r2179 - in trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Simon Horman
horms@costa.debian.org
Sat, 08 Jan 2005 03:46:52 +0100
Author: horms
Date: 2005-01-08 03:46:51 +0100 (Sat, 08 Jan 2005)
New Revision: 2179
Added:
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/121_drm-locking-checks-1.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/121_drm-locking-checks-2.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-8
Removed:
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-9
Modified:
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
Log:
Fix insufficient locking checks in DRM code; CAN-2004-1056
Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2005-01-08 01:44:52 UTC (rev 2178)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2005-01-08 02:46:51 UTC (rev 2179)
@@ -1,19 +1,17 @@
-kernel-source-2.4.27 (2.4.27-9) UNRELEASED; urgency=low
+kernel-source-2.4.27 (2.4.27-8) UNRELEASED; urgency=low
+ * add dh_fixperms to the build targets to kernel-patch-debian-2.4.27
+ to ensure that the permissions of the files in this package are
+ sensible. (Closes: Bug#288279) (Simon Horman)
* [SECURITY] Fix vulnerability in the ELF loader code allowing
local attacker to execute code as root; CAN-2004-1235.
(closes: #289155) (Maximilian Attems)
+ * 121_drm-locking-checks-1.diff 121_drm-locking-checks-2.diff:
+ [SECURITY] Fix insufficient locking checks in DRM code; CAN-2004-1056
+ (Fabio M. Di Nitto, Dann Frazier, Simon Horman). (Closes: Bug#285563)
- --
+ -- Simon Horman <horms@debian.org> Fri, 7 Jan 2005 16:48:31 +0900
-kernel-source-2.4.27 (2.4.27-8) unstable; urgency=low
-
- * add dh_fixperms to the build targets to kernel-patch-debian-2.4.27
- to ensure that the permissions of the files in this package are
- sensible. (Closes: Bug#288279) (Simon Horman)
-
- -- Simon Horman <horms@debian.org> Fri, 7 Jan 2005 14:59:03 +0900
-
kernel-source-2.4.27 (2.4.27-7) unstable; urgency=low
* 113-unix-serialization.diff:
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/121_drm-locking-checks-1.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/121_drm-locking-checks-1.diff 2005-01-08 01:44:52 UTC (rev 2178)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/121_drm-locking-checks-1.diff 2005-01-08 02:46:51 UTC (rev 2179)
@@ -0,0 +1,196 @@
+# origin: Fabio M. Di Nitto
+# cset: none
+# inclusion: pending inclusion
+# description: Fix insufficient locking checks in DRM code; CAN-2004-1056
+# revision date: 2004-12-13
+
+diff -urN kernel-source-2.4.27.orig/drivers/char/drm/i810_dma.c kernel-source-2.4.27/drivers/char/drm/i810_dma.c
+--- kernel-source-2.4.27.orig/drivers/char/drm/i810_dma.c 2004-12-01 03:07:54.000000000 -0700
++++ kernel-source-2.4.27/drivers/char/drm/i810_dma.c 2004-12-13 22:18:50.404864367 -0700
+@@ -952,10 +952,7 @@
+ drm_file_t *priv = filp->private_data;
+ drm_device_t *dev = priv->dev;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_flush_ioctl called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i810_flush_queue(dev);
+ return 0;
+@@ -977,10 +974,7 @@
+ if (copy_from_user(&vertex, (drm_i810_vertex_t *)arg, sizeof(vertex)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma_vertex called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if(vertex.idx < 0 || vertex.idx > dma->buf_count) return -EINVAL;
+
+@@ -1008,10 +1002,7 @@
+ if (copy_from_user(&clear, (drm_i810_clear_t *)arg, sizeof(clear)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_clear_bufs called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ /* GH: Someone's doing nasty things... */
+ if (!dev->dev_private) {
+@@ -1030,10 +1021,8 @@
+ drm_file_t *priv = filp->private_data;
+ drm_device_t *dev = priv->dev;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_swap_buf called without lock held\n");
+- return -EINVAL;
+- }
++
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i810_dma_dispatch_swap( dev );
+ return 0;
+@@ -1068,10 +1057,7 @@
+ if (copy_from_user(&d, (drm_i810_dma_t *)arg, sizeof(d)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ d.granted = 0;
+
+@@ -1179,10 +1165,7 @@
+ return -EFAULT;
+
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_dma_mc called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i810_dma_dispatch_mc(dev, dma->buflist[mc.idx], mc.used,
+ mc.last_render );
+@@ -1227,10 +1210,7 @@
+ drm_device_t *dev = priv->dev;
+ drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_fstatus called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+ return I810_READ(0x30008);
+ }
+
+@@ -1241,10 +1221,7 @@
+ drm_device_t *dev = priv->dev;
+ drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i810_ov0_flip called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ //Tell the overlay to update
+ I810_WRITE(0x30000,dev_priv->overlay_physical | 0x80000000);
+diff -urN kernel-source-2.4.27.orig/drivers/char/drm/i830_dma.c kernel-source-2.4.27/drivers/char/drm/i830_dma.c
+--- kernel-source-2.4.27.orig/drivers/char/drm/i830_dma.c 2004-02-18 06:36:31.000000000 -0700
++++ kernel-source-2.4.27/drivers/char/drm/i830_dma.c 2004-12-13 22:15:53.955647778 -0700
+@@ -1330,10 +1330,7 @@
+ drm_file_t *priv = filp->private_data;
+ drm_device_t *dev = priv->dev;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_flush_ioctl called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i830_flush_queue(dev);
+ return 0;
+@@ -1354,10 +1351,7 @@
+ if (copy_from_user(&vertex, (drm_i830_vertex_t *)arg, sizeof(vertex)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_dma_vertex called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ DRM_DEBUG("i830 dma vertex, idx %d used %d discard %d\n",
+ vertex.idx, vertex.used, vertex.discard);
+@@ -1384,10 +1378,7 @@
+ if (copy_from_user(&clear, (drm_i830_clear_t *)arg, sizeof(clear)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_clear_bufs called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ /* GH: Someone's doing nasty things... */
+ if (!dev->dev_private) {
+@@ -1409,10 +1400,7 @@
+
+ DRM_DEBUG("i830_swap_bufs\n");
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_swap_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ i830_dma_dispatch_swap( dev );
+ return 0;
+@@ -1453,10 +1441,7 @@
+
+ DRM_DEBUG("%s\n", __FUNCTION__);
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_flip_buf called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if (!dev_priv->page_flipping)
+ i830_do_init_pageflip( dev );
+@@ -1495,10 +1480,7 @@
+ if (copy_from_user(&d, (drm_i830_dma_t *)arg, sizeof(d)))
+ return -EFAULT;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_dma called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ d.granted = 0;
+
+diff -urN kernel-source-2.4.27.orig/drivers/char/drm/i830_irq.c kernel-source-2.4.27/drivers/char/drm/i830_irq.c
+--- kernel-source-2.4.27.orig/drivers/char/drm/i830_irq.c 2003-11-28 11:26:20.000000000 -0700
++++ kernel-source-2.4.27/drivers/char/drm/i830_irq.c 2004-12-13 22:15:53.965413403 -0700
+@@ -130,10 +130,7 @@
+ drm_i830_irq_emit_t emit;
+ int result;
+
+- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
+- DRM_ERROR("i830_irq_emit called without lock held\n");
+- return -EINVAL;
+- }
++ LOCK_TEST_WITH_RETURN( dev, filp );
+
+ if ( !dev_priv ) {
+ DRM_ERROR( "%s called with no initialization\n", __FUNCTION__ );
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/121_drm-locking-checks-2.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/121_drm-locking-checks-2.diff 2005-01-08 01:44:52 UTC (rev 2178)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/121_drm-locking-checks-2.diff 2005-01-08 02:46:51 UTC (rev 2179)
@@ -0,0 +1,98 @@
+# origin: torvalds (BitKeeper)
+# cset: 1.971.58.39 (2.6) key=3e868ffdWSVmjpKhisQ9Y-t4YQuXkg (Modified)
+# inclusion: upstream
+# descrition: Update direct-rendering to current DRI CVS tree.
+# revision date: Fri, 07 Jan 2005 16:14:09 +0900
+#
+# Note this patch has been modified. All components eccept for the addition
+# of LOCK_TEST_WITH_RETURN drivers/char/drm/drmP.h have been removed.
+# This portion has been updated to correlate locks using pid instead
+# of filp as the latter does not exist in 2.4.27. This idea was taken from
+# http://mirror.clarkson.edu/pub/distributions/gentoo-portage/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.20-CAN-2004-1056.patch
+# -- Horms 7th January 2004
+#
+# S rset: ChangeSet|1.971.58.38..1.971.58.39
+# D rset: drivers/char/drm/drm_agpsupport.h|1.15..1.16
+# D rset: drivers/char/drm/i830_dma.c|1.12..1.13
+# D rset: drivers/char/drm/drm_proc.h|1.8..1.9
+# D rset: drivers/char/drm/r128_cce.c|1.9..1.10
+# D rset: drivers/char/drm/r128_state.c|1.10..1.11
+# D rset: drivers/char/drm/radeon_cp.c|1.15..1.16
+# D rset: drivers/char/drm/drm_bufs.h|1.9..1.10
+# D rset: drivers/char/drm/drm_ioctl.h|1.8..1.9
+# D rset: drivers/char/drm/i830.h|1.5..1.6
+# D rset: drivers/char/drm/i810.h|1.5..1.6
+# D rset: drivers/char/drm/i810_dma.c|1.20..1.21
+# D rset: drivers/char/drm/i830_drm.h|1.5..1.6
+# D rset: drivers/char/drm/mga_state.c|1.12..1.13
+# D rset: drivers/char/drm/gamma_drv.h|1.5..1.6
+# D rset: drivers/char/drm/radeon_drv.h|1.17..1.18
+# D rset: drivers/char/drm/drm_fops.h|1.8..1.9
+# D rset: drivers/char/drm/drm_dma.h|1.10..1.11
+# D rset: drivers/char/drm/radeon_drm.h|1.11..1.12
+# D rset: drivers/char/drm/drm_lock.h|1.6..1.7
+# D rset: drivers/char/drm/sis_mm.c|1.4..1.5
+# D rset: drivers/char/drm/i830_drv.h|1.6..1.7
+# I rset: drivers/char/drm/drmP.h|1.17..1.18
+# D rset: drivers/char/drm/drm_drv.h|1.14..1.15
+# D rset: BitKeeper/deleted/.del-drm_lists.h~8e5aa1ea5d68c6c1|1.6..1.7
+# D rset: drivers/char/drm/radeon_state.c|1.18..1.19
+# D rset: drivers/char/drm/Kconfig|1.2..1.3
+# D rset: drivers/char/drm/radeon_mem.c|1.5..1.6
+# D rset: drivers/char/drm/mga_dma.c|1.10..1.11
+# D rset: drivers/char/drm/mga_drv.h|1.11..1.12
+# D rset: drivers/char/drm/radeon.h|1.9..1.10
+# D rset: drivers/char/drm/drm_os_linux.h|1.7..1.8
+# D rset: drivers/char/drm/gamma_dma.c|1.8..1.9
+# D rset: drivers/char/drm/radeon_irq.c|1.7..1.8
+# D rset: drivers/char/drm/i810_drv.h|1.7..1.8
+# D rset: drivers/char/drm/Makefile|1.15..1.16
+# D rset: drivers/char/drm/sis.h|1.4..1.5
+# D rset: drivers/char/drm/r128_drv.h|1.12..1.13
+# D rset: drivers/char/drm/i830_irq.c|1.0..1.1
+#
+# Key:
+# S: Skipped ChangeSet file only
+# O: Original Followed by Updated
+# U: Updated Included with updated range of versions
+# I: Included Included verbatim
+# E: Excluded Excluded on request from user
+# D: Deleted Manually deleted by subsequent user edit
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2003/03/29 22:34:37-08:00 torvalds@home.transmeta.com
+# Update direct-rendering to current DRI CVS tree.
+#
+# This adds support for i830 interrupt handling, and new improved
+# lock context keying. See per-file comments for more detail, as this
+# commit sadly mixes up a few different things (that's what you get
+# for not tracking the changes at a fine enough granularity).
+#
+# drivers/char/drm/drmP.h
+# 2003/03/29 22:34:33-08:00 torvalds@home.transmeta.com +20 -5
+# Make the DRI locking use "struct file" as the fundamental identity of
+# a direct-rendering context. This fixes various leaks, and makes sure
+# that we don't get confused by the file descriptor being released.
+#
+--- 1.17/drivers/char/drm/drmP.h 2002-12-19 02:56:28 +09:00
++++ 1.18/drivers/char/drm/drmP.h 2003-03-30 15:34:33 +09:00
+@@ -268,6 +269,17 @@
+ (_map) = (_dev)->context_sareas[_ctx]; \
+ } while(0)
+
++#define LOCK_TEST_WITH_RETURN( dev, filp ) \
++do { \
++ if ( !_DRM_LOCK_IS_HELD( dev->lock.hw_lock->lock ) || \
++ dev->lock.pid != current->pid ) { \
++ DRM_ERROR( "%s called without lock held\n", \
++ __FUNCTION__ ); \
++ return -EINVAL; \
++ } \
++} while (0)
++
++
+ typedef int drm_ioctl_t( struct inode *inode, struct file *filp,
+ unsigned int cmd, unsigned long arg );
+
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-8
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-8 2005-01-08 01:44:52 UTC (rev 2178)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-8 2005-01-08 02:46:51 UTC (rev 2179)
@@ -0,0 +1,3 @@
++ 121_drm-locking-checks-1.diff
++ 121_drm-locking-checks-2.diff
++ sec_brk-locked.dpatch
Deleted: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-9
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-9 2005-01-08 01:44:52 UTC (rev 2178)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-9 2005-01-08 02:46:51 UTC (rev 2179)
@@ -1 +0,0 @@
-+ sec_brk-locked.dpatch