1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * PPP synchronous tty channel driver for Linux. 4 * 5 * This is a ppp channel driver that can be used with tty device drivers 6 * that are frame oriented, such as synchronous HDLC devices. 7 * 8 * Complete PPP frames without encoding/decoding are exchanged between 9 * the channel driver and the device driver. 10 * 11 * The async map IOCTL codes are implemented to keep the user mode 12 * applications happy if they call them. Synchronous PPP does not use 13 * the async maps. 14 * 15 * Copyright 1999 Paul Mackerras. 16 * 17 * Also touched by the grubby hands of Paul Fulghum paulkf@microgate.com 18 * 19 * This driver provides the encapsulation and framing for sending 20 * and receiving PPP frames over sync serial lines. It relies on 21 * the generic PPP layer to give it frames to send and to process 22 * received frames. It implements the PPP line discipline. 23 * 24 * Part of the code in this driver was inspired by the old async-only 25 * PPP driver, written by Michael Callahan and Al Longyear, and 26 * subsequently hacked by Paul Mackerras. 27 * 28 * ==FILEVERSION 20040616== 29 */ 30 31 #include <linux/module.h> 32 #include <linux/kernel.h> 33 #include <linux/skbuff.h> 34 #include <linux/tty.h> 35 #include <linux/netdevice.h> 36 #include <linux/poll.h> 37 #include <linux/ppp_defs.h> 38 #include <linux/ppp-ioctl.h> 39 #include <linux/ppp_channel.h> 40 #include <linux/spinlock.h> 41 #include <linux/completion.h> 42 #include <linux/init.h> 43 #include <linux/interrupt.h> 44 #include <linux/slab.h> 45 #include <linux/refcount.h> 46 #include <asm/unaligned.h> 47 #include <linux/uaccess.h> 48 49 #define PPP_VERSION "2.4.2" 50 51 /* Structure for storing local state. */ 52 struct syncppp { 53 struct tty_struct *tty; 54 unsigned int flags; 55 unsigned int rbits; 56 int mru; 57 spinlock_t xmit_lock; 58 spinlock_t recv_lock; 59 unsigned long xmit_flags; 60 u32 xaccm[8]; 61 u32 raccm; 62 unsigned int bytes_sent; 63 unsigned int bytes_rcvd; 64 65 struct sk_buff *tpkt; 66 unsigned long last_xmit; 67 68 struct sk_buff_head rqueue; 69 70 struct tasklet_struct tsk; 71 72 refcount_t refcnt; 73 struct completion dead_cmp; 74 struct ppp_channel chan; /* interface to generic ppp layer */ 75 }; 76 77 /* Bit numbers in xmit_flags */ 78 #define XMIT_WAKEUP 0 79 #define XMIT_FULL 1 80 81 /* Bits in rbits */ 82 #define SC_RCV_BITS (SC_RCV_B7_1|SC_RCV_B7_0|SC_RCV_ODDP|SC_RCV_EVNP) 83 84 #define PPPSYNC_MAX_RQLEN 32 /* arbitrary */ 85 86 /* 87 * Prototypes. 88 */ 89 static struct sk_buff* ppp_sync_txmunge(struct syncppp *ap, struct sk_buff *); 90 static int ppp_sync_send(struct ppp_channel *chan, struct sk_buff *skb); 91 static int ppp_sync_ioctl(struct ppp_channel *chan, unsigned int cmd, 92 unsigned long arg); 93 static void ppp_sync_process(struct tasklet_struct *t); 94 static int ppp_sync_push(struct syncppp *ap); 95 static void ppp_sync_flush_output(struct syncppp *ap); 96 static void ppp_sync_input(struct syncppp *ap, const unsigned char *buf, 97 const char *flags, int count); 98 99 static const struct ppp_channel_ops sync_ops = { 100 .start_xmit = ppp_sync_send, 101 .ioctl = ppp_sync_ioctl, 102 }; 103 104 /* 105 * Utility procedure to print a buffer in hex/ascii 106 */ 107 static void 108 ppp_print_buffer (const char *name, const __u8 *buf, int count) 109 { 110 if (name != NULL) 111 printk(KERN_DEBUG "ppp_synctty: %s, count = %d\n", name, count); 112 113 print_hex_dump_bytes("", DUMP_PREFIX_NONE, buf, count); 114 } 115 116 117 /* 118 * Routines implementing the synchronous PPP line discipline. 119 */ 120 121 /* 122 * We have a potential race on dereferencing tty->disc_data, 123 * because the tty layer provides no locking at all - thus one 124 * cpu could be running ppp_synctty_receive while another 125 * calls ppp_synctty_close, which zeroes tty->disc_data and 126 * frees the memory that ppp_synctty_receive is using. The best 127 * way to fix this is to use a rwlock in the tty struct, but for now 128 * we use a single global rwlock for all ttys in ppp line discipline. 129 * 130 * FIXME: Fixed in tty_io nowadays. 131 */ 132 static DEFINE_RWLOCK(disc_data_lock); 133 134 static struct syncppp *sp_get(struct tty_struct *tty) 135 { 136 struct syncppp *ap; 137 138 read_lock(&disc_data_lock); 139 ap = tty->disc_data; 140 if (ap != NULL) 141 refcount_inc(&ap->refcnt); 142 read_unlock(&disc_data_lock); 143 return ap; 144 } 145 146 static void sp_put(struct syncppp *ap) 147 { 148 if (refcount_dec_and_test(&ap->refcnt)) 149 complete(&ap->dead_cmp); 150 } 151 152 /* 153 * Called when a tty is put into sync-PPP line discipline. 154 */ 155 static int 156 ppp_sync_open(struct tty_struct *tty) 157 { 158 struct syncppp *ap; 159 int err; 160 int speed; 161 162 if (tty->ops->write == NULL) 163 return -EOPNOTSUPP; 164 165 ap = kzalloc(sizeof(*ap), GFP_KERNEL); 166 err = -ENOMEM; 167 if (!ap) 168 goto out; 169 170 /* initialize the syncppp structure */ 171 ap->tty = tty; 172 ap->mru = PPP_MRU; 173 spin_lock_init(&ap->xmit_lock); 174 spin_lock_init(&ap->recv_lock); 175 ap->xaccm[0] = ~0U; 176 ap->xaccm[3] = 0x60000000U; 177 ap->raccm = ~0U; 178 179 skb_queue_head_init(&ap->rqueue); 180 tasklet_setup(&ap->tsk, ppp_sync_process); 181 182 refcount_set(&ap->refcnt, 1); 183 init_completion(&ap->dead_cmp); 184 185 ap->chan.private = ap; 186 ap->chan.ops = &sync_ops; 187 ap->chan.mtu = PPP_MRU; 188 ap->chan.hdrlen = 2; /* for A/C bytes */ 189 speed = tty_get_baud_rate(tty); 190 ap->chan.speed = speed; 191 err = ppp_register_channel(&ap->chan); 192 if (err) 193 goto out_free; 194 195 tty->disc_data = ap; 196 tty->receive_room = 65536; 197 return 0; 198 199 out_free: 200 kfree(ap); 201 out: 202 return err; 203 } 204 205 /* 206 * Called when the tty is put into another line discipline 207 * or it hangs up. We have to wait for any cpu currently 208 * executing in any of the other ppp_synctty_* routines to 209 * finish before we can call ppp_unregister_channel and free 210 * the syncppp struct. This routine must be called from 211 * process context, not interrupt or softirq context. 212 */ 213 static void 214 ppp_sync_close(struct tty_struct *tty) 215 { 216 struct syncppp *ap; 217 218 write_lock_irq(&disc_data_lock); 219 ap = tty->disc_data; 220 tty->disc_data = NULL; 221 write_unlock_irq(&disc_data_lock); 222 if (!ap) 223 return; 224 225 /* 226 * We have now ensured that nobody can start using ap from now 227 * on, but we have to wait for all existing users to finish. 228 * Note that ppp_unregister_channel ensures that no calls to 229 * our channel ops (i.e. ppp_sync_send/ioctl) are in progress 230 * by the time it returns. 231 */ 232 if (!refcount_dec_and_test(&ap->refcnt)) 233 wait_for_completion(&ap->dead_cmp); 234 tasklet_kill(&ap->tsk); 235 236 ppp_unregister_channel(&ap->chan); 237 skb_queue_purge(&ap->rqueue); 238 kfree_skb(ap->tpkt); 239 kfree(ap); 240 } 241 242 /* 243 * Called on tty hangup in process context. 244 * 245 * Wait for I/O to driver to complete and unregister PPP channel. 246 * This is already done by the close routine, so just call that. 247 */ 248 static int ppp_sync_hangup(struct tty_struct *tty) 249 { 250 ppp_sync_close(tty); 251 return 0; 252 } 253 254 /* 255 * Read does nothing - no data is ever available this way. 256 * Pppd reads and writes packets via /dev/ppp instead. 257 */ 258 static ssize_t 259 ppp_sync_read(struct tty_struct *tty, struct file *file, 260 unsigned char *buf, size_t count, 261 void **cookie, unsigned long offset) 262 { 263 return -EAGAIN; 264 } 265 266 /* 267 * Write on the tty does nothing, the packets all come in 268 * from the ppp generic stuff. 269 */ 270 static ssize_t 271 ppp_sync_write(struct tty_struct *tty, struct file *file, 272 const unsigned char *buf, size_t count) 273 { 274 return -EAGAIN; 275 } 276 277 static int 278 ppp_synctty_ioctl(struct tty_struct *tty, struct file *file, 279 unsigned int cmd, unsigned long arg) 280 { 281 struct syncppp *ap = sp_get(tty); 282 int __user *p = (int __user *)arg; 283 int err, val; 284 285 if (!ap) 286 return -ENXIO; 287 err = -EFAULT; 288 switch (cmd) { 289 case PPPIOCGCHAN: 290 err = -EFAULT; 291 if (put_user(ppp_channel_index(&ap->chan), p)) 292 break; 293 err = 0; 294 break; 295 296 case PPPIOCGUNIT: 297 err = -EFAULT; 298 if (put_user(ppp_unit_number(&ap->chan), p)) 299 break; 300 err = 0; 301 break; 302 303 case TCFLSH: 304 /* flush our buffers and the serial port's buffer */ 305 if (arg == TCIOFLUSH || arg == TCOFLUSH) 306 ppp_sync_flush_output(ap); 307 err = n_tty_ioctl_helper(tty, file, cmd, arg); 308 break; 309 310 case FIONREAD: 311 val = 0; 312 if (put_user(val, p)) 313 break; 314 err = 0; 315 break; 316 317 default: 318 err = tty_mode_ioctl(tty, file, cmd, arg); 319 break; 320 } 321 322 sp_put(ap); 323 return err; 324 } 325 326 /* No kernel lock - fine */ 327 static __poll_t 328 ppp_sync_poll(struct tty_struct *tty, struct file *file, poll_table *wait) 329 { 330 return 0; 331 } 332 333 /* May sleep, don't call from interrupt level or with interrupts disabled */ 334 static void 335 ppp_sync_receive(struct tty_struct *tty, const unsigned char *buf, 336 const char *cflags, int count) 337 { 338 struct syncppp *ap = sp_get(tty); 339 unsigned long flags; 340 341 if (!ap) 342 return; 343 spin_lock_irqsave(&ap->recv_lock, flags); 344 ppp_sync_input(ap, buf, cflags, count); 345 spin_unlock_irqrestore(&ap->recv_lock, flags); 346 if (!skb_queue_empty(&ap->rqueue)) 347 tasklet_schedule(&ap->tsk); 348 sp_put(ap); 349 tty_unthrottle(tty); 350 } 351 352 static void 353 ppp_sync_wakeup(struct tty_struct *tty) 354 { 355 struct syncppp *ap = sp_get(tty); 356 357 clear_bit(TTY_DO_WRITE_WAKEUP, &tty->flags); 358 if (!ap) 359 return; 360 set_bit(XMIT_WAKEUP, &ap->xmit_flags); 361 tasklet_schedule(&ap->tsk); 362 sp_put(ap); 363 } 364 365 366 static struct tty_ldisc_ops ppp_sync_ldisc = { 367 .owner = THIS_MODULE, 368 .num = N_SYNC_PPP, 369 .name = "pppsync", 370 .open = ppp_sync_open, 371 .close = ppp_sync_close, 372 .hangup = ppp_sync_hangup, 373 .read = ppp_sync_read, 374 .write = ppp_sync_write, 375 .ioctl = ppp_synctty_ioctl, 376 .poll = ppp_sync_poll, 377 .receive_buf = ppp_sync_receive, 378 .write_wakeup = ppp_sync_wakeup, 379 }; 380 381 static int __init 382 ppp_sync_init(void) 383 { 384 int err; 385 386 err = tty_register_ldisc(&ppp_sync_ldisc); 387 if (err != 0) 388 printk(KERN_ERR "PPP_sync: error %d registering line disc.\n", 389 err); 390 return err; 391 } 392 393 /* 394 * The following routines provide the PPP channel interface. 395 */ 396 static int 397 ppp_sync_ioctl(struct ppp_channel *chan, unsigned int cmd, unsigned long arg) 398 { 399 struct syncppp *ap = chan->private; 400 int err, val; 401 u32 accm[8]; 402 void __user *argp = (void __user *)arg; 403 u32 __user *p = argp; 404 405 err = -EFAULT; 406 switch (cmd) { 407 case PPPIOCGFLAGS: 408 val = ap->flags | ap->rbits; 409 if (put_user(val, (int __user *) argp)) 410 break; 411 err = 0; 412 break; 413 case PPPIOCSFLAGS: 414 if (get_user(val, (int __user *) argp)) 415 break; 416 ap->flags = val & ~SC_RCV_BITS; 417 spin_lock_irq(&ap->recv_lock); 418 ap->rbits = val & SC_RCV_BITS; 419 spin_unlock_irq(&ap->recv_lock); 420 err = 0; 421 break; 422 423 case PPPIOCGASYNCMAP: 424 if (put_user(ap->xaccm[0], p)) 425 break; 426 err = 0; 427 break; 428 case PPPIOCSASYNCMAP: 429 if (get_user(ap->xaccm[0], p)) 430 break; 431 err = 0; 432 break; 433 434 case PPPIOCGRASYNCMAP: 435 if (put_user(ap->raccm, p)) 436 break; 437 err = 0; 438 break; 439 case PPPIOCSRASYNCMAP: 440 if (get_user(ap->raccm, p)) 441 break; 442 err = 0; 443 break; 444 445 case PPPIOCGXASYNCMAP: 446 if (copy_to_user(argp, ap->xaccm, sizeof(ap->xaccm))) 447 break; 448 err = 0; 449 break; 450 case PPPIOCSXASYNCMAP: 451 if (copy_from_user(accm, argp, sizeof(accm))) 452 break; 453 accm[2] &= ~0x40000000U; /* can't escape 0x5e */ 454 accm[3] |= 0x60000000U; /* must escape 0x7d, 0x7e */ 455 memcpy(ap->xaccm, accm, sizeof(ap->xaccm)); 456 err = 0; 457 break; 458 459 case PPPIOCGMRU: 460 if (put_user(ap->mru, (int __user *) argp)) 461 break; 462 err = 0; 463 break; 464 case PPPIOCSMRU: 465 if (get_user(val, (int __user *) argp)) 466 break; 467 if (val < PPP_MRU) 468 val = PPP_MRU; 469 ap->mru = val; 470 err = 0; 471 break; 472 473 default: 474 err = -ENOTTY; 475 } 476 return err; 477 } 478 479 /* 480 * This is called at softirq level to deliver received packets 481 * to the ppp_generic code, and to tell the ppp_generic code 482 * if we can accept more output now. 483 */ 484 static void ppp_sync_process(struct tasklet_struct *t) 485 { 486 struct syncppp *ap = from_tasklet(ap, t, tsk); 487 struct sk_buff *skb; 488 489 /* process received packets */ 490 while ((skb = skb_dequeue(&ap->rqueue)) != NULL) { 491 if (skb->len == 0) { 492 /* zero length buffers indicate error */ 493 ppp_input_error(&ap->chan, 0); 494 kfree_skb(skb); 495 } 496 else 497 ppp_input(&ap->chan, skb); 498 } 499 500 /* try to push more stuff out */ 501 if (test_bit(XMIT_WAKEUP, &ap->xmit_flags) && ppp_sync_push(ap)) 502 ppp_output_wakeup(&ap->chan); 503 } 504 505 /* 506 * Procedures for encapsulation and framing. 507 */ 508 509 static struct sk_buff* 510 ppp_sync_txmunge(struct syncppp *ap, struct sk_buff *skb) 511 { 512 int proto; 513 unsigned char *data; 514 int islcp; 515 516 data = skb->data; 517 proto = get_unaligned_be16(data); 518 519 /* LCP packets with codes between 1 (configure-request) 520 * and 7 (code-reject) must be sent as though no options 521 * have been negotiated. 522 */ 523 islcp = proto == PPP_LCP && 1 <= data[2] && data[2] <= 7; 524 525 /* compress protocol field if option enabled */ 526 if (data[0] == 0 && (ap->flags & SC_COMP_PROT) && !islcp) 527 skb_pull(skb,1); 528 529 /* prepend address/control fields if necessary */ 530 if ((ap->flags & SC_COMP_AC) == 0 || islcp) { 531 if (skb_headroom(skb) < 2) { 532 struct sk_buff *npkt = dev_alloc_skb(skb->len + 2); 533 if (npkt == NULL) { 534 kfree_skb(skb); 535 return NULL; 536 } 537 skb_reserve(npkt,2); 538 skb_copy_from_linear_data(skb, 539 skb_put(npkt, skb->len), skb->len); 540 consume_skb(skb); 541 skb = npkt; 542 } 543 skb_push(skb,2); 544 skb->data[0] = PPP_ALLSTATIONS; 545 skb->data[1] = PPP_UI; 546 } 547 548 ap->last_xmit = jiffies; 549 550 if (skb && ap->flags & SC_LOG_OUTPKT) 551 ppp_print_buffer ("send buffer", skb->data, skb->len); 552 553 return skb; 554 } 555 556 /* 557 * Transmit-side routines. 558 */ 559 560 /* 561 * Send a packet to the peer over an sync tty line. 562 * Returns 1 iff the packet was accepted. 563 * If the packet was not accepted, we will call ppp_output_wakeup 564 * at some later time. 565 */ 566 static int 567 ppp_sync_send(struct ppp_channel *chan, struct sk_buff *skb) 568 { 569 struct syncppp *ap = chan->private; 570 571 ppp_sync_push(ap); 572 573 if (test_and_set_bit(XMIT_FULL, &ap->xmit_flags)) 574 return 0; /* already full */ 575 skb = ppp_sync_txmunge(ap, skb); 576 if (skb != NULL) 577 ap->tpkt = skb; 578 else 579 clear_bit(XMIT_FULL, &ap->xmit_flags); 580 581 ppp_sync_push(ap); 582 return 1; 583 } 584 585 /* 586 * Push as much data as possible out to the tty. 587 */ 588 static int 589 ppp_sync_push(struct syncppp *ap) 590 { 591 int sent, done = 0; 592 struct tty_struct *tty = ap->tty; 593 int tty_stuffed = 0; 594 595 if (!spin_trylock_bh(&ap->xmit_lock)) 596 return 0; 597 for (;;) { 598 if (test_and_clear_bit(XMIT_WAKEUP, &ap->xmit_flags)) 599 tty_stuffed = 0; 600 if (!tty_stuffed && ap->tpkt) { 601 set_bit(TTY_DO_WRITE_WAKEUP, &tty->flags); 602 sent = tty->ops->write(tty, ap->tpkt->data, ap->tpkt->len); 603 if (sent < 0) 604 goto flush; /* error, e.g. loss of CD */ 605 if (sent < ap->tpkt->len) { 606 tty_stuffed = 1; 607 } else { 608 consume_skb(ap->tpkt); 609 ap->tpkt = NULL; 610 clear_bit(XMIT_FULL, &ap->xmit_flags); 611 done = 1; 612 } 613 continue; 614 } 615 /* haven't made any progress */ 616 spin_unlock_bh(&ap->xmit_lock); 617 if (!(test_bit(XMIT_WAKEUP, &ap->xmit_flags) || 618 (!tty_stuffed && ap->tpkt))) 619 break; 620 if (!spin_trylock_bh(&ap->xmit_lock)) 621 break; 622 } 623 return done; 624 625 flush: 626 if (ap->tpkt) { 627 kfree_skb(ap->tpkt); 628 ap->tpkt = NULL; 629 clear_bit(XMIT_FULL, &ap->xmit_flags); 630 done = 1; 631 } 632 spin_unlock_bh(&ap->xmit_lock); 633 return done; 634 } 635 636 /* 637 * Flush output from our internal buffers. 638 * Called for the TCFLSH ioctl. 639 */ 640 static void 641 ppp_sync_flush_output(struct syncppp *ap) 642 { 643 int done = 0; 644 645 spin_lock_bh(&ap->xmit_lock); 646 if (ap->tpkt != NULL) { 647 kfree_skb(ap->tpkt); 648 ap->tpkt = NULL; 649 clear_bit(XMIT_FULL, &ap->xmit_flags); 650 done = 1; 651 } 652 spin_unlock_bh(&ap->xmit_lock); 653 if (done) 654 ppp_output_wakeup(&ap->chan); 655 } 656 657 /* 658 * Receive-side routines. 659 */ 660 661 /* called when the tty driver has data for us. 662 * 663 * Data is frame oriented: each call to ppp_sync_input is considered 664 * a whole frame. If the 1st flag byte is non-zero then the whole 665 * frame is considered to be in error and is tossed. 666 */ 667 static void 668 ppp_sync_input(struct syncppp *ap, const unsigned char *buf, 669 const char *flags, int count) 670 { 671 struct sk_buff *skb; 672 unsigned char *p; 673 674 if (count == 0) 675 return; 676 677 if (ap->flags & SC_LOG_INPKT) 678 ppp_print_buffer ("receive buffer", buf, count); 679 680 /* stuff the chars in the skb */ 681 skb = dev_alloc_skb(ap->mru + PPP_HDRLEN + 2); 682 if (!skb) { 683 printk(KERN_ERR "PPPsync: no memory (input pkt)\n"); 684 goto err; 685 } 686 /* Try to get the payload 4-byte aligned */ 687 if (buf[0] != PPP_ALLSTATIONS) 688 skb_reserve(skb, 2 + (buf[0] & 1)); 689 690 if (flags && *flags) { 691 /* error flag set, ignore frame */ 692 goto err; 693 } else if (count > skb_tailroom(skb)) { 694 /* packet overflowed MRU */ 695 goto err; 696 } 697 698 skb_put_data(skb, buf, count); 699 700 /* strip address/control field if present */ 701 p = skb->data; 702 if (p[0] == PPP_ALLSTATIONS && p[1] == PPP_UI) { 703 /* chop off address/control */ 704 if (skb->len < 3) 705 goto err; 706 p = skb_pull(skb, 2); 707 } 708 709 /* PPP packet length should be >= 2 bytes when protocol field is not 710 * compressed. 711 */ 712 if (!(p[0] & 0x01) && skb->len < 2) 713 goto err; 714 715 /* queue the frame to be processed */ 716 skb_queue_tail(&ap->rqueue, skb); 717 return; 718 719 err: 720 /* queue zero length packet as error indication */ 721 if (skb || (skb = dev_alloc_skb(0))) { 722 skb_trim(skb, 0); 723 skb_queue_tail(&ap->rqueue, skb); 724 } 725 } 726 727 static void __exit 728 ppp_sync_cleanup(void) 729 { 730 tty_unregister_ldisc(&ppp_sync_ldisc); 731 } 732 733 module_init(ppp_sync_init); 734 module_exit(ppp_sync_cleanup); 735 MODULE_LICENSE("GPL"); 736 MODULE_ALIAS_LDISC(N_SYNC_PPP); 737