From: Greg Kroah-Hartman Date: Wed, 1 Sep 2021 08:43:16 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.4.283~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=db2ff0740770493b348da46b122bc197032e0759;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: fbmem-add-margin-check-to-fb_check_caps.patch vt_kdsetmode-extend-console-locking.patch --- diff --git a/queue-4.4/fbmem-add-margin-check-to-fb_check_caps.patch b/queue-4.4/fbmem-add-margin-check-to-fb_check_caps.patch new file mode 100644 index 00000000000..e31f42da401 --- /dev/null +++ b/queue-4.4/fbmem-add-margin-check-to-fb_check_caps.patch @@ -0,0 +1,42 @@ +From a49145acfb975d921464b84fe00279f99827d816 Mon Sep 17 00:00:00 2001 +From: George Kennedy +Date: Tue, 7 Jul 2020 15:26:03 -0400 +Subject: fbmem: add margin check to fb_check_caps() + +From: George Kennedy + +commit a49145acfb975d921464b84fe00279f99827d816 upstream. + +A fb_ioctl() FBIOPUT_VSCREENINFO call with invalid xres setting +or yres setting in struct fb_var_screeninfo will result in a +KASAN: vmalloc-out-of-bounds failure in bitfill_aligned() as +the margins are being cleared. The margins are cleared in +chunks and if the xres setting or yres setting is a value of +zero upto the chunk size, the failure will occur. + +Add a margin check to validate xres and yres settings. + +Signed-off-by: George Kennedy +Reported-by: syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com +Reviewed-by: Dan Carpenter +Cc: Dhaval Giani +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/1594149963-13801-1-git-send-email-george.kennedy@oracle.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/core/fbmem.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/video/fbdev/core/fbmem.c ++++ b/drivers/video/fbdev/core/fbmem.c +@@ -1001,6 +1001,10 @@ fb_set_var(struct fb_info *info, struct + goto done; + } + ++ /* bitfill_aligned() assumes that it's at least 8x8 */ ++ if (var->xres < 8 || var->yres < 8) ++ return -EINVAL; ++ + ret = info->fbops->fb_check_var(var, info); + + if (ret) diff --git a/queue-4.4/series b/queue-4.4/series index 38bd93485c6..16c1ae70f27 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -5,3 +5,5 @@ e1000e-fix-the-max-snoop-no-snoop-latency-for-10m.patch net-marvell-fix-mvneta_tx_in_prgrs-bit-number.patch virtio-improve-vq-broken-access-to-avoid-any-compile.patch vringh-use-wiov-used-to-check-for-read-write-desc-or.patch +vt_kdsetmode-extend-console-locking.patch +fbmem-add-margin-check-to-fb_check_caps.patch diff --git a/queue-4.4/vt_kdsetmode-extend-console-locking.patch b/queue-4.4/vt_kdsetmode-extend-console-locking.patch new file mode 100644 index 00000000000..acfa9315027 --- /dev/null +++ b/queue-4.4/vt_kdsetmode-extend-console-locking.patch @@ -0,0 +1,46 @@ +From 2287a51ba822384834dafc1c798453375d1107c7 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Mon, 30 Aug 2021 08:55:18 -0700 +Subject: vt_kdsetmode: extend console locking + +From: Linus Torvalds + +commit 2287a51ba822384834dafc1c798453375d1107c7 upstream. + +As per the long-suffering comment. + +Reported-by: Minh Yuan +Cc: Greg Kroah-Hartman +Cc: Jiri Slaby +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/vt/vt_ioctl.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/tty/vt/vt_ioctl.c ++++ b/drivers/tty/vt/vt_ioctl.c +@@ -487,16 +487,19 @@ int vt_ioctl(struct tty_struct *tty, + ret = -EINVAL; + goto out; + } +- /* FIXME: this needs the console lock extending */ +- if (vc->vc_mode == (unsigned char) arg) ++ console_lock(); ++ if (vc->vc_mode == (unsigned char) arg) { ++ console_unlock(); + break; ++ } + vc->vc_mode = (unsigned char) arg; +- if (console != fg_console) ++ if (console != fg_console) { ++ console_unlock(); + break; ++ } + /* + * explicitly blank/unblank the screen if switching modes + */ +- console_lock(); + if (arg == KD_TEXT) + do_unblank_screen(1); + else