From 1697d470590bf6e80d6f4be6f84e3e21a1a54cd7 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 9 Jul 2022 10:26:40 +0200 Subject: [PATCH] 5.4-stable patches added patches: fbcon-disallow-setting-font-bigger-than-screen-size.patch fbcon-prevent-that-screen-size-is-smaller-than-font-size.patch fbdev-fbmem-fix-logo-center-image-dx-issue.patch fbmem-check-virtual-screen-sizes-in-fb_set_var.patch iommu-vt-d-fix-pci-bus-rescan-device-hot-add.patch video-of_display_timing.h-include-errno.h.patch --- ...setting-font-bigger-than-screen-size.patch | 37 +++++++ ...creen-size-is-smaller-than-font-size.patch | 99 +++++++++++++++++++ ...fbmem-fix-logo-center-image-dx-issue.patch | 33 +++++++ ...k-virtual-screen-sizes-in-fb_set_var.patch | 40 ++++++++ ...-d-fix-pci-bus-rescan-device-hot-add.patch | 57 +++++++++++ queue-5.4/series | 6 ++ ...-of_display_timing.h-include-errno.h.patch | 33 +++++++ 7 files changed, 305 insertions(+) create mode 100644 queue-5.4/fbcon-disallow-setting-font-bigger-than-screen-size.patch create mode 100644 queue-5.4/fbcon-prevent-that-screen-size-is-smaller-than-font-size.patch create mode 100644 queue-5.4/fbdev-fbmem-fix-logo-center-image-dx-issue.patch create mode 100644 queue-5.4/fbmem-check-virtual-screen-sizes-in-fb_set_var.patch create mode 100644 queue-5.4/iommu-vt-d-fix-pci-bus-rescan-device-hot-add.patch create mode 100644 queue-5.4/video-of_display_timing.h-include-errno.h.patch diff --git a/queue-5.4/fbcon-disallow-setting-font-bigger-than-screen-size.patch b/queue-5.4/fbcon-disallow-setting-font-bigger-than-screen-size.patch new file mode 100644 index 00000000000..32cf514af0e --- /dev/null +++ b/queue-5.4/fbcon-disallow-setting-font-bigger-than-screen-size.patch @@ -0,0 +1,37 @@ +From 65a01e601dbba8b7a51a2677811f70f783766682 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sat, 25 Jun 2022 12:56:49 +0200 +Subject: fbcon: Disallow setting font bigger than screen size + +From: Helge Deller + +commit 65a01e601dbba8b7a51a2677811f70f783766682 upstream. + +Prevent that users set a font size which is bigger than the physical screen. +It's unlikely this may happen (because screens are usually much larger than the +fonts and each font char is limited to 32x32 pixels), but it may happen on +smaller screens/LCD displays. + +Signed-off-by: Helge Deller +Reviewed-by: Daniel Vetter +Reviewed-by: Geert Uytterhoeven +Cc: stable@vger.kernel.org # v4.14+ +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/core/fbcon.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/video/fbdev/core/fbcon.c ++++ b/drivers/video/fbdev/core/fbcon.c +@@ -2490,6 +2490,11 @@ static int fbcon_set_font(struct vc_data + if (charcount != 256 && charcount != 512) + return -EINVAL; + ++ /* font bigger than screen resolution ? */ ++ if (w > FBCON_SWAP(info->var.rotate, info->var.xres, info->var.yres) || ++ h > FBCON_SWAP(info->var.rotate, info->var.yres, info->var.xres)) ++ return -EINVAL; ++ + /* Make sure drawing engine can handle the font */ + if (!(info->pixmap.blit_x & (1 << (font->width - 1))) || + !(info->pixmap.blit_y & (1 << (font->height - 1)))) diff --git a/queue-5.4/fbcon-prevent-that-screen-size-is-smaller-than-font-size.patch b/queue-5.4/fbcon-prevent-that-screen-size-is-smaller-than-font-size.patch new file mode 100644 index 00000000000..474c755ca46 --- /dev/null +++ b/queue-5.4/fbcon-prevent-that-screen-size-is-smaller-than-font-size.patch @@ -0,0 +1,99 @@ +From e64242caef18b4a5840b0e7a9bff37abd4f4f933 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sat, 25 Jun 2022 13:00:34 +0200 +Subject: fbcon: Prevent that screen size is smaller than font size + +From: Helge Deller + +commit e64242caef18b4a5840b0e7a9bff37abd4f4f933 upstream. + +We need to prevent that users configure a screen size which is smaller than the +currently selected font size. Otherwise rendering chars on the screen will +access memory outside the graphics memory region. + +This patch adds a new function fbcon_modechange_possible() which +implements this check and which later may be extended with other checks +if necessary. The new function is called from the FBIOPUT_VSCREENINFO +ioctl handler in fbmem.c, which will return -EINVAL if userspace asked +for a too small screen size. + +Signed-off-by: Helge Deller +Reviewed-by: Geert Uytterhoeven +Cc: stable@vger.kernel.org # v5.4+ +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/core/fbcon.c | 28 ++++++++++++++++++++++++++++ + drivers/video/fbdev/core/fbmem.c | 4 +++- + include/linux/fbcon.h | 4 ++++ + 3 files changed, 35 insertions(+), 1 deletion(-) + +--- a/drivers/video/fbdev/core/fbcon.c ++++ b/drivers/video/fbdev/core/fbcon.c +@@ -2761,6 +2761,34 @@ void fbcon_update_vcs(struct fb_info *in + } + EXPORT_SYMBOL(fbcon_update_vcs); + ++/* let fbcon check if it supports a new screen resolution */ ++int fbcon_modechange_possible(struct fb_info *info, struct fb_var_screeninfo *var) ++{ ++ struct fbcon_ops *ops = info->fbcon_par; ++ struct vc_data *vc; ++ unsigned int i; ++ ++ WARN_CONSOLE_UNLOCKED(); ++ ++ if (!ops) ++ return 0; ++ ++ /* prevent setting a screen size which is smaller than font size */ ++ for (i = first_fb_vc; i <= last_fb_vc; i++) { ++ vc = vc_cons[i].d; ++ if (!vc || vc->vc_mode != KD_TEXT || ++ registered_fb[con2fb_map[i]] != info) ++ continue; ++ ++ if (vc->vc_font.width > FBCON_SWAP(var->rotate, var->xres, var->yres) || ++ vc->vc_font.height > FBCON_SWAP(var->rotate, var->yres, var->xres)) ++ return -EINVAL; ++ } ++ ++ return 0; ++} ++EXPORT_SYMBOL_GPL(fbcon_modechange_possible); ++ + int fbcon_mode_deleted(struct fb_info *info, + struct fb_videomode *mode) + { +--- a/drivers/video/fbdev/core/fbmem.c ++++ b/drivers/video/fbdev/core/fbmem.c +@@ -1114,7 +1114,9 @@ static long do_fb_ioctl(struct fb_info * + return -EFAULT; + console_lock(); + lock_fb_info(info); +- ret = fb_set_var(info, &var); ++ ret = fbcon_modechange_possible(info, &var); ++ if (!ret) ++ ret = fb_set_var(info, &var); + if (!ret) + fbcon_update_vcs(info, var.activate & FB_ACTIVATE_ALL); + unlock_fb_info(info); +--- a/include/linux/fbcon.h ++++ b/include/linux/fbcon.h +@@ -15,6 +15,8 @@ void fbcon_new_modelist(struct fb_info * + void fbcon_get_requirement(struct fb_info *info, + struct fb_blit_caps *caps); + void fbcon_fb_blanked(struct fb_info *info, int blank); ++int fbcon_modechange_possible(struct fb_info *info, ++ struct fb_var_screeninfo *var); + void fbcon_update_vcs(struct fb_info *info, bool all); + void fbcon_remap_all(struct fb_info *info); + int fbcon_set_con2fb_map_ioctl(void __user *argp); +@@ -33,6 +35,8 @@ static inline void fbcon_new_modelist(st + static inline void fbcon_get_requirement(struct fb_info *info, + struct fb_blit_caps *caps) {} + static inline void fbcon_fb_blanked(struct fb_info *info, int blank) {} ++static inline int fbcon_modechange_possible(struct fb_info *info, ++ struct fb_var_screeninfo *var) { return 0; } + static inline void fbcon_update_vcs(struct fb_info *info, bool all) {} + static inline void fbcon_remap_all(struct fb_info *info) {} + static inline int fbcon_set_con2fb_map_ioctl(void __user *argp) { return 0; } diff --git a/queue-5.4/fbdev-fbmem-fix-logo-center-image-dx-issue.patch b/queue-5.4/fbdev-fbmem-fix-logo-center-image-dx-issue.patch new file mode 100644 index 00000000000..6e84c461edf --- /dev/null +++ b/queue-5.4/fbdev-fbmem-fix-logo-center-image-dx-issue.patch @@ -0,0 +1,33 @@ +From 955f04766d4e6eb94bf3baa539e096808c74ebfb Mon Sep 17 00:00:00 2001 +From: Guiling Deng +Date: Tue, 28 Jun 2022 09:36:41 -0700 +Subject: fbdev: fbmem: Fix logo center image dx issue + +From: Guiling Deng + +commit 955f04766d4e6eb94bf3baa539e096808c74ebfb upstream. + +Image.dx gets wrong value because of missing '()'. + +If xres == logo->width and n == 1, image.dx = -16. + +Signed-off-by: Guiling Deng +Fixes: 3d8b1933eb1c ("fbdev: fbmem: add config option to center the bootup logo") +Cc: stable@vger.kernel.org # v5.0+ +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/core/fbmem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/video/fbdev/core/fbmem.c ++++ b/drivers/video/fbdev/core/fbmem.c +@@ -512,7 +512,7 @@ static int fb_show_logo_line(struct fb_i + + while (n && (n * (logo->width + 8) - 8 > xres)) + --n; +- image.dx = (xres - n * (logo->width + 8) - 8) / 2; ++ image.dx = (xres - (n * (logo->width + 8) - 8)) / 2; + image.dy = y ?: (yres - logo->height) / 2; + } else { + image.dx = 0; diff --git a/queue-5.4/fbmem-check-virtual-screen-sizes-in-fb_set_var.patch b/queue-5.4/fbmem-check-virtual-screen-sizes-in-fb_set_var.patch new file mode 100644 index 00000000000..532cd7f7258 --- /dev/null +++ b/queue-5.4/fbmem-check-virtual-screen-sizes-in-fb_set_var.patch @@ -0,0 +1,40 @@ +From 6c11df58fd1ac0aefcb3b227f72769272b939e56 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Wed, 29 Jun 2022 15:53:55 +0200 +Subject: fbmem: Check virtual screen sizes in fb_set_var() + +From: Helge Deller + +commit 6c11df58fd1ac0aefcb3b227f72769272b939e56 upstream. + +Verify that the fbdev or drm driver correctly adjusted the virtual +screen sizes. On failure report the failing driver and reject the screen +size change. + +Signed-off-by: Helge Deller +Reviewed-by: Geert Uytterhoeven +Cc: stable@vger.kernel.org # v5.4+ +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/core/fbmem.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/video/fbdev/core/fbmem.c ++++ b/drivers/video/fbdev/core/fbmem.c +@@ -1014,6 +1014,16 @@ fb_set_var(struct fb_info *info, struct + if (ret) + return ret; + ++ /* verify that virtual resolution >= physical resolution */ ++ if (var->xres_virtual < var->xres || ++ var->yres_virtual < var->yres) { ++ pr_warn("WARNING: fbcon: Driver '%s' missed to adjust virtual screen size (%ux%u vs. %ux%u)\n", ++ info->fix.id, ++ var->xres_virtual, var->yres_virtual, ++ var->xres, var->yres); ++ return -EINVAL; ++ } ++ + if ((var->activate & FB_ACTIVATE_MASK) != FB_ACTIVATE_NOW) + return 0; + diff --git a/queue-5.4/iommu-vt-d-fix-pci-bus-rescan-device-hot-add.patch b/queue-5.4/iommu-vt-d-fix-pci-bus-rescan-device-hot-add.patch new file mode 100644 index 00000000000..d40f9fa6010 --- /dev/null +++ b/queue-5.4/iommu-vt-d-fix-pci-bus-rescan-device-hot-add.patch @@ -0,0 +1,57 @@ +From 316f92a705a4c2bf4712135180d56f3cca09243a Mon Sep 17 00:00:00 2001 +From: Yian Chen +Date: Fri, 20 May 2022 17:21:15 -0700 +Subject: iommu/vt-d: Fix PCI bus rescan device hot add + +From: Yian Chen + +commit 316f92a705a4c2bf4712135180d56f3cca09243a upstream. + +Notifier calling chain uses priority to determine the execution +order of the notifiers or listeners registered to the chain. +PCI bus device hot add utilizes the notification mechanism. + +The current code sets low priority (INT_MIN) to Intel +dmar_pci_bus_notifier and postpones DMAR decoding after adding +new device into IOMMU. The result is that struct device pointer +cannot be found in DRHD search for the new device's DMAR/IOMMU. +Subsequently, the device is put under the "catch-all" IOMMU +instead of the correct one. This could cause system hang when +device TLB invalidation is sent to the wrong IOMMU. Invalidation +timeout error and hard lockup have been observed and data +inconsistency/crush may occur as well. + +This patch fixes the issue by setting a positive priority(1) for +dmar_pci_bus_notifier while the priority of IOMMU bus notifier +uses the default value(0), therefore DMAR decoding will be in +advance of DRHD search for a new device to find the correct IOMMU. + +Following is a 2-step example that triggers the bug by simulating +PCI device hot add behavior in Intel Sapphire Rapids server. + +echo 1 > /sys/bus/pci/devices/0000:6a:01.0/remove +echo 1 > /sys/bus/pci/rescan + +Fixes: 59ce0515cdaf ("iommu/vt-d: Update DRHD/RMRR/ATSR device scope") +Cc: stable@vger.kernel.org # v3.15+ +Reported-by: Zhang, Bernice +Signed-off-by: Jacob Pan +Signed-off-by: Yian Chen +Link: https://lore.kernel.org/r/20220521002115.1624069-1-yian.chen@intel.com +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/dmar.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iommu/dmar.c ++++ b/drivers/iommu/dmar.c +@@ -363,7 +363,7 @@ static int dmar_pci_bus_notifier(struct + + static struct notifier_block dmar_pci_bus_nb = { + .notifier_call = dmar_pci_bus_notifier, +- .priority = INT_MIN, ++ .priority = 1, + }; + + static struct dmar_drhd_unit * diff --git a/queue-5.4/series b/queue-5.4/series index 71c22a97ba2..d46bbff2cea 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -5,3 +5,9 @@ can-grcan-grcan_probe-remove-extra-of_node_get.patch can-gs_usb-gs_usb_open-close-fix-memory-leak.patch usbnet-fix-memory-leak-in-error-case.patch net-rose-fix-uaf-bug-caused-by-rose_t0timer_expiry.patch +iommu-vt-d-fix-pci-bus-rescan-device-hot-add.patch +fbdev-fbmem-fix-logo-center-image-dx-issue.patch +fbmem-check-virtual-screen-sizes-in-fb_set_var.patch +fbcon-disallow-setting-font-bigger-than-screen-size.patch +fbcon-prevent-that-screen-size-is-smaller-than-font-size.patch +video-of_display_timing.h-include-errno.h.patch diff --git a/queue-5.4/video-of_display_timing.h-include-errno.h.patch b/queue-5.4/video-of_display_timing.h-include-errno.h.patch new file mode 100644 index 00000000000..d4279e918c7 --- /dev/null +++ b/queue-5.4/video-of_display_timing.h-include-errno.h.patch @@ -0,0 +1,33 @@ +From 3663a2fb325b8782524f3edb0ae32d6faa615109 Mon Sep 17 00:00:00 2001 +From: Hsin-Yi Wang +Date: Fri, 1 Jul 2022 01:33:29 +0800 +Subject: video: of_display_timing.h: include errno.h + +From: Hsin-Yi Wang + +commit 3663a2fb325b8782524f3edb0ae32d6faa615109 upstream. + +If CONFIG_OF is not enabled, default of_get_display_timing() returns an +errno, so include the header. + +Fixes: 422b67e0b31a ("videomode: provide dummy inline functions for !CONFIG_OF") +Suggested-by: Stephen Boyd +Signed-off-by: Hsin-Yi Wang +Reviewed-by: Stephen Boyd +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + include/video/of_display_timing.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/include/video/of_display_timing.h ++++ b/include/video/of_display_timing.h +@@ -8,6 +8,8 @@ + #ifndef __LINUX_OF_DISPLAY_TIMING_H + #define __LINUX_OF_DISPLAY_TIMING_H + ++#include ++ + struct device_node; + struct display_timing; + struct display_timings; -- 2.47.3