Date: Sat, 28 Mar 2020 19:12:59 +0100
From: Sam Ravnborg
To: Qiujun Huang
Cc: b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, maarten.lankhorst@linux.intel.com, daniel.thompson@linaro.org, ghalat@redhat.com, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] fbcon: fix null-ptr-deref in fbcon_switch
Message-ID: <20200328181259.GA24335@ravnborg.org>
References: <20200328151511.22932-1-hqjagain@gmail.com>
In-Reply-To: <20200328151511.22932-1-hqjagain@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Qiujun

Thanks for looking into the syzbot bugs.

On Sat, Mar 28, 2020 at 11:15:10PM +0800, Qiujun Huang wrote:
> Add check for vc_cons[logo_shown].d, as it can be released by
> vt_ioctl(VT_DISALLOCATE).
>
> Reported-by: syzbot+732528bae351682f1f27@syzkaller.appspotmail.com
> Signed-off-by: Qiujun Huang
> ---
> drivers/video/fbdev/core/fbcon.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> index bb6ae995c2e5..7ee0f7b55829 100644
> --- a/drivers/video/fbdev/core/fbcon.c
> +++ b/drivers/video/fbdev/core/fbcon.c
> @@ -2254,7 +2254,7 @@ static int fbcon_switch(struct vc_data *vc)
> fbcon_update_softback(vc);
> }
>
> - if (logo_shown >= 0) {
> + if (logo_shown >= 0 && vc_cons_allocated(logo_shown)) {
> struct vc_data *conp2 = vc_cons[logo_shown].d;
>
> if (conp2->vc_top == logo_lines
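Review bot: the `vc_cons_allocated(logo_shown)` guard added to the `if` in fbcon_switch() stops the NULL dereference of `vc_cons[logo_shown].d`, but it leaves `logo_shown` holding the index of a console that has already been released, so the stale value survives the VT_DISALLOCATE and every reader of `vc_cons[logo_shown].d` has to repeat the same guard. Clearing `logo_shown` at the point where the console is torn down (the con_deinit hook, when the console being deinitialised is the one `logo_shown` names) removes the stale state at its source and would let this condition stay as `if (logo_shown >= 0) {`. Separately, the hunk adds no include, so please confirm `vc_cons_allocated()` is already declared for fbcon.c in the configurations where fbcon is built.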
> @@ -2852,7 +2852,7 @@ static void fbcon_scrolldelta(struct vc_data *vc, int lines)
> return;
> if (vc->vc_mode != KD_TEXT || !lines)
> return;
> - if (logo_shown >= 0) {
> + if (logo_shown >= 0 && vc_cons_allocated(logo_shown)) {
> struct vc_data *conp2 = vc_cons[logo_shown].d;
>
> if (conp2->vc_top == logo_lines

I am not familiar with this code.
But it looks like you try to avoid the symptom, which is that
logo_shown has a wrong value after a vc is deallocated,
and do not fix the root cause.

We have:
vt_ioctl(VT_DISALLOCATE)
  |
  +- vc_deallocate()
       |
       +- visual_deinit()
            |
            +- vc->vc_sw->con_deinit(vc)
                 |
                 +- fbcon_deinit()

Would it be better to update logo_shown in fbcon_deinit()?
Then we will not try to do anything with the logo in fbcon_switch().

fbcon_deinit() is called with console locked so there should not be any races.

I did not stare long enough at the code to come up with a patch,
but this may be a better way to fix it.

	Sam
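Review bot: this hunk changes fbcon_scrolldelta(), while the Subject ("fix null-ptr-deref in fbcon_switch") and the commit message name only fbcon_switch; the commit message should say that both readers of `vc_cons[logo_shown].d` are covered, and whether the syzbot reproducer reached the scrolldelta path or it was fixed by inspection. The guard is also a verbatim copy of the one in the fbcon_switch hunk; a single reset of `logo_shown` when its console is deallocated would cover both sites, and any other reader, without repeating the check.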
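The symptom-versus-root-cause distinction drawn in the reply above, as an added C model that is not part of the patch, the mail thread or the kernel. It mirrors the `vc_cons[]` array, the global `logo_shown` index, `vc_cons_allocated()` and the deallocate path on user-space structs so the three variants can be compared: the code before the patch, the patch's guard at the reader, and clearing `logo_shown` in the deinit hook. `MAX_NR_CONSOLES`, the `FBCON_LOGO_CANSHOW` sentinel and the shape of the logo block are assumptions taken from memory of fbcon.c and vt.c, not from the mail; the scenario functions are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example, not kernel code. Names mirror fbcon.c/vt.c; the values
 * below are assumed from memory of those files, not taken from the mail. */
#define MAX_NR_CONSOLES 63
#define FBCON_LOGO_CANSHOW (-1)

struct vc_data {
	int vc_num;
	int vc_top;
};

struct vc {
	struct vc_data *d;
};

static struct vc vc_cons[MAX_NR_CONSOLES];
static int logo_shown = FBCON_LOGO_CANSHOW;
static const int logo_lines = 4;

enum fix {
	FIX_NONE,            /* code as it was before the patch */
	FIX_CHECK_ALLOCATED, /* the patch: guard the reader */
	FIX_CLEAR_ON_DEINIT, /* the reply: clear logo_shown in the deinit hook */
};

enum sw_result {
	SW_NO_LOGO,    /* logo block skipped */
	SW_NULL_DEREF, /* would have dereferenced vc_cons[logo_shown].d == NULL */
	SW_LOGO_RESET, /* logo block ran against vc_cons[logo_shown].d */
};

static int vc_cons_allocated(int i)
{
	return i >= 0 && i < MAX_NR_CONSOLES && vc_cons[i].d != NULL;
}

static struct vc_data *vc_allocate(int i)
{
	struct vc_data *vc = calloc(1, sizeof(*vc));

	if (!vc)
		abort();
	vc->vc_num = i;
	vc_cons[i].d = vc;
	return vc;
}

/* Stand-in for fbcon_deinit(), reached from vt_ioctl(VT_DISALLOCATE) via
 * vc_deallocate() -> visual_deinit() -> con_deinit(). The real hook runs
 * with the console locked, so clearing the global here is race-free. */
static void fbcon_deinit(struct vc_data *vc, enum fix fix)
{
	if (fix == FIX_CLEAR_ON_DEINIT && logo_shown == vc->vc_num)
		logo_shown = FBCON_LOGO_CANSHOW;
}

static void vc_deallocate(int i, enum fix fix)
{
	struct vc_data *vc = vc_cons[i].d;

	if (!vc)
		return;
	fbcon_deinit(vc, fix);
	vc_cons[i].d = NULL;
	free(vc);
}

/* The logo block of fbcon_switch(). A NULL dereference is reported as a
 * result code instead of crashing the model. */
static enum sw_result fbcon_switch_logo(enum fix fix)
{
	struct vc_data *conp2;

	if (logo_shown < 0)
		return SW_NO_LOGO;
	if (fix == FIX_CHECK_ALLOCATED && !vc_cons_allocated(logo_shown))
		return SW_NO_LOGO; /* avoids the crash, but logo_shown stays stale */
	conp2 = vc_cons[logo_shown].d;
	if (!conp2)
		return SW_NULL_DEREF;
	if (conp2->vc_top == logo_lines)
		conp2->vc_top = 0;
	logo_shown = FBCON_LOGO_CANSHOW;
	return SW_LOGO_RESET;
}

static void reset_model(void)
{
	int i;

	for (i = 0; i < MAX_NR_CONSOLES; i++)
		vc_deallocate(i, FIX_NONE);
	logo_shown = FBCON_LOGO_CANSHOW;
}

/* Constructed syzbot-style sequence: the logo is on console 1 and console 1
 * is then disallocated. */
static void setup_disallocate(enum fix fix)
{
	reset_model();
	vc_allocate(1)->vc_top = logo_lines;
	logo_shown = 1;
	vc_deallocate(1, fix);
}

static int logo_after_disallocate(enum fix fix)
{
	setup_disallocate(fix);
	return logo_shown;
}

static enum sw_result switch_after_disallocate(enum fix fix)
{
	setup_disallocate(fix);
	return fbcon_switch_logo(fix);
}

/* Console 1 is allocated again before the switch. The new console never
 * showed the logo; only the deinit fix keeps the switch from acting on it
 * through the stale index. */
static enum sw_result switch_after_reallocate(enum fix fix)
{
	setup_disallocate(fix);
	vc_allocate(1);
	return fbcon_switch_logo(fix);
}

int main(void)
{
	printf("no fix:        switch -> %d (1 = NULL deref)\n", switch_after_disallocate(FIX_NONE));
	printf("guard reader:  logo_shown after disallocate = %d\n", logo_after_disallocate(FIX_CHECK_ALLOCATED));
	printf("guard reader:  switch after reallocate -> %d (2 = acted on fresh vc)\n", switch_after_reallocate(FIX_CHECK_ALLOCATED));
	printf("clear in deinit: logo_shown after disallocate = %d\n", logo_after_disallocate(FIX_CLEAR_ON_DEINIT));
	printf("clear in deinit: switch after reallocate -> %d (0 = skipped)\n", switch_after_reallocate(FIX_CLEAR_ON_DEINIT));
	return 0;
}
```

The point the model makes is that the guard stops the crash but leaves `logo_shown` at 1 after the console is gone, so a later allocation of index 1 is treated as the logo console by the next switch; clearing the index in the deinit hook returns it to `FBCON_LOGO_CANSHOW` and the plain `logo_shown >= 0` test is then enough on its own.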