1. 21 3月, 2011 1 次提交
    • C
      drm: Fix use-after-free in drm_gem_vm_close() · b74ad5ae
      Chris Wilson 提交于
      As we may release the last reference, we need to store the device in a
      local variable in order to unlock afterwards.
      
      [   60.140768] BUG: unable to handle kernel paging request at 6b6b6b9f
      [   60.140973] IP: [<c1536d11>] __mutex_unlock_slowpath+0x5a/0x111
      [   60.141014] *pdpt = 0000000024a54001 *pde = 0000000000000000
      [   60.141014] Oops: 0002 [#1] PREEMPT SMP
      [   60.141014] last sysfs file: /sys/devices/LNXSYSTM:00/device:00/PNP0A08:00/PNP0C0A:00/power_supply/BAT0/voltage_now
      [   60.141014] Modules linked in: uvcvideo ath9k pegasus ath9k_common ath9k_hw hid_egalax ath3k joydev asus_laptop sparse_keymap battery input_polldev
      [   60.141014]
      [   60.141014] Pid: 771, comm: meego-ux-daemon Not tainted 2.6.37.2-7.1 #1 EXOPC EXOPG06411/EXOPG06411
      [   60.141014] EIP: 0060:[<c1536d11>] EFLAGS: 00010046 CPU: 0
      [   60.141014] EIP is at __mutex_unlock_slowpath+0x5a/0x111
      [   60.141014] EAX: 00000100 EBX: 6b6b6b9b ECX: e9b4a1b0 EDX: e4a4e580
      [   60.141014] ESI: db162558 EDI: 00000246 EBP: e480be50 ESP: e480be44
      [   60.141014]  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
      [   60.141014] Process meego-ux-daemon (pid: 771, ti=e480a000 task=e9b4a1b0 task.ti=e480a000)
      [   60.141014] Stack:
      [   60.141014]  e4a4e580 db162558 f5a2f838 e480be58 c1536dd0 e480be68 c125ab1b db162558
      [   60.141014]  db1624e0 e480be78 c10ba071 db162558 f760241c e480be94 c10bb0bc 000155fe
      [   60.141014]  f760241c f5a2f838 f5a2f8c8 00000000 e480bea4 c1037c24 00000000 f5a2f838
      [   60.141014] Call Trace:
      [   60.141014]  [<c1536dd0>] ? mutex_unlock+0x8/0xa
      [   60.141014]  [<c125ab1b>] ? drm_gem_vm_close+0x39/0x3d
      [   60.141014]  [<c10ba071>] ? remove_vma+0x2d/0x58
      [   60.141014]  [<c10bb0bc>] ? exit_mmap+0x126/0x13f
      [   60.141014]  [<c1037c24>] ? mmput+0x37/0x9a
      [   60.141014]  [<c10d450d>] ? exec_mmap+0x178/0x19c
      [   60.141014]  [<c1537f85>] ? _raw_spin_unlock+0x1d/0x36
      [   60.141014]  [<c10d4eb0>] ? flush_old_exec+0x42/0x75
      [   60.141014]  [<c1104442>] ? load_elf_binary+0x32a/0x922
      [   60.141014]  [<c10d3f76>] ? search_binary_handler+0x200/0x2ea
      [   60.141014]  [<c10d3ecf>] ? search_binary_handler+0x159/0x2ea
      [   60.141014]  [<c1104118>] ? load_elf_binary+0x0/0x922
      [   60.141014]  [<c10d56b2>] ? do_execve+0x1ff/0x2e6
      [   60.141014]  [<c100970e>] ? sys_execve+0x2d/0x55
      [   60.141014]  [<c1002a5a>] ? ptregs_execve+0x12/0x18
      [   60.141014]  [<c10029dc>] ? sysenter_do_call+0x12/0x3c
      [   60.141014]  [<c1530000>] ? init_centaur+0x9c/0x1ba
      [   60.141014] Code: c1 00 75 0f ba 38 01 00 00 b8 8c 3a 6c c1 e8 cc 2e b0 ff 9c 58 8d 74 26 00 89 c7 fa 90 8d 74 26 00 e8 d2 b4 b2 ff b8 00 01 00 00 <f0> 66 0f c1 43 04 38 e0 74 07 f3 90 8a 43 04 eb f5 83 3d 64 ef
      [   60.141014] EIP: [<c1536d11>] __mutex_unlock_slowpath+0x5a/0x111 SS:ESP 0068:e480be44
      [   60.141014] CR2: 000000006b6b6b9f
      Reported-by: NRusty Lynch <rusty.lynch@intel.com>
      Signed-off-by: NChris Wilson <chris@chris-wilson.co.uk>
      Cc: stable@kernel.org
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      b74ad5ae
  2. 17 3月, 2011 3 次提交
  3. 16 3月, 2011 3 次提交
    • C
      drm: Retry i2c transfer of EDID block after failure · 4819d2e4
      Chris Wilson 提交于
      Usually EDID retrieval is fine. However, sometimes, especially when the
      machine is loaded, it fails, but succeeds after a few retries.
      
      Based on a patch by Michael Buesch.
      Reported-by: NMichael Buesch <mb@bu3sch.de>
      Signed-off-by: NChris Wilson <chris@chris-wilson.co.uk>
      Reviewed-by: NAlex Deucher <alexdeucher@gmail.com>
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      4819d2e4
    • A
      drm/radeon/kms: fix typo in atom overscan setup · 942b0e95
      Alex Deucher 提交于
      Typo in the aspect scale setup.
      Signed-off-by: NAlex Deucher <alexdeucher@gmail.com>
      Cc: stable@kernel.org
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      942b0e95
    • C
      drm: Hold the mode mutex whilst probing for sysfs status · 007c80a5
      Chris Wilson 提交于
      As detect will use hw registers and may modify structures, it needs to be
      serialised by use of the dev->mode_config.mutex. Make it so.
      
      Otherwise, we may cause random crashes as the sysfs file is queried
      whilst a concurrent hotplug poll is being run. For example:
      
      [ 1189.189626] BUG: unable to handle kernel NULL pointer dereference at 00000100
      [ 1189.189821] IP: [<e0c22019>] intel_tv_detect_type+0xa2/0x203 [i915]
      [ 1189.190020] *pde = 00000000
      [ 1189.190104] Oops: 0000 [#1] SMP
      [ 1189.190209] last sysfs file: /sys/devices/pci0000:00/0000:00:02.0/drm/card0/card0-SVIDEO-1/status
      [ 1189.190412] Modules linked in: mperf cpufreq_conservative cpufreq_userspace cpufreq_powersave cpufreq_stats decnet uinput fuse loop joydev snd_hd a_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_pcm_oss snd_mixer_oss snd_pcm i915 snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq drm_kms_helper snd_timer uvcvideo d rm snd_seq_device eeepc_laptop tpm_tis usbhid videodev i2c_algo_bit v4l1_compat snd sparse_keymap i2c_core hid serio_raw tpm psmouse evdev tpm_bios rfkill shpchp ac processor rng_c ore battery video power_supply soundcore pci_hotplug button output snd_page_alloc usb_storage uas ext3 jbd mbcache sd_mod crc_t10dif ata_generic ahci libahci ata_piix libata uhci_h cd ehci_hcd scsi_mod usbcore thermal atl2 thermal_sys nls_base [last unloaded: scsi_wait_scan]
      [ 1189.192007]
      [ 1189.192007] Pid: 1464, comm: upowerd Not tainted 2.6.37-2-686 #1 ASUSTeK Computer INC. 701/701
      [ 1189.192007] EIP: 0060:[<e0c22019>] EFLAGS: 00010246 CPU: 0
      [ 1189.192007] EIP is at intel_tv_detect_type+0xa2/0x203 [i915]
      [ 1189.192007] EAX: 00000000 EBX: dca74000 ECX: e0f68004 EDX: 00068004
      [ 1189.192007] ESI: dd110c00 EDI: 400c0c37 EBP: dca7429c ESP: de365e2c
      [ 1189.192007]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
      [ 1189.192007] Process upowerd (pid: 1464, ti=de364000 task=dcc8acb0 task.ti=de364000)
      [ 1189.192007] Stack: Mar 15 03:43:23 hostname kernel: [ 1189.192007]  e0c2cda4 70000000 400c0c30 00000000 dd111000 de365e54 de365f24 dd110c00
      [ 1189.192007]  e0c22203 01000000 00000003 00000000 00000000 00000000 00000000 4353544e
      [ 1189.192007]  30383420 00000069 00000000 00000000 00000000 00000000 00000000 00000000
      [ 1189.192007] Call Trace: Mar 15 03:43:23 hostname kernel: [ 1189.192007]  [<e0c22203>] ?  intel_tv_detect+0x89/0x12d [i915]
      [ 1189.192007]  [<e0a9dcef>] ?  status_show+0x0/0x2f [drm]
      [ 1189.192007]  [<e0a9dd03>] ?  status_show+0x14/0x2f [drm]
      
      [Digression: what is upowerd doing reading those power hungry files?]
      Reported-by: NPaul Menzel <paulepanter@users.sourceforge.net>
      Signed-off-by: NChris Wilson <chris@chris-wilson.co.uk>
      Cc: stable@kernel.org
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      007c80a5
  4. 14 3月, 2011 9 次提交
  5. 13 3月, 2011 1 次提交
  6. 11 3月, 2011 2 次提交
  7. 08 3月, 2011 3 次提交
  8. 07 3月, 2011 4 次提交
  9. 06 3月, 2011 2 次提交
  10. 04 3月, 2011 3 次提交
  11. 03 3月, 2011 9 次提交