1. 18 3月, 2014 13 次提交
  2. 17 3月, 2014 10 次提交
    • D
      drm: Fix use-after-free in the shadow-attache exit code · c94adc4a
      Daniel Vetter 提交于
      This regression has been introduced in
      
      commit b3f2333d
      Author: Daniel Vetter <daniel.vetter@ffwll.ch>
      Date:   Wed Dec 11 11:34:31 2013 +0100
      
          drm: restrict the device list for shadow attached drivers
      Reported-by: NDave Jones <davej@redhat.com>
      Cc: Dave Jones <davej@redhat.com>
      Cc: Dave Airlie <airlied@redhat.com>
      Cc: David Herrmann <dh.herrmann@gmail.com>
      Signed-off-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      Reviewed-by: NDavid Herrmann <dh.herrmann@gmail.com>
      c94adc4a
    • X
      drm/fb-helper: Do the 'max_conn_count' zero check · 04cfe97e
      Xiubo Li 提交于
      Since we cannot make sure the 'max_conn_count' will always be none
      zero from the users, and then if max_conn_count equals to zero, the
      kcalloc() will return ZERO_SIZE_PTR, which equals to ((void *)16).
      
      So this patch fix this with just doing the 'max_conn_count' zero check
      in the front of drm_fb_helper_init().
      Signed-off-by: NXiubo Li <Li.Xiubo@freescale.com>
      CC: Jani Nikula <jani.nikula@linux.intel.com>
      Signed-off-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      04cfe97e
    • D
      drm: Check if the allocation has succeeded before dereferencing newmode · 409bbf1e
      Damien Lespiau 提交于
      We allocate memory in drm_display_mode_from_vic_index() and use it
      without checking the pointer is valid. Fix that.
      Signed-off-by: NDamien Lespiau <damien.lespiau@intel.com>
      Reviewed-by: NAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      409bbf1e
    • V
      drm/fb-helper: Use drm_fb_helper_restore_fbdev_mode() in drm_fb_helper_set_par() · 366d4807
      Ville Syrjälä 提交于
      Use drm_fb_helper_restore_fbdev_mode() in drm_fb_helper_set_par() to
      make sure extra planes get disabled whenever fbcon takes over.
      
      Otherwise the code in drm_fb_helper_set_par() was already doing the
      exact same thing as drm_fb_helper_restore_fbdev_mode(), so this doesn't
      change the behaviour in any other way.
      Signed-off-by: NVille Syrjälä <ville.syrjala@linux.intel.com>
      Signed-off-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      366d4807
    • D
      Merge branch 'drm-minor' of git://people.freedesktop.org/~dvdhrm/linux into drm-next · e40d6410
      Dave Airlie 提交于
      This series contains several cleanups for the DRM-minor handling. All but the
      last one reviewed by Daniel and tested by Thierry. Initially, the series
      included patches to convert minor-handling to a common base-ID, but have
      been NACKed by Daniel so I dropped them and only included the main part in the
      last patch. With this in place, drm_global_mutex is no longer needed for
      minor-handling (but still for device unregistration..).
      There are some pending patches that try to remove the global mutex entirely, but
      they need some more reviews and thus are not included.
      * 'drm-minor' of git://people.freedesktop.org/~dvdhrm/linux:
        drm: make minors independent of global lock
        drm: inline drm_minor_get_id()
        drm: coding-style fixes in minor handling
        drm: remove redundant minor->device field
        drm: remove unneeded #ifdef CONFIG_DEBUGFS
        drm: rename drm_unplug/get_minor() to drm_minor_register/unregister()
        drm: move drm_put_minor() to drm_minor_free()
        drm: allocate minors early
        drm: add minor-lookup/release helpers
        drm: provide device-refcount
        drm: turn DRM_MINOR_* into enum
        drm: remove unused DRM_MINOR_UNASSIGNED
        drm: skip redundant minor-lookup in open path
        drm: group dev-lifetime related members
      e40d6410
    • L
      Linux 3.14-rc7 · dcb99fd9
      Linus Torvalds 提交于
      dcb99fd9
    • D
      Merge branch 'drm-fixes' of git://people.freedesktop.org/~dvdhrm/linux into drm-next · 28b90a9e
      Dave Airlie 提交于
      This branch includes 6 minor fixes mainly for udl. Everything non-trivial was
      reviewed by Daniel and the patches have been on the list for quite some time.
      
      * 'drm-fixes' of git://people.freedesktop.org/~dvdhrm/linux:
        drm/gem: dont init "ret" in drm_gem_mmap()
        drm/crtc: add sanity checks to create_dumb()
        drm/gem: free vma-node during object-cleanup
        drm/gem: fix indentation
        drm/udl: fix Bpp calculation in dumb_create()
        drm/udl: fix error-path when damage-req fails
      28b90a9e
    • L
      Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 59bf6c3c
      Linus Torvalds 提交于
      Pull scheduler fixes from Ingo Molnar:
       "Three small fixes"
      
      * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched/clock: Prevent tracing recursion in sched_clock_cpu()
        stop_machine: Fix^2 race between stop_two_cpus() and stop_cpus()
        sched/deadline: Deny unprivileged users to set/change SCHED_DEADLINE policy
      59bf6c3c
    • L
      Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · b44eeb4d
      Linus Torvalds 提交于
      Pull perf fixes from Ingo Molnar:
       "Misc smaller fixes"
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf/x86: Fix leak in uncore_type_init failure paths
        perf machine: Use map as success in ip__resolve_ams
        perf symbols: Fix crash in elf_section_by_name
        perf trace: Decode architecture-specific signal numbers
      b44eeb4d
    • M
      ipc: Fix 2 bugs in msgrcv() MSG_COPY implementation · 4f87dac3
      Michael Kerrisk 提交于
      While testing and documenting the msgrcv() MSG_COPY flag that Stanislav
      Kinsbursky added in commit 4a674f34 ("ipc: introduce message queue
      copy feature" => kernel 3.8), I discovered a couple of bugs in the
      implementation.  The two bugs concern MSG_COPY interactions with other
      msgrcv() flags, namely:
      
       (A) MSG_COPY + MSG_EXCEPT
       (B) MSG_COPY + !IPC_NOWAIT
      
      The bugs are distinct (and the fix for the first one is obvious),
      however my fix for both is a single-line patch, which is why I'm
      combining them in a single mail, rather than writing two mails+patches.
      
       ===== (A) MSG_COPY + MSG_EXCEPT =====
      
      With the addition of the MSG_COPY flag, there are now two msgrcv()
      flags--MSG_COPY and MSG_EXCEPT--that modify the meaning of the 'msgtyp'
      argument in unrelated ways.  Specifying both in the same call is a
      logical error that is currently permitted, with the effect that MSG_COPY
      has priority and MSG_EXCEPT is ignored.  The call should give an error
      if both flags are specified.  The patch below implements that behavior.
      
       ===== (B) (B) MSG_COPY + !IPC_NOWAIT =====
      
      The test code that was submitted in commit 3a665531 ("selftests: IPC
      message queue copy feature test") shows MSG_COPY being used in
      conjunction with IPC_NOWAIT.  In other words, if there is no message at
      the position 'msgtyp'.  return immediately with the error in ENOMSG.
      
      What was not (fully) tested is the behavior if MSG_COPY is specified
      *without* IPC_NOWAIT, and there is an odd behavior.  If the queue
      contains less than 'msgtyp' messages, then the call blocks until the
      next message is written to the queue.  At that point, the msgrcv() call
      returns a copy of the newly added message, regardless of whether that
      message is at the ordinal position 'msgtyp'.  This is clearly bogus, and
      problematic for applications that might want to make use of the MSG_COPY
      flag.
      
      I considered the following possible solutions to this problem:
      
       (1) Force the call to block until a message *does* appear at the
           position 'msgtyp'.
      
       (2) If the MSG_COPY flag is specified, the kernel should implicitly add
           IPC_NOWAIT, so that the call fails with ENOMSG for this case.
      
       (3) If the MSG_COPY flag is specified, but IPC_NOWAIT is not, generate
           an error (probably, EINVAL is the right one).
      
      I do not know if any application would really want to have the
      functionality of solution (1), especially since an application can
      determine in advance the number of messages in the queue using msgctl()
      IPC_STAT.  Obviously, this solution would be the most work to implement.
      
      Solution (2) would have the effect of silently fixing any applications
      that tried to employ broken behavior.  However, it would mean that if we
      later decided to implement solution (1), then user-space could not
      easily detect what the kernel supports (but, since I'm somewhat doubtful
      that solution (1) is needed, I'm not sure that this is much of a
      problem).
      
      Solution (3) would have the effect of informing broken applications that
      they are doing something broken.  The downside is that this would cause
      a ABI breakage for any applications that are currently employing the
      broken behavior.  However:
      
      a) Those applications are almost certainly not getting the results they
         expect.
      b) Possibly, those applications don't even exist, because MSG_COPY is
         currently hidden behind CONFIG_CHECKPOINT_RESTORE.
      
      The upside of solution (3) is that if we later decided to implement
      solution (1), user-space could determine what the kernel supports, via
      the error return.
      
      In my view, solution (3) is mildly preferable to solution (2), and
      solution (1) could still be done later if anyone really cares.  The
      patch below implements solution (3).
      
      PS.  For anyone out there still listening, it's the usual story:
      documenting an API (and the thinking about, and the testing of the API,
      that documentation entails) is the one of the single best ways of
      finding bugs in the API, as I've learned from a lot of experience.  Best
      to do that documentation before releasing the API.
      Signed-off-by: NMichael Kerrisk <mtk.manpages@gmail.com>
      Acked-by: NStanislav Kinsbursky <skinsbursky@parallels.com>
      Cc: Stanislav Kinsbursky <skinsbursky@parallels.com>
      Cc: stable@vger.kernel.org
      Cc: Serge Hallyn <serge.hallyn@canonical.com>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Cc: Pavel Emelyanov <xemul@parallels.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      4f87dac3
  3. 16 3月, 2014 17 次提交