diff options
| author | Rob Clark <robdclark@gmail.com> | 2013-09-06 15:36:40 -0400 |
|---|---|---|
| committer | Rob Clark <robdclark@gmail.com> | 2013-09-10 13:57:42 -0400 |
| commit | 198725337ef1f73b73e7dc953c6ffb0799f26ffe (patch) | |
| tree | f0772c0a34e6c55a99ff83d5043281ff8f712e37 | |
| parent | 26791c48e1dcdc17c6c952585806b0ecc493f939 (diff) | |
drm/msm: fix cmdstream size check
Need to check size+offset against bo size (duh!).. now we have a test
case to make sure I've done it right:
https://github.com/freedreno/msmtest/blob/master/submittest.c
Also, use DRM_ERROR() for error case traces, which makes debugging
userspace easier when enabling debug traces is too much.
Signed-off-by: Rob Clark <robdclark@gmail.com>
| -rw-r--r-- | drivers/gpu/drm/msm/msm_gem_submit.c | 24 |
1 files changed, 13 insertions, 11 deletions
diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c index 3e1ef3a00f60..5281d4bc37f7 100644 --- a/drivers/gpu/drm/msm/msm_gem_submit.c +++ b/drivers/gpu/drm/msm/msm_gem_submit.c | |||
| @@ -78,7 +78,7 @@ static int submit_lookup_objects(struct msm_gem_submit *submit, | |||
| 78 | } | 78 | } |
| 79 | 79 | ||
| 80 | if (submit_bo.flags & BO_INVALID_FLAGS) { | 80 | if (submit_bo.flags & BO_INVALID_FLAGS) { |
| 81 | DBG("invalid flags: %x", submit_bo.flags); | 81 | DRM_ERROR("invalid flags: %x\n", submit_bo.flags); |
| 82 | ret = -EINVAL; | 82 | ret = -EINVAL; |
| 83 | goto out_unlock; | 83 | goto out_unlock; |
| 84 | } | 84 | } |
| @@ -92,7 +92,7 @@ static int submit_lookup_objects(struct msm_gem_submit *submit, | |||
| 92 | */ | 92 | */ |
| 93 | obj = idr_find(&file->object_idr, submit_bo.handle); | 93 | obj = idr_find(&file->object_idr, submit_bo.handle); |
| 94 | if (!obj) { | 94 | if (!obj) { |
| 95 | DBG("invalid handle %u at index %u", submit_bo.handle, i); | 95 | DRM_ERROR("invalid handle %u at index %u\n", submit_bo.handle, i); |
| 96 | ret = -EINVAL; | 96 | ret = -EINVAL; |
| 97 | goto out_unlock; | 97 | goto out_unlock; |
| 98 | } | 98 | } |
| @@ -100,7 +100,7 @@ static int submit_lookup_objects(struct msm_gem_submit *submit, | |||
| 100 | msm_obj = to_msm_bo(obj); | 100 | msm_obj = to_msm_bo(obj); |
| 101 | 101 | ||
| 102 | if (!list_empty(&msm_obj->submit_entry)) { | 102 | if (!list_empty(&msm_obj->submit_entry)) { |
| 103 | DBG("handle %u at index %u already on submit list", | 103 | DRM_ERROR("handle %u at index %u already on submit list\n", |
| 104 | submit_bo.handle, i); | 104 | submit_bo.handle, i); |
| 105 | ret = -EINVAL; | 105 | ret = -EINVAL; |
| 106 | goto out_unlock; | 106 | goto out_unlock; |
| @@ -216,8 +216,9 @@ static int submit_bo(struct msm_gem_submit *submit, uint32_t idx, | |||
| 216 | struct msm_gem_object **obj, uint32_t *iova, bool *valid) | 216 | struct msm_gem_object **obj, uint32_t *iova, bool *valid) |
| 217 | { | 217 | { |
| 218 | if (idx >= submit->nr_bos) { | 218 | if (idx >= submit->nr_bos) { |
| 219 | DBG("invalid buffer index: %u (out of %u)", idx, submit->nr_bos); | 219 | DRM_ERROR("invalid buffer index: %u (out of %u)\n", |
| 220 | return EINVAL; | 220 | idx, submit->nr_bos); |
| 221 | return -EINVAL; | ||
| 221 | } | 222 | } |
| 222 | 223 | ||
| 223 | if (obj) | 224 | if (obj) |
| @@ -239,7 +240,7 @@ static int submit_reloc(struct msm_gem_submit *submit, struct msm_gem_object *ob | |||
| 239 | int ret; | 240 | int ret; |
| 240 | 241 | ||
| 241 | if (offset % 4) { | 242 | if (offset % 4) { |
| 242 | DBG("non-aligned cmdstream buffer: %u", offset); | 243 | DRM_ERROR("non-aligned cmdstream buffer: %u\n", offset); |
| 243 | return -EINVAL; | 244 | return -EINVAL; |
| 244 | } | 245 | } |
| 245 | 246 | ||
| @@ -266,7 +267,7 @@ static int submit_reloc(struct msm_gem_submit *submit, struct msm_gem_object *ob | |||
| 266 | return -EFAULT; | 267 | return -EFAULT; |
| 267 | 268 | ||
| 268 | if (submit_reloc.submit_offset % 4) { | 269 | if (submit_reloc.submit_offset % 4) { |
| 269 | DBG("non-aligned reloc offset: %u", | 270 | DRM_ERROR("non-aligned reloc offset: %u\n", |
| 270 | submit_reloc.submit_offset); | 271 | submit_reloc.submit_offset); |
| 271 | return -EINVAL; | 272 | return -EINVAL; |
| 272 | } | 273 | } |
| @@ -276,7 +277,7 @@ static int submit_reloc(struct msm_gem_submit *submit, struct msm_gem_object *ob | |||
| 276 | 277 | ||
| 277 | if ((off >= (obj->base.size / 4)) || | 278 | if ((off >= (obj->base.size / 4)) || |
| 278 | (off < last_offset)) { | 279 | (off < last_offset)) { |
| 279 | DBG("invalid offset %u at reloc %u", off, i); | 280 | DRM_ERROR("invalid offset %u at reloc %u\n", off, i); |
| 280 | return -EINVAL; | 281 | return -EINVAL; |
| 281 | } | 282 | } |
| 282 | 283 | ||
| @@ -374,14 +375,15 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data, | |||
| 374 | goto out; | 375 | goto out; |
| 375 | 376 | ||
| 376 | if (submit_cmd.size % 4) { | 377 | if (submit_cmd.size % 4) { |
| 377 | DBG("non-aligned cmdstream buffer size: %u", | 378 | DRM_ERROR("non-aligned cmdstream buffer size: %u\n", |
| 378 | submit_cmd.size); | 379 | submit_cmd.size); |
| 379 | ret = -EINVAL; | 380 | ret = -EINVAL; |
| 380 | goto out; | 381 | goto out; |
| 381 | } | 382 | } |
| 382 | 383 | ||
| 383 | if (submit_cmd.size >= msm_obj->base.size) { | 384 | if ((submit_cmd.size + submit_cmd.submit_offset) >= |
| 384 | DBG("invalid cmdstream size: %u", submit_cmd.size); | 385 | msm_obj->base.size) { |
| 386 | DRM_ERROR("invalid cmdstream size: %u\n", submit_cmd.size); | ||
| 385 | ret = -EINVAL; | 387 | ret = -EINVAL; |
| 386 | goto out; | 388 | goto out; |
| 387 | } | 389 | } |