2005-04-16 22:20:36 +00:00
|
|
|
/*
|
|
|
|
|
* linux/drivers/video/console/bitblit.c -- BitBlitting Operation
|
|
|
|
|
*
|
|
|
|
|
* Originally from the 'accel_*' routines in drivers/video/console/fbcon.c
|
|
|
|
|
*
|
|
|
|
|
* Copyright (C) 2004 Antonino Daplas <adaplas @pol.net>
|
|
|
|
|
*
|
|
|
|
|
* This file is subject to the terms and conditions of the GNU General Public
|
|
|
|
|
* License. See the file COPYING in the main directory of this archive for
|
|
|
|
|
* more details.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <linux/module.h>
|
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 08:04:11 +00:00
|
|
|
#include <linux/slab.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <linux/string.h>
|
|
|
|
|
#include <linux/fb.h>
|
|
|
|
|
#include <linux/vt_kern.h>
|
|
|
|
|
#include <linux/console.h>
|
|
|
|
|
#include <asm/types.h>
|
|
|
|
|
#include "fbcon.h"
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Accelerated handlers.
|
|
|
|
|
*/
|
2010-08-11 01:02:29 +00:00
|
|
|
static void update_attr(u8 *dst, u8 *src, int attribute,
|
2005-04-16 22:20:36 +00:00
|
|
|
struct vc_data *vc)
|
|
|
|
|
{
|
|
|
|
|
int i, offset = (vc->vc_font.height < 10) ? 1 : 2;
|
2009-09-22 23:47:41 +00:00
|
|
|
int width = DIV_ROUND_UP(vc->vc_font.width, 8);
|
2005-04-16 22:20:36 +00:00
|
|
|
unsigned int cellsize = vc->vc_font.height * width;
|
|
|
|
|
u8 c;
|
|
|
|
|
|
|
|
|
|
offset = cellsize - (offset * width);
|
|
|
|
|
for (i = 0; i < cellsize; i++) {
|
|
|
|
|
c = src[i];
|
|
|
|
|
if (attribute & FBCON_ATTRIBUTE_UNDERLINE && i >= offset)
|
|
|
|
|
c = 0xff;
|
|
|
|
|
if (attribute & FBCON_ATTRIBUTE_BOLD)
|
|
|
|
|
c |= c >> 1;
|
|
|
|
|
if (attribute & FBCON_ATTRIBUTE_REVERSE)
|
|
|
|
|
c = ~c;
|
|
|
|
|
dst[i] = c;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
Revert "fbdev: Garbage collect fbdev scrolling acceleration, part 1 (from TODO list)"
This reverts commit b3ec8cdf457e5e63d396fe1346cc788cf7c1b578.
Revert the second (of 2) commits which disabled scrolling acceleration
in fbcon/fbdev. It introduced a regression for fbdev-supported graphic
cards because of the performance penalty by doing screen scrolling by
software instead of using the existing graphic card 2D hardware
acceleration.
Console scrolling acceleration was disabled by dropping code which
checked at runtime the driver hardware capabilities for the
BINFO_HWACCEL_COPYAREA or FBINFO_HWACCEL_FILLRECT flags and if set, it
enabled scrollmode SCROLL_MOVE which uses hardware acceleration to move
screen contents. After dropping those checks scrollmode was hard-wired
to SCROLL_REDRAW instead, which forces all graphic cards to redraw every
character at the new screen position when scrolling.
This change effectively disabled all hardware-based scrolling acceleration for
ALL drivers, because now all kind of 2D hardware acceleration (bitblt,
fillrect) in the drivers isn't used any longer.
The original commit message mentions that only 3 DRM drivers (nouveau, omapdrm
and gma500) used hardware acceleration in the past and thus code for checking
and using scrolling acceleration is obsolete.
This statement is NOT TRUE, because beside the DRM drivers there are around 35
other fbdev drivers which depend on fbdev/fbcon and still provide hardware
acceleration for fbdev/fbcon.
The original commit message also states that syzbot found lots of bugs in fbcon
and thus it's "often the solution to just delete code and remove features".
This is true, and the bugs - which actually affected all users of fbcon,
including DRM - were fixed, or code was dropped like e.g. the support for
software scrollback in vgacon (commit 973c096f6a85).
So to further analyze which bugs were found by syzbot, I've looked through all
patches in drivers/video which were tagged with syzbot or syzkaller back to
year 2005. The vast majority fixed the reported issues on a higher level, e.g.
when screen is to be resized, or when font size is to be changed. The few ones
which touched driver code fixed a real driver bug, e.g. by adding a check.
But NONE of those patches touched code of either the SCROLL_MOVE or the
SCROLL_REDRAW case.
That means, there was no real reason why SCROLL_MOVE had to be ripped-out and
just SCROLL_REDRAW had to be used instead. The only reason I can imagine so far
was that SCROLL_MOVE wasn't used by DRM and as such it was assumed that it
could go away. That argument completely missed the fact that SCROLL_MOVE is
still heavily used by fbdev (non-DRM) drivers.
Some people mention that using memcpy() instead of the hardware acceleration is
pretty much the same speed. But that's not true, at least not for older graphic
cards and machines where we see speed decreases by factor 10 and more and thus
this change leads to console responsiveness way worse than before.
That's why the original commit is to be reverted. By reverting we
reintroduce hardware-based scrolling acceleration and fix the
performance regression for fbdev drivers.
There isn't any impact on DRM when reverting those patches.
Signed-off-by: Helge Deller <deller@gmx.de>
Acked-by: Geert Uytterhoeven <geert@linux-m68k.org>
Acked-by: Sven Schnelle <svens@stackframe.org>
Cc: stable@vger.kernel.org # v5.16+
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20220202135531.92183-2-deller@gmx.de
2022-02-02 13:55:29 +00:00
|
|
|
static void bit_bmove(struct vc_data *vc, struct fb_info *info, int sy,
|
|
|
|
|
int sx, int dy, int dx, int height, int width)
|
|
|
|
|
{
|
|
|
|
|
struct fb_copyarea area;
|
|
|
|
|
|
|
|
|
|
area.sx = sx * vc->vc_font.width;
|
|
|
|
|
area.sy = sy * vc->vc_font.height;
|
|
|
|
|
area.dx = dx * vc->vc_font.width;
|
|
|
|
|
area.dy = dy * vc->vc_font.height;
|
|
|
|
|
area.height = height * vc->vc_font.height;
|
|
|
|
|
area.width = width * vc->vc_font.width;
|
|
|
|
|
|
|
|
|
|
info->fbops->fb_copyarea(info, &area);
|
|
|
|
|
}
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
static void bit_clear(struct vc_data *vc, struct fb_info *info, int sy,
|
|
|
|
|
int sx, int height, int width)
|
|
|
|
|
{
|
|
|
|
|
int bgshift = (vc->vc_hi_font_mask) ? 13 : 12;
|
|
|
|
|
struct fb_fillrect region;
|
|
|
|
|
|
2008-02-06 09:39:45 +00:00
|
|
|
region.color = attr_bgcol_ec(bgshift, vc, info);
|
2005-04-16 22:20:36 +00:00
|
|
|
region.dx = sx * vc->vc_font.width;
|
|
|
|
|
region.dy = sy * vc->vc_font.height;
|
|
|
|
|
region.width = width * vc->vc_font.width;
|
|
|
|
|
region.height = height * vc->vc_font.height;
|
|
|
|
|
region.rop = ROP_COPY;
|
|
|
|
|
|
|
|
|
|
info->fbops->fb_fillrect(info, ®ion);
|
|
|
|
|
}
|
|
|
|
|
|
2005-09-09 20:10:04 +00:00
|
|
|
static inline void bit_putcs_aligned(struct vc_data *vc, struct fb_info *info,
|
|
|
|
|
const u16 *s, u32 attr, u32 cnt,
|
|
|
|
|
u32 d_pitch, u32 s_pitch, u32 cellsize,
|
|
|
|
|
struct fb_image *image, u8 *buf, u8 *dst)
|
|
|
|
|
{
|
|
|
|
|
u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
|
|
|
|
|
u32 idx = vc->vc_font.width >> 3;
|
|
|
|
|
u8 *src;
|
|
|
|
|
|
|
|
|
|
while (cnt--) {
|
|
|
|
|
src = vc->vc_font.data + (scr_readw(s++)&
|
|
|
|
|
charmask)*cellsize;
|
|
|
|
|
|
|
|
|
|
if (attr) {
|
|
|
|
|
update_attr(buf, src, attr, vc);
|
|
|
|
|
src = buf;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (likely(idx == 1))
|
|
|
|
|
__fb_pad_aligned_buffer(dst, d_pitch, src, idx,
|
|
|
|
|
image->height);
|
|
|
|
|
else
|
|
|
|
|
fb_pad_aligned_buffer(dst, d_pitch, src, idx,
|
|
|
|
|
image->height);
|
|
|
|
|
|
|
|
|
|
dst += s_pitch;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
info->fbops->fb_imageblit(info, image);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline void bit_putcs_unaligned(struct vc_data *vc,
|
|
|
|
|
struct fb_info *info, const u16 *s,
|
|
|
|
|
u32 attr, u32 cnt, u32 d_pitch,
|
|
|
|
|
u32 s_pitch, u32 cellsize,
|
|
|
|
|
struct fb_image *image, u8 *buf,
|
|
|
|
|
u8 *dst)
|
|
|
|
|
{
|
|
|
|
|
u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
|
|
|
|
|
u32 shift_low = 0, mod = vc->vc_font.width % 8;
|
|
|
|
|
u32 shift_high = 8;
|
|
|
|
|
u32 idx = vc->vc_font.width >> 3;
|
|
|
|
|
u8 *src;
|
|
|
|
|
|
|
|
|
|
while (cnt--) {
|
|
|
|
|
src = vc->vc_font.data + (scr_readw(s++)&
|
|
|
|
|
charmask)*cellsize;
|
|
|
|
|
|
|
|
|
|
if (attr) {
|
|
|
|
|
update_attr(buf, src, attr, vc);
|
|
|
|
|
src = buf;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fb_pad_unaligned_buffer(dst, d_pitch, src, idx,
|
|
|
|
|
image->height, shift_high,
|
|
|
|
|
shift_low, mod);
|
|
|
|
|
shift_low += mod;
|
|
|
|
|
dst += (shift_low >= 8) ? s_pitch : s_pitch - 1;
|
|
|
|
|
shift_low &= 7;
|
|
|
|
|
shift_high = 8 - shift_low;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
info->fbops->fb_imageblit(info, image);
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
static void bit_putcs(struct vc_data *vc, struct fb_info *info,
|
|
|
|
|
const unsigned short *s, int count, int yy, int xx,
|
|
|
|
|
int fg, int bg)
|
|
|
|
|
{
|
|
|
|
|
struct fb_image image;
|
2009-09-22 23:47:41 +00:00
|
|
|
u32 width = DIV_ROUND_UP(vc->vc_font.width, 8);
|
2005-09-09 20:10:04 +00:00
|
|
|
u32 cellsize = width * vc->vc_font.height;
|
|
|
|
|
u32 maxcnt = info->pixmap.size/cellsize;
|
|
|
|
|
u32 scan_align = info->pixmap.scan_align - 1;
|
|
|
|
|
u32 buf_align = info->pixmap.buf_align - 1;
|
|
|
|
|
u32 mod = vc->vc_font.width % 8, cnt, pitch, size;
|
|
|
|
|
u32 attribute = get_attribute(info, scr_readw(s));
|
|
|
|
|
u8 *dst, *buf = NULL;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
image.fg_color = fg;
|
|
|
|
|
image.bg_color = bg;
|
|
|
|
|
image.dx = xx * vc->vc_font.width;
|
|
|
|
|
image.dy = yy * vc->vc_font.height;
|
|
|
|
|
image.height = vc->vc_font.height;
|
|
|
|
|
image.depth = 1;
|
|
|
|
|
|
2005-09-09 20:10:04 +00:00
|
|
|
if (attribute) {
|
2012-07-30 19:09:49 +00:00
|
|
|
buf = kmalloc(cellsize, GFP_ATOMIC);
|
2005-09-09 20:10:04 +00:00
|
|
|
if (!buf)
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
while (count) {
|
|
|
|
|
if (count > maxcnt)
|
2005-09-09 20:10:04 +00:00
|
|
|
cnt = maxcnt;
|
2005-04-16 22:20:36 +00:00
|
|
|
else
|
2005-09-09 20:10:04 +00:00
|
|
|
cnt = count;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
image.width = vc->vc_font.width * cnt;
|
2009-09-22 23:47:41 +00:00
|
|
|
pitch = DIV_ROUND_UP(image.width, 8) + scan_align;
|
2005-04-16 22:20:36 +00:00
|
|
|
pitch &= ~scan_align;
|
|
|
|
|
size = pitch * image.height + buf_align;
|
|
|
|
|
size &= ~buf_align;
|
|
|
|
|
dst = fb_get_buffer_offset(info, &info->pixmap, size);
|
|
|
|
|
image.data = dst;
|
2005-09-09 20:10:04 +00:00
|
|
|
|
|
|
|
|
if (!mod)
|
|
|
|
|
bit_putcs_aligned(vc, info, s, attribute, cnt, pitch,
|
|
|
|
|
width, cellsize, &image, buf, dst);
|
|
|
|
|
else
|
|
|
|
|
bit_putcs_unaligned(vc, info, s, attribute, cnt,
|
|
|
|
|
pitch, width, cellsize, &image,
|
|
|
|
|
buf, dst);
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
image.dx += cnt * vc->vc_font.width;
|
|
|
|
|
count -= cnt;
|
2005-09-09 20:10:04 +00:00
|
|
|
s += cnt;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* buf is always NULL except when in monochrome mode, so in this case
|
|
|
|
|
it's a gain to check buf against NULL even though kfree() handles
|
|
|
|
|
NULL pointers just fine */
|
|
|
|
|
if (unlikely(buf))
|
|
|
|
|
kfree(buf);
|
2005-09-09 20:10:04 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void bit_clear_margins(struct vc_data *vc, struct fb_info *info,
|
2017-08-18 17:56:40 +00:00
|
|
|
int color, int bottom_only)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
|
unsigned int cw = vc->vc_font.width;
|
|
|
|
|
unsigned int ch = vc->vc_font.height;
|
|
|
|
|
unsigned int rw = info->var.xres - (vc->vc_cols*cw);
|
|
|
|
|
unsigned int bh = info->var.yres - (vc->vc_rows*ch);
|
|
|
|
|
unsigned int rs = info->var.xres - rw;
|
|
|
|
|
unsigned int bs = info->var.yres - bh;
|
|
|
|
|
struct fb_fillrect region;
|
|
|
|
|
|
2017-08-18 17:56:40 +00:00
|
|
|
region.color = color;
|
2005-04-16 22:20:36 +00:00
|
|
|
region.rop = ROP_COPY;
|
|
|
|
|
|
fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
syzbot is reporting general protection fault in bitfill_aligned() [1]
caused by integer underflow in bit_clear_margins(). The cause of this
problem is when and how do_vc_resize() updates vc->vc_{cols,rows}.
If vc_do_resize() fails (e.g. kzalloc() fails) when var.xres or var.yres
is going to shrink, vc->vc_{cols,rows} will not be updated. This allows
bit_clear_margins() to see info->var.xres < (vc->vc_cols * cw) or
info->var.yres < (vc->vc_rows * ch). Unexpectedly large rw or bh will
try to overrun the __iomem region and causes general protection fault.
Also, vc_resize(vc, 0, 0) does not set vc->vc_{cols,rows} = 0 due to
new_cols = (cols ? cols : vc->vc_cols);
new_rows = (lines ? lines : vc->vc_rows);
exception. Since cols and lines are calculated as
cols = FBCON_SWAP(ops->rotate, info->var.xres, info->var.yres);
rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres);
cols /= vc->vc_font.width;
rows /= vc->vc_font.height;
vc_resize(vc, cols, rows);
in fbcon_modechanged(), var.xres < vc->vc_font.width makes cols = 0
and var.yres < vc->vc_font.height makes rows = 0. This means that
const int fd = open("/dev/fb0", O_ACCMODE);
struct fb_var_screeninfo var = { };
ioctl(fd, FBIOGET_VSCREENINFO, &var);
var.xres = var.yres = 1;
ioctl(fd, FBIOPUT_VSCREENINFO, &var);
easily reproduces integer underflow bug explained above.
Of course, callers of vc_resize() are not handling vc_do_resize() failure
is bad. But we can't avoid vc_resize(vc, 0, 0) which returns 0. Therefore,
as a band-aid workaround, this patch checks integer underflow in
"struct fbcon_ops"->clear_margins call, assuming that
vc->vc_cols * vc->vc_font.width and vc->vc_rows * vc->vc_font.heigh do not
cause integer overflow.
[1] https://syzkaller.appspot.com/bug?id=a565882df74fa76f10d3a6fec4be31098dbb37c6
Reported-and-tested-by: syzbot <syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200715015102.3814-1-penguin-kernel@I-love.SAKURA.ne.jp
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-07-15 01:51:02 +00:00
|
|
|
if ((int) rw > 0 && !bottom_only) {
|
2005-04-16 22:20:36 +00:00
|
|
|
region.dx = info->var.xoffset + rs;
|
|
|
|
|
region.dy = 0;
|
|
|
|
|
region.width = rw;
|
|
|
|
|
region.height = info->var.yres_virtual;
|
|
|
|
|
info->fbops->fb_fillrect(info, ®ion);
|
|
|
|
|
}
|
|
|
|
|
|
fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
syzbot is reporting general protection fault in bitfill_aligned() [1]
caused by integer underflow in bit_clear_margins(). The cause of this
problem is when and how do_vc_resize() updates vc->vc_{cols,rows}.
If vc_do_resize() fails (e.g. kzalloc() fails) when var.xres or var.yres
is going to shrink, vc->vc_{cols,rows} will not be updated. This allows
bit_clear_margins() to see info->var.xres < (vc->vc_cols * cw) or
info->var.yres < (vc->vc_rows * ch). Unexpectedly large rw or bh will
try to overrun the __iomem region and causes general protection fault.
Also, vc_resize(vc, 0, 0) does not set vc->vc_{cols,rows} = 0 due to
new_cols = (cols ? cols : vc->vc_cols);
new_rows = (lines ? lines : vc->vc_rows);
exception. Since cols and lines are calculated as
cols = FBCON_SWAP(ops->rotate, info->var.xres, info->var.yres);
rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres);
cols /= vc->vc_font.width;
rows /= vc->vc_font.height;
vc_resize(vc, cols, rows);
in fbcon_modechanged(), var.xres < vc->vc_font.width makes cols = 0
and var.yres < vc->vc_font.height makes rows = 0. This means that
const int fd = open("/dev/fb0", O_ACCMODE);
struct fb_var_screeninfo var = { };
ioctl(fd, FBIOGET_VSCREENINFO, &var);
var.xres = var.yres = 1;
ioctl(fd, FBIOPUT_VSCREENINFO, &var);
easily reproduces integer underflow bug explained above.
Of course, callers of vc_resize() are not handling vc_do_resize() failure
is bad. But we can't avoid vc_resize(vc, 0, 0) which returns 0. Therefore,
as a band-aid workaround, this patch checks integer underflow in
"struct fbcon_ops"->clear_margins call, assuming that
vc->vc_cols * vc->vc_font.width and vc->vc_rows * vc->vc_font.heigh do not
cause integer overflow.
[1] https://syzkaller.appspot.com/bug?id=a565882df74fa76f10d3a6fec4be31098dbb37c6
Reported-and-tested-by: syzbot <syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200715015102.3814-1-penguin-kernel@I-love.SAKURA.ne.jp
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-07-15 01:51:02 +00:00
|
|
|
if ((int) bh > 0) {
|
2005-04-16 22:20:36 +00:00
|
|
|
region.dx = info->var.xoffset;
|
|
|
|
|
region.dy = info->var.yoffset + bs;
|
|
|
|
|
region.width = rs;
|
|
|
|
|
region.height = bh;
|
|
|
|
|
info->fbops->fb_fillrect(info, ®ion);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-01-22 11:03:43 +00:00
|
|
|
static void bit_cursor(struct vc_data *vc, struct fb_info *info, bool enable,
|
2020-09-08 17:56:27 +00:00
|
|
|
int fg, int bg)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
|
struct fb_cursor cursor;
|
2006-01-10 04:52:56 +00:00
|
|
|
struct fbcon_ops *ops = info->fbcon_par;
|
2005-04-16 22:20:36 +00:00
|
|
|
unsigned short charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
|
2009-09-22 23:47:41 +00:00
|
|
|
int w = DIV_ROUND_UP(vc->vc_font.width, 8), c;
|
2020-06-15 07:48:33 +00:00
|
|
|
int y = real_y(ops->p, vc->state.y);
|
2020-06-15 07:48:58 +00:00
|
|
|
int attribute, use_sw = vc->vc_cursor_type & CUR_SW;
|
2005-11-07 09:00:35 +00:00
|
|
|
int err = 1;
|
2005-04-16 22:20:36 +00:00
|
|
|
char *src;
|
|
|
|
|
|
|
|
|
|
cursor.set = 0;
|
|
|
|
|
|
2023-05-27 06:41:09 +00:00
|
|
|
if (!vc->vc_font.data)
|
|
|
|
|
return;
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
c = scr_readw((u16 *) vc->vc_pos);
|
|
|
|
|
attribute = get_attribute(info, c);
|
|
|
|
|
src = vc->vc_font.data + ((c & charmask) * (w * vc->vc_font.height));
|
|
|
|
|
|
|
|
|
|
if (ops->cursor_state.image.data != src ||
|
|
|
|
|
ops->cursor_reset) {
|
|
|
|
|
ops->cursor_state.image.data = src;
|
|
|
|
|
cursor.set |= FB_CUR_SETIMAGE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (attribute) {
|
|
|
|
|
u8 *dst;
|
|
|
|
|
|
treewide: kmalloc() -> kmalloc_array()
The kmalloc() function has a 2-factor argument form, kmalloc_array(). This
patch replaces cases of:
kmalloc(a * b, gfp)
with:
kmalloc_array(a * b, gfp)
as well as handling cases of:
kmalloc(a * b * c, gfp)
with:
kmalloc(array3_size(a, b, c), gfp)
as it's slightly less ugly than:
kmalloc_array(array_size(a, b), c, gfp)
This does, however, attempt to ignore constant size factors like:
kmalloc(4 * 1024, gfp)
though any constants defined via macros get caught up in the conversion.
Any factors with a sizeof() of "unsigned char", "char", and "u8" were
dropped, since they're redundant.
The tools/ directory was manually excluded, since it has its own
implementation of kmalloc().
The Coccinelle script used for this was:
// Fix redundant parens around sizeof().
@@
type TYPE;
expression THING, E;
@@
(
kmalloc(
- (sizeof(TYPE)) * E
+ sizeof(TYPE) * E
, ...)
|
kmalloc(
- (sizeof(THING)) * E
+ sizeof(THING) * E
, ...)
)
// Drop single-byte sizes and redundant parens.
@@
expression COUNT;
typedef u8;
typedef __u8;
@@
(
kmalloc(
- sizeof(u8) * (COUNT)
+ COUNT
, ...)
|
kmalloc(
- sizeof(__u8) * (COUNT)
+ COUNT
, ...)
|
kmalloc(
- sizeof(char) * (COUNT)
+ COUNT
, ...)
|
kmalloc(
- sizeof(unsigned char) * (COUNT)
+ COUNT
, ...)
|
kmalloc(
- sizeof(u8) * COUNT
+ COUNT
, ...)
|
kmalloc(
- sizeof(__u8) * COUNT
+ COUNT
, ...)
|
kmalloc(
- sizeof(char) * COUNT
+ COUNT
, ...)
|
kmalloc(
- sizeof(unsigned char) * COUNT
+ COUNT
, ...)
)
// 2-factor product with sizeof(type/expression) and identifier or constant.
@@
type TYPE;
expression THING;
identifier COUNT_ID;
constant COUNT_CONST;
@@
(
- kmalloc
+ kmalloc_array
(
- sizeof(TYPE) * (COUNT_ID)
+ COUNT_ID, sizeof(TYPE)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(TYPE) * COUNT_ID
+ COUNT_ID, sizeof(TYPE)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(TYPE) * (COUNT_CONST)
+ COUNT_CONST, sizeof(TYPE)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(TYPE) * COUNT_CONST
+ COUNT_CONST, sizeof(TYPE)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(THING) * (COUNT_ID)
+ COUNT_ID, sizeof(THING)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(THING) * COUNT_ID
+ COUNT_ID, sizeof(THING)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(THING) * (COUNT_CONST)
+ COUNT_CONST, sizeof(THING)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(THING) * COUNT_CONST
+ COUNT_CONST, sizeof(THING)
, ...)
)
// 2-factor product, only identifiers.
@@
identifier SIZE, COUNT;
@@
- kmalloc
+ kmalloc_array
(
- SIZE * COUNT
+ COUNT, SIZE
, ...)
// 3-factor product with 1 sizeof(type) or sizeof(expression), with
// redundant parens removed.
@@
expression THING;
identifier STRIDE, COUNT;
type TYPE;
@@
(
kmalloc(
- sizeof(TYPE) * (COUNT) * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
kmalloc(
- sizeof(TYPE) * (COUNT) * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
kmalloc(
- sizeof(TYPE) * COUNT * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
kmalloc(
- sizeof(TYPE) * COUNT * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
kmalloc(
- sizeof(THING) * (COUNT) * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
|
kmalloc(
- sizeof(THING) * (COUNT) * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
|
kmalloc(
- sizeof(THING) * COUNT * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
|
kmalloc(
- sizeof(THING) * COUNT * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
)
// 3-factor product with 2 sizeof(variable), with redundant parens removed.
@@
expression THING1, THING2;
identifier COUNT;
type TYPE1, TYPE2;
@@
(
kmalloc(
- sizeof(TYPE1) * sizeof(TYPE2) * COUNT
+ array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
, ...)
|
kmalloc(
- sizeof(TYPE1) * sizeof(THING2) * (COUNT)
+ array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
, ...)
|
kmalloc(
- sizeof(THING1) * sizeof(THING2) * COUNT
+ array3_size(COUNT, sizeof(THING1), sizeof(THING2))
, ...)
|
kmalloc(
- sizeof(THING1) * sizeof(THING2) * (COUNT)
+ array3_size(COUNT, sizeof(THING1), sizeof(THING2))
, ...)
|
kmalloc(
- sizeof(TYPE1) * sizeof(THING2) * COUNT
+ array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
, ...)
|
kmalloc(
- sizeof(TYPE1) * sizeof(THING2) * (COUNT)
+ array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
, ...)
)
// 3-factor product, only identifiers, with redundant parens removed.
@@
identifier STRIDE, SIZE, COUNT;
@@
(
kmalloc(
- (COUNT) * STRIDE * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- COUNT * (STRIDE) * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- COUNT * STRIDE * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- (COUNT) * (STRIDE) * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- COUNT * (STRIDE) * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- (COUNT) * STRIDE * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- (COUNT) * (STRIDE) * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- COUNT * STRIDE * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
)
// Any remaining multi-factor products, first at least 3-factor products,
// when they're not all constants...
@@
expression E1, E2, E3;
constant C1, C2, C3;
@@
(
kmalloc(C1 * C2 * C3, ...)
|
kmalloc(
- (E1) * E2 * E3
+ array3_size(E1, E2, E3)
, ...)
|
kmalloc(
- (E1) * (E2) * E3
+ array3_size(E1, E2, E3)
, ...)
|
kmalloc(
- (E1) * (E2) * (E3)
+ array3_size(E1, E2, E3)
, ...)
|
kmalloc(
- E1 * E2 * E3
+ array3_size(E1, E2, E3)
, ...)
)
// And then all remaining 2 factors products when they're not all constants,
// keeping sizeof() as the second factor argument.
@@
expression THING, E1, E2;
type TYPE;
constant C1, C2, C3;
@@
(
kmalloc(sizeof(THING) * C2, ...)
|
kmalloc(sizeof(TYPE) * C2, ...)
|
kmalloc(C1 * C2 * C3, ...)
|
kmalloc(C1 * C2, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(TYPE) * (E2)
+ E2, sizeof(TYPE)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(TYPE) * E2
+ E2, sizeof(TYPE)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(THING) * (E2)
+ E2, sizeof(THING)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(THING) * E2
+ E2, sizeof(THING)
, ...)
|
- kmalloc
+ kmalloc_array
(
- (E1) * E2
+ E1, E2
, ...)
|
- kmalloc
+ kmalloc_array
(
- (E1) * (E2)
+ E1, E2
, ...)
|
- kmalloc
+ kmalloc_array
(
- E1 * E2
+ E1, E2
, ...)
)
Signed-off-by: Kees Cook <keescook@chromium.org>
2018-06-12 20:55:00 +00:00
|
|
|
dst = kmalloc_array(w, vc->vc_font.height, GFP_ATOMIC);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (!dst)
|
|
|
|
|
return;
|
|
|
|
|
kfree(ops->cursor_data);
|
|
|
|
|
ops->cursor_data = dst;
|
|
|
|
|
update_attr(dst, src, attribute, vc);
|
|
|
|
|
src = dst;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ops->cursor_state.image.fg_color != fg ||
|
|
|
|
|
ops->cursor_state.image.bg_color != bg ||
|
|
|
|
|
ops->cursor_reset) {
|
|
|
|
|
ops->cursor_state.image.fg_color = fg;
|
|
|
|
|
ops->cursor_state.image.bg_color = bg;
|
|
|
|
|
cursor.set |= FB_CUR_SETCMAP;
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-15 07:48:33 +00:00
|
|
|
if ((ops->cursor_state.image.dx != (vc->vc_font.width * vc->state.x)) ||
|
2005-04-16 22:20:36 +00:00
|
|
|
(ops->cursor_state.image.dy != (vc->vc_font.height * y)) ||
|
|
|
|
|
ops->cursor_reset) {
|
2020-06-15 07:48:33 +00:00
|
|
|
ops->cursor_state.image.dx = vc->vc_font.width * vc->state.x;
|
2005-04-16 22:20:36 +00:00
|
|
|
ops->cursor_state.image.dy = vc->vc_font.height * y;
|
|
|
|
|
cursor.set |= FB_CUR_SETPOS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ops->cursor_state.image.height != vc->vc_font.height ||
|
|
|
|
|
ops->cursor_state.image.width != vc->vc_font.width ||
|
|
|
|
|
ops->cursor_reset) {
|
|
|
|
|
ops->cursor_state.image.height = vc->vc_font.height;
|
|
|
|
|
ops->cursor_state.image.width = vc->vc_font.width;
|
|
|
|
|
cursor.set |= FB_CUR_SETSIZE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ops->cursor_state.hot.x || ops->cursor_state.hot.y ||
|
|
|
|
|
ops->cursor_reset) {
|
|
|
|
|
ops->cursor_state.hot.x = cursor.hot.y = 0;
|
|
|
|
|
cursor.set |= FB_CUR_SETHOT;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (cursor.set & FB_CUR_SETSIZE ||
|
2006-01-10 04:52:56 +00:00
|
|
|
vc->vc_cursor_type != ops->p->cursor_shape ||
|
2005-04-16 22:20:36 +00:00
|
|
|
ops->cursor_state.mask == NULL ||
|
|
|
|
|
ops->cursor_reset) {
|
treewide: kmalloc() -> kmalloc_array()
The kmalloc() function has a 2-factor argument form, kmalloc_array(). This
patch replaces cases of:
kmalloc(a * b, gfp)
with:
kmalloc_array(a * b, gfp)
as well as handling cases of:
kmalloc(a * b * c, gfp)
with:
kmalloc(array3_size(a, b, c), gfp)
as it's slightly less ugly than:
kmalloc_array(array_size(a, b), c, gfp)
This does, however, attempt to ignore constant size factors like:
kmalloc(4 * 1024, gfp)
though any constants defined via macros get caught up in the conversion.
Any factors with a sizeof() of "unsigned char", "char", and "u8" were
dropped, since they're redundant.
The tools/ directory was manually excluded, since it has its own
implementation of kmalloc().
The Coccinelle script used for this was:
// Fix redundant parens around sizeof().
@@
type TYPE;
expression THING, E;
@@
(
kmalloc(
- (sizeof(TYPE)) * E
+ sizeof(TYPE) * E
, ...)
|
kmalloc(
- (sizeof(THING)) * E
+ sizeof(THING) * E
, ...)
)
// Drop single-byte sizes and redundant parens.
@@
expression COUNT;
typedef u8;
typedef __u8;
@@
(
kmalloc(
- sizeof(u8) * (COUNT)
+ COUNT
, ...)
|
kmalloc(
- sizeof(__u8) * (COUNT)
+ COUNT
, ...)
|
kmalloc(
- sizeof(char) * (COUNT)
+ COUNT
, ...)
|
kmalloc(
- sizeof(unsigned char) * (COUNT)
+ COUNT
, ...)
|
kmalloc(
- sizeof(u8) * COUNT
+ COUNT
, ...)
|
kmalloc(
- sizeof(__u8) * COUNT
+ COUNT
, ...)
|
kmalloc(
- sizeof(char) * COUNT
+ COUNT
, ...)
|
kmalloc(
- sizeof(unsigned char) * COUNT
+ COUNT
, ...)
)
// 2-factor product with sizeof(type/expression) and identifier or constant.
@@
type TYPE;
expression THING;
identifier COUNT_ID;
constant COUNT_CONST;
@@
(
- kmalloc
+ kmalloc_array
(
- sizeof(TYPE) * (COUNT_ID)
+ COUNT_ID, sizeof(TYPE)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(TYPE) * COUNT_ID
+ COUNT_ID, sizeof(TYPE)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(TYPE) * (COUNT_CONST)
+ COUNT_CONST, sizeof(TYPE)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(TYPE) * COUNT_CONST
+ COUNT_CONST, sizeof(TYPE)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(THING) * (COUNT_ID)
+ COUNT_ID, sizeof(THING)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(THING) * COUNT_ID
+ COUNT_ID, sizeof(THING)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(THING) * (COUNT_CONST)
+ COUNT_CONST, sizeof(THING)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(THING) * COUNT_CONST
+ COUNT_CONST, sizeof(THING)
, ...)
)
// 2-factor product, only identifiers.
@@
identifier SIZE, COUNT;
@@
- kmalloc
+ kmalloc_array
(
- SIZE * COUNT
+ COUNT, SIZE
, ...)
// 3-factor product with 1 sizeof(type) or sizeof(expression), with
// redundant parens removed.
@@
expression THING;
identifier STRIDE, COUNT;
type TYPE;
@@
(
kmalloc(
- sizeof(TYPE) * (COUNT) * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
kmalloc(
- sizeof(TYPE) * (COUNT) * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
kmalloc(
- sizeof(TYPE) * COUNT * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
kmalloc(
- sizeof(TYPE) * COUNT * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
kmalloc(
- sizeof(THING) * (COUNT) * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
|
kmalloc(
- sizeof(THING) * (COUNT) * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
|
kmalloc(
- sizeof(THING) * COUNT * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
|
kmalloc(
- sizeof(THING) * COUNT * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
)
// 3-factor product with 2 sizeof(variable), with redundant parens removed.
@@
expression THING1, THING2;
identifier COUNT;
type TYPE1, TYPE2;
@@
(
kmalloc(
- sizeof(TYPE1) * sizeof(TYPE2) * COUNT
+ array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
, ...)
|
kmalloc(
- sizeof(TYPE1) * sizeof(THING2) * (COUNT)
+ array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
, ...)
|
kmalloc(
- sizeof(THING1) * sizeof(THING2) * COUNT
+ array3_size(COUNT, sizeof(THING1), sizeof(THING2))
, ...)
|
kmalloc(
- sizeof(THING1) * sizeof(THING2) * (COUNT)
+ array3_size(COUNT, sizeof(THING1), sizeof(THING2))
, ...)
|
kmalloc(
- sizeof(TYPE1) * sizeof(THING2) * COUNT
+ array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
, ...)
|
kmalloc(
- sizeof(TYPE1) * sizeof(THING2) * (COUNT)
+ array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
, ...)
)
// 3-factor product, only identifiers, with redundant parens removed.
@@
identifier STRIDE, SIZE, COUNT;
@@
(
kmalloc(
- (COUNT) * STRIDE * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- COUNT * (STRIDE) * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- COUNT * STRIDE * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- (COUNT) * (STRIDE) * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- COUNT * (STRIDE) * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- (COUNT) * STRIDE * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- (COUNT) * (STRIDE) * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- COUNT * STRIDE * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
)
// Any remaining multi-factor products, first at least 3-factor products,
// when they're not all constants...
@@
expression E1, E2, E3;
constant C1, C2, C3;
@@
(
kmalloc(C1 * C2 * C3, ...)
|
kmalloc(
- (E1) * E2 * E3
+ array3_size(E1, E2, E3)
, ...)
|
kmalloc(
- (E1) * (E2) * E3
+ array3_size(E1, E2, E3)
, ...)
|
kmalloc(
- (E1) * (E2) * (E3)
+ array3_size(E1, E2, E3)
, ...)
|
kmalloc(
- E1 * E2 * E3
+ array3_size(E1, E2, E3)
, ...)
)
// And then all remaining 2 factors products when they're not all constants,
// keeping sizeof() as the second factor argument.
@@
expression THING, E1, E2;
type TYPE;
constant C1, C2, C3;
@@
(
kmalloc(sizeof(THING) * C2, ...)
|
kmalloc(sizeof(TYPE) * C2, ...)
|
kmalloc(C1 * C2 * C3, ...)
|
kmalloc(C1 * C2, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(TYPE) * (E2)
+ E2, sizeof(TYPE)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(TYPE) * E2
+ E2, sizeof(TYPE)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(THING) * (E2)
+ E2, sizeof(THING)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(THING) * E2
+ E2, sizeof(THING)
, ...)
|
- kmalloc
+ kmalloc_array
(
- (E1) * E2
+ E1, E2
, ...)
|
- kmalloc
+ kmalloc_array
(
- (E1) * (E2)
+ E1, E2
, ...)
|
- kmalloc
+ kmalloc_array
(
- E1 * E2
+ E1, E2
, ...)
)
Signed-off-by: Kees Cook <keescook@chromium.org>
2018-06-12 20:55:00 +00:00
|
|
|
char *mask = kmalloc_array(w, vc->vc_font.height, GFP_ATOMIC);
|
2005-04-16 22:20:36 +00:00
|
|
|
int cur_height, size, i = 0;
|
|
|
|
|
u8 msk = 0xff;
|
|
|
|
|
|
|
|
|
|
if (!mask)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
kfree(ops->cursor_state.mask);
|
|
|
|
|
ops->cursor_state.mask = mask;
|
|
|
|
|
|
2006-01-10 04:52:56 +00:00
|
|
|
ops->p->cursor_shape = vc->vc_cursor_type;
|
2005-04-16 22:20:36 +00:00
|
|
|
cursor.set |= FB_CUR_SETSHAPE;
|
|
|
|
|
|
2020-06-15 07:48:57 +00:00
|
|
|
switch (CUR_SIZE(ops->p->cursor_shape)) {
|
2005-04-16 22:20:36 +00:00
|
|
|
case CUR_NONE:
|
|
|
|
|
cur_height = 0;
|
|
|
|
|
break;
|
|
|
|
|
case CUR_UNDERLINE:
|
|
|
|
|
cur_height = (vc->vc_font.height < 10) ? 1 : 2;
|
|
|
|
|
break;
|
|
|
|
|
case CUR_LOWER_THIRD:
|
|
|
|
|
cur_height = vc->vc_font.height/3;
|
|
|
|
|
break;
|
|
|
|
|
case CUR_LOWER_HALF:
|
|
|
|
|
cur_height = vc->vc_font.height >> 1;
|
|
|
|
|
break;
|
|
|
|
|
case CUR_TWO_THIRDS:
|
|
|
|
|
cur_height = (vc->vc_font.height << 1)/3;
|
|
|
|
|
break;
|
|
|
|
|
case CUR_BLOCK:
|
|
|
|
|
default:
|
|
|
|
|
cur_height = vc->vc_font.height;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
size = (vc->vc_font.height - cur_height) * w;
|
|
|
|
|
while (size--)
|
|
|
|
|
mask[i++] = ~msk;
|
|
|
|
|
size = cur_height * w;
|
|
|
|
|
while (size--)
|
|
|
|
|
mask[i++] = msk;
|
|
|
|
|
}
|
|
|
|
|
|
2024-01-22 11:03:43 +00:00
|
|
|
ops->cursor_state.enable = enable && !use_sw;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
cursor.image.data = src;
|
|
|
|
|
cursor.image.fg_color = ops->cursor_state.image.fg_color;
|
|
|
|
|
cursor.image.bg_color = ops->cursor_state.image.bg_color;
|
|
|
|
|
cursor.image.dx = ops->cursor_state.image.dx;
|
|
|
|
|
cursor.image.dy = ops->cursor_state.image.dy;
|
|
|
|
|
cursor.image.height = ops->cursor_state.image.height;
|
|
|
|
|
cursor.image.width = ops->cursor_state.image.width;
|
|
|
|
|
cursor.hot.x = ops->cursor_state.hot.x;
|
|
|
|
|
cursor.hot.y = ops->cursor_state.hot.y;
|
|
|
|
|
cursor.mask = ops->cursor_state.mask;
|
|
|
|
|
cursor.enable = ops->cursor_state.enable;
|
|
|
|
|
cursor.image.depth = 1;
|
|
|
|
|
cursor.rop = ROP_XOR;
|
|
|
|
|
|
2005-11-07 09:00:35 +00:00
|
|
|
if (info->fbops->fb_cursor)
|
|
|
|
|
err = info->fbops->fb_cursor(info, &cursor);
|
|
|
|
|
|
|
|
|
|
if (err)
|
|
|
|
|
soft_cursor(info, &cursor);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
ops->cursor_reset = 0;
|
|
|
|
|
}
|
|
|
|
|
|
[PATCH] fbcon: Console Rotation - Prepare fbcon for console rotation
This patch series implements generic code to rotate the console at 90, 180,
and 270 degrees. The implementation is completely done in the framebuffer
console level, thus no changes to the framebuffer layer or to the drivers
are needed.
Console rotation is required by some Sharp-based devices where the natural
orientation of the display is not at 0 degrees. Also, users that have
displays that can pivot will benefit by having a console in portrait mode
if they so desire.
The choice to implement the code in the console layer rather than in the
framebuffer layer is due to the following reasons:
- it's fast
- it does not require driver changes
- it can coexist with devices that can rotate the display at the hardware level
- it complements graphics applications that can do display rotation
The changes to core fbcon are minimal-- recognition of the console
rotation angle so it can swap directions, origins and axes (xres vs yres,
xpanstep vs ypanstep, xoffset vs yoffset, etc) and storage of the rotation
angle per display. The bulk of the code that does the actual drawing to the
screen are placed in separate files. Each angle of rotation has separate
methods (bmove, clear, putcs, cursor, update_start which is derived from
update_var, and clear_margins). To mimimize processing time, the fontdata
are pre-rotated at each console switch (only if the font or the angle has
changed).
The option can be compiled out (CONFIG_FRAMEBUFFER_CONSOLE_ROTATION = n) if
rotation is not needed.
Choosing the rotation angle can be done in several ways:
1. boot option fbcon=rotate:n, where
n = 0 - normal
n = 1 - 90 degrees (clockwise)
n = 2 - 180 degrees (upside down)
n = 3 - 270 degrees (counterclockwise)
2. echo n > /sys/class/graphics/fb[num]/con_rotate
where n is the same as described above. It sets the angle of rotation
of the current console
3 echo n > /sys/class/graphics/fb[num]/con_rotate_all
where n is the same as described above. Globally sets the angle of
rotation.
GOTCHAS:
The option, especially at angles of 90 and 270 degrees, will exercise
the least used code of drivers. Namely, at these angles, panning is done
in the x-axis, so it can reveal bugs in the driver if xpanstep is set
incorrectly. A workaround is to set xpanstep = 0.
Secondly, at these angles, the framebuffer memory access can be
unaligned if (fontheight * bpp) % 32 ~= 0 which can reveal bugs in the drivers
imageblit, fillrect and copyarea functions. (I think cfbfillrect may have
this buglet). A workaround is to use a standard 8x16 font.
Speed:
The scrolling speed difference between 0 and 180 degrees is minimal,
somewhere areound 1-2%. At 90 or 270 degress, speed drops down to a vicinity
of 30-40%. This is understandable because the blit direction is across the
framebuffer "direction." Scrolling will be helped at these angles if xpanstep
is not equal to zero, use of 8x16 fonts, and setting xres_virtual >= xres * 2.
Note: The code is tested on little-endian only, so I don't know if it will
work in big-endian. Please let me know, it will take only less than a minute
of your time.
This patch prepares fbcon for console rotation and contains the following
changes:
- add rotate field in struct fbcon_ops to keep fbcon's current rotation
angle
- add con_rotate field in struct display to store per-display rotation angle
- create a private copy of the current var to fbcon. This will prevent
fbcon from directly manipulating info->var, especially the fields xoffset,
yoffset and vmode.
- add ability to swap pertinent axes (xres, yres; xpanstep, ypanstep; etc)
depending on the rotation angle
- change global update_var() (function that sets the screen start address)
as an fbcon method update_start. This is required because the axes, start
offset, and/or direction can be reversed depending on the rotation angle.
- add fbcon method rotate_font() which will rotate each character bitmap to
the correct angle of rotation.
- add fbcon boot option 'rotate' to select the angle of rotation at bootime.
Currently does nothing until all patches are applied.
Signed-off-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-11-09 05:39:09 +00:00
|
|
|
static int bit_update_start(struct fb_info *info)
|
|
|
|
|
{
|
|
|
|
|
struct fbcon_ops *ops = info->fbcon_par;
|
|
|
|
|
int err;
|
|
|
|
|
|
|
|
|
|
err = fb_pan_display(info, &ops->var);
|
|
|
|
|
ops->var.xoffset = info->var.xoffset;
|
|
|
|
|
ops->var.yoffset = info->var.yoffset;
|
|
|
|
|
ops->var.vmode = info->var.vmode;
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
void fbcon_set_bitops(struct fbcon_ops *ops)
|
|
|
|
|
{
|
Revert "fbdev: Garbage collect fbdev scrolling acceleration, part 1 (from TODO list)"
This reverts commit b3ec8cdf457e5e63d396fe1346cc788cf7c1b578.
Revert the second (of 2) commits which disabled scrolling acceleration
in fbcon/fbdev. It introduced a regression for fbdev-supported graphic
cards because of the performance penalty by doing screen scrolling by
software instead of using the existing graphic card 2D hardware
acceleration.
Console scrolling acceleration was disabled by dropping code which
checked at runtime the driver hardware capabilities for the
BINFO_HWACCEL_COPYAREA or FBINFO_HWACCEL_FILLRECT flags and if set, it
enabled scrollmode SCROLL_MOVE which uses hardware acceleration to move
screen contents. After dropping those checks scrollmode was hard-wired
to SCROLL_REDRAW instead, which forces all graphic cards to redraw every
character at the new screen position when scrolling.
This change effectively disabled all hardware-based scrolling acceleration for
ALL drivers, because now all kind of 2D hardware acceleration (bitblt,
fillrect) in the drivers isn't used any longer.
The original commit message mentions that only 3 DRM drivers (nouveau, omapdrm
and gma500) used hardware acceleration in the past and thus code for checking
and using scrolling acceleration is obsolete.
This statement is NOT TRUE, because beside the DRM drivers there are around 35
other fbdev drivers which depend on fbdev/fbcon and still provide hardware
acceleration for fbdev/fbcon.
The original commit message also states that syzbot found lots of bugs in fbcon
and thus it's "often the solution to just delete code and remove features".
This is true, and the bugs - which actually affected all users of fbcon,
including DRM - were fixed, or code was dropped like e.g. the support for
software scrollback in vgacon (commit 973c096f6a85).
So to further analyze which bugs were found by syzbot, I've looked through all
patches in drivers/video which were tagged with syzbot or syzkaller back to
year 2005. The vast majority fixed the reported issues on a higher level, e.g.
when screen is to be resized, or when font size is to be changed. The few ones
which touched driver code fixed a real driver bug, e.g. by adding a check.
But NONE of those patches touched code of either the SCROLL_MOVE or the
SCROLL_REDRAW case.
That means, there was no real reason why SCROLL_MOVE had to be ripped-out and
just SCROLL_REDRAW had to be used instead. The only reason I can imagine so far
was that SCROLL_MOVE wasn't used by DRM and as such it was assumed that it
could go away. That argument completely missed the fact that SCROLL_MOVE is
still heavily used by fbdev (non-DRM) drivers.
Some people mention that using memcpy() instead of the hardware acceleration is
pretty much the same speed. But that's not true, at least not for older graphic
cards and machines where we see speed decreases by factor 10 and more and thus
this change leads to console responsiveness way worse than before.
That's why the original commit is to be reverted. By reverting we
reintroduce hardware-based scrolling acceleration and fix the
performance regression for fbdev drivers.
There isn't any impact on DRM when reverting those patches.
Signed-off-by: Helge Deller <deller@gmx.de>
Acked-by: Geert Uytterhoeven <geert@linux-m68k.org>
Acked-by: Sven Schnelle <svens@stackframe.org>
Cc: stable@vger.kernel.org # v5.16+
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20220202135531.92183-2-deller@gmx.de
2022-02-02 13:55:29 +00:00
|
|
|
ops->bmove = bit_bmove;
|
2005-04-16 22:20:36 +00:00
|
|
|
ops->clear = bit_clear;
|
|
|
|
|
ops->putcs = bit_putcs;
|
|
|
|
|
ops->clear_margins = bit_clear_margins;
|
|
|
|
|
ops->cursor = bit_cursor;
|
[PATCH] fbcon: Console Rotation - Prepare fbcon for console rotation
This patch series implements generic code to rotate the console at 90, 180,
and 270 degrees. The implementation is completely done in the framebuffer
console level, thus no changes to the framebuffer layer or to the drivers
are needed.
Console rotation is required by some Sharp-based devices where the natural
orientation of the display is not at 0 degrees. Also, users that have
displays that can pivot will benefit by having a console in portrait mode
if they so desire.
The choice to implement the code in the console layer rather than in the
framebuffer layer is due to the following reasons:
- it's fast
- it does not require driver changes
- it can coexist with devices that can rotate the display at the hardware level
- it complements graphics applications that can do display rotation
The changes to core fbcon are minimal-- recognition of the console
rotation angle so it can swap directions, origins and axes (xres vs yres,
xpanstep vs ypanstep, xoffset vs yoffset, etc) and storage of the rotation
angle per display. The bulk of the code that does the actual drawing to the
screen are placed in separate files. Each angle of rotation has separate
methods (bmove, clear, putcs, cursor, update_start which is derived from
update_var, and clear_margins). To mimimize processing time, the fontdata
are pre-rotated at each console switch (only if the font or the angle has
changed).
The option can be compiled out (CONFIG_FRAMEBUFFER_CONSOLE_ROTATION = n) if
rotation is not needed.
Choosing the rotation angle can be done in several ways:
1. boot option fbcon=rotate:n, where
n = 0 - normal
n = 1 - 90 degrees (clockwise)
n = 2 - 180 degrees (upside down)
n = 3 - 270 degrees (counterclockwise)
2. echo n > /sys/class/graphics/fb[num]/con_rotate
where n is the same as described above. It sets the angle of rotation
of the current console
3 echo n > /sys/class/graphics/fb[num]/con_rotate_all
where n is the same as described above. Globally sets the angle of
rotation.
GOTCHAS:
The option, especially at angles of 90 and 270 degrees, will exercise
the least used code of drivers. Namely, at these angles, panning is done
in the x-axis, so it can reveal bugs in the driver if xpanstep is set
incorrectly. A workaround is to set xpanstep = 0.
Secondly, at these angles, the framebuffer memory access can be
unaligned if (fontheight * bpp) % 32 ~= 0 which can reveal bugs in the drivers
imageblit, fillrect and copyarea functions. (I think cfbfillrect may have
this buglet). A workaround is to use a standard 8x16 font.
Speed:
The scrolling speed difference between 0 and 180 degrees is minimal,
somewhere areound 1-2%. At 90 or 270 degress, speed drops down to a vicinity
of 30-40%. This is understandable because the blit direction is across the
framebuffer "direction." Scrolling will be helped at these angles if xpanstep
is not equal to zero, use of 8x16 fonts, and setting xres_virtual >= xres * 2.
Note: The code is tested on little-endian only, so I don't know if it will
work in big-endian. Please let me know, it will take only less than a minute
of your time.
This patch prepares fbcon for console rotation and contains the following
changes:
- add rotate field in struct fbcon_ops to keep fbcon's current rotation
angle
- add con_rotate field in struct display to store per-display rotation angle
- create a private copy of the current var to fbcon. This will prevent
fbcon from directly manipulating info->var, especially the fields xoffset,
yoffset and vmode.
- add ability to swap pertinent axes (xres, yres; xpanstep, ypanstep; etc)
depending on the rotation angle
- change global update_var() (function that sets the screen start address)
as an fbcon method update_start. This is required because the axes, start
offset, and/or direction can be reversed depending on the rotation angle.
- add fbcon method rotate_font() which will rotate each character bitmap to
the correct angle of rotation.
- add fbcon boot option 'rotate' to select the angle of rotation at bootime.
Currently does nothing until all patches are applied.
Signed-off-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-11-09 05:39:09 +00:00
|
|
|
ops->update_start = bit_update_start;
|
|
|
|
|
ops->rotate_font = NULL;
|
|
|
|
|
|
|
|
|
|
if (ops->rotate)
|
|
|
|
|
fbcon_set_rotate(ops);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|