Merge 4.4.286 into android-4.4-p

Changes in 4.4.286
	usb: gadget: r8a66597: fix a loop in set_feature()
	usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned()
	cifs: fix incorrect check for null pointer in header_assemble
	xen/x86: fix PV trap handling on secondary processors
	USB: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter
	USB: serial: mos7840: remove duplicated 0xac24 device ID
	USB: serial: option: add Telit LN920 compositions
	USB: serial: option: remove duplicate USB device ID
	USB: serial: option: add device id for Foxconn T99W265
	net: hso: fix muxed tty registration
	net/mlx4_en: Don't allow aRFS for encapsulated packets
	scsi: iscsi: Adjust iface sysfs attr detection
	blktrace: Fix uaf in blk_trace access after removing by sysfs
	m68k: Double cast io functions to unsigned long
	compiler.h: Introduce absolute_pointer macro
	net: i825xx: Use absolute_pointer for memcpy from fixed memory location
	sparc: avoid stringop-overread errors
	qnx4: avoid stringop-overread errors
	parisc: Use absolute_pointer() to define PAGE0
	arm64: Mark __stack_chk_guard as __ro_after_init
	alpha: Declare virt_to_phys and virt_to_bus parameter as pointer to volatile
	net: 6pack: Fix tx timeout and slot time
	spi: Fix tegra20 build with CONFIG_PM=n
	qnx4: work around gcc false positive warning bug
	tty: Fix out-of-bound vmalloc access in imageblit
	mac80211: fix use-after-free in CCMP/GCMP RX
	ipvs: check that ip_vs_conn_tab_bits is between 8 and 20
	e100: fix length calculation in e100_get_regs_len
	e100: fix buffer overrun in e100_get_regs
	ipack: ipoctal: fix stack information leak
	ipack: ipoctal: fix tty registration race
	ipack: ipoctal: fix tty-registration error handling
	ipack: ipoctal: fix missing allocation-failure check
	ipack: ipoctal: fix module reference leak
	ext4: fix potential infinite loop in ext4_dx_readdir()
	EDAC/synopsys: Fix wrong value type assignment for edac_mode
	arm64: Extend workaround for erratum 1024718 to all versions of Cortex-A55
	HID: betop: fix slab-out-of-bounds Write in betop_probe
	netfilter: ipset: Fix oversized kvmalloc() calls
	HID: usbhid: free raw_report buffers in usbhid_stop
	cred: allow get_cred() and put_cred() to be given NULL.
	Linux 4.4.286

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I3180bfeaddc99c8d216f932c9f149060cc60f16e

1 files changed, 19 insertions, 2 deletions

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 9f479b4c6491..0fab196a1d90 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -882,8 +882,25 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc,
 	new_row_size = new_cols << 1;
 	new_screen_size = new_row_size * new_rows;
 
-	if (new_cols == vc->vc_cols && new_rows == vc->vc_rows)
-		return 0;
+	if (new_cols == vc->vc_cols && new_rows == vc->vc_rows) {
+		/*
+		 * This function is being called here to cover the case
+		 * where the userspace calls the FBIOPUT_VSCREENINFO twice,
+		 * passing the same fb_var_screeninfo containing the fields
+		 * yres/xres equal to a number non-multiple of vc_font.height
+		 * and yres_virtual/xres_virtual equal to number lesser than the
+		 * vc_font.height and yres/xres.
+		 * In the second call, the struct fb_var_screeninfo isn't
+		 * being modified by the underlying driver because of the
+		 * if above, and this causes the fbcon_display->vrows to become
+		 * negative and it eventually leads to out-of-bound
+		 * access by the imageblit function.
+		 * To give the correct values to the struct and to not have
+		 * to deal with possible errors from the code below, we call
+		 * the resize_screen here as well.
+		 */
+		return resize_screen(vc, new_cols, new_rows, user);
+	}
 
 	if (new_screen_size > (4 << 20))
 		return -EINVAL;