From: Qiujun Huang
Date: Sun, 29 Mar 2020 00:57:29 +0800
Subject: Re: [PATCH] fbcon: fix null-ptr-deref in fbcon_switch
To: Daniel Vetter
Cc: Bartlomiej Zolnierkiewicz, Maarten Lankhorst, Sam Ravnborg, Daniel Thompson, ghalat@redhat.com, dri-devel, Linux Fbdev development list, Linux Kernel Mailing List
References: <20200328151511.22932-1-hqjagain@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Mar 29, 2020 at 12:31 AM Daniel Vetter wrote:
>
> On Sat, Mar 28, 2020 at 4:15 PM Qiujun Huang wrote:
> > Add check for vc_cons[logo_shown].d, as it can be released by
> > vt_ioctl(VT_DISALLOCATE).
>
> Can you pls link to the syzbot report and distill the essence of the
> crash/issue here in the commit message? As-is a bit unclear what's
> going on. Patch itself looks correct.

https://lkml.org/lkml/2020/3/27/403

Thanks.

>
> Thanks, Daniel
>
> > Reported-by: syzbot+732528bae351682f1f27@syzkaller.appspotmail.com
> > Signed-off-by: Qiujun Huang
> > ---
> > drivers/video/fbdev/core/fbcon.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c > > index bb6ae995c2e5..7ee0f7b55829 100644 > > --- a/drivers/video/fbdev/core/fbcon.c > > +++ b/drivers/video/fbdev/core/fbcon.c 
> > @@ -2254,7 +2254,7 @@ static int fbcon_switch(struct vc_data *vc) > > fbcon_update_softback(vc); > > } > > > > - if (logo_shown >= 0) { > > + if (logo_shown >= 0 && vc_cons_allocated(logo_shown)) { > > struct vc_data *conp2 = vc_cons[logo_shown].d; > > > > if (conp2->vc_top == logo_lines > > @@ -2852,7 +2852,7 @@ static void fbcon_scrolldelta(struct vc_data *vc, int lines) > > return; > > if (vc->vc_mode != KD_TEXT || !lines) > > return; > > - if (logo_shown >= 0) { > > + if (logo_shown >= 0 && vc_cons_allocated(logo_shown)) { > > struct vc_data *conp2 = vc_cons[logo_shown].d; > > > > if (conp2->vc_top == logo_lines > > -- > > 2.17.1 > > > > > -- > Daniel Vetter > Software Engineer, Intel Corporation > +41 (0) 79 365 57 48 - http://blog.ffwll.ch
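
Review bot: in the fbcon_switch hunk, nothing visible keeps the console allocated between the new vc_cons_allocated(logo_shown) test and the conp2->vc_top read two lines later, so if vt_ioctl(VT_DISALLOCATE) can run at that point the dereference is still exposed. Please say in the commit message which lock serializes fbcon_switch against the release path, and include the short crash description from the syzbot report that was asked for, so the check can be judged against the actual sequence of events.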
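
Review bot: the fbcon_scrolldelta hunk repeats the same `logo_shown >= 0 && vc_cons_allocated(logo_shown)` condition as fbcon_switch, and both sites leave logo_shown holding the index of a console that no longer exists. Consider resetting logo_shown at the point where that console is released, so the stale index never reaches either caller, or at least factor the test into one helper so a later user of logo_shown cannot miss it.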