diff options
author | Christian Birchinger <joker@gentoo.org> | 2004-12-25 02:56:50 +0000 |
---|---|---|
committer | Christian Birchinger <joker@gentoo.org> | 2004-12-25 02:56:50 +0000 |
commit | d555c720ba140a32bc80c914b95e53f4ccc79389 (patch) | |
tree | da31fe1545db8b73fc54d17fb365deac297bd2bd /sys-kernel/sparc-sources/files/linux-2.4.28-CAN-2004-1056.patch | |
parent | New version (Manifest recommit) (diff) | |
download | gentoo-2-d555c720ba140a32bc80c914b95e53f4ccc79389.tar.gz gentoo-2-d555c720ba140a32bc80c914b95e53f4ccc79389.tar.bz2 gentoo-2-d555c720ba140a32bc80c914b95e53f4ccc79389.zip |
Fixed the #72452 and #74464 security holes
Diffstat (limited to 'sys-kernel/sparc-sources/files/linux-2.4.28-CAN-2004-1056.patch')
-rw-r--r-- | sys-kernel/sparc-sources/files/linux-2.4.28-CAN-2004-1056.patch | 321 |
1 files changed, 321 insertions, 0 deletions
diff --git a/sys-kernel/sparc-sources/files/linux-2.4.28-CAN-2004-1056.patch b/sys-kernel/sparc-sources/files/linux-2.4.28-CAN-2004-1056.patch new file mode 100644 index 000000000000..53b777acaac5 --- /dev/null +++ b/sys-kernel/sparc-sources/files/linux-2.4.28-CAN-2004-1056.patch @@ -0,0 +1,321 @@ +diff -ur linux-2.4.28/drivers/char/drm/i810.h linux-2.4.28.plasmaroo/drivers/char/drm/i810.h +--- linux-2.4.28/drivers/char/drm/i810.h 2003-11-28 18:26:20.000000000 +0000 ++++ linux-2.4.28.plasmaroo/drivers/char/drm/i810.h 2004-12-23 16:26:31.000000000 +0000 +@@ -114,4 +114,14 @@ + #define DRIVER_AGP_BUFFERS_MAP( dev ) \ + ((drm_i810_private_t *)((dev)->dev_private))->buffer_map + ++#define LOCK_TEST_WITH_RETURN( dev ) \ ++do { \ ++ if ( !_DRM_LOCK_IS_HELD( dev->lock.hw_lock->lock ) || \ ++ dev->lock.pid != current->pid ) { \ ++ DRM_ERROR( "%s called without lock held\n", \ ++ __FUNCTION__ ); \ ++ return -EINVAL; \ ++ } \ ++} while (0) ++ + #endif +diff -ur linux-2.4.28/drivers/char/drm/i810_dma.c linux-2.4.28.plasmaroo/drivers/char/drm/i810_dma.c +--- linux-2.4.28/drivers/char/drm/i810_dma.c 2004-02-18 13:36:31.000000000 +0000 ++++ linux-2.4.28.plasmaroo/drivers/char/drm/i810_dma.c 2004-12-23 16:27:16.000000000 +0000 +@@ -948,10 +948,7 @@ + drm_file_t *priv = filp->private_data; + drm_device_t *dev = priv->dev; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_flush_ioctl called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + i810_flush_queue(dev); + return 0; +@@ -973,10 +970,7 @@ + if (copy_from_user(&vertex, (drm_i810_vertex_t *)arg, sizeof(vertex))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_dma_vertex called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + if(vertex.idx < 0 || vertex.idx > dma->buf_count) return -EINVAL; + +@@ -1004,10 +998,7 @@ + if (copy_from_user(&clear, (drm_i810_clear_t *)arg, sizeof(clear))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_clear_bufs called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + /* GH: Someone's doing nasty things... */ + if (!dev->dev_private) { +@@ -1026,10 +1017,7 @@ + drm_file_t *priv = filp->private_data; + drm_device_t *dev = priv->dev; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_swap_buf called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + i810_dma_dispatch_swap( dev ); + return 0; +@@ -1064,10 +1052,7 @@ + if (copy_from_user(&d, (drm_i810_dma_t *)arg, sizeof(d))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_dma called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + d.granted = 0; + +@@ -1174,11 +1159,7 @@ + if (copy_from_user(&mc, (drm_i810_mc_t *)arg, sizeof(mc))) + return -EFAULT; + +- +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_dma_mc called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + i810_dma_dispatch_mc(dev, dma->buflist[mc.idx], mc.used, + mc.last_render ); +@@ -1223,10 +1204,7 @@ + drm_device_t *dev = priv->dev; + drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_fstatus called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + return I810_READ(0x30008); + } + +@@ -1237,10 +1215,7 @@ + drm_device_t *dev = priv->dev; + drm_i810_private_t *dev_priv = (drm_i810_private_t *)dev->dev_private; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_ov0_flip called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + //Tell the overlay to update + I810_WRITE(0x30000,dev_priv->overlay_physical | 0x80000000); +diff -ur linux-2.4.28/drivers/char/drm/i830.h linux-2.4.28.plasmaroo/drivers/char/drm/i830.h +--- linux-2.4.28/drivers/char/drm/i830.h 2003-11-28 18:26:20.000000000 +0000 ++++ linux-2.4.28.plasmaroo/drivers/char/drm/i830.h 2004-12-23 16:31:33.000000000 +0000 +@@ -154,4 +154,14 @@ + #define DRIVER_AGP_BUFFERS_MAP( dev ) \ + ((drm_i830_private_t *)((dev)->dev_private))->buffer_map + ++#define LOCK_TEST_WITH_RETURN( dev ) \ ++do { \ ++ if ( !_DRM_LOCK_IS_HELD( dev->lock.hw_lock->lock ) || \ ++ dev->lock.pid != current->pid ) { \ ++ DRM_ERROR( "%s called without lock held\n", \ ++ __FUNCTION__ ); \ ++ return -EINVAL; \ ++ } \ ++} while (0) ++ + #endif +diff -ur linux-2.4.28/drivers/char/drm/i830_dma.c linux-2.4.28.plasmaroo/drivers/char/drm/i830_dma.c +--- linux-2.4.28/drivers/char/drm/i830_dma.c 2004-02-18 13:36:31.000000000 +0000 ++++ linux-2.4.28.plasmaroo/drivers/char/drm/i830_dma.c 2004-12-23 16:32:08.000000000 +0000 +@@ -1330,10 +1330,7 @@ + drm_file_t *priv = filp->private_data; + drm_device_t *dev = priv->dev; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_flush_ioctl called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + i830_flush_queue(dev); + return 0; +@@ -1354,10 +1351,7 @@ + if (copy_from_user(&vertex, (drm_i830_vertex_t *)arg, sizeof(vertex))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_dma_vertex called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + DRM_DEBUG("i830 dma vertex, idx %d used %d discard %d\n", + vertex.idx, vertex.used, vertex.discard); +@@ -1384,10 +1378,7 @@ + if (copy_from_user(&clear, (drm_i830_clear_t *)arg, sizeof(clear))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_clear_bufs called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + /* GH: Someone's doing nasty things... */ + if (!dev->dev_private) { +@@ -1409,10 +1400,7 @@ + + DRM_DEBUG("i830_swap_bufs\n"); + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_swap_buf called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + i830_dma_dispatch_swap( dev ); + return 0; +@@ -1453,10 +1441,7 @@ + + DRM_DEBUG("%s\n", __FUNCTION__); + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_flip_buf called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + if (!dev_priv->page_flipping) + i830_do_init_pageflip( dev ); +@@ -1495,10 +1480,7 @@ + if (copy_from_user(&d, (drm_i830_dma_t *)arg, sizeof(d))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_dma called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + d.granted = 0; + +diff -ur linux-2.4.28/drivers/char/drm/i830_irq.c linux-2.4.28.plasmaroo/drivers/char/drm/i830_irq.c +--- linux-2.4.28/drivers/char/drm/i830_irq.c 2003-11-28 18:26:20.000000000 +0000 ++++ linux-2.4.28.plasmaroo/drivers/char/drm/i830_irq.c 2004-12-23 16:39:47.000000000 +0000 +@@ -130,10 +130,7 @@ + drm_i830_irq_emit_t emit; + int result; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i830_irq_emit called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + if ( !dev_priv ) { + DRM_ERROR( "%s called with no initialization\n", __FUNCTION__ ); +diff -ur linux-2.4.28/drivers/char/drm-4.0/drmP.h linux-2.4.28.plasmaroo/drivers/char/drm-4.0/drmP.h +--- linux-2.4.28/drivers/char/drm-4.0/drmP.h 2004-02-18 13:36:31.000000000 +0000 ++++ linux-2.4.28.plasmaroo/drivers/char/drm-4.0/drmP.h 2004-12-23 16:21:30.000000000 +0000 +@@ -294,6 +294,16 @@ + #define DRM_BUFCOUNT(x) ((x)->count - DRM_LEFTCOUNT(x)) + #define DRM_WAITCOUNT(dev,idx) DRM_BUFCOUNT(&dev->queuelist[idx]->waitlist) + ++#define LOCK_TEST_WITH_RETURN( dev ) \ ++do { \ ++ if ( !_DRM_LOCK_IS_HELD( dev->lock.hw_lock->lock ) || \ ++ dev->lock.pid != current->pid ) { \ ++ DRM_ERROR( "%s called without lock held\n", \ ++ __FUNCTION__ ); \ ++ return -EINVAL; \ ++ } \ ++} while (0) ++ + typedef int drm_ioctl_t(struct inode *inode, struct file *filp, + unsigned int cmd, unsigned long arg); + +diff -ur linux-2.4.28/drivers/char/drm-4.0/i810_dma.c linux-2.4.28.plasmaroo/drivers/char/drm-4.0/i810_dma.c +--- linux-2.4.28/drivers/char/drm-4.0/i810_dma.c 2004-02-18 13:36:31.000000000 +0000 ++++ linux-2.4.28.plasmaroo/drivers/char/drm-4.0/i810_dma.c 2004-12-23 16:21:30.000000000 +0000 +@@ -1249,10 +1249,7 @@ + drm_device_t *dev = priv->dev; + + DRM_DEBUG("i810_flush_ioctl\n"); +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_flush_ioctl called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + i810_flush_queue(dev); + return 0; +@@ -1274,10 +1271,7 @@ + if (copy_from_user(&vertex, (drm_i810_vertex_t *)arg, sizeof(vertex))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_dma_vertex called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n", + vertex.idx, vertex.used, vertex.discard); +@@ -1308,10 +1302,7 @@ + if (copy_from_user(&clear, (drm_i810_clear_t *)arg, sizeof(clear))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_clear_bufs called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + i810_dma_dispatch_clear( dev, clear.flags, + clear.clear_color, +@@ -1327,10 +1318,7 @@ + + DRM_DEBUG("i810_swap_bufs\n"); + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_swap_buf called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + i810_dma_dispatch_swap( dev ); + return 0; +@@ -1366,10 +1354,7 @@ + if (copy_from_user(&d, (drm_i810_dma_t *)arg, sizeof(d))) + return -EFAULT; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_dma called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + d.granted = 0; + +@@ -1399,10 +1384,7 @@ + drm_i810_buf_priv_t *buf_priv; + drm_device_dma_t *dma = dev->dma; + +- if(!_DRM_LOCK_IS_HELD(dev->lock.hw_lock->lock)) { +- DRM_ERROR("i810_dma called without lock held\n"); +- return -EINVAL; +- } ++ LOCK_TEST_WITH_RETURN(dev); + + if (copy_from_user(&d, (drm_i810_copy_t *)arg, sizeof(d))) + return -EFAULT; |