<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/drivers/video/fbdev/core/fbcon.c, branch v7.2-rc1</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-06-26T13:07:38+00:00</updated>
<entry>
<title>fbcon: fix NULL pointer dereference for a console without vc_data</title>
<updated>2026-06-26T13:07:38+00:00</updated>
<author>
<name>Ian Bridges</name>
<email>icb@fastmail.org</email>
</author>
<published>2026-06-24T21:11:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=5fae9a928482d4845bca169a3a098789203a1ca4'/>
<id>urn:sha1:5fae9a928482d4845bca169a3a098789203a1ca4</id>
<content type='text'>
fbcon_new_modelist() runs when a framebuffer's modelist changes. For each
console mapped to it with fb_display[i].mode set, it reads vc_cons[i].d and
passes the vc_num to fbcon_set_disp(). This assumes a console with a mode
set has a vc_data, but it can be NULL. fbcon_set_disp() sets
fb_display[i].mode before it checks vc_data, and fbcon_deinit() leaves the
mode set after the vc_data is freed. fbcon_new_modelist() then dereferences
the NULL vc_data.

Keep fb_display[i].mode set only while the console has a vc_data. Check
vc_data before setting the mode in fbcon_set_disp(), and clear the mode in
fbcon_deinit(). The existing mode check in fbcon_new_modelist() then skips
such consoles.

Reported-by: syzbot+42525d636f430fd5d983@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=42525d636f430fd5d983
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Ian Bridges &lt;icb@fastmail.org&gt;
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
</content>
</entry>
<entry>
<title>fbdev: fbcon: fix out-of-bounds read in err_out of fbcon_do_set_font()</title>
<updated>2026-06-25T16:15:48+00:00</updated>
<author>
<name>Mingyu Wang</name>
<email>25181214217@stu.xidian.edu.cn</email>
</author>
<published>2026-06-25T16:03:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=8fdc8c2057eea08d40ce2c8eed41ff9e451c65c2'/>
<id>urn:sha1:8fdc8c2057eea08d40ce2c8eed41ff9e451c65c2</id>
<content type='text'>
When fbcon_do_set_font() fails (e.g., due to a memory allocation failure
inside vc_resize() under heavy memory pressure), it jumps to the `err_out`
label to roll back the console state. However, the current rollback logic
forgets to restore the `hi_font` state, leading to a severe state machine
corruption.

Earlier in the function, `set_vc_hi_font()` might be called to change
`vc-&gt;vc_hi_font_mask` and mutate the screen buffer. If `vc_resize()`
subsequently fails, the `err_out` path restores `vc_font.charcount`
but entirely skips rolling back the `vc_hi_font_mask` and the screen
buffer.

This mismatch leaves the terminal in a desynchronized state. Because
`vc_hi_font_mask` remains set, the VT subsystem will still accept
character indices greater than 255 from userspace and write them to the
screen buffer. Subsequent rendering calls (e.g., `fbcon_putcs()`) will
then use these inflated indices to access the reverted, 256-character
font array, leading to a deterministic out-of-bounds read and potential
kernel memory disclosure.

Fix this by adding the missing rollback logic for the `hi_font` mask
and screen buffer in the error path.

Fixes: a5a923038d70 ("fbdev: fbcon: Properly revert changes when vc_resize() failed")
Cc: stable@vger.kernel.org
Signed-off-by: Mingyu Wang &lt;25181214217@stu.xidian.edu.cn&gt;
Reviewed-by: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
</content>
</entry>
<entry>
<title>fbcon: correct CONFIG_FB_TILEBLITTING macro name in #endif comment</title>
<updated>2026-06-09T14:00:11+00:00</updated>
<author>
<name>Ethan Nelson-Moore</name>
<email>enelsonmoore@gmail.com</email>
</author>
<published>2026-06-09T03:35:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f5c147fda9c6c553bfc2b86e0734b4594f2a9a7d'/>
<id>urn:sha1:f5c147fda9c6c553bfc2b86e0734b4594f2a9a7d</id>
<content type='text'>
A comment in drivers/video/fbdev/core/fbcon.c incorrectly refers to
CONFIG_MISC_TILEBLITTING instead of CONFIG_FB_TILEBLITTING. Correct it.

Discovered while searching for CONFIG_* symbols referenced in code but
not defined in any Kconfig file.

Signed-off-by: Ethan Nelson-Moore &lt;enelsonmoore@gmail.com&gt;
Reviewed-by: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
</content>
</entry>
<entry>
<title>fbdev: Do not export fbcon from fbdev</title>
<updated>2026-06-09T14:00:11+00:00</updated>
<author>
<name>Thomas Zimmermann</name>
<email>tzimmermann@suse.de</email>
</author>
<published>2026-05-27T15:14:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=98c2b2551b22d975f8f94ad19169a06339da3d8a'/>
<id>urn:sha1:98c2b2551b22d975f8f94ad19169a06339da3d8a</id>
<content type='text'>
There are no callers of fbcon outside fbdev. Move the declarations
into the internal header.

Signed-off-by: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
</content>
</entry>
<entry>
<title>fbdev: Wrap user-invoked calls to fb_set_var() in helper</title>
<updated>2026-06-09T14:00:10+00:00</updated>
<author>
<name>Thomas Zimmermann</name>
<email>tzimmermann@suse.de</email>
</author>
<published>2026-05-27T15:14:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=6f611e5e5f3327cf2e2daabe6ee5acac58cc784e'/>
<id>urn:sha1:6f611e5e5f3327cf2e2daabe6ee5acac58cc784e</id>
<content type='text'>
Handle fbcon during display updates in fb_set_var_from_user(). Check
with fbcon if the mode change is possible, update hardware state and
finally update fbcon. Update all callers.

Only the FBIOPUT_VSCREENINFO ioctl currently does all steps. Other
mode-changes callers in sysfs and driver code are missing fbcon-related
steps.

With the new helper, ps3fb and sh_mobile_lcdcfb no longer maintain
fbcon state themselves.

Signed-off-by: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
</content>
</entry>
<entry>
<title>fbcon: don't suspend/resume when vc is graphics mode</title>
<updated>2026-06-09T14:00:10+00:00</updated>
<author>
<name>Lu Yao</name>
<email>yaolu@kylinos.cn</email>
</author>
<published>2026-04-30T06:01:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=70d9d5f5fcd940f627bd403aaa6f65de724eef6b'/>
<id>urn:sha1:70d9d5f5fcd940f627bd403aaa6f65de724eef6b</id>
<content type='text'>
Don't need to do suspend/resume for fbcon in graphic mode.

Doing this may cause error, eg:
  At the beginning, starting the Xorg with single screen and then an
  external screen was plugged in. After logging out in Xorg, fbdev
  info may using screen which is connected later on for info always
  using first connected connector in list in func 'drm_setup_crtcs_fb'.
  Then, S3 executed, fbcon found that the information did not match
  and do atomic to switch fb. However, Xorg will not re-bind the crtc
  fb but continues doing ioctl. At this time, the fb is incorrect.

With some modifications by Helge Deller.

Signed-off-by: Lu Yao &lt;yaolu@kylinos.cn&gt;
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
</content>
</entry>
<entry>
<title>fbcon: Use correct type for vc_resize() return value</title>
<updated>2026-06-07T16:25:42+00:00</updated>
<author>
<name>Jiacheng Yu</name>
<email>yujiacheng3@huawei.com</email>
</author>
<published>2026-05-14T09:19:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=84202754fb1727dc3ee87f47104e4162ecc8ba3a'/>
<id>urn:sha1:84202754fb1727dc3ee87f47104e4162ecc8ba3a</id>
<content type='text'>
The return value of vc_resize() is int, but fbcon_set_disp() stores it
in an unsigned long variable. While the !ret check happens to work
correctly by coincidence (negative values become large positive values),
the types should match. Use int instead.

Eliminates the following W=3 warning:

  drivers/video/fbdev/core/fbcon.c: In function 'fbcon_set_disp':
  drivers/video/fbdev/core/fbcon.c:1494:14: warning: implicit conversion from 'int' to 'unsigned long' [-Wconversion]

Fixes: af0db3c1f898 ("fbdev: Fix vmalloc out-of-bounds write in fast_imageblit")
Cc: stable@vger.kernel.org # v6.17+
Signed-off-by: Jiacheng Yu &lt;yujiacheng3@huawei.com&gt;
Reviewed-by: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
</content>
</entry>
<entry>
<title>fbcon: Put font-rotation state into separate struct</title>
<updated>2026-04-07T15:38:07+00:00</updated>
<author>
<name>Thomas Zimmermann</name>
<email>tzimmermann@suse.de</email>
</author>
<published>2026-04-07T09:23:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=98e5b6d0699d5055623f2f070594b08b255eb1ce'/>
<id>urn:sha1:98e5b6d0699d5055623f2f070594b08b255eb1ce</id>
<content type='text'>
Move all temporary state of the font-rotation code into the struct
rotated in struct fbcon_par. Protect it with the Kconfig symbol
CONFIG_FRAMEBUFFER_CONSOLE_ROTATION. Avoids mixing it up with fbcon's
regular state.

v2:
- fix typos

Signed-off-by: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
</content>
</entry>
<entry>
<title>fbcon: Fill cursor mask in helper function</title>
<updated>2026-04-07T15:38:07+00:00</updated>
<author>
<name>Thomas Zimmermann</name>
<email>tzimmermann@suse.de</email>
</author>
<published>2026-04-07T09:23:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=6903bd692057f1daee5a4860f13fe97a9906489a'/>
<id>urn:sha1:6903bd692057f1daee5a4860f13fe97a9906489a</id>
<content type='text'>
Fbcon creates a cursor shape on the fly from the user-configured
settings. The logic to create a glyph with the cursor's bitmap mask
is duplicated in four places. In the cases that involve console
rotation, the implementation further rotates the cursor glyph for
displaying.

Consolidate all cursor-mask creation in a single helper. Update the
callers accordingly. For console rotation, use the glyph helpers to
rotate the created cursor glyph to the correct orientation.

v2:
- fix sparse truncated-bits warning

Signed-off-by: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
</content>
</entry>
<entry>
<title>lib/fonts: Store font data for user space with font_data_export()</title>
<updated>2026-03-09T14:47:21+00:00</updated>
<author>
<name>Thomas Zimmermann</name>
<email>tzimmermann@suse.de</email>
</author>
<published>2026-03-09T14:14:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=c37bd7c8d36f760c064de2639423866dc0270997'/>
<id>urn:sha1:c37bd7c8d36f760c064de2639423866dc0270997</id>
<content type='text'>
Add font_data_export() and update consoles to use it.

The helper font_data_export() is based on code in fbcon_get_font().
It extends the size of a single glyph to match the requested vpitch,
which us usually 32 bytes for fonts from user space. Internal fonts
have a pitch according to the glyph's height.

The implementation of font_data_export() differs in several ways from
the original code. The original implementation distinguished between
different pitches of the font data. This is not necessary as the pitch
is a parameter in the copying.

There was also special handling for a font pitch of 3 bytes, which got
expanded to 4 bytes (with trailing bits on each scanline). The logic
originated from long before git history exists even in the historical
tree. So it is not clear why this was implemented. It is not what user
space expects. The setfont utitlity loads font with 3-bytes pitches and
expects to read such fonts with a 3-byte pitch. For any font width, the
font pitch is always the width extended to the next multiple of 8. See
[1] for the user-space font-reading code.

With the changes to handling the font pitches, font_data_export() replaces
the original code's various special cases with a single copying logic.

v3:
- fix typos (Helge)

Signed-off-by: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Link: https://github.com/legionus/kbd/blob/v2.9.0/src/libkfont/kdfontop.c#L73 # [1]
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
</content>
</entry>
</feed>
