From: Jerome Glisse <jglisse@xxxxxxxxxx> In some rare case were packet is big enough to go over page boundary we might not have copied yet the userspace data into the local copy resulting in kernel reading garbage data. Without this patch kernel might submit unprocessed/unrelocated cmd to the GPU which might lead to GPU lockup. v2: Make sure we do copy all the page and don't forget some when the packet count dw is bigger than 1 page v3: Rebase patch against Linus master Signed-off-by: Jerome Glisse <jglisse@xxxxxxxxxx> --- drivers/gpu/drm/radeon/evergreen_cs.c | 35 ++++++++++++++++++++++++++++++++++- drivers/gpu/drm/radeon/r600_cs.c | 19 ++++++++++++++++++- 2 files changed, 52 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/radeon/evergreen_cs.c b/drivers/gpu/drm/radeon/evergreen_cs.c index 7a44566..51ad74a 100644 --- a/drivers/gpu/drm/radeon/evergreen_cs.c +++ b/drivers/gpu/drm/radeon/evergreen_cs.c @@ -1021,7 +1021,7 @@ static int evergreen_cs_packet_parse(struct radeon_cs_parser *p, unsigned idx) { struct radeon_cs_chunk *ib_chunk = &p->chunks[p->chunk_ib_idx]; - uint32_t header; + uint32_t header, i, npages; if (idx >= ib_chunk->length_dw) { DRM_ERROR("Can not parse packet at %d after CS end %d !\n", @@ -1052,6 +1052,11 @@ static int evergreen_cs_packet_parse(struct radeon_cs_parser *p, pkt->idx, pkt->type, pkt->count, ib_chunk->length_dw); return -EINVAL; } + /* make sure we copied packet fully from userspace */ + npages = ((idx + pkt->count + 1) >> 10) - (idx >> 10); + for (i = 1; i <= npages; i++) { + radeon_get_ib_value(p, (idx & 0xfffffc00) + i * 0x400); + } return 0; } @@ -2909,12 +2914,16 @@ int evergreen_dma_cs_parse(struct radeon_cs_parser *p) return -EINVAL; } if (tiled) { + /* make sure we copied packet fully from userspace */ + radeon_get_ib_value(p, idx + 6); dst_offset = ib[idx+1]; dst_offset <<= 8; ib[idx+1] += (u32)(dst_reloc->lobj.gpu_offset >> 8); p->idx += count + 7; } else { + /* make sure we copied packet fully from userspace */ + radeon_get_ib_value(p, idx + 2); dst_offset = ib[idx+1]; dst_offset |= ((u64)(ib[idx+2] & 0xff)) << 32; @@ -2945,6 +2954,8 @@ int evergreen_dma_cs_parse(struct radeon_cs_parser *p) switch (misc) { case 0: /* L2T, frame to fields */ + /* make sure we copied packet fully from userspace */ + radeon_get_ib_value(p, idx + 9); if (idx_value & (1 << 31)) { DRM_ERROR("bad L2T, frame to fields DMA_PACKET_COPY\n"); return -EINVAL; @@ -2983,6 +2994,8 @@ int evergreen_dma_cs_parse(struct radeon_cs_parser *p) break; case 1: /* L2T, T2L partial */ + /* make sure we copied packet fully from userspace */ + radeon_get_ib_value(p, idx + 11); if (p->family < CHIP_CAYMAN) { DRM_ERROR("L2T, T2L Partial is cayman only !\n"); return -EINVAL; @@ -3005,6 +3018,8 @@ int evergreen_dma_cs_parse(struct radeon_cs_parser *p) break; case 3: /* L2T, broadcast */ + /* make sure we copied packet fully from userspace */ + radeon_get_ib_value(p, idx + 9); if (idx_value & (1 << 31)) { DRM_ERROR("bad L2T, broadcast DMA_PACKET_COPY\n"); return -EINVAL; @@ -3043,6 +3058,8 @@ int evergreen_dma_cs_parse(struct radeon_cs_parser *p) break; case 4: /* L2T, T2L */ + /* make sure we copied packet fully from userspace */ + radeon_get_ib_value(p, idx + 8); /* detile bit */ if (idx_value & (1 << 31)) { /* tiled src, linear dst */ @@ -3079,6 +3096,8 @@ int evergreen_dma_cs_parse(struct radeon_cs_parser *p) break; case 5: /* T2T partial */ + /* make sure we copied packet fully from userspace */ + radeon_get_ib_value(p, idx + 12); if (p->family < CHIP_CAYMAN) { DRM_ERROR("L2T, T2L Partial is cayman only !\n"); return -EINVAL; @@ -3089,6 +3108,8 @@ int evergreen_dma_cs_parse(struct radeon_cs_parser *p) break; case 7: /* L2T, broadcast */ + /* make sure we copied packet fully from userspace */ + radeon_get_ib_value(p, idx + 9); if (idx_value & (1 << 31)) { DRM_ERROR("bad L2T, broadcast DMA_PACKET_COPY\n"); return -EINVAL; @@ -3132,6 +3153,8 @@ int evergreen_dma_cs_parse(struct radeon_cs_parser *p) } else { switch (misc) { case 0: + /* make sure we copied packet fully from userspace */ + radeon_get_ib_value(p, idx + 8); /* detile bit */ if (idx_value & (1 << 31)) { /* tiled src, linear dst */ @@ -3176,6 +3199,8 @@ int evergreen_dma_cs_parse(struct radeon_cs_parser *p) switch (misc) { case 0: /* L2L, byte */ + /* make sure we copied packet fully from userspace */ + radeon_get_ib_value(p, idx + 4); src_offset = ib[idx+2]; src_offset |= ((u64)(ib[idx+4] & 0xff)) << 32; dst_offset = ib[idx+1]; @@ -3198,6 +3223,8 @@ int evergreen_dma_cs_parse(struct radeon_cs_parser *p) break; case 1: /* L2L, partial */ + /* make sure we copied packet fully from userspace */ + radeon_get_ib_value(p, idx + 8); if (p->family < CHIP_CAYMAN) { DRM_ERROR("L2L Partial is cayman only !\n"); return -EINVAL; @@ -3211,6 +3238,8 @@ int evergreen_dma_cs_parse(struct radeon_cs_parser *p) break; case 4: /* L2L, dw, broadcast */ + /* make sure we copied packet fully from userspace */ + radeon_get_ib_value(p, idx + 6); r = r600_dma_cs_next_reloc(p, &dst2_reloc); if (r) { DRM_ERROR("bad L2L, dw, broadcast DMA_PACKET_COPY\n"); @@ -3251,6 +3280,8 @@ int evergreen_dma_cs_parse(struct radeon_cs_parser *p) } } else { /* L2L, dw */ + /* make sure we copied packet fully from userspace */ + radeon_get_ib_value(p, idx + 4); src_offset = ib[idx+2]; src_offset |= ((u64)(ib[idx+4] & 0xff)) << 32; dst_offset = ib[idx+1]; @@ -3274,6 +3305,8 @@ int evergreen_dma_cs_parse(struct radeon_cs_parser *p) } break; case DMA_PACKET_CONSTANT_FILL: + /* make sure we copied packet fully from userspace */ + radeon_get_ib_value(p, idx + 3); r = r600_dma_cs_next_reloc(p, &dst_reloc); if (r) { DRM_ERROR("bad DMA_PACKET_CONSTANT_FILL\n"); diff --git a/drivers/gpu/drm/radeon/r600_cs.c b/drivers/gpu/drm/radeon/r600_cs.c index 69ec24a..d36f9e6 100644 --- a/drivers/gpu/drm/radeon/r600_cs.c +++ b/drivers/gpu/drm/radeon/r600_cs.c @@ -796,7 +796,7 @@ static int r600_cs_packet_parse(struct radeon_cs_parser *p, unsigned idx) { struct radeon_cs_chunk *ib_chunk = &p->chunks[p->chunk_ib_idx]; - uint32_t header; + uint32_t header, i, npages; if (idx >= ib_chunk->length_dw) { DRM_ERROR("Can not parse packet at %d after CS end %d !\n", @@ -827,6 +827,11 @@ static int r600_cs_packet_parse(struct radeon_cs_parser *p, pkt->idx, pkt->type, pkt->count, ib_chunk->length_dw); return -EINVAL; } + /* make sure we copied packet fully from userspace */ + npages = ((idx + pkt->count + 1) >> 10) - (idx >> 10); + for (i = 1; i <= npages; i++) { + radeon_get_ib_value(p, (idx & 0xfffffc00) + i * 0x400); + } return 0; } @@ -2623,12 +2628,16 @@ int r600_dma_cs_parse(struct radeon_cs_parser *p) return -EINVAL; } if (tiled) { + /* make sure we copied packet fully from userspace */ + radeon_get_ib_value(p, idx + 4); dst_offset = ib[idx+1]; dst_offset <<= 8; ib[idx+1] += (u32)(dst_reloc->lobj.gpu_offset >> 8); p->idx += count + 5; } else { + /* make sure we copied packet fully from userspace */ + radeon_get_ib_value(p, idx + 2); dst_offset = ib[idx+1]; dst_offset |= ((u64)(ib[idx+2] & 0xff)) << 32; @@ -2654,6 +2663,8 @@ int r600_dma_cs_parse(struct radeon_cs_parser *p) return -EINVAL; } if (tiled) { + /* make sure we copied packet fully from userspace */ + radeon_get_ib_value(p, idx + 6); idx_value = radeon_get_ib_value(p, idx + 2); /* detile bit */ if (idx_value & (1 << 31)) { @@ -2680,6 +2691,8 @@ int r600_dma_cs_parse(struct radeon_cs_parser *p) p->idx += 7; } else { if (p->family >= CHIP_RV770) { + /* make sure we copied packet fully from userspace */ + radeon_get_ib_value(p, idx + 4); src_offset = ib[idx+2]; src_offset |= ((u64)(ib[idx+4] & 0xff)) << 32; dst_offset = ib[idx+1]; @@ -2691,6 +2704,8 @@ int r600_dma_cs_parse(struct radeon_cs_parser *p) ib[idx+4] += upper_32_bits(src_reloc->lobj.gpu_offset) & 0xff; p->idx += 5; } else { + /* make sure we copied packet fully from userspace */ + radeon_get_ib_value(p, idx + 3); src_offset = ib[idx+2]; src_offset |= ((u64)(ib[idx+3] & 0xff)) << 32; dst_offset = ib[idx+1]; @@ -2715,6 +2730,8 @@ int r600_dma_cs_parse(struct radeon_cs_parser *p) } break; case DMA_PACKET_CONSTANT_FILL: + /* make sure we copied packet fully from userspace */ + radeon_get_ib_value(p, idx + 3); if (p->family < CHIP_RV770) { DRM_ERROR("Constant Fill is 7xx only !\n"); return -EINVAL; -- 1.7.11.7 _______________________________________________ dri-devel mailing list dri-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/dri-devel