Re: [PATCH] drm/bridge: megachips: Fix a null pointer dereference bug

2022-08-30 Thread Zheyu Ma
Hi Robert, On Mon, Aug 29, 2022 at 11:03 PM Robert Foss wrote: > > On Sat, 16 Jul 2022 at 10:13, Zheyu Ma wrote: > > > > When removing the module we will get the following warning: > > > > [ 31.911505] i2c-core: driver [stdp2690-ge-b850v3-fw] unregiste

[PATCH v2] drm/bridge: megachips: Fix a null pointer dereference bug

2022-08-30 Thread Zheyu Ma
idges are probed before registration") Signed-off-by: Zheyu Ma --- Changes in v2: - Alignment format --- drivers/gpu/drm/bridge/megachips-stdp-ge-b850v3-fw.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/bridge/megachips-stdp-ge-b850

Re: [PATCH 0/3] Fix bugs in *_set_par() caused by user input

2022-08-04 Thread Zheyu Ma
Hello, On Thu, Aug 4, 2022 at 10:43 PM Ondrej Zajicek wrote: > > On Thu, Aug 04, 2022 at 08:41:22PM +0800, Zheyu Ma wrote: > > In the function *_set_par(), the value of 'screen_size' is > > calculated by the user input. If the user provides the improper value, > >

[PATCH 0/3] Fix bugs in *_set_par() caused by user input

2022-08-04 Thread Zheyu Ma
In the function *_set_par(), the value of 'screen_size' is calculated by the user input. If the user provides the improper value, the value of 'screen_size' may be larger than 'info->screen_size', which may cause a bug in the memset_io(). Zheyu Ma (3): video: f

[PATCH 3/3] video: fbdev: s3fb: Check the size of screen before memset_io()

2022-08-04 Thread Zheyu Ma
set_var+0x604/0xeb0 [ 54.083836] do_fb_ioctl+0x234/0x670 Fix this by checking the value of 'screen_size' before memset_io(). Fixes: a268422de8bf ("[PATCH] fbdev driver for S3 Trio/Virge") Signed-off-by: Zheyu Ma --- drivers/video/fbdev/s3fb.c | 2 ++ 1 file changed, 2 i

[PATCH 2/3] video: fbdev: arkfb: Check the size of screen before memset_io()

2022-08-04 Thread Zheyu Ma
9.399130] fb_set_var+0x604/0xeb0 [ 659.399161] do_fb_ioctl+0x234/0x670 [ 659.399189] fb_ioctl+0xdd/0x130 Fix this by checking the value of 'screen_size' before memset_io(). Fixes: 681e14730c73 ("arkfb: new framebuffer driver for ARK Logic cards") Signed-off-by: Zheyu Ma ---

[PATCH 1/3] video: fbdev: vt8623fb: Check the size of screen before memset_io()

2022-08-04 Thread Zheyu Ma
3.339146] fb_set_var+0x604/0xeb0 [ 583.339181] do_fb_ioctl+0x234/0x670 [ 583.339209] fb_ioctl+0xdd/0x130 Fix this by checking the value of 'screen_size' before memset_io(). Fixes: 558b7bd86c32 ("vt8623fb: new framebuffer driver for VIA VT8623") Signed-off-by: Zheyu Ma ---

Re: [BUG] video: fbdev: arkfb: Found a divide-by-zero bug which may cause DoS

2022-08-03 Thread Zheyu Ma
Hi, On Mon, Aug 1, 2022 at 12:35 PM Helge Deller wrote: > > * Zheyu Ma : > > I found a bug in the arkfb driver in the latest kernel, which may cause DoS. > > > > The reason for this bug is that the user controls some input to ioctl, > > making 'mode' 0x7

[PATCH] video: fbdev: i740fb: Check the argument of i740_calc_vclk()

2022-08-03 Thread Zheyu Ma
ev/core/fbmem.c:1189 Fix this by checking the argument of i740_calc_vclk() first. Signed-off-by: Zheyu Ma --- drivers/video/fbdev/i740fb.c | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/video/fbdev/i740fb.c b/drivers/video/fbdev/i740fb.c index 09dd85553d4f.

[PATCH] video: fbdev: arkfb: Fix a divide-by-zero bug in ark_set_pixclock()

2022-08-03 Thread Zheyu Ma
argument of ark_set_pixclock() first. Fixes: 681e14730c73 ("arkfb: new framebuffer driver for ARK Logic cards") Signed-off-by: Zheyu Ma --- drivers/video/fbdev/arkfb.c | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/video/fbdev/arkfb.c b/drivers/vide

[BUG] video: fbdev: arkfb: Found a divide-by-zero bug which may cause DoS

2022-07-27 Thread Zheyu Ma
< 0) { perror("Failed to call the ioctl"); return 1; } return 0; } The easiest patch is to check the value of the argument 'pixclock' in the ark_set_pixclock function, but this is perhaps too late, should we do this check earlier? I'm not sure, so I'll report this bug to you. regards, Zheyu Ma

[BUG] most: usb: Found a bug at the probe time

2022-07-16 Thread Zheyu Ma
> 0b 49 8d 5f 38 48 89 df be 04 00 00 00 e8 df 2e 73 ff b8 ff ff [ 15.416529] Call Trace: [ 15.416896] hdm_probe+0xf3d/0x1090 [most_usb] Since I'm not familiar with the driver, I ask for your help to solve the warning. regards, Zheyu Ma

[PATCH] drm/bridge: megachips: Fix a null pointer dereference bug

2022-07-16 Thread Zheyu Ma
, stdp4028) do not probe at the same time, so the driver does not call ge_b850v3_register() when probing, causing the driver to try to remove the object that has not been initialized. Fix this by checking whether both the bridges are probed. Signed-off-by: Zheyu Ma --- drivers/gpu/drm/bridge/megachips

Re: [PATCH 1/7] video: fbdev: i740fb: Error out if 'pixclock' equals zero

2022-04-07 Thread Zheyu Ma
On Fri, Apr 8, 2022 at 3:50 AM Helge Deller wrote: > > On 4/4/22 10:47, Zheyu Ma wrote: > > The userspace program could pass any values to the driver through > > ioctl() interface. If the driver doesn't check the value of 'pixclock', > > it may cause div

Re: [BUG] fbdev: i740fb: Divide error when ‘var->pixclock’ is zero

2022-04-05 Thread Zheyu Ma
>>> > >>> On Sun, Apr 3, 2022 at 5:41 PM Helge Deller wrote: > >>>> On 4/3/22 13:26, Zheyu Ma wrote: > >>>>> I found a bug in the function i740fb_set_par(). > >>>> > >>>> Nice catch! > >>>> > >>

[PATCH 7/7] video: fbdev: s3fb: Error out if 'pixclock' equals zero

2022-04-04 Thread Zheyu Ma
+0x3b/0x90 Signed-off-by: Zheyu Ma --- drivers/video/fbdev/s3fb.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/video/fbdev/s3fb.c b/drivers/video/fbdev/s3fb.c index 5c74253e7b2c..b93c8eb02336 100644 --- a/drivers/video/fbdev/s3fb.c +++ b/drivers/video/fbdev/s3fb.c @@ -5

[PATCH 6/7] video: fbdev: arkfb: Error out if 'pixclock' equals zero

2022-04-04 Thread Zheyu Ma
or: [#1] PREEMPT SMP KASAN PTI [ 76.603712] RIP: 0010:arkfb_set_par+0x10fc/0x24f0 [ 76.603762] Call Trace: [ 76.603764] [ 76.603773] fb_set_var+0x604/0xeb0 [ 76.603827] do_fb_ioctl+0x234/0x670 [ 76.603873] fb_ioctl+0xdd/0x130 [ 76.603881] do_syscall_64+0x3b/0x90 Signed-off-b

[PATCH 5/7] video: fbdev: tridentfb: Error out if 'pixclock' equals zero

2022-04-04 Thread Zheyu Ma
or: [#1] PREEMPT SMP KASAN PTI [ 38.260733] RIP: 0010:tridentfb_check_var+0x853/0xe60 [ 38.260791] Call Trace: [ 38.260793] [ 38.260796] fb_set_var+0x367/0xeb0 [ 38.260879] do_fb_ioctl+0x234/0x670 [ 38.260922] fb_ioctl+0xdd/0x130 [ 38.260930] do_syscall_64+0x3b/0x90

[PATCH 4/7] video: fbdev: vt8623fb: Error out if 'pixclock' equals zero

2022-04-04 Thread Zheyu Ma
do_syscall_64+0x3b/0x90 Signed-off-by: Zheyu Ma --- drivers/video/fbdev/vt8623fb.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/video/fbdev/vt8623fb.c b/drivers/video/fbdev/vt8623fb.c index 7a959e5ba90b..a92a8c670cf0 100644 --- a/drivers/video/fbdev/vt8623fb.c +++ b/drive

[PATCH 3/7] video: fbdev: kyro: Error out if 'lineclock' equals zero

2022-04-04 Thread Zheyu Ma
error: [#1] PREEMPT SMP KASAN PTI [ 33.404932] RIP: 0010:kyrofb_set_par+0x30d/0xd80 [ 33.404976] Call Trace: [ 33.404978] [ 33.404987] fb_set_var+0x604/0xeb0 [ 33.405038] do_fb_ioctl+0x234/0x670 [ 33.405083] fb_ioctl+0xdd/0x130 [ 33.405091] do_syscall_64+0x3b/0x90

[PATCH 2/7] video: fbdev: neofb: Fix the check of 'var->pixclock'

2022-04-04 Thread Zheyu Ma
[#1] PREEMPT SMP KASAN PTI [ 49.704593] RIP: 0010:neofb_set_par+0x190f/0x49a0 [ 49.704635] Call Trace: [ 49.704636] [ 49.704650] fb_set_var+0x604/0xeb0 [ 49.704702] do_fb_ioctl+0x234/0x670 [ 49.704745] fb_ioctl+0xdd/0x130 [ 49.704753] do_syscall_64+0x3b/0x90 Signed-off-by: Zhe

[PATCH 1/7] video: fbdev: i740fb: Error out if 'pixclock' equals zero

2022-04-04 Thread Zheyu Ma
0x670 drivers/video/fbdev/core/fbmem.c:1112 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1191 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] Signed-off-by: Zheyu Ma --- drivers/video/fbdev/i740fb.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/dri

[PATCH 0/7] Fix divide errors in fbdev drivers

2022-04-04 Thread Zheyu Ma
rg/all/ypgbhmtlqqb1k...@ravnborg.org/ Zheyu Ma (7): video: fbdev: i740fb: Error out if 'pixclock' equals zero video: fbdev: neofb: Fix the check of 'var->pixclock' video: fbdev: kyro: Error out if 'lineclock' equals zero video: fbdev: vt8623fb: Error out if 'pix

Re: [BUG] fbdev: i740fb: Divide error when ‘var->pixclock’ is zero

2022-04-03 Thread Zheyu Ma
On Sun, Apr 3, 2022, 23:02 Helge Deller wrote: > On 4/3/22 13:26, Zheyu Ma wrote: > > Hi, > > > > I found a bug in the function i740fb_set_par(). > > Nice catch! > > > When the user calls the ioctl system call without setting the value to > > 'var->

[BUG] fbdev: i740fb: Divide error when ‘var->pixclock’ is zero

2022-04-03 Thread Zheyu Ma
.c:1112 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1191 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] Regards, Zheyu Ma

Re: [PATCH] drm: drm_bufs: Error out if 'dev->agp' is a null pointer

2022-03-22 Thread Zheyu Ma
On Tue, Mar 22, 2022 at 10:27 PM Daniel Vetter wrote: > > On Mon, Mar 21, 2022 at 09:02:47PM +0800, Zheyu Ma wrote: > > On Thu, Mar 17, 2022 at 6:49 PM Daniel Vetter wrote: > > > > > > On Fri, Mar 11, 2022 at 07:23:02AM +, Zheyu Ma wrote: > >

Re: [PATCH] drm: drm_bufs: Error out if 'dev->agp' is a null pointer

2022-03-21 Thread Zheyu Ma
On Thu, Mar 17, 2022 at 6:49 PM Daniel Vetter wrote: > > On Fri, Mar 11, 2022 at 07:23:02AM +, Zheyu Ma wrote: > > The user program can control the 'drm_buf_desc::flags' via ioctl system > > call and enter the function drm_legacy_addbufs_agp(). If the driver >

[PATCH] drm: drm_bufs: Error out if 'dev->agp' is a null pointer

2022-03-10 Thread Zheyu Ma
/0xae Fix this bug by adding a check. Signed-off-by: Zheyu Ma --- drivers/gpu/drm/drm_bufs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_bufs.c b/drivers/gpu/drm/drm_bufs.c index fcca21e8efac..4fe2363b1e34 100644 --- a/drivers/gpu/drm/drm_bufs.c +++ b/

Re: [PATCH] video: fbdev: sm712fb: Fix crash in smtcfb_write()

2022-03-02 Thread Zheyu Ma
Hi, On Thu, Mar 3, 2022 at 12:49 AM Helge Deller wrote: > > On 3/2/22 15:33, Zheyu Ma wrote: > > When the sm712fb driver writes three bytes to the framebuffer, the > > driver will crash: > > > > BUG: unable to handle page fault for address: c90001ff

[PATCH] video: fbdev: sm712fb: Fix crash in smtcfb_write()

2022-03-02 Thread Zheyu Ma
/0x340 ksys_write+0xce/0x190 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae Fix it by removing the open-coded endianness fixup-code. Signed-off-by: Zheyu Ma --- drivers/video/fbdev/sm712fb.c | 21 - 1 file changed, 4 insertions(+), 17 deletions

Re: [BUG] fbdev: sm712fb: Page fault in smtcfb_read

2022-02-26 Thread Zheyu Ma
On Sat, Feb 26, 2022 at 11:03 PM Helge Deller wrote: > > * Zheyu Ma : > > I found a minor in the smtcfb_read() function of the driver sm712fb. > > > > This read function can not handle the case that the size of the > > buffer is 3 and does not check for it

[BUG] fbdev: sm712fb: Page fault in smtcfb_read

2022-02-26 Thread Zheyu Ma
read+0x230/0x3e0 [ 2432.626551] Call Trace: [ 2432.626770] [ 2432.626950] vfs_read+0x198/0xa00 [ 2432.627225] ? do_sys_openat2+0x27d/0x350 [ 2432.627552] ? __fget_light+0x54/0x340 [ 2432.627871] ksys_read+0xce/0x190 [ 2432.628143] do_syscall_64+0x43/0x90 Regards, Zheyu Ma

[BUG] fbdev: sm712fb: Page fault in smtcfb_write()

2022-02-26 Thread Zheyu Ma
/0x340 [ 1830.931504] ksys_write+0xce/0x190 [ 1830.931784] do_syscall_64+0x43/0x90 Regards, Zheyu Ma

Re: [PATCH] video: fbdev: cirrusfb: check pixclock to avoid divide by zero

2021-10-25 Thread Zheyu Ma
gt; index 93802ab..099ddcb 100644 > > > > --- a/drivers/video/fbdev/cirrusfb.c > > > > +++ b/drivers/video/fbdev/cirrusfb.c > > > > @@ -477,6 +477,9 @@ static int cirrusfb_check_pixclock(const struct fb_var_screeninfo *var, > > > > struct cirrusfb_info *

[PATCH 2/2] fbdev: fbmem: Fix double free of 'fb_info->pixmap.addr'

2021-10-09 Thread Zheyu Ma
3196] cleanup_module+0x15/0x1c [savagefb] [ 37.343543] __se_sys_delete_module+0x398/0x490 [ 37.343881] __x64_sys_delete_module+0x56/0x60 [ 37.344221] do_syscall_64+0x4d/0xc0 [ 37.344492] entry_SYSCALL_64_after_hwframe+0x44/0xae Signed-off-by: Zheyu Ma --- drivers/video/fbdev/core/fbmem.

[PATCH v2 3/3] video: fbdev: riva: Error out if 'pixclock' equals zero

2021-07-26 Thread Zheyu Ma
__mutex_lock+0x620/0x1190 [ 33.397180] ? trace_hardirqs_on+0x6a/0x1c0 [ 33.397190] do_fb_ioctl+0x31e/0x700 Signed-off-by: Zheyu Ma --- Changes in v2: - Make commit log more descriptive --- drivers/video/fbdev/riva/fbdev.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/v

[PATCH v2 2/3] video: fbdev: kyro: Error out if 'pixclock' equals zero

2021-07-26 Thread Zheyu Ma
se+0x483/0x810 [ 103.074224] ? __fget_files+0x217/0x3d0 [ 103.074234] ? __fget_files+0x239/0x3d0 [ 103.074243] ? do_fb_ioctl+0x700/0x700 [ 103.074250] fb_ioctl+0xe6/0x130 Signed-off-by: Zheyu Ma --- Changes in v2: - Make commit log more descriptive --- drivers/video/fbdev/kyro/fbdev.c |

[PATCH v2 1/3] video: fbdev: asiliantfb: Error out if 'pixclock' equals zero

2021-07-26 Thread Zheyu Ma
? trace_hardirqs_on+0x6a/0x1c0 [ 43.861978] do_fb_ioctl+0x31e/0x700 Signed-off-by: Zheyu Ma --- Changes in v2: - Make commit log more descriptive --- drivers/video/fbdev/asiliantfb.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/video/fbdev/asiliantfb.c b/drivers/video

[PATCH v2 0/3] Error out if 'pixclock' equals zero

2021-07-26 Thread Zheyu Ma
Zheyu Ma (3): video: fbdev: asiliantfb: Error out if 'pixclock' equals zero video: fbdev: kyro: Error out if 'pixclock' equals zero video: fbdev: riva: Error out if 'pixclock' equals zero drivers/video/fbdev/asiliantfb.c | 3 +++ drivers/video/fbdev/kyro/

Re: [PATCH 0/3] add checks against divide error

2021-07-26 Thread Zheyu Ma
On Mon, Jul 26, 2021 at 4:18 AM Sam Ravnborg wrote: > > Hi Zheyu, > > On Sun, Jul 25, 2021 at 02:10:51AM +0000, Zheyu Ma wrote: > > Zheyu Ma (3): > > video: fbdev: kyro: add a check against divide error > > video: fbdev: riva: add a check against divide error

[PATCH 3/3] video: fbdev: asiliantfb: add a check against divide error

2021-07-24 Thread Zheyu Ma
? trace_hardirqs_on+0x6a/0x1c0 [ 43.861978] do_fb_ioctl+0x31e/0x700 Signed-off-by: Zheyu Ma --- drivers/video/fbdev/asiliantfb.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/video/fbdev/asiliantfb.c b/drivers/video/fbdev/asiliantfb.c index 3e006da47752..84c56f525889 100644

[PATCH 2/3] video: fbdev: riva: add a check against divide error

2021-07-24 Thread Zheyu Ma
__mutex_lock+0x620/0x1190 [ 33.397180] ? trace_hardirqs_on+0x6a/0x1c0 [ 33.397190] do_fb_ioctl+0x31e/0x700 Signed-off-by: Zheyu Ma --- drivers/video/fbdev/riva/fbdev.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/video/fbdev/riva/fbdev.c b/drivers/video/fbdev/riva/f

[PATCH 1/3] video: fbdev: kyro: add a check against divide error

2021-07-24 Thread Zheyu Ma
se+0x483/0x810 [ 103.074224] ? __fget_files+0x217/0x3d0 [ 103.074234] ? __fget_files+0x239/0x3d0 [ 103.074243] ? do_fb_ioctl+0x700/0x700 [ 103.074250] fb_ioctl+0xe6/0x130 Signed-off-by: Zheyu Ma --- drivers/video/fbdev/kyro/fbdev.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/dri

[PATCH 0/3] add checks against divide error

2021-07-24 Thread Zheyu Ma
Zheyu Ma (3): video: fbdev: kyro: add a check against divide error video: fbdev: riva: add a check against divide error video: fbdev: asiliantfb: add a check against divide error drivers/video/fbdev/asiliantfb.c | 3 +++ drivers/video/fbdev/kyro/fbdev.c | 3 +++ drivers/video/fbdev/riva

[PATCH] video: fbdev: neofb: add a check against divide error

2021-07-21 Thread Zheyu Ma
_irqrestore+0x46/0x60 [ 53.094085] ? trace_hardirqs_on+0x6a/0x1c0 [ 53.094096] do_fb_ioctl+0x31e/0x700 Signed-off-by: Zheyu Ma --- drivers/video/fbdev/neofb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/video/fbdev/neofb.c b/drivers/video/fbdev/neofb.c index c0f4f402da3f

Re: [PATCH v2] video: fbdev: kyro: fix a DoS bug by restricting user input

2021-07-20 Thread Zheyu Ma
On Tue, Jul 20, 2021 at 2:50 AM Sam Ravnborg wrote: > > Hi Zheyu, > On Wed, Jul 14, 2021 at 04:09:22AM +0000, Zheyu Ma wrote: > > The user can pass in any value to the driver through the 'ioctl' > > interface. The driver does not check, which may cause DoS bugs. >

[PATCH] drm/ttm: add a check against null pointer dereference

2021-07-15 Thread Zheyu Ma
7.914358 ] radeon_driver_load_kms+0x13a/0x200 [7.914358 ] ? radeon_driver_unload_kms+0xe0/0xe0 [7.914358 ] drm_dev_register+0x1db/0x290 [7.914358 ] radeon_pci_probe+0x16a/0x230 [7.914358 ] local_pci_probe+0x4a/0xb0 Signed-off-by: Zheyu Ma --- drivers/gpu/drm/ttm/ttm_range_manager.c | 3 +

[PATCH v2] video: fbdev: kyro: fix a DoS bug by restricting user input

2021-07-14 Thread Zheyu Ma
fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __x64_sys_ioctl+0x19b/0x220 fs/ioctl.c:739 do_syscall_64+0x32/0x80 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae Signed-off-by: Zheyu Ma --- Changes in v2: - Validate

[PATCH] video: fbdev: kyrofb: fix a DoS bug by restricting user input

2021-07-13 Thread Zheyu Ma
ideo/fbdev/core/fbmem.c:1185 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __x64_sys_ioctl+0x19b/0x220 fs/ioctl.c:739 do_syscall_64+0x32/0x80 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae Signed-off-by