1. 29 12月, 2008 3 次提交
    • V
      drm: fix leak of uninitialized data to userspace · 1147c9cd
      Vegard Nossum 提交于
      ...so drm_getunique() is trying to copy some uninitialized data to
      userspace. The ECX register contains the number of words that are
      left to copy -- so there are 5 * 4 = 20 bytes left. The offset of the
      first uninitialized byte (counting from the start of the string) is
      also 20 (i.e. 0xf65d2294&((1 << 5)-1) == 20). So somebody tried to
      copy 40 bytes when the string was only 19 long.
      
      In drm_set_busid() we have this code:
      
              dev->unique_len = 40;
              dev->unique = drm_alloc(dev->unique_len + 1, DRM_MEM_DRIVER);
            ...
              len = snprintf(dev->unique, dev->unique_len, pci:%04x:%02x:%02x.%d",
      
      ...so it seems that dev->unique is never updated to reflect the
      actual length of the string. The remaining bytes (20 in this case)
      are random uninitialized bytes that are copied into userspace.
      
      This patch fixes the problem by setting dev->unique_len after the
      snprintf().
      
      airlied- I've had to fix this up to store the alloced size so
      we have it for drm_free later.
      Reported-by: NSitsofe Wheeler <sitsofe@yahoo.com>
      Signed-off-by: NVegard Nossum <vegardno@thuin.ifi.uio.no>
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      1147c9cd
    • D
      drm: move to kref per-master structures. · 7c1c2871
      Dave Airlie 提交于
      This is step one towards having multiple masters sharing a drm
      device in order to get fast-user-switching to work.
      
      It splits out the information associated with the drm master
      into a separate kref counted structure, and allocates this when
      a master opens the device node. It also allows the current master
      to abdicate (say while VT switched), and a new master to take over
      the hardware.
      
      It moves the Intel and radeon drivers to using the sarea from
      within the new master structures.
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      7c1c2871
    • D
      drm: cleanup exit path for module unload · e7f7ab45
      Dave Airlie 提交于
      The current sub-module unload exit path is a mess, it tries
      to abuse the idr. Just keep a list of devices per driver struct
      and free them in-order on rmmod.
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      e7f7ab45
  2. 25 12月, 2008 4 次提交
  3. 24 12月, 2008 9 次提交
  4. 23 12月, 2008 7 次提交
  5. 22 12月, 2008 2 次提交
  6. 21 12月, 2008 3 次提交
  7. 20 12月, 2008 10 次提交
  8. 19 12月, 2008 2 次提交