<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/video, branch linux-3.16.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>x86/cpu: Rename cpu_data.x86_mask to cpu_data.x86_stepping</title>
<updated>2020-06-11T18:05:55+00:00</updated>
<author>
<name>Jia Zhang</name>
<email>qianyue.zj@alibaba-inc.com</email>
</author>
<published>2018-01-01T01:52:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=582f3009d4511bdd12a4d88ae52da46359cd88aa'/>
<id>582f3009d4511bdd12a4d88ae52da46359cd88aa</id>
<content type='text'>
commit b399151cb48db30ad1e0e93dd40d68c6d007b637 upstream.

x86_mask is a confusing name which is hard to associate with the
processor's stepping.

Additionally, correct an indent issue in lib/cpu.c.

Signed-off-by: Jia Zhang &lt;qianyue.zj@alibaba-inc.com&gt;
[ Updated it to more recent kernels. ]
Cc: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Cc: Peter Zijlstra &lt;peterz@infradead.org&gt;
Cc: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Cc: bp@alien8.de
Cc: tony.luck@intel.com
Link: http://lkml.kernel.org/r/1514771530-70829-1-git-send-email-qianyue.zj@alibaba-inc.com
Signed-off-by: Ingo Molnar &lt;mingo@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
[bwh: Backported to 3.16:
 - Drop changes in arch/x86/lib/cpu.c
 - Adjust filenames, context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit b399151cb48db30ad1e0e93dd40d68c6d007b637 upstream.

x86_mask is a confusing name which is hard to associate with the
processor's stepping.

Additionally, correct an indent issue in lib/cpu.c.

Signed-off-by: Jia Zhang &lt;qianyue.zj@alibaba-inc.com&gt;
[ Updated it to more recent kernels. ]
Cc: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Cc: Peter Zijlstra &lt;peterz@infradead.org&gt;
Cc: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Cc: bp@alien8.de
Cc: tony.luck@intel.com
Link: http://lkml.kernel.org/r/1514771530-70829-1-git-send-email-qianyue.zj@alibaba-inc.com
Signed-off-by: Ingo Molnar &lt;mingo@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
[bwh: Backported to 3.16:
 - Drop changes in arch/x86/lib/cpu.c
 - Adjust filenames, context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>pxa168fb: Fix the function used to release some memory in an error handling path</title>
<updated>2020-05-22T20:19:22+00:00</updated>
<author>
<name>Christophe JAILLET</name>
<email>christophe.jaillet@wanadoo.fr</email>
</author>
<published>2019-08-31T10:00:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=dfae25c5d2107bdfec7a06bdf910a27b24af6bd6'/>
<id>dfae25c5d2107bdfec7a06bdf910a27b24af6bd6</id>
<content type='text'>
commit 3c911fe799d1c338d94b78e7182ad452c37af897 upstream.

In the probe function, some resources are allocated using 'dma_alloc_wc()',
they should be released with 'dma_free_wc()', not 'dma_free_coherent()'.

We already use 'dma_free_wc()' in the remove function, but not in the
error handling path of the probe function.

Also, remove a useless 'PAGE_ALIGN()'. 'info-&gt;fix.smem_len' is already
PAGE_ALIGNed.

Fixes: 638772c7553f ("fb: add support of LCD display controller on pxa168/910 (base layer)")
Signed-off-by: Christophe JAILLET &lt;christophe.jaillet@wanadoo.fr&gt;
Reviewed-by: Lubomir Rintel &lt;lkundrak@v3.sk&gt;
CC: YueHaibing &lt;yuehaibing@huawei.com&gt;
Signed-off-by: Bartlomiej Zolnierkiewicz &lt;b.zolnierkie@samsung.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20190831100024.3248-1-christophe.jaillet@wanadoo.fr
[bwh: Backported to 3.16: Use dma_free_writecombine().]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 3c911fe799d1c338d94b78e7182ad452c37af897 upstream.

In the probe function, some resources are allocated using 'dma_alloc_wc()',
they should be released with 'dma_free_wc()', not 'dma_free_coherent()'.

We already use 'dma_free_wc()' in the remove function, but not in the
error handling path of the probe function.

Also, remove a useless 'PAGE_ALIGN()'. 'info-&gt;fix.smem_len' is already
PAGE_ALIGNed.

Fixes: 638772c7553f ("fb: add support of LCD display controller on pxa168/910 (base layer)")
Signed-off-by: Christophe JAILLET &lt;christophe.jaillet@wanadoo.fr&gt;
Reviewed-by: Lubomir Rintel &lt;lkundrak@v3.sk&gt;
CC: YueHaibing &lt;yuehaibing@huawei.com&gt;
Signed-off-by: Bartlomiej Zolnierkiewicz &lt;b.zolnierkie@samsung.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20190831100024.3248-1-christophe.jaillet@wanadoo.fr
[bwh: Backported to 3.16: Use dma_free_writecombine().]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>vgacon: Fix a UAF in vgacon_invert_region</title>
<updated>2020-04-28T18:03:40+00:00</updated>
<author>
<name>Zhang Xiaoxu</name>
<email>zhangxiaoxu5@huawei.com</email>
</author>
<published>2020-03-04T02:24:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bca2e2e83484ff63ca82c9c2c905d4e580f1a35a'/>
<id>bca2e2e83484ff63ca82c9c2c905d4e580f1a35a</id>
<content type='text'>
commit 513dc792d6060d5ef572e43852683097a8420f56 upstream.

When syzkaller tests, there is a UAF:
  BUG: KASan: use after free in vgacon_invert_region+0x9d/0x110 at addr
    ffff880000100000
  Read of size 2 by task syz-executor.1/16489
  page:ffffea0000004000 count:0 mapcount:-127 mapping:          (null)
  index:0x0
  page flags: 0xfffff00000000()
  page dumped because: kasan: bad access detected
  CPU: 1 PID: 16489 Comm: syz-executor.1 Not tainted
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
  rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
  Call Trace:
    [&lt;ffffffffb119f309&gt;] dump_stack+0x1e/0x20
    [&lt;ffffffffb04af957&gt;] kasan_report+0x577/0x950
    [&lt;ffffffffb04ae652&gt;] __asan_load2+0x62/0x80
    [&lt;ffffffffb090f26d&gt;] vgacon_invert_region+0x9d/0x110
    [&lt;ffffffffb0a39d95&gt;] invert_screen+0xe5/0x470
    [&lt;ffffffffb0a21dcb&gt;] set_selection+0x44b/0x12f0
    [&lt;ffffffffb0a3bfae&gt;] tioclinux+0xee/0x490
    [&lt;ffffffffb0a1d114&gt;] vt_ioctl+0xff4/0x2670
    [&lt;ffffffffb0a0089a&gt;] tty_ioctl+0x46a/0x1a10
    [&lt;ffffffffb052db3d&gt;] do_vfs_ioctl+0x5bd/0xc40
    [&lt;ffffffffb052e2f2&gt;] SyS_ioctl+0x132/0x170
    [&lt;ffffffffb11c9b1b&gt;] system_call_fastpath+0x22/0x27
    Memory state around the buggy address:
     ffff8800000fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     00 00
     ffff8800000fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00
     00 00 00
    &gt;ffff880000100000: ff ff ff ff ff ff ff ff ff ff ff ff ff
     ff ff ff

It can be reproduce in the linux mainline by the program:
  #include &lt;stdio.h&gt;
  #include &lt;stdlib.h&gt;
  #include &lt;unistd.h&gt;
  #include &lt;fcntl.h&gt;
  #include &lt;sys/types.h&gt;
  #include &lt;sys/stat.h&gt;
  #include &lt;sys/ioctl.h&gt;
  #include &lt;linux/vt.h&gt;

  struct tiocl_selection {
    unsigned short xs;      /* X start */
    unsigned short ys;      /* Y start */
    unsigned short xe;      /* X end */
    unsigned short ye;      /* Y end */
    unsigned short sel_mode; /* selection mode */
  };

  #define TIOCL_SETSEL    2
  struct tiocl {
    unsigned char type;
    unsigned char pad;
    struct tiocl_selection sel;
  };

  int main()
  {
    int fd = 0;
    const char *dev = "/dev/char/4:1";

    struct vt_consize v = {0};
    struct tiocl tioc = {0};

    fd = open(dev, O_RDWR, 0);

    v.v_rows = 3346;
    ioctl(fd, VT_RESIZEX, &amp;v);

    tioc.type = TIOCL_SETSEL;
    ioctl(fd, TIOCLINUX, &amp;tioc);

    return 0;
  }

When resize the screen, update the 'vc-&gt;vc_size_row' to the new_row_size,
but when 'set_origin' in 'vgacon_set_origin', vgacon use 'vga_vram_base'
for 'vc_origin' and 'vc_visible_origin', not 'vc_screenbuf'. It maybe
smaller than 'vc_screenbuf'. When TIOCLINUX, use the new_row_size to calc
the offset, it maybe larger than the vga_vram_size in vgacon driver, then
bad access.
Also, if set an larger screenbuf firstly, then set an more larger
screenbuf, when copy old_origin to new_origin, a bad access may happen.

So, If the screen size larger than vga_vram, resize screen should be
failed. This alse fix CVE-2020-8649 and CVE-2020-8647.

Linus pointed out that overflow checking seems absent. We're saved by
the existing bounds checks in vc_do_resize() with rather strict
limits:

	if (cols &gt; VC_RESIZE_MAXCOL || lines &gt; VC_RESIZE_MAXROW)
		return -EINVAL;

Fixes: 0aec4867dca14 ("[PATCH] SVGATextMode fix")
Reference: CVE-2020-8647 and CVE-2020-8649
Reported-by: Hulk Robot &lt;hulkci@huawei.com&gt;
Signed-off-by: Zhang Xiaoxu &lt;zhangxiaoxu5@huawei.com&gt;
[danvet: augment commit message to point out overflow safety]
Signed-off-by: Daniel Vetter &lt;daniel.vetter@ffwll.ch&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20200304022429.37738-1-zhangxiaoxu5@huawei.com
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 513dc792d6060d5ef572e43852683097a8420f56 upstream.

When syzkaller tests, there is a UAF:
  BUG: KASan: use after free in vgacon_invert_region+0x9d/0x110 at addr
    ffff880000100000
  Read of size 2 by task syz-executor.1/16489
  page:ffffea0000004000 count:0 mapcount:-127 mapping:          (null)
  index:0x0
  page flags: 0xfffff00000000()
  page dumped because: kasan: bad access detected
  CPU: 1 PID: 16489 Comm: syz-executor.1 Not tainted
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
  rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
  Call Trace:
    [&lt;ffffffffb119f309&gt;] dump_stack+0x1e/0x20
    [&lt;ffffffffb04af957&gt;] kasan_report+0x577/0x950
    [&lt;ffffffffb04ae652&gt;] __asan_load2+0x62/0x80
    [&lt;ffffffffb090f26d&gt;] vgacon_invert_region+0x9d/0x110
    [&lt;ffffffffb0a39d95&gt;] invert_screen+0xe5/0x470
    [&lt;ffffffffb0a21dcb&gt;] set_selection+0x44b/0x12f0
    [&lt;ffffffffb0a3bfae&gt;] tioclinux+0xee/0x490
    [&lt;ffffffffb0a1d114&gt;] vt_ioctl+0xff4/0x2670
    [&lt;ffffffffb0a0089a&gt;] tty_ioctl+0x46a/0x1a10
    [&lt;ffffffffb052db3d&gt;] do_vfs_ioctl+0x5bd/0xc40
    [&lt;ffffffffb052e2f2&gt;] SyS_ioctl+0x132/0x170
    [&lt;ffffffffb11c9b1b&gt;] system_call_fastpath+0x22/0x27
    Memory state around the buggy address:
     ffff8800000fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     00 00
     ffff8800000fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00
     00 00 00
    &gt;ffff880000100000: ff ff ff ff ff ff ff ff ff ff ff ff ff
     ff ff ff

It can be reproduce in the linux mainline by the program:
  #include &lt;stdio.h&gt;
  #include &lt;stdlib.h&gt;
  #include &lt;unistd.h&gt;
  #include &lt;fcntl.h&gt;
  #include &lt;sys/types.h&gt;
  #include &lt;sys/stat.h&gt;
  #include &lt;sys/ioctl.h&gt;
  #include &lt;linux/vt.h&gt;

  struct tiocl_selection {
    unsigned short xs;      /* X start */
    unsigned short ys;      /* Y start */
    unsigned short xe;      /* X end */
    unsigned short ye;      /* Y end */
    unsigned short sel_mode; /* selection mode */
  };

  #define TIOCL_SETSEL    2
  struct tiocl {
    unsigned char type;
    unsigned char pad;
    struct tiocl_selection sel;
  };

  int main()
  {
    int fd = 0;
    const char *dev = "/dev/char/4:1";

    struct vt_consize v = {0};
    struct tiocl tioc = {0};

    fd = open(dev, O_RDWR, 0);

    v.v_rows = 3346;
    ioctl(fd, VT_RESIZEX, &amp;v);

    tioc.type = TIOCL_SETSEL;
    ioctl(fd, TIOCLINUX, &amp;tioc);

    return 0;
  }

When resize the screen, update the 'vc-&gt;vc_size_row' to the new_row_size,
but when 'set_origin' in 'vgacon_set_origin', vgacon use 'vga_vram_base'
for 'vc_origin' and 'vc_visible_origin', not 'vc_screenbuf'. It maybe
smaller than 'vc_screenbuf'. When TIOCLINUX, use the new_row_size to calc
the offset, it maybe larger than the vga_vram_size in vgacon driver, then
bad access.
Also, if set an larger screenbuf firstly, then set an more larger
screenbuf, when copy old_origin to new_origin, a bad access may happen.

So, If the screen size larger than vga_vram, resize screen should be
failed. This alse fix CVE-2020-8649 and CVE-2020-8647.

Linus pointed out that overflow checking seems absent. We're saved by
the existing bounds checks in vc_do_resize() with rather strict
limits:

	if (cols &gt; VC_RESIZE_MAXCOL || lines &gt; VC_RESIZE_MAXROW)
		return -EINVAL;

Fixes: 0aec4867dca14 ("[PATCH] SVGATextMode fix")
Reference: CVE-2020-8647 and CVE-2020-8649
Reported-by: Hulk Robot &lt;hulkci@huawei.com&gt;
Signed-off-by: Zhang Xiaoxu &lt;zhangxiaoxu5@huawei.com&gt;
[danvet: augment commit message to point out overflow safety]
Signed-off-by: Daniel Vetter &lt;daniel.vetter@ffwll.ch&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20200304022429.37738-1-zhangxiaoxu5@huawei.com
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>video: fbdev: Set pixclock = 0 in goldfishfb</title>
<updated>2020-01-11T02:04:56+00:00</updated>
<author>
<name>Christoffer Dall</name>
<email>christoffer.dall@linaro.org</email>
</author>
<published>2018-07-03T15:43:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fefa18a9fe8234938e525ab4ba2c6e197c1d2ed6'/>
<id>fefa18a9fe8234938e525ab4ba2c6e197c1d2ed6</id>
<content type='text'>
commit ace6033ec5c356615eaa3582fb1946e9eaff6662 upstream.

User space Android code identifies pixclock == 0 as a sign for emulation
and will set the frame rate to 60 fps when reading this value, which is
the desired outcome.

Signed-off-by: Christoffer Dall &lt;christoffer.dall@linaro.org&gt;
Signed-off-by: Peter Maydell &lt;peter.maydell@linaro.org&gt;
Signed-off-by: Roman Kiryanov &lt;rkir@google.com&gt;
Signed-off-by: Bartlomiej Zolnierkiewicz &lt;b.zolnierkie@samsung.com&gt;
Cc: Arnd Bergmann &lt;arnd@arndb.de&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit ace6033ec5c356615eaa3582fb1946e9eaff6662 upstream.

User space Android code identifies pixclock == 0 as a sign for emulation
and will set the frame rate to 60 fps when reading this value, which is
the desired outcome.

Signed-off-by: Christoffer Dall &lt;christoffer.dall@linaro.org&gt;
Signed-off-by: Peter Maydell &lt;peter.maydell@linaro.org&gt;
Signed-off-by: Roman Kiryanov &lt;rkir@google.com&gt;
Signed-off-by: Bartlomiej Zolnierkiewicz &lt;b.zolnierkie@samsung.com&gt;
Cc: Arnd Bergmann &lt;arnd@arndb.de&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>drm/omap: fix max fclk divider for omap36xx</title>
<updated>2019-12-19T15:57:57+00:00</updated>
<author>
<name>Tomi Valkeinen</name>
<email>tomi.valkeinen@ti.com</email>
</author>
<published>2019-10-02T12:25:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4b911101a5cd44fc43c1f4f2b3f162ca58c4ac42'/>
<id>4b911101a5cd44fc43c1f4f2b3f162ca58c4ac42</id>
<content type='text'>
commit e2c4ed148cf3ec8669a1d90dc66966028e5fad70 upstream.

The OMAP36xx and AM/DM37x TRMs say that the maximum divider for DSS fclk
(in CM_CLKSEL_DSS) is 32. Experimentation shows that this is not
correct, and using divider of 32 breaks DSS with a flood or underflows
and sync losts. Dividers up to 31 seem to work fine.

There is another patch to the DT files to limit the divider correctly,
but as the DSS driver also needs to know the maximum divider to be able
to iteratively find good rates, we also need to do the fix in the DSS
driver.

Signed-off-by: Tomi Valkeinen &lt;tomi.valkeinen@ti.com&gt;
Cc: Adam Ford &lt;aford173@gmail.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20191002122542.8449-1-tomi.valkeinen@ti.com
Tested-by: Adam Ford &lt;aford173@gmail.com&gt;
Reviewed-by: Jyri Sarha &lt;jsarha@ti.com&gt;
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit e2c4ed148cf3ec8669a1d90dc66966028e5fad70 upstream.

The OMAP36xx and AM/DM37x TRMs say that the maximum divider for DSS fclk
(in CM_CLKSEL_DSS) is 32. Experimentation shows that this is not
correct, and using divider of 32 breaks DSS with a flood or underflows
and sync losts. Dividers up to 31 seem to work fine.

There is another patch to the DT files to limit the divider correctly,
but as the DSS driver also needs to know the maximum divider to be able
to iteratively find good rates, we also need to do the fix in the DSS
driver.

Signed-off-by: Tomi Valkeinen &lt;tomi.valkeinen@ti.com&gt;
Cc: Adam Ford &lt;aford173@gmail.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20191002122542.8449-1-tomi.valkeinen@ti.com
Tested-by: Adam Ford &lt;aford173@gmail.com&gt;
Reviewed-by: Jyri Sarha &lt;jsarha@ti.com&gt;
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>video: of: display_timing: Add of_node_put() in of_get_display_timing()</title>
<updated>2019-12-10T18:01:11+00:00</updated>
<author>
<name>Douglas Anderson</name>
<email>dianders@chromium.org</email>
</author>
<published>2019-07-22T18:24:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ae9efb9abd7575453a1e2d1a96cb6d32f34ddde9'/>
<id>ae9efb9abd7575453a1e2d1a96cb6d32f34ddde9</id>
<content type='text'>
commit 4faba50edbcc1df467f8f308893edc3fdd95536e upstream.

From code inspection it can be seen that of_get_display_timing() is
lacking an of_node_put().  Add it.

Fixes: ffa3fd21de8a ("videomode: implement public of_get_display_timing()")
Signed-off-by: Douglas Anderson &lt;dianders@chromium.org&gt;
Reviewed-by: Sam Ravnborg &lt;sam@ravnborg.org&gt;
Cc: Thierry Reding &lt;thierry.reding@gmail.com&gt;
Cc: David Airlie &lt;airlied@linux.ie&gt;
Cc: Philipp Zabel &lt;p.zabel@pengutronix.de&gt;
Cc: Tomi Valkeinen &lt;tomi.valkeinen@ti.com&gt;
Cc: Laurent Pinchart &lt;laurent.pinchart@ideasonboard.com&gt;
Cc: Russell King &lt;linux@armlinux.org.uk&gt;
Cc: Daniel Vetter &lt;daniel@ffwll.ch&gt;
Signed-off-by: Bartlomiej Zolnierkiewicz &lt;b.zolnierkie@samsung.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20190722182439.44844-2-dianders@chromium.org
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 4faba50edbcc1df467f8f308893edc3fdd95536e upstream.

From code inspection it can be seen that of_get_display_timing() is
lacking an of_node_put().  Add it.

Fixes: ffa3fd21de8a ("videomode: implement public of_get_display_timing()")
Signed-off-by: Douglas Anderson &lt;dianders@chromium.org&gt;
Reviewed-by: Sam Ravnborg &lt;sam@ravnborg.org&gt;
Cc: Thierry Reding &lt;thierry.reding@gmail.com&gt;
Cc: David Airlie &lt;airlied@linux.ie&gt;
Cc: Philipp Zabel &lt;p.zabel@pengutronix.de&gt;
Cc: Tomi Valkeinen &lt;tomi.valkeinen@ti.com&gt;
Cc: Laurent Pinchart &lt;laurent.pinchart@ideasonboard.com&gt;
Cc: Russell King &lt;linux@armlinux.org.uk&gt;
Cc: Daniel Vetter &lt;daniel@ffwll.ch&gt;
Signed-off-by: Bartlomiej Zolnierkiewicz &lt;b.zolnierkie@samsung.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20190722182439.44844-2-dianders@chromium.org
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>video: ssd1307fb: Start page range at page_offset</title>
<updated>2019-12-10T18:01:09+00:00</updated>
<author>
<name>Marko Kohtala</name>
<email>marko.kohtala@okoko.fi</email>
</author>
<published>2019-06-18T07:41:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9bffc2e4f74756168b7f8a5ed67c8b667b34d23f'/>
<id>9bffc2e4f74756168b7f8a5ed67c8b667b34d23f</id>
<content type='text'>
commit dd9782834dd9dde3624ff1acea8859f3d3e792d4 upstream.

The page_offset was only applied to the end of the page range. This caused
the display updates to cause a scrolling effect on the display because the
amount of data written to the display did not match the range display
expected.

Fixes: 301bc0675b67 ("video: ssd1307fb: Make use of horizontal addressing mode")
Signed-off-by: Marko Kohtala &lt;marko.kohtala@okoko.fi&gt;
Cc: Mark Rutland &lt;mark.rutland@arm.com&gt;
Cc: Rob Herring &lt;robh+dt@kernel.org&gt;
Cc: Daniel Vetter &lt;daniel@ffwll.ch&gt;
Cc: David Airlie &lt;airlied@linux.ie&gt;
Cc: Michal Vokáč &lt;michal.vokac@ysoft.com&gt;
Signed-off-by: Bartlomiej Zolnierkiewicz &lt;b.zolnierkie@samsung.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20190618074111.9309-4-marko.kohtala@okoko.fi
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit dd9782834dd9dde3624ff1acea8859f3d3e792d4 upstream.

The page_offset was only applied to the end of the page range. This caused
the display updates to cause a scrolling effect on the display because the
amount of data written to the display did not match the range display
expected.

Fixes: 301bc0675b67 ("video: ssd1307fb: Make use of horizontal addressing mode")
Signed-off-by: Marko Kohtala &lt;marko.kohtala@okoko.fi&gt;
Cc: Mark Rutland &lt;mark.rutland@arm.com&gt;
Cc: Rob Herring &lt;robh+dt@kernel.org&gt;
Cc: Daniel Vetter &lt;daniel@ffwll.ch&gt;
Cc: David Airlie &lt;airlied@linux.ie&gt;
Cc: Michal Vokáč &lt;michal.vokac@ysoft.com&gt;
Signed-off-by: Bartlomiej Zolnierkiewicz &lt;b.zolnierkie@samsung.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20190618074111.9309-4-marko.kohtala@okoko.fi
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fbdev: ssd1307fb: return proper error code if write command fails</title>
<updated>2019-12-10T18:01:09+00:00</updated>
<author>
<name>Prabhakar Lad</name>
<email>prabhakar.csengg@gmail.com</email>
</author>
<published>2015-01-15T19:05:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e354d535f45d10dc8448c52ba468497497c29753'/>
<id>e354d535f45d10dc8448c52ba468497497c29753</id>
<content type='text'>
commit 5b72ae9a901cbfbe632570f278486142b037fe51 upstream.

this patch fixes ssd1307fb_ssd1306_init() function to return
proper error codes in case of failures.

Signed-off-by: Lad, Prabhakar &lt;prabhakar.csengg@gmail.com&gt;
Signed-off-by: Tomi Valkeinen &lt;tomi.valkeinen@ti.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 5b72ae9a901cbfbe632570f278486142b037fe51 upstream.

this patch fixes ssd1307fb_ssd1306_init() function to return
proper error codes in case of failures.

Signed-off-by: Lad, Prabhakar &lt;prabhakar.csengg@gmail.com&gt;
Signed-off-by: Tomi Valkeinen &lt;tomi.valkeinen@ti.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>backlight: lm3630a: Return 0 on success in update_status functions</title>
<updated>2019-09-23T20:12:06+00:00</updated>
<author>
<name>Brian Masney</name>
<email>masneyb@onstation.org</email>
</author>
<published>2019-04-24T09:25:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6417b14d06aacec51e33d2a75726f7dc06783099'/>
<id>6417b14d06aacec51e33d2a75726f7dc06783099</id>
<content type='text'>
commit d3f48ec0954c6aac736ab21c34a35d7554409112 upstream.

lm3630a_bank_a_update_status() and lm3630a_bank_b_update_status()
both return the brightness value if the brightness was successfully
updated. Writing to these attributes via sysfs would cause a 'Bad
address' error to be returned. These functions should return 0 on
success, so let's change it to correct that error.

Fixes: 28e64a68a2ef ("backlight: lm3630: apply chip revision")
Signed-off-by: Brian Masney &lt;masneyb@onstation.org&gt;
Acked-by: Pavel Machek &lt;pavel@ucw.cz&gt;
Acked-by: Daniel Thompson &lt;daniel.thompson@linaro.org&gt;
Signed-off-by: Lee Jones &lt;lee.jones@linaro.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit d3f48ec0954c6aac736ab21c34a35d7554409112 upstream.

lm3630a_bank_a_update_status() and lm3630a_bank_b_update_status()
both return the brightness value if the brightness was successfully
updated. Writing to these attributes via sysfs would cause a 'Bad
address' error to be returned. These functions should return 0 on
success, so let's change it to correct that error.

Fixes: 28e64a68a2ef ("backlight: lm3630: apply chip revision")
Signed-off-by: Brian Masney &lt;masneyb@onstation.org&gt;
Acked-by: Pavel Machek &lt;pavel@ucw.cz&gt;
Acked-by: Daniel Thompson &lt;daniel.thompson@linaro.org&gt;
Signed-off-by: Lee Jones &lt;lee.jones@linaro.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>omap2fb: Fix stack memory disclosure</title>
<updated>2019-05-02T20:41:19+00:00</updated>
<author>
<name>Vlad Tsyrklevich</name>
<email>vlad@tsyrklevich.net</email>
</author>
<published>2019-01-11T13:34:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=cce7cb83976e0413f0b1e77f70e1d0aa508e7d20'/>
<id>cce7cb83976e0413f0b1e77f70e1d0aa508e7d20</id>
<content type='text'>
commit a01421e4484327fe44f8e126793ed5a48a221e24 upstream.

Using [1] for static analysis I found that the OMAPFB_QUERY_PLANE,
OMAPFB_GET_COLOR_KEY, OMAPFB_GET_DISPLAY_INFO, and OMAPFB_GET_VRAM_INFO
cases could all leak uninitialized stack memory--either due to
uninitialized padding or 'reserved' fields.

Fix them by clearing the shared union used to store copied out data.

[1] https://github.com/vlad902/kernel-uninitialized-memory-checker

Signed-off-by: Vlad Tsyrklevich &lt;vlad@tsyrklevich.net&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Fixes: b39a982ddecf ("OMAP: DSS2: omapfb driver")
Cc: security@kernel.org
[b.zolnierkie: prefix patch subject with "omap2fb: "]
Signed-off-by: Bartlomiej Zolnierkiewicz &lt;b.zolnierkie@samsung.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit a01421e4484327fe44f8e126793ed5a48a221e24 upstream.

Using [1] for static analysis I found that the OMAPFB_QUERY_PLANE,
OMAPFB_GET_COLOR_KEY, OMAPFB_GET_DISPLAY_INFO, and OMAPFB_GET_VRAM_INFO
cases could all leak uninitialized stack memory--either due to
uninitialized padding or 'reserved' fields.

Fix them by clearing the shared union used to store copied out data.

[1] https://github.com/vlad902/kernel-uninitialized-memory-checker

Signed-off-by: Vlad Tsyrklevich &lt;vlad@tsyrklevich.net&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Fixes: b39a982ddecf ("OMAP: DSS2: omapfb driver")
Cc: security@kernel.org
[b.zolnierkie: prefix patch subject with "omap2fb: "]
Signed-off-by: Bartlomiej Zolnierkiewicz &lt;b.zolnierkie@samsung.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
</feed>
