From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Dave Airlie <airlied@redhat.com>
Subject: [2.6.22.2 review 34/84] drm/i915: Fix i965 secured batchbuffer usage (CVE-2007-3851)
Date: Tue, 7 Aug 2007 13:45:43 -0700
Message-ID: <20070807204543.GI23028@kroah.com>
In-Reply-To: <20070807204157.GA23028@kroah.com>
[-- Attachment #1: drm-i915-fix-i965-secured-batchbuffer-usage.patch --]
[-- Type: text/plain, Size: 2296 bytes --]
From: Dave Airlie <airlied@redhat.com>
The 965G and above chipsets moved the batch buffer non-secure bits to
another place. This means that previous drm's allowed insecure batchbuffers
to be submitted to the hardware from non-privileged users who are logged
into X and have access to direct rendering.
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/char/drm/i915_dma.c | 14 +++++++++++---
drivers/char/drm/i915_drv.h | 1 +
2 files changed, 12 insertions(+), 3 deletions(-)
--- a/drivers/char/drm/i915_dma.c
+++ b/drivers/char/drm/i915_dma.c
@@ -184,6 +184,8 @@ static int i915_initialize(drm_device_t
* private backbuffer/depthbuffer usage.
*/
dev_priv->use_mi_batchbuffer_start = 0;
+ if (IS_I965G(dev)) /* 965 doesn't support older method */
+ dev_priv->use_mi_batchbuffer_start = 1;
/* Allow hardware batchbuffers unless told otherwise.
*/
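Review bot: the comment on the added IS_I965G(dev) line in i915_initialize says only "965 doesn't support older method", which does not tell a later reader that this default is what the security fix rests on. Say in the comment that user space must not be able to clear the flag on 965 and point at the matching guard in i915_setparam, so the two stay in sync. As a style point, the unconditional "= 0" followed by the conditional "= 1" could be one assignment.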
@@ -517,8 +519,13 @@ static int i915_dispatch_batchbuffer(drm
if (dev_priv->use_mi_batchbuffer_start) {
BEGIN_LP_RING(2);
- OUT_RING(MI_BATCH_BUFFER_START | (2 << 6));
- OUT_RING(batch->start | MI_BATCH_NON_SECURE);
+ if (IS_I965G(dev)) {
+ OUT_RING(MI_BATCH_BUFFER_START | (2 << 6) | MI_BATCH_NON_SECURE_I965);
+ OUT_RING(batch->start);
+ } else {
+ OUT_RING(MI_BATCH_BUFFER_START | (2 << 6));
+ OUT_RING(batch->start | MI_BATCH_NON_SECURE);
+ }
ADVANCE_LP_RING();
} else {
BEGIN_LP_RING(4);
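Review bot: in the IS_I965G branch of i915_dispatch_batchbuffer the non-secure flag moves from the second ring dword (batch->start | MI_BATCH_NON_SECURE) to the first (MI_BATCH_BUFFER_START | (2 << 6) | MI_BATCH_NON_SECURE_I965), and nothing in the code says why. A one-line comment stating that 965 takes the bit in the command dword rather than in the address dword would keep someone from merging the two branches back together later. The (2 << 6) is repeated in both branches as an unnamed constant and would read better as a named define. The else path that follows (BEGIN_LP_RING(4)) is untouched, so correctness on 965 depends on use_mi_batchbuffer_start never being 0 there; a check on that at this point in the function would make the dispatch path safe on its own instead of relying on the init and setparam hunks.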
@@ -735,7 +742,8 @@ static int i915_setparam(DRM_IOCTL_ARGS)
switch (param.param) {
case I915_SETPARAM_USE_MI_BATCHBUFFER_START:
- dev_priv->use_mi_batchbuffer_start = param.value;
+ if (!IS_I965G(dev))
+ dev_priv->use_mi_batchbuffer_start = param.value;
break;
case I915_SETPARAM_TEX_LRU_LOG_GRANULARITY:
dev_priv->tex_lru_log_granularity = param.value;
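Review bot: on 965 the I915_SETPARAM_USE_MI_BATCHBUFFER_START case now skips the assignment and goes straight to break, so within this case a caller whose value was ignored gets no indication of it. Either reject the request when IS_I965G(dev) and param.value is 0, or add a comment that ignoring it silently is deliberate for compatibility with existing user space. The guard also deserves a short comment of its own, since without the context of the commit message "if (!IS_I965G(dev))" reads like a feature check rather than a security restriction.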
--- a/drivers/char/drm/i915_drv.h
+++ b/drivers/char/drm/i915_drv.h
@@ -282,6 +282,7 @@ extern int i915_wait_ring(drm_device_t *
#define MI_BATCH_BUFFER_START (0x31<<23)
#define MI_BATCH_BUFFER_END (0xA<<23)
#define MI_BATCH_NON_SECURE (1)
+#define MI_BATCH_NON_SECURE_I965 (1<<8)
#define MI_WAIT_FOR_EVENT ((0x3<<23))
#define MI_WAIT_FOR_PLANE_A_FLIP (1<<2)
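Review bot: the new MI_BATCH_NON_SECURE_I965 (1<<8) sits directly under MI_BATCH_NON_SECURE (1) with no comment, and the two look interchangeable even though the dispatch hunk ORs them into different ring dwords (the I965 bit into the MI_BATCH_BUFFER_START command word, the older bit into batch->start). Add a comment on each define naming the dword it belongs to, since using the wrong one compiles cleanly and leaves the batch buffer without its non-secure marking.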
--