- 25 Jan, 2010 7 commits
-
-
Dave Airlie authored
* korg/drm-radeon-next: drm/radeon/kms: fix legacy get_engine/memory clock drm/radeon/kms/atom: atom parser fixes drm/radeon/kms: clean up atombios pll code drm/radeon/kms: clean up pll struct drm/radeon/kms/atom: fix crtc lock ordering drm/radeon: r6xx/r7xx possible security issue, system ram access drm/radeon/kms: r600/r700 don't test ib if ib initialization fails drm/radeon/kms: Forbid creation of framebuffer with no valid GEM object drm/radeon/kms: r600 handle irq vector ring overflow drm/radeon/kms: r600/r700 don't process IRQ if not initialized drm/radeon/kms: r600/r700 disable irq at suspend drm/radeon/kms/r4xx: cleanup atom path drm/radeon/kms: fix atombios_crtc_set_base drm/radeon/kms/atom: upstream parser updates drm/radeon/kms/atom: fix some parser bugs drm/radeon/kms: fix hardcoded mmio size in register functions drm/radeon/kms/r100: fix bug in CS parser drm/radeon/kms/r200: fix bug in CS parser drm/radeon/kms/r200: fix bug in CS parser
-
Dave Airlie authored
* 'nouveau/for-airlied' of ../drm-nouveau-next: drm/nv50: prevent switching off SOR when in use for DVI-over-DP drm/nv50: fail auxch transaction if reply count not what we expect drm/nouveau: fix failure path if userspace specifies no valid memtypes drm/nouveau: report LVDS as disconnected if lid closed drm/nv50: prevent accidently turning off encoders we're actually using drm/nv50: fix alignment of per-channel fifo cache drm/nouveau: Evict buffers in VRAM before freeing sgdma drm/nouveau: Acknowledge DMA_VTX_PROTECTION PGRAPH interrupts drm/nouveau: fix thinko in nv04_instmem.c drm/nouveau: fix a race condition in nouveau_dma_wait()
-
Luca Barbieri authored
Resending this with Thomas Hellstrom's signoff for merging into 2.6.33 ttm_bo_delayed_delete has a race condition, because after we do: kref_put(&nentry->list_kref, ttm_bo_release_list); we are not holding the list lock and not holding any reference to objects, and thus every bo in the list can be removed and freed at this point. However, we then use the next pointer we stored, which is not guaranteed to be valid. This was apparently the cause of some Nouveau oopses I experienced. This patch rewrites the function so that it keeps the reference to nentry until nentry itself is freed and we already got a reference to nentry->next. v2 updated by me according to Thomas Hellstrom's feedback. v3 proposed by Thomas Hellstrom. Commit comment updated by me. Both updates fixed minor efficiency/style issues only and all three versions should be correct. Signed-off-by:
Luca Barbieri <luca@luca-barbieri.com> Signed-off-by:
Thomas Hellstrom <thellstrom@vmware.com> Signed-off-by:
Dave Airlie <airlied@redhat.com>
-
Ben Skeggs authored
Another hack because of us exposing each encoder block's function as an encoder rather than exposing a single encoder that deals with them all. A proper fix will come, it's just rather invasive so this hack will do until then. Signed-off-by:Ben Skeggs <bskeggs@redhat.com>
-
Ben Skeggs authored
Signed-off-by: -
Ben Skeggs authored
We need to add the buffer to the list even if we fail, otherwise the validate_fini() call won't unreserve + unreference the GEM object, making TTM very unhappy. Signed-off-by: -
Ben Skeggs authored
Also adds a module option to ignore the status reported via ACPI, in case we hit systems with broken ACPI. Signed-off-by:
-
- 24 Jan, 2010 5 commits
-
-
Alex Deucher authored
Fix a bad shift in the post div. Should fix fdo bug 26145 Signed-off-by:
Alex Deucher <alexdeucher@gmail.com> Signed-off-by:
-
Alex Deucher authored
Only reset the reg block on the initial execute table call; nested calls require the reg block not be reset on each call. Also reset the fb window and io mode. This matches the upstream parser behavior. Signed-off-by:
-
Alex Deucher authored
- split pll adjust into a separate function - use a union for SetPixelClock params Signed-off-by:
-
Alex Deucher authored
- add a new flag for fixed post div - pull the pll flags into the struct Signed-off-by:
-
Alex Deucher authored
This makes crtc_prepare and crtc_commit match. Signed-off-by:
-
- 20 Jan, 2010 14 commits
-
-
Jerome Glisse authored
This patch workaround a possible security issue which can allow user to abuse drm on r6xx/r7xx hw to access any system ram memory. This patch doesn't break userspace, it detect "valid" old use of CB_COLOR[0-7]_FRAG & CB_COLOR[0-7]_TILE registers and overwritte the address these registers are pointing to with the one of the last color buffer. This workaround will work for old mesa & xf86-video-ati and any old user which did use similar register programming pattern as those (we expect that there is no others user of those ioctl except possibly a malicious one). This patch add a warning if it detects such usage, warning encourage people to update their mesa & xf86-video-ati. New userspace will submit proper relocation. Fix for xf86-video-ati / mesa (this kernel patch is enough to prevent abuse, fix for userspace are to set proper cs stream and avoid kernel warning) : http://cgit.freedesktop.org/xorg/driver/xf86-video-ati/commit/?id=95d63e408cc88b6934bec84a0b1ef94dfe8bee7b http://cgit.freedesktop.org/mesa/mesa/commit/?id=46dc6fd3ed5ef96cda53641a97bc68c3bc104a9f Abusing this register to perform system ram memory is not easy, here is outline on how it could be achieve. First attacker must have access to the drm device and be able to submit command stream throught cs ioctl. Then attacker must build a proper command stream for r6xx/r7xx hw which will abuse the FRAG or TILE buffer to overwrite the GPU GART which is in VRAM. To achieve so attacker as to setup CB_COLOR[0-7]_FRAG or CB_COLOR[0-7]_TILE to point to the GPU GART, then it has to find a way to write predictable value into those buffer (with little cleverness i believe this can be done but this is an hard task). Once attacker have such program it can overwritte GPU GART to program GPU gart to point anywhere in system memory. It then can reusse same method as he used to reprogram GART to overwritte the system ram through the GART mapping. In the process the attacker has to be carefull to not overwritte any sensitive area of the GART table, like ring or IB gart entry as it will more then likely lead to GPU lockup. Bottom line is that i think it's very hard to use this flaw to get system ram access but in theory one can achieve so. Side note: I am not aware of anyone ever using the GPU as an attack vector, nevertheless we take great care in the opensource driver to try to detect and forbid malicious use of GPU. I don't think the closed source driver are as cautious as we are. Signed-off-by:
Jerome Glisse <jglisse@redhat.com> Signed-off-by:
Dave Airlie <airlied@linux.ie>
-
Jerome Glisse authored
If ib initialization failed don't try to test ib as it will result in an oops (accessing NULL ib buffer ptr). Signed-off-by:
-
Jerome Glisse authored
This will avoid oops if at later point the fb is use. Trying to create a framebuffer with no valid GEM object is bogus and should be forbidden as this patch does. Signed-off-by:
-
Jerome Glisse authored
In some rare case i faced an irq overflow quickly followed by a GPU lockup (hard hang) this patch try to deal with irq vector ring overflow, so far haven't been able to reproduce it with the patch. Signed-off-by:
-
Jerome Glisse authored
In some rare case the wptr returned from the hw wasn't 0 and leaded to trick r600_process_irq that their were irq to process. Add a check to bail out if irq hasn't been initialized this will avoid oops provoqued by the rare wptr != 0 on initialization. Signed-off-by:
-
Jerome Glisse authored
To avoid hw doing anythings after we disabled PCIE GART, fully disable IRQ at suspend. Also cleanup a bit the ih structure and process function. Signed-off-by:
-
Alex Deucher authored
most of radeon_legacy_atom_set_surface() is taken care of in atombios_set_base(), so remove the duplicate setup and move the remaining bits (DISP_MERGE setup and FP2 sync) to atombios_crtc.c where they are used. Signed-off-by:
-
Alex Deucher authored
Make it call the proper backend depending on the GPU family. Right now r4xx cards with atombios modesetting enabled were using the avivo crtc base code. This also allows us to add support for new asics more easily. Signed-off-by:
-
Alex Deucher authored
Signed-off-by:
-
Alex Deucher authored
- add support for inline src params - fix shift_left/shift_right and shl/shr ops shift_* ops use inline src params, shl/r use full params - fix mask op (uses inline params) Signed-off-by:
-
Alex Deucher authored
newer asics have large mmio apertures Signed-off-by:
-
Alex Deucher authored
The first dword of PACKET3_3D_DRAW_IMMD maps to SE_VTX_FMT so the vertex size is part of the draw packet. This patch fixes a possible case where you have a command buffer that does not contain SE_VTX_FMT register write, but does contain PACKET3_3D_DRAW_IMMD. Signed-off-by:
-
Andrew Randrianasulu authored
Add missing vertex shader regs for r200. fixed fdo bug 26061 agd5f: use official reg names Signed-off-by:
-
Andrew Randrianasulu authored
The checks for CUBE and 3D textures were inverted. fixes fdo bug 24159 agd5f: added comments for clarity. Signed-off-by:
-
- 17 Jan, 2010 6 commits
-
-
Ben Skeggs authored
On most cards the DisplayPort connector is created with 2 encoders sharing a single SOR (for native DP, and for DVI-over-DP). The previous logic for turning off unused encoders didn't take into account that we could have multiple drm_encoders on a single hw encoder and ended up turning off encoders that were actually being used still. This patch fixes that issue. We probably want to look at something a bit better later on, and only expose one drm_encoder per hw encoder block. Signed-off-by: -
Ben Skeggs authored
GPU pointer to the structure is shifted right by 10 bits, so we need to align to 1024 bytes, not 256. Reported-by:
Maarten Maathuis <madman2003@gmail.com> Signed-off-by:
-
Luca Barbieri authored
Currently, we take down the sgdma engine without evicting all buffers from VRAM. The TTM device release will try to evict anything in VRAM to GART memory, but this will fail since sgdma has already been taken down. This causes an infinite loop in kernel mode on module unload. It usually doesn't happen because there aren't any buffer on close. However, if the GPU is locked up, this condition is easily triggered. This patch fixes it in the simplest way possible by cleaning VRAM right before cleaning SGDMA memory. Signed-off-by:
Francisco Jerez <currojerez@riseup.net> Signed-off-by:
-
Luca Barbieri authored
Currently Nouveau is unable to dismiss DMA_VTX_PROTECTION errors, which results in an infinite loop in the interrupt handler. These errors are caused both by bugs in the Gallium driver and by user-specified index buffers with out of bounds indices. By mmio-tracing the nVidia drivers, I found out how this is done. On DMA_VTX_PROTECTION, The nVidia driver reads the register 0x402000, always getting the value 4, and then writes 4 back to 0x402000. This patch adds that logic by reading 0x402000 and writing the same value back. It's unclear what should happen if the value read is not 4, and the current approach might not be the correct one. To test this, modify mesa/progs/trivial/vbo-drawrange.c, defining ELTOBJ to 1 and replacing indices with huge out of bounds integers. Without this patch, the GPU and/or kernel should lock up. With this patch, it should misrender as expected but not lock up. The errors are still logged since they are useful for development. This has been tested on NV49 and may not work on other cards. To find out how things work on other cards, run the aforementioned test using the blob with mmiotrace and grep for a read of the PGRAPH source register. Signed-off-by:
-
Ben Skeggs authored
Signed-off-by: -
Ben Skeggs authored
Can be triggered easily on certain cards (NV46 and NV50 of mine) by running "dmesg", the DRM's channel will lockup. Signed-off-by:
-
- 15 Jan, 2010 3 commits
-
-
Dave Airlie authored
* korg/drm-radeon-testing: drm/radeon/kms: Use radeon_agp_disable when disabling AGP drm/radeon/kms: Disable AGP is aperture size < 32M drm/radeon/kms: Fix r600 blit cleanup path drm/radeon/kms: Do not unpin buffer in fb destruction drm/radeon/kms: fix displayport->dvi connector DDC.
-
Jerome Glisse authored
X is accepting such video mode, do the same. Pointed out by Joshua Roys on IRC. Fix https://bugzilla.redhat.com/show_bug.cgi?id=540024 [fix printf to use composite not integrated :- airlied] Signed-off-by:
-
Dave Airlie authored
* 'nouveau/for-airlied' of ../drm-nouveau-next: (44 commits) drm/nouveau: check pushbuffer bounds in ioctl drm/nouveau: reserve VGA area for the moment drm/nouveau: Unset the EDID connector property when the EDID block goes away. drm/nouveau: Fallback to analog load detection when the EDID block is invalid. drm/nouveau: fix edid memleak in nouveau_connector drm/nouveau: Break some long lines. drm/nouveau: add NV18 device id to call_lvds_manufacturer_script drm/nv50: Fix typo in PGRAPH initialisation. drm/nouveau: less magic DCB 1.5 parsing drm/nouveau: assume no nv04 board has a DCB table drm/nouveau: remove PRIV0 check in nouveau_mem_close() drm/nouveau: wait on fence after bo move if validating for another channel drm/nouveau: trust init table registers are safe drm/nv50: wait for pgraph to idle before unloading the context
-
- 14 Jan, 2010 5 commits
-
-
Luca Barbieri authored
Currently there is no check that the pushbuffer request bounds are inside the TTM BO. This allows to instruct the kernel to do relocations on user-selected addresses, since the relocation bounds checking relies on the request bounds. This can oops the kernel accidentally and is easily exploitable. This patch adds bound checking and alignment checking for ->offset and ->nr_dwords. It also makes some variables unsigned, which should have no effect, but prevents possible bounds checking problems. Signed-off-by:
-
Ben Skeggs authored
This is to prevent things such as GART tables and other important GPU structures being allocated there before we take over fbcon ourselves. This is more of a workaround for the moment, a better solution will require some more invasive changes, but it'll be done at some point. Signed-off-by: -
Francisco Jerez authored
Signed-off-by:
-
Francisco Jerez authored
Signed-off-by:
-
Xavier Chantry authored
This was spotted by kmemleak. Signed-off-by:
Xavier Chantry <shiningxc@gmail.com> Signed-off-by:
-
