From: Greg Kroah-Hartman Date: Mon, 9 Nov 2020 09:58:48 +0000 (+0100) Subject: 5.9-stable patches X-Git-Tag: v4.4.242~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b1901cbd7b02246c1bc9c90c8ac4517883bc2e39;p=thirdparty%2Fkernel%2Fstable-queue.git 5.9-stable patches added patches: tty-fix-crash-in-release_tty-if-tty-port-is-not-set.patch tty-serial-imx-enable-earlycon-by-default-if-imx_serial_console-is-enabled.patch vt-disable-kd_font_op_copy.patch --- diff --git a/queue-5.9/series b/queue-5.9/series index 58f2fc85230..c35c1e4ba51 100644 --- a/queue-5.9/series +++ b/queue-5.9/series @@ -102,3 +102,6 @@ usb-cdns3-gadget-suspicious-implicit-sign-extension.patch drm-nouveau-nouveau-fix-the-start-end-range-for-migr.patch drm-nouveau-gem-fix-refcount_t-underflow-use-after-f.patch arm64-smp-move-rcu_cpu_starting-earlier.patch +vt-disable-kd_font_op_copy.patch +tty-serial-imx-enable-earlycon-by-default-if-imx_serial_console-is-enabled.patch +tty-fix-crash-in-release_tty-if-tty-port-is-not-set.patch diff --git a/queue-5.9/tty-fix-crash-in-release_tty-if-tty-port-is-not-set.patch b/queue-5.9/tty-fix-crash-in-release_tty-if-tty-port-is-not-set.patch new file mode 100644 index 00000000000..1d6e905fc0d --- /dev/null +++ b/queue-5.9/tty-fix-crash-in-release_tty-if-tty-port-is-not-set.patch 
@@ -0,0 +1,43 @@ +From 4466d6d2f80c1193e0845d110277c56da77a6418 Mon Sep 17 00:00:00 2001 +From: Matthias Reichl +Date: Thu, 5 Nov 2020 13:34:32 +0100 +Subject: tty: fix crash in release_tty if tty->port is not set + +From: Matthias Reichl + +commit 4466d6d2f80c1193e0845d110277c56da77a6418 upstream. + +Commit 2ae0b31e0face ("tty: don't crash in tty_init_dev when missing +tty_port") didn't fully prevent the crash as the cleanup path in +tty_init_dev() calls release_tty() which dereferences tty->port +without checking it for non-null. + +Add tty->port checks to release_tty to avoid the kernel crash. + +Fixes: 2ae0b31e0face ("tty: don't crash in tty_init_dev when missing tty_port") +Signed-off-by: Matthias Reichl +Link: https://lore.kernel.org/r/20201105123432.4448-1-hias@horus.com +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/tty_io.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -1514,10 +1514,12 @@ static void release_tty(struct tty_struc + tty->ops->shutdown(tty); + tty_save_termios(tty); + tty_driver_remove_tty(tty->driver, tty); +- tty->port->itty = NULL; ++ if (tty->port) ++ tty->port->itty = NULL; + if (tty->link) + tty->link->port->itty = NULL; +- tty_buffer_cancel_work(tty->port); ++ if (tty->port) ++ tty_buffer_cancel_work(tty->port); + if (tty->link) + tty_buffer_cancel_work(tty->link->port); + diff --git a/queue-5.9/tty-serial-imx-enable-earlycon-by-default-if-imx_serial_console-is-enabled.patch b/queue-5.9/tty-serial-imx-enable-earlycon-by-default-if-imx_serial_console-is-enabled.patch new file mode 100644 index 00000000000..c33a98a18dd --- /dev/null +++ b/queue-5.9/tty-serial-imx-enable-earlycon-by-default-if-imx_serial_console-is-enabled.patch 
@@ -0,0 +1,38 @@ +From 427627a23c3e86e31113f9db9bfdca41698a0ee5 Mon Sep 17 00:00:00 2001 +From: Lucas Stach +Date: Thu, 5 Nov 2020 21:40:26 +0100 +Subject: tty: serial: imx: enable earlycon by default if IMX_SERIAL_CONSOLE is enabled + +From: Lucas Stach + +commit 427627a23c3e86e31113f9db9bfdca41698a0ee5 upstream. + +Since 699cc4dfd140 (tty: serial: imx: add imx earlycon driver), the earlycon +part of imx serial is a separate driver and isn't necessarily enabled anymore +when the console is enabled. This causes users to loose the earlycon +functionality when upgrading their kenrel configuration via oldconfig. + +Enable earlycon by default when IMX_SERIAL_CONSOLE is enabled. + +Fixes: 699cc4dfd140 (tty: serial: imx: add imx earlycon driver) +Reviewed-by: Fabio Estevam +Reviewed-by: Fugang Duan +Signed-off-by: Lucas Stach +Link: https://lore.kernel.org/r/20201105204026.1818219-1-l.stach@pengutronix.de +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/tty/serial/Kconfig ++++ b/drivers/tty/serial/Kconfig +@@ -522,6 +522,7 @@ config SERIAL_IMX_EARLYCON + depends on OF + select SERIAL_EARLYCON + select SERIAL_CORE_CONSOLE ++ default y if SERIAL_IMX_CONSOLE + help + If you have enabled the earlycon on the Freescale IMX + CPU you can make it the earlycon by answering Y to this option. diff --git a/queue-5.9/vt-disable-kd_font_op_copy.patch b/queue-5.9/vt-disable-kd_font_op_copy.patch new file mode 100644 index 00000000000..c5e8fc66d4d --- /dev/null +++ b/queue-5.9/vt-disable-kd_font_op_copy.patch 
@@ -0,0 +1,117 @@ +From 3c4e0dff2095c579b142d5a0693257f1c58b4804 Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Sun, 8 Nov 2020 16:38:06 +0100 +Subject: vt: Disable KD_FONT_OP_COPY + +From: Daniel Vetter + +commit 3c4e0dff2095c579b142d5a0693257f1c58b4804 upstream. + +It's buggy: + +On Fri, Nov 06, 2020 at 10:30:08PM +0800, Minh Yuan wrote: +> We recently discovered a slab-out-of-bounds read in fbcon in the latest +> kernel ( v5.10-rc2 for now ). The root cause of this vulnerability is that +> "fbcon_do_set_font" did not handle "vc->vc_font.data" and +> "vc->vc_font.height" correctly, and the patch +> for VT_RESIZEX can't handle this +> issue. +> +> Specifically, we use KD_FONT_OP_SET to set a small font.data for tty6, and +> use KD_FONT_OP_SET again to set a large font.height for tty1. After that, +> we use KD_FONT_OP_COPY to assign tty6's vc_font.data to tty1's vc_font.data +> in "fbcon_do_set_font", while tty1 retains the original larger +> height. Obviously, this will cause an out-of-bounds read, because we can +> access a smaller vc_font.data with a larger vc_font.height. + +Further there was only one user ever. +- Android's loadfont, busybox and console-tools only ever use OP_GET + and OP_SET +- fbset documentation only mentions the kernel cmdline font: option, + not anything else. +- systemd used OP_COPY before release 232 published in Nov 2016 + +Now unfortunately the crucial report seems to have gone down with +gmane, and the commit message doesn't say much. But the pull request +hints at OP_COPY being broken + +https://github.com/systemd/systemd/pull/3651 + +So in other words, this never worked, and the only project which +foolishly every tried to use it, realized that rather quickly too. + +Instead of trying to fix security issues here on dead code by adding +missing checks, fix the entire thing by removing the functionality. 
+ +Note that systemd code using the OP_COPY function ignored the return +value, so it doesn't matter what we're doing here really - just in +case a lone server somewhere happens to be extremely unlucky and +running an affected old version of systemd. The relevant code from +font_copy_to_all_vcs() in systemd was: + + /* copy font from active VT, where the font was uploaded to */ + cfo.op = KD_FONT_OP_COPY; + cfo.height = vcs.v_active-1; /* tty1 == index 0 */ + (void) ioctl(vcfd, KDFONTOP, &cfo); + +Note this just disables the ioctl, garbage collecting the now unused +callbacks is left for -next. + +v2: Tetsuo found the old mail, which allowed me to find it on another +archive. Add the link too. + +Acked-by: Peilin Ye +Reported-by: Minh Yuan +References: https://lists.freedesktop.org/archives/systemd-devel/2016-June/036935.html +References: https://github.com/systemd/systemd/pull/3651 +Cc: Greg KH +Cc: Peilin Ye +Cc: Tetsuo Handa +Signed-off-by: Daniel Vetter +Link: https://lore.kernel.org/r/20201108153806.3140315-1-daniel.vetter@ffwll.ch +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/vt.c | 24 ++---------------------- + 1 file changed, 2 insertions(+), 22 deletions(-) + +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -4700,27 +4700,6 @@ static int con_font_default(struct vc_da + return rc; + } + +-static int con_font_copy(struct vc_data *vc, struct console_font_op *op) +-{ +- int con = op->height; +- int rc; +- +- +- console_lock(); +- if (vc->vc_mode != KD_TEXT) +- rc = -EINVAL; +- else if (!vc->vc_sw->con_font_copy) +- rc = -ENOSYS; +- else if (con < 0 || !vc_cons_allocated(con)) +- rc = -ENOTTY; +- else if (con == vc->vc_num) /* nothing to do */ +- rc = 0; +- else +- rc = vc->vc_sw->con_font_copy(vc, con); +- console_unlock(); +- return rc; +-} +- + int con_font_op(struct vc_data *vc, struct console_font_op *op) + { + switch (op->op) { +@@ -4731,7 +4710,8 @@ int con_font_op(struct vc_data *vc, stru + case KD_FONT_OP_SET_DEFAULT: + return 
con_font_default(vc, op); + case KD_FONT_OP_COPY: +- return con_font_copy(vc, op); ++ /* was buggy and never really used */ ++ return -EINVAL; + } + return -ENOSYS; + }
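Review bot: the three new entries in queue-5.9/series are appended in the reverse order of the "added patches" list in the commit message (vt-disable-kd_font_op_copy.patch first, tty-fix-crash-in-release_tty-if-tty-port-is-not-set.patch last). Since the three patches touch disjoint files (drivers/tty/vt/vt.c, drivers/tty/serial/Kconfig, drivers/tty/tty_io.c) the order does not affect application, but keeping series and the message consistent makes the queue easier to audit.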
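Review bot: in the release_tty() hunk of tty-fix-crash-in-release_tty-if-tty-port-is-not-set.patch, the two new `if (tty->port)` guards protect `tty->port->itty = NULL` and `tty_buffer_cancel_work(tty->port)`, but the adjacent `tty->link->port->itty = NULL` and `tty_buffer_cancel_work(tty->link->port)` remain guarded only by `if (tty->link)`; if the failing tty_init_dev() cleanup path can reach release_tty() with a link whose port is also unset, those two dereferences need the same treatment (`if (tty->link && tty->link->port)`). A one-line comment above the guards pointing at the tty_init_dev() cleanup path described in the message would also tell the next reader why a NULL port is legal here.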
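Review bot: the SERIAL_IMX_EARLYCON hunk adds `default y if SERIAL_IMX_CONSOLE` but leaves the help text unchanged; it should mention that the option is now enabled automatically together with the IMX serial console, since the stated motivation is users losing earlycon after oldconfig. In the commit message, the Fixes: line omits the quotes around the subject (`Fixes: 699cc4dfd140 ("tty: serial: imx: add imx earlycon driver")` is the usual form), and "loose" and "kenrel" should read "lose" and "kernel".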
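Review bot: the removed con_font_copy() in the first vt.c hunk validated the target console with `con < 0 || !vc_cons_allocated(con)` but never compared the source and destination font dimensions, which is the root cause of the out-of-bounds read in Minh Yuan's report; it also overloaded `op->height` as the console index (visible in the quoted systemd snippet `cfo.height = vcs.v_active-1`), so the interface had no field left for the real height check. Removing the function rather than patching it is the right call, but because `vc->vc_sw->con_font_copy` is kept (the message defers that cleanup to -next), the patch should note in vt.c that the callback is now unreachable so nobody re-wires it.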
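Review bot: in the con_font_op() hunk, `case KD_FONT_OP_COPY` now returns -EINVAL, while the old con_font_copy() returned -ENOSYS when a driver had no con_font_copy callback and the switch fallthrough still returns -ENOSYS for unknown ops; a userspace caller that probed support by checking for ENOSYS will now see EINVAL, so either return -ENOSYS here for consistency or state in the comment why EINVAL was chosen. The comment `/* was buggy and never really used */` would also be more useful carrying the References: links from the commit message, so the reason for the disabled ioctl is recoverable from the code itself.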