drm: fd.o Bug #7595: Avoid u32 overflows in radeon_check_and_fixup_offset().

The overflows could cause valid offsets to get rejected under some circumstances, e.g. when the framebuffer resides at the very end of the card's address space. Signed-off-by: Dave Airlie <airlied@linux.ie>
author: Michel Daenzer <michel@tungstengraphics.com> 2006-09-21 14:12:11 -0400
committer: Dave Airlie <airlied@linux.ie> 2006-09-21 15:32:34 -0400
commit: 214ff13d9ebbba7940f29bc89669f85f12533083 (patch)
tree: bb1e106de12fca7046be3bc6b21cb13a765e4ea1
parent: 47cc140931cc03076014fdbfdd512d6dd9d74d34 (diff)
1 files changed, 12 insertions, 13 deletions
diff --git a/drivers/char/drm/radeon_state.c b/drivers/char/drm/radeon_state.c
index 0433ff80cb70..bcfa1514a4d0 100644
--- a/drivers/char/drm/radeon_state.c
+++ b/drivers/char/drm/radeon_state.c
@@ -42,7 +42,11 @@ static __inline__ int radeon_check_and_fixup_offset(drm_radeon_private_t *
                                                    drm_file_t * filp_priv,
                                                    u32 *offset)
 {
-        u32 off = *offset;
+        u64 off = *offset;
+        u32 fb_start = dev_priv->fb_location;
+        u32 fb_end = fb_start + dev_priv->fb_size - 1;
+        u32 gart_start = dev_priv->gart_vm_start;
+        u32 gart_end = gart_start + dev_priv->gart_size - 1;
        struct drm_radeon_driver_file_fields *radeon_priv;
        /* Hrm ... the story of the offset ... So this function converts
@@ -62,10 +66,8 @@ static __inline__ int radeon_check_and_fixup_offset(drm_radeon_private_t *
        /* First, the best case, the offset already lands in either the
         * framebuffer or the GART mapped space
         */
-        if ((off >= dev_priv->fb_location &&
+        if ((off >= fb_start && off <= fb_end) ||
-             off < (dev_priv->fb_location + dev_priv->fb_size)) ||
+            (off >= gart_start && off <= gart_end))
-            (off >= dev_priv->gart_vm_start &&
-             off < (dev_priv->gart_vm_start + dev_priv->gart_size)))
                return 0;
        /* Ok, that didn't happen... now check if we have a zero based
@@ -78,16 +80,13 @@ static __inline__ int radeon_check_and_fixup_offset(drm_radeon_private_t *
        }
        /* Finally, assume we aimed at a GART offset if beyond the fb */
-        if (off > (dev_priv->fb_location + dev_priv->fb_size))
+        if (off > fb_end)
-                off = off - (dev_priv->fb_location + dev_priv->fb_size) +
+                off = off - fb_end - 1 + gart_start;
-                        dev_priv->gart_vm_start;
        /* Now recheck and fail if out of bounds */
-        if ((off >= dev_priv->fb_location &&
+        if ((off >= fb_start && off <= fb_end) ||
-             off < (dev_priv->fb_location + dev_priv->fb_size)) ||
+            (off >= gart_start && off <= gart_end)) {
-            (off >= dev_priv->gart_vm_start &&
+                DRM_DEBUG("offset fixed up to 0x%x\n", (unsigned int)off);
-             off < (dev_priv->gart_vm_start + dev_priv->gart_size))) {
-                DRM_DEBUG("offset fixed up to 0x%x\n", off);
                *offset = off;
                return 0;
        }
author	Michel Daenzer <michel@tungstengraphics.com>	2006-09-21 14:12:11 -0400
committer	Dave Airlie <airlied@linux.ie>	2006-09-21 15:32:34 -0400
commit	214ff13d9ebbba7940f29bc89669f85f12533083 (patch)
tree	bb1e106de12fca7046be3bc6b21cb13a765e4ea1
parent	47cc140931cc03076014fdbfdd512d6dd9d74d34 (diff)