Module Name: src Committed By: riastradh Date: Thu Jun 12 15:05:29 UTC 2014
Modified Files: src/sys/dev/pci: agp_i810.c agpvar.h src/sys/external/bsd/drm/dist/bsd-core: drm_memory.c src/sys/external/bsd/drm2/drm: drm_memory.c Log Message: Check bounds in agp_i810_borrow. Out of paranoia, do a bus_space_subregion in case the old drm code tries sizes that the agp_i810 code doesn't agree with. To generate a diff of this commit: cvs rdiff -u -r1.98 -r1.99 src/sys/dev/pci/agp_i810.c cvs rdiff -u -r1.18 -r1.19 src/sys/dev/pci/agpvar.h cvs rdiff -u -r1.13 -r1.14 \ src/sys/external/bsd/drm/dist/bsd-core/drm_memory.c cvs rdiff -u -r1.3 -r1.4 src/sys/external/bsd/drm2/drm/drm_memory.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/dev/pci/agp_i810.c diff -u src/sys/dev/pci/agp_i810.c:1.98 src/sys/dev/pci/agp_i810.c:1.99 --- src/sys/dev/pci/agp_i810.c:1.98 Thu Jun 12 14:49:02 2014 +++ src/sys/dev/pci/agp_i810.c Thu Jun 12 15:05:29 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: agp_i810.c,v 1.98 2014/06/12 14:49:02 riastradh Exp $ */ +/* $NetBSD: agp_i810.c,v 1.99 2014/06/12 15:05:29 riastradh Exp $ */ /*- * Copyright (c) 2000 Doug Rabson @@ -30,7 +30,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: agp_i810.c,v 1.98 2014/06/12 14:49:02 riastradh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: agp_i810.c,v 1.99 2014/06/12 15:05:29 riastradh Exp $"); #include <sys/param.h> #include <sys/systm.h> @@ -70,6 +70,8 @@ struct agp_softc *agp_i810_sc = NULL; /* XXX hack, see below */ static bus_addr_t agp_i810_vga_regbase; +static bus_size_t agp_i810_vga_regsize; +static bus_space_tag_t agp_i810_vga_bst; static bus_space_handle_t agp_i810_vga_bsh; static u_int32_t agp_i810_get_aperture(struct agp_softc *); @@ -473,6 +475,8 @@ agp_i810_attach(device_t parent, device_ * of VGA chip registers */ agp_i810_vga_regbase = mmadr; + agp_i810_vga_regsize = isc->size; + agp_i810_vga_bst = isc->bst; agp_i810_vga_bsh = isc->bsh; /* Initialize the chipset. */ 
@@ -677,12 +681,21 @@ agp_i810_teardown_chipset_flush_page(str * of VGA chip registers */ int -agp_i810_borrow(bus_addr_t base, bus_space_handle_t *hdlp) +agp_i810_borrow(bus_addr_t base, bus_size_t size, bus_space_handle_t *hdlp) { - if (!agp_i810_vga_regbase || base != agp_i810_vga_regbase) + if (agp_i810_vga_regbase == 0) + return 0; + if (base < agp_i810_vga_regbase) + return 0; + if (agp_i810_vga_regsize < size) + return 0; + if ((base - agp_i810_vga_regbase) > (agp_i810_vga_regsize - size)) + return 0; + if (bus_space_subregion(agp_i810_vga_bst, agp_i810_vga_bsh, + (base - agp_i810_vga_regbase), (agp_i810_vga_regsize - size), + hdlp)) return 0; - *hdlp = agp_i810_vga_bsh; return 1; } Index: src/sys/dev/pci/agpvar.h diff -u src/sys/dev/pci/agpvar.h:1.18 src/sys/dev/pci/agpvar.h:1.19 --- src/sys/dev/pci/agpvar.h:1.18 Wed May 6 10:34:32 2009 +++ src/sys/dev/pci/agpvar.h Thu Jun 12 15:05:29 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: agpvar.h,v 1.18 2009/05/06 10:34:32 cegger Exp $ */ +/* $NetBSD: agpvar.h,v 1.19 2014/06/12 15:05:29 riastradh Exp $ */ /*- * Copyright (c) 2000 Doug Rabson @@ -268,6 +268,6 @@ void agp_memory_info(void *, void *, str * XXX horrible hack to allow drm code to use our mapping * of VGA chip registers */ -int agp_i810_borrow(bus_addr_t, bus_space_handle_t *); +int agp_i810_borrow(bus_addr_t, bus_size_t, bus_space_handle_t *); #endif /* !_PCI_AGPPRIV_H_ */ Index: src/sys/external/bsd/drm/dist/bsd-core/drm_memory.c diff -u src/sys/external/bsd/drm/dist/bsd-core/drm_memory.c:1.13 src/sys/external/bsd/drm/dist/bsd-core/drm_memory.c:1.14 --- src/sys/external/bsd/drm/dist/bsd-core/drm_memory.c:1.13 Thu Oct 17 21:15:18 2013 +++ src/sys/external/bsd/drm/dist/bsd-core/drm_memory.c Thu Jun 12 15:05:29 2014 
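Review bot: The length argument passed to bus_space_subregion in agp_i810_borrow is `(agp_i810_vga_regsize - size)`, but that parameter is the size of the subregion to carve out, so the borrowed handle does not describe the `size` bytes the caller asked for. The checks above it already establish that `base - agp_i810_vga_regbase` plus `size` fits inside the saved register window, so the call should read `(base - agp_i810_vga_regbase), size,`. As written, offset plus length exceeds agp_i810_vga_regsize whenever the offset is larger than `size`; a bus_space implementation that validates subregions would presumably refuse the borrow, and one that does not would hand back a handle whose nominal extent runs past the mapping. It would also help to add a short comment on the two comparisons before the subtraction, e.g. `/* ordered so neither unsigned subtraction below can wrap */`, since that ordering is what makes the bounds check sound.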
@@ -146,7 +146,8 @@ drm_netbsd_ioremap(struct drm_device *de { dev->pci_map_data[i].mapped--; #if NAGP_I810 > 0 /* XXX horrible kludge: agp might have mapped it */ - if (agp_i810_borrow(map->offset, &map->bsh)) + if (agp_i810_borrow(map->offset, map->size, + &map->bsh)) return bus_space_vaddr(map->bst, map->bsh); #endif #if NGENFB > 0 Index: src/sys/external/bsd/drm2/drm/drm_memory.c diff -u src/sys/external/bsd/drm2/drm/drm_memory.c:1.3 src/sys/external/bsd/drm2/drm/drm_memory.c:1.4 --- src/sys/external/bsd/drm2/drm/drm_memory.c:1.3 Wed May 14 04:38:49 2014 +++ src/sys/external/bsd/drm2/drm/drm_memory.c Thu Jun 12 15:05:29 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: drm_memory.c,v 1.3 2014/05/14 04:38:49 riastradh Exp $ */ +/* $NetBSD: drm_memory.c,v 1.4 2014/06/12 15:05:29 riastradh Exp $ */ /*- * Copyright (c) 2013 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: drm_memory.c,v 1.3 2014/05/14 04:38:49 riastradh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: drm_memory.c,v 1.4 2014/06/12 15:05:29 riastradh Exp $"); #ifdef _KERNEL_OPT #include "agp_i810.h" @@ -58,11 +58,11 @@ __KERNEL_RCSID(0, "$NetBSD: drm_memory.c * XXX drm_bus_borrow is a horrible kludge! */ static bool -drm_bus_borrow(bus_addr_t base, bus_space_handle_t *handlep) +drm_bus_borrow(bus_addr_t base, bus_size_t size, bus_space_handle_t *handlep) { #if NAGP_I810 > 0 - if (agp_i810_borrow(base, handlep)) + if (agp_i810_borrow(base, size, handlep)) return true; #endif @@ -113,7 +113,8 @@ drm_ioremap(struct drm_device *dev, stru } /* Couldn't map it. Try borrowing from someone else. */ - if (drm_bus_borrow(map->offset, &map->lm_data.bus_space.bsh)) { + if (drm_bus_borrow(map->offset, map->size, + &map->lm_data.bus_space.bsh)) { map->lm_data.bus_space.bus_map = NULL; goto win; }