linux-stable/drivers/video/fbdev
Qiujun Huang e9944eb667 fbcon: fix null-ptr-deref in fbcon_switch
commit b139f8b00d upstream.

Set logo_shown to FBCON_LOGO_CANSHOW when the vc was deallocated.

syzkaller report: https://lkml.org/lkml/2020/3/27/403
general protection fault, probably for non-canonical address
0xdffffc000000006c: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000360-0x0000000000000367]
RIP: 0010:fbcon_switch+0x28f/0x1740
drivers/video/fbdev/core/fbcon.c:2260

Call Trace:
redraw_screen+0x2a8/0x770 drivers/tty/vt/vt.c:1008
vc_do_resize+0xfe7/0x1360 drivers/tty/vt/vt.c:1295
fbcon_init+0x1221/0x1ab0 drivers/video/fbdev/core/fbcon.c:1219
visual_init+0x305/0x5c0 drivers/tty/vt/vt.c:1062
do_bind_con_driver+0x536/0x890 drivers/tty/vt/vt.c:3542
do_take_over_console+0x453/0x5b0 drivers/tty/vt/vt.c:4122
do_fbcon_takeover+0x10b/0x210 drivers/video/fbdev/core/fbcon.c:588
fbcon_fb_registered+0x26b/0x340 drivers/video/fbdev/core/fbcon.c:3259
do_register_framebuffer drivers/video/fbdev/core/fbmem.c:1664 [inline]
register_framebuffer+0x56e/0x980 drivers/video/fbdev/core/fbmem.c:1832
dlfb_usb_probe.cold+0x1743/0x1ba3 drivers/video/fbdev/udlfb.c:1735
usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:374

Accessing vc_cons[logo_shown].d->vc_top causes the bug.

Reported-by: syzbot+732528bae351682f1f27@syzkaller.appspotmail.com
Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
Acked-by: Sam Ravnborg <sam@ravnborg.org>
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20200329085647.25133-1-hqjagain@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-04-13 10:45:14 +02:00
aty mach64: fix image corruption due to reading accelerator registers 2018-11-21 09:19:17 +01:00
core fbcon: fix null-ptr-deref in fbcon_switch 2020-04-13 10:45:14 +02:00
geode x86/cpu: Rename cpu_data.x86_mask to cpu_data.x86_stepping 2018-02-15 01:15:52 +01:00
i810 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
intelfb video: fbdev: intelfb: deprecate pci_get_bus_and_slot() 2018-01-17 08:16:46 -06:00
kyro video: fbdev: kyro: constify pci_device_id. 2017-08-01 17:20:42 +02:00
matrox video: matroxfb: Delete an error message for a failed memory allocation in matroxfb_crtc2_probe() 2018-03-28 16:34:28 +02:00
mb862xx treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
mbx License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mmp fbdev changes for v4.18: 2018-06-17 05:00:24 +09:00
nvidia fbdev changes for v4.18: 2018-06-17 05:00:24 +09:00
omap fbdev: omapfb: off by one in omapfb_register_client() 2018-07-24 19:11:28 +02:00
omap2 omap2fb: Fix stack memory disclosure 2019-01-22 21:40:34 +01:00
riva treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
savage video: fbdev: savage: Replace mdelay with usleep_range in savage_init_hw 2018-04-24 18:11:21 +02:00
sis video: fbdev: sis: avoid mismatched prototypes 2018-03-12 17:06:52 +01:00
vermilion video: fbdev: vermilion: use 64-bit arithmetic instead of 32-bit 2018-03-12 17:06:54 +01:00
via video: fbdev: mark expected switch fall-throughs 2018-07-24 19:11:28 +02:00
68328fb.c video: fbdev: annotate fb_fix_screeninfo with const and __initconst 2017-09-04 16:00:49 +02:00
acornfb.c
acornfb.h
amba-clcd-nomadik.c
amba-clcd-nomadik.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
amba-clcd-versatile.c
amba-clcd-versatile.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
amba-clcd.c video: ARM CLCD: Improve a size determination in clcdfb_probe() 2018-03-28 16:34:29 +02:00
amifb.c fb: amifb: fix build warnings when not builtin 2018-07-31 13:06:58 +02:00
arcfb.c
arkfb.c video: fbdev: arkfb: constify pci_device_id. 2017-08-01 17:20:42 +02:00
asiliantfb.c video: fbdev: asiliantfb: constify pci_device_id. 2017-08-01 17:20:41 +02:00
atafb.c
atafb.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
atafb_iplan2p2.c
atafb_iplan2p4.c
atafb_iplan2p8.c
atafb_mfb.c
atafb_utils.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
atmel_lcdfb.c atmel_lcdfb: support native-mode display-timings 2019-11-24 08:20:35 +01:00
au1100fb.c fbdev changes for v4.18: 2018-06-17 05:00:24 +09:00
au1100fb.h
au1200fb.c video: fbdev: fix spelling mistake: "frambuffer" -> "framebuffer" 2018-05-15 12:41:11 +02:00
au1200fb.h fbdev: au1200fb: delete duplicate header contents 2018-01-04 16:53:49 +01:00
broadsheetfb.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
bt431.h
bt455.h
bw2.c video: fbdev: Convert to using %pOF instead of full_name 2017-08-07 17:22:13 +02:00
c2p.h
c2p_core.h
c2p_iplan2.c
c2p_planar.c
carminefb.c
carminefb.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
carminefb_regs.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
cg3.c video: fbdev: Convert to using %pOF instead of full_name 2017-08-07 17:22:13 +02:00
cg6.c video: fbdev: Convert to using %pOF instead of full_name 2017-08-07 17:22:13 +02:00
cg14.c video: fbdev: Convert to using %pOF instead of full_name 2017-08-07 17:22:13 +02:00
chipsfb.c fbdev: chipsfb: remove set but not used variable 'size' 2020-01-27 14:50:21 +01:00
cirrusfb.c video: fbdev: cirrusfb: mark expected switch fall-throughs 2017-11-09 18:09:32 +01:00
clps711x-fb.c video: clps711x-fb: release disp device node in probe() 2019-02-12 19:47:15 +01:00
clps711xfb.c
cobalt_lcdfb.c video: cobalt_lcdfb: constify fb_fix_screeninfo structure 2017-08-01 17:20:39 +02:00
controlfb.c
controlfb.h fbdev: controlfb: Add missing modes to fix out of bounds access 2017-11-09 18:09:33 +01:00
cyber2000fb.c video: fbdev: make fb_videomode const 2017-09-04 16:00:49 +02:00
cyber2000fb.h
da8xx-fb.c fbdev: da8xx-fb: Drop unnecessary static 2017-08-01 17:20:39 +02:00
dnfb.c video/fbdev/dnfb: Use common error handling code in dnfb_probe() 2017-11-09 18:09:31 +01:00
edid.h
efifb.c efifb: BGRT: Improve efifb_bgrt_sanity_check 2019-10-05 13:10:07 +02:00
ep93xx-fb.c
fb-puv3.c video: fbdev: make fb_var_screeninfo const 2017-09-04 16:00:50 +02:00
ffb.c video: fbdev: Convert to using %pOF instead of full_name 2017-08-07 17:22:13 +02:00
fm2fb.c video: fm2fb: constify zorro_device_id 2017-09-04 16:00:49 +02:00
fsl-diu-fb.c video: fbdev: fsl-diu-fb: Remove VLA usage 2018-07-24 19:11:26 +02:00
g364fb.c
gbefb.c
goldfishfb.c video: goldfishfb: fix memory leak on driver remove 2018-07-24 19:11:27 +02:00
grvga.c video: fbdev: annotate fb_fix_screeninfo with const and __initconst 2017-09-04 16:00:49 +02:00
gxt4500.c
hecubafb.c
hgafb.c video: hgafb: fix potential NULL pointer dereference 2019-06-15 11:54:10 +02:00
hitfb.c
hpfb.c
hyperv_fb.c use the new async probing feature for the hyperv drivers 2018-07-03 13:02:28 +02:00
i740_reg.h
i740fb.c video: fbdev: mark expected switch fall-throughs 2018-07-24 19:11:28 +02:00
imsttfb.c video: imsttfb: fix potential NULL pointer dereferences 2019-06-15 11:54:10 +02:00
imxfb.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
jz4740_fb.c
Kconfig fbdev: fix broken menu dependencies 2019-11-24 08:20:37 +01:00
leo.c video: fbdev: Convert to using %pOF instead of full_name 2017-08-07 17:22:13 +02:00
macfb.c nubus: Adopt standard linked list implementation 2018-01-16 16:47:29 +01:00
macmodes.c
macmodes.h
Makefile video: fbdev: remove unused sh_mobile_meram driver 2018-05-14 15:47:30 +02:00
maxinefb.c video: fbdev: make fb_var_screeninfo const 2017-09-04 16:00:50 +02:00
metronomefb.c video: fbdev: metronomefb: fix some off by one bugs 2018-07-24 19:11:26 +02:00
mx3fb.c
mxsfb.c treewide: devm_kzalloc() -> devm_kcalloc() 2018-06-12 16:19:22 -07:00
n411.c
neofb.c video: fbdev: neofb: constify pci_device_id. 2017-08-01 17:20:44 +02:00
nuc900fb.c
nuc900fb.h
ocfb.c
offb.c video: offb: Deallocate the color map 2018-03-12 17:06:54 +01:00
p9100.c video: fbdev: Convert to using %pOF instead of full_name 2017-08-07 17:22:13 +02:00
platinumfb.c
platinumfb.h
pm2fb.c video: fbdev: mark expected switch fall-throughs 2018-07-24 19:11:28 +02:00
pm3fb.c video: fbdev: pm3fb: constify pci_device_id. 2017-08-01 17:20:45 +02:00
pmag-aa-fb.c video: fbdev: make fb_var_screeninfo const 2017-09-04 16:00:50 +02:00
pmag-ba-fb.c video: fbdev: make fb_var_screeninfo const 2017-09-04 16:00:50 +02:00
pmagb-b-fb.c video: fbdev: make fb_var_screeninfo const 2017-09-04 16:00:50 +02:00
ps3fb.c video: fbdev: annotate fb_fix_screeninfo with const and __initconst 2017-09-04 16:00:49 +02:00
pvr2fb.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
pxa3xx-gcu.c video: fbdev: pxa3xx_gcu: add devicetree bindings 2018-07-24 19:11:25 +02:00
pxa3xx-gcu.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pxa168fb.c pxa168fb: Fix the function used to release some memory in an error handling path 2020-02-24 08:34:36 +01:00
pxa168fb.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pxafb.c video: fbdev: pxafb: Fix "WARNING: invalid free of devm_ allocated data" 2019-01-13 09:51:10 +01:00
pxafb.h video: fbdev: pxafb: Add support for lcd-supply regulator 2018-07-24 19:11:26 +02:00
q40fb.c video: fbdev: make fb_var_screeninfo const 2017-09-04 16:00:50 +02:00
s1d13xxxfb.c fbdev: s1d13xxxfb: remove m32r specific hacks 2018-03-26 15:56:46 +02:00
s3c-fb.c video: fbdev: s3c-fb: remove dead platform code for Exynos and S5PV210 platforms 2018-03-28 16:34:29 +02:00
s3c2410fb.c
s3c2410fb.h
s3fb.c video: fbdev: s3fb: constify pci_device_id. 2017-08-01 17:20:45 +02:00
sa1100fb.c video: sa1100fb: move pseudo palette into sa1100fb_info structure 2017-10-17 16:01:13 +02:00
sa1100fb.h video: sa1100fb: move pseudo palette into sa1100fb_info structure 2017-10-17 16:01:13 +02:00
sbuslib.c fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper() 2019-11-24 08:20:36 +01:00
sbuslib.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sh7760fb.c
sh_mobile_lcdcfb.c video: fbdev: sh_mobile_lcdcfb: remove unused MERAM support 2018-05-14 15:47:30 +02:00
sh_mobile_lcdcfb.h video: fbdev: sh_mobile_lcdcfb: remove unused MERAM support 2018-05-14 15:47:30 +02:00
simplefb.c video: fbdev: simplefb: Stop including <linux/clk-provider.h> 2018-07-03 17:43:09 +02:00
skeletonfb.c docs: fix broken references with multiple hints 2018-06-15 18:10:01 -03:00
sm501fb.c video: sm501fb: Improve a size determination in sm501fb_probe() 2018-04-26 12:24:18 +02:00
sm712.h fbdev: sm712fb: use 1024x768 by default on non-MIPS, fix garbled display 2019-05-25 18:23:36 +02:00
sm712fb.c fbdev: sm712fb: fix memory frequency by avoiding a switch/case fallthrough 2019-05-25 18:23:48 +02:00
smscufx.c video: smscufx: Delete an error message for a failed memory allocation in ufx_realloc_framebuffer() 2018-03-28 16:34:28 +02:00
ssd1307fb.c video: ssd1307fb: Start page range at page_offset 2019-10-07 18:56:30 +02:00
sstfb.c
sticore.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
stifb.c video/fbdev/stifb: Fix spelling mistake in fall-through annotation 2018-09-26 18:50:54 +02:00
sunxvr500.c video: fbdev: sunxvr500: constify pci_device_id. 2017-08-01 17:20:43 +02:00
sunxvr1000.c video: fbdev: Convert to using %pOF instead of full_name 2017-08-07 17:22:13 +02:00
sunxvr2500.c video: fbdev: sunxvr2500: constify pci_device_id. 2017-08-01 17:20:41 +02:00
tcx.c video: fbdev: Convert to using %pOF instead of full_name 2017-08-07 17:22:13 +02:00
tdfxfb.c video: fbdev: mark expected switch fall-throughs 2018-07-24 19:11:28 +02:00
tgafb.c
tmiofb.c
tridentfb.c video: fbdev: tridentfb: remove deadcode on unreachable case statement 2018-07-24 19:11:28 +02:00
udlfb.c udlfb: fix some inconsistent NULL checking 2019-05-31 06:46:02 -07:00
uvesafb.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
valkyriefb.c
valkyriefb.h
vesafb.c
vfb.c vfb: fix video mode and line_length being set when loaded 2018-01-04 16:53:50 +01:00
vga16fb.c video: fbdev: remove redundant self assignment of 'height' 2017-12-29 19:48:43 +01:00
vt8500lcdfb.c video/fbdev/vt8500lcdfb: Delete an error message for a failed memory allocation in vt8500lcd_probe() 2017-12-29 19:48:44 +01:00
vt8500lcdfb.h
vt8623fb.c video: fbdev: vt8623fb: constify vt8623_timing_regs 2017-08-18 19:56:40 +02:00
w100fb.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
w100fb.h
wm8505fb.c video/fbdev/wm8505fb: Delete an error message for a failed memory allocation in wm8505fb_probe() 2017-12-29 19:48:43 +01:00
wm8505fb_regs.h
wmt_ge_rops.c
wmt_ge_rops.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xen-fbfront.c treewide: Use array_size() in vmalloc() 2018-06-12 16:19:22 -07:00
xilinxfb.c video: fbdev: Fix multiple style issues in xilinxfb 2017-08-21 16:49:57 +02:00