[Top posting to make this easily processable]

TWIMC, Ben (now CCed) meanwhile reported the problem as well:
https://lore.kernel.org/all/[email protected]/

There he wrote

"""
This can be fixed by backporting the following commits from 5.11:

7a089ec7d77f console: Delete unused con_font_copy() callback implementations
259a252c1f4e console: Delete dummy con_font_set() and con_font_default() callback implementations
4ee573086bd8 Fonts: Add charcount field to font_desc
4497364e5f61 parisc/sticore: Avoid hard-coding built-in font charcount
a1ac250a82a5 fbcon: Avoid using FNTCHARCNT() and hard-coded built-in font charcount

These all apply without fuzz and build cleanly for x86_64 and parisc64.
"""

Ciao, Thorsten

On 12/27/25 03:04, Barry K. Nathan wrote:
> On 12/26/25 4:21 AM, Vitaly Chikunov wrote:
>> Dear linux-fbdev, stable,
>>
>> On Fri, Dec 26, 2025 at 01:29:13AM +0300, Vitaly Chikunov wrote:
>>>
>>> On Mon, Oct 20, 2025 at 09:47:01PM +0800, Junjie Cao wrote:
>>>> bit_putcs_aligned()/unaligned() derived the glyph pointer from the
>>>> character value masked by 0xff/0x1ff, which may exceed the actual
>>>> font's
>>>> glyph count and read past the end of the built-in font array.
>>>> Clamp the index to the actual glyph count before computing the address.
>>>>
>>>> This fixes a global out-of-bounds read reported by syzbot.
>>>>
>>>> Reported-by: [email protected]
>>>> Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
>>>> Tested-by: [email protected]
>>>> Signed-off-by: Junjie Cao <[email protected]>
>>>
>>> This commit is applied to v5.10.247 and causes a regression: when
>>> switching VT with ctrl-alt-f2 the screen is blank or completely filled
>>> with angle characters, then new text is not appearing (or not visible).
>>>
>>> This commit is found with git bisect from v5.10.246 to v5.10.247:
>>>
>>> 0998a6cb232674408a03e8561dc15aa266b2f53b is the first bad commit
>>> commit 0998a6cb232674408a03e8561dc15aa266b2f53b
>>> Author: Junjie Cao <[email protected]>
>>> AuthorDate: 2025-10-20 21:47:01 +0800
>>> Commit: Greg Kroah-Hartman <[email protected]>
>>> CommitDate: 2025-12-07 06:08:07 +0900
>>>
>>> fbdev: bitblit: bound-check glyph index in bit_putcs*
>>>
>>> commit 18c4ef4e765a798b47980555ed665d78b71aeadf upstream.
>>>
>>> bit_putcs_aligned()/unaligned() derived the glyph pointer from
>>> the
>>> character value masked by 0xff/0x1ff, which may exceed the
>>> actual font's
>>> glyph count and read past the end of the built-in font array.
>>> Clamp the index to the actual glyph count before computing the
>>> address.
>>>
>>> This fixes a global out-of-bounds read reported by syzbot.
>>>
>>> Reported-by:
>>> [email protected]
>>> Closes: https://syzkaller.appspot.com/bug?
>>> extid=793cf822d213be1a74f2
>>> Tested-by: [email protected]
>>> Signed-off-by: Junjie Cao <[email protected]>
>>> Reviewed-by: Thomas Zimmermann <[email protected]>
>>> Signed-off-by: Helge Deller <[email protected]>
>>> Cc: [email protected]
>>> Signed-off-by: Greg Kroah-Hartman <[email protected]>
>>>
>>> drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++----
>>> 1 file changed, 12 insertions(+), 4 deletions(-)
>>>
>>> The minimal reproducer in cli, after kernel is booted:
>>>
>>> date >/dev/tty2; chvt 2
>>>
>>> and the date does not appear.
>>>
>>> Thanks,
>>>
>>> #regzbot introduced: 0998a6cb232674408a03e8561dc15aa266b2f53b
>>>
>>>> ---
>>>> v1: https://lore.kernel.org/linux-fbdev/5d237d1a-a528-4205-
>>>> [email protected]/
>>>> v1 -> v2:
>>>> - Fix indentation and add blank line after declarations with
>>>> the .pl helper
>>>> - No functional changes
>>>>
>>>> drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++----
>>>> 1 file changed, 12 insertions(+), 4 deletions(-)
>>>>
>>>> diff --git a/drivers/video/fbdev/core/bitblit.c b/drivers/video/
>>>> fbdev/core/bitblit.c
>>>> index 9d2e59796c3e..085ffb44c51a 100644
>>>> --- a/drivers/video/fbdev/core/bitblit.c
>>>> +++ b/drivers/video/fbdev/core/bitblit.c
>>>> @@ -79,12 +79,16 @@ static inline void bit_putcs_aligned(struct
>>>> vc_data *vc, struct fb_info *info,
>>>> struct fb_image *image, u8 *buf, u8 *dst)
>>>> {
>>>> u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
>>>> + unsigned int charcnt = vc->vc_font.charcount;
>>
>> Perhaps, vc->vc_font.charcount (which is relied upon in the following
>> comparison) is not always set correctly in v5.10.247. At least two
>> commits that set vc_font.charcount are missing from v5.10.247:
>>
>> a1ac250a82a5 ("fbcon: Avoid using FNTCHARCNT() and hard-coded
>> built-in font charcount")
>> a5a923038d70 ("fbdev: fbcon: Properly revert changes when
>> vc_resize() failed")
>>
>> Thanks,
>
> I was just about to report this.
>
> I found two ways to fix this bug. One is to revert this patch; the other
> is to apply the following 3 patches, which are already present in 5.11
> and later:
>
> 7a089ec7d77fe7d50f6bb7b178fa25eec9fd822b
> console: Delete unused con_font_copy() callback implementations
>
> 4ee573086bd88ff3060dda07873bf755d332e9ba
> Fonts: Add charcount field to font_desc
>
> a1ac250a82a5e97db71f14101ff7468291a6aaef
> fbcon: Avoid using FNTCHARCNT() and hard-coded built-in font
> charcount
>
> (Oh, by the way, this same regression also affects 5.4.302, and the same
> 3 patches fix the regression on 5.4 as well, once you manually fix merge
> conflicts. Maybe it would be better to backport other additional commits
> instead of fixing the merge conflicts manually, but since 5.4 is now EOL
> I didn't dig that deep.)
>
> Once these 3 patches are applied, I wonder if a5a923038d70 now becomes
> necessary for 5.10.y. For what it's worth, it applies fine and the
> resulting kernel seems to run OK in brief testing.
>
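Review bot: the new `unsigned int charcnt = vc->vc_font.charcount;` at the top of bit_putcs_aligned() makes the bound check only as reliable as that field, and nothing in the hunk verifies it was populated; on a branch where vc_font.charcount can stay unset (Vitaly notes v5.10.247 lacks a1ac250a82a5 and a5a923038d70, which set it), the comparison against charcnt rejects in-range glyph indices and the console stops rendering, which is the blank VT reported above. A backport should therefore carry the commits that populate vc_font.charcount together with this one, or otherwise use a bound that is known on that branch when charcount is 0 instead of treating every glyph as out of range.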

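A constructed C model of the glyph lookup this thread is about, added here as an illustration and not kernel code: the mask-only lookup the patch replaced (which can index past a small font), the charcount clamp the patch introduced, and what that clamp does when vc_font.charcount was never populated, as reported for v5.10.247 above. The font data, its 4-glyph size and the "out of range maps to glyph 0" choice are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed 8x8 font: 8 bytes per glyph, only 4 glyphs defined. */
#define CELLSIZE 8
#define NGLYPHS  4
static const uint8_t font_data[NGLYPHS * CELLSIZE] = {
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* glyph 0: blank */
	0x18, 0x24, 0x42, 0x7e, 0x42, 0x42, 0x42, 0x00, /* glyph 1: 'A' */
	0x7c, 0x42, 0x7c, 0x42, 0x42, 0x42, 0x7c, 0x00, /* glyph 2: 'B' */
	0x3c, 0x42, 0x40, 0x40, 0x40, 0x42, 0x3c, 0x00, /* glyph 3: 'C' */
};

struct model_font {
	const uint8_t *data;
	unsigned int charcount; /* mirrors vc_font.charcount; 0 = never populated */
};

/* Pre-patch lookup: mask only. The byte offset can run past the font array. */
size_t glyph_offset_masked(uint16_t ch, int hi_font)
{
	uint16_t charmask = hi_font ? 0x1ff : 0xff;

	return (size_t)(ch & charmask) * CELLSIZE;
}

/* Patched lookup: clamp against charcount; an out-of-range index maps to
 * glyph 0 (an assumption of this model). Only correct if charcount was set:
 * with charcount == 0 every glyph, valid or not, collapses to glyph 0. */
size_t glyph_offset_clamped(const struct model_font *f, uint16_t ch, int hi_font)
{
	uint16_t charmask = hi_font ? 0x1ff : 0xff;
	uint16_t idx = ch & charmask;

	if (idx >= f->charcount)
		idx = 0;
	return (size_t)idx * CELLSIZE;
}

/* 1 if reading one glyph at this offset stays inside font_data. */
int offset_in_bounds(size_t off)
{
	return off + CELLSIZE <= sizeof(font_data);
}
```

Running the model with charcount set to NGLYPHS shows the clamp stopping the out-of-bounds read; running it with charcount left at 0 reproduces the regression, where even glyph 2 ('B') is drawn as the blank glyph 0.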