We first tried to avoid updating atime/mtime entirely (commit
b0de59b5: "TTY: do not update atime/mtime on read/write"), and then
limited it to only update it occasionally (commit 37b7f3c7: "TTY:
fix atime/mtime regression"), but it turns out that this was both
insufficient and overkill.

It was insufficient because we let people attach to the shared ptmx node
to see activity without even reading atime/mtime, and it was overkill
because the "only once a minute" means that you can't really tell an
idle person from an active one with 'w'.

So this tries to fix the problem properly.  It marks the shared ptmx
node as un-notifiable, and it lowers the "only once a minute" to a few
seconds instead - still long enough that you can't time individual
keystrokes, but short enough that you can tell whether somebody is
active or not.
Reported-by: NSimon Kirby <sim@hostway.ca>
Acked-by: NJiri Slaby <jslaby@suse.cz>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: stable@vger.kernel.org
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

In commit b0de59b5 ("TTY: do not update atime/mtime on read/write")
we removed timestamps from tty inodes to fix a security issue and waited
if something breaks.  Well, 'w', the utility to find out logged users
and their inactivity time broke.  It shows that users are inactive since
the time they logged in.

To revert to the old behaviour while still preventing attackers to
guess the password length, we update the timestamps in one-minute
intervals by this patch.
Signed-off-by: NJiri Slaby <jslaby@suse.cz>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Reported-by: NFengguang Wu <fengguang.wu@intel.com>
Acked-by: NPeter Hurley <peter@hurleysoftware.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

test_bit() is already atomic; drop mutex lock/unlock.
Signed-off-by: NPeter Hurley <peter@hurleysoftware.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Expected typical log output:
[    2.437211] tty_open: opening pts1...
[    2.443376] tty_open: opening pts5...
[    2.447830] tty_release: ptm0 (tty count=1)...
[    2.447849] pts0 vhangup...
[    2.447865] tty_release: ptm0: final close
[    2.447876] tty_release: ptm0: freeing structure...
[    2.451634] tty_release: tty1 (tty count=1)...
[    2.451638] tty_release: tty1: final close
[    2.451654] tty_release: tty1: freeing structure...
[    2.452505] tty_release: pts5 (tty count=2)...
[    2.453029] tty_open: opening pts0...
Signed-off-by: NPeter Hurley <peter@hurleysoftware.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

The tty core relies on the ldisc layer for synchronizing destruction
of the tty. Instead, the final tty release must wait for any pending tty
work to complete prior to tty destruction.
Signed-off-by: NPeter Hurley <peter@hurleysoftware.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Waiting for buffer work to complete is not required for safely
performing changes to the line discipline, once the line discipline
is halted. The buffer work routine, flush_to_ldisc(), will be
unable to acquire an ldisc ref and all existing references were
waited until released (so it can't already have one).

Ensure running buffer work which may reference the soon-to-be-gone
tty completes and any buffer work running after this point retrieves
a NULL tty.

Also, ensure all buffer work is cancelled on port destruction.
Signed-off-by: NPeter Hurley <peter@hurleysoftware.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

tty_ldisc_hangup() guarantees the ldisc is enabled (or that there
is no ldisc). Since __tty_hangup() was the only user, re-define
tty_ldisc_enable() in file-scope.
Signed-off-by: NPeter Hurley <peter@hurleysoftware.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

An exiting session leader can hang if a foreground process is
blocking for line discipline i/o, eg. in n_tty_read(). This happens
because the blocking reader is holding an ldisc reference (indicating
the line discipline is in-use) which prevents __tty_hangup() from
recycling the line discipline. Although waiters are woken before
attempting to gain exclusive access for changing the ldisc, the
blocking reader in this case will not exit the i/o loop since it
has not yet received SIGHUP (because it has not been sent).

Instead, perform signalling first, then recycle the line discipline.

Fixes:

INFO: task init:1 blocked for more than 120 seconds.
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
init            D 00000000001d7180  2688     1      0 0x00000002
 ffff8800b9acfba8 0000000000000002 00000000001d7180 ffff8800b9b10048
 ffff8800b94cb000 ffff8800b9b10000 00000000001d7180 00000000001d7180
 ffff8800b9b10000 ffff8800b9acffd8 00000000001d7180 00000000001d7180
Call Trace:
 [<ffffffff83db9909>] __schedule+0x2e9/0x3b0
 [<ffffffff83db9b35>] schedule+0x55/0x60
 [<ffffffff83db74ba>] schedule_timeout+0x3a/0x370
 [<ffffffff81182349>] ? mark_held_locks+0xf9/0x130
 [<ffffffff83dbab38>] ? down_failed+0x108/0x200
 [<ffffffff83dbb7ab>] ? _raw_spin_unlock_irq+0x2b/0x80
 [<ffffffff81182608>] ? trace_hardirqs_on_caller+0x128/0x160
 [<ffffffff83dbab61>] down_failed+0x131/0x200
 [<ffffffff83dbbfad>] ? tty_ldisc_lock_pair_timeout+0xcd/0x120
 [<ffffffff83dbae03>] ldsem_down_write+0xd3/0x113
 [<ffffffff83dbbfad>] ? tty_ldisc_lock_pair_timeout+0xcd/0x120
 [<ffffffff8118264d>] ? trace_hardirqs_on+0xd/0x10
 [<ffffffff83dbbfad>] tty_ldisc_lock_pair_timeout+0xcd/0x120
 [<ffffffff81c3df60>] tty_ldisc_hangup+0xd0/0x220
 [<ffffffff81c35bd7>] __tty_hangup+0x137/0x4f0
 [<ffffffff81c37c7c>] disassociate_ctty+0x6c/0x230
 [<ffffffff8111290c>] do_exit+0x41c/0x590
 [<ffffffff8107ad34>] ? syscall_trace_enter+0x24/0x2e0
 [<ffffffff81112b4a>] do_group_exit+0x8a/0xc0
 [<ffffffff81112b92>] sys_exit_group+0x12/0x20
 [<ffffffff83dc49d8>] tracesys+0xe1/0xe6
1 lock held by init/1:
 #0: (&tty->ldisc_sem){++++++}, at: [<ffffffff83dbbfad>] tty_ldisc_lock_pair_timeout+0xcd/0x120
Reported-by: NSasha Levin <levinsasha928@gmail.com>
Signed-off-by: NPeter Hurley <peter@hurleysoftware.com>
Acked-by: NJiri Slaby <jslaby@suse.cz>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

When the session leader is exiting, signal the foreground group
processes as part of the hangup sequence, instead of after the
hangup is complete. This prepares for hanging up the
line discipline _after_ signalling processes which
may be blocking on ldisc i/o.

Parameterize __tty_hangup() to distinguish between when the
session leader is exiting and all other hangups; signal the
foreground group after signalling the session leader and its
process group, which preserves the original signal order.
Signed-off-by: NPeter Hurley <peter@hurleysoftware.com>
Acked-by: NJiri Slaby <jslaby@suse.cz>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

The interrupt state does not need to be saved, disabled and
restored here; interrupts are already off because this lock
is bracketed by spin_lock_irq/spin_unlock_irq.
Signed-off-by: NPeter Hurley <peter@hurleysoftware.com>
Acked-by: NJiri Slaby <jslaby@suse.cz>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

__tty_hangup() and tty_vhangup() cannot be called from atomic context,
so locks do not need to preserve the interrupt state (although,
still disable interrupts).
Signed-off-by: NPeter Hurley <peter@hurleysoftware.com>
Acked-by: NJiri Slaby <jslaby@suse.cz>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Reduce complexity of __tty_hangup(); separate SIGHUP signalling
into tty_signal_session_leader().
Signed-off-by: NPeter Hurley <peter@hurleysoftware.com>
Acked-by: NJiri Slaby <jslaby@suse.cz>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find
out length of a password using timestamps of /dev/ptmx. It is
documented in "Timing Analysis of Keystrokes and Timing Attacks on
SSH". To avoid that problem, do not update time when reading
from/writing to a TTY.

I am afraid of regressions as this is a behavior we have since 0.97
and apps may expect the time to be current, e.g. for monitoring
whether there was a change on the TTY. Now, there is no change. So
this would better have a lot of testing before it goes upstream.

References: CVE-2013-0160
Signed-off-by: NJiri Slaby <jslaby@suse.cz>
Cc: stable <stable@vger.kernel.org> # after 3.9 is out
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Convert the synchronous size sense code to an interrupt driven
approach. This allows to set the device online even if the
terminal is not connected. With the new code views can be
registered without a connected terminal, the tty can be opened
as soon as the device is online. After the terminal has been
connected and the size has been determined the tty is resized
to match the device characteristics..
Signed-off-by: NMartin Schwidefsky <schwidefsky@de.ibm.com>

Michał's previous patch missed this tty check to fix up the
class_find_device() arguments.
Reported-by: Nkbuild test robot <fengguang.wu@intel.com>
Cc: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Signed-off-by: NKevin Cernekee <cernekee@gmail.com>
Acked-by: NAlan Cox <alan@linux.intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Nothing outside of drivers/tty/tty_io.c references these functions, so
mark them static.
Signed-off-by: NJosh Triplett <josh@joshtriplett.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

For checkpoint/restore we need to know if tty has
exclusive or packet mode set, as well as if pty
is currently locked. Just to be able to restore
this characteristics.

For this sake the following ioctl codes are introduced

 - TIOCGPKT to get packet mode state
 - TIOCGPTLCK to get Pty locked state
 - TIOCGEXCL to get Exclusive mode state

Note this ioctls are a bit unsafe in terms of data
obtained consistency. The tty characteristics might
be changed right after ioctl complete. Keep it in
mind and use this ioctl carefully.

v2:
 - Use TIOC prefix for ioctl codes (by jslaby@)
Signed-off-by: NCyrill Gorcunov <gorcunov@openvz.org>
CC: Alan Cox <alan@lxorguk.ukuu.org.uk>
CC: "H. Peter Anvin" <hpa@zytor.com>
CC: Pavel Emelyanov <xemul@parallels.com>
CC: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

So this is it. The big step why we did all the work over the past
kernel releases. Now everything is prepared, so nothing protects us
from doing that big step.

           |  |            \  \ nnnn/^l      |  |
           |  |             \  /     /       |  |
           |  '-,.__   =>    \/   ,-`    =>  |  '-,.__
           | O __.´´)        (  .`           | O __.´´)
            ~~~   ~~          ``              ~~~   ~~
The buffers are now in the tty_port structure and we can start
teaching the buffer helpers (insert char/string, flip etc.) to use
tty_port instead of tty_struct all around.
Signed-off-by: NJiri Slaby <jslaby@suse.cz>
Acked-by: NAlan Cox <alan@linux.intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

For that purpose we have to temporarily introduce a second tty back
pointer into tty_port. It is because serial layer, and maybe others,
still do not use tty_port_tty_set/get. So that we cannot set the
tty_port->tty to NULL at will now.

Yes, the fix would be to convert whole serial layer and all its users
to tty_port_tty_set/get. However we are in the process of removing the
need of tty in most of the call sites, so this would lead to a
duplicated work.

Instead we have now tty_port->itty (internal tty) which will be used
only in flush_to_ldisc. For that one it is ensured that itty is valid
wherever the work is run. IOW, the work is synchronously cancelled
before we set itty to NULL and also before hangup is processed.

After we need only tty_port and not tty_struct in most code, this
shall be changed to tty_port_tty_set/get and itty removed completely.
Signed-off-by: NJiri Slaby <jslaby@suse.cz>
Acked-by: NAlan Cox <alan@linux.intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

atomic_write_lock is not n_tty specific, so move it up in the
tty_struct.

And since these are the last ones to move, remove also the comment
saying there are some ldisc' members. There are none now.
Signed-off-by: NJiri Slaby <jslaby@suse.cz>
Acked-by: NAlan Cox <alan@linux.intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Here we start moving all the n_tty related bits from tty_struct to
the newly defined n_tty_data struct in n_tty proper.

In this patch primitive members and bits are moved. The rest will be
done per-partes in the next patches.
Signed-off-by: NJiri Slaby <jslaby@suse.cz>
Acked-by: NAlan Cox <alan@linux.intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Now that we have control over tty->driver_data in pty, we can just
kill the /dev/pts/ in pty code too. Namely, in ->shutdown hook of
tty. For pty, this is called only once, for whichever end is closed
last. But we don't care, both driver_data are the inode as it used to
be till now.
Signed-off-by: NJiri Slaby <jslaby@suse.cz>
Acked-by: NAlan Cox <alan@linux.intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

simplifies a bunch of callers...
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

iterates through the opened files in given descriptor table,
calling a supplied function; we stop once non-zero is returned.
Callback gets struct file *, descriptor number and const void *
argument passed to iterator.  It is called with files->file_lock
held, so it is not allowed to block.

tty_io, netprio_cgroup and selinux flush_unauthorized_files()
converted to its use.
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

Added tty_device_create_release() and bound to dev->release in
tty_register_device_attr().
Added tty_port_register_device_attr() and used in uart_add_one_port()
instead of tty_register_device_attr().
Signed-off-by: NTomas Hlavacek <tmshlvck@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Added file /sys/devices/.../tty/ttySX/uartclk to allow reading
uartclk value in struct uart_port in serial_core via sysfs.

tty_register_device() has been generalized and refactored in order
to add support for setting drvdata and attribute_group to the device.
Signed-off-by: NTomas Hlavacek <tmshlvck@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

At commit 07d106d0, Linus pointed out that ENOIOCTLCMD should be
translated as ENOTTY to user mode.
For example:
	fd = open("/dev/tty", O_RDWR);
	ioctl(fd, -1, &argp);

then the errno should be ENOTTY but not EINVAL.
Signed-off-by: NWanlong Gao <gaowanlong@cn.fujitsu.com>
Acked-by: NAlan Cox <alan@linux.intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

And if not, complain loudly. None in-kernel module should trigger
that, but let us find out for sure. On the other hand, all the
out-of-tree modules will hit that. Give them some time (maybe one
release) to catch up.
Signed-off-by: NJiri Slaby <jslaby@suse.cz>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

We need the /dev/ node not to be available before we call
tty_register_device. Otherwise we might race with open and
tty_struct->port might not be available at that time.

This is not an issue now, but would be a problem after "TTY: use
tty_port_register_device" is applied.
Signed-off-by: NJiri Slaby <jslaby@suse.cz>
Acked-by: NAlan Cox <alan@linux.intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

This allows drivers like ttyprintk to avoid hacks to create an
unnumbered node in /dev. It used to set TTY_DRIVER_DYNAMIC_DEV in
flags and call device_create on its own. That is incorrect, because
TTY_DRIVER_DYNAMIC_DEV may be set only if tty_register_device is
called explicitly.
Signed-off-by: NJiri Slaby <jslaby@suse.cz>
Acked-by: NAlan Cox <alan@linux.intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

So now, that we have flags and know everything needed, keep a promise
and move all the tables and ports allocation from tty_register_driver
to tty_alloc_driver.

Not only that it makes sense, but we need this for
tty_port_link_device which needs tty_driver->ports but is to be called
before tty_register_driver.
Signed-off-by: NJiri Slaby <jslaby@suse.cz>
Acked-by: NAlan Cox <alan@linux.intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

We need to allow drivers that use neither tty_port_install nor
tty_port_register_device to link a tty_port to a tty somehow.  To
avoid a race with open, this has to be performed before
tty_register_device. But currently tty_driver->ports is allocated even
in tty_register_device because we do not know whether this is the PTY
driver. The PTY driver is special here due to an excessive count of
lines it declares to handle. We cannot handle tty_ports there this
way.

To circumvent this, we start passing tty_driver flags to
alloc_tty_driver already and we create tty_alloc_driver for this
purpose. There we can allocate tty_driver->ports and do all the magic
between tty_alloc_driver and tty_register_device. Later we will
introduce tty_port_link_device function for that purpose.

All drivers should eventually switch to this new tty driver allocation
interface.
Signed-off-by: NJiri Slaby <jslaby@suse.cz>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

The termios and other changes mean the other protections needed on the driver
tty arrays should be adequate. Turn it all back on.

This contains pieces folded in from the fixes made to the original patches

| From: Geert Uytterhoeven <geert@linux-m68k.org>	(fix m68k)
| From: Paul Gortmaker <paul.gortmaker@windriver.com>	(fix cris)
| From: Jiri Kosina <jkosina@suze.cz>			(lockdep)
| From: Eric Dumazet <eric.dumazet@gmail.com>		(lockdep)
Signed-off-by: NAlan Cox <alan@linux.intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

We sometimes pass NULL pointers to free_tty_struct().  One example where
it can happen is in the error handling code in pty_common_install().
Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

We're trying to save the termios state and we need to allocate a buffer
to do it.  Smatch complains that the buffer is leaked at the end of the
function.
Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: NAlan Cox <alan@linux.intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Ian Abbott found that the tty layer would explode with the right set of
parallel open and close operations. This is because we race in the
handling of tty->drivers->termios[].

Correct this by
	Making tty_ldisc_release behave like nromal code (takes the lock,
			does stuff, drops the lock)
	Drop the tty lock earlier in tty_ldisc_release
	Taking the tty mutex around the driver->termios update in all cases
	Adding a WARN_ON to catch future screwups.

I also forgot to clean up the pty resources properly. With a pty pair we
need to pull both halves out of the tables.
Signed-off-by: NAlan Cox <alan@linux.intel.com>
Tested-by: NIan Abbott <abbotti@mev.co.uk>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Now that we don't have tty->termios tied to drivers->tty we can untangle
the logic here. In addition we can push the removal logic out of the
destructor path.

At that point we can think about sorting out tty_port and console and all
the other ugly hangovers.
Signed-off-by: NAlan Cox <alan@linux.intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>