GIT f0976337968a31122ad4d32440d4c3b80b65b643 git+ssh://master.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6.git#drm-mm commit Author: Dave Airlie Date: Sun Feb 18 18:23:11 2007 +1100 drm: add missing NULL assignment Signed-off-by: Dave Airlie commit 73fdbeb1e4ce9aabf94933ae203c9d44fdea6695 Author: Michel Dänzer Date: Sun Feb 18 18:03:21 2007 +1100 drm/radeon: Fix u32 overflows when determining AGP base address in card space. The overflows could lead to the AGP aperture overlapping the framebuffer are in the card's address space when the latter is located at the very end of th 32 bit address space, which would result in a freeze on X server startup, probably because the card read commands from the framebuffer instead of from AGP. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=392915 . Signed-off-by: Dave Airlie commit 497db0d3027679e7830c490c917d08f43aa9ee7b Author: Dave Airlie Date: Sun Feb 18 17:14:09 2007 +1100 drm: port over use_vmalloc code from git hashtab Signed-off-by: Dave Airlie commit 9b3915044373735bdbadcc9e4bb75c6a217baa9d Author: Dave Airlie Date: Sun Feb 18 17:13:39 2007 +1100 drm: fix crash with fops lock and fixup sarea/page size locking Signed-off-by: Dave Airlie commit b20eebcf182392362a8333a74444dea24b17d068 Author: Dave Airlie Date: Sat Feb 10 12:07:47 2007 +1100 drm: bring bufs code from git tree. This checks the AGP mappings are in a valid place and also fixes the size check in the vm.. Signed-off-by: Dave Airlie commit e96c53eee73f2c450bdaa2912576692a8dd95ee7 Author: Dave Airlie Date: Sat Feb 10 11:53:13 2007 +1100 drm: move protection stuff into separate function Signed-off-by: Dave Airlie commit 00389f602410142d893582961b47ea89ed61bfbd Author: Ahmed S. Darwish Date: Fri Feb 9 10:30:10 2007 +1100 drm: Use ARRAY_SIZE macro when appropriate Use ARRAY_SIZE macro already defined in kernel.h Signed-off-by: Ahmed S. Darwish Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie commit b89deda538a2082ba4f9efaf115f8d0286ebcd3b Author: Randy Dunlap Date: Fri Feb 9 10:28:21 2007 +1100 drm: update README.drm (bugzilla #7933) From: Randy Dunlap Update URLs in drivers/char/drm/README.drm, to take care of kernel bugzilla Signed-off-by: Randy Dunlap Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie commit 3cbbc9043123ac14a4b68ddb1284a1d4fdac1fa1 Author: Adrian Bunk Date: Fri Feb 9 10:25:22 2007 +1100 drm: remove unused exports This patch removes two unused exports. Signed-off-by: Adrian Bunk Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie drivers/char/drm/README.drm | 16 ++++----- drivers/char/drm/drm_bufs.c | 75 +++++++++++++++++++++++++++++++++++----- drivers/char/drm/drm_fops.c | 6 ++- drivers/char/drm/drm_hashtab.c | 17 ++++++++- drivers/char/drm/drm_hashtab.h | 1 + drivers/char/drm/drm_mm.c | 2 - drivers/char/drm/drm_proc.c | 2 + drivers/char/drm/drm_vm.c | 46 ++++++++++++++----------- drivers/char/drm/radeon_cp.c | 8 ++-- 9 files changed, 125 insertions(+), 48 deletions(-) diff --git a/drivers/char/drm/README.drm b/drivers/char/drm/README.drm index 6441e01..af74cd7 100644 --- a/drivers/char/drm/README.drm +++ b/drivers/char/drm/README.drm @@ -1,6 +1,6 @@ ************************************************************ * For the very latest on DRI development, please see: * -* http://dri.sourceforge.net/ * +* http://dri.freedesktop.org/ * ************************************************************ The Direct Rendering Manager (drm) is a device-independent kernel-level @@ -26,21 +26,19 @@ ways: Documentation on the DRI is available from: - http://precisioninsight.com/piinsights.html + http://dri.freedesktop.org/wiki/Documentation + http://sourceforge.net/project/showfiles.php?group_id=387 + http://dri.sourceforge.net/doc/ For specific information about kernel-level support, see: The Direct Rendering Manager, Kernel Support for the Direct Rendering Infrastructure - http://precisioninsight.com/dr/drm.html + http://dri.sourceforge.net/doc/drm_low_level.html Hardware Locking for the Direct Rendering Infrastructure - http://precisioninsight.com/dr/locking.html + http://dri.sourceforge.net/doc/hardware_locking_low_level.html A Security Analysis of the Direct Rendering Infrastructure - http://precisioninsight.com/dr/security.html + http://dri.sourceforge.net/doc/security_low_level.html -************************************************************ -* For the very latest on DRI development, please see: * -* http://dri.sourceforge.net/ * -************************************************************ diff --git a/drivers/char/drm/drm_bufs.c b/drivers/char/drm/drm_bufs.c index a6828cc..c113458 100644 --- a/drivers/char/drm/drm_bufs.c +++ b/drivers/char/drm/drm_bufs.c @@ -57,7 +57,8 @@ static drm_map_list_t *drm_find_matching list_for_each(list, &dev->maplist->head) { drm_map_list_t *entry = list_entry(list, drm_map_list_t, head); if (entry->map && map->type == entry->map->type && - entry->map->offset == map->offset) { + ((entry->map->offset == map->offset) || + (map->type == _DRM_SHM && map->flags==_DRM_CONTAINS_LOCK))) { return entry; } } @@ -180,8 +181,20 @@ #endif if (map->type == _DRM_REGISTERS) map->handle = ioremap(map->offset, map->size); break; - case _DRM_SHM: + list = drm_find_matching_map(dev, map); + if (list != NULL) { + if(list->map->size != map->size) { + DRM_DEBUG("Matching maps of type %d with " + "mismatched sizes, (%ld vs %ld)\n", + map->type, map->size, list->map->size); + list->map->size = map->size; + } + + drm_free(map, sizeof(*map), DRM_MEM_MAPS); + *maplist = list; + return 0; + } map->handle = vmalloc_user(map->size); DRM_DEBUG("%lu %d %p\n", map->size, drm_order(map->size), map->handle); @@ -200,15 +213,45 @@ #endif dev->sigdata.lock = dev->lock.hw_lock = map->handle; /* Pointer to lock */ } break; - case _DRM_AGP: - if (drm_core_has_AGP(dev)) { + case _DRM_AGP: { + drm_agp_mem_t *entry; + int valid = 0; + + if (!drm_core_has_AGP(dev)) { + drm_free(map, sizeof(*map), DRM_MEM_MAPS); + return -EINVAL; + } #ifdef __alpha__ - map->offset += dev->hose->mem_space->start; + map->offset += dev->hose->mem_space->start; #endif - map->offset += dev->agp->base; - map->mtrr = dev->agp->agp_mtrr; /* for getmap */ + /* Note: dev->agp->base may actually be 0 when the DRM + * is not in control of AGP space. But if user space is + * it should already have added the AGP base itself. + */ + map->offset += dev->agp->base; + map->mtrr = dev->agp->agp_mtrr; /* for getmap */ + + /* This assumes the DRM is in total control of AGP space. + * It's not always the case as AGP can be in the control + * of user space (i.e. i810 driver). So this loop will get + * skipped and we double check that dev->agp->memory is + * actually set as well as being invalid before EPERM'ing + */ + for (entry = dev->agp->memory; entry; entry = entry->next) { + if ((map->offset >= entry->bound) && + (map->offset + map->size <= entry->bound + entry->pages * PAGE_SIZE)) { + valid = 1; + break; + } } + if (dev->agp->memory && !valid) { + drm_free(map, sizeof(*map), DRM_MEM_MAPS); + return -EPERM; + } + DRM_DEBUG("AGP offset = 0x%08lx, size = 0x%08lx\n", map->offset, map->size); + break; + } case _DRM_SCATTER_GATHER: if (!dev->sg) { drm_free(map, sizeof(*map), DRM_MEM_MAPS); @@ -267,7 +310,7 @@ #endif *maplist = list; return 0; -} + } int drm_addmap(drm_device_t * dev, unsigned int offset, unsigned int size, drm_map_type_t type, @@ -519,6 +562,7 @@ int drm_addbufs_agp(drm_device_t * dev, { drm_device_dma_t *dma = dev->dma; drm_buf_entry_t *entry; + drm_agp_mem_t *agp_entry; drm_buf_t *buf; unsigned long offset; unsigned long agp_offset; @@ -529,7 +573,7 @@ int drm_addbufs_agp(drm_device_t * dev, int page_order; int total; int byte_count; - int i; + int i, valid; drm_buf_t **temp_buflist; if (!dma) @@ -560,6 +604,19 @@ int drm_addbufs_agp(drm_device_t * dev, if (dev->queue_count) return -EBUSY; /* Not while in use */ + /* Make sure buffers are located in AGP memory that we own */ + valid = 0; + for (agp_entry = dev->agp->memory; agp_entry; agp_entry = agp_entry->next) { + if ((agp_offset >= agp_entry->bound) && + (agp_offset + total * count <= agp_entry->bound + agp_entry->pages * PAGE_SIZE)) { + valid = 1; + break; + } + } + if (dev->agp->memory && !valid) { + DRM_DEBUG("zone invalid\n"); + return -EINVAL; + } spin_lock(&dev->count_lock); if (dev->buf_use) { spin_unlock(&dev->count_lock); diff --git a/drivers/char/drm/drm_fops.c b/drivers/char/drm/drm_fops.c index 898f47d..afe5f07 100644 --- a/drivers/char/drm/drm_fops.c +++ b/drivers/char/drm/drm_fops.c @@ -46,6 +46,7 @@ static int drm_setup(drm_device_t * dev) drm_local_map_t *map; int i; int ret; + u32 sareapage; if (dev->driver->firstopen) { ret = dev->driver->firstopen(dev); @@ -56,7 +57,8 @@ static int drm_setup(drm_device_t * dev) dev->magicfree.next = NULL; /* prebuild the SAREA */ - i = drm_addmap(dev, 0, SAREA_MAX, _DRM_SHM, _DRM_CONTAINS_LOCK, &map); + sareapage = max(SAREA_MAX, PAGE_SIZE); + i = drm_addmap(dev, 0, sareapage, _DRM_SHM, _DRM_CONTAINS_LOCK, &map); if (i != 0) return i; @@ -84,7 +86,7 @@ static int drm_setup(drm_device_t * dev) INIT_LIST_HEAD(&dev->ctxlist->head); dev->vmalist = NULL; - dev->sigdata.lock = dev->lock.hw_lock = NULL; + dev->sigdata.lock = NULL; init_waitqueue_head(&dev->lock.lock_queue); dev->queue_count = 0; dev->queue_reserved = 0; diff --git a/drivers/char/drm/drm_hashtab.c b/drivers/char/drm/drm_hashtab.c index a0b2d68..31acb62 100644 --- a/drivers/char/drm/drm_hashtab.c +++ b/drivers/char/drm/drm_hashtab.c @@ -43,7 +43,16 @@ int drm_ht_create(drm_open_hash_t *ht, u ht->size = 1 << order; ht->order = order; ht->fill = 0; - ht->table = vmalloc(ht->size*sizeof(*ht->table)); + ht->table = NULL; + ht->use_vmalloc = ((ht->size * sizeof(*ht->table)) > PAGE_SIZE); + if (!ht->use_vmalloc) { + ht->table = drm_calloc(ht->size, sizeof(*ht->table), + DRM_MEM_HASHTAB); + } + if (!ht->table) { + ht->use_vmalloc = 1; + ht->table = vmalloc(ht->size*sizeof(*ht->table)); + } if (!ht->table) { DRM_ERROR("Out of memory for hash table\n"); return -ENOMEM; @@ -183,7 +192,11 @@ int drm_ht_remove_item(drm_open_hash_t * void drm_ht_remove(drm_open_hash_t *ht) { if (ht->table) { - vfree(ht->table); + if (ht->use_vmalloc) + vfree(ht->table); + else + drm_free(ht->table, ht->size * sizeof(*ht->table), + DRM_MEM_HASHTAB); ht->table = NULL; } } diff --git a/drivers/char/drm/drm_hashtab.h b/drivers/char/drm/drm_hashtab.h index 40afec0..613091c 100644 --- a/drivers/char/drm/drm_hashtab.h +++ b/drivers/char/drm/drm_hashtab.h @@ -47,6 +47,7 @@ typedef struct drm_open_hash{ unsigned int order; unsigned int fill; struct hlist_head *table; + int use_vmalloc; } drm_open_hash_t; diff --git a/drivers/char/drm/drm_mm.c b/drivers/char/drm/drm_mm.c index 9b46b85..2ec1d9f 100644 --- a/drivers/char/drm/drm_mm.c +++ b/drivers/char/drm/drm_mm.c @@ -274,7 +274,6 @@ int drm_mm_init(drm_mm_t * mm, unsigned return drm_mm_create_tail_node(mm, start, size); } -EXPORT_SYMBOL(drm_mm_init); void drm_mm_takedown(drm_mm_t * mm) { @@ -295,4 +294,3 @@ void drm_mm_takedown(drm_mm_t * mm) drm_free(entry, sizeof(*entry), DRM_MEM_MM); } -EXPORT_SYMBOL(drm_mm_takedown); diff --git a/drivers/char/drm/drm_proc.c b/drivers/char/drm/drm_proc.c index 7fd0da7..b204498 100644 --- a/drivers/char/drm/drm_proc.c +++ b/drivers/char/drm/drm_proc.c @@ -72,7 +72,7 @@ #if DRM_DEBUG_CODE #endif }; -#define DRM_PROC_ENTRIES (sizeof(drm_proc_list)/sizeof(drm_proc_list[0])) +#define DRM_PROC_ENTRIES ARRAY_SIZE(drm_proc_list) /** * Initialize the DRI proc filesystem for a device. diff --git a/drivers/char/drm/drm_vm.c b/drivers/char/drm/drm_vm.c index 54a6328..9e3f259 100644 --- a/drivers/char/drm/drm_vm.c +++ b/drivers/char/drm/drm_vm.c @@ -41,6 +41,30 @@ #endif static void drm_vm_open(struct vm_area_struct *vma); static void drm_vm_close(struct vm_area_struct *vma); +pgprot_t drm_io_prot(uint32_t map_type, struct vm_area_struct *vma) +{ + pgprot_t tmp = vm_get_page_prot(vma->vm_flags); + +#if defined(__i386__) || defined(__x86_64__) + if (boot_cpu_data.x86 > 3 && map_type != _DRM_AGP) { + pgprot_val(tmp) |= _PAGE_PCD; + pgprot_val(tmp) &= ~_PAGE_PWT; + } +#elif defined(__powerpc__) + pgprot_val(tmp) |= _PAGE_NO_CACHE; + if (map_type == _DRM_REGISTERS) + pgprot_val(tmp) |= _PAGE_GUARDED; +#endif +#if defined(__ia64__) + if (efi_range_is_wc(vma->vm_start, vma->vm_end - + vma->vm_start)) + tmp = pgprot_writecombine(tmp); + else + tmp = pgprot_noncached(tmp); +#endif + return tmp; +} + /** * \c nopage method for AGP virtual memory. * @@ -565,7 +589,7 @@ #endif return -EPERM; /* Check for valid size. */ - if (map->size != vma->vm_end - vma->vm_start) + if (map->size < vma->vm_end - vma->vm_start) return -EINVAL; if (!capable(CAP_SYS_ADMIN) && (map->flags & _DRM_READ_ONLY)) { @@ -600,25 +624,9 @@ #endif /* fall through to _DRM_FRAME_BUFFER... */ case _DRM_FRAME_BUFFER: case _DRM_REGISTERS: -#if defined(__i386__) || defined(__x86_64__) - if (boot_cpu_data.x86 > 3 && map->type != _DRM_AGP) { - pgprot_val(vma->vm_page_prot) |= _PAGE_PCD; - pgprot_val(vma->vm_page_prot) &= ~_PAGE_PWT; - } -#elif defined(__powerpc__) - pgprot_val(vma->vm_page_prot) |= _PAGE_NO_CACHE; - if (map->type == _DRM_REGISTERS) - pgprot_val(vma->vm_page_prot) |= _PAGE_GUARDED; -#endif - vma->vm_flags |= VM_IO; /* not in core dump */ -#if defined(__ia64__) - if (efi_range_is_wc(vma->vm_start, vma->vm_end - vma->vm_start)) - vma->vm_page_prot = - pgprot_writecombine(vma->vm_page_prot); - else - vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); -#endif offset = dev->driver->get_reg_ofs(dev); + vma->vm_flags |= VM_IO; /* not in core dump */ + vma->vm_page_prot = drm_io_prot(map->type, vma); #ifdef __sparc__ vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); if (io_remap_pfn_range(vma, vma->vm_start, diff --git a/drivers/char/drm/radeon_cp.c b/drivers/char/drm/radeon_cp.c index 5ed9656..c1850ec 100644 --- a/drivers/char/drm/radeon_cp.c +++ b/drivers/char/drm/radeon_cp.c @@ -1560,8 +1560,8 @@ #if __OS_HAS_AGP if (dev_priv->flags & RADEON_IS_AGP) { base = dev->agp->base; /* Check if valid */ - if ((base + dev_priv->gart_size) > dev_priv->fb_location && - base < (dev_priv->fb_location + dev_priv->fb_size)) { + if ((base + dev_priv->gart_size - 1) >= dev_priv->fb_location && + base < (dev_priv->fb_location + dev_priv->fb_size - 1)) { DRM_INFO("Can't use AGP base @0x%08lx, won't fit\n", dev->agp->base); base = 0; @@ -1571,8 +1571,8 @@ #endif /* If not or if AGP is at 0 (Macs), try to put it elsewhere */ if (base == 0) { base = dev_priv->fb_location + dev_priv->fb_size; - if (((base + dev_priv->gart_size) & 0xfffffffful) - < base) + if (base < dev_priv->fb_location || + ((base + dev_priv->gart_size) & 0xfffffffful) < base) base = dev_priv->fb_location - dev_priv->gart_size; }