An error occurred fetching the project authors.
  1. 19 Jan, 2023 12 commits
  2. 01 Sep, 2022 2 commits
    • Daniel Vetter's avatar
      tty/vt: Add console_lock check to vt_console_print() · b74dbbe1
      Daniel Vetter authored
      I'm scratching my head why we have this printing_lock. Digging through
      historical git trees shows that:
      - Added in 1.1.73, and I found absolutely no reason why.
      - Converted to atomic bitops in 2.1.125pre2, I guess as part of SMP
        enabling/bugfixes.
      - Converted to a proper spinlock in b0940003 ("vt: bitlock fix")
        because the hand-rolled atomic version lacked necessary memory
        barriers.
      
      Digging around in lore for that time period did also not shed further
      light.
      
      The only reason I think this might still be relevant today is that (to
      my understanding at least, ymmv) during an oops we might be printing
      without console_lock held. See console_flush_on_panic() and the
      comments in there - we flush out the console buffers irrespective of
      whether we managed to acquire the right locks.
      
      The strange thing is that this reason is fairly recent, because the
      console flushing was historically done without oops_in_progress set.
      This only changed in c7c3f05e ("panic: avoid deadlocks in
      re-entrant console drivers"), which removed the call to
      bust_spinlocks(0) (which decrements oops_in_progress again) before
      flushing out the console (which back then was open coded as a
      console_trylock/unlock pair).
      
      Note that this entire mess should be properly fixed in the
      printk/console layer, and not inflicted on each implementation.
      
      For now just document what's going on and check that in all other
      cases callers obey the locking rules.
      
      v2: WARN_CONSOLE_UNLOCKED already checks for oops_in_progress
      (something else that should be fixed I guess), hence remove the
      open-coded check I've had.
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@intel.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Jiri Slaby <jirislaby@kernel.org>
      Cc: "Ilpo Järvinen" <ilpo.jarvinen@linux.intel.com>
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Cc: Xuezhi Zhang <zhangxuezhi1@coolpad.com>
      Cc: Yangxi Xiang <xyangxi5@gmail.com>
      Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Cc: nick black <dankamongmen@gmail.com>
      Cc: Petr Mladek <pmladek@suse.com>
      Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: John Ogness <john.ogness@linutronix.de>
      Reviewed-by: default avatarSam Ravnborg <sam@ravnborg.org>
      Link: https://lore.kernel.org/r/20220830144945.430528-1-daniel.vetter@ffwll.chSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b74dbbe1
    • Daniel Vetter's avatar
      kernel/panic: Drop unblank_screen call · 0a64ce6e
      Daniel Vetter authored
      console_unblank() does this too (called in both places right after),
      and with a lot more confidence inspiring approach to locking.
      
      Reconstructing this story is very strange:
      
      In b61312d3 ("oops handling: ensure that any oops is flushed to
      the mtdoops console") it is claimed that a printk(" "); flushed out
      the console buffer, which was removed in e3e8a75d ("[PATCH]
      Extract and use wake_up_klogd()"). In todays kernels this is done way
      earlier in console_flush_on_panic with some really nasty tricks. I
      didn't bother to fully reconstruct this all, least because the call to
      bust_spinlock(0); gets moved every few years, depending upon how the
      wind blows (or well, who screamed loudest about the various issue each
      call site caused).
      
      Before that commit the only calls to console_unblank() where in s390
      arch code.
      
      The other side here is the console->unblank callback, which was
      introduced in 2.1.31 for the vt driver. Which predates the
      console_unblank() function by a lot, which was added (without users)
      in 2.4.14.3. So pretty much impossible to guess at any motivation
      here. Also afaict the vt driver is the only (and always was the only)
      console driver implementing the unblank callback, so no idea why a
      call to console_unblank() was added for the mtdooops driver - the
      action actually flushing out the console buffers is done from
      console_unlock() only.
      
      Note that as prep for the s390 users the locking was adjusted in
      2.5.22 (I couldn't figure out how to properly reference the BK commit
      from the historical git trees) from a normal semaphore to a trylock.
      
      Note that a copy of the direct unblank_screen() call was added to
      panic() in c7c3f05e ("panic: avoid deadlocks in re-entrant console
      drivers"), which partially inlined the bust_spinlocks(0); call.
      
      Long story short, I have no idea why the direct call to unblank_screen
      survived for so long (the infrastructure to do it properly existed for
      years), nor why it wasn't removed when the console_unblank() call was
      finally added. But it makes a ton more sense to finally do that than
      not - it's just better encapsulation to go through the console
      functions instead of doing a direct call, so let's dare. Plus it
      really does not make much sense to call the only unblank
      implementation there is twice, once without, and once with appropriate
      locking.
      
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Jiri Slaby <jirislaby@kernel.org>
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Cc: "Ilpo Järvinen" <ilpo.jarvinen@linux.intel.com>
      Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Cc: Xuezhi Zhang <zhangxuezhi1@coolpad.com>
      Cc: Yangxi Xiang <xyangxi5@gmail.com>
      Cc: nick black <dankamongmen@gmail.com>
      Cc: Petr Mladek <pmladek@suse.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Luis Chamberlain <mcgrof@kernel.org>
      Cc: "Guilherme G. Piccoli" <gpiccoli@igalia.com>
      Cc: Marco Elver <elver@google.com>
      Cc: John Ogness <john.ogness@linutronix.de>
      Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Cc: David Gow <davidgow@google.com>
      Cc: tangmeng <tangmeng@uniontech.com>
      Cc: Tiezhu Yang <yangtiezhu@loongson.cn>
      Cc: Chris Wilson <chris@chris-wilson.co.uk>
      Reviewed-by: default avatarPetr Mladek <pmladek@suse.com>
      Acked-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@intel.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Link: https://lore.kernel.org/r/20220830145004.430545-1-daniel.vetter@ffwll.chSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0a64ce6e
  3. 30 Aug, 2022 2 commits
  4. 19 Jul, 2022 1 commit
  5. 30 Jun, 2022 1 commit
  6. 27 Jun, 2022 1 commit
  7. 10 Jun, 2022 2 commits
  8. 25 Nov, 2021 1 commit
  9. 30 Aug, 2021 1 commit
    • nick black's avatar
      console: consume APC, DM, DCS · 3a2b2eb5
      nick black authored
      The Linux console's VT102 implementation already consumes OSC
      ("Operating System Command") sequences, probably because that's how
      palette changes are transmitted.
      
      In addition to OSC, there are three other major clases of ANSI control
      strings: APC ("Application Program Command"), PM ("Privacy Message"),
      and DCS ("Device Control String").  They are handled similarly to OSC in
      terms of termination.
      
      Source: vt100.net
      
      Add three new enumerated states, one for each of these types.  All three
      are handled the same way right now--they simply consume input until
      terminated.  I hope to expand upon this firmament in the future.  Add
      new predicate ansi_control_string(), returning true for any of these
      states.  Replace explicit checks against ESosc with calls to this
      function.  Transition to these states appropriately from the escape
      initiation (ESesc) state.
      
      This was motivated by the following Notcurses bugs:
      
       https://github.com/dankamongmen/notcurses/issues/2050
       https://github.com/dankamongmen/notcurses/issues/1828
       https://github.com/dankamongmen/notcurses/issues/2069
      
      where standard VT sequences are not consumed by the Linux console.  It's
      not necessary that the Linux console *support* these sequences, but it
      ought *consume* these well-specified classes of sequences.
      
      Tested by sending a variety of escape sequences to the console, and
      verifying that they still worked, or were now properly consumed.
      Verified that the escapes were properly terminated at a generic level.
      Verified that the Notcurses tools continued to show expected output on
      the Linux console, except now without escape bleedthrough.
      
      Link: https://lore.kernel.org/lkml/YSydL0q8iaUfkphg@schwarzgerat.orthanc/Signed-off-by: default avatarnick black <dankamongmen@gmail.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Jiri Slaby <jirislaby@kernel.org>
      Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3a2b2eb5
  10. 27 Jul, 2021 1 commit
    • Jiri Slaby's avatar
      tty: stop using alloc_tty_driver · 39b7b42b
      Jiri Slaby authored
      alloc_tty_driver was deprecated by tty_alloc_driver in commit
      7f0bc6a6 (TTY: pass flags to alloc_tty_driver) in 2012.
      
      I never got into eliminating alloc_tty_driver until now. So we still
      have two functions for allocating drivers which might be confusing. So
      get rid of alloc_tty_driver uses to eliminate it for good in the next
      patch.
      
      Note we need to switch return value checking as tty_alloc_driver uses
      ERR_PTR. And flags are now a parameter of tty_alloc_driver.
      
      Cc: Richard Henderson <rth@twiddle.net>(odd fixer:ALPHA PORT)
      Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
      Cc: Matt Turner <mattst88@gmail.com>
      Cc: Geert Uytterhoeven <geert@linux-m68k.org>
      Cc: "James E.J. Bottomley" <James.Bottomley@HansenPartnership.com>
      Cc: Helge Deller <deller@gmx.de>
      Cc: Jeff Dike <jdike@addtoit.com>
      Cc: Richard Weinberger <richard@nod.at>
      Cc: Anton Ivanov <anton.ivanov@cambridgegreys.com>
      Cc: Chris Zankel <chris@zankel.net>
      Cc: Max Filippov <jcmvbkbc@gmail.com>
      Cc: Samuel Iglesias Gonsalvez <siglesias@igalia.com>
      Cc: Jens Taprogge <jens.taprogge@taprogge.org>
      Cc: Karsten Keil <isdn@linux-pingi.de>
      Cc: Ulf Hansson <ulf.hansson@linaro.org>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Jakub Kicinski <kuba@kernel.org>
      Cc: Heiko Carstens <hca@linux.ibm.com>
      Cc: Vasily Gorbik <gor@linux.ibm.com>
      Cc: Christian Borntraeger <borntraeger@de.ibm.com>
      Cc: Laurentiu Tudor <laurentiu.tudor@nxp.com>
      Cc: Jiri Kosina <jikos@kernel.org>
      Cc: David Sterba <dsterba@suse.com>
      Cc: Shawn Guo <shawnguo@kernel.org>
      Cc: Sascha Hauer <s.hauer@pengutronix.de>
      Cc: Oliver Neukum <oneukum@suse.com>
      Cc: Felipe Balbi <balbi@kernel.org>
      Cc: Johan Hovold <johan@kernel.org>
      Cc: Marcel Holtmann <marcel@holtmann.org>
      Cc: Johan Hedberg <johan.hedberg@gmail.com>
      Cc: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
      Acked-by: default avatarSamuel Iglesias Gonsálvez <siglesias@igalia.com>
      Acked-by: default avatarMax Filippov <jcmvbkbc@gmail.com>
      Acked-by: default avatarDavid Sterba <dsterba@suse.com>
      Acked-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Link: https://lore.kernel.org/r/20210723074317.32690-5-jslaby@suse.czSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      39b7b42b
  11. 21 Jul, 2021 1 commit
    • Igor Matheus Andrade Torrente's avatar
      tty: Fix out-of-bound vmalloc access in imageblit · 3b0c4061
      Igor Matheus Andrade Torrente authored
      This issue happens when a userspace program does an ioctl
      FBIOPUT_VSCREENINFO passing the fb_var_screeninfo struct
      containing only the fields xres, yres, and bits_per_pixel
      with values.
      
      If this struct is the same as the previous ioctl, the
      vc_resize() detects it and doesn't call the resize_screen(),
      leaving the fb_var_screeninfo incomplete. And this leads to
      the updatescrollmode() calculates a wrong value to
      fbcon_display->vrows, which makes the real_y() return a
      wrong value of y, and that value, eventually, causes
      the imageblit to access an out-of-bound address value.
      
      To solve this issue I made the resize_screen() be called
      even if the screen does not need any resizing, so it will
      "fix and fill" the fb_var_screeninfo independently.
      
      Cc: stable <stable@vger.kernel.org> # after 5.15-rc2 is out, give it time to bake
      Reported-and-tested-by: syzbot+858dc7a2f7ef07c2c219@syzkaller.appspotmail.com
      Signed-off-by: default avatarIgor Matheus Andrade Torrente <igormtorrente@gmail.com>
      Link: https://lore.kernel.org/r/20210628134509.15895-1-igormtorrente@gmail.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3b0c4061
  12. 15 May, 2021 1 commit
  13. 13 May, 2021 5 commits
    • Jiri Slaby's avatar
      tty: remove tty_operations::chars_in_buffer for non-buffering · fa7501e5
      Jiri Slaby authored
      The only user of tty_ops::chars_in_buffer is tty_chars_in_buffer. And it
      considers tty_ops::chars_in_buffer optional. In case it's NULL, zero is
      returned. So remove all those chars_in_buffer from tty_ops which return
      zero. (Zero means such driver doesn't buffer.)
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Cc: Richard Henderson <rth@twiddle.net>
      Acked-by: Max Filippov <jcmvbkbc@gmail.com> # xtensa
      Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
      Cc: Matt Turner <mattst88@gmail.com>
      Cc: "James E.J. Bottomley" <James.Bottomley@HansenPartnership.com>
      Cc: Helge Deller <deller@gmx.de>
      Cc: Chris Zankel <chris@zankel.net>
      Cc: Heiko Carstens <hca@linux.ibm.com>
      Cc: Vasily Gorbik <gor@linux.ibm.com>
      Cc: Christian Borntraeger <borntraeger@de.ibm.com>
      Link: https://lore.kernel.org/r/20210505091928.22010-26-jslaby@suse.czSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fa7501e5
    • Jiri Slaby's avatar
      tty: make tty_operations::write_room return uint · 03b3b1a2
      Jiri Slaby authored
      Line disciplines expect a positive value or zero returned from
      tty->ops->write_room (invoked by tty_write_room). So make this
      assumption explicit by using unsigned int as a return value. Both of
      tty->ops->write_room and tty_write_room.
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Acked-by: default avatarLaurentiu Tudor <laurentiu.tudor@nxp.com>
      Acked-by: default avatarAlex Elder <elder@linaro.org>
      Acked-by: Max Filippov <jcmvbkbc@gmail.com> # xtensa
      Acked-by: default avatarDavid Sterba <dsterba@suse.com>
      Acked-By: default avatarAnton Ivanov <anton.ivanov@cambridgegreys.com>
      Acked-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Cc: Richard Henderson <rth@twiddle.net>
      Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
      Cc: Matt Turner <mattst88@gmail.com>
      Cc: "James E.J. Bottomley" <James.Bottomley@HansenPartnership.com>
      Cc: Helge Deller <deller@gmx.de>
      Cc: Jeff Dike <jdike@addtoit.com>
      Cc: Richard Weinberger <richard@nod.at>
      Cc: Chris Zankel <chris@zankel.net>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Samuel Iglesias Gonsalvez <siglesias@igalia.com>
      Cc: Jens Taprogge <jens.taprogge@taprogge.org>
      Cc: Karsten Keil <isdn@linux-pingi.de>
      Cc: Scott Branden <scott.branden@broadcom.com>
      Cc: Ulf Hansson <ulf.hansson@linaro.org>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Jakub Kicinski <kuba@kernel.org>
      Cc: Heiko Carstens <hca@linux.ibm.com>
      Cc: Vasily Gorbik <gor@linux.ibm.com>
      Cc: Christian Borntraeger <borntraeger@de.ibm.com>
      Cc: David Lin <dtwlin@gmail.com>
      Cc: Johan Hovold <johan@kernel.org>
      Cc: Jiri Kosina <jikos@kernel.org>
      Cc: Shawn Guo <shawnguo@kernel.org>
      Cc: Sascha Hauer <s.hauer@pengutronix.de>
      Cc: Oliver Neukum <oneukum@suse.com>
      Cc: Felipe Balbi <balbi@kernel.org>
      Cc: Mathias Nyman <mathias.nyman@intel.com>
      Cc: Marcel Holtmann <marcel@holtmann.org>
      Cc: Johan Hedberg <johan.hedberg@gmail.com>
      Cc: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
      Link: https://lore.kernel.org/r/20210505091928.22010-23-jslaby@suse.czSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      03b3b1a2
    • Jiri Slaby's avatar
      tty: cumulate and document tty_struct::ctrl* members · 64d608db
      Jiri Slaby authored
      Group the ctrl members under a single struct called ctrl. The new struct
      contains 'pgrp', 'session', 'pktstatus', and 'packet'. 'pktstatus' and
      'packet' used to be bits in a bitfield. The struct also contains the
      lock protecting them to share the same cache line.
      
      Note that commit c545b66c (tty: Serialize tcflow() with other tty
      flow control changes) added a padding to the original bitfield. It was
      for the bitfield to occupy a whole 64b word to avoid interferring stores
      on Alpha (cannot we evaporate this arch with weird implications to C
      code yet?). But it doesn't work as expected as the padding
      (tty_struct::ctrl_unused) is aligned to a 8B boundary too and occupies
      some bytes from the next word.
      
      So make it reliable by:
      1) setting __aligned of the struct -- that aligns the start, and
      2) making 'unsigned long unused[0]' as the last member of the struct --
         pads the end.
      
      Add a kerneldoc comment for this grouped members.
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Jakub Kicinski <kuba@kernel.org>
      Cc: netdev@vger.kernel.org
      Link: https://lore.kernel.org/r/20210505091928.22010-14-jslaby@suse.czSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      64d608db
    • Jiri Slaby's avatar
      tty: cumulate and document tty_struct::flow* members · 6e94dbc7
      Jiri Slaby authored
      Group the flow flags under a single struct called flow. The new struct
      contains 'stopped' and 'tco_stopped' bools which used to be bits in a
      bitfield. The struct also contains the lock protecting them to
      potentially share the same cache line.
      
      Note that commit c545b66c (tty: Serialize tcflow() with other tty
      flow control changes) added a padding to the original bitfield. It was
      for the bitfield to occupy a whole 64b word to avoid interferring stores
      on Alpha (cannot we evaporate this arch with weird implications to C
      code yet?). But it doesn't work as expected as the padding
      (tty_struct::unused) is aligned to a 8B boundary too and occupies some
      bytes from the next word.
      
      So make it reliable by:
      1) setting __aligned of the struct -- that aligns the start, and
      2) making 'unsigned long unused[0]' as the last member of the struct --
         pads the end.
      
      This is also the perfect time to start the documentation of tty_struct
      where all this lives. So we start by documenting what these bools
      actually serve for. And why we do all the alignment dances. Only the few
      up-to-date information from the Theodore's comment made it into this new
      Kerneldoc comment.
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Jakub Kicinski <kuba@kernel.org>
      Cc: Jonathan Corbet <corbet@lwn.net>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Ulf Hansson <ulf.hansson@linaro.org>
      Cc: Heiko Carstens <hca@linux.ibm.com>
      Cc: Vasily Gorbik <gor@linux.ibm.com>
      Cc: Christian Borntraeger <borntraeger@de.ibm.com>
      Cc: Shawn Guo <shawnguo@kernel.org>
      Cc: Sascha Hauer <s.hauer@pengutronix.de>
      Cc: Vineet Gupta <vgupta@synopsys.com>
      Cc: "Maciej W. Rozycki" <macro@orcam.me.uk>
      Link: https://lore.kernel.org/r/20210505091928.22010-13-jslaby@suse.czSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6e94dbc7
    • Jiri Slaby's avatar
      tty: remove broken r3964 line discipline · ed5aecd3
      Jiri Slaby authored
      Noone stepped up in the past two years since it was marked as BROKEN by
      commit c7084edc (tty: mark Siemens R3964 line discipline as BROKEN).
      Remove the line discipline for good.
      
      Three remarks:
      * we remove also the uapi header (as noone is able to use that interface
        anyway)
      * we do *not* remove the N_R3964 constant definition from tty.h, so it
        remains reserved.
      * in_interrupt() check is now removed from vt's con_put_char. Noone else
        calls tty_operations::put_char from interrupt context.
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Link: https://lore.kernel.org/r/20210505091928.22010-2-jslaby@suse.czSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ed5aecd3
  14. 28 Mar, 2021 1 commit
  15. 23 Mar, 2021 1 commit
  16. 07 Jan, 2021 2 commits
  17. 08 Nov, 2020 1 commit
    • Daniel Vetter's avatar
      vt: Disable KD_FONT_OP_COPY · 3c4e0dff
      Daniel Vetter authored
      It's buggy:
      
      On Fri, Nov 06, 2020 at 10:30:08PM +0800, Minh Yuan wrote:
      > We recently discovered a slab-out-of-bounds read in fbcon in the latest
      > kernel ( v5.10-rc2 for now ).  The root cause of this vulnerability is that
      > "fbcon_do_set_font" did not handle "vc->vc_font.data" and
      > "vc->vc_font.height" correctly, and the patch
      > <https://lkml.org/lkml/2020/9/27/223> for VT_RESIZEX can't handle this
      > issue.
      >
      > Specifically, we use KD_FONT_OP_SET to set a small font.data for tty6, and
      > use  KD_FONT_OP_SET again to set a large font.height for tty1. After that,
      > we use KD_FONT_OP_COPY to assign tty6's vc_font.data to tty1's vc_font.data
      > in "fbcon_do_set_font", while tty1 retains the original larger
      > height. Obviously, this will cause an out-of-bounds read, because we can
      > access a smaller vc_font.data with a larger vc_font.height.
      
      Further there was only one user ever.
      - Android's loadfont, busybox and console-tools only ever use OP_GET
        and OP_SET
      - fbset documentation only mentions the kernel cmdline font: option,
        not anything else.
      - systemd used OP_COPY before release 232 published in Nov 2016
      
      Now unfortunately the crucial report seems to have gone down with
      gmane, and the commit message doesn't say much. But the pull request
      hints at OP_COPY being broken
      
      https://github.com/systemd/systemd/pull/3651
      
      So in other words, this never worked, and the only project which
      foolishly every tried to use it, realized that rather quickly too.
      
      Instead of trying to fix security issues here on dead code by adding
      missing checks, fix the entire thing by removing the functionality.
      
      Note that systemd code using the OP_COPY function ignored the return
      value, so it doesn't matter what we're doing here really - just in
      case a lone server somewhere happens to be extremely unlucky and
      running an affected old version of systemd. The relevant code from
      font_copy_to_all_vcs() in systemd was:
      
      	/* copy font from active VT, where the font was uploaded to */
      	cfo.op = KD_FONT_OP_COPY;
      	cfo.height = vcs.v_active-1; /* tty1 == index 0 */
      	(void) ioctl(vcfd, KDFONTOP, &cfo);
      
      Note this just disables the ioctl, garbage collecting the now unused
      callbacks is left for -next.
      
      v2: Tetsuo found the old mail, which allowed me to find it on another
      archive. Add the link too.
      Acked-by: default avatarPeilin Ye <yepeilin.cs@gmail.com>
      Reported-by: default avatarMinh Yuan <yuanmingbuaa@gmail.com>
      References: https://lists.freedesktop.org/archives/systemd-devel/2016-June/036935.html
      References: https://github.com/systemd/systemd/pull/3651
      Cc: Greg KH <greg@kroah.com>
      Cc: Peilin Ye <yepeilin.cs@gmail.com>
      Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@intel.com>
      Link: https://lore.kernel.org/r/20201108153806.3140315-1-daniel.vetter@ffwll.chSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3c4e0dff
  18. 23 Aug, 2020 1 commit
  19. 18 Aug, 2020 3 commits