Hi.
On Fri, Apr 26, 2019 at 04:43:57PM +0200, Grzegorz Halat wrote:
> After memory allocation failure vc_allocate() doesn't clean up data
> which has been initialized in visual_init(). In case of fbcon this
> leads to divide-by-0 in fbcon_init() on next open of the same tty.
>
> memory allocation in vc_allocate() may fail here:
> 1097: vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_KERNEL);
>
> on next open() fbcon_init() skips vc_font.data initialization:
> 1088: if (!p->fontdata) {
>
> division by zero in fbcon_init() happens here:
> 1149: new_cols /= vc->vc_font.width;
>
> Additional check is needed in fbcon_deinit() to prevent
> usage of uninitialized vc_screenbuf:
>
> 1251: if (vc->vc_hi_font_mask && vc->vc_screenbuf)
> 1252: set_vc_hi_font(vc, false);
>
> Crash:
>
> #6 [ffffc90001eafa60] divide_error at ffffffff81a00be4
> [exception RIP: fbcon_init+463]
> RIP: ffffffff814b860f RSP: ffffc90001eafb18 RFLAGS: 00010246
> ...
> #7 [ffffc90001eafb60] visual_init at ffffffff8154c36e
> #8 [ffffc90001eafb80] vc_allocate at ffffffff8154f53c
> #9 [ffffc90001eafbc8] con_install at ffffffff8154f624
> ...
>
> Signed-off-by: Grzegorz Halat <ghalat@xxxxxxxxxx>
> ---
> drivers/tty/vt/vt.c | 11 +++++++++--
> drivers/video/fbdev/core/fbcon.c | 2 +-
> 2 files changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
> index 650c66886c80..ec85d195678f 100644
> --- a/drivers/tty/vt/vt.c
> +++ b/drivers/tty/vt/vt.c
> @@ -1056,6 +1056,13 @@ static void visual_init(struct vc_data *vc, int num, int init)
> vc->vc_screenbuf_size = vc->vc_rows * vc->vc_size_row;
> }
>
> +
> +static void visual_deinit(struct vc_data *vc)
> +{
> + vc->vc_sw->con_deinit(vc);
> + module_put(vc->vc_sw->owner);
> +}
> +
> int vc_allocate(unsigned int currcons) /* return 0 on success */
> {
> struct vt_notifier_param param;
> @@ -1103,6 +1110,7 @@ int vc_allocate(unsigned int currcons) /* return 0 on success */
>
> return 0;
> err_free:
> + visual_deinit(vc);
> kfree(vc);
> vc_cons[currcons].d = NULL;
> return -ENOMEM;
> @@ -1331,9 +1339,8 @@ struct vc_data *vc_deallocate(unsigned int currcons)
> param.vc = vc = vc_cons[currcons].d;
> atomic_notifier_call_chain(&vt_notifier_list, VT_DEALLOCATE, ¶m);
> vcs_remove_sysfs(currcons);
> - vc->vc_sw->con_deinit(vc);
> + visual_deinit(vc);
> put_pid(vc->vt_pid);
> - module_put(vc->vc_sw->owner);
> vc_uniscr_set(vc, NULL);
> kfree(vc->vc_screenbuf);
> vc_cons[currcons].d = NULL;
> diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> index cd059a801662..c59b23f6e9ba 100644
> --- a/drivers/video/fbdev/core/fbcon.c
> +++ b/drivers/video/fbdev/core/fbcon.c
> @@ -1248,7 +1248,7 @@ static void fbcon_deinit(struct vc_data *vc)
> if (free_font)
> vc->vc_font.data = NULL;
>
> - if (vc->vc_hi_font_mask)
> + if (vc->vc_hi_font_mask && vc->vc_screenbuf)
> set_vc_hi_font(vc, false);
>
> if (!con_is_bound(&fb_con))
> --
> 2.20.1
>
LGTM.
Reviewed-by: Oleksandr Natalenko <oleksandr@xxxxxxxxxx>
--
Best regards,
Oleksandr Natalenko (post-factum)
Senior Software Maintenance Engineer
