Commit 23ca0c7

vc_screen: don't clobber return value in vcs_read
jira VULN-358
jira VULN-55184
cve-bf CVE-2023-3567
cve-bf CVE-2023-52973
commit-author Thomas Weißschuh <[email protected]>
commit ae3419f

Commit 226fae1 ("vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF") moved the call to vcs_vc() into the loop.

While doing this it also moved the unconditional assignment of ret = -ENXIO; This unconditional assignment was valid outside the loop but within it it clobbers the actual value of ret.

To avoid this only assign "ret = -ENXIO" when actually needed.

[ Also, the 'goto unlock_out" needs to be just a "break", so that it does the right thing when it exits on later iterations when partial success has happened - Linus ]

Reported-by: Storm Dragon <[email protected]>
Link: https://lore.kernel.org/lkml/Y%[email protected]/
Fixes: 226fae1 ("vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF")
Signed-off-by: Thomas Weißschuh <[email protected]>
Link: https://lore.kernel.org/lkml/[email protected]/
Signed-off-by: Linus Torvalds <[email protected]>
(cherry picked from commit ae3419f)
Signed-off-by: Marcin Wcisło <[email protected]>
1 parent a09e234 commit 23ca0c7

1 file changed, +4 -3 lines changed

drivers/tty/vt/vc_screen.c

Lines changed: 4 additions & 3 deletions
@@ -403,10 +403,11 @@ vcs_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)
403403
unsigned int this_round, skip = 0;
404404
int size;
405405

406-
ret = -ENXIO;
407406
vc = vcs_vc(inode, &viewed);
408-
if (!vc)
409-
goto unlock_out;
407+
if (!vc) {
408+
ret = -ENXIO;
409+
break;
410+
}
410411

411412
/* Check whether we are above size each round,
412413
* as copy_to_user at the end of this loop
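
Review bot: the new `if (!vc)` block (new lines 407-410) carries no comment explaining why it leaves the loop with `break` where the old code used `goto unlock_out`; that reasoning (exiting on a later iteration after partial success) exists only in the commit message. A one-line comment above `break;` stating that the code after the loop must still run when earlier rounds succeeded would keep a later cleanup from turning it back into a `goto`. Note also that `ret = -ENXIO` is still assigned on later iterations, not only the first, so the result depends on how the code after the loop, which this hunk does not show, combines `ret` with what was already read; that is worth confirming against the full function.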
