redonkable
/
alistair23-linux
1
0
Fork 0
Code Releases Activity
alistair23-linux/drivers
History
Tetsuo Handa 376810e5e9 fbmem: pull fbcon_update_vcs() out of fb_set_var() 
[ Upstream commit d88ca7e1a2 ]

syzbot is reporting OOB read bug in vc_do_resize() [1] caused by memcpy()
based on outdated old_{rows,row_size} values, for resize_screen() can
recurse into vc_do_resize() which changes vc->vc_{cols,rows} that outdates
old_{rows,row_size} values which were saved before calling resize_screen().

Daniel Vetter explained that resize_screen() should not recurse into
fbcon_update_vcs() path due to FBINFO_MISC_USEREVENT being still set
when calling resize_screen().

Instead of masking FBINFO_MISC_USEREVENT before calling fbcon_update_vcs(),
we can remove FBINFO_MISC_USEREVENT by calling fbcon_update_vcs() only if
fb_set_var() returned 0. This change assumes that it is harmless to call
fbcon_update_vcs() when fb_set_var() returned 0 without reaching
fb_notifier_call_chain().

[1] https://syzkaller.appspot.com/bug?id=c70c88cfd16dcf6e1d3c7f0ab8648b3144b5b25e

Reported-and-tested-by: syzbot <syzbot+c37a14770d51a085a520@syzkaller.appspotmail.com>
Suggested-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reported-by: kernel test robot <lkp@intel.com> for missing #include
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/075b7e37-3278-cd7d-31ab-c5073cfa8e92@i-love.sakura.ne.jp
Signed-off-by: Sasha Levin <sashal@kernel.org>
 		2020-09-03 11:27:09 +02:00
..
accessibility
acpi ACPICA: Do not increment operation_region reference counts for field units 2020-08-19 08:16:05 +02:00
amba
android binder: Prevent context manager from incrementing ref 0 2020-08-11 15:33:35 +02:00
ata ata/libata: Fix usage of page address by page_address in ata_scsi_mode_select_xlat function 2020-06-30 15:37:03 -04:00
atm atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent 2020-08-11 15:33:38 +02:00
auxdisplay
base device property: Fix the secondary firmware node handling in set_primary_fwnode() 2020-09-03 11:27:05 +02:00
bcma
block block: loop: set discard granularity and alignment for block device backed loop 2020-09-03 11:27:01 +02:00
bluetooth Bluetooth: hci_serdev: Only unregister device if it was registered 2020-08-19 08:16:16 +02:00
bus bus: ti-sysc: Add missing quirk flags for usb_host_hs 2020-08-19 08:16:00 +02:00
cdrom
char tpm: Unify the mismatching TPM space buffer sizes 2020-08-19 08:16:27 +02:00
clk clk: bcm2835: Do not use prediv with bcm2711's PLLs 2020-08-21 13:05:35 +02:00
clocksource arm64: arch_timer: Disable the compat vdso for cores affected by ARM64_WORKAROUND_1418040 2020-07-22 09:32:51 +02:00
connector
counter counter: 104-quad-8: Add lock guards - generic interface 2020-05-02 08:48:44 +02:00
cpufreq cpufreq: intel_pstate: Fix EPP setting via sysfs in active mode 2020-09-03 11:26:53 +02:00
cpuidle cpuidle: Fix three reference count leaks 2020-06-22 09:31:10 +02:00
crypto crypto: caam - Remove broken arc4 support 2020-08-21 13:05:32 +02:00
dax device-dax: don't leak kernel memory to user space after unloading kmem 2020-05-27 17:46:48 +02:00
dca
devfreq PM / devfreq: rk3399_dmc: Fix kernel oops when rockchip,pmu is absent 2020-09-03 11:26:50 +02:00
dio
dma dmaengine: ioat setting ioat timeout as module parameter 2020-07-29 10:18:37 +02:00
dma-buf dmabuf: use spinlock to access dmabuf->name 2020-07-29 10:18:29 +02:00
edac EDAC/{i7core,sb,pnd2,skx}: Fix error event severity 2020-09-03 11:26:53 +02:00
eisa
extcon extcon: adc-jack: Fix an error handling path in 'adc_jack_probe()' 2020-06-24 17:50:36 +02:00
firewire
firmware efi: add missed destroy_workqueue when efisubsys_init fails 2020-08-26 10:41:07 +02:00
fpga fpga: dfl: fix bug in port reset handshake 2020-07-29 10:18:31 +02:00
fsi
gnss gnss: sirf: fix error return code in sirf_probe() 2020-06-22 09:31:20 +02:00
gpio gpio: arizona: put pm_runtime in case of failure 2020-07-29 10:18:26 +02:00
gpu drm/i915: Fix cmd parser desc matching with masks 2020-09-03 11:27:09 +02:00
greybus
hid HID: i2c-hid: Always sleep 60ms after I2C_HID_PWR_ON commands 2020-09-03 11:27:01 +02:00
hsi
hv Drivers: hv: vmbus: Ignore CHANNELMSG_TL_CONNECT_RESULT(23) 2020-08-11 15:33:38 +02:00
hwmon hwmon: (nct7904) Correct divide by 0 2020-09-03 11:26:54 +02:00
hwspinlock
hwtracing coresight: tmc: Fix TMC mode read in tmc_read_unprepare_etb() 2020-08-19 08:16:14 +02:00
i2c i2c: rcar: in slave mode, clear NACK earlier 2020-09-03 11:26:55 +02:00
i3c
ide ide: serverworks: potential overflow in svwks_set_pio_mode() 2020-02-24 08:36:53 +01:00
idle
iio iio: dac: ad5592r: fix unbalanced mutex unlocks in ad5592r_read_raw() 2020-08-21 13:05:24 +02:00
infiniband RDMA/bnxt_re: Do not add user qps to flushlist 2020-08-26 10:41:05 +02:00
input Input: psmouse - add a newline when printing 'proto' by sysfs 2020-08-26 10:40:55 +02:00
interconnect
iommu iommu/iova: Don't BUG on invalid PFNs 2020-09-03 11:26:43 +02:00
ipack ipack: tpci200: fix error return code in tpci200_register() 2020-05-27 17:46:47 +02:00
irqchip irqchip/stm32-exti: Avoid losing interrupts due to clearing pending bits by mistake 2020-09-03 11:27:06 +02:00
isdn
leds leds: core: Flush scheduled work for system suspend 2020-08-19 08:16:11 +02:00
lightnvm
macintosh macintosh/via-macii: Access autopoll_devs when inside lock 2020-08-19 08:16:15 +02:00
mailbox mailbox: zynqmp-ipi: Fix NULL vs IS_ERR() check in zynqmp_ipi_mbox_probe() 2020-06-24 17:50:36 +02:00
mcb
md bcache: avoid nr_stripes overflow in bcache_device_init() 2020-08-26 10:40:48 +02:00
media media: gpio-ir-tx: improve precision of transmitted signal due to scheduling 2020-09-03 11:26:53 +02:00
memory
memstick
message scsi: mptscsih: Fix read sense data size 2020-07-16 08:16:36 +02:00
mfd mfd: intel-lpss: Add Intel Tiger Lake PCH-H PCI IDs 2020-09-03 11:26:43 +02:00
misc cxl: Fix kobject memleak 2020-08-19 08:16:08 +02:00
mmc mmc: renesas_sdhi_internal_dmac: clean up the code for dma complete 2020-08-21 13:05:32 +02:00
mtd mtd: rawnand: fsl_upm: Remove unused mtd var 2020-08-21 13:05:30 +02:00
mux
net net: gianfar: Add of_node_put() before goto statement 2020-09-03 11:27:00 +02:00
nfc nfc: s3fwrn5: add missing release on skb in s3fwrn5_recv_frame 2020-08-05 09:59:50 +02:00
ntb NTB: perf: Fix race condition when run with ntb_test 2020-06-24 17:50:41 +02:00
nubus
nvdimm libnvdimm/security: ensure sysfs poll thread woke up and fetch updated attr 2020-08-21 13:05:35 +02:00
nvme nvme: multipath: round-robin: fix single non-optimized path case 2020-09-03 11:26:55 +02:00
nvmem nvmem: qfprom: remove incorrect write support 2020-06-10 20:24:57 +02:00
of of: of_mdio: Correct loop scanning logic 2020-07-22 09:32:55 +02:00
opp opp: Enable resources again if they were disabled earlier 2020-08-26 10:40:53 +02:00
oprofile
parisc parisc: mask out enable and reserved bits from sba imask 2020-08-19 08:16:26 +02:00
parport
pci PCI: qcom: Add missing reset for ipq806x 2020-09-03 11:26:53 +02:00
pcmcia
perf drivers/perf: Prevent forced unbinding of PMU drivers 2020-07-29 10:18:40 +02:00
phy phy: armada-38x: fix NETA lockup when repeatedly switching speeds 2020-08-19 08:16:14 +02:00
pinctrl pinctrl: ingenic: Properly detect GPIO direction when configured for IRQ 2020-08-21 13:05:29 +02:00
platform platform/chrome: cros_ec_ishtp: Fix a double-unlock issue 2020-08-21 13:05:30 +02:00
pnp
power power: supply: check if calc_soc succeeded in pm860x_init_battery 2020-08-19 08:16:16 +02:00
powercap
pps
ps3
ptp
pwm pwm: bcm-iproc: handle clk_get_rate() return 2020-08-21 13:05:34 +02:00
rapidio rapidio: fix an error in get_user_pages_fast() error handling 2020-05-27 17:46:48 +02:00
ras
regulator regulator: fix memory leak on error path of regulator_register() 2020-08-19 08:15:57 +02:00
remoteproc remoteproc: qcom_q6v5_mss: Validate modem blob firmware size before load 2020-08-21 13:05:29 +02:00
reset reset: uniphier: Add SCSSI reset control for each channel 2020-02-24 08:36:41 +01:00
rpmsg
rtc rtc: goldfish: Enable interrupt in set_alarm() when necessary 2020-08-26 10:40:54 +02:00
s390 s390/cio: add cond_resched() in the slow_eval_known_fn() loop 2020-09-03 11:26:59 +02:00
sbus
scsi Revert "scsi: qla2xxx: Fix crash on qla2x00_mailbox_command" 2020-09-03 11:27:00 +02:00
sfi
sh
siox
slimbus slimbus: core: Fix mismatch in of_node_get/put 2020-07-22 09:33:08 +02:00
soc soc: qcom: rpmh-rsc: Set suppress_bind_attrs flag 2020-08-19 08:15:59 +02:00
soundwire soundwire: intel: fix memory leak with devm_kasprintf 2020-07-22 09:33:00 +02:00
spi spi: stm32: always perform registers configuration prior to transfer 2020-09-03 11:26:58 +02:00
spmi spmi: pmic-arb: Set lockdep class for hierarchical irq domains 2020-02-19 19:53:07 +01:00
ssb
staging staging: rtl8192u: fix a dubious looking mask before a shift 2020-08-19 08:16:13 +02:00
target scsi: target: Fix xcopy sess release leak 2020-09-03 11:26:44 +02:00
tc
tee tee: optee: Fix compilation issue with nommu 2020-02-05 21:22:49 +00:00
thermal thermal: ti-soc-thermal: Fix reversed condition in ti_thermal_expose_sensor() 2020-08-19 08:16:14 +02:00
thunderbolt thunderbolt: Prevent crash if non-active NVMem file is read 2020-02-28 17:22:13 +01:00
tty serial: 8250: change lock order in serial8250_do_startup() 2020-09-03 11:27:04 +02:00
uio uio_pdrv_genirq: fix use without device tree and no interrupt 2020-07-22 09:33:13 +02:00
usb usb: dwc3: gadget: Handle ZLP for sg requests 2020-09-03 11:27:09 +02:00
vfio vfio/type1: Add proper error unwind for vfio_iommu_replay() 2020-08-26 10:41:03 +02:00
vhost vhost/scsi: fix up req type endian-ness 2020-08-05 09:59:42 +02:00
video fbmem: pull fbcon_update_vcs() out of fb_set_var() 2020-09-03 11:27:09 +02:00
virt virt: vbox: Fix guest capabilities mask check 2020-07-22 09:33:11 +02:00
virtio virtio_ring: Avoid loop when vq is broken in virtqueue_poll 2020-08-26 10:40:57 +02:00
visorbus visorbus: fix uninitialized variable access 2020-02-24 08:36:47 +01:00
vlynq
vme vme: bridges: reduce stack usage 2020-02-24 08:36:48 +01:00
w1 w1: omap-hdq: cleanup to add missing newline for some dev_dbg 2020-06-22 09:31:26 +02:00
watchdog watchdog: initialize device before misc_register 2020-08-21 13:05:36 +02:00
xen XEN uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information. 2020-09-03 11:27:04 +02:00
zorro
Kconfig
Makefile