[kernel] r15267 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

Maximilian Attems maks at alioth.debian.org
Wed Feb 24 12:07:40 UTC 2010 

Author: maks
Date: Wed Feb 24 12:07:35 2010
New Revision: 15267

Log:
add radeon fix for mem corruption in low mem

Reported-by: Julien Cristau <jcristau at debian.org>

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/radeon_block_ability_userspace_app.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/9

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Wed Feb 24 01:07:52 2010	(r15266)
+++ dists/sid/linux-2.6/debian/changelog	Wed Feb 24 12:07:35 2010	(r15267)
@@ -31,6 +31,9 @@
   * Bump ABI to 3.
   * drm/i915: give up on 8xx lid status.
   * vgaarb: fix "target=default" passing.
+  * drm/radeon: block ability for userspace app to trash 0 page and beyond.
+    (closes: #550562)
+
 
   [ Bastian Blank ]
   * Restrict access to sensitive SysRq keys by default.

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/radeon_block_ability_userspace_app.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/radeon_block_ability_userspace_app.patch	Wed Feb 24 12:07:35 2010	(r15267)
@@ -0,0 +1,73 @@
+From 2812f9c43c50cbf0e17118e7ae7d82e44d74a1dd Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied at redhat.com>
+Date: Wed, 24 Feb 2010 17:17:13 +1000
+Subject: [PATCH] drm/radeon: block ability for userspace app to trash 0 page and beyond
+
+radeon's have a special ability to passthrough writes in their internal
+memory space directly to PCI, this ability means that if some of the internal
+surfaces like the depth buffer point at 0x0, any writes to these will
+go directly to RAM at 0x0 via PCI busmastering.
+
+Now mesa used to always emit clears after emitting state, since the
+radeon mesa driver was refactored a year or more ago, it was found it
+could generate a clear request without ever sending any setup state to the
+card. So the clear would attempt to clear the depth buffer at 0x0, which
+would overwrite main memory at this point. fs corruption ensues.
+
+Also once one app did this correctly, it would never get set back to 0
+making this messy to reproduce.
+
+The kernel should block this from happening as mesa runs without privs,
+though it does require the user be connected to the current running X session.
+
+This patch implements a check to make sure the depth offset has been set
+before a depth clear occurs and if it finds one it prints a warning and
+ignores the depth clear request. There is also a mesa fix to avoid sending
+the badness going into mesa.
+
+Signed-off-by: Dave Airlie <airlied at redhat.com>
+---
+ drivers/gpu/drm/radeon/radeon_drv.h   |    2 ++
+ drivers/gpu/drm/radeon/radeon_state.c |    6 ++++++
+ 2 files changed, 8 insertions(+), 0 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_drv.h b/drivers/gpu/drm/radeon/radeon_drv.h
+index b058316..0c08953 100644
+--- a/drivers/gpu/drm/radeon/radeon_drv.h
++++ b/drivers/gpu/drm/radeon/radeon_drv.h
+@@ -267,6 +267,8 @@ typedef struct drm_radeon_private {
+ 
+ 	u32 scratch_ages[5];
+ 
++	int have_z_offset;
++
+ 	/* starting from here on, data is preserved accross an open */
+ 	uint32_t flags;		/* see radeon_chip_flags */
+ 	resource_size_t fb_aper_offset;
+diff --git a/drivers/gpu/drm/radeon/radeon_state.c b/drivers/gpu/drm/radeon/radeon_state.c
+index 38537d9..f089493 100644
+--- a/drivers/gpu/drm/radeon/radeon_state.c
++++ b/drivers/gpu/drm/radeon/radeon_state.c
+@@ -101,6 +101,7 @@ static __inline__ int radeon_check_and_fixup_packets(drm_radeon_private_t *
+ 			DRM_ERROR("Invalid depth buffer offset\n");
+ 			return -EINVAL;
+ 		}
++		dev_priv->have_z_offset = 1;
+ 		break;
+ 
+ 	case RADEON_EMIT_PP_CNTL:
+@@ -876,6 +877,11 @@ static void radeon_cp_dispatch_clear(struct drm_device * dev,
+ 		if (tmp & RADEON_BACK)
+ 			flags |= RADEON_FRONT;
+ 	}
++	if (flags & (RADEON_DEPTH|RADEON_STENCIL)) {
++		if (!dev_priv->have_z_offset)
++			printk_once(KERN_ERR "radeon: illegal depth clear request. Buggy mesa detected - please update.\n");
++		flags &= ~(RADEON_DEPTH | RADEON_STENCIL);
++	}
+ 
+ 	if (flags & (RADEON_FRONT | RADEON_BACK)) {
+ 
+-- 
+1.6.5.2
+

Modified: dists/sid/linux-2.6/debian/patches/series/9
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/9	Wed Feb 24 01:07:52 2010	(r15266)
+++ dists/sid/linux-2.6/debian/patches/series/9	Wed Feb 24 12:07:35 2010	(r15267)
@@ -23,3 +23,4 @@
 + features/arm/dns323-rev-a1-powerled.patch
 + bugfix/all/vgaarb-fix-target-default-passing.patch
 + bugfix/all/fs-exec.c-fix-initial-stack-reservation.patch
++ bugfix/all/radeon_block_ability_userspace_app.patch

More information about the Kernel-svn-changes mailing list