linux/drivers/video/fbdev
Tetsuo Handa 376810e5e9 fbmem: pull fbcon_update_vcs() out of fb_set_var()
[ Upstream commit d88ca7e1a2 ]

syzbot is reporting OOB read bug in vc_do_resize() [1] caused by memcpy()
based on outdated old_{rows,row_size} values, for resize_screen() can
recurse into vc_do_resize() which changes vc->vc_{cols,rows} that outdates
old_{rows,row_size} values which were saved before calling resize_screen().

Daniel Vetter explained that resize_screen() should not recurse into
fbcon_update_vcs() path due to FBINFO_MISC_USEREVENT being still set
when calling resize_screen().

Instead of masking FBINFO_MISC_USEREVENT before calling fbcon_update_vcs(),
we can remove FBINFO_MISC_USEREVENT by calling fbcon_update_vcs() only if
fb_set_var() returned 0. This change assumes that it is harmless to call
fbcon_update_vcs() when fb_set_var() returned 0 without reaching
fb_notifier_call_chain().

[1] https://syzkaller.appspot.com/bug?id=c70c88cfd16dcf6e1d3c7f0ab8648b3144b5b25e

Reported-and-tested-by: syzbot <syzbot+c37a14770d51a085a520@syzkaller.appspotmail.com>
Suggested-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reported-by: kernel test robot <lkp@intel.com> for missing #include
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/075b7e37-3278-cd7d-31ab-c5073cfa8e92@i-love.sakura.ne.jp
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-09-03 11:27:09 +02:00
aty
core fbmem: pull fbcon_update_vcs() out of fb_set_var() 2020-09-03 11:27:09 +02:00
geode
i810
intelfb
kyro
matrox
mb862xx
mbx
mmp
nvidia
omap
omap2 omapfb: fix multiple reference count leaks due to pm_runtime_get_sync 2020-09-03 11:26:45 +02:00
riva
savage video: fbdev: savage: fix memory leak on error handling path in probe 2020-08-19 08:16:00 +02:00
sis
vermilion
via
68328fb.c
Kconfig
Makefile
acornfb.c
acornfb.h
amba-clcd.c
amifb.c
arcfb.c
arkfb.c
asiliantfb.c
atafb.c
atafb.h
atafb_iplan2p2.c
atafb_iplan2p4.c
atafb_iplan2p8.c
atafb_mfb.c
atafb_utils.h
atmel_lcdfb.c
au1100fb.c
au1100fb.h
au1200fb.c
au1200fb.h
broadsheetfb.c
bt431.h
bt455.h
bw2.c
c2p.h
c2p_core.h
c2p_iplan2.c
c2p_planar.c
carminefb.c
carminefb.h
carminefb_regs.h
cg3.c
cg6.c
cg14.c
chipsfb.c
cirrusfb.c
clps711x-fb.c
cobalt_lcdfb.c
controlfb.c
controlfb.h
cyber2000fb.c
cyber2000fb.h
da8xx-fb.c
dnfb.c
edid.h
efifb.c efi: avoid error message when booting under Xen 2020-08-26 10:41:04 +02:00
ep93xx-fb.c
fb-puv3.c
ffb.c
fm2fb.c
fsl-diu-fb.c
g364fb.c
gbefb.c
goldfishfb.c
grvga.c
gxt4500.c
hecubafb.c
hgafb.c
hitfb.c
hpfb.c
hyperv_fb.c
i740_reg.h
i740fb.c
imsttfb.c
imxfb.c
leo.c
macfb.c
macmodes.c
macmodes.h
maxinefb.c
metronomefb.c
mx3fb.c
n411.c
neofb.c video: fbdev: neofb: fix memory leak in neo_scan_monitor() 2020-08-19 08:16:00 +02:00
ocfb.c
offb.c
p9100.c
platinumfb.c
platinumfb.h
pm2fb.c
pm3fb.c
pmag-aa-fb.c
pmag-ba-fb.c
pmagb-b-fb.c
ps3fb.c fbmem: pull fbcon_update_vcs() out of fb_set_var() 2020-09-03 11:27:09 +02:00
pvr2fb.c
pxa3xx-gcu.c
pxa3xx-gcu.h
pxa168fb.c
pxa168fb.h
pxafb.c video: pxafb: Fix the function used to balance a 'dma_alloc_coherent()' call 2020-08-19 08:16:06 +02:00
pxafb.h
q40fb.c
s1d13xxxfb.c
s3c-fb.c
s3c2410fb.c
s3c2410fb.h
s3fb.c
sa1100fb.c
sa1100fb.h
sbuslib.c
sbuslib.h
sh7760fb.c
sh_mobile_lcdcfb.c
sh_mobile_lcdcfb.h
simplefb.c
skeletonfb.c
sm501fb.c
sm712.h
sm712fb.c video: fbdev: sm712fb: fix an issue about iounmap for a wrong address 2020-08-19 08:16:06 +02:00
smscufx.c
ssd1307fb.c
sstfb.c
sticore.h
stifb.c
sunxvr500.c
sunxvr1000.c
sunxvr2500.c
tcx.c
tdfxfb.c
tgafb.c
tmiofb.c
tridentfb.c
udlfb.c
uvesafb.c
valkyriefb.c
valkyriefb.h
vesafb.c
vfb.c
vga16fb.c
vt8500lcdfb.c video: vt8500lcdfb: fix fallthrough warning 2020-06-17 16:40:33 +02:00
vt8500lcdfb.h
vt8623fb.c
w100fb.c video: fbdev: w100fb: Fix a potential double free. 2020-06-17 16:40:33 +02:00
w100fb.h
wm8505fb.c
wm8505fb_regs.h
wmt_ge_rops.c
wmt_ge_rops.h
xen-fbfront.c
xilinxfb.c