Date:	Tue, 28 Oct 2008 22:22:18 -0700
From:	Brandon Philips <bphilips@...e.de>
To:	Arjan van de Ven <arjan@...radead.org>
Cc:	Dave Airlie <airlied@...hat.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	zhenyu.z.wang@...el.com, jbarnes@...tuousgeek.org,
	linux-kernel@...r.kernel.org
Subject: [PATCH v2] intel-agp: Avoid oops for G33 on 1MB stolen case

This is similar to f443675affe3f16dd428e46f0f7fd3f4d703eeab which was
reverted because it broke the older X.org driver. This patch only fixes
the 1MB stolen case since it causes an oops.

Xorg will not work without the accompanying patch[1] but avoiding an
oops and making it possible to work with a patched xorg driver is
reasonable.

[1] http://ifup.org/~philips/review/xf86-video-intel-G33-1mb.patch

Explanation of the oops:

> static void intel_i830_init_gtt_entries(void)
...
>         } else if (IS_G33) {
>         /* G33's GTT size defined in gmch_ctrl */
>                 switch (gmch_ctrl & G33_PGETBL_SIZE_MASK) {
>                 case G33_PGETBL_SIZE_1M:
>                         size = 1024;
>                         break;
...
>                 size += 4;

size = 1028

Then since we have the BIOS setting 1MB for the device in the GMCH
control we get to here:

>         } else {
>                 switch (gmch_ctrl & I855_GMCH_GMS_MASK) {
>                 case I855_GMCH_GMS_STOLEN_1M:
>                         gtt_entries = MB(1) - KB(size);
>                         break;

MB(1) = 1 * 1024 * 1024
KB(1028) = 1028 * 1024

MB(1) - KB(1028) = -4096

>         gtt_entries /= KB(4);
>         intel_private.gtt_entries = gtt_entries;

We end up with -1 in gtt_entries.

This leads to intel_i915_configure reading/writing to areas outside of
mapped memory and the oops.

Bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=391261

Signed-off-by: Brandon Philips <bphilips@...e.de>

---
 drivers/char/agp/intel-agp.c |    7 +++++++
 1 file changed, 7 insertions(+)

Index: linux-2.6/drivers/char/agp/intel-agp.c
===================================================================
--- linux-2.6.orig/drivers/char/agp/intel-agp.c
+++ linux-2.6/drivers/char/agp/intel-agp.c
@@ -561,6 +561,13 @@ static void intel_i830_init_gtt_entries(
 	} else {
 		switch (gmch_ctrl & I855_GMCH_GMS_MASK) {
 		case I855_GMCH_GMS_STOLEN_1M:
+			if (IS_G33) {
+				size = 0;
+				WARN(1, KERN_WARNING
+				       "Warning: G33 chip with 1MB allocated."
+					" Older X.org Intel drivers will not"
+					" work.\n");
+			}
 			gtt_entries = MB(1) - KB(size);
 			break;
 		case I855_GMCH_GMS_STOLEN_4M:
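
Review bot: the new `if (IS_G33)` test in the I855_GMCH_GMS_STOLEN_1M case keys on chip type rather than on the condition that actually underflows, which is KB(size) exceeding the stolen size. Testing `KB(size) > MB(1)` at this spot would state the invariant directly, and the same guard could sit in front of the other stolen-size cases. Forcing size = 0 makes gtt_entries come out as MB(1) / KB(4) = 256, so the whole stolen megabyte is counted as usable; a comment explaining why that is safe when the GTT itself is 1028 KB would help the next reader. WARN(1, ...) also emits a backtrace for what is a known BIOS configuration, and the KERN_WARNING prefix ends up inside the WARN format string; a plain printk(KERN_WARNING ...) looks like a better fit.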

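The arithmetic from the explanation of the oops, as an added example that is not part of the original message or of the kernel source. The function names are hypothetical, the KB()/MB() macros are written here to match the values given in the message, and the 4MB input is a constructed comparison case; the second function shows one way to reject a GTT that does not fit in stolen memory instead of letting the subtraction go negative.

```c
#include <stdio.h>

/* Written to match the values in the message: KB(1028) = 1028 * 1024,
 * MB(1) = 1 * 1024 * 1024. */
#define KB(x) ((x) * 1024)
#define MB(x) (KB(KB(x)))

/* Mirrors the quoted logic: stolen memory minus the GTT size, then
 * converted to a count of 4 KB pages. Signed arithmetic, as the -1
 * result in the message implies. Hypothetical helper name. */
static int gtt_entries_unchecked(int stolen_bytes, int gtt_size_kb)
{
	int gtt_entries = stolen_bytes - KB(gtt_size_kb);

	gtt_entries /= KB(4);
	return gtt_entries;
}

/* Checked variant (hypothetical): refuse a GTT larger than the stolen
 * region. Returns 0 and stores the entry count in *out on success,
 * -1 if the inputs cannot produce a valid count. */
static int gtt_entries_checked(int stolen_bytes, int gtt_size_kb, int *out)
{
	if (stolen_bytes < 0 || gtt_size_kb < 0 ||
	    gtt_size_kb > stolen_bytes / 1024)
		return -1;
	*out = (stolen_bytes - KB(gtt_size_kb)) / KB(4);
	return 0;
}

int main(void)
{
	int entries = 0;

	/* G33 case from the message: 1 MB stolen, size = 1024 + 4. */
	printf("unchecked 1MB/1028KB: %d entries\n",
	       gtt_entries_unchecked(MB(1), 1028));

	if (gtt_entries_checked(MB(1), 1028, &entries) != 0)
		printf("checked   1MB/1028KB: rejected, GTT exceeds stolen memory\n");

	/* Constructed comparison: 4 MB stolen leaves room for the GTT. */
	if (gtt_entries_checked(MB(4), 1028, &entries) == 0)
		printf("checked   4MB/1028KB: %d entries\n", entries);
	return 0;
}
```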