From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Ian Bridges, Helge Deller
Subject: [PATCH 5.15 75/95] fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_var
Date: Thu, 2 Jul 2026 18:20:18 +0200
Message-ID: <20260702155110.791633836@linuxfoundation.org>
X-Mailer: git-send-email 2.55.0
In-Reply-To: <20260702155109.196223802@linuxfoundation.org>
References: <20260702155109.196223802@linuxfoundation.org>
User-Agent: quilt/0.69
X-stable: review
X-Patchwork-Hint: ignore
Precedence: bulk
X-Mailing-List: patches@lists.linux.dev
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

5.15-stable review patch. If anyone has any objections, please let me know.

------------------

From: Ian Bridges

commit 7f08fc10fa3d3366dc3af723970bd03d7d6d10e3 upstream.

info->var, a framebuffer's current mode, is expected to have a matching
entry in info->modelist. var_to_display() relies on this and treats a
failed fb_match_mode() as "This should not happen". fb_set_var() keeps it
true by adding the mode to the list on every change, and
do_register_framebuffer() does the same at registration.

store_modes() replaces the modelist from userspace. fb_new_modelist()
validates the new modes but does not check that info->var still has a
match. It relies on fbcon_new_modelist() to re-point consoles, but that
only handles consoles mapped to the framebuffer. With fbcon unbound there
are none, so info->var is left describing a mode that is no longer in the
list.

A later console takeover runs var_to_display(), where fb_match_mode()
returns NULL and leaves fb_display[i].mode NULL. fbcon_switch() passes it
to display_to_var(), and fb_videomode_to_var() dereferences the NULL mode.

Keep the current mode in the list in fb_new_modelist(), the same way
fb_set_var() does.

Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Ian Bridges
Signed-off-by: Helge Deller
Signed-off-by: Greg Kroah-Hartman --- drivers/video/fbdev/core/fbmem.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) --- a/drivers/video/fbdev/core/fbmem.c +++ b/drivers/video/fbdev/core/fbmem.c @@ -2061,6 +2061,18 @@ int fb_new_modelist(struct fb_info *info if (list_empty(&info->modelist)) return 1; + /* + * The new modelist may not contain the current mode (info->var), and + * fbcon_new_modelist() below only re-points consoles mapped to this + * framebuffer. Add the current mode here so info->var keeps a match + * even when fbcon is unbound. + */ + if (!fb_match_mode(&info->var, &info->modelist)) { + fb_var_to_videomode(&mode, &info->var); + if (fb_add_videomode(&mode, &info->modelist)) + return 1; + } + fbcon_new_modelist(info); return 0;
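
Review bot: In the added block of fb_new_modelist(), a failure from fb_add_videomode() returns 1, the same value as the list_empty() return just above, and by this point the userspace-supplied list is already in info->modelist while info->var still has no match in it. The visible lines do not show what the caller does on a nonzero return, so it is worth confirming for the 5.15 tree that store_modes() restores the previous modelist in that case; otherwise the allocation-failure path leaves exactly the state the commit message describes as leading to the NULL dereference. The hunk also uses mode in fb_var_to_videomode(&mode, &info->var) without adding a declaration, so the backport depends on the function already having a local struct fb_videomode of that name in this tree. A short mention in the comment that the current mode is appended to the list userspace wrote, and will therefore show up when the modes are read back, would help the next reader.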