1. 18 3月, 2014 11 次提交
  2. 17 3月, 2014 10 次提交
    • D
      drm: Fix use-after-free in the shadow-attache exit code · c94adc4a
      Daniel Vetter 提交于
      This regression has been introduced in
      
      commit b3f2333d
      Author: Daniel Vetter <daniel.vetter@ffwll.ch>
      Date:   Wed Dec 11 11:34:31 2013 +0100
      
          drm: restrict the device list for shadow attached drivers
      Reported-by: NDave Jones <davej@redhat.com>
      Cc: Dave Jones <davej@redhat.com>
      Cc: Dave Airlie <airlied@redhat.com>
      Cc: David Herrmann <dh.herrmann@gmail.com>
      Signed-off-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      Reviewed-by: NDavid Herrmann <dh.herrmann@gmail.com>
      c94adc4a
    • X
      drm/fb-helper: Do the 'max_conn_count' zero check · 04cfe97e
      Xiubo Li 提交于
      Since we cannot make sure the 'max_conn_count' will always be none
      zero from the users, and then if max_conn_count equals to zero, the
      kcalloc() will return ZERO_SIZE_PTR, which equals to ((void *)16).
      
      So this patch fix this with just doing the 'max_conn_count' zero check
      in the front of drm_fb_helper_init().
      Signed-off-by: NXiubo Li <Li.Xiubo@freescale.com>
      CC: Jani Nikula <jani.nikula@linux.intel.com>
      Signed-off-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      04cfe97e
    • D
      drm: Check if the allocation has succeeded before dereferencing newmode · 409bbf1e
      Damien Lespiau 提交于
      We allocate memory in drm_display_mode_from_vic_index() and use it
      without checking the pointer is valid. Fix that.
      Signed-off-by: NDamien Lespiau <damien.lespiau@intel.com>
      Reviewed-by: NAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      409bbf1e
    • V
      drm/fb-helper: Use drm_fb_helper_restore_fbdev_mode() in drm_fb_helper_set_par() · 366d4807
      Ville Syrjälä 提交于
      Use drm_fb_helper_restore_fbdev_mode() in drm_fb_helper_set_par() to
      make sure extra planes get disabled whenever fbcon takes over.
      
      Otherwise the code in drm_fb_helper_set_par() was already doing the
      exact same thing as drm_fb_helper_restore_fbdev_mode(), so this doesn't
      change the behaviour in any other way.
      Signed-off-by: NVille Syrjälä <ville.syrjala@linux.intel.com>
      Signed-off-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      366d4807
    • D
      Merge branch 'drm-minor' of git://people.freedesktop.org/~dvdhrm/linux into drm-next · e40d6410
      Dave Airlie 提交于
      This series contains several cleanups for the DRM-minor handling. All but the
      last one reviewed by Daniel and tested by Thierry. Initially, the series
      included patches to convert minor-handling to a common base-ID, but have
      been NACKed by Daniel so I dropped them and only included the main part in the
      last patch. With this in place, drm_global_mutex is no longer needed for
      minor-handling (but still for device unregistration..).
      There are some pending patches that try to remove the global mutex entirely, but
      they need some more reviews and thus are not included.
      * 'drm-minor' of git://people.freedesktop.org/~dvdhrm/linux:
        drm: make minors independent of global lock
        drm: inline drm_minor_get_id()
        drm: coding-style fixes in minor handling
        drm: remove redundant minor->device field
        drm: remove unneeded #ifdef CONFIG_DEBUGFS
        drm: rename drm_unplug/get_minor() to drm_minor_register/unregister()
        drm: move drm_put_minor() to drm_minor_free()
        drm: allocate minors early
        drm: add minor-lookup/release helpers
        drm: provide device-refcount
        drm: turn DRM_MINOR_* into enum
        drm: remove unused DRM_MINOR_UNASSIGNED
        drm: skip redundant minor-lookup in open path
        drm: group dev-lifetime related members
      e40d6410
    • L
      Linux 3.14-rc7 · dcb99fd9
      Linus Torvalds 提交于
      dcb99fd9
    • D
      Merge branch 'drm-fixes' of git://people.freedesktop.org/~dvdhrm/linux into drm-next · 28b90a9e
      Dave Airlie 提交于
      This branch includes 6 minor fixes mainly for udl. Everything non-trivial was
      reviewed by Daniel and the patches have been on the list for quite some time.
      
      * 'drm-fixes' of git://people.freedesktop.org/~dvdhrm/linux:
        drm/gem: dont init "ret" in drm_gem_mmap()
        drm/crtc: add sanity checks to create_dumb()
        drm/gem: free vma-node during object-cleanup
        drm/gem: fix indentation
        drm/udl: fix Bpp calculation in dumb_create()
        drm/udl: fix error-path when damage-req fails
      28b90a9e
    • L
      Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 59bf6c3c
      Linus Torvalds 提交于
      Pull scheduler fixes from Ingo Molnar:
       "Three small fixes"
      
      * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched/clock: Prevent tracing recursion in sched_clock_cpu()
        stop_machine: Fix^2 race between stop_two_cpus() and stop_cpus()
        sched/deadline: Deny unprivileged users to set/change SCHED_DEADLINE policy
      59bf6c3c
    • L
      Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · b44eeb4d
      Linus Torvalds 提交于
      Pull perf fixes from Ingo Molnar:
       "Misc smaller fixes"
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf/x86: Fix leak in uncore_type_init failure paths
        perf machine: Use map as success in ip__resolve_ams
        perf symbols: Fix crash in elf_section_by_name
        perf trace: Decode architecture-specific signal numbers
      b44eeb4d
    • M
      ipc: Fix 2 bugs in msgrcv() MSG_COPY implementation · 4f87dac3
      Michael Kerrisk 提交于
      While testing and documenting the msgrcv() MSG_COPY flag that Stanislav
      Kinsbursky added in commit 4a674f34 ("ipc: introduce message queue
      copy feature" => kernel 3.8), I discovered a couple of bugs in the
      implementation.  The two bugs concern MSG_COPY interactions with other
      msgrcv() flags, namely:
      
       (A) MSG_COPY + MSG_EXCEPT
       (B) MSG_COPY + !IPC_NOWAIT
      
      The bugs are distinct (and the fix for the first one is obvious),
      however my fix for both is a single-line patch, which is why I'm
      combining them in a single mail, rather than writing two mails+patches.
      
       ===== (A) MSG_COPY + MSG_EXCEPT =====
      
      With the addition of the MSG_COPY flag, there are now two msgrcv()
      flags--MSG_COPY and MSG_EXCEPT--that modify the meaning of the 'msgtyp'
      argument in unrelated ways.  Specifying both in the same call is a
      logical error that is currently permitted, with the effect that MSG_COPY
      has priority and MSG_EXCEPT is ignored.  The call should give an error
      if both flags are specified.  The patch below implements that behavior.
      
       ===== (B) (B) MSG_COPY + !IPC_NOWAIT =====
      
      The test code that was submitted in commit 3a665531 ("selftests: IPC
      message queue copy feature test") shows MSG_COPY being used in
      conjunction with IPC_NOWAIT.  In other words, if there is no message at
      the position 'msgtyp'.  return immediately with the error in ENOMSG.
      
      What was not (fully) tested is the behavior if MSG_COPY is specified
      *without* IPC_NOWAIT, and there is an odd behavior.  If the queue
      contains less than 'msgtyp' messages, then the call blocks until the
      next message is written to the queue.  At that point, the msgrcv() call
      returns a copy of the newly added message, regardless of whether that
      message is at the ordinal position 'msgtyp'.  This is clearly bogus, and
      problematic for applications that might want to make use of the MSG_COPY
      flag.
      
      I considered the following possible solutions to this problem:
      
       (1) Force the call to block until a message *does* appear at the
           position 'msgtyp'.
      
       (2) If the MSG_COPY flag is specified, the kernel should implicitly add
           IPC_NOWAIT, so that the call fails with ENOMSG for this case.
      
       (3) If the MSG_COPY flag is specified, but IPC_NOWAIT is not, generate
           an error (probably, EINVAL is the right one).
      
      I do not know if any application would really want to have the
      functionality of solution (1), especially since an application can
      determine in advance the number of messages in the queue using msgctl()
      IPC_STAT.  Obviously, this solution would be the most work to implement.
      
      Solution (2) would have the effect of silently fixing any applications
      that tried to employ broken behavior.  However, it would mean that if we
      later decided to implement solution (1), then user-space could not
      easily detect what the kernel supports (but, since I'm somewhat doubtful
      that solution (1) is needed, I'm not sure that this is much of a
      problem).
      
      Solution (3) would have the effect of informing broken applications that
      they are doing something broken.  The downside is that this would cause
      a ABI breakage for any applications that are currently employing the
      broken behavior.  However:
      
      a) Those applications are almost certainly not getting the results they
         expect.
      b) Possibly, those applications don't even exist, because MSG_COPY is
         currently hidden behind CONFIG_CHECKPOINT_RESTORE.
      
      The upside of solution (3) is that if we later decided to implement
      solution (1), user-space could determine what the kernel supports, via
      the error return.
      
      In my view, solution (3) is mildly preferable to solution (2), and
      solution (1) could still be done later if anyone really cares.  The
      patch below implements solution (3).
      
      PS.  For anyone out there still listening, it's the usual story:
      documenting an API (and the thinking about, and the testing of the API,
      that documentation entails) is the one of the single best ways of
      finding bugs in the API, as I've learned from a lot of experience.  Best
      to do that documentation before releasing the API.
      Signed-off-by: NMichael Kerrisk <mtk.manpages@gmail.com>
      Acked-by: NStanislav Kinsbursky <skinsbursky@parallels.com>
      Cc: Stanislav Kinsbursky <skinsbursky@parallels.com>
      Cc: stable@vger.kernel.org
      Cc: Serge Hallyn <serge.hallyn@canonical.com>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Cc: Pavel Emelyanov <xemul@parallels.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      4f87dac3
  3. 16 3月, 2014 19 次提交
    • D
      Merge branch 'drm-minor' into drm-next · 07b48c3a
      David Herrmann 提交于
      Fix minor conflicts with drm-anon:
       - allocation/free order
       - drm_device header cleanups
      07b48c3a
    • D
      Merge branch 'drm-anon' into drm-next · afab4463
      David Herrmann 提交于
      afab4463
    • D
      drm: make minors independent of global lock · 0d639883
      David Herrmann 提交于
      We used to protect minor-lookup and setup by the global drm lock. To
      continue our attempts of dropping drm_global_mutex, this patch makes the
      minor management independent of it. Furthermore, we make it all atomic and
      switch to spin-locks instead of a mutex.
      
      Now that minor-lookup is independent, we also move the
      "drm_is_unplugged()" test into the minor-lookup path. There is no reason
      to ever return a minor for unplugged objects, so keep that logic internal.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      0d639883
    • D
      drm: inline drm_minor_get_id() · 7d86cf1a
      David Herrmann 提交于
      We can significantly simplify this helper by using plain multiplication.
      Note that we converted the minor-type to an enum earlier so this didn't
      work before.
      
      We also fix a minor range-bug here: the limit argument of idr_alloc() is
      *exclusive*, not inclusive, so we should use 64 instead of 63 as offset.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      7d86cf1a
    • D
      drm: coding-style fixes in minor handling · 1abbc437
      David Herrmann 提交于
      Properly name goto-labels, remove empty lines and use DRM_ERROR if
      possible.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      1abbc437
    • D
      drm: remove redundant minor->device field · 5817878c
      David Herrmann 提交于
      Whenever we access minor->device, we are in a minor->kdev->...->fops
      callback so the minor->kdev pointer *must* be valid. Thus, simply use
      minor->kdev->devt instead of minor->device and remove the redundant field.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Reviewed-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      5817878c
    • D
      drm: remove unneeded #ifdef CONFIG_DEBUGFS · cb0f9323
      David Herrmann 提交于
      No need to check for DEBUGFS, we already have dummy-fallbacks in our
      headers.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Reviewed-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      cb0f9323
    • D
      drm: rename drm_unplug/get_minor() to drm_minor_register/unregister() · afcdbc86
      David Herrmann 提交于
      drm_get_minor() no longer allocates objects, and drm_unplug_minor() is now
      the exact reverse of it. Rename it to _register/unregister() so their
      name actually says what they do.
      
      Furthermore, remove the direct minor-ptr and instead pass the minor-type.
      This way we know the actual slot of the minor and can reset it if
      required.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Reviewed-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      afcdbc86
    • D
      drm: move drm_put_minor() to drm_minor_free() · bd9dfa98
      David Herrmann 提交于
      _put/get() are used for ref-counting, which we clearly don't do here.
      Rename it to _free() and also use the common drm_minor_* prefix.
      Furthermore, avoid passing the minor directly but instead use the type
      like the other functions do, this allows us to reset the slot.
      
      We also drop the redundant call to drm_unplug_minor() as drm_minor_free()
      is only used from paths were that has already be called.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Reviewed-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      bd9dfa98
    • D
      drm: allocate minors early · 05b701f6
      David Herrmann 提交于
      Instead of waiting for device-registration, we now allocate minor-objects
      during device allocation. The minors are not registered or assigned an ID.
      This is still postponed to device-registration.
      
      While at it, remove the superfluous output-parameter in drm_get_minor().
      
      The reason for this early allocation is to make
      dev->primary/control/render available atomically. So once the device is
      alive, all of them are already set and we never have the situation where
      one of them is set after another (they're either NULL or set, but never
      changed). This will eventually allow us to reduce minor-ID allocation to
      one base-ID instead of a single ID for each.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Reviewed-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      05b701f6
    • D
      drm: add minor-lookup/release helpers · 1616c525
      David Herrmann 提交于
      Instead of accessing drm_minors_idr directly, this adds a small helper to
      hide the internals. This will help us later to remove the drm_global_mutex
      requirement for minor-lookup.
      
      Furthermore, this also makes sure that minor->dev is always valid and
      takes a reference-count to the device as long as the minor is used in an
      open-file. This way, "struct file*"->private_data->dev is guaranteed to be
      valid (which it has to, as we cannot reset it).
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Reviewed-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      1616c525
    • D
      drm: provide device-refcount · 099d1c29
      David Herrmann 提交于
      Lets not trick ourselves into thinking "drm_device" objects are not
      ref-counted. That's just utterly stupid. We manage "drm_minor" objects on
      each drm-device and each minor can have an unlimited number of open
      handles. Each of these handles has the drm_minor (and thus the drm_device)
      as private-data in the file-handle. Therefore, we may not destroy
      "drm_device" until all these handles are closed.
      
      It is *not* possible to reset all these pointers atomically and restrict
      access to them, and this is *not* how this is done! Instead, we use
      ref-counts to make sure the object is valid and not freed.
      
      Note that we currently use "dev->open_count" for that, which is *exactly*
      the same as a reference-count, just open coded. So this patch doesn't
      change any semantics on DRM devices (well, this patch just introduces the
      ref-count, anyway. Follow-up patches will replace open_count by it).
      
      Also note that generic VFS revoke support could allow us to drop this
      ref-count again. We could then just synchronously disable any fops->xy()
      calls. However, this is not the case, yet, and no such patches are
      in sight (and I seriously question the idea of dropping the ref-cnt
      again).
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      099d1c29
    • D
      drm: turn DRM_MINOR_* into enum · cb8a239b
      David Herrmann 提交于
      Use enum for DRM_MINOR_* constants to avoid hard-coding the IDs.
      Furthermore, add a DRM_MINOR_CNT so we can perform range-checks in
      follow-ups.
      
      This changes the IDs of the minor-types by -1, but they're not used as
      indices so this is fine.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Reviewed-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      cb8a239b
    • D
      drm: remove unused DRM_MINOR_UNASSIGNED · b9a0d15c
      David Herrmann 提交于
      This constant is unused, remove it.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Reviewed-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      b9a0d15c
    • D
      drm: skip redundant minor-lookup in open path · f4aede2e
      David Herrmann 提交于
      The drm_open_helper() function is only used internally for drm_open() so
      we can safely pass in the minor-object directly instead of the minor-id.
      This way, we avoid the additional minor IDR lookup, which we already do
      twice in drm_stub_open() and drm_open().
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Reviewed-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      f4aede2e
    • D
      drm: group dev-lifetime related members · 45e212d2
      David Herrmann 提交于
      These members are all managed by DRM-core, lets group them together so
      they're not split across the whole device.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Reviewed-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      45e212d2
    • D
      drm: init TTM dev_mapping in ttm_bo_device_init() · 44d847b7
      David Herrmann 提交于
      With dev->anon_inode we have a global address_space ready for operation
      right from the beginning. Therefore, there is no need to do a delayed
      setup with TTM. Instead, set dev_mapping during initialization in
      ttm_bo_device_init() and remove any "if (dev_mapping)" conditions.
      
      Cc: Dave Airlie <airlied@redhat.com>
      Cc: Ben Skeggs <bskeggs@redhat.com>
      Cc: Maarten Lankhorst <maarten.lankhorst@canonical.com>
      Cc: Alex Deucher <alexdeucher@gmail.com>
      Cc: Thomas Hellstrom <thellstrom@vmware.com>
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      44d847b7
    • D
      drm: use anon-inode instead of relying on cdevs · 6796cb16
      David Herrmann 提交于
      DRM drivers share a common address_space across all character-devices of a
      single DRM device. This allows simple buffer eviction and mapping-control.
      However, DRM core currently waits for the first ->open() on any char-dev
      to mark the underlying inode as backing inode of the device. This delayed
      initialization causes ugly conditions all over the place:
        if (dev->dev_mapping)
          do_sth();
      
      To avoid delayed initialization and to stop reusing the inode of the
      char-dev, we allocate an anonymous inode for each DRM device and reset
      filp->f_mapping to it on ->open().
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      6796cb16
    • D
      drm: add pseudo filesystem for shared inodes · 31bbe16f
      David Herrmann 提交于
      Our current DRM design uses a single address_space for all users of the
      same DRM device. However, there is no way to create an anonymous
      address_space without an underlying inode. Therefore, we wait for the
      first ->open() callback on a registered char-dev and take-over the inode
      of the char-dev. This worked well so far, but has several drawbacks:
       - We screw with FS internals and rely on some non-obvious invariants like
         inode->i_mapping being the same as inode->i_data for char-devs.
       - We don't have any address_space prior to the first ->open() from
         user-space. This leads to ugly fallback code and we cannot allocate
         global objects early.
      
      As pointed out by Al-Viro, fs/anon_inode.c is *not* supposed to be used by
      drivers for anonymous inode-allocation. Therefore, this patch follows the
      proposed alternative solution and adds a pseudo filesystem mount-point to
      DRM. We can then allocate private inodes including a private address_space
      for each DRM device at initialization time.
      
      Note that we could use:
        sysfs_get_inode(sysfs_mnt->mnt_sb, drm_device->dev->kobj.sd);
      to get access to the underlying sysfs-inode of a "struct device" object.
      However, most of this information is currently hidden and it's not clear
      whether this address_space is suitable for driver access. Thus, unless
      linux allows anonymous address_space objects or driver-core provides a
      public inode per device, we're left with our own private internal mount
      point.
      
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      31bbe16f