virtio-console: avoid DMA from stack

commit c4baad50297d84bde1a7ad45e50c73adae4a2192 upstream.

put_chars() stuffs the buffer it gets into an sg, but that buffer may be
on the stack. This breaks with CONFIG_VMAP_STACK=y (for me, it
manifested as printks getting turned into NUL bytes).

Signed-off-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Amit Shah <amit.shah@redhat.com>
Cc: Ben Hutchings <ben@decadent.org.uk>
Cc: Brad Spengler <spender@grsecurity.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

1 files changed, 10 insertions, 2 deletions

diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
index 5649234b7316..471a301d63e3 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -1136,6 +1136,8 @@ static int put_chars(u32 vtermno, const char *buf, int count)
 {
         struct port *port;
         struct scatterlist sg[1];
+        void *data;
+        int ret;
 
         if (unlikely(early_put_chars))
                 return early_put_chars(vtermno, buf, count);
@@ -1144,8 +1146,14 @@ static int put_chars(u32 vtermno, const char *buf, int count)
         if (!port)
                 return -EPIPE;
 
-        sg_init_one(sg, buf, count);
-        return __send_to_port(port, sg, 1, count, (void *)buf, false);
+        data = kmemdup(buf, count, GFP_ATOMIC);
+        if (!data)
+                return -ENOMEM;
+
+        sg_init_one(sg, data, count);
+        ret = __send_to_port(port, sg, 1, count, data, false);
+        kfree(data);
+        return ret;
 }
 
 /*