This is a note to let you know that I've just added the patch titled
drm/sysfb: Do not dereference NULL pointer in plane reset
to the 6.6-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
drm-sysfb-do-not-dereference-null-pointer-in-plane-reset.patch
and it can be found in the queue-6.6 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From [email protected] Mon Nov 3 21:50:23
>2025
From: Sasha Levin <[email protected]>
Date: Mon, 3 Nov 2025 07:47:27 -0500
Subject: drm/sysfb: Do not dereference NULL pointer in plane reset
To: [email protected]
Cc: Thomas Zimmermann <[email protected]>, Dan Carpenter
<[email protected]>, Melissa Wen <[email protected]>, Maarten
Lankhorst <[email protected]>, Maxime Ripard
<[email protected]>, David Airlie <[email protected]>, Simona Vetter
<[email protected]>, [email protected], Javier Martinez Canillas
<[email protected]>, Sasha Levin <[email protected]>
Message-ID: <[email protected]>
From: Thomas Zimmermann <[email protected]>
[ Upstream commit 14e02ed3876f4ab0ed6d3f41972175f8b8df3d70 ]
The plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not
deref that pointer, but forward NULL to the other plane-reset helpers.
Clears plane->state to NULL.
v2:
- fix typo in commit description (Javier)
Signed-off-by: Thomas Zimmermann <[email protected]>
Fixes: b71565022031 ("drm/gem: Export implementation of shadow-plane helpers")
Reported-by: Dan Carpenter <[email protected]>
Closes: https://lore.kernel.org/dri-devel/[email protected]/
Cc: Thomas Zimmermann <[email protected]>
Cc: Melissa Wen <[email protected]>
Cc: Maarten Lankhorst <[email protected]>
Cc: Maxime Ripard <[email protected]>
Cc: David Airlie <[email protected]>
Cc: Simona Vetter <[email protected]>
Cc: [email protected]
Cc: <[email protected]> # v5.15+
Reviewed-by: Javier Martinez Canillas <[email protected]>
Link: https://patch.msgid.link/[email protected]
[ removed drm_format_conv_state_init() call ]
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/gpu/drm/drm_gem_atomic_helper.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/drm_gem_atomic_helper.c
+++ b/drivers/gpu/drm/drm_gem_atomic_helper.c
@@ -301,7 +301,11 @@ EXPORT_SYMBOL(drm_gem_destroy_shadow_pla
void __drm_gem_reset_shadow_plane(struct drm_plane *plane,
struct drm_shadow_plane_state
*shadow_plane_state)
{
- __drm_atomic_helper_plane_reset(plane, &shadow_plane_state->base);
+ if (shadow_plane_state) {
+ __drm_atomic_helper_plane_reset(plane,
&shadow_plane_state->base);
+ } else {
+ __drm_atomic_helper_plane_reset(plane, NULL);
+ }
}
EXPORT_SYMBOL(__drm_gem_reset_shadow_plane);
Patches currently in stable-queue which might be from [email protected] are
queue-6.6/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch
queue-6.6/cpuidle-governors-menu-select-polling-state-in-some-more-cases.patch
queue-6.6/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
queue-6.6/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
queue-6.6/s390-pci-restore-irq-unconditionally-for-the-zpci-device.patch
queue-6.6/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch
queue-6.6/bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch
queue-6.6/net-hns3-return-error-code-when-function-fails.patch
queue-6.6/mptcp-fix-msg_peek-stream-corruption.patch
queue-6.6/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch
queue-6.6/drm-etnaviv-fix-flush-sequence-logic.patch
queue-6.6/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch
queue-6.6/s390-pci-avoid-deadlock-between-pci-error-recovery-and-mlx5-crdump.patch
queue-6.6/crypto-aspeed-acry-convert-to-platform-remove-callba.patch
queue-6.6/sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch
queue-6.6/drm-msm-a6xx-fix-gmu-firmware-parser.patch
queue-6.6/cpuidle-governors-menu-rearrange-main-loop-in-menu_select.patch
queue-6.6/wifi-ath12k-free-skb-during-idr-cleanup-callback.patch
queue-6.6/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch
queue-6.6/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch
queue-6.6/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch
queue-6.6/drm-sched-fix-race-in-drm_sched_entity_select_rq.patch
queue-6.6/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch
queue-6.6/alsa-usb-audio-fix-control-pipe-direction.patch
queue-6.6/drm-sysfb-do-not-dereference-null-pointer-in-plane-reset.patch
queue-6.6/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
queue-6.6/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-21603
queue-6.6/usbnet-prevents-free-active-kevent.patch
queue-6.6/bpf-do-not-audit-capability-check-in-do_jit.patch
queue-6.6/crypto-aspeed-fix-double-free-caused-by-devm.patch
queue-6.6/net-phy-dp83867-disable-eee-support-as-not-implemented.patch
queue-6.6/wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch
queue-6.6/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch
