* [PATCH] fix NULL pointer deference crash
@ 2021-03-31 16:34 ` Hassan Shahbazi
0 siblings, 0 replies; 13+ messages in thread
From: Hassan Shahbazi @ 2021-03-31 16:34 UTC (permalink / raw)
To: gregkh, daniel.vetter, jirislaby, yepeilin.cs
Cc: linux-fbdev, dri-devel, linux-kernel, Hassan Shahbazi
The patch has fixed a NULL pointer deference crash in hiding the cursor. It
is verified by syzbot patch tester.
Reported by: syzbot
https://syzkaller.appspot.com/bug?id=defb47bf56e1c14d5687280c7bb91ce7b608b94b
Signed-off-by: Hassan Shahbazi <h.shahbazi.git@gmail.com>
---
drivers/video/fbdev/core/fbcon.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index 44a5cd2f54cc..ee252d1c43c6 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -1333,8 +1333,9 @@ static void fbcon_cursor(struct vc_data *vc, int mode)
ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;
- ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
- get_color(vc, info, c, 0));
+ if (ops && ops->cursor)
+ ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
+ get_color(vc, info, c, 0));
}
static int scrollback_phys_max = 0;
--
2.26.3
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH] fix NULL pointer deference crash
@ 2021-03-31 16:34 ` Hassan Shahbazi
0 siblings, 0 replies; 13+ messages in thread
From: Hassan Shahbazi @ 2021-03-31 16:34 UTC (permalink / raw)
To: gregkh, daniel.vetter, jirislaby, yepeilin.cs
Cc: Hassan Shahbazi, linux-fbdev, linux-kernel, dri-devel
The patch has fixed a NULL pointer deference crash in hiding the cursor. It
is verified by syzbot patch tester.
Reported by: syzbot
https://syzkaller.appspot.com/bug?id=defb47bf56e1c14d5687280c7bb91ce7b608b94b
Signed-off-by: Hassan Shahbazi <h.shahbazi.git@gmail.com>
---
drivers/video/fbdev/core/fbcon.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index 44a5cd2f54cc..ee252d1c43c6 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -1333,8 +1333,9 @@ static void fbcon_cursor(struct vc_data *vc, int mode)
ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;
- ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
- get_color(vc, info, c, 0));
+ if (ops && ops->cursor)
+ ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
+ get_color(vc, info, c, 0));
}
static int scrollback_phys_max = 0;
--
2.26.3
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply related [flat|nested] 13+ messages in thread
* Re: [PATCH] fix NULL pointer deference crash
2021-03-31 16:34 ` Hassan Shahbazi
@ 2021-03-31 17:32 ` Greg KH
-1 siblings, 0 replies; 13+ messages in thread
From: Greg KH @ 2021-03-31 17:32 UTC (permalink / raw)
To: Hassan Shahbazi
Cc: daniel.vetter, jirislaby, yepeilin.cs, linux-fbdev, dri-devel,
linux-kernel
On Wed, Mar 31, 2021 at 07:34:29PM +0300, Hassan Shahbazi wrote:
> The patch has fixed a NULL pointer deference crash in hiding the cursor. It
> is verified by syzbot patch tester.
>
> Reported by: syzbot
> https://syzkaller.appspot.com/bug?id=defb47bf56e1c14d5687280c7bb91ce7b608b94b
>
> Signed-off-by: Hassan Shahbazi <h.shahbazi.git@gmail.com>
> ---
> drivers/video/fbdev/core/fbcon.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> index 44a5cd2f54cc..ee252d1c43c6 100644
> --- a/drivers/video/fbdev/core/fbcon.c
> +++ b/drivers/video/fbdev/core/fbcon.c
> @@ -1333,8 +1333,9 @@ static void fbcon_cursor(struct vc_data *vc, int mode)
>
> ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;
>
> - ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
> - get_color(vc, info, c, 0));
> + if (ops && ops->cursor)
As ops obviously is not NULL here (you just used it on the line above),
why are you checking it again?
And what makes curser be NULL here? How can that happen?
Also your subject line can use some work, please make it reflect the
driver subsystem you are looking at.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] fix NULL pointer deference crash
@ 2021-03-31 17:32 ` Greg KH
0 siblings, 0 replies; 13+ messages in thread
From: Greg KH @ 2021-03-31 17:32 UTC (permalink / raw)
To: Hassan Shahbazi
Cc: linux-fbdev, daniel.vetter, linux-kernel, dri-devel, jirislaby,
yepeilin.cs
On Wed, Mar 31, 2021 at 07:34:29PM +0300, Hassan Shahbazi wrote:
> The patch has fixed a NULL pointer deference crash in hiding the cursor. It
> is verified by syzbot patch tester.
>
> Reported by: syzbot
> https://syzkaller.appspot.com/bug?id=defb47bf56e1c14d5687280c7bb91ce7b608b94b
>
> Signed-off-by: Hassan Shahbazi <h.shahbazi.git@gmail.com>
> ---
> drivers/video/fbdev/core/fbcon.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> index 44a5cd2f54cc..ee252d1c43c6 100644
> --- a/drivers/video/fbdev/core/fbcon.c
> +++ b/drivers/video/fbdev/core/fbcon.c
> @@ -1333,8 +1333,9 @@ static void fbcon_cursor(struct vc_data *vc, int mode)
>
> ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;
>
> - ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
> - get_color(vc, info, c, 0));
> + if (ops && ops->cursor)
As ops obviously is not NULL here (you just used it on the line above),
why are you checking it again?
And what makes curser be NULL here? How can that happen?
Also your subject line can use some work, please make it reflect the
driver subsystem you are looking at.
thanks,
greg k-h
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] fix NULL pointer deference crash
2021-03-31 17:32 ` Greg KH
@ 2021-04-01 6:21 ` Hassan Shahbazi
-1 siblings, 0 replies; 13+ messages in thread
From: Hassan Shahbazi @ 2021-04-01 6:21 UTC (permalink / raw)
To: Greg KH
Cc: daniel.vetter, jirislaby, yepeilin.cs, linux-fbdev, dri-devel,
linux-kernel, h.shahbazi.git
On Wed, Mar 31, 2021 at 07:32:06PM +0200, Greg KH wrote:
> On Wed, Mar 31, 2021 at 07:34:29PM +0300, Hassan Shahbazi wrote:
> > The patch has fixed a NULL pointer deference crash in hiding the cursor. It
> > is verified by syzbot patch tester.
> >
> > Reported by: syzbot
> > https://syzkaller.appspot.com/bug?id=defb47bf56e1c14d5687280c7bb91ce7b608b94b
> >
> > Signed-off-by: Hassan Shahbazi <h.shahbazi.git@gmail.com>
> > ---
> > drivers/video/fbdev/core/fbcon.c | 5 +++--
> > 1 file changed, 3 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> > index 44a5cd2f54cc..ee252d1c43c6 100644
> > --- a/drivers/video/fbdev/core/fbcon.c
> > +++ b/drivers/video/fbdev/core/fbcon.c
> > @@ -1333,8 +1333,9 @@ static void fbcon_cursor(struct vc_data *vc, int mode)
> >
> > ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;
> >
> > - ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
> > - get_color(vc, info, c, 0));
> > + if (ops && ops->cursor)
>
> As ops obviously is not NULL here (you just used it on the line above),
> why are you checking it again?
Yes, that's right. I will remove that check and will submit a new patch.
> And what makes curser be NULL here? How can that happen?
Honestly, I don't know. I reproduced the crash on my local, followed the
stack trace, and then changed the line to avoid the crash. If you think this
patch is not the best solution, I can drop it and investigate more to find
the root cause.
> Also your subject line can use some work, please make it reflect the
> driver subsystem you are looking at.
This was a mistake, I did not intend to change the subject. I will ensure
the next patch reflects the subsystem.
> thanks,
>
> greg k-h
Best,
Hassan Shahbazi
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] fix NULL pointer deference crash
@ 2021-04-01 6:21 ` Hassan Shahbazi
0 siblings, 0 replies; 13+ messages in thread
From: Hassan Shahbazi @ 2021-04-01 6:21 UTC (permalink / raw)
To: Greg KH
Cc: linux-fbdev, daniel.vetter, linux-kernel, dri-devel,
h.shahbazi.git, jirislaby, yepeilin.cs
On Wed, Mar 31, 2021 at 07:32:06PM +0200, Greg KH wrote:
> On Wed, Mar 31, 2021 at 07:34:29PM +0300, Hassan Shahbazi wrote:
> > The patch has fixed a NULL pointer deference crash in hiding the cursor. It
> > is verified by syzbot patch tester.
> >
> > Reported by: syzbot
> > https://syzkaller.appspot.com/bug?id=defb47bf56e1c14d5687280c7bb91ce7b608b94b
> >
> > Signed-off-by: Hassan Shahbazi <h.shahbazi.git@gmail.com>
> > ---
> > drivers/video/fbdev/core/fbcon.c | 5 +++--
> > 1 file changed, 3 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> > index 44a5cd2f54cc..ee252d1c43c6 100644
> > --- a/drivers/video/fbdev/core/fbcon.c
> > +++ b/drivers/video/fbdev/core/fbcon.c
> > @@ -1333,8 +1333,9 @@ static void fbcon_cursor(struct vc_data *vc, int mode)
> >
> > ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;
> >
> > - ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
> > - get_color(vc, info, c, 0));
> > + if (ops && ops->cursor)
>
> As ops obviously is not NULL here (you just used it on the line above),
> why are you checking it again?
Yes, that's right. I will remove that check and will submit a new patch.
> And what makes curser be NULL here? How can that happen?
Honestly, I don't know. I reproduced the crash on my local, followed the
stack trace, and then changed the line to avoid the crash. If you think this
patch is not the best solution, I can drop it and investigate more to find
the root cause.
> Also your subject line can use some work, please make it reflect the
> driver subsystem you are looking at.
This was a mistake, I did not intend to change the subject. I will ensure
the next patch reflects the subsystem.
> thanks,
>
> greg k-h
Best,
Hassan Shahbazi
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] fix NULL pointer deference crash
2021-04-01 6:21 ` Hassan Shahbazi
@ 2021-04-01 6:54 ` Greg KH
-1 siblings, 0 replies; 13+ messages in thread
From: Greg KH @ 2021-04-01 6:54 UTC (permalink / raw)
To: Hassan Shahbazi
Cc: daniel.vetter, jirislaby, yepeilin.cs, linux-fbdev, dri-devel,
linux-kernel
On Thu, Apr 01, 2021 at 09:21:54AM +0300, Hassan Shahbazi wrote:
> On Wed, Mar 31, 2021 at 07:32:06PM +0200, Greg KH wrote:
> > On Wed, Mar 31, 2021 at 07:34:29PM +0300, Hassan Shahbazi wrote:
> > > The patch has fixed a NULL pointer deference crash in hiding the cursor. It
> > > is verified by syzbot patch tester.
> > >
> > > Reported by: syzbot
> > > https://syzkaller.appspot.com/bug?id=defb47bf56e1c14d5687280c7bb91ce7b608b94b
> > >
> > > Signed-off-by: Hassan Shahbazi <h.shahbazi.git@gmail.com>
> > > ---
> > > drivers/video/fbdev/core/fbcon.c | 5 +++--
> > > 1 file changed, 3 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> > > index 44a5cd2f54cc..ee252d1c43c6 100644
> > > --- a/drivers/video/fbdev/core/fbcon.c
> > > +++ b/drivers/video/fbdev/core/fbcon.c
> > > @@ -1333,8 +1333,9 @@ static void fbcon_cursor(struct vc_data *vc, int mode)
> > >
> > > ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;
> > >
> > > - ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
> > > - get_color(vc, info, c, 0));
> > > + if (ops && ops->cursor)
> >
> > As ops obviously is not NULL here (you just used it on the line above),
> > why are you checking it again?
>
> Yes, that's right. I will remove that check and will submit a new patch.
>
>
> > And what makes curser be NULL here? How can that happen?
>
> Honestly, I don't know. I reproduced the crash on my local, followed the
> stack trace, and then changed the line to avoid the crash. If you think this
> patch is not the best solution, I can drop it and investigate more to find
> the root cause.
Finding the root cause would be good to do here, so that we can
potentially fix that if it is needed.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] fix NULL pointer deference crash
@ 2021-04-01 6:54 ` Greg KH
0 siblings, 0 replies; 13+ messages in thread
From: Greg KH @ 2021-04-01 6:54 UTC (permalink / raw)
To: Hassan Shahbazi
Cc: linux-fbdev, daniel.vetter, linux-kernel, dri-devel, jirislaby,
yepeilin.cs
On Thu, Apr 01, 2021 at 09:21:54AM +0300, Hassan Shahbazi wrote:
> On Wed, Mar 31, 2021 at 07:32:06PM +0200, Greg KH wrote:
> > On Wed, Mar 31, 2021 at 07:34:29PM +0300, Hassan Shahbazi wrote:
> > > The patch has fixed a NULL pointer deference crash in hiding the cursor. It
> > > is verified by syzbot patch tester.
> > >
> > > Reported by: syzbot
> > > https://syzkaller.appspot.com/bug?id=defb47bf56e1c14d5687280c7bb91ce7b608b94b
> > >
> > > Signed-off-by: Hassan Shahbazi <h.shahbazi.git@gmail.com>
> > > ---
> > > drivers/video/fbdev/core/fbcon.c | 5 +++--
> > > 1 file changed, 3 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> > > index 44a5cd2f54cc..ee252d1c43c6 100644
> > > --- a/drivers/video/fbdev/core/fbcon.c
> > > +++ b/drivers/video/fbdev/core/fbcon.c
> > > @@ -1333,8 +1333,9 @@ static void fbcon_cursor(struct vc_data *vc, int mode)
> > >
> > > ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;
> > >
> > > - ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
> > > - get_color(vc, info, c, 0));
> > > + if (ops && ops->cursor)
> >
> > As ops obviously is not NULL here (you just used it on the line above),
> > why are you checking it again?
>
> Yes, that's right. I will remove that check and will submit a new patch.
>
>
> > And what makes curser be NULL here? How can that happen?
>
> Honestly, I don't know. I reproduced the crash on my local, followed the
> stack trace, and then changed the line to avoid the crash. If you think this
> patch is not the best solution, I can drop it and investigate more to find
> the root cause.
Finding the root cause would be good to do here, so that we can
potentially fix that if it is needed.
thanks,
greg k-h
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] fix NULL pointer deference crash
2021-03-31 16:34 ` Hassan Shahbazi
(?)
(?)
@ 2021-03-31 20:02 ` Dan Carpenter
-1 siblings, 0 replies; 13+ messages in thread
From: Dan Carpenter @ 2021-03-31 20:02 UTC (permalink / raw)
To: kbuild, Hassan Shahbazi, gregkh, daniel.vetter, jirislaby,
yepeilin.cs
Cc: lkp, kbuild-all, linux-fbdev, dri-devel, linux-kernel,
Hassan Shahbazi
[-- Attachment #1: Type: text/plain, Size: 3680 bytes --]
Hi Hassan,
url: https://github.com/0day-ci/linux/commits/Hassan-Shahbazi/fix-NULL-pointer-deference-crash/20210401-004543
base: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 5e46d1b78a03d52306f21f77a4e4a144b6d31486
config: x86_64-randconfig-m001-20210330 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
New smatch warnings:
drivers/video/fbdev/core/fbcon.c:1336 fbcon_cursor() warn: variable dereferenced before check 'ops' (see line 1324)
Old smatch warnings:
drivers/video/fbdev/core/fbcon.c:3028 fbcon_get_con2fb_map_ioctl() warn: potential spectre issue 'con2fb_map' [r]
vim +/ops +1336 drivers/video/fbdev/core/fbcon.c
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1318 static void fbcon_cursor(struct vc_data *vc, int mode)
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1319 {
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1320 struct fb_info *info = registered_fb[con2fb_map[vc->vc_num]];
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1321 struct fbcon_ops *ops = info->fbcon_par;
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1322 int c = scr_readw((u16 *) vc->vc_pos);
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1323
2a17d7e80f1df44 drivers/video/console/fbcon.c Scot Doyle 2015-08-04 @1324 ops->cur_blink_jiffies = msecs_to_jiffies(vc->vc_cur_blink_ms);
2a17d7e80f1df44 drivers/video/console/fbcon.c Scot Doyle 2015-08-04 1325
d1e2306681ad3cb drivers/video/console/fbcon.c Michal Januszewski 2007-05-08 1326 if (fbcon_is_inactive(vc, info) || vc->vc_deccm != 1)
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1327 return;
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1328
c0e4b3ad67997a6 drivers/video/fbdev/core/fbcon.c Jiri Slaby 2020-06-15 1329 if (vc->vc_cursor_type & CUR_SW)
acba9cd01974353 drivers/video/console/fbcon.c Antonino A. Daplas 2007-07-17 1330 fbcon_del_cursor_timer(info);
a5edce421848442 drivers/video/console/fbcon.c Thierry Reding 2015-05-21 1331 else
acba9cd01974353 drivers/video/console/fbcon.c Antonino A. Daplas 2007-07-17 1332 fbcon_add_cursor_timer(info);
acba9cd01974353 drivers/video/console/fbcon.c Antonino A. Daplas 2007-07-17 1333
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1334 ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;
^^^^^^^^^^^^^^^^^
Dereferenced
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1335
1d73453653c6d4f drivers/video/fbdev/core/fbcon.c Hassan Shahbazi 2021-03-31 @1336 if (ops && ops->cursor)
^^^
Checked too late
06a0df4d1b8b13b drivers/video/fbdev/core/fbcon.c Linus Torvalds 2020-09-08 1337 ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1338 get_color(vc, info, c, 0));
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1339 }
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 45368 bytes --]
^ permalink raw reply [flat|nested] 13+ messages in thread* Re: [PATCH] fix NULL pointer deference crash
@ 2021-03-31 20:02 ` Dan Carpenter
0 siblings, 0 replies; 13+ messages in thread
From: Dan Carpenter @ 2021-03-31 20:02 UTC (permalink / raw)
To: kbuild-all
[-- Attachment #1: Type: text/plain, Size: 3733 bytes --]
Hi Hassan,
url: https://github.com/0day-ci/linux/commits/Hassan-Shahbazi/fix-NULL-pointer-deference-crash/20210401-004543
base: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 5e46d1b78a03d52306f21f77a4e4a144b6d31486
config: x86_64-randconfig-m001-20210330 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
New smatch warnings:
drivers/video/fbdev/core/fbcon.c:1336 fbcon_cursor() warn: variable dereferenced before check 'ops' (see line 1324)
Old smatch warnings:
drivers/video/fbdev/core/fbcon.c:3028 fbcon_get_con2fb_map_ioctl() warn: potential spectre issue 'con2fb_map' [r]
vim +/ops +1336 drivers/video/fbdev/core/fbcon.c
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1318 static void fbcon_cursor(struct vc_data *vc, int mode)
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1319 {
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1320 struct fb_info *info = registered_fb[con2fb_map[vc->vc_num]];
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1321 struct fbcon_ops *ops = info->fbcon_par;
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1322 int c = scr_readw((u16 *) vc->vc_pos);
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1323
2a17d7e80f1df44 drivers/video/console/fbcon.c Scot Doyle 2015-08-04 @1324 ops->cur_blink_jiffies = msecs_to_jiffies(vc->vc_cur_blink_ms);
2a17d7e80f1df44 drivers/video/console/fbcon.c Scot Doyle 2015-08-04 1325
d1e2306681ad3cb drivers/video/console/fbcon.c Michal Januszewski 2007-05-08 1326 if (fbcon_is_inactive(vc, info) || vc->vc_deccm != 1)
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1327 return;
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1328
c0e4b3ad67997a6 drivers/video/fbdev/core/fbcon.c Jiri Slaby 2020-06-15 1329 if (vc->vc_cursor_type & CUR_SW)
acba9cd01974353 drivers/video/console/fbcon.c Antonino A. Daplas 2007-07-17 1330 fbcon_del_cursor_timer(info);
a5edce421848442 drivers/video/console/fbcon.c Thierry Reding 2015-05-21 1331 else
acba9cd01974353 drivers/video/console/fbcon.c Antonino A. Daplas 2007-07-17 1332 fbcon_add_cursor_timer(info);
acba9cd01974353 drivers/video/console/fbcon.c Antonino A. Daplas 2007-07-17 1333
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1334 ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;
^^^^^^^^^^^^^^^^^
Dereferenced
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1335
1d73453653c6d4f drivers/video/fbdev/core/fbcon.c Hassan Shahbazi 2021-03-31 @1336 if (ops && ops->cursor)
^^^
Checked too late
06a0df4d1b8b13b drivers/video/fbdev/core/fbcon.c Linus Torvalds 2020-09-08 1337 ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1338 get_color(vc, info, c, 0));
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1339 }
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 45368 bytes --]
^ permalink raw reply [flat|nested] 13+ messages in thread* Re: [PATCH] fix NULL pointer deference crash
@ 2021-03-31 20:02 ` Dan Carpenter
0 siblings, 0 replies; 13+ messages in thread
From: Dan Carpenter @ 2021-03-31 20:02 UTC (permalink / raw)
To: kbuild, Hassan Shahbazi, gregkh, daniel.vetter, jirislaby,
yepeilin.cs
Cc: linux-fbdev, kbuild-all, lkp, linux-kernel, dri-devel,
Hassan Shahbazi
[-- Attachment #1: Type: text/plain, Size: 3680 bytes --]
Hi Hassan,
url: https://github.com/0day-ci/linux/commits/Hassan-Shahbazi/fix-NULL-pointer-deference-crash/20210401-004543
base: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 5e46d1b78a03d52306f21f77a4e4a144b6d31486
config: x86_64-randconfig-m001-20210330 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
New smatch warnings:
drivers/video/fbdev/core/fbcon.c:1336 fbcon_cursor() warn: variable dereferenced before check 'ops' (see line 1324)
Old smatch warnings:
drivers/video/fbdev/core/fbcon.c:3028 fbcon_get_con2fb_map_ioctl() warn: potential spectre issue 'con2fb_map' [r]
vim +/ops +1336 drivers/video/fbdev/core/fbcon.c
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1318 static void fbcon_cursor(struct vc_data *vc, int mode)
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1319 {
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1320 struct fb_info *info = registered_fb[con2fb_map[vc->vc_num]];
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1321 struct fbcon_ops *ops = info->fbcon_par;
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1322 int c = scr_readw((u16 *) vc->vc_pos);
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1323
2a17d7e80f1df44 drivers/video/console/fbcon.c Scot Doyle 2015-08-04 @1324 ops->cur_blink_jiffies = msecs_to_jiffies(vc->vc_cur_blink_ms);
2a17d7e80f1df44 drivers/video/console/fbcon.c Scot Doyle 2015-08-04 1325
d1e2306681ad3cb drivers/video/console/fbcon.c Michal Januszewski 2007-05-08 1326 if (fbcon_is_inactive(vc, info) || vc->vc_deccm != 1)
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1327 return;
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1328
c0e4b3ad67997a6 drivers/video/fbdev/core/fbcon.c Jiri Slaby 2020-06-15 1329 if (vc->vc_cursor_type & CUR_SW)
acba9cd01974353 drivers/video/console/fbcon.c Antonino A. Daplas 2007-07-17 1330 fbcon_del_cursor_timer(info);
a5edce421848442 drivers/video/console/fbcon.c Thierry Reding 2015-05-21 1331 else
acba9cd01974353 drivers/video/console/fbcon.c Antonino A. Daplas 2007-07-17 1332 fbcon_add_cursor_timer(info);
acba9cd01974353 drivers/video/console/fbcon.c Antonino A. Daplas 2007-07-17 1333
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1334 ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;
^^^^^^^^^^^^^^^^^
Dereferenced
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1335
1d73453653c6d4f drivers/video/fbdev/core/fbcon.c Hassan Shahbazi 2021-03-31 @1336 if (ops && ops->cursor)
^^^
Checked too late
06a0df4d1b8b13b drivers/video/fbdev/core/fbcon.c Linus Torvalds 2020-09-08 1337 ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1338 get_color(vc, info, c, 0));
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1339 }
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 45368 bytes --]
[-- Attachment #3: Type: text/plain, Size: 160 bytes --]
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 13+ messages in thread* Re: [PATCH] fix NULL pointer deference crash
@ 2021-03-31 20:02 ` Dan Carpenter
0 siblings, 0 replies; 13+ messages in thread
From: Dan Carpenter @ 2021-03-31 20:02 UTC (permalink / raw)
To: kbuild
[-- Attachment #1: Type: text/plain, Size: 3733 bytes --]
Hi Hassan,
url: https://github.com/0day-ci/linux/commits/Hassan-Shahbazi/fix-NULL-pointer-deference-crash/20210401-004543
base: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 5e46d1b78a03d52306f21f77a4e4a144b6d31486
config: x86_64-randconfig-m001-20210330 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
New smatch warnings:
drivers/video/fbdev/core/fbcon.c:1336 fbcon_cursor() warn: variable dereferenced before check 'ops' (see line 1324)
Old smatch warnings:
drivers/video/fbdev/core/fbcon.c:3028 fbcon_get_con2fb_map_ioctl() warn: potential spectre issue 'con2fb_map' [r]
vim +/ops +1336 drivers/video/fbdev/core/fbcon.c
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1318 static void fbcon_cursor(struct vc_data *vc, int mode)
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1319 {
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1320 struct fb_info *info = registered_fb[con2fb_map[vc->vc_num]];
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1321 struct fbcon_ops *ops = info->fbcon_par;
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1322 int c = scr_readw((u16 *) vc->vc_pos);
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1323
2a17d7e80f1df44 drivers/video/console/fbcon.c Scot Doyle 2015-08-04 @1324 ops->cur_blink_jiffies = msecs_to_jiffies(vc->vc_cur_blink_ms);
2a17d7e80f1df44 drivers/video/console/fbcon.c Scot Doyle 2015-08-04 1325
d1e2306681ad3cb drivers/video/console/fbcon.c Michal Januszewski 2007-05-08 1326 if (fbcon_is_inactive(vc, info) || vc->vc_deccm != 1)
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1327 return;
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1328
c0e4b3ad67997a6 drivers/video/fbdev/core/fbcon.c Jiri Slaby 2020-06-15 1329 if (vc->vc_cursor_type & CUR_SW)
acba9cd01974353 drivers/video/console/fbcon.c Antonino A. Daplas 2007-07-17 1330 fbcon_del_cursor_timer(info);
a5edce421848442 drivers/video/console/fbcon.c Thierry Reding 2015-05-21 1331 else
acba9cd01974353 drivers/video/console/fbcon.c Antonino A. Daplas 2007-07-17 1332 fbcon_add_cursor_timer(info);
acba9cd01974353 drivers/video/console/fbcon.c Antonino A. Daplas 2007-07-17 1333
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1334 ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;
^^^^^^^^^^^^^^^^^
Dereferenced
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1335
1d73453653c6d4f drivers/video/fbdev/core/fbcon.c Hassan Shahbazi 2021-03-31 @1336 if (ops && ops->cursor)
^^^
Checked too late
06a0df4d1b8b13b drivers/video/fbdev/core/fbcon.c Linus Torvalds 2020-09-08 1337 ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1338 get_color(vc, info, c, 0));
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1339 }
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 45368 bytes --]
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] fix NULL pointer deference crash
@ 2021-03-31 19:29 kernel test robot
0 siblings, 0 replies; 13+ messages in thread
From: kernel test robot @ 2021-03-31 19:29 UTC (permalink / raw)
To: kbuild
[-- Attachment #1: Type: text/plain, Size: 4585 bytes --]
CC: kbuild-all(a)lists.01.org
In-Reply-To: <20210331163425.8092-1-h.shahbazi.git@gmail.com>
References: <20210331163425.8092-1-h.shahbazi.git@gmail.com>
TO: Hassan Shahbazi <h.shahbazi.git@gmail.com>
TO: gregkh(a)linuxfoundation.org
TO: daniel.vetter(a)ffwll.ch
TO: jirislaby(a)kernel.org
TO: yepeilin.cs(a)gmail.com
CC: linux-fbdev(a)vger.kernel.org
CC: dri-devel(a)lists.freedesktop.org
CC: linux-kernel(a)vger.kernel.org
CC: Hassan Shahbazi <h.shahbazi.git@gmail.com>
Hi Hassan,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on linus/master]
[also build test WARNING on v5.12-rc5]
[cannot apply to next-20210331]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/Hassan-Shahbazi/fix-NULL-pointer-deference-crash/20210401-004543
base: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 5e46d1b78a03d52306f21f77a4e4a144b6d31486
:::::: branch date: 3 hours ago
:::::: commit date: 3 hours ago
config: x86_64-randconfig-m001-20210330 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
New smatch warnings:
drivers/video/fbdev/core/fbcon.c:1336 fbcon_cursor() warn: variable dereferenced before check 'ops' (see line 1324)
Old smatch warnings:
drivers/video/fbdev/core/fbcon.c:3028 fbcon_get_con2fb_map_ioctl() warn: potential spectre issue 'con2fb_map' [r]
vim +/ops +1336 drivers/video/fbdev/core/fbcon.c
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1317
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1318 static void fbcon_cursor(struct vc_data *vc, int mode)
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1319 {
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1320 struct fb_info *info = registered_fb[con2fb_map[vc->vc_num]];
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1321 struct fbcon_ops *ops = info->fbcon_par;
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1322 int c = scr_readw((u16 *) vc->vc_pos);
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1323
2a17d7e80f1df44 drivers/video/console/fbcon.c Scot Doyle 2015-08-04 @1324 ops->cur_blink_jiffies = msecs_to_jiffies(vc->vc_cur_blink_ms);
2a17d7e80f1df44 drivers/video/console/fbcon.c Scot Doyle 2015-08-04 1325
d1e2306681ad3cb drivers/video/console/fbcon.c Michal Januszewski 2007-05-08 1326 if (fbcon_is_inactive(vc, info) || vc->vc_deccm != 1)
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1327 return;
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1328
c0e4b3ad67997a6 drivers/video/fbdev/core/fbcon.c Jiri Slaby 2020-06-15 1329 if (vc->vc_cursor_type & CUR_SW)
acba9cd01974353 drivers/video/console/fbcon.c Antonino A. Daplas 2007-07-17 1330 fbcon_del_cursor_timer(info);
a5edce421848442 drivers/video/console/fbcon.c Thierry Reding 2015-05-21 1331 else
acba9cd01974353 drivers/video/console/fbcon.c Antonino A. Daplas 2007-07-17 1332 fbcon_add_cursor_timer(info);
acba9cd01974353 drivers/video/console/fbcon.c Antonino A. Daplas 2007-07-17 1333
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1334 ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1335
1d73453653c6d4f drivers/video/fbdev/core/fbcon.c Hassan Shahbazi 2021-03-31 @1336 if (ops && ops->cursor)
06a0df4d1b8b13b drivers/video/fbdev/core/fbcon.c Linus Torvalds 2020-09-08 1337 ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1338 get_color(vc, info, c, 0));
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1339 }
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1340
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 45368 bytes --]
^ permalink raw reply [flat|nested] 13+ messages in thread
end of thread, other threads:[~2021-04-01 6:55 UTC | newest]
Thread overview: 13+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-03-31 16:34 [PATCH] fix NULL pointer deference crash Hassan Shahbazi
2021-03-31 16:34 ` Hassan Shahbazi
2021-03-31 17:32 ` Greg KH
2021-03-31 17:32 ` Greg KH
2021-04-01 6:21 ` Hassan Shahbazi
2021-04-01 6:21 ` Hassan Shahbazi
2021-04-01 6:54 ` Greg KH
2021-04-01 6:54 ` Greg KH
2021-03-31 20:02 ` Dan Carpenter
2021-03-31 20:02 ` Dan Carpenter
2021-03-31 20:02 ` Dan Carpenter
2021-03-31 20:02 ` Dan Carpenter
-- strict thread matches above, loose matches on Subject: below --
2021-03-31 19:29 kernel test robot
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.