summaryrefslogtreecommitdiffstats
path: root/drivers/tty/vt
Commit message (Collapse)AuthorAgeFilesLines
* vt/fbcon: deinitialize resources in visual_init() after failed memory allocationGrzegorz Halat2019-05-241-2/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | After memory allocation failure vc_allocate() doesn't clean up data which has been initialized in visual_init(). In case of fbcon this leads to divide-by-0 in fbcon_init() on next open of the same tty. memory allocation in vc_allocate() may fail here: 1097: vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_KERNEL); on next open() fbcon_init() skips vc_font.data initialization: 1088: if (!p->fontdata) { division by zero in fbcon_init() happens here: 1149: new_cols /= vc->vc_font.width; Additional check is needed in fbcon_deinit() to prevent usage of uninitialized vc_screenbuf: 1251: if (vc->vc_hi_font_mask && vc->vc_screenbuf) 1252: set_vc_hi_font(vc, false); Crash: #6 [ffffc90001eafa60] divide_error at ffffffff81a00be4 [exception RIP: fbcon_init+463] RIP: ffffffff814b860f RSP: ffffc90001eafb18 RFLAGS: 00010246 ... #7 [ffffc90001eafb60] visual_init at ffffffff8154c36e #8 [ffffc90001eafb80] vc_allocate at ffffffff8154f53c #9 [ffffc90001eafbc8] con_install at ffffffff8154f624 ... Signed-off-by: Grzegorz Halat <ghalat@redhat.com> Reviewed-by: Oleksandr Natalenko <oleksandr@redhat.com> Acked-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* Merge tag 'tty-5.2-rc1' of ↵Linus Torvalds2019-05-088-14/+37
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty Pull tty/serial updates from Greg KH: "Here is the "big" set of tty/serial driver patches for 5.2-rc1. It's really pretty small, not much happening in this portion of the kernel at the moment. When the "highlight" is the movement of the documentation from .txt to .rst files, it's a good merge window. There's a number of small fixes and updates over the various serial drivers, and a new "tty null" driver for those embedded systems that like to make things even smaller and not break things. All of these have been in linux-next for a while with no reported issues" * tag 'tty-5.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: (45 commits) tty: serial: add driver for the SiFive UART dt-bindings: serial: add documentation for the SiFive UART driver serial: uartps: Add support for cts-override dt-bindings: xilinx-uartps: Add support for cts-override serial: milbeaut_usio: Fix error handling in probe and remove tty: rocket: deprecate the rp_ioctl tty: rocket: Remove RCPK_GET_STRUCT ioctl tty: update obsolete termios comment tty: serial_core: fix error code returned by uart_register_driver() serial: 8250-mtk: modify baudrate setting serial: 8250-mtk: add follow control docs: serial: convert docs to ReST and rename to *.rst serial: 8250_exar: Adjust IOT2000 matching TTY: serial_core, add ->install serial: Fix using plain integer instead of Null pointer tty:serial_core: Spelling mistake tty: Add NULL TTY driver tty: vt: keyboard: Allow Unicode compose base char Revert "tty: fix NULL pointer issue when tty_port ops is not set" serial: Add Milbeaut serial control ...
| * Merge 5.1-rc6 into tty-nextGreg Kroah-Hartman2019-04-211-1/+2
| |\ | | | | | | | | | | | | | | | We want the serial/tty fixes in here as well. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | tty: vt: keyboard: Allow Unicode compose base charReinis Danne2019-04-161-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Pass Unicode character to k_unicode handler function to honor possible accent_table definition. With introduction of KDSKBDIACRUC ioctl, it has been possible to set compose characters (diacr, base and result) to any Unicode character (below 0xf000 code point) as defined in struct kbdiacruc. But it does not work with characters beyond Latin-1 as base, because they are printed early and not passed to any of the handler functions, thus breaking compose and dead keys. It affects keyboard layouts defining such characters on level 1 and relying on dead keys to access level 3 (e.g., lv-modern with some modifications for extra characters on level 3 for ē, ā and ī keys). Signed-off-by: Reinis Danne <rei4dan@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | tty/vt: avoid high order pages allocation on GIO_UNIMAP ioctlKonstantin Khorenko2019-04-161-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | GIO_UNIMAP can easily result in a high order allocation, seen 6th order allocation on radeondrmfb: fbcon: radeondrmfb (fb0) is primary device Console: switching to colour frame buffer device 160x64 radeon 0000:01:05.0: fb0: radeondrmfb frame buffer device WARNING: CPU: 0 PID: 78661 at mm/page_alloc.c:3532 __alloc_pages_nodemask+0x1b1/0x600 order 6 >= 3, gfp 0x40d0 The warning is generated by a debug patch. At the same time it's safe to use kvmalloc() for allocation in con_get_unimap(), so let's do the substitution. And do the same for con_set_unimap(). Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | tty: fix up a few remaining files without SPDX identifiersGreg Kroah-Hartman2019-04-044-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There were a few straggling files under drivers/tty/ that did not have any SPDX identifier either because they entered the tree recently, or they somehow missed the mass-tagging of commit b24413180f56 ("License cleanup: add SPDX GPL-2.0 license identifier to files with no license") This commit follows the same rule as b24413180f56 ("License cleanup: add SPDX GPL-2.0 license identifier to files with no license") where files without any specified license in them fall under GPL-2.0 as the correct license for the individual file. Add that identifier to these remaining files so that we don't have to guess at the license of them in the future. Cc: Jiri Slaby <jslaby@suse.com> Cc: "David S. Miller" <davem@davemloft.net> Reviewed-by: Mukesh Ojha <mojha@codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | vt: use /dev/vcs (not /dev/vcs0) in commentJakub Wilk2019-03-271-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Both /dev/vcs and /dev/vcs0 were in use in the past, but these days /dev/vcs0 is mostly historical curiosity. * "/dev/vcs" is the name that has always been in the Linux allocated devices list. * "vcs" is the device name in sysfs since Linux v2.6.12. * MAKEDEV(1) in Debian used to create /dev/vcs0 only, but /dev/vcs was added in 1999: https://bugs.debian.org/45698 * MAKEDEV(1) in RedHat switched from /dev/vcs0 to /dev/vcs in 2000: * Fri Oct 20 2000 Nalin Dahyabhai <nalin@redhat.com> - change vcs0 to vcs (ditto for vcsa0) Signed-off-by: Jakub Wilk <jwilk@jwilk.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | tty: vt.c: Fix TIOCL_BLANKSCREEN console blanking if blankinterval == 0Yifeng Li2019-03-271-2/+0Star
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, in the userspace, it was possible to use the "setterm" command from util-linux to blank the VT console by default, using the following command. According to the man page, > The force option keeps the screen blank even if a key is pressed. It was implemented by calling TIOCL_BLANKSCREEN. case BLANKSCREEN: ioctlarg = TIOCL_BLANKSCREEN; if (ioctl(STDIN_FILENO, TIOCLINUX, &ioctlarg)) warn(_("cannot force blank")); break; However, after Linux 4.12, this command ceased to work anymore, which is unexpected. By inspecting the kernel source, it shows that the issue was triggered by the side-effect from commit a4199f5eb809 ("tty: Disable default console blanking interval"). The console blanking is implemented by function do_blank_screen() in vt.c: "blank_state" will be initialized to "blank_normal_wait" in con_init() if AND ONLY IF ("blankinterval" > 0). If "blankinterval" is 0, "blank_state" will be "blank_off" (== 0), and a call to do_blank_screen() will always abort, even if a forced blanking is required from the user by calling TIOCL_BLANKSCREEN, the console won't be blanked. This behavior is unexpected from a user's point-of-view, since it's not mentioned in any documentation. The setterm man page suggests it will always work, and the kernel comments in uapi/linux/tiocl.h says > /* keep screen blank even if a key is pressed */ > #define TIOCL_BLANKSCREEN 14 To fix it, we simply remove the "blank_state != blank_off" check, as pointed out by Nicolas Pitre, this check doesn't logically make sense and it's safe to remove. Suggested-by: Nicolas Pitre <nicolas.pitre@linaro.org> Fixes: a4199f5eb809 ("tty: Disable default console blanking interval") Signed-off-by: Yifeng Li <tomli@tomli.me> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | tty/vt: fix write/write race in ioctl(KDSKBSENT) handlerSergei Trofimovich2019-03-271-6/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The bug manifests as an attempt to access deallocated memory: BUG: unable to handle kernel paging request at ffff9c8735448000 #PF error: [PROT] [WRITE] PGD 288a05067 P4D 288a05067 PUD 288a07067 PMD 7f60c2063 PTE 80000007f5448161 Oops: 0003 [#1] PREEMPT SMP CPU: 6 PID: 388 Comm: loadkeys Tainted: G C 5.0.0-rc6-00153-g5ded5871030e #91 Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77M-D3H, BIOS F12 11/14/2013 RIP: 0010:__memmove+0x81/0x1a0 Code: 4c 89 4f 10 4c 89 47 18 48 8d 7f 20 73 d4 48 83 c2 20 e9 a2 00 00 00 66 90 48 89 d1 4c 8b 5c 16 f8 4c 8d 54 17 f8 48 c1 e9 03 <f3> 48 a5 4d 89 1a e9 0c 01 00 00 0f 1f 40 00 48 89 d1 4c 8b 1e 49 RSP: 0018:ffffa1b9002d7d08 EFLAGS: 00010203 RAX: ffff9c873541af43 RBX: ffff9c873541af43 RCX: 00000c6f105cd6bf RDX: 0000637882e986b6 RSI: ffff9c8735447ffb RDI: ffff9c8735447ffb RBP: ffff9c8739cd3800 R08: ffff9c873b802f00 R09: 00000000fffff73b R10: ffffffffb82b35f1 R11: 00505b1b004d5b1b R12: 0000000000000000 R13: ffff9c873541af3d R14: 000000000000000b R15: 000000000000000c FS: 00007f450c390580(0000) GS:ffff9c873f180000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff9c8735448000 CR3: 00000007e213c002 CR4: 00000000000606e0 Call Trace: vt_do_kdgkb_ioctl+0x34d/0x440 vt_ioctl+0xba3/0x1190 ? __bpf_prog_run32+0x39/0x60 ? mem_cgroup_commit_charge+0x7b/0x4e0 tty_ioctl+0x23f/0x920 ? preempt_count_sub+0x98/0xe0 ? __seccomp_filter+0x67/0x600 do_vfs_ioctl+0xa2/0x6a0 ? syscall_trace_enter+0x192/0x2d0 ksys_ioctl+0x3a/0x70 __x64_sys_ioctl+0x16/0x20 do_syscall_64+0x54/0xe0 entry_SYSCALL_64_after_hwframe+0x49/0xbe The bug manifests on systemd systems with multiple vtcon devices: # cat /sys/devices/virtual/vtconsole/vtcon0/name (S) dummy device # cat /sys/devices/virtual/vtconsole/vtcon1/name (M) frame buffer device There systemd runs 'loadkeys' tool in tapallel for each vtcon instance. This causes two parallel ioctl(KDSKBSENT) calls to race into adding the same entry into 'func_table' array at: drivers/tty/vt/keyboard.c:vt_do_kdgkb_ioctl() The function has no locking around writes to 'func_table'. The simplest reproducer is to have initrams with the following init on a 8-CPU machine x86_64: #!/bin/sh loadkeys -q windowkeys ru4 & loadkeys -q windowkeys ru4 & loadkeys -q windowkeys ru4 & loadkeys -q windowkeys ru4 & loadkeys -q windowkeys ru4 & loadkeys -q windowkeys ru4 & loadkeys -q windowkeys ru4 & loadkeys -q windowkeys ru4 & wait The change adds lock on write path only. Reads are still racy. CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org> CC: Jiri Slaby <jslaby@suse.com> Link: https://lkml.org/lkml/2019/2/17/256 Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | | Merge 5.1-rc6 into staging-nextGreg Kroah-Hartman2019-04-211-1/+2
|\ \ \ | | |/ | |/| | | | | | | | | | | | | We want the fixes in here as well as this resolves an iio driver merge issue. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | vt: fix cursor when clearing the screenMikulas Patocka2019-04-171-1/+2
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The patch a6dbe4427559 ("vt: perform safe console erase in the right order") introduced a bug. The conditional do_update_region() was replaced by a call to update_region() that does contain the conditional already, but with unwanted extra side effects such as restoring the cursor drawing. In order to reproduce the bug: - use framebuffer console with the AMDGPU driver - type "links" to start the console www browser - press 'q' and space to exit links Now the cursor will be permanently visible in the center of the screen. It will stay there until something overwrites it. The bug goes away if we change update_region() back to the conditional do_update_region(). [ nico: reworded changelog ] Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> Reviewed-by: Nicolas Pitre <nico@fluxnic.net> Cc: stable@vger.kernel.org Fixes: a6dbe4427559 ("vt: perform safe console erase in the right order") Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* / vt: selection: allow functions to be called from inside kernelOkash Khawaja2019-04-192-19/+34
|/ | | | | | | | | | | | | | | | | | This patch breaks set_selection() into two functions so that when called from kernel, copy_from_user() can be avoided. The two functions are called set_selection_user() and set_selection_kernel() in order to be explicit about their purposes. This also means updating any references to set_selection() and fixing for name change. It also exports set_selection_kernel() and paste_selection(). These changes are used the following patch where speakup's selection functionality calls into the above functions, thereby doing away with parallel implementation. Signed-off-by: Okash Khawaja <okash.khawaja@gmail.com> Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Tested-by: Gregory Nowak <greg@gregn.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* vt: perform safe console erase in the right orderNicolas Pitre2019-02-121-8/+7Star
| | | | | | | | | | | | | | | | | Commit 4b4ecd9cb853 ("vt: Perform safe console erase only once") removed what appeared to be an extra call to scr_memsetw(). This missed the fact that set_origin() must be called before clearing the screen otherwise old screen content gets restored on the screen when using vgacon. Let's fix that by moving all the scrollback handling to flush_scrollback() where it logically belongs, and invoking it before the actual screen clearing in csi_J(), making the code simpler in the end. Reported-by: Matthew Whitehead <tedheadster@gmail.com> Signed-off-by: Nicolas Pitre <nico@linaro.org> Tested-by: Matthew Whitehead <tedheadster@gmail.com> Fixes: 4b4ecd9cb853 ("vt: Perform safe console erase only once") Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* Merge 5.0-rc4 into tty-nextGreg Kroah-Hartman2019-01-281-33/+17Star
|\ | | | | | | | | | | We need the tty and serial fixes in here as well. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * vt: invoke notifier on screen size changeNicolas Pitre2019-01-181-0/+1
| | | | | | | | | | | | | | | | | | User space using poll() on /dev/vcs devices are not awaken when a screen size change occurs. Let's fix that. Signed-off-by: Nicolas Pitre <nico@linaro.org> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * vt: always call notifier with the console lock heldNicolas Pitre2019-01-181-1/+1
| | | | | | | | | | | | | | | | | | Every invocation of notify_write() and notify_update() is performed under the console lock, except for one case. Let's fix that. Signed-off-by: Nicolas Pitre <nico@linaro.org> Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * vt: make vt_console_print() compatible with the unicode screen bufferNicolas Pitre2019-01-181-32/+15Star
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When kernel messages are printed to the console, they appear blank on the unicode screen. This is because vt_console_print() is lacking a call to vc_uniscr_putc(). However the later function assumes vc->vc_x is always up to date when called, which is not the case here as vt_console_print() uses it to mark the beginning of the display update. This patch reworks (and simplifies) vt_console_print() so that vc->vc_x is always valid and keeps the start of display update in a local variable instead, which finally allows for adding the missing vc_uniscr_putc() call. Signed-off-by: Nicolas Pitre <nico@linaro.org> Cc: stable@vger.kernel.org # v4.19+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | vt: ignore sequences that contain ':' in parameters.Martin Hostettler2019-01-181-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | csi sequences can contain subparameters delimited by ':' characters. For now just ignore the whole sequence in this case. Such sequences are used by more capable terminal implementations with T.416 high color modes or extended underline rendition attributes. Also ignore sequences with private use characters '?', '>', '=' and '>' that are not at the initial position. Signed-off-by: Martin Hostettler <textshell@uchuujin.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | vt: ignore csi sequences with intermediate characters.Martin Hostettler2019-01-181-1/+10
| | | | | | | | | | | | | | | | | | | | | | | | Various csi sequences contain intermediate characters between the parameters and the final character. Introduce a additional state that cleanly ignores these sequences. This allows the vt to ignore these sequences used by more capable terminal implementations such as "request mode", etc. Signed-off-by: Martin Hostettler <textshell@uchuujin.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | vt: Implement parsing for >, =, < private sequences.Martin Hostettler2019-01-181-4/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Private sequences can start with '>', '=' and (in theory) '<'. Implement correct parsing for these. The newly parsable sequences are cleanly ignored as it is customary with terminal emulators. This allows the vt to ignore various sequences used by more capable terminal implementations such as "Secondary Device Attributes", "Tertiary Device Attributes" and various advanced configuration commands that don't have dedicated terminfo entries. Signed-off-by: Martin Hostettler <textshell@uchuujin.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | vt: refactor vc_ques to allow of other private sequences.Martin Hostettler2019-01-181-9/+11
| | | | | | | | | | | | | | | | | | | | The vc_ques keeps track if a csi sequence is a private DEC control function beginning with '?'. Nowadays some private control functions begin with '>' and '='. Switch the code to instead use a new 3-bit vc_priv that allows for all private use parameter prefixes. Signed-off-by: Martin Hostettler <textshell@uchuujin.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | vt: annotate implicit fall throughsMathieu Malaterre2019-01-181-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | There is a plan to build the kernel with -Wimplicit-fallthrough and these places in the code produced warnings (W=1). Fix them up. This commit remove the following warning: drivers/tty/vt/vt.c:2112:6: warning: this statement may fall through [-Wimplicit-fallthrough=] drivers/tty/vt/vt.c:2237:6: warning: this statement may fall through [-Wimplicit-fallthrough=] Signed-off-by: Mathieu Malaterre <malat@debian.org> Acked-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | vcs: restore and document initial POLLPRI eventNicolas Pitre2019-01-181-0/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Restore and document the forced initial POLLPRI event reporting when poll() is used for the first time. This used to be the implemented behavior before recent changes. Because of the way poll() is implemented, this prevents losing an event happening between the last read() and the first poll() invocation. Since poll() for /dev/vcs* was not always supported, user space probes for its availability as follows: int fd = open("/dev/vcsa", O_RDONLY); struct pollfd p = { .fd = fd, .events = POLLPRI }; available = (poll(&p, 1, 0) == 1); Semantically, it makes sense to signal the first event as such even if it might be spurious. The screen could be modified, and modified back to its initial state before we get to read it, so users must be prepared for that anyway. Signed-off-by: Nicolas Pitre <nico@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | vcs: fasync(): make it consistent with poll()Nicolas Pitre2019-01-181-3/+12
| | | | | | | | | | | | | | | | | | | | | | | | We use POLLPRI not POLLIN to wait for data with poll() as there is never any incoming data stream per se. Let's use the same semantic with fasync() for consistency, including the fact that a vt may go away. No known user space ever relied on the SIGIO reason so far, let alone FASYNC, so the risk of breakage is pretty much nonexistent. Signed-off-by: Nicolas Pitre <nico@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | vcs: poll(): cope with a deallocated vtNicolas Pitre2019-01-181-6/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When VT_DISALLOCATE is used on a vt, user space waiting with poll() on the corresponding /dev/vcs device is not awakened. This is now fixed by returning POLLHUP|POLLERR to user space. Also, in the normal screen update case, we don't set POLLERR anymore as POLLPRI alone is a much more logical response in a non-error situation, saving some confusion on the user space side. The only known user app making use of poll() on /dev/vcs* is BRLTTY which is known to cope with that change already, so the risk of breakage is pretty much nonexistent. Signed-off-by: Nicolas Pitre <nico@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | vcsa: clamp header values when they don't fitNicolas Pitre2019-01-182-4/+6
|/ | | | | | | | | | | The /dev/vcsa* devices have a fixed char-sized header that stores the screen geometry and cursor location. Let's make sure it doesn't contain random garbage when those values exceed 255. If ever it becomes necessary to convey larger screen info to user space then a larger header in the not-yet-implemented /dev/vcsua* devices should be considered. Signed-off-by: Nicolas Pitre <nico@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* Merge tag 'tty-4.20-rc2' of ↵Linus Torvalds2018-11-101-1/+1
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty Pull tty/serial fixes from Greg KH: "Here are some small tty fixes for 4.20-rc2 One of these missed the original 4.19-final release, I missed that I hadn't done a pull request for it as it was in linux-next and my branch for a long time, that's my fault. The others are small, fixing some reported issues and finally fixing the termios mess for alpha so that glibc has a chance to implement some missing functionality that has been pending for many years now. All of these have been in linux-next with no reported issues" * tag 'tty-4.20-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: serial: sh-sci: Fix could not remove dev_attr_rx_fifo_timeout arch/alpha, termios: implement BOTHER, IBSHIFT and termios2 termios, tty/tty_baudrate.c: fix buffer overrun vt: fix broken display when running aptitude serial: sh-sci: Fix receive on SCIFA/SCIFB variants with DMA
| * vt: fix broken display when running aptitudeMikulas Patocka2018-11-081-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | If you run aptitude on framebuffer console, the display is corrupted. The corruption is caused by the commit d8ae7242. The patch adds "offset" to "start" when calling scr_memsetw, but it forgets to do the same addition on a subsequent call to do_update_region. Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> Fixes: d8ae72427187 ("vt: preserve unicode values corresponding to screen characters") Reviewed-by: Nicolas Pitre <nico@linaro.org> Cc: stable@vger.kernel.org # 4.19 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | Merge tag 'drm-next-2018-10-24' of git://anongit.freedesktop.org/drm/drmLinus Torvalds2018-10-291-8/+4Star
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Pull drm updates from Dave Airlie: "This is going to rebuild more than drm as it adds a new helper to list.h for doing bulk updates. Seemed like a reasonable addition to me. Otherwise the usual merge window stuff lots of i915 and amdgpu, not so much nouveau, and piles of everything else. Core: - Adds a new list.h helper for doing bulk list updates for TTM. - Don't leak fb address in smem_start to userspace (comes with EXPORT workaround for people using mali out of tree hacks) - udmabuf device to turn memfd regions into dma-buf - Per-plane blend mode property - ref/unref replacements with get/put - fbdev conflicting framebuffers code cleaned up - host-endian format variants - panel orientation quirk for Acer One 10 bridge: - TI SN65DSI86 chip support vkms: - GEM support. - Cursor support amdgpu: - Merge amdkfd and amdgpu into one module - CEC over DP AUX support - Picasso APU support + VCN dynamic powergating - Raven2 APU support - Vega20 enablement + kfd support - ACP powergating improvements - ABGR/XBGR display support - VCN jpeg support - xGMI support - DC i2c/aux cleanup - Ycbcr 4:2:0 support - GPUVM improvements - Powerplay and powerplay endian fixes - Display underflow fixes vmwgfx: - Move vmwgfx specific TTM code to vmwgfx - Split out vmwgfx buffer/resource validation code - Atomic operation rework bochs: - use more helpers - format/byteorder improvements qxl: - use more helpers i915: - GGTT coherency getparam - Turn off resource streamer API - More Icelake enablement + DMC firmware - Full PPGTT for Ivybridge, Haswell and Valleyview - DDB distribution based on resolution - Limited range DP display support nouveau: - CEC over DP AUX support - Initial HDMI 2.0 support virtio-gpu: - vmap support for PRIME objects tegra: - Initial Tegra194 support - DMA/IOMMU integration fixes msm: - a6xx perf improvements + clock prefix - GPU preemption optimisations - a6xx devfreq support - cursor support rockchip: - PX30 support - rgb output interface support mediatek: - HDMI output support on mt2701 and mt7623 rcar-du: - Interlaced modes on Gen3 - LVDS on R8A77980 - D3 and E3 SoC support hisilicon: - misc fixes mxsfb: - runtime pm support sun4i: - R40 TCON support - Allwinner A64 support - R40 HDMI support omapdrm: - Driver rework changing display pipeline ordering to use common code - DMM memory barrier and irq fixes - Errata workarounds exynos: - out-bridge support for LVDS bridge driver - Samsung 16x16 tiled format support - Plane alpha and pixel blend mode support tilcdc: - suspend/resume update mali-dp: - misc updates" * tag 'drm-next-2018-10-24' of git://anongit.freedesktop.org/drm/drm: (1382 commits) firmware/dmc/icl: Add missing MODULE_FIRMWARE() for Icelake. drm/i915/icl: Fix signal_levels drm/i915/icl: Fix DDI/TC port clk_off bits drm/i915/icl: create function to identify combophy port drm/i915/gen9+: Fix initial readout for Y tiled framebuffers drm/i915: Large page offsets for pread/pwrite drm/i915/selftests: Disable shrinker across mmap-exhaustion drm/i915/dp: Link train Fallback on eDP only if fallback link BW can fit panel's native mode drm/i915: Fix intel_dp_mst_best_encoder() drm/i915: Skip vcpi allocation for MSTB ports that are gone drm/i915: Don't unset intel_connector->mst_port drm/i915: Only reset seqno if actually idle drm/i915: Use the correct crtc when sanitizing plane mapping drm/i915: Restore vblank interrupts earlier drm/i915: Check fb stride against plane max stride drm/amdgpu/vcn:Fix uninitialized symbol error drm: panel-orientation-quirks: Add quirk for Acer One 10 (S1003) drm/amd/amdgpu: Fix debugfs error handling drm/amdgpu: Update gc_9_0 golden settings. drm/amd/powerplay: update PPtable with DC BTC and Tvr SocLimit fields ...
| * | BackMerge v4.19-rc6 into drm-nextDave Airlie2018-10-041-0/+4
| |\| | | | | | | | | | | | | | | | I have some pulls based on rc6, and I prefer to have an explicit backmerge. Signed-off-by: Dave Airlie <airlied@redhat.com>
| * | vt: Remove vc_panic_force_writeDaniel Vetter2018-09-111-8/+4Star
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It was only used by the panic support in fbcon, which is now gone. Remove this now dead code too. Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Kees Cook <keescook@chromium.org> Cc: Joe Perches <joe@perches.com> Cc: Daniel Vetter <daniel.vetter@ffwll.ch> Cc: Meng Xu <mengxu.gatech@gmail.com> Cc: Nicolas Pitre <nicolas.pitre@linaro.org> Cc: Thomas Meyer <thomas@m3y3r.de> Cc: Mike Frysinger <vapier@chromium.org> Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> Cc: Hans de Goede <hdegoede@redhat.com> Cc: Thierry Reding <treding@nvidia.com> Cc: David Lechner <david@lechnology.com> Cc: Philippe Ombredanne <pombredanne@nexb.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Kate Stewart <kstewart@linuxfoundation.org> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20180822085405.10787-2-daniel.vetter@ffwll.ch
* | | Merge branch 'work.tty-ioctl' of ↵Linus Torvalds2018-10-241-22/+9Star
|\ \ \ | |_|/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull tty ioctl updates from Al Viro: "This is the compat_ioctl work related to tty ioctls. Quite a bit of dead code taken out, all tty-related stuff gone from fs/compat_ioctl.c. A bunch of compat bugs fixed - some still remain, but all more or less generic tty-related ioctls should be covered (remaining issues are in things like driver-private ioctls in a pcmcia serial card driver not getting properly handled in 32bit processes on 64bit host, etc)" * 'work.tty-ioctl' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (53 commits) kill TIOCSERGSTRUCT change semantics of ldisc ->compat_ioctl() kill TIOCSER[SG]WILD synclink_gt(): fix compat_ioctl() pty: fix compat ioctls compat_ioctl - kill keyboard ioctl handling gigaset: add ->compat_ioctl() vt_compat_ioctl(): clean up, use compat_ptr() properly gigaset: don't try to printk userland buffer contents dgnc: don't bother with (empty) stub for TCXONC dgnc: leave TIOC[GS]SOFTCAR to ldisc remove fallback to drivers for TIOCGICOUNT dgnc: break-related ioctls won't reach ->ioctl() kill the rest of tty COMPAT_IOCTL() entries dgnc: TIOCM... won't reach ->ioctl() isdn_tty: TCSBRK{,P} won't reach ->ioctl() kill capinc_tty_ioctl() take compat TIOC[SG]SERIAL treatment into tty_compat_ioctl() synclink: reduce pointless checks in ->ioctl() complete ->[sg]et_serial() switchover ...
| * | vt_compat_ioctl(): clean up, use compat_ptr() properlyAl Viro2018-10-131-22/+9Star
| |/ | | | | | | | | | | we need it for "convert the structure" cases too Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* / tty: vt_ioctl: fix potential Spectre v1Gustavo A. R. Silva2018-09-181-0/+4
|/ | | | | | | | | | | | | | | | | | | | | | | vsa.console is indirectly controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: drivers/tty/vt/vt_ioctl.c:711 vt_ioctl() warn: potential spectre issue 'vc_cons' [r] Fix this by sanitizing vsa.console before using it to index vc_cons Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Cc: stable@vger.kernel.org Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Reviewed-by: Alan Cox <alan@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* Merge tag 'tty-4.19-rc1' of ↵Linus Torvalds2018-08-184-45/+490
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty Pull tty/serial driver updates from Greg KH: "Here is the big tty and serial driver pull request for 4.19-rc1. It's not all that big, just a number of small serial driver updates and fixes, along with some better vt handling for unicode characters for those using braille terminals. All of these patches have been in linux-next for a long time with no reported issues" * tag 'tty-4.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: (73 commits) tty: serial: 8250: Revert NXP SC16C2552 workaround serial: 8250_exar: Read INT0 from slave device, too tty: rocket: Fix possible buffer overwrite on register_PCI serial: 8250_dw: Add ACPI support for uart on Broadcom SoC serial: 8250_dw: always set baud rate in dw8250_set_termios dt-bindings: serial: Add binding for uartlite tty: serial: uartlite: Add support for suspend and resume tty: serial: uartlite: Add clock adaptation tty: serial: uartlite: Add structure for private data serial: sh-sci: Improve support for separate TEI and DRI interrupts serial: sh-sci: Remove SCIx_RZ_SCIFA_REGTYPE serial: sh-sci: Allow for compressed SCIF address serial: sh-sci: Improve interrupts description serial: 8250: Use cached port name directly in messages serial: 8250_exar: Drop unused variable in pci_xr17v35x_setup() vt: drop unused struct vt_struct vt: avoid a VLA in the unicode screen scroll function vt: add /dev/vcsu* to devices.txt vt: coherence validation code for the unicode screen buffer vt: selection: take screen contents from uniscr if available ...
| * vt: avoid a VLA in the unicode screen scroll functionNicolas Pitre2018-07-211-13/+23
| | | | | | | | | | | | | | | | | | | | | | | | The nr argument is typically small: most often nr == 1. However this could be abused with a very large explicit scroll in a resized screen. Make the code scroll lines by performing an array rotation operation to avoid the need for a large temporary space. Requested-by: Kees Cook <keescook@chromium.org> Suggested-by: Adam Borowski <kilobyte@angband.pl> Signed-off-by: Nicolas Pitre <nico@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * vt: coherence validation code for the unicode screen bufferNicolas Pitre2018-07-211-0/+39
| | | | | | | | | | | | | | | | Make sure the unicode screen buffer matches the video screen content. This is provided for debugging convenience and disabled by default. Signed-off-by: Nicolas Pitre <nico@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * vt: selection: take screen contents from uniscr if availableAdam Borowski2018-07-212-4/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | This preserves whatever was written even if we can't currently display the given glyph. Mouse paste won't corrupt any character of wcwidth() == 1 anymore. Note that for now uniscr doesn't get allocated until something reads /dev/vcsuN for that console, making this code dormant for most users. Signed-off-by: Adam Borowski <kilobyte@angband.pl> Acked-by: Nicolas Pitre <nico@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * vt: selection: handle storing of characters above U+FFFFAdam Borowski2018-07-211-5/+18
| | | | | | | | | | | | | | | | Those above U+10FFFF get replaced with U+FFFD. Signed-off-by: Adam Borowski <kilobyte@angband.pl> Acked-by: Nicolas Pitre <nico@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * vt: don't reinvent min()Adam Borowski2018-07-211-10/+4Star
| | | | | | | | | | | | | | | | All the helper function saved us was a cast. Signed-off-by: Adam Borowski <kilobyte@angband.pl> Acked-by: Nicolas Pitre <nico@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * kbd: complete dead keys definitionsSamuel Thibault2018-07-071-1/+29
| | | | | | | | | | | | | | | | | | | | This completes dead keys definitions for internationalization completeness on the console. The representatives have been chosen coherently with libx11 compose sequences, which avoid symetry conflicts (e.g. there is U with caron, but no c with breve). Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * Merge 4.18-rc3 into tty-nextGreg Kroah-Hartman2018-07-021-2/+2
| |\ | | | | | | | | | | | | | | | We want ths tty core changes in here as well. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | vt: unicode fallback for scrollbackNicolas Pitre2018-06-282-3/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There is currently no provision for scrollback content in the core code, leaving that to backend video drivers where this can be highly optimized. There is currently no common method for those drivers to tell the core what part of the scrollback is actually displayed and what size the scrollback buffer is either. Because of that, the unicode screen buffer has no provision for any scrollback. At least we can provide backtranslated glyph values when the scrollback is active which should be plenty good enough for now. Signed-off-by: Nicolas Pitre <nico@linaro.org> Tested-by: Dave Mielke <Dave@mielke.cc> Acked-by: Adam Borowski <kilobyte@angband.pl> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | vt: introduce unicode mode for /dev/vcsNicolas Pitre2018-06-282-14/+136
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Now that the core vt code knows how to preserve unicode values for each displayed character, it is then possible to let user space access it via /dev/vcs*. Unicode characters are presented as 32 bit values in native endianity via the /dev/vcsu* devices, mimicking the simple /dev/vcs* devices. Unicode with attributes (similarly to /dev/vcsa*) is not supported at the moment. Data is available only as long as the console is in UTF-8 mode. ENODATA is returned otherwise. This was tested with the latest development version (to become version 5.7) of BRLTTY. Amongst other things, this allows ⠋⠕⠗ ⠞⠓⠊⠎ ⠃⠗⠁⠊⠇⠇⠑⠀⠞⠑⠭⠞⠀to appear directly on braille displays regardless of the console font being used. Signed-off-by: Nicolas Pitre <nico@linaro.org> Tested-by: Dave Mielke <Dave@mielke.cc> Acked-by: Adam Borowski <kilobyte@angband.pl> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | vt: preserve unicode values corresponding to screen charactersNicolas Pitre2018-06-281-11/+209
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The vt code translates UTF-8 strings into glyph index values and stores those glyph values directly in the screen buffer. Because there can only be at most 512 glyphs, it is impossible to represent most unicode characters, in which case a default glyph (often '?') is displayed instead. The original unicode value is then lost. This patch implements the basic screen buffer handling to preserve unicode values alongside corresponding display glyphs. It is not activated by default, meaning that people not relying on that functionality won't get the implied overhead. Signed-off-by: Nicolas Pitre <nico@linaro.org> Tested-by: Dave Mielke <Dave@mielke.cc> Acked-by: Adam Borowski <kilobyte@angband.pl> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | | Merge tag 'leds-for-4.19-rc1' of ↵Linus Torvalds2018-08-141-1/+3
|\ \ \ | |_|/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds Pull LED updates from Jacek Anaszewski: "LED triggers improvements make the biggest part of this pull request. The most striking ones, that allowed for nice cleanups in the triggers are: - centralized handling of creation and removal of trigger sysfs attributes via attribute group - addition of module_led_trigger() helper The other things that need to be mentioned: New features and improvements to existing LED class drivers: - lt3593: add DT support, switch to gpiod interface - lm3692x: support LED sync configuration, change OF calls to fwnode calls - apu: modify PC Engines apu/apu2 driver to support apu3 Change in the drivers/net/can/led.c: - mark led trigger as broken since it's in the way for the further cleanups. It implements a subset of the netdev trigger and an Ack is needed from someone who can actually test and confirm that the netdev trigger works for can devices" * tag 'leds-for-4.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds: (32 commits) leds: ns2: Change unsigned to unsigned int usb: simplify usbport trigger leds: gpio trigger: simplifications from core changes leds: backlight trigger: simplifications from core changes leds: activity trigger: simplifications from core changes leds: default-on trigger: make use of module_led_trigger() leds: heartbeat trigger: simplifications from core changes leds: oneshot trigger: simplifications from core changes leds: transient trigger: simplifications from core changes leds: timer trigger: simplifications from core changes leds: netdev trigger: simplifications from core changes leds: triggers: new function led_set_trigger_data() leds: triggers: define module_led_trigger helper leds: triggers: handle .trigger_data and .activated() in the core leds: triggers: add device attribute support leds: triggers: let struct led_trigger::activate() return an error code leds: triggers: make the MODULE_LICENSE string match the actual license leds: lm3692x: Support LED sync configuration dt: bindings: lm3692x: Update binding for LED sync control leds: lm3692x: Change DT calls to fwnode calls ...
| * | leds: triggers: let struct led_trigger::activate() return an error codeUwe Kleine-König2018-07-051-1/+3
| |/ | | | | | | | | | | | | | | | | | | | | | | | | Given that activating a trigger can fail, let the callback return an indication. This prevents to have a trigger active according to the "trigger" sysfs attribute but not functional. All users are changed accordingly to return 0 for now. There is no intended change in behaviour. Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de> Acked-by: Pavel Machek <pavel@ucw.cz> Signed-off-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
* / vt: prevent leaking uninitialized data to userspace via /dev/vcs*Alexander Potapenko2018-06-281-2/+2
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | KMSAN reported an infoleak when reading from /dev/vcs*: BUG: KMSAN: kernel-infoleak in vcs_read+0x18ba/0x1cc0 Call Trace: ... kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253 copy_to_user ./include/linux/uaccess.h:184 vcs_read+0x18ba/0x1cc0 drivers/tty/vt/vc_screen.c:352 __vfs_read+0x1b2/0x9d0 fs/read_write.c:416 vfs_read+0x36c/0x6b0 fs/read_write.c:452 ... Uninit was created at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315 __kmalloc+0x13a/0x350 mm/slub.c:3818 kmalloc ./include/linux/slab.h:517 vc_allocate+0x438/0x800 drivers/tty/vt/vt.c:787 con_install+0x8c/0x640 drivers/tty/vt/vt.c:2880 tty_driver_install_tty drivers/tty/tty_io.c:1224 tty_init_dev+0x1b5/0x1020 drivers/tty/tty_io.c:1324 tty_open_by_driver drivers/tty/tty_io.c:1959 tty_open+0x17b4/0x2ed0 drivers/tty/tty_io.c:2007 chrdev_open+0xc25/0xd90 fs/char_dev.c:417 do_dentry_open+0xccc/0x1440 fs/open.c:794 vfs_open+0x1b6/0x2f0 fs/open.c:908 ... Bytes 0-79 of 240 are uninitialized Consistently allocating |vc_screenbuf| with kzalloc() fixes the problem Reported-by: syzbot+17a8efdf800000@syzkaller.appspotmail.com Signed-off-by: Alexander Potapenko <glider@google.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* treewide: kmalloc() -> kmalloc_array()Kees Cook2018-06-133-6/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The kmalloc() function has a 2-factor argument form, kmalloc_array(). This patch replaces cases of: kmalloc(a * b, gfp) with: kmalloc_array(a * b, gfp) as well as handling cases of: kmalloc(a * b * c, gfp) with: kmalloc(array3_size(a, b, c), gfp) as it's slightly less ugly than: kmalloc_array(array_size(a, b), c, gfp) This does, however, attempt to ignore constant size factors like: kmalloc(4 * 1024, gfp) though any constants defined via macros get caught up in the conversion. Any factors with a sizeof() of "unsigned char", "char", and "u8" were dropped, since they're redundant. The tools/ directory was manually excluded, since it has its own implementation of kmalloc(). The Coccinelle script used for this was: // Fix redundant parens around sizeof(). @@ type TYPE; expression THING, E; @@ ( kmalloc( - (sizeof(TYPE)) * E + sizeof(TYPE) * E , ...) | kmalloc( - (sizeof(THING)) * E + sizeof(THING) * E , ...) ) // Drop single-byte sizes and redundant parens. @@ expression COUNT; typedef u8; typedef __u8; @@ ( kmalloc( - sizeof(u8) * (COUNT) + COUNT , ...) | kmalloc( - sizeof(__u8) * (COUNT) + COUNT , ...) | kmalloc( - sizeof(char) * (COUNT) + COUNT , ...) | kmalloc( - sizeof(unsigned char) * (COUNT) + COUNT , ...) | kmalloc( - sizeof(u8) * COUNT + COUNT , ...) | kmalloc( - sizeof(__u8) * COUNT + COUNT , ...) | kmalloc( - sizeof(char) * COUNT + COUNT , ...) | kmalloc( - sizeof(unsigned char) * COUNT + COUNT , ...) ) // 2-factor product with sizeof(type/expression) and identifier or constant. @@ type TYPE; expression THING; identifier COUNT_ID; constant COUNT_CONST; @@ ( - kmalloc + kmalloc_array ( - sizeof(TYPE) * (COUNT_ID) + COUNT_ID, sizeof(TYPE) , ...) | - kmalloc + kmalloc_array ( - sizeof(TYPE) * COUNT_ID + COUNT_ID, sizeof(TYPE) , ...) | - kmalloc + kmalloc_array ( - sizeof(TYPE) * (COUNT_CONST) + COUNT_CONST, sizeof(TYPE) , ...) | - kmalloc + kmalloc_array ( - sizeof(TYPE) * COUNT_CONST + COUNT_CONST, sizeof(TYPE) , ...) | - kmalloc + kmalloc_array ( - sizeof(THING) * (COUNT_ID) + COUNT_ID, sizeof(THING) , ...) | - kmalloc + kmalloc_array ( - sizeof(THING) * COUNT_ID + COUNT_ID, sizeof(THING) , ...) | - kmalloc + kmalloc_array ( - sizeof(THING) * (COUNT_CONST) + COUNT_CONST, sizeof(THING) , ...) | - kmalloc + kmalloc_array ( - sizeof(THING) * COUNT_CONST + COUNT_CONST, sizeof(THING) , ...) ) // 2-factor product, only identifiers. @@ identifier SIZE, COUNT; @@ - kmalloc + kmalloc_array ( - SIZE * COUNT + COUNT, SIZE , ...) // 3-factor product with 1 sizeof(type) or sizeof(expression), with // redundant parens removed. @@ expression THING; identifier STRIDE, COUNT; type TYPE; @@ ( kmalloc( - sizeof(TYPE) * (COUNT) * (STRIDE) + array3_size(COUNT, STRIDE, sizeof(TYPE)) , ...) | kmalloc( - sizeof(TYPE) * (COUNT) * STRIDE + array3_size(COUNT, STRIDE, sizeof(TYPE)) , ...) | kmalloc( - sizeof(TYPE) * COUNT * (STRIDE) + array3_size(COUNT, STRIDE, sizeof(TYPE)) , ...) | kmalloc( - sizeof(TYPE) * COUNT * STRIDE + array3_size(COUNT, STRIDE, sizeof(TYPE)) , ...) | kmalloc( - sizeof(THING) * (COUNT) * (STRIDE) + array3_size(COUNT, STRIDE, sizeof(THING)) , ...) | kmalloc( - sizeof(THING) * (COUNT) * STRIDE + array3_size(COUNT, STRIDE, sizeof(THING)) , ...) | kmalloc( - sizeof(THING) * COUNT * (STRIDE) + array3_size(COUNT, STRIDE, sizeof(THING)) , ...) | kmalloc( - sizeof(THING) * COUNT * STRIDE + array3_size(COUNT, STRIDE, sizeof(THING)) , ...) ) // 3-factor product with 2 sizeof(variable), with redundant parens removed. @@ expression THING1, THING2; identifier COUNT; type TYPE1, TYPE2; @@ ( kmalloc( - sizeof(TYPE1) * sizeof(TYPE2) * COUNT + array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2)) , ...) | kmalloc( - sizeof(TYPE1) * sizeof(THING2) * (COUNT) + array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2)) , ...) | kmalloc( - sizeof(THING1) * sizeof(THING2) * COUNT + array3_size(COUNT, sizeof(THING1), sizeof(THING2)) , ...) | kmalloc( - sizeof(THING1) * sizeof(THING2) * (COUNT) + array3_size(COUNT, sizeof(THING1), sizeof(THING2)) , ...) | kmalloc( - sizeof(TYPE1) * sizeof(THING2) * COUNT + array3_size(COUNT, sizeof(TYPE1), sizeof(THING2)) , ...) | kmalloc( - sizeof(TYPE1) * sizeof(THING2) * (COUNT) + array3_size(COUNT, sizeof(TYPE1), sizeof(THING2)) , ...) ) // 3-factor product, only identifiers, with redundant parens removed. @@ identifier STRIDE, SIZE, COUNT; @@ ( kmalloc( - (COUNT) * STRIDE * SIZE + array3_size(COUNT, STRIDE, SIZE) , ...) | kmalloc( - COUNT * (STRIDE) * SIZE + array3_size(COUNT, STRIDE, SIZE) , ...) | kmalloc( - COUNT * STRIDE * (SIZE) + array3_size(COUNT, STRIDE, SIZE) , ...) | kmalloc( - (COUNT) * (STRIDE) * SIZE + array3_size(COUNT, STRIDE, SIZE) , ...) | kmalloc( - COUNT * (STRIDE) * (SIZE) + array3_size(COUNT, STRIDE, SIZE) , ...) | kmalloc( - (COUNT) * STRIDE * (SIZE) + array3_size(COUNT, STRIDE, SIZE) , ...) | kmalloc( - (COUNT) * (STRIDE) * (SIZE) + array3_size(COUNT, STRIDE, SIZE) , ...) | kmalloc( - COUNT * STRIDE * SIZE + array3_size(COUNT, STRIDE, SIZE) , ...) ) // Any remaining multi-factor products, first at least 3-factor products, // when they're not all constants... @@ expression E1, E2, E3; constant C1, C2, C3; @@ ( kmalloc(C1 * C2 * C3, ...) | kmalloc( - (E1) * E2 * E3 + array3_size(E1, E2, E3) , ...) | kmalloc( - (E1) * (E2) * E3 + array3_size(E1, E2, E3) , ...) | kmalloc( - (E1) * (E2) * (E3) + array3_size(E1, E2, E3) , ...) | kmalloc( - E1 * E2 * E3 + array3_size(E1, E2, E3) , ...) ) // And then all remaining 2 factors products when they're not all constants, // keeping sizeof() as the second factor argument. @@ expression THING, E1, E2; type TYPE; constant C1, C2, C3; @@ ( kmalloc(sizeof(THING) * C2, ...) | kmalloc(sizeof(TYPE) * C2, ...) | kmalloc(C1 * C2 * C3, ...) | kmalloc(C1 * C2, ...) | - kmalloc + kmalloc_array ( - sizeof(TYPE) * (E2) + E2, sizeof(TYPE) , ...) | - kmalloc + kmalloc_array ( - sizeof(TYPE) * E2 + E2, sizeof(TYPE) , ...) | - kmalloc + kmalloc_array ( - sizeof(THING) * (E2) + E2, sizeof(THING) , ...) | - kmalloc + kmalloc_array ( - sizeof(THING) * E2 + E2, sizeof(THING) , ...) | - kmalloc + kmalloc_array ( - (E1) * E2 + E1, E2 , ...) | - kmalloc + kmalloc_array ( - (E1) * (E2) + E1, E2 , ...) | - kmalloc + kmalloc_array ( - E1 * E2 + E1, E2 , ...) ) Signed-off-by: Kees Cook <keescook@chromium.org>
* vt: Perform safe console erase only onceNicolas Pitre2018-05-251-9/+7Star
| | | | | | | | | | | | Commit f8df13e0a9 ("tty: Clean console safely") added code to clear both the scrollback buffer and the screen with "\e[3J", then execution falls through into the code to simply clear the screen. This means scr_memsetw() and the console driver update callback are called twice on the whole screen buffer. Let's reorganize the code so the same work is not performed twice needlessly. Signed-off-by: Nicolas Pitre <nico@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>