Commit 8adabb89 authored by Chris Wilson's avatar Chris Wilson Committed by Daniel Vetter

drm/i915: Pevent copying uninitialised garbage into vma->ggtt_view

Since tweaking i915_vma_compare() we allowed constructors to skip
clearing the ggtt_view believing that we didn't access the unused
members. That, as it turns out, was not entirely true. In particular,
i915_gem_fault() uses

    ret = remap_io_mapping(area,
	    area->vm_start + (vma->ggtt_view.partial.offset << PAGE_SHIFT),
	    (ggtt->mappable_base + vma->node.start) >> PAGE_SHIFT,
	    min_t(u64, vma->size, area->vm_end - area->vm_start),
	    &ggtt->mappable);

i.e. the ggtt_view.partial for both normal and partial views. If we
allowed garbage into the normal vma->ggtt_view and then try userspace
tried to mmap it, we could explode in an unobvious fashion.

Fixes: 7b92c047 ("drm/i915: Eliminate superfluous i915_ggtt_view_rotated")
Fixes: 3bf4d575 ("drm/i915: Stop clearing i915_ggtt_view")
Reported-by: default avatarMatthew Auld <matthew.william.auld@gmail.com>
Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Cc: Matthew Auld <matthew.william.auld@gmail.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20170123145245.3972-1-chris@chris-wilson.co.ukTested-by: default avatarMatthew Auld <matthew.auld@intel.com>
Reviewed-by: default avatarMatthew Auld <matthew.auld@intel.com>
(cherry picked from commit 7c518460)
parent add6329c
...@@ -91,7 +91,7 @@ vma_create(struct drm_i915_gem_object *obj, ...@@ -91,7 +91,7 @@ vma_create(struct drm_i915_gem_object *obj,
vma->size = obj->base.size; vma->size = obj->base.size;
vma->display_alignment = I915_GTT_MIN_ALIGNMENT; vma->display_alignment = I915_GTT_MIN_ALIGNMENT;
if (view) { if (view && view->type != I915_GGTT_VIEW_NORMAL) {
vma->ggtt_view = *view; vma->ggtt_view = *view;
if (view->type == I915_GGTT_VIEW_PARTIAL) { if (view->type == I915_GGTT_VIEW_PARTIAL) {
GEM_BUG_ON(range_overflows_t(u64, GEM_BUG_ON(range_overflows_t(u64,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment