linux-stable.git/drivers/tty/vt, branch linux-4.6.y Linux kernel stable tree tty/vt/keyboard: fix OOB access in do_compute_shiftstate() 2016-07-27T15:42:21+00:00 Dmitry Torokhov dmitry.torokhov@gmail.com 2016-06-27T21:12:34+00:00 78881b963f2f6302482aaa1c4486b3b4ed0d0f17 commit 510cccb5b0c8868a2b302a0ab524da7912da648b upstream. The size of individual keymap in drivers/tty/vt/keyboard.c is NR_KEYS, which is currently 256, whereas number of keys/buttons in input device (and therefor in key_down) is much larger - KEY_CNT - 768, and that can cause out-of-bound access when we do sym = U(key_maps[0][k]); with large 'k'. To fix it we should not attempt iterating beyond smaller of NR_KEYS and KEY_CNT. Also while at it let's switch to for_each_set_bit() instead of open-coding it. Reported-by: Sasha Levin <sasha.levin@oracle.com> Reviewed-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 510cccb5b0c8868a2b302a0ab524da7912da648b upstream.

The size of individual keymap in drivers/tty/vt/keyboard.c is NR_KEYS,
which is currently 256, whereas number of keys/buttons in input device (and
therefor in key_down) is much larger - KEY_CNT - 768, and that can cause
out-of-bound access when we do

	sym = U(key_maps[0][k]);

with large 'k'.

To fix it we should not attempt iterating beyond smaller of NR_KEYS and
KEY_CNT.

Also while at it let's switch to for_each_set_bit() instead of open-coding
it.

Reported-by: Sasha Levin <sasha.levin@oracle.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
tty: vt: Fix soft lockup in fbcon cursor blink timer. 2016-07-27T15:42:21+00:00 David Daney david.daney@cavium.com 2016-05-17T18:41:04+00:00 68dd25deda2f7995f127abd206596c78d1fb4c09 commit 1b45996d2ebf9680ccd0db875fc668aa025f40fd upstream. We are getting somewhat random soft lockups with this signature: [ 86.992215] [<fffffc00080935e0>] el1_irq+0xa0/0x10c [ 86.997082] [<fffffc000841822c>] cursor_timer_handler+0x30/0x54 [ 87.002991] [<fffffc000810ec44>] call_timer_fn+0x54/0x1a8 [ 87.008378] [<fffffc000810ef88>] run_timer_softirq+0x1c4/0x2bc [ 87.014200] [<fffffc000809077c>] __do_softirq+0x114/0x344 [ 87.019590] [<fffffc00080af45c>] irq_exit+0x74/0x98 [ 87.024458] [<fffffc00080fac20>] __handle_domain_irq+0x98/0xfc [ 87.030278] [<fffffc000809056c>] gic_handle_irq+0x94/0x190 This is caused by the vt visual_init() function calling into fbcon_init() with a vc_cur_blink_ms value of zero. This is a transient condition, as it is later set to a non-zero value. But, if the timer happens to expire while the blink rate is zero, it goes into an endless loop, and we get soft lockup. The fix is to initialize vc_cur_blink_ms before calling the con_init() function. Signed-off-by: David Daney <david.daney@cavium.com> Acked-by: Pavel Machek <pavel@ucw.cz> Tested-by: Ming Lei <ming.lei@canonical.com> Acked-by: Scot Doyle <lkml14@scotdoyle.com> Tested-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 1b45996d2ebf9680ccd0db875fc668aa025f40fd upstream.

We are getting somewhat random soft lockups with this signature:

[   86.992215] [<fffffc00080935e0>] el1_irq+0xa0/0x10c
[   86.997082] [<fffffc000841822c>] cursor_timer_handler+0x30/0x54
[   87.002991] [<fffffc000810ec44>] call_timer_fn+0x54/0x1a8
[   87.008378] [<fffffc000810ef88>] run_timer_softirq+0x1c4/0x2bc
[   87.014200] [<fffffc000809077c>] __do_softirq+0x114/0x344
[   87.019590] [<fffffc00080af45c>] irq_exit+0x74/0x98
[   87.024458] [<fffffc00080fac20>] __handle_domain_irq+0x98/0xfc
[   87.030278] [<fffffc000809056c>] gic_handle_irq+0x94/0x190

This is caused by the vt visual_init() function calling into
fbcon_init() with a vc_cur_blink_ms value of zero.  This is a
transient condition, as it is later set to a non-zero value.  But, if
the timer happens to expire while the blink rate is zero, it goes into
an endless loop, and we get soft lockup.

The fix is to initialize vc_cur_blink_ms before calling the con_init()
function.

Signed-off-by: David Daney <david.daney@cavium.com>
Acked-by: Pavel Machek <pavel@ucw.cz>
Tested-by: Ming Lei <ming.lei@canonical.com>
Acked-by: Scot Doyle <lkml14@scotdoyle.com>
Tested-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
tty: vt, return error when con_startup fails 2016-06-01T19:18:03+00:00 Jiri Slaby jslaby@suse.cz 2016-05-03T15:05:54+00:00 f015378c762d260c8277cc39d5de4567be2ccb06 commit 6798df4c5fe0a7e6d2065cf79649a794e5ba7114 upstream. When csw->con_startup() fails in do_register_con_driver, we return no error (i.e. 0). This was changed back in 2006 by commit 3e795de763. Before that we used to return -ENODEV. So fix the return value to be -ENODEV in that case again. Fixes: 3e795de763 ("VT binding: Add binding/unbinding support for the VT console") Signed-off-by: Jiri Slaby <jslaby@suse.cz> Reported-by: "Dan Carpenter" <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 6798df4c5fe0a7e6d2065cf79649a794e5ba7114 upstream.

When csw->con_startup() fails in do_register_con_driver, we return no
error (i.e. 0). This was changed back in 2006 by commit 3e795de763.
Before that we used to return -ENODEV.

So fix the return value to be -ENODEV in that case again.

Fixes: 3e795de763 ("VT binding: Add binding/unbinding support for the VT console")
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Reported-by: "Dan Carpenter" <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
tty: vt: initialize softcursor_original correctly 2016-02-07T07:42:25+00:00 Melchior FRANZ mfranz@aon.at 2015-11-01T18:48:18+00:00 e882f7158f102ef148a2d96eb4cb50cc88830c87 add_softcursor() stores the contents of the text buffer position in this variable before drawing the softcursor, whereas hide_softcursor() writes the value back. A value of -1 means that no cursor has been drawn and therefore no character is to be restored. softcursor_original, however, is only implicitly initialized with 0. Therefore, when hide_softcursor is called for the first time (console_init -> con_init -> redraw_screen -> hide_cursor), it wrongly writes 0x0000 in the top left corner of the text buffer. Normally, this is just as black as the rest of the screen (vc_video_erase_char) and can't be seen, but it appears as a black cursor rectangle on non-black backgrounds e.g. with boot option "vt.global_cursor_default=0 vt.color=0xf0". softcursor_original needs to be initialized with -1. Signed-off-by: Melchior FRANZ <mfranz@aon.at> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
add_softcursor() stores the contents of the text buffer position in this
variable before drawing the softcursor, whereas hide_softcursor() writes
the value back. A value of -1 means that no cursor has been drawn and
therefore no character is to be restored. softcursor_original, however,
is only implicitly initialized with 0. Therefore, when hide_softcursor
is called for the first time (console_init -> con_init -> redraw_screen
-> hide_cursor), it wrongly writes 0x0000 in the top left corner of
the text buffer. Normally, this is just as black as the rest of the
screen (vc_video_erase_char) and can't be seen, but it appears as a
black cursor rectangle on non-black backgrounds e.g. with boot option
"vt.global_cursor_default=0 vt.color=0xf0". softcursor_original needs
to be initialized with -1.

Signed-off-by: Melchior FRANZ <mfranz@aon.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
tty/vt/keyboard: use memdup_user to simplify code 2016-02-07T07:27:46+00:00 Saurabh Sengar saurabh.truth@gmail.com 2015-10-28T06:26:44+00:00 1051937d465665e3360ea7d9a3d2adfd86f47dd4 use memdup_user rather than duplicating implementation. found by coccinelle Signed-off-by: Saurabh Sengar <saurabh.truth@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
use memdup_user rather than duplicating implementation.
found by coccinelle

Signed-off-by: Saurabh Sengar <saurabh.truth@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Merge 4.5-rc2 into tty-next 2016-02-01T20:53:14+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2016-02-01T20:53:14+00:00 6e9131cc43a672003a75483d9b9db5c51015ae5f We want the tty/serial fixes in here as well to make merges easier. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
We want the tty/serial fixes in here as well to make merges easier.

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Merge tag 'staging-4.5-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging 2016-02-01T01:00:27+00:00 Linus Torvalds torvalds@linux-foundation.org 2016-02-01T01:00:27+00:00 8c4e378e426d1b065a1e8d9f45b8bcc4905d3410 Pull staging fixes from Greg KH: "Here are some small staging driver fixes for 4.5-rc2. One of them predated 4.4-final, but I missed that merge window due to the holliday. The others fix reported issues that have come up recently. The tty change is needed for the speakup driver fix and has the ack of the tty driver maintainer as well, i.e. myself :) All have been in linux-next with no reported issues" * tag 'staging-4.5-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: Staging: speakup: fix read scrolled-back VT Staging: speakup: Fix getting port information Revert "Staging: panel: usleep_range is preferred over udelay" iio: adis_buffer: Fix out-of-bounds memory access 
Pull staging fixes from Greg KH:
 "Here are some small staging driver fixes for 4.5-rc2.

  One of them predated 4.4-final, but I missed that merge window due to
  the holliday.  The others fix reported issues that have come up
  recently.  The tty change is needed for the speakup driver fix and has
  the ack of the tty driver maintainer as well, i.e.  myself :)

  All have been in linux-next with no reported issues"

* tag 'staging-4.5-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
  Staging: speakup: fix read scrolled-back VT
  Staging: speakup: Fix getting port information
  Revert "Staging: panel: usleep_range is preferred over udelay"
  iio: adis_buffer: Fix out-of-bounds memory access
Staging: speakup: fix read scrolled-back VT 2016-01-29T06:55:40+00:00 Samuel Thibault samuel.thibault@ens-lyon.org 2016-01-25T00:32:08+00:00 88867e3d0b7eea256c1cd432b0a3c7a21e8edf07 Previously, speakup would always read the non-scrolled part of the VT, even when the VT is scrolled back with shift-page. This patch makes vt.c export screen_pos so that speakup can use it to properly access the content of the scrolled-back VT. This was tested with both vgacon and fbcon. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Alan Cox <alan@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Previously, speakup would always read the non-scrolled part of the VT,
even when the VT is scrolled back with shift-page.  This patch makes
vt.c export screen_pos so that speakup can use it to properly access
the content of the scrolled-back VT.

This was tested with both vgacon and fbcon.

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Reviewed-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
tty: Prepare for destroying line discipline on hangup 2016-01-27T23:01:44+00:00 Peter Hurley peter@hurleysoftware.com 2016-01-11T06:41:01+00:00 e55afd11a48354c810caf6b6ad4c103016a88230 tty file_operations (read/write/ioctl) wait for the ldisc reference indefinitely (until ldisc lifetime events, such as hangup or TIOCSETD, finish). Since hangup now destroys the ldisc and does not instance another copy, file_operations must now be prepared to receive a NULL ldisc reference from tty_ldisc_ref_wait(): CPU 0 CPU 1 ----- ----- (*f_op->read)() => tty_read() __tty_hangup() ... f_op = &hung_up_tty_fops; ... tty_ldisc_hangup() tty_ldisc_lock() tty_ldisc_kill() tty->ldisc = NULL tty_ldisc_unlock() ld = tty_ldisc_ref_wait() /* ld == NULL */ Instead, the action taken now is to return the same value as if the tty had been hungup a moment earlier: CPU 0 CPU 1 ----- ----- __tty_hangup() ... f_op = &hung_up_tty_fops; (*f_op->read)() => hung_up_tty_read() return 0; ... tty_ldisc_hangup() tty_ldisc_lock() tty_ldisc_kill() tty->ldisc = NULL tty_ldisc_unlock() Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
tty file_operations (read/write/ioctl) wait for the ldisc reference
indefinitely (until ldisc lifetime events, such as hangup or TIOCSETD,
finish). Since hangup now destroys the ldisc and does not instance
another copy, file_operations must now be prepared to receive a NULL
ldisc reference from tty_ldisc_ref_wait():

CPU 0                                   CPU 1
-----                                   -----
(*f_op->read)() => tty_read()
                                        __tty_hangup()
                                        ...
                                        f_op = &hung_up_tty_fops;
                                        ...
                                        tty_ldisc_hangup()
                                           tty_ldisc_lock()
                                           tty_ldisc_kill()
                                              tty->ldisc = NULL
                                           tty_ldisc_unlock()
ld = tty_ldisc_ref_wait()
/* ld == NULL */

Instead, the action taken now is to return the same value as if the
tty had been hungup a moment earlier:

CPU 0                                   CPU 1
-----                                   -----
                                        __tty_hangup()
                                        ...
                                        f_op = &hung_up_tty_fops;
(*f_op->read)() => hung_up_tty_read()
return 0;
                                        ...
                                        tty_ldisc_hangup()
                                           tty_ldisc_lock()
                                           tty_ldisc_kill()
                                              tty->ldisc = NULL
                                           tty_ldisc_unlock()

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
vt: Deinline save_screen, save 238 bytes 2015-12-14T03:59:48+00:00 Denys Vlasenko dvlasenk@redhat.com 2015-10-27T17:46:47+00:00 c0f160a7355380e9b7f9c5cbb1a0f9eecf6ec601 This function compiles to 79 bytes of machine code. Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com> CC: Jiri Slaby <jslaby@suse.com> CC: linux-serial@vger.kernel.org Reviewed-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
This function compiles to 79 bytes of machine code.

Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
CC: Jiri Slaby <jslaby@suse.com>
CC: linux-serial@vger.kernel.org
Reviewed-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>