From a02d3d0eefe03576c33294b4201fdbe6bde21cde Mon Sep 17 00:00:00 2001
From: Martin Jansa
Date: Mon, 15 Nov 2010 21:58:14 +0100
Subject: xf86-video-glamo: fix stack corruption from overflowing cmdq
Signed-off-by: Martin Jansa
---
 ...efine-GLAMO_CMDQ_MAX_COUNT-instead-of-mag.patch | 66 ++++++++++++++++++++++
 recipes/xorg-driver/xf86-video-glamo_git.bb | 3 +-
 2 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 recipes/xorg-driver/xf86-video-glamo/0001-glamo-drm-define-GLAMO_CMDQ_MAX_COUNT-instead-of-mag.patch
diff --git a/recipes/xorg-driver/xf86-video-glamo/0001-glamo-drm-define-GLAMO_CMDQ_MAX_COUNT-instead-of-mag.patch b/recipes/xorg-driver/xf86-video-glamo/0001-glamo-drm-define-GLAMO_CMDQ_MAX_COUNT-instead-of-mag.patch
new file mode 100644
index 0000000000..0c7350fc18
--- /dev/null
+++ b/recipes/xorg-driver/xf86-video-glamo/0001-glamo-drm-define-GLAMO_CMDQ_MAX_COUNT-instead-of-mag.patch
@@ -0,0 +1,66 @@
+From e2d0f9a3ba7f36b0b8ac8d736dd76da6e5e07f38 Mon Sep 17 00:00:00 2001
+From: Martin Jansa
+Date: Fri, 29 Oct 2010 11:19:08 +0200
+Subject: [PATCH] glamo-drm: define GLAMO_CMDQ_MAX_COUNT instead of magic constant 1024
+
+* fix check for full queue, because size != count here
+* make sure we have enough space in queue for 2 resp. 4 more commands in
+ GlamoDRMAddCommand resp. GlamoDRMAddCommandBO
+
+Signed-off-by: Martin Jansa
+---
+ src/glamo-drm.c | 16 +++++++++++-----
+ 1 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/src/glamo-drm.c b/src/glamo-drm.c
+index aac93bb..01e8510 100644
+--- a/src/glamo-drm.c
++++ b/src/glamo-drm.c
+@@ -32,6 +32,8 @@
+
+ #include "glamo.h"
+
++/* How many commands can be stored before forced dispatch */
++#define GLAMO_CMDQ_MAX_COUNT 1024
+
+ /* Submit the prepared command sequence to the kernel */
+ void GlamoDRMDispatch(GlamoPtr pGlamo)
+@@ -60,7 +62,7 @@ void GlamoDRMDispatch(GlamoPtr pGlamo)
+
+ void GlamoDRMAddCommand(GlamoPtr pGlamo, uint16_t reg, uint16_t val)
+ {
+- if ( pGlamo->cmdq_drm_used == pGlamo->cmdq_drm_size ) {
++ if ( pGlamo->cmdq_drm_used >= GLAMO_CMDQ_MAX_COUNT - 2 ) {
+ xf86DrvMsg(pGlamo->pScreen->myNum, X_INFO,
+ "Forced command cache flush.\n");
+ GlamoDRMDispatch(pGlamo);
+@@ -74,7 +76,8 @@ void GlamoDRMAddCommand(GlamoPtr pGlamo, uint16_t reg, uint16_t val)
+
+ void GlamoDRMAddCommandBO(GlamoPtr pGlamo, uint16_t reg, struct glamo_bo *bo)
+ {
+- if ( pGlamo->cmdq_drm_used == pGlamo->cmdq_drm_size ) {
++ if ( pGlamo->cmdq_drm_used >= GLAMO_CMDQ_MAX_COUNT - 4 ||
++ pGlamo->cmdq_obj_used >= GLAMO_CMDQ_MAX_COUNT) {
+ xf86DrvMsg(pGlamo->pScreen->myNum, X_INFO,
+ "Forced command cache flush.\n");
+ GlamoDRMDispatch(pGlamo);
+@@ -98,10 +101,13 @@ void GlamoDRMAddCommandBO(GlamoPtr pGlamo, uint16_t reg, struct glamo_bo *bo)
+
+ void GlamoDRMInit(GlamoPtr pGlamo)
+ {
+- pGlamo->cmdq_objs = malloc(1024);
+- pGlamo->cmdq_obj_pos = malloc(1024);
++ pGlamo->cmdq_objs = malloc(GLAMO_CMDQ_MAX_COUNT);
++ pGlamo->cmdq_obj_pos = malloc(GLAMO_CMDQ_MAX_COUNT);
+ pGlamo->cmdq_obj_used = 0;
+ pGlamo->cmdq_drm_used = 0;
+- pGlamo->cmdq_drm_size = 4 * 1024;
++ /* we're using 2bytes per entry (uint16_t) that's why we need to allocate
++ * GLAMO_CMDQ_MAX_COUNT * 2 bytes
++ */
++ pGlamo->cmdq_drm_size = 2 * GLAMO_CMDQ_MAX_COUNT;
+ pGlamo->cmdq_drm = malloc(pGlamo->cmdq_drm_size);
+ }
+--
+1.7.3.2
+
diff --git a/recipes/xorg-driver/xf86-video-glamo_git.bb b/recipes/xorg-driver/xf86-video-glamo_git.bb
index d08018181d..4279ea25bf 100644
--- a/recipes/xorg-driver/xf86-video-glamo_git.bb
+++ b/recipes/xorg-driver/xf86-video-glamo_git.bb
@@ -4,9 +4,10 @@ DEPENDS += "libdrm"
 RDEPENDS_${PN} = "xserver-xorg-extension-dri xserver-xorg-extension-dri2 xserver-xorg-extension-glx mesa-dri"
 PE = "2"
 PV = "1.0.0+gitr${SRCPV}"
-PR = "${INC_PR}.4"
+PR = "${INC_PR}.5"
 SRC_URI = "git://git.openmoko.org/git/xf86-video-glamo.git;protocol=git;branch=master \
+ file://0001-glamo-drm-define-GLAMO_CMDQ_MAX_COUNT-instead-of-mag.patch \
 "
 S = "${WORKDIR}/git"
--
cgit 1.2.3-korg
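Review bot: In the embedded patch's GlamoDRMInit hunk, `cmdq_objs` and `cmdq_obj_pos` are still allocated with `malloc(GLAMO_CMDQ_MAX_COUNT)`, which is 1024 bytes, while the new guard in GlamoDRMAddCommandBO lets `cmdq_obj_used` grow to 1024 entries. The element types of those two arrays are declared outside this patch (presumably in glamo.h); if either is wider than one byte, the entry bound exceeds the allocation and the heap buffer can still be overrun before the forced flush triggers. Sizing by element keeps count and bytes in step, e.g. `pGlamo->cmdq_objs = malloc(GLAMO_CMDQ_MAX_COUNT * sizeof *pGlamo->cmdq_objs);`, and likewise for `cmdq_obj_pos` and for `cmdq_drm` in place of the hand-written `2 *`. None of the three `malloc` results is checked for NULL before the Add functions write through them, so an allocation failure would surface as a crash at first use.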