git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Thomas Zimmermann <tzimmermann@suse.de>
	Tue, 24 Feb 2026 08:25:54 +0000 (09:25 +0100)
committer	Helge Deller <deller@gmx.de>
	Mon, 9 Mar 2026 12:06:48 +0000 (13:06 +0100)
commit	9ded47ad003f09a94b6a710b5c47f4aa5ceb7429
tree	461f8101d6d86ea7f488c7ea19bcf7ee2aec9d3d	tree \| snapshot
parent	24d11b25a1da6e4d55c9b8c9508f2e38b44ac741	commit \| diff

fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info

Hold state of deferred I/O in struct fb_deferred_io_state. Allocate an
instance as part of initializing deferred I/O and remove it only after
the final mapping has been closed. If the fb_info and the contained
deferred I/O meanwhile goes away, clear struct fb_deferred_io_state.info
to invalidate the mapping. Any access will then result in a SIGBUS
signal.

Fixes a long-standing problem, where a device hot-unplug happens while
user space still has an active mapping of the graphics memory. The hot-
unplug frees the instance of struct fb_info. Accessing the memory will
operate on undefined state.

Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: 60b59beafba8 ("fbdev: mm: Deferred IO support")
Cc: Helge Deller <deller@gmx.de>
Cc: linux-fbdev@vger.kernel.org
Cc: dri-devel@lists.freedesktop.org
Cc: stable@vger.kernel.org # v2.6.22+
Signed-off-by: Helge Deller <deller@gmx.de>

drivers/video/fbdev/core/fb_defio.c		diff \| blob \| blame \| history
include/linux/fb.h		diff \| blob \| blame \| history