linux_dsm_epyc7002/drivers/video/fbdev
Zhen Lei 087bff9acd fbmem: Do not delete the mode that is still in use
commit 0af778269a522c988ef0b4188556aba97fb420cc upstream.

The execution of fb_delete_videomode() is not based on the result of the
previous fbcon_mode_deleted(). As a result, the mode is directly deleted,
regardless of whether it is still in use, which may cause UAF.

==================================================================
BUG: KASAN: use-after-free in fb_mode_is_equal+0x36e/0x5e0 \
drivers/video/fbdev/core/modedb.c:924
Read of size 4 at addr ffff88807e0ddb1c by task syz-executor.0/18962

CPU: 2 PID: 18962 Comm: syz-executor.0 Not tainted 5.10.45-rc1+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ...
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x137/0x1be lib/dump_stack.c:118
 print_address_description+0x6c/0x640 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report+0x13d/0x1e0 mm/kasan/report.c:562
 fb_mode_is_equal+0x36e/0x5e0 drivers/video/fbdev/core/modedb.c:924
 fbcon_mode_deleted+0x16a/0x220 drivers/video/fbdev/core/fbcon.c:2746
 fb_set_var+0x1e1/0xdb0 drivers/video/fbdev/core/fbmem.c:975
 do_fb_ioctl+0x4d9/0x6e0 drivers/video/fbdev/core/fbmem.c:1108
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 18960:
 kasan_save_stack mm/kasan/common.c:48 [inline]
 kasan_set_track+0x3d/0x70 mm/kasan/common.c:56
 kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0x108/0x140 mm/kasan/common.c:422
 slab_free_hook mm/slub.c:1541 [inline]
 slab_free_freelist_hook+0xd6/0x1a0 mm/slub.c:1574
 slab_free mm/slub.c:3139 [inline]
 kfree+0xca/0x3d0 mm/slub.c:4121
 fb_delete_videomode+0x56a/0x820 drivers/video/fbdev/core/modedb.c:1104
 fb_set_var+0x1f3/0xdb0 drivers/video/fbdev/core/fbmem.c:978
 do_fb_ioctl+0x4d9/0x6e0 drivers/video/fbdev/core/fbmem.c:1108
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 13ff178ccd ("fbcon: Call fbcon_mode_deleted/new_modelist directly")
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Cc: <stable@vger.kernel.org> # v5.3+
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20210712085544.2828-1-thunder.leizhen@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-07-20 16:05:37 +02:00
aty fbdev: aty: remove CONFIG_PM container 2020-09-18 14:45:44 +02:00
core fbmem: Do not delete the mode that is still in use 2021-07-20 16:05:37 +02:00
geode fbdev: lxfb: use generic power management 2020-09-08 13:33:10 +02:00
i810 video: fbdev: i810: use true,false for bool variables 2020-05-06 19:29:10 +02:00
intelfb drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
kyro video: fbdev: kyro: remove set but not used 'ulCoreClock' 2020-09-08 13:33:31 +02:00
matrox treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
mb862xx video: fbdev: mb862xx: remove set but not used variable 'mdr' 2020-04-08 12:09:15 +02:00
mmp treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
nvidia Merge drm/drm-next into drm-misc-next 2020-09-14 18:11:40 +02:00
omap treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
omap2 omapfb: fix spelling mistake "propert" -> "property" 2020-09-08 13:33:05 +02:00
riva treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
savage fbdev: savagefb: use generic power management 2020-09-08 13:33:15 +02:00
sis Merge drm/drm-next into drm-misc-next 2020-09-14 18:11:40 +02:00
vermilion remove ioremap_nocache and devm_ioremap_nocache 2020-01-06 09:45:59 +01:00
via Merge drm/drm-next into drm-misc-next 2020-09-14 18:11:40 +02:00
68328fb.c video/fbdev/68328fb: Remove dead code 2020-01-03 14:27:43 +01:00
acornfb.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
acornfb.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
amba-clcd.c Partially revert "video: fbdev: amba-clcd: Retire elder CLCD driver" 2020-09-30 16:37:39 +02:00
amifb.c video: fbdev: amifb: add FIXMEs about {put,get}_user() failures 2020-07-10 16:17:20 +02:00
arcfb.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
arkfb.c fbdev: arkfb: use generic power management 2020-09-08 13:33:20 +02:00
asiliantfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
atafb_iplan2p2.c fbdev: atafb: Remove obsolete module support 2019-04-01 17:46:55 +02:00
atafb_iplan2p4.c fbdev: atafb: Remove obsolete module support 2019-04-01 17:46:55 +02:00
atafb_iplan2p8.c fbdev: atafb: Remove obsolete module support 2019-04-01 17:46:55 +02:00
atafb_mfb.c fbdev: atafb: Remove obsolete module support 2019-04-01 17:46:55 +02:00
atafb_utils.h
atafb.c mm: don't include asm/pgtable.h if linux/mm.h is already included 2020-06-09 09:39:13 -07:00
atafb.h
atmel_lcdfb.c video: fbdev: atmel_lcdfb: fix return error code in atmel_lcdfb_of_init() 2020-12-30 11:53:13 +01:00
au1100fb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
au1100fb.h au1100fb: fix DMA API abuse 2019-06-03 16:00:08 +02:00
au1200fb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
au1200fb.h
broadsheetfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
bt431.h
bt455.h
bw2.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
c2p_core.h fbdev: c2p: Use BUILD_BUG() instead of custom solution 2020-03-09 11:12:19 +01:00
c2p_iplan2.c
c2p_planar.c
c2p.h
carminefb_regs.h
carminefb.c drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
carminefb.h
cg3.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
cg6.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
cg14.c fbdev: cg14fb: use resource_size 2020-01-15 17:31:50 +01:00
chipsfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
cirrusfb.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
clps711x-fb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
cobalt_lcdfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
controlfb.c powerpc fixes for 5.9 #4 2020-08-30 10:56:12 -07:00
controlfb.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
cyber2000fb.c fbdev: cyber2000fb: use generic power management 2020-09-08 13:33:16 +02:00
cyber2000fb.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
da8xx-fb.c fbdev: da8xx-fb: go to proper label on error handling paths in probe 2020-07-10 16:17:28 +02:00
dnfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
edid.h
efifb.c efi: avoid error message when booting under Xen 2020-08-20 06:26:22 +02:00
ep93xx-fb.c video: fbdev: Replace HTTP links with HTTPS ones 2020-07-20 11:47:29 +02:00
ffb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
fm2fb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
fsl-diu-fb.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
g364fb.c fbdev/g364fb: Fix build failure 2020-02-19 10:58:22 -08:00
gbefb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
goldfishfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
grvga.c video: fbdev: Replace HTTP links with HTTPS ones 2020-07-20 11:47:29 +02:00
gxt4500.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
hecubafb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
hgafb.c video: hgafb: correctly handle card detect failure during probe 2021-05-26 12:06:57 +02:00
hitfb.c mm: don't include asm/pgtable.h if linux/mm.h is already included 2020-06-09 09:39:13 -07:00
hpfb.c maccess: rename probe_kernel_{read,write} to copy_{from,to}_kernel_nofault 2020-06-17 10:57:41 -07:00
hyperv_fb.c video: hyperv_fb: Fix a double free in hvfb_probe 2021-04-07 15:00:11 +02:00
i740_reg.h
i740fb.c fbdev: i740fb: use generic power management 2020-09-08 13:33:17 +02:00
imsttfb.c Revert "video: imsttfb: fix potential NULL pointer dereferences" 2021-05-26 12:06:54 +02:00
imxfb.c video: fbdev: imxfb: Fix an error message 2021-07-14 16:56:15 +02:00
Kconfig fbdev: aty: SPARC64 requires FB_ATY_CT 2021-03-04 11:37:36 +01:00
leo.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
macfb.c video: fbdev: Replace HTTP links with HTTPS ones 2020-07-20 11:47:29 +02:00
macmodes.c
macmodes.h
Makefile drm next for 5.10-rc1 2020-10-15 10:46:16 -07:00
maxinefb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
metronomefb.c video: fbdev: Replace HTTP links with HTTPS ones 2020-07-20 11:47:29 +02:00
mx3fb.c fbdev: mx3fb: const pointer to ipu_di_signal_cfg 2020-04-12 22:09:35 +02:00
n411.c
neofb.c video: fbdev: neofb: fix memory leak in neo_scan_monitor() 2020-07-10 16:17:24 +02:00
ocfb.c video: ocfb: Use devm_platform_ioremap_resource() in ocfb_probe() 2020-01-03 14:27:49 +01:00
offb.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
p9100.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
platinumfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
platinumfb.h
pm2fb.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
pm3fb.c treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
pmag-aa-fb.c drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
pmag-ba-fb.c drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
pmagb-b-fb.c drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
ps3fb.c fbmem: pull fbcon_update_vcs() out of fb_set_var() 2020-08-04 07:37:23 +02:00
pvr2fb.c video: fbdev: pvr2fb: initialize variables 2020-08-05 19:47:22 +02:00
pxa3xx-gcu.c misc: cleanup minor number definitions in c file into miscdevice.h 2020-03-18 12:27:03 +01:00
pxa3xx-gcu.h
pxa168fb.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
pxa168fb.h
pxafb.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
pxafb.h video: pxafb: Remove cpufreq policy notifier 2019-08-26 10:02:02 +02:00
q40fb.c mm: don't include asm/pgtable.h if linux/mm.h is already included 2020-06-09 09:39:13 -07:00
s1d13xxxfb.c fbdev: s1d13xxxfb: add missed unregister_framebuffer in remove 2020-04-17 15:50:12 +02:00
s3c2410fb-regs-lcd.h fbdev: s3c2410fb: remove mach header dependency 2020-08-20 17:48:12 +02:00
s3c2410fb.c fbdev: s3c2410fb: remove mach header dependency 2020-08-20 17:48:12 +02:00
s3c2410fb.h
s3c-fb.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
s3fb.c fbdev: s3fb: use generic power management 2020-09-08 13:33:19 +02:00
sa1100fb.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
sa1100fb.h ARM/fbdev: sa11x0: Switch to use GPIO descriptors 2020-04-17 15:50:11 +02:00
sbuslib.c fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper() 2018-10-08 12:57:36 +02:00
sbuslib.h
sh7760fb.c drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
sh_mobile_lcdcfb.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
sh_mobile_lcdcfb.h fbdev/sh_mobile: remove sh_mobile_lcdc_display_notify 2019-06-12 20:28:11 +02:00
simplefb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
skeletonfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
sm501fb.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
sm712.h fbdev: sm712fb: use 1024x768 by default on non-MIPS, fix garbled display 2019-04-01 17:46:59 +02:00
sm712fb.c fbdev: sm712fb: handle ioremap() errors in probe 2020-09-08 13:33:02 +02:00
smscufx.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
ssd1307fb.c video: fbdev: ssd1307fb: Added support to Column offset 2020-09-08 13:33:03 +02:00
sstfb.c video: fbdev: sstfb: replace spurious snprintf() with sprintf() 2020-09-08 13:33:24 +02:00
sticore.h parisc/sticon: Add user font support 2020-10-15 08:12:59 +02:00
stifb.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
sunxvr500.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
sunxvr1000.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
sunxvr2500.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
tcx.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
tdfxfb.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
tgafb.c video: fbdev: tgafb: Avoid comma separated statements 2020-09-08 13:33:25 +02:00
tmiofb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
tridentfb.c drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
udlfb.c udlfb: Fix memory leak in dlfb_usb_probe 2021-03-07 12:34:04 +01:00
uvesafb.c video: fbdev: uvesafb: fix "noblank" option handling 2020-06-21 09:58:55 +02:00
valkyriefb.c video: fbdev: valkyriefb.c: fix warning comparing pointer to 0 2020-05-06 21:04:45 +02:00
valkyriefb.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
vesafb.c video: fbdev: vesafb: add missed release_region 2020-04-17 15:50:14 +02:00
vfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00
vga16fb.c Merge drm/drm-next into drm-misc-next 2020-09-14 18:11:40 +02:00
vt8500lcdfb.c video: vt8500lcdfb: fix fallthrough warning 2020-04-17 15:50:08 +02:00
vt8500lcdfb.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282 2019-06-05 17:36:37 +02:00
vt8623fb.c fbdev: vt8623fb: use generic power management 2020-09-08 13:33:18 +02:00
w100fb.c video: fbdev: w100fb: Fix a potential double free. 2020-05-06 20:22:25 +02:00
w100fb.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
wm8505fb_regs.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282 2019-06-05 17:36:37 +02:00
wm8505fb.c video: fbdev: wm8505fb: fix sparse warnings about using incorrect types 2020-03-02 16:32:04 +01:00
wmt_ge_rops.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282 2019-06-05 17:36:37 +02:00
wmt_ge_rops.h
xen-fbfront.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
xilinxfb.c video: constify fb ops across all drivers 2019-12-05 10:57:53 +02:00