From d25e5cbac4e2287c843fc8b45c50dd8e57e3a696 Mon Sep 17 00:00:00 2001 From: Andy Shevchenko Date: Mon, 4 May 2026 12:00:28 +0200 Subject: [PATCH 1/3] auxdisplay: max6959: use regmap_assign_bits() in max6959_enable() Replace the ternary with a direct call to the regmap_assign_bits() helper and save a couple lines of code. Signed-off-by: Andy Shevchenko --- drivers/auxdisplay/max6959.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/drivers/auxdisplay/max6959.c b/drivers/auxdisplay/max6959.c index 6bbc8d48fb1b..3bdef099a225 100644 --- a/drivers/auxdisplay/max6959.c +++ b/drivers/auxdisplay/max6959.c @@ -86,10 +86,7 @@ static const struct linedisp_ops max6959_linedisp_ops = { static int max6959_enable(struct max6959_priv *priv, bool enable) { - u8 mask = REG_CONFIGURATION_S_BIT; - u8 value = enable ? mask : 0; - - return regmap_update_bits(priv->regmap, REG_CONFIGURATION, mask, value); + return regmap_assign_bits(priv->regmap, REG_CONFIGURATION, REG_CONFIGURATION_S_BIT, enable); } static void max6959_power_off(void *priv) From a7511dcd9dd4bc55d123f9b800c8a4ed2662e5c6 Mon Sep 17 00:00:00 2001 From: Stepan Ionichev Date: Thu, 14 May 2026 22:43:42 +0500 Subject: [PATCH 2/3] auxdisplay: line-display: fix OOB read on zero-length message_store() linedisp_display() unconditionally reads msg[count - 1] before checking whether count is zero, so a write of zero bytes to the message sysfs attribute hits msg[-1]: write(fd, "", 0); -> message_store(..., buf, count=0) -> linedisp_display(linedisp, buf, count=0) -> msg[count - 1] == '\n' ; OOB read The kernfs write buffer for that store is a 1-byte allocation (kernfs_fop_write_iter() does kmalloc(len + 1) with len == 0), so msg[-1] is a 1-byte read before the slab object. On a KASAN-enabled kernel this trips an out-of-bounds report and panics; on stock kernels it silently reads adjacent slab data and, if that byte happens to be '\n', the following count-- wraps ssize_t 0 to -1 and is then passed to kmemdup_nul(). linedisp_display() is reached from the message_store() sysfs callback (drivers/auxdisplay/line-display.c message attribute, mode 0644) and from the in-tree initial-message setup with count == -1, so the OOB path is only userspace-triggerable via zero-byte writes; vfs_write() does not short-circuit on count == 0 and kernfs_fop_write_iter() dispatches the store callback regardless. Guard the trailing-newline trim with a count check. The existing if (!count) block then takes the clear-display path unchanged. Affects every auxdisplay driver that registers via linedisp_register() / linedisp_attach(): ht16k33, max6959, img-ascii-lcd, seg-led-gpio. Fixes: 7e76aece6f03 ("auxdisplay: Extract character line display core support") Signed-off-by: Stepan Ionichev Signed-off-by: Andy Shevchenko --- drivers/auxdisplay/line-display.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/auxdisplay/line-display.c b/drivers/auxdisplay/line-display.c index fb6d9294140d..915eb5cd96b2 100644 --- a/drivers/auxdisplay/line-display.c +++ b/drivers/auxdisplay/line-display.c @@ -173,7 +173,7 @@ static int linedisp_display(struct linedisp *linedisp, const char *msg, count = strlen(msg); /* if the string ends with a newline, trim it */ - if (msg[count - 1] == '\n') + if (count && msg[count - 1] == '\n') count--; if (!count) { From 4dc76c305a73bacaf330bebf723a181427bb4540 Mon Sep 17 00:00:00 2001 From: Stepan Ionichev Date: Fri, 15 May 2026 18:30:04 +0500 Subject: [PATCH 3/3] auxdisplay: Kconfig: drop unneeded quotes in PANEL_BOOT_MESSAGE dep The PANEL_BOOT_MESSAGE dependency uses a quoted-string comparison against the PANEL_CHANGE_MESSAGE bool symbol: depends on PANEL_CHANGE_MESSAGE="y" This is the only such pattern under drivers/auxdisplay/ (grep shows no other Kconfig file in the tree uses depends on FOO="y" with quotes for a plain bool symbol). The quoted form is parsed by Kconfig but is not idiomatic; the common form for the same intent is the unquoted tristate-style dependency: depends on PANEL_CHANGE_MESSAGE which evaluates true when PANEL_CHANGE_MESSAGE is y or m. Since PANEL_CHANGE_MESSAGE is declared as bool (not tristate), there is no behaviour change in practice: y is the only enabled value either form can match. Drop the quoted comparison so the dependency matches the prevailing kernel Kconfig style and so it is obvious to readers that the comparison works. Suggested-by: Andy Shevchenko Link: https://lore.kernel.org/r/CAHp75VfsA_LsbEKjxoeMdbhPbWj7OHZ7=0SYNA3c=ZLj_M94Bw@mail.gmail.com Signed-off-by: Stepan Ionichev Signed-off-by: Andy Shevchenko --- drivers/auxdisplay/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/auxdisplay/Kconfig b/drivers/auxdisplay/Kconfig index bedc6133f970..1ea7c039160c 100644 --- a/drivers/auxdisplay/Kconfig +++ b/drivers/auxdisplay/Kconfig @@ -327,7 +327,7 @@ config PANEL_CHANGE_MESSAGE say 'N' and keep the default message with the version. config PANEL_BOOT_MESSAGE - depends on PANEL_CHANGE_MESSAGE="y" + depends on PANEL_CHANGE_MESSAGE string "New initialization message" default "" help