2005-04-16 16:20:36 -06:00
|
|
|
/*
|
|
|
|
* Provide access to virtual console memory.
|
|
|
|
* /dev/vcs0: the screen as it is being viewed right now (possibly scrolled)
|
|
|
|
* /dev/vcsN: the screen of /dev/ttyN (1 <= N <= 63)
|
|
|
|
* [minor: N]
|
|
|
|
*
|
|
|
|
* /dev/vcsaN: idem, but including attributes, and prefixed with
|
|
|
|
* the 4 bytes lines,columns,x,y (as screendump used to give).
|
|
|
|
* Attribute/character pair is in native endianity.
|
|
|
|
* [minor: N+128]
|
|
|
|
*
|
|
|
|
* This replaces screendump and part of selection, so that the system
|
|
|
|
* administrator can control access using file system permissions.
|
|
|
|
*
|
|
|
|
* aeb@cwi.nl - efter Friedas begravelse - 950211
|
|
|
|
*
|
|
|
|
* machek@k332.feld.cvut.cz - modified not to send characters to wrong console
|
|
|
|
* - fixed some fatal off-by-one bugs (0-- no longer == -1 -> looping and looping and looping...)
|
|
|
|
* - making it shorter - scr_readw are macros which expand in PRETTY long code
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/kernel.h>
|
|
|
|
#include <linux/major.h>
|
|
|
|
#include <linux/errno.h>
|
2011-05-27 08:46:24 -06:00
|
|
|
#include <linux/export.h>
|
2005-04-16 16:20:36 -06:00
|
|
|
#include <linux/tty.h>
|
|
|
|
#include <linux/interrupt.h>
|
|
|
|
#include <linux/mm.h>
|
|
|
|
#include <linux/init.h>
|
|
|
|
#include <linux/vt_kern.h>
|
|
|
|
#include <linux/selection.h>
|
|
|
|
#include <linux/kbd_kern.h>
|
|
|
|
#include <linux/console.h>
|
|
|
|
#include <linux/device.h>
|
2010-10-05 12:22:37 -06:00
|
|
|
#include <linux/sched.h>
|
|
|
|
#include <linux/fs.h>
|
|
|
|
#include <linux/poll.h>
|
|
|
|
#include <linux/signal.h>
|
|
|
|
#include <linux/slab.h>
|
|
|
|
#include <linux/notifier.h>
|
2007-05-08 01:39:49 -06:00
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
#include <asm/uaccess.h>
|
|
|
|
#include <asm/byteorder.h>
|
|
|
|
#include <asm/unaligned.h>
|
|
|
|
|
|
|
|
#undef attr
|
|
|
|
#undef org
|
|
|
|
#undef addr
|
|
|
|
#define HEADER_SIZE 4
|
|
|
|
|
2011-02-07 11:31:25 -07:00
|
|
|
#define CON_BUF_SIZE (CONFIG_BASE_SMALL ? 256 : PAGE_SIZE)
|
|
|
|
|
2010-10-05 12:22:37 -06:00
|
|
|
struct vcs_poll_data {
|
|
|
|
struct notifier_block notifier;
|
|
|
|
unsigned int cons_num;
|
|
|
|
bool seen_last_update;
|
|
|
|
wait_queue_head_t waitq;
|
|
|
|
struct fasync_struct *fasync;
|
|
|
|
};
|
|
|
|
|
|
|
|
static int
|
|
|
|
vcs_notifier(struct notifier_block *nb, unsigned long code, void *_param)
|
|
|
|
{
|
|
|
|
struct vt_notifier_param *param = _param;
|
|
|
|
struct vc_data *vc = param->vc;
|
|
|
|
struct vcs_poll_data *poll =
|
|
|
|
container_of(nb, struct vcs_poll_data, notifier);
|
|
|
|
int currcons = poll->cons_num;
|
|
|
|
|
|
|
|
if (code != VT_UPDATE)
|
|
|
|
return NOTIFY_DONE;
|
|
|
|
|
|
|
|
if (currcons == 0)
|
|
|
|
currcons = fg_console;
|
|
|
|
else
|
|
|
|
currcons--;
|
|
|
|
if (currcons != vc->vc_num)
|
|
|
|
return NOTIFY_DONE;
|
|
|
|
|
|
|
|
poll->seen_last_update = false;
|
|
|
|
wake_up_interruptible(&poll->waitq);
|
|
|
|
kill_fasync(&poll->fasync, SIGIO, POLL_IN);
|
|
|
|
return NOTIFY_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
vcs_poll_data_free(struct vcs_poll_data *poll)
|
|
|
|
{
|
|
|
|
unregister_vt_notifier(&poll->notifier);
|
|
|
|
kfree(poll);
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct vcs_poll_data *
|
|
|
|
vcs_poll_data_get(struct file *file)
|
|
|
|
{
|
|
|
|
struct vcs_poll_data *poll = file->private_data;
|
|
|
|
|
|
|
|
if (poll)
|
|
|
|
return poll;
|
|
|
|
|
|
|
|
poll = kzalloc(sizeof(*poll), GFP_KERNEL);
|
|
|
|
if (!poll)
|
|
|
|
return NULL;
|
|
|
|
poll->cons_num = iminor(file->f_path.dentry->d_inode) & 127;
|
|
|
|
init_waitqueue_head(&poll->waitq);
|
|
|
|
poll->notifier.notifier_call = vcs_notifier;
|
|
|
|
if (register_vt_notifier(&poll->notifier) != 0) {
|
|
|
|
kfree(poll);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This code may be called either through ->poll() or ->fasync().
|
|
|
|
* If we have two threads using the same file descriptor, they could
|
|
|
|
* both enter this function, both notice that the structure hasn't
|
|
|
|
* been allocated yet and go ahead allocating it in parallel, but
|
|
|
|
* only one of them must survive and be shared otherwise we'd leak
|
|
|
|
* memory with a dangling notifier callback.
|
|
|
|
*/
|
|
|
|
spin_lock(&file->f_lock);
|
|
|
|
if (!file->private_data) {
|
|
|
|
file->private_data = poll;
|
|
|
|
} else {
|
|
|
|
/* someone else raced ahead of us */
|
|
|
|
vcs_poll_data_free(poll);
|
|
|
|
poll = file->private_data;
|
|
|
|
}
|
|
|
|
spin_unlock(&file->f_lock);
|
|
|
|
|
|
|
|
return poll;
|
|
|
|
}
|
|
|
|
|
2011-02-07 11:31:25 -07:00
|
|
|
/*
|
|
|
|
* Returns VC for inode.
|
|
|
|
* Must be called with console_lock.
|
|
|
|
*/
|
|
|
|
static struct vc_data*
|
|
|
|
vcs_vc(struct inode *inode, int *viewed)
|
|
|
|
{
|
|
|
|
unsigned int currcons = iminor(inode) & 127;
|
|
|
|
|
|
|
|
WARN_CONSOLE_UNLOCKED();
|
|
|
|
|
|
|
|
if (currcons == 0) {
|
|
|
|
currcons = fg_console;
|
|
|
|
if (viewed)
|
|
|
|
*viewed = 1;
|
|
|
|
} else {
|
|
|
|
currcons--;
|
|
|
|
if (viewed)
|
|
|
|
*viewed = 0;
|
|
|
|
}
|
|
|
|
return vc_cons[currcons].d;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Returns size for VC carried by inode.
|
|
|
|
* Must be called with console_lock.
|
|
|
|
*/
|
2005-04-16 16:20:36 -06:00
|
|
|
static int
|
|
|
|
vcs_size(struct inode *inode)
|
|
|
|
{
|
|
|
|
int size;
|
|
|
|
int minor = iminor(inode);
|
|
|
|
struct vc_data *vc;
|
|
|
|
|
2011-02-07 11:31:25 -07:00
|
|
|
WARN_CONSOLE_UNLOCKED();
|
|
|
|
|
|
|
|
vc = vcs_vc(inode, NULL);
|
|
|
|
if (!vc)
|
2005-04-16 16:20:36 -06:00
|
|
|
return -ENXIO;
|
|
|
|
|
|
|
|
size = vc->vc_rows * vc->vc_cols;
|
|
|
|
|
|
|
|
if (minor & 128)
|
|
|
|
size = 2*size + HEADER_SIZE;
|
|
|
|
return size;
|
|
|
|
}
|
|
|
|
|
|
|
|
static loff_t vcs_lseek(struct file *file, loff_t offset, int orig)
|
|
|
|
{
|
|
|
|
int size;
|
|
|
|
|
tty,vcs: lseek/VC-release race fix
there's a race between vcs's lseek handler and VC release.
The lseek handler does not hold console_lock and touches
VC's size info. If during this the VC got released, there's
an access violation.
Following program triggers the issue for me:
[SNIP]
#define _BSD_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/vt.h>
#include <unistd.h>
#include <errno.h>
static int run_seek(void)
{
while(1) {
int fd;
fd = open("./vcs30", O_RDWR);
while(lseek(fd, 0, 0) != -1);
close(fd);
}
}
static int open_ioctl_tty(void)
{
return open("/dev/tty1", O_RDWR);
}
static int do_ioctl(int fd, int req, int i)
{
return ioctl(fd, req, i);
}
#define INIT(i) do_ioctl(ioctl_fd, VT_ACTIVATE, i)
#define SHUT(i) do_ioctl(ioctl_fd, VT_DISALLOCATE, i)
int main(int argc, char **argv)
{
int ioctl_fd = open_ioctl_tty();
if (ioctl < 0) {
perror("open tty1 failed\n");
return -1;
}
if ((-1 == mknod("vcs30", S_IFCHR|0666, makedev(7, 30))) &&
(errno != EEXIST)) {
printf("errno %d\n", errno);
perror("failed to create vcs30");
return -1;
}
do_ioctl(ioctl_fd, VT_LOCKSWITCH, 0);
if (!fork())
run_seek();
while(1) {
INIT(30);
SHUT(30);
}
return 0;
}
[SNIP]
Signed-off-by: Jiri Olsa <jolsa@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-02-07 11:31:24 -07:00
|
|
|
console_lock();
|
2006-12-08 03:36:55 -07:00
|
|
|
size = vcs_size(file->f_path.dentry->d_inode);
|
tty,vcs: lseek/VC-release race fix
there's a race between vcs's lseek handler and VC release.
The lseek handler does not hold console_lock and touches
VC's size info. If during this the VC got released, there's
an access violation.
Following program triggers the issue for me:
[SNIP]
#define _BSD_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/vt.h>
#include <unistd.h>
#include <errno.h>
static int run_seek(void)
{
while(1) {
int fd;
fd = open("./vcs30", O_RDWR);
while(lseek(fd, 0, 0) != -1);
close(fd);
}
}
static int open_ioctl_tty(void)
{
return open("/dev/tty1", O_RDWR);
}
static int do_ioctl(int fd, int req, int i)
{
return ioctl(fd, req, i);
}
#define INIT(i) do_ioctl(ioctl_fd, VT_ACTIVATE, i)
#define SHUT(i) do_ioctl(ioctl_fd, VT_DISALLOCATE, i)
int main(int argc, char **argv)
{
int ioctl_fd = open_ioctl_tty();
if (ioctl < 0) {
perror("open tty1 failed\n");
return -1;
}
if ((-1 == mknod("vcs30", S_IFCHR|0666, makedev(7, 30))) &&
(errno != EEXIST)) {
printf("errno %d\n", errno);
perror("failed to create vcs30");
return -1;
}
do_ioctl(ioctl_fd, VT_LOCKSWITCH, 0);
if (!fork())
run_seek();
while(1) {
INIT(30);
SHUT(30);
}
return 0;
}
[SNIP]
Signed-off-by: Jiri Olsa <jolsa@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-02-07 11:31:24 -07:00
|
|
|
console_unlock();
|
2011-02-07 11:31:25 -07:00
|
|
|
if (size < 0)
|
tty,vcs: lseek/VC-release race fix
there's a race between vcs's lseek handler and VC release.
The lseek handler does not hold console_lock and touches
VC's size info. If during this the VC got released, there's
an access violation.
Following program triggers the issue for me:
[SNIP]
#define _BSD_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/vt.h>
#include <unistd.h>
#include <errno.h>
static int run_seek(void)
{
while(1) {
int fd;
fd = open("./vcs30", O_RDWR);
while(lseek(fd, 0, 0) != -1);
close(fd);
}
}
static int open_ioctl_tty(void)
{
return open("/dev/tty1", O_RDWR);
}
static int do_ioctl(int fd, int req, int i)
{
return ioctl(fd, req, i);
}
#define INIT(i) do_ioctl(ioctl_fd, VT_ACTIVATE, i)
#define SHUT(i) do_ioctl(ioctl_fd, VT_DISALLOCATE, i)
int main(int argc, char **argv)
{
int ioctl_fd = open_ioctl_tty();
if (ioctl < 0) {
perror("open tty1 failed\n");
return -1;
}
if ((-1 == mknod("vcs30", S_IFCHR|0666, makedev(7, 30))) &&
(errno != EEXIST)) {
printf("errno %d\n", errno);
perror("failed to create vcs30");
return -1;
}
do_ioctl(ioctl_fd, VT_LOCKSWITCH, 0);
if (!fork())
run_seek();
while(1) {
INIT(30);
SHUT(30);
}
return 0;
}
[SNIP]
Signed-off-by: Jiri Olsa <jolsa@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-02-07 11:31:24 -07:00
|
|
|
return size;
|
2005-04-16 16:20:36 -06:00
|
|
|
switch (orig) {
|
|
|
|
default:
|
|
|
|
return -EINVAL;
|
|
|
|
case 2:
|
|
|
|
offset += size;
|
|
|
|
break;
|
|
|
|
case 1:
|
|
|
|
offset += file->f_pos;
|
|
|
|
case 0:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
if (offset < 0 || offset > size) {
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
file->f_pos = offset;
|
|
|
|
return file->f_pos;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static ssize_t
|
|
|
|
vcs_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)
|
|
|
|
{
|
2006-12-08 03:36:55 -07:00
|
|
|
struct inode *inode = file->f_path.dentry->d_inode;
|
2005-04-16 16:20:36 -06:00
|
|
|
unsigned int currcons = iminor(inode);
|
|
|
|
struct vc_data *vc;
|
2010-10-05 12:22:37 -06:00
|
|
|
struct vcs_poll_data *poll;
|
2005-04-16 16:20:36 -06:00
|
|
|
long pos;
|
2011-02-07 11:31:25 -07:00
|
|
|
long attr, read;
|
|
|
|
int col, maxcol, viewed;
|
2005-04-16 16:20:36 -06:00
|
|
|
unsigned short *org = NULL;
|
|
|
|
ssize_t ret;
|
2011-02-07 11:31:25 -07:00
|
|
|
char *con_buf;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2011-02-07 11:31:25 -07:00
|
|
|
con_buf = (char *) __get_free_page(GFP_KERNEL);
|
|
|
|
if (!con_buf)
|
|
|
|
return -ENOMEM;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
pos = *ppos;
|
|
|
|
|
|
|
|
/* Select the proper current console and verify
|
|
|
|
* sanity of the situation under the console lock.
|
|
|
|
*/
|
2011-01-25 16:07:35 -07:00
|
|
|
console_lock();
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
attr = (currcons & 128);
|
|
|
|
ret = -ENXIO;
|
2011-02-07 11:31:25 -07:00
|
|
|
vc = vcs_vc(inode, &viewed);
|
|
|
|
if (!vc)
|
2005-04-16 16:20:36 -06:00
|
|
|
goto unlock_out;
|
|
|
|
|
|
|
|
ret = -EINVAL;
|
|
|
|
if (pos < 0)
|
|
|
|
goto unlock_out;
|
2010-10-05 12:22:37 -06:00
|
|
|
poll = file->private_data;
|
|
|
|
if (count && poll)
|
|
|
|
poll->seen_last_update = true;
|
2005-04-16 16:20:36 -06:00
|
|
|
read = 0;
|
|
|
|
ret = 0;
|
|
|
|
while (count) {
|
|
|
|
char *con_buf0, *con_buf_start;
|
|
|
|
long this_round, size;
|
|
|
|
ssize_t orig_count;
|
|
|
|
long p = pos;
|
|
|
|
|
|
|
|
/* Check whether we are above size each round,
|
|
|
|
* as copy_to_user at the end of this loop
|
|
|
|
* could sleep.
|
|
|
|
*/
|
|
|
|
size = vcs_size(inode);
|
tty,vcs: lseek/VC-release race fix
there's a race between vcs's lseek handler and VC release.
The lseek handler does not hold console_lock and touches
VC's size info. If during this the VC got released, there's
an access violation.
Following program triggers the issue for me:
[SNIP]
#define _BSD_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/vt.h>
#include <unistd.h>
#include <errno.h>
static int run_seek(void)
{
while(1) {
int fd;
fd = open("./vcs30", O_RDWR);
while(lseek(fd, 0, 0) != -1);
close(fd);
}
}
static int open_ioctl_tty(void)
{
return open("/dev/tty1", O_RDWR);
}
static int do_ioctl(int fd, int req, int i)
{
return ioctl(fd, req, i);
}
#define INIT(i) do_ioctl(ioctl_fd, VT_ACTIVATE, i)
#define SHUT(i) do_ioctl(ioctl_fd, VT_DISALLOCATE, i)
int main(int argc, char **argv)
{
int ioctl_fd = open_ioctl_tty();
if (ioctl < 0) {
perror("open tty1 failed\n");
return -1;
}
if ((-1 == mknod("vcs30", S_IFCHR|0666, makedev(7, 30))) &&
(errno != EEXIST)) {
printf("errno %d\n", errno);
perror("failed to create vcs30");
return -1;
}
do_ioctl(ioctl_fd, VT_LOCKSWITCH, 0);
if (!fork())
run_seek();
while(1) {
INIT(30);
SHUT(30);
}
return 0;
}
[SNIP]
Signed-off-by: Jiri Olsa <jolsa@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-02-07 11:31:24 -07:00
|
|
|
if (size < 0) {
|
|
|
|
if (read)
|
|
|
|
break;
|
|
|
|
ret = size;
|
|
|
|
goto unlock_out;
|
|
|
|
}
|
2005-04-16 16:20:36 -06:00
|
|
|
if (pos >= size)
|
|
|
|
break;
|
|
|
|
if (count > size - pos)
|
|
|
|
count = size - pos;
|
|
|
|
|
|
|
|
this_round = count;
|
|
|
|
if (this_round > CON_BUF_SIZE)
|
|
|
|
this_round = CON_BUF_SIZE;
|
|
|
|
|
|
|
|
/* Perform the whole read into the local con_buf.
|
|
|
|
* Then we can drop the console spinlock and safely
|
|
|
|
* attempt to move it to userspace.
|
|
|
|
*/
|
|
|
|
|
|
|
|
con_buf_start = con_buf0 = con_buf;
|
|
|
|
orig_count = this_round;
|
|
|
|
maxcol = vc->vc_cols;
|
|
|
|
if (!attr) {
|
|
|
|
org = screen_pos(vc, p, viewed);
|
|
|
|
col = p % maxcol;
|
|
|
|
p += maxcol - col;
|
|
|
|
while (this_round-- > 0) {
|
|
|
|
*con_buf0++ = (vcs_scr_readw(vc, org++) & 0xff);
|
|
|
|
if (++col == maxcol) {
|
|
|
|
org = screen_pos(vc, p, viewed);
|
|
|
|
col = 0;
|
|
|
|
p += maxcol;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if (p < HEADER_SIZE) {
|
|
|
|
size_t tmp_count;
|
|
|
|
|
|
|
|
con_buf0[0] = (char)vc->vc_rows;
|
|
|
|
con_buf0[1] = (char)vc->vc_cols;
|
|
|
|
getconsxy(vc, con_buf0 + 2);
|
|
|
|
|
|
|
|
con_buf_start += p;
|
|
|
|
this_round += p;
|
|
|
|
if (this_round > CON_BUF_SIZE) {
|
|
|
|
this_round = CON_BUF_SIZE;
|
|
|
|
orig_count = this_round - p;
|
|
|
|
}
|
|
|
|
|
|
|
|
tmp_count = HEADER_SIZE;
|
|
|
|
if (tmp_count > this_round)
|
|
|
|
tmp_count = this_round;
|
|
|
|
|
|
|
|
/* Advance state pointers and move on. */
|
|
|
|
this_round -= tmp_count;
|
|
|
|
p = HEADER_SIZE;
|
|
|
|
con_buf0 = con_buf + HEADER_SIZE;
|
|
|
|
/* If this_round >= 0, then p is even... */
|
|
|
|
} else if (p & 1) {
|
|
|
|
/* Skip first byte for output if start address is odd
|
|
|
|
* Update region sizes up/down depending on free
|
|
|
|
* space in buffer.
|
|
|
|
*/
|
|
|
|
con_buf_start++;
|
|
|
|
if (this_round < CON_BUF_SIZE)
|
|
|
|
this_round++;
|
|
|
|
else
|
|
|
|
orig_count--;
|
|
|
|
}
|
|
|
|
if (this_round > 0) {
|
|
|
|
unsigned short *tmp_buf = (unsigned short *)con_buf0;
|
|
|
|
|
|
|
|
p -= HEADER_SIZE;
|
|
|
|
p /= 2;
|
|
|
|
col = p % maxcol;
|
|
|
|
|
|
|
|
org = screen_pos(vc, p, viewed);
|
|
|
|
p += maxcol - col;
|
|
|
|
|
|
|
|
/* Buffer has even length, so we can always copy
|
|
|
|
* character + attribute. We do not copy last byte
|
|
|
|
* to userspace if this_round is odd.
|
|
|
|
*/
|
|
|
|
this_round = (this_round + 1) >> 1;
|
|
|
|
|
|
|
|
while (this_round) {
|
|
|
|
*tmp_buf++ = vcs_scr_readw(vc, org++);
|
|
|
|
this_round --;
|
|
|
|
if (++col == maxcol) {
|
|
|
|
org = screen_pos(vc, p, viewed);
|
|
|
|
col = 0;
|
|
|
|
p += maxcol;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Finally, release the console semaphore while we push
|
|
|
|
* all the data to userspace from our temporary buffer.
|
|
|
|
*
|
|
|
|
* AKPM: Even though it's a semaphore, we should drop it because
|
|
|
|
* the pagefault handling code may want to call printk().
|
|
|
|
*/
|
|
|
|
|
2011-01-25 16:07:35 -07:00
|
|
|
console_unlock();
|
2005-04-16 16:20:36 -06:00
|
|
|
ret = copy_to_user(buf, con_buf_start, orig_count);
|
2011-01-25 16:07:35 -07:00
|
|
|
console_lock();
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
if (ret) {
|
|
|
|
read += (orig_count - ret);
|
|
|
|
ret = -EFAULT;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
buf += orig_count;
|
|
|
|
pos += orig_count;
|
|
|
|
read += orig_count;
|
|
|
|
count -= orig_count;
|
|
|
|
}
|
|
|
|
*ppos += read;
|
|
|
|
if (read)
|
|
|
|
ret = read;
|
|
|
|
unlock_out:
|
2011-01-25 16:07:35 -07:00
|
|
|
console_unlock();
|
2011-02-07 11:31:25 -07:00
|
|
|
free_page((unsigned long) con_buf);
|
2005-04-16 16:20:36 -06:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
static ssize_t
|
|
|
|
vcs_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos)
|
|
|
|
{
|
2006-12-08 03:36:55 -07:00
|
|
|
struct inode *inode = file->f_path.dentry->d_inode;
|
2005-04-16 16:20:36 -06:00
|
|
|
unsigned int currcons = iminor(inode);
|
|
|
|
struct vc_data *vc;
|
|
|
|
long pos;
|
2011-02-07 11:31:25 -07:00
|
|
|
long attr, size, written;
|
2005-04-16 16:20:36 -06:00
|
|
|
char *con_buf0;
|
2011-02-07 11:31:25 -07:00
|
|
|
int col, maxcol, viewed;
|
2005-04-16 16:20:36 -06:00
|
|
|
u16 *org0 = NULL, *org = NULL;
|
|
|
|
size_t ret;
|
2011-02-07 11:31:25 -07:00
|
|
|
char *con_buf;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2011-02-07 11:31:25 -07:00
|
|
|
con_buf = (char *) __get_free_page(GFP_KERNEL);
|
|
|
|
if (!con_buf)
|
|
|
|
return -ENOMEM;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
pos = *ppos;
|
|
|
|
|
|
|
|
/* Select the proper current console and verify
|
|
|
|
* sanity of the situation under the console lock.
|
|
|
|
*/
|
2011-01-25 16:07:35 -07:00
|
|
|
console_lock();
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
attr = (currcons & 128);
|
|
|
|
ret = -ENXIO;
|
2011-02-07 11:31:25 -07:00
|
|
|
vc = vcs_vc(inode, &viewed);
|
|
|
|
if (!vc)
|
2005-04-16 16:20:36 -06:00
|
|
|
goto unlock_out;
|
|
|
|
|
|
|
|
size = vcs_size(inode);
|
|
|
|
ret = -EINVAL;
|
|
|
|
if (pos < 0 || pos > size)
|
|
|
|
goto unlock_out;
|
|
|
|
if (count > size - pos)
|
|
|
|
count = size - pos;
|
|
|
|
written = 0;
|
|
|
|
while (count) {
|
|
|
|
long this_round = count;
|
|
|
|
size_t orig_count;
|
|
|
|
long p;
|
|
|
|
|
|
|
|
if (this_round > CON_BUF_SIZE)
|
|
|
|
this_round = CON_BUF_SIZE;
|
|
|
|
|
|
|
|
/* Temporarily drop the console lock so that we can read
|
|
|
|
* in the write data from userspace safely.
|
|
|
|
*/
|
2011-01-25 16:07:35 -07:00
|
|
|
console_unlock();
|
2005-04-16 16:20:36 -06:00
|
|
|
ret = copy_from_user(con_buf, buf, this_round);
|
2011-01-25 16:07:35 -07:00
|
|
|
console_lock();
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
if (ret) {
|
|
|
|
this_round -= ret;
|
|
|
|
if (!this_round) {
|
|
|
|
/* Abort loop if no data were copied. Otherwise
|
|
|
|
* fail with -EFAULT.
|
|
|
|
*/
|
|
|
|
if (written)
|
|
|
|
break;
|
|
|
|
ret = -EFAULT;
|
|
|
|
goto unlock_out;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* The vcs_size might have changed while we slept to grab
|
|
|
|
* the user buffer, so recheck.
|
|
|
|
* Return data written up to now on failure.
|
|
|
|
*/
|
|
|
|
size = vcs_size(inode);
|
tty,vcs: lseek/VC-release race fix
there's a race between vcs's lseek handler and VC release.
The lseek handler does not hold console_lock and touches
VC's size info. If during this the VC got released, there's
an access violation.
Following program triggers the issue for me:
[SNIP]
#define _BSD_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/vt.h>
#include <unistd.h>
#include <errno.h>
static int run_seek(void)
{
while(1) {
int fd;
fd = open("./vcs30", O_RDWR);
while(lseek(fd, 0, 0) != -1);
close(fd);
}
}
static int open_ioctl_tty(void)
{
return open("/dev/tty1", O_RDWR);
}
static int do_ioctl(int fd, int req, int i)
{
return ioctl(fd, req, i);
}
#define INIT(i) do_ioctl(ioctl_fd, VT_ACTIVATE, i)
#define SHUT(i) do_ioctl(ioctl_fd, VT_DISALLOCATE, i)
int main(int argc, char **argv)
{
int ioctl_fd = open_ioctl_tty();
if (ioctl < 0) {
perror("open tty1 failed\n");
return -1;
}
if ((-1 == mknod("vcs30", S_IFCHR|0666, makedev(7, 30))) &&
(errno != EEXIST)) {
printf("errno %d\n", errno);
perror("failed to create vcs30");
return -1;
}
do_ioctl(ioctl_fd, VT_LOCKSWITCH, 0);
if (!fork())
run_seek();
while(1) {
INIT(30);
SHUT(30);
}
return 0;
}
[SNIP]
Signed-off-by: Jiri Olsa <jolsa@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-02-07 11:31:24 -07:00
|
|
|
if (size < 0) {
|
|
|
|
if (written)
|
|
|
|
break;
|
|
|
|
ret = size;
|
|
|
|
goto unlock_out;
|
|
|
|
}
|
2005-04-16 16:20:36 -06:00
|
|
|
if (pos >= size)
|
|
|
|
break;
|
|
|
|
if (this_round > size - pos)
|
|
|
|
this_round = size - pos;
|
|
|
|
|
|
|
|
/* OK, now actually push the write to the console
|
|
|
|
* under the lock using the local kernel buffer.
|
|
|
|
*/
|
|
|
|
|
|
|
|
con_buf0 = con_buf;
|
|
|
|
orig_count = this_round;
|
|
|
|
maxcol = vc->vc_cols;
|
|
|
|
p = pos;
|
|
|
|
if (!attr) {
|
|
|
|
org0 = org = screen_pos(vc, p, viewed);
|
|
|
|
col = p % maxcol;
|
|
|
|
p += maxcol - col;
|
|
|
|
|
|
|
|
while (this_round > 0) {
|
|
|
|
unsigned char c = *con_buf0++;
|
|
|
|
|
|
|
|
this_round--;
|
|
|
|
vcs_scr_writew(vc,
|
|
|
|
(vcs_scr_readw(vc, org) & 0xff00) | c, org);
|
|
|
|
org++;
|
|
|
|
if (++col == maxcol) {
|
|
|
|
org = screen_pos(vc, p, viewed);
|
|
|
|
col = 0;
|
|
|
|
p += maxcol;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if (p < HEADER_SIZE) {
|
|
|
|
char header[HEADER_SIZE];
|
|
|
|
|
|
|
|
getconsxy(vc, header + 2);
|
|
|
|
while (p < HEADER_SIZE && this_round > 0) {
|
|
|
|
this_round--;
|
|
|
|
header[p++] = *con_buf0++;
|
|
|
|
}
|
|
|
|
if (!viewed)
|
|
|
|
putconsxy(vc, header + 2);
|
|
|
|
}
|
|
|
|
p -= HEADER_SIZE;
|
|
|
|
col = (p/2) % maxcol;
|
|
|
|
if (this_round > 0) {
|
|
|
|
org0 = org = screen_pos(vc, p/2, viewed);
|
|
|
|
if ((p & 1) && this_round > 0) {
|
|
|
|
char c;
|
|
|
|
|
|
|
|
this_round--;
|
|
|
|
c = *con_buf0++;
|
|
|
|
#ifdef __BIG_ENDIAN
|
|
|
|
vcs_scr_writew(vc, c |
|
|
|
|
(vcs_scr_readw(vc, org) & 0xff00), org);
|
|
|
|
#else
|
|
|
|
vcs_scr_writew(vc, (c << 8) |
|
|
|
|
(vcs_scr_readw(vc, org) & 0xff), org);
|
|
|
|
#endif
|
|
|
|
org++;
|
|
|
|
p++;
|
|
|
|
if (++col == maxcol) {
|
|
|
|
org = screen_pos(vc, p/2, viewed);
|
|
|
|
col = 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
p /= 2;
|
|
|
|
p += maxcol - col;
|
|
|
|
}
|
|
|
|
while (this_round > 1) {
|
|
|
|
unsigned short w;
|
|
|
|
|
2005-12-28 18:01:04 -07:00
|
|
|
w = get_unaligned(((unsigned short *)con_buf0));
|
2005-04-16 16:20:36 -06:00
|
|
|
vcs_scr_writew(vc, w, org++);
|
|
|
|
con_buf0 += 2;
|
|
|
|
this_round -= 2;
|
|
|
|
if (++col == maxcol) {
|
|
|
|
org = screen_pos(vc, p, viewed);
|
|
|
|
col = 0;
|
|
|
|
p += maxcol;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (this_round > 0) {
|
|
|
|
unsigned char c;
|
|
|
|
|
|
|
|
c = *con_buf0++;
|
|
|
|
#ifdef __BIG_ENDIAN
|
|
|
|
vcs_scr_writew(vc, (vcs_scr_readw(vc, org) & 0xff) | (c << 8), org);
|
|
|
|
#else
|
|
|
|
vcs_scr_writew(vc, (vcs_scr_readw(vc, org) & 0xff00) | c, org);
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
}
|
|
|
|
count -= orig_count;
|
|
|
|
written += orig_count;
|
|
|
|
buf += orig_count;
|
|
|
|
pos += orig_count;
|
|
|
|
if (org0)
|
|
|
|
update_region(vc, (unsigned long)(org0), org - org0);
|
|
|
|
}
|
|
|
|
*ppos += written;
|
|
|
|
ret = written;
|
2010-09-30 22:10:44 -06:00
|
|
|
if (written)
|
|
|
|
vcs_scr_updated(vc);
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
unlock_out:
|
2011-01-25 16:07:35 -07:00
|
|
|
console_unlock();
|
2011-02-07 11:31:25 -07:00
|
|
|
free_page((unsigned long) con_buf);
|
2005-04-16 16:20:36 -06:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2010-10-05 12:22:37 -06:00
|
|
|
static unsigned int
|
|
|
|
vcs_poll(struct file *file, poll_table *wait)
|
|
|
|
{
|
|
|
|
struct vcs_poll_data *poll = vcs_poll_data_get(file);
|
2010-11-09 23:33:12 -07:00
|
|
|
int ret = DEFAULT_POLLMASK|POLLERR|POLLPRI;
|
2010-10-05 12:22:37 -06:00
|
|
|
|
|
|
|
if (poll) {
|
|
|
|
poll_wait(file, &poll->waitq, wait);
|
2010-11-09 23:33:12 -07:00
|
|
|
if (poll->seen_last_update)
|
|
|
|
ret = DEFAULT_POLLMASK;
|
2010-10-05 12:22:37 -06:00
|
|
|
}
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
vcs_fasync(int fd, struct file *file, int on)
|
|
|
|
{
|
|
|
|
struct vcs_poll_data *poll = file->private_data;
|
|
|
|
|
|
|
|
if (!poll) {
|
|
|
|
/* don't allocate anything if all we want is disable fasync */
|
|
|
|
if (!on)
|
|
|
|
return 0;
|
|
|
|
poll = vcs_poll_data_get(file);
|
|
|
|
if (!poll)
|
|
|
|
return -ENOMEM;
|
|
|
|
}
|
|
|
|
|
|
|
|
return fasync_helper(fd, file, on, &poll->fasync);
|
|
|
|
}
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
static int
|
|
|
|
vcs_open(struct inode *inode, struct file *filp)
|
|
|
|
{
|
|
|
|
unsigned int currcons = iminor(inode) & 127;
|
2008-05-16 13:47:50 -06:00
|
|
|
int ret = 0;
|
|
|
|
|
2010-06-01 14:53:01 -06:00
|
|
|
tty_lock();
|
2005-04-16 16:20:36 -06:00
|
|
|
if(currcons && !vc_cons_allocated(currcons-1))
|
2008-05-16 13:47:50 -06:00
|
|
|
ret = -ENXIO;
|
2010-06-01 14:53:01 -06:00
|
|
|
tty_unlock();
|
2008-05-16 13:47:50 -06:00
|
|
|
return ret;
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
2010-10-05 12:22:37 -06:00
|
|
|
static int vcs_release(struct inode *inode, struct file *file)
|
|
|
|
{
|
|
|
|
struct vcs_poll_data *poll = file->private_data;
|
|
|
|
|
|
|
|
if (poll)
|
|
|
|
vcs_poll_data_free(poll);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2006-07-03 01:24:21 -06:00
|
|
|
static const struct file_operations vcs_fops = {
|
2005-04-16 16:20:36 -06:00
|
|
|
.llseek = vcs_lseek,
|
|
|
|
.read = vcs_read,
|
|
|
|
.write = vcs_write,
|
2010-10-05 12:22:37 -06:00
|
|
|
.poll = vcs_poll,
|
|
|
|
.fasync = vcs_fasync,
|
2005-04-16 16:20:36 -06:00
|
|
|
.open = vcs_open,
|
2010-10-05 12:22:37 -06:00
|
|
|
.release = vcs_release,
|
2005-04-16 16:20:36 -06:00
|
|
|
};
|
|
|
|
|
2005-03-23 10:53:09 -07:00
|
|
|
static struct class *vc_class;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2009-03-09 07:18:52 -06:00
|
|
|
void vcs_make_sysfs(int index)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2009-03-09 07:18:52 -06:00
|
|
|
device_create(vc_class, NULL, MKDEV(VCS_MAJOR, index + 1), NULL,
|
|
|
|
"vcs%u", index + 1);
|
|
|
|
device_create(vc_class, NULL, MKDEV(VCS_MAJOR, index + 129), NULL,
|
|
|
|
"vcsa%u", index + 1);
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
2006-09-29 02:59:47 -06:00
|
|
|
|
2009-03-09 07:18:52 -06:00
|
|
|
void vcs_remove_sysfs(int index)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2009-03-09 07:18:52 -06:00
|
|
|
device_destroy(vc_class, MKDEV(VCS_MAJOR, index + 1));
|
|
|
|
device_destroy(vc_class, MKDEV(VCS_MAJOR, index + 129));
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
int __init vcs_init(void)
|
|
|
|
{
|
2009-07-20 09:04:55 -06:00
|
|
|
unsigned int i;
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
if (register_chrdev(VCS_MAJOR, "vcs", &vcs_fops))
|
|
|
|
panic("unable to get major %d for vcs device", VCS_MAJOR);
|
2005-03-23 10:53:09 -07:00
|
|
|
vc_class = class_create(THIS_MODULE, "vc");
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2008-07-21 21:03:34 -06:00
|
|
|
device_create(vc_class, NULL, MKDEV(VCS_MAJOR, 0), NULL, "vcs");
|
|
|
|
device_create(vc_class, NULL, MKDEV(VCS_MAJOR, 128), NULL, "vcsa");
|
2009-07-20 09:04:55 -06:00
|
|
|
for (i = 0; i < MIN_NR_CONSOLES; i++)
|
|
|
|
vcs_make_sysfs(i);
|
2005-04-16 16:20:36 -06:00
|
|
|
return 0;
|
|
|
|
}
|