From: Jiri Slaby <jslaby@xxxxxxx>
commit d54654790302ccaa72589380dce060d376ef8716 upstream.
In commit 5ba127878722, we shuffled with the check of 'perm'. But my
brain somehow inverted the condition in 'do_unimap_ioctl' (I thought
it is ||, not &&), so GIO_UNIMAP stopped working completely.
Move the 'perm' checks back to do_unimap_ioctl and do them right again.
In fact, this reverts this part of code to the pre-5ba127878722 state.
Except 'perm' is now a bool.
Fixes: 5ba127878722 ("vt_ioctl: move perm checks level up")
Cc: stable@xxxxxxxxxxxxxxx
Reported-by: Fabian Vogt <fvogt@xxxxxxxx>
Signed-off-by: Jiri Slaby <jslaby@xxxxxxx>
Link: https://lore.kernel.org/r/20201026055419.30518-1-jslaby@xxxxxxx
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/tty/vt/vt_ioctl.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
--- a/drivers/tty/vt/vt_ioctl.c
+++ b/drivers/tty/vt/vt_ioctl.c
@@ -550,7 +550,7 @@ static int vt_io_fontreset(struct consol
}
static inline int do_unimap_ioctl(int cmd, struct unimapdesc __user *user_ud,
- struct vc_data *vc)
+ bool perm, struct vc_data *vc)
{
struct unimapdesc tmp;
@@ -558,9 +558,11 @@ static inline int do_unimap_ioctl(int cm
return -EFAULT;
switch (cmd) {
case PIO_UNIMAP:
+ if (!perm)
+ return -EPERM;
return con_set_unimap(vc, tmp.entry_ct, tmp.entries);
case GIO_UNIMAP:
- if (fg_console != vc->vc_num)
+ if (!perm && fg_console != vc->vc_num)
return -EPERM;
return con_get_unimap(vc, tmp.entry_ct, &(user_ud->entry_ct),
tmp.entries);
@@ -640,10 +642,7 @@ static int vt_io_ioctl(struct vc_data *v
case PIO_UNIMAP:
case GIO_UNIMAP:
- if (!perm)
- return -EPERM;
-
- return do_unimap_ioctl(cmd, up, vc);
+ return do_unimap_ioctl(cmd, up, perm, vc);
default:
return -ENOIOCTLCMD;
