From: Greg Kroah-Hartman Date: Wed, 26 Feb 2020 08:41:57 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.4.215~82 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dcd76daef1dd8df333700476f893c493c05eb3da;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: floppy-check-fdc-index-for-errors-before-assigning-it.patch staging-android-ashmem-disallow-ashmem-memory-from-being-remapped.patch staging-vt6656-fix-sign-of-rx_dbm-to-bb_pre_ed_rssi.patch vt-fix-scrollback-flushing-on-background-consoles.patch vt-selection-close-sel_buffer-race.patch vt-selection-handle-pending-signals-in-paste_selection.patch vt-vt_ioctl-fix-race-in-vt_resizex.patch --- diff --git a/queue-5.4/floppy-check-fdc-index-for-errors-before-assigning-it.patch b/queue-5.4/floppy-check-fdc-index-for-errors-before-assigning-it.patch new file mode 100644 index 00000000000..668c9a050a4 --- /dev/null +++ b/queue-5.4/floppy-check-fdc-index-for-errors-before-assigning-it.patch @@ -0,0 +1,65 @@ +From 2e90ca68b0d2f5548804f22f0dd61145516171e3 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Fri, 21 Feb 2020 12:43:35 -0800 +Subject: floppy: check FDC index for errors before assigning it + +From: Linus Torvalds + +commit 2e90ca68b0d2f5548804f22f0dd61145516171e3 upstream. + +Jordy Zomer reported a KASAN out-of-bounds read in the floppy driver in +wait_til_ready(). + +Which on the face of it can't happen, since as Willy Tarreau points out, +the function does no particular memory access. Except through the FDCS +macro, which just indexes a static allocation through teh current fdc, +which is always checked against N_FDC. + +Except the checking happens after we've already assigned the value. + +The floppy driver is a disgrace (a lot of it going back to my original +horrd "design"), and has no real maintainer. Nobody has the hardware, +and nobody really cares. But it still gets used in virtual environment +because it's one of those things that everybody supports. + +The whole thing should be re-written, or at least parts of it should be +seriously cleaned up. The 'current fdc' index, which is used by the +FDCS macro, and which is often shadowed by a local 'fdc' variable, is a +prime example of how not to write code. + +But because nobody has the hardware or the motivation, let's just fix up +the immediate problem with a nasty band-aid: test the fdc index before +actually assigning it to the static 'fdc' variable. + +Reported-by: Jordy Zomer +Cc: Willy Tarreau +Cc: Dan Carpenter +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/floppy.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -853,14 +853,17 @@ static void reset_fdc_info(int mode) + /* selects the fdc and drive, and enables the fdc's input/dma. */ + static void set_fdc(int drive) + { ++ unsigned int new_fdc = fdc; ++ + if (drive >= 0 && drive < N_DRIVE) { +- fdc = FDC(drive); ++ new_fdc = FDC(drive); + current_drive = drive; + } +- if (fdc != 1 && fdc != 0) { ++ if (new_fdc >= N_FDC) { + pr_info("bad fdc value\n"); + return; + } ++ fdc = new_fdc; + set_dor(fdc, ~0, 8); + #if N_FDC > 1 + set_dor(1 - fdc, ~8, 0); diff --git a/queue-5.4/series b/queue-5.4/series index 81b07b84b1a..a56a7f81127 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -13,3 +13,10 @@ usb-misc-iowarrior-add-support-for-2-oemed-devices.patch usb-misc-iowarrior-add-support-for-the-28-and-28l-devices.patch usb-misc-iowarrior-add-support-for-the-100-device.patch e1000e-use-rtnl_lock-to-prevent-race-conditions-between-net-and-pci-pm.patch +floppy-check-fdc-index-for-errors-before-assigning-it.patch +vt-fix-scrollback-flushing-on-background-consoles.patch +vt-selection-handle-pending-signals-in-paste_selection.patch +vt-selection-close-sel_buffer-race.patch +vt-vt_ioctl-fix-race-in-vt_resizex.patch +staging-android-ashmem-disallow-ashmem-memory-from-being-remapped.patch +staging-vt6656-fix-sign-of-rx_dbm-to-bb_pre_ed_rssi.patch diff --git a/queue-5.4/staging-android-ashmem-disallow-ashmem-memory-from-being-remapped.patch b/queue-5.4/staging-android-ashmem-disallow-ashmem-memory-from-being-remapped.patch new file mode 100644 index 00000000000..91b94a34cad --- /dev/null +++ b/queue-5.4/staging-android-ashmem-disallow-ashmem-memory-from-being-remapped.patch @@ -0,0 +1,73 @@ +From 6d67b0290b4b84c477e6a2fc6e005e174d3c7786 Mon Sep 17 00:00:00 2001 +From: Suren Baghdasaryan +Date: Mon, 27 Jan 2020 15:56:16 -0800 +Subject: staging: android: ashmem: Disallow ashmem memory from being remapped + +From: Suren Baghdasaryan + +commit 6d67b0290b4b84c477e6a2fc6e005e174d3c7786 upstream. + +When ashmem file is mmapped, the resulting vma->vm_file points to the +backing shmem file with the generic fops that do not check ashmem +permissions like fops of ashmem do. If an mremap is done on the ashmem +region, then the permission checks will be skipped. Fix that by disallowing +mapping operation on the backing shmem file. + +Reported-by: Jann Horn +Signed-off-by: Suren Baghdasaryan +Cc: stable # 4.4,4.9,4.14,4.18,5.4 +Signed-off-by: Todd Kjos +Reviewed-by: Joel Fernandes (Google) +Link: https://lore.kernel.org/r/20200127235616.48920-1-tkjos@google.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/android/ashmem.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +--- a/drivers/staging/android/ashmem.c ++++ b/drivers/staging/android/ashmem.c +@@ -351,8 +351,23 @@ static inline vm_flags_t calc_vm_may_fla + _calc_vm_trans(prot, PROT_EXEC, VM_MAYEXEC); + } + ++static int ashmem_vmfile_mmap(struct file *file, struct vm_area_struct *vma) ++{ ++ /* do not allow to mmap ashmem backing shmem file directly */ ++ return -EPERM; ++} ++ ++static unsigned long ++ashmem_vmfile_get_unmapped_area(struct file *file, unsigned long addr, ++ unsigned long len, unsigned long pgoff, ++ unsigned long flags) ++{ ++ return current->mm->get_unmapped_area(file, addr, len, pgoff, flags); ++} ++ + static int ashmem_mmap(struct file *file, struct vm_area_struct *vma) + { ++ static struct file_operations vmfile_fops; + struct ashmem_area *asma = file->private_data; + int ret = 0; + +@@ -393,6 +408,19 @@ static int ashmem_mmap(struct file *file + } + vmfile->f_mode |= FMODE_LSEEK; + asma->file = vmfile; ++ /* ++ * override mmap operation of the vmfile so that it can't be ++ * remapped which would lead to creation of a new vma with no ++ * asma permission checks. Have to override get_unmapped_area ++ * as well to prevent VM_BUG_ON check for f_ops modification. ++ */ ++ if (!vmfile_fops.mmap) { ++ vmfile_fops = *vmfile->f_op; ++ vmfile_fops.mmap = ashmem_vmfile_mmap; ++ vmfile_fops.get_unmapped_area = ++ ashmem_vmfile_get_unmapped_area; ++ } ++ vmfile->f_op = &vmfile_fops; + } + get_file(asma->file); + diff --git a/queue-5.4/staging-vt6656-fix-sign-of-rx_dbm-to-bb_pre_ed_rssi.patch b/queue-5.4/staging-vt6656-fix-sign-of-rx_dbm-to-bb_pre_ed_rssi.patch new file mode 100644 index 00000000000..17ec5b047e6 --- /dev/null +++ b/queue-5.4/staging-vt6656-fix-sign-of-rx_dbm-to-bb_pre_ed_rssi.patch @@ -0,0 +1,36 @@ +From 93134df520f23f4e9998c425b8987edca7016817 Mon Sep 17 00:00:00 2001 +From: Malcolm Priestley +Date: Tue, 4 Feb 2020 19:34:02 +0000 +Subject: staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi. + +From: Malcolm Priestley + +commit 93134df520f23f4e9998c425b8987edca7016817 upstream. + +bb_pre_ed_rssi is an u8 rx_dm always returns negative signed +values add minus operator to always yield positive. + +fixes issue where rx sensitivity is always set to maximum because +the unsigned numbers were always greater then 100. + +Fixes: 63b9907f58f1 ("staging: vt6656: mac80211 conversion: create rx function.") +Cc: stable +Signed-off-by: Malcolm Priestley +Link: https://lore.kernel.org/r/aceac98c-6e69-3ce1-dfec-2bf27b980221@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/vt6656/dpc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/vt6656/dpc.c ++++ b/drivers/staging/vt6656/dpc.c +@@ -130,7 +130,7 @@ int vnt_rx_data(struct vnt_private *priv + + vnt_rf_rssi_to_dbm(priv, *rssi, &rx_dbm); + +- priv->bb_pre_ed_rssi = (u8)rx_dbm + 1; ++ priv->bb_pre_ed_rssi = (u8)-rx_dbm + 1; + priv->current_rssi = priv->bb_pre_ed_rssi; + + skb_pull(skb, 8); diff --git a/queue-5.4/vt-fix-scrollback-flushing-on-background-consoles.patch b/queue-5.4/vt-fix-scrollback-flushing-on-background-consoles.patch new file mode 100644 index 00000000000..a776434b073 --- /dev/null +++ b/queue-5.4/vt-fix-scrollback-flushing-on-background-consoles.patch @@ -0,0 +1,61 @@ +From 3f4ef485be9d54040b695f32ec76d0f1ea50bbf3 Mon Sep 17 00:00:00 2001 +From: Nicolas Pitre +Date: Tue, 28 Jan 2020 12:50:33 -0500 +Subject: vt: fix scrollback flushing on background consoles + +From: Nicolas Pitre + +commit 3f4ef485be9d54040b695f32ec76d0f1ea50bbf3 upstream. + +Commit a6dbe4427559 ("vt: perform safe console erase in the right +order") provided fixes to an earlier commit by gathering all console +scrollback flushing operations in a function of its own. This includes +the invocation of vc_sw->con_switch() as previously done through a +update_screen() call. That commit failed to carry over the +con_is_visible() conditional though, as well as cursor handling, which +caused problems when "\e[3J" was written to a background console. + +One could argue for preserving the call to update_screen(). However +this does far more than we need, and it is best to remove scrollback +assumptions from it. Instead let's gather the minimum needed to actually +perform scrollback flushing properly in that one place. + +While at it, let's document the vc_sw->con_switch() side effect being +relied upon. + +Signed-off-by: Nicolas Pitre +Reported-and-tested-by: Lukas Wunner +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/nycvar.YSQ.7.76.2001281205560.1655@knanqh.ubzr +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/vt.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -936,10 +936,21 @@ static void flush_scrollback(struct vc_d + WARN_CONSOLE_UNLOCKED(); + + set_origin(vc); +- if (vc->vc_sw->con_flush_scrollback) ++ if (vc->vc_sw->con_flush_scrollback) { + vc->vc_sw->con_flush_scrollback(vc); +- else ++ } else if (con_is_visible(vc)) { ++ /* ++ * When no con_flush_scrollback method is provided then the ++ * legacy way for flushing the scrollback buffer is to use ++ * a side effect of the con_switch method. We do it only on ++ * the foreground console as background consoles have no ++ * scrollback buffers in that case and we obviously don't ++ * want to switch to them. ++ */ ++ hide_cursor(vc); + vc->vc_sw->con_switch(vc); ++ set_cursor(vc); ++ } + } + + /* diff --git a/queue-5.4/vt-selection-close-sel_buffer-race.patch b/queue-5.4/vt-selection-close-sel_buffer-race.patch new file mode 100644 index 00000000000..39b299e5b61 --- /dev/null +++ b/queue-5.4/vt-selection-close-sel_buffer-race.patch @@ -0,0 +1,155 @@ +From 07e6124a1a46b4b5a9b3cacc0c306b50da87abf5 Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Mon, 10 Feb 2020 09:11:31 +0100 +Subject: vt: selection, close sel_buffer race + +From: Jiri Slaby + +commit 07e6124a1a46b4b5a9b3cacc0c306b50da87abf5 upstream. + +syzkaller reported this UAF: +BUG: KASAN: use-after-free in n_tty_receive_buf_common+0x2481/0x2940 drivers/tty/n_tty.c:1741 +Read of size 1 at addr ffff8880089e40e9 by task syz-executor.1/13184 + +CPU: 0 PID: 13184 Comm: syz-executor.1 Not tainted 5.4.7 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 +Call Trace: +... + kasan_report+0xe/0x20 mm/kasan/common.c:634 + n_tty_receive_buf_common+0x2481/0x2940 drivers/tty/n_tty.c:1741 + tty_ldisc_receive_buf+0xac/0x190 drivers/tty/tty_buffer.c:461 + paste_selection+0x297/0x400 drivers/tty/vt/selection.c:372 + tioclinux+0x20d/0x4e0 drivers/tty/vt/vt.c:3044 + vt_ioctl+0x1bcf/0x28d0 drivers/tty/vt/vt_ioctl.c:364 + tty_ioctl+0x525/0x15a0 drivers/tty/tty_io.c:2657 + vfs_ioctl fs/ioctl.c:47 [inline] + +It is due to a race between parallel paste_selection (TIOCL_PASTESEL) +and set_selection_user (TIOCL_SETSEL) invocations. One uses sel_buffer, +while the other frees it and reallocates a new one for another +selection. Add a mutex to close this race. + +The mutex takes care properly of sel_buffer and sel_buffer_lth only. The +other selection global variables (like sel_start, sel_end, and sel_cons) +are protected only in set_selection_user. The other functions need quite +some more work to close the races of the variables there. This is going +to happen later. + +This likely fixes (I am unsure as there is no reproducer provided) bug +206361 too. It was marked as CVE-2020-8648. + +Signed-off-by: Jiri Slaby +Reported-by: syzbot+59997e8d5cbdc486e6f6@syzkaller.appspotmail.com +References: https://bugzilla.kernel.org/show_bug.cgi?id=206361 +Cc: stable +Link: https://lore.kernel.org/r/20200210081131.23572-2-jslaby@suse.cz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/selection.c | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +--- a/drivers/tty/vt/selection.c ++++ b/drivers/tty/vt/selection.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -45,6 +46,7 @@ static volatile int sel_start = -1; /* + static int sel_end; + static int sel_buffer_lth; + static char *sel_buffer; ++static DEFINE_MUTEX(sel_lock); + + /* clear_selection, highlight and highlight_pointer can be called + from interrupt (via scrollback/front) */ +@@ -186,7 +188,7 @@ int set_selection_kernel(struct tiocl_se + char *bp, *obp; + int i, ps, pe, multiplier; + u32 c; +- int mode; ++ int mode, ret = 0; + + poke_blanked_console(); + +@@ -212,6 +214,7 @@ int set_selection_kernel(struct tiocl_se + if (ps > pe) /* make sel_start <= sel_end */ + swap(ps, pe); + ++ mutex_lock(&sel_lock); + if (sel_cons != vc_cons[fg_console].d) { + clear_selection(); + sel_cons = vc_cons[fg_console].d; +@@ -257,9 +260,10 @@ int set_selection_kernel(struct tiocl_se + break; + case TIOCL_SELPOINTER: + highlight_pointer(pe); +- return 0; ++ goto unlock; + default: +- return -EINVAL; ++ ret = -EINVAL; ++ goto unlock; + } + + /* remove the pointer */ +@@ -281,7 +285,7 @@ int set_selection_kernel(struct tiocl_se + else if (new_sel_start == sel_start) + { + if (new_sel_end == sel_end) /* no action required */ +- return 0; ++ goto unlock; + else if (new_sel_end > sel_end) /* extend to right */ + highlight(sel_end + 2, new_sel_end); + else /* contract from right */ +@@ -309,7 +313,8 @@ int set_selection_kernel(struct tiocl_se + if (!bp) { + printk(KERN_WARNING "selection: kmalloc() failed\n"); + clear_selection(); +- return -ENOMEM; ++ ret = -ENOMEM; ++ goto unlock; + } + kfree(sel_buffer); + sel_buffer = bp; +@@ -334,7 +339,9 @@ int set_selection_kernel(struct tiocl_se + } + } + sel_buffer_lth = bp - sel_buffer; +- return 0; ++unlock: ++ mutex_unlock(&sel_lock); ++ return ret; + } + EXPORT_SYMBOL_GPL(set_selection_kernel); + +@@ -364,6 +371,7 @@ int paste_selection(struct tty_struct *t + tty_buffer_lock_exclusive(&vc->port); + + add_wait_queue(&vc->paste_wait, &wait); ++ mutex_lock(&sel_lock); + while (sel_buffer && sel_buffer_lth > pasted) { + set_current_state(TASK_INTERRUPTIBLE); + if (signal_pending(current)) { +@@ -371,7 +379,9 @@ int paste_selection(struct tty_struct *t + break; + } + if (tty_throttled(tty)) { ++ mutex_unlock(&sel_lock); + schedule(); ++ mutex_lock(&sel_lock); + continue; + } + __set_current_state(TASK_RUNNING); +@@ -380,6 +390,7 @@ int paste_selection(struct tty_struct *t + count); + pasted += count; + } ++ mutex_unlock(&sel_lock); + remove_wait_queue(&vc->paste_wait, &wait); + __set_current_state(TASK_RUNNING); + diff --git a/queue-5.4/vt-selection-handle-pending-signals-in-paste_selection.patch b/queue-5.4/vt-selection-handle-pending-signals-in-paste_selection.patch new file mode 100644 index 00000000000..9cf0a296802 --- /dev/null +++ b/queue-5.4/vt-selection-handle-pending-signals-in-paste_selection.patch @@ -0,0 +1,73 @@ +From 687bff0cd08f790d540cfb7b2349f0d876cdddec Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Mon, 10 Feb 2020 09:11:30 +0100 +Subject: vt: selection, handle pending signals in paste_selection + +From: Jiri Slaby + +commit 687bff0cd08f790d540cfb7b2349f0d876cdddec upstream. + +When pasting a selection to a vt, the task is set as INTERRUPTIBLE while +waiting for a tty to unthrottle. But signals are not handled at all. +Normally, this is not a problem as tty_ldisc_receive_buf receives all +the goods and a user has no reason to interrupt the task. + +There are two scenarios where this matters: +1) when the tty is throttled and a signal is sent to the process, it + spins on a CPU until the tty is unthrottled. schedule() does not + really echedule, but returns immediately, of course. +2) when the sel_buffer becomes invalid, KASAN prevents any reads from it + and the loop simply does not proceed and spins forever (causing the + tty to throttle, but the code never sleeps, the same as above). This + sometimes happens as there is a race in the sel_buffer handling code. + +So add signal handling to this ioctl (TIOCL_PASTESEL) and return -EINTR +in case a signal is pending. + +Signed-off-by: Jiri Slaby +Cc: stable +Link: https://lore.kernel.org/r/20200210081131.23572-1-jslaby@suse.cz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/selection.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/tty/vt/selection.c ++++ b/drivers/tty/vt/selection.c +@@ -29,6 +29,8 @@ + #include + #include + ++#include ++ + /* Don't take this from : 011-015 on the screen aren't spaces */ + #define isspace(c) ((c) == ' ') + +@@ -350,6 +352,7 @@ int paste_selection(struct tty_struct *t + unsigned int count; + struct tty_ldisc *ld; + DECLARE_WAITQUEUE(wait, current); ++ int ret = 0; + + console_lock(); + poke_blanked_console(); +@@ -363,6 +366,10 @@ int paste_selection(struct tty_struct *t + add_wait_queue(&vc->paste_wait, &wait); + while (sel_buffer && sel_buffer_lth > pasted) { + set_current_state(TASK_INTERRUPTIBLE); ++ if (signal_pending(current)) { ++ ret = -EINTR; ++ break; ++ } + if (tty_throttled(tty)) { + schedule(); + continue; +@@ -378,6 +385,6 @@ int paste_selection(struct tty_struct *t + + tty_buffer_unlock_exclusive(&vc->port); + tty_ldisc_deref(ld); +- return 0; ++ return ret; + } + EXPORT_SYMBOL_GPL(paste_selection); diff --git a/queue-5.4/vt-vt_ioctl-fix-race-in-vt_resizex.patch b/queue-5.4/vt-vt_ioctl-fix-race-in-vt_resizex.patch new file mode 100644 index 00000000000..9cc33ce0978 --- /dev/null +++ b/queue-5.4/vt-vt_ioctl-fix-race-in-vt_resizex.patch @@ -0,0 +1,102 @@ +From 6cd1ed50efd88261298577cd92a14f2768eddeeb Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 10 Feb 2020 11:07:21 -0800 +Subject: vt: vt_ioctl: fix race in VT_RESIZEX + +From: Eric Dumazet + +commit 6cd1ed50efd88261298577cd92a14f2768eddeeb upstream. + +We need to make sure vc_cons[i].d is not NULL after grabbing +console_lock(), or risk a crash. + +general protection fault, probably for non-canonical address 0xdffffc0000000068: 0000 [#1] PREEMPT SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000340-0x0000000000000347] +CPU: 1 PID: 19462 Comm: syz-executor.5 Not tainted 5.5.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:vt_ioctl+0x1f96/0x26d0 drivers/tty/vt/vt_ioctl.c:883 +Code: 74 41 e8 bd a6 84 fd 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 e4 04 00 00 48 8b 03 48 8d b8 40 03 00 00 48 89 fa 48 c1 ea 03 <42> 0f b6 14 2a 84 d2 74 09 80 fa 03 0f 8e b1 05 00 00 44 89 b8 40 +RSP: 0018:ffffc900086d7bb0 EFLAGS: 00010202 +RAX: 0000000000000000 RBX: ffffffff8c34ee88 RCX: ffffc9001415c000 +RDX: 0000000000000068 RSI: ffffffff83f0e6e3 RDI: 0000000000000340 +RBP: ffffc900086d7cd0 R08: ffff888054ce0100 R09: fffffbfff16a2f6d +R10: ffff888054ce0998 R11: ffff888054ce0100 R12: 000000000000001d +R13: dffffc0000000000 R14: 1ffff920010daf79 R15: 000000000000ff7f +FS: 00007f7d13c12700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007ffd477e3c38 CR3: 0000000095d0a000 CR4: 00000000001406e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660 + vfs_ioctl fs/ioctl.c:47 [inline] + ksys_ioctl+0x123/0x180 fs/ioctl.c:763 + __do_sys_ioctl fs/ioctl.c:772 [inline] + __se_sys_ioctl fs/ioctl.c:770 [inline] + __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770 + do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x45b399 +Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007f7d13c11c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007f7d13c126d4 RCX: 000000000045b399 +RDX: 0000000020000080 RSI: 000000000000560a RDI: 0000000000000003 +RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff +R13: 0000000000000666 R14: 00000000004c7f04 R15: 000000000075bf2c +Modules linked in: +---[ end trace 80970faf7a67eb77 ]--- +RIP: 0010:vt_ioctl+0x1f96/0x26d0 drivers/tty/vt/vt_ioctl.c:883 +Code: 74 41 e8 bd a6 84 fd 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 e4 04 00 00 48 8b 03 48 8d b8 40 03 00 00 48 89 fa 48 c1 ea 03 <42> 0f b6 14 2a 84 d2 74 09 80 fa 03 0f 8e b1 05 00 00 44 89 b8 40 +RSP: 0018:ffffc900086d7bb0 EFLAGS: 00010202 +RAX: 0000000000000000 RBX: ffffffff8c34ee88 RCX: ffffc9001415c000 +RDX: 0000000000000068 RSI: ffffffff83f0e6e3 RDI: 0000000000000340 +RBP: ffffc900086d7cd0 R08: ffff888054ce0100 R09: fffffbfff16a2f6d +R10: ffff888054ce0998 R11: ffff888054ce0100 R12: 000000000000001d +R13: dffffc0000000000 R14: 1ffff920010daf79 R15: 000000000000ff7f +FS: 00007f7d13c12700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007ffd477e3c38 CR3: 0000000095d0a000 CR4: 00000000001406e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Cc: stable +Reported-by: syzbot +Link: https://lore.kernel.org/r/20200210190721.200418-1-edumazet@google.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/vt_ioctl.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/drivers/tty/vt/vt_ioctl.c ++++ b/drivers/tty/vt/vt_ioctl.c +@@ -876,15 +876,20 @@ int vt_ioctl(struct tty_struct *tty, + return -EINVAL; + + for (i = 0; i < MAX_NR_CONSOLES; i++) { ++ struct vc_data *vcp; ++ + if (!vc_cons[i].d) + continue; + console_lock(); +- if (v.v_vlin) +- vc_cons[i].d->vc_scan_lines = v.v_vlin; +- if (v.v_clin) +- vc_cons[i].d->vc_font.height = v.v_clin; +- vc_cons[i].d->vc_resize_user = 1; +- vc_resize(vc_cons[i].d, v.v_cols, v.v_rows); ++ vcp = vc_cons[i].d; ++ if (vcp) { ++ if (v.v_vlin) ++ vcp->vc_scan_lines = v.v_vlin; ++ if (v.v_clin) ++ vcp->vc_font.height = v.v_clin; ++ vcp->vc_resize_user = 1; ++ vc_resize(vcp, v.v_cols, v.v_rows); ++ } + console_unlock(); + } + break;