linux/drivers/gpu/drm/i915
Francisco Jerez 8a389cac1f drm/i915: Fix command parser to validate multiple register access with the same command.

Until now the software command checker assumed that commands could
read or write at most a single register per packet.  This is not
necessarily the case: MI_LOAD_REGISTER_IMM expects a variable-length
list of offset/value pairs and writes them in sequence.  The previous
code would only check whether the first entry was valid, effectively
allowing userspace to write unrestricted registers of the MMIO space
by sending a multi-register write with a legal first register, with
potential security implications on Gen6 and 7 hardware.

Fix it by extending the drm_i915_cmd_descriptor table to represent
multi-register access and making validate_cmd() iterate for all
register offsets present in the command packet.

Signed-off-by: Francisco Jerez <currojerez@riseup.net>
Reviewed-by: Zhigang Gong <zhigang.gong@linux.intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
2015-06-15 16:00:28 +03:00
dvo_ch7xxx.c
dvo_ch7017.c
dvo_ivch.c Enabled dithering in the intel VCH DVO for 18bpp pipelines. 2015-03-30 16:39:31 +02:00
dvo_ns2501.c drm/i915: Enable dithering on NatSemi DVO2501 for Fujitsu S6010 2015-04-23 21:31:58 +02:00
dvo_sil164.c
dvo_tfp410.c
dvo.h
i915_cmd_parser.c drm/i915: Fix command parser to validate multiple register access with the same command. 2015-06-15 16:00:28 +03:00
i915_debugfs.c drm/i915: Use spinlocks for checking when to waitboost 2015-05-26 19:16:12 +02:00
i915_dma.c drm/i915: s/dpio_lock/sb_lock/ 2015-05-28 11:13:51 +02:00
i915_drv.c drm/i915/skl: Deinit/init the display at suspend/resume 2015-05-21 22:50:15 +02:00
i915_drv.h drm/i915: Fix command parser to validate multiple register access with the same command. 2015-06-15 16:00:28 +03:00
i915_gem_batch_pool.c drm/i915: Split batch pool into size buckets 2015-04-10 08:56:05 +02:00
i915_gem_batch_pool.h drm/i915: Split batch pool into size buckets 2015-04-10 08:56:05 +02:00
i915_gem_context.c drm/i915: Implement inter-engine read-read optimisations 2015-05-21 15:11:42 +02:00
i915_gem_debug.c drm/i915: Implement inter-engine read-read optimisations 2015-05-21 15:11:42 +02:00
i915_gem_dmabuf.c dma-buf: cleanup dma_buf_export() to make it easily extensible 2015-04-21 14:47:16 +05:30
i915_gem_evict.c drm/i915: kerneldoc for i915_gem_shrinker.c 2015-03-20 11:48:16 +01:00
i915_gem_execbuffer.c drm/i915: Inline check required for object syncing prior to execbuf 2015-05-21 15:11:43 +02:00
i915_gem_gtt.c drm/i915: limit PPGTT size to 2GB in 32-bit platforms 2015-05-29 19:08:22 +02:00
i915_gem_gtt.h drm/i915: Add a partial GGTT view type 2015-05-08 13:04:18 +02:00
i915_gem_render_state.c
i915_gem_render_state.h
i915_gem_shrinker.c drm/i915: Simplify object is-pinned checking for shrinker 2015-04-10 10:58:34 +02:00
i915_gem_stolen.c drm/i915: use proper FBC base register on all new platforms 2015-04-09 15:57:46 +02:00
i915_gem_tiling.c drm/i915: Simplify i915_gem_obj_is_pinned() test for set-tiling 2015-04-16 11:20:29 +02:00
i915_gem_userptr.c drm/i915: Use uninterruptible mutex_lock for userptr bo creation 2015-05-20 11:26:03 +02:00
i915_gem.c drm/i915: Don't skip request retirement if the active list is empty 2015-06-15 12:21:16 +03:00
i915_gpu_error.c drm/i915: Implement inter-engine read-read optimisations 2015-05-21 15:11:42 +02:00
i915_ioc32.c
i915_irq.c drm/i915: Use spinlocks for checking when to waitboost 2015-05-26 19:16:12 +02:00
i915_params.c drm/i915/skl: Add module parameter to select edp vswing table 2015-05-08 13:03:41 +02:00
i915_reg.h drm/i915: Throw out WIP CHV power well definitions 2015-05-28 11:13:50 +02:00
i915_suspend.c
i915_sysfs.c drm/i915/skl: Updated the act_freq_mhz_show sysfs function 2015-03-17 22:30:25 +01:00
i915_trace_points.c
i915_trace.h Merge tag 'drm-intel-next-2015-04-23-fixed' of git://anongit.freedesktop.org/drm-intel into drm-next 2015-05-08 20:51:06 +10:00
i915_vgpu.c
i915_vgpu.h drm/i915: Add ULL postfix to VGT_MAGIC constant 2015-03-17 22:30:18 +01:00
intel_acpi.c
intel_atomic_plane.c drm/i915: Use atomic helpers for computing changed flags 2015-05-08 13:04:08 +02:00
intel_atomic.c drm/i915: Call drm helpers when duplicating crtc and plane states 2015-05-08 13:03:58 +02:00
intel_audio.c drm/i915/audio: do not mess with audio registers if port is invalid 2015-05-08 13:03:36 +02:00
intel_bios.c drm/i915/bios: be more explicit about discarding iomem address space 2015-05-20 11:26:01 +02:00
intel_bios.h drm/i915: Fix the VBT child device parsing for BSW 2015-04-10 08:56:14 +02:00
intel_crt.c drm/i915: Disable CRT port after pipe on PCH platforms 2015-05-21 23:23:16 +02:00
intel_csr.c drm/i915/skl: Fix DMC API version in firmware file name 2015-06-05 12:08:01 +03:00
intel_ddi.c drm/i915/skl: Deinit/init the display at suspend/resume 2015-05-21 22:50:15 +02:00
intel_display.c drm/i915: Return the frontbuffer flip to enable intel_crtc_enable_planes. 2015-05-29 10:18:07 +02:00
intel_dp_mst.c drm/i915: Use for_each_connector_in_state helper macro 2015-05-08 13:03:58 +02:00
intel_dp.c drm/i915: disable IPS while getting the sink CRCs 2015-05-28 11:13:53 +02:00
intel_drv.h drm/i915: Kill intel_flush_primary_plane() 2015-05-28 11:13:51 +02:00
intel_dsi_panel_vbt.c drm/i915: s/dpio_lock/sb_lock/ 2015-05-28 11:13:51 +02:00
intel_dsi_pll.c drm/i915: s/dpio_lock/sb_lock/ 2015-05-28 11:13:51 +02:00
intel_dsi.c drm/i915: s/dpio_lock/sb_lock/ 2015-05-28 11:13:51 +02:00
intel_dsi.h
intel_dvo.c drm/i915: Silence compiler warning in dvo 2015-04-29 14:37:48 +03:00
intel_fbc.c drm/i915: get rid of primary_enabled and use atomic state 2015-05-08 13:03:53 +02:00
intel_fbdev.c drm/i915: Another fbdev hack to avoid PSR on fbcon. 2015-05-29 10:18:32 +02:00
intel_fifo_underrun.c
intel_frontbuffer.c drm/i915: PSR VLV: Add single frame update. 2015-04-14 19:15:23 +02:00
intel_hdmi.c drm/i915: Disable 12bpc hdmi for now 2015-05-28 11:13:52 +02:00
intel_i2c.c drm/i915: don't register invalid gmbus pins for skl 2015-05-20 11:25:50 +02:00
intel_lrc.c drm/i915: Remove unnecessary null check in execlists_context_unqueue 2015-05-27 13:20:51 +02:00
intel_lrc.h drm/i915: Move common request allocation code into a common function 2015-04-01 07:54:30 +02:00
intel_lvds.c Linux 4.1-rc4 2015-05-20 16:23:53 +10:00
intel_modes.c
intel_opregion.c
intel_overlay.c drm/i915: Implement inter-engine read-read optimisations 2015-05-21 15:11:42 +02:00
intel_panel.c drm/i915/bxt: BLC implementation 2015-05-08 13:03:38 +02:00
intel_pm.c drm/i915: s/dpio_lock/sb_lock/ 2015-05-28 11:13:51 +02:00
intel_psr.c drm/i915: PSR VLV: Add single frame update. 2015-04-14 19:15:23 +02:00
intel_renderstate_gen6.c
intel_renderstate_gen7.c
intel_renderstate_gen8.c
intel_renderstate_gen9.c
intel_renderstate.h
intel_ringbuffer.c drm/i915: Move WaProgramL3SqcReg1Default:bdw to init_clock_gating() 2015-05-22 08:08:06 +02:00
intel_ringbuffer.h drm/i915: Split the batch pool by engine 2015-04-10 08:56:04 +02:00
intel_runtime_pm.c drm/i915: Throw out WIP CHV power well definitions 2015-05-28 11:13:50 +02:00
intel_sdvo_regs.h
intel_sdvo.c drm/i915: Disable SDVO port after the pipe on PCH platforms 2015-05-21 23:22:01 +02:00
intel_sideband.c drm/i915: s/dpio_lock/sb_lock/ 2015-05-28 11:13:51 +02:00
intel_sprite.c drm/i915: Kill intel_flush_primary_plane() 2015-05-28 11:13:51 +02:00
intel_tv.c drm/i915: Allocate connector state together with the connectors 2015-04-13 15:21:21 +03:00
intel_uncore.c Merge tag 'drm-intel-next-2015-04-23-fixed' of git://anongit.freedesktop.org/drm-intel into drm-next 2015-05-08 20:51:06 +10:00
Kconfig Revert "drm/i915: Force clean compilation with -Werror" 2015-05-26 07:46:21 +02:00
Makefile Revert "drm/i915: Force clean compilation with -Werror" 2015-05-26 07:46:21 +02:00