1. 09 Feb, 2005 3 commits
    • Dave Airlie's avatar
      Merge starflyer.(none):/foo/airlied/bitkeeper/linux-2.5 · 7dcd6234
      Dave Airlie authored
      into starflyer.(none):/foo/airlied/bitkeeper/drm-latest
      7dcd6234
    • Dave Airlie's avatar
      drm: fix race condition in radeon driver · 4b5d2381
      Dave Airlie authored
      Close a race which could allow for privilege escalation by users with DRI
      privileges on Radeon hardware.  Essentially, a malicious program could submit
      a packet containing an offset (possibly in main memory) to be rendered from/to,
      while a separate thread switched that offset in userspace rapidly between a
      valid value and an invalid one.  radeon_check_and_fixup_offset() would pull the
      offset in from user space, check it, and spit it back out to user space to be
      copied in later by the emit code.  It would sometimes catch the bad value, but
      sometimes the malicious program could modify it after the check and get an
      invalid offset rendered from/to.
      
      Fix this by allocating a temporary buffer and copying the data in at once.
      While here, make the cliprects stuff not do the VERIFYAREA_READ and
      COPY_FROM_USER_UNCHECKED gymnastics, avoiding a lock order reversal on FreeBSD.
      Performance impact is negligible  -- no difference on r200 to ~1% improvement on
      rv200 in quake3 tests (P4 1Ghz, demofour at 1024x768, n=4 or 5)
      
      From: Eric Anholt <anholt@freebsd.org>
      Signed-off-by: default avatarDave Airlie <airlied@linux.ie>
      4b5d2381
    • Dave Airlie's avatar
      Invalid bound check of driver defined ioctls in drm_ioctl · 149d5cef
      Dave Airlie authored
      Bug fd.o 2489
      Reporter: Aapo Tahkola <aet@rasterburn.org>
      Signed-off-by: default avatarDave Airlie <airlied@linux.ie>
      149d5cef
  2. 07 Feb, 2005 17 commits
  3. 06 Feb, 2005 20 commits