drm/radeon/kms: drop zero length CS indirect buffers.
authorDave Airlie <airlied@redhat.com>
Tue, 30 Jun 2009 01:47:14 +0000 (11:47 +1000)
committerDave Airlie <airlied@redhat.com>
Wed, 15 Jul 2009 07:13:15 +0000 (17:13 +1000)
If userspace sends a zero length IB, it really shouldn't have bothered
so EINVAL it.

Signed-off-by: Dave Airlie <airlied@redhat.com>
drivers/gpu/drm/radeon/radeon_cs.c

index b843f9bdfb14fc6928521fd4e7dc492379f99fa3..a169067efc4e5c3ccc87a57dfd1623d6be514035 100644 (file)
@@ -127,17 +127,23 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data)
                                       sizeof(struct drm_radeon_cs_chunk))) {
                        return -EFAULT;
                }
+               p->chunks[i].length_dw = user_chunk.length_dw;
+               p->chunks[i].kdata = NULL;
                p->chunks[i].chunk_id = user_chunk.chunk_id;
+
                if (p->chunks[i].chunk_id == RADEON_CHUNK_ID_RELOCS) {
                        p->chunk_relocs_idx = i;
                }
                if (p->chunks[i].chunk_id == RADEON_CHUNK_ID_IB) {
                        p->chunk_ib_idx = i;
+                       /* zero length IB isn't useful */
+                       if (p->chunks[i].length_dw == 0)
+                               return -EINVAL;
                }
+
                p->chunks[i].length_dw = user_chunk.length_dw;
                cdata = (uint32_t *)(unsigned long)user_chunk.chunk_data;
 
-               p->chunks[i].kdata = NULL;
                size = p->chunks[i].length_dw * sizeof(uint32_t);
                p->chunks[i].kdata = kzalloc(size, GFP_KERNEL);
                if (p->chunks[i].kdata == NULL) {