From 9fc2b2d0cf743008d8f6be6293278f4ef61f09f3 Mon Sep 17 00:00:00 2001 From: Francisco Jerez Date: Sun, 22 Aug 2010 17:37:24 +0200 Subject: vt: Fix console corruption on driver hand-over. After 02f0777a0d6560eb995aade34a1b82f95c0452da "vc_origin" is no longer reset to the screen buffer before calling the con_init() hook of the new console driver. If the old driver wasn't using a fixed scanout buffer (e.g. the case of vgacon) "vc_origin" may be a pointer to a VRAM location, and its contents aren't guaranteed to be preserved after calling con_deinit() on the old driver and con_init() on the new driver, i.e. the subsequent console resize may fill the framebuffer with garbage. It can be reproduced in the transition from vgacon to the nouveau framebuffer driver: in that case the legacy VGA aperture "vc_origin" points to becomes unreadable after fbcon_init(). This patch reverts the mentioned commit. To avoid the problem it intended to fix, stop using "vc_scr_end" in vc_do_resize() to calculate how many rows we have to copy (actually the code looks simpler this way without the help of "vc_scr_end"). Signed-off-by: Francisco Jerez Cc: qiaochong Cc: Greg Kroah-Hartman Cc: Andrew Morton Cc: Alan Cox Signed-off-by: Greg Kroah-Hartman --- drivers/char/vt.c | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-) (limited to 'drivers/char') diff --git a/drivers/char/vt.c b/drivers/char/vt.c index 50590c7f2c01..281aada7b4a1 100644 --- a/drivers/char/vt.c +++ b/drivers/char/vt.c @@ -906,22 +906,16 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc, * bottom of buffer */ old_origin += (old_rows - new_rows) * old_row_size; - end = vc->vc_scr_end; } else { /* * Cursor is in no man's land, copy 1/2 screenful * from the top and bottom of cursor position */ old_origin += (vc->vc_y - new_rows/2) * old_row_size; - end = old_origin + (old_row_size * new_rows); } - } else - /* - * Cursor near the top, copy contents from the top of buffer - */ - end = (old_rows > new_rows) ? old_origin + - (old_row_size * new_rows) : - vc->vc_scr_end; + } + + end = old_origin + old_row_size * min(old_rows, new_rows); update_attr(vc); @@ -3075,8 +3069,7 @@ static int bind_con_driver(const struct consw *csw, int first, int last, old_was_color = vc->vc_can_do_color; vc->vc_sw->con_deinit(vc); - if (!vc->vc_origin) - vc->vc_origin = (unsigned long)vc->vc_screenbuf; + vc->vc_origin = (unsigned long)vc->vc_screenbuf; visual_init(vc, i, 0); set_origin(vc); update_attr(vc); -- cgit v1.2.3 From 6eb68d6f3bf1707d5d816ea9242b7d38f25b942e Mon Sep 17 00:00:00 2001 From: Nathael Pajani Date: Thu, 2 Sep 2010 16:06:16 +0200 Subject: tty: fix tty_line must not be equal to number of allocated tty pointers in tty driver I found a bug "by chance" in drivers/char/tty_io.c I mean "by chance" because I was just reading the code of the tty_find_polling_driver() to make a new tty_find_by_name() function. In tty_find_polling_driver() the driver actually test "tty_line <= p->num" while num refers to the number of struct tty_struct pointers allocated for the p->ttys (p is a tty_driver), and tty_line is scanned in a tty name, which can be for example ttyS2. Then tty_line equals 2. And if p->num is 2, we have only p->ttys[0] and p->ttys[1], but no p->ttys[2]. This is actually unharmful, for tty_find_polling_driver() is used only in drivers/serial/kgdboc.c, and there's a test over there to find a console with a matching index, which will never happen. This is still a bug anyway. Signed-off-by: Nathael Pajani Signed-off-by: Greg Kroah-Hartman --- drivers/char/tty_io.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/char') diff --git a/drivers/char/tty_io.c b/drivers/char/tty_io.c index 949067a0bd47..613c852ee0fe 100644 --- a/drivers/char/tty_io.c +++ b/drivers/char/tty_io.c @@ -355,7 +355,7 @@ struct tty_driver *tty_find_polling_driver(char *name, int *line) if (*stp == '\0') stp = NULL; - if (tty_line >= 0 && tty_line <= p->num && p->ops && + if (tty_line >= 0 && tty_line < p->num && p->ops && p->ops->poll_init && !p->ops->poll_init(p, tty_line, stp)) { res = tty_driver_kref_get(p); *line = tty_line; -- cgit v1.2.3