- 20 Jan, 2010 14 commits
-
-
Jerome Glisse authored
This patch workaround a possible security issue which can allow user to abuse drm on r6xx/r7xx hw to access any system ram memory. This patch doesn't break userspace, it detect "valid" old use of CB_COLOR[0-7]_FRAG & CB_COLOR[0-7]_TILE registers and overwritte the address these registers are pointing to with the one of the last color buffer. This workaround will work for old mesa & xf86-video-ati and any old user which did use similar register programming pattern as those (we expect that there is no others user of those ioctl except possibly a malicious one). This patch add a warning if it detects such usage, warning encourage people to update their mesa & xf86-video-ati. New userspace will submit proper relocation. Fix for xf86-video-ati / mesa (this kernel patch is enough to prevent abuse, fix for userspace are to set proper cs stream and avoid kernel warning) : http://cgit.freedesktop.org/xorg/driver/xf86-video-ati/commit/?id=95d63e408cc88b6934bec84a0b1ef94dfe8bee7b http://cgit.freedesktop.org/mesa/mesa/commit/?id=46dc6fd3ed5ef96cda53641a97bc68c3bc104a9f Abusing this register to perform system ram memory is not easy, here is outline on how it could be achieve. First attacker must have access to the drm device and be able to submit command stream throught cs ioctl. Then attacker must build a proper command stream for r6xx/r7xx hw which will abuse the FRAG or TILE buffer to overwrite the GPU GART which is in VRAM. To achieve so attacker as to setup CB_COLOR[0-7]_FRAG or CB_COLOR[0-7]_TILE to point to the GPU GART, then it has to find a way to write predictable value into those buffer (with little cleverness i believe this can be done but this is an hard task). Once attacker have such program it can overwritte GPU GART to program GPU gart to point anywhere in system memory. It then can reusse same method as he used to reprogram GART to overwritte the system ram through the GART mapping. In the process the attacker has to be carefull to not overwritte any sensitive area of the GART table, like ring or IB gart entry as it will more then likely lead to GPU lockup. Bottom line is that i think it's very hard to use this flaw to get system ram access but in theory one can achieve so. Side note: I am not aware of anyone ever using the GPU as an attack vector, nevertheless we take great care in the opensource driver to try to detect and forbid malicious use of GPU. I don't think the closed source driver are as cautious as we are. Signed-off-by: Jerome Glisse <jglisse@redhat.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
-
Jerome Glisse authored
If ib initialization failed don't try to test ib as it will result in an oops (accessing NULL ib buffer ptr). Signed-off-by: Jerome Glisse <jglisse@redhat.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
-
Jerome Glisse authored
This will avoid oops if at later point the fb is use. Trying to create a framebuffer with no valid GEM object is bogus and should be forbidden as this patch does. Signed-off-by: Jerome Glisse <jglisse@redhat.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
-
Jerome Glisse authored
In some rare case i faced an irq overflow quickly followed by a GPU lockup (hard hang) this patch try to deal with irq vector ring overflow, so far haven't been able to reproduce it with the patch. Signed-off-by: Jerome Glisse <jglisse@redhat.com> Reviewed-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
-
Jerome Glisse authored
In some rare case the wptr returned from the hw wasn't 0 and leaded to trick r600_process_irq that their were irq to process. Add a check to bail out if irq hasn't been initialized this will avoid oops provoqued by the rare wptr != 0 on initialization. Signed-off-by: Jerome Glisse <jglisse@redhat.com> Reviewed-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
-
Jerome Glisse authored
To avoid hw doing anythings after we disabled PCIE GART, fully disable IRQ at suspend. Also cleanup a bit the ih structure and process function. Signed-off-by: Jerome Glisse <jglisse@redhat.com> Reviewed-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
-
Alex Deucher authored
most of radeon_legacy_atom_set_surface() is taken care of in atombios_set_base(), so remove the duplicate setup and move the remaining bits (DISP_MERGE setup and FP2 sync) to atombios_crtc.c where they are used. Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
-
Alex Deucher authored
Make it call the proper backend depending on the GPU family. Right now r4xx cards with atombios modesetting enabled were using the avivo crtc base code. This also allows us to add support for new asics more easily. Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
-
Alex Deucher authored
Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
-
Alex Deucher authored
- add support for inline src params - fix shift_left/shift_right and shl/shr ops shift_* ops use inline src params, shl/r use full params - fix mask op (uses inline params) Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
-
Alex Deucher authored
newer asics have large mmio apertures Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
-
Alex Deucher authored
The first dword of PACKET3_3D_DRAW_IMMD maps to SE_VTX_FMT so the vertex size is part of the draw packet. This patch fixes a possible case where you have a command buffer that does not contain SE_VTX_FMT register write, but does contain PACKET3_3D_DRAW_IMMD. Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
-
Andrew Randrianasulu authored
Add missing vertex shader regs for r200. fixed fdo bug 26061 agd5f: use official reg names Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
-
Andrew Randrianasulu authored
The checks for CUBE and 3D textures were inverted. fixes fdo bug 24159 agd5f: added comments for clarity. Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
-
- 14 Jan, 2010 5 commits
-
-
Jerome Glisse authored
Use same common function to disable agp so we replace the GART callback by the proper one when we do so. This fix oops if radeon_agp_init report failure. This patch also move radeon_agp_init out of *_mc_init for r600 & rv770 so that we can have a similar behavior than for previous hw, ie if agp_init fails it will fallback to GPU GART and disable AGP. Signed-off-by: Jerome Glisse <jglisse@redhat.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-
Jerome Glisse authored
radeon KMS need a GART of at least 32M to properly work. This patch check the AGP aperture size and disable if it's less than 32M. Note than unlike non KMS path we don't staticaly allocate AGP memory so we are not wasting memory not used by graphic processing. Signed-off-by: Jerome Glisse <jglisse@redhat.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-
Jerome Glisse authored
r600 blit cleanup path need to check if a bo was allocated before trying to free or unpin it. This patch add this check and avoid oops when the initialization on r6xx or r7xx hw fails. Signed-off-by: Jerome Glisse <jglisse@redhat.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-
Jerome Glisse authored
It's not necessary to unpin buffer in fb destruction. pin/unpin need to be balanced and we don't pin in fb creation. We pin when an fb is associated to a crtc and unpin when the fb is disassociated from the crtc. Note: Maybe we should take reference on fb in set_base callback so fb doesn't disappear until it's unbind from ctrc. Signed-off-by: Jerome Glisse <jglisse@redhat.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-
Dave Airlie authored
It appears that attempting AUXCH DDC breaks the subsequent attempt to do DDC over the i2c lines, so use the sink type to determine if we should be doing AUXCH or i2c DDC. This fixes my DVI monitor plugged into DP->DVI convertor. Signed-off-by: Dave Airlie <airlied@redhat.com>
-
- 13 Jan, 2010 5 commits
-
-
Dave Airlie authored
Testing GTT ready might be more correct but cp.ready works fine and has been tested on irc by 2-3 ppl. fixes bug k.org 15035 and fd.o 25733 Signed-off-by: Dave Airlie <airlied@redhat.com>
-
Michel Dänzer authored
Signed-off-by: Michel Dänzer <daenzer@vmware.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-
Alex Deucher authored
Due to heat issues. Fixes fdo bug 25992 v2: fix typo noticed by Maarten Maathuis Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-
Alex Deucher authored
Unhandled vectors can be safely ignored, no need to spam the kernel log by default. Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-
Alex Deucher authored
Based on radeonfb code and recent ddx fix. v2: minor formatting fix from Michel Dänzer Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Reviewed-by: Michel Dänzer <michel@daenzer.net> Tested-by: Michel Dänzer <michel@daenzer.net> Signed-off-by: Dave Airlie <airlied@redhat.com>
-
- 11 Jan, 2010 1 commit
-
-
Alex Deucher authored
- r4xx/rs6xx: add support for extended pixel shader instruction/temp regs - r5xx: add SM3 regs Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-
- 08 Jan, 2010 13 commits
-
-
Jerome Glisse authored
If for any reason we haven't installed handler we shouldn't try to enable IRQ/MSI on the hw so we don't get unhandled IRQ/MSI which makes the kernel sad. Signed-off-by: Jerome Glisse <jglisse@redhat.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-
Jerome Glisse authored
In some case vblank might not be initialized and we shouldn't try to use associated function. This patch make sure this is the case. It also export drm_vblank_cleanup so driver can cleanup vblank if for any reason IRQ/MSI is not working. Signed-off-by: Jerome Glisse <jglisse@redhat.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-
Alexander Beregalov authored
Signed-off-by: Alexander Beregalov <a.beregalov@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-
Jerome Glisse authored
In some case we weren't releasing the AGP device at module unloading. This leaded to unfunctional AGP at next module load. This patch make sure we release the AGP bus if we acquire it. Signed-off-by: Jerome Glisse <jglisse@redhat.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-
Jerome Glisse authored
R300 family will hard lockup if host path read cache flush is done through MMIO to HOST_PATH_CNTL. But scheduling same flush through ring seems harmless. This patch remove the hdp_flush callback and add a flush after each fence emission which means a flush after each IB schedule. Thus we should have same behavior without the hard lockup. Tested on R100,R200,R300,R400,R500,R600,R700 family. V2: Adjust fence counts in r600_blit_prepare_copy() Signed-off-by: Jerome Glisse <jglisse@redhat.com> Reviewed-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-
Corbin Simpson authored
Long story short, this fixes sporadic hardlocks with my rv410 during times of intense 2D acceleration (Flash on Fx3). V2: Fix indentation and move errata_fini to suspend function so we don't leak scratch register over suspend/resume cycle. V3: Move scratch_reg to asic specific structure (aim is to slowly move stuff to asic specific structure and avoid poluting radeon_device struct with asic specific variables) Signed-off-by: Corbin Simpson <MostAwesomeDude@gmail.com> Signed-off-by: Jerome Glisse <jglisse@redhat.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-
Alex Deucher authored
This detects if the sideport memory is enabled and if it is VRAM is evicted on suspend/resume. This should fix s/r issues on some IGPs. Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-
Darren Jenkins authored
There are a couple of array overruns, and some associated confusion in the code. This is just a wild guess at what the code should actually look like. Coverity CID: 13305 13306 agd5f: fix up the original intent of the timing code Signed-off-by: Darren Jenkins <darrenrjenkins@gmail.com> Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-
Alex Deucher authored
This is displayport used for internal connections such as laptop panels and systems with integrated monitors. Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-
Alex Deucher authored
Add a new connector type for eDP (embedded displayport) eDP is more or less the same as DP but there are some cases when you might want to handle it separately. Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-
Alex Deucher authored
Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-
Alex Deucher authored
Makes it easier to keep in sync with ddx and the upstream AMD versions. Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-
Alex Deucher authored
Also remove the problematic enums that were unused remnants from the ddx. Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-
- 07 Jan, 2010 2 commits
-
-
Luca Tettamanti authored
The mask happens to be the same, but the IH is reading the status, not the not the control register. Signed-off-by: Luca Tettamanti <kronos.it@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-
Darren Jenkins authored
If a NULL value is possible, the dereference should only occur after the NULL test. Coverity CID: 13338 Signed-off-by: Darren Jenkins <darrenrjenkins@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
-