Olaf Kirch noticed that the i915_set_status_page() function of the i915
kernel driver calls ioremap with an address offset that is supplied by
userspace via ioctl. The function zeroes the mapped memory via memset
and tells the hardware about the address. Turns out that access to that
ioctl is not restricted to root so users could probably exploit that to
do nasty things. We haven't tried to write actual exploit code though.
It only affects the Intel G33 series and newer.
sarea_priv needs to be NULL before i915_initialized is called to
properly reset it. The stale value produces a panic any time something
opens/closes drm without calling initialize. i.e. version checking
The user visible ioctl does this, but since we call into GEM internals
directly, we have to flush things ourselves. Fixes initial fb console
corruption.
This makes our handling of cliprects sane. drm_clip_rect always has exclusive
bottom-right corners, but the hardware expects inclusive bottom-right corners,
so we adjust this here.
This complements Michel Daenzer's commit 57aea290e1e0a26d1e74df6cff777eb9f038f1f8
to Mesa. See also http://bugs.freedesktop.org/show_bug.cgi?id=16123 .
This is around 3x or so speedup, since we would read wide rows at a time, and
clflush each tile 8 times as a result. We'll want code related to this anyway
when we do fault-based per-page clflushing for sw fallbacks.
DRAW_INDEX writes a vertex count to VAP_VF_CNTL. Docs say that behaviour
is undefined (i.e. lockups happen) when this write is not followed by the
right number of vertex indices.
Thus we used to do the wrong thing when drawing across many cliprects was
necessary, because we emitted a sequence
DRAW_INDEX, DRAW_INDEX, INDX_BUFFER, INDX_BUFFER
instead of
DRAW_INDEX, INDX_BUFFER, DRAW_INDEX, INDX_BUFFER
The latter is what we're doing now and which ought to be correct.
This is an initial import of the atom bios parser with modesetting support
for r500 hw using atombios. It also includes a simple memory manager
layer that translates a radeon GEM style interface onto TTM internally.
So far this memory manager has only been used for pinned object allocation
for the DDX to test modesetting.
This resolves a panic on FreeBSD which was caused by trying
to re-initialize the swap lock. It's just much easier to
initialize all of the locks at load time. It should also
ensure that the vblank structures are available earlier.
Thanks to the reworked vblank-rework, we can just use the hardware frame
counter directly, and make the RADEON_PARAM_VBLANK_CRTC getparam just return
what was set by the corresponding setparam.
We depend on the VM fully now for memory protection, separate DMA objects
for VRAM and GART are unneccesary. However, until the next interface break
(soon) a client can't depend on the objects being the same and must still
call NV_OBJ_SET_DMA_* methods appropriately.
Remove the unused (and broken) "in vblank" code now that the core has
been fixed to use a counter while interrupts are enabled. Also make the
vblank pipe get/set ioctls into dumb stub functions, since with the new
code we can no longer let userspace control whether vblank interrupts
are enabled, or the core code will misbehave.
modifications to make it work correctly on my test hardware (altered the
backlight write function, made it enable the legacy backlight controller
interrupts on mobile hardware, sorted the interrupt function so we don't
get an excessive number of vblank interrupts). This lets the backlight
keys on my T61 work properly, though there's a 750msec or so delay
between the request and the brightness actually changing - this sounds
awfully like the hardware spinning waiting for a status flag to become
ready, but as far as I can tell they're all set correctly. If anyone can
figure out what's wrong here, it'd be nice to know.
Some of the functions are still stubs and just tell the hardware that
the request was successful. These can be filled in as kernel modesetting
gets integrated. I think it's worth getting this in anyway, since it's
required for backlight control to work properly on some new platforms.
Signed-off-by: Matthew Garrett <mjg@redhat.com>
Various chips have exciting interactions between the CPU and the GPU's
different ways of accessing interleaved memory, so we need some kernel
assistance in determining how it works.
Only fully tested on GM965 so far.
- There is one fb, used for as many outputs as possible.
- Eventually smaller screens will be scaled to see the full console, but for the moment this'll do.
When scheduled swaps occur, we need to blit between front & back buffers. I
the buffers are tiled, we need to set the appropriate XY_SRC_COPY tile bit,
only on 965 chips, since it will cause corruption on pre-965 (e.g. 945).
Bug reported by and fix tested by Tomas Janousek <tomi@nomi.cz>.
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
We won't get a PFIFO context switch when the same channel ID is recreated if
the hw still thinks the channel is already active, which causes fun issues.
Should allow X to be stopped and started without tearing down the entire
card state in lastclose().
This avoids seeing garbage from engine setup etc before X gets around
to pointing the CRTCs at a new scanout buffer. Not actually a noticable
problem before G80 as PRAMIN is forced to the end of VRAM by the hardware
already.
We won't get a PFIFO context switch when the same channel ID is recreated if
the hw still thinks the channel is already active, which causes fun issues.
Should allow X to be stopped and started without tearing down the entire
card state in lastclose().
With the interrupt enable/disable using only the mask register, it was wrong
to use the enable register to detect which pipes had vblank detection
turned on. Also, as we keep a local copy of the mask register around, and
MSI machines smack the hardware during the interrupt handler, it is more
efficient and more correct to use the local copy.
It would be nice if one day the DRM driver was the canonical source for
register definitions and core macros. To that end, this patch cleans things up
quite a bit, removing redundant definitions (some with different names
referring to the same register) and generally tidying up the header file.
Clean up queues, free objects. On the next entervt, unmark the hardware to
let the user try again (presumably after resetting the chip). Someday we'll
automatically recover...
We depend on the VM fully now for memory protection, separate DMA objects
for VRAM and GART are unneccesary. However, until the next interface break
(soon) a client can't depend on the objects being the same and must still
call NV_OBJ_SET_DMA_* methods appropriately.
This avoids seeing garbage from engine setup etc before X gets around
to pointing the CRTCs at a new scanout buffer. Not actually a noticable
problem before G80 as PRAMIN is forced to the end of VRAM by the hardware
already.