2019-05-19 15:08:20 +03:00
// SPDX-License-Identifier: GPL-2.0-only
2005-04-17 02:20:36 +04:00
/*
* 6 pack . c This module implements the 6 pack protocol for kernel - based
* devices like TTY . It interfaces between a raw TTY and the
* kernel ' s AX .25 protocol layers .
*
2009-07-17 08:47:19 +04:00
* Authors : Andreas Könsgen < ajk @ comnets . uni - bremen . de >
2005-04-17 02:20:36 +04:00
* Ralf Baechle DL5RB < ralf @ linux - mips . org >
*
* Quite a lot of stuff " stolen " by Joerg Reuter from slip . c , written by
*
* Laurence Culhane , < loz @ holmes . demon . co . uk >
* Fred N . van Kempen , < waltje @ uwalt . nl . mugnet . org >
*/
# include <linux/module.h>
2016-12-24 22:46:01 +03:00
# include <linux/uaccess.h>
2005-04-17 02:20:36 +04:00
# include <linux/bitops.h>
# include <linux/string.h>
# include <linux/mm.h>
# include <linux/interrupt.h>
# include <linux/in.h>
# include <linux/tty.h>
# include <linux/errno.h>
# include <linux/netdevice.h>
# include <linux/timer.h>
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 11:04:11 +03:00
# include <linux/slab.h>
2005-04-17 02:20:36 +04:00
# include <net/ax25.h>
# include <linux/etherdevice.h>
# include <linux/skbuff.h>
# include <linux/rtnetlink.h>
# include <linux/spinlock.h>
# include <linux/if_arp.h>
# include <linux/init.h>
# include <linux/ip.h>
# include <linux/tcp.h>
2008-04-19 06:21:05 +04:00
# include <linux/semaphore.h>
2017-10-20 10:23:42 +03:00
# include <linux/refcount.h>
2005-04-17 02:20:36 +04:00
# define SIXPACK_VERSION "Revision: 0.3.0"
/* sixpack priority commands */
# define SIXP_SEOF 0x40 /* start and end of a 6pack frame */
# define SIXP_TX_URUN 0x48 /* transmit overrun */
# define SIXP_RX_ORUN 0x50 /* receive overrun */
# define SIXP_RX_BUF_OVL 0x58 /* receive buffer overflow */
# define SIXP_CHKSUM 0xFF /* valid checksum of a 6pack frame */
/* masks to get certain bits out of the status bytes sent by the TNC */
# define SIXP_CMD_MASK 0xC0
# define SIXP_CHN_MASK 0x07
# define SIXP_PRIO_CMD_MASK 0x80
# define SIXP_STD_CMD_MASK 0x40
# define SIXP_PRIO_DATA_MASK 0x38
# define SIXP_TX_MASK 0x20
# define SIXP_RX_MASK 0x10
# define SIXP_RX_DCD_MASK 0x18
# define SIXP_LEDS_ON 0x78
# define SIXP_LEDS_OFF 0x60
# define SIXP_CON 0x08
# define SIXP_STA 0x10
# define SIXP_FOUND_TNC 0xe9
# define SIXP_CON_ON 0x68
# define SIXP_DCD_MASK 0x08
# define SIXP_DAMA_OFF 0
/* default level 2 parameters */
2021-09-09 06:57:43 +03:00
# define SIXP_TXDELAY 25 /* 250 ms */
2005-04-17 02:20:36 +04:00
# define SIXP_PERSIST 50 /* in 256ths */
2021-09-09 06:57:43 +03:00
# define SIXP_SLOTTIME 10 /* 100 ms */
2005-04-17 02:20:36 +04:00
# define SIXP_INIT_RESYNC_TIMEOUT (3*HZ / 2) /* in 1 s */
# define SIXP_RESYNC_TIMEOUT 5*HZ /* in 1 s */
/* 6pack configuration. */
# define SIXP_NRUNIT 31 /* MAX number of 6pack channels */
# define SIXP_MTU 256 /* Default MTU */
enum sixpack_flags {
SIXPF_ERROR , /* Parity, etc. error */
} ;
struct sixpack {
/* Various fields. */
struct tty_struct * tty ; /* ptr to TTY structure */
struct net_device * dev ; /* easy for intr handling */
/* These are pointers to the malloc()ed frame buffers. */
unsigned char * rbuff ; /* receiver buffer */
int rcount ; /* received chars counter */
unsigned char * xbuff ; /* transmitter buffer */
unsigned char * xhead ; /* next byte to XMIT */
int xleft ; /* bytes left in XMIT queue */
unsigned char raw_buf [ 4 ] ;
unsigned char cooked_buf [ 400 ] ;
unsigned int rx_count ;
unsigned int rx_count_cooked ;
int mtu ; /* Our mtu (to spot changes!) */
int buffsize ; /* Max buffers sizes */
unsigned long flags ; /* Flag values/ mode etc */
unsigned char mode ; /* 6pack mode */
/* 6pack stuff */
unsigned char tx_delay ;
unsigned char persistence ;
unsigned char slottime ;
unsigned char duplex ;
unsigned char led_state ;
unsigned char status ;
unsigned char status1 ;
unsigned char status2 ;
unsigned char tx_enable ;
unsigned char tnc_state ;
struct timer_list tx_t ;
struct timer_list resync_t ;
2017-10-20 10:23:42 +03:00
refcount_t refcnt ;
2018-12-11 00:52:56 +03:00
struct completion dead ;
2005-04-17 02:20:36 +04:00
spinlock_t lock ;
} ;
# define AX25_6PACK_HEADER_LEN 0
2016-09-19 22:15:24 +03:00
static void sixpack_decode ( struct sixpack * , const unsigned char [ ] , int ) ;
2005-04-17 02:20:36 +04:00
static int encode_sixpack ( unsigned char * , unsigned char * , int , unsigned char ) ;
/*
2005-08-10 21:03:20 +04:00
* Perform the persistence / slottime algorithm for CSMA access . If the
2005-04-17 02:20:36 +04:00
* persistence check was successful , write the data to the serial driver .
* Note that in case of DAMA operation , the data is not sent here .
*/
2017-10-17 03:28:55 +03:00
static void sp_xmit_on_air ( struct timer_list * t )
2005-04-17 02:20:36 +04:00
{
2017-10-17 03:28:55 +03:00
struct sixpack * sp = from_timer ( sp , t , tx_t ) ;
2005-08-10 21:03:20 +04:00
int actual , when = sp - > slottime ;
2005-04-17 02:20:36 +04:00
static unsigned char random ;
random = random * 17 + 41 ;
if ( ( ( sp - > status1 & SIXP_DCD_MASK ) = = 0 ) & & ( random < sp - > persistence ) ) {
sp - > led_state = 0x70 ;
2008-04-30 11:54:13 +04:00
sp - > tty - > ops - > write ( sp - > tty , & sp - > led_state , 1 ) ;
2005-04-17 02:20:36 +04:00
sp - > tx_enable = 1 ;
2008-04-30 11:54:13 +04:00
actual = sp - > tty - > ops - > write ( sp - > tty , sp - > xbuff , sp - > status2 ) ;
2005-04-17 02:20:36 +04:00
sp - > xleft - = actual ;
sp - > xhead + = actual ;
sp - > led_state = 0x60 ;
2008-04-30 11:54:13 +04:00
sp - > tty - > ops - > write ( sp - > tty , & sp - > led_state , 1 ) ;
2005-04-17 02:20:36 +04:00
sp - > status2 = 0 ;
} else
2005-08-10 21:03:20 +04:00
mod_timer ( & sp - > tx_t , jiffies + ( ( when + 1 ) * HZ ) / 100 ) ;
2005-04-17 02:20:36 +04:00
}
/* ----> 6pack timer interrupt handler and friends. <---- */
/* Encapsulate one AX.25 frame and stuff into a TTY queue. */
static void sp_encaps ( struct sixpack * sp , unsigned char * icp , int len )
{
unsigned char * msg , * p = icp ;
int actual , count ;
if ( len > sp - > mtu ) { /* sp->mtu = AX25_MTU = max. PACLEN = 256 */
msg = " oversized transmit packet! " ;
goto out_drop ;
}
if ( p [ 0 ] > 5 ) {
msg = " invalid KISS command " ;
goto out_drop ;
}
if ( ( p [ 0 ] ! = 0 ) & & ( len > 2 ) ) {
msg = " KISS control packet too long " ;
goto out_drop ;
}
if ( ( p [ 0 ] = = 0 ) & & ( len < 15 ) ) {
msg = " bad AX.25 packet to transmit " ;
goto out_drop ;
}
count = encode_sixpack ( p , sp - > xbuff , len , sp - > tx_delay ) ;
set_bit ( TTY_DO_WRITE_WAKEUP , & sp - > tty - > flags ) ;
switch ( p [ 0 ] ) {
case 1 : sp - > tx_delay = p [ 1 ] ;
return ;
case 2 : sp - > persistence = p [ 1 ] ;
return ;
case 3 : sp - > slottime = p [ 1 ] ;
return ;
case 4 : /* ignored */
return ;
case 5 : sp - > duplex = p [ 1 ] ;
return ;
}
if ( p [ 0 ] ! = 0 )
return ;
/*
* In case of fullduplex or DAMA operation , we don ' t take care about the
* state of the DCD or of any timers , as the determination of the
* correct time to send is the job of the AX .25 layer . We send
* immediately after data has arrived .
*/
if ( sp - > duplex = = 1 ) {
sp - > led_state = 0x70 ;
2008-04-30 11:54:13 +04:00
sp - > tty - > ops - > write ( sp - > tty , & sp - > led_state , 1 ) ;
2005-04-17 02:20:36 +04:00
sp - > tx_enable = 1 ;
2008-04-30 11:54:13 +04:00
actual = sp - > tty - > ops - > write ( sp - > tty , sp - > xbuff , count ) ;
2005-04-17 02:20:36 +04:00
sp - > xleft = count - actual ;
sp - > xhead = sp - > xbuff + actual ;
sp - > led_state = 0x60 ;
2008-04-30 11:54:13 +04:00
sp - > tty - > ops - > write ( sp - > tty , & sp - > led_state , 1 ) ;
2005-04-17 02:20:36 +04:00
} else {
sp - > xleft = count ;
sp - > xhead = sp - > xbuff ;
sp - > status2 = count ;
2017-10-17 03:28:55 +03:00
sp_xmit_on_air ( & sp - > tx_t ) ;
2005-04-17 02:20:36 +04:00
}
return ;
out_drop :
2008-04-30 02:49:15 +04:00
sp - > dev - > stats . tx_dropped + + ;
2005-04-17 02:20:36 +04:00
netif_start_queue ( sp - > dev ) ;
if ( net_ratelimit ( ) )
printk ( KERN_DEBUG " %s: %s - dropped. \n " , sp - > dev - > name , msg ) ;
}
/* Encapsulate an IP datagram and kick it into a TTY queue. */
2009-08-31 23:50:43 +04:00
static netdev_tx_t sp_xmit ( struct sk_buff * skb , struct net_device * dev )
2005-04-17 02:20:36 +04:00
{
struct sixpack * sp = netdev_priv ( dev ) ;
2015-03-03 18:41:47 +03:00
if ( skb - > protocol = = htons ( ETH_P_IP ) )
return ax25_ip_xmit ( skb ) ;
2005-04-17 02:20:36 +04:00
spin_lock_bh ( & sp - > lock ) ;
/* We were not busy, so we are now... :-) */
netif_stop_queue ( dev ) ;
2008-04-30 02:49:15 +04:00
dev - > stats . tx_bytes + = skb - > len ;
2005-04-17 02:20:36 +04:00
sp_encaps ( sp , skb - > data , skb - > len ) ;
spin_unlock_bh ( & sp - > lock ) ;
dev_kfree_skb ( skb ) ;
2009-06-23 10:03:08 +04:00
return NETDEV_TX_OK ;
2005-04-17 02:20:36 +04:00
}
static int sp_open_dev ( struct net_device * dev )
{
struct sixpack * sp = netdev_priv ( dev ) ;
if ( sp - > tty = = NULL )
return - ENODEV ;
return 0 ;
}
/* Close the low-level part of the 6pack channel. */
static int sp_close ( struct net_device * dev )
{
struct sixpack * sp = netdev_priv ( dev ) ;
spin_lock_bh ( & sp - > lock ) ;
if ( sp - > tty ) {
/* TTY discipline is running. */
clear_bit ( TTY_DO_WRITE_WAKEUP , & sp - > tty - > flags ) ;
}
netif_stop_queue ( dev ) ;
spin_unlock_bh ( & sp - > lock ) ;
return 0 ;
}
static int sp_set_mac_address ( struct net_device * dev , void * addr )
{
struct sockaddr_ax25 * sa = addr ;
2006-06-09 23:20:56 +04:00
netif_tx_lock_bh ( dev ) ;
2008-07-15 11:13:44 +04:00
netif_addr_lock ( dev ) ;
2021-10-12 19:06:33 +03:00
__dev_addr_set ( dev , & sa - > sax25_call , AX25_ADDR_LEN ) ;
2008-07-15 11:13:44 +04:00
netif_addr_unlock ( dev ) ;
2006-06-09 23:20:56 +04:00
netif_tx_unlock_bh ( dev ) ;
2005-04-17 02:20:36 +04:00
return 0 ;
}
2009-01-09 16:01:28 +03:00
static const struct net_device_ops sp_netdev_ops = {
. ndo_open = sp_open_dev ,
. ndo_stop = sp_close ,
. ndo_start_xmit = sp_xmit ,
. ndo_set_mac_address = sp_set_mac_address ,
} ;
2005-04-17 02:20:36 +04:00
static void sp_setup ( struct net_device * dev )
{
/* Finish setting up the DEVICE info. */
2009-01-09 16:01:28 +03:00
dev - > netdev_ops = & sp_netdev_ops ;
net: Fix inconsistent teardown and release of private netdev state.
Network devices can allocate reasources and private memory using
netdev_ops->ndo_init(). However, the release of these resources
can occur in one of two different places.
Either netdev_ops->ndo_uninit() or netdev->destructor().
The decision of which operation frees the resources depends upon
whether it is necessary for all netdev refs to be released before it
is safe to perform the freeing.
netdev_ops->ndo_uninit() presumably can occur right after the
NETDEV_UNREGISTER notifier completes and the unicast and multicast
address lists are flushed.
netdev->destructor(), on the other hand, does not run until the
netdev references all go away.
Further complicating the situation is that netdev->destructor()
almost universally does also a free_netdev().
This creates a problem for the logic in register_netdevice().
Because all callers of register_netdevice() manage the freeing
of the netdev, and invoke free_netdev(dev) if register_netdevice()
fails.
If netdev_ops->ndo_init() succeeds, but something else fails inside
of register_netdevice(), it does call ndo_ops->ndo_uninit(). But
it is not able to invoke netdev->destructor().
This is because netdev->destructor() will do a free_netdev() and
then the caller of register_netdevice() will do the same.
However, this means that the resources that would normally be released
by netdev->destructor() will not be.
Over the years drivers have added local hacks to deal with this, by
invoking their destructor parts by hand when register_netdevice()
fails.
Many drivers do not try to deal with this, and instead we have leaks.
Let's close this hole by formalizing the distinction between what
private things need to be freed up by netdev->destructor() and whether
the driver needs unregister_netdevice() to perform the free_netdev().
netdev->priv_destructor() performs all actions to free up the private
resources that used to be freed by netdev->destructor(), except for
free_netdev().
netdev->needs_free_netdev is a boolean that indicates whether
free_netdev() should be done at the end of unregister_netdevice().
Now, register_netdevice() can sanely release all resources after
ndo_ops->ndo_init() succeeds, by invoking both ndo_ops->ndo_uninit()
and netdev->priv_destructor().
And at the end of unregister_netdevice(), we invoke
netdev->priv_destructor() and optionally call free_netdev().
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-05-08 19:52:56 +03:00
dev - > needs_free_netdev = true ;
2009-01-09 16:01:28 +03:00
dev - > mtu = SIXP_MTU ;
2005-04-17 02:20:36 +04:00
dev - > hard_header_len = AX25_MAX_HEADER_LEN ;
2015-03-02 09:03:45 +03:00
dev - > header_ops = & ax25_header_ops ;
2007-10-09 12:40:57 +04:00
2005-04-17 02:20:36 +04:00
dev - > addr_len = AX25_ADDR_LEN ;
dev - > type = ARPHRD_AX25 ;
dev - > tx_queue_len = 10 ;
/* Only activated in AX.25 mode */
2006-12-08 02:47:08 +03:00
memcpy ( dev - > broadcast , & ax25_bcast , AX25_ADDR_LEN ) ;
2021-10-12 19:06:33 +03:00
dev_addr_set ( dev , ( u8 * ) & ax25_defaddr ) ;
2005-04-17 02:20:36 +04:00
dev - > flags = 0 ;
}
/* Send one completely decapsulated IP datagram to the IP layer. */
/*
* This is the routine that sends the received data to the kernel AX .25 .
* ' cmd ' is the KISS command . For AX .25 data , it is zero .
*/
static void sp_bump ( struct sixpack * sp , char cmd )
{
struct sk_buff * skb ;
int count ;
unsigned char * ptr ;
count = sp - > rcount + 1 ;
2008-04-30 02:49:15 +04:00
sp - > dev - > stats . rx_bytes + = count ;
2005-04-17 02:20:36 +04:00
2019-08-26 22:02:09 +03:00
if ( ( skb = dev_alloc_skb ( count + 1 ) ) = = NULL )
2005-04-17 02:20:36 +04:00
goto out_mem ;
2019-08-26 22:02:09 +03:00
ptr = skb_put ( skb , count + 1 ) ;
2005-04-17 02:20:36 +04:00
* ptr + + = cmd ; /* KISS command */
memcpy ( ptr , sp - > cooked_buf + 1 , count ) ;
2005-04-25 05:53:06 +04:00
skb - > protocol = ax25_type_trans ( skb , sp - > dev ) ;
2005-04-17 02:20:36 +04:00
netif_rx ( skb ) ;
2008-04-30 02:49:15 +04:00
sp - > dev - > stats . rx_packets + + ;
2005-04-17 02:20:36 +04:00
return ;
out_mem :
2008-04-30 02:49:15 +04:00
sp - > dev - > stats . rx_dropped + + ;
2005-04-17 02:20:36 +04:00
}
/* ----------------------------------------------------------------------- */
/*
* We have a potential race on dereferencing tty - > disc_data , because the tty
* layer provides no locking at all - thus one cpu could be running
* sixpack_receive_buf while another calls sixpack_close , which zeroes
* tty - > disc_data and frees the memory that sixpack_receive_buf is using . The
* best way to fix this is to use a rwlock in the tty struct , but for now we
* use a single global rwlock for all ttys in ppp line discipline .
*/
static DEFINE_RWLOCK ( disc_data_lock ) ;
static struct sixpack * sp_get ( struct tty_struct * tty )
{
struct sixpack * sp ;
read_lock ( & disc_data_lock ) ;
sp = tty - > disc_data ;
if ( sp )
2017-10-20 10:23:42 +03:00
refcount_inc ( & sp - > refcnt ) ;
2005-04-17 02:20:36 +04:00
read_unlock ( & disc_data_lock ) ;
return sp ;
}
static void sp_put ( struct sixpack * sp )
{
2017-10-20 10:23:42 +03:00
if ( refcount_dec_and_test ( & sp - > refcnt ) )
2018-12-11 00:52:56 +03:00
complete ( & sp - > dead ) ;
2005-04-17 02:20:36 +04:00
}
/*
* Called by the TTY driver when there ' s room for more data . If we have
* more packets to send , we send them here .
*/
static void sixpack_write_wakeup ( struct tty_struct * tty )
{
struct sixpack * sp = sp_get ( tty ) ;
int actual ;
if ( ! sp )
return ;
if ( sp - > xleft < = 0 ) {
/* Now serial buffer is almost free & we can start
* transmission of another packet */
2008-04-30 02:49:15 +04:00
sp - > dev - > stats . tx_packets + + ;
2005-04-17 02:20:36 +04:00
clear_bit ( TTY_DO_WRITE_WAKEUP , & tty - > flags ) ;
sp - > tx_enable = 0 ;
netif_wake_queue ( sp - > dev ) ;
goto out ;
}
if ( sp - > tx_enable ) {
2008-04-30 11:54:13 +04:00
actual = tty - > ops - > write ( tty , sp - > xhead , sp - > xleft ) ;
2005-04-17 02:20:36 +04:00
sp - > xleft - = actual ;
sp - > xhead + = actual ;
}
out :
sp_put ( sp ) ;
}
/* ----------------------------------------------------------------------- */
/*
* Handle the ' receiver data ready ' interrupt .
2016-09-19 22:15:24 +03:00
* This function is called by the tty module in the kernel when
2005-04-17 02:20:36 +04:00
* a block of 6 pack data has been received , which can now be decapsulated
* and sent on to some IP layer for further processing .
*/
2011-06-04 01:33:24 +04:00
static void sixpack_receive_buf ( struct tty_struct * tty ,
2021-05-05 12:19:04 +03:00
const unsigned char * cp , const char * fp , int count )
2005-04-17 02:20:36 +04:00
{
struct sixpack * sp ;
int count1 ;
if ( ! count )
2011-06-04 01:33:24 +04:00
return ;
2005-04-17 02:20:36 +04:00
sp = sp_get ( tty ) ;
if ( ! sp )
2011-06-04 01:33:24 +04:00
return ;
2005-04-17 02:20:36 +04:00
/* Read the characters out of the buffer */
count1 = count ;
while ( count ) {
count - - ;
if ( fp & & * fp + + ) {
if ( ! test_and_set_bit ( SIXPF_ERROR , & sp - > flags ) )
2008-04-30 02:49:15 +04:00
sp - > dev - > stats . rx_errors + + ;
2005-04-17 02:20:36 +04:00
continue ;
}
}
2016-09-19 22:15:24 +03:00
sixpack_decode ( sp , cp , count1 ) ;
2005-04-17 02:20:36 +04:00
sp_put ( sp ) ;
2008-04-30 11:54:18 +04:00
tty_unthrottle ( tty ) ;
2005-04-17 02:20:36 +04:00
}
/*
* Try to resync the TNC . Called by the resync timer defined in
* decode_prio_command
*/
# define TNC_UNINITIALIZED 0
# define TNC_UNSYNC_STARTUP 1
# define TNC_UNSYNCED 2
# define TNC_IN_SYNC 3
static void __tnc_set_sync_state ( struct sixpack * sp , int new_tnc_state )
{
char * msg ;
switch ( new_tnc_state ) {
default : /* gcc oh piece-o-crap ... */
case TNC_UNSYNC_STARTUP :
msg = " Synchronizing with TNC " ;
break ;
case TNC_UNSYNCED :
msg = " Lost synchronization with TNC \n " ;
break ;
case TNC_IN_SYNC :
msg = " Found TNC " ;
break ;
}
sp - > tnc_state = new_tnc_state ;
printk ( KERN_INFO " %s: %s \n " , sp - > dev - > name , msg ) ;
}
static inline void tnc_set_sync_state ( struct sixpack * sp , int new_tnc_state )
{
int old_tnc_state = sp - > tnc_state ;
if ( old_tnc_state ! = new_tnc_state )
__tnc_set_sync_state ( sp , new_tnc_state ) ;
}
2017-10-17 03:28:55 +03:00
static void resync_tnc ( struct timer_list * t )
2005-04-17 02:20:36 +04:00
{
2017-10-17 03:28:55 +03:00
struct sixpack * sp = from_timer ( sp , t , resync_t ) ;
2005-04-17 02:20:36 +04:00
static char resync_cmd = 0xe8 ;
/* clear any data that might have been received */
sp - > rx_count = 0 ;
sp - > rx_count_cooked = 0 ;
/* reset state machine */
sp - > status = 1 ;
sp - > status1 = 1 ;
sp - > status2 = 0 ;
/* resync the TNC */
sp - > led_state = 0x60 ;
2008-04-30 11:54:13 +04:00
sp - > tty - > ops - > write ( sp - > tty , & sp - > led_state , 1 ) ;
sp - > tty - > ops - > write ( sp - > tty , & resync_cmd , 1 ) ;
2005-04-17 02:20:36 +04:00
/* Start resync timer again -- the TNC might be still absent */
2019-01-02 15:24:20 +03:00
mod_timer ( & sp - > resync_t , jiffies + SIXP_RESYNC_TIMEOUT ) ;
2005-04-17 02:20:36 +04:00
}
static inline int tnc_init ( struct sixpack * sp )
{
unsigned char inbyte = 0xe8 ;
tnc_set_sync_state ( sp , TNC_UNSYNC_STARTUP ) ;
2008-04-30 11:54:13 +04:00
sp - > tty - > ops - > write ( sp - > tty , & inbyte , 1 ) ;
2005-04-17 02:20:36 +04:00
2019-01-02 15:24:20 +03:00
mod_timer ( & sp - > resync_t , jiffies + SIXP_RESYNC_TIMEOUT ) ;
2005-04-17 02:20:36 +04:00
return 0 ;
}
/*
* Open the high - level part of the 6 pack channel .
* This function is called by the TTY module when the
* 6 pack line discipline is called for . Because we are
* sure the tty line exists , we only have to link it to
* a free 6 pcack channel . . .
*/
static int sixpack_open ( struct tty_struct * tty )
{
char * rbuff = NULL , * xbuff = NULL ;
struct net_device * dev ;
struct sixpack * sp ;
unsigned long len ;
int err = 0 ;
if ( ! capable ( CAP_NET_ADMIN ) )
return - EPERM ;
2008-04-30 11:54:13 +04:00
if ( tty - > ops - > write = = NULL )
return - EOPNOTSUPP ;
2005-04-17 02:20:36 +04:00
net: set name_assign_type in alloc_netdev()
Extend alloc_netdev{,_mq{,s}}() to take name_assign_type as argument, and convert
all users to pass NET_NAME_UNKNOWN.
Coccinelle patch:
@@
expression sizeof_priv, name, setup, txqs, rxqs, count;
@@
(
-alloc_netdev_mqs(sizeof_priv, name, setup, txqs, rxqs)
+alloc_netdev_mqs(sizeof_priv, name, NET_NAME_UNKNOWN, setup, txqs, rxqs)
|
-alloc_netdev_mq(sizeof_priv, name, setup, count)
+alloc_netdev_mq(sizeof_priv, name, NET_NAME_UNKNOWN, setup, count)
|
-alloc_netdev(sizeof_priv, name, setup)
+alloc_netdev(sizeof_priv, name, NET_NAME_UNKNOWN, setup)
)
v9: move comments here from the wrong commit
Signed-off-by: Tom Gundersen <teg@jklm.no>
Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-07-14 18:37:24 +04:00
dev = alloc_netdev ( sizeof ( struct sixpack ) , " sp%d " , NET_NAME_UNKNOWN ,
sp_setup ) ;
2005-04-17 02:20:36 +04:00
if ( ! dev ) {
err = - ENOMEM ;
goto out ;
}
sp = netdev_priv ( dev ) ;
sp - > dev = dev ;
spin_lock_init ( & sp - > lock ) ;
2017-10-20 10:23:42 +03:00
refcount_set ( & sp - > refcnt , 1 ) ;
2018-12-11 00:52:56 +03:00
init_completion ( & sp - > dead ) ;
2005-04-17 02:20:36 +04:00
/* !!! length of the buffers. MTU is IP MTU, not PACLEN! */
len = dev - > mtu * 2 ;
rbuff = kmalloc ( len + 4 , GFP_KERNEL ) ;
xbuff = kmalloc ( len + 4 , GFP_KERNEL ) ;
if ( rbuff = = NULL | | xbuff = = NULL ) {
err = - ENOBUFS ;
goto out_free ;
}
spin_lock_bh ( & sp - > lock ) ;
sp - > tty = tty ;
sp - > rbuff = rbuff ;
sp - > xbuff = xbuff ;
sp - > mtu = AX25_MTU + 73 ;
sp - > buffsize = len ;
sp - > rcount = 0 ;
sp - > rx_count = 0 ;
sp - > rx_count_cooked = 0 ;
sp - > xleft = 0 ;
sp - > flags = 0 ; /* Clear ESCAPE & ERROR flags */
sp - > duplex = 0 ;
sp - > tx_delay = SIXP_TXDELAY ;
sp - > persistence = SIXP_PERSIST ;
sp - > slottime = SIXP_SLOTTIME ;
sp - > led_state = 0x60 ;
sp - > status = 1 ;
sp - > status1 = 1 ;
sp - > status2 = 0 ;
sp - > tx_enable = 0 ;
netif_start_queue ( dev ) ;
2017-10-17 03:28:55 +03:00
timer_setup ( & sp - > tx_t , sp_xmit_on_air , 0 ) ;
2005-08-25 22:38:30 +04:00
2017-10-17 03:28:55 +03:00
timer_setup ( & sp - > resync_t , resync_tnc , 0 ) ;
2005-04-17 02:20:36 +04:00
spin_unlock_bh ( & sp - > lock ) ;
/* Done. We have linked the TTY line to a channel. */
tty - > disc_data = sp ;
[PATCH] TTY layer buffering revamp
The API and code have been through various bits of initial review by
serial driver people but they definitely need to live somewhere for a
while so the unconverted drivers can get knocked into shape, existing
drivers that have been updated can be better tuned and bugs whacked out.
This replaces the tty flip buffers with kmalloc objects in rings. In the
normal situation for an IRQ driven serial port at typical speeds the
behaviour is pretty much the same, two buffers end up allocated and the
kernel cycles between them as before.
When there are delays or at high speed we now behave far better as the
buffer pool can grow a bit rather than lose characters. This also means
that we can operate at higher speeds reliably.
For drivers that receive characters in blocks (DMA based, USB and
especially virtualisation) the layer allows a lot of driver specific
code that works around the tty layer with private secondary queues to be
removed. The IBM folks need this sort of layer, the smart serial port
people do, the virtualisers do (because a virtualised tty typically
operates at infinite speed rather than emulating 9600 baud).
Finally many drivers had invalid and unsafe attempts to avoid buffer
overflows by directly invoking tty methods extracted out of the innards
of work queue structs. These are no longer needed and all go away. That
fixes various random hangs with serial ports on overflow.
The other change in here is to optimise the receive_room path that is
used by some callers. It turns out that only one ldisc uses receive room
except asa constant and it updates it far far less than the value is
read. We thus make it a variable not a function call.
I expect the code to contain bugs due to the size alone but I'll be
watching and squashing them and feeding out new patches as it goes.
Because the buffers now dynamically expand you should only run out of
buffering when the kernel runs out of memory for real. That means a lot of
the horrible hacks high performance drivers used to do just aren't needed any
more.
Description:
tty_insert_flip_char is an old API and continues to work as before, as does
tty_flip_buffer_push() [this is why many drivers dont need modification]. It
does now also return the number of chars inserted
There are also
tty_buffer_request_room(tty, len)
which asks for a buffer block of the length requested and returns the space
found. This improves efficiency with hardware that knows how much to
transfer.
and tty_insert_flip_string_flags(tty, str, flags, len)
to insert a string of characters and flags
For a smart interface the usual code is
len = tty_request_buffer_room(tty, amount_hardware_says);
tty_insert_flip_string(tty, buffer_from_card, len);
More description!
At the moment tty buffers are attached directly to the tty. This is causing a
lot of the problems related to tty layer locking, also problems at high speed
and also with bursty data (such as occurs in virtualised environments)
I'm working on ripping out the flip buffers and replacing them with a pool of
dynamically allocated buffers. This allows both for old style "byte I/O"
devices and also helps virtualisation and smart devices where large blocks of
data suddenely materialise and need storing.
So far so good. Lots of drivers reference tty->flip.*. Several of them also
call directly and unsafely into function pointers it provides. This will all
break. Most drivers can use tty_insert_flip_char which can be kept as an API
but others need more.
At the moment I've added the following interfaces, if people think more will
be needed now is a good time to say
int tty_buffer_request_room(tty, size)
Try and ensure at least size bytes are available, returns actual room (may be
zero). At the moment it just uses the flipbuf space but that will change.
Repeated calls without characters being added are not cumulative. (ie if you
call it with 1, 1, 1, and then 4 you'll have four characters of space. The
other functions will also try and grow buffers in future but this will be a
more efficient way when you know block sizes.
int tty_insert_flip_char(tty, ch, flag)
As before insert a character if there is room. Now returns 1 for success, 0
for failure.
int tty_insert_flip_string(tty, str, len)
Insert a block of non error characters. Returns the number inserted.
int tty_prepare_flip_string(tty, strptr, len)
Adjust the buffer to allow len characters to be added. Returns a buffer
pointer in strptr and the length available. This allows for hardware that
needs to use functions like insl or mencpy_fromio.
Signed-off-by: Alan Cox <alan@redhat.com>
Cc: Paul Fulghum <paulkf@microgate.com>
Signed-off-by: Hirokazu Takata <takata@linux-m32r.org>
Signed-off-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: Jeff Dike <jdike@addtoit.com>
Signed-off-by: John Hawkes <hawkes@sgi.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-01-10 07:54:13 +03:00
tty - > receive_room = 65536 ;
2005-04-17 02:20:36 +04:00
/* Now we're ready to register. */
2013-12-30 02:47:28 +04:00
err = register_netdev ( dev ) ;
if ( err )
2005-04-17 02:20:36 +04:00
goto out_free ;
tnc_init ( sp ) ;
return 0 ;
out_free :
kfree ( xbuff ) ;
kfree ( rbuff ) ;
2014-11-03 15:12:29 +03:00
free_netdev ( dev ) ;
2005-04-17 02:20:36 +04:00
out :
return err ;
}
/*
* Close down a 6 pack channel .
* This means flushing out any pending queues , and then restoring the
* TTY line discipline to what it was before it got hooked to 6 pack
* ( which usually is TTY again ) .
*/
static void sixpack_close ( struct tty_struct * tty )
{
struct sixpack * sp ;
6pack,mkiss: fix possible deadlock
We got another syzbot report [1] that tells us we must use
write_lock_irq()/write_unlock_irq() to avoid possible deadlock.
[1]
WARNING: inconsistent lock state
5.5.0-rc1-syzkaller #0 Not tainted
--------------------------------
inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-R} usage.
syz-executor826/9605 [HC1[1]:SC0[0]:HE0:SE1] takes:
ffffffff8a128718 (disc_data_lock){+-..}, at: sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
{HARDIRQ-ON-W} state was registered at:
lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
__raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
_raw_write_lock_bh+0x33/0x50 kernel/locking/spinlock.c:319
sixpack_close+0x1d/0x250 drivers/net/hamradio/6pack.c:657
tty_ldisc_close.isra.0+0x119/0x1a0 drivers/tty/tty_ldisc.c:489
tty_set_ldisc+0x230/0x6b0 drivers/tty/tty_ldisc.c:585
tiocsetd drivers/tty/tty_io.c:2337 [inline]
tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2597
vfs_ioctl fs/ioctl.c:47 [inline]
file_ioctl fs/ioctl.c:545 [inline]
do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
__do_sys_ioctl fs/ioctl.c:756 [inline]
__se_sys_ioctl fs/ioctl.c:754 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
irq event stamp: 3946
hardirqs last enabled at (3945): [<ffffffff87c86e43>] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline]
hardirqs last enabled at (3945): [<ffffffff87c86e43>] _raw_spin_unlock_irq+0x23/0x80 kernel/locking/spinlock.c:199
hardirqs last disabled at (3946): [<ffffffff8100675f>] trace_hardirqs_off_thunk+0x1a/0x1c arch/x86/entry/thunk_64.S:42
softirqs last enabled at (2658): [<ffffffff86a8b4df>] spin_unlock_bh include/linux/spinlock.h:383 [inline]
softirqs last enabled at (2658): [<ffffffff86a8b4df>] clusterip_netdev_event+0x46f/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:222
softirqs last disabled at (2656): [<ffffffff86a8b22b>] spin_lock_bh include/linux/spinlock.h:343 [inline]
softirqs last disabled at (2656): [<ffffffff86a8b22b>] clusterip_netdev_event+0x1bb/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:196
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(disc_data_lock);
<Interrupt>
lock(disc_data_lock);
*** DEADLOCK ***
5 locks held by syz-executor826/9605:
#0: ffff8880a905e198 (&tty->legacy_mutex){+.+.}, at: tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19
#1: ffffffff899a56c0 (rcu_read_lock){....}, at: mutex_spin_on_owner+0x0/0x330 kernel/locking/mutex.c:413
#2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: spin_lock include/linux/spinlock.h:338 [inline]
#2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: serial8250_interrupt+0x2d/0x1a0 drivers/tty/serial/8250/8250_core.c:116
#3: ffffffff8c104048 (&port_lock_key){-.-.}, at: serial8250_handle_irq.part.0+0x24/0x330 drivers/tty/serial/8250/8250_port.c:1823
#4: ffff8880a905e090 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref+0x22/0x90 drivers/tty/tty_ldisc.c:288
stack backtrace:
CPU: 1 PID: 9605 Comm: syz-executor826 Not tainted 5.5.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_usage_bug.cold+0x327/0x378 kernel/locking/lockdep.c:3101
valid_state kernel/locking/lockdep.c:3112 [inline]
mark_lock_irq kernel/locking/lockdep.c:3309 [inline]
mark_lock+0xbb4/0x1220 kernel/locking/lockdep.c:3666
mark_usage kernel/locking/lockdep.c:3554 [inline]
__lock_acquire+0x1e55/0x4a00 kernel/locking/lockdep.c:3909
lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
__raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
_raw_read_lock+0x32/0x50 kernel/locking/spinlock.c:223
sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
sixpack_write_wakeup+0x25/0x340 drivers/net/hamradio/6pack.c:402
tty_wakeup+0xe9/0x120 drivers/tty/tty_io.c:536
tty_port_default_wakeup+0x2b/0x40 drivers/tty/tty_port.c:50
tty_port_tty_wakeup+0x57/0x70 drivers/tty/tty_port.c:387
uart_write_wakeup+0x46/0x70 drivers/tty/serial/serial_core.c:104
serial8250_tx_chars+0x495/0xaf0 drivers/tty/serial/8250/8250_port.c:1761
serial8250_handle_irq.part.0+0x2a2/0x330 drivers/tty/serial/8250/8250_port.c:1834
serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1820 [inline]
serial8250_default_handle_irq+0xc0/0x150 drivers/tty/serial/8250/8250_port.c:1850
serial8250_interrupt+0xf1/0x1a0 drivers/tty/serial/8250/8250_core.c:126
__handle_irq_event_percpu+0x15d/0x970 kernel/irq/handle.c:149
handle_irq_event_percpu+0x74/0x160 kernel/irq/handle.c:189
handle_irq_event+0xa7/0x134 kernel/irq/handle.c:206
handle_edge_irq+0x25e/0x8d0 kernel/irq/chip.c:830
generic_handle_irq_desc include/linux/irqdesc.h:156 [inline]
do_IRQ+0xde/0x280 arch/x86/kernel/irq.c:250
common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:607
</IRQ>
RIP: 0010:cpu_relax arch/x86/include/asm/processor.h:685 [inline]
RIP: 0010:mutex_spin_on_owner+0x247/0x330 kernel/locking/mutex.c:579
Code: c3 be 08 00 00 00 4c 89 e7 e8 e5 06 59 00 4c 89 e0 48 c1 e8 03 42 80 3c 38 00 0f 85 e1 00 00 00 49 8b 04 24 a8 01 75 96 f3 90 <e9> 2f fe ff ff 0f 0b e8 0d 19 09 00 84 c0 0f 85 ff fd ff ff 48 c7
RSP: 0018:ffffc90001eafa20 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffd7
RAX: 0000000000000000 RBX: ffff88809fd9e0c0 RCX: 1ffffffff13266dd
RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000000
RBP: ffffc90001eafa60 R08: 1ffff11013d22898 R09: ffffed1013d22899
R10: ffffed1013d22898 R11: ffff88809e9144c7 R12: ffff8880a905e138
R13: ffff88809e9144c0 R14: 0000000000000000 R15: dffffc0000000000
mutex_optimistic_spin kernel/locking/mutex.c:673 [inline]
__mutex_lock_common kernel/locking/mutex.c:962 [inline]
__mutex_lock+0x32b/0x13c0 kernel/locking/mutex.c:1106
mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1121
tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19
tty_release+0xb5/0xe90 drivers/tty/tty_io.c:1665
__fput+0x2ff/0x890 fs/file_table.c:280
____fput+0x16/0x20 fs/file_table.c:313
task_work_run+0x145/0x1c0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x8e7/0x2ef0 kernel/exit.c:797
do_group_exit+0x135/0x360 kernel/exit.c:895
__do_sys_exit_group kernel/exit.c:906 [inline]
__se_sys_exit_group kernel/exit.c:904 [inline]
__x64_sys_exit_group+0x44/0x50 kernel/exit.c:904
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43fef8
Code: Bad RIP value.
RSP: 002b:00007ffdb07d2338 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043fef8
RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
RBP: 00000000004bf730 R08: 00000000000000e7 R09: ffffffffffffffd0
R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
Fixes: 6e4e2f811bad ("6pack,mkiss: fix lock inconsistency")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
2019-12-12 21:32:13 +03:00
write_lock_irq ( & disc_data_lock ) ;
2005-04-17 02:20:36 +04:00
sp = tty - > disc_data ;
tty - > disc_data = NULL ;
6pack,mkiss: fix possible deadlock
We got another syzbot report [1] that tells us we must use
write_lock_irq()/write_unlock_irq() to avoid possible deadlock.
[1]
WARNING: inconsistent lock state
5.5.0-rc1-syzkaller #0 Not tainted
--------------------------------
inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-R} usage.
syz-executor826/9605 [HC1[1]:SC0[0]:HE0:SE1] takes:
ffffffff8a128718 (disc_data_lock){+-..}, at: sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
{HARDIRQ-ON-W} state was registered at:
lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
__raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
_raw_write_lock_bh+0x33/0x50 kernel/locking/spinlock.c:319
sixpack_close+0x1d/0x250 drivers/net/hamradio/6pack.c:657
tty_ldisc_close.isra.0+0x119/0x1a0 drivers/tty/tty_ldisc.c:489
tty_set_ldisc+0x230/0x6b0 drivers/tty/tty_ldisc.c:585
tiocsetd drivers/tty/tty_io.c:2337 [inline]
tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2597
vfs_ioctl fs/ioctl.c:47 [inline]
file_ioctl fs/ioctl.c:545 [inline]
do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
__do_sys_ioctl fs/ioctl.c:756 [inline]
__se_sys_ioctl fs/ioctl.c:754 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
irq event stamp: 3946
hardirqs last enabled at (3945): [<ffffffff87c86e43>] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline]
hardirqs last enabled at (3945): [<ffffffff87c86e43>] _raw_spin_unlock_irq+0x23/0x80 kernel/locking/spinlock.c:199
hardirqs last disabled at (3946): [<ffffffff8100675f>] trace_hardirqs_off_thunk+0x1a/0x1c arch/x86/entry/thunk_64.S:42
softirqs last enabled at (2658): [<ffffffff86a8b4df>] spin_unlock_bh include/linux/spinlock.h:383 [inline]
softirqs last enabled at (2658): [<ffffffff86a8b4df>] clusterip_netdev_event+0x46f/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:222
softirqs last disabled at (2656): [<ffffffff86a8b22b>] spin_lock_bh include/linux/spinlock.h:343 [inline]
softirqs last disabled at (2656): [<ffffffff86a8b22b>] clusterip_netdev_event+0x1bb/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:196
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(disc_data_lock);
<Interrupt>
lock(disc_data_lock);
*** DEADLOCK ***
5 locks held by syz-executor826/9605:
#0: ffff8880a905e198 (&tty->legacy_mutex){+.+.}, at: tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19
#1: ffffffff899a56c0 (rcu_read_lock){....}, at: mutex_spin_on_owner+0x0/0x330 kernel/locking/mutex.c:413
#2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: spin_lock include/linux/spinlock.h:338 [inline]
#2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: serial8250_interrupt+0x2d/0x1a0 drivers/tty/serial/8250/8250_core.c:116
#3: ffffffff8c104048 (&port_lock_key){-.-.}, at: serial8250_handle_irq.part.0+0x24/0x330 drivers/tty/serial/8250/8250_port.c:1823
#4: ffff8880a905e090 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref+0x22/0x90 drivers/tty/tty_ldisc.c:288
stack backtrace:
CPU: 1 PID: 9605 Comm: syz-executor826 Not tainted 5.5.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_usage_bug.cold+0x327/0x378 kernel/locking/lockdep.c:3101
valid_state kernel/locking/lockdep.c:3112 [inline]
mark_lock_irq kernel/locking/lockdep.c:3309 [inline]
mark_lock+0xbb4/0x1220 kernel/locking/lockdep.c:3666
mark_usage kernel/locking/lockdep.c:3554 [inline]
__lock_acquire+0x1e55/0x4a00 kernel/locking/lockdep.c:3909
lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
__raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
_raw_read_lock+0x32/0x50 kernel/locking/spinlock.c:223
sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
sixpack_write_wakeup+0x25/0x340 drivers/net/hamradio/6pack.c:402
tty_wakeup+0xe9/0x120 drivers/tty/tty_io.c:536
tty_port_default_wakeup+0x2b/0x40 drivers/tty/tty_port.c:50
tty_port_tty_wakeup+0x57/0x70 drivers/tty/tty_port.c:387
uart_write_wakeup+0x46/0x70 drivers/tty/serial/serial_core.c:104
serial8250_tx_chars+0x495/0xaf0 drivers/tty/serial/8250/8250_port.c:1761
serial8250_handle_irq.part.0+0x2a2/0x330 drivers/tty/serial/8250/8250_port.c:1834
serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1820 [inline]
serial8250_default_handle_irq+0xc0/0x150 drivers/tty/serial/8250/8250_port.c:1850
serial8250_interrupt+0xf1/0x1a0 drivers/tty/serial/8250/8250_core.c:126
__handle_irq_event_percpu+0x15d/0x970 kernel/irq/handle.c:149
handle_irq_event_percpu+0x74/0x160 kernel/irq/handle.c:189
handle_irq_event+0xa7/0x134 kernel/irq/handle.c:206
handle_edge_irq+0x25e/0x8d0 kernel/irq/chip.c:830
generic_handle_irq_desc include/linux/irqdesc.h:156 [inline]
do_IRQ+0xde/0x280 arch/x86/kernel/irq.c:250
common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:607
</IRQ>
RIP: 0010:cpu_relax arch/x86/include/asm/processor.h:685 [inline]
RIP: 0010:mutex_spin_on_owner+0x247/0x330 kernel/locking/mutex.c:579
Code: c3 be 08 00 00 00 4c 89 e7 e8 e5 06 59 00 4c 89 e0 48 c1 e8 03 42 80 3c 38 00 0f 85 e1 00 00 00 49 8b 04 24 a8 01 75 96 f3 90 <e9> 2f fe ff ff 0f 0b e8 0d 19 09 00 84 c0 0f 85 ff fd ff ff 48 c7
RSP: 0018:ffffc90001eafa20 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffd7
RAX: 0000000000000000 RBX: ffff88809fd9e0c0 RCX: 1ffffffff13266dd
RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000000
RBP: ffffc90001eafa60 R08: 1ffff11013d22898 R09: ffffed1013d22899
R10: ffffed1013d22898 R11: ffff88809e9144c7 R12: ffff8880a905e138
R13: ffff88809e9144c0 R14: 0000000000000000 R15: dffffc0000000000
mutex_optimistic_spin kernel/locking/mutex.c:673 [inline]
__mutex_lock_common kernel/locking/mutex.c:962 [inline]
__mutex_lock+0x32b/0x13c0 kernel/locking/mutex.c:1106
mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1121
tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19
tty_release+0xb5/0xe90 drivers/tty/tty_io.c:1665
__fput+0x2ff/0x890 fs/file_table.c:280
____fput+0x16/0x20 fs/file_table.c:313
task_work_run+0x145/0x1c0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x8e7/0x2ef0 kernel/exit.c:797
do_group_exit+0x135/0x360 kernel/exit.c:895
__do_sys_exit_group kernel/exit.c:906 [inline]
__se_sys_exit_group kernel/exit.c:904 [inline]
__x64_sys_exit_group+0x44/0x50 kernel/exit.c:904
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43fef8
Code: Bad RIP value.
RSP: 002b:00007ffdb07d2338 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043fef8
RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
RBP: 00000000004bf730 R08: 00000000000000e7 R09: ffffffffffffffd0
R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
Fixes: 6e4e2f811bad ("6pack,mkiss: fix lock inconsistency")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
2019-12-12 21:32:13 +03:00
write_unlock_irq ( & disc_data_lock ) ;
2008-01-24 13:06:46 +03:00
if ( ! sp )
2005-04-17 02:20:36 +04:00
return ;
/*
* We have now ensured that nobody can start using ap from now on , but
* we have to wait for all existing users to finish .
*/
2017-10-20 10:23:42 +03:00
if ( ! refcount_dec_and_test ( & sp - > refcnt ) )
2018-12-11 00:52:56 +03:00
wait_for_completion ( & sp - > dead ) ;
2005-04-17 02:20:36 +04:00
2016-01-05 14:51:25 +03:00
/* We must stop the queue to avoid potentially scribbling
2018-12-11 00:52:56 +03:00
* on the free buffers . The sp - > dead completion is not sufficient
2016-01-05 14:51:25 +03:00
* to protect us from sp - > xbuff access .
*/
netif_stop_queue ( sp - > dev ) ;
2015-12-18 00:05:32 +03:00
del_timer_sync ( & sp - > tx_t ) ;
del_timer_sync ( & sp - > resync_t ) ;
2005-04-17 02:20:36 +04:00
/* Free all 6pack frame buffers. */
kfree ( sp - > rbuff ) ;
kfree ( sp - > xbuff ) ;
2015-12-18 00:05:32 +03:00
unregister_netdev ( sp - > dev ) ;
2005-04-17 02:20:36 +04:00
}
/* Perform I/O control on an active 6pack channel. */
static int sixpack_ioctl ( struct tty_struct * tty , struct file * file ,
unsigned int cmd , unsigned long arg )
{
struct sixpack * sp = sp_get ( tty ) ;
2009-01-09 13:23:09 +03:00
struct net_device * dev ;
2005-04-17 02:20:36 +04:00
unsigned int tmp , err ;
if ( ! sp )
return - ENXIO ;
2009-01-09 13:23:09 +03:00
dev = sp - > dev ;
2005-04-17 02:20:36 +04:00
switch ( cmd ) {
case SIOCGIFNAME :
err = copy_to_user ( ( void __user * ) arg , dev - > name ,
strlen ( dev - > name ) + 1 ) ? - EFAULT : 0 ;
break ;
case SIOCGIFENCAP :
err = put_user ( 0 , ( int __user * ) arg ) ;
break ;
case SIOCSIFENCAP :
if ( get_user ( tmp , ( int __user * ) arg ) ) {
err = - EFAULT ;
break ;
}
sp - > mode = tmp ;
dev - > addr_len = AX25_ADDR_LEN ;
dev - > hard_header_len = AX25_KISS_HEADER_LEN +
AX25_MAX_HEADER_LEN + 3 ;
dev - > type = ARPHRD_AX25 ;
err = 0 ;
break ;
2021-05-25 13:55:45 +03:00
case SIOCSIFHWADDR : {
char addr [ AX25_ADDR_LEN ] ;
2005-04-17 02:20:36 +04:00
2021-05-25 13:55:45 +03:00
if ( copy_from_user ( & addr ,
( void __user * ) arg , AX25_ADDR_LEN ) ) {
2007-11-07 12:27:34 +03:00
err = - EFAULT ;
break ;
}
2005-04-17 02:20:36 +04:00
2007-11-07 12:27:34 +03:00
netif_tx_lock_bh ( dev ) ;
2021-10-12 19:06:33 +03:00
__dev_addr_set ( dev , & addr , AX25_ADDR_LEN ) ;
2007-11-07 12:27:34 +03:00
netif_tx_unlock_bh ( dev ) ;
err = 0 ;
break ;
}
2005-04-17 02:20:36 +04:00
default :
2007-11-07 12:27:34 +03:00
err = tty_mode_ioctl ( tty , file , cmd , arg ) ;
2005-04-17 02:20:36 +04:00
}
sp_put ( sp ) ;
return err ;
}
2008-07-17 00:53:12 +04:00
static struct tty_ldisc_ops sp_ldisc = {
2005-04-17 02:20:36 +04:00
. owner = THIS_MODULE ,
2021-05-05 12:19:07 +03:00
. num = N_6PACK ,
2005-04-17 02:20:36 +04:00
. name = " 6pack " ,
. open = sixpack_open ,
. close = sixpack_close ,
. ioctl = sixpack_ioctl ,
. receive_buf = sixpack_receive_buf ,
. write_wakeup = sixpack_write_wakeup ,
} ;
/* Initialize 6pack control device -- register 6pack line discipline */
2012-10-05 04:11:55 +04:00
static const char msg_banner [ ] __initconst = KERN_INFO \
2005-04-17 02:20:36 +04:00
" AX.25: 6pack driver, " SIXPACK_VERSION " \n " ;
2012-10-05 04:11:55 +04:00
static const char msg_regfail [ ] __initconst = KERN_ERR \
2005-04-17 02:20:36 +04:00
" 6pack: can't register line discipline (err = %d) \n " ;
static int __init sixpack_init_driver ( void )
{
int status ;
printk ( msg_banner ) ;
/* Register the provided line protocol discipline */
2021-05-05 12:19:07 +03:00
status = tty_register_ldisc ( & sp_ldisc ) ;
if ( status )
2005-04-17 02:20:36 +04:00
printk ( msg_regfail , status ) ;
return status ;
}
static void __exit sixpack_exit_driver ( void )
{
2021-05-05 12:19:11 +03:00
tty_unregister_ldisc ( & sp_ldisc ) ;
2005-04-17 02:20:36 +04:00
}
/* encode an AX.25 packet into 6pack */
static int encode_sixpack ( unsigned char * tx_buf , unsigned char * tx_buf_raw ,
int length , unsigned char tx_delay )
{
int count = 0 ;
unsigned char checksum = 0 , buf [ 400 ] ;
int raw_count = 0 ;
tx_buf_raw [ raw_count + + ] = SIXP_PRIO_CMD_MASK | SIXP_TX_MASK ;
tx_buf_raw [ raw_count + + ] = SIXP_SEOF ;
buf [ 0 ] = tx_delay ;
for ( count = 1 ; count < length ; count + + )
buf [ count ] = tx_buf [ count ] ;
for ( count = 0 ; count < length ; count + + )
checksum + = buf [ count ] ;
buf [ length ] = ( unsigned char ) 0xff - checksum ;
for ( count = 0 ; count < = length ; count + + ) {
if ( ( count % 3 ) = = 0 ) {
tx_buf_raw [ raw_count + + ] = ( buf [ count ] & 0x3f ) ;
tx_buf_raw [ raw_count ] = ( ( buf [ count ] > > 2 ) & 0x30 ) ;
} else if ( ( count % 3 ) = = 1 ) {
tx_buf_raw [ raw_count + + ] | = ( buf [ count ] & 0x0f ) ;
tx_buf_raw [ raw_count ] = ( ( buf [ count ] > > 2 ) & 0x3c ) ;
} else {
tx_buf_raw [ raw_count + + ] | = ( buf [ count ] & 0x03 ) ;
tx_buf_raw [ raw_count + + ] = ( buf [ count ] > > 2 ) ;
}
}
if ( ( length % 3 ) ! = 2 )
raw_count + + ;
tx_buf_raw [ raw_count + + ] = SIXP_SEOF ;
return raw_count ;
}
/* decode 4 sixpack-encoded bytes into 3 data bytes */
static void decode_data ( struct sixpack * sp , unsigned char inbyte )
{
unsigned char * buf ;
if ( sp - > rx_count ! = 3 ) {
sp - > raw_buf [ sp - > rx_count + + ] = inbyte ;
return ;
}
2021-08-13 18:14:33 +03:00
if ( sp - > rx_count_cooked + 2 > = sizeof ( sp - > cooked_buf ) ) {
pr_err ( " 6pack: cooked buffer overrun, data loss \n " ) ;
sp - > rx_count = 0 ;
return ;
}
2005-04-17 02:20:36 +04:00
buf = sp - > raw_buf ;
sp - > cooked_buf [ sp - > rx_count_cooked + + ] =
buf [ 0 ] | ( ( buf [ 1 ] < < 2 ) & 0xc0 ) ;
sp - > cooked_buf [ sp - > rx_count_cooked + + ] =
( buf [ 1 ] & 0x0f ) | ( ( buf [ 2 ] < < 2 ) & 0xf0 ) ;
sp - > cooked_buf [ sp - > rx_count_cooked + + ] =
( buf [ 2 ] & 0x03 ) | ( inbyte < < 2 ) ;
sp - > rx_count = 0 ;
}
/* identify and execute a 6pack priority command byte */
static void decode_prio_command ( struct sixpack * sp , unsigned char cmd )
{
int actual ;
if ( ( cmd & SIXP_PRIO_DATA_MASK ) ! = 0 ) { /* idle ? */
/* RX and DCD flags can only be set in the same prio command,
if the DCD flag has been set without the RX flag in the previous
prio command . If DCD has not been set before , something in the
transmission has gone wrong . In this case , RX and DCD are
cleared in order to prevent the decode_data routine from
reading further data that might be corrupt . */
if ( ( ( sp - > status & SIXP_DCD_MASK ) = = 0 ) & &
( ( cmd & SIXP_RX_DCD_MASK ) = = SIXP_RX_DCD_MASK ) ) {
if ( sp - > status ! = 1 )
printk ( KERN_DEBUG " 6pack: protocol violation \n " ) ;
else
sp - > status = 0 ;
2006-11-23 22:48:28 +03:00
cmd & = ~ SIXP_RX_DCD_MASK ;
2005-04-17 02:20:36 +04:00
}
sp - > status = cmd & SIXP_PRIO_DATA_MASK ;
} else { /* output watchdog char if idle */
if ( ( sp - > status2 ! = 0 ) & & ( sp - > duplex = = 1 ) ) {
sp - > led_state = 0x70 ;
2008-04-30 11:54:13 +04:00
sp - > tty - > ops - > write ( sp - > tty , & sp - > led_state , 1 ) ;
2005-04-17 02:20:36 +04:00
sp - > tx_enable = 1 ;
2008-04-30 11:54:13 +04:00
actual = sp - > tty - > ops - > write ( sp - > tty , sp - > xbuff , sp - > status2 ) ;
2005-04-17 02:20:36 +04:00
sp - > xleft - = actual ;
sp - > xhead + = actual ;
sp - > led_state = 0x60 ;
sp - > status2 = 0 ;
}
}
/* needed to trigger the TNC watchdog */
2008-04-30 11:54:13 +04:00
sp - > tty - > ops - > write ( sp - > tty , & sp - > led_state , 1 ) ;
2005-04-17 02:20:36 +04:00
/* if the state byte has been received, the TNC is present,
so the resync timer can be reset . */
2019-01-02 15:24:20 +03:00
if ( sp - > tnc_state = = TNC_IN_SYNC )
mod_timer ( & sp - > resync_t , jiffies + SIXP_INIT_RESYNC_TIMEOUT ) ;
2005-04-17 02:20:36 +04:00
sp - > status1 = cmd & SIXP_PRIO_DATA_MASK ;
}
/* identify and execute a standard 6pack command byte */
static void decode_std_command ( struct sixpack * sp , unsigned char cmd )
{
2018-07-05 13:11:07 +03:00
unsigned char checksum = 0 , rest = 0 ;
2005-04-17 02:20:36 +04:00
short i ;
switch ( cmd & SIXP_CMD_MASK ) { /* normal command */
case SIXP_SEOF :
if ( ( sp - > rx_count = = 0 ) & & ( sp - > rx_count_cooked = = 0 ) ) {
if ( ( sp - > status & SIXP_RX_DCD_MASK ) = =
SIXP_RX_DCD_MASK ) {
sp - > led_state = 0x68 ;
2008-04-30 11:54:13 +04:00
sp - > tty - > ops - > write ( sp - > tty , & sp - > led_state , 1 ) ;
2005-04-17 02:20:36 +04:00
}
} else {
sp - > led_state = 0x60 ;
/* fill trailing bytes with zeroes */
2008-04-30 11:54:13 +04:00
sp - > tty - > ops - > write ( sp - > tty , & sp - > led_state , 1 ) ;
2005-04-17 02:20:36 +04:00
rest = sp - > rx_count ;
if ( rest ! = 0 )
for ( i = rest ; i < = 3 ; i + + )
decode_data ( sp , 0 ) ;
if ( rest = = 2 )
sp - > rx_count_cooked - = 2 ;
else if ( rest = = 3 )
sp - > rx_count_cooked - = 1 ;
for ( i = 0 ; i < sp - > rx_count_cooked ; i + + )
checksum + = sp - > cooked_buf [ i ] ;
if ( checksum ! = SIXP_CHKSUM ) {
printk ( KERN_DEBUG " 6pack: bad checksum %2.2x \n " , checksum ) ;
} else {
sp - > rcount = sp - > rx_count_cooked - 2 ;
sp_bump ( sp , 0 ) ;
}
sp - > rx_count_cooked = 0 ;
}
break ;
case SIXP_TX_URUN : printk ( KERN_DEBUG " 6pack: TX underrun \n " ) ;
break ;
case SIXP_RX_ORUN : printk ( KERN_DEBUG " 6pack: RX overrun \n " ) ;
break ;
case SIXP_RX_BUF_OVL :
printk ( KERN_DEBUG " 6pack: RX buffer overflow \n " ) ;
}
}
/* decode a 6pack packet */
static void
2016-09-19 22:15:24 +03:00
sixpack_decode ( struct sixpack * sp , const unsigned char * pre_rbuff , int count )
2005-04-17 02:20:36 +04:00
{
unsigned char inbyte ;
int count1 ;
for ( count1 = 0 ; count1 < count ; count1 + + ) {
inbyte = pre_rbuff [ count1 ] ;
if ( inbyte = = SIXP_FOUND_TNC ) {
tnc_set_sync_state ( sp , TNC_IN_SYNC ) ;
del_timer ( & sp - > resync_t ) ;
}
if ( ( inbyte & SIXP_PRIO_CMD_MASK ) ! = 0 )
decode_prio_command ( sp , inbyte ) ;
else if ( ( inbyte & SIXP_STD_CMD_MASK ) ! = 0 )
decode_std_command ( sp , inbyte ) ;
else if ( ( sp - > status & SIXP_RX_DCD_MASK ) = = SIXP_RX_DCD_MASK )
decode_data ( sp , inbyte ) ;
}
}
MODULE_AUTHOR ( " Ralf Baechle DO1GRB <ralf@linux-mips.org> " ) ;
MODULE_DESCRIPTION ( " 6pack driver for AX.25 " ) ;
MODULE_LICENSE ( " GPL " ) ;
MODULE_ALIAS_LDISC ( N_6PACK ) ;
module_init ( sixpack_init_driver ) ;
module_exit ( sixpack_exit_driver ) ;