Index: bsd-core/drmP.h =================================================================== RCS file: /cvs/dri/drm/bsd-core/drmP.h,v retrieving revision 1.66 diff -u -r1.66 drmP.h --- bsd-core/drmP.h 17 Aug 2005 22:59:00 -0000 1.66 +++ bsd-core/drmP.h 18 Aug 2005 20:12:54 -0000 @@ -524,6 +524,7 @@ struct drm_file { TAILQ_ENTRY(drm_file) link; int authenticated; + int master; int minor; pid_t pid; uid_t uid; @@ -585,6 +586,7 @@ typedef struct drm_sg_mem { unsigned long handle; + void *virtual; int pages; dma_addr_t *busaddr; drm_dma_handle_t *dmah; /* Handle to PCI memory for ATI PCIGART table */ Index: bsd-core/drm_bufs.c =================================================================== RCS file: /cvs/dri/drm/bsd-core/drm_bufs.c,v retrieving revision 1.38 diff -u -r1.38 drm_bufs.c --- bsd-core/drm_bufs.c 5 Aug 2005 03:50:23 -0000 1.38 +++ bsd-core/drm_bufs.c 18 Aug 2005 20:12:54 -0000 @@ -113,11 +113,12 @@ /* Check if this is just another version of a kernel-allocated map, and * just hand that back if so. */ - if (type == _DRM_REGISTERS || type == _DRM_FRAME_BUFFER) - { + if (type == _DRM_REGISTERS || type == _DRM_FRAME_BUFFER || + type == _DRM_SHM) { DRM_LOCK(); TAILQ_FOREACH(map, &dev->maplist, link) { - if (map->type == type && map->offset == offset) { + if (map->type == type && + (map->offset == offset || map->type == _DRM_SHM)) { map->size = size; DRM_DEBUG("Found kernel map %d\n", type); goto done; 
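Review bot: In the `@@ -113,11 +113,12 @@` hunk of drm_bufs.c, the widened match now reaches the unchanged `map->size = size;` for any existing `_DRM_SHM` map, whatever offset the caller passed, so the recorded size of a kernel-allocated shared area is overwritten with a caller-supplied value. The allocation backing that map is not visible here; if it is not resized to match, a larger `size` leaves `map->size` describing more memory than was allocated. I would keep the existing size for SHM, e.g. `if (map->type != _DRM_SHM) map->size = size;`, or return `DRM_ERR(EINVAL)` when `size > map->size`. The enclosing function starts and ends outside the hunk.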
@@ -171,8 +172,25 @@ } break; case _DRM_AGP: - map->offset += dev->agp->base; - map->mtrr = dev->agp->mtrr; /* for getmap */ + { + drm_agp_mem_t *entry; + int valid = 0; + + map->offset += dev->agp->base; + map->mtrr = dev->agp->mtrr; /* for getmap */ + for (entry = dev->agp->memory; entry; + entry = entry->next) + if ((map->offset >= entry->bound) && + (map->offset + map->size <= + entry->bound + entry->pages * PAGE_SIZE)) { + valid = 1; + break; + } + if (!valid) { + free(map, M_DRM); + return DRM_ERR(EACCES); + } + } break; case _DRM_SCATTER_GATHER: if (!dev->sg) { @@ -186,7 +204,7 @@ 0xfffffffful); if (map->dmah == NULL) { free(map, M_DRM); - return ENOMEM; + return DRM_ERR(ENOMEM); } map->handle = map->dmah->vaddr; map->offset = map->dmah->busaddr; @@ -223,6 +241,9 @@ DRM_COPY_FROM_USER_IOCTL(request, (drm_map_t *)data, sizeof(drm_map_t)); + if (DRM_SUSER(p) && request.type != _DRM_AGP) + return DRM_ERR(EACCES); + err = drm_addmap(dev, request.offset, request.size, request.type, request.flags, &map); if (err != 0) @@ -342,6 +363,7 @@ { drm_device_dma_t *dma = dev->dma; drm_buf_entry_t *entry; + drm_agp_mem_t *agp_entry; drm_buf_t *buf; unsigned long offset; unsigned long agp_offset; @@ -352,7 +374,7 @@ int page_order; int total; int byte_count; - int i; + int i, valid; drm_buf_t **temp_buflist; count = request->count; @@ -375,6 +397,22 @@ DRM_DEBUG( "page_order: %d\n", page_order ); DRM_DEBUG( "total: %d\n", total ); + /* Make sure buffers are located in AGP memory that we own */ + valid = 0; + for (agp_entry = dev->agp->memory; agp_entry; + agp_entry = agp_entry->next) { + if ((agp_offset >= agp_entry->bound) && + (agp_offset + total * count <= + agp_entry->bound + agp_entry->pages * PAGE_SIZE)) { + valid = 1; + break; + } + } + if (!valid) { + DRM_DEBUG("zone invalid\n"); + return DRM_ERR(EINVAL); + } + entry = &dma->bufs[order]; entry->buflist = malloc(count * sizeof(*entry->buflist), M_DRM, 
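Review bot: The ownership test added under `case _DRM_AGP:` can be bypassed by arithmetic wrap, because `map->offset + map->size` is built from values that originate in the ioctl request and is compared only after the addition. Compare by subtraction instead, with `len = entry->pages * PAGE_SIZE` held in an `unsigned long`: `if (map->offset >= entry->bound && map->size <= len && map->offset - entry->bound <= len - map->size)`. The `@@ -375,6 +397,22 @@` hunk repeats the pattern, and there `total * count` is also multiplied in `int` (`total` is declared `int` in that function) before being added to `agp_offset`, so it needs widening first, e.g. `(unsigned long)total * count`. Both loops dereference `dev->agp` with no NULL check in the visible lines; the first did so before this change, but the second is new and worth confirming.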
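Review bot: The new gate in the `@@ -223,6 +241,9 @@` hunk reads as the opposite of what it does unless the reader knows that `DRM_SUSER()` is non-zero for a caller who is not the superuser, as `priv->authenticated = !DRM_SUSER(p)` in drm_fops.c implies. A one-line comment would guard against a later inversion: `/* Only root may add maps; AGP maps are the exception and are range-checked in drm_addmap(). */`. The enclosing function starts and ends outside the hunk.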
@@ -538,7 +576,6 @@ buf->used = 0; buf->offset = (dma->byte_count + byte_count + offset); buf->address = ((char *)dmah->vaddr + offset); - buf->bus_address = dmah->busaddr + offset; buf->next = NULL; buf->pending = 0; buf->filp = NULL; @@ -742,6 +779,9 @@ DRM_SPINLOCK(&dev->dma_lock); + if (DRM_SUSER(DRM_CURPROC)) + return DRM_ERR(EACCES); + if (request->count < 0 || request->count > 4096) return DRM_ERR(EINVAL); @@ -773,6 +813,9 @@ DRM_SPINLOCK(&dev->dma_lock); + if (DRM_SUSER(DRM_CURPROC)) + return DRM_ERR(EACCES); + if (request->count < 0 || request->count > 4096) return DRM_ERR(EINVAL); Index: bsd-core/drm_context.c =================================================================== RCS file: /cvs/dri/drm/bsd-core/drm_context.c,v retrieving revision 1.22 diff -u -r1.22 drm_context.c --- bsd-core/drm_context.c 5 Aug 2005 03:50:23 -0000 1.22 +++ bsd-core/drm_context.c 18 Aug 2005 20:12:54 -0000 @@ -228,14 +228,17 @@ int drm_resctx(DRM_IOCTL_ARGS) { drm_ctx_res_t res; + drm_ctx_t ctx; int i; DRM_COPY_FROM_USER_IOCTL( res, (drm_ctx_res_t *)data, sizeof(res) ); if ( res.count >= DRM_RESERVED_CONTEXTS ) { + bzero(&ctx, sizeof(ctx)); for ( i = 0 ; i < DRM_RESERVED_CONTEXTS ; i++ ) { + ctx.handle = i; if ( DRM_COPY_TO_USER( &res.contexts[i], - &i, sizeof(i) ) ) + &ctx, sizeof(ctx) ) ) return DRM_ERR(EFAULT); } } Index: bsd-core/drm_drv.c =================================================================== RCS file: /cvs/dri/drm/bsd-core/drm_drv.c,v retrieving revision 1.66 diff -u -r1.66 drm_drv.c --- bsd-core/drm_drv.c 12 Aug 2005 17:18:08 -0000 1.66 +++ bsd-core/drm_drv.c 18 Aug 2005 20:12:54 -0000 @@ -33,6 +33,7 @@ #include "drmP.h" #include "drm.h" +#include "drm_sarea.h" int drm_debug_flag = 0; 
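Review bot: The `DRM_SUSER(DRM_CURPROC)` check added in the `@@ -742,6 +779,9 @@` hunk returns `DRM_ERR(EACCES)` after `DRM_SPINLOCK(&dev->dma_lock)` has been taken and without releasing it, so any non-root caller leaves `dma_lock` held. The test does not touch DMA state, so move it above the lock: `if (DRM_SUSER(DRM_CURPROC))` / `return DRM_ERR(EACCES);` and only then `DRM_SPINLOCK(&dev->dma_lock);`. The `@@ -773,6 +813,9 @@` hunk has the identical problem. In both, the pre-existing `request->count` check in the context lines returns the same way and deserves the same treatment. Both functions start and end outside the hunks.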
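Review bot: In `drm_resctx`, the `bzero(&ctx, sizeof(ctx))` is what keeps whatever `drm_ctx_t` holds besides `handle`, including any padding, from carrying uninitialised kernel stack bytes out through `DRM_COPY_TO_USER`, and nothing in the code says so. Add a comment above it such as `/* Zero the whole struct: every byte of ctx is copied to userland below. */` so the call is not later dropped as redundant because only `ctx.handle` is assigned. The function body continues outside the hunk.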
@@ -357,10 +358,17 @@ static int drm_firstopen(drm_device_t *dev) { + drm_local_map_t *map; int i; DRM_SPINLOCK_ASSERT(&dev->dev_lock); + /* prebuild the SAREA */ + i = drm_addmap(dev, 0, SAREA_MAX, _DRM_SHM, + _DRM_CONTAINS_LOCK, &map); + if (i != 0) + return i; + if (dev->driver.firstopen) dev->driver.firstopen(dev); @@ -388,7 +396,6 @@ dev->magiclist[i].tail = NULL; } - dev->lock.hw_lock = NULL; dev->lock.lock_queue = 0; dev->irq_enabled = 0; dev->context_flag = 0; @@ -853,7 +860,7 @@ */ if ((ioctl->root_only && DRM_SUSER(p)) || (ioctl->auth_needed && !priv->authenticated) || - (ioctl->master && !DRM_SUSER(p))) + (ioctl->master && !priv->master)) return EACCES; if (is_driver_ioctl) Index: bsd-core/drm_fops.c =================================================================== RCS file: /cvs/dri/drm/bsd-core/drm_fops.c,v retrieving revision 1.19 diff -u -r1.19 drm_fops.c --- bsd-core/drm_fops.c 5 Aug 2005 03:50:23 -0000 1.19 +++ bsd-core/drm_fops.c 18 Aug 2005 20:12:54 -0000 @@ -88,6 +88,8 @@ priv->refs = 1; priv->minor = m; priv->ioctl_count = 0; + + /* for compatibility root is always authenticated */ priv->authenticated = !DRM_SUSER(p); if (dev->driver.open) { @@ -99,6 +101,9 @@ } } + /* first opener automatically becomes master */ + priv->master = TAILQ_EMPTY(&dev->files) ? 1 : 0; + TAILQ_INSERT_TAIL(&dev->files, priv, link); } DRM_UNLOCK();
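Review bot: `drm_firstopen` asserts that `dev->dev_lock` is held and then calls `drm_addmap()` with `_DRM_SHM`, a type for which the drm_bufs.c change in this same patch makes `drm_addmap()` call `DRM_LOCK()`. `DRM_LOCK()` is not defined in this patch; if it acquires `dev->dev_lock`, this is a recursive acquisition on the open path, to be resolved by dropping the lock around the call or by giving `drm_addmap()` a variant for callers that already hold it. Separately, storing the result in the loop counter `i` hides that it is an error code, so a dedicated `int err;` would read better. `map` is not used after the call in the visible lines. The function body continues outside the hunk.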
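Review bot: With the `@@ -853,7 +860,7 @@` change in drm_drv.c, `ioctl->master` entries are gated only by `priv->master`, and the `@@ -99,6 +101,9 @@` hunk in drm_fops.c grants that flag to whichever process opens the device while `dev->files` is empty, with no privilege test. Device-node permissions are then the only barrier for master-only ioctls that are not also `root_only`, which should be stated where the flag is set, e.g. `/* first opener becomes master regardless of uid; ioctls that need privilege must also set root_only */`. Nothing in the visible lines shows what happens to the master role when the master closes while other files remain open, so that is worth documenting as well.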