From 871bdea6f8c64517635bec352b8bec6b72a26d80 Mon Sep 17 00:00:00 2001 From: Michael Gehring Date: Wed, 21 Mar 2012 01:26:45 +0100 Subject: tty/vt: handle bad user buffer in {G,P}IO_CMAP ioctl set_get_cmap() ignored the result of {get,put}_user(), causing ioctl(vt, {G,P}IO_CMAP, 0xdeadbeef) to silently fail. Another side effect of this: calling the PIO_CMAP ioctl with an invalid buffer would zero the default colormap and the palette for all vts (all colors set to black). Leave the default colormap intact and return -EFAULT when reading/writing to the userspace buffer fails. Signed-off-by: Michael Gehring Signed-off-by: Greg Kroah-Hartman --- drivers/tty/vt/vt.c | 68 +++++++++++++++++++++++++---------------------------- 1 file changed, 32 insertions(+), 36 deletions(-) (limited to 'drivers/tty/vt') diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index 3bdd4b19dd06..5836289bd861 100644 --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -3893,36 +3893,6 @@ static void set_palette(struct vc_data *vc) vc->vc_sw->con_set_palette(vc, color_table); } -static int set_get_cmap(unsigned char __user *arg, int set) -{ - int i, j, k; - - WARN_CONSOLE_UNLOCKED(); - - for (i = 0; i < 16; i++) - if (set) { - get_user(default_red[i], arg++); - get_user(default_grn[i], arg++); - get_user(default_blu[i], arg++); - } else { - put_user(default_red[i], arg++); - put_user(default_grn[i], arg++); - put_user(default_blu[i], arg++); - } - if (set) { - for (i = 0; i < MAX_NR_CONSOLES; i++) - if (vc_cons_allocated(i)) { - for (j = k = 0; j < 16; j++) { - vc_cons[i].d->vc_palette[k++] = default_red[j]; - vc_cons[i].d->vc_palette[k++] = default_grn[j]; - vc_cons[i].d->vc_palette[k++] = default_blu[j]; - } - set_palette(vc_cons[i].d); - } - } - return 0; -} - /* * Load palette into the DAC registers. arg points to a colour * map, 3 bytes per colour, 16 colours, range from 0 to 255. @@ -3930,24 +3900,50 @@ static int set_get_cmap(unsigned char __user *arg, int set) int con_set_cmap(unsigned char __user *arg) { - int rc; + int i, j, k; + unsigned char colormap[3*16]; + + if (copy_from_user(colormap, arg, sizeof(colormap))) + return -EFAULT; console_lock(); - rc = set_get_cmap (arg,1); + for (i = k = 0; i < 16; i++) { + default_red[i] = colormap[k++]; + default_grn[i] = colormap[k++]; + default_blu[i] = colormap[k++]; + } + for (i = 0; i < MAX_NR_CONSOLES; i++) { + if (!vc_cons_allocated(i)) + continue; + for (j = k = 0; j < 16; j++) { + vc_cons[i].d->vc_palette[k++] = default_red[j]; + vc_cons[i].d->vc_palette[k++] = default_grn[j]; + vc_cons[i].d->vc_palette[k++] = default_blu[j]; + } + set_palette(vc_cons[i].d); + } console_unlock(); - return rc; + return 0; } int con_get_cmap(unsigned char __user *arg) { - int rc; + int i, k; + unsigned char colormap[3*16]; console_lock(); - rc = set_get_cmap (arg,0); + for (i = k = 0; i < 16; i++) { + colormap[k++] = default_red[i]; + colormap[k++] = default_grn[i]; + colormap[k++] = default_blu[i]; + } console_unlock(); - return rc; + if (copy_to_user(arg, colormap, sizeof(colormap))) + return -EFAULT; + + return 0; } void reset_palette(struct vc_data *vc) -- cgit From 5d1a33fa5573702394a4d09a9872f3f930c06d58 Mon Sep 17 00:00:00 2001 From: Alan Cox Date: Tue, 24 Apr 2012 11:06:06 +0100 Subject: vt: push the tty_lock down into the map handling When we do this it becomes clear the lock we should be holding is the vc lock, and in fact many of our other helpers are properly invoked this way. We don't at this point guarantee not to race the keyboard code but the results of that appear harmless and that was true before we started as well. We now have no users of tty_lock in the console driver... Signed-off-by: Alan Cox Signed-off-by: Greg Kroah-Hartman --- drivers/tty/vt/consolemap.c | 123 ++++++++++++++++++++++++++++++++------------ drivers/tty/vt/vt_ioctl.c | 25 ++------- include/linux/vt_kern.h | 1 - 3 files changed, 96 insertions(+), 53 deletions(-) (limited to 'drivers/tty/vt') diff --git a/drivers/tty/vt/consolemap.c b/drivers/tty/vt/consolemap.c index 8308fc7cdc26..2aaa0c228409 100644 --- a/drivers/tty/vt/consolemap.c +++ b/drivers/tty/vt/consolemap.c @@ -19,6 +19,7 @@ #include #include #include +#include #include #include @@ -312,6 +313,7 @@ int con_set_trans_old(unsigned char __user * arg) if (!access_ok(VERIFY_READ, arg, E_TABSZ)) return -EFAULT; + console_lock(); for (i=0; ivc_uni_pagedir_loc; - if (p && p->readonly) return -EIO; + if (p && p->readonly) + return -EIO; + if (!p || --p->refcount) { q = kzalloc(sizeof(*p), GFP_KERNEL); if (!q) { - if (p) p->refcount++; + if (p) + p->refcount++; return -ENOMEM; } q->refcount=1; @@ -511,23 +525,43 @@ int con_clear_unimap(struct vc_data *vc, struct unimapinit *ui) return 0; } +int con_clear_unimap(struct vc_data *vc, struct unimapinit *ui) +{ + int ret; + console_lock(); + ret = con_do_clear_unimap(vc, ui); + console_unlock(); + return ret; +} + int con_set_unimap(struct vc_data *vc, ushort ct, struct unipair __user *list) { int err = 0, err1, i; struct uni_pagedir *p, *q; + console_lock(); + /* Save original vc_unipagdir_loc in case we allocate a new one */ p = (struct uni_pagedir *)*vc->vc_uni_pagedir_loc; - if (p->readonly) return -EIO; + if (p->readonly) { + console_unlock(); + return -EIO; + } - if (!ct) return 0; + if (!ct) { + console_unlock(); + return 0; + } if (p->refcount > 1) { int j, k; u16 **p1, *p2, l; - err1 = con_clear_unimap(vc, NULL); - if (err1) return err1; + err1 = con_do_clear_unimap(vc, NULL); + if (err1) { + console_unlock(); + return err1; + } /* * Since refcount was > 1, con_clear_unimap() allocated a @@ -558,7 +592,8 @@ int con_set_unimap(struct vc_data *vc, ushort ct, struct unipair __user *list) *vc->vc_uni_pagedir_loc = (unsigned long)p; con_release_unimap(q); kfree(q); - return err1; + console_unlock(); + return err1; } } } else { @@ -592,21 +627,30 @@ int con_set_unimap(struct vc_data *vc, ushort ct, struct unipair __user *list) /* * Merge with fontmaps of any other virtual consoles. */ - if (con_unify_unimap(vc, p)) + if (con_unify_unimap(vc, p)) { + console_unlock(); return err; + } for (i = 0; i <= 3; i++) set_inverse_transl(vc, p, i); /* Update inverse translations */ set_inverse_trans_unicode(vc, p); - + + console_unlock(); return err; } -/* Loads the unimap for the hardware font, as defined in uni_hash.tbl. - The representation used was the most compact I could come up - with. This routine is executed at sys_setup time, and when the - PIO_FONTRESET ioctl is called. */ - +/** + * con_set_default_unimap - set default unicode map + * @vc: the console we are updating + * + * Loads the unimap for the hardware font, as defined in uni_hash.tbl. + * The representation used was the most compact I could come up + * with. This routine is executed at video setup, and when the + * PIO_FONTRESET ioctl is called. + * + * The caller must hold the console lock + */ int con_set_default_unimap(struct vc_data *vc) { int i, j, err = 0, err1; @@ -617,6 +661,7 @@ int con_set_default_unimap(struct vc_data *vc) p = (struct uni_pagedir *)*vc->vc_uni_pagedir_loc; if (p == dflt) return 0; + dflt->refcount++; *vc->vc_uni_pagedir_loc = (unsigned long)dflt; if (p && !--p->refcount) { @@ -628,8 +673,9 @@ int con_set_default_unimap(struct vc_data *vc) /* The default font is always 256 characters */ - err = con_clear_unimap(vc, NULL); - if (err) return err; + err = con_do_clear_unimap(vc, NULL); + if (err) + return err; p = (struct uni_pagedir *)*vc->vc_uni_pagedir_loc; q = dfont_unitable; @@ -654,6 +700,13 @@ int con_set_default_unimap(struct vc_data *vc) } EXPORT_SYMBOL(con_set_default_unimap); +/** + * con_copy_unimap - copy unimap between two vts + * @dst_vc: target + * @src_vt: source + * + * The caller must hold the console lock when invoking this method + */ int con_copy_unimap(struct vc_data *dst_vc, struct vc_data *src_vc) { struct uni_pagedir *q; @@ -668,13 +721,23 @@ int con_copy_unimap(struct vc_data *dst_vc, struct vc_data *src_vc) *dst_vc->vc_uni_pagedir_loc = (long)q; return 0; } +EXPORT_SYMBOL(con_copy_unimap); +/** + * con_get_unimap - get the unicode map + * @vc: the console to read from + * + * Read the console unicode data for this console. Called from the ioctl + * handlers. + */ int con_get_unimap(struct vc_data *vc, ushort ct, ushort __user *uct, struct unipair __user *list) { int i, j, k, ect; u16 **p1, *p2; struct uni_pagedir *p; + console_lock(); + ect = 0; if (*vc->vc_uni_pagedir_loc) { p = (struct uni_pagedir *)*vc->vc_uni_pagedir_loc; @@ -694,22 +757,19 @@ int con_get_unimap(struct vc_data *vc, ushort ct, ushort __user *uct, struct uni } } __put_user(ect, uct); + console_unlock(); return ((ect <= ct) ? 0 : -ENOMEM); } -void con_protect_unimap(struct vc_data *vc, int rdonly) -{ - struct uni_pagedir *p = (struct uni_pagedir *)*vc->vc_uni_pagedir_loc; - - if (p) - p->readonly = rdonly; -} - /* * Always use USER_MAP. These functions are used by the keyboard, * which shouldn't be affected by G0/G1 switching, etc. * If the user map still contains default values, i.e. the * direct-to-font mapping, then assume user is using Latin1. + * + * FIXME: at some point we need to decide if we want to lock the table + * update element itself via the keyboard_event_lock for consistency with the + * keyboard driver as well as the consoles */ /* may be called during an interrupt */ u32 conv_8bit_to_uni(unsigned char c) @@ -777,4 +837,3 @@ console_map_init(void) con_set_default_unimap(vc_cons[i].d); } -EXPORT_SYMBOL(con_copy_unimap); diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c index ede2ef18d2fb..64618547be11 100644 --- a/drivers/tty/vt/vt_ioctl.c +++ b/drivers/tty/vt/vt_ioctl.c @@ -910,7 +910,9 @@ int vt_ioctl(struct tty_struct *tty, ret = con_font_op(vc_cons[fg_console].d, &op); if (ret) break; + console_lock(); con_set_default_unimap(vc_cons[fg_console].d); + console_unlock(); break; } #endif @@ -934,33 +936,23 @@ int vt_ioctl(struct tty_struct *tty, case PIO_SCRNMAP: if (!perm) ret = -EPERM; - else { - tty_lock(); + else ret = con_set_trans_old(up); - tty_unlock(); - } break; case GIO_SCRNMAP: - tty_lock(); ret = con_get_trans_old(up); - tty_unlock(); break; case PIO_UNISCRNMAP: if (!perm) ret = -EPERM; - else { - tty_lock(); + else ret = con_set_trans_new(up); - tty_unlock(); - } break; case GIO_UNISCRNMAP: - tty_lock(); ret = con_get_trans_new(up); - tty_unlock(); break; case PIO_UNIMAPCLR: @@ -970,19 +962,14 @@ int vt_ioctl(struct tty_struct *tty, ret = copy_from_user(&ui, up, sizeof(struct unimapinit)); if (ret) ret = -EFAULT; - else { - tty_lock(); + else con_clear_unimap(vc, &ui); - tty_unlock(); - } break; } case PIO_UNIMAP: case GIO_UNIMAP: - tty_lock(); ret = do_unimap_ioctl(cmd, up, perm, vc); - tty_unlock(); break; case VT_LOCKSWITCH: @@ -1196,9 +1183,7 @@ long vt_compat_ioctl(struct tty_struct *tty, case PIO_UNIMAP: case GIO_UNIMAP: - tty_lock(); ret = compat_unimap_ioctl(cmd, up, perm, vc); - tty_unlock(); break; /* diff --git a/include/linux/vt_kern.h b/include/linux/vt_kern.h index e33d77f15bda..50ae7d0c279e 100644 --- a/include/linux/vt_kern.h +++ b/include/linux/vt_kern.h @@ -70,7 +70,6 @@ int con_set_unimap(struct vc_data *vc, ushort ct, struct unipair __user *list); int con_get_unimap(struct vc_data *vc, ushort ct, ushort __user *uct, struct unipair __user *list); int con_set_default_unimap(struct vc_data *vc); void con_free_unimap(struct vc_data *vc); -void con_protect_unimap(struct vc_data *vc, int rdonly); int con_copy_unimap(struct vc_data *dst_vc, struct vc_data *src_vc); #define vc_translate(vc, c) ((vc)->vc_translate[(c) | \ -- cgit From b2d0b7a061bfddd27155c7dcd53f365d9dc0c7c3 Mon Sep 17 00:00:00 2001 From: Joshua Cov Date: Fri, 13 Apr 2012 21:08:26 +0200 Subject: keyboard: Use BIOS Keyboard variable to set Numlock The PC BIOS does provide a NUMLOCK flag containing the desired state of this LED. This patch sets the current state according to the data in the bios. [ hpa: fixed __weak declaration without definition, changed "inline" to "static inline" ] Signed-Off-By: Joshua Cov Link: http://lkml.kernel.org/r/CAKL7Q7rvq87TNS1T_Km8fW_5OzS%2BSbYazLXKxW-6ztOxo3zorg@mail.gmail.com Acked-by: Alan Cox Signed-off-by: H. Peter Anvin --- arch/parisc/include/asm/kbdleds.h | 19 +++++++++++++++++++ arch/x86/boot/main.c | 18 ++++++++++++------ arch/x86/include/asm/bootparam.h | 3 ++- arch/x86/include/asm/kbdleds.h | 17 +++++++++++++++++ drivers/tty/vt/keyboard.c | 20 ++++++++------------ 5 files changed, 58 insertions(+), 19 deletions(-) create mode 100644 arch/parisc/include/asm/kbdleds.h create mode 100644 arch/x86/include/asm/kbdleds.h (limited to 'drivers/tty/vt') diff --git a/arch/parisc/include/asm/kbdleds.h b/arch/parisc/include/asm/kbdleds.h new file mode 100644 index 000000000000..2e2e75a83c28 --- /dev/null +++ b/arch/parisc/include/asm/kbdleds.h @@ -0,0 +1,19 @@ +#ifndef _ASM_PARISC_KBDLEDS_H +#define _ASM_PARISC_KBDLEDS_H + +/* + * On HIL keyboards of PARISC machines there is no NumLock key and + * everyone expects the keypad to be used for numbers. That's why + * we can safely turn on the NUMLOCK bit. + */ + +static inline int kbd_defleds(void) +{ +#if defined(CONFIG_KEYBOARD_HIL) || defined(CONFIG_KEYBOARD_HIL_OLD) + return 1 << VC_NUMLOCK; +#else + return 0; +#endif +} + +#endif /* _ASM_PARISC_KBDLEDS_H */ diff --git a/arch/x86/boot/main.c b/arch/x86/boot/main.c index 40358c8905be..cf6083d444f4 100644 --- a/arch/x86/boot/main.c +++ b/arch/x86/boot/main.c @@ -57,14 +57,20 @@ static void copy_boot_params(void) } /* - * Set the keyboard repeat rate to maximum. Unclear why this + * Query the keyboard lock status as given by the BIOS, and + * set the keyboard repeat rate to maximum. Unclear why the latter * is done here; this might be possible to kill off as stale code. */ -static void keyboard_set_repeat(void) +static void keyboard_init(void) { - struct biosregs ireg; + struct biosregs ireg, oreg; initregs(&ireg); - ireg.ax = 0x0305; + + ireg.ah = 0x02; /* Get keyboard status */ + intcall(0x16, &ireg, &oreg); + boot_params.kbd_status = oreg.al; + + ireg.ax = 0x0305; /* Set keyboard repeat rate */ intcall(0x16, &ireg, NULL); } @@ -151,8 +157,8 @@ void main(void) /* Detect memory layout */ detect_memory(); - /* Set keyboard repeat rate (why?) */ - keyboard_set_repeat(); + /* Set keyboard repeat rate (why?) and query the lock flags */ + keyboard_init(); /* Query MCA information */ query_mca(); diff --git a/arch/x86/include/asm/bootparam.h b/arch/x86/include/asm/bootparam.h index 2f90c51cc49d..eb45aa6b1f27 100644 --- a/arch/x86/include/asm/bootparam.h +++ b/arch/x86/include/asm/bootparam.h @@ -112,7 +112,8 @@ struct boot_params { __u8 e820_entries; /* 0x1e8 */ __u8 eddbuf_entries; /* 0x1e9 */ __u8 edd_mbr_sig_buf_entries; /* 0x1ea */ - __u8 _pad6[6]; /* 0x1eb */ + __u8 kbd_status; /* 0x1eb */ + __u8 _pad6[5]; /* 0x1ec */ struct setup_header hdr; /* setup header */ /* 0x1f1 */ __u8 _pad7[0x290-0x1f1-sizeof(struct setup_header)]; __u32 edd_mbr_sig_buffer[EDD_MBR_SIG_MAX]; /* 0x290 */ diff --git a/arch/x86/include/asm/kbdleds.h b/arch/x86/include/asm/kbdleds.h new file mode 100644 index 000000000000..f27ac5ff597d --- /dev/null +++ b/arch/x86/include/asm/kbdleds.h @@ -0,0 +1,17 @@ +#ifndef _ASM_X86_KBDLEDS_H +#define _ASM_X86_KBDLEDS_H + +/* + * Some laptops take the 789uiojklm,. keys as number pad when NumLock is on. + * This seems a good reason to start with NumLock off. That's why on X86 we + * ask the bios for the correct state. + */ + +#include + +static inline int kbd_defleds(void) +{ + return boot_params.kbd_status & 0x20 ? (1 << VC_NUMLOCK) : 0; +} + +#endif /* _ASM_X86_KBDLEDS_H */ diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c index 86dd1e302bb3..b021a1817666 100644 --- a/drivers/tty/vt/keyboard.c +++ b/drivers/tty/vt/keyboard.c @@ -53,17 +53,13 @@ extern void ctrl_alt_del(void); #define KBD_DEFMODE ((1 << VC_REPEAT) | (1 << VC_META)) -/* - * Some laptops take the 789uiojklm,. keys as number pad when NumLock is on. - * This seems a good reason to start with NumLock off. On HIL keyboards - * of PARISC machines however there is no NumLock key and everyone expects the - * keypad to be used for numbers. - */ - -#if defined(CONFIG_PARISC) && (defined(CONFIG_KEYBOARD_HIL) || defined(CONFIG_KEYBOARD_HIL_OLD)) -#define KBD_DEFLEDS (1 << VC_NUMLOCK) +#if defined(CONFIG_X86) || defined(CONFIG_PARISC) +#include #else -#define KBD_DEFLEDS 0 +static inline int kbd_defleds(void) +{ + return 0; +} #endif #define KBD_DEFLOCK 0 @@ -1512,8 +1508,8 @@ int __init kbd_init(void) int error; for (i = 0; i < MAX_NR_CONSOLES; i++) { - kbd_table[i].ledflagstate = KBD_DEFLEDS; - kbd_table[i].default_ledflagstate = KBD_DEFLEDS; + kbd_table[i].ledflagstate = kbd_defleds(); + kbd_table[i].default_ledflagstate = kbd_defleds(); kbd_table[i].ledmode = LED_SHOW_FLAGS; kbd_table[i].lockstate = KBD_DEFLOCK; kbd_table[i].slockstate = 0; -- cgit From 05f843b5d3406c29c8af7d1eb39ea9143b21d6dc Mon Sep 17 00:00:00 2001 From: Alan Cox Date: Mon, 14 May 2012 14:41:31 +0100 Subject: tty: Fix LED error return 3.4-rc introduced a regression when setting the LEDS. We do the right thing but then return an error code. Resolves-bug: https://bugzilla.kernel.org/show_bug.cgi?id=43144 Reported-by: Christian Casteyde Signed-off-by: Alan Cox Cc: stable Signed-off-by: Greg Kroah-Hartman --- drivers/tty/vt/keyboard.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/tty/vt') diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c index 86dd1e302bb3..9f5c462a8692 100644 --- a/drivers/tty/vt/keyboard.c +++ b/drivers/tty/vt/keyboard.c @@ -2032,7 +2032,7 @@ int vt_do_kdskled(int console, int cmd, unsigned long arg, int perm) kbd->default_ledflagstate = ((arg >> 4) & 7); set_leds(); spin_unlock_irqrestore(&kbd_event_lock, flags); - break; + return 0; /* the ioctls below only set the lights, not the functions */ /* for those, see KDGKBLED and KDSKBLED above */ -- cgit