5.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 9 Nov 2020 09:58:48 +0000 (10:58 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 9 Nov 2020 09:58:48 +0000 (10:58 +0100)
added patches:
tty-fix-crash-in-release_tty-if-tty-port-is-not-set.patch
tty-serial-imx-enable-earlycon-by-default-if-imx_serial_console-is-enabled.patch
vt-disable-kd_font_op_copy.patch

queue-5.9/series
queue-5.9/tty-fix-crash-in-release_tty-if-tty-port-is-not-set.patch [new file with mode: 0644]
queue-5.9/tty-serial-imx-enable-earlycon-by-default-if-imx_serial_console-is-enabled.patch [new file with mode: 0644]
queue-5.9/vt-disable-kd_font_op_copy.patch [new file with mode: 0644]

index 58f2fc852309a79338a1a92484cc41990905f0ed..c35c1e4ba515c1238d5431a5a5ac2afb2553428e 100644 (file)
@@ -102,3 +102,6 @@ usb-cdns3-gadget-suspicious-implicit-sign-extension.patch
 drm-nouveau-nouveau-fix-the-start-end-range-for-migr.patch
 drm-nouveau-gem-fix-refcount_t-underflow-use-after-f.patch
 arm64-smp-move-rcu_cpu_starting-earlier.patch
+vt-disable-kd_font_op_copy.patch
+tty-serial-imx-enable-earlycon-by-default-if-imx_serial_console-is-enabled.patch
+tty-fix-crash-in-release_tty-if-tty-port-is-not-set.patch
diff --git a/queue-5.9/tty-fix-crash-in-release_tty-if-tty-port-is-not-set.patch b/queue-5.9/tty-fix-crash-in-release_tty-if-tty-port-is-not-set.patch
new file mode 100644 (file)
index 0000000..1d6e905
--- /dev/null
@@ -0,0 +1,43 @@
+From 4466d6d2f80c1193e0845d110277c56da77a6418 Mon Sep 17 00:00:00 2001
+From: Matthias Reichl <hias@horus.com>
+Date: Thu, 5 Nov 2020 13:34:32 +0100
+Subject: tty: fix crash in release_tty if tty->port is not set
+
+From: Matthias Reichl <hias@horus.com>
+
+commit 4466d6d2f80c1193e0845d110277c56da77a6418 upstream.
+
+Commit 2ae0b31e0face ("tty: don't crash in tty_init_dev when missing
+tty_port") didn't fully prevent the crash as the cleanup path in
+tty_init_dev() calls release_tty() which dereferences tty->port
+without checking it for non-null.
+
+Add tty->port checks to release_tty to avoid the kernel crash.
+
+Fixes: 2ae0b31e0face ("tty: don't crash in tty_init_dev when missing tty_port")
+Signed-off-by: Matthias Reichl <hias@horus.com>
+Link: https://lore.kernel.org/r/20201105123432.4448-1-hias@horus.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/tty_io.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -1514,10 +1514,12 @@ static void release_tty(struct tty_struc
+               tty->ops->shutdown(tty);
+       tty_save_termios(tty);
+       tty_driver_remove_tty(tty->driver, tty);
+-      tty->port->itty = NULL;
++      if (tty->port)
++              tty->port->itty = NULL;
+       if (tty->link)
+               tty->link->port->itty = NULL;
+-      tty_buffer_cancel_work(tty->port);
++      if (tty->port)
++              tty_buffer_cancel_work(tty->port);
+       if (tty->link)
+               tty_buffer_cancel_work(tty->link->port);
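Review bot: The two added `if (tty->port)` guards cover only the tty's own port; the neighbouring context lines `tty->link->port->itty = NULL;` and `tty_buffer_cancel_work(tty->link->port);` still use the link's port unchecked. Whether a linked tty can reach release_tty() without a port is not visible in this hunk, so either guard it the same way, `if (tty->link && tty->link->port)`, or add a comment stating the invariant that makes the unchecked access safe. A one-line comment above the first guard, such as `/* port may be NULL when called from the tty_init_dev() error path */`, would also keep a later cleanup from dropping the checks. release_tty() begins and continues outside the hunk.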
diff --git a/queue-5.9/tty-serial-imx-enable-earlycon-by-default-if-imx_serial_console-is-enabled.patch b/queue-5.9/tty-serial-imx-enable-earlycon-by-default-if-imx_serial_console-is-enabled.patch
new file mode 100644 (file)
index 0000000..c33a98a
--- /dev/null
@@ -0,0 +1,38 @@
+From 427627a23c3e86e31113f9db9bfdca41698a0ee5 Mon Sep 17 00:00:00 2001
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Thu, 5 Nov 2020 21:40:26 +0100
+Subject: tty: serial: imx: enable earlycon by default if IMX_SERIAL_CONSOLE is enabled
+
+From: Lucas Stach <l.stach@pengutronix.de>
+
+commit 427627a23c3e86e31113f9db9bfdca41698a0ee5 upstream.
+
+Since 699cc4dfd140 (tty: serial: imx: add imx earlycon driver), the earlycon
+part of imx serial is a separate driver and isn't necessarily enabled anymore
+when the console is enabled. This causes users to loose the earlycon
+functionality when upgrading their kenrel configuration via oldconfig.
+
+Enable earlycon by default when IMX_SERIAL_CONSOLE is enabled.
+
+Fixes: 699cc4dfd140 (tty: serial: imx: add imx earlycon driver)
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Reviewed-by: Fugang Duan <fugang.duan@nxp.com>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Link: https://lore.kernel.org/r/20201105204026.1818219-1-l.stach@pengutronix.de
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/Kconfig |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/tty/serial/Kconfig
++++ b/drivers/tty/serial/Kconfig
+@@ -522,6 +522,7 @@ config SERIAL_IMX_EARLYCON
+       depends on OF
+       select SERIAL_EARLYCON
+       select SERIAL_CORE_CONSOLE
++      default y if SERIAL_IMX_CONSOLE
+       help
+         If you have enabled the earlycon on the Freescale IMX
+         CPU you can make it the earlycon by answering Y to this option.
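Review bot: The added line keys on `SERIAL_IMX_CONSOLE`, while the patch subject and description call the option IMX_SERIAL_CONSOLE, so searching the log for that name finds no matching Kconfig symbol. The help text under the new default still reads as if the option were purely opt-in; a sentence such as `Defaults to y when SERIAL_IMX_CONSOLE is enabled.` would tell users why oldconfig now turns it on.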
diff --git a/queue-5.9/vt-disable-kd_font_op_copy.patch b/queue-5.9/vt-disable-kd_font_op_copy.patch
new file mode 100644 (file)
index 0000000..c5e8fc6
--- /dev/null
@@ -0,0 +1,117 @@
+From 3c4e0dff2095c579b142d5a0693257f1c58b4804 Mon Sep 17 00:00:00 2001
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Sun, 8 Nov 2020 16:38:06 +0100
+Subject: vt: Disable KD_FONT_OP_COPY
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+commit 3c4e0dff2095c579b142d5a0693257f1c58b4804 upstream.
+
+It's buggy:
+
+On Fri, Nov 06, 2020 at 10:30:08PM +0800, Minh Yuan wrote:
+> We recently discovered a slab-out-of-bounds read in fbcon in the latest
+> kernel ( v5.10-rc2 for now ).  The root cause of this vulnerability is that
+> "fbcon_do_set_font" did not handle "vc->vc_font.data" and
+> "vc->vc_font.height" correctly, and the patch
+> <https://lkml.org/lkml/2020/9/27/223> for VT_RESIZEX can't handle this
+> issue.
+>
+> Specifically, we use KD_FONT_OP_SET to set a small font.data for tty6, and
+> use  KD_FONT_OP_SET again to set a large font.height for tty1. After that,
+> we use KD_FONT_OP_COPY to assign tty6's vc_font.data to tty1's vc_font.data
+> in "fbcon_do_set_font", while tty1 retains the original larger
+> height. Obviously, this will cause an out-of-bounds read, because we can
+> access a smaller vc_font.data with a larger vc_font.height.
+
+Further there was only one user ever.
+- Android's loadfont, busybox and console-tools only ever use OP_GET
+  and OP_SET
+- fbset documentation only mentions the kernel cmdline font: option,
+  not anything else.
+- systemd used OP_COPY before release 232 published in Nov 2016
+
+Now unfortunately the crucial report seems to have gone down with
+gmane, and the commit message doesn't say much. But the pull request
+hints at OP_COPY being broken
+
+https://github.com/systemd/systemd/pull/3651
+
+So in other words, this never worked, and the only project which
+foolishly every tried to use it, realized that rather quickly too.
+
+Instead of trying to fix security issues here on dead code by adding
+missing checks, fix the entire thing by removing the functionality.
+
+Note that systemd code using the OP_COPY function ignored the return
+value, so it doesn't matter what we're doing here really - just in
+case a lone server somewhere happens to be extremely unlucky and
+running an affected old version of systemd. The relevant code from
+font_copy_to_all_vcs() in systemd was:
+
+       /* copy font from active VT, where the font was uploaded to */
+       cfo.op = KD_FONT_OP_COPY;
+       cfo.height = vcs.v_active-1; /* tty1 == index 0 */
+       (void) ioctl(vcfd, KDFONTOP, &cfo);
+
+Note this just disables the ioctl, garbage collecting the now unused
+callbacks is left for -next.
+
+v2: Tetsuo found the old mail, which allowed me to find it on another
+archive. Add the link too.
+
+Acked-by: Peilin Ye <yepeilin.cs@gmail.com>
+Reported-by: Minh Yuan <yuanmingbuaa@gmail.com>
+References: https://lists.freedesktop.org/archives/systemd-devel/2016-June/036935.html
+References: https://github.com/systemd/systemd/pull/3651
+Cc: Greg KH <greg@kroah.com>
+Cc: Peilin Ye <yepeilin.cs@gmail.com>
+Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Link: https://lore.kernel.org/r/20201108153806.3140315-1-daniel.vetter@ffwll.ch
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/vt/vt.c |   24 ++----------------------
+ 1 file changed, 2 insertions(+), 22 deletions(-)
+
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -4700,27 +4700,6 @@ static int con_font_default(struct vc_da
+       return rc;
+ }
+-static int con_font_copy(struct vc_data *vc, struct console_font_op *op)
+-{
+-      int con = op->height;
+-      int rc;
+-
+-
+-      console_lock();
+-      if (vc->vc_mode != KD_TEXT)
+-              rc = -EINVAL;
+-      else if (!vc->vc_sw->con_font_copy)
+-              rc = -ENOSYS;
+-      else if (con < 0 || !vc_cons_allocated(con))
+-              rc = -ENOTTY;
+-      else if (con == vc->vc_num)     /* nothing to do */
+-              rc = 0;
+-      else
+-              rc = vc->vc_sw->con_font_copy(vc, con);
+-      console_unlock();
+-      return rc;
+-}
+-
+ int con_font_op(struct vc_data *vc, struct console_font_op *op)
+ {
+       switch (op->op) {
+@@ -4731,7 +4710,8 @@ int con_font_op(struct vc_data *vc, stru
+       case KD_FONT_OP_SET_DEFAULT:
+               return con_font_default(vc, op);
+       case KD_FONT_OP_COPY:
+-              return con_font_copy(vc, op);
++              /* was buggy and never really used */
++              return -EINVAL;
+       }
+       return -ENOSYS;
+ }
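Review bot: The comment on the disabled case, `/* was buggy and never really used */`, does not record what the bug was, so a later reader cannot tell that re-enabling the case is a memory-safety problem rather than a cosmetic one. Per the commit description, the copy let one console take another's smaller font data while keeping its own larger height, which gave an out-of-bounds read in fbcon; I would say so in the comment, e.g. `/* disabled: copied font data without its height, allowing an out-of-bounds read in fbcon */`. The description defers removal of the drivers' `con_font_copy` callbacks, so the comment should also note that they remain but are no longer reachable from this ioctl. The case returns `-EINVAL` while the fall-through for unknown ops returns `-ENOSYS`, so callers probing for support see two different errors for unsupported operations; a word on why `-EINVAL` was chosen would help.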