linux-stable.git/drivers/video/fbdev, branch master Linux kernel stable tree fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free 2026-05-04T08:35:55+00:00 Rajat Gupta rajgupt@qti.qualcomm.com 2026-05-04T03:51:10+00:00 8de779dc40d35d39fa07387b6f921eb11df0f511 dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages. Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs. Tested with PoC using dummy_hcd + raw_gadget USB device emulation. Signed-off-by: Rajat Gupta <rajgupt@qti.qualcomm.com> Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: stable@vger.kernel.org Signed-off-by: Helge Deller <deller@gmx.de> 
dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages
to userspace but sets no vm_ops on the VMA. This means the kernel cannot
track active mmaps. When dlfb_realloc_framebuffer() replaces the backing
buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated.
On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages
while userspace PTEs still reference them, resulting in a use-after-free:
the process retains read/write access to freed kernel pages.

Add vm_operations_struct with open/close callbacks that maintain an
atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(),
check mmap_count and return -EBUSY if the buffer is currently mapped,
preventing buffer replacement while userspace holds stale PTEs.

Tested with PoC using dummy_hcd + raw_gadget USB device emulation.

Signed-off-by: Rajat Gupta <rajgupt@qti.qualcomm.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>
fbdev: defio: Remove duplicate include of linux/module.h 2026-04-28T12:18:51+00:00 Chen Ni nichen@iscas.ac.cn 2026-04-28T03:17:25+00:00 0b996ae54d876b41c52dd7cfc512eb008a47d781 Remove duplicate inclusion of linux/module.h in fb_defio.c to clean up redundant code. Signed-off-by: Chen Ni <nichen@iscas.ac.cn> Signed-off-by: Helge Deller <deller@gmx.de> 
Remove duplicate inclusion of linux/module.h in fb_defio.c to clean up
redundant code.

Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Signed-off-by: Helge Deller <deller@gmx.de>
fbdev: hgafb: Request memory region before ioremap 2026-04-22T15:02:55+00:00 Hardik Phalet hardik.phalet@pm.me 2026-03-10T12:30:27+00:00 448aaf54d3ae1b73dfcf723c9f8a02c2116f3358 The driver calls ioremap() on the HGA video memory at 0xb0000 without first reserving the physical address range. This leaves the kernel resource tree incomplete and can cause silent conflicts with other drivers claiming the same range. Add a devm_request_mem_region() call before ioremap() in hga_card_detect() to reserve the memory region. Signed-off-by: Hardik Phalet <hardik.phalet@pm.me> Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de> Signed-off-by: Helge Deller <deller@gmx.de> 
The driver calls ioremap() on the HGA video memory at 0xb0000 without
first reserving the physical address range. This leaves the kernel
resource tree incomplete and can cause silent conflicts with other
drivers claiming the same range.

Add a devm_request_mem_region() call before ioremap() in
hga_card_detect() to reserve the memory region.

Signed-off-by: Hardik Phalet <hardik.phalet@pm.me>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Helge Deller <deller@gmx.de>
fbdev: clps711x-fb: Request memory region for MMIO 2026-04-22T14:46:40+00:00 Amit Barzilai amit.barzilai22@gmail.com 2026-04-20T13:44:23+00:00 a40c0e815962b1f691d7ea12f7ddd42063c49f08 Use devm_platform_get_and_ioremap_resource() for resource 0 (the MMIO control register range) instead of open-coding platform_get_resource() and devm_ioremap() separately. The helper requests the memory region before mapping it, which registers the range in /proc/iomem and prevents another driver from mapping the same registers. This makes resource 0 consistent with resource 1 (the framebuffer), which already uses devm_platform_get_and_ioremap_resource(). Assisted-by: Claude:claude-sonnet-4-6 Signed-off-by: Amit Barzilai <amit.barzilai22@gmail.com> Signed-off-by: Helge Deller <deller@gmx.de> 
Use devm_platform_get_and_ioremap_resource() for resource 0 (the MMIO
control register range) instead of open-coding platform_get_resource()
and devm_ioremap() separately. The helper requests the memory region
before mapping it, which registers the range in /proc/iomem and prevents
another driver from mapping the same registers.

This makes resource 0 consistent with resource 1 (the framebuffer),
which already uses devm_platform_get_and_ioremap_resource().

Assisted-by: Claude:claude-sonnet-4-6
Signed-off-by: Amit Barzilai <amit.barzilai22@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
fbdev: cobalt_lcdfb: Request memory region 2026-04-22T14:46:40+00:00 Amit Barzilai amit.barzilai22@gmail.com 2026-04-20T13:44:22+00:00 d2386d9e3eb4c12f55f6131ab69cc65f13b5af80 Use devm_platform_get_and_ioremap_resource() instead of open-coding platform_get_resource() and devm_ioremap() separately. The helper requests the memory region before mapping it, which registers the range in /proc/iomem and prevents another driver from mapping the same registers. Assisted-by: Claude:claude-sonnet-4-6 Signed-off-by: Amit Barzilai <amit.barzilai22@gmail.com> Signed-off-by: Helge Deller <deller@gmx.de> 
Use devm_platform_get_and_ioremap_resource() instead of open-coding
platform_get_resource() and devm_ioremap() separately. The helper
requests the memory region before mapping it, which registers the range
in /proc/iomem and prevents another driver from mapping the same
registers.

Assisted-by: Claude:claude-sonnet-4-6
Signed-off-by: Amit Barzilai <amit.barzilai22@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
fbdev: atyfb: Fix spelling mistake "enfore" -> "enforce" 2026-04-22T13:55:48+00:00 Ethan Carter Edwards ethan@ethancedwards.com 2026-04-19T00:45:50+00:00 b1aaf1110107dd17bee3618379cd35a816141c6c Signed-off-by: Ethan Carter Edwards <ethan@ethancedwards.com> Signed-off-by: Helge Deller <deller@gmx.de> 
Signed-off-by: Ethan Carter Edwards <ethan@ethancedwards.com>
Signed-off-by: Helge Deller <deller@gmx.de>
fbdev: savage: fix probe-path EDID cleanup leaks 2026-04-22T13:45:38+00:00 Yuho Choi dbgh9129@gmail.com 2026-04-20T05:19:26+00:00 9b8a9a3a6f57edd02b7c8db14a316e6fab7fa772 When CONFIG_FB_SAVAGE_I2C is enabled, savagefb_probe() can build both an EDID-derived monspecs.modedb and a modelist from it before later failing. The normal success path frees monspecs.modedb after the initial mode selection, but the probe error path only deletes the I2C busses and misses the EDID-derived allocations. Free both the modelist and monspecs.modedb on the failed: unwind path. Co-developed-by: Myeonghun Pak <mhun512@gmail.com> Signed-off-by: Myeonghun Pak <mhun512@gmail.com> Co-developed-by: Ijae Kim <ae878000@gmail.com> Signed-off-by: Ijae Kim <ae878000@gmail.com> Co-developed-by: Taegyu Kim <tmk5904@psu.edu> Signed-off-by: Taegyu Kim <tmk5904@psu.edu> Signed-off-by: Yuho Choi <dbgh9129@gmail.com> Signed-off-by: Helge Deller <deller@gmx.de> 
When CONFIG_FB_SAVAGE_I2C is enabled, savagefb_probe() can build both an
EDID-derived monspecs.modedb and a modelist from it before later failing.

The normal success path frees monspecs.modedb after the initial mode selection,
but the probe error path only deletes the I2C busses and misses the
EDID-derived allocations.

Free both the modelist and monspecs.modedb on the failed: unwind path.

Co-developed-by: Myeonghun Pak <mhun512@gmail.com>
Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
Co-developed-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Ijae Kim <ae878000@gmail.com>
Co-developed-by: Taegyu Kim <tmk5904@psu.edu>
Signed-off-by: Taegyu Kim <tmk5904@psu.edu>
Signed-off-by: Yuho Choi <dbgh9129@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
fbdev: offb: fix PCI device reference leak on probe failure 2026-04-22T13:45:38+00:00 Yuho Choi dbgh9129@gmail.com 2026-04-20T01:01:18+00:00 869b93ba04088713596e68453c1146f52f713290 offb_init_nodriver() gets a referenced PCI device with pci_get_device(). If pci_enable_device() fails, the function returns without dropping that reference. Release the PCI device reference before returning from the pci_enable_device() failure path. Fixes: 5bda8f7b5468 ("video: fbdev: offb: Call pci_enable_device() before using the PCI VGA device") Co-developed-by: Myeonghun Pak <mhun512@gmail.com> Signed-off-by: Myeonghun Pak <mhun512@gmail.com> Co-developed-by: Ijae Kim <ae878000@gmail.com> Signed-off-by: Ijae Kim <ae878000@gmail.com> Co-developed-by: Taegyu Kim <tmk5904@psu.edu> Signed-off-by: Taegyu Kim <tmk5904@psu.edu> Signed-off-by: Yuho Choi <dbgh9129@gmail.com> Signed-off-by: Helge Deller <deller@gmx.de> 
offb_init_nodriver() gets a referenced PCI device with pci_get_device().
If pci_enable_device() fails, the function returns without dropping that
reference.

Release the PCI device reference before returning from the
pci_enable_device() failure path.

Fixes: 5bda8f7b5468 ("video: fbdev: offb: Call pci_enable_device() before using the PCI VGA device")
Co-developed-by: Myeonghun Pak <mhun512@gmail.com>
Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
Co-developed-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Ijae Kim <ae878000@gmail.com>
Co-developed-by: Taegyu Kim <tmk5904@psu.edu>
Signed-off-by: Taegyu Kim <tmk5904@psu.edu>
Signed-off-by: Yuho Choi <dbgh9129@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO 2026-04-10T14:54:38+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2026-04-09T13:23:46+00:00 a31e4518bec70333a0a98f2946a12b53b45fe5b9 Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide by zero error"), we also need to prevent that same crash from happening in the udlfb driver as it uses pixclock directly when dividing, which will crash. Cc: Bernie Thompson <bernie@plugable.com> Cc: Helge Deller <deller@gmx.de> Fixes: 59277b679f8b ("Staging: udlfb: add dynamic modeset support") Assisted-by: gregkh_clanker_t1000 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Helge Deller <deller@gmx.de> 
Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide
by zero error"), we also need to prevent that same crash from happening
in the udlfb driver as it uses pixclock directly when dividing, which
will crash.

Cc: Bernie Thompson <bernie@plugable.com>
Cc: Helge Deller <deller@gmx.de>
Fixes: 59277b679f8b ("Staging: udlfb: add dynamic modeset support")
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Helge Deller <deller@gmx.de>
fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO 2026-04-10T14:54:35+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2026-04-09T13:23:14+00:00 8f98b81fe011e1879e6a7b1247e69e06a5e17af2 Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide by zero error"), we also need to prevent that same crash from happening in the udlfb driver as it uses pixclock directly when dividing, which will crash. Cc: Helge Deller <deller@gmx.de> Assisted-by: gregkh_clanker_t1000 Cc: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Helge Deller <deller@gmx.de> 
Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide
by zero error"), we also need to prevent that same crash from happening
in the udlfb driver as it uses pixclock directly when dividing, which
will crash.

Cc: Helge Deller <deller@gmx.de>
Assisted-by: gregkh_clanker_t1000
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Helge Deller <deller@gmx.de>