From: Greg Kroah-Hartman Date: Sat, 4 Jun 2016 20:54:26 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v3.14.72~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4dd99295b27614f2cb93611970cd0f43fb6595f8;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: drm-fb_helper-fix-references-to-dev-mode_config.num_connector.patch drm-gma500-fix-possible-out-of-bounds-read.patch --- diff --git a/queue-3.14/drm-fb_helper-fix-references-to-dev-mode_config.num_connector.patch b/queue-3.14/drm-fb_helper-fix-references-to-dev-mode_config.num_connector.patch new file mode 100644 index 00000000000..f5b223621b3 --- /dev/null +++ b/queue-3.14/drm-fb_helper-fix-references-to-dev-mode_config.num_connector.patch 
@@ -0,0 +1,69 @@ +From 255f0e7c418ad95a4baeda017ae6182ba9b3c423 Mon Sep 17 00:00:00 2001 +From: Lyude +Date: Thu, 12 May 2016 10:56:59 -0400 +Subject: drm/fb_helper: Fix references to dev->mode_config.num_connector + +From: Lyude + +commit 255f0e7c418ad95a4baeda017ae6182ba9b3c423 upstream. + +During boot, MST hotplugs are generally expected (even if no physical +hotplugging occurs) and result in DRM's connector topology changing. +This means that using num_connector from the current mode configuration +can lead to the number of connectors changing under us. This can lead to +some nasty scenarios in fbcon: + +- We allocate an array to the size of dev->mode_config.num_connectors. +- MST hotplug occurs, dev->mode_config.num_connectors gets incremented. +- We try to loop through each element in the array using the new value + of dev->mode_config.num_connectors, and end up going out of bounds + since dev->mode_config.num_connectors is now larger then the array we + allocated. + +fb_helper->connector_count however, will always remain consistent while +we do a modeset in fb_helper. + +Note: This is just polish for 4.7, Dave Airlie's drm_connector +refcounting fixed these bugs for real. But it's good enough duct-tape +for stable kernel backporting, since backporting the refcounting +changes is way too invasive. + +Signed-off-by: Lyude +[danvet: Clarify why we need this. Also remove the now unused "dev" +local variable to appease gcc.] 
+Signed-off-by: Daniel Vetter +Link: http://patchwork.freedesktop.org/patch/msgid/1463065021-18280-3-git-send-email-cpaul@redhat.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_fb_helper.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/drm_fb_helper.c ++++ b/drivers/gpu/drm/drm_fb_helper.c +@@ -1347,7 +1347,6 @@ static int drm_pick_crtcs(struct drm_fb_ + int n, int width, int height) + { + int c, o; +- struct drm_device *dev = fb_helper->dev; + struct drm_connector *connector; + struct drm_connector_helper_funcs *connector_funcs; + struct drm_encoder *encoder; +@@ -1366,7 +1365,7 @@ static int drm_pick_crtcs(struct drm_fb_ + if (modes[n] == NULL) + return best_score; + +- crtcs = kzalloc(dev->mode_config.num_connector * ++ crtcs = kzalloc(fb_helper->connector_count * + sizeof(struct drm_fb_helper_crtc *), GFP_KERNEL); + if (!crtcs) + return best_score; +@@ -1412,7 +1411,7 @@ static int drm_pick_crtcs(struct drm_fb_ + if (score > best_score) { + best_score = score; + memcpy(best_crtcs, crtcs, +- dev->mode_config.num_connector * ++ fb_helper->connector_count * + sizeof(struct drm_fb_helper_crtc *)); + } + } diff --git a/queue-3.14/drm-gma500-fix-possible-out-of-bounds-read.patch b/queue-3.14/drm-gma500-fix-possible-out-of-bounds-read.patch new file mode 100644 index 00000000000..44aaa15dda0 --- /dev/null +++ b/queue-3.14/drm-gma500-fix-possible-out-of-bounds-read.patch 
@@ -0,0 +1,34 @@ +From 7ccca1d5bf69fdd1d3c5fcf84faf1659a6e0ad11 Mon Sep 17 00:00:00 2001 +From: Itai Handler +Date: Tue, 3 Nov 2015 00:20:56 +0200 +Subject: drm/gma500: Fix possible out of bounds read + +From: Itai Handler + +commit 7ccca1d5bf69fdd1d3c5fcf84faf1659a6e0ad11 upstream. + +Fix possible out of bounds read, by adding missing comma. +The code may read pass the end of the dsi_errors array +when the most significant bit (bit #31) in the intr_stat register +is set. +This bug has been detected using CppCheck (static analysis tool). + +Signed-off-by: Itai Handler +Signed-off-by: Patrik Jakobsson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/gma500/mdfld_dsi_pkg_sender.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/gma500/mdfld_dsi_pkg_sender.c ++++ b/drivers/gpu/drm/gma500/mdfld_dsi_pkg_sender.c +@@ -85,7 +85,7 @@ static const char *const dsi_errors[] = + "RX Prot Violation", + "HS Generic Write FIFO Full", + "LP Generic Write FIFO Full", +- "Generic Read Data Avail" ++ "Generic Read Data Avail", + "Special Packet Sent", + "Tearing Effect", + }; diff --git a/queue-3.14/series b/queue-3.14/series index 4ed1d7b7b9e..12528224ae0 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -12,3 +12,5 @@ pipe-fix-buffer-offset-after-partially-failed-read.patch powerpc-book3s64-fix-branching-to-ool-handlers-in-relocatable-kernel.patch xen-events-don-t-move-disabled-irqs.patch sunrpc-fix-stripping-of-padded-mic-tokens.patch +drm-gma500-fix-possible-out-of-bounds-read.patch +drm-fb_helper-fix-references-to-dev-mode_config.num_connector.patch
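Review bot: In drivers/gpu/drm/drm_fb_helper.c, the second drm_pick_crtcs hunk still sizes the allocation with an open-coded multiplication, `kzalloc(fb_helper->connector_count * sizeof(struct drm_fb_helper_crtc *), GFP_KERNEL)`, so the product is not checked for overflow. kcalloc(fb_helper->connector_count, sizeof(struct drm_fb_helper_crtc *), GFP_KERNEL) gives the same zeroed array and checks the multiplication. If the backport has to stay identical to the upstream commit, raise this as a follow-up upstream rather than changing it here.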
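Review bot: In drivers/gpu/drm/drm_fb_helper.c, the memcpy in the third drm_pick_crtcs hunk now copies fb_helper->connector_count pointers into best_crtcs, but no hunk in this patch touches the place where best_crtcs is allocated. If the caller still sizes that buffer from dev->mode_config.num_connector, the destination length and the copy length can disagree after an MST hotplug, which is the mismatch the commit message sets out to remove. Please confirm that the caller allocates best_crtcs from fb_helper->connector_count as well, or carry that change in this backport.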
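Review bot: In drivers/gpu/drm/gma500/mdfld_dsi_pkg_sender.c, the comma added after "Generic Read Data Avail" restores the element count of dsi_errors, but nothing in the hunk ties the table length to the bit range of intr_stat (up to bit #31 per the commit message), so a later missing comma would silently shorten the array again. Consider a compile-time check such as BUILD_BUG_ON(ARRAY_SIZE(dsi_errors) != 32) next to the lookup, or bounding the index with ARRAY_SIZE(dsi_errors) before the string is read.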