tty/vt/vt_ioctl.c

0001 // SPDX-License-Identifier: GPL-2.0
0002 /*
0003  *  Copyright (C) 1992 obz under the linux copyright
0004  *
0005  *  Dynamic diacritical handling - aeb@cwi.nl - Dec 1993
0006  *  Dynamic keymap and string allocation - aeb@cwi.nl - May 1994
0007  *  Restrict VT switching via ioctl() - grif@cs.ucr.edu - Dec 1995
0008  *  Some code moved for less code duplication - Andi Kleen - Mar 1997
0009  *  Check put/get_user, cleanups - acme@conectiva.com.br - Jun 2001
0010  */
0011
0012 #include <linux/types.h>
0013 #include <linux/errno.h>
0014 #include <linux/sched/signal.h>
0015 #include <linux/tty.h>
0016 #include <linux/timer.h>
0017 #include <linux/kernel.h>
0018 #include <linux/compat.h>
0019 #include <linux/module.h>
0020 #include <linux/kd.h>
0021 #include <linux/vt.h>
0022 #include <linux/string.h>
0023 #include <linux/slab.h>
0024 #include <linux/major.h>
0025 #include <linux/fs.h>
0026 #include <linux/console.h>
0027 #include <linux/consolemap.h>
0028 #include <linux/signal.h>
0029 #include <linux/suspend.h>
0030 #include <linux/timex.h>
0031
0032 #include <asm/io.h>
0033 #include <linux/uaccess.h>
0034
0035 #include <linux/nospec.h>
0036
0037 #include <linux/kbd_kern.h>
0038 #include <linux/vt_kern.h>
0039 #include <linux/kbd_diacr.h>
0040 #include <linux/selection.h>
0041
0042 bool vt_dont_switch;
0043
0044 static inline bool vt_in_use(unsigned int i)
0045 {
0046     const struct vc_data *vc = vc_cons[i].d;
0047
0048     /*
0049      * console_lock must be held to prevent the vc from being deallocated
0050      * while we're checking whether it's in-use.
0051      */
0052     WARN_CONSOLE_UNLOCKED();
0053
0054     return vc && kref_read(&vc->port.kref) > 1;
0055 }
0056
0057 static inline bool vt_busy(int i)
0058 {
0059     if (vt_in_use(i))
0060         return true;
0061     if (i == fg_console)
0062         return true;
0063     if (vc_is_sel(vc_cons[i].d))
0064         return true;
0065
0066     return false;
0067 }
0068
0069 /*
0070  * Console (vt and kd) routines, as defined by USL SVR4 manual, and by
0071  * experimentation and study of X386 SYSV handling.
0072  *
0073  * One point of difference: SYSV vt's are /dev/vtX, which X >= 0, and
0074  * /dev/console is a separate ttyp. Under Linux, /dev/tty0 is /dev/console,
0075  * and the vc start at /dev/ttyX, X >= 1. We maintain that here, so we will
0076  * always treat our set of vt as numbered 1..MAX_NR_CONSOLES (corresponding to
0077  * ttys 0..MAX_NR_CONSOLES-1). Explicitly naming VT 0 is illegal, but using
0078  * /dev/tty0 (fg_console) as a target is legal, since an implicit aliasing
0079  * to the current console is done by the main ioctl code.
0080  */
0081
0082 #ifdef CONFIG_X86
0083 #include <asm/syscalls.h>
0084 #endif
0085
0086 static void complete_change_console(struct vc_data *vc);
0087
0088 /*
0089  *  User space VT_EVENT handlers
0090  */
0091
0092 struct vt_event_wait {
0093     struct list_head list;
0094     struct vt_event event;
0095     int done;
0096 };
0097
0098 static LIST_HEAD(vt_events);
0099 static DEFINE_SPINLOCK(vt_event_lock);
0100 static DECLARE_WAIT_QUEUE_HEAD(vt_event_waitqueue);
0101
0102 /**
0103  *  vt_event_post
0104  *  @event: the event that occurred
0105  *  @old: old console
0106  *  @new: new console
0107  *
0108  *  Post an VT event to interested VT handlers
0109  */
0110
0111 void vt_event_post(unsigned int event, unsigned int old, unsigned int new)
0112 {
0113     struct list_head *pos, *head;
0114     unsigned long flags;
0115     int wake = 0;
0116
0117     spin_lock_irqsave(&vt_event_lock, flags);
0118     head = &vt_events;
0119
0120     list_for_each(pos, head) {
0121         struct vt_event_wait *ve = list_entry(pos,
0122                         struct vt_event_wait, list);
0123         if (!(ve->event.event & event))
0124             continue;
0125         ve->event.event = event;
0126         /* kernel view is consoles 0..n-1, user space view is
0127            console 1..n with 0 meaning current, so we must bias */
0128         ve->event.oldev = old + 1;
0129         ve->event.newev = new + 1;
0130         wake = 1;
0131         ve->done = 1;
0132     }
0133     spin_unlock_irqrestore(&vt_event_lock, flags);
0134     if (wake)
0135         wake_up_interruptible(&vt_event_waitqueue);
0136 }
0137
0138 static void __vt_event_queue(struct vt_event_wait *vw)
0139 {
0140     unsigned long flags;
0141     /* Prepare the event */
0142     INIT_LIST_HEAD(&vw->list);
0143     vw->done = 0;
0144     /* Queue our event */
0145     spin_lock_irqsave(&vt_event_lock, flags);
0146     list_add(&vw->list, &vt_events);
0147     spin_unlock_irqrestore(&vt_event_lock, flags);
0148 }
0149
0150 static void __vt_event_wait(struct vt_event_wait *vw)
0151 {
0152     /* Wait for it to pass */
0153     wait_event_interruptible(vt_event_waitqueue, vw->done);
0154 }
0155
0156 static void __vt_event_dequeue(struct vt_event_wait *vw)
0157 {
0158     unsigned long flags;
0159
0160     /* Dequeue it */
0161     spin_lock_irqsave(&vt_event_lock, flags);
0162     list_del(&vw->list);
0163     spin_unlock_irqrestore(&vt_event_lock, flags);
0164 }
0165
0166 /**
0167  *  vt_event_wait       -   wait for an event
0168  *  @vw: our event
0169  *
0170  *  Waits for an event to occur which completes our vt_event_wait
0171  *  structure. On return the structure has wv->done set to 1 for success
0172  *  or 0 if some event such as a signal ended the wait.
0173  */
0174
0175 static void vt_event_wait(struct vt_event_wait *vw)
0176 {
0177     __vt_event_queue(vw);
0178     __vt_event_wait(vw);
0179     __vt_event_dequeue(vw);
0180 }
0181
0182 /**
0183  *  vt_event_wait_ioctl -   event ioctl handler
0184  *  @event: argument to ioctl (the event)
0185  *
0186  *  Implement the VT_WAITEVENT ioctl using the VT event interface
0187  */
0188
0189 static int vt_event_wait_ioctl(struct vt_event __user *event)
0190 {
0191     struct vt_event_wait vw;
0192
0193     if (copy_from_user(&vw.event, event, sizeof(struct vt_event)))
0194         return -EFAULT;
0195     /* Highest supported event for now */
0196     if (vw.event.event & ~VT_MAX_EVENT)
0197         return -EINVAL;
0198
0199     vt_event_wait(&vw);
0200     /* If it occurred report it */
0201     if (vw.done) {
0202         if (copy_to_user(event, &vw.event, sizeof(struct vt_event)))
0203             return -EFAULT;
0204         return 0;
0205     }
0206     return -EINTR;
0207 }
0208
0209 /**
0210  *  vt_waitactive   -   active console wait
0211  *  @n: new console
0212  *
0213  *  Helper for event waits. Used to implement the legacy
0214  *  event waiting ioctls in terms of events
0215  */
0216
0217 int vt_waitactive(int n)
0218 {
0219     struct vt_event_wait vw;
0220     do {
0221         vw.event.event = VT_EVENT_SWITCH;
0222         __vt_event_queue(&vw);
0223         if (n == fg_console + 1) {
0224             __vt_event_dequeue(&vw);
0225             break;
0226         }
0227         __vt_event_wait(&vw);
0228         __vt_event_dequeue(&vw);
0229         if (vw.done == 0)
0230             return -EINTR;
0231     } while (vw.event.newev != n);
0232     return 0;
0233 }
0234
0235 /*
0236  * these are the valid i/o ports we're allowed to change. they map all the
0237  * video ports
0238  */
0239 #define GPFIRST 0x3b4
0240 #define GPLAST 0x3df
0241 #define GPNUM (GPLAST - GPFIRST + 1)
0242
0243 /*
0244  * currently, setting the mode from KD_TEXT to KD_GRAPHICS doesn't do a whole
0245  * lot. i'm not sure if it should do any restoration of modes or what...
0246  *
0247  * XXX It should at least call into the driver, fbdev's definitely need to
0248  * restore their engine state. --BenH
0249  *
0250  * Called with the console lock held.
0251  */
0252 static int vt_kdsetmode(struct vc_data *vc, unsigned long mode)
0253 {
0254     switch (mode) {
0255     case KD_GRAPHICS:
0256         break;
0257     case KD_TEXT0:
0258     case KD_TEXT1:
0259         mode = KD_TEXT;
0260         fallthrough;
0261     case KD_TEXT:
0262         break;
0263     default:
0264         return -EINVAL;
0265     }
0266
0267     if (vc->vc_mode == mode)
0268         return 0;
0269
0270     vc->vc_mode = mode;
0271     if (vc->vc_num != fg_console)
0272         return 0;
0273
0274     /* explicitly blank/unblank the screen if switching modes */
0275     if (mode == KD_TEXT)
0276         do_unblank_screen(1);
0277     else
0278         do_blank_screen(1);
0279
0280     return 0;
0281 }
0282
0283 static int vt_k_ioctl(struct tty_struct *tty, unsigned int cmd,
0284         unsigned long arg, bool perm)
0285 {
0286     struct vc_data *vc = tty->driver_data;
0287     void __user *up = (void __user *)arg;
0288     unsigned int console = vc->vc_num;
0289     int ret;
0290
0291     switch (cmd) {
0292     case KIOCSOUND:
0293         if (!perm)
0294             return -EPERM;
0295         /*
0296          * The use of PIT_TICK_RATE is historic, it used to be
0297          * the platform-dependent CLOCK_TICK_RATE between 2.6.12
0298          * and 2.6.36, which was a minor but unfortunate ABI
0299          * change. kd_mksound is locked by the input layer.
0300          */
0301         if (arg)
0302             arg = PIT_TICK_RATE / arg;
0303         kd_mksound(arg, 0);
0304         break;
0305
0306     case KDMKTONE:
0307         if (!perm)
0308             return -EPERM;
0309     {
0310         unsigned int ticks, count;
0311
0312         /*
0313          * Generate the tone for the appropriate number of ticks.
0314          * If the time is zero, turn off sound ourselves.
0315          */
0316         ticks = msecs_to_jiffies((arg >> 16) & 0xffff);
0317         count = ticks ? (arg & 0xffff) : 0;
0318         if (count)
0319             count = PIT_TICK_RATE / count;
0320         kd_mksound(count, ticks);
0321         break;
0322     }
0323
0324     case KDGKBTYPE:
0325         /*
0326          * this is naïve.
0327          */
0328         return put_user(KB_101, (char __user *)arg);
0329
0330         /*
0331          * These cannot be implemented on any machine that implements
0332          * ioperm() in user level (such as Alpha PCs) or not at all.
0333          *
0334          * XXX: you should never use these, just call ioperm directly..
0335          */
0336 #ifdef CONFIG_X86
0337     case KDADDIO:
0338     case KDDELIO:
0339         /*
0340          * KDADDIO and KDDELIO may be able to add ports beyond what
0341          * we reject here, but to be safe...
0342          *
0343          * These are locked internally via sys_ioperm
0344          */
0345         if (arg < GPFIRST || arg > GPLAST)
0346             return -EINVAL;
0347
0348         return ksys_ioperm(arg, 1, (cmd == KDADDIO)) ? -ENXIO : 0;
0349
0350     case KDENABIO:
0351     case KDDISABIO:
0352         return ksys_ioperm(GPFIRST, GPNUM,
0353                   (cmd == KDENABIO)) ? -ENXIO : 0;
0354 #endif
0355
0356     /* Linux m68k/i386 interface for setting the keyboard delay/repeat rate */
0357
0358     case KDKBDREP:
0359     {
0360         struct kbd_repeat kbrep;
0361
0362         if (!capable(CAP_SYS_TTY_CONFIG))
0363             return -EPERM;
0364
0365         if (copy_from_user(&kbrep, up, sizeof(struct kbd_repeat)))
0366             return -EFAULT;
0367
0368         ret = kbd_rate(&kbrep);
0369         if (ret)
0370             return ret;
0371         if (copy_to_user(up, &kbrep, sizeof(struct kbd_repeat)))
0372             return -EFAULT;
0373         break;
0374     }
0375
0376     case KDSETMODE:
0377         if (!perm)
0378             return -EPERM;
0379
0380         console_lock();
0381         ret = vt_kdsetmode(vc, arg);
0382         console_unlock();
0383         return ret;
0384
0385     case KDGETMODE:
0386         return put_user(vc->vc_mode, (int __user *)arg);
0387
0388     case KDMAPDISP:
0389     case KDUNMAPDISP:
0390         /*
0391          * these work like a combination of mmap and KDENABIO.
0392          * this could be easily finished.
0393          */
0394         return -EINVAL;
0395
0396     case KDSKBMODE:
0397         if (!perm)
0398             return -EPERM;
0399         ret = vt_do_kdskbmode(console, arg);
0400         if (ret)
0401             return ret;
0402         tty_ldisc_flush(tty);
0403         break;
0404
0405     case KDGKBMODE:
0406         return put_user(vt_do_kdgkbmode(console), (int __user *)arg);
0407
0408     /* this could be folded into KDSKBMODE, but for compatibility
0409        reasons it is not so easy to fold KDGKBMETA into KDGKBMODE */
0410     case KDSKBMETA:
0411         return vt_do_kdskbmeta(console, arg);
0412
0413     case KDGKBMETA:
0414         /* FIXME: should review whether this is worth locking */
0415         return put_user(vt_do_kdgkbmeta(console), (int __user *)arg);
0416
0417     case KDGETKEYCODE:
0418     case KDSETKEYCODE:
0419         if(!capable(CAP_SYS_TTY_CONFIG))
0420             perm = 0;
0421         return vt_do_kbkeycode_ioctl(cmd, up, perm);
0422
0423     case KDGKBENT:
0424     case KDSKBENT:
0425         return vt_do_kdsk_ioctl(cmd, up, perm, console);
0426
0427     case KDGKBSENT:
0428     case KDSKBSENT:
0429         return vt_do_kdgkb_ioctl(cmd, up, perm);
0430
0431     /* Diacritical processing. Handled in keyboard.c as it has
0432        to operate on the keyboard locks and structures */
0433     case KDGKBDIACR:
0434     case KDGKBDIACRUC:
0435     case KDSKBDIACR:
0436     case KDSKBDIACRUC:
0437         return vt_do_diacrit(cmd, up, perm);
0438
0439     /* the ioctls below read/set the flags usually shown in the leds */
0440     /* don't use them - they will go away without warning */
0441     case KDGKBLED:
0442     case KDSKBLED:
0443     case KDGETLED:
0444     case KDSETLED:
0445         return vt_do_kdskled(console, cmd, arg, perm);
0446
0447     /*
0448      * A process can indicate its willingness to accept signals
0449      * generated by pressing an appropriate key combination.
0450      * Thus, one can have a daemon that e.g. spawns a new console
0451      * upon a keypress and then changes to it.
0452      * See also the kbrequest field of inittab(5).
0453      */
0454     case KDSIGACCEPT:
0455         if (!perm || !capable(CAP_KILL))
0456             return -EPERM;
0457         if (!valid_signal(arg) || arg < 1 || arg == SIGKILL)
0458             return -EINVAL;
0459
0460         spin_lock_irq(&vt_spawn_con.lock);
0461         put_pid(vt_spawn_con.pid);
0462         vt_spawn_con.pid = get_pid(task_pid(current));
0463         vt_spawn_con.sig = arg;
0464         spin_unlock_irq(&vt_spawn_con.lock);
0465         break;
0466
0467     case KDFONTOP: {
0468         struct console_font_op op;
0469
0470         if (copy_from_user(&op, up, sizeof(op)))
0471             return -EFAULT;
0472         if (!perm && op.op != KD_FONT_OP_GET)
0473             return -EPERM;
0474         ret = con_font_op(vc, &op);
0475         if (ret)
0476             return ret;
0477         if (copy_to_user(up, &op, sizeof(op)))
0478             return -EFAULT;
0479         break;
0480     }
0481
0482     default:
0483         return -ENOIOCTLCMD;
0484     }
0485
0486     return 0;
0487 }
0488
0489 static inline int do_unimap_ioctl(int cmd, struct unimapdesc __user *user_ud,
0490         bool perm, struct vc_data *vc)
0491 {
0492     struct unimapdesc tmp;
0493
0494     if (copy_from_user(&tmp, user_ud, sizeof tmp))
0495         return -EFAULT;
0496     switch (cmd) {
0497     case PIO_UNIMAP:
0498         if (!perm)
0499             return -EPERM;
0500         return con_set_unimap(vc, tmp.entry_ct, tmp.entries);
0501     case GIO_UNIMAP:
0502         if (!perm && fg_console != vc->vc_num)
0503             return -EPERM;
0504         return con_get_unimap(vc, tmp.entry_ct, &(user_ud->entry_ct),
0505                 tmp.entries);
0506     }
0507     return 0;
0508 }
0509
0510 static int vt_io_ioctl(struct vc_data *vc, unsigned int cmd, void __user *up,
0511         bool perm)
0512 {
0513     switch (cmd) {
0514     case PIO_CMAP:
0515         if (!perm)
0516             return -EPERM;
0517         return con_set_cmap(up);
0518
0519     case GIO_CMAP:
0520         return con_get_cmap(up);
0521
0522     case PIO_SCRNMAP:
0523         if (!perm)
0524             return -EPERM;
0525         return con_set_trans_old(up);
0526
0527     case GIO_SCRNMAP:
0528         return con_get_trans_old(up);
0529
0530     case PIO_UNISCRNMAP:
0531         if (!perm)
0532             return -EPERM;
0533         return con_set_trans_new(up);
0534
0535     case GIO_UNISCRNMAP:
0536         return con_get_trans_new(up);
0537
0538     case PIO_UNIMAPCLR:
0539         if (!perm)
0540             return -EPERM;
0541         con_clear_unimap(vc);
0542         break;
0543
0544     case PIO_UNIMAP:
0545     case GIO_UNIMAP:
0546         return do_unimap_ioctl(cmd, up, perm, vc);
0547
0548     default:
0549         return -ENOIOCTLCMD;
0550     }
0551
0552     return 0;
0553 }
0554
0555 static int vt_reldisp(struct vc_data *vc, unsigned int swtch)
0556 {
0557     int newvt, ret;
0558
0559     if (vc->vt_mode.mode != VT_PROCESS)
0560         return -EINVAL;
0561
0562     /* Switched-to response */
0563     if (vc->vt_newvt < 0) {
0564          /* If it's just an ACK, ignore it */
0565         return swtch == VT_ACKACQ ? 0 : -EINVAL;
0566     }
0567
0568     /* Switching-from response */
0569     if (swtch == 0) {
0570         /* Switch disallowed, so forget we were trying to do it. */
0571         vc->vt_newvt = -1;
0572         return 0;
0573     }
0574
0575     /* The current vt has been released, so complete the switch. */
0576     newvt = vc->vt_newvt;
0577     vc->vt_newvt = -1;
0578     ret = vc_allocate(newvt);
0579     if (ret)
0580         return ret;
0581
0582     /*
0583      * When we actually do the console switch, make sure we are atomic with
0584      * respect to other console switches..
0585      */
0586     complete_change_console(vc_cons[newvt].d);
0587
0588     return 0;
0589 }
0590
0591 static int vt_setactivate(struct vt_setactivate __user *sa)
0592 {
0593     struct vt_setactivate vsa;
0594     struct vc_data *nvc;
0595     int ret;
0596
0597     if (copy_from_user(&vsa, sa, sizeof(vsa)))
0598         return -EFAULT;
0599     if (vsa.console == 0 || vsa.console > MAX_NR_CONSOLES)
0600         return -ENXIO;
0601
0602     vsa.console--;
0603     vsa.console = array_index_nospec(vsa.console, MAX_NR_CONSOLES);
0604     console_lock();
0605     ret = vc_allocate(vsa.console);
0606     if (ret) {
0607         console_unlock();
0608         return ret;
0609     }
0610
0611     /*
0612      * This is safe providing we don't drop the console sem between
0613      * vc_allocate and finishing referencing nvc.
0614      */
0615     nvc = vc_cons[vsa.console].d;
0616     nvc->vt_mode = vsa.mode;
0617     nvc->vt_mode.frsig = 0;
0618     put_pid(nvc->vt_pid);
0619     nvc->vt_pid = get_pid(task_pid(current));
0620     console_unlock();
0621
0622     /* Commence switch and lock */
0623     /* Review set_console locks */
0624     set_console(vsa.console);
0625
0626     return 0;
0627 }
0628
0629 /* deallocate a single console, if possible (leave 0) */
0630 static int vt_disallocate(unsigned int vc_num)
0631 {
0632     struct vc_data *vc = NULL;
0633     int ret = 0;
0634
0635     console_lock();
0636     if (vt_busy(vc_num))
0637         ret = -EBUSY;
0638     else if (vc_num)
0639         vc = vc_deallocate(vc_num);
0640     console_unlock();
0641
0642     if (vc && vc_num >= MIN_NR_CONSOLES)
0643         tty_port_put(&vc->port);
0644
0645     return ret;
0646 }
0647
0648 /* deallocate all unused consoles, but leave 0 */
0649 static void vt_disallocate_all(void)
0650 {
0651     struct vc_data *vc[MAX_NR_CONSOLES];
0652     int i;
0653
0654     console_lock();
0655     for (i = 1; i < MAX_NR_CONSOLES; i++)
0656         if (!vt_busy(i))
0657             vc[i] = vc_deallocate(i);
0658         else
0659             vc[i] = NULL;
0660     console_unlock();
0661
0662     for (i = 1; i < MAX_NR_CONSOLES; i++) {
0663         if (vc[i] && i >= MIN_NR_CONSOLES)
0664             tty_port_put(&vc[i]->port);
0665     }
0666 }
0667
0668 static int vt_resizex(struct vc_data *vc, struct vt_consize __user *cs)
0669 {
0670     struct vt_consize v;
0671     int i;
0672
0673     if (copy_from_user(&v, cs, sizeof(struct vt_consize)))
0674         return -EFAULT;
0675
0676     /* FIXME: Should check the copies properly */
0677     if (!v.v_vlin)
0678         v.v_vlin = vc->vc_scan_lines;
0679
0680     if (v.v_clin) {
0681         int rows = v.v_vlin / v.v_clin;
0682         if (v.v_rows != rows) {
0683             if (v.v_rows) /* Parameters don't add up */
0684                 return -EINVAL;
0685             v.v_rows = rows;
0686         }
0687     }
0688
0689     if (v.v_vcol && v.v_ccol) {
0690         int cols = v.v_vcol / v.v_ccol;
0691         if (v.v_cols != cols) {
0692             if (v.v_cols)
0693                 return -EINVAL;
0694             v.v_cols = cols;
0695         }
0696     }
0697
0698     if (v.v_clin > 32)
0699         return -EINVAL;
0700
0701     for (i = 0; i < MAX_NR_CONSOLES; i++) {
0702         struct vc_data *vcp;
0703
0704         if (!vc_cons[i].d)
0705             continue;
0706         console_lock();
0707         vcp = vc_cons[i].d;
0708         if (vcp) {
0709             int ret;
0710             int save_scan_lines = vcp->vc_scan_lines;
0711             int save_cell_height = vcp->vc_cell_height;
0712
0713             if (v.v_vlin)
0714                 vcp->vc_scan_lines = v.v_vlin;
0715             if (v.v_clin)
0716                 vcp->vc_cell_height = v.v_clin;
0717             vcp->vc_resize_user = 1;
0718             ret = vc_resize(vcp, v.v_cols, v.v_rows);
0719             if (ret) {
0720                 vcp->vc_scan_lines = save_scan_lines;
0721                 vcp->vc_cell_height = save_cell_height;
0722                 console_unlock();
0723                 return ret;
0724             }
0725         }
0726         console_unlock();
0727     }
0728
0729     return 0;
0730 }
0731
0732 /*
0733  * We handle the console-specific ioctl's here.  We allow the
0734  * capability to modify any console, not just the fg_console.
0735  */
0736 int vt_ioctl(struct tty_struct *tty,
0737          unsigned int cmd, unsigned long arg)
0738 {
0739     struct vc_data *vc = tty->driver_data;
0740     void __user *up = (void __user *)arg;
0741     int i, perm;
0742     int ret;
0743
0744     /*
0745      * To have permissions to do most of the vt ioctls, we either have
0746      * to be the owner of the tty, or have CAP_SYS_TTY_CONFIG.
0747      */
0748     perm = 0;
0749     if (current->signal->tty == tty || capable(CAP_SYS_TTY_CONFIG))
0750         perm = 1;
0751
0752     ret = vt_k_ioctl(tty, cmd, arg, perm);
0753     if (ret != -ENOIOCTLCMD)
0754         return ret;
0755
0756     ret = vt_io_ioctl(vc, cmd, up, perm);
0757     if (ret != -ENOIOCTLCMD)
0758         return ret;
0759
0760     switch (cmd) {
0761     case TIOCLINUX:
0762         return tioclinux(tty, arg);
0763     case VT_SETMODE:
0764     {
0765         struct vt_mode tmp;
0766
0767         if (!perm)
0768             return -EPERM;
0769         if (copy_from_user(&tmp, up, sizeof(struct vt_mode)))
0770             return -EFAULT;
0771         if (tmp.mode != VT_AUTO && tmp.mode != VT_PROCESS)
0772             return -EINVAL;
0773
0774         console_lock();
0775         vc->vt_mode = tmp;
0776         /* the frsig is ignored, so we set it to 0 */
0777         vc->vt_mode.frsig = 0;
0778         put_pid(vc->vt_pid);
0779         vc->vt_pid = get_pid(task_pid(current));
0780         /* no switch is required -- saw@shade.msu.ru */
0781         vc->vt_newvt = -1;
0782         console_unlock();
0783         break;
0784     }
0785
0786     case VT_GETMODE:
0787     {
0788         struct vt_mode tmp;
0789         int rc;
0790
0791         console_lock();
0792         memcpy(&tmp, &vc->vt_mode, sizeof(struct vt_mode));
0793         console_unlock();
0794
0795         rc = copy_to_user(up, &tmp, sizeof(struct vt_mode));
0796         if (rc)
0797             return -EFAULT;
0798         break;
0799     }
0800
0801     /*
0802      * Returns global vt state. Note that VT 0 is always open, since
0803      * it's an alias for the current VT, and people can't use it here.
0804      * We cannot return state for more than 16 VTs, since v_state is short.
0805      */
0806     case VT_GETSTATE:
0807     {
0808         struct vt_stat __user *vtstat = up;
0809         unsigned short state, mask;
0810
0811         if (put_user(fg_console + 1, &vtstat->v_active))
0812             return -EFAULT;
0813
0814         state = 1;  /* /dev/tty0 is always open */
0815         console_lock(); /* required by vt_in_use() */
0816         for (i = 0, mask = 2; i < MAX_NR_CONSOLES && mask;
0817                 ++i, mask <<= 1)
0818             if (vt_in_use(i))
0819                 state |= mask;
0820         console_unlock();
0821         return put_user(state, &vtstat->v_state);
0822     }
0823
0824     /*
0825      * Returns the first available (non-opened) console.
0826      */
0827     case VT_OPENQRY:
0828         console_lock(); /* required by vt_in_use() */
0829         for (i = 0; i < MAX_NR_CONSOLES; ++i)
0830             if (!vt_in_use(i))
0831                 break;
0832         console_unlock();
0833         i = i < MAX_NR_CONSOLES ? (i+1) : -1;
0834         return put_user(i, (int __user *)arg);
0835
0836     /*
0837      * ioctl(fd, VT_ACTIVATE, num) will cause us to switch to vt # num,
0838      * with num >= 1 (switches to vt 0, our console, are not allowed, just
0839      * to preserve sanity).
0840      */
0841     case VT_ACTIVATE:
0842         if (!perm)
0843             return -EPERM;
0844         if (arg == 0 || arg > MAX_NR_CONSOLES)
0845             return -ENXIO;
0846
0847         arg--;
0848         arg = array_index_nospec(arg, MAX_NR_CONSOLES);
0849         console_lock();
0850         ret = vc_allocate(arg);
0851         console_unlock();
0852         if (ret)
0853             return ret;
0854         set_console(arg);
0855         break;
0856
0857     case VT_SETACTIVATE:
0858         if (!perm)
0859             return -EPERM;
0860
0861         return vt_setactivate(up);
0862
0863     /*
0864      * wait until the specified VT has been activated
0865      */
0866     case VT_WAITACTIVE:
0867         if (!perm)
0868             return -EPERM;
0869         if (arg == 0 || arg > MAX_NR_CONSOLES)
0870             return -ENXIO;
0871         return vt_waitactive(arg);
0872
0873     /*
0874      * If a vt is under process control, the kernel will not switch to it
0875      * immediately, but postpone the operation until the process calls this
0876      * ioctl, allowing the switch to complete.
0877      *
0878      * According to the X sources this is the behavior:
0879      *  0:  pending switch-from not OK
0880      *  1:  pending switch-from OK
0881      *  2:  completed switch-to OK
0882      */
0883     case VT_RELDISP:
0884         if (!perm)
0885             return -EPERM;
0886
0887         console_lock();
0888         ret = vt_reldisp(vc, arg);
0889         console_unlock();
0890
0891         return ret;
0892
0893
0894      /*
0895       * Disallocate memory associated to VT (but leave VT1)
0896       */
0897      case VT_DISALLOCATE:
0898         if (arg > MAX_NR_CONSOLES)
0899             return -ENXIO;
0900
0901         if (arg == 0) {
0902             vt_disallocate_all();
0903             break;
0904         }
0905
0906         arg = array_index_nospec(arg - 1, MAX_NR_CONSOLES);
0907         return vt_disallocate(arg);
0908
0909     case VT_RESIZE:
0910     {
0911         struct vt_sizes __user *vtsizes = up;
0912         struct vc_data *vc;
0913         ushort ll,cc;
0914
0915         if (!perm)
0916             return -EPERM;
0917         if (get_user(ll, &vtsizes->v_rows) ||
0918             get_user(cc, &vtsizes->v_cols))
0919             return -EFAULT;
0920
0921         console_lock();
0922         for (i = 0; i < MAX_NR_CONSOLES; i++) {
0923             vc = vc_cons[i].d;
0924
0925             if (vc) {
0926                 vc->vc_resize_user = 1;
0927                 /* FIXME: review v tty lock */
0928                 vc_resize(vc_cons[i].d, cc, ll);
0929             }
0930         }
0931         console_unlock();
0932         break;
0933     }
0934
0935     case VT_RESIZEX:
0936         if (!perm)
0937             return -EPERM;
0938
0939         return vt_resizex(vc, up);
0940
0941     case VT_LOCKSWITCH:
0942         if (!capable(CAP_SYS_TTY_CONFIG))
0943             return -EPERM;
0944         vt_dont_switch = true;
0945         break;
0946     case VT_UNLOCKSWITCH:
0947         if (!capable(CAP_SYS_TTY_CONFIG))
0948             return -EPERM;
0949         vt_dont_switch = false;
0950         break;
0951     case VT_GETHIFONTMASK:
0952         return put_user(vc->vc_hi_font_mask,
0953                     (unsigned short __user *)arg);
0954     case VT_WAITEVENT:
0955         return vt_event_wait_ioctl((struct vt_event __user *)arg);
0956     default:
0957         return -ENOIOCTLCMD;
0958     }
0959
0960     return 0;
0961 }
0962
0963 void reset_vc(struct vc_data *vc)
0964 {
0965     vc->vc_mode = KD_TEXT;
0966     vt_reset_unicode(vc->vc_num);
0967     vc->vt_mode.mode = VT_AUTO;
0968     vc->vt_mode.waitv = 0;
0969     vc->vt_mode.relsig = 0;
0970     vc->vt_mode.acqsig = 0;
0971     vc->vt_mode.frsig = 0;
0972     put_pid(vc->vt_pid);
0973     vc->vt_pid = NULL;
0974     vc->vt_newvt = -1;
0975     reset_palette(vc);
0976 }
0977
0978 void vc_SAK(struct work_struct *work)
0979 {
0980     struct vc *vc_con =
0981         container_of(work, struct vc, SAK_work);
0982     struct vc_data *vc;
0983     struct tty_struct *tty;
0984
0985     console_lock();
0986     vc = vc_con->d;
0987     if (vc) {
0988         /* FIXME: review tty ref counting */
0989         tty = vc->port.tty;
0990         /*
0991          * SAK should also work in all raw modes and reset
0992          * them properly.
0993          */
0994         if (tty)
0995             __do_SAK(tty);
0996         reset_vc(vc);
0997     }
0998     console_unlock();
0999 }
1000
1001 #ifdef CONFIG_COMPAT
1002
1003 struct compat_console_font_op {
1004     compat_uint_t op;        /* operation code KD_FONT_OP_* */
1005     compat_uint_t flags;     /* KD_FONT_FLAG_* */
1006     compat_uint_t width, height;     /* font size */
1007     compat_uint_t charcount;
1008     compat_caddr_t data;    /* font data with height fixed to 32 */
1009 };
1010
1011 static inline int
1012 compat_kdfontop_ioctl(struct compat_console_font_op __user *fontop,
1013              int perm, struct console_font_op *op, struct vc_data *vc)
1014 {
1015     int i;
1016
1017     if (copy_from_user(op, fontop, sizeof(struct compat_console_font_op)))
1018         return -EFAULT;
1019     if (!perm && op->op != KD_FONT_OP_GET)
1020         return -EPERM;
1021     op->data = compat_ptr(((struct compat_console_font_op *)op)->data);
1022     i = con_font_op(vc, op);
1023     if (i)
1024         return i;
1025     ((struct compat_console_font_op *)op)->data = (unsigned long)op->data;
1026     if (copy_to_user(fontop, op, sizeof(struct compat_console_font_op)))
1027         return -EFAULT;
1028     return 0;
1029 }
1030
1031 struct compat_unimapdesc {
1032     unsigned short entry_ct;
1033     compat_caddr_t entries;
1034 };
1035
1036 static inline int
1037 compat_unimap_ioctl(unsigned int cmd, struct compat_unimapdesc __user *user_ud,
1038              int perm, struct vc_data *vc)
1039 {
1040     struct compat_unimapdesc tmp;
1041     struct unipair __user *tmp_entries;
1042
1043     if (copy_from_user(&tmp, user_ud, sizeof tmp))
1044         return -EFAULT;
1045     tmp_entries = compat_ptr(tmp.entries);
1046     switch (cmd) {
1047     case PIO_UNIMAP:
1048         if (!perm)
1049             return -EPERM;
1050         return con_set_unimap(vc, tmp.entry_ct, tmp_entries);
1051     case GIO_UNIMAP:
1052         if (!perm && fg_console != vc->vc_num)
1053             return -EPERM;
1054         return con_get_unimap(vc, tmp.entry_ct, &(user_ud->entry_ct), tmp_entries);
1055     }
1056     return 0;
1057 }
1058
1059 long vt_compat_ioctl(struct tty_struct *tty,
1060          unsigned int cmd, unsigned long arg)
1061 {
1062     struct vc_data *vc = tty->driver_data;
1063     struct console_font_op op;  /* used in multiple places here */
1064     void __user *up = compat_ptr(arg);
1065     int perm;
1066
1067     /*
1068      * To have permissions to do most of the vt ioctls, we either have
1069      * to be the owner of the tty, or have CAP_SYS_TTY_CONFIG.
1070      */
1071     perm = 0;
1072     if (current->signal->tty == tty || capable(CAP_SYS_TTY_CONFIG))
1073         perm = 1;
1074
1075     switch (cmd) {
1076     /*
1077      * these need special handlers for incompatible data structures
1078      */
1079
1080     case KDFONTOP:
1081         return compat_kdfontop_ioctl(up, perm, &op, vc);
1082
1083     case PIO_UNIMAP:
1084     case GIO_UNIMAP:
1085         return compat_unimap_ioctl(cmd, up, perm, vc);
1086
1087     /*
1088      * all these treat 'arg' as an integer
1089      */
1090     case KIOCSOUND:
1091     case KDMKTONE:
1092 #ifdef CONFIG_X86
1093     case KDADDIO:
1094     case KDDELIO:
1095 #endif
1096     case KDSETMODE:
1097     case KDMAPDISP:
1098     case KDUNMAPDISP:
1099     case KDSKBMODE:
1100     case KDSKBMETA:
1101     case KDSKBLED:
1102     case KDSETLED:
1103     case KDSIGACCEPT:
1104     case VT_ACTIVATE:
1105     case VT_WAITACTIVE:
1106     case VT_RELDISP:
1107     case VT_DISALLOCATE:
1108     case VT_RESIZE:
1109     case VT_RESIZEX:
1110         return vt_ioctl(tty, cmd, arg);
1111
1112     /*
1113      * the rest has a compatible data structure behind arg,
1114      * but we have to convert it to a proper 64 bit pointer.
1115      */
1116     default:
1117         return vt_ioctl(tty, cmd, (unsigned long)up);
1118     }
1119 }
1120
1121
1122 #endif /* CONFIG_COMPAT */
1123
1124
1125 /*
1126  * Performs the back end of a vt switch. Called under the console
1127  * semaphore.
1128  */
1129 static void complete_change_console(struct vc_data *vc)
1130 {
1131     unsigned char old_vc_mode;
1132     int old = fg_console;
1133
1134     last_console = fg_console;
1135
1136     /*
1137      * If we're switching, we could be going from KD_GRAPHICS to
1138      * KD_TEXT mode or vice versa, which means we need to blank or
1139      * unblank the screen later.
1140      */
1141     old_vc_mode = vc_cons[fg_console].d->vc_mode;
1142     switch_screen(vc);
1143
1144     /*
1145      * This can't appear below a successful kill_pid().  If it did,
1146      * then the *blank_screen operation could occur while X, having
1147      * received acqsig, is waking up on another processor.  This
1148      * condition can lead to overlapping accesses to the VGA range
1149      * and the framebuffer (causing system lockups).
1150      *
1151      * To account for this we duplicate this code below only if the
1152      * controlling process is gone and we've called reset_vc.
1153      */
1154     if (old_vc_mode != vc->vc_mode) {
1155         if (vc->vc_mode == KD_TEXT)
1156             do_unblank_screen(1);
1157         else
1158             do_blank_screen(1);
1159     }
1160
1161     /*
1162      * If this new console is under process control, send it a signal
1163      * telling it that it has acquired. Also check if it has died and
1164      * clean up (similar to logic employed in change_console())
1165      */
1166     if (vc->vt_mode.mode == VT_PROCESS) {
1167         /*
1168          * Send the signal as privileged - kill_pid() will
1169          * tell us if the process has gone or something else
1170          * is awry
1171          */
1172         if (kill_pid(vc->vt_pid, vc->vt_mode.acqsig, 1) != 0) {
1173         /*
1174          * The controlling process has died, so we revert back to
1175          * normal operation. In this case, we'll also change back
1176          * to KD_TEXT mode. I'm not sure if this is strictly correct
1177          * but it saves the agony when the X server dies and the screen
1178          * remains blanked due to KD_GRAPHICS! It would be nice to do
1179          * this outside of VT_PROCESS but there is no single process
1180          * to account for and tracking tty count may be undesirable.
1181          */
1182             reset_vc(vc);
1183
1184             if (old_vc_mode != vc->vc_mode) {
1185                 if (vc->vc_mode == KD_TEXT)
1186                     do_unblank_screen(1);
1187                 else
1188                     do_blank_screen(1);
1189             }
1190         }
1191     }
1192
1193     /*
1194      * Wake anyone waiting for their VT to activate
1195      */
1196     vt_event_post(VT_EVENT_SWITCH, old, vc->vc_num);
1197     return;
1198 }
1199
1200 /*
1201  * Performs the front-end of a vt switch
1202  */
1203 void change_console(struct vc_data *new_vc)
1204 {
1205     struct vc_data *vc;
1206
1207     if (!new_vc || new_vc->vc_num == fg_console || vt_dont_switch)
1208         return;
1209
1210     /*
1211      * If this vt is in process mode, then we need to handshake with
1212      * that process before switching. Essentially, we store where that
1213      * vt wants to switch to and wait for it to tell us when it's done
1214      * (via VT_RELDISP ioctl).
1215      *
1216      * We also check to see if the controlling process still exists.
1217      * If it doesn't, we reset this vt to auto mode and continue.
1218      * This is a cheap way to track process control. The worst thing
1219      * that can happen is: we send a signal to a process, it dies, and
1220      * the switch gets "lost" waiting for a response; hopefully, the
1221      * user will try again, we'll detect the process is gone (unless
1222      * the user waits just the right amount of time :-) and revert the
1223      * vt to auto control.
1224      */
1225     vc = vc_cons[fg_console].d;
1226     if (vc->vt_mode.mode == VT_PROCESS) {
1227         /*
1228          * Send the signal as privileged - kill_pid() will
1229          * tell us if the process has gone or something else
1230          * is awry.
1231          *
1232          * We need to set vt_newvt *before* sending the signal or we
1233          * have a race.
1234          */
1235         vc->vt_newvt = new_vc->vc_num;
1236         if (kill_pid(vc->vt_pid, vc->vt_mode.relsig, 1) == 0) {
1237             /*
1238              * It worked. Mark the vt to switch to and
1239              * return. The process needs to send us a
1240              * VT_RELDISP ioctl to complete the switch.
1241              */
1242             return;
1243         }
1244
1245         /*
1246          * The controlling process has died, so we revert back to
1247          * normal operation. In this case, we'll also change back
1248          * to KD_TEXT mode. I'm not sure if this is strictly correct
1249          * but it saves the agony when the X server dies and the screen
1250          * remains blanked due to KD_GRAPHICS! It would be nice to do
1251          * this outside of VT_PROCESS but there is no single process
1252          * to account for and tracking tty count may be undesirable.
1253          */
1254         reset_vc(vc);
1255
1256         /*
1257          * Fall through to normal (VT_AUTO) handling of the switch...
1258          */
1259     }
1260
1261     /*
1262      * Ignore all switches in KD_GRAPHICS+VT_AUTO mode
1263      */
1264     if (vc->vc_mode == KD_GRAPHICS)
1265         return;
1266
1267     complete_change_console(new_vc);
1268 }
1269
1270 /* Perform a kernel triggered VT switch for suspend/resume */
1271
1272 static int disable_vt_switch;
1273
1274 int vt_move_to_console(unsigned int vt, int alloc)
1275 {
1276     int prev;
1277
1278     console_lock();
1279     /* Graphics mode - up to X */
1280     if (disable_vt_switch) {
1281         console_unlock();
1282         return 0;
1283     }
1284     prev = fg_console;
1285
1286     if (alloc && vc_allocate(vt)) {
1287         /* we can't have a free VC for now. Too bad,
1288          * we don't want to mess the screen for now. */
1289         console_unlock();
1290         return -ENOSPC;
1291     }
1292
1293     if (set_console(vt)) {
1294         /*
1295          * We're unable to switch to the SUSPEND_CONSOLE.
1296          * Let the calling function know so it can decide
1297          * what to do.
1298          */
1299         console_unlock();
1300         return -EIO;
1301     }
1302     console_unlock();
1303     if (vt_waitactive(vt + 1)) {
1304         pr_debug("Suspend: Can't switch VCs.");
1305         return -EINTR;
1306     }
1307     return prev;
1308 }
1309
1310 /*
1311  * Normally during a suspend, we allocate a new console and switch to it.
1312  * When we resume, we switch back to the original console.  This switch
1313  * can be slow, so on systems where the framebuffer can handle restoration
1314  * of video registers anyways, there's little point in doing the console
1315  * switch.  This function allows you to disable it by passing it '0'.
1316  */
1317 void pm_set_vt_switch(int do_switch)
1318 {
1319     console_lock();
1320     disable_vt_switch = !do_switch;
1321     console_unlock();
1322 }
1323 EXPORT_SYMBOL(pm_set_vt_switch);