Xie He bf0507fb20 net: lapb: Copy the skb before sending a packet
[ Upstream commit 88c7a9fd9bdd3e453f04018920964c6f848a591a ]

When sending a packet, we will prepend it with an LAPB header.
This modifies the shared parts of a cloned skb, so we should copy the
skb rather than just clone it, before we prepend the header.

In "Documentation/networking/driver.rst" (the 2nd point), it states
that drivers shouldn't modify the shared parts of a cloned skb when
transmitting.

The "dev_queue_xmit_nit" function in "net/core/dev.c", which is called
when an skb is being sent, clones the skb and sents the clone to
AF_PACKET sockets. Because the LAPB drivers first remove a 1-byte
pseudo-header before handing over the skb to us, if we don't copy the
skb before prepending the LAPB header, the first byte of the packets
received on AF_PACKET sockets can be corrupted.

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Xie He <xie.he.0141@gmail.com>
Acked-by: Martin Schiller <ms@dev.tdt.de>
Link: https://lore.kernel.org/r/20210201055706.415842-1-xie.he.0141@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-02-10 09:25:28 +01:00


// SPDX-License-Identifier: GPL-2.0-or-later
/*
* LAPB release 002
*
* This code REQUIRES 2.1.15 or higher/ NET3.038
*
* History
* LAPB 001 Jonathan Naylor Started Coding
* LAPB 002 Jonathan Naylor New timer architecture.
*/
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/errno.h>
#include <linux/types.h>
#include <linux/socket.h>
#include <linux/in.h>
#include <linux/kernel.h>
#include <linux/timer.h>
#include <linux/string.h>
#include <linux/sockios.h>
#include <linux/net.h>
#include <linux/inet.h>
#include <linux/skbuff.h>
#include <linux/slab.h>
#include <net/sock.h>
#include <linux/uaccess.h>
#include <linux/fcntl.h>
#include <linux/mm.h>
#include <linux/interrupt.h>
#include <net/lapb.h>
/*
* This procedure is passed a buffer descriptor for an iframe. It builds
* the rest of the control part of the frame and then writes it out.
*/
/*
 * Finish building an I-frame and send it.
 *
 * @lapb:     link control block; its vs (N(S)) and vr (N(R)) are encoded
 * @skb:      buffer already holding the payload; the control field is
 *            pushed in front of it
 * @poll_bit: non-zero sets the P bit in the control field
 *
 * A NULL @skb is ignored.  skb_push() expects the headroom for the control
 * octet(s) to already exist; nothing here checks for it.  The completed
 * frame is passed to lapb_transmit_buffer() as a command, which prepends
 * the address octet.
 */
static void lapb_send_iframe(struct lapb_cb *lapb, struct sk_buff *skb, int poll_bit)
{
	unsigned char *ctrl;

	if (!skb)
		return;

	if (lapb->mode & LAPB_EXTENDED) {
		/*
		 * Extended mode: two control octets.  The first carries the
		 * I-frame marker and N(S), the second the P bit and N(R).
		 */
		ctrl = skb_push(skb, 2);
		ctrl[0] = LAPB_I | (lapb->vs << 1);
		ctrl[1] = (poll_bit ? LAPB_EPF : 0) | (lapb->vr << 1);
	} else {
		/* Basic mode: N(R), P bit and N(S) share a single octet. */
		ctrl = skb_push(skb, 1);
		ctrl[0] = LAPB_I | (poll_bit ? LAPB_SPF : 0) |
			  (lapb->vr << 5) | (lapb->vs << 1);
	}

	lapb_dbg(1, "(%p) S%d TX I(%d) S%d R%d\n",
		 lapb->dev, lapb->state, poll_bit, lapb->vs, lapb->vr);

	lapb_transmit_buffer(lapb, skb, LAPB_COMMAND);
}
/*
 * Push as many queued I-frames as the send window allows.
 *
 * @lapb: link control block
 *
 * Nothing is sent while the peer has reported receiver-busy, when the
 * window is already full, or when write_queue is empty.  Otherwise frames
 * are taken from write_queue one at a time: a private copy gets the LAPB
 * headers and goes on the wire, the original is moved to ack_queue so it
 * can be retransmitted until acknowledged.
 *
 * A copy (skb_copy) rather than a clone is essential: the header bytes
 * pushed by lapb_send_iframe()/lapb_transmit_buffer() would otherwise be
 * written into data shared with the original and with any clones handed
 * to AF_PACKET taps.  On allocation failure the frame is put back at the
 * head of write_queue and sending stops for now.
 *
 * GFP_ATOMIC is used for the copy; presumably this can run from timer or
 * softirq context — confirm against the callers before relaxing it.
 */
void lapb_kick(struct lapb_cb *lapb)
{
	struct sk_buff *orig, *copy;
	unsigned short modulus, start, end;

	modulus = (lapb->mode & LAPB_EXTENDED) ? LAPB_EMODULUS : LAPB_SMODULUS;
	/* Resume from V(S) if frames await acknowledgement, else from V(A). */
	start = skb_peek(&lapb->ack_queue) ? lapb->vs : lapb->va;
	/* One past the last sequence number the window permits. */
	end = (lapb->va + lapb->window) % modulus;

	if (lapb->condition & LAPB_PEER_RX_BUSY_CONDITION)
		return;
	if (start == end || !skb_peek(&lapb->write_queue))
		return;

	lapb->vs = start;

	while ((orig = skb_dequeue(&lapb->write_queue)) != NULL) {
		copy = skb_copy(orig, GFP_ATOMIC);
		if (!copy) {
			/* Out of memory: keep the frame for a later kick. */
			skb_queue_head(&lapb->write_queue, orig);
			break;
		}
		/* Keep the copy attributed to the originating socket, if any. */
		if (orig->sk)
			skb_set_owner_w(copy, orig->sk);

		lapb_send_iframe(lapb, copy, LAPB_POLLOFF);
		lapb->vs = (lapb->vs + 1) % modulus;

		/* The original stays around until the peer acknowledges it. */
		skb_queue_tail(&lapb->ack_queue, orig);

		if (lapb->vs == end)
			break;
	}

	lapb->condition &= ~LAPB_ACK_PENDING_CONDITION;

	if (!lapb_t1timer_running(lapb))
		lapb_start_t1timer(lapb);
}
/*
 * Prepend the LAPB address octet and hand the frame to the driver.
 *
 * @lapb: link control block; LAPB_DCE and LAPB_MLP in its mode select the
 *        address pair
 * @skb:  frame with control field (and payload) already in place
 * @type: LAPB_COMMAND or LAPB_RESPONSE
 *
 * The address written depends on which end of the link we are (DCE/DTE),
 * whether multilink addressing is in use, and whether the frame is a
 * command or a response.  If lapb_data_transmit() returns 0 the skb is
 * freed here; presumably that means the driver did not consume it —
 * verify against lapb_data_transmit() before relying on it.
 *
 * NOTE(review): a @type that is neither LAPB_COMMAND nor LAPB_RESPONSE
 * leaves the pushed address octet unwritten, so stale headroom bytes would
 * go on the wire.  The only caller visible in this file passes
 * LAPB_COMMAND; confirm the callers elsewhere (e.g. lapb_send_control())
 * never pass anything else.
 *
 * NOTE(review): the debug line dumps three octets from skb->data
 * regardless of skb->len; for a frame shorter than three octets that
 * reads past the payload into the buffer's tail.
 */
void lapb_transmit_buffer(struct lapb_cb *lapb, struct sk_buff *skb, int type)
{
	unsigned char cmd_addr, rsp_addr;
	unsigned char *addr;

	/* Command/response address pair for this end of the link. */
	if (lapb->mode & LAPB_DCE) {
		cmd_addr = (lapb->mode & LAPB_MLP) ? LAPB_ADDR_C : LAPB_ADDR_A;
		rsp_addr = (lapb->mode & LAPB_MLP) ? LAPB_ADDR_D : LAPB_ADDR_B;
	} else {
		cmd_addr = (lapb->mode & LAPB_MLP) ? LAPB_ADDR_D : LAPB_ADDR_B;
		rsp_addr = (lapb->mode & LAPB_MLP) ? LAPB_ADDR_C : LAPB_ADDR_A;
	}

	addr = skb_push(skb, 1);
	if (type == LAPB_COMMAND)
		*addr = cmd_addr;
	else if (type == LAPB_RESPONSE)
		*addr = rsp_addr;

	lapb_dbg(2, "(%p) S%d TX %3ph\n", lapb->dev, lapb->state, skb->data);

	if (!lapb_data_transmit(lapb, skb))
		kfree_skb(skb);
}
/*
 * Start link setup: send SABM (or SABME in extended mode) with P=1.
 *
 * @lapb: link control block
 *
 * All condition flags and the N2 retry counter are cleared first.  T1 is
 * started to time the setup attempt and T2 is stopped.
 */
void lapb_establish_data_link(struct lapb_cb *lapb)
{
	int extended = lapb->mode & LAPB_EXTENDED;

	lapb->condition = 0x00;
	lapb->n2count = 0;

	if (extended)
		lapb_dbg(1, "(%p) S%d TX SABME(1)\n", lapb->dev, lapb->state);
	else
		lapb_dbg(1, "(%p) S%d TX SABM(1)\n", lapb->dev, lapb->state);

	lapb_send_control(lapb, extended ? LAPB_SABME : LAPB_SABM,
			  LAPB_POLLON, LAPB_COMMAND);

	lapb_start_t1timer(lapb);
	lapb_stop_t2timer(lapb);
}
/*
 * Answer a peer's poll: send RR with F=1 carrying the current N(R).
 *
 * @lapb: link control block
 *
 * Since the RR acknowledges everything received so far, the pending-ack
 * condition is cleared afterwards.
 */
void lapb_enquiry_response(struct lapb_cb *lapb)
{
	lapb_dbg(1, "(%p) S%d TX RR(1) R%d\n",
		 lapb->dev, lapb->state, lapb->vr);

	lapb_send_control(lapb, LAPB_RR, LAPB_POLLON, LAPB_RESPONSE);

	lapb->condition = lapb->condition & ~LAPB_ACK_PENDING_CONDITION;
}
/*
 * Send an unsolicited RR (F=0) carrying the current N(R).
 *
 * @lapb: link control block
 *
 * Used when an acknowledgement is owed but no I-frame is going out to
 * piggyback it on; the pending-ack condition is cleared afterwards.
 */
void lapb_timeout_response(struct lapb_cb *lapb)
{
	lapb_dbg(1, "(%p) S%d TX RR(0) R%d\n",
		 lapb->dev, lapb->state, lapb->vr);

	lapb_send_control(lapb, LAPB_RR, LAPB_POLLOFF, LAPB_RESPONSE);

	lapb->condition = lapb->condition & ~LAPB_ACK_PENDING_CONDITION;
}
/*
 * Process an N(R) received from the peer.
 *
 * @lapb: link control block
 * @nr:   the peer's N(R), i.e. the next sequence number it expects
 *
 * If @nr equals V(S) every outstanding frame is acknowledged: release them,
 * stop T1 and reset the retry counter.  If @nr differs from V(A) some but
 * not all frames are acknowledged: release those and restart T1 for the
 * remainder.  If @nr equals V(A) nothing new was acknowledged.
 *
 * NOTE(review): no range check is done on @nr here; it is assumed the
 * caller has already validated it as within the window — confirm in the
 * receive path before trusting peer-supplied values.
 */
void lapb_check_iframes_acked(struct lapb_cb *lapb, unsigned short nr)
{
	if (lapb->vs == nr) {
		/* Fully acknowledged. */
		lapb_frames_acked(lapb, nr);
		lapb_stop_t1timer(lapb);
		lapb->n2count = 0;
		return;
	}

	if (lapb->va == nr)
		return;

	/* Partially acknowledged: keep T1 running for what is left. */
	lapb_frames_acked(lapb, nr);
	lapb_start_t1timer(lapb);
}
/*
 * Reply to a command frame that carries P=1.
 *
 * @lapb: link control block
 * @type: LAPB_COMMAND or LAPB_RESPONSE
 * @pf:   the received frame's P/F bit
 *
 * A command with the poll bit set must be answered with a final-bit
 * response; that is done via lapb_enquiry_response().  Anything else
 * needs no reply here.
 */
void lapb_check_need_response(struct lapb_cb *lapb, int type, int pf)
{
	if (type != LAPB_COMMAND || !pf)
		return;

	lapb_enquiry_response(lapb);
}