* Re: [PATCH 3/3] Documentation: fb: Split toctree
From: Randy Dunlap @ 2025-09-21 4:08 UTC
To: Bagas Sanjaya, Linux Kernel Mailing List, Linux Documentation,
Linux Framebuffer, Linux DRI Development
Cc: Helge Deller, Jonathan Corbet, Sudip Mukherjee, Teddy Wang,
Bernie Thompson, Mauro Carvalho Chehab, Ard Biesheuvel,
Arvind Sankar
In-Reply-To: <20250919003640.14867-4-bagasdotme@gmail.com>
On 9/18/25 5:36 PM, Bagas Sanjaya wrote:
> The framebuffer docs toctree consists of driver-independent docs
> (e.g. API docs) and driver-specific docs. The latter has many
> more entries.
>
> Group the docs into separate toctrees.
>
> Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
LGTM. Thanks.
Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
> ---
> Documentation/fb/index.rst | 80 +++++++++++++++++++++-----------------
> 1 file changed, 45 insertions(+), 35 deletions(-)
>
> diff --git a/Documentation/fb/index.rst b/Documentation/fb/index.rst
> index 33e3c49f885695..e2f7488b6e2e42 100644
> --- a/Documentation/fb/index.rst
> +++ b/Documentation/fb/index.rst
> @@ -4,42 +4,52 @@
> Frame Buffer
> ============
>
> -.. toctree::
> - :maxdepth: 1
> +General information
> +===================
>
> - api
> - arkfb
> - aty128fb
> - cirrusfb
> - cmap_xfbdev
> - deferred_io
> - efifb
> - ep93xx-fb
> - fbcon
> - framebuffer
> - gxfb
> - intel810
> - internals
> - lxfb
> - matroxfb
> - metronomefb
> - modedb
> - pvr2fb
> - pxafb
> - s3fb
> - sa1100fb
> - sh7760fb
> - sisfb
> - sm501
> - sm712fb
> - sstfb
> - tgafb
> - tridentfb
> - udlfb
> - uvesafb
> - vesafb
> - viafb
> - vt8623fb
> +.. toctree::
> + :maxdepth: 1
> +
> + api
> + cmap_xfbdev
> + deferred_io
> + fbcon
> + framebuffer
> + internals
> + modedb
> +
> +Driver documentation
> +====================
> +
> +.. toctree::
> + :maxdepth: 1
> +
> + arkfb
> + aty128fb
> + cirrusfb
> + efifb
> + ep93xx-fb
> + gxfb
> + intel810
> + lxfb
> + matroxfb
> + metronomefb
> + pvr2fb
> + pxafb
> + s3fb
> + sa1100fb
> + sh7760fb
> + sisfb
> + sm501
> + sm712fb
> + sstfb
> + tgafb
> + tridentfb
> + udlfb
> + uvesafb
> + vesafb
> + viafb
> + vt8623fb
>
> .. only:: subproject and html
>
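Review bot: the new 'General information' and 'Driver documentation' headings are underlined with '=' just like the 'Frame Buffer' title at the top of the hunk; whether Sphinx ranks them below the title depends on the title having an overline, which would sit on line 3, outside the hunk. If the title is underline-only, both new headings become additional top-level sections and the parent toctree gains entries, the same effect patch 1/3 removes from ep93xx-fb.rst. Worth confirming, or underlining the two new headings with '-' so the ranking does not depend on it.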
--
~Randy
* Re: [PATCH 2/3] Documentation: fb: Retitle driver docs
From: Randy Dunlap @ 2025-09-21 4:08 UTC
To: Bagas Sanjaya, Linux Kernel Mailing List, Linux Documentation,
Linux Framebuffer, Linux DRI Development
Cc: Helge Deller, Jonathan Corbet, Sudip Mukherjee, Teddy Wang,
Bernie Thompson, Mauro Carvalho Chehab, Ard Biesheuvel,
Arvind Sankar
In-Reply-To: <20250919003640.14867-3-bagasdotme@gmail.com>
Hi,
I would change a couple of the headings, but otherwise
looks good.
On 9/18/25 5:36 PM, Bagas Sanjaya wrote:
> Many framebuffer driver docs are copied from the vesafb docs as their
> template, including the "What is <driver name>?" title. Such a title
> implies the introductory section, however, and not the whole document.
>
> Retitle them.
>
> Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
> ---
> Documentation/fb/aty128fb.rst | 8 +++-----
> Documentation/fb/efifb.rst | 6 +++---
> Documentation/fb/gxfb.rst | 8 +++-----
> Documentation/fb/lxfb.rst | 9 +++------
> Documentation/fb/matroxfb.rst | 9 +++------
> Documentation/fb/pvr2fb.rst | 6 +++---
> Documentation/fb/sa1100fb.rst | 9 +++------
> Documentation/fb/sisfb.rst | 6 +++---
> Documentation/fb/sm712fb.rst | 6 +++---
> Documentation/fb/tgafb.rst | 6 +++---
> Documentation/fb/udlfb.rst | 6 +++---
> Documentation/fb/vesafb.rst | 6 +++---
> 12 files changed, 36 insertions(+), 49 deletions(-)
>
> diff --git a/Documentation/fb/aty128fb.rst b/Documentation/fb/aty128fb.rst
> index 3f107718f933fc..0da8070a552165 100644
> --- a/Documentation/fb/aty128fb.rst
> +++ b/Documentation/fb/aty128fb.rst
> @@ -1,8 +1,6 @@
> -=================
> -What is aty128fb?
> -=================
> -
> -.. [This file is cloned from VesaFB/matroxfb]
> +=========================================
> +aty128fb - ATI Rage128 framebuffer driver
> +=========================================
>
> This is a driver for a graphic framebuffer for ATI Rage128 based devices
> on Intel and PPC boxes.
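Review bot: besides retitling, this hunk (and the gxfb, lxfb, matroxfb and sa1100fb hunks below) also deletes the '.. [This file is cloned from VesaFB/matroxfb]' provenance comment; the commit message only says 'Retitle them', so either mention that those comments are dropped or keep them, since they explain why the wording of these files matches vesafb.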
> diff --git a/Documentation/fb/efifb.rst b/Documentation/fb/efifb.rst
> index 6badff64756f49..3d4aab406dee0a 100644
> --- a/Documentation/fb/efifb.rst
> +++ b/Documentation/fb/efifb.rst
> @@ -1,6 +1,6 @@
> -==============
> -What is efifb?
> -==============
> +===================================
> +efifb - Generic EFI platform driver
> +===================================
>
> This is a generic EFI platform driver for systems with UEFI firmware. The
> system must be booted via the EFI stub for this to be usable. efifb supports
> diff --git a/Documentation/fb/gxfb.rst b/Documentation/fb/gxfb.rst
> index 5738709bccbbf3..3fda485606bdc1 100644
> --- a/Documentation/fb/gxfb.rst
> +++ b/Documentation/fb/gxfb.rst
> @@ -1,8 +1,6 @@
> -=============
> -What is gxfb?
> -=============
> -
> -.. [This file is cloned from VesaFB/aty128fb]
> +=======================================
> +gxfb - AMD Geode GX2 framebuffer driver
> +=======================================
>
> This is a graphics framebuffer driver for AMD Geode GX2 based processors.
>
> diff --git a/Documentation/fb/lxfb.rst b/Documentation/fb/lxfb.rst
> index 863e6b98fbae55..0a176ab376e30e 100644
> --- a/Documentation/fb/lxfb.rst
> +++ b/Documentation/fb/lxfb.rst
> @@ -1,9 +1,6 @@
> -=============
> -What is lxfb?
> -=============
> -
> -.. [This file is cloned from VesaFB/aty128fb]
> -
> +======================================
> +lxfb - AMD Geode LX framebuffer driver
> +======================================
>
> This is a graphics framebuffer driver for AMD Geode LX based processors.
>
> diff --git a/Documentation/fb/matroxfb.rst b/Documentation/fb/matroxfb.rst
> index 6158c49c857148..34cafaa00bab19 100644
> --- a/Documentation/fb/matroxfb.rst
> +++ b/Documentation/fb/matroxfb.rst
> @@ -1,9 +1,6 @@
> -=================
> -What is matroxfb?
> -=================
> -
> -.. [This file is cloned from VesaFB. Thanks go to Gerd Knorr]
> -
> +==================================
> +matroxfb driver for Matrox devices
> +==================================
Add a '-' after matroxfb
>
> This is a driver for a graphic framebuffer for Matrox devices on
> Alpha, Intel and PPC boxes.
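Review bot: the new title 'matroxfb driver for Matrox devices' is the only one in the series that does not follow the '<driver> - <description>' form used by every other hunk; 'matroxfb - Matrox graphic framebuffer driver' would match, and the '=' overline and underline have to be re-lengthened to the new title when it changes.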
> diff --git a/Documentation/fb/pvr2fb.rst b/Documentation/fb/pvr2fb.rst
> index fcf2c21c8fcfeb..315ce085a5855b 100644
> --- a/Documentation/fb/pvr2fb.rst
> +++ b/Documentation/fb/pvr2fb.rst
> @@ -1,6 +1,6 @@
> -===============
> -What is pvr2fb?
> -===============
> +===============================================
> +pvr2fb - PowerVR 2 graphics frame buffer driver
> +===============================================
>
> This is a driver for PowerVR 2 based graphics frame buffers, such as the
> one found in the Dreamcast.
> diff --git a/Documentation/fb/sa1100fb.rst b/Documentation/fb/sa1100fb.rst
> index 67e2650e017d12..c5ca019b361a94 100644
> --- a/Documentation/fb/sa1100fb.rst
> +++ b/Documentation/fb/sa1100fb.rst
> @@ -1,9 +1,6 @@
> -=================
> -What is sa1100fb?
> -=================
> -
> -.. [This file is cloned from VesaFB/matroxfb]
> -
> +=================================================
> +sa1100fb - SA-1100 LCD graphic framebuffer driver
> +=================================================
>
> This is a driver for a graphic framebuffer for the SA-1100 LCD
> controller.
> diff --git a/Documentation/fb/sisfb.rst b/Documentation/fb/sisfb.rst
> index 8f4e502ea12ea7..9982f5ee05601b 100644
> --- a/Documentation/fb/sisfb.rst
> +++ b/Documentation/fb/sisfb.rst
> @@ -1,6 +1,6 @@
> -==============
> -What is sisfb?
> -==============
> +=====================================
> +sisfb - SiS framebuffer device driver
> +=====================================
>
> sisfb is a framebuffer device driver for SiS (Silicon Integrated Systems)
> graphics chips. Supported are:
> diff --git a/Documentation/fb/sm712fb.rst b/Documentation/fb/sm712fb.rst
> index 8e000f80b5bc6d..abbc6efae25f46 100644
> --- a/Documentation/fb/sm712fb.rst
> +++ b/Documentation/fb/sm712fb.rst
> @@ -1,6 +1,6 @@
> -================
> -What is sm712fb?
> -================
> +==========================================================
> +sm712fb - Silicon Motion SM712 graphics framebuffer driver
> +==========================================================
>
> This is a graphics framebuffer driver for Silicon Motion SM712 based processors.
>
> diff --git a/Documentation/fb/tgafb.rst b/Documentation/fb/tgafb.rst
> index 0c50d2134aa433..f0944da1ea5ef1 100644
> --- a/Documentation/fb/tgafb.rst
> +++ b/Documentation/fb/tgafb.rst
> @@ -1,6 +1,6 @@
> -==============
> -What is tgafb?
> -==============
> +=======================================
> +tgafb - TGA graphics framebuffer driver
> +=======================================
>
> This is a driver for DECChip 21030 based graphics framebuffers, a.k.a. TGA
> cards, which are usually found in older Digital Alpha systems. The
> diff --git a/Documentation/fb/udlfb.rst b/Documentation/fb/udlfb.rst
> index 99cfbb7a192238..9e75ac6b07c36a 100644
> --- a/Documentation/fb/udlfb.rst
> +++ b/Documentation/fb/udlfb.rst
> @@ -1,6 +1,6 @@
> -==============
> -What is udlfb?
> -==============
> +==================================
> +udlfb - DisplayLink USB 2.0 driver
> +==================================
>
> This is a driver for DisplayLink USB 2.0 era graphics chips.
>
> diff --git a/Documentation/fb/vesafb.rst b/Documentation/fb/vesafb.rst
> index f890a4f5623b45..5ffb35efd4538a 100644
> --- a/Documentation/fb/vesafb.rst
> +++ b/Documentation/fb/vesafb.rst
> @@ -1,6 +1,6 @@
> -===============
> -What is vesafb?
> -===============
> +===========================================
> +Generic graphic framebuffer driver (vesafb)
> +===========================================
vesafb - Generic graphic framebuffer driver
>
> This is a generic driver for a graphic framebuffer on intel boxes.
>
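Review bot: this is the only hunk that puts the driver name last ('Generic graphic framebuffer driver (vesafb)'); the rest of the series uses '<driver> - <description>', and patch 3/3's toctree displays these titles side by side, so the inconsistency will be visible there. If the title is reworded, the overline and underline must be adjusted to the new length.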
Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Thanks.
--
~Randy
* Re: [PATCH 1/3] Documentation: fb: ep93xx: Demote section headings
From: Randy Dunlap @ 2025-09-21 4:09 UTC
To: Bagas Sanjaya, Linux Kernel Mailing List, Linux Documentation,
Linux Framebuffer, Linux DRI Development
Cc: Helge Deller, Jonathan Corbet, Sudip Mukherjee, Teddy Wang,
Bernie Thompson, Mauro Carvalho Chehab, Ard Biesheuvel,
Arvind Sankar
In-Reply-To: <20250919003640.14867-2-bagasdotme@gmail.com>
On 9/18/25 5:36 PM, Bagas Sanjaya wrote:
> Section headings are formatted the same as the title heading, thus
> increasing the number of entries in the framebuffer toctree. Demote them.
>
> Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
Looks good. Thanks.
Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
> ---
> Documentation/fb/ep93xx-fb.rst | 4 ----
> 1 file changed, 4 deletions(-)
>
> diff --git a/Documentation/fb/ep93xx-fb.rst b/Documentation/fb/ep93xx-fb.rst
> index 1dd67f4688c751..93b3494f530979 100644
> --- a/Documentation/fb/ep93xx-fb.rst
> +++ b/Documentation/fb/ep93xx-fb.rst
> @@ -41,7 +41,6 @@ your board initialisation function::
>
> ep93xx_register_fb(&some_board_fb_info);
>
> -=====================
> Video Attribute Flags
> =====================
>
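Review bot: removing only the overline is the right way to demote here, since Sphinx treats overline-plus-underline and underline-only with the same character as two distinct levels; the four hunks keep each underline equal in length to its heading text, which is required. It would help to state in the commit message that the file's title keeps the overlined style, so a reader understands why the remaining '=' underlines now rank lower rather than wondering whether the overlines were lost by accident.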
> @@ -79,7 +78,6 @@ EP93XXFB_USE_SDCSN2 Use SDCSn[2] for the framebuffer.
> EP93XXFB_USE_SDCSN3 Use SDCSn[3] for the framebuffer.
> =============================== ======================================
>
> -==================
> Platform callbacks
> ==================
>
> @@ -101,7 +99,6 @@ obtained as follows::
> /* Board specific framebuffer setup */
> }
>
> -======================
> Setting the video mode
> ======================
>
> @@ -119,7 +116,6 @@ set when the module is installed::
>
> modprobe ep93xx-fb video=320x240
>
> -==============
> Screenpage bug
> ==============
>
--
~Randy
* [syzbot] [fbdev?] KASAN: slab-out-of-bounds Read in fb_pad_unaligned_buffer (4)
From: syzbot @ 2025-09-22 4:15 UTC
To: deller, dri-devel, linux-fbdev, linux-kernel, simona,
syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: b320789d6883 Linux 6.17-rc4
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16ceae62580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d4703ac89d9e185a
dashboard link: https://syzkaller.appspot.com/bug?extid=55e03490a0175b8dd81d
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/daf1f6c847dd/disk-b320789d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fbeb0bd5d987/vmlinux-b320789d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a85084f8e16b/bzImage-b320789d.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+55e03490a0175b8dd81d@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in fb_pad_unaligned_buffer+0x3b8/0x440 drivers/video/fbdev/core/fbmem.c:110
Read of size 1 at addr ffff888075fb54e4 by task syz.0.1621/12752
CPU: 1 UID: 0 PID: 12752 Comm: syz.0.1621 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/14/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
fb_pad_unaligned_buffer+0x3b8/0x440 drivers/video/fbdev/core/fbmem.c:110
bit_putcs_unaligned drivers/video/fbdev/core/bitblit.c:129 [inline]
bit_putcs+0x870/0xde0 drivers/video/fbdev/core/bitblit.c:187
fbcon_putcs+0x384/0x4a0 drivers/video/fbdev/core/fbcon.c:1327
con_flush drivers/tty/vt/vt.c:2746 [inline]
do_con_write+0xfed/0x8280 drivers/tty/vt/vt.c:3173
con_write+0x23/0xb0 drivers/tty/vt/vt.c:3516
process_output_block drivers/tty/n_tty.c:561 [inline]
n_tty_write+0x41c/0x11e0 drivers/tty/n_tty.c:2377
iterate_tty_write drivers/tty/tty_io.c:1006 [inline]
file_tty_write.constprop.0+0x504/0x9b0 drivers/tty/tty_io.c:1081
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x7d3/0x11d0 fs/read_write.c:686
ksys_write+0x12a/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1f5fb8ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1f60a10038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f1f5fdc6180 RCX: 00007f1f5fb8ebe9
RDX: 0000000000001066 RSI: 0000200000001640 RDI: 0000000000000009
RBP: 00007f1f5fc11e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f1f5fdc6218 R14: 00007f1f5fdc6180 R15: 00007ffc8f9c3728
</TASK>
Allocated by task 10009:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4365 [inline]
__kmalloc_noprof+0x223/0x510 mm/slub.c:4377
kmalloc_noprof include/linux/slab.h:909 [inline]
fbcon_set_font+0x434/0xb80 drivers/video/fbdev/core/fbcon.c:2536
con_font_set drivers/tty/vt/vt.c:4887 [inline]
con_font_op+0x7fb/0xf50 drivers/tty/vt/vt.c:4934
vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]
vt_ioctl+0x48f/0x30a0 drivers/tty/vt/vt_ioctl.c:751
tty_ioctl+0x661/0x1680 drivers/tty/tty_io.c:2792
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:598 [inline]
__se_sys_ioctl fs/ioctl.c:584 [inline]
__x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:584
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888075fb5000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 468 bytes to the right of
allocated 784-byte region [ffff888075fb5000, ffff888075fb5310)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x75fb0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b841dc0 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801b841dc0 0000000000000000 dead000000000001
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0001d7ec01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 37, tgid 37 (kworker/u8:3), ts 77706432678, free_ts 77578310551
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x132b/0x38e0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:5148
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:2487 [inline]
allocate_slab mm/slub.c:2655 [inline]
new_slab+0x247/0x330 mm/slub.c:2709
___slab_alloc+0xcf2/0x1740 mm/slub.c:3891
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3981
__slab_alloc_node mm/slub.c:4056 [inline]
slab_alloc_node mm/slub.c:4217 [inline]
__do_kmalloc_node mm/slub.c:4364 [inline]
__kmalloc_noprof+0x2f2/0x510 mm/slub.c:4377
kmalloc_noprof include/linux/slab.h:909 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
ieee802_11_parse_elems_full+0x1db/0x3780 net/mac80211/parse.c:1011
ieee802_11_parse_elems_crc net/mac80211/ieee80211_i.h:2462 [inline]
ieee802_11_parse_elems net/mac80211/ieee80211_i.h:2469 [inline]
ieee80211_inform_bss+0x10b/0x1140 net/mac80211/scan.c:79
rdev_inform_bss net/wireless/rdev-ops.h:418 [inline]
cfg80211_inform_single_bss_data+0x8e7/0x1df0 net/wireless/scan.c:2379
cfg80211_inform_bss_data+0x224/0x3bd0 net/wireless/scan.c:3234
cfg80211_inform_bss_frame_data+0x26f/0x750 net/wireless/scan.c:3325
ieee80211_bss_info_update+0x310/0xab0 net/mac80211/scan.c:226
ieee80211_rx_bss_info net/mac80211/ibss.c:1094 [inline]
ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1573 [inline]
ieee80211_ibss_rx_queued_mgmt+0x1905/0x2fd0 net/mac80211/ibss.c:1600
ieee80211_iface_process_skb net/mac80211/iface.c:1699 [inline]
ieee80211_iface_work+0xe2e/0x1360 net/mac80211/iface.c:1753
page last free pid 5220 tgid 5220 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
__free_frozen_pages+0x7d5/0x10f0 mm/page_alloc.c:2895
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4d/0x120 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:340
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4180 [inline]
slab_alloc_node mm/slub.c:4229 [inline]
kmem_cache_alloc_noprof+0x1cb/0x3b0 mm/slub.c:4236
getname_flags.part.0+0x4c/0x550 fs/namei.c:146
getname_flags+0x93/0xf0 include/linux/audit.h:322
do_readlinkat+0xb4/0x3a0 fs/stat.c:575
__do_sys_readlink fs/stat.c:613 [inline]
__se_sys_readlink fs/stat.c:610 [inline]
__x64_sys_readlink+0x78/0xc0 fs/stat.c:610
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff888075fb5380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888075fb5400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888075fb5480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888075fb5500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888075fb5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Re: [PATCH] fbcon: fix integer overflow in fbcon_do_set_font
From: Thomas Zimmermann @ 2025-09-22 6:24 UTC
To: Samasth Norway Ananda, simona, deller
Cc: linux-fbdev, dri-devel, linux-kernel
In-Reply-To: <20250912170023.3931881-1-samasth.norway.ananda@oracle.com>
On 12.09.25 at 19:00, Samasth Norway Ananda wrote:
> Fix integer overflow vulnerabilities in fbcon_do_set_font() where font
> size calculations could overflow when handling user-controlled font
> parameters.
>
> The vulnerabilities occur when:
> 1. CALC_FONTSZ(h, pitch, charcount) performs h * pitch * charcount
> multiplication with user-controlled values that can overflow.
> 2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow
> 3. This results in smaller allocations than expected, leading to buffer
> overflows during font data copying.
>
> Add explicit overflow checking using check_mul_overflow() and
> check_add_overflow() kernel helpers to safely validate all size
> calculations before allocation.
>
> Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Thanks a lot for the patch.
> ---
> drivers/video/fbdev/core/fbcon.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> index 55f5731e94c3..a507d05f8fea 100644
> --- a/drivers/video/fbdev/core/fbcon.c
> +++ b/drivers/video/fbdev/core/fbcon.c
> @@ -2531,9 +2531,16 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font,
> if (fbcon_invalid_charcount(info, charcount))
> return -EINVAL;
>
> - size = CALC_FONTSZ(h, pitch, charcount);
> + /* Check for integer overflow in font size calculation */
> + if (check_mul_overflow(h, pitch, &size) ||
> + check_mul_overflow(size, charcount, &size))
> + return -EINVAL;
> +
> + /* Check for overflow in allocation size calculation */
> + if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &size))
> + return -EINVAL;
>
> - new_data = kmalloc(FONT_EXTRA_WORDS * sizeof(int) + size, GFP_USER);
> + new_data = kmalloc(size, GFP_USER);
>
> if (!new_data)
> return -ENOMEM;
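Review bot: the add check writes the header-inclusive total back into `size`, which before the patch held only the font data length; the hunk does not show the rest of the function, so if `size` is used after the allocation (for example to record the font data size or to bound the per-glyph copy), those users now see a value that is FONT_EXTRA_WORDS * sizeof(int) too large. Storing the sum in a separate variable (say `alloc_size`) and passing that to kmalloc() keeps `size` meaning what it did before.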
--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Frankenstrasse 146, 90461 Nuernberg, Germany
GF: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman
HRB 36809 (AG Nuernberg)
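The checked-versus-unchecked size computation that the patch above describes, as a stand-alone userspace model added here (not code from the patch or the kernel): FONT_EXTRA_WORDS, PITCH() and the input values are assumptions for the example, the kernel's earlier range checks on h, w and charcount are not modelled, and the GCC/Clang overflow builtins stand in for check_mul_overflow()/check_add_overflow(), which expand to them in the kernel. Unlike the patch, the model keeps the final allocation size in its own variable instead of writing it back into `size`.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constants modelled on fbcon's PITCH() and FONT_EXTRA_WORDS; the values
 * here are assumptions for this stand-alone example, not taken from the tree. */
#define FONT_EXTRA_WORDS 4
#define PITCH(w) (((w) + 7) >> 3)

/* Pre-patch behaviour: h * pitch * charcount with no overflow check.
 * int * int * unsigned is evaluated in unsigned arithmetic and wraps silently,
 * so a large charcount can produce a tiny size and hence a tiny allocation. */
static int fontsz_unchecked(int h, int pitch, unsigned int charcount)
{
    return h * pitch * charcount;
}

/* Post-patch behaviour: each multiplication and the final addition are
 * checked with the builtins that the kernel's check_mul_overflow() and
 * check_add_overflow() expand to. Returns 0 and the allocation size in
 * *alloc_size, or -EINVAL if any intermediate result does not fit. */
static int fontsz_checked(int h, int pitch, unsigned int charcount, size_t *alloc_size)
{
    int size;
    size_t total;

    if (__builtin_mul_overflow(h, pitch, &size) ||
        __builtin_mul_overflow(size, charcount, &size))
        return -EINVAL;

    if (__builtin_add_overflow(FONT_EXTRA_WORDS * sizeof(int), (size_t)size, &total))
        return -EINVAL;

    *alloc_size = total;
    return 0;
}

/* Convenience wrapper: the allocation size, or -1 when the checks reject. */
static long checked_alloc_size(int h, int pitch, unsigned int charcount)
{
    size_t n;

    if (fontsz_checked(h, pitch, charcount, &n))
        return -1;
    return (long)n;
}

int main(void)
{
    /* Constructed inputs: a 32-pixel-high font with the usual 256 glyphs, and a
     * charcount chosen so that 32 * 4 * charcount wraps to exactly 0 in 32 bits. */
    const unsigned int normal = 256, wrap = 33554432u;

    printf("unchecked: normal=%d wrap=%d\n",
           fontsz_unchecked(32, PITCH(32), normal),
           fontsz_unchecked(32, PITCH(32), wrap));
    printf("checked:   normal=%ld wrap=%ld\n",
           checked_alloc_size(32, PITCH(32), normal),
           checked_alloc_size(32, PITCH(32), wrap));
    return 0;
}
```

The unchecked version returns 0 for the wrapping input, so the old code would have allocated only the FONT_EXTRA_WORDS header and then copied font data past it; the checked version rejects the same input before any allocation happens.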
* Re: [PATCH] fbdev: Delay the setting of fbcon_ops to fix KASAN issues
From: Thomas Zimmermann @ 2025-09-22 6:31 UTC
To: Zizhi Wo, deller, lee, jani.nikula, oushixiong, soci
Cc: linux-kernel, linux-fbdev, dri-devel, yangerkun
In-Reply-To: <20250905024340.337521-1-wozizhi@huaweicloud.com>
Hi
On 05.09.25 at 04:43, Zizhi Wo wrote:
> [BUG]
> Recently, we encountered a KASAN warning as follows:
>
> kasan_report+0xaf/0xe0 mm/kasan/report.c:588
> fb_pad_aligned_buffer+0x12f/0x150 drivers/video/fbdev/core/fbmem.c:116
> ccw_putcs_aligned drivers/video/fbdev/core/fbcon_ccw.c:119 [inline]
> ccw_putcs+0x9ac/0xbb0 drivers/video/fbdev/core/fbcon_ccw.c:175
> fbcon_putcs+0x329/0x3f0 drivers/video/fbdev/core/fbcon.c:1297
> do_update_region+0x3de/0x670 drivers/tty/vt/vt.c:623
> invert_screen+0x1de/0x600 drivers/tty/vt/vt.c:748
> highlight drivers/tty/vt/selection.c:57 [inline]
> clear_selection+0x5e/0x70 drivers/tty/vt/selection.c:81
> vc_do_resize+0xc8e/0xf40 drivers/tty/vt/vt.c:1206
> fbcon_modechanged+0x489/0x7a0 drivers/video/fbdev/core/fbcon.c:2705
> fbcon_set_all_vcs+0x1e0/0x600 drivers/video/fbdev/core/fbcon.c:2752
> fbcon_rotate_all drivers/video/fbdev/core/fbcon.c:250 [inline]
> ...
>
> reproduce[probabilistic, depending on the width and height of vc_font, as
> well as the value of "p" in do_update_region()]:
Which font sizes trigger the bug?
> 1) echo 2 > /sys/devices/virtual/graphics/fbcon/rotate_all
> 2) echo 3 > /sys/devices/virtual/graphics/fbcon/rotate_all
>
> [CAUSE]
> The root cause is that fbcon_modechanged() first sets the current rotate's
> corresponding ops. Subsequently, during vc_resize(), it may trigger
> clear_selection(), and in fbcon_putcs->ccw_putcs[rotate=3], this can result
> in an out-of-bounds access to "src". This happens because ops->fontbuffer
> is reallocated in fbcon_rotate_font():
> 1) When rotate=2, its size is (width + 7) / 8 * height
> 2) When rotate=3, its size is (height + 7) / 8 * width
>
> And the call to fbcon_rotate_font() occurs after clear_selection(). In
> other words, the fontbuffer is allocated using the size calculated from the
> previous rotation[2], but before reallocating it with the new size,
> con_putcs is already using the new rotation[3]:
We recently reworked the way rotation callbacks are set. [1] Does the
bug still happen with [1] applied?
[1] https://patchwork.freedesktop.org/series/153056/#rev2
Best regards
Thomas
>
> rotate_all_store
> fbcon_rotate_all
> fbcon_set_all_vcs
> fbcon_modechanged
> ...
> fbcon_set_rotate
> fbcon_rotate_ccw
> ops->putcs = ccw_putcs // set rotate 3 ops
> vc_resize
> ...
> clear_selection
> highlight
> ...
> do_update_region
> fbcon_putcs
> ccw_putcs_aligned
> src = ops->fontbuffer + (scr_readw(s--) & charmask)*cellsize
> fb_pad_aligned_buffer----[src KASAN!!!]
> update_screen
> redraw_screen
> fbcon_switch
> fbcon_rotate_font
> dst = kmalloc_array(len, d_cellsize, GFP_KERNEL)
> ops->fontbuffer = dst
>
> [FIX]
> Considering that when the rotation changes, clear_selection() should clear
> the previously selected region and not consider the new rotation yet.
> Therefore, the assignment to fbcon_ops for the newly set rotate can be
> postponed to fbcon_rotate_font(), since the fontbuffer is regenerated
> there. To avoid affecting other code paths, fbcon_set_rotate() will
> temporarily continue assigning fbcon_ops based on cur_rotate not rotate.
>
> Signed-off-by: Zizhi Wo <wozizhi@huaweicloud.com>
> ---
> drivers/video/fbdev/core/fbcon_rotate.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/video/fbdev/core/fbcon_rotate.c b/drivers/video/fbdev/core/fbcon_rotate.c
> index ec3c883400f7..d76446da24d4 100644
> --- a/drivers/video/fbdev/core/fbcon_rotate.c
> +++ b/drivers/video/fbdev/core/fbcon_rotate.c
> @@ -70,6 +70,7 @@ static int fbcon_rotate_font(struct fb_info *info, struct vc_data *vc)
> src += s_cellsize;
> dst += d_cellsize;
> }
> + fbcon_rotate_ud(ops);
> break;
> case FB_ROTATE_CW:
> for (i = len; i--; ) {
> @@ -78,6 +79,7 @@ static int fbcon_rotate_font(struct fb_info *info, struct vc_data *vc)
> src += s_cellsize;
> dst += d_cellsize;
> }
> + fbcon_rotate_cw(ops);
> break;
> case FB_ROTATE_CCW:
> for (i = len; i--; ) {
> @@ -86,6 +88,7 @@ static int fbcon_rotate_font(struct fb_info *info, struct vc_data *vc)
> src += s_cellsize;
> dst += d_cellsize;
> }
> + fbcon_rotate_ccw(ops);
> break;
> }
>
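Review bot: the three visible cases now install the UD, CW and CCW callbacks after the font has been rotated, but no hunk touches the FB_ROTATE_UR path; if rotating back to 0 goes through a route that reaches none of these cases (the first hunk starts inside the UD loop, so the head of the switch is not visible), ops->putcs and friends stay on the previous rotation's callbacks while the rotation value already says unrotated. Likewise any early return in fbcon_rotate_font() before the switch, such as the kmalloc_array() failure in the call chain the commit message quotes, leaves the old callbacks installed; the commit message should say how those paths are handled.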
> @@ -97,7 +100,7 @@ void fbcon_set_rotate(struct fbcon_ops *ops)
> {
> ops->rotate_font = fbcon_rotate_font;
>
> - switch(ops->rotate) {
> + switch (ops->cur_rotate) {
> case FB_ROTATE_CW:
> fbcon_rotate_cw(ops);
> break;
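Review bot: switching on ops->cur_rotate here is described in the commit message as temporary; a short code comment that the callbacks are now installed in two places (here for the current rotation, in fbcon_rotate_font() for the new one) would stop the next reader from taking a switch on the current rotation inside a function named fbcon_set_rotate() for a typo. The hunk shows only the CW case; the remaining cases and the default/unrotated handling below it are not visible and need the same cur_rotate versus rotate distinction checked.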
--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Frankenstrasse 146, 90461 Nuernberg, Germany
GF: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman
HRB 36809 (AG Nuernberg)
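To make the size mismatch in the commit message concrete, an added example that is not from the patch or the kernel: it computes the per-glyph cell size for the UD and CCW rotations with the two formulas quoted in the [CAUSE] section and reports whether reading the last glyph with the CCW cell size would run past a buffer that was allocated with the UD cell size. The font dimensions and the glyph count are constructed inputs; the dependency on the value of "p" in do_update_region() that the commit message also mentions is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Per-glyph cell size of the rotated font buffer, following the two formulas
 * from the commit message: for rotate=2 (UD) a glyph row is width bits padded
 * to whole bytes, times height; for rotate=3 (CCW) it is height bits padded
 * to whole bytes, times width. */
static unsigned int cellsize_ud(unsigned int w, unsigned int h)
{
    return ((w + 7) / 8) * h;
}

static unsigned int cellsize_ccw(unsigned int w, unsigned int h)
{
    return ((h + 7) / 8) * w;
}

/* The access the KASAN trace flags: glyph c is read from
 * fontbuffer + c * read_cell for read_cell bytes, so the byte just past the
 * read is (c + 1) * read_cell. Compare that against a buffer of len glyphs
 * sized with the previous rotation's cell size. True means out of bounds. */
static bool read_overruns(unsigned int buf_cell, unsigned int read_cell,
                          unsigned int len, unsigned int c)
{
    unsigned long buffer_bytes = (unsigned long)len * buf_cell;
    unsigned long end_of_read = (unsigned long)(c + 1) * read_cell;

    return end_of_read > buffer_bytes;
}

/* The rotate=2 -> rotate=3 transition from the reproducer: the buffer is
 * still sized for UD while the callbacks already read with the CCW cell size.
 * The worst case is the last glyph, so the answer depends only on whether the
 * CCW cell is larger than the UD cell. */
static bool ud_to_ccw_overruns(unsigned int w, unsigned int h, unsigned int len)
{
    return read_overruns(cellsize_ud(w, h), cellsize_ccw(w, h), len, len - 1);
}

int main(void)
{
    /* Constructed font sizes; 256 glyphs is the usual console font length. */
    const struct { unsigned int w, h; } fonts[] = {
        { 8, 16 }, { 8, 8 }, { 6, 11 }, { 5, 9 },
        { 12, 22 }, { 7, 14 }, { 10, 18 }, { 9, 16 },
    };

    for (size_t i = 0; i < sizeof(fonts) / sizeof(fonts[0]); i++) {
        unsigned int w = fonts[i].w, h = fonts[i].h;

        printf("%2ux%-2u  ud_cell=%3u  ccw_cell=%3u  %s\n", w, h,
               cellsize_ud(w, h), cellsize_ccw(w, h),
               ud_to_ccw_overruns(w, h, 256) ? "OVERRUN" : "ok");
    }
    return 0;
}
```

Fonts whose width is not a multiple of 8 but whose height is close to one (6x11, 5x9 in the table) are the ones where the CCW cell is larger than the UD cell, which is why the commit message calls the reproducer probabilistic with respect to font size: with the common 8x16 font the two cell sizes coincide and the stale buffer happens to be large enough.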
* Re: [PATCH] fbcon: fix integer overflow in fbcon_do_set_font
From: Thomas Zimmermann @ 2025-09-22 6:34 UTC
To: Samasth Norway Ananda, simona, deller
Cc: linux-fbdev, dri-devel, linux-kernel
In-Reply-To: <20250912170023.3931881-1-samasth.norway.ananda@oracle.com>
On 12.09.25 at 19:00, Samasth Norway Ananda wrote:
> Fix integer overflow vulnerabilities in fbcon_do_set_font() where font
> size calculations could overflow when handling user-controlled font
> parameters.
>
> The vulnerabilities occur when:
> 1. CALC_FONTSZ(h, pitch, charcount) performs h * pitch * charcount
> multiplication with user-controlled values that can overflow.
> 2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow
> 3. This results in smaller allocations than expected, leading to buffer
> overflows during font data copying.
>
> Add explicit overflow checking using check_mul_overflow() and
> check_add_overflow() kernel helpers to safely validate all size
> calculations before allocation.
>
> Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
Fixes: 39b3cffb8cf3 ("fbcon: prevent user font height or width change
from causing potential out-of-bounds access")
Cc: George Kennedy <george.kennedy@oracle.com>
Cc: stable <stable@vger.kernel.org>
Cc: syzbot+38a3699c7eaf165b97a6@syzkaller.appspotmail.com
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Simona Vetter <simona@ffwll.ch>
Cc: Helge Deller <deller@gmx.de>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: "Ville Syrjälä" <ville.syrjala@linux.intel.com>
Cc: Sam Ravnborg <sam@ravnborg.org>
Cc: Qianqiang Liu <qianqiang.liu@163.com>
Cc: Shixiong Ou <oushixiong@kylinos.cn>
Cc: Kees Cook <kees@kernel.org>
Cc: <stable@vger.kernel.org> # v5.9+
> ---
> drivers/video/fbdev/core/fbcon.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> index 55f5731e94c3..a507d05f8fea 100644
> --- a/drivers/video/fbdev/core/fbcon.c
> +++ b/drivers/video/fbdev/core/fbcon.c
> @@ -2531,9 +2531,16 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font,
> if (fbcon_invalid_charcount(info, charcount))
> return -EINVAL;
>
> - size = CALC_FONTSZ(h, pitch, charcount);
> + /* Check for integer overflow in font size calculation */
> + if (check_mul_overflow(h, pitch, &size) ||
> + check_mul_overflow(size, charcount, &size))
> + return -EINVAL;
> +
> + /* Check for overflow in allocation size calculation */
> + if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &size))
> + return -EINVAL;
>
> - new_data = kmalloc(FONT_EXTRA_WORDS * sizeof(int) + size, GFP_USER);
> + new_data = kmalloc(size, GFP_USER);
>
> if (!new_data)
> return -ENOMEM;
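Review bot: the hunk header shows the change lands in fbcon_set_font(), while the subject and commit message name fbcon_do_set_font(); one of them should be corrected so the Fixes and stable references point at the right function. With the `size = CALC_FONTSZ(h, pitch, charcount)` line gone, check whether CALC_FONTSZ has any remaining users and drop the macro if not. And since `check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &size)` stores a size_t-typed sum into `size`, whose declaration is outside the hunk, a comment noting that the helper treats truncation to the destination type as overflow would save the next reader from checking that by hand.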
--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Frankenstrasse 146, 90461 Nuernberg, Germany
GF: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman
HRB 36809 (AG Nuernberg)
* [PATCH] MAINTAINERS: Add dedicated entry for fbcon
From: Thomas Zimmermann @ 2025-09-22 7:57 UTC
To: simona, deller; +Cc: dri-devel, linux-fbdev, linux-kernel, Thomas Zimmermann
While fbdev as a whole is obsolete, fbcon is still relevant for
most Linux systems. But it's been under-maintained for some time.
I'm volunteering to keep an eye on fbcon.
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
---
MAINTAINERS | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/MAINTAINERS b/MAINTAINERS
index 838ae3c2b6fc..749844664f8e 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -9666,6 +9666,25 @@ S: Maintained
W: https://floatingpoint.billm.au/
F: arch/x86/math-emu/
+FRAMEBUFFER CONSOLE
+M: Thomas Zimmermann <tzimmermann@suse.de>
+L: dri-devel@lists.freedesktop.org
+L: linux-fbdev@vger.kernel.org
+S: Maintained
+T: git https://gitlab.freedesktop.org/drm/misc/kernel.git
+F: Documentation/fb/fbcon.rst
+F: drivers/video/fbdev/core/bitblit.c
+F: drivers/video/fbdev/core/fb_logo.c
+F: drivers/video/fbdev/core/fbcon.c
+F: drivers/video/fbdev/core/fbcon.h
+F: drivers/video/fbdev/core/fbcon_ccw.c
+F: drivers/video/fbdev/core/fbcon_cw.c
+F: drivers/video/fbdev/core/fbcon_rotate.c
+F: drivers/video/fbdev/core/fbcon_rotate.h
+F: drivers/video/fbdev/core/fbcon_ud.c
+F: drivers/video/fbdev/core/softcursor.c
+F: drivers/video/fbdev/core/tileblit.c
+
FRAMEBUFFER CORE
M: Simona Vetter <simona@ffwll.ch>
S: Odd Fixes
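Review bot: the new `T: git https://gitlab.freedesktop.org/drm/misc/kernel.git` line routes fbcon patches through the drm-misc tree, but the commit message only says you are volunteering to keep an eye on fbcon; add a sentence stating that fbcon changes are expected to go in via drm-misc from now on, since that is what contributors (and the neighbouring `FRAMEBUFFER CORE` entry with `S: Odd Fixes`) need to know to pick the right tree.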
--
2.51.0
* Re: [PATCH 2/3] Documentation: fb: Retitle driver docs
From: Bagas Sanjaya @ 2025-09-22 10:21 UTC (permalink / raw)
To: Randy Dunlap, Linux Kernel Mailing List, Linux Documentation,
Linux Framebuffer, Linux DRI Development
Cc: Helge Deller, Jonathan Corbet, Sudip Mukherjee, Teddy Wang,
Bernie Thompson, Mauro Carvalho Chehab, Ard Biesheuvel,
Arvind Sankar
In-Reply-To: <222d551c-fb01-4a8c-9b83-daef019b6795@infradead.org>
On Sat, Sep 20, 2025 at 09:08:57PM -0700, Randy Dunlap wrote:
> > diff --git a/Documentation/fb/aty128fb.rst b/Documentation/fb/aty128fb.rst
> > index 3f107718f933fc..0da8070a552165 100644
> > --- a/Documentation/fb/aty128fb.rst
> > +++ b/Documentation/fb/aty128fb.rst
> > @@ -1,8 +1,6 @@
> > -=================
> > -What is aty128fb?
> > -=================
> > -
> > -.. [This file is cloned from VesaFB/matroxfb]
> > +=========================================
> > +aty128fb - ATI Rage128 framebuffer driver
> > +=========================================
> >
> > This is a driver for a graphic framebuffer for ATI Rage128 based devices
> > on Intel and PPC boxes.
> > diff --git a/Documentation/fb/efifb.rst b/Documentation/fb/efifb.rst
> > index 6badff64756f49..3d4aab406dee0a 100644
> > --- a/Documentation/fb/efifb.rst
> > +++ b/Documentation/fb/efifb.rst
> > @@ -1,6 +1,6 @@
> > -==============
> > -What is efifb?
> > -==============
> > +===================================
> > +efifb - Generic EFI platform driver
> > +===================================
> >
> > This is a generic EFI platform driver for systems with UEFI firmware. The
> > system must be booted via the EFI stub for this to be usable. efifb supports
> > diff --git a/Documentation/fb/gxfb.rst b/Documentation/fb/gxfb.rst
> > index 5738709bccbbf3..3fda485606bdc1 100644
> > --- a/Documentation/fb/gxfb.rst
> > +++ b/Documentation/fb/gxfb.rst
> > @@ -1,8 +1,6 @@
> > -=============
> > -What is gxfb?
> > -=============
> > -
> > -.. [This file is cloned from VesaFB/aty128fb]
> > +=======================================
> > +gxfb - AMD Geode GX2 framebuffer driver
> > +=======================================
> >
> > This is a graphics framebuffer driver for AMD Geode GX2 based processors.
> >
> > diff --git a/Documentation/fb/lxfb.rst b/Documentation/fb/lxfb.rst
> > index 863e6b98fbae55..0a176ab376e30e 100644
> > --- a/Documentation/fb/lxfb.rst
> > +++ b/Documentation/fb/lxfb.rst
> > @@ -1,9 +1,6 @@
> > -=============
> > -What is lxfb?
> > -=============
> > -
> > -.. [This file is cloned from VesaFB/aty128fb]
> > -
> > +======================================
> > +lxfb - AMD Geode LX framebuffer driver
> > +======================================
> >
> > This is a graphics framebuffer driver for AMD Geode LX based processors.
> >
> > diff --git a/Documentation/fb/matroxfb.rst b/Documentation/fb/matroxfb.rst
> > index 6158c49c857148..34cafaa00bab19 100644
> > --- a/Documentation/fb/matroxfb.rst
> > +++ b/Documentation/fb/matroxfb.rst
> > @@ -1,9 +1,6 @@
> > -=================
> > -What is matroxfb?
> > -=================
> > -
> > -.. [This file is cloned from VesaFB. Thanks go to Gerd Knorr]
> > -
> > +==================================
> > +matroxfb driver for Matrox devices
> > +==================================
>
> Add a '-' after matroxfb
>
> >
> > This is a driver for a graphic framebuffer for Matrox devices on
> > Alpha, Intel and PPC boxes.
> > diff --git a/Documentation/fb/pvr2fb.rst b/Documentation/fb/pvr2fb.rst
> > index fcf2c21c8fcfeb..315ce085a5855b 100644
> > --- a/Documentation/fb/pvr2fb.rst
> > +++ b/Documentation/fb/pvr2fb.rst
> > @@ -1,6 +1,6 @@
> > -===============
> > -What is pvr2fb?
> > -===============
> > +===============================================
> > +pvr2fb - PowerVR 2 graphics frame buffer driver
> > +===============================================
> >
> > This is a driver for PowerVR 2 based graphics frame buffers, such as the
> > one found in the Dreamcast.
> > diff --git a/Documentation/fb/sa1100fb.rst b/Documentation/fb/sa1100fb.rst
> > index 67e2650e017d12..c5ca019b361a94 100644
> > --- a/Documentation/fb/sa1100fb.rst
> > +++ b/Documentation/fb/sa1100fb.rst
> > @@ -1,9 +1,6 @@
> > -=================
> > -What is sa1100fb?
> > -=================
> > -
> > -.. [This file is cloned from VesaFB/matroxfb]
> > -
> > +=================================================
> > +sa1100fb - SA-1100 LCD graphic framebuffer driver
> > +=================================================
> >
> > This is a driver for a graphic framebuffer for the SA-1100 LCD
> > controller.
> > diff --git a/Documentation/fb/sisfb.rst b/Documentation/fb/sisfb.rst
> > index 8f4e502ea12ea7..9982f5ee05601b 100644
> > --- a/Documentation/fb/sisfb.rst
> > +++ b/Documentation/fb/sisfb.rst
> > @@ -1,6 +1,6 @@
> > -==============
> > -What is sisfb?
> > -==============
> > +=====================================
> > +sisfb - SiS framebuffer device driver
> > +=====================================
> >
> > sisfb is a framebuffer device driver for SiS (Silicon Integrated Systems)
> > graphics chips. Supported are:
> > diff --git a/Documentation/fb/sm712fb.rst b/Documentation/fb/sm712fb.rst
> > index 8e000f80b5bc6d..abbc6efae25f46 100644
> > --- a/Documentation/fb/sm712fb.rst
> > +++ b/Documentation/fb/sm712fb.rst
> > @@ -1,6 +1,6 @@
> > -================
> > -What is sm712fb?
> > -================
> > +==========================================================
> > +sm712fb - Silicon Motion SM712 graphics framebuffer driver
> > +==========================================================
> >
> > This is a graphics framebuffer driver for Silicon Motion SM712 based processors.
> >
> > diff --git a/Documentation/fb/tgafb.rst b/Documentation/fb/tgafb.rst
> > index 0c50d2134aa433..f0944da1ea5ef1 100644
> > --- a/Documentation/fb/tgafb.rst
> > +++ b/Documentation/fb/tgafb.rst
> > @@ -1,6 +1,6 @@
> > -==============
> > -What is tgafb?
> > -==============
> > +=======================================
> > +tgafb - TGA graphics framebuffer driver
> > +=======================================
> >
> > This is a driver for DECChip 21030 based graphics framebuffers, a.k.a. TGA
> > cards, which are usually found in older Digital Alpha systems. The
> > diff --git a/Documentation/fb/udlfb.rst b/Documentation/fb/udlfb.rst
> > index 99cfbb7a192238..9e75ac6b07c36a 100644
> > --- a/Documentation/fb/udlfb.rst
> > +++ b/Documentation/fb/udlfb.rst
> > @@ -1,6 +1,6 @@
> > -==============
> > -What is udlfb?
> > -==============
> > +==================================
> > +udlfb - DisplayLink USB 2.0 driver
> > +==================================
> >
> > This is a driver for DisplayLink USB 2.0 era graphics chips.
> >
> > diff --git a/Documentation/fb/vesafb.rst b/Documentation/fb/vesafb.rst
> > index f890a4f5623b45..5ffb35efd4538a 100644
> > --- a/Documentation/fb/vesafb.rst
> > +++ b/Documentation/fb/vesafb.rst
> > @@ -1,6 +1,6 @@
> > -===============
> > -What is vesafb?
> > -===============
> > +===========================================
> > +Generic graphic framebuffer driver (vesafb)
> > +===========================================
>
> vesafb - Generic graphic framebuffer driver
>
I'll apply your suggestions in v2.
Thanks.
--
An old man doll... just what I always wanted! - Clara
* [PATCH v2 3/3] Documentation: fb: Split toctree
From: Bagas Sanjaya @ 2025-09-22 10:36 UTC (permalink / raw)
To: Linux Kernel Mailing List, Linux Documentation, Linux Framebuffer,
Linux DRI Development
Cc: Helge Deller, Jonathan Corbet, Sudip Mukherjee, Teddy Wang,
Bernie Thompson, Bagas Sanjaya, Mauro Carvalho Chehab,
Ard Biesheuvel, Arvind Sankar, Randy Dunlap
In-Reply-To: <20250922103615.42925-2-bagasdotme@gmail.com>
The framebuffer docs toctree consists of driver-independent docs
(e.g. API docs) and driver-specific docs. The latter has many
more entries.
Group the docs into separate toctrees.
Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
---
Documentation/fb/index.rst | 80 +++++++++++++++++++++-----------------
1 file changed, 45 insertions(+), 35 deletions(-)
diff --git a/Documentation/fb/index.rst b/Documentation/fb/index.rst
index 33e3c49f885695..e2f7488b6e2e42 100644
--- a/Documentation/fb/index.rst
+++ b/Documentation/fb/index.rst
@@ -4,42 +4,52 @@
Frame Buffer
============
-.. toctree::
- :maxdepth: 1
+General information
+===================
- api
- arkfb
- aty128fb
- cirrusfb
- cmap_xfbdev
- deferred_io
- efifb
- ep93xx-fb
- fbcon
- framebuffer
- gxfb
- intel810
- internals
- lxfb
- matroxfb
- metronomefb
- modedb
- pvr2fb
- pxafb
- s3fb
- sa1100fb
- sh7760fb
- sisfb
- sm501
- sm712fb
- sstfb
- tgafb
- tridentfb
- udlfb
- uvesafb
- vesafb
- viafb
- vt8623fb
+.. toctree::
+ :maxdepth: 1
+
+ api
+ cmap_xfbdev
+ deferred_io
+ fbcon
+ framebuffer
+ internals
+ modedb
+
+Driver documentation
+====================
+
+.. toctree::
+ :maxdepth: 1
+
+ arkfb
+ aty128fb
+ cirrusfb
+ efifb
+ ep93xx-fb
+ gxfb
+ intel810
+ lxfb
+ matroxfb
+ metronomefb
+ pvr2fb
+ pxafb
+ s3fb
+ sa1100fb
+ sh7760fb
+ sisfb
+ sm501
+ sm712fb
+ sstfb
+ tgafb
+ tridentfb
+ udlfb
+ uvesafb
+ vesafb
+ viafb
+ vt8623fb
.. only:: subproject and html
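Review bot: `General information` and `Driver documentation` are underlined with `=` only, the same character as the `Frame Buffer` title directly above them; whether they render as subsections or as siblings of the title depends on the title carrying an overline, which lies before the hunk's context (`@@ -4,42 +4,52 @@`) and is not visible here. Confirm the title uses overline+underline, or give the two new sections a different underline character (e.g. `-`) so the nesting does not depend on it.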
* [PATCH v2 1/3] Documentation: fb: ep93xx: Demote section headings
From: Bagas Sanjaya @ 2025-09-22 10:36 UTC (permalink / raw)
To: Linux Kernel Mailing List, Linux Documentation, Linux Framebuffer,
Linux DRI Development
Cc: Helge Deller, Jonathan Corbet, Sudip Mukherjee, Teddy Wang,
Bernie Thompson, Bagas Sanjaya, Mauro Carvalho Chehab,
Ard Biesheuvel, Arvind Sankar, Randy Dunlap
In-Reply-To: <20250922103615.42925-2-bagasdotme@gmail.com>
Section headings are formatted the same as the title heading, thus
increasing the number of entries in the framebuffer toctree. Demote them.
Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
---
Documentation/fb/ep93xx-fb.rst | 4 ----
1 file changed, 4 deletions(-)
diff --git a/Documentation/fb/ep93xx-fb.rst b/Documentation/fb/ep93xx-fb.rst
index 1dd67f4688c751..93b3494f530979 100644
--- a/Documentation/fb/ep93xx-fb.rst
+++ b/Documentation/fb/ep93xx-fb.rst
@@ -41,7 +41,6 @@ your board initialisation function::
ep93xx_register_fb(&some_board_fb_info);
-=====================
Video Attribute Flags
=====================
@@ -79,7 +78,6 @@ EP93XXFB_USE_SDCSN2 Use SDCSn[2] for the framebuffer.
EP93XXFB_USE_SDCSN3 Use SDCSn[3] for the framebuffer.
=============================== ======================================
-==================
Platform callbacks
==================
@@ -101,7 +99,6 @@ obtained as follows::
/* Board specific framebuffer setup */
}
-======================
Setting the video mode
======================
@@ -119,7 +116,6 @@ set when the module is installed::
modprobe ep93xx-fb video=320x240
-==============
Screenpage bug
==============
* [PATCH v2 2/3] Documentation: fb: Retitle driver docs
From: Bagas Sanjaya @ 2025-09-22 10:36 UTC (permalink / raw)
To: Linux Kernel Mailing List, Linux Documentation, Linux Framebuffer,
Linux DRI Development
Cc: Helge Deller, Jonathan Corbet, Sudip Mukherjee, Teddy Wang,
Bernie Thompson, Bagas Sanjaya, Mauro Carvalho Chehab,
Ard Biesheuvel, Arvind Sankar, Randy Dunlap
In-Reply-To: <20250922103615.42925-2-bagasdotme@gmail.com>
Many framebuffer driver docs are copied from the vesafb docs as their
template, including the "What is <driver name>" title. Such a title
implies an introductory section, however, and not the whole document.
Retitle them.
Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
---
Documentation/fb/aty128fb.rst | 8 +++-----
Documentation/fb/efifb.rst | 6 +++---
Documentation/fb/gxfb.rst | 8 +++-----
Documentation/fb/lxfb.rst | 9 +++------
Documentation/fb/matroxfb.rst | 9 +++------
Documentation/fb/pvr2fb.rst | 6 +++---
Documentation/fb/sa1100fb.rst | 9 +++------
Documentation/fb/sisfb.rst | 6 +++---
Documentation/fb/sm712fb.rst | 6 +++---
Documentation/fb/tgafb.rst | 6 +++---
Documentation/fb/udlfb.rst | 6 +++---
Documentation/fb/vesafb.rst | 6 +++---
12 files changed, 36 insertions(+), 49 deletions(-)
diff --git a/Documentation/fb/aty128fb.rst b/Documentation/fb/aty128fb.rst
index 3f107718f933fc..0da8070a552165 100644
--- a/Documentation/fb/aty128fb.rst
+++ b/Documentation/fb/aty128fb.rst
@@ -1,8 +1,6 @@
-=================
-What is aty128fb?
-=================
-
-.. [This file is cloned from VesaFB/matroxfb]
+=========================================
+aty128fb - ATI Rage128 framebuffer driver
+=========================================
This is a driver for a graphic framebuffer for ATI Rage128 based devices
on Intel and PPC boxes.
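Review bot: besides the retitle, this hunk (and the gxfb, lxfb, matroxfb and sa1100fb hunks below) also drops the `.. [This file is cloned from ...]` provenance comment, while the commit message only says "Retitle them"; add a sentence saying that the cloned-from notes are removed as well and why, so the extra deletions are accounted for.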
diff --git a/Documentation/fb/efifb.rst b/Documentation/fb/efifb.rst
index 6badff64756f49..3d4aab406dee0a 100644
--- a/Documentation/fb/efifb.rst
+++ b/Documentation/fb/efifb.rst
@@ -1,6 +1,6 @@
-==============
-What is efifb?
-==============
+===================================
+efifb - Generic EFI platform driver
+===================================
This is a generic EFI platform driver for systems with UEFI firmware. The
system must be booted via the EFI stub for this to be usable. efifb supports
diff --git a/Documentation/fb/gxfb.rst b/Documentation/fb/gxfb.rst
index 5738709bccbbf3..3fda485606bdc1 100644
--- a/Documentation/fb/gxfb.rst
+++ b/Documentation/fb/gxfb.rst
@@ -1,8 +1,6 @@
-=============
-What is gxfb?
-=============
-
-.. [This file is cloned from VesaFB/aty128fb]
+=======================================
+gxfb - AMD Geode GX2 framebuffer driver
+=======================================
This is a graphics framebuffer driver for AMD Geode GX2 based processors.
diff --git a/Documentation/fb/lxfb.rst b/Documentation/fb/lxfb.rst
index 863e6b98fbae55..0a176ab376e30e 100644
--- a/Documentation/fb/lxfb.rst
+++ b/Documentation/fb/lxfb.rst
@@ -1,9 +1,6 @@
-=============
-What is lxfb?
-=============
-
-.. [This file is cloned from VesaFB/aty128fb]
-
+======================================
+lxfb - AMD Geode LX framebuffer driver
+======================================
This is a graphics framebuffer driver for AMD Geode LX based processors.
diff --git a/Documentation/fb/matroxfb.rst b/Documentation/fb/matroxfb.rst
index 6158c49c857148..8ac7534a2e6168 100644
--- a/Documentation/fb/matroxfb.rst
+++ b/Documentation/fb/matroxfb.rst
@@ -1,9 +1,6 @@
-=================
-What is matroxfb?
-=================
-
-.. [This file is cloned from VesaFB. Thanks go to Gerd Knorr]
-
+================================================
+matroxfb - Framebuffer driver for Matrox devices
+================================================
This is a driver for a graphic framebuffer for Matrox devices on
Alpha, Intel and PPC boxes.
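Review bot: `matroxfb - Framebuffer driver for Matrox devices` capitalizes "Framebuffer" and puts the driver-type phrase first, whereas the other new titles in this series use lowercase and the `<chip> framebuffer driver` order (`aty128fb - ATI Rage128 framebuffer driver`, `gxfb - AMD Geode GX2 framebuffer driver`). Suggest `matroxfb - Matrox framebuffer driver`, with the `=` lines shortened to match, for consistency.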
diff --git a/Documentation/fb/pvr2fb.rst b/Documentation/fb/pvr2fb.rst
index fcf2c21c8fcfeb..315ce085a5855b 100644
--- a/Documentation/fb/pvr2fb.rst
+++ b/Documentation/fb/pvr2fb.rst
@@ -1,6 +1,6 @@
-===============
-What is pvr2fb?
-===============
+===============================================
+pvr2fb - PowerVR 2 graphics frame buffer driver
+===============================================
This is a driver for PowerVR 2 based graphics frame buffers, such as the
one found in the Dreamcast.
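Review bot: `pvr2fb - PowerVR 2 graphics frame buffer driver` spells "frame buffer" as two words while every other new title in the series uses "framebuffer" (e.g. `tgafb - TGA graphics framebuffer driver`); unify to `framebuffer` and shorten the two `=` lines by one character.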
diff --git a/Documentation/fb/sa1100fb.rst b/Documentation/fb/sa1100fb.rst
index 67e2650e017d12..c5ca019b361a94 100644
--- a/Documentation/fb/sa1100fb.rst
+++ b/Documentation/fb/sa1100fb.rst
@@ -1,9 +1,6 @@
-=================
-What is sa1100fb?
-=================
-
-.. [This file is cloned from VesaFB/matroxfb]
-
+=================================================
+sa1100fb - SA-1100 LCD graphic framebuffer driver
+=================================================
This is a driver for a graphic framebuffer for the SA-1100 LCD
controller.
diff --git a/Documentation/fb/sisfb.rst b/Documentation/fb/sisfb.rst
index 8f4e502ea12ea7..9982f5ee05601b 100644
--- a/Documentation/fb/sisfb.rst
+++ b/Documentation/fb/sisfb.rst
@@ -1,6 +1,6 @@
-==============
-What is sisfb?
-==============
+=====================================
+sisfb - SiS framebuffer device driver
+=====================================
sisfb is a framebuffer device driver for SiS (Silicon Integrated Systems)
graphics chips. Supported are:
diff --git a/Documentation/fb/sm712fb.rst b/Documentation/fb/sm712fb.rst
index 8e000f80b5bc6d..abbc6efae25f46 100644
--- a/Documentation/fb/sm712fb.rst
+++ b/Documentation/fb/sm712fb.rst
@@ -1,6 +1,6 @@
-================
-What is sm712fb?
-================
+==========================================================
+sm712fb - Silicon Motion SM712 graphics framebuffer driver
+==========================================================
This is a graphics framebuffer driver for Silicon Motion SM712 based processors.
diff --git a/Documentation/fb/tgafb.rst b/Documentation/fb/tgafb.rst
index 0c50d2134aa433..f0944da1ea5ef1 100644
--- a/Documentation/fb/tgafb.rst
+++ b/Documentation/fb/tgafb.rst
@@ -1,6 +1,6 @@
-==============
-What is tgafb?
-==============
+=======================================
+tgafb - TGA graphics framebuffer driver
+=======================================
This is a driver for DECChip 21030 based graphics framebuffers, a.k.a. TGA
cards, which are usually found in older Digital Alpha systems. The
diff --git a/Documentation/fb/udlfb.rst b/Documentation/fb/udlfb.rst
index 99cfbb7a192238..9e75ac6b07c36a 100644
--- a/Documentation/fb/udlfb.rst
+++ b/Documentation/fb/udlfb.rst
@@ -1,6 +1,6 @@
-==============
-What is udlfb?
-==============
+==================================
+udlfb - DisplayLink USB 2.0 driver
+==================================
This is a driver for DisplayLink USB 2.0 era graphics chips.
diff --git a/Documentation/fb/vesafb.rst b/Documentation/fb/vesafb.rst
index f890a4f5623b45..d8241e38bb28d6 100644
--- a/Documentation/fb/vesafb.rst
+++ b/Documentation/fb/vesafb.rst
@@ -1,6 +1,6 @@
-===============
-What is vesafb?
-===============
+===========================================
+vesafb - Generic graphic framebuffer driver
+===========================================
This is a generic driver for a graphic framebuffer on intel boxes.
* [PATCH v2 0/3] framebuffer docs toctree index refactoring
From: Bagas Sanjaya @ 2025-09-22 10:36 UTC (permalink / raw)
To: Linux Kernel Mailing List, Linux Documentation, Linux Framebuffer,
Linux DRI Development
Cc: Helge Deller, Jonathan Corbet, Sudip Mukherjee, Teddy Wang,
Bernie Thompson, Bagas Sanjaya, Mauro Carvalho Chehab,
Ard Biesheuvel, Arvind Sankar
Hi,
Here is a simple toctree refactoring for framebuffer documentation,
based on the docs-next tree. Simple because it only splits the toctree
in patch [3/3] into two sections.
Enjoy!
Changes since v1 [1]:
* Apply proofreading suggestions (Randy, [2/3])
* Add review tags (Randy)
[1]: https://lore.kernel.org/linux-doc/20250919003640.14867-1-bagasdotme@gmail.com/
Bagas Sanjaya (3):
Documentation: fb: ep93xx: Demote section headings
Documentation: fb: Retitle driver docs
Documentation: fb: Split toctree
Documentation/fb/aty128fb.rst | 8 ++--
Documentation/fb/efifb.rst | 6 +--
Documentation/fb/ep93xx-fb.rst | 4 --
Documentation/fb/gxfb.rst | 8 ++--
Documentation/fb/index.rst | 80 +++++++++++++++++++---------------
Documentation/fb/lxfb.rst | 9 ++--
Documentation/fb/matroxfb.rst | 9 ++--
Documentation/fb/pvr2fb.rst | 6 +--
Documentation/fb/sa1100fb.rst | 9 ++--
Documentation/fb/sisfb.rst | 6 +--
Documentation/fb/sm712fb.rst | 6 +--
Documentation/fb/tgafb.rst | 6 +--
Documentation/fb/udlfb.rst | 6 +--
Documentation/fb/vesafb.rst | 6 +--
14 files changed, 81 insertions(+), 88 deletions(-)
base-commit: 348011753d99b146c190aae262ee361d03cb0c5e
* Re: [PATCH] fbdev: Delay the setting of fbcon_ops to fix KASAN issues
From: Zizhi Wo @ 2025-09-22 11:42 UTC (permalink / raw)
To: Thomas Zimmermann, deller, lee, jani.nikula, oushixiong, soci
Cc: linux-kernel, linux-fbdev, dri-devel, yangerkun
In-Reply-To: <97658279-73a4-4d30-817b-6dcd47a11d6b@suse.de>
On 2025/9/22 14:31, Thomas Zimmermann wrote:
> Hi
>
> On 05.09.25 at 04:43, Zizhi Wo wrote:
>> [BUG]
>> Recently, we encountered a KASAN warning as follows:
>>
>> kasan_report+0xaf/0xe0 mm/kasan/report.c:588
>> fb_pad_aligned_buffer+0x12f/0x150 drivers/video/fbdev/core/fbmem.c:116
>> ccw_putcs_aligned drivers/video/fbdev/core/fbcon_ccw.c:119 [inline]
>> ccw_putcs+0x9ac/0xbb0 drivers/video/fbdev/core/fbcon_ccw.c:175
>> fbcon_putcs+0x329/0x3f0 drivers/video/fbdev/core/fbcon.c:1297
>> do_update_region+0x3de/0x670 drivers/tty/vt/vt.c:623
>> invert_screen+0x1de/0x600 drivers/tty/vt/vt.c:748
>> highlight drivers/tty/vt/selection.c:57 [inline]
>> clear_selection+0x5e/0x70 drivers/tty/vt/selection.c:81
>> vc_do_resize+0xc8e/0xf40 drivers/tty/vt/vt.c:1206
>> fbcon_modechanged+0x489/0x7a0 drivers/video/fbdev/core/fbcon.c:2705
>> fbcon_set_all_vcs+0x1e0/0x600 drivers/video/fbdev/core/fbcon.c:2752
>> fbcon_rotate_all drivers/video/fbdev/core/fbcon.c:250 [inline]
>> ...
>>
>> Reproduce [probabilistic, depending on the width and height of vc_font,
>> as well as the value of "p" in do_update_region()]:
>
> Which font sizes trigger the bug?
As far as I can remember, op.width = 32 and op.height = 12, and I also
do the TIOCL_SETSEL ioctl to set vc_sel.start and vc_sel.end.
>
>> 1) echo 2 > /sys/devices/virtual/graphics/fbcon/rotate_all
>> 2) echo 3 > /sys/devices/virtual/graphics/fbcon/rotate_all
>>
>> [CAUSE]
>> The root cause is that fbcon_modechanged() first sets the current
>> rotate's corresponding ops. Subsequently, during vc_resize(), it may
>> trigger clear_selection(), and in fbcon_putcs->ccw_putcs[rotate=3],
>> this can result in an out-of-bounds access to "src". This happens
>> because ops->fontbuffer is reallocated in fbcon_rotate_font():
>> 1) When rotate=2, its size is (width + 7) / 8 * height
>> 2) When rotate=3, its size is (height + 7) / 8 * width
>>
>> And the call to fbcon_rotate_font() occurs after clear_selection(). In
>> other words, the fontbuffer is allocated using the size calculated from
>> the previous rotation[2], but before reallocating it with the new size,
>> con_putcs is already using the new rotation[3]:
>
> We recently reworked the way rotation callbacks are set. [1] Does the
> bug still happen with [1] applied?
>
> [1] https://patchwork.freedesktop.org/series/153056/#rev2
Sorry, my reproduction script has been cleaned up because some time has
passed. But the root cause of the issue is still setting ops too early,
which leads to vc_resize() calling clear_selection(), then eventually
.putcs. This uses the updated rotation-related functions on the previous
region, which may cause out-of-bounds access.
If this patch series does not ensure that the old putcs is used in the
context of clear_selection() during vc_resize(), the problem may still
exist?
Thanks,
Zizhi Wo
>
> Best regards
> Thomas
>
>>
>> rotate_all_store
>> fbcon_rotate_all
>> fbcon_set_all_vcs
>> fbcon_modechanged
>> ...
>> fbcon_set_rotate
>> fbcon_rotate_ccw
>> ops->putcs = ccw_putcs // set rotate 3 ops
>> vc_resize
>> ...
>> clear_selection
>> highlight
>> ...
>> do_update_region
>> fbcon_putcs
>> ccw_putcs_aligned
>> src = ops->fontbuffer + (scr_readw(s--) & charmask)*cellsize
>> fb_pad_aligned_buffer----[src KASAN!!!]
>> update_screen
>> redraw_screen
>> fbcon_switch
>> fbcon_rotate_font
>> dst = kmalloc_array(len, d_cellsize, GFP_KERNEL)
>> ops->fontbuffer = dst
>>
>> [FIX]
>> Considering that when the rotation changes, clear_selection() should
>> clear the previously selected region and not consider the new rotation
>> yet. Therefore, the assignment to fbcon_ops for the newly set rotate
>> can be postponed to fbcon_rotate_font(), since the fontbuffer is
>> regenerated there. To avoid affecting other code paths,
>> fbcon_set_rotate() will temporarily continue assigning fbcon_ops based
>> on cur_rotate not rotate.
>>
>> Signed-off-by: Zizhi Wo <wozizhi@huaweicloud.com>
>> ---
>> drivers/video/fbdev/core/fbcon_rotate.c | 5 ++++-
>> 1 file changed, 4 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/video/fbdev/core/fbcon_rotate.c
>> b/drivers/video/fbdev/core/fbcon_rotate.c
>> index ec3c883400f7..d76446da24d4 100644
>> --- a/drivers/video/fbdev/core/fbcon_rotate.c
>> +++ b/drivers/video/fbdev/core/fbcon_rotate.c
>> @@ -70,6 +70,7 @@ static int fbcon_rotate_font(struct fb_info *info,
>> struct vc_data *vc)
>> src += s_cellsize;
>> dst += d_cellsize;
>> }
>> + fbcon_rotate_ud(ops);
>> break;
>> case FB_ROTATE_CW:
>> for (i = len; i--; ) {
>> @@ -78,6 +79,7 @@ static int fbcon_rotate_font(struct fb_info *info,
>> struct vc_data *vc)
>> src += s_cellsize;
>> dst += d_cellsize;
>> }
>> + fbcon_rotate_cw(ops);
>> break;
>> case FB_ROTATE_CCW:
>> for (i = len; i--; ) {
>> @@ -86,6 +88,7 @@ static int fbcon_rotate_font(struct fb_info *info,
>> struct vc_data *vc)
>> src += s_cellsize;
>> dst += d_cellsize;
>> }
>> + fbcon_rotate_ccw(ops);
>> break;
>> }
>> @@ -97,7 +100,7 @@ void fbcon_set_rotate(struct fbcon_ops *ops)
>> {
>> ops->rotate_font = fbcon_rotate_font;
>> - switch(ops->rotate) {
>> + switch (ops->cur_rotate) {
>> case FB_ROTATE_CW:
>> fbcon_rotate_cw(ops);
>> break;
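Review bot: switching on `ops->cur_rotate` here is described in the commit message as a temporary measure, but nothing in the code says so; add a comment above `switch (ops->cur_rotate)` noting that the rotation-specific ops are now installed from fbcon_rotate_font() and that this switch only keeps the previous rotation's ops in place until then. Also, the calls added in fbcon_rotate_font() cover only the UD, CW and CCW cases, so the commit message should say how a change back to FB_ROTATE_UR gets the upright ops reinstalled, since the old early assignment this patch defers is what used to handle that transition.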
>
* Re: [PATCH] fbcon: fix integer overflow in fbcon_do_set_font
From: Jani Nikula @ 2025-09-22 12:43 UTC (permalink / raw)
To: Samasth Norway Ananda, simona, deller
Cc: linux-fbdev, dri-devel, linux-kernel, tzimmermann
In-Reply-To: <20250912170023.3931881-1-samasth.norway.ananda@oracle.com>
On Fri, 12 Sep 2025, Samasth Norway Ananda <samasth.norway.ananda@oracle.com> wrote:
> Fix integer overflow vulnerabilities in fbcon_do_set_font() where font
> size calculations could overflow when handling user-controlled font
> parameters.
>
> The vulnerabilities occur when:
> 1. CALC_FONTSZ(h, pitch, charcount) performs h * pitch * charcount
> multiplication with user-controlled values that can overflow.
> 2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow
> 3. This results in smaller allocations than expected, leading to buffer
> overflows during font data copying.
>
> Add explicit overflow checking using check_mul_overflow() and
> check_add_overflow() kernel helpers to safely validate all size
> calculations before allocation.
>
> Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
> ---
> drivers/video/fbdev/core/fbcon.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> index 55f5731e94c3..a507d05f8fea 100644
> --- a/drivers/video/fbdev/core/fbcon.c
> +++ b/drivers/video/fbdev/core/fbcon.c
> @@ -2531,9 +2531,16 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font,
> if (fbcon_invalid_charcount(info, charcount))
> return -EINVAL;
>
> - size = CALC_FONTSZ(h, pitch, charcount);
> + /* Check for integer overflow in font size calculation */
> + if (check_mul_overflow(h, pitch, &size) ||
> + check_mul_overflow(size, charcount, &size))
> + return -EINVAL;
> +
> + /* Check for overflow in allocation size calculation */
> + if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &size))
This change stores the intermediate value into size, but fails to take
into account that size is used just a bit later in the function,
expecting the original size:
new_data += FONT_EXTRA_WORDS * sizeof(int);
FNTSIZE(new_data) = size;
REFCOUNT(new_data) = 0; /* usage counter */
for (i=0; i< charcount; i++) {
memcpy(new_data + i*h*pitch, data + i*vpitch*pitch, h*pitch);
}
/* Since linux has a nice crc32 function use it for counting font
* checksums. */
csum = crc32(0, new_data, size);
What was supposed to address an unlikely integer overflow seems to have
caused a real buffer overflow [1].
BR,
Jani.
[1] https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15020
> + return -EINVAL;
>
> - new_data = kmalloc(FONT_EXTRA_WORDS * sizeof(int) + size, GFP_USER);
> + new_data = kmalloc(size, GFP_USER);
>
> if (!new_data)
> return -ENOMEM;
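Review bot: the commit message and subject place the fix in fbcon_do_set_font(), but the hunk header `@@ -2531,9 +2531,16 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font,` shows the change lives in fbcon_set_font(); correct the function name in the message so the log matches the code. Independently of Jani's point above, note that `FNTSIZE(new_data) = size` and `csum = crc32(0, new_data, size)` are consumers of the same variable the add-overflow check now clobbers, so any rework should validate the allocation length into a separate variable (e.g. `alloc_size`) and pass that to kmalloc().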
--
Jani Nikula, Intel
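The size aliasing Jani describes above, modelled in user space as an added example (this is not kernel code and not part of the patch): the posted calculation writes the header-inclusive allocation length back into `size`, so the value later recorded as the font size and handed to crc32() is FONT_EXTRA_WORDS * sizeof(int) bytes larger than the data area. The example assumes `__builtin_mul_overflow()`/`__builtin_add_overflow()` as stand-ins for the kernel's `check_mul_overflow()`/`check_add_overflow()` (which wrap the same builtins), FONT_EXTRA_WORDS = 4 as in include/linux/font.h, and constructed font parameters (h=16, pitch=2, charcount=256) chosen because they reproduce the 8192/8208 arithmetic from the report, not because they are the font that triggered it.

```c
/*
 * Added example, not code from the kernel or from the patch under
 * discussion: a user-space model of the font size arithmetic in
 * fbcon_set_font(), showing why an overflow check must not write the
 * header-inclusive allocation size back into the variable that later
 * code (FNTSIZE(new_data) = size; crc32(0, new_data, size)) still
 * reads as the bare font data size.
 *
 * Assumptions: __builtin_mul_overflow()/__builtin_add_overflow() stand
 * in for check_mul_overflow()/check_add_overflow(); FONT_EXTRA_WORDS is
 * 4 as in include/linux/font.h; the font parameters are constructed.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define FONT_EXTRA_WORDS 4
#define FONT_HEADER ((size_t)FONT_EXTRA_WORDS * sizeof(int)) /* 16 bytes */

/*
 * The calculation as posted: every step writes into `size`, so after the
 * add check `size` already includes the header. Returns 0 or -EINVAL;
 * *fntsize is what FNTSIZE() would record, *alloc what kmalloc() gets.
 */
static int font_sizes_aliased(unsigned int h, unsigned int pitch,
			      unsigned int charcount,
			      size_t *fntsize, size_t *alloc)
{
	size_t size;

	if (__builtin_mul_overflow(h, pitch, &size) ||
	    __builtin_mul_overflow(size, charcount, &size))
		return -EINVAL;
	if (__builtin_add_overflow(FONT_HEADER, size, &size))
		return -EINVAL;

	*alloc = size;
	*fntsize = size;	/* header bytes now counted as font data */
	return 0;
}

/* Corrected form: the data size and the allocation size are kept apart. */
static int font_sizes_fixed(unsigned int h, unsigned int pitch,
			    unsigned int charcount,
			    size_t *fntsize, size_t *alloc)
{
	size_t size, alloc_size;

	if (__builtin_mul_overflow(h, pitch, &size) ||
	    __builtin_mul_overflow(size, charcount, &size))
		return -EINVAL;
	if (__builtin_add_overflow(FONT_HEADER, size, &alloc_size))
		return -EINVAL;

	*alloc = alloc_size;
	*fntsize = size;
	return 0;
}

/*
 * crc32(0, new_data, fntsize) runs over the data area, which is
 * alloc - FONT_HEADER bytes long because new_data was advanced past the
 * header. Returns how many bytes such a read goes past the allocation.
 */
static size_t crc_overread_bytes(size_t fntsize, size_t alloc)
{
	size_t data_len = alloc - FONT_HEADER;

	return fntsize > data_len ? fntsize - data_len : 0;
}

int main(void)
{
	/* Constructed 16-pixel-wide, 16-row, 256-glyph font. */
	size_t fnt, alloc;

	font_sizes_aliased(16, 2, 256, &fnt, &alloc);
	printf("aliased: alloc=%zu FNTSIZE=%zu crc over-read=%zu bytes\n",
	       alloc, fnt, crc_overread_bytes(fnt, alloc));
	font_sizes_fixed(16, 2, 256, &fnt, &alloc);
	printf("fixed:   alloc=%zu FNTSIZE=%zu crc over-read=%zu bytes\n",
	       alloc, fnt, crc_overread_bytes(fnt, alloc));
	return 0;
}
```

With the constructed parameters the aliased variant records 8208 as the font size for an 8192-byte data area, a 16-byte over-read, which is exactly the delta the second reply below attributes to FONT_EXTRA_WORDS * sizeof(int); the fixed variant records 8192 while still allocating 8208. Both variants reject the all-0xffffffff parameter set, so the overflow protection itself was never the problem, only the variable it wrote into.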
* Re: [PATCH] fbcon: fix integer overflow in fbcon_do_set_font
From: Jani Nikula @ 2025-09-22 12:49 UTC (permalink / raw)
To: Samasth Norway Ananda, simona, deller
Cc: linux-fbdev, dri-devel, linux-kernel, tzimmermann
In-Reply-To: <12cfe7be56a4eeed0f32d8da69d06f0490a9eec9@intel.com>
On Mon, 22 Sep 2025, Jani Nikula <jani.nikula@linux.intel.com> wrote:
> On Fri, 12 Sep 2025, Samasth Norway Ananda <samasth.norway.ananda@oracle.com> wrote:
>> Fix integer overflow vulnerabilities in fbcon_do_set_font() where font
>> size calculations could overflow when handling user-controlled font
>> parameters.
>>
>> The vulnerabilities occur when:
>> 1. CALC_FONTSZ(h, pitch, charcount) performs h * pitch * charcount
>> multiplication with user-controlled values that can overflow.
>> 2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow
>> 3. This results in smaller allocations than expected, leading to buffer
>> overflows during font data copying.
>>
>> Add explicit overflow checking using check_mul_overflow() and
>> check_add_overflow() kernel helpers to safely validate all size
>> calculations before allocation.
>>
>> Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
>> ---
>> drivers/video/fbdev/core/fbcon.c | 11 +++++++++--
>> 1 file changed, 9 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
>> index 55f5731e94c3..a507d05f8fea 100644
>> --- a/drivers/video/fbdev/core/fbcon.c
>> +++ b/drivers/video/fbdev/core/fbcon.c
>> @@ -2531,9 +2531,16 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font,
>> if (fbcon_invalid_charcount(info, charcount))
>> return -EINVAL;
>>
>> - size = CALC_FONTSZ(h, pitch, charcount);
>> + /* Check for integer overflow in font size calculation */
>> + if (check_mul_overflow(h, pitch, &size) ||
>> + check_mul_overflow(size, charcount, &size))
>> + return -EINVAL;
>> +
>> + /* Check for overflow in allocation size calculation */
>> + if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &size))
>
> This change stores the intermediate value into size, but fails to take
> into account that size is used just a bit later in the function,
> expecting the original size:
>
> new_data += FONT_EXTRA_WORDS * sizeof(int);
> FNTSIZE(new_data) = size;
> REFCOUNT(new_data) = 0; /* usage counter */
> for (i=0; i< charcount; i++) {
> memcpy(new_data + i*h*pitch, data + i*vpitch*pitch, h*pitch);
> }
>
> /* Since linux has a nice crc32 function use it for counting font
> * checksums. */
> csum = crc32(0, new_data, size);
>
> What was supposed to address an unlikely integer overflow seems to have
> caused a real buffer overflow [1].
The overflow of 16 bytes matches FONT_EXTRA_WORDS * sizeof(int):
memcmp: detected buffer overflow: 8208 byte read of buffer size 8192
> BR,
> Jani.
>
>
> [1] https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15020
>
>> + return -EINVAL;
>>
>> - new_data = kmalloc(FONT_EXTRA_WORDS * sizeof(int) + size, GFP_USER);
>> + new_data = kmalloc(size, GFP_USER);
>>
>> if (!new_data)
>> return -ENOMEM;
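Review bot: the second check, `check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &size)`, overwrites `size` with the allocation length, but the unchanged code quoted above still uses `size` as the glyph-data length in `FNTSIZE(new_data) = size;` and `csum = crc32(0, new_data, size);` after `new_data` has been advanced past the header, so the read runs `FONT_EXTRA_WORDS * sizeof(int)` bytes past the end of the `kmalloc()` buffer. Store the sum in a separate variable and pass only that to `kmalloc()`, leaving `size` as the product of the two multiplications.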
--
Jani Nikula, Intel
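As an added illustration (not kernel code, and not taken from any patch in this thread), the following C models the size bookkeeping Jani describes: the glyph-data size and the allocation size computed with overflow-checked arithmetic and kept in separate variables, beside the regressed variant that wrote the sum back into `size`. It assumes FONT_EXTRA_WORDS is 4, so the header is the 16 bytes Jani measured, and uses the compiler builtins that the kernel's check_mul_overflow()/check_add_overflow() wrap; the hypothetical helpers `font_sizes_checked()`, `font_sizes_regressed()` and `checksum_overrun_bytes()` are mine.

```c
/*
 * Added example, not kernel code: models the size bookkeeping in
 * fbcon_set_font() to show why the glyph-data size and the allocation size
 * must live in separate variables. The overflow checks use the GCC/Clang
 * builtins that the kernel's check_mul_overflow()/check_add_overflow() wrap.
 * FONT_EXTRA_WORDS is assumed to be 4, i.e. a 16-byte header, which is the
 * overrun reported in the thread (8208 byte read of buffer size 8192).
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define FONT_EXTRA_WORDS 4
#define FONT_HDR_BYTES   (FONT_EXTRA_WORDS * sizeof(int))

struct font_sizes {
	int size;        /* glyph bytes: h * pitch * charcount; feeds FNTSIZE()/crc32() */
	int alloc_size;  /* size plus header; feeds kmalloc() only */
};

/* Fixed logic: the multiply chain lands in size, the add in alloc_size. */
int font_sizes_checked(int h, int pitch, unsigned charcount, struct font_sizes *out)
{
	int size, alloc_size;

	/* fbcon validates these elsewhere (e.g. fbcon_invalid_charcount());
	 * rejected here so the signed arithmetic below is well-defined. */
	if (h <= 0 || pitch <= 0 || charcount == 0)
		return -EINVAL;
	if (__builtin_mul_overflow(h, pitch, &size) ||
	    __builtin_mul_overflow(size, charcount, &size))
		return -EINVAL;
	if (__builtin_add_overflow(FONT_HDR_BYTES, size, &alloc_size))
		return -EINVAL;
	out->size = size;
	out->alloc_size = alloc_size;
	return 0;
}

/* Regressed logic of commit 1a194e6c8e1e: the sum was written back into size. */
int font_sizes_regressed(int h, int pitch, unsigned charcount, struct font_sizes *out)
{
	int rc = font_sizes_checked(h, pitch, charcount, out);

	if (rc == 0)
		out->size = out->alloc_size;   /* check_add_overflow(..., size, &size) */
	return rc;
}

/*
 * After kmalloc(alloc_size) the code advances new_data past the header and
 * reads size bytes from it (memcpy loop, crc32()). Returns how many of those
 * bytes lie beyond the end of the allocation; 0 means the read is in bounds.
 */
int checksum_overrun_bytes(const struct font_sizes *s)
{
	long long alloc_end = s->alloc_size;
	long long read_end  = (long long)FONT_HDR_BYTES + s->size;

	return read_end > alloc_end ? (int)(read_end - alloc_end) : 0;
}

/* One-call helpers: -EINVAL when the sizes are rejected. */
int alloc_size_for(int h, int pitch, unsigned charcount)
{
	struct font_sizes s;

	return font_sizes_checked(h, pitch, charcount, &s) ? -EINVAL : s.alloc_size;
}

int checksum_overrun_for(int h, int pitch, unsigned charcount, int regressed)
{
	struct font_sizes s;
	int rc = regressed ? font_sizes_regressed(h, pitch, charcount, &s)
			   : font_sizes_checked(h, pitch, charcount, &s);

	return rc ? rc : checksum_overrun_bytes(&s);
}

int main(void)
{
	/* 8x32 font, 256 glyphs, pitch 1: 8192 glyph bytes, 8208 allocated */
	printf("fixed overrun:     %d bytes\n", checksum_overrun_for(32, 1, 256, 0));
	printf("regressed overrun: %d bytes\n", checksum_overrun_for(32, 1, 256, 1));
	/* charcount chosen so h * pitch * charcount no longer fits in an int */
	printf("overflowing input: %d\n", alloc_size_for(16, 1, 268435456u));
	return 0;
}
```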
* [syzbot] [fbdev?] KASAN: slab-out-of-bounds Read in soft_cursor (2)
From: syzbot @ 2025-09-22 12:50 UTC (permalink / raw)
To: deller, dri-devel, linux-fbdev, linux-kernel, simona,
syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: f83ec76bf285 Linux 6.17-rc6
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17147b12580000
kernel config: https://syzkaller.appspot.com/x/.config?x=8f01d8629880e620
dashboard link: https://syzkaller.appspot.com/bug?extid=ae44b38396335bd847cd
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-f83ec76b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bdedf70f8797/vmlinux-f83ec76b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5bf9318d9242/bzImage-f83ec76b.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ae44b38396335bd847cd@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in soft_cursor+0x458/0xa10 drivers/video/fbdev/core/softcursor.c:70
Read of size 3 at addr ffff888054a70d7d by task kworker/2:2/3582
CPU: 2 UID: 0 PID: 3582 Comm: kworker/2:2 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events_power_efficient fb_flashcursor
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:189
__asan_memcpy+0x23/0x60 mm/kasan/shadow.c:105
soft_cursor+0x458/0xa10 drivers/video/fbdev/core/softcursor.c:70
bit_cursor+0xe8c/0x17e0 drivers/video/fbdev/core/bitblit.c:370
fb_flashcursor drivers/video/fbdev/core/fbcon.c:408 [inline]
fb_flashcursor+0x30d/0x400 drivers/video/fbdev/core/fbcon.c:377
process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c2/0x780 kernel/kthread.c:463
ret_from_fork+0x56a/0x730 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 10710:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4376 [inline]
__kmalloc_noprof+0x223/0x510 mm/slub.c:4388
kmalloc_noprof include/linux/slab.h:909 [inline]
fbcon_set_font+0x434/0xb80 drivers/video/fbdev/core/fbcon.c:2536
con_font_set drivers/tty/vt/vt.c:4887 [inline]
con_font_op+0x7fb/0xf50 drivers/tty/vt/vt.c:4934
vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]
vt_ioctl+0x48f/0x30a0 drivers/tty/vt/vt_ioctl.c:751
tty_ioctl+0x661/0x1680 drivers/tty/tty_io.c:2792
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:598 [inline]
__se_sys_ioctl fs/ioctl.c:584 [inline]
__x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:584
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888054a70800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 621 bytes to the right of
allocated 784-byte region [ffff888054a70800, ffff888054a70b10)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x54a70
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 12, tgid 12 (kworker/u32:0), ts 114834271157, free_ts 113350555070
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x132b/0x38e0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:5148
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:2492 [inline]
allocate_slab mm/slub.c:2660 [inline]
new_slab+0x247/0x330 mm/slub.c:2714
___slab_alloc+0xcf2/0x1750 mm/slub.c:3901
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3992
__slab_alloc_node mm/slub.c:4067 [inline]
slab_alloc_node mm/slub.c:4228 [inline]
__do_kmalloc_node mm/slub.c:4375 [inline]
__kmalloc_noprof+0x2f2/0x510 mm/slub.c:4388
kmalloc_noprof include/linux/slab.h:909 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
neigh_alloc net/core/neighbour.c:522 [inline]
___neigh_create+0x14e6/0x28c0 net/core/neighbour.c:656
ip6_finish_output2+0x1299/0x2020 net/ipv6/ip6_output.c:132
__ip6_finish_output+0x3cd/0x1010 net/ipv6/ip6_output.c:215
ip6_finish_output net/ipv6/ip6_output.c:226 [inline]
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip6_output+0x1ca/0x3e0 net/ipv6/ip6_output.c:248
dst_output include/net/dst.h:461 [inline]
NF_HOOK include/linux/netfilter.h:318 [inline]
ndisc_send_skb+0xa66/0x1e30 net/ipv6/ndisc.c:512
ndisc_send_rs+0x129/0x670 net/ipv6/ndisc.c:722
addrconf_dad_completed+0x49d/0x10d0 net/ipv6/addrconf.c:4360
addrconf_dad_work+0x855/0x14e0 net/ipv6/addrconf.c:4268
page last free pid 60 tgid 60 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
__free_frozen_pages+0x7d5/0x10f0 mm/page_alloc.c:2895
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4d/0x120 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
__kasan_kmalloc+0x8a/0xb0 mm/kasan/common.c:396
kmalloc_noprof include/linux/slab.h:905 [inline]
netdevice_queue_work drivers/infiniband/core/roce_gid_mgmt.c:664 [inline]
netdevice_event+0x365/0x9d0 drivers/infiniband/core/roce_gid_mgmt.c:823
notifier_call_chain+0xb9/0x410 kernel/notifier.c:85
call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:2229
call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
call_netdevice_notifiers net/core/dev.c:2281 [inline]
unregister_netdevice_many_notify+0xf76/0x24c0 net/core/dev.c:12166
unregister_netdevice_many net/core/dev.c:12229 [inline]
default_device_exit_batch+0x853/0xaf0 net/core/dev.c:12733
ops_exit_list net/core/net_namespace.c:204 [inline]
ops_undo_list+0x360/0xab0 net/core/net_namespace.c:251
cleanup_net+0x408/0x890 net/core/net_namespace.c:682
process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c2/0x780 kernel/kthread.c:463
ret_from_fork+0x56a/0x730 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Memory state around the buggy address:
ffff888054a70c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888054a70c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888054a70d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888054a70d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888054a70e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [PATCH] fbcon: Fix OOB access in font allocation
From: Thomas Zimmermann @ 2025-09-22 13:45 UTC (permalink / raw)
To: jani.nikula, samasth.norway.ananda, simona, deller
Cc: linux-fbdev, dri-devel, Thomas Zimmermann, George Kennedy,
Greg Kroah-Hartman, Ville Syrjälä, Sam Ravnborg,
Qianqiang Liu, Shixiong Ou, Kees Cook, stable, Zsolt Kajtar
Commit 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font")
introduced an out-of-bounds access by storing data and allocation sizes
in the same variable. Restore the old size calculation and use the new
variable 'alloc_size' for the allocation.
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font")
Reported-by: Jani Nikula <jani.nikula@linux.intel.com>
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15020
Cc: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: George Kennedy <george.kennedy@oracle.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Simona Vetter <simona@ffwll.ch>
Cc: Helge Deller <deller@gmx.de>
Cc: "Ville Syrjälä" <ville.syrjala@linux.intel.com>
Cc: Sam Ravnborg <sam@ravnborg.org>
Cc: Qianqiang Liu <qianqiang.liu@163.com>
Cc: Shixiong Ou <oushixiong@kylinos.cn>
Cc: Kees Cook <kees@kernel.org>
Cc: <stable@vger.kernel.org> # v5.9+
Cc: Zsolt Kajtar <soci@c64.rulez.org>
---
drivers/video/fbdev/core/fbcon.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index 5fade44931b8..c1c0cdd7597c 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2518,7 +2518,7 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font,
unsigned charcount = font->charcount;
int w = font->width;
int h = font->height;
- int size;
+ int size, alloc_size;
int i, csum;
u8 *new_data, *data = font->data;
int pitch = PITCH(font->width);
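Review bot: `alloc_size` is declared `int` although its only consumer is `kmalloc()`, whose size parameter is `size_t`; check_add_overflow() stores into the destination's own type, so the overflow test is sound either way, but declaring it `size_t` would avoid the signed-to-unsigned conversion at the call site and read more naturally as an allocation length. Fine to leave for a stable-bound minimal fix, but worth a follow-up.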
@@ -2551,10 +2551,10 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font,
return -EINVAL;
/* Check for overflow in allocation size calculation */
- if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &size))
+ if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &alloc_size))
return -EINVAL;
- new_data = kmalloc(size, GFP_USER);
+ new_data = kmalloc(alloc_size, GFP_USER);
if (!new_data)
return -ENOMEM;
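Review bot: with the sum going into `alloc_size`, `size` again holds only the glyph bytes that the later FNTSIZE()/crc32() users expect, which is what the commit message says it restores; it would help backporters if the message also quoted the reported `8208 byte read of buffer size 8192` line so the 16-byte overrun is visibly `FONT_EXTRA_WORDS * sizeof(int)`.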
--
2.51.0
* Re: [PATCH v2 4/5] fbdev/simplefb: Sort headers correctly
From: Luca Weiss @ 2025-09-22 14:07 UTC (permalink / raw)
To: Javier Martinez Canillas, Luca Weiss, Hans de Goede,
Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann, David Airlie,
Simona Vetter, Rob Herring, Krzysztof Kozlowski, Conor Dooley,
Helge Deller
Cc: linux-fbdev, dri-devel, devicetree, linux-kernel
In-Reply-To: <87o6u9d3kg.fsf@minerva.mail-host-address-is-not-set>
Hi all,
On Fri Jun 27, 2025 at 9:52 AM CEST, Javier Martinez Canillas wrote:
> Luca Weiss <luca.weiss@fairphone.com> writes:
>
>> Make sure the headers are sorted alphabetically to ensure consistent
>> code.
>>
>> Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
>> ---
>
> Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
While there's still some open questions surrounding dt-bindings and how
exactly to do that, I think it would be good to pick up the two
"Sort headers correctly" patches so that they already get in. They're
good to have in any case in my opinion.
Regards
Luca
* Re: [PATCH] fbcon: Fix OOB access in font allocation
From: Lucas De Marchi @ 2025-09-22 18:12 UTC (permalink / raw)
To: Thomas Zimmermann
Cc: jani.nikula, samasth.norway.ananda, simona, deller, linux-fbdev,
dri-devel, George Kennedy, Greg Kroah-Hartman,
Ville Syrjälä, Sam Ravnborg, Qianqiang Liu, Shixiong Ou,
Kees Cook, stable, Zsolt Kajtar
In-Reply-To: <20250922134619.257684-1-tzimmermann@suse.de>
On Mon, Sep 22, 2025 at 03:45:54PM +0200, Thomas Zimmermann wrote:
>Commit 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font")
>introduced an out-of-bounds access by storing data and allocation sizes
>in the same variable. Restore the old size calculation and use the new
>variable 'alloc_size' for the allocation.
>
>Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
>Fixes: 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font")
>Reported-by: Jani Nikula <jani.nikula@linux.intel.com>
>Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15020
this one too:
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6201
Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com>
thanks
Lucas De Marchi
>Cc: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
>Cc: Thomas Zimmermann <tzimmermann@suse.de>
>Cc: George Kennedy <george.kennedy@oracle.com>
>Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>Cc: Simona Vetter <simona@ffwll.ch>
>Cc: Helge Deller <deller@gmx.de>
>Cc: "Ville Syrjälä" <ville.syrjala@linux.intel.com>
>Cc: Sam Ravnborg <sam@ravnborg.org>
>Cc: Qianqiang Liu <qianqiang.liu@163.com>
>Cc: Shixiong Ou <oushixiong@kylinos.cn>
>Cc: Kees Cook <kees@kernel.org>
>Cc: <stable@vger.kernel.org> # v5.9+
>Cc: Zsolt Kajtar <soci@c64.rulez.org>
>---
> drivers/video/fbdev/core/fbcon.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
>diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
>index 5fade44931b8..c1c0cdd7597c 100644
>--- a/drivers/video/fbdev/core/fbcon.c
>+++ b/drivers/video/fbdev/core/fbcon.c
>@@ -2518,7 +2518,7 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font,
> unsigned charcount = font->charcount;
> int w = font->width;
> int h = font->height;
>- int size;
>+ int size, alloc_size;
> int i, csum;
> u8 *new_data, *data = font->data;
> int pitch = PITCH(font->width);
>@@ -2551,10 +2551,10 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font,
> return -EINVAL;
>
> /* Check for overflow in allocation size calculation */
>- if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &size))
>+ if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &alloc_size))
> return -EINVAL;
>
>- new_data = kmalloc(size, GFP_USER);
>+ new_data = kmalloc(alloc_size, GFP_USER);
>
> if (!new_data)
> return -ENOMEM;
>--
>2.51.0
>
* Re: [PATCH] fbcon: Fix OOB access in font allocation
From: Qianqiang Liu @ 2025-09-23 1:26 UTC (permalink / raw)
To: Thomas Zimmermann
Cc: jani.nikula, samasth.norway.ananda, simona, deller, linux-fbdev,
dri-devel, George Kennedy, Greg Kroah-Hartman,
Ville Syrjälä, Sam Ravnborg, Shixiong Ou, Kees Cook,
stable, Zsolt Kajtar
In-Reply-To: <20250922134619.257684-1-tzimmermann@suse.de>
On Mon, Sep 22, 2025 at 03:45:54PM +0200, Thomas Zimmermann wrote:
> Commit 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font")
> introduced an out-of-bounds access by storing data and allocation sizes
> in the same variable. Restore the old size calculation and use the new
> variable 'alloc_size' for the allocation.
>
> Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
> Fixes: 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font")
> Reported-by: Jani Nikula <jani.nikula@linux.intel.com>
> Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15020
> Cc: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
> Cc: Thomas Zimmermann <tzimmermann@suse.de>
> Cc: George Kennedy <george.kennedy@oracle.com>
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Cc: Simona Vetter <simona@ffwll.ch>
> Cc: Helge Deller <deller@gmx.de>
> Cc: "Ville Syrjälä" <ville.syrjala@linux.intel.com>
> Cc: Sam Ravnborg <sam@ravnborg.org>
> Cc: Qianqiang Liu <qianqiang.liu@163.com>
> Cc: Shixiong Ou <oushixiong@kylinos.cn>
> Cc: Kees Cook <kees@kernel.org>
> Cc: <stable@vger.kernel.org> # v5.9+
> Cc: Zsolt Kajtar <soci@c64.rulez.org>
> ---
> drivers/video/fbdev/core/fbcon.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> index 5fade44931b8..c1c0cdd7597c 100644
> --- a/drivers/video/fbdev/core/fbcon.c
> +++ b/drivers/video/fbdev/core/fbcon.c
> @@ -2518,7 +2518,7 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font,
> unsigned charcount = font->charcount;
> int w = font->width;
> int h = font->height;
> - int size;
> + int size, alloc_size;
> int i, csum;
> u8 *new_data, *data = font->data;
> int pitch = PITCH(font->width);
> @@ -2551,10 +2551,10 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font,
> return -EINVAL;
>
> /* Check for overflow in allocation size calculation */
> - if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &size))
> + if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &alloc_size))
> return -EINVAL;
>
> - new_data = kmalloc(size, GFP_USER);
> + new_data = kmalloc(alloc_size, GFP_USER);
>
> if (!new_data)
> return -ENOMEM;
> --
> 2.51.0
Reviewed-by: Qianqiang Liu <qianqiang.liu@163.com>
--
Best,
Qianqiang Liu
* [PATCH] fbdev/radeon: Update stale product link in Kconfig/FB_RADEON
From: Sukrut Heroorkar @ 2025-09-23 8:41 UTC (permalink / raw)
To: Helge Deller, Thomas Zimmermann, Arnd Bergmann, Sukrut Heroorkar,
Randy Dunlap, Gonzalo Silvalde Blanco, Bartosz Golaszewski,
open list:FRAMEBUFFER LAYER, open list:FRAMEBUFFER LAYER,
open list
Cc: skhan, david.hunter.linux
The previous Radeon product page link was no longer valid. Replace
it with the current working link.
Signed-off-by: Sukrut Heroorkar <hsukrut3@gmail.com>
---
drivers/video/fbdev/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/Kconfig b/drivers/video/fbdev/Kconfig
index c21484d15f0c..3037455adf48 100644
--- a/drivers/video/fbdev/Kconfig
+++ b/drivers/video/fbdev/Kconfig
@@ -949,7 +949,7 @@ config FB_RADEON
don't need to choose this to run the Radeon in plain VGA mode.
There is a product page at
- https://products.amd.com/en-us/GraphicCardResult.aspx
+ https://www.amd.com/en/products/specifications/graphics.html
config FB_RADEON_I2C
bool "DDC/I2C for ATI Radeon support"
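Review bot: the replacement URL is AMD's general graphics specifications index rather than the per-product result page the old link pointed to, so the unchanged context line `There is a product page at` no longer describes what the reader will find; reword that sentence together with the link (for example, "Product specifications are listed at").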
--
2.43.0
* [PATCH] fbcon: Set fb_display[i]->mode to NULL when the mode is released
From: Quanmin Yan @ 2025-09-23 11:06 UTC (permalink / raw)
To: simona
Cc: deller, linux-kernel, linux-fbdev, dri-devel, yanquanmin1,
wangkefeng.wang, zuoze1, sunnanyong
Recently, we discovered the following issue through syzkaller:
BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0
Read of size 4 at addr ff11000001b3c69c by task syz.xxx
...
Call Trace:
<TASK>
dump_stack_lvl+0xab/0xe0
print_address_description.constprop.0+0x2c/0x390
print_report+0xb9/0x280
kasan_report+0xb8/0xf0
fb_mode_is_equal+0x285/0x2f0
fbcon_mode_deleted+0x129/0x180
fb_set_var+0xe7f/0x11d0
do_fb_ioctl+0x6a0/0x750
fb_ioctl+0xe0/0x140
__x64_sys_ioctl+0x193/0x210
do_syscall_64+0x5f/0x9c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The issue occurs in the function fb_mode_is_equal(p->mode, mode). I also
noticed that when freeing the memory related to fb_info->modelist, there is
no attempt to set the corresponding fb_display[i]->mode to NULL after
freeing. Based on analysis, the root cause of this bug appears to be that
a certain p->mode has become a wild pointer.
I've identified two code paths for freeing modelist->mode:
1. fb_delete_videomode - removes videomode entry from modelist.
2. fb_destroy_modelist - destroys the entire modelist.
Analysis shows that the fb_delete_videomode path should have been fixed in
a previous patch [1]. Therefore, the current bug is likely triggered
through the fb_destroy_modelist path. I've found a reproducible test case:
1. With /dev/fb0 already registered in the system, load a kernel module
to register a new device /dev/fb1;
2. Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP);
3. Switch console from fb to VGA (to allow normal rmmod of the ko);
4. Unload the kernel module - at this point fb1's modelist is freed, leaving
a wild pointer in fb_display[];
5. Trigger the bug via system calls through fb0 attempting to delete a mode
from fb0.
To prevent similar issues from recurring, consider traversing fb_display[]
whenever releasing a mode from fb_info. If the corresponding mode exists
in fb_display[], set its pointer to NULL.
[1] https://lore.kernel.org/all/20210712085544.2828-1-thunder.leizhen@huawei.com/
Signed-off-by: Quanmin Yan <yanquanmin1@huawei.com>
---
This is my first time working on fb issues. If there are any misunderstandings
in my analysis, I would appreciate corrections from the community.
drivers/video/fbdev/core/fbcon.c | 11 +++++++++++
drivers/video/fbdev/core/modedb.c | 7 +++++++
include/linux/fbcon.h | 2 ++
3 files changed, 20 insertions(+)
diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index b062b05f4128..bfbf79d6cd05 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2803,6 +2803,17 @@ int fbcon_mode_deleted(struct fb_info *info,
return found;
}
+void fb_display_clean_videomode(struct fb_videomode *m)
+{
+ struct fbcon_display *p;
+
+ for (int i = first_fb_vc; i <= last_fb_vc; i++) {
+ p = &fb_display[i];
+ if (p->mode == m)
+ p->mode = NULL;
+ }
+}
+
#ifdef CONFIG_VT_HW_CONSOLE_BINDING
static void fbcon_unbind(void)
{
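Review bot: `fb_display_clean_videomode()` reads and writes `fb_display[]` for every console between `first_fb_vc` and `last_fb_vc`, but nothing in the hunk says which lock its new callers in modedb.c hold when they reach it; fbcon otherwise touches `fb_display[]` under the console lock, so please document the locking requirement in a comment above the function (or add a `WARN_CONSOLE_UNLOCKED()`), otherwise the module-unload path in step 4 of the commit message can race with a console that is still using the entry.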
diff --git a/drivers/video/fbdev/core/modedb.c b/drivers/video/fbdev/core/modedb.c
index 53a610948c4a..5a0ee96ebefa 100644
--- a/drivers/video/fbdev/core/modedb.c
+++ b/drivers/video/fbdev/core/modedb.c
@@ -16,6 +16,7 @@
#include <linux/slab.h>
#include <linux/fb.h>
#include <linux/kernel.h>
+#include <linux/fbcon.h>
#undef DEBUG
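Review bot: adding `#include <linux/fbcon.h>` here makes the generic mode database call up into the console layer for bookkeeping that belongs to fbcon. An alternative that keeps the dependency direction is for fbcon to drop its `fb_display[i].mode` references itself when the owning fb_info is unregistered (the situation in step 4 of the commit message) or when fbcon_mode_deleted()/fbcon_new_modelist() run, rather than teaching modedb.c about `fb_display[]`.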
@@ -1100,6 +1101,7 @@ void fb_delete_videomode(const struct fb_videomode *mode,
modelist = list_entry(pos, struct fb_modelist, list);
m = &modelist->mode;
if (fb_mode_is_equal(m, mode)) {
+ fb_display_clean_videomode(m);
list_del(pos);
kfree(pos);
}
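Review bot: the commit message says the fb_delete_videomode() path "should have been fixed in a previous patch [1]", yet this hunk adds the clearing there as well; state in the message whether this is defensive or whether the earlier fix was found insufficient, so backporters know whether this hunk is required on its own.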
@@ -1113,8 +1115,13 @@ void fb_delete_videomode(const struct fb_videomode *mode,
void fb_destroy_modelist(struct list_head *head)
{
struct list_head *pos, *n;
+ struct fb_modelist *modelist;
+ struct fb_videomode *m;
list_for_each_safe(pos, n, head) {
+ modelist = list_entry(pos, struct fb_modelist, list);
+ m = &modelist->mode;
+ fb_display_clean_videomode(m);
list_del(pos);
kfree(pos);
}
diff --git a/include/linux/fbcon.h b/include/linux/fbcon.h
index 81f0e698acbf..2b5e93aeaaff 100644
--- a/include/linux/fbcon.h
+++ b/include/linux/fbcon.h
@@ -18,6 +18,7 @@ void fbcon_suspended(struct fb_info *info);
void fbcon_resumed(struct fb_info *info);
int fbcon_mode_deleted(struct fb_info *info,
struct fb_videomode *mode);
+void fb_display_clean_videomode(struct fb_videomode *m);
void fbcon_new_modelist(struct fb_info *info);
void fbcon_get_requirement(struct fb_info *info,
struct fb_blit_caps *caps);
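Review bot: the new prototype `fb_display_clean_videomode()` is defined in fbcon.c next to functions that all carry the `fbcon_` prefix (`fbcon_mode_deleted()`, `fbcon_new_modelist()`, `fbcon_get_requirement()` in this very hunk); naming it `fbcon_clean_videomode()` or similar would make its owner obvious to readers of modedb.c.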
@@ -38,6 +39,7 @@ static inline void fbcon_suspended(struct fb_info *info) {}
static inline void fbcon_resumed(struct fb_info *info) {}
static inline int fbcon_mode_deleted(struct fb_info *info,
struct fb_videomode *mode) { return 0; }
+static inline void fb_display_clean_videomode(struct fb_videomode *m) {}
static inline void fbcon_new_modelist(struct fb_info *info) {}
static inline void fbcon_get_requirement(struct fb_info *info,
struct fb_blit_caps *caps) {}
--
2.43.0
* Re: [PATCH v2 4/5] fbdev/simplefb: Sort headers correctly
From: Thomas Zimmermann @ 2025-09-23 14:04 UTC (permalink / raw)
To: Luca Weiss, Javier Martinez Canillas, Hans de Goede,
Maarten Lankhorst, Maxime Ripard, David Airlie, Simona Vetter,
Rob Herring, Krzysztof Kozlowski, Conor Dooley, Helge Deller
Cc: linux-fbdev, dri-devel, devicetree, linux-kernel
In-Reply-To: <DCZDZ037P56C.3MS3HI55IN41J@fairphone.com>
Hi
On 22.09.25 at 16:07, Luca Weiss wrote:
> Hi all,
>
> On Fri Jun 27, 2025 at 9:52 AM CEST, Javier Martinez Canillas wrote:
>> Luca Weiss <luca.weiss@fairphone.com> writes:
>>
>>> Make sure the headers are sorted alphabetically to ensure consistent
>>> code.
>>>
>>> Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
>>> ---
>> Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
> While there's still some open questions surrounding dt-bindings and how
> exactly to do that, I think it would be good to pick up the two
> "Sort headers correctly" patches so that they already get in. They're
> good to have in any case in my opinion.
Good idea. I've added them to drm-misc-next.
Best regards
Thomas
>
> Regards
> Luca
--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Frankenstrasse 146, 90461 Nuernberg, Germany
GF: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman
HRB 36809 (AG Nuernberg)
* [PATCH] fbcon: fix buffer overflow in fbcon_set_font
From: Simon Richter @ 2025-09-23 15:06 UTC (permalink / raw)
To: linux-fbdev, dri-devel, linux-kernel; +Cc: Simon Richter, stable
Commit 1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe introduced overflow
checking for the font allocation size calculation, but in doing so moved
the addition of the size for font housekeeping data out of the kmalloc
call.
As a result, the calculated size now includes those extra bytes, which
marks the same number of bytes beyond the allocation as valid font data.
The crc32() call and the later memcmp() in fbcon_set_font() already perform
an out-of-bounds read; the latter is flagged on ppc64el:
memcmp: detected buffer overflow: 4112 byte read of buffer size 4096
when loading Lat15-Fixed16.psf.gz.
Since the addition of the extra size should only go into the kmalloc()
call, calculate this size in a separate variable.
Signed-off-by: Simon Richter <Simon.Richter@hogyros.de>
Fixes: 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font")
Cc: stable <stable@vger.kernel.org> #v5.9+
---
drivers/video/fbdev/core/fbcon.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index 5fade44931b8..a3fbf42c57d9 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2518,7 +2518,7 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font,
unsigned charcount = font->charcount;
int w = font->width;
int h = font->height;
- int size;
+ int size, allocsize;
int i, csum;
u8 *new_data, *data = font->data;
int pitch = PITCH(font->width);
@@ -2551,10 +2551,10 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font,
return -EINVAL;
/* Check for overflow in allocation size calculation */
- if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &size))
+ if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &allocsize))
return -EINVAL;
- new_data = kmalloc(size, GFP_USER);
+ new_data = kmalloc(allocsize, GFP_USER);
if (!new_data)
return -ENOMEM;
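Review bot: this is the same change as Thomas Zimmermann's "fbcon: Fix OOB access in font allocation" earlier in the thread (`alloc_size` there, `allocsize` here), which already carries Reviewed-by tags and a second Closes: link; unless this version adds something, replying with a Tested-by on that patch would avoid two competing fixes being queued for stable.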
--
2.47.3