bsd-core/drm_drv.c | 2 +-
bsd-core/drm_fops.c | 2 +-
bsd-core/drm_lock.c | 10 ++++------
libdrm/intel/intel_bufmgr_fake.c | 17 +++++++++--------
libdrm/intel/intel_bufmgr_gem.c | 2 +-
shared-core/i915_dma.c | 2 +-
6 files changed, 17 insertions(+), 18 deletions(-)
New commits:
commit 1d930fc75b99a89fc77d35d8f95f2877cfd5d7f0
Author: Matthias Hopf <[EMAIL PROTECTED]>
Date: Sat Oct 25 12:11:44 2008 -0400
drm/i915: fix ioremap of a user address for non-root (CVE-2008-3831)
Olaf Kirch noticed that the i915_set_status_page() function of the i915 kernel driver calls ioremap with an address offset that is supplied by userspace via ioctl. The function zeroes the mapped memory via memset and tells the hardware about the address. Turns out that access to that ioctl is not restricted to root so users could probably exploit that to do nasty things. We haven't tried to write actual exploit code though. It only affects the Intel G33 series and newer.
diff --git a/shared-core/i915_dma.c b/shared-core/i915_dma.c
index 619e6ac..93bfcba 100644
--- a/shared-core/i915_dma.c
+++ b/shared-core/i915_dma.c
@@ -1225,7 +1225,7 @@ struct drm_ioctl_desc i915_ioctls[] = {
 DRM_IOCTL_DEF(DRM_I915_GET_VBLANK_PIPE, i915_vblank_pipe_get, DRM_AUTH ),
 DRM_IOCTL_DEF(DRM_I915_VBLANK_SWAP, i915_vblank_swap, DRM_AUTH),
 DRM_IOCTL_DEF(DRM_I915_MMIO, i915_mmio, DRM_AUTH),
- DRM_IOCTL_DEF(DRM_I915_HWS_ADDR, i915_set_status_page, DRM_AUTH),
+ DRM_IOCTL_DEF(DRM_I915_HWS_ADDR, i915_set_status_page, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY),
 #ifdef I915_HAVE_BUFFER
 DRM_IOCTL_DEF(DRM_I915_EXECBUFFER, i915_execbuffer, DRM_AUTH),
 #endif
commit b7d54b1dba8eba24da1b9cdd2116a26b98365b81
Author: Xiang, Haihao <[EMAIL PROTECTED]>
Date: Fri Oct 24 16:35:00 2008 +0800
intel: Also total child_size of the target_bos. Partial fix #17964.
diff --git a/libdrm/intel/intel_bufmgr_fake.c b/libdrm/intel/intel_bufmgr_fake.c
index c82ce5a..c9545b3 100644
--- a/libdrm/intel/intel_bufmgr_fake.c
+++ b/libdrm/intel/intel_bufmgr_fake.c
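Review bot: The DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY flags on the DRM_I915_HWS_ADDR entry close the non-root path, but the ioctl table is the only thing changed: per the description i915_set_status_page() still hands a userspace-supplied offset to ioremap, and no range check on that offset is visible anywhere in the commit. A follow-up should validate the offset inside i915_set_status_page (outside this hunk) against the driver's valid range before the ioremap, so the access-control flags become defence in depth rather than the only barrier. A one-line comment on the table entry would keep the reason from being lost, e.g. `/* handler ioremaps a caller-supplied offset: root-only until it validates the range (CVE-2008-3831) */`.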
@@ -1193,9 +1193,10 @@ dri_fake_emit_reloc(dri_bo *reloc_buf,
 dri_fake_bo_reference_locked(target_buf);
- if (!target_fake->is_static)
+ if (!target_fake->is_static) {
 reloc_fake->child_size += ALIGN(target_buf->size, target_fake->alignment);
-
+ reloc_fake->child_size += target_fake->child_size;
+ }
 r->target_buf = target_buf;
 r->offset = offset;
 r->last_target_offset = target_buf->offset;
commit 8256c347cc80db0371b40b34ee8a163908d50079
Author: Robert Noland <[EMAIL PROTECTED]>
Date: Thu Oct 23 15:46:32 2008 -0400
[FreeBSD] We should use dev2unit() rather than minor()
diff --git a/bsd-core/drm_drv.c b/bsd-core/drm_drv.c
index 725e5a9..afcad19 100644
--- a/bsd-core/drm_drv.c
+++ b/bsd-core/drm_drv.c
@@ -534,7 +534,7 @@ int drm_open(struct cdev *kdev, int flags, int fmt, DRM_STRUCTPROC *p)
 struct drm_device *dev = NULL;
 int retcode = 0;
- dev = DRIVER_SOFTC(minor(kdev));
+ dev = DRIVER_SOFTC(dev2unit(kdev));
 DRM_DEBUG("open_count = %d\n", dev->open_count);
diff --git a/bsd-core/drm_fops.c b/bsd-core/drm_fops.c
index c6a8d19..e4cf846 100644
--- a/bsd-core/drm_fops.c
+++ b/bsd-core/drm_fops.c
@@ -41,7 +41,7 @@ int drm_open_helper(struct cdev *kdev, int flags, int fmt, DRM_STRUCTPROC *p,
 struct drm_device *dev)
 {
 struct drm_file *priv;
- int m = minor(kdev);
+ int m = dev2unit(kdev);
 int retcode;
 if (flags & O_EXCL)
commit 7dbeb18777a4dc1e7eb3c6bc4da3e72456afc8fc
Author: Robert Noland <[EMAIL PROTECTED]>
Date: Thu Oct 23 15:42:49 2008 -0400
[FreeBSD] This check isn't correct and causes at least mga to lockup.
diff --git a/bsd-core/drm_lock.c b/bsd-core/drm_lock.c
index 685b0ea..dec7281 100644
--- a/bsd-core/drm_lock.c
+++ b/bsd-core/drm_lock.c
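Review bot: The new `reloc_fake->child_size += target_fake->child_size;` snapshots the target's total at the moment this reloc is emitted, so if the target's own relocs are emitted after this call the parent's child_size will not include them; whether callers always emit bottom-up is not visible here and should be confirmed, and the commit itself calls this a partial fix. The intent that child_size is a recursive total deserves a comment at the top of the `if` block, e.g. `/* child_size is the aligned size of every reachable non-static target, so fold in the target's own subtree as well */`. dri_fake_emit_reloc starts and ends outside the hunk.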
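Review bot: `dev = DRIVER_SOFTC(dev2unit(kdev));` in drm_open is dereferenced on the very next line by `DRM_DEBUG("open_count = %d\n", dev->open_count);` with no NULL check; if DRIVER_SOFTC can yield NULL for a unit without an attached softc (its definition is not visible here, confirm), an open on a stale device node faults in the kernel. A guard such as `if (dev == NULL) return ENXIO;` before the DRM_DEBUG makes the open path fail closed, which matters more now that the unit number comes from dev2unit(). The drm_open_helper hunk in drm_fops.c makes the same minor()→dev2unit() substitution but only stores the unit number, so it needs nothing further. drm_open continues outside the hunk.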
@@ -102,17 +102,15 @@ int drm_unlock(struct drm_device *dev, void *data, struct drm_file *file_priv)
 {
 struct drm_lock *lock = data;
+ DRM_DEBUG("%d (pid %d) requests unlock (0x%08x), flags = 0x%08x\n",
+ lock->context, DRM_CURRENTPID, dev->lock.hw_lock->lock,
+ lock->flags);
+
 if (lock->context == DRM_KERNEL_CONTEXT) {
 DRM_ERROR("Process %d using kernel context %d\n", DRM_CURRENTPID, lock->context);
 return EINVAL;
 }
- /* Check that the context unlock being requested actually matches
- * who currently holds the lock.
- */
- if (!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock) || _DRM_LOCKING_CONTEXT(dev->lock.hw_lock->lock) != lock->context)
- return EINVAL;
 DRM_SPINLOCK(&dev->tsk_lock);
 if (dev->locked_task_call != NULL) {
commit a59ea02ff839fa0801763a90beb8b232b933c746
Author: Keith Packard <[EMAIL PROTECTED]>
Date: Thu Oct 16 21:15:01 2008 -0700
intel: ioctl is not defined to return -errno
Don't count on ioctl returning -errno; use errno directly.
Signed-off-by: Keith Packard <[EMAIL PROTECTED]>
Signed-off-by: Eric Anholt <[EMAIL PROTECTED]>
diff --git a/libdrm/intel/intel_bufmgr_gem.c b/libdrm/intel/intel_bufmgr_gem.c
index 33853c4..081eb2a 100644
--- a/libdrm/intel/intel_bufmgr_gem.c
+++ b/libdrm/intel/intel_bufmgr_gem.c
@@ -790,7 +790,7 @@ dri_gem_bo_exec(dri_bo *bo, int used,
 do {
 ret = ioctl(bufmgr_gem->fd, DRM_IOCTL_I915_GEM_EXECBUFFER, &execbuf);
- } while (ret == -EAGAIN);
+ } while (ret != 0 && errno == EAGAIN);
 intel_update_buffer_offsets (bufmgr_gem);
commit 769197c8f16eaf3c0a476a4459e535afd4a939cb
Author: Xiang, Haihao <[EMAIL PROTECTED]>
Date: Thu Oct 16 10:37:30 2008 +0800
intel: avoid deadlock in intel_bufmgr_fake.
diff --git a/libdrm/intel/intel_bufmgr_fake.c b/libdrm/intel/intel_bufmgr_fake.c
index 8e476c4..c82ce5a 100644
--- a/libdrm/intel/intel_bufmgr_fake.c
+++ b/libdrm/intel/intel_bufmgr_fake.c
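Review bot: Deleting the holder check means any client permitted to reach drm_unlock can now release a lock owned by a different context, and the description only says the comparison wedged mga without saying why it was wrong; the lost invariant should be recorded where the check was, e.g. `/* No holder check here: comparing lock->context with the hw_lock owner wedged mga (commit 7dbeb187); callers are trusted to unlock only their own context. */`, so a later reader does not re-add it blindly or miss that it is gone. Separately, the added DRM_DEBUG reads `dev->lock.hw_lock->lock` before any validation; if hw_lock can be unset when this ioctl arrives (not visible here) that is a NULL dereference reachable from userspace, so either confirm it is always mapped or move the debug line below the context check. drm_unlock continues outside the hunk.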
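Review bot: After the rewritten loop `ret` is -1 for any non-EAGAIN failure, yet the following context line `intel_update_buffer_offsets (bufmgr_gem);` runs unconditionally, so buffer offsets are refreshed after an execbuffer that did not run; and if dri_gem_bo_exec later hands `ret` back to callers that expect the old -errno convention they now receive -1 (the rest of the function is outside the hunk, so this is inferred). Capturing the error once, `if (ret != 0) return -errno;` between the loop and the update call, would preserve the callers' contract and skip the offset update on failure. errno must be read there before any other library call.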
@@ -1053,12 +1053,10 @@ dri_fake_bo_unmap(dri_bo *bo)
 }
 static void
-dri_fake_kick_all(dri_bufmgr_fake *bufmgr_fake)
+dri_fake_kick_all_locked(dri_bufmgr_fake *bufmgr_fake)
 {
 struct block *block, *tmp;
- pthread_mutex_lock(&bufmgr_fake->lock);
-
 bufmgr_fake->performed_rendering = 0;
 /* okay for ever BO that is on the HW kick it off. seriously not afraid of the POLICE right now */
@@ -1073,7 +1071,6 @@ dri_fake_kick_all(dri_bufmgr_fake *bufmgr_fake)
 bo_fake->dirty = 1;
 }
- pthread_mutex_unlock(&bufmgr_fake->lock);
 }
 static int
@@ -1358,7 +1355,7 @@ dri_fake_bo_exec(dri_bo *bo, int used,
 if (bufmgr_fake->fail == 1) {
 if (retry_count == 0) {
 retry_count++;
- dri_fake_kick_all(bufmgr_fake);
+ dri_fake_kick_all_locked(bufmgr_fake);
 bufmgr_fake->fail = 0;
 goto restart;
 } else /* dump out the memory here */
@@ -1369,8 +1366,10 @@ dri_fake_bo_exec(dri_bo *bo, int used,
 if (bufmgr_fake->exec != NULL) {
 int ret = bufmgr_fake->exec(bo, used, bufmgr_fake->exec_priv);
- if (ret != 0)
+ if (ret != 0) {
+ pthread_mutex_unlock(&bufmgr_fake->lock);
 return ret;
+ }
 } else {
 batch.start = bo->offset;
 batch.used = used;
@@ -1382,6 +1381,7 @@ dri_fake_bo_exec(dri_bo *bo, int used,
 if (drmCommandWrite(bufmgr_fake->fd, DRM_I915_BATCHBUFFER, &batch, sizeof(batch))) {
 drmMsg("DRM_I915_BATCHBUFFER: %d\n", -errno);
+ pthread_mutex_unlock(&bufmgr_fake->lock);
 return -errno;
 }
 }
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
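Review bot: The `_locked` suffix on dri_fake_kick_all_locked is now the only record that the caller must already hold bufmgr_fake->lock; nothing in the function body says so once the pthread_mutex_lock/unlock pair is gone, and the sole visible caller is the retry path in dri_fake_bo_exec (third hunk). A header comment makes the contract explicit for the next caller, e.g. `/* Caller must hold bufmgr_fake->lock. */` placed above `static void`. The second hunk only removes the matching unlock and needs no further note.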
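Review bot: In the fourth and fifth hunks dri_fake_bo_exec releases bufmgr_fake->lock by hand on each early return (`pthread_mutex_unlock(&bufmgr_fake->lock); return ret;` and the same pair before `return -errno;`), so every return added to this function in future must repeat the unlock, which is exactly how the deadlock this commit fixes crept in. A single exit label that performs the unlock, with the early returns becoming `ret = ...; goto out;`, keeps lock release in one place and makes a missed unlock visible in review. The function starts and ends outside these hunks, so the label placement cannot be shown here.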
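Review bot: In the last hunk `pthread_mutex_unlock(&bufmgr_fake->lock);` is inserted between the failed drmCommandWrite and `return -errno;`, and POSIX does not promise that pthread_mutex_unlock leaves errno untouched on success, so the value returned may no longer be the write's error. Capture it first: `int err = errno; pthread_mutex_unlock(&bufmgr_fake->lock); return -err;` (the drmMsg call on the preceding line reads errno before the unlock and is pre-existing). The same ordering applies if the fourth hunk's `return ret;` path is ever changed to report errno.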