From 4802ce11778664a69b308c5aa9b95350b76793be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>
Date: Wed, 10 Jun 2015 17:20:11 +0200
Subject: [PATCH] drm/amdgpu: fix UVD/VCE VM emulation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
index f6b224a69b3a..f09b2cba40ca 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
@@ -564,21 +564,33 @@ static int amdgpu_cs_ib_fill(struct amdgpu_device *adev,
 			return r;
 
 		if (ring->funcs->parse_cs) {
+			struct amdgpu_bo_va_mapping *m;
 			struct amdgpu_bo *aobj = NULL;
-			void *kptr;
+			uint64_t offset;
+			uint8_t *kptr;
 
-			amdgpu_cs_find_mapping(parser, chunk_ib->va_start, &aobj);
+			m = amdgpu_cs_find_mapping(parser, chunk_ib->va_start,
+						   &aobj);
 			if (!aobj) {
 				DRM_ERROR("IB va_start is invalid\n");
 				return -EINVAL;
 			}
 
+			if ((chunk_ib->va_start + chunk_ib->ib_bytes) >
+			    (m->it.last + 1) * AMDGPU_GPU_PAGE_SIZE) {
+				DRM_ERROR("IB va_start+ib_bytes is invalid\n");
+				return -EINVAL;
+			}
+
 			/* the IB should be reserved at this point */
-			r = amdgpu_bo_kmap(aobj, &kptr);
+			r = amdgpu_bo_kmap(aobj, (void **)&kptr);
 			if (r) {
 				return r;
 			}
 
+			offset = ((uint64_t)m->it.start) * AMDGPU_GPU_PAGE_SIZE;
+			kptr += chunk_ib->va_start - offset;
+
 			r =  amdgpu_ib_get(ring, NULL, chunk_ib->ib_bytes, ib);
 			if (r) {
 				DRM_ERROR("Failed to get ib !\n");