Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.19.11 2026-03-04T12:21:43+00:00 2026-03-04T12:21:43+00:00 Thomas Zimmermann tzimmermann@suse.de 2026-02-09T16:15:43+00:00 urn:sha1:07a0de6d01b16626bc34ebc074a86b9ec1ffa54b [ Upstream commit 30baedeeeab524172abc0b58cb101e8df86b5be8 ] The field inverse in struct fbcon_display is unused. Remove it. Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de> Cc: <stable@vger.kernel.org> # v6.0+ Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-03-04T12:21:43+00:00 René Rebe rene@exactco.de 2026-02-05T15:49:58+00:00 urn:sha1:f80615d76900b78293906099c7f980556285d823 [ Upstream commit b28da0d092461ac239ff034a8ac3129320177ba3 ] Fix Sun FFB1 corrupted video out ([1] and [2]) by disabling overlay and initializing window mode to a known state. The issue never appeared on my FFB2+/vertical nor Elite3D/M6. It could also depend on the PROM version. /SUNW,ffb@1e,0: FFB at 000001fc00000000, type 11, DAC pnum[236c] rev[10] manuf_rev[4] X (II) /dev/fb0: Detected FFB1, Z-buffer, Single-buffered. X (II) /dev/fb0: BT9068 (PAC1) ramdac detected (with normal cursor control) X (II) /dev/fb0: Detected Creator/Creator3D [1] https://www.instagram.com/p/DUTcSmSjSem/ [2] https://chaos.social/@ReneRebe/116023241660154102 Signed-off-by: René Rebe <rene@exactco.de> Cc: stable@kernel.org Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-03-04T12:21:42+00:00 Thomas Fourier fourier.thomas@gmail.com 2026-01-12T14:00:27+00:00 urn:sha1:2cd2f988a8bd2da227f5c3cfa0cbf3a9a287ddc3 [ Upstream commit 88b3b9924337336a31cefbe99a22ed09401be74a ] fbi->fb.screen_buffer is allocated with dma_alloc_coherent() but is not freed if the error path is reached. Fixes: e7b995371fe1 ("video: vt8500: Add devicetree support for vt8500-fb and wm8505-fb") Cc: <stable@vger.kernel.org> Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com> Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-03-04T12:21:42+00:00 Andrey Vatoropin a.vatoropin@crpt.ru 2025-12-17T09:11:05+00:00 urn:sha1:f57b61624c86ef8f87f6e6b7dd0755de03d90e89 [ Upstream commit 011a0502801c8536f64141a2b61362c14f456544 ] If fbcon_open() fails when called from con2fb_acquire_newinfo() then info->fbcon_par pointer remains NULL which is later dereferenced. Add check for return value of the function con2fb_acquire_newinfo() to avoid it. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: d1baa4ffa677 ("fbcon: set_con2fb_map fixes") Cc: stable@vger.kernel.org Signed-off-by: Andrey Vatoropin <a.vatoropin@crpt.ru> Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-03-04T12:21:42+00:00 Hans de Goede johannes.goede@oss.qualcomm.com 2025-12-21T16:57:40+00:00 urn:sha1:8d9fda63d1f3fb540d808fb4632f28c845501bd9 [ Upstream commit 68eeb0871e986ae5462439dae881e3a27bcef85f ] The fbdev sysfs attributes are registered after sending the uevent for the device creation, leaving a race window where e.g. udev rules may not be able to access the sysfs attributes because the registration is not done yet. Fix this by switching to device_create_with_groups(). This also results in a nice cleanup. After switching to device_create_with_groups() all that is left of fb_init_device() is setting the drvdata and that can be passed to device_create[_with_groups]() too. After which fb_init_device() can be completely removed. Dropping fb_init_device() + fb_cleanup_device() in turn allows removing fb_info.class_flag as they were the only user of this field. Fixes: 5fc830d6aca1 ("fbdev: Register sysfs groups through device_add_group") Cc: stable@vger.kernel.org Cc: Shixiong Ou <oushixiong@kylinos.cn> Signed-off-by: Hans de Goede <johannes.goede@oss.qualcomm.com> Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-02-26T23:01:19+00:00 Felix Gu ustc.gu@gmail.com 2026-02-03T12:14:58+00:00 urn:sha1:b024a8efee0f55d330a1cdd3eac8f79ac5acd3be [ Upstream commit ce4e25198a6aaaaf36248edf8daf3d744ec8e309 ] In au1200fb_drv_probe(), when platform_get_irq fails(), it directly returns from the function with an error code, which causes a memory leak. Replace it with a goto label to ensure proper cleanup. Fixes: 4e88761f5f8c ("fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe") Signed-off-by: Felix Gu <ustc.gu@gmail.com> Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-02-19T15:33:24+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2025-12-28T13:17:03+00:00 urn:sha1:f1e91bd4efeae48b0f42caed7e8ce2e3a0d05b02 commit 120adae7b42faa641179270c067864544a50ab69 upstream. The UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from userspace to kernelspace, and instead directly references the memory, which can cause problems if invalid data is passed from userspace. Fix this all up by correctly copying the memory before accessing it within the kernel. Reported-by: Tianchu Chen <flynnnchen@tencent.com> Cc: stable <stable@kernel.org> Cc: Steve Glendinning <steve.glendinning@shawell.net> Cc: Helge Deller <deller@gmx.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-02-19T15:33:24+00:00 Guangshuo Li lgs201920130244@gmail.com 2025-12-07T07:25:32+00:00 urn:sha1:73f0391e92d404da68f7484e57c106c5e673dc7e commit 0209e21e3c372fa2da04c39214bec0b64e4eb5f4 upstream. A userspace program can trigger the RIVA NV3 arbitration code by calling the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver recomputes FIFO arbitration parameters in nv3_arb(), using state->mclk_khz (derived from the PRAMDAC MCLK PLL) as a divisor without validating it first. In a normal setup, state->mclk_khz is provided by the real hardware and is non-zero. However, an attacker can construct a malicious or misconfigured device (e.g. a crafted/emulated PCI device) that exposes a bogus PLL configuration, causing state->mclk_khz to become zero. Once nv3_get_param() calls nv3_arb(), the division by state->mclk_khz in the gns calculation causes a divide error and crashes the kernel. Fix this by checking whether state->mclk_khz is zero and bailing out before doing the division. The following log reveals it: rivafb: setting virtual Y resolution to 2184 divide error: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 PID: 2187 Comm: syz-executor.0 Not tainted 5.18.0-rc1+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 RIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline] RIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546 Call Trace: nv3CalcArbitration.constprop.0+0x255/0x460 drivers/video/fbdev/riva/riva_hw.c:603 nv3UpdateArbitrationSettings drivers/video/fbdev/riva/riva_hw.c:637 [inline] CalcStateExt+0x447/0x1b90 drivers/video/fbdev/riva/riva_hw.c:1246 riva_load_video_mode+0x8a9/0xea0 drivers/video/fbdev/riva/fbdev.c:779 rivafb_set_par+0xc0/0x5f0 drivers/video/fbdev/riva/fbdev.c:1196 fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1033 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1109 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1188 __x64_sys_ioctl+0x122/0x190 fs/ioctl.c:856 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com> Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-12-06T23:41:26+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-12-06T23:41:26+00:00 urn:sha1:0d1d44032f7b8b9edb14e82315fdf504740940c1 Pull fbdev updates from Helge Deller: "The Termius 10x18 console bitmap font has been added. It is good match for modern 13-16 inch laptop displays with resolutions like 1280x800 and 1440x900 pixels. The gbefb and tcx.c drivers got some fixes to restore X11 support, pxafb was not actually clamping input values and the ssd1307fb driver leaked memory in the failure path. The other patches convert some common drivers to use dev_info() and dev_dbg() instead of printk(). Summary: Framework updates: - fonts: Add Terminus 10x18 console font [Neilay Kharwadkar] Driver fixes: - gbefb: fix to use physical address instead of dma address [René Rebe] - tcx.c fix mem_map to correct smem_start offset [René Rebe] - pxafb: Fix multiple clamped values in pxafb_adjust_timing [Thorsten Blum] - ssd1307fb: fix potential page leak in ssd1307fb_probe() [Abdun Nihaal] Cleanups: - vga16fb: Request memory region [Javier Garcia] - vga16fb: replace printk() with dev_*() in probe [Vivek BalachandharTN] - vesafb, gxt4500fb, tridentfb: Use dev_dbg() instead of printk() [Javier Garcia] - i810: use dev_info() [Shi Hao]" * tag 'fbdev-for-6.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev: fbdev: ssd1307fb: fix potential page leak in ssd1307fb_probe() fbdev: i810: use appopriate log interface dev_info fbdev: tridentfb: replace printk() with dev_*() in probe lib/fonts: Add Terminus 10x18 console font fbdev: pxafb: Fix multiple clamped values in pxafb_adjust_timing fbdev: tcx.c fix mem_map to correct smem_start offset fbdev: gxt4500fb: Use dev_err instead of printk fbdev: gbefb: fix to use physical address instead of dma address fbdev: vesafb: Use dev_* fn's instead printk fbdev: vga16fb: Request memory region fbdev: vga16fb: replace printk() with dev_*() in probe 2025-12-05T10:29:14+00:00 Abdun Nihaal nihaal@cse.iitm.ac.in 2025-12-03T03:55:44+00:00 urn:sha1:164312662ae9764b83b84d97afb25c42eb2be473 The page allocated for vmem using __get_free_pages() is not freed on the error paths after it. Fix that by adding a corresponding __free_pages() call to the error path. Fixes: facd94bc458a ("fbdev: ssd1307fb: Allocate page aligned video memory.") Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in> Signed-off-by: Helge Deller <deller@gmx.de>