<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/video/fbdev/core/fbcon.c, branch linux-6.16.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>fbcon: Fix OOB access in font allocation</title>
<updated>2025-10-02T11:48:39+00:00</updated>
<author>
<name>Thomas Zimmermann</name>
<email>tzimmermann@suse.de</email>
</author>
<published>2025-09-22T13:45:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fc19489dfaf424397ba8d03b47e8786eaed7b3fc'/>
<id>fc19489dfaf424397ba8d03b47e8786eaed7b3fc</id>
<content type='text'>
commit 9b2f5ef00e852f8e8902a4d4f73aeedc60220c12 upstream.

Commit 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font")
introduced an out-of-bounds access by storing data and allocation sizes
in the same variable. Restore the old size calculation and use the new
variable 'alloc_size' for the allocation.

Signed-off-by: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Fixes: 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font")
Reported-by: Jani Nikula &lt;jani.nikula@linux.intel.com&gt;
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15020
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6201
Cc: Samasth Norway Ananda &lt;samasth.norway.ananda@oracle.com&gt;
Cc: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Cc: George Kennedy &lt;george.kennedy@oracle.com&gt;
Cc: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Cc: Simona Vetter &lt;simona@ffwll.ch&gt;
Cc: Helge Deller &lt;deller@gmx.de&gt;
Cc: "Ville Syrjälä" &lt;ville.syrjala@linux.intel.com&gt;
Cc: Sam Ravnborg &lt;sam@ravnborg.org&gt;
Cc: Qianqiang Liu &lt;qianqiang.liu@163.com&gt;
Cc: Shixiong Ou &lt;oushixiong@kylinos.cn&gt;
Cc: Kees Cook &lt;kees@kernel.org&gt;
Cc: &lt;stable@vger.kernel.org&gt; # v5.9+
Cc: Zsolt Kajtar &lt;soci@c64.rulez.org&gt;
Reviewed-by: Lucas De Marchi &lt;lucas.demarchi@intel.com&gt;
Reviewed-by: Qianqiang Liu &lt;qianqiang.liu@163.com&gt;
Link: https://lore.kernel.org/r/20250922134619.257684-1-tzimmermann@suse.de
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 9b2f5ef00e852f8e8902a4d4f73aeedc60220c12 upstream.

Commit 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font")
introduced an out-of-bounds access by storing data and allocation sizes
in the same variable. Restore the old size calculation and use the new
variable 'alloc_size' for the allocation.

Signed-off-by: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Fixes: 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font")
Reported-by: Jani Nikula &lt;jani.nikula@linux.intel.com&gt;
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15020
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6201
Cc: Samasth Norway Ananda &lt;samasth.norway.ananda@oracle.com&gt;
Cc: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Cc: George Kennedy &lt;george.kennedy@oracle.com&gt;
Cc: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Cc: Simona Vetter &lt;simona@ffwll.ch&gt;
Cc: Helge Deller &lt;deller@gmx.de&gt;
Cc: "Ville Syrjälä" &lt;ville.syrjala@linux.intel.com&gt;
Cc: Sam Ravnborg &lt;sam@ravnborg.org&gt;
Cc: Qianqiang Liu &lt;qianqiang.liu@163.com&gt;
Cc: Shixiong Ou &lt;oushixiong@kylinos.cn&gt;
Cc: Kees Cook &lt;kees@kernel.org&gt;
Cc: &lt;stable@vger.kernel.org&gt; # v5.9+
Cc: Zsolt Kajtar &lt;soci@c64.rulez.org&gt;
Reviewed-by: Lucas De Marchi &lt;lucas.demarchi@intel.com&gt;
Reviewed-by: Qianqiang Liu &lt;qianqiang.liu@163.com&gt;
Link: https://lore.kernel.org/r/20250922134619.257684-1-tzimmermann@suse.de
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fbcon: fix integer overflow in fbcon_do_set_font</title>
<updated>2025-10-02T11:48:39+00:00</updated>
<author>
<name>Samasth Norway Ananda</name>
<email>samasth.norway.ananda@oracle.com</email>
</author>
<published>2025-09-12T17:00:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c0c01f9aa08c8e10e10e8c9ebb5be01a4eff6eb7'/>
<id>c0c01f9aa08c8e10e10e8c9ebb5be01a4eff6eb7</id>
<content type='text'>
commit 1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe upstream.

Fix integer overflow vulnerabilities in fbcon_do_set_font() where font
size calculations could overflow when handling user-controlled font
parameters.

The vulnerabilities occur when:
1. CALC_FONTSZ(h, pitch, charcount) performs h * pith * charcount
   multiplication with user-controlled values that can overflow.
2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow
3. This results in smaller allocations than expected, leading to buffer
   overflows during font data copying.

Add explicit overflow checking using check_mul_overflow() and
check_add_overflow() kernel helpers to safety validate all size
calculations before allocation.

Signed-off-by: Samasth Norway Ananda &lt;samasth.norway.ananda@oracle.com&gt;
Reviewed-by: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Fixes: 39b3cffb8cf3 ("fbcon: prevent user font height or width change from causing potential out-of-bounds access")
Cc: George Kennedy &lt;george.kennedy@oracle.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Cc: syzbot+38a3699c7eaf165b97a6@syzkaller.appspotmail.com
Cc: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Cc: Simona Vetter &lt;simona@ffwll.ch&gt;
Cc: Helge Deller &lt;deller@gmx.de&gt;
Cc: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Cc: "Ville Syrjälä" &lt;ville.syrjala@linux.intel.com&gt;
Cc: Sam Ravnborg &lt;sam@ravnborg.org&gt;
Cc: Qianqiang Liu &lt;qianqiang.liu@163.com&gt;
Cc: Shixiong Ou &lt;oushixiong@kylinos.cn&gt;
Cc: Kees Cook &lt;kees@kernel.org&gt;
Cc: &lt;stable@vger.kernel.org&gt; # v5.9+
Signed-off-by: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Link: https://lore.kernel.org/r/20250912170023.3931881-1-samasth.norway.ananda@oracle.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe upstream.

Fix integer overflow vulnerabilities in fbcon_do_set_font() where font
size calculations could overflow when handling user-controlled font
parameters.

The vulnerabilities occur when:
1. CALC_FONTSZ(h, pitch, charcount) performs h * pith * charcount
   multiplication with user-controlled values that can overflow.
2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow
3. This results in smaller allocations than expected, leading to buffer
   overflows during font data copying.

Add explicit overflow checking using check_mul_overflow() and
check_add_overflow() kernel helpers to safety validate all size
calculations before allocation.

Signed-off-by: Samasth Norway Ananda &lt;samasth.norway.ananda@oracle.com&gt;
Reviewed-by: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Fixes: 39b3cffb8cf3 ("fbcon: prevent user font height or width change from causing potential out-of-bounds access")
Cc: George Kennedy &lt;george.kennedy@oracle.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Cc: syzbot+38a3699c7eaf165b97a6@syzkaller.appspotmail.com
Cc: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Cc: Simona Vetter &lt;simona@ffwll.ch&gt;
Cc: Helge Deller &lt;deller@gmx.de&gt;
Cc: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Cc: "Ville Syrjälä" &lt;ville.syrjala@linux.intel.com&gt;
Cc: Sam Ravnborg &lt;sam@ravnborg.org&gt;
Cc: Qianqiang Liu &lt;qianqiang.liu@163.com&gt;
Cc: Shixiong Ou &lt;oushixiong@kylinos.cn&gt;
Cc: Kees Cook &lt;kees@kernel.org&gt;
Cc: &lt;stable@vger.kernel.org&gt; # v5.9+
Signed-off-by: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Link: https://lore.kernel.org/r/20250912170023.3931881-1-samasth.norway.ananda@oracle.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fbdev: Fix vmalloc out-of-bounds write in fast_imageblit</title>
<updated>2025-08-20T16:41:40+00:00</updated>
<author>
<name>Sravan Kumar Gundu</name>
<email>sravankumarlpu@gmail.com</email>
</author>
<published>2025-07-31T20:36:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=cfec17721265e72e50cc69c6004fe3475cd38df2'/>
<id>cfec17721265e72e50cc69c6004fe3475cd38df2</id>
<content type='text'>
commit af0db3c1f898144846d4c172531a199bb3ca375d upstream.

This issue triggers when a userspace program does an ioctl
FBIOPUT_CON2FBMAP by passing console number and frame buffer number.
Ideally this maps console to frame buffer and updates the screen if
console is visible.

As part of mapping it has to do resize of console according to frame
buffer info. if this resize fails and returns from vc_do_resize() and
continues further. At this point console and new frame buffer are mapped
and sets display vars. Despite failure still it continue to proceed
updating the screen at later stages where vc_data is related to previous
frame buffer and frame buffer info and display vars are mapped to new
frame buffer and eventully leading to out-of-bounds write in
fast_imageblit(). This bheviour is excepted only when fg_console is
equal to requested console which is a visible console and updates screen
with invalid struct references in fbcon_putcs().

Reported-and-tested-by: syzbot+c4b7aa0513823e2ea880@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c4b7aa0513823e2ea880
Signed-off-by: Sravan Kumar Gundu &lt;sravankumarlpu@gmail.com&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit af0db3c1f898144846d4c172531a199bb3ca375d upstream.

This issue triggers when a userspace program does an ioctl
FBIOPUT_CON2FBMAP by passing console number and frame buffer number.
Ideally this maps console to frame buffer and updates the screen if
console is visible.

As part of mapping it has to do resize of console according to frame
buffer info. if this resize fails and returns from vc_do_resize() and
continues further. At this point console and new frame buffer are mapped
and sets display vars. Despite failure still it continue to proceed
updating the screen at later stages where vc_data is related to previous
frame buffer and frame buffer info and display vars are mapped to new
frame buffer and eventully leading to out-of-bounds write in
fast_imageblit(). This bheviour is excepted only when fg_console is
equal to requested console which is a visible console and updates screen
with invalid struct references in fbcon_putcs().

Reported-and-tested-by: syzbot+c4b7aa0513823e2ea880@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c4b7aa0513823e2ea880
Signed-off-by: Sravan Kumar Gundu &lt;sravankumarlpu@gmail.com&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fbcon: Fix outdated registered_fb reference in comment</title>
<updated>2025-08-15T14:38:45+00:00</updated>
<author>
<name>Shixiong Ou</name>
<email>oushixiong@kylinos.cn</email>
</author>
<published>2025-07-09T10:34:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e9240dd81a05401fb445ad18f965fc494527b18c'/>
<id>e9240dd81a05401fb445ad18f965fc494527b18c</id>
<content type='text'>
[ Upstream commit 0f168e7be696a17487e83d1d47e5a408a181080f ]

The variable was renamed to fbcon_registered_fb, but this comment was
not updated along with the change. Correct it to avoid confusion.

Signed-off-by: Shixiong Ou &lt;oushixiong@kylinos.cn&gt;
Fixes: efc3acbc105a ("fbcon: Maintain a private array of fb_info")
[sima: Add Fixes: line.]
Signed-off-by: Simona Vetter &lt;simona.vetter@ffwll.ch&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20250709103438.572309-1-oushixiong1025@163.com
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 0f168e7be696a17487e83d1d47e5a408a181080f ]

The variable was renamed to fbcon_registered_fb, but this comment was
not updated along with the change. Correct it to avoid confusion.

Signed-off-by: Shixiong Ou &lt;oushixiong@kylinos.cn&gt;
Fixes: efc3acbc105a ("fbcon: Maintain a private array of fb_info")
[sima: Add Fixes: line.]
Signed-off-by: Simona Vetter &lt;simona.vetter@ffwll.ch&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20250709103438.572309-1-oushixiong1025@163.com
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fbcon: Make sure modelist not set on unregistered console</title>
<updated>2025-05-31T08:24:02+00:00</updated>
<author>
<name>Kees Cook</name>
<email>kees@kernel.org</email>
</author>
<published>2025-05-09T20:06:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=cedc1b63394a866bf8663a3e40f4546f1d28c8d8'/>
<id>cedc1b63394a866bf8663a3e40f4546f1d28c8d8</id>
<content type='text'>
It looks like attempting to write to the "store_modes" sysfs node will
run afoul of unregistered consoles:

UBSAN: array-index-out-of-bounds in drivers/video/fbdev/core/fbcon.c:122:28
index -1 is out of range for type 'fb_info *[32]'
...
 fbcon_info_from_console+0x192/0x1a0 drivers/video/fbdev/core/fbcon.c:122
 fbcon_new_modelist+0xbf/0x2d0 drivers/video/fbdev/core/fbcon.c:3048
 fb_new_modelist+0x328/0x440 drivers/video/fbdev/core/fbmem.c:673
 store_modes+0x1c9/0x3e0 drivers/video/fbdev/core/fbsysfs.c:113
 dev_attr_store+0x55/0x80 drivers/base/core.c:2439

static struct fb_info *fbcon_registered_fb[FB_MAX];
...
static signed char con2fb_map[MAX_NR_CONSOLES];
...
static struct fb_info *fbcon_info_from_console(int console)
...
        return fbcon_registered_fb[con2fb_map[console]];

If con2fb_map contains a -1 things go wrong here. Instead, return NULL,
as callers of fbcon_info_from_console() are trying to compare against
existing "info" pointers, so error handling should kick in correctly.

Reported-by: syzbot+a7d4444e7b6e743572f7@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/679d0a8f.050a0220.163cdc.000c.GAE@google.com/
Signed-off-by: Kees Cook &lt;kees@kernel.org&gt;
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
It looks like attempting to write to the "store_modes" sysfs node will
run afoul of unregistered consoles:

UBSAN: array-index-out-of-bounds in drivers/video/fbdev/core/fbcon.c:122:28
index -1 is out of range for type 'fb_info *[32]'
...
 fbcon_info_from_console+0x192/0x1a0 drivers/video/fbdev/core/fbcon.c:122
 fbcon_new_modelist+0xbf/0x2d0 drivers/video/fbdev/core/fbcon.c:3048
 fb_new_modelist+0x328/0x440 drivers/video/fbdev/core/fbmem.c:673
 store_modes+0x1c9/0x3e0 drivers/video/fbdev/core/fbsysfs.c:113
 dev_attr_store+0x55/0x80 drivers/base/core.c:2439

static struct fb_info *fbcon_registered_fb[FB_MAX];
...
static signed char con2fb_map[MAX_NR_CONSOLES];
...
static struct fb_info *fbcon_info_from_console(int console)
...
        return fbcon_registered_fb[con2fb_map[console]];

If con2fb_map contains a -1 things go wrong here. Instead, return NULL,
as callers of fbcon_info_from_console() are trying to compare against
existing "info" pointers, so error handling should kick in correctly.

Reported-by: syzbot+a7d4444e7b6e743572f7@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/679d0a8f.050a0220.163cdc.000c.GAE@google.com/
Signed-off-by: Kees Cook &lt;kees@kernel.org&gt;
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fbcon: Use static attribute groups for sysfs entries</title>
<updated>2025-03-26T21:39:21+00:00</updated>
<author>
<name>Shixiong Ou</name>
<email>oushixiong@kylinos.cn</email>
</author>
<published>2025-03-14T06:09:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=26c36247a44098ccab3d16aa7d5329db87aa7236'/>
<id>26c36247a44098ccab3d16aa7d5329db87aa7236</id>
<content type='text'>
Using device_create_with_groups() to simplify creation and removal.
Same as commit 1083a7be4504 ("tty: Use static attribute groups for
sysfs entries").

Signed-off-by: Shixiong Ou &lt;oushixiong@kylinos.cn&gt;
Acked-by: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Using device_create_with_groups() to simplify creation and removal.
Same as commit 1083a7be4504 ("tty: Use static attribute groups for
sysfs entries").

Signed-off-by: Shixiong Ou &lt;oushixiong@kylinos.cn&gt;
Acked-by: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fbcon: Use correct erase colour for clearing in fbcon</title>
<updated>2025-03-26T21:39:19+00:00</updated>
<author>
<name>Zsolt Kajtar</name>
<email>soci@c64.rulez.org</email>
</author>
<published>2025-02-02T20:33:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=892c788d73fe4a94337ed092cb998c49fa8ecaf4'/>
<id>892c788d73fe4a94337ed092cb998c49fa8ecaf4</id>
<content type='text'>
The erase colour calculation for fbcon clearing should use get_color instead
of attr_col_ec, like everything else. The latter is similar but is not correct.
For example it's missing the depth dependent remapping and doesn't care about
blanking.

The problem can be reproduced by setting up the background colour to grey
(vt.color=0x70) and having an fbcon console set to 2bpp (4 shades of gray).
Now the background attribute should be 1 (dark gray) on the console.

If the screen is scrolled when pressing enter in a shell prompt at the bottom
line then the new line is cleared using colour 7 instead of 1. That's not
something fillrect likes (at 2bbp it expect 0-3) so the result is interesting.

This patch switches to get_color with vc_video_erase_char to determine the
erase colour from attr_col_ec. That makes the latter function redundant as
no other users were left.

Use correct erase colour for clearing in fbcon

Signed-off-by: Zsolt Kajtar &lt;soci@c64.rulez.org&gt;
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The erase colour calculation for fbcon clearing should use get_color instead
of attr_col_ec, like everything else. The latter is similar but is not correct.
For example it's missing the depth dependent remapping and doesn't care about
blanking.

The problem can be reproduced by setting up the background colour to grey
(vt.color=0x70) and having an fbcon console set to 2bpp (4 shades of gray).
Now the background attribute should be 1 (dark gray) on the console.

If the screen is scrolled when pressing enter in a shell prompt at the bottom
line then the new line is cleared using colour 7 instead of 1. That's not
something fillrect likes (at 2bbp it expect 0-3) so the result is interesting.

This patch switches to get_color with vc_video_erase_char to determine the
erase colour from attr_col_ec. That makes the latter function redundant as
no other users were left.

Use correct erase colour for clearing in fbcon

Signed-off-by: Zsolt Kajtar &lt;soci@c64.rulez.org&gt;
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fbcon: break earlier in search_fb_in_map and search_for_mapped_con</title>
<updated>2024-09-26T16:25:12+00:00</updated>
<author>
<name>Qianqiang Liu</name>
<email>qianqiang.liu@163.com</email>
</author>
<published>2024-09-26T11:59:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2555906fd53e0a5239431d44fad695b420e94fdd'/>
<id>2555906fd53e0a5239431d44fad695b420e94fdd</id>
<content type='text'>
Break the for loop immediately upon finding the target, making the
process more efficient.

Signed-off-by: Qianqiang Liu &lt;qianqiang.liu@163.com&gt;
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Break the for loop immediately upon finding the target, making the
process more efficient.

Signed-off-by: Qianqiang Liu &lt;qianqiang.liu@163.com&gt;
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fbcon: Fix a NULL pointer dereference issue in fbcon_putcs</title>
<updated>2024-09-26T16:20:27+00:00</updated>
<author>
<name>Qianqiang Liu</name>
<email>qianqiang.liu@163.com</email>
</author>
<published>2024-09-25T05:29:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5b97eebcce1b4f3f07a71f635d6aa3af96c236e7'/>
<id>5b97eebcce1b4f3f07a71f635d6aa3af96c236e7</id>
<content type='text'>
syzbot has found a NULL pointer dereference bug in fbcon.
Here is the simplified C reproducer:

struct param {
	uint8_t type;
	struct tiocl_selection ts;
};

int main()
{
	struct fb_con2fbmap con2fb;
	struct param param;

	int fd = open("/dev/fb1", 0, 0);

	con2fb.console = 0x19;
	con2fb.framebuffer = 0;
	ioctl(fd, FBIOPUT_CON2FBMAP, &amp;con2fb);

	param.type = 2;
	param.ts.xs = 0; param.ts.ys = 0;
	param.ts.xe = 0; param.ts.ye = 0;
	param.ts.sel_mode = 0;

	int fd1 = open("/dev/tty1", O_RDWR, 0);
	ioctl(fd1, TIOCLINUX, &amp;param);

	con2fb.console = 1;
	con2fb.framebuffer = 0;
	ioctl(fd, FBIOPUT_CON2FBMAP, &amp;con2fb);

	return 0;
}

After calling ioctl(fd1, TIOCLINUX, &amp;param), the subsequent ioctl(fd, FBIOPUT_CON2FBMAP, &amp;con2fb)
causes the kernel to follow a different execution path:

 set_con2fb_map
  -&gt; con2fb_init_display
   -&gt; fbcon_set_disp
    -&gt; redraw_screen
     -&gt; hide_cursor
      -&gt; clear_selection
       -&gt; highlight
        -&gt; invert_screen
         -&gt; do_update_region
          -&gt; fbcon_putcs
           -&gt; ops-&gt;putcs

Since ops-&gt;putcs is a NULL pointer, this leads to a kernel panic.
To prevent this, we need to call set_blitting_type() within set_con2fb_map()
to properly initialize ops-&gt;putcs.

Reported-by: syzbot+3d613ae53c031502687a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3d613ae53c031502687a
Tested-by: syzbot+3d613ae53c031502687a@syzkaller.appspotmail.com
Signed-off-by: Qianqiang Liu &lt;qianqiang.liu@163.com&gt;
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
syzbot has found a NULL pointer dereference bug in fbcon.
Here is the simplified C reproducer:

struct param {
	uint8_t type;
	struct tiocl_selection ts;
};

int main()
{
	struct fb_con2fbmap con2fb;
	struct param param;

	int fd = open("/dev/fb1", 0, 0);

	con2fb.console = 0x19;
	con2fb.framebuffer = 0;
	ioctl(fd, FBIOPUT_CON2FBMAP, &amp;con2fb);

	param.type = 2;
	param.ts.xs = 0; param.ts.ys = 0;
	param.ts.xe = 0; param.ts.ye = 0;
	param.ts.sel_mode = 0;

	int fd1 = open("/dev/tty1", O_RDWR, 0);
	ioctl(fd1, TIOCLINUX, &amp;param);

	con2fb.console = 1;
	con2fb.framebuffer = 0;
	ioctl(fd, FBIOPUT_CON2FBMAP, &amp;con2fb);

	return 0;
}

After calling ioctl(fd1, TIOCLINUX, &amp;param), the subsequent ioctl(fd, FBIOPUT_CON2FBMAP, &amp;con2fb)
causes the kernel to follow a different execution path:

 set_con2fb_map
  -&gt; con2fb_init_display
   -&gt; fbcon_set_disp
    -&gt; redraw_screen
     -&gt; hide_cursor
      -&gt; clear_selection
       -&gt; highlight
        -&gt; invert_screen
         -&gt; do_update_region
          -&gt; fbcon_putcs
           -&gt; ops-&gt;putcs

Since ops-&gt;putcs is a NULL pointer, this leads to a kernel panic.
To prevent this, we need to call set_blitting_type() within set_con2fb_map()
to properly initialize ops-&gt;putcs.

Reported-by: syzbot+3d613ae53c031502687a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3d613ae53c031502687a
Tested-by: syzbot+3d613ae53c031502687a@syzkaller.appspotmail.com
Signed-off-by: Qianqiang Liu &lt;qianqiang.liu@163.com&gt;
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fbcon: Use oops_in_progress instead of panic_cpu</title>
<updated>2024-07-22T15:51:29+00:00</updated>
<author>
<name>Jocelyn Falempe</name>
<email>jfalempe@redhat.com</email>
</author>
<published>2024-07-22T11:47:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1c1ed27ee117da726657c10d6614995eeae33b68'/>
<id>1c1ed27ee117da726657c10d6614995eeae33b68</id>
<content type='text'>
Panic_cpu is not exported, so it can't be used if fbcon is used as
a module. Use oops_in_progress in this case, but non-fatal oops won't
be printed.

Reported-by: kernel test robot &lt;lkp@intel.com&gt;
Closes: https://lore.kernel.org/oe-kbuild-all/202407210203.2ISiIC9m-lkp@intel.com/
Signed-off-by: Jocelyn Falempe &lt;jfalempe@redhat.com&gt;
Reviewed-by: Daniel Vetter &lt;daniel.vetter@ffwll.ch&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20240722114800.174558-1-jfalempe@redhat.com
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Panic_cpu is not exported, so it can't be used if fbcon is used as
a module. Use oops_in_progress in this case, but non-fatal oops won't
be printed.

Reported-by: kernel test robot &lt;lkp@intel.com&gt;
Closes: https://lore.kernel.org/oe-kbuild-all/202407210203.2ISiIC9m-lkp@intel.com/
Signed-off-by: Jocelyn Falempe &lt;jfalempe@redhat.com&gt;
Reviewed-by: Daniel Vetter &lt;daniel.vetter@ffwll.ch&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20240722114800.174558-1-jfalempe@redhat.com
</pre>
</div>
</content>
</entry>
</feed>
