Linux kernel documentation tree maintained by Jonathan Corbet http://mirrors.hust.edu.cn/git/lwn.git/atom?h=v4.1.21 2015-01-29T02:37:41+00:00 2015-01-29T02:37:41+00:00 Wang, Yalin Yalin.Wang@sonymobile.com 2015-01-28T05:57:34+00:00 urn:sha1:e410055331c2f474872b364dce3d4042418e892b Change agp_free_page_array to use kvfree function, remove the duplicated code. Signed-off-by: Yalin Wang <yalin.wang@sonymobile.com> Signed-off-by: Dave Airlie <airlied@redhat.com> 2014-02-07T23:10:19+00:00 Paul Gortmaker paul.gortmaker@windriver.com 2014-01-21T21:22:59+00:00 urn:sha1:4c020b032b8a15966e1207b71144ffbb75697e29 None of these files are actually using any __init type directives and hence don't need to include <linux/init.h>. Most are just a left over from __devinit and __cpuinit removal, or simply due to code getting copied from one driver to the next. Cc: David Airlie <airlied@linux.ie> Cc: Matt Mackall <mpm@selenic.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Kukjin Kim <kgene.kim@samsung.com> Cc: Corey Minyard <minyard@acm.org> Cc: Chris Metcalf <cmetcalf@tilera.com> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Peter Huewe <peterhuewe@gmx.de> Cc: Ashley Lai <ashley@ashleylai.com> Cc: Marcel Selhorst <tpmdd@selhorst.net> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2014-01-07T00:49:22+00:00 Bjorn Helgaas bhelgaas@google.com 2014-01-04T01:26:58+00:00 urn:sha1:e501b3d87f003dfad8fcbd0f55ae17ea52495a56 Per the AGP 3.0 spec, APBASE is a standard PCI BAR and may be either 32 bits or 64 bits wide. Many drivers read APBASE directly, but they only handled 32-bit BARs. The PCI core reads APBASE at enumeration-time. Use pci_bus_address() instead of reading it again in the driver. This works correctly for both 32-bit and 64-bit BARs. Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch> 2012-04-12T16:56:21+00:00 Santosh Nayak santoshprasadnayak@gmail.com 2012-04-05T06:01:44+00:00 urn:sha1:ae85226ebe474c9ecfc257191edca184b70ffbc2 Replace "void *" by "u32 __iomem *" to silence sparse warning. Signed-off-by: Santosh Nayak <santoshprasadnayak@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com> 2012-04-12T16:56:17+00:00 Santosh Nayak santoshprasadnayak@gmail.com 2012-04-05T06:01:08+00:00 urn:sha1:971ca4717830c03a50e1ad9993c85601a0496de7 'break' is unnecessary after 'return' statement. Remove all such 'break' as clean up. Signed-off-by: Santosh Nayak <santoshprasadnayak@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com> 2012-01-06T09:32:02+00:00 Tormod Volden debian.tormod@gmail.com 2012-01-05T23:16:26+00:00 urn:sha1:e11d0b87cde80745afe4712a19cd37bca9924a5b Signed-off-by: Tormod Volden <debian.tormod@gmail.com> Reviewed-by: Corbin Simpson <MostAwesomeDude@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com> 2011-04-21T02:16:55+00:00 Vasiliy Kulikov segoon@openwall.com 2011-04-14T16:55:16+00:00 urn:sha1:194b3da873fd334ef183806db751473512af29ce pg_start is copied from userspace on AGPIOC_BIND and AGPIOC_UNBIND ioctl cmds of agp_ioctl() and passed to agpioc_bind_wrap(). As said in the comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND, and it is not checked at all in case of AGPIOC_UNBIND. As a result, user with sufficient privileges (usually "video" group) may generate either local DoS or privilege escalation. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: Dave Airlie <airlied@redhat.com> 2011-04-21T01:51:04+00:00 Vasiliy Kulikov segoon@openwall.com 2011-04-14T16:55:19+00:00 urn:sha1:b522f02184b413955f3bc952e3776ce41edc6355 page_count is copied from userspace. agp_allocate_memory() tries to check whether this number is too big, but doesn't take into account the wrap case. Also agp_create_user_memory() doesn't check whether alloc_size is calculated from num_agp_pages variable without overflow. This may lead to allocation of too small buffer with following buffer overflow. Another problem in agp code is not addressed in the patch - kernel memory exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls). It is not checked whether requested pid is a pid of the caller (no check in agpioc_reserve_wrap()). Each allocation is limited to 16KB, though, there is no per-process limit. This might lead to OOM situation, which is not even solved in case of the caller death by OOM killer - the memory is allocated for another (faked) process. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: Dave Airlie <airlied@redhat.com> 2010-11-23T20:14:46+00:00 Daniel Vetter daniel.vetter@ffwll.ch 2010-11-05T21:27:10+00:00 urn:sha1:cb16b67b5cb33b7d6732e0c416d29d933eea13ce Its only user, intel-gtt.c is now gone. Cc: Dave Airlie <airlied@gmail.com> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> 2010-11-23T20:14:45+00:00 Daniel Vetter daniel.vetter@ffwll.ch 2010-11-05T17:40:56+00:00 urn:sha1:f050a8abbda0efcd597c6b1825e3b9ce4d613383 The intel drm calls the chipset functions now directly. Userspace never called the corresponding ioctl, hence it can be killed, too. Cc: Dave Airlie <airlied@gmail.com> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>