--- /dev/null
+From 2e90ca68b0d2f5548804f22f0dd61145516171e3 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri, 21 Feb 2020 12:43:35 -0800
+Subject: floppy: check FDC index for errors before assigning it
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 2e90ca68b0d2f5548804f22f0dd61145516171e3 upstream.
+
+Jordy Zomer reported a KASAN out-of-bounds read in the floppy driver in
+wait_til_ready().
+
+Which on the face of it can't happen, since as Willy Tarreau points out,
+the function does no particular memory access. Except through the FDCS
+macro, which just indexes a static allocation through teh current fdc,
+which is always checked against N_FDC.
+
+Except the checking happens after we've already assigned the value.
+
+The floppy driver is a disgrace (a lot of it going back to my original
+horrd "design"), and has no real maintainer. Nobody has the hardware,
+and nobody really cares. But it still gets used in virtual environment
+because it's one of those things that everybody supports.
+
+The whole thing should be re-written, or at least parts of it should be
+seriously cleaned up. The 'current fdc' index, which is used by the
+FDCS macro, and which is often shadowed by a local 'fdc' variable, is a
+prime example of how not to write code.
+
+But because nobody has the hardware or the motivation, let's just fix up
+the immediate problem with a nasty band-aid: test the fdc index before
+actually assigning it to the static 'fdc' variable.
+
+Reported-by: Jordy Zomer <jordy@simplyhacker.com>
+Cc: Willy Tarreau <w@1wt.eu>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/floppy.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -853,14 +853,17 @@ static void reset_fdc_info(int mode)
+ /* selects the fdc and drive, and enables the fdc's input/dma. */
+ static void set_fdc(int drive)
+ {
++ unsigned int new_fdc = fdc;
++
+ if (drive >= 0 && drive < N_DRIVE) {
+- fdc = FDC(drive);
++ new_fdc = FDC(drive);
+ current_drive = drive;
+ }
+- if (fdc != 1 && fdc != 0) {
++ if (new_fdc >= N_FDC) {
+ pr_info("bad fdc value\n");
+ return;
+ }
++ fdc = new_fdc;
+ set_dor(fdc, ~0, 8);
+ #if N_FDC > 1
+ set_dor(1 - fdc, ~8, 0);
usb-misc-iowarrior-add-support-for-the-28-and-28l-devices.patch
usb-misc-iowarrior-add-support-for-the-100-device.patch
e1000e-use-rtnl_lock-to-prevent-race-conditions-between-net-and-pci-pm.patch
+floppy-check-fdc-index-for-errors-before-assigning-it.patch
+vt-fix-scrollback-flushing-on-background-consoles.patch
+vt-selection-handle-pending-signals-in-paste_selection.patch
+vt-selection-close-sel_buffer-race.patch
+vt-vt_ioctl-fix-race-in-vt_resizex.patch
+staging-android-ashmem-disallow-ashmem-memory-from-being-remapped.patch
+staging-vt6656-fix-sign-of-rx_dbm-to-bb_pre_ed_rssi.patch
--- /dev/null
+From 6d67b0290b4b84c477e6a2fc6e005e174d3c7786 Mon Sep 17 00:00:00 2001
+From: Suren Baghdasaryan <surenb@google.com>
+Date: Mon, 27 Jan 2020 15:56:16 -0800
+Subject: staging: android: ashmem: Disallow ashmem memory from being remapped
+
+From: Suren Baghdasaryan <surenb@google.com>
+
+commit 6d67b0290b4b84c477e6a2fc6e005e174d3c7786 upstream.
+
+When ashmem file is mmapped, the resulting vma->vm_file points to the
+backing shmem file with the generic fops that do not check ashmem
+permissions like fops of ashmem do. If an mremap is done on the ashmem
+region, then the permission checks will be skipped. Fix that by disallowing
+mapping operation on the backing shmem file.
+
+Reported-by: Jann Horn <jannh@google.com>
+Signed-off-by: Suren Baghdasaryan <surenb@google.com>
+Cc: stable <stable@vger.kernel.org> # 4.4,4.9,4.14,4.18,5.4
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Link: https://lore.kernel.org/r/20200127235616.48920-1-tkjos@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/android/ashmem.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+--- a/drivers/staging/android/ashmem.c
++++ b/drivers/staging/android/ashmem.c
+@@ -351,8 +351,23 @@ static inline vm_flags_t calc_vm_may_fla
+ _calc_vm_trans(prot, PROT_EXEC, VM_MAYEXEC);
+ }
+
++static int ashmem_vmfile_mmap(struct file *file, struct vm_area_struct *vma)
++{
++ /* do not allow to mmap ashmem backing shmem file directly */
++ return -EPERM;
++}
++
++static unsigned long
++ashmem_vmfile_get_unmapped_area(struct file *file, unsigned long addr,
++ unsigned long len, unsigned long pgoff,
++ unsigned long flags)
++{
++ return current->mm->get_unmapped_area(file, addr, len, pgoff, flags);
++}
++
+ static int ashmem_mmap(struct file *file, struct vm_area_struct *vma)
+ {
++ static struct file_operations vmfile_fops;
+ struct ashmem_area *asma = file->private_data;
+ int ret = 0;
+
+@@ -393,6 +408,19 @@ static int ashmem_mmap(struct file *file
+ }
+ vmfile->f_mode |= FMODE_LSEEK;
+ asma->file = vmfile;
++ /*
++ * override mmap operation of the vmfile so that it can't be
++ * remapped which would lead to creation of a new vma with no
++ * asma permission checks. Have to override get_unmapped_area
++ * as well to prevent VM_BUG_ON check for f_ops modification.
++ */
++ if (!vmfile_fops.mmap) {
++ vmfile_fops = *vmfile->f_op;
++ vmfile_fops.mmap = ashmem_vmfile_mmap;
++ vmfile_fops.get_unmapped_area =
++ ashmem_vmfile_get_unmapped_area;
++ }
++ vmfile->f_op = &vmfile_fops;
+ }
+ get_file(asma->file);
+
--- /dev/null
+From 93134df520f23f4e9998c425b8987edca7016817 Mon Sep 17 00:00:00 2001
+From: Malcolm Priestley <tvboxspy@gmail.com>
+Date: Tue, 4 Feb 2020 19:34:02 +0000
+Subject: staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi.
+
+From: Malcolm Priestley <tvboxspy@gmail.com>
+
+commit 93134df520f23f4e9998c425b8987edca7016817 upstream.
+
+bb_pre_ed_rssi is an u8 rx_dm always returns negative signed
+values add minus operator to always yield positive.
+
+fixes issue where rx sensitivity is always set to maximum because
+the unsigned numbers were always greater then 100.
+
+Fixes: 63b9907f58f1 ("staging: vt6656: mac80211 conversion: create rx function.")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
+Link: https://lore.kernel.org/r/aceac98c-6e69-3ce1-dfec-2bf27b980221@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/vt6656/dpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/vt6656/dpc.c
++++ b/drivers/staging/vt6656/dpc.c
+@@ -130,7 +130,7 @@ int vnt_rx_data(struct vnt_private *priv
+
+ vnt_rf_rssi_to_dbm(priv, *rssi, &rx_dbm);
+
+- priv->bb_pre_ed_rssi = (u8)rx_dbm + 1;
++ priv->bb_pre_ed_rssi = (u8)-rx_dbm + 1;
+ priv->current_rssi = priv->bb_pre_ed_rssi;
+
+ skb_pull(skb, 8);
--- /dev/null
+From 3f4ef485be9d54040b695f32ec76d0f1ea50bbf3 Mon Sep 17 00:00:00 2001
+From: Nicolas Pitre <nico@fluxnic.net>
+Date: Tue, 28 Jan 2020 12:50:33 -0500
+Subject: vt: fix scrollback flushing on background consoles
+
+From: Nicolas Pitre <nico@fluxnic.net>
+
+commit 3f4ef485be9d54040b695f32ec76d0f1ea50bbf3 upstream.
+
+Commit a6dbe4427559 ("vt: perform safe console erase in the right
+order") provided fixes to an earlier commit by gathering all console
+scrollback flushing operations in a function of its own. This includes
+the invocation of vc_sw->con_switch() as previously done through a
+update_screen() call. That commit failed to carry over the
+con_is_visible() conditional though, as well as cursor handling, which
+caused problems when "\e[3J" was written to a background console.
+
+One could argue for preserving the call to update_screen(). However
+this does far more than we need, and it is best to remove scrollback
+assumptions from it. Instead let's gather the minimum needed to actually
+perform scrollback flushing properly in that one place.
+
+While at it, let's document the vc_sw->con_switch() side effect being
+relied upon.
+
+Signed-off-by: Nicolas Pitre <nico@fluxnic.net>
+Reported-and-tested-by: Lukas Wunner <lukas@wunner.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/nycvar.YSQ.7.76.2001281205560.1655@knanqh.ubzr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/vt/vt.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -936,10 +936,21 @@ static void flush_scrollback(struct vc_d
+ WARN_CONSOLE_UNLOCKED();
+
+ set_origin(vc);
+- if (vc->vc_sw->con_flush_scrollback)
++ if (vc->vc_sw->con_flush_scrollback) {
+ vc->vc_sw->con_flush_scrollback(vc);
+- else
++ } else if (con_is_visible(vc)) {
++ /*
++ * When no con_flush_scrollback method is provided then the
++ * legacy way for flushing the scrollback buffer is to use
++ * a side effect of the con_switch method. We do it only on
++ * the foreground console as background consoles have no
++ * scrollback buffers in that case and we obviously don't
++ * want to switch to them.
++ */
++ hide_cursor(vc);
+ vc->vc_sw->con_switch(vc);
++ set_cursor(vc);
++ }
+ }
+
+ /*
--- /dev/null
+From 07e6124a1a46b4b5a9b3cacc0c306b50da87abf5 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Mon, 10 Feb 2020 09:11:31 +0100
+Subject: vt: selection, close sel_buffer race
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit 07e6124a1a46b4b5a9b3cacc0c306b50da87abf5 upstream.
+
+syzkaller reported this UAF:
+BUG: KASAN: use-after-free in n_tty_receive_buf_common+0x2481/0x2940 drivers/tty/n_tty.c:1741
+Read of size 1 at addr ffff8880089e40e9 by task syz-executor.1/13184
+
+CPU: 0 PID: 13184 Comm: syz-executor.1 Not tainted 5.4.7 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
+Call Trace:
+...
+ kasan_report+0xe/0x20 mm/kasan/common.c:634
+ n_tty_receive_buf_common+0x2481/0x2940 drivers/tty/n_tty.c:1741
+ tty_ldisc_receive_buf+0xac/0x190 drivers/tty/tty_buffer.c:461
+ paste_selection+0x297/0x400 drivers/tty/vt/selection.c:372
+ tioclinux+0x20d/0x4e0 drivers/tty/vt/vt.c:3044
+ vt_ioctl+0x1bcf/0x28d0 drivers/tty/vt/vt_ioctl.c:364
+ tty_ioctl+0x525/0x15a0 drivers/tty/tty_io.c:2657
+ vfs_ioctl fs/ioctl.c:47 [inline]
+
+It is due to a race between parallel paste_selection (TIOCL_PASTESEL)
+and set_selection_user (TIOCL_SETSEL) invocations. One uses sel_buffer,
+while the other frees it and reallocates a new one for another
+selection. Add a mutex to close this race.
+
+The mutex takes care properly of sel_buffer and sel_buffer_lth only. The
+other selection global variables (like sel_start, sel_end, and sel_cons)
+are protected only in set_selection_user. The other functions need quite
+some more work to close the races of the variables there. This is going
+to happen later.
+
+This likely fixes (I am unsure as there is no reproducer provided) bug
+206361 too. It was marked as CVE-2020-8648.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Reported-by: syzbot+59997e8d5cbdc486e6f6@syzkaller.appspotmail.com
+References: https://bugzilla.kernel.org/show_bug.cgi?id=206361
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200210081131.23572-2-jslaby@suse.cz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/vt/selection.c | 23 +++++++++++++++++------
+ 1 file changed, 17 insertions(+), 6 deletions(-)
+
+--- a/drivers/tty/vt/selection.c
++++ b/drivers/tty/vt/selection.c
+@@ -16,6 +16,7 @@
+ #include <linux/tty.h>
+ #include <linux/sched.h>
+ #include <linux/mm.h>
++#include <linux/mutex.h>
+ #include <linux/slab.h>
+ #include <linux/types.h>
+
+@@ -45,6 +46,7 @@ static volatile int sel_start = -1; /*
+ static int sel_end;
+ static int sel_buffer_lth;
+ static char *sel_buffer;
++static DEFINE_MUTEX(sel_lock);
+
+ /* clear_selection, highlight and highlight_pointer can be called
+ from interrupt (via scrollback/front) */
+@@ -186,7 +188,7 @@ int set_selection_kernel(struct tiocl_se
+ char *bp, *obp;
+ int i, ps, pe, multiplier;
+ u32 c;
+- int mode;
++ int mode, ret = 0;
+
+ poke_blanked_console();
+
+@@ -212,6 +214,7 @@ int set_selection_kernel(struct tiocl_se
+ if (ps > pe) /* make sel_start <= sel_end */
+ swap(ps, pe);
+
++ mutex_lock(&sel_lock);
+ if (sel_cons != vc_cons[fg_console].d) {
+ clear_selection();
+ sel_cons = vc_cons[fg_console].d;
+@@ -257,9 +260,10 @@ int set_selection_kernel(struct tiocl_se
+ break;
+ case TIOCL_SELPOINTER:
+ highlight_pointer(pe);
+- return 0;
++ goto unlock;
+ default:
+- return -EINVAL;
++ ret = -EINVAL;
++ goto unlock;
+ }
+
+ /* remove the pointer */
+@@ -281,7 +285,7 @@ int set_selection_kernel(struct tiocl_se
+ else if (new_sel_start == sel_start)
+ {
+ if (new_sel_end == sel_end) /* no action required */
+- return 0;
++ goto unlock;
+ else if (new_sel_end > sel_end) /* extend to right */
+ highlight(sel_end + 2, new_sel_end);
+ else /* contract from right */
+@@ -309,7 +313,8 @@ int set_selection_kernel(struct tiocl_se
+ if (!bp) {
+ printk(KERN_WARNING "selection: kmalloc() failed\n");
+ clear_selection();
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto unlock;
+ }
+ kfree(sel_buffer);
+ sel_buffer = bp;
+@@ -334,7 +339,9 @@ int set_selection_kernel(struct tiocl_se
+ }
+ }
+ sel_buffer_lth = bp - sel_buffer;
+- return 0;
++unlock:
++ mutex_unlock(&sel_lock);
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(set_selection_kernel);
+
+@@ -364,6 +371,7 @@ int paste_selection(struct tty_struct *t
+ tty_buffer_lock_exclusive(&vc->port);
+
+ add_wait_queue(&vc->paste_wait, &wait);
++ mutex_lock(&sel_lock);
+ while (sel_buffer && sel_buffer_lth > pasted) {
+ set_current_state(TASK_INTERRUPTIBLE);
+ if (signal_pending(current)) {
+@@ -371,7 +379,9 @@ int paste_selection(struct tty_struct *t
+ break;
+ }
+ if (tty_throttled(tty)) {
++ mutex_unlock(&sel_lock);
+ schedule();
++ mutex_lock(&sel_lock);
+ continue;
+ }
+ __set_current_state(TASK_RUNNING);
+@@ -380,6 +390,7 @@ int paste_selection(struct tty_struct *t
+ count);
+ pasted += count;
+ }
++ mutex_unlock(&sel_lock);
+ remove_wait_queue(&vc->paste_wait, &wait);
+ __set_current_state(TASK_RUNNING);
+
--- /dev/null
+From 687bff0cd08f790d540cfb7b2349f0d876cdddec Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Mon, 10 Feb 2020 09:11:30 +0100
+Subject: vt: selection, handle pending signals in paste_selection
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit 687bff0cd08f790d540cfb7b2349f0d876cdddec upstream.
+
+When pasting a selection to a vt, the task is set as INTERRUPTIBLE while
+waiting for a tty to unthrottle. But signals are not handled at all.
+Normally, this is not a problem as tty_ldisc_receive_buf receives all
+the goods and a user has no reason to interrupt the task.
+
+There are two scenarios where this matters:
+1) when the tty is throttled and a signal is sent to the process, it
+ spins on a CPU until the tty is unthrottled. schedule() does not
+ really echedule, but returns immediately, of course.
+2) when the sel_buffer becomes invalid, KASAN prevents any reads from it
+ and the loop simply does not proceed and spins forever (causing the
+ tty to throttle, but the code never sleeps, the same as above). This
+ sometimes happens as there is a race in the sel_buffer handling code.
+
+So add signal handling to this ioctl (TIOCL_PASTESEL) and return -EINTR
+in case a signal is pending.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200210081131.23572-1-jslaby@suse.cz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/vt/selection.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/vt/selection.c
++++ b/drivers/tty/vt/selection.c
+@@ -29,6 +29,8 @@
+ #include <linux/console.h>
+ #include <linux/tty_flip.h>
+
++#include <linux/sched/signal.h>
++
+ /* Don't take this from <ctype.h>: 011-015 on the screen aren't spaces */
+ #define isspace(c) ((c) == ' ')
+
+@@ -350,6 +352,7 @@ int paste_selection(struct tty_struct *t
+ unsigned int count;
+ struct tty_ldisc *ld;
+ DECLARE_WAITQUEUE(wait, current);
++ int ret = 0;
+
+ console_lock();
+ poke_blanked_console();
+@@ -363,6 +366,10 @@ int paste_selection(struct tty_struct *t
+ add_wait_queue(&vc->paste_wait, &wait);
+ while (sel_buffer && sel_buffer_lth > pasted) {
+ set_current_state(TASK_INTERRUPTIBLE);
++ if (signal_pending(current)) {
++ ret = -EINTR;
++ break;
++ }
+ if (tty_throttled(tty)) {
+ schedule();
+ continue;
+@@ -378,6 +385,6 @@ int paste_selection(struct tty_struct *t
+
+ tty_buffer_unlock_exclusive(&vc->port);
+ tty_ldisc_deref(ld);
+- return 0;
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(paste_selection);
--- /dev/null
+From 6cd1ed50efd88261298577cd92a14f2768eddeeb Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 10 Feb 2020 11:07:21 -0800
+Subject: vt: vt_ioctl: fix race in VT_RESIZEX
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 6cd1ed50efd88261298577cd92a14f2768eddeeb upstream.
+
+We need to make sure vc_cons[i].d is not NULL after grabbing
+console_lock(), or risk a crash.
+
+general protection fault, probably for non-canonical address 0xdffffc0000000068: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000340-0x0000000000000347]
+CPU: 1 PID: 19462 Comm: syz-executor.5 Not tainted 5.5.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:vt_ioctl+0x1f96/0x26d0 drivers/tty/vt/vt_ioctl.c:883
+Code: 74 41 e8 bd a6 84 fd 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 e4 04 00 00 48 8b 03 48 8d b8 40 03 00 00 48 89 fa 48 c1 ea 03 <42> 0f b6 14 2a 84 d2 74 09 80 fa 03 0f 8e b1 05 00 00 44 89 b8 40
+RSP: 0018:ffffc900086d7bb0 EFLAGS: 00010202
+RAX: 0000000000000000 RBX: ffffffff8c34ee88 RCX: ffffc9001415c000
+RDX: 0000000000000068 RSI: ffffffff83f0e6e3 RDI: 0000000000000340
+RBP: ffffc900086d7cd0 R08: ffff888054ce0100 R09: fffffbfff16a2f6d
+R10: ffff888054ce0998 R11: ffff888054ce0100 R12: 000000000000001d
+R13: dffffc0000000000 R14: 1ffff920010daf79 R15: 000000000000ff7f
+FS: 00007f7d13c12700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffd477e3c38 CR3: 0000000095d0a000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660
+ vfs_ioctl fs/ioctl.c:47 [inline]
+ ksys_ioctl+0x123/0x180 fs/ioctl.c:763
+ __do_sys_ioctl fs/ioctl.c:772 [inline]
+ __se_sys_ioctl fs/ioctl.c:770 [inline]
+ __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770
+ do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x45b399
+Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f7d13c11c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007f7d13c126d4 RCX: 000000000045b399
+RDX: 0000000020000080 RSI: 000000000000560a RDI: 0000000000000003
+RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 0000000000000666 R14: 00000000004c7f04 R15: 000000000075bf2c
+Modules linked in:
+---[ end trace 80970faf7a67eb77 ]---
+RIP: 0010:vt_ioctl+0x1f96/0x26d0 drivers/tty/vt/vt_ioctl.c:883
+Code: 74 41 e8 bd a6 84 fd 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 e4 04 00 00 48 8b 03 48 8d b8 40 03 00 00 48 89 fa 48 c1 ea 03 <42> 0f b6 14 2a 84 d2 74 09 80 fa 03 0f 8e b1 05 00 00 44 89 b8 40
+RSP: 0018:ffffc900086d7bb0 EFLAGS: 00010202
+RAX: 0000000000000000 RBX: ffffffff8c34ee88 RCX: ffffc9001415c000
+RDX: 0000000000000068 RSI: ffffffff83f0e6e3 RDI: 0000000000000340
+RBP: ffffc900086d7cd0 R08: ffff888054ce0100 R09: fffffbfff16a2f6d
+R10: ffff888054ce0998 R11: ffff888054ce0100 R12: 000000000000001d
+R13: dffffc0000000000 R14: 1ffff920010daf79 R15: 000000000000ff7f
+FS: 00007f7d13c12700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffd477e3c38 CR3: 0000000095d0a000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: stable <stable@vger.kernel.org>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Link: https://lore.kernel.org/r/20200210190721.200418-1-edumazet@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/vt/vt_ioctl.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/drivers/tty/vt/vt_ioctl.c
++++ b/drivers/tty/vt/vt_ioctl.c
+@@ -876,15 +876,20 @@ int vt_ioctl(struct tty_struct *tty,
+ return -EINVAL;
+
+ for (i = 0; i < MAX_NR_CONSOLES; i++) {
++ struct vc_data *vcp;
++
+ if (!vc_cons[i].d)
+ continue;
+ console_lock();
+- if (v.v_vlin)
+- vc_cons[i].d->vc_scan_lines = v.v_vlin;
+- if (v.v_clin)
+- vc_cons[i].d->vc_font.height = v.v_clin;
+- vc_cons[i].d->vc_resize_user = 1;
+- vc_resize(vc_cons[i].d, v.v_cols, v.v_rows);
++ vcp = vc_cons[i].d;
++ if (vcp) {
++ if (v.v_vlin)
++ vcp->vc_scan_lines = v.v_vlin;
++ if (v.v_clin)
++ vcp->vc_font.height = v.v_clin;
++ vcp->vc_resize_user = 1;
++ vc_resize(vcp, v.v_cols, v.v_rows);
++ }
+ console_unlock();
+ }
+ break;
projects / thirdparty / kernel / stable-queue.git / commitdiff
