laptop-kernel/drivers/video/fbdev/core, branch master

fbdev: Fix logic error in "offb" name match

2025-10-19T14:37:25Z

commit 15df28699b28d6b49dc305040c4e26a9553df07a upstream. A regression was reported to me recently whereby /dev/fb0 had disappeared from a PowerBook G3 Series "Wallstreet". The problem shows up when the "video=ofonly" parameter is passed to the kernel, which is what the bootloader does when "no video driver" is selected. The cause of the problem is the "offb" string comparison, which got mangled when it got refactored. Fix it. Cc: stable@vger.kernel.org Fixes: 93604a5ade3a ("fbdev: Handle video= parameter in video/cmdline.c") Reported-and-tested-by: Stan Johnson Signed-off-by: Finn Thain Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman

fbcon: Fix OOB access in font allocation

2025-09-23T09:36:14Z

Commit 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font") introduced an out-of-bounds access by storing data and allocation sizes in the same variable. Restore the old size calculation and use the new variable 'alloc_size' for the allocation. Signed-off-by: Thomas Zimmermann Fixes: 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font") Reported-by: Jani Nikula Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15020 Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6201 Cc: Samasth Norway Ananda Cc: Thomas Zimmermann Cc: George Kennedy Cc: Greg Kroah-Hartman Cc: Simona Vetter Cc: Helge Deller Cc: "Ville Syrjälä" Cc: Sam Ravnborg Cc: Qianqiang Liu Cc: Shixiong Ou Cc: Kees Cook Cc: # v5.9+ Cc: Zsolt Kajtar Reviewed-by: Lucas De Marchi Reviewed-by: Qianqiang Liu Link: https://lore.kernel.org/r/20250922134619.257684-1-tzimmermann@suse.de

fbcon: fix integer overflow in fbcon_do_set_font

2025-09-22T07:30:08Z

Fix integer overflow vulnerabilities in fbcon_do_set_font() where font size calculations could overflow when handling user-controlled font parameters. The vulnerabilities occur when: 1. CALC_FONTSZ(h, pitch, charcount) performs h * pith * charcount multiplication with user-controlled values that can overflow. 2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow 3. This results in smaller allocations than expected, leading to buffer overflows during font data copying. Add explicit overflow checking using check_mul_overflow() and check_add_overflow() kernel helpers to safety validate all size calculations before allocation. Signed-off-by: Samasth Norway Ananda Reviewed-by: Thomas Zimmermann Fixes: 39b3cffb8cf3 ("fbcon: prevent user font height or width change from causing potential out-of-bounds access") Cc: George Kennedy Cc: stable Cc: syzbot+38a3699c7eaf165b97a6@syzkaller.appspotmail.com Cc: Greg Kroah-Hartman Cc: Simona Vetter Cc: Helge Deller Cc: Thomas Zimmermann Cc: "Ville Syrjälä" Cc: Sam Ravnborg Cc: Qianqiang Liu Cc: Shixiong Ou Cc: Kees Cook Cc: # v5.9+ Signed-off-by: Thomas Zimmermann Link: https://lore.kernel.org/r/20250912170023.3931881-1-samasth.norway.ananda@oracle.com

Merge tag 'fbdev-for-6.17-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev

2025-08-08T03:43:20Z

Pull fbdev fixes for 6.17-rc1: - Revert a patch which broke VGA console - Fix an out-of-bounds access bug which may happen during console resizing when a console is mapped to a frame buffer * tag 'fbdev-for-6.17-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev: Revert "vgacon: Add check for vc_origin address range in vgacon_scroll()" fbdev: Fix vmalloc out-of-bounds write in fast_imageblit

fbdev: Fix vmalloc out-of-bounds write in fast_imageblit

2025-08-02T19:47:32Z

This issue triggers when a userspace program does an ioctl FBIOPUT_CON2FBMAP by passing console number and frame buffer number. Ideally this maps console to frame buffer and updates the screen if console is visible. As part of mapping it has to do resize of console according to frame buffer info. if this resize fails and returns from vc_do_resize() and continues further. At this point console and new frame buffer are mapped and sets display vars. Despite failure still it continue to proceed updating the screen at later stages where vc_data is related to previous frame buffer and frame buffer info and display vars are mapped to new frame buffer and eventully leading to out-of-bounds write in fast_imageblit(). This bheviour is excepted only when fg_console is equal to requested console which is a visible console and updates screen with invalid struct references in fbcon_putcs(). Reported-and-tested-by: syzbot+c4b7aa0513823e2ea880@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c4b7aa0513823e2ea880 Signed-off-by: Sravan Kumar Gundu Cc: stable@vger.kernel.org Signed-off-by: Helge Deller

Merge tag 'fbdev-for-6.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev

2025-08-02T16:58:11Z

Pull fbdev updates from Helge Deller: "One potential buffer overflow fix in the framebuffer registration function, some fixes for the imxfb, nvidiafb and simplefb drivers, and a bunch of cleanups for fbcon, kyrofb and svgalib. Framework fixes: - fix potential buffer overflow in do_register_framebuffer() [Yongzhen Zhang] Driver fixes: - imxfb: prevent null-ptr-deref [Chenyuan Yang] - nvidiafb: fix build on 32-bit ARCH=um [Johannes Berg] - nvidiafb: add depends on HAS_IOPORT [Randy Dunlap] - simplefb: Use of_reserved_mem_region_to_resource() for "memory-region" [Rob Herring] Cleanups: - fbcon: various code cleanups wrt blinking [Ville Syrjälä] - kyrofb: Convert to devm_*() functions [Giovanni Di Santi] - svgalib: Coding style cleanups [Darshan R.] - Fix typo in Kconfig text for FB_DEVICE [Daniel Palmer]" * tag 'fbdev-for-6.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev: fbcon: Use 'bool' where appopriate fbcon: Introduce get_{fg,bg}_color() fbcon: fbcon_is_inactive() -> fbcon_is_active() fbcon: fbcon_cursor_noblink -> fbcon_cursor_blink fbdev: Fix typo in Kconfig text for FB_DEVICE fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref fbdev: svgalib: Clean up coding style fbdev: kyro: Use devm_ioremap_wc() for screen mem fbdev: kyro: Use devm_ioremap() for mmio registers fbdev: kyro: Add missing PCI memory region request fbdev: simplefb: Use of_reserved_mem_region_to_resource() for "memory-region" fbdev: fix potential buffer overflow in do_register_framebuffer() fbdev: nvidiafb: add depends on HAS_IOPORT fbdev: nvidiafb: fix build on 32-bit ARCH=um

fbcon: Use 'bool' where appopriate

2025-07-27T17:56:52Z

Use 'bool' type where it makes more sense than 'int'. v2: Rebase due to corrected 'fbcon_cursor_blink' initial value Acked-by: Helge Deller Signed-off-by: Ville Syrjälä Reviewed-by: Thomas Zimmermann Signed-off-by: Helge Deller

fbcon: Introduce get_{fg,bg}_color()

2025-07-27T17:56:52Z

Make the code more legible by adding get_{fg,bg}_color() which hide the obscure 'is_fg' parameter of get_color() from the caller. Signed-off-by: Ville Syrjälä Acked-by: Helge Deller Reviewed-by: Thomas Zimmermann Signed-off-by: Helge Deller

fbcon: fbcon_is_inactive() -> fbcon_is_active()

2025-07-27T17:56:52Z

Invert fbcon_is_inactive() into fbcon_is_active(). Much easier on the poor brain when you don't have to do dobule negations all over the place. Signed-off-by: Ville Syrjälä Acked-by: Helge Deller Reviewed-by: Thomas Zimmermann Signed-off-by: Helge Deller

fbcon: fbcon_cursor_noblink -> fbcon_cursor_blink

2025-07-27T17:56:51Z

Invert fbcon_cursor_noblink into fbcon_cursor_blink so that: - it matches the sysfs attribute exactly - avoids having to do these NOT operations all over the place - use bool instead of int Signed-off-by: Ville Syrjälä Signed-off-by: Helge Deller