From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 3 Feb 2015 03:06:35 +0000 (-0800)
Subject: 3.14-stable patches
X-Git-Tag: v3.18.6~12
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7f5165cadc5b0bd44062132d32a2d4120b1bb662;p=thirdparty%2Fkernel%2Fstable-queue.git

3.14-stable patches

added patches:
	drm-i915-only-fence-tiled-region-of-object.patch
---

diff --git a/queue-3.14/drm-i915-only-fence-tiled-region-of-object.patch b/queue-3.14/drm-i915-only-fence-tiled-region-of-object.patch
new file mode 100644
index 00000000000..85eec35b512
--- /dev/null
+++ b/queue-3.14/drm-i915-only-fence-tiled-region-of-object.patch
@@ -0,0 +1,46 @@
+From af1a7301c7cf8912dca03065d448c4437c5c239f Mon Sep 17 00:00:00 2001
+From: Bob Paauwe <bob.j.paauwe@intel.com>
+Date: Thu, 18 Dec 2014 09:51:26 -0800
+Subject: drm/i915: Only fence tiled region of object.
+
+From: Bob Paauwe <bob.j.paauwe@intel.com>
+
+commit af1a7301c7cf8912dca03065d448c4437c5c239f upstream.
+
+When creating a fence for a tiled object, only fence the area that
+makes up the actual tiles.  The object may be larger than the tiled
+area and if we allow those extra addresses to be fenced, they'll
+get converted to addresses beyond where the object is mapped. This
+opens up the possiblity of writes beyond the end of object.
+
+To prevent this, we adjust the size of the fence to only encompass
+the area that makes up the actual tiles.  The extra space is considered
+un-tiled and now behaves as if it was a linear object.
+
+Testcase: igt/gem_tiled_fence_overflow
+Reported-by: Dan Hettena <danh@ghs.com>
+Signed-off-by: Bob Paauwe <bob.j.paauwe@intel.com>
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/i915_gem.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/gpu/drm/i915/i915_gem.c
++++ b/drivers/gpu/drm/i915/i915_gem.c
+@@ -2893,6 +2893,13 @@ static void i965_write_fence_reg(struct
+ 		u32 size = i915_gem_obj_ggtt_size(obj);
+ 		uint64_t val;
+ 
++		/* Adjust fence size to match tiled area */
++		if (obj->tiling_mode != I915_TILING_NONE) {
++			uint32_t row_size = obj->stride *
++				(obj->tiling_mode == I915_TILING_Y ? 32 : 8);
++			size = (size / row_size) * row_size;
++		}
++
+ 		val = (uint64_t)((i915_gem_obj_ggtt_offset(obj) + size - 4096) &
+ 				 0xfffff000) << 32;
+ 		val |= i915_gem_obj_ggtt_offset(obj) & 0xfffff000;
diff --git a/queue-3.14/series b/queue-3.14/series
index 9e6ae8577c2..bbcaf138e38 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -23,3 +23,4 @@ dm-cache-fix-missing-err_ptr-returns-and-handling.patch
 spi-pxa2xx-clear-cur_chip-pointer-before-starting-next-message.patch
 regulator-core-fix-race-condition-in-regulator_put.patch
 drivers-net-cpsw-discard-dual-emac-default-vlan-configuration.patch
+drm-i915-only-fence-tiled-region-of-object.patch