From 377e81b207c8b5a8eb5d50563233d60b9ed00325 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 26 Jan 2017 16:40:18 +0100
Subject: [PATCH] 4.4-stable patches added patches: drm-fix-broken-vt-switch-with-video-1366x768-option.patch fbdev-color-map-copying-bounds-checking.patch tile-ptrace-preserve-previous-registers-for-short-regset-write.patch
---
...vt-switch-with-video-1366x768-option.patch | 71 ++++++++++++++++
...ev-color-map-copying-bounds-checking.patch | 82 +++++++++++++++++++
...ous-registers-for-short-regset-write.patch | 32 ++++++++
3 files changed, 185 insertions(+)
create mode 100644 queue-4.4/drm-fix-broken-vt-switch-with-video-1366x768-option.patch
create mode 100644 queue-4.4/fbdev-color-map-copying-bounds-checking.patch
create mode 100644 queue-4.4/tile-ptrace-preserve-previous-registers-for-short-regset-write.patch
diff --git a/queue-4.4/drm-fix-broken-vt-switch-with-video-1366x768-option.patch b/queue-4.4/drm-fix-broken-vt-switch-with-video-1366x768-option.patch
new file mode 100644
index 00000000000..2334df62761
--- /dev/null
+++ b/queue-4.4/drm-fix-broken-vt-switch-with-video-1366x768-option.patch
@@ -0,0 +1,71 @@
+From fdf35a6b22247746a7053fc764d04218a9306f82 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 9 Jan 2017 15:56:14 +0100
+Subject: drm: Fix broken VT switch with video=1366x768 option
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Takashi Iwai
+
+commit fdf35a6b22247746a7053fc764d04218a9306f82 upstream.
+
+I noticed that the VT switch doesn't work any longer with a Dell
+laptop with 1366x768 eDP when the machine is connected with a DP
+monitor. It behaves as if VT were switched, but the graphics remain
+frozen. Actually the keyboard works, so I could switch back to VT7
+again.
+
+I tried to track down the problem, and encountered a long story until
+we reach to this error:
+
+- The machine is booted with video=1366x768 option (the distro
+ installer seems to add it as default).
+- Recently, drm_helper_probe_single_connector_modes() deals with
+ cmdline modes, and it tries to create a new mode when no
+ matching mode is found.
+- The drm_mode_create_from_cmdline_mode() creates a mode based on
+ either CVT of GFT according to the given cmdline mode; in our case,
+ it's 1366x768.
+- Since both CVT and GFT can't express the width 1366 due to
+ alignment, the resultant mode becomes 1368x768, slightly larger than
+ the given size.
+- Later on, the atomic commit is performed, and in
+ drm_atomic_check_only(), the size of each plane is checked.
+- The size check of 1366x768 fails due to the above, and eventually
+ the whole VT switch fails.
+
+Back in the history, we've had a manual fix-up of 1368x768 in various
+places via c09dedb7a50e ("drm/edid: Add a workaround for 1366x768 HD
+panel"), but they have been all in drm_edid.c at probing the modes
+from EDID. For addressing the problem above, we need a similar hack
+to the mode newly created from cmdline, manually adjusting the width
+when the expected size is 1366 while we get 1368 instead.
+
+Fixes: eaf99c749d43 ("drm: Perform cmdline mode parsing during...")
+Signed-off-by: Takashi Iwai
+Link: http://patchwork.freedesktop.org/patch/msgid/20170109145614.29454-1-tiwai@suse.de
+Reviewed-by: Ville Syrjälä
+Signed-off-by: Ville Syrjälä
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/drm_modes.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/gpu/drm/drm_modes.c
++++ b/drivers/gpu/drm/drm_modes.c
+@@ -1401,6 +1401,13 @@ drm_mode_create_from_cmdline_mode(struct
+ return NULL;
+
+ mode->type |= DRM_MODE_TYPE_USERDEF;
++ /* fix up 1368x768: GFT/CVT can't express 1366 width due to alignment */
++ if (cmd->xres == 1366 && mode->hdisplay == 1368) {
++ mode->hdisplay = 1366;
++ mode->hsync_start--;
++ mode->hsync_end--;
++ drm_mode_set_name(mode);
++ }
+ drm_mode_set_crtcinfo(mode, CRTC_INTERLACE_HALVE_V);
+ return mode;
+ }
diff --git a/queue-4.4/fbdev-color-map-copying-bounds-checking.patch b/queue-4.4/fbdev-color-map-copying-bounds-checking.patch
new file mode 100644
index 00000000000..be9e7b23fb8
--- /dev/null
+++ b/queue-4.4/fbdev-color-map-copying-bounds-checking.patch
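Review bot: The comment on the added fix-up in drm_mode_create_from_cmdline_mode() says `GFT`, which presumably means GTF, the timing formula named next to CVT; I would write it as `/* fix up 1368x768: GTF/CVT can't express 1366 width due to alignment */`. The block shifts hsync_start and hsync_end by one pixel together with hdisplay and leaves the other horizontal timings as computed, and the comment could say that this is intended. The patch description states that the same 1368x768 workaround already exists in drm_edid.c, so sharing one helper between the two sites would keep them from drifting apart. The function starts before the hunk, so how `cmd` and `mode` are validated earlier is not visible here.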
@@ -0,0 +1,82 @@
+From 2dc705a9930b4806250fbf5a76e55266e59389f2 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Tue, 24 Jan 2017 15:18:24 -0800
+Subject: fbdev: color map copying bounds checking
+
+From: Kees Cook
+
+commit 2dc705a9930b4806250fbf5a76e55266e59389f2 upstream.
+
+Copying color maps to userspace doesn't check the value of to->start,
+which will cause kernel heap buffer OOB read due to signedness wraps.
+
+CVE-2016-8405
+
+Link: http://lkml.kernel.org/r/20170105224249.GA50925@beast
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kees Cook
+Reported-by: Peter Pi (@heisecode) of Trend Micro
+Cc: Min Chong
+Cc: Dan Carpenter
+Cc: Tomi Valkeinen
+Cc: Bartlomiej Zolnierkiewicz
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/video/fbdev/core/fbcmap.c | 26 ++++++++++++++------------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+--- a/drivers/video/fbdev/core/fbcmap.c
++++ b/drivers/video/fbdev/core/fbcmap.c
+@@ -163,17 +163,18 @@ void fb_dealloc_cmap(struct fb_cmap *cma
+
+ int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to)
+ {
+- int tooff = 0, fromoff = 0;
+- int size;
++ unsigned int tooff = 0, fromoff = 0;
++ size_t size;
+
+ if (to->start > from->start)
+ fromoff = to->start - from->start;
+ else
+ tooff = from->start - to->start;
+- size = to->len - tooff;
+- if (size > (int) (from->len - fromoff))
+- size = from->len - fromoff;
+- if (size <= 0)
++ if (fromoff >= from->len || tooff >= to->len)
++ return -EINVAL;
++
++ size = min_t(size_t, to->len - tooff, from->len - fromoff);
++ if (size == 0)
+ return -EINVAL;
+ size *= sizeof(u16);
+
+@@ -187,17 +188,18 @@ int fb_copy_cmap(const struct fb_cmap *f
+
+ int fb_cmap_to_user(const struct fb_cmap *from, struct fb_cmap_user *to)
+ {
+- int tooff = 0, fromoff = 0;
+- int size;
++ unsigned int tooff = 0, fromoff = 0;
++ size_t size;
+
+ if (to->start > from->start)
+ fromoff = to->start - from->start;
+ else
+ tooff = from->start - to->start;
+- size = to->len - tooff;
+- if (size > (int) (from->len - fromoff))
+- size = from->len - fromoff;
+- if (size <= 0)
++ if (fromoff >= from->len || tooff >= to->len)
++ return -EINVAL;
++
++ size = min_t(size_t, to->len - tooff, from->len - fromoff);
++ if (size == 0)
+ return -EINVAL;
+ size *= sizeof(u16);
+
diff --git a/queue-4.4/tile-ptrace-preserve-previous-registers-for-short-regset-write.patch b/queue-4.4/tile-ptrace-preserve-previous-registers-for-short-regset-write.patch
new file mode 100644
index 00000000000..454c386d145
--- /dev/null
+++ b/queue-4.4/tile-ptrace-preserve-previous-registers-for-short-regset-write.patch
@@ -0,0 +1,32 @@
+From fd7c99142d77dc4a851879a66715abf12a3193fb Mon Sep 17 00:00:00 2001
+From: Dave Martin
+Date: Fri, 6 Jan 2017 17:54:51 +0000
+Subject: tile/ptrace: Preserve previous registers for short regset write
+
+From: Dave Martin
+
+commit fd7c99142d77dc4a851879a66715abf12a3193fb upstream.
+
+Ensure that if userspace supplies insufficient data to
+PTRACE_SETREGSET to fill all the registers, the thread's old
+registers are preserved.
+
+Signed-off-by: Dave Martin
+Signed-off-by: Chris Metcalf
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/tile/kernel/ptrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/tile/kernel/ptrace.c
++++ b/arch/tile/kernel/ptrace.c
+@@ -111,7 +111,7 @@ static int tile_gpr_set(struct task_stru
+ const void *kbuf, const void __user *ubuf)
+ {
+ int ret;
+- struct pt_regs regs;
++ struct pt_regs regs = *task_pt_regs(target);
+
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, ®s, 0,
+ sizeof(regs));
--
2.47.3
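Review bot: The `if (size == 0)` test after `min_t()` is unreachable in both fb_copy_cmap() and fb_cmap_to_user(): once `fromoff >= from->len || tooff >= to->len` has been rejected, both operands of `min_t()` are at least 1. It can be dropped, or kept with a comment marking it as defensive. The guard is the only thing that keeps the unsigned subtractions from wrapping, and the identical block appears in both functions, so I would move it into one helper that both call; the helper below is a sketch whose name is a suggestion and which assumes `start` and `len` are 32-bit unsigned in both structures. Both function bodies continue outside the hunks, so the copy code that consumes `size` is not visible here.

```c
/* Overlap of two colour maps: offset into each, and the byte count of u16 entries. */
static int fb_cmap_window(u32 from_start, u32 from_len, u32 to_start, u32 to_len,
			  unsigned int *fromoff, unsigned int *tooff, size_t *size)
{
	*fromoff = 0;
	*tooff = 0;
	if (to_start > from_start)
		*fromoff = to_start - from_start;
	else
		*tooff = from_start - to_start;
	/* reject an offset past either map before subtracting: unsigned values would wrap */
	if (*fromoff >= from_len || *tooff >= to_len)
		return -EINVAL;
	*size = min_t(size_t, to_len - *tooff, from_len - *fromoff) * sizeof(u16);
	return 0;
}

int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to)
{
	unsigned int tooff, fromoff;
	size_t size;

	if (fb_cmap_window(from->start, from->len, to->start, to->len,
			   &fromoff, &tooff, &size))
		return -EINVAL;
	/* … unchanged: rest of fb_copy_cmap(), outside the hunk; fb_cmap_to_user() changes the same way … */
```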
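Review bot: The new initializer `struct pt_regs regs = *task_pt_regs(target);` in tile_gpr_set() is what keeps a short PTRACE_SETREGSET write from leaving the tail of `regs` as uninitialised stack contents, and nothing in the code says so; I would add `/* start from the current registers so a short write leaves the rest unchanged */` above it. The rest of the function lies outside the hunk, so it cannot be seen here whether `ret` is checked before `regs` is written back to the task, which is worth confirming when the backport is applied. The `®s` in the last context lines is the page's rendering of `&regs`, not part of the patch.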