4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 31 Aug 2020 09:57:43 +0000 (11:57 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 31 Aug 2020 09:57:43 +0000 (11:57 +0200)
added patches:
fbcon-prevent-user-font-height-or-width-change-from-causing-potential-out-of-bounds-access.patch
serial-8250-change-lock-order-in-serial8250_do_startup.patch
serial-pl011-don-t-leak-amba_ports-entry-on-driver-register-error.patch
serial-samsung-removes-the-irq-not-found-warning.patch
usb-lvtest-return-proper-error-code-in-probe.patch
vt-defer-kfree-of-vc_screenbuf-in-vc_do_resize.patch
vt_ioctl-change-vt_resizex-ioctl-to-check-for-error-return-from-vc_resize.patch

queue-4.4/fbcon-prevent-user-font-height-or-width-change-from-causing-potential-out-of-bounds-access.patch [new file with mode: 0644]
queue-4.4/powerpc-perf-fix-soft-lockups-due-to-missed-interrup.patch
queue-4.4/serial-8250-change-lock-order-in-serial8250_do_startup.patch [new file with mode: 0644]
queue-4.4/serial-pl011-don-t-leak-amba_ports-entry-on-driver-register-error.patch [new file with mode: 0644]
queue-4.4/serial-samsung-removes-the-irq-not-found-warning.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/usb-lvtest-return-proper-error-code-in-probe.patch [new file with mode: 0644]
queue-4.4/vt-defer-kfree-of-vc_screenbuf-in-vc_do_resize.patch [new file with mode: 0644]
queue-4.4/vt_ioctl-change-vt_resizex-ioctl-to-check-for-error-return-from-vc_resize.patch [new file with mode: 0644]

diff --git a/queue-4.4/fbcon-prevent-user-font-height-or-width-change-from-causing-potential-out-of-bounds-access.patch b/queue-4.4/fbcon-prevent-user-font-height-or-width-change-from-causing-potential-out-of-bounds-access.patch
new file mode 100644 (file)
index 0000000..b07bb94
--- /dev/null
@@ -0,0 +1,79 @@
+From 39b3cffb8cf3111738ea993e2757ab382253d86a Mon Sep 17 00:00:00 2001
+From: George Kennedy <george.kennedy@oracle.com>
+Date: Fri, 31 Jul 2020 12:33:11 -0400
+Subject: fbcon: prevent user font height or width change from causing potential out-of-bounds access
+
+From: George Kennedy <george.kennedy@oracle.com>
+
+commit 39b3cffb8cf3111738ea993e2757ab382253d86a upstream.
+
+Add a check to fbcon_resize() to ensure that a possible change to user font
+height or user font width will not allow a font data out-of-bounds access.
+NOTE: must use original charcount in calculation as font charcount can
+change and cannot be used to determine the font data allocated size.
+
+Signed-off-by: George Kennedy <george.kennedy@oracle.com>
+Cc: stable <stable@vger.kernel.org>
+Reported-by: syzbot+38a3699c7eaf165b97a6@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/1596213192-6635-1-git-send-email-george.kennedy@oracle.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/console/fbcon.c |   25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+--- a/drivers/video/console/fbcon.c
++++ b/drivers/video/console/fbcon.c
+@@ -2117,6 +2117,9 @@ static void updatescrollmode(struct disp
+       }
+ }
++#define PITCH(w) (((w) + 7) >> 3)
++#define CALC_FONTSZ(h, p, c) ((h) * (p) * (c)) /* size = height * pitch * charcount */
++
+ static int fbcon_resize(struct vc_data *vc, unsigned int width, 
+                       unsigned int height, unsigned int user)
+ {
+@@ -2126,6 +2129,24 @@ static int fbcon_resize(struct vc_data *
+       struct fb_var_screeninfo var = info->var;
+       int x_diff, y_diff, virt_w, virt_h, virt_fw, virt_fh;
++      if (ops->p && ops->p->userfont && FNTSIZE(vc->vc_font.data)) {
++              int size;
++              int pitch = PITCH(vc->vc_font.width);
++
++              /*
++               * If user font, ensure that a possible change to user font
++               * height or width will not allow a font data out-of-bounds access.
++               * NOTE: must use original charcount in calculation as font
++               * charcount can change and cannot be used to determine the
++               * font data allocated size.
++               */
++              if (pitch <= 0)
++                      return -EINVAL;
++              size = CALC_FONTSZ(vc->vc_font.height, pitch, FNTCHARCNT(vc->vc_font.data));
++              if (size > FNTSIZE(vc->vc_font.data))
++                      return -EINVAL;
++      }
++
+       virt_w = FBCON_SWAP(ops->rotate, width, height);
+       virt_h = FBCON_SWAP(ops->rotate, height, width);
+       virt_fw = FBCON_SWAP(ops->rotate, vc->vc_font.width,
+@@ -2587,7 +2608,7 @@ static int fbcon_set_font(struct vc_data
+       int size;
+       int i, csum;
+       u8 *new_data, *data = font->data;
+-      int pitch = (font->width+7) >> 3;
++      int pitch = PITCH(font->width);
+       /* Is there a reason why fbconsole couldn't handle any charcount >256?
+        * If not this check should be changed to charcount < 256 */
+@@ -2603,7 +2624,7 @@ static int fbcon_set_font(struct vc_data
+       if (fbcon_invalid_charcount(info, charcount))
+               return -EINVAL;
+-      size = h * pitch * charcount;
++      size = CALC_FONTSZ(h, pitch, charcount);
+       new_data = kmalloc(FONT_EXTRA_WORDS * sizeof(int) + size, GFP_USER);
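Review bot: The guard `if (ops->p && ops->p->userfont && FNTSIZE(vc->vc_font.data))` keys the user-font test on `ops->p`; if that pointer tracks the foreground console's display rather than the display of `vc` (worth verifying in this tree), it can disagree with `vc->vc_font.data` when fbcon_resize() runs for a background console, so the size check is either skipped or `FNTSIZE()`/`FNTCHARCNT()` read header words in front of a built-in font table that has none. Keying on the display that belongs to `vc` itself, e.g. `fb_display[vc->vc_num].userfont`, would make the test independent of which console is in front. Separately, `size` is an `int` product of height, pitch and charcount, and this same series lets VT_RESIZEX write `vc_font.height` from user data; if the bounds on height, width and charcount are not enforced upstream of this call, computing the product in `unsigned long` or with a checked multiply would be safer than comparing a possibly wrapped value — confirm those bounds before changing it. fbcon_resize() continues outside the hunk.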
index b942c4b0ce3147ac3e5756c201174f99c07bd5dc..5ac60413019d7813ca5af622912be097ca0bdfe8 100644 (file)
@@ -33,14 +33,12 @@ Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
 Link: https://lore.kernel.org/r/1596717992-7321-1-git-send-email-atrajeev@linux.vnet.ibm.com
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
- arch/powerpc/perf/core-book3s.c | 4 ++++
+ arch/powerpc/perf/core-book3s.c |    4 ++++
  1 file changed, 4 insertions(+)
 
-diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c
-index 30e2e8efbe6b7..aab13558e9700 100644
 --- a/arch/powerpc/perf/core-book3s.c
 +++ b/arch/powerpc/perf/core-book3s.c
-@@ -2040,6 +2040,10 @@ static void record_and_restart(struct perf_event *event, unsigned long val,
+@@ -2040,6 +2040,10 @@ static void record_and_restart(struct pe
  
                if (perf_event_overflow(event, &data, regs))
                        power_pmu_stop(event, 0);
@@ -51,6 +49,3 @@ index 30e2e8efbe6b7..aab13558e9700 100644
        }
  }
  
--- 
-2.25.1
-
diff --git a/queue-4.4/serial-8250-change-lock-order-in-serial8250_do_startup.patch b/queue-4.4/serial-8250-change-lock-order-in-serial8250_do_startup.patch
new file mode 100644 (file)
index 0000000..3a4b18d
--- /dev/null
@@ -0,0 +1,215 @@
+From 205d300aea75623e1ae4aa43e0d265ab9cf195fd Mon Sep 17 00:00:00 2001
+From: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Date: Mon, 17 Aug 2020 11:26:46 +0900
+Subject: serial: 8250: change lock order in serial8250_do_startup()
+
+From: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+
+commit 205d300aea75623e1ae4aa43e0d265ab9cf195fd upstream.
+
+We have a number of "uart.port->desc.lock vs desc.lock->uart.port"
+lockdep reports coming from 8250 driver; this causes a bit of trouble
+to people, so let's fix it.
+
+The problem is reverse lock order in two different call paths:
+
+chain #1:
+
+ serial8250_do_startup()
+  spin_lock_irqsave(&port->lock);
+   disable_irq_nosync(port->irq);
+    raw_spin_lock_irqsave(&desc->lock)
+
+chain #2:
+
+  __report_bad_irq()
+   raw_spin_lock_irqsave(&desc->lock)
+    for_each_action_of_desc()
+     printk()
+      spin_lock_irqsave(&port->lock);
+
+Fix this by changing the order of locks in serial8250_do_startup():
+ do disable_irq_nosync() first, which grabs desc->lock, and grab
+ uart->port after that, so that chain #1 and chain #2 have same lock
+ order.
+
+Full lockdep splat:
+
+ ======================================================
+ WARNING: possible circular locking dependency detected
+ 5.4.39 #55 Not tainted
+ ======================================================
+
+ swapper/0/0 is trying to acquire lock:
+ ffffffffab65b6c0 (console_owner){-...}, at: console_lock_spinning_enable+0x31/0x57
+
+ but task is already holding lock:
+ ffff88810a8e34c0 (&irq_desc_lock_class){-.-.}, at: __report_bad_irq+0x5b/0xba
+
+ which lock already depends on the new lock.
+
+ the existing dependency chain (in reverse order) is:
+
+ -> #2 (&irq_desc_lock_class){-.-.}:
+        _raw_spin_lock_irqsave+0x61/0x8d
+        __irq_get_desc_lock+0x65/0x89
+        __disable_irq_nosync+0x3b/0x93
+        serial8250_do_startup+0x451/0x75c
+        uart_startup+0x1b4/0x2ff
+        uart_port_activate+0x73/0xa0
+        tty_port_open+0xae/0x10a
+        uart_open+0x1b/0x26
+        tty_open+0x24d/0x3a0
+        chrdev_open+0xd5/0x1cc
+        do_dentry_open+0x299/0x3c8
+        path_openat+0x434/0x1100
+        do_filp_open+0x9b/0x10a
+        do_sys_open+0x15f/0x3d7
+        kernel_init_freeable+0x157/0x1dd
+        kernel_init+0xe/0x105
+        ret_from_fork+0x27/0x50
+
+ -> #1 (&port_lock_key){-.-.}:
+        _raw_spin_lock_irqsave+0x61/0x8d
+        serial8250_console_write+0xa7/0x2a0
+        console_unlock+0x3b7/0x528
+        vprintk_emit+0x111/0x17f
+        printk+0x59/0x73
+        register_console+0x336/0x3a4
+        uart_add_one_port+0x51b/0x5be
+        serial8250_register_8250_port+0x454/0x55e
+        dw8250_probe+0x4dc/0x5b9
+        platform_drv_probe+0x67/0x8b
+        really_probe+0x14a/0x422
+        driver_probe_device+0x66/0x130
+        device_driver_attach+0x42/0x5b
+        __driver_attach+0xca/0x139
+        bus_for_each_dev+0x97/0xc9
+        bus_add_driver+0x12b/0x228
+        driver_register+0x64/0xed
+        do_one_initcall+0x20c/0x4a6
+        do_initcall_level+0xb5/0xc5
+        do_basic_setup+0x4c/0x58
+        kernel_init_freeable+0x13f/0x1dd
+        kernel_init+0xe/0x105
+        ret_from_fork+0x27/0x50
+
+ -> #0 (console_owner){-...}:
+        __lock_acquire+0x118d/0x2714
+        lock_acquire+0x203/0x258
+        console_lock_spinning_enable+0x51/0x57
+        console_unlock+0x25d/0x528
+        vprintk_emit+0x111/0x17f
+        printk+0x59/0x73
+        __report_bad_irq+0xa3/0xba
+        note_interrupt+0x19a/0x1d6
+        handle_irq_event_percpu+0x57/0x79
+        handle_irq_event+0x36/0x55
+        handle_fasteoi_irq+0xc2/0x18a
+        do_IRQ+0xb3/0x157
+        ret_from_intr+0x0/0x1d
+        cpuidle_enter_state+0x12f/0x1fd
+        cpuidle_enter+0x2e/0x3d
+        do_idle+0x1ce/0x2ce
+        cpu_startup_entry+0x1d/0x1f
+        start_kernel+0x406/0x46a
+        secondary_startup_64+0xa4/0xb0
+
+ other info that might help us debug this:
+
+ Chain exists of:
+   console_owner --> &port_lock_key --> &irq_desc_lock_class
+
+  Possible unsafe locking scenario:
+
+        CPU0                    CPU1
+        ----                    ----
+   lock(&irq_desc_lock_class);
+                                lock(&port_lock_key);
+                                lock(&irq_desc_lock_class);
+   lock(console_owner);
+
+  *** DEADLOCK ***
+
+ 2 locks held by swapper/0/0:
+  #0: ffff88810a8e34c0 (&irq_desc_lock_class){-.-.}, at: __report_bad_irq+0x5b/0xba
+  #1: ffffffffab65b5c0 (console_lock){+.+.}, at: console_trylock_spinning+0x20/0x181
+
+ stack backtrace:
+ CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.39 #55
+ Hardware name: XXXXXX
+ Call Trace:
+  <IRQ>
+  dump_stack+0xbf/0x133
+  ? print_circular_bug+0xd6/0xe9
+  check_noncircular+0x1b9/0x1c3
+  __lock_acquire+0x118d/0x2714
+  lock_acquire+0x203/0x258
+  ? console_lock_spinning_enable+0x31/0x57
+  console_lock_spinning_enable+0x51/0x57
+  ? console_lock_spinning_enable+0x31/0x57
+  console_unlock+0x25d/0x528
+  ? console_trylock+0x18/0x4e
+  vprintk_emit+0x111/0x17f
+  ? lock_acquire+0x203/0x258
+  printk+0x59/0x73
+  __report_bad_irq+0xa3/0xba
+  note_interrupt+0x19a/0x1d6
+  handle_irq_event_percpu+0x57/0x79
+  handle_irq_event+0x36/0x55
+  handle_fasteoi_irq+0xc2/0x18a
+  do_IRQ+0xb3/0x157
+  common_interrupt+0xf/0xf
+  </IRQ>
+
+Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Fixes: 768aec0b5bcc ("serial: 8250: fix shared interrupts issues with SMP and RT kernels")
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Reported-by: Raul Rangel <rrangel@google.com>
+BugLink: https://bugs.chromium.org/p/chromium/issues/detail?id=1114800
+Link: https://lore.kernel.org/lkml/CAHQZ30BnfX+gxjPm1DUd5psOTqbyDh4EJE=2=VAMW_VDafctkA@mail.gmail.com/T/#u
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Tested-by: Guenter Roeck <linux@roeck-us.net>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200817022646.1484638-1-sergey.senozhatsky@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_port.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -1902,6 +1902,10 @@ int serial8250_do_startup(struct uart_po
+       if (port->irq) {
+               unsigned char iir1;
++
++              if (port->irqflags & IRQF_SHARED)
++                      disable_irq_nosync(port->irq);
++
+               /*
+                * Test for UARTs that do not reassert THRE when the
+                * transmitter is idle and the interrupt has already
+@@ -1911,8 +1915,6 @@ int serial8250_do_startup(struct uart_po
+                * allow register changes to become visible.
+                */
+               spin_lock_irqsave(&port->lock, flags);
+-              if (up->port.irqflags & IRQF_SHARED)
+-                      disable_irq_nosync(port->irq);
+               wait_for_xmitr(up, UART_LSR_THRE);
+               serial_port_out_sync(port, UART_IER, UART_IER_THRI);
+@@ -1924,9 +1926,10 @@ int serial8250_do_startup(struct uart_po
+               iir = serial_port_in(port, UART_IIR);
+               serial_port_out(port, UART_IER, 0);
++              spin_unlock_irqrestore(&port->lock, flags);
++
+               if (port->irqflags & IRQF_SHARED)
+                       enable_irq(port->irq);
+-              spin_unlock_irqrestore(&port->lock, flags);
+               /*
+                * If the interrupt is not reasserted, or we otherwise
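Review bot: The moved `disable_irq_nosync(port->irq)` now runs before `spin_lock_irqsave(&port->lock, flags)` and its matching `enable_irq()` after the unlock, so the shared IRQ stays masked across a wider region than before; any early return or goto in the elided lines between the two hunks (outside this view) would leave it disabled, which is worth confirming. The lock-order reason lives only in the commit message, so a one-line comment above the new disable, e.g. `/* disable_irq takes desc->lock; it must nest outside port->lock (printk under desc->lock can take port->lock) */`, would keep a later cleanup from moving it back inside the lock. The new line tests `port->irqflags` while the removed one tested `up->port.irqflags`; that is equivalent only if `port == &up->port`, so the function should use one spelling consistently. serial8250_do_startup() starts and ends outside the hunk.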
diff --git a/queue-4.4/serial-pl011-don-t-leak-amba_ports-entry-on-driver-register-error.patch b/queue-4.4/serial-pl011-don-t-leak-amba_ports-entry-on-driver-register-error.patch
new file mode 100644 (file)
index 0000000..1bb0707
--- /dev/null
@@ -0,0 +1,52 @@
+From 89efbe70b27dd325d8a8c177743a26b885f7faec Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Thu, 13 Aug 2020 12:59:54 +0200
+Subject: serial: pl011: Don't leak amba_ports entry on driver register error
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 89efbe70b27dd325d8a8c177743a26b885f7faec upstream.
+
+pl011_probe() calls pl011_setup_port() to reserve an amba_ports[] entry,
+then calls pl011_register_port() to register the uart driver with the
+tty layer.
+
+If registration of the uart driver fails, the amba_ports[] entry is not
+released.  If this happens 14 times (value of UART_NR macro), then all
+amba_ports[] entries will have been leaked and driver probing is no
+longer possible.  (To be fair, that can only happen if the DeviceTree
+doesn't contain alias IDs since they cause the same entry to be used for
+a given port.)   Fix it.
+
+Fixes: ef2889f7ffee ("serial: pl011: Move uart_register_driver call to device")
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: stable@vger.kernel.org # v3.15+
+Cc: Tushar Behera <tushar.behera@linaro.org>
+Link: https://lore.kernel.org/r/138f8c15afb2f184d8102583f8301575566064a6.1597316167.git.lukas@wunner.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/amba-pl011.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/amba-pl011.c
++++ b/drivers/tty/serial/amba-pl011.c
+@@ -2332,7 +2332,7 @@ static int pl011_setup_port(struct devic
+ static int pl011_register_port(struct uart_amba_port *uap)
+ {
+-      int ret;
++      int ret, i;
+       /* Ensure interrupts from this UART are masked and cleared */
+       writew(0, uap->port.membase + UART011_IMSC);
+@@ -2343,6 +2343,9 @@ static int pl011_register_port(struct ua
+               if (ret < 0) {
+                       dev_err(uap->port.dev,
+                               "Failed to register AMBA-PL011 driver\n");
++                      for (i = 0; i < ARRAY_SIZE(amba_ports); i++)
++                              if (amba_ports[i] == uap)
++                                      amba_ports[i] = NULL;
+                       return ret;
+               }
+       }
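Review bot: The cleanup loop `for (i = 0; i < ARRAY_SIZE(amba_ports); i++)` compares a signed `int i` with the `size_t` result of ARRAY_SIZE and keeps scanning after the entry has been cleared; `unsigned int i` plus `if (amba_ports[i] == uap) { amba_ports[i] = NULL; break; }` is the usual form. If pl011_setup_port() records the slot it reserved (for example in `uap->port.line`), releasing that index directly would avoid the scan altogether — check the setup code, which is outside the hunk. Note also that `amba_ports[]` is written here with no visible locking; if probes of several pl011 instances can run concurrently, the release and the reservation in pl011_setup_port() should share a lock or a helper. The rest of pl011_register_port() is outside the hunk.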
diff --git a/queue-4.4/serial-samsung-removes-the-irq-not-found-warning.patch b/queue-4.4/serial-samsung-removes-the-irq-not-found-warning.patch
new file mode 100644 (file)
index 0000000..de9ed57
--- /dev/null
@@ -0,0 +1,50 @@
+From 8c6c378b0cbe0c9f1390986b5f8ffb5f6ff7593b Mon Sep 17 00:00:00 2001
+From: Tamseel Shams <m.shams@samsung.com>
+Date: Mon, 10 Aug 2020 08:30:21 +0530
+Subject: serial: samsung: Removes the IRQ not found warning
+
+From: Tamseel Shams <m.shams@samsung.com>
+
+commit 8c6c378b0cbe0c9f1390986b5f8ffb5f6ff7593b upstream.
+
+In few older Samsung SoCs like s3c2410, s3c2412
+and s3c2440, UART IP is having 2 interrupt lines.
+However, in other SoCs like s3c6400, s5pv210,
+exynos5433, and exynos4210 UART is having only 1
+interrupt line. Due to this, "platform_get_irq(platdev, 1)"
+call in the driver gives the following false-positive error:
+"IRQ index 1 not found" on newer SoC's.
+
+This patch adds the condition to check for Tx interrupt
+only for the those SoC's which have 2 interrupt lines.
+
+Tested-by: Alim Akhtar <alim.akhtar@samsung.com>
+Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
+Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
+Signed-off-by: Tamseel Shams <m.shams@samsung.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200810030021.45348-1-m.shams@samsung.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/samsung.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/serial/samsung.c
++++ b/drivers/tty/serial/samsung.c
+@@ -1719,9 +1719,11 @@ static int s3c24xx_serial_init_port(stru
+               ourport->tx_irq = ret + 1;
+       }
+-      ret = platform_get_irq(platdev, 1);
+-      if (ret > 0)
+-              ourport->tx_irq = ret;
++      if (!s3c24xx_serial_has_interrupt_mask(port)) {
++              ret = platform_get_irq(platdev, 1);
++              if (ret > 0)
++                      ourport->tx_irq = ret;
++      }
+       /*
+        * DMA is currently supported only on DT platforms, if DMA properties
+        * are specified.
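Review bot: The new `if (!s3c24xx_serial_has_interrupt_mask(port))` guard carries no comment, and the reason it is correct exists only in the commit message; since the preceding block already sets `ourport->tx_irq = ret + 1`, a reader cannot tell why a second IRQ is probed on some SoCs and not others. Suggest a comment above the condition along the lines of `/* only the older two-line UARTs expose a separate Tx IRQ at index 1; SoCs with an interrupt mask register use a single line */`, adjusted to what the helper actually selects in this tree. s3c24xx_serial_init_port() continues outside the hunk.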
index 942b06884168dffae7a724e63b080b1aab441a18..1f9136d8e7f25383bef856564c1714167424ee48 100644 (file)
@@ -37,3 +37,10 @@ s390-cio-add-cond_resched-in-the-slow_eval_known_fn-.patch
 scsi-ufs-fix-possible-infinite-loop-in-ufshcd_hold.patch
 net-gianfar-add-of_node_put-before-goto-statement.patch
 powerpc-perf-fix-soft-lockups-due-to-missed-interrup.patch
+fbcon-prevent-user-font-height-or-width-change-from-causing-potential-out-of-bounds-access.patch
+usb-lvtest-return-proper-error-code-in-probe.patch
+vt-defer-kfree-of-vc_screenbuf-in-vc_do_resize.patch
+vt_ioctl-change-vt_resizex-ioctl-to-check-for-error-return-from-vc_resize.patch
+serial-samsung-removes-the-irq-not-found-warning.patch
+serial-pl011-don-t-leak-amba_ports-entry-on-driver-register-error.patch
+serial-8250-change-lock-order-in-serial8250_do_startup.patch
diff --git a/queue-4.4/usb-lvtest-return-proper-error-code-in-probe.patch b/queue-4.4/usb-lvtest-return-proper-error-code-in-probe.patch
new file mode 100644 (file)
index 0000000..a32f1b2
--- /dev/null
@@ -0,0 +1,35 @@
+From 531412492ce93ea29b9ca3b4eb5e3ed771f851dd Mon Sep 17 00:00:00 2001
+From: Evgeny Novikov <novikov@ispras.ru>
+Date: Wed, 5 Aug 2020 12:06:43 +0300
+Subject: USB: lvtest: return proper error code in probe
+
+From: Evgeny Novikov <novikov@ispras.ru>
+
+commit 531412492ce93ea29b9ca3b4eb5e3ed771f851dd upstream.
+
+lvs_rh_probe() can return some nonnegative value from usb_control_msg()
+when it is less than "USB_DT_HUB_NONVAR_SIZE + 2" that is considered as
+a failure. Make lvs_rh_probe() return -EINVAL in this case.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200805090643.3432-1-novikov@ispras.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/lvstest.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/misc/lvstest.c
++++ b/drivers/usb/misc/lvstest.c
+@@ -396,7 +396,7 @@ static int lvs_rh_probe(struct usb_inter
+                       USB_DT_SS_HUB_SIZE, USB_CTRL_GET_TIMEOUT);
+       if (ret < (USB_DT_HUB_NONVAR_SIZE + 2)) {
+               dev_err(&hdev->dev, "wrong root hub descriptor read %d\n", ret);
+-              return ret;
++              return ret < 0 ? ret : -EINVAL;
+       }
+       /* submit urb to poll interrupt endpoint */
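Review bot: `return ret < 0 ? ret : -EINVAL;` maps a short descriptor read to -EINVAL, which callers read as a bad argument on the kernel side rather than an unexpected reply from the device; -EIO or -EPROTO is the more common choice for a malformed descriptor and makes the failure easier to tell apart in probe logs. Whichever code is kept, a short comment such as `/* short read: usb_control_msg() returned a byte count, not an error */` would explain why the ternary is needed at all. lvs_rh_probe() starts and ends outside the hunk.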
diff --git a/queue-4.4/vt-defer-kfree-of-vc_screenbuf-in-vc_do_resize.patch b/queue-4.4/vt-defer-kfree-of-vc_screenbuf-in-vc_do_resize.patch
new file mode 100644 (file)
index 0000000..c461b56
--- /dev/null
@@ -0,0 +1,57 @@
+From f8d1653daec02315e06d30246cff4af72e76e54e Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Wed, 29 Jul 2020 23:57:01 +0900
+Subject: vt: defer kfree() of vc_screenbuf in vc_do_resize()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit f8d1653daec02315e06d30246cff4af72e76e54e upstream.
+
+syzbot is reporting UAF bug in set_origin() from vc_do_resize() [1], for
+vc_do_resize() calls kfree(vc->vc_screenbuf) before calling set_origin().
+
+Unfortunately, in set_origin(), vc->vc_sw->con_set_origin() might access
+vc->vc_pos when scroll is involved in order to manipulate cursor, but
+vc->vc_pos refers already released vc->vc_screenbuf until vc->vc_pos gets
+updated based on the result of vc->vc_sw->con_set_origin().
+
+Preserving old buffer and tolerating outdated vc members until set_origin()
+completes would be easier than preventing vc->vc_sw->con_set_origin() from
+accessing outdated vc members.
+
+[1] https://syzkaller.appspot.com/bug?id=6649da2081e2ebdc65c0642c214b27fe91099db3
+
+Reported-by: syzbot <syzbot+9116ecc1978ca3a12f43@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/1596034621-4714-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/vt/vt.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -864,7 +864,7 @@ static int vc_do_resize(struct tty_struc
+       unsigned int old_rows, old_row_size;
+       unsigned int new_cols, new_rows, new_row_size, new_screen_size;
+       unsigned int user;
+-      unsigned short *newscreen;
++      unsigned short *oldscreen, *newscreen;
+       WARN_CONSOLE_UNLOCKED();
+@@ -946,10 +946,11 @@ static int vc_do_resize(struct tty_struc
+       if (new_scr_end > new_origin)
+               scr_memsetw((void *)new_origin, vc->vc_video_erase_char,
+                           new_scr_end - new_origin);
+-      kfree(vc->vc_screenbuf);
++      oldscreen = vc->vc_screenbuf;
+       vc->vc_screenbuf = newscreen;
+       vc->vc_screenbuf_size = new_screen_size;
+       set_origin(vc);
++      kfree(oldscreen);
+       /* do part of a reset_terminal() */
+       vc->vc_top = 0;
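Review bot: The deferred `kfree(oldscreen)` after `set_origin(vc)` is correct only because set_origin() may still dereference the old buffer through `vc->vc_pos`, and nothing in the code says so; a later cleanup could easily move the free back next to the assignment. Suggest a comment on the `oldscreen = vc->vc_screenbuf;` line: `/* freed only after set_origin(): con_set_origin() may read vc_pos, which still points into the old buffer */`. vc_do_resize() starts and ends outside the hunk.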
diff --git a/queue-4.4/vt_ioctl-change-vt_resizex-ioctl-to-check-for-error-return-from-vc_resize.patch b/queue-4.4/vt_ioctl-change-vt_resizex-ioctl-to-check-for-error-return-from-vc_resize.patch
new file mode 100644 (file)
index 0000000..8fc6bc1
--- /dev/null
@@ -0,0 +1,49 @@
+From bc5269ca765057a1b762e79a1cfd267cd7bf1c46 Mon Sep 17 00:00:00 2001
+From: George Kennedy <george.kennedy@oracle.com>
+Date: Fri, 31 Jul 2020 12:33:12 -0400
+Subject: vt_ioctl: change VT_RESIZEX ioctl to check for error return from vc_resize()
+
+From: George Kennedy <george.kennedy@oracle.com>
+
+commit bc5269ca765057a1b762e79a1cfd267cd7bf1c46 upstream.
+
+vc_resize() can return with an error after failure. Change VT_RESIZEX ioctl
+to save struct vc_data values that are modified and restore the original
+values in case of error.
+
+Signed-off-by: George Kennedy <george.kennedy@oracle.com>
+Cc: stable <stable@vger.kernel.org>
+Reported-by: syzbot+38a3699c7eaf165b97a6@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/1596213192-6635-2-git-send-email-george.kennedy@oracle.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/vt/vt_ioctl.c |   12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/vt/vt_ioctl.c
++++ b/drivers/tty/vt/vt_ioctl.c
+@@ -896,12 +896,22 @@ int vt_ioctl(struct tty_struct *tty,
+                       console_lock();
+                       vcp = vc_cons[i].d;
+                       if (vcp) {
++                              int ret;
++                              int save_scan_lines = vcp->vc_scan_lines;
++                              int save_font_height = vcp->vc_font.height;
++
+                               if (v.v_vlin)
+                                       vcp->vc_scan_lines = v.v_vlin;
+                               if (v.v_clin)
+                                       vcp->vc_font.height = v.v_clin;
+                               vcp->vc_resize_user = 1;
+-                              vc_resize(vcp, v.v_cols, v.v_rows);
++                              ret = vc_resize(vcp, v.v_cols, v.v_rows);
++                              if (ret) {
++                                      vcp->vc_scan_lines = save_scan_lines;
++                                      vcp->vc_font.height = save_font_height;
++                                      console_unlock();
++                                      return ret;
++                              }
+                       }
+                       console_unlock();
+               }
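Review bot: The rollback after `ret = vc_resize(vcp, v.v_cols, v.v_rows);` restores only the console that failed; if this block sits inside the per-console loop that the `vc_cons[i].d` lookup suggests, consoles handled on earlier iterations keep their new size and the caller receives an error for a partially applied resize. That may be acceptable for this ioctl, but it deserves either a comment such as `/* earlier consoles stay resized; only this vc is rolled back */` or a pass that validates the request for every console before changing any. `save_font_height` is an `int` copy of `vcp->vc_font.height`; declaring it with the field's own type avoids a sign conversion on restore. The enclosing switch case and loop start outside the hunk.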