forked from Minki/linux
368f622c0d
If commands buffer claims a number of words that is higher than its BO can fit, a kernel OOPS will be fired on the out-of-bounds BO access. This was triggered by an opentegra Xorg driver that erroneously pushed too many commands to the pushbuf. The CDMA commands buffer address is 4 bytes aligned, so check its alignment. The maximum number of the CDMA gather fetches is 16383, add a check for it. Add a sanity check for the relocations in a same way. [ 46.829393] Unable to handle kernel paging request at virtual address f09b2000 ... [<c04a3ba4>] (host1x_job_pin) from [<c04dfcd0>] (tegra_drm_submit+0x474/0x510) [<c04dfcd0>] (tegra_drm_submit) from [<c04deea0>] (tegra_submit+0x50/0x6c) [<c04deea0>] (tegra_submit) from [<c04c07c0>] (drm_ioctl+0x1e4/0x3ec) [<c04c07c0>] (drm_ioctl) from [<c02541a0>] (do_vfs_ioctl+0x9c/0x8e4) [<c02541a0>] (do_vfs_ioctl) from [<c0254a1c>] (SyS_ioctl+0x34/0x5c) [<c0254a1c>] (SyS_ioctl) from [<c0107640>] (ret_fast_syscall+0x0/0x3c) Signed-off-by: Dmitry Osipenko <digetx@gmail.com> Reviewed-by: Erik Faye-Lund <kusmabite@gmail.com> Reviewed-by: Mikko Perttunen <mperttunen@nvidia.com> Signed-off-by: Thierry Reding <treding@nvidia.com>
84 lines
2.1 KiB
C
84 lines
2.1 KiB
C
/*
|
|
* Tegra host1x GEM implementation
|
|
*
|
|
* Copyright (c) 2012-2013, NVIDIA Corporation.
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
* published by the Free Software Foundation.
|
|
*/
|
|
|
|
#ifndef __HOST1X_GEM_H
|
|
#define __HOST1X_GEM_H
|
|
|
|
#include <linux/host1x.h>
|
|
|
|
#include <drm/drm.h>
|
|
#include <drm/drmP.h>
|
|
#include <drm/drm_gem.h>
|
|
|
|
#define TEGRA_BO_BOTTOM_UP (1 << 0)
|
|
|
|
enum tegra_bo_tiling_mode {
|
|
TEGRA_BO_TILING_MODE_PITCH,
|
|
TEGRA_BO_TILING_MODE_TILED,
|
|
TEGRA_BO_TILING_MODE_BLOCK,
|
|
};
|
|
|
|
struct tegra_bo_tiling {
|
|
enum tegra_bo_tiling_mode mode;
|
|
unsigned long value;
|
|
};
|
|
|
|
struct tegra_bo {
|
|
struct drm_gem_object gem;
|
|
struct host1x_bo base;
|
|
unsigned long flags;
|
|
struct sg_table *sgt;
|
|
dma_addr_t paddr;
|
|
void *vaddr;
|
|
|
|
struct drm_mm_node *mm;
|
|
unsigned long num_pages;
|
|
struct page **pages;
|
|
/* size of IOMMU mapping */
|
|
size_t size;
|
|
|
|
struct tegra_bo_tiling tiling;
|
|
};
|
|
|
|
static inline struct tegra_bo *to_tegra_bo(struct drm_gem_object *gem)
|
|
{
|
|
return container_of(gem, struct tegra_bo, gem);
|
|
}
|
|
|
|
static inline struct tegra_bo *host1x_to_tegra_bo(struct host1x_bo *bo)
|
|
{
|
|
return container_of(bo, struct tegra_bo, base);
|
|
}
|
|
|
|
struct tegra_bo *tegra_bo_create(struct drm_device *drm, size_t size,
|
|
unsigned long flags);
|
|
struct tegra_bo *tegra_bo_create_with_handle(struct drm_file *file,
|
|
struct drm_device *drm,
|
|
size_t size,
|
|
unsigned long flags,
|
|
u32 *handle);
|
|
void tegra_bo_free_object(struct drm_gem_object *gem);
|
|
int tegra_bo_dumb_create(struct drm_file *file, struct drm_device *drm,
|
|
struct drm_mode_create_dumb *args);
|
|
int tegra_bo_dumb_map_offset(struct drm_file *file, struct drm_device *drm,
|
|
u32 handle, u64 *offset);
|
|
|
|
int tegra_drm_mmap(struct file *file, struct vm_area_struct *vma);
|
|
|
|
extern const struct vm_operations_struct tegra_bo_vm_ops;
|
|
|
|
struct dma_buf *tegra_gem_prime_export(struct drm_device *drm,
|
|
struct drm_gem_object *gem,
|
|
int flags);
|
|
struct drm_gem_object *tegra_gem_prime_import(struct drm_device *drm,
|
|
struct dma_buf *buf);
|
|
|
|
#endif
|