The UMP code allocated the requested size in the page table, and
then tried to map the original buffer size on the same page table.
This led to nice segfaults when userspace did not completely map
a UMP buffer (which it only rarely does).

Signed-off-by: Luc Verhaegen <l...@skynet.be>
---
 drivers/gpu/mali/mali/common/mali_memory.c |   12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/mali/mali/common/mali_memory.c 
b/drivers/gpu/mali/mali/common/mali_memory.c
index 776dd1e..613bd88 100644
--- a/drivers/gpu/mali/mali/common/mali_memory.c
+++ b/drivers/gpu/mali/mali/common/mali_memory.c
@@ -482,8 +482,14 @@ static mali_physical_memory_allocation_result 
ump_memory_commit(void* ctx, mali_
 
        for(i=0; i<nr_blocks; ++i)
        {
-               MALI_DEBUG_PRINT(4, ("Mapping in 0x%08x size %d\n", 
ump_blocks[i].addr , ump_blocks[i].size));
-               if (_MALI_OSK_ERR_OK != 
mali_allocation_engine_map_physical(engine, descriptor, *offset, 
ump_blocks[i].addr , 0, ump_blocks[i].size ))
+               u32 remainder = descriptor->size - (*offset - 
ret_allocation->initial_offset);
+
+               if (remainder > ump_blocks[i].size)
+                       remainder = ump_blocks[i].size;
+
+               MALI_DEBUG_PRINT(4, ("Mapping in 0x%08x size %d\n", 
ump_blocks[i].addr , remainder));
+
+               if (_MALI_OSK_ERR_OK != 
mali_allocation_engine_map_physical(engine, descriptor, *offset, 
ump_blocks[i].addr , 0, remainder))
                {
                        u32 size_allocated = *offset - 
ret_allocation->initial_offset;
                        MALI_DEBUG_PRINT(1, ("Mapping of external memory 
failed\n"));
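Review bot: Once the requested range is fully covered, `remainder` becomes 0, yet the loop in ump_memory_commit still calls mali_allocation_engine_map_physical() with a zero size for every remaining UMP block. Whether that helper treats a zero-length mapping as a no-op is not visible in this hunk. Adding `if (remainder == 0) break;` right after the clamp would stop at the end of the requested range. The subtraction is done in u32, so it relies on `*offset - ret_allocation->initial_offset` never exceeding `descriptor->size`; this appears to hold because the second hunk advances `*offset` by `remainder`, but a comment such as `/* bytes mapped so far never exceed descriptor->size, so this cannot wrap */` would make the invariant explicit. The function body starts before and continues after the hunk, so the initial value of `*offset` should be confirmed there.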
@@ -495,7 +501,7 @@ static mali_physical_memory_allocation_result 
ump_memory_commit(void* ctx, mali_
                        _mali_osk_free(ret_allocation);
                        return MALI_MEM_ALLOC_INTERNAL_FAILURE;
                }
-               *offset += ump_blocks[i].size;
+               *offset += remainder;
        }
 
        if (descriptor->flags & MALI_MEMORY_ALLOCATION_FLAG_MAP_GUARD_PAGE)
-- 
1.7.7
