From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org, jejb@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>, Willy Tarreau <w@1wt.eu>,
Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
Jake Edge <jake@lwn.net>, Eugene Teo <eteo@redhat.com>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Oleg Nesterov <oleg@tv-sign.ru>,
Krzysztof Helt <krzysztof.h1@poczta.fm>
Subject: [patch 01/17] fbcon_set_all_vcs: fix kernel crash when switching the rotated consoles
Date: Sat, 18 Oct 2008 11:33:55 -0700
Message-ID: <20081018183355.GB14035@suse.de>
In-Reply-To: <20081018183334.GA14035@suse.de>
[-- Attachment #1: fbcon_set_all_vcs-fix-kernel-crash-when-switching-the-rotated-consoles.patch --]
[-- Type: text/plain, Size: 4014 bytes --]
2.6.27-stable review patch. If anyone has any objections, please let us
know.
------------------
From: Oleg Nesterov <oleg@tv-sign.ru>
commit 232fb69a53a5ec3f22a8104d447abe4806848a8f upstream
echo 3 >> /sys/class/graphics/fbcon/rotate_all, then switch to another
console. Result:
BUG: unable to handle kernel paging request at ffffc20005d00000
IP: [bitfill_aligned+149/265] bitfill_aligned+0x95/0x109
PGD 7e228067 PUD 7e229067 PMD 7bc1f067 PTE 0
Oops: 0002 [1] SMP
CPU 1
Modules linked in: [...a lot...]
Pid: 10, comm: events/1 Not tainted 2.6.26.5-45.fc9.x86_64 #1
RIP: 0010:[bitfill_aligned+149/265] [bitfill_aligned+149/265] bitfill_aligned+0x95/0x109
RSP: 0018:ffff81007d811bc8 EFLAGS: 00010216
RAX: ffffc20005d00000 RBX: 0000000000000000 RCX: 0000000000000400
RDX: 0000000000000000 RSI: ffffc20005d00000 RDI: ffffffffffffffff
RBP: ffff81007d811be0 R08: 0000000000000400 R09: 0000000000000040
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000010000
R13: ffffffff811632f0 R14: 0000000000000006 R15: ffff81007cb85400
FS: 0000000000000000(0000) GS:ffff81007e004780(0000) knlGS:0000000000000000
CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: ffffc20005d00000 CR3: 0000000000201000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process events/1 (pid: 10, threadinfo ffff81007d810000, task ffff81007d808000)
Stack: ffff81007c9d75a0 0000000000000000 0000000000000000 ffff81007d811c80
ffffffff81163a61 ffff810000000000 ffffffff8115f9c8 0000001000000000
0000000100aaaaaa 000000007cd0d4a0 fffffd8a00000800 0001000000000000
Call Trace:
[cfb_fillrect+523/798] cfb_fillrect+0x20b/0x31e
[soft_cursor+416/436] ? soft_cursor+0x1a0/0x1b4
[ccw_clear_margins+205/263] ccw_clear_margins+0xcd/0x107
[fbcon_clear_margins+59/61] fbcon_clear_margins+0x3b/0x3d
[fbcon_switch+1291/1466] fbcon_switch+0x50b/0x5ba
[redraw_screen+261/481] redraw_screen+0x105/0x1e1
[ccw_cursor+0/1869] ? ccw_cursor+0x0/0x74d
[complete_change_console+48/190] complete_change_console+0x30/0xbe
[change_console+115/120] change_console+0x73/0x78
[console_callback+0/292] ? console_callback+0x0/0x124
[console_callback+97/292] console_callback+0x61/0x124
[schedule_delayed_work+25/30] ? schedule_delayed_work+0x19/0x1e
[run_workqueue+139/282] run_workqueue+0x8b/0x11a
[worker_thread+221/238] worker_thread+0xdd/0xee
[autoremove_wake_function+0/56] ? autoremove_wake_function+0x0/0x38
[worker_thread+0/238] ? worker_thread+0x0/0xee
[kthread+73/118] kthread+0x49/0x76
[child_rip+10/18] child_rip+0xa/0x12
[kthread+0/118] ? kthread+0x0/0x76
[child_rip+0/18] ? child_rip+0x0/0x12
Because fbcon_set_all_vcs()->FBCON_SWAP() uses display->rotate == 0 instead
of fbcon_ops->rotate, and vc_resize() has no effect because it is called with
new_cols/rows == ->vc_cols/rows.
Tested on 2.6.26.5-45.fc9.x86_64, but
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git seems to
have the same problem.
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Krzysztof Helt <krzysztof.h1@poczta.fm>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/video/console/fbcon.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/video/console/fbcon.c
+++ b/drivers/video/console/fbcon.c
@@ -2996,8 +2996,8 @@ static void fbcon_set_all_vcs(struct fb_
p = &fb_display[vc->vc_num];
set_blitting_type(vc, info);
var_to_display(p, &info->var, info);
- cols = FBCON_SWAP(p->rotate, info->var.xres, info->var.yres);
- rows = FBCON_SWAP(p->rotate, info->var.yres, info->var.xres);
+ cols = FBCON_SWAP(ops->rotate, info->var.xres, info->var.yres);
+ rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres);
cols /= vc->vc_font.width;
rows /= vc->vc_font.height;
vc_resize(vc, cols, rows);
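Review bot: At the two changed FBCON_SWAP() lines, `ops` is used but its assignment is not in the hunk's context, so confirm in the full function that it is taken from this `info` before these lines run. The changelog says `p->rotate` is 0 here while `fbcon_ops->rotate` holds the rotation actually in effect; a one-line comment above `cols = FBCON_SWAP(ops->rotate, ...)` stating that would keep a later cleanup from switching it back to `p->rotate`. It also raises the question of whether anything else that reads `p->rotate` after `var_to_display(p, &info->var, info)` sees the same zero value and needs the same treatment. Separately, the return value of `vc_resize(vc, cols, rows)` in the trailing context is ignored, so a failed resize on a rotated console would go unnoticed.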
--