bpf: Prevent memory disambiguation attack
[linux/fpc-iii.git] / drivers / tty / tty_buffer.c
blobc996b6859c5e70c72827f28c33c46bd3d96a1cda
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Tty buffer allocation management
4 */
6 #include <linux/types.h>
7 #include <linux/errno.h>
8 #include <linux/tty.h>
9 #include <linux/tty_driver.h>
10 #include <linux/tty_flip.h>
11 #include <linux/timer.h>
12 #include <linux/string.h>
13 #include <linux/slab.h>
14 #include <linux/sched.h>
15 #include <linux/wait.h>
16 #include <linux/bitops.h>
17 #include <linux/delay.h>
18 #include <linux/module.h>
19 #include <linux/ratelimit.h>
22 #define MIN_TTYB_SIZE 256
23 #define TTYB_ALIGN_MASK 255
26 * Byte threshold to limit memory consumption for flip buffers.
27 * The actual memory limit is > 2x this amount.
29 #define TTYB_DEFAULT_MEM_LIMIT 65536
32 * We default to dicing tty buffer allocations to this many characters
33 * in order to avoid multiple page allocations. We know the size of
34 * tty_buffer itself but it must also be taken into account that the
35 * the buffer is 256 byte aligned. See tty_buffer_find for the allocation
36 * logic this must match
39 #define TTY_BUFFER_PAGE (((PAGE_SIZE - sizeof(struct tty_buffer)) / 2) & ~0xFF)
41 /**
42 * tty_buffer_lock_exclusive - gain exclusive access to buffer
43 * tty_buffer_unlock_exclusive - release exclusive access
45 * @port - tty_port owning the flip buffer
47 * Guarantees safe use of the line discipline's receive_buf() method by
48 * excluding the buffer work and any pending flush from using the flip
49 * buffer. Data can continue to be added concurrently to the flip buffer
50 * from the driver side.
52 * On release, the buffer work is restarted if there is data in the
53 * flip buffer
56 void tty_buffer_lock_exclusive(struct tty_port *port)
58 struct tty_bufhead *buf = &port->buf;
60 atomic_inc(&buf->priority);
61 mutex_lock(&buf->lock);
63 EXPORT_SYMBOL_GPL(tty_buffer_lock_exclusive);
65 void tty_buffer_unlock_exclusive(struct tty_port *port)
67 struct tty_bufhead *buf = &port->buf;
68 int restart;
70 restart = buf->head->commit != buf->head->read;
72 atomic_dec(&buf->priority);
73 mutex_unlock(&buf->lock);
74 if (restart)
75 queue_work(system_unbound_wq, &buf->work);
77 EXPORT_SYMBOL_GPL(tty_buffer_unlock_exclusive);
79 /**
80 * tty_buffer_space_avail - return unused buffer space
81 * @port - tty_port owning the flip buffer
83 * Returns the # of bytes which can be written by the driver without
84 * reaching the buffer limit.
86 * Note: this does not guarantee that memory is available to write
87 * the returned # of bytes (use tty_prepare_flip_string_xxx() to
88 * pre-allocate if memory guarantee is required).
91 int tty_buffer_space_avail(struct tty_port *port)
93 int space = port->buf.mem_limit - atomic_read(&port->buf.mem_used);
94 return max(space, 0);
96 EXPORT_SYMBOL_GPL(tty_buffer_space_avail);
98 static void tty_buffer_reset(struct tty_buffer *p, size_t size)
100 p->used = 0;
101 p->size = size;
102 p->next = NULL;
103 p->commit = 0;
104 p->read = 0;
105 p->flags = 0;
109 * tty_buffer_free_all - free buffers used by a tty
110 * @tty: tty to free from
112 * Remove all the buffers pending on a tty whether queued with data
113 * or in the free ring. Must be called when the tty is no longer in use
116 void tty_buffer_free_all(struct tty_port *port)
118 struct tty_bufhead *buf = &port->buf;
119 struct tty_buffer *p, *next;
120 struct llist_node *llist;
122 while ((p = buf->head) != NULL) {
123 buf->head = p->next;
124 if (p->size > 0)
125 kfree(p);
127 llist = llist_del_all(&buf->free);
128 llist_for_each_entry_safe(p, next, llist, free)
129 kfree(p);
131 tty_buffer_reset(&buf->sentinel, 0);
132 buf->head = &buf->sentinel;
133 buf->tail = &buf->sentinel;
135 atomic_set(&buf->mem_used, 0);
139 * tty_buffer_alloc - allocate a tty buffer
140 * @tty: tty device
141 * @size: desired size (characters)
143 * Allocate a new tty buffer to hold the desired number of characters.
144 * We round our buffers off in 256 character chunks to get better
145 * allocation behaviour.
146 * Return NULL if out of memory or the allocation would exceed the
147 * per device queue
150 static struct tty_buffer *tty_buffer_alloc(struct tty_port *port, size_t size)
152 struct llist_node *free;
153 struct tty_buffer *p;
155 /* Round the buffer size out */
156 size = __ALIGN_MASK(size, TTYB_ALIGN_MASK);
158 if (size <= MIN_TTYB_SIZE) {
159 free = llist_del_first(&port->buf.free);
160 if (free) {
161 p = llist_entry(free, struct tty_buffer, free);
162 goto found;
166 /* Should possibly check if this fails for the largest buffer we
167 have queued and recycle that ? */
168 if (atomic_read(&port->buf.mem_used) > port->buf.mem_limit)
169 return NULL;
170 p = kmalloc(sizeof(struct tty_buffer) + 2 * size, GFP_ATOMIC);
171 if (p == NULL)
172 return NULL;
174 found:
175 tty_buffer_reset(p, size);
176 atomic_add(size, &port->buf.mem_used);
177 return p;
181 * tty_buffer_free - free a tty buffer
182 * @tty: tty owning the buffer
183 * @b: the buffer to free
185 * Free a tty buffer, or add it to the free list according to our
186 * internal strategy
189 static void tty_buffer_free(struct tty_port *port, struct tty_buffer *b)
191 struct tty_bufhead *buf = &port->buf;
193 /* Dumb strategy for now - should keep some stats */
194 WARN_ON(atomic_sub_return(b->size, &buf->mem_used) < 0);
196 if (b->size > MIN_TTYB_SIZE)
197 kfree(b);
198 else if (b->size > 0)
199 llist_add(&b->free, &buf->free);
203 * tty_buffer_flush - flush full tty buffers
204 * @tty: tty to flush
205 * @ld: optional ldisc ptr (must be referenced)
207 * flush all the buffers containing receive data. If ld != NULL,
208 * flush the ldisc input buffer.
210 * Locking: takes buffer lock to ensure single-threaded flip buffer
211 * 'consumer'
214 void tty_buffer_flush(struct tty_struct *tty, struct tty_ldisc *ld)
216 struct tty_port *port = tty->port;
217 struct tty_bufhead *buf = &port->buf;
218 struct tty_buffer *next;
220 atomic_inc(&buf->priority);
222 mutex_lock(&buf->lock);
223 /* paired w/ release in __tty_buffer_request_room; ensures there are
224 * no pending memory accesses to the freed buffer
226 while ((next = smp_load_acquire(&buf->head->next)) != NULL) {
227 tty_buffer_free(port, buf->head);
228 buf->head = next;
230 buf->head->read = buf->head->commit;
232 if (ld && ld->ops->flush_buffer)
233 ld->ops->flush_buffer(tty);
235 atomic_dec(&buf->priority);
236 mutex_unlock(&buf->lock);
240 * tty_buffer_request_room - grow tty buffer if needed
241 * @tty: tty structure
242 * @size: size desired
243 * @flags: buffer flags if new buffer allocated (default = 0)
245 * Make at least size bytes of linear space available for the tty
246 * buffer. If we fail return the size we managed to find.
248 * Will change over to a new buffer if the current buffer is encoded as
249 * TTY_NORMAL (so has no flags buffer) and the new buffer requires
250 * a flags buffer.
252 static int __tty_buffer_request_room(struct tty_port *port, size_t size,
253 int flags)
255 struct tty_bufhead *buf = &port->buf;
256 struct tty_buffer *b, *n;
257 int left, change;
259 b = buf->tail;
260 if (b->flags & TTYB_NORMAL)
261 left = 2 * b->size - b->used;
262 else
263 left = b->size - b->used;
265 change = (b->flags & TTYB_NORMAL) && (~flags & TTYB_NORMAL);
266 if (change || left < size) {
267 /* This is the slow path - looking for new buffers to use */
268 n = tty_buffer_alloc(port, size);
269 if (n != NULL) {
270 n->flags = flags;
271 buf->tail = n;
272 /* paired w/ acquire in flush_to_ldisc(); ensures
273 * flush_to_ldisc() sees buffer data.
275 smp_store_release(&b->commit, b->used);
276 /* paired w/ acquire in flush_to_ldisc(); ensures the
277 * latest commit value can be read before the head is
278 * advanced to the next buffer
280 smp_store_release(&b->next, n);
281 } else if (change)
282 size = 0;
283 else
284 size = left;
286 return size;
289 int tty_buffer_request_room(struct tty_port *port, size_t size)
291 return __tty_buffer_request_room(port, size, 0);
293 EXPORT_SYMBOL_GPL(tty_buffer_request_room);
296 * tty_insert_flip_string_fixed_flag - Add characters to the tty buffer
297 * @port: tty port
298 * @chars: characters
299 * @flag: flag value for each character
300 * @size: size
302 * Queue a series of bytes to the tty buffering. All the characters
303 * passed are marked with the supplied flag. Returns the number added.
306 int tty_insert_flip_string_fixed_flag(struct tty_port *port,
307 const unsigned char *chars, char flag, size_t size)
309 int copied = 0;
310 do {
311 int goal = min_t(size_t, size - copied, TTY_BUFFER_PAGE);
312 int flags = (flag == TTY_NORMAL) ? TTYB_NORMAL : 0;
313 int space = __tty_buffer_request_room(port, goal, flags);
314 struct tty_buffer *tb = port->buf.tail;
315 if (unlikely(space == 0))
316 break;
317 memcpy(char_buf_ptr(tb, tb->used), chars, space);
318 if (~tb->flags & TTYB_NORMAL)
319 memset(flag_buf_ptr(tb, tb->used), flag, space);
320 tb->used += space;
321 copied += space;
322 chars += space;
323 /* There is a small chance that we need to split the data over
324 several buffers. If this is the case we must loop */
325 } while (unlikely(size > copied));
326 return copied;
328 EXPORT_SYMBOL(tty_insert_flip_string_fixed_flag);
331 * tty_insert_flip_string_flags - Add characters to the tty buffer
332 * @port: tty port
333 * @chars: characters
334 * @flags: flag bytes
335 * @size: size
337 * Queue a series of bytes to the tty buffering. For each character
338 * the flags array indicates the status of the character. Returns the
339 * number added.
342 int tty_insert_flip_string_flags(struct tty_port *port,
343 const unsigned char *chars, const char *flags, size_t size)
345 int copied = 0;
346 do {
347 int goal = min_t(size_t, size - copied, TTY_BUFFER_PAGE);
348 int space = tty_buffer_request_room(port, goal);
349 struct tty_buffer *tb = port->buf.tail;
350 if (unlikely(space == 0))
351 break;
352 memcpy(char_buf_ptr(tb, tb->used), chars, space);
353 memcpy(flag_buf_ptr(tb, tb->used), flags, space);
354 tb->used += space;
355 copied += space;
356 chars += space;
357 flags += space;
358 /* There is a small chance that we need to split the data over
359 several buffers. If this is the case we must loop */
360 } while (unlikely(size > copied));
361 return copied;
363 EXPORT_SYMBOL(tty_insert_flip_string_flags);
366 * __tty_insert_flip_char - Add one character to the tty buffer
367 * @port: tty port
368 * @ch: character
369 * @flag: flag byte
371 * Queue a single byte to the tty buffering, with an optional flag.
372 * This is the slow path of tty_insert_flip_char.
374 int __tty_insert_flip_char(struct tty_port *port, unsigned char ch, char flag)
376 struct tty_buffer *tb;
377 int flags = (flag == TTY_NORMAL) ? TTYB_NORMAL : 0;
379 if (!__tty_buffer_request_room(port, 1, flags))
380 return 0;
382 tb = port->buf.tail;
383 if (~tb->flags & TTYB_NORMAL)
384 *flag_buf_ptr(tb, tb->used) = flag;
385 *char_buf_ptr(tb, tb->used++) = ch;
387 return 1;
389 EXPORT_SYMBOL(__tty_insert_flip_char);
392 * tty_schedule_flip - push characters to ldisc
393 * @port: tty port to push from
395 * Takes any pending buffers and transfers their ownership to the
396 * ldisc side of the queue. It then schedules those characters for
397 * processing by the line discipline.
400 void tty_schedule_flip(struct tty_port *port)
402 struct tty_bufhead *buf = &port->buf;
404 /* paired w/ acquire in flush_to_ldisc(); ensures
405 * flush_to_ldisc() sees buffer data.
407 smp_store_release(&buf->tail->commit, buf->tail->used);
408 queue_work(system_unbound_wq, &buf->work);
410 EXPORT_SYMBOL(tty_schedule_flip);
413 * tty_prepare_flip_string - make room for characters
414 * @port: tty port
415 * @chars: return pointer for character write area
416 * @size: desired size
418 * Prepare a block of space in the buffer for data. Returns the length
419 * available and buffer pointer to the space which is now allocated and
420 * accounted for as ready for normal characters. This is used for drivers
421 * that need their own block copy routines into the buffer. There is no
422 * guarantee the buffer is a DMA target!
425 int tty_prepare_flip_string(struct tty_port *port, unsigned char **chars,
426 size_t size)
428 int space = __tty_buffer_request_room(port, size, TTYB_NORMAL);
429 if (likely(space)) {
430 struct tty_buffer *tb = port->buf.tail;
431 *chars = char_buf_ptr(tb, tb->used);
432 if (~tb->flags & TTYB_NORMAL)
433 memset(flag_buf_ptr(tb, tb->used), TTY_NORMAL, space);
434 tb->used += space;
436 return space;
438 EXPORT_SYMBOL_GPL(tty_prepare_flip_string);
441 * tty_ldisc_receive_buf - forward data to line discipline
442 * @ld: line discipline to process input
443 * @p: char buffer
444 * @f: TTY_* flags buffer
445 * @count: number of bytes to process
447 * Callers other than flush_to_ldisc() need to exclude the kworker
448 * from concurrent use of the line discipline, see paste_selection().
450 * Returns the number of bytes processed
452 int tty_ldisc_receive_buf(struct tty_ldisc *ld, const unsigned char *p,
453 char *f, int count)
455 if (ld->ops->receive_buf2)
456 count = ld->ops->receive_buf2(ld->tty, p, f, count);
457 else {
458 count = min_t(int, count, ld->tty->receive_room);
459 if (count && ld->ops->receive_buf)
460 ld->ops->receive_buf(ld->tty, p, f, count);
462 return count;
464 EXPORT_SYMBOL_GPL(tty_ldisc_receive_buf);
466 static int
467 receive_buf(struct tty_port *port, struct tty_buffer *head, int count)
469 unsigned char *p = char_buf_ptr(head, head->read);
470 char *f = NULL;
472 if (~head->flags & TTYB_NORMAL)
473 f = flag_buf_ptr(head, head->read);
475 return port->client_ops->receive_buf(port, p, f, count);
479 * flush_to_ldisc
480 * @work: tty structure passed from work queue.
482 * This routine is called out of the software interrupt to flush data
483 * from the buffer chain to the line discipline.
485 * The receive_buf method is single threaded for each tty instance.
487 * Locking: takes buffer lock to ensure single-threaded flip buffer
488 * 'consumer'
491 static void flush_to_ldisc(struct work_struct *work)
493 struct tty_port *port = container_of(work, struct tty_port, buf.work);
494 struct tty_bufhead *buf = &port->buf;
496 mutex_lock(&buf->lock);
498 while (1) {
499 struct tty_buffer *head = buf->head;
500 struct tty_buffer *next;
501 int count;
503 /* Ldisc or user is trying to gain exclusive access */
504 if (atomic_read(&buf->priority))
505 break;
507 /* paired w/ release in __tty_buffer_request_room();
508 * ensures commit value read is not stale if the head
509 * is advancing to the next buffer
511 next = smp_load_acquire(&head->next);
512 /* paired w/ release in __tty_buffer_request_room() or in
513 * tty_buffer_flush(); ensures we see the committed buffer data
515 count = smp_load_acquire(&head->commit) - head->read;
516 if (!count) {
517 if (next == NULL)
518 break;
519 buf->head = next;
520 tty_buffer_free(port, head);
521 continue;
524 count = receive_buf(port, head, count);
525 if (!count)
526 break;
527 head->read += count;
530 mutex_unlock(&buf->lock);
535 * tty_flip_buffer_push - terminal
536 * @port: tty port to push
538 * Queue a push of the terminal flip buffers to the line discipline.
539 * Can be called from IRQ/atomic context.
541 * In the event of the queue being busy for flipping the work will be
542 * held off and retried later.
545 void tty_flip_buffer_push(struct tty_port *port)
547 tty_schedule_flip(port);
549 EXPORT_SYMBOL(tty_flip_buffer_push);
552 * tty_buffer_init - prepare a tty buffer structure
553 * @tty: tty to initialise
555 * Set up the initial state of the buffer management for a tty device.
556 * Must be called before the other tty buffer functions are used.
559 void tty_buffer_init(struct tty_port *port)
561 struct tty_bufhead *buf = &port->buf;
563 mutex_init(&buf->lock);
564 tty_buffer_reset(&buf->sentinel, 0);
565 buf->head = &buf->sentinel;
566 buf->tail = &buf->sentinel;
567 init_llist_head(&buf->free);
568 atomic_set(&buf->mem_used, 0);
569 atomic_set(&buf->priority, 0);
570 INIT_WORK(&buf->work, flush_to_ldisc);
571 buf->mem_limit = TTYB_DEFAULT_MEM_LIMIT;
575 * tty_buffer_set_limit - change the tty buffer memory limit
576 * @port: tty port to change
578 * Change the tty buffer memory limit.
579 * Must be called before the other tty buffer functions are used.
582 int tty_buffer_set_limit(struct tty_port *port, int limit)
584 if (limit < MIN_TTYB_SIZE)
585 return -EINVAL;
586 port->buf.mem_limit = limit;
587 return 0;
589 EXPORT_SYMBOL_GPL(tty_buffer_set_limit);
591 /* slave ptys can claim nested buffer lock when handling BRK and INTR */
592 void tty_buffer_set_lock_subclass(struct tty_port *port)
594 lockdep_set_subclass(&port->buf.lock, TTY_LOCK_SLAVE);
597 bool tty_buffer_restart_work(struct tty_port *port)
599 return queue_work(system_unbound_wq, &port->buf.work);
602 bool tty_buffer_cancel_work(struct tty_port *port)
604 return cancel_work_sync(&port->buf.work);
607 void tty_buffer_flush_work(struct tty_port *port)
609 flush_work(&port->buf.work);