Date: Wed, 31 Mar 2021 19:32:06 +0200
From: Greg KH
To: Hassan Shahbazi
Cc: daniel.vetter@ffwll.ch, jirislaby@kernel.org, yepeilin.cs@gmail.com, linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] fix NULL pointer deference crash
In-Reply-To: <20210331163425.8092-1-h.shahbazi.git@gmail.com>

On Wed, Mar 31, 2021 at 07:34:29PM +0300, Hassan Shahbazi wrote:
> The patch has fixed a NULL pointer dereference crash in hiding the cursor. It
> is verified by syzbot patch tester.
>
> Reported by: syzbot
> https://syzkaller.appspot.com/bug?id=defb47bf56e1c14d5687280c7bb91ce7b608b94b
>
> Signed-off-by: Hassan Shahbazi
> ---
> drivers/video/fbdev/core/fbcon.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> index 44a5cd2f54cc..ee252d1c43c6 100644
> --- a/drivers/video/fbdev/core/fbcon.c
> +++ b/drivers/video/fbdev/core/fbcon.c
> @@ -1333,8 +1333,9 @@ static void fbcon_cursor(struct vc_data *vc, int mode)
>
> ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;
>
> - ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
> - get_color(vc, info, c, 0));
> + if (ops && ops->cursor)

As ops obviously is not NULL here (you just used it on the line above),
why are you checking it again?

And what makes cursor be NULL here? How can that happen?

Also your subject line can use some work, please make it reflect the
driver subsystem you are looking at.

thanks,

greg k-h
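
Review bot: the "ops &&" half of the added test "if (ops && ops->cursor)" cannot guard anything, because the unchanged context line "ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;" just above it in the same hunk already dereferences ops. If ops can really be NULL in fbcon_cursor(), the check has to sit before that assignment; if it cannot, drop it and test only ops->cursor. The commit message also does not say which pointer was NULL in the syzbot report or what path leaves ops->cursor unset, so skipping the call may only hide the state that caused the crash; state the pointer and the path in the changelog, and write the tag as "Reported-by:" rather than "Reported by:".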