1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Copyright (C) 1992 obz under the linux copyright
4 *
5 * Dynamic diacritical handling - aeb@cwi.nl - Dec 1993
6 * Dynamic keymap and string allocation - aeb@cwi.nl - May 1994
7 * Restrict VT switching via ioctl() - grif@cs.ucr.edu - Dec 1995
8 * Some code moved for less code duplication - Andi Kleen - Mar 1997
9 * Check put/get_user, cleanups - acme@conectiva.com.br - Jun 2001
10 */
11
12 #include <linux/types.h>
13 #include <linux/errno.h>
14 #include <linux/sched/signal.h>
15 #include <linux/tty.h>
16 #include <linux/timer.h>
17 #include <linux/kernel.h>
18 #include <linux/compat.h>
19 #include <linux/module.h>
20 #include <linux/kd.h>
21 #include <linux/vt.h>
22 #include <linux/string.h>
23 #include <linux/slab.h>
24 #include <linux/major.h>
25 #include <linux/fs.h>
26 #include <linux/console.h>
27 #include <linux/consolemap.h>
28 #include <linux/signal.h>
29 #include <linux/suspend.h>
30 #include <linux/timex.h>
31
32 #include <asm/io.h>
33 #include <linux/uaccess.h>
34
35 #include <linux/nospec.h>
36
37 #include <linux/kbd_kern.h>
38 #include <linux/vt_kern.h>
39 #include <linux/kbd_diacr.h>
40 #include <linux/selection.h>
41
42 bool vt_dont_switch;
43
vt_in_use(unsigned int i)44 static inline bool vt_in_use(unsigned int i)
45 {
46 const struct vc_data *vc = vc_cons[i].d;
47
48 /*
49 * console_lock must be held to prevent the vc from being deallocated
50 * while we're checking whether it's in-use.
51 */
52 WARN_CONSOLE_UNLOCKED();
53
54 return vc && kref_read(&vc->port.kref) > 1;
55 }
56
vt_busy(int i)57 static inline bool vt_busy(int i)
58 {
59 if (vt_in_use(i))
60 return true;
61 if (i == fg_console)
62 return true;
63 if (vc_is_sel(vc_cons[i].d))
64 return true;
65
66 return false;
67 }
68
69 /*
70 * Console (vt and kd) routines, as defined by USL SVR4 manual, and by
71 * experimentation and study of X386 SYSV handling.
72 *
73 * One point of difference: SYSV vt's are /dev/vtX, which X >= 0, and
74 * /dev/console is a separate ttyp. Under Linux, /dev/tty0 is /dev/console,
75 * and the vc start at /dev/ttyX, X >= 1. We maintain that here, so we will
76 * always treat our set of vt as numbered 1..MAX_NR_CONSOLES (corresponding to
77 * ttys 0..MAX_NR_CONSOLES-1). Explicitly naming VT 0 is illegal, but using
78 * /dev/tty0 (fg_console) as a target is legal, since an implicit aliasing
79 * to the current console is done by the main ioctl code.
80 */
81
82 #ifdef CONFIG_X86
83 #include <asm/syscalls.h>
84 #endif
85
86 static void complete_change_console(struct vc_data *vc);
87
88 /*
89 * User space VT_EVENT handlers
90 */
91
92 struct vt_event_wait {
93 struct list_head list;
94 struct vt_event event;
95 int done;
96 };
97
98 static LIST_HEAD(vt_events);
99 static DEFINE_SPINLOCK(vt_event_lock);
100 static DECLARE_WAIT_QUEUE_HEAD(vt_event_waitqueue);
101
102 /**
103 * vt_event_post
104 * @event: the event that occurred
105 * @old: old console
106 * @new: new console
107 *
108 * Post an VT event to interested VT handlers
109 */
110
vt_event_post(unsigned int event,unsigned int old,unsigned int new)111 void vt_event_post(unsigned int event, unsigned int old, unsigned int new)
112 {
113 struct list_head *pos, *head;
114 unsigned long flags;
115 int wake = 0;
116
117 spin_lock_irqsave(&vt_event_lock, flags);
118 head = &vt_events;
119
120 list_for_each(pos, head) {
121 struct vt_event_wait *ve = list_entry(pos,
122 struct vt_event_wait, list);
123 if (!(ve->event.event & event))
124 continue;
125 ve->event.event = event;
126 /* kernel view is consoles 0..n-1, user space view is
127 console 1..n with 0 meaning current, so we must bias */
128 ve->event.oldev = old + 1;
129 ve->event.newev = new + 1;
130 wake = 1;
131 ve->done = 1;
132 }
133 spin_unlock_irqrestore(&vt_event_lock, flags);
134 if (wake)
135 wake_up_interruptible(&vt_event_waitqueue);
136 }
137
__vt_event_queue(struct vt_event_wait * vw)138 static void __vt_event_queue(struct vt_event_wait *vw)
139 {
140 unsigned long flags;
141 /* Prepare the event */
142 INIT_LIST_HEAD(&vw->list);
143 vw->done = 0;
144 /* Queue our event */
145 spin_lock_irqsave(&vt_event_lock, flags);
146 list_add(&vw->list, &vt_events);
147 spin_unlock_irqrestore(&vt_event_lock, flags);
148 }
149
__vt_event_wait(struct vt_event_wait * vw)150 static void __vt_event_wait(struct vt_event_wait *vw)
151 {
152 /* Wait for it to pass */
153 wait_event_interruptible(vt_event_waitqueue, vw->done);
154 }
155
__vt_event_dequeue(struct vt_event_wait * vw)156 static void __vt_event_dequeue(struct vt_event_wait *vw)
157 {
158 unsigned long flags;
159
160 /* Dequeue it */
161 spin_lock_irqsave(&vt_event_lock, flags);
162 list_del(&vw->list);
163 spin_unlock_irqrestore(&vt_event_lock, flags);
164 }
165
166 /**
167 * vt_event_wait - wait for an event
168 * @vw: our event
169 *
170 * Waits for an event to occur which completes our vt_event_wait
171 * structure. On return the structure has wv->done set to 1 for success
172 * or 0 if some event such as a signal ended the wait.
173 */
174
vt_event_wait(struct vt_event_wait * vw)175 static void vt_event_wait(struct vt_event_wait *vw)
176 {
177 __vt_event_queue(vw);
178 __vt_event_wait(vw);
179 __vt_event_dequeue(vw);
180 }
181
182 /**
183 * vt_event_wait_ioctl - event ioctl handler
184 * @arg: argument to ioctl
185 *
186 * Implement the VT_WAITEVENT ioctl using the VT event interface
187 */
188
vt_event_wait_ioctl(struct vt_event __user * event)189 static int vt_event_wait_ioctl(struct vt_event __user *event)
190 {
191 struct vt_event_wait vw;
192
193 if (copy_from_user(&vw.event, event, sizeof(struct vt_event)))
194 return -EFAULT;
195 /* Highest supported event for now */
196 if (vw.event.event & ~VT_MAX_EVENT)
197 return -EINVAL;
198
199 vt_event_wait(&vw);
200 /* If it occurred report it */
201 if (vw.done) {
202 if (copy_to_user(event, &vw.event, sizeof(struct vt_event)))
203 return -EFAULT;
204 return 0;
205 }
206 return -EINTR;
207 }
208
209 /**
210 * vt_waitactive - active console wait
211 * @event: event code
212 * @n: new console
213 *
214 * Helper for event waits. Used to implement the legacy
215 * event waiting ioctls in terms of events
216 */
217
vt_waitactive(int n)218 int vt_waitactive(int n)
219 {
220 struct vt_event_wait vw;
221 do {
222 vw.event.event = VT_EVENT_SWITCH;
223 __vt_event_queue(&vw);
224 if (n == fg_console + 1) {
225 __vt_event_dequeue(&vw);
226 break;
227 }
228 __vt_event_wait(&vw);
229 __vt_event_dequeue(&vw);
230 if (vw.done == 0)
231 return -EINTR;
232 } while (vw.event.newev != n);
233 return 0;
234 }
235
236 /*
237 * these are the valid i/o ports we're allowed to change. they map all the
238 * video ports
239 */
240 #define GPFIRST 0x3b4
241 #define GPLAST 0x3df
242 #define GPNUM (GPLAST - GPFIRST + 1)
243
244
245
246 static inline int
do_fontx_ioctl(struct vc_data * vc,int cmd,struct consolefontdesc __user * user_cfd,int perm,struct console_font_op * op)247 do_fontx_ioctl(struct vc_data *vc, int cmd, struct consolefontdesc __user *user_cfd, int perm, struct console_font_op *op)
248 {
249 struct consolefontdesc cfdarg;
250 int i;
251
252 if (copy_from_user(&cfdarg, user_cfd, sizeof(struct consolefontdesc)))
253 return -EFAULT;
254
255 switch (cmd) {
256 case PIO_FONTX:
257 if (!perm)
258 return -EPERM;
259 op->op = KD_FONT_OP_SET;
260 op->flags = KD_FONT_FLAG_OLD;
261 op->width = 8;
262 op->height = cfdarg.charheight;
263 op->charcount = cfdarg.charcount;
264 op->data = cfdarg.chardata;
265 return con_font_op(vc, op);
266
267 case GIO_FONTX:
268 op->op = KD_FONT_OP_GET;
269 op->flags = KD_FONT_FLAG_OLD;
270 op->width = 8;
271 op->height = cfdarg.charheight;
272 op->charcount = cfdarg.charcount;
273 op->data = cfdarg.chardata;
274 i = con_font_op(vc, op);
275 if (i)
276 return i;
277 cfdarg.charheight = op->height;
278 cfdarg.charcount = op->charcount;
279 if (copy_to_user(user_cfd, &cfdarg, sizeof(struct consolefontdesc)))
280 return -EFAULT;
281 return 0;
282 }
283 return -EINVAL;
284 }
285
286 static inline int
do_unimap_ioctl(int cmd,struct unimapdesc __user * user_ud,int perm,struct vc_data * vc)287 do_unimap_ioctl(int cmd, struct unimapdesc __user *user_ud, int perm, struct vc_data *vc)
288 {
289 struct unimapdesc tmp;
290
291 if (copy_from_user(&tmp, user_ud, sizeof tmp))
292 return -EFAULT;
293 switch (cmd) {
294 case PIO_UNIMAP:
295 if (!perm)
296 return -EPERM;
297 return con_set_unimap(vc, tmp.entry_ct, tmp.entries);
298 case GIO_UNIMAP:
299 if (!perm && fg_console != vc->vc_num)
300 return -EPERM;
301 return con_get_unimap(vc, tmp.entry_ct, &(user_ud->entry_ct), tmp.entries);
302 }
303 return 0;
304 }
305
306 /* deallocate a single console, if possible (leave 0) */
vt_disallocate(unsigned int vc_num)307 static int vt_disallocate(unsigned int vc_num)
308 {
309 struct vc_data *vc = NULL;
310 int ret = 0;
311
312 console_lock();
313 if (vt_busy(vc_num))
314 ret = -EBUSY;
315 else if (vc_num)
316 vc = vc_deallocate(vc_num);
317 console_unlock();
318
319 if (vc && vc_num >= MIN_NR_CONSOLES)
320 tty_port_put(&vc->port);
321
322 return ret;
323 }
324
325 /* deallocate all unused consoles, but leave 0 */
vt_disallocate_all(void)326 static void vt_disallocate_all(void)
327 {
328 struct vc_data *vc[MAX_NR_CONSOLES];
329 int i;
330
331 console_lock();
332 for (i = 1; i < MAX_NR_CONSOLES; i++)
333 if (!vt_busy(i))
334 vc[i] = vc_deallocate(i);
335 else
336 vc[i] = NULL;
337 console_unlock();
338
339 for (i = 1; i < MAX_NR_CONSOLES; i++) {
340 if (vc[i] && i >= MIN_NR_CONSOLES)
341 tty_port_put(&vc[i]->port);
342 }
343 }
344
345
346 /*
347 * We handle the console-specific ioctl's here. We allow the
348 * capability to modify any console, not just the fg_console.
349 */
vt_ioctl(struct tty_struct * tty,unsigned int cmd,unsigned long arg)350 int vt_ioctl(struct tty_struct *tty,
351 unsigned int cmd, unsigned long arg)
352 {
353 struct vc_data *vc = tty->driver_data;
354 struct console_font_op op; /* used in multiple places here */
355 unsigned int console = vc->vc_num;
356 unsigned char ucval;
357 unsigned int uival;
358 void __user *up = (void __user *)arg;
359 int i, perm;
360 int ret = 0;
361
362 /*
363 * To have permissions to do most of the vt ioctls, we either have
364 * to be the owner of the tty, or have CAP_SYS_TTY_CONFIG.
365 */
366 perm = 0;
367 if (current->signal->tty == tty || capable(CAP_SYS_TTY_CONFIG))
368 perm = 1;
369
370 switch (cmd) {
371 case TIOCLINUX:
372 ret = tioclinux(tty, arg);
373 break;
374 case KIOCSOUND:
375 if (!perm)
376 return -EPERM;
377 /*
378 * The use of PIT_TICK_RATE is historic, it used to be
379 * the platform-dependent CLOCK_TICK_RATE between 2.6.12
380 * and 2.6.36, which was a minor but unfortunate ABI
381 * change. kd_mksound is locked by the input layer.
382 */
383 if (arg)
384 arg = PIT_TICK_RATE / arg;
385 kd_mksound(arg, 0);
386 break;
387
388 case KDMKTONE:
389 if (!perm)
390 return -EPERM;
391 {
392 unsigned int ticks, count;
393
394 /*
395 * Generate the tone for the appropriate number of ticks.
396 * If the time is zero, turn off sound ourselves.
397 */
398 ticks = msecs_to_jiffies((arg >> 16) & 0xffff);
399 count = ticks ? (arg & 0xffff) : 0;
400 if (count)
401 count = PIT_TICK_RATE / count;
402 kd_mksound(count, ticks);
403 break;
404 }
405
406 case KDGKBTYPE:
407 /*
408 * this is naïve.
409 */
410 ucval = KB_101;
411 ret = put_user(ucval, (char __user *)arg);
412 break;
413
414 /*
415 * These cannot be implemented on any machine that implements
416 * ioperm() in user level (such as Alpha PCs) or not at all.
417 *
418 * XXX: you should never use these, just call ioperm directly..
419 */
420 #ifdef CONFIG_X86
421 case KDADDIO:
422 case KDDELIO:
423 /*
424 * KDADDIO and KDDELIO may be able to add ports beyond what
425 * we reject here, but to be safe...
426 *
427 * These are locked internally via sys_ioperm
428 */
429 if (arg < GPFIRST || arg > GPLAST) {
430 ret = -EINVAL;
431 break;
432 }
433 ret = ksys_ioperm(arg, 1, (cmd == KDADDIO)) ? -ENXIO : 0;
434 break;
435
436 case KDENABIO:
437 case KDDISABIO:
438 ret = ksys_ioperm(GPFIRST, GPNUM,
439 (cmd == KDENABIO)) ? -ENXIO : 0;
440 break;
441 #endif
442
443 /* Linux m68k/i386 interface for setting the keyboard delay/repeat rate */
444
445 case KDKBDREP:
446 {
447 struct kbd_repeat kbrep;
448
449 if (!capable(CAP_SYS_TTY_CONFIG))
450 return -EPERM;
451
452 if (copy_from_user(&kbrep, up, sizeof(struct kbd_repeat))) {
453 ret = -EFAULT;
454 break;
455 }
456 ret = kbd_rate(&kbrep);
457 if (ret)
458 break;
459 if (copy_to_user(up, &kbrep, sizeof(struct kbd_repeat)))
460 ret = -EFAULT;
461 break;
462 }
463
464 case KDSETMODE:
465 /*
466 * currently, setting the mode from KD_TEXT to KD_GRAPHICS
467 * doesn't do a whole lot. i'm not sure if it should do any
468 * restoration of modes or what...
469 *
470 * XXX It should at least call into the driver, fbdev's definitely
471 * need to restore their engine state. --BenH
472 */
473 if (!perm)
474 return -EPERM;
475 switch (arg) {
476 case KD_GRAPHICS:
477 break;
478 case KD_TEXT0:
479 case KD_TEXT1:
480 arg = KD_TEXT;
481 case KD_TEXT:
482 break;
483 default:
484 ret = -EINVAL;
485 goto out;
486 }
487 console_lock();
488 if (vc->vc_mode == (unsigned char) arg) {
489 console_unlock();
490 break;
491 }
492 vc->vc_mode = (unsigned char) arg;
493 if (console != fg_console) {
494 console_unlock();
495 break;
496 }
497 /*
498 * explicitly blank/unblank the screen if switching modes
499 */
500 if (arg == KD_TEXT)
501 do_unblank_screen(1);
502 else
503 do_blank_screen(1);
504 console_unlock();
505 break;
506
507 case KDGETMODE:
508 uival = vc->vc_mode;
509 goto setint;
510
511 case KDMAPDISP:
512 case KDUNMAPDISP:
513 /*
514 * these work like a combination of mmap and KDENABIO.
515 * this could be easily finished.
516 */
517 ret = -EINVAL;
518 break;
519
520 case KDSKBMODE:
521 if (!perm)
522 return -EPERM;
523 ret = vt_do_kdskbmode(console, arg);
524 if (ret == 0)
525 tty_ldisc_flush(tty);
526 break;
527
528 case KDGKBMODE:
529 uival = vt_do_kdgkbmode(console);
530 ret = put_user(uival, (int __user *)arg);
531 break;
532
533 /* this could be folded into KDSKBMODE, but for compatibility
534 reasons it is not so easy to fold KDGKBMETA into KDGKBMODE */
535 case KDSKBMETA:
536 ret = vt_do_kdskbmeta(console, arg);
537 break;
538
539 case KDGKBMETA:
540 /* FIXME: should review whether this is worth locking */
541 uival = vt_do_kdgkbmeta(console);
542 setint:
543 ret = put_user(uival, (int __user *)arg);
544 break;
545
546 case KDGETKEYCODE:
547 case KDSETKEYCODE:
548 if(!capable(CAP_SYS_TTY_CONFIG))
549 perm = 0;
550 ret = vt_do_kbkeycode_ioctl(cmd, up, perm);
551 break;
552
553 case KDGKBENT:
554 case KDSKBENT:
555 ret = vt_do_kdsk_ioctl(cmd, up, perm, console);
556 break;
557
558 case KDGKBSENT:
559 case KDSKBSENT:
560 ret = vt_do_kdgkb_ioctl(cmd, up, perm);
561 break;
562
563 /* Diacritical processing. Handled in keyboard.c as it has
564 to operate on the keyboard locks and structures */
565 case KDGKBDIACR:
566 case KDGKBDIACRUC:
567 case KDSKBDIACR:
568 case KDSKBDIACRUC:
569 ret = vt_do_diacrit(cmd, up, perm);
570 break;
571
572 /* the ioctls below read/set the flags usually shown in the leds */
573 /* don't use them - they will go away without warning */
574 case KDGKBLED:
575 case KDSKBLED:
576 case KDGETLED:
577 case KDSETLED:
578 ret = vt_do_kdskled(console, cmd, arg, perm);
579 break;
580
581 /*
582 * A process can indicate its willingness to accept signals
583 * generated by pressing an appropriate key combination.
584 * Thus, one can have a daemon that e.g. spawns a new console
585 * upon a keypress and then changes to it.
586 * See also the kbrequest field of inittab(5).
587 */
588 case KDSIGACCEPT:
589 {
590 if (!perm || !capable(CAP_KILL))
591 return -EPERM;
592 if (!valid_signal(arg) || arg < 1 || arg == SIGKILL)
593 ret = -EINVAL;
594 else {
595 spin_lock_irq(&vt_spawn_con.lock);
596 put_pid(vt_spawn_con.pid);
597 vt_spawn_con.pid = get_pid(task_pid(current));
598 vt_spawn_con.sig = arg;
599 spin_unlock_irq(&vt_spawn_con.lock);
600 }
601 break;
602 }
603
604 case VT_SETMODE:
605 {
606 struct vt_mode tmp;
607
608 if (!perm)
609 return -EPERM;
610 if (copy_from_user(&tmp, up, sizeof(struct vt_mode))) {
611 ret = -EFAULT;
612 goto out;
613 }
614 if (tmp.mode != VT_AUTO && tmp.mode != VT_PROCESS) {
615 ret = -EINVAL;
616 goto out;
617 }
618 console_lock();
619 vc->vt_mode = tmp;
620 /* the frsig is ignored, so we set it to 0 */
621 vc->vt_mode.frsig = 0;
622 put_pid(vc->vt_pid);
623 vc->vt_pid = get_pid(task_pid(current));
624 /* no switch is required -- saw@shade.msu.ru */
625 vc->vt_newvt = -1;
626 console_unlock();
627 break;
628 }
629
630 case VT_GETMODE:
631 {
632 struct vt_mode tmp;
633 int rc;
634
635 console_lock();
636 memcpy(&tmp, &vc->vt_mode, sizeof(struct vt_mode));
637 console_unlock();
638
639 rc = copy_to_user(up, &tmp, sizeof(struct vt_mode));
640 if (rc)
641 ret = -EFAULT;
642 break;
643 }
644
645 /*
646 * Returns global vt state. Note that VT 0 is always open, since
647 * it's an alias for the current VT, and people can't use it here.
648 * We cannot return state for more than 16 VTs, since v_state is short.
649 */
650 case VT_GETSTATE:
651 {
652 struct vt_stat __user *vtstat = up;
653 unsigned short state, mask;
654
655 if (put_user(fg_console + 1, &vtstat->v_active))
656 ret = -EFAULT;
657 else {
658 state = 1; /* /dev/tty0 is always open */
659 console_lock(); /* required by vt_in_use() */
660 for (i = 0, mask = 2; i < MAX_NR_CONSOLES && mask;
661 ++i, mask <<= 1)
662 if (vt_in_use(i))
663 state |= mask;
664 console_unlock();
665 ret = put_user(state, &vtstat->v_state);
666 }
667 break;
668 }
669
670 /*
671 * Returns the first available (non-opened) console.
672 */
673 case VT_OPENQRY:
674 console_lock(); /* required by vt_in_use() */
675 for (i = 0; i < MAX_NR_CONSOLES; ++i)
676 if (!vt_in_use(i))
677 break;
678 console_unlock();
679 uival = i < MAX_NR_CONSOLES ? (i+1) : -1;
680 goto setint;
681
682 /*
683 * ioctl(fd, VT_ACTIVATE, num) will cause us to switch to vt # num,
684 * with num >= 1 (switches to vt 0, our console, are not allowed, just
685 * to preserve sanity).
686 */
687 case VT_ACTIVATE:
688 if (!perm)
689 return -EPERM;
690 if (arg == 0 || arg > MAX_NR_CONSOLES)
691 ret = -ENXIO;
692 else {
693 arg--;
694 console_lock();
695 ret = vc_allocate(arg);
696 console_unlock();
697 if (ret)
698 break;
699 set_console(arg);
700 }
701 break;
702
703 case VT_SETACTIVATE:
704 {
705 struct vt_setactivate vsa;
706
707 if (!perm)
708 return -EPERM;
709
710 if (copy_from_user(&vsa, (struct vt_setactivate __user *)arg,
711 sizeof(struct vt_setactivate))) {
712 ret = -EFAULT;
713 goto out;
714 }
715 if (vsa.console == 0 || vsa.console > MAX_NR_CONSOLES)
716 ret = -ENXIO;
717 else {
718 vsa.console = array_index_nospec(vsa.console,
719 MAX_NR_CONSOLES + 1);
720 vsa.console--;
721 console_lock();
722 ret = vc_allocate(vsa.console);
723 if (ret == 0) {
724 struct vc_data *nvc;
725 /* This is safe providing we don't drop the
726 console sem between vc_allocate and
727 finishing referencing nvc */
728 nvc = vc_cons[vsa.console].d;
729 nvc->vt_mode = vsa.mode;
730 nvc->vt_mode.frsig = 0;
731 put_pid(nvc->vt_pid);
732 nvc->vt_pid = get_pid(task_pid(current));
733 }
734 console_unlock();
735 if (ret)
736 break;
737 /* Commence switch and lock */
738 /* Review set_console locks */
739 set_console(vsa.console);
740 }
741 break;
742 }
743
744 /*
745 * wait until the specified VT has been activated
746 */
747 case VT_WAITACTIVE:
748 if (!perm)
749 return -EPERM;
750 if (arg == 0 || arg > MAX_NR_CONSOLES)
751 ret = -ENXIO;
752 else
753 ret = vt_waitactive(arg);
754 break;
755
756 /*
757 * If a vt is under process control, the kernel will not switch to it
758 * immediately, but postpone the operation until the process calls this
759 * ioctl, allowing the switch to complete.
760 *
761 * According to the X sources this is the behavior:
762 * 0: pending switch-from not OK
763 * 1: pending switch-from OK
764 * 2: completed switch-to OK
765 */
766 case VT_RELDISP:
767 if (!perm)
768 return -EPERM;
769
770 console_lock();
771 if (vc->vt_mode.mode != VT_PROCESS) {
772 console_unlock();
773 ret = -EINVAL;
774 break;
775 }
776 /*
777 * Switching-from response
778 */
779 if (vc->vt_newvt >= 0) {
780 if (arg == 0)
781 /*
782 * Switch disallowed, so forget we were trying
783 * to do it.
784 */
785 vc->vt_newvt = -1;
786
787 else {
788 /*
789 * The current vt has been released, so
790 * complete the switch.
791 */
792 int newvt;
793 newvt = vc->vt_newvt;
794 vc->vt_newvt = -1;
795 ret = vc_allocate(newvt);
796 if (ret) {
797 console_unlock();
798 break;
799 }
800 /*
801 * When we actually do the console switch,
802 * make sure we are atomic with respect to
803 * other console switches..
804 */
805 complete_change_console(vc_cons[newvt].d);
806 }
807 } else {
808 /*
809 * Switched-to response
810 */
811 /*
812 * If it's just an ACK, ignore it
813 */
814 if (arg != VT_ACKACQ)
815 ret = -EINVAL;
816 }
817 console_unlock();
818 break;
819
820 /*
821 * Disallocate memory associated to VT (but leave VT1)
822 */
823 case VT_DISALLOCATE:
824 if (arg > MAX_NR_CONSOLES) {
825 ret = -ENXIO;
826 break;
827 }
828 if (arg == 0)
829 vt_disallocate_all();
830 else
831 ret = vt_disallocate(--arg);
832 break;
833
834 case VT_RESIZE:
835 {
836 struct vt_sizes __user *vtsizes = up;
837 struct vc_data *vc;
838
839 ushort ll,cc;
840 if (!perm)
841 return -EPERM;
842 if (get_user(ll, &vtsizes->v_rows) ||
843 get_user(cc, &vtsizes->v_cols))
844 ret = -EFAULT;
845 else {
846 console_lock();
847 for (i = 0; i < MAX_NR_CONSOLES; i++) {
848 vc = vc_cons[i].d;
849
850 if (vc) {
851 vc->vc_resize_user = 1;
852 /* FIXME: review v tty lock */
853 vc_resize(vc_cons[i].d, cc, ll);
854 }
855 }
856 console_unlock();
857 }
858 break;
859 }
860
861 case VT_RESIZEX:
862 {
863 struct vt_consize v;
864 if (!perm)
865 return -EPERM;
866 if (copy_from_user(&v, up, sizeof(struct vt_consize)))
867 return -EFAULT;
868 /* FIXME: Should check the copies properly */
869 if (!v.v_vlin)
870 v.v_vlin = vc->vc_scan_lines;
871 if (v.v_clin) {
872 int rows = v.v_vlin/v.v_clin;
873 if (v.v_rows != rows) {
874 if (v.v_rows) /* Parameters don't add up */
875 return -EINVAL;
876 v.v_rows = rows;
877 }
878 }
879 if (v.v_vcol && v.v_ccol) {
880 int cols = v.v_vcol/v.v_ccol;
881 if (v.v_cols != cols) {
882 if (v.v_cols)
883 return -EINVAL;
884 v.v_cols = cols;
885 }
886 }
887
888 if (v.v_clin > 32)
889 return -EINVAL;
890
891 for (i = 0; i < MAX_NR_CONSOLES; i++) {
892 struct vc_data *vcp;
893
894 if (!vc_cons[i].d)
895 continue;
896 console_lock();
897 vcp = vc_cons[i].d;
898 if (vcp) {
899 int ret;
900 int save_scan_lines = vcp->vc_scan_lines;
901 int save_font_height = vcp->vc_font.height;
902
903 if (v.v_vlin)
904 vcp->vc_scan_lines = v.v_vlin;
905 if (v.v_clin)
906 vcp->vc_font.height = v.v_clin;
907 vcp->vc_resize_user = 1;
908 ret = vc_resize(vcp, v.v_cols, v.v_rows);
909 if (ret) {
910 vcp->vc_scan_lines = save_scan_lines;
911 vcp->vc_font.height = save_font_height;
912 console_unlock();
913 return ret;
914 }
915 }
916 console_unlock();
917 }
918 break;
919 }
920
921 case PIO_FONT: {
922 if (!perm)
923 return -EPERM;
924 op.op = KD_FONT_OP_SET;
925 op.flags = KD_FONT_FLAG_OLD | KD_FONT_FLAG_DONT_RECALC; /* Compatibility */
926 op.width = 8;
927 op.height = 0;
928 op.charcount = 256;
929 op.data = up;
930 ret = con_font_op(vc, &op);
931 break;
932 }
933
934 case GIO_FONT: {
935 op.op = KD_FONT_OP_GET;
936 op.flags = KD_FONT_FLAG_OLD;
937 op.width = 8;
938 op.height = 32;
939 op.charcount = 256;
940 op.data = up;
941 ret = con_font_op(vc, &op);
942 break;
943 }
944
945 case PIO_CMAP:
946 if (!perm)
947 ret = -EPERM;
948 else
949 ret = con_set_cmap(up);
950 break;
951
952 case GIO_CMAP:
953 ret = con_get_cmap(up);
954 break;
955
956 case PIO_FONTX:
957 case GIO_FONTX:
958 ret = do_fontx_ioctl(vc, cmd, up, perm, &op);
959 break;
960
961 case PIO_FONTRESET:
962 {
963 if (!perm)
964 return -EPERM;
965
966 #ifdef BROKEN_GRAPHICS_PROGRAMS
967 /* With BROKEN_GRAPHICS_PROGRAMS defined, the default
968 font is not saved. */
969 ret = -ENOSYS;
970 break;
971 #else
972 {
973 op.op = KD_FONT_OP_SET_DEFAULT;
974 op.data = NULL;
975 ret = con_font_op(vc, &op);
976 if (ret)
977 break;
978 console_lock();
979 con_set_default_unimap(vc);
980 console_unlock();
981 break;
982 }
983 #endif
984 }
985
986 case KDFONTOP: {
987 if (copy_from_user(&op, up, sizeof(op))) {
988 ret = -EFAULT;
989 break;
990 }
991 if (!perm && op.op != KD_FONT_OP_GET)
992 return -EPERM;
993 ret = con_font_op(vc, &op);
994 if (ret)
995 break;
996 if (copy_to_user(up, &op, sizeof(op)))
997 ret = -EFAULT;
998 break;
999 }
1000
1001 case PIO_SCRNMAP:
1002 if (!perm)
1003 ret = -EPERM;
1004 else
1005 ret = con_set_trans_old(up);
1006 break;
1007
1008 case GIO_SCRNMAP:
1009 ret = con_get_trans_old(up);
1010 break;
1011
1012 case PIO_UNISCRNMAP:
1013 if (!perm)
1014 ret = -EPERM;
1015 else
1016 ret = con_set_trans_new(up);
1017 break;
1018
1019 case GIO_UNISCRNMAP:
1020 ret = con_get_trans_new(up);
1021 break;
1022
1023 case PIO_UNIMAPCLR:
1024 if (!perm)
1025 return -EPERM;
1026 con_clear_unimap(vc);
1027 break;
1028
1029 case PIO_UNIMAP:
1030 case GIO_UNIMAP:
1031 ret = do_unimap_ioctl(cmd, up, perm, vc);
1032 break;
1033
1034 case VT_LOCKSWITCH:
1035 if (!capable(CAP_SYS_TTY_CONFIG))
1036 return -EPERM;
1037 vt_dont_switch = true;
1038 break;
1039 case VT_UNLOCKSWITCH:
1040 if (!capable(CAP_SYS_TTY_CONFIG))
1041 return -EPERM;
1042 vt_dont_switch = false;
1043 break;
1044 case VT_GETHIFONTMASK:
1045 ret = put_user(vc->vc_hi_font_mask,
1046 (unsigned short __user *)arg);
1047 break;
1048 case VT_WAITEVENT:
1049 ret = vt_event_wait_ioctl((struct vt_event __user *)arg);
1050 break;
1051 default:
1052 ret = -ENOIOCTLCMD;
1053 }
1054 out:
1055 return ret;
1056 }
1057
reset_vc(struct vc_data * vc)1058 void reset_vc(struct vc_data *vc)
1059 {
1060 vc->vc_mode = KD_TEXT;
1061 vt_reset_unicode(vc->vc_num);
1062 vc->vt_mode.mode = VT_AUTO;
1063 vc->vt_mode.waitv = 0;
1064 vc->vt_mode.relsig = 0;
1065 vc->vt_mode.acqsig = 0;
1066 vc->vt_mode.frsig = 0;
1067 put_pid(vc->vt_pid);
1068 vc->vt_pid = NULL;
1069 vc->vt_newvt = -1;
1070 if (!in_interrupt()) /* Via keyboard.c:SAK() - akpm */
1071 reset_palette(vc);
1072 }
1073
vc_SAK(struct work_struct * work)1074 void vc_SAK(struct work_struct *work)
1075 {
1076 struct vc *vc_con =
1077 container_of(work, struct vc, SAK_work);
1078 struct vc_data *vc;
1079 struct tty_struct *tty;
1080
1081 console_lock();
1082 vc = vc_con->d;
1083 if (vc) {
1084 /* FIXME: review tty ref counting */
1085 tty = vc->port.tty;
1086 /*
1087 * SAK should also work in all raw modes and reset
1088 * them properly.
1089 */
1090 if (tty)
1091 __do_SAK(tty);
1092 reset_vc(vc);
1093 }
1094 console_unlock();
1095 }
1096
1097 #ifdef CONFIG_COMPAT
1098
1099 struct compat_consolefontdesc {
1100 unsigned short charcount; /* characters in font (256 or 512) */
1101 unsigned short charheight; /* scan lines per character (1-32) */
1102 compat_caddr_t chardata; /* font data in expanded form */
1103 };
1104
1105 static inline int
compat_fontx_ioctl(struct vc_data * vc,int cmd,struct compat_consolefontdesc __user * user_cfd,int perm,struct console_font_op * op)1106 compat_fontx_ioctl(struct vc_data *vc, int cmd,
1107 struct compat_consolefontdesc __user *user_cfd,
1108 int perm, struct console_font_op *op)
1109 {
1110 struct compat_consolefontdesc cfdarg;
1111 int i;
1112
1113 if (copy_from_user(&cfdarg, user_cfd, sizeof(struct compat_consolefontdesc)))
1114 return -EFAULT;
1115
1116 switch (cmd) {
1117 case PIO_FONTX:
1118 if (!perm)
1119 return -EPERM;
1120 op->op = KD_FONT_OP_SET;
1121 op->flags = KD_FONT_FLAG_OLD;
1122 op->width = 8;
1123 op->height = cfdarg.charheight;
1124 op->charcount = cfdarg.charcount;
1125 op->data = compat_ptr(cfdarg.chardata);
1126 return con_font_op(vc, op);
1127
1128 case GIO_FONTX:
1129 op->op = KD_FONT_OP_GET;
1130 op->flags = KD_FONT_FLAG_OLD;
1131 op->width = 8;
1132 op->height = cfdarg.charheight;
1133 op->charcount = cfdarg.charcount;
1134 op->data = compat_ptr(cfdarg.chardata);
1135 i = con_font_op(vc, op);
1136 if (i)
1137 return i;
1138 cfdarg.charheight = op->height;
1139 cfdarg.charcount = op->charcount;
1140 if (copy_to_user(user_cfd, &cfdarg, sizeof(struct compat_consolefontdesc)))
1141 return -EFAULT;
1142 return 0;
1143 }
1144 return -EINVAL;
1145 }
1146
1147 struct compat_console_font_op {
1148 compat_uint_t op; /* operation code KD_FONT_OP_* */
1149 compat_uint_t flags; /* KD_FONT_FLAG_* */
1150 compat_uint_t width, height; /* font size */
1151 compat_uint_t charcount;
1152 compat_caddr_t data; /* font data with height fixed to 32 */
1153 };
1154
1155 static inline int
compat_kdfontop_ioctl(struct compat_console_font_op __user * fontop,int perm,struct console_font_op * op,struct vc_data * vc)1156 compat_kdfontop_ioctl(struct compat_console_font_op __user *fontop,
1157 int perm, struct console_font_op *op, struct vc_data *vc)
1158 {
1159 int i;
1160
1161 if (copy_from_user(op, fontop, sizeof(struct compat_console_font_op)))
1162 return -EFAULT;
1163 if (!perm && op->op != KD_FONT_OP_GET)
1164 return -EPERM;
1165 op->data = compat_ptr(((struct compat_console_font_op *)op)->data);
1166 i = con_font_op(vc, op);
1167 if (i)
1168 return i;
1169 ((struct compat_console_font_op *)op)->data = (unsigned long)op->data;
1170 if (copy_to_user(fontop, op, sizeof(struct compat_console_font_op)))
1171 return -EFAULT;
1172 return 0;
1173 }
1174
1175 struct compat_unimapdesc {
1176 unsigned short entry_ct;
1177 compat_caddr_t entries;
1178 };
1179
1180 static inline int
compat_unimap_ioctl(unsigned int cmd,struct compat_unimapdesc __user * user_ud,int perm,struct vc_data * vc)1181 compat_unimap_ioctl(unsigned int cmd, struct compat_unimapdesc __user *user_ud,
1182 int perm, struct vc_data *vc)
1183 {
1184 struct compat_unimapdesc tmp;
1185 struct unipair __user *tmp_entries;
1186
1187 if (copy_from_user(&tmp, user_ud, sizeof tmp))
1188 return -EFAULT;
1189 tmp_entries = compat_ptr(tmp.entries);
1190 switch (cmd) {
1191 case PIO_UNIMAP:
1192 if (!perm)
1193 return -EPERM;
1194 return con_set_unimap(vc, tmp.entry_ct, tmp_entries);
1195 case GIO_UNIMAP:
1196 if (!perm && fg_console != vc->vc_num)
1197 return -EPERM;
1198 return con_get_unimap(vc, tmp.entry_ct, &(user_ud->entry_ct), tmp_entries);
1199 }
1200 return 0;
1201 }
1202
vt_compat_ioctl(struct tty_struct * tty,unsigned int cmd,unsigned long arg)1203 long vt_compat_ioctl(struct tty_struct *tty,
1204 unsigned int cmd, unsigned long arg)
1205 {
1206 struct vc_data *vc = tty->driver_data;
1207 struct console_font_op op; /* used in multiple places here */
1208 void __user *up = (void __user *)arg;
1209 int perm;
1210 int ret = 0;
1211
1212 /*
1213 * To have permissions to do most of the vt ioctls, we either have
1214 * to be the owner of the tty, or have CAP_SYS_TTY_CONFIG.
1215 */
1216 perm = 0;
1217 if (current->signal->tty == tty || capable(CAP_SYS_TTY_CONFIG))
1218 perm = 1;
1219
1220 switch (cmd) {
1221 /*
1222 * these need special handlers for incompatible data structures
1223 */
1224 case PIO_FONTX:
1225 case GIO_FONTX:
1226 ret = compat_fontx_ioctl(vc, cmd, up, perm, &op);
1227 break;
1228
1229 case KDFONTOP:
1230 ret = compat_kdfontop_ioctl(up, perm, &op, vc);
1231 break;
1232
1233 case PIO_UNIMAP:
1234 case GIO_UNIMAP:
1235 ret = compat_unimap_ioctl(cmd, up, perm, vc);
1236 break;
1237
1238 /*
1239 * all these treat 'arg' as an integer
1240 */
1241 case KIOCSOUND:
1242 case KDMKTONE:
1243 #ifdef CONFIG_X86
1244 case KDADDIO:
1245 case KDDELIO:
1246 #endif
1247 case KDSETMODE:
1248 case KDMAPDISP:
1249 case KDUNMAPDISP:
1250 case KDSKBMODE:
1251 case KDSKBMETA:
1252 case KDSKBLED:
1253 case KDSETLED:
1254 case KDSIGACCEPT:
1255 case VT_ACTIVATE:
1256 case VT_WAITACTIVE:
1257 case VT_RELDISP:
1258 case VT_DISALLOCATE:
1259 case VT_RESIZE:
1260 case VT_RESIZEX:
1261 goto fallback;
1262
1263 /*
1264 * the rest has a compatible data structure behind arg,
1265 * but we have to convert it to a proper 64 bit pointer.
1266 */
1267 default:
1268 arg = (unsigned long)compat_ptr(arg);
1269 goto fallback;
1270 }
1271
1272 return ret;
1273
1274 fallback:
1275 return vt_ioctl(tty, cmd, arg);
1276 }
1277
1278
1279 #endif /* CONFIG_COMPAT */
1280
1281
1282 /*
1283 * Performs the back end of a vt switch. Called under the console
1284 * semaphore.
1285 */
complete_change_console(struct vc_data * vc)1286 static void complete_change_console(struct vc_data *vc)
1287 {
1288 unsigned char old_vc_mode;
1289 int old = fg_console;
1290
1291 last_console = fg_console;
1292
1293 /*
1294 * If we're switching, we could be going from KD_GRAPHICS to
1295 * KD_TEXT mode or vice versa, which means we need to blank or
1296 * unblank the screen later.
1297 */
1298 old_vc_mode = vc_cons[fg_console].d->vc_mode;
1299 switch_screen(vc);
1300
1301 /*
1302 * This can't appear below a successful kill_pid(). If it did,
1303 * then the *blank_screen operation could occur while X, having
1304 * received acqsig, is waking up on another processor. This
1305 * condition can lead to overlapping accesses to the VGA range
1306 * and the framebuffer (causing system lockups).
1307 *
1308 * To account for this we duplicate this code below only if the
1309 * controlling process is gone and we've called reset_vc.
1310 */
1311 if (old_vc_mode != vc->vc_mode) {
1312 if (vc->vc_mode == KD_TEXT)
1313 do_unblank_screen(1);
1314 else
1315 do_blank_screen(1);
1316 }
1317
1318 /*
1319 * If this new console is under process control, send it a signal
1320 * telling it that it has acquired. Also check if it has died and
1321 * clean up (similar to logic employed in change_console())
1322 */
1323 if (vc->vt_mode.mode == VT_PROCESS) {
1324 /*
1325 * Send the signal as privileged - kill_pid() will
1326 * tell us if the process has gone or something else
1327 * is awry
1328 */
1329 if (kill_pid(vc->vt_pid, vc->vt_mode.acqsig, 1) != 0) {
1330 /*
1331 * The controlling process has died, so we revert back to
1332 * normal operation. In this case, we'll also change back
1333 * to KD_TEXT mode. I'm not sure if this is strictly correct
1334 * but it saves the agony when the X server dies and the screen
1335 * remains blanked due to KD_GRAPHICS! It would be nice to do
1336 * this outside of VT_PROCESS but there is no single process
1337 * to account for and tracking tty count may be undesirable.
1338 */
1339 reset_vc(vc);
1340
1341 if (old_vc_mode != vc->vc_mode) {
1342 if (vc->vc_mode == KD_TEXT)
1343 do_unblank_screen(1);
1344 else
1345 do_blank_screen(1);
1346 }
1347 }
1348 }
1349
1350 /*
1351 * Wake anyone waiting for their VT to activate
1352 */
1353 vt_event_post(VT_EVENT_SWITCH, old, vc->vc_num);
1354 return;
1355 }
1356
1357 /*
1358 * Performs the front-end of a vt switch
1359 */
change_console(struct vc_data * new_vc)1360 void change_console(struct vc_data *new_vc)
1361 {
1362 struct vc_data *vc;
1363
1364 if (!new_vc || new_vc->vc_num == fg_console || vt_dont_switch)
1365 return;
1366
1367 /*
1368 * If this vt is in process mode, then we need to handshake with
1369 * that process before switching. Essentially, we store where that
1370 * vt wants to switch to and wait for it to tell us when it's done
1371 * (via VT_RELDISP ioctl).
1372 *
1373 * We also check to see if the controlling process still exists.
1374 * If it doesn't, we reset this vt to auto mode and continue.
1375 * This is a cheap way to track process control. The worst thing
1376 * that can happen is: we send a signal to a process, it dies, and
1377 * the switch gets "lost" waiting for a response; hopefully, the
1378 * user will try again, we'll detect the process is gone (unless
1379 * the user waits just the right amount of time :-) and revert the
1380 * vt to auto control.
1381 */
1382 vc = vc_cons[fg_console].d;
1383 if (vc->vt_mode.mode == VT_PROCESS) {
1384 /*
1385 * Send the signal as privileged - kill_pid() will
1386 * tell us if the process has gone or something else
1387 * is awry.
1388 *
1389 * We need to set vt_newvt *before* sending the signal or we
1390 * have a race.
1391 */
1392 vc->vt_newvt = new_vc->vc_num;
1393 if (kill_pid(vc->vt_pid, vc->vt_mode.relsig, 1) == 0) {
1394 /*
1395 * It worked. Mark the vt to switch to and
1396 * return. The process needs to send us a
1397 * VT_RELDISP ioctl to complete the switch.
1398 */
1399 return;
1400 }
1401
1402 /*
1403 * The controlling process has died, so we revert back to
1404 * normal operation. In this case, we'll also change back
1405 * to KD_TEXT mode. I'm not sure if this is strictly correct
1406 * but it saves the agony when the X server dies and the screen
1407 * remains blanked due to KD_GRAPHICS! It would be nice to do
1408 * this outside of VT_PROCESS but there is no single process
1409 * to account for and tracking tty count may be undesirable.
1410 */
1411 reset_vc(vc);
1412
1413 /*
1414 * Fall through to normal (VT_AUTO) handling of the switch...
1415 */
1416 }
1417
1418 /*
1419 * Ignore all switches in KD_GRAPHICS+VT_AUTO mode
1420 */
1421 if (vc->vc_mode == KD_GRAPHICS)
1422 return;
1423
1424 complete_change_console(new_vc);
1425 }
1426
1427 /* Perform a kernel triggered VT switch for suspend/resume */
1428
1429 static int disable_vt_switch;
1430
vt_move_to_console(unsigned int vt,int alloc)1431 int vt_move_to_console(unsigned int vt, int alloc)
1432 {
1433 int prev;
1434
1435 console_lock();
1436 /* Graphics mode - up to X */
1437 if (disable_vt_switch) {
1438 console_unlock();
1439 return 0;
1440 }
1441 prev = fg_console;
1442
1443 if (alloc && vc_allocate(vt)) {
1444 /* we can't have a free VC for now. Too bad,
1445 * we don't want to mess the screen for now. */
1446 console_unlock();
1447 return -ENOSPC;
1448 }
1449
1450 if (set_console(vt)) {
1451 /*
1452 * We're unable to switch to the SUSPEND_CONSOLE.
1453 * Let the calling function know so it can decide
1454 * what to do.
1455 */
1456 console_unlock();
1457 return -EIO;
1458 }
1459 console_unlock();
1460 if (vt_waitactive(vt + 1)) {
1461 pr_debug("Suspend: Can't switch VCs.");
1462 return -EINTR;
1463 }
1464 return prev;
1465 }
1466
1467 /*
1468 * Normally during a suspend, we allocate a new console and switch to it.
1469 * When we resume, we switch back to the original console. This switch
1470 * can be slow, so on systems where the framebuffer can handle restoration
1471 * of video registers anyways, there's little point in doing the console
1472 * switch. This function allows you to disable it by passing it '0'.
1473 */
pm_set_vt_switch(int do_switch)1474 void pm_set_vt_switch(int do_switch)
1475 {
1476 console_lock();
1477 disable_vt_switch = !do_switch;
1478 console_unlock();
1479 }
1480 EXPORT_SYMBOL(pm_set_vt_switch);
1481