diff --git a/shared-core/r300_cmdbuf.c b/shared-core/r300_cmdbuf.c index 0c04b5f..0e10689 100644 --- a/shared-core/r300_cmdbuf.c +++ b/shared-core/r300_cmdbuf.c @@ -720,10 +720,10 @@ static int r300_scratch(drm_radeon_priva drm_r300_cmd_header_t header) { u32 *ref_age_base; - u32 i, buf_idx, h_pending; + u32 i, h_pending; RING_LOCALS; - if (cmdbuf->bufsz < sizeof(uint64_t) + header.scratch.n_bufs * sizeof(buf_idx) ) { + if (cmdbuf->bufsz < header.scratch.n_bufs * sizeof(uint64_t)) { return DRM_ERR(EINVAL); } @@ -732,21 +732,17 @@ static int r300_scratch(drm_radeon_priva } dev_priv->scratch_ages[header.scratch.reg] ++; - + ref_age_base = (u32 *)(unsigned long)*((uint64_t *)cmdbuf->buf); - cmdbuf->buf += sizeof(uint64_t); - cmdbuf->bufsz -= sizeof(uint64_t); - for (i=0; i < header.scratch.n_bufs; i++) { - buf_idx = *(u32 *)cmdbuf->buf; - buf_idx *= 2; /* 8 bytes per buf */ - if (DRM_COPY_TO_USER(ref_age_base + buf_idx, &dev_priv->scratch_ages[header.scratch.reg], sizeof(u32))) { + + if (DRM_COPY_TO_USER(ref_age_base + i * 2, &dev_priv->scratch_ages[header.scratch.reg], sizeof(u32))) { return DRM_ERR(EINVAL); } - if (DRM_COPY_FROM_USER(&h_pending, ref_age_base + buf_idx + 1, sizeof(u32))) { + if (DRM_COPY_FROM_USER(&h_pending, ref_age_base + i * 2 + 1, sizeof(u32))) { return DRM_ERR(EINVAL); } @@ -756,18 +752,21 @@ static int r300_scratch(drm_radeon_priva h_pending--; - if (DRM_COPY_TO_USER(ref_age_base + buf_idx + 1, &h_pending, sizeof(u32))) { + if (DRM_COPY_TO_USER(ref_age_base + i * 2 + 1, &h_pending, sizeof(u32))) { return DRM_ERR(EINVAL); } - cmdbuf->buf += sizeof(buf_idx); - cmdbuf->bufsz -= sizeof(buf_idx); + cmdbuf->buf += sizeof(uint64_t); + cmdbuf->bufsz -= sizeof(uint64_t); } BEGIN_RING(2); OUT_RING( CP_PACKET0( RADEON_SCRATCH_REG0 + header.scratch.reg * 4, 0 ) ); OUT_RING( dev_priv->scratch_ages[header.scratch.reg] ); ADVANCE_RING(); + + cmdbuf->buf += sizeof(u32); + cmdbuf->bufsz -= sizeof(u32); return 0; }