[RH8,2/3] vt: selection, push console lock down

Submitted by Evgenii Shatokhin on Oct. 13, 2020, 9:04 p.m.


Message ID 20201013210437.20384-3-eshatokhin@virtuozzo.com
State New
Series "Fixes for CVE-2020-8648"
Commit Message

Evgenii Shatokhin Oct. 13, 2020, 9:04 p.m.
From: Jiri Slaby <jslaby@suse.cz>

We need to nest the console lock in sel_lock, so we have to push it down
a bit. Fortunately, the callers of set_selection_* just lock the console
lock around the function call. So moving it down is easy.

In the next patch, we switch the order.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Fixes: 07e6124a1a46 ("vt: selection, close sel_buffer race")
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200228115406.5735-1-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


This is a backport of mainline commit 4b70dd57a15d2f4685ac6e38056bad93e81e982f:

* speakup-related hunk was dropped because that driver does not use
set_selection(): it is not exported in this kernel version;

* the affected code is in set_selection() rather than set_selection_kernel().

Signed-off-by: Evgenii Shatokhin <eshatokhin@virtuozzo.com>
 drivers/tty/vt/selection.c | 13 ++++++++++++-
 drivers/tty/vt/vt.c        |  2 --
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/drivers/tty/vt/selection.c b/drivers/tty/vt/selection.c
index 2a68d6fdb7b1..2f378a7cd1fe 100644
--- a/drivers/tty/vt/selection.c
+++ b/drivers/tty/vt/selection.c
@@ -155,7 +155,7 @@  static int store_utf8(u16 c, char *p)
  *	The entire selection process is managed under the console_lock. It's
  *	 a lot under the lock but its hardly a performance path
-int set_selection(const struct tiocl_selection __user *sel, struct tty_struct *tty)
+static int __set_selection(const struct tiocl_selection __user *sel, struct tty_struct *tty)
 	struct vc_data *vc = vc_cons[fg_console].d;
 	int new_sel_start, new_sel_end, spc;
@@ -320,6 +320,17 @@  int set_selection(const struct tiocl_selection __user *sel, struct tty_struct *t
 	return ret;
+int set_selection(const struct tiocl_selection __user *sel, struct tty_struct *tty)
+	int ret;
+	console_lock();
+	ret = __set_selection(sel, tty);
+	console_unlock();
+	return ret;
 /* Insert the contents of the selection buffer into the
  * queue of the tty associated with the current console.
  * Invoked by ioctl().
diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 29cf1cd7aff0..440a2d085729 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -2694,9 +2694,7 @@  int tioclinux(struct tty_struct *tty, unsigned long arg)
 	switch (type)
-			console_lock();
 			ret = set_selection((struct tiocl_selection __user *)(p+1), tty);
-			console_unlock();
 			ret = paste_selection(tty);