From: Thomas Weißschuh <linux@weissschuh.net> mainline inclusion from mainline-v6.12-rc1 commit 929c81ade6355b87097a2a4886c10750e68626cf category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBY436 CVE: CVE-2025-21976 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- Introduce a device-managed variant of register_framebuffer() which automatically unregisters the framebuffer on device destruction. This can simplify the error handling and resource management in drivers. Signed-off-by: Thomas Weißschuh <linux@weissschuh.net> Signed-off-by: Helge Deller <deller@gmx.de> Conflicts: include/linux/fb.h [context conflicts] Signed-off-by: Xiangwei Li <liwei728@huawei.com> --- drivers/video/fbdev/core/fbmem.c | 30 ++++++++++++++++++++++++++++++ include/linux/fb.h | 1 + 2 files changed, 31 insertions(+) diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c index ee44a46a66be..990a4e63a916 100644 --- a/drivers/video/fbdev/core/fbmem.c +++ b/drivers/video/fbdev/core/fbmem.c @@ -1084,6 +1084,36 @@ unregister_framebuffer(struct fb_info *fb_info) } EXPORT_SYMBOL(unregister_framebuffer); +static void devm_unregister_framebuffer(void *data) +{ + struct fb_info *info = data; + + unregister_framebuffer(info); +} + +/** + * devm_register_framebuffer - resource-managed frame buffer device registration + * @dev: device the framebuffer belongs to + * @fb_info: frame buffer info structure + * + * Registers a frame buffer device @fb_info to device @dev. + * + * Returns negative errno on error, or zero for success. + * + */ +int +devm_register_framebuffer(struct device *dev, struct fb_info *fb_info) +{ + int ret; + + ret = register_framebuffer(fb_info); + if (ret) + return ret; + + return devm_add_action_or_reset(dev, devm_unregister_framebuffer, fb_info); +} +EXPORT_SYMBOL(devm_register_framebuffer); + /** * fb_set_suspend - low level driver signals suspend * @info: framebuffer affected diff --git a/include/linux/fb.h b/include/linux/fb.h index 195513d589c2..2b917f2a2400 100644 --- a/include/linux/fb.h +++ b/include/linux/fb.h @@ -598,6 +598,7 @@ extern ssize_t fb_sys_write(struct fb_info *info, const char __user *buf, /* fbmem.c */ extern int register_framebuffer(struct fb_info *fb_info); extern void unregister_framebuffer(struct fb_info *fb_info); +extern int devm_register_framebuffer(struct device *dev, struct fb_info *fb_info); extern int fb_prepare_logo(struct fb_info *fb_info, int rotate); extern int fb_show_logo(struct fb_info *fb_info, int rotate); extern char* fb_get_buffer_offset(struct fb_info *info, struct fb_pixmap *buf, u32 size); -- 2.25.1

From: Saurabh Sengar <ssengar@linux.microsoft.com> mainline inclusion from mainline-v6.14-rc7 commit ea2f45ab0e53b255f72c85ccd99e2b394fc5fceb category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBY436 CVE: CVE-2025-21976 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- When a Hyper-V framebuffer device is unbind, hyperv_fb driver tries to release the framebuffer forcefully. If this framebuffer is in use it produce the following WARN and hence this framebuffer is never released. [ 44.111220] WARNING: CPU: 35 PID: 1882 at drivers/video/fbdev/core/fb_info.c:70 framebuffer_release+0x2c/0x40 < snip > [ 44.111289] Call Trace: [ 44.111290] <TASK> [ 44.111291] ? show_regs+0x6c/0x80 [ 44.111295] ? __warn+0x8d/0x150 [ 44.111298] ? framebuffer_release+0x2c/0x40 [ 44.111300] ? report_bug+0x182/0x1b0 [ 44.111303] ? handle_bug+0x6e/0xb0 [ 44.111306] ? exc_invalid_op+0x18/0x80 [ 44.111308] ? asm_exc_invalid_op+0x1b/0x20 [ 44.111311] ? framebuffer_release+0x2c/0x40 [ 44.111313] ? hvfb_remove+0x86/0xa0 [hyperv_fb] [ 44.111315] vmbus_remove+0x24/0x40 [hv_vmbus] [ 44.111323] device_remove+0x40/0x80 [ 44.111325] device_release_driver_internal+0x20b/0x270 [ 44.111327] ? bus_find_device+0xb3/0xf0 Fix this by moving the release of framebuffer and assosiated memory to fb_ops.fb_destroy function, so that framebuffer framework handles it gracefully. While we fix this, also replace manual registrations/unregistration of framebuffer with devm_register_framebuffer. Fixes: 68a2d20b79b1 ("drivers/video: add Hyper-V Synthetic Video Frame Buffer Driver") Signed-off-by: Saurabh Sengar <ssengar@linux.microsoft.com> Reviewed-by: Michael Kelley <mhklinux@outlook.com> Tested-by: Michael Kelley <mhklinux@outlook.com> Link: https://lore.kernel.org/r/1740845791-19977-3-git-send-email-ssengar@linux.mi... Signed-off-by: Wei Liu <wei.liu@kernel.org> Message-ID: <1740845791-19977-3-git-send-email-ssengar@linux.microsoft.com> Conflicts: drivers/video/fbdev/hyperv_fb.c [context conflicts] Signed-off-by: Xiangwei Li <liwei728@huawei.com> --- drivers/video/fbdev/hyperv_fb.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/drivers/video/fbdev/hyperv_fb.c b/drivers/video/fbdev/hyperv_fb.c index 44cd0607d66b..a33b872cfc9b 100644 --- a/drivers/video/fbdev/hyperv_fb.c +++ b/drivers/video/fbdev/hyperv_fb.c @@ -283,6 +283,8 @@ static uint screen_depth; static uint screen_fb_size; static uint dio_fb_size; /* FB size for deferred IO */ +static void hvfb_putmem(struct fb_info *info); + /* Send message to Hyper-V host */ static inline int synthvid_send(struct hv_device *hdev, struct synthvid_msg *msg) @@ -887,6 +889,17 @@ static void hvfb_cfb_imageblit(struct fb_info *p, image->width, image->height); } +/* + * fb_ops.fb_destroy is called by the last put_fb_info() call at the end + * of unregister_framebuffer() or fb_release(). Do any cleanup related to + * framebuffer here. + */ +static void hvfb_destroy(struct fb_info *info) +{ + hvfb_putmem(info); + framebuffer_release(info); +} + static const struct fb_ops hvfb_ops = { .owner = THIS_MODULE, .fb_check_var = hvfb_check_var, @@ -897,6 +910,7 @@ static const struct fb_ops hvfb_ops = { .fb_imageblit = hvfb_cfb_imageblit, .fb_blank = hvfb_blank, .fb_mmap = fb_deferred_io_mmap, + .fb_destroy = hvfb_destroy, }; @@ -1198,7 +1212,7 @@ static int hvfb_probe(struct hv_device *hdev, if (ret) goto error; - ret = register_framebuffer(info); + ret = devm_register_framebuffer(&hdev->device, info); if (ret) { pr_err("Unable to register framebuffer\n"); goto error; @@ -1246,14 +1260,10 @@ static void hvfb_remove(struct hv_device *hdev) fb_deferred_io_cleanup(info); - unregister_framebuffer(info); cancel_delayed_work_sync(&par->dwork); vmbus_close(hdev->channel); hv_set_drvdata(hdev, NULL); - - hvfb_putmem(info); - framebuffer_release(info); } static int hvfb_suspend(struct hv_device *hdev) -- 2.25.1