Commit Graph

1488 Commits

Author SHA1 Message Date
Pauli Nieminen
c60a284cc4 drm/radeon: Skip dma copy test in benchmark if card doesn't have dma engine.
radeon_copy_dma is only available for r200 or newer cards.
Call to radeon_copy_dma would result to NULL pointer
dereference if benchmarking asic without dma engine.

Signed-off-by: Pauli Nieminen <suokkos@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-11 13:13:25 +10:00
Dave Airlie
6719fc663c drm/radeon/kms: fix screen clearing before fbcon.
This memset_io was added to debug something way back and got
left behind, memset the fb to black so the borders don't be all white.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-11 11:25:27 +10:00
Dave Airlie
efa8450f6c drm/radeon/kms: add quirk for VGA without DDC on rv730 XFX card.
Reported on irc by nirbheek.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-09 09:06:00 +10:00
Dave Airlie
4b9d2a2112 drm/radeon/kms: don't crash if no DDC bus on VGA/DVI connector.
This is strange - like really really strange, twilight zone of strange.
VGA ports have DDC buses, but sometimes for some reasons the BIOS
says we don't and we oops - AMD mentioned bios bugs so we'll have
to add quirks.

reported on irc by nirbheek and
https://bugzilla.redhat.com/show_bug.cgi?id=554323

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-09 08:54:42 +10:00
Dave Airlie
1ca137cdcd drm/radeon/kms: change Kconfig text to reflect the new option.
Ingo pointed out that we really don't give the user enough warning to make
a decision here. So revise the Kconfig text with a better warning.

Acked-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-08 15:05:58 +10:00
Rafał Miłecki
38fd2c6ff5 drm/radeon/kms: suspend and resume audio stuff
Fixes FDO bug #26214

Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-05 15:26:19 +10:00
Dave Airlie
5ff5571767 drm/radeon/kms: fix r300 vram width calculations
This was incorrect according to the docs and the UMS driver does
it like this.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-05 14:00:03 +10:00
Dave Airlie
a17538f93c drm/radeon/kms: rs400/480 MC setup is different than r300.
Boot testing on my rs480 laptop found the MC idle never happened
on startup, a quick check with AMD found the idle bit is in a different
place on the rs4xx than r300.

Implement a new rs400 mc idle function to fix this.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-05 13:40:16 +10:00
Dave Airlie
624ab4f87e drm/radeon/kms: make initial state of load detect property correct.
this was incorrect on my rs480.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-05 12:03:00 +10:00
Dave Airlie
23fff28a9b drm/radeon/kms: disable HDMI audio for now on rv710/rv730
Support isn't correct yet and we are getting green tinges on the
displays.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-05 11:57:42 +10:00
Jerome Glisse
655efd3dc9 drm/radeon/kms: don't call suspend path before cleaning up GPU
In suspend path we unmap the GART table while in cleaning up
path we will unbind buffer and thus try to write to unmapped
GART leading to oops. In order to avoid this we don't call the
suspend path in cleanup path. Cleanup path is clever enough
to desactive GPU like the suspend path is doing, thus this was
redondant.

Tested on: RV370, R420, RV515, RV570, RV610, RV770 (all PCIE)

Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-05 11:49:52 +10:00
Andrew Morton
94cf6434a1 drivers/gpu/drm/radeon/radeon_combios.c: fix warning
drivers/gpu/drm/radeon/radeon_combios.c: In function 'radeon_combios_get_lvds_info':
drivers/gpu/drm/radeon/radeon_combios.c:893: warning: comparison is always false due to limited range of data type

Cc: Dave Airlie <airlied@linux.ie>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-05 11:47:14 +10:00
Randy Dunlap
d7748bacbb ati_pcigart: fix printk format warning
Fix ati_pcigart printk format warning:

drivers/gpu/drm/ati_pcigart.c:115: warning: format '%Lx' expects type 'long long unsigned int', but argument 3 has type 'dma_addr_t'

Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Cc: Zhenyu Wang <zhenyuw@linux.intel.com>
Cc: Dave Airlie <airlied@linux.ie>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-05 11:46:48 +10:00
Pauli Nieminen
9e5b2af75a drm/r100/kms: Emit cache flush to the end of command buffer. (v2)
Cache flush is required in case CPU is accessing rendered data.

This fixes glean/readPixSanity test case and random rendering
errors in sauerbraten and warzone2100.

v2 Fix comment ordering in r100_fence_ring_emit and remove extra
   defines added in first version.

Signed-off-by: Pauli Nieminen <suokkos@gmail.com>
Reviewed-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-05 11:45:10 +10:00
Jerome Glisse
062b389c87 drm/radeon/kms: fix regression rendering issue on R6XX/R7XX
It seems that some R6XX/R7XX silently ignore HDP flush when
programmed through ring, this patch addback an ioctl callback
to allow R6XX/R7XX hw to perform such flush through MMIO in
order to fix a regression. For more details see:

http://bugzilla.kernel.org/show_bug.cgi?id=15186

Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-05 11:43:51 +10:00
Jerome Glisse
c38c7b64a2 drm/radeon/kms: move blit initialization after we disabled VGA
VGA might be overwritting VRAM and corrupt our blit shader leading
to corruption, it likely won't happen if you load fbcon right after
radeon. Thanks to Shawn Starr and Andre Maasikas for tracking down
this issue.

Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-05 11:43:09 +10:00
Michel Dänzer
17aafccab4 drm/radeon/kms: Fix oops after radeon_cs_parser_init() failure.
If radeon_cs_parser_init() fails, radeon_cs_ioctl() calls
radeon_cs_parser_fini() with the non-zero error value. The latter dereferenced
parser->ib which hasn't been initialized yet -> boom. Add a test for parser->ib
being non-NULL before dereferencing it.

Signed-off-by: Michel Dänzer <daenzer@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-01 12:49:28 +10:00
Dave Airlie
f71d018798 drm/radeon/kms: move radeon KMS on/off switch out of staging.
We are happy enough that the KMS driver is stable enough for enough people
for the kms enable/disable to leave staging. Distros can now contemplate
turning this on.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-01 11:35:47 +10:00
Jerome Glisse
ff82f052d2 drm/radeon/kms: Bailout of blit if error happen & protect with mutex V3
If an error happen in r600_blit_prepare_copy report it rather
than WARNING and keeping execution. For instance if ib allocation
failed we did just warn about but then latter tried to access
NULL ib ptr causing oops. This patch also protect r600_copy_blit
with a mutex as otherwise one process might overwrite blit temporary
data with new one possibly leading to GPU lockup.

Should partialy or totaly fix:
https://bugzilla.redhat.com/show_bug.cgi?id=553279

V2 failing blit initialization is not fatal, fallback to memcpy when
this happen
V3 init blit before startup as we pin in startup, remove duplicate
code (this one was actualy tested unlike V2)

Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-01 11:33:11 +10:00
Jakob Bornecrantz
5ffdb658f6 drm/vmwgfx: Don't send bad flags to the host
Signed-off-by: Jakob Bornecrantz <jakob@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-01 11:29:59 +10:00
Peter Hanzel
c188660f6d drm/vmwgfx: Request SVGA version 2 and bail if not found
This fixes the driver not loading on older versions of VMware.

Signed-off-by: Peter Hanzel <hanzelpeter@gmail.com>
Signed-off-by: Jakob Bornecrantz <jakob@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-01 11:29:31 +10:00
Jakob Bornecrantz
8e19a95177 drm/vmwgfx: Correctly detect 3D
Signed-off-by: Jakob Bornecrantz <jakob@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-01 11:29:03 +10:00
Austin Yuan
110b20c3dd drm/ttm: remove unnecessary save_flags and ttm_flag_masked in ttm_bo_util.c
Signed-off-by: Austin Yuan <shengquan.yuan@gmail.com>
Acked-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-01 11:27:25 +10:00
Richard Kennedy
dd5fde6041 drm/ttm: remove padding from ttm_ref_object on 64bit builds
Re-order structure ttm_ref_object to remove 8 bytes of alignment padding
on 64 bit builds, so shrinking its size from 72 to 64 bytes allowing it
to fit into a smaller slab.

Signed-off-by: Richard Kennedy <richard@rsk.demon.co.uk>
Acked-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-01 11:24:50 +10:00
Dave Airlie
4b866288be drm/radeon/kms: release agp on error.
if we get an error, release the AGP if we've acquired it already.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-01 11:22:10 +10:00
John Kacur
2dea2e29b9 drm/kms/radeon/agp: Move the check of the aper_size after drm_acp_acquire and drm_agp_info
First call drm_agp_acquire to check if agp has been acquired.
Second call drm_agp_info to fill in the info data struct, including aper_size.
Finally do the check to see if the aper_size makes sense.

Signed-off-by: John Kacur <jkacur@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-01 11:19:31 +10:00
John Kacur
cdb6e375c3 drm/kms/radeon/agp: Fix warning, format ‘%d’ expects type ‘int’, but argument 4 has type ‘size_t’
- Fix warning by using %zu instead of %d for size_t
- Fix spelling mistake, "to" should be "too".

Signed-off-by: John Kacur <jkacur@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-01 11:19:08 +10:00
Francisco Jerez
db78e27de7 drm/ttm: Avoid conflicting reserve_memtype during ttm_tt_set_page_caching.
Fixes errors like:
> reserve_ram_pages_type failed 0x15b7a000-0x15b7b000, track 0x8, req 0x10
when a BO is moved between WC and UC areas.

Reported-by: Xavier Chantry <shiningxc@gmail.com>
Signed-off-by: Francisco Jerez <currojerez@riseup.net>
Acked-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-01 11:15:37 +10:00
Dave Airlie
f28cf33945 drm/kms/radeon: pick digitial encoders smarter. (v3)
booting a Lenovo W500 with LVDS + DP outputs showed up a TODO we had
on our list, to pick a correct digital encoder block. The LVTMA
encoder requires the second digital encoder, all others can use any
encoder at all.

This fixes the digital encoder selection logic to enable LVDS/DP combos
to work okay.

V2: fix silly addition of connector dig_block and cleanup the other
places in the code that pick the encoder.

V3: rename to dig_encoder and clean up further - also fix
the picking algorithm.

tested on Lenovo W500 + desktop 3650 cards.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-01 10:13:15 +10:00
Dave Airlie
43c33ed87d drm/radeon/kms: use active device to pick connector for encoder
On the W500 we have UNIPHY routed to both DVI and DP, this seems
to always pick the DVI connector which means link training fails.

Switch to using active device to pick the connector, this seems
like it should be safe from a code review, and it fixes things
a bit more here.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-01 10:12:26 +10:00
Dave Airlie
97b94ccb9a drm/radeon/kms: fix incorrect logic in DP vs eDP connector checking.
This makes displayport work again here.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-02-01 10:12:17 +10:00
Dave Airlie
7087e16286 drm/radeon/kms: preface warning printk with driver name
This just adds a little more info to the warning for old -ati/mesa
userspaces.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-01-25 16:13:55 +10:00
Dave Airlie
f2ab3a13d2 drm/radeon/kms: drop unnecessary printks.
These printks aren't required anymore.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-01-25 16:13:12 +10:00
Zhenyu Wang
5fd4df4d47 drm: fix regression in fb blank handling
commit 731b5a15a3
Author: James Simmons <jsimmons@infradead.org>
Date:   Thu Oct 29 20:39:07 2009 +0000

    drm/kms: properly handle fbdev blanking

uses DRM_MODE_DPMS_ON for FB_BLANK_NORMAL, but DRM_MODE_DPMS_ON
is actually for turning output on instead of blank.

This makes fb blank broken on my T61, it put LVDS on but leave
pipe disabled which made screen totally white or caused some
'burning' effect.

[airlied: James objects to this but at this point in 2.6.33,
I can't see a patch that will fix this properly like he wants coming
in time and otherwise this is a regression - proper fix for 2.6.34
hopefully.]

Cc: James Simmons <jsimmons@infradead.org>
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-01-25 16:04:47 +10:00
Dave Airlie
d796d8446f drm/radeon/kms: make hibernate work on IGPs
This is the least invasive fix without migrating the radeon driver
to pm_ops from what I can see. We just always migrate VRAM objects
on IGPs for now and we can fix it up later to migrate depending
on STR vs STD.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-01-25 16:04:42 +10:00
Thomas Hellstrom
8ba5152a3a drm/vmwgfx: Optimize memory footprint for DMA buffers.
Use VRAM whenever there is free space for DMA buffers,
but use system GMR memory if using VRAM would cause an eviction.

This significantly reduces the guest system memory usage for
VMs with a large amount of VRAM allocated.

Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-01-25 16:04:39 +10:00
Thomas Hellstrom
0eaddb28d3 drm/ttm: Allow system memory as a busy placement.
This is needed to fix a vmwgfx memory usage bug.

Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-01-25 16:04:30 +10:00
Dave Airlie
9299795c6e Merge remote branch 'korg/drm-radeon-next' into drm-linus
* korg/drm-radeon-next:
  drm/radeon/kms: fix legacy get_engine/memory clock
  drm/radeon/kms/atom: atom parser fixes
  drm/radeon/kms: clean up atombios pll code
  drm/radeon/kms: clean up pll struct
  drm/radeon/kms/atom: fix crtc lock ordering
  drm/radeon: r6xx/r7xx possible security issue, system ram access
  drm/radeon/kms: r600/r700 don't test ib if ib initialization fails
  drm/radeon/kms: Forbid creation of framebuffer with no valid GEM object
  drm/radeon/kms: r600 handle irq vector ring overflow
  drm/radeon/kms: r600/r700 don't process IRQ if not initialized
  drm/radeon/kms: r600/r700 disable irq at suspend
  drm/radeon/kms/r4xx: cleanup atom path
  drm/radeon/kms: fix atombios_crtc_set_base
  drm/radeon/kms/atom: upstream parser updates
  drm/radeon/kms/atom: fix some parser bugs
  drm/radeon/kms: fix hardcoded mmio size in register functions
  drm/radeon/kms/r100: fix bug in CS parser
  drm/radeon/kms/r200: fix bug in CS parser
  drm/radeon/kms/r200: fix bug in CS parser
2010-01-25 16:04:21 +10:00
Dave Airlie
8d586fe65a Merge remote branch 'nouveau/for-airlied' of ../drm-nouveau-next into drm-linus
* 'nouveau/for-airlied' of ../drm-nouveau-next:
  drm/nv50: prevent switching off SOR when in use for DVI-over-DP
  drm/nv50: fail auxch transaction if reply count not what we expect
  drm/nouveau: fix failure path if userspace specifies no valid memtypes
  drm/nouveau: report LVDS as disconnected if lid closed
  drm/nv50: prevent accidently turning off encoders we're actually using
  drm/nv50: fix alignment of per-channel fifo cache
  drm/nouveau: Evict buffers in VRAM before freeing sgdma
  drm/nouveau: Acknowledge DMA_VTX_PROTECTION PGRAPH interrupts
  drm/nouveau: fix thinko in nv04_instmem.c
  drm/nouveau: fix a race condition in nouveau_dma_wait()
2010-01-25 16:04:11 +10:00
Luca Barbieri
1a961ce09f drm/ttm: Fix race condition in ttm_bo_delayed_delete (v3, final)
Resending this with Thomas Hellstrom's signoff for merging into 2.6.33

ttm_bo_delayed_delete has a race condition, because after we do:
kref_put(&nentry->list_kref, ttm_bo_release_list);

we are not holding the list lock and not holding any reference to
objects, and thus every bo in the list can be removed and freed at
this point.

However, we then use the next pointer we stored, which is not guaranteed
to be valid.

This was apparently the cause of some Nouveau oopses I experienced.

This patch rewrites the function so that it keeps the reference to nentry
until nentry itself is freed and we already got a reference to nentry->next.

v2 updated by me according to Thomas Hellstrom's feedback.
v3 proposed by Thomas Hellstrom. Commit comment updated by me.

Both updates fixed minor efficiency/style issues only and all three versions
should be correct.

Signed-off-by: Luca Barbieri <luca@luca-barbieri.com>
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-01-25 11:43:54 +10:00
Ben Skeggs
162265367a drm/nv50: prevent switching off SOR when in use for DVI-over-DP
Another hack because of us exposing each encoder block's function as
an encoder rather than exposing a single encoder that deals with them
all.

A proper fix will come, it's just rather invasive so this hack will
do until then.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
2010-01-25 10:35:33 +10:00
Ben Skeggs
0107bae01a drm/nv50: fail auxch transaction if reply count not what we expect
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
2010-01-25 10:35:25 +10:00
Ben Skeggs
0208843dd5 drm/nouveau: fix failure path if userspace specifies no valid memtypes
We need to add the buffer to the list even if we fail, otherwise the
validate_fini() call won't unreserve + unreference the GEM object,
making TTM very unhappy.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
2010-01-25 10:35:19 +10:00
Ben Skeggs
a1470890f2 drm/nouveau: report LVDS as disconnected if lid closed
Also adds a module option to ignore the status reported via ACPI, in case
we hit systems with broken ACPI.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
2010-01-25 10:35:13 +10:00
Alex Deucher
38678d3557 drm/radeon/kms: fix legacy get_engine/memory clock
Fix a bad shift in the post div.

Should fix fdo bug 26145

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-01-24 17:25:38 +10:00
Alex Deucher
947bfc8304 drm/radeon/kms/atom: atom parser fixes
Only reset the reg block on the initial execute
table call; nested calls require the reg block not be
reset on each call.  Also reset the fb window and
io mode.  This matches the upstream parser behavior.

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-01-24 17:25:05 +10:00
Alex Deucher
4eaeca3351 drm/radeon/kms: clean up atombios pll code
- split pll adjust into a separate function
- use a union for SetPixelClock params

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-01-24 17:24:29 +10:00
Alex Deucher
fc10332b8a drm/radeon/kms: clean up pll struct
- add a new flag for fixed post div
- pull the pll flags into the struct

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-01-24 17:24:23 +10:00
Alex Deucher
a348c84d95 drm/radeon/kms/atom: fix crtc lock ordering
This makes crtc_prepare and crtc_commit match.

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2010-01-24 17:23:38 +10:00
Jerome Glisse
c8c15ff1e9 drm/radeon: r6xx/r7xx possible security issue, system ram access
This patch workaround a possible security issue which can allow
user to abuse drm on r6xx/r7xx hw to access any system ram memory.
This patch doesn't break userspace, it detect "valid" old use of
CB_COLOR[0-7]_FRAG & CB_COLOR[0-7]_TILE registers and overwritte
the address these registers are pointing to with the one of the
last color buffer. This workaround will work for old mesa &
xf86-video-ati and any old user which did use similar register
programming pattern as those (we expect that there is no others
user of those ioctl except possibly a malicious one). This patch
add a warning if it detects such usage, warning encourage people
to update their mesa & xf86-video-ati. New userspace will submit
proper relocation.

Fix for xf86-video-ati / mesa (this kernel patch is enough to
prevent abuse, fix for userspace are to set proper cs stream and
avoid kernel warning) :
http://cgit.freedesktop.org/xorg/driver/xf86-video-ati/commit/?id=95d63e408cc88b6934bec84a0b1ef94dfe8bee7b
http://cgit.freedesktop.org/mesa/mesa/commit/?id=46dc6fd3ed5ef96cda53641a97bc68c3bc104a9f

Abusing this register to perform system ram memory is not easy,
here is outline on how it could be achieve. First attacker must
have access to the drm device and be able to submit command stream
throught cs ioctl. Then attacker must build a proper command stream
for r6xx/r7xx hw which will abuse the FRAG or TILE buffer to
overwrite the GPU GART which is in VRAM. To achieve so attacker
as to setup CB_COLOR[0-7]_FRAG or CB_COLOR[0-7]_TILE to point
to the GPU GART, then it has to find a way to write predictable
value into those buffer (with little cleverness i believe this
can be done but this is an hard task). Once attacker have such
program it can overwritte GPU GART to program GPU gart to point
anywhere in system memory. It then can reusse same method as he
used to reprogram GART to overwritte the system ram through the
GART mapping. In the process the attacker has to be carefull to
not overwritte any sensitive area of the GART table, like ring
or IB gart entry as it will more then likely lead to GPU lockup.
Bottom line is that i think it's very hard to use this flaw
to get system ram access but in theory one can achieve so.

Side note: I am not aware of anyone ever using the GPU as an
attack vector, nevertheless we take great care in the opensource
driver to try to detect and forbid malicious use of GPU. I don't
think the closed source driver are as cautious as we are.

Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@linux.ie>
2010-01-21 08:49:32 +10:00