drm/radeon: Fix u32 overflows when determining AGP base address in card space.
authorMichel Dänzer <michel@tungstengraphics.com>
Sun, 18 Feb 2007 07:03:21 +0000 (18:03 +1100)
committerDave Airlie <airlied@linux.ie>
Sun, 11 Mar 2007 01:07:17 +0000 (12:07 +1100)
The overflows could lead to the AGP aperture overlapping the framebuffer are    in the card's address space when the latter is located at the very end of th    32 bit address space, which would result in a freeze on X server startup,
probably because the card read commands from the framebuffer instead of from    AGP.

See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=392915 .

Signed-off-by: Dave Airlie <airlied@linux.ie>
drivers/char/drm/radeon_cp.c

index 5ed965688293a04b6c6a11641be19ce0adf5ba6c..c1850ecac302cdbb3ae0089ff778a14befadc0dc 100644 (file)
@@ -1560,8 +1560,8 @@ static int radeon_do_init_cp(drm_device_t * dev, drm_radeon_init_t * init)
                if (dev_priv->flags & RADEON_IS_AGP) {
                        base = dev->agp->base;
                        /* Check if valid */
-                       if ((base + dev_priv->gart_size) > dev_priv->fb_location &&
-                           base < (dev_priv->fb_location + dev_priv->fb_size)) {
+                       if ((base + dev_priv->gart_size - 1) >= dev_priv->fb_location &&
+                           base < (dev_priv->fb_location + dev_priv->fb_size - 1)) {
                                DRM_INFO("Can't use AGP base @0x%08lx, won't fit\n",
                                         dev->agp->base);
                                base = 0;
@@ -1571,8 +1571,8 @@ static int radeon_do_init_cp(drm_device_t * dev, drm_radeon_init_t * init)
                /* If not or if AGP is at 0 (Macs), try to put it elsewhere */
                if (base == 0) {
                        base = dev_priv->fb_location + dev_priv->fb_size;
-                       if (((base + dev_priv->gart_size) & 0xfffffffful)
-                           < base)
+                       if (base < dev_priv->fb_location ||
+                           ((base + dev_priv->gart_size) & 0xfffffffful) < base)
                                base = dev_priv->fb_location
                                        - dev_priv->gart_size;
                }