Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.18.21 2025-09-30T21:21:34+00:00 2025-09-30T21:21:34+00:00 Janne Grunau j@jannau.net 2025-09-15T06:36:41+00:00 urn:sha1:da1bb9135213744e7ec398826c8f2e843de4fb94 The pm_domain cleanup can not be devres managed as it uses struct simplefb_par which is allocated within struct fb_info by framebuffer_alloc(). This allocation is explicitly freed by unregister_framebuffer() in simplefb_remove(). Devres managed cleanup runs after the device remove call and thus can no longer access struct simplefb_par. Call simplefb_detach_genpds() explicitly from simplefb_destroy() like the cleanup functions for clocks and regulators. Fixes an use after free on M2 Mac mini during aperture_remove_conflicting_devices() using the downstream asahi kernel with Debian's kernel config. For unknown reasons this started to consistently dereference an invalid pointer in v6.16.3 based kernels. [ 6.736134] BUG: KASAN: slab-use-after-free in simplefb_detach_genpds+0x58/0x220 [ 6.743545] Read of size 4 at addr ffff8000304743f0 by task (udev-worker)/227 [ 6.750697] [ 6.752182] CPU: 6 UID: 0 PID: 227 Comm: (udev-worker) Tainted: G S 6.16.3-asahi+ #16 PREEMPTLAZY [ 6.752186] Tainted: [S]=CPU_OUT_OF_SPEC [ 6.752187] Hardware name: Apple Mac mini (M2, 2023) (DT) [ 6.752189] Call trace: [ 6.752190] show_stack+0x34/0x98 (C) [ 6.752194] dump_stack_lvl+0x60/0x80 [ 6.752197] print_report+0x17c/0x4d8 [ 6.752201] kasan_report+0xb4/0x100 [ 6.752206] __asan_report_load4_noabort+0x20/0x30 [ 6.752209] simplefb_detach_genpds+0x58/0x220 [ 6.752213] devm_action_release+0x50/0x98 [ 6.752216] release_nodes+0xd0/0x2c8 [ 6.752219] devres_release_all+0xfc/0x178 [ 6.752221] device_unbind_cleanup+0x28/0x168 [ 6.752224] device_release_driver_internal+0x34c/0x470 [ 6.752228] device_release_driver+0x20/0x38 [ 6.752231] bus_remove_device+0x1b0/0x380 [ 6.752234] device_del+0x314/0x820 [ 6.752238] platform_device_del+0x3c/0x1e8 [ 6.752242] platform_device_unregister+0x20/0x50 [ 6.752246] aperture_detach_platform_device+0x1c/0x30 [ 6.752250] aperture_detach_devices+0x16c/0x290 [ 6.752253] aperture_remove_conflicting_devices+0x34/0x50 ... [ 6.752343] [ 6.967409] Allocated by task 62: [ 6.970724] kasan_save_stack+0x3c/0x70 [ 6.974560] kasan_save_track+0x20/0x40 [ 6.978397] kasan_save_alloc_info+0x40/0x58 [ 6.982670] __kasan_kmalloc+0xd4/0xd8 [ 6.986420] __kmalloc_noprof+0x194/0x540 [ 6.990432] framebuffer_alloc+0xc8/0x130 [ 6.994444] simplefb_probe+0x258/0x2378 ... [ 7.054356] [ 7.055838] Freed by task 227: [ 7.058891] kasan_save_stack+0x3c/0x70 [ 7.062727] kasan_save_track+0x20/0x40 [ 7.066565] kasan_save_free_info+0x4c/0x80 [ 7.070751] __kasan_slab_free+0x6c/0xa0 [ 7.074675] kfree+0x10c/0x380 [ 7.077727] framebuffer_release+0x5c/0x90 [ 7.081826] simplefb_destroy+0x1b4/0x2c0 [ 7.085837] put_fb_info+0x98/0x100 [ 7.089326] unregister_framebuffer+0x178/0x320 [ 7.093861] simplefb_remove+0x3c/0x60 [ 7.097611] platform_remove+0x60/0x98 [ 7.101361] device_remove+0xb8/0x160 [ 7.105024] device_release_driver_internal+0x2fc/0x470 [ 7.110256] device_release_driver+0x20/0x38 [ 7.114529] bus_remove_device+0x1b0/0x380 [ 7.118628] device_del+0x314/0x820 [ 7.122116] platform_device_del+0x3c/0x1e8 [ 7.126302] platform_device_unregister+0x20/0x50 [ 7.131012] aperture_detach_platform_device+0x1c/0x30 [ 7.136157] aperture_detach_devices+0x16c/0x290 [ 7.140779] aperture_remove_conflicting_devices+0x34/0x50 ... Reported-by: Daniel Huhardeaux <tech@tootai.net> Cc: stable@vger.kernel.org Fixes: 92a511a568e44 ("fbdev/simplefb: Add support for generic power-domains") Signed-off-by: Janne Grunau <j@jannau.net> Reviewed-by: Hans de Goede <hansg@kernel.org> Signed-off-by: Helge Deller <deller@gmx.de> 2025-07-27T17:56:51+00:00 Rob Herring (Arm) robh@kernel.org 2025-07-03T18:35:13+00:00 urn:sha1:c80de50c192f135a78f6c924818b2f5cd6ca7524 Use the newly added of_reserved_mem_region_to_resource() function to handle "memory-region" properties. The error handling is a bit different. "memory-region" is optional, so failed lookup is not an error. But then an error in of_address_to_resource() is treated as an error. However, that distinction is not really important. Either the region is available and usable or it is not. So now, it is just of_reserved_mem_region_to_resource() which is checked for an error. Signed-off-by: Rob Herring (Arm) <robh@kernel.org> Signed-off-by: Helge Deller <deller@gmx.de> 2024-10-08T19:47:18+00:00 Uwe Kleine-König u.kleine-koenig@baylibre.com 2024-10-07T16:35:17+00:00 urn:sha1:01ecc142ef7c8c5081a39be81c1d8ab7c10dd7b8 After commit 0edb555a65d1 ("platform: Make platform_driver::remove() return void") .remove() is (again) the right callback to implement for platform drivers. Convert all platform drivers below drivers/video/fbdev to use .remove(), with the eventual goal to drop struct platform_driver::remove_new(). As .remove() and .remove_new() have the same prototypes, conversion is done by just changing the structure member name in the driver initializer. While touching these files, make indention of the struct initializer consistent in several files. Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com> Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de> Signed-off-by: Helge Deller <deller@gmx.de> 2023-12-14T09:31:45+00:00 Brian Masney bmasney@redhat.com 2023-12-12T19:57:54+00:00 urn:sha1:4350aa21cca48a5d951ba108290bad703fbc0630 When the power domains cannot be parsed, the message is incorrectly logged as an info message. Let's change this to an error since an error is returned. Fixes: 92a511a568e4 ("fbdev/simplefb: Add support for generic power-domains") Signed-off-by: Brian Masney <bmasney@redhat.com> Acked-by: Andrew Halaney <ahalaney@redhat.com> Acked-by: Javier Martinez Canillas <javierm@redhat.com> Acked-by: Thierry Reding <treding@nvidia.com> Signed-off-by: Hans de Goede <hdegoede@redhat.com> Link: https://patchwork.freedesktop.org/patch/msgid/20231212195754.232303-1-bmasney@redhat.com 2023-11-22T08:51:16+00:00 Richard Acayan mailingradian@gmail.com 2023-11-22T00:54:59+00:00 urn:sha1:9c6894320f49c146270623bb37cd700db7cf13df When the power domains are missing, the call to of_count_phandle_with_args fails with -ENOENT. The power domains are not required and there are some device trees that do not specify them. Suppress this error to fix devices without power domains attached to simplefb. Fixes: 92a511a568e4 ("fbdev/simplefb: Add support for generic power-domains") Closes: https://lore.kernel.org/linux-fbdev/ZVwFNfkqjrvhFHM0@radian Signed-off-by: Richard Acayan <mailingradian@gmail.com> Signed-off-by: Hans de Goede <hdegoede@redhat.com> Link: https://patchwork.freedesktop.org/patch/msgid/20231122005457.330066-3-mailingradian@gmail.com 2023-11-02T10:17:40+00:00 Thierry Reding treding@nvidia.com 2023-11-01T17:20:17+00:00 urn:sha1:92a511a568e44cf11681a2223cae4d576a1a515d The simple-framebuffer device tree bindings document the power-domains property, so make sure that simplefb supports it. This ensures that the power domains remain enabled as long as simplefb is active. v2: - remove unnecessary call to simplefb_detach_genpds() since that's already done automatically by devres - fix crash if power-domains property is missing in DT Signed-off-by: Thierry Reding <treding@nvidia.com> Reviewed-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Hans de Goede <hdegoede@redhat.com> Link: https://patchwork.freedesktop.org/patch/msgid/20231101172017.3872242-3-thierry.reding@gmail.com 2023-11-02T10:17:31+00:00 Thierry Reding treding@nvidia.com 2023-11-01T17:20:16+00:00 urn:sha1:8ddfc01ace51c85a2333fb9a9cbea34d9f87885d The simple-framebuffer bindings specify that the "memory-region" property can be used as an alternative to the "reg" property to define the framebuffer memory used by the display hardware. Implement support for this in the simplefb driver. Reviewed-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Thierry Reding <treding@nvidia.com> Signed-off-by: Hans de Goede <hdegoede@redhat.com> Link: https://patchwork.freedesktop.org/patch/msgid/20231101172017.3872242-2-thierry.reding@gmail.com 2023-08-04T13:54:38+00:00 Thomas Zimmermann tzimmermann@suse.de 2023-08-03T18:36:04+00:00 urn:sha1:367984eb70a79af20e3361a60723e744709bb372 Set struct fb_ops and with FB_DEFAULT_IOMEM_OPS, fbdev's initializer for I/O memory. Sets the callbacks to the cfb_ and fb_io_ functions. Select the correct modules with Kconfig's FB_IOMEM_HELPERS token. The macro and token set the currently selected values, so there is no functional change. v3: * use _IOMEM_ in commit message v2: * updated to use _IOMEM_ tokens Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de> Reviewed-by: Sam Ravnborg <sam@ravnborg.org> Acked-by: Helge Deller <deller@gmx.de> Cc: Hans de Goede <hdegoede@redhat.com> Link: https://patchwork.freedesktop.org/patch/msgid/20230803184034.6456-40-tzimmermann@suse.de 2023-07-24T14:50:38+00:00 Thomas Zimmermann tzimmermann@suse.de 2023-07-15T18:51:47+00:00 urn:sha1:b3e148d730b7255dfcfb080c8633146e44b83b0c The flag FBINFO_DEFAULT is 0 and has no effect, as struct fbinfo.flags has been allocated to zero by framebuffer_alloc(). So do not set it. Flags should signal differences from the default values. After cleaning up all occurrences of FBINFO_DEFAULT, the token will be removed. v4: * clarify commit message (Geert, Dan) v2: * fix commit message (Miguel) Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de> Acked-by: Sam Ravnborg <sam@ravnborg.org> Cc: Helge Deller <deller@gmx.de> Cc: Nicolas Ferre <nicolas.ferre@microchip.com> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Ferenc Bakonyi <fero@drama.obuda.kando.hu> Cc: "K. Y. Srinivasan" <kys@microsoft.com> Cc: Haiyang Zhang <haiyangz@microsoft.com> Cc: Wei Liu <wei.liu@kernel.org> Cc: Dexuan Cui <decui@microsoft.com> Cc: Antonino Daplas <adaplas@gmail.com> Cc: Maik Broemme <mbroemme@libmpq.org> Cc: Michael Ellerman <mpe@ellerman.id.au> Cc: Nicholas Piggin <npiggin@gmail.com> Cc: Christophe Leroy <christophe.leroy@csgroup.eu> Cc: Kristoffer Ericson <kristoffer.ericson@gmail.com> Cc: Hans de Goede <hdegoede@redhat.com> Cc: Steve Glendinning <steve.glendinning@shawell.net> Cc: Bernie Thompson <bernie@plugable.com> Cc: Florian Tobias Schandinat <FlorianSchandinat@gmx.de> Link: https://patchwork.freedesktop.org/patch/msgid/20230715185343.7193-6-tzimmermann@suse.de 2023-04-24T09:48:32+00:00 Uwe Kleine-König u.kleine-koenig@pengutronix.de 2023-03-18T23:54:17+00:00 urn:sha1:4ba34066a29bd9db89525ed5c18d1838658402eb The .remove() callback for a platform driver returns an int which makes many driver authors wrongly assume it's possible to do error handling by returning an error code. However the value returned is (mostly) ignored and this typically results in resource leaks. To improve here there is a quest to make the remove callback return void. In the first step of this quest all drivers are converted to .remove_new() which already returns void. Trivially convert this driver from always returning zero in the remove callback to the void returning variant. Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de> Signed-off-by: Helge Deller <deller@gmx.de>