CVE-2025-68296
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/12/2025
Last modified:
16/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup

Protect vga_switcheroo_client_fb_set() with console lock. Avoids OOB
access in fbcon_remap_all(). Without holding the console lock the call
races with switching outputs.

VGA switcheroo calls fbcon_remap_all() when switching clients. The fbcon
function uses struct fb_info.node, which is set by register_framebuffer().
As the fb-helper code currently sets up VGA switcheroo before registering
the framebuffer, the value of node is -1 and therefore not a legal value.
For example, fbcon uses the value within set_con2fb_map() [1] as an index
into an array.

Moving vga_switcheroo_client_fb_set() after register_framebuffer() can
result in VGA switching that does not switch fbcon correctly.

Therefore move vga_switcheroo_client_fb_set() under fbcon_fb_registered(),
which already holds the console lock. Fbdev calls fbcon_fb_registered()
from within register_framebuffer(). Serializes the helper with VGA
switcheroo's call to fbcon_remap_all().

Although vga_switcheroo_client_fb_set() takes an instance of struct fb_info
as parameter, it really only needs the contained fbcon state. Moving the
call to fbcon initialization is therefore cleaner than before. Only amdgpu,
i915, nouveau and radeon support vga_switcheroo. For all other drivers,
this change does nothing.
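
The ordering problem described above, shown as a simplified user-space C model. This is an added example, not kernel code and not part of the original patch. model_remap_all(), model_setup(), the registered_fb array and FB_MAX are assumptions standing in for the kernel paths named in the description.

```c
#include <pthread.h>
#include <stdio.h>

#define FB_MAX 32
/* User-space model only: names echo the advisory, bodies are assumptions. */
struct fb_info { int node; };              /* -1 until registered */
static pthread_mutex_t console_lock = PTHREAD_MUTEX_INITIALIZER;
static struct fb_info *registered_fb[FB_MAX];
static struct fb_info *switcheroo_fb;      /* fb the switch path will use */

/* Switch path: treats node as an array index. Returns 0 if the index is
 * usable, -1 where unguarded code would read out of bounds. */
static int model_remap_all(void)
{
    int ret = 0;
    pthread_mutex_lock(&console_lock);
    if (switcheroo_fb) {
        int idx = switcheroo_fb->node;
        if (idx < 0 || idx >= FB_MAX || registered_fb[idx] != switcheroo_fb)
            ret = -1;
    }
    pthread_mutex_unlock(&console_lock);
    return ret;
}

/* Bring up one framebuffer with a switch request arriving before and after
 * registration. fixed=0: old order (publish first, unlocked). fixed=1: publish
 * inside registration, under the lock. Returns -1 if a switch saw a bad index. */
static int model_setup(struct fb_info *info, int slot, int fixed)
{
    info->node = -1;
    switcheroo_fb = fixed ? NULL : info;   /* old order exposes node == -1 */
    int early = model_remap_all();         /* switch before registration */
    pthread_mutex_lock(&console_lock);
    info->node = slot;                     /* registration assigns node */
    registered_fb[slot] = info;
    switcheroo_fb = info;                  /* fixed order publishes only here */
    pthread_mutex_unlock(&console_lock);
    return early | model_remap_all();      /* switch after registration */
}

int main(void)
{
    struct fb_info a, b;
    int old = model_setup(&a, 0, 0);
    int fixed = model_setup(&b, 1, 1);
    printf("old order: %d, fixed order: %d\n", old, fixed);
    return 0;
}
```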



