diff options
| author | Chris Wilson <chris@chris-wilson.co.uk> | 2017-01-23 14:52:45 +0000 |
|---|---|---|
| committer | Chris Wilson <chris@chris-wilson.co.uk> | 2017-01-23 15:52:23 +0000 |
| commit | 7c518460303353084ebcfca99bc4b67ce33745a1 (patch) | |
| tree | c4b2f937de57029d313fdb42bba475979a6bcf31 /drivers/gpu/drm/i915/intel_ringbuffer.h | |
| parent | 4c01ded5732d6533a2858fae30c197f734745062 (diff) | |
| download | linux-7c518460303353084ebcfca99bc4b67ce33745a1.tar.gz | |
drm/i915: Pevent copying uninitialised garbage into vma->ggtt_view
Since tweaking i915_vma_compare() we allowed constructors to skip
clearing the ggtt_view believing that we didn't access the unused
members. That, as it turns out, was not entirely true. In particular,
i915_gem_fault() uses
ret = remap_io_mapping(area,
area->vm_start + (vma->ggtt_view.partial.offset << PAGE_SHIFT),
(ggtt->mappable_base + vma->node.start) >> PAGE_SHIFT,
min_t(u64, vma->size, area->vm_end - area->vm_start),
&ggtt->mappable);
i.e. the ggtt_view.partial for both normal and partial views. If we
allowed garbage into the normal vma->ggtt_view and then try userspace
tried to mmap it, we could explode in an unobvious fashion.
Fixes: 7b92c047bae2 ("drm/i915: Eliminate superfluous i915_ggtt_view_rotated")
Fixes: 3bf4d5751943 ("drm/i915: Stop clearing i915_ggtt_view")
Reported-by: Matthew Auld <matthew.william.auld@gmail.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Cc: Matthew Auld <matthew.william.auld@gmail.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20170123145245.3972-1-chris@chris-wilson.co.uk
Tested-by: Matthew Auld <matthew.auld@intel.com>
Reviewed-by: Matthew Auld <matthew.auld@intel.com>
Diffstat (limited to 'drivers/gpu/drm/i915/intel_ringbuffer.h')
0 files changed, 0 insertions, 0 deletions