--- /dev/null
+From a49145acfb975d921464b84fe00279f99827d816 Mon Sep 17 00:00:00 2001
+From: George Kennedy <george.kennedy@oracle.com>
+Date: Tue, 7 Jul 2020 15:26:03 -0400
+Subject: fbmem: add margin check to fb_check_caps()
+
+From: George Kennedy <george.kennedy@oracle.com>
+
+commit a49145acfb975d921464b84fe00279f99827d816 upstream.
+
+A fb_ioctl() FBIOPUT_VSCREENINFO call with invalid xres setting
+or yres setting in struct fb_var_screeninfo will result in a
+KASAN: vmalloc-out-of-bounds failure in bitfill_aligned() as
+the margins are being cleared. The margins are cleared in
+chunks and if the xres setting or yres setting is a value of
+zero upto the chunk size, the failure will occur.
+
+Add a margin check to validate xres and yres settings.
+
+Signed-off-by: George Kennedy <george.kennedy@oracle.com>
+Reported-by: syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Dhaval Giani <dhaval.giani@oracle.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/1594149963-13801-1-git-send-email-george.kennedy@oracle.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/core/fbmem.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/video/fbdev/core/fbmem.c
++++ b/drivers/video/fbdev/core/fbmem.c
+@@ -1001,6 +1001,10 @@ fb_set_var(struct fb_info *info, struct
+ goto done;
+ }
+
++ /* bitfill_aligned() assumes that it's at least 8x8 */
++ if (var->xres < 8 || var->yres < 8)
++ return -EINVAL;
++
+ ret = info->fbops->fb_check_var(var, info);
+
+ if (ret)
--- /dev/null
+From 2287a51ba822384834dafc1c798453375d1107c7 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 30 Aug 2021 08:55:18 -0700
+Subject: vt_kdsetmode: extend console locking
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 2287a51ba822384834dafc1c798453375d1107c7 upstream.
+
+As per the long-suffering comment.
+
+Reported-by: Minh Yuan <yuanmingbuaa@gmail.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Jiri Slaby <jirislaby@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/vt/vt_ioctl.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/tty/vt/vt_ioctl.c
++++ b/drivers/tty/vt/vt_ioctl.c
+@@ -487,16 +487,19 @@ int vt_ioctl(struct tty_struct *tty,
+ ret = -EINVAL;
+ goto out;
+ }
+- /* FIXME: this needs the console lock extending */
+- if (vc->vc_mode == (unsigned char) arg)
++ console_lock();
++ if (vc->vc_mode == (unsigned char) arg) {
++ console_unlock();
+ break;
++ }
+ vc->vc_mode = (unsigned char) arg;
+- if (console != fg_console)
++ if (console != fg_console) {
++ console_unlock();
+ break;
++ }
+ /*
+ * explicitly blank/unblank the screen if switching modes
+ */
+- console_lock();
+ if (arg == KD_TEXT)
+ do_unblank_screen(1);
+ else
projects / thirdparty / kernel / stable-queue.git / commitdiff
