Currently there is no check that the pushbuffer request bounds are inside
the TTM BO.
This allows to instruct the kernel to do relocations on user-selected
addresses, since the relocation bounds checking relies on the request
bounds.
This can oops the kernel accidentally and is easily exploitable.
This patch adds bound checking and alignment checking for ->offset and
->nr_dwords.
It also makes some variables unsigned, which should have no effect,
but prevents possible bounds checking problems.
Signed-off-by: Luca Barbieri <luca@luca-barbieri.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
This is to prevent things such as GART tables and other important GPU
structures being allocated there before we take over fbcon ourselves.
This is more of a workaround for the moment, a better solution will
require some more invasive changes, but it'll be done at some point.
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
This was spotted by kmemleak.
Signed-off-by: Xavier Chantry <shiningxc@gmail.com>
Signed-off-by: Francisco Jerez <currojerez@riseup.net>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
This fixes imac black screen (NV18 card)
Signed-off-by: Andrea Tacconi <tacconet@libero.it>
Signed-off-by: Francisco Jerez <currojerez@riseup.net>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
This in the very least matches the parsing of all the previously known
entries, and hopefully (at least closer to) correct for any we haven't
seen yet.
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
There's a report of a TNT2 where the DCB table pointer is *not* NULL
(it contains a part of a VBIOS data string), and we assume this means
a DCB table is present, causing all kinds of hilarity.
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Not an ideal solution, but it'll do for the moment for correctness. We
need to come up with a nicer way to manage inter-channel sync, the hw
is unfortunately a little lacking in this area.
Should fix some resume corruption, as well as corruption that may be seen
while under memory pressure.
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Apparently the original reason for checking this was there were known
register accesses that caused hangs on some chipsets. This was more
than likely because of incorrect parsing of previous opcodes, and I
hardly think aborting a script half way through is going to be any
better (in fact, we have had bug reports where this has been the cause
of s/r failures among other things).
This patch (which has been in Fedora 12 for a long time now) removes
all checking for known register ranges, and just leaves the check to
ensure the access is within the mapped aperture to avoid an oops.
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
This should fix the problem with gpu hangs people have had when closing
channels.
Signed-off-by: Maarten Maathuis <madman2003@gmail.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Some upcoming G80 DMA changes will depend on this, but it's split out for
bisectibility just in case it causes some unexpected issues.
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Currently Nouveau will unvalidate all buffers if it is forced to wait on
one, and then start revalidating from the beginning. While doing so, it
destroys the operation fence, causing nouveau_fence_emit to crash.
This patch fixes this bug by taking the fence object out of validate_op
and creating it just before emit. The fence pointer is initialized to 0
and unref'ed unconditionally.
In addition to fixing the bug, this prevents its reintroduction and
simplifies the code.
Signed-off-by: Luca Barbieri <luca@luca-barbieri.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
The below is mainly an educated guess at what's going on, docs would
sure be handy... NVIDIA? :P
It appears it's possible for a ctxprog to run even while a GPU exception
is pending. The GF8 and up ctxprogs appear to have a small snippet of
code which detects this, and stalls the ctxprog until it's been handled,
which essentially looks like:
if (r2 & 0x00008000) {
r0 |= 0x80000000;
while (r0 & 0x80000000) {}
}
I don't know of any way that flag would get cleared unless the driver
intervenes (and indeed, in the cases I've seen the hang, nothing steps
in to automagically clear it for us). This patch causes the driver to
clear the flag during the PGRAPH IRQ handler.
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
There's no good reason for us to have our own anymore, this is left over
from an early port to these TTM interfaces.
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
It's mostly a cleanup, but in nv50_fbcon_accel_init gpu lockup
message was printed, but HWACCEL_DISBALED flag was not set.
Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Depending on the visual, the colours handed to us in fillrect() can either be
an actual colour, or an index into the pseudo-palette.
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
This should avoid a race condition on nv0x, if we're doing it with
actual PGRAPH objects and a there's a fence within the FIFO DMA fetch
area when a context switch kicks in.
In that case we get an ILLEGAL_MTHD interrupt as expected, but the
values in PGRAPH_TRAPPED_ADDR aren't calculated correctly and they're
almost useless (e.g. you can see ILLEGAL_MTHDs for the now inactive
channel, with a wrong offset/data pair).
Signed-off-by: Francisco Jerez <currojerez@riseup.net>
It will be useful for various synchronization purposes, mostly stolen
from "[PATCH] drm/nv50: synchronize user channel after buffer object
move on kernel channel" by Maarten Maathuis.
Signed-off-by: Francisco Jerez <currojerez@riseup.net>
- Aligning to block size should ensure that the extra size is enough.
- Using roundup, because not all sizes are powers of two.
Signed-off-by: Maarten Maathuis <madman2003@gmail.com>
struct fb_fillrect->color is not a color, but index into pseudo_palette
array
Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
This partially reverts e4b41066, as this driver is intended to be
useful with any KMS driver for suitable hardware. The missing build
dependency that commit workarounded was DRM_KMS_HELPER.
Signed-off-by: Francisco Jerez <currojerez@riseup.net>
This commit has also the following 3 bugfix commits squashed into it from
the nouveau git tree:
drm/nouveau: Fix up the tiling alignment restrictions for nv1x.
drm/nouveau: Fix up the nv2x tiling alignment restrictions.
drm/nv50: fix align typo for g9x
Signed-off-by: Francisco Jerez <currojerez@riseup.net>
If userspace (plymouth in this case) asks for a deeper depth,
refuse it as well due to lack of resizing.
This fixes an issue since < 32MB cards went to 8bpp and plymouth
crashes on startup.
Signed-off-by: Dave Airlie <airlied@redhat.com>
With the current DRM code, an output that has been powered off
from userspace will automatically power back on when resuming
from suspend. This patch fixes this behaviour.
Tested only with the Intel i915 driver on an Intel GM45 Express
chipset.
Signed-off-by: David John <davidjon@xenontk.org>
Reviewed-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
If for any reason we haven't installed handler we shouldn't try to
enable IRQ/MSI on the hw so we don't get unhandled IRQ/MSI which
makes the kernel sad.
Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
In some case vblank might not be initialized and we shouldn't
try to use associated function. This patch make sure this is
the case. It also export drm_vblank_cleanup so driver can cleanup
vblank if for any reason IRQ/MSI is not working.
Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
In some case we weren't releasing the AGP device at module unloading.
This leaded to unfunctional AGP at next module load. This patch make
sure we release the AGP bus if we acquire it.
Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>