@@ -113,15 +113,22 @@ static inline int inword(const u32 c)
* sel_loadlut() - load the LUT table
* @lut: user table
*
- * Load the LUT table from user space. The caller must hold the console
- * lock. Make a temporary copy so a partial update doesn't make a mess.
+ * Load the LUT table from user space. Make a temporary copy so a partial
+ * update doesn't make a mess.
+ *
+ * Locking: The console lock is acquired.
*/
int sel_loadlut(u32 __user *lut)
{
u32 tmplut[ARRAY_SIZE(inwordLut)];
+
if (copy_from_user(tmplut, lut, sizeof(inwordLut)))
return -EFAULT;
+
+ console_lock();
memcpy(inwordLut, tmplut, sizeof(inwordLut));
+ console_unlock();
+
return 0;
}
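Review bot: The new `Locking: The console lock is acquired.` line in the sel_loadlut() kernel-doc does not say that callers must no longer hold the lock, which is the contract change that matters. The function now calls console_lock() itself, so a caller that still held the lock would presumably block on it. I would word it as `Context: Takes and releases the console lock; must not be called with it held.` Separately, copy_from_user() writes into tmplut but is bounded by `sizeof(inwordLut)`, and the two sizes match only while inwordLut stays a u32 array (its declaration is outside the hunk). Using `copy_from_user(tmplut, lut, sizeof(tmplut))` would tie the bound to the destination buffer.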
@@ -3162,10 +3162,7 @@ int tioclinux(struct tty_struct *tty, unsigned long arg)
case TIOCL_SELLOADLUT:
if (!capable(CAP_SYS_ADMIN))
return -EPERM;
- console_lock();
- ret = sel_loadlut(param_aligned32);
- console_unlock();
- break;
+ return sel_loadlut(param_aligned32);
case TIOCL_GETSHIFTSTATE:
/*
* Make it possible to react to Shift+Mousebutton. Note that
@@ -3181,10 +3178,7 @@ int tioclinux(struct tty_struct *tty, unsigned long arg)
console_unlock();
return put_user(data, p);
case TIOCL_SETVESABLANK:
- console_lock();
- ret = set_vesa_blanking(param);
- console_unlock();
- break;
+ return set_vesa_blanking(param);
case TIOCL_GETKMSGREDIRECT:
data = vt_get_kmsg_redirect();
return put_user(data, p);
@@ -4270,7 +4264,10 @@ static int set_vesa_blanking(u8 __user *mode_user)
if (get_user(mode, mode_user))
return -EFAULT;
+ console_lock();
vesa_blank_mode = (mode < 4) ? mode : 0;
+ console_unlock();
+
return 0;
}
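Review bot: set_vesa_blanking() now takes the console lock itself but, unlike sel_loadlut() in the first hunk, gets no comment saying so, which leaves its locking contract visible only by reading the body. A short comment above the function, such as `/* Takes the console lock; callers must not hold it. */`, would keep the two consistent. The lock now covers only the store to vesa_blank_mode, which helps only if the readers of that variable also run under the console lock. Those readers are not visible here, so this is worth confirming. The function's opening and the declaration of `mode` are outside the hunk.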
Avoid costly user copies under the console lock. So push the lock down from tioclinux() to sel_loadlut() and set_vesa_blanking(). It is now obvious what is actually protected. Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org> --- drivers/tty/vt/selection.c | 11 +++++++++-- drivers/tty/vt/vt.c | 13 +++++-------- 2 files changed, 14 insertions(+), 10 deletions(-)