From: Grzegorz Halat
To: linux-kernel@vger.kernel.org
Cc: Bartlomiej Zolnierkiewicz, Greg Kroah-Hartman, Jiri Slaby, linux-fbdev@vger.kernel.org, Oleksandr Natalenko, Grzegorz Halat
Subject: [PATCH] vt/fbcon: deinitialize resources in visual_init() after failed memory allocation
Date: Fri, 26 Apr 2019 16:59:46 +0200
Message-Id: <20190426145946.26537-1-ghalat@redhat.com>

After memory allocation failure vc_allocate() doesn't clean up data
which has been initialized in visual_init(). In case of fbcon this
leads to divide-by-0 in fbcon_init() on next open of the same tty.

memory allocation in vc_allocate() may fail here:
1097:     vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_KERNEL);

on next open() fbcon_init() skips vc_font.data initialization:
1088:     if (!p->fontdata) {

division by zero in fbcon_init() happens here:
1149:     new_cols /= vc->vc_font.width;

Additional check is needed in fbcon_deinit() to prevent
usage of uninitialized vc_screenbuf:

1251:     if (vc->vc_hi_font_mask && vc->vc_screenbuf)
1252:         set_vc_hi_font(vc, false);

Crash:

 #6 [ffffc90001eafa60] divide_error at ffffffff81a00be4
    [exception RIP: fbcon_init+463]
    RIP: ffffffff814b860f  RSP: ffffc90001eafb18  RFLAGS: 00010246
...
 #7 [ffffc90001eafb60] visual_init at ffffffff8154c36e
 #8 [ffffc90001eafb80] vc_allocate at ffffffff8154f53c
 #9 [ffffc90001eafbc8] con_install at ffffffff8154f624
...

Signed-off-by: Grzegorz Halat
---
 drivers/tty/vt/vt.c              | 11 +++++++++--
 drivers/video/fbdev/core/fbcon.c |  2 +-
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index 650c66886c80..ec85d195678f 100644 --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -1056,6 +1056,13 @@ static void visual_init(struct vc_data *vc, int num, int init) vc->vc_screenbuf_size = vc->vc_rows * vc->vc_size_row; } + +static void visual_deinit(struct vc_data *vc) +{ + vc->vc_sw->con_deinit(vc); + module_put(vc->vc_sw->owner); +} + int vc_allocate(unsigned int currcons) /* return 0 on success */ { struct vt_notifier_param param; @@ -1103,6 +1110,7 @@ int vc_allocate(unsigned int currcons) /* return 0 on success */ return 0; err_free: + visual_deinit(vc); kfree(vc); vc_cons[currcons].d = NULL; return -ENOMEM; @@ -1331,9 +1339,8 @@ struct vc_data *vc_deallocate(unsigned int currcons) param.vc = vc = vc_cons[currcons].d; atomic_notifier_call_chain(&vt_notifier_list, VT_DEALLOCATE, ¶m); vcs_remove_sysfs(currcons); - vc->vc_sw->con_deinit(vc); + visual_deinit(vc); put_pid(vc->vt_pid); - module_put(vc->vc_sw->owner); vc_uniscr_set(vc, NULL); kfree(vc->vc_screenbuf); vc_cons[currcons].d = NULL; diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index cd059a801662..c59b23f6e9ba 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -1248,7 +1248,7 @@ static void fbcon_deinit(struct vc_data *vc) if (free_font) vc->vc_font.data = NULL; - if (vc->vc_hi_font_mask) + if (vc->vc_hi_font_mask && vc->vc_screenbuf) set_vc_hi_font(vc, false); if (!con_is_bound(&fb_con)) -- 2.20.1
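
Review bot: visual_deinit(), added in the first vt.c hunk, dereferences vc->vc_sw twice but carries no comment stating its precondition. Since it undoes what visual_init() sets up, a short comment above it saying that it may only be called after visual_init() has run for this vc (so that vc->vc_sw is set and a module reference is held) would make the pairing explicit for later callers.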
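
Review bot: at err_free in vc_allocate(), visual_deinit(vc) now invokes the bound driver's con_deinit() while vc->vc_screenbuf is still NULL, yet only fbcon_deinit() receives a guard for that state in this patch. Please confirm that the other con_deinit() implementations tolerate a vc whose screen buffer was never allocated, or say in the commit message that they were checked. It is also worth confirming that no goto err_free can be reached before visual_init() has run, because visual_deinit() dereferences vc->vc_sw unconditionally.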
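
Review bot: in the vc_deallocate() hunk, folding module_put(vc->vc_sw->owner) into visual_deinit() changes the teardown order: the driver module reference is now dropped before put_pid(vc->vt_pid) instead of after it. If nothing in between depends on the module staying pinned this is harmless, but the commit message should mention the reordering so it reads as intentional rather than as a side effect of the refactor.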
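
Review bot: the new condition in fbcon_deinit(), if (vc->vc_hi_font_mask && vc->vc_screenbuf), has no comment explaining when vc_screenbuf can be NULL at deinit time. A one-line comment pointing at the vc_allocate() error path would keep the check from looking redundant and being removed later. When the buffer is NULL the set_vc_hi_font(vc, false) call is skipped entirely; that is acceptable on the err_free path, where vc is freed immediately afterwards, and the comment should say so.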