From 0e293213433f291349763d6b841b73a0b206e1e7 Mon Sep 17 00:00:00 2001
From: Chris Wilson <chris@chris-wilson.co.uk>
Date: Tue, 3 Apr 2012 14:46:12 +0100
Subject: [PATCH] agp/intel,drm/i915: Catch address-0 writes using invalid
 PTEs

Beware the evil userspace that likes to overwrite the HWS and
ringbuffers by using the GPU to detect wild writes to address 0.
---
 drivers/char/agp/intel-gtt.c        |   11 +++++++++++
 drivers/gpu/drm/i915/i915_gem_gtt.c |    3 +++
 include/drm/intel-gtt.h             |    1 +
 3 files changed, 15 insertions(+), 0 deletions(-)

diff --git a/drivers/char/agp/intel-gtt.c b/drivers/char/agp/intel-gtt.c
index 5cf47ac..01b1ee8 100644
--- a/drivers/char/agp/intel-gtt.c
+++ b/drivers/char/agp/intel-gtt.c
@@ -970,6 +970,17 @@ out_err:
 	return ret;
 }
 
+void intel_gtt_zap_range(unsigned int first_entry, unsigned int num_entries)
+{
+	unsigned int i;
+
+	for (i = first_entry; i < (first_entry + num_entries); i++) {
+		writel(0, intel_private.gtt + i);
+	}
+	readl(intel_private.gtt+i-1);
+}
+EXPORT_SYMBOL(intel_gtt_zap_range);
+
 void intel_gtt_clear_range(unsigned int first_entry, unsigned int num_entries)
 {
 	unsigned int i;
diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.c b/drivers/gpu/drm/i915/i915_gem_gtt.c
index 64eec75..9292b8d 100644
--- a/drivers/gpu/drm/i915/i915_gem_gtt.c
+++ b/drivers/gpu/drm/i915/i915_gem_gtt.c
@@ -446,6 +446,9 @@ void i915_gem_init_global_gtt(struct drm_device *dev,
 {
 	drm_i915_private_t *dev_priv = dev->dev_private;
 
+	intel_gtt_zap_range(start / PAGE_SIZE, 16);
+	start += 16 * PAGE_SIZE;
+
 	/* Substract the guard page ... */
 	drm_mm_init(&dev_priv->mm.gtt_space, start, end - start - PAGE_SIZE);
 	if (INTEL_INFO(dev)->gen < 4)
diff --git a/include/drm/intel-gtt.h b/include/drm/intel-gtt.h
index 0a0001b..5feb7d8 100644
--- a/include/drm/intel-gtt.h
+++ b/include/drm/intel-gtt.h
@@ -24,6 +24,7 @@ const struct intel_gtt {
 void intel_gtt_chipset_flush(void);
 void intel_gtt_unmap_memory(struct scatterlist *sg_list, int num_sg);
 void intel_gtt_clear_range(unsigned int first_entry, unsigned int num_entries);
+void intel_gtt_zap_range(unsigned int first_entry, unsigned int num_entries);
 int intel_gtt_map_memory(struct page **pages, unsigned int num_entries,
 			 struct scatterlist **sg_list, int *num_sg);
 void intel_gtt_insert_sg_entries(struct scatterlist *sg_list,
-- 
1.7.9.1