diff options
| author | Chris Wilson <[email protected]> | 2017-01-23 14:52:45 +0000 |
|---|---|---|
| committer | Chris Wilson <[email protected]> | 2017-01-23 15:52:23 +0000 |
| commit | 7c518460303353084ebcfca99bc4b67ce33745a1 (patch) | |
| tree | c4b2f937de57029d313fdb42bba475979a6bcf31 /tools/perf/scripts/python | |
| parent | 4c01ded5732d6533a2858fae30c197f734745062 (diff) | |
drm/i915: Pevent copying uninitialised garbage into vma->ggtt_view
Since tweaking i915_vma_compare() we allowed constructors to skip
clearing the ggtt_view believing that we didn't access the unused
members. That, as it turns out, was not entirely true. In particular,
i915_gem_fault() uses
ret = remap_io_mapping(area,
area->vm_start + (vma->ggtt_view.partial.offset << PAGE_SHIFT),
(ggtt->mappable_base + vma->node.start) >> PAGE_SHIFT,
min_t(u64, vma->size, area->vm_end - area->vm_start),
&ggtt->mappable);
i.e. the ggtt_view.partial for both normal and partial views. If we
allowed garbage into the normal vma->ggtt_view and then try userspace
tried to mmap it, we could explode in an unobvious fashion.
Fixes: 7b92c047bae2 ("drm/i915: Eliminate superfluous i915_ggtt_view_rotated")
Fixes: 3bf4d5751943 ("drm/i915: Stop clearing i915_ggtt_view")
Reported-by: Matthew Auld <[email protected]>
Signed-off-by: Chris Wilson <[email protected]>
Cc: Joonas Lahtinen <[email protected]>
Cc: Matthew Auld <[email protected]>
Link: http://patchwork.freedesktop.org/patch/msgid/[email protected]
Tested-by: Matthew Auld <[email protected]>
Reviewed-by: Matthew Auld <[email protected]>
Diffstat (limited to 'tools/perf/scripts/python')
0 files changed, 0 insertions, 0 deletions