Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp765930ybb; Sat, 28 Mar 2020 09:32:49 -0700 (PDT) X-Google-Smtp-Source: ADFU+vt1neOykUxvCJhlJJzgrZ7ewPvb1lKrS+e94PU6F/JebAE95b4rO8hU0D4Tc520ZTtO82aR X-Received: by 2002:aca:5208:: with SMTP id g8mr2600850oib.169.1585413169350; Sat, 28 Mar 2020 09:32:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1585413169; cv=none; d=google.com; s=arc-20160816; b=NCQMy6zt2FrgxosIs2jdBYFw4hSPZ6h6tk1UKTKVC1TTB+FTY/sVaILohq8bj4nJCF mtqjFOrxtRZDJR3feCbKAIrUV3a+qrr93+Qp6XmoRJniYWn96NIvNlupasvBjKRSVuss nsKXsntGob15esXk3iX3P2id5s3S2yEZUnBGoBwwCDImKJdS3L2ceiAkBbSSql58CU+j H2I0g3LzbCSSzYnyDA9FuygCKG6RhZuM3OzDtoa7CR6kf+qVg3SXl6rLJYuUH+AVe3th Yf3mjApxiBeXzPopsQpq6wEJamsGL8ALqjaCJP4/0Y7G6elY3O9VhArC1wv6yN96TzEg Vm5A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=Tepq1jSwDCN89tryT39lGx5t8RvfKo7KJYe9WreZN8E=; b=Hn8McWEwpeauG1+itVpJRI/daPWRSfX4wXQm6+ImO9aR5vwHJB2kjSB+L5BtxsNEBU M/7QfUgCgCRdmlJrpINxyVsLmYADLcqONXAx/9av7eS/BgkyZQgOwrqGWaN9YV32ik7v Pfp7Dg4nuPGyAWOkD9M97l5KboXhckSAjRzWrnO98QuDKHzj3TC1MmOBHwT37Q4eCI6W +fllOWl6pkqB/CPP21C5NQCGO7MyklKOGqwtQP5taByhu9MXpl0/uade6LjOw+euuqcV PUuvyXP4L/lQDGcu5oIbEDKRZkqYi4+yh6Wnincz/dqcCbHaf68skvxDqPRukafWu7Rs BisA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ffwll.ch header.s=google header.b=Godxthak; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w65si3928847oif.134.2020.03.28.09.32.37; Sat, 28 Mar 2020 09:32:49 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@ffwll.ch header.s=google header.b=Godxthak; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727247AbgC1Qbs (ORCPT + 99 others); Sat, 28 Mar 2020 12:31:48 -0400 Received: from mail-ot1-f66.google.com ([209.85.210.66]:46706 "EHLO mail-ot1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727183AbgC1Qbr (ORCPT ); Sat, 28 Mar 2020 12:31:47 -0400 Received: by mail-ot1-f66.google.com with SMTP id 111so13218945oth.13 for ; Sat, 28 Mar 2020 09:31:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ffwll.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Tepq1jSwDCN89tryT39lGx5t8RvfKo7KJYe9WreZN8E=; b=Godxthakoj8WDjgl/1xUDzE5sUEkmS4LTviBbCzV6Ma0iDh5GdRhECpcZTGY2Edk7W +klahkVThDTocA6UalroXBd3d/s1yNbA1MoKTHR6rFBKeI3CDoSMNENbizT8hyxv+Zk7 JFJYO5cqHODkH5KbjguHKYz6RZCBCYW+cVUwg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Tepq1jSwDCN89tryT39lGx5t8RvfKo7KJYe9WreZN8E=; b=tVgW3Pj9ECGYAIaNj2+Tk/JsiWDilnfcJrXYtsFvTPpB/dV1WqPtMmcjy1wzwn0h9I xyVvRhZOw5vNg+EnekINpXhKQQCMdD01mJloVnUBiMVG+ZegriKbIYl00mvtDu1Bgg66 Is+SC2PF4fcC7KO2gQb0j1Yp6MyJhW6L/ZX2NXWDGcidK8yLPRq0862oCrkYz1rYMY6I x6Ivc5pq56XFeXylV2TPrgsHYYPczK6buqRHBcyTvfSO45l6I7//HTaeTRQ0d7dF/kU8 IBHh9k6RQI3xYCBCsROr6+72BDQzHE+EC73oCZ7ozdrf5N9u1IiZ18h1AgCciEwnzyhZ jzWQ== X-Gm-Message-State: ANhLgQ0JMoOsmjA81rfqVsHXuFuBmLbXXqu2/zjNIwDzxSexw0zgLRwj gHrVh2C0IsGB3U1qO+Ubjns4jYmlnNDoUMCOTcXzkmuh X-Received: by 2002:a9d:7696:: with SMTP id j22mr3344521otl.188.1585413105299; Sat, 28 Mar 2020 09:31:45 -0700 (PDT) MIME-Version: 1.0 References: <20200328151511.22932-1-hqjagain@gmail.com> In-Reply-To: <20200328151511.22932-1-hqjagain@gmail.com> From: Daniel Vetter Date: Sat, 28 Mar 2020 17:31:34 +0100 Message-ID: Subject: Re: [PATCH] fbcon: fix null-ptr-deref in fbcon_switch To: Qiujun Huang Cc: Bartlomiej Zolnierkiewicz , Maarten Lankhorst , Sam Ravnborg , Daniel Thompson , ghalat@redhat.com, dri-devel , Linux Fbdev development list , Linux Kernel Mailing List Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Mar 28, 2020 at 4:15 PM Qiujun Huang wrote: > Add check for vc_cons[logo_shown].d, as it can be released by > vt_ioctl(VT_DISALLOCATE). Can you pls link to the syzbot report and distill the essence of the crash/issue here in the commit message? As-is a bit unclear what's going on. Patch itself looks correct. Thanks, Daniel > Reported-by: syzbot+732528bae351682f1f27@syzkaller.appspotmail.com > Signed-off-by: Qiujun Huang > --- > drivers/video/fbdev/core/fbcon.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c > index bb6ae995c2e5..7ee0f7b55829 100644 > --- a/drivers/video/fbdev/core/fbcon.c > +++ b/drivers/video/fbdev/core/fbcon.c > @@ -2254,7 +2254,7 @@ static int fbcon_switch(struct vc_data *vc) > fbcon_update_softback(vc); > } > > - if (logo_shown >= 0) { > + if (logo_shown >= 0 && vc_cons_allocated(logo_shown)) { > struct vc_data *conp2 = vc_cons[logo_shown].d; > > if (conp2->vc_top == logo_lines > @@ -2852,7 +2852,7 @@ static void fbcon_scrolldelta(struct vc_data *vc, int lines) > return; > if (vc->vc_mode != KD_TEXT || !lines) > return; > - if (logo_shown >= 0) { > + if (logo_shown >= 0 && vc_cons_allocated(logo_shown)) { > struct vc_data *conp2 = vc_cons[logo_shown].d; > > if (conp2->vc_top == logo_lines > -- > 2.17.1 > -- Daniel Vetter Software Engineer, Intel Corporation +41 (0) 79 365 57 48 - http://blog.ffwll.ch