From 43ebb99002df0e6f40af5e310a05f5b9a29fa61f Mon Sep 17 00:00:00 2001
From: Shaun Ruffell <sruffell@digium.com>
Date: Fri, 21 Jan 2011 05:28:28 +0000
Subject: [PATCH] dahdi: Be more tolerant of surprise removal of channels.

Enable DAHDI to detect if an operation on a file handle refers to a
channel that may have been unregistered. This can occur, for example,
when a board driver is hot-swapped out in a live system.

This patch ensures that file->private_data is always properly set for
any open channel, and it's set back to NULL when a channel is
unregistered.  This way file->private_data can be used to check whether
it's valid to perform an operation on the channel.  (NOTE:  There is
still a race condition here if the driver was unbound on one processor
during the window of time between when file->private_data was checked
and the system call finishes).

Also, since DAHDI should only return -ENODEV on read or write when there
was a surprise device removal on a running system this sleep can prevent
the system from becoming unresponsive if the userspace application does
not check for the -ENODEV error and constantly tries to call read with
elevated privileges.

(issue #17669)
Reported by: tzafrir
Tested by: sruffell

Review: https://reviewboard.asterisk.org/r/905/

Signed-off-by: Shaun Ruffell <sruffell@digium.com>

Origin: http://svnview.digium.com/svn/dahdi?view=rev&rev=9353

git-svn-id: http://svn.asterisk.org/svn/dahdi/linux/branches/2.4@9662 a0bf4364-ded3-4de4-8d8a-66a801d63aff
---
 drivers/dahdi/dahdi-base.c | 72 ++++++++++++++++++++++++++++----------
 1 file changed, 54 insertions(+), 18 deletions(-)

diff --git a/drivers/dahdi/dahdi-base.c b/drivers/dahdi/dahdi-base.c
index 1c4dc8f..5e1137d 100644
--- a/drivers/dahdi/dahdi-base.c
+++ b/drivers/dahdi/dahdi-base.c
@@ -47,6 +47,7 @@
 #include <linux/moduleparam.h>
 #include <linux/sched.h>
 #include <linux/list.h>
+#include <linux/delay.h>
 
 #ifdef HAVE_UNLOCKED_IOCTL
 #include <linux/smp_lock.h>
@@ -2000,6 +2001,15 @@ static void dahdi_chan_unreg(struct dahdi_chan *chan)
 
 	might_sleep();
 
+	/* In the case of surprise removal of hardware, make sure any open
+	 * file handles to this channel are disassociated with the actual
+	 * dahdi_chan. */
+	if (chan->file) {
+		chan->file->private_data = NULL;
+		if (chan->span)
+			module_put(chan->span->ops->owner);
+	}
+
 	release_echocan(chan->ec_factory);
 
 #ifdef CONFIG_DAHDI_NET
@@ -2053,9 +2063,10 @@ static void dahdi_chan_unreg(struct dahdi_chan *chan)
 	write_unlock_irqrestore(&chan_lock, flags);
 }
 
-static ssize_t dahdi_chan_read(struct file *file, char __user *usrbuf, size_t count, int unit)
+static ssize_t dahdi_chan_read(struct file *file, char __user *usrbuf,
+			       size_t count)
 {
-	struct dahdi_chan *chan = chans[unit];
+	struct dahdi_chan *chan = file->private_data;
 	int amnt;
 	int res, rv;
 	int oldbuf,x;
@@ -2064,10 +2075,19 @@ static ssize_t dahdi_chan_read(struct file *file, char __user *usrbuf, size_t co
 	/* Make sure count never exceeds 65k, and make sure it's unsigned */
 	count &= 0xffff;
 
-	if (!chan)
-		return -EINVAL;
+	if (unlikely(!chan)) {
+		/* We would typically be here because of surprise hardware
+		 * removal or driver unbinding while a user space application
+		 * has a channel open.  Most telephony applications are run at
+		 * elevated priorities so this sleep can prevent the high
+		 * priority threads from consuming the CPU if they're not
+		 * expecting surprise device removal.
+		 */
+		msleep(5);
+		return -ENODEV;
+	}
 
-	if (count < 1)
+	if (unlikely(count < 1))
 		return -EINVAL;
 
 	for (;;) {
@@ -2179,22 +2199,31 @@ static int num_filled_bufs(struct dahdi_chan *chan)
 	return range1 + range2;
 }
 
-static ssize_t dahdi_chan_write(struct file *file, const char __user *usrbuf, size_t count, int unit)
+static ssize_t dahdi_chan_write(struct file *file, const char __user *usrbuf,
+				size_t count)
 {
 	unsigned long flags;
-	struct dahdi_chan *chan = chans[unit];
+	struct dahdi_chan *chan = file->private_data;
 	int res, amnt, oldbuf, rv, x;
 
 	/* Make sure count never exceeds 65k, and make sure it's unsigned */
 	count &= 0xffff;
 
-	if (!chan)
-		return -EINVAL;
-
-	if (count < 1) {
-		return -EINVAL;
+	if (unlikely(!chan)) {
+		/* We would typically be here because of surprise hardware
+		 * removal or driver unbinding while a user space application
+		 * has a channel open.  Most telephony applications are run at
+		 * elevated priorities so this sleep can prevent the high
+		 * priority threads from consuming the CPU if they're not
+		 * expecting surprise device removal.
+		 */
+		msleep(5);
+		return -ENODEV;
 	}
 
+	if (unlikely(count < 1))
+		return -EINVAL;
+
 	for (;;) {
 		spin_lock_irqsave(&chan->lock, flags);
 		if ((chan->curtone || chan->pdialcount) && !(chan->flags & DAHDI_FLAG_PSEUDO)) {
@@ -2777,6 +2806,7 @@ static int dahdi_specchan_open(struct file *file, int unit)
 			}
 			if (!res) {
 				chan->file = file;
+				file->private_data = chan;
 				spin_unlock_irqrestore(&chan->lock, flags);
 			} else {
 				spin_unlock_irqrestore(&chan->lock, flags);
@@ -2941,7 +2971,7 @@ static ssize_t dahdi_read(struct file *file, char __user *usrbuf, size_t count,
 		chan = file->private_data;
 		if (!chan)
 			return -EINVAL;
-		return dahdi_chan_read(file, usrbuf, count, chan->channo);
+		return dahdi_chan_read(file, usrbuf, count);
 	}
 
 	if (unit == 255) {
@@ -2950,12 +2980,12 @@ static ssize_t dahdi_read(struct file *file, char __user *usrbuf, size_t count,
 			module_printk(KERN_NOTICE, "No pseudo channel structure to read?\n");
 			return -EINVAL;
 		}
-		return dahdi_chan_read(file, usrbuf, count, chan->channo);
+		return dahdi_chan_read(file, usrbuf, count);
 	}
 	if (count < 0)
 		return -EINVAL;
 
-	return dahdi_chan_read(file, usrbuf, count, unit);
+	return dahdi_chan_read(file, usrbuf, count);
 }
 
 static ssize_t dahdi_write(struct file *file, const char __user *usrbuf, size_t count, loff_t *ppos)
@@ -2973,7 +3003,7 @@ static ssize_t dahdi_write(struct file *file, const char __user *usrbuf, size_t
 		chan = file->private_data;
 		if (!chan)
 			return -EINVAL;
-		return dahdi_chan_write(file, usrbuf, count, chan->channo);
+		return dahdi_chan_write(file, usrbuf, count);
 	}
 	if (unit == 255) {
 		chan = file->private_data;
@@ -2981,9 +3011,9 @@ static ssize_t dahdi_write(struct file *file, const char __user *usrbuf, size_t
 			module_printk(KERN_NOTICE, "No pseudo channel structure to read?\n");
 			return -EINVAL;
 		}
-		return dahdi_chan_write(file, usrbuf, count, chan->channo);
+		return dahdi_chan_write(file, usrbuf, count);
 	}
-	return dahdi_chan_write(file, usrbuf, count, unit);
+	return dahdi_chan_write(file, usrbuf, count);
 
 }
 
@@ -5918,6 +5948,12 @@ static int dahdi_ioctl(struct inode *inode, struct file *file,
 		ret = dahdi_chanandpseudo_ioctl(file, cmd, data, chan->channo);
 		goto unlock_exit;
 	}
+
+	if (!file->private_data) {
+		ret = -ENXIO;
+		goto unlock_exit;
+	}
+
 	ret = dahdi_chan_ioctl(file, cmd, data, unit);
 
 unlock_exit: