4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 26 Jan 2017 15:40:18 +0000 (16:40 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 26 Jan 2017 15:40:18 +0000 (16:40 +0100)
added patches:
drm-fix-broken-vt-switch-with-video-1366x768-option.patch
fbdev-color-map-copying-bounds-checking.patch
tile-ptrace-preserve-previous-registers-for-short-regset-write.patch

queue-4.4/drm-fix-broken-vt-switch-with-video-1366x768-option.patch [new file with mode: 0644]
queue-4.4/fbdev-color-map-copying-bounds-checking.patch [new file with mode: 0644]
queue-4.4/tile-ptrace-preserve-previous-registers-for-short-regset-write.patch [new file with mode: 0644]

diff --git a/queue-4.4/drm-fix-broken-vt-switch-with-video-1366x768-option.patch b/queue-4.4/drm-fix-broken-vt-switch-with-video-1366x768-option.patch
new file mode 100644 (file)
index 0000000..2334df6
--- /dev/null
@@ -0,0 +1,71 @@
+From fdf35a6b22247746a7053fc764d04218a9306f82 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 9 Jan 2017 15:56:14 +0100
+Subject: drm: Fix broken VT switch with video=1366x768 option
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit fdf35a6b22247746a7053fc764d04218a9306f82 upstream.
+
+I noticed that the VT switch doesn't work any longer with a Dell
+laptop with 1366x768 eDP when the machine is connected with a DP
+monitor.  It behaves as if VT were switched, but the graphics remain
+frozen.  Actually the keyboard works, so I could switch back to VT7
+again.
+
+I tried to track down the problem, and encountered a long story until
+we reach to this error:
+
+- The machine is booted with video=1366x768 option (the distro
+  installer seems to add it as default).
+- Recently, drm_helper_probe_single_connector_modes() deals with
+  cmdline modes, and it tries to create a new mode when no
+  matching mode is found.
+- The drm_mode_create_from_cmdline_mode() creates a mode based on
+  either CVT of GFT according to the given cmdline mode; in our case,
+  it's 1366x768.
+- Since both CVT and GFT can't express the width 1366 due to
+  alignment, the resultant mode becomes 1368x768, slightly larger than
+  the given size.
+- Later on, the atomic commit is performed, and in
+  drm_atomic_check_only(), the size of each plane is checked.
+- The size check of 1366x768 fails due to the above, and eventually
+  the whole VT switch fails.
+
+Back in the history, we've had a manual fix-up of 1368x768 in various
+places via c09dedb7a50e ("drm/edid: Add a workaround for 1366x768 HD
+panel"), but they have been all in drm_edid.c at probing the modes
+from EDID.  For addressing the problem above, we need a similar hack
+to the mode newly created from cmdline, manually adjusting the width
+when the expected size is 1366 while we get 1368 instead.
+
+Fixes: eaf99c749d43 ("drm: Perform cmdline mode parsing during...")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: http://patchwork.freedesktop.org/patch/msgid/20170109145614.29454-1-tiwai@suse.de
+Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_modes.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/gpu/drm/drm_modes.c
++++ b/drivers/gpu/drm/drm_modes.c
+@@ -1401,6 +1401,13 @@ drm_mode_create_from_cmdline_mode(struct
+               return NULL;
+       mode->type |= DRM_MODE_TYPE_USERDEF;
++      /* fix up 1368x768: GFT/CVT can't express 1366 width due to alignment */
++      if (cmd->xres == 1366 && mode->hdisplay == 1368) {
++              mode->hdisplay = 1366;
++              mode->hsync_start--;
++              mode->hsync_end--;
++              drm_mode_set_name(mode);
++      }
+       drm_mode_set_crtcinfo(mode, CRTC_INTERLACE_HALVE_V);
+       return mode;
+ }
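Review bot: The fix-up added to drm_mode_create_from_cmdline_mode() shrinks `hdisplay` by two pixels but moves `hsync_start` and `hsync_end` by only one, leaving `htotal` untouched, and the one-line comment does not explain that asymmetry. The commit message describes this as similar to the existing 1366x768 workaround in drm_edid.c, so it is presumably deliberate, but a reader of drm_modes.c alone cannot tell. I would extend the comment, for example `/* 1366 is not expressible by GTF/CVT: shrink hdisplay by 2, shift hsync by 1, keep htotal (same fix-up as the EDID 1366x768 workaround) */`. The comment also says 1368x768 while the test checks only the width (`cmd->xres == 1366 && mode->hdisplay == 1368`), so the comment should say "1368 wide" unless a height check is intended. The function begins before the visible context.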
diff --git a/queue-4.4/fbdev-color-map-copying-bounds-checking.patch b/queue-4.4/fbdev-color-map-copying-bounds-checking.patch
new file mode 100644 (file)
index 0000000..be9e7b2
--- /dev/null
@@ -0,0 +1,82 @@
+From 2dc705a9930b4806250fbf5a76e55266e59389f2 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Tue, 24 Jan 2017 15:18:24 -0800
+Subject: fbdev: color map copying bounds checking
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 2dc705a9930b4806250fbf5a76e55266e59389f2 upstream.
+
+Copying color maps to userspace doesn't check the value of to->start,
+which will cause kernel heap buffer OOB read due to signedness wraps.
+
+CVE-2016-8405
+
+Link: http://lkml.kernel.org/r/20170105224249.GA50925@beast
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reported-by: Peter Pi (@heisecode) of Trend Micro
+Cc: Min Chong <mchong@google.com>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/core/fbcmap.c |   26 ++++++++++++++------------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+--- a/drivers/video/fbdev/core/fbcmap.c
++++ b/drivers/video/fbdev/core/fbcmap.c
+@@ -163,17 +163,18 @@ void fb_dealloc_cmap(struct fb_cmap *cma
+ int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to)
+ {
+-      int tooff = 0, fromoff = 0;
+-      int size;
++      unsigned int tooff = 0, fromoff = 0;
++      size_t size;
+       if (to->start > from->start)
+               fromoff = to->start - from->start;
+       else
+               tooff = from->start - to->start;
+-      size = to->len - tooff;
+-      if (size > (int) (from->len - fromoff))
+-              size = from->len - fromoff;
+-      if (size <= 0)
++      if (fromoff >= from->len || tooff >= to->len)
++              return -EINVAL;
++
++      size = min_t(size_t, to->len - tooff, from->len - fromoff);
++      if (size == 0)
+               return -EINVAL;
+       size *= sizeof(u16);
+@@ -187,17 +188,18 @@ int fb_copy_cmap(const struct fb_cmap *f
+ int fb_cmap_to_user(const struct fb_cmap *from, struct fb_cmap_user *to)
+ {
+-      int tooff = 0, fromoff = 0;
+-      int size;
++      unsigned int tooff = 0, fromoff = 0;
++      size_t size;
+       if (to->start > from->start)
+               fromoff = to->start - from->start;
+       else
+               tooff = from->start - to->start;
+-      size = to->len - tooff;
+-      if (size > (int) (from->len - fromoff))
+-              size = from->len - fromoff;
+-      if (size <= 0)
++      if (fromoff >= from->len || tooff >= to->len)
++              return -EINVAL;
++
++      size = min_t(size_t, to->len - tooff, from->len - fromoff);
++      if (size == 0)
+               return -EINVAL;
+       size *= sizeof(u16);
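Review bot: In fb_copy_cmap() the `if (size == 0)` test after `min_t()` can no longer be true, because the new guard has already returned when `fromoff >= from->len || tooff >= to->len`, so both operands of `min_t()` are at least 1. Either drop the test or keep it with a comment that says so, e.g. `/* cannot happen after the bounds check above; kept as a backstop */`. The same applies to fb_cmap_to_user() in the second inner hunk. That function is the one where `to->start` and `to->len` come from userspace, so a comment on its guard, such as `/* to->start/to->len are user-supplied: reject offsets outside either map before computing the copy size */`, would keep the reason for the check visible. Both bodies continue past the visible context, so the copy calls that consume `size`, `fromoff` and `tooff` cannot be checked from this page.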
diff --git a/queue-4.4/tile-ptrace-preserve-previous-registers-for-short-regset-write.patch b/queue-4.4/tile-ptrace-preserve-previous-registers-for-short-regset-write.patch
new file mode 100644 (file)
index 0000000..454c386
--- /dev/null
@@ -0,0 +1,32 @@
+From fd7c99142d77dc4a851879a66715abf12a3193fb Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Fri, 6 Jan 2017 17:54:51 +0000
+Subject: tile/ptrace: Preserve previous registers for short regset write
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit fd7c99142d77dc4a851879a66715abf12a3193fb upstream.
+
+Ensure that if userspace supplies insufficient data to
+PTRACE_SETREGSET to fill all the registers, the thread's old
+registers are preserved.
+
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Signed-off-by: Chris Metcalf <cmetcalf@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/tile/kernel/ptrace.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/tile/kernel/ptrace.c
++++ b/arch/tile/kernel/ptrace.c
+@@ -111,7 +111,7 @@ static int tile_gpr_set(struct task_stru
+                         const void *kbuf, const void __user *ubuf)
+ {
+       int ret;
+-      struct pt_regs regs;
++      struct pt_regs regs = *task_pt_regs(target);
+       ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &regs, 0,
+                                sizeof(regs));
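Review bot: The new initialiser `struct pt_regs regs = *task_pt_regs(target);` in tile_gpr_set() carries no comment, although it is the whole fix. Without it, a PTRACE_SETREGSET call that supplies fewer than `sizeof(regs)` bytes leaves the tail of the on-stack struct uninitialised after `user_regset_copyin()`. I would add `/* Start from the thread's current registers so a short write leaves the remaining ones unchanged */` above the declaration, so the initialiser is not later removed as a redundant copy. What the function does with `regs` after the copy-in lies outside the hunk; presumably it is written back to the target, which is what makes the uninitialised tail matter.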