Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys Check bounds in agp_i810_borrow.
details: https://anonhg.NetBSD.org/src/rev/3ecdcfdd5d42
branches: trunk
changeset: 329861:3ecdcfdd5d42
user: riastradh <riastradh%NetBSD.org@localhost>
date: Thu Jun 12 15:05:29 2014 +0000
description:
Check bounds in agp_i810_borrow.
Out of paranoia, do a bus_space_subregion in case the old drm code
tries sizes that the agp_i810 code doesn't agree with.
diffstat:
sys/dev/pci/agp_i810.c | 23 ++++++++++++++++++-----
sys/dev/pci/agpvar.h | 4 ++--
sys/external/bsd/drm/dist/bsd-core/drm_memory.c | 3 ++-
sys/external/bsd/drm2/drm/drm_memory.c | 11 ++++++-----
4 files changed, 28 insertions(+), 13 deletions(-)
diffs (133 lines):
diff -r 7923fb17976d -r 3ecdcfdd5d42 sys/dev/pci/agp_i810.c
--- a/sys/dev/pci/agp_i810.c Thu Jun 12 14:49:02 2014 +0000
+++ b/sys/dev/pci/agp_i810.c Thu Jun 12 15:05:29 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: agp_i810.c,v 1.98 2014/06/12 14:49:02 riastradh Exp $ */
+/* $NetBSD: agp_i810.c,v 1.99 2014/06/12 15:05:29 riastradh Exp $ */
/*-
* Copyright (c) 2000 Doug Rabson
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: agp_i810.c,v 1.98 2014/06/12 14:49:02 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: agp_i810.c,v 1.99 2014/06/12 15:05:29 riastradh Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -70,6 +70,8 @@
/* XXX hack, see below */
static bus_addr_t agp_i810_vga_regbase;
+static bus_size_t agp_i810_vga_regsize;
+static bus_space_tag_t agp_i810_vga_bst;
static bus_space_handle_t agp_i810_vga_bsh;
static u_int32_t agp_i810_get_aperture(struct agp_softc *);
@@ -473,6 +475,8 @@
* of VGA chip registers
*/
agp_i810_vga_regbase = mmadr;
+ agp_i810_vga_regsize = isc->size;
+ agp_i810_vga_bst = isc->bst;
agp_i810_vga_bsh = isc->bsh;
/* Initialize the chipset. */
@@ -677,12 +681,21 @@
* of VGA chip registers
*/
int
-agp_i810_borrow(bus_addr_t base, bus_space_handle_t *hdlp)
+agp_i810_borrow(bus_addr_t base, bus_size_t size, bus_space_handle_t *hdlp)
{
- if (!agp_i810_vga_regbase || base != agp_i810_vga_regbase)
+ if (agp_i810_vga_regbase == 0)
+ return 0;
+ if (base < agp_i810_vga_regbase)
+ return 0;
+ if (agp_i810_vga_regsize < size)
return 0;
- *hdlp = agp_i810_vga_bsh;
+ if ((base - agp_i810_vga_regbase) > (agp_i810_vga_regsize - size))
+ return 0;
+ if (bus_space_subregion(agp_i810_vga_bst, agp_i810_vga_bsh,
+ (base - agp_i810_vga_regbase), (agp_i810_vga_regsize - size),
+ hdlp))
+ return 0;
return 1;
}
diff -r 7923fb17976d -r 3ecdcfdd5d42 sys/dev/pci/agpvar.h
--- a/sys/dev/pci/agpvar.h Thu Jun 12 14:49:02 2014 +0000
+++ b/sys/dev/pci/agpvar.h Thu Jun 12 15:05:29 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: agpvar.h,v 1.18 2009/05/06 10:34:32 cegger Exp $ */
+/* $NetBSD: agpvar.h,v 1.19 2014/06/12 15:05:29 riastradh Exp $ */
/*-
* Copyright (c) 2000 Doug Rabson
@@ -268,6 +268,6 @@
* XXX horrible hack to allow drm code to use our mapping
* of VGA chip registers
*/
-int agp_i810_borrow(bus_addr_t, bus_space_handle_t *);
+int agp_i810_borrow(bus_addr_t, bus_size_t, bus_space_handle_t *);
#endif /* !_PCI_AGPPRIV_H_ */
diff -r 7923fb17976d -r 3ecdcfdd5d42 sys/external/bsd/drm/dist/bsd-core/drm_memory.c
--- a/sys/external/bsd/drm/dist/bsd-core/drm_memory.c Thu Jun 12 14:49:02 2014 +0000
+++ b/sys/external/bsd/drm/dist/bsd-core/drm_memory.c Thu Jun 12 15:05:29 2014 +0000
@@ -146,7 +146,8 @@
{
dev->pci_map_data[i].mapped--;
#if NAGP_I810 > 0 /* XXX horrible kludge: agp might have mapped it */
- if (agp_i810_borrow(map->offset, &map->bsh))
+ if (agp_i810_borrow(map->offset, map->size,
+ &map->bsh))
return bus_space_vaddr(map->bst, map->bsh);
#endif
#if NGENFB > 0
diff -r 7923fb17976d -r 3ecdcfdd5d42 sys/external/bsd/drm2/drm/drm_memory.c
--- a/sys/external/bsd/drm2/drm/drm_memory.c Thu Jun 12 14:49:02 2014 +0000
+++ b/sys/external/bsd/drm2/drm/drm_memory.c Thu Jun 12 15:05:29 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: drm_memory.c,v 1.3 2014/05/14 04:38:49 riastradh Exp $ */
+/* $NetBSD: drm_memory.c,v 1.4 2014/06/12 15:05:29 riastradh Exp $ */
/*-
* Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: drm_memory.c,v 1.3 2014/05/14 04:38:49 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: drm_memory.c,v 1.4 2014/06/12 15:05:29 riastradh Exp $");
#ifdef _KERNEL_OPT
#include "agp_i810.h"
@@ -58,11 +58,11 @@
* XXX drm_bus_borrow is a horrible kludge!
*/
static bool
-drm_bus_borrow(bus_addr_t base, bus_space_handle_t *handlep)
+drm_bus_borrow(bus_addr_t base, bus_size_t size, bus_space_handle_t *handlep)
{
#if NAGP_I810 > 0
- if (agp_i810_borrow(base, handlep))
+ if (agp_i810_borrow(base, size, handlep))
return true;
#endif
@@ -113,7 +113,8 @@
}
/* Couldn't map it. Try borrowing from someone else. */
- if (drm_bus_borrow(map->offset, &map->lm_data.bus_space.bsh)) {
+ if (drm_bus_borrow(map->offset, map->size,
+ &map->lm_data.bus_space.bsh)) {
map->lm_data.bus_space.bus_map = NULL;
goto win;
}
Home |
Main Index |
Thread Index |
Old Index