Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp984929ybb;
        Sat, 28 Mar 2020 15:18:07 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vsq1ARpaXEIDTaMoXCyvg5Txj1e/Sq29Oihea1rLCTBMiT8WjkS3BAZ/M5sedKDgQ/Uog9P
X-Received: by 2002:aca:ddc4:: with SMTP id u187mr3518584oig.129.1585433887728;
        Sat, 28 Mar 2020 15:18:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1585433887; cv=none;
        d=google.com; s=arc-20160816;
        b=psezuwDmacI+CEHMUufN5EwLMpM23jMTuNBouXLp/bqQVMeBr+KHCs828w3n+3EENn
         rf/lMSk884QK3B/oBDBNz90jUTyKlMQASgWo5xDGBTkTOV/qcJokUCtcN4hPMPV5wF3Q
         CnO+sX9ZWSME9XhMOITnlIDBGeYaJ9TRp6oIY50s+k0o1nu/LvECYhtKfqf6fEkSpzka
         ke/heASO/Ahzjp9E12qd7+hHaG6yYNj6x3sVv2iuicCI+vBMk9WNh3H5ZB+2PEtCpDgv
         4OnwG7+qej9HYffC3JGnp7YWgVcmvfs29vsdCMmGUehqZrBBUebEbWerzTVivf3C5Ukd
         ILWw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:message-id
         :subject:cc:to:from:date:dkim-signature:dkim-signature;
        bh=kLkeY9NKKOpHC7rAPATgWXBQbZw4JjfhL94e9vckCmU=;
        b=a7SJX/2rmSnJV4PAXNuop51x9ALXn03jw6KANB2aL7NIYMK4e3r2yC8XQx+FSFILjp
         xD1Kz3aIqi9ACsgERemtJ91wblFD1/2U4MO724NxX3Zzwhapuwt52pdLHjmsXHc162sw
         ZE19/5NM1F9UowKFHOYcZ1NeVdX/qPhb8MyhctKtSDKyxAMRvJL6czTcIBJD7WcjO8aF
         L0lqjCO1UetWEYVXKMN6WDlPnDNU81kW+2Zd/+FXivv+/joiZZQEyaeFDeKlsPWBUA+o
         2AJ3egmWq3rYP1vQhwe1KSr7RtSEX4WA1XGjOVDrMNfCLjszMnEvmJ10rUG/vKRO7/Kn
         oPrA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@pobox.com header.s=sasl header.b=CCnptZX5;
       dkim=temperror (no key for signature) header.i=@fluxnic.net header.s=2016-12.pbsmtp header.b=VqzxExHh;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id t2si4216794otb.284.2020.03.28.15.17.52;
        Sat, 28 Mar 2020 15:18:07 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@pobox.com header.s=sasl header.b=CCnptZX5;
       dkim=temperror (no key for signature) header.i=@fluxnic.net header.s=2016-12.pbsmtp header.b=VqzxExHh;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727799AbgC1V7a (ORCPT
        <rfc822;ArcheFireLinuxKernelMain@gmail.com> + 99 others);
        Sat, 28 Mar 2020 17:59:30 -0400
Received: from pb-smtp2.pobox.com ([64.147.108.71]:54392 "EHLO
        pb-smtp2.pobox.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727484AbgC1V7a (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 28 Mar 2020 17:59:30 -0400
Received: from pb-smtp2.pobox.com (unknown [127.0.0.1])
        by pb-smtp2.pobox.com (Postfix) with ESMTP id AB7885DF0E;
        Sat, 28 Mar 2020 17:59:27 -0400 (EDT)
        (envelope-from nico@fluxnic.net)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=date:from:to
        :cc:subject:message-id:mime-version:content-type; s=sasl; bh=dgf
        WqgLTCrN+VlDEATqWy9fOblU=; b=CCnptZX5bYjc8MPRVVfYmeIBHcufNVEG54l
        2j2B87mGcjERdMfHjMegHwxqoSY5LQ00DOJx2/pNJ3QB+hEzR3W3lpqnLDCzVhPW
        DVaIX8aTh2dKLgU4y/A02CqOSGRJ2FSFB+jJ7F3H0kipbKqmINFBfSXQ7GWINIc1
        4ligjSDA=
Received: from pb-smtp2.nyi.icgroup.com (unknown [127.0.0.1])
        by pb-smtp2.pobox.com (Postfix) with ESMTP id A21375DF0D;
        Sat, 28 Mar 2020 17:59:27 -0400 (EDT)
        (envelope-from nico@fluxnic.net)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=fluxnic.net;
 h=date:from:to:cc:subject:message-id:mime-version:content-type;
 s=2016-12.pbsmtp; bh=hboGcD0CSWpZTZid8EN5p6L2AKFvA36jUPmev5j9F8I=;
 b=VqzxExHh6a9ijv2T//5/Z1WbikPWsqrTuthGtrc+WdRnPPjjRc9QQL6cg0yJdlidsgUTzzgDz88GbQiOHVh6QNqdTlmea8TpyBQsrxnAOrTEnsJJIcJxQQofjqSkLhnWiWlR/s0GpDRyzCeWv1LRGVCFVazz4VRrwvSgOl50HiM=
Received: from yoda.home (unknown [24.203.50.76])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by pb-smtp2.pobox.com (Postfix) with ESMTPSA id 064715DF0C;
        Sat, 28 Mar 2020 17:59:27 -0400 (EDT)
        (envelope-from nico@fluxnic.net)
Received: from xanadu.home (xanadu.home [192.168.2.2])
        by yoda.home (Postfix) with ESMTPSA id EF1182DA0174;
        Sat, 28 Mar 2020 17:59:25 -0400 (EDT)
Date:   Sat, 28 Mar 2020 17:59:25 -0400 (EDT)
From:   Nicolas Pitre <nico@fluxnic.net>
To:     gregkh@linuxfoundation.org
cc:     Chen Wandun <chenwandun@huawei.com>,
        Adam Borowski <kilobyte@angband.pl>, jslaby@suse.com,
        daniel.vetter@ffwll.ch, sam@ravnborg.org, b.zolnierkie@samsung.com,
        lukas@wunner.de, ghalat@redhat.com, linux-kernel@vger.kernel.org
Subject: [PATCH] vt: don't use kmalloc() for the unicode screen buffer
Message-ID: <nycvar.YSQ.7.76.2003281745280.2671@knanqh.ubzr>
User-Agent: Alpine 2.21 (LFD 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
X-Pobox-Relay-ID: 6474F6CA-713F-11EA-84AA-D1361DBA3BAF-78420484!pb-smtp2.pobox.com
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Even if the actual screen size is bounded in vc_do_resize(), the unicode 
buffer is still a little more than twice the size of the glyph buffer
and may exceed MAX_ORDER down the kmalloc() path. This can be triggered
from user space.

Since there is no point having a physically contiguous buffer here, 
let's avoid the above issue as well as reducing pressure on high order
allocations by using vmalloc() instead.

Signed-off-by: Nicolas Pitre <nico@fluxnic.net>
Cc: <stable@vger.kernel.org>

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 15d2769805..7c10edb648 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -350,7 +350,7 @@ static struct uni_screen *vc_uniscr_alloc(unsigned int cols, unsigned int rows)
 	/* allocate everything in one go */
 	memsize = cols * rows * sizeof(char32_t);
 	memsize += rows * sizeof(char32_t *);
-	p = kmalloc(memsize, GFP_KERNEL);
+	p = vmalloc(memsize);
 	if (!p)
 		return NULL;
 
@@ -366,7 +366,7 @@ static struct uni_screen *vc_uniscr_alloc(unsigned int cols, unsigned int rows)
 
 static void vc_uniscr_set(struct vc_data *vc, struct uni_screen *new_uniscr)
 {
-	kfree(vc->vc_uni_screen);
+	vfree(vc->vc_uni_screen);
 	vc->vc_uni_screen = new_uniscr;
 }