Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v5.15.208 2024-06-16T11:39:11+00:00 2024-06-16T11:39:11+00:00 Dan Carpenter dan.carpenter@linaro.org 2024-04-15T11:02:23+00:00 urn:sha1:504178fb7d9f6cdb0496d5491efb05f45597e535 commit 008ab3c53bc4f0b2f20013c8f6c204a3203d0b8b upstream. The "buf" pointer is an array of u16 values. This code should be using ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512), otherwise it can the still got out of bounds. Fixes: c8d2f34ea96e ("speakup: Avoid crash on very long word") Cc: stable@vger.kernel.org Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Link: https://lore.kernel.org/r/d16f67d2-fd0a-4d45-adac-75ddd11001aa@moroto.mountain Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-04-27T15:05:28+00:00 Samuel Thibault samuel.thibault@ens-lyon.org 2024-03-23T16:48:43+00:00 urn:sha1:0d130158db29f5e0b3893154908cf618896450a8 commit c8d2f34ea96ea3bce6ba2535f867f0d4ee3b22e1 upstream. In case a console is set up really large and contains a really long word (> 256 characters), we have to stop before the length of the word buffer. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Fixes: c6e3fd22cd538 ("Staging: add speakup to the staging directory") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20240323164843.1426997-1-samuel.thibault@ens-lyon.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-11-26T08:24:44+00:00 Mushahid Hussain mushi.shar@gmail.com 2022-10-10T16:57:20+00:00 urn:sha1:a190a83db2848fef521dc190e51a8755c744287a commit 0fc801f8018000c8e64a275a20cb1da7c54e46df upstream. This patch fixes a segfault by adding a null check on synth in speakup_con_update(). The segfault can be reproduced as follows: - Login into a text console - Load speakup and speakup_soft modules - Remove speakup_soft - Switch to a graphics console This is caused by lack of a null check on `synth` in speakup_con_update(). Here's the sequence that causes the segfault: - When we remove the speakup_soft, synth_release() sets the synth to null. - After that, when we change the virtual console to graphics console, vt_notifier_call() is fired, which then calls speakup_con_update(). - Inside speakup_con_update() there's no null check on synth, so it calls synth_printf(). - Inside synth_printf(), synth_buffer_add() and synth_start(), both access synth, when it is null and causing a segfault. Therefore adding a null check on synth solves the issue. Fixes: 2610df41489f ("staging: speakup: Add pause command used on switching to graphical mode") Cc: stable <stable@kernel.org> Signed-off-by: Mushahid Hussain <mushi.shar@gmail.com> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Link: https://lore.kernel.org/r/20221010165720.397042-1-mushi.shar@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-06-15T15:07:46+00:00 Samuel Thibault samuel.thibault@ens-lyon.org 2021-06-13T19:59:09+00:00 urn:sha1:5b5140bf5182c24f1e37d61337a952e53f6aeb05 The existing code was assuming that bright color names can be forged by just prepending the "bright" word to the color name. But some langages may rather append it, or require completely different names ("grey" is actually already an example). From: Trevor Astrope <astrope@tabbweb.com> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Link: https://lore.kernel.org/r/20210613195909.n7ssor6iqeo3pcno@begin Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-11-16T08:18:46+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2020-11-16T08:18:46+00:00 urn:sha1:93c69b2d17372463ae33b79b3002c22a208945b3 We need the char/misc fixes in here as well. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-11-09T17:15:50+00:00 Samuel Thibault samuel.thibault@ens-lyon.org 2020-11-02T09:59:45+00:00 urn:sha1:508155944752f6e51dbc0a7273d933e954e4ed64 The cursor tracking modes enum, the edge enum, and the read_all commands enum should be used as such in the source code, to make it more readable and make gcc catch missing values in switches. Also, some values of enums are coupled with others, we at least need to document these. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Link: https://lore.kernel.org/r/20201102095945.ap4pdff2dn47hijh@function Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-11-09T17:14:20+00:00 Samuel Thibault samuel.thibault@ens-lyon.org 2020-11-07T23:33:10+00:00 urn:sha1:640969a69ca4dd2ac025fe873c6bf25eba8f11b3 speakup_cut() calls speakup_clear_selection() which calls console_lock. Problem is: speakup_cut() is called from a keyboard interrupt context. This would hang if speakup_cut is pressed while the console lock is unfortunately already held. We can however as well just defer calling clear_selection() until the already-deferred set_selection_kernel() call. This was spotted by the lock hardener: Possible unsafe locking scenario:\x0a CPU0 ---- lock(console_lock); <Interrupt> lock(console_lock); \x0a *** DEADLOCK ***\x0a [...] Call Trace: <IRQ> dump_stack+0xc2/0x11a print_usage_bug.cold+0x3e0/0x4b1 mark_lock+0xd95/0x1390 ? print_irq_inversion_bug+0xa0/0xa0 __lock_acquire+0x21eb/0x5730 ? __kasan_check_read+0x11/0x20 ? check_chain_key+0x215/0x5e0 ? register_lock_class+0x1580/0x1580 ? lock_downgrade+0x7a0/0x7a0 ? __rwlock_init+0x140/0x140 lock_acquire+0x13f/0x370 ? speakup_clear_selection+0xe/0x20 [speakup] console_lock+0x33/0x50 ? speakup_clear_selection+0xe/0x20 [speakup] speakup_clear_selection+0xe/0x20 [speakup] speakup_cut+0x19e/0x4b0 [speakup] keyboard_notifier_call+0x1f04/0x4a40 [speakup] ? read_all_doc+0x240/0x240 [speakup] notifier_call_chain+0xbf/0x130 __atomic_notifier_call_chain+0x80/0x130 atomic_notifier_call_chain+0x16/0x20 kbd_event+0x7d7/0x3b20 ? k_pad+0x850/0x850 ? sysrq_filter+0x450/0xd40 input_to_handler+0x362/0x4b0 ? rcu_read_lock_sched_held+0xe0/0xe0 input_pass_values+0x408/0x5a0 ? __rwlock_init+0x140/0x140 ? lock_acquire+0x13f/0x370 input_handle_event+0x70e/0x1380 input_event+0x67/0x90 atkbd_interrupt+0xe62/0x1d4e [atkbd] ? __kasan_check_write+0x14/0x20 ? atkbd_event_work+0x130/0x130 [atkbd] ? _raw_spin_lock_irqsave+0x26/0x70 serio_interrupt+0x93/0x120 [serio] i8042_interrupt+0x232/0x510 [i8042] ? rcu_read_lock_bh_held+0xd0/0xd0 ? handle_irq_event+0xa5/0x13a ? i8042_remove+0x1f0/0x1f0 [i8042] __handle_irq_event_percpu+0xe6/0x6c0 handle_irq_event_percpu+0x71/0x150 ? __handle_irq_event_percpu+0x6c0/0x6c0 ? __kasan_check_read+0x11/0x20 ? do_raw_spin_unlock+0x5c/0x240 handle_irq_event+0xad/0x13a handle_edge_irq+0x233/0xa90 do_IRQ+0x10b/0x310 common_interrupt+0xf/0xf </IRQ> Cc: stable@vger.kernel.org Reported-by: Jookia <contact@jookia.org> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Link: https://lore.kernel.org/r/20201107233310.7iisvaozpiqj3yvy@function Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-08-18T11:45:20+00:00 Jiri Slaby jslaby@suse.cz 2020-08-18T08:56:53+00:00 urn:sha1:b8209f694f7f4256181deea92d30eedb908d6788 viewed is used as a flag, i.e. bool. So treat is as such in most of the places. vcs_vc is handled in the next patch. Note: the last parameter of invert_screen was misnamed in the declaration since 1.1.92. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200818085706.12163-3-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-08-06T21:56:11+00:00 Linus Torvalds torvalds@linux-foundation.org 2020-08-06T21:56:11+00:00 urn:sha1:d6efb3ac3e6c19ab722b28bdb9252bae0b9676b6 Pull tty/serial updates from Greg KH: "Here is the large set of TTY and Serial driver patches for 5.9-rc1. Lots of bugfixes in here, thanks to syzbot fuzzing for serial and vt and console code. Other highlights include: - much needed vt/vc code cleanup from Jiri Slaby - 8250 driver fixes and additions - various serial driver updates and feature enhancements - locking cleanup for serial/console initializations - other minor cleanups All of these have been in linux-next with no reported issues" * tag 'tty-5.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: (90 commits) MAINTAINERS: enlist Greg formally for console stuff vgacon: Fix for missing check in scrollback handling Revert "serial: 8250: Let serial core initialise spin lock" serial: 8250: Let serial core initialise spin lock tty: keyboard, do not speculate on func_table index serial: stm32: Add RS485 RTS GPIO control serial: 8250_dw: Fix common clocks usage race condition serial: 8250_dw: Pass the same rate to the clk round and set rate methods serial: 8250_dw: Simplify the ref clock rate setting procedure serial: 8250: Add 8250 port clock update method tty: serial: imx: add imx earlycon driver tty: serial: imx: enable imx serial console port as module tty/synclink: remove leftover bits of non-PCI card support tty: Use the preferred form for passing the size of a structure type tty: Fix identation issues in struct serial_struct32 tty: Avoid the use of one-element arrays serial: msm_serial: add sparse context annotation serial: pmac_zilog: add sparse context annotation newport_con: vc_color is now in state serial: imx: use hrtimers for rs485 delays ... 2020-07-29T12:02:41+00:00 Samuel Thibault samuel.thibault@ens-lyon.org 2020-07-29T00:35:31+00:00 urn:sha1:2067fd92d75b6d9085a43caf050bca5d88c491b8 The nasty TODO items are done. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Link: https://lore.kernel.org/r/20200729003531.907370-1-samuel.thibault@ens-lyon.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>