Commit a3da2984 authored May 02, 2020 by Nicolas Pitre Committed by Greg Kroah-Hartman May 14, 2020

vt: fix unicode console freeing with a common interface



[ Upstream commit 57d38f26d81e4275748b69372f31df545dcd9b71 ]

By directly using kfree() in different places we risk missing one if
it is switched to using vfree(), especially if the corresponding
vmalloc() is hidden away within a common abstraction.

Oh wait, that's exactly what happened here.

So let's fix this by creating a common abstraction for the free case
as well.

Signed-off-by: Nicolas Pitre <nico@fluxnic.net>
Reported-by:  <syzbot+0bfda3ade1ee9288a1be@syzkaller.appspotmail.com>
Fixes: 9a98e7a80f95 ("vt: don't use kmalloc() for the unicode screen buffer")
Cc: <stable@vger.kernel.org>
Reviewed-by: Sam Ravnborg <sam@ravnborg.org>
Link: https://lore.kernel.org/r/nycvar.YSQ.7.76.2005021043110.2671@knanqh.ubzr


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent 84a50dc4

drivers/tty/vt/vt.c

+7 −2

Original line number	Diff line number	Diff line
		@@ -365,9 +365,14 @@ static struct uni_screen *vc_uniscr_alloc(unsigned int cols, unsigned int rows)
		return uniscr;
		}

		static void vc_uniscr_free(struct uni_screen *uniscr)
		{
		vfree(uniscr);
		}

		static void vc_uniscr_set(struct vc_data vc, struct uni_screen new_uniscr)
		{
		vfree(vc->vc_uni_screen);
		vc_uniscr_free(vc->vc_uni_screen);
		vc->vc_uni_screen = new_uniscr;
		}

		@@ -1233,7 +1238,7 @@ static int vc_do_resize(struct tty_struct tty, struct vc_data vc,
		err = resize_screen(vc, new_cols, new_rows, user);
		if (err) {
		kfree(newscreen);
		kfree(new_uniscr);
		vc_uniscr_free(new_uniscr);
		return err;
		}