| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 22 Jun 2009 10:18:02 +0200 From: Thomas Hellström <thomas@...pmail.org> To: Dave Airlie <airlied@...ux.ie> CC: Linus Torvalds <torvalds@...ux-foundation.org>, Alex Deucher <alexdeucher@...il.com>, Andrew Lutomirski <luto@....edu>, dri-devel@...ts.sf.net, Jerome Glisse <jglisse@...hat.com>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org> Subject: Re: [git pull] drm: previous pull req + 1. Dave Airlie wrote: >> On Sun, 21 Jun 2009, Andrew Lutomirski wrote: >> >>>> Anyway, here's a totally UNTESTED patch that hopefully gives a warning on >>>> where exactly we set the invalid bits. Andy, mind trying it out? You >>>> should get the warnign much earlier, and it should have a much more useful >>>> back-trace. >>>> >>> Your patch worked. Photo attached. >>> >> Ok. >> >> So it's fb_mmap() that uses an invalid page frame number when it does the >> "io_remap_pfn_range()" thing. >> >> And the way it gets that page frame number is basically >> >> - Offset (in bytes) from start of mapping: >> >> off = vma->vm_pgoff << PAGE_SHIFT; >> .. >> >> - frame buffer start address: >> >> /* frame buffer memory */ >> start = info->fix.smem_start; >> len = PAGE_ALIGN((start & ~PAGE_MASK) + info->fix.smem_len); >> .. >> off += start; >> >> - do the remap: >> >> io_remap_pfn_range(vma, vma->vm_start, off >> PAGE_SHIFT, .. >> >> and there has been no changes to this logic in drivers/video/fbmem.c >> lately. >> >> What *has* changed is that we have a newradeon driver, and it looks like >> that new radeon driver is crap, and does this: >> >> info->fix.smem_start = (unsigned long)fbptr; >> >> which is totally screwed up. It assigns a _virtual_ address to that >> "smem_start" thing, even though it should be a physical one. >> >> I don't know the radeon driver, so I don't know where to find the physical >> address. It's also possible that there is no good single physical >> address, and the radeon driver should implement a "fb_mmap" function. >> >> Does this patch make the warning and the oops at least go away? Obviously >> it won't result in a working frame buffer, but that's a separate issue >> >> Linus >> > > I noticed the same bogus line myself last night, I'll get Jerome to look > at it since its his code, he was trying to be smart about how the > radeon fbdev emulation should work, but fbdev isn't smart enough to do > what he wants, so I've asked him to go back to the dumb pin the fbcon in > VRAM until we can fix fbdev to do some sort of prepare/commit type hooks > around blocks of reads/writes. > > With the safe method we end up with an 8MB pinned fbcon on 32MB in some > scenarios, which is still totally unacceptable from a user pov. > > There is a ttm_fbdev_mmap() function in TTM that may help in this situation. As with the standard ttm mmap it's using fault() which means it's possible to move out the backing buffer object if you first reserve it and then call unmap_mapping_range() on the relevant fbdev address space to kill existing user-space mappings. We've experimented a little with this on the Poulsbo / Moorestown KMS driver (we threw out the fbcon buffer when the X server was switched in) but the problem turned out to be that fbdev always expects an always present _kernel_ mapping and it seemed a bit too hard to block accesses to that mapping while it was torn down and set up again to point to the new location. In particular, the fbdev acceleration hooks seems to be called from atomic context. It would be very helpful if we could introduce an fbdev mutex that protects fbdev accesses to the kernel map and to the fbdev acceleration functions. /Thomas -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists