1// SPDX-License-Identifier: GPL-2.0-or-later 2/* 3 * PPP synchronous tty channel driver for Linux. 4 * 5 * This is a ppp channel driver that can be used with tty device drivers 6 * that are frame oriented, such as synchronous HDLC devices. 7 * 8 * Complete PPP frames without encoding/decoding are exchanged between 9 * the channel driver and the device driver. 10 * 11 * The async map IOCTL codes are implemented to keep the user mode 12 * applications happy if they call them. Synchronous PPP does not use 13 * the async maps. 14 * 15 * Copyright 1999 Paul Mackerras. 16 * 17 * Also touched by the grubby hands of Paul Fulghum paulkf@microgate.com 18 * 19 * This driver provides the encapsulation and framing for sending 20 * and receiving PPP frames over sync serial lines. It relies on 21 * the generic PPP layer to give it frames to send and to process 22 * received frames. It implements the PPP line discipline. 23 * 24 * Part of the code in this driver was inspired by the old async-only 25 * PPP driver, written by Michael Callahan and Al Longyear, and 26 * subsequently hacked by Paul Mackerras. 27 * 28 * ==FILEVERSION 20040616== 29 */ 30 31#include <linux/module.h> 32#include <linux/kernel.h> 33#include <linux/skbuff.h> 34#include <linux/tty.h> 35#include <linux/netdevice.h> 36#include <linux/poll.h> 37#include <linux/ppp_defs.h> 38#include <linux/ppp-ioctl.h> 39#include <linux/ppp_channel.h> 40#include <linux/spinlock.h> 41#include <linux/completion.h> 42#include <linux/init.h> 43#include <linux/interrupt.h> 44#include <linux/slab.h> 45#include <linux/refcount.h> 46#include <asm/unaligned.h> 47#include <linux/uaccess.h> 48 49#define PPP_VERSION "2.4.2" 50 51/* Structure for storing local state. */ 52struct syncppp { 53 struct tty_struct *tty; 54 unsigned int flags; 55 unsigned int rbits; 56 int mru; 57 spinlock_t xmit_lock; 58 spinlock_t recv_lock; 59 unsigned long xmit_flags; 60 u32 xaccm[8]; 61 u32 raccm; 62 unsigned int bytes_sent; 63 unsigned int bytes_rcvd; 64 65 struct sk_buff *tpkt; 66 unsigned long last_xmit; 67 68 struct sk_buff_head rqueue; 69 70 struct tasklet_struct tsk; 71 72 refcount_t refcnt; 73 struct completion dead_cmp; 74 struct ppp_channel chan; /* interface to generic ppp layer */ 75}; 76 77/* Bit numbers in xmit_flags */ 78#define XMIT_WAKEUP 0 79#define XMIT_FULL 1 80 81/* Bits in rbits */ 82#define SC_RCV_BITS (SC_RCV_B7_1|SC_RCV_B7_0|SC_RCV_ODDP|SC_RCV_EVNP) 83 84#define PPPSYNC_MAX_RQLEN 32 /* arbitrary */ 85 86/* 87 * Prototypes. 88 */ 89static struct sk_buff* ppp_sync_txmunge(struct syncppp *ap, struct sk_buff *); 90static int ppp_sync_send(struct ppp_channel *chan, struct sk_buff *skb); 91static int ppp_sync_ioctl(struct ppp_channel *chan, unsigned int cmd, 92 unsigned long arg); 93static void ppp_sync_process(unsigned long arg); 94static int ppp_sync_push(struct syncppp *ap); 95static void ppp_sync_flush_output(struct syncppp *ap); 96static void ppp_sync_input(struct syncppp *ap, const unsigned char *buf, 97 char *flags, int count); 98 99static const struct ppp_channel_ops sync_ops = { 100 .start_xmit = ppp_sync_send, 101 .ioctl = ppp_sync_ioctl, 102}; 103 104/* 105 * Utility procedure to print a buffer in hex/ascii 106 */ 107static void 108ppp_print_buffer (const char *name, const __u8 *buf, int count) 109{ 110 if (name != NULL) 111 printk(KERN_DEBUG "ppp_synctty: %s, count = %d\n", name, count); 112 113 print_hex_dump_bytes("", DUMP_PREFIX_NONE, buf, count); 114} 115 116 117/* 118 * Routines implementing the synchronous PPP line discipline. 119 */ 120 121/* 122 * We have a potential race on dereferencing tty->disc_data, 123 * because the tty layer provides no locking at all - thus one 124 * cpu could be running ppp_synctty_receive while another 125 * calls ppp_synctty_close, which zeroes tty->disc_data and 126 * frees the memory that ppp_synctty_receive is using. The best 127 * way to fix this is to use a rwlock in the tty struct, but for now 128 * we use a single global rwlock for all ttys in ppp line discipline. 129 * 130 * FIXME: Fixed in tty_io nowadays. 131 */ 132static DEFINE_RWLOCK(disc_data_lock); 133 134static struct syncppp *sp_get(struct tty_struct *tty) 135{ 136 struct syncppp *ap; 137 138 read_lock(&disc_data_lock); 139 ap = tty->disc_data; 140 if (ap != NULL) 141 refcount_inc(&ap->refcnt); 142 read_unlock(&disc_data_lock); 143 return ap; 144} 145 146static void sp_put(struct syncppp *ap) 147{ 148 if (refcount_dec_and_test(&ap->refcnt)) 149 complete(&ap->dead_cmp); 150} 151 152/* 153 * Called when a tty is put into sync-PPP line discipline. 154 */ 155static int 156ppp_sync_open(struct tty_struct *tty) 157{ 158 struct syncppp *ap; 159 int err; 160 int speed; 161 162 if (tty->ops->write == NULL) 163 return -EOPNOTSUPP; 164 165 ap = kzalloc(sizeof(*ap), GFP_KERNEL); 166 err = -ENOMEM; 167 if (!ap) 168 goto out; 169 170 /* initialize the syncppp structure */ 171 ap->tty = tty; 172 ap->mru = PPP_MRU; 173 spin_lock_init(&ap->xmit_lock); 174 spin_lock_init(&ap->recv_lock); 175 ap->xaccm[0] = ~0U; 176 ap->xaccm[3] = 0x60000000U; 177 ap->raccm = ~0U; 178 179 skb_queue_head_init(&ap->rqueue); 180 tasklet_init(&ap->tsk, ppp_sync_process, (unsigned long) ap); 181 182 refcount_set(&ap->refcnt, 1); 183 init_completion(&ap->dead_cmp); 184 185 ap->chan.private = ap; 186 ap->chan.ops = &sync_ops; 187 ap->chan.mtu = PPP_MRU; 188 ap->chan.hdrlen = 2; /* for A/C bytes */ 189 speed = tty_get_baud_rate(tty); 190 ap->chan.speed = speed; 191 err = ppp_register_channel(&ap->chan); 192 if (err) 193 goto out_free; 194 195 tty->disc_data = ap; 196 tty->receive_room = 65536; 197 return 0; 198 199 out_free: 200 kfree(ap); 201 out: 202 return err; 203} 204 205/* 206 * Called when the tty is put into another line discipline 207 * or it hangs up. We have to wait for any cpu currently 208 * executing in any of the other ppp_synctty_* routines to 209 * finish before we can call ppp_unregister_channel and free 210 * the syncppp struct. This routine must be called from 211 * process context, not interrupt or softirq context. 212 */ 213static void 214ppp_sync_close(struct tty_struct *tty) 215{ 216 struct syncppp *ap; 217 218 write_lock_irq(&disc_data_lock); 219 ap = tty->disc_data; 220 tty->disc_data = NULL; 221 write_unlock_irq(&disc_data_lock); 222 if (!ap) 223 return; 224 225 /* 226 * We have now ensured that nobody can start using ap from now 227 * on, but we have to wait for all existing users to finish. 228 * Note that ppp_unregister_channel ensures that no calls to 229 * our channel ops (i.e. ppp_sync_send/ioctl) are in progress 230 * by the time it returns. 231 */ 232 if (!refcount_dec_and_test(&ap->refcnt)) 233 wait_for_completion(&ap->dead_cmp); 234 tasklet_kill(&ap->tsk); 235 236 ppp_unregister_channel(&ap->chan); 237 skb_queue_purge(&ap->rqueue); 238 kfree_skb(ap->tpkt); 239 kfree(ap); 240} 241 242/* 243 * Called on tty hangup in process context. 244 * 245 * Wait for I/O to driver to complete and unregister PPP channel. 246 * This is already done by the close routine, so just call that. 247 */ 248static int ppp_sync_hangup(struct tty_struct *tty) 249{ 250 ppp_sync_close(tty); 251 return 0; 252} 253 254/* 255 * Read does nothing - no data is ever available this way. 256 * Pppd reads and writes packets via /dev/ppp instead. 257 */ 258static ssize_t 259ppp_sync_read(struct tty_struct *tty, struct file *file, 260 unsigned char *buf, size_t count, 261 void **cookie, unsigned long offset) 262{ 263 return -EAGAIN; 264} 265 266/* 267 * Write on the tty does nothing, the packets all come in 268 * from the ppp generic stuff. 269 */ 270static ssize_t 271ppp_sync_write(struct tty_struct *tty, struct file *file, 272 const unsigned char *buf, size_t count) 273{ 274 return -EAGAIN; 275} 276 277static int 278ppp_synctty_ioctl(struct tty_struct *tty, struct file *file, 279 unsigned int cmd, unsigned long arg) 280{ 281 struct syncppp *ap = sp_get(tty); 282 int __user *p = (int __user *)arg; 283 int err, val; 284 285 if (!ap) 286 return -ENXIO; 287 err = -EFAULT; 288 switch (cmd) { 289 case PPPIOCGCHAN: 290 err = -EFAULT; 291 if (put_user(ppp_channel_index(&ap->chan), p)) 292 break; 293 err = 0; 294 break; 295 296 case PPPIOCGUNIT: 297 err = -EFAULT; 298 if (put_user(ppp_unit_number(&ap->chan), p)) 299 break; 300 err = 0; 301 break; 302 303 case TCFLSH: 304 /* flush our buffers and the serial port's buffer */ 305 if (arg == TCIOFLUSH || arg == TCOFLUSH) 306 ppp_sync_flush_output(ap); 307 err = n_tty_ioctl_helper(tty, file, cmd, arg); 308 break; 309 310 case FIONREAD: 311 val = 0; 312 if (put_user(val, p)) 313 break; 314 err = 0; 315 break; 316 317 default: 318 err = tty_mode_ioctl(tty, file, cmd, arg); 319 break; 320 } 321 322 sp_put(ap); 323 return err; 324} 325 326/* No kernel lock - fine */ 327static __poll_t 328ppp_sync_poll(struct tty_struct *tty, struct file *file, poll_table *wait) 329{ 330 return 0; 331} 332 333/* May sleep, don't call from interrupt level or with interrupts disabled */ 334static void 335ppp_sync_receive(struct tty_struct *tty, const unsigned char *buf, 336 char *cflags, int count) 337{ 338 struct syncppp *ap = sp_get(tty); 339 unsigned long flags; 340 341 if (!ap) 342 return; 343 spin_lock_irqsave(&ap->recv_lock, flags); 344 ppp_sync_input(ap, buf, cflags, count); 345 spin_unlock_irqrestore(&ap->recv_lock, flags); 346 if (!skb_queue_empty(&ap->rqueue)) 347 tasklet_schedule(&ap->tsk); 348 sp_put(ap); 349 tty_unthrottle(tty); 350} 351 352static void 353ppp_sync_wakeup(struct tty_struct *tty) 354{ 355 struct syncppp *ap = sp_get(tty); 356 357 clear_bit(TTY_DO_WRITE_WAKEUP, &tty->flags); 358 if (!ap) 359 return; 360 set_bit(XMIT_WAKEUP, &ap->xmit_flags); 361 tasklet_schedule(&ap->tsk); 362 sp_put(ap); 363} 364 365 366static struct tty_ldisc_ops ppp_sync_ldisc = { 367 .owner = THIS_MODULE, 368 .magic = TTY_LDISC_MAGIC, 369 .name = "pppsync", 370 .open = ppp_sync_open, 371 .close = ppp_sync_close, 372 .hangup = ppp_sync_hangup, 373 .read = ppp_sync_read, 374 .write = ppp_sync_write, 375 .ioctl = ppp_synctty_ioctl, 376 .poll = ppp_sync_poll, 377 .receive_buf = ppp_sync_receive, 378 .write_wakeup = ppp_sync_wakeup, 379}; 380 381static int __init 382ppp_sync_init(void) 383{ 384 int err; 385 386 err = tty_register_ldisc(N_SYNC_PPP, &ppp_sync_ldisc); 387 if (err != 0) 388 printk(KERN_ERR "PPP_sync: error %d registering line disc.\n", 389 err); 390 return err; 391} 392 393/* 394 * The following routines provide the PPP channel interface. 395 */ 396static int 397ppp_sync_ioctl(struct ppp_channel *chan, unsigned int cmd, unsigned long arg) 398{ 399 struct syncppp *ap = chan->private; 400 int err, val; 401 u32 accm[8]; 402 void __user *argp = (void __user *)arg; 403 u32 __user *p = argp; 404 405 err = -EFAULT; 406 switch (cmd) { 407 case PPPIOCGFLAGS: 408 val = ap->flags | ap->rbits; 409 if (put_user(val, (int __user *) argp)) 410 break; 411 err = 0; 412 break; 413 case PPPIOCSFLAGS: 414 if (get_user(val, (int __user *) argp)) 415 break; 416 ap->flags = val & ~SC_RCV_BITS; 417 spin_lock_irq(&ap->recv_lock); 418 ap->rbits = val & SC_RCV_BITS; 419 spin_unlock_irq(&ap->recv_lock); 420 err = 0; 421 break; 422 423 case PPPIOCGASYNCMAP: 424 if (put_user(ap->xaccm[0], p)) 425 break; 426 err = 0; 427 break; 428 case PPPIOCSASYNCMAP: 429 if (get_user(ap->xaccm[0], p)) 430 break; 431 err = 0; 432 break; 433 434 case PPPIOCGRASYNCMAP: 435 if (put_user(ap->raccm, p)) 436 break; 437 err = 0; 438 break; 439 case PPPIOCSRASYNCMAP: 440 if (get_user(ap->raccm, p)) 441 break; 442 err = 0; 443 break; 444 445 case PPPIOCGXASYNCMAP: 446 if (copy_to_user(argp, ap->xaccm, sizeof(ap->xaccm))) 447 break; 448 err = 0; 449 break; 450 case PPPIOCSXASYNCMAP: 451 if (copy_from_user(accm, argp, sizeof(accm))) 452 break; 453 accm[2] &= ~0x40000000U; /* can't escape 0x5e */ 454 accm[3] |= 0x60000000U; /* must escape 0x7d, 0x7e */ 455 memcpy(ap->xaccm, accm, sizeof(ap->xaccm)); 456 err = 0; 457 break; 458 459 case PPPIOCGMRU: 460 if (put_user(ap->mru, (int __user *) argp)) 461 break; 462 err = 0; 463 break; 464 case PPPIOCSMRU: 465 if (get_user(val, (int __user *) argp)) 466 break; 467 if (val > U16_MAX) { 468 err = -EINVAL; 469 break; 470 } 471 if (val < PPP_MRU) 472 val = PPP_MRU; 473 ap->mru = val; 474 err = 0; 475 break; 476 477 default: 478 err = -ENOTTY; 479 } 480 return err; 481} 482 483/* 484 * This is called at softirq level to deliver received packets 485 * to the ppp_generic code, and to tell the ppp_generic code 486 * if we can accept more output now. 487 */ 488static void ppp_sync_process(unsigned long arg) 489{ 490 struct syncppp *ap = (struct syncppp *) arg; 491 struct sk_buff *skb; 492 493 /* process received packets */ 494 while ((skb = skb_dequeue(&ap->rqueue)) != NULL) { 495 if (skb->len == 0) { 496 /* zero length buffers indicate error */ 497 ppp_input_error(&ap->chan, 0); 498 kfree_skb(skb); 499 } 500 else 501 ppp_input(&ap->chan, skb); 502 } 503 504 /* try to push more stuff out */ 505 if (test_bit(XMIT_WAKEUP, &ap->xmit_flags) && ppp_sync_push(ap)) 506 ppp_output_wakeup(&ap->chan); 507} 508 509/* 510 * Procedures for encapsulation and framing. 511 */ 512 513static struct sk_buff* 514ppp_sync_txmunge(struct syncppp *ap, struct sk_buff *skb) 515{ 516 int proto; 517 unsigned char *data; 518 int islcp; 519 520 data = skb->data; 521 proto = get_unaligned_be16(data); 522 523 /* LCP packets with codes between 1 (configure-request) 524 * and 7 (code-reject) must be sent as though no options 525 * have been negotiated. 526 */ 527 islcp = proto == PPP_LCP && 1 <= data[2] && data[2] <= 7; 528 529 /* compress protocol field if option enabled */ 530 if (data[0] == 0 && (ap->flags & SC_COMP_PROT) && !islcp) 531 skb_pull(skb,1); 532 533 /* prepend address/control fields if necessary */ 534 if ((ap->flags & SC_COMP_AC) == 0 || islcp) { 535 if (skb_headroom(skb) < 2) { 536 struct sk_buff *npkt = dev_alloc_skb(skb->len + 2); 537 if (npkt == NULL) { 538 kfree_skb(skb); 539 return NULL; 540 } 541 skb_reserve(npkt,2); 542 skb_copy_from_linear_data(skb, 543 skb_put(npkt, skb->len), skb->len); 544 consume_skb(skb); 545 skb = npkt; 546 } 547 skb_push(skb,2); 548 skb->data[0] = PPP_ALLSTATIONS; 549 skb->data[1] = PPP_UI; 550 } 551 552 ap->last_xmit = jiffies; 553 554 if (skb && ap->flags & SC_LOG_OUTPKT) 555 ppp_print_buffer ("send buffer", skb->data, skb->len); 556 557 return skb; 558} 559 560/* 561 * Transmit-side routines. 562 */ 563 564/* 565 * Send a packet to the peer over an sync tty line. 566 * Returns 1 iff the packet was accepted. 567 * If the packet was not accepted, we will call ppp_output_wakeup 568 * at some later time. 569 */ 570static int 571ppp_sync_send(struct ppp_channel *chan, struct sk_buff *skb) 572{ 573 struct syncppp *ap = chan->private; 574 575 ppp_sync_push(ap); 576 577 if (test_and_set_bit(XMIT_FULL, &ap->xmit_flags)) 578 return 0; /* already full */ 579 skb = ppp_sync_txmunge(ap, skb); 580 if (skb != NULL) 581 ap->tpkt = skb; 582 else 583 clear_bit(XMIT_FULL, &ap->xmit_flags); 584 585 ppp_sync_push(ap); 586 return 1; 587} 588 589/* 590 * Push as much data as possible out to the tty. 591 */ 592static int 593ppp_sync_push(struct syncppp *ap) 594{ 595 int sent, done = 0; 596 struct tty_struct *tty = ap->tty; 597 int tty_stuffed = 0; 598 599 if (!spin_trylock_bh(&ap->xmit_lock)) 600 return 0; 601 for (;;) { 602 if (test_and_clear_bit(XMIT_WAKEUP, &ap->xmit_flags)) 603 tty_stuffed = 0; 604 if (!tty_stuffed && ap->tpkt) { 605 set_bit(TTY_DO_WRITE_WAKEUP, &tty->flags); 606 sent = tty->ops->write(tty, ap->tpkt->data, ap->tpkt->len); 607 if (sent < 0) 608 goto flush; /* error, e.g. loss of CD */ 609 if (sent < ap->tpkt->len) { 610 tty_stuffed = 1; 611 } else { 612 consume_skb(ap->tpkt); 613 ap->tpkt = NULL; 614 clear_bit(XMIT_FULL, &ap->xmit_flags); 615 done = 1; 616 } 617 continue; 618 } 619 /* haven't made any progress */ 620 spin_unlock_bh(&ap->xmit_lock); 621 if (!(test_bit(XMIT_WAKEUP, &ap->xmit_flags) || 622 (!tty_stuffed && ap->tpkt))) 623 break; 624 if (!spin_trylock_bh(&ap->xmit_lock)) 625 break; 626 } 627 return done; 628 629flush: 630 if (ap->tpkt) { 631 kfree_skb(ap->tpkt); 632 ap->tpkt = NULL; 633 clear_bit(XMIT_FULL, &ap->xmit_flags); 634 done = 1; 635 } 636 spin_unlock_bh(&ap->xmit_lock); 637 return done; 638} 639 640/* 641 * Flush output from our internal buffers. 642 * Called for the TCFLSH ioctl. 643 */ 644static void 645ppp_sync_flush_output(struct syncppp *ap) 646{ 647 int done = 0; 648 649 spin_lock_bh(&ap->xmit_lock); 650 if (ap->tpkt != NULL) { 651 kfree_skb(ap->tpkt); 652 ap->tpkt = NULL; 653 clear_bit(XMIT_FULL, &ap->xmit_flags); 654 done = 1; 655 } 656 spin_unlock_bh(&ap->xmit_lock); 657 if (done) 658 ppp_output_wakeup(&ap->chan); 659} 660 661/* 662 * Receive-side routines. 663 */ 664 665/* called when the tty driver has data for us. 666 * 667 * Data is frame oriented: each call to ppp_sync_input is considered 668 * a whole frame. If the 1st flag byte is non-zero then the whole 669 * frame is considered to be in error and is tossed. 670 */ 671static void 672ppp_sync_input(struct syncppp *ap, const unsigned char *buf, 673 char *flags, int count) 674{ 675 struct sk_buff *skb; 676 unsigned char *p; 677 678 if (count == 0) 679 return; 680 681 if (ap->flags & SC_LOG_INPKT) 682 ppp_print_buffer ("receive buffer", buf, count); 683 684 /* stuff the chars in the skb */ 685 skb = dev_alloc_skb(ap->mru + PPP_HDRLEN + 2); 686 if (!skb) { 687 printk(KERN_ERR "PPPsync: no memory (input pkt)\n"); 688 goto err; 689 } 690 /* Try to get the payload 4-byte aligned */ 691 if (buf[0] != PPP_ALLSTATIONS) 692 skb_reserve(skb, 2 + (buf[0] & 1)); 693 694 if (flags && *flags) { 695 /* error flag set, ignore frame */ 696 goto err; 697 } else if (count > skb_tailroom(skb)) { 698 /* packet overflowed MRU */ 699 goto err; 700 } 701 702 skb_put_data(skb, buf, count); 703 704 /* strip address/control field if present */ 705 p = skb->data; 706 if (skb->len >= 2 && p[0] == PPP_ALLSTATIONS && p[1] == PPP_UI) { 707 /* chop off address/control */ 708 if (skb->len < 3) 709 goto err; 710 p = skb_pull(skb, 2); 711 } 712 713 /* PPP packet length should be >= 2 bytes when protocol field is not 714 * compressed. 715 */ 716 if (!(p[0] & 0x01) && skb->len < 2) 717 goto err; 718 719 /* queue the frame to be processed */ 720 skb_queue_tail(&ap->rqueue, skb); 721 return; 722 723err: 724 /* queue zero length packet as error indication */ 725 if (skb || (skb = dev_alloc_skb(0))) { 726 skb_trim(skb, 0); 727 skb_queue_tail(&ap->rqueue, skb); 728 } 729} 730 731static void __exit 732ppp_sync_cleanup(void) 733{ 734 if (tty_unregister_ldisc(N_SYNC_PPP) != 0) 735 printk(KERN_ERR "failed to unregister Sync PPP line discipline\n"); 736} 737 738module_init(ppp_sync_init); 739module_exit(ppp_sync_cleanup); 740MODULE_LICENSE("GPL"); 741MODULE_ALIAS_LDISC(N_SYNC_PPP); 742