agp: fix arbitrary kernel memory writes
1 /*
2 * raw.c - Raw sockets for protocol family CAN
4 * Copyright (c) 2002-2007 Volkswagen Group Electronic Research
5 * All rights reserved.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of Volkswagen nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
19 * Alternatively, provided that this notice is retained in full, this
20 * software may be distributed under the terms of the GNU General
21 * Public License ("GPL") version 2, in which case the provisions of the
22 * GPL apply INSTEAD OF those given above.
24 * The provided data structures and external interfaces from this code
25 * are not restricted to be used by modules with a GPL compatible license.
27 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
28 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
29 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
30 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
31 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
32 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
33 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
34 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
35 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
36 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
37 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
38 * DAMAGE.
40 * Send feedback to <socketcan-users@lists.berlios.de>
44 #include <linux/module.h>
45 #include <linux/init.h>
46 #include <linux/uio.h>
47 #include <linux/net.h>
48 #include <linux/slab.h>
49 #include <linux/netdevice.h>
50 #include <linux/socket.h>
51 #include <linux/if_arp.h>
52 #include <linux/skbuff.h>
53 #include <linux/can.h>
54 #include <linux/can/core.h>
55 #include <linux/can/raw.h>
56 #include <net/sock.h>
57 #include <net/net_namespace.h>
/* The raw protocol reports the CAN core version as its own revision. */
#define CAN_RAW_VERSION CAN_VERSION

/* Start-up message printed once by raw_module_init(); init-only data. */
static __initdata const char banner[] =
	KERN_INFO "can: raw protocol (rev " CAN_RAW_VERSION ")\n";

MODULE_DESCRIPTION("PF_CAN raw protocol");
MODULE_LICENSE("Dual BSD/GPL");
MODULE_AUTHOR("Urs Thuermann <urs.thuermann@volkswagen.de>");
MODULE_ALIAS("can-proto-1");

/*
 * can_mask value of the default filter installed by raw_init(): together
 * with can_id 0 it is the one filter "which receives all frames".
 */
#define MASK_ALL 0
/*
 * A raw socket has a list of can_filters attached to it, each receiving
 * the CAN frames matching that filter.  If the filter list is empty,
 * no CAN frames will be received by the socket.  The default after
 * opening the socket, is to have one filter which receives all frames.
 * The filter list is allocated dynamically with the exception of the
 * list containing only one item.  This common case is optimized by
 * storing the single filter in dfilter, to avoid using dynamic memory.
 *
 * Ownership rule used throughout this file: 'filter' points to kmalloc'ed
 * memory only while count > 1; for count == 1 it points at 'dfilter' and
 * must never be passed to kfree().
 */
struct raw_sock {
	struct sock sk;			/* must stay first: raw_sk() casts */
	int bound;			/* set to 1 by a successful raw_bind() */
	int ifindex;			/* bound interface index, 0 if none */
	struct notifier_block notifier;	/* registered in raw_init() */
	int loopback;			/* handed to can_send() on transmit */
	int recv_own_msgs;		/* 0: raw_rcv() drops our own frames */
	int count;			/* number of active filters */
	struct can_filter dfilter;	/* default/single filter */
	struct can_filter *filter;	/* pointer to filter(s) */
	can_err_mask_t err_mask;	/* error frame mask, 0 = none */
};
/*
 * Return pointer to store the extra msg flags for raw_recvmsg().
 * We use the space of one unsigned int beyond the 'struct sockaddr_can'
 * in skb->cb.
 *
 * The BUILD_BUG_ON makes the build fail unless skb->cb is larger than the
 * address plus the flags word, so the returned pointer always lies inside
 * the control buffer.
 */
static inline unsigned int *raw_flags(struct sk_buff *skb)
{
	struct sockaddr_can *addr = (struct sockaddr_can *)skb->cb;

	BUILD_BUG_ON(sizeof(skb->cb) <= (sizeof(struct sockaddr_can) +
					 sizeof(unsigned int)));

	/* the flags word starts directly behind the address */
	return (unsigned int *)(addr + 1);
}
/*
 * Convert a generic sock pointer into the raw socket that contains it.
 * The plain cast is only valid because 'sk' is the first member of
 * struct raw_sock.
 */
static inline struct raw_sock *raw_sk(const struct sock *sk)
{
	return (struct raw_sock *)sk;
}
/*
 * Receive callback registered with can_rx_register() for every filter of
 * a raw socket; 'data' is the struct sock given at registration time.
 *
 * A clone of the frame is queued to the socket.  The clone's control
 * buffer carries a struct sockaddr_can (family and interface index)
 * followed by the extra message flags that raw_recvmsg() hands out.
 */
static void raw_rcv(struct sk_buff *oskb, void *data)
{
	struct sock *sk = (struct sock *)data;
	struct raw_sock *ro = raw_sk(sk);
	struct sockaddr_can *addr;
	struct sk_buff *clone;
	unsigned int flags = 0;

	/* frame was sent on this very socket and echo was not requested */
	if (!ro->recv_own_msgs && oskb->sk == sk)
		return;

	/* a private clone is needed to enqueue it into the rcv queue */
	clone = skb_clone(oskb, GFP_ATOMIC);
	if (!clone)
		return;

	/*
	 * raw_recvmsg() copies the whole struct sockaddr_can from skb->cb
	 * to the caller's msg_name, so the area is zeroed completely before
	 * the two meaningful fields are filled in: nothing that was left
	 * in the control buffer may travel along with the address.
	 */
	BUILD_BUG_ON(sizeof(clone->cb) < sizeof(struct sockaddr_can));
	addr = (struct sockaddr_can *)clone->cb;
	memset(addr, 0, sizeof(*addr));
	addr->can_family = AF_CAN;
	addr->can_ifindex = clone->dev->ifindex;

	/* CAN specific message flags for raw_recvmsg() */
	if (oskb->sk)
		flags |= MSG_DONTROUTE;	/* original frame has a sending sock */
	if (oskb->sk == sk)
		flags |= MSG_CONFIRM;	/* ... and that sock is this one */
	*raw_flags(clone) = flags;

	/* on a queueing error the clone is still ours to release */
	if (sock_queue_rcv_skb(sk, clone) < 0)
		kfree_skb(clone);
}
/*
 * Register raw_rcv() for each of the 'count' entries in 'filter'.
 *
 * All-or-nothing: when one registration fails, the entries registered
 * before it are unregistered again and the error is returned.
 * Returns 0 on success (also for count <= 0, where nothing is done).
 */
static int raw_enable_filters(struct net_device *dev, struct sock *sk,
			      struct can_filter *filter, int count)
{
	int i;
	int err = 0;

	for (i = 0; i < count; i++) {
		err = can_rx_register(dev, filter[i].can_id,
				      filter[i].can_mask,
				      raw_rcv, sk, "raw");
		if (!err)
			continue;

		/* roll back entries i-1 .. 0, entry i was never registered */
		for (i--; i >= 0; i--)
			can_rx_unregister(dev, filter[i].can_id,
					  filter[i].can_mask,
					  raw_rcv, sk);
		break;
	}

	return err;
}
/*
 * Register raw_rcv() for error frames selected by 'err_mask'.
 * A zero mask registers nothing and reports success.
 */
static int raw_enable_errfilter(struct net_device *dev, struct sock *sk,
				can_err_mask_t err_mask)
{
	if (!err_mask)
		return 0;

	return can_rx_register(dev, 0, err_mask | CAN_ERR_FLAG,
			       raw_rcv, sk, "raw");
}
/*
 * Unregister raw_rcv() for each of the 'count' entries in 'filter'.
 * The arguments must match those used for registration; 'filter' is not
 * dereferenced when count <= 0.
 */
static void raw_disable_filters(struct net_device *dev, struct sock *sk,
				struct can_filter *filter, int count)
{
	int i = 0;

	while (i < count) {
		can_rx_unregister(dev, filter[i].can_id, filter[i].can_mask,
				  raw_rcv, sk);
		i++;
	}
}
/*
 * Counterpart of raw_enable_errfilter(): drop the error frame
 * registration for 'err_mask'.  A zero mask was never registered, so
 * there is nothing to undo.
 */
static inline void raw_disable_errfilter(struct net_device *dev,
					 struct sock *sk,
					 can_err_mask_t err_mask)
{
	if (!err_mask)
		return;

	can_rx_unregister(dev, 0, err_mask | CAN_ERR_FLAG, raw_rcv, sk);
}
/*
 * Unregister everything the socket currently has registered on 'dev':
 * first its filter list, then its error frame mask.
 */
static inline void raw_disable_allfilters(struct net_device *dev,
					  struct sock *sk)
{
	struct raw_sock *ro = raw_sk(sk);

	raw_disable_filters(dev, sk, ro->filter, ro->count);
	raw_disable_errfilter(dev, sk, ro->err_mask);
}
/*
 * Register the socket's filter list and its error frame mask on 'dev'.
 * If the error mask cannot be registered, the filter list is taken down
 * again so that a failure leaves no registration behind.
 * Returns 0 or the error of the failing registration.
 */
static int raw_enable_allfilters(struct net_device *dev, struct sock *sk)
{
	struct raw_sock *ro = raw_sk(sk);
	int err;

	err = raw_enable_filters(dev, sk, ro->filter, ro->count);
	if (err)
		return err;

	err = raw_enable_errfilter(dev, sk, ro->err_mask);
	if (err)
		raw_disable_filters(dev, sk, ro->filter, ro->count);

	return err;
}
/*
 * Netdevice notifier callback of one raw socket (installed by raw_init()).
 *
 * Only events for a CAN device in init_net whose index equals the
 * socket's bound ifindex are handled:
 *  - NETDEV_UNREGISTER: drop all registrations and the filter list under
 *    the socket lock, mark the socket unbound, report ENODEV.
 *  - NETDEV_DOWN: report ENETDOWN.
 * Always returns NOTIFY_DONE.
 */
static int raw_notifier(struct notifier_block *nb,
			unsigned long msg, void *data)
{
	struct net_device *dev = (struct net_device *)data;
	struct raw_sock *ro = container_of(nb, struct raw_sock, notifier);
	struct sock *sk = &ro->sk;
	int sk_err;

	if (!net_eq(dev_net(dev), &init_net) ||
	    dev->type != ARPHRD_CAN ||
	    ro->ifindex != dev->ifindex)
		return NOTIFY_DONE;

	switch (msg) {

	case NETDEV_UNREGISTER:
		lock_sock(sk);
		/* remove current filters & unregister */
		if (ro->bound)
			raw_disable_allfilters(dev, sk);

		/* only a list of more than one entry was kmalloc'ed */
		if (ro->count > 1)
			kfree(ro->filter);

		/*
		 * ro->filter is left as it is; with count == 0 no code in
		 * this file dereferences or frees it.
		 */
		ro->ifindex = 0;
		ro->bound = 0;
		ro->count = 0;
		release_sock(sk);

		sk_err = ENODEV;
		break;

	case NETDEV_DOWN:
		sk_err = ENETDOWN;
		break;

	default:
		return NOTIFY_DONE;
	}

	/* the error is posted after the socket lock has been dropped */
	sk->sk_err = sk_err;
	if (!sock_flag(sk, SOCK_DEAD))
		sk->sk_error_report(sk);

	return NOTIFY_DONE;
}
/*
 * Protocol init hook (raw_proto.init): put a new raw socket into its
 * default state and register its netdevice notifier.
 *
 * Defaults: unbound, one catch-all filter held in dfilter, loopback on,
 * reception of own messages off.  Always returns 0.
 */
static int raw_init(struct sock *sk)
{
	struct raw_sock *ro = raw_sk(sk);

	ro->bound = 0;
	ro->ifindex = 0;

	/* default filter list: the single entry stored in dfilter */
	ro->dfilter.can_id = 0;
	ro->dfilter.can_mask = MASK_ALL;
	ro->filter = &ro->dfilter;
	ro->count = 1;

	/* default loopback behaviour */
	ro->loopback = 1;
	ro->recv_own_msgs = 0;

	/*
	 * NOTE(review): the result of register_netdevice_notifier() is not
	 * checked here, while raw_release() unregisters unconditionally.
	 */
	ro->notifier.notifier_call = raw_notifier;
	register_netdevice_notifier(&ro->notifier);

	return 0;
}
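/*
 * Release hook (raw_ops.release): detach the raw socket from the CAN
 * core and drop the reference held through sock->sk.
 *
 * Returns 0 in all cases.
 */
static int raw_release(struct socket *sock)
{
	struct sock *sk = sock->sk;
	struct raw_sock *ro;

	/*
	 * Everything below dereferences sk, and this function itself
	 * resets sock->sk to NULL on its way out.  A struct socket that
	 * has no sock attached (any more) therefore has nothing left to
	 * release; return instead of following a NULL pointer.
	 */
	if (!sk)
		return 0;

	ro = raw_sk(sk);

	/* no further device events for this socket from here on */
	unregister_netdevice_notifier(&ro->notifier);

	lock_sock(sk);

	/* remove current filters & unregister */
	if (ro->bound) {
		if (ro->ifindex) {
			struct net_device *dev;

			dev = dev_get_by_index(&init_net, ro->ifindex);
			if (dev) {
				raw_disable_allfilters(dev, sk);
				dev_put(dev);
			}
		} else
			raw_disable_allfilters(NULL, sk);
	}

	/* only a list of more than one entry was kmalloc'ed */
	if (ro->count > 1)
		kfree(ro->filter);

	ro->ifindex = 0;
	ro->bound = 0;
	ro->count = 0;

	sock_orphan(sk);
	sock->sk = NULL;

	release_sock(sk);
	sock_put(sk);

	return 0;
}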
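/*
 * Bind hook (raw_ops.bind): attach the socket to the CAN interface named
 * by can_ifindex, or to no particular interface when can_ifindex is 0.
 *
 * The socket's filters are registered for the new target first; only
 * when that succeeded are the registrations of a previous binding
 * removed, so a failed re-bind keeps the old binding intact.
 *
 * Returns 0 on success, -EINVAL for a too short (or negative) address
 * length, -ENODEV if the index does not name a CAN device in init_net,
 * or the error of the filter registration.  If the device is not up,
 * ENETDOWN is additionally posted as socket error.
 */
static int raw_bind(struct socket *sock, struct sockaddr *uaddr, int len)
{
	struct sockaddr_can *addr = (struct sockaddr_can *)uaddr;
	struct sock *sk = sock->sk;
	struct raw_sock *ro = raw_sk(sk);
	int ifindex;
	int err = 0;
	int notify_enetdown = 0;

	/*
	 * 'len' is signed: compared directly with sizeof() a negative
	 * value is converted to a huge unsigned one and slips through.
	 * Reject it explicitly before addr is read.
	 *
	 * NOTE(review): addr->can_family is not validated here, unlike in
	 * raw_sendmsg() - confirm whether bind should insist on AF_CAN.
	 */
	if (len < 0 || (size_t)len < sizeof(*addr))
		return -EINVAL;

	lock_sock(sk);

	/* already bound to exactly this interface: nothing to do */
	if (ro->bound && addr->can_ifindex == ro->ifindex)
		goto out;

	if (addr->can_ifindex) {
		struct net_device *dev;

		dev = dev_get_by_index(&init_net, addr->can_ifindex);
		if (!dev) {
			err = -ENODEV;
			goto out;
		}
		/* any netdevice index can be passed in; accept CAN only */
		if (dev->type != ARPHRD_CAN) {
			dev_put(dev);
			err = -ENODEV;
			goto out;
		}
		if (!(dev->flags & IFF_UP))
			notify_enetdown = 1;

		ifindex = dev->ifindex;

		/* filters set by default/setsockopt */
		err = raw_enable_allfilters(dev, sk);
		dev_put(dev);
	} else {
		ifindex = 0;

		/* filters set by default/setsockopt */
		err = raw_enable_allfilters(NULL, sk);
	}

	if (!err) {
		if (ro->bound) {
			/* unregister old filters */
			if (ro->ifindex) {
				struct net_device *dev;

				dev = dev_get_by_index(&init_net, ro->ifindex);
				if (dev) {
					raw_disable_allfilters(dev, sk);
					dev_put(dev);
				}
			} else
				raw_disable_allfilters(NULL, sk);
		}
		ro->ifindex = ifindex;
		ro->bound = 1;
	}

 out:
	release_sock(sk);

	/* posted outside the socket lock */
	if (notify_enetdown) {
		sk->sk_err = ENETDOWN;
		if (!sock_flag(sk, SOCK_DEAD))
			sk->sk_error_report(sk);
	}

	return err;
}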
/*
 * getname hook (raw_ops.getname): report the local address of the socket.
 *
 * There is no peer on a raw CAN socket, so a peer request fails with
 * -EOPNOTSUPP.  Otherwise the address is zeroed in full before family
 * and bound interface index are filled in, *len is set to the size of
 * struct sockaddr_can and 0 is returned.
 */
static int raw_getname(struct socket *sock, struct sockaddr *uaddr,
		       int *len, int peer)
{
	struct raw_sock *ro = raw_sk(sock->sk);
	struct sockaddr_can *addr = (struct sockaddr_can *)uaddr;

	if (peer)
		return -EOPNOTSUPP;

	/* clear every byte so unused fields and padding hold no old data */
	memset(addr, 0, sizeof(*addr));
	addr->can_family = AF_CAN;
	addr->can_ifindex = ro->ifindex;

	*len = sizeof(*addr);

	return 0;
}
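/*
 * setsockopt hook (raw_ops.setsockopt) for level SOL_CAN_RAW.
 *
 *  CAN_RAW_FILTER        replace the filter list; optlen must be a
 *                        multiple of sizeof(struct can_filter), 0 clears
 *                        the list
 *  CAN_RAW_ERR_FILTER    replace the error frame mask
 *  CAN_RAW_LOOPBACK      int, stored in ro->loopback
 *  CAN_RAW_RECV_OWN_MSGS int, stored in ro->recv_own_msgs
 *
 * On a bound socket the new filters / mask are registered before the old
 * ones are removed, so a failure leaves the previous state in place.
 *
 * Returns 0 on success, -EINVAL for a wrong level or option length,
 * -EFAULT if the option value cannot be read, -ENODEV if the interface
 * the socket is bound to cannot be looked up, -ENOPROTOOPT for an
 * unknown option, or the error of memdup_user() / the registration.
 */
static int raw_setsockopt(struct socket *sock, int level, int optname,
			  char __user *optval, unsigned int optlen)
{
	struct sock *sk = sock->sk;
	struct raw_sock *ro = raw_sk(sk);
	struct can_filter *filter = NULL;  /* dyn. alloc'ed filters */
	struct can_filter sfilter;         /* single filter */
	struct net_device *dev = NULL;
	can_err_mask_t err_mask = 0;
	int flag;
	int count = 0;
	int err = 0;

	if (level != SOL_CAN_RAW)
		return -EINVAL;

	switch (optname) {

	case CAN_RAW_FILTER:
		if (optlen % sizeof(struct can_filter) != 0)
			return -EINVAL;

		/*
		 * NOTE(review): there is no explicit upper bound on count;
		 * the only limit visible here is whatever memdup_user()
		 * refuses to allocate.
		 */
		count = optlen / sizeof(struct can_filter);

		if (count > 1) {
			/* filter does not fit into dfilter => alloc space */
			filter = memdup_user(optval, optlen);
			if (IS_ERR(filter))
				return PTR_ERR(filter);
		} else if (count == 1) {
			if (copy_from_user(&sfilter, optval, sizeof(sfilter)))
				return -EFAULT;
		}

		lock_sock(sk);

		if (ro->bound && ro->ifindex) {
			dev = dev_get_by_index(&init_net, ro->ifindex);
			if (!dev) {
				/*
				 * The bound interface is gone.  Going on
				 * with dev == NULL would register the new
				 * filters on the target raw_bind() uses for
				 * ifindex 0, while the old ones sit on the
				 * device - the two sets could never be
				 * unregistered consistently again.
				 */
				if (count > 1)
					kfree(filter);
				err = -ENODEV;
				goto out_fil;
			}
		}

		if (ro->bound) {
			/* (try to) register the new filters */
			if (count == 1)
				err = raw_enable_filters(dev, sk, &sfilter, 1);
			else
				err = raw_enable_filters(dev, sk, filter,
							 count);
			if (err) {
				if (count > 1)
					kfree(filter);
				goto out_fil;
			}

			/* remove old filter registrations */
			raw_disable_filters(dev, sk, ro->filter, ro->count);
		}

		/* remove old filter space */
		if (ro->count > 1)
			kfree(ro->filter);

		/* link new filters to the socket */
		if (count == 1) {
			/* copy filter data for single filter */
			ro->dfilter = sfilter;
			filter = &ro->dfilter;
		}
		ro->filter = filter;
		ro->count = count;

 out_fil:
		if (dev)
			dev_put(dev);

		release_sock(sk);

		break;

	case CAN_RAW_ERR_FILTER:
		if (optlen != sizeof(err_mask))
			return -EINVAL;

		if (copy_from_user(&err_mask, optval, optlen))
			return -EFAULT;

		/* bits outside the defined error mask are dropped */
		err_mask &= CAN_ERR_MASK;

		lock_sock(sk);

		if (ro->bound && ro->ifindex) {
			dev = dev_get_by_index(&init_net, ro->ifindex);
			if (!dev) {
				/* same reasoning as for CAN_RAW_FILTER */
				err = -ENODEV;
				goto out_err;
			}
		}

		if (ro->bound) {
			/* (try to) register the new err_mask */
			err = raw_enable_errfilter(dev, sk, err_mask);

			if (err)
				goto out_err;

			/* remove old err_mask registration */
			raw_disable_errfilter(dev, sk, ro->err_mask);
		}

		/* link new err_mask to the socket */
		ro->err_mask = err_mask;

 out_err:
		if (dev)
			dev_put(dev);

		release_sock(sk);

		break;

	case CAN_RAW_LOOPBACK:
		if (optlen != sizeof(ro->loopback))
			return -EINVAL;

		/*
		 * Copy into a local first: a faulting copy must not leave
		 * the live socket field partially overwritten.
		 */
		if (copy_from_user(&flag, optval, optlen))
			return -EFAULT;

		ro->loopback = flag;

		break;

	case CAN_RAW_RECV_OWN_MSGS:
		if (optlen != sizeof(ro->recv_own_msgs))
			return -EINVAL;

		/* via a local for the same reason as CAN_RAW_LOOPBACK */
		if (copy_from_user(&flag, optval, optlen))
			return -EFAULT;

		ro->recv_own_msgs = flag;

		break;

	default:
		return -ENOPROTOOPT;
	}
	return err;
}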
/*
 * getsockopt hook (raw_ops.getsockopt) for level SOL_CAN_RAW.
 *
 * The caller's buffer length is read from *optlen, rejected if negative
 * and clamped to the size of the requested option, so never more than
 * the option itself is copied out.  The length actually used is written
 * back to *optlen.
 *
 * Returns 0 on success, -EINVAL for a wrong level or negative length,
 * -EFAULT if user memory cannot be accessed, -ENOPROTOOPT for an
 * unknown option.
 */
static int raw_getsockopt(struct socket *sock, int level, int optname,
			  char __user *optval, int __user *optlen)
{
	struct sock *sk = sock->sk;
	struct raw_sock *ro = raw_sk(sk);
	size_t max_len;
	void *val;
	int len;
	int err = 0;

	if (level != SOL_CAN_RAW)
		return -EINVAL;
	if (get_user(len, optlen))
		return -EFAULT;
	if (len < 0)
		return -EINVAL;

	switch (optname) {

	case CAN_RAW_FILTER:
		/* the list may be replaced concurrently; read it locked */
		lock_sock(sk);
		if (ro->count > 0) {
			int list_size = ro->count * sizeof(struct can_filter);

			if (len > list_size)
				len = list_size;
			if (copy_to_user(optval, ro->filter, len))
				err = -EFAULT;
		} else
			len = 0;
		release_sock(sk);

		if (!err)
			err = put_user(len, optlen);
		return err;

	case CAN_RAW_ERR_FILTER:
		max_len = sizeof(can_err_mask_t);
		val = &ro->err_mask;
		break;

	case CAN_RAW_LOOPBACK:
		max_len = sizeof(int);
		val = &ro->loopback;
		break;

	case CAN_RAW_RECV_OWN_MSGS:
		max_len = sizeof(int);
		val = &ro->recv_own_msgs;
		break;

	default:
		return -ENOPROTOOPT;
	}

	/* len is known to be >= 0 here, the comparison is well defined */
	if (len > max_len)
		len = max_len;

	if (put_user(len, optlen))
		return -EFAULT;
	if (copy_to_user(optval, val, len))
		return -EFAULT;
	return 0;
}
/*
 * sendmsg hook (raw_ops.sendmsg): transmit exactly one CAN frame.
 *
 * The target interface is taken from msg_name when an address is given
 * (it must be large enough and of family AF_CAN), otherwise from the
 * socket's bound ifindex.  'size' must be sizeof(struct can_frame).
 *
 * Returns the number of bytes sent, -EINVAL for a bad address or size,
 * -ENXIO if the interface does not exist, or the error of the skb
 * allocation, the copy from user space, the timestamp setup or
 * can_send().
 */
static int raw_sendmsg(struct kiocb *iocb, struct socket *sock,
		       struct msghdr *msg, size_t size)
{
	struct sock *sk = sock->sk;
	struct raw_sock *ro = raw_sk(sk);
	struct sk_buff *skb;
	struct net_device *dev;
	int ifindex = ro->ifindex;
	int err;

	if (msg->msg_name) {
		struct sockaddr_can *addr =
			(struct sockaddr_can *)msg->msg_name;

		/* NOTE(review): presumably msg_namelen is signed - confirm */
		if (msg->msg_namelen < sizeof(*addr))
			return -EINVAL;

		if (addr->can_family != AF_CAN)
			return -EINVAL;

		/* an explicit destination overrides the bound interface */
		ifindex = addr->can_ifindex;
	}

	if (size != sizeof(struct can_frame))
		return -EINVAL;

	/*
	 * NOTE(review): the device type is not checked in this function;
	 * presumably can_send() rejects non-CAN devices - confirm.
	 */
	dev = dev_get_by_index(&init_net, ifindex);
	if (!dev)
		return -ENXIO;

	skb = sock_alloc_send_skb(sk, size, msg->msg_flags & MSG_DONTWAIT,
				  &err);
	if (!skb)
		goto put_dev;

	err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size);
	if (err < 0)
		goto free_skb;

	err = sock_tx_timestamp(sk, &skb_shinfo(skb)->tx_flags);
	if (err < 0)
		goto free_skb;

	/* to be able to check the received tx sock reference in raw_rcv() */
	skb_shinfo(skb)->tx_flags |= SKBTX_DRV_NEEDS_SK_REF;

	skb->dev = dev;
	skb->sk = sk;

	/* the skb is not freed here after this call, whatever the result */
	err = can_send(skb, ro->loopback);

	dev_put(dev);

	if (err)
		return err;

	return size;

free_skb:
	kfree_skb(skb);
put_dev:
	dev_put(dev);
	return err;
}
/*
 * recvmsg hook (raw_ops.recvmsg): hand one queued frame to the caller.
 *
 * At most 'size' bytes are copied; a frame longer than that sets
 * MSG_TRUNC.  When the caller asked for an address, the struct
 * sockaddr_can that raw_rcv() stored in skb->cb is copied to msg_name,
 * and the flags raw_rcv() recorded are or'ed into msg_flags.
 *
 * Returns the number of bytes copied or a negative error.
 */
static int raw_recvmsg(struct kiocb *iocb, struct socket *sock,
		       struct msghdr *msg, size_t size, int flags)
{
	struct sock *sk = sock->sk;
	struct sk_buff *skb;
	int noblock = flags & MSG_DONTWAIT;
	int err = 0;

	/* blocking behaviour is passed separately, not inside flags */
	flags &= ~MSG_DONTWAIT;

	skb = skb_recv_datagram(sk, flags, noblock, &err);
	if (!skb)
		return err;

	/* never copy more than the frame holds or the caller accepts */
	if (size < skb->len)
		msg->msg_flags |= MSG_TRUNC;
	else
		size = skb->len;

	err = memcpy_toiovec(msg->msg_iov, skb->data, size);
	if (err < 0)
		goto free_skb;

	sock_recv_ts_and_drops(msg, sk, skb);

	if (msg->msg_name) {
		/* raw_rcv() zeroed and filled this part of the cb */
		msg->msg_namelen = sizeof(struct sockaddr_can);
		memcpy(msg->msg_name, skb->cb, msg->msg_namelen);
	}

	/* assign the flags that have been recorded in raw_rcv() */
	msg->msg_flags |= *(raw_flags(skb));

	err = size;

free_skb:
	skb_free_datagram(sk, skb);

	return err;
}
/*
 * Socket operations of the raw protocol.  Operations that have no
 * meaning for this socket type are wired to the generic sock_no_*()
 * handlers.
 */
static const struct proto_ops raw_ops = {
	.family		= PF_CAN,
	.release	= raw_release,
	.bind		= raw_bind,
	.connect	= sock_no_connect,
	.socketpair	= sock_no_socketpair,
	.accept		= sock_no_accept,
	.getname	= raw_getname,
	.poll		= datagram_poll,
	.ioctl		= can_ioctl,	/* use can_ioctl() from af_can.c */
	.listen		= sock_no_listen,
	.shutdown	= sock_no_shutdown,
	.setsockopt	= raw_setsockopt,
	.getsockopt	= raw_getsockopt,
	.sendmsg	= raw_sendmsg,
	.recvmsg	= raw_recvmsg,
	.mmap		= sock_no_mmap,
	.sendpage	= sock_no_sendpage,
};
/*
 * Protocol descriptor: obj_size makes every socket of this protocol a
 * struct raw_sock, which raw_init() then puts into its default state.
 */
static struct proto raw_proto __read_mostly = {
	.name		= "CAN_RAW",
	.owner		= THIS_MODULE,
	.obj_size	= sizeof(struct raw_sock),
	.init		= raw_init,
};
/*
 * Registration record handed to can_proto_register(): SOCK_RAW sockets
 * of protocol CAN_RAW are served by raw_ops and raw_proto.
 */
static struct can_proto raw_can_proto __read_mostly = {
	.type		= SOCK_RAW,
	.protocol	= CAN_RAW,
	.ops		= &raw_ops,
	.prot		= &raw_proto,
};
/*
 * Module entry point: print the banner and register the raw protocol
 * with the CAN core.  Returns the result of can_proto_register().
 */
static __init int raw_module_init(void)
{
	int err;

	/* banner is a file-local constant, not caller-supplied text */
	printk(banner);

	err = can_proto_register(&raw_can_proto);
	if (err < 0)
		printk(KERN_ERR "can: registration of raw protocol failed\n");

	return err;
}
/* Module exit point: withdraw the raw protocol from the CAN core. */
static __exit void raw_module_exit(void)
{
	can_proto_unregister(&raw_can_proto);
}
/* hook the two functions above into module load and unload */
module_init(raw_module_init);
module_exit(raw_module_exit);