diff --git a/patches.suse/0008-video-fbdev-smscufx-Fix-null-ptr-deref-in-ufx_usb_pr.patch b/patches.suse/0008-video-fbdev-smscufx-Fix-null-ptr-deref-in-ufx_usb_pr.patch
new file mode 100644
index 0000000..0cb6043
--- /dev/null
+++ b/patches.suse/0008-video-fbdev-smscufx-Fix-null-ptr-deref-in-ufx_usb_pr.patch
@@ -0,0 +1,61 @@
+From 1791f487f877a9e83d81c8677bd3e7b259e7cb27 Mon Sep 17 00:00:00 2001
+From: Wang Hai
+Date: Thu, 14 Oct 2021 21:22:31 +0800
+Subject: video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe()
+Git-commit: 1791f487f877a9e83d81c8677bd3e7b259e7cb27
+Patch-mainline: v5.18-rc1
+References: bsc#1129770
+
+I got a null-ptr-deref report:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+...
+RIP: 0010:fb_destroy_modelist+0x38/0x100
+...
+Call Trace:
+ ufx_usb_probe.cold+0x2b5/0xac1 [smscufx]
+ usb_probe_interface+0x1aa/0x3c0 [usbcore]
+ really_probe+0x167/0x460
+...
+ ret_from_fork+0x1f/0x30
+
+If fb_alloc_cmap() fails in ufx_usb_probe(), fb_destroy_modelist() will
+be called to destroy modelist in the error handling path. But modelist
+has not been initialized yet, so it will result in null-ptr-deref.
+
+Initialize modelist before calling fb_alloc_cmap() to fix this bug.
+
+Fixes: 3c8a63e22a08 ("Add support for SMSC UFX6000/7000 USB display adapters")
+Reported-by: Hulk Robot
+Signed-off-by: Wang Hai
+Acked-by: Thomas Zimmermann
+Signed-off-by: Helge Deller
+Acked-by: Thomas Zimmermann
+---
+ drivers/video/fbdev/smscufx.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/video/fbdev/smscufx.c b/drivers/video/fbdev/smscufx.c
+index bfac3ee4a6422..28768c272b73d 100644
+--- a/drivers/video/fbdev/smscufx.c
++++ b/drivers/video/fbdev/smscufx.c
+@@ -1656,6 +1656,7 @@ static int ufx_usb_probe(struct usb_interface *interface,
+ info->par = dev;
+ info->pseudo_palette = dev->pseudo_palette;
+ info->fbops = &ufx_ops;
++ INIT_LIST_HEAD(&info->modelist);
+
+ retval = fb_alloc_cmap(&info->cmap, 256, 0);
+ if (retval < 0) {
+@@ -1666,8 +1667,6 @@ static int ufx_usb_probe(struct usb_interface *interface,
+ INIT_DELAYED_WORK(&dev->free_framebuffer_work,
+ ufx_free_framebuffer_work);
+
+- INIT_LIST_HEAD(&info->modelist);
+-
+ retval = ufx_reg_read(dev, 0x3000, &id_rev);
+ check_warn_goto_error(retval, "error %d reading 0x3000 register from device", retval);
+ dev_dbg(dev->gdev, "ID_REV register value 0x%08x", id_rev);
+--
+2.36.0
+
diff --git a/series.conf b/series.conf
index af48d0d..4b970af 100644
--- a/series.conf
+++ b/series.conf
@@ -61028,6 +61028,7 @@
 patches.suse/NFSD-prevent-underflow-in-nfssvc_decode_writeargs.patch
 patches.suse/printk-Add-panic_in_progress-helper.patch
 patches.suse/printk-disable-optimistic-spin-during-panic.patch
+ patches.suse/0008-video-fbdev-smscufx-Fix-null-ptr-deref-in-ufx_usb_pr.patch
 patches.suse/ALSA-pcm-Fix-races-among-concurrent-hw_params-and-hw.patch
 patches.suse/ALSA-pcm-Fix-races-among-concurrent-read-write-and-b.patch
 patches.suse/ALSA-pcm-Fix-races-among-concurrent-prepare-and-hw_p.patch
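Review bot: Nothing at the relocated `INIT_LIST_HEAD(&info->modelist);` in the inner hunk at `@@ -1656,6 +1656,7 @@` of the added smscufx patch records why it has to sit before `fb_alloc_cmap()`, so a later reshuffle of the probe setup could bring back the NULL dereference in fb_destroy_modelist() that the commit message describes. A one-line comment above it would pin the invariant, for example `/* modelist must be initialized before any failure path that calls fb_destroy_modelist() */`. ufx_usb_probe() starts before and continues after both inner hunks, and its error labels are not visible here, so when applying the backport it is worth confirming that no earlier `goto` reaches the same cleanup ahead of this line.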