search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
bnxt_en: Fix NULL ptr dereference crash in bnxt_fw_reset_task()
[linux/fpc-iii.git] / drivers / rpmsg / rpmsg_char.c
blobc655074c07c2ec063410c20f3b32c131af84c0a7
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Copyright (c) 2016, Linaro Ltd.
4 * Copyright (c) 2012, Michal Simek <monstr@monstr.eu>
5 * Copyright (c) 2012, PetaLogix
6 * Copyright (c) 2011, Texas Instruments, Inc.
7 * Copyright (c) 2011, Google, Inc.
8 *
9 * Based on rpmsg performance statistics driver by Michal Simek, which in turn
10 * was based on TI & Google OMX rpmsg driver.
11 */
12 #include <linux/cdev.h>
13 #include <linux/device.h>
14 #include <linux/fs.h>
15 #include <linux/idr.h>
16 #include <linux/kernel.h>
17 #include <linux/module.h>
18 #include <linux/poll.h>
19 #include <linux/rpmsg.h>
20 #include <linux/skbuff.h>
21 #include <linux/slab.h>
22 #include <linux/uaccess.h>
23 #include <uapi/linux/rpmsg.h>
24
25 #include "rpmsg_internal.h"
26
27 #define RPMSG_DEV_MAX (MINORMASK + 1)
28
29 static dev_t rpmsg_major;
30 static struct class *rpmsg_class;
31
32 static DEFINE_IDA(rpmsg_ctrl_ida);
33 static DEFINE_IDA(rpmsg_ept_ida);
34 static DEFINE_IDA(rpmsg_minor_ida);
35
36 #define dev_to_eptdev(dev) container_of(dev, struct rpmsg_eptdev, dev)
37 #define cdev_to_eptdev(i_cdev) container_of(i_cdev, struct rpmsg_eptdev, cdev)
38
39 #define dev_to_ctrldev(dev) container_of(dev, struct rpmsg_ctrldev, dev)
40 #define cdev_to_ctrldev(i_cdev) container_of(i_cdev, struct rpmsg_ctrldev, cdev)
41
42 /**
43 * struct rpmsg_ctrldev - control device for instantiating endpoint devices
44 * @rpdev: underlaying rpmsg device
45 * @cdev: cdev for the ctrl device
46 * @dev: device for the ctrl device
47 */
48 struct rpmsg_ctrldev {
49 struct rpmsg_device *rpdev;
50 struct cdev cdev;
51 struct device dev;
52 };
53
54 /**
55 * struct rpmsg_eptdev - endpoint device context
56 * @dev: endpoint device
57 * @cdev: cdev for the endpoint device
58 * @rpdev: underlaying rpmsg device
59 * @chinfo: info used to open the endpoint
60 * @ept_lock: synchronization of @ept modifications
61 * @ept: rpmsg endpoint reference, when open
62 * @queue_lock: synchronization of @queue operations
63 * @queue: incoming message queue
64 * @readq: wait object for incoming queue
65 */
66 struct rpmsg_eptdev {
67 struct device dev;
68 struct cdev cdev;
69
70 struct rpmsg_device *rpdev;
71 struct rpmsg_channel_info chinfo;
72
73 struct mutex ept_lock;
74 struct rpmsg_endpoint *ept;
75
76 spinlock_t queue_lock;
77 struct sk_buff_head queue;
78 wait_queue_head_t readq;
79 };
80
81 static int rpmsg_eptdev_destroy(struct device *dev, void *data)
82 {
83 struct rpmsg_eptdev *eptdev = dev_to_eptdev(dev);
84
85 mutex_lock(&eptdev->ept_lock);
86 if (eptdev->ept) {
87 rpmsg_destroy_ept(eptdev->ept);
88 eptdev->ept = NULL;
89 }
90 mutex_unlock(&eptdev->ept_lock);
91
92 /* wake up any blocked readers */
93 wake_up_interruptible(&eptdev->readq);
94
95 device_del(&eptdev->dev);
96 put_device(&eptdev->dev);
97
98 return 0;
99 }
100
101 static int rpmsg_ept_cb(struct rpmsg_device *rpdev, void *buf, int len,
102 void *priv, u32 addr)
103 {
104 struct rpmsg_eptdev *eptdev = priv;
105 struct sk_buff *skb;
106
107 skb = alloc_skb(len, GFP_ATOMIC);
108 if (!skb)
109 return -ENOMEM;
110
111 skb_put_data(skb, buf, len);
112
113 spin_lock(&eptdev->queue_lock);
114 skb_queue_tail(&eptdev->queue, skb);
115 spin_unlock(&eptdev->queue_lock);
116
117 /* wake up any blocking processes, waiting for new data */
118 wake_up_interruptible(&eptdev->readq);
119
120 return 0;
121 }
122
123 static int rpmsg_eptdev_open(struct inode *inode, struct file *filp)
124 {
125 struct rpmsg_eptdev *eptdev = cdev_to_eptdev(inode->i_cdev);
126 struct rpmsg_endpoint *ept;
127 struct rpmsg_device *rpdev = eptdev->rpdev;
128 struct device *dev = &eptdev->dev;
129
130 get_device(dev);
131
132 ept = rpmsg_create_ept(rpdev, rpmsg_ept_cb, eptdev, eptdev->chinfo);
133 if (!ept) {
134 dev_err(dev, "failed to open %s\n", eptdev->chinfo.name);
135 put_device(dev);
136 return -EINVAL;
137 }
138
139 eptdev->ept = ept;
140 filp->private_data = eptdev;
141
142 return 0;
143 }
144
145 static int rpmsg_eptdev_release(struct inode *inode, struct file *filp)
146 {
147 struct rpmsg_eptdev *eptdev = cdev_to_eptdev(inode->i_cdev);
148 struct device *dev = &eptdev->dev;
149 struct sk_buff *skb;
150
151 /* Close the endpoint, if it's not already destroyed by the parent */
152 mutex_lock(&eptdev->ept_lock);
153 if (eptdev->ept) {
154 rpmsg_destroy_ept(eptdev->ept);
155 eptdev->ept = NULL;
156 }
157 mutex_unlock(&eptdev->ept_lock);
158
159 /* Discard all SKBs */
160 while (!skb_queue_empty(&eptdev->queue)) {
161 skb = skb_dequeue(&eptdev->queue);
162 kfree_skb(skb);
163 }
164
165 put_device(dev);
166
167 return 0;
168 }
169
170 static ssize_t rpmsg_eptdev_read_iter(struct kiocb *iocb, struct iov_iter *to)
171 {
172 struct file *filp = iocb->ki_filp;
173 struct rpmsg_eptdev *eptdev = filp->private_data;
174 unsigned long flags;
175 struct sk_buff *skb;
176 int use;
177
178 if (!eptdev->ept)
179 return -EPIPE;
180
181 spin_lock_irqsave(&eptdev->queue_lock, flags);
182
183 /* Wait for data in the queue */
184 if (skb_queue_empty(&eptdev->queue)) {
185 spin_unlock_irqrestore(&eptdev->queue_lock, flags);
186
187 if (filp->f_flags & O_NONBLOCK)
188 return -EAGAIN;
189
190 /* Wait until we get data or the endpoint goes away */
191 if (wait_event_interruptible(eptdev->readq,
192 !skb_queue_empty(&eptdev->queue) ||
193 !eptdev->ept))
194 return -ERESTARTSYS;
195
196 /* We lost the endpoint while waiting */
197 if (!eptdev->ept)
198 return -EPIPE;
199
200 spin_lock_irqsave(&eptdev->queue_lock, flags);
201 }
202
203 skb = skb_dequeue(&eptdev->queue);
204 spin_unlock_irqrestore(&eptdev->queue_lock, flags);
205 if (!skb)
206 return -EFAULT;
207
208 use = min_t(size_t, iov_iter_count(to), skb->len);
209 if (copy_to_iter(skb->data, use, to) != use)
210 use = -EFAULT;
211
212 kfree_skb(skb);
213
214 return use;
215 }
216
217 static ssize_t rpmsg_eptdev_write_iter(struct kiocb *iocb,
218 struct iov_iter *from)
219 {
220 struct file *filp = iocb->ki_filp;
221 struct rpmsg_eptdev *eptdev = filp->private_data;
222 size_t len = iov_iter_count(from);
223 void *kbuf;
224 int ret;
225
226 kbuf = kzalloc(len, GFP_KERNEL);
227 if (!kbuf)
228 return -ENOMEM;
229
230 if (!copy_from_iter_full(kbuf, len, from)) {
231 ret = -EFAULT;
232 goto free_kbuf;
233 }
234
235 if (mutex_lock_interruptible(&eptdev->ept_lock)) {
236 ret = -ERESTARTSYS;
237 goto free_kbuf;
238 }
239
240 if (!eptdev->ept) {
241 ret = -EPIPE;
242 goto unlock_eptdev;
243 }
244
245 if (filp->f_flags & O_NONBLOCK)
246 ret = rpmsg_trysend(eptdev->ept, kbuf, len);
247 else
248 ret = rpmsg_send(eptdev->ept, kbuf, len);
249
250 unlock_eptdev:
251 mutex_unlock(&eptdev->ept_lock);
252
253 free_kbuf:
254 kfree(kbuf);
255 return ret < 0 ? ret : len;
256 }
257
258 static __poll_t rpmsg_eptdev_poll(struct file *filp, poll_table *wait)
259 {
260 struct rpmsg_eptdev *eptdev = filp->private_data;
261 __poll_t mask = 0;
262
263 if (!eptdev->ept)
264 return EPOLLERR;
265
266 poll_wait(filp, &eptdev->readq, wait);
267
268 if (!skb_queue_empty(&eptdev->queue))
269 mask |= EPOLLIN | EPOLLRDNORM;
270
271 mask |= rpmsg_poll(eptdev->ept, filp, wait);
272
273 return mask;
274 }
275
276 static long rpmsg_eptdev_ioctl(struct file *fp, unsigned int cmd,
277 unsigned long arg)
278 {
279 struct rpmsg_eptdev *eptdev = fp->private_data;
280
281 if (cmd != RPMSG_DESTROY_EPT_IOCTL)
282 return -EINVAL;
283
284 return rpmsg_eptdev_destroy(&eptdev->dev, NULL);
285 }
286
287 static const struct file_operations rpmsg_eptdev_fops = {
288 .owner = THIS_MODULE,
289 .open = rpmsg_eptdev_open,
290 .release = rpmsg_eptdev_release,
291 .read_iter = rpmsg_eptdev_read_iter,
292 .write_iter = rpmsg_eptdev_write_iter,
293 .poll = rpmsg_eptdev_poll,
294 .unlocked_ioctl = rpmsg_eptdev_ioctl,
295 .compat_ioctl = rpmsg_eptdev_ioctl,
296 };
297
298 static ssize_t name_show(struct device *dev, struct device_attribute *attr,
299 char *buf)
300 {
301 struct rpmsg_eptdev *eptdev = dev_get_drvdata(dev);
302
303 return sprintf(buf, "%s\n", eptdev->chinfo.name);
304 }
305 static DEVICE_ATTR_RO(name);
306
307 static ssize_t src_show(struct device *dev, struct device_attribute *attr,
308 char *buf)
309 {
310 struct rpmsg_eptdev *eptdev = dev_get_drvdata(dev);
311
312 return sprintf(buf, "%d\n", eptdev->chinfo.src);
313 }
314 static DEVICE_ATTR_RO(src);
315
316 static ssize_t dst_show(struct device *dev, struct device_attribute *attr,
317 char *buf)
318 {
319 struct rpmsg_eptdev *eptdev = dev_get_drvdata(dev);
320
321 return sprintf(buf, "%d\n", eptdev->chinfo.dst);
322 }
323 static DEVICE_ATTR_RO(dst);
324
325 static struct attribute *rpmsg_eptdev_attrs[] = {
326 &dev_attr_name.attr,
327 &dev_attr_src.attr,
328 &dev_attr_dst.attr,
329 NULL
330 };
331 ATTRIBUTE_GROUPS(rpmsg_eptdev);
332
333 static void rpmsg_eptdev_release_device(struct device *dev)
334 {
335 struct rpmsg_eptdev *eptdev = dev_to_eptdev(dev);
336
337 ida_simple_remove(&rpmsg_ept_ida, dev->id);
338 ida_simple_remove(&rpmsg_minor_ida, MINOR(eptdev->dev.devt));
339 cdev_del(&eptdev->cdev);
340 kfree(eptdev);
341 }
342
343 static int rpmsg_eptdev_create(struct rpmsg_ctrldev *ctrldev,
344 struct rpmsg_channel_info chinfo)
345 {
346 struct rpmsg_device *rpdev = ctrldev->rpdev;
347 struct rpmsg_eptdev *eptdev;
348 struct device *dev;
349 int ret;
350
351 eptdev = kzalloc(sizeof(*eptdev), GFP_KERNEL);
352 if (!eptdev)
353 return -ENOMEM;
354
355 dev = &eptdev->dev;
356 eptdev->rpdev = rpdev;
357 eptdev->chinfo = chinfo;
358
359 mutex_init(&eptdev->ept_lock);
360 spin_lock_init(&eptdev->queue_lock);
361 skb_queue_head_init(&eptdev->queue);
362 init_waitqueue_head(&eptdev->readq);
363
364 device_initialize(dev);
365 dev->class = rpmsg_class;
366 dev->parent = &ctrldev->dev;
367 dev->groups = rpmsg_eptdev_groups;
368 dev_set_drvdata(dev, eptdev);
369
370 cdev_init(&eptdev->cdev, &rpmsg_eptdev_fops);
371 eptdev->cdev.owner = THIS_MODULE;
372
373 ret = ida_simple_get(&rpmsg_minor_ida, 0, RPMSG_DEV_MAX, GFP_KERNEL);
374 if (ret < 0)
375 goto free_eptdev;
376 dev->devt = MKDEV(MAJOR(rpmsg_major), ret);
377
378 ret = ida_simple_get(&rpmsg_ept_ida, 0, 0, GFP_KERNEL);
379 if (ret < 0)
380 goto free_minor_ida;
381 dev->id = ret;
382 dev_set_name(dev, "rpmsg%d", ret);
383
384 ret = cdev_add(&eptdev->cdev, dev->devt, 1);
385 if (ret)
386 goto free_ept_ida;
387
388 /* We can now rely on the release function for cleanup */
389 dev->release = rpmsg_eptdev_release_device;
390
391 ret = device_add(dev);
392 if (ret) {
393 dev_err(dev, "device_add failed: %d\n", ret);
394 put_device(dev);
395 }
396
397 return ret;
398
399 free_ept_ida:
400 ida_simple_remove(&rpmsg_ept_ida, dev->id);
401 free_minor_ida:
402 ida_simple_remove(&rpmsg_minor_ida, MINOR(dev->devt));
403 free_eptdev:
404 put_device(dev);
405 kfree(eptdev);
406
407 return ret;
408 }
409
410 static int rpmsg_ctrldev_open(struct inode *inode, struct file *filp)
411 {
412 struct rpmsg_ctrldev *ctrldev = cdev_to_ctrldev(inode->i_cdev);
413
414 get_device(&ctrldev->dev);
415 filp->private_data = ctrldev;
416
417 return 0;
418 }
419
420 static int rpmsg_ctrldev_release(struct inode *inode, struct file *filp)
421 {
422 struct rpmsg_ctrldev *ctrldev = cdev_to_ctrldev(inode->i_cdev);
423
424 put_device(&ctrldev->dev);
425
426 return 0;
427 }
428
429 static long rpmsg_ctrldev_ioctl(struct file *fp, unsigned int cmd,
430 unsigned long arg)
431 {
432 struct rpmsg_ctrldev *ctrldev = fp->private_data;
433 void __user *argp = (void __user *)arg;
434 struct rpmsg_endpoint_info eptinfo;
435 struct rpmsg_channel_info chinfo;
436
437 if (cmd != RPMSG_CREATE_EPT_IOCTL)
438 return -EINVAL;
439
440 if (copy_from_user(&eptinfo, argp, sizeof(eptinfo)))
441 return -EFAULT;
442
443 memcpy(chinfo.name, eptinfo.name, RPMSG_NAME_SIZE);
444 chinfo.name[RPMSG_NAME_SIZE-1] = '\0';
445 chinfo.src = eptinfo.src;
446 chinfo.dst = eptinfo.dst;
447
448 return rpmsg_eptdev_create(ctrldev, chinfo);
449 };
450
451 static const struct file_operations rpmsg_ctrldev_fops = {
452 .owner = THIS_MODULE,
453 .open = rpmsg_ctrldev_open,
454 .release = rpmsg_ctrldev_release,
455 .unlocked_ioctl = rpmsg_ctrldev_ioctl,
456 .compat_ioctl = rpmsg_ctrldev_ioctl,
457 };
458
459 static void rpmsg_ctrldev_release_device(struct device *dev)
460 {
461 struct rpmsg_ctrldev *ctrldev = dev_to_ctrldev(dev);
462
463 ida_simple_remove(&rpmsg_ctrl_ida, dev->id);
464 ida_simple_remove(&rpmsg_minor_ida, MINOR(dev->devt));
465 cdev_del(&ctrldev->cdev);
466 kfree(ctrldev);
467 }
468
469 static int rpmsg_chrdev_probe(struct rpmsg_device *rpdev)
470 {
471 struct rpmsg_ctrldev *ctrldev;
472 struct device *dev;
473 int ret;
474
475 ctrldev = kzalloc(sizeof(*ctrldev), GFP_KERNEL);
476 if (!ctrldev)
477 return -ENOMEM;
478
479 ctrldev->rpdev = rpdev;
480
481 dev = &ctrldev->dev;
482 device_initialize(dev);
483 dev->parent = &rpdev->dev;
484 dev->class = rpmsg_class;
485
486 cdev_init(&ctrldev->cdev, &rpmsg_ctrldev_fops);
487 ctrldev->cdev.owner = THIS_MODULE;
488
489 ret = ida_simple_get(&rpmsg_minor_ida, 0, RPMSG_DEV_MAX, GFP_KERNEL);
490 if (ret < 0)
491 goto free_ctrldev;
492 dev->devt = MKDEV(MAJOR(rpmsg_major), ret);
493
494 ret = ida_simple_get(&rpmsg_ctrl_ida, 0, 0, GFP_KERNEL);
495 if (ret < 0)
496 goto free_minor_ida;
497 dev->id = ret;
498 dev_set_name(&ctrldev->dev, "rpmsg_ctrl%d", ret);
499
500 ret = cdev_add(&ctrldev->cdev, dev->devt, 1);
501 if (ret)
502 goto free_ctrl_ida;
503
504 /* We can now rely on the release function for cleanup */
505 dev->release = rpmsg_ctrldev_release_device;
506
507 ret = device_add(dev);
508 if (ret) {
509 dev_err(&rpdev->dev, "device_add failed: %d\n", ret);
510 put_device(dev);
511 }
512
513 dev_set_drvdata(&rpdev->dev, ctrldev);
514
515 return ret;
516
517 free_ctrl_ida:
518 ida_simple_remove(&rpmsg_ctrl_ida, dev->id);
519 free_minor_ida:
520 ida_simple_remove(&rpmsg_minor_ida, MINOR(dev->devt));
521 free_ctrldev:
522 put_device(dev);
523 kfree(ctrldev);
524
525 return ret;
526 }
527
528 static void rpmsg_chrdev_remove(struct rpmsg_device *rpdev)
529 {
530 struct rpmsg_ctrldev *ctrldev = dev_get_drvdata(&rpdev->dev);
531 int ret;
532
533 /* Destroy all endpoints */
534 ret = device_for_each_child(&ctrldev->dev, NULL, rpmsg_eptdev_destroy);
535 if (ret)
536 dev_warn(&rpdev->dev, "failed to nuke endpoints: %d\n", ret);
537
538 device_del(&ctrldev->dev);
539 put_device(&ctrldev->dev);
540 }
541
542 static struct rpmsg_driver rpmsg_chrdev_driver = {
543 .probe = rpmsg_chrdev_probe,
544 .remove = rpmsg_chrdev_remove,
545 .drv = {
546 .name = "rpmsg_chrdev",
547 },
548 };
549
550 static int rpmsg_char_init(void)
551 {
552 int ret;
553
554 ret = alloc_chrdev_region(&rpmsg_major, 0, RPMSG_DEV_MAX, "rpmsg");
555 if (ret < 0) {
556 pr_err("rpmsg: failed to allocate char dev region\n");
557 return ret;
558 }
559
560 rpmsg_class = class_create(THIS_MODULE, "rpmsg");
561 if (IS_ERR(rpmsg_class)) {
562 pr_err("failed to create rpmsg class\n");
563 unregister_chrdev_region(rpmsg_major, RPMSG_DEV_MAX);
564 return PTR_ERR(rpmsg_class);
565 }
566
567 ret = register_rpmsg_driver(&rpmsg_chrdev_driver);
568 if (ret < 0) {
569 pr_err("rpmsgchr: failed to register rpmsg driver\n");
570 class_destroy(rpmsg_class);
571 unregister_chrdev_region(rpmsg_major, RPMSG_DEV_MAX);
572 }
573
574 return ret;
575 }
576 postcore_initcall(rpmsg_char_init);
577
578 static void rpmsg_chrdev_exit(void)
579 {
580 unregister_rpmsg_driver(&rpmsg_chrdev_driver);
581 class_destroy(rpmsg_class);
582 unregister_chrdev_region(rpmsg_major, RPMSG_DEV_MAX);
583 }
584 module_exit(rpmsg_chrdev_exit);
585
586 MODULE_ALIAS("rpmsg:rpmsg_chrdev");
587 MODULE_LICENSE("GPL v2");
Linux with added FPC-III support