<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/tty/vt, branch linux-3.16.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>vt: selection, push sel_lock up</title>
<updated>2020-04-28T18:03:42+00:00</updated>
<author>
<name>Jiri Slaby</name>
<email>jslaby@suse.cz</email>
</author>
<published>2020-02-28T11:54:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=54c522782fd11a720f959ee9cb5a15bb9580343d'/>
<id>54c522782fd11a720f959ee9cb5a15bb9580343d</id>
<content type='text'>
commit e8c75a30a23c6ba63f4ef6895cbf41fd42f21aa2 upstream.

sel_lock cannot nest in the console lock. Thanks to syzkaller, the
kernel states firmly:

&gt; WARNING: possible circular locking dependency detected
&gt; 5.6.0-rc3-syzkaller #0 Not tainted
&gt; ------------------------------------------------------
&gt; syz-executor.4/20336 is trying to acquire lock:
&gt; ffff8880a2e952a0 (&amp;tty-&gt;termios_rwsem){++++}, at: tty_unthrottle+0x22/0x100 drivers/tty/tty_ioctl.c:136
&gt;
&gt; but task is already holding lock:
&gt; ffffffff89462e70 (sel_lock){+.+.}, at: paste_selection+0x118/0x470 drivers/tty/vt/selection.c:374
&gt;
&gt; which lock already depends on the new lock.
&gt;
&gt; the existing dependency chain (in reverse order) is:
&gt;
&gt; -&gt; #2 (sel_lock){+.+.}:
&gt;        mutex_lock_nested+0x1b/0x30 kernel/locking/mutex.c:1118
&gt;        set_selection_kernel+0x3b8/0x18a0 drivers/tty/vt/selection.c:217
&gt;        set_selection_user+0x63/0x80 drivers/tty/vt/selection.c:181
&gt;        tioclinux+0x103/0x530 drivers/tty/vt/vt.c:3050
&gt;        vt_ioctl+0x3f1/0x3a30 drivers/tty/vt/vt_ioctl.c:364

This is ioctl(TIOCL_SETSEL).
Locks held on the path: console_lock -&gt; sel_lock

&gt; -&gt; #1 (console_lock){+.+.}:
&gt;        console_lock+0x46/0x70 kernel/printk/printk.c:2289
&gt;        con_flush_chars+0x50/0x650 drivers/tty/vt/vt.c:3223
&gt;        n_tty_write+0xeae/0x1200 drivers/tty/n_tty.c:2350
&gt;        do_tty_write drivers/tty/tty_io.c:962 [inline]
&gt;        tty_write+0x5a1/0x950 drivers/tty/tty_io.c:1046

This is write().
Locks held on the path: termios_rwsem -&gt; console_lock

&gt; -&gt; #0 (&amp;tty-&gt;termios_rwsem){++++}:
&gt;        down_write+0x57/0x140 kernel/locking/rwsem.c:1534
&gt;        tty_unthrottle+0x22/0x100 drivers/tty/tty_ioctl.c:136
&gt;        mkiss_receive_buf+0x12aa/0x1340 drivers/net/hamradio/mkiss.c:902
&gt;        tty_ldisc_receive_buf+0x12f/0x170 drivers/tty/tty_buffer.c:465
&gt;        paste_selection+0x346/0x470 drivers/tty/vt/selection.c:389
&gt;        tioclinux+0x121/0x530 drivers/tty/vt/vt.c:3055
&gt;        vt_ioctl+0x3f1/0x3a30 drivers/tty/vt/vt_ioctl.c:364

This is ioctl(TIOCL_PASTESEL).
Locks held on the path: sel_lock -&gt; termios_rwsem

&gt; other info that might help us debug this:
&gt;
&gt; Chain exists of:
&gt;   &amp;tty-&gt;termios_rwsem --&gt; console_lock --&gt; sel_lock

Clearly. From the above, we have:
 console_lock -&gt; sel_lock
 sel_lock -&gt; termios_rwsem
 termios_rwsem -&gt; console_lock

Fix this by reversing the console_lock -&gt; sel_lock dependency in
ioctl(TIOCL_SETSEL). First, lock sel_lock, then console_lock.

Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Reported-by: syzbot+26183d9746e62da329b8@syzkaller.appspotmail.com
Fixes: 07e6124a1a46 ("vt: selection, close sel_buffer race")
Link: https://lore.kernel.org/r/20200228115406.5735-2-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit e8c75a30a23c6ba63f4ef6895cbf41fd42f21aa2 upstream.

sel_lock cannot nest in the console lock. Thanks to syzkaller, the
kernel states firmly:

&gt; WARNING: possible circular locking dependency detected
&gt; 5.6.0-rc3-syzkaller #0 Not tainted
&gt; ------------------------------------------------------
&gt; syz-executor.4/20336 is trying to acquire lock:
&gt; ffff8880a2e952a0 (&amp;tty-&gt;termios_rwsem){++++}, at: tty_unthrottle+0x22/0x100 drivers/tty/tty_ioctl.c:136
&gt;
&gt; but task is already holding lock:
&gt; ffffffff89462e70 (sel_lock){+.+.}, at: paste_selection+0x118/0x470 drivers/tty/vt/selection.c:374
&gt;
&gt; which lock already depends on the new lock.
&gt;
&gt; the existing dependency chain (in reverse order) is:
&gt;
&gt; -&gt; #2 (sel_lock){+.+.}:
&gt;        mutex_lock_nested+0x1b/0x30 kernel/locking/mutex.c:1118
&gt;        set_selection_kernel+0x3b8/0x18a0 drivers/tty/vt/selection.c:217
&gt;        set_selection_user+0x63/0x80 drivers/tty/vt/selection.c:181
&gt;        tioclinux+0x103/0x530 drivers/tty/vt/vt.c:3050
&gt;        vt_ioctl+0x3f1/0x3a30 drivers/tty/vt/vt_ioctl.c:364

This is ioctl(TIOCL_SETSEL).
Locks held on the path: console_lock -&gt; sel_lock

&gt; -&gt; #1 (console_lock){+.+.}:
&gt;        console_lock+0x46/0x70 kernel/printk/printk.c:2289
&gt;        con_flush_chars+0x50/0x650 drivers/tty/vt/vt.c:3223
&gt;        n_tty_write+0xeae/0x1200 drivers/tty/n_tty.c:2350
&gt;        do_tty_write drivers/tty/tty_io.c:962 [inline]
&gt;        tty_write+0x5a1/0x950 drivers/tty/tty_io.c:1046

This is write().
Locks held on the path: termios_rwsem -&gt; console_lock

&gt; -&gt; #0 (&amp;tty-&gt;termios_rwsem){++++}:
&gt;        down_write+0x57/0x140 kernel/locking/rwsem.c:1534
&gt;        tty_unthrottle+0x22/0x100 drivers/tty/tty_ioctl.c:136
&gt;        mkiss_receive_buf+0x12aa/0x1340 drivers/net/hamradio/mkiss.c:902
&gt;        tty_ldisc_receive_buf+0x12f/0x170 drivers/tty/tty_buffer.c:465
&gt;        paste_selection+0x346/0x470 drivers/tty/vt/selection.c:389
&gt;        tioclinux+0x121/0x530 drivers/tty/vt/vt.c:3055
&gt;        vt_ioctl+0x3f1/0x3a30 drivers/tty/vt/vt_ioctl.c:364

This is ioctl(TIOCL_PASTESEL).
Locks held on the path: sel_lock -&gt; termios_rwsem

&gt; other info that might help us debug this:
&gt;
&gt; Chain exists of:
&gt;   &amp;tty-&gt;termios_rwsem --&gt; console_lock --&gt; sel_lock

Clearly. From the above, we have:
 console_lock -&gt; sel_lock
 sel_lock -&gt; termios_rwsem
 termios_rwsem -&gt; console_lock

Fix this by reversing the console_lock -&gt; sel_lock dependency in
ioctl(TIOCL_SETSEL). First, lock sel_lock, then console_lock.

Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Reported-by: syzbot+26183d9746e62da329b8@syzkaller.appspotmail.com
Fixes: 07e6124a1a46 ("vt: selection, close sel_buffer race")
Link: https://lore.kernel.org/r/20200228115406.5735-2-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>vt: selection, push console lock down</title>
<updated>2020-04-28T18:03:42+00:00</updated>
<author>
<name>Jiri Slaby</name>
<email>jslaby@suse.cz</email>
</author>
<published>2020-02-28T11:54:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f443603c73b85db566373875ca8890ef0910f083'/>
<id>f443603c73b85db566373875ca8890ef0910f083</id>
<content type='text'>
commit 4b70dd57a15d2f4685ac6e38056bad93e81e982f upstream.

We need to nest the console lock in sel_lock, so we have to push it down
a bit. Fortunately, the callers of set_selection_* just lock the console
lock around the function call. So moving it down is easy.

In the next patch, we switch the order.

Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Fixes: 07e6124a1a46 ("vt: selection, close sel_buffer race")
Link: https://lore.kernel.org/r/20200228115406.5735-1-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 4b70dd57a15d2f4685ac6e38056bad93e81e982f upstream.

We need to nest the console lock in sel_lock, so we have to push it down
a bit. Fortunately, the callers of set_selection_* just lock the console
lock around the function call. So moving it down is easy.

In the next patch, we switch the order.

Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Fixes: 07e6124a1a46 ("vt: selection, close sel_buffer race")
Link: https://lore.kernel.org/r/20200228115406.5735-1-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>vt: selection, close sel_buffer race</title>
<updated>2020-04-28T18:03:41+00:00</updated>
<author>
<name>Jiri Slaby</name>
<email>jslaby@suse.cz</email>
</author>
<published>2020-02-10T08:11:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a93c3b40fc3d2264b1b11c469319c7cbefb80c46'/>
<id>a93c3b40fc3d2264b1b11c469319c7cbefb80c46</id>
<content type='text'>
commit 07e6124a1a46b4b5a9b3cacc0c306b50da87abf5 upstream.

syzkaller reported this UAF:
BUG: KASAN: use-after-free in n_tty_receive_buf_common+0x2481/0x2940 drivers/tty/n_tty.c:1741
Read of size 1 at addr ffff8880089e40e9 by task syz-executor.1/13184

CPU: 0 PID: 13184 Comm: syz-executor.1 Not tainted 5.4.7 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
...
 kasan_report+0xe/0x20 mm/kasan/common.c:634
 n_tty_receive_buf_common+0x2481/0x2940 drivers/tty/n_tty.c:1741
 tty_ldisc_receive_buf+0xac/0x190 drivers/tty/tty_buffer.c:461
 paste_selection+0x297/0x400 drivers/tty/vt/selection.c:372
 tioclinux+0x20d/0x4e0 drivers/tty/vt/vt.c:3044
 vt_ioctl+0x1bcf/0x28d0 drivers/tty/vt/vt_ioctl.c:364
 tty_ioctl+0x525/0x15a0 drivers/tty/tty_io.c:2657
 vfs_ioctl fs/ioctl.c:47 [inline]

It is due to a race between parallel paste_selection (TIOCL_PASTESEL)
and set_selection_user (TIOCL_SETSEL) invocations. One uses sel_buffer,
while the other frees it and reallocates a new one for another
selection. Add a mutex to close this race.

The mutex takes care properly of sel_buffer and sel_buffer_lth only. The
other selection global variables (like sel_start, sel_end, and sel_cons)
are protected only in set_selection_user. The other functions need quite
some more work to close the races of the variables there. This is going
to happen later.

This likely fixes (I am unsure as there is no reproducer provided) bug
206361 too. It was marked as CVE-2020-8648.

Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Reported-by: syzbot+59997e8d5cbdc486e6f6@syzkaller.appspotmail.com
References: https://bugzilla.kernel.org/show_bug.cgi?id=206361
Link: https://lore.kernel.org/r/20200210081131.23572-2-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 07e6124a1a46b4b5a9b3cacc0c306b50da87abf5 upstream.

syzkaller reported this UAF:
BUG: KASAN: use-after-free in n_tty_receive_buf_common+0x2481/0x2940 drivers/tty/n_tty.c:1741
Read of size 1 at addr ffff8880089e40e9 by task syz-executor.1/13184

CPU: 0 PID: 13184 Comm: syz-executor.1 Not tainted 5.4.7 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
...
 kasan_report+0xe/0x20 mm/kasan/common.c:634
 n_tty_receive_buf_common+0x2481/0x2940 drivers/tty/n_tty.c:1741
 tty_ldisc_receive_buf+0xac/0x190 drivers/tty/tty_buffer.c:461
 paste_selection+0x297/0x400 drivers/tty/vt/selection.c:372
 tioclinux+0x20d/0x4e0 drivers/tty/vt/vt.c:3044
 vt_ioctl+0x1bcf/0x28d0 drivers/tty/vt/vt_ioctl.c:364
 tty_ioctl+0x525/0x15a0 drivers/tty/tty_io.c:2657
 vfs_ioctl fs/ioctl.c:47 [inline]

It is due to a race between parallel paste_selection (TIOCL_PASTESEL)
and set_selection_user (TIOCL_SETSEL) invocations. One uses sel_buffer,
while the other frees it and reallocates a new one for another
selection. Add a mutex to close this race.

The mutex takes care properly of sel_buffer and sel_buffer_lth only. The
other selection global variables (like sel_start, sel_end, and sel_cons)
are protected only in set_selection_user. The other functions need quite
some more work to close the races of the variables there. This is going
to happen later.

This likely fixes (I am unsure as there is no reproducer provided) bug
206361 too. It was marked as CVE-2020-8648.

Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Reported-by: syzbot+59997e8d5cbdc486e6f6@syzkaller.appspotmail.com
References: https://bugzilla.kernel.org/show_bug.cgi?id=206361
Link: https://lore.kernel.org/r/20200210081131.23572-2-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>vt: selection, handle pending signals in paste_selection</title>
<updated>2020-04-28T18:03:41+00:00</updated>
<author>
<name>Jiri Slaby</name>
<email>jslaby@suse.cz</email>
</author>
<published>2020-02-10T08:11:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2b553bde7725bdd5faf19088eee4031ccdc256cd'/>
<id>2b553bde7725bdd5faf19088eee4031ccdc256cd</id>
<content type='text'>
commit 687bff0cd08f790d540cfb7b2349f0d876cdddec upstream.

When pasting a selection to a vt, the task is set as INTERRUPTIBLE while
waiting for a tty to unthrottle. But signals are not handled at all.
Normally, this is not a problem as tty_ldisc_receive_buf receives all
the goods and a user has no reason to interrupt the task.

There are two scenarios where this matters:
1) when the tty is throttled and a signal is sent to the process, it
   spins on a CPU until the tty is unthrottled. schedule() does not
   really echedule, but returns immediately, of course.
2) when the sel_buffer becomes invalid, KASAN prevents any reads from it
   and the loop simply does not proceed and spins forever (causing the
   tty to throttle, but the code never sleeps, the same as above). This
   sometimes happens as there is a race in the sel_buffer handling code.

So add signal handling to this ioctl (TIOCL_PASTESEL) and return -EINTR
in case a signal is pending.

Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Link: https://lore.kernel.org/r/20200210081131.23572-1-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
[bwh: Backported to 3.16:
 - No need to include &lt;linux/sched/signal.h&gt;
 - Adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 687bff0cd08f790d540cfb7b2349f0d876cdddec upstream.

When pasting a selection to a vt, the task is set as INTERRUPTIBLE while
waiting for a tty to unthrottle. But signals are not handled at all.
Normally, this is not a problem as tty_ldisc_receive_buf receives all
the goods and a user has no reason to interrupt the task.

There are two scenarios where this matters:
1) when the tty is throttled and a signal is sent to the process, it
   spins on a CPU until the tty is unthrottled. schedule() does not
   really echedule, but returns immediately, of course.
2) when the sel_buffer becomes invalid, KASAN prevents any reads from it
   and the loop simply does not proceed and spins forever (causing the
   tty to throttle, but the code never sleeps, the same as above). This
   sometimes happens as there is a race in the sel_buffer handling code.

So add signal handling to this ioctl (TIOCL_PASTESEL) and return -EINTR
in case a signal is pending.

Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Link: https://lore.kernel.org/r/20200210081131.23572-1-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
[bwh: Backported to 3.16:
 - No need to include &lt;linux/sched/signal.h&gt;
 - Adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tty: vt: Fix !TASK_RUNNING diagnostic warning from paste_selection()</title>
<updated>2020-04-28T18:03:40+00:00</updated>
<author>
<name>Peter Hurley</name>
<email>peter@hurleysoftware.com</email>
</author>
<published>2015-07-13T00:47:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a0c13fc21e90c5d811cc6b546841ad4ee9a56f98'/>
<id>a0c13fc21e90c5d811cc6b546841ad4ee9a56f98</id>
<content type='text'>
commit 61e86cc90af49cecef9c54ccea1f572fbcb695ac upstream.

Pasting text with gpm on a VC produced warning [1]. Reset task state
to TASK_RUNNING in the paste_selection() loop, if the loop did not
sleep.

[1]
WARNING: CPU: 6 PID: 1960 at /home/peter/src/kernels/mainline/kernel/sched/core.c:7286 __might_sleep+0x7f/0x90()
do not call blocking ops when !TASK_RUNNING; state=1 set at [&lt;ffffffff8151805e&gt;] paste_selection+0x9e/0x1a0
Modules linked in: btrfs xor raid6_pq ufs qnx4 hfsplus hfs minix ntfs msdos jfs xfs libcrc32c .....
CPU: 6 PID: 1960 Comm: gpm Not tainted 4.1.0-rc7+tty-xeon+debug #rc7+tty
Hardware name: Dell Inc. Precision WorkStation T5400  /0RW203, BIOS A11 04/30/2012
 ffffffff81c9c0a0 ffff8802b0fd3ac8 ffffffff8185778a 0000000000000001
 ffff8802b0fd3b18 ffff8802b0fd3b08 ffffffff8108039a ffffffff82ae8510
 ffffffff81c9ce00 0000000000000015 0000000000000000 0000000000000000
Call Trace:
 [&lt;ffffffff8185778a&gt;] dump_stack+0x4f/0x7b
 [&lt;ffffffff8108039a&gt;] warn_slowpath_common+0x8a/0xc0
 [&lt;ffffffff81080416&gt;] warn_slowpath_fmt+0x46/0x50
 [&lt;ffffffff810ddced&gt;] ? __lock_acquire+0xe2d/0x13a0
 [&lt;ffffffff8151805e&gt;] ? paste_selection+0x9e/0x1a0
 [&lt;ffffffff8151805e&gt;] ? paste_selection+0x9e/0x1a0
 [&lt;ffffffff810ad4ff&gt;] __might_sleep+0x7f/0x90
 [&lt;ffffffff8185f76a&gt;] down_read+0x2a/0xa0
 [&lt;ffffffff810bb1d8&gt;] ? sched_clock_cpu+0xb8/0xe0
 [&lt;ffffffff8150d1dc&gt;] n_tty_receive_buf_common+0x4c/0xba0
 [&lt;ffffffff810dc875&gt;] ? mark_held_locks+0x75/0xa0
 [&lt;ffffffff81861c95&gt;] ? _raw_spin_unlock_irqrestore+0x65/0x80
 [&lt;ffffffff810b49a1&gt;] ? get_parent_ip+0x11/0x50
 [&lt;ffffffff8150dd44&gt;] n_tty_receive_buf2+0x14/0x20
 [&lt;ffffffff81518117&gt;] paste_selection+0x157/0x1a0
 [&lt;ffffffff810b77b0&gt;] ? wake_up_state+0x20/0x20
 [&lt;ffffffff815203f8&gt;] tioclinux+0xb8/0x2c0
 [&lt;ffffffff81515bfe&gt;] vt_ioctl+0xaee/0x11a0
 [&lt;ffffffff810baf75&gt;] ? sched_clock_local+0x25/0x90
 [&lt;ffffffff810bbe11&gt;] ? vtime_account_user+0x91/0xa0
 [&lt;ffffffff8150810c&gt;] tty_ioctl+0x20c/0xe20
 [&lt;ffffffff810bbe11&gt;] ? vtime_account_user+0x91/0xa0
 [&lt;ffffffff810b49a1&gt;] ? get_parent_ip+0x11/0x50
 [&lt;ffffffff810b4a69&gt;] ? preempt_count_sub+0x49/0x50
 [&lt;ffffffff811ab71c&gt;] ? context_tracking_exit+0x5c/0x290
 [&lt;ffffffff811ab71c&gt;] ? context_tracking_exit+0x5c/0x290
 [&lt;ffffffff81248b98&gt;] do_vfs_ioctl+0x318/0x570
 [&lt;ffffffff810dca8d&gt;] ? trace_hardirqs_on+0xd/0x10
 [&lt;ffffffff810dc9b5&gt;] ? trace_hardirqs_on_caller+0x115/0x1e0
 [&lt;ffffffff81254acc&gt;] ? __fget_light+0x6c/0xa0
 [&lt;ffffffff81248e71&gt;] SyS_ioctl+0x81/0xa0
 [&lt;ffffffff81862832&gt;] system_call_fastpath+0x16/0x7a

Signed-off-by: Peter Hurley &lt;peter@hurleysoftware.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 61e86cc90af49cecef9c54ccea1f572fbcb695ac upstream.

Pasting text with gpm on a VC produced warning [1]. Reset task state
to TASK_RUNNING in the paste_selection() loop, if the loop did not
sleep.

[1]
WARNING: CPU: 6 PID: 1960 at /home/peter/src/kernels/mainline/kernel/sched/core.c:7286 __might_sleep+0x7f/0x90()
do not call blocking ops when !TASK_RUNNING; state=1 set at [&lt;ffffffff8151805e&gt;] paste_selection+0x9e/0x1a0
Modules linked in: btrfs xor raid6_pq ufs qnx4 hfsplus hfs minix ntfs msdos jfs xfs libcrc32c .....
CPU: 6 PID: 1960 Comm: gpm Not tainted 4.1.0-rc7+tty-xeon+debug #rc7+tty
Hardware name: Dell Inc. Precision WorkStation T5400  /0RW203, BIOS A11 04/30/2012
 ffffffff81c9c0a0 ffff8802b0fd3ac8 ffffffff8185778a 0000000000000001
 ffff8802b0fd3b18 ffff8802b0fd3b08 ffffffff8108039a ffffffff82ae8510
 ffffffff81c9ce00 0000000000000015 0000000000000000 0000000000000000
Call Trace:
 [&lt;ffffffff8185778a&gt;] dump_stack+0x4f/0x7b
 [&lt;ffffffff8108039a&gt;] warn_slowpath_common+0x8a/0xc0
 [&lt;ffffffff81080416&gt;] warn_slowpath_fmt+0x46/0x50
 [&lt;ffffffff810ddced&gt;] ? __lock_acquire+0xe2d/0x13a0
 [&lt;ffffffff8151805e&gt;] ? paste_selection+0x9e/0x1a0
 [&lt;ffffffff8151805e&gt;] ? paste_selection+0x9e/0x1a0
 [&lt;ffffffff810ad4ff&gt;] __might_sleep+0x7f/0x90
 [&lt;ffffffff8185f76a&gt;] down_read+0x2a/0xa0
 [&lt;ffffffff810bb1d8&gt;] ? sched_clock_cpu+0xb8/0xe0
 [&lt;ffffffff8150d1dc&gt;] n_tty_receive_buf_common+0x4c/0xba0
 [&lt;ffffffff810dc875&gt;] ? mark_held_locks+0x75/0xa0
 [&lt;ffffffff81861c95&gt;] ? _raw_spin_unlock_irqrestore+0x65/0x80
 [&lt;ffffffff810b49a1&gt;] ? get_parent_ip+0x11/0x50
 [&lt;ffffffff8150dd44&gt;] n_tty_receive_buf2+0x14/0x20
 [&lt;ffffffff81518117&gt;] paste_selection+0x157/0x1a0
 [&lt;ffffffff810b77b0&gt;] ? wake_up_state+0x20/0x20
 [&lt;ffffffff815203f8&gt;] tioclinux+0xb8/0x2c0
 [&lt;ffffffff81515bfe&gt;] vt_ioctl+0xaee/0x11a0
 [&lt;ffffffff810baf75&gt;] ? sched_clock_local+0x25/0x90
 [&lt;ffffffff810bbe11&gt;] ? vtime_account_user+0x91/0xa0
 [&lt;ffffffff8150810c&gt;] tty_ioctl+0x20c/0xe20
 [&lt;ffffffff810bbe11&gt;] ? vtime_account_user+0x91/0xa0
 [&lt;ffffffff810b49a1&gt;] ? get_parent_ip+0x11/0x50
 [&lt;ffffffff810b4a69&gt;] ? preempt_count_sub+0x49/0x50
 [&lt;ffffffff811ab71c&gt;] ? context_tracking_exit+0x5c/0x290
 [&lt;ffffffff811ab71c&gt;] ? context_tracking_exit+0x5c/0x290
 [&lt;ffffffff81248b98&gt;] do_vfs_ioctl+0x318/0x570
 [&lt;ffffffff810dca8d&gt;] ? trace_hardirqs_on+0xd/0x10
 [&lt;ffffffff810dc9b5&gt;] ? trace_hardirqs_on_caller+0x115/0x1e0
 [&lt;ffffffff81254acc&gt;] ? __fget_light+0x6c/0xa0
 [&lt;ffffffff81248e71&gt;] SyS_ioctl+0x81/0xa0
 [&lt;ffffffff81862832&gt;] system_call_fastpath+0x16/0x7a

Signed-off-by: Peter Hurley &lt;peter@hurleysoftware.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tty: vt: keyboard: reject invalid keycodes</title>
<updated>2020-02-11T20:03:48+00:00</updated>
<author>
<name>Dmitry Torokhov</name>
<email>dmitry.torokhov@gmail.com</email>
</author>
<published>2019-11-22T20:42:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=970405d201c855ba4ace20bbf548c5ee6e69ef28'/>
<id>970405d201c855ba4ace20bbf548c5ee6e69ef28</id>
<content type='text'>
commit b2b2dd71e0859436d4e05b2f61f86140250ed3f8 upstream.

Do not try to handle keycodes that are too big, otherwise we risk doing
out-of-bounds writes:

BUG: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline]
BUG: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
BUG: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722
...
 kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
 kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
 input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118
 input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145
 input_pass_values drivers/input/input.c:949 [inline]
 input_set_keycode+0x290/0x320 drivers/input/input.c:954
 evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882
 evdev_do_ioctl drivers/input/evdev.c:1150 [inline]

In this case we were dealing with a fuzzed HID device that declared over
12K buttons, and while HID layer should not be reporting to us such big
keycodes, we should also be defensive and reject invalid data ourselves as
well.

Reported-by: syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
Link: https://lore.kernel.org/r/20191122204220.GA129459@dtor-ws
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit b2b2dd71e0859436d4e05b2f61f86140250ed3f8 upstream.

Do not try to handle keycodes that are too big, otherwise we risk doing
out-of-bounds writes:

BUG: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline]
BUG: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
BUG: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722
...
 kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
 kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
 input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118
 input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145
 input_pass_values drivers/input/input.c:949 [inline]
 input_set_keycode+0x290/0x320 drivers/input/input.c:954
 evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882
 evdev_do_ioctl drivers/input/evdev.c:1150 [inline]

In this case we were dealing with a fuzzed HID device that declared over
12K buttons, and while HID layer should not be reporting to us such big
keycodes, we should also be defensive and reject invalid data ourselves as
well.

Reported-by: syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
Link: https://lore.kernel.org/r/20191122204220.GA129459@dtor-ws
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tty/vt: fix write/write race in ioctl(KDSKBSENT) handler</title>
<updated>2019-09-23T20:11:35+00:00</updated>
<author>
<name>Sergei Trofimovich</name>
<email>slyfox@gentoo.org</email>
</author>
<published>2019-03-10T21:24:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8a6dad8719092ba7d8838dde2fb8f41c7c8a4432'/>
<id>8a6dad8719092ba7d8838dde2fb8f41c7c8a4432</id>
<content type='text'>
commit 46ca3f735f345c9d87383dd3a09fa5d43870770e upstream.

The bug manifests as an attempt to access deallocated memory:

    BUG: unable to handle kernel paging request at ffff9c8735448000
    #PF error: [PROT] [WRITE]
    PGD 288a05067 P4D 288a05067 PUD 288a07067 PMD 7f60c2063 PTE 80000007f5448161
    Oops: 0003 [#1] PREEMPT SMP
    CPU: 6 PID: 388 Comm: loadkeys Tainted: G         C        5.0.0-rc6-00153-g5ded5871030e #91
    Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77M-D3H, BIOS F12 11/14/2013
    RIP: 0010:__memmove+0x81/0x1a0
    Code: 4c 89 4f 10 4c 89 47 18 48 8d 7f 20 73 d4 48 83 c2 20 e9 a2 00 00 00 66 90 48 89 d1 4c 8b 5c 16 f8 4c 8d 54 17 f8 48 c1 e9 03 &lt;f3&gt; 48 a5 4d 89 1a e9 0c 01 00 00 0f 1f 40 00 48 89 d1 4c 8b 1e 49
    RSP: 0018:ffffa1b9002d7d08 EFLAGS: 00010203
    RAX: ffff9c873541af43 RBX: ffff9c873541af43 RCX: 00000c6f105cd6bf
    RDX: 0000637882e986b6 RSI: ffff9c8735447ffb RDI: ffff9c8735447ffb
    RBP: ffff9c8739cd3800 R08: ffff9c873b802f00 R09: 00000000fffff73b
    R10: ffffffffb82b35f1 R11: 00505b1b004d5b1b R12: 0000000000000000
    R13: ffff9c873541af3d R14: 000000000000000b R15: 000000000000000c
    FS:  00007f450c390580(0000) GS:ffff9c873f180000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: ffff9c8735448000 CR3: 00000007e213c002 CR4: 00000000000606e0
    Call Trace:
     vt_do_kdgkb_ioctl+0x34d/0x440
     vt_ioctl+0xba3/0x1190
     ? __bpf_prog_run32+0x39/0x60
     ? mem_cgroup_commit_charge+0x7b/0x4e0
     tty_ioctl+0x23f/0x920
     ? preempt_count_sub+0x98/0xe0
     ? __seccomp_filter+0x67/0x600
     do_vfs_ioctl+0xa2/0x6a0
     ? syscall_trace_enter+0x192/0x2d0
     ksys_ioctl+0x3a/0x70
     __x64_sys_ioctl+0x16/0x20
     do_syscall_64+0x54/0xe0
     entry_SYSCALL_64_after_hwframe+0x49/0xbe

The bug manifests on systemd systems with multiple vtcon devices:
  # cat /sys/devices/virtual/vtconsole/vtcon0/name
  (S) dummy device
  # cat /sys/devices/virtual/vtconsole/vtcon1/name
  (M) frame buffer device

There systemd runs 'loadkeys' tool in tapallel for each vtcon
instance. This causes two parallel ioctl(KDSKBSENT) calls to
race into adding the same entry into 'func_table' array at:

    drivers/tty/vt/keyboard.c:vt_do_kdgkb_ioctl()

The function has no locking around writes to 'func_table'.

The simplest reproducer is to have initrams with the following
init on a 8-CPU machine x86_64:

    #!/bin/sh

    loadkeys -q windowkeys ru4 &amp;
    loadkeys -q windowkeys ru4 &amp;
    loadkeys -q windowkeys ru4 &amp;
    loadkeys -q windowkeys ru4 &amp;

    loadkeys -q windowkeys ru4 &amp;
    loadkeys -q windowkeys ru4 &amp;
    loadkeys -q windowkeys ru4 &amp;
    loadkeys -q windowkeys ru4 &amp;
    wait

The change adds lock on write path only. Reads are still racy.

CC: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
CC: Jiri Slaby &lt;jslaby@suse.com&gt;
Link: https://lkml.org/lkml/2019/2/17/256
Signed-off-by: Sergei Trofimovich &lt;slyfox@gentoo.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 46ca3f735f345c9d87383dd3a09fa5d43870770e upstream.

The bug manifests as an attempt to access deallocated memory:

    BUG: unable to handle kernel paging request at ffff9c8735448000
    #PF error: [PROT] [WRITE]
    PGD 288a05067 P4D 288a05067 PUD 288a07067 PMD 7f60c2063 PTE 80000007f5448161
    Oops: 0003 [#1] PREEMPT SMP
    CPU: 6 PID: 388 Comm: loadkeys Tainted: G         C        5.0.0-rc6-00153-g5ded5871030e #91
    Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77M-D3H, BIOS F12 11/14/2013
    RIP: 0010:__memmove+0x81/0x1a0
    Code: 4c 89 4f 10 4c 89 47 18 48 8d 7f 20 73 d4 48 83 c2 20 e9 a2 00 00 00 66 90 48 89 d1 4c 8b 5c 16 f8 4c 8d 54 17 f8 48 c1 e9 03 &lt;f3&gt; 48 a5 4d 89 1a e9 0c 01 00 00 0f 1f 40 00 48 89 d1 4c 8b 1e 49
    RSP: 0018:ffffa1b9002d7d08 EFLAGS: 00010203
    RAX: ffff9c873541af43 RBX: ffff9c873541af43 RCX: 00000c6f105cd6bf
    RDX: 0000637882e986b6 RSI: ffff9c8735447ffb RDI: ffff9c8735447ffb
    RBP: ffff9c8739cd3800 R08: ffff9c873b802f00 R09: 00000000fffff73b
    R10: ffffffffb82b35f1 R11: 00505b1b004d5b1b R12: 0000000000000000
    R13: ffff9c873541af3d R14: 000000000000000b R15: 000000000000000c
    FS:  00007f450c390580(0000) GS:ffff9c873f180000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: ffff9c8735448000 CR3: 00000007e213c002 CR4: 00000000000606e0
    Call Trace:
     vt_do_kdgkb_ioctl+0x34d/0x440
     vt_ioctl+0xba3/0x1190
     ? __bpf_prog_run32+0x39/0x60
     ? mem_cgroup_commit_charge+0x7b/0x4e0
     tty_ioctl+0x23f/0x920
     ? preempt_count_sub+0x98/0xe0
     ? __seccomp_filter+0x67/0x600
     do_vfs_ioctl+0xa2/0x6a0
     ? syscall_trace_enter+0x192/0x2d0
     ksys_ioctl+0x3a/0x70
     __x64_sys_ioctl+0x16/0x20
     do_syscall_64+0x54/0xe0
     entry_SYSCALL_64_after_hwframe+0x49/0xbe

The bug manifests on systemd systems with multiple vtcon devices:
  # cat /sys/devices/virtual/vtconsole/vtcon0/name
  (S) dummy device
  # cat /sys/devices/virtual/vtconsole/vtcon1/name
  (M) frame buffer device

There systemd runs 'loadkeys' tool in tapallel for each vtcon
instance. This causes two parallel ioctl(KDSKBSENT) calls to
race into adding the same entry into 'func_table' array at:

    drivers/tty/vt/keyboard.c:vt_do_kdgkb_ioctl()

The function has no locking around writes to 'func_table'.

The simplest reproducer is to have initrams with the following
init on a 8-CPU machine x86_64:

    #!/bin/sh

    loadkeys -q windowkeys ru4 &amp;
    loadkeys -q windowkeys ru4 &amp;
    loadkeys -q windowkeys ru4 &amp;
    loadkeys -q windowkeys ru4 &amp;

    loadkeys -q windowkeys ru4 &amp;
    loadkeys -q windowkeys ru4 &amp;
    loadkeys -q windowkeys ru4 &amp;
    loadkeys -q windowkeys ru4 &amp;
    wait

The change adds lock on write path only. Reads are still racy.

CC: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
CC: Jiri Slaby &lt;jslaby@suse.com&gt;
Link: https://lkml.org/lkml/2019/2/17/256
Signed-off-by: Sergei Trofimovich &lt;slyfox@gentoo.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>vt: invoke notifier on screen size change</title>
<updated>2019-05-02T20:41:26+00:00</updated>
<author>
<name>Nicolas Pitre</name>
<email>nicolas.pitre@linaro.org</email>
</author>
<published>2019-01-09T03:55:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=678767958a8133c168df41e08b73687e182dcbd5'/>
<id>678767958a8133c168df41e08b73687e182dcbd5</id>
<content type='text'>
commit 0c9b1965faddad7534b6974b5b36c4ad37998f8e upstream.

User space using poll() on /dev/vcs devices are not awaken when a
screen size change occurs. Let's fix that.

Signed-off-by: Nicolas Pitre &lt;nico@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 0c9b1965faddad7534b6974b5b36c4ad37998f8e upstream.

User space using poll() on /dev/vcs devices are not awaken when a
screen size change occurs. Let's fix that.

Signed-off-by: Nicolas Pitre &lt;nico@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>vt: always call notifier with the console lock held</title>
<updated>2019-05-02T20:41:25+00:00</updated>
<author>
<name>Nicolas Pitre</name>
<email>nicolas.pitre@linaro.org</email>
</author>
<published>2019-01-09T03:55:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1bff709b8fb3c80b065922c5ab4c84de34d932d3'/>
<id>1bff709b8fb3c80b065922c5ab4c84de34d932d3</id>
<content type='text'>
commit 7e1d226345f89ad5d0216a9092c81386c89b4983 upstream.

Every invocation of notify_write() and notify_update() is performed
under the console lock, except for one case. Let's fix that.

Signed-off-by: Nicolas Pitre &lt;nico@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 7e1d226345f89ad5d0216a9092c81386c89b4983 upstream.

Every invocation of notify_write() and notify_update() is performed
under the console lock, except for one case. Let's fix that.

Signed-off-by: Nicolas Pitre &lt;nico@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tty: vt_ioctl: fix potential Spectre v1</title>
<updated>2018-12-16T22:09:20+00:00</updated>
<author>
<name>Gustavo A. R. Silva</name>
<email>gustavo@embeddedor.com</email>
</author>
<published>2018-08-16T20:30:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=458697ab18b512445ac273ce68a9f8fd623fc0a3'/>
<id>458697ab18b512445ac273ce68a9f8fd623fc0a3</id>
<content type='text'>
commit e97267cb4d1ee01ca0929638ec0fcbb0904f903d upstream.

vsa.console is indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

drivers/tty/vt/vt_ioctl.c:711 vt_ioctl() warn: potential spectre issue
'vc_cons' [r]

Fix this by sanitizing vsa.console before using it to index vc_cons

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&amp;m=152449131114778&amp;w=2

Signed-off-by: Gustavo A. R. Silva &lt;gustavo@embeddedor.com&gt;
Reviewed-by: Alan Cox &lt;alan@linux.intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit e97267cb4d1ee01ca0929638ec0fcbb0904f903d upstream.

vsa.console is indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

drivers/tty/vt/vt_ioctl.c:711 vt_ioctl() warn: potential spectre issue
'vc_cons' [r]

Fix this by sanitizing vsa.console before using it to index vc_cons

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&amp;m=152449131114778&amp;w=2

Signed-off-by: Gustavo A. R. Silva &lt;gustavo@embeddedor.com&gt;
Reviewed-by: Alan Cox &lt;alan@linux.intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
</feed>
