Linux kernel source tree https://git.amat.us/linux/atom/drivers/gpu/drm?h=v2.6.27.55 2010-08-26T23:40:13Z 2010-08-26T23:40:13Z Dave Airlie airlied@redhat.com 2010-08-17T04:46:00Z urn:sha1:2afa902362e67ff39a9d0f5d3523ded05a1b7c70 commit b9f0aee83335db1f3915f4e42a5e21b351740afd upstream. non-critical issue, CVE-2010-2803 Userspace controls the amount of memory to be allocate, so it can get the ioctl to allocate more memory than the kernel uses, and get access to kernel stack. This can only be done for processes authenticated to the X server for DRI access, and if the user has DRI access. Fix is to just memset the data to 0 if the user doesn't copy into it in the first place. Reported-by: Kees Cook <kees@ubuntu.com> Signed-off-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2010-04-01T22:52:24Z Ben Hutchings ben@decadent.org.uk 2009-08-23T15:59:04Z urn:sha1:3807f5c31534736f3c23630b11bd4a259eaa46fd commit 7dc482dfeeeefcfd000d4271c4626937406756d7 upstream. Almost all r128's private ioctls require that the CCE state has already been initialised. However, most do not test that this has been done, and will proceed to dereference a null pointer. This may result in a security vulnerability, since some ioctls are unprivileged. This adds a macro for the common initialisation test and changes all ioctl implementations that require prior initialisation to use that macro. Also, r128_do_init_cce() does not test that the CCE state has not been initialised already. Repeated initialisation may lead to a crash or resource leak. This adds that test. Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2009-05-08T21:54:33Z Zhenyu Wang zhenyu.z.wang@intel.com 2008-11-17T05:58:11Z urn:sha1:1beaf51ea30d9bc4c8b40391b230da59500835c2 commit 72021788678523047161e97b3dfed695e802a5fd upstream. This had been delayed for some time due to failure to work on the one piece of G41 hardware we had, and lack of success reports from anybody else. Current hardware appears to be OK. Signed-off-by: Zhenyu Wang <zhenyu.z.wang@intel.com> [anholt: hand-applied due to conflicts with IGD patches] Signed-off-by: Eric Anholt <eric@anholt.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2008-10-22T21:21:29Z Matthias Hopf mhopf@suse.de 2008-10-17T21:18:05Z urn:sha1:f8d61d1be61999a76cb207125d3bfb1885cd40eb commit 4b40893918203ee1a1f6a114316c2a19c072e9bd upstream Olaf Kirch noticed that the i915_set_status_page() function of the i915 kernel driver calls ioremap with an address offset that is supplied by userspace via ioctl. The function zeroes the mapped memory via memset and tells the hardware about the address. Turns out that access to that ioctl is not restricted to root so users could probably exploit that to do nasty things. We haven't tried to write actual exploit code though. It only affects the Intel G33 series and newer. Signed-off-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2008-08-31T22:51:52Z Dave Airlie airlied@redhat.com 2008-08-31T22:51:52Z urn:sha1:6c7be29810dd85b4fe75588ec536446c1579d492 If this triggers its bad, however some machines seem to have been triggering it for ages and we didn't know until we added the debug. So downgrade the debug now so people don't call this a regression. Signed-off-by: Dave Airlie <airlied@redhat.com> 2008-08-27T21:28:45Z Linus Torvalds torvalds@linux-foundation.org 2008-08-27T21:28:45Z urn:sha1:2caf959966d540c9a2358c6b74f67aa86248e34b * 'drm-patches' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6: drm: don't set the signal blocker on the master process. drm: don't call the vblank tasklet with irqs disabled. r300: Fix cliprect emit drm/radeon: r300_cmdbuf: Always emit INDX_BUFFER immediately after DRAW_INDEX radeon: fix some hard lockups on r3/4/500s 2008-08-24T20:35:33Z Dave Airlie airlied@linux.ie 2008-08-24T07:02:26Z urn:sha1:3e5fc80a404a24c858468030b63555cccfb3e79c There is a problem with debugging the X server and gdb crashes in the xkb startup code. This avoids the problem by allowing the master process to get signals. It should be safe as the signal blocker is mainly so that you can Ctrl-Z a 3D application without locking up the whole box. Ctrl-Z the X server isn't something many people do. Signed-off-by: Dave Airlie <airlied@redhat.com> 2008-08-24T20:35:21Z Thomas Hellstrom thomas-at-tungstengraphics-dot-com 2008-08-24T07:00:00Z urn:sha1:e5b4f19417b75a2d7c1e36934f60a3e836c4337e If a specific tasklet shares data with irq context, it needs to take a private irq-blocking spinlock within the tasklet itself. Signed-off-by: Dave Airlie <airlied@redhat.com> 2008-08-24T20:35:12Z Nicolai Haehnle nhaehnle@gmail.com 2008-08-12T23:50:12Z urn:sha1:649ffc06a62bf487b78440669bdfeb637f1d675b This makes our handling of cliprects sane. drm_clip_rect always has exclusiv bottom-right corners, but the hardware expects inclusive bottom-right corner so we adjust this here. This complements Michel Daenzer's commit 57aea290e1e0a26d1e74df6cff777eb9f03 to Mesa. See also http://bugs.freedesktop.org/show_bug.cgi?id=16123 Signed-off-by: Dave Airlie <airlied@redhat.com> 2008-08-24T20:35:05Z Nicolai Haehnle nhaehnle@gmail.com 2008-08-12T23:49:15Z urn:sha1:e2898c5fdd91f54c9c84fbf7d32edb8e4dfda574 DRAW_INDEX writes a vertex count to VAP_VF_CNTL. Docs say that behaviour is undefined (i.e. lockups happen) when this write is not followed by the right number of vertex indices. Thus we used to do the wrong thing when drawing across many cliprects was necessary, because we emitted a sequence DRAW_INDEX, DRAW_INDEX, INDX_BUFFER, INDX_BUFFER instead of DRAW_INDEX, INDX_BUFFER, DRAW_INDEX, INDX_BUFFER The latter is what we're doing now and which ought to be correct. Signed-off-by: Dave Airlie <airlied@redhat.com>