1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  *  Copyright (C) 1991, 1992  Linus Torvalds
4  */
5 
6 /*
7  * 'tty_io.c' gives an orthogonal feeling to tty's, be they consoles
8  * or rs-channels. It also implements echoing, cooked mode etc.
9  *
10  * Kill-line thanks to John T Kohl, who also corrected VMIN = VTIME = 0.
11  *
12  * Modified by Theodore Ts'o, 9/14/92, to dynamically allocate the
13  * tty_struct and tty_queue structures.  Previously there was an array
14  * of 256 tty_struct's which was statically allocated, and the
15  * tty_queue structures were allocated at boot time.  Both are now
16  * dynamically allocated only when the tty is open.
17  *
18  * Also restructured routines so that there is more of a separation
19  * between the high-level tty routines (tty_io.c and tty_ioctl.c) and
20  * the low-level tty routines (serial.c, pty.c, console.c).  This
21  * makes for cleaner and more compact code.  -TYT, 9/17/92
22  *
23  * Modified by Fred N. van Kempen, 01/29/93, to add line disciplines
24  * which can be dynamically activated and de-activated by the line
25  * discipline handling modules (like SLIP).
26  *
27  * NOTE: pay no attention to the line discipline code (yet); its
28  * interface is still subject to change in this version...
29  * -- TYT, 1/31/92
30  *
31  * Added functionality to the OPOST tty handling.  No delays, but all
32  * other bits should be there.
33  *	-- Nick Holloway <alfie@dcs.warwick.ac.uk>, 27th May 1993.
34  *
35  * Rewrote canonical mode and added more termios flags.
36  *	-- julian@uhunix.uhcc.hawaii.edu (J. Cowley), 13Jan94
37  *
38  * Reorganized FASYNC support so mouse code can share it.
39  *	-- ctm@ardi.com, 9Sep95
40  *
41  * New TIOCLINUX variants added.
42  *	-- mj@k332.feld.cvut.cz, 19-Nov-95
43  *
44  * Restrict vt switching via ioctl()
45  *      -- grif@cs.ucr.edu, 5-Dec-95
46  *
47  * Move console and virtual terminal code to more appropriate files,
48  * implement CONFIG_VT and generalize console device interface.
49  *	-- Marko Kohtala <Marko.Kohtala@hut.fi>, March 97
50  *
51  * Rewrote tty_init_dev and tty_release_dev to eliminate races.
52  *	-- Bill Hawes <whawes@star.net>, June 97
53  *
54  * Added devfs support.
55  *      -- C. Scott Ananian <cananian@alumni.princeton.edu>, 13-Jan-1998
56  *
57  * Added support for a Unix98-style ptmx device.
58  *      -- C. Scott Ananian <cananian@alumni.princeton.edu>, 14-Jan-1998
59  *
60  * Reduced memory usage for older ARM systems
61  *      -- Russell King <rmk@arm.linux.org.uk>
62  *
63  * Move do_SAK() into process context.  Less stack use in devfs functions.
64  * alloc_tty_struct() always uses kmalloc()
65  *			 -- Andrew Morton <andrewm@uow.edu.eu> 17Mar01
66  */
67 
68 #include <linux/types.h>
69 #include <linux/major.h>
70 #include <linux/errno.h>
71 #include <linux/signal.h>
72 #include <linux/fcntl.h>
73 #include <linux/sched/signal.h>
74 #include <linux/sched/task.h>
75 #include <linux/interrupt.h>
76 #include <linux/tty.h>
77 #include <linux/tty_driver.h>
78 #include <linux/tty_flip.h>
79 #include <linux/devpts_fs.h>
80 #include <linux/file.h>
81 #include <linux/fdtable.h>
82 #include <linux/console.h>
83 #include <linux/timer.h>
84 #include <linux/ctype.h>
85 #include <linux/kd.h>
86 #include <linux/mm.h>
87 #include <linux/string.h>
88 #include <linux/slab.h>
89 #include <linux/poll.h>
90 #include <linux/ppp-ioctl.h>
91 #include <linux/proc_fs.h>
92 #include <linux/init.h>
93 #include <linux/module.h>
94 #include <linux/device.h>
95 #include <linux/wait.h>
96 #include <linux/bitops.h>
97 #include <linux/delay.h>
98 #include <linux/seq_file.h>
99 #include <linux/serial.h>
100 #include <linux/ratelimit.h>
101 #include <linux/compat.h>
102 #include <linux/uaccess.h>
103 #include <linux/termios_internal.h>
104 #include <linux/fs.h>
105 
106 #include <linux/kbd_kern.h>
107 #include <linux/vt_kern.h>
108 #include <linux/selection.h>
109 
110 #include <linux/kmod.h>
111 #include <linux/nsproxy.h>
112 #include "tty.h"
113 
114 #undef TTY_DEBUG_HANGUP
115 #ifdef TTY_DEBUG_HANGUP
116 # define tty_debug_hangup(tty, f, args...)	tty_debug(tty, f, ##args)
117 #else
118 # define tty_debug_hangup(tty, f, args...)	do { } while (0)
119 #endif
120 
121 #define TTY_PARANOIA_CHECK 1
122 #define CHECK_TTY_COUNT 1
123 
124 struct ktermios tty_std_termios = {	/* for the benefit of tty drivers  */
125 	.c_iflag = ICRNL | IXON,
126 	.c_oflag = OPOST | ONLCR,
127 	.c_cflag = B38400 | CS8 | CREAD | HUPCL,
128 	.c_lflag = ISIG | ICANON | ECHO | ECHOE | ECHOK |
129 		   ECHOCTL | ECHOKE | IEXTEN,
130 	.c_cc = INIT_C_CC,
131 	.c_ispeed = 38400,
132 	.c_ospeed = 38400,
133 	/* .c_line = N_TTY, */
134 };
135 EXPORT_SYMBOL(tty_std_termios);
136 
137 /* This list gets poked at by procfs and various bits of boot up code. This
138  * could do with some rationalisation such as pulling the tty proc function
139  * into this file.
140  */
141 
142 LIST_HEAD(tty_drivers);			/* linked list of tty drivers */
143 
144 /* Mutex to protect creating and releasing a tty */
145 DEFINE_MUTEX(tty_mutex);
146 
147 static ssize_t tty_read(struct kiocb *, struct iov_iter *);
148 static ssize_t tty_write(struct kiocb *, struct iov_iter *);
149 static __poll_t tty_poll(struct file *, poll_table *);
150 static int tty_open(struct inode *, struct file *);
151 #ifdef CONFIG_COMPAT
152 static long tty_compat_ioctl(struct file *file, unsigned int cmd,
153 				unsigned long arg);
154 #else
155 #define tty_compat_ioctl NULL
156 #endif
157 static int __tty_fasync(int fd, struct file *filp, int on);
158 static int tty_fasync(int fd, struct file *filp, int on);
159 static void release_tty(struct tty_struct *tty, int idx);
160 
161 /**
162  * free_tty_struct - free a disused tty
163  * @tty: tty struct to free
164  *
165  * Free the write buffers, tty queue and tty memory itself.
166  *
167  * Locking: none. Must be called after tty is definitely unused
168  */
free_tty_struct(struct tty_struct * tty)169 static void free_tty_struct(struct tty_struct *tty)
170 {
171 	tty_ldisc_deinit(tty);
172 	put_device(tty->dev);
173 	kvfree(tty->write_buf);
174 	kfree(tty);
175 }
176 
file_tty(struct file * file)177 static inline struct tty_struct *file_tty(struct file *file)
178 {
179 	return ((struct tty_file_private *)file->private_data)->tty;
180 }
181 
tty_alloc_file(struct file * file)182 int tty_alloc_file(struct file *file)
183 {
184 	struct tty_file_private *priv;
185 
186 	priv = kmalloc(sizeof(*priv), GFP_KERNEL);
187 	if (!priv)
188 		return -ENOMEM;
189 
190 	file->private_data = priv;
191 
192 	return 0;
193 }
194 
195 /* Associate a new file with the tty structure */
tty_add_file(struct tty_struct * tty,struct file * file)196 void tty_add_file(struct tty_struct *tty, struct file *file)
197 {
198 	struct tty_file_private *priv = file->private_data;
199 
200 	priv->tty = tty;
201 	priv->file = file;
202 
203 	spin_lock(&tty->files_lock);
204 	list_add(&priv->list, &tty->tty_files);
205 	spin_unlock(&tty->files_lock);
206 }
207 
208 /**
209  * tty_free_file - free file->private_data
210  * @file: to free private_data of
211  *
212  * This shall be used only for fail path handling when tty_add_file was not
213  * called yet.
214  */
tty_free_file(struct file * file)215 void tty_free_file(struct file *file)
216 {
217 	struct tty_file_private *priv = file->private_data;
218 
219 	file->private_data = NULL;
220 	kfree(priv);
221 }
222 
223 /* Delete file from its tty */
tty_del_file(struct file * file)224 static void tty_del_file(struct file *file)
225 {
226 	struct tty_file_private *priv = file->private_data;
227 	struct tty_struct *tty = priv->tty;
228 
229 	spin_lock(&tty->files_lock);
230 	list_del(&priv->list);
231 	spin_unlock(&tty->files_lock);
232 	tty_free_file(file);
233 }
234 
235 /**
236  * tty_name - return tty naming
237  * @tty: tty structure
238  *
239  * Convert a tty structure into a name. The name reflects the kernel naming
240  * policy and if udev is in use may not reflect user space
241  *
242  * Locking: none
243  */
tty_name(const struct tty_struct * tty)244 const char *tty_name(const struct tty_struct *tty)
245 {
246 	if (!tty) /* Hmm.  NULL pointer.  That's fun. */
247 		return "NULL tty";
248 	return tty->name;
249 }
250 EXPORT_SYMBOL(tty_name);
251 
tty_driver_name(const struct tty_struct * tty)252 const char *tty_driver_name(const struct tty_struct *tty)
253 {
254 	if (!tty || !tty->driver)
255 		return "";
256 	return tty->driver->name;
257 }
258 
tty_paranoia_check(struct tty_struct * tty,struct inode * inode,const char * routine)259 static int tty_paranoia_check(struct tty_struct *tty, struct inode *inode,
260 			      const char *routine)
261 {
262 #ifdef TTY_PARANOIA_CHECK
263 	if (!tty) {
264 		pr_warn("(%d:%d): %s: NULL tty\n",
265 			imajor(inode), iminor(inode), routine);
266 		return 1;
267 	}
268 #endif
269 	return 0;
270 }
271 
272 /* Caller must hold tty_lock */
check_tty_count(struct tty_struct * tty,const char * routine)273 static void check_tty_count(struct tty_struct *tty, const char *routine)
274 {
275 #ifdef CHECK_TTY_COUNT
276 	struct list_head *p;
277 	int count = 0, kopen_count = 0;
278 
279 	spin_lock(&tty->files_lock);
280 	list_for_each(p, &tty->tty_files) {
281 		count++;
282 	}
283 	spin_unlock(&tty->files_lock);
284 	if (tty->driver->type == TTY_DRIVER_TYPE_PTY &&
285 	    tty->driver->subtype == PTY_TYPE_SLAVE &&
286 	    tty->link && tty->link->count)
287 		count++;
288 	if (tty_port_kopened(tty->port))
289 		kopen_count++;
290 	if (tty->count != (count + kopen_count)) {
291 		tty_warn(tty, "%s: tty->count(%d) != (#fd's(%d) + #kopen's(%d))\n",
292 			 routine, tty->count, count, kopen_count);
293 	}
294 #endif
295 }
296 
297 /**
298  * get_tty_driver - find device of a tty
299  * @device: device identifier
300  * @index: returns the index of the tty
301  *
302  * This routine returns a tty driver structure, given a device number and also
303  * passes back the index number.
304  *
305  * Locking: caller must hold tty_mutex
306  */
get_tty_driver(dev_t device,int * index)307 static struct tty_driver *get_tty_driver(dev_t device, int *index)
308 {
309 	struct tty_driver *p;
310 
311 	list_for_each_entry(p, &tty_drivers, tty_drivers) {
312 		dev_t base = MKDEV(p->major, p->minor_start);
313 
314 		if (device < base || device >= base + p->num)
315 			continue;
316 		*index = device - base;
317 		return tty_driver_kref_get(p);
318 	}
319 	return NULL;
320 }
321 
322 /**
323  * tty_dev_name_to_number - return dev_t for device name
324  * @name: user space name of device under /dev
325  * @number: pointer to dev_t that this function will populate
326  *
327  * This function converts device names like ttyS0 or ttyUSB1 into dev_t like
328  * (4, 64) or (188, 1). If no corresponding driver is registered then the
329  * function returns -%ENODEV.
330  *
331  * Locking: this acquires tty_mutex to protect the tty_drivers list from
332  *	being modified while we are traversing it, and makes sure to
333  *	release it before exiting.
334  */
tty_dev_name_to_number(const char * name,dev_t * number)335 int tty_dev_name_to_number(const char *name, dev_t *number)
336 {
337 	struct tty_driver *p;
338 	int ret;
339 	int index, prefix_length = 0;
340 	const char *str;
341 
342 	for (str = name; *str && !isdigit(*str); str++)
343 		;
344 
345 	if (!*str)
346 		return -EINVAL;
347 
348 	ret = kstrtoint(str, 10, &index);
349 	if (ret)
350 		return ret;
351 
352 	prefix_length = str - name;
353 
354 	guard(mutex)(&tty_mutex);
355 
356 	list_for_each_entry(p, &tty_drivers, tty_drivers)
357 		if (prefix_length == strlen(p->name) && strncmp(name,
358 					p->name, prefix_length) == 0) {
359 			if (index < p->num) {
360 				*number = MKDEV(p->major, p->minor_start + index);
361 				return 0;
362 			}
363 		}
364 
365 	return -ENODEV;
366 }
367 EXPORT_SYMBOL_GPL(tty_dev_name_to_number);
368 
369 #ifdef CONFIG_CONSOLE_POLL
370 
371 /**
372  * tty_find_polling_driver - find device of a polled tty
373  * @name: name string to match
374  * @line: pointer to resulting tty line nr
375  *
376  * This routine returns a tty driver structure, given a name and the condition
377  * that the tty driver is capable of polled operation.
378  */
tty_find_polling_driver(char * name,int * line)379 struct tty_driver *tty_find_polling_driver(char *name, int *line)
380 {
381 	struct tty_driver *p, *res = NULL;
382 	int tty_line = 0;
383 	int len;
384 	char *str, *stp;
385 
386 	for (str = name; *str; str++)
387 		if ((*str >= '0' && *str <= '9') || *str == ',')
388 			break;
389 	if (!*str)
390 		return NULL;
391 
392 	len = str - name;
393 	tty_line = simple_strtoul(str, &str, 10);
394 
395 	mutex_lock(&tty_mutex);
396 	/* Search through the tty devices to look for a match */
397 	list_for_each_entry(p, &tty_drivers, tty_drivers) {
398 		if (!len || strncmp(name, p->name, len) != 0)
399 			continue;
400 		stp = str;
401 		if (*stp == ',')
402 			stp++;
403 		if (*stp == '\0')
404 			stp = NULL;
405 
406 		if (tty_line >= 0 && tty_line < p->num && p->ops &&
407 		    p->ops->poll_init && !p->ops->poll_init(p, tty_line, stp)) {
408 			res = tty_driver_kref_get(p);
409 			*line = tty_line;
410 			break;
411 		}
412 	}
413 	mutex_unlock(&tty_mutex);
414 
415 	return res;
416 }
417 EXPORT_SYMBOL_GPL(tty_find_polling_driver);
418 #endif
419 
hung_up_tty_read(struct kiocb * iocb,struct iov_iter * to)420 static ssize_t hung_up_tty_read(struct kiocb *iocb, struct iov_iter *to)
421 {
422 	return 0;
423 }
424 
hung_up_tty_write(struct kiocb * iocb,struct iov_iter * from)425 static ssize_t hung_up_tty_write(struct kiocb *iocb, struct iov_iter *from)
426 {
427 	return -EIO;
428 }
429 
430 /* No kernel lock held - none needed ;) */
hung_up_tty_poll(struct file * filp,poll_table * wait)431 static __poll_t hung_up_tty_poll(struct file *filp, poll_table *wait)
432 {
433 	return EPOLLIN | EPOLLOUT | EPOLLERR | EPOLLHUP | EPOLLRDNORM | EPOLLWRNORM;
434 }
435 
hung_up_tty_ioctl(struct file * file,unsigned int cmd,unsigned long arg)436 static long hung_up_tty_ioctl(struct file *file, unsigned int cmd,
437 		unsigned long arg)
438 {
439 	return cmd == TIOCSPGRP ? -ENOTTY : -EIO;
440 }
441 
hung_up_tty_compat_ioctl(struct file * file,unsigned int cmd,unsigned long arg)442 static long hung_up_tty_compat_ioctl(struct file *file,
443 				     unsigned int cmd, unsigned long arg)
444 {
445 	return cmd == TIOCSPGRP ? -ENOTTY : -EIO;
446 }
447 
hung_up_tty_fasync(int fd,struct file * file,int on)448 static int hung_up_tty_fasync(int fd, struct file *file, int on)
449 {
450 	return -ENOTTY;
451 }
452 
tty_show_fdinfo(struct seq_file * m,struct file * file)453 static void tty_show_fdinfo(struct seq_file *m, struct file *file)
454 {
455 	struct tty_struct *tty = file_tty(file);
456 
457 	if (tty && tty->ops && tty->ops->show_fdinfo)
458 		tty->ops->show_fdinfo(tty, m);
459 }
460 
461 static const struct file_operations tty_fops = {
462 	.read_iter	= tty_read,
463 	.write_iter	= tty_write,
464 	.splice_read	= copy_splice_read,
465 	.splice_write	= iter_file_splice_write,
466 	.poll		= tty_poll,
467 	.unlocked_ioctl	= tty_ioctl,
468 	.compat_ioctl	= tty_compat_ioctl,
469 	.open		= tty_open,
470 	.release	= tty_release,
471 	.fasync		= tty_fasync,
472 	.show_fdinfo	= tty_show_fdinfo,
473 };
474 
475 static const struct file_operations console_fops = {
476 	.read_iter	= tty_read,
477 	.write_iter	= redirected_tty_write,
478 	.splice_read	= copy_splice_read,
479 	.splice_write	= iter_file_splice_write,
480 	.poll		= tty_poll,
481 	.unlocked_ioctl	= tty_ioctl,
482 	.compat_ioctl	= tty_compat_ioctl,
483 	.open		= tty_open,
484 	.release	= tty_release,
485 	.fasync		= tty_fasync,
486 };
487 
488 static const struct file_operations hung_up_tty_fops = {
489 	.read_iter	= hung_up_tty_read,
490 	.write_iter	= hung_up_tty_write,
491 	.poll		= hung_up_tty_poll,
492 	.unlocked_ioctl	= hung_up_tty_ioctl,
493 	.compat_ioctl	= hung_up_tty_compat_ioctl,
494 	.release	= tty_release,
495 	.fasync		= hung_up_tty_fasync,
496 };
497 
498 static DEFINE_SPINLOCK(redirect_lock);
499 static struct file *redirect;
500 
501 /**
502  * tty_wakeup - request more data
503  * @tty: terminal
504  *
505  * Internal and external helper for wakeups of tty. This function informs the
506  * line discipline if present that the driver is ready to receive more output
507  * data.
508  */
tty_wakeup(struct tty_struct * tty)509 void tty_wakeup(struct tty_struct *tty)
510 {
511 	struct tty_ldisc *ld;
512 
513 	if (test_bit(TTY_DO_WRITE_WAKEUP, &tty->flags)) {
514 		ld = tty_ldisc_ref(tty);
515 		if (ld) {
516 			if (ld->ops->write_wakeup)
517 				ld->ops->write_wakeup(tty);
518 			tty_ldisc_deref(ld);
519 		}
520 	}
521 	wake_up_interruptible_poll(&tty->write_wait, EPOLLOUT);
522 }
523 EXPORT_SYMBOL_GPL(tty_wakeup);
524 
525 /**
526  * tty_release_redirect - Release a redirect on a pty if present
527  * @tty: tty device
528  *
529  * This is available to the pty code so if the master closes, if the slave is a
530  * redirect it can release the redirect.
531  */
tty_release_redirect(struct tty_struct * tty)532 static struct file *tty_release_redirect(struct tty_struct *tty)
533 {
534 	struct file *f = NULL;
535 
536 	spin_lock(&redirect_lock);
537 	if (redirect && file_tty(redirect) == tty) {
538 		f = redirect;
539 		redirect = NULL;
540 	}
541 	spin_unlock(&redirect_lock);
542 
543 	return f;
544 }
545 
546 /**
547  * __tty_hangup - actual handler for hangup events
548  * @tty: tty device
549  * @exit_session: if non-zero, signal all foreground group processes
550  *
551  * This can be called by a "kworker" kernel thread. That is process synchronous
552  * but doesn't hold any locks, so we need to make sure we have the appropriate
553  * locks for what we're doing.
554  *
555  * The hangup event clears any pending redirections onto the hung up device. It
556  * ensures future writes will error and it does the needed line discipline
557  * hangup and signal delivery. The tty object itself remains intact.
558  *
559  * Locking:
560  *  * BTM
561  *
562  *   * redirect lock for undoing redirection
563  *   * file list lock for manipulating list of ttys
564  *   * tty_ldiscs_lock from called functions
565  *   * termios_rwsem resetting termios data
566  *   * tasklist_lock to walk task list for hangup event
567  *
568  *    * ->siglock to protect ->signal/->sighand
569  *
570  */
__tty_hangup(struct tty_struct * tty,int exit_session)571 static void __tty_hangup(struct tty_struct *tty, int exit_session)
572 {
573 	struct file *cons_filp = NULL;
574 	struct file *filp, *f;
575 	struct tty_file_private *priv;
576 	int    closecount = 0, n;
577 	int refs;
578 
579 	if (!tty)
580 		return;
581 
582 	f = tty_release_redirect(tty);
583 
584 	tty_lock(tty);
585 
586 	if (test_bit(TTY_HUPPED, &tty->flags)) {
587 		tty_unlock(tty);
588 		return;
589 	}
590 
591 	/*
592 	 * Some console devices aren't actually hung up for technical and
593 	 * historical reasons, which can lead to indefinite interruptible
594 	 * sleep in n_tty_read().  The following explicitly tells
595 	 * n_tty_read() to abort readers.
596 	 */
597 	set_bit(TTY_HUPPING, &tty->flags);
598 
599 	/* inuse_filps is protected by the single tty lock,
600 	 * this really needs to change if we want to flush the
601 	 * workqueue with the lock held.
602 	 */
603 	check_tty_count(tty, "tty_hangup");
604 
605 	spin_lock(&tty->files_lock);
606 	/* This breaks for file handles being sent over AF_UNIX sockets ? */
607 	list_for_each_entry(priv, &tty->tty_files, list) {
608 		filp = priv->file;
609 		if (filp->f_op->write_iter == redirected_tty_write)
610 			cons_filp = filp;
611 		if (filp->f_op->write_iter != tty_write)
612 			continue;
613 		closecount++;
614 		__tty_fasync(-1, filp, 0);	/* can't block */
615 		filp->f_op = &hung_up_tty_fops;
616 	}
617 	spin_unlock(&tty->files_lock);
618 
619 	refs = tty_signal_session_leader(tty, exit_session);
620 	/* Account for the p->signal references we killed */
621 	while (refs--)
622 		tty_kref_put(tty);
623 
624 	tty_ldisc_hangup(tty, cons_filp != NULL);
625 
626 	spin_lock_irq(&tty->ctrl.lock);
627 	clear_bit(TTY_THROTTLED, &tty->flags);
628 	clear_bit(TTY_DO_WRITE_WAKEUP, &tty->flags);
629 	put_pid(tty->ctrl.session);
630 	put_pid(tty->ctrl.pgrp);
631 	tty->ctrl.session = NULL;
632 	tty->ctrl.pgrp = NULL;
633 	tty->ctrl.pktstatus = 0;
634 	spin_unlock_irq(&tty->ctrl.lock);
635 
636 	/*
637 	 * If one of the devices matches a console pointer, we
638 	 * cannot just call hangup() because that will cause
639 	 * tty->count and state->count to go out of sync.
640 	 * So we just call close() the right number of times.
641 	 */
642 	if (cons_filp) {
643 		if (tty->ops->close)
644 			for (n = 0; n < closecount; n++)
645 				tty->ops->close(tty, cons_filp);
646 	} else if (tty->ops->hangup)
647 		tty->ops->hangup(tty);
648 	/*
649 	 * We don't want to have driver/ldisc interactions beyond the ones
650 	 * we did here. The driver layer expects no calls after ->hangup()
651 	 * from the ldisc side, which is now guaranteed.
652 	 */
653 	set_bit(TTY_HUPPED, &tty->flags);
654 	clear_bit(TTY_HUPPING, &tty->flags);
655 	tty_unlock(tty);
656 
657 	if (f)
658 		fput(f);
659 }
660 
do_tty_hangup(struct work_struct * work)661 static void do_tty_hangup(struct work_struct *work)
662 {
663 	struct tty_struct *tty =
664 		container_of(work, struct tty_struct, hangup_work);
665 
666 	__tty_hangup(tty, 0);
667 }
668 
669 /**
670  * tty_hangup - trigger a hangup event
671  * @tty: tty to hangup
672  *
673  * A carrier loss (virtual or otherwise) has occurred on @tty. Schedule a
674  * hangup sequence to run after this event.
675  */
tty_hangup(struct tty_struct * tty)676 void tty_hangup(struct tty_struct *tty)
677 {
678 	tty_debug_hangup(tty, "hangup\n");
679 	schedule_work(&tty->hangup_work);
680 }
681 EXPORT_SYMBOL(tty_hangup);
682 
683 /**
684  * tty_vhangup - process vhangup
685  * @tty: tty to hangup
686  *
687  * The user has asked via system call for the terminal to be hung up. We do
688  * this synchronously so that when the syscall returns the process is complete.
689  * That guarantee is necessary for security reasons.
690  */
tty_vhangup(struct tty_struct * tty)691 void tty_vhangup(struct tty_struct *tty)
692 {
693 	tty_debug_hangup(tty, "vhangup\n");
694 	__tty_hangup(tty, 0);
695 }
696 EXPORT_SYMBOL(tty_vhangup);
697 
698 
699 /**
700  * tty_vhangup_self - process vhangup for own ctty
701  *
702  * Perform a vhangup on the current controlling tty
703  */
tty_vhangup_self(void)704 void tty_vhangup_self(void)
705 {
706 	struct tty_struct *tty;
707 
708 	tty = get_current_tty();
709 	if (tty) {
710 		tty_vhangup(tty);
711 		tty_kref_put(tty);
712 	}
713 }
714 
715 /**
716  * tty_vhangup_session - hangup session leader exit
717  * @tty: tty to hangup
718  *
719  * The session leader is exiting and hanging up its controlling terminal.
720  * Every process in the foreground process group is signalled %SIGHUP.
721  *
722  * We do this synchronously so that when the syscall returns the process is
723  * complete. That guarantee is necessary for security reasons.
724  */
tty_vhangup_session(struct tty_struct * tty)725 void tty_vhangup_session(struct tty_struct *tty)
726 {
727 	tty_debug_hangup(tty, "session hangup\n");
728 	__tty_hangup(tty, 1);
729 }
730 
731 /**
732  * tty_hung_up_p - was tty hung up
733  * @filp: file pointer of tty
734  *
735  * Return: true if the tty has been subject to a vhangup or a carrier loss
736  */
tty_hung_up_p(struct file * filp)737 int tty_hung_up_p(struct file *filp)
738 {
739 	return (filp && filp->f_op == &hung_up_tty_fops);
740 }
741 EXPORT_SYMBOL(tty_hung_up_p);
742 
__stop_tty(struct tty_struct * tty)743 void __stop_tty(struct tty_struct *tty)
744 {
745 	if (tty->flow.stopped)
746 		return;
747 	tty->flow.stopped = true;
748 	if (tty->ops->stop)
749 		tty->ops->stop(tty);
750 }
751 
752 /**
753  * stop_tty - propagate flow control
754  * @tty: tty to stop
755  *
756  * Perform flow control to the driver. May be called on an already stopped
757  * device and will not re-call the &tty_driver->stop() method.
758  *
759  * This functionality is used by both the line disciplines for halting incoming
760  * flow and by the driver. It may therefore be called from any context, may be
761  * under the tty %atomic_write_lock but not always.
762  *
763  * Locking:
764  *	flow.lock
765  */
stop_tty(struct tty_struct * tty)766 void stop_tty(struct tty_struct *tty)
767 {
768 	unsigned long flags;
769 
770 	spin_lock_irqsave(&tty->flow.lock, flags);
771 	__stop_tty(tty);
772 	spin_unlock_irqrestore(&tty->flow.lock, flags);
773 }
774 EXPORT_SYMBOL(stop_tty);
775 
__start_tty(struct tty_struct * tty)776 void __start_tty(struct tty_struct *tty)
777 {
778 	if (!tty->flow.stopped || tty->flow.tco_stopped)
779 		return;
780 	tty->flow.stopped = false;
781 	if (tty->ops->start)
782 		tty->ops->start(tty);
783 	tty_wakeup(tty);
784 }
785 
786 /**
787  * start_tty - propagate flow control
788  * @tty: tty to start
789  *
790  * Start a tty that has been stopped if at all possible. If @tty was previously
791  * stopped and is now being started, the &tty_driver->start() method is invoked
792  * and the line discipline woken.
793  *
794  * Locking:
795  *	flow.lock
796  */
start_tty(struct tty_struct * tty)797 void start_tty(struct tty_struct *tty)
798 {
799 	unsigned long flags;
800 
801 	spin_lock_irqsave(&tty->flow.lock, flags);
802 	__start_tty(tty);
803 	spin_unlock_irqrestore(&tty->flow.lock, flags);
804 }
805 EXPORT_SYMBOL(start_tty);
806 
tty_update_time(struct tty_struct * tty,bool mtime)807 static void tty_update_time(struct tty_struct *tty, bool mtime)
808 {
809 	time64_t sec = ktime_get_real_seconds();
810 	struct tty_file_private *priv;
811 
812 	spin_lock(&tty->files_lock);
813 	list_for_each_entry(priv, &tty->tty_files, list) {
814 		struct inode *inode = file_inode(priv->file);
815 		struct timespec64 time = mtime ? inode_get_mtime(inode) : inode_get_atime(inode);
816 
817 		/*
818 		 * We only care if the two values differ in anything other than the
819 		 * lower three bits (i.e every 8 seconds).  If so, then we can update
820 		 * the time of the tty device, otherwise it could be construded as a
821 		 * security leak to let userspace know the exact timing of the tty.
822 		 */
823 		if ((sec ^ time.tv_sec) & ~7) {
824 			if (mtime)
825 				inode_set_mtime(inode, sec, 0);
826 			else
827 				inode_set_atime(inode, sec, 0);
828 		}
829 	}
830 	spin_unlock(&tty->files_lock);
831 }
832 
833 /*
834  * Iterate on the ldisc ->read() function until we've gotten all
835  * the data the ldisc has for us.
836  *
837  * The "cookie" is something that the ldisc read function can fill
838  * in to let us know that there is more data to be had.
839  *
840  * We promise to continue to call the ldisc until it stops returning
841  * data or clears the cookie. The cookie may be something that the
842  * ldisc maintains state for and needs to free.
843  */
iterate_tty_read(struct tty_ldisc * ld,struct tty_struct * tty,struct file * file,struct iov_iter * to)844 static ssize_t iterate_tty_read(struct tty_ldisc *ld, struct tty_struct *tty,
845 				struct file *file, struct iov_iter *to)
846 {
847 	void *cookie = NULL;
848 	unsigned long offset = 0;
849 	ssize_t retval = 0;
850 	size_t copied, count = iov_iter_count(to);
851 	u8 kernel_buf[64];
852 
853 	do {
854 		ssize_t size = min(count, sizeof(kernel_buf));
855 
856 		size = ld->ops->read(tty, file, kernel_buf, size, &cookie, offset);
857 		if (!size)
858 			break;
859 
860 		if (size < 0) {
861 			/* Did we have an earlier error (ie -EFAULT)? */
862 			if (retval)
863 				break;
864 			retval = size;
865 
866 			/*
867 			 * -EOVERFLOW means we didn't have enough space
868 			 * for a whole packet, and we shouldn't return
869 			 * a partial result.
870 			 */
871 			if (retval == -EOVERFLOW)
872 				offset = 0;
873 			break;
874 		}
875 
876 		copied = copy_to_iter(kernel_buf, size, to);
877 		offset += copied;
878 		count -= copied;
879 
880 		/*
881 		 * If the user copy failed, we still need to do another ->read()
882 		 * call if we had a cookie to let the ldisc clear up.
883 		 *
884 		 * But make sure size is zeroed.
885 		 */
886 		if (unlikely(copied != size)) {
887 			count = 0;
888 			retval = -EFAULT;
889 		}
890 	} while (cookie);
891 
892 	/* We always clear tty buffer in case they contained passwords */
893 	memzero_explicit(kernel_buf, sizeof(kernel_buf));
894 	return offset ? offset : retval;
895 }
896 
897 
898 /**
899  * tty_read - read method for tty device files
900  * @iocb: kernel I/O control block
901  * @to: destination for the data read
902  *
903  * Perform the read system call function on this terminal device. Checks
904  * for hung up devices before calling the line discipline method.
905  *
906  * Locking:
907  *	Locks the line discipline internally while needed. Multiple read calls
908  *	may be outstanding in parallel.
909  */
tty_read(struct kiocb * iocb,struct iov_iter * to)910 static ssize_t tty_read(struct kiocb *iocb, struct iov_iter *to)
911 {
912 	struct file *file = iocb->ki_filp;
913 	struct inode *inode = file_inode(file);
914 	struct tty_struct *tty = file_tty(file);
915 	struct tty_ldisc *ld;
916 	ssize_t ret;
917 
918 	if (tty_paranoia_check(tty, inode, "tty_read"))
919 		return -EIO;
920 	if (!tty || tty_io_error(tty))
921 		return -EIO;
922 
923 	/* We want to wait for the line discipline to sort out in this
924 	 * situation.
925 	 */
926 	ld = tty_ldisc_ref_wait(tty);
927 	if (!ld)
928 		return hung_up_tty_read(iocb, to);
929 	ret = -EIO;
930 	if (ld->ops->read)
931 		ret = iterate_tty_read(ld, tty, file, to);
932 	tty_ldisc_deref(ld);
933 
934 	if (ret > 0)
935 		tty_update_time(tty, false);
936 
937 	return ret;
938 }
939 
tty_write_unlock(struct tty_struct * tty)940 void tty_write_unlock(struct tty_struct *tty)
941 {
942 	mutex_unlock(&tty->atomic_write_lock);
943 	wake_up_interruptible_poll(&tty->write_wait, EPOLLOUT);
944 }
945 
tty_write_lock(struct tty_struct * tty,bool ndelay)946 int tty_write_lock(struct tty_struct *tty, bool ndelay)
947 {
948 	if (!mutex_trylock(&tty->atomic_write_lock)) {
949 		if (ndelay)
950 			return -EAGAIN;
951 		if (mutex_lock_interruptible(&tty->atomic_write_lock))
952 			return -ERESTARTSYS;
953 	}
954 	return 0;
955 }
956 
957 /*
958  * Split writes up in sane blocksizes to avoid
959  * denial-of-service type attacks
960  */
iterate_tty_write(struct tty_ldisc * ld,struct tty_struct * tty,struct file * file,struct iov_iter * from)961 static ssize_t iterate_tty_write(struct tty_ldisc *ld, struct tty_struct *tty,
962 				 struct file *file, struct iov_iter *from)
963 {
964 	size_t chunk, count = iov_iter_count(from);
965 	ssize_t ret, written = 0;
966 
967 	ret = tty_write_lock(tty, file->f_flags & O_NDELAY);
968 	if (ret < 0)
969 		return ret;
970 
971 	/*
972 	 * We chunk up writes into a temporary buffer. This
973 	 * simplifies low-level drivers immensely, since they
974 	 * don't have locking issues and user mode accesses.
975 	 *
976 	 * But if TTY_NO_WRITE_SPLIT is set, we should use a
977 	 * big chunk-size..
978 	 *
979 	 * The default chunk-size is 2kB, because the NTTY
980 	 * layer has problems with bigger chunks. It will
981 	 * claim to be able to handle more characters than
982 	 * it actually does.
983 	 */
984 	chunk = 2048;
985 	if (test_bit(TTY_NO_WRITE_SPLIT, &tty->flags))
986 		chunk = 65536;
987 	if (count < chunk)
988 		chunk = count;
989 
990 	/* write_buf/write_cnt is protected by the atomic_write_lock mutex */
991 	if (tty->write_cnt < chunk) {
992 		u8 *buf_chunk;
993 
994 		if (chunk < 1024)
995 			chunk = 1024;
996 
997 		buf_chunk = kvmalloc(chunk, GFP_KERNEL | __GFP_RETRY_MAYFAIL);
998 		if (!buf_chunk) {
999 			ret = -ENOMEM;
1000 			goto out;
1001 		}
1002 		kvfree(tty->write_buf);
1003 		tty->write_cnt = chunk;
1004 		tty->write_buf = buf_chunk;
1005 	}
1006 
1007 	/* Do the write .. */
1008 	for (;;) {
1009 		size_t size = min(chunk, count);
1010 
1011 		ret = -EFAULT;
1012 		if (copy_from_iter(tty->write_buf, size, from) != size)
1013 			break;
1014 
1015 		ret = ld->ops->write(tty, file, tty->write_buf, size);
1016 		if (ret <= 0)
1017 			break;
1018 
1019 		written += ret;
1020 		if (ret > size)
1021 			break;
1022 
1023 		/* FIXME! Have Al check this! */
1024 		if (ret != size)
1025 			iov_iter_revert(from, size-ret);
1026 
1027 		count -= ret;
1028 		if (!count)
1029 			break;
1030 		ret = -ERESTARTSYS;
1031 		if (signal_pending(current))
1032 			break;
1033 		cond_resched();
1034 	}
1035 	if (written) {
1036 		tty_update_time(tty, true);
1037 		ret = written;
1038 	}
1039 out:
1040 	tty_write_unlock(tty);
1041 	return ret;
1042 }
1043 
1044 #ifdef CONFIG_PRINT_QUOTA_WARNING
1045 /**
1046  * tty_write_message - write a message to a certain tty, not just the console.
1047  * @tty: the destination tty_struct
1048  * @msg: the message to write
1049  *
1050  * This is used for messages that need to be redirected to a specific tty. We
1051  * don't put it into the syslog queue right now maybe in the future if really
1052  * needed.
1053  *
1054  * We must still hold the BTM and test the CLOSING flag for the moment.
1055  *
1056  * This function is DEPRECATED, do not use in new code.
1057  */
tty_write_message(struct tty_struct * tty,char * msg)1058 void tty_write_message(struct tty_struct *tty, char *msg)
1059 {
1060 	if (tty) {
1061 		mutex_lock(&tty->atomic_write_lock);
1062 		tty_lock(tty);
1063 		if (tty->ops->write && tty->count > 0)
1064 			tty->ops->write(tty, msg, strlen(msg));
1065 		tty_unlock(tty);
1066 		tty_write_unlock(tty);
1067 	}
1068 }
1069 #endif
1070 
file_tty_write(struct file * file,struct kiocb * iocb,struct iov_iter * from)1071 static ssize_t file_tty_write(struct file *file, struct kiocb *iocb, struct iov_iter *from)
1072 {
1073 	struct tty_struct *tty = file_tty(file);
1074 	struct tty_ldisc *ld;
1075 	ssize_t ret;
1076 
1077 	if (tty_paranoia_check(tty, file_inode(file), "tty_write"))
1078 		return -EIO;
1079 	if (!tty || !tty->ops->write ||	tty_io_error(tty))
1080 		return -EIO;
1081 	/* Short term debug to catch buggy drivers */
1082 	if (tty->ops->write_room == NULL)
1083 		tty_err(tty, "missing write_room method\n");
1084 	ld = tty_ldisc_ref_wait(tty);
1085 	if (!ld)
1086 		return hung_up_tty_write(iocb, from);
1087 	if (!ld->ops->write)
1088 		ret = -EIO;
1089 	else
1090 		ret = iterate_tty_write(ld, tty, file, from);
1091 	tty_ldisc_deref(ld);
1092 	return ret;
1093 }
1094 
1095 /**
1096  * tty_write - write method for tty device file
1097  * @iocb: kernel I/O control block
1098  * @from: iov_iter with data to write
1099  *
1100  * Write data to a tty device via the line discipline.
1101  *
1102  * Locking:
1103  *	Locks the line discipline as required
1104  *	Writes to the tty driver are serialized by the atomic_write_lock
1105  *	and are then processed in chunks to the device. The line
1106  *	discipline write method will not be invoked in parallel for
1107  *	each device.
1108  */
tty_write(struct kiocb * iocb,struct iov_iter * from)1109 static ssize_t tty_write(struct kiocb *iocb, struct iov_iter *from)
1110 {
1111 	return file_tty_write(iocb->ki_filp, iocb, from);
1112 }
1113 
redirected_tty_write(struct kiocb * iocb,struct iov_iter * iter)1114 ssize_t redirected_tty_write(struct kiocb *iocb, struct iov_iter *iter)
1115 {
1116 	struct file *p = NULL;
1117 
1118 	spin_lock(&redirect_lock);
1119 	if (redirect)
1120 		p = get_file(redirect);
1121 	spin_unlock(&redirect_lock);
1122 
1123 	/*
1124 	 * We know the redirected tty is just another tty, we can
1125 	 * call file_tty_write() directly with that file pointer.
1126 	 */
1127 	if (p) {
1128 		ssize_t res;
1129 
1130 		res = file_tty_write(p, iocb, iter);
1131 		fput(p);
1132 		return res;
1133 	}
1134 	return tty_write(iocb, iter);
1135 }
1136 
1137 /**
1138  * tty_send_xchar - send priority character
1139  * @tty: the tty to send to
1140  * @ch: xchar to send
1141  *
1142  * Send a high priority character to the tty even if stopped.
1143  *
1144  * Locking: none for xchar method, write ordering for write method.
1145  */
tty_send_xchar(struct tty_struct * tty,u8 ch)1146 int tty_send_xchar(struct tty_struct *tty, u8 ch)
1147 {
1148 	bool was_stopped = tty->flow.stopped;
1149 
1150 	if (tty->ops->send_xchar) {
1151 		down_read(&tty->termios_rwsem);
1152 		tty->ops->send_xchar(tty, ch);
1153 		up_read(&tty->termios_rwsem);
1154 		return 0;
1155 	}
1156 
1157 	if (tty_write_lock(tty, false) < 0)
1158 		return -ERESTARTSYS;
1159 
1160 	down_read(&tty->termios_rwsem);
1161 	if (was_stopped)
1162 		start_tty(tty);
1163 	tty->ops->write(tty, &ch, 1);
1164 	if (was_stopped)
1165 		stop_tty(tty);
1166 	up_read(&tty->termios_rwsem);
1167 	tty_write_unlock(tty);
1168 	return 0;
1169 }
1170 
1171 /**
1172  * pty_line_name - generate name for a pty
1173  * @driver: the tty driver in use
1174  * @index: the minor number
1175  * @p: output buffer of at least 6 bytes
1176  *
1177  * Generate a name from a @driver reference and write it to the output buffer
1178  * @p.
1179  *
1180  * Locking: None
1181  */
pty_line_name(struct tty_driver * driver,int index,char * p)1182 static void pty_line_name(struct tty_driver *driver, int index, char *p)
1183 {
1184 	static const char ptychar[] = "pqrstuvwxyzabcde";
1185 	int i = index + driver->name_base;
1186 	/* ->name is initialized to "ttyp", but "tty" is expected */
1187 	sprintf(p, "%s%c%x",
1188 		driver->subtype == PTY_TYPE_SLAVE ? "tty" : driver->name,
1189 		ptychar[i >> 4 & 0xf], i & 0xf);
1190 }
1191 
1192 /**
1193  * tty_line_name - generate name for a tty
1194  * @driver: the tty driver in use
1195  * @index: the minor number
1196  * @p: output buffer of at least 7 bytes
1197  *
1198  * Generate a name from a @driver reference and write it to the output buffer
1199  * @p.
1200  *
1201  * Locking: None
1202  */
tty_line_name(struct tty_driver * driver,int index,char * p)1203 static ssize_t tty_line_name(struct tty_driver *driver, int index, char *p)
1204 {
1205 	if (driver->flags & TTY_DRIVER_UNNUMBERED_NODE)
1206 		return sprintf(p, "%s", driver->name);
1207 	else
1208 		return sprintf(p, "%s%d", driver->name,
1209 			       index + driver->name_base);
1210 }
1211 
1212 /**
1213  * tty_driver_lookup_tty() - find an existing tty, if any
1214  * @driver: the driver for the tty
1215  * @file: file object
1216  * @idx: the minor number
1217  *
1218  * Return: the tty, if found. If not found, return %NULL or ERR_PTR() if the
1219  * driver lookup() method returns an error.
1220  *
1221  * Locking: tty_mutex must be held. If the tty is found, bump the tty kref.
1222  */
tty_driver_lookup_tty(struct tty_driver * driver,struct file * file,int idx)1223 static struct tty_struct *tty_driver_lookup_tty(struct tty_driver *driver,
1224 		struct file *file, int idx)
1225 {
1226 	struct tty_struct *tty;
1227 
1228 	if (driver->ops->lookup) {
1229 		if (!file)
1230 			tty = ERR_PTR(-EIO);
1231 		else
1232 			tty = driver->ops->lookup(driver, file, idx);
1233 	} else {
1234 		if (idx >= driver->num)
1235 			return ERR_PTR(-EINVAL);
1236 		tty = driver->ttys[idx];
1237 	}
1238 	if (!IS_ERR(tty))
1239 		tty_kref_get(tty);
1240 	return tty;
1241 }
1242 
1243 /**
1244  * tty_init_termios - helper for termios setup
1245  * @tty: the tty to set up
1246  *
1247  * Initialise the termios structure for this tty. This runs under the
1248  * %tty_mutex currently so we can be relaxed about ordering.
1249  */
tty_init_termios(struct tty_struct * tty)1250 void tty_init_termios(struct tty_struct *tty)
1251 {
1252 	struct ktermios *tp;
1253 	int idx = tty->index;
1254 
1255 	if (tty->driver->flags & TTY_DRIVER_RESET_TERMIOS)
1256 		tty->termios = tty->driver->init_termios;
1257 	else {
1258 		/* Check for lazy saved data */
1259 		tp = tty->driver->termios[idx];
1260 		if (tp != NULL) {
1261 			tty->termios = *tp;
1262 			tty->termios.c_line  = tty->driver->init_termios.c_line;
1263 		} else
1264 			tty->termios = tty->driver->init_termios;
1265 	}
1266 	/* Compatibility until drivers always set this */
1267 	tty->termios.c_ispeed = tty_termios_input_baud_rate(&tty->termios);
1268 	tty->termios.c_ospeed = tty_termios_baud_rate(&tty->termios);
1269 }
1270 EXPORT_SYMBOL_GPL(tty_init_termios);
1271 
1272 /**
1273  * tty_standard_install - usual tty->ops->install
1274  * @driver: the driver for the tty
1275  * @tty: the tty
1276  *
1277  * If the @driver overrides @tty->ops->install, it still can call this function
1278  * to perform the standard install operations.
1279  */
tty_standard_install(struct tty_driver * driver,struct tty_struct * tty)1280 int tty_standard_install(struct tty_driver *driver, struct tty_struct *tty)
1281 {
1282 	tty_init_termios(tty);
1283 	tty_driver_kref_get(driver);
1284 	tty->count++;
1285 	driver->ttys[tty->index] = tty;
1286 	return 0;
1287 }
1288 EXPORT_SYMBOL_GPL(tty_standard_install);
1289 
1290 /**
1291  * tty_driver_install_tty() - install a tty entry in the driver
1292  * @driver: the driver for the tty
1293  * @tty: the tty
1294  *
1295  * Install a tty object into the driver tables. The @tty->index field will be
1296  * set by the time this is called. This method is responsible for ensuring any
1297  * need additional structures are allocated and configured.
1298  *
1299  * Locking: tty_mutex for now
1300  */
tty_driver_install_tty(struct tty_driver * driver,struct tty_struct * tty)1301 static int tty_driver_install_tty(struct tty_driver *driver,
1302 						struct tty_struct *tty)
1303 {
1304 	return driver->ops->install ? driver->ops->install(driver, tty) :
1305 		tty_standard_install(driver, tty);
1306 }
1307 
1308 /**
1309  * tty_driver_remove_tty() - remove a tty from the driver tables
1310  * @driver: the driver for the tty
1311  * @tty: tty to remove
1312  *
1313  * Remove a tty object from the driver tables. The tty->index field will be set
1314  * by the time this is called.
1315  *
1316  * Locking: tty_mutex for now
1317  */
tty_driver_remove_tty(struct tty_driver * driver,struct tty_struct * tty)1318 static void tty_driver_remove_tty(struct tty_driver *driver, struct tty_struct *tty)
1319 {
1320 	if (driver->ops->remove)
1321 		driver->ops->remove(driver, tty);
1322 	else
1323 		driver->ttys[tty->index] = NULL;
1324 }
1325 
1326 /**
1327  * tty_reopen() - fast re-open of an open tty
1328  * @tty: the tty to open
1329  *
1330  * Re-opens on master ptys are not allowed and return -%EIO.
1331  *
1332  * Locking: Caller must hold tty_lock
1333  * Return: 0 on success, -errno on error.
1334  */
tty_reopen(struct tty_struct * tty)1335 static int tty_reopen(struct tty_struct *tty)
1336 {
1337 	struct tty_driver *driver = tty->driver;
1338 	struct tty_ldisc *ld;
1339 	int retval = 0;
1340 
1341 	if (driver->type == TTY_DRIVER_TYPE_PTY &&
1342 	    driver->subtype == PTY_TYPE_MASTER)
1343 		return -EIO;
1344 
1345 	if (!tty->count)
1346 		return -EAGAIN;
1347 
1348 	if (test_bit(TTY_EXCLUSIVE, &tty->flags) && !capable(CAP_SYS_ADMIN))
1349 		return -EBUSY;
1350 
1351 	ld = tty_ldisc_ref_wait(tty);
1352 	if (ld) {
1353 		tty_ldisc_deref(ld);
1354 	} else {
1355 		retval = tty_ldisc_lock(tty, 5 * HZ);
1356 		if (retval)
1357 			return retval;
1358 
1359 		if (!tty->ldisc)
1360 			retval = tty_ldisc_reinit(tty, tty->termios.c_line);
1361 		tty_ldisc_unlock(tty);
1362 	}
1363 
1364 	if (retval == 0)
1365 		tty->count++;
1366 
1367 	return retval;
1368 }
1369 
1370 /**
1371  * tty_init_dev - initialise a tty device
1372  * @driver: tty driver we are opening a device on
1373  * @idx: device index
1374  *
1375  * Prepare a tty device. This may not be a "new" clean device but could also be
1376  * an active device. The pty drivers require special handling because of this.
1377  *
1378  * Locking:
1379  *	The function is called under the tty_mutex, which protects us from the
1380  *	tty struct or driver itself going away.
1381  *
1382  * On exit the tty device has the line discipline attached and a reference
1383  * count of 1. If a pair was created for pty/tty use and the other was a pty
1384  * master then it too has a reference count of 1.
1385  *
1386  * WSH 06/09/97: Rewritten to remove races and properly clean up after a failed
1387  * open. The new code protects the open with a mutex, so it's really quite
1388  * straightforward. The mutex locking can probably be relaxed for the (most
1389  * common) case of reopening a tty.
1390  *
1391  * Return: new tty structure
1392  */
tty_init_dev(struct tty_driver * driver,int idx)1393 struct tty_struct *tty_init_dev(struct tty_driver *driver, int idx)
1394 {
1395 	struct tty_struct *tty;
1396 	int retval;
1397 
1398 	/*
1399 	 * First time open is complex, especially for PTY devices.
1400 	 * This code guarantees that either everything succeeds and the
1401 	 * TTY is ready for operation, or else the table slots are vacated
1402 	 * and the allocated memory released.  (Except that the termios
1403 	 * may be retained.)
1404 	 */
1405 
1406 	if (!try_module_get(driver->owner))
1407 		return ERR_PTR(-ENODEV);
1408 
1409 	tty = alloc_tty_struct(driver, idx);
1410 	if (!tty) {
1411 		retval = -ENOMEM;
1412 		goto err_module_put;
1413 	}
1414 
1415 	tty_lock(tty);
1416 	retval = tty_driver_install_tty(driver, tty);
1417 	if (retval < 0)
1418 		goto err_free_tty;
1419 
1420 	if (!tty->port)
1421 		tty->port = driver->ports[idx];
1422 
1423 	if (WARN_RATELIMIT(!tty->port,
1424 			"%s: %s driver does not set tty->port. This would crash the kernel. Fix the driver!\n",
1425 			__func__, tty->driver->name)) {
1426 		retval = -EINVAL;
1427 		goto err_release_lock;
1428 	}
1429 
1430 	retval = tty_ldisc_lock(tty, 5 * HZ);
1431 	if (retval)
1432 		goto err_release_lock;
1433 	tty->port->itty = tty;
1434 
1435 	/*
1436 	 * Structures all installed ... call the ldisc open routines.
1437 	 * If we fail here just call release_tty to clean up.  No need
1438 	 * to decrement the use counts, as release_tty doesn't care.
1439 	 */
1440 	retval = tty_ldisc_setup(tty, tty->link);
1441 	if (retval)
1442 		goto err_release_tty;
1443 	tty_ldisc_unlock(tty);
1444 	/* Return the tty locked so that it cannot vanish under the caller */
1445 	return tty;
1446 
1447 err_free_tty:
1448 	tty_unlock(tty);
1449 	free_tty_struct(tty);
1450 err_module_put:
1451 	module_put(driver->owner);
1452 	return ERR_PTR(retval);
1453 
1454 	/* call the tty release_tty routine to clean out this slot */
1455 err_release_tty:
1456 	tty_ldisc_unlock(tty);
1457 	tty_info_ratelimited(tty, "ldisc open failed (%d), clearing slot %d\n",
1458 			     retval, idx);
1459 err_release_lock:
1460 	tty_unlock(tty);
1461 	release_tty(tty, idx);
1462 	return ERR_PTR(retval);
1463 }
1464 
1465 /**
1466  * tty_save_termios() - save tty termios data in driver table
1467  * @tty: tty whose termios data to save
1468  *
1469  * Locking: Caller guarantees serialisation with tty_init_termios().
1470  */
tty_save_termios(struct tty_struct * tty)1471 void tty_save_termios(struct tty_struct *tty)
1472 {
1473 	struct ktermios *tp;
1474 	int idx = tty->index;
1475 
1476 	/* If the port is going to reset then it has no termios to save */
1477 	if (tty->driver->flags & TTY_DRIVER_RESET_TERMIOS)
1478 		return;
1479 
1480 	/* Stash the termios data */
1481 	tp = tty->driver->termios[idx];
1482 	if (tp == NULL) {
1483 		tp = kmalloc(sizeof(*tp), GFP_KERNEL);
1484 		if (tp == NULL)
1485 			return;
1486 		tty->driver->termios[idx] = tp;
1487 	}
1488 	*tp = tty->termios;
1489 }
1490 EXPORT_SYMBOL_GPL(tty_save_termios);
1491 
1492 /**
1493  * tty_flush_works - flush all works of a tty/pty pair
1494  * @tty: tty device to flush works for (or either end of a pty pair)
1495  *
1496  * Sync flush all works belonging to @tty (and the 'other' tty).
1497  */
tty_flush_works(struct tty_struct * tty)1498 static void tty_flush_works(struct tty_struct *tty)
1499 {
1500 	flush_work(&tty->SAK_work);
1501 	flush_work(&tty->hangup_work);
1502 	if (tty->link) {
1503 		flush_work(&tty->link->SAK_work);
1504 		flush_work(&tty->link->hangup_work);
1505 	}
1506 }
1507 
1508 /**
1509  * release_one_tty - release tty structure memory
1510  * @work: work of tty we are obliterating
1511  *
1512  * Releases memory associated with a tty structure, and clears out the
1513  * driver table slots. This function is called when a device is no longer
1514  * in use. It also gets called when setup of a device fails.
1515  *
1516  * Locking:
1517  *	takes the file list lock internally when working on the list of ttys
1518  *	that the driver keeps.
1519  *
1520  * This method gets called from a work queue so that the driver private
1521  * cleanup ops can sleep (needed for USB at least)
1522  */
release_one_tty(struct work_struct * work)1523 static void release_one_tty(struct work_struct *work)
1524 {
1525 	struct tty_struct *tty =
1526 		container_of(work, struct tty_struct, hangup_work);
1527 	struct tty_driver *driver = tty->driver;
1528 	struct module *owner = driver->owner;
1529 
1530 	if (tty->ops->cleanup)
1531 		tty->ops->cleanup(tty);
1532 
1533 	tty_driver_kref_put(driver);
1534 	module_put(owner);
1535 
1536 	spin_lock(&tty->files_lock);
1537 	list_del_init(&tty->tty_files);
1538 	spin_unlock(&tty->files_lock);
1539 
1540 	put_pid(tty->ctrl.pgrp);
1541 	put_pid(tty->ctrl.session);
1542 	free_tty_struct(tty);
1543 }
1544 
queue_release_one_tty(struct kref * kref)1545 static void queue_release_one_tty(struct kref *kref)
1546 {
1547 	struct tty_struct *tty = container_of(kref, struct tty_struct, kref);
1548 
1549 	/* The hangup queue is now free so we can reuse it rather than
1550 	 *  waste a chunk of memory for each port.
1551 	 */
1552 	INIT_WORK(&tty->hangup_work, release_one_tty);
1553 	schedule_work(&tty->hangup_work);
1554 }
1555 
1556 /**
1557  * tty_kref_put - release a tty kref
1558  * @tty: tty device
1559  *
1560  * Release a reference to the @tty device and if need be let the kref layer
1561  * destruct the object for us.
1562  */
tty_kref_put(struct tty_struct * tty)1563 void tty_kref_put(struct tty_struct *tty)
1564 {
1565 	if (tty)
1566 		kref_put(&tty->kref, queue_release_one_tty);
1567 }
1568 EXPORT_SYMBOL(tty_kref_put);
1569 
1570 /**
1571  * release_tty - release tty structure memory
1572  * @tty: tty device release
1573  * @idx: index of the tty device release
1574  *
1575  * Release both @tty and a possible linked partner (think pty pair),
1576  * and decrement the refcount of the backing module.
1577  *
1578  * Locking:
1579  *	tty_mutex
1580  *	takes the file list lock internally when working on the list of ttys
1581  *	that the driver keeps.
1582  */
release_tty(struct tty_struct * tty,int idx)1583 static void release_tty(struct tty_struct *tty, int idx)
1584 {
1585 	/* This should always be true but check for the moment */
1586 	WARN_ON(tty->index != idx);
1587 	WARN_ON(!mutex_is_locked(&tty_mutex));
1588 	if (tty->ops->shutdown)
1589 		tty->ops->shutdown(tty);
1590 	tty_save_termios(tty);
1591 	tty_driver_remove_tty(tty->driver, tty);
1592 	if (tty->port)
1593 		tty->port->itty = NULL;
1594 	if (tty->link)
1595 		tty->link->port->itty = NULL;
1596 	if (tty->port)
1597 		tty_buffer_cancel_work(tty->port);
1598 	if (tty->link)
1599 		tty_buffer_cancel_work(tty->link->port);
1600 
1601 	tty_kref_put(tty->link);
1602 	tty_kref_put(tty);
1603 }
1604 
1605 /**
1606  * tty_release_checks - check a tty before real release
1607  * @tty: tty to check
1608  * @idx: index of the tty
1609  *
1610  * Performs some paranoid checking before true release of the @tty. This is a
1611  * no-op unless %TTY_PARANOIA_CHECK is defined.
1612  */
tty_release_checks(struct tty_struct * tty,int idx)1613 static int tty_release_checks(struct tty_struct *tty, int idx)
1614 {
1615 #ifdef TTY_PARANOIA_CHECK
1616 	if (idx < 0 || idx >= tty->driver->num) {
1617 		tty_debug(tty, "bad idx %d\n", idx);
1618 		return -1;
1619 	}
1620 
1621 	/* not much to check for devpts */
1622 	if (tty->driver->flags & TTY_DRIVER_DEVPTS_MEM)
1623 		return 0;
1624 
1625 	if (tty != tty->driver->ttys[idx]) {
1626 		tty_debug(tty, "bad driver table[%d] = %p\n",
1627 			  idx, tty->driver->ttys[idx]);
1628 		return -1;
1629 	}
1630 	if (tty->driver->other) {
1631 		struct tty_struct *o_tty = tty->link;
1632 
1633 		if (o_tty != tty->driver->other->ttys[idx]) {
1634 			tty_debug(tty, "bad other table[%d] = %p\n",
1635 				  idx, tty->driver->other->ttys[idx]);
1636 			return -1;
1637 		}
1638 		if (o_tty->link != tty) {
1639 			tty_debug(tty, "bad link = %p\n", o_tty->link);
1640 			return -1;
1641 		}
1642 	}
1643 #endif
1644 	return 0;
1645 }
1646 
1647 /**
1648  * tty_kclose - closes tty opened by tty_kopen
1649  * @tty: tty device
1650  *
1651  * Performs the final steps to release and free a tty device. It is the same as
1652  * tty_release_struct() except that it also resets %TTY_PORT_KOPENED flag on
1653  * @tty->port.
1654  */
tty_kclose(struct tty_struct * tty)1655 void tty_kclose(struct tty_struct *tty)
1656 {
1657 	/*
1658 	 * Ask the line discipline code to release its structures
1659 	 */
1660 	tty_ldisc_release(tty);
1661 
1662 	/* Wait for pending work before tty destruction commences */
1663 	tty_flush_works(tty);
1664 
1665 	tty_debug_hangup(tty, "freeing structure\n");
1666 	/*
1667 	 * The release_tty function takes care of the details of clearing
1668 	 * the slots and preserving the termios structure.
1669 	 */
1670 	mutex_lock(&tty_mutex);
1671 	tty_port_set_kopened(tty->port, 0);
1672 	release_tty(tty, tty->index);
1673 	mutex_unlock(&tty_mutex);
1674 }
1675 EXPORT_SYMBOL_GPL(tty_kclose);
1676 
1677 /**
1678  * tty_release_struct - release a tty struct
1679  * @tty: tty device
1680  * @idx: index of the tty
1681  *
1682  * Performs the final steps to release and free a tty device. It is roughly the
1683  * reverse of tty_init_dev().
1684  */
tty_release_struct(struct tty_struct * tty,int idx)1685 void tty_release_struct(struct tty_struct *tty, int idx)
1686 {
1687 	/*
1688 	 * Ask the line discipline code to release its structures
1689 	 */
1690 	tty_ldisc_release(tty);
1691 
1692 	/* Wait for pending work before tty destruction commmences */
1693 	tty_flush_works(tty);
1694 
1695 	tty_debug_hangup(tty, "freeing structure\n");
1696 	/*
1697 	 * The release_tty function takes care of the details of clearing
1698 	 * the slots and preserving the termios structure.
1699 	 */
1700 	mutex_lock(&tty_mutex);
1701 	release_tty(tty, idx);
1702 	mutex_unlock(&tty_mutex);
1703 }
1704 EXPORT_SYMBOL_GPL(tty_release_struct);
1705 
1706 /**
1707  * tty_release - vfs callback for close
1708  * @inode: inode of tty
1709  * @filp: file pointer for handle to tty
1710  *
1711  * Called the last time each file handle is closed that references this tty.
1712  * There may however be several such references.
1713  *
1714  * Locking:
1715  *	Takes BKL. See tty_release_dev().
1716  *
1717  * Even releasing the tty structures is a tricky business. We have to be very
1718  * careful that the structures are all released at the same time, as interrupts
1719  * might otherwise get the wrong pointers.
1720  *
1721  * WSH 09/09/97: rewritten to avoid some nasty race conditions that could
1722  * lead to double frees or releasing memory still in use.
1723  */
tty_release(struct inode * inode,struct file * filp)1724 int tty_release(struct inode *inode, struct file *filp)
1725 {
1726 	struct tty_struct *tty = file_tty(filp);
1727 	struct tty_struct *o_tty = NULL;
1728 	int	do_sleep, final;
1729 	int	idx;
1730 	long	timeout = 0;
1731 	int	once = 1;
1732 
1733 	if (tty_paranoia_check(tty, inode, __func__))
1734 		return 0;
1735 
1736 	tty_lock(tty);
1737 	check_tty_count(tty, __func__);
1738 
1739 	__tty_fasync(-1, filp, 0);
1740 
1741 	idx = tty->index;
1742 	if (tty->driver->type == TTY_DRIVER_TYPE_PTY &&
1743 	    tty->driver->subtype == PTY_TYPE_MASTER)
1744 		o_tty = tty->link;
1745 
1746 	if (tty_release_checks(tty, idx)) {
1747 		tty_unlock(tty);
1748 		return 0;
1749 	}
1750 
1751 	tty_debug_hangup(tty, "releasing (count=%d)\n", tty->count);
1752 
1753 	if (tty->ops->close)
1754 		tty->ops->close(tty, filp);
1755 
1756 	/* If tty is pty master, lock the slave pty (stable lock order) */
1757 	tty_lock_slave(o_tty);
1758 
1759 	/*
1760 	 * Sanity check: if tty->count is going to zero, there shouldn't be
1761 	 * any waiters on tty->read_wait or tty->write_wait.  We test the
1762 	 * wait queues and kick everyone out _before_ actually starting to
1763 	 * close.  This ensures that we won't block while releasing the tty
1764 	 * structure.
1765 	 *
1766 	 * The test for the o_tty closing is necessary, since the master and
1767 	 * slave sides may close in any order.  If the slave side closes out
1768 	 * first, its count will be one, since the master side holds an open.
1769 	 * Thus this test wouldn't be triggered at the time the slave closed,
1770 	 * so we do it now.
1771 	 */
1772 	while (1) {
1773 		do_sleep = 0;
1774 
1775 		if (tty->count <= 1) {
1776 			if (waitqueue_active(&tty->read_wait)) {
1777 				wake_up_poll(&tty->read_wait, EPOLLIN);
1778 				do_sleep++;
1779 			}
1780 			if (waitqueue_active(&tty->write_wait)) {
1781 				wake_up_poll(&tty->write_wait, EPOLLOUT);
1782 				do_sleep++;
1783 			}
1784 		}
1785 		if (o_tty && o_tty->count <= 1) {
1786 			if (waitqueue_active(&o_tty->read_wait)) {
1787 				wake_up_poll(&o_tty->read_wait, EPOLLIN);
1788 				do_sleep++;
1789 			}
1790 			if (waitqueue_active(&o_tty->write_wait)) {
1791 				wake_up_poll(&o_tty->write_wait, EPOLLOUT);
1792 				do_sleep++;
1793 			}
1794 		}
1795 		if (!do_sleep)
1796 			break;
1797 
1798 		if (once) {
1799 			once = 0;
1800 			tty_warn(tty, "read/write wait queue active!\n");
1801 		}
1802 		schedule_timeout_killable(timeout);
1803 		if (timeout < 120 * HZ)
1804 			timeout = 2 * timeout + 1;
1805 		else
1806 			timeout = MAX_SCHEDULE_TIMEOUT;
1807 	}
1808 
1809 	if (o_tty) {
1810 		if (--o_tty->count < 0) {
1811 			tty_warn(tty, "bad slave count (%d)\n", o_tty->count);
1812 			o_tty->count = 0;
1813 		}
1814 	}
1815 	if (--tty->count < 0) {
1816 		tty_warn(tty, "bad tty->count (%d)\n", tty->count);
1817 		tty->count = 0;
1818 	}
1819 
1820 	/*
1821 	 * We've decremented tty->count, so we need to remove this file
1822 	 * descriptor off the tty->tty_files list; this serves two
1823 	 * purposes:
1824 	 *  - check_tty_count sees the correct number of file descriptors
1825 	 *    associated with this tty.
1826 	 *  - do_tty_hangup no longer sees this file descriptor as
1827 	 *    something that needs to be handled for hangups.
1828 	 */
1829 	tty_del_file(filp);
1830 
1831 	/*
1832 	 * Perform some housekeeping before deciding whether to return.
1833 	 *
1834 	 * If _either_ side is closing, make sure there aren't any
1835 	 * processes that still think tty or o_tty is their controlling
1836 	 * tty.
1837 	 */
1838 	if (!tty->count) {
1839 		read_lock(&tasklist_lock);
1840 		session_clear_tty(tty->ctrl.session);
1841 		if (o_tty)
1842 			session_clear_tty(o_tty->ctrl.session);
1843 		read_unlock(&tasklist_lock);
1844 	}
1845 
1846 	/* check whether both sides are closing ... */
1847 	final = !tty->count && !(o_tty && o_tty->count);
1848 
1849 	tty_unlock_slave(o_tty);
1850 	tty_unlock(tty);
1851 
1852 	/* At this point, the tty->count == 0 should ensure a dead tty
1853 	 * cannot be re-opened by a racing opener.
1854 	 */
1855 
1856 	if (!final)
1857 		return 0;
1858 
1859 	tty_debug_hangup(tty, "final close\n");
1860 
1861 	tty_release_struct(tty, idx);
1862 	return 0;
1863 }
1864 
1865 /**
1866  * tty_open_current_tty - get locked tty of current task
1867  * @device: device number
1868  * @filp: file pointer to tty
1869  * @return: locked tty of the current task iff @device is /dev/tty
1870  *
1871  * Performs a re-open of the current task's controlling tty.
1872  *
1873  * We cannot return driver and index like for the other nodes because devpts
1874  * will not work then. It expects inodes to be from devpts FS.
1875  */
tty_open_current_tty(dev_t device,struct file * filp)1876 static struct tty_struct *tty_open_current_tty(dev_t device, struct file *filp)
1877 {
1878 	struct tty_struct *tty;
1879 	int retval;
1880 
1881 	if (device != MKDEV(TTYAUX_MAJOR, 0))
1882 		return NULL;
1883 
1884 	tty = get_current_tty();
1885 	if (!tty)
1886 		return ERR_PTR(-ENXIO);
1887 
1888 	filp->f_flags |= O_NONBLOCK; /* Don't let /dev/tty block */
1889 	/* noctty = 1; */
1890 	tty_lock(tty);
1891 	tty_kref_put(tty);	/* safe to drop the kref now */
1892 
1893 	retval = tty_reopen(tty);
1894 	if (retval < 0) {
1895 		tty_unlock(tty);
1896 		tty = ERR_PTR(retval);
1897 	}
1898 	return tty;
1899 }
1900 
1901 /**
1902  * tty_lookup_driver - lookup a tty driver for a given device file
1903  * @device: device number
1904  * @filp: file pointer to tty
1905  * @index: index for the device in the @return driver
1906  *
1907  * If returned value is not erroneous, the caller is responsible to decrement
1908  * the refcount by tty_driver_kref_put().
1909  *
1910  * Locking: %tty_mutex protects get_tty_driver()
1911  *
1912  * Return: driver for this inode (with increased refcount)
1913  */
tty_lookup_driver(dev_t device,struct file * filp,int * index)1914 static struct tty_driver *tty_lookup_driver(dev_t device, struct file *filp,
1915 		int *index)
1916 {
1917 	struct tty_driver *driver = NULL;
1918 
1919 	switch (device) {
1920 #ifdef CONFIG_VT
1921 	case MKDEV(TTY_MAJOR, 0): {
1922 		extern struct tty_driver *console_driver;
1923 
1924 		driver = tty_driver_kref_get(console_driver);
1925 		*index = fg_console;
1926 		break;
1927 	}
1928 #endif
1929 	case MKDEV(TTYAUX_MAJOR, 1): {
1930 		struct tty_driver *console_driver = console_device(index);
1931 
1932 		if (console_driver) {
1933 			driver = tty_driver_kref_get(console_driver);
1934 			if (driver && filp) {
1935 				/* Don't let /dev/console block */
1936 				filp->f_flags |= O_NONBLOCK;
1937 				break;
1938 			}
1939 		}
1940 		if (driver)
1941 			tty_driver_kref_put(driver);
1942 		return ERR_PTR(-ENODEV);
1943 	}
1944 	default:
1945 		driver = get_tty_driver(device, index);
1946 		if (!driver)
1947 			return ERR_PTR(-ENODEV);
1948 		break;
1949 	}
1950 	return driver;
1951 }
1952 
tty_kopen(dev_t device,int shared)1953 static struct tty_struct *tty_kopen(dev_t device, int shared)
1954 {
1955 	struct tty_struct *tty;
1956 	struct tty_driver *driver;
1957 	int index = -1;
1958 
1959 	mutex_lock(&tty_mutex);
1960 	driver = tty_lookup_driver(device, NULL, &index);
1961 	if (IS_ERR(driver)) {
1962 		mutex_unlock(&tty_mutex);
1963 		return ERR_CAST(driver);
1964 	}
1965 
1966 	/* check whether we're reopening an existing tty */
1967 	tty = tty_driver_lookup_tty(driver, NULL, index);
1968 	if (IS_ERR(tty) || shared)
1969 		goto out;
1970 
1971 	if (tty) {
1972 		/* drop kref from tty_driver_lookup_tty() */
1973 		tty_kref_put(tty);
1974 		tty = ERR_PTR(-EBUSY);
1975 	} else { /* tty_init_dev returns tty with the tty_lock held */
1976 		tty = tty_init_dev(driver, index);
1977 		if (IS_ERR(tty))
1978 			goto out;
1979 		tty_port_set_kopened(tty->port, 1);
1980 	}
1981 out:
1982 	mutex_unlock(&tty_mutex);
1983 	tty_driver_kref_put(driver);
1984 	return tty;
1985 }
1986 
1987 /**
1988  * tty_kopen_exclusive - open a tty device for kernel
1989  * @device: dev_t of device to open
1990  *
1991  * Opens tty exclusively for kernel. Performs the driver lookup, makes sure
1992  * it's not already opened and performs the first-time tty initialization.
1993  *
1994  * Claims the global %tty_mutex to serialize:
1995  *  * concurrent first-time tty initialization
1996  *  * concurrent tty driver removal w/ lookup
1997  *  * concurrent tty removal from driver table
1998  *
1999  * Return: the locked initialized &tty_struct
2000  */
tty_kopen_exclusive(dev_t device)2001 struct tty_struct *tty_kopen_exclusive(dev_t device)
2002 {
2003 	return tty_kopen(device, 0);
2004 }
2005 EXPORT_SYMBOL_GPL(tty_kopen_exclusive);
2006 
2007 /**
2008  * tty_kopen_shared - open a tty device for shared in-kernel use
2009  * @device: dev_t of device to open
2010  *
2011  * Opens an already existing tty for in-kernel use. Compared to
2012  * tty_kopen_exclusive() above it doesn't ensure to be the only user.
2013  *
2014  * Locking: identical to tty_kopen() above.
2015  */
tty_kopen_shared(dev_t device)2016 struct tty_struct *tty_kopen_shared(dev_t device)
2017 {
2018 	return tty_kopen(device, 1);
2019 }
2020 EXPORT_SYMBOL_GPL(tty_kopen_shared);
2021 
2022 /**
2023  * tty_open_by_driver - open a tty device
2024  * @device: dev_t of device to open
2025  * @filp: file pointer to tty
2026  *
2027  * Performs the driver lookup, checks for a reopen, or otherwise performs the
2028  * first-time tty initialization.
2029  *
2030  *
2031  * Claims the global tty_mutex to serialize:
2032  *  * concurrent first-time tty initialization
2033  *  * concurrent tty driver removal w/ lookup
2034  *  * concurrent tty removal from driver table
2035  *
2036  * Return: the locked initialized or re-opened &tty_struct
2037  */
tty_open_by_driver(dev_t device,struct file * filp)2038 static struct tty_struct *tty_open_by_driver(dev_t device,
2039 					     struct file *filp)
2040 {
2041 	struct tty_struct *tty;
2042 	struct tty_driver *driver = NULL;
2043 	int index = -1;
2044 	int retval;
2045 
2046 	mutex_lock(&tty_mutex);
2047 	driver = tty_lookup_driver(device, filp, &index);
2048 	if (IS_ERR(driver)) {
2049 		mutex_unlock(&tty_mutex);
2050 		return ERR_CAST(driver);
2051 	}
2052 
2053 	/* check whether we're reopening an existing tty */
2054 	tty = tty_driver_lookup_tty(driver, filp, index);
2055 	if (IS_ERR(tty)) {
2056 		mutex_unlock(&tty_mutex);
2057 		goto out;
2058 	}
2059 
2060 	if (tty) {
2061 		if (tty_port_kopened(tty->port)) {
2062 			tty_kref_put(tty);
2063 			mutex_unlock(&tty_mutex);
2064 			tty = ERR_PTR(-EBUSY);
2065 			goto out;
2066 		}
2067 		mutex_unlock(&tty_mutex);
2068 		retval = tty_lock_interruptible(tty);
2069 		tty_kref_put(tty);  /* drop kref from tty_driver_lookup_tty() */
2070 		if (retval) {
2071 			if (retval == -EINTR)
2072 				retval = -ERESTARTSYS;
2073 			tty = ERR_PTR(retval);
2074 			goto out;
2075 		}
2076 		retval = tty_reopen(tty);
2077 		if (retval < 0) {
2078 			tty_unlock(tty);
2079 			tty = ERR_PTR(retval);
2080 		}
2081 	} else { /* Returns with the tty_lock held for now */
2082 		tty = tty_init_dev(driver, index);
2083 		mutex_unlock(&tty_mutex);
2084 	}
2085 out:
2086 	tty_driver_kref_put(driver);
2087 	return tty;
2088 }
2089 
2090 /**
2091  * tty_open - open a tty device
2092  * @inode: inode of device file
2093  * @filp: file pointer to tty
2094  *
2095  * tty_open() and tty_release() keep up the tty count that contains the number
2096  * of opens done on a tty. We cannot use the inode-count, as different inodes
2097  * might point to the same tty.
2098  *
2099  * Open-counting is needed for pty masters, as well as for keeping track of
2100  * serial lines: DTR is dropped when the last close happens.
2101  * (This is not done solely through tty->count, now.  - Ted 1/27/92)
2102  *
2103  * The termios state of a pty is reset on the first open so that settings don't
2104  * persist across reuse.
2105  *
2106  * Locking:
2107  *  * %tty_mutex protects tty, tty_lookup_driver() and tty_init_dev().
2108  *  * @tty->count should protect the rest.
2109  *  * ->siglock protects ->signal/->sighand
2110  *
2111  * Note: the tty_unlock/lock cases without a ref are only safe due to %tty_mutex
2112  */
tty_open(struct inode * inode,struct file * filp)2113 static int tty_open(struct inode *inode, struct file *filp)
2114 {
2115 	struct tty_struct *tty;
2116 	int noctty, retval;
2117 	dev_t device = inode->i_rdev;
2118 	unsigned saved_flags = filp->f_flags;
2119 
2120 	nonseekable_open(inode, filp);
2121 
2122 retry_open:
2123 	retval = tty_alloc_file(filp);
2124 	if (retval)
2125 		return -ENOMEM;
2126 
2127 	tty = tty_open_current_tty(device, filp);
2128 	if (!tty)
2129 		tty = tty_open_by_driver(device, filp);
2130 
2131 	if (IS_ERR(tty)) {
2132 		tty_free_file(filp);
2133 		retval = PTR_ERR(tty);
2134 		if (retval != -EAGAIN || signal_pending(current))
2135 			return retval;
2136 		schedule();
2137 		goto retry_open;
2138 	}
2139 
2140 	tty_add_file(tty, filp);
2141 
2142 	check_tty_count(tty, __func__);
2143 	tty_debug_hangup(tty, "opening (count=%d)\n", tty->count);
2144 
2145 	if (tty->ops->open)
2146 		retval = tty->ops->open(tty, filp);
2147 	else
2148 		retval = -ENODEV;
2149 	filp->f_flags = saved_flags;
2150 
2151 	if (retval) {
2152 		tty_debug_hangup(tty, "open error %d, releasing\n", retval);
2153 
2154 		tty_unlock(tty); /* need to call tty_release without BTM */
2155 		tty_release(inode, filp);
2156 		if (retval != -ERESTARTSYS)
2157 			return retval;
2158 
2159 		if (signal_pending(current))
2160 			return retval;
2161 
2162 		schedule();
2163 		/*
2164 		 * Need to reset f_op in case a hangup happened.
2165 		 */
2166 		if (tty_hung_up_p(filp))
2167 			filp->f_op = &tty_fops;
2168 		goto retry_open;
2169 	}
2170 	clear_bit(TTY_HUPPED, &tty->flags);
2171 
2172 	noctty = (filp->f_flags & O_NOCTTY) ||
2173 		 (IS_ENABLED(CONFIG_VT) && device == MKDEV(TTY_MAJOR, 0)) ||
2174 		 device == MKDEV(TTYAUX_MAJOR, 1) ||
2175 		 (tty->driver->type == TTY_DRIVER_TYPE_PTY &&
2176 		  tty->driver->subtype == PTY_TYPE_MASTER);
2177 	if (!noctty)
2178 		tty_open_proc_set_tty(filp, tty);
2179 	tty_unlock(tty);
2180 	return 0;
2181 }
2182 
2183 
2184 /**
2185  * tty_poll - check tty status
2186  * @filp: file being polled
2187  * @wait: poll wait structures to update
2188  *
2189  * Call the line discipline polling method to obtain the poll status of the
2190  * device.
2191  *
2192  * Locking: locks called line discipline but ldisc poll method may be
2193  * re-entered freely by other callers.
2194  */
tty_poll(struct file * filp,poll_table * wait)2195 static __poll_t tty_poll(struct file *filp, poll_table *wait)
2196 {
2197 	struct tty_struct *tty = file_tty(filp);
2198 	struct tty_ldisc *ld;
2199 	__poll_t ret = 0;
2200 
2201 	if (tty_paranoia_check(tty, file_inode(filp), "tty_poll"))
2202 		return 0;
2203 
2204 	ld = tty_ldisc_ref_wait(tty);
2205 	if (!ld)
2206 		return hung_up_tty_poll(filp, wait);
2207 	if (ld->ops->poll)
2208 		ret = ld->ops->poll(tty, filp, wait);
2209 	tty_ldisc_deref(ld);
2210 	return ret;
2211 }
2212 
__tty_fasync(int fd,struct file * filp,int on)2213 static int __tty_fasync(int fd, struct file *filp, int on)
2214 {
2215 	struct tty_struct *tty = file_tty(filp);
2216 	unsigned long flags;
2217 	int retval = 0;
2218 
2219 	if (tty_paranoia_check(tty, file_inode(filp), "tty_fasync"))
2220 		goto out;
2221 
2222 	if (on) {
2223 		retval = file_f_owner_allocate(filp);
2224 		if (retval)
2225 			goto out;
2226 	}
2227 
2228 	retval = fasync_helper(fd, filp, on, &tty->fasync);
2229 	if (retval <= 0)
2230 		goto out;
2231 
2232 	if (on) {
2233 		enum pid_type type;
2234 		struct pid *pid;
2235 
2236 		spin_lock_irqsave(&tty->ctrl.lock, flags);
2237 		if (tty->ctrl.pgrp) {
2238 			pid = tty->ctrl.pgrp;
2239 			type = PIDTYPE_PGID;
2240 		} else {
2241 			pid = task_pid(current);
2242 			type = PIDTYPE_TGID;
2243 		}
2244 		get_pid(pid);
2245 		spin_unlock_irqrestore(&tty->ctrl.lock, flags);
2246 		__f_setown(filp, pid, type, 0);
2247 		put_pid(pid);
2248 		retval = 0;
2249 	}
2250 out:
2251 	return retval;
2252 }
2253 
tty_fasync(int fd,struct file * filp,int on)2254 static int tty_fasync(int fd, struct file *filp, int on)
2255 {
2256 	struct tty_struct *tty = file_tty(filp);
2257 	int retval = -ENOTTY;
2258 
2259 	tty_lock(tty);
2260 	if (!tty_hung_up_p(filp))
2261 		retval = __tty_fasync(fd, filp, on);
2262 	tty_unlock(tty);
2263 
2264 	return retval;
2265 }
2266 
2267 static bool tty_legacy_tiocsti __read_mostly = IS_ENABLED(CONFIG_LEGACY_TIOCSTI);
2268 /**
2269  * tiocsti - fake input character
2270  * @tty: tty to fake input into
2271  * @p: pointer to character
2272  *
2273  * Fake input to a tty device. Does the necessary locking and input management.
2274  *
2275  * FIXME: does not honour flow control ??
2276  *
2277  * Locking:
2278  *  * Called functions take tty_ldiscs_lock
2279  *  * current->signal->tty check is safe without locks
2280  */
tiocsti(struct tty_struct * tty,u8 __user * p)2281 static int tiocsti(struct tty_struct *tty, u8 __user *p)
2282 {
2283 	struct tty_ldisc *ld;
2284 	u8 ch;
2285 
2286 	if (!tty_legacy_tiocsti && !capable(CAP_SYS_ADMIN))
2287 		return -EIO;
2288 
2289 	if ((current->signal->tty != tty) && !capable(CAP_SYS_ADMIN))
2290 		return -EPERM;
2291 	if (get_user(ch, p))
2292 		return -EFAULT;
2293 	tty_audit_tiocsti(tty, ch);
2294 	ld = tty_ldisc_ref_wait(tty);
2295 	if (!ld)
2296 		return -EIO;
2297 	tty_buffer_lock_exclusive(tty->port);
2298 	if (ld->ops->receive_buf)
2299 		ld->ops->receive_buf(tty, &ch, NULL, 1);
2300 	tty_buffer_unlock_exclusive(tty->port);
2301 	tty_ldisc_deref(ld);
2302 	return 0;
2303 }
2304 
2305 /**
2306  * tiocgwinsz - implement window query ioctl
2307  * @tty: tty
2308  * @arg: user buffer for result
2309  *
2310  * Copies the kernel idea of the window size into the user buffer.
2311  *
2312  * Locking: @tty->winsize_mutex is taken to ensure the winsize data is
2313  * consistent.
2314  */
tiocgwinsz(struct tty_struct * tty,struct winsize __user * arg)2315 static int tiocgwinsz(struct tty_struct *tty, struct winsize __user *arg)
2316 {
2317 	int err;
2318 
2319 	mutex_lock(&tty->winsize_mutex);
2320 	err = copy_to_user(arg, &tty->winsize, sizeof(*arg));
2321 	mutex_unlock(&tty->winsize_mutex);
2322 
2323 	return err ? -EFAULT : 0;
2324 }
2325 
2326 /**
2327  * tty_do_resize - resize event
2328  * @tty: tty being resized
2329  * @ws: new dimensions
2330  *
2331  * Update the termios variables and send the necessary signals to peform a
2332  * terminal resize correctly.
2333  */
tty_do_resize(struct tty_struct * tty,struct winsize * ws)2334 int tty_do_resize(struct tty_struct *tty, struct winsize *ws)
2335 {
2336 	struct pid *pgrp;
2337 
2338 	/* Lock the tty */
2339 	mutex_lock(&tty->winsize_mutex);
2340 	if (!memcmp(ws, &tty->winsize, sizeof(*ws)))
2341 		goto done;
2342 
2343 	/* Signal the foreground process group */
2344 	pgrp = tty_get_pgrp(tty);
2345 	if (pgrp)
2346 		kill_pgrp(pgrp, SIGWINCH, 1);
2347 	put_pid(pgrp);
2348 
2349 	tty->winsize = *ws;
2350 done:
2351 	mutex_unlock(&tty->winsize_mutex);
2352 	return 0;
2353 }
2354 EXPORT_SYMBOL(tty_do_resize);
2355 
2356 /**
2357  * tiocswinsz - implement window size set ioctl
2358  * @tty: tty side of tty
2359  * @arg: user buffer for result
2360  *
2361  * Copies the user idea of the window size to the kernel. Traditionally this is
2362  * just advisory information but for the Linux console it actually has driver
2363  * level meaning and triggers a VC resize.
2364  *
2365  * Locking:
2366  *	Driver dependent. The default do_resize method takes the tty termios
2367  *	mutex and ctrl.lock. The console takes its own lock then calls into the
2368  *	default method.
2369  */
tiocswinsz(struct tty_struct * tty,struct winsize __user * arg)2370 static int tiocswinsz(struct tty_struct *tty, struct winsize __user *arg)
2371 {
2372 	struct winsize tmp_ws;
2373 
2374 	if (copy_from_user(&tmp_ws, arg, sizeof(*arg)))
2375 		return -EFAULT;
2376 
2377 	if (tty->ops->resize)
2378 		return tty->ops->resize(tty, &tmp_ws);
2379 	else
2380 		return tty_do_resize(tty, &tmp_ws);
2381 }
2382 
2383 /**
2384  * tioccons - allow admin to move logical console
2385  * @file: the file to become console
2386  *
2387  * Allow the administrator to move the redirected console device.
2388  *
2389  * Locking: uses redirect_lock to guard the redirect information
2390  */
tioccons(struct file * file)2391 static int tioccons(struct file *file)
2392 {
2393 	if (!capable(CAP_SYS_ADMIN))
2394 		return -EPERM;
2395 	if (file->f_op->write_iter == redirected_tty_write) {
2396 		struct file *f;
2397 
2398 		spin_lock(&redirect_lock);
2399 		f = redirect;
2400 		redirect = NULL;
2401 		spin_unlock(&redirect_lock);
2402 		if (f)
2403 			fput(f);
2404 		return 0;
2405 	}
2406 	if (file->f_op->write_iter != tty_write)
2407 		return -ENOTTY;
2408 	if (!(file->f_mode & FMODE_WRITE))
2409 		return -EBADF;
2410 	if (!(file->f_mode & FMODE_CAN_WRITE))
2411 		return -EINVAL;
2412 	spin_lock(&redirect_lock);
2413 	if (redirect) {
2414 		spin_unlock(&redirect_lock);
2415 		return -EBUSY;
2416 	}
2417 	redirect = get_file(file);
2418 	spin_unlock(&redirect_lock);
2419 	return 0;
2420 }
2421 
2422 /**
2423  * tiocsetd - set line discipline
2424  * @tty: tty device
2425  * @p: pointer to user data
2426  *
2427  * Set the line discipline according to user request.
2428  *
2429  * Locking: see tty_set_ldisc(), this function is just a helper
2430  */
tiocsetd(struct tty_struct * tty,int __user * p)2431 static int tiocsetd(struct tty_struct *tty, int __user *p)
2432 {
2433 	int disc;
2434 	int ret;
2435 
2436 	if (get_user(disc, p))
2437 		return -EFAULT;
2438 
2439 	ret = tty_set_ldisc(tty, disc);
2440 
2441 	return ret;
2442 }
2443 
2444 /**
2445  * tiocgetd - get line discipline
2446  * @tty: tty device
2447  * @p: pointer to user data
2448  *
2449  * Retrieves the line discipline id directly from the ldisc.
2450  *
2451  * Locking: waits for ldisc reference (in case the line discipline is changing
2452  * or the @tty is being hungup)
2453  */
tiocgetd(struct tty_struct * tty,int __user * p)2454 static int tiocgetd(struct tty_struct *tty, int __user *p)
2455 {
2456 	struct tty_ldisc *ld;
2457 	int ret;
2458 
2459 	ld = tty_ldisc_ref_wait(tty);
2460 	if (!ld)
2461 		return -EIO;
2462 	ret = put_user(ld->ops->num, p);
2463 	tty_ldisc_deref(ld);
2464 	return ret;
2465 }
2466 
2467 /**
2468  * send_break - performed time break
2469  * @tty: device to break on
2470  * @duration: timeout in mS
2471  *
2472  * Perform a timed break on hardware that lacks its own driver level timed
2473  * break functionality.
2474  *
2475  * Locking:
2476  *	@tty->atomic_write_lock serializes
2477  */
send_break(struct tty_struct * tty,unsigned int duration)2478 static int send_break(struct tty_struct *tty, unsigned int duration)
2479 {
2480 	int retval;
2481 
2482 	if (tty->ops->break_ctl == NULL)
2483 		return 0;
2484 
2485 	if (tty->driver->flags & TTY_DRIVER_HARDWARE_BREAK)
2486 		return tty->ops->break_ctl(tty, duration);
2487 
2488 	/* Do the work ourselves */
2489 	if (tty_write_lock(tty, false) < 0)
2490 		return -EINTR;
2491 
2492 	retval = tty->ops->break_ctl(tty, -1);
2493 	if (!retval) {
2494 		msleep_interruptible(duration);
2495 		retval = tty->ops->break_ctl(tty, 0);
2496 	} else if (retval == -EOPNOTSUPP) {
2497 		/* some drivers can tell only dynamically */
2498 		retval = 0;
2499 	}
2500 	tty_write_unlock(tty);
2501 
2502 	if (signal_pending(current))
2503 		retval = -EINTR;
2504 
2505 	return retval;
2506 }
2507 
2508 /**
2509  * tty_get_tiocm - get tiocm status register
2510  * @tty: tty device
2511  *
2512  * Obtain the modem status bits from the tty driver if the feature
2513  * is supported.
2514  */
tty_get_tiocm(struct tty_struct * tty)2515 int tty_get_tiocm(struct tty_struct *tty)
2516 {
2517 	int retval = -ENOTTY;
2518 
2519 	if (tty->ops->tiocmget)
2520 		retval = tty->ops->tiocmget(tty);
2521 
2522 	return retval;
2523 }
2524 EXPORT_SYMBOL_GPL(tty_get_tiocm);
2525 
2526 /**
2527  * tty_tiocmget - get modem status
2528  * @tty: tty device
2529  * @p: pointer to result
2530  *
2531  * Obtain the modem status bits from the tty driver if the feature is
2532  * supported. Return -%ENOTTY if it is not available.
2533  *
2534  * Locking: none (up to the driver)
2535  */
tty_tiocmget(struct tty_struct * tty,int __user * p)2536 static int tty_tiocmget(struct tty_struct *tty, int __user *p)
2537 {
2538 	int retval;
2539 
2540 	retval = tty_get_tiocm(tty);
2541 	if (retval >= 0)
2542 		retval = put_user(retval, p);
2543 
2544 	return retval;
2545 }
2546 
2547 /**
2548  * tty_tiocmset - set modem status
2549  * @tty: tty device
2550  * @cmd: command - clear bits, set bits or set all
2551  * @p: pointer to desired bits
2552  *
2553  * Set the modem status bits from the tty driver if the feature
2554  * is supported. Return -%ENOTTY if it is not available.
2555  *
2556  * Locking: none (up to the driver)
2557  */
tty_tiocmset(struct tty_struct * tty,unsigned int cmd,unsigned __user * p)2558 static int tty_tiocmset(struct tty_struct *tty, unsigned int cmd,
2559 	     unsigned __user *p)
2560 {
2561 	int retval;
2562 	unsigned int set, clear, val;
2563 
2564 	if (tty->ops->tiocmset == NULL)
2565 		return -ENOTTY;
2566 
2567 	retval = get_user(val, p);
2568 	if (retval)
2569 		return retval;
2570 	set = clear = 0;
2571 	switch (cmd) {
2572 	case TIOCMBIS:
2573 		set = val;
2574 		break;
2575 	case TIOCMBIC:
2576 		clear = val;
2577 		break;
2578 	case TIOCMSET:
2579 		set = val;
2580 		clear = ~val;
2581 		break;
2582 	}
2583 	set &= TIOCM_DTR|TIOCM_RTS|TIOCM_OUT1|TIOCM_OUT2|TIOCM_LOOP;
2584 	clear &= TIOCM_DTR|TIOCM_RTS|TIOCM_OUT1|TIOCM_OUT2|TIOCM_LOOP;
2585 	return tty->ops->tiocmset(tty, set, clear);
2586 }
2587 
2588 /**
2589  * tty_get_icount - get tty statistics
2590  * @tty: tty device
2591  * @icount: output parameter
2592  *
2593  * Gets a copy of the @tty's icount statistics.
2594  *
2595  * Locking: none (up to the driver)
2596  */
tty_get_icount(struct tty_struct * tty,struct serial_icounter_struct * icount)2597 int tty_get_icount(struct tty_struct *tty,
2598 		   struct serial_icounter_struct *icount)
2599 {
2600 	memset(icount, 0, sizeof(*icount));
2601 
2602 	if (tty->ops->get_icount)
2603 		return tty->ops->get_icount(tty, icount);
2604 	else
2605 		return -ENOTTY;
2606 }
2607 EXPORT_SYMBOL_GPL(tty_get_icount);
2608 
tty_tiocgicount(struct tty_struct * tty,void __user * arg)2609 static int tty_tiocgicount(struct tty_struct *tty, void __user *arg)
2610 {
2611 	struct serial_icounter_struct icount;
2612 	int retval;
2613 
2614 	retval = tty_get_icount(tty, &icount);
2615 	if (retval != 0)
2616 		return retval;
2617 
2618 	if (copy_to_user(arg, &icount, sizeof(icount)))
2619 		return -EFAULT;
2620 	return 0;
2621 }
2622 
tty_set_serial(struct tty_struct * tty,struct serial_struct * ss)2623 static int tty_set_serial(struct tty_struct *tty, struct serial_struct *ss)
2624 {
2625 	char comm[TASK_COMM_LEN];
2626 	int flags;
2627 
2628 	flags = ss->flags & ASYNC_DEPRECATED;
2629 
2630 	if (flags)
2631 		pr_warn_ratelimited("%s: '%s' is using deprecated serial flags (with no effect): %.8x\n",
2632 				__func__, get_task_comm(comm, current), flags);
2633 
2634 	if (!tty->ops->set_serial)
2635 		return -ENOTTY;
2636 
2637 	return tty->ops->set_serial(tty, ss);
2638 }
2639 
tty_tiocsserial(struct tty_struct * tty,struct serial_struct __user * ss)2640 static int tty_tiocsserial(struct tty_struct *tty, struct serial_struct __user *ss)
2641 {
2642 	struct serial_struct v;
2643 
2644 	if (copy_from_user(&v, ss, sizeof(*ss)))
2645 		return -EFAULT;
2646 
2647 	return tty_set_serial(tty, &v);
2648 }
2649 
tty_tiocgserial(struct tty_struct * tty,struct serial_struct __user * ss)2650 static int tty_tiocgserial(struct tty_struct *tty, struct serial_struct __user *ss)
2651 {
2652 	struct serial_struct v;
2653 	int err;
2654 
2655 	memset(&v, 0, sizeof(v));
2656 	if (!tty->ops->get_serial)
2657 		return -ENOTTY;
2658 	err = tty->ops->get_serial(tty, &v);
2659 	if (!err && copy_to_user(ss, &v, sizeof(v)))
2660 		err = -EFAULT;
2661 	return err;
2662 }
2663 
2664 /*
2665  * if pty, return the slave side (real_tty)
2666  * otherwise, return self
2667  */
tty_pair_get_tty(struct tty_struct * tty)2668 static struct tty_struct *tty_pair_get_tty(struct tty_struct *tty)
2669 {
2670 	if (tty->driver->type == TTY_DRIVER_TYPE_PTY &&
2671 	    tty->driver->subtype == PTY_TYPE_MASTER)
2672 		tty = tty->link;
2673 	return tty;
2674 }
2675 
2676 /*
2677  * Split this up, as gcc can choke on it otherwise..
2678  */
tty_ioctl(struct file * file,unsigned int cmd,unsigned long arg)2679 long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
2680 {
2681 	struct tty_struct *tty = file_tty(file);
2682 	struct tty_struct *real_tty;
2683 	void __user *p = (void __user *)arg;
2684 	int retval;
2685 	struct tty_ldisc *ld;
2686 
2687 	if (tty_paranoia_check(tty, file_inode(file), "tty_ioctl"))
2688 		return -EINVAL;
2689 
2690 	real_tty = tty_pair_get_tty(tty);
2691 
2692 	/*
2693 	 * Factor out some common prep work
2694 	 */
2695 	switch (cmd) {
2696 	case TIOCSETD:
2697 	case TIOCSBRK:
2698 	case TIOCCBRK:
2699 	case TCSBRK:
2700 	case TCSBRKP:
2701 		retval = tty_check_change(tty);
2702 		if (retval)
2703 			return retval;
2704 		if (cmd != TIOCCBRK) {
2705 			tty_wait_until_sent(tty, 0);
2706 			if (signal_pending(current))
2707 				return -EINTR;
2708 		}
2709 		break;
2710 	}
2711 
2712 	/*
2713 	 *	Now do the stuff.
2714 	 */
2715 	switch (cmd) {
2716 	case TIOCSTI:
2717 		return tiocsti(tty, p);
2718 	case TIOCGWINSZ:
2719 		return tiocgwinsz(real_tty, p);
2720 	case TIOCSWINSZ:
2721 		return tiocswinsz(real_tty, p);
2722 	case TIOCCONS:
2723 		return real_tty != tty ? -EINVAL : tioccons(file);
2724 	case TIOCEXCL:
2725 		set_bit(TTY_EXCLUSIVE, &tty->flags);
2726 		return 0;
2727 	case TIOCNXCL:
2728 		clear_bit(TTY_EXCLUSIVE, &tty->flags);
2729 		return 0;
2730 	case TIOCGEXCL:
2731 	{
2732 		int excl = test_bit(TTY_EXCLUSIVE, &tty->flags);
2733 
2734 		return put_user(excl, (int __user *)p);
2735 	}
2736 	case TIOCGETD:
2737 		return tiocgetd(tty, p);
2738 	case TIOCSETD:
2739 		return tiocsetd(tty, p);
2740 	case TIOCVHANGUP:
2741 		if (!capable(CAP_SYS_ADMIN))
2742 			return -EPERM;
2743 		tty_vhangup(tty);
2744 		return 0;
2745 	case TIOCGDEV:
2746 	{
2747 		unsigned int ret = new_encode_dev(tty_devnum(real_tty));
2748 
2749 		return put_user(ret, (unsigned int __user *)p);
2750 	}
2751 	/*
2752 	 * Break handling
2753 	 */
2754 	case TIOCSBRK:	/* Turn break on, unconditionally */
2755 		if (tty->ops->break_ctl)
2756 			return tty->ops->break_ctl(tty, -1);
2757 		return 0;
2758 	case TIOCCBRK:	/* Turn break off, unconditionally */
2759 		if (tty->ops->break_ctl)
2760 			return tty->ops->break_ctl(tty, 0);
2761 		return 0;
2762 	case TCSBRK:   /* SVID version: non-zero arg --> no break */
2763 		/* non-zero arg means wait for all output data
2764 		 * to be sent (performed above) but don't send break.
2765 		 * This is used by the tcdrain() termios function.
2766 		 */
2767 		if (!arg)
2768 			return send_break(tty, 250);
2769 		return 0;
2770 	case TCSBRKP:	/* support for POSIX tcsendbreak() */
2771 		return send_break(tty, arg ? arg*100 : 250);
2772 
2773 	case TIOCMGET:
2774 		return tty_tiocmget(tty, p);
2775 	case TIOCMSET:
2776 	case TIOCMBIC:
2777 	case TIOCMBIS:
2778 		return tty_tiocmset(tty, cmd, p);
2779 	case TIOCGICOUNT:
2780 		return tty_tiocgicount(tty, p);
2781 	case TCFLSH:
2782 		switch (arg) {
2783 		case TCIFLUSH:
2784 		case TCIOFLUSH:
2785 		/* flush tty buffer and allow ldisc to process ioctl */
2786 			tty_buffer_flush(tty, NULL);
2787 			break;
2788 		}
2789 		break;
2790 	case TIOCSSERIAL:
2791 		return tty_tiocsserial(tty, p);
2792 	case TIOCGSERIAL:
2793 		return tty_tiocgserial(tty, p);
2794 	case TIOCGPTPEER:
2795 		/* Special because the struct file is needed */
2796 		return ptm_open_peer(file, tty, (int)arg);
2797 	default:
2798 		retval = tty_jobctrl_ioctl(tty, real_tty, file, cmd, arg);
2799 		if (retval != -ENOIOCTLCMD)
2800 			return retval;
2801 	}
2802 	if (tty->ops->ioctl) {
2803 		retval = tty->ops->ioctl(tty, cmd, arg);
2804 		if (retval != -ENOIOCTLCMD)
2805 			return retval;
2806 	}
2807 	ld = tty_ldisc_ref_wait(tty);
2808 	if (!ld)
2809 		return hung_up_tty_ioctl(file, cmd, arg);
2810 	retval = -EINVAL;
2811 	if (ld->ops->ioctl) {
2812 		retval = ld->ops->ioctl(tty, cmd, arg);
2813 		if (retval == -ENOIOCTLCMD)
2814 			retval = -ENOTTY;
2815 	}
2816 	tty_ldisc_deref(ld);
2817 	return retval;
2818 }
2819 
2820 #ifdef CONFIG_COMPAT
2821 
2822 struct serial_struct32 {
2823 	compat_int_t    type;
2824 	compat_int_t    line;
2825 	compat_uint_t   port;
2826 	compat_int_t    irq;
2827 	compat_int_t    flags;
2828 	compat_int_t    xmit_fifo_size;
2829 	compat_int_t    custom_divisor;
2830 	compat_int_t    baud_base;
2831 	unsigned short  close_delay;
2832 	char    io_type;
2833 	char    reserved_char;
2834 	compat_int_t    hub6;
2835 	unsigned short  closing_wait; /* time to wait before closing */
2836 	unsigned short  closing_wait2; /* no longer used... */
2837 	compat_uint_t   iomem_base;
2838 	unsigned short  iomem_reg_shift;
2839 	unsigned int    port_high;
2840 	/* compat_ulong_t  iomap_base FIXME */
2841 	compat_int_t    reserved;
2842 };
2843 
compat_tty_tiocsserial(struct tty_struct * tty,struct serial_struct32 __user * ss)2844 static int compat_tty_tiocsserial(struct tty_struct *tty,
2845 		struct serial_struct32 __user *ss)
2846 {
2847 	struct serial_struct32 v32;
2848 	struct serial_struct v;
2849 
2850 	if (copy_from_user(&v32, ss, sizeof(*ss)))
2851 		return -EFAULT;
2852 
2853 	memcpy(&v, &v32, offsetof(struct serial_struct32, iomem_base));
2854 	v.iomem_base = compat_ptr(v32.iomem_base);
2855 	v.iomem_reg_shift = v32.iomem_reg_shift;
2856 	v.port_high = v32.port_high;
2857 	v.iomap_base = 0;
2858 
2859 	return tty_set_serial(tty, &v);
2860 }
2861 
compat_tty_tiocgserial(struct tty_struct * tty,struct serial_struct32 __user * ss)2862 static int compat_tty_tiocgserial(struct tty_struct *tty,
2863 			struct serial_struct32 __user *ss)
2864 {
2865 	struct serial_struct32 v32;
2866 	struct serial_struct v;
2867 	int err;
2868 
2869 	memset(&v, 0, sizeof(v));
2870 	memset(&v32, 0, sizeof(v32));
2871 
2872 	if (!tty->ops->get_serial)
2873 		return -ENOTTY;
2874 	err = tty->ops->get_serial(tty, &v);
2875 	if (!err) {
2876 		memcpy(&v32, &v, offsetof(struct serial_struct32, iomem_base));
2877 		v32.iomem_base = (unsigned long)v.iomem_base >> 32 ?
2878 			0xfffffff : ptr_to_compat(v.iomem_base);
2879 		v32.iomem_reg_shift = v.iomem_reg_shift;
2880 		v32.port_high = v.port_high;
2881 		if (copy_to_user(ss, &v32, sizeof(v32)))
2882 			err = -EFAULT;
2883 	}
2884 	return err;
2885 }
tty_compat_ioctl(struct file * file,unsigned int cmd,unsigned long arg)2886 static long tty_compat_ioctl(struct file *file, unsigned int cmd,
2887 				unsigned long arg)
2888 {
2889 	struct tty_struct *tty = file_tty(file);
2890 	struct tty_ldisc *ld;
2891 	int retval = -ENOIOCTLCMD;
2892 
2893 	switch (cmd) {
2894 	case TIOCOUTQ:
2895 	case TIOCSTI:
2896 	case TIOCGWINSZ:
2897 	case TIOCSWINSZ:
2898 	case TIOCGEXCL:
2899 	case TIOCGETD:
2900 	case TIOCSETD:
2901 	case TIOCGDEV:
2902 	case TIOCMGET:
2903 	case TIOCMSET:
2904 	case TIOCMBIC:
2905 	case TIOCMBIS:
2906 	case TIOCGICOUNT:
2907 	case TIOCGPGRP:
2908 	case TIOCSPGRP:
2909 	case TIOCGSID:
2910 	case TIOCSERGETLSR:
2911 	case TIOCGRS485:
2912 	case TIOCSRS485:
2913 #ifdef TIOCGETP
2914 	case TIOCGETP:
2915 	case TIOCSETP:
2916 	case TIOCSETN:
2917 #endif
2918 #ifdef TIOCGETC
2919 	case TIOCGETC:
2920 	case TIOCSETC:
2921 #endif
2922 #ifdef TIOCGLTC
2923 	case TIOCGLTC:
2924 	case TIOCSLTC:
2925 #endif
2926 	case TCSETSF:
2927 	case TCSETSW:
2928 	case TCSETS:
2929 	case TCGETS:
2930 #ifdef TCGETS2
2931 	case TCGETS2:
2932 	case TCSETSF2:
2933 	case TCSETSW2:
2934 	case TCSETS2:
2935 #endif
2936 	case TCGETA:
2937 	case TCSETAF:
2938 	case TCSETAW:
2939 	case TCSETA:
2940 	case TIOCGLCKTRMIOS:
2941 	case TIOCSLCKTRMIOS:
2942 #ifdef TCGETX
2943 	case TCGETX:
2944 	case TCSETX:
2945 	case TCSETXW:
2946 	case TCSETXF:
2947 #endif
2948 	case TIOCGSOFTCAR:
2949 	case TIOCSSOFTCAR:
2950 
2951 	case PPPIOCGCHAN:
2952 	case PPPIOCGUNIT:
2953 		return tty_ioctl(file, cmd, (unsigned long)compat_ptr(arg));
2954 	case TIOCCONS:
2955 	case TIOCEXCL:
2956 	case TIOCNXCL:
2957 	case TIOCVHANGUP:
2958 	case TIOCSBRK:
2959 	case TIOCCBRK:
2960 	case TCSBRK:
2961 	case TCSBRKP:
2962 	case TCFLSH:
2963 	case TIOCGPTPEER:
2964 	case TIOCNOTTY:
2965 	case TIOCSCTTY:
2966 	case TCXONC:
2967 	case TIOCMIWAIT:
2968 	case TIOCSERCONFIG:
2969 		return tty_ioctl(file, cmd, arg);
2970 	}
2971 
2972 	if (tty_paranoia_check(tty, file_inode(file), "tty_ioctl"))
2973 		return -EINVAL;
2974 
2975 	switch (cmd) {
2976 	case TIOCSSERIAL:
2977 		return compat_tty_tiocsserial(tty, compat_ptr(arg));
2978 	case TIOCGSERIAL:
2979 		return compat_tty_tiocgserial(tty, compat_ptr(arg));
2980 	}
2981 	if (tty->ops->compat_ioctl) {
2982 		retval = tty->ops->compat_ioctl(tty, cmd, arg);
2983 		if (retval != -ENOIOCTLCMD)
2984 			return retval;
2985 	}
2986 
2987 	ld = tty_ldisc_ref_wait(tty);
2988 	if (!ld)
2989 		return hung_up_tty_compat_ioctl(file, cmd, arg);
2990 	if (ld->ops->compat_ioctl)
2991 		retval = ld->ops->compat_ioctl(tty, cmd, arg);
2992 	if (retval == -ENOIOCTLCMD && ld->ops->ioctl)
2993 		retval = ld->ops->ioctl(tty, (unsigned long)compat_ptr(cmd),
2994 				arg);
2995 	tty_ldisc_deref(ld);
2996 
2997 	return retval;
2998 }
2999 #endif
3000 
this_tty(const void * t,struct file * file,unsigned fd)3001 static int this_tty(const void *t, struct file *file, unsigned fd)
3002 {
3003 	if (likely(file->f_op->read_iter != tty_read))
3004 		return 0;
3005 	return file_tty(file) != t ? 0 : fd + 1;
3006 }
3007 
3008 /*
3009  * This implements the "Secure Attention Key" ---  the idea is to
3010  * prevent trojan horses by killing all processes associated with this
3011  * tty when the user hits the "Secure Attention Key".  Required for
3012  * super-paranoid applications --- see the Orange Book for more details.
3013  *
3014  * This code could be nicer; ideally it should send a HUP, wait a few
3015  * seconds, then send a INT, and then a KILL signal.  But you then
3016  * have to coordinate with the init process, since all processes associated
3017  * with the current tty must be dead before the new getty is allowed
3018  * to spawn.
3019  *
3020  * Now, if it would be correct ;-/ The current code has a nasty hole -
3021  * it doesn't catch files in flight. We may send the descriptor to ourselves
3022  * via AF_UNIX socket, close it and later fetch from socket. FIXME.
3023  *
3024  * Nasty bug: do_SAK is being called in interrupt context.  This can
3025  * deadlock.  We punt it up to process context.  AKPM - 16Mar2001
3026  */
__do_SAK(struct tty_struct * tty)3027 void __do_SAK(struct tty_struct *tty)
3028 {
3029 	struct task_struct *g, *p;
3030 	struct pid *session;
3031 	int i;
3032 	unsigned long flags;
3033 
3034 	spin_lock_irqsave(&tty->ctrl.lock, flags);
3035 	session = get_pid(tty->ctrl.session);
3036 	spin_unlock_irqrestore(&tty->ctrl.lock, flags);
3037 
3038 	tty_ldisc_flush(tty);
3039 
3040 	tty_driver_flush_buffer(tty);
3041 
3042 	read_lock(&tasklist_lock);
3043 	/* Kill the entire session */
3044 	do_each_pid_task(session, PIDTYPE_SID, p) {
3045 		tty_notice(tty, "SAK: killed process %d (%s): by session\n",
3046 			   task_pid_nr(p), p->comm);
3047 		group_send_sig_info(SIGKILL, SEND_SIG_PRIV, p, PIDTYPE_SID);
3048 	} while_each_pid_task(session, PIDTYPE_SID, p);
3049 
3050 	/* Now kill any processes that happen to have the tty open */
3051 	for_each_process_thread(g, p) {
3052 		if (p->signal->tty == tty) {
3053 			tty_notice(tty, "SAK: killed process %d (%s): by controlling tty\n",
3054 				   task_pid_nr(p), p->comm);
3055 			group_send_sig_info(SIGKILL, SEND_SIG_PRIV, p,
3056 					PIDTYPE_SID);
3057 			continue;
3058 		}
3059 		task_lock(p);
3060 		i = iterate_fd(p->files, 0, this_tty, tty);
3061 		if (i != 0) {
3062 			tty_notice(tty, "SAK: killed process %d (%s): by fd#%d\n",
3063 				   task_pid_nr(p), p->comm, i - 1);
3064 			group_send_sig_info(SIGKILL, SEND_SIG_PRIV, p,
3065 					PIDTYPE_SID);
3066 		}
3067 		task_unlock(p);
3068 	}
3069 	read_unlock(&tasklist_lock);
3070 	put_pid(session);
3071 }
3072 
do_SAK_work(struct work_struct * work)3073 static void do_SAK_work(struct work_struct *work)
3074 {
3075 	struct tty_struct *tty =
3076 		container_of(work, struct tty_struct, SAK_work);
3077 	__do_SAK(tty);
3078 }
3079 
3080 /*
3081  * The tq handling here is a little racy - tty->SAK_work may already be queued.
3082  * Fortunately we don't need to worry, because if ->SAK_work is already queued,
3083  * the values which we write to it will be identical to the values which it
3084  * already has. --akpm
3085  */
do_SAK(struct tty_struct * tty)3086 void do_SAK(struct tty_struct *tty)
3087 {
3088 	if (!tty)
3089 		return;
3090 	schedule_work(&tty->SAK_work);
3091 }
3092 EXPORT_SYMBOL(do_SAK);
3093 
3094 /* Must put_device() after it's unused! */
tty_get_device(struct tty_struct * tty)3095 static struct device *tty_get_device(struct tty_struct *tty)
3096 {
3097 	dev_t devt = tty_devnum(tty);
3098 
3099 	return class_find_device_by_devt(&tty_class, devt);
3100 }
3101 
3102 
3103 /**
3104  * alloc_tty_struct - allocate a new tty
3105  * @driver: driver which will handle the returned tty
3106  * @idx: minor of the tty
3107  *
3108  * This subroutine allocates and initializes a tty structure.
3109  *
3110  * Locking: none - @tty in question is not exposed at this point
3111  */
alloc_tty_struct(struct tty_driver * driver,int idx)3112 struct tty_struct *alloc_tty_struct(struct tty_driver *driver, int idx)
3113 {
3114 	struct tty_struct *tty;
3115 
3116 	tty = kzalloc(sizeof(*tty), GFP_KERNEL_ACCOUNT);
3117 	if (!tty)
3118 		return NULL;
3119 
3120 	kref_init(&tty->kref);
3121 	if (tty_ldisc_init(tty)) {
3122 		kfree(tty);
3123 		return NULL;
3124 	}
3125 	tty->ctrl.session = NULL;
3126 	tty->ctrl.pgrp = NULL;
3127 	mutex_init(&tty->legacy_mutex);
3128 	mutex_init(&tty->throttle_mutex);
3129 	init_rwsem(&tty->termios_rwsem);
3130 	mutex_init(&tty->winsize_mutex);
3131 	init_ldsem(&tty->ldisc_sem);
3132 	init_waitqueue_head(&tty->write_wait);
3133 	init_waitqueue_head(&tty->read_wait);
3134 	INIT_WORK(&tty->hangup_work, do_tty_hangup);
3135 	mutex_init(&tty->atomic_write_lock);
3136 	spin_lock_init(&tty->ctrl.lock);
3137 	spin_lock_init(&tty->flow.lock);
3138 	spin_lock_init(&tty->files_lock);
3139 	INIT_LIST_HEAD(&tty->tty_files);
3140 	INIT_WORK(&tty->SAK_work, do_SAK_work);
3141 
3142 	tty->driver = driver;
3143 	tty->ops = driver->ops;
3144 	tty->index = idx;
3145 	tty_line_name(driver, idx, tty->name);
3146 	tty->dev = tty_get_device(tty);
3147 
3148 	return tty;
3149 }
3150 
3151 /**
3152  * tty_put_char - write one character to a tty
3153  * @tty: tty
3154  * @ch: character to write
3155  *
3156  * Write one byte to the @tty using the provided @tty->ops->put_char() method
3157  * if present.
3158  *
3159  * Note: the specific put_char operation in the driver layer may go
3160  * away soon. Don't call it directly, use this method
3161  *
3162  * Return: the number of characters successfully output.
3163  */
tty_put_char(struct tty_struct * tty,u8 ch)3164 int tty_put_char(struct tty_struct *tty, u8 ch)
3165 {
3166 	if (tty->ops->put_char)
3167 		return tty->ops->put_char(tty, ch);
3168 	return tty->ops->write(tty, &ch, 1);
3169 }
3170 EXPORT_SYMBOL_GPL(tty_put_char);
3171 
tty_cdev_add(struct tty_driver * driver,dev_t dev,unsigned int index,unsigned int count)3172 static int tty_cdev_add(struct tty_driver *driver, dev_t dev,
3173 		unsigned int index, unsigned int count)
3174 {
3175 	int err;
3176 
3177 	/* init here, since reused cdevs cause crashes */
3178 	driver->cdevs[index] = cdev_alloc();
3179 	if (!driver->cdevs[index])
3180 		return -ENOMEM;
3181 	driver->cdevs[index]->ops = &tty_fops;
3182 	driver->cdevs[index]->owner = driver->owner;
3183 	err = cdev_add(driver->cdevs[index], dev, count);
3184 	if (err)
3185 		kobject_put(&driver->cdevs[index]->kobj);
3186 	return err;
3187 }
3188 
3189 /**
3190  * tty_register_device - register a tty device
3191  * @driver: the tty driver that describes the tty device
3192  * @index: the index in the tty driver for this tty device
3193  * @device: a struct device that is associated with this tty device.
3194  *	This field is optional, if there is no known struct device
3195  *	for this tty device it can be set to NULL safely.
3196  *
3197  * This call is required to be made to register an individual tty device
3198  * if the tty driver's flags have the %TTY_DRIVER_DYNAMIC_DEV bit set.  If
3199  * that bit is not set, this function should not be called by a tty
3200  * driver.
3201  *
3202  * Locking: ??
3203  *
3204  * Return: A pointer to the struct device for this tty device (or
3205  * ERR_PTR(-EFOO) on error).
3206  */
tty_register_device(struct tty_driver * driver,unsigned index,struct device * device)3207 struct device *tty_register_device(struct tty_driver *driver, unsigned index,
3208 				   struct device *device)
3209 {
3210 	return tty_register_device_attr(driver, index, device, NULL, NULL);
3211 }
3212 EXPORT_SYMBOL(tty_register_device);
3213 
tty_device_create_release(struct device * dev)3214 static void tty_device_create_release(struct device *dev)
3215 {
3216 	dev_dbg(dev, "releasing...\n");
3217 	kfree(dev);
3218 }
3219 
3220 /**
3221  * tty_register_device_attr - register a tty device
3222  * @driver: the tty driver that describes the tty device
3223  * @index: the index in the tty driver for this tty device
3224  * @device: a struct device that is associated with this tty device.
3225  *	This field is optional, if there is no known struct device
3226  *	for this tty device it can be set to %NULL safely.
3227  * @drvdata: Driver data to be set to device.
3228  * @attr_grp: Attribute group to be set on device.
3229  *
3230  * This call is required to be made to register an individual tty device if the
3231  * tty driver's flags have the %TTY_DRIVER_DYNAMIC_DEV bit set. If that bit is
3232  * not set, this function should not be called by a tty driver.
3233  *
3234  * Locking: ??
3235  *
3236  * Return: A pointer to the struct device for this tty device (or
3237  * ERR_PTR(-EFOO) on error).
3238  */
tty_register_device_attr(struct tty_driver * driver,unsigned index,struct device * device,void * drvdata,const struct attribute_group ** attr_grp)3239 struct device *tty_register_device_attr(struct tty_driver *driver,
3240 				   unsigned index, struct device *device,
3241 				   void *drvdata,
3242 				   const struct attribute_group **attr_grp)
3243 {
3244 	char name[64];
3245 	dev_t devt = MKDEV(driver->major, driver->minor_start) + index;
3246 	struct ktermios *tp;
3247 	struct device *dev;
3248 	int retval;
3249 
3250 	if (index >= driver->num) {
3251 		pr_err("%s: Attempt to register invalid tty line number (%d)\n",
3252 		       driver->name, index);
3253 		return ERR_PTR(-EINVAL);
3254 	}
3255 
3256 	if (driver->type == TTY_DRIVER_TYPE_PTY)
3257 		pty_line_name(driver, index, name);
3258 	else
3259 		tty_line_name(driver, index, name);
3260 
3261 	dev = kzalloc(sizeof(*dev), GFP_KERNEL);
3262 	if (!dev)
3263 		return ERR_PTR(-ENOMEM);
3264 
3265 	dev->devt = devt;
3266 	dev->class = &tty_class;
3267 	dev->parent = device;
3268 	dev->release = tty_device_create_release;
3269 	dev_set_name(dev, "%s", name);
3270 	dev->groups = attr_grp;
3271 	dev_set_drvdata(dev, drvdata);
3272 
3273 	dev_set_uevent_suppress(dev, 1);
3274 
3275 	retval = device_register(dev);
3276 	if (retval)
3277 		goto err_put;
3278 
3279 	if (!(driver->flags & TTY_DRIVER_DYNAMIC_ALLOC)) {
3280 		/*
3281 		 * Free any saved termios data so that the termios state is
3282 		 * reset when reusing a minor number.
3283 		 */
3284 		tp = driver->termios[index];
3285 		if (tp) {
3286 			driver->termios[index] = NULL;
3287 			kfree(tp);
3288 		}
3289 
3290 		retval = tty_cdev_add(driver, devt, index, 1);
3291 		if (retval)
3292 			goto err_del;
3293 	}
3294 
3295 	dev_set_uevent_suppress(dev, 0);
3296 	kobject_uevent(&dev->kobj, KOBJ_ADD);
3297 
3298 	return dev;
3299 
3300 err_del:
3301 	device_del(dev);
3302 err_put:
3303 	put_device(dev);
3304 
3305 	return ERR_PTR(retval);
3306 }
3307 EXPORT_SYMBOL_GPL(tty_register_device_attr);
3308 
3309 /**
3310  * tty_unregister_device - unregister a tty device
3311  * @driver: the tty driver that describes the tty device
3312  * @index: the index in the tty driver for this tty device
3313  *
3314  * If a tty device is registered with a call to tty_register_device() then
3315  * this function must be called when the tty device is gone.
3316  *
3317  * Locking: ??
3318  */
tty_unregister_device(struct tty_driver * driver,unsigned index)3319 void tty_unregister_device(struct tty_driver *driver, unsigned index)
3320 {
3321 	device_destroy(&tty_class, MKDEV(driver->major, driver->minor_start) + index);
3322 	if (!(driver->flags & TTY_DRIVER_DYNAMIC_ALLOC)) {
3323 		cdev_del(driver->cdevs[index]);
3324 		driver->cdevs[index] = NULL;
3325 	}
3326 }
3327 EXPORT_SYMBOL(tty_unregister_device);
3328 
3329 /**
3330  * __tty_alloc_driver - allocate tty driver
3331  * @lines: count of lines this driver can handle at most
3332  * @owner: module which is responsible for this driver
3333  * @flags: some of %TTY_DRIVER_ flags, will be set in driver->flags
3334  *
3335  * This should not be called directly, some of the provided macros should be
3336  * used instead. Use IS_ERR() and friends on @retval.
3337  */
__tty_alloc_driver(unsigned int lines,struct module * owner,unsigned long flags)3338 struct tty_driver *__tty_alloc_driver(unsigned int lines, struct module *owner,
3339 		unsigned long flags)
3340 {
3341 	struct tty_driver *driver;
3342 	unsigned int cdevs = 1;
3343 	int err;
3344 
3345 	if (!lines || (flags & TTY_DRIVER_UNNUMBERED_NODE && lines > 1))
3346 		return ERR_PTR(-EINVAL);
3347 
3348 	driver = kzalloc(sizeof(*driver), GFP_KERNEL);
3349 	if (!driver)
3350 		return ERR_PTR(-ENOMEM);
3351 
3352 	kref_init(&driver->kref);
3353 	driver->num = lines;
3354 	driver->owner = owner;
3355 	driver->flags = flags;
3356 
3357 	if (!(flags & TTY_DRIVER_DEVPTS_MEM)) {
3358 		driver->ttys = kcalloc(lines, sizeof(*driver->ttys),
3359 				GFP_KERNEL);
3360 		driver->termios = kcalloc(lines, sizeof(*driver->termios),
3361 				GFP_KERNEL);
3362 		if (!driver->ttys || !driver->termios) {
3363 			err = -ENOMEM;
3364 			goto err_free_all;
3365 		}
3366 	}
3367 
3368 	if (!(flags & TTY_DRIVER_DYNAMIC_ALLOC)) {
3369 		driver->ports = kcalloc(lines, sizeof(*driver->ports),
3370 				GFP_KERNEL);
3371 		if (!driver->ports) {
3372 			err = -ENOMEM;
3373 			goto err_free_all;
3374 		}
3375 		cdevs = lines;
3376 	}
3377 
3378 	driver->cdevs = kcalloc(cdevs, sizeof(*driver->cdevs), GFP_KERNEL);
3379 	if (!driver->cdevs) {
3380 		err = -ENOMEM;
3381 		goto err_free_all;
3382 	}
3383 
3384 	return driver;
3385 err_free_all:
3386 	kfree(driver->ports);
3387 	kfree(driver->ttys);
3388 	kfree(driver->termios);
3389 	kfree(driver->cdevs);
3390 	kfree(driver);
3391 	return ERR_PTR(err);
3392 }
3393 EXPORT_SYMBOL(__tty_alloc_driver);
3394 
destruct_tty_driver(struct kref * kref)3395 static void destruct_tty_driver(struct kref *kref)
3396 {
3397 	struct tty_driver *driver = container_of(kref, struct tty_driver, kref);
3398 	int i;
3399 	struct ktermios *tp;
3400 
3401 	if (driver->flags & TTY_DRIVER_INSTALLED) {
3402 		for (i = 0; i < driver->num; i++) {
3403 			tp = driver->termios[i];
3404 			if (tp) {
3405 				driver->termios[i] = NULL;
3406 				kfree(tp);
3407 			}
3408 			if (!(driver->flags & TTY_DRIVER_DYNAMIC_DEV))
3409 				tty_unregister_device(driver, i);
3410 		}
3411 		proc_tty_unregister_driver(driver);
3412 		if (driver->flags & TTY_DRIVER_DYNAMIC_ALLOC)
3413 			cdev_del(driver->cdevs[0]);
3414 	}
3415 	kfree(driver->cdevs);
3416 	kfree(driver->ports);
3417 	kfree(driver->termios);
3418 	kfree(driver->ttys);
3419 	kfree(driver);
3420 }
3421 
3422 /**
3423  * tty_driver_kref_put - drop a reference to a tty driver
3424  * @driver: driver of which to drop the reference
3425  *
3426  * The final put will destroy and free up the driver.
3427  */
tty_driver_kref_put(struct tty_driver * driver)3428 void tty_driver_kref_put(struct tty_driver *driver)
3429 {
3430 	kref_put(&driver->kref, destruct_tty_driver);
3431 }
3432 EXPORT_SYMBOL(tty_driver_kref_put);
3433 
3434 /**
3435  * tty_register_driver - register a tty driver
3436  * @driver: driver to register
3437  *
3438  * Called by a tty driver to register itself.
3439  */
tty_register_driver(struct tty_driver * driver)3440 int tty_register_driver(struct tty_driver *driver)
3441 {
3442 	int error;
3443 	int i;
3444 	dev_t dev;
3445 	struct device *d;
3446 
3447 	if (!driver->major) {
3448 		error = alloc_chrdev_region(&dev, driver->minor_start,
3449 						driver->num, driver->name);
3450 		if (!error) {
3451 			driver->major = MAJOR(dev);
3452 			driver->minor_start = MINOR(dev);
3453 		}
3454 	} else {
3455 		dev = MKDEV(driver->major, driver->minor_start);
3456 		error = register_chrdev_region(dev, driver->num, driver->name);
3457 	}
3458 	if (error < 0)
3459 		goto err;
3460 
3461 	if (driver->flags & TTY_DRIVER_DYNAMIC_ALLOC) {
3462 		error = tty_cdev_add(driver, dev, 0, driver->num);
3463 		if (error)
3464 			goto err_unreg_char;
3465 	}
3466 
3467 	mutex_lock(&tty_mutex);
3468 	list_add(&driver->tty_drivers, &tty_drivers);
3469 	mutex_unlock(&tty_mutex);
3470 
3471 	if (!(driver->flags & TTY_DRIVER_DYNAMIC_DEV)) {
3472 		for (i = 0; i < driver->num; i++) {
3473 			d = tty_register_device(driver, i, NULL);
3474 			if (IS_ERR(d)) {
3475 				error = PTR_ERR(d);
3476 				goto err_unreg_devs;
3477 			}
3478 		}
3479 	}
3480 	proc_tty_register_driver(driver);
3481 	driver->flags |= TTY_DRIVER_INSTALLED;
3482 	return 0;
3483 
3484 err_unreg_devs:
3485 	for (i--; i >= 0; i--)
3486 		tty_unregister_device(driver, i);
3487 
3488 	mutex_lock(&tty_mutex);
3489 	list_del(&driver->tty_drivers);
3490 	mutex_unlock(&tty_mutex);
3491 
3492 err_unreg_char:
3493 	unregister_chrdev_region(dev, driver->num);
3494 err:
3495 	return error;
3496 }
3497 EXPORT_SYMBOL(tty_register_driver);
3498 
3499 /**
3500  * tty_unregister_driver - unregister a tty driver
3501  * @driver: driver to unregister
3502  *
3503  * Called by a tty driver to unregister itself.
3504  */
tty_unregister_driver(struct tty_driver * driver)3505 void tty_unregister_driver(struct tty_driver *driver)
3506 {
3507 	unregister_chrdev_region(MKDEV(driver->major, driver->minor_start),
3508 				driver->num);
3509 	mutex_lock(&tty_mutex);
3510 	list_del(&driver->tty_drivers);
3511 	mutex_unlock(&tty_mutex);
3512 }
3513 EXPORT_SYMBOL(tty_unregister_driver);
3514 
tty_devnum(struct tty_struct * tty)3515 dev_t tty_devnum(struct tty_struct *tty)
3516 {
3517 	return MKDEV(tty->driver->major, tty->driver->minor_start) + tty->index;
3518 }
3519 EXPORT_SYMBOL(tty_devnum);
3520 
tty_default_fops(struct file_operations * fops)3521 void tty_default_fops(struct file_operations *fops)
3522 {
3523 	*fops = tty_fops;
3524 }
3525 
tty_devnode(const struct device * dev,umode_t * mode)3526 static char *tty_devnode(const struct device *dev, umode_t *mode)
3527 {
3528 	if (!mode)
3529 		return NULL;
3530 	if (dev->devt == MKDEV(TTYAUX_MAJOR, 0) ||
3531 	    dev->devt == MKDEV(TTYAUX_MAJOR, 2))
3532 		*mode = 0666;
3533 	return NULL;
3534 }
3535 
3536 const struct class tty_class = {
3537 	.name		= "tty",
3538 	.devnode	= tty_devnode,
3539 };
3540 
tty_class_init(void)3541 static int __init tty_class_init(void)
3542 {
3543 	return class_register(&tty_class);
3544 }
3545 
3546 postcore_initcall(tty_class_init);
3547 
3548 /* 3/2004 jmc: why do these devices exist? */
3549 static struct cdev tty_cdev, console_cdev;
3550 
show_cons_active(struct device * dev,struct device_attribute * attr,char * buf)3551 static ssize_t show_cons_active(struct device *dev,
3552 				struct device_attribute *attr, char *buf)
3553 {
3554 	struct console *cs[16];
3555 	int i = 0;
3556 	struct console *c;
3557 	ssize_t count = 0;
3558 
3559 	/*
3560 	 * Hold the console_list_lock to guarantee that no consoles are
3561 	 * unregistered until all console processing is complete.
3562 	 * This also allows safe traversal of the console list and
3563 	 * race-free reading of @flags.
3564 	 */
3565 	console_list_lock();
3566 
3567 	for_each_console(c) {
3568 		if (!c->device)
3569 			continue;
3570 		if (!(c->flags & CON_NBCON) && !c->write)
3571 			continue;
3572 		if ((c->flags & CON_ENABLED) == 0)
3573 			continue;
3574 		cs[i++] = c;
3575 		if (i >= ARRAY_SIZE(cs))
3576 			break;
3577 	}
3578 
3579 	/*
3580 	 * Take console_lock to serialize device() callback with
3581 	 * other console operations. For example, fg_console is
3582 	 * modified under console_lock when switching vt.
3583 	 */
3584 	console_lock();
3585 	while (i--) {
3586 		int index = cs[i]->index;
3587 		struct tty_driver *drv = cs[i]->device(cs[i], &index);
3588 
3589 		/* don't resolve tty0 as some programs depend on it */
3590 		if (drv && (cs[i]->index > 0 || drv->major != TTY_MAJOR))
3591 			count += tty_line_name(drv, index, buf + count);
3592 		else
3593 			count += sprintf(buf + count, "%s%d",
3594 					 cs[i]->name, cs[i]->index);
3595 
3596 		count += sprintf(buf + count, "%c", i ? ' ':'\n');
3597 	}
3598 	console_unlock();
3599 
3600 	console_list_unlock();
3601 
3602 	return count;
3603 }
3604 static DEVICE_ATTR(active, S_IRUGO, show_cons_active, NULL);
3605 
3606 static struct attribute *cons_dev_attrs[] = {
3607 	&dev_attr_active.attr,
3608 	NULL
3609 };
3610 
3611 ATTRIBUTE_GROUPS(cons_dev);
3612 
3613 static struct device *consdev;
3614 
console_sysfs_notify(void)3615 void console_sysfs_notify(void)
3616 {
3617 	if (consdev)
3618 		sysfs_notify(&consdev->kobj, NULL, "active");
3619 }
3620 
3621 static struct ctl_table tty_table[] = {
3622 	{
3623 		.procname	= "legacy_tiocsti",
3624 		.data		= &tty_legacy_tiocsti,
3625 		.maxlen		= sizeof(tty_legacy_tiocsti),
3626 		.mode		= 0644,
3627 		.proc_handler	= proc_dobool,
3628 	},
3629 	{
3630 		.procname	= "ldisc_autoload",
3631 		.data		= &tty_ldisc_autoload,
3632 		.maxlen		= sizeof(tty_ldisc_autoload),
3633 		.mode		= 0644,
3634 		.proc_handler	= proc_dointvec,
3635 		.extra1		= SYSCTL_ZERO,
3636 		.extra2		= SYSCTL_ONE,
3637 	},
3638 };
3639 
3640 /*
3641  * Ok, now we can initialize the rest of the tty devices and can count
3642  * on memory allocations, interrupts etc..
3643  */
tty_init(void)3644 int __init tty_init(void)
3645 {
3646 	register_sysctl_init("dev/tty", tty_table);
3647 	cdev_init(&tty_cdev, &tty_fops);
3648 	if (cdev_add(&tty_cdev, MKDEV(TTYAUX_MAJOR, 0), 1) ||
3649 	    register_chrdev_region(MKDEV(TTYAUX_MAJOR, 0), 1, "/dev/tty") < 0)
3650 		panic("Couldn't register /dev/tty driver\n");
3651 	device_create(&tty_class, NULL, MKDEV(TTYAUX_MAJOR, 0), NULL, "tty");
3652 
3653 	cdev_init(&console_cdev, &console_fops);
3654 	if (cdev_add(&console_cdev, MKDEV(TTYAUX_MAJOR, 1), 1) ||
3655 	    register_chrdev_region(MKDEV(TTYAUX_MAJOR, 1), 1, "/dev/console") < 0)
3656 		panic("Couldn't register /dev/console driver\n");
3657 	consdev = device_create_with_groups(&tty_class, NULL,
3658 					    MKDEV(TTYAUX_MAJOR, 1), NULL,
3659 					    cons_dev_groups, "console");
3660 	if (IS_ERR(consdev))
3661 		consdev = NULL;
3662 
3663 #ifdef CONFIG_VT
3664 	vty_init(&console_fops);
3665 #endif
3666 	return 0;
3667 }
3668