From: Greg Kroah-Hartman
Date: Mon, 31 Aug 2020 09:57:43 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v4.4.235~48
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4965139e54bbabf55cf01126382f900ae7eadef3;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
fbcon-prevent-user-font-height-or-width-change-from-causing-potential-out-of-bounds-access.patch
serial-8250-change-lock-order-in-serial8250_do_startup.patch
serial-pl011-don-t-leak-amba_ports-entry-on-driver-register-error.patch
serial-samsung-removes-the-irq-not-found-warning.patch
usb-lvtest-return-proper-error-code-in-probe.patch
vt-defer-kfree-of-vc_screenbuf-in-vc_do_resize.patch
vt_ioctl-change-vt_resizex-ioctl-to-check-for-error-return-from-vc_resize.patch
---
diff --git a/queue-4.4/fbcon-prevent-user-font-height-or-width-change-from-causing-potential-out-of-bounds-access.patch b/queue-4.4/fbcon-prevent-user-font-height-or-width-change-from-causing-potential-out-of-bounds-access.patch
new file mode 100644
index 00000000000..b07bb94b2a7
--- /dev/null
+++ b/queue-4.4/fbcon-prevent-user-font-height-or-width-change-from-causing-potential-out-of-bounds-access.patch
@@ -0,0 +1,79 @@ +From 39b3cffb8cf3111738ea993e2757ab382253d86a Mon Sep 17 00:00:00 2001 +From: George Kennedy +Date: Fri, 31 Jul 2020 12:33:11 -0400 +Subject: fbcon: prevent user font height or width change from causing potential out-of-bounds access + +From: George Kennedy + +commit 39b3cffb8cf3111738ea993e2757ab382253d86a upstream. + +Add a check to fbcon_resize() to ensure that a possible change to user font +height or user font width will not allow a font data out-of-bounds access. +NOTE: must use original charcount in calculation as font charcount can +change and cannot be used to determine the font data allocated size. + +Signed-off-by: George Kennedy +Cc: stable +Reported-by: syzbot+38a3699c7eaf165b97a6@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/1596213192-6635-1-git-send-email-george.kennedy@oracle.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/console/fbcon.c | 25 +++++++++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +--- a/drivers/video/console/fbcon.c ++++ b/drivers/video/console/fbcon.c +@@ -2117,6 +2117,9 @@ static void updatescrollmode(struct disp + } + } + ++#define PITCH(w) (((w) + 7) >> 3) ++#define CALC_FONTSZ(h, p, c) ((h) * (p) * (c)) /* size = height * pitch * charcount */ ++ + static int fbcon_resize(struct vc_data *vc, unsigned int width, + unsigned int height, unsigned int user) + { +@@ -2126,6 +2129,24 @@ static int fbcon_resize(struct vc_data * + struct fb_var_screeninfo var = info->var; + int x_diff, y_diff, virt_w, virt_h, virt_fw, virt_fh; + ++ if (ops->p && ops->p->userfont && FNTSIZE(vc->vc_font.data)) { ++ int size; ++ int pitch = PITCH(vc->vc_font.width); ++ ++ /* ++ * If user font, ensure that a possible change to user font ++ * height or width will not allow a font data out-of-bounds access. ++ * NOTE: must use original charcount in calculation as font ++ * charcount can change and cannot be used to determine the ++ * font data allocated size. 
++ */ ++ if (pitch <= 0) ++ return -EINVAL; ++ size = CALC_FONTSZ(vc->vc_font.height, pitch, FNTCHARCNT(vc->vc_font.data)); ++ if (size > FNTSIZE(vc->vc_font.data)) ++ return -EINVAL; ++ } ++ + virt_w = FBCON_SWAP(ops->rotate, width, height); + virt_h = FBCON_SWAP(ops->rotate, height, width); + virt_fw = FBCON_SWAP(ops->rotate, vc->vc_font.width, +@@ -2587,7 +2608,7 @@ static int fbcon_set_font(struct vc_data + int size; + int i, csum; + u8 *new_data, *data = font->data; +- int pitch = (font->width+7) >> 3; ++ int pitch = PITCH(font->width); + + /* Is there a reason why fbconsole couldn't handle any charcount >256? + * If not this check should be changed to charcount < 256 */ +@@ -2603,7 +2624,7 @@ static int fbcon_set_font(struct vc_data + if (fbcon_invalid_charcount(info, charcount)) + return -EINVAL; + +- size = h * pitch * charcount; ++ size = CALC_FONTSZ(h, pitch, charcount); + + new_data = kmalloc(FONT_EXTRA_WORDS * sizeof(int) + size, GFP_USER); + diff --git a/queue-4.4/powerpc-perf-fix-soft-lockups-due-to-missed-interrup.patch b/queue-4.4/powerpc-perf-fix-soft-lockups-due-to-missed-interrup.patch index b942c4b0ce3..5ac60413019 100644 --- a/queue-4.4/powerpc-perf-fix-soft-lockups-due-to-missed-interrup.patch +++ b/queue-4.4/powerpc-perf-fix-soft-lockups-due-to-missed-interrup.patch @@ -33,14 +33,12 @@ Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/1596717992-7321-1-git-send-email-atrajeev@linux.vnet.ibm.com Signed-off-by: Sasha Levin --- - arch/powerpc/perf/core-book3s.c | 4 ++++ + arch/powerpc/perf/core-book3s.c | 4 ++++ 1 file changed, 4 insertions(+) -diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c -index 30e2e8efbe6b7..aab13558e9700 100644 --- a/arch/powerpc/perf/core-book3s.c 
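Review bot: The guard computes `size = CALC_FONTSZ(vc->vc_font.height, pitch, FNTCHARCNT(vc->vc_font.data))` into an `int` with no overflow check, and the vt_ioctl patch on this same page shows `vc_font.height` being assigned straight from the user-supplied `v.v_clin`; a large height can wrap the product (the field types are not visible here, but `int size` is), so a wrapped value passes `size > FNTSIZE(vc->vc_font.data)` and the out-of-bounds access the check is meant to stop is not stopped. Comparing by division cannot wrap once `pitch` and the charcount are known positive: `if (pitch <= 0 || FNTCHARCNT(vc->vc_font.data) <= 0) return -EINVAL;` followed by `if (vc->vc_font.height > FNTSIZE(vc->vc_font.data) / pitch / FNTCHARCNT(vc->vc_font.data)) return -EINVAL;` (the 4.4 tree predates `check_mul_overflow()`). The shared `PITCH`/`CALC_FONTSZ` macros are a good way to keep fbcon_set_font() and fbcon_resize() agreeing on the size formula, so whichever form is chosen should be applied in both places. fbcon_resize() continues past the hunk.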
+++ b/arch/powerpc/perf/core-book3s.c -@@ -2040,6 +2040,10 @@ static void record_and_restart(struct perf_event *event, unsigned long val, +@@ -2040,6 +2040,10 @@ static void record_and_restart(struct pe if (perf_event_overflow(event, &data, regs)) power_pmu_stop(event, 0); @@ -51,6 +49,3 @@ index 30e2e8efbe6b7..aab13558e9700 100644 } } --- -2.25.1 - diff --git a/queue-4.4/serial-8250-change-lock-order-in-serial8250_do_startup.patch b/queue-4.4/serial-8250-change-lock-order-in-serial8250_do_startup.patch new file mode 100644 index 00000000000..3a4b18d701b --- /dev/null +++ b/queue-4.4/serial-8250-change-lock-order-in-serial8250_do_startup.patch 
@@ -0,0 +1,215 @@ +From 205d300aea75623e1ae4aa43e0d265ab9cf195fd Mon Sep 17 00:00:00 2001 +From: Sergey Senozhatsky +Date: Mon, 17 Aug 2020 11:26:46 +0900 +Subject: serial: 8250: change lock order in serial8250_do_startup() + +From: Sergey Senozhatsky + +commit 205d300aea75623e1ae4aa43e0d265ab9cf195fd upstream. + +We have a number of "uart.port->desc.lock vs desc.lock->uart.port" +lockdep reports coming from 8250 driver; this causes a bit of trouble +to people, so let's fix it. + +The problem is reverse lock order in two different call paths: + +chain #1: + + serial8250_do_startup() + spin_lock_irqsave(&port->lock); + disable_irq_nosync(port->irq); + raw_spin_lock_irqsave(&desc->lock) + +chain #2: + + __report_bad_irq() + raw_spin_lock_irqsave(&desc->lock) + for_each_action_of_desc() + printk() + spin_lock_irqsave(&port->lock); + +Fix this by changing the order of locks in serial8250_do_startup(): + do disable_irq_nosync() first, which grabs desc->lock, and grab + uart->port after that, so that chain #1 and chain #2 have same lock + order. + +Full lockdep splat: + + ====================================================== + WARNING: possible circular locking dependency detected + 5.4.39 #55 Not tainted + ====================================================== + + swapper/0/0 is trying to acquire lock: + ffffffffab65b6c0 (console_owner){-...}, at: console_lock_spinning_enable+0x31/0x57 + + but task is already holding lock: + ffff88810a8e34c0 (&irq_desc_lock_class){-.-.}, at: __report_bad_irq+0x5b/0xba + + which lock already depends on the new lock. 
+ + the existing dependency chain (in reverse order) is: + + -> #2 (&irq_desc_lock_class){-.-.}: + _raw_spin_lock_irqsave+0x61/0x8d + __irq_get_desc_lock+0x65/0x89 + __disable_irq_nosync+0x3b/0x93 + serial8250_do_startup+0x451/0x75c + uart_startup+0x1b4/0x2ff + uart_port_activate+0x73/0xa0 + tty_port_open+0xae/0x10a + uart_open+0x1b/0x26 + tty_open+0x24d/0x3a0 + chrdev_open+0xd5/0x1cc + do_dentry_open+0x299/0x3c8 + path_openat+0x434/0x1100 + do_filp_open+0x9b/0x10a + do_sys_open+0x15f/0x3d7 + kernel_init_freeable+0x157/0x1dd + kernel_init+0xe/0x105 + ret_from_fork+0x27/0x50 + + -> #1 (&port_lock_key){-.-.}: + _raw_spin_lock_irqsave+0x61/0x8d + serial8250_console_write+0xa7/0x2a0 + console_unlock+0x3b7/0x528 + vprintk_emit+0x111/0x17f + printk+0x59/0x73 + register_console+0x336/0x3a4 + uart_add_one_port+0x51b/0x5be + serial8250_register_8250_port+0x454/0x55e + dw8250_probe+0x4dc/0x5b9 + platform_drv_probe+0x67/0x8b + really_probe+0x14a/0x422 + driver_probe_device+0x66/0x130 + device_driver_attach+0x42/0x5b + __driver_attach+0xca/0x139 + bus_for_each_dev+0x97/0xc9 + bus_add_driver+0x12b/0x228 + driver_register+0x64/0xed + do_one_initcall+0x20c/0x4a6 + do_initcall_level+0xb5/0xc5 + do_basic_setup+0x4c/0x58 + kernel_init_freeable+0x13f/0x1dd + kernel_init+0xe/0x105 + ret_from_fork+0x27/0x50 + + -> #0 (console_owner){-...}: + __lock_acquire+0x118d/0x2714 + lock_acquire+0x203/0x258 + console_lock_spinning_enable+0x51/0x57 + console_unlock+0x25d/0x528 + vprintk_emit+0x111/0x17f + printk+0x59/0x73 + __report_bad_irq+0xa3/0xba + note_interrupt+0x19a/0x1d6 + handle_irq_event_percpu+0x57/0x79 + handle_irq_event+0x36/0x55 + handle_fasteoi_irq+0xc2/0x18a + do_IRQ+0xb3/0x157 + ret_from_intr+0x0/0x1d + cpuidle_enter_state+0x12f/0x1fd + cpuidle_enter+0x2e/0x3d + do_idle+0x1ce/0x2ce + cpu_startup_entry+0x1d/0x1f + start_kernel+0x406/0x46a + secondary_startup_64+0xa4/0xb0 + + other info that might help us debug this: + + Chain exists of: + console_owner --> &port_lock_key --> 
&irq_desc_lock_class + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&irq_desc_lock_class); + lock(&port_lock_key); + lock(&irq_desc_lock_class); + lock(console_owner); + + *** DEADLOCK *** + + 2 locks held by swapper/0/0: + #0: ffff88810a8e34c0 (&irq_desc_lock_class){-.-.}, at: __report_bad_irq+0x5b/0xba + #1: ffffffffab65b5c0 (console_lock){+.+.}, at: console_trylock_spinning+0x20/0x181 + + stack backtrace: + CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.39 #55 + Hardware name: XXXXXX + Call Trace: + + dump_stack+0xbf/0x133 + ? print_circular_bug+0xd6/0xe9 + check_noncircular+0x1b9/0x1c3 + __lock_acquire+0x118d/0x2714 + lock_acquire+0x203/0x258 + ? console_lock_spinning_enable+0x31/0x57 + console_lock_spinning_enable+0x51/0x57 + ? console_lock_spinning_enable+0x31/0x57 + console_unlock+0x25d/0x528 + ? console_trylock+0x18/0x4e + vprintk_emit+0x111/0x17f + ? lock_acquire+0x203/0x258 + printk+0x59/0x73 + __report_bad_irq+0xa3/0xba + note_interrupt+0x19a/0x1d6 + handle_irq_event_percpu+0x57/0x79 + handle_irq_event+0x36/0x55 + handle_fasteoi_irq+0xc2/0x18a + do_IRQ+0xb3/0x157 + common_interrupt+0xf/0xf + + +Signed-off-by: Sergey Senozhatsky +Fixes: 768aec0b5bcc ("serial: 8250: fix shared interrupts issues with SMP and RT kernels") +Reported-by: Guenter Roeck +Reported-by: Raul Rangel +BugLink: https://bugs.chromium.org/p/chromium/issues/detail?id=1114800 +Link: https://lore.kernel.org/lkml/CAHQZ30BnfX+gxjPm1DUd5psOTqbyDh4EJE=2=VAMW_VDafctkA@mail.gmail.com/T/#u +Reviewed-by: Andy Shevchenko +Reviewed-by: Guenter Roeck +Tested-by: Guenter Roeck +Cc: stable +Link: https://lore.kernel.org/r/20200817022646.1484638-1-sergey.senozhatsky@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/8250/8250_port.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -1902,6 +1902,10 @@ int serial8250_do_startup(struct uart_po + + if 
(port->irq) { + unsigned char iir1; ++ ++ if (port->irqflags & IRQF_SHARED) ++ disable_irq_nosync(port->irq); ++ + /* + * Test for UARTs that do not reassert THRE when the + * transmitter is idle and the interrupt has already +@@ -1911,8 +1915,6 @@ int serial8250_do_startup(struct uart_po + * allow register changes to become visible. + */ + spin_lock_irqsave(&port->lock, flags); +- if (up->port.irqflags & IRQF_SHARED) +- disable_irq_nosync(port->irq); + + wait_for_xmitr(up, UART_LSR_THRE); + serial_port_out_sync(port, UART_IER, UART_IER_THRI); +@@ -1924,9 +1926,10 @@ int serial8250_do_startup(struct uart_po + iir = serial_port_in(port, UART_IIR); + serial_port_out(port, UART_IER, 0); + ++ spin_unlock_irqrestore(&port->lock, flags); ++ + if (port->irqflags & IRQF_SHARED) + enable_irq(port->irq); +- spin_unlock_irqrestore(&port->lock, flags); + + /* + * If the interrupt is not reasserted, or we otherwise diff --git a/queue-4.4/serial-pl011-don-t-leak-amba_ports-entry-on-driver-register-error.patch b/queue-4.4/serial-pl011-don-t-leak-amba_ports-entry-on-driver-register-error.patch new file mode 100644 index 00000000000..1bb070769f2 --- /dev/null +++ b/queue-4.4/serial-pl011-don-t-leak-amba_ports-entry-on-driver-register-error.patch 
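Review bot: The relocated `disable_irq_nosync(port->irq)` carries no comment saying why it must now sit before `spin_lock_irqsave(&port->lock, flags)`, so a later cleanup could move it back under the lock and silently reintroduce the desc->lock/port->lock inversion this commit removes. A short why-comment above the new call would pin the ordering: `/* Take desc->lock (inside disable_irq_nosync) before port->lock: __report_bad_irq() holds desc->lock while printk() takes port->lock, so the reverse order here is an ABBA deadlock. */`, and the same note applies to the `spin_unlock_irqrestore()` that now precedes `enable_irq()`. The moved condition reads `port->irqflags` where the removed one read `up->port.irqflags`, presumably the same object. serial8250_do_startup() continues outside the hunk.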
@@ -0,0 +1,52 @@ +From 89efbe70b27dd325d8a8c177743a26b885f7faec Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Thu, 13 Aug 2020 12:59:54 +0200 +Subject: serial: pl011: Don't leak amba_ports entry on driver register error + +From: Lukas Wunner + +commit 89efbe70b27dd325d8a8c177743a26b885f7faec upstream. + +pl011_probe() calls pl011_setup_port() to reserve an amba_ports[] entry, +then calls pl011_register_port() to register the uart driver with the +tty layer. + +If registration of the uart driver fails, the amba_ports[] entry is not +released. If this happens 14 times (value of UART_NR macro), then all +amba_ports[] entries will have been leaked and driver probing is no +longer possible. (To be fair, that can only happen if the DeviceTree +doesn't contain alias IDs since they cause the same entry to be used for +a given port.) Fix it. + +Fixes: ef2889f7ffee ("serial: pl011: Move uart_register_driver call to device") +Signed-off-by: Lukas Wunner +Cc: stable@vger.kernel.org # v3.15+ +Cc: Tushar Behera +Link: https://lore.kernel.org/r/138f8c15afb2f184d8102583f8301575566064a6.1597316167.git.lukas@wunner.de +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/amba-pl011.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/amba-pl011.c ++++ b/drivers/tty/serial/amba-pl011.c +@@ -2332,7 +2332,7 @@ static int pl011_setup_port(struct devic + + static int pl011_register_port(struct uart_amba_port *uap) + { +- int ret; ++ int ret, i; + + /* Ensure interrupts from this UART are masked and cleared */ + writew(0, uap->port.membase + UART011_IMSC); +@@ -2343,6 +2343,9 @@ static int pl011_register_port(struct ua + if (ret < 0) { + dev_err(uap->port.dev, + "Failed to register AMBA-PL011 driver\n"); ++ for (i = 0; i < ARRAY_SIZE(amba_ports); i++) ++ if (amba_ports[i] == uap) ++ amba_ports[i] = NULL; + return ret; + } + } 
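Review bot: The new release loop runs only on the `uart_register_driver()` failure visible here, while pl011_register_port() continues past the hunk, presumably to `uart_add_one_port()`; if that call can fail, the `amba_ports[]` slot reserved by pl011_setup_port() still leaks on that path and needs the same release. Two small points on the loop itself: `i` is declared `int` but compared against `ARRAY_SIZE(amba_ports)`, a `size_t`, which trips `-Wsign-compare`, and the loop can stop once the matching slot is cleared. `unsigned int i;` together with `amba_ports[i] = NULL; break;` (braced) covers both.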
diff --git a/queue-4.4/serial-samsung-removes-the-irq-not-found-warning.patch b/queue-4.4/serial-samsung-removes-the-irq-not-found-warning.patch new file mode 100644 index 00000000000..de9ed571693 --- /dev/null +++ b/queue-4.4/serial-samsung-removes-the-irq-not-found-warning.patch @@ -0,0 +1,50 @@ +From 8c6c378b0cbe0c9f1390986b5f8ffb5f6ff7593b Mon Sep 17 00:00:00 2001 +From: Tamseel Shams +Date: Mon, 10 Aug 2020 08:30:21 +0530 +Subject: serial: samsung: Removes the IRQ not found warning + +From: Tamseel Shams + +commit 8c6c378b0cbe0c9f1390986b5f8ffb5f6ff7593b upstream. + +In few older Samsung SoCs like s3c2410, s3c2412 +and s3c2440, UART IP is having 2 interrupt lines. +However, in other SoCs like s3c6400, s5pv210, +exynos5433, and exynos4210 UART is having only 1 +interrupt line. Due to this, "platform_get_irq(platdev, 1)" +call in the driver gives the following false-positive error: +"IRQ index 1 not found" on newer SoC's. + +This patch adds the condition to check for Tx interrupt +only for the those SoC's which have 2 interrupt lines. + +Tested-by: Alim Akhtar +Tested-by: Marek Szyprowski +Reviewed-by: Krzysztof Kozlowski +Reviewed-by: Alim Akhtar +Signed-off-by: Tamseel Shams +Cc: stable +Link: https://lore.kernel.org/r/20200810030021.45348-1-m.shams@samsung.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/samsung.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/tty/serial/samsung.c ++++ b/drivers/tty/serial/samsung.c +@@ -1719,9 +1719,11 @@ static int s3c24xx_serial_init_port(stru + ourport->tx_irq = ret + 1; + } + +- ret = platform_get_irq(platdev, 1); +- if (ret > 0) +- ourport->tx_irq = ret; ++ if (!s3c24xx_serial_has_interrupt_mask(port)) { ++ ret = platform_get_irq(platdev, 1); ++ if (ret > 0) ++ ourport->tx_irq = ret; ++ } + /* + * DMA is currently supported only on DT platforms, if DMA properties + * are specified. diff --git a/queue-4.4/series b/queue-4.4/series index 942b0688416..1f9136d8e7f 100644 
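Review bot: The new `if (!s3c24xx_serial_has_interrupt_mask(port))` guard has no comment giving the hardware reason, and the negated helper name does not make it obvious that "no interrupt mask" means "older SoC with a separate Tx IRQ line at index 1". Suggest a why-comment above it: `/* Only SoCs without an interrupt mask (s3c2410/2412/2440) wire Tx as a second IRQ line; newer parts have a single line, so IRQ index 1 does not exist there. */`. The SoC list comes from the commit message rather than the code, so keep it generic if that list is not exhaustive. s3c24xx_serial_init_port() continues outside the hunk.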
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -37,3 +37,10 @@ s390-cio-add-cond_resched-in-the-slow_eval_known_fn-.patch
 scsi-ufs-fix-possible-infinite-loop-in-ufshcd_hold.patch
 net-gianfar-add-of_node_put-before-goto-statement.patch
 powerpc-perf-fix-soft-lockups-due-to-missed-interrup.patch
+fbcon-prevent-user-font-height-or-width-change-from-causing-potential-out-of-bounds-access.patch
+usb-lvtest-return-proper-error-code-in-probe.patch
+vt-defer-kfree-of-vc_screenbuf-in-vc_do_resize.patch
+vt_ioctl-change-vt_resizex-ioctl-to-check-for-error-return-from-vc_resize.patch
+serial-samsung-removes-the-irq-not-found-warning.patch
+serial-pl011-don-t-leak-amba_ports-entry-on-driver-register-error.patch
+serial-8250-change-lock-order-in-serial8250_do_startup.patch
diff --git a/queue-4.4/usb-lvtest-return-proper-error-code-in-probe.patch b/queue-4.4/usb-lvtest-return-proper-error-code-in-probe.patch
new file mode 100644
index 00000000000..a32f1b2f7e2
--- /dev/null
+++ b/queue-4.4/usb-lvtest-return-proper-error-code-in-probe.patch
@@ -0,0 +1,35 @@ +From 531412492ce93ea29b9ca3b4eb5e3ed771f851dd Mon Sep 17 00:00:00 2001 +From: Evgeny Novikov +Date: Wed, 5 Aug 2020 12:06:43 +0300 +Subject: USB: lvtest: return proper error code in probe + +From: Evgeny Novikov + +commit 531412492ce93ea29b9ca3b4eb5e3ed771f851dd upstream. + +lvs_rh_probe() can return some nonnegative value from usb_control_msg() +when it is less than "USB_DT_HUB_NONVAR_SIZE + 2" that is considered as +a failure. Make lvs_rh_probe() return -EINVAL in this case. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Evgeny Novikov +Cc: stable +Link: https://lore.kernel.org/r/20200805090643.3432-1-novikov@ispras.ru +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/lvstest.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/misc/lvstest.c ++++ b/drivers/usb/misc/lvstest.c +@@ -396,7 +396,7 @@ static int lvs_rh_probe(struct usb_inter + USB_DT_SS_HUB_SIZE, USB_CTRL_GET_TIMEOUT); + if (ret < (USB_DT_HUB_NONVAR_SIZE + 2)) { + dev_err(&hdev->dev, "wrong root hub descriptor read %d\n", ret); +- return ret; ++ return ret < 0 ? ret : -EINVAL; + } + + /* submit urb to poll interrupt endpoint */ diff --git a/queue-4.4/vt-defer-kfree-of-vc_screenbuf-in-vc_do_resize.patch b/queue-4.4/vt-defer-kfree-of-vc_screenbuf-in-vc_do_resize.patch new file mode 100644 index 00000000000..c461b565f41 --- /dev/null +++ b/queue-4.4/vt-defer-kfree-of-vc_screenbuf-in-vc_do_resize.patch 
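Review bot: The added `return ret < 0 ? ret : -EINVAL;` reports a short descriptor read as `-EINVAL`, which readers of a probe failure usually take to mean a bad argument from the caller; a transfer that completed but delivered fewer than `USB_DT_HUB_NONVAR_SIZE + 2` bytes is a device or I/O-layer problem, and `-EIO` would describe it more accurately. This is a point of convention only; the change itself correctly stops a non-negative byte count from being returned as the probe result. `return ret < 0 ? ret : -EIO;` if that convention is preferred. lvs_rh_probe() continues outside the hunk.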
@@ -0,0 +1,57 @@ +From f8d1653daec02315e06d30246cff4af72e76e54e Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Wed, 29 Jul 2020 23:57:01 +0900 +Subject: vt: defer kfree() of vc_screenbuf in vc_do_resize() + +From: Tetsuo Handa + +commit f8d1653daec02315e06d30246cff4af72e76e54e upstream. + +syzbot is reporting UAF bug in set_origin() from vc_do_resize() [1], for +vc_do_resize() calls kfree(vc->vc_screenbuf) before calling set_origin(). + +Unfortunately, in set_origin(), vc->vc_sw->con_set_origin() might access +vc->vc_pos when scroll is involved in order to manipulate cursor, but +vc->vc_pos refers already released vc->vc_screenbuf until vc->vc_pos gets +updated based on the result of vc->vc_sw->con_set_origin(). + +Preserving old buffer and tolerating outdated vc members until set_origin() +completes would be easier than preventing vc->vc_sw->con_set_origin() from +accessing outdated vc members. + +[1] https://syzkaller.appspot.com/bug?id=6649da2081e2ebdc65c0642c214b27fe91099db3 + +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Cc: stable +Link: https://lore.kernel.org/r/1596034621-4714-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/vt.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -864,7 +864,7 @@ static int vc_do_resize(struct tty_struc + unsigned int old_rows, old_row_size; + unsigned int new_cols, new_rows, new_row_size, new_screen_size; + unsigned int user; +- unsigned short *newscreen; ++ unsigned short *oldscreen, *newscreen; + + WARN_CONSOLE_UNLOCKED(); + +@@ -946,10 +946,11 @@ static int vc_do_resize(struct tty_struc + if (new_scr_end > new_origin) + scr_memsetw((void *)new_origin, vc->vc_video_erase_char, + new_scr_end - new_origin); +- kfree(vc->vc_screenbuf); ++ oldscreen = vc->vc_screenbuf; + vc->vc_screenbuf = newscreen; + vc->vc_screenbuf_size = new_screen_size; + set_origin(vc); ++ kfree(oldscreen); + + 
/* do part of a reset_terminal() */ + vc->vc_top = 0; diff --git a/queue-4.4/vt_ioctl-change-vt_resizex-ioctl-to-check-for-error-return-from-vc_resize.patch b/queue-4.4/vt_ioctl-change-vt_resizex-ioctl-to-check-for-error-return-from-vc_resize.patch new file mode 100644 index 00000000000..8fc6bc1d19c --- /dev/null +++ b/queue-4.4/vt_ioctl-change-vt_resizex-ioctl-to-check-for-error-return-from-vc_resize.patch @@ -0,0 +1,49 @@ +From bc5269ca765057a1b762e79a1cfd267cd7bf1c46 Mon Sep 17 00:00:00 2001 +From: George Kennedy +Date: Fri, 31 Jul 2020 12:33:12 -0400 +Subject: vt_ioctl: change VT_RESIZEX ioctl to check for error return from vc_resize() + +From: George Kennedy + +commit bc5269ca765057a1b762e79a1cfd267cd7bf1c46 upstream. + +vc_resize() can return with an error after failure. Change VT_RESIZEX ioctl +to save struct vc_data values that are modified and restore the original +values in case of error. + +Signed-off-by: George Kennedy +Cc: stable +Reported-by: syzbot+38a3699c7eaf165b97a6@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/1596213192-6635-2-git-send-email-george.kennedy@oracle.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/vt_ioctl.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/tty/vt/vt_ioctl.c ++++ b/drivers/tty/vt/vt_ioctl.c +@@ -896,12 +896,22 @@ int vt_ioctl(struct tty_struct *tty, + console_lock(); + vcp = vc_cons[i].d; + if (vcp) { ++ int ret; ++ int save_scan_lines = vcp->vc_scan_lines; ++ int save_font_height = vcp->vc_font.height; ++ + if (v.v_vlin) + vcp->vc_scan_lines = v.v_vlin; + if (v.v_clin) + vcp->vc_font.height = v.v_clin; + vcp->vc_resize_user = 1; +- vc_resize(vcp, v.v_cols, v.v_rows); ++ ret = vc_resize(vcp, v.v_cols, v.v_rows); ++ if (ret) { ++ vcp->vc_scan_lines = save_scan_lines; ++ vcp->vc_font.height = save_font_height; ++ console_unlock(); ++ return ret; ++ } + } + console_unlock(); + }
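Review bot: Keeping `oldscreen` alive across `set_origin(vc)` is the whole fix, but nothing in the code says so; the next reader sees a `kfree()` that could "obviously" move back up next to the assignment. Suggest a comment on the new `kfree(oldscreen);` line: `/* Free only after set_origin(): con_set_origin() may still read vc_pos/vc_origin, which point into the old buffer until set_origin() updates them. */`. The two statements between `oldscreen = vc->vc_screenbuf;` and the free are both visible and neither returns, so the deferral introduces no leak on this path. vc_do_resize() begins and ends outside the hunk.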
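Review bot: The rollback restores `vc_scan_lines` and `vc_font.height` when `vc_resize()` fails, but the user-supplied `v.v_vlin` and `v.v_clin` are still stored into the live console before any range check, so the only validation is whatever each console driver's resize path happens to do; a bound applied before the assignments (for example rejecting a `v.v_clin` larger than the font height con_font_set() already accepts for uploaded fonts) would be a cheaper, driver-independent defence. `vcp->vc_resize_user = 1;` is set before the call and not cleared on the new error path; if vc_resize() resets it only after its own early checks, a failed VT_RESIZEX leaves it set for the next resize — worth confirming against vc_do_resize(), which is not in this hunk. The saved copies are `int` while the fields they mirror are presumably `unsigned int`; declaring them `unsigned int` avoids a sign conversion on restore. vt_ioctl() continues outside the hunk.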