From 8ff026723cf170034173052a58c650c8c1f28c0b Mon Sep 17 00:00:00 2001 From: =?utf8?q?Michel=20D=C3=A4nzer?= Date: Thu, 11 Jan 2007 09:02:07 +0100 Subject: [PATCH] radeon: Fix u32 overflows when determining AGP base address in card space. The overflows could lead to the AGP aperture overlapping the framebuffer area in the card's address space when the latter is located at the very end of the 32 bit address space, which would result in a freeze on X server startup, probably because the card read commands from the framebuffer instead of from AGP. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=392915 . --- shared-core/radeon_cp.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/shared-core/radeon_cp.c b/shared-core/radeon_cp.c index 4135f4d..0fa6535 100644 --- a/shared-core/radeon_cp.c +++ b/shared-core/radeon_cp.c @@ -1563,8 +1563,8 @@ static int radeon_do_init_cp(drm_device_t * dev, drm_radeon_init_t * init) if (dev_priv->flags & RADEON_IS_AGP) { base = dev->agp->base; /* Check if valid */ - if ((base + dev_priv->gart_size) > dev_priv->fb_location && - base < (dev_priv->fb_location + dev_priv->fb_size)) { + if ((base + dev_priv->gart_size - 1) >= dev_priv->fb_location && + base < (dev_priv->fb_location + dev_priv->fb_size - 1)) { DRM_INFO("Can't use AGP base @0x%08lx, won't fit\n", dev->agp->base); base = 0; @@ -1574,8 +1574,8 @@ static int radeon_do_init_cp(drm_device_t * dev, drm_radeon_init_t * init) /* If not or if AGP is at 0 (Macs), try to put it elsewhere */ if (base == 0) { base = dev_priv->fb_location + dev_priv->fb_size; - if (((base + dev_priv->gart_size) & 0xfffffffful) - < base) + if (base < dev_priv->fb_location || + ((base + dev_priv->gart_size) & 0xfffffffful) < base) base = dev_priv->fb_location - dev_priv->gart_size; } -- 2.7.4