1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * Tty buffer allocation management
4  */
5 
6 #include <linux/types.h>
7 #include <linux/errno.h>
8 #include <linux/tty.h>
9 #include <linux/tty_driver.h>
10 #include <linux/tty_flip.h>
11 #include <linux/timer.h>
12 #include <linux/string.h>
13 #include <linux/slab.h>
14 #include <linux/sched.h>
15 #include <linux/wait.h>
16 #include <linux/bitops.h>
17 #include <linux/delay.h>
18 #include <linux/module.h>
19 #include <linux/ratelimit.h>
20 
21 
22 #define MIN_TTYB_SIZE	256
23 #define TTYB_ALIGN_MASK	255
24 
25 /*
26  * Byte threshold to limit memory consumption for flip buffers.
27  * The actual memory limit is > 2x this amount.
28  */
29 #define TTYB_DEFAULT_MEM_LIMIT	65536
30 
31 /*
32  * We default to dicing tty buffer allocations to this many characters
33  * in order to avoid multiple page allocations. We know the size of
34  * tty_buffer itself but it must also be taken into account that the
35  * the buffer is 256 byte aligned. See tty_buffer_find for the allocation
36  * logic this must match
37  */
38 
39 #define TTY_BUFFER_PAGE	(((PAGE_SIZE - sizeof(struct tty_buffer)) / 2) & ~0xFF)
40 
41 /**
42  *	tty_buffer_lock_exclusive	-	gain exclusive access to buffer
43  *	tty_buffer_unlock_exclusive	-	release exclusive access
44  *
45  *	@port - tty_port owning the flip buffer
46  *
47  *	Guarantees safe use of the line discipline's receive_buf() method by
48  *	excluding the buffer work and any pending flush from using the flip
49  *	buffer. Data can continue to be added concurrently to the flip buffer
50  *	from the driver side.
51  *
52  *	On release, the buffer work is restarted if there is data in the
53  *	flip buffer
54  */
55 
tty_buffer_lock_exclusive(struct tty_port * port)56 void tty_buffer_lock_exclusive(struct tty_port *port)
57 {
58 	struct tty_bufhead *buf = &port->buf;
59 
60 	atomic_inc(&buf->priority);
61 	mutex_lock(&buf->lock);
62 }
63 EXPORT_SYMBOL_GPL(tty_buffer_lock_exclusive);
64 
tty_buffer_unlock_exclusive(struct tty_port * port)65 void tty_buffer_unlock_exclusive(struct tty_port *port)
66 {
67 	struct tty_bufhead *buf = &port->buf;
68 	int restart;
69 
70 	restart = buf->head->commit != buf->head->read;
71 
72 	atomic_dec(&buf->priority);
73 	mutex_unlock(&buf->lock);
74 	if (restart)
75 		queue_work(system_unbound_wq, &buf->work);
76 }
77 EXPORT_SYMBOL_GPL(tty_buffer_unlock_exclusive);
78 
79 /**
80  *	tty_buffer_space_avail	-	return unused buffer space
81  *	@port - tty_port owning the flip buffer
82  *
83  *	Returns the # of bytes which can be written by the driver without
84  *	reaching the buffer limit.
85  *
86  *	Note: this does not guarantee that memory is available to write
87  *	the returned # of bytes (use tty_prepare_flip_string_xxx() to
88  *	pre-allocate if memory guarantee is required).
89  */
90 
tty_buffer_space_avail(struct tty_port * port)91 int tty_buffer_space_avail(struct tty_port *port)
92 {
93 	int space = port->buf.mem_limit - atomic_read(&port->buf.mem_used);
94 	return max(space, 0);
95 }
96 EXPORT_SYMBOL_GPL(tty_buffer_space_avail);
97 
tty_buffer_reset(struct tty_buffer * p,size_t size)98 static void tty_buffer_reset(struct tty_buffer *p, size_t size)
99 {
100 	p->used = 0;
101 	p->size = size;
102 	p->next = NULL;
103 	p->commit = 0;
104 	p->read = 0;
105 	p->flags = 0;
106 }
107 
108 /**
109  *	tty_buffer_free_all		-	free buffers used by a tty
110  *	@tty: tty to free from
111  *
112  *	Remove all the buffers pending on a tty whether queued with data
113  *	or in the free ring. Must be called when the tty is no longer in use
114  */
115 
tty_buffer_free_all(struct tty_port * port)116 void tty_buffer_free_all(struct tty_port *port)
117 {
118 	struct tty_bufhead *buf = &port->buf;
119 	struct tty_buffer *p, *next;
120 	struct llist_node *llist;
121 
122 	while ((p = buf->head) != NULL) {
123 		buf->head = p->next;
124 		if (p->size > 0)
125 			kfree(p);
126 	}
127 	llist = llist_del_all(&buf->free);
128 	llist_for_each_entry_safe(p, next, llist, free)
129 		kfree(p);
130 
131 	tty_buffer_reset(&buf->sentinel, 0);
132 	buf->head = &buf->sentinel;
133 	buf->tail = &buf->sentinel;
134 
135 	atomic_set(&buf->mem_used, 0);
136 }
137 
138 /**
139  *	tty_buffer_alloc	-	allocate a tty buffer
140  *	@tty: tty device
141  *	@size: desired size (characters)
142  *
143  *	Allocate a new tty buffer to hold the desired number of characters.
144  *	We round our buffers off in 256 character chunks to get better
145  *	allocation behaviour.
146  *	Return NULL if out of memory or the allocation would exceed the
147  *	per device queue
148  */
149 
tty_buffer_alloc(struct tty_port * port,size_t size)150 static struct tty_buffer *tty_buffer_alloc(struct tty_port *port, size_t size)
151 {
152 	struct llist_node *free;
153 	struct tty_buffer *p;
154 
155 	/* Round the buffer size out */
156 	size = __ALIGN_MASK(size, TTYB_ALIGN_MASK);
157 
158 	if (size <= MIN_TTYB_SIZE) {
159 		free = llist_del_first(&port->buf.free);
160 		if (free) {
161 			p = llist_entry(free, struct tty_buffer, free);
162 			goto found;
163 		}
164 	}
165 
166 	/* Should possibly check if this fails for the largest buffer we
167 	   have queued and recycle that ? */
168 	if (atomic_read(&port->buf.mem_used) > port->buf.mem_limit)
169 		return NULL;
170 	p = kmalloc(sizeof(struct tty_buffer) + 2 * size, GFP_ATOMIC);
171 	if (p == NULL)
172 		return NULL;
173 
174 found:
175 	tty_buffer_reset(p, size);
176 	atomic_add(size, &port->buf.mem_used);
177 	return p;
178 }
179 
180 /**
181  *	tty_buffer_free		-	free a tty buffer
182  *	@tty: tty owning the buffer
183  *	@b: the buffer to free
184  *
185  *	Free a tty buffer, or add it to the free list according to our
186  *	internal strategy
187  */
188 
tty_buffer_free(struct tty_port * port,struct tty_buffer * b)189 static void tty_buffer_free(struct tty_port *port, struct tty_buffer *b)
190 {
191 	struct tty_bufhead *buf = &port->buf;
192 
193 	/* Dumb strategy for now - should keep some stats */
194 	WARN_ON(atomic_sub_return(b->size, &buf->mem_used) < 0);
195 
196 	if (b->size > MIN_TTYB_SIZE)
197 		kfree(b);
198 	else if (b->size > 0)
199 		llist_add(&b->free, &buf->free);
200 }
201 
202 /**
203  *	tty_buffer_flush		-	flush full tty buffers
204  *	@tty: tty to flush
205  *	@ld:  optional ldisc ptr (must be referenced)
206  *
207  *	flush all the buffers containing receive data. If ld != NULL,
208  *	flush the ldisc input buffer.
209  *
210  *	Locking: takes buffer lock to ensure single-threaded flip buffer
211  *		 'consumer'
212  */
213 
tty_buffer_flush(struct tty_struct * tty,struct tty_ldisc * ld)214 void tty_buffer_flush(struct tty_struct *tty, struct tty_ldisc *ld)
215 {
216 	struct tty_port *port = tty->port;
217 	struct tty_bufhead *buf = &port->buf;
218 	struct tty_buffer *next;
219 
220 	atomic_inc(&buf->priority);
221 
222 	mutex_lock(&buf->lock);
223 	/* paired w/ release in __tty_buffer_request_room; ensures there are
224 	 * no pending memory accesses to the freed buffer
225 	 */
226 	while ((next = smp_load_acquire(&buf->head->next)) != NULL) {
227 		tty_buffer_free(port, buf->head);
228 		buf->head = next;
229 	}
230 	buf->head->read = buf->head->commit;
231 
232 	if (ld && ld->ops->flush_buffer)
233 		ld->ops->flush_buffer(tty);
234 
235 	atomic_dec(&buf->priority);
236 	mutex_unlock(&buf->lock);
237 }
238 
239 /**
240  *	tty_buffer_request_room		-	grow tty buffer if needed
241  *	@tty: tty structure
242  *	@size: size desired
243  *	@flags: buffer flags if new buffer allocated (default = 0)
244  *
245  *	Make at least size bytes of linear space available for the tty
246  *	buffer. If we fail return the size we managed to find.
247  *
248  *	Will change over to a new buffer if the current buffer is encoded as
249  *	TTY_NORMAL (so has no flags buffer) and the new buffer requires
250  *	a flags buffer.
251  */
__tty_buffer_request_room(struct tty_port * port,size_t size,int flags)252 static int __tty_buffer_request_room(struct tty_port *port, size_t size,
253 				     int flags)
254 {
255 	struct tty_bufhead *buf = &port->buf;
256 	struct tty_buffer *b, *n;
257 	int left, change;
258 
259 	b = buf->tail;
260 	if (b->flags & TTYB_NORMAL)
261 		left = 2 * b->size - b->used;
262 	else
263 		left = b->size - b->used;
264 
265 	change = (b->flags & TTYB_NORMAL) && (~flags & TTYB_NORMAL);
266 	if (change || left < size) {
267 		/* This is the slow path - looking for new buffers to use */
268 		n = tty_buffer_alloc(port, size);
269 		if (n != NULL) {
270 			n->flags = flags;
271 			buf->tail = n;
272 			/* paired w/ acquire in flush_to_ldisc(); ensures
273 			 * flush_to_ldisc() sees buffer data.
274 			 */
275 			smp_store_release(&b->commit, b->used);
276 			/* paired w/ acquire in flush_to_ldisc(); ensures the
277 			 * latest commit value can be read before the head is
278 			 * advanced to the next buffer
279 			 */
280 			smp_store_release(&b->next, n);
281 		} else if (change)
282 			size = 0;
283 		else
284 			size = left;
285 	}
286 	return size;
287 }
288 
tty_buffer_request_room(struct tty_port * port,size_t size)289 int tty_buffer_request_room(struct tty_port *port, size_t size)
290 {
291 	return __tty_buffer_request_room(port, size, 0);
292 }
293 EXPORT_SYMBOL_GPL(tty_buffer_request_room);
294 
295 /**
296  *	tty_insert_flip_string_fixed_flag - Add characters to the tty buffer
297  *	@port: tty port
298  *	@chars: characters
299  *	@flag: flag value for each character
300  *	@size: size
301  *
302  *	Queue a series of bytes to the tty buffering. All the characters
303  *	passed are marked with the supplied flag. Returns the number added.
304  */
305 
tty_insert_flip_string_fixed_flag(struct tty_port * port,const unsigned char * chars,char flag,size_t size)306 int tty_insert_flip_string_fixed_flag(struct tty_port *port,
307 		const unsigned char *chars, char flag, size_t size)
308 {
309 	int copied = 0;
310 	do {
311 		int goal = min_t(size_t, size - copied, TTY_BUFFER_PAGE);
312 		int flags = (flag == TTY_NORMAL) ? TTYB_NORMAL : 0;
313 		int space = __tty_buffer_request_room(port, goal, flags);
314 		struct tty_buffer *tb = port->buf.tail;
315 		if (unlikely(space == 0))
316 			break;
317 		memcpy(char_buf_ptr(tb, tb->used), chars, space);
318 		if (~tb->flags & TTYB_NORMAL)
319 			memset(flag_buf_ptr(tb, tb->used), flag, space);
320 		tb->used += space;
321 		copied += space;
322 		chars += space;
323 		/* There is a small chance that we need to split the data over
324 		   several buffers. If this is the case we must loop */
325 	} while (unlikely(size > copied));
326 	return copied;
327 }
328 EXPORT_SYMBOL(tty_insert_flip_string_fixed_flag);
329 
330 /**
331  *	tty_insert_flip_string_flags	-	Add characters to the tty buffer
332  *	@port: tty port
333  *	@chars: characters
334  *	@flags: flag bytes
335  *	@size: size
336  *
337  *	Queue a series of bytes to the tty buffering. For each character
338  *	the flags array indicates the status of the character. Returns the
339  *	number added.
340  */
341 
tty_insert_flip_string_flags(struct tty_port * port,const unsigned char * chars,const char * flags,size_t size)342 int tty_insert_flip_string_flags(struct tty_port *port,
343 		const unsigned char *chars, const char *flags, size_t size)
344 {
345 	int copied = 0;
346 	do {
347 		int goal = min_t(size_t, size - copied, TTY_BUFFER_PAGE);
348 		int space = tty_buffer_request_room(port, goal);
349 		struct tty_buffer *tb = port->buf.tail;
350 		if (unlikely(space == 0))
351 			break;
352 		memcpy(char_buf_ptr(tb, tb->used), chars, space);
353 		memcpy(flag_buf_ptr(tb, tb->used), flags, space);
354 		tb->used += space;
355 		copied += space;
356 		chars += space;
357 		flags += space;
358 		/* There is a small chance that we need to split the data over
359 		   several buffers. If this is the case we must loop */
360 	} while (unlikely(size > copied));
361 	return copied;
362 }
363 EXPORT_SYMBOL(tty_insert_flip_string_flags);
364 
365 /**
366  *	__tty_insert_flip_char   -	Add one character to the tty buffer
367  *	@port: tty port
368  *	@ch: character
369  *	@flag: flag byte
370  *
371  *	Queue a single byte to the tty buffering, with an optional flag.
372  *	This is the slow path of tty_insert_flip_char.
373  */
__tty_insert_flip_char(struct tty_port * port,unsigned char ch,char flag)374 int __tty_insert_flip_char(struct tty_port *port, unsigned char ch, char flag)
375 {
376 	struct tty_buffer *tb;
377 	int flags = (flag == TTY_NORMAL) ? TTYB_NORMAL : 0;
378 
379 	if (!__tty_buffer_request_room(port, 1, flags))
380 		return 0;
381 
382 	tb = port->buf.tail;
383 	if (~tb->flags & TTYB_NORMAL)
384 		*flag_buf_ptr(tb, tb->used) = flag;
385 	*char_buf_ptr(tb, tb->used++) = ch;
386 
387 	return 1;
388 }
389 EXPORT_SYMBOL(__tty_insert_flip_char);
390 
391 /**
392  *	tty_schedule_flip	-	push characters to ldisc
393  *	@port: tty port to push from
394  *
395  *	Takes any pending buffers and transfers their ownership to the
396  *	ldisc side of the queue. It then schedules those characters for
397  *	processing by the line discipline.
398  */
399 
tty_schedule_flip(struct tty_port * port)400 void tty_schedule_flip(struct tty_port *port)
401 {
402 	struct tty_bufhead *buf = &port->buf;
403 
404 	/* paired w/ acquire in flush_to_ldisc(); ensures
405 	 * flush_to_ldisc() sees buffer data.
406 	 */
407 	smp_store_release(&buf->tail->commit, buf->tail->used);
408 	queue_work(system_unbound_wq, &buf->work);
409 }
410 EXPORT_SYMBOL(tty_schedule_flip);
411 
412 /**
413  *	tty_prepare_flip_string		-	make room for characters
414  *	@port: tty port
415  *	@chars: return pointer for character write area
416  *	@size: desired size
417  *
418  *	Prepare a block of space in the buffer for data. Returns the length
419  *	available and buffer pointer to the space which is now allocated and
420  *	accounted for as ready for normal characters. This is used for drivers
421  *	that need their own block copy routines into the buffer. There is no
422  *	guarantee the buffer is a DMA target!
423  */
424 
tty_prepare_flip_string(struct tty_port * port,unsigned char ** chars,size_t size)425 int tty_prepare_flip_string(struct tty_port *port, unsigned char **chars,
426 		size_t size)
427 {
428 	int space = __tty_buffer_request_room(port, size, TTYB_NORMAL);
429 	if (likely(space)) {
430 		struct tty_buffer *tb = port->buf.tail;
431 		*chars = char_buf_ptr(tb, tb->used);
432 		if (~tb->flags & TTYB_NORMAL)
433 			memset(flag_buf_ptr(tb, tb->used), TTY_NORMAL, space);
434 		tb->used += space;
435 	}
436 	return space;
437 }
438 EXPORT_SYMBOL_GPL(tty_prepare_flip_string);
439 
440 /**
441  *	tty_ldisc_receive_buf		-	forward data to line discipline
442  *	@ld:	line discipline to process input
443  *	@p:	char buffer
444  *	@f:	TTY_* flags buffer
445  *	@count:	number of bytes to process
446  *
447  *	Callers other than flush_to_ldisc() need to exclude the kworker
448  *	from concurrent use of the line discipline, see paste_selection().
449  *
450  *	Returns the number of bytes processed
451  */
tty_ldisc_receive_buf(struct tty_ldisc * ld,const unsigned char * p,char * f,int count)452 int tty_ldisc_receive_buf(struct tty_ldisc *ld, const unsigned char *p,
453 			  char *f, int count)
454 {
455 	if (ld->ops->receive_buf2)
456 		count = ld->ops->receive_buf2(ld->tty, p, f, count);
457 	else {
458 		count = min_t(int, count, ld->tty->receive_room);
459 		if (count && ld->ops->receive_buf)
460 			ld->ops->receive_buf(ld->tty, p, f, count);
461 	}
462 	return count;
463 }
464 EXPORT_SYMBOL_GPL(tty_ldisc_receive_buf);
465 
466 static int
receive_buf(struct tty_port * port,struct tty_buffer * head,int count)467 receive_buf(struct tty_port *port, struct tty_buffer *head, int count)
468 {
469 	unsigned char *p = char_buf_ptr(head, head->read);
470 	char	      *f = NULL;
471 
472 	if (~head->flags & TTYB_NORMAL)
473 		f = flag_buf_ptr(head, head->read);
474 
475 	return port->client_ops->receive_buf(port, p, f, count);
476 }
477 
478 /**
479  *	flush_to_ldisc
480  *	@work: tty structure passed from work queue.
481  *
482  *	This routine is called out of the software interrupt to flush data
483  *	from the buffer chain to the line discipline.
484  *
485  *	The receive_buf method is single threaded for each tty instance.
486  *
487  *	Locking: takes buffer lock to ensure single-threaded flip buffer
488  *		 'consumer'
489  */
490 
flush_to_ldisc(struct work_struct * work)491 static void flush_to_ldisc(struct work_struct *work)
492 {
493 	struct tty_port *port = container_of(work, struct tty_port, buf.work);
494 	struct tty_bufhead *buf = &port->buf;
495 
496 	mutex_lock(&buf->lock);
497 
498 	while (1) {
499 		struct tty_buffer *head = buf->head;
500 		struct tty_buffer *next;
501 		int count;
502 
503 		/* Ldisc or user is trying to gain exclusive access */
504 		if (atomic_read(&buf->priority))
505 			break;
506 
507 		/* paired w/ release in __tty_buffer_request_room();
508 		 * ensures commit value read is not stale if the head
509 		 * is advancing to the next buffer
510 		 */
511 		next = smp_load_acquire(&head->next);
512 		/* paired w/ release in __tty_buffer_request_room() or in
513 		 * tty_buffer_flush(); ensures we see the committed buffer data
514 		 */
515 		count = smp_load_acquire(&head->commit) - head->read;
516 		if (!count) {
517 			if (next == NULL)
518 				break;
519 			buf->head = next;
520 			tty_buffer_free(port, head);
521 			continue;
522 		}
523 
524 		count = receive_buf(port, head, count);
525 		if (!count)
526 			break;
527 		head->read += count;
528 	}
529 
530 	mutex_unlock(&buf->lock);
531 
532 }
533 
534 /**
535  *	tty_flip_buffer_push	-	terminal
536  *	@port: tty port to push
537  *
538  *	Queue a push of the terminal flip buffers to the line discipline.
539  *	Can be called from IRQ/atomic context.
540  *
541  *	In the event of the queue being busy for flipping the work will be
542  *	held off and retried later.
543  */
544 
tty_flip_buffer_push(struct tty_port * port)545 void tty_flip_buffer_push(struct tty_port *port)
546 {
547 	tty_schedule_flip(port);
548 }
549 EXPORT_SYMBOL(tty_flip_buffer_push);
550 
551 /**
552  *	tty_buffer_init		-	prepare a tty buffer structure
553  *	@tty: tty to initialise
554  *
555  *	Set up the initial state of the buffer management for a tty device.
556  *	Must be called before the other tty buffer functions are used.
557  */
558 
tty_buffer_init(struct tty_port * port)559 void tty_buffer_init(struct tty_port *port)
560 {
561 	struct tty_bufhead *buf = &port->buf;
562 
563 	mutex_init(&buf->lock);
564 	tty_buffer_reset(&buf->sentinel, 0);
565 	buf->head = &buf->sentinel;
566 	buf->tail = &buf->sentinel;
567 	init_llist_head(&buf->free);
568 	atomic_set(&buf->mem_used, 0);
569 	atomic_set(&buf->priority, 0);
570 	INIT_WORK(&buf->work, flush_to_ldisc);
571 	buf->mem_limit = TTYB_DEFAULT_MEM_LIMIT;
572 }
573 
574 /**
575  *	tty_buffer_set_limit	-	change the tty buffer memory limit
576  *	@port: tty port to change
577  *
578  *	Change the tty buffer memory limit.
579  *	Must be called before the other tty buffer functions are used.
580  */
581 
tty_buffer_set_limit(struct tty_port * port,int limit)582 int tty_buffer_set_limit(struct tty_port *port, int limit)
583 {
584 	if (limit < MIN_TTYB_SIZE)
585 		return -EINVAL;
586 	port->buf.mem_limit = limit;
587 	return 0;
588 }
589 EXPORT_SYMBOL_GPL(tty_buffer_set_limit);
590 
591 /* slave ptys can claim nested buffer lock when handling BRK and INTR */
tty_buffer_set_lock_subclass(struct tty_port * port)592 void tty_buffer_set_lock_subclass(struct tty_port *port)
593 {
594 	lockdep_set_subclass(&port->buf.lock, TTY_LOCK_SLAVE);
595 }
596 
tty_buffer_restart_work(struct tty_port * port)597 bool tty_buffer_restart_work(struct tty_port *port)
598 {
599 	return queue_work(system_unbound_wq, &port->buf.work);
600 }
601 
tty_buffer_cancel_work(struct tty_port * port)602 bool tty_buffer_cancel_work(struct tty_port *port)
603 {
604 	return cancel_work_sync(&port->buf.work);
605 }
606 
tty_buffer_flush_work(struct tty_port * port)607 void tty_buffer_flush_work(struct tty_port *port)
608 {
609 	flush_work(&port->buf.work);
610 }
611