[PATCH v2] tty: vt/keyboard: Hoist and reuse variable in vt_do_kdgkb_ioctl
From: Thorsten Blum
Date: Mon Mar 02 2026 - 10:46:58 EST
Hoist 'len' and use it in both cases.
Add a comment explaining why reassigning 'kbs' is intentional.
Signed-off-by: Thorsten Blum <thorsten.blum@xxxxxxxxx>
---
Changes in v2:
- Keep 'kbs' reassignment and add a comment why it's required (Jiri)
- Link to v1: https://lore.kernel.org/lkml/20260226123419.737669-1-thorsten.blum@xxxxxxxxx/
---
drivers/tty/vt/keyboard.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
index 13bc048f45e8..88fd4ef2634a 100644
--- a/drivers/tty/vt/keyboard.c
+++ b/drivers/tty/vt/keyboard.c
@@ -2000,17 +2000,18 @@ static char *vt_kdskbsent(char *kbs, unsigned char cur)
int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
{
unsigned char kb_func;
+ ssize_t len;
if (get_user(kb_func, &user_kdgkb->kb_func))
return -EFAULT;
kb_func = array_index_nospec(kb_func, MAX_NR_FUNC);
+ /* size should have been a struct member */
+ len = sizeof(user_kdgkb->kb_string);
+
switch (cmd) {
case KDGKBSENT: {
- /* size should have been a struct member */
- ssize_t len = sizeof(user_kdgkb->kb_string);
-
char __free(kfree) *kbs = kmalloc(len, GFP_KERNEL);
if (!kbs)
return -ENOMEM;
@@ -2031,11 +2032,16 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
return -EPERM;
char __free(kfree) *kbs = strndup_user(user_kdgkb->kb_string,
- sizeof(user_kdgkb->kb_string));
+ len);
if (IS_ERR(kbs))
return PTR_ERR(kbs);
guard(spinlock_irqsave)(&func_buf_lock);
+
+ /*
+ * Ownership transfer: vt_kdskbsent() returns a pointer
+ * that must be freed (new buffer, old buffer, or NULL).
+ */
kbs = vt_kdskbsent(kbs, kb_func);
return 0;
--
Thorsten Blum <thorsten.blum@xxxxxxxxx>
GPG: 1D60 735E 8AEF 3BE4 73B6 9D84 7336 78FD 8DFE EAD4