aboutsummaryrefslogtreecommitdiff
path: root/drivers/tty/vt
AgeCommit message (Collapse)Author
2020-09-27vt_ioctl: make VT_RESIZEX behave like VT_RESIZETetsuo Handa
syzbot is reporting UAF/OOB read at bit_putcs()/soft_cursor() [1][2], for vt_resizex() from ioctl(VT_RESIZEX) allows setting font height larger than actual font height calculated by con_font_set() from ioctl(PIO_FONT). Since fbcon_set_font() from con_font_set() allocates minimal amount of memory based on actual font height calculated by con_font_set(), use of vt_resizex() can cause UAF/OOB read for font data. VT_RESIZEX was introduced in Linux 1.3.3, but it is unclear that what comes to the "+ more" part, and I couldn't find a user of VT_RESIZEX. #define VT_RESIZE 0x5609 /* set kernel's idea of screensize */ #define VT_RESIZEX 0x560A /* set kernel's idea of screensize + more */ So far we are not aware of syzbot reports caused by setting non-zero value to v_vlin parameter. But given that it is possible that nobody is using VT_RESIZEX, we can try removing support for v_clin and v_vlin parameters. Therefore, this patch effectively makes VT_RESIZEX behave like VT_RESIZE, with emitting a message if somebody is still using v_clin and/or v_vlin parameters. [1] https://syzkaller.appspot.com/bug?id=32577e96d88447ded2d3b76d71254fb855245837 [2] https://syzkaller.appspot.com/bug?id=6b8355d27b2b94fb5cedf4655e3a59162d9e48e3 Reported-by: syzbot <syzbot+b308f5fd049fbbc6e74f@syzkaller.appspotmail.com> Reported-by: syzbot <syzbot+16469b5e8e5a72e9131e@syzkaller.appspotmail.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Cc: stable <stable@vger.kernel.org> Link: https://lore.kernel.org/r/4933b81b-9b1a-355b-df0e-9b31e8280ab9@i-love.sakura.ne.jp Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-31Merge 5.9-rc3 into tty-nextGreg Kroah-Hartman
We need the tty/serial fixes in here as well. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-26Merge tag 'tty-5.9-rc3' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty Pull tty/serial fixes from Greg KH: "Here are a few small TTY/Serial/vt fixes for 5.9-rc3 Included in here are: - qcom serial fixes - vt ioctl and core bugfixes - pl011 serial driver fixes - 8250 serial driver fixes - other misc serial driver fixes and for good measure: - fbcon fix for syzbot found problem. All of these have been in linux-next for a while with no reported issues" * tag 'tty-5.9-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: tty: serial: imx: add dependence and build for earlycon serial: samsung: Removes the IRQ not found warning serial: 8250: change lock order in serial8250_do_startup() serial: stm32: avoid kernel warning on absence of optional IRQ serial: pl011: Fix oops on -EPROBE_DEFER serial: pl011: Don't leak amba_ports entry on driver register error serial: 8250_exar: Fix number of ports for Commtech PCIe cards tty: serial: qcom_geni_serial: Drop __init from qcom_geni_console_setup serial: qcom_geni_serial: Fix recent kdb hang vt_ioctl: change VT_RESIZEX ioctl to check for error return from vc_resize() fbcon: prevent user font height or width change from causing potential out-of-bounds access vt: defer kfree() of vc_screenbuf in vc_do_resize()
2020-08-24Revert "vc_screen: extract vcs_read_buf_header"Jiri Slaby
This reverts commit b1c32fcfadf5593ab7a63261cc8a5747c36e627e, because Syzkaller reports a use-after-free, a write in vcs_read: BUG: KASAN: use-after-free in vcs_read_buf drivers/tty/vt/vc_screen.c:357 [inline] BUG: KASAN: use-after-free in vcs_read+0xaa7/0xb40 drivers/tty/vt/vc_screen.c:449 Write of size 2 at addr ffff8880a8014000 by task syz-executor.5/16936 CPU: 1 PID: 16936 Comm: syz-executor.5 Not tainted 5.9.0-rc1-next-20200820-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: ... kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 vcs_read_buf drivers/tty/vt/vc_screen.c:357 [inline] vcs_read+0xaa7/0xb40 drivers/tty/vt/vc_screen.c:449 There are two issues with the patch: 1) vcs_read rounds the 'count' *up* to an even number. So if we read odd bytes from the header (3 bytes in the reproducer), the second byte of a (2-byte/ushort) write to temporary con_buf won't fit. It is because with the patch applied, we only subtract the real number read (3 bytes) and not the whole header (4 bytes). 2) in this scenario, we perform unaligned accesses now: there are 2-byte/ushort writes to odd addresses. Due to the same reason as above. Revert this for now, re-think and retry later. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Reported-by: syzbot+ad1f53726c3bd11180cb@syzkaller.appspotmail.com Fixes: b1c32fcfadf5 ("vc_screen: extract vcs_read_buf_header") Cc: akpm@linux-foundation.org Cc: nico@fluxnic.net Link: https://lore.kernel.org/r/20200824095425.4376-1-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-23treewide: Use fallthrough pseudo-keywordGustavo A. R. Silva
Replace the existing /* fall through */ comments and its variants with the new pseudo-keyword macro fallthrough[1]. Also, remove unnecessary fall-through markings when it is the case. [1] https://www.kernel.org/doc/html/v5.7/process/deprecated.html?highlight=fallthrough#implicit-switch-case-fall-through Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
2020-08-18tty: vt, fix kernel-docJiri Slaby
As in the previous patches, fix kernel-doc in vt. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200818085655.12071-6-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-18vc_screen: prune macrosJiri Slaby
Do not undefine random words. I guess this was here as there were macros with such generic names somewhere. I very doubt they still exist. So drop these. And remove a spare blank line. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200818085706.12163-16-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-18vc_screen: extract vcs_read_buf_headerJiri Slaby
The attribute header handling is terrible in vcs_read_buf. Separate it to a new function and simply do memmove (of up to 4 bytes) to the start of the con_buf -- if user seeked. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200818085706.12163-15-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-18vc_screen: extract vcs_read_bufJiri Slaby
And finally, move the attributes buffer handling to a separate function. Leaving vcs_read quite compact. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200818085706.12163-14-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-18vc_screen: extract vcs_read_buf_noattrJiri Slaby
Now, move the code for no-attributes handling to a separate function. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200818085706.12163-13-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-18vc_screen: extract vcs_read_buf_uniJiri Slaby
The same as making write more readable, extract unicode handling from vcs_read. The other two cases (w/ and w/o attributes) will follow. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200818085706.12163-12-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-18vs_screen: kill tmp_count from vcs_readJiri Slaby
Both tmp_count computations and the single use can be eliminated using min(). Do so. Side note: we need HEADER_SIZE to be unsigned for min() not to complain. Fix that too as all its other uses do not mind. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200818085706.12163-11-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-18vc_screen: sanitize types in vcs_readJiri Slaby
* pos is derived from the passed ppos, so make it long enough, i.e. loff_t * attr and uni_mode are booleans, so... * size is limited by vcs_size() which returns an int * read, p, orig_count and this_round are always ">= 0" and "< size", so uint is enough * row, col, and max_col are derived from vc->vc_cols (uint) and p, so make them uint too * tmp_count is derived from this_round, so make it an uint too. * use u16 * for org (instead of unsigned short *). No need to initialize org too. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200818085706.12163-10-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-18vc_screen: eliminate ifdefs from vcs_write_bufJiri Slaby
Introduce a new inline function called vc_compile_le16 and do the shifts and ORs there. Depending on LE x BE. I tried cpu_to_le16, but it ends up with worse assembly on BE for whatever reason -- the compiler seems to be unable to optimize the swap. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200818085706.12163-9-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-18vc_screen: extract vcs_write_bufJiri Slaby
This is the counterpart of the previous patch: here, we extract buffer writing with attributes from vcs_write. Now, there is no need for org to be initialized to NULL. The org0 check before update_region() confuses compilers, so check org instead. It provides the same semantics. And it also eliminates the need for initialization of org0. We switch the branches of the attr 'if' too, as the inversion brings only confusion now. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200818085706.12163-8-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-18vc_screen: extract vcs_write_buf_noattrJiri Slaby
vcs_write is too long to be readable. Extract buffer handling w/o attributes from there to a separate function. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200818085706.12163-7-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-18vc_screen: sanitize types in vcs_writeJiri Slaby
* ret can carry error codes, so make it signed, i.e. ssize_t * pos is derived from the passed ppos, so make it long enough, i.e. loff_t * attr is a boolean, so... * size is limited by vcs_size() which returns an int * written, p, orig_count and this_round are always ">= 0" and "< size", so uint is enough * col and max_col are derived from vc->vc_cols (uint) and p, so make them uint too * place con_buf0 and con_buf declaration to a single line Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200818085706.12163-6-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-18vc_screen: rewrite vcs_size to accept vc, not inodeJiri Slaby
It is weird to fetch the information from the inode over and over. Read and write already have the needed information, so rewrite vcs_size to accept a vc, attr and unicode and adapt vcs_lseek to that. Also make sure all sites check the return value of vcs_size for errors. And document it using kernel-doc. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200818085706.12163-5-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-18vc_screen: document and cleanup vcs_vcJiri Slaby
Document parameters of vcs_vc and make viewed a bool. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200818085706.12163-4-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-18vc: propagate "viewed as bool" from screenpos upJiri Slaby
viewed is used as a flag, i.e. bool. So treat is as such in most of the places. vcs_vc is handled in the next patch. Note: the last parameter of invert_screen was misnamed in the declaration since 1.1.92. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200818085706.12163-3-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-18vt: declare xy for get/putconsxy properlyJiri Slaby
That is: 1) call the parameter 'xy' to denote what it really is, not generic 'p' 2) tell the compiler and users that we expect an array: * with at least 2 chars (static 2) * which we don't modify in putconsxy (const) Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200818085706.12163-2-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-18vt: make vc_data pointers const in selection.hJiri Slaby
There are many functions declared in selection.h which only read from struct vc_data passed as a parameter. Make all those uses const to hint the compiler a bit. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200818085706.12163-1-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-18vt_ioctl: change VT_RESIZEX ioctl to check for error return from vc_resize()George Kennedy
vc_resize() can return with an error after failure. Change VT_RESIZEX ioctl to save struct vc_data values that are modified and restore the original values in case of error. Signed-off-by: George Kennedy <george.kennedy@oracle.com> Cc: stable <stable@vger.kernel.org> Reported-by: syzbot+38a3699c7eaf165b97a6@syzkaller.appspotmail.com Link: https://lore.kernel.org/r/1596213192-6635-2-git-send-email-george.kennedy@oracle.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-18vt: defer kfree() of vc_screenbuf in vc_do_resize()Tetsuo Handa
syzbot is reporting UAF bug in set_origin() from vc_do_resize() [1], for vc_do_resize() calls kfree(vc->vc_screenbuf) before calling set_origin(). Unfortunately, in set_origin(), vc->vc_sw->con_set_origin() might access vc->vc_pos when scroll is involved in order to manipulate cursor, but vc->vc_pos refers already released vc->vc_screenbuf until vc->vc_pos gets updated based on the result of vc->vc_sw->con_set_origin(). Preserving old buffer and tolerating outdated vc members until set_origin() completes would be easier than preventing vc->vc_sw->con_set_origin() from accessing outdated vc members. [1] https://syzkaller.appspot.com/bug?id=6649da2081e2ebdc65c0642c214b27fe91099db3 Reported-by: syzbot <syzbot+9116ecc1978ca3a12f43@syzkaller.appspotmail.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Cc: stable <stable@vger.kernel.org> Link: https://lore.kernel.org/r/1596034621-4714-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-06Merge tag 'tty-5.9-rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty Pull tty/serial updates from Greg KH: "Here is the large set of TTY and Serial driver patches for 5.9-rc1. Lots of bugfixes in here, thanks to syzbot fuzzing for serial and vt and console code. Other highlights include: - much needed vt/vc code cleanup from Jiri Slaby - 8250 driver fixes and additions - various serial driver updates and feature enhancements - locking cleanup for serial/console initializations - other minor cleanups All of these have been in linux-next with no reported issues" * tag 'tty-5.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: (90 commits) MAINTAINERS: enlist Greg formally for console stuff vgacon: Fix for missing check in scrollback handling Revert "serial: 8250: Let serial core initialise spin lock" serial: 8250: Let serial core initialise spin lock tty: keyboard, do not speculate on func_table index serial: stm32: Add RS485 RTS GPIO control serial: 8250_dw: Fix common clocks usage race condition serial: 8250_dw: Pass the same rate to the clk round and set rate methods serial: 8250_dw: Simplify the ref clock rate setting procedure serial: 8250: Add 8250 port clock update method tty: serial: imx: add imx earlycon driver tty: serial: imx: enable imx serial console port as module tty/synclink: remove leftover bits of non-PCI card support tty: Use the preferred form for passing the size of a structure type tty: Fix identation issues in struct serial_struct32 tty: Avoid the use of one-element arrays serial: msm_serial: add sparse context annotation serial: pmac_zilog: add sparse context annotation newport_con: vc_color is now in state serial: imx: use hrtimers for rs485 delays ...
2020-08-04Merge tag 'tasklets-v5.9-rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull tasklets API update from Kees Cook: "These are the infrastructure updates needed to support converting the tasklet API to something more modern (and hopefully for removal further down the road). There is a 300-patch series waiting in the wings to get set out to subsystem maintainers, but these changes need to be present in the kernel first. Since this has some treewide changes, I carried this series for -next instead of paining Thomas with it in -tip, but it's got his Ack. This is similar to the timer_struct modernization from a while back, but not nearly as messy (I hope). :) - Prepare for tasklet API modernization (Romain Perier, Allen Pais, Kees Cook)" * tag 'tasklets-v5.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: tasklet: Introduce new initialization API treewide: Replace DECLARE_TASKLET() with DECLARE_TASKLET_OLD() usb: gadget: udc: Avoid tasklet passing a global
2020-07-31tty: keyboard, do not speculate on func_table indexJiri Slaby
It is very unlikely for processor to speculate on the func_table index. The index is uchar and func_table is of size 256. So the compiler would need to screw up and generate a really bad code. But to stay on the safe side, forbid speculation on this user passed index. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Cc: Jiri Kosina <jikos@kernel.org> Link: https://lore.kernel.org/r/20200730105546.24268-1-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-07-30treewide: Replace DECLARE_TASKLET() with DECLARE_TASKLET_OLD()Kees Cook
This converts all the existing DECLARE_TASKLET() (and ...DISABLED) macros with DECLARE_TASKLET_OLD() in preparation for refactoring the tasklet callback type. All existing DECLARE_TASKLET() users had a "0" data argument, it has been removed here as well. Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Acked-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Kees Cook <keescook@chromium.org>
2020-07-27Merge 5.8-rc7 into tty-nextGreg Kroah-Hartman
we need the tty/serial fixes in here as well. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-07-21tty: vt: Replace HTTP links with HTTPS onesAlexander A. Klimov
Rationale: Reduces attack surface on kernel devs opening the links for MITM as HTTPS traffic is much harder to manipulate. Deterministic algorithm: For each file: If not .svg: For each line: If doesn't contain `\bxmlns\b`: For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`: If neither `\bgnu\.org/license`, nor `\bmozilla\.org/MPL\b`: If both the HTTP and HTTPS versions return 200 OK and serve the same content: Replace HTTP with HTTPS. Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de> Link: https://lore.kernel.org/r/20200718133452.24290-1-grandmaster@al2klimov.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-07-21vt: Reject zero-sized screen buffer size.Tetsuo Handa
syzbot is reporting general protection fault in do_con_write() [1] caused by vc->vc_screenbuf == ZERO_SIZE_PTR caused by vc->vc_screenbuf_size == 0 caused by vc->vc_cols == vc->vc_rows == vc->vc_size_row == 0 caused by fb_set_var() from ioctl(FBIOPUT_VSCREENINFO) on /dev/fb0 , for gotoxy(vc, 0, 0) from reset_terminal() from vc_init() from vc_allocate() from con_install() from tty_init_dev() from tty_open() on such console causes vc->vc_pos == 0x10000000e due to ((unsigned long) ZERO_SIZE_PTR) + -1U * 0 + (-1U << 1). I don't think that a console with 0 column or 0 row makes sense. And it seems that vc_do_resize() does not intend to allow resizing a console to 0 column or 0 row due to new_cols = (cols ? cols : vc->vc_cols); new_rows = (lines ? lines : vc->vc_rows); exception. Theoretically, cols and rows can be any range as long as 0 < cols * rows * 2 <= KMALLOC_MAX_SIZE is satisfied (e.g. cols == 1048576 && rows == 2 is possible) because of vc->vc_size_row = vc->vc_cols << 1; vc->vc_screenbuf_size = vc->vc_rows * vc->vc_size_row; in visual_init() and kzalloc(vc->vc_screenbuf_size) in vc_allocate(). Since we can detect cols == 0 or rows == 0 via screenbuf_size = 0 in visual_init(), we can reject kzalloc(0). Then, vc_allocate() will return an error, and con_write() will not be called on a console with 0 column or 0 row. We need to make sure that integer overflow in visual_init() won't happen. Since vc_do_resize() restricts cols <= 32767 and rows <= 32767, applying 1 <= cols <= 32767 and 1 <= rows <= 32767 restrictions to vc_allocate() will be practically fine. This patch does not touch con_init(), for returning -EINVAL there does not help when we are not returning -ENOMEM. [1] https://syzkaller.appspot.com/bug?extid=017265e8553724e514e8 Reported-and-tested-by: syzbot <syzbot+017265e8553724e514e8@syzkaller.appspotmail.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Cc: stable <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20200712111013.11881-1-penguin-kernel@I-love.SAKURA.ne.jp Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-07-01tty/vt: Do not warn when huge selection requestedAlexey Kardashevskiy
The tty TIOCL_SETSEL ioctl allocates a memory buffer big enough for text selection area. The maximum allowed console size is VC_RESIZE_MAXCOL * VC_RESIZE_MAXROW == 32767*32767 == ~1GB and typical MAX_ORDER is set to allow allocations lot less than than (circa 16MB). So it is quite possible to trigger huge allocation (and syzkaller just did that) which is going to fail (which is fine) with a backtrace in mm/page_alloc.c at WARN_ON_ONCE(!(gfp_mask & __GFP_NOWARN)) and this may trigger panic (if panic_on_warn is enabled) and leak kernel addresses to dmesg. This passes __GFP_NOWARN to kmalloc_array to avoid unnecessary user- triggered WARN_ON. Note that the error is not ignored and the warning is still printed. Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru> Link: https://lore.kernel.org/r/20200617070444.116704-1-aik@ozlabs.ru Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-24tty/vt: check allocation size in con_set_unimap()Denis Efremov
The vmemdup_user() function has no 2-factor argument form. Use array_size() to check for the overflow. Signed-off-by: Denis Efremov <efremov@linux.com> Reviewed-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20200603102804.2110817-1-efremov@linux.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-24vt_ioctl: move perm checks level upJiri Slaby
Synchronize with others and check perm directly in vt_k_ioctl. We do not need to pass perm to do_fontx_ioctl and do_unimap_ioctl then. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200615074910.19267-38-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-24vt_ioctl: move vt_kdsetmode out of vt_k_ioctlJiri Slaby
It's too long to be inlined. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200615074910.19267-37-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-24vt_ioctl: move vt_io_fontreset out of vt_io_ioctlJiri Slaby
This also eliminates the ifdeffery by using if and __is_defined. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200615074910.19267-36-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-24vt_ioctl: move vt_resizex out of vt_ioctlJiri Slaby
It's too long to be inlined. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200615074910.19267-35-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-24vt_ioctl: move vt_reldisp out of vt_ioctlJiri Slaby
It's too long to be inlined. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200615074910.19267-34-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-24vt_ioctl: move vt_setactivate out of vt_ioctlJiri Slaby
It's too long to be inlined. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200615074910.19267-33-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-24vt_ioctl: move io ioctls to a separate functionJiri Slaby
We create a new vt_io_ioctl here and move there all the IO ioctls. This makes vt_ioctl significantly smaller. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200615074910.19267-32-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-24vt_ioctl: move K* ioctls to a separate functionJiri Slaby
We create a new vt_k_ioctl here and move there all the K* ioctls. This makes vt_ioctl significantly smaller. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200615074910.19267-31-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-24vt_ioctl: eliminate use of uival and ucvalJiri Slaby
They were used for the first parameter of put_user. But put_user accepts constants in the parameter and also determines the type only by the second parameter. So we can safely drop these helpers and simplify the code a bit. Including the removal of set_int label. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200615074910.19267-30-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-24vt_ioctl: eliminate ret & breaks in vt_ioctlJiri Slaby
This is still a leftover from BKL, when we locked it around vt_ioctl's code. We can return instead of breaks in the switch loop. And we can return in case of errors too. This allows for sifting of the code to the left in some cases. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200615074910.19267-29-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-24vt: simplify noncolor attributes in build_attrJiri Slaby
All the attributes are bools, so do a simple shift instead of tests and constants as bool is either 0 or 1. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200615074910.19267-28-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-24vt: remove superfluous parens in invert_screen and build_attrJiri Slaby
There were too many parentheses in invert_screen, remove them and align the code in invert_screen a bit. No functional change intended. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200615074910.19267-27-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-24vt: use newly defined CUR_* macrosJiri Slaby
We defined macros for all the magic constants in the previous patch. So let us use the macro in the code now. No functional change intended. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Cc: Thomas Winischhofer <thomas@winischhofer.net> Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> Cc: "James E.J. Bottomley" <James.Bottomley@HansenPartnership.com> Cc: Helge Deller <deller@gmx.de> Cc: linux-usb@vger.kernel.org Cc: dri-devel@lists.freedesktop.org Cc: linux-fbdev@vger.kernel.org Cc: linux-parisc@vger.kernel.org Acked-by: Helge Deller <deller@gmx.de> Link: https://lore.kernel.org/r/20200615074910.19267-26-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-24vt: redefine world of cursor macrosJiri Slaby
The cursor code used to use magic constants, ANDs, ORs, and some macros. Redefine all this to make some sense. In particular: * Drop CUR_DEFAULT, which is CUR_UNDERLINE. CUR_DEFAULT was used only for cur_default variable initialization, so use CUR_UNDERLINE there to make obvious what's the default. * Drop CUR_HWMASK. Instead, define CUR_SIZE() which explains it more. And use it all over the places. * Define few more masks and bits which will be used in next patches instead of magic constants. * Define CUR_MAKE to build up cursor value. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> Cc: dri-devel@lists.freedesktop.org Cc: linux-fbdev@vger.kernel.org Link: https://lore.kernel.org/r/20200615074910.19267-25-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-24vt: whitespace and paren cleanup in add_softcursorJiri Slaby
Format add_softcursor according to CodingStyle. Until now, it was a mess of letters. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200615074910.19267-24-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-24vt: synchronize types and use min in csi_XJiri Slaby
All the types are unsinged ints -- even the vpar passed to the function. So unify them and use min() to compute count instead of explicit comparison. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200615074910.19267-23-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-24vt: make tc write more obvious in vc_con_write_normalJiri Slaby
Nested ternary operators spread over 4 lines are really evil for reading. Turn the outer one to proper 'if'. Now, we see, there is a common path, so the code can be simplified. This way, the code is understandable now. Checked using symbolic execution (klee), that the old and new behaviors are the same. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200615074910.19267-22-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>