xref: /linux/drivers/net/ppp/ppp_async.c (revision a0efa2f362a69e47b9d8b48f770ef3a0249a7911)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * PPP async serial channel driver for Linux.
4  *
5  * Copyright 1999 Paul Mackerras.
6  *
7  * This driver provides the encapsulation and framing for sending
8  * and receiving PPP frames over async serial lines.  It relies on
9  * the generic PPP layer to give it frames to send and to process
10  * received frames.  It implements the PPP line discipline.
11  *
12  * Part of the code in this driver was inspired by the old async-only
13  * PPP driver, written by Michael Callahan and Al Longyear, and
14  * subsequently hacked by Paul Mackerras.
15  */
16 
17 #include <linux/module.h>
18 #include <linux/kernel.h>
19 #include <linux/skbuff.h>
20 #include <linux/tty.h>
21 #include <linux/netdevice.h>
22 #include <linux/poll.h>
23 #include <linux/crc-ccitt.h>
24 #include <linux/ppp_defs.h>
25 #include <linux/ppp-ioctl.h>
26 #include <linux/ppp_channel.h>
27 #include <linux/spinlock.h>
28 #include <linux/init.h>
29 #include <linux/interrupt.h>
30 #include <linux/jiffies.h>
31 #include <linux/slab.h>
32 #include <linux/unaligned.h>
33 #include <linux/uaccess.h>
34 #include <asm/string.h>
35 
36 #define PPP_VERSION	"2.4.2"
37 
38 #define OBUFSIZE	4096
39 
40 /* Structure for storing local state. */
41 struct asyncppp {
42 	struct tty_struct *tty;
43 	unsigned int	flags;
44 	unsigned int	state;
45 	unsigned int	rbits;
46 	int		mru;
47 	spinlock_t	xmit_lock;
48 	spinlock_t	recv_lock;
49 	unsigned long	xmit_flags;
50 	u32		xaccm[8];
51 	u32		raccm;
52 	unsigned int	bytes_sent;
53 	unsigned int	bytes_rcvd;
54 
55 	struct sk_buff	*tpkt;
56 	int		tpkt_pos;
57 	u16		tfcs;
58 	unsigned char	*optr;
59 	unsigned char	*olim;
60 	unsigned long	last_xmit;
61 
62 	struct sk_buff	*rpkt;
63 	int		lcp_fcs;
64 	struct sk_buff_head rqueue;
65 
66 	struct tasklet_struct tsk;
67 
68 	refcount_t	refcnt;
69 	struct completion dead;
70 	struct ppp_channel chan;	/* interface to generic ppp layer */
71 	unsigned char	obuf[OBUFSIZE];
72 };
73 
74 /* Bit numbers in xmit_flags */
75 #define XMIT_WAKEUP	0
76 #define XMIT_FULL	1
77 #define XMIT_BUSY	2
78 
79 /* State bits */
80 #define SC_TOSS		1
81 #define SC_ESCAPE	2
82 #define SC_PREV_ERROR	4
83 
84 /* Bits in rbits */
85 #define SC_RCV_BITS	(SC_RCV_B7_1|SC_RCV_B7_0|SC_RCV_ODDP|SC_RCV_EVNP)
86 
87 static int flag_time = HZ;
88 module_param(flag_time, int, 0);
89 MODULE_PARM_DESC(flag_time, "ppp_async: interval between flagged packets (in clock ticks)");
90 MODULE_DESCRIPTION("PPP async serial channel module");
91 MODULE_LICENSE("GPL");
92 MODULE_ALIAS_LDISC(N_PPP);
93 
94 /*
95  * Prototypes.
96  */
97 static int ppp_async_encode(struct asyncppp *ap);
98 static int ppp_async_send(struct ppp_channel *chan, struct sk_buff *skb);
99 static int ppp_async_push(struct asyncppp *ap);
100 static void ppp_async_flush_output(struct asyncppp *ap);
101 static void ppp_async_input(struct asyncppp *ap, const unsigned char *buf,
102 			    const u8 *flags, int count);
103 static int ppp_async_ioctl(struct ppp_channel *chan, unsigned int cmd,
104 			   unsigned long arg);
105 static void ppp_async_process(struct tasklet_struct *t);
106 
107 static void async_lcp_peek(struct asyncppp *ap, unsigned char *data,
108 			   int len, int inbound);
109 
110 static const struct ppp_channel_ops async_ops = {
111 	.start_xmit = ppp_async_send,
112 	.ioctl      = ppp_async_ioctl,
113 };
114 
115 /*
116  * Routines implementing the PPP line discipline.
117  */
118 
119 /*
120  * We have a potential race on dereferencing tty->disc_data,
121  * because the tty layer provides no locking at all - thus one
122  * cpu could be running ppp_asynctty_receive while another
123  * calls ppp_asynctty_close, which zeroes tty->disc_data and
124  * frees the memory that ppp_asynctty_receive is using.  The best
125  * way to fix this is to use a rwlock in the tty struct, but for now
126  * we use a single global rwlock for all ttys in ppp line discipline.
127  *
128  * FIXME: this is no longer true. The _close path for the ldisc is
129  * now guaranteed to be sane.
130  */
131 static DEFINE_RWLOCK(disc_data_lock);
132 
133 static struct asyncppp *ap_get(struct tty_struct *tty)
134 {
135 	struct asyncppp *ap;
136 
137 	read_lock(&disc_data_lock);
138 	ap = tty->disc_data;
139 	if (ap != NULL)
140 		refcount_inc(&ap->refcnt);
141 	read_unlock(&disc_data_lock);
142 	return ap;
143 }
144 
145 static void ap_put(struct asyncppp *ap)
146 {
147 	if (refcount_dec_and_test(&ap->refcnt))
148 		complete(&ap->dead);
149 }
150 
151 /*
152  * Called when a tty is put into PPP line discipline. Called in process
153  * context.
154  */
155 static int
156 ppp_asynctty_open(struct tty_struct *tty)
157 {
158 	struct asyncppp *ap;
159 	int err;
160 	int speed;
161 
162 	if (tty->ops->write == NULL)
163 		return -EOPNOTSUPP;
164 
165 	err = -ENOMEM;
166 	ap = kzalloc(sizeof(*ap), GFP_KERNEL);
167 	if (!ap)
168 		goto out;
169 
170 	/* initialize the asyncppp structure */
171 	ap->tty = tty;
172 	ap->mru = PPP_MRU;
173 	spin_lock_init(&ap->xmit_lock);
174 	spin_lock_init(&ap->recv_lock);
175 	ap->xaccm[0] = ~0U;
176 	ap->xaccm[3] = 0x60000000U;
177 	ap->raccm = ~0U;
178 	ap->optr = ap->obuf;
179 	ap->olim = ap->obuf;
180 	ap->lcp_fcs = -1;
181 
182 	skb_queue_head_init(&ap->rqueue);
183 	tasklet_setup(&ap->tsk, ppp_async_process);
184 
185 	refcount_set(&ap->refcnt, 1);
186 	init_completion(&ap->dead);
187 
188 	ap->chan.private = ap;
189 	ap->chan.ops = &async_ops;
190 	ap->chan.mtu = PPP_MRU;
191 	speed = tty_get_baud_rate(tty);
192 	ap->chan.speed = speed;
193 	err = ppp_register_channel(&ap->chan);
194 	if (err)
195 		goto out_free;
196 
197 	tty->disc_data = ap;
198 	tty->receive_room = 65536;
199 	return 0;
200 
201  out_free:
202 	kfree(ap);
203  out:
204 	return err;
205 }
206 
207 /*
208  * Called when the tty is put into another line discipline
209  * or it hangs up.  We have to wait for any cpu currently
210  * executing in any of the other ppp_asynctty_* routines to
211  * finish before we can call ppp_unregister_channel and free
212  * the asyncppp struct.  This routine must be called from
213  * process context, not interrupt or softirq context.
214  */
215 static void
216 ppp_asynctty_close(struct tty_struct *tty)
217 {
218 	struct asyncppp *ap;
219 
220 	write_lock_irq(&disc_data_lock);
221 	ap = tty->disc_data;
222 	tty->disc_data = NULL;
223 	write_unlock_irq(&disc_data_lock);
224 	if (!ap)
225 		return;
226 
227 	/*
228 	 * We have now ensured that nobody can start using ap from now
229 	 * on, but we have to wait for all existing users to finish.
230 	 * Note that ppp_unregister_channel ensures that no calls to
231 	 * our channel ops (i.e. ppp_async_send/ioctl) are in progress
232 	 * by the time it returns.
233 	 */
234 	if (!refcount_dec_and_test(&ap->refcnt))
235 		wait_for_completion(&ap->dead);
236 	tasklet_kill(&ap->tsk);
237 
238 	ppp_unregister_channel(&ap->chan);
239 	kfree_skb(ap->rpkt);
240 	skb_queue_purge(&ap->rqueue);
241 	kfree_skb(ap->tpkt);
242 	kfree(ap);
243 }
244 
245 /*
246  * Called on tty hangup in process context.
247  *
248  * Wait for I/O to driver to complete and unregister PPP channel.
249  * This is already done by the close routine, so just call that.
250  */
251 static void ppp_asynctty_hangup(struct tty_struct *tty)
252 {
253 	ppp_asynctty_close(tty);
254 }
255 
256 /*
257  * Read does nothing - no data is ever available this way.
258  * Pppd reads and writes packets via /dev/ppp instead.
259  */
260 static ssize_t
261 ppp_asynctty_read(struct tty_struct *tty, struct file *file, u8 *buf,
262 		  size_t count, void **cookie, unsigned long offset)
263 {
264 	return -EAGAIN;
265 }
266 
267 /*
268  * Write on the tty does nothing, the packets all come in
269  * from the ppp generic stuff.
270  */
271 static ssize_t
272 ppp_asynctty_write(struct tty_struct *tty, struct file *file, const u8 *buf,
273 		   size_t count)
274 {
275 	return -EAGAIN;
276 }
277 
278 /*
279  * Called in process context only. May be re-entered by multiple
280  * ioctl calling threads.
281  */
282 
283 static int
284 ppp_asynctty_ioctl(struct tty_struct *tty, unsigned int cmd, unsigned long arg)
285 {
286 	struct asyncppp *ap = ap_get(tty);
287 	int err, val;
288 	int __user *p = (int __user *)arg;
289 
290 	if (!ap)
291 		return -ENXIO;
292 	err = -EFAULT;
293 	switch (cmd) {
294 	case PPPIOCGCHAN:
295 		err = -EFAULT;
296 		if (put_user(ppp_channel_index(&ap->chan), p))
297 			break;
298 		err = 0;
299 		break;
300 
301 	case PPPIOCGUNIT:
302 		err = -EFAULT;
303 		if (put_user(ppp_unit_number(&ap->chan), p))
304 			break;
305 		err = 0;
306 		break;
307 
308 	case TCFLSH:
309 		/* flush our buffers and the serial port's buffer */
310 		if (arg == TCIOFLUSH || arg == TCOFLUSH)
311 			ppp_async_flush_output(ap);
312 		err = n_tty_ioctl_helper(tty, cmd, arg);
313 		break;
314 
315 	case FIONREAD:
316 		val = 0;
317 		if (put_user(val, p))
318 			break;
319 		err = 0;
320 		break;
321 
322 	default:
323 		/* Try the various mode ioctls */
324 		err = tty_mode_ioctl(tty, cmd, arg);
325 	}
326 
327 	ap_put(ap);
328 	return err;
329 }
330 
331 /* May sleep, don't call from interrupt level or with interrupts disabled */
332 static void
333 ppp_asynctty_receive(struct tty_struct *tty, const u8 *buf, const u8 *cflags,
334 		     size_t count)
335 {
336 	struct asyncppp *ap = ap_get(tty);
337 	unsigned long flags;
338 
339 	if (!ap)
340 		return;
341 	spin_lock_irqsave(&ap->recv_lock, flags);
342 	ppp_async_input(ap, buf, cflags, count);
343 	spin_unlock_irqrestore(&ap->recv_lock, flags);
344 	if (!skb_queue_empty(&ap->rqueue))
345 		tasklet_schedule(&ap->tsk);
346 	ap_put(ap);
347 	tty_unthrottle(tty);
348 }
349 
350 static void
351 ppp_asynctty_wakeup(struct tty_struct *tty)
352 {
353 	struct asyncppp *ap = ap_get(tty);
354 
355 	clear_bit(TTY_DO_WRITE_WAKEUP, &tty->flags);
356 	if (!ap)
357 		return;
358 	set_bit(XMIT_WAKEUP, &ap->xmit_flags);
359 	tasklet_schedule(&ap->tsk);
360 	ap_put(ap);
361 }
362 
363 
364 static struct tty_ldisc_ops ppp_ldisc = {
365 	.owner  = THIS_MODULE,
366 	.num	= N_PPP,
367 	.name	= "ppp",
368 	.open	= ppp_asynctty_open,
369 	.close	= ppp_asynctty_close,
370 	.hangup	= ppp_asynctty_hangup,
371 	.read	= ppp_asynctty_read,
372 	.write	= ppp_asynctty_write,
373 	.ioctl	= ppp_asynctty_ioctl,
374 	.receive_buf = ppp_asynctty_receive,
375 	.write_wakeup = ppp_asynctty_wakeup,
376 };
377 
378 static int __init
379 ppp_async_init(void)
380 {
381 	int err;
382 
383 	err = tty_register_ldisc(&ppp_ldisc);
384 	if (err != 0)
385 		printk(KERN_ERR "PPP_async: error %d registering line disc.\n",
386 		       err);
387 	return err;
388 }
389 
390 /*
391  * The following routines provide the PPP channel interface.
392  */
393 static int
394 ppp_async_ioctl(struct ppp_channel *chan, unsigned int cmd, unsigned long arg)
395 {
396 	struct asyncppp *ap = chan->private;
397 	void __user *argp = (void __user *)arg;
398 	int __user *p = argp;
399 	int err, val;
400 	u32 accm[8];
401 
402 	err = -EFAULT;
403 	switch (cmd) {
404 	case PPPIOCGFLAGS:
405 		val = ap->flags | ap->rbits;
406 		if (put_user(val, p))
407 			break;
408 		err = 0;
409 		break;
410 	case PPPIOCSFLAGS:
411 		if (get_user(val, p))
412 			break;
413 		ap->flags = val & ~SC_RCV_BITS;
414 		spin_lock_irq(&ap->recv_lock);
415 		ap->rbits = val & SC_RCV_BITS;
416 		spin_unlock_irq(&ap->recv_lock);
417 		err = 0;
418 		break;
419 
420 	case PPPIOCGASYNCMAP:
421 		if (put_user(ap->xaccm[0], (u32 __user *)argp))
422 			break;
423 		err = 0;
424 		break;
425 	case PPPIOCSASYNCMAP:
426 		if (get_user(ap->xaccm[0], (u32 __user *)argp))
427 			break;
428 		err = 0;
429 		break;
430 
431 	case PPPIOCGRASYNCMAP:
432 		if (put_user(ap->raccm, (u32 __user *)argp))
433 			break;
434 		err = 0;
435 		break;
436 	case PPPIOCSRASYNCMAP:
437 		if (get_user(ap->raccm, (u32 __user *)argp))
438 			break;
439 		err = 0;
440 		break;
441 
442 	case PPPIOCGXASYNCMAP:
443 		if (copy_to_user(argp, ap->xaccm, sizeof(ap->xaccm)))
444 			break;
445 		err = 0;
446 		break;
447 	case PPPIOCSXASYNCMAP:
448 		if (copy_from_user(accm, argp, sizeof(accm)))
449 			break;
450 		accm[2] &= ~0x40000000U;	/* can't escape 0x5e */
451 		accm[3] |= 0x60000000U;		/* must escape 0x7d, 0x7e */
452 		memcpy(ap->xaccm, accm, sizeof(ap->xaccm));
453 		err = 0;
454 		break;
455 
456 	case PPPIOCGMRU:
457 		if (put_user(ap->mru, p))
458 			break;
459 		err = 0;
460 		break;
461 	case PPPIOCSMRU:
462 		if (get_user(val, p))
463 			break;
464 		if (val > U16_MAX) {
465 			err = -EINVAL;
466 			break;
467 		}
468 		if (val < PPP_MRU)
469 			val = PPP_MRU;
470 		ap->mru = val;
471 		err = 0;
472 		break;
473 
474 	default:
475 		err = -ENOTTY;
476 	}
477 
478 	return err;
479 }
480 
481 /*
482  * This is called at softirq level to deliver received packets
483  * to the ppp_generic code, and to tell the ppp_generic code
484  * if we can accept more output now.
485  */
486 static void ppp_async_process(struct tasklet_struct *t)
487 {
488 	struct asyncppp *ap = from_tasklet(ap, t, tsk);
489 	struct sk_buff *skb;
490 
491 	/* process received packets */
492 	while ((skb = skb_dequeue(&ap->rqueue)) != NULL) {
493 		if (skb->cb[0])
494 			ppp_input_error(&ap->chan, 0);
495 		ppp_input(&ap->chan, skb);
496 	}
497 
498 	/* try to push more stuff out */
499 	if (test_bit(XMIT_WAKEUP, &ap->xmit_flags) && ppp_async_push(ap))
500 		ppp_output_wakeup(&ap->chan);
501 }
502 
503 /*
504  * Procedures for encapsulation and framing.
505  */
506 
507 /*
508  * Procedure to encode the data for async serial transmission.
509  * Does octet stuffing (escaping), puts the address/control bytes
510  * on if A/C compression is disabled, and does protocol compression.
511  * Assumes ap->tpkt != 0 on entry.
512  * Returns 1 if we finished the current frame, 0 otherwise.
513  */
514 
515 #define PUT_BYTE(ap, buf, c, islcp)	do {		\
516 	if ((islcp && c < 0x20) || (ap->xaccm[c >> 5] & (1 << (c & 0x1f)))) {\
517 		*buf++ = PPP_ESCAPE;			\
518 		*buf++ = c ^ PPP_TRANS;			\
519 	} else						\
520 		*buf++ = c;				\
521 } while (0)
522 
523 static int
524 ppp_async_encode(struct asyncppp *ap)
525 {
526 	int fcs, i, count, c, proto;
527 	unsigned char *buf, *buflim;
528 	unsigned char *data;
529 	int islcp;
530 
531 	buf = ap->obuf;
532 	ap->olim = buf;
533 	ap->optr = buf;
534 	i = ap->tpkt_pos;
535 	data = ap->tpkt->data;
536 	count = ap->tpkt->len;
537 	fcs = ap->tfcs;
538 	proto = get_unaligned_be16(data);
539 
540 	/*
541 	 * LCP packets with code values between 1 (configure-request)
542 	 * and 7 (code-reject) must be sent as though no options
543 	 * had been negotiated.
544 	 */
545 	islcp = proto == PPP_LCP && 1 <= data[2] && data[2] <= 7;
546 
547 	if (i == 0) {
548 		if (islcp)
549 			async_lcp_peek(ap, data, count, 0);
550 
551 		/*
552 		 * Start of a new packet - insert the leading FLAG
553 		 * character if necessary.
554 		 */
555 		if (islcp || flag_time == 0 ||
556 		    time_after_eq(jiffies, ap->last_xmit + flag_time))
557 			*buf++ = PPP_FLAG;
558 		ap->last_xmit = jiffies;
559 		fcs = PPP_INITFCS;
560 
561 		/*
562 		 * Put in the address/control bytes if necessary
563 		 */
564 		if ((ap->flags & SC_COMP_AC) == 0 || islcp) {
565 			PUT_BYTE(ap, buf, 0xff, islcp);
566 			fcs = PPP_FCS(fcs, 0xff);
567 			PUT_BYTE(ap, buf, 0x03, islcp);
568 			fcs = PPP_FCS(fcs, 0x03);
569 		}
570 	}
571 
572 	/*
573 	 * Once we put in the last byte, we need to put in the FCS
574 	 * and closing flag, so make sure there is at least 7 bytes
575 	 * of free space in the output buffer.
576 	 */
577 	buflim = ap->obuf + OBUFSIZE - 6;
578 	while (i < count && buf < buflim) {
579 		c = data[i++];
580 		if (i == 1 && c == 0 && (ap->flags & SC_COMP_PROT))
581 			continue;	/* compress protocol field */
582 		fcs = PPP_FCS(fcs, c);
583 		PUT_BYTE(ap, buf, c, islcp);
584 	}
585 
586 	if (i < count) {
587 		/*
588 		 * Remember where we are up to in this packet.
589 		 */
590 		ap->olim = buf;
591 		ap->tpkt_pos = i;
592 		ap->tfcs = fcs;
593 		return 0;
594 	}
595 
596 	/*
597 	 * We have finished the packet.  Add the FCS and flag.
598 	 */
599 	fcs = ~fcs;
600 	c = fcs & 0xff;
601 	PUT_BYTE(ap, buf, c, islcp);
602 	c = (fcs >> 8) & 0xff;
603 	PUT_BYTE(ap, buf, c, islcp);
604 	*buf++ = PPP_FLAG;
605 	ap->olim = buf;
606 
607 	consume_skb(ap->tpkt);
608 	ap->tpkt = NULL;
609 	return 1;
610 }
611 
612 /*
613  * Transmit-side routines.
614  */
615 
616 /*
617  * Send a packet to the peer over an async tty line.
618  * Returns 1 iff the packet was accepted.
619  * If the packet was not accepted, we will call ppp_output_wakeup
620  * at some later time.
621  */
622 static int
623 ppp_async_send(struct ppp_channel *chan, struct sk_buff *skb)
624 {
625 	struct asyncppp *ap = chan->private;
626 
627 	ppp_async_push(ap);
628 
629 	if (test_and_set_bit(XMIT_FULL, &ap->xmit_flags))
630 		return 0;	/* already full */
631 	ap->tpkt = skb;
632 	ap->tpkt_pos = 0;
633 
634 	ppp_async_push(ap);
635 	return 1;
636 }
637 
638 /*
639  * Push as much data as possible out to the tty.
640  */
641 static int
642 ppp_async_push(struct asyncppp *ap)
643 {
644 	int avail, sent, done = 0;
645 	struct tty_struct *tty = ap->tty;
646 	int tty_stuffed = 0;
647 
648 	/*
649 	 * We can get called recursively here if the tty write
650 	 * function calls our wakeup function.  This can happen
651 	 * for example on a pty with both the master and slave
652 	 * set to PPP line discipline.
653 	 * We use the XMIT_BUSY bit to detect this and get out,
654 	 * leaving the XMIT_WAKEUP bit set to tell the other
655 	 * instance that it may now be able to write more now.
656 	 */
657 	if (test_and_set_bit(XMIT_BUSY, &ap->xmit_flags))
658 		return 0;
659 	spin_lock_bh(&ap->xmit_lock);
660 	for (;;) {
661 		if (test_and_clear_bit(XMIT_WAKEUP, &ap->xmit_flags))
662 			tty_stuffed = 0;
663 		if (!tty_stuffed && ap->optr < ap->olim) {
664 			avail = ap->olim - ap->optr;
665 			set_bit(TTY_DO_WRITE_WAKEUP, &tty->flags);
666 			sent = tty->ops->write(tty, ap->optr, avail);
667 			if (sent < 0)
668 				goto flush;	/* error, e.g. loss of CD */
669 			ap->optr += sent;
670 			if (sent < avail)
671 				tty_stuffed = 1;
672 			continue;
673 		}
674 		if (ap->optr >= ap->olim && ap->tpkt) {
675 			if (ppp_async_encode(ap)) {
676 				/* finished processing ap->tpkt */
677 				clear_bit(XMIT_FULL, &ap->xmit_flags);
678 				done = 1;
679 			}
680 			continue;
681 		}
682 		/*
683 		 * We haven't made any progress this time around.
684 		 * Clear XMIT_BUSY to let other callers in, but
685 		 * after doing so we have to check if anyone set
686 		 * XMIT_WAKEUP since we last checked it.  If they
687 		 * did, we should try again to set XMIT_BUSY and go
688 		 * around again in case XMIT_BUSY was still set when
689 		 * the other caller tried.
690 		 */
691 		clear_bit(XMIT_BUSY, &ap->xmit_flags);
692 		/* any more work to do? if not, exit the loop */
693 		if (!(test_bit(XMIT_WAKEUP, &ap->xmit_flags) ||
694 		      (!tty_stuffed && ap->tpkt)))
695 			break;
696 		/* more work to do, see if we can do it now */
697 		if (test_and_set_bit(XMIT_BUSY, &ap->xmit_flags))
698 			break;
699 	}
700 	spin_unlock_bh(&ap->xmit_lock);
701 	return done;
702 
703 flush:
704 	clear_bit(XMIT_BUSY, &ap->xmit_flags);
705 	if (ap->tpkt) {
706 		kfree_skb(ap->tpkt);
707 		ap->tpkt = NULL;
708 		clear_bit(XMIT_FULL, &ap->xmit_flags);
709 		done = 1;
710 	}
711 	ap->optr = ap->olim;
712 	spin_unlock_bh(&ap->xmit_lock);
713 	return done;
714 }
715 
716 /*
717  * Flush output from our internal buffers.
718  * Called for the TCFLSH ioctl. Can be entered in parallel
719  * but this is covered by the xmit_lock.
720  */
721 static void
722 ppp_async_flush_output(struct asyncppp *ap)
723 {
724 	int done = 0;
725 
726 	spin_lock_bh(&ap->xmit_lock);
727 	ap->optr = ap->olim;
728 	if (ap->tpkt != NULL) {
729 		kfree_skb(ap->tpkt);
730 		ap->tpkt = NULL;
731 		clear_bit(XMIT_FULL, &ap->xmit_flags);
732 		done = 1;
733 	}
734 	spin_unlock_bh(&ap->xmit_lock);
735 	if (done)
736 		ppp_output_wakeup(&ap->chan);
737 }
738 
739 /*
740  * Receive-side routines.
741  */
742 
743 /* see how many ordinary chars there are at the start of buf */
744 static inline int
745 scan_ordinary(struct asyncppp *ap, const unsigned char *buf, int count)
746 {
747 	int i, c;
748 
749 	for (i = 0; i < count; ++i) {
750 		c = buf[i];
751 		if (c == PPP_ESCAPE || c == PPP_FLAG ||
752 		    (c < 0x20 && (ap->raccm & (1 << c)) != 0))
753 			break;
754 	}
755 	return i;
756 }
757 
758 /* called when a flag is seen - do end-of-packet processing */
759 static void
760 process_input_packet(struct asyncppp *ap)
761 {
762 	struct sk_buff *skb;
763 	unsigned char *p;
764 	unsigned int len, fcs;
765 
766 	skb = ap->rpkt;
767 	if (ap->state & (SC_TOSS | SC_ESCAPE))
768 		goto err;
769 
770 	if (skb == NULL)
771 		return;		/* 0-length packet */
772 
773 	/* check the FCS */
774 	p = skb->data;
775 	len = skb->len;
776 	if (len < 3)
777 		goto err;	/* too short */
778 	fcs = PPP_INITFCS;
779 	for (; len > 0; --len)
780 		fcs = PPP_FCS(fcs, *p++);
781 	if (fcs != PPP_GOODFCS)
782 		goto err;	/* bad FCS */
783 	skb_trim(skb, skb->len - 2);
784 
785 	/* check for address/control and protocol compression */
786 	p = skb->data;
787 	if (p[0] == PPP_ALLSTATIONS) {
788 		/* chop off address/control */
789 		if (p[1] != PPP_UI || skb->len < 3)
790 			goto err;
791 		p = skb_pull(skb, 2);
792 	}
793 
794 	/* If protocol field is not compressed, it can be LCP packet */
795 	if (!(p[0] & 0x01)) {
796 		unsigned int proto;
797 
798 		if (skb->len < 2)
799 			goto err;
800 		proto = (p[0] << 8) + p[1];
801 		if (proto == PPP_LCP)
802 			async_lcp_peek(ap, p, skb->len, 1);
803 	}
804 
805 	/* queue the frame to be processed */
806 	skb->cb[0] = ap->state;
807 	skb_queue_tail(&ap->rqueue, skb);
808 	ap->rpkt = NULL;
809 	ap->state = 0;
810 	return;
811 
812  err:
813 	/* frame had an error, remember that, reset SC_TOSS & SC_ESCAPE */
814 	ap->state = SC_PREV_ERROR;
815 	if (skb) {
816 		/* make skb appear as freshly allocated */
817 		skb_trim(skb, 0);
818 		skb_reserve(skb, - skb_headroom(skb));
819 	}
820 }
821 
822 /* Called when the tty driver has data for us. Runs parallel with the
823    other ldisc functions but will not be re-entered */
824 
825 static void
826 ppp_async_input(struct asyncppp *ap, const u8 *buf, const u8 *flags, int count)
827 {
828 	struct sk_buff *skb;
829 	int c, i, j, n, s, f;
830 	unsigned char *sp;
831 
832 	/* update bits used for 8-bit cleanness detection */
833 	if (~ap->rbits & SC_RCV_BITS) {
834 		s = 0;
835 		for (i = 0; i < count; ++i) {
836 			c = buf[i];
837 			if (flags && flags[i] != 0)
838 				continue;
839 			s |= (c & 0x80)? SC_RCV_B7_1: SC_RCV_B7_0;
840 			c = ((c >> 4) ^ c) & 0xf;
841 			s |= (0x6996 & (1 << c))? SC_RCV_ODDP: SC_RCV_EVNP;
842 		}
843 		ap->rbits |= s;
844 	}
845 
846 	while (count > 0) {
847 		/* scan through and see how many chars we can do in bulk */
848 		if ((ap->state & SC_ESCAPE) && buf[0] == PPP_ESCAPE)
849 			n = 1;
850 		else
851 			n = scan_ordinary(ap, buf, count);
852 
853 		f = 0;
854 		if (flags && (ap->state & SC_TOSS) == 0) {
855 			/* check the flags to see if any char had an error */
856 			for (j = 0; j < n; ++j)
857 				if ((f = flags[j]) != 0)
858 					break;
859 		}
860 		if (f != 0) {
861 			/* start tossing */
862 			ap->state |= SC_TOSS;
863 
864 		} else if (n > 0 && (ap->state & SC_TOSS) == 0) {
865 			/* stuff the chars in the skb */
866 			skb = ap->rpkt;
867 			if (!skb) {
868 				skb = dev_alloc_skb(ap->mru + PPP_HDRLEN + 2);
869 				if (!skb)
870 					goto nomem;
871 				ap->rpkt = skb;
872 			}
873 			if (skb->len == 0) {
874 				/* Try to get the payload 4-byte aligned.
875 				 * This should match the
876 				 * PPP_ALLSTATIONS/PPP_UI/compressed tests in
877 				 * process_input_packet, but we do not have
878 				 * enough chars here to test buf[1] and buf[2].
879 				 */
880 				if (buf[0] != PPP_ALLSTATIONS)
881 					skb_reserve(skb, 2 + (buf[0] & 1));
882 			}
883 			if (n > skb_tailroom(skb)) {
884 				/* packet overflowed MRU */
885 				ap->state |= SC_TOSS;
886 			} else {
887 				sp = skb_put_data(skb, buf, n);
888 				if (ap->state & SC_ESCAPE) {
889 					sp[0] ^= PPP_TRANS;
890 					ap->state &= ~SC_ESCAPE;
891 				}
892 			}
893 		}
894 
895 		if (n >= count)
896 			break;
897 
898 		c = buf[n];
899 		if (flags != NULL && flags[n] != 0) {
900 			ap->state |= SC_TOSS;
901 		} else if (c == PPP_FLAG) {
902 			process_input_packet(ap);
903 		} else if (c == PPP_ESCAPE) {
904 			ap->state |= SC_ESCAPE;
905 		} else if (I_IXON(ap->tty)) {
906 			if (c == START_CHAR(ap->tty))
907 				start_tty(ap->tty);
908 			else if (c == STOP_CHAR(ap->tty))
909 				stop_tty(ap->tty);
910 		}
911 		/* otherwise it's a char in the recv ACCM */
912 		++n;
913 
914 		buf += n;
915 		if (flags)
916 			flags += n;
917 		count -= n;
918 	}
919 	return;
920 
921  nomem:
922 	printk(KERN_ERR "PPPasync: no memory (input pkt)\n");
923 	ap->state |= SC_TOSS;
924 }
925 
926 /*
927  * We look at LCP frames going past so that we can notice
928  * and react to the LCP configure-ack from the peer.
929  * In the situation where the peer has been sent a configure-ack
930  * already, LCP is up once it has sent its configure-ack
931  * so the immediately following packet can be sent with the
932  * configured LCP options.  This allows us to process the following
933  * packet correctly without pppd needing to respond quickly.
934  *
935  * We only respond to the received configure-ack if we have just
936  * sent a configure-request, and the configure-ack contains the
937  * same data (this is checked using a 16-bit crc of the data).
938  */
939 #define CONFREQ		1	/* LCP code field values */
940 #define CONFACK		2
941 #define LCP_MRU		1	/* LCP option numbers */
942 #define LCP_ASYNCMAP	2
943 
944 static void async_lcp_peek(struct asyncppp *ap, unsigned char *data,
945 			   int len, int inbound)
946 {
947 	int dlen, fcs, i, code;
948 	u32 val;
949 
950 	data += 2;		/* skip protocol bytes */
951 	len -= 2;
952 	if (len < 4)		/* 4 = code, ID, length */
953 		return;
954 	code = data[0];
955 	if (code != CONFACK && code != CONFREQ)
956 		return;
957 	dlen = get_unaligned_be16(data + 2);
958 	if (len < dlen)
959 		return;		/* packet got truncated or length is bogus */
960 
961 	if (code == (inbound? CONFACK: CONFREQ)) {
962 		/*
963 		 * sent confreq or received confack:
964 		 * calculate the crc of the data from the ID field on.
965 		 */
966 		fcs = PPP_INITFCS;
967 		for (i = 1; i < dlen; ++i)
968 			fcs = PPP_FCS(fcs, data[i]);
969 
970 		if (!inbound) {
971 			/* outbound confreq - remember the crc for later */
972 			ap->lcp_fcs = fcs;
973 			return;
974 		}
975 
976 		/* received confack, check the crc */
977 		fcs ^= ap->lcp_fcs;
978 		ap->lcp_fcs = -1;
979 		if (fcs != 0)
980 			return;
981 	} else if (inbound)
982 		return;	/* not interested in received confreq */
983 
984 	/* process the options in the confack */
985 	data += 4;
986 	dlen -= 4;
987 	/* data[0] is code, data[1] is length */
988 	while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) {
989 		switch (data[0]) {
990 		case LCP_MRU:
991 			val = get_unaligned_be16(data + 2);
992 			if (inbound)
993 				ap->mru = val;
994 			else
995 				ap->chan.mtu = val;
996 			break;
997 		case LCP_ASYNCMAP:
998 			val = get_unaligned_be32(data + 2);
999 			if (inbound)
1000 				ap->raccm = val;
1001 			else
1002 				ap->xaccm[0] = val;
1003 			break;
1004 		}
1005 		dlen -= data[1];
1006 		data += data[1];
1007 	}
1008 }
1009 
1010 static void __exit ppp_async_cleanup(void)
1011 {
1012 	tty_unregister_ldisc(&ppp_ldisc);
1013 }
1014 
1015 module_init(ppp_async_init);
1016 module_exit(ppp_async_cleanup);
1017