bpf: Prevent memory disambiguation attack
[linux/fpc-iii.git] / drivers / uwb / neh.c
blobfbdca728bd9f8b947fa9af19103232a0850655c7
1 /*
2 * WUSB Wire Adapter: Radio Control Interface (WUSB[8])
3 * Notification and Event Handling
5 * Copyright (C) 2005-2006 Intel Corporation
6 * Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License version
10 * 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
20 * 02110-1301, USA.
23 * The RC interface of the Host Wire Adapter (USB dongle) or WHCI PCI
24 * card delivers a stream of notifications and events to the
25 * notification end event endpoint or area. This code takes care of
26 * getting a buffer with that data, breaking it up in separate
27 * notifications and events and then deliver those.
29 * Events are answers to commands and they carry a context ID that
30 * associates them to the command. Notifications are that,
31 * notifications, they come out of the blue and have a context ID of
32 * zero. Think of the context ID kind of like a handler. The
33 * uwb_rc_neh_* code deals with managing context IDs.
35 * This is why you require a handle to operate on a UWB host. When you
36 * open a handle a context ID is assigned to you.
38 * So, as it is done is:
40 * 1. Add an event handler [uwb_rc_neh_add()] (assigns a ctx id)
41 * 2. Issue command [rc->cmd(rc, ...)]
42 * 3. Arm the timeout timer [uwb_rc_neh_arm()]
43 * 4, Release the reference to the neh [uwb_rc_neh_put()]
44 * 5. Wait for the callback
45 * 6. Command result (RCEB) is passed to the callback
47 * If (2) fails, you should remove the handle [uwb_rc_neh_rm()]
48 * instead of arming the timer.
50 * Handles are for using in *serialized* code, single thread.
52 * When the notification/event comes, the IRQ handler/endpoint
53 * callback passes the data read to uwb_rc_neh_grok() which will break
54 * it up in a discrete series of events, look up who is listening for
55 * them and execute the pertinent callbacks.
57 * If the reader detects an error while reading the data stream, call
58 * uwb_rc_neh_error().
60 * CONSTRAINTS/ASSUMPTIONS:
62 * - Most notifications/events are small (less thank .5k), copying
63 * around is ok.
65 * - Notifications/events are ALWAYS smaller than PAGE_SIZE
67 * - Notifications/events always come in a single piece (ie: a buffer
68 * will always contain entire notifications/events).
70 * - we cannot know in advance how long each event is (because they
71 * lack a length field in their header--smart move by the standards
72 * body, btw). So we need a facility to get the event size given the
73 * header. This is what the EST code does (notif/Event Size
74 * Tables), check nest.c--as well, you can associate the size to
75 * the handle [w/ neh->extra_size()].
77 * - Most notifications/events are fixed size; only a few are variable
78 * size (NEST takes care of that).
80 * - Listeners of events expect them, so they usually provide a
81 * buffer, as they know the size. Listeners to notifications don't,
82 * so we allocate their buffers dynamically.
84 #include <linux/kernel.h>
85 #include <linux/timer.h>
86 #include <linux/slab.h>
87 #include <linux/err.h>
88 #include <linux/export.h>
90 #include "uwb-internal.h"
93 * UWB Radio Controller Notification/Event Handle
95 * Represents an entity waiting for an event coming from the UWB Radio
96 * Controller with a given context id (context) and type (evt_type and
97 * evt). On reception of the notification/event, the callback (cb) is
98 * called with the event.
100 * If the timer expires before the event is received, the callback is
101 * called with -ETIMEDOUT as the event size.
103 struct uwb_rc_neh {
104 struct kref kref;
106 struct uwb_rc *rc;
107 u8 evt_type;
108 __le16 evt;
109 u8 context;
110 u8 completed;
111 uwb_rc_cmd_cb_f cb;
112 void *arg;
114 struct timer_list timer;
115 struct list_head list_node;
118 static void uwb_rc_neh_timer(struct timer_list *t);
120 static void uwb_rc_neh_release(struct kref *kref)
122 struct uwb_rc_neh *neh = container_of(kref, struct uwb_rc_neh, kref);
124 kfree(neh);
127 static void uwb_rc_neh_get(struct uwb_rc_neh *neh)
129 kref_get(&neh->kref);
133 * uwb_rc_neh_put - release reference to a neh
134 * @neh: the neh
136 void uwb_rc_neh_put(struct uwb_rc_neh *neh)
138 kref_put(&neh->kref, uwb_rc_neh_release);
143 * Assigns @neh a context id from @rc's pool
145 * @rc: UWB Radio Controller descriptor; @rc->neh_lock taken
146 * @neh: Notification/Event Handle
147 * @returns 0 if context id was assigned ok; < 0 errno on error (if
148 * all the context IDs are taken).
150 * (assumes @wa is locked).
152 * NOTE: WUSB spec reserves context ids 0x00 for notifications and
153 * 0xff is invalid, so they must not be used. Initialization
154 * fills up those two in the bitmap so they are not allocated.
156 * We spread the allocation around to reduce the possibility of two
157 * consecutive opened @neh's getting the same context ID assigned (to
158 * avoid surprises with late events that timed out long time ago). So
159 * first we search from where @rc->ctx_roll is, if not found, we
160 * search from zero.
162 static
163 int __uwb_rc_ctx_get(struct uwb_rc *rc, struct uwb_rc_neh *neh)
165 int result;
166 result = find_next_zero_bit(rc->ctx_bm, UWB_RC_CTX_MAX,
167 rc->ctx_roll++);
168 if (result < UWB_RC_CTX_MAX)
169 goto found;
170 result = find_first_zero_bit(rc->ctx_bm, UWB_RC_CTX_MAX);
171 if (result < UWB_RC_CTX_MAX)
172 goto found;
173 return -ENFILE;
174 found:
175 set_bit(result, rc->ctx_bm);
176 neh->context = result;
177 return 0;
181 /** Releases @neh's context ID back to @rc (@rc->neh_lock is locked). */
182 static
183 void __uwb_rc_ctx_put(struct uwb_rc *rc, struct uwb_rc_neh *neh)
185 struct device *dev = &rc->uwb_dev.dev;
186 if (neh->context == 0)
187 return;
188 if (test_bit(neh->context, rc->ctx_bm) == 0) {
189 dev_err(dev, "context %u not set in bitmap\n",
190 neh->context);
191 WARN_ON(1);
193 clear_bit(neh->context, rc->ctx_bm);
194 neh->context = 0;
198 * uwb_rc_neh_add - add a neh for a radio controller command
199 * @rc: the radio controller
200 * @cmd: the radio controller command
201 * @expected_type: the type of the expected response event
202 * @expected_event: the expected event ID
203 * @cb: callback for when the event is received
204 * @arg: argument for the callback
206 * Creates a neh and adds it to the list of those waiting for an
207 * event. A context ID will be assigned to the command.
209 struct uwb_rc_neh *uwb_rc_neh_add(struct uwb_rc *rc, struct uwb_rccb *cmd,
210 u8 expected_type, u16 expected_event,
211 uwb_rc_cmd_cb_f cb, void *arg)
213 int result;
214 unsigned long flags;
215 struct device *dev = &rc->uwb_dev.dev;
216 struct uwb_rc_neh *neh;
218 neh = kzalloc(sizeof(*neh), GFP_KERNEL);
219 if (neh == NULL) {
220 result = -ENOMEM;
221 goto error_kzalloc;
224 kref_init(&neh->kref);
225 INIT_LIST_HEAD(&neh->list_node);
226 timer_setup(&neh->timer, uwb_rc_neh_timer, 0);
228 neh->rc = rc;
229 neh->evt_type = expected_type;
230 neh->evt = cpu_to_le16(expected_event);
231 neh->cb = cb;
232 neh->arg = arg;
234 spin_lock_irqsave(&rc->neh_lock, flags);
235 result = __uwb_rc_ctx_get(rc, neh);
236 if (result >= 0) {
237 cmd->bCommandContext = neh->context;
238 list_add_tail(&neh->list_node, &rc->neh_list);
239 uwb_rc_neh_get(neh);
241 spin_unlock_irqrestore(&rc->neh_lock, flags);
242 if (result < 0)
243 goto error_ctx_get;
245 return neh;
247 error_ctx_get:
248 kfree(neh);
249 error_kzalloc:
250 dev_err(dev, "cannot open handle to radio controller: %d\n", result);
251 return ERR_PTR(result);
254 static void __uwb_rc_neh_rm(struct uwb_rc *rc, struct uwb_rc_neh *neh)
256 __uwb_rc_ctx_put(rc, neh);
257 list_del(&neh->list_node);
261 * uwb_rc_neh_rm - remove a neh.
262 * @rc: the radio controller
263 * @neh: the neh to remove
265 * Remove an active neh immediately instead of waiting for the event
266 * (or a time out).
268 void uwb_rc_neh_rm(struct uwb_rc *rc, struct uwb_rc_neh *neh)
270 unsigned long flags;
272 spin_lock_irqsave(&rc->neh_lock, flags);
273 __uwb_rc_neh_rm(rc, neh);
274 spin_unlock_irqrestore(&rc->neh_lock, flags);
276 del_timer_sync(&neh->timer);
277 uwb_rc_neh_put(neh);
281 * uwb_rc_neh_arm - arm an event handler timeout timer
283 * @rc: UWB Radio Controller
284 * @neh: Notification/event handler for @rc
286 * The timer is only armed if the neh is active.
288 void uwb_rc_neh_arm(struct uwb_rc *rc, struct uwb_rc_neh *neh)
290 unsigned long flags;
292 spin_lock_irqsave(&rc->neh_lock, flags);
293 if (neh->context)
294 mod_timer(&neh->timer,
295 jiffies + msecs_to_jiffies(UWB_RC_CMD_TIMEOUT_MS));
296 spin_unlock_irqrestore(&rc->neh_lock, flags);
299 static void uwb_rc_neh_cb(struct uwb_rc_neh *neh, struct uwb_rceb *rceb, size_t size)
301 (*neh->cb)(neh->rc, neh->arg, rceb, size);
302 uwb_rc_neh_put(neh);
305 static bool uwb_rc_neh_match(struct uwb_rc_neh *neh, const struct uwb_rceb *rceb)
307 return neh->evt_type == rceb->bEventType
308 && neh->evt == rceb->wEvent
309 && neh->context == rceb->bEventContext;
313 * Find the handle waiting for a RC Radio Control Event
315 * @rc: UWB Radio Controller
316 * @rceb: Pointer to the RCEB buffer
317 * @event_size: Pointer to the size of the RCEB buffer. Might be
318 * adjusted to take into account the @neh->extra_size
319 * settings.
321 * If the listener has no buffer (NULL buffer), one is allocated for
322 * the right size (the amount of data received). @neh->ptr will point
323 * to the event payload, which always starts with a 'struct
324 * uwb_rceb'. kfree() it when done.
326 static
327 struct uwb_rc_neh *uwb_rc_neh_lookup(struct uwb_rc *rc,
328 const struct uwb_rceb *rceb)
330 struct uwb_rc_neh *neh = NULL, *h;
331 unsigned long flags;
333 spin_lock_irqsave(&rc->neh_lock, flags);
335 list_for_each_entry(h, &rc->neh_list, list_node) {
336 if (uwb_rc_neh_match(h, rceb)) {
337 neh = h;
338 break;
342 if (neh)
343 __uwb_rc_neh_rm(rc, neh);
345 spin_unlock_irqrestore(&rc->neh_lock, flags);
347 return neh;
352 * Process notifications coming from the radio control interface
354 * @rc: UWB Radio Control Interface descriptor
355 * @neh: Notification/Event Handler @neh->ptr points to
356 * @uwb_evt->buffer.
358 * This function is called by the event/notif handling subsystem when
359 * notifications arrive (hwarc_probe() arms a notification/event handle
360 * that calls back this function for every received notification; this
361 * function then will rearm itself).
363 * Notification data buffers are dynamically allocated by the NEH
364 * handling code in neh.c [uwb_rc_neh_lookup()]. What is actually
365 * allocated is space to contain the notification data.
367 * Buffers are prefixed with a Radio Control Event Block (RCEB) as
368 * defined by the WUSB Wired-Adapter Radio Control interface. We
369 * just use it for the notification code.
371 * On each case statement we just transcode endianess of the different
372 * fields. We declare a pointer to a RCI definition of an event, and
373 * then to a UWB definition of the same event (which are the same,
374 * remember). Event if we use different pointers
376 static
377 void uwb_rc_notif(struct uwb_rc *rc, struct uwb_rceb *rceb, ssize_t size)
379 struct device *dev = &rc->uwb_dev.dev;
380 struct uwb_event *uwb_evt;
382 if (size == -ESHUTDOWN)
383 return;
384 if (size < 0) {
385 dev_err(dev, "ignoring event with error code %zu\n",
386 size);
387 return;
390 uwb_evt = kzalloc(sizeof(*uwb_evt), GFP_ATOMIC);
391 if (unlikely(uwb_evt == NULL)) {
392 dev_err(dev, "no memory to queue event 0x%02x/%04x/%02x\n",
393 rceb->bEventType, le16_to_cpu(rceb->wEvent),
394 rceb->bEventContext);
395 return;
397 uwb_evt->rc = __uwb_rc_get(rc); /* will be put by uwbd's uwbd_event_handle() */
398 uwb_evt->ts_jiffies = jiffies;
399 uwb_evt->type = UWB_EVT_TYPE_NOTIF;
400 uwb_evt->notif.size = size;
401 uwb_evt->notif.rceb = rceb;
403 uwbd_event_queue(uwb_evt);
406 static void uwb_rc_neh_grok_event(struct uwb_rc *rc, struct uwb_rceb *rceb, size_t size)
408 struct device *dev = &rc->uwb_dev.dev;
409 struct uwb_rc_neh *neh;
410 struct uwb_rceb *notif;
411 unsigned long flags;
413 if (rceb->bEventContext == 0) {
414 notif = kmalloc(size, GFP_ATOMIC);
415 if (notif) {
416 memcpy(notif, rceb, size);
417 uwb_rc_notif(rc, notif, size);
418 } else
419 dev_err(dev, "event 0x%02x/%04x/%02x (%zu bytes): no memory\n",
420 rceb->bEventType, le16_to_cpu(rceb->wEvent),
421 rceb->bEventContext, size);
422 } else {
423 neh = uwb_rc_neh_lookup(rc, rceb);
424 if (neh) {
425 spin_lock_irqsave(&rc->neh_lock, flags);
426 /* to guard against a timeout */
427 neh->completed = 1;
428 del_timer(&neh->timer);
429 spin_unlock_irqrestore(&rc->neh_lock, flags);
430 uwb_rc_neh_cb(neh, rceb, size);
431 } else
432 dev_warn(dev, "event 0x%02x/%04x/%02x (%zu bytes): nobody cared\n",
433 rceb->bEventType, le16_to_cpu(rceb->wEvent),
434 rceb->bEventContext, size);
439 * Given a buffer with one or more UWB RC events/notifications, break
440 * them up and dispatch them.
442 * @rc: UWB Radio Controller
443 * @buf: Buffer with the stream of notifications/events
444 * @buf_size: Amount of data in the buffer
446 * Note each notification/event starts always with a 'struct
447 * uwb_rceb', so the minimum size if 4 bytes.
449 * The device may pass us events formatted differently than expected.
450 * These are first filtered, potentially creating a new event in a new
451 * memory location. If a new event is created by the filter it is also
452 * freed here.
454 * For each notif/event, tries to guess the size looking at the EST
455 * tables, then looks for a neh that is waiting for that event and if
456 * found, copies the payload to the neh's buffer and calls it back. If
457 * not, the data is ignored.
459 * Note that if we can't find a size description in the EST tables, we
460 * still might find a size in the 'neh' handle in uwb_rc_neh_lookup().
462 * Assumptions:
464 * @rc->neh_lock is NOT taken
466 * We keep track of various sizes here:
467 * size: contains the size of the buffer that is processed for the
468 * incoming event. this buffer may contain events that are not
469 * formatted as WHCI.
470 * real_size: the actual space taken by this event in the buffer.
471 * We need to keep track of the real size of an event to be able to
472 * advance the buffer correctly.
473 * event_size: the size of the event as expected by the core layer
474 * [OR] the size of the event after filtering. if the filtering
475 * created a new event in a new memory location then this is
476 * effectively the size of a new event buffer
478 void uwb_rc_neh_grok(struct uwb_rc *rc, void *buf, size_t buf_size)
480 struct device *dev = &rc->uwb_dev.dev;
481 void *itr;
482 struct uwb_rceb *rceb;
483 size_t size, real_size, event_size;
484 int needtofree;
486 itr = buf;
487 size = buf_size;
488 while (size > 0) {
489 if (size < sizeof(*rceb)) {
490 dev_err(dev, "not enough data in event buffer to "
491 "process incoming events (%zu left, minimum is "
492 "%zu)\n", size, sizeof(*rceb));
493 break;
496 rceb = itr;
497 if (rc->filter_event) {
498 needtofree = rc->filter_event(rc, &rceb, size,
499 &real_size, &event_size);
500 if (needtofree < 0 && needtofree != -ENOANO) {
501 dev_err(dev, "BUG: Unable to filter event "
502 "(0x%02x/%04x/%02x) from "
503 "device. \n", rceb->bEventType,
504 le16_to_cpu(rceb->wEvent),
505 rceb->bEventContext);
506 break;
508 } else
509 needtofree = -ENOANO;
510 /* do real processing if there was no filtering or the
511 * filtering didn't act */
512 if (needtofree == -ENOANO) {
513 ssize_t ret = uwb_est_find_size(rc, rceb, size);
514 if (ret < 0)
515 break;
516 if (ret > size) {
517 dev_err(dev, "BUG: hw sent incomplete event "
518 "0x%02x/%04x/%02x (%zd bytes), only got "
519 "%zu bytes. We don't handle that.\n",
520 rceb->bEventType, le16_to_cpu(rceb->wEvent),
521 rceb->bEventContext, ret, size);
522 break;
524 real_size = event_size = ret;
526 uwb_rc_neh_grok_event(rc, rceb, event_size);
528 if (needtofree == 1)
529 kfree(rceb);
531 itr += real_size;
532 size -= real_size;
535 EXPORT_SYMBOL_GPL(uwb_rc_neh_grok);
539 * The entity that reads from the device notification/event channel has
540 * detected an error.
542 * @rc: UWB Radio Controller
543 * @error: Errno error code
546 void uwb_rc_neh_error(struct uwb_rc *rc, int error)
548 struct uwb_rc_neh *neh;
549 unsigned long flags;
551 for (;;) {
552 spin_lock_irqsave(&rc->neh_lock, flags);
553 if (list_empty(&rc->neh_list)) {
554 spin_unlock_irqrestore(&rc->neh_lock, flags);
555 break;
557 neh = list_first_entry(&rc->neh_list, struct uwb_rc_neh, list_node);
558 __uwb_rc_neh_rm(rc, neh);
559 spin_unlock_irqrestore(&rc->neh_lock, flags);
561 del_timer_sync(&neh->timer);
562 uwb_rc_neh_cb(neh, NULL, error);
565 EXPORT_SYMBOL_GPL(uwb_rc_neh_error);
568 static void uwb_rc_neh_timer(struct timer_list *t)
570 struct uwb_rc_neh *neh = from_timer(neh, t, timer);
571 struct uwb_rc *rc = neh->rc;
572 unsigned long flags;
574 spin_lock_irqsave(&rc->neh_lock, flags);
575 if (neh->completed) {
576 spin_unlock_irqrestore(&rc->neh_lock, flags);
577 return;
579 if (neh->context)
580 __uwb_rc_neh_rm(rc, neh);
581 else
582 neh = NULL;
583 spin_unlock_irqrestore(&rc->neh_lock, flags);
585 if (neh)
586 uwb_rc_neh_cb(neh, NULL, -ETIMEDOUT);
589 /** Initializes the @rc's neh subsystem
591 void uwb_rc_neh_create(struct uwb_rc *rc)
593 spin_lock_init(&rc->neh_lock);
594 INIT_LIST_HEAD(&rc->neh_list);
595 set_bit(0, rc->ctx_bm); /* 0 is reserved (see [WUSB] table 8-65) */
596 set_bit(0xff, rc->ctx_bm); /* and 0xff is invalid */
597 rc->ctx_roll = 1;
601 /** Release's the @rc's neh subsystem */
602 void uwb_rc_neh_destroy(struct uwb_rc *rc)
604 unsigned long flags;
605 struct uwb_rc_neh *neh;
607 for (;;) {
608 spin_lock_irqsave(&rc->neh_lock, flags);
609 if (list_empty(&rc->neh_list)) {
610 spin_unlock_irqrestore(&rc->neh_lock, flags);
611 break;
613 neh = list_first_entry(&rc->neh_list, struct uwb_rc_neh, list_node);
614 __uwb_rc_neh_rm(rc, neh);
615 spin_unlock_irqrestore(&rc->neh_lock, flags);
617 del_timer_sync(&neh->timer);
618 uwb_rc_neh_put(neh);