summaryrefslogtreecommitdiff
path: root/sys/dev
diff options
context:
space:
mode:
authorMark Kettenis <kettenis@cvs.openbsd.org>2013-12-06 20:13:30 +0000
committerMark Kettenis <kettenis@cvs.openbsd.org>2013-12-06 20:13:30 +0000
commit236f5968eef75c8e14b0b020bb15cc2f53b5041e (patch)
tree997911376710400d6f0cbb3f81eb1cc1cafcf02a /sys/dev
parentedfd16c0b58792bac00b4159c0e9ce7496fca65e (diff)
It seems to be possible to truncate an object while it is still mapped.
Don't panic in that case but force a page fault instead. Hopefully this fixes the panic during coredump that deraadt@ reported.
Diffstat (limited to 'sys/dev')
-rw-r--r--sys/dev/pci/drm/i915/i915_gem.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/sys/dev/pci/drm/i915/i915_gem.c b/sys/dev/pci/drm/i915/i915_gem.c
index 0453c341fd0..d00431c72a4 100644
--- a/sys/dev/pci/drm/i915/i915_gem.c
+++ b/sys/dev/pci/drm/i915/i915_gem.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: i915_gem.c,v 1.54 2013/12/05 13:29:56 kettenis Exp $ */
+/* $OpenBSD: i915_gem.c,v 1.55 2013/12/06 20:13:29 kettenis Exp $ */
/*
* Copyright (c) 2008-2009 Owain G. Ainsworth <oga@openbsd.org>
*
@@ -1402,7 +1402,13 @@ i915_gem_fault(struct drm_gem_object *gem_obj, struct uvm_faultinfo *ufi,
dev_priv->entries++;
- KASSERT(obj->base.map);
+ if (!obj->base.map) {
+ uvmfault_unlockall(ufi, ufi->entry->aref.ar_amap,
+ &obj->base.uobj, NULL);
+ dev_priv->entries--;
+ return (VM_PAGER_BAD);
+ }
+
offset -= obj->base.map->ext;
if (rw_enter(&dev->dev_lock, RW_NOSLEEP | RW_READ) != 0) {