ClabureDB: Classified Bug-Reports Database

Project: Linux Kernel

Showing error 1740

User:	Jiri Slaby
Error type:	Invalid Pointer Dereference
Error type description:	A pointer which is invalid is being dereferenced
File location:	drivers/net/tun.c
Line in file:	478
Project:	Linux Kernel
Project version:	2.6.28
Tools:	Smatch (1.59)
Entered:	2013-09-10 20:24:52 UTC
Source:

   1/*
   2 *  TUN - Universal TUN/TAP device driver.
   3 *  Copyright (C) 1999-2002 Maxim Krasnyansky <maxk@qualcomm.com>
   4 *
   5 *  This program is free software; you can redistribute it and/or modify
   6 *  it under the terms of the GNU General Public License as published by
   7 *  the Free Software Foundation; either version 2 of the License, or
   8 *  (at your option) any later version.
   9 *
  10 *  This program is distributed in the hope that it will be useful,
  11 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  12 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  13 *  GNU General Public License for more details.
  14 *
  15 *  $Id: tun.c,v 1.15 2002/03/01 02:44:24 maxk Exp $
  16 */
  17
  18/*
  19 *  Changes:
  20 *
  21 *  Mike Kershaw <dragorn@kismetwireless.net> 2005/08/14
  22 *    Add TUNSETLINK ioctl to set the link encapsulation
  23 *
  24 *  Mark Smith <markzzzsmith@yahoo.com.au>
  25 *    Use random_ether_addr() for tap MAC address.
  26 *
  27 *  Harald Roelle <harald.roelle@ifi.lmu.de>  2004/04/20
  28 *    Fixes in packet dropping, queue length setting and queue wakeup.
  29 *    Increased default tx queue length.
  30 *    Added ethtool API.
  31 *    Minor cleanups
  32 *
  33 *  Daniel Podlejski <underley@underley.eu.org>
  34 *    Modifications for 2.3.99-pre5 kernel.
  35 */
  36
  37#define DRV_NAME        "tun"
  38#define DRV_VERSION        "1.6"
  39#define DRV_DESCRIPTION        "Universal TUN/TAP device driver"
  40#define DRV_COPYRIGHT        "(C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>"
  41
  42#include <linux/module.h>
  43#include <linux/errno.h>
  44#include <linux/kernel.h>
  45#include <linux/major.h>
  46#include <linux/slab.h>
  47#include <linux/smp_lock.h>
  48#include <linux/poll.h>
  49#include <linux/fcntl.h>
  50#include <linux/init.h>
  51#include <linux/skbuff.h>
  52#include <linux/netdevice.h>
  53#include <linux/etherdevice.h>
  54#include <linux/miscdevice.h>
  55#include <linux/ethtool.h>
  56#include <linux/rtnetlink.h>
  57#include <linux/if.h>
  58#include <linux/if_arp.h>
  59#include <linux/if_ether.h>
  60#include <linux/if_tun.h>
  61#include <linux/crc32.h>
  62#include <linux/nsproxy.h>
  63#include <linux/virtio_net.h>
  64#include <net/net_namespace.h>
  65#include <net/netns/generic.h>
  66
  67#include <asm/system.h>
  68#include <asm/uaccess.h>
  69
  70/* Uncomment to enable debugging */
  71/* #define TUN_DEBUG 1 */
  72
  73#ifdef TUN_DEBUG
  74static int debug;
  75
  76#define DBG  if(tun->debug)printk
  77#define DBG1 if(debug==2)printk
  78#else
  79#define DBG( a... )
  80#define DBG1( a... )
  81#endif
  82
  83#define FLT_EXACT_COUNT 8
  84struct tap_filter {
  85        unsigned int    count;    /* Number of addrs. Zero means disabled */
  86        u32             mask[2];  /* Mask of the hashed addrs */
  87        unsigned char        addr[FLT_EXACT_COUNT][ETH_ALEN];
  88};
  89
  90struct tun_struct {
  91        struct list_head        list;
  92        unsigned int                 flags;
  93        int                        attached;
  94        uid_t                        owner;
  95        gid_t                        group;
  96
  97        wait_queue_head_t        read_wait;
  98        struct sk_buff_head        readq;
  99
 100        struct net_device        *dev;
 101        struct fasync_struct        *fasync;
 102
 103        struct tap_filter       txflt;
 104
 105#ifdef TUN_DEBUG
 106        int debug;
 107#endif
 108};
 109
 110/* TAP filterting */
 111static void addr_hash_set(u32 *mask, const u8 *addr)
 112{
 113        int n = ether_crc(ETH_ALEN, addr) >> 26;
 114        mask[n >> 5] |= (1 << (n & 31));
 115}
 116
 117static unsigned int addr_hash_test(const u32 *mask, const u8 *addr)
 118{
 119        int n = ether_crc(ETH_ALEN, addr) >> 26;
 120        return mask[n >> 5] & (1 << (n & 31));
 121}
 122
 123static int update_filter(struct tap_filter *filter, void __user *arg)
 124{
 125        struct { u8 u[ETH_ALEN]; } *addr;
 126        struct tun_filter uf;
 127        int err, alen, n, nexact;
 128
 129        if (copy_from_user(&uf, arg, sizeof(uf)))
 130                return -EFAULT;
 131
 132        if (!uf.count) {
 133                /* Disabled */
 134                filter->count = 0;
 135                return 0;
 136        }
 137
 138        alen = ETH_ALEN * uf.count;
 139        addr = kmalloc(alen, GFP_KERNEL);
 140        if (!addr)
 141                return -ENOMEM;
 142
 143        if (copy_from_user(addr, arg + sizeof(uf), alen)) {
 144                err = -EFAULT;
 145                goto done;
 146        }
 147
 148        /* The filter is updated without holding any locks. Which is
 149         * perfectly safe. We disable it first and in the worst
 150         * case we'll accept a few undesired packets. */
 151        filter->count = 0;
 152        wmb();
 153
 154        /* Use first set of addresses as an exact filter */
 155        for (n = 0; n < uf.count && n < FLT_EXACT_COUNT; n++)
 156                memcpy(filter->addr[n], addr[n].u, ETH_ALEN);
 157
 158        nexact = n;
 159
 160        /* The rest is hashed */
 161        memset(filter->mask, 0, sizeof(filter->mask));
 162        for (; n < uf.count; n++)
 163                addr_hash_set(filter->mask, addr[n].u);
 164
 165        /* For ALLMULTI just set the mask to all ones.
 166         * This overrides the mask populated above. */
 167        if ((uf.flags & TUN_FLT_ALLMULTI))
 168                memset(filter->mask, ~0, sizeof(filter->mask));
 169
 170        /* Now enable the filter */
 171        wmb();
 172        filter->count = nexact;
 173
 174        /* Return the number of exact filters */
 175        err = nexact;
 176
 177done:
 178        kfree(addr);
 179        return err;
 180}
 181
 182/* Returns: 0 - drop, !=0 - accept */
 183static int run_filter(struct tap_filter *filter, const struct sk_buff *skb)
 184{
 185        /* Cannot use eth_hdr(skb) here because skb_mac_hdr() is incorrect
 186         * at this point. */
 187        struct ethhdr *eh = (struct ethhdr *) skb->data;
 188        int i;
 189
 190        /* Exact match */
 191        for (i = 0; i < filter->count; i++)
 192                if (!compare_ether_addr(eh->h_dest, filter->addr[i]))
 193                        return 1;
 194
 195        /* Inexact match (multicast only) */
 196        if (is_multicast_ether_addr(eh->h_dest))
 197                return addr_hash_test(filter->mask, eh->h_dest);
 198
 199        return 0;
 200}
 201
 202/*
 203 * Checks whether the packet is accepted or not.
 204 * Returns: 0 - drop, !=0 - accept
 205 */
 206static int check_filter(struct tap_filter *filter, const struct sk_buff *skb)
 207{
 208        if (!filter->count)
 209                return 1;
 210
 211        return run_filter(filter, skb);
 212}
 213
 214/* Network device part of the driver */
 215
 216static unsigned int tun_net_id;
 217struct tun_net {
 218        struct list_head dev_list;
 219};
 220
 221static const struct ethtool_ops tun_ethtool_ops;
 222
 223/* Net device open. */
 224static int tun_net_open(struct net_device *dev)
 225{
 226        netif_start_queue(dev);
 227        return 0;
 228}
 229
 230/* Net device close. */
 231static int tun_net_close(struct net_device *dev)
 232{
 233        netif_stop_queue(dev);
 234        return 0;
 235}
 236
 237/* Net device start xmit */
 238static int tun_net_xmit(struct sk_buff *skb, struct net_device *dev)
 239{
 240        struct tun_struct *tun = netdev_priv(dev);
 241
 242        DBG(KERN_INFO "%s: tun_net_xmit %d\n", tun->dev->name, skb->len);
 243
 244        /* Drop packet if interface is not attached */
 245        if (!tun->attached)
 246                goto drop;
 247
 248        /* Drop if the filter does not like it.
 249         * This is a noop if the filter is disabled.
 250         * Filter can be enabled only for the TAP devices. */
 251        if (!check_filter(&tun->txflt, skb))
 252                goto drop;
 253
 254        if (skb_queue_len(&tun->readq) >= dev->tx_queue_len) {
 255                if (!(tun->flags & TUN_ONE_QUEUE)) {
 256                        /* Normal queueing mode. */
 257                        /* Packet scheduler handles dropping of further packets. */
 258                        netif_stop_queue(dev);
 259
 260                        /* We won't see all dropped packets individually, so overrun
 261                         * error is more appropriate. */
 262                        dev->stats.tx_fifo_errors++;
 263                } else {
 264                        /* Single queue mode.
 265                         * Driver handles dropping of all packets itself. */
 266                        goto drop;
 267                }
 268        }
 269
 270        /* Enqueue packet */
 271        skb_queue_tail(&tun->readq, skb);
 272        dev->trans_start = jiffies;
 273
 274        /* Notify and wake up reader process */
 275        if (tun->flags & TUN_FASYNC)
 276                kill_fasync(&tun->fasync, SIGIO, POLL_IN);
 277        wake_up_interruptible(&tun->read_wait);
 278        return 0;
 279
 280drop:
 281        dev->stats.tx_dropped++;
 282        kfree_skb(skb);
 283        return 0;
 284}
 285
 286static void tun_net_mclist(struct net_device *dev)
 287{
 288        /*
 289         * This callback is supposed to deal with mc filter in
 290         * _rx_ path and has nothing to do with the _tx_ path.
 291         * In rx path we always accept everything userspace gives us.
 292         */
 293        return;
 294}
 295
 296#define MIN_MTU 68
 297#define MAX_MTU 65535
 298
 299static int
 300tun_net_change_mtu(struct net_device *dev, int new_mtu)
 301{
 302        if (new_mtu < MIN_MTU || new_mtu + dev->hard_header_len > MAX_MTU)
 303                return -EINVAL;
 304        dev->mtu = new_mtu;
 305        return 0;
 306}
 307
 308/* Initialize net device. */
 309static void tun_net_init(struct net_device *dev)
 310{
 311        struct tun_struct *tun = netdev_priv(dev);
 312
 313        switch (tun->flags & TUN_TYPE_MASK) {
 314        case TUN_TUN_DEV:
 315                /* Point-to-Point TUN Device */
 316                dev->hard_header_len = 0;
 317                dev->addr_len = 0;
 318                dev->mtu = 1500;
 319                dev->change_mtu = tun_net_change_mtu;
 320
 321                /* Zero header length */
 322                dev->type = ARPHRD_NONE;
 323                dev->flags = IFF_POINTOPOINT | IFF_NOARP | IFF_MULTICAST;
 324                dev->tx_queue_len = TUN_READQ_SIZE;  /* We prefer our own queue length */
 325                break;
 326
 327        case TUN_TAP_DEV:
 328                /* Ethernet TAP Device */
 329                ether_setup(dev);
 330                dev->change_mtu         = tun_net_change_mtu;
 331                dev->set_multicast_list = tun_net_mclist;
 332
 333                random_ether_addr(dev->dev_addr);
 334
 335                dev->tx_queue_len = TUN_READQ_SIZE;  /* We prefer our own queue length */
 336                break;
 337        }
 338}
 339
 340/* Character device part */
 341
 342/* Poll */
 343static unsigned int tun_chr_poll(struct file *file, poll_table * wait)
 344{
 345        struct tun_struct *tun = file->private_data;
 346        unsigned int mask = POLLOUT | POLLWRNORM;
 347
 348        if (!tun)
 349                return -EBADFD;
 350
 351        DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name);
 352
 353        poll_wait(file, &tun->read_wait, wait);
 354
 355        if (!skb_queue_empty(&tun->readq))
 356                mask |= POLLIN | POLLRDNORM;
 357
 358        return mask;
 359}
 360
 361/* prepad is the amount to reserve at front.  len is length after that.
 362 * linear is a hint as to how much to copy (usually headers). */
 363static struct sk_buff *tun_alloc_skb(size_t prepad, size_t len, size_t linear,
 364                                     gfp_t gfp)
 365{
 366        struct sk_buff *skb;
 367        unsigned int i;
 368
 369        skb = alloc_skb(prepad + len, gfp|__GFP_NOWARN);
 370        if (skb) {
 371                skb_reserve(skb, prepad);
 372                skb_put(skb, len);
 373                return skb;
 374        }
 375
 376        /* Under a page?  Don't bother with paged skb. */
 377        if (prepad + len < PAGE_SIZE)
 378                return NULL;
 379
 380        /* Start with a normal skb, and add pages. */
 381        skb = alloc_skb(prepad + linear, gfp);
 382        if (!skb)
 383                return NULL;
 384
 385        skb_reserve(skb, prepad);
 386        skb_put(skb, linear);
 387
 388        len -= linear;
 389
 390        for (i = 0; i < MAX_SKB_FRAGS; i++) {
 391                skb_frag_t *f = &skb_shinfo(skb)->frags[i];
 392
 393                f->page = alloc_page(gfp|__GFP_ZERO);
 394                if (!f->page)
 395                        break;
 396
 397                f->page_offset = 0;
 398                f->size = PAGE_SIZE;
 399
 400                skb->data_len += PAGE_SIZE;
 401                skb->len += PAGE_SIZE;
 402                skb->truesize += PAGE_SIZE;
 403                skb_shinfo(skb)->nr_frags++;
 404
 405                if (len < PAGE_SIZE) {
 406                        len = 0;
 407                        break;
 408                }
 409                len -= PAGE_SIZE;
 410        }
 411
 412        /* Too large, or alloc fail? */
 413        if (unlikely(len)) {
 414                kfree_skb(skb);
 415                skb = NULL;
 416        }
 417
 418        return skb;
 419}
 420
 421/* Get packet from user space buffer */
 422static __inline__ ssize_t tun_get_user(struct tun_struct *tun, struct iovec *iv, size_t count)
 423{
 424        struct tun_pi pi = { 0, __constant_htons(ETH_P_IP) };
 425        struct sk_buff *skb;
 426        size_t len = count, align = 0;
 427        struct virtio_net_hdr gso = { 0 };
 428
 429        if (!(tun->flags & TUN_NO_PI)) {
 430                if ((len -= sizeof(pi)) > count)
 431                        return -EINVAL;
 432
 433                if(memcpy_fromiovec((void *)&pi, iv, sizeof(pi)))
 434                        return -EFAULT;
 435        }
 436
 437        if (tun->flags & TUN_VNET_HDR) {
 438                if ((len -= sizeof(gso)) > count)
 439                        return -EINVAL;
 440
 441                if (memcpy_fromiovec((void *)&gso, iv, sizeof(gso)))
 442                        return -EFAULT;
 443
 444                if (gso.hdr_len > len)
 445                        return -EINVAL;
 446        }
 447
 448        if ((tun->flags & TUN_TYPE_MASK) == TUN_TAP_DEV) {
 449                align = NET_IP_ALIGN;
 450                if (unlikely(len < ETH_HLEN))
 451                        return -EINVAL;
 452        }
 453
 454        if (!(skb = tun_alloc_skb(align, len, gso.hdr_len, GFP_KERNEL))) {
 455                tun->dev->stats.rx_dropped++;
 456                return -ENOMEM;
 457        }
 458
 459        if (skb_copy_datagram_from_iovec(skb, 0, iv, len)) {
 460                tun->dev->stats.rx_dropped++;
 461                kfree_skb(skb);
 462                return -EFAULT;
 463        }
 464
 465        if (gso.flags & VIRTIO_NET_HDR_F_NEEDS_CSUM) {
 466                if (!skb_partial_csum_set(skb, gso.csum_start,
 467                                          gso.csum_offset)) {
 468                        tun->dev->stats.rx_frame_errors++;
 469                        kfree_skb(skb);
 470                        return -EINVAL;
 471                }
 472        } else if (tun->flags & TUN_NOCHECKSUM)
 473                skb->ip_summed = CHECKSUM_UNNECESSARY;
 474
 475        switch (tun->flags & TUN_TYPE_MASK) {
 476        case TUN_TUN_DEV:
 477                if (tun->flags & TUN_NO_PI) {
 478                        switch (skb->data[0] & 0xf0) {
 479                        case 0x40:
 480                                pi.proto = htons(ETH_P_IP);
 481                                break;
 482                        case 0x60:
 483                                pi.proto = htons(ETH_P_IPV6);
 484                                break;
 485                        default:
 486                                tun->dev->stats.rx_dropped++;
 487                                kfree_skb(skb);
 488                                return -EINVAL;
 489                        }
 490                }
 491
 492                skb_reset_mac_header(skb);
 493                skb->protocol = pi.proto;
 494                skb->dev = tun->dev;
 495                break;
 496        case TUN_TAP_DEV:
 497                skb->protocol = eth_type_trans(skb, tun->dev);
 498                break;
 499        };
 500
 501        if (gso.gso_type != VIRTIO_NET_HDR_GSO_NONE) {
 502                pr_debug("GSO!\n");
 503                switch (gso.gso_type & ~VIRTIO_NET_HDR_GSO_ECN) {
 504                case VIRTIO_NET_HDR_GSO_TCPV4:
 505                        skb_shinfo(skb)->gso_type = SKB_GSO_TCPV4;
 506                        break;
 507                case VIRTIO_NET_HDR_GSO_TCPV6:
 508                        skb_shinfo(skb)->gso_type = SKB_GSO_TCPV6;
 509                        break;
 510                default:
 511                        tun->dev->stats.rx_frame_errors++;
 512                        kfree_skb(skb);
 513                        return -EINVAL;
 514                }
 515
 516                if (gso.gso_type & VIRTIO_NET_HDR_GSO_ECN)
 517                        skb_shinfo(skb)->gso_type |= SKB_GSO_TCP_ECN;
 518
 519                skb_shinfo(skb)->gso_size = gso.gso_size;
 520                if (skb_shinfo(skb)->gso_size == 0) {
 521                        tun->dev->stats.rx_frame_errors++;
 522                        kfree_skb(skb);
 523                        return -EINVAL;
 524                }
 525
 526                /* Header must be checked, and gso_segs computed. */
 527                skb_shinfo(skb)->gso_type |= SKB_GSO_DODGY;
 528                skb_shinfo(skb)->gso_segs = 0;
 529        }
 530
 531        netif_rx_ni(skb);
 532        tun->dev->last_rx = jiffies;
 533
 534        tun->dev->stats.rx_packets++;
 535        tun->dev->stats.rx_bytes += len;
 536
 537        return count;
 538}
 539
 540static ssize_t tun_chr_aio_write(struct kiocb *iocb, const struct iovec *iv,
 541                              unsigned long count, loff_t pos)
 542{
 543        struct tun_struct *tun = iocb->ki_filp->private_data;
 544
 545        if (!tun)
 546                return -EBADFD;
 547
 548        DBG(KERN_INFO "%s: tun_chr_write %ld\n", tun->dev->name, count);
 549
 550        return tun_get_user(tun, (struct iovec *) iv, iov_length(iv, count));
 551}
 552
 553/* Put packet to the user space buffer */
 554static __inline__ ssize_t tun_put_user(struct tun_struct *tun,
 555                                       struct sk_buff *skb,
 556                                       struct iovec *iv, int len)
 557{
 558        struct tun_pi pi = { 0, skb->protocol };
 559        ssize_t total = 0;
 560
 561        if (!(tun->flags & TUN_NO_PI)) {
 562                if ((len -= sizeof(pi)) < 0)
 563                        return -EINVAL;
 564
 565                if (len < skb->len) {
 566                        /* Packet will be striped */
 567                        pi.flags |= TUN_PKT_STRIP;
 568                }
 569
 570                if (memcpy_toiovec(iv, (void *) &pi, sizeof(pi)))
 571                        return -EFAULT;
 572                total += sizeof(pi);
 573        }
 574
 575        if (tun->flags & TUN_VNET_HDR) {
 576                struct virtio_net_hdr gso = { 0 }; /* no info leak */
 577                if ((len -= sizeof(gso)) < 0)
 578                        return -EINVAL;
 579
 580                if (skb_is_gso(skb)) {
 581                        struct skb_shared_info *sinfo = skb_shinfo(skb);
 582
 583                        /* This is a hint as to how much should be linear. */
 584                        gso.hdr_len = skb_headlen(skb);
 585                        gso.gso_size = sinfo->gso_size;
 586                        if (sinfo->gso_type & SKB_GSO_TCPV4)
 587                                gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV4;
 588                        else if (sinfo->gso_type & SKB_GSO_TCPV6)
 589                                gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV6;
 590                        else
 591                                BUG();
 592                        if (sinfo->gso_type & SKB_GSO_TCP_ECN)
 593                                gso.gso_type |= VIRTIO_NET_HDR_GSO_ECN;
 594                } else
 595                        gso.gso_type = VIRTIO_NET_HDR_GSO_NONE;
 596
 597                if (skb->ip_summed == CHECKSUM_PARTIAL) {
 598                        gso.flags = VIRTIO_NET_HDR_F_NEEDS_CSUM;
 599                        gso.csum_start = skb->csum_start - skb_headroom(skb);
 600                        gso.csum_offset = skb->csum_offset;
 601                } /* else everything is zero */
 602
 603                if (unlikely(memcpy_toiovec(iv, (void *)&gso, sizeof(gso))))
 604                        return -EFAULT;
 605                total += sizeof(gso);
 606        }
 607
 608        len = min_t(int, skb->len, len);
 609
 610        skb_copy_datagram_iovec(skb, 0, iv, len);
 611        total += len;
 612
 613        tun->dev->stats.tx_packets++;
 614        tun->dev->stats.tx_bytes += len;
 615
 616        return total;
 617}
 618
 619static ssize_t tun_chr_aio_read(struct kiocb *iocb, const struct iovec *iv,
 620                            unsigned long count, loff_t pos)
 621{
 622        struct file *file = iocb->ki_filp;
 623        struct tun_struct *tun = file->private_data;
 624        DECLARE_WAITQUEUE(wait, current);
 625        struct sk_buff *skb;
 626        ssize_t len, ret = 0;
 627
 628        if (!tun)
 629                return -EBADFD;
 630
 631        DBG(KERN_INFO "%s: tun_chr_read\n", tun->dev->name);
 632
 633        len = iov_length(iv, count);
 634        if (len < 0)
 635                return -EINVAL;
 636
 637        add_wait_queue(&tun->read_wait, &wait);
 638        while (len) {
 639                current->state = TASK_INTERRUPTIBLE;
 640
 641                /* Read frames from the queue */
 642                if (!(skb=skb_dequeue(&tun->readq))) {
 643                        if (file->f_flags & O_NONBLOCK) {
 644                                ret = -EAGAIN;
 645                                break;
 646                        }
 647                        if (signal_pending(current)) {
 648                                ret = -ERESTARTSYS;
 649                                break;
 650                        }
 651
 652                        /* Nothing to read, let's sleep */
 653                        schedule();
 654                        continue;
 655                }
 656                netif_wake_queue(tun->dev);
 657
 658                ret = tun_put_user(tun, skb, (struct iovec *) iv, len);
 659                kfree_skb(skb);
 660                break;
 661        }
 662
 663        current->state = TASK_RUNNING;
 664        remove_wait_queue(&tun->read_wait, &wait);
 665
 666        return ret;
 667}
 668
 669static void tun_setup(struct net_device *dev)
 670{
 671        struct tun_struct *tun = netdev_priv(dev);
 672
 673        skb_queue_head_init(&tun->readq);
 674        init_waitqueue_head(&tun->read_wait);
 675
 676        tun->owner = -1;
 677        tun->group = -1;
 678
 679        dev->open = tun_net_open;
 680        dev->hard_start_xmit = tun_net_xmit;
 681        dev->stop = tun_net_close;
 682        dev->ethtool_ops = &tun_ethtool_ops;
 683        dev->destructor = free_netdev;
 684        dev->features |= NETIF_F_NETNS_LOCAL;
 685}
 686
 687static struct tun_struct *tun_get_by_name(struct tun_net *tn, const char *name)
 688{
 689        struct tun_struct *tun;
 690
 691        ASSERT_RTNL();
 692        list_for_each_entry(tun, &tn->dev_list, list) {
 693                if (!strncmp(tun->dev->name, name, IFNAMSIZ))
 694                    return tun;
 695        }
 696
 697        return NULL;
 698}
 699
 700static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
 701{
 702        struct tun_net *tn;
 703        struct tun_struct *tun;
 704        struct net_device *dev;
 705        int err;
 706
 707        tn = net_generic(net, tun_net_id);
 708        tun = tun_get_by_name(tn, ifr->ifr_name);
 709        if (tun) {
 710                if (tun->attached)
 711                        return -EBUSY;
 712
 713                /* Check permissions */
 714                if (((tun->owner != -1 &&
 715                      current->euid != tun->owner) ||
 716                     (tun->group != -1 &&
 717                      current->egid != tun->group)) &&
 718                     !capable(CAP_NET_ADMIN))
 719                        return -EPERM;
 720        }
 721        else if (__dev_get_by_name(net, ifr->ifr_name))
 722                return -EINVAL;
 723        else {
 724                char *name;
 725                unsigned long flags = 0;
 726
 727                err = -EINVAL;
 728
 729                if (!capable(CAP_NET_ADMIN))
 730                        return -EPERM;
 731
 732                /* Set dev type */
 733                if (ifr->ifr_flags & IFF_TUN) {
 734                        /* TUN device */
 735                        flags |= TUN_TUN_DEV;
 736                        name = "tun%d";
 737                } else if (ifr->ifr_flags & IFF_TAP) {
 738                        /* TAP device */
 739                        flags |= TUN_TAP_DEV;
 740                        name = "tap%d";
 741                } else
 742                        goto failed;
 743
 744                if (*ifr->ifr_name)
 745                        name = ifr->ifr_name;
 746
 747                dev = alloc_netdev(sizeof(struct tun_struct), name,
 748                                   tun_setup);
 749                if (!dev)
 750                        return -ENOMEM;
 751
 752                dev_net_set(dev, net);
 753                tun = netdev_priv(dev);
 754                tun->dev = dev;
 755                tun->flags = flags;
 756                tun->txflt.count = 0;
 757
 758                tun_net_init(dev);
 759
 760                if (strchr(dev->name, '%')) {
 761                        err = dev_alloc_name(dev, dev->name);
 762                        if (err < 0)
 763                                goto err_free_dev;
 764                }
 765
 766                err = register_netdevice(tun->dev);
 767                if (err < 0)
 768                        goto err_free_dev;
 769
 770                list_add(&tun->list, &tn->dev_list);
 771        }
 772
 773        DBG(KERN_INFO "%s: tun_set_iff\n", tun->dev->name);
 774
 775        if (ifr->ifr_flags & IFF_NO_PI)
 776                tun->flags |= TUN_NO_PI;
 777        else
 778                tun->flags &= ~TUN_NO_PI;
 779
 780        if (ifr->ifr_flags & IFF_ONE_QUEUE)
 781                tun->flags |= TUN_ONE_QUEUE;
 782        else
 783                tun->flags &= ~TUN_ONE_QUEUE;
 784
 785        if (ifr->ifr_flags & IFF_VNET_HDR)
 786                tun->flags |= TUN_VNET_HDR;
 787        else
 788                tun->flags &= ~TUN_VNET_HDR;
 789
 790        file->private_data = tun;
 791        tun->attached = 1;
 792        get_net(dev_net(tun->dev));
 793
 794        /* Make sure persistent devices do not get stuck in
 795         * xoff state.
 796         */
 797        if (netif_running(tun->dev))
 798                netif_wake_queue(tun->dev);
 799
 800        strcpy(ifr->ifr_name, tun->dev->name);
 801        return 0;
 802
 803 err_free_dev:
 804        free_netdev(dev);
 805 failed:
 806        return err;
 807}
 808
 809static int tun_get_iff(struct net *net, struct file *file, struct ifreq *ifr)
 810{
 811        struct tun_struct *tun = file->private_data;
 812
 813        if (!tun)
 814                return -EBADFD;
 815
 816        DBG(KERN_INFO "%s: tun_get_iff\n", tun->dev->name);
 817
 818        strcpy(ifr->ifr_name, tun->dev->name);
 819
 820        ifr->ifr_flags = 0;
 821
 822        if (ifr->ifr_flags & TUN_TUN_DEV)
 823                ifr->ifr_flags |= IFF_TUN;
 824        else
 825                ifr->ifr_flags |= IFF_TAP;
 826
 827        if (tun->flags & TUN_NO_PI)
 828                ifr->ifr_flags |= IFF_NO_PI;
 829
 830        if (tun->flags & TUN_ONE_QUEUE)
 831                ifr->ifr_flags |= IFF_ONE_QUEUE;
 832
 833        if (tun->flags & TUN_VNET_HDR)
 834                ifr->ifr_flags |= IFF_VNET_HDR;
 835
 836        return 0;
 837}
 838
 839/* This is like a cut-down ethtool ops, except done via tun fd so no
 840 * privs required. */
 841static int set_offload(struct net_device *dev, unsigned long arg)
 842{
 843        unsigned int old_features, features;
 844
 845        old_features = dev->features;
 846        /* Unset features, set them as we chew on the arg. */
 847        features = (old_features & ~(NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST
 848                                    |NETIF_F_TSO_ECN|NETIF_F_TSO|NETIF_F_TSO6));
 849
 850        if (arg & TUN_F_CSUM) {
 851                features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST;
 852                arg &= ~TUN_F_CSUM;
 853
 854                if (arg & (TUN_F_TSO4|TUN_F_TSO6)) {
 855                        if (arg & TUN_F_TSO_ECN) {
 856                                features |= NETIF_F_TSO_ECN;
 857                                arg &= ~TUN_F_TSO_ECN;
 858                        }
 859                        if (arg & TUN_F_TSO4)
 860                                features |= NETIF_F_TSO;
 861                        if (arg & TUN_F_TSO6)
 862                                features |= NETIF_F_TSO6;
 863                        arg &= ~(TUN_F_TSO4|TUN_F_TSO6);
 864                }
 865        }
 866
 867        /* This gives the user a way to test for new features in future by
 868         * trying to set them. */
 869        if (arg)
 870                return -EINVAL;
 871
 872        dev->features = features;
 873        if (old_features != dev->features)
 874                netdev_features_change(dev);
 875
 876        return 0;
 877}
 878
 879static int tun_chr_ioctl(struct inode *inode, struct file *file,
 880                         unsigned int cmd, unsigned long arg)
 881{
 882        struct tun_struct *tun = file->private_data;
 883        void __user* argp = (void __user*)arg;
 884        struct ifreq ifr;
 885        int ret;
 886        DECLARE_MAC_BUF(mac);
 887
 888        if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89)
 889                if (copy_from_user(&ifr, argp, sizeof ifr))
 890                        return -EFAULT;
 891
 892        if (cmd == TUNSETIFF && !tun) {
 893                int err;
 894
 895                ifr.ifr_name[IFNAMSIZ-1] = '\0';
 896
 897                rtnl_lock();
 898                err = tun_set_iff(current->nsproxy->net_ns, file, &ifr);
 899                rtnl_unlock();
 900
 901                if (err)
 902                        return err;
 903
 904                if (copy_to_user(argp, &ifr, sizeof(ifr)))
 905                        return -EFAULT;
 906                return 0;
 907        }
 908
 909        if (cmd == TUNGETFEATURES) {
 910                /* Currently this just means: "what IFF flags are valid?".
 911                 * This is needed because we never checked for invalid flags on
 912                 * TUNSETIFF. */
 913                return put_user(IFF_TUN | IFF_TAP | IFF_NO_PI | IFF_ONE_QUEUE |
 914                                IFF_VNET_HDR,
 915                                (unsigned int __user*)argp);
 916        }
 917
 918        if (!tun)
 919                return -EBADFD;
 920
 921        DBG(KERN_INFO "%s: tun_chr_ioctl cmd %d\n", tun->dev->name, cmd);
 922
 923        switch (cmd) {
 924        case TUNGETIFF:
 925                ret = tun_get_iff(current->nsproxy->net_ns, file, &ifr);
 926                if (ret)
 927                        return ret;
 928
 929                if (copy_to_user(argp, &ifr, sizeof(ifr)))
 930                        return -EFAULT;
 931                break;
 932
 933        case TUNSETNOCSUM:
 934                /* Disable/Enable checksum */
 935                if (arg)
 936                        tun->flags |= TUN_NOCHECKSUM;
 937                else
 938                        tun->flags &= ~TUN_NOCHECKSUM;
 939
 940                DBG(KERN_INFO "%s: checksum %s\n",
 941                    tun->dev->name, arg ? "disabled" : "enabled");
 942                break;
 943
 944        case TUNSETPERSIST:
 945                /* Disable/Enable persist mode */
 946                if (arg)
 947                        tun->flags |= TUN_PERSIST;
 948                else
 949                        tun->flags &= ~TUN_PERSIST;
 950
 951                DBG(KERN_INFO "%s: persist %s\n",
 952                    tun->dev->name, arg ? "enabled" : "disabled");
 953                break;
 954
 955        case TUNSETOWNER:
 956                /* Set owner of the device */
 957                tun->owner = (uid_t) arg;
 958
 959                DBG(KERN_INFO "%s: owner set to %d\n", tun->dev->name, tun->owner);
 960                break;
 961
 962        case TUNSETGROUP:
 963                /* Set group of the device */
 964                tun->group= (gid_t) arg;
 965
 966                DBG(KERN_INFO "%s: group set to %d\n", tun->dev->name, tun->group);
 967                break;
 968
 969        case TUNSETLINK:
 970                /* Only allow setting the type when the interface is down */
 971                rtnl_lock();
 972                if (tun->dev->flags & IFF_UP) {
 973                        DBG(KERN_INFO "%s: Linktype set failed because interface is up\n",
 974                                tun->dev->name);
 975                        ret = -EBUSY;
 976                } else {
 977                        tun->dev->type = (int) arg;
 978                        DBG(KERN_INFO "%s: linktype set to %d\n", tun->dev->name, tun->dev->type);
 979                        ret = 0;
 980                }
 981                rtnl_unlock();
 982                return ret;
 983
 984#ifdef TUN_DEBUG
 985        case TUNSETDEBUG:
 986                tun->debug = arg;
 987                break;
 988#endif
 989        case TUNSETOFFLOAD:
 990                rtnl_lock();
 991                ret = set_offload(tun->dev, arg);
 992                rtnl_unlock();
 993                return ret;
 994
 995        case TUNSETTXFILTER:
 996                /* Can be set only for TAPs */
 997                if ((tun->flags & TUN_TYPE_MASK) != TUN_TAP_DEV)
 998                        return -EINVAL;
 999                rtnl_lock();
1000                ret = update_filter(&tun->txflt, (void __user *)arg);
1001                rtnl_unlock();
1002                return ret;
1003
1004        case SIOCGIFHWADDR:
1005                /* Get hw addres */
1006                memcpy(ifr.ifr_hwaddr.sa_data, tun->dev->dev_addr, ETH_ALEN);
1007                ifr.ifr_hwaddr.sa_family = tun->dev->type;
1008                if (copy_to_user(argp, &ifr, sizeof ifr))
1009                        return -EFAULT;
1010                return 0;
1011
1012        case SIOCSIFHWADDR:
1013                /* Set hw address */
1014                DBG(KERN_DEBUG "%s: set hw address: %s\n",
1015                        tun->dev->name, print_mac(mac, ifr.ifr_hwaddr.sa_data));
1016
1017                rtnl_lock();
1018                ret = dev_set_mac_address(tun->dev, &ifr.ifr_hwaddr);
1019                rtnl_unlock();
1020                return ret;
1021
1022        default:
1023                return -EINVAL;
1024        };
1025
1026        return 0;
1027}
1028
1029static int tun_chr_fasync(int fd, struct file *file, int on)
1030{
1031        struct tun_struct *tun = file->private_data;
1032        int ret;
1033
1034        if (!tun)
1035                return -EBADFD;
1036
1037        DBG(KERN_INFO "%s: tun_chr_fasync %d\n", tun->dev->name, on);
1038
1039        lock_kernel();
1040        if ((ret = fasync_helper(fd, file, on, &tun->fasync)) < 0)
1041                goto out;
1042
1043        if (on) {
1044                ret = __f_setown(file, task_pid(current), PIDTYPE_PID, 0);
1045                if (ret)
1046                        goto out;
1047                tun->flags |= TUN_FASYNC;
1048        } else
1049                tun->flags &= ~TUN_FASYNC;
1050        ret = 0;
1051out:
1052        unlock_kernel();
1053        return ret;
1054}
1055
1056static int tun_chr_open(struct inode *inode, struct file * file)
1057{
1058        cycle_kernel_lock();
1059        DBG1(KERN_INFO "tunX: tun_chr_open\n");
1060        file->private_data = NULL;
1061        return 0;
1062}
1063
1064static int tun_chr_close(struct inode *inode, struct file *file)
1065{
1066        struct tun_struct *tun = file->private_data;
1067
1068        if (!tun)
1069                return 0;
1070
1071        DBG(KERN_INFO "%s: tun_chr_close\n", tun->dev->name);
1072
1073        rtnl_lock();
1074
1075        /* Detach from net device */
1076        file->private_data = NULL;
1077        tun->attached = 0;
1078        put_net(dev_net(tun->dev));
1079
1080        /* Drop read queue */
1081        skb_queue_purge(&tun->readq);
1082
1083        if (!(tun->flags & TUN_PERSIST)) {
1084                list_del(&tun->list);
1085                unregister_netdevice(tun->dev);
1086        }
1087
1088        rtnl_unlock();
1089
1090        return 0;
1091}
1092
1093static const struct file_operations tun_fops = {
1094        .owner        = THIS_MODULE,
1095        .llseek = no_llseek,
1096        .read  = do_sync_read,
1097        .aio_read  = tun_chr_aio_read,
1098        .write = do_sync_write,
1099        .aio_write = tun_chr_aio_write,
1100        .poll        = tun_chr_poll,
1101        .ioctl        = tun_chr_ioctl,
1102        .open        = tun_chr_open,
1103        .release = tun_chr_close,
1104        .fasync = tun_chr_fasync
1105};
1106
1107static struct miscdevice tun_miscdev = {
1108        .minor = TUN_MINOR,
1109        .name = "tun",
1110        .fops = &tun_fops,
1111};
1112
1113/* ethtool interface */
1114
1115static int tun_get_settings(struct net_device *dev, struct ethtool_cmd *cmd)
1116{
1117        cmd->supported                = 0;
1118        cmd->advertising        = 0;
1119        cmd->speed                = SPEED_10;
1120        cmd->duplex                = DUPLEX_FULL;
1121        cmd->port                = PORT_TP;
1122        cmd->phy_address        = 0;
1123        cmd->transceiver        = XCVR_INTERNAL;
1124        cmd->autoneg                = AUTONEG_DISABLE;
1125        cmd->maxtxpkt                = 0;
1126        cmd->maxrxpkt                = 0;
1127        return 0;
1128}
1129
1130static void tun_get_drvinfo(struct net_device *dev, struct ethtool_drvinfo *info)
1131{
1132        struct tun_struct *tun = netdev_priv(dev);
1133
1134        strcpy(info->driver, DRV_NAME);
1135        strcpy(info->version, DRV_VERSION);
1136        strcpy(info->fw_version, "N/A");
1137
1138        switch (tun->flags & TUN_TYPE_MASK) {
1139        case TUN_TUN_DEV:
1140                strcpy(info->bus_info, "tun");
1141                break;
1142        case TUN_TAP_DEV:
1143                strcpy(info->bus_info, "tap");
1144                break;
1145        }
1146}
1147
1148static u32 tun_get_msglevel(struct net_device *dev)
1149{
1150#ifdef TUN_DEBUG
1151        struct tun_struct *tun = netdev_priv(dev);
1152        return tun->debug;
1153#else
1154        return -EOPNOTSUPP;
1155#endif
1156}
1157
1158static void tun_set_msglevel(struct net_device *dev, u32 value)
1159{
1160#ifdef TUN_DEBUG
1161        struct tun_struct *tun = netdev_priv(dev);
1162        tun->debug = value;
1163#endif
1164}
1165
1166static u32 tun_get_link(struct net_device *dev)
1167{
1168        struct tun_struct *tun = netdev_priv(dev);
1169        return tun->attached;
1170}
1171
1172static u32 tun_get_rx_csum(struct net_device *dev)
1173{
1174        struct tun_struct *tun = netdev_priv(dev);
1175        return (tun->flags & TUN_NOCHECKSUM) == 0;
1176}
1177
1178static int tun_set_rx_csum(struct net_device *dev, u32 data)
1179{
1180        struct tun_struct *tun = netdev_priv(dev);
1181        if (data)
1182                tun->flags &= ~TUN_NOCHECKSUM;
1183        else
1184                tun->flags |= TUN_NOCHECKSUM;
1185        return 0;
1186}
1187
1188static const struct ethtool_ops tun_ethtool_ops = {
1189        .get_settings        = tun_get_settings,
1190        .get_drvinfo        = tun_get_drvinfo,
1191        .get_msglevel        = tun_get_msglevel,
1192        .set_msglevel        = tun_set_msglevel,
1193        .get_link        = tun_get_link,
1194        .get_rx_csum        = tun_get_rx_csum,
1195        .set_rx_csum        = tun_set_rx_csum
1196};
1197
1198static int tun_init_net(struct net *net)
1199{
1200        struct tun_net *tn;
1201
1202        tn = kmalloc(sizeof(*tn), GFP_KERNEL);
1203        if (tn == NULL)
1204                return -ENOMEM;
1205
1206        INIT_LIST_HEAD(&tn->dev_list);
1207
1208        if (net_assign_generic(net, tun_net_id, tn)) {
1209                kfree(tn);
1210                return -ENOMEM;
1211        }
1212
1213        return 0;
1214}
1215
1216static void tun_exit_net(struct net *net)
1217{
1218        struct tun_net *tn;
1219        struct tun_struct *tun, *nxt;
1220
1221        tn = net_generic(net, tun_net_id);
1222
1223        rtnl_lock();
1224        list_for_each_entry_safe(tun, nxt, &tn->dev_list, list) {
1225                DBG(KERN_INFO "%s cleaned up\n", tun->dev->name);
1226                unregister_netdevice(tun->dev);
1227        }
1228        rtnl_unlock();
1229
1230        kfree(tn);
1231}
1232
1233static struct pernet_operations tun_net_ops = {
1234        .init = tun_init_net,
1235        .exit = tun_exit_net,
1236};
1237
1238static int __init tun_init(void)
1239{
1240        int ret = 0;
1241
1242        printk(KERN_INFO "tun: %s, %s\n", DRV_DESCRIPTION, DRV_VERSION);
1243        printk(KERN_INFO "tun: %s\n", DRV_COPYRIGHT);
1244
1245        ret = register_pernet_gen_device(&tun_net_id, &tun_net_ops);
1246        if (ret) {
1247                printk(KERN_ERR "tun: Can't register pernet ops\n");
1248                goto err_pernet;
1249        }
1250
1251        ret = misc_register(&tun_miscdev);
1252        if (ret) {
1253                printk(KERN_ERR "tun: Can't register misc device %d\n", TUN_MINOR);
1254                goto err_misc;
1255        }
1256        return 0;
1257
1258err_misc:
1259        unregister_pernet_gen_device(tun_net_id, &tun_net_ops);
1260err_pernet:
1261        return ret;
1262}
1263
1264static void tun_cleanup(void)
1265{
1266        misc_deregister(&tun_miscdev);
1267        unregister_pernet_gen_device(tun_net_id, &tun_net_ops);
1268}
1269
1270module_init(tun_init);
1271module_exit(tun_cleanup);
1272MODULE_DESCRIPTION(DRV_DESCRIPTION);
1273MODULE_AUTHOR(DRV_COPYRIGHT);
1274MODULE_LICENSE("GPL");
1275MODULE_ALIAS_MISCDEV(TUN_MINOR);