1 /*
2  *  linux/drivers/char/vt_ioctl.c
3  *
4  *  Copyright (C) 1992 obz under the linux copyright
5  *
6  *  Dynamic diacritical handling - aeb@cwi.nl - Dec 1993
7  *  Dynamic keymap and string allocation - aeb@cwi.nl - May 1994
8  *  Restrict VT switching via ioctl() - grif@cs.ucr.edu - Dec 1995
9  *  Some code moved for less code duplication - Andi Kleen - Mar 1997
10  *  Check put/get_user, cleanups - acme@conectiva.com.br - Jun 2001
11  */
12 
13 #include <linux/types.h>
14 #include <linux/errno.h>
15 #include <linux/sched.h>
16 #include <linux/tty.h>
17 #include <linux/timer.h>
18 #include <linux/kernel.h>
19 #include <linux/compat.h>
20 #include <linux/module.h>
21 #include <linux/kd.h>
22 #include <linux/vt.h>
23 #include <linux/string.h>
24 #include <linux/slab.h>
25 #include <linux/major.h>
26 #include <linux/fs.h>
27 #include <linux/console.h>
28 #include <linux/consolemap.h>
29 #include <linux/signal.h>
30 #include <linux/timex.h>
31 
32 #include <asm/io.h>
33 #include <asm/uaccess.h>
34 
35 #include <linux/kbd_kern.h>
36 #include <linux/vt_kern.h>
37 #include <linux/kbd_diacr.h>
38 #include <linux/selection.h>
39 
40 char vt_dont_switch;
41 extern struct tty_driver *console_driver;
42 
43 #define VT_IS_IN_USE(i)	(console_driver->ttys[i] && console_driver->ttys[i]->count)
44 #define VT_BUSY(i)	(VT_IS_IN_USE(i) || i == fg_console || vc_cons[i].d == sel_cons)
45 
46 /*
47  * Console (vt and kd) routines, as defined by USL SVR4 manual, and by
48  * experimentation and study of X386 SYSV handling.
49  *
50  * One point of difference: SYSV vt's are /dev/vtX, which X >= 0, and
51  * /dev/console is a separate ttyp. Under Linux, /dev/tty0 is /dev/console,
52  * and the vc start at /dev/ttyX, X >= 1. We maintain that here, so we will
53  * always treat our set of vt as numbered 1..MAX_NR_CONSOLES (corresponding to
54  * ttys 0..MAX_NR_CONSOLES-1). Explicitly naming VT 0 is illegal, but using
55  * /dev/tty0 (fg_console) as a target is legal, since an implicit aliasing
56  * to the current console is done by the main ioctl code.
57  */
58 
59 #ifdef CONFIG_X86
60 #include <linux/syscalls.h>
61 #endif
62 
63 static void complete_change_console(struct vc_data *vc);
64 
65 /*
66  *	User space VT_EVENT handlers
67  */
68 
69 struct vt_event_wait {
70 	struct list_head list;
71 	struct vt_event event;
72 	int done;
73 };
74 
75 static LIST_HEAD(vt_events);
76 static DEFINE_SPINLOCK(vt_event_lock);
77 static DECLARE_WAIT_QUEUE_HEAD(vt_event_waitqueue);
78 
79 /**
80  *	vt_event_post
81  *	@event: the event that occurred
82  *	@old: old console
83  *	@new: new console
84  *
85  *	Post an VT event to interested VT handlers
86  */
87 
vt_event_post(unsigned int event,unsigned int old,unsigned int new)88 void vt_event_post(unsigned int event, unsigned int old, unsigned int new)
89 {
90 	struct list_head *pos, *head;
91 	unsigned long flags;
92 	int wake = 0;
93 
94 	spin_lock_irqsave(&vt_event_lock, flags);
95 	head = &vt_events;
96 
97 	list_for_each(pos, head) {
98 		struct vt_event_wait *ve = list_entry(pos,
99 						struct vt_event_wait, list);
100 		if (!(ve->event.event & event))
101 			continue;
102 		ve->event.event = event;
103 		/* kernel view is consoles 0..n-1, user space view is
104 		   console 1..n with 0 meaning current, so we must bias */
105 		ve->event.oldev = old + 1;
106 		ve->event.newev = new + 1;
107 		wake = 1;
108 		ve->done = 1;
109 	}
110 	spin_unlock_irqrestore(&vt_event_lock, flags);
111 	if (wake)
112 		wake_up_interruptible(&vt_event_waitqueue);
113 }
114 
115 /**
116  *	vt_event_wait		-	wait for an event
117  *	@vw: our event
118  *
119  *	Waits for an event to occur which completes our vt_event_wait
120  *	structure. On return the structure has wv->done set to 1 for success
121  *	or 0 if some event such as a signal ended the wait.
122  */
123 
vt_event_wait(struct vt_event_wait * vw)124 static void vt_event_wait(struct vt_event_wait *vw)
125 {
126 	unsigned long flags;
127 	/* Prepare the event */
128 	INIT_LIST_HEAD(&vw->list);
129 	vw->done = 0;
130 	/* Queue our event */
131 	spin_lock_irqsave(&vt_event_lock, flags);
132 	list_add(&vw->list, &vt_events);
133 	spin_unlock_irqrestore(&vt_event_lock, flags);
134 	/* Wait for it to pass */
135 	wait_event_interruptible_tty(vt_event_waitqueue, vw->done);
136 	/* Dequeue it */
137 	spin_lock_irqsave(&vt_event_lock, flags);
138 	list_del(&vw->list);
139 	spin_unlock_irqrestore(&vt_event_lock, flags);
140 }
141 
142 /**
143  *	vt_event_wait_ioctl	-	event ioctl handler
144  *	@arg: argument to ioctl
145  *
146  *	Implement the VT_WAITEVENT ioctl using the VT event interface
147  */
148 
vt_event_wait_ioctl(struct vt_event __user * event)149 static int vt_event_wait_ioctl(struct vt_event __user *event)
150 {
151 	struct vt_event_wait vw;
152 
153 	if (copy_from_user(&vw.event, event, sizeof(struct vt_event)))
154 		return -EFAULT;
155 	/* Highest supported event for now */
156 	if (vw.event.event & ~VT_MAX_EVENT)
157 		return -EINVAL;
158 
159 	vt_event_wait(&vw);
160 	/* If it occurred report it */
161 	if (vw.done) {
162 		if (copy_to_user(event, &vw.event, sizeof(struct vt_event)))
163 			return -EFAULT;
164 		return 0;
165 	}
166 	return -EINTR;
167 }
168 
169 /**
170  *	vt_waitactive	-	active console wait
171  *	@event: event code
172  *	@n: new console
173  *
174  *	Helper for event waits. Used to implement the legacy
175  *	event waiting ioctls in terms of events
176  */
177 
vt_waitactive(int n)178 int vt_waitactive(int n)
179 {
180 	struct vt_event_wait vw;
181 	do {
182 		if (n == fg_console + 1)
183 			break;
184 		vw.event.event = VT_EVENT_SWITCH;
185 		vt_event_wait(&vw);
186 		if (vw.done == 0)
187 			return -EINTR;
188 	} while (vw.event.newev != n);
189 	return 0;
190 }
191 
192 /*
193  * these are the valid i/o ports we're allowed to change. they map all the
194  * video ports
195  */
196 #define GPFIRST 0x3b4
197 #define GPLAST 0x3df
198 #define GPNUM (GPLAST - GPFIRST + 1)
199 
200 #define i (tmp.kb_index)
201 #define s (tmp.kb_table)
202 #define v (tmp.kb_value)
203 static inline int
do_kdsk_ioctl(int cmd,struct kbentry __user * user_kbe,int perm,struct kbd_struct * kbd)204 do_kdsk_ioctl(int cmd, struct kbentry __user *user_kbe, int perm, struct kbd_struct *kbd)
205 {
206 	struct kbentry tmp;
207 	ushort *key_map, val, ov;
208 
209 	if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
210 		return -EFAULT;
211 
212 	if (!capable(CAP_SYS_TTY_CONFIG))
213 		perm = 0;
214 
215 	switch (cmd) {
216 	case KDGKBENT:
217 		key_map = key_maps[s];
218 		if (key_map) {
219 		    val = U(key_map[i]);
220 		    if (kbd->kbdmode != VC_UNICODE && KTYP(val) >= NR_TYPES)
221 			val = K_HOLE;
222 		} else
223 		    val = (i ? K_HOLE : K_NOSUCHMAP);
224 		return put_user(val, &user_kbe->kb_value);
225 	case KDSKBENT:
226 		if (!perm)
227 			return -EPERM;
228 		if (!i && v == K_NOSUCHMAP) {
229 			/* deallocate map */
230 			key_map = key_maps[s];
231 			if (s && key_map) {
232 			    key_maps[s] = NULL;
233 			    if (key_map[0] == U(K_ALLOCATED)) {
234 					kfree(key_map);
235 					keymap_count--;
236 			    }
237 			}
238 			break;
239 		}
240 
241 		if (KTYP(v) < NR_TYPES) {
242 		    if (KVAL(v) > max_vals[KTYP(v)])
243 				return -EINVAL;
244 		} else
245 		    if (kbd->kbdmode != VC_UNICODE)
246 				return -EINVAL;
247 
248 		/* ++Geert: non-PC keyboards may generate keycode zero */
249 #if !defined(__mc68000__) && !defined(__powerpc__)
250 		/* assignment to entry 0 only tests validity of args */
251 		if (!i)
252 			break;
253 #endif
254 
255 		if (!(key_map = key_maps[s])) {
256 			int j;
257 
258 			if (keymap_count >= MAX_NR_OF_USER_KEYMAPS &&
259 			    !capable(CAP_SYS_RESOURCE))
260 				return -EPERM;
261 
262 			key_map = kmalloc(sizeof(plain_map),
263 						     GFP_KERNEL);
264 			if (!key_map)
265 				return -ENOMEM;
266 			key_maps[s] = key_map;
267 			key_map[0] = U(K_ALLOCATED);
268 			for (j = 1; j < NR_KEYS; j++)
269 				key_map[j] = U(K_HOLE);
270 			keymap_count++;
271 		}
272 		ov = U(key_map[i]);
273 		if (v == ov)
274 			break;	/* nothing to do */
275 		/*
276 		 * Attention Key.
277 		 */
278 		if (((ov == K_SAK) || (v == K_SAK)) && !capable(CAP_SYS_ADMIN))
279 			return -EPERM;
280 		key_map[i] = U(v);
281 		if (!s && (KTYP(ov) == KT_SHIFT || KTYP(v) == KT_SHIFT))
282 			compute_shiftstate();
283 		break;
284 	}
285 	return 0;
286 }
287 #undef i
288 #undef s
289 #undef v
290 
291 static inline int
do_kbkeycode_ioctl(int cmd,struct kbkeycode __user * user_kbkc,int perm)292 do_kbkeycode_ioctl(int cmd, struct kbkeycode __user *user_kbkc, int perm)
293 {
294 	struct kbkeycode tmp;
295 	int kc = 0;
296 
297 	if (copy_from_user(&tmp, user_kbkc, sizeof(struct kbkeycode)))
298 		return -EFAULT;
299 	switch (cmd) {
300 	case KDGETKEYCODE:
301 		kc = getkeycode(tmp.scancode);
302 		if (kc >= 0)
303 			kc = put_user(kc, &user_kbkc->keycode);
304 		break;
305 	case KDSETKEYCODE:
306 		if (!perm)
307 			return -EPERM;
308 		kc = setkeycode(tmp.scancode, tmp.keycode);
309 		break;
310 	}
311 	return kc;
312 }
313 
314 static inline int
do_kdgkb_ioctl(int cmd,struct kbsentry __user * user_kdgkb,int perm)315 do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
316 {
317 	struct kbsentry *kbs;
318 	char *p;
319 	u_char *q;
320 	u_char __user *up;
321 	int sz;
322 	int delta;
323 	char *first_free, *fj, *fnw;
324 	int i, j, k;
325 	int ret;
326 
327 	if (!capable(CAP_SYS_TTY_CONFIG))
328 		perm = 0;
329 
330 	kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
331 	if (!kbs) {
332 		ret = -ENOMEM;
333 		goto reterr;
334 	}
335 
336 	/* we mostly copy too much here (512bytes), but who cares ;) */
337 	if (copy_from_user(kbs, user_kdgkb, sizeof(struct kbsentry))) {
338 		ret = -EFAULT;
339 		goto reterr;
340 	}
341 	kbs->kb_string[sizeof(kbs->kb_string)-1] = '\0';
342 	i = kbs->kb_func;
343 
344 	switch (cmd) {
345 	case KDGKBSENT:
346 		sz = sizeof(kbs->kb_string) - 1; /* sz should have been
347 						  a struct member */
348 		up = user_kdgkb->kb_string;
349 		p = func_table[i];
350 		if(p)
351 			for ( ; *p && sz; p++, sz--)
352 				if (put_user(*p, up++)) {
353 					ret = -EFAULT;
354 					goto reterr;
355 				}
356 		if (put_user('\0', up)) {
357 			ret = -EFAULT;
358 			goto reterr;
359 		}
360 		kfree(kbs);
361 		return ((p && *p) ? -EOVERFLOW : 0);
362 	case KDSKBSENT:
363 		if (!perm) {
364 			ret = -EPERM;
365 			goto reterr;
366 		}
367 
368 		q = func_table[i];
369 		first_free = funcbufptr + (funcbufsize - funcbufleft);
370 		for (j = i+1; j < MAX_NR_FUNC && !func_table[j]; j++)
371 			;
372 		if (j < MAX_NR_FUNC)
373 			fj = func_table[j];
374 		else
375 			fj = first_free;
376 
377 		delta = (q ? -strlen(q) : 1) + strlen(kbs->kb_string);
378 		if (delta <= funcbufleft) { 	/* it fits in current buf */
379 		    if (j < MAX_NR_FUNC) {
380 			memmove(fj + delta, fj, first_free - fj);
381 			for (k = j; k < MAX_NR_FUNC; k++)
382 			    if (func_table[k])
383 				func_table[k] += delta;
384 		    }
385 		    if (!q)
386 		      func_table[i] = fj;
387 		    funcbufleft -= delta;
388 		} else {			/* allocate a larger buffer */
389 		    sz = 256;
390 		    while (sz < funcbufsize - funcbufleft + delta)
391 		      sz <<= 1;
392 		    fnw = kmalloc(sz, GFP_KERNEL);
393 		    if(!fnw) {
394 		      ret = -ENOMEM;
395 		      goto reterr;
396 		    }
397 
398 		    if (!q)
399 		      func_table[i] = fj;
400 		    if (fj > funcbufptr)
401 			memmove(fnw, funcbufptr, fj - funcbufptr);
402 		    for (k = 0; k < j; k++)
403 		      if (func_table[k])
404 			func_table[k] = fnw + (func_table[k] - funcbufptr);
405 
406 		    if (first_free > fj) {
407 			memmove(fnw + (fj - funcbufptr) + delta, fj, first_free - fj);
408 			for (k = j; k < MAX_NR_FUNC; k++)
409 			  if (func_table[k])
410 			    func_table[k] = fnw + (func_table[k] - funcbufptr) + delta;
411 		    }
412 		    if (funcbufptr != func_buf)
413 		      kfree(funcbufptr);
414 		    funcbufptr = fnw;
415 		    funcbufleft = funcbufleft - delta + sz - funcbufsize;
416 		    funcbufsize = sz;
417 		}
418 		strcpy(func_table[i], kbs->kb_string);
419 		break;
420 	}
421 	ret = 0;
422 reterr:
423 	kfree(kbs);
424 	return ret;
425 }
426 
427 static inline int
do_fontx_ioctl(int cmd,struct consolefontdesc __user * user_cfd,int perm,struct console_font_op * op)428 do_fontx_ioctl(int cmd, struct consolefontdesc __user *user_cfd, int perm, struct console_font_op *op)
429 {
430 	struct consolefontdesc cfdarg;
431 	int i;
432 
433 	if (copy_from_user(&cfdarg, user_cfd, sizeof(struct consolefontdesc)))
434 		return -EFAULT;
435 
436 	switch (cmd) {
437 	case PIO_FONTX:
438 		if (!perm)
439 			return -EPERM;
440 		op->op = KD_FONT_OP_SET;
441 		op->flags = KD_FONT_FLAG_OLD;
442 		op->width = 8;
443 		op->height = cfdarg.charheight;
444 		op->charcount = cfdarg.charcount;
445 		op->data = cfdarg.chardata;
446 		return con_font_op(vc_cons[fg_console].d, op);
447 	case GIO_FONTX: {
448 		op->op = KD_FONT_OP_GET;
449 		op->flags = KD_FONT_FLAG_OLD;
450 		op->width = 8;
451 		op->height = cfdarg.charheight;
452 		op->charcount = cfdarg.charcount;
453 		op->data = cfdarg.chardata;
454 		i = con_font_op(vc_cons[fg_console].d, op);
455 		if (i)
456 			return i;
457 		cfdarg.charheight = op->height;
458 		cfdarg.charcount = op->charcount;
459 		if (copy_to_user(user_cfd, &cfdarg, sizeof(struct consolefontdesc)))
460 			return -EFAULT;
461 		return 0;
462 		}
463 	}
464 	return -EINVAL;
465 }
466 
467 static inline int
do_unimap_ioctl(int cmd,struct unimapdesc __user * user_ud,int perm,struct vc_data * vc)468 do_unimap_ioctl(int cmd, struct unimapdesc __user *user_ud, int perm, struct vc_data *vc)
469 {
470 	struct unimapdesc tmp;
471 
472 	if (copy_from_user(&tmp, user_ud, sizeof tmp))
473 		return -EFAULT;
474 	if (tmp.entries)
475 		if (!access_ok(VERIFY_WRITE, tmp.entries,
476 				tmp.entry_ct*sizeof(struct unipair)))
477 			return -EFAULT;
478 	switch (cmd) {
479 	case PIO_UNIMAP:
480 		if (!perm)
481 			return -EPERM;
482 		return con_set_unimap(vc, tmp.entry_ct, tmp.entries);
483 	case GIO_UNIMAP:
484 		if (!perm && fg_console != vc->vc_num)
485 			return -EPERM;
486 		return con_get_unimap(vc, tmp.entry_ct, &(user_ud->entry_ct), tmp.entries);
487 	}
488 	return 0;
489 }
490 
491 
492 
493 /*
494  * We handle the console-specific ioctl's here.  We allow the
495  * capability to modify any console, not just the fg_console.
496  */
vt_ioctl(struct tty_struct * tty,unsigned int cmd,unsigned long arg)497 int vt_ioctl(struct tty_struct *tty,
498 	     unsigned int cmd, unsigned long arg)
499 {
500 	struct vc_data *vc = tty->driver_data;
501 	struct console_font_op op;	/* used in multiple places here */
502 	struct kbd_struct * kbd;
503 	unsigned int console;
504 	unsigned char ucval;
505 	unsigned int uival;
506 	void __user *up = (void __user *)arg;
507 	int i, perm;
508 	int ret = 0;
509 
510 	console = vc->vc_num;
511 
512 	tty_lock();
513 
514 	if (!vc_cons_allocated(console)) { 	/* impossible? */
515 		ret = -ENOIOCTLCMD;
516 		goto out;
517 	}
518 
519 
520 	/*
521 	 * To have permissions to do most of the vt ioctls, we either have
522 	 * to be the owner of the tty, or have CAP_SYS_TTY_CONFIG.
523 	 */
524 	perm = 0;
525 	if (current->signal->tty == tty || capable(CAP_SYS_TTY_CONFIG))
526 		perm = 1;
527 
528 	kbd = kbd_table + console;
529 	switch (cmd) {
530 	case TIOCLINUX:
531 		ret = tioclinux(tty, arg);
532 		break;
533 	case KIOCSOUND:
534 		if (!perm)
535 			goto eperm;
536 		/*
537 		 * The use of PIT_TICK_RATE is historic, it used to be
538 		 * the platform-dependent CLOCK_TICK_RATE between 2.6.12
539 		 * and 2.6.36, which was a minor but unfortunate ABI
540 		 * change.
541 		 */
542 		if (arg)
543 			arg = PIT_TICK_RATE / arg;
544 		kd_mksound(arg, 0);
545 		break;
546 
547 	case KDMKTONE:
548 		if (!perm)
549 			goto eperm;
550 	{
551 		unsigned int ticks, count;
552 
553 		/*
554 		 * Generate the tone for the appropriate number of ticks.
555 		 * If the time is zero, turn off sound ourselves.
556 		 */
557 		ticks = HZ * ((arg >> 16) & 0xffff) / 1000;
558 		count = ticks ? (arg & 0xffff) : 0;
559 		if (count)
560 			count = PIT_TICK_RATE / count;
561 		kd_mksound(count, ticks);
562 		break;
563 	}
564 
565 	case KDGKBTYPE:
566 		/*
567 		 * this is naive.
568 		 */
569 		ucval = KB_101;
570 		goto setchar;
571 
572 		/*
573 		 * These cannot be implemented on any machine that implements
574 		 * ioperm() in user level (such as Alpha PCs) or not at all.
575 		 *
576 		 * XXX: you should never use these, just call ioperm directly..
577 		 */
578 #ifdef CONFIG_X86
579 	case KDADDIO:
580 	case KDDELIO:
581 		/*
582 		 * KDADDIO and KDDELIO may be able to add ports beyond what
583 		 * we reject here, but to be safe...
584 		 */
585 		if (arg < GPFIRST || arg > GPLAST) {
586 			ret = -EINVAL;
587 			break;
588 		}
589 		ret = sys_ioperm(arg, 1, (cmd == KDADDIO)) ? -ENXIO : 0;
590 		break;
591 
592 	case KDENABIO:
593 	case KDDISABIO:
594 		ret = sys_ioperm(GPFIRST, GPNUM,
595 				  (cmd == KDENABIO)) ? -ENXIO : 0;
596 		break;
597 #endif
598 
599 	/* Linux m68k/i386 interface for setting the keyboard delay/repeat rate */
600 
601 	case KDKBDREP:
602 	{
603 		struct kbd_repeat kbrep;
604 
605 		if (!capable(CAP_SYS_TTY_CONFIG))
606 			goto eperm;
607 
608 		if (copy_from_user(&kbrep, up, sizeof(struct kbd_repeat))) {
609 			ret =  -EFAULT;
610 			break;
611 		}
612 		ret = kbd_rate(&kbrep);
613 		if (ret)
614 			break;
615 		if (copy_to_user(up, &kbrep, sizeof(struct kbd_repeat)))
616 			ret = -EFAULT;
617 		break;
618 	}
619 
620 	case KDSETMODE:
621 		/*
622 		 * currently, setting the mode from KD_TEXT to KD_GRAPHICS
623 		 * doesn't do a whole lot. i'm not sure if it should do any
624 		 * restoration of modes or what...
625 		 *
626 		 * XXX It should at least call into the driver, fbdev's definitely
627 		 * need to restore their engine state. --BenH
628 		 */
629 		if (!perm)
630 			goto eperm;
631 		switch (arg) {
632 		case KD_GRAPHICS:
633 			break;
634 		case KD_TEXT0:
635 		case KD_TEXT1:
636 			arg = KD_TEXT;
637 		case KD_TEXT:
638 			break;
639 		default:
640 			ret = -EINVAL;
641 			goto out;
642 		}
643 		if (vc->vc_mode == (unsigned char) arg)
644 			break;
645 		vc->vc_mode = (unsigned char) arg;
646 		if (console != fg_console)
647 			break;
648 		/*
649 		 * explicitly blank/unblank the screen if switching modes
650 		 */
651 		console_lock();
652 		if (arg == KD_TEXT)
653 			do_unblank_screen(1);
654 		else
655 			do_blank_screen(1);
656 		console_unlock();
657 		break;
658 
659 	case KDGETMODE:
660 		uival = vc->vc_mode;
661 		goto setint;
662 
663 	case KDMAPDISP:
664 	case KDUNMAPDISP:
665 		/*
666 		 * these work like a combination of mmap and KDENABIO.
667 		 * this could be easily finished.
668 		 */
669 		ret = -EINVAL;
670 		break;
671 
672 	case KDSKBMODE:
673 		if (!perm)
674 			goto eperm;
675 		switch(arg) {
676 		  case K_RAW:
677 			kbd->kbdmode = VC_RAW;
678 			break;
679 		  case K_MEDIUMRAW:
680 			kbd->kbdmode = VC_MEDIUMRAW;
681 			break;
682 		  case K_XLATE:
683 			kbd->kbdmode = VC_XLATE;
684 			compute_shiftstate();
685 			break;
686 		  case K_UNICODE:
687 			kbd->kbdmode = VC_UNICODE;
688 			compute_shiftstate();
689 			break;
690 		  case K_OFF:
691 			kbd->kbdmode = VC_OFF;
692 			break;
693 		  default:
694 			ret = -EINVAL;
695 			goto out;
696 		}
697 		tty_ldisc_flush(tty);
698 		break;
699 
700 	case KDGKBMODE:
701 		uival = ((kbd->kbdmode == VC_RAW) ? K_RAW :
702 				 (kbd->kbdmode == VC_MEDIUMRAW) ? K_MEDIUMRAW :
703 				 (kbd->kbdmode == VC_UNICODE) ? K_UNICODE :
704 				 K_XLATE);
705 		goto setint;
706 
707 	/* this could be folded into KDSKBMODE, but for compatibility
708 	   reasons it is not so easy to fold KDGKBMETA into KDGKBMODE */
709 	case KDSKBMETA:
710 		switch(arg) {
711 		  case K_METABIT:
712 			clr_vc_kbd_mode(kbd, VC_META);
713 			break;
714 		  case K_ESCPREFIX:
715 			set_vc_kbd_mode(kbd, VC_META);
716 			break;
717 		  default:
718 			ret = -EINVAL;
719 		}
720 		break;
721 
722 	case KDGKBMETA:
723 		uival = (vc_kbd_mode(kbd, VC_META) ? K_ESCPREFIX : K_METABIT);
724 	setint:
725 		ret = put_user(uival, (int __user *)arg);
726 		break;
727 
728 	case KDGETKEYCODE:
729 	case KDSETKEYCODE:
730 		if(!capable(CAP_SYS_TTY_CONFIG))
731 			perm = 0;
732 		ret = do_kbkeycode_ioctl(cmd, up, perm);
733 		break;
734 
735 	case KDGKBENT:
736 	case KDSKBENT:
737 		ret = do_kdsk_ioctl(cmd, up, perm, kbd);
738 		break;
739 
740 	case KDGKBSENT:
741 	case KDSKBSENT:
742 		ret = do_kdgkb_ioctl(cmd, up, perm);
743 		break;
744 
745 	case KDGKBDIACR:
746 	{
747 		struct kbdiacrs __user *a = up;
748 		struct kbdiacr diacr;
749 		int i;
750 
751 		if (put_user(accent_table_size, &a->kb_cnt)) {
752 			ret = -EFAULT;
753 			break;
754 		}
755 		for (i = 0; i < accent_table_size; i++) {
756 			diacr.diacr = conv_uni_to_8bit(accent_table[i].diacr);
757 			diacr.base = conv_uni_to_8bit(accent_table[i].base);
758 			diacr.result = conv_uni_to_8bit(accent_table[i].result);
759 			if (copy_to_user(a->kbdiacr + i, &diacr, sizeof(struct kbdiacr))) {
760 				ret = -EFAULT;
761 				break;
762 			}
763 		}
764 		break;
765 	}
766 	case KDGKBDIACRUC:
767 	{
768 		struct kbdiacrsuc __user *a = up;
769 
770 		if (put_user(accent_table_size, &a->kb_cnt))
771 			ret = -EFAULT;
772 		else if (copy_to_user(a->kbdiacruc, accent_table,
773 				accent_table_size*sizeof(struct kbdiacruc)))
774 			ret = -EFAULT;
775 		break;
776 	}
777 
778 	case KDSKBDIACR:
779 	{
780 		struct kbdiacrs __user *a = up;
781 		struct kbdiacr diacr;
782 		unsigned int ct;
783 		int i;
784 
785 		if (!perm)
786 			goto eperm;
787 		if (get_user(ct,&a->kb_cnt)) {
788 			ret = -EFAULT;
789 			break;
790 		}
791 		if (ct >= MAX_DIACR) {
792 			ret = -EINVAL;
793 			break;
794 		}
795 		accent_table_size = ct;
796 		for (i = 0; i < ct; i++) {
797 			if (copy_from_user(&diacr, a->kbdiacr + i, sizeof(struct kbdiacr))) {
798 				ret = -EFAULT;
799 				break;
800 			}
801 			accent_table[i].diacr = conv_8bit_to_uni(diacr.diacr);
802 			accent_table[i].base = conv_8bit_to_uni(diacr.base);
803 			accent_table[i].result = conv_8bit_to_uni(diacr.result);
804 		}
805 		break;
806 	}
807 
808 	case KDSKBDIACRUC:
809 	{
810 		struct kbdiacrsuc __user *a = up;
811 		unsigned int ct;
812 
813 		if (!perm)
814 			goto eperm;
815 		if (get_user(ct,&a->kb_cnt)) {
816 			ret = -EFAULT;
817 			break;
818 		}
819 		if (ct >= MAX_DIACR) {
820 			ret = -EINVAL;
821 			break;
822 		}
823 		accent_table_size = ct;
824 		if (copy_from_user(accent_table, a->kbdiacruc, ct*sizeof(struct kbdiacruc)))
825 			ret = -EFAULT;
826 		break;
827 	}
828 
829 	/* the ioctls below read/set the flags usually shown in the leds */
830 	/* don't use them - they will go away without warning */
831 	case KDGKBLED:
832 		ucval = kbd->ledflagstate | (kbd->default_ledflagstate << 4);
833 		goto setchar;
834 
835 	case KDSKBLED:
836 		if (!perm)
837 			goto eperm;
838 		if (arg & ~0x77) {
839 			ret = -EINVAL;
840 			break;
841 		}
842 		kbd->ledflagstate = (arg & 7);
843 		kbd->default_ledflagstate = ((arg >> 4) & 7);
844 		set_leds();
845 		break;
846 
847 	/* the ioctls below only set the lights, not the functions */
848 	/* for those, see KDGKBLED and KDSKBLED above */
849 	case KDGETLED:
850 		ucval = getledstate();
851 	setchar:
852 		ret = put_user(ucval, (char __user *)arg);
853 		break;
854 
855 	case KDSETLED:
856 		if (!perm)
857 			goto eperm;
858 		setledstate(kbd, arg);
859 		break;
860 
861 	/*
862 	 * A process can indicate its willingness to accept signals
863 	 * generated by pressing an appropriate key combination.
864 	 * Thus, one can have a daemon that e.g. spawns a new console
865 	 * upon a keypress and then changes to it.
866 	 * See also the kbrequest field of inittab(5).
867 	 */
868 	case KDSIGACCEPT:
869 	{
870 		if (!perm || !capable(CAP_KILL))
871 			goto eperm;
872 		if (!valid_signal(arg) || arg < 1 || arg == SIGKILL)
873 			ret = -EINVAL;
874 		else {
875 			spin_lock_irq(&vt_spawn_con.lock);
876 			put_pid(vt_spawn_con.pid);
877 			vt_spawn_con.pid = get_pid(task_pid(current));
878 			vt_spawn_con.sig = arg;
879 			spin_unlock_irq(&vt_spawn_con.lock);
880 		}
881 		break;
882 	}
883 
884 	case VT_SETMODE:
885 	{
886 		struct vt_mode tmp;
887 
888 		if (!perm)
889 			goto eperm;
890 		if (copy_from_user(&tmp, up, sizeof(struct vt_mode))) {
891 			ret = -EFAULT;
892 			goto out;
893 		}
894 		if (tmp.mode != VT_AUTO && tmp.mode != VT_PROCESS) {
895 			ret = -EINVAL;
896 			goto out;
897 		}
898 		console_lock();
899 		vc->vt_mode = tmp;
900 		/* the frsig is ignored, so we set it to 0 */
901 		vc->vt_mode.frsig = 0;
902 		put_pid(vc->vt_pid);
903 		vc->vt_pid = get_pid(task_pid(current));
904 		/* no switch is required -- saw@shade.msu.ru */
905 		vc->vt_newvt = -1;
906 		console_unlock();
907 		break;
908 	}
909 
910 	case VT_GETMODE:
911 	{
912 		struct vt_mode tmp;
913 		int rc;
914 
915 		console_lock();
916 		memcpy(&tmp, &vc->vt_mode, sizeof(struct vt_mode));
917 		console_unlock();
918 
919 		rc = copy_to_user(up, &tmp, sizeof(struct vt_mode));
920 		if (rc)
921 			ret = -EFAULT;
922 		break;
923 	}
924 
925 	/*
926 	 * Returns global vt state. Note that VT 0 is always open, since
927 	 * it's an alias for the current VT, and people can't use it here.
928 	 * We cannot return state for more than 16 VTs, since v_state is short.
929 	 */
930 	case VT_GETSTATE:
931 	{
932 		struct vt_stat __user *vtstat = up;
933 		unsigned short state, mask;
934 
935 		if (put_user(fg_console + 1, &vtstat->v_active))
936 			ret = -EFAULT;
937 		else {
938 			state = 1;	/* /dev/tty0 is always open */
939 			for (i = 0, mask = 2; i < MAX_NR_CONSOLES && mask;
940 							++i, mask <<= 1)
941 				if (VT_IS_IN_USE(i))
942 					state |= mask;
943 			ret = put_user(state, &vtstat->v_state);
944 		}
945 		break;
946 	}
947 
948 	/*
949 	 * Returns the first available (non-opened) console.
950 	 */
951 	case VT_OPENQRY:
952 		for (i = 0; i < MAX_NR_CONSOLES; ++i)
953 			if (! VT_IS_IN_USE(i))
954 				break;
955 		uival = i < MAX_NR_CONSOLES ? (i+1) : -1;
956 		goto setint;
957 
958 	/*
959 	 * ioctl(fd, VT_ACTIVATE, num) will cause us to switch to vt # num,
960 	 * with num >= 1 (switches to vt 0, our console, are not allowed, just
961 	 * to preserve sanity).
962 	 */
963 	case VT_ACTIVATE:
964 		if (!perm)
965 			goto eperm;
966 		if (arg == 0 || arg > MAX_NR_CONSOLES)
967 			ret =  -ENXIO;
968 		else {
969 			arg--;
970 			console_lock();
971 			ret = vc_allocate(arg);
972 			console_unlock();
973 			if (ret)
974 				break;
975 			set_console(arg);
976 		}
977 		break;
978 
979 	case VT_SETACTIVATE:
980 	{
981 		struct vt_setactivate vsa;
982 
983 		if (!perm)
984 			goto eperm;
985 
986 		if (copy_from_user(&vsa, (struct vt_setactivate __user *)arg,
987 					sizeof(struct vt_setactivate))) {
988 			ret = -EFAULT;
989 			goto out;
990 		}
991 		if (vsa.console == 0 || vsa.console > MAX_NR_CONSOLES)
992 			ret = -ENXIO;
993 		else {
994 			vsa.console--;
995 			console_lock();
996 			ret = vc_allocate(vsa.console);
997 			if (ret == 0) {
998 				struct vc_data *nvc;
999 				/* This is safe providing we don't drop the
1000 				   console sem between vc_allocate and
1001 				   finishing referencing nvc */
1002 				nvc = vc_cons[vsa.console].d;
1003 				nvc->vt_mode = vsa.mode;
1004 				nvc->vt_mode.frsig = 0;
1005 				put_pid(nvc->vt_pid);
1006 				nvc->vt_pid = get_pid(task_pid(current));
1007 			}
1008 			console_unlock();
1009 			if (ret)
1010 				break;
1011 			/* Commence switch and lock */
1012 			set_console(vsa.console);
1013 		}
1014 		break;
1015 	}
1016 
1017 	/*
1018 	 * wait until the specified VT has been activated
1019 	 */
1020 	case VT_WAITACTIVE:
1021 		if (!perm)
1022 			goto eperm;
1023 		if (arg == 0 || arg > MAX_NR_CONSOLES)
1024 			ret = -ENXIO;
1025 		else
1026 			ret = vt_waitactive(arg);
1027 		break;
1028 
1029 	/*
1030 	 * If a vt is under process control, the kernel will not switch to it
1031 	 * immediately, but postpone the operation until the process calls this
1032 	 * ioctl, allowing the switch to complete.
1033 	 *
1034 	 * According to the X sources this is the behavior:
1035 	 *	0:	pending switch-from not OK
1036 	 *	1:	pending switch-from OK
1037 	 *	2:	completed switch-to OK
1038 	 */
1039 	case VT_RELDISP:
1040 		if (!perm)
1041 			goto eperm;
1042 
1043 		if (vc->vt_mode.mode != VT_PROCESS) {
1044 			ret = -EINVAL;
1045 			break;
1046 		}
1047 		/*
1048 		 * Switching-from response
1049 		 */
1050 		console_lock();
1051 		if (vc->vt_newvt >= 0) {
1052 			if (arg == 0)
1053 				/*
1054 				 * Switch disallowed, so forget we were trying
1055 				 * to do it.
1056 				 */
1057 				vc->vt_newvt = -1;
1058 
1059 			else {
1060 				/*
1061 				 * The current vt has been released, so
1062 				 * complete the switch.
1063 				 */
1064 				int newvt;
1065 				newvt = vc->vt_newvt;
1066 				vc->vt_newvt = -1;
1067 				ret = vc_allocate(newvt);
1068 				if (ret) {
1069 					console_unlock();
1070 					break;
1071 				}
1072 				/*
1073 				 * When we actually do the console switch,
1074 				 * make sure we are atomic with respect to
1075 				 * other console switches..
1076 				 */
1077 				complete_change_console(vc_cons[newvt].d);
1078 			}
1079 		} else {
1080 			/*
1081 			 * Switched-to response
1082 			 */
1083 			/*
1084 			 * If it's just an ACK, ignore it
1085 			 */
1086 			if (arg != VT_ACKACQ)
1087 				ret = -EINVAL;
1088 		}
1089 		console_unlock();
1090 		break;
1091 
1092 	 /*
1093 	  * Disallocate memory associated to VT (but leave VT1)
1094 	  */
1095 	 case VT_DISALLOCATE:
1096 		if (arg > MAX_NR_CONSOLES) {
1097 			ret = -ENXIO;
1098 			break;
1099 		}
1100 		if (arg == 0) {
1101 		    /* deallocate all unused consoles, but leave 0 */
1102 			console_lock();
1103 			for (i=1; i<MAX_NR_CONSOLES; i++)
1104 				if (! VT_BUSY(i))
1105 					vc_deallocate(i);
1106 			console_unlock();
1107 		} else {
1108 			/* deallocate a single console, if possible */
1109 			arg--;
1110 			if (VT_BUSY(arg))
1111 				ret = -EBUSY;
1112 			else if (arg) {			      /* leave 0 */
1113 				console_lock();
1114 				vc_deallocate(arg);
1115 				console_unlock();
1116 			}
1117 		}
1118 		break;
1119 
1120 	case VT_RESIZE:
1121 	{
1122 		struct vt_sizes __user *vtsizes = up;
1123 		struct vc_data *vc;
1124 
1125 		ushort ll,cc;
1126 		if (!perm)
1127 			goto eperm;
1128 		if (get_user(ll, &vtsizes->v_rows) ||
1129 		    get_user(cc, &vtsizes->v_cols))
1130 			ret = -EFAULT;
1131 		else {
1132 			console_lock();
1133 			for (i = 0; i < MAX_NR_CONSOLES; i++) {
1134 				vc = vc_cons[i].d;
1135 
1136 				if (vc) {
1137 					vc->vc_resize_user = 1;
1138 					vc_resize(vc_cons[i].d, cc, ll);
1139 				}
1140 			}
1141 			console_unlock();
1142 		}
1143 		break;
1144 	}
1145 
1146 	case VT_RESIZEX:
1147 	{
1148 		struct vt_consize __user *vtconsize = up;
1149 		ushort ll,cc,vlin,clin,vcol,ccol;
1150 		if (!perm)
1151 			goto eperm;
1152 		if (!access_ok(VERIFY_READ, vtconsize,
1153 				sizeof(struct vt_consize))) {
1154 			ret = -EFAULT;
1155 			break;
1156 		}
1157 		/* FIXME: Should check the copies properly */
1158 		__get_user(ll, &vtconsize->v_rows);
1159 		__get_user(cc, &vtconsize->v_cols);
1160 		__get_user(vlin, &vtconsize->v_vlin);
1161 		__get_user(clin, &vtconsize->v_clin);
1162 		__get_user(vcol, &vtconsize->v_vcol);
1163 		__get_user(ccol, &vtconsize->v_ccol);
1164 		vlin = vlin ? vlin : vc->vc_scan_lines;
1165 		if (clin) {
1166 			if (ll) {
1167 				if (ll != vlin/clin) {
1168 					/* Parameters don't add up */
1169 					ret = -EINVAL;
1170 					break;
1171 				}
1172 			} else
1173 				ll = vlin/clin;
1174 		}
1175 		if (vcol && ccol) {
1176 			if (cc) {
1177 				if (cc != vcol/ccol) {
1178 					ret = -EINVAL;
1179 					break;
1180 				}
1181 			} else
1182 				cc = vcol/ccol;
1183 		}
1184 
1185 		if (clin > 32) {
1186 			ret =  -EINVAL;
1187 			break;
1188 		}
1189 
1190 		for (i = 0; i < MAX_NR_CONSOLES; i++) {
1191 			if (!vc_cons[i].d)
1192 				continue;
1193 			console_lock();
1194 			if (vlin)
1195 				vc_cons[i].d->vc_scan_lines = vlin;
1196 			if (clin)
1197 				vc_cons[i].d->vc_font.height = clin;
1198 			vc_cons[i].d->vc_resize_user = 1;
1199 			vc_resize(vc_cons[i].d, cc, ll);
1200 			console_unlock();
1201 		}
1202 		break;
1203 	}
1204 
1205 	case PIO_FONT: {
1206 		if (!perm)
1207 			goto eperm;
1208 		op.op = KD_FONT_OP_SET;
1209 		op.flags = KD_FONT_FLAG_OLD | KD_FONT_FLAG_DONT_RECALC;	/* Compatibility */
1210 		op.width = 8;
1211 		op.height = 0;
1212 		op.charcount = 256;
1213 		op.data = up;
1214 		ret = con_font_op(vc_cons[fg_console].d, &op);
1215 		break;
1216 	}
1217 
1218 	case GIO_FONT: {
1219 		op.op = KD_FONT_OP_GET;
1220 		op.flags = KD_FONT_FLAG_OLD;
1221 		op.width = 8;
1222 		op.height = 32;
1223 		op.charcount = 256;
1224 		op.data = up;
1225 		ret = con_font_op(vc_cons[fg_console].d, &op);
1226 		break;
1227 	}
1228 
1229 	case PIO_CMAP:
1230                 if (!perm)
1231 			ret = -EPERM;
1232 		else
1233 	                ret = con_set_cmap(up);
1234 		break;
1235 
1236 	case GIO_CMAP:
1237                 ret = con_get_cmap(up);
1238 		break;
1239 
1240 	case PIO_FONTX:
1241 	case GIO_FONTX:
1242 		ret = do_fontx_ioctl(cmd, up, perm, &op);
1243 		break;
1244 
1245 	case PIO_FONTRESET:
1246 	{
1247 		if (!perm)
1248 			goto eperm;
1249 
1250 #ifdef BROKEN_GRAPHICS_PROGRAMS
1251 		/* With BROKEN_GRAPHICS_PROGRAMS defined, the default
1252 		   font is not saved. */
1253 		ret = -ENOSYS;
1254 		break;
1255 #else
1256 		{
1257 		op.op = KD_FONT_OP_SET_DEFAULT;
1258 		op.data = NULL;
1259 		ret = con_font_op(vc_cons[fg_console].d, &op);
1260 		if (ret)
1261 			break;
1262 		con_set_default_unimap(vc_cons[fg_console].d);
1263 		break;
1264 		}
1265 #endif
1266 	}
1267 
1268 	case KDFONTOP: {
1269 		if (copy_from_user(&op, up, sizeof(op))) {
1270 			ret = -EFAULT;
1271 			break;
1272 		}
1273 		if (!perm && op.op != KD_FONT_OP_GET)
1274 			goto eperm;
1275 		ret = con_font_op(vc, &op);
1276 		if (ret)
1277 			break;
1278 		if (copy_to_user(up, &op, sizeof(op)))
1279 			ret = -EFAULT;
1280 		break;
1281 	}
1282 
1283 	case PIO_SCRNMAP:
1284 		if (!perm)
1285 			ret = -EPERM;
1286 		else
1287 			ret = con_set_trans_old(up);
1288 		break;
1289 
1290 	case GIO_SCRNMAP:
1291 		ret = con_get_trans_old(up);
1292 		break;
1293 
1294 	case PIO_UNISCRNMAP:
1295 		if (!perm)
1296 			ret = -EPERM;
1297 		else
1298 			ret = con_set_trans_new(up);
1299 		break;
1300 
1301 	case GIO_UNISCRNMAP:
1302 		ret = con_get_trans_new(up);
1303 		break;
1304 
1305 	case PIO_UNIMAPCLR:
1306 	      { struct unimapinit ui;
1307 		if (!perm)
1308 			goto eperm;
1309 		ret = copy_from_user(&ui, up, sizeof(struct unimapinit));
1310 		if (ret)
1311 			ret = -EFAULT;
1312 		else
1313 			con_clear_unimap(vc, &ui);
1314 		break;
1315 	      }
1316 
1317 	case PIO_UNIMAP:
1318 	case GIO_UNIMAP:
1319 		ret = do_unimap_ioctl(cmd, up, perm, vc);
1320 		break;
1321 
1322 	case VT_LOCKSWITCH:
1323 		if (!capable(CAP_SYS_TTY_CONFIG))
1324 			goto eperm;
1325 		vt_dont_switch = 1;
1326 		break;
1327 	case VT_UNLOCKSWITCH:
1328 		if (!capable(CAP_SYS_TTY_CONFIG))
1329 			goto eperm;
1330 		vt_dont_switch = 0;
1331 		break;
1332 	case VT_GETHIFONTMASK:
1333 		ret = put_user(vc->vc_hi_font_mask,
1334 					(unsigned short __user *)arg);
1335 		break;
1336 	case VT_WAITEVENT:
1337 		ret = vt_event_wait_ioctl((struct vt_event __user *)arg);
1338 		break;
1339 	default:
1340 		ret = -ENOIOCTLCMD;
1341 	}
1342 out:
1343 	tty_unlock();
1344 	return ret;
1345 eperm:
1346 	ret = -EPERM;
1347 	goto out;
1348 }
1349 
reset_vc(struct vc_data * vc)1350 void reset_vc(struct vc_data *vc)
1351 {
1352 	vc->vc_mode = KD_TEXT;
1353 	kbd_table[vc->vc_num].kbdmode = default_utf8 ? VC_UNICODE : VC_XLATE;
1354 	vc->vt_mode.mode = VT_AUTO;
1355 	vc->vt_mode.waitv = 0;
1356 	vc->vt_mode.relsig = 0;
1357 	vc->vt_mode.acqsig = 0;
1358 	vc->vt_mode.frsig = 0;
1359 	put_pid(vc->vt_pid);
1360 	vc->vt_pid = NULL;
1361 	vc->vt_newvt = -1;
1362 	if (!in_interrupt())    /* Via keyboard.c:SAK() - akpm */
1363 		reset_palette(vc);
1364 }
1365 
vc_SAK(struct work_struct * work)1366 void vc_SAK(struct work_struct *work)
1367 {
1368 	struct vc *vc_con =
1369 		container_of(work, struct vc, SAK_work);
1370 	struct vc_data *vc;
1371 	struct tty_struct *tty;
1372 
1373 	console_lock();
1374 	vc = vc_con->d;
1375 	if (vc) {
1376 		tty = vc->port.tty;
1377 		/*
1378 		 * SAK should also work in all raw modes and reset
1379 		 * them properly.
1380 		 */
1381 		if (tty)
1382 			__do_SAK(tty);
1383 		reset_vc(vc);
1384 	}
1385 	console_unlock();
1386 }
1387 
1388 #ifdef CONFIG_COMPAT
1389 
1390 struct compat_consolefontdesc {
1391 	unsigned short charcount;       /* characters in font (256 or 512) */
1392 	unsigned short charheight;      /* scan lines per character (1-32) */
1393 	compat_caddr_t chardata;	/* font data in expanded form */
1394 };
1395 
1396 static inline int
compat_fontx_ioctl(int cmd,struct compat_consolefontdesc __user * user_cfd,int perm,struct console_font_op * op)1397 compat_fontx_ioctl(int cmd, struct compat_consolefontdesc __user *user_cfd,
1398 			 int perm, struct console_font_op *op)
1399 {
1400 	struct compat_consolefontdesc cfdarg;
1401 	int i;
1402 
1403 	if (copy_from_user(&cfdarg, user_cfd, sizeof(struct compat_consolefontdesc)))
1404 		return -EFAULT;
1405 
1406 	switch (cmd) {
1407 	case PIO_FONTX:
1408 		if (!perm)
1409 			return -EPERM;
1410 		op->op = KD_FONT_OP_SET;
1411 		op->flags = KD_FONT_FLAG_OLD;
1412 		op->width = 8;
1413 		op->height = cfdarg.charheight;
1414 		op->charcount = cfdarg.charcount;
1415 		op->data = compat_ptr(cfdarg.chardata);
1416 		return con_font_op(vc_cons[fg_console].d, op);
1417 	case GIO_FONTX:
1418 		op->op = KD_FONT_OP_GET;
1419 		op->flags = KD_FONT_FLAG_OLD;
1420 		op->width = 8;
1421 		op->height = cfdarg.charheight;
1422 		op->charcount = cfdarg.charcount;
1423 		op->data = compat_ptr(cfdarg.chardata);
1424 		i = con_font_op(vc_cons[fg_console].d, op);
1425 		if (i)
1426 			return i;
1427 		cfdarg.charheight = op->height;
1428 		cfdarg.charcount = op->charcount;
1429 		if (copy_to_user(user_cfd, &cfdarg, sizeof(struct compat_consolefontdesc)))
1430 			return -EFAULT;
1431 		return 0;
1432 	}
1433 	return -EINVAL;
1434 }
1435 
1436 struct compat_console_font_op {
1437 	compat_uint_t op;        /* operation code KD_FONT_OP_* */
1438 	compat_uint_t flags;     /* KD_FONT_FLAG_* */
1439 	compat_uint_t width, height;     /* font size */
1440 	compat_uint_t charcount;
1441 	compat_caddr_t data;    /* font data with height fixed to 32 */
1442 };
1443 
1444 static inline int
compat_kdfontop_ioctl(struct compat_console_font_op __user * fontop,int perm,struct console_font_op * op,struct vc_data * vc)1445 compat_kdfontop_ioctl(struct compat_console_font_op __user *fontop,
1446 			 int perm, struct console_font_op *op, struct vc_data *vc)
1447 {
1448 	int i;
1449 
1450 	if (copy_from_user(op, fontop, sizeof(struct compat_console_font_op)))
1451 		return -EFAULT;
1452 	if (!perm && op->op != KD_FONT_OP_GET)
1453 		return -EPERM;
1454 	op->data = compat_ptr(((struct compat_console_font_op *)op)->data);
1455 	op->flags |= KD_FONT_FLAG_OLD;
1456 	i = con_font_op(vc, op);
1457 	if (i)
1458 		return i;
1459 	((struct compat_console_font_op *)op)->data = (unsigned long)op->data;
1460 	if (copy_to_user(fontop, op, sizeof(struct compat_console_font_op)))
1461 		return -EFAULT;
1462 	return 0;
1463 }
1464 
1465 struct compat_unimapdesc {
1466 	unsigned short entry_ct;
1467 	compat_caddr_t entries;
1468 };
1469 
1470 static inline int
compat_unimap_ioctl(unsigned int cmd,struct compat_unimapdesc __user * user_ud,int perm,struct vc_data * vc)1471 compat_unimap_ioctl(unsigned int cmd, struct compat_unimapdesc __user *user_ud,
1472 			 int perm, struct vc_data *vc)
1473 {
1474 	struct compat_unimapdesc tmp;
1475 	struct unipair __user *tmp_entries;
1476 
1477 	if (copy_from_user(&tmp, user_ud, sizeof tmp))
1478 		return -EFAULT;
1479 	tmp_entries = compat_ptr(tmp.entries);
1480 	if (tmp_entries)
1481 		if (!access_ok(VERIFY_WRITE, tmp_entries,
1482 				tmp.entry_ct*sizeof(struct unipair)))
1483 			return -EFAULT;
1484 	switch (cmd) {
1485 	case PIO_UNIMAP:
1486 		if (!perm)
1487 			return -EPERM;
1488 		return con_set_unimap(vc, tmp.entry_ct, tmp_entries);
1489 	case GIO_UNIMAP:
1490 		if (!perm && fg_console != vc->vc_num)
1491 			return -EPERM;
1492 		return con_get_unimap(vc, tmp.entry_ct, &(user_ud->entry_ct), tmp_entries);
1493 	}
1494 	return 0;
1495 }
1496 
vt_compat_ioctl(struct tty_struct * tty,unsigned int cmd,unsigned long arg)1497 long vt_compat_ioctl(struct tty_struct *tty,
1498 	     unsigned int cmd, unsigned long arg)
1499 {
1500 	struct vc_data *vc = tty->driver_data;
1501 	struct console_font_op op;	/* used in multiple places here */
1502 	struct kbd_struct *kbd;
1503 	unsigned int console;
1504 	void __user *up = (void __user *)arg;
1505 	int perm;
1506 	int ret = 0;
1507 
1508 	console = vc->vc_num;
1509 
1510 	tty_lock();
1511 
1512 	if (!vc_cons_allocated(console)) { 	/* impossible? */
1513 		ret = -ENOIOCTLCMD;
1514 		goto out;
1515 	}
1516 
1517 	/*
1518 	 * To have permissions to do most of the vt ioctls, we either have
1519 	 * to be the owner of the tty, or have CAP_SYS_TTY_CONFIG.
1520 	 */
1521 	perm = 0;
1522 	if (current->signal->tty == tty || capable(CAP_SYS_TTY_CONFIG))
1523 		perm = 1;
1524 
1525 	kbd = kbd_table + console;
1526 	switch (cmd) {
1527 	/*
1528 	 * these need special handlers for incompatible data structures
1529 	 */
1530 	case PIO_FONTX:
1531 	case GIO_FONTX:
1532 		ret = compat_fontx_ioctl(cmd, up, perm, &op);
1533 		break;
1534 
1535 	case KDFONTOP:
1536 		ret = compat_kdfontop_ioctl(up, perm, &op, vc);
1537 		break;
1538 
1539 	case PIO_UNIMAP:
1540 	case GIO_UNIMAP:
1541 		ret = compat_unimap_ioctl(cmd, up, perm, vc);
1542 		break;
1543 
1544 	/*
1545 	 * all these treat 'arg' as an integer
1546 	 */
1547 	case KIOCSOUND:
1548 	case KDMKTONE:
1549 #ifdef CONFIG_X86
1550 	case KDADDIO:
1551 	case KDDELIO:
1552 #endif
1553 	case KDSETMODE:
1554 	case KDMAPDISP:
1555 	case KDUNMAPDISP:
1556 	case KDSKBMODE:
1557 	case KDSKBMETA:
1558 	case KDSKBLED:
1559 	case KDSETLED:
1560 	case KDSIGACCEPT:
1561 	case VT_ACTIVATE:
1562 	case VT_WAITACTIVE:
1563 	case VT_RELDISP:
1564 	case VT_DISALLOCATE:
1565 	case VT_RESIZE:
1566 	case VT_RESIZEX:
1567 		goto fallback;
1568 
1569 	/*
1570 	 * the rest has a compatible data structure behind arg,
1571 	 * but we have to convert it to a proper 64 bit pointer.
1572 	 */
1573 	default:
1574 		arg = (unsigned long)compat_ptr(arg);
1575 		goto fallback;
1576 	}
1577 out:
1578 	tty_unlock();
1579 	return ret;
1580 
1581 fallback:
1582 	tty_unlock();
1583 	return vt_ioctl(tty, cmd, arg);
1584 }
1585 
1586 
1587 #endif /* CONFIG_COMPAT */
1588 
1589 
1590 /*
1591  * Performs the back end of a vt switch. Called under the console
1592  * semaphore.
1593  */
complete_change_console(struct vc_data * vc)1594 static void complete_change_console(struct vc_data *vc)
1595 {
1596 	unsigned char old_vc_mode;
1597 	int old = fg_console;
1598 
1599 	last_console = fg_console;
1600 
1601 	/*
1602 	 * If we're switching, we could be going from KD_GRAPHICS to
1603 	 * KD_TEXT mode or vice versa, which means we need to blank or
1604 	 * unblank the screen later.
1605 	 */
1606 	old_vc_mode = vc_cons[fg_console].d->vc_mode;
1607 	switch_screen(vc);
1608 
1609 	/*
1610 	 * This can't appear below a successful kill_pid().  If it did,
1611 	 * then the *blank_screen operation could occur while X, having
1612 	 * received acqsig, is waking up on another processor.  This
1613 	 * condition can lead to overlapping accesses to the VGA range
1614 	 * and the framebuffer (causing system lockups).
1615 	 *
1616 	 * To account for this we duplicate this code below only if the
1617 	 * controlling process is gone and we've called reset_vc.
1618 	 */
1619 	if (old_vc_mode != vc->vc_mode) {
1620 		if (vc->vc_mode == KD_TEXT)
1621 			do_unblank_screen(1);
1622 		else
1623 			do_blank_screen(1);
1624 	}
1625 
1626 	/*
1627 	 * If this new console is under process control, send it a signal
1628 	 * telling it that it has acquired. Also check if it has died and
1629 	 * clean up (similar to logic employed in change_console())
1630 	 */
1631 	if (vc->vt_mode.mode == VT_PROCESS) {
1632 		/*
1633 		 * Send the signal as privileged - kill_pid() will
1634 		 * tell us if the process has gone or something else
1635 		 * is awry
1636 		 */
1637 		if (kill_pid(vc->vt_pid, vc->vt_mode.acqsig, 1) != 0) {
1638 		/*
1639 		 * The controlling process has died, so we revert back to
1640 		 * normal operation. In this case, we'll also change back
1641 		 * to KD_TEXT mode. I'm not sure if this is strictly correct
1642 		 * but it saves the agony when the X server dies and the screen
1643 		 * remains blanked due to KD_GRAPHICS! It would be nice to do
1644 		 * this outside of VT_PROCESS but there is no single process
1645 		 * to account for and tracking tty count may be undesirable.
1646 		 */
1647 			reset_vc(vc);
1648 
1649 			if (old_vc_mode != vc->vc_mode) {
1650 				if (vc->vc_mode == KD_TEXT)
1651 					do_unblank_screen(1);
1652 				else
1653 					do_blank_screen(1);
1654 			}
1655 		}
1656 	}
1657 
1658 	/*
1659 	 * Wake anyone waiting for their VT to activate
1660 	 */
1661 	vt_event_post(VT_EVENT_SWITCH, old, vc->vc_num);
1662 	return;
1663 }
1664 
1665 /*
1666  * Performs the front-end of a vt switch
1667  */
change_console(struct vc_data * new_vc)1668 void change_console(struct vc_data *new_vc)
1669 {
1670 	struct vc_data *vc;
1671 
1672 	if (!new_vc || new_vc->vc_num == fg_console || vt_dont_switch)
1673 		return;
1674 
1675 	/*
1676 	 * If this vt is in process mode, then we need to handshake with
1677 	 * that process before switching. Essentially, we store where that
1678 	 * vt wants to switch to and wait for it to tell us when it's done
1679 	 * (via VT_RELDISP ioctl).
1680 	 *
1681 	 * We also check to see if the controlling process still exists.
1682 	 * If it doesn't, we reset this vt to auto mode and continue.
1683 	 * This is a cheap way to track process control. The worst thing
1684 	 * that can happen is: we send a signal to a process, it dies, and
1685 	 * the switch gets "lost" waiting for a response; hopefully, the
1686 	 * user will try again, we'll detect the process is gone (unless
1687 	 * the user waits just the right amount of time :-) and revert the
1688 	 * vt to auto control.
1689 	 */
1690 	vc = vc_cons[fg_console].d;
1691 	if (vc->vt_mode.mode == VT_PROCESS) {
1692 		/*
1693 		 * Send the signal as privileged - kill_pid() will
1694 		 * tell us if the process has gone or something else
1695 		 * is awry.
1696 		 *
1697 		 * We need to set vt_newvt *before* sending the signal or we
1698 		 * have a race.
1699 		 */
1700 		vc->vt_newvt = new_vc->vc_num;
1701 		if (kill_pid(vc->vt_pid, vc->vt_mode.relsig, 1) == 0) {
1702 			/*
1703 			 * It worked. Mark the vt to switch to and
1704 			 * return. The process needs to send us a
1705 			 * VT_RELDISP ioctl to complete the switch.
1706 			 */
1707 			return;
1708 		}
1709 
1710 		/*
1711 		 * The controlling process has died, so we revert back to
1712 		 * normal operation. In this case, we'll also change back
1713 		 * to KD_TEXT mode. I'm not sure if this is strictly correct
1714 		 * but it saves the agony when the X server dies and the screen
1715 		 * remains blanked due to KD_GRAPHICS! It would be nice to do
1716 		 * this outside of VT_PROCESS but there is no single process
1717 		 * to account for and tracking tty count may be undesirable.
1718 		 */
1719 		reset_vc(vc);
1720 
1721 		/*
1722 		 * Fall through to normal (VT_AUTO) handling of the switch...
1723 		 */
1724 	}
1725 
1726 	/*
1727 	 * Ignore all switches in KD_GRAPHICS+VT_AUTO mode
1728 	 */
1729 	if (vc->vc_mode == KD_GRAPHICS)
1730 		return;
1731 
1732 	complete_change_console(new_vc);
1733 }
1734 
1735 /* Perform a kernel triggered VT switch for suspend/resume */
1736 
1737 static int disable_vt_switch;
1738 
vt_move_to_console(unsigned int vt,int alloc)1739 int vt_move_to_console(unsigned int vt, int alloc)
1740 {
1741 	int prev;
1742 
1743 	console_lock();
1744 	/* Graphics mode - up to X */
1745 	if (disable_vt_switch) {
1746 		console_unlock();
1747 		return 0;
1748 	}
1749 	prev = fg_console;
1750 
1751 	if (alloc && vc_allocate(vt)) {
1752 		/* we can't have a free VC for now. Too bad,
1753 		 * we don't want to mess the screen for now. */
1754 		console_unlock();
1755 		return -ENOSPC;
1756 	}
1757 
1758 	if (set_console(vt)) {
1759 		/*
1760 		 * We're unable to switch to the SUSPEND_CONSOLE.
1761 		 * Let the calling function know so it can decide
1762 		 * what to do.
1763 		 */
1764 		console_unlock();
1765 		return -EIO;
1766 	}
1767 	console_unlock();
1768 	tty_lock();
1769 	if (vt_waitactive(vt + 1)) {
1770 		pr_debug("Suspend: Can't switch VCs.");
1771 		tty_unlock();
1772 		return -EINTR;
1773 	}
1774 	tty_unlock();
1775 	return prev;
1776 }
1777 
1778 /*
1779  * Normally during a suspend, we allocate a new console and switch to it.
1780  * When we resume, we switch back to the original console.  This switch
1781  * can be slow, so on systems where the framebuffer can handle restoration
1782  * of video registers anyways, there's little point in doing the console
1783  * switch.  This function allows you to disable it by passing it '0'.
1784  */
pm_set_vt_switch(int do_switch)1785 void pm_set_vt_switch(int do_switch)
1786 {
1787 	console_lock();
1788 	disable_vt_switch = !do_switch;
1789 	console_unlock();
1790 }
1791 EXPORT_SYMBOL(pm_set_vt_switch);
1792