diff options
author | Mark Kettenis <kettenis@cvs.openbsd.org> | 2013-12-06 20:13:30 +0000 |
---|---|---|
committer | Mark Kettenis <kettenis@cvs.openbsd.org> | 2013-12-06 20:13:30 +0000 |
commit | 236f5968eef75c8e14b0b020bb15cc2f53b5041e (patch) | |
tree | 997911376710400d6f0cbb3f81eb1cc1cafcf02a /sys/dev | |
parent | edfd16c0b58792bac00b4159c0e9ce7496fca65e (diff) |
It seems to be possible to truncate an object while it is still mapped.
Don't panic in that case but force a page fault instead. Hopefully this
fixes the panic during coredump that deraadt@ reported.
Diffstat (limited to 'sys/dev')
-rw-r--r-- | sys/dev/pci/drm/i915/i915_gem.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/sys/dev/pci/drm/i915/i915_gem.c b/sys/dev/pci/drm/i915/i915_gem.c index 0453c341fd0..d00431c72a4 100644 --- a/sys/dev/pci/drm/i915/i915_gem.c +++ b/sys/dev/pci/drm/i915/i915_gem.c @@ -1,4 +1,4 @@ -/* $OpenBSD: i915_gem.c,v 1.54 2013/12/05 13:29:56 kettenis Exp $ */ +/* $OpenBSD: i915_gem.c,v 1.55 2013/12/06 20:13:29 kettenis Exp $ */ /* * Copyright (c) 2008-2009 Owain G. Ainsworth <oga@openbsd.org> * @@ -1402,7 +1402,13 @@ i915_gem_fault(struct drm_gem_object *gem_obj, struct uvm_faultinfo *ufi, dev_priv->entries++; - KASSERT(obj->base.map); + if (!obj->base.map) { + uvmfault_unlockall(ufi, ufi->entry->aref.ar_amap, + &obj->base.uobj, NULL); + dev_priv->entries--; + return (VM_PAGER_BAD); + } + offset -= obj->base.map->ext; if (rw_enter(&dev->dev_lock, RW_NOSLEEP | RW_READ) != 0) { |