Catalin and kmemleak spotted a leak of a VC screen buffer in
vc_allocate() due to the following chain of events:

	vc_allocate()
	  visual_init(init=1)
	    vc->vc_sw->con_init(init=1)
              fbcon_init()
	        vc_resize()
	          vc->screen_buf = kmalloc()
	  vc->screen_buf = kmalloc()

The common way for the VC drivers is to set the screen dimension
parameters manually in the init case and only call vc_resize() for
!init - which allocates a screen buffer according to the new
dimensions.

fbcon instead would do vc_resize() unconditionally and afterwards set
the dimensions manually (again) for !init - i.e. completely upside
down.  The vc_resize() allocated buffer would then get lost by
vc_allocate() allocating a fresh one.

Use vc_resize() only for actual resizing to close the leak.

Set the dimensions manually only in initialization mode to remove the
redundant setting in resize mode.

The kmemleak trace from Catalin:

unreferenced object 0xde158000 (size 12288):
  comm "Xorg", pid 1439, jiffies 4294961016
  hex dump (first 32 bytes):
    20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00   . . . . . . . .
    20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00   . . . . . . . .
  backtrace:
    [<c006f74b>] __save_stack_trace+0x17/0x1c
    [<c006f81d>] create_object+0xcd/0x188
    [<c01f5457>] kmemleak_alloc+0x1b/0x3c
    [<c006e303>] __kmalloc+0xdb/0xe8
    [<c012cc4b>] vc_do_resize+0x73/0x1e0
    [<c012cdf1>] vc_resize+0x15/0x18
    [<c011afc1>] fbcon_init+0x1f9/0x2b8
    [<c0129e87>] visual_init+0x9f/0xdc
    [<c012aff3>] vc_allocate+0x7f/0xfc
    [<c012b087>] con_open+0x17/0x80
    [<c0120e43>] tty_open+0x1f7/0x2e4
    [<c0072fa1>] chrdev_open+0x101/0x118
    [<c006ffad>] __dentry_open+0x105/0x1cc
    [<c00700fd>] nameidata_to_filp+0x2d/0x38
    [<c00788cd>] do_filp_open+0x2c1/0x54c
    [<c006fdff>] do_sys_open+0x3b/0xb4
Reported-by: NCatalin Marinas <catalin.marinas@arm.com>
Signed-off-by: NJohannes Weiner <hannes@cmpxchg.org>
Tested-by: NCatalin Marinas <catalin.marinas@arm.com>
Cc: Pekka Enberg <penberg@cs.helsinki.fi>
Cc: Krzysztof Helt <krzysztof.h1@poczta.fm>
Tested-by: NDave Young <hidave.darkstar@gmail.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

This fixes a bug caused by changing pointers (viafb_mode, viafb_mode1)
assigned by module_param.  It reduces driver complexity by not needlessly
changing these vars as they are only read once and removing now
superfluous code.

On unpatched kernels loading viafb with viafb_mode or viafb_mode1 option
used and afterwards unloading it results in:

kernel BUG at mm/slub.c:2926!
invalid opcode: 0000 [#1] PREEMPT
last sysfs file: /sys/devices/virtual/block/loop0/removable
Modules linked in: snd_hda_codec_realtek snd_hda_intel snd_hda_codec
snd_hwdep snd_pcm rtl8187 snd_timer eeprom_93cx6 mmc_block snd soundcore
via_sdmmc fb snd_page_alloc i2c_algo_bit i2c_viapro ehci_hcd uhci_hcd
cfbcopyarea mmc_core cfbimgblt cfbfillrect video output [last unloaded:
viafb]

  Pid: 3355, comm: rmmod Not tainted (2.6.31-rc1 #0)
  EIP: 0060:[<c106a759>] EFLAGS: 00010246 CPU: 0
  EIP is at kfree+0x80/0xda
  EAX: c17c2da0 EBX: dc7edbdc ECX: 0000010f EDX: 00000000
  ESI: c102c700 EDI: dc7ed8fa EBP: d703ff2c ESP: d703ff20
   DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
  Process rmmod (pid: 3355, ti=d703e000 task=db1412c0 task.ti=d703e000)
  Stack:
   dc7edbdc 00000014 00000016 d703ff40 c102c700 dc7f45d4 dc7f45d4 00000880
   d703ff4c c103e571 00000000 d703ffac c103e751 66616976 da140062 db89ba80
   00000328 d702edf8 db89ba80 d703ff9c c105d0f0 00000200 da14f898 00000014
  Call Trace:
   [<c102c700>] ? destroy_params+0x1e/0x2b
   [<c103e571>] ? free_module+0xa2/0xd7
   [<c103e751>] ? sys_delete_module+0x1ab/0x1da
   [<c105d0f0>] ? do_munmap+0x20a/0x225
   [<c10029b4>] ? sysenter_do_call+0x12/0x26
  Code: 10 76 7a 8d 87 00 00 00 40 c1 e8 0c c1 e0 05 03 05 1c 87 41 c1 66 83 38 00 79 03 8b 40 0c 8b 10 84 d2 78 12 66 f7 c2 00 c0 75 04 <0f> 0b eb fe e8 6f 5a fe ff eb 47 8b 55 04 8b 58 0c 9c 5e fa 3b
  EIP: [<c106a759>] kfree+0x80/0xda SS:ESP 0068:d703ff20

This is caused by the current code changing the pointers assigned by
module_param.  During unload it tries to free the memory the pointers
point at which is now part of an internal structure.

The patch simply avoids changing the pointers.  This is okay as they are
read only once during the initialization process.
Signed-off-by: NFlorian Tobias Schandinat <FlorianSchandinat@gmx.de>
Cc: Scott Fang <ScottFang@viatech.com.cn>
Cc: Joseph Chan <JosephChan@via.com.tw>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Fix the rotate_ud() function not to crash in case of a font which has not
a width of multiple by 8: The inner loop of the font pixel copy should not
access a bit outside the font memory area.  Subtract the shift offset from
the font width will prevent this.
Signed-off-by: NStefani Seibold <stefani@seibold.net>
Cc: Krzysztof Helt <krzysztof.h1@poczta.fm>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Signed-off-by: NHelge Deller <deller@gmx.de>

Signed-off-by: NKristoffer Ericson <kristoffer.ericson@gmail.com>
Cc: Richard Purdie <rpurdie@rpsys.net>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Fixed off-by-one bug in loop indexes - some elements beyond windows' array
were accessed, which might result in memory access violations when
removing/suspending the device.
Signed-off-by: NPawel Osciak <p.osciak@samsung.com>
Reviewed-by: NKyungmin Park <kyungmin.park@samsung.com>
Signed-off-by: NMarek Szyprowski <m.szyprowski@samsung.com>
Cc: Krzysztof Helt <krzysztof.h1@poczta.fm>
Cc: Ben Dooks <ben-linux@fluff.org>
Cc: Russell King <rmk@arm.linux.org.uk>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

There's some odd bug in gcc-4.2 where it miscompiles a simple loop whent
he loop counter is of type 'unsigned char' and it should count to 128.

The compiler will incorrectly decide that a trivial loop like this:

	unsigned char i, ...

	for (i = 0; i < 128; i++) {
		..

is endless, and will compile it to a single instruction that just
branches to itself.

This was triggered by the addition of '-fno-strict-overflow', and we
could play games with compiler versions and go back to '-fwrapv'
instead, but the trivial way to avoid it is to just make the loop
induction variable be an 'int' instead.

Thanks to Krzysztof Oledzki for reporting and testing and to Troy Moure
for digging through assembler differences and finding it.
Reported-and-tested-by: NKrzysztof Oledzki <olel@ans.pl>
Found-by: NTroy Moure <twmoure@szypr.net>
Gcc-bug-acked-by: NIan Lance Taylor <iant@google.com>
Cc: stable@kernel.org
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Users get confused by this driver.  It's really a special purpose
embedded driver, and causes a lot of problems if enabled.  So hide it
under EMBEDDED by default, and make sure it doesn't get enabled with
the i915 DRM driver.

Dave, I'm hoping you can feed this to Linus through your tree.  It's
appropriate for 2.6.31 I think.
Signed-off-by: NJesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: NDave Airlie <airlied@linux.ie>

dev_set/get_drvdata() should be used instead, as driver_data is going
away.


Cc: Imre Deak <imre.deak@nokia.com>
Cc: Russell King <rmk+kernel@arm.linux.org.uk>
Cc: Andrew Morton <akpm@linux-foundation.org>
Acked-by: NTrilok Soni <soni.trilok@gmail.com>
Cc: Tony Lindgren <tony@atomide.com>
Cc: Felipe Contreras <felipe.contreras@nokia.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

* Remove smp_lock.h from files which don't need it (including some headers!)
* Add smp_lock.h to files which do need it
* Make smp_lock.h include conditional in hardirq.h
  It's needed only for one kernel_locked() usage which is under CONFIG_PREEMPT

  This will make hardirq.h inclusion cheaper for every PREEMPT=n config
  (which includes allmodconfig/allyesconfig, BTW)
Signed-off-by: NAlexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Remove call to the mx3fb_set_par() and the mx3fb_blank() before the
register_framebuffer().

This fixes a problem with uninitialized the fb_info->mm_lock mutex
introduced by the commit 537a1bf0 " fbdev: add mutex for fb_mmap
locking"
Signed-off-by: NKrzysztof Helt <krzysztof.h1@wp.pl>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Remove call to the fb_set_par() before the register_framebuffer().

This fixes a problem with uninitialized the fb_info->mm_lock mutex
introduced by the commit 537a1bf0 " fbdev: add mutex for fb_mmap
locking"
Signed-off-by: NKrzysztof Helt <krzysztof.h1@wp.pl>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Remove not needed locking of the fb_info->mm_lock mutex before a
frambuffer is registered.

This fixes a problem with uninitialized the fb_info->mm_lock mutex
introduced by the commit 537a1bf0 " fbdev: add mutex for fb_mmap
locking"
Signed-off-by: NKrzysztof Helt <krzysztof.h1@wp.pl>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Remove call to the fsl_diu_set_par before the register_framebuffer().

This fixes a problem with uninitialized the fb_info->mm_lock mutex
introduced by the commit 537a1bf0 " fbdev: add mutex for fb_mmap
locking"
Signed-off-by: NKrzysztof Helt <krzysztof.h1@wp.pl>
Tested-by: N"Kai Jiang" <b18973@freescale.com>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Commit 5fd29d6c ("printk: clean up
handling of log-levels and newlines") changed printk semantics.  printk
lines with multiple KERN_<level> prefixes are no longer emitted as
before the patch.

<level> is now included in the output on each additional use.

Remove all uses of multiple KERN_<level>s in formats.
Signed-off-by: NJoe Perches <joe@perches.com>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

This reverts commit 4148df9b.

Let's hope that the mm_lock initialization is now correct with all
drivers, following Krzysztof's patches.
Requested-by: NKrzysztof Helt <krzysztof.h1@poczta.fm>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Remove redundant locking by the mm_lock mutex before a second head of
matrox framebuffer is registered.

This fixes a problem with uninitialized the fb_info->mm_lock mutex
introduced by the commit 537a1bf0 " fbdev: add mutex for fb_mmap
locking"
Signed-off-by: NKrzysztof Helt <krzysztof.h1@wp.pl>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Remove redundant call to the matroxfb_update_fix() before matrox
frambuffer is registered.

This fixes a problem with uninitialized the fb_info->mm_lock mutex
introduced by the commit 537a1bf0 " fbdev: add mutex for fb_mmap
locking"
Signed-off-by: NKrzysztof Helt <krzysztof.h1@wp.pl>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Remove redundant call to the w100fb_set_par() before w100 frambuffer is
registered.

This fixes a problem with uninitialized the fb_info->mm_lock mutex
introduced by the commit 537a1bf0 " fbdev: add mutex for fb_mmap
locking"
Signed-off-by: NKrzysztof Helt <krzysztof.h1@wp.pl>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Remove redundant locking of the fb_info->mm_lock mutex before the
frambuffer is registered.

This fixes a problem with uninitialized the fb_info->mm_lock mutex
introduced by the commit 537a1bf0 " fbdev: add mutex for fb_mmap
locking"
Signed-off-by: NKrzysztof Helt <krzysztof.h1@wp.pl>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Remove redundant call to the encode_fix() before i810 frambuffer is
registered.

This fixes a problem with uninitialized the fb_info->mm_lock mutex
introduced by the commit 537a1bf0 " fbdev: add mutex for fb_mmap
locking"
Signed-off-by: NKrzysztof Helt <krzysztof.h1@wp.pl>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

A trivial update to move hitfb over to dev_pm_ops.
Signed-off-by: NPaul Mundt <lethal@linux-sh.org>

Follows the sh_mobile_lcdcfb change.

Also fixes up a memory leak with cmap allocation.
Signed-off-by: NPaul Mundt <lethal@linux-sh.org>

All fb_info structures need to be allocated with framebuffer_alloc() due
to special initialization. Switch over to it.
Signed-off-by: NPaul Mundt <lethal@linux-sh.org>

This way they'll be properly initialized early enough for users that may
touch them before the framebuffer has been registered.

Drivers that allocate their fb_info structure some other way (like
matrocfb's broken static allocation) need to be fixed up appropriately.
Signed-off-by: NPaul Mundt <lethal@linux-sh.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Correct the CLKVAL_F field value of VIDEO MAIN CONTROLLER 0 REGITSTER.

Frame Rate is 1 / [ { (VSPW+1) + (VBPD+1) + (LIINEVAL + 1) + (VFPD+1)
} x {(HSPW+1) + (HBPD +1)
+ (HFPD+1) + (HOZVAL + 1) } x { ( CLKVAL+1 ) / ( Frequency of Clock
source ) } ] and VCLK = Video Clock Source / (CLKVAL +1).

therefore CLKVAL_F should be "CLKVAL_F = Frequency of Clock source / pixel
clock * refresh".

for this, I added refresh value in platform data like below.

static struct s3c_fb_pd_win xxx_fb_win0 = {
	/* this is to ensure we use win0 */
	.win_mode = {
		.refresh	= 60,
		.pixclock	= (66+4+2+480)*(15+5+3+800),
		.left_margin	= 66,
		.right_margin	= 2,
		.upper_margin	= 15,
		.lower_margin	= 3,
		.hsync_len	= 4,
		.vsync_len	= 5,
		.xres		= 480,
		.yres		= 800,
	},
	.max_bpp	= 32,
	.default_bpp	= 24,
};

static struct s3c_fb_platdata xxx_lcd_pdata __initdata = {
	.win[0]		= &xxx_fb_win0,
	.vidcon0	= VIDCON0_VIDOUT_RGB | VIDCON0_PNRMODE_RGB,
	.vidcon1	= VIDCON1_INV_HSYNC | VIDCON1_INV_VSYNC
			| VIDCON1_INV_VCLK | VIDCON1_INV_VDEN,
	.setup_gpio	= s5pc1xx_fb_gpio_setup_24bpp,
};

xxx_machine_init()
{
                   .
                   .
                   .
               s3c_fb_set_platdata(&xxx_lcd_pdata);
}

platform data defined in machine code should be setting using
s3c_fb_set_platdata().
Signed-off-by: NInKi Dae <inki.dae@samsung.com>
Cc: Kyungmin Park <kmpark@infradead.org>
Cc: Krzysztof Helt <krzysztof.h1@poczta.fm>
Cc: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Remove redundant call to the sisfb_get_fix() before sis frambuffer is
registered.

This fixes a problem with uninitialized the fb_info->mm_lock mutex
introduced by the commit 537a1bf0 " fbdev: add mutex for fb_mmap
locking"
Signed-off-by: NKrzysztof Helt <krzysztof.h1@wp.pl>
Tested-by: NWu Zhangjin <wuzhangjin@gmail.com>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Commit 537a1bf0 (fbdev: add mutex for
fb_mmap locking) introduces a ->mm_lock mutex for protecting smem
assignments. Unfortunately in the case of sm501fb these happen quite
early in the initialization code, well before the mutex_init() that takes
place in register_framebuffer(), leading to:

   Badness at kernel/mutex.c:207

   Pid : 1, Comm:          swapper
   CPU : 0                 Not tainted  (2.6.31-rc1-00284-g529ba0d9-dirty #2273)

   PC is at __mutex_lock_slowpath+0x72/0x1bc
   PR is at __mutex_lock_slowpath+0x66/0x1bc
   ...

matroxfb appears to have the same issue and has solved it with an early
mutex_init(), so we do the same for sm501fb.
Signed-off-by: NPaul Mundt <lethal@linux-sh.org>
Cc: Krzysztof Helt <krzysztof.h1@wp.pl>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Signed-off-by: NYoichi Yuasa <yuasa@linux-mips.org>
Signed-off-by: NRalf Baechle <ralf@linux-mips.org>

When suspending, pwm-bl sets duty cycle to 0, and shuts down the pwm
device.

This patch ensure that the platform code is called before that
(through the notify callback_, leaving a chance for the platform code
to configure GPIOs (shutting off the backlight, for example), much like
it is done during normal operations.
Signed-off-by: NMarc Zyngier <maz@misterjones.org>
Signed-off-by: NEric Miao <eric.y.miao@gmail.com>

Fix this build error when CONFIG_STI_CONSOLE is not set
drivers/video/stifb.c:1337: undefined reference to `sti_get_rom'
Signed-off-by: NAlexander Beregalov <a.beregalov@gmail.com>
Signed-off-by: NKyle McMartin <kyle@mcmartin.ca>

Since writenotify on uncached vmas is unsupported in 2.6.31,
live with cached framebuffer memory in the deferred io
case for now and flush the dcache before forcing refresh.
Signed-off-by: NPaul Mundt <lethal@linux-sh.org>
Acked-by: NMagnus damm <damm@igel.co.jp>

Block writes require 64 byte alignment.  Since block writes could be used
with SGRAM or WRAM also refine the memory type detection to check for
either type before deciding to use the 64 byte alignment.
Signed-off-by: NVille Syrjala <syrjala@sci.fi>
Tested-by: NMikulas Patocka <mpatocka@redhat.com>
Cc: Krzysztof Helt <krzysztof.h1@poczta.fm>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Apparently HP OmniBook 500's BIOS doesn't like the way atyfb reprograms
the hardware. The BIOS will simply hang after a reboot. Fix the problem
by restoring the hardware to it's original state on reboot.
Signed-off-by: NVille Syrjala <syrjala@sci.fi>
Cc: Mikulas Patocka <mpatocka@redhat.com>
Cc: Krzysztof Helt <krzysztof.h1@poczta.fm>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Add a mutex to avoid a circular locking problem between the mm layer
semaphore and fbdev ioctl mutex through the fb_mmap() call.

Also, add mutex to all places where smem_start and smem_len fields change
so the mutex inside the fb_mmap() is actually used.  Changing of these
fields before calling the framebuffer_register() are not mutexed.

This is 2.6.31 material.  It removes one lockdep (fb_mmap() and
register_framebuffer()) but there is still another one (fb_release() and
register_framebuffer()).  It also cleans up handling of the smem_start and
smem_len fields used by mutexed section of the fb_mmap().
Signed-off-by: NKrzysztof Helt <krzysztof.h1@wp.pl>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Rafael J. Wysocki" <rjw@sisk.pl>
Cc: <stable@kernel.org>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

On bootup nvidiafb prints the following on my Apple G5:

	nvidiafb: CRTC 1appears to have a CRT attached

There should be a space between the '1' and the 'appears'.  Add it.
Signed-off-by: NMikael Pettersson <mikpe@it.uu.se>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

There is  a crash in tdo24m module caused by a call to kmalloc with
the second parameter sizeof(flag) instead of flag.
Signed-off-by: NAviv Laufer <aviv.laufer@gmail.com>
Signed-off-by: NRichard Purdie <rpurdie@linux.intel.com>

Do not accept VESA modes by the "vga=" kernel parameter if there is no
frame buffer driver compiled-in to handle it.

Also, there is a comment added to the Kconfig description after Werner
Lemberg's suggestion

Addresses http://bugzilla.kernel.org/show_bug.cgi?id=13249Signed-off-by: NKrzysztof Helt <krzysztof.h1@wp.pl>
Reported-by: NWerner Lemberg <wl@gnu.org>
Cc: Michal Januszewski <spock@gentoo.org>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

The xilinxfb driver is improperly casting a physical address to a
u32, and the probe routine isn't as straight forward as it could be.
(discovered by gcc spitting out warnings on most recent change to
xilinxfb driver).

This patch fixes the cast and simplifies the probe path.
Signed-off-by: NGrant Likely <grant.likely@secretlab.ca>
Tested-by: NJohn Linn <john.linn@xilinx.com>

Signed-off-by: NMike Frysinger <vapier@gentoo.org>
Cc: Krzysztof Helt <krzysztof.h1@poczta.fm>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>