From 1b0ec88ac1cb0413a717bc3cefea72d6f2533672 Mon Sep 17 00:00:00 2001 From: Jiri Slaby Date: Thu, 23 Jun 2016 13:34:23 +0200 Subject: vt: remove lines parameter from scrollback It is always called with 0, so remove the parameter and pass the default down to scrolldelta without checking. Signed-off-by: Jiri Slaby Signed-off-by: Greg Kroah-Hartman --- drivers/tty/vt/keyboard.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/tty/vt/keyboard.c') diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c index f973bfce5d08..cd08c103eb47 100644 --- a/drivers/tty/vt/keyboard.c +++ b/drivers/tty/vt/keyboard.c @@ -579,7 +579,7 @@ static void fn_scroll_forw(struct vc_data *vc) static void fn_scroll_back(struct vc_data *vc) { - scrollback(vc, 0); + scrollback(vc); } static void fn_show_mem(struct vc_data *vc) -- cgit v1.2.3 From 9b6519009dbe2b361a73284ea0fd2e9b86aeef4d Mon Sep 17 00:00:00 2001 From: Muhammad Falak R Wani Date: Fri, 20 May 2016 17:53:28 +0530 Subject: tty/vt/keyboard: use memdup_user(). Use memdup_user to duplicate a memory region from user-space to kernel-space, instead of open coding using kmalloc & copy_from_user. Signed-off-by: Muhammad Falak R Wani Reviewed-by: Samuel Thibault Signed-off-by: Greg Kroah-Hartman --- drivers/tty/vt/keyboard.c | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) (limited to 'drivers/tty/vt/keyboard.c') diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c index cd08c103eb47..89a7ab007ff4 100644 --- a/drivers/tty/vt/keyboard.c +++ b/drivers/tty/vt/keyboard.c @@ -1745,16 +1745,10 @@ int vt_do_diacrit(unsigned int cmd, void __user *udp, int perm) return -EINVAL; if (ct) { - buf = kmalloc(ct * sizeof(struct kbdiacruc), - GFP_KERNEL); - if (buf == NULL) - return -ENOMEM; - - if (copy_from_user(buf, a->kbdiacruc, - ct * sizeof(struct kbdiacruc))) { - kfree(buf); - return -EFAULT; - } + buf = memdup_user(a->kbdiacruc, + ct * sizeof(struct kbdiacruc)); + if (IS_ERR(buf)) + return PTR_ERR(buf); } spin_lock_irqsave(&kbd_event_lock, flags); if (ct) -- cgit v1.2.3 From 510cccb5b0c8868a2b302a0ab524da7912da648b Mon Sep 17 00:00:00 2001 From: Dmitry Torokhov Date: Mon, 27 Jun 2016 14:12:34 -0700 Subject: tty/vt/keyboard: fix OOB access in do_compute_shiftstate() The size of individual keymap in drivers/tty/vt/keyboard.c is NR_KEYS, which is currently 256, whereas number of keys/buttons in input device (and therefor in key_down) is much larger - KEY_CNT - 768, and that can cause out-of-bound access when we do sym = U(key_maps[0][k]); with large 'k'. To fix it we should not attempt iterating beyond smaller of NR_KEYS and KEY_CNT. Also while at it let's switch to for_each_set_bit() instead of open-coding it. Reported-by: Sasha Levin Reviewed-by: Guenter Roeck Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov --- drivers/tty/vt/keyboard.c | 30 +++++++++--------------------- 1 file changed, 9 insertions(+), 21 deletions(-) (limited to 'drivers/tty/vt/keyboard.c') diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c index f973bfce5d08..1e93a37e27f0 100644 --- a/drivers/tty/vt/keyboard.c +++ b/drivers/tty/vt/keyboard.c @@ -366,34 +366,22 @@ static void to_utf8(struct vc_data *vc, uint c) static void do_compute_shiftstate(void) { - unsigned int i, j, k, sym, val; + unsigned int k, sym, val; shift_state = 0; memset(shift_down, 0, sizeof(shift_down)); - for (i = 0; i < ARRAY_SIZE(key_down); i++) { - - if (!key_down[i]) + for_each_set_bit(k, key_down, min(NR_KEYS, KEY_CNT)) { + sym = U(key_maps[0][k]); + if (KTYP(sym) != KT_SHIFT && KTYP(sym) != KT_SLOCK) continue; - k = i * BITS_PER_LONG; - - for (j = 0; j < BITS_PER_LONG; j++, k++) { - - if (!test_bit(k, key_down)) - continue; + val = KVAL(sym); + if (val == KVAL(K_CAPSSHIFT)) + val = KVAL(K_SHIFT); - sym = U(key_maps[0][k]); - if (KTYP(sym) != KT_SHIFT && KTYP(sym) != KT_SLOCK) - continue; - - val = KVAL(sym); - if (val == KVAL(K_CAPSSHIFT)) - val = KVAL(K_SHIFT); - - shift_down[val]++; - shift_state |= (1 << val); - } + shift_down[val]++; + shift_state |= BIT(val); } } -- cgit v1.2.3