From a9f57a2b9c5897cbf568bf75342204b780566de0 Mon Sep 17 00:00:00 2001 From: Roland Scheidegger Date: Tue, 10 Oct 2006 02:24:19 +0200 Subject: [PATCH 1/3] only allow specific type-3 packets to pass the verifier instead of all for r100/r200 as others might be unsafe (r300 already does this), and add checking for these we need but aren't safe. Check the RADEON_CP_INDX_BUFFER packet on both r200 and r300 as it isn't safe neither. --- shared-core/r300_cmdbuf.c | 33 ++++++++++- shared-core/radeon_state.c | 109 ++++++++++++++++++++++++++++++++++++- 2 files changed, 138 insertions(+), 4 deletions(-) diff --git a/shared-core/r300_cmdbuf.c b/shared-core/r300_cmdbuf.c index dc866823..c65ffd59 100644 --- a/shared-core/r300_cmdbuf.c +++ b/shared-core/r300_cmdbuf.c @@ -538,6 +538,36 @@ static __inline__ int r300_emit_bitblt_multi(drm_radeon_private_t *dev_priv, return 0; } +static __inline__ int r300_emit_indx_buffer(drm_radeon_private_t *dev_priv, + drm_radeon_kcmd_buffer_t *cmdbuf) +{ + u32 *cmd = (u32 *) cmdbuf->buf; + int count, ret; + RING_LOCALS; + + count=(cmd[0]>>16) & 0x3fff; + + if ((cmd[1] & 0x8000ffff) != 0x80000810) { + DRM_ERROR("Invalid indx_buffer reg address %08X\n", cmd[1]); + return DRM_ERR(EINVAL); + } + ret = r300_check_offset(dev_priv, cmd[2]); + if (ret) { + DRM_ERROR("Invalid indx_buffer offset is %08X\n", cmd[2]); + return DRM_ERR(EINVAL); + } + + BEGIN_RING(count+2); + OUT_RING(cmd[0]); + OUT_RING_TABLE((int *)(cmdbuf->buf + 4), count + 1); + ADVANCE_RING(); + + cmdbuf->buf += (count+2)*4; + cmdbuf->bufsz -= (count+2)*4; + + return 0; +} + static __inline__ int r300_emit_raw_packet3(drm_radeon_private_t *dev_priv, drm_radeon_kcmd_buffer_t *cmdbuf) { 
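Review bot: `r300_emit_indx_buffer` reads `cmd[1]` and `cmd[2]` without checking that `count` is large enough for the packet to contain them; with `count == 0` the packet is only two dwords and `cmd[2]` is whatever follows it. The caller's size check is not visible in this hunk; if it only guarantees `count + 2` dwords, add `if (count < 1) return DRM_ERR(EINVAL);` before the register-address test, or compare against the exact length if INDX_BUFFER has a fixed one. `OUT_RING_TABLE` also forwards every dword after `cmd[2]` to the ring unchecked, so pinning the length matters there too. The same gap applies to `case RADEON_CP_INDX_BUFFER:` in `radeon_check_and_fixup_packet3` in radeon_state.c.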
@@ -578,10 +608,11 @@ static __inline__ int r300_emit_raw_packet3(drm_radeon_private_t *dev_priv, case RADEON_CNTL_BITBLT_MULTI: return r300_emit_bitblt_multi(dev_priv, cmdbuf); + case RADEON_CP_INDX_BUFFER: /* DRAW_INDX_2 without INDX_BUFFER seems to lock up the gpu */ + return r300_emit_indx_buffer(dev_priv, cmdbuf); case RADEON_CP_3D_DRAW_IMMD_2: /* triggers drawing using in-packet vertex data */ case RADEON_CP_3D_DRAW_VBUF_2: /* triggers drawing of vertex buffers setup elsewhere */ case RADEON_CP_3D_DRAW_INDX_2: /* triggers drawing using indices to vertex buffer */ - case RADEON_CP_INDX_BUFFER: /* DRAW_INDX_2 without INDX_BUFFER seems to lock up the gpu */ case RADEON_WAIT_FOR_IDLE: case RADEON_CP_NOP: /* these packets are safe */ diff --git a/shared-core/radeon_state.c b/shared-core/radeon_state.c index b4478019..bf5e3d29 100644 --- a/shared-core/radeon_state.c +++ b/shared-core/radeon_state.c @@ -275,6 +275,8 @@ static __inline__ int radeon_check_and_fixup_packet3(drm_radeon_private_t * unsigned int *cmdsz) { u32 *cmd = (u32 *) cmdbuf->buf; + u32 offset, narrays; + int count, i, k; *cmdsz = 2 + ((cmd[0] & RADEON_CP_PACKET_COUNT_MASK) >> 16); 
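Review bot: The comment kept on `case RADEON_CP_INDX_BUFFER:` explains why the packet has to be accepted, not why it no longer falls through to the "these packets are safe" group. A reader of the switch would want the reason at the case itself, for example `/* carries a buffer offset that must be range-checked; DRAW_INDX_2 without INDX_BUFFER seems to lock up the gpu */`. The switch starts and ends outside this hunk.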
@@ -288,10 +290,106 @@ static __inline__ int radeon_check_and_fixup_packet3(drm_radeon_private_t * return DRM_ERR(EINVAL); } - /* Check client state and fix it up if necessary */ - if (cmd[0] & 0x8000) { /* MSB of opcode: next DWORD GUI_CNTL */ - u32 offset; + switch(cmd[0] & 0xff00) { + /* XXX Are there old drivers needing other packets? */ + case RADEON_3D_DRAW_IMMD: + case RADEON_3D_DRAW_VBUF: + case RADEON_3D_DRAW_INDX: + case RADEON_WAIT_FOR_IDLE: + case RADEON_CP_NOP: + case RADEON_3D_CLEAR_ZMASK: +/* case RADEON_CP_NEXT_CHAR: + case RADEON_CP_PLY_NEXTSCAN: + case RADEON_CP_SET_SCISSORS: */ /* probably safe but will never need them? */ + /* these packets are safe */ + break; + + case RADEON_CP_3D_DRAW_IMMD_2: + case RADEON_CP_3D_DRAW_VBUF_2: + case RADEON_CP_3D_DRAW_INDX_2: + case RADEON_3D_CLEAR_HIZ: + /* safe but r200 only */ + if (dev_priv->microcode_version != UCODE_R200) { + DRM_ERROR("Invalid 3d packet for r100-class chip\n"); + return DRM_ERR(EINVAL); + } + break; + + case RADEON_3D_LOAD_VBPNTR: + count = (cmd[0] >> 16) & 0x3fff; + + if (count > 18) { /* 12 arrays max */ + DRM_ERROR("Too large payload in 3D_LOAD_VBPNTR (count=%d)\n", + count); + return DRM_ERR(EINVAL); + } + + /* carefully check packet contents */ + narrays = cmd[1] & ~0xc000; + k = 0; + i = 2; + while ((k < narrays) && (i < (count + 2))) { + i++; /* skip attribute field */ + if (radeon_check_and_fixup_offset(dev_priv, filp_priv, &cmd[i])) { + DRM_ERROR + ("Invalid offset (k=%d i=%d) in 3D_LOAD_VBPNTR packet.\n", + k, i); + return DRM_ERR(EINVAL); + } + k++; + i++; + if (k == narrays) + break; + /* have one more to process, they come in pairs */ + if (radeon_check_and_fixup_offset(dev_priv, filp_priv, &cmd[i])) { + DRM_ERROR + ("Invalid offset (k=%d i=%d) in 3D_LOAD_VBPNTR packet.\n", + k, i); + return DRM_ERR(EINVAL); + } + k++; + i++; + } + /* do the counts match what we expect ? 
*/ + if ((k != narrays) || (i != (count + 2))) { + DRM_ERROR + ("Malformed 3D_LOAD_VBPNTR packet (k=%d i=%d narrays=%d count+1=%d).\n", + k, i, narrays, count + 1); + return DRM_ERR(EINVAL); + } + break; + + case RADEON_3D_RNDR_GEN_INDX_PRIM: + if (dev_priv->microcode_version != UCODE_R100) { + DRM_ERROR("Invalid 3d packet for r200-class chip\n"); + return DRM_ERR(EINVAL); + } + if (radeon_check_and_fixup_offset(dev_priv, filp_priv, &cmd[1])) { + DRM_ERROR("Invalid rndr_gen_indx offset\n"); + return DRM_ERR(EINVAL); + } + break; + + case RADEON_CP_INDX_BUFFER: + if (dev_priv->microcode_version != UCODE_R200) { + DRM_ERROR("Invalid 3d packet for r100-class chip\n"); + return DRM_ERR(EINVAL); + } + if ((cmd[1] & 0x8000ffff) != 0x80000810) { + DRM_ERROR("Invalid indx_buffer reg address %08X\n", cmd[1]); + return DRM_ERR(EINVAL); + } + if (radeon_check_and_fixup_offset(dev_priv, filp_priv, &cmd[2])) { + DRM_ERROR("Invalid indx_buffer offset is %08X\n", cmd[2]); + return DRM_ERR(EINVAL); + } + break; + + case RADEON_CNTL_HOSTDATA_BLT: + case RADEON_CNTL_PAINT_MULTI: + case RADEON_CNTL_BITBLT_MULTI: + /* MSB of opcode: next DWORD GUI_CNTL */ if (cmd[1] & (RADEON_GMC_SRC_PITCH_OFFSET_CNTL | RADEON_GMC_DST_PITCH_OFFSET_CNTL)) { offset = cmd[2] << 10; @@ -313,6 +411,11 @@ static __inline__ int radeon_check_and_fixup_packet3(drm_radeon_private_t * } cmd[3] = (cmd[3] & 0xffc00000) | offset >> 10; } + break; + + default: + DRM_ERROR("Invalid packet type %x\n", cmd[0] & 0xff00); + return DRM_ERR(EINVAL); } return 0; From 1bab514c0a1a535c19d53e3d39e3b351db3ab7a4 Mon Sep 17 00:00:00 2001 
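Review bot: In the `RADEON_3D_LOAD_VBPNTR` case the loop tests `i < (count + 2)` only at the top, but `i` is incremented before each `radeon_check_and_fixup_offset(dev_priv, filp_priv, &cmd[i])` call. A packet whose `narrays` exceeds its payload therefore gets `cmd[count + 2]`, and possibly `cmd[count + 3]`, read and (the helper takes a pointer, so presumably) rewritten before the "Malformed" test rejects it. Those dwords lie past the `*cmdsz` dwords of this packet; whether they are still inside the command buffer depends on the size check above the hunk. Re-test the bound before each dereference with `if (i >= count + 2) break;`, so the final `(k != narrays) || (i != (count + 2))` test rejects the packet without touching memory past it. Separately, `narrays` is `u32` while `k` is `int` and it is printed with `%d`; declaring it `int` or printing with `%u` would keep the comparison and format consistent.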
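Review bot: The new `default:` branch reports every rejected opcode with `DRM_ERROR`, and the opcode comes from the client's command buffer, so if `DRM_ERROR` is not rate limited in this tree a client that keeps submitting unknown packets can fill the kernel log. Consider a debug-level message, `DRM_DEBUG("Invalid packet type %x\n", cmd[0] & 0xff00);`, or rate limiting. The same holds for the `DRM_ERROR` calls added in the per-packet cases of the previous hunk. The function body starts outside this hunk.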
From: Dave Airlie Date: Sat, 14 Oct 2006 23:38:20 +1000 Subject: [PATCH 2/3] remove config.h from build no longer exists kbuild does it --- linux-core/drmP.h | 1 - linux-core/drm_drawable.c | 1 - linux-core/drm_memory.c | 1 - linux-core/drm_memory.h | 1 - linux-core/drm_memory_debug.c | 1 - linux-core/drm_memory_debug.h | 1 - linux-core/drm_scatter.c | 1 - linux-core/drm_sysfs.c | 1 - linux-core/ffb_drv.c | 1 - linux-core/i810_drv.c | 1 - linux-core/i830_drv.c | 2 -- linux-core/imagine_drv.c | 1 - linux-core/mach64_drv.c | 1 - linux-core/mga_drv.c | 1 - linux-core/nv_drv.c | 1 - linux-core/r128_drv.c | 1 - linux-core/radeon_drv.c | 1 - linux-core/savage_drv.c | 1 - linux-core/sis_drv.c | 1 - linux-core/tdfx_drv.c | 1 - shared-core/drm.h | 3 --- shared-core/via_drv.c | 1 - 22 files changed, 25 deletions(-) delete mode 120000 linux-core/drm_drawable.c diff --git a/linux-core/drmP.h b/linux-core/drmP.h index 2bbec70c..1b314be1 100644 --- a/linux-core/drmP.h +++ b/linux-core/drmP.h @@ -41,7 +41,6 @@ * can build the DRM (part of PI DRI). 4/21/2000 S + B */ #include #endif /* __alpha__ */ -#include #include #include #include diff --git a/linux-core/drm_drawable.c b/linux-core/drm_drawable.c deleted file mode 120000 index d64bbe10..00000000 --- a/linux-core/drm_drawable.c +++ /dev/null @@ -1 +0,0 @@ -../shared-core/drm_drawable.c \ No newline at end of file diff --git a/linux-core/drm_memory.c b/linux-core/drm_memory.c index 9125cd47..a249382d 100644 --- a/linux-core/drm_memory.c +++ b/linux-core/drm_memory.c @@ -33,7 +33,6 @@ * OTHER DEALINGS IN THE SOFTWARE. */ -#include #include #include "drmP.h" diff --git a/linux-core/drm_memory.h b/linux-core/drm_memory.h index 4a4fd5c3..4a2c3583 100644 --- a/linux-core/drm_memory.h +++ b/linux-core/drm_memory.h @@ -33,7 +33,6 @@ * OTHER DEALINGS IN THE SOFTWARE. */ -#include #include #include #include "drmP.h" diff --git a/linux-core/drm_memory_debug.c b/linux-core/drm_memory_debug.c index 2fe7aeaa..aa1b2922 100644 
--- a/linux-core/drm_memory_debug.c +++ b/linux-core/drm_memory_debug.c @@ -31,7 +31,6 @@ * OTHER DEALINGS IN THE SOFTWARE. */ -#include #include "drmP.h" #ifdef DEBUG_MEMORY diff --git a/linux-core/drm_memory_debug.h b/linux-core/drm_memory_debug.h index 706b7525..1e0a63b7 100644 --- a/linux-core/drm_memory_debug.h +++ b/linux-core/drm_memory_debug.h @@ -31,7 +31,6 @@ * OTHER DEALINGS IN THE SOFTWARE. */ -#include #include "drmP.h" typedef struct drm_mem_stats { diff --git a/linux-core/drm_scatter.c b/linux-core/drm_scatter.c index a7144f1a..e5c9f877 100644 --- a/linux-core/drm_scatter.c +++ b/linux-core/drm_scatter.c @@ -31,7 +31,6 @@ * DEALINGS IN THE SOFTWARE. */ -#include #include #include "drmP.h" diff --git a/linux-core/drm_sysfs.c b/linux-core/drm_sysfs.c index df75d7b0..e5dd0532 100644 --- a/linux-core/drm_sysfs.c +++ b/linux-core/drm_sysfs.c @@ -11,7 +11,6 @@ * */ -#include #include #include #include diff --git a/linux-core/ffb_drv.c b/linux-core/ffb_drv.c index 7b028c86..9c88f061 100644 --- a/linux-core/ffb_drv.c +++ b/linux-core/ffb_drv.c @@ -4,7 +4,6 @@ * Copyright (C) 2000 David S. Miller (davem@redhat.com) */ -#include #include #include #include diff --git a/linux-core/i810_drv.c b/linux-core/i810_drv.c index d4b73760..fc784a02 100644 --- a/linux-core/i810_drv.c +++ b/linux-core/i810_drv.c @@ -30,7 +30,6 @@ * Gareth Hughes */ -#include #include "drmP.h" #include "drm.h" #include "i810_drm.h" diff --git a/linux-core/i830_drv.c b/linux-core/i830_drv.c index 74b574aa..6416161e 100644 --- a/linux-core/i830_drv.c +++ b/linux-core/i830_drv.c @@ -32,8 +32,6 @@ * Keith Whitwell */ -#include - #include "drmP.h" #include "drm.h" #include "i830_drm.h" diff --git a/linux-core/imagine_drv.c b/linux-core/imagine_drv.c index bec2fae4..6d050999 100644 --- a/linux-core/imagine_drv.c +++ b/linux-core/imagine_drv.c @@ -22,7 +22,6 @@ /* derived from tdfx_drv.c */ -#include #include "drmP.h" #include "imagine_drv.h" 
diff --git a/linux-core/mach64_drv.c b/linux-core/mach64_drv.c index ba45132b..9709934d 100644 --- a/linux-core/mach64_drv.c +++ b/linux-core/mach64_drv.c @@ -27,7 +27,6 @@ * Leif Delgass */ -#include #include "drmP.h" #include "drm.h" #include "mach64_drm.h" diff --git a/linux-core/mga_drv.c b/linux-core/mga_drv.c index 3a1e4b25..2bb1e8f3 100644 --- a/linux-core/mga_drv.c +++ b/linux-core/mga_drv.c @@ -29,7 +29,6 @@ * Gareth Hughes */ -#include #include "drmP.h" #include "drm.h" #include "mga_drm.h" diff --git a/linux-core/nv_drv.c b/linux-core/nv_drv.c index a6afb024..5049473a 100644 --- a/linux-core/nv_drv.c +++ b/linux-core/nv_drv.c @@ -32,7 +32,6 @@ * Lars Knoll */ -#include #include "drmP.h" #include "nv_drv.h" diff --git a/linux-core/r128_drv.c b/linux-core/r128_drv.c index edc04b03..ef4a5cbd 100644 --- a/linux-core/r128_drv.c +++ b/linux-core/r128_drv.c @@ -29,7 +29,6 @@ * Gareth Hughes */ -#include #include "drmP.h" #include "drm.h" #include "r128_drm.h" diff --git a/linux-core/radeon_drv.c b/linux-core/radeon_drv.c index b15e983e..43b9aca0 100644 --- a/linux-core/radeon_drv.c +++ b/linux-core/radeon_drv.c @@ -29,7 +29,6 @@ * OTHER DEALINGS IN THE SOFTWARE. */ -#include #include "drmP.h" #include "drm.h" #include "radeon_drm.h" diff --git a/linux-core/savage_drv.c b/linux-core/savage_drv.c index 9f12dfe2..bb3561e6 100644 --- a/linux-core/savage_drv.c +++ b/linux-core/savage_drv.c @@ -23,7 +23,6 @@ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ -#include #include "drmP.h" #include "savage_drm.h" #include "savage_drv.h" diff --git a/linux-core/sis_drv.c b/linux-core/sis_drv.c index 36a525dc..9b0b9830 100644 --- a/linux-core/sis_drv.c +++ b/linux-core/sis_drv.c @@ -25,7 +25,6 @@ * */ -#include #include "drmP.h" #include "sis_drm.h" #include "sis_drv.h" diff --git a/linux-core/tdfx_drv.c b/linux-core/tdfx_drv.c index ce1b7c5a..bc69c06a 100644 --- a/linux-core/tdfx_drv.c +++ b/linux-core/tdfx_drv.c 
@@ -30,7 +30,6 @@ * Gareth Hughes */ -#include #include "drmP.h" #include "tdfx_drv.h" diff --git a/shared-core/drm.h b/shared-core/drm.h index 8c0c5d22..7d7e2502 100644 --- a/shared-core/drm.h +++ b/shared-core/drm.h @@ -69,9 +69,6 @@ #endif #if defined(__linux__) -#if defined(__KERNEL__) -#include -#endif #include /* For _IO* macros */ #define DRM_IOCTL_NR(n) _IOC_NR(n) #define DRM_IOC_VOID _IOC_NONE diff --git a/shared-core/via_drv.c b/shared-core/via_drv.c index bacfe37d..33b0a42d 100644 --- a/shared-core/via_drv.c +++ b/shared-core/via_drv.c @@ -22,7 +22,6 @@ * DEALINGS IN THE SOFTWARE. */ -#include #include "drmP.h" #include "via_drm.h" #include "via_drv.h" From 561e23a7c2f06b382613d3e2ae8d23104d0949aa Mon Sep 17 00:00:00 2001 From: Michael Karcher Date: Mon, 16 Oct 2006 22:06:58 -0400 Subject: [PATCH 3/3] dev->agp_buffer_map is not initialized for AGP DMA on savages bug 8662 --- shared-core/savage_bci.c | 1 + 1 file changed, 1 insertion(+) diff --git a/shared-core/savage_bci.c b/shared-core/savage_bci.c index 20fea40f..01121b92 100644 --- a/shared-core/savage_bci.c +++ b/shared-core/savage_bci.c @@ -725,6 +725,7 @@ static int savage_do_init_bci(drm_device_t *dev, drm_savage_init_t *init) dev_priv->status = NULL; } if (dev_priv->dma_type == SAVAGE_DMA_AGP && init->buffers_offset) { + dev->agp_buffer_token = init->buffers_offset; dev->agp_buffer_map = drm_core_findmap(dev, init->buffers_offset); if (!dev->agp_buffer_map) {
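Review bot: `dev->agp_buffer_token` is assigned from `init->buffers_offset` before `drm_core_findmap` has confirmed that the offset names a map. On the failure branch that starts at `if (!dev->agp_buffer_map) {` the token then keeps a value with no map behind it, unless the cleanup path (outside this hunk) clears it. Either move the assignment below the NULL check or reset it on that branch, e.g. `dev->agp_buffer_token = 0;`. A short comment naming the consumer of the token would also help, since the commit subject mentions only `agp_buffer_map`.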