09 Nov, 2020
1 commit
-
This patch forwards ipuv3 LCD external port(mxc_lcdif) driver from
imx_4.19.y kernel.Reviewed-by: Robby Cai
Signed-off-by: Liu Ying
08 Oct, 2020
1 commit
-
* tag 'v5.4.70': (3051 commits)
Linux 5.4.70
netfilter: ctnetlink: add a range check for l3/l4 protonum
ep_create_wakeup_source(): dentry name can change under you...
...Conflicts:
arch/arm/mach-imx/pm-imx6.c
arch/arm64/boot/dts/freescale/imx8mm-evk.dts
arch/arm64/boot/dts/freescale/imx8mn-ddr4-evk.dts
drivers/crypto/caam/caamalg.c
drivers/gpu/drm/imx/dw_hdmi-imx.c
drivers/gpu/drm/imx/imx-ldb.c
drivers/gpu/drm/imx/ipuv3/ipuv3-crtc.c
drivers/mmc/host/sdhci-esdhc-imx.c
drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
drivers/net/ethernet/freescale/enetc/enetc.c
drivers/net/ethernet/freescale/enetc/enetc_pf.c
drivers/thermal/imx_thermal.c
drivers/usb/cdns3/ep0.c
drivers/xen/swiotlb-xen.c
sound/soc/fsl/fsl_esai.c
sound/soc/fsl/fsl_sai.cSigned-off-by: Jason Liu
23 Sep, 2020
1 commit
-
[ Upstream commit ec0972adecb391a8d8650832263a4790f3bfb4df ]
syzbot is reporting OOB read at fbcon_resize() [1], for
commit 39b3cffb8cf31117 ("fbcon: prevent user font height or width change
from causing potential out-of-bounds access") is by error using
registered_fb[con2fb_map[vc->vc_num]]->fbcon_par->p->userfont (which was
set to non-zero) instead of fb_display[vc->vc_num].userfont (which remains
zero for that display).We could remove tricky userfont flag [2], for we can determine it by
comparing address of the font data and addresses of built-in font data.
But since that commit is failing to fix the original OOB read [3], this
patch keeps the change minimal in case we decide to revert altogether.[1] https://syzkaller.appspot.com/bug?id=ebcbbb6576958a496500fee9cf7aa83ea00b5920
[2] https://syzkaller.appspot.com/text?tag=Patch&x=14030853900000
[3] https://syzkaller.appspot.com/bug?id=6fba8c186d97cf1011ab17660e633b1cc4e080c9Reported-by: syzbot
Signed-off-by: Tetsuo Handa
Fixes: 39b3cffb8cf31117 ("fbcon: prevent user font height or width change from causing potential out-of-bounds access")
Cc: George Kennedy
Link: https://lore.kernel.org/r/f6e3e611-8704-1263-d163-f52c906a4f06@I-love.SAKURA.ne.jp
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Sasha Levin
17 Sep, 2020
4 commits
-
commit bd018a6a75cebb511bb55a0e7690024be975fe93 upstream.
syzbot is reporting OOB read at vga_8planes_imageblit() [1], for
"cdat[y] >> 4" can become a negative value due to "const char *cdat".[1] https://syzkaller.appspot.com/bug?id=0d7a0da1557dcd1989e00cb3692b26d4173b4132
Reported-by: syzbot
Signed-off-by: Tetsuo Handa
Cc: stable
Link: https://lore.kernel.org/r/90b55ec3-d5b0-3307-9f7c-7ff5c5fd6ad3@i-love.sakura.ne.jp
Signed-off-by: Greg Kroah-Hartman -
commit 973c096f6a85e5b5f2a295126ba6928d9a6afd45 upstream.
Yunhai Zhang recently fixed a VGA software scrollback bug in commit
ebfdfeeae8c0 ("vgacon: Fix for missing check in scrollback handling"),
but that then made people look more closely at some of this code, and
there were more problems on the vgacon side, but also the fbcon software
scrollback.We don't really have anybody who maintains this code - probably because
nobody actually _uses_ it any more. Sure, people still use both VGA and
the framebuffer consoles, but they are no longer the main user
interfaces to the kernel, and haven't been for decades, so these kinds
of extra features end up bitrotting and not really being used.So rather than try to maintain a likely unused set of code, I'll just
aggressively remove it, and see if anybody even notices. Maybe there
are people who haven't jumped on the whole GUI badnwagon yet, and think
it's just a fad. And maybe those people use the scrollback code.If that turns out to be the case, we can resurrect this again, once
we've found the sucker^Wmaintainer for it who actually uses it.Reported-by: NopNop Nop
Tested-by: Willy Tarreau
Cc: 张云海
Acked-by: Andy Lutomirski
Acked-by: Willy Tarreau
Reviewed-by: Greg Kroah-Hartman
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman -
commit 06a0df4d1b8b13b551668e47b11fd7629033b7df upstream.
Since the softscroll code got removed, this argument is always zero and
makes no sense any more.Tested-by: Yuan Ming
Tested-by: Willy Tarreau
Reviewed-by: Greg Kroah-Hartman
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman -
commit 50145474f6ef4a9c19205b173da6264a644c7489 upstream.
This (and the VGA soft scrollback) turns out to have various nasty small
special cases that nobody really is willing to fight. The soft
scrollback code was really useful a few decades ago when you typically
used the console interactively as the main way to interact with the
machine, but that just isn't the case any more.So it's not worth dragging along.
Tested-by: Yuan Ming
Tested-by: Willy Tarreau
Acked-by: Bartlomiej Zolnierkiewicz
Acked-by: Daniel Vetter
Reviewed-by: Greg Kroah-Hartman
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
03 Sep, 2020
3 commits
-
[ Upstream commit d88ca7e1a27eb2df056bbf37ddef62e1c73d37ea ]
syzbot is reporting OOB read bug in vc_do_resize() [1] caused by memcpy()
based on outdated old_{rows,row_size} values, for resize_screen() can
recurse into vc_do_resize() which changes vc->vc_{cols,rows} that outdates
old_{rows,row_size} values which were saved before calling resize_screen().Daniel Vetter explained that resize_screen() should not recurse into
fbcon_update_vcs() path due to FBINFO_MISC_USEREVENT being still set
when calling resize_screen().Instead of masking FBINFO_MISC_USEREVENT before calling fbcon_update_vcs(),
we can remove FBINFO_MISC_USEREVENT by calling fbcon_update_vcs() only if
fb_set_var() returned 0. This change assumes that it is harmless to call
fbcon_update_vcs() when fb_set_var() returned 0 without reaching
fb_notifier_call_chain().[1] https://syzkaller.appspot.com/bug?id=c70c88cfd16dcf6e1d3c7f0ab8648b3144b5b25e
Reported-and-tested-by: syzbot
Suggested-by: Daniel Vetter
Signed-off-by: Tetsuo Handa
Reported-by: kernel test robot for missing #include
Signed-off-by: Daniel Vetter
Link: https://patchwork.freedesktop.org/patch/msgid/075b7e37-3278-cd7d-31ab-c5073cfa8e92@i-love.sakura.ne.jp
Signed-off-by: Sasha Levin -
commit 39b3cffb8cf3111738ea993e2757ab382253d86a upstream.
Add a check to fbcon_resize() to ensure that a possible change to user font
height or user font width will not allow a font data out-of-bounds access.
NOTE: must use original charcount in calculation as font charcount can
change and cannot be used to determine the font data allocated size.Signed-off-by: George Kennedy
Cc: stable
Reported-by: syzbot+38a3699c7eaf165b97a6@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/1596213192-6635-1-git-send-email-george.kennedy@oracle.com
Signed-off-by: Greg Kroah-Hartman -
[ Upstream commit 78c2ce9bde70be5be7e3615a2ae7024ed8173087 ]
On calling pm_runtime_get_sync() the reference count of the device
is incremented. In case of failure, decrement the
reference count before returning the error.Signed-off-by: Aditya Pakki
Cc: kjlu@umn.edu
Cc: wu000273@umn.edu
Cc: Allison Randal
Cc: Thomas Gleixner
Cc: Enrico Weigelt
cc: "Andrew F. Davis"
Cc: Tomi Valkeinen
Cc: Alexios Zavras
Cc: Greg Kroah-Hartman
Cc: YueHaibing
Signed-off-by: Bartlomiej Zolnierkiewicz
Link: https://patchwork.freedesktop.org/patch/msgid/20200614030528.128064-1-pakki001@umn.edu
Signed-off-by: Sasha Levin
26 Aug, 2020
1 commit
-
[ Upstream commit 6163a985e50cb19d5bdf73f98e45b8af91a77658 ]
efifb_probe() will issue an error message in case the kernel is booted
as Xen dom0 from UEFI as EFI_MEMMAP won't be set in this case. Avoid
that message by calling efi_mem_desc_lookup() only if EFI_MEMMAP is set.Fixes: 38ac0287b7f4 ("fbdev/efifb: Honour UEFI memory map attributes when mapping the FB")
Signed-off-by: Juergen Gross
Acked-by: Ard Biesheuvel
Acked-by: Bartlomiej Zolnierkiewicz
Signed-off-by: Juergen Gross
Signed-off-by: Sasha Levin
19 Aug, 2020
5 commits
-
[ Upstream commit 499a2c41b954518c372873202d5e7714e22010c4 ]
'dma_alloc_coherent()' must be balanced by a call to 'dma_free_coherent()'
not 'dma_free_wc()'.
The correct dma_free_ function is already used in the error handling path
of the probe function.Fixes: 77e196752bdd ("[ARM] pxafb: allow video memory size to be configurable")
Signed-off-by: Christophe JAILLET
Cc: Sumit Semwal
Cc: Rafael J. Wysocki
Cc: Jonathan Corbet
Cc: Viresh Kumar
Cc: Jani Nikula
cc: Mauro Carvalho Chehab
Cc: Eric Miao
Signed-off-by: Bartlomiej Zolnierkiewicz
Link: https://patchwork.freedesktop.org/patch/msgid/20200429084505.108897-1-christophe.jaillet@wanadoo.fr
Signed-off-by: Sasha Levin -
[ Upstream commit fd4b8243877250c05bb24af7fea5567110c9720b ]
A call of the function do_take_over_console() can fail here.
The corresponding system resources were not released then.
Thus add a call of iounmap() and release_mem_region()
together with the check of a failure predicate. and also
add release_mem_region() on device removal.Fixes: e86bb8acc0fdc ("[PATCH] VT binding: Make newport_con support binding")
Suggested-by: Bartlomiej Zolnierkiewicz
Signed-off-by: Dejin Zheng
Reviewed-by: Andy Shevchenko
Cc: Greg Kroah-Hartman
cc: Thomas Gleixner
Cc: Andrew Morton
Signed-off-by: Bartlomiej Zolnierkiewicz
Link: https://patchwork.freedesktop.org/patch/msgid/20200423164251.3349-1-zhengdejin5@gmail.com
Signed-off-by: Sasha Levin -
[ Upstream commit 98bd4f72988646c35569e1e838c0ab80d06c77f6 ]
the sfb->fb->screen_base is not save the value get by iounmap() when
the chip id is 0x720. so iounmap() for address sfb->fb->screen_base
is not right.Fixes: 1461d6672864854 ("staging: sm7xxfb: merge sm712fb with fbdev")
Cc: Andy Shevchenko
Cc: Sudip Mukherjee
Cc: Teddy Wang
Cc: Greg Kroah-Hartman
Signed-off-by: Dejin Zheng
Signed-off-by: Bartlomiej Zolnierkiewicz
Link: https://patchwork.freedesktop.org/patch/msgid/20200422160719.27763-1-zhengdejin5@gmail.com
Signed-off-by: Sasha Levin -
[ Upstream commit edcb3895a751c762a18d25c8d9846ce9759ed7e1 ]
neofb_probe() calls neo_scan_monitor() that can successfully allocate a
memory for info->monspecs.modedb and proceed to case 0x03. There it does
not free the memory and returns -1. neofb_probe() goes to label
err_scan_monitor, thus, it does not free this memory through calling
fb_destroy_modedb() as well. We can not go to label err_init_hw since
neo_scan_monitor() can fail during memory allocation. So, the patch frees
the memory directly for case 0x03.Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Evgeny Novikov
Cc: Jani Nikula
Cc: Mike Rapoport
Cc: Daniel Vetter
Cc: Andrew Morton
Signed-off-by: Bartlomiej Zolnierkiewicz
Link: https://patchwork.freedesktop.org/patch/msgid/20200630195451.18675-1-novikov@ispras.ru
Signed-off-by: Sasha Levin -
[ Upstream commit e8d35898a78e34fc854ed9680bc3f9caedab08cd ]
savagefb_probe() calls savage_init_fb_info() that can successfully
allocate memory for info->pixmap.addr but then fail when
fb_alloc_cmap() fails. savagefb_probe() goes to label failed_init and
does not free allocated memory. It is not valid to go to label
failed_mmio since savage_init_fb_info() can fail during memory
allocation as well. So, the patch free allocated memory on the error
handling path in savage_init_fb_info() itself.Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Evgeny Novikov
Cc: Antonino Daplas
Signed-off-by: Bartlomiej Zolnierkiewicz
Link: https://patchwork.freedesktop.org/patch/msgid/20200619162136.9010-1-novikov@ispras.ru
Signed-off-by: Sasha Levin
11 Aug, 2020
2 commits
-
commit ebfdfeeae8c01fcb2b3b74ffaf03876e20835d2d upstream.
vgacon_scrollback_update() always leaves enbough room in the scrollback
buffer for the next call, but if the console size changed that room
might not actually be enough, and so we need to re-check.The check should be in the loop since vgacon_scrollback_cur->tail is
updated in the loop and count may be more than 1 when triggered by CSI M,
as Jiri's PoC:
#include
#include
#include
#include
#include
#include
#includeint main(int argc, char** argv)
{
int fd = open("/dev/tty1", O_RDWR);
unsigned short size[3] = {25, 200, 0};
ioctl(fd, 0x5609, size); // VT_RESIZEwrite(fd, "\e[1;1H", 6);
for (int i = 0; i < 30; i++)
write(fd, "\e[10M", 5);
}It leads to various crashes as vgacon_scrollback_update writes out of
the buffer:
BUG: unable to handle page fault for address: ffffc900001752a0
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
RIP: 0010:mutex_unlock+0x13/0x30
...
Call Trace:
n_tty_write+0x1a0/0x4d0
tty_write+0x1a0/0x2e0Or to KASAN reports:
BUG: KASAN: slab-out-of-bounds in vgacon_scroll+0x57a/0x8edThis fixes CVE-2020-14331.
Reported-by: 张云海
Reported-by: Yang Yingliang
Reported-by: Kyungtae Kim
Fixes: 15bdab959c9b ([PATCH] vgacon: Add support for soft scrollback)
Cc: stable@vger.kernel.org
Cc: linux-fbdev@vger.kernel.org
Cc: Linus Torvalds
Cc: Solar Designer
Cc: "Srivatsa S. Bhat"
Cc: Anthony Liguori
Cc: Yang Yingliang
Cc: Bartlomiej Zolnierkiewicz
Cc: Jiri Slaby
Signed-off-by: Yunhai Zhang
Link: https://lore.kernel.org/r/9fb43895-ca91-9b07-ebfd-808cf854ca95@nsfocus.com
Signed-off-by: Greg Kroah-Hartman -
commit 254503a2b186caa668a188dbbd7ab0d25149c0a5 upstream.
The drm/omap driver was fixed to correct an issue where using a
divider of 32 breaks the DSS despite the TRM stating 32 is a valid
number. Through experimentation, it appears that 31 works, and
it is consistent with the value used by the drm/omap driver.This patch fixes the divider for fbdev driver instead of the drm.
Fixes: f76ee892a99e ("omapfb: copy omapdss & displays for omapfb")
Cc: #4.5+
Signed-off-by: Adam Ford
Reviewed-by: Tomi Valkeinen
Cc: Dave Airlie
Cc: Rob Clark
[b.zolnierkie: mark patch as applicable to stable 4.5+ (was 4.9+)]
Signed-off-by: Bartlomiej Zolnierkiewicz
Link: https://patchwork.freedesktop.org/patch/msgid/20200630182636.439015-1-aford173@gmail.com
Signed-off-by: Greg Kroah-Hartman
29 Jul, 2020
1 commit
-
commit 033724d6864245a11f8e04c066002e6ad22b3fd0 upstream.
syzbot is reporting general protection fault in bitfill_aligned() [1]
caused by integer underflow in bit_clear_margins(). The cause of this
problem is when and how do_vc_resize() updates vc->vc_{cols,rows}.If vc_do_resize() fails (e.g. kzalloc() fails) when var.xres or var.yres
is going to shrink, vc->vc_{cols,rows} will not be updated. This allows
bit_clear_margins() to see info->var.xres < (vc->vc_cols * cw) or
info->var.yres < (vc->vc_rows * ch). Unexpectedly large rw or bh will
try to overrun the __iomem region and causes general protection fault.Also, vc_resize(vc, 0, 0) does not set vc->vc_{cols,rows} = 0 due to
new_cols = (cols ? cols : vc->vc_cols);
new_rows = (lines ? lines : vc->vc_rows);exception. Since cols and lines are calculated as
cols = FBCON_SWAP(ops->rotate, info->var.xres, info->var.yres);
rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres);
cols /= vc->vc_font.width;
rows /= vc->vc_font.height;
vc_resize(vc, cols, rows);in fbcon_modechanged(), var.xres < vc->vc_font.width makes cols = 0
and var.yres < vc->vc_font.height makes rows = 0. This means thatconst int fd = open("/dev/fb0", O_ACCMODE);
struct fb_var_screeninfo var = { };
ioctl(fd, FBIOGET_VSCREENINFO, &var);
var.xres = var.yres = 1;
ioctl(fd, FBIOPUT_VSCREENINFO, &var);easily reproduces integer underflow bug explained above.
Of course, callers of vc_resize() are not handling vc_do_resize() failure
is bad. But we can't avoid vc_resize(vc, 0, 0) which returns 0. Therefore,
as a band-aid workaround, this patch checks integer underflow in
"struct fbcon_ops"->clear_margins call, assuming that
vc->vc_cols * vc->vc_font.width and vc->vc_rows * vc->vc_font.heigh do not
cause integer overflow.[1] https://syzkaller.appspot.com/bug?id=a565882df74fa76f10d3a6fec4be31098dbb37c6
Reported-and-tested-by: syzbot
Signed-off-by: Tetsuo Handa
Acked-by: Daniel Vetter
Cc: stable
Link: https://lore.kernel.org/r/20200715015102.3814-1-penguin-kernel@I-love.SAKURA.ne.jp
Signed-off-by: Greg Kroah-Hartman
24 Jun, 2020
1 commit
-
[ Upstream commit d8207c155a7c6015eb7f43739baa7dfb1fa638af ]
If probing the LP885x backlight fails after the regulators have been
enabled, then the following warning is seen when releasing the
regulators ...WARNING: CPU: 1 PID: 289 at drivers/regulator/core.c:2051 _regulator_put.part.28+0x158/0x160
Modules linked in: tegra_xudc lp855x_bl(+) host1x pwm_tegra ip_tables x_tables ipv6 nf_defrag_ipv6
CPU: 1 PID: 289 Comm: systemd-udevd Not tainted 5.6.0-rc2-next-20200224 #1
Hardware name: NVIDIA Jetson TX1 Developer Kit (DT)...
Call trace:
_regulator_put.part.28+0x158/0x160
regulator_put+0x34/0x50
devm_regulator_release+0x10/0x18
release_nodes+0x12c/0x230
devres_release_all+0x34/0x50
really_probe+0x1c0/0x370
driver_probe_device+0x58/0x100
device_driver_attach+0x6c/0x78
__driver_attach+0xb0/0xf0
bus_for_each_dev+0x68/0xc8
driver_attach+0x20/0x28
bus_add_driver+0x160/0x1f0
driver_register+0x60/0x110
i2c_register_driver+0x40/0x80
lp855x_driver_init+0x20/0x1000 [lp855x_bl]
do_one_initcall+0x58/0x1a0
do_init_module+0x54/0x1d0
load_module+0x1d80/0x21c8
__do_sys_finit_module+0xe8/0x100
__arm64_sys_finit_module+0x18/0x20
el0_svc_common.constprop.3+0xb0/0x168
do_el0_svc+0x20/0x98
el0_sync_handler+0xf4/0x1b0
el0_sync+0x140/0x180Fix this by ensuring that the regulators are disabled, if enabled, on
probe failure.Finally, ensure that the vddio regulator is disabled in the driver
remove handler.Signed-off-by: Jon Hunter
Reviewed-by: Daniel Thompson
Signed-off-by: Lee Jones
Signed-off-by: Sasha Levin
19 Jun, 2020
1 commit
-
* tag 'v5.4.47': (2193 commits)
Linux 5.4.47
KVM: arm64: Save the host's PtrAuth keys in non-preemptible context
KVM: arm64: Synchronize sysreg state on injecting an AArch32 exception
...Conflicts:
arch/arm/boot/dts/imx6qdl.dtsi
arch/arm/mach-imx/Kconfig
arch/arm/mach-imx/common.h
arch/arm/mach-imx/suspend-imx6.S
arch/arm64/boot/dts/freescale/imx8qxp-mek.dts
arch/powerpc/include/asm/cacheflush.h
drivers/cpufreq/imx6q-cpufreq.c
drivers/dma/imx-sdma.c
drivers/edac/synopsys_edac.c
drivers/firmware/imx/imx-scu.c
drivers/net/ethernet/freescale/fec.h
drivers/net/ethernet/freescale/fec_main.c
drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
drivers/net/phy/phy_device.c
drivers/perf/fsl_imx8_ddr_perf.c
drivers/usb/cdns3/gadget.c
drivers/usb/dwc3/gadget.c
include/uapi/linux/dma-buf.hSigned-off-by: Jason Liu
17 Jun, 2020
2 commits
-
commit 18722d48a6bb9c2e8d046214c0a5fd19d0a7c9f6 upstream.
Some memory is vmalloc'ed in the 'w100fb_save_vidmem' function and freed in
the 'w100fb_restore_vidmem' function. (these functions are called
respectively from the 'suspend' and the 'resume' functions)However, it is also freed in the 'remove' function.
In order to avoid a potential double free, set the corresponding pointer
to NULL once freed in the 'w100fb_restore_vidmem' function.Fixes: aac51f09d96a ("[PATCH] w100fb: Rewrite for platform independence")
Cc: Richard Purdie
Cc: Antonino Daplas
Cc: Bartlomiej Zolnierkiewicz
Cc: # v2.6.14+
Signed-off-by: Christophe JAILLET
Signed-off-by: Sam Ravnborg
Link: https://patchwork.freedesktop.org/patch/msgid/20200506181902.193290-1-christophe.jaillet@wanadoo.fr
Signed-off-by: Greg Kroah-Hartman -
commit 1c49f35e9e9156273124a0cfd38b57f7a7d4828f upstream.
Fix following warning:
vt8500lcdfb.c: In function 'vt8500lcd_blank':
vt8500lcdfb.c:229:6: warning: this statement may fall through [-Wimplicit-fallthrough=]
if (info->fix.visual == FB_VISUAL_PSEUDOCOLOR ||
^
vt8500lcdfb.c:233:2: note: here
case FB_BLANK_UNBLANK:
^~~~Adding a simple "fallthrough;" fixed the warning.
The fix was build tested.Signed-off-by: Sam Ravnborg
Reported-by: kbuild test robot
Fixes: e41f1a989408 ("fbdev: Implement simple blanking in pseudocolor modes for vt8500lcdfb")
Cc: Alexey Charkov
Cc: Paul Mundt
Cc: # v2.6.38+
Signed-off-by: Bartlomiej Zolnierkiewicz
Link: https://patchwork.freedesktop.org/patch/msgid/20200412202143.GA26948@ravnborg.org
Signed-off-by: Greg Kroah-Hartman
23 Apr, 2020
2 commits
-
commit 93166f5f2e4dc593cff8ca77ef828ac6f148b0f3 upstream.
Clang warns:
../drivers/video/fbdev/core/fbmem.c:665:3: warning: misleading
indentation; statement is not part of the previous 'else'
[-Wmisleading-indentation]
if (fb_logo.depth > 4 && depth > 4) {
^
../drivers/video/fbdev/core/fbmem.c:661:2: note: previous statement is
here
else
^
../drivers/video/fbdev/core/fbmem.c:1075:3: warning: misleading
indentation; statement is not part of the previous 'if'
[-Wmisleading-indentation]
return ret;
^
../drivers/video/fbdev/core/fbmem.c:1072:2: note: previous statement is
here
if (!ret)
^
2 warnings generated.This warning occurs because there are spaces before the tabs on these
lines. Normalize the indentation in these functions so that it is
consistent with the Linux kernel coding style and clang no longer warns.Fixes: 1692b37c99d5 ("fbdev: Fix logo if logo depth is less than framebuffer depth")
Link: https://github.com/ClangBuiltLinux/linux/issues/825
Signed-off-by: Nathan Chancellor
Reviewed-by: Nick Desaulniers
Signed-off-by: Bartlomiej Zolnierkiewicz
Link: https://patchwork.freedesktop.org/patch/msgid/20191218030025.10064-1-natechancellor@gmail.com
Signed-off-by: Greg Kroah-Hartman -
commit d3d19d6fc5736a798b118971935ce274f7deaa82 upstream.
The "fix" struct has a 2 byte hole after ->ywrapstep and the
"fix = info->fix;" assignment doesn't necessarily clear it. It depends
on the compiler. The solution is just to replace the assignment with an
memcpy().Fixes: 1f5e31d7e55a ("fbmem: don't call copy_from/to_user() with mutex held")
Signed-off-by: Dan Carpenter
Cc: Andrew Morton
Cc: Arnd Bergmann
Cc: "Eric W. Biederman"
Cc: Andrea Righi
Cc: Daniel Vetter
Cc: Sam Ravnborg
Cc: Maarten Lankhorst
Cc: Daniel Thompson
Cc: Peter Rosin
Cc: Jani Nikula
Cc: Gerd Hoffmann
Signed-off-by: Bartlomiej Zolnierkiewicz
Link: https://patchwork.freedesktop.org/patch/msgid/20200113100132.ixpaymordi24n3av@kili.mountain
Signed-off-by: Greg Kroah-Hartman
13 Apr, 2020
1 commit
-
commit b139f8b00db4a8ea75a4174346eafa48041aa489 upstream.
Set logo_shown to FBCON_LOGO_CANSHOW when the vc was deallocated.
syzkaller report: https://lkml.org/lkml/2020/3/27/403
general protection fault, probably for non-canonical address
0xdffffc000000006c: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000360-0x0000000000000367]
RIP: 0010:fbcon_switch+0x28f/0x1740
drivers/video/fbdev/core/fbcon.c:2260Call Trace:
redraw_screen+0x2a8/0x770 drivers/tty/vt/vt.c:1008
vc_do_resize+0xfe7/0x1360 drivers/tty/vt/vt.c:1295
fbcon_init+0x1221/0x1ab0 drivers/video/fbdev/core/fbcon.c:1219
visual_init+0x305/0x5c0 drivers/tty/vt/vt.c:1062
do_bind_con_driver+0x536/0x890 drivers/tty/vt/vt.c:3542
do_take_over_console+0x453/0x5b0 drivers/tty/vt/vt.c:4122
do_fbcon_takeover+0x10b/0x210 drivers/video/fbdev/core/fbcon.c:588
fbcon_fb_registered+0x26b/0x340 drivers/video/fbdev/core/fbcon.c:3259
do_register_framebuffer drivers/video/fbdev/core/fbmem.c:1664 [inline]
register_framebuffer+0x56e/0x980 drivers/video/fbdev/core/fbmem.c:1832
dlfb_usb_probe.cold+0x1743/0x1ba3 drivers/video/fbdev/udlfb.c:1735
usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:374accessing vc_cons[logo_shown].d->vc_top causes the bug.
Reported-by: syzbot+732528bae351682f1f27@syzkaller.appspotmail.com
Signed-off-by: Qiujun Huang
Acked-by: Sam Ravnborg
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Vetter
Link: https://patchwork.freedesktop.org/patch/msgid/20200329085647.25133-1-hqjagain@gmail.com
Signed-off-by: Greg Kroah-Hartman
12 Mar, 2020
1 commit
-
commit 513dc792d6060d5ef572e43852683097a8420f56 upstream.
When syzkaller tests, there is a UAF:
BUG: KASan: use after free in vgacon_invert_region+0x9d/0x110 at addr
ffff880000100000
Read of size 2 by task syz-executor.1/16489
page:ffffea0000004000 count:0 mapcount:-127 mapping: (null)
index:0x0
page flags: 0xfffff00000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 16489 Comm: syz-executor.1 Not tainted
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
Call Trace:
[] dump_stack+0x1e/0x20
[] kasan_report+0x577/0x950
[] __asan_load2+0x62/0x80
[] vgacon_invert_region+0x9d/0x110
[] invert_screen+0xe5/0x470
[] set_selection+0x44b/0x12f0
[] tioclinux+0xee/0x490
[] vt_ioctl+0xff4/0x2670
[] tty_ioctl+0x46a/0x1a10
[] do_vfs_ioctl+0x5bd/0xc40
[] SyS_ioctl+0x132/0x170
[] system_call_fastpath+0x22/0x27
Memory state around the buggy address:
ffff8800000fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00
ffff8800000fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00
>ffff880000100000: ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ffIt can be reproduce in the linux mainline by the program:
#include
#include
#include
#include
#include
#include
#include
#includestruct tiocl_selection {
unsigned short xs; /* X start */
unsigned short ys; /* Y start */
unsigned short xe; /* X end */
unsigned short ye; /* Y end */
unsigned short sel_mode; /* selection mode */
};#define TIOCL_SETSEL 2
struct tiocl {
unsigned char type;
unsigned char pad;
struct tiocl_selection sel;
};int main()
{
int fd = 0;
const char *dev = "/dev/char/4:1";struct vt_consize v = {0};
struct tiocl tioc = {0};fd = open(dev, O_RDWR, 0);
v.v_rows = 3346;
ioctl(fd, VT_RESIZEX, &v);tioc.type = TIOCL_SETSEL;
ioctl(fd, TIOCLINUX, &tioc);return 0;
}When resize the screen, update the 'vc->vc_size_row' to the new_row_size,
but when 'set_origin' in 'vgacon_set_origin', vgacon use 'vga_vram_base'
for 'vc_origin' and 'vc_visible_origin', not 'vc_screenbuf'. It maybe
smaller than 'vc_screenbuf'. When TIOCLINUX, use the new_row_size to calc
the offset, it maybe larger than the vga_vram_size in vgacon driver, then
bad access.
Also, if set an larger screenbuf firstly, then set an more larger
screenbuf, when copy old_origin to new_origin, a bad access may happen.So, If the screen size larger than vga_vram, resize screen should be
failed. This alse fix CVE-2020-8649 and CVE-2020-8647.Linus pointed out that overflow checking seems absent. We're saved by
the existing bounds checks in vc_do_resize() with rather strict
limits:if (cols > VC_RESIZE_MAXCOL || lines > VC_RESIZE_MAXROW)
return -EINVAL;Fixes: 0aec4867dca14 ("[PATCH] SVGATextMode fix")
Reference: CVE-2020-8647 and CVE-2020-8649
Reported-by: Hulk Robot
Signed-off-by: Zhang Xiaoxu
[danvet: augment commit message to point out overflow safety]
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Vetter
Link: https://patchwork.freedesktop.org/patch/msgid/20200304022429.37738-1-zhangxiaoxu5@huawei.com
Signed-off-by: Greg Kroah-Hartman
08 Mar, 2020
1 commit
-
Merge Linux stable release v5.4.24 into imx_5.4.y
* tag 'v5.4.24': (3306 commits)
Linux 5.4.24
blktrace: Protect q->blk_trace with RCU
kvm: nVMX: VMWRITE checks unsupported field before read-only field
...Signed-off-by: Jason Liu
Conflicts:
arch/arm/boot/dts/imx6sll-evk.dts
arch/arm/boot/dts/imx7ulp.dtsi
arch/arm64/boot/dts/freescale/fsl-ls1028a.dtsi
drivers/clk/imx/clk-composite-8m.c
drivers/gpio/gpio-mxc.c
drivers/irqchip/Kconfig
drivers/mmc/host/sdhci-of-esdhc.c
drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
drivers/net/can/flexcan.c
drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
drivers/net/ethernet/mscc/ocelot.c
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
drivers/net/phy/realtek.c
drivers/pci/controller/mobiveil/pcie-mobiveil-host.c
drivers/perf/fsl_imx8_ddr_perf.c
drivers/tee/optee/shm_pool.c
drivers/usb/cdns3/gadget.c
kernel/sched/cpufreq.c
net/core/xdp.c
sound/soc/fsl/fsl_esai.c
sound/soc/fsl/fsl_sai.c
sound/soc/sof/core.c
sound/soc/sof/imx/Kconfig
sound/soc/sof/loader.c
24 Feb, 2020
1 commit
-
[ Upstream commit 3c911fe799d1c338d94b78e7182ad452c37af897 ]
In the probe function, some resources are allocated using 'dma_alloc_wc()',
they should be released with 'dma_free_wc()', not 'dma_free_coherent()'.We already use 'dma_free_wc()' in the remove function, but not in the
error handling path of the probe function.Also, remove a useless 'PAGE_ALIGN()'. 'info->fix.smem_len' is already
PAGE_ALIGNed.Fixes: 638772c7553f ("fb: add support of LCD display controller on pxa168/910 (base layer)")
Signed-off-by: Christophe JAILLET
Reviewed-by: Lubomir Rintel
CC: YueHaibing
Signed-off-by: Bartlomiej Zolnierkiewicz
Link: https://patchwork.freedesktop.org/patch/msgid/20190831100024.3248-1-christophe.jaillet@wanadoo.fr
Signed-off-by: Sasha Levin
26 Dec, 2019
1 commit
-
Since using power domains to handle the mipi phy power
management in gpcv2 driver for mipi phy domain, remove
the legacy unncessary regulator related code for mipi
phy.Signed-off-by: Fancy Fang
Reviewed-by: Robby Cai
18 Dec, 2019
3 commits
-
sii902x hdmi cable detect thread is trigged by
event FB_EVENT_FB_REGISTERED in register_framebuffer function
when device bootup.when CONFIG_FB_MXC_OVERLAY is enabled, pixel clock has
chance to be disabled by overlay fb.
In this case cable detect thread will fail to get cable state
and sii902x hdmi will not initialized.Fix it with immediate execute the cable detect thread and
add 20ms delay to wait cable detect thread get the cable state.Signed-off-by: Sandor Yu
Reviewed-by: Robby Cai -
Fix the followed build warning.
drivers/video/fbdev/mxc/mxc_hdmi.c: In function ‘mxc_hdmi_cable_connected’:
drivers/video/fbdev/mxc/mxc_hdmi.c:1964:3: warning: this statement may fall through [-Wimplicit-fallthrough=]
mxc_hdmi_default_edid_cfg(hdmi);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/video/fbdev/mxc/mxc_hdmi.c:1966:2: note: here
case HDMI_EDID_NO_MODES:
^~~~Signed-off-by: Sandor Yu
-
commit 6039f37dd6b76641198e290f26b31c475248f567 upstream.
The bar values are little endian, not big endian. The pack
function did it right but the unpack got it wrong. Fix it.Cc: stable@vger.kernel.org
Cc: linux-media@vger.kernel.org
Cc: Martin Bugge
Cc: Hans Verkuil
Cc: Thierry Reding
Cc: Mauro Carvalho Chehab
Fixes: 2c676f378edb ("[media] hdmi: added unpack and logging functions for InfoFrames")
Signed-off-by: Ville Syrjälä
Link: https://patchwork.freedesktop.org/patch/msgid/20190919132853.30954-1-ville.syrjala@linux.intel.com
Reviewed-by: Thierry Reding
Signed-off-by: Greg Kroah-Hartman
03 Dec, 2019
3 commits
-
fix following build warning:
../drivers/video/fbdev/mxc/mxc_hdmi.c: In function 'mxc_hdmi_cable_connected':
../drivers/video/fbdev/mxc/mxc_hdmi.c:1964:3: warning: this statement may fall through [-Wimplicit-fallthrough=]
mxc_hdmi_default_edid_cfg(hdmi);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/video/fbdev/mxc/mxc_hdmi.c:1966:2: note: here
case HDMI_EDID_NO_MODES:
^~~~Signed-off-by: Robby Cai
Reviewed-by: Sandor Yu
(cherry picked from commit ca5ffb6e67b6c4ce7351285a184179bd3c20afc5) -
Since the commit
commit 212836a9929f0c91214a8a1879e6e41be0e26a6f
Author: Christoph Hellwig
Date: Fri Jul 26 08:58:36 2019 +0200dma-mapping: remove dma_{alloc,free,mmap}_writecombine
has removed dma_alloc_writecombine interface, below build
error occured:drivers/video/fbdev/mxsfb.c: In function ‘mxsfb_overlay_map_video_memory’:
drivers/video/fbdev/mxsfb.c:2059:19: error: implicit declaration of function ‘dma_alloc_writecombine’; did you mean ‘pgprot_writecombine’? [-Werror=implicit-function-declaration]
2059 | ofb->video_mem = dma_alloc_writecombine(ofb->dev,
| ^~~~~~~~~~~~~~~~~~~~~~
| pgprot_writecombine
drivers/video/fbdev/mxsfb.c:2059:17: warning: assignment to ‘void *’ from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
2059 | ofb->video_mem = dma_alloc_writecombine(ofb->dev,
| ^
drivers/video/fbdev/mxsfb.c: In function ‘mxsfb_overlay_exit’:
drivers/video/fbdev/mxsfb.c:2134:4: error: implicit declaration of function ‘dma_free_writecombine’; did you mean ‘pgprot_writecombine’? [-Werror=implicit-function-declaration]
2134 | dma_free_writecombine(ofb->dev, ofb->video_mem_size,
| ^~~~~~~~~~~~~~~~~~~~~
| pgprot_writecombineSigned-off-by: Fancy Fang
-
Since the commit
commit cf4a3ae4ef3399179166a464af1d6b172225bef4
Author: Daniel Vetter
Date: Tue May 28 11:02:47 2019 +0200fbdev: lock_fb_info cannot fail
has changed the lock_fb_info() to void type, so cannot check its
return value anymore.Signed-off-by: Fancy Fang
02 Dec, 2019
2 commits
-
* display/next: (340 commits)
LF-94: drm: hdmi: imx: Add hdmi phy video mode valid function
drm: hdmi: imx8: fix wrong hdmi type with non-SCDC HDMI sinks
Revert "drm/imx/hdp: fix issue with non-SCDC HDMI sinks"
drm/bridge: nwl-dsi Correct the DSI init sequence
gpu: imx: framegen: Use crtc_clock instead of mode clock
... -
* origin/display/fbdev: (26 commits)
MLK-22768 video: fbdev: mxc_ipuv3_fb: Handle enabled fg properly when set-par happens on bg
video: fbdev: mxsfb: Fix writecombine/wc build error
MLK-22084: fbdev: hdmi: Fix HDCP function failed work with Sony TV
fbdev: dcic: Enable imx6 dcic driver
video: fbdev: mxc: hdmi: add hdmi framebuffer driver
...
25 Nov, 2019
2 commits
-
When we do set-par for background framebuffer without on-the-fly
flag being set, we should also unset the enabled overlay framebuffer's
on-the-fly flag, otherwise the overlay framebuffer cannot be enabled
again properly because a full mode set procedure is needed for overlay
framebuffer as it experiences a period of time when background
framebuffer stops fetching frames.Signed-off-by: Liu Ying
-
Signed-off-by: Leonard Crestez