<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/video/fbdev, branch linux-6.16.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>fbcon: Fix OOB access in font allocation</title>
<updated>2025-10-02T11:48:39+00:00</updated>
<author>
<name>Thomas Zimmermann</name>
<email>tzimmermann@suse.de</email>
</author>
<published>2025-09-22T13:45:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fc19489dfaf424397ba8d03b47e8786eaed7b3fc'/>
<id>fc19489dfaf424397ba8d03b47e8786eaed7b3fc</id>
<content type='text'>
commit 9b2f5ef00e852f8e8902a4d4f73aeedc60220c12 upstream.

Commit 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font")
introduced an out-of-bounds access by storing data and allocation sizes
in the same variable. Restore the old size calculation and use the new
variable 'alloc_size' for the allocation.

Signed-off-by: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Fixes: 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font")
Reported-by: Jani Nikula &lt;jani.nikula@linux.intel.com&gt;
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15020
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6201
Cc: Samasth Norway Ananda &lt;samasth.norway.ananda@oracle.com&gt;
Cc: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Cc: George Kennedy &lt;george.kennedy@oracle.com&gt;
Cc: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Cc: Simona Vetter &lt;simona@ffwll.ch&gt;
Cc: Helge Deller &lt;deller@gmx.de&gt;
Cc: "Ville Syrjälä" &lt;ville.syrjala@linux.intel.com&gt;
Cc: Sam Ravnborg &lt;sam@ravnborg.org&gt;
Cc: Qianqiang Liu &lt;qianqiang.liu@163.com&gt;
Cc: Shixiong Ou &lt;oushixiong@kylinos.cn&gt;
Cc: Kees Cook &lt;kees@kernel.org&gt;
Cc: &lt;stable@vger.kernel.org&gt; # v5.9+
Cc: Zsolt Kajtar &lt;soci@c64.rulez.org&gt;
Reviewed-by: Lucas De Marchi &lt;lucas.demarchi@intel.com&gt;
Reviewed-by: Qianqiang Liu &lt;qianqiang.liu@163.com&gt;
Link: https://lore.kernel.org/r/20250922134619.257684-1-tzimmermann@suse.de
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 9b2f5ef00e852f8e8902a4d4f73aeedc60220c12 upstream.

Commit 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font")
introduced an out-of-bounds access by storing data and allocation sizes
in the same variable. Restore the old size calculation and use the new
variable 'alloc_size' for the allocation.

Signed-off-by: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Fixes: 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font")
Reported-by: Jani Nikula &lt;jani.nikula@linux.intel.com&gt;
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15020
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6201
Cc: Samasth Norway Ananda &lt;samasth.norway.ananda@oracle.com&gt;
Cc: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Cc: George Kennedy &lt;george.kennedy@oracle.com&gt;
Cc: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Cc: Simona Vetter &lt;simona@ffwll.ch&gt;
Cc: Helge Deller &lt;deller@gmx.de&gt;
Cc: "Ville Syrjälä" &lt;ville.syrjala@linux.intel.com&gt;
Cc: Sam Ravnborg &lt;sam@ravnborg.org&gt;
Cc: Qianqiang Liu &lt;qianqiang.liu@163.com&gt;
Cc: Shixiong Ou &lt;oushixiong@kylinos.cn&gt;
Cc: Kees Cook &lt;kees@kernel.org&gt;
Cc: &lt;stable@vger.kernel.org&gt; # v5.9+
Cc: Zsolt Kajtar &lt;soci@c64.rulez.org&gt;
Reviewed-by: Lucas De Marchi &lt;lucas.demarchi@intel.com&gt;
Reviewed-by: Qianqiang Liu &lt;qianqiang.liu@163.com&gt;
Link: https://lore.kernel.org/r/20250922134619.257684-1-tzimmermann@suse.de
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fbcon: fix integer overflow in fbcon_do_set_font</title>
<updated>2025-10-02T11:48:39+00:00</updated>
<author>
<name>Samasth Norway Ananda</name>
<email>samasth.norway.ananda@oracle.com</email>
</author>
<published>2025-09-12T17:00:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c0c01f9aa08c8e10e10e8c9ebb5be01a4eff6eb7'/>
<id>c0c01f9aa08c8e10e10e8c9ebb5be01a4eff6eb7</id>
<content type='text'>
commit 1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe upstream.

Fix integer overflow vulnerabilities in fbcon_do_set_font() where font
size calculations could overflow when handling user-controlled font
parameters.

The vulnerabilities occur when:
1. CALC_FONTSZ(h, pitch, charcount) performs h * pith * charcount
   multiplication with user-controlled values that can overflow.
2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow
3. This results in smaller allocations than expected, leading to buffer
   overflows during font data copying.

Add explicit overflow checking using check_mul_overflow() and
check_add_overflow() kernel helpers to safety validate all size
calculations before allocation.

Signed-off-by: Samasth Norway Ananda &lt;samasth.norway.ananda@oracle.com&gt;
Reviewed-by: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Fixes: 39b3cffb8cf3 ("fbcon: prevent user font height or width change from causing potential out-of-bounds access")
Cc: George Kennedy &lt;george.kennedy@oracle.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Cc: syzbot+38a3699c7eaf165b97a6@syzkaller.appspotmail.com
Cc: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Cc: Simona Vetter &lt;simona@ffwll.ch&gt;
Cc: Helge Deller &lt;deller@gmx.de&gt;
Cc: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Cc: "Ville Syrjälä" &lt;ville.syrjala@linux.intel.com&gt;
Cc: Sam Ravnborg &lt;sam@ravnborg.org&gt;
Cc: Qianqiang Liu &lt;qianqiang.liu@163.com&gt;
Cc: Shixiong Ou &lt;oushixiong@kylinos.cn&gt;
Cc: Kees Cook &lt;kees@kernel.org&gt;
Cc: &lt;stable@vger.kernel.org&gt; # v5.9+
Signed-off-by: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Link: https://lore.kernel.org/r/20250912170023.3931881-1-samasth.norway.ananda@oracle.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe upstream.

Fix integer overflow vulnerabilities in fbcon_do_set_font() where font
size calculations could overflow when handling user-controlled font
parameters.

The vulnerabilities occur when:
1. CALC_FONTSZ(h, pitch, charcount) performs h * pith * charcount
   multiplication with user-controlled values that can overflow.
2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow
3. This results in smaller allocations than expected, leading to buffer
   overflows during font data copying.

Add explicit overflow checking using check_mul_overflow() and
check_add_overflow() kernel helpers to safety validate all size
calculations before allocation.

Signed-off-by: Samasth Norway Ananda &lt;samasth.norway.ananda@oracle.com&gt;
Reviewed-by: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Fixes: 39b3cffb8cf3 ("fbcon: prevent user font height or width change from causing potential out-of-bounds access")
Cc: George Kennedy &lt;george.kennedy@oracle.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Cc: syzbot+38a3699c7eaf165b97a6@syzkaller.appspotmail.com
Cc: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Cc: Simona Vetter &lt;simona@ffwll.ch&gt;
Cc: Helge Deller &lt;deller@gmx.de&gt;
Cc: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Cc: "Ville Syrjälä" &lt;ville.syrjala@linux.intel.com&gt;
Cc: Sam Ravnborg &lt;sam@ravnborg.org&gt;
Cc: Qianqiang Liu &lt;qianqiang.liu@163.com&gt;
Cc: Shixiong Ou &lt;oushixiong@kylinos.cn&gt;
Cc: Kees Cook &lt;kees@kernel.org&gt;
Cc: &lt;stable@vger.kernel.org&gt; # v5.9+
Signed-off-by: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Link: https://lore.kernel.org/r/20250912170023.3931881-1-samasth.norway.ananda@oracle.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fbdev: nvidiafb: add depends on HAS_IOPORT</title>
<updated>2025-08-20T16:41:40+00:00</updated>
<author>
<name>Randy Dunlap</name>
<email>rdunlap@infradead.org</email>
</author>
<published>2025-06-15T18:36:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=490cce988beacf26d70a93b73116eec66fa3abac'/>
<id>490cce988beacf26d70a93b73116eec66fa3abac</id>
<content type='text'>
commit ecdd7df997fd992f0ec70b788e3b12258008a2bf upstream.

The nvidiafb driver uses inb()/outb() without depending on HAS_IOPORT,
which leads to build errors since kernel v6.13-rc1:
commit 6f043e757445 ("asm-generic/io.h: Remove I/O port accessors
for HAS_IOPORT=n")

Add the HAS_IOPORT dependency to prevent the build errors.

(Found in ARCH=um allmodconfig builds)

drivers/video/fbdev/nvidia/nv_accel.c: In function ‘NVDmaWait’:
include/asm-generic/io.h:596:15: error: call to ‘_outb’ declared with attribute error: outb() requires CONFIG_HAS_IOPORT
  596 | #define _outb _outb

Signed-off-by: Randy Dunlap &lt;rdunlap@infradead.org&gt;
Cc: Arnd Bergmann &lt;arnd@kernel.org&gt;
Cc: Niklas Schnelle &lt;schnelle@linux.ibm.com&gt;
Cc: Antonino Daplas &lt;adaplas@gmail.com&gt;
Cc: Helge Deller &lt;deller@gmx.de&gt;
Cc: linux-fbdev@vger.kernel.org
Cc: dri-devel@lists.freedesktop.org
Cc: stable@vger.kernel.org # v6.13+
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit ecdd7df997fd992f0ec70b788e3b12258008a2bf upstream.

The nvidiafb driver uses inb()/outb() without depending on HAS_IOPORT,
which leads to build errors since kernel v6.13-rc1:
commit 6f043e757445 ("asm-generic/io.h: Remove I/O port accessors
for HAS_IOPORT=n")

Add the HAS_IOPORT dependency to prevent the build errors.

(Found in ARCH=um allmodconfig builds)

drivers/video/fbdev/nvidia/nv_accel.c: In function ‘NVDmaWait’:
include/asm-generic/io.h:596:15: error: call to ‘_outb’ declared with attribute error: outb() requires CONFIG_HAS_IOPORT
  596 | #define _outb _outb

Signed-off-by: Randy Dunlap &lt;rdunlap@infradead.org&gt;
Cc: Arnd Bergmann &lt;arnd@kernel.org&gt;
Cc: Niklas Schnelle &lt;schnelle@linux.ibm.com&gt;
Cc: Antonino Daplas &lt;adaplas@gmail.com&gt;
Cc: Helge Deller &lt;deller@gmx.de&gt;
Cc: linux-fbdev@vger.kernel.org
Cc: dri-devel@lists.freedesktop.org
Cc: stable@vger.kernel.org # v6.13+
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fbdev: Fix vmalloc out-of-bounds write in fast_imageblit</title>
<updated>2025-08-20T16:41:40+00:00</updated>
<author>
<name>Sravan Kumar Gundu</name>
<email>sravankumarlpu@gmail.com</email>
</author>
<published>2025-07-31T20:36:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=cfec17721265e72e50cc69c6004fe3475cd38df2'/>
<id>cfec17721265e72e50cc69c6004fe3475cd38df2</id>
<content type='text'>
commit af0db3c1f898144846d4c172531a199bb3ca375d upstream.

This issue triggers when a userspace program does an ioctl
FBIOPUT_CON2FBMAP by passing console number and frame buffer number.
Ideally this maps console to frame buffer and updates the screen if
console is visible.

As part of mapping it has to do resize of console according to frame
buffer info. if this resize fails and returns from vc_do_resize() and
continues further. At this point console and new frame buffer are mapped
and sets display vars. Despite failure still it continue to proceed
updating the screen at later stages where vc_data is related to previous
frame buffer and frame buffer info and display vars are mapped to new
frame buffer and eventully leading to out-of-bounds write in
fast_imageblit(). This bheviour is excepted only when fg_console is
equal to requested console which is a visible console and updates screen
with invalid struct references in fbcon_putcs().

Reported-and-tested-by: syzbot+c4b7aa0513823e2ea880@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c4b7aa0513823e2ea880
Signed-off-by: Sravan Kumar Gundu &lt;sravankumarlpu@gmail.com&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit af0db3c1f898144846d4c172531a199bb3ca375d upstream.

This issue triggers when a userspace program does an ioctl
FBIOPUT_CON2FBMAP by passing console number and frame buffer number.
Ideally this maps console to frame buffer and updates the screen if
console is visible.

As part of mapping it has to do resize of console according to frame
buffer info. if this resize fails and returns from vc_do_resize() and
continues further. At this point console and new frame buffer are mapped
and sets display vars. Despite failure still it continue to proceed
updating the screen at later stages where vc_data is related to previous
frame buffer and frame buffer info and display vars are mapped to new
frame buffer and eventully leading to out-of-bounds write in
fast_imageblit(). This bheviour is excepted only when fg_console is
equal to requested console which is a visible console and updates screen
with invalid struct references in fbcon_putcs().

Reported-and-tested-by: syzbot+c4b7aa0513823e2ea880@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c4b7aa0513823e2ea880
Signed-off-by: Sravan Kumar Gundu &lt;sravankumarlpu@gmail.com&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fbdev: fix potential buffer overflow in do_register_framebuffer()</title>
<updated>2025-08-20T16:41:21+00:00</updated>
<author>
<name>Yongzhen Zhang</name>
<email>zhangyongzhen@kylinos.cn</email>
</author>
<published>2025-07-01T09:07:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=248b2aab9b2af5ecf89d9d7955a2ff20c4b4a399'/>
<id>248b2aab9b2af5ecf89d9d7955a2ff20c4b4a399</id>
<content type='text'>
[ Upstream commit 523b84dc7ccea9c4d79126d6ed1cf9033cf83b05 ]

The current implementation may lead to buffer overflow when:
1.  Unregistration creates NULL gaps in registered_fb[]
2.  All array slots become occupied despite num_registered_fb &lt; FB_MAX
3.  The registration loop exceeds array bounds

Add boundary check to prevent registered_fb[FB_MAX] access.

Signed-off-by: Yongzhen Zhang &lt;zhangyongzhen@kylinos.cn&gt;
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 523b84dc7ccea9c4d79126d6ed1cf9033cf83b05 ]

The current implementation may lead to buffer overflow when:
1.  Unregistration creates NULL gaps in registered_fb[]
2.  All array slots become occupied despite num_registered_fb &lt; FB_MAX
3.  The registration loop exceeds array bounds

Add boundary check to prevent registered_fb[FB_MAX] access.

Signed-off-by: Yongzhen Zhang &lt;zhangyongzhen@kylinos.cn&gt;
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref</title>
<updated>2025-08-15T14:39:12+00:00</updated>
<author>
<name>Chenyuan Yang</name>
<email>chenyuan0y@gmail.com</email>
</author>
<published>2025-07-24T03:25:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f060441c153495750804133555cf0a211a856892'/>
<id>f060441c153495750804133555cf0a211a856892</id>
<content type='text'>
[ Upstream commit da11e6a30e0bb8e911288bdc443b3dc8f6a7cac7 ]

fb_add_videomode() can fail with -ENOMEM when its internal kmalloc() cannot
allocate a struct fb_modelist.  If that happens, the modelist stays empty but
the driver continues to register.  Add a check for its return value to prevent
poteintial null-ptr-deref, which is similar to the commit 17186f1f90d3 ("fbdev:
Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var").

Fixes: 1b6c79361ba5 ("video: imxfb: Add DT support")
Signed-off-by: Chenyuan Yang &lt;chenyuan0y@gmail.com&gt;
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit da11e6a30e0bb8e911288bdc443b3dc8f6a7cac7 ]

fb_add_videomode() can fail with -ENOMEM when its internal kmalloc() cannot
allocate a struct fb_modelist.  If that happens, the modelist stays empty but
the driver continues to register.  Add a check for its return value to prevent
poteintial null-ptr-deref, which is similar to the commit 17186f1f90d3 ("fbdev:
Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var").

Fixes: 1b6c79361ba5 ("video: imxfb: Add DT support")
Signed-off-by: Chenyuan Yang &lt;chenyuan0y@gmail.com&gt;
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fbcon: Fix outdated registered_fb reference in comment</title>
<updated>2025-08-15T14:38:45+00:00</updated>
<author>
<name>Shixiong Ou</name>
<email>oushixiong@kylinos.cn</email>
</author>
<published>2025-07-09T10:34:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e9240dd81a05401fb445ad18f965fc494527b18c'/>
<id>e9240dd81a05401fb445ad18f965fc494527b18c</id>
<content type='text'>
[ Upstream commit 0f168e7be696a17487e83d1d47e5a408a181080f ]

The variable was renamed to fbcon_registered_fb, but this comment was
not updated along with the change. Correct it to avoid confusion.

Signed-off-by: Shixiong Ou &lt;oushixiong@kylinos.cn&gt;
Fixes: efc3acbc105a ("fbcon: Maintain a private array of fb_info")
[sima: Add Fixes: line.]
Signed-off-by: Simona Vetter &lt;simona.vetter@ffwll.ch&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20250709103438.572309-1-oushixiong1025@163.com
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 0f168e7be696a17487e83d1d47e5a408a181080f ]

The variable was renamed to fbcon_registered_fb, but this comment was
not updated along with the change. Correct it to avoid confusion.

Signed-off-by: Shixiong Ou &lt;oushixiong@kylinos.cn&gt;
Fixes: efc3acbc105a ("fbcon: Maintain a private array of fb_info")
[sima: Add Fixes: line.]
Signed-off-by: Simona Vetter &lt;simona.vetter@ffwll.ch&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20250709103438.572309-1-oushixiong1025@163.com
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>treewide, timers: Rename from_timer() to timer_container_of()</title>
<updated>2025-06-08T07:07:37+00:00</updated>
<author>
<name>Ingo Molnar</name>
<email>mingo@kernel.org</email>
</author>
<published>2025-05-09T05:51:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=41cb08555c4164996d67c78b3bf1c658075b75f1'/>
<id>41cb08555c4164996d67c78b3bf1c658075b75f1</id>
<content type='text'>
Move this API to the canonical timer_*() namespace.

[ tglx: Redone against pre rc1 ]

Signed-off-by: Ingo Molnar &lt;mingo@kernel.org&gt;
Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Link: https://lore.kernel.org/all/aB2X0jCKQO56WdMt@gmail.com

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Move this API to the canonical timer_*() namespace.

[ tglx: Redone against pre rc1 ]

Signed-off-by: Ingo Molnar &lt;mingo@kernel.org&gt;
Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Link: https://lore.kernel.org/all/aB2X0jCKQO56WdMt@gmail.com

</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'backlight-next-6.16' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/backlight</title>
<updated>2025-06-03T19:52:25+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2025-06-03T19:52:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a9dfb7db96f7bc1f30feae673aab7fdbfbc94e9c'/>
<id>a9dfb7db96f7bc1f30feae673aab7fdbfbc94e9c</id>
<content type='text'>
Pull backlight updates from Lee Jones:
 "Framebuffer Subsystem (fbdev):
   - The display's blanking status is now tracked in 'struct fb_info'
   - 'framebuffer_alloc()' initializes the blank state to FB_BLANK_UNBLANK
   - 'register_framebuffer()' sets the state to 'FB_BLANK_POWERDOWN' if
     an 'fb_blank' callback exists, ensuring 'FB_EVENT_BLANK' listeners
     correctly see the display being turned on during the first modeset
   - The 'FB_EVENT_BLANK' event data now includes both the new and the
     old blank states
   - 'fb_blank()' has been reworked to return early on errors, without
     functional changes, in preparation for further state tracking
     improvements
   - Fbdev now calls dedicated functions in the backlight subsystems to
     notify them of blank state changes, instead of relying on fbdev
     event notifiers
   - For LCDs, fbdev also calls a dedicated function to notify of mode
     changes
   - Removed the definitions for the unused fbdev event constants
     'FB_EVENT_MODE_CHANGE' and 'FB_EVENT_BLANK' from the header file

  Backlight Subsystem:
   - Implemented fbdev blank state tracking using the (newly enhanced)
     blank state information provided directly by 'FB_EVENT_BLANK'
   - Removed internal blank state tracking fields ('fb_bl_on') from
     'struct backlight_device'
   - Moved the handling of blank-state updates into a separate internal
     helper function, 'backlight_notify_blank()'
   - Removed support for fbdev events and replaced it with a dedicated
     function call interface ('backlight_notify_blank()' and
     'backlight_notify_blank_all()') for display drivers to update
     backlight status

  LCD Subsystem:
   - Moved the handling of display updates (blank events and mode
     changes) from fbdev event notifiers to separate internal helper
     functions ('lcd_notify_blank',
     'lcd_notify_mode_change')
   - Removed support for fbdev events and replaced it with dedicated
     function call interfaces ('lcd_notify_blank_all()',
     'lcd_notify_mode_change_all()')
   - The LCD subsystem now maintains its own internal list of LCD
     devices instead of relying on fbdev notifiers

  LED Backlight Trigger:
   - Moved the handling of blank-state updates into a separate internal
     helper, 'ledtrig_backlight_notify_blank()'
   - Removed support for fbdev events and replaced it with a dedicated
     function call, 'ledtrig_backlight_blank()', for fbdev to notify
     trigger of blank state changes
   - The LED backlight trigger now maintains its own internal list of
     triggers instead of relying on fbdev notifiers

  Qualcomm WLED Backlight:
   - Added a NULL check after 'devm_kasprintf()' in 'wled_configure()'
     to prevent a potential NULL pointer dereference if memory
     allocation fails"

* tag 'backlight-next-6.16' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/backlight:
  backlight: pm8941: Add NULL check in wled_configure()
  fbdev: Remove constants of unused events
  leds: backlight trigger: Replace fb events with a dedicated function call
  leds: backlight trigger: Move blank-state handling into helper
  backlight: lcd: Replace fb events with a dedicated function call
  backlight: lcd: Move event handling into helpers
  backlight: Replace fb events with a dedicated function call
  backlight: Move blank-state handling into helper
  backlight: Implement fbdev tracking with blank state from event
  fbdev: Send old blank state in FB_EVENT_BLANK
  fbdev: Track display blanking state
  fbdev: Rework fb_blank()
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull backlight updates from Lee Jones:
 "Framebuffer Subsystem (fbdev):
   - The display's blanking status is now tracked in 'struct fb_info'
   - 'framebuffer_alloc()' initializes the blank state to FB_BLANK_UNBLANK
   - 'register_framebuffer()' sets the state to 'FB_BLANK_POWERDOWN' if
     an 'fb_blank' callback exists, ensuring 'FB_EVENT_BLANK' listeners
     correctly see the display being turned on during the first modeset
   - The 'FB_EVENT_BLANK' event data now includes both the new and the
     old blank states
   - 'fb_blank()' has been reworked to return early on errors, without
     functional changes, in preparation for further state tracking
     improvements
   - Fbdev now calls dedicated functions in the backlight subsystems to
     notify them of blank state changes, instead of relying on fbdev
     event notifiers
   - For LCDs, fbdev also calls a dedicated function to notify of mode
     changes
   - Removed the definitions for the unused fbdev event constants
     'FB_EVENT_MODE_CHANGE' and 'FB_EVENT_BLANK' from the header file

  Backlight Subsystem:
   - Implemented fbdev blank state tracking using the (newly enhanced)
     blank state information provided directly by 'FB_EVENT_BLANK'
   - Removed internal blank state tracking fields ('fb_bl_on') from
     'struct backlight_device'
   - Moved the handling of blank-state updates into a separate internal
     helper function, 'backlight_notify_blank()'
   - Removed support for fbdev events and replaced it with a dedicated
     function call interface ('backlight_notify_blank()' and
     'backlight_notify_blank_all()') for display drivers to update
     backlight status

  LCD Subsystem:
   - Moved the handling of display updates (blank events and mode
     changes) from fbdev event notifiers to separate internal helper
     functions ('lcd_notify_blank',
     'lcd_notify_mode_change')
   - Removed support for fbdev events and replaced it with dedicated
     function call interfaces ('lcd_notify_blank_all()',
     'lcd_notify_mode_change_all()')
   - The LCD subsystem now maintains its own internal list of LCD
     devices instead of relying on fbdev notifiers

  LED Backlight Trigger:
   - Moved the handling of blank-state updates into a separate internal
     helper, 'ledtrig_backlight_notify_blank()'
   - Removed support for fbdev events and replaced it with a dedicated
     function call, 'ledtrig_backlight_blank()', for fbdev to notify
     trigger of blank state changes
   - The LED backlight trigger now maintains its own internal list of
     triggers instead of relying on fbdev notifiers

  Qualcomm WLED Backlight:
   - Added a NULL check after 'devm_kasprintf()' in 'wled_configure()'
     to prevent a potential NULL pointer dereference if memory
     allocation fails"

* tag 'backlight-next-6.16' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/backlight:
  backlight: pm8941: Add NULL check in wled_configure()
  fbdev: Remove constants of unused events
  leds: backlight trigger: Replace fb events with a dedicated function call
  leds: backlight trigger: Move blank-state handling into helper
  backlight: lcd: Replace fb events with a dedicated function call
  backlight: lcd: Move event handling into helpers
  backlight: Replace fb events with a dedicated function call
  backlight: Move blank-state handling into helper
  backlight: Implement fbdev tracking with blank state from event
  fbdev: Send old blank state in FB_EVENT_BLANK
  fbdev: Track display blanking state
  fbdev: Rework fb_blank()
</pre>
</div>
</content>
</entry>
<entry>
<title>fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var</title>
<updated>2025-05-31T08:24:02+00:00</updated>
<author>
<name>Murad Masimov</name>
<email>m.masimov@mt-integration.ru</email>
</author>
<published>2025-04-28T15:34:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=05f6e183879d9785a3cdf2f08a498bc31b7a20aa'/>
<id>05f6e183879d9785a3cdf2f08a498bc31b7a20aa</id>
<content type='text'>
If fb_add_videomode() in fb_set_var() fails to allocate memory for
fb_videomode, later it may lead to a null-ptr dereference in
fb_videomode_to_var(), as the fb_info is registered while not having the
mode in modelist that is expected to be there, i.e. the one that is
described in fb_info-&gt;var.

================================================================
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 PID: 30371 Comm: syz-executor.1 Not tainted 5.10.226-syzkaller #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:fb_videomode_to_var+0x24/0x610 drivers/video/fbdev/core/modedb.c:901
Call Trace:
 display_to_var+0x3a/0x7c0 drivers/video/fbdev/core/fbcon.c:929
 fbcon_resize+0x3e2/0x8f0 drivers/video/fbdev/core/fbcon.c:2071
 resize_screen drivers/tty/vt/vt.c:1176 [inline]
 vc_do_resize+0x53a/0x1170 drivers/tty/vt/vt.c:1263
 fbcon_modechanged+0x3ac/0x6e0 drivers/video/fbdev/core/fbcon.c:2720
 fbcon_update_vcs+0x43/0x60 drivers/video/fbdev/core/fbcon.c:2776
 do_fb_ioctl+0x6d2/0x740 drivers/video/fbdev/core/fbmem.c:1128
 fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1203
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:739
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x67/0xd1
================================================================

The reason is that fb_info-&gt;var is being modified in fb_set_var(), and
then fb_videomode_to_var() is called. If it fails to add the mode to
fb_info-&gt;modelist, fb_set_var() returns error, but does not restore the
old value of fb_info-&gt;var. Restore fb_info-&gt;var on failure the same way
it is done earlier in the function.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Murad Masimov &lt;m.masimov@mt-integration.ru&gt;
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If fb_add_videomode() in fb_set_var() fails to allocate memory for
fb_videomode, later it may lead to a null-ptr dereference in
fb_videomode_to_var(), as the fb_info is registered while not having the
mode in modelist that is expected to be there, i.e. the one that is
described in fb_info-&gt;var.

================================================================
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 PID: 30371 Comm: syz-executor.1 Not tainted 5.10.226-syzkaller #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:fb_videomode_to_var+0x24/0x610 drivers/video/fbdev/core/modedb.c:901
Call Trace:
 display_to_var+0x3a/0x7c0 drivers/video/fbdev/core/fbcon.c:929
 fbcon_resize+0x3e2/0x8f0 drivers/video/fbdev/core/fbcon.c:2071
 resize_screen drivers/tty/vt/vt.c:1176 [inline]
 vc_do_resize+0x53a/0x1170 drivers/tty/vt/vt.c:1263
 fbcon_modechanged+0x3ac/0x6e0 drivers/video/fbdev/core/fbcon.c:2720
 fbcon_update_vcs+0x43/0x60 drivers/video/fbdev/core/fbcon.c:2776
 do_fb_ioctl+0x6d2/0x740 drivers/video/fbdev/core/fbmem.c:1128
 fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1203
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:739
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x67/0xd1
================================================================

The reason is that fb_info-&gt;var is being modified in fb_set_var(), and
then fb_videomode_to_var() is called. If it fails to add the mode to
fb_info-&gt;modelist, fb_set_var() returns error, but does not restore the
old value of fb_info-&gt;var. Restore fb_info-&gt;var on failure the same way
it is done earlier in the function.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Murad Masimov &lt;m.masimov@mt-integration.ru&gt;
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
</pre>
</div>
</content>
</entry>
</feed>
