Revert "consolemap: Fix a memory leaking bug in drivers/tty/vt/consolemap.c"
mainline inclusion
from mainline-v5.3-rc1
commit 15b3cd8e
category: bugfix
bugzilla: 34617
CVE: CVE-2019-12379

---------------------------

This reverts commit 84ecc2f6.

con_insert_unipair() is working with a sparse 3-dimensional array:

- p->uni_pgdir[] is the top layer
- p1 points to a middle layer
- p2 points to a bottom layer

If it needs to allocate a new middle layer, and then fails to allocate a new bottom layer, it would previously free only p2, and now it frees both p1 and p2. But since the new middle layer was already registered in the top layer, it was not leaked.

However, if it looks up an *existing* middle layer and then fails to allocate a bottom layer, it now frees both p1 and p2 but does *not* free any other bottom layers under p1. So it *introduces* a memory leak.

The error path also cleared the wrong index in p->uni_pgdir[], introducing a use-after-free.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Fixes: 84ecc2f6 ("consolemap: Fix a memory leaking bug in drivers/tty/vt/consolemap.c")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Zheng Bin <zhengbin13@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
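The ownership rule the commit message describes, as an added userspace model (not the kernel source and not part of the original commit): a fault-injecting allocator fails the bottom-layer allocation under an existing middle layer, and a counter shows what teardown can still reach. The names `struct dir`, `xalloc`, `insert`, `drop_mid` and `leaked_after_failure` are assumptions of this sketch, and the `drop_mid` path clears the correct top-layer slot, so it reproduces only the leak, not the wrong-index use-after-free.

```c
#include <stdlib.h>
typedef unsigned short u16;
struct dir { u16 **pgdir[32]; };  /* top layer; userspace model, names illustrative */
static int live, fail_next;       /* outstanding allocations; fail-next-alloc flag */

static void *xalloc(size_t n) {
    if (fail_next) { fail_next = 0; return NULL; }
    live++;
    return calloc(1, n);          /* assumed to succeed in this model */
}
static void xfree(void *p) { if (p) { live--; free(p); } }

/* drop_mid=1 models the reverted error path: freeing p1 orphans its other p2s. */
static int insert(struct dir *d, u16 uc, u16 pos, int drop_mid) {
    unsigned top = uc >> 11, mid = (uc >> 6) & 0x1f;
    u16 **p1 = d->pgdir[top], *p2;
    if (!p1) {
        p1 = d->pgdir[top] = xalloc(32 * sizeof(*p1));
        if (!p1) return -1;
    }
    p2 = p1[mid];
    if (!p2) {
        p2 = p1[mid] = xalloc(64 * sizeof(*p2));
        if (!p2) {
            if (drop_mid) { xfree(p1); d->pgdir[top] = NULL; }
            return -1;            /* otherwise p1 stays owned by pgdir[top] */
        }
    }
    p2[uc & 0x3f] = pos;
    return 0;
}

static void teardown(struct dir *d) {
    for (int i = 0; i < 32; i++) {
        for (int j = 0; d->pgdir[i] && j < 32; j++) xfree(d->pgdir[i][j]);
        xfree(d->pgdir[i]);
    }
}

/* One good insert, one failed insert under the same middle layer, teardown. */
static int leaked_after_failure(int drop_mid) {
    struct dir d = {0};
    live = 0;
    insert(&d, 0x0041, 1, drop_mid);  /* top 0, mid 1 */
    fail_next = 1;
    insert(&d, 0x0100, 2, drop_mid);  /* top 0, mid 4: bottom alloc fails */
    teardown(&d);
    return live;                      /* allocations never freed */
}
int main(void) { return leaked_after_failure(0); } /* exit 0: nothing leaked */
```

With `drop_mid` set, the bottom layer created by the first insert is no longer reachable from the top layer, so teardown cannot free it.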