summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--shared-core/nouveau_fifo.c3
-rw-r--r--shared-core/nouveau_object.c26
2 files changed, 28 insertions, 1 deletions
diff --git a/shared-core/nouveau_fifo.c b/shared-core/nouveau_fifo.c
index bc3a9948..fcdc14c8 100644
--- a/shared-core/nouveau_fifo.c
+++ b/shared-core/nouveau_fifo.c
@@ -474,6 +474,9 @@ static int nouveau_ioctl_fifo_alloc(DRM_IOCTL_ARGS)
DRM_COPY_FROM_USER_IOCTL(init, (drm_nouveau_fifo_alloc_t __user *) data,
sizeof(init));
+ if (init.fb_ctxdma_handle == ~0 || init.tt_ctxdma_handle == ~0)
+ return DRM_ERR(EINVAL);
+
res = nouveau_fifo_alloc(dev, &init.channel, filp,
init.fb_ctxdma_handle,
init.tt_ctxdma_handle);
diff --git a/shared-core/nouveau_object.c b/shared-core/nouveau_object.c
index dcb29b40..82944c2b 100644
--- a/shared-core/nouveau_object.c
+++ b/shared-core/nouveau_object.c
@@ -470,6 +470,26 @@ nouveau_gpuobj_new_ref(drm_device_t *dev, int oc, int rc, uint32_t handle,
return 0;
}
+static int
+nouveau_gpuobj_ref_find(drm_device_t *dev, int channel, uint32_t handle,
+ nouveau_gpuobj_ref_t **ref_ret)
+{
+ drm_nouveau_private_t *dev_priv = dev->dev_private;
+ struct nouveau_fifo *chan = dev_priv->fifos[channel];
+ nouveau_gpuobj_ref_t *ref = chan->ramht_refs;
+
+ while (ref) {
+ if (ref->handle == handle) {
+ if (ref_ret)
+ *ref_ret = ref;
+ return 0;
+ }
+ ref = ref->next;
+ }
+
+ return DRM_ERR(EINVAL);
+}
+
int
nouveau_gpuobj_new_fake(drm_device_t *dev, uint32_t offset, uint32_t size,
uint32_t flags, nouveau_gpuobj_t **pgpuobj,
@@ -927,7 +947,11 @@ int nouveau_ioctl_grobj_alloc(DRM_IOCTL_ARGS)
}
//FIXME: check args, only allow trusted objects to be created
- //FIXME: check for pre-existing handle
+
+ if (init.handle == ~0)
+ return DRM_ERR(EINVAL);
+ if (nouveau_gpuobj_ref_find(dev, init.channel, init.handle, NULL) == 0)
+ return DRM_ERR(EEXIST);
if ((ret = nouveau_gpuobj_gr_new(dev, init.channel, init.class, &gr))) {
DRM_ERROR("Error creating gr object: %d (%d/0x%08x)\n",