1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  *  Copyright (C) 1991, 1992  Linus Torvalds
4  */
5 
6 /*
7  * 'tty_io.c' gives an orthogonal feeling to tty's, be they consoles
8  * or rs-channels. It also implements echoing, cooked mode etc.
9  *
10  * Kill-line thanks to John T Kohl, who also corrected VMIN = VTIME = 0.
11  *
12  * Modified by Theodore Ts'o, 9/14/92, to dynamically allocate the
13  * tty_struct and tty_queue structures.  Previously there was an array
14  * of 256 tty_struct's which was statically allocated, and the
15  * tty_queue structures were allocated at boot time.  Both are now
16  * dynamically allocated only when the tty is open.
17  *
18  * Also restructured routines so that there is more of a separation
19  * between the high-level tty routines (tty_io.c and tty_ioctl.c) and
20  * the low-level tty routines (serial.c, pty.c, console.c).  This
21  * makes for cleaner and more compact code.  -TYT, 9/17/92
22  *
23  * Modified by Fred N. van Kempen, 01/29/93, to add line disciplines
24  * which can be dynamically activated and de-activated by the line
25  * discipline handling modules (like SLIP).
26  *
27  * NOTE: pay no attention to the line discipline code (yet); its
28  * interface is still subject to change in this version...
29  * -- TYT, 1/31/92
30  *
31  * Added functionality to the OPOST tty handling.  No delays, but all
32  * other bits should be there.
33  *	-- Nick Holloway <alfie@dcs.warwick.ac.uk>, 27th May 1993.
34  *
35  * Rewrote canonical mode and added more termios flags.
36  * 	-- julian@uhunix.uhcc.hawaii.edu (J. Cowley), 13Jan94
37  *
38  * Reorganized FASYNC support so mouse code can share it.
39  *	-- ctm@ardi.com, 9Sep95
40  *
41  * New TIOCLINUX variants added.
42  *	-- mj@k332.feld.cvut.cz, 19-Nov-95
43  *
44  * Restrict vt switching via ioctl()
45  *      -- grif@cs.ucr.edu, 5-Dec-95
46  *
47  * Move console and virtual terminal code to more appropriate files,
48  * implement CONFIG_VT and generalize console device interface.
49  *	-- Marko Kohtala <Marko.Kohtala@hut.fi>, March 97
50  *
51  * Rewrote tty_init_dev and tty_release_dev to eliminate races.
52  *	-- Bill Hawes <whawes@star.net>, June 97
53  *
54  * Added devfs support.
55  *      -- C. Scott Ananian <cananian@alumni.princeton.edu>, 13-Jan-1998
56  *
57  * Added support for a Unix98-style ptmx device.
58  *      -- C. Scott Ananian <cananian@alumni.princeton.edu>, 14-Jan-1998
59  *
60  * Reduced memory usage for older ARM systems
61  *      -- Russell King <rmk@arm.linux.org.uk>
62  *
63  * Move do_SAK() into process context.  Less stack use in devfs functions.
64  * alloc_tty_struct() always uses kmalloc()
65  *			 -- Andrew Morton <andrewm@uow.edu.eu> 17Mar01
66  */
67 
68 #include <linux/types.h>
69 #include <linux/major.h>
70 #include <linux/errno.h>
71 #include <linux/signal.h>
72 #include <linux/fcntl.h>
73 #include <linux/sched/signal.h>
74 #include <linux/sched/task.h>
75 #include <linux/interrupt.h>
76 #include <linux/tty.h>
77 #include <linux/tty_driver.h>
78 #include <linux/tty_flip.h>
79 #include <linux/devpts_fs.h>
80 #include <linux/file.h>
81 #include <linux/fdtable.h>
82 #include <linux/console.h>
83 #include <linux/timer.h>
84 #include <linux/ctype.h>
85 #include <linux/kd.h>
86 #include <linux/mm.h>
87 #include <linux/string.h>
88 #include <linux/slab.h>
89 #include <linux/poll.h>
90 #include <linux/ppp-ioctl.h>
91 #include <linux/proc_fs.h>
92 #include <linux/init.h>
93 #include <linux/module.h>
94 #include <linux/device.h>
95 #include <linux/wait.h>
96 #include <linux/bitops.h>
97 #include <linux/delay.h>
98 #include <linux/seq_file.h>
99 #include <linux/serial.h>
100 #include <linux/ratelimit.h>
101 #include <linux/compat.h>
102 
103 #include <linux/uaccess.h>
104 
105 #include <linux/kbd_kern.h>
106 #include <linux/vt_kern.h>
107 #include <linux/selection.h>
108 
109 #include <linux/kmod.h>
110 #include <linux/nsproxy.h>
111 
/*
 * Hangup tracing is compiled out by default: the #undef below forces the
 * no-op variant of tty_debug_hangup(). Replace it with a #define to route
 * the messages through tty_debug().
 */
#undef TTY_DEBUG_HANGUP
#ifndef TTY_DEBUG_HANGUP
# define tty_debug_hangup(tty, f, args...)	do { } while (0)
#else
# define tty_debug_hangup(tty, f, args...)	tty_debug(tty, f, ##args)
#endif

/* Compile in the sanity checks of tty_paranoia_check() / check_tty_count() */
#define TTY_PARANOIA_CHECK 1
#define CHECK_TTY_COUNT 1
121 
/*
 * Default termios settings, exported for the benefit of tty drivers.
 */
struct ktermios tty_std_termios = {
	.c_iflag  = ICRNL | IXON,
	.c_oflag  = OPOST | ONLCR,
	.c_cflag  = B38400 | CS8 | CREAD | HUPCL,
	.c_lflag  = ISIG | ICANON | ECHO | ECHOE | ECHOK | ECHOCTL | ECHOKE |
		    IEXTEN,
	.c_cc     = INIT_C_CC,
	.c_ispeed = 38400,
	.c_ospeed = 38400,
	/* .c_line = N_TTY, */
};
EXPORT_SYMBOL(tty_std_termios);
135 
/*
 * Linked list of tty drivers. procfs and various bits of boot-up code also
 * poke at this list; it could do with some rationalisation, such as pulling
 * the tty proc function into this file.
 */
LIST_HEAD(tty_drivers);

/* Mutex protecting the creation and release of a tty */
DEFINE_MUTEX(tty_mutex);
144 
/* Forward declarations needed by the file_operations tables and helpers below */
static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
			loff_t *ppos);
static ssize_t tty_write(struct file *file, const char __user *buf,
			 size_t count, loff_t *ppos);
ssize_t redirected_tty_write(struct file *file, const char __user *buf,
			     size_t count, loff_t *ppos);
static __poll_t tty_poll(struct file *filp, poll_table *wait);
static int tty_open(struct inode *inode, struct file *filp);
long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
#ifdef CONFIG_COMPAT
static long tty_compat_ioctl(struct file *file, unsigned int cmd,
			     unsigned long arg);
#else
/* without CONFIG_COMPAT the .compat_ioctl slots are left NULL */
#define tty_compat_ioctl NULL
#endif
static int __tty_fasync(int fd, struct file *filp, int on);
static int tty_fasync(int fd, struct file *filp, int on);
static void release_tty(struct tty_struct *tty, int idx);
161 
/**
 *	free_tty_struct		-	free a disused tty
 *	@tty: tty struct to free
 *
 *	Deinitialises the line discipline state, drops the device reference
 *	and frees the write buffer and the tty memory itself.
 *
 *	Locking: none. Must be called after tty is definitely unused
 */
static void free_tty_struct(struct tty_struct *tty)
{
	unsigned char *wbuf;

	tty_ldisc_deinit(tty);
	put_device(tty->dev);

	wbuf = tty->write_buf;
	kfree(wbuf);

	/*
	 * Poison the magic before the memory is released so that a stale
	 * pointer is meant to fail the TTY_MAGIC comparison done in
	 * tty_paranoia_check().
	 * NOTE(review): this only holds until the allocation is reused.
	 */
	tty->magic = 0xDEADDEAD;
	kfree(tty);
}
179 
/*
 * Return the tty recorded in the file's tty_file_private.
 *
 * file->private_data is dereferenced without a NULL check, so this must
 * only be used on files whose private data has been set up (see
 * tty_alloc_file() and tty_add_file()).
 */
static inline struct tty_struct *file_tty(struct file *file)
{
	struct tty_file_private *fpriv = file->private_data;

	return fpriv->tty;
}
184 
/*
 * Allocate the per-file tty private data and attach it to @file.
 *
 * Returns 0 on success or -ENOMEM if the allocation fails.
 */
int tty_alloc_file(struct file *file)
{
	struct tty_file_private *fpriv = kmalloc(sizeof(*fpriv), GFP_KERNEL);

	if (fpriv == NULL)
		return -ENOMEM;

	/*
	 * kmalloc() does not zero the object: its fields hold no valid
	 * values until tty_add_file() fills them in.
	 */
	file->private_data = fpriv;
	return 0;
}
197 
/* Associate a new file with the tty structure and link it on the tty's file list */
void tty_add_file(struct tty_struct *tty, struct file *file)
{
	struct tty_file_private *fpriv = file->private_data;

	/* fill in the back-pointers before the entry is put on the list */
	fpriv->file = file;
	fpriv->tty = tty;

	spin_lock(&tty->files_lock);
	list_add(&fpriv->list, &tty->tty_files);
	spin_unlock(&tty->files_lock);
}
210 
/**
 * tty_free_file - free file->private_data
 * @file: file whose tty private data is released
 *
 * This shall be used only for fail path handling when tty_add_file was not
 * called yet: the entry is freed without being unlinked from any list.
 */
void tty_free_file(struct file *file)
{
	struct tty_file_private *fpriv = file->private_data;

	/* clear the pointer first so @file never refers to freed memory */
	file->private_data = NULL;
	kfree(fpriv);
}
224 
/* Delete file from its tty: unlink it under files_lock, then free its private data */
static void tty_del_file(struct file *file)
{
	struct tty_file_private *fpriv = file->private_data;
	struct tty_struct *owner = fpriv->tty;

	spin_lock(&owner->files_lock);
	list_del(&fpriv->list);
	spin_unlock(&owner->files_lock);

	tty_free_file(file);
}
236 
/**
 *	tty_name	-	return tty naming
 *	@tty: tty structure
 *
 *	Convert a tty structure into a name. The name reflects the kernel
 *	naming policy and, if udev is in use, may not reflect user space.
 *	A NULL @tty yields the fixed string "NULL tty" instead of a fault.
 *
 *	Locking: none
 */
const char *tty_name(const struct tty_struct *tty)
{
	return tty ? tty->name : "NULL tty";
}
EXPORT_SYMBOL(tty_name);
255 
/*
 * Return the name of the driver behind @tty, or an empty string when
 * either the tty or its driver pointer is NULL.
 */
const char *tty_driver_name(const struct tty_struct *tty)
{
	if (tty && tty->driver)
		return tty->driver->name;
	return "";
}
262 
/*
 * Sanity-check a tty pointer taken from a file before it is used.
 *
 * Returns 1 (after logging the device numbers and @routine) when @tty is
 * NULL or its magic field is not TTY_MAGIC, 0 otherwise. With
 * TTY_PARANOIA_CHECK undefined the check compiles away and 0 is returned.
 */
static int tty_paranoia_check(struct tty_struct *tty, struct inode *inode,
			      const char *routine)
{
	int bad = 0;

#ifdef TTY_PARANOIA_CHECK
	if (tty == NULL) {
		pr_warn("(%d:%d): %s: NULL tty\n",
			imajor(inode), iminor(inode), routine);
		bad = 1;
	} else if (tty->magic != TTY_MAGIC) {
		pr_warn("(%d:%d): %s: bad magic number\n",
			imajor(inode), iminor(inode), routine);
		bad = 1;
	}
#endif
	return bad;
}
280 
/*
 * Cross-check tty->count against the number of users that can be counted.
 *
 * The expected value is the number of entries on tty->tty_files, plus one
 * for a pty slave whose link still has a non-zero count, plus one if the
 * port is kernel-opened. On mismatch a warning is logged and the counted
 * value is returned; otherwise (or with CHECK_TTY_COUNT undefined) 0.
 *
 * Caller must hold tty_lock
 */
static int check_tty_count(struct tty_struct *tty, const char *routine)
{
#ifdef CHECK_TTY_COUNT
	struct list_head *pos;
	int nfiles = 0, nkopen = 0;
	int expected;

	spin_lock(&tty->files_lock);
	list_for_each(pos, &tty->tty_files)
		nfiles++;
	spin_unlock(&tty->files_lock);

	if (tty->driver->type == TTY_DRIVER_TYPE_PTY &&
	    tty->driver->subtype == PTY_TYPE_SLAVE &&
	    tty->link && tty->link->count)
		nfiles++;
	if (tty_port_kopened(tty->port))
		nkopen = 1;

	expected = nfiles + nkopen;
	if (tty->count != expected) {
		tty_warn(tty, "%s: tty->count(%d) != (#fd's(%d) + #kopen's(%d))\n",
			 routine, tty->count, nfiles, nkopen);
		return expected;
	}
#endif
	return 0;
}
307 
/**
 *	get_tty_driver		-	find device of a tty
 *	@device: device identifier
 *	@index: returns the index of the tty
 *
 *	Walks the tty_drivers list for the driver whose device number range
 *	[base, base + num) contains @device. On a match the offset into that
 *	range is stored in @index and the result of tty_driver_kref_get() is
 *	returned; NULL is returned (and @index left untouched) otherwise.
 *
 *	Locking: caller must hold tty_mutex
 */
static struct tty_driver *get_tty_driver(dev_t device, int *index)
{
	struct tty_driver *drv;

	list_for_each_entry(drv, &tty_drivers, tty_drivers) {
		dev_t first = MKDEV(drv->major, drv->minor_start);

		if (device >= first && device < first + drv->num) {
			*index = device - first;
			return tty_driver_kref_get(drv);
		}
	}
	return NULL;
}
332 
/**
 *	tty_dev_name_to_number	-	return dev_t for device name
 *	@name: user space name of device under /dev
 *	@number: pointer to dev_t that this function will populate
 *
 *	This function converts device names like ttyS0 or ttyUSB1 into dev_t
 *	like (4, 64) or (188, 1). The name is split at its first digit: the
 *	prefix must equal a registered driver name exactly and the numeric
 *	part must be below that driver's line count.
 *
 *	Returns 0 on success, -EINVAL if @name contains no digit, the
 *	kstrtoint() error if the numeric part does not parse, and -ENODEV if
 *	no registered driver matches.
 *
 *	Locking: this acquires tty_mutex to protect the tty_drivers list from
 *		being modified while we are traversing it, and makes sure to
 *		release it before exiting.
 */
int tty_dev_name_to_number(const char *name, dev_t *number)
{
	struct tty_driver *drv;
	const char *digits = name;
	int prefix_length;
	int index;
	int ret;

	/* skip the alphabetic prefix; the index starts at the first digit */
	while (*digits && !isdigit(*digits))
		digits++;
	if (!*digits)
		return -EINVAL;

	/* parsing starts on a digit, so no sign can be part of the number */
	ret = kstrtoint(digits, 10, &index);
	if (ret)
		return ret;

	prefix_length = digits - name;
	ret = -ENODEV;

	mutex_lock(&tty_mutex);
	list_for_each_entry(drv, &tty_drivers, tty_drivers) {
		if (prefix_length != strlen(drv->name))
			continue;
		if (strncmp(name, drv->name, prefix_length) != 0)
			continue;
		/* right driver name but line out of range: keep searching */
		if (index >= drv->num)
			continue;

		*number = MKDEV(drv->major, drv->minor_start + index);
		ret = 0;
		break;
	}
	mutex_unlock(&tty_mutex);

	return ret;
}
EXPORT_SYMBOL_GPL(tty_dev_name_to_number);
382 
#ifdef CONFIG_CONSOLE_POLL

/**
 *	tty_find_polling_driver	-	find device of a polled tty
 *	@name: name string to match
 *	@line: pointer to resulting tty line nr
 *
 *	This routine returns a tty driver structure, given a name
 *	and the condition that the tty driver is capable of polled
 *	operation. @name is split at the first digit or comma; the text
 *	before it selects the driver, the number is the line, and anything
 *	after an optional comma is handed to the driver's poll_init method.
 *
 *	Returns the result of tty_driver_kref_get() for the first driver
 *	whose poll_init succeeds (with @line set), or NULL.
 *
 *	Locking: takes tty_mutex while walking the tty_drivers list.
 */
struct tty_driver *tty_find_polling_driver(char *name, int *line)
{
	struct tty_driver *drv, *found = NULL;
	int tty_line = 0;
	int len;
	char *str, *options;

	for (str = name; *str; str++) {
		char c = *str;

		if (c == ',' || (c >= '0' && c <= '9'))
			break;
	}
	if (!*str)
		return NULL;

	len = str - name;
	tty_line = simple_strtoul(str, &str, 10);

	/* the option string does not depend on the driver: work it out once */
	options = str;
	if (*options == ',')
		options++;
	if (*options == '\0')
		options = NULL;

	mutex_lock(&tty_mutex);
	/* Search through the tty devices to look for a match */
	list_for_each_entry(drv, &tty_drivers, tty_drivers) {
		/*
		 * NOTE(review): only the first len characters are compared,
		 * so a driver whose name merely starts with the requested
		 * prefix also matches here.
		 */
		if (!len || strncmp(name, drv->name, len) != 0)
			continue;

		/* tty_line is an int: the >= 0 test rejects a wrapped value */
		if (tty_line >= 0 && tty_line < drv->num && drv->ops &&
		    drv->ops->poll_init &&
		    !drv->ops->poll_init(drv, tty_line, options)) {
			found = tty_driver_kref_get(drv);
			*line = tty_line;
			break;
		}
	}
	mutex_unlock(&tty_mutex);

	return found;
}
EXPORT_SYMBOL_GPL(tty_find_polling_driver);
#endif
434 
/* read method of a hung-up tty file: always reports end of file (0 bytes) */
static ssize_t hung_up_tty_read(struct file *file, char __user *buf,
				size_t count, loff_t *ppos)
{
	return 0;
}
440 
/* write method of a hung-up tty file: nothing is written, always -EIO */
static ssize_t hung_up_tty_write(struct file *file, const char __user *buf,
				 size_t count, loff_t *ppos)
{
	return -EIO;
}
446 
/*
 * poll method of a hung-up tty file: every event, including EPOLLERR and
 * EPOLLHUP, is reported as ready.
 *
 * No kernel lock held - none needed ;)
 */
static __poll_t hung_up_tty_poll(struct file *filp, poll_table *wait)
{
	__poll_t mask = EPOLLIN | EPOLLOUT | EPOLLERR | EPOLLHUP |
			EPOLLRDNORM | EPOLLWRNORM;

	return mask;
}
452 
/*
 * ioctl method of a hung-up tty file: TIOCSPGRP fails with -ENOTTY, every
 * other command with -EIO.
 */
static long hung_up_tty_ioctl(struct file *file, unsigned int cmd,
		unsigned long arg)
{
	if (cmd == TIOCSPGRP)
		return -ENOTTY;
	return -EIO;
}
458 
/*
 * compat ioctl method of a hung-up tty file; same results as
 * hung_up_tty_ioctl(): -ENOTTY for TIOCSPGRP, -EIO for anything else.
 */
static long hung_up_tty_compat_ioctl(struct file *file,
				     unsigned int cmd, unsigned long arg)
{
	if (cmd == TIOCSPGRP)
		return -ENOTTY;
	return -EIO;
}
464 
/* fasync method of a hung-up tty file: always refused with -ENOTTY */
static int hung_up_tty_fasync(int fd, struct file *file, int on)
{
	return -ENOTTY;
}
469 
/*
 * fdinfo hook: forward to the driver's show_fdinfo method when the tty,
 * its ops table and that method are all present; otherwise print nothing.
 */
static void tty_show_fdinfo(struct seq_file *m, struct file *file)
{
	struct tty_struct *tty = file_tty(file);

	if (!tty || !tty->ops || !tty->ops->show_fdinfo)
		return;

	tty->ops->show_fdinfo(tty, m);
}
477 
/* File operations of an ordinary tty device file */
static const struct file_operations tty_fops = {
	.llseek		= no_llseek,
	.read		= tty_read,
	.write		= tty_write,
	.poll		= tty_poll,
	.unlocked_ioctl	= tty_ioctl,
	.compat_ioctl	= tty_compat_ioctl,
	.open		= tty_open,
	.release	= tty_release,
	.fasync		= tty_fasync,
	.show_fdinfo	= tty_show_fdinfo,
};
490 
/*
 * File operations of the console device: as tty_fops, except that writes
 * go through redirected_tty_write() and there is no show_fdinfo hook.
 */
static const struct file_operations console_fops = {
	.llseek		= no_llseek,
	.read		= tty_read,
	.write		= redirected_tty_write,
	.poll		= tty_poll,
	.unlocked_ioctl	= tty_ioctl,
	.compat_ioctl	= tty_compat_ioctl,
	.open		= tty_open,
	.release	= tty_release,
	.fasync		= tty_fasync,
};
502 
/*
 * File operations installed on a tty file by __tty_hangup(). Every data
 * path is a stub that fails or reports EOF; only .release still reaches
 * the real tty code, and there is no .open method.
 */
static const struct file_operations hung_up_tty_fops = {
	.llseek		= no_llseek,
	.read		= hung_up_tty_read,
	.write		= hung_up_tty_write,
	.poll		= hung_up_tty_poll,
	.unlocked_ioctl	= hung_up_tty_ioctl,
	.compat_ioctl	= hung_up_tty_compat_ioctl,
	.release	= tty_release,
	.fasync		= hung_up_tty_fasync,
};
513 
/*
 * File that console writes are currently redirected to, if any. The
 * pointer is read and changed under redirect_lock.
 */
static DEFINE_SPINLOCK(redirect_lock);
static struct file *redirect;

extern void tty_sysctl_init(void);
518 
/**
 *	tty_wakeup	-	request more data
 *	@tty: terminal
 *
 *	Internal and external helper for wakeups of tty. This function
 *	informs the line discipline if present that the driver is ready
 *	to receive more output data. The line discipline callback is only
 *	made when TTY_DO_WRITE_WAKEUP is set; sleepers on write_wait are
 *	woken in every case.
 */
void tty_wakeup(struct tty_struct *tty)
{
	if (test_bit(TTY_DO_WRITE_WAKEUP, &tty->flags)) {
		struct tty_ldisc *disc = tty_ldisc_ref(tty);

		if (disc != NULL) {
			if (disc->ops->write_wakeup)
				disc->ops->write_wakeup(tty);
			tty_ldisc_deref(disc);
		}
	}

	wake_up_interruptible_poll(&tty->write_wait, EPOLLOUT);
}
EXPORT_SYMBOL_GPL(tty_wakeup);
544 
/**
 *	__tty_hangup		-	actual handler for hangup events
 *	@tty: tty device
 *	@exit_session: passed through to tty_signal_session_leader()
 *
 *	This can be called by a "kworker" kernel thread.  That is process
 *	synchronous but doesn't hold any locks, so we need to make sure we
 *	have the appropriate locks for what we're doing.
 *
 *	The hangup event clears any pending redirections onto the hung up
 *	device. It ensures future writes will error and it does the needed
 *	line discipline hangup and signal delivery. The tty object itself
 *	remains intact.
 *
 *	Files on the tty whose write method is tty_write get their f_op
 *	replaced by hung_up_tty_fops; files using redirected_tty_write
 *	(the console) are left as they are.
 *
 *	Locking:
 *		BTM
 *		  redirect lock for undoing redirection
 *		  file list lock for manipulating list of ttys
 *		  tty_ldiscs_lock from called functions
 *		  termios_rwsem resetting termios data
 *		  tasklist_lock to walk task list for hangup event
 *		    ->siglock to protect ->signal/->sighand
 */
static void __tty_hangup(struct tty_struct *tty, int exit_session)
{
	struct file *console_file = NULL;
	struct file *stale_redirect = NULL;
	struct tty_file_private *fpriv;
	int closecount = 0;
	int refs;
	int n;

	if (!tty)
		return;

	/* detach a console redirection that points at this tty */
	spin_lock(&redirect_lock);
	if (redirect && file_tty(redirect) == tty) {
		stale_redirect = redirect;
		redirect = NULL;
	}
	spin_unlock(&redirect_lock);

	tty_lock(tty);

	if (test_bit(TTY_HUPPED, &tty->flags)) {
		/*
		 * NOTE(review): this early return does not fput() a
		 * redirect file detached above - confirm that case cannot
		 * occur for an already hung-up tty.
		 */
		tty_unlock(tty);
		return;
	}

	/*
	 * Some console devices aren't actually hung up for technical and
	 * historical reasons, which can lead to indefinite interruptible
	 * sleep in n_tty_read().  The following explicitly tells
	 * n_tty_read() to abort readers.
	 */
	set_bit(TTY_HUPPING, &tty->flags);

	/*
	 * inuse_filps is protected by the single tty lock,
	 * this really needs to change if we want to flush the
	 * workqueue with the lock held
	 */
	check_tty_count(tty, "tty_hangup");

	spin_lock(&tty->files_lock);
	/* This breaks for file handles being sent over AF_UNIX sockets ? */
	list_for_each_entry(fpriv, &tty->tty_files, list) {
		struct file *filp = fpriv->file;

		if (filp->f_op->write == redirected_tty_write)
			console_file = filp;
		if (filp->f_op->write != tty_write)
			continue;

		closecount++;
		__tty_fasync(-1, filp, 0);	/* can't block */
		/* from here on this file only reaches the hung-up stubs */
		filp->f_op = &hung_up_tty_fops;
	}
	spin_unlock(&tty->files_lock);

	refs = tty_signal_session_leader(tty, exit_session);
	/* Account for the p->signal references we killed */
	for (; refs; refs--)
		tty_kref_put(tty);

	tty_ldisc_hangup(tty, console_file != NULL);

	/* forget the session and foreground process group of the tty */
	spin_lock_irq(&tty->ctrl_lock);
	clear_bit(TTY_THROTTLED, &tty->flags);
	clear_bit(TTY_DO_WRITE_WAKEUP, &tty->flags);
	put_pid(tty->session);
	put_pid(tty->pgrp);
	tty->session = NULL;
	tty->pgrp = NULL;
	tty->ctrl_status = 0;
	spin_unlock_irq(&tty->ctrl_lock);

	/*
	 * If one of the devices matches a console pointer, we
	 * cannot just call hangup() because that will cause
	 * tty->count and state->count to go out of sync.
	 * So we just call close() the right number of times.
	 */
	if (console_file) {
		if (tty->ops->close) {
			for (n = 0; n < closecount; n++)
				tty->ops->close(tty, console_file);
		}
	} else if (tty->ops->hangup) {
		tty->ops->hangup(tty);
	}

	/*
	 * We don't want to have driver/ldisc interactions beyond the ones
	 * we did here. The driver layer expects no calls after ->hangup()
	 * from the ldisc side, which is now guaranteed.
	 */
	set_bit(TTY_HUPPED, &tty->flags);
	clear_bit(TTY_HUPPING, &tty->flags);
	tty_unlock(tty);

	/* drop the reference that the redirect pointer was holding */
	if (stale_redirect)
		fput(stale_redirect);
}
661 
/*
 * Work handler behind tty_hangup(): recover the tty from its embedded
 * hangup_work item and run the hangup with exit_session == 0.
 */
static void do_tty_hangup(struct work_struct *work)
{
	__tty_hangup(container_of(work, struct tty_struct, hangup_work), 0);
}
669 
/**
 *	tty_hangup		-	trigger a hangup event
 *	@tty: tty to hangup
 *
 *	A carrier loss (virtual or otherwise) has occurred on this line;
 *	schedule a hangup sequence to run after this event. The hangup is
 *	asynchronous: this only queues the tty's hangup_work, so the hangup
 *	need not have happened yet when the function returns.
 */
void tty_hangup(struct tty_struct *tty)
{
	struct work_struct *hangup = &tty->hangup_work;

	tty_debug_hangup(tty, "hangup\n");
	schedule_work(hangup);
}
EXPORT_SYMBOL(tty_hangup);
685 
/**
 *	tty_vhangup		-	process vhangup
 *	@tty: tty to hangup
 *
 *	The user has asked via system call for the terminal to be hung up.
 *	We do this synchronously so that when the syscall returns the process
 *	is complete. That guarantee is necessary for security reasons: the
 *	hangup runs in the caller's context rather than being queued as
 *	tty_hangup() does.
 */
void tty_vhangup(struct tty_struct *tty)
{
	const int exit_session = 0;

	tty_debug_hangup(tty, "vhangup\n");
	__tty_hangup(tty, exit_session);
}
EXPORT_SYMBOL(tty_vhangup);
702 
703 
/**
 *	tty_vhangup_self	-	process vhangup for own ctty
 *
 *	Perform a vhangup on the current controlling tty. Does nothing when
 *	get_current_tty() returns NULL.
 */
void tty_vhangup_self(void)
{
	struct tty_struct *ctty = get_current_tty();

	if (!ctty)
		return;

	tty_vhangup(ctty);
	/* pairs with get_current_tty() above */
	tty_kref_put(ctty);
}
720 
/**
 *	tty_vhangup_session		-	hangup session leader exit
 *	@tty: tty to hangup
 *
 *	The session leader is exiting and hanging up its controlling terminal.
 *	Every process in the foreground process group is signalled SIGHUP.
 *
 *	We do this synchronously so that when the syscall returns the process
 *	is complete. That guarantee is necessary for security reasons.
 */
void tty_vhangup_session(struct tty_struct *tty)
{
	const int exit_session = 1;

	tty_debug_hangup(tty, "session hangup\n");
	__tty_hangup(tty, exit_session);
}
737 
/**
 *	tty_hung_up_p		-	was tty hung up
 *	@filp: file pointer of tty
 *
 *	Return true if the tty has been subject to a vhangup or a carrier
 *	loss. The test is whether the file's operations have been switched
 *	to hung_up_tty_fops; a NULL @filp yields false.
 */
int tty_hung_up_p(struct file *filp)
{
	if (!filp)
		return 0;
	return filp->f_op == &hung_up_tty_fops;
}
EXPORT_SYMBOL(tty_hung_up_p);
752 
/**
 *	stop_tty	-	propagate flow control
 *	@tty: tty to stop
 *
 *	Perform flow control to the driver. May be called
 *	on an already stopped device and will not re-call the driver
 *	method.
 *
 *	This functionality is used by both the line disciplines for
 *	halting incoming flow and by the driver. It may therefore be
 *	called from any context, may be under the tty atomic_write_lock
 *	but not always.
 *
 *	Locking:
 *		flow_lock
 */

/* Variant that takes no lock itself; stop_tty() calls it under flow_lock */
void __stop_tty(struct tty_struct *tty)
{
	if (!tty->stopped) {
		tty->stopped = 1;
		if (tty->ops->stop)
			tty->ops->stop(tty);
	}
}
778 
/* Stop the tty: runs __stop_tty() with flow_lock held and interrupts saved */
void stop_tty(struct tty_struct *tty)
{
	unsigned long irqflags;

	spin_lock_irqsave(&tty->flow_lock, irqflags);
	__stop_tty(tty);
	spin_unlock_irqrestore(&tty->flow_lock, irqflags);
}
EXPORT_SYMBOL(stop_tty);
788 
/**
 *	start_tty	-	propagate flow control
 *	@tty: tty to start
 *
 *	Start a tty that has been stopped if at all possible. If this
 *	tty was previously stopped and is now being started, the driver
 *	start method is invoked and the line discipline woken. Nothing
 *	happens while flow_stopped is set.
 *
 *	Locking:
 *		flow_lock
 */

/* Variant that takes no lock itself; start_tty() calls it under flow_lock */
void __start_tty(struct tty_struct *tty)
{
	if (tty->stopped && !tty->flow_stopped) {
		tty->stopped = 0;
		if (tty->ops->start)
			tty->ops->start(tty);
		tty_wakeup(tty);
	}
}
810 
/* Start the tty: runs __start_tty() with flow_lock held and interrupts saved */
void start_tty(struct tty_struct *tty)
{
	unsigned long irqflags;

	spin_lock_irqsave(&tty->flow_lock, irqflags);
	__start_tty(tty);
	spin_unlock_irqrestore(&tty->flow_lock, irqflags);
}
EXPORT_SYMBOL(start_tty);
820 
/*
 * Refresh a tty inode timestamp with deliberately coarse granularity.
 *
 * The stored seconds value is only replaced when it differs from the
 * current time in anything other than the lower three bits (i.e. every
 * 8 seconds). Updating it on every access could be construed as a
 * security leak, because it would let userspace know the exact timing
 * of activity on the tty.
 */
static void tty_update_time(struct timespec64 *time)
{
	time64_t now = ktime_get_real_seconds();
	time64_t changed_bits = now ^ time->tv_sec;

	/* ignore differences confined to the low three bits */
	if ((changed_bits & ~7) != 0)
		time->tv_sec = now;
}
834 
/**
 *	tty_read	-	read method for tty device files
 *	@file: pointer to tty file
 *	@buf: user buffer
 *	@count: size of user buffer
 *	@ppos: unused
 *
 *	Perform the read system call function on this terminal device. Checks
 *	for hung up devices before calling the line discipline method.
 *
 *	Returns the line discipline's result, -EIO if the tty fails the
 *	sanity checks or the discipline has no read method, or 0 if no line
 *	discipline reference can be obtained.
 *
 *	Locking:
 *		Locks the line discipline internally while needed. Multiple
 *	read calls may be outstanding in parallel.
 */
static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
			loff_t *ppos)
{
	struct inode *inode = file_inode(file);
	struct tty_struct *tty = file_tty(file);
	struct tty_ldisc *disc;
	int nread;

	if (tty_paranoia_check(tty, inode, "tty_read"))
		return -EIO;
	if (!tty || tty_io_error(tty))
		return -EIO;

	/*
	 * We want to wait for the line discipline to sort out in this
	 * situation
	 */
	disc = tty_ldisc_ref_wait(tty);
	if (!disc)
		return hung_up_tty_read(file, buf, count, ppos);

	nread = disc->ops->read ? disc->ops->read(tty, file, buf, count) : -EIO;
	tty_ldisc_deref(disc);

	/* only a successful read touches the (coarse) access time */
	if (nread > 0)
		tty_update_time(&inode->i_atime);

	return nread;
}
879 
/* Release atomic_write_lock and wake anyone polling write_wait for EPOLLOUT */
static void tty_write_unlock(struct tty_struct *tty)
{
	struct mutex *wlock = &tty->atomic_write_lock;

	mutex_unlock(wlock);
	wake_up_interruptible_poll(&tty->write_wait, EPOLLOUT);
}
885 
/*
 * Take atomic_write_lock for a writer.
 *
 * Returns 0 with the lock held, -EAGAIN if the lock is busy and @ndelay
 * is non-zero, or -ERESTARTSYS if the interruptible wait is interrupted.
 */
static int tty_write_lock(struct tty_struct *tty, int ndelay)
{
	if (mutex_trylock(&tty->atomic_write_lock))
		return 0;

	/* contended: a non-blocking caller gives up here */
	if (ndelay)
		return -EAGAIN;

	if (mutex_lock_interruptible(&tty->atomic_write_lock))
		return -ERESTARTSYS;

	return 0;
}
896 
/*
 * Split writes up in sane blocksizes to avoid
 * denial-of-service type attacks
 *
 * The user data is copied chunk by chunk into tty->write_buf and each
 * chunk is passed to @write. Returns the number of bytes written if any
 * were, otherwise the error that stopped the loop (or the lock error).
 */
static inline ssize_t do_tty_write(
	ssize_t (*write)(struct tty_struct *, struct file *, const unsigned char *, size_t),
	struct tty_struct *tty,
	struct file *file,
	const char __user *buf,
	size_t count)
{
	ssize_t ret, written = 0;
	unsigned int chunk;

	ret = tty_write_lock(tty, file->f_flags & O_NDELAY);
	if (ret < 0)
		return ret;

	/*
	 * We chunk up writes into a temporary buffer. This
	 * simplifies low-level drivers immensely, since they
	 * don't have locking issues and user mode accesses.
	 *
	 * But if TTY_NO_WRITE_SPLIT is set, we should use a
	 * big chunk-size..
	 *
	 * The default chunk-size is 2kB, because the NTTY
	 * layer has problems with bigger chunks. It will
	 * claim to be able to handle more characters than
	 * it actually does.
	 *
	 * FIXME: This can probably go away now except that 64K chunks
	 * are too likely to fail unless switched to vmalloc...
	 */
	chunk = test_bit(TTY_NO_WRITE_SPLIT, &tty->flags) ? 65536 : 2048;
	if (count < chunk)
		chunk = count;

	/* write_buf/write_cnt is protected by the atomic_write_lock mutex */
	if (tty->write_cnt < chunk) {
		unsigned char *bigger;

		/* never allocate less than 1kB for the bounce buffer */
		if (chunk < 1024)
			chunk = 1024;

		bigger = kmalloc(chunk, GFP_KERNEL);
		if (!bigger) {
			ret = -ENOMEM;
			goto out;
		}
		kfree(tty->write_buf);
		tty->write_cnt = chunk;
		tty->write_buf = bigger;
	}

	/* Do the write .. */
	for (;;) {
		/* size never exceeds chunk, which fits the buffer set up above */
		size_t size = count > chunk ? chunk : count;

		if (copy_from_user(tty->write_buf, buf, size)) {
			ret = -EFAULT;
			break;
		}

		ret = write(tty, file, tty->write_buf, size);
		if (ret <= 0)
			break;

		written += ret;
		buf += ret;
		count -= ret;
		if (!count)
			break;

		/* give signals and the scheduler a chance between chunks */
		if (signal_pending(current)) {
			ret = -ERESTARTSYS;
			break;
		}
		cond_resched();
	}

	/* partial progress wins over whatever error ended the loop */
	if (written) {
		tty_update_time(&file_inode(file)->i_mtime);
		ret = written;
	}
out:
	tty_write_unlock(tty);
	return ret;
}
983 
/**
 * tty_write_message - write a message to a certain tty, not just the console.
 * @tty: the destination tty_struct
 * @msg: the message to write
 *
 * This is used for messages that need to be redirected to a specific tty.
 * We don't put it into the syslog queue right now maybe in the future if
 * really needed.
 *
 * The message is handed straight to the driver's write method, and only
 * when that method exists and tty->count is positive. A NULL @tty is
 * ignored.
 *
 * We must still hold the BTM and test the CLOSING flag for the moment.
 */
void tty_write_message(struct tty_struct *tty, char *msg)
{
	if (!tty)
		return;

	/* unlike tty_write_lock(), this wait cannot be interrupted */
	mutex_lock(&tty->atomic_write_lock);
	tty_lock(tty);
	if (tty->ops->write && tty->count > 0)
		tty->ops->write(tty, msg, strlen(msg));
	tty_unlock(tty);
	tty_write_unlock(tty);
}
1008 
1009 
/**
 *	tty_write		-	write method for tty device file
 *	@file: tty file pointer
 *	@buf: user data to write
 *	@count: bytes to write
 *	@ppos: unused
 *
 *	Write data to a tty device via the line discipline.
 *
 *	Returns the result of do_tty_write(), or -EIO if the tty fails the
 *	sanity checks, the driver or the line discipline has no write
 *	method, or no line discipline reference can be obtained.
 *
 *	Locking:
 *		Locks the line discipline as required
 *		Writes to the tty driver are serialized by the atomic_write_lock
 *	and are then processed in chunks to the device. The line discipline
 *	write method will not be invoked in parallel for each device.
 */
static ssize_t tty_write(struct file *file, const char __user *buf,
						size_t count, loff_t *ppos)
{
	struct tty_struct *tty = file_tty(file);
	struct tty_ldisc *disc;
	ssize_t ret;

	if (tty_paranoia_check(tty, file_inode(file), "tty_write"))
		return -EIO;
	if (!tty || !tty->ops->write || tty_io_error(tty))
		return -EIO;

	/* Short term debug to catch buggy drivers */
	if (tty->ops->write_room == NULL)
		tty_err(tty, "missing write_room method\n");

	disc = tty_ldisc_ref_wait(tty);
	if (!disc)
		return hung_up_tty_write(file, buf, count, ppos);

	ret = disc->ops->write ?
		do_tty_write(disc->ops->write, tty, file, buf, count) : -EIO;
	tty_ldisc_deref(disc);

	return ret;
}
1050 
/*
 * Write method that honours output redirection: when a redirect target
 * is set the data is written to that file, otherwise to the tty itself.
 */
ssize_t redirected_tty_write(struct file *file, const char __user *buf,
						size_t count, loff_t *ppos)
{
	struct file *target = NULL;
	ssize_t res;

	/* Take a reference on the redirect target while redirect_lock is held. */
	spin_lock(&redirect_lock);
	if (redirect)
		target = get_file(redirect);
	spin_unlock(&redirect_lock);

	if (!target)
		return tty_write(file, buf, count, ppos);

	/*
	 * The write runs after the lock has been dropped; the reference taken
	 * above is held until fput() below.
	 */
	res = vfs_write(target, buf, count, &target->f_pos);
	fput(target);
	return res;
}
1069 
1070 /**
1071  *	tty_send_xchar	-	send priority character
1072  *
1073  *	Send a high priority character to the tty even if stopped
1074  *
1075  *	Locking: none for xchar method, write ordering for write method.
1076  */
1077 
int tty_send_xchar(struct tty_struct *tty, char ch)
{
	/*
	 * NOTE(review): sampled before any lock below is taken, so the value
	 * may be stale by the time it is used; confirm that is acceptable.
	 */
	int stopped_before = tty->stopped;

	/* Preferred path: the driver provides its own send_xchar method. */
	if (tty->ops->send_xchar) {
		down_read(&tty->termios_rwsem);
		tty->ops->send_xchar(tty, ch);
		up_read(&tty->termios_rwsem);
		return 0;
	}

	/* Fallback: send the character through the ordinary write op. */
	if (tty_write_lock(tty, 0) < 0)
		return -ERESTARTSYS;

	down_read(&tty->termios_rwsem);
	/* A stopped tty is restarted just for this one character. */
	if (stopped_before)
		start_tty(tty);
	tty->ops->write(tty, &ch, 1);
	if (stopped_before)
		stop_tty(tty);
	up_read(&tty->termios_rwsem);
	tty_write_unlock(tty);
	return 0;
}
1102 
/*
 * Letter table for pty names: pty_line_name() picks one of these 16
 * characters using bits 4-7 of the line number.
 */
static char ptychar[] = "pqrstuvwxyzabcde";
1104 
1105 /**
1106  *	pty_line_name	-	generate name for a pty
1107  *	@driver: the tty driver in use
1108  *	@index: the minor number
1109  *	@p: output buffer of at least 6 bytes
1110  *
1111  *	Generate a name from a driver reference and write it to the output
1112  *	buffer.
1113  *
1114  *	Locking: None
1115  */
static void pty_line_name(struct tty_driver *driver, int index, char *p)
{
	int line = index + driver->name_base;
	/* ->name is initialized to "ttyp", but "tty" is expected */
	const char *prefix = driver->name;

	if (driver->subtype == PTY_TYPE_SLAVE)
		prefix = "tty";

	/*
	 * Layout: prefix, one letter from ptychar (bits 4-7 of the line
	 * number), one hex digit (bits 0-3).
	 * NOTE(review): sprintf() is unbounded and no buffer size is passed
	 * in, so the result only fits a small buffer while the prefix is
	 * short. Callers must size @p for the driver name in use.
	 */
	sprintf(p, "%s%c%x", prefix, ptychar[line >> 4 & 0xf], line & 0xf);
}
1124 
1125 /**
1126  *	tty_line_name	-	generate name for a tty
1127  *	@driver: the tty driver in use
1128  *	@index: the minor number
1129  *	@p: output buffer of at least 7 bytes
1130  *
1131  *	Generate a name from a driver reference and write it to the output
1132  *	buffer.
1133  *
1134  *	Locking: None
1135  */
static ssize_t tty_line_name(struct tty_driver *driver, int index, char *p)
{
	/*
	 * Numbered nodes are "<name><index + name_base>"; unnumbered ones are
	 * just "<name>". The return value is whatever sprintf() reports.
	 * NOTE(review): sprintf() is unbounded and the buffer size is not a
	 * parameter, so @p must be large enough for the driver name plus the
	 * decimal number; the caller has to guarantee that.
	 */
	if (!(driver->flags & TTY_DRIVER_UNNUMBERED_NODE))
		return sprintf(p, "%s%d", driver->name,
			       index + driver->name_base);

	return sprintf(p, "%s", driver->name);
}
1144 
1145 /**
1146  *	tty_driver_lookup_tty() - find an existing tty, if any
1147  *	@driver: the driver for the tty
1148  *	@idx:	 the minor number
1149  *
1150  *	Return the tty, if found. If not found, return NULL or ERR_PTR() if the
1151  *	driver lookup() method returns an error.
1152  *
1153  *	Locking: tty_mutex must be held. If the tty is found, bump the tty kref.
1154  */
static struct tty_struct *tty_driver_lookup_tty(struct tty_driver *driver,
		struct file *file, int idx)
{
	struct tty_struct *found;

	if (!driver->ops->lookup) {
		/*
		 * NOTE(review): idx is used as an array index without a range
		 * check here; presumably the caller has validated it.
		 */
		found = driver->ttys[idx];
	} else if (file) {
		found = driver->ops->lookup(driver, file, idx);
	} else {
		/* The driver lookup() method is not called without a file. */
		found = ERR_PTR(-EIO);
	}

	/*
	 * Anything that is not an error pointer gets a reference, which
	 * includes the NULL "not found" case; tty_kref_get() presumably
	 * tolerates NULL (verify against its definition).
	 */
	if (!IS_ERR(found))
		tty_kref_get(found);
	return found;
}
1172 
1173 /**
1174  *	tty_init_termios	-  helper for termios setup
1175  *	@tty: the tty to set up
1176  *
1177  *	Initialise the termios structure for this tty. This runs under
1178  *	the tty_mutex currently so we can be relaxed about ordering.
1179  */
1180 
void tty_init_termios(struct tty_struct *tty)
{
	struct tty_driver *drv = tty->driver;
	struct ktermios *saved = NULL;

	/* Check for lazy saved data, unless the driver always resets. */
	if (!(drv->flags & TTY_DRIVER_RESET_TERMIOS))
		saved = drv->termios[tty->index];

	if (saved) {
		tty->termios = *saved;
		/* c_line is always taken from the driver defaults, never from the saved copy. */
		tty->termios.c_line = drv->init_termios.c_line;
	} else {
		tty->termios = drv->init_termios;
	}

	/* Compatibility until drivers always set this */
	tty->termios.c_ispeed = tty_termios_input_baud_rate(&tty->termios);
	tty->termios.c_ospeed = tty_termios_baud_rate(&tty->termios);
}
EXPORT_SYMBOL_GPL(tty_init_termios);
1202 
/*
 * Default install step, used by tty_driver_install_tty() when the driver
 * has no install op: initialise termios, take a driver reference, count
 * the open and store the tty in the driver's table. Always returns 0.
 */
int tty_standard_install(struct tty_driver *driver, struct tty_struct *tty)
{
	tty_init_termios(tty);
	tty_driver_kref_get(driver);
	tty->count++;
	/* NOTE(review): tty->index is trusted to be a valid slot in driver->ttys. */
	driver->ttys[tty->index] = tty;
	return 0;
}
EXPORT_SYMBOL_GPL(tty_standard_install);
1212 
1213 /**
1214  *	tty_driver_install_tty() - install a tty entry in the driver
1215  *	@driver: the driver for the tty
1216  *	@tty: the tty
1217  *
1218  *	Install a tty object into the driver tables. The tty->index field
1219  *	will be set by the time this is called. This method is responsible
1220  *	for ensuring any needed additional structures are allocated and
1221  *	configured.
1222  *
1223  *	Locking: tty_mutex for now
1224  */
static int tty_driver_install_tty(struct tty_driver *driver,
						struct tty_struct *tty)
{
	/* Drivers without their own install op get the standard install. */
	if (!driver->ops->install)
		return tty_standard_install(driver, tty);

	return driver->ops->install(driver, tty);
}
1231 
1232 /**
1233  *	tty_driver_remove_tty() - remove a tty from the driver tables
1234  *	@driver: the driver for the tty
1235  *	@tty: tty to remove
1236  *
1237  *	Remove a tty object from the driver tables. The tty->index field
1238  *	will be set by the time this is called.
1239  *
1240  *	Locking: tty_mutex for now
1241  */
static void tty_driver_remove_tty(struct tty_driver *driver, struct tty_struct *tty)
{
	/* Default behaviour: just clear the slot in the driver's table. */
	if (!driver->ops->remove) {
		driver->ttys[tty->index] = NULL;
		return;
	}

	/* Otherwise removal is left entirely to the driver's remove op. */
	driver->ops->remove(driver, tty);
}
1249 
1250 /**
1251  *	tty_reopen()	- fast re-open of an open tty
1252  *	@tty: the tty to open
1253  *
1254  *	Return 0 on success, -errno on error.
1255  *	Re-opens on master ptys are not allowed and return -EIO.
1256  *
1257  *	Locking: Caller must hold tty_lock
1258  */
static int tty_reopen(struct tty_struct *tty)
{
	struct tty_driver *driver = tty->driver;
	struct tty_ldisc *ld;
	int retval;

	if (driver->type == TTY_DRIVER_TYPE_PTY &&
	    driver->subtype == PTY_TYPE_MASTER)
		return -EIO;

	/* A tty with no opens left cannot be re-opened; the caller gets -EAGAIN. */
	if (!tty->count)
		return -EAGAIN;

	/*
	 * Access control: a tty flagged TTY_EXCLUSIVE can only be re-opened
	 * by a task holding CAP_SYS_ADMIN.
	 */
	if (test_bit(TTY_EXCLUSIVE, &tty->flags) && !capable(CAP_SYS_ADMIN))
		return -EBUSY;

	/* Common case: a line discipline reference is available. */
	ld = tty_ldisc_ref_wait(tty);
	if (ld) {
		tty_ldisc_deref(ld);
		tty->count++;
		return 0;
	}

	/* No reference: take the ldisc lock (5 second timeout) and reinit if needed. */
	retval = tty_ldisc_lock(tty, 5 * HZ);
	if (retval)
		return retval;

	if (!tty->ldisc)
		retval = tty_ldisc_reinit(tty, tty->termios.c_line);
	tty_ldisc_unlock(tty);

	/* The open is only counted when everything above succeeded. */
	if (retval)
		return retval;

	tty->count++;
	return 0;
}
1293 
1294 /**
1295  *	tty_init_dev		-	initialise a tty device
1296  *	@driver: tty driver we are opening a device on
1297  *	@idx: device index
1298  *
1299  *	Prepare a tty device. This may not be a "new" clean device but
1300  *	could also be an active device. The pty drivers require special
1301  *	handling because of this.
1302  *
1303  *	Locking:
1304  *		The function is called under the tty_mutex, which
1305  *	protects us from the tty struct or driver itself going away.
1306  *
1307  *	On exit the tty device has the line discipline attached and
1308  *	a reference count of 1. If a pair was created for pty/tty use
1309  *	and the other was a pty master then it too has a reference count of 1.
1310  *
1311  * WSH 06/09/97: Rewritten to remove races and properly clean up after a
1312  * failed open.  The new code protects the open with a mutex, so it's
1313  * really quite straightforward.  The mutex locking can probably be
1314  * relaxed for the (most common) case of reopening a tty.
1315  *
1316  *	Return: returned tty structure
1317  */
1318 
struct tty_struct *tty_init_dev(struct tty_driver *driver, int idx)
{
	struct tty_struct *tty;
	int retval;

	/*
	 * First time open is complex, especially for PTY devices.
	 * This code guarantees that either everything succeeds and the
	 * TTY is ready for operation, or else the table slots are vacated
	 * and the allocated memory released.  (Except that the termios
	 * may be retained.)
	 */

	/* Module reference; dropped again at err_module_put on early failure. */
	if (!try_module_get(driver->owner))
		return ERR_PTR(-ENODEV);

	tty = alloc_tty_struct(driver, idx);
	if (!tty) {
		retval = -ENOMEM;
		goto err_module_put;
	}

	tty_lock(tty);
	retval = tty_driver_install_tty(driver, tty);
	if (retval < 0)
		goto err_free_tty;

	/* Fall back to the driver's port table if install left tty->port unset. */
	if (!tty->port)
		tty->port = driver->ports[idx];

	/*
	 * Bail out instead of dereferencing a NULL port further down
	 * (tty->port->itty is written below).
	 */
	if (WARN_RATELIMIT(!tty->port,
			"%s: %s driver does not set tty->port. This would crash the kernel. Fix the driver!\n",
			__func__, tty->driver->name)) {
		retval = -EINVAL;
		goto err_release_lock;
	}

	retval = tty_ldisc_lock(tty, 5 * HZ);
	if (retval)
		goto err_release_lock;
	tty->port->itty = tty;

	/*
	 * Structures all installed ... call the ldisc open routines.
	 * If we fail here just call release_tty to clean up.  No need
	 * to decrement the use counts, as release_tty doesn't care.
	 */
	retval = tty_ldisc_setup(tty, tty->link);
	if (retval)
		goto err_release_tty;
	tty_ldisc_unlock(tty);
	/* Return the tty locked so that it cannot vanish under the caller */
	return tty;

	/* Install failed: unlock and free the tty directly, then drop the module. */
err_free_tty:
	tty_unlock(tty);
	free_tty_struct(tty);
err_module_put:
	module_put(driver->owner);
	return ERR_PTR(retval);

	/* call the tty release_tty routine to clean out this slot */
err_release_tty:
	tty_ldisc_unlock(tty);
	tty_info_ratelimited(tty, "ldisc open failed (%d), clearing slot %d\n",
			     retval, idx);
	/* Failures after a successful install are unwound through release_tty(). */
err_release_lock:
	tty_unlock(tty);
	release_tty(tty, idx);
	return ERR_PTR(retval);
}
1390 
1391 /**
1392  * tty_save_termios() - save tty termios data in driver table
1393  * @tty: tty whose termios data to save
1394  *
1395  * Locking: Caller guarantees serialisation with tty_init_termios().
1396  */
void tty_save_termios(struct tty_struct *tty)
{
	struct tty_driver *drv = tty->driver;
	struct ktermios *saved;
	int idx = tty->index;

	/* If the port is going to reset then it has no termios to save */
	if (drv->flags & TTY_DRIVER_RESET_TERMIOS)
		return;

	/* Reuse the per-index save slot, allocating it on first use. */
	saved = drv->termios[idx];
	if (!saved) {
		saved = kmalloc(sizeof(*saved), GFP_KERNEL);
		/* Best effort: on allocation failure nothing is saved. */
		if (!saved)
			return;
		drv->termios[idx] = saved;
	}

	/* Stash the termios data */
	*saved = tty->termios;
}
EXPORT_SYMBOL_GPL(tty_save_termios);
1417 
1418 /**
1419  *	tty_flush_works		-	flush all works of a tty/pty pair
1420  *	@tty: tty device to flush works for (or either end of a pty pair)
1421  *
1422  *	Sync flush all works belonging to @tty (and the 'other' tty).
1423  */
static void tty_flush_works(struct tty_struct *tty)
{
	struct tty_struct *peer;

	flush_work(&tty->SAK_work);
	flush_work(&tty->hangup_work);

	/* Same two work items on the linked tty, if there is one. */
	peer = tty->link;
	if (!peer)
		return;

	flush_work(&peer->SAK_work);
	flush_work(&peer->hangup_work);
}
1433 
1434 /**
1435  *	release_one_tty		-	release tty structure memory
1436  *	@work: work of tty we are obliterating
1437  *
1438  *	Releases memory associated with a tty structure, and clears out the
1439  *	driver table slots. This function is called when a device is no longer
1440  *	in use. It also gets called when setup of a device fails.
1441  *
1442  *	Locking:
1443  *		takes the file list lock internally when working on the list
1444  *	of ttys that the driver keeps.
1445  *
1446  *	This method gets called from a work queue so that the driver private
1447  *	cleanup ops can sleep (needed for USB at least)
1448  */
static void release_one_tty(struct work_struct *work)
{
	/* The work item is the tty's hangup_work (see queue_release_one_tty()). */
	struct tty_struct *tty =
		container_of(work, struct tty_struct, hangup_work);
	struct tty_driver *driver = tty->driver;
	/* Captured up front: used below after the driver reference is dropped. */
	struct module *owner = driver->owner;

	if (tty->ops->cleanup)
		tty->ops->cleanup(tty);

	/* NOTE(review): presumably makes later paranoia checks reject this struct - confirm. */
	tty->magic = 0;
	tty_driver_kref_put(driver);
	module_put(owner);

	/* Detach the files list head under files_lock before the struct is freed. */
	spin_lock(&tty->files_lock);
	list_del_init(&tty->tty_files);
	spin_unlock(&tty->files_lock);

	put_pid(tty->pgrp);
	put_pid(tty->session);
	free_tty_struct(tty);
}
1471 
/*
 * kref release callback for a tty (passed to kref_put() by tty_kref_put()):
 * defers the actual teardown to release_one_tty() on a work queue.
 */
static void queue_release_one_tty(struct kref *kref)
{
	struct tty_struct *dying = container_of(kref, struct tty_struct, kref);

	/*
	 * The hangup work item is no longer needed at this point, so it is
	 * reused for the release instead of spending extra memory per port.
	 */
	INIT_WORK(&dying->hangup_work, release_one_tty);
	schedule_work(&dying->hangup_work);
}
1481 
1482 /**
1483  *	tty_kref_put		-	release a tty kref
1484  *	@tty: tty device
1485  *
1486  *	Release a reference to a tty device and if need be let the kref
1487  *	layer destruct the object for us
1488  */
1489 
void tty_kref_put(struct tty_struct *tty)
{
	/* NULL is accepted, so callers may pass an optional tty such as tty->link. */
	if (!tty)
		return;

	/* Dropping the last reference queues the release via queue_release_one_tty(). */
	kref_put(&tty->kref, queue_release_one_tty);
}
EXPORT_SYMBOL(tty_kref_put);
1496 
1497 /**
1498  *	release_tty		-	release tty structure memory
1499  *
1500  *	Release both @tty and a possible linked partner (think pty pair),
1501  *	and decrement the refcount of the backing module.
1502  *
1503  *	Locking:
1504  *		tty_mutex
1505  *		takes the file list lock internally when working on the list
1506  *	of ttys that the driver keeps.
1507  *
1508  */
static void release_tty(struct tty_struct *tty, int idx)
{
	/* This should always be true but check for the moment */
	WARN_ON(tty->index != idx);
	/* The caller is expected to hold tty_mutex; only warned about, not enforced. */
	WARN_ON(!mutex_is_locked(&tty_mutex));
	if (tty->ops->shutdown)
		tty->ops->shutdown(tty);
	tty_save_termios(tty);
	tty_driver_remove_tty(tty->driver, tty);
	/* Clear the ports' back pointers to the tty before the references are dropped. */
	if (tty->port)
		tty->port->itty = NULL;
	/*
	 * NOTE(review): tty->port is NULL-checked above, but tty->link->port is
	 * dereferenced here and below without a check; confirm a linked tty
	 * always has a port by the time this runs.
	 */
	if (tty->link)
		tty->link->port->itty = NULL;
	if (tty->port)
		tty_buffer_cancel_work(tty->port);
	if (tty->link)
		tty_buffer_cancel_work(tty->link->port);

	/* tty_kref_put() accepts NULL, so an absent link needs no special case. */
	tty_kref_put(tty->link);
	tty_kref_put(tty);
}
1530 
1531 /**
1532  *	tty_release_checks - check a tty before real release
1533  *	@tty: tty to check
1534  *	@idx: index of the tty
1535  *
1536  *	Performs some paranoid checking before true release of the @tty.
1537  *	This is a no-op unless TTY_PARANOIA_CHECK is defined.
1538  */
static int tty_release_checks(struct tty_struct *tty, int idx)
{
#ifdef TTY_PARANOIA_CHECK
	struct tty_driver *drv = tty->driver;
	struct tty_struct *peer;

	/* The index must lie inside the driver's range. */
	if (idx < 0 || idx >= drv->num) {
		tty_debug(tty, "bad idx %d\n", idx);
		return -1;
	}

	/* not much to check for devpts */
	if (drv->flags & TTY_DRIVER_DEVPTS_MEM)
		return 0;

	/* The driver table slot must point back at this tty. */
	if (drv->ttys[idx] != tty) {
		tty_debug(tty, "bad driver table[%d] = %p\n",
			  idx, drv->ttys[idx]);
		return -1;
	}

	if (!drv->other)
		return 0;

	/* Paired drivers: the other table and the link pointers must agree. */
	peer = tty->link;
	if (peer != drv->other->ttys[idx]) {
		tty_debug(tty, "bad other table[%d] = %p\n",
			  idx, drv->other->ttys[idx]);
		return -1;
	}
	if (peer->link != tty) {
		tty_debug(tty, "bad link = %p\n", peer->link);
		return -1;
	}
#endif
	return 0;
}
1572 
1573 /**
1574  *      tty_kclose      -       closes tty opened by tty_kopen
1575  *      @tty: tty device
1576  *
1577  *      Performs the final steps to release and free a tty device. It is the
1578  *      same as tty_release_struct except that it also resets TTY_PORT_KOPENED
1579  *      flag on tty->port.
1580  */
void tty_kclose(struct tty_struct *tty)
{
	/*
	 * Ask the line discipline code to release its structures
	 */
	tty_ldisc_release(tty);

	/* Wait for pending work before tty destruction commences */
	tty_flush_works(tty);

	tty_debug_hangup(tty, "freeing structure\n");
	/*
	 * The release_tty function takes care of the details of clearing
	 * the slots and preserving the termios structure.
	 */
	mutex_lock(&tty_mutex);
	/*
	 * Clear the kernel-open mark set by tty_kopen() while tty_mutex is
	 * held, before the tty is released.
	 */
	tty_port_set_kopened(tty->port, 0);
	release_tty(tty, tty->index);
	mutex_unlock(&tty_mutex);
}
EXPORT_SYMBOL_GPL(tty_kclose);
1602 
1603 /**
1604  *	tty_release_struct	-	release a tty struct
1605  *	@tty: tty device
1606  *	@idx: index of the tty
1607  *
1608  *	Performs the final steps to release and free a tty device. It is
1609  *	roughly the reverse of tty_init_dev.
1610  */
void tty_release_struct(struct tty_struct *tty, int idx)
{
	/*
	 * Ask the line discipline code to release its structures
	 */
	tty_ldisc_release(tty);

	/* Wait for pending work before tty destruction commences */
	tty_flush_works(tty);

	tty_debug_hangup(tty, "freeing structure\n");
	/*
	 * The release_tty function takes care of the details of clearing
	 * the slots and preserving the termios structure.
	 */
	/* release_tty() warns if tty_mutex is not held, so take it here. */
	mutex_lock(&tty_mutex);
	release_tty(tty, idx);
	mutex_unlock(&tty_mutex);
}
EXPORT_SYMBOL_GPL(tty_release_struct);
1631 
1632 /**
1633  *	tty_release		-	vfs callback for close
1634  *	@inode: inode of tty
1635  *	@filp: file pointer for handle to tty
1636  *
1637  *	Called the last time each file handle is closed that references
1638  *	this tty. There may however be several such references.
1639  *
1640  *	Locking:
1641  *		Takes bkl. See tty_release_dev
1642  *
1643  * Even releasing the tty structures is a tricky business.. We have
1644  * to be very careful that the structures are all released at the
1645  * same time, as interrupts might otherwise get the wrong pointers.
1646  *
1647  * WSH 09/09/97: rewritten to avoid some nasty race conditions that could
1648  * lead to double frees or releasing memory still in use.
1649  */
1650 
int tty_release(struct inode *inode, struct file *filp)
{
	struct tty_struct *tty = file_tty(filp);
	struct tty_struct *o_tty = NULL;
	int	do_sleep, final;
	int	idx;
	long	timeout = 0;
	int	once = 1;

	/* A tty that fails the paranoia check is not touched; close still reports 0. */
	if (tty_paranoia_check(tty, inode, __func__))
		return 0;

	tty_lock(tty);
	check_tty_count(tty, __func__);

	__tty_fasync(-1, filp, 0);

	idx = tty->index;
	/* Only a pty master tracks its other end (the slave) during release. */
	if (tty->driver->type == TTY_DRIVER_TYPE_PTY &&
	    tty->driver->subtype == PTY_TYPE_MASTER)
		o_tty = tty->link;

	/* Inconsistent driver tables: give up without releasing anything. */
	if (tty_release_checks(tty, idx)) {
		tty_unlock(tty);
		return 0;
	}

	tty_debug_hangup(tty, "releasing (count=%d)\n", tty->count);

	if (tty->ops->close)
		tty->ops->close(tty, filp);

	/* If tty is pty master, lock the slave pty (stable lock order) */
	tty_lock_slave(o_tty);

	/*
	 * Sanity check: if tty->count is going to zero, there shouldn't be
	 * any waiters on tty->read_wait or tty->write_wait.  We test the
	 * wait queues and kick everyone out _before_ actually starting to
	 * close.  This ensures that we won't block while releasing the tty
	 * structure.
	 *
	 * The test for the o_tty closing is necessary, since the master and
	 * slave sides may close in any order.  If the slave side closes out
	 * first, its count will be one, since the master side holds an open.
	 * Thus this test wouldn't be triggered at the time the slave closed,
	 * so we do it now.
	 */
	while (1) {
		do_sleep = 0;

		if (tty->count <= 1) {
			if (waitqueue_active(&tty->read_wait)) {
				wake_up_poll(&tty->read_wait, EPOLLIN);
				do_sleep++;
			}
			if (waitqueue_active(&tty->write_wait)) {
				wake_up_poll(&tty->write_wait, EPOLLOUT);
				do_sleep++;
			}
		}
		if (o_tty && o_tty->count <= 1) {
			if (waitqueue_active(&o_tty->read_wait)) {
				wake_up_poll(&o_tty->read_wait, EPOLLIN);
				do_sleep++;
			}
			if (waitqueue_active(&o_tty->write_wait)) {
				wake_up_poll(&o_tty->write_wait, EPOLLOUT);
				do_sleep++;
			}
		}
		if (!do_sleep)
			break;

		/* Warn only on the first pass through the loop. */
		if (once) {
			once = 0;
			tty_warn(tty, "read/write wait queue active!\n");
		}
		/*
		 * Back off between retries: 0, 1, 3, 7, ... jiffies, switching
		 * to MAX_SCHEDULE_TIMEOUT once the delay reaches 120 * HZ.
		 */
		schedule_timeout_killable(timeout);
		if (timeout < 120 * HZ)
			timeout = 2 * timeout + 1;
		else
			timeout = MAX_SCHEDULE_TIMEOUT;
	}

	/*
	 * Drop the open counts. A negative result means the open/close
	 * accounting is unbalanced; warn and clamp to zero.
	 */
	if (o_tty) {
		if (--o_tty->count < 0) {
			tty_warn(tty, "bad slave count (%d)\n", o_tty->count);
			o_tty->count = 0;
		}
	}
	if (--tty->count < 0) {
		tty_warn(tty, "bad tty->count (%d)\n", tty->count);
		tty->count = 0;
	}

	/*
	 * We've decremented tty->count, so we need to remove this file
	 * descriptor off the tty->tty_files list; this serves two
	 * purposes:
	 *  - check_tty_count sees the correct number of file descriptors
	 *    associated with this tty.
	 *  - do_tty_hangup no longer sees this file descriptor as
	 *    something that needs to be handled for hangups.
	 */
	tty_del_file(filp);

	/*
	 * Perform some housekeeping before deciding whether to return.
	 *
	 * If _either_ side is closing, make sure there aren't any
	 * processes that still think tty or o_tty is their controlling
	 * tty.
	 */
	if (!tty->count) {
		read_lock(&tasklist_lock);
		session_clear_tty(tty->session);
		if (o_tty)
			session_clear_tty(o_tty->session);
		read_unlock(&tasklist_lock);
	}

	/* check whether both sides are closing ... */
	final = !tty->count && !(o_tty && o_tty->count);

	tty_unlock_slave(o_tty);
	tty_unlock(tty);

	/* At this point, the tty->count == 0 should ensure a dead tty
	   cannot be re-opened by a racing opener */

	if (!final)
		return 0;

	tty_debug_hangup(tty, "final close\n");

	/* Final close: tear the structures down (takes tty_mutex internally). */
	tty_release_struct(tty, idx);
	return 0;
}
1790 
1791 /**
1792  *	tty_open_current_tty - get locked tty of current task
1793  *	@device: device number
1794  *	@filp: file pointer to tty
1795  *	@return: locked tty of the current task iff @device is /dev/tty
1796  *
1797  *	Performs a re-open of the current task's controlling tty.
1798  *
1799  *	We cannot return driver and index like for the other nodes because
1800  *	devpts will not work then. It expects inodes to be from devpts FS.
1801  */
static struct tty_struct *tty_open_current_tty(dev_t device, struct file *filp)
{
	struct tty_struct *tty;
	int retval;

	/* NULL (not an error) tells the caller this is not /dev/tty. */
	if (device != MKDEV(TTYAUX_MAJOR, 0))
		return NULL;

	/* No current tty for this task: -ENXIO. */
	tty = get_current_tty();
	if (!tty)
		return ERR_PTR(-ENXIO);

	/* Note: tty_open() restores the caller's original f_flags afterwards. */
	filp->f_flags |= O_NONBLOCK; /* Don't let /dev/tty block */
	/* noctty = 1; */
	/*
	 * The reference from get_current_tty() is only held until the tty
	 * lock is taken; from here on the lock is what the code relies on.
	 */
	tty_lock(tty);
	tty_kref_put(tty);	/* safe to drop the kref now */

	/* tty_reopen() applies the pty-master and TTY_EXCLUSIVE restrictions. */
	retval = tty_reopen(tty);
	if (retval < 0) {
		tty_unlock(tty);
		tty = ERR_PTR(retval);
	}
	return tty;
}
1826 
1827 /**
1828  *	tty_lookup_driver - lookup a tty driver for a given device file
1829  *	@device: device number
1830  *	@filp: file pointer to tty
1831  *	@index: index for the device in the @return driver
1832  *	@return: driver for this inode (with increased refcount)
1833  *
1834  * 	If @return is not erroneous, the caller is responsible to decrement the
1835  * 	refcount by tty_driver_kref_put.
1836  *
1837  *	Locking: tty_mutex protects get_tty_driver
1838  */
static struct tty_driver *tty_lookup_driver(dev_t device, struct file *filp,
		int *index)
{
	struct tty_driver *driver = NULL;

	switch (device) {
#ifdef CONFIG_VT
	/* (TTY_MAJOR, 0): the console driver at the foreground console index. */
	case MKDEV(TTY_MAJOR, 0): {
		extern struct tty_driver *console_driver;
		driver = tty_driver_kref_get(console_driver);
		*index = fg_console;
		break;
	}
#endif
	/*
	 * (TTYAUX_MAJOR, 1): /dev/console. This only succeeds when a file is
	 * supplied; with filp == NULL (as tty_kopen() passes) the reference
	 * is dropped again and -ENODEV is returned.
	 */
	case MKDEV(TTYAUX_MAJOR, 1): {
		struct tty_driver *console_driver = console_device(index);
		if (console_driver) {
			driver = tty_driver_kref_get(console_driver);
			if (driver && filp) {
				/* Don't let /dev/console block */
				filp->f_flags |= O_NONBLOCK;
				break;
			}
		}
		if (driver)
			tty_driver_kref_put(driver);
		return ERR_PTR(-ENODEV);
	}
	/* Everything else is resolved from the device number; *index is set by get_tty_driver(). */
	default:
		driver = get_tty_driver(device, index);
		if (!driver)
			return ERR_PTR(-ENODEV);
		break;
	}
	return driver;
}
1875 
1876 /**
1877  *	tty_kopen	-	open a tty device for kernel
1878  *	@device: dev_t of device to open
1879  *
1880  *	Opens tty exclusively for kernel. Performs the driver lookup,
1881  *	makes sure it's not already opened and performs the first-time
1882  *	tty initialization.
1883  *
1884  *	Returns the locked initialized &tty_struct
1885  *
1886  *	Claims the global tty_mutex to serialize:
1887  *	  - concurrent first-time tty initialization
1888  *	  - concurrent tty driver removal w/ lookup
1889  *	  - concurrent tty removal from driver table
1890  */
struct tty_struct *tty_kopen(dev_t device)
{
	struct tty_struct *tty;
	struct tty_driver *driver;
	int index = -1;

	mutex_lock(&tty_mutex);
	/* No file is involved in a kernel open, hence the NULL filp. */
	driver = tty_lookup_driver(device, NULL, &index);
	if (IS_ERR(driver)) {
		mutex_unlock(&tty_mutex);
		return ERR_CAST(driver);
	}

	/* check whether we're reopening an existing tty */
	tty = tty_driver_lookup_tty(driver, NULL, index);
	if (IS_ERR(tty))
		goto out;

	if (tty) {
		/*
		 * Kernel opens are exclusive: a tty that already exists in the
		 * driver table is reported as busy rather than shared.
		 */
		/* drop kref from tty_driver_lookup_tty() */
		tty_kref_put(tty);
		tty = ERR_PTR(-EBUSY);
	} else { /* tty_init_dev returns tty with the tty_lock held */
		tty = tty_init_dev(driver, index);
		if (IS_ERR(tty))
			goto out;
		/* Mark the port so tty_open_by_driver() refuses regular opens. */
		tty_port_set_kopened(tty->port, 1);
	}
out:
	mutex_unlock(&tty_mutex);
	/* The driver reference from tty_lookup_driver() is dropped on every path. */
	tty_driver_kref_put(driver);
	return tty;
}
EXPORT_SYMBOL_GPL(tty_kopen);
1925 
1926 /**
1927  *	tty_open_by_driver	-	open a tty device
1928  *	@device: dev_t of device to open
1929  *	@filp: file pointer to tty
1930  *
1931  *	Performs the driver lookup, checks for a reopen, or otherwise
1932  *	performs the first-time tty initialization.
1933  *
1934  *	Returns the locked initialized or re-opened &tty_struct
1935  *
1936  *	Claims the global tty_mutex to serialize:
1937  *	  - concurrent first-time tty initialization
1938  *	  - concurrent tty driver removal w/ lookup
1939  *	  - concurrent tty removal from driver table
1940  */
static struct tty_struct *tty_open_by_driver(dev_t device,
					     struct file *filp)
{
	struct tty_struct *tty;
	struct tty_driver *driver = NULL;
	int index = -1;
	int retval;

	mutex_lock(&tty_mutex);
	driver = tty_lookup_driver(device, filp, &index);
	if (IS_ERR(driver)) {
		mutex_unlock(&tty_mutex);
		return ERR_CAST(driver);
	}

	/* check whether we're reopening an existing tty */
	tty = tty_driver_lookup_tty(driver, filp, index);
	if (IS_ERR(tty)) {
		mutex_unlock(&tty_mutex);
		goto out;
	}

	if (tty) {
		/* A port claimed through tty_kopen() is refused with -EBUSY. */
		if (tty_port_kopened(tty->port)) {
			tty_kref_put(tty);
			mutex_unlock(&tty_mutex);
			tty = ERR_PTR(-EBUSY);
			goto out;
		}
		/*
		 * tty_mutex is released before sleeping on the tty lock; the
		 * reference from tty_driver_lookup_tty() is held across the
		 * wait and dropped right after it.
		 */
		mutex_unlock(&tty_mutex);
		retval = tty_lock_interruptible(tty);
		tty_kref_put(tty);  /* drop kref from tty_driver_lookup_tty() */
		if (retval) {
			/* An interrupted lock wait is reported as -ERESTARTSYS. */
			if (retval == -EINTR)
				retval = -ERESTARTSYS;
			tty = ERR_PTR(retval);
			goto out;
		}
		/* tty_reopen() applies the pty-master and TTY_EXCLUSIVE restrictions. */
		retval = tty_reopen(tty);
		if (retval < 0) {
			tty_unlock(tty);
			tty = ERR_PTR(retval);
		}
	} else { /* Returns with the tty_lock held for now */
		tty = tty_init_dev(driver, index);
		mutex_unlock(&tty_mutex);
	}
out:
	/* The driver reference from tty_lookup_driver() is dropped on every path. */
	tty_driver_kref_put(driver);
	return tty;
}
1992 
1993 /**
1994  *	tty_open		-	open a tty device
1995  *	@inode: inode of device file
1996  *	@filp: file pointer to tty
1997  *
1998  *	tty_open and tty_release keep up the tty count that contains the
1999  *	number of opens done on a tty. We cannot use the inode-count, as
2000  *	different inodes might point to the same tty.
2001  *
2002  *	Open-counting is needed for pty masters, as well as for keeping
2003  *	track of serial lines: DTR is dropped when the last close happens.
2004  *	(This is not done solely through tty->count, now.  - Ted 1/27/92)
2005  *
2006  *	The termios state of a pty is reset on first open so that
2007  *	settings don't persist across reuse.
2008  *
2009  *	Locking: tty_mutex protects tty, tty_lookup_driver and tty_init_dev.
2010  *		 tty->count should protect the rest.
2011  *		 ->siglock protects ->signal/->sighand
2012  *
2013  *	Note: the tty_unlock/lock cases without a ref are only safe due to
2014  *	tty_mutex
2015  */
2016 
static int tty_open(struct inode *inode, struct file *filp)
{
	struct tty_struct *tty;
	int noctty, retval;
	dev_t device = inode->i_rdev;
	/*
	 * The lookup helpers may set O_NONBLOCK for /dev/tty and /dev/console;
	 * the caller's original flags are restored after the driver open.
	 */
	unsigned saved_flags = filp->f_flags;

	nonseekable_open(inode, filp);

retry_open:
	/* Any tty_alloc_file() failure is reported as -ENOMEM. */
	retval = tty_alloc_file(filp);
	if (retval)
		return -ENOMEM;

	/* /dev/tty first; NULL means "not /dev/tty", so use the driver lookup. */
	tty = tty_open_current_tty(device, filp);
	if (!tty)
		tty = tty_open_by_driver(device, filp);

	if (IS_ERR(tty)) {
		tty_free_file(filp);
		retval = PTR_ERR(tty);
		/* Only -EAGAIN is retried, and only while no signal is pending. */
		if (retval != -EAGAIN || signal_pending(current))
			return retval;
		schedule();
		goto retry_open;
	}

	tty_add_file(tty, filp);

	check_tty_count(tty, __func__);
	tty_debug_hangup(tty, "opening (count=%d)\n", tty->count);

	/* A driver without an open op cannot be opened. */
	if (tty->ops->open)
		retval = tty->ops->open(tty, filp);
	else
		retval = -ENODEV;
	filp->f_flags = saved_flags;

	if (retval) {
		tty_debug_hangup(tty, "open error %d, releasing\n", retval);

		tty_unlock(tty); /* need to call tty_release without BTM */
		tty_release(inode, filp);
		/* Only -ERESTARTSYS without a pending signal leads to a retry. */
		if (retval != -ERESTARTSYS)
			return retval;

		if (signal_pending(current))
			return retval;

		schedule();
		/*
		 * Need to reset f_op in case a hangup happened.
		 */
		if (tty_hung_up_p(filp))
			filp->f_op = &tty_fops;
		goto retry_open;
	}
	clear_bit(TTY_HUPPED, &tty->flags);

	/*
	 * tty_open_proc_set_tty() is skipped when the caller passed O_NOCTTY,
	 * for device (TTY_MAJOR, 0) when CONFIG_VT is enabled, for
	 * /dev/console (TTYAUX_MAJOR, 1) and for pty masters.
	 * NOTE(review): tty_open_proc_set_tty() is presumably where the tty
	 * can become the opener's controlling terminal - confirm.
	 */
	noctty = (filp->f_flags & O_NOCTTY) ||
		 (IS_ENABLED(CONFIG_VT) && device == MKDEV(TTY_MAJOR, 0)) ||
		 device == MKDEV(TTYAUX_MAJOR, 1) ||
		 (tty->driver->type == TTY_DRIVER_TYPE_PTY &&
		  tty->driver->subtype == PTY_TYPE_MASTER);
	if (!noctty)
		tty_open_proc_set_tty(filp, tty);
	tty_unlock(tty);
	return 0;
}
2086 
2087 
2088 
/**
 *	tty_poll	-	report poll status for a tty
 *	@filp: file being polled
 *	@wait: poll wait structures to update
 *
 *	Forwards the poll to the line discipline attached to the tty and
 *	returns the mask its poll method reports. Returns 0 when the
 *	paranoia check rejects the tty or the discipline has no poll
 *	method, and defers to hung_up_tty_poll() when no line discipline
 *	reference can be obtained.
 *
 *	Locking: a line discipline reference is held across the call; the
 *	ldisc poll method may be re-entered freely by other callers.
 */

static __poll_t tty_poll(struct file *filp, poll_table *wait)
{
	struct tty_struct *tty = file_tty(filp);
	struct tty_ldisc *ldisc;
	__poll_t mask;

	if (tty_paranoia_check(tty, file_inode(filp), "tty_poll"))
		return 0;

	ldisc = tty_ldisc_ref_wait(tty);
	if (!ldisc)
		return hung_up_tty_poll(filp, wait);

	/* A discipline without a poll method reports nothing ready. */
	mask = ldisc->ops->poll ? ldisc->ops->poll(tty, filp, wait) : 0;
	tty_ldisc_deref(ldisc);

	return mask;
}
2118 
/*
 * Switch asynchronous notification for @filp on or off and, when switching
 * it on, choose who owns the resulting signals: the tty's process group if
 * it has one, otherwise the calling task. tty_fasync() calls this with the
 * tty lock held.
 *
 * Returns 0 when the paranoia check rejects the tty or after the owner has
 * been set; otherwise whatever fasync_helper() returned.
 */
static int __tty_fasync(int fd, struct file *filp, int on)
{
	struct tty_struct *tty = file_tty(filp);
	enum pid_type owner_type;
	struct pid *owner;
	unsigned long irqflags;
	int rc;

	if (tty_paranoia_check(tty, file_inode(filp), "tty_fasync"))
		return 0;

	rc = fasync_helper(fd, filp, on, &tty->fasync);
	if (rc <= 0 || !on)
		return rc;

	/* Pick the owner under ctrl_lock and pin it before dropping the lock. */
	spin_lock_irqsave(&tty->ctrl_lock, irqflags);
	if (tty->pgrp) {
		owner = tty->pgrp;
		owner_type = PIDTYPE_PGID;
	} else {
		owner = task_pid(current);
		owner_type = PIDTYPE_TGID;
	}
	get_pid(owner);
	spin_unlock_irqrestore(&tty->ctrl_lock, irqflags);

	__f_setown(filp, owner, owner_type, 0);
	put_pid(owner);

	return 0;
}
2153 
/*
 * fasync entry point for tty files: runs __tty_fasync() under the tty lock.
 * A file whose tty has been hung up gets -ENOTTY instead.
 */
static int tty_fasync(int fd, struct file *filp, int on)
{
	struct tty_struct *tty = file_tty(filp);
	int rc;

	tty_lock(tty);
	if (tty_hung_up_p(filp))
		rc = -ENOTTY;
	else
		rc = __tty_fasync(fd, filp, on);
	tty_unlock(tty);

	return rc;
}
2166 
/**
 *	tiocsti			-	fake input character
 *	@tty: tty to fake input into
 *	@p: user pointer to the character
 *
 *	Implements TIOCSTI: one byte read from user space is handed to the
 *	line discipline's receive_buf method as if it had arrived from the
 *	device.
 *
 *	Permission: allowed when @tty is the caller's controlling terminal,
 *	otherwise only with CAP_SYS_ADMIN. The first test compares tty
 *	identity, not credentials, so every task that shares the controlling
 *	terminal passes it whatever its uid. The byte is recorded through
 *	tty_audit_tiocsti() before it is delivered.
 *
 *	Returns 0 on success, -EPERM, -EFAULT, or -EIO when no line
 *	discipline reference can be obtained.
 *
 *	FIXME: does not honour flow control ??
 *
 *	Locking:
 *		Called functions take tty_ldiscs_lock
 *		current->signal->tty check is safe without locks
 *
 *	FIXME: may race normal receive processing
 */

static int tiocsti(struct tty_struct *tty, char __user *p)
{
	struct tty_ldisc *ldisc;
	char byte;
	char flag = 0;	/* per-character flag handed to receive_buf; always 0 */

	/* capable() is only consulted when the tty is not the caller's own. */
	if (current->signal->tty != tty) {
		if (!capable(CAP_SYS_ADMIN))
			return -EPERM;
	}
	if (get_user(byte, p))
		return -EFAULT;

	tty_audit_tiocsti(tty, byte);

	ldisc = tty_ldisc_ref_wait(tty);
	if (!ldisc)
		return -EIO;
	if (ldisc->ops->receive_buf)
		ldisc->ops->receive_buf(tty, &byte, &flag, 1);
	tty_ldisc_deref(ldisc);

	return 0;
}
2202 
/**
 *	tiocgwinsz		-	implement window query ioctl
 *	@tty: tty
 *	@arg: user buffer for result
 *
 *	Copies the kernel's record of the window size to user space.
 *	Returns 0, or -EFAULT if the copy could not be completed.
 *
 *	Locking: tty->winsize_mutex is held for the copy so that the
 *		caller sees a consistent winsize.
 */

static int tiocgwinsz(struct tty_struct *tty, struct winsize __user *arg)
{
	int left;

	mutex_lock(&tty->winsize_mutex);
	left = copy_to_user(arg, &tty->winsize, sizeof(*arg));
	mutex_unlock(&tty->winsize_mutex);

	if (left)
		return -EFAULT;

	return 0;
}
2224 
/**
 *	tty_do_resize		-	resize event
 *	@tty: tty being resized
 *	@ws: new dimensions
 *
 *	Record the new window size and signal the foreground process
 *	group with SIGWINCH. Nothing is signalled or stored when @ws is
 *	byte-for-byte equal to the current size. Always returns 0.
 *
 *	Locking: takes tty->winsize_mutex.
 */

int tty_do_resize(struct tty_struct *tty, struct winsize *ws)
{
	mutex_lock(&tty->winsize_mutex);
	if (memcmp(ws, &tty->winsize, sizeof(*ws)) != 0) {
		struct pid *fg = tty_get_pgrp(tty);

		/* The signal goes out before the new size is stored. */
		if (fg)
			kill_pgrp(fg, SIGWINCH, 1);
		put_pid(fg);

		tty->winsize = *ws;
	}
	mutex_unlock(&tty->winsize_mutex);

	return 0;
}
EXPORT_SYMBOL(tty_do_resize);
2255 
/**
 *	tiocswinsz		-	implement window size set ioctl
 *	@tty: tty side of tty
 *	@arg: user buffer holding the requested size
 *
 *	Copies the user idea of the window size to the kernel. Traditionally
 *	this is just advisory information but for the Linux console it
 *	actually has driver level meaning and triggers a VC resize.
 *
 *	The size is user-controlled and is passed on as copied; this helper
 *	performs no privilege or range check of its own.
 *
 *	Returns -EFAULT if the copy fails, otherwise the result of the
 *	driver's resize method or of tty_do_resize().
 *
 *	Locking:
 *		Driver dependent. tty_do_resize() takes tty->winsize_mutex.
 */

static int tiocswinsz(struct tty_struct *tty, struct winsize __user *arg)
{
	struct winsize requested;

	if (copy_from_user(&requested, arg, sizeof(*arg)))
		return -EFAULT;

	/* A driver-specific resize method takes precedence over the default. */
	if (!tty->ops->resize)
		return tty_do_resize(tty, &requested);

	return tty->ops->resize(tty, &requested);
}
2282 
/**
 *	tioccons	-	allow admin to move logical console
 *	@file: the file to become console
 *
 *	Requires CAP_SYS_ADMIN. When @file's write method is
 *	redirected_tty_write the current redirection is dropped; otherwise
 *	@file becomes the redirection target, provided none is set.
 *
 *	Returns 0 on success, -EPERM without the capability, or -EBUSY
 *	when a redirection is already in place.
 *
 *	Locking: uses redirect_lock to guard the redirect information
 */

static int tioccons(struct file *file)
{
	int rc = 0;

	if (!capable(CAP_SYS_ADMIN))
		return -EPERM;

	if (file->f_op->write == redirected_tty_write) {
		struct file *old;

		spin_lock(&redirect_lock);
		old = redirect;
		redirect = NULL;
		spin_unlock(&redirect_lock);

		/* The reference is dropped only after the spinlock is released. */
		if (old)
			fput(old);
		return 0;
	}

	spin_lock(&redirect_lock);
	if (redirect)
		rc = -EBUSY;
	else
		redirect = get_file(file);	/* the redirection holds its own reference */
	spin_unlock(&redirect_lock);

	return rc;
}
2315 
/**
 *	tiocsetd	-	set line discipline
 *	@tty: tty device
 *	@p: pointer to user data
 *
 *	Reads the requested line discipline number from user space and
 *	passes it to tty_set_ldisc(). The number is not range-checked and no
 *	capability is tested in this helper; presumably tty_set_ldisc()
 *	validates it (confirm there).
 *
 *	Returns -EFAULT if the number cannot be read, otherwise the result
 *	of tty_set_ldisc().
 *
 *	Locking: see tty_set_ldisc, this function is just a helper
 */

static int tiocsetd(struct tty_struct *tty, int __user *p)
{
	int ldisc_num;

	if (get_user(ldisc_num, p))
		return -EFAULT;

	return tty_set_ldisc(tty, ldisc_num);
}
2338 
/**
 *	tiocgetd	-	get line discipline
 *	@tty: tty device
 *	@p: pointer to user data
 *
 *	Writes the number of the attached line discipline, read directly
 *	from the ldisc, to user space.
 *
 *	Returns the result of put_user(), or -EIO when no line discipline
 *	reference can be obtained.
 *
 *	Locking: waits for ldisc reference (in case the line discipline
 *		is changing or the tty is being hungup)
 */

static int tiocgetd(struct tty_struct *tty, int __user *p)
{
	struct tty_ldisc *ldisc = tty_ldisc_ref_wait(tty);
	int err;

	if (!ldisc)
		return -EIO;

	err = put_user(ldisc->ops->num, p);
	tty_ldisc_deref(ldisc);

	return err;
}
2362 
/**
 *	send_break	-	perform timed break
 *	@tty: device to break on
 *	@duration: timeout in mS
 *
 *	Perform a timed break on hardware that lacks its own driver level
 *	timed break functionality.
 *
 *	Returns 0 if the driver has no break_ctl method, otherwise the
 *	driver's result, or -EINTR if the write lock could not be taken or
 *	a signal is pending once the software-timed break has finished.
 *
 *	@duration comes from tty_ioctl(): 250 for TCSBRK, and for TCSBRKP a
 *	value derived from the user-supplied ioctl argument.
 *
 *	Locking:
 *		atomic_write_lock serializes
 *
 */

static int send_break(struct tty_struct *tty, unsigned int duration)
{
	int retval;

	if (tty->ops->break_ctl == NULL)
		return 0;

	/* Drivers flagged TTY_DRIVER_HARDWARE_BREAK time the break themselves. */
	if (tty->driver->flags & TTY_DRIVER_HARDWARE_BREAK)
		retval = tty->ops->break_ctl(tty, duration);
	else {
		/* Do the work ourselves */
		if (tty_write_lock(tty, 0) < 0)
			return -EINTR;
		/* -1 turns the break on, 0 turns it off again (see TIOCSBRK/TIOCCBRK). */
		retval = tty->ops->break_ctl(tty, -1);
		if (retval)
			goto out;
		/* The sleep is interruptible, so a signal ends the break early. */
		if (!signal_pending(current))
			msleep_interruptible(duration);
		retval = tty->ops->break_ctl(tty, 0);
out:
		tty_write_unlock(tty);
		/* A pending signal overrides whatever the driver returned. */
		if (signal_pending(current))
			retval = -EINTR;
	}
	return retval;
}
2402 
/**
 *	tty_tiocmget		-	get modem status
 *	@tty: tty device
 *	@p: pointer to result
 *
 *	Asks the driver for the modem status bits and copies them to user
 *	space. Returns -EINVAL if the driver has no tiocmget method, a
 *	negative driver result unchanged, and otherwise the result of
 *	put_user().
 *
 *	Locking: none (up to the driver)
 */

static int tty_tiocmget(struct tty_struct *tty, int __user *p)
{
	int status;

	if (!tty->ops->tiocmget)
		return -EINVAL;

	status = tty->ops->tiocmget(tty);
	if (status < 0)
		return status;

	return put_user(status, p);
}
2426 
/**
 *	tty_tiocmset		-	set modem status
 *	@tty: tty device
 *	@cmd: command - clear bits, set bits or set all
 *	@p: pointer to desired bits
 *
 *	Translates TIOCMBIS, TIOCMBIC and TIOCMSET into a set mask and a
 *	clear mask and hands both to the driver. Only DTR, RTS, OUT1, OUT2
 *	and LOOP can be changed this way; every other bit the caller
 *	supplies is masked off before the driver sees it.
 *
 *	Returns -EINVAL if the driver has no tiocmset method, the
 *	get_user() error if the bits cannot be read, otherwise the
 *	driver's result.
 *
 *	Locking: none (up to the driver)
 */

static int tty_tiocmset(struct tty_struct *tty, unsigned int cmd,
	     unsigned __user *p)
{
	const unsigned int settable = TIOCM_DTR | TIOCM_RTS | TIOCM_OUT1 |
				      TIOCM_OUT2 | TIOCM_LOOP;
	unsigned int bits;
	unsigned int to_set = 0;
	unsigned int to_clear = 0;
	int err;

	if (!tty->ops->tiocmset)
		return -EINVAL;

	err = get_user(bits, p);
	if (err)
		return err;

	/* Any other cmd leaves both masks empty. */
	switch (cmd) {
	case TIOCMBIS:
		to_set = bits;
		break;
	case TIOCMBIC:
		to_clear = bits;
		break;
	case TIOCMSET:
		to_set = bits;
		to_clear = ~bits;
		break;
	}

	return tty->ops->tiocmset(tty, to_set & settable, to_clear & settable);
}
2468 
/*
 * TIOCGICOUNT: fetch the driver's interrupt counters and copy them to user
 * space.
 *
 * Returns -EINVAL if the driver has no get_icount method, a non-zero driver
 * result unchanged, -EFAULT if the copy fails, and 0 otherwise.
 */
static int tty_tiocgicount(struct tty_struct *tty, void __user *arg)
{
	struct serial_icounter_struct counters;
	int rc;

	/*
	 * Zero the whole structure first: whatever the driver does not fill
	 * in goes to user space as zero rather than as stale stack contents.
	 */
	memset(&counters, 0, sizeof(counters));

	if (!tty->ops->get_icount)
		return -EINVAL;

	rc = tty->ops->get_icount(tty, &counters);
	if (rc != 0)
		return rc;

	return copy_to_user(arg, &counters, sizeof(counters)) ? -EFAULT : 0;
}
2482 
/*
 * TIOCSSERIAL: copy a serial_struct from user space and hand it to the
 * driver's set_serial method.
 *
 * Use of any ASYNC_DEPRECATED flag is logged, rate-limited so that a caller
 * repeating the ioctl cannot flood the kernel log. No privilege check is
 * made here; the structure is user-controlled and any restriction on what
 * may be changed is presumably enforced by the driver (confirm per driver).
 *
 * Returns -EFAULT if the copy fails, -ENOTTY if the driver has no set_serial
 * method, otherwise the driver's result.
 */
static int tty_tiocsserial(struct tty_struct *tty, struct serial_struct __user *ss)
{
	static DEFINE_RATELIMIT_STATE(depr_flags,
			DEFAULT_RATELIMIT_INTERVAL,
			DEFAULT_RATELIMIT_BURST);
	struct serial_struct req;
	char comm[TASK_COMM_LEN];
	int deprecated;

	if (copy_from_user(&req, ss, sizeof(*ss)))
		return -EFAULT;

	deprecated = req.flags & ASYNC_DEPRECATED;
	if (deprecated && __ratelimit(&depr_flags))
		pr_warn("%s: '%s' is using deprecated serial flags (with no effect): %.8x\n",
			__func__, get_task_comm(comm, current), deprecated);

	/* The warning is emitted even when the driver cannot set anything. */
	if (!tty->ops->set_serial)
		return -ENOTTY;

	return tty->ops->set_serial(tty, &req);
}
2504 
/*
 * TIOCGSERIAL: ask the driver for its serial_struct and copy it to user
 * space.
 *
 * Returns -ENOTTY if the driver has no get_serial method, a non-zero driver
 * result unchanged, -EFAULT if the copy fails, and 0 otherwise.
 */
static int tty_tiocgserial(struct tty_struct *tty, struct serial_struct __user *ss)
{
	struct serial_struct info;
	int rc;

	/*
	 * Zeroed before the driver fills it in, so fields it leaves alone
	 * reach user space as zero rather than as stale stack contents.
	 */
	memset(&info, 0, sizeof(info));

	if (!tty->ops->get_serial)
		return -ENOTTY;

	rc = tty->ops->get_serial(tty, &info);
	if (rc)
		return rc;

	if (copy_to_user(ss, &info, sizeof(info)))
		return -EFAULT;

	return 0;
}
2518 
/*
 * For a pty master, return the other end of the pair (tty->link, the slave
 * side); for every other tty, return the tty itself.
 */
static struct tty_struct *tty_pair_get_tty(struct tty_struct *tty)
{
	if (tty->driver->type != TTY_DRIVER_TYPE_PTY)
		return tty;
	if (tty->driver->subtype != PTY_TYPE_MASTER)
		return tty;

	return tty->link;
}
2530 
/*
 * Split this up, as gcc can choke on it otherwise..
 *
 * ioctl entry point for tty files. Commands handled by the tty core are
 * dispatched in the second switch; anything else is offered, in order, to
 * tty_jobctrl_ioctl(), the driver's ioctl method and the line discipline's
 * ioctl method.
 *
 * @arg is user-controlled. Of the commands handled in this function only
 * TIOCVHANGUP and TIOCCONS (inside tioccons()) test CAP_SYS_ADMIN, and
 * TIOCSTI applies its own check in tiocsti(); the rest rely on the caller
 * holding an open file on the tty.
 *
 * Returns -EINVAL if the paranoia check rejects the tty or the line
 * discipline has no ioctl method, -ENOTTY if the line discipline does not
 * know the command, otherwise the handler's result.
 */
long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
{
	struct tty_struct *tty = file_tty(file);
	struct tty_struct *real_tty;
	void __user *p = (void __user *)arg;
	int retval;
	struct tty_ldisc *ld;

	if (tty_paranoia_check(tty, file_inode(file), "tty_ioctl"))
		return -EINVAL;

	/* For a pty master real_tty is the slave side, otherwise it is tty. */
	real_tty = tty_pair_get_tty(tty);

	/*
	 * Factor out some common prep work
	 */
	switch (cmd) {
	case TIOCSETD:
	case TIOCSBRK:
	case TIOCCBRK:
	case TCSBRK:
	case TCSBRKP:
		/* presumably the job-control check on the caller; see tty_check_change() */
		retval = tty_check_change(tty);
		if (retval)
			return retval;
		/* All of these except TIOCCBRK wait for pending output first. */
		if (cmd != TIOCCBRK) {
			tty_wait_until_sent(tty, 0);
			if (signal_pending(current))
				return -EINTR;
		}
		break;
	}

	/*
	 *	Now do the stuff.
	 */
	switch (cmd) {
	case TIOCSTI:
		return tiocsti(tty, p);
	case TIOCGWINSZ:
		return tiocgwinsz(real_tty, p);
	case TIOCSWINSZ:
		return tiocswinsz(real_tty, p);
	case TIOCCONS:
		/* Refused on a pty master, where real_tty differs from tty. */
		return real_tty != tty ? -EINVAL : tioccons(file);
	case TIOCEXCL:
		/* No capability is tested for setting or clearing exclusive mode. */
		set_bit(TTY_EXCLUSIVE, &tty->flags);
		return 0;
	case TIOCNXCL:
		clear_bit(TTY_EXCLUSIVE, &tty->flags);
		return 0;
	case TIOCGEXCL:
	{
		int excl = test_bit(TTY_EXCLUSIVE, &tty->flags);
		return put_user(excl, (int __user *)p);
	}
	case TIOCGETD:
		return tiocgetd(tty, p);
	case TIOCSETD:
		return tiocsetd(tty, p);
	case TIOCVHANGUP:
		if (!capable(CAP_SYS_ADMIN))
			return -EPERM;
		tty_vhangup(tty);
		return 0;
	case TIOCGDEV:
	{
		unsigned int ret = new_encode_dev(tty_devnum(real_tty));
		return put_user(ret, (unsigned int __user *)p);
	}
	/*
	 * Break handling
	 */
	case TIOCSBRK:	/* Turn break on, unconditionally */
		if (tty->ops->break_ctl)
			return tty->ops->break_ctl(tty, -1);
		return 0;
	case TIOCCBRK:	/* Turn break off, unconditionally */
		if (tty->ops->break_ctl)
			return tty->ops->break_ctl(tty, 0);
		return 0;
	case TCSBRK:   /* SVID version: non-zero arg --> no break */
		/* non-zero arg means wait for all output data
		 * to be sent (performed above) but don't send break.
		 * This is used by the tcdrain() termios function.
		 */
		if (!arg)
			return send_break(tty, 250);
		return 0;
	case TCSBRKP:	/* support for POSIX tcsendbreak() */
		/*
		 * NOTE(review): arg is user-controlled and unbounded here; arg*100
		 * is computed as unsigned long and then converted to send_break()'s
		 * unsigned int duration, so large values wrap or truncate. The
		 * resulting sleep is interruptible and is taken with the tty write
		 * lock held - confirm whether an upper bound is wanted.
		 */
		return send_break(tty, arg ? arg*100 : 250);

	case TIOCMGET:
		return tty_tiocmget(tty, p);
	case TIOCMSET:
	case TIOCMBIC:
	case TIOCMBIS:
		return tty_tiocmset(tty, cmd, p);
	case TIOCGICOUNT:
		return tty_tiocgicount(tty, p);
	case TCFLSH:
		switch (arg) {
		case TCIFLUSH:
		case TCIOFLUSH:
		/* flush tty buffer and allow ldisc to process ioctl */
			tty_buffer_flush(tty, NULL);
			break;
		}
		/* TCFLSH is not finished here: it continues to the driver and ldisc below. */
		break;
	case TIOCSSERIAL:
		return tty_tiocsserial(tty, p);
	case TIOCGSERIAL:
		return tty_tiocgserial(tty, p);
	case TIOCGPTPEER:
		/* Special because the struct file is needed */
		return ptm_open_peer(file, tty, (int)arg);
	default:
		/* -ENOIOCTLCMD means "not mine": keep going down the chain. */
		retval = tty_jobctrl_ioctl(tty, real_tty, file, cmd, arg);
		if (retval != -ENOIOCTLCMD)
			return retval;
	}
	/* Next the driver, then the line discipline. */
	if (tty->ops->ioctl) {
		retval = tty->ops->ioctl(tty, cmd, arg);
		if (retval != -ENOIOCTLCMD)
			return retval;
	}
	ld = tty_ldisc_ref_wait(tty);
	if (!ld)
		return hung_up_tty_ioctl(file, cmd, arg);
	/* -EINVAL stands when the line discipline has no ioctl method at all. */
	retval = -EINVAL;
	if (ld->ops->ioctl) {
		retval = ld->ops->ioctl(tty, file, cmd, arg);
		/* End of the chain: an unknown command is reported as -ENOTTY. */
		if (retval == -ENOIOCTLCMD)
			retval = -ENOTTY;
	}
	tty_ldisc_deref(ld);
	return retval;
}
2672 
2673 #ifdef CONFIG_COMPAT
2674 
/*
 * Layout of the serial structure as used by compat TIOCSSERIAL/TIOCGSERIAL
 * callers. The compat handlers below memcpy() everything in front of
 * iomem_base to and from struct serial_struct in one go, so the fields up to
 * that point are assumed to line up with the native structure - confirm
 * against struct serial_struct before reordering or resizing anything here.
 */
struct serial_struct32 {
	compat_int_t    type;
	compat_int_t    line;
	compat_uint_t   port;
	compat_int_t    irq;
	compat_int_t    flags;
	compat_int_t    xmit_fifo_size;
	compat_int_t    custom_divisor;
	compat_int_t    baud_base;
	unsigned short  close_delay;
	char    io_type;
	char    reserved_char;
	compat_int_t    hub6;
	unsigned short  closing_wait; /* time to wait before closing */
	unsigned short  closing_wait2; /* no longer used... */
	compat_uint_t   iomem_base;	/* user-space pointer squeezed into 32 bits */
	unsigned short  iomem_reg_shift;
	unsigned int    port_high;
	/* compat_ulong_t  iomap_base FIXME */
	compat_int_t    reserved;
};
2696 
/*
 * Compat TIOCSSERIAL: read a serial_struct32 from user space, widen it to
 * a struct serial_struct and hand it to the driver's set_serial method.
 *
 * As in tty_tiocsserial(), no privilege check is made here and the use of
 * ASYNC_DEPRECATED flags is logged at a limited rate.
 *
 * Returns -EFAULT if the copy fails, -ENOTTY if the driver has no set_serial
 * method, otherwise the driver's result.
 */
static int compat_tty_tiocsserial(struct tty_struct *tty,
		struct serial_struct32 __user *ss)
{
	static DEFINE_RATELIMIT_STATE(depr_flags,
			DEFAULT_RATELIMIT_INTERVAL,
			DEFAULT_RATELIMIT_BURST);
	char comm[TASK_COMM_LEN];
	struct serial_struct32 v32;
	struct serial_struct v;
	int flags;

	if (copy_from_user(&v32, ss, sizeof(*ss)))
		return -EFAULT;

	/*
	 * v is not zeroed: everything in front of iomem_base is copied in
	 * one block (assumes both layouts match up to that field - TODO
	 * confirm) and the remaining fields are assigned one by one.
	 */
	memcpy(&v, &v32, offsetof(struct serial_struct32, iomem_base));
	v.iomem_base = compat_ptr(v32.iomem_base);
	v.iomem_reg_shift = v32.iomem_reg_shift;
	v.port_high = v32.port_high;
	/* serial_struct32 has no iomap_base (see the FIXME in the struct). */
	v.iomap_base = 0;

	flags = v.flags & ASYNC_DEPRECATED;

	if (flags && __ratelimit(&depr_flags))
		pr_warn("%s: '%s' is using deprecated serial flags (with no effect): %.8x\n",
			__func__, get_task_comm(comm, current), flags);
	if (!tty->ops->set_serial)
		return -ENOTTY;
	return tty->ops->set_serial(tty, &v);
}
2726 
/*
 * Compat TIOCGSERIAL: fetch the driver's serial_struct, narrow it to a
 * serial_struct32 and copy that to user space.
 *
 * Returns -ENOTTY if the driver has no get_serial method, a non-zero driver
 * result unchanged, -EFAULT if the copy fails, and 0 otherwise.
 */
static int compat_tty_tiocgserial(struct tty_struct *tty,
			struct serial_struct32 __user *ss)
{
	struct serial_struct32 v32;
	struct serial_struct v;
	int err;

	/*
	 * Both structures are zeroed up front, so anything that is not
	 * filled in below reaches user space as zero rather than as stale
	 * stack contents.
	 */
	memset(&v, 0, sizeof(v));
	memset(&v32, 0, sizeof(v32));

	if (!tty->ops->get_serial)
		return -ENOTTY;
	err = tty->ops->get_serial(tty, &v);
	if (!err) {
		memcpy(&v32, &v, offsetof(struct serial_struct32, iomem_base));
		/*
		 * An address with bits above the low 32 set is replaced by a
		 * fixed value instead of being truncated.
		 * NOTE(review): that value is written with seven hex digits
		 * (0x0fffffff); 0xffffffff may have been intended - confirm.
		 */
		v32.iomem_base = (unsigned long)v.iomem_base >> 32 ?
			0xfffffff : ptr_to_compat(v.iomem_base);
		v32.iomem_reg_shift = v.iomem_reg_shift;
		v32.port_high = v.port_high;
		if (copy_to_user(ss, &v32, sizeof(v32)))
			err = -EFAULT;
	}
	return err;
}
/*
 * compat ioctl entry point for tty files.
 *
 * The first switch sorts the commands the native path can serve: those in
 * the first group go to tty_ioctl() with arg converted through
 * compat_ptr(), those in the second group go to tty_ioctl() with arg
 * unchanged. TIOCSSERIAL and TIOCGSERIAL have compat-specific handlers.
 * Everything else is offered to the driver's compat_ioctl method and then
 * to the line discipline.
 *
 * Returns -EINVAL if the paranoia check rejects the tty, -ENOIOCTLCMD if
 * nobody claims the command, otherwise the handler's result.
 */
static long tty_compat_ioctl(struct file *file, unsigned int cmd,
				unsigned long arg)
{
	struct tty_struct *tty = file_tty(file);
	struct tty_ldisc *ld;
	int retval = -ENOIOCTLCMD;

	switch (cmd) {
	case TIOCOUTQ:
	case TIOCSTI:
	case TIOCGWINSZ:
	case TIOCSWINSZ:
	case TIOCGEXCL:
	case TIOCGETD:
	case TIOCSETD:
	case TIOCGDEV:
	case TIOCMGET:
	case TIOCMSET:
	case TIOCMBIC:
	case TIOCMBIS:
	case TIOCGICOUNT:
	case TIOCGPGRP:
	case TIOCSPGRP:
	case TIOCGSID:
	case TIOCSERGETLSR:
	case TIOCGRS485:
	case TIOCSRS485:
#ifdef TIOCGETP
	case TIOCGETP:
	case TIOCSETP:
	case TIOCSETN:
#endif
#ifdef TIOCGETC
	case TIOCGETC:
	case TIOCSETC:
#endif
#ifdef TIOCGLTC
	case TIOCGLTC:
	case TIOCSLTC:
#endif
	case TCSETSF:
	case TCSETSW:
	case TCSETS:
	case TCGETS:
#ifdef TCGETS2
	case TCGETS2:
	case TCSETSF2:
	case TCSETSW2:
	case TCSETS2:
#endif
	case TCGETA:
	case TCSETAF:
	case TCSETAW:
	case TCSETA:
	case TIOCGLCKTRMIOS:
	case TIOCSLCKTRMIOS:
#ifdef TCGETX
	case TCGETX:
	case TCSETX:
	case TCSETXW:
	case TCSETXF:
#endif
	case TIOCGSOFTCAR:
	case TIOCSSOFTCAR:

	case PPPIOCGCHAN:
	case PPPIOCGUNIT:
		/* arg is treated as a user pointer for this group. */
		return tty_ioctl(file, cmd, (unsigned long)compat_ptr(arg));
	case TIOCCONS:
	case TIOCEXCL:
	case TIOCNXCL:
	case TIOCVHANGUP:
	case TIOCSBRK:
	case TIOCCBRK:
	case TCSBRK:
	case TCSBRKP:
	case TCFLSH:
	case TIOCGPTPEER:
	case TIOCNOTTY:
	case TIOCSCTTY:
	case TCXONC:
	case TIOCMIWAIT:
	case TIOCSERCONFIG:
		/* arg is passed through unconverted for this group. */
		return tty_ioctl(file, cmd, arg);
	}

	if (tty_paranoia_check(tty, file_inode(file), "tty_ioctl"))
		return -EINVAL;

	switch (cmd) {
	case TIOCSSERIAL:
		return compat_tty_tiocsserial(tty, compat_ptr(arg));
	case TIOCGSERIAL:
		return compat_tty_tiocgserial(tty, compat_ptr(arg));
	}
	if (tty->ops->compat_ioctl) {
		retval = tty->ops->compat_ioctl(tty, cmd, arg);
		if (retval != -ENOIOCTLCMD)
			return retval;
	}

	ld = tty_ldisc_ref_wait(tty);
	if (!ld)
		return hung_up_tty_compat_ioctl(file, cmd, arg);
	if (ld->ops->compat_ioctl)
		retval = ld->ops->compat_ioctl(tty, file, cmd, arg);
	/*
	 * Fall back to the line discipline's native ioctl method.
	 * NOTE(review): compat_ptr() is applied to cmd here while arg goes
	 * through unconverted; the pointer-argument group above converts
	 * arg instead. The conversion looks like it is on the wrong
	 * operand - confirm before changing.
	 */
	if (retval == -ENOIOCTLCMD && ld->ops->ioctl)
		retval = ld->ops->ioctl(tty, file,
				(unsigned long)compat_ptr(cmd), arg);
	tty_ldisc_deref(ld);

	return retval;
}
2864 #endif
2865 
/*
 * iterate_fd() callback used by __do_SAK(): reports whether @file is an open
 * file on the tty @t.
 *
 * Returns 0 for "no match" and fd + 1 for a match, so that a match on
 * descriptor 0 can still be told apart from no match.
 */
static int this_tty(const void *t, struct file *file, unsigned fd)
{
	/* Only files whose read method is tty_read can be tty files. */
	if (likely(file->f_op->read != tty_read))
		return 0;
	if (file_tty(file) != t)
		return 0;

	return fd + 1;
}
2872 
/*
 * This implements the "Secure Attention Key" ---  the idea is to
 * prevent trojan horses by killing all processes associated with this
 * tty when the user hits the "Secure Attention Key".  Required for
 * super-paranoid applications --- see the Orange Book for more details.
 *
 * This code could be nicer; ideally it should send a HUP, wait a few
 * seconds, then send a INT, and then a KILL signal.  But you then
 * have to coordinate with the init process, since all processes associated
 * with the current tty must be dead before the new getty is allowed
 * to spawn.
 *
 * Now, if it would be correct ;-/ The current code has a nasty hole -
 * it doesn't catch files in flight. We may send the descriptor to ourselves
 * via AF_UNIX socket, close it and later fetch from socket. FIXME.
 *
 * Nasty bug: do_SAK is being called in interrupt context.  This can
 * deadlock.  We punt it up to process context.  AKPM - 16Mar2001
 *
 * Three passes select the victims: every task in the tty's session, every
 * task whose controlling tty is this tty, and every task that has the tty
 * open on some file descriptor. Each kill is logged through tty_notice()
 * with the pid, the command name and the reason it was selected, which is
 * what to look for when reconstructing a SAK event from the kernel log.
 *
 * NOTE(review): with TTY_SOFT_SAK defined only tty_hangup() is called, and
 * the NULL check on @tty lives in the other branch - confirm that callers
 * of this non-static function never pass NULL in that configuration.
 */
void __do_SAK(struct tty_struct *tty)
{
#ifdef TTY_SOFT_SAK
	tty_hangup(tty);
#else
	struct task_struct *g, *p;
	struct pid *session;
	int		i;
	unsigned long flags;

	if (!tty)
		return;

	/* Take a reference on the session pid under ctrl_lock; dropped at the end. */
	spin_lock_irqsave(&tty->ctrl_lock, flags);
	session = get_pid(tty->session);
	spin_unlock_irqrestore(&tty->ctrl_lock, flags);

	tty_ldisc_flush(tty);

	tty_driver_flush_buffer(tty);

	/* tasklist_lock is held for reading across both walks below. */
	read_lock(&tasklist_lock);
	/* Kill the entire session */
	do_each_pid_task(session, PIDTYPE_SID, p) {
		tty_notice(tty, "SAK: killed process %d (%s): by session\n",
			   task_pid_nr(p), p->comm);
		group_send_sig_info(SIGKILL, SEND_SIG_PRIV, p, PIDTYPE_SID);
	} while_each_pid_task(session, PIDTYPE_SID, p);

	/* Now kill any processes that happen to have the tty open */
	do_each_thread(g, p) {
		if (p->signal->tty == tty) {
			tty_notice(tty, "SAK: killed process %d (%s): by controlling tty\n",
				   task_pid_nr(p), p->comm);
			group_send_sig_info(SIGKILL, SEND_SIG_PRIV, p, PIDTYPE_SID);
			continue;
		}
		/* The descriptor table is scanned with the task locked. */
		task_lock(p);
		/* this_tty() returns fd + 1 on a match, hence the i - 1 below. */
		i = iterate_fd(p->files, 0, this_tty, tty);
		if (i != 0) {
			tty_notice(tty, "SAK: killed process %d (%s): by fd#%d\n",
				   task_pid_nr(p), p->comm, i - 1);
			group_send_sig_info(SIGKILL, SEND_SIG_PRIV, p, PIDTYPE_SID);
		}
		task_unlock(p);
	} while_each_thread(g, p);
	read_unlock(&tasklist_lock);
	put_pid(session);
#endif
}
2942 
/*
 * Work item handler for tty->SAK_work: recovers the tty that embeds @work
 * and runs __do_SAK() on it.
 */
static void do_SAK_work(struct work_struct *work)
{
	__do_SAK(container_of(work, struct tty_struct, SAK_work));
}
2949 
/*
 * Request a Secure Attention Key pass on @tty by queueing its SAK_work item;
 * the work itself is done by do_SAK_work(). A NULL @tty is ignored.
 *
 * The tq handling here is a little racy - tty->SAK_work may already be queued.
 * Fortunately we don't need to worry, because if ->SAK_work is already queued,
 * the values which we write to it will be identical to the values which it
 * already has. --akpm
 */
void do_SAK(struct tty_struct *tty)
{
	if (tty)
		schedule_work(&tty->SAK_work);
}

EXPORT_SYMBOL(do_SAK);
2964 
/*
 * Look up the struct device registered in tty_class for this tty's device
 * number. Must put_device() after it's unused!
 */
static struct device *tty_get_device(struct tty_struct *tty)
{
	return class_find_device_by_devt(tty_class, tty_devnum(tty));
}
2971 
2972 
/**
 *	alloc_tty_struct
 *	@driver: driver the new tty belongs to
 *	@idx: line index of the tty within @driver
 *
 *	This subroutine allocates and initializes a tty structure.
 *
 *	Returns the new tty, or NULL if the allocation or tty_ldisc_init()
 *	fails.
 *
 *	Locking: none - tty in question is not exposed at this point
 */

struct tty_struct *alloc_tty_struct(struct tty_driver *driver, int idx)
{
	struct tty_struct *tty;

	/* kzalloc(): every field not set below starts out as zero. */
	tty = kzalloc(sizeof(*tty), GFP_KERNEL);
	if (!tty)
		return NULL;

	kref_init(&tty->kref);
	tty->magic = TTY_MAGIC;
	/* Nothing else has been set up yet, so a plain kfree() undoes it all. */
	if (tty_ldisc_init(tty)) {
		kfree(tty);
		return NULL;
	}
	/* Already NULL from kzalloc(); spelled out for the reader. */
	tty->session = NULL;
	tty->pgrp = NULL;
	mutex_init(&tty->legacy_mutex);
	mutex_init(&tty->throttle_mutex);
	init_rwsem(&tty->termios_rwsem);
	mutex_init(&tty->winsize_mutex);
	init_ldsem(&tty->ldisc_sem);
	init_waitqueue_head(&tty->write_wait);
	init_waitqueue_head(&tty->read_wait);
	INIT_WORK(&tty->hangup_work, do_tty_hangup);
	mutex_init(&tty->atomic_write_lock);
	spin_lock_init(&tty->ctrl_lock);
	spin_lock_init(&tty->flow_lock);
	spin_lock_init(&tty->files_lock);
	INIT_LIST_HEAD(&tty->tty_files);
	/* do_SAK() queues this item; do_SAK_work() runs it. */
	INIT_WORK(&tty->SAK_work, do_SAK_work);

	tty->driver = driver;
	tty->ops = driver->ops;
	tty->index = idx;
	tty_line_name(driver, idx, tty->name);
	/* tty_get_device() returns a reference that needs put_device() later. */
	tty->dev = tty_get_device(tty);

	return tty;
}
3020 
/**
 *	tty_put_char	-	write one character to a tty
 *	@tty: tty
 *	@ch: character
 *
 *	Writes one byte through the driver's put_char method when it has
 *	one, and through a one-byte call to its write method otherwise.
 *	Returns the number of characters successfully output.
 *
 *	The write method is called without a NULL check, so the driver is
 *	assumed to provide it (confirm against how drivers are registered).
 *
 *	Note: the specific put_char operation in the driver layer may go
 *	away soon. Don't call it directly, use this method
 */

int tty_put_char(struct tty_struct *tty, unsigned char ch)
{
	if (!tty->ops->put_char)
		return tty->ops->write(tty, &ch, 1);

	return tty->ops->put_char(tty, ch);
}
EXPORT_SYMBOL_GPL(tty_put_char);
3040 
/* Device class in which tty devices are looked up (see tty_get_device()). */
struct class *tty_class;
3042 
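/*
 * Allocate a fresh cdev for slot @index of @driver, point it at tty_fops and
 * add it for @count minors starting at @dev.
 *
 * Returns 0 on success, -ENOMEM if the cdev cannot be allocated, or the
 * error from cdev_add(). On any failure driver->cdevs[index] is left NULL,
 * so later code that tests the slot never sees a pointer to a cdev whose
 * reference has already been dropped.
 */
static int tty_cdev_add(struct tty_driver *driver, dev_t dev,
		unsigned int index, unsigned int count)
{
	struct cdev *cdev;
	int err;

	/* init here, since reused cdevs cause crashes */
	cdev = cdev_alloc();
	driver->cdevs[index] = cdev;
	if (!cdev)
		return -ENOMEM;
	cdev->ops = &tty_fops;
	cdev->owner = driver->owner;
	err = cdev_add(cdev, dev, count);
	if (err) {
		/* Drop the reference from cdev_alloc() and forget the pointer. */
		kobject_put(&cdev->kobj);
		driver->cdevs[index] = NULL;
	}
	return err;
}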
3059 
/**
 *	tty_register_device - register a tty device
 *	@driver: the tty driver that describes the tty device
 *	@index: the index in the tty driver for this tty device
 *	@device: a struct device that is associated with this tty device.
 *		This field is optional, if there is no known struct device
 *		for this tty device it can be set to NULL safely.
 *
 *	Shorthand for tty_register_device_attr() with neither driver data
 *	nor an attribute group.
 *
 *	Returns a pointer to the struct device for this tty device
 *	(or ERR_PTR(-EFOO) on error).
 *
 *	This call is required to be made to register an individual tty device
 *	if the tty driver's flags have the TTY_DRIVER_DYNAMIC_DEV bit set.  If
 *	that bit is not set, this function should not be called by a tty
 *	driver.
 *
 *	Locking: ??
 */

struct device *tty_register_device(struct tty_driver *driver, unsigned index,
				   struct device *device)
{
	struct device *registered;

	registered = tty_register_device_attr(driver, index, device,
					      NULL, NULL);

	return registered;
}
EXPORT_SYMBOL(tty_register_device);
3085 
/*
 * Installed as dev->release by tty_register_device_attr(); frees the
 * struct device that function allocated with kzalloc().
 */
static void tty_device_create_release(struct device *dev)
{
	dev_dbg(dev, "releasing...\n");
	kfree(dev);
}
3091 
3092 /**
3093  *	tty_register_device_attr - register a tty device
3094  *	@driver: the tty driver that describes the tty device
3095  *	@index: the index in the tty driver for this tty device
3096  *	@device: a struct device that is associated with this tty device.
3097  *		This field is optional, if there is no known struct device
3098  *		for this tty device it can be set to NULL safely.
3099  *	@drvdata: Driver data to be set to device.
3100  *	@attr_grp: Attribute group to be set on device.
3101  *
3102  *	Returns a pointer to the struct device for this tty device
3103  *	(or ERR_PTR(-EFOO) on error).
3104  *
3105  *	This call is required to be made to register an individual tty device
3106  *	if the tty driver's flags have the TTY_DRIVER_DYNAMIC_DEV bit set.  If
3107  *	that bit is not set, this function should not be called by a tty
3108  *	driver.
3109  *
3110  *	Locking: ??
3111  */
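struct device *tty_register_device_attr(struct tty_driver *driver,
				   unsigned index, struct device *device,
				   void *drvdata,
				   const struct attribute_group **attr_grp)
{
	char name[64];
	dev_t devt = MKDEV(driver->major, driver->minor_start) + index;
	struct ktermios *tp;
	struct device *dev;
	int retval;

	/* Reject line numbers at or beyond the driver's declared line count. */
	if (index >= driver->num) {
		/* index is unsigned, so it is printed with %u rather than %d */
		pr_err("%s: Attempt to register invalid tty line number (%u)\n",
		       driver->name, index);
		return ERR_PTR(-EINVAL);
	}

	/*
	 * NOTE(review): the name helpers receive no buffer length and are
	 * defined outside this function; confirm that driver->name plus the
	 * line suffix always fits in name[].
	 */
	if (driver->type == TTY_DRIVER_TYPE_PTY)
		pty_line_name(driver, index, name);
	else
		tty_line_name(driver, index, name);

	dev = kzalloc(sizeof(*dev), GFP_KERNEL);
	if (!dev)
		return ERR_PTR(-ENOMEM);

	dev->devt = devt;
	dev->class = tty_class;
	dev->parent = device;
	dev->release = tty_device_create_release;
	dev_set_name(dev, "%s", name);
	dev->groups = attr_grp;
	dev_set_drvdata(dev, drvdata);

	/* Hold back the ADD uevent until the cdev below has been added. */
	dev_set_uevent_suppress(dev, 1);

	retval = device_register(dev);
	if (retval)
		goto err_put;

	if (!(driver->flags & TTY_DRIVER_DYNAMIC_ALLOC)) {
		/*
		 * Free any saved termios data so that the termios state is
		 * reset when reusing a minor number.
		 */
		tp = driver->termios[index];
		if (tp) {
			driver->termios[index] = NULL;
			kfree(tp);
		}

		retval = tty_cdev_add(driver, devt, index, 1);
		if (retval)
			goto err_del;
	}

	dev_set_uevent_suppress(dev, 0);
	kobject_uevent(&dev->kobj, KOBJ_ADD);

	return dev;

err_del:
	device_del(dev);
err_put:
	/* dev is not kfree()d here; dev->release is set to free it */
	put_device(dev);

	return ERR_PTR(retval);
}
EXPORT_SYMBOL_GPL(tty_register_device_attr);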
3181 
3182 /**
3183  * 	tty_unregister_device - unregister a tty device
3184  * 	@driver: the tty driver that describes the tty device
3185  * 	@index: the index in the tty driver for this tty device
3186  *
3187  * 	If a tty device is registered with a call to tty_register_device() then
3188  *	this function must be called when the tty device is gone.
3189  *
3190  *	Locking: ??
3191  */
3192 
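void tty_unregister_device(struct tty_driver *driver, unsigned index)
{
	/*
	 * NOTE(review): @index is not range-checked here; the caller must
	 * pass a line number below driver->num.
	 */
	device_destroy(tty_class,
		MKDEV(driver->major, driver->minor_start) + index);
	if (!(driver->flags & TTY_DRIVER_DYNAMIC_ALLOC)) {
		/*
		 * The slot is cleared after every unregistration, so a NULL
		 * entry means there is no cdev left to delete for this line;
		 * skip it instead of passing NULL to cdev_del().
		 */
		if (driver->cdevs[index]) {
			cdev_del(driver->cdevs[index]);
			driver->cdevs[index] = NULL;
		}
	}
}
EXPORT_SYMBOL(tty_unregister_device);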
3203 
3204 /**
3205  * __tty_alloc_driver -- allocate tty driver
3206  * @lines: count of lines this driver can handle at most
3207  * @owner: module which is responsible for this driver
3208  * @flags: some of TTY_DRIVER_* flags, will be set in driver->flags
3209  *
3210  * This should not be called directly, some of the provided macros should be
3211  * used instead. Use IS_ERR and friends on @retval.
3212  */
struct tty_driver *__tty_alloc_driver(unsigned int lines, struct module *owner,
		unsigned long flags)
{
	struct tty_driver *drv;
	unsigned int nr_cdevs;
	int err = -ENOMEM;	/* every failure after kzalloc() is an allocation failure */

	/* At least one line is required; an unnumbered node allows exactly one. */
	if (!lines)
		return ERR_PTR(-EINVAL);
	if ((flags & TTY_DRIVER_UNNUMBERED_NODE) && lines > 1)
		return ERR_PTR(-EINVAL);

	drv = kzalloc(sizeof(*drv), GFP_KERNEL);
	if (!drv)
		return ERR_PTR(-ENOMEM);

	kref_init(&drv->kref);
	drv->magic = TTY_DRIVER_MAGIC;
	drv->num = lines;
	drv->owner = owner;
	drv->flags = flags;

	/* ttys[] and termios[] are left NULL when TTY_DRIVER_DEVPTS_MEM is set. */
	if (!(flags & TTY_DRIVER_DEVPTS_MEM)) {
		drv->ttys = kcalloc(lines, sizeof(*drv->ttys), GFP_KERNEL);
		drv->termios = kcalloc(lines, sizeof(*drv->termios),
				GFP_KERNEL);
		if (!drv->ttys || !drv->termios)
			goto err_free_all;
	}

	/*
	 * With TTY_DRIVER_DYNAMIC_ALLOC there is no ports[] array and a
	 * single cdev slot; otherwise there is one port and one cdev slot
	 * per line.
	 */
	if (flags & TTY_DRIVER_DYNAMIC_ALLOC) {
		nr_cdevs = 1;
	} else {
		drv->ports = kcalloc(lines, sizeof(*drv->ports), GFP_KERNEL);
		if (!drv->ports)
			goto err_free_all;
		nr_cdevs = lines;
	}

	drv->cdevs = kcalloc(nr_cdevs, sizeof(*drv->cdevs), GFP_KERNEL);
	if (!drv->cdevs)
		goto err_free_all;

	return drv;

err_free_all:
	/* drv came from kzalloc(), so arrays never allocated are still NULL */
	kfree(drv->ports);
	kfree(drv->ttys);
	kfree(drv->termios);
	kfree(drv->cdevs);
	kfree(drv);
	return ERR_PTR(err);
}
EXPORT_SYMBOL(__tty_alloc_driver);
3270 
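/*
 * kref release function for a tty driver (passed to kref_put() by
 * tty_driver_kref_put()). For an installed driver it frees saved termios,
 * unregisters the per-line devices unless TTY_DRIVER_DYNAMIC_DEV is set,
 * removes the proc entry and deletes the shared cdev used with
 * TTY_DRIVER_DYNAMIC_ALLOC; then it frees the driver's arrays and the
 * driver itself.
 */
static void destruct_tty_driver(struct kref *kref)
{
	struct tty_driver *driver = container_of(kref, struct tty_driver, kref);
	int i;
	struct ktermios *tp;

	if (driver->flags & TTY_DRIVER_INSTALLED) {
		for (i = 0; i < driver->num; i++) {
			/*
			 * __tty_alloc_driver() does not allocate termios[]
			 * when TTY_DRIVER_DEVPTS_MEM is set, so only index
			 * the array when it exists.
			 */
			tp = driver->termios ? driver->termios[i] : NULL;
			if (tp) {
				driver->termios[i] = NULL;
				kfree(tp);
			}
			if (!(driver->flags & TTY_DRIVER_DYNAMIC_DEV))
				tty_unregister_device(driver, i);
		}
		proc_tty_unregister_driver(driver);
		if (driver->flags & TTY_DRIVER_DYNAMIC_ALLOC)
			cdev_del(driver->cdevs[0]);
	}
	kfree(driver->cdevs);
	kfree(driver->ports);
	kfree(driver->termios);
	kfree(driver->ttys);
	kfree(driver);
}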
3297 
/*
 * Drop one reference on @driver. destruct_tty_driver() is the release
 * function handed to kref_put(), so the caller must not touch @driver
 * after this call unless it holds another reference.
 */
void tty_driver_kref_put(struct tty_driver *driver)
{
	kref_put(&driver->kref, destruct_tty_driver);
}
EXPORT_SYMBOL(tty_driver_kref_put);
3303 
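/*
 * Point @driver at its operations table. Only the pointer is stored, so
 * @op has to stay valid for as long as the driver uses it.
 */
void tty_set_operations(struct tty_driver *driver,
			const struct tty_operations *op)
{
	driver->ops = op;
}
EXPORT_SYMBOL(tty_set_operations);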
3310 
/* Alias for tty_driver_kref_put(): drops one reference on @d. */
void put_tty_driver(struct tty_driver *d)
{
	tty_driver_kref_put(d);
}
EXPORT_SYMBOL(put_tty_driver);
3316 
3317 /*
3318  * Called by a tty driver to register itself.
3319  */
int tty_register_driver(struct tty_driver *driver)
{
	struct device *d;
	dev_t dev;
	int error;
	int i;

	if (driver->major) {
		/* Fixed major: claim exactly the range the driver describes. */
		dev = MKDEV(driver->major, driver->minor_start);
		error = register_chrdev_region(dev, driver->num, driver->name);
	} else {
		/* No major given: have one assigned and record it in the driver. */
		error = alloc_chrdev_region(&dev, driver->minor_start,
						driver->num, driver->name);
		if (!error) {
			driver->major = MAJOR(dev);
			driver->minor_start = MINOR(dev);
		}
	}
	if (error < 0)
		goto err;

	/* With dynamic allocation a single cdev in slot 0 covers all minors. */
	if (driver->flags & TTY_DRIVER_DYNAMIC_ALLOC) {
		error = tty_cdev_add(driver, dev, 0, driver->num);
		if (error)
			goto err_unreg_char;
	}

	mutex_lock(&tty_mutex);
	list_add(&driver->tty_drivers, &tty_drivers);
	mutex_unlock(&tty_mutex);

	/* Drivers without TTY_DRIVER_DYNAMIC_DEV get every line registered now. */
	if (!(driver->flags & TTY_DRIVER_DYNAMIC_DEV)) {
		for (i = 0; i < driver->num; i++) {
			d = tty_register_device(driver, i, NULL);
			if (!IS_ERR(d))
				continue;
			error = PTR_ERR(d);
			goto err_unreg_devs;
		}
	}
	proc_tty_register_driver(driver);
	driver->flags |= TTY_DRIVER_INSTALLED;
	return 0;

	/*
	 * NOTE(review): the unwind below never calls cdev_del() for the cdev
	 * added under TTY_DRIVER_DYNAMIC_ALLOC, and a major assigned by
	 * alloc_chrdev_region() stays in driver->major; confirm whether the
	 * err_unreg_devs path can be reached with that flag set.
	 */
err_unreg_devs:
	/* i is the line that failed; undo only the lines registered before it */
	for (i--; i >= 0; i--)
		tty_unregister_device(driver, i);

	mutex_lock(&tty_mutex);
	list_del(&driver->tty_drivers);
	mutex_unlock(&tty_mutex);

err_unreg_char:
	unregister_chrdev_region(dev, driver->num);
err:
	return error;
}
EXPORT_SYMBOL(tty_register_driver);
3378 
3379 /*
3380  * Called by a tty driver to unregister itself.
3381  */
int tty_unregister_driver(struct tty_driver *driver)
{
	/*
	 * The busy check below is compiled out, so nothing in this function
	 * refuses to unregister a driver that is still in use; it always
	 * returns 0.
	 * NOTE(review): callers are presumably expected to make sure no tty
	 * of this driver is still open - confirm.
	 */
#if 0
	/* FIXME */
	if (driver->refcount)
		return -EBUSY;
#endif
	/* Give back the device number range, then drop the driver from the list. */
	unregister_chrdev_region(MKDEV(driver->major, driver->minor_start),
				driver->num);

	mutex_lock(&tty_mutex);
	list_del(&driver->tty_drivers);
	mutex_unlock(&tty_mutex);

	return 0;
}
EXPORT_SYMBOL(tty_unregister_driver);
3398 
/*
 * Device number of @tty: the driver's first device number (major and
 * minor_start) advanced by the tty's line index.
 */
dev_t tty_devnum(struct tty_struct *tty)
{
	dev_t base = MKDEV(tty->driver->major, tty->driver->minor_start);

	return base + tty->index;
}
EXPORT_SYMBOL(tty_devnum);
3404 
/*
 * Copy the tty file operations table into the caller's structure. The
 * caller receives its own copy by value, not a pointer to tty_fops.
 */
void tty_default_fops(struct file_operations *fops)
{
	*fops = tty_fops;
}
3409 
/*
 * devnode callback of the tty class (installed in tty_class_init()).
 *
 * When the caller asks for a mode, the nodes at (TTYAUX_MAJOR, 0) and
 * (TTYAUX_MAJOR, 2) are given 0666, i.e. read/write for every user; all
 * other devices keep the mode the caller passed in. Minor 0 is the "tty"
 * node created in tty_init(); minor 2 is not created in this part of the
 * file (presumably the pty multiplexer node - confirm).
 *
 * Returns NULL in every case.
 */
static char *tty_devnode(struct device *dev, umode_t *mode)
{
	if (mode) {
		if (dev->devt == MKDEV(TTYAUX_MAJOR, 0) ||
		    dev->devt == MKDEV(TTYAUX_MAJOR, 2))
			*mode = 0666;
	}

	return NULL;
}
3419 
/*
 * Create the "tty" device class and hook up tty_devnode() as its devnode
 * callback. Registered as a postcore initcall.
 *
 * Returns 0 on success or the error encoded in the class_create() result.
 * Note that on failure tty_class keeps that error-pointer value; it is not
 * reset to NULL.
 */
static int __init tty_class_init(void)
{
	tty_class = class_create(THIS_MODULE, "tty");
	if (!IS_ERR(tty_class)) {
		tty_class->devnode = tty_devnode;
		return 0;
	}

	return PTR_ERR(tty_class);
}

postcore_initcall(tty_class_init);
3430 
/*
 * 3/2004 jmc: why do these devices exist?
 *
 * tty_init() adds them at (TTYAUX_MAJOR, 0) and (TTYAUX_MAJOR, 1), with
 * tty_fops and console_fops respectively.
 */
static struct cdev tty_cdev;
static struct cdev console_cdev;
3433 
/*
 * sysfs show handler for the console device's "active" attribute.
 *
 * Collects up to ARRAY_SIZE(cs) consoles that have a device hook, a write
 * hook and CON_ENABLED set, then prints their names in reverse collection
 * order, separated by spaces and ended with a newline. Returns the number
 * of bytes written to @buf.
 *
 * NOTE(review): every write into @buf is an unbounded sprintf() or
 * tty_line_name() call; the 16-entry cap on cs[] is the only thing here
 * that limits the total. Bounded formatting helpers would make the limit
 * explicit - confirm the worst-case length against the sysfs buffer size.
 */
static ssize_t show_cons_active(struct device *dev,
				struct device_attribute *attr, char *buf)
{
	struct console *cs[16];
	struct console *c;
	ssize_t count = 0;
	int i = 0;

	console_lock();
	for_each_console(c) {
		if (!c->device || !c->write || (c->flags & CON_ENABLED) == 0)
			continue;
		cs[i++] = c;
		/* stop before i can index past the end of cs[] */
		if (i >= ARRAY_SIZE(cs))
			break;
	}
	while (i--) {
		int index = cs[i]->index;
		struct tty_driver *drv = cs[i]->device(cs[i], &index);
		char sep = i ? ' ' : '\n';

		/* don't resolve tty0 as some programs depend on it */
		if (drv && (cs[i]->index > 0 || drv->major != TTY_MAJOR))
			count += tty_line_name(drv, index, buf + count);
		else
			count += sprintf(buf + count, "%s%d",
					 cs[i]->name, cs[i]->index);

		count += sprintf(buf + count, "%c", sep);
	}
	console_unlock();

	return count;
}
/*
 * "active" attribute served by show_cons_active(); no store handler.
 * Mode 0444 (the value of S_IRUGO): readable by everyone, writable by
 * nobody.
 */
static DEVICE_ATTR(active, 0444, show_cons_active, NULL);

static struct attribute *cons_dev_attrs[] = {
	&dev_attr_active.attr,
	NULL
};

ATTRIBUTE_GROUPS(cons_dev);

/* Console device created in tty_init(); NULL if that creation failed. */
static struct device *consdev;
3481 
/*
 * Signal a change of the console device's "active" attribute through
 * sysfs_notify(). Does nothing while consdev is NULL.
 */
void console_sysfs_notify(void)
{
	if (!consdev)
		return;

	sysfs_notify(&consdev->kobj, NULL, "active");
}
3487 
3488 /*
3489  * Ok, now we can initialize the rest of the tty devices and can count
3490  * on memory allocations, interrupts etc..
3491  */
int __init tty_init(void)
{
	tty_sysctl_init();

	/* (TTYAUX_MAJOR, 0): the "tty" node, backed by tty_fops */
	cdev_init(&tty_cdev, &tty_fops);
	if (cdev_add(&tty_cdev, MKDEV(TTYAUX_MAJOR, 0), 1))
		panic("Couldn't register /dev/tty driver\n");
	if (register_chrdev_region(MKDEV(TTYAUX_MAJOR, 0), 1, "/dev/tty") < 0)
		panic("Couldn't register /dev/tty driver\n");
	/* NOTE(review): the result of this device_create() is not checked */
	device_create(tty_class, NULL, MKDEV(TTYAUX_MAJOR, 0), NULL, "tty");

	/* (TTYAUX_MAJOR, 1): the "console" node, backed by console_fops */
	cdev_init(&console_cdev, &console_fops);
	if (cdev_add(&console_cdev, MKDEV(TTYAUX_MAJOR, 1), 1))
		panic("Couldn't register /dev/console driver\n");
	if (register_chrdev_region(MKDEV(TTYAUX_MAJOR, 1), 1, "/dev/console") < 0)
		panic("Couldn't register /dev/console driver\n");
	consdev = device_create_with_groups(tty_class, NULL,
					    MKDEV(TTYAUX_MAJOR, 1), NULL,
					    cons_dev_groups, "console");
	/* keep consdev NULL on failure so console_sysfs_notify() skips it */
	if (IS_ERR(consdev))
		consdev = NULL;

#ifdef CONFIG_VT
	vty_init(&console_fops);
#endif
	return 0;
}
3516 
3517