[RHEL7,COMMIT] vt: selection, push console lock down

Submitted by Vasily Averin on Oct. 14, 2020, 4:38 a.m.

Details

Message ID 202010140438.09E4cad5019008@vz7build.vvs.sw.ru
State New
Series "Follow-up fixes for CVE-2020-8648"
Headers show

Commit Message

Vasily Averin Oct. 14, 2020, 4:38 a.m.
The commit is pushed to "branch-rh7-3.10.0-1127.18.2.vz7.163.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1127.18.2.vz7.163.37
------>
commit a1e4a3ee0b77f42ecd94b83527e0df27502f54d1
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Wed Oct 14 07:38:36 2020 +0300

    vt: selection, push console lock down
    
    We need to nest the console lock in sel_lock, so we have to push it down
    a bit. Fortunately, the callers of set_selection_* just lock the console
    lock around the function call. So moving it down is easy.
    
    In the next patch, we switch the order.
    
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Fixes: 07e6124a1a46 ("vt: selection, close sel_buffer race")
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20200228115406.5735-1-jslaby@suse.cz
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    
    https://jira.sw.ru/browse/PSBM-121234
    
    This is a backport of mainline commit 4b70dd57a15d2f4685ac6e38056bad93e81e982f:
    
    * speakup-related hunk was dropped because that driver does not use
    set_selection(): it is not exported in this kernel version;
    
    * the affected code is in set_selection() rather than set_selection_kernel().
    
    Signed-off-by: Evgenii Shatokhin <eshatokhin@virtuozzo.com>
---
 drivers/tty/vt/selection.c | 13 ++++++++++++-
 drivers/tty/vt/vt.c        |  2 --
 2 files changed, 12 insertions(+), 3 deletions(-)

Patch hide | download patch | download mbox

diff --git a/drivers/tty/vt/selection.c b/drivers/tty/vt/selection.c
index 145cf96..1c31746 100644
--- a/drivers/tty/vt/selection.c
+++ b/drivers/tty/vt/selection.c
@@ -157,7 +157,7 @@  static int store_utf8(u16 c, char *p)
  *	The entire selection process is managed under the console_lock. It's
  *	 a lot under the lock but its hardly a performance path
  */
-int set_selection(const struct tiocl_selection __user *sel, struct tty_struct *tty)
+static int __set_selection(const struct tiocl_selection __user *sel, struct tty_struct *tty)
 {
 	struct vc_data *vc = vc_cons[fg_console].d;
 	int sel_mode, new_sel_start, new_sel_end, spc;
@@ -333,6 +333,17 @@  unlock:
 	return ret;
 }
 
+int set_selection(const struct tiocl_selection __user *sel, struct tty_struct *tty)
+{
+	int ret;
+
+	console_lock();
+	ret = __set_selection(sel, tty);
+	console_unlock();
+
+	return ret;
+}
+
 /* Insert the contents of the selection buffer into the
  * queue of the tty associated with the current console.
  * Invoked by ioctl().
diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 795d786..07078cf 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -2603,9 +2603,7 @@  int tioclinux(struct tty_struct *tty, unsigned long arg)
 	switch (type)
 	{
 		case TIOCL_SETSEL:
-			console_lock();
 			ret = set_selection((struct tiocl_selection __user *)(p+1), tty);
-			console_unlock();
 			break;
 		case TIOCL_PASTESEL:
 			ret = paste_selection(tty);