Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.6.39 2024-06-12T09:11:56+00:00 2024-06-12T09:11:56+00:00 Tony Lindgren tony@atomide.com 2024-02-28T06:35:32+00:00 urn:sha1:5fdc39e02494e1eaddd816a03e02716e4fc462fb [ Upstream commit 01c0cce88c5480cc2505b79330246ef12eda938f ] Commit 95da53d63dcf ("drm/omapdrm: Use regular fbdev I/O helpers") stopped console from updating for command mode displays because there is no damage handling in fb_sys_write() unlike we had earlier in drm_fb_helper_sys_write(). Let's fix the issue by adding FB_GEN_DEFAULT_DEFERRED_DMAMEM_OPS and FB_DMAMEM_HELPERS_DEFERRED as suggested by Thomas. We cannot use the FB_DEFAULT_DEFERRED_OPS as fb_deferred_io_mmap() won't work properly for write-combine. Fixes: 95da53d63dcf ("drm/omapdrm: Use regular fbdev I/O helpers") Suggested-by: Thomas Zimmermann <tzimmermann@suse.de> Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de> Signed-off-by: Tony Lindgren <tony@atomide.com> Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240228063540.4444-3-tony@atomide.com Signed-off-by: Sasha Levin <sashal@kernel.org> 2024-06-12T09:11:56+00:00 Thomas Zimmermann tzimmermann@suse.de 2023-09-27T07:26:34+00:00 urn:sha1:c00e8fd749502c02085534c60b1edca4fc479c91 [ Upstream commit 6b180f66c0dd6266eeb2f74b59ee79a9f14fe430 ] Provide helpers for accessing I/O memory in a helper module. The fbdev core uses these helpers, so select the module unconditionally for fbdev. Drivers will later be able to select the module individually and the helpers will become optional. Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de> Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> Link: https://patchwork.freedesktop.org/patch/msgid/20230927074722.6197-2-tzimmermann@suse.de Stable-dep-of: 01c0cce88c54 ("drm/omapdrm: Fix console with deferred ops") Signed-off-by: Sasha Levin <sashal@kernel.org> 2024-05-02T14:32:46+00:00 Nam Cao namcao@linutronix.de 2024-04-23T11:50:53+00:00 urn:sha1:8986ea3539566a19cb98eeb757fda9182c2a7902 commit 78d9161d2bcd442d93d917339297ffa057dbee8c upstream. With deferred IO enabled, a page fault happens when data is written to the framebuffer device. Then driver determines which page is being updated by calculating the offset of the written virtual address within the virtual memory area, and uses this offset to get the updated page within the internal buffer. This page is later copied to hardware (thus the name "deferred IO"). This offset calculation is only correct if the virtual memory area is mapped to the beginning of the internal buffer. Otherwise this is wrong. For example, if users do: mmap(ptr, 4096, PROT_WRITE, MAP_FIXED | MAP_SHARED, fd, 0xff000); Then the virtual memory area will mapped at offset 0xff000 within the internal buffer. This offset 0xff000 is not accounted for, and wrong page is updated. Correct the calculation by using vmf->pgoff instead. With this change, the variable "offset" will no longer hold the exact offset value, but it is rounded down to multiples of PAGE_SIZE. But this is still correct, because this variable is only used to calculate the page offset. Reported-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> Closes: https://lore.kernel.org/linux-fbdev/271372d6-e665-4e7f-b088-dee5f4ab341a@oracle.com Fixes: 56c134f7f1b5 ("fbdev: Track deferred-I/O pages in pageref struct") Cc: <stable@vger.kernel.org> Signed-off-by: Nam Cao <namcao@linutronix.de> Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de> Tested-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de> Link: https://patchwork.freedesktop.org/patch/msgid/20240423115053.4490-1-namcao@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-04-13T11:07:40+00:00 Roman Smirnov r.smirnov@omp.ru 2024-03-19T08:13:44+00:00 urn:sha1:3d4b909704bf2114f64f87363fa22b5ef8ac4a33 [ Upstream commit c2d953276b8b27459baed1277a4fdd5dd9bd4126 ] The expression htotal * vtotal can have a zero value on overflow. It is necessary to prevent division by zero like in fb_var_to_videomode(). Found by Linux Verification Center (linuxtesting.org) with Svace. Signed-off-by: Roman Smirnov <r.smirnov@omp.ru> Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru> Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Sasha Levin <sashal@kernel.org> 2024-03-06T14:48:38+00:00 Jiri Slaby (SUSE) jirislaby@kernel.org 2024-02-08T11:44:11+00:00 urn:sha1:73a6bd68a1342f3a44cac9dffad81ad6a003e520 [ Upstream commit 00d6a284fcf3fad1b7e1b5bc3cd87cbfb60ce03f ] Commit a5a923038d70 (fbdev: fbcon: Properly revert changes when vc_resize() failed) started restoring old font data upon failure (of vc_resize()). But it performs so only for user fonts. It means that the "system"/internal fonts are not restored at all. So in result, the very first call to fbcon_do_set_font() performs no restore at all upon failing vc_resize(). This can be reproduced by Syzkaller to crash the system on the next invocation of font_get(). It's rather hard to hit the allocation failure in vc_resize() on the first font_set(), but not impossible. Esp. if fault injection is used to aid the execution/failure. It was demonstrated by Sirius: BUG: unable to handle page fault for address: fffffffffffffff8 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286 Call Trace: <TASK> con_font_get drivers/tty/vt/vt.c:4558 [inline] con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline] vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752 tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803 vfs_ioctl fs/ioctl.c:51 [inline] ... So restore the font data in any case, not only for user fonts. Note the later 'if' is now protected by 'old_userfont' and not 'old_data' as the latter is always set now. (And it is supposed to be non-NULL. Otherwise we would see the bug above again.) Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org> Fixes: a5a923038d70 ("fbdev: fbcon: Properly revert changes when vc_resize() failed") Reported-and-tested-by: Ubisectech Sirius <bugreport@ubisectech.com> Cc: Ubisectech Sirius <bugreport@ubisectech.com> Cc: Daniel Vetter <daniel@ffwll.ch> Cc: Helge Deller <deller@gmx.de> Cc: linux-fbdev@vger.kernel.org Cc: dri-devel@lists.freedesktop.org Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: https://patchwork.freedesktop.org/patch/msgid/20240208114411.14604-1-jirislaby@kernel.org Signed-off-by: Sasha Levin <sashal@kernel.org> 2024-01-25T23:35:45+00:00 Nam Cao namcao@linutronix.de 2023-12-18T09:57:31+00:00 urn:sha1:2db6388d8a7f315ec8dddcf7f21632efb2703cb9 commit 33cd6ea9c0673517cdb06ad5c915c6f22e9615fc upstream. When framebuffer gets closed, the queued deferred IO gets cancelled. This can cause some last display data to vanish. This is problematic for users who send a still image to the framebuffer, then close the file: the image may never appear. To ensure none of display data get lost, flush the queued deferred IO first before closing. Another possible solution is to delete the cancel_delayed_work_sync() instead. The difference is that the display may appear some time after closing. However, the clearing of page mapping after this needs to be removed too, because the page mapping is used by the deferred work. It is not completely obvious whether it is okay to not clear the page mapping. For a patch intended for stable trees, go with the simple and obvious solution. Fixes: 60b59beafba8 ("fbdev: mm: Deferred IO support") Cc: stable@vger.kernel.org Signed-off-by: Nam Cao <namcao@linutronix.de> Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-01-25T23:35:45+00:00 Nam Cao namcao@linutronix.de 2023-12-18T09:57:30+00:00 urn:sha1:1e3b051e971475219980e9a8698cbe8e39a09c88 commit 15e4c1f462279b4e128f27de48133e0debe9e0df upstream. The driver's fsync() is supposed to flush any pending operation to hardware. It is implemented in this driver by cancelling the queued deferred IO first, then schedule it for "immediate execution" by calling schedule_delayed_work() again with delay=0. However, setting delay=0 only means the work is scheduled immediately, it does not mean the work is executed immediately. There is no guarantee that the work is finished after schedule_delayed_work() returns. After this driver's fsync() returns, there can still be pending work. Furthermore, if close() is called by users immediately after fsync(), the pending work gets cancelled and fsync() may do nothing. To ensure that the deferred IO completes, use flush_delayed_work() instead. Write operations to this driver either write to the device directly, or invoke schedule_delayed_work(); so by flushing the workqueue, it can be guaranteed that all previous writes make it to the device. Fixes: 5e841b88d23d ("fb: fsync() method for deferred I/O flush.") Cc: stable@vger.kernel.org Signed-off-by: Nam Cao <namcao@linutronix.de> Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-10-18T00:14:22+00:00 Linus Torvalds torvalds@linux-foundation.org 2023-10-18T00:14:22+00:00 urn:sha1:06dc10eae55b5ceabfef287a7e5f16ceea204aa0 Pull fbdev fixes and cleanups from Helge Deller: "Various minor fixes, cleanups and annotations for atyfb, sa1100fb, omapfb, uvesafb and mmp" * tag 'fbdev-for-6.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev: fbdev: core: syscopyarea: fix sloppy typing fbdev: core: cfbcopyarea: fix sloppy typing fbdev: uvesafb: Call cn_del_callback() at the end of uvesafb_exit() fbdev: uvesafb: Remove uvesafb_exec() prototype from include/video/uvesafb.h fbdev: sa1100fb: mark sa1100fb_init() static fbdev: omapfb: fix some error codes fbdev: atyfb: only use ioremap_uc() on i386 and ia64 fbdev: mmp: Annotate struct mmp_path with __counted_by fbdev: mmp: Annotate struct mmphw_ctrl with __counted_by 2023-10-16T21:22:53+00:00 Sergey Shtylyov s.shtylyov@omp.ru 2023-10-13T20:50:24+00:00 urn:sha1:e8e4a470b677511f9d1ad4f3cef32adc1d9a60ca In sys_copyarea(), the local variable bits_per_line is needlessly typed as *unsigned long* -- which is a 32-bit type on the 32-bit arches and a 64-bit type on the 64-bit arches; that variable's value is derived from the __u32 typed fb_fix_screeninfo::line_length field (multiplied by 8u) and a 32-bit *unsigned int* type should still be enough to store the # of bits per line. Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool. Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru> Signed-off-by: Helge Deller <deller@gmx.de> 2023-10-16T21:22:53+00:00 Sergey Shtylyov s.shtylyov@omp.ru 2023-10-13T20:50:23+00:00 urn:sha1:7f33df94cf0156f64eee9509bd9b4a178990f613 In cfb_copyarea(), the local variable bits_per_line is needlessly typed as *unsigned long* -- which is a 32-bit type on the 32-bit arches and a 64-bit type on the 64-bit arches; that variable's value is derived from the __u32 typed fb_fix_screeninfo::line_length field (multiplied by 8u) and a 32-bit *unsigned int* type should still be enough to store the # of bits per line. Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool. Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru> Signed-off-by: Helge Deller <deller@gmx.de>