This is a note to let you know that I've just added the patch titled
drm/sysfb: Do not dereference NULL pointer in plane reset
to the 5.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
drm-sysfb-do-not-dereference-null-pointer-in-plane-reset.patch
and it can be found in the queue-5.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From [email protected] Tue Nov 4 00:22:28
>2025
From: Sasha Levin <[email protected]>
Date: Mon, 3 Nov 2025 10:06:26 -0500
Subject: drm/sysfb: Do not dereference NULL pointer in plane reset
To: [email protected]
Cc: Thomas Zimmermann <[email protected]>, Dan Carpenter
<[email protected]>, Melissa Wen <[email protected]>, Maarten
Lankhorst <[email protected]>, Maxime Ripard
<[email protected]>, David Airlie <[email protected]>, Simona Vetter
<[email protected]>, [email protected], Javier Martinez Canillas
<[email protected]>, Sasha Levin <[email protected]>
Message-ID: <[email protected]>
From: Thomas Zimmermann <[email protected]>
[ Upstream commit 14e02ed3876f4ab0ed6d3f41972175f8b8df3d70 ]
The plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not
deref that pointer, but forward NULL to the other plane-reset helpers.
Clears plane->state to NULL.
v2:
- fix typo in commit description (Javier)
Signed-off-by: Thomas Zimmermann <[email protected]>
Fixes: b71565022031 ("drm/gem: Export implementation of shadow-plane helpers")
Reported-by: Dan Carpenter <[email protected]>
Closes: https://lore.kernel.org/dri-devel/[email protected]/
Cc: Thomas Zimmermann <[email protected]>
Cc: Melissa Wen <[email protected]>
Cc: Maarten Lankhorst <[email protected]>
Cc: Maxime Ripard <[email protected]>
Cc: David Airlie <[email protected]>
Cc: Simona Vetter <[email protected]>
Cc: [email protected]
Cc: <[email protected]> # v5.15+
Reviewed-by: Javier Martinez Canillas <[email protected]>
Link: https://patch.msgid.link/[email protected]
[ removed drm_format_conv_state_init() call ]
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/gpu/drm/drm_gem_atomic_helper.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/drm_gem_atomic_helper.c
+++ b/drivers/gpu/drm/drm_gem_atomic_helper.c
@@ -282,7 +282,11 @@ EXPORT_SYMBOL(drm_gem_destroy_shadow_pla
void __drm_gem_reset_shadow_plane(struct drm_plane *plane,
struct drm_shadow_plane_state
*shadow_plane_state)
{
- __drm_atomic_helper_plane_reset(plane, &shadow_plane_state->base);
+ if (shadow_plane_state) {
+ __drm_atomic_helper_plane_reset(plane,
&shadow_plane_state->base);
+ } else {
+ __drm_atomic_helper_plane_reset(plane, NULL);
+ }
}
EXPORT_SYMBOL(__drm_gem_reset_shadow_plane);
Patches currently in stable-queue which might be from [email protected] are
queue-5.15/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
queue-5.15/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
queue-5.15/x86-bugs-fix-reporting-of-lfence-retpoline.patch
queue-5.15/arch-back-to-std-gnu89-in-v5.18.patch
queue-5.15/dt-bindings-usb-dwc3-imx8mp-dma-range-is-required-only-for-imx8mp.patch
queue-5.15/btrfs-use-smp_mb__after_atomic-when-forcing-cow-in-c.patch
queue-5.15/x86-boot-compile-boot-code-with-std-gnu11-too.patch
queue-5.15/xhci-dbc-improve-performance-by-removing-delay-in-transfer-event-polling.patch
queue-5.15/net-hns3-return-error-code-when-function-fails.patch
queue-5.15/btrfs-scrub-replace-max_t-min_t-with-clamp-in-scrub_.patch
queue-5.15/xhci-dbc-poll-at-different-rate-depending-on-data-transfer-activity.patch
queue-5.15/xhci-dbc-avoid-event-polling-busyloop-if-pending-rx-transfers-are-inactive.patch
queue-5.15/ravb-exclude-gptp-feature-support-for-rz-g2l.patch
queue-5.15/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-3340
queue-5.15/mptcp-drop-bogus-optimization-in-__mptcp_check_push.patch
queue-5.15/drm-etnaviv-fix-flush-sequence-logic.patch
queue-5.15/serial-8250_dw-use-devm_add_action_or_reset.patch
queue-5.15/xhci-dbc-allow-users-to-modify-dbc-poll-interval-via-sysfs.patch
queue-5.15/drm-msm-a6xx-fix-gmu-firmware-parser.patch
queue-5.15/serial-8250_dw-handle-reset-control-deassert-error.patch
queue-5.15/drm-sched-fix-race-in-drm_sched_entity_select_rq.patch
queue-5.15/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch
queue-5.15/alsa-usb-audio-fix-control-pipe-direction.patch
queue-5.15/drm-sysfb-do-not-dereference-null-pointer-in-plane-reset.patch
queue-5.15/btrfs-always-drop-log-root-tree-reference-in-btrfs_r.patch
queue-5.15/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
queue-5.15/xhci-dbc-provide-sysfs-option-to-configure-dbc-descriptors.patch
queue-5.15/libbpf-normalize-pt_regs_xxx-macro-definitions.patch
queue-5.15/block-make-req_op_zone_open-a-write-operation.patch
queue-5.15/revert-docs-process-howto-replace-c89-with-c11.patch
queue-5.15/usbnet-prevents-free-active-kevent.patch
queue-5.15/net-ravb-enforce-descriptor-type-ordering.patch
queue-5.15/xhci-dbc-fix-bogus-1024-byte-prefix-if-ttydbc-read-races-with-stall-event.patch
queue-5.15/bpf-do-not-audit-capability-check-in-do_jit.patch
queue-5.15/riscv-libbpf-add-risc-v-rv64-support-to-bpf_tracing..patch
queue-5.15/net-phy-dp83867-disable-eee-support-as-not-implemented.patch
queue-5.15/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch
