1. 17 Aug, 2010 2 commits
    • Dave Airlie's avatar
      drm: block userspace under allocating buffer and having drivers overwrite it (v2) · 1b2f1489
      Dave Airlie authored
      With the current screwed but its ABI, ioctls for the drm, Linus pointed out that we could allow userspace to specify the allocation size, but we pass it to the driver which then uses it blindly to store a struct. Now if userspace specifies the allocation size as smaller than the driver needs, the driver can possibly overwrite memory.
      
      This patch restructures the driver ioctls so we store the structure size we are expecting, and make sure we allocate at least that size. The copy from/to userspace are still restricted to the size the user specifies, this allows ioctl structs to grow on both sides of the equation.
      
      Up until now we didn't really use the DRM_IOCTL defines in the kernel, so this cleans them up and adds them for nouveau.
      
      v2:
      fix nouveau pushbuf arg (thanks to Ben for pointing it out)
      Reported-by: default avatarLinus Torvalds <torvalds@linuxfoundation.org>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      1b2f1489
    • Dave Airlie's avatar
      drm: stop information leak of old kernel stack. · b9f0aee8
      Dave Airlie authored
      non-critical issue, CVE-2010-2803
      
      Userspace controls the amount of memory to be allocate, so it can
      get the ioctl to allocate more memory than the kernel uses, and get
      access to kernel stack. This can only be done for processes authenticated
      to the X server for DRI access, and if the user has DRI access.
      
      Fix is to just memset the data to 0 if the user doesn't copy into
      it in the first place.
      Reported-by: default avatarKees Cook <kees@ubuntu.com>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      b9f0aee8
  2. 12 Aug, 2010 2 commits
  3. 11 Aug, 2010 7 commits
    • Benjamin Herrenschmidt's avatar
      drm/radeon: Add probing of clocks from device-tree · 7b044f40
      Benjamin Herrenschmidt authored
      When we find no ROM we understand and a device-tree is present, see
      if we can retreive clock info from there.
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      7b044f40
    • Dave Airlie's avatar
      drm/radeon: drop old and broken mesa warning · b494d5d4
      Dave Airlie authored
      This never really got fixed in mesa, and the kernel deals with the problem
      just fine, so don't got reporting things that confuse people.
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      b494d5d4
    • Benjamin Herrenschmidt's avatar
      drm/radeon: Fix pci_map_page() error checking · a30f6fb7
      Benjamin Herrenschmidt authored
      0 is a valid DMA address from pci_map_page(), use pci_dma_mapping_error()
      instead to check for errors
      
      [airlied: fix warning + two other places with errors.]
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      a30f6fb7
    • Chris Wilson's avatar
      drm: Remove count_lock for calling lastclose() after 58474713 (v2) · 1a72d65d
      Chris Wilson authored
      When removing of the BKL the locking around lastclose() was rearranged
      and resulted in the holding of the open_count spinlock over the call
      into drm_lastclose(). The drivers were not ready for this path to be
      atomic - it may indeed involve long waits to release old objects and
      cleanup the GPU - and so we ended up scheduling whilst atomic.
      
      [   54.625598] BUG: scheduling while atomic: X/3546/0x00000002
      [   54.625600] Modules linked in: sco bridge stp llc input_polldev rfcomm bnep l2cap crc16 sch_sfq ipv6 md_mod acpi_cpufreq mperf cryptd aes_x86_64 aes_generic xts gf128mul dm_crypt dm_mod btusb bluetooth usbhid hid zaurus cdc_ether usbnet mii cdc_wdm cdc_acm uvcvideo videodev v4l1_compat v4l2_compat_ioctl32 snd_hda_codec_conexant arc4 pcmcia ecb snd_hda_intel joydev sdhci_pci sdhci snd_hda_codec tpm_tis firewire_ohci mmc_core e1000e uhci_hcd thinkpad_acpi nvram yenta_socket pcmcia_rsrc pcmcia_core tpm wmi sr_mod firewire_core iwlagn ehci_hcd snd_hwdep snd_pcm usbcore tpm_bios thermal led_class snd_timer iwlcore snd soundcore ac snd_page_alloc pcspkr psmouse serio_raw battery sg mac80211 evdev cfg80211 i2c_i801 iTCO_wdt iTCO_vendor_support cdrom processor crc_itu_t rfkill xfs exportfs sd_mod crc_t10dif ahci libahci libata scsi_mod [last unloaded: scsi_wait_scan]
      [   54.625663] Pid: 3546, comm: X Not tainted 2.6.35-04771-g17879857 #301
      [   54.625665] Call Trace:
      [   54.625671]  [<ffffffff8102d599>] __schedule_bug+0x57/0x5c
      [   54.625675]  [<ffffffff81384141>] schedule+0xe5/0x832
      [   54.625679]  [<ffffffff81163e77>] ? put_dec+0x20/0x3c
      [   54.625682]  [<ffffffff81384dd4>] schedule_timeout+0x275/0x29f
      [   54.625686]  [<ffffffff810455e1>] ? process_timeout+0x0/0xb
      [   54.625688]  [<ffffffff81384e17>] schedule_timeout_uninterruptible+0x19/0x1b
      [   54.625691]  [<ffffffff81045893>] msleep+0x16/0x1d
      [   54.625695]  [<ffffffff812a2e53>] i9xx_crtc_dpms+0x273/0x2ae
      [   54.625698]  [<ffffffff812a18be>] intel_crtc_dpms+0x28/0xe7
      [   54.625702]  [<ffffffff811ec0fa>] drm_helper_disable_unused_functions+0xf0/0x118
      [   54.625705]  [<ffffffff811ecde3>] drm_crtc_helper_set_config+0x644/0x7c8
      [   54.625708]  [<ffffffff811f12dd>] ? drm_copy_field+0x40/0x50
      [   54.625711]  [<ffffffff811ebca2>] drm_fb_helper_force_kernel_mode+0x3e/0x85
      [   54.625713]  [<ffffffff811ebcf2>] drm_fb_helper_restore+0x9/0x24
      [   54.625717]  [<ffffffff81290a41>] i915_driver_lastclose+0x2b/0x5c
      [   54.625720]  [<ffffffff811f14a7>] drm_lastclose+0x44/0x2ad
      [   54.625722]  [<ffffffff811f1ed2>] drm_release+0x5c6/0x609
      [   54.625726]  [<ffffffff810d1275>] fput+0x109/0x1c7
      [   54.625728]  [<ffffffff810ce5e4>] filp_close+0x61/0x6b
      [   54.625731]  [<ffffffff810ce680>] sys_close+0x92/0xd4
      [   54.625734]  [<ffffffff81002a2b>] system_call_fastpath+0x16/0x1b
      
      v2: The spinlock is actually superfluous as access to open_count is
      entirely serialised by drm_global_mutex and so can be dropped. The
      count_lock spinlock instead appears to be used to protect access to
      dev->buf_alloc and dev->buf_use.
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      1a72d65d
    • Marek Olšák's avatar
      drm/radeon/kms: allow FG_ALPHA_VALUE on r5xx · 6ffe28f5
      Marek Olšák authored
      This is a CS checker fix. I need this for FP16 alpha-test.
      Signed-off-by: default avatarMarek Olšák <maraeo@gmail.com>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      6ffe28f5
    • Alex Deucher's avatar
      drm/radeon/kms: another r6xx/r7xx CS checker fix · 618145ea
      Alex Deucher authored
      add default case for buffer formats
      Signed-off-by: default avatarAlex Deucher <alexdeucher@gmail.com>
      Cc: Andre Maasikas <amaasikas@gmail.com>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      618145ea
    • Davidlohr Bueso's avatar
      DRM: Replace kmalloc/memset combos with kzalloc · 94e3370e
      Davidlohr Bueso authored
      Currently most, if not all, memory allocation in drm_bufs.c is followed by initializing the memory with 0.
      
      Replace the use of kmalloc+memset with kzalloc.
      Signed-off-by: default avatarDavidlohr Bueso <dave@gnu.org>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      94e3370e
  4. 10 Aug, 2010 16 commits
  5. 09 Aug, 2010 10 commits
  6. 05 Aug, 2010 3 commits