) | |||
2400 | I915_WRITE64(FENCE_REG_965_0 + (obj_priv->fence_reg * 8), 0); | 2402 | I915_WRITE64(FENCE_REG_965_0 + (obj_priv->fence_reg * 8), 0); |
2401 | break; | 2403 | break; |
2402 | case 3: | 2404 | case 3: |
2403 | if (obj_priv->fence_reg > 8) | 2405 | if (obj_priv->fence_reg >= 8) |
2404 | fence_reg = FENCE_REG_945_8 + (obj_priv->fence_reg - 8) * 4; | 2406 | fence_reg = FENCE_REG_945_8 + (obj_priv->fence_reg - 8) * 4; |
2405 | else | 2407 | else |
2406 | case 2: | 2408 | case 2: |
@@ -3258,6 +3260,8 @@ i915_gem_object_pin_and_relocate(struct drm_gem_object *obj, | |||
3258 | (int) reloc->offset, | 3260 | (int) reloc->offset, |
3259 | reloc->read_domains, | 3261 | reloc->read_domains, |
3260 | reloc->write_domain); | 3262 | reloc->write_domain); |
3263 | drm_gem_object_unreference(target_obj); | ||
3264 | i915_gem_object_unpin(obj); | ||
3261 | return -EINVAL; | 3265 | return -EINVAL; |
3262 | } | 3266 | } |
3263 | if (reloc->write_domain & I915_GEM_DOMAIN_CPU || | 3267 | if (reloc->write_domain & I915_GEM_DOMAIN_CPU || |