Hi,

On Mon, Feb 27, 2023 at 03:21:41PM -0500, George Kennedy wrote:
> Restore the vcs_size() handling in vcs_read() to what
> it had been in previous version.

This still seems to be broken for me.

Testcase:

# cat /dev/vcsa1
[.. data, looks complete ..]
cat: /dev/vcsa1: No such device or address

"ret" is still unconditionally overwritten with -ENXIO at the beginning of the loop.
And when we break the loop because everything has been read in
`if (pos >= size)` then this error is returned to userspace instead of
just `0`.

I still need the patch from
https://lore.kernel.org/lkml/20230220064612.1783-1-linux@xxxxxxxxxxxxxx/

> Fixes: 226fae124b2d ("vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF")
> Suggested-by: Jiri Slaby <jirislaby@xxxxxxxxxx>
> Signed-off-by: George Kennedy <george.kennedy@xxxxxxxxxx>
> ---
> v2: added Fixes
>
> drivers/tty/vt/vc_screen.c | 4 +---
> 1 file changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/drivers/tty/vt/vc_screen.c b/drivers/tty/vt/vc_screen.c > index f566eb1839dc..c0a2273bb998 100644 > --- a/drivers/tty/vt/vc_screen.c > +++ b/drivers/tty/vt/vc_screen.c > @@ -414,10 +414,8 @@ vcs_read(struct file *file, char __user *buf, size_t count, loff_t *ppos) > */ > size = vcs_size(vc, attr, uni_mode); > if (size < 0) { > - if (read) > - break; > ret = size; > - goto unlock_out; > + break; > } > if (pos >= size) > break; > -- > 2.31.1 >
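Review bot: the `if (pos >= size)` exit in the trailing context still leaves `ret` untouched, so with this change both that end-of-data path and the `size < 0` path leave the loop through `break` and are told apart only by whatever `ret` holds at that point. The reply above reports that `ret` is assigned -ENXIO at the top of the loop, outside this hunk, which matches a complete read ending in "No such device or address". Consider clearing `ret` before `if (pos >= size) break;`, or assigning the error only where the failure is detected. The commit message should also say what a read that has already copied data returns when `vcs_size()` fails, since the removed `if (read) break;` used to skip `ret = size` in that case.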