The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y
git checkout FETCH_HEAD
git cherry-pick -x 78d9161d2bcd442d93d917339297ffa057dbee8c
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to 'stable@vger.kernel.org' --in-reply-to '2024042951-barbell-aeration-a1ce@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^..
Possible dependencies:
78d9161d2bcd ("fbdev: fix incorrect address computation in deferred IO")
3ed3811283dd ("fbdev: Refactor implementation of page_mkwrite")
56c134f7f1b5 ("fbdev: Track deferred-I/O pages in pageref struct")
856082f021a2 ("fbdev: defio: fix the pagelist corruption")
8c30e2d81bfd ("fbdev: Don't sort deferred-I/O pages by default")
105a940416fc ("fbdev/defio: Early-out if page is already enlisted")
67b723f5b742 ("drm/fb-helper: Calculate damaged area in separate helper")
aa15c677cc34 ("drm/fb-helper: Fix vertical damage clipping")
a3c286dcef7f ("drm/fb-helper: Fix clip rectangle height")
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 78d9161d2bcd442d93d917339297ffa057dbee8c Mon Sep 17 00:00:00 2001
From: Nam Cao <namcao@linutronix.de>
Date: Tue, 23 Apr 2024 13:50:53 +0200
Subject: [PATCH] fbdev: fix incorrect address computation in deferred IO
With deferred IO enabled, a page fault happens when data is written to the framebuffer device. Then the driver determines which page is being updated by calculating the offset of the written virtual address within the virtual memory area, and uses this offset to get the updated page within the internal buffer. This page is later copied to hardware (thus the name "deferred IO").

This offset calculation is only correct if the virtual memory area is mapped to the beginning of the internal buffer. Otherwise this is wrong. For example, if users do:

    mmap(ptr, 4096, PROT_WRITE, MAP_FIXED | MAP_SHARED, fd, 0xff000);

Then the virtual memory area will be mapped at offset 0xff000 within the internal buffer. This offset 0xff000 is not accounted for, and the wrong page is updated.
Correct the calculation by using vmf->pgoff instead. With this change, the variable "offset" will no longer hold the exact offset value, but it is rounded down to multiples of PAGE_SIZE. But this is still correct, because this variable is only used to calculate the page offset.
Reported-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Closes: https://lore.kernel.org/linux-fbdev/271372d6-e665-4e7f-b088-dee5f4ab341a@ora...
Fixes: 56c134f7f1b5 ("fbdev: Track deferred-I/O pages in pageref struct")
Cc: stable@vger.kernel.org
Signed-off-by: Nam Cao <namcao@linutronix.de>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Tested-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20240423115053.4490-1-namcao@l...
diff --git a/drivers/video/fbdev/core/fb_defio.c b/drivers/video/fbdev/core/fb_defio.c index dae96c9f61cf..806ecd32219b 100644 --- a/drivers/video/fbdev/core/fb_defio.c +++ b/drivers/video/fbdev/core/fb_defio.c @@ -196,7 +196,7 @@ static vm_fault_t fb_deferred_io_track_page(struct fb_info *info, unsigned long */ static vm_fault_t fb_deferred_io_page_mkwrite(struct fb_info *info, struct vm_fault *vmf) { - unsigned long offset = vmf->address - vmf->vma->vm_start; + unsigned long offset = vmf->pgoff << PAGE_SHIFT; struct page *page = vmf->page;
file_update_time(vmf->vma->vm_file);
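Review bot: with offset now computed as `vmf->pgoff << PAGE_SHIFT` it is always page-aligned, and the commit message says it is used only to derive a page index, so the left shift followed by a later division back to a page number is a round trip; consider handing vmf->pgoff to the page-tracking code directly and dropping the offset variable, which also removes the sub-page imprecision the message has to explain. The replacement itself is correct: vmf->pgoff already includes the mapping's own vm_pgoff, which the removed `vmf->address - vmf->vma->vm_start` did not account for.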
commit 78d9161d2bcd442d93d917339297ffa057dbee8c upstream.
With deferred IO enabled, a page fault happens when data is written to the framebuffer device. Then the driver determines which page is being updated by calculating the offset of the written virtual address within the virtual memory area, and uses this offset to get the updated page within the internal buffer. This page is later copied to hardware (thus the name "deferred IO").

This offset calculation is only correct if the virtual memory area is mapped to the beginning of the internal buffer. Otherwise this is wrong. For example, if users do:

    mmap(ptr, 4096, PROT_WRITE, MAP_FIXED | MAP_SHARED, fd, 0xff000);

Then the virtual memory area will be mapped at offset 0xff000 within the internal buffer. This offset 0xff000 is not accounted for, and the wrong page is updated.
Correct the calculation by using vmf->pgoff instead. With this change, the variable "offset" will no longer hold the exact offset value, but it is rounded down to multiples of PAGE_SIZE. But this is still correct, because this variable is only used to calculate the page offset.
Reported-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Closes: https://lore.kernel.org/linux-fbdev/271372d6-e665-4e7f-b088-dee5f4ab341a@ora...
Fixes: 56c134f7f1b5 ("fbdev: Track deferred-I/O pages in pageref struct")
Cc: stable@vger.kernel.org
Signed-off-by: Nam Cao <namcao@linutronix.de>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Tested-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20240423115053.4490-1-namcao@l...
[rebase to v5.15]
Signed-off-by: Nam Cao <namcao@linutronix.de>
---
 drivers/video/fbdev/core/fb_defio.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/core/fb_defio.c b/drivers/video/fbdev/core/fb_defio.c index 1f12c2043603..c2a0a936d5fb 100644 --- a/drivers/video/fbdev/core/fb_defio.c +++ b/drivers/video/fbdev/core/fb_defio.c @@ -149,7 +149,7 @@ static vm_fault_t fb_deferred_io_mkwrite(struct vm_fault *vmf) unsigned long offset; vm_fault_t ret;
- offset = (vmf->address - vmf->vma->vm_start); + offset = vmf->pgoff << PAGE_SHIFT;
/* this is a callback we get when userspace first tries to write to the page. we schedule a workqueue. that workqueue
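Review bot: the [rebase to v5.15] note should say why this tree is affected at all, because the Fixes: tag names 56c134f7f1b5, which Greg's message lists among the commits 5.15 does not have; the removed line `offset = (vmf->address - vmf->vma->vm_start);` in fb_deferred_io_mkwrite shows the same faulty computation is present in 5.15 independently of that commit, so either an older Fixes: reference or one sentence in the rebase note is needed for stable maintainers to see that the fix applies here. The substitution itself matches the upstream hunk.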
On Mon, Apr 29, 2024 at 04:40:41PM +0200, Nam Cao wrote:
> commit 78d9161d2bcd442d93d917339297ffa057dbee8c upstream.
>
> With deferred IO enabled, a page fault happens when data is written to the framebuffer device. Then the driver determines which page is being updated by calculating the offset of the written virtual address within the virtual memory area, and uses this offset to get the updated page within the internal buffer. This page is later copied to hardware (thus the name "deferred IO").
>
> This offset calculation is only correct if the virtual memory area is mapped to the beginning of the internal buffer. Otherwise this is wrong. For example, if users do:
>
>     mmap(ptr, 4096, PROT_WRITE, MAP_FIXED | MAP_SHARED, fd, 0xff000);
>
> Then the virtual memory area will be mapped at offset 0xff000 within the internal buffer. This offset 0xff000 is not accounted for, and the wrong page is updated.
>
> Correct the calculation by using vmf->pgoff instead. With this change, the variable "offset" will no longer hold the exact offset value, but it is rounded down to multiples of PAGE_SIZE. But this is still correct, because this variable is only used to calculate the page offset.
>
> Reported-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
> Closes: https://lore.kernel.org/linux-fbdev/271372d6-e665-4e7f-b088-dee5f4ab341a@ora...
> Fixes: 56c134f7f1b5 ("fbdev: Track deferred-I/O pages in pageref struct")
> Cc: stable@vger.kernel.org
> Signed-off-by: Nam Cao <namcao@linutronix.de>
> Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
> Tested-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
> Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
> Link: https://patchwork.freedesktop.org/patch/msgid/20240423115053.4490-1-namcao@l...
> [rebase to v5.15]
> Signed-off-by: Nam Cao <namcao@linutronix.de>
> ---
>  drivers/video/fbdev/core/fb_defio.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
Now queued up, thanks.
greg k-h
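A constructed C model of the offset computation the commit message describes, added here as an example; it is not code from the kernel, from the patch, or from its author. It mirrors how the kernel fills vmf->pgoff (the page distance from vm_start plus the mapping's own vm_pgoff, as linear_page_index() does) and compares the removed and the replacement computations for the commit message's mmap(..., fd, 0xff000) case and for a mapping at file offset 0. The struct names, a PAGE_SHIFT of 12, the build_fault() helper and the sample addresses are assumptions of the model.

```c
#include <stdio.h>

/* Constructed stand-ins for the fields of struct vm_area_struct and
 * struct vm_fault that the page_mkwrite handler consults. These are not the
 * kernel's definitions. PAGE_SHIFT is assumed to be 12 (4 KiB pages). */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)

struct vma_model {
	unsigned long vm_start;  /* first virtual address of the mapping */
	unsigned long vm_pgoff;  /* file offset the mapping starts at, in pages */
};

struct vmf_model {
	const struct vma_model *vma;
	unsigned long address;   /* faulting virtual address, page-aligned */
	unsigned long pgoff;     /* page index within the file */
};

/* How vmf->pgoff is derived: pages from vm_start, plus the mapping's vm_pgoff.
 * This is the step the removed computation left out. */
static unsigned long file_page_index(const struct vma_model *vma, unsigned long address)
{
	return ((address - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;
}

/* The computation the patch removes: distance from vm_start, which equals the
 * offset into the framebuffer only when the mapping starts at file offset 0. */
static unsigned long page_index_before_fix(const struct vmf_model *vmf)
{
	unsigned long offset = vmf->address - vmf->vma->vm_start;
	return offset / PAGE_SIZE;
}

/* The computation the patch introduces: vmf->pgoff already accounts for
 * vm_pgoff, so shifting it to a byte offset and dividing back gives the
 * page index within the framebuffer. */
static unsigned long page_index_after_fix(const struct vmf_model *vmf)
{
	unsigned long offset = vmf->pgoff << PAGE_SHIFT;
	return offset / PAGE_SIZE;
}

/* Assumed helper: the write fault the kernel would deliver for a store at byte
 * `off` into a mapping created by
 * mmap(ptr, len, PROT_WRITE, MAP_FIXED | MAP_SHARED, fd, file_off). */
static void build_fault(struct vma_model *vma, struct vmf_model *vmf,
			unsigned long ptr, unsigned long file_off, unsigned long off)
{
	vma->vm_start = ptr;
	vma->vm_pgoff = file_off >> PAGE_SHIFT;
	vmf->vma = vma;
	vmf->address = (ptr + off) & ~(PAGE_SIZE - 1);
	vmf->pgoff = file_page_index(vma, vmf->address);
}

/* Framebuffer page index selected by the removed computation. */
static unsigned long index_before_fix(unsigned long ptr, unsigned long file_off, unsigned long off)
{
	struct vma_model vma;
	struct vmf_model vmf;

	build_fault(&vma, &vmf, ptr, file_off, off);
	return page_index_before_fix(&vmf);
}

/* Framebuffer page index selected by the replacement computation. */
static unsigned long index_after_fix(unsigned long ptr, unsigned long file_off, unsigned long off)
{
	struct vma_model vma;
	struct vmf_model vmf;

	build_fault(&vma, &vmf, ptr, file_off, off);
	return page_index_after_fix(&vmf);
}

int main(void)
{
	unsigned long ptr = 0x7f000000UL;  /* constructed virtual address of the mapping */

	/* The commit message's case: the mapping starts at file offset 0xff000. */
	printf("file offset 0xff000: before fix -> page %lu, after fix -> page %lu\n",
	       index_before_fix(ptr, 0xff000UL, 16), index_after_fix(ptr, 0xff000UL, 16));
	/* The case the old code handled correctly: mapping at the start of the buffer. */
	printf("file offset 0:      before fix -> page %lu, after fix -> page %lu\n",
	       index_before_fix(ptr, 0, 16), index_after_fix(ptr, 0, 16));
	return 0;
}
```

For the 0xff000 mapping the old computation selects page 0 of the framebuffer while the faulting store actually lands in page 0xff; with file offset 0 both computations agree, which is why the bug only shows up for mappings that do not start at the beginning of the buffer.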
linux-stable-mirror@lists.linaro.org