user/sven/linux.git/drivers/video/fbdev, branch v5.15.81 Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v5.15.81 2022-11-10T17:15:32Z fbdev: stifb: Fall back to cfb_fillrect() on 32-bit HCRX cards 2022-11-10T17:15:32Z Helge Deller deller@gmx.de 2022-10-14T18:01:17Z urn:sha1:2f07635876bdbf8591c508b3793efebea2e73ee5 [ Upstream commit 776d875fd4cbb3884860ea7f63c3958f02b0c80e ] When the text console is scrolling text upwards it calls the fillrect() function to empty the new line. The current implementation doesn't seem to work correctly on HCRX cards in 32-bit mode and leave garbage in that line instead. Fix it by falling back to standard cfb_fillrect() in that case. Signed-off-by: Helge Deller <deller@gmx.de> Cc: <stable@vger.kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> video/fbdev/stifb: Implement the stifb_fillrect() function 2022-11-10T17:15:32Z Helge Deller deller@gmx.de 2022-01-13T15:35:53Z urn:sha1:154934c74f976b8d35820e8f53a0c2800d651dd0 [ Upstream commit 9c379c65241707e44072139d782bc2dfec9b4ab3 ] The stifb driver (for Artist/HCRX graphics on PA-RISC) was missing the fillrect function. Tested on a 715/64 PA-RISC machine and in qemu. Signed-off-by: Helge Deller <deller@gmx.de> Stable-dep-of: 776d875fd4cb ("fbdev: stifb: Fall back to cfb_fillrect() on 32-bit HCRX cards") Signed-off-by: Sasha Levin <sashal@kernel.org> fbdev: smscufx: Fix several use-after-free bugs 2022-11-03T14:59:12Z Hyunwoo Kim imv4bel@gmail.com 2022-10-21T01:15:44Z urn:sha1:cc6a7249842fceda7574ceb63275a2d5e99d2862 commit cc67482c9e5f2c80d62f623bcc347c29f9f648e1 upstream. Several types of UAFs can occur when physically removing a USB device. Adds ufx_ops_destroy() function to .fb_destroy of fb_ops, and in this function, there is kref_put() that finally calls ufx_free(). This fix prevents multiple UAFs. Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com> Link: https://lore.kernel.org/linux-fbdev/20221011153436.GA4446@ubuntu/ Cc: <stable@vger.kernel.org> Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> fbdev: smscufx: Fix use-after-free in ufx_ops_open() 2022-10-26T10:34:26Z Hyunwoo Kim imv4bel@gmail.com 2022-09-25T13:32:43Z urn:sha1:2b0897e33682a332167b7d355eec28693b62119e commit 5610bcfe8693c02e2e4c8b31427f1bdbdecc839c upstream. A race condition may occur if the user physically removes the USB device while calling open() for this device node. This is a race condition between the ufx_ops_open() function and the ufx_usb_disconnect() function, which may eventually result in UAF. So, add a mutex to the ufx_ops_open() and ufx_usb_disconnect() functions to avoid race contidion of krefs. Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> parisc: fbdev/stifb: Align graphics memory size to 4MB 2022-10-26T10:34:22Z Helge Deller deller@gmx.de 2022-10-14T08:13:55Z urn:sha1:af3aaee08df8127422e03e5e1291f91cbb5d4f09 commit aca7c13d3bee81a968337a5515411409ae9d095d upstream. Independend of the current graphics resolution, adjust the reported graphics card memory size to the next 4MB boundary. This fixes the fbtest program which expects a naturally aligned size. Signed-off-by: Helge Deller <deller@gmx.de> Cc: <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write 2022-09-23T12:15:51Z Hyunwoo Kim imv4bel@gmail.com 2022-06-20T14:17:46Z urn:sha1:ab5140c6ddd7473509e12f468948de91138b124e [ Upstream commit a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7 ] In pxa3xx_gcu_write, a count parameter of type size_t is passed to words of type int. Then, copy_from_user() may cause a heap overflow because it is used as the third argument of copy_from_user(). Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com> Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Sasha Levin <sashal@kernel.org> video: fbdev: i740fb: Error out if 'pixclock' equals zero 2022-09-23T12:15:49Z Zheyu Ma zheyuma97@gmail.com 2022-04-04T08:47:17Z urn:sha1:59b756da49bfa51a00a0b58b4147ce2652bc3d28 commit 15cf0b82271b1823fb02ab8c377badba614d95d5 upstream. The userspace program could pass any values to the driver through ioctl() interface. If the driver doesn't check the value of 'pixclock', it may cause divide error. Fix this by checking whether 'pixclock' is zero in the function i740fb_check_var(). The following log reveals it: divide error: 0000 [#1] PREEMPT SMP KASAN PTI RIP: 0010:i740fb_decode_var drivers/video/fbdev/i740fb.c:444 [inline] RIP: 0010:i740fb_set_par+0x272f/0x3bb0 drivers/video/fbdev/i740fb.c:739 Call Trace: fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1036 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1112 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1191 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] Signed-off-by: Zheyu Ma <zheyuma97@gmail.com> Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> fbdev: chipsfb: Add missing pci_disable_device() in chipsfb_pci_init() 2022-09-15T09:30:01Z Yang Yingliang yangyingliang@huawei.com 2022-08-19T08:57:52Z urn:sha1:fc5a2a9616f38d4c3fe49d196ea5827ced80a3a7 [ Upstream commit 07c55c9803dea748d17a054000cbf1913ce06399 ] Add missing pci_disable_device() in error path in chipsfb_pci_init(). Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Sasha Levin <sashal@kernel.org> fbdev: fbcon: Destroy mutex on freeing struct fb_info 2022-09-15T09:30:01Z Shigeru Yoshida syoshida@redhat.com 2022-08-21T11:17:31Z urn:sha1:c3abfd6ce2f3833151a4501e80a48f824b3b5f4d [ Upstream commit 58559dfc1ebba2ae0c7627dc8f8991ae1984c6e3 ] It's needed to destroy bl_curve_mutex on freeing struct fb_info since the mutex is embedded in the structure and initialized when it's allocated. Signed-off-by: Shigeru Yoshida <syoshida@redhat.com> Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Sasha Levin <sashal@kernel.org> fbdev: fb_pm2fb: Avoid potential divide by zero error 2022-09-05T08:30:07Z Letu Ren fantasquex@gmail.com 2022-08-18T10:44:24Z urn:sha1:34c3dea1189525cd533071ed5c176fc4ea8d982b commit 19f953e7435644b81332dd632ba1b2d80b1e37af upstream. In `do_fb_ioctl()` of fbmem.c, if cmd is FBIOPUT_VSCREENINFO, var will be copied from user, then go through `fb_set_var()` and `info->fbops->fb_check_var()` which could may be `pm2fb_check_var()`. Along the path, `var->pixclock` won't be modified. This function checks whether reciprocal of `var->pixclock` is too high. If `var->pixclock` is zero, there will be a divide by zero error. So, it is necessary to check whether denominator is zero to avoid crash. As this bug is found by Syzkaller, logs are listed below. divide error in pm2fb_check_var Call Trace: <TASK> fb_set_var+0x367/0xeb0 drivers/video/fbdev/core/fbmem.c:1015 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189 Reported-by: Zheyu Ma <zheyuma97@gmail.com> Signed-off-by: Letu Ren <fantasquex@gmail.com> Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>