freebsd-nq/sys
Jean-Sébastien Pédron 1eafa5d8b0 drm: Dereference pointers given to qsort_r()'s cmp callback
drm_le_cmp() (qsort_r()'s callback) receives pointers to elements in the
array passed to qsort_r(), not the elements themselves.

Before this fix, the use of qsort_r() shuffled the array, not sorted it,
because the compare callback accessed random memory locations, not the
expected elements.

This bug triggered an infinite loop in KDE/xserver:

    1. KDE has a kded module called "randrmonitor" which queries xserver
       for current monitors at startup and then listens to RandR
       notifications from xserver.

    2. xserver handles the query from "randrmonitor" by polling the
       video device using the "drm_mode_getconnector()" ioctl. This
       ioctl returns a list of connectors and, for those with a
       connected monitor, the available modes. Each modes list is sorted
       by the kernel before returning. When xserver gets the connectors
       list, it sorts the modes lists again.

       In the case of this bug, when two modes are equal (in xserver's
       compare function PoV), their order is kept stable (i.e. the
       kernel order is kept for those two modes). And because the list
       was shuffled by the kernel, the order of two equal modes was
       frequently changed in the final modes list in xserver.

    3. xserver compares the returned connectors list with the list
       obtained earlier. In particular, it compares the sorted
       modes lists for each connector. If a property of a connector
       changes (e.g. modes), xserver sends a "RRNotify_OutputChange"
       notification.

       Because of the change of order between equal modes, xserver sent
       a notification after each polling of the connectors.

    4. "randrmonitor" receives a notification, triggered by its query. The
       notification doesn't contain the new connectors list, therefore, it
       asks for the new list using the same function: go back to step .

MFC after:	3 days
2013-11-25 11:15:51 +00:00
amd64 - For kernel compiled only with KDTRACE_HOOKS and not any lock debugging 2013-11-25 07:38:45 +00:00
arm Enable reset mechanism for rk3188. 2013-11-25 11:02:58 +00:00
boot Add clock frequency for rk3188 watchdog. 2013-11-25 11:02:11 +00:00
bsm Change the cap_rights_t type from uint64_t to a structure that we can extend 2013-09-05 00:09:56 +00:00
cam - For kernel compiled only with KDTRACE_HOOKS and not any lock debugging 2013-11-25 07:38:45 +00:00
cddl - For kernel compiled only with KDTRACE_HOOKS and not any lock debugging 2013-11-25 07:38:45 +00:00
compat - For kernel compiled only with KDTRACE_HOOKS and not any lock debugging 2013-11-25 07:38:45 +00:00
conf - For kernel compiled only with KDTRACE_HOOKS and not any lock debugging 2013-11-25 07:38:45 +00:00
contrib Remove 'inline' from ar9300_init_pll(), it's too big to inline. 2013-11-08 16:28:00 +00:00
crypto fix broken style(9) in r258399 2013-11-23 00:28:18 +00:00
ddb
dev drm: Dereference pointers given to qsort_r()'s cmp callback 2013-11-25 11:15:51 +00:00
fs - For kernel compiled only with KDTRACE_HOOKS and not any lock debugging 2013-11-25 07:38:45 +00:00
gdb rename scheduler->swapper and SI_SUB_RUN_SCHEDULER->SI_SUB_LAST 2013-07-24 09:45:31 +00:00
geom Have the GPT probe return a lower priority when the MBR is not a PMBR 2013-11-21 22:02:59 +00:00
gnu/fs/reiserfs
i386 - For kernel compiled only with KDTRACE_HOOKS and not any lock debugging 2013-11-25 07:38:45 +00:00
ia64 Don't enable interrupts before we call sched_throw(). Interrupts 2013-11-10 04:22:40 +00:00
isa
kern - For kernel compiled only with KDTRACE_HOOKS and not any lock debugging 2013-11-25 07:38:45 +00:00
kgssapi Add support for host-based (Kerberos 5 service principal) initiator 2013-07-09 01:05:28 +00:00
libkern Fix ixp425 boot2 with ARM EABI: 2013-09-29 15:19:34 +00:00
mips - For kernel compiled only with KDTRACE_HOOKS and not any lock debugging 2013-11-25 07:38:45 +00:00
modules - For kernel compiled only with KDTRACE_HOOKS and not any lock debugging 2013-11-25 07:38:45 +00:00
net - For kernel compiled only with KDTRACE_HOOKS and not any lock debugging 2013-11-25 07:38:45 +00:00
net80211 Fix AMRR to correctly select the initial rate. 2013-11-09 07:30:13 +00:00
netatalk The r48589 promised to remove implicit inclusion of if_var.h soon. Prepare 2013-10-26 17:58:36 +00:00
netgraph Eliminate duplicated & dead code. 2013-11-08 22:40:33 +00:00
netinet - For kernel compiled only with KDTRACE_HOOKS and not any lock debugging 2013-11-25 07:38:45 +00:00
netinet6 - For kernel compiled only with KDTRACE_HOOKS and not any lock debugging 2013-11-25 07:38:45 +00:00
netipsec Initialize prot variable. 2013-11-11 13:19:55 +00:00
netipx The r48589 promised to remove implicit inclusion of if_var.h soon. Prepare 2013-10-26 17:58:36 +00:00
netnatm Provide includes that are needed in these files, and before were read 2013-10-26 18:18:50 +00:00
netpfil The DIOCKILLSRCNODES operation was implemented with O(m*n) complexity, 2013-11-22 19:22:26 +00:00
netsmb Catch up with sb_timeo type change in r255138. This fixes 2013-11-08 08:44:09 +00:00
nfs The r48589 promised to remove implicit inclusion of if_var.h soon. Prepare 2013-10-26 17:58:36 +00:00
nfsclient - For kernel compiled only with KDTRACE_HOOKS and not any lock debugging 2013-11-25 07:38:45 +00:00
nfsserver The r48589 promised to remove implicit inclusion of if_var.h soon. Prepare 2013-10-26 17:58:36 +00:00
nlm Intermittent crashes in the NLM (rpc.lockd) code during system 2013-09-06 23:14:31 +00:00
ofed Fix creating a vlan over lagg over mlxen crash. 2013-11-17 20:58:31 +00:00
opencrypto - For kernel compiled only with KDTRACE_HOOKS and not any lock debugging 2013-11-25 07:38:45 +00:00
pc98 - For kernel compiled only with KDTRACE_HOOKS and not any lock debugging 2013-11-25 07:38:45 +00:00
pci Add preliminary support for RTL8168EP. 2013-10-29 05:37:05 +00:00
powerpc - For kernel compiled only with KDTRACE_HOOKS and not any lock debugging 2013-11-25 07:38:45 +00:00
rpc Some minor tuning to rpc/svc.c: 2013-11-14 13:51:53 +00:00
security - For kernel compiled only with KDTRACE_HOOKS and not any lock debugging 2013-11-25 07:38:45 +00:00
sparc64 As of r257209, all architectures have defined VM_KMEM_SIZE_SCALE. In other 2013-11-08 16:25:00 +00:00
sys - For kernel compiled only with KDTRACE_HOOKS and not any lock debugging 2013-11-25 07:38:45 +00:00
teken
tools - For kernel compiled only with KDTRACE_HOOKS and not any lock debugging 2013-11-25 07:38:45 +00:00
ufs fix white space... 2013-11-20 21:21:29 +00:00
vm When purging per-CPU UMA caches do not return empty buckets into the global 2013-11-23 13:42:56 +00:00
x86 - For kernel compiled only with KDTRACE_HOOKS and not any lock debugging 2013-11-25 07:38:45 +00:00
xdr
xen Remove redundant redeclaration of gdtset in sys/xen/xen-os.h, to silence 2013-10-18 17:06:13 +00:00
Makefile