
Bug#285563: kernel-source-2.4.27: drm locking fix missing in 2.4 kernels



Package: kernel
Version: 2.4.27-6
Severity: important

The fix for CAN-2004-1056, added in 2.6.8-11, also applies to 2.4 - however,
I don't think it will compile, because 2.4 doesn't define the
LOCK_TEST_WITH_RETURN() in drmP.h.

from 2.6.8's changelog:
  * [SECURITY] Fix insufficient locking checks in DRM code;
    CAN-2004-1056 (Fabio M. Di Nitto).

I've attached a backport of the patch from 2.6; it does not include a definition of this macro.

Sorry for being lazy and not fixing it myself - I don't have time to look at
it now, but I also didn't want us to collectively forget about it.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: ia64
Kernel: Linux 2.6.9-1-mckinley
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages kernel-source-2.4.27 depends on:
ii  binutils             2.15.90.0.3-0dannf1 The GNU assembler, linker and bina
ii  bzip2                1.0.2-2             high-quality block-sorting file co
ii  coreutils [fileutils 5.2.1-2             The GNU core utilities
ii  fileutils            5.2.1-2             The GNU file management utilities 

-- no debconf information
diff -urN kernel-source-2.4.27.orig/drivers/char/drm/i810_dma.c kernel-source-2.4.27/drivers/char/drm/i810_dma.c
--- kernel-source-2.4.27.orig/drivers/char/drm/i810_dma.c	2004-12-01 03:07:54.000000000 -0700
+++ kernel-source-2.4.27/drivers/char/drm/i810_dma.c	2004-12-13 22:18:50.404864367 -0700
@@ -952,10 +952,7 @@
    	drm_file_t	  *priv	  = filp->private_data;
    	drm_device_t	  *dev	  = priv->dev;
 
-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i810_flush_ioctl called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp );
 
    	i810_flush_queue(dev);
    	return 0;
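Review bot: `LOCK_TEST_WITH_RETURN( dev, filp )` is used here and in every other hunk of i810_dma.c, i830_dma.c and i830_irq.c, but the report states that 2.4's drmP.h does not define it, so the backport will not build until a definition is added. That definition has to do more than the removed `_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)` test, which passes whenever any client holds the lock. It should also compare the lock's recorded owner with the caller and return -EINVAL on a mismatch, which appears to be the substance of the "insufficient locking checks" fix. The owner field in the 2.4 lock structure may differ from the one the 2.6 macro uses, so check it against 2.4's drmP.h rather than copying the 2.6 definition verbatim. The enclosing function begins above the hunk.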
@@ -977,10 +974,7 @@
 	if (copy_from_user(&vertex, (drm_i810_vertex_t *)arg, sizeof(vertex)))
 		return -EFAULT;
 
-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i810_dma_vertex called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp );
 
 	if(vertex.idx < 0 || vertex.idx > dma->buf_count) return -EINVAL;
 
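Review bot: The context line `if(vertex.idx < 0 || vertex.idx > dma->buf_count) return -EINVAL;` accepts `vertex.idx == dma->buf_count`, which is one past the last valid entry if buf_count is the number of buffers in `dma->buflist`. `vertex` is filled by `copy_from_user`, so the index is caller-controlled and the backport leaves this bound as it was. The comparison should be `if (vertex.idx < 0 || vertex.idx >= dma->buf_count) return -EINVAL;`. The use of vertex.idx lies below the hunk, so confirm it indexes buflist (as the i810_dma_mc hunk does with `dma->buflist[mc.idx]`) before changing it.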
@@ -1008,10 +1002,7 @@
    	if (copy_from_user(&clear, (drm_i810_clear_t *)arg, sizeof(clear)))
 		return -EFAULT;
 
-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i810_clear_bufs called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp );
 
  	/* GH: Someone's doing nasty things... */
  	if (!dev->dev_private) {
@@ -1030,10 +1021,8 @@
 	drm_file_t *priv = filp->private_data;
 	drm_device_t *dev = priv->dev;
 
-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i810_swap_buf called without lock held\n");
-		return -EINVAL;
-	}
+
+	LOCK_TEST_WITH_RETURN( dev, filp ); 
 
 	i810_dma_dispatch_swap( dev );
    	return 0;
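Review bot: Style only: the added line `LOCK_TEST_WITH_RETURN( dev, filp ); ` carries a trailing space, and this hunk also adds an empty line before it, leaving two blank lines in a row. The trailing space recurs on the added line of most later hunks in all three files. Dropping it and the extra blank line keeps the backport clean against whitespace checks.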
@@ -1068,10 +1057,7 @@
    	if (copy_from_user(&d, (drm_i810_dma_t *)arg, sizeof(d)))
 		return -EFAULT;
 
-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i810_dma called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp ); 
 
 	d.granted = 0;
 
@@ -1179,10 +1165,7 @@
 		return -EFAULT;
 
 
-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i810_dma_mc called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp ); 
 
 	i810_dma_dispatch_mc(dev, dma->buflist[mc.idx], mc.used,
 		mc.last_render );
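Review bot: `dma->buflist[mc.idx]` is indexed with no range check anywhere between the `-EFAULT` return and the dispatch call; the only statement in between is the lock test. If `mc` is filled by a copy_from_user just above the hunk, as the `-EFAULT` return suggests, the index comes straight from the caller. Holding the lock does not make the value trustworthy, so a check such as `if (mc.idx < 0 || mc.idx >= dma->buf_count) return -EINVAL;` belongs after the lock test. The function begins above the hunk and continues below it.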
@@ -1227,10 +1210,7 @@
 	drm_device_t *dev = priv->dev;
 	drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
 
-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i810_fstatus called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp ); 
 	return I810_READ(0x30008);
 }
 
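Review bot: `dev_priv` is taken from `dev->dev_private` and used right after the lock test without a NULL check. Here it is used through `I810_READ(0x30008)`, which presumably reads via dev_priv, and in the next hunk (i810_ov0_flip) explicitly as `dev_priv->overlay_physical`. The i810_clear_bufs hunk guards the same pointer with `if (!dev->dev_private)`, so an ioctl arriving before initialisation is a case the driver already expects. Suggest `if (!dev_priv) return -EINVAL;` after the lock test in both functions. Both functions begin above their hunks.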
@@ -1241,10 +1221,7 @@
 	drm_device_t *dev = priv->dev;
 	drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private;
 
-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i810_ov0_flip called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp ); 
 
 	//Tell the overlay to update
 	I810_WRITE(0x30000,dev_priv->overlay_physical | 0x80000000);
diff -urN kernel-source-2.4.27.orig/drivers/char/drm/i830_dma.c kernel-source-2.4.27/drivers/char/drm/i830_dma.c
--- kernel-source-2.4.27.orig/drivers/char/drm/i830_dma.c	2004-02-18 06:36:31.000000000 -0700
+++ kernel-source-2.4.27/drivers/char/drm/i830_dma.c	2004-12-13 22:15:53.955647778 -0700
@@ -1330,10 +1330,7 @@
    	drm_file_t	  *priv	  = filp->private_data;
    	drm_device_t	  *dev	  = priv->dev;
 
-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i830_flush_ioctl called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp ); 
 
    	i830_flush_queue(dev);
    	return 0;
@@ -1354,10 +1351,7 @@
 	if (copy_from_user(&vertex, (drm_i830_vertex_t *)arg, sizeof(vertex)))
 		return -EFAULT;
 
-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i830_dma_vertex called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp ); 
 
 	DRM_DEBUG("i830 dma vertex, idx %d used %d discard %d\n",
 		  vertex.idx, vertex.used, vertex.discard);
@@ -1384,10 +1378,7 @@
    	if (copy_from_user(&clear, (drm_i830_clear_t *)arg, sizeof(clear)))
 		return -EFAULT;
    
-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i830_clear_bufs called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp ); 
 
 	/* GH: Someone's doing nasty things... */
 	if (!dev->dev_private) {
@@ -1409,10 +1400,7 @@
    
 	DRM_DEBUG("i830_swap_bufs\n");
 
-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i830_swap_buf called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp ); 
 
 	i830_dma_dispatch_swap( dev );
    	return 0;
@@ -1453,10 +1441,7 @@
 
 	DRM_DEBUG("%s\n", __FUNCTION__);
 
-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i830_flip_buf called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp ); 
 
 	if (!dev_priv->page_flipping) 
 		i830_do_init_pageflip( dev );
@@ -1495,10 +1480,7 @@
    	if (copy_from_user(&d, (drm_i830_dma_t *)arg, sizeof(d)))
 		return -EFAULT;
    
-	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i830_dma called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp ); 
 	
 	d.granted = 0;
 
diff -urN kernel-source-2.4.27.orig/drivers/char/drm/i830_irq.c kernel-source-2.4.27/drivers/char/drm/i830_irq.c
--- kernel-source-2.4.27.orig/drivers/char/drm/i830_irq.c	2003-11-28 11:26:20.000000000 -0700
+++ kernel-source-2.4.27/drivers/char/drm/i830_irq.c	2004-12-13 22:15:53.965413403 -0700
@@ -130,10 +130,7 @@
 	drm_i830_irq_emit_t emit;
 	int result;
 
-   	if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) {
-		DRM_ERROR("i830_irq_emit called without lock held\n");
-		return -EINVAL;
-	}
+	LOCK_TEST_WITH_RETURN( dev, filp ); 
 
 	if ( !dev_priv ) {
 		DRM_ERROR( "%s called with no initialization\n", __FUNCTION__ );
