From patchwork Fri Apr 26 14:59:46 2019
X-Patchwork-Submitter: Grzegorz Halat
X-Patchwork-Id: 10919265
From: Grzegorz Halat
To: linux-kernel@vger.kernel.org
Cc: Bartlomiej Zolnierkiewicz, Greg Kroah-Hartman, Jiri Slaby, linux-fbdev@vger.kernel.org, Oleksandr Natalenko, Grzegorz Halat
Subject: [PATCH] vt/fbcon: deinitialize resources in visual_init() after failed memory allocation
Date: Fri, 26 Apr 2019 16:59:46 +0200
Message-Id: <20190426145946.26537-1-ghalat@redhat.com>

After memory allocation failure vc_allocate() doesn't clean up data
which has been initialized in visual_init(). In case of fbcon this
leads to divide-by-0 in fbcon_init() on next open of the same tty.

memory allocation in vc_allocate() may fail here:
1097:     vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_KERNEL);

on next open() fbcon_init() skips vc_font.data initialization:
1088:     if (!p->fontdata) {

division by zero in fbcon_init() happens here:
1149:     new_cols /= vc->vc_font.width;

Additional check is needed in fbcon_deinit() to prevent
usage of uninitialized vc_screenbuf:

1251:     if (vc->vc_hi_font_mask && vc->vc_screenbuf)
1252:         set_vc_hi_font(vc, false);

Crash:

 #6 [ffffc90001eafa60] divide_error at ffffffff81a00be4
    [exception RIP: fbcon_init+463]
    RIP: ffffffff814b860f  RSP: ffffc90001eafb18  RFLAGS: 00010246
...
 #7 [ffffc90001eafb60] visual_init at ffffffff8154c36e
 #8 [ffffc90001eafb80] vc_allocate at ffffffff8154f53c
 #9 [ffffc90001eafbc8] con_install at ffffffff8154f624
...

Signed-off-by: Grzegorz Halat
Acked-by: Bartlomiej Zolnierkiewicz
--- drivers/tty/vt/vt.c | 11 +++++++++-- drivers/video/fbdev/core/fbcon.c | 2 +- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index 650c66886c80..ec85d195678f 100644 --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c
@@ -1056,6 +1056,13 @@ static void visual_init(struct vc_data *vc, int num, int init) vc->vc_screenbuf_size = vc->vc_rows * vc->vc_size_row; } + +static void visual_deinit(struct vc_data *vc) +{ + vc->vc_sw->con_deinit(vc); + module_put(vc->vc_sw->owner); +} + int vc_allocate(unsigned int currcons) /* return 0 on success */ { struct vt_notifier_param param; @@ -1103,6 +1110,7 @@ int vc_allocate(unsigned int currcons) /* return 0 on success */ return 0; err_free: + visual_deinit(vc); kfree(vc); vc_cons[currcons].d = NULL; return -ENOMEM; @@ -1331,9 +1339,8 @@ struct vc_data *vc_deallocate(unsigned int currcons) param.vc = vc = vc_cons[currcons].d; atomic_notifier_call_chain(&vt_notifier_list, VT_DEALLOCATE, ¶m); vcs_remove_sysfs(currcons); - vc->vc_sw->con_deinit(vc); + visual_deinit(vc); put_pid(vc->vt_pid); - module_put(vc->vc_sw->owner); vc_uniscr_set(vc, NULL); kfree(vc->vc_screenbuf); vc_cons[currcons].d = NULL; diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index cd059a801662..c59b23f6e9ba 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -1248,7 +1248,7 @@ static void fbcon_deinit(struct vc_data *vc) if (free_font) vc->vc_font.data = NULL; - if (vc->vc_hi_font_mask) + if (vc->vc_hi_font_mask && vc->vc_screenbuf) set_vc_hi_font(vc, false); if (!con_is_bound(&fb_con))
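Review bot: The new visual_deinit() in drivers/tty/vt/vt.c (first hunk) carries no comment saying that it is the counterpart of visual_init() and that it drops the module reference via module_put(vc->vc_sw->owner). A one-line comment above the helper stating that pairing, and that it must only run on a vc that visual_init() has already set up, would make the two call sites easier to audit.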
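Review bot: On the err_free path of vc_allocate() (second vt.c hunk), visual_deinit(vc) now invokes vc->vc_sw->con_deinit(vc) on a vc whose vc_screenbuf is NULL. The fbcon.c hunk guards fbcon_deinit() for that state, but the call goes to whichever driver vc->vc_sw points at, so the other con_deinit implementations should be checked for vc_screenbuf use. Please also confirm that every goto err_free is reached only after visual_init() has run, since visual_deinit() dereferences vc->vc_sw unconditionally.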
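Review bot: In vc_deallocate() (third vt.c hunk), switching to visual_deinit(vc) moves module_put(vc->vc_sw->owner) ahead of put_pid(vc->vt_pid), where it previously came after. The reordering looks harmless, but the commit message does not mention it; a sentence saying the change in order is intentional would help.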
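Review bot: The added "&& vc->vc_screenbuf" test in fbcon_deinit() (drivers/video/fbdev/core/fbcon.c) has no comment, and without the commit message it reads as a redundant check. Suggest a short comment that vc_screenbuf can be NULL when fbcon_deinit() is reached from the vc_allocate() error path. Note also that skipping set_vc_hi_font(vc, false) leaves vc_hi_font_mask set, which is fine only because err_free goes on to kfree(vc).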