Message ID | 20200405204024.1007843-1-andrew@daynix.com (mailing list archive) |
---|---|
State | Superseded |
Headers | show |
Series | Fix: buffer overflow during hvc_alloc(). | expand |
Context | Check | Description |
---|---|---|
snowpatch_ozlabs/apply_patch | success | Successfully applied on branch powerpc/merge (2c0ce4ff35994a7b12cc9879ced52c9e7c2e6667) |
snowpatch_ozlabs/build-ppc64le | success | Build succeeded |
snowpatch_ozlabs/build-ppc64be | success | Build succeeded |
snowpatch_ozlabs/build-ppc64e | success | Build succeeded |
snowpatch_ozlabs/build-pmac32 | warning | Upstream build failed, couldn't test patch |
snowpatch_ozlabs/checkpatch | warning | total: 0 errors, 1 warnings, 1 checks, 37 lines checked |
snowpatch_ozlabs/needsstable | success | Patch has no Fixes tags |
On 6/4/20 6:40 am, andrew@daynix.com wrote: > From: Andrew Melnychenko <andrew@daynix.com> > > If there is a lot(more then 16) of virtio-console devices > or virtio_console module is reloaded > - buffers 'vtermnos' and 'cons_ops' are overflowed. > In older kernels it overruns spinlock which leads to kernel freezing: > https://bugzilla.redhat.com/show_bug.cgi?id=1786239 > This Bugzilla report isn't publicly accessible. Can you include a relevant summary here and/or make the report publicly viewable? If it does indeed lead to a kernel freeze, this should be tagged with a Fixes: and a Cc: stable@vger.kernel.org.
diff --git a/drivers/tty/hvc/hvc_console.c b/drivers/tty/hvc/hvc_console.c index 27284a2dcd2b..436cc51c92c3 100644 --- a/drivers/tty/hvc/hvc_console.c +++ b/drivers/tty/hvc/hvc_console.c @@ -302,10 +302,6 @@ int hvc_instantiate(uint32_t vtermno, int index, const struct hv_ops *ops) vtermnos[index] = vtermno; cons_ops[index] = ops; - /* reserve all indices up to and including this index */ - if (last_hvc < index) - last_hvc = index; - /* check if we need to re-register the kernel console */ hvc_check_console(index); @@ -960,13 +956,22 @@ struct hvc_struct *hvc_alloc(uint32_t vtermno, int data, cons_ops[i] == hp->ops) break; - /* no matching slot, just use a counter */ - if (i >= MAX_NR_HVC_CONSOLES) - i = ++last_hvc; + if (i >= MAX_NR_HVC_CONSOLES) { + + /* find 'empty' slot for console */ + for (i = 0; i < MAX_NR_HVC_CONSOLES && vtermnos[i] != -1; i++) { + } + + /* no matching slot, just use a counter */ + if (i == MAX_NR_HVC_CONSOLES) + i = ++last_hvc + MAX_NR_HVC_CONSOLES; + } hp->index = i; - cons_ops[i] = ops; - vtermnos[i] = vtermno; + if (i < MAX_NR_HVC_CONSOLES) { + cons_ops[i] = ops; + vtermnos[i] = vtermno; + } list_add_tail(&(hp->next), &hvc_structs); mutex_unlock(&hvc_structs_mutex);