From d8636a2717bb3da2a7ce2154bf08de90bb8c87b0 Mon Sep 17 00:00:00 2001 From: Dave Airlie Date: Tue, 21 Aug 2012 16:29:47 +1000 Subject: fbcon: fix race condition between console lock and cursor timer (v1.1) So we've had a fair few reports of fbcon handover breakage between efi/vesafb and i915 surface recently, so I dedicated a couple of days to finding the problem. Essentially the last thing we saw was the conflicting framebuffer message and that was all. So after much tracing with direct netconsole writes (printks under console_lock not so useful), I think I found the race. Thread A (driver load) Thread B (timer thread) unbind_con_driver -> | bind_con_driver -> | vc->vc_sw->con_deinit -> | fbcon_deinit -> | console_lock() | | | | fbcon_flashcursor timer fires | console_lock() <- blocked for A | | fbcon_del_cursor_timer -> del_timer_sync (BOOM) Of course because all of this is under the console lock, we never see anything, also since we also just unbound the active console guess what we never see anything. Hopefully this fixes the problem for anyone seeing vesafb->kms driver handoff. v1.1: add comment suggestion from Alan. Cc: stable@vger.kernel.org Signed-off-by: Dave Airlie --- drivers/video/console/fbcon.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'drivers/video') diff --git a/drivers/video/console/fbcon.c b/drivers/video/console/fbcon.c index 2e471c22abf..88e92041d8f 100644 --- a/drivers/video/console/fbcon.c +++ b/drivers/video/console/fbcon.c @@ -372,8 +372,15 @@ static void fb_flashcursor(struct work_struct *work) struct vc_data *vc = NULL; int c; int mode; + int ret; + + /* FIXME: we should sort out the unbind locking instead */ + /* instead we just fail to flash the cursor if we can't get + * the lock instead of blocking fbcon deinit */ + ret = console_trylock(); + if (ret == 0) + return; - console_lock(); if (ops && ops->currcon != -1) vc = vc_cons[ops->currcon].d; -- cgit v1.2.2 From e432964a3c5ce517fd93101ae3875172ee958b65 Mon Sep 17 00:00:00 2001 From: Paul Cercueil Date: Tue, 24 Jul 2012 03:00:24 +0200 Subject: fbcon: prevent possible buffer overflow. Signed-off-by: Paul Cercueil Signed-off-by: Florian Tobias Schandinat --- drivers/video/console/fbcon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/video') diff --git a/drivers/video/console/fbcon.c b/drivers/video/console/fbcon.c index 88e92041d8f..fdefa8fd72c 100644 --- a/drivers/video/console/fbcon.c +++ b/drivers/video/console/fbcon.c @@ -449,7 +449,7 @@ static int __init fb_console_setup(char *this_opt) while ((options = strsep(&this_opt, ",")) != NULL) { if (!strncmp(options, "font:", 5)) - strcpy(fontname, options + 5); + strlcpy(fontname, options + 5, sizeof(fontname)); if (!strncmp(options, "scrollback:", 11)) { options += 11; -- cgit v1.2.2 From 72caa5fb948ef818fe1332848e9c61b10687ce7a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bruno=20Pr=C3=A9mont?= Date: Mon, 30 Jul 2012 21:09:49 +0200 Subject: fbcon: Fix bit_putcs() call to kmalloc(s, GFP_KERNEL) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Switch to kmalloc(,GFP_ATOMIC) in bit_putcs to fix below trace: [ 9.771812] BUG: sleeping function called from invalid context at /usr/src/linux-git/mm/slub.c:943 [ 9.771814] in_atomic(): 1, irqs_disabled(): 1, pid: 1063, name: mount [ 9.771818] Pid: 1063, comm: mount Not tainted 3.5.0-jupiter-00003-g8d858b1-dirty #2 [ 9.771819] Call Trace: [ 9.771838] [] __might_sleep+0xcb/0xe0 [ 9.771844] [] __kmalloc+0xb4/0x1c0 [ 9.771851] [] ? queue_work+0x1a/0x30 [ 9.771854] [] ? queue_delayed_work+0xf/0x30 [ 9.771862] [] ? bit_putcs+0xf2/0x3e0 [ 9.771865] [] ? schedule_delayed_work+0x11/0x20 [ 9.771868] [] bit_putcs+0xf2/0x3e0 [ 9.771875] [] ? get_color.clone.14+0x28/0x100 [ 9.771878] [] fbcon_putcs+0x11f/0x130 [ 9.771882] [] ? bit_clear+0xe0/0xe0 [ 9.771885] [] fbcon_redraw.clone.21+0x11d/0x160 [ 9.771889] [] fbcon_scroll+0x79d/0xe10 [ 9.771892] [] ? get_color.clone.14+0x28/0x100 [ 9.771897] [] scrup+0x64/0xd0 [ 9.771900] [] lf+0x2b/0x60 [ 9.771903] [] vt_console_print+0x1d5/0x2f0 [ 9.771907] [] ? register_vt_notifier+0x20/0x20 [ 9.771913] [] call_console_drivers.clone.5+0xa5/0xc0 [ 9.771916] [] console_unlock+0x2fe/0x3c0 [ 9.771920] [] vprintk_emit+0x2e6/0x300 [ 9.771924] [] printk+0x38/0x3a [ 9.771931] [] reiserfs_remount+0x2ae/0x3e0 [ 9.771934] [] ? reiserfs_fill_super+0xb00/0xb00 [ 9.771939] [] do_remount_sb+0xab/0x150 [ 9.771943] [] ? ns_capable+0x46/0x70 [ 9.771948] [] do_mount+0x20c/0x6b0 [ 9.771955] [] ? strndup_user+0x34/0x50 [ 9.771958] [] sys_mount+0x6c/0xa0 [ 9.771964] [] sysenter_do_call+0x12/0x26 According to comment in bit_putcs() that kammloc() call only happens when fbcon is drawing to a monochrome framebuffer (which is my case with hid-picolcd). Signed-off-by: Bruno Prémont Signed-off-by: Florian Tobias Schandinat --- drivers/video/console/bitblit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/video') diff --git a/drivers/video/console/bitblit.c b/drivers/video/console/bitblit.c index 28b1a834906..61b182bf32a 100644 --- a/drivers/video/console/bitblit.c +++ b/drivers/video/console/bitblit.c @@ -162,7 +162,7 @@ static void bit_putcs(struct vc_data *vc, struct fb_info *info, image.depth = 1; if (attribute) { - buf = kmalloc(cellsize, GFP_KERNEL); + buf = kmalloc(cellsize, GFP_ATOMIC); if (!buf) return; } -- cgit v1.2.2 From 01817d194a5c078696ac4a31b5d8b99a6a9e40c7 Mon Sep 17 00:00:00 2001 From: Julia Lawall Date: Sat, 4 Aug 2012 14:00:30 +0200 Subject: drivers/video/auo_k190x.c: drop kfree of devm_kzalloc's data Using kfree to free data allocated with devm_kzalloc causes double frees. The semantic patch that fixes this problem is as follows: (http://coccinelle.lip6.fr/) // @@ expression x; @@ x = devm_kzalloc(...) ... ?-kfree(x); // Signed-off-by: Julia Lawall Signed-off-by: Florian Tobias Schandinat --- drivers/video/auo_k190x.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'drivers/video') diff --git a/drivers/video/auo_k190x.c b/drivers/video/auo_k190x.c index 77da6a2f43d..c03ecdd31e4 100644 --- a/drivers/video/auo_k190x.c +++ b/drivers/video/auo_k190x.c @@ -987,7 +987,6 @@ err_regfb: fb_dealloc_cmap(&info->cmap); err_cmap: fb_deferred_io_cleanup(info); - kfree(info->fbdefio); err_defio: vfree((void *)info->screen_base); err_irq: @@ -1022,7 +1021,6 @@ int __devexit auok190x_common_remove(struct platform_device *pdev) fb_dealloc_cmap(&info->cmap); fb_deferred_io_cleanup(info); - kfree(info->fbdefio); vfree((void *)info->screen_base); -- cgit v1.2.2 From 25682362564fa0c950d9afe798def2ec9c3676a2 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Sat, 18 Aug 2012 18:55:41 +0300 Subject: video: mb862xxfb: prevent divide by zero bug Do a sanity check on these before using them as divisors. Signed-off-by: Dan Carpenter Acked-by: Anatolij Gustschin Signed-off-by: Florian Tobias Schandinat --- drivers/video/mb862xx/mb862xxfbdrv.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'drivers/video') diff --git a/drivers/video/mb862xx/mb862xxfbdrv.c b/drivers/video/mb862xx/mb862xxfbdrv.c index 00ce1f34b49..57d940be5f3 100644 --- a/drivers/video/mb862xx/mb862xxfbdrv.c +++ b/drivers/video/mb862xx/mb862xxfbdrv.c @@ -328,6 +328,8 @@ static int mb862xxfb_ioctl(struct fb_info *fbi, unsigned int cmd, case MB862XX_L1_SET_CFG: if (copy_from_user(l1_cfg, argp, sizeof(*l1_cfg))) return -EFAULT; + if (l1_cfg->dh == 0 || l1_cfg->dw == 0) + return -EINVAL; if ((l1_cfg->sw >= l1_cfg->dw) && (l1_cfg->sh >= l1_cfg->dh)) { /* downscaling */ outreg(cap, GC_CAP_CSC, -- cgit v1.2.2 From 35d678664873041026171b4b5e1cec49299e33a0 Mon Sep 17 00:00:00 2001 From: Tomi Valkeinen Date: Tue, 21 Aug 2012 09:09:47 +0300 Subject: OMAPDSS: Fix SDI PLL locking Commit f476ae9dab3234532d41d36beb4ba7be838fa786 (OMAPDSS: APPLY: Remove DISPC writes to manager's lcd parameters in interface) broke the SDI output, as it causes the SDI PLL locking to fail. LCLK and PCLK divisors are located in shadow registers, and we normally write them to DISPC registers when enabling the output. However, SDI uses pck-free as source clock for its PLL, and pck-free is affected by the divisors. And as we need the PLL before enabling the output, we need to write the divisors early. It seems just writing to the DISPC register is enough, and we don't need to care about the shadow register mechanism for pck-free. The exact reason for this is unknown. Signed-off-by: Tomi Valkeinen Reported-by: Aaro Koskinen Signed-off-by: Florian Tobias Schandinat --- drivers/video/omap2/dss/sdi.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'drivers/video') diff --git a/drivers/video/omap2/dss/sdi.c b/drivers/video/omap2/dss/sdi.c index 5d31699fbd3..f43bfe17b3b 100644 --- a/drivers/video/omap2/dss/sdi.c +++ b/drivers/video/omap2/dss/sdi.c @@ -105,6 +105,20 @@ int omapdss_sdi_display_enable(struct omap_dss_device *dssdev) sdi_config_lcd_manager(dssdev); + /* + * LCLK and PCLK divisors are located in shadow registers, and we + * normally write them to DISPC registers when enabling the output. + * However, SDI uses pck-free as source clock for its PLL, and pck-free + * is affected by the divisors. And as we need the PLL before enabling + * the output, we need to write the divisors early. + * + * It seems just writing to the DISPC register is enough, and we don't + * need to care about the shadow register mechanism for pck-free. The + * exact reason for this is unknown. + */ + dispc_mgr_set_clock_div(dssdev->manager->id, + &sdi.mgr_config.clock_info); + dss_sdi_init(dssdev->phy.sdi.datapairs); r = dss_sdi_enable(); if (r) -- cgit v1.2.2 From c1c52848cef52e157468b8879fc3cae23b6f3a99 Mon Sep 17 00:00:00 2001 From: Grazvydas Ignotas Date: Tue, 21 Aug 2012 09:09:48 +0300 Subject: OMAPFB: fix framebuffer console colors omapfb does not currently set pseudo palette correctly for color depths above 16bpp, making red text invisible, command like echo -e '\e[0;31mRED' > /dev/tty1 will display nothing on framebuffer console in 24bpp mode. This is because temporary variable is declared incorrectly, fix it. Signed-off-by: Grazvydas Ignotas Cc: stable@vger.kernel.org # v3.x Signed-off-by: Tomi Valkeinen Signed-off-by: Florian Tobias Schandinat --- drivers/video/omap2/omapfb/omapfb-main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/video') diff --git a/drivers/video/omap2/omapfb/omapfb-main.c b/drivers/video/omap2/omapfb/omapfb-main.c index 08ec1a7103f..fc671d3d800 100644 --- a/drivers/video/omap2/omapfb/omapfb-main.c +++ b/drivers/video/omap2/omapfb/omapfb-main.c @@ -1192,7 +1192,7 @@ static int _setcolreg(struct fb_info *fbi, u_int regno, u_int red, u_int green, break; if (regno < 16) { - u16 pal; + u32 pal; pal = ((red >> (16 - var->red.length)) << var->red.offset) | ((green >> (16 - var->green.length)) << -- cgit v1.2.2