R0dn3yS/android_kernel_xiaomi_sm7250
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1bce094085
android_kernel_xiaomi_sm7250/drivers/video/fbdev
History
Hyunwoo Kim 70faf9d9b6 fbdev: smscufx: Fix several use-after-free bugs 
commit cc67482c9e5f2c80d62f623bcc347c29f9f648e1 upstream.

Several types of UAFs can occur when physically removing a USB device.

Adds ufx_ops_destroy() function to .fb_destroy of fb_ops, and
in this function, there is kref_put() that finally calls ufx_free().

This fix prevents multiple UAFs.

Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Link: https://lore.kernel.org/linux-fbdev/20221011153436.GA4446@ubuntu/
Cc: <stable@vger.kernel.org>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-11-03 23:52:28 +09:00
..
aty video: fbdev: radeon: Fix memleak in radeonfb_pci_register 2020-10-29 09:55:09 +01:00
core fbcon: Fix boundary checks for fbcon=vc:n1-n2 parameters 2022-08-25 11:14:53 +02:00
geode
i810
intelfb
kyro video: fbdev: kyro: Error out if 'pixclock' equals zero 2021-09-22 11:48:04 +02:00
matrox
mb862xx
mbx
mmp
nvidia video: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow 2022-04-15 14:14:55 +02:00
omap
omap2 video: fbdev: omapfb: panel-tpo-td043mtea1: Use sysfs_emit() instead of snprintf() 2022-04-15 14:14:55 +02:00
riva video: fbdev: riva: Error out if 'pixclock' equals zero 2021-09-22 11:48:04 +02:00
savage
sis video: fbdev: sis: fix typos in SiS_GetModeID() 2022-08-25 11:15:24 +02:00
vermilion
via
68328fb.c
acornfb.c
acornfb.h
amba-clcd-nomadik.c
amba-clcd-nomadik.h
amba-clcd-versatile.c
amba-clcd-versatile.h
amba-clcd.c video: fbdev: amba-clcd: Fix refcount leak bugs 2022-08-25 11:15:24 +02:00
amifb.c
arcfb.c
arkfb.c video: fbdev: arkfb: Check the size of screen before memset_io() 2022-08-25 11:15:27 +02:00
asiliantfb.c video: fbdev: asiliantfb: Error out if 'pixclock' equals zero 2021-09-22 11:48:04 +02:00
atafb_iplan2p2.c
atafb_iplan2p4.c
atafb_iplan2p8.c
atafb_mfb.c
atafb_utils.h
atafb.c video: fbdev: atari: Atari 2 bpp (STe) palette bugfix 2022-04-15 14:14:41 +02:00
atafb.h
atmel_lcdfb.c video: fbdev: atmel_lcdfb: fix return error code in atmel_lcdfb_of_init() 2020-12-30 11:25:54 +01:00
au1100fb.c
au1100fb.h
au1200fb.c
au1200fb.h
broadsheetfb.c
bt431.h
bt455.h
bw2.c
c2p_core.h
c2p_iplan2.c
c2p_planar.c
c2p.h
carminefb_regs.h
carminefb.c
carminefb.h
cg3.c
cg6.c
cg14.c
chipsfb.c fbdev: chipsfb: Add missing pci_disable_device() in chipsfb_pci_init() 2022-09-15 12:17:05 +02:00
cirrusfb.c video: fbdev: cirrusfb: check pixclock to avoid divide by zero 2022-04-15 14:14:55 +02:00
clps711x-fb.c
clps711xfb.c
cobalt_lcdfb.c
controlfb.c
controlfb.h
cyber2000fb.c
cyber2000fb.h
da8xx-fb.c
dnfb.c
edid.h
efifb.c
ep93xx-fb.c
fb-puv3.c
ffb.c
fm2fb.c
fsl-diu-fb.c
g364fb.c
gbefb.c
goldfishfb.c
grvga.c
gxt4500.c
hecubafb.c
hgafb.c video: hgafb: correctly handle card detect failure during probe 2021-05-26 11:48:35 +02:00
hitfb.c
hpfb.c
hyperv_fb.c video: hyperv_fb: Fix the mmap() regression for v5.4.y and older 2021-01-12 20:10:20 +01:00
i740_reg.h
i740fb.c video: fbdev: i740fb: Check the argument of i740_calc_vclk() 2022-08-25 11:15:47 +02:00
imsttfb.c Revert "video: imsttfb: fix potential NULL pointer dereferences" 2021-05-26 11:48:34 +02:00
imxfb.c
jz4740_fb.c
Kconfig fbdev: aty: SPARC64 requires FB_ATY_CT 2021-03-04 09:39:38 +01:00
leo.c
macfb.c
macmodes.c
macmodes.h
Makefile
maxinefb.c
metronomefb.c
mx3fb.c
mxsfb.c
n411.c
neofb.c
nuc900fb.c
nuc900fb.h
ocfb.c
offb.c
p9100.c
platinumfb.c
platinumfb.h
pm2fb.c fbdev: fb_pm2fb: Avoid potential divide by zero error 2022-09-05 10:26:34 +02:00
pm3fb.c
pmag-aa-fb.c
pmag-ba-fb.c
pmagb-b-fb.c
ps3fb.c
pvr2fb.c video: fbdev: pvr2fb: initialize variables 2020-11-05 11:08:39 +01:00
pxa3xx-gcu.c video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write 2022-09-28 11:02:53 +02:00
pxa3xx-gcu.h
pxa168fb.c
pxa168fb.h
pxafb.c
pxafb.h
q40fb.c
s1d13xxxfb.c
s3c2410fb.c
s3c2410fb.h
s3c-fb.c
s3fb.c video: fbdev: s3fb: Check the size of screen before memset_io() 2022-08-25 11:15:27 +02:00
sa1100fb.c
sa1100fb.h
sbuslib.c
sbuslib.h
sh7760fb.c
sh_mobile_lcdcfb.c
sh_mobile_lcdcfb.h
simplefb.c
skeletonfb.c
sm501fb.c
sm712.h
sm712fb.c video: fbdev: sm712fb: Fix crash in smtcfb_write() 2022-04-15 14:14:56 +02:00
smscufx.c fbdev: smscufx: Fix several use-after-free bugs 2022-11-03 23:52:28 +09:00
ssd1307fb.c
sstfb.c
sticore.h
stifb.c parisc: fbdev/stifb: Align graphics memory size to 4MB 2022-10-26 13:19:21 +02:00
sunxvr500.c
sunxvr1000.c
sunxvr2500.c
tcx.c
tdfxfb.c
tgafb.c
tmiofb.c
tridentfb.c
udlfb.c video: fbdev: udlfb: replace snprintf in show functions with sysfs_emit 2022-04-15 14:14:55 +02:00
uvesafb.c
valkyriefb.c
valkyriefb.h
vesafb.c
vfb.c
vga16fb.c
vt8500lcdfb.c
vt8500lcdfb.h
vt8623fb.c video: fbdev: vt8623fb: Check the size of screen before memset_io() 2022-08-25 11:15:26 +02:00
w100fb.c video: fbdev: w100fb: Reset global state 2022-04-15 14:14:55 +02:00
w100fb.h
wm8505fb_regs.h
wm8505fb.c
wmt_ge_rops.c
wmt_ge_rops.h
xen-fbfront.c
xilinxfb.c