linux-sg2042/drivers/net/wan/x25_asy.c

825 lines
18 KiB
C
Raw Normal View History

/*
* Things to sort out:
*
* o tbusy handling
* o allow users to set the parameters
* o sync/async switching ?
*
* Note: This does _not_ implement CCITT X.25 asynchronous framing
* recommendations. Its primarily for testing purposes. If you wanted
* to do CCITT then in theory all you need is to nick the HDLC async
* checksum routines from ppp.c
* Changes:
*
* 2000-10-29 Henner Eisen lapb_data_indication() return status.
*/
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/uaccess.h>
#include <linux/bitops.h>
#include <linux/string.h>
#include <linux/mm.h>
#include <linux/interrupt.h>
#include <linux/in.h>
#include <linux/tty.h>
#include <linux/errno.h>
#include <linux/netdevice.h>
#include <linux/etherdevice.h>
#include <linux/skbuff.h>
#include <linux/if_arp.h>
#include <linux/lapb.h>
#include <linux/init.h>
#include <linux/rtnetlink.h>
#include <linux/compat.h>
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h percpu.h is included by sched.h and module.h and thus ends up being included when building most .c files. percpu.h includes slab.h which in turn includes gfp.h making everything defined by the two files universally available and complicating inclusion dependencies. percpu.h -> slab.h dependency is about to be removed. Prepare for this change by updating users of gfp and slab facilities include those headers directly instead of assuming availability. As this conversion needs to touch large number of source files, the following script is used as the basis of conversion. http://userweb.kernel.org/~tj/misc/slabh-sweep.py The script does the followings. * Scan files for gfp and slab usages and update includes such that only the necessary includes are there. ie. if only gfp is used, gfp.h, if slab is used, slab.h. * When the script inserts a new include, it looks at the include blocks and try to put the new include such that its order conforms to its surrounding. It's put in the include block which contains core kernel includes, in the same order that the rest are ordered - alphabetical, Christmas tree, rev-Xmas-tree or at the end if there doesn't seem to be any matching order. * If the script can't find a place to put a new include (mostly because the file doesn't have fitting include block), it prints out an error message indicating which .h file needs to be added to the file. The conversion was done in the following steps. 1. The initial automatic conversion of all .c files updated slightly over 4000 files, deleting around 700 includes and adding ~480 gfp.h and ~3000 slab.h inclusions. The script emitted errors for ~400 files. 2. Each error was manually checked. Some didn't need the inclusion, some needed manual addition while adding it to implementation .h or embedding .c file was more appropriate for others. This step added inclusions to around 150 files. 3. The script was run again and the output was compared to the edits from #2 to make sure no file was left behind. 4. Several build tests were done and a couple of problems were fixed. e.g. lib/decompress_*.c used malloc/free() wrappers around slab APIs requiring slab.h to be added manually. 5. The script was run on all .h files but without automatically editing them as sprinkling gfp.h and slab.h inclusions around .h files could easily lead to inclusion dependency hell. Most gfp.h inclusion directives were ignored as stuff from gfp.h was usually wildly available and often used in preprocessor macros. Each slab.h inclusion directive was examined and added manually as necessary. 6. percpu.h was updated not to include slab.h. 7. Build test were done on the following configurations and failures were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my distributed build env didn't work with gcov compiles) and a few more options had to be turned off depending on archs to make things build (like ipr on powerpc/64 which failed due to missing writeq). * x86 and x86_64 UP and SMP allmodconfig and a custom test config. * powerpc and powerpc64 SMP allmodconfig * sparc and sparc64 SMP allmodconfig * ia64 SMP allmodconfig * s390 SMP allmodconfig * alpha SMP allmodconfig * um on x86_64 SMP allmodconfig 8. percpu.h modifications were reverted so that it could be applied as a separate patch and serve as bisection point. Given the fact that I had only a couple of failures from tests on step 6, I'm fairly confident about the coverage of this conversion patch. If there is a breakage, it's likely to be something in one of the arch headers which should be easily discoverable easily on most builds of the specific arch. Signed-off-by: Tejun Heo <tj@kernel.org> Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org> Cc: Ingo Molnar <mingo@redhat.com> Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 16:04:11 +08:00
#include <linux/slab.h>
#include <net/x25device.h>
#include "x25_asy.h"
static struct net_device **x25_asy_devs;
static int x25_asy_maxdev = SL_NRUNIT;
module_param(x25_asy_maxdev, int, 0);
MODULE_LICENSE("GPL");
static int x25_asy_esc(unsigned char *p, unsigned char *d, int len);
static void x25_asy_unesc(struct x25_asy *sl, unsigned char c);
static void x25_asy_setup(struct net_device *dev);
/* Find a free X.25 channel, and link in this `tty' line. */
static struct x25_asy *x25_asy_alloc(void)
{
struct net_device *dev = NULL;
struct x25_asy *sl;
int i;
if (x25_asy_devs == NULL)
return NULL; /* Master array missing ! */
for (i = 0; i < x25_asy_maxdev; i++) {
dev = x25_asy_devs[i];
/* Not allocated ? */
if (dev == NULL)
break;
sl = netdev_priv(dev);
/* Not in use ? */
if (!test_and_set_bit(SLF_INUSE, &sl->flags))
return sl;
}
/* Sorry, too many, all slots in use */
if (i >= x25_asy_maxdev)
return NULL;
/* If no channels are available, allocate one */
if (!dev) {
char name[IFNAMSIZ];
sprintf(name, "x25asy%d", i);
dev = alloc_netdev(sizeof(struct x25_asy), name,
NET_NAME_UNKNOWN, x25_asy_setup);
if (!dev)
return NULL;
/* Initialize channel control data */
sl = netdev_priv(dev);
dev->base_addr = i;
/* register device so that it can be ifconfig'ed */
if (register_netdev(dev) == 0) {
/* (Re-)Set the INUSE bit. Very Important! */
set_bit(SLF_INUSE, &sl->flags);
x25_asy_devs[i] = dev;
return sl;
} else {
pr_warn("%s(): register_netdev() failure\n", __func__);
free_netdev(dev);
}
}
return NULL;
}
/* Free an X.25 channel. */
static void x25_asy_free(struct x25_asy *sl)
{
/* Free all X.25 frame buffers. */
kfree(sl->rbuff);
sl->rbuff = NULL;
kfree(sl->xbuff);
sl->xbuff = NULL;
if (!test_and_clear_bit(SLF_INUSE, &sl->flags))
netdev_err(sl->dev, "x25_asy_free for already free unit\n");
}
static int x25_asy_change_mtu(struct net_device *dev, int newmtu)
{
struct x25_asy *sl = netdev_priv(dev);
unsigned char *xbuff, *rbuff;
int len;
len = 2 * newmtu;
[PATCH] getting rid of all casts of k[cmz]alloc() calls Run this: #!/bin/sh for f in $(grep -Erl "\([^\)]*\) *k[cmz]alloc" *) ; do echo "De-casting $f..." perl -pi -e "s/ ?= ?\([^\)]*\) *(k[cmz]alloc) *\(/ = \1\(/" $f done And then go through and reinstate those cases where code is casting pointers to non-pointers. And then drop a few hunks which conflicted with outstanding work. Cc: Russell King <rmk@arm.linux.org.uk>, Ian Molton <spyro@f2s.com> Cc: Mikael Starvik <starvik@axis.com> Cc: Yoshinori Sato <ysato@users.sourceforge.jp> Cc: Roman Zippel <zippel@linux-m68k.org> Cc: Geert Uytterhoeven <geert@linux-m68k.org> Cc: Ralf Baechle <ralf@linux-mips.org> Cc: Paul Mackerras <paulus@samba.org> Cc: Kyle McMartin <kyle@mcmartin.ca> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: Jeff Dike <jdike@addtoit.com> Cc: Greg KH <greg@kroah.com> Cc: Jens Axboe <jens.axboe@oracle.com> Cc: Paul Fulghum <paulkf@microgate.com> Cc: Alan Cox <alan@lxorguk.ukuu.org.uk> Cc: Karsten Keil <kkeil@suse.de> Cc: Mauro Carvalho Chehab <mchehab@infradead.org> Cc: Jeff Garzik <jeff@garzik.org> Cc: James Bottomley <James.Bottomley@steeleye.com> Cc: Ian Kent <raven@themaw.net> Cc: Steven French <sfrench@us.ibm.com> Cc: David Woodhouse <dwmw2@infradead.org> Cc: Neil Brown <neilb@cse.unsw.edu.au> Cc: Jaroslav Kysela <perex@suse.cz> Cc: Takashi Iwai <tiwai@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-12-13 16:35:56 +08:00
xbuff = kmalloc(len + 4, GFP_ATOMIC);
rbuff = kmalloc(len + 4, GFP_ATOMIC);
if (xbuff == NULL || rbuff == NULL) {
kfree(xbuff);
kfree(rbuff);
return -ENOMEM;
}
spin_lock_bh(&sl->lock);
xbuff = xchg(&sl->xbuff, xbuff);
if (sl->xleft) {
if (sl->xleft <= len) {
memcpy(sl->xbuff, sl->xhead, sl->xleft);
} else {
sl->xleft = 0;
dev->stats.tx_dropped++;
}
}
sl->xhead = sl->xbuff;
rbuff = xchg(&sl->rbuff, rbuff);
if (sl->rcount) {
if (sl->rcount <= len) {
memcpy(sl->rbuff, rbuff, sl->rcount);
} else {
sl->rcount = 0;
dev->stats.rx_over_errors++;
set_bit(SLF_ERROR, &sl->flags);
}
}
dev->mtu = newmtu;
sl->buffsize = len;
spin_unlock_bh(&sl->lock);
kfree(xbuff);
kfree(rbuff);
return 0;
}
/* Set the "sending" flag. This must be atomic, hence the ASM. */
static inline void x25_asy_lock(struct x25_asy *sl)
{
netif_stop_queue(sl->dev);
}
/* Clear the "sending" flag. This must be atomic, hence the ASM. */
static inline void x25_asy_unlock(struct x25_asy *sl)
{
netif_wake_queue(sl->dev);
}
/* Send one completely decapsulated IP datagram to the IP layer. */
static void x25_asy_bump(struct x25_asy *sl)
{
struct net_device *dev = sl->dev;
struct sk_buff *skb;
int count;
int err;
count = sl->rcount;
dev->stats.rx_bytes += count;
skb = dev_alloc_skb(count+1);
if (skb == NULL) {
netdev_warn(sl->dev, "memory squeeze, dropping packet\n");
dev->stats.rx_dropped++;
return;
}
skb_push(skb, 1); /* LAPB internal control */
memcpy(skb_put(skb, count), sl->rbuff, count);
skb->protocol = x25_type_trans(skb, sl->dev);
err = lapb_data_received(skb->dev, skb);
if (err != LAPB_OK) {
kfree_skb(skb);
printk(KERN_DEBUG "x25_asy: data received err - %d\n", err);
} else {
netif_rx(skb);
dev->stats.rx_packets++;
}
}
/* Encapsulate one IP datagram and stuff into a TTY queue. */
static void x25_asy_encaps(struct x25_asy *sl, unsigned char *icp, int len)
{
unsigned char *p;
int actual, count, mtu = sl->dev->mtu;
if (len > mtu) {
/* Sigh, shouldn't occur BUT ... */
len = mtu;
printk(KERN_DEBUG "%s: truncating oversized transmit packet!\n",
sl->dev->name);
sl->dev->stats.tx_dropped++;
x25_asy_unlock(sl);
return;
}
p = icp;
count = x25_asy_esc(p, sl->xbuff, len);
/* Order of next two lines is *very* important.
* When we are sending a little amount of data,
* the transfer may be completed inside driver.write()
* routine, because it's running with interrupts enabled.
* In this case we *never* got WRITE_WAKEUP event,
* if we did not request it before write operation.
* 14 Oct 1994 Dmitry Gorodchanin.
*/
set_bit(TTY_DO_WRITE_WAKEUP, &sl->tty->flags);
actual = sl->tty->ops->write(sl->tty, sl->xbuff, count);
sl->xleft = count - actual;
sl->xhead = sl->xbuff + actual;
/* VSV */
clear_bit(SLF_OUTWAIT, &sl->flags); /* reset outfill flag */
}
/*
* Called by the driver when there's room for more data. If we have
* more packets to send, we send them here.
*/
static void x25_asy_write_wakeup(struct tty_struct *tty)
{
int actual;
struct x25_asy *sl = tty->disc_data;
/* First make sure we're connected. */
if (!sl || sl->magic != X25_ASY_MAGIC || !netif_running(sl->dev))
return;
if (sl->xleft <= 0) {
/* Now serial buffer is almost free & we can start
* transmission of another packet */
sl->dev->stats.tx_packets++;
clear_bit(TTY_DO_WRITE_WAKEUP, &tty->flags);
x25_asy_unlock(sl);
return;
}
actual = tty->ops->write(tty, sl->xhead, sl->xleft);
sl->xleft -= actual;
sl->xhead += actual;
}
static void x25_asy_timeout(struct net_device *dev)
{
struct x25_asy *sl = netdev_priv(dev);
spin_lock(&sl->lock);
if (netif_queue_stopped(dev)) {
/* May be we must check transmitter timeout here ?
* 14 Oct 1994 Dmitry Gorodchanin.
*/
netdev_warn(dev, "transmit timed out, %s?\n",
(tty_chars_in_buffer(sl->tty) || sl->xleft) ?
"bad line quality" : "driver error");
sl->xleft = 0;
clear_bit(TTY_DO_WRITE_WAKEUP, &sl->tty->flags);
x25_asy_unlock(sl);
}
spin_unlock(&sl->lock);
}
/* Encapsulate an IP datagram and kick it into a TTY queue. */
static netdev_tx_t x25_asy_xmit(struct sk_buff *skb,
struct net_device *dev)
{
struct x25_asy *sl = netdev_priv(dev);
int err;
if (!netif_running(sl->dev)) {
netdev_err(dev, "xmit call when iface is down\n");
kfree_skb(skb);
return NETDEV_TX_OK;
}
switch (skb->data[0]) {
case X25_IFACE_DATA:
break;
case X25_IFACE_CONNECT: /* Connection request .. do nothing */
err = lapb_connect_request(dev);
if (err != LAPB_OK)
netdev_err(dev, "lapb_connect_request error: %d\n",
err);
kfree_skb(skb);
return NETDEV_TX_OK;
case X25_IFACE_DISCONNECT: /* do nothing - hang up ?? */
err = lapb_disconnect_request(dev);
if (err != LAPB_OK)
netdev_err(dev, "lapb_disconnect_request error: %d\n",
err);
default:
kfree_skb(skb);
return NETDEV_TX_OK;
}
skb_pull(skb, 1); /* Remove control byte */
/*
* If we are busy already- too bad. We ought to be able
* to queue things at this point, to allow for a little
* frame buffer. Oh well...
* -----------------------------------------------------
* I hate queues in X.25 driver. May be it's efficient,
* but for me latency is more important. ;)
* So, no queues !
* 14 Oct 1994 Dmitry Gorodchanin.
*/
err = lapb_data_request(dev, skb);
if (err != LAPB_OK) {
netdev_err(dev, "lapb_data_request error: %d\n", err);
kfree_skb(skb);
return NETDEV_TX_OK;
}
return NETDEV_TX_OK;
}
/*
* LAPB interface boilerplate
*/
/*
* Called when I frame data arrives. We did the work above - throw it
* at the net layer.
*/
static int x25_asy_data_indication(struct net_device *dev, struct sk_buff *skb)
{
return netif_rx(skb);
}
/*
* Data has emerged from the LAPB protocol machine. We don't handle
* busy cases too well. Its tricky to see how to do this nicely -
* perhaps lapb should allow us to bounce this ?
*/
static void x25_asy_data_transmit(struct net_device *dev, struct sk_buff *skb)
{
struct x25_asy *sl = netdev_priv(dev);
spin_lock(&sl->lock);
if (netif_queue_stopped(sl->dev) || sl->tty == NULL) {
spin_unlock(&sl->lock);
netdev_err(dev, "tbusy drop\n");
kfree_skb(skb);
return;
}
/* We were not busy, so we are now... :-) */
if (skb != NULL) {
x25_asy_lock(sl);
dev->stats.tx_bytes += skb->len;
x25_asy_encaps(sl, skb->data, skb->len);
dev_kfree_skb(skb);
}
spin_unlock(&sl->lock);
}
/*
* LAPB connection establish/down information.
*/
static void x25_asy_connected(struct net_device *dev, int reason)
{
struct x25_asy *sl = netdev_priv(dev);
struct sk_buff *skb;
unsigned char *ptr;
skb = dev_alloc_skb(1);
if (skb == NULL) {
netdev_err(dev, "out of memory\n");
return;
}
ptr = skb_put(skb, 1);
*ptr = X25_IFACE_CONNECT;
skb->protocol = x25_type_trans(skb, sl->dev);
netif_rx(skb);
}
static void x25_asy_disconnected(struct net_device *dev, int reason)
{
struct x25_asy *sl = netdev_priv(dev);
struct sk_buff *skb;
unsigned char *ptr;
skb = dev_alloc_skb(1);
if (skb == NULL) {
netdev_err(dev, "out of memory\n");
return;
}
ptr = skb_put(skb, 1);
*ptr = X25_IFACE_DISCONNECT;
skb->protocol = x25_type_trans(skb, sl->dev);
netif_rx(skb);
}
static const struct lapb_register_struct x25_asy_callbacks = {
.connect_confirmation = x25_asy_connected,
.connect_indication = x25_asy_connected,
.disconnect_confirmation = x25_asy_disconnected,
.disconnect_indication = x25_asy_disconnected,
.data_indication = x25_asy_data_indication,
.data_transmit = x25_asy_data_transmit,
};
/* Open the low-level part of the X.25 channel. Easy! */
static int x25_asy_open(struct net_device *dev)
{
struct x25_asy *sl = netdev_priv(dev);
unsigned long len;
int err;
if (sl->tty == NULL)
return -ENODEV;
/*
* Allocate the X.25 frame buffers:
*
* rbuff Receive buffer.
* xbuff Transmit buffer.
*/
len = dev->mtu * 2;
[PATCH] getting rid of all casts of k[cmz]alloc() calls Run this: #!/bin/sh for f in $(grep -Erl "\([^\)]*\) *k[cmz]alloc" *) ; do echo "De-casting $f..." perl -pi -e "s/ ?= ?\([^\)]*\) *(k[cmz]alloc) *\(/ = \1\(/" $f done And then go through and reinstate those cases where code is casting pointers to non-pointers. And then drop a few hunks which conflicted with outstanding work. Cc: Russell King <rmk@arm.linux.org.uk>, Ian Molton <spyro@f2s.com> Cc: Mikael Starvik <starvik@axis.com> Cc: Yoshinori Sato <ysato@users.sourceforge.jp> Cc: Roman Zippel <zippel@linux-m68k.org> Cc: Geert Uytterhoeven <geert@linux-m68k.org> Cc: Ralf Baechle <ralf@linux-mips.org> Cc: Paul Mackerras <paulus@samba.org> Cc: Kyle McMartin <kyle@mcmartin.ca> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: Jeff Dike <jdike@addtoit.com> Cc: Greg KH <greg@kroah.com> Cc: Jens Axboe <jens.axboe@oracle.com> Cc: Paul Fulghum <paulkf@microgate.com> Cc: Alan Cox <alan@lxorguk.ukuu.org.uk> Cc: Karsten Keil <kkeil@suse.de> Cc: Mauro Carvalho Chehab <mchehab@infradead.org> Cc: Jeff Garzik <jeff@garzik.org> Cc: James Bottomley <James.Bottomley@steeleye.com> Cc: Ian Kent <raven@themaw.net> Cc: Steven French <sfrench@us.ibm.com> Cc: David Woodhouse <dwmw2@infradead.org> Cc: Neil Brown <neilb@cse.unsw.edu.au> Cc: Jaroslav Kysela <perex@suse.cz> Cc: Takashi Iwai <tiwai@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-12-13 16:35:56 +08:00
sl->rbuff = kmalloc(len + 4, GFP_KERNEL);
if (sl->rbuff == NULL)
goto norbuff;
[PATCH] getting rid of all casts of k[cmz]alloc() calls Run this: #!/bin/sh for f in $(grep -Erl "\([^\)]*\) *k[cmz]alloc" *) ; do echo "De-casting $f..." perl -pi -e "s/ ?= ?\([^\)]*\) *(k[cmz]alloc) *\(/ = \1\(/" $f done And then go through and reinstate those cases where code is casting pointers to non-pointers. And then drop a few hunks which conflicted with outstanding work. Cc: Russell King <rmk@arm.linux.org.uk>, Ian Molton <spyro@f2s.com> Cc: Mikael Starvik <starvik@axis.com> Cc: Yoshinori Sato <ysato@users.sourceforge.jp> Cc: Roman Zippel <zippel@linux-m68k.org> Cc: Geert Uytterhoeven <geert@linux-m68k.org> Cc: Ralf Baechle <ralf@linux-mips.org> Cc: Paul Mackerras <paulus@samba.org> Cc: Kyle McMartin <kyle@mcmartin.ca> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: Jeff Dike <jdike@addtoit.com> Cc: Greg KH <greg@kroah.com> Cc: Jens Axboe <jens.axboe@oracle.com> Cc: Paul Fulghum <paulkf@microgate.com> Cc: Alan Cox <alan@lxorguk.ukuu.org.uk> Cc: Karsten Keil <kkeil@suse.de> Cc: Mauro Carvalho Chehab <mchehab@infradead.org> Cc: Jeff Garzik <jeff@garzik.org> Cc: James Bottomley <James.Bottomley@steeleye.com> Cc: Ian Kent <raven@themaw.net> Cc: Steven French <sfrench@us.ibm.com> Cc: David Woodhouse <dwmw2@infradead.org> Cc: Neil Brown <neilb@cse.unsw.edu.au> Cc: Jaroslav Kysela <perex@suse.cz> Cc: Takashi Iwai <tiwai@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-12-13 16:35:56 +08:00
sl->xbuff = kmalloc(len + 4, GFP_KERNEL);
if (sl->xbuff == NULL)
goto noxbuff;
sl->buffsize = len;
sl->rcount = 0;
sl->xleft = 0;
sl->flags &= (1 << SLF_INUSE); /* Clear ESCAPE & ERROR flags */
netif_start_queue(dev);
/*
* Now attach LAPB
*/
err = lapb_register(dev, &x25_asy_callbacks);
if (err == LAPB_OK)
return 0;
/* Cleanup */
kfree(sl->xbuff);
noxbuff:
kfree(sl->rbuff);
norbuff:
return -ENOMEM;
}
/* Close the low-level part of the X.25 channel. Easy! */
static int x25_asy_close(struct net_device *dev)
{
struct x25_asy *sl = netdev_priv(dev);
spin_lock(&sl->lock);
if (sl->tty)
clear_bit(TTY_DO_WRITE_WAKEUP, &sl->tty->flags);
netif_stop_queue(dev);
sl->rcount = 0;
sl->xleft = 0;
spin_unlock(&sl->lock);
return 0;
}
/*
* Handle the 'receiver data ready' interrupt.
* This function is called by the 'tty_io' module in the kernel when
* a block of X.25 data has been received, which can now be decapsulated
* and sent on to some IP layer for further processing.
*/
static void x25_asy_receive_buf(struct tty_struct *tty,
const unsigned char *cp, char *fp, int count)
{
struct x25_asy *sl = tty->disc_data;
if (!sl || sl->magic != X25_ASY_MAGIC || !netif_running(sl->dev))
return;
/* Read the characters out of the buffer */
while (count--) {
if (fp && *fp++) {
if (!test_and_set_bit(SLF_ERROR, &sl->flags))
sl->dev->stats.rx_errors++;
cp++;
continue;
}
x25_asy_unesc(sl, *cp++);
}
}
/*
* Open the high-level part of the X.25 channel.
* This function is called by the TTY module when the
* X.25 line discipline is called for. Because we are
* sure the tty line exists, we only have to link it to
* a free X.25 channel...
*/
static int x25_asy_open_tty(struct tty_struct *tty)
{
wan/x25: Fix use-after-free in x25_asy_open_tty() The N_X25 line discipline may access the previous line discipline's closed and already-freed private data on open [1]. The tty->disc_data field _never_ refers to valid data on entry to the line discipline's open() method. Rather, the ldisc is expected to initialize that field for its own use for the lifetime of the instance (ie. from open() to close() only). [1] [ 634.336761] ================================================================== [ 634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0 [ 634.339558] Read of size 4 by task syzkaller_execu/8981 [ 634.340359] ============================================================================= [ 634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected ... [ 634.405018] Call Trace: [ 634.405277] dump_stack (lib/dump_stack.c:52) [ 634.405775] print_trailer (mm/slub.c:655) [ 634.406361] object_err (mm/slub.c:662) [ 634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236) [ 634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279) [ 634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1)) [ 634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447) [ 634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567) [ 634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879) [ 634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607) [ 634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613) [ 634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188) Reported-and-tested-by: Sasha Levin <sasha.levin@oracle.com> Cc: <stable@vger.kernel.org> Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2015-11-28 03:18:39 +08:00
struct x25_asy *sl;
int err;
if (tty->ops->write == NULL)
return -EOPNOTSUPP;
/* OK. Find a free X.25 channel to use. */
sl = x25_asy_alloc();
if (sl == NULL)
return -ENFILE;
sl->tty = tty;
tty->disc_data = sl;
[PATCH] TTY layer buffering revamp The API and code have been through various bits of initial review by serial driver people but they definitely need to live somewhere for a while so the unconverted drivers can get knocked into shape, existing drivers that have been updated can be better tuned and bugs whacked out. This replaces the tty flip buffers with kmalloc objects in rings. In the normal situation for an IRQ driven serial port at typical speeds the behaviour is pretty much the same, two buffers end up allocated and the kernel cycles between them as before. When there are delays or at high speed we now behave far better as the buffer pool can grow a bit rather than lose characters. This also means that we can operate at higher speeds reliably. For drivers that receive characters in blocks (DMA based, USB and especially virtualisation) the layer allows a lot of driver specific code that works around the tty layer with private secondary queues to be removed. The IBM folks need this sort of layer, the smart serial port people do, the virtualisers do (because a virtualised tty typically operates at infinite speed rather than emulating 9600 baud). Finally many drivers had invalid and unsafe attempts to avoid buffer overflows by directly invoking tty methods extracted out of the innards of work queue structs. These are no longer needed and all go away. That fixes various random hangs with serial ports on overflow. The other change in here is to optimise the receive_room path that is used by some callers. It turns out that only one ldisc uses receive room except asa constant and it updates it far far less than the value is read. We thus make it a variable not a function call. I expect the code to contain bugs due to the size alone but I'll be watching and squashing them and feeding out new patches as it goes. Because the buffers now dynamically expand you should only run out of buffering when the kernel runs out of memory for real. That means a lot of the horrible hacks high performance drivers used to do just aren't needed any more. Description: tty_insert_flip_char is an old API and continues to work as before, as does tty_flip_buffer_push() [this is why many drivers dont need modification]. It does now also return the number of chars inserted There are also tty_buffer_request_room(tty, len) which asks for a buffer block of the length requested and returns the space found. This improves efficiency with hardware that knows how much to transfer. and tty_insert_flip_string_flags(tty, str, flags, len) to insert a string of characters and flags For a smart interface the usual code is len = tty_request_buffer_room(tty, amount_hardware_says); tty_insert_flip_string(tty, buffer_from_card, len); More description! At the moment tty buffers are attached directly to the tty. This is causing a lot of the problems related to tty layer locking, also problems at high speed and also with bursty data (such as occurs in virtualised environments) I'm working on ripping out the flip buffers and replacing them with a pool of dynamically allocated buffers. This allows both for old style "byte I/O" devices and also helps virtualisation and smart devices where large blocks of data suddenely materialise and need storing. So far so good. Lots of drivers reference tty->flip.*. Several of them also call directly and unsafely into function pointers it provides. This will all break. Most drivers can use tty_insert_flip_char which can be kept as an API but others need more. At the moment I've added the following interfaces, if people think more will be needed now is a good time to say int tty_buffer_request_room(tty, size) Try and ensure at least size bytes are available, returns actual room (may be zero). At the moment it just uses the flipbuf space but that will change. Repeated calls without characters being added are not cumulative. (ie if you call it with 1, 1, 1, and then 4 you'll have four characters of space. The other functions will also try and grow buffers in future but this will be a more efficient way when you know block sizes. int tty_insert_flip_char(tty, ch, flag) As before insert a character if there is room. Now returns 1 for success, 0 for failure. int tty_insert_flip_string(tty, str, len) Insert a block of non error characters. Returns the number inserted. int tty_prepare_flip_string(tty, strptr, len) Adjust the buffer to allow len characters to be added. Returns a buffer pointer in strptr and the length available. This allows for hardware that needs to use functions like insl or mencpy_fromio. Signed-off-by: Alan Cox <alan@redhat.com> Cc: Paul Fulghum <paulkf@microgate.com> Signed-off-by: Hirokazu Takata <takata@linux-m32r.org> Signed-off-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: Jeff Dike <jdike@addtoit.com> Signed-off-by: John Hawkes <hawkes@sgi.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-01-10 12:54:13 +08:00
tty->receive_room = 65536;
tty_driver_flush_buffer(tty);
tty_ldisc_flush(tty);
/* Restore default settings */
sl->dev->type = ARPHRD_X25;
/* Perform the low-level X.25 async init */
err = x25_asy_open(sl->dev);
if (err) {
x25_asy_free(sl);
return err;
}
/* Done. We have linked the TTY line to a channel. */
return 0;
}
/*
* Close down an X.25 channel.
* This means flushing out any pending queues, and then restoring the
* TTY line discipline to what it was before it got hooked to X.25
* (which usually is TTY again).
*/
static void x25_asy_close_tty(struct tty_struct *tty)
{
struct x25_asy *sl = tty->disc_data;
int err;
/* First make sure we're connected. */
if (!sl || sl->magic != X25_ASY_MAGIC)
return;
rtnl_lock();
if (sl->dev->flags & IFF_UP)
dev_close(sl->dev);
rtnl_unlock();
err = lapb_unregister(sl->dev);
if (err != LAPB_OK)
pr_err("x25_asy_close: lapb_unregister error: %d\n",
err);
tty->disc_data = NULL;
sl->tty = NULL;
x25_asy_free(sl);
}
/************************************************************************
* STANDARD X.25 ENCAPSULATION *
************************************************************************/
static int x25_asy_esc(unsigned char *s, unsigned char *d, int len)
{
unsigned char *ptr = d;
unsigned char c;
/*
* Send an initial END character to flush out any
* data that may have accumulated in the receiver
* due to line noise.
*/
*ptr++ = X25_END; /* Send 10111110 bit seq */
/*
* For each byte in the packet, send the appropriate
* character sequence, according to the X.25 protocol.
*/
while (len-- > 0) {
switch (c = *s++) {
case X25_END:
*ptr++ = X25_ESC;
*ptr++ = X25_ESCAPE(X25_END);
break;
case X25_ESC:
*ptr++ = X25_ESC;
*ptr++ = X25_ESCAPE(X25_ESC);
break;
default:
*ptr++ = c;
break;
}
}
*ptr++ = X25_END;
return ptr - d;
}
static void x25_asy_unesc(struct x25_asy *sl, unsigned char s)
{
switch (s) {
case X25_END:
if (!test_and_clear_bit(SLF_ERROR, &sl->flags) &&
sl->rcount > 2)
x25_asy_bump(sl);
clear_bit(SLF_ESCAPE, &sl->flags);
sl->rcount = 0;
return;
case X25_ESC:
set_bit(SLF_ESCAPE, &sl->flags);
return;
case X25_ESCAPE(X25_ESC):
case X25_ESCAPE(X25_END):
if (test_and_clear_bit(SLF_ESCAPE, &sl->flags))
s = X25_UNESCAPE(s);
break;
}
if (!test_bit(SLF_ERROR, &sl->flags)) {
if (sl->rcount < sl->buffsize) {
sl->rbuff[sl->rcount++] = s;
return;
}
sl->dev->stats.rx_over_errors++;
set_bit(SLF_ERROR, &sl->flags);
}
}
/* Perform I/O control on an active X.25 channel. */
static int x25_asy_ioctl(struct tty_struct *tty, struct file *file,
unsigned int cmd, unsigned long arg)
{
struct x25_asy *sl = tty->disc_data;
/* First make sure we're connected. */
if (!sl || sl->magic != X25_ASY_MAGIC)
return -EINVAL;
switch (cmd) {
case SIOCGIFNAME:
if (copy_to_user((void __user *)arg, sl->dev->name,
strlen(sl->dev->name) + 1))
return -EFAULT;
return 0;
case SIOCSIFHWADDR:
return -EINVAL;
default:
return tty_mode_ioctl(tty, file, cmd, arg);
}
}
#ifdef CONFIG_COMPAT
static long x25_asy_compat_ioctl(struct tty_struct *tty, struct file *file,
unsigned int cmd, unsigned long arg)
{
switch (cmd) {
case SIOCGIFNAME:
case SIOCSIFHWADDR:
return x25_asy_ioctl(tty, file, cmd,
(unsigned long)compat_ptr(arg));
}
return -ENOIOCTLCMD;
}
#endif
static int x25_asy_open_dev(struct net_device *dev)
{
struct x25_asy *sl = netdev_priv(dev);
if (sl->tty == NULL)
return -ENODEV;
return 0;
}
static const struct net_device_ops x25_asy_netdev_ops = {
.ndo_open = x25_asy_open_dev,
.ndo_stop = x25_asy_close,
.ndo_start_xmit = x25_asy_xmit,
.ndo_tx_timeout = x25_asy_timeout,
.ndo_change_mtu = x25_asy_change_mtu,
};
/* Initialise the X.25 driver. Called by the device init code */
static void x25_asy_setup(struct net_device *dev)
{
struct x25_asy *sl = netdev_priv(dev);
sl->magic = X25_ASY_MAGIC;
sl->dev = dev;
spin_lock_init(&sl->lock);
set_bit(SLF_INUSE, &sl->flags);
/*
* Finish setting up the DEVICE info.
*/
dev->mtu = SL_MTU;
dev->min_mtu = 0;
dev->max_mtu = 65534;
dev->netdev_ops = &x25_asy_netdev_ops;
dev->watchdog_timeo = HZ*20;
dev->hard_header_len = 0;
dev->addr_len = 0;
dev->type = ARPHRD_X25;
dev->tx_queue_len = 10;
/* New-style flags. */
dev->flags = IFF_NOARP;
}
static struct tty_ldisc_ops x25_ldisc = {
.owner = THIS_MODULE,
.magic = TTY_LDISC_MAGIC,
.name = "X.25",
.open = x25_asy_open_tty,
.close = x25_asy_close_tty,
.ioctl = x25_asy_ioctl,
#ifdef CONFIG_COMPAT
.compat_ioctl = x25_asy_compat_ioctl,
#endif
.receive_buf = x25_asy_receive_buf,
.write_wakeup = x25_asy_write_wakeup,
};
static int __init init_x25_asy(void)
{
if (x25_asy_maxdev < 4)
x25_asy_maxdev = 4; /* Sanity */
pr_info("X.25 async: version 0.00 ALPHA (dynamic channels, max=%d)\n",
x25_asy_maxdev);
x25_asy_devs = kcalloc(x25_asy_maxdev, sizeof(struct net_device *),
GFP_KERNEL);
if (!x25_asy_devs)
return -ENOMEM;
return tty_register_ldisc(N_X25, &x25_ldisc);
}
static void __exit exit_x25_asy(void)
{
struct net_device *dev;
int i;
for (i = 0; i < x25_asy_maxdev; i++) {
dev = x25_asy_devs[i];
if (dev) {
struct x25_asy *sl = netdev_priv(dev);
spin_lock_bh(&sl->lock);
if (sl->tty)
tty_hangup(sl->tty);
spin_unlock_bh(&sl->lock);
/*
* VSV = if dev->start==0, then device
* unregistered while close proc.
*/
unregister_netdev(dev);
free_netdev(dev);
}
}
kfree(x25_asy_devs);
tty_unregister_ldisc(N_X25);
}
module_init(init_x25_asy);
module_exit(exit_x25_asy);