[stable] Patch "drm/nouveau: fix notifier memory corruption bug" has been added to the 2.6.38-stable tree

Fri, 22 Apr 2011 13:23:17 -0700 

This is a note to let you know that I've just added the patch titled

    drm/nouveau: fix notifier memory corruption bug

to the 2.6.38-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     drm-nouveau-fix-notifier-memory-corruption-bug.patch
and it can be found in the queue-2.6.38 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.


>From a18d89ca026140eb8ac4459bf70a01c571dd9a32 Mon Sep 17 00:00:00 2001
From: Marcin Slusarz <[email protected]>
Date: Tue, 19 Apr 2011 23:50:48 +0200
Subject: drm/nouveau: fix notifier memory corruption bug

From: Marcin Slusarz <[email protected]>

commit a18d89ca026140eb8ac4459bf70a01c571dd9a32 upstream.

nouveau_bo_wr32 expects offset to be in words, but we pass value in bytes,
so after commit 73412c3854c877e5f37ad944ee8977addde4d35a ("drm/nouveau: allocate
kernel's notifier object at end of block") we started to overwrite some memory
after notifier buffer object (previously m2mf_ntfy was always 0, so it didn't
matter it was a value in bytes).

Reported-by: Dominik Brodowski <[email protected]>
Reported-by: Nigel Cunningham <[email protected]>
Signed-off-by: Marcin Slusarz <[email protected]>
Cc: Ben Skeggs <[email protected]>
Cc: Pekka Paalanen <[email protected]>
Signed-off-by: Ben Skeggs <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
 drivers/gpu/drm/nouveau/nouveau_fbcon.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c
+++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c
@@ -181,13 +181,13 @@ nouveau_fbcon_sync(struct fb_info *info)
                OUT_RING  (chan, 0);
        }
 
-       nouveau_bo_wr32(chan->notifier_bo, chan->m2mf_ntfy + 3, 0xffffffff);
+       nouveau_bo_wr32(chan->notifier_bo, chan->m2mf_ntfy/4 + 3, 0xffffffff);
        FIRE_RING(chan);
        mutex_unlock(&chan->mutex);
 
        ret = -EBUSY;
        for (i = 0; i < 100000; i++) {
-               if (!nouveau_bo_rd32(chan->notifier_bo, chan->m2mf_ntfy + 3)) {
+               if (!nouveau_bo_rd32(chan->notifier_bo, chan->m2mf_ntfy/4 + 3)) 
{
                        ret = 0;
                        break;
                }


Patches currently in stable-queue which might be from [email protected] 
are

queue-2.6.38/drm-nouveau-fix-notifier-memory-corruption-bug.patch

_______________________________________________
stable mailing list
[email protected]
http://linux.kernel.org/mailman/listinfo/stable

Reply via email to