From: Thomas Zimmermann <tzimmermann@suse.de> mainline inclusion from mainline-v6.11-rc1 commit 28aea43c705af174b98d01d299bb189c2ccbe085 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/15309 CVE: CVE-2026-46065 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- Clean up the pageref state as part of the lastclose helper. This only requires to clear the page's mapping field. The pageref and page can stay in place for the next opened instance of the frame- buffer file. With the change in the clean-up logic, there's no further need to look up pages during the lastclose cleanup. The code instead uses the existing pagerefs in its look-up table. It also avoids using smem_len, which some driver might not set correctly. v2: - fix typos in commit message (Javier) Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de> Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240419083331.7761-4-tzimmerm... Conflicts: drivers/video/fbdev/core/fb_defio.c [delete context conflicts upper the fb_deferred_io_pageref_clear()] Signed-off-by: Liu Kai <liukai284@huawei.com> --- drivers/video/fbdev/core/fb_defio.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/drivers/video/fbdev/core/fb_defio.c b/drivers/video/fbdev/core/fb_defio.c index b9607d5a370d..ec3db7851876 100644 --- a/drivers/video/fbdev/core/fb_defio.c +++ b/drivers/video/fbdev/core/fb_defio.c @@ -36,6 +36,14 @@ static struct page *fb_deferred_io_page(struct fb_info *info, unsigned long offs return page; } +static void fb_deferred_io_pageref_clear(struct fb_deferred_io_pageref *pageref) +{ + struct page *page = pageref->page; + + if (page) + page->mapping = NULL; +} + static struct fb_deferred_io_pageref *fb_deferred_io_pageref_get(struct fb_info *info, unsigned long offset, struct page *page) @@ -310,16 +318,13 @@ EXPORT_SYMBOL_GPL(fb_deferred_io_open); static void fb_deferred_io_lastclose(struct fb_info *info) { - struct page *page; - int i; + unsigned long i; flush_delayed_work(&info->deferred_work); /* clear out the mapping that we setup */ - for (i = 0 ; i < info->fix.smem_len; i += PAGE_SIZE) { - page = fb_deferred_io_page(info, i); - page->mapping = NULL; - } + for (i = 0; i < info->npagerefs; ++i) + fb_deferred_io_pageref_clear(&info->pagerefs[i]); } void fb_deferred_io_release(struct fb_info *info) -- 2.34.1