<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/video, branch v4.9.162</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>fbdev: fbcon: Fix unregister crash when more than one framebuffer</title>
<updated>2019-02-12T18:44:57+00:00</updated>
<author>
<name>Noralf Trønnes</name>
<email>noralf@tronnes.org</email>
</author>
<published>2018-12-20T18:13:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=38e753847b70d6eb0f68e4d48b95c32ff042718d'/>
<id>38e753847b70d6eb0f68e4d48b95c32ff042718d</id>
<content type='text'>
[ Upstream commit 2122b40580dd9d0620398739c773d07a7b7939d0 ]

When unregistering fbdev using unregister_framebuffer(), any bound
console will unbind automatically. This is working fine if this is the
only framebuffer, resulting in a switch to the dummy console. However if
there is a fb0 and I unregister fb1 having a bound console, I eventually
get a crash. The fastest way for me to trigger the crash is to do a
reboot, resulting in this splat:

[   76.478825] WARNING: CPU: 0 PID: 527 at linux/kernel/workqueue.c:1442 __queue_work+0x2d4/0x41c
[   76.478849] Modules linked in: raspberrypi_hwmon gpio_backlight backlight bcm2835_rng rng_core [last unloaded: tinydrm]
[   76.478916] CPU: 0 PID: 527 Comm: systemd-udevd Not tainted 4.20.0-rc4+ #4
[   76.478933] Hardware name: BCM2835
[   76.478949] Backtrace:
[   76.478995] [&lt;c010d388&gt;] (dump_backtrace) from [&lt;c010d670&gt;] (show_stack+0x20/0x24)
[   76.479022]  r6:00000000 r5:c0bc73be r4:00000000 r3:6fb5bf81
[   76.479060] [&lt;c010d650&gt;] (show_stack) from [&lt;c08e82f4&gt;] (dump_stack+0x20/0x28)
[   76.479102] [&lt;c08e82d4&gt;] (dump_stack) from [&lt;c0120070&gt;] (__warn+0xec/0x12c)
[   76.479134] [&lt;c011ff84&gt;] (__warn) from [&lt;c01201e4&gt;] (warn_slowpath_null+0x4c/0x58)
[   76.479165]  r9:c0eb6944 r8:00000001 r7:c0e927f8 r6:c0bc73be r5:000005a2 r4:c0139e84
[   76.479197] [&lt;c0120198&gt;] (warn_slowpath_null) from [&lt;c0139e84&gt;] (__queue_work+0x2d4/0x41c)
[   76.479222]  r6:d7666a00 r5:c0e918ee r4:dbc4e700
[   76.479251] [&lt;c0139bb0&gt;] (__queue_work) from [&lt;c013a02c&gt;] (queue_work_on+0x60/0x88)
[   76.479281]  r10:c0496bf8 r9:00000100 r8:c0e92ae0 r7:00000001 r6:d9403700 r5:d7666a00
[   76.479298]  r4:20000113
[   76.479348] [&lt;c0139fcc&gt;] (queue_work_on) from [&lt;c0496c28&gt;] (cursor_timer_handler+0x30/0x54)
[   76.479374]  r7:d8a8fabc r6:c0e08088 r5:d8afdc5c r4:d8a8fabc
[   76.479413] [&lt;c0496bf8&gt;] (cursor_timer_handler) from [&lt;c0178744&gt;] (call_timer_fn+0x100/0x230)
[   76.479435]  r4:c0e9192f r3:d758a340
[   76.479465] [&lt;c0178644&gt;] (call_timer_fn) from [&lt;c0178980&gt;] (expire_timers+0x10c/0x12c)
[   76.479495]  r10:40000000 r9:c0e9192f r8:c0e92ae0 r7:d8afdccc r6:c0e19280 r5:c0496bf8
[   76.479513]  r4:d8a8fabc
[   76.479541] [&lt;c0178874&gt;] (expire_timers) from [&lt;c0179630&gt;] (run_timer_softirq+0xa8/0x184)
[   76.479570]  r9:00000001 r8:c0e19280 r7:00000000 r6:c0e08088 r5:c0e1a3e0 r4:c0e19280
[   76.479603] [&lt;c0179588&gt;] (run_timer_softirq) from [&lt;c0102404&gt;] (__do_softirq+0x1ac/0x3fc)
[   76.479632]  r10:c0e91680 r9:d8afc020 r8:0000000a r7:00000100 r6:00000001 r5:00000002
[   76.479650]  r4:c0eb65ec
[   76.479686] [&lt;c0102258&gt;] (__do_softirq) from [&lt;c0124d10&gt;] (irq_exit+0xe8/0x168)
[   76.479716]  r10:d8d1a9b0 r9:d8afc000 r8:00000001 r7:d949c000 r6:00000000 r5:c0e8b3f0
[   76.479734]  r4:00000000
[   76.479764] [&lt;c0124c28&gt;] (irq_exit) from [&lt;c016b72c&gt;] (__handle_domain_irq+0x94/0xb0)
[   76.479793] [&lt;c016b698&gt;] (__handle_domain_irq) from [&lt;c01021dc&gt;] (bcm2835_handle_irq+0x3c/0x48)
[   76.479823]  r8:d8afdebc r7:d8afddfc r6:ffffffff r5:c0e089f8 r4:d8afddc8 r3:d8afddc8
[   76.479851] [&lt;c01021a0&gt;] (bcm2835_handle_irq) from [&lt;c01019f0&gt;] (__irq_svc+0x70/0x98)

The problem is in the console rebinding in fbcon_fb_unbind(). It uses the
virtual console index as the new framebuffer index to bind the console(s)
to. The correct way is to use the con2fb_map lookup table to find the
framebuffer index.

Fixes: cfafca8067c6 ("fbdev: fbcon: console unregistration from unregister_framebuffer")
Signed-off-by: Noralf Trønnes &lt;noralf@tronnes.org&gt;
Reviewed-by: Mikulas Patocka &lt;mpatocka@redhat.com&gt;
Acked-by: Daniel Vetter &lt;daniel.vetter@ffwll.ch&gt;
Signed-off-by: Bartlomiej Zolnierkiewicz &lt;b.zolnierkie@samsung.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 2122b40580dd9d0620398739c773d07a7b7939d0 ]

When unregistering fbdev using unregister_framebuffer(), any bound
console will unbind automatically. This is working fine if this is the
only framebuffer, resulting in a switch to the dummy console. However if
there is a fb0 and I unregister fb1 having a bound console, I eventually
get a crash. The fastest way for me to trigger the crash is to do a
reboot, resulting in this splat:

[   76.478825] WARNING: CPU: 0 PID: 527 at linux/kernel/workqueue.c:1442 __queue_work+0x2d4/0x41c
[   76.478849] Modules linked in: raspberrypi_hwmon gpio_backlight backlight bcm2835_rng rng_core [last unloaded: tinydrm]
[   76.478916] CPU: 0 PID: 527 Comm: systemd-udevd Not tainted 4.20.0-rc4+ #4
[   76.478933] Hardware name: BCM2835
[   76.478949] Backtrace:
[   76.478995] [&lt;c010d388&gt;] (dump_backtrace) from [&lt;c010d670&gt;] (show_stack+0x20/0x24)
[   76.479022]  r6:00000000 r5:c0bc73be r4:00000000 r3:6fb5bf81
[   76.479060] [&lt;c010d650&gt;] (show_stack) from [&lt;c08e82f4&gt;] (dump_stack+0x20/0x28)
[   76.479102] [&lt;c08e82d4&gt;] (dump_stack) from [&lt;c0120070&gt;] (__warn+0xec/0x12c)
[   76.479134] [&lt;c011ff84&gt;] (__warn) from [&lt;c01201e4&gt;] (warn_slowpath_null+0x4c/0x58)
[   76.479165]  r9:c0eb6944 r8:00000001 r7:c0e927f8 r6:c0bc73be r5:000005a2 r4:c0139e84
[   76.479197] [&lt;c0120198&gt;] (warn_slowpath_null) from [&lt;c0139e84&gt;] (__queue_work+0x2d4/0x41c)
[   76.479222]  r6:d7666a00 r5:c0e918ee r4:dbc4e700
[   76.479251] [&lt;c0139bb0&gt;] (__queue_work) from [&lt;c013a02c&gt;] (queue_work_on+0x60/0x88)
[   76.479281]  r10:c0496bf8 r9:00000100 r8:c0e92ae0 r7:00000001 r6:d9403700 r5:d7666a00
[   76.479298]  r4:20000113
[   76.479348] [&lt;c0139fcc&gt;] (queue_work_on) from [&lt;c0496c28&gt;] (cursor_timer_handler+0x30/0x54)
[   76.479374]  r7:d8a8fabc r6:c0e08088 r5:d8afdc5c r4:d8a8fabc
[   76.479413] [&lt;c0496bf8&gt;] (cursor_timer_handler) from [&lt;c0178744&gt;] (call_timer_fn+0x100/0x230)
[   76.479435]  r4:c0e9192f r3:d758a340
[   76.479465] [&lt;c0178644&gt;] (call_timer_fn) from [&lt;c0178980&gt;] (expire_timers+0x10c/0x12c)
[   76.479495]  r10:40000000 r9:c0e9192f r8:c0e92ae0 r7:d8afdccc r6:c0e19280 r5:c0496bf8
[   76.479513]  r4:d8a8fabc
[   76.479541] [&lt;c0178874&gt;] (expire_timers) from [&lt;c0179630&gt;] (run_timer_softirq+0xa8/0x184)
[   76.479570]  r9:00000001 r8:c0e19280 r7:00000000 r6:c0e08088 r5:c0e1a3e0 r4:c0e19280
[   76.479603] [&lt;c0179588&gt;] (run_timer_softirq) from [&lt;c0102404&gt;] (__do_softirq+0x1ac/0x3fc)
[   76.479632]  r10:c0e91680 r9:d8afc020 r8:0000000a r7:00000100 r6:00000001 r5:00000002
[   76.479650]  r4:c0eb65ec
[   76.479686] [&lt;c0102258&gt;] (__do_softirq) from [&lt;c0124d10&gt;] (irq_exit+0xe8/0x168)
[   76.479716]  r10:d8d1a9b0 r9:d8afc000 r8:00000001 r7:d949c000 r6:00000000 r5:c0e8b3f0
[   76.479734]  r4:00000000
[   76.479764] [&lt;c0124c28&gt;] (irq_exit) from [&lt;c016b72c&gt;] (__handle_domain_irq+0x94/0xb0)
[   76.479793] [&lt;c016b698&gt;] (__handle_domain_irq) from [&lt;c01021dc&gt;] (bcm2835_handle_irq+0x3c/0x48)
[   76.479823]  r8:d8afdebc r7:d8afddfc r6:ffffffff r5:c0e089f8 r4:d8afddc8 r3:d8afddc8
[   76.479851] [&lt;c01021a0&gt;] (bcm2835_handle_irq) from [&lt;c01019f0&gt;] (__irq_svc+0x70/0x98)

The problem is in the console rebinding in fbcon_fb_unbind(). It uses the
virtual console index as the new framebuffer index to bind the console(s)
to. The correct way is to use the con2fb_map lookup table to find the
framebuffer index.

Fixes: cfafca8067c6 ("fbdev: fbcon: console unregistration from unregister_framebuffer")
Signed-off-by: Noralf Trønnes &lt;noralf@tronnes.org&gt;
Reviewed-by: Mikulas Patocka &lt;mpatocka@redhat.com&gt;
Acked-by: Daniel Vetter &lt;daniel.vetter@ffwll.ch&gt;
Signed-off-by: Bartlomiej Zolnierkiewicz &lt;b.zolnierkie@samsung.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fbdev: fbmem: behave better with small rotated displays and many CPUs</title>
<updated>2019-02-12T18:44:56+00:00</updated>
<author>
<name>Peter Rosin</name>
<email>peda@axentia.se</email>
</author>
<published>2018-12-20T18:13:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=06df6307c6e4a6735be96ee515b9a80f3a9ae051'/>
<id>06df6307c6e4a6735be96ee515b9a80f3a9ae051</id>
<content type='text'>
[ Upstream commit f75df8d4b4fabfad7e3cba2debfad12741c6fde7 ]

Blitting an image with "negative" offsets is not working since there
is no clipping. It hopefully just crashes. For the bootup logo, there
is protection so that blitting does not happen as the image is drawn
further and further to the right (ROTATE_UR) or further and further
down (ROTATE_CW). There is however no protection when drawing in the
opposite directions (ROTATE_UD and ROTATE_CCW).

Add back this protection.

The regression is 20-odd years old but the mindless warning-killing
mentality displayed in commit 34bdb666f4b2 ("fbdev: fbmem: remove
positive test on unsigned values") is also to blame, methinks.

Fixes: 448d479747b8 ("fbdev: fb_do_show_logo() updates")
Signed-off-by: Peter Rosin &lt;peda@axentia.se&gt;
Cc: Tomi Valkeinen &lt;tomi.valkeinen@ti.com&gt;
Cc: Fabian Frederick &lt;ffrederick@users.sourceforge.net&gt;
Cc: Geert Uytterhoeven &lt;geert+renesas@glider.be&gt;
cc: Geoff Levand &lt;geoff@infradead.org&gt;
Cc: James Simmons &lt;jsimmons@users.sf.net&gt;
Signed-off-by: Bartlomiej Zolnierkiewicz &lt;b.zolnierkie@samsung.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit f75df8d4b4fabfad7e3cba2debfad12741c6fde7 ]

Blitting an image with "negative" offsets is not working since there
is no clipping. It hopefully just crashes. For the bootup logo, there
is protection so that blitting does not happen as the image is drawn
further and further to the right (ROTATE_UR) or further and further
down (ROTATE_CW). There is however no protection when drawing in the
opposite directions (ROTATE_UD and ROTATE_CCW).

Add back this protection.

The regression is 20-odd years old but the mindless warning-killing
mentality displayed in commit 34bdb666f4b2 ("fbdev: fbmem: remove
positive test on unsigned values") is also to blame, methinks.

Fixes: 448d479747b8 ("fbdev: fb_do_show_logo() updates")
Signed-off-by: Peter Rosin &lt;peda@axentia.se&gt;
Cc: Tomi Valkeinen &lt;tomi.valkeinen@ti.com&gt;
Cc: Fabian Frederick &lt;ffrederick@users.sourceforge.net&gt;
Cc: Geert Uytterhoeven &lt;geert+renesas@glider.be&gt;
cc: Geoff Levand &lt;geoff@infradead.org&gt;
Cc: James Simmons &lt;jsimmons@users.sf.net&gt;
Signed-off-by: Bartlomiej Zolnierkiewicz &lt;b.zolnierkie@samsung.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>video: clps711x-fb: release disp device node in probe()</title>
<updated>2019-02-12T18:44:56+00:00</updated>
<author>
<name>Alexey Khoroshilov</name>
<email>khoroshilov@ispras.ru</email>
</author>
<published>2018-12-20T18:13:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=55e7919907f076f585edab28a99dc83bd0971dcd'/>
<id>55e7919907f076f585edab28a99dc83bd0971dcd</id>
<content type='text'>
[ Upstream commit fdac751355cd76e049f628afe6acb8ff4b1399f7 ]

clps711x_fb_probe() increments refcnt of disp device node by
of_parse_phandle() and leaves it undecremented on both
successful and error paths.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov &lt;khoroshilov@ispras.ru&gt;
Cc: Alexander Shiyan &lt;shc_work@mail.ru&gt;
Signed-off-by: Bartlomiej Zolnierkiewicz &lt;b.zolnierkie@samsung.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit fdac751355cd76e049f628afe6acb8ff4b1399f7 ]

clps711x_fb_probe() increments refcnt of disp device node by
of_parse_phandle() and leaves it undecremented on both
successful and error paths.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov &lt;khoroshilov@ispras.ru&gt;
Cc: Alexander Shiyan &lt;shc_work@mail.ru&gt;
Signed-off-by: Bartlomiej Zolnierkiewicz &lt;b.zolnierkie@samsung.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>omap2fb: Fix stack memory disclosure</title>
<updated>2019-01-23T07:10:55+00:00</updated>
<author>
<name>Vlad Tsyrklevich</name>
<email>vlad@tsyrklevich.net</email>
</author>
<published>2019-01-11T13:34:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f5a7973c32a39b2e16ef31f0f95ba47fcdac5b76'/>
<id>f5a7973c32a39b2e16ef31f0f95ba47fcdac5b76</id>
<content type='text'>
commit a01421e4484327fe44f8e126793ed5a48a221e24 upstream.

Using [1] for static analysis I found that the OMAPFB_QUERY_PLANE,
OMAPFB_GET_COLOR_KEY, OMAPFB_GET_DISPLAY_INFO, and OMAPFB_GET_VRAM_INFO
cases could all leak uninitialized stack memory--either due to
uninitialized padding or 'reserved' fields.

Fix them by clearing the shared union used to store copied out data.

[1] https://github.com/vlad902/kernel-uninitialized-memory-checker

Signed-off-by: Vlad Tsyrklevich &lt;vlad@tsyrklevich.net&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Fixes: b39a982ddecf ("OMAP: DSS2: omapfb driver")
Cc: security@kernel.org
[b.zolnierkie: prefix patch subject with "omap2fb: "]
Signed-off-by: Bartlomiej Zolnierkiewicz &lt;b.zolnierkie@samsung.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit a01421e4484327fe44f8e126793ed5a48a221e24 upstream.

Using [1] for static analysis I found that the OMAPFB_QUERY_PLANE,
OMAPFB_GET_COLOR_KEY, OMAPFB_GET_DISPLAY_INFO, and OMAPFB_GET_VRAM_INFO
cases could all leak uninitialized stack memory--either due to
uninitialized padding or 'reserved' fields.

Fix them by clearing the shared union used to store copied out data.

[1] https://github.com/vlad902/kernel-uninitialized-memory-checker

Signed-off-by: Vlad Tsyrklevich &lt;vlad@tsyrklevich.net&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Fixes: b39a982ddecf ("OMAP: DSS2: omapfb driver")
Cc: security@kernel.org
[b.zolnierkie: prefix patch subject with "omap2fb: "]
Signed-off-by: Bartlomiej Zolnierkiewicz &lt;b.zolnierkie@samsung.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>mach64: fix image corruption due to reading accelerator registers</title>
<updated>2018-11-21T08:26:00+00:00</updated>
<author>
<name>Mikulas Patocka</name>
<email>mpatocka@redhat.com</email>
</author>
<published>2018-10-08T10:57:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7ecf24877ea8c25625c904ac30f051c6a4bc7878'/>
<id>7ecf24877ea8c25625c904ac30f051c6a4bc7878</id>
<content type='text'>
commit c09bcc91bb94ed91f1391bffcbe294963d605732 upstream.

Reading the registers without waiting for engine idle returns
unpredictable values. These unpredictable values result in display
corruption - if atyfb_imageblit reads the content of DP_PIX_WIDTH with the
bit DP_HOST_TRIPLE_EN set (from previous invocation), the driver would
never ever clear the bit, resulting in display corruption.

We don't want to wait for idle because it would degrade performance, so
this patch modifies the driver so that it never reads accelerator
registers.

HOST_CNTL doesn't have to be read, we can just write it with
HOST_BYTE_ALIGN because no other part of the driver cares if
HOST_BYTE_ALIGN is set.

DP_PIX_WIDTH is written in the functions atyfb_copyarea and atyfb_fillrect
with the default value and in atyfb_imageblit with the value set according
to the source image data.

Signed-off-by: Mikulas Patocka &lt;mpatocka@redhat.com&gt;
Reviewed-by: Ville Syrjälä &lt;syrjala@sci.fi&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Bartlomiej Zolnierkiewicz &lt;b.zolnierkie@samsung.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit c09bcc91bb94ed91f1391bffcbe294963d605732 upstream.

Reading the registers without waiting for engine idle returns
unpredictable values. These unpredictable values result in display
corruption - if atyfb_imageblit reads the content of DP_PIX_WIDTH with the
bit DP_HOST_TRIPLE_EN set (from previous invocation), the driver would
never ever clear the bit, resulting in display corruption.

We don't want to wait for idle because it would degrade performance, so
this patch modifies the driver so that it never reads accelerator
registers.

HOST_CNTL doesn't have to be read, we can just write it with
HOST_BYTE_ALIGN because no other part of the driver cares if
HOST_BYTE_ALIGN is set.

DP_PIX_WIDTH is written in the functions atyfb_copyarea and atyfb_fillrect
with the default value and in atyfb_imageblit with the value set according
to the source image data.

Signed-off-by: Mikulas Patocka &lt;mpatocka@redhat.com&gt;
Reviewed-by: Ville Syrjälä &lt;syrjala@sci.fi&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Bartlomiej Zolnierkiewicz &lt;b.zolnierkie@samsung.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>mach64: fix display corruption on big endian machines</title>
<updated>2018-11-21T08:25:59+00:00</updated>
<author>
<name>Mikulas Patocka</name>
<email>mpatocka@redhat.com</email>
</author>
<published>2018-10-08T10:57:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6bd9b55243e6caafec1d245c475d6dc4d842e6c4'/>
<id>6bd9b55243e6caafec1d245c475d6dc4d842e6c4</id>
<content type='text'>
commit 3c6c6a7878d00a3ac997a779c5b9861ff25dfcc8 upstream.

The code for manual bit triple is not endian-clean. It builds the variable
"hostdword" using byte accesses, therefore we must read the variable with
"le32_to_cpu".

The patch also enables (hardware or software) bit triple only if the image
is monochrome (image-&gt;depth). If we want to blit full-color image, we
shouldn't use the triple code.

Signed-off-by: Mikulas Patocka &lt;mpatocka@redhat.com&gt;
Reviewed-by: Ville Syrjälä &lt;syrjala@sci.fi&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Bartlomiej Zolnierkiewicz &lt;b.zolnierkie@samsung.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 3c6c6a7878d00a3ac997a779c5b9861ff25dfcc8 upstream.

The code for manual bit triple is not endian-clean. It builds the variable
"hostdword" using byte accesses, therefore we must read the variable with
"le32_to_cpu".

The patch also enables (hardware or software) bit triple only if the image
is monochrome (image-&gt;depth). If we want to blit full-color image, we
shouldn't use the triple code.

Signed-off-by: Mikulas Patocka &lt;mpatocka@redhat.com&gt;
Reviewed-by: Ville Syrjälä &lt;syrjala@sci.fi&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Bartlomiej Zolnierkiewicz &lt;b.zolnierkie@samsung.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>efi/fb: Correct PCI_STD_RESOURCE_END usage</title>
<updated>2018-11-10T15:42:45+00:00</updated>
<author>
<name>Bjorn Helgaas</name>
<email>bhelgaas@google.com</email>
</author>
<published>2017-05-19T19:37:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2d4260b280d0c3666a3e5f348e83e85735678eb4'/>
<id>2d4260b280d0c3666a3e5f348e83e85735678eb4</id>
<content type='text'>
[ Upstream commit 92a16c86299c64f58f320e491977408ba31b8c3c ]

PCI_STD_RESOURCE_END is (confusingly) the index of the last valid BAR, not
the *number* of BARs.  To iterate through all possible BARs, we need to
include PCI_STD_RESOURCE_END.

Fixes: 55d728a40d36 ("efi/fb: Avoid reconfiguration of BAR that covers the framebuffer")
Signed-off-by: Bjorn Helgaas &lt;bhelgaas@google.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 92a16c86299c64f58f320e491977408ba31b8c3c ]

PCI_STD_RESOURCE_END is (confusingly) the index of the last valid BAR, not
the *number* of BARs.  To iterate through all possible BARs, we need to
include PCI_STD_RESOURCE_END.

Fixes: 55d728a40d36 ("efi/fb: Avoid reconfiguration of BAR that covers the framebuffer")
Signed-off-by: Bjorn Helgaas &lt;bhelgaas@google.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>pxa168fb: prepare the clock</title>
<updated>2018-11-10T15:42:43+00:00</updated>
<author>
<name>Lubomir Rintel</name>
<email>lkundrak@v3.sk</email>
</author>
<published>2018-09-26T16:11:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8641700477533c354d6733aeafc97f5ac5ca21e6'/>
<id>8641700477533c354d6733aeafc97f5ac5ca21e6</id>
<content type='text'>
[ Upstream commit d85536cde91fcfed6fb8d983783bd2b92c843939 ]

Add missing prepare/unprepare operations for fbi-&gt;clk,
this fixes following kernel warning:

  ------------[ cut here ]------------
  WARNING: CPU: 0 PID: 1 at drivers/clk/clk.c:874 clk_core_enable+0x2c/0x1b0
  Enabling unprepared disp0_clk
  Modules linked in:
  CPU: 0 PID: 1 Comm: swapper Not tainted 4.18.0-rc8-00032-g02b43ddd4f21-dirty #25
  Hardware name: Marvell MMP2 (Device Tree Support)
  [&lt;c010f7cc&gt;] (unwind_backtrace) from [&lt;c010cc6c&gt;] (show_stack+0x10/0x14)
  [&lt;c010cc6c&gt;] (show_stack) from [&lt;c011dab4&gt;] (__warn+0xd8/0xf0)
  [&lt;c011dab4&gt;] (__warn) from [&lt;c011db10&gt;] (warn_slowpath_fmt+0x44/0x6c)
  [&lt;c011db10&gt;] (warn_slowpath_fmt) from [&lt;c043898c&gt;] (clk_core_enable+0x2c/0x1b0)
  [&lt;c043898c&gt;] (clk_core_enable) from [&lt;c0439ec8&gt;] (clk_core_enable_lock+0x18/0x2c)
  [&lt;c0439ec8&gt;] (clk_core_enable_lock) from [&lt;c0436698&gt;] (pxa168fb_probe+0x464/0x6ac)
  [&lt;c0436698&gt;] (pxa168fb_probe) from [&lt;c04779a0&gt;] (platform_drv_probe+0x48/0x94)
  [&lt;c04779a0&gt;] (platform_drv_probe) from [&lt;c0475bec&gt;] (driver_probe_device+0x328/0x470)
  [&lt;c0475bec&gt;] (driver_probe_device) from [&lt;c0475de4&gt;] (__driver_attach+0xb0/0x124)
  [&lt;c0475de4&gt;] (__driver_attach) from [&lt;c0473c38&gt;] (bus_for_each_dev+0x64/0xa0)
  [&lt;c0473c38&gt;] (bus_for_each_dev) from [&lt;c0474ee0&gt;] (bus_add_driver+0x1b8/0x230)
  [&lt;c0474ee0&gt;] (bus_add_driver) from [&lt;c0476a20&gt;] (driver_register+0xac/0xf0)
  [&lt;c0476a20&gt;] (driver_register) from [&lt;c0102dd4&gt;] (do_one_initcall+0xb8/0x1f0)
  [&lt;c0102dd4&gt;] (do_one_initcall) from [&lt;c0b010a0&gt;] (kernel_init_freeable+0x294/0x2e0)
  [&lt;c0b010a0&gt;] (kernel_init_freeable) from [&lt;c07e9eb8&gt;] (kernel_init+0x8/0x10c)
  [&lt;c07e9eb8&gt;] (kernel_init) from [&lt;c01010e8&gt;] (ret_from_fork+0x14/0x2c)
  Exception stack(0xd008bfb0 to 0xd008bff8)
  bfa0:                                     00000000 00000000 00000000 00000000
  bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
  bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
  ---[ end trace c0af40f9e2ed7cb4 ]---

Signed-off-by: Lubomir Rintel &lt;lkundrak@v3.sk&gt;
[b.zolnierkie: enhance patch description a bit]
Signed-off-by: Bartlomiej Zolnierkiewicz &lt;b.zolnierkie@samsung.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit d85536cde91fcfed6fb8d983783bd2b92c843939 ]

Add missing prepare/unprepare operations for fbi-&gt;clk,
this fixes following kernel warning:

  ------------[ cut here ]------------
  WARNING: CPU: 0 PID: 1 at drivers/clk/clk.c:874 clk_core_enable+0x2c/0x1b0
  Enabling unprepared disp0_clk
  Modules linked in:
  CPU: 0 PID: 1 Comm: swapper Not tainted 4.18.0-rc8-00032-g02b43ddd4f21-dirty #25
  Hardware name: Marvell MMP2 (Device Tree Support)
  [&lt;c010f7cc&gt;] (unwind_backtrace) from [&lt;c010cc6c&gt;] (show_stack+0x10/0x14)
  [&lt;c010cc6c&gt;] (show_stack) from [&lt;c011dab4&gt;] (__warn+0xd8/0xf0)
  [&lt;c011dab4&gt;] (__warn) from [&lt;c011db10&gt;] (warn_slowpath_fmt+0x44/0x6c)
  [&lt;c011db10&gt;] (warn_slowpath_fmt) from [&lt;c043898c&gt;] (clk_core_enable+0x2c/0x1b0)
  [&lt;c043898c&gt;] (clk_core_enable) from [&lt;c0439ec8&gt;] (clk_core_enable_lock+0x18/0x2c)
  [&lt;c0439ec8&gt;] (clk_core_enable_lock) from [&lt;c0436698&gt;] (pxa168fb_probe+0x464/0x6ac)
  [&lt;c0436698&gt;] (pxa168fb_probe) from [&lt;c04779a0&gt;] (platform_drv_probe+0x48/0x94)
  [&lt;c04779a0&gt;] (platform_drv_probe) from [&lt;c0475bec&gt;] (driver_probe_device+0x328/0x470)
  [&lt;c0475bec&gt;] (driver_probe_device) from [&lt;c0475de4&gt;] (__driver_attach+0xb0/0x124)
  [&lt;c0475de4&gt;] (__driver_attach) from [&lt;c0473c38&gt;] (bus_for_each_dev+0x64/0xa0)
  [&lt;c0473c38&gt;] (bus_for_each_dev) from [&lt;c0474ee0&gt;] (bus_add_driver+0x1b8/0x230)
  [&lt;c0474ee0&gt;] (bus_add_driver) from [&lt;c0476a20&gt;] (driver_register+0xac/0xf0)
  [&lt;c0476a20&gt;] (driver_register) from [&lt;c0102dd4&gt;] (do_one_initcall+0xb8/0x1f0)
  [&lt;c0102dd4&gt;] (do_one_initcall) from [&lt;c0b010a0&gt;] (kernel_init_freeable+0x294/0x2e0)
  [&lt;c0b010a0&gt;] (kernel_init_freeable) from [&lt;c07e9eb8&gt;] (kernel_init+0x8/0x10c)
  [&lt;c07e9eb8&gt;] (kernel_init) from [&lt;c01010e8&gt;] (ret_from_fork+0x14/0x2c)
  Exception stack(0xd008bfb0 to 0xd008bff8)
  bfa0:                                     00000000 00000000 00000000 00000000
  bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
  bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
  ---[ end trace c0af40f9e2ed7cb4 ]---

Signed-off-by: Lubomir Rintel &lt;lkundrak@v3.sk&gt;
[b.zolnierkie: enhance patch description a bit]
Signed-off-by: Bartlomiej Zolnierkiewicz &lt;b.zolnierkie@samsung.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mach64: detect the dot clock divider correctly on sparc</title>
<updated>2018-10-18T07:13:21+00:00</updated>
<author>
<name>Mikulas Patocka</name>
<email>mpatocka@redhat.com</email>
</author>
<published>2018-08-17T19:19:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9f5095da2d8dd82a85974fbd4318bf8a0f9c0f32'/>
<id>9f5095da2d8dd82a85974fbd4318bf8a0f9c0f32</id>
<content type='text'>
commit 76ebebd2464c5c8a4453c98b6dbf9c95a599e810 upstream.

On Sun Ultra 5, it happens that the dot clock is not set up properly for
some videomodes. For example, if we set the videomode "r1024x768x60" in
the firmware, Linux would incorrectly set a videomode with refresh rate
180Hz when booting (suprisingly, my LCD monitor can display it, although
display quality is very low).

The reason is this: Older mach64 cards set the divider in the register
VCLK_POST_DIV. The register has four 2-bit fields (the field that is
actually used is specified in the lowest two bits of the register
CLOCK_CNTL). The 2 bits select divider "1, 2, 4, 8". On newer mach64 cards,
there's another bit added - the top four bits of PLL_EXT_CNTL extend the
divider selection, so we have possible dividers "1, 2, 4, 8, 3, 5, 6, 12".
The Linux driver clears the top four bits of PLL_EXT_CNTL and never sets
them, so it can work regardless if the card supports them. However, the
sparc64 firmware may set these extended dividers during boot - and the
mach64 driver detects incorrect dot clock in this case.

This patch makes the driver read the additional divider bit from
PLL_EXT_CNTL and calculate the initial refresh rate properly.

Signed-off-by: Mikulas Patocka &lt;mpatocka@redhat.com&gt;
Cc: stable@vger.kernel.org
Acked-by: David S. Miller &lt;davem@davemloft.net&gt;
Reviewed-by: Ville Syrjälä &lt;syrjala@sci.fi&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 76ebebd2464c5c8a4453c98b6dbf9c95a599e810 upstream.

On Sun Ultra 5, it happens that the dot clock is not set up properly for
some videomodes. For example, if we set the videomode "r1024x768x60" in
the firmware, Linux would incorrectly set a videomode with refresh rate
180Hz when booting (suprisingly, my LCD monitor can display it, although
display quality is very low).

The reason is this: Older mach64 cards set the divider in the register
VCLK_POST_DIV. The register has four 2-bit fields (the field that is
actually used is specified in the lowest two bits of the register
CLOCK_CNTL). The 2 bits select divider "1, 2, 4, 8". On newer mach64 cards,
there's another bit added - the top four bits of PLL_EXT_CNTL extend the
divider selection, so we have possible dividers "1, 2, 4, 8, 3, 5, 6, 12".
The Linux driver clears the top four bits of PLL_EXT_CNTL and never sets
them, so it can work regardless if the card supports them. However, the
sparc64 firmware may set these extended dividers during boot - and the
mach64 driver detects incorrect dot clock in this case.

This patch makes the driver read the additional divider bit from
PLL_EXT_CNTL and calculate the initial refresh rate properly.

Signed-off-by: Mikulas Patocka &lt;mpatocka@redhat.com&gt;
Cc: stable@vger.kernel.org
Acked-by: David S. Miller &lt;davem@davemloft.net&gt;
Reviewed-by: Ville Syrjälä &lt;syrjala@sci.fi&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>fbdev/omapfb: fix omapfb_memory_read infoleak</title>
<updated>2018-10-13T07:18:53+00:00</updated>
<author>
<name>Tomi Valkeinen</name>
<email>tomi.valkeinen@ti.com</email>
</author>
<published>2018-09-26T16:11:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=22feb4d4f4547a495b51c6a03c55989643ac712a'/>
<id>22feb4d4f4547a495b51c6a03c55989643ac712a</id>
<content type='text'>
commit 1bafcbf59fed92af58955024452f45430d3898c5 upstream.

OMAPFB_MEMORY_READ ioctl reads pixels from the LCD's memory and copies
them to a userspace buffer. The code has two issues:

- The user provided width and height could be large enough to overflow
  the calculations
- The copy_to_user() can copy uninitialized memory to the userspace,
  which might contain sensitive kernel information.

Fix these by limiting the width &amp; height parameters, and only copying
the amount of data that we actually received from the LCD.

Signed-off-by: Tomi Valkeinen &lt;tomi.valkeinen@ti.com&gt;
Reported-by: Jann Horn &lt;jannh@google.com&gt;
Cc: stable@vger.kernel.org
Cc: security@kernel.org
Cc: Will Deacon &lt;will.deacon@arm.com&gt;
Cc: Jann Horn &lt;jannh@google.com&gt;
Cc: Tony Lindgren &lt;tony@atomide.com&gt;
Signed-off-by: Bartlomiej Zolnierkiewicz &lt;b.zolnierkie@samsung.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 1bafcbf59fed92af58955024452f45430d3898c5 upstream.

OMAPFB_MEMORY_READ ioctl reads pixels from the LCD's memory and copies
them to a userspace buffer. The code has two issues:

- The user provided width and height could be large enough to overflow
  the calculations
- The copy_to_user() can copy uninitialized memory to the userspace,
  which might contain sensitive kernel information.

Fix these by limiting the width &amp; height parameters, and only copying
the amount of data that we actually received from the LCD.

Signed-off-by: Tomi Valkeinen &lt;tomi.valkeinen@ti.com&gt;
Reported-by: Jann Horn &lt;jannh@google.com&gt;
Cc: stable@vger.kernel.org
Cc: security@kernel.org
Cc: Will Deacon &lt;will.deacon@arm.com&gt;
Cc: Jann Horn &lt;jannh@google.com&gt;
Cc: Tony Lindgren &lt;tony@atomide.com&gt;
Signed-off-by: Bartlomiej Zolnierkiewicz &lt;b.zolnierkie@samsung.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
</feed>
