tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge git://git.infradead.org/users/dwmw2/atm
David Woodhouse says:
====================
This is the result of pulling on the thread started by Krzysztof Mazur's
original patch 'pppoatm: don't send frames to destroyed vcc'.
Various problems in the pppoatm and br2684 code are solved, some of which
were easily triggered and would panic the kernel.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
+158
-62
+32
-51
drivers/atm/solos-pci.c
+32
-51
drivers/atm/solos-pci.c
···
164
164
static uint32_t fpga_tx(struct solos_card *);
165
165
static irqreturn_t solos_irq(int irq, void *dev_id);
166
166
static struct atm_vcc* find_vcc(struct atm_dev *dev, short vpi, int vci);
167
-
static int list_vccs(int vci);
168
167
static int atm_init(struct solos_card *, struct device *);
169
168
static void atm_remove(struct solos_card *);
170
169
static int send_command(struct solos_card *card, int dev, const char *buf, size_t size);
···
709
710
dev_warn(&card->dev->dev, "Received packet for unknown VPI.VCI %d.%d on port %d\n",
710
711
le16_to_cpu(header->vpi), le16_to_cpu(header->vci),
711
712
port);
712
-
continue;
713
+
dev_kfree_skb_any(skb);
714
+
break;
713
715
}
714
716
atm_charge(vcc, skb->truesize);
715
717
vcc->push(vcc, skb);
···
790
790
return vcc;
791
791
}
792
792
793
-
static int list_vccs(int vci)
794
-
{
795
-
struct hlist_head *head;
796
-
struct atm_vcc *vcc;
797
-
struct hlist_node *node;
798
-
struct sock *s;
799
-
int num_found = 0;
800
-
int i;
801
-
802
-
read_lock(&vcc_sklist_lock);
803
-
if (vci != 0){
804
-
head = &vcc_hash[vci & (VCC_HTABLE_SIZE -1)];
805
-
sk_for_each(s, node, head) {
806
-
num_found ++;
807
-
vcc = atm_sk(s);
808
-
printk(KERN_DEBUG "Device: %d Vpi: %d Vci: %d\n",
809
-
vcc->dev->number,
810
-
vcc->vpi,
811
-
vcc->vci);
812
-
}
813
-
} else {
814
-
for(i = 0; i < VCC_HTABLE_SIZE; i++){
815
-
head = &vcc_hash[i];
816
-
sk_for_each(s, node, head) {
817
-
num_found ++;
818
-
vcc = atm_sk(s);
819
-
printk(KERN_DEBUG "Device: %d Vpi: %d Vci: %d\n",
820
-
vcc->dev->number,
821
-
vcc->vpi,
822
-
vcc->vci);
823
-
}
824
-
}
825
-
}
826
-
read_unlock(&vcc_sklist_lock);
827
-
return num_found;
828
-
}
829
-
830
-
831
793
static int popen(struct atm_vcc *vcc)
832
794
{
833
795
struct solos_card *card = vcc->dev->dev_data;
···
802
840
return -EINVAL;
803
841
}
804
842
805
-
skb = alloc_skb(sizeof(*header), GFP_ATOMIC);
843
+
skb = alloc_skb(sizeof(*header), GFP_KERNEL);
806
844
if (!skb) {
807
845
if (net_ratelimit())
808
846
dev_warn(&card->dev->dev, "Failed to allocate sk_buff in popen()\n");
···
819
857
820
858
set_bit(ATM_VF_ADDR, &vcc->flags);
821
859
set_bit(ATM_VF_READY, &vcc->flags);
822
-
list_vccs(0);
823
-
824
860
825
861
return 0;
826
862
}
···
826
866
static void pclose(struct atm_vcc *vcc)
827
867
{
828
868
struct solos_card *card = vcc->dev->dev_data;
829
-
struct sk_buff *skb;
869
+
unsigned char port = SOLOS_CHAN(vcc->dev);
870
+
struct sk_buff *skb, *tmpskb;
830
871
struct pkt_hdr *header;
831
872
832
-
skb = alloc_skb(sizeof(*header), GFP_ATOMIC);
873
+
/* Remove any yet-to-be-transmitted packets from the pending queue */
874
+
spin_lock(&card->tx_queue_lock);
875
+
skb_queue_walk_safe(&card->tx_queue[port], skb, tmpskb) {
876
+
if (SKB_CB(skb)->vcc == vcc) {
877
+
skb_unlink(skb, &card->tx_queue[port]);
878
+
solos_pop(vcc, skb);
879
+
}
880
+
}
881
+
spin_unlock(&card->tx_queue_lock);
882
+
883
+
skb = alloc_skb(sizeof(*header), GFP_KERNEL);
833
884
if (!skb) {
834
885
dev_warn(&card->dev->dev, "Failed to allocate sk_buff in pclose()\n");
835
886
return;
···
852
881
header->vci = cpu_to_le16(vcc->vci);
853
882
header->type = cpu_to_le16(PKT_PCLOSE);
854
883
855
-
fpga_queue(card, SOLOS_CHAN(vcc->dev), skb, NULL);
884
+
skb_get(skb);
885
+
fpga_queue(card, port, skb, NULL);
856
886
857
-
clear_bit(ATM_VF_ADDR, &vcc->flags);
858
-
clear_bit(ATM_VF_READY, &vcc->flags);
887
+
if (!wait_event_timeout(card->param_wq, !skb_shared(skb), 5 * HZ))
888
+
dev_warn(&card->dev->dev,
889
+
"Timeout waiting for VCC close on port %d\n", port);
890
+
891
+
dev_kfree_skb(skb);
859
892
860
893
/* Hold up vcc_destroy_socket() (our caller) until solos_bh() in the
861
894
tasklet has finished processing any incoming packets (and, more to
862
895
the point, using the vcc pointer). */
863
896
tasklet_unlock_wait(&card->tlet);
897
+
898
+
clear_bit(ATM_VF_ADDR, &vcc->flags);
899
+
864
900
return;
865
901
}
866
902
···
989
1011
if (vcc) {
990
1012
atomic_inc(&vcc->stats->tx);
991
1013
solos_pop(vcc, oldskb);
992
-
} else
1014
+
} else {
993
1015
dev_kfree_skb_irq(oldskb);
994
-
1016
+
wake_up(&card->param_wq);
1017
+
}
995
1018
}
996
1019
}
997
1020
/* For non-DMA TX, write the 'TX start' bit for all four ports simultaneously */
···
1227
1248
card->atmdev[i]->phy_data = (void *)(unsigned long)i;
1228
1249
atm_dev_signal_change(card->atmdev[i], ATM_PHY_SIG_FOUND);
1229
1250
1230
-
skb = alloc_skb(sizeof(*header), GFP_ATOMIC);
1251
+
skb = alloc_skb(sizeof(*header), GFP_KERNEL);
1231
1252
if (!skb) {
1232
1253
dev_warn(&card->dev->dev, "Failed to allocate sk_buff in atm_init()\n");
1233
1254
continue;
···
1324
1345
1325
1346
static int __init solos_pci_init(void)
1326
1347
{
1348
+
BUILD_BUG_ON(sizeof(struct solos_skb_cb) > sizeof(((struct sk_buff *)0)->cb));
1349
+
1327
1350
printk(KERN_INFO "Solos PCI Driver Version %s\n", VERSION);
1328
1351
return pci_register_driver(&fpga_driver);
1329
1352
}
+2
include/linux/atmdev.h
+2
include/linux/atmdev.h
···
99
99
struct atm_dev *dev; /* device back pointer */
100
100
struct atm_qos qos; /* QOS */
101
101
struct atm_sap sap; /* SAP */
102
+
void (*release_cb)(struct atm_vcc *vcc); /* release_sock callback */
102
103
void (*push)(struct atm_vcc *vcc,struct sk_buff *skb);
103
104
void (*pop)(struct atm_vcc *vcc,struct sk_buff *skb); /* optional */
104
105
int (*push_oam)(struct atm_vcc *vcc,void *cell);
···
107
106
void *dev_data; /* per-device data */
108
107
void *proto_data; /* per-protocol data */
109
108
struct k_atm_aal_stats *stats; /* pointer to AAL stats group */
109
+
struct module *owner; /* owner of ->push function */
110
110
/* SVC part --- may move later ------------------------------------- */
111
111
short itf; /* interface number */
112
112
struct sockaddr_atmsvc local;
+49
-6
net/atm/br2684.c
+49
-6
net/atm/br2684.c
···
68
68
/* keep old push, pop functions for chaining */
69
69
void (*old_push)(struct atm_vcc *vcc, struct sk_buff *skb);
70
70
void (*old_pop)(struct atm_vcc *vcc, struct sk_buff *skb);
71
+
void (*old_release_cb)(struct atm_vcc *vcc);
72
+
struct module *old_owner;
71
73
enum br2684_encaps encaps;
72
74
struct list_head brvccs;
73
75
#ifdef CONFIG_ATM_BR2684_IPFILTER
···
271
269
return !atmvcc->send(atmvcc, skb);
272
270
}
273
271
272
+
static void br2684_release_cb(struct atm_vcc *atmvcc)
273
+
{
274
+
struct br2684_vcc *brvcc = BR2684_VCC(atmvcc);
275
+
276
+
if (atomic_read(&brvcc->qspace) > 0)
277
+
netif_wake_queue(brvcc->device);
278
+
279
+
if (brvcc->old_release_cb)
280
+
brvcc->old_release_cb(atmvcc);
281
+
}
282
+
274
283
static inline struct br2684_vcc *pick_outgoing_vcc(const struct sk_buff *skb,
275
284
const struct br2684_dev *brdev)
276
285
{
···
293
280
{
294
281
struct br2684_dev *brdev = BRPRIV(dev);
295
282
struct br2684_vcc *brvcc;
283
+
struct atm_vcc *atmvcc;
284
+
netdev_tx_t ret = NETDEV_TX_OK;
296
285
297
286
pr_debug("skb_dst(skb)=%p\n", skb_dst(skb));
298
287
read_lock(&devs_lock);
···
305
290
dev->stats.tx_carrier_errors++;
306
291
/* netif_stop_queue(dev); */
307
292
dev_kfree_skb(skb);
308
-
read_unlock(&devs_lock);
309
-
return NETDEV_TX_OK;
293
+
goto out_devs;
310
294
}
295
+
atmvcc = brvcc->atmvcc;
296
+
297
+
bh_lock_sock(sk_atm(atmvcc));
298
+
299
+
if (test_bit(ATM_VF_RELEASED, &atmvcc->flags) ||
300
+
test_bit(ATM_VF_CLOSE, &atmvcc->flags) ||
301
+
!test_bit(ATM_VF_READY, &atmvcc->flags)) {
302
+
dev->stats.tx_dropped++;
303
+
dev_kfree_skb(skb);
304
+
goto out;
305
+
}
306
+
307
+
if (sock_owned_by_user(sk_atm(atmvcc))) {
308
+
netif_stop_queue(brvcc->device);
309
+
ret = NETDEV_TX_BUSY;
310
+
goto out;
311
+
}
312
+
311
313
if (!br2684_xmit_vcc(skb, dev, brvcc)) {
312
314
/*
313
315
* We should probably use netif_*_queue() here, but that
···
336
304
dev->stats.tx_errors++;
337
305
dev->stats.tx_fifo_errors++;
338
306
}
307
+
out:
308
+
bh_unlock_sock(sk_atm(atmvcc));
309
+
out_devs:
339
310
read_unlock(&devs_lock);
340
-
return NETDEV_TX_OK;
311
+
return ret;
341
312
}
342
313
343
314
/*
···
413
378
list_del(&brvcc->brvccs);
414
379
write_unlock_irq(&devs_lock);
415
380
brvcc->atmvcc->user_back = NULL; /* what about vcc->recvq ??? */
381
+
brvcc->atmvcc->release_cb = brvcc->old_release_cb;
416
382
brvcc->old_push(brvcc->atmvcc, NULL); /* pass on the bad news */
383
+
module_put(brvcc->old_owner);
417
384
kfree(brvcc);
418
-
module_put(THIS_MODULE);
419
385
}
420
386
421
387
/* when AAL5 PDU comes in: */
···
590
554
brvcc->encaps = (enum br2684_encaps)be.encaps;
591
555
brvcc->old_push = atmvcc->push;
592
556
brvcc->old_pop = atmvcc->pop;
557
+
brvcc->old_release_cb = atmvcc->release_cb;
558
+
brvcc->old_owner = atmvcc->owner;
593
559
barrier();
594
560
atmvcc->push = br2684_push;
595
561
atmvcc->pop = br2684_pop;
562
+
atmvcc->release_cb = br2684_release_cb;
563
+
atmvcc->owner = THIS_MODULE;
596
564
597
565
/* initialize netdev carrier state */
598
566
if (atmvcc->dev->signal == ATM_PHY_SIG_LOST)
···
735
695
return -ENOIOCTLCMD;
736
696
if (!capable(CAP_NET_ADMIN))
737
697
return -EPERM;
738
-
if (cmd == ATM_SETBACKEND)
698
+
if (cmd == ATM_SETBACKEND) {
699
+
if (sock->state != SS_CONNECTED)
700
+
return -EINVAL;
739
701
return br2684_regvcc(atmvcc, argp);
740
-
else
702
+
} else {
741
703
return br2684_create(argp);
704
+
}
742
705
#ifdef CONFIG_ATM_BR2684_IPFILTER
743
706
case BR2684_SETFILT:
744
707
if (atmvcc->push != br2684_push)
+12
net/atm/common.c
+12
net/atm/common.c
···
126
126
rcu_read_unlock();
127
127
}
128
128
129
+
static void vcc_release_cb(struct sock *sk)
130
+
{
131
+
struct atm_vcc *vcc = atm_sk(sk);
132
+
133
+
if (vcc->release_cb)
134
+
vcc->release_cb(vcc);
135
+
}
136
+
129
137
static struct proto vcc_proto = {
130
138
.name = "VCC",
131
139
.owner = THIS_MODULE,
132
140
.obj_size = sizeof(struct atm_vcc),
141
+
.release_cb = vcc_release_cb,
133
142
};
134
143
135
144
int vcc_create(struct net *net, struct socket *sock, int protocol, int family)
···
165
156
atomic_set(&sk->sk_rmem_alloc, 0);
166
157
vcc->push = NULL;
167
158
vcc->pop = NULL;
159
+
vcc->owner = NULL;
168
160
vcc->push_oam = NULL;
161
+
vcc->release_cb = NULL;
169
162
vcc->vpi = vcc->vci = 0; /* no VCI/VPI yet */
170
163
vcc->atm_options = vcc->aal_options = 0;
171
164
sk->sk_destruct = vcc_sock_destruct;
···
186
175
vcc->dev->ops->close(vcc);
187
176
if (vcc->push)
188
177
vcc->push(vcc, NULL); /* atmarpd has no push */
178
+
module_put(vcc->owner);
189
179
190
180
while ((skb = skb_dequeue(&sk->sk_receive_queue)) != NULL) {
191
181
atm_return(vcc, skb->truesize);
+63
-5
net/atm/pppoatm.c
+63
-5
net/atm/pppoatm.c
···
60
60
struct atm_vcc *atmvcc; /* VCC descriptor */
61
61
void (*old_push)(struct atm_vcc *, struct sk_buff *);
62
62
void (*old_pop)(struct atm_vcc *, struct sk_buff *);
63
+
void (*old_release_cb)(struct atm_vcc *);
64
+
struct module *old_owner;
63
65
/* keep old push/pop for detaching */
64
66
enum pppoatm_encaps encaps;
65
67
atomic_t inflight;
···
109
107
ppp_output_wakeup((struct ppp_channel *) arg);
110
108
}
111
109
110
+
static void pppoatm_release_cb(struct atm_vcc *atmvcc)
111
+
{
112
+
struct pppoatm_vcc *pvcc = atmvcc_to_pvcc(atmvcc);
113
+
114
+
/*
115
+
* As in pppoatm_pop(), it's safe to clear the BLOCKED bit here because
116
+
* the wakeup *can't* race with pppoatm_send(). They both hold the PPP
117
+
* channel's ->downl lock. And the potential race with *setting* it,
118
+
* which leads to the double-check dance in pppoatm_may_send(), doesn't
119
+
* exist here. In the sock_owned_by_user() case in pppoatm_send(), we
120
+
* set the BLOCKED bit while the socket is still locked. We know that
121
+
* ->release_cb() can't be called until that's done.
122
+
*/
123
+
if (test_and_clear_bit(BLOCKED, &pvcc->blocked))
124
+
tasklet_schedule(&pvcc->wakeup_tasklet);
125
+
if (pvcc->old_release_cb)
126
+
pvcc->old_release_cb(atmvcc);
127
+
}
112
128
/*
113
129
* This gets called every time the ATM card has finished sending our
114
130
* skb. The ->old_pop will take care up normal atm flow control,
···
171
151
pvcc = atmvcc_to_pvcc(atmvcc);
172
152
atmvcc->push = pvcc->old_push;
173
153
atmvcc->pop = pvcc->old_pop;
154
+
atmvcc->release_cb = pvcc->old_release_cb;
174
155
tasklet_kill(&pvcc->wakeup_tasklet);
175
156
ppp_unregister_channel(&pvcc->chan);
176
157
atmvcc->user_back = NULL;
177
158
kfree(pvcc);
178
-
/* Gee, I hope we have the big kernel lock here... */
179
-
module_put(THIS_MODULE);
180
159
}
181
160
182
161
/* Called when an AAL5 PDU comes in */
···
184
165
struct pppoatm_vcc *pvcc = atmvcc_to_pvcc(atmvcc);
185
166
pr_debug("\n");
186
167
if (skb == NULL) { /* VCC was closed */
168
+
struct module *module;
169
+
187
170
pr_debug("removing ATMPPP VCC %p\n", pvcc);
171
+
module = pvcc->old_owner;
188
172
pppoatm_unassign_vcc(atmvcc);
189
173
atmvcc->push(atmvcc, NULL); /* Pass along bad news */
174
+
module_put(module);
190
175
return;
191
176
}
192
177
atm_return(atmvcc, skb->truesize);
···
234
211
ppp_input_error(&pvcc->chan, 0);
235
212
}
236
213
237
-
static inline int pppoatm_may_send(struct pppoatm_vcc *pvcc, int size)
214
+
static int pppoatm_may_send(struct pppoatm_vcc *pvcc, int size)
238
215
{
239
216
/*
240
217
* It's not clear that we need to bother with using atm_may_send()
···
292
269
static int pppoatm_send(struct ppp_channel *chan, struct sk_buff *skb)
293
270
{
294
271
struct pppoatm_vcc *pvcc = chan_to_pvcc(chan);
272
+
struct atm_vcc *vcc;
273
+
int ret;
274
+
295
275
ATM_SKB(skb)->vcc = pvcc->atmvcc;
296
276
pr_debug("(skb=0x%p, vcc=0x%p)\n", skb, pvcc->atmvcc);
297
277
if (skb->data[0] == '\0' && (pvcc->flags & SC_COMP_PROT))
298
278
(void) skb_pull(skb, 1);
279
+
280
+
vcc = ATM_SKB(skb)->vcc;
281
+
bh_lock_sock(sk_atm(vcc));
282
+
if (sock_owned_by_user(sk_atm(vcc))) {
283
+
/*
284
+
* Needs to happen (and be flushed, hence test_and_) before we unlock
285
+
* the socket. It needs to be seen by the time our ->release_cb gets
286
+
* called.
287
+
*/
288
+
test_and_set_bit(BLOCKED, &pvcc->blocked);
289
+
goto nospace;
290
+
}
291
+
if (test_bit(ATM_VF_RELEASED, &vcc->flags) ||
292
+
test_bit(ATM_VF_CLOSE, &vcc->flags) ||
293
+
!test_bit(ATM_VF_READY, &vcc->flags)) {
294
+
bh_unlock_sock(sk_atm(vcc));
295
+
kfree_skb(skb);
296
+
return DROP_PACKET;
297
+
}
298
+
299
299
switch (pvcc->encaps) { /* LLC encapsulation needed */
300
300
case e_llc:
301
301
if (skb_headroom(skb) < LLC_LEN) {
···
331
285
}
332
286
consume_skb(skb);
333
287
skb = n;
334
-
if (skb == NULL)
288
+
if (skb == NULL) {
289
+
bh_unlock_sock(sk_atm(vcc));
335
290
return DROP_PACKET;
291
+
}
336
292
} else if (!pppoatm_may_send(pvcc, skb->truesize))
337
293
goto nospace;
338
294
memcpy(skb_push(skb, LLC_LEN), pppllc, LLC_LEN);
···
344
296
goto nospace;
345
297
break;
346
298
case e_autodetect:
299
+
bh_unlock_sock(sk_atm(vcc));
347
300
pr_debug("Trying to send without setting encaps!\n");
348
301
kfree_skb(skb);
349
302
return 1;
···
354
305
ATM_SKB(skb)->atm_options = ATM_SKB(skb)->vcc->atm_options;
355
306
pr_debug("atm_skb(%p)->vcc(%p)->dev(%p)\n",
356
307
skb, ATM_SKB(skb)->vcc, ATM_SKB(skb)->vcc->dev);
357
-
return ATM_SKB(skb)->vcc->send(ATM_SKB(skb)->vcc, skb)
308
+
ret = ATM_SKB(skb)->vcc->send(ATM_SKB(skb)->vcc, skb)
358
309
? DROP_PACKET : 1;
310
+
bh_unlock_sock(sk_atm(vcc));
311
+
return ret;
359
312
nospace:
313
+
bh_unlock_sock(sk_atm(vcc));
360
314
/*
361
315
* We don't have space to send this SKB now, but we might have
362
316
* already applied SC_COMP_PROT compression, so may need to undo
···
414
362
atomic_set(&pvcc->inflight, NONE_INFLIGHT);
415
363
pvcc->old_push = atmvcc->push;
416
364
pvcc->old_pop = atmvcc->pop;
365
+
pvcc->old_owner = atmvcc->owner;
366
+
pvcc->old_release_cb = atmvcc->release_cb;
417
367
pvcc->encaps = (enum pppoatm_encaps) be.encaps;
418
368
pvcc->chan.private = pvcc;
419
369
pvcc->chan.ops = &pppoatm_ops;
···
431
377
atmvcc->user_back = pvcc;
432
378
atmvcc->push = pppoatm_push;
433
379
atmvcc->pop = pppoatm_pop;
380
+
atmvcc->release_cb = pppoatm_release_cb;
434
381
__module_get(THIS_MODULE);
382
+
atmvcc->owner = THIS_MODULE;
435
383
436
384
/* re-process everything received between connection setup and
437
385
backend setup */
···
462
406
return -ENOIOCTLCMD;
463
407
if (!capable(CAP_NET_ADMIN))
464
408
return -EPERM;
409
+
if (sock->state != SS_CONNECTED)
410
+
return -EINVAL;
465
411
return pppoatm_assign_vcc(atmvcc, argp);
466
412
}
467
413
case PPPIOCGCHAN: