+++ /dev/null
-From f8ec13985c08b1e96b6e8ef325d2aa26918a5665 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sun, 25 Oct 2020 19:51:24 +0800
-Subject: nvme-rdma: handle unexpected nvme completion data length
-
-From: zhenwei pi <pizhenwei@bytedance.com>
-
-[ Upstream commit 25c1ca6ecaba3b751d3f7ff92d5cddff3b05f8d0 ]
-
-Receiving a zero length message leads to the following warnings because
-the CQE is processed twice:
-
-refcount_t: underflow; use-after-free.
-WARNING: CPU: 0 PID: 0 at lib/refcount.c:28
-
-RIP: 0010:refcount_warn_saturate+0xd9/0xe0
-Call Trace:
- <IRQ>
- nvme_rdma_recv_done+0xf3/0x280 [nvme_rdma]
- __ib_process_cq+0x76/0x150 [ib_core]
- ...
-
-Sanity check the received data length, to avoids this.
-
-Thanks to Chao Leng & Sagi for suggestions.
-
-Signed-off-by: zhenwei pi <pizhenwei@bytedance.com>
-Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
-Signed-off-by: Christoph Hellwig <hch@lst.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/nvme/host/rdma.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c
-index ab4f8db2a8cac..5c1245bbf9a1d 100644
---- a/drivers/nvme/host/rdma.c
-+++ b/drivers/nvme/host/rdma.c
-@@ -1199,6 +1199,14 @@ static int __nvme_rdma_recv_done(struct ib_cq *cq, struct ib_wc *wc, int tag)
- return 0;
- }
-
-+ /* sanity checking for received data length */
-+ if (unlikely(wc->byte_len < len)) {
-+ dev_err(queue->ctrl->ctrl.device,
-+ "Unexpected nvme completion length(%d)\n", wc->byte_len);
-+ nvme_rdma_error_recovery(queue->ctrl);
-+ return;
-+ }
-+
- ib_dma_sync_single_for_cpu(ibdev, qe->dma, len, DMA_FROM_DEVICE);
- /*
- * AEN requests are special as they don't time out and can
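Review bot: the new early exit uses a bare `return;`, but the function this hunk lands in is `static int __nvme_rdma_recv_done(struct ib_cq *cq, struct ib_wc *wc, int tag)` and its neighbouring exit is `return 0;`, so returning no value here will not compile in this tree; the backport needs an explicit value after `nvme_rdma_error_recovery(queue->ctrl);` (for example `return 0;`, matching the other exit) rather than the upstream form. The check itself is placed correctly, before `ib_dma_sync_single_for_cpu(...)` and before the CQE is handed to the completion path, which is what stops the double processing the message describes. Minor: `wc->byte_len` is an unsigned field, so the `dev_err` format should use `%u` instead of `%d`. Given the build problem, dropping this file from the queue, as the enclosing diff does, is the right call until a corrected backport is queued.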
---
-2.27.0
-
--- /dev/null
+From 3c4e0dff2095c579b142d5a0693257f1c58b4804 Mon Sep 17 00:00:00 2001
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Sun, 8 Nov 2020 16:38:06 +0100
+Subject: vt: Disable KD_FONT_OP_COPY
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+commit 3c4e0dff2095c579b142d5a0693257f1c58b4804 upstream.
+
+It's buggy:
+
+On Fri, Nov 06, 2020 at 10:30:08PM +0800, Minh Yuan wrote:
+> We recently discovered a slab-out-of-bounds read in fbcon in the latest
+> kernel ( v5.10-rc2 for now ). The root cause of this vulnerability is that
+> "fbcon_do_set_font" did not handle "vc->vc_font.data" and
+> "vc->vc_font.height" correctly, and the patch
+> <https://lkml.org/lkml/2020/9/27/223> for VT_RESIZEX can't handle this
+> issue.
+>
+> Specifically, we use KD_FONT_OP_SET to set a small font.data for tty6, and
+> use KD_FONT_OP_SET again to set a large font.height for tty1. After that,
+> we use KD_FONT_OP_COPY to assign tty6's vc_font.data to tty1's vc_font.data
+> in "fbcon_do_set_font", while tty1 retains the original larger
+> height. Obviously, this will cause an out-of-bounds read, because we can
+> access a smaller vc_font.data with a larger vc_font.height.
+
+Further there was only one user ever.
+- Android's loadfont, busybox and console-tools only ever use OP_GET
+ and OP_SET
+- fbset documentation only mentions the kernel cmdline font: option,
+ not anything else.
+- systemd used OP_COPY before release 232 published in Nov 2016
+
+Now unfortunately the crucial report seems to have gone down with
+gmane, and the commit message doesn't say much. But the pull request
+hints at OP_COPY being broken
+
+https://github.com/systemd/systemd/pull/3651
+
+So in other words, this never worked, and the only project which
+foolishly every tried to use it, realized that rather quickly too.
+
+Instead of trying to fix security issues here on dead code by adding
+missing checks, fix the entire thing by removing the functionality.
+
+Note that systemd code using the OP_COPY function ignored the return
+value, so it doesn't matter what we're doing here really - just in
+case a lone server somewhere happens to be extremely unlucky and
+running an affected old version of systemd. The relevant code from
+font_copy_to_all_vcs() in systemd was:
+
+ /* copy font from active VT, where the font was uploaded to */
+ cfo.op = KD_FONT_OP_COPY;
+ cfo.height = vcs.v_active-1; /* tty1 == index 0 */
+ (void) ioctl(vcfd, KDFONTOP, &cfo);
+
+Note this just disables the ioctl, garbage collecting the now unused
+callbacks is left for -next.
+
+v2: Tetsuo found the old mail, which allowed me to find it on another
+archive. Add the link too.
+
+Acked-by: Peilin Ye <yepeilin.cs@gmail.com>
+Reported-by: Minh Yuan <yuanmingbuaa@gmail.com>
+References: https://lists.freedesktop.org/archives/systemd-devel/2016-June/036935.html
+References: https://github.com/systemd/systemd/pull/3651
+Cc: Greg KH <greg@kroah.com>
+Cc: Peilin Ye <yepeilin.cs@gmail.com>
+Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Link: https://lore.kernel.org/r/20201108153806.3140315-1-daniel.vetter@ffwll.ch
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/vt/vt.c | 24 ++----------------------
+ 1 file changed, 2 insertions(+), 22 deletions(-)
+
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -4235,27 +4235,6 @@ static int con_font_default(struct vc_da
+ return rc;
+ }
+
+-static int con_font_copy(struct vc_data *vc, struct console_font_op *op)
+-{
+- int con = op->height;
+- int rc;
+-
+-
+- console_lock();
+- if (vc->vc_mode != KD_TEXT)
+- rc = -EINVAL;
+- else if (!vc->vc_sw->con_font_copy)
+- rc = -ENOSYS;
+- else if (con < 0 || !vc_cons_allocated(con))
+- rc = -ENOTTY;
+- else if (con == vc->vc_num) /* nothing to do */
+- rc = 0;
+- else
+- rc = vc->vc_sw->con_font_copy(vc, con);
+- console_unlock();
+- return rc;
+-}
+-
+ int con_font_op(struct vc_data *vc, struct console_font_op *op)
+ {
+ switch (op->op) {
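Review bot: deleting `con_font_copy()` wholesale is consistent with the second hunk making `KD_FONT_OP_COPY` unreachable, but the removed code shows the gap the report describes: it validated the source index (`con < 0 || !vc_cons_allocated(con)`) and the mode (`vc->vc_mode != KD_TEXT`) and then called straight into `vc->vc_sw->con_font_copy(vc, con)` without ever comparing the two consoles' font dimensions, so a smaller `vc_font.data` could be attached to a console that kept a larger `vc_font.height`. With this caller gone, the `con_font_copy` member of the consw table and its fbcon implementation become dead code; the message defers that cleanup to -next, so a short note in the hunk (or a follow-up patch reference) would help whoever picks the stable tree up later. Also note the blank line in `@@ -4235,27 +4235,6 @@` context: the function body was already off by one empty line after `int rc;`, which disappears with the deletion and needs no separate fix.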
+@@ -4266,7 +4245,8 @@ int con_font_op(struct vc_data *vc, stru
+ case KD_FONT_OP_SET_DEFAULT:
+ return con_font_default(vc, op);
+ case KD_FONT_OP_COPY:
+- return con_font_copy(vc, op);
++ /* was buggy and never really used */
++ return -EINVAL;
+ }
+ return -ENOSYS;
+ }
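Review bot: the replacement `return -EINVAL;` gives user space a different answer from the `return -ENOSYS;` the same switch uses for unknown ops, so a caller cannot tell a disabled operation from a bad argument; `-ENOSYS` would be the consistent choice for "no longer implemented", while `-EINVAL` does match what the deleted `con_font_copy()` returned when `vc->vc_mode != KD_TEXT`. Either is defensible since the message shows the only known user, systemd's `font_copy_to_all_vcs()`, discards the result with `(void) ioctl(vcfd, KDFONTOP, &cfo);`, but the choice should be stated in the hunk comment. The comment `/* was buggy and never really used */` would also be more useful to a future reader if it said the op is intentionally disabled and pointed at the report and the systemd pull request already listed under `References:`.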