privileges on Radeon hardware. Essentially, a malicious program could
submit a packet containing an offset (possibly in main memory) to be
rendered from/to, while a separate thread switched that offset in
userspace rapidly between a valid value and an invalid one.
radeon_check_and_fixup_offset() would pull the offset in from user
space, check it, and spit it back out to user space to be copied in
later by the emit code. It would sometimes catch the bad value, but
sometimes the malicious program could modify it after the check and get
an invalid offset rendered from/to.
Fix this by allocating a temporary buffer and copying the data in at once.
While here, make the cliprects stuff not do the VERIFYAREA_READ and
COPY_FROM_USER_UNCHECKED gymnastics, avoiding a lock order reversal on
FreeBSD. Performance impact is negligible -- no difference on r200 to
~1% improvement on rv200 in quake3 tests (P4 1Ghz, demofour at
1024x768, n=4 or 5).
the 2D driver initializes MC_FB_LOCATION and related registers sanely
the DRM deduces the layout from these registers
clients use the new SETPARAM ioctl to tell the DRM where they think the
framebuffer is located in the card's address space
the DRM uses all this information to check client state and fix it up if
necessary
This is a prerequisite for things like direct rendering with IGP chips and
video capturing.
DRM_*MEMORYBARRIER we had were related to an MMIO space. This means
arch-specific code on the BSDs, unfortunately. Also add
DRM_MEMORYBARRIER() and change the DRM_READMEMORYBARRIER()s that used
to be read/write barriers to it.
use correct address for ring read pointer writeback (yes, we seem to have
been running with bogus values for the ring read pointer, which
'worked' because the return value of radeon_wait_ring() is never
checked and the ring usually never fills up)
pageflipping after a mode switch
take current page into account in AdjustFrame(); writing the CRTC offset
via the CP was probably a bad idea as this can happen asynchronously,
reverted
take frame offset into account when flipping pages
handle CRTC2 as well for pageflipping (untested)
preserve GEN_INT_CNTL on mode switches to prevent interrupts from getting
disabled
Roland Scheidegger
Dave Airlie
Eric Anholt
Jon Smirl
Michel Daenzer
Keith Whitwell
David Dawes
Ian Romanick
Alan Hourihane
Brian Paul