summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJerome Glisse <jglisse@redhat.com>2010-01-18 11:05:50 +0100
committerJerome Glisse <jglisse@redhat.com>2010-01-18 12:14:07 +0100
commit46dc6fd3ed5ef96cda53641a97bc68c3bc104a9f (patch)
treee05c97abfefb4f21e9b39cdfa9a782ac62be92ae
parent7b82f0f67e4614fc12aee492b0a3cdf5db7391df (diff)
r6xx/r7xx: emit relocation for FRAG & TILE buffer
FRAG & TILE buffer are unused but still they need to be associated with a valid relocation so that userspace can't try to abuse them to overwritte GART and then try to write anywhere in system memory.
-rw-r--r--src/mesa/drivers/dri/r600/r700_chip.c24
1 files changed, 21 insertions, 3 deletions
diff --git a/src/mesa/drivers/dri/r600/r700_chip.c b/src/mesa/drivers/dri/r600/r700_chip.c
index 3bc2d2ba02..1a1a87c3cf 100644
--- a/src/mesa/drivers/dri/r600/r700_chip.c
+++ b/src/mesa/drivers/dri/r600/r700_chip.c
@@ -453,13 +453,31 @@ static void r700SendRenderTargetState(GLcontext *ctx, struct radeon_state_atom *
R600_OUT_BATCH((2 << id));
END_BATCH();
}
+ /* Set CMASK & TILE buffer to the offset of color buffer as
+ * we don't use those this shouldn't cause any issue and we
+ * then have a valid cmd stream
+ */
+ BEGIN_BATCH_NO_AUTOSTATE(3 + 2);
+ R600_OUT_BATCH_REGSEQ(CB_COLOR0_TILE + (4 * id), 1);
+ R600_OUT_BATCH(r700->render_target[id].CB_COLOR0_TILE.u32All);
+ R600_OUT_BATCH_RELOC(r700->render_target[id].CB_COLOR0_BASE.u32All,
+ rrb->bo,
+ r700->render_target[id].CB_COLOR0_BASE.u32All,
+ 0, RADEON_GEM_DOMAIN_VRAM, 0);
+ END_BATCH();
+ BEGIN_BATCH_NO_AUTOSTATE(3 + 2);
+ R600_OUT_BATCH_REGSEQ(CB_COLOR0_FRAG + (4 * id), 1);
+ R600_OUT_BATCH(r700->render_target[id].CB_COLOR0_FRAG.u32All);
+ R600_OUT_BATCH_RELOC(r700->render_target[id].CB_COLOR0_BASE.u32All,
+ rrb->bo,
+ r700->render_target[id].CB_COLOR0_BASE.u32All,
+ 0, RADEON_GEM_DOMAIN_VRAM, 0);
+ END_BATCH();
- BEGIN_BATCH_NO_AUTOSTATE(18);
+ BEGIN_BATCH_NO_AUTOSTATE(12);
R600_OUT_BATCH_REGVAL(CB_COLOR0_SIZE + (4 * id), r700->render_target[id].CB_COLOR0_SIZE.u32All);
R600_OUT_BATCH_REGVAL(CB_COLOR0_VIEW + (4 * id), r700->render_target[id].CB_COLOR0_VIEW.u32All);
R600_OUT_BATCH_REGVAL(CB_COLOR0_INFO + (4 * id), r700->render_target[id].CB_COLOR0_INFO.u32All);
- R600_OUT_BATCH_REGVAL(CB_COLOR0_TILE + (4 * id), r700->render_target[id].CB_COLOR0_TILE.u32All);
- R600_OUT_BATCH_REGVAL(CB_COLOR0_FRAG + (4 * id), r700->render_target[id].CB_COLOR0_FRAG.u32All);
R600_OUT_BATCH_REGVAL(CB_COLOR0_MASK + (4 * id), r700->render_target[id].CB_COLOR0_MASK.u32All);
END_BATCH();