1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  *  Copyright (C) 1991, 1992  Linus Torvalds
4  */
5 
6 /*
7  * 'tty_io.c' gives an orthogonal feeling to tty's, be they consoles
8  * or rs-channels. It also implements echoing, cooked mode etc.
9  *
10  * Kill-line thanks to John T Kohl, who also corrected VMIN = VTIME = 0.
11  *
12  * Modified by Theodore Ts'o, 9/14/92, to dynamically allocate the
13  * tty_struct and tty_queue structures.  Previously there was an array
14  * of 256 tty_struct's which was statically allocated, and the
15  * tty_queue structures were allocated at boot time.  Both are now
16  * dynamically allocated only when the tty is open.
17  *
18  * Also restructured routines so that there is more of a separation
19  * between the high-level tty routines (tty_io.c and tty_ioctl.c) and
20  * the low-level tty routines (serial.c, pty.c, console.c).  This
21  * makes for cleaner and more compact code.  -TYT, 9/17/92
22  *
23  * Modified by Fred N. van Kempen, 01/29/93, to add line disciplines
24  * which can be dynamically activated and de-activated by the line
25  * discipline handling modules (like SLIP).
26  *
27  * NOTE: pay no attention to the line discipline code (yet); its
28  * interface is still subject to change in this version...
29  * -- TYT, 1/31/92
30  *
31  * Added functionality to the OPOST tty handling.  No delays, but all
32  * other bits should be there.
33  *	-- Nick Holloway <alfie@dcs.warwick.ac.uk>, 27th May 1993.
34  *
35  * Rewrote canonical mode and added more termios flags.
36  *	-- julian@uhunix.uhcc.hawaii.edu (J. Cowley), 13Jan94
37  *
38  * Reorganized FASYNC support so mouse code can share it.
39  *	-- ctm@ardi.com, 9Sep95
40  *
41  * New TIOCLINUX variants added.
42  *	-- mj@k332.feld.cvut.cz, 19-Nov-95
43  *
44  * Restrict vt switching via ioctl()
45  *      -- grif@cs.ucr.edu, 5-Dec-95
46  *
47  * Move console and virtual terminal code to more appropriate files,
48  * implement CONFIG_VT and generalize console device interface.
49  *	-- Marko Kohtala <Marko.Kohtala@hut.fi>, March 97
50  *
51  * Rewrote tty_init_dev and tty_release_dev to eliminate races.
52  *	-- Bill Hawes <whawes@star.net>, June 97
53  *
54  * Added devfs support.
55  *      -- C. Scott Ananian <cananian@alumni.princeton.edu>, 13-Jan-1998
56  *
57  * Added support for a Unix98-style ptmx device.
58  *      -- C. Scott Ananian <cananian@alumni.princeton.edu>, 14-Jan-1998
59  *
60  * Reduced memory usage for older ARM systems
61  *      -- Russell King <rmk@arm.linux.org.uk>
62  *
63  * Move do_SAK() into process context.  Less stack use in devfs functions.
64  * alloc_tty_struct() always uses kmalloc()
65  *			 -- Andrew Morton <andrewm@uow.edu.eu> 17Mar01
66  */
67 
68 #include <linux/types.h>
69 #include <linux/major.h>
70 #include <linux/errno.h>
71 #include <linux/signal.h>
72 #include <linux/fcntl.h>
73 #include <linux/sched/signal.h>
74 #include <linux/sched/task.h>
75 #include <linux/interrupt.h>
76 #include <linux/tty.h>
77 #include <linux/tty_driver.h>
78 #include <linux/tty_flip.h>
79 #include <linux/devpts_fs.h>
80 #include <linux/file.h>
81 #include <linux/fdtable.h>
82 #include <linux/console.h>
83 #include <linux/timer.h>
84 #include <linux/ctype.h>
85 #include <linux/kd.h>
86 #include <linux/mm.h>
87 #include <linux/string.h>
88 #include <linux/slab.h>
89 #include <linux/poll.h>
90 #include <linux/ppp-ioctl.h>
91 #include <linux/proc_fs.h>
92 #include <linux/init.h>
93 #include <linux/module.h>
94 #include <linux/device.h>
95 #include <linux/wait.h>
96 #include <linux/bitops.h>
97 #include <linux/delay.h>
98 #include <linux/seq_file.h>
99 #include <linux/serial.h>
100 #include <linux/ratelimit.h>
101 #include <linux/compat.h>
102 #include <linux/uaccess.h>
103 #include <linux/termios_internal.h>
104 #include <linux/fs.h>
105 
106 #include <linux/kbd_kern.h>
107 #include <linux/vt_kern.h>
108 #include <linux/selection.h>
109 
110 #include <linux/kmod.h>
111 #include <linux/nsproxy.h>
112 #include "tty.h"
113 
114 #undef TTY_DEBUG_HANGUP
115 #ifdef TTY_DEBUG_HANGUP
116 # define tty_debug_hangup(tty, f, args...)	tty_debug(tty, f, ##args)
117 #else
118 # define tty_debug_hangup(tty, f, args...)	do { } while (0)
119 #endif
120 
121 #define TTY_PARANOIA_CHECK 1
122 #define CHECK_TTY_COUNT 1
123 
124 struct ktermios tty_std_termios = {	/* for the benefit of tty drivers  */
125 	.c_iflag = ICRNL | IXON,
126 	.c_oflag = OPOST | ONLCR,
127 	.c_cflag = B38400 | CS8 | CREAD | HUPCL,
128 	.c_lflag = ISIG | ICANON | ECHO | ECHOE | ECHOK |
129 		   ECHOCTL | ECHOKE | IEXTEN,
130 	.c_cc = INIT_C_CC,
131 	.c_ispeed = 38400,
132 	.c_ospeed = 38400,
133 	/* .c_line = N_TTY, */
134 };
135 EXPORT_SYMBOL(tty_std_termios);
136 
137 /* This list gets poked at by procfs and various bits of boot up code. This
138  * could do with some rationalisation such as pulling the tty proc function
139  * into this file.
140  */
141 
142 LIST_HEAD(tty_drivers);			/* linked list of tty drivers */
143 
144 /* Mutex to protect creating and releasing a tty */
145 DEFINE_MUTEX(tty_mutex);
146 
147 static ssize_t tty_read(struct kiocb *, struct iov_iter *);
148 static ssize_t tty_write(struct kiocb *, struct iov_iter *);
149 static __poll_t tty_poll(struct file *, poll_table *);
150 static int tty_open(struct inode *, struct file *);
151 #ifdef CONFIG_COMPAT
152 static long tty_compat_ioctl(struct file *file, unsigned int cmd,
153 				unsigned long arg);
154 #else
155 #define tty_compat_ioctl NULL
156 #endif
157 static int __tty_fasync(int fd, struct file *filp, int on);
158 static int tty_fasync(int fd, struct file *filp, int on);
159 static void release_tty(struct tty_struct *tty, int idx);
160 
161 /**
162  * free_tty_struct	-	free a disused tty
163  * @tty: tty struct to free
164  *
165  * Free the write buffers, tty queue and tty memory itself.
166  *
167  * Locking: none. Must be called after tty is definitely unused
168  */
free_tty_struct(struct tty_struct * tty)169 static void free_tty_struct(struct tty_struct *tty)
170 {
171 	tty_ldisc_deinit(tty);
172 	put_device(tty->dev);
173 	kvfree(tty->write_buf);
174 	kfree(tty);
175 }
176 
file_tty(struct file * file)177 static inline struct tty_struct *file_tty(struct file *file)
178 {
179 	return ((struct tty_file_private *)file->private_data)->tty;
180 }
181 
tty_alloc_file(struct file * file)182 int tty_alloc_file(struct file *file)
183 {
184 	struct tty_file_private *priv;
185 
186 	priv = kmalloc(sizeof(*priv), GFP_KERNEL);
187 	if (!priv)
188 		return -ENOMEM;
189 
190 	file->private_data = priv;
191 
192 	return 0;
193 }
194 
195 /* Associate a new file with the tty structure */
tty_add_file(struct tty_struct * tty,struct file * file)196 void tty_add_file(struct tty_struct *tty, struct file *file)
197 {
198 	struct tty_file_private *priv = file->private_data;
199 
200 	priv->tty = tty;
201 	priv->file = file;
202 
203 	spin_lock(&tty->files_lock);
204 	list_add(&priv->list, &tty->tty_files);
205 	spin_unlock(&tty->files_lock);
206 }
207 
208 /**
209  * tty_free_file - free file->private_data
210  * @file: to free private_data of
211  *
212  * This shall be used only for fail path handling when tty_add_file was not
213  * called yet.
214  */
tty_free_file(struct file * file)215 void tty_free_file(struct file *file)
216 {
217 	struct tty_file_private *priv = file->private_data;
218 
219 	file->private_data = NULL;
220 	kfree(priv);
221 }
222 
223 /* Delete file from its tty */
tty_del_file(struct file * file)224 static void tty_del_file(struct file *file)
225 {
226 	struct tty_file_private *priv = file->private_data;
227 	struct tty_struct *tty = priv->tty;
228 
229 	spin_lock(&tty->files_lock);
230 	list_del(&priv->list);
231 	spin_unlock(&tty->files_lock);
232 	tty_free_file(file);
233 }
234 
235 /**
236  * tty_name	-	return tty naming
237  * @tty: tty structure
238  *
239  * Convert a tty structure into a name. The name reflects the kernel naming
240  * policy and if udev is in use may not reflect user space
241  *
242  * Locking: none
243  */
tty_name(const struct tty_struct * tty)244 const char *tty_name(const struct tty_struct *tty)
245 {
246 	if (!tty) /* Hmm.  NULL pointer.  That's fun. */
247 		return "NULL tty";
248 	return tty->name;
249 }
250 EXPORT_SYMBOL(tty_name);
251 
tty_driver_name(const struct tty_struct * tty)252 const char *tty_driver_name(const struct tty_struct *tty)
253 {
254 	if (!tty || !tty->driver)
255 		return "";
256 	return tty->driver->name;
257 }
258 
tty_paranoia_check(struct tty_struct * tty,struct inode * inode,const char * routine)259 static int tty_paranoia_check(struct tty_struct *tty, struct inode *inode,
260 			      const char *routine)
261 {
262 #ifdef TTY_PARANOIA_CHECK
263 	if (!tty) {
264 		pr_warn("(%d:%d): %s: NULL tty\n",
265 			imajor(inode), iminor(inode), routine);
266 		return 1;
267 	}
268 #endif
269 	return 0;
270 }
271 
272 /* Caller must hold tty_lock */
check_tty_count(struct tty_struct * tty,const char * routine)273 static void check_tty_count(struct tty_struct *tty, const char *routine)
274 {
275 #ifdef CHECK_TTY_COUNT
276 	struct list_head *p;
277 	int count = 0, kopen_count = 0;
278 
279 	spin_lock(&tty->files_lock);
280 	list_for_each(p, &tty->tty_files) {
281 		count++;
282 	}
283 	spin_unlock(&tty->files_lock);
284 	if (tty->driver->type == TTY_DRIVER_TYPE_PTY &&
285 	    tty->driver->subtype == PTY_TYPE_SLAVE &&
286 	    tty->link && tty->link->count)
287 		count++;
288 	if (tty_port_kopened(tty->port))
289 		kopen_count++;
290 	if (tty->count != (count + kopen_count)) {
291 		tty_warn(tty, "%s: tty->count(%d) != (#fd's(%d) + #kopen's(%d))\n",
292 			 routine, tty->count, count, kopen_count);
293 	}
294 #endif
295 }
296 
297 /**
298  * get_tty_driver		-	find device of a tty
299  * @device: device identifier
300  * @index: returns the index of the tty
301  *
302  * This routine returns a tty driver structure, given a device number and also
303  * passes back the index number.
304  *
305  * Locking: caller must hold tty_mutex
306  */
get_tty_driver(dev_t device,int * index)307 static struct tty_driver *get_tty_driver(dev_t device, int *index)
308 {
309 	struct tty_driver *p;
310 
311 	list_for_each_entry(p, &tty_drivers, tty_drivers) {
312 		dev_t base = MKDEV(p->major, p->minor_start);
313 
314 		if (device < base || device >= base + p->num)
315 			continue;
316 		*index = device - base;
317 		return tty_driver_kref_get(p);
318 	}
319 	return NULL;
320 }
321 
322 /**
323  * tty_dev_name_to_number	-	return dev_t for device name
324  * @name: user space name of device under /dev
325  * @number: pointer to dev_t that this function will populate
326  *
327  * This function converts device names like ttyS0 or ttyUSB1 into dev_t like
328  * (4, 64) or (188, 1). If no corresponding driver is registered then the
329  * function returns -%ENODEV.
330  *
331  * Locking: this acquires tty_mutex to protect the tty_drivers list from
332  *	being modified while we are traversing it, and makes sure to
333  *	release it before exiting.
334  */
tty_dev_name_to_number(const char * name,dev_t * number)335 int tty_dev_name_to_number(const char *name, dev_t *number)
336 {
337 	struct tty_driver *p;
338 	int ret;
339 	int index, prefix_length = 0;
340 	const char *str;
341 
342 	for (str = name; *str && !isdigit(*str); str++)
343 		;
344 
345 	if (!*str)
346 		return -EINVAL;
347 
348 	ret = kstrtoint(str, 10, &index);
349 	if (ret)
350 		return ret;
351 
352 	prefix_length = str - name;
353 	mutex_lock(&tty_mutex);
354 
355 	list_for_each_entry(p, &tty_drivers, tty_drivers)
356 		if (prefix_length == strlen(p->name) && strncmp(name,
357 					p->name, prefix_length) == 0) {
358 			if (index < p->num) {
359 				*number = MKDEV(p->major, p->minor_start + index);
360 				goto out;
361 			}
362 		}
363 
364 	/* if here then driver wasn't found */
365 	ret = -ENODEV;
366 out:
367 	mutex_unlock(&tty_mutex);
368 	return ret;
369 }
370 EXPORT_SYMBOL_GPL(tty_dev_name_to_number);
371 
372 #ifdef CONFIG_CONSOLE_POLL
373 
374 /**
375  * tty_find_polling_driver	-	find device of a polled tty
376  * @name: name string to match
377  * @line: pointer to resulting tty line nr
378  *
379  * This routine returns a tty driver structure, given a name and the condition
380  * that the tty driver is capable of polled operation.
381  */
tty_find_polling_driver(char * name,int * line)382 struct tty_driver *tty_find_polling_driver(char *name, int *line)
383 {
384 	struct tty_driver *p, *res = NULL;
385 	int tty_line = 0;
386 	int len;
387 	char *str, *stp;
388 
389 	for (str = name; *str; str++)
390 		if ((*str >= '0' && *str <= '9') || *str == ',')
391 			break;
392 	if (!*str)
393 		return NULL;
394 
395 	len = str - name;
396 	tty_line = simple_strtoul(str, &str, 10);
397 
398 	mutex_lock(&tty_mutex);
399 	/* Search through the tty devices to look for a match */
400 	list_for_each_entry(p, &tty_drivers, tty_drivers) {
401 		if (!len || strncmp(name, p->name, len) != 0)
402 			continue;
403 		stp = str;
404 		if (*stp == ',')
405 			stp++;
406 		if (*stp == '\0')
407 			stp = NULL;
408 
409 		if (tty_line >= 0 && tty_line < p->num && p->ops &&
410 		    p->ops->poll_init && !p->ops->poll_init(p, tty_line, stp)) {
411 			res = tty_driver_kref_get(p);
412 			*line = tty_line;
413 			break;
414 		}
415 	}
416 	mutex_unlock(&tty_mutex);
417 
418 	return res;
419 }
420 EXPORT_SYMBOL_GPL(tty_find_polling_driver);
421 #endif
422 
hung_up_tty_read(struct kiocb * iocb,struct iov_iter * to)423 static ssize_t hung_up_tty_read(struct kiocb *iocb, struct iov_iter *to)
424 {
425 	return 0;
426 }
427 
hung_up_tty_write(struct kiocb * iocb,struct iov_iter * from)428 static ssize_t hung_up_tty_write(struct kiocb *iocb, struct iov_iter *from)
429 {
430 	return -EIO;
431 }
432 
433 /* No kernel lock held - none needed ;) */
hung_up_tty_poll(struct file * filp,poll_table * wait)434 static __poll_t hung_up_tty_poll(struct file *filp, poll_table *wait)
435 {
436 	return EPOLLIN | EPOLLOUT | EPOLLERR | EPOLLHUP | EPOLLRDNORM | EPOLLWRNORM;
437 }
438 
hung_up_tty_ioctl(struct file * file,unsigned int cmd,unsigned long arg)439 static long hung_up_tty_ioctl(struct file *file, unsigned int cmd,
440 		unsigned long arg)
441 {
442 	return cmd == TIOCSPGRP ? -ENOTTY : -EIO;
443 }
444 
hung_up_tty_compat_ioctl(struct file * file,unsigned int cmd,unsigned long arg)445 static long hung_up_tty_compat_ioctl(struct file *file,
446 				     unsigned int cmd, unsigned long arg)
447 {
448 	return cmd == TIOCSPGRP ? -ENOTTY : -EIO;
449 }
450 
hung_up_tty_fasync(int fd,struct file * file,int on)451 static int hung_up_tty_fasync(int fd, struct file *file, int on)
452 {
453 	return -ENOTTY;
454 }
455 
tty_show_fdinfo(struct seq_file * m,struct file * file)456 static void tty_show_fdinfo(struct seq_file *m, struct file *file)
457 {
458 	struct tty_struct *tty = file_tty(file);
459 
460 	if (tty && tty->ops && tty->ops->show_fdinfo)
461 		tty->ops->show_fdinfo(tty, m);
462 }
463 
464 static const struct file_operations tty_fops = {
465 	.llseek		= no_llseek,
466 	.read_iter	= tty_read,
467 	.write_iter	= tty_write,
468 	.splice_read	= copy_splice_read,
469 	.splice_write	= iter_file_splice_write,
470 	.poll		= tty_poll,
471 	.unlocked_ioctl	= tty_ioctl,
472 	.compat_ioctl	= tty_compat_ioctl,
473 	.open		= tty_open,
474 	.release	= tty_release,
475 	.fasync		= tty_fasync,
476 	.show_fdinfo	= tty_show_fdinfo,
477 };
478 
479 static const struct file_operations console_fops = {
480 	.llseek		= no_llseek,
481 	.read_iter	= tty_read,
482 	.write_iter	= redirected_tty_write,
483 	.splice_read	= copy_splice_read,
484 	.splice_write	= iter_file_splice_write,
485 	.poll		= tty_poll,
486 	.unlocked_ioctl	= tty_ioctl,
487 	.compat_ioctl	= tty_compat_ioctl,
488 	.open		= tty_open,
489 	.release	= tty_release,
490 	.fasync		= tty_fasync,
491 };
492 
493 static const struct file_operations hung_up_tty_fops = {
494 	.llseek		= no_llseek,
495 	.read_iter	= hung_up_tty_read,
496 	.write_iter	= hung_up_tty_write,
497 	.poll		= hung_up_tty_poll,
498 	.unlocked_ioctl	= hung_up_tty_ioctl,
499 	.compat_ioctl	= hung_up_tty_compat_ioctl,
500 	.release	= tty_release,
501 	.fasync		= hung_up_tty_fasync,
502 };
503 
504 static DEFINE_SPINLOCK(redirect_lock);
505 static struct file *redirect;
506 
507 /**
508  * tty_wakeup	-	request more data
509  * @tty: terminal
510  *
511  * Internal and external helper for wakeups of tty. This function informs the
512  * line discipline if present that the driver is ready to receive more output
513  * data.
514  */
tty_wakeup(struct tty_struct * tty)515 void tty_wakeup(struct tty_struct *tty)
516 {
517 	struct tty_ldisc *ld;
518 
519 	if (test_bit(TTY_DO_WRITE_WAKEUP, &tty->flags)) {
520 		ld = tty_ldisc_ref(tty);
521 		if (ld) {
522 			if (ld->ops->write_wakeup)
523 				ld->ops->write_wakeup(tty);
524 			tty_ldisc_deref(ld);
525 		}
526 	}
527 	wake_up_interruptible_poll(&tty->write_wait, EPOLLOUT);
528 }
529 EXPORT_SYMBOL_GPL(tty_wakeup);
530 
531 /**
532  * tty_release_redirect	-	Release a redirect on a pty if present
533  * @tty: tty device
534  *
535  * This is available to the pty code so if the master closes, if the slave is a
536  * redirect it can release the redirect.
537  */
tty_release_redirect(struct tty_struct * tty)538 static struct file *tty_release_redirect(struct tty_struct *tty)
539 {
540 	struct file *f = NULL;
541 
542 	spin_lock(&redirect_lock);
543 	if (redirect && file_tty(redirect) == tty) {
544 		f = redirect;
545 		redirect = NULL;
546 	}
547 	spin_unlock(&redirect_lock);
548 
549 	return f;
550 }
551 
552 /**
553  * __tty_hangup		-	actual handler for hangup events
554  * @tty: tty device
555  * @exit_session: if non-zero, signal all foreground group processes
556  *
557  * This can be called by a "kworker" kernel thread. That is process synchronous
558  * but doesn't hold any locks, so we need to make sure we have the appropriate
559  * locks for what we're doing.
560  *
561  * The hangup event clears any pending redirections onto the hung up device. It
562  * ensures future writes will error and it does the needed line discipline
563  * hangup and signal delivery. The tty object itself remains intact.
564  *
565  * Locking:
566  *  * BTM
567  *
568  *   * redirect lock for undoing redirection
569  *   * file list lock for manipulating list of ttys
570  *   * tty_ldiscs_lock from called functions
571  *   * termios_rwsem resetting termios data
572  *   * tasklist_lock to walk task list for hangup event
573  *
574  *    * ->siglock to protect ->signal/->sighand
575  *
576  */
__tty_hangup(struct tty_struct * tty,int exit_session)577 static void __tty_hangup(struct tty_struct *tty, int exit_session)
578 {
579 	struct file *cons_filp = NULL;
580 	struct file *filp, *f;
581 	struct tty_file_private *priv;
582 	int    closecount = 0, n;
583 	int refs;
584 
585 	if (!tty)
586 		return;
587 
588 	f = tty_release_redirect(tty);
589 
590 	tty_lock(tty);
591 
592 	if (test_bit(TTY_HUPPED, &tty->flags)) {
593 		tty_unlock(tty);
594 		return;
595 	}
596 
597 	/*
598 	 * Some console devices aren't actually hung up for technical and
599 	 * historical reasons, which can lead to indefinite interruptible
600 	 * sleep in n_tty_read().  The following explicitly tells
601 	 * n_tty_read() to abort readers.
602 	 */
603 	set_bit(TTY_HUPPING, &tty->flags);
604 
605 	/* inuse_filps is protected by the single tty lock,
606 	 * this really needs to change if we want to flush the
607 	 * workqueue with the lock held.
608 	 */
609 	check_tty_count(tty, "tty_hangup");
610 
611 	spin_lock(&tty->files_lock);
612 	/* This breaks for file handles being sent over AF_UNIX sockets ? */
613 	list_for_each_entry(priv, &tty->tty_files, list) {
614 		filp = priv->file;
615 		if (filp->f_op->write_iter == redirected_tty_write)
616 			cons_filp = filp;
617 		if (filp->f_op->write_iter != tty_write)
618 			continue;
619 		closecount++;
620 		__tty_fasync(-1, filp, 0);	/* can't block */
621 		filp->f_op = &hung_up_tty_fops;
622 	}
623 	spin_unlock(&tty->files_lock);
624 
625 	refs = tty_signal_session_leader(tty, exit_session);
626 	/* Account for the p->signal references we killed */
627 	while (refs--)
628 		tty_kref_put(tty);
629 
630 	tty_ldisc_hangup(tty, cons_filp != NULL);
631 
632 	spin_lock_irq(&tty->ctrl.lock);
633 	clear_bit(TTY_THROTTLED, &tty->flags);
634 	clear_bit(TTY_DO_WRITE_WAKEUP, &tty->flags);
635 	put_pid(tty->ctrl.session);
636 	put_pid(tty->ctrl.pgrp);
637 	tty->ctrl.session = NULL;
638 	tty->ctrl.pgrp = NULL;
639 	tty->ctrl.pktstatus = 0;
640 	spin_unlock_irq(&tty->ctrl.lock);
641 
642 	/*
643 	 * If one of the devices matches a console pointer, we
644 	 * cannot just call hangup() because that will cause
645 	 * tty->count and state->count to go out of sync.
646 	 * So we just call close() the right number of times.
647 	 */
648 	if (cons_filp) {
649 		if (tty->ops->close)
650 			for (n = 0; n < closecount; n++)
651 				tty->ops->close(tty, cons_filp);
652 	} else if (tty->ops->hangup)
653 		tty->ops->hangup(tty);
654 	/*
655 	 * We don't want to have driver/ldisc interactions beyond the ones
656 	 * we did here. The driver layer expects no calls after ->hangup()
657 	 * from the ldisc side, which is now guaranteed.
658 	 */
659 	set_bit(TTY_HUPPED, &tty->flags);
660 	clear_bit(TTY_HUPPING, &tty->flags);
661 	tty_unlock(tty);
662 
663 	if (f)
664 		fput(f);
665 }
666 
do_tty_hangup(struct work_struct * work)667 static void do_tty_hangup(struct work_struct *work)
668 {
669 	struct tty_struct *tty =
670 		container_of(work, struct tty_struct, hangup_work);
671 
672 	__tty_hangup(tty, 0);
673 }
674 
675 /**
676  * tty_hangup		-	trigger a hangup event
677  * @tty: tty to hangup
678  *
679  * A carrier loss (virtual or otherwise) has occurred on @tty. Schedule a
680  * hangup sequence to run after this event.
681  */
tty_hangup(struct tty_struct * tty)682 void tty_hangup(struct tty_struct *tty)
683 {
684 	tty_debug_hangup(tty, "hangup\n");
685 	schedule_work(&tty->hangup_work);
686 }
687 EXPORT_SYMBOL(tty_hangup);
688 
689 /**
690  * tty_vhangup		-	process vhangup
691  * @tty: tty to hangup
692  *
693  * The user has asked via system call for the terminal to be hung up. We do
694  * this synchronously so that when the syscall returns the process is complete.
695  * That guarantee is necessary for security reasons.
696  */
tty_vhangup(struct tty_struct * tty)697 void tty_vhangup(struct tty_struct *tty)
698 {
699 	tty_debug_hangup(tty, "vhangup\n");
700 	__tty_hangup(tty, 0);
701 }
702 EXPORT_SYMBOL(tty_vhangup);
703 
704 
705 /**
706  * tty_vhangup_self	-	process vhangup for own ctty
707  *
708  * Perform a vhangup on the current controlling tty
709  */
tty_vhangup_self(void)710 void tty_vhangup_self(void)
711 {
712 	struct tty_struct *tty;
713 
714 	tty = get_current_tty();
715 	if (tty) {
716 		tty_vhangup(tty);
717 		tty_kref_put(tty);
718 	}
719 }
720 
721 /**
722  * tty_vhangup_session	-	hangup session leader exit
723  * @tty: tty to hangup
724  *
725  * The session leader is exiting and hanging up its controlling terminal.
726  * Every process in the foreground process group is signalled %SIGHUP.
727  *
728  * We do this synchronously so that when the syscall returns the process is
729  * complete. That guarantee is necessary for security reasons.
730  */
tty_vhangup_session(struct tty_struct * tty)731 void tty_vhangup_session(struct tty_struct *tty)
732 {
733 	tty_debug_hangup(tty, "session hangup\n");
734 	__tty_hangup(tty, 1);
735 }
736 
737 /**
738  * tty_hung_up_p	-	was tty hung up
739  * @filp: file pointer of tty
740  *
741  * Return: true if the tty has been subject to a vhangup or a carrier loss
742  */
tty_hung_up_p(struct file * filp)743 int tty_hung_up_p(struct file *filp)
744 {
745 	return (filp && filp->f_op == &hung_up_tty_fops);
746 }
747 EXPORT_SYMBOL(tty_hung_up_p);
748 
__stop_tty(struct tty_struct * tty)749 void __stop_tty(struct tty_struct *tty)
750 {
751 	if (tty->flow.stopped)
752 		return;
753 	tty->flow.stopped = true;
754 	if (tty->ops->stop)
755 		tty->ops->stop(tty);
756 }
757 
758 /**
759  * stop_tty	-	propagate flow control
760  * @tty: tty to stop
761  *
762  * Perform flow control to the driver. May be called on an already stopped
763  * device and will not re-call the &tty_driver->stop() method.
764  *
765  * This functionality is used by both the line disciplines for halting incoming
766  * flow and by the driver. It may therefore be called from any context, may be
767  * under the tty %atomic_write_lock but not always.
768  *
769  * Locking:
770  *	flow.lock
771  */
stop_tty(struct tty_struct * tty)772 void stop_tty(struct tty_struct *tty)
773 {
774 	unsigned long flags;
775 
776 	spin_lock_irqsave(&tty->flow.lock, flags);
777 	__stop_tty(tty);
778 	spin_unlock_irqrestore(&tty->flow.lock, flags);
779 }
780 EXPORT_SYMBOL(stop_tty);
781 
__start_tty(struct tty_struct * tty)782 void __start_tty(struct tty_struct *tty)
783 {
784 	if (!tty->flow.stopped || tty->flow.tco_stopped)
785 		return;
786 	tty->flow.stopped = false;
787 	if (tty->ops->start)
788 		tty->ops->start(tty);
789 	tty_wakeup(tty);
790 }
791 
792 /**
793  * start_tty	-	propagate flow control
794  * @tty: tty to start
795  *
796  * Start a tty that has been stopped if at all possible. If @tty was previously
797  * stopped and is now being started, the &tty_driver->start() method is invoked
798  * and the line discipline woken.
799  *
800  * Locking:
801  *	flow.lock
802  */
start_tty(struct tty_struct * tty)803 void start_tty(struct tty_struct *tty)
804 {
805 	unsigned long flags;
806 
807 	spin_lock_irqsave(&tty->flow.lock, flags);
808 	__start_tty(tty);
809 	spin_unlock_irqrestore(&tty->flow.lock, flags);
810 }
811 EXPORT_SYMBOL(start_tty);
812 
tty_update_time(struct tty_struct * tty,bool mtime)813 static void tty_update_time(struct tty_struct *tty, bool mtime)
814 {
815 	time64_t sec = ktime_get_real_seconds();
816 	struct tty_file_private *priv;
817 
818 	spin_lock(&tty->files_lock);
819 	list_for_each_entry(priv, &tty->tty_files, list) {
820 		struct inode *inode = file_inode(priv->file);
821 		struct timespec64 *time = mtime ? &inode->i_mtime : &inode->i_atime;
822 
823 		/*
824 		 * We only care if the two values differ in anything other than the
825 		 * lower three bits (i.e every 8 seconds).  If so, then we can update
826 		 * the time of the tty device, otherwise it could be construded as a
827 		 * security leak to let userspace know the exact timing of the tty.
828 		 */
829 		if ((sec ^ time->tv_sec) & ~7)
830 			time->tv_sec = sec;
831 	}
832 	spin_unlock(&tty->files_lock);
833 }
834 
835 /*
836  * Iterate on the ldisc ->read() function until we've gotten all
837  * the data the ldisc has for us.
838  *
839  * The "cookie" is something that the ldisc read function can fill
840  * in to let us know that there is more data to be had.
841  *
842  * We promise to continue to call the ldisc until it stops returning
843  * data or clears the cookie. The cookie may be something that the
844  * ldisc maintains state for and needs to free.
845  */
iterate_tty_read(struct tty_ldisc * ld,struct tty_struct * tty,struct file * file,struct iov_iter * to)846 static ssize_t iterate_tty_read(struct tty_ldisc *ld, struct tty_struct *tty,
847 				struct file *file, struct iov_iter *to)
848 {
849 	void *cookie = NULL;
850 	unsigned long offset = 0;
851 	char kernel_buf[64];
852 	ssize_t retval = 0;
853 	size_t copied, count = iov_iter_count(to);
854 
855 	do {
856 		ssize_t size = min(count, sizeof(kernel_buf));
857 
858 		size = ld->ops->read(tty, file, kernel_buf, size, &cookie, offset);
859 		if (!size)
860 			break;
861 
862 		if (size < 0) {
863 			/* Did we have an earlier error (ie -EFAULT)? */
864 			if (retval)
865 				break;
866 			retval = size;
867 
868 			/*
869 			 * -EOVERFLOW means we didn't have enough space
870 			 * for a whole packet, and we shouldn't return
871 			 * a partial result.
872 			 */
873 			if (retval == -EOVERFLOW)
874 				offset = 0;
875 			break;
876 		}
877 
878 		copied = copy_to_iter(kernel_buf, size, to);
879 		offset += copied;
880 		count -= copied;
881 
882 		/*
883 		 * If the user copy failed, we still need to do another ->read()
884 		 * call if we had a cookie to let the ldisc clear up.
885 		 *
886 		 * But make sure size is zeroed.
887 		 */
888 		if (unlikely(copied != size)) {
889 			count = 0;
890 			retval = -EFAULT;
891 		}
892 	} while (cookie);
893 
894 	/* We always clear tty buffer in case they contained passwords */
895 	memzero_explicit(kernel_buf, sizeof(kernel_buf));
896 	return offset ? offset : retval;
897 }
898 
899 
900 /**
901  * tty_read	-	read method for tty device files
902  * @iocb: kernel I/O control block
903  * @to: destination for the data read
904  *
905  * Perform the read system call function on this terminal device. Checks
906  * for hung up devices before calling the line discipline method.
907  *
908  * Locking:
909  *	Locks the line discipline internally while needed. Multiple read calls
910  *	may be outstanding in parallel.
911  */
tty_read(struct kiocb * iocb,struct iov_iter * to)912 static ssize_t tty_read(struct kiocb *iocb, struct iov_iter *to)
913 {
914 	struct file *file = iocb->ki_filp;
915 	struct inode *inode = file_inode(file);
916 	struct tty_struct *tty = file_tty(file);
917 	struct tty_ldisc *ld;
918 	ssize_t ret;
919 
920 	if (tty_paranoia_check(tty, inode, "tty_read"))
921 		return -EIO;
922 	if (!tty || tty_io_error(tty))
923 		return -EIO;
924 
925 	/* We want to wait for the line discipline to sort out in this
926 	 * situation.
927 	 */
928 	ld = tty_ldisc_ref_wait(tty);
929 	if (!ld)
930 		return hung_up_tty_read(iocb, to);
931 	ret = -EIO;
932 	if (ld->ops->read)
933 		ret = iterate_tty_read(ld, tty, file, to);
934 	tty_ldisc_deref(ld);
935 
936 	if (ret > 0)
937 		tty_update_time(tty, false);
938 
939 	return ret;
940 }
941 
tty_write_unlock(struct tty_struct * tty)942 void tty_write_unlock(struct tty_struct *tty)
943 {
944 	mutex_unlock(&tty->atomic_write_lock);
945 	wake_up_interruptible_poll(&tty->write_wait, EPOLLOUT);
946 }
947 
tty_write_lock(struct tty_struct * tty,bool ndelay)948 int tty_write_lock(struct tty_struct *tty, bool ndelay)
949 {
950 	if (!mutex_trylock(&tty->atomic_write_lock)) {
951 		if (ndelay)
952 			return -EAGAIN;
953 		if (mutex_lock_interruptible(&tty->atomic_write_lock))
954 			return -ERESTARTSYS;
955 	}
956 	return 0;
957 }
958 
959 /*
960  * Split writes up in sane blocksizes to avoid
961  * denial-of-service type attacks
962  */
iterate_tty_write(struct tty_ldisc * ld,struct tty_struct * tty,struct file * file,struct iov_iter * from)963 static ssize_t iterate_tty_write(struct tty_ldisc *ld, struct tty_struct *tty,
964 				 struct file *file, struct iov_iter *from)
965 {
966 	size_t chunk, count = iov_iter_count(from);
967 	ssize_t ret, written = 0;
968 
969 	ret = tty_write_lock(tty, file->f_flags & O_NDELAY);
970 	if (ret < 0)
971 		return ret;
972 
973 	/*
974 	 * We chunk up writes into a temporary buffer. This
975 	 * simplifies low-level drivers immensely, since they
976 	 * don't have locking issues and user mode accesses.
977 	 *
978 	 * But if TTY_NO_WRITE_SPLIT is set, we should use a
979 	 * big chunk-size..
980 	 *
981 	 * The default chunk-size is 2kB, because the NTTY
982 	 * layer has problems with bigger chunks. It will
983 	 * claim to be able to handle more characters than
984 	 * it actually does.
985 	 */
986 	chunk = 2048;
987 	if (test_bit(TTY_NO_WRITE_SPLIT, &tty->flags))
988 		chunk = 65536;
989 	if (count < chunk)
990 		chunk = count;
991 
992 	/* write_buf/write_cnt is protected by the atomic_write_lock mutex */
993 	if (tty->write_cnt < chunk) {
994 		unsigned char *buf_chunk;
995 
996 		if (chunk < 1024)
997 			chunk = 1024;
998 
999 		buf_chunk = kvmalloc(chunk, GFP_KERNEL | __GFP_RETRY_MAYFAIL);
1000 		if (!buf_chunk) {
1001 			ret = -ENOMEM;
1002 			goto out;
1003 		}
1004 		kvfree(tty->write_buf);
1005 		tty->write_cnt = chunk;
1006 		tty->write_buf = buf_chunk;
1007 	}
1008 
1009 	/* Do the write .. */
1010 	for (;;) {
1011 		size_t size = min(chunk, count);
1012 
1013 		ret = -EFAULT;
1014 		if (copy_from_iter(tty->write_buf, size, from) != size)
1015 			break;
1016 
1017 		ret = ld->ops->write(tty, file, tty->write_buf, size);
1018 		if (ret <= 0)
1019 			break;
1020 
1021 		written += ret;
1022 		if (ret > size)
1023 			break;
1024 
1025 		/* FIXME! Have Al check this! */
1026 		if (ret != size)
1027 			iov_iter_revert(from, size-ret);
1028 
1029 		count -= ret;
1030 		if (!count)
1031 			break;
1032 		ret = -ERESTARTSYS;
1033 		if (signal_pending(current))
1034 			break;
1035 		cond_resched();
1036 	}
1037 	if (written) {
1038 		tty_update_time(tty, true);
1039 		ret = written;
1040 	}
1041 out:
1042 	tty_write_unlock(tty);
1043 	return ret;
1044 }
1045 
1046 /**
1047  * tty_write_message - write a message to a certain tty, not just the console.
1048  * @tty: the destination tty_struct
1049  * @msg: the message to write
1050  *
1051  * This is used for messages that need to be redirected to a specific tty. We
1052  * don't put it into the syslog queue right now maybe in the future if really
1053  * needed.
1054  *
1055  * We must still hold the BTM and test the CLOSING flag for the moment.
1056  */
tty_write_message(struct tty_struct * tty,char * msg)1057 void tty_write_message(struct tty_struct *tty, char *msg)
1058 {
1059 	if (tty) {
1060 		mutex_lock(&tty->atomic_write_lock);
1061 		tty_lock(tty);
1062 		if (tty->ops->write && tty->count > 0)
1063 			tty->ops->write(tty, msg, strlen(msg));
1064 		tty_unlock(tty);
1065 		tty_write_unlock(tty);
1066 	}
1067 }
1068 
file_tty_write(struct file * file,struct kiocb * iocb,struct iov_iter * from)1069 static ssize_t file_tty_write(struct file *file, struct kiocb *iocb, struct iov_iter *from)
1070 {
1071 	struct tty_struct *tty = file_tty(file);
1072 	struct tty_ldisc *ld;
1073 	ssize_t ret;
1074 
1075 	if (tty_paranoia_check(tty, file_inode(file), "tty_write"))
1076 		return -EIO;
1077 	if (!tty || !tty->ops->write ||	tty_io_error(tty))
1078 		return -EIO;
1079 	/* Short term debug to catch buggy drivers */
1080 	if (tty->ops->write_room == NULL)
1081 		tty_err(tty, "missing write_room method\n");
1082 	ld = tty_ldisc_ref_wait(tty);
1083 	if (!ld)
1084 		return hung_up_tty_write(iocb, from);
1085 	if (!ld->ops->write)
1086 		ret = -EIO;
1087 	else
1088 		ret = iterate_tty_write(ld, tty, file, from);
1089 	tty_ldisc_deref(ld);
1090 	return ret;
1091 }
1092 
1093 /**
1094  * tty_write		-	write method for tty device file
1095  * @iocb: kernel I/O control block
1096  * @from: iov_iter with data to write
1097  *
1098  * Write data to a tty device via the line discipline.
1099  *
1100  * Locking:
1101  *	Locks the line discipline as required
1102  *	Writes to the tty driver are serialized by the atomic_write_lock
1103  *	and are then processed in chunks to the device. The line
1104  *	discipline write method will not be invoked in parallel for
1105  *	each device.
1106  */
tty_write(struct kiocb * iocb,struct iov_iter * from)1107 static ssize_t tty_write(struct kiocb *iocb, struct iov_iter *from)
1108 {
1109 	return file_tty_write(iocb->ki_filp, iocb, from);
1110 }
1111 
redirected_tty_write(struct kiocb * iocb,struct iov_iter * iter)1112 ssize_t redirected_tty_write(struct kiocb *iocb, struct iov_iter *iter)
1113 {
1114 	struct file *p = NULL;
1115 
1116 	spin_lock(&redirect_lock);
1117 	if (redirect)
1118 		p = get_file(redirect);
1119 	spin_unlock(&redirect_lock);
1120 
1121 	/*
1122 	 * We know the redirected tty is just another tty, we can
1123 	 * call file_tty_write() directly with that file pointer.
1124 	 */
1125 	if (p) {
1126 		ssize_t res;
1127 
1128 		res = file_tty_write(p, iocb, iter);
1129 		fput(p);
1130 		return res;
1131 	}
1132 	return tty_write(iocb, iter);
1133 }
1134 
1135 /**
1136  * tty_send_xchar	-	send priority character
1137  * @tty: the tty to send to
1138  * @ch: xchar to send
1139  *
1140  * Send a high priority character to the tty even if stopped.
1141  *
1142  * Locking: none for xchar method, write ordering for write method.
1143  */
tty_send_xchar(struct tty_struct * tty,char ch)1144 int tty_send_xchar(struct tty_struct *tty, char ch)
1145 {
1146 	bool was_stopped = tty->flow.stopped;
1147 
1148 	if (tty->ops->send_xchar) {
1149 		down_read(&tty->termios_rwsem);
1150 		tty->ops->send_xchar(tty, ch);
1151 		up_read(&tty->termios_rwsem);
1152 		return 0;
1153 	}
1154 
1155 	if (tty_write_lock(tty, false) < 0)
1156 		return -ERESTARTSYS;
1157 
1158 	down_read(&tty->termios_rwsem);
1159 	if (was_stopped)
1160 		start_tty(tty);
1161 	tty->ops->write(tty, &ch, 1);
1162 	if (was_stopped)
1163 		stop_tty(tty);
1164 	up_read(&tty->termios_rwsem);
1165 	tty_write_unlock(tty);
1166 	return 0;
1167 }
1168 
1169 /**
1170  * pty_line_name	-	generate name for a pty
1171  * @driver: the tty driver in use
1172  * @index: the minor number
1173  * @p: output buffer of at least 6 bytes
1174  *
1175  * Generate a name from a @driver reference and write it to the output buffer
1176  * @p.
1177  *
1178  * Locking: None
1179  */
pty_line_name(struct tty_driver * driver,int index,char * p)1180 static void pty_line_name(struct tty_driver *driver, int index, char *p)
1181 {
1182 	static const char ptychar[] = "pqrstuvwxyzabcde";
1183 	int i = index + driver->name_base;
1184 	/* ->name is initialized to "ttyp", but "tty" is expected */
1185 	sprintf(p, "%s%c%x",
1186 		driver->subtype == PTY_TYPE_SLAVE ? "tty" : driver->name,
1187 		ptychar[i >> 4 & 0xf], i & 0xf);
1188 }
1189 
1190 /**
1191  * tty_line_name	-	generate name for a tty
1192  * @driver: the tty driver in use
1193  * @index: the minor number
1194  * @p: output buffer of at least 7 bytes
1195  *
1196  * Generate a name from a @driver reference and write it to the output buffer
1197  * @p.
1198  *
1199  * Locking: None
1200  */
tty_line_name(struct tty_driver * driver,int index,char * p)1201 static ssize_t tty_line_name(struct tty_driver *driver, int index, char *p)
1202 {
1203 	if (driver->flags & TTY_DRIVER_UNNUMBERED_NODE)
1204 		return sprintf(p, "%s", driver->name);
1205 	else
1206 		return sprintf(p, "%s%d", driver->name,
1207 			       index + driver->name_base);
1208 }
1209 
1210 /**
1211  * tty_driver_lookup_tty() - find an existing tty, if any
1212  * @driver: the driver for the tty
1213  * @file: file object
1214  * @idx: the minor number
1215  *
1216  * Return: the tty, if found. If not found, return %NULL or ERR_PTR() if the
1217  * driver lookup() method returns an error.
1218  *
1219  * Locking: tty_mutex must be held. If the tty is found, bump the tty kref.
1220  */
tty_driver_lookup_tty(struct tty_driver * driver,struct file * file,int idx)1221 static struct tty_struct *tty_driver_lookup_tty(struct tty_driver *driver,
1222 		struct file *file, int idx)
1223 {
1224 	struct tty_struct *tty;
1225 
1226 	if (driver->ops->lookup) {
1227 		if (!file)
1228 			tty = ERR_PTR(-EIO);
1229 		else
1230 			tty = driver->ops->lookup(driver, file, idx);
1231 	} else {
1232 		if (idx >= driver->num)
1233 			return ERR_PTR(-EINVAL);
1234 		tty = driver->ttys[idx];
1235 	}
1236 	if (!IS_ERR(tty))
1237 		tty_kref_get(tty);
1238 	return tty;
1239 }
1240 
1241 /**
1242  * tty_init_termios	-  helper for termios setup
1243  * @tty: the tty to set up
1244  *
1245  * Initialise the termios structure for this tty. This runs under the
1246  * %tty_mutex currently so we can be relaxed about ordering.
1247  */
tty_init_termios(struct tty_struct * tty)1248 void tty_init_termios(struct tty_struct *tty)
1249 {
1250 	struct ktermios *tp;
1251 	int idx = tty->index;
1252 
1253 	if (tty->driver->flags & TTY_DRIVER_RESET_TERMIOS)
1254 		tty->termios = tty->driver->init_termios;
1255 	else {
1256 		/* Check for lazy saved data */
1257 		tp = tty->driver->termios[idx];
1258 		if (tp != NULL) {
1259 			tty->termios = *tp;
1260 			tty->termios.c_line  = tty->driver->init_termios.c_line;
1261 		} else
1262 			tty->termios = tty->driver->init_termios;
1263 	}
1264 	/* Compatibility until drivers always set this */
1265 	tty->termios.c_ispeed = tty_termios_input_baud_rate(&tty->termios);
1266 	tty->termios.c_ospeed = tty_termios_baud_rate(&tty->termios);
1267 }
1268 EXPORT_SYMBOL_GPL(tty_init_termios);
1269 
1270 /**
1271  * tty_standard_install - usual tty->ops->install
1272  * @driver: the driver for the tty
1273  * @tty: the tty
1274  *
1275  * If the @driver overrides @tty->ops->install, it still can call this function
1276  * to perform the standard install operations.
1277  */
tty_standard_install(struct tty_driver * driver,struct tty_struct * tty)1278 int tty_standard_install(struct tty_driver *driver, struct tty_struct *tty)
1279 {
1280 	tty_init_termios(tty);
1281 	tty_driver_kref_get(driver);
1282 	tty->count++;
1283 	driver->ttys[tty->index] = tty;
1284 	return 0;
1285 }
1286 EXPORT_SYMBOL_GPL(tty_standard_install);
1287 
1288 /**
1289  * tty_driver_install_tty() - install a tty entry in the driver
1290  * @driver: the driver for the tty
1291  * @tty: the tty
1292  *
1293  * Install a tty object into the driver tables. The @tty->index field will be
1294  * set by the time this is called. This method is responsible for ensuring any
1295  * need additional structures are allocated and configured.
1296  *
1297  * Locking: tty_mutex for now
1298  */
tty_driver_install_tty(struct tty_driver * driver,struct tty_struct * tty)1299 static int tty_driver_install_tty(struct tty_driver *driver,
1300 						struct tty_struct *tty)
1301 {
1302 	return driver->ops->install ? driver->ops->install(driver, tty) :
1303 		tty_standard_install(driver, tty);
1304 }
1305 
1306 /**
1307  * tty_driver_remove_tty() - remove a tty from the driver tables
1308  * @driver: the driver for the tty
1309  * @tty: tty to remove
1310  *
1311  * Remove a tty object from the driver tables. The tty->index field will be set
1312  * by the time this is called.
1313  *
1314  * Locking: tty_mutex for now
1315  */
tty_driver_remove_tty(struct tty_driver * driver,struct tty_struct * tty)1316 static void tty_driver_remove_tty(struct tty_driver *driver, struct tty_struct *tty)
1317 {
1318 	if (driver->ops->remove)
1319 		driver->ops->remove(driver, tty);
1320 	else
1321 		driver->ttys[tty->index] = NULL;
1322 }
1323 
1324 /**
1325  * tty_reopen()	- fast re-open of an open tty
1326  * @tty: the tty to open
1327  *
1328  * Re-opens on master ptys are not allowed and return -%EIO.
1329  *
1330  * Locking: Caller must hold tty_lock
1331  * Return: 0 on success, -errno on error.
1332  */
tty_reopen(struct tty_struct * tty)1333 static int tty_reopen(struct tty_struct *tty)
1334 {
1335 	struct tty_driver *driver = tty->driver;
1336 	struct tty_ldisc *ld;
1337 	int retval = 0;
1338 
1339 	if (driver->type == TTY_DRIVER_TYPE_PTY &&
1340 	    driver->subtype == PTY_TYPE_MASTER)
1341 		return -EIO;
1342 
1343 	if (!tty->count)
1344 		return -EAGAIN;
1345 
1346 	if (test_bit(TTY_EXCLUSIVE, &tty->flags) && !capable(CAP_SYS_ADMIN))
1347 		return -EBUSY;
1348 
1349 	ld = tty_ldisc_ref_wait(tty);
1350 	if (ld) {
1351 		tty_ldisc_deref(ld);
1352 	} else {
1353 		retval = tty_ldisc_lock(tty, 5 * HZ);
1354 		if (retval)
1355 			return retval;
1356 
1357 		if (!tty->ldisc)
1358 			retval = tty_ldisc_reinit(tty, tty->termios.c_line);
1359 		tty_ldisc_unlock(tty);
1360 	}
1361 
1362 	if (retval == 0)
1363 		tty->count++;
1364 
1365 	return retval;
1366 }
1367 
1368 /**
1369  * tty_init_dev		-	initialise a tty device
1370  * @driver: tty driver we are opening a device on
1371  * @idx: device index
1372  *
1373  * Prepare a tty device. This may not be a "new" clean device but could also be
1374  * an active device. The pty drivers require special handling because of this.
1375  *
1376  * Locking:
1377  *	The function is called under the tty_mutex, which protects us from the
1378  *	tty struct or driver itself going away.
1379  *
1380  * On exit the tty device has the line discipline attached and a reference
1381  * count of 1. If a pair was created for pty/tty use and the other was a pty
1382  * master then it too has a reference count of 1.
1383  *
1384  * WSH 06/09/97: Rewritten to remove races and properly clean up after a failed
1385  * open. The new code protects the open with a mutex, so it's really quite
1386  * straightforward. The mutex locking can probably be relaxed for the (most
1387  * common) case of reopening a tty.
1388  *
1389  * Return: new tty structure
1390  */
tty_init_dev(struct tty_driver * driver,int idx)1391 struct tty_struct *tty_init_dev(struct tty_driver *driver, int idx)
1392 {
1393 	struct tty_struct *tty;
1394 	int retval;
1395 
1396 	/*
1397 	 * First time open is complex, especially for PTY devices.
1398 	 * This code guarantees that either everything succeeds and the
1399 	 * TTY is ready for operation, or else the table slots are vacated
1400 	 * and the allocated memory released.  (Except that the termios
1401 	 * may be retained.)
1402 	 */
1403 
1404 	if (!try_module_get(driver->owner))
1405 		return ERR_PTR(-ENODEV);
1406 
1407 	tty = alloc_tty_struct(driver, idx);
1408 	if (!tty) {
1409 		retval = -ENOMEM;
1410 		goto err_module_put;
1411 	}
1412 
1413 	tty_lock(tty);
1414 	retval = tty_driver_install_tty(driver, tty);
1415 	if (retval < 0)
1416 		goto err_free_tty;
1417 
1418 	if (!tty->port)
1419 		tty->port = driver->ports[idx];
1420 
1421 	if (WARN_RATELIMIT(!tty->port,
1422 			"%s: %s driver does not set tty->port. This would crash the kernel. Fix the driver!\n",
1423 			__func__, tty->driver->name)) {
1424 		retval = -EINVAL;
1425 		goto err_release_lock;
1426 	}
1427 
1428 	retval = tty_ldisc_lock(tty, 5 * HZ);
1429 	if (retval)
1430 		goto err_release_lock;
1431 	tty->port->itty = tty;
1432 
1433 	/*
1434 	 * Structures all installed ... call the ldisc open routines.
1435 	 * If we fail here just call release_tty to clean up.  No need
1436 	 * to decrement the use counts, as release_tty doesn't care.
1437 	 */
1438 	retval = tty_ldisc_setup(tty, tty->link);
1439 	if (retval)
1440 		goto err_release_tty;
1441 	tty_ldisc_unlock(tty);
1442 	/* Return the tty locked so that it cannot vanish under the caller */
1443 	return tty;
1444 
1445 err_free_tty:
1446 	tty_unlock(tty);
1447 	free_tty_struct(tty);
1448 err_module_put:
1449 	module_put(driver->owner);
1450 	return ERR_PTR(retval);
1451 
1452 	/* call the tty release_tty routine to clean out this slot */
1453 err_release_tty:
1454 	tty_ldisc_unlock(tty);
1455 	tty_info_ratelimited(tty, "ldisc open failed (%d), clearing slot %d\n",
1456 			     retval, idx);
1457 err_release_lock:
1458 	tty_unlock(tty);
1459 	release_tty(tty, idx);
1460 	return ERR_PTR(retval);
1461 }
1462 
1463 /**
1464  * tty_save_termios() - save tty termios data in driver table
1465  * @tty: tty whose termios data to save
1466  *
1467  * Locking: Caller guarantees serialisation with tty_init_termios().
1468  */
tty_save_termios(struct tty_struct * tty)1469 void tty_save_termios(struct tty_struct *tty)
1470 {
1471 	struct ktermios *tp;
1472 	int idx = tty->index;
1473 
1474 	/* If the port is going to reset then it has no termios to save */
1475 	if (tty->driver->flags & TTY_DRIVER_RESET_TERMIOS)
1476 		return;
1477 
1478 	/* Stash the termios data */
1479 	tp = tty->driver->termios[idx];
1480 	if (tp == NULL) {
1481 		tp = kmalloc(sizeof(*tp), GFP_KERNEL);
1482 		if (tp == NULL)
1483 			return;
1484 		tty->driver->termios[idx] = tp;
1485 	}
1486 	*tp = tty->termios;
1487 }
1488 EXPORT_SYMBOL_GPL(tty_save_termios);
1489 
1490 /**
1491  * tty_flush_works	-	flush all works of a tty/pty pair
1492  * @tty: tty device to flush works for (or either end of a pty pair)
1493  *
1494  * Sync flush all works belonging to @tty (and the 'other' tty).
1495  */
tty_flush_works(struct tty_struct * tty)1496 static void tty_flush_works(struct tty_struct *tty)
1497 {
1498 	flush_work(&tty->SAK_work);
1499 	flush_work(&tty->hangup_work);
1500 	if (tty->link) {
1501 		flush_work(&tty->link->SAK_work);
1502 		flush_work(&tty->link->hangup_work);
1503 	}
1504 }
1505 
1506 /**
1507  * release_one_tty	-	release tty structure memory
1508  * @work: work of tty we are obliterating
1509  *
1510  * Releases memory associated with a tty structure, and clears out the
1511  * driver table slots. This function is called when a device is no longer
1512  * in use. It also gets called when setup of a device fails.
1513  *
1514  * Locking:
1515  *	takes the file list lock internally when working on the list of ttys
1516  *	that the driver keeps.
1517  *
1518  * This method gets called from a work queue so that the driver private
1519  * cleanup ops can sleep (needed for USB at least)
1520  */
release_one_tty(struct work_struct * work)1521 static void release_one_tty(struct work_struct *work)
1522 {
1523 	struct tty_struct *tty =
1524 		container_of(work, struct tty_struct, hangup_work);
1525 	struct tty_driver *driver = tty->driver;
1526 	struct module *owner = driver->owner;
1527 
1528 	if (tty->ops->cleanup)
1529 		tty->ops->cleanup(tty);
1530 
1531 	tty_driver_kref_put(driver);
1532 	module_put(owner);
1533 
1534 	spin_lock(&tty->files_lock);
1535 	list_del_init(&tty->tty_files);
1536 	spin_unlock(&tty->files_lock);
1537 
1538 	put_pid(tty->ctrl.pgrp);
1539 	put_pid(tty->ctrl.session);
1540 	free_tty_struct(tty);
1541 }
1542 
queue_release_one_tty(struct kref * kref)1543 static void queue_release_one_tty(struct kref *kref)
1544 {
1545 	struct tty_struct *tty = container_of(kref, struct tty_struct, kref);
1546 
1547 	/* The hangup queue is now free so we can reuse it rather than
1548 	 *  waste a chunk of memory for each port.
1549 	 */
1550 	INIT_WORK(&tty->hangup_work, release_one_tty);
1551 	schedule_work(&tty->hangup_work);
1552 }
1553 
1554 /**
1555  * tty_kref_put		-	release a tty kref
1556  * @tty: tty device
1557  *
1558  * Release a reference to the @tty device and if need be let the kref layer
1559  * destruct the object for us.
1560  */
tty_kref_put(struct tty_struct * tty)1561 void tty_kref_put(struct tty_struct *tty)
1562 {
1563 	if (tty)
1564 		kref_put(&tty->kref, queue_release_one_tty);
1565 }
1566 EXPORT_SYMBOL(tty_kref_put);
1567 
1568 /**
1569  * release_tty		-	release tty structure memory
1570  * @tty: tty device release
1571  * @idx: index of the tty device release
1572  *
1573  * Release both @tty and a possible linked partner (think pty pair),
1574  * and decrement the refcount of the backing module.
1575  *
1576  * Locking:
1577  *	tty_mutex
1578  *	takes the file list lock internally when working on the list of ttys
1579  *	that the driver keeps.
1580  */
release_tty(struct tty_struct * tty,int idx)1581 static void release_tty(struct tty_struct *tty, int idx)
1582 {
1583 	/* This should always be true but check for the moment */
1584 	WARN_ON(tty->index != idx);
1585 	WARN_ON(!mutex_is_locked(&tty_mutex));
1586 	if (tty->ops->shutdown)
1587 		tty->ops->shutdown(tty);
1588 	tty_save_termios(tty);
1589 	tty_driver_remove_tty(tty->driver, tty);
1590 	if (tty->port)
1591 		tty->port->itty = NULL;
1592 	if (tty->link)
1593 		tty->link->port->itty = NULL;
1594 	if (tty->port)
1595 		tty_buffer_cancel_work(tty->port);
1596 	if (tty->link)
1597 		tty_buffer_cancel_work(tty->link->port);
1598 
1599 	tty_kref_put(tty->link);
1600 	tty_kref_put(tty);
1601 }
1602 
1603 /**
1604  * tty_release_checks - check a tty before real release
1605  * @tty: tty to check
1606  * @idx: index of the tty
1607  *
1608  * Performs some paranoid checking before true release of the @tty. This is a
1609  * no-op unless %TTY_PARANOIA_CHECK is defined.
1610  */
tty_release_checks(struct tty_struct * tty,int idx)1611 static int tty_release_checks(struct tty_struct *tty, int idx)
1612 {
1613 #ifdef TTY_PARANOIA_CHECK
1614 	if (idx < 0 || idx >= tty->driver->num) {
1615 		tty_debug(tty, "bad idx %d\n", idx);
1616 		return -1;
1617 	}
1618 
1619 	/* not much to check for devpts */
1620 	if (tty->driver->flags & TTY_DRIVER_DEVPTS_MEM)
1621 		return 0;
1622 
1623 	if (tty != tty->driver->ttys[idx]) {
1624 		tty_debug(tty, "bad driver table[%d] = %p\n",
1625 			  idx, tty->driver->ttys[idx]);
1626 		return -1;
1627 	}
1628 	if (tty->driver->other) {
1629 		struct tty_struct *o_tty = tty->link;
1630 
1631 		if (o_tty != tty->driver->other->ttys[idx]) {
1632 			tty_debug(tty, "bad other table[%d] = %p\n",
1633 				  idx, tty->driver->other->ttys[idx]);
1634 			return -1;
1635 		}
1636 		if (o_tty->link != tty) {
1637 			tty_debug(tty, "bad link = %p\n", o_tty->link);
1638 			return -1;
1639 		}
1640 	}
1641 #endif
1642 	return 0;
1643 }
1644 
1645 /**
1646  * tty_kclose      -       closes tty opened by tty_kopen
1647  * @tty: tty device
1648  *
1649  * Performs the final steps to release and free a tty device. It is the same as
1650  * tty_release_struct() except that it also resets %TTY_PORT_KOPENED flag on
1651  * @tty->port.
1652  */
tty_kclose(struct tty_struct * tty)1653 void tty_kclose(struct tty_struct *tty)
1654 {
1655 	/*
1656 	 * Ask the line discipline code to release its structures
1657 	 */
1658 	tty_ldisc_release(tty);
1659 
1660 	/* Wait for pending work before tty destruction commences */
1661 	tty_flush_works(tty);
1662 
1663 	tty_debug_hangup(tty, "freeing structure\n");
1664 	/*
1665 	 * The release_tty function takes care of the details of clearing
1666 	 * the slots and preserving the termios structure.
1667 	 */
1668 	mutex_lock(&tty_mutex);
1669 	tty_port_set_kopened(tty->port, 0);
1670 	release_tty(tty, tty->index);
1671 	mutex_unlock(&tty_mutex);
1672 }
1673 EXPORT_SYMBOL_GPL(tty_kclose);
1674 
1675 /**
1676  * tty_release_struct	-	release a tty struct
1677  * @tty: tty device
1678  * @idx: index of the tty
1679  *
1680  * Performs the final steps to release and free a tty device. It is roughly the
1681  * reverse of tty_init_dev().
1682  */
tty_release_struct(struct tty_struct * tty,int idx)1683 void tty_release_struct(struct tty_struct *tty, int idx)
1684 {
1685 	/*
1686 	 * Ask the line discipline code to release its structures
1687 	 */
1688 	tty_ldisc_release(tty);
1689 
1690 	/* Wait for pending work before tty destruction commmences */
1691 	tty_flush_works(tty);
1692 
1693 	tty_debug_hangup(tty, "freeing structure\n");
1694 	/*
1695 	 * The release_tty function takes care of the details of clearing
1696 	 * the slots and preserving the termios structure.
1697 	 */
1698 	mutex_lock(&tty_mutex);
1699 	release_tty(tty, idx);
1700 	mutex_unlock(&tty_mutex);
1701 }
1702 EXPORT_SYMBOL_GPL(tty_release_struct);
1703 
1704 /**
1705  * tty_release		-	vfs callback for close
1706  * @inode: inode of tty
1707  * @filp: file pointer for handle to tty
1708  *
1709  * Called the last time each file handle is closed that references this tty.
1710  * There may however be several such references.
1711  *
1712  * Locking:
1713  *	Takes BKL. See tty_release_dev().
1714  *
1715  * Even releasing the tty structures is a tricky business. We have to be very
1716  * careful that the structures are all released at the same time, as interrupts
1717  * might otherwise get the wrong pointers.
1718  *
1719  * WSH 09/09/97: rewritten to avoid some nasty race conditions that could
1720  * lead to double frees or releasing memory still in use.
1721  */
tty_release(struct inode * inode,struct file * filp)1722 int tty_release(struct inode *inode, struct file *filp)
1723 {
1724 	struct tty_struct *tty = file_tty(filp);
1725 	struct tty_struct *o_tty = NULL;
1726 	int	do_sleep, final;
1727 	int	idx;
1728 	long	timeout = 0;
1729 	int	once = 1;
1730 
1731 	if (tty_paranoia_check(tty, inode, __func__))
1732 		return 0;
1733 
1734 	tty_lock(tty);
1735 	check_tty_count(tty, __func__);
1736 
1737 	__tty_fasync(-1, filp, 0);
1738 
1739 	idx = tty->index;
1740 	if (tty->driver->type == TTY_DRIVER_TYPE_PTY &&
1741 	    tty->driver->subtype == PTY_TYPE_MASTER)
1742 		o_tty = tty->link;
1743 
1744 	if (tty_release_checks(tty, idx)) {
1745 		tty_unlock(tty);
1746 		return 0;
1747 	}
1748 
1749 	tty_debug_hangup(tty, "releasing (count=%d)\n", tty->count);
1750 
1751 	if (tty->ops->close)
1752 		tty->ops->close(tty, filp);
1753 
1754 	/* If tty is pty master, lock the slave pty (stable lock order) */
1755 	tty_lock_slave(o_tty);
1756 
1757 	/*
1758 	 * Sanity check: if tty->count is going to zero, there shouldn't be
1759 	 * any waiters on tty->read_wait or tty->write_wait.  We test the
1760 	 * wait queues and kick everyone out _before_ actually starting to
1761 	 * close.  This ensures that we won't block while releasing the tty
1762 	 * structure.
1763 	 *
1764 	 * The test for the o_tty closing is necessary, since the master and
1765 	 * slave sides may close in any order.  If the slave side closes out
1766 	 * first, its count will be one, since the master side holds an open.
1767 	 * Thus this test wouldn't be triggered at the time the slave closed,
1768 	 * so we do it now.
1769 	 */
1770 	while (1) {
1771 		do_sleep = 0;
1772 
1773 		if (tty->count <= 1) {
1774 			if (waitqueue_active(&tty->read_wait)) {
1775 				wake_up_poll(&tty->read_wait, EPOLLIN);
1776 				do_sleep++;
1777 			}
1778 			if (waitqueue_active(&tty->write_wait)) {
1779 				wake_up_poll(&tty->write_wait, EPOLLOUT);
1780 				do_sleep++;
1781 			}
1782 		}
1783 		if (o_tty && o_tty->count <= 1) {
1784 			if (waitqueue_active(&o_tty->read_wait)) {
1785 				wake_up_poll(&o_tty->read_wait, EPOLLIN);
1786 				do_sleep++;
1787 			}
1788 			if (waitqueue_active(&o_tty->write_wait)) {
1789 				wake_up_poll(&o_tty->write_wait, EPOLLOUT);
1790 				do_sleep++;
1791 			}
1792 		}
1793 		if (!do_sleep)
1794 			break;
1795 
1796 		if (once) {
1797 			once = 0;
1798 			tty_warn(tty, "read/write wait queue active!\n");
1799 		}
1800 		schedule_timeout_killable(timeout);
1801 		if (timeout < 120 * HZ)
1802 			timeout = 2 * timeout + 1;
1803 		else
1804 			timeout = MAX_SCHEDULE_TIMEOUT;
1805 	}
1806 
1807 	if (o_tty) {
1808 		if (--o_tty->count < 0) {
1809 			tty_warn(tty, "bad slave count (%d)\n", o_tty->count);
1810 			o_tty->count = 0;
1811 		}
1812 	}
1813 	if (--tty->count < 0) {
1814 		tty_warn(tty, "bad tty->count (%d)\n", tty->count);
1815 		tty->count = 0;
1816 	}
1817 
1818 	/*
1819 	 * We've decremented tty->count, so we need to remove this file
1820 	 * descriptor off the tty->tty_files list; this serves two
1821 	 * purposes:
1822 	 *  - check_tty_count sees the correct number of file descriptors
1823 	 *    associated with this tty.
1824 	 *  - do_tty_hangup no longer sees this file descriptor as
1825 	 *    something that needs to be handled for hangups.
1826 	 */
1827 	tty_del_file(filp);
1828 
1829 	/*
1830 	 * Perform some housekeeping before deciding whether to return.
1831 	 *
1832 	 * If _either_ side is closing, make sure there aren't any
1833 	 * processes that still think tty or o_tty is their controlling
1834 	 * tty.
1835 	 */
1836 	if (!tty->count) {
1837 		read_lock(&tasklist_lock);
1838 		session_clear_tty(tty->ctrl.session);
1839 		if (o_tty)
1840 			session_clear_tty(o_tty->ctrl.session);
1841 		read_unlock(&tasklist_lock);
1842 	}
1843 
1844 	/* check whether both sides are closing ... */
1845 	final = !tty->count && !(o_tty && o_tty->count);
1846 
1847 	tty_unlock_slave(o_tty);
1848 	tty_unlock(tty);
1849 
1850 	/* At this point, the tty->count == 0 should ensure a dead tty
1851 	 * cannot be re-opened by a racing opener.
1852 	 */
1853 
1854 	if (!final)
1855 		return 0;
1856 
1857 	tty_debug_hangup(tty, "final close\n");
1858 
1859 	tty_release_struct(tty, idx);
1860 	return 0;
1861 }
1862 
1863 /**
1864  * tty_open_current_tty - get locked tty of current task
1865  * @device: device number
1866  * @filp: file pointer to tty
1867  * @return: locked tty of the current task iff @device is /dev/tty
1868  *
1869  * Performs a re-open of the current task's controlling tty.
1870  *
1871  * We cannot return driver and index like for the other nodes because devpts
1872  * will not work then. It expects inodes to be from devpts FS.
1873  */
tty_open_current_tty(dev_t device,struct file * filp)1874 static struct tty_struct *tty_open_current_tty(dev_t device, struct file *filp)
1875 {
1876 	struct tty_struct *tty;
1877 	int retval;
1878 
1879 	if (device != MKDEV(TTYAUX_MAJOR, 0))
1880 		return NULL;
1881 
1882 	tty = get_current_tty();
1883 	if (!tty)
1884 		return ERR_PTR(-ENXIO);
1885 
1886 	filp->f_flags |= O_NONBLOCK; /* Don't let /dev/tty block */
1887 	/* noctty = 1; */
1888 	tty_lock(tty);
1889 	tty_kref_put(tty);	/* safe to drop the kref now */
1890 
1891 	retval = tty_reopen(tty);
1892 	if (retval < 0) {
1893 		tty_unlock(tty);
1894 		tty = ERR_PTR(retval);
1895 	}
1896 	return tty;
1897 }
1898 
1899 /**
1900  * tty_lookup_driver - lookup a tty driver for a given device file
1901  * @device: device number
1902  * @filp: file pointer to tty
1903  * @index: index for the device in the @return driver
1904  *
1905  * If returned value is not erroneous, the caller is responsible to decrement
1906  * the refcount by tty_driver_kref_put().
1907  *
1908  * Locking: %tty_mutex protects get_tty_driver()
1909  *
1910  * Return: driver for this inode (with increased refcount)
1911  */
tty_lookup_driver(dev_t device,struct file * filp,int * index)1912 static struct tty_driver *tty_lookup_driver(dev_t device, struct file *filp,
1913 		int *index)
1914 {
1915 	struct tty_driver *driver = NULL;
1916 
1917 	switch (device) {
1918 #ifdef CONFIG_VT
1919 	case MKDEV(TTY_MAJOR, 0): {
1920 		extern struct tty_driver *console_driver;
1921 
1922 		driver = tty_driver_kref_get(console_driver);
1923 		*index = fg_console;
1924 		break;
1925 	}
1926 #endif
1927 	case MKDEV(TTYAUX_MAJOR, 1): {
1928 		struct tty_driver *console_driver = console_device(index);
1929 
1930 		if (console_driver) {
1931 			driver = tty_driver_kref_get(console_driver);
1932 			if (driver && filp) {
1933 				/* Don't let /dev/console block */
1934 				filp->f_flags |= O_NONBLOCK;
1935 				break;
1936 			}
1937 		}
1938 		if (driver)
1939 			tty_driver_kref_put(driver);
1940 		return ERR_PTR(-ENODEV);
1941 	}
1942 	default:
1943 		driver = get_tty_driver(device, index);
1944 		if (!driver)
1945 			return ERR_PTR(-ENODEV);
1946 		break;
1947 	}
1948 	return driver;
1949 }
1950 
tty_kopen(dev_t device,int shared)1951 static struct tty_struct *tty_kopen(dev_t device, int shared)
1952 {
1953 	struct tty_struct *tty;
1954 	struct tty_driver *driver;
1955 	int index = -1;
1956 
1957 	mutex_lock(&tty_mutex);
1958 	driver = tty_lookup_driver(device, NULL, &index);
1959 	if (IS_ERR(driver)) {
1960 		mutex_unlock(&tty_mutex);
1961 		return ERR_CAST(driver);
1962 	}
1963 
1964 	/* check whether we're reopening an existing tty */
1965 	tty = tty_driver_lookup_tty(driver, NULL, index);
1966 	if (IS_ERR(tty) || shared)
1967 		goto out;
1968 
1969 	if (tty) {
1970 		/* drop kref from tty_driver_lookup_tty() */
1971 		tty_kref_put(tty);
1972 		tty = ERR_PTR(-EBUSY);
1973 	} else { /* tty_init_dev returns tty with the tty_lock held */
1974 		tty = tty_init_dev(driver, index);
1975 		if (IS_ERR(tty))
1976 			goto out;
1977 		tty_port_set_kopened(tty->port, 1);
1978 	}
1979 out:
1980 	mutex_unlock(&tty_mutex);
1981 	tty_driver_kref_put(driver);
1982 	return tty;
1983 }
1984 
1985 /**
1986  * tty_kopen_exclusive	-	open a tty device for kernel
1987  * @device: dev_t of device to open
1988  *
1989  * Opens tty exclusively for kernel. Performs the driver lookup, makes sure
1990  * it's not already opened and performs the first-time tty initialization.
1991  *
1992  * Claims the global %tty_mutex to serialize:
1993  *  * concurrent first-time tty initialization
1994  *  * concurrent tty driver removal w/ lookup
1995  *  * concurrent tty removal from driver table
1996  *
1997  * Return: the locked initialized &tty_struct
1998  */
tty_kopen_exclusive(dev_t device)1999 struct tty_struct *tty_kopen_exclusive(dev_t device)
2000 {
2001 	return tty_kopen(device, 0);
2002 }
2003 EXPORT_SYMBOL_GPL(tty_kopen_exclusive);
2004 
2005 /**
2006  * tty_kopen_shared	-	open a tty device for shared in-kernel use
2007  * @device: dev_t of device to open
2008  *
2009  * Opens an already existing tty for in-kernel use. Compared to
2010  * tty_kopen_exclusive() above it doesn't ensure to be the only user.
2011  *
2012  * Locking: identical to tty_kopen() above.
2013  */
tty_kopen_shared(dev_t device)2014 struct tty_struct *tty_kopen_shared(dev_t device)
2015 {
2016 	return tty_kopen(device, 1);
2017 }
2018 EXPORT_SYMBOL_GPL(tty_kopen_shared);
2019 
2020 /**
2021  * tty_open_by_driver	-	open a tty device
2022  * @device: dev_t of device to open
2023  * @filp: file pointer to tty
2024  *
2025  * Performs the driver lookup, checks for a reopen, or otherwise performs the
2026  * first-time tty initialization.
2027  *
2028  *
2029  * Claims the global tty_mutex to serialize:
2030  *  * concurrent first-time tty initialization
2031  *  * concurrent tty driver removal w/ lookup
2032  *  * concurrent tty removal from driver table
2033  *
2034  * Return: the locked initialized or re-opened &tty_struct
2035  */
tty_open_by_driver(dev_t device,struct file * filp)2036 static struct tty_struct *tty_open_by_driver(dev_t device,
2037 					     struct file *filp)
2038 {
2039 	struct tty_struct *tty;
2040 	struct tty_driver *driver = NULL;
2041 	int index = -1;
2042 	int retval;
2043 
2044 	mutex_lock(&tty_mutex);
2045 	driver = tty_lookup_driver(device, filp, &index);
2046 	if (IS_ERR(driver)) {
2047 		mutex_unlock(&tty_mutex);
2048 		return ERR_CAST(driver);
2049 	}
2050 
2051 	/* check whether we're reopening an existing tty */
2052 	tty = tty_driver_lookup_tty(driver, filp, index);
2053 	if (IS_ERR(tty)) {
2054 		mutex_unlock(&tty_mutex);
2055 		goto out;
2056 	}
2057 
2058 	if (tty) {
2059 		if (tty_port_kopened(tty->port)) {
2060 			tty_kref_put(tty);
2061 			mutex_unlock(&tty_mutex);
2062 			tty = ERR_PTR(-EBUSY);
2063 			goto out;
2064 		}
2065 		mutex_unlock(&tty_mutex);
2066 		retval = tty_lock_interruptible(tty);
2067 		tty_kref_put(tty);  /* drop kref from tty_driver_lookup_tty() */
2068 		if (retval) {
2069 			if (retval == -EINTR)
2070 				retval = -ERESTARTSYS;
2071 			tty = ERR_PTR(retval);
2072 			goto out;
2073 		}
2074 		retval = tty_reopen(tty);
2075 		if (retval < 0) {
2076 			tty_unlock(tty);
2077 			tty = ERR_PTR(retval);
2078 		}
2079 	} else { /* Returns with the tty_lock held for now */
2080 		tty = tty_init_dev(driver, index);
2081 		mutex_unlock(&tty_mutex);
2082 	}
2083 out:
2084 	tty_driver_kref_put(driver);
2085 	return tty;
2086 }
2087 
2088 /**
2089  * tty_open	-	open a tty device
2090  * @inode: inode of device file
2091  * @filp: file pointer to tty
2092  *
2093  * tty_open() and tty_release() keep up the tty count that contains the number
2094  * of opens done on a tty. We cannot use the inode-count, as different inodes
2095  * might point to the same tty.
2096  *
2097  * Open-counting is needed for pty masters, as well as for keeping track of
2098  * serial lines: DTR is dropped when the last close happens.
2099  * (This is not done solely through tty->count, now.  - Ted 1/27/92)
2100  *
2101  * The termios state of a pty is reset on the first open so that settings don't
2102  * persist across reuse.
2103  *
2104  * Locking:
2105  *  * %tty_mutex protects tty, tty_lookup_driver() and tty_init_dev().
2106  *  * @tty->count should protect the rest.
2107  *  * ->siglock protects ->signal/->sighand
2108  *
2109  * Note: the tty_unlock/lock cases without a ref are only safe due to %tty_mutex
2110  */
tty_open(struct inode * inode,struct file * filp)2111 static int tty_open(struct inode *inode, struct file *filp)
2112 {
2113 	struct tty_struct *tty;
2114 	int noctty, retval;
2115 	dev_t device = inode->i_rdev;
2116 	unsigned saved_flags = filp->f_flags;
2117 
2118 	nonseekable_open(inode, filp);
2119 
2120 retry_open:
2121 	retval = tty_alloc_file(filp);
2122 	if (retval)
2123 		return -ENOMEM;
2124 
2125 	tty = tty_open_current_tty(device, filp);
2126 	if (!tty)
2127 		tty = tty_open_by_driver(device, filp);
2128 
2129 	if (IS_ERR(tty)) {
2130 		tty_free_file(filp);
2131 		retval = PTR_ERR(tty);
2132 		if (retval != -EAGAIN || signal_pending(current))
2133 			return retval;
2134 		schedule();
2135 		goto retry_open;
2136 	}
2137 
2138 	tty_add_file(tty, filp);
2139 
2140 	check_tty_count(tty, __func__);
2141 	tty_debug_hangup(tty, "opening (count=%d)\n", tty->count);
2142 
2143 	if (tty->ops->open)
2144 		retval = tty->ops->open(tty, filp);
2145 	else
2146 		retval = -ENODEV;
2147 	filp->f_flags = saved_flags;
2148 
2149 	if (retval) {
2150 		tty_debug_hangup(tty, "open error %d, releasing\n", retval);
2151 
2152 		tty_unlock(tty); /* need to call tty_release without BTM */
2153 		tty_release(inode, filp);
2154 		if (retval != -ERESTARTSYS)
2155 			return retval;
2156 
2157 		if (signal_pending(current))
2158 			return retval;
2159 
2160 		schedule();
2161 		/*
2162 		 * Need to reset f_op in case a hangup happened.
2163 		 */
2164 		if (tty_hung_up_p(filp))
2165 			filp->f_op = &tty_fops;
2166 		goto retry_open;
2167 	}
2168 	clear_bit(TTY_HUPPED, &tty->flags);
2169 
2170 	noctty = (filp->f_flags & O_NOCTTY) ||
2171 		 (IS_ENABLED(CONFIG_VT) && device == MKDEV(TTY_MAJOR, 0)) ||
2172 		 device == MKDEV(TTYAUX_MAJOR, 1) ||
2173 		 (tty->driver->type == TTY_DRIVER_TYPE_PTY &&
2174 		  tty->driver->subtype == PTY_TYPE_MASTER);
2175 	if (!noctty)
2176 		tty_open_proc_set_tty(filp, tty);
2177 	tty_unlock(tty);
2178 	return 0;
2179 }
2180 
2181 
2182 /**
2183  * tty_poll	-	check tty status
2184  * @filp: file being polled
2185  * @wait: poll wait structures to update
2186  *
2187  * Call the line discipline polling method to obtain the poll status of the
2188  * device.
2189  *
2190  * Locking: locks called line discipline but ldisc poll method may be
2191  * re-entered freely by other callers.
2192  */
tty_poll(struct file * filp,poll_table * wait)2193 static __poll_t tty_poll(struct file *filp, poll_table *wait)
2194 {
2195 	struct tty_struct *tty = file_tty(filp);
2196 	struct tty_ldisc *ld;
2197 	__poll_t ret = 0;
2198 
2199 	if (tty_paranoia_check(tty, file_inode(filp), "tty_poll"))
2200 		return 0;
2201 
2202 	ld = tty_ldisc_ref_wait(tty);
2203 	if (!ld)
2204 		return hung_up_tty_poll(filp, wait);
2205 	if (ld->ops->poll)
2206 		ret = ld->ops->poll(tty, filp, wait);
2207 	tty_ldisc_deref(ld);
2208 	return ret;
2209 }
2210 
__tty_fasync(int fd,struct file * filp,int on)2211 static int __tty_fasync(int fd, struct file *filp, int on)
2212 {
2213 	struct tty_struct *tty = file_tty(filp);
2214 	unsigned long flags;
2215 	int retval = 0;
2216 
2217 	if (tty_paranoia_check(tty, file_inode(filp), "tty_fasync"))
2218 		goto out;
2219 
2220 	retval = fasync_helper(fd, filp, on, &tty->fasync);
2221 	if (retval <= 0)
2222 		goto out;
2223 
2224 	if (on) {
2225 		enum pid_type type;
2226 		struct pid *pid;
2227 
2228 		spin_lock_irqsave(&tty->ctrl.lock, flags);
2229 		if (tty->ctrl.pgrp) {
2230 			pid = tty->ctrl.pgrp;
2231 			type = PIDTYPE_PGID;
2232 		} else {
2233 			pid = task_pid(current);
2234 			type = PIDTYPE_TGID;
2235 		}
2236 		get_pid(pid);
2237 		spin_unlock_irqrestore(&tty->ctrl.lock, flags);
2238 		__f_setown(filp, pid, type, 0);
2239 		put_pid(pid);
2240 		retval = 0;
2241 	}
2242 out:
2243 	return retval;
2244 }
2245 
tty_fasync(int fd,struct file * filp,int on)2246 static int tty_fasync(int fd, struct file *filp, int on)
2247 {
2248 	struct tty_struct *tty = file_tty(filp);
2249 	int retval = -ENOTTY;
2250 
2251 	tty_lock(tty);
2252 	if (!tty_hung_up_p(filp))
2253 		retval = __tty_fasync(fd, filp, on);
2254 	tty_unlock(tty);
2255 
2256 	return retval;
2257 }
2258 
2259 static bool tty_legacy_tiocsti __read_mostly = IS_ENABLED(CONFIG_LEGACY_TIOCSTI);
2260 /**
2261  * tiocsti		-	fake input character
2262  * @tty: tty to fake input into
2263  * @p: pointer to character
2264  *
2265  * Fake input to a tty device. Does the necessary locking and input management.
2266  *
2267  * FIXME: does not honour flow control ??
2268  *
2269  * Locking:
2270  *  * Called functions take tty_ldiscs_lock
2271  *  * current->signal->tty check is safe without locks
2272  */
tiocsti(struct tty_struct * tty,char __user * p)2273 static int tiocsti(struct tty_struct *tty, char __user *p)
2274 {
2275 	char ch, mbz = 0;
2276 	struct tty_ldisc *ld;
2277 
2278 	if (!tty_legacy_tiocsti && !capable(CAP_SYS_ADMIN))
2279 		return -EIO;
2280 
2281 	if ((current->signal->tty != tty) && !capable(CAP_SYS_ADMIN))
2282 		return -EPERM;
2283 	if (get_user(ch, p))
2284 		return -EFAULT;
2285 	tty_audit_tiocsti(tty, ch);
2286 	ld = tty_ldisc_ref_wait(tty);
2287 	if (!ld)
2288 		return -EIO;
2289 	tty_buffer_lock_exclusive(tty->port);
2290 	if (ld->ops->receive_buf)
2291 		ld->ops->receive_buf(tty, &ch, &mbz, 1);
2292 	tty_buffer_unlock_exclusive(tty->port);
2293 	tty_ldisc_deref(ld);
2294 	return 0;
2295 }
2296 
2297 /**
2298  * tiocgwinsz		-	implement window query ioctl
2299  * @tty: tty
2300  * @arg: user buffer for result
2301  *
2302  * Copies the kernel idea of the window size into the user buffer.
2303  *
2304  * Locking: @tty->winsize_mutex is taken to ensure the winsize data is
2305  * consistent.
2306  */
tiocgwinsz(struct tty_struct * tty,struct winsize __user * arg)2307 static int tiocgwinsz(struct tty_struct *tty, struct winsize __user *arg)
2308 {
2309 	int err;
2310 
2311 	mutex_lock(&tty->winsize_mutex);
2312 	err = copy_to_user(arg, &tty->winsize, sizeof(*arg));
2313 	mutex_unlock(&tty->winsize_mutex);
2314 
2315 	return err ? -EFAULT : 0;
2316 }
2317 
2318 /**
2319  * tty_do_resize	-	resize event
2320  * @tty: tty being resized
2321  * @ws: new dimensions
2322  *
2323  * Update the termios variables and send the necessary signals to peform a
2324  * terminal resize correctly.
2325  */
tty_do_resize(struct tty_struct * tty,struct winsize * ws)2326 int tty_do_resize(struct tty_struct *tty, struct winsize *ws)
2327 {
2328 	struct pid *pgrp;
2329 
2330 	/* Lock the tty */
2331 	mutex_lock(&tty->winsize_mutex);
2332 	if (!memcmp(ws, &tty->winsize, sizeof(*ws)))
2333 		goto done;
2334 
2335 	/* Signal the foreground process group */
2336 	pgrp = tty_get_pgrp(tty);
2337 	if (pgrp)
2338 		kill_pgrp(pgrp, SIGWINCH, 1);
2339 	put_pid(pgrp);
2340 
2341 	tty->winsize = *ws;
2342 done:
2343 	mutex_unlock(&tty->winsize_mutex);
2344 	return 0;
2345 }
2346 EXPORT_SYMBOL(tty_do_resize);
2347 
2348 /**
2349  * tiocswinsz		-	implement window size set ioctl
2350  * @tty: tty side of tty
2351  * @arg: user buffer for result
2352  *
2353  * Copies the user idea of the window size to the kernel. Traditionally this is
2354  * just advisory information but for the Linux console it actually has driver
2355  * level meaning and triggers a VC resize.
2356  *
2357  * Locking:
2358  *	Driver dependent. The default do_resize method takes the tty termios
2359  *	mutex and ctrl.lock. The console takes its own lock then calls into the
2360  *	default method.
2361  */
tiocswinsz(struct tty_struct * tty,struct winsize __user * arg)2362 static int tiocswinsz(struct tty_struct *tty, struct winsize __user *arg)
2363 {
2364 	struct winsize tmp_ws;
2365 
2366 	if (copy_from_user(&tmp_ws, arg, sizeof(*arg)))
2367 		return -EFAULT;
2368 
2369 	if (tty->ops->resize)
2370 		return tty->ops->resize(tty, &tmp_ws);
2371 	else
2372 		return tty_do_resize(tty, &tmp_ws);
2373 }
2374 
2375 /**
2376  * tioccons	-	allow admin to move logical console
2377  * @file: the file to become console
2378  *
2379  * Allow the administrator to move the redirected console device.
2380  *
2381  * Locking: uses redirect_lock to guard the redirect information
2382  */
tioccons(struct file * file)2383 static int tioccons(struct file *file)
2384 {
2385 	if (!capable(CAP_SYS_ADMIN))
2386 		return -EPERM;
2387 	if (file->f_op->write_iter == redirected_tty_write) {
2388 		struct file *f;
2389 
2390 		spin_lock(&redirect_lock);
2391 		f = redirect;
2392 		redirect = NULL;
2393 		spin_unlock(&redirect_lock);
2394 		if (f)
2395 			fput(f);
2396 		return 0;
2397 	}
2398 	if (file->f_op->write_iter != tty_write)
2399 		return -ENOTTY;
2400 	if (!(file->f_mode & FMODE_WRITE))
2401 		return -EBADF;
2402 	if (!(file->f_mode & FMODE_CAN_WRITE))
2403 		return -EINVAL;
2404 	spin_lock(&redirect_lock);
2405 	if (redirect) {
2406 		spin_unlock(&redirect_lock);
2407 		return -EBUSY;
2408 	}
2409 	redirect = get_file(file);
2410 	spin_unlock(&redirect_lock);
2411 	return 0;
2412 }
2413 
2414 /**
2415  * tiocsetd	-	set line discipline
2416  * @tty: tty device
2417  * @p: pointer to user data
2418  *
2419  * Set the line discipline according to user request.
2420  *
2421  * Locking: see tty_set_ldisc(), this function is just a helper
2422  */
tiocsetd(struct tty_struct * tty,int __user * p)2423 static int tiocsetd(struct tty_struct *tty, int __user *p)
2424 {
2425 	int disc;
2426 	int ret;
2427 
2428 	if (get_user(disc, p))
2429 		return -EFAULT;
2430 
2431 	ret = tty_set_ldisc(tty, disc);
2432 
2433 	return ret;
2434 }
2435 
2436 /**
2437  * tiocgetd	-	get line discipline
2438  * @tty: tty device
2439  * @p: pointer to user data
2440  *
2441  * Retrieves the line discipline id directly from the ldisc.
2442  *
2443  * Locking: waits for ldisc reference (in case the line discipline is changing
2444  * or the @tty is being hungup)
2445  */
tiocgetd(struct tty_struct * tty,int __user * p)2446 static int tiocgetd(struct tty_struct *tty, int __user *p)
2447 {
2448 	struct tty_ldisc *ld;
2449 	int ret;
2450 
2451 	ld = tty_ldisc_ref_wait(tty);
2452 	if (!ld)
2453 		return -EIO;
2454 	ret = put_user(ld->ops->num, p);
2455 	tty_ldisc_deref(ld);
2456 	return ret;
2457 }
2458 
2459 /**
2460  * send_break	-	performed time break
2461  * @tty: device to break on
2462  * @duration: timeout in mS
2463  *
2464  * Perform a timed break on hardware that lacks its own driver level timed
2465  * break functionality.
2466  *
2467  * Locking:
2468  *	@tty->atomic_write_lock serializes
2469  */
send_break(struct tty_struct * tty,unsigned int duration)2470 static int send_break(struct tty_struct *tty, unsigned int duration)
2471 {
2472 	int retval;
2473 
2474 	if (tty->ops->break_ctl == NULL)
2475 		return 0;
2476 
2477 	if (tty->driver->flags & TTY_DRIVER_HARDWARE_BREAK)
2478 		return tty->ops->break_ctl(tty, duration);
2479 
2480 	/* Do the work ourselves */
2481 	if (tty_write_lock(tty, false) < 0)
2482 		return -EINTR;
2483 
2484 	retval = tty->ops->break_ctl(tty, -1);
2485 	if (!retval) {
2486 		msleep_interruptible(duration);
2487 		retval = tty->ops->break_ctl(tty, 0);
2488 	} else if (retval == -EOPNOTSUPP) {
2489 		/* some drivers can tell only dynamically */
2490 		retval = 0;
2491 	}
2492 	tty_write_unlock(tty);
2493 
2494 	if (signal_pending(current))
2495 		retval = -EINTR;
2496 
2497 	return retval;
2498 }
2499 
2500 /**
2501  * tty_tiocmget		-	get modem status
2502  * @tty: tty device
2503  * @p: pointer to result
2504  *
2505  * Obtain the modem status bits from the tty driver if the feature is
2506  * supported. Return -%ENOTTY if it is not available.
2507  *
2508  * Locking: none (up to the driver)
2509  */
tty_tiocmget(struct tty_struct * tty,int __user * p)2510 static int tty_tiocmget(struct tty_struct *tty, int __user *p)
2511 {
2512 	int retval = -ENOTTY;
2513 
2514 	if (tty->ops->tiocmget) {
2515 		retval = tty->ops->tiocmget(tty);
2516 
2517 		if (retval >= 0)
2518 			retval = put_user(retval, p);
2519 	}
2520 	return retval;
2521 }
2522 
2523 /**
2524  * tty_tiocmset		-	set modem status
2525  * @tty: tty device
2526  * @cmd: command - clear bits, set bits or set all
2527  * @p: pointer to desired bits
2528  *
2529  * Set the modem status bits from the tty driver if the feature
2530  * is supported. Return -%ENOTTY if it is not available.
2531  *
2532  * Locking: none (up to the driver)
2533  */
tty_tiocmset(struct tty_struct * tty,unsigned int cmd,unsigned __user * p)2534 static int tty_tiocmset(struct tty_struct *tty, unsigned int cmd,
2535 	     unsigned __user *p)
2536 {
2537 	int retval;
2538 	unsigned int set, clear, val;
2539 
2540 	if (tty->ops->tiocmset == NULL)
2541 		return -ENOTTY;
2542 
2543 	retval = get_user(val, p);
2544 	if (retval)
2545 		return retval;
2546 	set = clear = 0;
2547 	switch (cmd) {
2548 	case TIOCMBIS:
2549 		set = val;
2550 		break;
2551 	case TIOCMBIC:
2552 		clear = val;
2553 		break;
2554 	case TIOCMSET:
2555 		set = val;
2556 		clear = ~val;
2557 		break;
2558 	}
2559 	set &= TIOCM_DTR|TIOCM_RTS|TIOCM_OUT1|TIOCM_OUT2|TIOCM_LOOP;
2560 	clear &= TIOCM_DTR|TIOCM_RTS|TIOCM_OUT1|TIOCM_OUT2|TIOCM_LOOP;
2561 	return tty->ops->tiocmset(tty, set, clear);
2562 }
2563 
2564 /**
2565  * tty_get_icount	-	get tty statistics
2566  * @tty: tty device
2567  * @icount: output parameter
2568  *
2569  * Gets a copy of the @tty's icount statistics.
2570  *
2571  * Locking: none (up to the driver)
2572  */
tty_get_icount(struct tty_struct * tty,struct serial_icounter_struct * icount)2573 int tty_get_icount(struct tty_struct *tty,
2574 		   struct serial_icounter_struct *icount)
2575 {
2576 	memset(icount, 0, sizeof(*icount));
2577 
2578 	if (tty->ops->get_icount)
2579 		return tty->ops->get_icount(tty, icount);
2580 	else
2581 		return -ENOTTY;
2582 }
2583 EXPORT_SYMBOL_GPL(tty_get_icount);
2584 
tty_tiocgicount(struct tty_struct * tty,void __user * arg)2585 static int tty_tiocgicount(struct tty_struct *tty, void __user *arg)
2586 {
2587 	struct serial_icounter_struct icount;
2588 	int retval;
2589 
2590 	retval = tty_get_icount(tty, &icount);
2591 	if (retval != 0)
2592 		return retval;
2593 
2594 	if (copy_to_user(arg, &icount, sizeof(icount)))
2595 		return -EFAULT;
2596 	return 0;
2597 }
2598 
tty_set_serial(struct tty_struct * tty,struct serial_struct * ss)2599 static int tty_set_serial(struct tty_struct *tty, struct serial_struct *ss)
2600 {
2601 	char comm[TASK_COMM_LEN];
2602 	int flags;
2603 
2604 	flags = ss->flags & ASYNC_DEPRECATED;
2605 
2606 	if (flags)
2607 		pr_warn_ratelimited("%s: '%s' is using deprecated serial flags (with no effect): %.8x\n",
2608 				__func__, get_task_comm(comm, current), flags);
2609 
2610 	if (!tty->ops->set_serial)
2611 		return -ENOTTY;
2612 
2613 	return tty->ops->set_serial(tty, ss);
2614 }
2615 
tty_tiocsserial(struct tty_struct * tty,struct serial_struct __user * ss)2616 static int tty_tiocsserial(struct tty_struct *tty, struct serial_struct __user *ss)
2617 {
2618 	struct serial_struct v;
2619 
2620 	if (copy_from_user(&v, ss, sizeof(*ss)))
2621 		return -EFAULT;
2622 
2623 	return tty_set_serial(tty, &v);
2624 }
2625 
tty_tiocgserial(struct tty_struct * tty,struct serial_struct __user * ss)2626 static int tty_tiocgserial(struct tty_struct *tty, struct serial_struct __user *ss)
2627 {
2628 	struct serial_struct v;
2629 	int err;
2630 
2631 	memset(&v, 0, sizeof(v));
2632 	if (!tty->ops->get_serial)
2633 		return -ENOTTY;
2634 	err = tty->ops->get_serial(tty, &v);
2635 	if (!err && copy_to_user(ss, &v, sizeof(v)))
2636 		err = -EFAULT;
2637 	return err;
2638 }
2639 
2640 /*
2641  * if pty, return the slave side (real_tty)
2642  * otherwise, return self
2643  */
tty_pair_get_tty(struct tty_struct * tty)2644 static struct tty_struct *tty_pair_get_tty(struct tty_struct *tty)
2645 {
2646 	if (tty->driver->type == TTY_DRIVER_TYPE_PTY &&
2647 	    tty->driver->subtype == PTY_TYPE_MASTER)
2648 		tty = tty->link;
2649 	return tty;
2650 }
2651 
2652 /*
2653  * Split this up, as gcc can choke on it otherwise..
2654  */
tty_ioctl(struct file * file,unsigned int cmd,unsigned long arg)2655 long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
2656 {
2657 	struct tty_struct *tty = file_tty(file);
2658 	struct tty_struct *real_tty;
2659 	void __user *p = (void __user *)arg;
2660 	int retval;
2661 	struct tty_ldisc *ld;
2662 
2663 	if (tty_paranoia_check(tty, file_inode(file), "tty_ioctl"))
2664 		return -EINVAL;
2665 
2666 	real_tty = tty_pair_get_tty(tty);
2667 
2668 	/*
2669 	 * Factor out some common prep work
2670 	 */
2671 	switch (cmd) {
2672 	case TIOCSETD:
2673 	case TIOCSBRK:
2674 	case TIOCCBRK:
2675 	case TCSBRK:
2676 	case TCSBRKP:
2677 		retval = tty_check_change(tty);
2678 		if (retval)
2679 			return retval;
2680 		if (cmd != TIOCCBRK) {
2681 			tty_wait_until_sent(tty, 0);
2682 			if (signal_pending(current))
2683 				return -EINTR;
2684 		}
2685 		break;
2686 	}
2687 
2688 	/*
2689 	 *	Now do the stuff.
2690 	 */
2691 	switch (cmd) {
2692 	case TIOCSTI:
2693 		return tiocsti(tty, p);
2694 	case TIOCGWINSZ:
2695 		return tiocgwinsz(real_tty, p);
2696 	case TIOCSWINSZ:
2697 		return tiocswinsz(real_tty, p);
2698 	case TIOCCONS:
2699 		return real_tty != tty ? -EINVAL : tioccons(file);
2700 	case TIOCEXCL:
2701 		set_bit(TTY_EXCLUSIVE, &tty->flags);
2702 		return 0;
2703 	case TIOCNXCL:
2704 		clear_bit(TTY_EXCLUSIVE, &tty->flags);
2705 		return 0;
2706 	case TIOCGEXCL:
2707 	{
2708 		int excl = test_bit(TTY_EXCLUSIVE, &tty->flags);
2709 
2710 		return put_user(excl, (int __user *)p);
2711 	}
2712 	case TIOCGETD:
2713 		return tiocgetd(tty, p);
2714 	case TIOCSETD:
2715 		return tiocsetd(tty, p);
2716 	case TIOCVHANGUP:
2717 		if (!capable(CAP_SYS_ADMIN))
2718 			return -EPERM;
2719 		tty_vhangup(tty);
2720 		return 0;
2721 	case TIOCGDEV:
2722 	{
2723 		unsigned int ret = new_encode_dev(tty_devnum(real_tty));
2724 
2725 		return put_user(ret, (unsigned int __user *)p);
2726 	}
2727 	/*
2728 	 * Break handling
2729 	 */
2730 	case TIOCSBRK:	/* Turn break on, unconditionally */
2731 		if (tty->ops->break_ctl)
2732 			return tty->ops->break_ctl(tty, -1);
2733 		return 0;
2734 	case TIOCCBRK:	/* Turn break off, unconditionally */
2735 		if (tty->ops->break_ctl)
2736 			return tty->ops->break_ctl(tty, 0);
2737 		return 0;
2738 	case TCSBRK:   /* SVID version: non-zero arg --> no break */
2739 		/* non-zero arg means wait for all output data
2740 		 * to be sent (performed above) but don't send break.
2741 		 * This is used by the tcdrain() termios function.
2742 		 */
2743 		if (!arg)
2744 			return send_break(tty, 250);
2745 		return 0;
2746 	case TCSBRKP:	/* support for POSIX tcsendbreak() */
2747 		return send_break(tty, arg ? arg*100 : 250);
2748 
2749 	case TIOCMGET:
2750 		return tty_tiocmget(tty, p);
2751 	case TIOCMSET:
2752 	case TIOCMBIC:
2753 	case TIOCMBIS:
2754 		return tty_tiocmset(tty, cmd, p);
2755 	case TIOCGICOUNT:
2756 		return tty_tiocgicount(tty, p);
2757 	case TCFLSH:
2758 		switch (arg) {
2759 		case TCIFLUSH:
2760 		case TCIOFLUSH:
2761 		/* flush tty buffer and allow ldisc to process ioctl */
2762 			tty_buffer_flush(tty, NULL);
2763 			break;
2764 		}
2765 		break;
2766 	case TIOCSSERIAL:
2767 		return tty_tiocsserial(tty, p);
2768 	case TIOCGSERIAL:
2769 		return tty_tiocgserial(tty, p);
2770 	case TIOCGPTPEER:
2771 		/* Special because the struct file is needed */
2772 		return ptm_open_peer(file, tty, (int)arg);
2773 	default:
2774 		retval = tty_jobctrl_ioctl(tty, real_tty, file, cmd, arg);
2775 		if (retval != -ENOIOCTLCMD)
2776 			return retval;
2777 	}
2778 	if (tty->ops->ioctl) {
2779 		retval = tty->ops->ioctl(tty, cmd, arg);
2780 		if (retval != -ENOIOCTLCMD)
2781 			return retval;
2782 	}
2783 	ld = tty_ldisc_ref_wait(tty);
2784 	if (!ld)
2785 		return hung_up_tty_ioctl(file, cmd, arg);
2786 	retval = -EINVAL;
2787 	if (ld->ops->ioctl) {
2788 		retval = ld->ops->ioctl(tty, cmd, arg);
2789 		if (retval == -ENOIOCTLCMD)
2790 			retval = -ENOTTY;
2791 	}
2792 	tty_ldisc_deref(ld);
2793 	return retval;
2794 }
2795 
2796 #ifdef CONFIG_COMPAT
2797 
2798 struct serial_struct32 {
2799 	compat_int_t    type;
2800 	compat_int_t    line;
2801 	compat_uint_t   port;
2802 	compat_int_t    irq;
2803 	compat_int_t    flags;
2804 	compat_int_t    xmit_fifo_size;
2805 	compat_int_t    custom_divisor;
2806 	compat_int_t    baud_base;
2807 	unsigned short  close_delay;
2808 	char    io_type;
2809 	char    reserved_char;
2810 	compat_int_t    hub6;
2811 	unsigned short  closing_wait; /* time to wait before closing */
2812 	unsigned short  closing_wait2; /* no longer used... */
2813 	compat_uint_t   iomem_base;
2814 	unsigned short  iomem_reg_shift;
2815 	unsigned int    port_high;
2816 	/* compat_ulong_t  iomap_base FIXME */
2817 	compat_int_t    reserved;
2818 };
2819 
compat_tty_tiocsserial(struct tty_struct * tty,struct serial_struct32 __user * ss)2820 static int compat_tty_tiocsserial(struct tty_struct *tty,
2821 		struct serial_struct32 __user *ss)
2822 {
2823 	struct serial_struct32 v32;
2824 	struct serial_struct v;
2825 
2826 	if (copy_from_user(&v32, ss, sizeof(*ss)))
2827 		return -EFAULT;
2828 
2829 	memcpy(&v, &v32, offsetof(struct serial_struct32, iomem_base));
2830 	v.iomem_base = compat_ptr(v32.iomem_base);
2831 	v.iomem_reg_shift = v32.iomem_reg_shift;
2832 	v.port_high = v32.port_high;
2833 	v.iomap_base = 0;
2834 
2835 	return tty_set_serial(tty, &v);
2836 }
2837 
compat_tty_tiocgserial(struct tty_struct * tty,struct serial_struct32 __user * ss)2838 static int compat_tty_tiocgserial(struct tty_struct *tty,
2839 			struct serial_struct32 __user *ss)
2840 {
2841 	struct serial_struct32 v32;
2842 	struct serial_struct v;
2843 	int err;
2844 
2845 	memset(&v, 0, sizeof(v));
2846 	memset(&v32, 0, sizeof(v32));
2847 
2848 	if (!tty->ops->get_serial)
2849 		return -ENOTTY;
2850 	err = tty->ops->get_serial(tty, &v);
2851 	if (!err) {
2852 		memcpy(&v32, &v, offsetof(struct serial_struct32, iomem_base));
2853 		v32.iomem_base = (unsigned long)v.iomem_base >> 32 ?
2854 			0xfffffff : ptr_to_compat(v.iomem_base);
2855 		v32.iomem_reg_shift = v.iomem_reg_shift;
2856 		v32.port_high = v.port_high;
2857 		if (copy_to_user(ss, &v32, sizeof(v32)))
2858 			err = -EFAULT;
2859 	}
2860 	return err;
2861 }
tty_compat_ioctl(struct file * file,unsigned int cmd,unsigned long arg)2862 static long tty_compat_ioctl(struct file *file, unsigned int cmd,
2863 				unsigned long arg)
2864 {
2865 	struct tty_struct *tty = file_tty(file);
2866 	struct tty_ldisc *ld;
2867 	int retval = -ENOIOCTLCMD;
2868 
2869 	switch (cmd) {
2870 	case TIOCOUTQ:
2871 	case TIOCSTI:
2872 	case TIOCGWINSZ:
2873 	case TIOCSWINSZ:
2874 	case TIOCGEXCL:
2875 	case TIOCGETD:
2876 	case TIOCSETD:
2877 	case TIOCGDEV:
2878 	case TIOCMGET:
2879 	case TIOCMSET:
2880 	case TIOCMBIC:
2881 	case TIOCMBIS:
2882 	case TIOCGICOUNT:
2883 	case TIOCGPGRP:
2884 	case TIOCSPGRP:
2885 	case TIOCGSID:
2886 	case TIOCSERGETLSR:
2887 	case TIOCGRS485:
2888 	case TIOCSRS485:
2889 #ifdef TIOCGETP
2890 	case TIOCGETP:
2891 	case TIOCSETP:
2892 	case TIOCSETN:
2893 #endif
2894 #ifdef TIOCGETC
2895 	case TIOCGETC:
2896 	case TIOCSETC:
2897 #endif
2898 #ifdef TIOCGLTC
2899 	case TIOCGLTC:
2900 	case TIOCSLTC:
2901 #endif
2902 	case TCSETSF:
2903 	case TCSETSW:
2904 	case TCSETS:
2905 	case TCGETS:
2906 #ifdef TCGETS2
2907 	case TCGETS2:
2908 	case TCSETSF2:
2909 	case TCSETSW2:
2910 	case TCSETS2:
2911 #endif
2912 	case TCGETA:
2913 	case TCSETAF:
2914 	case TCSETAW:
2915 	case TCSETA:
2916 	case TIOCGLCKTRMIOS:
2917 	case TIOCSLCKTRMIOS:
2918 #ifdef TCGETX
2919 	case TCGETX:
2920 	case TCSETX:
2921 	case TCSETXW:
2922 	case TCSETXF:
2923 #endif
2924 	case TIOCGSOFTCAR:
2925 	case TIOCSSOFTCAR:
2926 
2927 	case PPPIOCGCHAN:
2928 	case PPPIOCGUNIT:
2929 		return tty_ioctl(file, cmd, (unsigned long)compat_ptr(arg));
2930 	case TIOCCONS:
2931 	case TIOCEXCL:
2932 	case TIOCNXCL:
2933 	case TIOCVHANGUP:
2934 	case TIOCSBRK:
2935 	case TIOCCBRK:
2936 	case TCSBRK:
2937 	case TCSBRKP:
2938 	case TCFLSH:
2939 	case TIOCGPTPEER:
2940 	case TIOCNOTTY:
2941 	case TIOCSCTTY:
2942 	case TCXONC:
2943 	case TIOCMIWAIT:
2944 	case TIOCSERCONFIG:
2945 		return tty_ioctl(file, cmd, arg);
2946 	}
2947 
2948 	if (tty_paranoia_check(tty, file_inode(file), "tty_ioctl"))
2949 		return -EINVAL;
2950 
2951 	switch (cmd) {
2952 	case TIOCSSERIAL:
2953 		return compat_tty_tiocsserial(tty, compat_ptr(arg));
2954 	case TIOCGSERIAL:
2955 		return compat_tty_tiocgserial(tty, compat_ptr(arg));
2956 	}
2957 	if (tty->ops->compat_ioctl) {
2958 		retval = tty->ops->compat_ioctl(tty, cmd, arg);
2959 		if (retval != -ENOIOCTLCMD)
2960 			return retval;
2961 	}
2962 
2963 	ld = tty_ldisc_ref_wait(tty);
2964 	if (!ld)
2965 		return hung_up_tty_compat_ioctl(file, cmd, arg);
2966 	if (ld->ops->compat_ioctl)
2967 		retval = ld->ops->compat_ioctl(tty, cmd, arg);
2968 	if (retval == -ENOIOCTLCMD && ld->ops->ioctl)
2969 		retval = ld->ops->ioctl(tty, (unsigned long)compat_ptr(cmd),
2970 				arg);
2971 	tty_ldisc_deref(ld);
2972 
2973 	return retval;
2974 }
2975 #endif
2976 
this_tty(const void * t,struct file * file,unsigned fd)2977 static int this_tty(const void *t, struct file *file, unsigned fd)
2978 {
2979 	if (likely(file->f_op->read_iter != tty_read))
2980 		return 0;
2981 	return file_tty(file) != t ? 0 : fd + 1;
2982 }
2983 
2984 /*
2985  * This implements the "Secure Attention Key" ---  the idea is to
2986  * prevent trojan horses by killing all processes associated with this
2987  * tty when the user hits the "Secure Attention Key".  Required for
2988  * super-paranoid applications --- see the Orange Book for more details.
2989  *
2990  * This code could be nicer; ideally it should send a HUP, wait a few
2991  * seconds, then send a INT, and then a KILL signal.  But you then
2992  * have to coordinate with the init process, since all processes associated
2993  * with the current tty must be dead before the new getty is allowed
2994  * to spawn.
2995  *
2996  * Now, if it would be correct ;-/ The current code has a nasty hole -
2997  * it doesn't catch files in flight. We may send the descriptor to ourselves
2998  * via AF_UNIX socket, close it and later fetch from socket. FIXME.
2999  *
3000  * Nasty bug: do_SAK is being called in interrupt context.  This can
3001  * deadlock.  We punt it up to process context.  AKPM - 16Mar2001
3002  */
__do_SAK(struct tty_struct * tty)3003 void __do_SAK(struct tty_struct *tty)
3004 {
3005 	struct task_struct *g, *p;
3006 	struct pid *session;
3007 	int i;
3008 	unsigned long flags;
3009 
3010 	spin_lock_irqsave(&tty->ctrl.lock, flags);
3011 	session = get_pid(tty->ctrl.session);
3012 	spin_unlock_irqrestore(&tty->ctrl.lock, flags);
3013 
3014 	tty_ldisc_flush(tty);
3015 
3016 	tty_driver_flush_buffer(tty);
3017 
3018 	read_lock(&tasklist_lock);
3019 	/* Kill the entire session */
3020 	do_each_pid_task(session, PIDTYPE_SID, p) {
3021 		tty_notice(tty, "SAK: killed process %d (%s): by session\n",
3022 			   task_pid_nr(p), p->comm);
3023 		group_send_sig_info(SIGKILL, SEND_SIG_PRIV, p, PIDTYPE_SID);
3024 	} while_each_pid_task(session, PIDTYPE_SID, p);
3025 
3026 	/* Now kill any processes that happen to have the tty open */
3027 	for_each_process_thread(g, p) {
3028 		if (p->signal->tty == tty) {
3029 			tty_notice(tty, "SAK: killed process %d (%s): by controlling tty\n",
3030 				   task_pid_nr(p), p->comm);
3031 			group_send_sig_info(SIGKILL, SEND_SIG_PRIV, p,
3032 					PIDTYPE_SID);
3033 			continue;
3034 		}
3035 		task_lock(p);
3036 		i = iterate_fd(p->files, 0, this_tty, tty);
3037 		if (i != 0) {
3038 			tty_notice(tty, "SAK: killed process %d (%s): by fd#%d\n",
3039 				   task_pid_nr(p), p->comm, i - 1);
3040 			group_send_sig_info(SIGKILL, SEND_SIG_PRIV, p,
3041 					PIDTYPE_SID);
3042 		}
3043 		task_unlock(p);
3044 	}
3045 	read_unlock(&tasklist_lock);
3046 	put_pid(session);
3047 }
3048 
do_SAK_work(struct work_struct * work)3049 static void do_SAK_work(struct work_struct *work)
3050 {
3051 	struct tty_struct *tty =
3052 		container_of(work, struct tty_struct, SAK_work);
3053 	__do_SAK(tty);
3054 }
3055 
3056 /*
3057  * The tq handling here is a little racy - tty->SAK_work may already be queued.
3058  * Fortunately we don't need to worry, because if ->SAK_work is already queued,
3059  * the values which we write to it will be identical to the values which it
3060  * already has. --akpm
3061  */
do_SAK(struct tty_struct * tty)3062 void do_SAK(struct tty_struct *tty)
3063 {
3064 	if (!tty)
3065 		return;
3066 	schedule_work(&tty->SAK_work);
3067 }
3068 EXPORT_SYMBOL(do_SAK);
3069 
3070 /* Must put_device() after it's unused! */
tty_get_device(struct tty_struct * tty)3071 static struct device *tty_get_device(struct tty_struct *tty)
3072 {
3073 	dev_t devt = tty_devnum(tty);
3074 
3075 	return class_find_device_by_devt(&tty_class, devt);
3076 }
3077 
3078 
3079 /**
3080  * alloc_tty_struct - allocate a new tty
3081  * @driver: driver which will handle the returned tty
3082  * @idx: minor of the tty
3083  *
3084  * This subroutine allocates and initializes a tty structure.
3085  *
3086  * Locking: none - @tty in question is not exposed at this point
3087  */
alloc_tty_struct(struct tty_driver * driver,int idx)3088 struct tty_struct *alloc_tty_struct(struct tty_driver *driver, int idx)
3089 {
3090 	struct tty_struct *tty;
3091 
3092 	tty = kzalloc(sizeof(*tty), GFP_KERNEL_ACCOUNT);
3093 	if (!tty)
3094 		return NULL;
3095 
3096 	kref_init(&tty->kref);
3097 	if (tty_ldisc_init(tty)) {
3098 		kfree(tty);
3099 		return NULL;
3100 	}
3101 	tty->ctrl.session = NULL;
3102 	tty->ctrl.pgrp = NULL;
3103 	mutex_init(&tty->legacy_mutex);
3104 	mutex_init(&tty->throttle_mutex);
3105 	init_rwsem(&tty->termios_rwsem);
3106 	mutex_init(&tty->winsize_mutex);
3107 	init_ldsem(&tty->ldisc_sem);
3108 	init_waitqueue_head(&tty->write_wait);
3109 	init_waitqueue_head(&tty->read_wait);
3110 	INIT_WORK(&tty->hangup_work, do_tty_hangup);
3111 	mutex_init(&tty->atomic_write_lock);
3112 	spin_lock_init(&tty->ctrl.lock);
3113 	spin_lock_init(&tty->flow.lock);
3114 	spin_lock_init(&tty->files_lock);
3115 	INIT_LIST_HEAD(&tty->tty_files);
3116 	INIT_WORK(&tty->SAK_work, do_SAK_work);
3117 
3118 	tty->driver = driver;
3119 	tty->ops = driver->ops;
3120 	tty->index = idx;
3121 	tty_line_name(driver, idx, tty->name);
3122 	tty->dev = tty_get_device(tty);
3123 
3124 	return tty;
3125 }
3126 
3127 /**
3128  * tty_put_char	- write one character to a tty
3129  * @tty: tty
3130  * @ch: character to write
3131  *
3132  * Write one byte to the @tty using the provided @tty->ops->put_char() method
3133  * if present.
3134  *
3135  * Note: the specific put_char operation in the driver layer may go
3136  * away soon. Don't call it directly, use this method
3137  *
3138  * Return: the number of characters successfully output.
3139  */
tty_put_char(struct tty_struct * tty,unsigned char ch)3140 int tty_put_char(struct tty_struct *tty, unsigned char ch)
3141 {
3142 	if (tty->ops->put_char)
3143 		return tty->ops->put_char(tty, ch);
3144 	return tty->ops->write(tty, &ch, 1);
3145 }
3146 EXPORT_SYMBOL_GPL(tty_put_char);
3147 
tty_cdev_add(struct tty_driver * driver,dev_t dev,unsigned int index,unsigned int count)3148 static int tty_cdev_add(struct tty_driver *driver, dev_t dev,
3149 		unsigned int index, unsigned int count)
3150 {
3151 	int err;
3152 
3153 	/* init here, since reused cdevs cause crashes */
3154 	driver->cdevs[index] = cdev_alloc();
3155 	if (!driver->cdevs[index])
3156 		return -ENOMEM;
3157 	driver->cdevs[index]->ops = &tty_fops;
3158 	driver->cdevs[index]->owner = driver->owner;
3159 	err = cdev_add(driver->cdevs[index], dev, count);
3160 	if (err)
3161 		kobject_put(&driver->cdevs[index]->kobj);
3162 	return err;
3163 }
3164 
3165 /**
3166  * tty_register_device - register a tty device
3167  * @driver: the tty driver that describes the tty device
3168  * @index: the index in the tty driver for this tty device
3169  * @device: a struct device that is associated with this tty device.
3170  *	This field is optional, if there is no known struct device
3171  *	for this tty device it can be set to NULL safely.
3172  *
3173  * This call is required to be made to register an individual tty device
3174  * if the tty driver's flags have the %TTY_DRIVER_DYNAMIC_DEV bit set.  If
3175  * that bit is not set, this function should not be called by a tty
3176  * driver.
3177  *
3178  * Locking: ??
3179  *
3180  * Return: A pointer to the struct device for this tty device (or
3181  * ERR_PTR(-EFOO) on error).
3182  */
tty_register_device(struct tty_driver * driver,unsigned index,struct device * device)3183 struct device *tty_register_device(struct tty_driver *driver, unsigned index,
3184 				   struct device *device)
3185 {
3186 	return tty_register_device_attr(driver, index, device, NULL, NULL);
3187 }
3188 EXPORT_SYMBOL(tty_register_device);
3189 
tty_device_create_release(struct device * dev)3190 static void tty_device_create_release(struct device *dev)
3191 {
3192 	dev_dbg(dev, "releasing...\n");
3193 	kfree(dev);
3194 }
3195 
3196 /**
3197  * tty_register_device_attr - register a tty device
3198  * @driver: the tty driver that describes the tty device
3199  * @index: the index in the tty driver for this tty device
3200  * @device: a struct device that is associated with this tty device.
3201  *	This field is optional, if there is no known struct device
3202  *	for this tty device it can be set to %NULL safely.
3203  * @drvdata: Driver data to be set to device.
3204  * @attr_grp: Attribute group to be set on device.
3205  *
3206  * This call is required to be made to register an individual tty device if the
3207  * tty driver's flags have the %TTY_DRIVER_DYNAMIC_DEV bit set. If that bit is
3208  * not set, this function should not be called by a tty driver.
3209  *
3210  * Locking: ??
3211  *
3212  * Return: A pointer to the struct device for this tty device (or
3213  * ERR_PTR(-EFOO) on error).
3214  */
tty_register_device_attr(struct tty_driver * driver,unsigned index,struct device * device,void * drvdata,const struct attribute_group ** attr_grp)3215 struct device *tty_register_device_attr(struct tty_driver *driver,
3216 				   unsigned index, struct device *device,
3217 				   void *drvdata,
3218 				   const struct attribute_group **attr_grp)
3219 {
3220 	char name[64];
3221 	dev_t devt = MKDEV(driver->major, driver->minor_start) + index;
3222 	struct ktermios *tp;
3223 	struct device *dev;
3224 	int retval;
3225 
3226 	if (index >= driver->num) {
3227 		pr_err("%s: Attempt to register invalid tty line number (%d)\n",
3228 		       driver->name, index);
3229 		return ERR_PTR(-EINVAL);
3230 	}
3231 
3232 	if (driver->type == TTY_DRIVER_TYPE_PTY)
3233 		pty_line_name(driver, index, name);
3234 	else
3235 		tty_line_name(driver, index, name);
3236 
3237 	dev = kzalloc(sizeof(*dev), GFP_KERNEL);
3238 	if (!dev)
3239 		return ERR_PTR(-ENOMEM);
3240 
3241 	dev->devt = devt;
3242 	dev->class = &tty_class;
3243 	dev->parent = device;
3244 	dev->release = tty_device_create_release;
3245 	dev_set_name(dev, "%s", name);
3246 	dev->groups = attr_grp;
3247 	dev_set_drvdata(dev, drvdata);
3248 
3249 	dev_set_uevent_suppress(dev, 1);
3250 
3251 	retval = device_register(dev);
3252 	if (retval)
3253 		goto err_put;
3254 
3255 	if (!(driver->flags & TTY_DRIVER_DYNAMIC_ALLOC)) {
3256 		/*
3257 		 * Free any saved termios data so that the termios state is
3258 		 * reset when reusing a minor number.
3259 		 */
3260 		tp = driver->termios[index];
3261 		if (tp) {
3262 			driver->termios[index] = NULL;
3263 			kfree(tp);
3264 		}
3265 
3266 		retval = tty_cdev_add(driver, devt, index, 1);
3267 		if (retval)
3268 			goto err_del;
3269 	}
3270 
3271 	dev_set_uevent_suppress(dev, 0);
3272 	kobject_uevent(&dev->kobj, KOBJ_ADD);
3273 
3274 	return dev;
3275 
3276 err_del:
3277 	device_del(dev);
3278 err_put:
3279 	put_device(dev);
3280 
3281 	return ERR_PTR(retval);
3282 }
3283 EXPORT_SYMBOL_GPL(tty_register_device_attr);
3284 
3285 /**
3286  * tty_unregister_device - unregister a tty device
3287  * @driver: the tty driver that describes the tty device
3288  * @index: the index in the tty driver for this tty device
3289  *
3290  * If a tty device is registered with a call to tty_register_device() then
3291  * this function must be called when the tty device is gone.
3292  *
3293  * Locking: ??
3294  */
tty_unregister_device(struct tty_driver * driver,unsigned index)3295 void tty_unregister_device(struct tty_driver *driver, unsigned index)
3296 {
3297 	device_destroy(&tty_class, MKDEV(driver->major, driver->minor_start) + index);
3298 	if (!(driver->flags & TTY_DRIVER_DYNAMIC_ALLOC)) {
3299 		cdev_del(driver->cdevs[index]);
3300 		driver->cdevs[index] = NULL;
3301 	}
3302 }
3303 EXPORT_SYMBOL(tty_unregister_device);
3304 
3305 /**
3306  * __tty_alloc_driver -- allocate tty driver
3307  * @lines: count of lines this driver can handle at most
3308  * @owner: module which is responsible for this driver
3309  * @flags: some of %TTY_DRIVER_ flags, will be set in driver->flags
3310  *
3311  * This should not be called directly, some of the provided macros should be
3312  * used instead. Use IS_ERR() and friends on @retval.
3313  */
__tty_alloc_driver(unsigned int lines,struct module * owner,unsigned long flags)3314 struct tty_driver *__tty_alloc_driver(unsigned int lines, struct module *owner,
3315 		unsigned long flags)
3316 {
3317 	struct tty_driver *driver;
3318 	unsigned int cdevs = 1;
3319 	int err;
3320 
3321 	if (!lines || (flags & TTY_DRIVER_UNNUMBERED_NODE && lines > 1))
3322 		return ERR_PTR(-EINVAL);
3323 
3324 	driver = kzalloc(sizeof(*driver), GFP_KERNEL);
3325 	if (!driver)
3326 		return ERR_PTR(-ENOMEM);
3327 
3328 	kref_init(&driver->kref);
3329 	driver->num = lines;
3330 	driver->owner = owner;
3331 	driver->flags = flags;
3332 
3333 	if (!(flags & TTY_DRIVER_DEVPTS_MEM)) {
3334 		driver->ttys = kcalloc(lines, sizeof(*driver->ttys),
3335 				GFP_KERNEL);
3336 		driver->termios = kcalloc(lines, sizeof(*driver->termios),
3337 				GFP_KERNEL);
3338 		if (!driver->ttys || !driver->termios) {
3339 			err = -ENOMEM;
3340 			goto err_free_all;
3341 		}
3342 	}
3343 
3344 	if (!(flags & TTY_DRIVER_DYNAMIC_ALLOC)) {
3345 		driver->ports = kcalloc(lines, sizeof(*driver->ports),
3346 				GFP_KERNEL);
3347 		if (!driver->ports) {
3348 			err = -ENOMEM;
3349 			goto err_free_all;
3350 		}
3351 		cdevs = lines;
3352 	}
3353 
3354 	driver->cdevs = kcalloc(cdevs, sizeof(*driver->cdevs), GFP_KERNEL);
3355 	if (!driver->cdevs) {
3356 		err = -ENOMEM;
3357 		goto err_free_all;
3358 	}
3359 
3360 	return driver;
3361 err_free_all:
3362 	kfree(driver->ports);
3363 	kfree(driver->ttys);
3364 	kfree(driver->termios);
3365 	kfree(driver->cdevs);
3366 	kfree(driver);
3367 	return ERR_PTR(err);
3368 }
3369 EXPORT_SYMBOL(__tty_alloc_driver);
3370 
destruct_tty_driver(struct kref * kref)3371 static void destruct_tty_driver(struct kref *kref)
3372 {
3373 	struct tty_driver *driver = container_of(kref, struct tty_driver, kref);
3374 	int i;
3375 	struct ktermios *tp;
3376 
3377 	if (driver->flags & TTY_DRIVER_INSTALLED) {
3378 		for (i = 0; i < driver->num; i++) {
3379 			tp = driver->termios[i];
3380 			if (tp) {
3381 				driver->termios[i] = NULL;
3382 				kfree(tp);
3383 			}
3384 			if (!(driver->flags & TTY_DRIVER_DYNAMIC_DEV))
3385 				tty_unregister_device(driver, i);
3386 		}
3387 		proc_tty_unregister_driver(driver);
3388 		if (driver->flags & TTY_DRIVER_DYNAMIC_ALLOC)
3389 			cdev_del(driver->cdevs[0]);
3390 	}
3391 	kfree(driver->cdevs);
3392 	kfree(driver->ports);
3393 	kfree(driver->termios);
3394 	kfree(driver->ttys);
3395 	kfree(driver);
3396 }
3397 
3398 /**
3399  * tty_driver_kref_put -- drop a reference to a tty driver
3400  * @driver: driver of which to drop the reference
3401  *
3402  * The final put will destroy and free up the driver.
3403  */
tty_driver_kref_put(struct tty_driver * driver)3404 void tty_driver_kref_put(struct tty_driver *driver)
3405 {
3406 	kref_put(&driver->kref, destruct_tty_driver);
3407 }
3408 EXPORT_SYMBOL(tty_driver_kref_put);
3409 
3410 /**
3411  * tty_register_driver -- register a tty driver
3412  * @driver: driver to register
3413  *
3414  * Called by a tty driver to register itself.
3415  */
tty_register_driver(struct tty_driver * driver)3416 int tty_register_driver(struct tty_driver *driver)
3417 {
3418 	int error;
3419 	int i;
3420 	dev_t dev;
3421 	struct device *d;
3422 
3423 	if (!driver->major) {
3424 		error = alloc_chrdev_region(&dev, driver->minor_start,
3425 						driver->num, driver->name);
3426 		if (!error) {
3427 			driver->major = MAJOR(dev);
3428 			driver->minor_start = MINOR(dev);
3429 		}
3430 	} else {
3431 		dev = MKDEV(driver->major, driver->minor_start);
3432 		error = register_chrdev_region(dev, driver->num, driver->name);
3433 	}
3434 	if (error < 0)
3435 		goto err;
3436 
3437 	if (driver->flags & TTY_DRIVER_DYNAMIC_ALLOC) {
3438 		error = tty_cdev_add(driver, dev, 0, driver->num);
3439 		if (error)
3440 			goto err_unreg_char;
3441 	}
3442 
3443 	mutex_lock(&tty_mutex);
3444 	list_add(&driver->tty_drivers, &tty_drivers);
3445 	mutex_unlock(&tty_mutex);
3446 
3447 	if (!(driver->flags & TTY_DRIVER_DYNAMIC_DEV)) {
3448 		for (i = 0; i < driver->num; i++) {
3449 			d = tty_register_device(driver, i, NULL);
3450 			if (IS_ERR(d)) {
3451 				error = PTR_ERR(d);
3452 				goto err_unreg_devs;
3453 			}
3454 		}
3455 	}
3456 	proc_tty_register_driver(driver);
3457 	driver->flags |= TTY_DRIVER_INSTALLED;
3458 	return 0;
3459 
3460 err_unreg_devs:
3461 	for (i--; i >= 0; i--)
3462 		tty_unregister_device(driver, i);
3463 
3464 	mutex_lock(&tty_mutex);
3465 	list_del(&driver->tty_drivers);
3466 	mutex_unlock(&tty_mutex);
3467 
3468 err_unreg_char:
3469 	unregister_chrdev_region(dev, driver->num);
3470 err:
3471 	return error;
3472 }
3473 EXPORT_SYMBOL(tty_register_driver);
3474 
3475 /**
3476  * tty_unregister_driver -- unregister a tty driver
3477  * @driver: driver to unregister
3478  *
3479  * Called by a tty driver to unregister itself.
3480  */
tty_unregister_driver(struct tty_driver * driver)3481 void tty_unregister_driver(struct tty_driver *driver)
3482 {
3483 	unregister_chrdev_region(MKDEV(driver->major, driver->minor_start),
3484 				driver->num);
3485 	mutex_lock(&tty_mutex);
3486 	list_del(&driver->tty_drivers);
3487 	mutex_unlock(&tty_mutex);
3488 }
3489 EXPORT_SYMBOL(tty_unregister_driver);
3490 
tty_devnum(struct tty_struct * tty)3491 dev_t tty_devnum(struct tty_struct *tty)
3492 {
3493 	return MKDEV(tty->driver->major, tty->driver->minor_start) + tty->index;
3494 }
3495 EXPORT_SYMBOL(tty_devnum);
3496 
tty_default_fops(struct file_operations * fops)3497 void tty_default_fops(struct file_operations *fops)
3498 {
3499 	*fops = tty_fops;
3500 }
3501 
tty_devnode(const struct device * dev,umode_t * mode)3502 static char *tty_devnode(const struct device *dev, umode_t *mode)
3503 {
3504 	if (!mode)
3505 		return NULL;
3506 	if (dev->devt == MKDEV(TTYAUX_MAJOR, 0) ||
3507 	    dev->devt == MKDEV(TTYAUX_MAJOR, 2))
3508 		*mode = 0666;
3509 	return NULL;
3510 }
3511 
3512 const struct class tty_class = {
3513 	.name		= "tty",
3514 	.devnode	= tty_devnode,
3515 };
3516 
tty_class_init(void)3517 static int __init tty_class_init(void)
3518 {
3519 	return class_register(&tty_class);
3520 }
3521 
3522 postcore_initcall(tty_class_init);
3523 
3524 /* 3/2004 jmc: why do these devices exist? */
3525 static struct cdev tty_cdev, console_cdev;
3526 
show_cons_active(struct device * dev,struct device_attribute * attr,char * buf)3527 static ssize_t show_cons_active(struct device *dev,
3528 				struct device_attribute *attr, char *buf)
3529 {
3530 	struct console *cs[16];
3531 	int i = 0;
3532 	struct console *c;
3533 	ssize_t count = 0;
3534 
3535 	/*
3536 	 * Hold the console_list_lock to guarantee that no consoles are
3537 	 * unregistered until all console processing is complete.
3538 	 * This also allows safe traversal of the console list and
3539 	 * race-free reading of @flags.
3540 	 */
3541 	console_list_lock();
3542 
3543 	for_each_console(c) {
3544 		if (!c->device)
3545 			continue;
3546 		if (!c->write)
3547 			continue;
3548 		if ((c->flags & CON_ENABLED) == 0)
3549 			continue;
3550 		cs[i++] = c;
3551 		if (i >= ARRAY_SIZE(cs))
3552 			break;
3553 	}
3554 
3555 	/*
3556 	 * Take console_lock to serialize device() callback with
3557 	 * other console operations. For example, fg_console is
3558 	 * modified under console_lock when switching vt.
3559 	 */
3560 	console_lock();
3561 	while (i--) {
3562 		int index = cs[i]->index;
3563 		struct tty_driver *drv = cs[i]->device(cs[i], &index);
3564 
3565 		/* don't resolve tty0 as some programs depend on it */
3566 		if (drv && (cs[i]->index > 0 || drv->major != TTY_MAJOR))
3567 			count += tty_line_name(drv, index, buf + count);
3568 		else
3569 			count += sprintf(buf + count, "%s%d",
3570 					 cs[i]->name, cs[i]->index);
3571 
3572 		count += sprintf(buf + count, "%c", i ? ' ':'\n');
3573 	}
3574 	console_unlock();
3575 
3576 	console_list_unlock();
3577 
3578 	return count;
3579 }
3580 static DEVICE_ATTR(active, S_IRUGO, show_cons_active, NULL);
3581 
3582 static struct attribute *cons_dev_attrs[] = {
3583 	&dev_attr_active.attr,
3584 	NULL
3585 };
3586 
3587 ATTRIBUTE_GROUPS(cons_dev);
3588 
3589 static struct device *consdev;
3590 
console_sysfs_notify(void)3591 void console_sysfs_notify(void)
3592 {
3593 	if (consdev)
3594 		sysfs_notify(&consdev->kobj, NULL, "active");
3595 }
3596 
3597 static struct ctl_table tty_table[] = {
3598 	{
3599 		.procname	= "legacy_tiocsti",
3600 		.data		= &tty_legacy_tiocsti,
3601 		.maxlen		= sizeof(tty_legacy_tiocsti),
3602 		.mode		= 0644,
3603 		.proc_handler	= proc_dobool,
3604 	},
3605 	{
3606 		.procname	= "ldisc_autoload",
3607 		.data		= &tty_ldisc_autoload,
3608 		.maxlen		= sizeof(tty_ldisc_autoload),
3609 		.mode		= 0644,
3610 		.proc_handler	= proc_dointvec,
3611 		.extra1		= SYSCTL_ZERO,
3612 		.extra2		= SYSCTL_ONE,
3613 	},
3614 	{ }
3615 };
3616 
3617 /*
3618  * Ok, now we can initialize the rest of the tty devices and can count
3619  * on memory allocations, interrupts etc..
3620  */
tty_init(void)3621 int __init tty_init(void)
3622 {
3623 	register_sysctl_init("dev/tty", tty_table);
3624 	cdev_init(&tty_cdev, &tty_fops);
3625 	if (cdev_add(&tty_cdev, MKDEV(TTYAUX_MAJOR, 0), 1) ||
3626 	    register_chrdev_region(MKDEV(TTYAUX_MAJOR, 0), 1, "/dev/tty") < 0)
3627 		panic("Couldn't register /dev/tty driver\n");
3628 	device_create(&tty_class, NULL, MKDEV(TTYAUX_MAJOR, 0), NULL, "tty");
3629 
3630 	cdev_init(&console_cdev, &console_fops);
3631 	if (cdev_add(&console_cdev, MKDEV(TTYAUX_MAJOR, 1), 1) ||
3632 	    register_chrdev_region(MKDEV(TTYAUX_MAJOR, 1), 1, "/dev/console") < 0)
3633 		panic("Couldn't register /dev/console driver\n");
3634 	consdev = device_create_with_groups(&tty_class, NULL,
3635 					    MKDEV(TTYAUX_MAJOR, 1), NULL,
3636 					    cons_dev_groups, "console");
3637 	if (IS_ERR(consdev))
3638 		consdev = NULL;
3639 
3640 #ifdef CONFIG_VT
3641 	vty_init(&console_fops);
3642 #endif
3643 	return 0;
3644 }
3645