linux/drivers/video/fbdev/core
Qiujun Huang b139f8b00d fbcon: fix null-ptr-deref in fbcon_switch
Set logo_shown to FBCON_LOGO_CANSHOW when the vc was deallocated.

syzkaller report: https://lkml.org/lkml/2020/3/27/403
general protection fault, probably for non-canonical address
0xdffffc000000006c: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000360-0x0000000000000367]
RIP: 0010:fbcon_switch+0x28f/0x1740
drivers/video/fbdev/core/fbcon.c:2260

Call Trace:
redraw_screen+0x2a8/0x770 drivers/tty/vt/vt.c:1008
vc_do_resize+0xfe7/0x1360 drivers/tty/vt/vt.c:1295
fbcon_init+0x1221/0x1ab0 drivers/video/fbdev/core/fbcon.c:1219
visual_init+0x305/0x5c0 drivers/tty/vt/vt.c:1062
do_bind_con_driver+0x536/0x890 drivers/tty/vt/vt.c:3542
do_take_over_console+0x453/0x5b0 drivers/tty/vt/vt.c:4122
do_fbcon_takeover+0x10b/0x210 drivers/video/fbdev/core/fbcon.c:588
fbcon_fb_registered+0x26b/0x340 drivers/video/fbdev/core/fbcon.c:3259
do_register_framebuffer drivers/video/fbdev/core/fbmem.c:1664 [inline]
register_framebuffer+0x56e/0x980 drivers/video/fbdev/core/fbmem.c:1832
dlfb_usb_probe.cold+0x1743/0x1ba3 drivers/video/fbdev/udlfb.c:1735
usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:374

accessing vc_cons[logo_shown].d->vc_top causes the bug.

Reported-by: syzbot+732528bae351682f1f27@syzkaller.appspotmail.com
Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
Acked-by: Sam Ravnborg <sam@ravnborg.org>
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20200329085647.25133-1-hqjagain@gmail.com
2020-03-31 09:59:38 +02:00
Makefile fbdev: remove object duplication in Makefile 2020-01-15 17:31:52 +01:00
bitblit.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
cfbcopyarea.c framebuffer: fix screen corruption when copying 2014-09-30 13:39:50 +03:00
cfbfillrect.c
cfbimgblt.c
fb_cmdline.c video/fbdev: refactor video= cmdline parsing 2019-02-08 19:24:47 +01:00
fb_ddc.c fb_ddc: Allow I2C adapters without SCL read capability 2015-09-30 10:46:55 +03:00
fb_defio.c video: fb_defio: preserve user fb_ops 2019-12-03 11:10:19 +02:00
fb_draw.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
fb_notify.c
fb_sys_fops.c
fbcmap.c fbdev: lock_fb_info cannot fail 2019-06-12 20:28:38 +02:00
fbcon.c fbcon: fix null-ptr-deref in fbcon_switch 2020-03-31 09:59:38 +02:00
fbcon.h fbcon: s/struct display/struct fbcon_display/ 2019-06-12 20:27:34 +02:00
fbcon_ccw.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
fbcon_cw.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
fbcon_rotate.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
fbcon_rotate.h fbcon: Make fbcon a built-time depency for fbdev 2017-08-01 17:32:07 +02:00
fbcon_ud.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
fbcvt.c fbdev: fix CVT vertical front and back porch values 2015-01-27 13:35:37 +02:00
fbmem.c fbmem: Adjust indentation in fb_prepare_logo and fb_blank 2020-01-15 17:31:47 +01:00
fbmon.c fbdev: Ditch fb_edid_add_monspecs 2019-07-23 14:17:22 +02:00
fbsysfs.c fbdev: remove FBINFO_MISC_USEREVENT around fb_blank 2019-06-12 20:30:06 +02:00
modedb.c fbdev: Ditch fb_edid_add_monspecs 2019-07-23 14:17:22 +02:00
softcursor.c fbcon: Make fbcon a built-time depency for fbdev 2017-08-01 17:32:07 +02:00
svgalib.c
syscopyarea.c video: fbdev: fix sys_copyarea 2015-01-30 09:46:59 +02:00
sysfillrect.c
sysimgblt.c
tileblit.c fbcon: add fbcon=margin:<color> command line option 2017-08-18 19:56:40 +02:00