ACK: RE: [SRU Bionic 0/1] UBUNTU: SAUCE: fbdev: remove redundant lock_fb_info

Cory Todd cory.todd at canonical.com
Fri Sep 23 23:08:20 UTC 2022 

On Sat, Sep 24, 2022 at 01:31:23AM +0300, Cengiz Can wrote:

> BugLink: https://bugs.launchpad.net/bugs/1990690
> 
> SRU Justification:
> 
> [Impact]
> One of the fixing commits for CVE-2021-33655, commit 159a96b199b4
> ("fbcon: Prevent that screen size is smaller than font size")
> introduced a redundant lock_fb_info line into the ioctl flow in fbmem.c.
> 
> Users belonging to video group may trigger a deadlock and potentially
> lock the system.
> 
> ```
> ============================================
> WARNING: possible recursive locking detected
> 4.15.0-195-generic #206 Not tainted
> --------------------------------------------
> refresh/1248 is trying to acquire lock:
>   (&fb_info->lock){+.+.}, at: [<000000004c154cfe>] lock_fb_info+0x1d/0x40
> 
> but task is already holding lock:
>   (&fb_info->lock){+.+.}, at: [<000000004c154cfe>] lock_fb_info+0x1d/0x40
> 
> other info that might help us debug this:
>   Possible unsafe locking scenario:
>         CPU0
>         ----
>    lock(&fb_info->lock);
>    lock(&fb_info->lock);
> 
> *** DEADLOCK ***
>   May be due to missing lock nesting notation
>  2 locks held by refresh/1248:
>   #0: (console_lock){+.+.}, at: [<000000008000aa2b>] do_fb_ioctl+0x435/0x5e0
>   #1: (&fb_info->lock){+.+.}, at: [<000000004c154cfe>] lock_fb_info+0x1d/0x40
> ```
> 
> [Test case]
> Ran a sample framebuffer userspace test which calls FBIOPUT_VSCREENINFO.
> 
> Verified that deadlock is producible.
> 
> After removing redundant lock_fb_info, same test program no longer
> causes a deadlock.
> 
> [Potential regressions]
> There are no new potential regressions.
> 
> Cengiz Can (1):
>   UBUNTU: SAUCE: fbdev: remove redundant lock_fb_info
> 
>  drivers/video/fbdev/core/fbmem.c | 1 -
>  1 file changed, 1 deletion(-)
> 

Acked-by: Cory Todd <cory.todd at canonical.com>

- corytodd
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20220923/731914df/attachment.sig>

More information about the kernel-team mailing list