projects / mesa.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7b82f0f)
r6xx/r7xx: emit relocation for FRAG & TILE buffer
authorJerome Glisse <jglisse@redhat.com>
Mon, 18 Jan 2010 10:05:50 +0000 (11:05 +0100)
committerJerome Glisse <jglisse@redhat.com>
Mon, 18 Jan 2010 11:14:07 +0000 (12:14 +0100)
FRAG & TILE buffer are unused but still they need
to be associated with a valid relocation so that
userspace can't try to abuse them to overwritte
GART and then try to write anywhere in system
memory.

src/mesa/drivers/dri/r600/r700_chip.c patch | blob | history

diff --git a/src/mesa/drivers/dri/r600/r700_chip.c b/src/mesa/drivers/dri/r600/r700_chip.c
index 3bc2d2ba02b44658fa4fee54c05654a3a4d925b2..1a1a87c3cf919e54781100393952d950699df47a 100644 (file)
--- a/src/mesa/drivers/dri/r600/r700_chip.c
+++ b/src/mesa/drivers/dri/r600/r700_chip.c
@@ -453,13 +453,31 @@ static void r700SendRenderTargetState(GLcontext *ctx, struct radeon_state_atom *
                R600_OUT_BATCH((2 << id));
                END_BATCH();
        }
+       /* Set CMASK & TILE buffer to the offset of color buffer as
+        * we don't use those this shouldn't cause any issue and we
+        * then have a valid cmd stream
+        */
+       BEGIN_BATCH_NO_AUTOSTATE(3 + 2);
+       R600_OUT_BATCH_REGSEQ(CB_COLOR0_TILE + (4 * id), 1);
+       R600_OUT_BATCH(r700->render_target[id].CB_COLOR0_TILE.u32All);
+       R600_OUT_BATCH_RELOC(r700->render_target[id].CB_COLOR0_BASE.u32All,
+                            rrb->bo,
+                            r700->render_target[id].CB_COLOR0_BASE.u32All,
+                            0, RADEON_GEM_DOMAIN_VRAM, 0);
+       END_BATCH();
+       BEGIN_BATCH_NO_AUTOSTATE(3 + 2);
+       R600_OUT_BATCH_REGSEQ(CB_COLOR0_FRAG + (4 * id), 1);
+       R600_OUT_BATCH(r700->render_target[id].CB_COLOR0_FRAG.u32All);
+       R600_OUT_BATCH_RELOC(r700->render_target[id].CB_COLOR0_BASE.u32All,
+                            rrb->bo,
+                            r700->render_target[id].CB_COLOR0_BASE.u32All,
+                            0, RADEON_GEM_DOMAIN_VRAM, 0);
+        END_BATCH();
 
-        BEGIN_BATCH_NO_AUTOSTATE(18);
+        BEGIN_BATCH_NO_AUTOSTATE(12);
        R600_OUT_BATCH_REGVAL(CB_COLOR0_SIZE + (4 * id), r700->render_target[id].CB_COLOR0_SIZE.u32All);
        R600_OUT_BATCH_REGVAL(CB_COLOR0_VIEW + (4 * id), r700->render_target[id].CB_COLOR0_VIEW.u32All);
        R600_OUT_BATCH_REGVAL(CB_COLOR0_INFO + (4 * id), r700->render_target[id].CB_COLOR0_INFO.u32All);
-       R600_OUT_BATCH_REGVAL(CB_COLOR0_TILE + (4 * id), r700->render_target[id].CB_COLOR0_TILE.u32All);
-       R600_OUT_BATCH_REGVAL(CB_COLOR0_FRAG + (4 * id), r700->render_target[id].CB_COLOR0_FRAG.u32All);
        R600_OUT_BATCH_REGVAL(CB_COLOR0_MASK + (4 * id), r700->render_target[id].CB_COLOR0_MASK.u32All);
         END_BATCH();