Commit Graph

11 Commits

Author SHA1 Message Date
Jerome Glisse c8c15ff1e9 drm/radeon: r6xx/r7xx possible security issue, system ram access
This patch workaround a possible security issue which can allow
user to abuse drm on r6xx/r7xx hw to access any system ram memory.
This patch doesn't break userspace, it detect "valid" old use of
CB_COLOR[0-7]_FRAG & CB_COLOR[0-7]_TILE registers and overwritte
the address these registers are pointing to with the one of the
last color buffer. This workaround will work for old mesa &
xf86-video-ati and any old user which did use similar register
programming pattern as those (we expect that there is no others
user of those ioctl except possibly a malicious one). This patch
add a warning if it detects such usage, warning encourage people
to update their mesa & xf86-video-ati. New userspace will submit
proper relocation.

Fix for xf86-video-ati / mesa (this kernel patch is enough to
prevent abuse, fix for userspace are to set proper cs stream and
avoid kernel warning) :
http://cgit.freedesktop.org/xorg/driver/xf86-video-ati/commit/?id=95d63e408cc88b6934bec84a0b1ef94dfe8bee7b
http://cgit.freedesktop.org/mesa/mesa/commit/?id=46dc6fd3ed5ef96cda53641a97bc68c3bc104a9f

Abusing this register to perform system ram memory is not easy,
here is outline on how it could be achieve. First attacker must
have access to the drm device and be able to submit command stream
throught cs ioctl. Then attacker must build a proper command stream
for r6xx/r7xx hw which will abuse the FRAG or TILE buffer to
overwrite the GPU GART which is in VRAM. To achieve so attacker
as to setup CB_COLOR[0-7]_FRAG or CB_COLOR[0-7]_TILE to point
to the GPU GART, then it has to find a way to write predictable
value into those buffer (with little cleverness i believe this
can be done but this is an hard task). Once attacker have such
program it can overwritte GPU GART to program GPU gart to point
anywhere in system memory. It then can reusse same method as he
used to reprogram GART to overwritte the system ram through the
GART mapping. In the process the attacker has to be carefull to
not overwritte any sensitive area of the GART table, like ring
or IB gart entry as it will more then likely lead to GPU lockup.
Bottom line is that i think it's very hard to use this flaw
to get system ram access but in theory one can achieve so.

Side note: I am not aware of anyone ever using the GPU as an
attack vector, nevertheless we take great care in the opensource
driver to try to detect and forbid malicious use of GPU. I don't
think the closed source driver are as cautious as we are.

Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@linux.ie>
2010-01-21 08:49:32 +10:00
Alex Deucher b500f68045 drm/radeon/kms: add regs and irq tracking bits for hpd
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2009-12-08 10:46:34 +10:00
Alex Deucher d8f60cfc93 drm/radeon/kms: Add support for interrupts on r6xx/r7xx chips (v3)
This enables the use of interrupts on r6xx/r7xx hardware.
Interrupts are implemented via a ring buffer.  The GPU adds
interrupts vectors to the ring and the host reads them off
in the interrupt handler.  The interrupt controller requires
firmware like the CP.  This firmware must be installed and
accessble to the firmware loader for interrupts to function.

MSIs don't seem to work on my RS780.  They work fine on all
my discrete cards.  I'm not sure about other RS780s or
RS880s.  I've disabled MSIs on RS780 and RS880, but it would
probably be worth checking on some other systems.

v2 - fix some checkpatch.pl problems;
     re-read the disp int status reg if we restart the ih;

v3 - remove the irq handler if r600_irq_init() fails;
     remove spinlock in r600_ih_ring_fini();
     move ih rb overflow check to r600_get_ih_wptr();
     move irq ack to separate function;

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2009-12-02 14:00:06 +10:00
Dave Airlie 23956dfa82 drm/radeon/kms: add HDP flushing for all GPUs.
rendercheck under kms on r600s was failing due to HDP flushing not happening.

This adds HDP flushing to the object wait function for r100->r700 families.

rendercheck passes basic tests on r600 with this change.

Acked-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2009-12-02 11:37:11 +10:00
Linus Torvalds 6b46362c0e Merge branch 'drm-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6
* 'drm-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6: (52 commits)
  drm/kms: Init the CRTC info fields for modes forced from the command line.
  drm/radeon/r600: CS parser updates
  drm/radeon/kms: add debugfs for power management for AtomBIOS devices
  drm/radeon/kms: initial mode validation support
  drm/radeon/kms/atom/dce3: call transmitter init on mode set
  drm/radeon/kms: store detailed connector info
  drm/radeon/kms/atom/dce3: fix up usPixelClock calculation for Transmitter tables
  drm/radeon/kms/r600: fix rs880 support v2
  drm/radeon/kms/r700: fix some typos in chip init
  drm/radeon/kms: remove some misleading debugging output
  drm/radeon/kms: stop putting VRAM at 0 in MC space on r600s.
  drm/radeon/kms: disable D1VGA and D2VGA if enabled
  drm/radeon/kms: Don't RMW CP_RB_CNTL
  drm/radeon/kms: fix coherency issues on AGP cards.
  drm/radeon/kms: fix rc410 suspend/resume.
  drm/radeon/kms: add quirk for hp dc5750
  drm/radeon/kms/atom: fix potential oops in spread spectrum code
  drm/kms: typo fix
  drm/radeon/kms/atom: Make card_info per device
  drm/radeon/kms/atom: Fix DVO support
  ...
2009-11-11 11:32:04 -08:00
Alex Deucher a39533b4dd drm/radeon/r600: CS parser updates
Add some additional regs that require relocs.

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2009-11-10 13:41:07 +10:00
Alex Deucher 5885b7a9f4 drm/radeon/kms: fix vram_width calculation on r6xx/r7xx
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2009-10-26 13:28:19 +10:00
Dave Airlie c1176d6f03 Merge branch 'drm-next' of ../drm-next into drm-linus
conflict in radeon since new init path merged with vga arb code.

Conflicts:
	drivers/gpu/drm/radeon/radeon.h
	drivers/gpu/drm/radeon/radeon_asic.h
	drivers/gpu/drm/radeon/radeon_device.c
2009-10-08 14:03:05 +10:00
Jerome Glisse 1a029b768f drm/radeon/kms: Fix AGP support for R600/RV770 family (v2)
For AGP to work unmapped access must cover VRAM & AGP as
AGP is treated like VRAM by the GPU (ie physical address).
This patch properly setup the virtual memory system aperture
to cover AGP if AGP is enabled. It seems that there is memory
corruption after resume when using AGP (RV770 seems unaffected
thought). Version 2 just fix merge issue with updated AGP
fallback patch.

Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2009-10-08 09:40:04 +10:00
Dave Airlie 28d520433b drm/vgaarb: add VGA arbitration support to the drm and kms.
VGA arb requires DRM support for non-kms drivers, to turn on/off
irqs when disabling the mem/io regions.

VGA arb requires KMS support for GPUs where we can turn off VGA
decoding. Currently we know how to do this for intel and radeon
kms drivers, which allows them to be removed from the arbiter.

This patch comes from Fedora rawhide kernel.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2009-09-21 15:00:27 +10:00
Jerome Glisse 3ce0a23d2d drm/radeon/kms: add r600 KMS support
This adds the r600 KMS + CS support to the Linux kernel.

The r600 TTM support is quite basic and still needs more
work esp around using interrupts, but the polled fencing
should work okay for now.

Also currently TTM is using memcpy to do VRAM moves,
the code is here to use a 3D blit to do this, but
isn't fully debugged yet.

Authors:
Alex Deucher <alexdeucher@gmail.com>
Dave Airlie <airlied@redhat.com>
Jerome Glisse <jglisse@redhat.com>

Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2009-09-08 11:15:52 +10:00