linux-hardened/drivers/char
Linus Torvalds 386f40c86d Revert "tty: fix a little bug in scrup, vt.c"
This reverts commit 962400e8fd, which was
entirely bogus.

The code used to multiply the character offset by "vc->vc_cols", and
that's actually correct, because 'd' itself is an 'unsigned short'.  So
the pointer arithmetic already takes the size of a VGA character into
account.  Changing it to use vc_size_row (which is just "vc_cols"
shifted up to take the size of the character into account) ends up
multiplying with the VGA character size twice.

This got reported as bugs for various other subsystems, because what it
actually results in is writing the 16-bit vc_video_erase_char pattern
(usually 0x0720: 0x07 is the default attribute, 0x20 is ASCII space)
into some random other allocation.

So Markus ended up reporting this as a ext4 bug, while to Torsten Kaiser
it looked like a problem with KMS or libata.  Jeff Chua saw it in
different places.

And finally - Justin Mattock had slab poisoning enabled, and saw it as a
slab poison overwritten.  And bisected and reverted this to verify the
buggy commit.

Reported-by: Markus Trippelsdorf <markus@trippelsdorf.de>
Reported-by: Torsten Kaiser <just.for.lkml@googlemail.com>
Reported-by: Jeff Chua <jeff.chua.linux@gmail.com>
Reported-by: Justin P. Mattock <justinmattock@gmail.com>
Reported-bisected-and-tested-by: Justin P. Mattock <justinmattock@gmail.com>
Acked-by: Dave Airlie <airlied@redhat.com>
Cc: Frank Pan <frankpzh@gmail.com>
Cc: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-06-06 20:44:04 -07:00
..
agp agp/uninorth: Fix oops caused by flushing too much 2010-06-02 17:50:37 +10:00
hw_random Merge branch 'devel' of master.kernel.org:/home/rmk/linux-2.6-arm 2010-05-25 12:06:33 -07:00
ip2 Merge branch 'for-next' into for-linus 2010-03-08 16:55:37 +01:00
ipmi ipmi: handle run_to_completion properly in deliver_recv_msg() 2010-05-27 09:12:50 -07:00
mwave mwave: fix read buffer overflow 2009-09-24 07:21:03 -07:00
pcmcia pcmcia: dev_node removal (remaining drivers) 2010-05-10 10:23:16 +02:00
rio include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
tpm TPM: ACPI/PNP dependency removal 2010-05-17 09:08:18 +10:00
xilinx_hwicap of: Remove duplicate fields from of_platform_driver 2010-05-22 00:10:40 -06:00
.gitignore
amiserial.c m68k: amiga - Serial port platform device conversion 2010-05-26 19:51:09 +02:00
apm-emulation.c drivers: Push down BKL into various drivers 2010-05-17 05:27:41 +02:00
applicom.c drivers/char/applicom.c: use memdup_user 2010-05-27 09:12:50 -07:00
applicom.h
bfin-otp.c const: constify remaining file_operations 2009-10-01 16:11:11 -07:00
bfin_jtag_comm.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
briq_panel.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
bsr.c Merge branch 'master' into for-next 2010-04-23 02:08:44 +02:00
cd1865.h
consolemap.c consolemap: indentation & braces disagree - reindent 2009-01-06 15:59:30 -08:00
cp437.uni
cs5535_gpio.c drivers: Remove BKL from cs5535_gpio 2009-10-14 17:36:48 +02:00
cyclades.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
defkeymap.c_shipped
defkeymap.map
digi1.h
digiFep1.h
digiPCI.h
ds1302.c
ds1620.c drivers: Push down BKL into various drivers 2010-05-17 05:27:41 +02:00
dsp56k.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
dtlk.c drivers: Push down BKL into various drivers 2010-05-17 05:27:41 +02:00
efirtc.c efirtc: explicitly set llseek to no_llseek 2009-12-16 07:19:59 -08:00
epca.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
epca.h
epcaconfig.h
generic_nvram.c drivers: Push down BKL into various drivers 2010-05-17 05:27:41 +02:00
generic_serial.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
genrtc.c drivers: Push down BKL into various drivers 2010-05-17 05:27:41 +02:00
hangcheck-timer.c hangcheck-timer: fix x86_32 bugs 2010-05-25 08:07:02 -07:00
hpet.c drivers: Push down BKL into various drivers 2010-05-17 05:27:41 +02:00
hvc_beat.c Merge branch 'next-devicetree' of git://git.secretlab.ca/git/linux-2.6 2010-02-25 15:38:37 -08:00
hvc_console.c hvc_console: Fix race between hvc_close and hvc_remove 2010-04-08 09:46:20 +09:30
hvc_console.h hvc_console: make the ops pointer const. 2010-02-24 14:22:32 +10:30
hvc_irq.c hvc_console: Call free_irq() only if request_irq() was successful 2009-01-13 14:48:01 +11:00
hvc_iseries.c Merge branch 'for-next' into for-linus 2010-03-08 16:55:37 +01:00
hvc_iucv.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
hvc_rtas.c hvc_console: make the ops pointer const. 2010-02-24 14:22:32 +10:30
hvc_udbg.c hvc_console: make the ops pointer const. 2010-02-24 14:22:32 +10:30
hvc_vio.c hvc_console: make the ops pointer const. 2010-02-24 14:22:32 +10:30
hvc_xen.c hvc_console: make the ops pointer const. 2010-02-24 14:22:32 +10:30
hvcs.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
hvsi.c hvsi: fix messed up error checking getting state name 2010-05-25 08:07:03 -07:00
i8k.c procfs: Push down the bkl from ioctl 2010-05-17 03:06:12 +02:00
isicom.c serial: isicomm: handle running out of slots 2010-05-21 09:34:30 -07:00
istallion.c tty: Fix regressions in the char driver conversion 2010-04-30 09:20:33 -07:00
Kconfig ramoops: add HAS_IOMEM dependency 2010-06-04 15:21:44 -07:00
keyboard.c Input: keyboard - fix formatting issues 2010-04-13 23:26:35 -07:00
lp.c lp: move compat_ioctl handling into lp.c 2009-12-10 22:55:36 +01:00
Makefile char drivers: RAM oops/panic logger 2010-05-27 09:12:50 -07:00
mbcs.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
mbcs.h
mem.c frv: hide uncached_access() when pgprot_noncached is not #defined 2010-04-07 08:38:05 -07:00
misc.c drivers: misc: pass miscdevice pointer via file private data 2010-05-25 08:07:03 -07:00
mmtimer.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
moxa.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
moxa.h
mspec.c tree-wide: fix assorted typos all over the place 2009-12-04 15:39:55 +01:00
mxser.c tty: Fix regressions in the char driver conversion 2010-04-30 09:20:33 -07:00
mxser.h
n_gsm.c TTY/n_gsm: potential double lock 2010-06-04 13:37:17 -07:00
n_hdlc.c headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
n_r3964.c tree-wide: fix assorted typos all over the place 2009-12-04 15:39:55 +01:00
n_tty.c ldisc n_tty: add new method n_tty_inherit_ops() 2010-03-12 15:52:43 -08:00
nozomi.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
nsc_gpio.c
nvram.c drivers: Push down BKL into various drivers 2010-05-17 05:27:41 +02:00
nwbutton.c
nwbutton.h
nwflash.c drivers: Push down BKL into various drivers 2010-05-17 05:27:41 +02:00
pc8736x_gpio.c drivers: Remove BKL from pc8736x_gpio 2009-10-14 17:36:52 +02:00
ppdev.c drivers/char/ppdev.c: use kasprintf 2010-05-27 09:12:50 -07:00
ps3flash.c drop unused dentry argument to ->fsync 2010-05-27 22:05:02 -04:00
pty.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
ramoops.c char drivers: RAM oops/panic logger 2010-05-27 09:12:50 -07:00
random.c random: simplify fips mode 2010-05-20 19:55:01 +10:00
raw.c drivers: Push down BKL into various drivers 2010-05-17 05:27:41 +02:00
riscom8.c tty: Fix regressions in the char driver conversion 2010-04-30 09:20:33 -07:00
riscom8.h
riscom8_reg.h
rocket.c headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
rocket.h
rocket_int.h
rtc.c sysctl: Drop & in front of every proc_handler. 2009-11-18 08:37:40 -08:00
scc.h m68k: atari - Rename "mfp" to "st_mfp" 2009-02-22 09:23:02 -08:00
scx200_gpio.c drivers: Remove BKL from scx200_gpio 2009-10-14 17:36:53 +02:00
selection.c tty: rewrite the ldisc locking 2009-06-11 08:51:01 -07:00
ser_a2232.c headers: remove sched.h from interrupt.h 2009-10-11 11:20:58 -07:00
ser_a2232.h
ser_a2232fw.ax
ser_a2232fw.h
serial167.c serial: Tidy REMOTE_DEBUG 2010-05-21 09:34:31 -07:00
snsc.c
snsc.h
snsc_event.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
sonypi.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
specialix.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
specialix_io8.h
stallion.c tty: Fix regressions in the char driver conversion 2010-04-30 09:20:33 -07:00
sx.c headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
sx.h
sxboards.h
sxwindow.h
synclink.c Char: synclink, remove unnecessary checks 2010-03-02 14:43:16 -08:00
synclink_gt.c serial: synclink_gt: dropped transmit data bugfix 2010-03-02 14:43:08 -08:00
synclinkmp.c hdlc: convert to netdev_tx_t 2009-09-01 01:13:31 -07:00
sysrq.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2010-05-20 10:33:06 -07:00
tb0219.c mips: Remove BKL from tb0219 2009-10-14 17:36:53 +02:00
tlclk.c headers: remove sched.h from interrupt.h 2009-10-11 11:20:58 -07:00
toshiba.c tosh: Use non bkl ioctl 2010-01-04 12:31:21 -08:00
tty_audit.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
tty_buffer.c tty: fix obsolete comment on tty_insert_flip_string_fixed_flag 2010-05-21 09:34:30 -07:00
tty_io.c tty: Fix unbalanced BKL handling in error path 2010-05-13 12:10:56 -07:00
tty_ioctl.c tree-wide: fix a very frequent spelling mistake 2009-11-09 09:40:54 +01:00
tty_ldisc.c tty: Fix the ldisc hangup race 2010-03-02 14:43:22 -08:00
tty_port.c tty_port,usb-console: Fix usb serial console open/close regression 2010-03-19 07:17:57 -07:00
uv_mmtimer.c x86, UV: Fix RTC latency bug by reading replicated cachelines 2010-01-27 11:33:53 +01:00
vc_screen.c vc: create vcs(a) devices for consoles 2009-07-20 16:38:43 -07:00
viotape.c of: Always use 'struct device.of_node' to get device node pointer. 2010-05-18 16:10:44 -06:00
virtio_console.c virtio: console: Fix crash when port is unplugged and blocked for write 2010-06-03 22:39:19 +09:30
vme_scc.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
vt.c Revert "tty: fix a little bug in scrup, vt.c" 2010-06-06 20:44:04 -07:00
vt_ioctl.c vt_ioctl: return -EFAULT on copy_from_user errors 2010-06-04 13:37:18 -07:00