linux-toradex.git/drivers/char/agp/generic.c, branch v3.4.45 Linux kernel for Apalis and Colibri modules agp: Fix multi-line warning message whitespace 2012-01-06T09:32:02+00:00 Tormod Volden debian.tormod@gmail.com 2012-01-05T23:16:26+00:00 e11d0b87cde80745afe4712a19cd37bca9924a5b Signed-off-by: Tormod Volden <debian.tormod@gmail.com> Reviewed-by: Corbin Simpson <MostAwesomeDude@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com> 
Signed-off-by: Tormod Volden <debian.tormod@gmail.com>
Reviewed-by: Corbin Simpson <MostAwesomeDude@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
agp: fix arbitrary kernel memory writes 2011-04-21T02:16:55+00:00 Vasiliy Kulikov segoon@openwall.com 2011-04-14T16:55:16+00:00 194b3da873fd334ef183806db751473512af29ce pg_start is copied from userspace on AGPIOC_BIND and AGPIOC_UNBIND ioctl cmds of agp_ioctl() and passed to agpioc_bind_wrap(). As said in the comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND, and it is not checked at all in case of AGPIOC_UNBIND. As a result, user with sufficient privileges (usually "video" group) may generate either local DoS or privilege escalation. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: Dave Airlie <airlied@redhat.com> 
pg_start is copied from userspace on AGPIOC_BIND and AGPIOC_UNBIND ioctl
cmds of agp_ioctl() and passed to agpioc_bind_wrap().  As said in the
comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND,
and it is not checked at all in case of AGPIOC_UNBIND.  As a result, user
with sufficient privileges (usually "video" group) may generate either
local DoS or privilege escalation.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
agp: fix OOM and buffer overflow 2011-04-21T01:51:04+00:00 Vasiliy Kulikov segoon@openwall.com 2011-04-14T16:55:19+00:00 b522f02184b413955f3bc952e3776ce41edc6355 page_count is copied from userspace. agp_allocate_memory() tries to check whether this number is too big, but doesn't take into account the wrap case. Also agp_create_user_memory() doesn't check whether alloc_size is calculated from num_agp_pages variable without overflow. This may lead to allocation of too small buffer with following buffer overflow. Another problem in agp code is not addressed in the patch - kernel memory exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls). It is not checked whether requested pid is a pid of the caller (no check in agpioc_reserve_wrap()). Each allocation is limited to 16KB, though, there is no per-process limit. This might lead to OOM situation, which is not even solved in case of the caller death by OOM killer - the memory is allocated for another (faked) process. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: Dave Airlie <airlied@redhat.com> 
page_count is copied from userspace.  agp_allocate_memory() tries to
check whether this number is too big, but doesn't take into account the
wrap case.  Also agp_create_user_memory() doesn't check whether
alloc_size is calculated from num_agp_pages variable without overflow.
This may lead to allocation of too small buffer with following buffer
overflow.

Another problem in agp code is not addressed in the patch - kernel memory
exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls).  It is not checked
whether requested pid is a pid of the caller (no check in agpioc_reserve_wrap()).
Each allocation is limited to 16KB, though, there is no per-process limit.
This might lead to OOM situation, which is not even solved in case of the
caller death by OOM killer - the memory is allocated for another (faked) process.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
agp: kill agp_rebind_memory 2010-11-23T20:14:46+00:00 Daniel Vetter daniel.vetter@ffwll.ch 2010-11-05T21:27:10+00:00 cb16b67b5cb33b7d6732e0c416d29d933eea13ce Its only user, intel-gtt.c is now gone. Cc: Dave Airlie <airlied@gmail.com> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> 
Its only user, intel-gtt.c is now gone.

Cc: Dave Airlie <airlied@gmail.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
agp: kill agp_flush_chipset and corresponding ioctl 2010-11-23T20:14:45+00:00 Daniel Vetter daniel.vetter@ffwll.ch 2010-11-05T17:40:56+00:00 f050a8abbda0efcd597c6b1825e3b9ce4d613383 The intel drm calls the chipset functions now directly. Userspace never called the corresponding ioctl, hence it can be killed, too. Cc: Dave Airlie <airlied@gmail.com> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> 
The intel drm calls the chipset functions now directly. Userspace
never called the corresponding ioctl, hence it can be killed, too.

Cc: Dave Airlie <airlied@gmail.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Merge branch 'drm-core-next' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6 2010-10-27T01:57:59+00:00 Linus Torvalds torvalds@linux-foundation.org 2010-10-27T01:57:59+00:00 c48c43e422c1404fd72c57d1d21a6f6d01e18900 * 'drm-core-next' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6: (476 commits) vmwgfx: Implement a proper GMR eviction mechanism drm/radeon/kms: fix r6xx/7xx 1D tiling CS checker v2 drm/radeon/kms: properly compute group_size on 6xx/7xx drm/radeon/kms: fix 2D tile height alignment in the r600 CS checker drm/radeon/kms/evergreen: set the clear state to the blit state drm/radeon/kms: don't poll dac load detect. gpu: Add Intel GMA500(Poulsbo) Stub Driver drm/radeon/kms: MC vram map needs to be >= pci aperture size drm/radeon/kms: implement display watermark support for evergreen drm/radeon/kms/evergreen: add some additional safe regs v2 drm/radeon/r600: fix tiling issues in CS checker. drm/i915: Move gpu_write_list to per-ring drm/i915: Invalidate the to-ring, flush the old-ring when updating domains drm/i915/ringbuffer: Write the value passed in to the tail register agp/intel: Restore valid PTE bit for Sandybridge after bdd3072 drm/i915: Fix flushing regression from 9af90d19f drm/i915/sdvo: Remove unused encoding member i915: enable AVI infoframe for intel_hdmi.c [v4] drm/i915: Fix current fb blocking for page flip drm/i915: IS_IRONLAKE is synonymous with gen == 5 ... Fix up conflicts in - drivers/gpu/drm/i915/{i915_gem.c, i915/intel_overlay.c}: due to the new simplified stack-based kmap_atomic() interface - drivers/gpu/drm/vmwgfx/vmwgfx_drv.c: added .llseek entry due to BKL removal cleanups. 
* 'drm-core-next' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6: (476 commits)
  vmwgfx: Implement a proper GMR eviction mechanism
  drm/radeon/kms: fix r6xx/7xx 1D tiling CS checker v2
  drm/radeon/kms: properly compute group_size on 6xx/7xx
  drm/radeon/kms: fix 2D tile height alignment in the r600 CS checker
  drm/radeon/kms/evergreen: set the clear state to the blit state
  drm/radeon/kms: don't poll dac load detect.
  gpu: Add Intel GMA500(Poulsbo) Stub Driver
  drm/radeon/kms: MC vram map needs to be >= pci aperture size
  drm/radeon/kms: implement display watermark support for evergreen
  drm/radeon/kms/evergreen: add some additional safe regs v2
  drm/radeon/r600: fix tiling issues in CS checker.
  drm/i915: Move gpu_write_list to per-ring
  drm/i915: Invalidate the to-ring, flush the old-ring when updating domains
  drm/i915/ringbuffer: Write the value passed in to the tail register
  agp/intel: Restore valid PTE bit for Sandybridge after bdd3072
  drm/i915: Fix flushing regression from 9af90d19f
  drm/i915/sdvo: Remove unused encoding member
  i915: enable AVI infoframe for intel_hdmi.c [v4]
  drm/i915: Fix current fb blocking for page flip
  drm/i915: IS_IRONLAKE is synonymous with gen == 5
  ...

Fix up conflicts in
 - drivers/gpu/drm/i915/{i915_gem.c, i915/intel_overlay.c}: due to the
   new simplified stack-based kmap_atomic() interface
 - drivers/gpu/drm/vmwgfx/vmwgfx_drv.c: added .llseek entry due to BKL
   removal cleanups.
agp: kill agp_(unmap|map)_memory 2010-09-21T10:39:52+00:00 Daniel Vetter daniel.vetter@ffwll.ch 2010-09-12T09:07:15+00:00 aaa62591199162e6496b4f47cac4f5923bc571d1 DMA remapping was only used by the intel-gtt driver. With that code now folded into the driver, kill the agp generic support for it. Cc: Dave Airlie <airlied@linux.ie> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> 
DMA remapping was only used by the intel-gtt driver. With that
code now folded into the driver, kill the agp generic support for
it.

Cc: Dave Airlie <airlied@linux.ie>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
AGP: Warn when GATT memory cannot be set to UC 2010-09-05T12:28:34+00:00 Borislav Petkov borislav.petkov@amd.com 2010-09-03T16:39:41+00:00 1b13fe6a6e9986dbc079cbb05090be75edbffa5d This is one of those paranoid checks which should at least tell us that something is about to go haywire after we've disabled GART table walk probes which is done by default now on AMD. Signed-off-by: Borislav Petkov <borislav.petkov@amd.com> Cc: Dave Airlie <airlied@redhat.com> Cc: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> LKML-Reference: <1283531981-7495-4-git-send-email-bp@amd64.org> Signed-off-by: Ingo Molnar <mingo@elte.hu> 
This is one of those paranoid checks which should at least tell
us that something is about to go haywire after we've disabled
GART table walk probes which is done by default now on AMD.

Signed-off-by: Borislav Petkov <borislav.petkov@amd.com>
Cc: Dave Airlie <airlied@redhat.com>
Cc: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
LKML-Reference: <1283531981-7495-4-git-send-email-bp@amd64.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
agp: add no warn since we have a fallback to vmalloc paths 2010-06-15T01:02:32+00:00 Dave Airlie airlied@redhat.com 2010-06-15T01:02:05+00:00 1c48bc5f71cd7783e19fb8d9462be53f829be177 also drop the NORETRY we can probably nearly always satisfy order 1 allocs now, and again the vmalloc path is there. Signed-off-by: Dave Airlie <airlied@redhat.com> 
also drop the NORETRY we can probably nearly always satisfy order 1 allocs now,
and again the vmalloc path is there.

Signed-off-by: Dave Airlie <airlied@redhat.com>
agp: drop vmalloc flag. 2010-06-14T23:56:01+00:00 Dave Airlie airlied@redhat.com 2010-06-14T23:52:37+00:00 da931a931da85218add949266238c54b5fecd37f Since the code that was too ugly to live is upstream, we can use it now, instead of rolling our own. Signed-off-by: Dave Airlie <airlied@redhat.com> 
Since the code that was too ugly to live is upstream, we can use it now,
instead of rolling our own.

Signed-off-by: Dave Airlie <airlied@redhat.com>