* [PATCH 6.6.y] drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup
[not found] <2025120119-quake-universal-d896@gregkh>
@ 2025-12-01 22:51 ` Sasha Levin
2025-12-02 7:42 ` Thomas Zimmermann
0 siblings, 1 reply; 3+ messages in thread
From: Sasha Levin @ 2025-12-01 22:51 UTC (permalink / raw)
To: stable
Cc: Thomas Zimmermann, Javier Martinez Canillas, Alex Deucher,
dri-devel, nouveau, amd-gfx, linux-fbdev, Sasha Levin
From: Thomas Zimmermann <tzimmermann@suse.de>
[ Upstream commit eb76d0f5553575599561010f24c277cc5b31d003 ]
Protect vga_switcheroo_client_fb_set() with console lock. Avoids OOB
access in fbcon_remap_all(). Without holding the console lock the call
races with switching outputs.
VGA switcheroo calls fbcon_remap_all() when switching clients. The fbcon
function uses struct fb_info.node, which is set by register_framebuffer().
As the fb-helper code currently sets up VGA switcheroo before registering
the framebuffer, the value of node is -1 and therefore not a legal value.
For example, fbcon uses the value within set_con2fb_map() [1] as an index
into an array.
Moving vga_switcheroo_client_fb_set() after register_framebuffer() can
result in VGA switching that does not switch fbcon correctly.
Therefore move vga_switcheroo_client_fb_set() under fbcon_fb_registered(),
which already holds the console lock. Fbdev calls fbcon_fb_registered()
from within register_framebuffer(). Serializes the helper with VGA
switcheroo's call to fbcon_remap_all().
Although vga_switcheroo_client_fb_set() takes an instance of struct fb_info
as parameter, it really only needs the contained fbcon state. Moving the
call to fbcon initialization is therefore cleaner than before. Only amdgpu,
i915, nouveau and radeon support vga_switcheroo. For all other drivers,
this change does nothing.
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://elixir.bootlin.com/linux/v6.17/source/drivers/video/fbdev/core/fbcon.c#L2942 # [1]
Fixes: 6a9ee8af344e ("vga_switcheroo: initial implementation (v15)")
Acked-by: Javier Martinez Canillas <javierm@redhat.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Cc: dri-devel@lists.freedesktop.org
Cc: nouveau@lists.freedesktop.org
Cc: amd-gfx@lists.freedesktop.org
Cc: linux-fbdev@vger.kernel.org
Cc: <stable@vger.kernel.org> # v2.6.34+
Link: https://patch.msgid.link/20251105161549.98836-1-tzimmermann@suse.de
[ drm_fb_helper_unregister_info() lacks vga_switcheroo code ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_fb_helper.c | 7 -------
drivers/video/fbdev/core/fbcon.c | 9 +++++++++
2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
index b507c1c008a3e..3891837a78414 100644
--- a/drivers/gpu/drm/drm_fb_helper.c
+++ b/drivers/gpu/drm/drm_fb_helper.c
@@ -30,9 +30,7 @@
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/console.h>
-#include <linux/pci.h>
#include <linux/sysrq.h>
-#include <linux/vga_switcheroo.h>
#include <drm/drm_atomic.h>
#include <drm/drm_drv.h>
@@ -1668,7 +1666,6 @@ static int drm_fb_helper_find_sizes(struct drm_fb_helper *fb_helper,
static int drm_fb_helper_single_fb_probe(struct drm_fb_helper *fb_helper)
{
struct drm_client_dev *client = &fb_helper->client;
- struct drm_device *dev = fb_helper->dev;
struct drm_fb_helper_surface_size sizes;
int ret;
@@ -1687,10 +1684,6 @@ static int drm_fb_helper_single_fb_probe(struct drm_fb_helper *fb_helper)
strcpy(fb_helper->fb->comm, "[fbcon]");
- /* Set the fb info for vgaswitcheroo clients. Does nothing otherwise. */
- if (dev_is_pci(dev->dev))
- vga_switcheroo_client_fb_set(to_pci_dev(dev->dev), fb_helper->info);
-
return 0;
}
diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index 78a5b22c8d150..8b2c3065c0c26 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -64,6 +64,7 @@
#include <linux/console.h>
#include <linux/string.h>
#include <linux/kd.h>
+#include <linux/pci.h>
#include <linux/slab.h>
#include <linux/fb.h>
#include <linux/fbcon.h>
@@ -75,6 +76,7 @@
#include <linux/interrupt.h>
#include <linux/crc32.h> /* For counting font checksums */
#include <linux/uaccess.h>
+#include <linux/vga_switcheroo.h>
#include <asm/irq.h>
#include "fbcon.h"
@@ -2913,6 +2915,9 @@ void fbcon_fb_unregistered(struct fb_info *info)
console_lock();
+ if (info->device && dev_is_pci(info->device))
+ vga_switcheroo_client_fb_set(to_pci_dev(info->device), NULL);
+
fbcon_registered_fb[info->node] = NULL;
fbcon_num_registered_fb--;
@@ -3046,6 +3051,10 @@ static int do_fb_registered(struct fb_info *info)
}
}
+ /* Set the fb info for vga_switcheroo clients. Does nothing otherwise. */
+ if (info->device && dev_is_pci(info->device))
+ vga_switcheroo_client_fb_set(to_pci_dev(info->device), info);
+
return ret;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH 6.6.y] drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup
2025-12-01 22:51 ` [PATCH 6.6.y] drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup Sasha Levin
@ 2025-12-02 7:42 ` Thomas Zimmermann
2025-12-02 15:53 ` Greg KH
0 siblings, 1 reply; 3+ messages in thread
From: Thomas Zimmermann @ 2025-12-02 7:42 UTC (permalink / raw)
To: Sasha Levin, stable
Cc: Javier Martinez Canillas, Alex Deucher, dri-devel, nouveau,
amd-gfx, linux-fbdev
Hi,
thanks for backporting.
You also have to remove the calls to vga_switcheroo_client_fb_set() from
these files
https://elixir.bootlin.com/linux/v6.6/source/drivers/gpu/drm/i915/display/intel_fbdev.c
https://elixir.bootlin.com/linux/v6.6/source/drivers/gpu/drm/radeon/radeon_fbdev.c
Best regards
Thomas
Am 01.12.25 um 23:51 schrieb Sasha Levin:
> From: Thomas Zimmermann <tzimmermann@suse.de>
>
> [ Upstream commit eb76d0f5553575599561010f24c277cc5b31d003 ]
>
> Protect vga_switcheroo_client_fb_set() with console lock. Avoids OOB
> access in fbcon_remap_all(). Without holding the console lock the call
> races with switching outputs.
>
> VGA switcheroo calls fbcon_remap_all() when switching clients. The fbcon
> function uses struct fb_info.node, which is set by register_framebuffer().
> As the fb-helper code currently sets up VGA switcheroo before registering
> the framebuffer, the value of node is -1 and therefore not a legal value.
> For example, fbcon uses the value within set_con2fb_map() [1] as an index
> into an array.
>
> Moving vga_switcheroo_client_fb_set() after register_framebuffer() can
> result in VGA switching that does not switch fbcon correctly.
>
> Therefore move vga_switcheroo_client_fb_set() under fbcon_fb_registered(),
> which already holds the console lock. Fbdev calls fbcon_fb_registered()
> from within register_framebuffer(). Serializes the helper with VGA
> switcheroo's call to fbcon_remap_all().
>
> Although vga_switcheroo_client_fb_set() takes an instance of struct fb_info
> as parameter, it really only needs the contained fbcon state. Moving the
> call to fbcon initialization is therefore cleaner than before. Only amdgpu,
> i915, nouveau and radeon support vga_switcheroo. For all other drivers,
> this change does nothing.
>
> Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
> Link: https://elixir.bootlin.com/linux/v6.17/source/drivers/video/fbdev/core/fbcon.c#L2942 # [1]
> Fixes: 6a9ee8af344e ("vga_switcheroo: initial implementation (v15)")
> Acked-by: Javier Martinez Canillas <javierm@redhat.com>
> Acked-by: Alex Deucher <alexander.deucher@amd.com>
> Cc: dri-devel@lists.freedesktop.org
> Cc: nouveau@lists.freedesktop.org
> Cc: amd-gfx@lists.freedesktop.org
> Cc: linux-fbdev@vger.kernel.org
> Cc: <stable@vger.kernel.org> # v2.6.34+
> Link: https://patch.msgid.link/20251105161549.98836-1-tzimmermann@suse.de
> [ drm_fb_helper_unregister_info() lacks vga_switcheroo code ]
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
> drivers/gpu/drm/drm_fb_helper.c | 7 -------
> drivers/video/fbdev/core/fbcon.c | 9 +++++++++
> 2 files changed, 9 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
> index b507c1c008a3e..3891837a78414 100644
> --- a/drivers/gpu/drm/drm_fb_helper.c
> +++ b/drivers/gpu/drm/drm_fb_helper.c
> @@ -30,9 +30,7 @@
> #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
>
> #include <linux/console.h>
> -#include <linux/pci.h>
> #include <linux/sysrq.h>
> -#include <linux/vga_switcheroo.h>
>
> #include <drm/drm_atomic.h>
> #include <drm/drm_drv.h>
> @@ -1668,7 +1666,6 @@ static int drm_fb_helper_find_sizes(struct drm_fb_helper *fb_helper,
> static int drm_fb_helper_single_fb_probe(struct drm_fb_helper *fb_helper)
> {
> struct drm_client_dev *client = &fb_helper->client;
> - struct drm_device *dev = fb_helper->dev;
> struct drm_fb_helper_surface_size sizes;
> int ret;
>
> @@ -1687,10 +1684,6 @@ static int drm_fb_helper_single_fb_probe(struct drm_fb_helper *fb_helper)
>
> strcpy(fb_helper->fb->comm, "[fbcon]");
>
> - /* Set the fb info for vgaswitcheroo clients. Does nothing otherwise. */
> - if (dev_is_pci(dev->dev))
> - vga_switcheroo_client_fb_set(to_pci_dev(dev->dev), fb_helper->info);
> -
> return 0;
> }
>
> diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> index 78a5b22c8d150..8b2c3065c0c26 100644
> --- a/drivers/video/fbdev/core/fbcon.c
> +++ b/drivers/video/fbdev/core/fbcon.c
> @@ -64,6 +64,7 @@
> #include <linux/console.h>
> #include <linux/string.h>
> #include <linux/kd.h>
> +#include <linux/pci.h>
> #include <linux/slab.h>
> #include <linux/fb.h>
> #include <linux/fbcon.h>
> @@ -75,6 +76,7 @@
> #include <linux/interrupt.h>
> #include <linux/crc32.h> /* For counting font checksums */
> #include <linux/uaccess.h>
> +#include <linux/vga_switcheroo.h>
> #include <asm/irq.h>
>
> #include "fbcon.h"
> @@ -2913,6 +2915,9 @@ void fbcon_fb_unregistered(struct fb_info *info)
>
> console_lock();
>
> + if (info->device && dev_is_pci(info->device))
> + vga_switcheroo_client_fb_set(to_pci_dev(info->device), NULL);
> +
> fbcon_registered_fb[info->node] = NULL;
> fbcon_num_registered_fb--;
>
> @@ -3046,6 +3051,10 @@ static int do_fb_registered(struct fb_info *info)
> }
> }
>
> + /* Set the fb info for vga_switcheroo clients. Does nothing otherwise. */
> + if (info->device && dev_is_pci(info->device))
> + vga_switcheroo_client_fb_set(to_pci_dev(info->device), info);
> +
> return ret;
> }
>
--
--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Frankenstr. 146, 90461 Nürnberg, Germany, www.suse.com
GF: Jochen Jaser, Andrew McDonald, Werner Knoblich, (HRB 36809, AG Nürnberg)
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH 6.6.y] drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup
2025-12-02 7:42 ` Thomas Zimmermann
@ 2025-12-02 15:53 ` Greg KH
0 siblings, 0 replies; 3+ messages in thread
From: Greg KH @ 2025-12-02 15:53 UTC (permalink / raw)
To: Thomas Zimmermann
Cc: Sasha Levin, stable, Javier Martinez Canillas, Alex Deucher,
dri-devel, nouveau, amd-gfx, linux-fbdev
On Tue, Dec 02, 2025 at 08:42:52AM +0100, Thomas Zimmermann wrote:
> Hi,
>
> thanks for backporting.
>
> You also have to remove the calls to vga_switcheroo_client_fb_set() from
> these files
>
> https://elixir.bootlin.com/linux/v6.6/source/drivers/gpu/drm/i915/display/intel_fbdev.c
>
> https://elixir.bootlin.com/linux/v6.6/source/drivers/gpu/drm/radeon/radeon_fbdev.c
Also, a fixed backport would be appreciated here.
thanks
greg k-h
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-12-02 15:53 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <2025120119-quake-universal-d896@gregkh>
2025-12-01 22:51 ` [PATCH 6.6.y] drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup Sasha Levin
2025-12-02 7:42 ` Thomas Zimmermann
2025-12-02 15:53 ` Greg KH
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).