1 files changed, 52 insertions, 37 deletions
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index 16fca1d1799a..90b1d6753b9d 100644
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -136,14 +136,12 @@ i915_gem_create_ioctl(struct drm_device *dev, void *data,
                return -ENOMEM;
        ret = drm_gem_handle_create(file_priv, obj, &handle);
+        /* drop reference from allocate - handle holds it now */
+        drm_gem_object_unreference_unlocked(obj);
        if (ret) {
-                drm_gem_object_unreference_unlocked(obj);
                return ret;
        }
-        /* Sink the floating reference from kref_init(handlecount) */
-        drm_gem_object_handle_unreference_unlocked(obj);
        args->handle = handle;
        return 0;
 }
@@ -471,14 +469,17 @@ i915_gem_pread_ioctl(struct drm_device *dev, void *data,
                return -ENOENT;
        obj_priv = to_intel_bo(obj);
-        /* Bounds check source.
+        /* Bounds check source.  */
-         *
+        if (args->offset > obj->size || args->size > obj->size - args->offset) {
-         * XXX: This could use review for overflow issues...
+                ret = -EINVAL;
-         */
+                goto err;
-        if (args->offset > obj->size || args->size > obj->size ||
+        }
-            args->offset + args->size > obj->size) {
-                drm_gem_object_unreference_unlocked(obj);
+        if (!access_ok(VERIFY_WRITE,
-                return -EINVAL;
+                       (char __user *)(uintptr_t)args->data_ptr,
+                       args->size)) {
+                ret = -EFAULT;
+                goto err;
        }
        if (i915_gem_object_needs_bit17_swizzle(obj)) {
@@ -490,8 +491,8 @@ i915_gem_pread_ioctl(struct drm_device *dev, void *data,
                                                        file_priv);
        }
+err:
        drm_gem_object_unreference_unlocked(obj);
        return ret;
 }
@@ -580,8 +581,6 @@ i915_gem_gtt_pwrite_fast(struct drm_device *dev, struct drm_gem_object *obj,
        user_data = (char __user *) (uintptr_t) args->data_ptr;
        remain = args->size;
-        if (!access_ok(VERIFY_READ, user_data, remain))
-                return -EFAULT;
        mutex_lock(&dev->struct_mutex);
@@ -934,14 +933,17 @@ i915_gem_pwrite_ioctl(struct drm_device *dev, void *data,
                return -ENOENT;
        obj_priv = to_intel_bo(obj);
-        /* Bounds check destination.
+        /* Bounds check destination. */
-         *
+        if (args->offset > obj->size || args->size > obj->size - args->offset) {
-         * XXX: This could use review for overflow issues...
+                ret = -EINVAL;
-         */
+                goto err;
-        if (args->offset > obj->size || args->size > obj->size ||
+        }
-            args->offset + args->size > obj->size) {
-                drm_gem_object_unreference_unlocked(obj);
+        if (!access_ok(VERIFY_READ,
-                return -EINVAL;
+                       (char __user *)(uintptr_t)args->data_ptr,
+                       args->size)) {
+                ret = -EFAULT;
+                goto err;
        }
        /* We can only do the GTT pwrite on untiled buffers, as otherwise
@@ -975,8 +977,8 @@ i915_gem_pwrite_ioctl(struct drm_device *dev, void *data,
                DRM_INFO("pwrite failed %d\n", ret);
 #endif
+err:
        drm_gem_object_unreference_unlocked(obj);
        return ret;
 }
@@ -2351,14 +2353,21 @@ i915_gem_object_get_fence_reg(struct drm_gem_object *obj)
        reg->obj = obj;
-        if (IS_GEN6(dev))
+        switch (INTEL_INFO(dev)->gen) {
+        case 6:
                sandybridge_write_fence_reg(reg);
-        else if (IS_I965G(dev))
+                break;
+        case 5:
+        case 4:
                i965_write_fence_reg(reg);
-        else if (IS_I9XX(dev))
+                break;
+        case 3:
                i915_write_fence_reg(reg);
-        else
+                break;
+        case 2:
                i830_write_fence_reg(reg);
+                break;
+        }
        trace_i915_gem_object_get_fence(obj, obj_priv->fence_reg,
                        obj_priv->tiling_mode);
@@ -2381,22 +2390,26 @@ i915_gem_clear_fence_reg(struct drm_gem_object *obj)
        struct drm_i915_gem_object *obj_priv = to_intel_bo(obj);
        struct drm_i915_fence_reg *reg =
                &dev_priv->fence_regs[obj_priv->fence_reg];
+        uint32_t fence_reg;
-        if (IS_GEN6(dev)) {
+        switch (INTEL_INFO(dev)->gen) {
+        case 6:
                I915_WRITE64(FENCE_REG_SANDYBRIDGE_0 +
                             (obj_priv->fence_reg * 8), 0);
-        } else if (IS_I965G(dev)) {
+                break;
+        case 5:
+        case 4:
                I915_WRITE64(FENCE_REG_965_0 + (obj_priv->fence_reg * 8), 0);
-        } else {
+                break;
-                uint32_t fence_reg;
+        case 3:
+                if (obj_priv->fence_reg >= 8)
-                if (obj_priv->fence_reg < 8)
+                        fence_reg = FENCE_REG_945_8 + (obj_priv->fence_reg - 8) * 4;
-                        fence_reg = FENCE_REG_830_0 + obj_priv->fence_reg * 4;
                else
-                        fence_reg = FENCE_REG_945_8 + (obj_priv->fence_reg -
+        case 2:
-                                                       8) * 4;
+                        fence_reg = FENCE_REG_830_0 + obj_priv->fence_reg * 4;
                I915_WRITE(fence_reg, 0);
+                break;
        }
        reg->obj = NULL;
@@ -3247,6 +3260,8 @@ i915_gem_object_pin_and_relocate(struct drm_gem_object *obj,
                                  (int) reloc->offset,
                                  reloc->read_domains,
                                  reloc->write_domain);
+                        drm_gem_object_unreference(target_obj);
+                        i915_gem_object_unpin(obj);
                        return -EINVAL;
                }
                if (reloc->write_domain & I915_GEM_DOMAIN_CPU ||

diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c index 16fca1d1799a..90b1d6753b9d 100644 --- a/drivers/gpu/drm/i915/i915_gem.c +++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -136,14 +136,12 @@ i915_gem_create_ioctl(struct drm_device dev, void data,
136	return -ENOMEM;	136	return -ENOMEM;
137		137
138	ret = drm_gem_handle_create(file_priv, obj, &handle);	138	ret = drm_gem_handle_create(file_priv, obj, &handle);
		139	/* drop reference from allocate - handle holds it now */
		140	drm_gem_object_unreference_unlocked(obj);
139	if (ret) {	141	if (ret) {
140	drm_gem_object_unreference_unlocked(obj);
141	return ret;	142	return ret;
142	}	143	}
143		144
144	/* Sink the floating reference from kref_init(handlecount) */
145	drm_gem_object_handle_unreference_unlocked(obj);
146
147	args->handle = handle;	145	args->handle = handle;
148	return 0;	146	return 0;
149	}	147	}
@@ -471,14 +469,17 @@ i915_gem_pread_ioctl(struct drm_device dev, void data,
471	return -ENOENT;	469	return -ENOENT;
472	obj_priv = to_intel_bo(obj);	470	obj_priv = to_intel_bo(obj);
473		471
474	/* Bounds check source.	472	/* Bounds check source. */
475	*	473	if (args->offset > obj->size \|\| args->size > obj->size - args->offset) {
476	* XXX: This could use review for overflow issues...	474	ret = -EINVAL;
477	*/	475	goto err;
478	if (args->offset > obj->size \|\| args->size > obj->size \|\|	476	}
479	args->offset + args->size > obj->size) {	477
480	drm_gem_object_unreference_unlocked(obj);	478	if (!access_ok(VERIFY_WRITE,
481	return -EINVAL;	479	(char __user *)(uintptr_t)args->data_ptr,
		480	args->size)) {
		481	ret = -EFAULT;
		482	goto err;
482	}	483	}
483		484
484	if (i915_gem_object_needs_bit17_swizzle(obj)) {	485	if (i915_gem_object_needs_bit17_swizzle(obj)) {
@@ -490,8 +491,8 @@ i915_gem_pread_ioctl(struct drm_device dev, void data,
490	file_priv);	491	file_priv);
491	}	492	}
492		493
		494	err:
493	drm_gem_object_unreference_unlocked(obj);	495	drm_gem_object_unreference_unlocked(obj);
494
495	return ret;	496	return ret;
496	}	497	}
497		498
@@ -580,8 +581,6 @@ i915_gem_gtt_pwrite_fast(struct drm_device dev, struct drm_gem_object obj,
580		581
581	user_data = (char __user *) (uintptr_t) args->data_ptr;	582	user_data = (char __user *) (uintptr_t) args->data_ptr;
582	remain = args->size;	583	remain = args->size;
583	if (!access_ok(VERIFY_READ, user_data, remain))
584	return -EFAULT;
585		584
586		585
587	mutex_lock(&dev->struct_mutex);	586	mutex_lock(&dev->struct_mutex);
@@ -934,14 +933,17 @@ i915_gem_pwrite_ioctl(struct drm_device dev, void data,
934	return -ENOENT;	933	return -ENOENT;
935	obj_priv = to_intel_bo(obj);	934	obj_priv = to_intel_bo(obj);
936		935
937	/* Bounds check destination.	936	/* Bounds check destination. */
938	*	937	if (args->offset > obj->size \|\| args->size > obj->size - args->offset) {
939	* XXX: This could use review for overflow issues...	938	ret = -EINVAL;
940	*/	939	goto err;
941	if (args->offset > obj->size \|\| args->size > obj->size \|\|	940	}
942	args->offset + args->size > obj->size) {	941
943	drm_gem_object_unreference_unlocked(obj);	942	if (!access_ok(VERIFY_READ,
944	return -EINVAL;	943	(char __user *)(uintptr_t)args->data_ptr,
		944	args->size)) {
		945	ret = -EFAULT;
		946	goto err;
945	}	947	}
946		948
947	/* We can only do the GTT pwrite on untiled buffers, as otherwise	949	/* We can only do the GTT pwrite on untiled buffers, as otherwise
@@ -975,8 +977,8 @@ i915_gem_pwrite_ioctl(struct drm_device dev, void data,
975	DRM_INFO("pwrite failed %d\n", ret);	977	DRM_INFO("pwrite failed %d\n", ret);
976	#endif	978	#endif
977		979
		980	err:
978	drm_gem_object_unreference_unlocked(obj);	981	drm_gem_object_unreference_unlocked(obj);
979
980	return ret;	982	return ret;
981	}	983	}
982		984
@@ -2351,14 +2353,21 @@ i915_gem_object_get_fence_reg(struct drm_gem_object *obj)
2351		2353
2352	reg->obj = obj;	2354	reg->obj = obj;
2353		2355
2354	if (IS_GEN6(dev))	2356	switch (INTEL_INFO(dev)->gen) {
		2357	case 6:
2355	sandybridge_write_fence_reg(reg);	2358	sandybridge_write_fence_reg(reg);
2356	else if (IS_I965G(dev))	2359	break;
		2360	case 5:
		2361	case 4:
2357	i965_write_fence_reg(reg);	2362	i965_write_fence_reg(reg);
2358	else if (IS_I9XX(dev))	2363	break;
		2364	case 3:
2359	i915_write_fence_reg(reg);	2365	i915_write_fence_reg(reg);
2360	else	2366	break;
		2367	case 2:
2361	i830_write_fence_reg(reg);	2368	i830_write_fence_reg(reg);
		2369	break;
		2370	}
2362		2371
2363	trace_i915_gem_object_get_fence(obj, obj_priv->fence_reg,	2372	trace_i915_gem_object_get_fence(obj, obj_priv->fence_reg,
2364	obj_priv->tiling_mode);	2373	obj_priv->tiling_mode);
@@ -2381,22 +2390,26 @@ i915_gem_clear_fence_reg(struct drm_gem_object *obj)
2381	struct drm_i915_gem_object *obj_priv = to_intel_bo(obj);	2390	struct drm_i915_gem_object *obj_priv = to_intel_bo(obj);
2382	struct drm_i915_fence_reg *reg =	2391	struct drm_i915_fence_reg *reg =
2383	&dev_priv->fence_regs[obj_priv->fence_reg];	2392	&dev_priv->fence_regs[obj_priv->fence_reg];
		2393	uint32_t fence_reg;
2384		2394
2385	if (IS_GEN6(dev)) {	2395	switch (INTEL_INFO(dev)->gen) {
		2396	case 6:
2386	I915_WRITE64(FENCE_REG_SANDYBRIDGE_0 +	2397	I915_WRITE64(FENCE_REG_SANDYBRIDGE_0 +
2387	(obj_priv->fence_reg * 8), 0);	2398	(obj_priv->fence_reg * 8), 0);
2388	} else if (IS_I965G(dev)) {	2399	break;
		2400	case 5:
		2401	case 4:
2389	I915_WRITE64(FENCE_REG_965_0 + (obj_priv->fence_reg * 8), 0);	2402	I915_WRITE64(FENCE_REG_965_0 + (obj_priv->fence_reg * 8), 0);
2390	} else {	2403	break;
2391	uint32_t fence_reg;	2404	case 3:
2392		2405	if (obj_priv->fence_reg >= 8)
2393	if (obj_priv->fence_reg < 8)	2406	fence_reg = FENCE_REG_945_8 + (obj_priv->fence_reg - 8) * 4;
2394	fence_reg = FENCE_REG_830_0 + obj_priv->fence_reg * 4;
2395	else	2407	else
2396	fence_reg = FENCE_REG_945_8 + (obj_priv->fence_reg -	2408	case 2:
2397	8) * 4;	2409	fence_reg = FENCE_REG_830_0 + obj_priv->fence_reg * 4;
2398		2410
2399	I915_WRITE(fence_reg, 0);	2411	I915_WRITE(fence_reg, 0);
		2412	break;
2400	}	2413	}
2401		2414
2402	reg->obj = NULL;	2415	reg->obj = NULL;
@@ -3247,6 +3260,8 @@ i915_gem_object_pin_and_relocate(struct drm_gem_object *obj,
3247	(int) reloc->offset,	3260	(int) reloc->offset,
3248	reloc->read_domains,	3261	reloc->read_domains,
3249	reloc->write_domain);	3262	reloc->write_domain);
		3263	drm_gem_object_unreference(target_obj);
		3264	i915_gem_object_unpin(obj);
3250	return -EINVAL;	3265	return -EINVAL;
3251	}	3266	}
3252	if (reloc->write_domain & I915_GEM_DOMAIN_CPU \|\|	3267	if (reloc->write_domain & I915_GEM_DOMAIN_CPU \|\|