Commit Graph

26 Commits

Author SHA1 Message Date
Dave Airlie f30df2fad0 drm/radeon/r600: fix tiling issues in CS checker.
The CS checker had some incorrect alignment requirements for 2D surfaces,
this made rendering to mipmap levels that were 2D broken.

Also the CB height was being worked out from the BO size, this doesn't work
at all when rendering mipmap levels, instead we work out what height userspace
wanted from slice max and use that to check it fits inside the BO, however
the DDX send the wrong slice max for an unaligned buffer so we have to workaround
for that even though its a userspace bug.

Reviewed-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-10-26 10:26:35 +10:00
Alex Deucher fe725d4f22 drm/radeon/kms: only warn on mipmap size checks in r600 cs checker (v2)
The texture base address registers are in units of 256 bytes.
The original CS checker treated these offsets as bytes, so the
original check was wrong.  I fixed the units in a patch during
the 2.6.36 cycle, but this ended up breaking some existing
userspace (probably due to a bug in either userspace texture allocation
or the drm texture mipmap checker).  So for now, until we come
up with a better fix, just warn if the mipmap size it too large.
This will keep existing userspace working and it should be just
as safe as before when we were checking the wrong units.  These
are GPU MC addresses, so if they fall outside of the VRAM or
GART apertures, they end up at the GPU default page, so this should
be safe from a security perspective.

v2: Just disable the warning.  It just spams the log and there's
nothing the user can do about it.

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Cc: Jerome Glisse <glisse@freedesktop.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-09-15 11:13:09 +10:00
Dave Airlie b494d5d468 drm/radeon: drop old and broken mesa warning
This never really got fixed in mesa, and the kernel deals with the problem
just fine, so don't got reporting things that confuse people.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-08-12 09:40:05 +10:00
Alex Deucher 618145ea54 drm/radeon/kms: another r6xx/r7xx CS checker fix
add default case for buffer formats

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Cc: Andre Maasikas <amaasikas@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-08-12 09:12:59 +10:00
Alex Deucher 1729dd33d2 drm/radeon/kms: r600 CS parser fixes
- buffer offsets in the base regs are 256b aligned so
shift properly when comparing, fixed by Andre Maasikas
- mipmap size was calculated wrong when nlevel=0
- texture bo offsets were used after the bo base address was added
- vertex resource size register is size - 1, not size

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Cc: Andre Maasikas <amaasikas@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-08-10 10:46:47 +10:00
Dave Airlie d656ae53f6 Merge tag 'v2.6.35-rc6' into drm-radeon-next
Need this to avoid conflicts with future radeon fixes
2010-08-02 10:05:24 +10:00
Alex Deucher 40e2a5c15d drm/radeon/kms: fix CS alignment checking for tiling (v2)
Covers depth, cb, and textures. Hopefully I got this right.

v2: - fix bugs:
      https://bugs.freedesktop.org/show_bug.cgi?id=28327
      https://bugs.freedesktop.org/show_bug.cgi?id=28381
    - use ALIGNED(), IS_ALIGNED() macros

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-08-02 10:00:04 +10:00
Alex Deucher 7f81337720 drm/radeon/kms: add tiling support to the cs checker for r6xx/r7xx
Check for relocs for DB_DEPTH_INFO, CB_COLOR*_INFO, and texture
resources.

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-08-02 10:00:03 +10:00
Dave Airlie 29508eb66b drm/radeon/kms: drop taking lock around crtc lookup.
We only add/remove crtcs at driver load, you cannot remove when
the GPU is running a CS packet since the fd is open, when
GPU hotplugging on radeons actually is needed all this locking
needs a review and I've started re-working kms core locking to deal
with this better. But for now avoid long delays in CS processing when
hotplug detect is happening in a different thread.

this fixes a regression introduced with hotplug detection.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-07-22 09:57:13 +10:00
Alex Deucher 5f77df368c drm/radeon/r6xx/r7xx: CS parser fixes
- Drop some more safe regs taht userspace shouldn't hit
- Constant base regs need relocs.  This allows us to use
constant buffers rather than the constant register file.
Also we don't want userspace to be able to set arbitrary
mc base values for the const caches.
- Track SQ_CONFIG so we know whether userspace is using
the cfile or constant buffers.

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-03-31 13:12:17 +10:00
Alex Deucher 71b10d8762 drm/radeon/r600: fix warnings in CS checker
drivers/gpu/drm/radeon/r600_cs.c: In function ‘r600_cs_track_check’:
drivers/gpu/drm/radeon/r600_cs.c:166: warning: ‘bpe’ may be used uninitialized in this function
drivers/gpu/drm/radeon/r600_cs.c:166: note: ‘bpe’ was declared here

drivers/gpu/drm/radeon/r600_cs.c: In function ‘r600_cs_parse’:
drivers/gpu/drm/radeon/r600_cs.c:938: warning: ‘bpe’ may be used uninitialized in this function
drivers/gpu/drm/radeon/r600_cs.c:938: note: ‘bpe’ was declared here

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-18 14:20:58 +10:00
Jerome Glisse 7cb72ef4d3 drm/radeon/kms: fix r600/r700 cs checker to avoid double kfree
radeon_cs kfree the tracker structure but for r6xx/r7xx we want
to kfree it inside the parse function because we share it with
the UMS code path. Set tracker to NULL after freeing it will
avoid double free.

Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-12 06:48:33 +10:00
Jerome Glisse 961fb597c1 drm/radeon/kms: r600/r700 command stream checker
This patch add cs checker to r600/r700 hw. Command stream checking
will rewrite some of the cs value in order to restrict GPU access
to BO size. This doesn't break old userspace but just enforce safe
value. It should break any things that was using the r600/r700 cs
ioctl to do forbidden things (malicious software), though we are
not aware of such things.

Here is the list of thing we check :
- enforcing resource size
- enforcing color buffer slice tile max, will restrict cb access
- enforcing db buffer slice tile max, will restrict db access

We don't check for shader bigger than the BO in which they are
supposed to be, such use would lead to GPU lockup and is harmless
from security POV, as far as we can tell (note that even checking
for this wouldn't prevent someone to write bogus shader that lead
to lockup).

This patch has received as much testing as humanly possible with
old userspace to check that it didn't break such configuration.
However not all the applications out there were tested, thus it
might broke some odd, rare applications.

[airlied: fix rules for cs checker for parallel builds]

Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-11 19:03:45 +10:00
Dave Airlie 7087e16286 drm/radeon/kms: preface warning printk with driver name
This just adds a little more info to the warning for old -ati/mesa
userspaces.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-01-25 16:13:55 +10:00
Jerome Glisse c8c15ff1e9 drm/radeon: r6xx/r7xx possible security issue, system ram access
This patch workaround a possible security issue which can allow
user to abuse drm on r6xx/r7xx hw to access any system ram memory.
This patch doesn't break userspace, it detect "valid" old use of
CB_COLOR[0-7]_FRAG & CB_COLOR[0-7]_TILE registers and overwritte
the address these registers are pointing to with the one of the
last color buffer. This workaround will work for old mesa &
xf86-video-ati and any old user which did use similar register
programming pattern as those (we expect that there is no others
user of those ioctl except possibly a malicious one). This patch
add a warning if it detects such usage, warning encourage people
to update their mesa & xf86-video-ati. New userspace will submit
proper relocation.

Fix for xf86-video-ati / mesa (this kernel patch is enough to
prevent abuse, fix for userspace are to set proper cs stream and
avoid kernel warning) :
http://cgit.freedesktop.org/xorg/driver/xf86-video-ati/commit/?id=95d63e408cc88b6934bec84a0b1ef94dfe8bee7b
http://cgit.freedesktop.org/mesa/mesa/commit/?id=46dc6fd3ed5ef96cda53641a97bc68c3bc104a9f

Abusing this register to perform system ram memory is not easy,
here is outline on how it could be achieve. First attacker must
have access to the drm device and be able to submit command stream
throught cs ioctl. Then attacker must build a proper command stream
for r6xx/r7xx hw which will abuse the FRAG or TILE buffer to
overwrite the GPU GART which is in VRAM. To achieve so attacker
as to setup CB_COLOR[0-7]_FRAG or CB_COLOR[0-7]_TILE to point
to the GPU GART, then it has to find a way to write predictable
value into those buffer (with little cleverness i believe this
can be done but this is an hard task). Once attacker have such
program it can overwritte GPU GART to program GPU gart to point
anywhere in system memory. It then can reusse same method as he
used to reprogram GART to overwritte the system ram through the
GART mapping. In the process the attacker has to be carefull to
not overwritte any sensitive area of the GART table, like ring
or IB gart entry as it will more then likely lead to GPU lockup.
Bottom line is that i think it's very hard to use this flaw
to get system ram access but in theory one can achieve so.

Side note: I am not aware of anyone ever using the GPU as an
attack vector, nevertheless we take great care in the opensource
driver to try to detect and forbid malicious use of GPU. I don't
think the closed source driver are as cautious as we are.

Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@linux.ie>
2010-01-21 08:49:32 +10:00
Julia Lawall e265f39e1f drivers/gpu: Use kzalloc for allocating only one thing
Use kzalloc rather than kcalloc(1,...)

The use of the allocated memory that looks like an array is &p->relocs[0],
but this should be the same as p->relocs.

The semantic patch that makes this change is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@@
@@

- kcalloc(1,
+ kzalloc(
          ...)
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2009-12-23 10:04:02 +10:00
Alex Deucher a39533b4dd drm/radeon/r600: CS parser updates
Add some additional regs that require relocs.

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2009-11-10 13:41:07 +10:00
Dave Airlie d4ac6a05d5 drm/radeon/kms: fix vline register for second head.
Both r100/r600 had this wrong, use the macro to extract the register
to relocate.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2009-10-08 11:39:16 +10:00
Jerome Glisse d39c3b8958 drm/radeon/kms: Convert RV515 to new init path and associated cleanup
Convert the rv515 asic support to new init path also add an explanation
in radeon.h about the new init path. There is also few cleanups
associated with this change (others asic calling rv515 helper
functions).

Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@linux.ie>
2009-09-29 11:15:54 +10:00
Dave Airlie 4c57edba45 drm/r600: fix memory leak introduced with 64k malloc avoidance fix.
The legacy r600 path shares code, but doesn't share quite enough
to get the freeing correct. Free the pages here also.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2009-09-28 15:37:25 +10:00
Alex Deucher 210bed8f82 drm/radeon/r600: fix offset handling in CS parser
Need add reloc offset to the offset in the actual
packet.  Fixes use of the DRAW_INDEX packet by the 3D
driver.

[airlied: modified first one where idx_value == ib[idx+0]

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@linux.ie>
2009-09-26 09:09:50 +10:00
Alex Deucher 2f67c6e022 drm/radeon/kms/r600: add support for vline relocs
Provides support for anti-tearing functionality
in the ddx.

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@linux.ie>
2009-09-26 07:49:00 +10:00
Dave Airlie adea4796cf drm/r600: get values from the passed in IB not the copy.
this avoids reading back the IB on AGP, also it avoids
the race where since we haven't fetched the page from the main IB
and written it to the gpu one, reading back fetches 0.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2009-09-25 14:23:47 +10:00
Dave Airlie 513bcb4655 drm/radeon/kms: don't require up to 64k allocations. (v2)
This avoids needing to do a kmalloc > PAGE_SIZE for the main
indirect buffer chunk, it adds an accessor for all reads from
the chunk and caches a single page at a time for subsequent
reads.

changes since v1:
Use a two page pool which should be the most common case
a single packet spanning > PAGE_SIZE will be hit, but I'm
having trouble seeing anywhere we currently generate anything like that.
hopefully proper short page copying at end
added parser_error flag to set deep errors instead of having to test
every ib value fetch.
fixed bug in patch that went to list.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2009-09-25 13:08:18 +10:00
Jerome Glisse 21f9a43722 drm/radeon/kms: cleanup - remove radeon_share.h
radeon_share.h was begining to give problem with include order in
respect of radeon.h. It's easier and also i think cleaner to move
what was in radeon_share.h into radeon.h. At the same time use the
extern keyword for function shared accross the module.

Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2009-09-14 16:10:00 +10:00
Jerome Glisse 3ce0a23d2d drm/radeon/kms: add r600 KMS support
This adds the r600 KMS + CS support to the Linux kernel.

The r600 TTM support is quite basic and still needs more
work esp around using interrupts, but the polled fencing
should work okay for now.

Also currently TTM is using memcpy to do VRAM moves,
the code is here to use a 3D blit to do this, but
isn't fully debugged yet.

Authors:
Alex Deucher <alexdeucher@gmail.com>
Dave Airlie <airlied@redhat.com>
Jerome Glisse <jglisse@redhat.com>

Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2009-09-08 11:15:52 +10:00