2005-04-17 06:20:36 +08:00
|
|
|
/* $Id: capi.c,v 1.1.2.7 2004/04/28 09:48:59 armin Exp $
|
|
|
|
*
|
|
|
|
* CAPI 2.0 Interface for Linux
|
|
|
|
*
|
|
|
|
* Copyright 1996 by Carsten Paeth <calle@calle.de>
|
|
|
|
*
|
|
|
|
* This software may be used and distributed according to the terms
|
|
|
|
* of the GNU General Public License, incorporated herein by reference.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/module.h>
|
|
|
|
#include <linux/errno.h>
|
|
|
|
#include <linux/kernel.h>
|
|
|
|
#include <linux/major.h>
|
|
|
|
#include <linux/sched.h>
|
|
|
|
#include <linux/slab.h>
|
|
|
|
#include <linux/fcntl.h>
|
|
|
|
#include <linux/fs.h>
|
|
|
|
#include <linux/signal.h>
|
2007-05-08 15:32:43 +08:00
|
|
|
#include <linux/mutex.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include <linux/mm.h>
|
|
|
|
#include <linux/timer.h>
|
|
|
|
#include <linux/wait.h>
|
|
|
|
#include <linux/tty.h>
|
|
|
|
#include <linux/netdevice.h>
|
|
|
|
#include <linux/ppp_defs.h>
|
2012-03-04 20:56:55 +08:00
|
|
|
#include <linux/ppp-ioctl.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include <linux/skbuff.h>
|
|
|
|
#include <linux/proc_fs.h>
|
2010-01-14 19:10:54 +08:00
|
|
|
#include <linux/seq_file.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include <linux/poll.h>
|
|
|
|
#include <linux/capi.h>
|
|
|
|
#include <linux/kernelcapi.h>
|
|
|
|
#include <linux/init.h>
|
|
|
|
#include <linux/device.h>
|
|
|
|
#include <linux/moduleparam.h>
|
|
|
|
#include <linux/isdn/capiutil.h>
|
|
|
|
#include <linux/isdn/capicmd.h>
|
2010-02-08 18:12:06 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
MODULE_DESCRIPTION("CAPI4Linux: Userspace /dev/capi20 interface");
|
|
|
|
MODULE_AUTHOR("Carsten Paeth");
|
|
|
|
MODULE_LICENSE("GPL");
|
|
|
|
|
|
|
|
/* -------- driver information -------------------------------------- */
|
|
|
|
|
2010-07-11 19:18:53 +08:00
|
|
|
static DEFINE_MUTEX(capi_mutex);
|
2005-03-24 02:01:41 +08:00
|
|
|
static struct class *capi_class;
|
2005-05-01 23:59:29 +08:00
|
|
|
static int capi_major = 68; /* allocated */
|
2010-02-08 18:12:16 +08:00
|
|
|
|
|
|
|
module_param_named(major, capi_major, uint, 0);
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
#ifdef CONFIG_ISDN_CAPI_MIDDLEWARE
|
2010-02-08 18:12:16 +08:00
|
|
|
#define CAPINC_NR_PORTS 32
|
2005-04-17 06:20:36 +08:00
|
|
|
#define CAPINC_MAX_PORTS 256
|
2010-02-08 18:12:16 +08:00
|
|
|
|
2005-05-01 23:59:29 +08:00
|
|
|
static int capi_ttyminors = CAPINC_NR_PORTS;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
module_param_named(ttyminors, capi_ttyminors, uint, 0);
|
|
|
|
#endif /* CONFIG_ISDN_CAPI_MIDDLEWARE */
|
|
|
|
|
|
|
|
/* -------- defines ------------------------------------------------- */
|
|
|
|
|
|
|
|
#define CAPINC_MAX_RECVQUEUE 10
|
|
|
|
#define CAPINC_MAX_SENDQUEUE 10
|
|
|
|
#define CAPI_MAX_BLKSIZE 2048
|
|
|
|
|
|
|
|
/* -------- data structures ----------------------------------------- */
|
|
|
|
|
|
|
|
struct capidev;
|
|
|
|
struct capincci;
|
|
|
|
struct capiminor;
|
|
|
|
|
2010-02-08 18:12:37 +08:00
|
|
|
struct ackqueue_entry {
|
[PATCH] CAPI crash / race condition
I am getting more or less reproducible crashes from the CAPI subsystem
using the fcdsl driver:
Unable to handle kernel NULL pointer dereference at virtual address 00000010
printing eip:
c39bbca4
*pde = 00000000
Oops: 0000 [#1]
Modules linked in: netconsole capi capifs 3c59x mii fcdsl kernelcapi uhci_hcd usbcore ide_cd cdrom
CPU: 0
EIP: 0060:[<c39bbca4>] Tainted: P VLI
EFLAGS: 00010202 (2.6.16.11 #3)
EIP is at handle_minor_send+0x17a/0x241 [capi]
eax: c24abbc0 ebx: c0b4c980 ecx: 00000010 edx: 00000010
esi: c1679140 edi: c2783016 ebp: 0000c28d esp: c0327e24
ds: 007b es: 007b ss: 0068
Process swapper (pid: 0, threadinfo=c0326000 task=c02e1300)
Stack: <0>000005b4 c1679180 00000000 c28d0000 c1ce04e0 c2f69654 c221604e c1679140
c39bc19a 00000038 c20c0400 c075c560 c1f2f800 00000000 c01dc9b5 c1e96a40
c075c560 c2ed64c0 c1e96a40 c01dcd3b c2fb94e8 c075c560 c0327f00 c1e96a40
Call Trace:
[<c39bc19a>] capinc_tty_write+0xda/0xf3 [capi]
[<c01dc9b5>] ppp_sync_push+0x52/0xfe
[<c01dcd3b>] ppp_sync_send+0x1f5/0x204
[<c01d9bc1>] ppp_push+0x3e/0x9c
[<c01dacd4>] ppp_xmit_process+0x422/0x4cc
[<c01daf3f>] ppp_start_xmit+0x1c1/0x1f6
[<c0213ea5>] qdisc_restart+0xa7/0x135
[<c020b112>] dev_queue_xmit+0xba/0x19e
[<c0223f69>] ip_output+0x1eb/0x236
[<c0220907>] ip_forward+0x1c1/0x21a
[<c021fa6c>] ip_rcv+0x38e/0x3ea
[<c020b4c2>] netif_receive_skb+0x166/0x195
[<c020b55e>] process_backlog+0x6d/0xd2
[<c020a30f>] net_rx_action+0x6a/0xff
[<c0112909>] __do_softirq+0x35/0x7d
[<c0112973>] do_softirq+0x22/0x26
[<c0103a9d>] do_IRQ+0x1e/0x25
[<c010255a>] common_interrupt+0x1a/0x20
[<c01013c5>] default_idle+0x2b/0x53
[<c0101426>] cpu_idle+0x39/0x4e
[<c0328386>] start_kernel+0x20b/0x20d
Code: c0 e8 b3 b6 77 fc 85 c0 75 10 68 d8 c8 9b c3 e8 82 3d 75 fc 8b 43 60 5a eb 50 8d 56 50 c7 00 00 00 00 00 66 89 68 04 eb 02 89
ca <8b> 0a 85 c9 75 f8 89 02 89 da ff 46 54 8b 46 10 e8 30 79 fd ff
<0>Kernel panic - not syncing: Fatal exception in interrupt
That oops took me to the "ackqueue" implementation in capi.c. The crash
occured in capincci_add_ack() (auto-inlined by the compiler).
I read the code a bit and finally decided to replace the custom linked list
implementation (struct capiminor->ackqueue) by a struct list_head. That
did not solve the crash, but produced the following interresting oops:
Unable to handle kernel paging request at virtual address 00200200
printing eip:
c39bb1f5
*pde = 00000000
Oops: 0002 [#1]
Modules linked in: netconsole capi capifs 3c59x mii fcdsl kernelcapi uhci_hcd usbcore ide_cd cdrom
CPU: 0
EIP: 0060:[<c39bb1f5>] Tainted: P VLI
EFLAGS: 00010246 (2.6.16.11 #3)
EIP is at capiminor_del_ack+0x18/0x49 [capi]
eax: 00200200 ebx: c18d41a0 ecx: c1385620 edx: 00100100
esi: 0000d147 edi: 00001103 ebp: 0000d147 esp: c1093f3c
ds: 007b es: 007b ss: 0068
Process events/0 (pid: 3, threadinfo=c1092000 task=c1089030)
Stack: <0>c2a17580 c18d41a0 c39bbd16 00000038 c18d41e0 00000000 d147c640 c29e0b68
c29e0b90 00000212 c29e0b68 c39932b2 c29e0bb0 c10736a0 c0119ef0 c399326c
c10736a8 c10736a0 c10736b0 c0119f93 c011a06e 00000001 00000000 00000000
Call Trace:
[<c39bbd16>] handle_minor_send+0x1af/0x241 [capi]
[<c39932b2>] recv_handler+0x46/0x5f [kernelcapi]
[<c0119ef0>] run_workqueue+0x5e/0x8d
[<c399326c>] recv_handler+0x0/0x5f [kernelcapi]
[<c0119f93>] worker_thread+0x0/0x10b
[<c011a06e>] worker_thread+0xdb/0x10b
[<c010c998>] default_wake_function+0x0/0xc
[<c011c399>] kthread+0x90/0xbc
[<c011c309>] kthread+0x0/0xbc
[<c0100a65>] kernel_thread_helper+0x5/0xb
Code: 7e 02 89 ee 89 f0 5a f7 d0 c1 f8 1f 5b 21 f0 5e 5f 5d c3 56 53 8b 48 50 89 d6 89 c3 8b 11 eb 2f 66 39 71 08 75 25 8b 41 04 8b 11 <89> 10 89 42 04 c7 01 00 01 10 00 89 c8 c7 41 04 00 02 20 00 e8
The interresting part of it is the "virtual address 00200200", which is
LIST_POISON2. I thought about some race condition, but as this is an UP
system, it leads to questions on how it can happen. If we look at EFLAGS:
00010202, we see that interrupts are enabled at the time of the crash
(eflags & 0x200).
Finally, I don't understand all the capi code, but I think that
handle_minor_send() is racing somehow against capi_recv_message(), which
call both capiminor_del_ack(). So if an IRQ occurs in the middle of
capiminor_del_ack() and another instance of it is invoked, it leads to
linked list corruption.
I came up with the following patch. With this, I could not reproduce the
crash anymore. Clearly, this is not the correct fix for the issue. As this
seems to be some locking issue, there might be more locking issues in that
code. For example, doesn't the whole struct capiminor have to be locked
somehow?
Cc: Carsten Paeth <calle@calle.de>
Cc: Kai Germaschewski <kai.germaschewski@gmx.de>
Cc: Karsten Keil <kkeil@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-26 15:25:30 +08:00
|
|
|
struct list_head list;
|
|
|
|
u16 datahandle;
|
|
|
|
};
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
struct capiminor {
|
|
|
|
unsigned int minor;
|
|
|
|
|
2010-02-08 18:12:38 +08:00
|
|
|
struct capi20_appl *ap;
|
|
|
|
u32 ncci;
|
|
|
|
atomic_t datahandle;
|
|
|
|
atomic_t msgid;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-02-08 18:12:29 +08:00
|
|
|
struct tty_port port;
|
2005-04-17 06:20:36 +08:00
|
|
|
int ttyinstop;
|
|
|
|
int ttyoutstop;
|
|
|
|
|
2010-02-08 18:12:40 +08:00
|
|
|
struct sk_buff_head inqueue;
|
|
|
|
|
|
|
|
struct sk_buff_head outqueue;
|
|
|
|
int outbytes;
|
|
|
|
struct sk_buff *outskb;
|
|
|
|
spinlock_t outlock;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/* transmit path */
|
[PATCH] CAPI crash / race condition
I am getting more or less reproducible crashes from the CAPI subsystem
using the fcdsl driver:
Unable to handle kernel NULL pointer dereference at virtual address 00000010
printing eip:
c39bbca4
*pde = 00000000
Oops: 0000 [#1]
Modules linked in: netconsole capi capifs 3c59x mii fcdsl kernelcapi uhci_hcd usbcore ide_cd cdrom
CPU: 0
EIP: 0060:[<c39bbca4>] Tainted: P VLI
EFLAGS: 00010202 (2.6.16.11 #3)
EIP is at handle_minor_send+0x17a/0x241 [capi]
eax: c24abbc0 ebx: c0b4c980 ecx: 00000010 edx: 00000010
esi: c1679140 edi: c2783016 ebp: 0000c28d esp: c0327e24
ds: 007b es: 007b ss: 0068
Process swapper (pid: 0, threadinfo=c0326000 task=c02e1300)
Stack: <0>000005b4 c1679180 00000000 c28d0000 c1ce04e0 c2f69654 c221604e c1679140
c39bc19a 00000038 c20c0400 c075c560 c1f2f800 00000000 c01dc9b5 c1e96a40
c075c560 c2ed64c0 c1e96a40 c01dcd3b c2fb94e8 c075c560 c0327f00 c1e96a40
Call Trace:
[<c39bc19a>] capinc_tty_write+0xda/0xf3 [capi]
[<c01dc9b5>] ppp_sync_push+0x52/0xfe
[<c01dcd3b>] ppp_sync_send+0x1f5/0x204
[<c01d9bc1>] ppp_push+0x3e/0x9c
[<c01dacd4>] ppp_xmit_process+0x422/0x4cc
[<c01daf3f>] ppp_start_xmit+0x1c1/0x1f6
[<c0213ea5>] qdisc_restart+0xa7/0x135
[<c020b112>] dev_queue_xmit+0xba/0x19e
[<c0223f69>] ip_output+0x1eb/0x236
[<c0220907>] ip_forward+0x1c1/0x21a
[<c021fa6c>] ip_rcv+0x38e/0x3ea
[<c020b4c2>] netif_receive_skb+0x166/0x195
[<c020b55e>] process_backlog+0x6d/0xd2
[<c020a30f>] net_rx_action+0x6a/0xff
[<c0112909>] __do_softirq+0x35/0x7d
[<c0112973>] do_softirq+0x22/0x26
[<c0103a9d>] do_IRQ+0x1e/0x25
[<c010255a>] common_interrupt+0x1a/0x20
[<c01013c5>] default_idle+0x2b/0x53
[<c0101426>] cpu_idle+0x39/0x4e
[<c0328386>] start_kernel+0x20b/0x20d
Code: c0 e8 b3 b6 77 fc 85 c0 75 10 68 d8 c8 9b c3 e8 82 3d 75 fc 8b 43 60 5a eb 50 8d 56 50 c7 00 00 00 00 00 66 89 68 04 eb 02 89
ca <8b> 0a 85 c9 75 f8 89 02 89 da ff 46 54 8b 46 10 e8 30 79 fd ff
<0>Kernel panic - not syncing: Fatal exception in interrupt
That oops took me to the "ackqueue" implementation in capi.c. The crash
occured in capincci_add_ack() (auto-inlined by the compiler).
I read the code a bit and finally decided to replace the custom linked list
implementation (struct capiminor->ackqueue) by a struct list_head. That
did not solve the crash, but produced the following interresting oops:
Unable to handle kernel paging request at virtual address 00200200
printing eip:
c39bb1f5
*pde = 00000000
Oops: 0002 [#1]
Modules linked in: netconsole capi capifs 3c59x mii fcdsl kernelcapi uhci_hcd usbcore ide_cd cdrom
CPU: 0
EIP: 0060:[<c39bb1f5>] Tainted: P VLI
EFLAGS: 00010246 (2.6.16.11 #3)
EIP is at capiminor_del_ack+0x18/0x49 [capi]
eax: 00200200 ebx: c18d41a0 ecx: c1385620 edx: 00100100
esi: 0000d147 edi: 00001103 ebp: 0000d147 esp: c1093f3c
ds: 007b es: 007b ss: 0068
Process events/0 (pid: 3, threadinfo=c1092000 task=c1089030)
Stack: <0>c2a17580 c18d41a0 c39bbd16 00000038 c18d41e0 00000000 d147c640 c29e0b68
c29e0b90 00000212 c29e0b68 c39932b2 c29e0bb0 c10736a0 c0119ef0 c399326c
c10736a8 c10736a0 c10736b0 c0119f93 c011a06e 00000001 00000000 00000000
Call Trace:
[<c39bbd16>] handle_minor_send+0x1af/0x241 [capi]
[<c39932b2>] recv_handler+0x46/0x5f [kernelcapi]
[<c0119ef0>] run_workqueue+0x5e/0x8d
[<c399326c>] recv_handler+0x0/0x5f [kernelcapi]
[<c0119f93>] worker_thread+0x0/0x10b
[<c011a06e>] worker_thread+0xdb/0x10b
[<c010c998>] default_wake_function+0x0/0xc
[<c011c399>] kthread+0x90/0xbc
[<c011c309>] kthread+0x0/0xbc
[<c0100a65>] kernel_thread_helper+0x5/0xb
Code: 7e 02 89 ee 89 f0 5a f7 d0 c1 f8 1f 5b 21 f0 5e 5f 5d c3 56 53 8b 48 50 89 d6 89 c3 8b 11 eb 2f 66 39 71 08 75 25 8b 41 04 8b 11 <89> 10 89 42 04 c7 01 00 01 10 00 89 c8 c7 41 04 00 02 20 00 e8
The interresting part of it is the "virtual address 00200200", which is
LIST_POISON2. I thought about some race condition, but as this is an UP
system, it leads to questions on how it can happen. If we look at EFLAGS:
00010202, we see that interrupts are enabled at the time of the crash
(eflags & 0x200).
Finally, I don't understand all the capi code, but I think that
handle_minor_send() is racing somehow against capi_recv_message(), which
call both capiminor_del_ack(). So if an IRQ occurs in the middle of
capiminor_del_ack() and another instance of it is invoked, it leads to
linked list corruption.
I came up with the following patch. With this, I could not reproduce the
crash anymore. Clearly, this is not the correct fix for the issue. As this
seems to be some locking issue, there might be more locking issues in that
code. For example, doesn't the whole struct capiminor have to be locked
somehow?
Cc: Carsten Paeth <calle@calle.de>
Cc: Kai Germaschewski <kai.germaschewski@gmx.de>
Cc: Karsten Keil <kkeil@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-26 15:25:30 +08:00
|
|
|
struct list_head ackqueue;
|
2005-04-17 06:20:36 +08:00
|
|
|
int nack;
|
[PATCH] CAPI crash / race condition
I am getting more or less reproducible crashes from the CAPI subsystem
using the fcdsl driver:
Unable to handle kernel NULL pointer dereference at virtual address 00000010
printing eip:
c39bbca4
*pde = 00000000
Oops: 0000 [#1]
Modules linked in: netconsole capi capifs 3c59x mii fcdsl kernelcapi uhci_hcd usbcore ide_cd cdrom
CPU: 0
EIP: 0060:[<c39bbca4>] Tainted: P VLI
EFLAGS: 00010202 (2.6.16.11 #3)
EIP is at handle_minor_send+0x17a/0x241 [capi]
eax: c24abbc0 ebx: c0b4c980 ecx: 00000010 edx: 00000010
esi: c1679140 edi: c2783016 ebp: 0000c28d esp: c0327e24
ds: 007b es: 007b ss: 0068
Process swapper (pid: 0, threadinfo=c0326000 task=c02e1300)
Stack: <0>000005b4 c1679180 00000000 c28d0000 c1ce04e0 c2f69654 c221604e c1679140
c39bc19a 00000038 c20c0400 c075c560 c1f2f800 00000000 c01dc9b5 c1e96a40
c075c560 c2ed64c0 c1e96a40 c01dcd3b c2fb94e8 c075c560 c0327f00 c1e96a40
Call Trace:
[<c39bc19a>] capinc_tty_write+0xda/0xf3 [capi]
[<c01dc9b5>] ppp_sync_push+0x52/0xfe
[<c01dcd3b>] ppp_sync_send+0x1f5/0x204
[<c01d9bc1>] ppp_push+0x3e/0x9c
[<c01dacd4>] ppp_xmit_process+0x422/0x4cc
[<c01daf3f>] ppp_start_xmit+0x1c1/0x1f6
[<c0213ea5>] qdisc_restart+0xa7/0x135
[<c020b112>] dev_queue_xmit+0xba/0x19e
[<c0223f69>] ip_output+0x1eb/0x236
[<c0220907>] ip_forward+0x1c1/0x21a
[<c021fa6c>] ip_rcv+0x38e/0x3ea
[<c020b4c2>] netif_receive_skb+0x166/0x195
[<c020b55e>] process_backlog+0x6d/0xd2
[<c020a30f>] net_rx_action+0x6a/0xff
[<c0112909>] __do_softirq+0x35/0x7d
[<c0112973>] do_softirq+0x22/0x26
[<c0103a9d>] do_IRQ+0x1e/0x25
[<c010255a>] common_interrupt+0x1a/0x20
[<c01013c5>] default_idle+0x2b/0x53
[<c0101426>] cpu_idle+0x39/0x4e
[<c0328386>] start_kernel+0x20b/0x20d
Code: c0 e8 b3 b6 77 fc 85 c0 75 10 68 d8 c8 9b c3 e8 82 3d 75 fc 8b 43 60 5a eb 50 8d 56 50 c7 00 00 00 00 00 66 89 68 04 eb 02 89
ca <8b> 0a 85 c9 75 f8 89 02 89 da ff 46 54 8b 46 10 e8 30 79 fd ff
<0>Kernel panic - not syncing: Fatal exception in interrupt
That oops took me to the "ackqueue" implementation in capi.c. The crash
occured in capincci_add_ack() (auto-inlined by the compiler).
I read the code a bit and finally decided to replace the custom linked list
implementation (struct capiminor->ackqueue) by a struct list_head. That
did not solve the crash, but produced the following interresting oops:
Unable to handle kernel paging request at virtual address 00200200
printing eip:
c39bb1f5
*pde = 00000000
Oops: 0002 [#1]
Modules linked in: netconsole capi capifs 3c59x mii fcdsl kernelcapi uhci_hcd usbcore ide_cd cdrom
CPU: 0
EIP: 0060:[<c39bb1f5>] Tainted: P VLI
EFLAGS: 00010246 (2.6.16.11 #3)
EIP is at capiminor_del_ack+0x18/0x49 [capi]
eax: 00200200 ebx: c18d41a0 ecx: c1385620 edx: 00100100
esi: 0000d147 edi: 00001103 ebp: 0000d147 esp: c1093f3c
ds: 007b es: 007b ss: 0068
Process events/0 (pid: 3, threadinfo=c1092000 task=c1089030)
Stack: <0>c2a17580 c18d41a0 c39bbd16 00000038 c18d41e0 00000000 d147c640 c29e0b68
c29e0b90 00000212 c29e0b68 c39932b2 c29e0bb0 c10736a0 c0119ef0 c399326c
c10736a8 c10736a0 c10736b0 c0119f93 c011a06e 00000001 00000000 00000000
Call Trace:
[<c39bbd16>] handle_minor_send+0x1af/0x241 [capi]
[<c39932b2>] recv_handler+0x46/0x5f [kernelcapi]
[<c0119ef0>] run_workqueue+0x5e/0x8d
[<c399326c>] recv_handler+0x0/0x5f [kernelcapi]
[<c0119f93>] worker_thread+0x0/0x10b
[<c011a06e>] worker_thread+0xdb/0x10b
[<c010c998>] default_wake_function+0x0/0xc
[<c011c399>] kthread+0x90/0xbc
[<c011c309>] kthread+0x0/0xbc
[<c0100a65>] kernel_thread_helper+0x5/0xb
Code: 7e 02 89 ee 89 f0 5a f7 d0 c1 f8 1f 5b 21 f0 5e 5f 5d c3 56 53 8b 48 50 89 d6 89 c3 8b 11 eb 2f 66 39 71 08 75 25 8b 41 04 8b 11 <89> 10 89 42 04 c7 01 00 01 10 00 89 c8 c7 41 04 00 02 20 00 e8
The interresting part of it is the "virtual address 00200200", which is
LIST_POISON2. I thought about some race condition, but as this is an UP
system, it leads to questions on how it can happen. If we look at EFLAGS:
00010202, we see that interrupts are enabled at the time of the crash
(eflags & 0x200).
Finally, I don't understand all the capi code, but I think that
handle_minor_send() is racing somehow against capi_recv_message(), which
call both capiminor_del_ack(). So if an IRQ occurs in the middle of
capiminor_del_ack() and another instance of it is invoked, it leads to
linked list corruption.
I came up with the following patch. With this, I could not reproduce the
crash anymore. Clearly, this is not the correct fix for the issue. As this
seems to be some locking issue, there might be more locking issues in that
code. For example, doesn't the whole struct capiminor have to be locked
somehow?
Cc: Carsten Paeth <calle@calle.de>
Cc: Kai Germaschewski <kai.germaschewski@gmx.de>
Cc: Karsten Keil <kkeil@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-26 15:25:30 +08:00
|
|
|
spinlock_t ackqlock;
|
2005-04-17 06:20:36 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
struct capincci {
|
2010-02-08 18:12:22 +08:00
|
|
|
struct list_head list;
|
2005-04-17 06:20:36 +08:00
|
|
|
u32 ncci;
|
|
|
|
struct capidev *cdev;
|
|
|
|
#ifdef CONFIG_ISDN_CAPI_MIDDLEWARE
|
|
|
|
struct capiminor *minorp;
|
|
|
|
#endif /* CONFIG_ISDN_CAPI_MIDDLEWARE */
|
|
|
|
};
|
|
|
|
|
|
|
|
struct capidev {
|
|
|
|
struct list_head list;
|
|
|
|
struct capi20_appl ap;
|
|
|
|
u16 errcode;
|
|
|
|
unsigned userflags;
|
|
|
|
|
|
|
|
struct sk_buff_head recvqueue;
|
|
|
|
wait_queue_head_t recvwait;
|
|
|
|
|
2010-02-08 18:12:22 +08:00
|
|
|
struct list_head nccis;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-02-08 18:12:19 +08:00
|
|
|
struct mutex lock;
|
2005-04-17 06:20:36 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
/* -------- global variables ---------------------------------------- */
|
|
|
|
|
2010-02-08 18:12:17 +08:00
|
|
|
static DEFINE_MUTEX(capidev_list_lock);
|
2005-04-17 06:20:36 +08:00
|
|
|
static LIST_HEAD(capidev_list);
|
|
|
|
|
|
|
|
#ifdef CONFIG_ISDN_CAPI_MIDDLEWARE
|
2010-02-08 18:12:16 +08:00
|
|
|
|
2010-02-08 18:12:33 +08:00
|
|
|
static DEFINE_SPINLOCK(capiminors_lock);
|
2010-02-08 18:12:23 +08:00
|
|
|
static struct capiminor **capiminors;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-02-08 18:12:25 +08:00
|
|
|
static struct tty_driver *capinc_tty_driver;
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/* -------- datahandles --------------------------------------------- */
|
|
|
|
|
2010-02-08 18:12:16 +08:00
|
|
|
static int capiminor_add_ack(struct capiminor *mp, u16 datahandle)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2010-02-08 18:12:37 +08:00
|
|
|
struct ackqueue_entry *n;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
n = kmalloc(sizeof(*n), GFP_ATOMIC);
|
[PATCH] CAPI crash / race condition
I am getting more or less reproducible crashes from the CAPI subsystem
using the fcdsl driver:
Unable to handle kernel NULL pointer dereference at virtual address 00000010
printing eip:
c39bbca4
*pde = 00000000
Oops: 0000 [#1]
Modules linked in: netconsole capi capifs 3c59x mii fcdsl kernelcapi uhci_hcd usbcore ide_cd cdrom
CPU: 0
EIP: 0060:[<c39bbca4>] Tainted: P VLI
EFLAGS: 00010202 (2.6.16.11 #3)
EIP is at handle_minor_send+0x17a/0x241 [capi]
eax: c24abbc0 ebx: c0b4c980 ecx: 00000010 edx: 00000010
esi: c1679140 edi: c2783016 ebp: 0000c28d esp: c0327e24
ds: 007b es: 007b ss: 0068
Process swapper (pid: 0, threadinfo=c0326000 task=c02e1300)
Stack: <0>000005b4 c1679180 00000000 c28d0000 c1ce04e0 c2f69654 c221604e c1679140
c39bc19a 00000038 c20c0400 c075c560 c1f2f800 00000000 c01dc9b5 c1e96a40
c075c560 c2ed64c0 c1e96a40 c01dcd3b c2fb94e8 c075c560 c0327f00 c1e96a40
Call Trace:
[<c39bc19a>] capinc_tty_write+0xda/0xf3 [capi]
[<c01dc9b5>] ppp_sync_push+0x52/0xfe
[<c01dcd3b>] ppp_sync_send+0x1f5/0x204
[<c01d9bc1>] ppp_push+0x3e/0x9c
[<c01dacd4>] ppp_xmit_process+0x422/0x4cc
[<c01daf3f>] ppp_start_xmit+0x1c1/0x1f6
[<c0213ea5>] qdisc_restart+0xa7/0x135
[<c020b112>] dev_queue_xmit+0xba/0x19e
[<c0223f69>] ip_output+0x1eb/0x236
[<c0220907>] ip_forward+0x1c1/0x21a
[<c021fa6c>] ip_rcv+0x38e/0x3ea
[<c020b4c2>] netif_receive_skb+0x166/0x195
[<c020b55e>] process_backlog+0x6d/0xd2
[<c020a30f>] net_rx_action+0x6a/0xff
[<c0112909>] __do_softirq+0x35/0x7d
[<c0112973>] do_softirq+0x22/0x26
[<c0103a9d>] do_IRQ+0x1e/0x25
[<c010255a>] common_interrupt+0x1a/0x20
[<c01013c5>] default_idle+0x2b/0x53
[<c0101426>] cpu_idle+0x39/0x4e
[<c0328386>] start_kernel+0x20b/0x20d
Code: c0 e8 b3 b6 77 fc 85 c0 75 10 68 d8 c8 9b c3 e8 82 3d 75 fc 8b 43 60 5a eb 50 8d 56 50 c7 00 00 00 00 00 66 89 68 04 eb 02 89
ca <8b> 0a 85 c9 75 f8 89 02 89 da ff 46 54 8b 46 10 e8 30 79 fd ff
<0>Kernel panic - not syncing: Fatal exception in interrupt
That oops took me to the "ackqueue" implementation in capi.c. The crash
occured in capincci_add_ack() (auto-inlined by the compiler).
I read the code a bit and finally decided to replace the custom linked list
implementation (struct capiminor->ackqueue) by a struct list_head. That
did not solve the crash, but produced the following interresting oops:
Unable to handle kernel paging request at virtual address 00200200
printing eip:
c39bb1f5
*pde = 00000000
Oops: 0002 [#1]
Modules linked in: netconsole capi capifs 3c59x mii fcdsl kernelcapi uhci_hcd usbcore ide_cd cdrom
CPU: 0
EIP: 0060:[<c39bb1f5>] Tainted: P VLI
EFLAGS: 00010246 (2.6.16.11 #3)
EIP is at capiminor_del_ack+0x18/0x49 [capi]
eax: 00200200 ebx: c18d41a0 ecx: c1385620 edx: 00100100
esi: 0000d147 edi: 00001103 ebp: 0000d147 esp: c1093f3c
ds: 007b es: 007b ss: 0068
Process events/0 (pid: 3, threadinfo=c1092000 task=c1089030)
Stack: <0>c2a17580 c18d41a0 c39bbd16 00000038 c18d41e0 00000000 d147c640 c29e0b68
c29e0b90 00000212 c29e0b68 c39932b2 c29e0bb0 c10736a0 c0119ef0 c399326c
c10736a8 c10736a0 c10736b0 c0119f93 c011a06e 00000001 00000000 00000000
Call Trace:
[<c39bbd16>] handle_minor_send+0x1af/0x241 [capi]
[<c39932b2>] recv_handler+0x46/0x5f [kernelcapi]
[<c0119ef0>] run_workqueue+0x5e/0x8d
[<c399326c>] recv_handler+0x0/0x5f [kernelcapi]
[<c0119f93>] worker_thread+0x0/0x10b
[<c011a06e>] worker_thread+0xdb/0x10b
[<c010c998>] default_wake_function+0x0/0xc
[<c011c399>] kthread+0x90/0xbc
[<c011c309>] kthread+0x0/0xbc
[<c0100a65>] kernel_thread_helper+0x5/0xb
Code: 7e 02 89 ee 89 f0 5a f7 d0 c1 f8 1f 5b 21 f0 5e 5f 5d c3 56 53 8b 48 50 89 d6 89 c3 8b 11 eb 2f 66 39 71 08 75 25 8b 41 04 8b 11 <89> 10 89 42 04 c7 01 00 01 10 00 89 c8 c7 41 04 00 02 20 00 e8
The interresting part of it is the "virtual address 00200200", which is
LIST_POISON2. I thought about some race condition, but as this is an UP
system, it leads to questions on how it can happen. If we look at EFLAGS:
00010202, we see that interrupts are enabled at the time of the crash
(eflags & 0x200).
Finally, I don't understand all the capi code, but I think that
handle_minor_send() is racing somehow against capi_recv_message(), which
call both capiminor_del_ack(). So if an IRQ occurs in the middle of
capiminor_del_ack() and another instance of it is invoked, it leads to
linked list corruption.
I came up with the following patch. With this, I could not reproduce the
crash anymore. Clearly, this is not the correct fix for the issue. As this
seems to be some locking issue, there might be more locking issues in that
code. For example, doesn't the whole struct capiminor have to be locked
somehow?
Cc: Carsten Paeth <calle@calle.de>
Cc: Kai Germaschewski <kai.germaschewski@gmx.de>
Cc: Karsten Keil <kkeil@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-26 15:25:30 +08:00
|
|
|
if (unlikely(!n)) {
|
|
|
|
printk(KERN_ERR "capi: alloc datahandle failed\n");
|
|
|
|
return -1;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
n->datahandle = datahandle;
|
[PATCH] CAPI crash / race condition
I am getting more or less reproducible crashes from the CAPI subsystem
using the fcdsl driver:
Unable to handle kernel NULL pointer dereference at virtual address 00000010
printing eip:
c39bbca4
*pde = 00000000
Oops: 0000 [#1]
Modules linked in: netconsole capi capifs 3c59x mii fcdsl kernelcapi uhci_hcd usbcore ide_cd cdrom
CPU: 0
EIP: 0060:[<c39bbca4>] Tainted: P VLI
EFLAGS: 00010202 (2.6.16.11 #3)
EIP is at handle_minor_send+0x17a/0x241 [capi]
eax: c24abbc0 ebx: c0b4c980 ecx: 00000010 edx: 00000010
esi: c1679140 edi: c2783016 ebp: 0000c28d esp: c0327e24
ds: 007b es: 007b ss: 0068
Process swapper (pid: 0, threadinfo=c0326000 task=c02e1300)
Stack: <0>000005b4 c1679180 00000000 c28d0000 c1ce04e0 c2f69654 c221604e c1679140
c39bc19a 00000038 c20c0400 c075c560 c1f2f800 00000000 c01dc9b5 c1e96a40
c075c560 c2ed64c0 c1e96a40 c01dcd3b c2fb94e8 c075c560 c0327f00 c1e96a40
Call Trace:
[<c39bc19a>] capinc_tty_write+0xda/0xf3 [capi]
[<c01dc9b5>] ppp_sync_push+0x52/0xfe
[<c01dcd3b>] ppp_sync_send+0x1f5/0x204
[<c01d9bc1>] ppp_push+0x3e/0x9c
[<c01dacd4>] ppp_xmit_process+0x422/0x4cc
[<c01daf3f>] ppp_start_xmit+0x1c1/0x1f6
[<c0213ea5>] qdisc_restart+0xa7/0x135
[<c020b112>] dev_queue_xmit+0xba/0x19e
[<c0223f69>] ip_output+0x1eb/0x236
[<c0220907>] ip_forward+0x1c1/0x21a
[<c021fa6c>] ip_rcv+0x38e/0x3ea
[<c020b4c2>] netif_receive_skb+0x166/0x195
[<c020b55e>] process_backlog+0x6d/0xd2
[<c020a30f>] net_rx_action+0x6a/0xff
[<c0112909>] __do_softirq+0x35/0x7d
[<c0112973>] do_softirq+0x22/0x26
[<c0103a9d>] do_IRQ+0x1e/0x25
[<c010255a>] common_interrupt+0x1a/0x20
[<c01013c5>] default_idle+0x2b/0x53
[<c0101426>] cpu_idle+0x39/0x4e
[<c0328386>] start_kernel+0x20b/0x20d
Code: c0 e8 b3 b6 77 fc 85 c0 75 10 68 d8 c8 9b c3 e8 82 3d 75 fc 8b 43 60 5a eb 50 8d 56 50 c7 00 00 00 00 00 66 89 68 04 eb 02 89
ca <8b> 0a 85 c9 75 f8 89 02 89 da ff 46 54 8b 46 10 e8 30 79 fd ff
<0>Kernel panic - not syncing: Fatal exception in interrupt
That oops took me to the "ackqueue" implementation in capi.c. The crash
occured in capincci_add_ack() (auto-inlined by the compiler).
I read the code a bit and finally decided to replace the custom linked list
implementation (struct capiminor->ackqueue) by a struct list_head. That
did not solve the crash, but produced the following interresting oops:
Unable to handle kernel paging request at virtual address 00200200
printing eip:
c39bb1f5
*pde = 00000000
Oops: 0002 [#1]
Modules linked in: netconsole capi capifs 3c59x mii fcdsl kernelcapi uhci_hcd usbcore ide_cd cdrom
CPU: 0
EIP: 0060:[<c39bb1f5>] Tainted: P VLI
EFLAGS: 00010246 (2.6.16.11 #3)
EIP is at capiminor_del_ack+0x18/0x49 [capi]
eax: 00200200 ebx: c18d41a0 ecx: c1385620 edx: 00100100
esi: 0000d147 edi: 00001103 ebp: 0000d147 esp: c1093f3c
ds: 007b es: 007b ss: 0068
Process events/0 (pid: 3, threadinfo=c1092000 task=c1089030)
Stack: <0>c2a17580 c18d41a0 c39bbd16 00000038 c18d41e0 00000000 d147c640 c29e0b68
c29e0b90 00000212 c29e0b68 c39932b2 c29e0bb0 c10736a0 c0119ef0 c399326c
c10736a8 c10736a0 c10736b0 c0119f93 c011a06e 00000001 00000000 00000000
Call Trace:
[<c39bbd16>] handle_minor_send+0x1af/0x241 [capi]
[<c39932b2>] recv_handler+0x46/0x5f [kernelcapi]
[<c0119ef0>] run_workqueue+0x5e/0x8d
[<c399326c>] recv_handler+0x0/0x5f [kernelcapi]
[<c0119f93>] worker_thread+0x0/0x10b
[<c011a06e>] worker_thread+0xdb/0x10b
[<c010c998>] default_wake_function+0x0/0xc
[<c011c399>] kthread+0x90/0xbc
[<c011c309>] kthread+0x0/0xbc
[<c0100a65>] kernel_thread_helper+0x5/0xb
Code: 7e 02 89 ee 89 f0 5a f7 d0 c1 f8 1f 5b 21 f0 5e 5f 5d c3 56 53 8b 48 50 89 d6 89 c3 8b 11 eb 2f 66 39 71 08 75 25 8b 41 04 8b 11 <89> 10 89 42 04 c7 01 00 01 10 00 89 c8 c7 41 04 00 02 20 00 e8
The interresting part of it is the "virtual address 00200200", which is
LIST_POISON2. I thought about some race condition, but as this is an UP
system, it leads to questions on how it can happen. If we look at EFLAGS:
00010202, we see that interrupts are enabled at the time of the crash
(eflags & 0x200).
Finally, I don't understand all the capi code, but I think that
handle_minor_send() is racing somehow against capi_recv_message(), which
call both capiminor_del_ack(). So if an IRQ occurs in the middle of
capiminor_del_ack() and another instance of it is invoked, it leads to
linked list corruption.
I came up with the following patch. With this, I could not reproduce the
crash anymore. Clearly, this is not the correct fix for the issue. As this
seems to be some locking issue, there might be more locking issues in that
code. For example, doesn't the whole struct capiminor have to be locked
somehow?
Cc: Carsten Paeth <calle@calle.de>
Cc: Kai Germaschewski <kai.germaschewski@gmx.de>
Cc: Karsten Keil <kkeil@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-26 15:25:30 +08:00
|
|
|
INIT_LIST_HEAD(&n->list);
|
2010-02-08 18:12:41 +08:00
|
|
|
spin_lock_bh(&mp->ackqlock);
|
[PATCH] CAPI crash / race condition
I am getting more or less reproducible crashes from the CAPI subsystem
using the fcdsl driver:
Unable to handle kernel NULL pointer dereference at virtual address 00000010
printing eip:
c39bbca4
*pde = 00000000
Oops: 0000 [#1]
Modules linked in: netconsole capi capifs 3c59x mii fcdsl kernelcapi uhci_hcd usbcore ide_cd cdrom
CPU: 0
EIP: 0060:[<c39bbca4>] Tainted: P VLI
EFLAGS: 00010202 (2.6.16.11 #3)
EIP is at handle_minor_send+0x17a/0x241 [capi]
eax: c24abbc0 ebx: c0b4c980 ecx: 00000010 edx: 00000010
esi: c1679140 edi: c2783016 ebp: 0000c28d esp: c0327e24
ds: 007b es: 007b ss: 0068
Process swapper (pid: 0, threadinfo=c0326000 task=c02e1300)
Stack: <0>000005b4 c1679180 00000000 c28d0000 c1ce04e0 c2f69654 c221604e c1679140
c39bc19a 00000038 c20c0400 c075c560 c1f2f800 00000000 c01dc9b5 c1e96a40
c075c560 c2ed64c0 c1e96a40 c01dcd3b c2fb94e8 c075c560 c0327f00 c1e96a40
Call Trace:
[<c39bc19a>] capinc_tty_write+0xda/0xf3 [capi]
[<c01dc9b5>] ppp_sync_push+0x52/0xfe
[<c01dcd3b>] ppp_sync_send+0x1f5/0x204
[<c01d9bc1>] ppp_push+0x3e/0x9c
[<c01dacd4>] ppp_xmit_process+0x422/0x4cc
[<c01daf3f>] ppp_start_xmit+0x1c1/0x1f6
[<c0213ea5>] qdisc_restart+0xa7/0x135
[<c020b112>] dev_queue_xmit+0xba/0x19e
[<c0223f69>] ip_output+0x1eb/0x236
[<c0220907>] ip_forward+0x1c1/0x21a
[<c021fa6c>] ip_rcv+0x38e/0x3ea
[<c020b4c2>] netif_receive_skb+0x166/0x195
[<c020b55e>] process_backlog+0x6d/0xd2
[<c020a30f>] net_rx_action+0x6a/0xff
[<c0112909>] __do_softirq+0x35/0x7d
[<c0112973>] do_softirq+0x22/0x26
[<c0103a9d>] do_IRQ+0x1e/0x25
[<c010255a>] common_interrupt+0x1a/0x20
[<c01013c5>] default_idle+0x2b/0x53
[<c0101426>] cpu_idle+0x39/0x4e
[<c0328386>] start_kernel+0x20b/0x20d
Code: c0 e8 b3 b6 77 fc 85 c0 75 10 68 d8 c8 9b c3 e8 82 3d 75 fc 8b 43 60 5a eb 50 8d 56 50 c7 00 00 00 00 00 66 89 68 04 eb 02 89
ca <8b> 0a 85 c9 75 f8 89 02 89 da ff 46 54 8b 46 10 e8 30 79 fd ff
<0>Kernel panic - not syncing: Fatal exception in interrupt
That oops took me to the "ackqueue" implementation in capi.c. The crash
occured in capincci_add_ack() (auto-inlined by the compiler).
I read the code a bit and finally decided to replace the custom linked list
implementation (struct capiminor->ackqueue) by a struct list_head. That
did not solve the crash, but produced the following interresting oops:
Unable to handle kernel paging request at virtual address 00200200
printing eip:
c39bb1f5
*pde = 00000000
Oops: 0002 [#1]
Modules linked in: netconsole capi capifs 3c59x mii fcdsl kernelcapi uhci_hcd usbcore ide_cd cdrom
CPU: 0
EIP: 0060:[<c39bb1f5>] Tainted: P VLI
EFLAGS: 00010246 (2.6.16.11 #3)
EIP is at capiminor_del_ack+0x18/0x49 [capi]
eax: 00200200 ebx: c18d41a0 ecx: c1385620 edx: 00100100
esi: 0000d147 edi: 00001103 ebp: 0000d147 esp: c1093f3c
ds: 007b es: 007b ss: 0068
Process events/0 (pid: 3, threadinfo=c1092000 task=c1089030)
Stack: <0>c2a17580 c18d41a0 c39bbd16 00000038 c18d41e0 00000000 d147c640 c29e0b68
c29e0b90 00000212 c29e0b68 c39932b2 c29e0bb0 c10736a0 c0119ef0 c399326c
c10736a8 c10736a0 c10736b0 c0119f93 c011a06e 00000001 00000000 00000000
Call Trace:
[<c39bbd16>] handle_minor_send+0x1af/0x241 [capi]
[<c39932b2>] recv_handler+0x46/0x5f [kernelcapi]
[<c0119ef0>] run_workqueue+0x5e/0x8d
[<c399326c>] recv_handler+0x0/0x5f [kernelcapi]
[<c0119f93>] worker_thread+0x0/0x10b
[<c011a06e>] worker_thread+0xdb/0x10b
[<c010c998>] default_wake_function+0x0/0xc
[<c011c399>] kthread+0x90/0xbc
[<c011c309>] kthread+0x0/0xbc
[<c0100a65>] kernel_thread_helper+0x5/0xb
Code: 7e 02 89 ee 89 f0 5a f7 d0 c1 f8 1f 5b 21 f0 5e 5f 5d c3 56 53 8b 48 50 89 d6 89 c3 8b 11 eb 2f 66 39 71 08 75 25 8b 41 04 8b 11 <89> 10 89 42 04 c7 01 00 01 10 00 89 c8 c7 41 04 00 02 20 00 e8
The interresting part of it is the "virtual address 00200200", which is
LIST_POISON2. I thought about some race condition, but as this is an UP
system, it leads to questions on how it can happen. If we look at EFLAGS:
00010202, we see that interrupts are enabled at the time of the crash
(eflags & 0x200).
Finally, I don't understand all the capi code, but I think that
handle_minor_send() is racing somehow against capi_recv_message(), which
call both capiminor_del_ack(). So if an IRQ occurs in the middle of
capiminor_del_ack() and another instance of it is invoked, it leads to
linked list corruption.
I came up with the following patch. With this, I could not reproduce the
crash anymore. Clearly, this is not the correct fix for the issue. As this
seems to be some locking issue, there might be more locking issues in that
code. For example, doesn't the whole struct capiminor have to be locked
somehow?
Cc: Carsten Paeth <calle@calle.de>
Cc: Kai Germaschewski <kai.germaschewski@gmx.de>
Cc: Karsten Keil <kkeil@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-26 15:25:30 +08:00
|
|
|
list_add_tail(&n->list, &mp->ackqueue);
|
2005-04-17 06:20:36 +08:00
|
|
|
mp->nack++;
|
2010-02-08 18:12:41 +08:00
|
|
|
spin_unlock_bh(&mp->ackqlock);
|
2005-04-17 06:20:36 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int capiminor_del_ack(struct capiminor *mp, u16 datahandle)
|
|
|
|
{
|
2010-02-08 18:12:37 +08:00
|
|
|
struct ackqueue_entry *p, *tmp;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-02-08 18:12:41 +08:00
|
|
|
spin_lock_bh(&mp->ackqlock);
|
[PATCH] CAPI crash / race condition
I am getting more or less reproducible crashes from the CAPI subsystem
using the fcdsl driver:
Unable to handle kernel NULL pointer dereference at virtual address 00000010
printing eip:
c39bbca4
*pde = 00000000
Oops: 0000 [#1]
Modules linked in: netconsole capi capifs 3c59x mii fcdsl kernelcapi uhci_hcd usbcore ide_cd cdrom
CPU: 0
EIP: 0060:[<c39bbca4>] Tainted: P VLI
EFLAGS: 00010202 (2.6.16.11 #3)
EIP is at handle_minor_send+0x17a/0x241 [capi]
eax: c24abbc0 ebx: c0b4c980 ecx: 00000010 edx: 00000010
esi: c1679140 edi: c2783016 ebp: 0000c28d esp: c0327e24
ds: 007b es: 007b ss: 0068
Process swapper (pid: 0, threadinfo=c0326000 task=c02e1300)
Stack: <0>000005b4 c1679180 00000000 c28d0000 c1ce04e0 c2f69654 c221604e c1679140
c39bc19a 00000038 c20c0400 c075c560 c1f2f800 00000000 c01dc9b5 c1e96a40
c075c560 c2ed64c0 c1e96a40 c01dcd3b c2fb94e8 c075c560 c0327f00 c1e96a40
Call Trace:
[<c39bc19a>] capinc_tty_write+0xda/0xf3 [capi]
[<c01dc9b5>] ppp_sync_push+0x52/0xfe
[<c01dcd3b>] ppp_sync_send+0x1f5/0x204
[<c01d9bc1>] ppp_push+0x3e/0x9c
[<c01dacd4>] ppp_xmit_process+0x422/0x4cc
[<c01daf3f>] ppp_start_xmit+0x1c1/0x1f6
[<c0213ea5>] qdisc_restart+0xa7/0x135
[<c020b112>] dev_queue_xmit+0xba/0x19e
[<c0223f69>] ip_output+0x1eb/0x236
[<c0220907>] ip_forward+0x1c1/0x21a
[<c021fa6c>] ip_rcv+0x38e/0x3ea
[<c020b4c2>] netif_receive_skb+0x166/0x195
[<c020b55e>] process_backlog+0x6d/0xd2
[<c020a30f>] net_rx_action+0x6a/0xff
[<c0112909>] __do_softirq+0x35/0x7d
[<c0112973>] do_softirq+0x22/0x26
[<c0103a9d>] do_IRQ+0x1e/0x25
[<c010255a>] common_interrupt+0x1a/0x20
[<c01013c5>] default_idle+0x2b/0x53
[<c0101426>] cpu_idle+0x39/0x4e
[<c0328386>] start_kernel+0x20b/0x20d
Code: c0 e8 b3 b6 77 fc 85 c0 75 10 68 d8 c8 9b c3 e8 82 3d 75 fc 8b 43 60 5a eb 50 8d 56 50 c7 00 00 00 00 00 66 89 68 04 eb 02 89
ca <8b> 0a 85 c9 75 f8 89 02 89 da ff 46 54 8b 46 10 e8 30 79 fd ff
<0>Kernel panic - not syncing: Fatal exception in interrupt
That oops took me to the "ackqueue" implementation in capi.c. The crash
occured in capincci_add_ack() (auto-inlined by the compiler).
I read the code a bit and finally decided to replace the custom linked list
implementation (struct capiminor->ackqueue) by a struct list_head. That
did not solve the crash, but produced the following interresting oops:
Unable to handle kernel paging request at virtual address 00200200
printing eip:
c39bb1f5
*pde = 00000000
Oops: 0002 [#1]
Modules linked in: netconsole capi capifs 3c59x mii fcdsl kernelcapi uhci_hcd usbcore ide_cd cdrom
CPU: 0
EIP: 0060:[<c39bb1f5>] Tainted: P VLI
EFLAGS: 00010246 (2.6.16.11 #3)
EIP is at capiminor_del_ack+0x18/0x49 [capi]
eax: 00200200 ebx: c18d41a0 ecx: c1385620 edx: 00100100
esi: 0000d147 edi: 00001103 ebp: 0000d147 esp: c1093f3c
ds: 007b es: 007b ss: 0068
Process events/0 (pid: 3, threadinfo=c1092000 task=c1089030)
Stack: <0>c2a17580 c18d41a0 c39bbd16 00000038 c18d41e0 00000000 d147c640 c29e0b68
c29e0b90 00000212 c29e0b68 c39932b2 c29e0bb0 c10736a0 c0119ef0 c399326c
c10736a8 c10736a0 c10736b0 c0119f93 c011a06e 00000001 00000000 00000000
Call Trace:
[<c39bbd16>] handle_minor_send+0x1af/0x241 [capi]
[<c39932b2>] recv_handler+0x46/0x5f [kernelcapi]
[<c0119ef0>] run_workqueue+0x5e/0x8d
[<c399326c>] recv_handler+0x0/0x5f [kernelcapi]
[<c0119f93>] worker_thread+0x0/0x10b
[<c011a06e>] worker_thread+0xdb/0x10b
[<c010c998>] default_wake_function+0x0/0xc
[<c011c399>] kthread+0x90/0xbc
[<c011c309>] kthread+0x0/0xbc
[<c0100a65>] kernel_thread_helper+0x5/0xb
Code: 7e 02 89 ee 89 f0 5a f7 d0 c1 f8 1f 5b 21 f0 5e 5f 5d c3 56 53 8b 48 50 89 d6 89 c3 8b 11 eb 2f 66 39 71 08 75 25 8b 41 04 8b 11 <89> 10 89 42 04 c7 01 00 01 10 00 89 c8 c7 41 04 00 02 20 00 e8
The interresting part of it is the "virtual address 00200200", which is
LIST_POISON2. I thought about some race condition, but as this is an UP
system, it leads to questions on how it can happen. If we look at EFLAGS:
00010202, we see that interrupts are enabled at the time of the crash
(eflags & 0x200).
Finally, I don't understand all the capi code, but I think that
handle_minor_send() is racing somehow against capi_recv_message(), which
call both capiminor_del_ack(). So if an IRQ occurs in the middle of
capiminor_del_ack() and another instance of it is invoked, it leads to
linked list corruption.
I came up with the following patch. With this, I could not reproduce the
crash anymore. Clearly, this is not the correct fix for the issue. As this
seems to be some locking issue, there might be more locking issues in that
code. For example, doesn't the whole struct capiminor have to be locked
somehow?
Cc: Carsten Paeth <calle@calle.de>
Cc: Kai Germaschewski <kai.germaschewski@gmx.de>
Cc: Karsten Keil <kkeil@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-26 15:25:30 +08:00
|
|
|
list_for_each_entry_safe(p, tmp, &mp->ackqueue, list) {
|
2012-02-20 11:52:38 +08:00
|
|
|
if (p->datahandle == datahandle) {
|
[PATCH] CAPI crash / race condition
I am getting more or less reproducible crashes from the CAPI subsystem
using the fcdsl driver:
Unable to handle kernel NULL pointer dereference at virtual address 00000010
printing eip:
c39bbca4
*pde = 00000000
Oops: 0000 [#1]
Modules linked in: netconsole capi capifs 3c59x mii fcdsl kernelcapi uhci_hcd usbcore ide_cd cdrom
CPU: 0
EIP: 0060:[<c39bbca4>] Tainted: P VLI
EFLAGS: 00010202 (2.6.16.11 #3)
EIP is at handle_minor_send+0x17a/0x241 [capi]
eax: c24abbc0 ebx: c0b4c980 ecx: 00000010 edx: 00000010
esi: c1679140 edi: c2783016 ebp: 0000c28d esp: c0327e24
ds: 007b es: 007b ss: 0068
Process swapper (pid: 0, threadinfo=c0326000 task=c02e1300)
Stack: <0>000005b4 c1679180 00000000 c28d0000 c1ce04e0 c2f69654 c221604e c1679140
c39bc19a 00000038 c20c0400 c075c560 c1f2f800 00000000 c01dc9b5 c1e96a40
c075c560 c2ed64c0 c1e96a40 c01dcd3b c2fb94e8 c075c560 c0327f00 c1e96a40
Call Trace:
[<c39bc19a>] capinc_tty_write+0xda/0xf3 [capi]
[<c01dc9b5>] ppp_sync_push+0x52/0xfe
[<c01dcd3b>] ppp_sync_send+0x1f5/0x204
[<c01d9bc1>] ppp_push+0x3e/0x9c
[<c01dacd4>] ppp_xmit_process+0x422/0x4cc
[<c01daf3f>] ppp_start_xmit+0x1c1/0x1f6
[<c0213ea5>] qdisc_restart+0xa7/0x135
[<c020b112>] dev_queue_xmit+0xba/0x19e
[<c0223f69>] ip_output+0x1eb/0x236
[<c0220907>] ip_forward+0x1c1/0x21a
[<c021fa6c>] ip_rcv+0x38e/0x3ea
[<c020b4c2>] netif_receive_skb+0x166/0x195
[<c020b55e>] process_backlog+0x6d/0xd2
[<c020a30f>] net_rx_action+0x6a/0xff
[<c0112909>] __do_softirq+0x35/0x7d
[<c0112973>] do_softirq+0x22/0x26
[<c0103a9d>] do_IRQ+0x1e/0x25
[<c010255a>] common_interrupt+0x1a/0x20
[<c01013c5>] default_idle+0x2b/0x53
[<c0101426>] cpu_idle+0x39/0x4e
[<c0328386>] start_kernel+0x20b/0x20d
Code: c0 e8 b3 b6 77 fc 85 c0 75 10 68 d8 c8 9b c3 e8 82 3d 75 fc 8b 43 60 5a eb 50 8d 56 50 c7 00 00 00 00 00 66 89 68 04 eb 02 89
ca <8b> 0a 85 c9 75 f8 89 02 89 da ff 46 54 8b 46 10 e8 30 79 fd ff
<0>Kernel panic - not syncing: Fatal exception in interrupt
That oops took me to the "ackqueue" implementation in capi.c. The crash
occured in capincci_add_ack() (auto-inlined by the compiler).
I read the code a bit and finally decided to replace the custom linked list
implementation (struct capiminor->ackqueue) by a struct list_head. That
did not solve the crash, but produced the following interresting oops:
Unable to handle kernel paging request at virtual address 00200200
printing eip:
c39bb1f5
*pde = 00000000
Oops: 0002 [#1]
Modules linked in: netconsole capi capifs 3c59x mii fcdsl kernelcapi uhci_hcd usbcore ide_cd cdrom
CPU: 0
EIP: 0060:[<c39bb1f5>] Tainted: P VLI
EFLAGS: 00010246 (2.6.16.11 #3)
EIP is at capiminor_del_ack+0x18/0x49 [capi]
eax: 00200200 ebx: c18d41a0 ecx: c1385620 edx: 00100100
esi: 0000d147 edi: 00001103 ebp: 0000d147 esp: c1093f3c
ds: 007b es: 007b ss: 0068
Process events/0 (pid: 3, threadinfo=c1092000 task=c1089030)
Stack: <0>c2a17580 c18d41a0 c39bbd16 00000038 c18d41e0 00000000 d147c640 c29e0b68
c29e0b90 00000212 c29e0b68 c39932b2 c29e0bb0 c10736a0 c0119ef0 c399326c
c10736a8 c10736a0 c10736b0 c0119f93 c011a06e 00000001 00000000 00000000
Call Trace:
[<c39bbd16>] handle_minor_send+0x1af/0x241 [capi]
[<c39932b2>] recv_handler+0x46/0x5f [kernelcapi]
[<c0119ef0>] run_workqueue+0x5e/0x8d
[<c399326c>] recv_handler+0x0/0x5f [kernelcapi]
[<c0119f93>] worker_thread+0x0/0x10b
[<c011a06e>] worker_thread+0xdb/0x10b
[<c010c998>] default_wake_function+0x0/0xc
[<c011c399>] kthread+0x90/0xbc
[<c011c309>] kthread+0x0/0xbc
[<c0100a65>] kernel_thread_helper+0x5/0xb
Code: 7e 02 89 ee 89 f0 5a f7 d0 c1 f8 1f 5b 21 f0 5e 5f 5d c3 56 53 8b 48 50 89 d6 89 c3 8b 11 eb 2f 66 39 71 08 75 25 8b 41 04 8b 11 <89> 10 89 42 04 c7 01 00 01 10 00 89 c8 c7 41 04 00 02 20 00 e8
The interresting part of it is the "virtual address 00200200", which is
LIST_POISON2. I thought about some race condition, but as this is an UP
system, it leads to questions on how it can happen. If we look at EFLAGS:
00010202, we see that interrupts are enabled at the time of the crash
(eflags & 0x200).
Finally, I don't understand all the capi code, but I think that
handle_minor_send() is racing somehow against capi_recv_message(), which
call both capiminor_del_ack(). So if an IRQ occurs in the middle of
capiminor_del_ack() and another instance of it is invoked, it leads to
linked list corruption.
I came up with the following patch. With this, I could not reproduce the
crash anymore. Clearly, this is not the correct fix for the issue. As this
seems to be some locking issue, there might be more locking issues in that
code. For example, doesn't the whole struct capiminor have to be locked
somehow?
Cc: Carsten Paeth <calle@calle.de>
Cc: Kai Germaschewski <kai.germaschewski@gmx.de>
Cc: Karsten Keil <kkeil@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-26 15:25:30 +08:00
|
|
|
list_del(&p->list);
|
2005-04-17 06:20:36 +08:00
|
|
|
mp->nack--;
|
2010-02-08 18:12:41 +08:00
|
|
|
spin_unlock_bh(&mp->ackqlock);
|
|
|
|
kfree(p);
|
2005-04-17 06:20:36 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
|
2010-02-08 18:12:41 +08:00
|
|
|
spin_unlock_bh(&mp->ackqlock);
|
2005-04-17 06:20:36 +08:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void capiminor_del_all_ack(struct capiminor *mp)
|
|
|
|
{
|
2010-02-08 18:12:37 +08:00
|
|
|
struct ackqueue_entry *p, *tmp;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
[PATCH] CAPI crash / race condition
I am getting more or less reproducible crashes from the CAPI subsystem
using the fcdsl driver:
Unable to handle kernel NULL pointer dereference at virtual address 00000010
printing eip:
c39bbca4
*pde = 00000000
Oops: 0000 [#1]
Modules linked in: netconsole capi capifs 3c59x mii fcdsl kernelcapi uhci_hcd usbcore ide_cd cdrom
CPU: 0
EIP: 0060:[<c39bbca4>] Tainted: P VLI
EFLAGS: 00010202 (2.6.16.11 #3)
EIP is at handle_minor_send+0x17a/0x241 [capi]
eax: c24abbc0 ebx: c0b4c980 ecx: 00000010 edx: 00000010
esi: c1679140 edi: c2783016 ebp: 0000c28d esp: c0327e24
ds: 007b es: 007b ss: 0068
Process swapper (pid: 0, threadinfo=c0326000 task=c02e1300)
Stack: <0>000005b4 c1679180 00000000 c28d0000 c1ce04e0 c2f69654 c221604e c1679140
c39bc19a 00000038 c20c0400 c075c560 c1f2f800 00000000 c01dc9b5 c1e96a40
c075c560 c2ed64c0 c1e96a40 c01dcd3b c2fb94e8 c075c560 c0327f00 c1e96a40
Call Trace:
[<c39bc19a>] capinc_tty_write+0xda/0xf3 [capi]
[<c01dc9b5>] ppp_sync_push+0x52/0xfe
[<c01dcd3b>] ppp_sync_send+0x1f5/0x204
[<c01d9bc1>] ppp_push+0x3e/0x9c
[<c01dacd4>] ppp_xmit_process+0x422/0x4cc
[<c01daf3f>] ppp_start_xmit+0x1c1/0x1f6
[<c0213ea5>] qdisc_restart+0xa7/0x135
[<c020b112>] dev_queue_xmit+0xba/0x19e
[<c0223f69>] ip_output+0x1eb/0x236
[<c0220907>] ip_forward+0x1c1/0x21a
[<c021fa6c>] ip_rcv+0x38e/0x3ea
[<c020b4c2>] netif_receive_skb+0x166/0x195
[<c020b55e>] process_backlog+0x6d/0xd2
[<c020a30f>] net_rx_action+0x6a/0xff
[<c0112909>] __do_softirq+0x35/0x7d
[<c0112973>] do_softirq+0x22/0x26
[<c0103a9d>] do_IRQ+0x1e/0x25
[<c010255a>] common_interrupt+0x1a/0x20
[<c01013c5>] default_idle+0x2b/0x53
[<c0101426>] cpu_idle+0x39/0x4e
[<c0328386>] start_kernel+0x20b/0x20d
Code: c0 e8 b3 b6 77 fc 85 c0 75 10 68 d8 c8 9b c3 e8 82 3d 75 fc 8b 43 60 5a eb 50 8d 56 50 c7 00 00 00 00 00 66 89 68 04 eb 02 89
ca <8b> 0a 85 c9 75 f8 89 02 89 da ff 46 54 8b 46 10 e8 30 79 fd ff
<0>Kernel panic - not syncing: Fatal exception in interrupt
That oops took me to the "ackqueue" implementation in capi.c. The crash
occured in capincci_add_ack() (auto-inlined by the compiler).
I read the code a bit and finally decided to replace the custom linked list
implementation (struct capiminor->ackqueue) by a struct list_head. That
did not solve the crash, but produced the following interresting oops:
Unable to handle kernel paging request at virtual address 00200200
printing eip:
c39bb1f5
*pde = 00000000
Oops: 0002 [#1]
Modules linked in: netconsole capi capifs 3c59x mii fcdsl kernelcapi uhci_hcd usbcore ide_cd cdrom
CPU: 0
EIP: 0060:[<c39bb1f5>] Tainted: P VLI
EFLAGS: 00010246 (2.6.16.11 #3)
EIP is at capiminor_del_ack+0x18/0x49 [capi]
eax: 00200200 ebx: c18d41a0 ecx: c1385620 edx: 00100100
esi: 0000d147 edi: 00001103 ebp: 0000d147 esp: c1093f3c
ds: 007b es: 007b ss: 0068
Process events/0 (pid: 3, threadinfo=c1092000 task=c1089030)
Stack: <0>c2a17580 c18d41a0 c39bbd16 00000038 c18d41e0 00000000 d147c640 c29e0b68
c29e0b90 00000212 c29e0b68 c39932b2 c29e0bb0 c10736a0 c0119ef0 c399326c
c10736a8 c10736a0 c10736b0 c0119f93 c011a06e 00000001 00000000 00000000
Call Trace:
[<c39bbd16>] handle_minor_send+0x1af/0x241 [capi]
[<c39932b2>] recv_handler+0x46/0x5f [kernelcapi]
[<c0119ef0>] run_workqueue+0x5e/0x8d
[<c399326c>] recv_handler+0x0/0x5f [kernelcapi]
[<c0119f93>] worker_thread+0x0/0x10b
[<c011a06e>] worker_thread+0xdb/0x10b
[<c010c998>] default_wake_function+0x0/0xc
[<c011c399>] kthread+0x90/0xbc
[<c011c309>] kthread+0x0/0xbc
[<c0100a65>] kernel_thread_helper+0x5/0xb
Code: 7e 02 89 ee 89 f0 5a f7 d0 c1 f8 1f 5b 21 f0 5e 5f 5d c3 56 53 8b 48 50 89 d6 89 c3 8b 11 eb 2f 66 39 71 08 75 25 8b 41 04 8b 11 <89> 10 89 42 04 c7 01 00 01 10 00 89 c8 c7 41 04 00 02 20 00 e8
The interresting part of it is the "virtual address 00200200", which is
LIST_POISON2. I thought about some race condition, but as this is an UP
system, it leads to questions on how it can happen. If we look at EFLAGS:
00010202, we see that interrupts are enabled at the time of the crash
(eflags & 0x200).
Finally, I don't understand all the capi code, but I think that
handle_minor_send() is racing somehow against capi_recv_message(), which
call both capiminor_del_ack(). So if an IRQ occurs in the middle of
capiminor_del_ack() and another instance of it is invoked, it leads to
linked list corruption.
I came up with the following patch. With this, I could not reproduce the
crash anymore. Clearly, this is not the correct fix for the issue. As this
seems to be some locking issue, there might be more locking issues in that
code. For example, doesn't the whole struct capiminor have to be locked
somehow?
Cc: Carsten Paeth <calle@calle.de>
Cc: Kai Germaschewski <kai.germaschewski@gmx.de>
Cc: Karsten Keil <kkeil@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-26 15:25:30 +08:00
|
|
|
list_for_each_entry_safe(p, tmp, &mp->ackqueue, list) {
|
|
|
|
list_del(&p->list);
|
2005-04-17 06:20:36 +08:00
|
|
|
kfree(p);
|
|
|
|
mp->nack--;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* -------- struct capiminor ---------------------------------------- */
|
|
|
|
|
2012-11-15 16:49:50 +08:00
|
|
|
static void capiminor_destroy(struct tty_port *port)
|
|
|
|
{
|
|
|
|
struct capiminor *mp = container_of(port, struct capiminor, port);
|
|
|
|
|
|
|
|
kfree_skb(mp->outskb);
|
|
|
|
skb_queue_purge(&mp->inqueue);
|
|
|
|
skb_queue_purge(&mp->outqueue);
|
|
|
|
capiminor_del_all_ack(mp);
|
|
|
|
kfree(mp);
|
|
|
|
}
|
|
|
|
|
|
|
|
static const struct tty_port_operations capiminor_port_ops = {
|
|
|
|
.destruct = capiminor_destroy,
|
|
|
|
};
|
2010-02-08 18:12:29 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
static struct capiminor *capiminor_alloc(struct capi20_appl *ap, u32 ncci)
|
|
|
|
{
|
2010-02-08 18:12:23 +08:00
|
|
|
struct capiminor *mp;
|
2010-02-08 18:12:25 +08:00
|
|
|
struct device *dev;
|
2010-02-08 18:12:23 +08:00
|
|
|
unsigned int minor;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-02-08 18:12:20 +08:00
|
|
|
mp = kzalloc(sizeof(*mp), GFP_KERNEL);
|
2012-02-20 11:52:38 +08:00
|
|
|
if (!mp) {
|
|
|
|
printk(KERN_ERR "capi: can't alloc capiminor\n");
|
2005-04-17 06:20:36 +08:00
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
mp->ap = ap;
|
|
|
|
mp->ncci = ncci;
|
[PATCH] CAPI crash / race condition
I am getting more or less reproducible crashes from the CAPI subsystem
using the fcdsl driver:
Unable to handle kernel NULL pointer dereference at virtual address 00000010
printing eip:
c39bbca4
*pde = 00000000
Oops: 0000 [#1]
Modules linked in: netconsole capi capifs 3c59x mii fcdsl kernelcapi uhci_hcd usbcore ide_cd cdrom
CPU: 0
EIP: 0060:[<c39bbca4>] Tainted: P VLI
EFLAGS: 00010202 (2.6.16.11 #3)
EIP is at handle_minor_send+0x17a/0x241 [capi]
eax: c24abbc0 ebx: c0b4c980 ecx: 00000010 edx: 00000010
esi: c1679140 edi: c2783016 ebp: 0000c28d esp: c0327e24
ds: 007b es: 007b ss: 0068
Process swapper (pid: 0, threadinfo=c0326000 task=c02e1300)
Stack: <0>000005b4 c1679180 00000000 c28d0000 c1ce04e0 c2f69654 c221604e c1679140
c39bc19a 00000038 c20c0400 c075c560 c1f2f800 00000000 c01dc9b5 c1e96a40
c075c560 c2ed64c0 c1e96a40 c01dcd3b c2fb94e8 c075c560 c0327f00 c1e96a40
Call Trace:
[<c39bc19a>] capinc_tty_write+0xda/0xf3 [capi]
[<c01dc9b5>] ppp_sync_push+0x52/0xfe
[<c01dcd3b>] ppp_sync_send+0x1f5/0x204
[<c01d9bc1>] ppp_push+0x3e/0x9c
[<c01dacd4>] ppp_xmit_process+0x422/0x4cc
[<c01daf3f>] ppp_start_xmit+0x1c1/0x1f6
[<c0213ea5>] qdisc_restart+0xa7/0x135
[<c020b112>] dev_queue_xmit+0xba/0x19e
[<c0223f69>] ip_output+0x1eb/0x236
[<c0220907>] ip_forward+0x1c1/0x21a
[<c021fa6c>] ip_rcv+0x38e/0x3ea
[<c020b4c2>] netif_receive_skb+0x166/0x195
[<c020b55e>] process_backlog+0x6d/0xd2
[<c020a30f>] net_rx_action+0x6a/0xff
[<c0112909>] __do_softirq+0x35/0x7d
[<c0112973>] do_softirq+0x22/0x26
[<c0103a9d>] do_IRQ+0x1e/0x25
[<c010255a>] common_interrupt+0x1a/0x20
[<c01013c5>] default_idle+0x2b/0x53
[<c0101426>] cpu_idle+0x39/0x4e
[<c0328386>] start_kernel+0x20b/0x20d
Code: c0 e8 b3 b6 77 fc 85 c0 75 10 68 d8 c8 9b c3 e8 82 3d 75 fc 8b 43 60 5a eb 50 8d 56 50 c7 00 00 00 00 00 66 89 68 04 eb 02 89
ca <8b> 0a 85 c9 75 f8 89 02 89 da ff 46 54 8b 46 10 e8 30 79 fd ff
<0>Kernel panic - not syncing: Fatal exception in interrupt
That oops took me to the "ackqueue" implementation in capi.c. The crash
occured in capincci_add_ack() (auto-inlined by the compiler).
I read the code a bit and finally decided to replace the custom linked list
implementation (struct capiminor->ackqueue) by a struct list_head. That
did not solve the crash, but produced the following interresting oops:
Unable to handle kernel paging request at virtual address 00200200
printing eip:
c39bb1f5
*pde = 00000000
Oops: 0002 [#1]
Modules linked in: netconsole capi capifs 3c59x mii fcdsl kernelcapi uhci_hcd usbcore ide_cd cdrom
CPU: 0
EIP: 0060:[<c39bb1f5>] Tainted: P VLI
EFLAGS: 00010246 (2.6.16.11 #3)
EIP is at capiminor_del_ack+0x18/0x49 [capi]
eax: 00200200 ebx: c18d41a0 ecx: c1385620 edx: 00100100
esi: 0000d147 edi: 00001103 ebp: 0000d147 esp: c1093f3c
ds: 007b es: 007b ss: 0068
Process events/0 (pid: 3, threadinfo=c1092000 task=c1089030)
Stack: <0>c2a17580 c18d41a0 c39bbd16 00000038 c18d41e0 00000000 d147c640 c29e0b68
c29e0b90 00000212 c29e0b68 c39932b2 c29e0bb0 c10736a0 c0119ef0 c399326c
c10736a8 c10736a0 c10736b0 c0119f93 c011a06e 00000001 00000000 00000000
Call Trace:
[<c39bbd16>] handle_minor_send+0x1af/0x241 [capi]
[<c39932b2>] recv_handler+0x46/0x5f [kernelcapi]
[<c0119ef0>] run_workqueue+0x5e/0x8d
[<c399326c>] recv_handler+0x0/0x5f [kernelcapi]
[<c0119f93>] worker_thread+0x0/0x10b
[<c011a06e>] worker_thread+0xdb/0x10b
[<c010c998>] default_wake_function+0x0/0xc
[<c011c399>] kthread+0x90/0xbc
[<c011c309>] kthread+0x0/0xbc
[<c0100a65>] kernel_thread_helper+0x5/0xb
Code: 7e 02 89 ee 89 f0 5a f7 d0 c1 f8 1f 5b 21 f0 5e 5f 5d c3 56 53 8b 48 50 89 d6 89 c3 8b 11 eb 2f 66 39 71 08 75 25 8b 41 04 8b 11 <89> 10 89 42 04 c7 01 00 01 10 00 89 c8 c7 41 04 00 02 20 00 e8
The interresting part of it is the "virtual address 00200200", which is
LIST_POISON2. I thought about some race condition, but as this is an UP
system, it leads to questions on how it can happen. If we look at EFLAGS:
00010202, we see that interrupts are enabled at the time of the crash
(eflags & 0x200).
Finally, I don't understand all the capi code, but I think that
handle_minor_send() is racing somehow against capi_recv_message(), which
call both capiminor_del_ack(). So if an IRQ occurs in the middle of
capiminor_del_ack() and another instance of it is invoked, it leads to
linked list corruption.
I came up with the following patch. With this, I could not reproduce the
crash anymore. Clearly, this is not the correct fix for the issue. As this
seems to be some locking issue, there might be more locking issues in that
code. For example, doesn't the whole struct capiminor have to be locked
somehow?
Cc: Carsten Paeth <calle@calle.de>
Cc: Kai Germaschewski <kai.germaschewski@gmx.de>
Cc: Karsten Keil <kkeil@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-26 15:25:30 +08:00
|
|
|
INIT_LIST_HEAD(&mp->ackqueue);
|
|
|
|
spin_lock_init(&mp->ackqlock);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
skb_queue_head_init(&mp->inqueue);
|
|
|
|
skb_queue_head_init(&mp->outqueue);
|
2010-02-08 18:12:40 +08:00
|
|
|
spin_lock_init(&mp->outlock);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-02-08 18:12:29 +08:00
|
|
|
tty_port_init(&mp->port);
|
|
|
|
mp->port.ops = &capiminor_port_ops;
|
|
|
|
|
2010-02-08 18:12:23 +08:00
|
|
|
/* Allocate the least unused minor number. */
|
2010-02-08 18:12:33 +08:00
|
|
|
spin_lock(&capiminors_lock);
|
2010-02-08 18:12:23 +08:00
|
|
|
for (minor = 0; minor < capi_ttyminors; minor++)
|
|
|
|
if (!capiminors[minor]) {
|
|
|
|
capiminors[minor] = mp;
|
|
|
|
break;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2010-02-08 18:12:33 +08:00
|
|
|
spin_unlock(&capiminors_lock);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-02-08 18:12:23 +08:00
|
|
|
if (minor == capi_ttyminors) {
|
2005-04-17 06:20:36 +08:00
|
|
|
printk(KERN_NOTICE "capi: out of minors\n");
|
2010-02-08 18:12:25 +08:00
|
|
|
goto err_out1;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2010-02-08 18:12:23 +08:00
|
|
|
mp->minor = minor;
|
|
|
|
|
2012-08-08 03:47:47 +08:00
|
|
|
dev = tty_port_register_device(&mp->port, capinc_tty_driver, minor,
|
|
|
|
NULL);
|
2010-02-08 18:12:25 +08:00
|
|
|
if (IS_ERR(dev))
|
|
|
|
goto err_out2;
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
return mp;
|
2010-02-08 18:12:25 +08:00
|
|
|
|
|
|
|
err_out2:
|
2010-02-08 18:12:33 +08:00
|
|
|
spin_lock(&capiminors_lock);
|
2010-02-08 18:12:25 +08:00
|
|
|
capiminors[minor] = NULL;
|
2010-02-08 18:12:33 +08:00
|
|
|
spin_unlock(&capiminors_lock);
|
2010-02-08 18:12:25 +08:00
|
|
|
|
|
|
|
err_out1:
|
2012-11-15 16:49:50 +08:00
|
|
|
tty_port_put(&mp->port);
|
2010-02-08 18:12:25 +08:00
|
|
|
return NULL;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2010-02-08 18:12:25 +08:00
|
|
|
static struct capiminor *capiminor_get(unsigned int minor)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2010-02-08 18:12:23 +08:00
|
|
|
struct capiminor *mp;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-02-08 18:12:33 +08:00
|
|
|
spin_lock(&capiminors_lock);
|
2010-02-08 18:12:23 +08:00
|
|
|
mp = capiminors[minor];
|
2010-02-08 18:12:27 +08:00
|
|
|
if (mp)
|
2012-11-15 16:49:50 +08:00
|
|
|
tty_port_get(&mp->port);
|
2010-02-08 18:12:33 +08:00
|
|
|
spin_unlock(&capiminors_lock);
|
2010-02-08 18:12:23 +08:00
|
|
|
|
|
|
|
return mp;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2010-02-08 18:12:27 +08:00
|
|
|
static inline void capiminor_put(struct capiminor *mp)
|
|
|
|
{
|
2012-11-15 16:49:50 +08:00
|
|
|
tty_port_put(&mp->port);
|
2010-02-08 18:12:27 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static void capiminor_free(struct capiminor *mp)
|
|
|
|
{
|
|
|
|
tty_unregister_device(capinc_tty_driver, mp->minor);
|
|
|
|
|
2010-02-08 18:12:33 +08:00
|
|
|
spin_lock(&capiminors_lock);
|
2010-02-08 18:12:27 +08:00
|
|
|
capiminors[mp->minor] = NULL;
|
2010-02-08 18:12:33 +08:00
|
|
|
spin_unlock(&capiminors_lock);
|
2010-02-08 18:12:27 +08:00
|
|
|
|
|
|
|
capiminor_put(mp);
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/* -------- struct capincci ----------------------------------------- */
|
|
|
|
|
2010-02-08 18:12:16 +08:00
|
|
|
static void capincci_alloc_minor(struct capidev *cdev, struct capincci *np)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2011-04-06 18:58:37 +08:00
|
|
|
if (cdev->userflags & CAPIFLAG_HIGHJACKING)
|
|
|
|
np->minorp = capiminor_alloc(&cdev->ap, np->ncci);
|
2010-02-08 18:12:16 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static void capincci_free_minor(struct capincci *np)
|
|
|
|
{
|
|
|
|
struct capiminor *mp = np->minorp;
|
2010-02-08 18:12:29 +08:00
|
|
|
struct tty_struct *tty;
|
2010-02-08 18:12:16 +08:00
|
|
|
|
|
|
|
if (mp) {
|
2010-02-08 18:12:29 +08:00
|
|
|
tty = tty_port_tty_get(&mp->port);
|
|
|
|
if (tty) {
|
2010-02-08 18:12:31 +08:00
|
|
|
tty_vhangup(tty);
|
2010-02-08 18:12:29 +08:00
|
|
|
tty_kref_put(tty);
|
2010-02-08 18:12:16 +08:00
|
|
|
}
|
2010-02-08 18:12:29 +08:00
|
|
|
|
|
|
|
capiminor_free(mp);
|
2010-02-08 18:12:16 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline unsigned int capincci_minor_opencount(struct capincci *np)
|
|
|
|
{
|
|
|
|
struct capiminor *mp = np->minorp;
|
2010-02-08 18:12:34 +08:00
|
|
|
unsigned int count = 0;
|
|
|
|
struct tty_struct *tty;
|
2010-02-08 18:12:16 +08:00
|
|
|
|
2010-02-08 18:12:34 +08:00
|
|
|
if (mp) {
|
|
|
|
tty = tty_port_tty_get(&mp->port);
|
|
|
|
if (tty) {
|
|
|
|
count = tty->count;
|
|
|
|
tty_kref_put(tty);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return count;
|
2010-02-08 18:12:16 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
#else /* !CONFIG_ISDN_CAPI_MIDDLEWARE */
|
|
|
|
|
|
|
|
static inline void
|
|
|
|
capincci_alloc_minor(struct capidev *cdev, struct capincci *np) { }
|
|
|
|
static inline void capincci_free_minor(struct capincci *np) { }
|
|
|
|
|
|
|
|
#endif /* !CONFIG_ISDN_CAPI_MIDDLEWARE */
|
|
|
|
|
|
|
|
static struct capincci *capincci_alloc(struct capidev *cdev, u32 ncci)
|
|
|
|
{
|
2010-02-08 18:12:22 +08:00
|
|
|
struct capincci *np;
|
2010-02-08 18:12:16 +08:00
|
|
|
|
2010-02-08 18:12:20 +08:00
|
|
|
np = kzalloc(sizeof(*np), GFP_KERNEL);
|
2010-02-08 18:12:16 +08:00
|
|
|
if (!np)
|
|
|
|
return NULL;
|
|
|
|
np->ncci = ncci;
|
|
|
|
np->cdev = cdev;
|
|
|
|
|
|
|
|
capincci_alloc_minor(cdev, np);
|
|
|
|
|
2010-02-08 18:12:22 +08:00
|
|
|
list_add_tail(&np->list, &cdev->nccis);
|
|
|
|
|
|
|
|
return np;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static void capincci_free(struct capidev *cdev, u32 ncci)
|
|
|
|
{
|
2010-02-08 18:12:22 +08:00
|
|
|
struct capincci *np, *tmp;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-02-08 18:12:22 +08:00
|
|
|
list_for_each_entry_safe(np, tmp, &cdev->nccis, list)
|
2005-04-17 06:20:36 +08:00
|
|
|
if (ncci == 0xffffffff || np->ncci == ncci) {
|
2010-02-08 18:12:16 +08:00
|
|
|
capincci_free_minor(np);
|
2010-02-08 18:12:22 +08:00
|
|
|
list_del(&np->list);
|
2005-04-17 06:20:36 +08:00
|
|
|
kfree(np);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2012-04-25 21:02:20 +08:00
|
|
|
#ifdef CONFIG_ISDN_CAPI_MIDDLEWARE
|
2005-04-17 06:20:36 +08:00
|
|
|
static struct capincci *capincci_find(struct capidev *cdev, u32 ncci)
|
|
|
|
{
|
2010-02-08 18:12:22 +08:00
|
|
|
struct capincci *np;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-02-08 18:12:22 +08:00
|
|
|
list_for_each_entry(np, &cdev->nccis, list)
|
|
|
|
if (np->ncci == ncci)
|
|
|
|
return np;
|
|
|
|
return NULL;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/* -------- handle data queue --------------------------------------- */
|
|
|
|
|
|
|
|
static struct sk_buff *
|
|
|
|
gen_data_b3_resp_for(struct capiminor *mp, struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
struct sk_buff *nskb;
|
2010-02-08 18:12:40 +08:00
|
|
|
nskb = alloc_skb(CAPI_DATA_B3_RESP_LEN, GFP_KERNEL);
|
2005-04-17 06:20:36 +08:00
|
|
|
if (nskb) {
|
2012-02-20 11:52:38 +08:00
|
|
|
u16 datahandle = CAPIMSG_U16(skb->data, CAPIMSG_BASELEN + 4 + 4 + 2);
|
2005-04-17 06:20:36 +08:00
|
|
|
unsigned char *s = skb_put(nskb, CAPI_DATA_B3_RESP_LEN);
|
|
|
|
capimsg_setu16(s, 0, CAPI_DATA_B3_RESP_LEN);
|
|
|
|
capimsg_setu16(s, 2, mp->ap->applid);
|
|
|
|
capimsg_setu8 (s, 4, CAPI_DATA_B3);
|
|
|
|
capimsg_setu8 (s, 5, CAPI_RESP);
|
2010-02-08 18:12:38 +08:00
|
|
|
capimsg_setu16(s, 6, atomic_inc_return(&mp->msgid));
|
2005-04-17 06:20:36 +08:00
|
|
|
capimsg_setu32(s, 8, mp->ncci);
|
|
|
|
capimsg_setu16(s, 12, datahandle);
|
|
|
|
}
|
|
|
|
return nskb;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int handle_recv_skb(struct capiminor *mp, struct sk_buff *skb)
|
|
|
|
{
|
2010-02-08 18:12:36 +08:00
|
|
|
unsigned int datalen = skb->len - CAPIMSG_LEN(skb->data);
|
2010-02-08 18:12:29 +08:00
|
|
|
struct tty_struct *tty;
|
2005-04-17 06:20:36 +08:00
|
|
|
struct sk_buff *nskb;
|
|
|
|
u16 errcode, datahandle;
|
|
|
|
struct tty_ldisc *ld;
|
2010-02-08 18:12:29 +08:00
|
|
|
int ret = -1;
|
|
|
|
|
|
|
|
tty = tty_port_tty_get(&mp->port);
|
|
|
|
if (!tty) {
|
2011-05-20 06:20:29 +08:00
|
|
|
pr_debug("capi: currently no receiver\n");
|
2005-04-17 06:20:36 +08:00
|
|
|
return -1;
|
|
|
|
}
|
2012-02-20 11:52:38 +08:00
|
|
|
|
2010-02-08 18:12:29 +08:00
|
|
|
ld = tty_ldisc_ref(tty);
|
2010-02-08 18:12:36 +08:00
|
|
|
if (!ld) {
|
|
|
|
/* fatal error, do not requeue */
|
|
|
|
ret = 0;
|
|
|
|
kfree_skb(skb);
|
|
|
|
goto deref_tty;
|
|
|
|
}
|
2010-02-08 18:12:29 +08:00
|
|
|
|
2008-07-17 04:53:12 +08:00
|
|
|
if (ld->ops->receive_buf == NULL) {
|
2011-05-20 06:20:29 +08:00
|
|
|
pr_debug("capi: ldisc has no receive_buf function\n");
|
2010-02-08 18:12:36 +08:00
|
|
|
/* fatal error, do not requeue */
|
|
|
|
goto free_skb;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
if (mp->ttyinstop) {
|
2011-05-20 06:20:29 +08:00
|
|
|
pr_debug("capi: recv tty throttled\n");
|
2010-02-08 18:12:36 +08:00
|
|
|
goto deref_ldisc;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2010-02-08 18:12:36 +08:00
|
|
|
|
2010-02-08 18:12:29 +08:00
|
|
|
if (tty->receive_room < datalen) {
|
2011-05-20 06:20:29 +08:00
|
|
|
pr_debug("capi: no room in tty\n");
|
2010-02-08 18:12:36 +08:00
|
|
|
goto deref_ldisc;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2010-02-08 18:12:36 +08:00
|
|
|
|
|
|
|
nskb = gen_data_b3_resp_for(mp, skb);
|
|
|
|
if (!nskb) {
|
2005-04-17 06:20:36 +08:00
|
|
|
printk(KERN_ERR "capi: gen_data_b3_resp failed\n");
|
2010-02-08 18:12:36 +08:00
|
|
|
goto deref_ldisc;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2010-02-08 18:12:36 +08:00
|
|
|
|
|
|
|
datahandle = CAPIMSG_U16(skb->data, CAPIMSG_BASELEN + 4);
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
errcode = capi20_put_message(mp->ap, nskb);
|
2010-02-08 18:12:36 +08:00
|
|
|
|
|
|
|
if (errcode == CAPI_NOERROR) {
|
|
|
|
skb_pull(skb, CAPIMSG_LEN(skb->data));
|
2011-05-20 06:20:29 +08:00
|
|
|
pr_debug("capi: DATA_B3_RESP %u len=%d => ldisc\n",
|
|
|
|
datahandle, skb->len);
|
2010-02-08 18:12:36 +08:00
|
|
|
ld->ops->receive_buf(tty, skb->data, NULL, skb->len);
|
|
|
|
} else {
|
2005-04-17 06:20:36 +08:00
|
|
|
printk(KERN_ERR "capi: send DATA_B3_RESP failed=%x\n",
|
2012-02-20 11:52:38 +08:00
|
|
|
errcode);
|
2005-04-17 06:20:36 +08:00
|
|
|
kfree_skb(nskb);
|
2010-02-08 18:12:36 +08:00
|
|
|
|
|
|
|
if (errcode == CAPI_SENDQUEUEFULL)
|
|
|
|
goto deref_ldisc;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2010-02-08 18:12:36 +08:00
|
|
|
|
|
|
|
free_skb:
|
2010-02-08 18:12:29 +08:00
|
|
|
ret = 0;
|
2010-02-08 18:12:36 +08:00
|
|
|
kfree_skb(skb);
|
|
|
|
|
|
|
|
deref_ldisc:
|
2005-04-17 06:20:36 +08:00
|
|
|
tty_ldisc_deref(ld);
|
2010-02-08 18:12:36 +08:00
|
|
|
|
|
|
|
deref_tty:
|
2010-02-08 18:12:29 +08:00
|
|
|
tty_kref_put(tty);
|
|
|
|
return ret;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static void handle_minor_recv(struct capiminor *mp)
|
|
|
|
{
|
|
|
|
struct sk_buff *skb;
|
2010-02-08 18:12:39 +08:00
|
|
|
|
|
|
|
while ((skb = skb_dequeue(&mp->inqueue)) != NULL)
|
2005-04-17 06:20:36 +08:00
|
|
|
if (handle_recv_skb(mp, skb) < 0) {
|
|
|
|
skb_queue_head(&mp->inqueue, skb);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2010-02-08 18:12:42 +08:00
|
|
|
static void handle_minor_send(struct capiminor *mp)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2010-02-08 18:12:29 +08:00
|
|
|
struct tty_struct *tty;
|
2005-04-17 06:20:36 +08:00
|
|
|
struct sk_buff *skb;
|
|
|
|
u16 len;
|
|
|
|
u16 errcode;
|
|
|
|
u16 datahandle;
|
|
|
|
|
2010-02-08 18:12:29 +08:00
|
|
|
tty = tty_port_tty_get(&mp->port);
|
|
|
|
if (!tty)
|
2010-02-08 18:12:42 +08:00
|
|
|
return;
|
2010-02-08 18:12:29 +08:00
|
|
|
|
|
|
|
if (mp->ttyoutstop) {
|
2011-05-20 06:20:29 +08:00
|
|
|
pr_debug("capi: send: tty stopped\n");
|
2010-02-08 18:12:29 +08:00
|
|
|
tty_kref_put(tty);
|
2010-02-08 18:12:42 +08:00
|
|
|
return;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2010-02-08 18:12:40 +08:00
|
|
|
while (1) {
|
|
|
|
spin_lock_bh(&mp->outlock);
|
|
|
|
skb = __skb_dequeue(&mp->outqueue);
|
|
|
|
if (!skb) {
|
|
|
|
spin_unlock_bh(&mp->outlock);
|
|
|
|
break;
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
len = (u16)skb->len;
|
2010-02-08 18:12:40 +08:00
|
|
|
mp->outbytes -= len;
|
|
|
|
spin_unlock_bh(&mp->outlock);
|
|
|
|
|
|
|
|
datahandle = atomic_inc_return(&mp->datahandle);
|
2005-04-17 06:20:36 +08:00
|
|
|
skb_push(skb, CAPI_DATA_B3_REQ_LEN);
|
|
|
|
memset(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
|
|
|
|
capimsg_setu16(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
|
|
|
|
capimsg_setu16(skb->data, 2, mp->ap->applid);
|
|
|
|
capimsg_setu8 (skb->data, 4, CAPI_DATA_B3);
|
|
|
|
capimsg_setu8 (skb->data, 5, CAPI_REQ);
|
2010-02-08 18:12:38 +08:00
|
|
|
capimsg_setu16(skb->data, 6, atomic_inc_return(&mp->msgid));
|
2005-04-17 06:20:36 +08:00
|
|
|
capimsg_setu32(skb->data, 8, mp->ncci); /* NCCI */
|
2007-07-17 19:04:22 +08:00
|
|
|
capimsg_setu32(skb->data, 12, (u32)(long)skb->data);/* Data32 */
|
2005-04-17 06:20:36 +08:00
|
|
|
capimsg_setu16(skb->data, 16, len); /* Data length */
|
|
|
|
capimsg_setu16(skb->data, 18, datahandle);
|
|
|
|
capimsg_setu16(skb->data, 20, 0); /* Flags */
|
|
|
|
|
2010-02-08 18:12:16 +08:00
|
|
|
if (capiminor_add_ack(mp, datahandle) < 0) {
|
2005-04-17 06:20:36 +08:00
|
|
|
skb_pull(skb, CAPI_DATA_B3_REQ_LEN);
|
2010-02-08 18:12:40 +08:00
|
|
|
|
|
|
|
spin_lock_bh(&mp->outlock);
|
|
|
|
__skb_queue_head(&mp->outqueue, skb);
|
|
|
|
mp->outbytes += len;
|
|
|
|
spin_unlock_bh(&mp->outlock);
|
|
|
|
|
2010-02-08 18:12:42 +08:00
|
|
|
break;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
errcode = capi20_put_message(mp->ap, skb);
|
|
|
|
if (errcode == CAPI_NOERROR) {
|
2011-05-20 06:20:29 +08:00
|
|
|
pr_debug("capi: DATA_B3_REQ %u len=%u\n",
|
|
|
|
datahandle, len);
|
2005-04-17 06:20:36 +08:00
|
|
|
continue;
|
|
|
|
}
|
|
|
|
capiminor_del_ack(mp, datahandle);
|
|
|
|
|
|
|
|
if (errcode == CAPI_SENDQUEUEFULL) {
|
|
|
|
skb_pull(skb, CAPI_DATA_B3_REQ_LEN);
|
2010-02-08 18:12:40 +08:00
|
|
|
|
|
|
|
spin_lock_bh(&mp->outlock);
|
|
|
|
__skb_queue_head(&mp->outqueue, skb);
|
|
|
|
mp->outbytes += len;
|
|
|
|
spin_unlock_bh(&mp->outlock);
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* ups, drop packet */
|
|
|
|
printk(KERN_ERR "capi: put_message = %x\n", errcode);
|
|
|
|
kfree_skb(skb);
|
|
|
|
}
|
2010-02-08 18:12:29 +08:00
|
|
|
tty_kref_put(tty);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
#endif /* CONFIG_ISDN_CAPI_MIDDLEWARE */
|
|
|
|
/* -------- function called by lower level -------------------------- */
|
|
|
|
|
|
|
|
static void capi_recv_message(struct capi20_appl *ap, struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
struct capidev *cdev = ap->private;
|
|
|
|
#ifdef CONFIG_ISDN_CAPI_MIDDLEWARE
|
|
|
|
struct capiminor *mp;
|
|
|
|
u16 datahandle;
|
|
|
|
struct capincci *np;
|
2012-04-25 21:02:20 +08:00
|
|
|
#endif /* CONFIG_ISDN_CAPI_MIDDLEWARE */
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-02-08 18:12:19 +08:00
|
|
|
mutex_lock(&cdev->lock);
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
if (CAPIMSG_CMD(skb->data) == CAPI_CONNECT_B3_CONF) {
|
|
|
|
u16 info = CAPIMSG_U16(skb->data, 12); // Info field
|
2010-02-08 18:12:19 +08:00
|
|
|
if ((info & 0xff00) == 0)
|
2005-04-17 06:20:36 +08:00
|
|
|
capincci_alloc(cdev, CAPIMSG_NCCI(skb->data));
|
|
|
|
}
|
2010-02-08 18:12:19 +08:00
|
|
|
if (CAPIMSG_CMD(skb->data) == CAPI_CONNECT_B3_IND)
|
2005-04-17 06:20:36 +08:00
|
|
|
capincci_alloc(cdev, CAPIMSG_NCCI(skb->data));
|
2010-02-08 18:12:19 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
if (CAPIMSG_COMMAND(skb->data) != CAPI_DATA_B3) {
|
|
|
|
skb_queue_tail(&cdev->recvqueue, skb);
|
|
|
|
wake_up_interruptible(&cdev->recvwait);
|
2010-02-08 18:12:19 +08:00
|
|
|
goto unlock_out;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2010-02-08 18:12:19 +08:00
|
|
|
|
2012-04-25 21:02:20 +08:00
|
|
|
#ifndef CONFIG_ISDN_CAPI_MIDDLEWARE
|
|
|
|
skb_queue_tail(&cdev->recvqueue, skb);
|
|
|
|
wake_up_interruptible(&cdev->recvwait);
|
|
|
|
|
|
|
|
#else /* CONFIG_ISDN_CAPI_MIDDLEWARE */
|
|
|
|
|
2010-02-08 18:12:19 +08:00
|
|
|
np = capincci_find(cdev, CAPIMSG_CONTROL(skb->data));
|
2005-04-17 06:20:36 +08:00
|
|
|
if (!np) {
|
|
|
|
printk(KERN_ERR "BUG: capi_signal: ncci not found\n");
|
|
|
|
skb_queue_tail(&cdev->recvqueue, skb);
|
|
|
|
wake_up_interruptible(&cdev->recvwait);
|
2010-02-08 18:12:19 +08:00
|
|
|
goto unlock_out;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2010-02-08 18:12:16 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
mp = np->minorp;
|
|
|
|
if (!mp) {
|
|
|
|
skb_queue_tail(&cdev->recvqueue, skb);
|
|
|
|
wake_up_interruptible(&cdev->recvwait);
|
2010-02-08 18:12:19 +08:00
|
|
|
goto unlock_out;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
if (CAPIMSG_SUBCOMMAND(skb->data) == CAPI_IND) {
|
2012-02-20 11:52:38 +08:00
|
|
|
datahandle = CAPIMSG_U16(skb->data, CAPIMSG_BASELEN + 4 + 4 + 2);
|
2011-05-20 06:20:29 +08:00
|
|
|
pr_debug("capi_signal: DATA_B3_IND %u len=%d\n",
|
|
|
|
datahandle, skb->len-CAPIMSG_LEN(skb->data));
|
2005-04-17 06:20:36 +08:00
|
|
|
skb_queue_tail(&mp->inqueue, skb);
|
2010-02-08 18:12:39 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
handle_minor_recv(mp);
|
|
|
|
|
|
|
|
} else if (CAPIMSG_SUBCOMMAND(skb->data) == CAPI_CONF) {
|
|
|
|
|
2012-02-20 11:52:38 +08:00
|
|
|
datahandle = CAPIMSG_U16(skb->data, CAPIMSG_BASELEN + 4);
|
2011-05-20 06:20:29 +08:00
|
|
|
pr_debug("capi_signal: DATA_B3_CONF %u 0x%x\n",
|
|
|
|
datahandle,
|
2012-02-20 11:52:38 +08:00
|
|
|
CAPIMSG_U16(skb->data, CAPIMSG_BASELEN + 4 + 2));
|
2005-04-17 06:20:36 +08:00
|
|
|
kfree_skb(skb);
|
2010-02-08 18:12:41 +08:00
|
|
|
capiminor_del_ack(mp, datahandle);
|
2013-03-07 20:12:29 +08:00
|
|
|
tty_port_tty_wakeup(&mp->port);
|
2010-02-08 18:12:42 +08:00
|
|
|
handle_minor_send(mp);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
} else {
|
|
|
|
/* ups, let capi application handle it :-) */
|
|
|
|
skb_queue_tail(&cdev->recvqueue, skb);
|
|
|
|
wake_up_interruptible(&cdev->recvwait);
|
|
|
|
}
|
|
|
|
#endif /* CONFIG_ISDN_CAPI_MIDDLEWARE */
|
2010-02-08 18:12:16 +08:00
|
|
|
|
2010-02-08 18:12:19 +08:00
|
|
|
unlock_out:
|
|
|
|
mutex_unlock(&cdev->lock);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/* -------- file_operations for capidev ----------------------------- */
|
|
|
|
|
|
|
|
static ssize_t
|
|
|
|
capi_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)
|
|
|
|
{
|
2010-07-12 18:50:02 +08:00
|
|
|
struct capidev *cdev = file->private_data;
|
2005-04-17 06:20:36 +08:00
|
|
|
struct sk_buff *skb;
|
|
|
|
size_t copied;
|
2010-02-08 18:12:21 +08:00
|
|
|
int err;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
if (!cdev->ap.applid)
|
|
|
|
return -ENODEV;
|
|
|
|
|
2010-02-08 18:12:21 +08:00
|
|
|
skb = skb_dequeue(&cdev->recvqueue);
|
|
|
|
if (!skb) {
|
2005-04-17 06:20:36 +08:00
|
|
|
if (file->f_flags & O_NONBLOCK)
|
|
|
|
return -EAGAIN;
|
2010-02-08 18:12:21 +08:00
|
|
|
err = wait_event_interruptible(cdev->recvwait,
|
2012-02-20 11:52:38 +08:00
|
|
|
(skb = skb_dequeue(&cdev->recvqueue)));
|
2010-02-08 18:12:21 +08:00
|
|
|
if (err)
|
|
|
|
return err;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
if (skb->len > count) {
|
|
|
|
skb_queue_head(&cdev->recvqueue, skb);
|
|
|
|
return -EMSGSIZE;
|
|
|
|
}
|
|
|
|
if (copy_to_user(buf, skb->data, skb->len)) {
|
|
|
|
skb_queue_head(&cdev->recvqueue, skb);
|
|
|
|
return -EFAULT;
|
|
|
|
}
|
|
|
|
copied = skb->len;
|
|
|
|
|
|
|
|
kfree_skb(skb);
|
|
|
|
|
|
|
|
return copied;
|
|
|
|
}
|
|
|
|
|
|
|
|
static ssize_t
|
|
|
|
capi_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos)
|
|
|
|
{
|
2010-07-12 18:50:02 +08:00
|
|
|
struct capidev *cdev = file->private_data;
|
2005-04-17 06:20:36 +08:00
|
|
|
struct sk_buff *skb;
|
|
|
|
u16 mlen;
|
|
|
|
|
|
|
|
if (!cdev->ap.applid)
|
|
|
|
return -ENODEV;
|
|
|
|
|
|
|
|
skb = alloc_skb(count, GFP_USER);
|
|
|
|
if (!skb)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
if (copy_from_user(skb_put(skb, count), buf, count)) {
|
|
|
|
kfree_skb(skb);
|
|
|
|
return -EFAULT;
|
|
|
|
}
|
|
|
|
mlen = CAPIMSG_LEN(skb->data);
|
|
|
|
if (CAPIMSG_CMD(skb->data) == CAPI_DATA_B3_REQ) {
|
|
|
|
if ((size_t)(mlen + CAPIMSG_DATALEN(skb->data)) != count) {
|
|
|
|
kfree_skb(skb);
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if (mlen != count) {
|
|
|
|
kfree_skb(skb);
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
CAPIMSG_SETAPPID(skb->data, cdev->ap.applid);
|
|
|
|
|
|
|
|
if (CAPIMSG_CMD(skb->data) == CAPI_DISCONNECT_B3_RESP) {
|
2010-02-08 18:12:19 +08:00
|
|
|
mutex_lock(&cdev->lock);
|
2005-04-17 06:20:36 +08:00
|
|
|
capincci_free(cdev, CAPIMSG_NCCI(skb->data));
|
2010-02-08 18:12:19 +08:00
|
|
|
mutex_unlock(&cdev->lock);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
cdev->errcode = capi20_put_message(&cdev->ap, skb);
|
|
|
|
|
|
|
|
if (cdev->errcode) {
|
|
|
|
kfree_skb(skb);
|
|
|
|
return -EIO;
|
|
|
|
}
|
|
|
|
return count;
|
|
|
|
}
|
|
|
|
|
2017-07-03 18:39:46 +08:00
|
|
|
static __poll_t
|
2012-02-20 11:52:38 +08:00
|
|
|
capi_poll(struct file *file, poll_table *wait)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2010-07-12 18:50:02 +08:00
|
|
|
struct capidev *cdev = file->private_data;
|
2017-07-03 18:39:46 +08:00
|
|
|
__poll_t mask = 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
if (!cdev->ap.applid)
|
2018-02-12 06:34:03 +08:00
|
|
|
return EPOLLERR;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
poll_wait(file, &(cdev->recvwait), wait);
|
2018-02-12 06:34:03 +08:00
|
|
|
mask = EPOLLOUT | EPOLLWRNORM;
|
2005-04-17 06:20:36 +08:00
|
|
|
if (!skb_queue_empty(&cdev->recvqueue))
|
2018-02-12 06:34:03 +08:00
|
|
|
mask |= EPOLLIN | EPOLLRDNORM;
|
2005-04-17 06:20:36 +08:00
|
|
|
return mask;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
2010-04-27 06:24:02 +08:00
|
|
|
capi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
struct capidev *cdev = file->private_data;
|
|
|
|
capi_ioctl_struct data;
|
|
|
|
int retval = -EINVAL;
|
|
|
|
void __user *argp = (void __user *)arg;
|
|
|
|
|
|
|
|
switch (cmd) {
|
|
|
|
case CAPI_REGISTER:
|
2010-02-08 18:12:19 +08:00
|
|
|
mutex_lock(&cdev->lock);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-02-08 18:12:19 +08:00
|
|
|
if (cdev->ap.applid) {
|
|
|
|
retval = -EEXIST;
|
|
|
|
goto register_out;
|
|
|
|
}
|
|
|
|
if (copy_from_user(&cdev->ap.rparam, argp,
|
|
|
|
sizeof(struct capi_register_params))) {
|
|
|
|
retval = -EFAULT;
|
|
|
|
goto register_out;
|
|
|
|
}
|
|
|
|
cdev->ap.private = cdev;
|
|
|
|
cdev->ap.recv_message = capi_recv_message;
|
|
|
|
cdev->errcode = capi20_register(&cdev->ap);
|
|
|
|
retval = (int)cdev->ap.applid;
|
|
|
|
if (cdev->errcode) {
|
|
|
|
cdev->ap.applid = 0;
|
|
|
|
retval = -EIO;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2010-02-08 18:12:19 +08:00
|
|
|
|
|
|
|
register_out:
|
|
|
|
mutex_unlock(&cdev->lock);
|
|
|
|
return retval;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
case CAPI_GET_VERSION:
|
2012-02-20 11:52:38 +08:00
|
|
|
if (copy_from_user(&data.contr, argp,
|
|
|
|
sizeof(data.contr)))
|
|
|
|
return -EFAULT;
|
|
|
|
cdev->errcode = capi20_get_version(data.contr, &data.version);
|
|
|
|
if (cdev->errcode)
|
|
|
|
return -EIO;
|
|
|
|
if (copy_to_user(argp, &data.version,
|
|
|
|
sizeof(data.version)))
|
|
|
|
return -EFAULT;
|
2012-04-25 21:02:20 +08:00
|
|
|
return 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
case CAPI_GET_SERIAL:
|
2012-02-20 11:52:38 +08:00
|
|
|
if (copy_from_user(&data.contr, argp,
|
|
|
|
sizeof(data.contr)))
|
|
|
|
return -EFAULT;
|
|
|
|
cdev->errcode = capi20_get_serial(data.contr, data.serial);
|
|
|
|
if (cdev->errcode)
|
|
|
|
return -EIO;
|
|
|
|
if (copy_to_user(argp, data.serial,
|
|
|
|
sizeof(data.serial)))
|
|
|
|
return -EFAULT;
|
2012-04-25 21:02:20 +08:00
|
|
|
return 0;
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
case CAPI_GET_PROFILE:
|
2012-02-20 11:52:38 +08:00
|
|
|
if (copy_from_user(&data.contr, argp,
|
|
|
|
sizeof(data.contr)))
|
|
|
|
return -EFAULT;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2012-02-20 11:52:38 +08:00
|
|
|
if (data.contr == 0) {
|
|
|
|
cdev->errcode = capi20_get_profile(data.contr, &data.profile);
|
|
|
|
if (cdev->errcode)
|
|
|
|
return -EIO;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2012-02-20 11:52:38 +08:00
|
|
|
retval = copy_to_user(argp,
|
|
|
|
&data.profile.ncontroller,
|
|
|
|
sizeof(data.profile.ncontroller));
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2012-02-20 11:52:38 +08:00
|
|
|
} else {
|
|
|
|
cdev->errcode = capi20_get_profile(data.contr, &data.profile);
|
|
|
|
if (cdev->errcode)
|
|
|
|
return -EIO;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2012-02-20 11:52:38 +08:00
|
|
|
retval = copy_to_user(argp, &data.profile,
|
|
|
|
sizeof(data.profile));
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2012-02-20 11:52:38 +08:00
|
|
|
if (retval)
|
|
|
|
return -EFAULT;
|
2012-04-25 21:02:20 +08:00
|
|
|
return 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
case CAPI_GET_MANUFACTURER:
|
2012-02-20 11:52:38 +08:00
|
|
|
if (copy_from_user(&data.contr, argp,
|
|
|
|
sizeof(data.contr)))
|
|
|
|
return -EFAULT;
|
|
|
|
cdev->errcode = capi20_get_manufacturer(data.contr, data.manufacturer);
|
|
|
|
if (cdev->errcode)
|
|
|
|
return -EIO;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2012-02-20 11:52:38 +08:00
|
|
|
if (copy_to_user(argp, data.manufacturer,
|
|
|
|
sizeof(data.manufacturer)))
|
|
|
|
return -EFAULT;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2012-04-25 21:02:20 +08:00
|
|
|
return 0;
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
case CAPI_GET_ERRCODE:
|
|
|
|
data.errcode = cdev->errcode;
|
|
|
|
cdev->errcode = CAPI_NOERROR;
|
|
|
|
if (arg) {
|
|
|
|
if (copy_to_user(argp, &data.errcode,
|
|
|
|
sizeof(data.errcode)))
|
|
|
|
return -EFAULT;
|
|
|
|
}
|
|
|
|
return data.errcode;
|
|
|
|
|
|
|
|
case CAPI_INSTALLED:
|
|
|
|
if (capi20_isinstalled() == CAPI_NOERROR)
|
|
|
|
return 0;
|
|
|
|
return -ENXIO;
|
|
|
|
|
2012-04-25 21:02:20 +08:00
|
|
|
case CAPI_MANUFACTURER_CMD: {
|
2012-02-20 11:52:38 +08:00
|
|
|
struct capi_manufacturer_cmd mcmd;
|
|
|
|
if (!capable(CAP_SYS_ADMIN))
|
|
|
|
return -EPERM;
|
|
|
|
if (copy_from_user(&mcmd, argp, sizeof(mcmd)))
|
|
|
|
return -EFAULT;
|
|
|
|
return capi20_manufacturer(mcmd.cmd, mcmd.data);
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
case CAPI_SET_FLAGS:
|
2010-02-08 18:12:19 +08:00
|
|
|
case CAPI_CLR_FLAGS: {
|
|
|
|
unsigned userflags;
|
|
|
|
|
|
|
|
if (copy_from_user(&userflags, argp, sizeof(userflags)))
|
|
|
|
return -EFAULT;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-02-08 18:12:19 +08:00
|
|
|
mutex_lock(&cdev->lock);
|
|
|
|
if (cmd == CAPI_SET_FLAGS)
|
|
|
|
cdev->userflags |= userflags;
|
|
|
|
else
|
|
|
|
cdev->userflags &= ~userflags;
|
|
|
|
mutex_unlock(&cdev->lock);
|
|
|
|
return 0;
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
case CAPI_GET_FLAGS:
|
|
|
|
if (copy_to_user(argp, &cdev->userflags,
|
|
|
|
sizeof(cdev->userflags)))
|
|
|
|
return -EFAULT;
|
|
|
|
return 0;
|
|
|
|
|
2012-04-25 21:02:20 +08:00
|
|
|
#ifndef CONFIG_ISDN_CAPI_MIDDLEWARE
|
|
|
|
case CAPI_NCCI_OPENCOUNT:
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
#else /* CONFIG_ISDN_CAPI_MIDDLEWARE */
|
2010-02-08 18:12:19 +08:00
|
|
|
case CAPI_NCCI_OPENCOUNT: {
|
|
|
|
struct capincci *nccip;
|
|
|
|
unsigned ncci;
|
|
|
|
int count = 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-02-08 18:12:19 +08:00
|
|
|
if (copy_from_user(&ncci, argp, sizeof(ncci)))
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
mutex_lock(&cdev->lock);
|
|
|
|
nccip = capincci_find(cdev, (u32)ncci);
|
|
|
|
if (nccip)
|
|
|
|
count = capincci_minor_opencount(nccip);
|
|
|
|
mutex_unlock(&cdev->lock);
|
|
|
|
return count;
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-02-08 18:12:19 +08:00
|
|
|
case CAPI_NCCI_GETUNIT: {
|
|
|
|
struct capincci *nccip;
|
|
|
|
struct capiminor *mp;
|
|
|
|
unsigned ncci;
|
|
|
|
int unit = -ESRCH;
|
|
|
|
|
|
|
|
if (copy_from_user(&ncci, argp, sizeof(ncci)))
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
mutex_lock(&cdev->lock);
|
|
|
|
nccip = capincci_find(cdev, (u32)ncci);
|
|
|
|
if (nccip) {
|
|
|
|
mp = nccip->minorp;
|
|
|
|
if (mp)
|
|
|
|
unit = mp->minor;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2010-02-08 18:12:19 +08:00
|
|
|
mutex_unlock(&cdev->lock);
|
|
|
|
return unit;
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
#endif /* CONFIG_ISDN_CAPI_MIDDLEWARE */
|
2010-02-08 18:12:19 +08:00
|
|
|
|
|
|
|
default:
|
|
|
|
return -EINVAL;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2010-04-27 06:24:02 +08:00
|
|
|
static long
|
|
|
|
capi_unlocked_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
|
|
|
|
{
|
|
|
|
int ret;
|
|
|
|
|
2010-07-11 19:18:53 +08:00
|
|
|
mutex_lock(&capi_mutex);
|
2010-04-27 06:24:02 +08:00
|
|
|
ret = capi_ioctl(file, cmd, arg);
|
2010-07-11 19:18:53 +08:00
|
|
|
mutex_unlock(&capi_mutex);
|
2010-04-27 06:24:02 +08:00
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2010-02-08 18:12:18 +08:00
|
|
|
static int capi_open(struct inode *inode, struct file *file)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2010-02-08 18:12:18 +08:00
|
|
|
struct capidev *cdev;
|
|
|
|
|
|
|
|
cdev = kzalloc(sizeof(*cdev), GFP_KERNEL);
|
|
|
|
if (!cdev)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
2010-02-08 18:12:19 +08:00
|
|
|
mutex_init(&cdev->lock);
|
2010-02-08 18:12:18 +08:00
|
|
|
skb_queue_head_init(&cdev->recvqueue);
|
|
|
|
init_waitqueue_head(&cdev->recvwait);
|
2010-02-08 18:12:22 +08:00
|
|
|
INIT_LIST_HEAD(&cdev->nccis);
|
2010-02-08 18:12:18 +08:00
|
|
|
file->private_data = cdev;
|
|
|
|
|
|
|
|
mutex_lock(&capidev_list_lock);
|
|
|
|
list_add_tail(&cdev->list, &capidev_list);
|
|
|
|
mutex_unlock(&capidev_list_lock);
|
|
|
|
|
|
|
|
return nonseekable_open(inode, file);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2010-02-08 18:12:18 +08:00
|
|
|
static int capi_release(struct inode *inode, struct file *file)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2010-02-08 18:12:18 +08:00
|
|
|
struct capidev *cdev = file->private_data;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-02-08 18:12:18 +08:00
|
|
|
mutex_lock(&capidev_list_lock);
|
|
|
|
list_del(&cdev->list);
|
|
|
|
mutex_unlock(&capidev_list_lock);
|
|
|
|
|
2010-02-08 18:12:19 +08:00
|
|
|
if (cdev->ap.applid)
|
2010-02-08 18:12:18 +08:00
|
|
|
capi20_release(&cdev->ap);
|
|
|
|
skb_queue_purge(&cdev->recvqueue);
|
|
|
|
capincci_free(cdev, 0xffffffff);
|
|
|
|
|
|
|
|
kfree(cdev);
|
2005-04-17 06:20:36 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2007-02-12 16:55:32 +08:00
|
|
|
static const struct file_operations capi_fops =
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
.owner = THIS_MODULE,
|
|
|
|
.llseek = no_llseek,
|
|
|
|
.read = capi_read,
|
|
|
|
.write = capi_write,
|
|
|
|
.poll = capi_poll,
|
2010-04-27 06:24:02 +08:00
|
|
|
.unlocked_ioctl = capi_unlocked_ioctl,
|
2005-04-17 06:20:36 +08:00
|
|
|
.open = capi_open,
|
|
|
|
.release = capi_release,
|
|
|
|
};
|
|
|
|
|
|
|
|
#ifdef CONFIG_ISDN_CAPI_MIDDLEWARE
|
|
|
|
/* -------- tty_operations for capincci ----------------------------- */
|
|
|
|
|
2010-02-08 18:12:28 +08:00
|
|
|
static int
|
|
|
|
capinc_tty_install(struct tty_driver *driver, struct tty_struct *tty)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2012-03-05 21:52:01 +08:00
|
|
|
struct capiminor *mp = capiminor_get(tty->index);
|
2012-01-31 04:14:30 +08:00
|
|
|
int ret = tty_standard_install(driver, tty);
|
2010-02-08 18:12:28 +08:00
|
|
|
|
2012-01-31 04:14:30 +08:00
|
|
|
if (ret == 0)
|
2010-02-08 18:12:28 +08:00
|
|
|
tty->driver_data = mp;
|
2012-01-31 04:14:30 +08:00
|
|
|
else
|
2010-02-08 18:12:28 +08:00
|
|
|
capiminor_put(mp);
|
|
|
|
return ret;
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-02-08 18:12:28 +08:00
|
|
|
static void capinc_tty_cleanup(struct tty_struct *tty)
|
|
|
|
{
|
|
|
|
struct capiminor *mp = tty->driver_data;
|
|
|
|
tty->driver_data = NULL;
|
|
|
|
capiminor_put(mp);
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-02-08 18:12:29 +08:00
|
|
|
static int capinc_tty_open(struct tty_struct *tty, struct file *filp)
|
2010-02-08 18:12:28 +08:00
|
|
|
{
|
|
|
|
struct capiminor *mp = tty->driver_data;
|
2010-02-08 18:12:29 +08:00
|
|
|
int err;
|
|
|
|
|
|
|
|
err = tty_port_open(&mp->port, tty, filp);
|
|
|
|
if (err)
|
|
|
|
return err;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
handle_minor_recv(mp);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2010-02-08 18:12:29 +08:00
|
|
|
static void capinc_tty_close(struct tty_struct *tty, struct file *filp)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2010-02-08 18:12:28 +08:00
|
|
|
struct capiminor *mp = tty->driver_data;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-02-08 18:12:29 +08:00
|
|
|
tty_port_close(&mp->port, tty, filp);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2010-02-08 18:12:32 +08:00
|
|
|
static int capinc_tty_write(struct tty_struct *tty,
|
2005-04-17 06:20:36 +08:00
|
|
|
const unsigned char *buf, int count)
|
|
|
|
{
|
2010-02-08 18:12:30 +08:00
|
|
|
struct capiminor *mp = tty->driver_data;
|
2005-04-17 06:20:36 +08:00
|
|
|
struct sk_buff *skb;
|
|
|
|
|
2011-05-20 06:20:29 +08:00
|
|
|
pr_debug("capinc_tty_write(count=%d)\n", count);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-02-08 18:12:40 +08:00
|
|
|
spin_lock_bh(&mp->outlock);
|
|
|
|
skb = mp->outskb;
|
2005-04-17 06:20:36 +08:00
|
|
|
if (skb) {
|
2010-02-08 18:12:40 +08:00
|
|
|
mp->outskb = NULL;
|
|
|
|
__skb_queue_tail(&mp->outqueue, skb);
|
2005-04-17 06:20:36 +08:00
|
|
|
mp->outbytes += skb->len;
|
|
|
|
}
|
|
|
|
|
2012-02-20 11:52:38 +08:00
|
|
|
skb = alloc_skb(CAPI_DATA_B3_REQ_LEN + count, GFP_ATOMIC);
|
2005-04-17 06:20:36 +08:00
|
|
|
if (!skb) {
|
|
|
|
printk(KERN_ERR "capinc_tty_write: alloc_skb failed\n");
|
2010-02-08 18:12:40 +08:00
|
|
|
spin_unlock_bh(&mp->outlock);
|
2005-04-17 06:20:36 +08:00
|
|
|
return -ENOMEM;
|
|
|
|
}
|
|
|
|
|
|
|
|
skb_reserve(skb, CAPI_DATA_B3_REQ_LEN);
|
networking: introduce and use skb_put_data()
A common pattern with skb_put() is to just want to memcpy()
some data into the new space, introduce skb_put_data() for
this.
An spatch similar to the one for skb_put_zero() converts many
of the places using it:
@@
identifier p, p2;
expression len, skb, data;
type t, t2;
@@
(
-p = skb_put(skb, len);
+p = skb_put_data(skb, data, len);
|
-p = (t)skb_put(skb, len);
+p = skb_put_data(skb, data, len);
)
(
p2 = (t2)p;
-memcpy(p2, data, len);
|
-memcpy(p, data, len);
)
@@
type t, t2;
identifier p, p2;
expression skb, data;
@@
t *p;
...
(
-p = skb_put(skb, sizeof(t));
+p = skb_put_data(skb, data, sizeof(t));
|
-p = (t *)skb_put(skb, sizeof(t));
+p = skb_put_data(skb, data, sizeof(t));
)
(
p2 = (t2)p;
-memcpy(p2, data, sizeof(*p));
|
-memcpy(p, data, sizeof(*p));
)
@@
expression skb, len, data;
@@
-memcpy(skb_put(skb, len), data, len);
+skb_put_data(skb, data, len);
(again, manually post-processed to retain some comments)
Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 20:29:20 +08:00
|
|
|
skb_put_data(skb, buf, count);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-02-08 18:12:40 +08:00
|
|
|
__skb_queue_tail(&mp->outqueue, skb);
|
2005-04-17 06:20:36 +08:00
|
|
|
mp->outbytes += skb->len;
|
2010-02-08 18:12:40 +08:00
|
|
|
spin_unlock_bh(&mp->outlock);
|
|
|
|
|
2010-02-08 18:12:42 +08:00
|
|
|
handle_minor_send(mp);
|
2010-02-08 18:12:40 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
return count;
|
|
|
|
}
|
|
|
|
|
2008-04-30 15:54:09 +08:00
|
|
|
static int capinc_tty_put_char(struct tty_struct *tty, unsigned char ch)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2010-02-08 18:12:30 +08:00
|
|
|
struct capiminor *mp = tty->driver_data;
|
2010-02-08 18:12:40 +08:00
|
|
|
bool invoke_send = false;
|
2005-04-17 06:20:36 +08:00
|
|
|
struct sk_buff *skb;
|
2008-04-30 15:54:09 +08:00
|
|
|
int ret = 1;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-05-20 06:20:29 +08:00
|
|
|
pr_debug("capinc_put_char(%u)\n", ch);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-02-08 18:12:40 +08:00
|
|
|
spin_lock_bh(&mp->outlock);
|
|
|
|
skb = mp->outskb;
|
2005-04-17 06:20:36 +08:00
|
|
|
if (skb) {
|
|
|
|
if (skb_tailroom(skb) > 0) {
|
networking: add and use skb_put_u8()
Joe and Bjørn suggested that it'd be nicer to not have the
cast in the fairly common case of doing
*(u8 *)skb_put(skb, 1) = c;
Add skb_put_u8() for this case, and use it across the code,
using the following spatch:
@@
expression SKB, C, S;
typedef u8;
identifier fn = {skb_put};
fresh identifier fn2 = fn ## "_u8";
@@
- *(u8 *)fn(SKB, S) = C;
+ fn2(SKB, C);
Note that due to the "S", the spatch isn't perfect, it should
have checked that S is 1, but there's also places that use a
sizeof expression like sizeof(var) or sizeof(u8) etc. Turns
out that nobody ever did something like
*(u8 *)skb_put(skb, 2) = c;
which would be wrong anyway since the second byte wouldn't be
initialized.
Suggested-by: Joe Perches <joe@perches.com>
Suggested-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 20:29:24 +08:00
|
|
|
skb_put_u8(skb, ch);
|
2010-02-08 18:12:40 +08:00
|
|
|
goto unlock_out;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2010-02-08 18:12:40 +08:00
|
|
|
mp->outskb = NULL;
|
|
|
|
__skb_queue_tail(&mp->outqueue, skb);
|
2005-04-17 06:20:36 +08:00
|
|
|
mp->outbytes += skb->len;
|
2010-02-08 18:12:40 +08:00
|
|
|
invoke_send = true;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2010-02-08 18:12:40 +08:00
|
|
|
|
2012-02-20 11:52:38 +08:00
|
|
|
skb = alloc_skb(CAPI_DATA_B3_REQ_LEN + CAPI_MAX_BLKSIZE, GFP_ATOMIC);
|
2005-04-17 06:20:36 +08:00
|
|
|
if (skb) {
|
|
|
|
skb_reserve(skb, CAPI_DATA_B3_REQ_LEN);
|
networking: add and use skb_put_u8()
Joe and Bjørn suggested that it'd be nicer to not have the
cast in the fairly common case of doing
*(u8 *)skb_put(skb, 1) = c;
Add skb_put_u8() for this case, and use it across the code,
using the following spatch:
@@
expression SKB, C, S;
typedef u8;
identifier fn = {skb_put};
fresh identifier fn2 = fn ## "_u8";
@@
- *(u8 *)fn(SKB, S) = C;
+ fn2(SKB, C);
Note that due to the "S", the spatch isn't perfect, it should
have checked that S is 1, but there's also places that use a
sizeof expression like sizeof(var) or sizeof(u8) etc. Turns
out that nobody ever did something like
*(u8 *)skb_put(skb, 2) = c;
which would be wrong anyway since the second byte wouldn't be
initialized.
Suggested-by: Joe Perches <joe@perches.com>
Suggested-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 20:29:24 +08:00
|
|
|
skb_put_u8(skb, ch);
|
2010-02-08 18:12:40 +08:00
|
|
|
mp->outskb = skb;
|
2005-04-17 06:20:36 +08:00
|
|
|
} else {
|
|
|
|
printk(KERN_ERR "capinc_put_char: char %u lost\n", ch);
|
2008-04-30 15:54:09 +08:00
|
|
|
ret = 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2010-02-08 18:12:40 +08:00
|
|
|
|
|
|
|
unlock_out:
|
|
|
|
spin_unlock_bh(&mp->outlock);
|
|
|
|
|
|
|
|
if (invoke_send)
|
2010-02-08 18:12:42 +08:00
|
|
|
handle_minor_send(mp);
|
2010-02-08 18:12:40 +08:00
|
|
|
|
2008-04-30 15:54:09 +08:00
|
|
|
return ret;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static void capinc_tty_flush_chars(struct tty_struct *tty)
|
|
|
|
{
|
2010-02-08 18:12:30 +08:00
|
|
|
struct capiminor *mp = tty->driver_data;
|
2005-04-17 06:20:36 +08:00
|
|
|
struct sk_buff *skb;
|
|
|
|
|
2011-05-20 06:20:29 +08:00
|
|
|
pr_debug("capinc_tty_flush_chars\n");
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-02-08 18:12:40 +08:00
|
|
|
spin_lock_bh(&mp->outlock);
|
|
|
|
skb = mp->outskb;
|
2005-04-17 06:20:36 +08:00
|
|
|
if (skb) {
|
2010-02-08 18:12:40 +08:00
|
|
|
mp->outskb = NULL;
|
|
|
|
__skb_queue_tail(&mp->outqueue, skb);
|
2005-04-17 06:20:36 +08:00
|
|
|
mp->outbytes += skb->len;
|
2010-02-08 18:12:40 +08:00
|
|
|
spin_unlock_bh(&mp->outlock);
|
|
|
|
|
2010-02-08 18:12:42 +08:00
|
|
|
handle_minor_send(mp);
|
2010-02-08 18:12:40 +08:00
|
|
|
} else
|
|
|
|
spin_unlock_bh(&mp->outlock);
|
|
|
|
|
|
|
|
handle_minor_recv(mp);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static int capinc_tty_write_room(struct tty_struct *tty)
|
|
|
|
{
|
2010-02-08 18:12:30 +08:00
|
|
|
struct capiminor *mp = tty->driver_data;
|
2005-04-17 06:20:36 +08:00
|
|
|
int room;
|
2010-02-08 18:12:30 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
room = CAPINC_MAX_SENDQUEUE-skb_queue_len(&mp->outqueue);
|
|
|
|
room *= CAPI_MAX_BLKSIZE;
|
2011-05-20 06:20:29 +08:00
|
|
|
pr_debug("capinc_tty_write_room = %d\n", room);
|
2005-04-17 06:20:36 +08:00
|
|
|
return room;
|
|
|
|
}
|
|
|
|
|
2005-05-01 23:59:29 +08:00
|
|
|
static int capinc_tty_chars_in_buffer(struct tty_struct *tty)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2010-02-08 18:12:30 +08:00
|
|
|
struct capiminor *mp = tty->driver_data;
|
|
|
|
|
2011-05-20 06:20:29 +08:00
|
|
|
pr_debug("capinc_tty_chars_in_buffer = %d nack=%d sq=%d rq=%d\n",
|
|
|
|
mp->outbytes, mp->nack,
|
|
|
|
skb_queue_len(&mp->outqueue),
|
|
|
|
skb_queue_len(&mp->inqueue));
|
2005-04-17 06:20:36 +08:00
|
|
|
return mp->outbytes;
|
|
|
|
}
|
|
|
|
|
2011-02-15 00:27:22 +08:00
|
|
|
static int capinc_tty_ioctl(struct tty_struct *tty,
|
2012-02-20 11:52:38 +08:00
|
|
|
unsigned int cmd, unsigned long arg)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2011-02-15 00:27:22 +08:00
|
|
|
return -ENOIOCTLCMD;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2012-02-20 11:52:38 +08:00
|
|
|
static void capinc_tty_set_termios(struct tty_struct *tty, struct ktermios *old)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2011-05-20 06:20:29 +08:00
|
|
|
pr_debug("capinc_tty_set_termios\n");
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2010-02-08 18:12:30 +08:00
|
|
|
static void capinc_tty_throttle(struct tty_struct *tty)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2010-02-08 18:12:30 +08:00
|
|
|
struct capiminor *mp = tty->driver_data;
|
2011-05-20 06:20:29 +08:00
|
|
|
pr_debug("capinc_tty_throttle\n");
|
2010-02-08 18:12:30 +08:00
|
|
|
mp->ttyinstop = 1;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2010-02-08 18:12:30 +08:00
|
|
|
static void capinc_tty_unthrottle(struct tty_struct *tty)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2010-02-08 18:12:30 +08:00
|
|
|
struct capiminor *mp = tty->driver_data;
|
|
|
|
|
2011-05-20 06:20:29 +08:00
|
|
|
pr_debug("capinc_tty_unthrottle\n");
|
2010-02-08 18:12:30 +08:00
|
|
|
mp->ttyinstop = 0;
|
|
|
|
handle_minor_recv(mp);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static void capinc_tty_stop(struct tty_struct *tty)
|
|
|
|
{
|
2010-02-08 18:12:30 +08:00
|
|
|
struct capiminor *mp = tty->driver_data;
|
|
|
|
|
2011-05-20 06:20:29 +08:00
|
|
|
pr_debug("capinc_tty_stop\n");
|
2010-02-08 18:12:30 +08:00
|
|
|
mp->ttyoutstop = 1;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static void capinc_tty_start(struct tty_struct *tty)
|
|
|
|
{
|
2010-02-08 18:12:30 +08:00
|
|
|
struct capiminor *mp = tty->driver_data;
|
|
|
|
|
2011-05-20 06:20:29 +08:00
|
|
|
pr_debug("capinc_tty_start\n");
|
2010-02-08 18:12:30 +08:00
|
|
|
mp->ttyoutstop = 0;
|
2010-02-08 18:12:42 +08:00
|
|
|
handle_minor_send(mp);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static void capinc_tty_hangup(struct tty_struct *tty)
|
|
|
|
{
|
2010-02-08 18:12:29 +08:00
|
|
|
struct capiminor *mp = tty->driver_data;
|
|
|
|
|
2011-05-20 06:20:29 +08:00
|
|
|
pr_debug("capinc_tty_hangup\n");
|
2010-02-08 18:12:29 +08:00
|
|
|
tty_port_hangup(&mp->port);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2008-07-22 18:18:03 +08:00
|
|
|
static int capinc_tty_break_ctl(struct tty_struct *tty, int state)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2011-05-20 06:20:29 +08:00
|
|
|
pr_debug("capinc_tty_break_ctl(%d)\n", state);
|
2008-07-22 18:18:03 +08:00
|
|
|
return 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static void capinc_tty_flush_buffer(struct tty_struct *tty)
|
|
|
|
{
|
2011-05-20 06:20:29 +08:00
|
|
|
pr_debug("capinc_tty_flush_buffer\n");
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static void capinc_tty_set_ldisc(struct tty_struct *tty)
|
|
|
|
{
|
2011-05-20 06:20:29 +08:00
|
|
|
pr_debug("capinc_tty_set_ldisc\n");
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static void capinc_tty_send_xchar(struct tty_struct *tty, char ch)
|
|
|
|
{
|
2011-05-20 06:20:29 +08:00
|
|
|
pr_debug("capinc_tty_send_xchar(%d)\n", ch);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2006-10-02 17:17:18 +08:00
|
|
|
static const struct tty_operations capinc_ops = {
|
2005-04-17 06:20:36 +08:00
|
|
|
.open = capinc_tty_open,
|
|
|
|
.close = capinc_tty_close,
|
|
|
|
.write = capinc_tty_write,
|
|
|
|
.put_char = capinc_tty_put_char,
|
|
|
|
.flush_chars = capinc_tty_flush_chars,
|
|
|
|
.write_room = capinc_tty_write_room,
|
|
|
|
.chars_in_buffer = capinc_tty_chars_in_buffer,
|
|
|
|
.ioctl = capinc_tty_ioctl,
|
|
|
|
.set_termios = capinc_tty_set_termios,
|
|
|
|
.throttle = capinc_tty_throttle,
|
|
|
|
.unthrottle = capinc_tty_unthrottle,
|
|
|
|
.stop = capinc_tty_stop,
|
|
|
|
.start = capinc_tty_start,
|
|
|
|
.hangup = capinc_tty_hangup,
|
|
|
|
.break_ctl = capinc_tty_break_ctl,
|
|
|
|
.flush_buffer = capinc_tty_flush_buffer,
|
|
|
|
.set_ldisc = capinc_tty_set_ldisc,
|
|
|
|
.send_xchar = capinc_tty_send_xchar,
|
2010-02-08 18:12:28 +08:00
|
|
|
.install = capinc_tty_install,
|
|
|
|
.cleanup = capinc_tty_cleanup,
|
2005-04-17 06:20:36 +08:00
|
|
|
};
|
|
|
|
|
2010-02-08 18:12:24 +08:00
|
|
|
static int __init capinc_tty_init(void)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
struct tty_driver *drv;
|
2010-02-08 18:12:24 +08:00
|
|
|
int err;
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
if (capi_ttyminors > CAPINC_MAX_PORTS)
|
|
|
|
capi_ttyminors = CAPINC_MAX_PORTS;
|
|
|
|
if (capi_ttyminors <= 0)
|
|
|
|
capi_ttyminors = CAPINC_NR_PORTS;
|
|
|
|
|
2014-07-29 23:16:44 +08:00
|
|
|
capiminors = kzalloc(sizeof(struct capiminor *) * capi_ttyminors,
|
2010-02-08 18:12:23 +08:00
|
|
|
GFP_KERNEL);
|
|
|
|
if (!capiminors)
|
2005-04-17 06:20:36 +08:00
|
|
|
return -ENOMEM;
|
|
|
|
|
2010-02-08 18:12:23 +08:00
|
|
|
drv = alloc_tty_driver(capi_ttyminors);
|
|
|
|
if (!drv) {
|
|
|
|
kfree(capiminors);
|
|
|
|
return -ENOMEM;
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
drv->driver_name = "capi_nc";
|
2014-06-02 05:47:24 +08:00
|
|
|
drv->name = "capi!";
|
2010-02-08 18:12:26 +08:00
|
|
|
drv->major = 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
drv->minor_start = 0;
|
|
|
|
drv->type = TTY_DRIVER_TYPE_SERIAL;
|
|
|
|
drv->subtype = SERIAL_TYPE_NORMAL;
|
|
|
|
drv->init_termios = tty_std_termios;
|
|
|
|
drv->init_termios.c_iflag = ICRNL;
|
|
|
|
drv->init_termios.c_oflag = OPOST | ONLCR;
|
|
|
|
drv->init_termios.c_cflag = B9600 | CS8 | CREAD | HUPCL | CLOCAL;
|
|
|
|
drv->init_termios.c_lflag = 0;
|
2010-02-08 18:12:25 +08:00
|
|
|
drv->flags =
|
|
|
|
TTY_DRIVER_REAL_RAW | TTY_DRIVER_RESET_TERMIOS |
|
|
|
|
TTY_DRIVER_DYNAMIC_DEV;
|
2005-04-17 06:20:36 +08:00
|
|
|
tty_set_operations(drv, &capinc_ops);
|
2010-02-08 18:12:24 +08:00
|
|
|
|
|
|
|
err = tty_register_driver(drv);
|
|
|
|
if (err) {
|
2005-04-17 06:20:36 +08:00
|
|
|
put_tty_driver(drv);
|
2010-02-08 18:12:23 +08:00
|
|
|
kfree(capiminors);
|
2005-04-17 06:20:36 +08:00
|
|
|
printk(KERN_ERR "Couldn't register capi_nc driver\n");
|
2010-02-08 18:12:24 +08:00
|
|
|
return err;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
capinc_tty_driver = drv;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2010-02-08 18:12:24 +08:00
|
|
|
static void __exit capinc_tty_exit(void)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2010-02-08 18:12:24 +08:00
|
|
|
tty_unregister_driver(capinc_tty_driver);
|
|
|
|
put_tty_driver(capinc_tty_driver);
|
2010-02-08 18:12:23 +08:00
|
|
|
kfree(capiminors);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2010-02-08 18:12:16 +08:00
|
|
|
#else /* !CONFIG_ISDN_CAPI_MIDDLEWARE */
|
|
|
|
|
|
|
|
static inline int capinc_tty_init(void)
|
|
|
|
{
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline void capinc_tty_exit(void) { }
|
|
|
|
|
|
|
|
#endif /* !CONFIG_ISDN_CAPI_MIDDLEWARE */
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/* -------- /proc functions ----------------------------------------- */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* /proc/capi/capi20:
|
|
|
|
* minor applid nrecvctlpkt nrecvdatapkt nsendctlpkt nsenddatapkt
|
|
|
|
*/
|
2010-01-14 19:10:54 +08:00
|
|
|
static int capi20_proc_show(struct seq_file *m, void *v)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2012-02-20 11:52:38 +08:00
|
|
|
struct capidev *cdev;
|
2005-04-17 06:20:36 +08:00
|
|
|
struct list_head *l;
|
|
|
|
|
2010-02-08 18:12:17 +08:00
|
|
|
mutex_lock(&capidev_list_lock);
|
2005-04-17 06:20:36 +08:00
|
|
|
list_for_each(l, &capidev_list) {
|
|
|
|
cdev = list_entry(l, struct capidev, list);
|
2010-01-14 19:10:54 +08:00
|
|
|
seq_printf(m, "0 %d %lu %lu %lu %lu\n",
|
2012-02-20 11:52:38 +08:00
|
|
|
cdev->ap.applid,
|
|
|
|
cdev->ap.nrecvctlpkt,
|
|
|
|
cdev->ap.nrecvdatapkt,
|
|
|
|
cdev->ap.nsentctlpkt,
|
|
|
|
cdev->ap.nsentdatapkt);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2010-02-08 18:12:17 +08:00
|
|
|
mutex_unlock(&capidev_list_lock);
|
2010-01-14 19:10:54 +08:00
|
|
|
return 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2010-01-14 19:10:54 +08:00
|
|
|
static int capi20_proc_open(struct inode *inode, struct file *file)
|
|
|
|
{
|
|
|
|
return single_open(file, capi20_proc_show, NULL);
|
|
|
|
}
|
|
|
|
|
|
|
|
static const struct file_operations capi20_proc_fops = {
|
|
|
|
.owner = THIS_MODULE,
|
|
|
|
.open = capi20_proc_open,
|
|
|
|
.read = seq_read,
|
|
|
|
.llseek = seq_lseek,
|
|
|
|
.release = single_release,
|
|
|
|
};
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* /proc/capi/capi20ncci:
|
|
|
|
* applid ncci
|
|
|
|
*/
|
2010-01-14 19:10:54 +08:00
|
|
|
static int capi20ncci_proc_show(struct seq_file *m, void *v)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2010-02-08 18:12:22 +08:00
|
|
|
struct capidev *cdev;
|
|
|
|
struct capincci *np;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-02-08 18:12:17 +08:00
|
|
|
mutex_lock(&capidev_list_lock);
|
2010-02-08 18:12:22 +08:00
|
|
|
list_for_each_entry(cdev, &capidev_list, list) {
|
2010-02-08 18:12:19 +08:00
|
|
|
mutex_lock(&cdev->lock);
|
2010-02-08 18:12:22 +08:00
|
|
|
list_for_each_entry(np, &cdev->nccis, list)
|
|
|
|
seq_printf(m, "%d 0x%x\n", cdev->ap.applid, np->ncci);
|
2010-02-08 18:12:19 +08:00
|
|
|
mutex_unlock(&cdev->lock);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2010-02-08 18:12:17 +08:00
|
|
|
mutex_unlock(&capidev_list_lock);
|
2010-01-14 19:10:54 +08:00
|
|
|
return 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2010-01-14 19:10:54 +08:00
|
|
|
static int capi20ncci_proc_open(struct inode *inode, struct file *file)
|
|
|
|
{
|
|
|
|
return single_open(file, capi20ncci_proc_show, NULL);
|
|
|
|
}
|
|
|
|
|
|
|
|
static const struct file_operations capi20ncci_proc_fops = {
|
|
|
|
.owner = THIS_MODULE,
|
|
|
|
.open = capi20ncci_proc_open,
|
|
|
|
.read = seq_read,
|
|
|
|
.llseek = seq_lseek,
|
|
|
|
.release = single_release,
|
2005-04-17 06:20:36 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
static void __init proc_init(void)
|
|
|
|
{
|
2010-01-14 19:10:54 +08:00
|
|
|
proc_create("capi/capi20", 0, NULL, &capi20_proc_fops);
|
|
|
|
proc_create("capi/capi20ncci", 0, NULL, &capi20ncci_proc_fops);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static void __exit proc_exit(void)
|
|
|
|
{
|
2010-01-14 19:10:54 +08:00
|
|
|
remove_proc_entry("capi/capi20", NULL);
|
|
|
|
remove_proc_entry("capi/capi20ncci", NULL);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/* -------- init function and module interface ---------------------- */
|
|
|
|
|
|
|
|
|
|
|
|
static int __init capi_init(void)
|
|
|
|
{
|
2010-02-08 18:12:09 +08:00
|
|
|
const char *compileinfo;
|
2006-03-28 17:56:19 +08:00
|
|
|
int major_ret;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2006-03-28 17:56:19 +08:00
|
|
|
major_ret = register_chrdev(capi_major, "capi20", &capi_fops);
|
|
|
|
if (major_ret < 0) {
|
2005-04-17 06:20:36 +08:00
|
|
|
printk(KERN_ERR "capi20: unable to get major %d\n", capi_major);
|
2006-03-28 17:56:19 +08:00
|
|
|
return major_ret;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2005-03-24 02:01:41 +08:00
|
|
|
capi_class = class_create(THIS_MODULE, "capi");
|
2005-04-17 06:20:36 +08:00
|
|
|
if (IS_ERR(capi_class)) {
|
|
|
|
unregister_chrdev(capi_major, "capi20");
|
|
|
|
return PTR_ERR(capi_class);
|
|
|
|
}
|
|
|
|
|
2014-06-02 05:47:24 +08:00
|
|
|
device_create(capi_class, NULL, MKDEV(capi_major, 0), NULL, "capi20");
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
if (capinc_tty_init() < 0) {
|
2007-09-25 08:03:03 +08:00
|
|
|
device_destroy(capi_class, MKDEV(capi_major, 0));
|
2005-03-24 02:01:41 +08:00
|
|
|
class_destroy(capi_class);
|
2005-04-17 06:20:36 +08:00
|
|
|
unregister_chrdev(capi_major, "capi20");
|
|
|
|
return -ENOMEM;
|
|
|
|
}
|
|
|
|
|
|
|
|
proc_init();
|
|
|
|
|
2011-04-06 18:58:37 +08:00
|
|
|
#ifdef CONFIG_ISDN_CAPI_MIDDLEWARE
|
2012-02-20 11:52:38 +08:00
|
|
|
compileinfo = " (middleware)";
|
2005-04-17 06:20:36 +08:00
|
|
|
#else
|
2012-02-20 11:52:38 +08:00
|
|
|
compileinfo = " (no middleware)";
|
2005-04-17 06:20:36 +08:00
|
|
|
#endif
|
2010-02-08 18:12:09 +08:00
|
|
|
printk(KERN_NOTICE "CAPI 2.0 started up with major %d%s\n",
|
|
|
|
capi_major, compileinfo);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void __exit capi_exit(void)
|
|
|
|
{
|
|
|
|
proc_exit();
|
|
|
|
|
2007-09-25 08:03:03 +08:00
|
|
|
device_destroy(capi_class, MKDEV(capi_major, 0));
|
2005-03-24 02:01:41 +08:00
|
|
|
class_destroy(capi_class);
|
2005-04-17 06:20:36 +08:00
|
|
|
unregister_chrdev(capi_major, "capi20");
|
|
|
|
|
|
|
|
capinc_tty_exit();
|
|
|
|
}
|
|
|
|
|
|
|
|
module_init(capi_init);
|
|
|
|
module_exit(capi_exit);
|