From cc22cd8bde39f3e4be8ca9f726a773b0270ebdbc Mon Sep 17 00:00:00 2001
From: Dave Airlie
Date: Tue, 19 Dec 2006 16:39:13 +1100
Subject: drm: ioremap balanced with iounmap for drivers/char/drm ioremap must be balanced by an iounmap and failing to do so can result in a memory leak. Tested (compilation only) to make sure the files are compiling without any warning/error due to new changes
Signed-off-by: Amol Lad
Signed-off-by: Dave Airlie
---
 linux-core/drm_bufs.c | 4 ++++
 1 file changed, 4 insertions(+) (limited to 'linux-core/drm_bufs.c')
diff --git a/linux-core/drm_bufs.c b/linux-core/drm_bufs.c
index d6ebc8d1..1ff7c90b 100644
--- a/linux-core/drm_bufs.c
+++ b/linux-core/drm_bufs.c
@@ -279,6 +279,8 @@ static int drm_addmap_core(drm_device_t * dev, unsigned int offset,
 list = drm_alloc(sizeof(*list), DRM_MEM_MAPS);
 if (!list) {
+ if (map->type == _DRM_REGISTERS)
+ drm_ioremap(map->handle, map->size, dev);
 drm_free(map, sizeof(*map), DRM_MEM_MAPS);
 return -EINVAL;
 }
@@ -295,6 +297,8 @@ static int drm_addmap_core(drm_device_t * dev, unsigned int offset,
 ret = drm_map_handle(dev, &list->hash, user_token, 0);
 if (ret) {
+ if (map->type == _DRM_REGISTERS)
+ drm_ioremap(map->handle, map->size, dev);
 drm_free(map, sizeof(*map), DRM_MEM_MAPS);
 drm_free(list, sizeof(*list), DRM_MEM_MAPS);
 mutex_unlock(&dev->struct_mutex);
-- cgit v1.2.3
From 696f2bfbd1b6da73893bce082308a43878e6ab75 Mon Sep 17 00:00:00 2001
From: Dave Airlie
Date: Tue, 19 Dec 2006 16:44:57 +1100
Subject: Revert "drm: ioremap balanced with iounmap for drivers/char/drm" This reverts cc22cd8bde39f3e4be8ca9f726a773b0270ebdbc commit. I put this patch incorrectly in .. will fix now
---
 linux-core/drm_bufs.c | 4 ----
 1 file changed, 4 deletions(-) (limited to 'linux-core/drm_bufs.c')
diff --git a/linux-core/drm_bufs.c b/linux-core/drm_bufs.c
index 1ff7c90b..d6ebc8d1 100644
--- a/linux-core/drm_bufs.c
+++ b/linux-core/drm_bufs.c
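Review bot: The cleanup added in the `@@ -279,6 +279,8 @@` hunk of cc22cd8 calls `drm_ioremap(map->handle, map->size, dev)`, which requests a mapping instead of releasing one, so the `_DRM_REGISTERS` mapping is still leaked on the `!list` path and the already-mapped handle is passed where the other call site in this file passes `map->offset`. The same two lines are added in the `@@ -295,6 +297,8 @@` hunk on the `drm_map_handle()` failure path. The balancing call should be the unmap helper, `drm_ioremapfree(map->handle, map->size, dev);`, which is what `drm_rmmap_locked()` uses for this map type. Both hunks sit inside `drm_addmap_core()`, whose body starts and ends outside them.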
@@ -279,8 +279,6 @@ static int drm_addmap_core(drm_device_t * dev, unsigned int offset,
 list = drm_alloc(sizeof(*list), DRM_MEM_MAPS);
 if (!list) {
- if (map->type == _DRM_REGISTERS)
- drm_ioremap(map->handle, map->size, dev);
 drm_free(map, sizeof(*map), DRM_MEM_MAPS);
 return -EINVAL;
 }
@@ -297,8 +295,6 @@ static int drm_addmap_core(drm_device_t * dev, unsigned int offset,
 ret = drm_map_handle(dev, &list->hash, user_token, 0);
 if (ret) {
- if (map->type == _DRM_REGISTERS)
- drm_ioremap(map->handle, map->size, dev);
 drm_free(map, sizeof(*map), DRM_MEM_MAPS);
 drm_free(list, sizeof(*list), DRM_MEM_MAPS);
 mutex_unlock(&dev->struct_mutex);
-- cgit v1.2.3
From 72b5d1507a7e9c18fc0141c13819ea01c0813924 Mon Sep 17 00:00:00 2001
From: Thomas Hellstrom
Date: Tue, 19 Dec 2006 23:23:17 +0100
Subject: Security fix. Zero pages before they are handed to user space. Shared memory areas were not cleared when they are allocated and handed to user space. Sensitive information may leak.
---
 linux-core/drm_bufs.c | 1 +
 1 file changed, 1 insertion(+) (limited to 'linux-core/drm_bufs.c')
diff --git a/linux-core/drm_bufs.c b/linux-core/drm_bufs.c
index d6ebc8d1..ef110c28 100644
--- a/linux-core/drm_bufs.c
+++ b/linux-core/drm_bufs.c
@@ -202,6 +202,7 @@ static int drm_addmap_core(drm_device_t * dev, unsigned int offset,
 drm_free(map, sizeof(*map), DRM_MEM_MAPS);
 return -ENOMEM;
 }
+ memset(map->handle, 0, map->size);
 map->offset = (unsigned long)map->handle;
 if (map->flags & _DRM_CONTAINS_LOCK) {
 /* Prevent a 2nd X Server from creating a 2nd lock */
-- cgit v1.2.3
From 672593f611df484af89e425ff5f1ea0ea074f2bb Mon Sep 17 00:00:00 2001
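Review bot: The `memset()` added in the `@@ -202,6 +202,7 @@` hunk of 72b5d15 carries no comment saying why the buffer is cleared, so a later cleanup could drop it as redundant work. I would add `/* Clear the area: it is mapped into user space and must not expose stale kernel data. */` directly above it. The hunk covers only the one allocation whose NULL check precedes it; the other map types handled by `drm_addmap_core()` are outside the hunk, and any of them that hand freshly allocated memory to user space presumably need the same treatment, which is worth confirming. The function's body starts and ends outside the hunk.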
From: Thomas Hellstrom
Date: Wed, 20 Dec 2006 14:40:36 +0100
Subject: Replace vmalloc_32. The vmalloc_32 function together with the memset to clear the new pages are replaced with a vmalloc_user. A pre-2.6.18 compat vmalloc_user is added. Please replace any breakage on machines with > 1GB of memory.
---
 linux-core/drm_bufs.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'linux-core/drm_bufs.c')
diff --git a/linux-core/drm_bufs.c b/linux-core/drm_bufs.c
index ef110c28..1ff191ad 100644
--- a/linux-core/drm_bufs.c
+++ b/linux-core/drm_bufs.c
@@ -195,14 +195,13 @@ static int drm_addmap_core(drm_device_t * dev, unsigned int offset,
 *maplist = list;
 return 0;
 }
- map->handle = vmalloc_32(map->size);
+ map->handle = vmalloc_user(map->size);
 DRM_DEBUG("%lu %d %p\n", map->size, drm_order(map->size), map->handle);
 if (!map->handle) {
 drm_free(map, sizeof(*map), DRM_MEM_MAPS);
 return -ENOMEM;
 }
- memset(map->handle, 0, map->size);
 map->offset = (unsigned long)map->handle;
 if (map->flags & _DRM_CONTAINS_LOCK) {
 /* Prevent a 2nd X Server from creating a 2nd lock */
-- cgit v1.2.3
From b147c3926352e4dcb9dbf53b8b12baae8ce34254 Mon Sep 17 00:00:00 2001
From: Christoph Hellwig
Date: Mon, 8 Jan 2007 10:55:49 +1100
Subject: drm: remove drm_follow_page, and drm_ioremap and ioremapfree This comes from the Re: [patch] paravirt: isolate module ops on lkml It needs some testing, please report any regressions caused.
Signed-off-by: Dave Airlie
---
 linux-core/drm_bufs.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'linux-core/drm_bufs.c')
diff --git a/linux-core/drm_bufs.c b/linux-core/drm_bufs.c
index 1ff191ad..8793ba0e 100644
--- a/linux-core/drm_bufs.c
+++ b/linux-core/drm_bufs.c
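Review bot: Clearing of this user-visible area now rests solely on `vmalloc_user()` returning zeroed pages, and nothing at the call site in the `@@ -195,14 +195,13 @@` hunk of 672593f records that. The description mentions a pre-2.6.18 compat `vmalloc_user`, which is not part of this file-limited view; it should be confirmed that the compat version also clears the allocation, otherwise older kernels go back to handing uncleared pages to user space. I would add `/* vmalloc_user() returns zeroed memory; required because this area is mapped into user space. */` above the call so the removed `memset()` is not mistaken for an oversight. `drm_addmap_core()` starts and ends outside the hunk.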
@@ -179,7 +179,7 @@ static int drm_addmap_core(drm_device_t * dev, unsigned int offset,
 }
 }
 if (map->type == _DRM_REGISTERS)
- map->handle = drm_ioremap(map->offset, map->size, dev);
+ map->handle = ioremap(map->offset, map->size);
 break;
 case _DRM_SHM:
 list = drm_find_matching_map(dev, map);
@@ -279,6 +279,8 @@ static int drm_addmap_core(drm_device_t * dev, unsigned int offset,
 list = drm_alloc(sizeof(*list), DRM_MEM_MAPS);
 if (!list) {
+ if (map->type == _DRM_REGISTERS)
+ iounmap(map->handle);
 drm_free(map, sizeof(*map), DRM_MEM_MAPS);
 return -EINVAL;
 }
@@ -295,6 +297,8 @@ static int drm_addmap_core(drm_device_t * dev, unsigned int offset,
 ret = drm_map_handle(dev, &list->hash, user_token, 0);
 if (ret) {
+ if (map->type == _DRM_REGISTERS)
+ iounmap(map->handle);
 drm_free(map, sizeof(*map), DRM_MEM_MAPS);
 drm_free(list, sizeof(*list), DRM_MEM_MAPS);
 mutex_unlock(&dev->struct_mutex);
@@ -402,7 +406,7 @@ int drm_rmmap_locked(drm_device_t *dev, drm_local_map_t *map)
 switch (map->type) {
 case _DRM_REGISTERS:
- drm_ioremapfree(map->handle, map->size, dev);
+ iounmap(map->handle);
 /* FALLTHROUGH */
 case _DRM_FRAME_BUFFER:
 if (drm_core_has_MTRR(dev) && map->mtrr >= 0) {
-- cgit v1.2.3
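Review bot: The result of `ioremap()` in the `@@ -179,7 +179,7 @@` hunk of b147c39 is stored in `map->handle` and followed directly by `break`, so a failed mapping leaves a NULL handle in a map that appears to go on to be registered. The `drm_ioremap()` call being replaced was unchecked in the same way, but switching to the raw kernel API is a good moment to add the check, using the same `drm_free()` plus `-ENOMEM` exit that the allocation failure path at `@@ -195,14 +195,13 @@` uses. Whether anything else needs undoing at that point cannot be seen from the hunk, since `drm_addmap_core()` starts and ends outside it.

```c
		if (map->type == _DRM_REGISTERS) {
			map->handle = ioremap(map->offset, map->size);
			if (!map->handle) {
				drm_free(map, sizeof(*map), DRM_MEM_MAPS);
				return -ENOMEM;
			}
		}
		break;
```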
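Review bot: Only the `_DRM_REGISTERS` mapping is undone on the error paths in the `@@ -279,6 +279,8 @@` and `@@ -295,6 +297,8 @@` hunks of b147c39; for every other map type the visible lines still free just the `map` structure. If a `_DRM_SHM` map can reach these paths, the buffer obtained from `vmalloc_user()` earlier in `drm_addmap_core()` would presumably be leaked in the same way, which is worth confirming against the code between the hunks. The identical two-line cleanup is also duplicated, and a single exit label that undoes the type-specific allocation would keep the two paths from drifting apart. In the first hunk the `-EINVAL` returned for a failed `drm_alloc()` is a context line, but `-ENOMEM` would describe that failure more accurately.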