mirror of
https://github.com/torvalds/linux.git
synced 2024-12-22 02:52:56 +00:00
e0652f8bb4
nfcmrvl_disconnect fails to free the hci_dev field in struct nci_dev.
Fix this by freeing hci_dev in nci_free_device.
BUG: memory leak
unreferenced object 0xffff888111ea6800 (size 1024):
comm "kworker/1:0", pid 19, jiffies 4294942308 (age 13.580s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 60 fd 0c 81 88 ff ff .........`......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<000000004bc25d43>] kmalloc include/linux/slab.h:552 [inline]
[<000000004bc25d43>] kzalloc include/linux/slab.h:682 [inline]
[<000000004bc25d43>] nci_hci_allocate+0x21/0xd0 net/nfc/nci/hci.c:784
[<00000000c59cff92>] nci_allocate_device net/nfc/nci/core.c:1170 [inline]
[<00000000c59cff92>] nci_allocate_device+0x10b/0x160 net/nfc/nci/core.c:1132
[<00000000006e0a8e>] nfcmrvl_nci_register_dev+0x10a/0x1c0 drivers/nfc/nfcmrvl/main.c:153
[<000000004da1b57e>] nfcmrvl_probe+0x223/0x290 drivers/nfc/nfcmrvl/usb.c:345
[<00000000d506aed9>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
[<00000000bc632c92>] really_probe+0x159/0x4a0 drivers/base/dd.c:554
[<00000000f5009125>] driver_probe_device+0x84/0x100 drivers/base/dd.c:740
[<000000000ce658ca>] __device_attach_driver+0xee/0x110 drivers/base/dd.c:846
[<000000007067d05f>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:431
[<00000000f8e13372>] __device_attach+0x122/0x250 drivers/base/dd.c:914
[<000000009cf68860>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:491
[<00000000359c965a>] device_add+0x5be/0xc30 drivers/base/core.c:3109
[<00000000086e4bd3>] usb_set_configuration+0x9d9/0xb90 drivers/usb/core/message.c:2164
[<00000000ca036872>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238
[<00000000d40d36f6>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293
[<00000000bc632c92>] really_probe+0x159/0x4a0 drivers/base/dd.c:554
Reported-by: syzbot+19bcfc64a8df1318d1c3@syzkaller.appspotmail.com
Fixes: 11f54f2286
("NFC: nci: Add HCI over NCI protocol support")
Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
463 lines
13 KiB
C
463 lines
13 KiB
C
/* SPDX-License-Identifier: GPL-2.0-only */
|
|
/*
|
|
* The NFC Controller Interface is the communication protocol between an
|
|
* NFC Controller (NFCC) and a Device Host (DH).
|
|
*
|
|
* Copyright (C) 2011 Texas Instruments, Inc.
|
|
* Copyright (C) 2013 Intel Corporation. All rights reserved.
|
|
* Copyright (C) 2014 Marvell International Ltd.
|
|
*
|
|
* Written by Ilan Elias <ilane@ti.com>
|
|
*
|
|
* Acknowledgements:
|
|
* This file is based on hci_core.h, which was written
|
|
* by Maxim Krasnyansky.
|
|
*/
|
|
|
|
#ifndef __NCI_CORE_H
|
|
#define __NCI_CORE_H
|
|
|
|
#include <linux/interrupt.h>
|
|
#include <linux/skbuff.h>
|
|
#include <linux/tty.h>
|
|
|
|
#include <net/nfc/nfc.h>
|
|
#include <net/nfc/nci.h>
|
|
|
|
/* NCI device flags */
|
|
enum nci_flag {
|
|
NCI_INIT,
|
|
NCI_UP,
|
|
NCI_DATA_EXCHANGE,
|
|
NCI_DATA_EXCHANGE_TO,
|
|
};
|
|
|
|
/* NCI device states */
|
|
enum nci_state {
|
|
NCI_IDLE,
|
|
NCI_DISCOVERY,
|
|
NCI_W4_ALL_DISCOVERIES,
|
|
NCI_W4_HOST_SELECT,
|
|
NCI_POLL_ACTIVE,
|
|
NCI_LISTEN_ACTIVE,
|
|
NCI_LISTEN_SLEEP,
|
|
};
|
|
|
|
/* NCI timeouts */
|
|
#define NCI_RESET_TIMEOUT 5000
|
|
#define NCI_INIT_TIMEOUT 5000
|
|
#define NCI_SET_CONFIG_TIMEOUT 5000
|
|
#define NCI_RF_DISC_TIMEOUT 5000
|
|
#define NCI_RF_DISC_SELECT_TIMEOUT 5000
|
|
#define NCI_RF_DEACTIVATE_TIMEOUT 30000
|
|
#define NCI_CMD_TIMEOUT 5000
|
|
#define NCI_DATA_TIMEOUT 700
|
|
|
|
struct nci_dev;
|
|
|
|
struct nci_driver_ops {
|
|
__u16 opcode;
|
|
int (*rsp)(struct nci_dev *dev, struct sk_buff *skb);
|
|
int (*ntf)(struct nci_dev *dev, struct sk_buff *skb);
|
|
};
|
|
|
|
struct nci_ops {
|
|
int (*init)(struct nci_dev *ndev);
|
|
int (*open)(struct nci_dev *ndev);
|
|
int (*close)(struct nci_dev *ndev);
|
|
int (*send)(struct nci_dev *ndev, struct sk_buff *skb);
|
|
int (*setup)(struct nci_dev *ndev);
|
|
int (*post_setup)(struct nci_dev *ndev);
|
|
int (*fw_download)(struct nci_dev *ndev, const char *firmware_name);
|
|
__u32 (*get_rfprotocol)(struct nci_dev *ndev, __u8 rf_protocol);
|
|
int (*discover_se)(struct nci_dev *ndev);
|
|
int (*disable_se)(struct nci_dev *ndev, u32 se_idx);
|
|
int (*enable_se)(struct nci_dev *ndev, u32 se_idx);
|
|
int (*se_io)(struct nci_dev *ndev, u32 se_idx,
|
|
u8 *apdu, size_t apdu_length,
|
|
se_io_cb_t cb, void *cb_context);
|
|
int (*hci_load_session)(struct nci_dev *ndev);
|
|
void (*hci_event_received)(struct nci_dev *ndev, u8 pipe, u8 event,
|
|
struct sk_buff *skb);
|
|
void (*hci_cmd_received)(struct nci_dev *ndev, u8 pipe, u8 cmd,
|
|
struct sk_buff *skb);
|
|
|
|
struct nci_driver_ops *prop_ops;
|
|
size_t n_prop_ops;
|
|
|
|
struct nci_driver_ops *core_ops;
|
|
size_t n_core_ops;
|
|
};
|
|
|
|
#define NCI_MAX_SUPPORTED_RF_INTERFACES 4
|
|
#define NCI_MAX_DISCOVERED_TARGETS 10
|
|
#define NCI_MAX_NUM_NFCEE 255
|
|
#define NCI_MAX_CONN_ID 7
|
|
#define NCI_MAX_PROPRIETARY_CMD 64
|
|
|
|
struct nci_conn_info {
|
|
struct list_head list;
|
|
/* NCI specification 4.4.2 Connection Creation
|
|
* The combination of destination type and destination specific
|
|
* parameters shall uniquely identify a single destination for the
|
|
* Logical Connection
|
|
*/
|
|
struct dest_spec_params *dest_params;
|
|
__u8 dest_type;
|
|
__u8 conn_id;
|
|
__u8 max_pkt_payload_len;
|
|
|
|
atomic_t credits_cnt;
|
|
__u8 initial_num_credits;
|
|
|
|
data_exchange_cb_t data_exchange_cb;
|
|
void *data_exchange_cb_context;
|
|
|
|
struct sk_buff *rx_skb;
|
|
};
|
|
|
|
#define NCI_INVALID_CONN_ID 0x80
|
|
|
|
#define NCI_HCI_ANY_OPEN_PIPE 0x03
|
|
|
|
/* Gates */
|
|
#define NCI_HCI_ADMIN_GATE 0x00
|
|
#define NCI_HCI_LOOPBACK_GATE 0x04
|
|
#define NCI_HCI_IDENTITY_MGMT_GATE 0x05
|
|
#define NCI_HCI_LINK_MGMT_GATE 0x06
|
|
|
|
/* Pipes */
|
|
#define NCI_HCI_LINK_MGMT_PIPE 0x00
|
|
#define NCI_HCI_ADMIN_PIPE 0x01
|
|
|
|
/* Generic responses */
|
|
#define NCI_HCI_ANY_OK 0x00
|
|
#define NCI_HCI_ANY_E_NOT_CONNECTED 0x01
|
|
#define NCI_HCI_ANY_E_CMD_PAR_UNKNOWN 0x02
|
|
#define NCI_HCI_ANY_E_NOK 0x03
|
|
#define NCI_HCI_ANY_E_PIPES_FULL 0x04
|
|
#define NCI_HCI_ANY_E_REG_PAR_UNKNOWN 0x05
|
|
#define NCI_HCI_ANY_E_PIPE_NOT_OPENED 0x06
|
|
#define NCI_HCI_ANY_E_CMD_NOT_SUPPORTED 0x07
|
|
#define NCI_HCI_ANY_E_INHIBITED 0x08
|
|
#define NCI_HCI_ANY_E_TIMEOUT 0x09
|
|
#define NCI_HCI_ANY_E_REG_ACCESS_DENIED 0x0a
|
|
#define NCI_HCI_ANY_E_PIPE_ACCESS_DENIED 0x0b
|
|
|
|
#define NCI_HCI_DO_NOT_OPEN_PIPE 0x81
|
|
#define NCI_HCI_INVALID_PIPE 0x80
|
|
#define NCI_HCI_INVALID_GATE 0xFF
|
|
#define NCI_HCI_INVALID_HOST 0x80
|
|
|
|
#define NCI_HCI_MAX_CUSTOM_GATES 50
|
|
/*
|
|
* According to specification 102 622 chapter 4.4 Pipes,
|
|
* the pipe identifier is 7 bits long.
|
|
*/
|
|
#define NCI_HCI_MAX_PIPES 128
|
|
|
|
struct nci_hci_gate {
|
|
u8 gate;
|
|
u8 pipe;
|
|
u8 dest_host;
|
|
} __packed;
|
|
|
|
struct nci_hci_pipe {
|
|
u8 gate;
|
|
u8 host;
|
|
} __packed;
|
|
|
|
struct nci_hci_init_data {
|
|
u8 gate_count;
|
|
struct nci_hci_gate gates[NCI_HCI_MAX_CUSTOM_GATES];
|
|
char session_id[9];
|
|
};
|
|
|
|
#define NCI_HCI_MAX_GATES 256
|
|
|
|
struct nci_hci_dev {
|
|
u8 nfcee_id;
|
|
struct nci_dev *ndev;
|
|
struct nci_conn_info *conn_info;
|
|
|
|
struct nci_hci_init_data init_data;
|
|
struct nci_hci_pipe pipes[NCI_HCI_MAX_PIPES];
|
|
u8 gate2pipe[NCI_HCI_MAX_GATES];
|
|
int expected_pipes;
|
|
int count_pipes;
|
|
|
|
struct sk_buff_head rx_hcp_frags;
|
|
struct work_struct msg_rx_work;
|
|
struct sk_buff_head msg_rx_queue;
|
|
};
|
|
|
|
/* NCI Core structures */
|
|
struct nci_dev {
|
|
struct nfc_dev *nfc_dev;
|
|
struct nci_ops *ops;
|
|
struct nci_hci_dev *hci_dev;
|
|
|
|
int tx_headroom;
|
|
int tx_tailroom;
|
|
|
|
atomic_t state;
|
|
unsigned long flags;
|
|
|
|
atomic_t cmd_cnt;
|
|
__u8 cur_conn_id;
|
|
|
|
struct list_head conn_info_list;
|
|
struct nci_conn_info *rf_conn_info;
|
|
|
|
struct timer_list cmd_timer;
|
|
struct timer_list data_timer;
|
|
|
|
struct workqueue_struct *cmd_wq;
|
|
struct work_struct cmd_work;
|
|
|
|
struct workqueue_struct *rx_wq;
|
|
struct work_struct rx_work;
|
|
|
|
struct workqueue_struct *tx_wq;
|
|
struct work_struct tx_work;
|
|
|
|
struct sk_buff_head cmd_q;
|
|
struct sk_buff_head rx_q;
|
|
struct sk_buff_head tx_q;
|
|
|
|
struct mutex req_lock;
|
|
struct completion req_completion;
|
|
__u32 req_status;
|
|
__u32 req_result;
|
|
|
|
void *driver_data;
|
|
|
|
__u32 poll_prots;
|
|
__u32 target_active_prot;
|
|
|
|
struct nfc_target targets[NCI_MAX_DISCOVERED_TARGETS];
|
|
int n_targets;
|
|
|
|
/* received during NCI_OP_CORE_RESET_RSP */
|
|
__u8 nci_ver;
|
|
|
|
/* received during NCI_OP_CORE_INIT_RSP */
|
|
__u32 nfcc_features;
|
|
__u8 num_supported_rf_interfaces;
|
|
__u8 supported_rf_interfaces
|
|
[NCI_MAX_SUPPORTED_RF_INTERFACES];
|
|
__u8 max_logical_connections;
|
|
__u16 max_routing_table_size;
|
|
__u8 max_ctrl_pkt_payload_len;
|
|
__u16 max_size_for_large_params;
|
|
__u8 manufact_id;
|
|
__u32 manufact_specific_info;
|
|
|
|
/* Save RF Discovery ID or NFCEE ID under conn_create */
|
|
struct dest_spec_params cur_params;
|
|
/* Save destination type under conn_create */
|
|
__u8 cur_dest_type;
|
|
|
|
/* stored during nci_data_exchange */
|
|
struct sk_buff *rx_data_reassembly;
|
|
|
|
/* stored during intf_activated_ntf */
|
|
__u8 remote_gb[NFC_MAX_GT_LEN];
|
|
__u8 remote_gb_len;
|
|
};
|
|
|
|
/* ----- NCI Devices ----- */
|
|
struct nci_dev *nci_allocate_device(struct nci_ops *ops,
|
|
__u32 supported_protocols,
|
|
int tx_headroom,
|
|
int tx_tailroom);
|
|
void nci_free_device(struct nci_dev *ndev);
|
|
int nci_register_device(struct nci_dev *ndev);
|
|
void nci_unregister_device(struct nci_dev *ndev);
|
|
int nci_request(struct nci_dev *ndev,
|
|
void (*req)(struct nci_dev *ndev,
|
|
unsigned long opt),
|
|
unsigned long opt, __u32 timeout);
|
|
int nci_prop_cmd(struct nci_dev *ndev, __u8 oid, size_t len, __u8 *payload);
|
|
int nci_core_cmd(struct nci_dev *ndev, __u16 opcode, size_t len, __u8 *payload);
|
|
int nci_core_reset(struct nci_dev *ndev);
|
|
int nci_core_init(struct nci_dev *ndev);
|
|
|
|
int nci_recv_frame(struct nci_dev *ndev, struct sk_buff *skb);
|
|
int nci_send_frame(struct nci_dev *ndev, struct sk_buff *skb);
|
|
int nci_set_config(struct nci_dev *ndev, __u8 id, size_t len, __u8 *val);
|
|
|
|
int nci_nfcee_discover(struct nci_dev *ndev, u8 action);
|
|
int nci_nfcee_mode_set(struct nci_dev *ndev, u8 nfcee_id, u8 nfcee_mode);
|
|
int nci_core_conn_create(struct nci_dev *ndev, u8 destination_type,
|
|
u8 number_destination_params,
|
|
size_t params_len,
|
|
struct core_conn_create_dest_spec_params *params);
|
|
int nci_core_conn_close(struct nci_dev *ndev, u8 conn_id);
|
|
int nci_nfcc_loopback(struct nci_dev *ndev, void *data, size_t data_len,
|
|
struct sk_buff **resp);
|
|
|
|
struct nci_hci_dev *nci_hci_allocate(struct nci_dev *ndev);
|
|
void nci_hci_deallocate(struct nci_dev *ndev);
|
|
int nci_hci_send_event(struct nci_dev *ndev, u8 gate, u8 event,
|
|
const u8 *param, size_t param_len);
|
|
int nci_hci_send_cmd(struct nci_dev *ndev, u8 gate,
|
|
u8 cmd, const u8 *param, size_t param_len,
|
|
struct sk_buff **skb);
|
|
int nci_hci_open_pipe(struct nci_dev *ndev, u8 pipe);
|
|
int nci_hci_connect_gate(struct nci_dev *ndev, u8 dest_host,
|
|
u8 dest_gate, u8 pipe);
|
|
int nci_hci_set_param(struct nci_dev *ndev, u8 gate, u8 idx,
|
|
const u8 *param, size_t param_len);
|
|
int nci_hci_get_param(struct nci_dev *ndev, u8 gate, u8 idx,
|
|
struct sk_buff **skb);
|
|
int nci_hci_clear_all_pipes(struct nci_dev *ndev);
|
|
int nci_hci_dev_session_init(struct nci_dev *ndev);
|
|
|
|
static inline struct sk_buff *nci_skb_alloc(struct nci_dev *ndev,
|
|
unsigned int len,
|
|
gfp_t how)
|
|
{
|
|
struct sk_buff *skb;
|
|
|
|
skb = alloc_skb(len + ndev->tx_headroom + ndev->tx_tailroom, how);
|
|
if (skb)
|
|
skb_reserve(skb, ndev->tx_headroom);
|
|
|
|
return skb;
|
|
}
|
|
|
|
static inline void nci_set_parent_dev(struct nci_dev *ndev, struct device *dev)
|
|
{
|
|
nfc_set_parent_dev(ndev->nfc_dev, dev);
|
|
}
|
|
|
|
static inline void nci_set_drvdata(struct nci_dev *ndev, void *data)
|
|
{
|
|
ndev->driver_data = data;
|
|
}
|
|
|
|
static inline void *nci_get_drvdata(struct nci_dev *ndev)
|
|
{
|
|
return ndev->driver_data;
|
|
}
|
|
|
|
static inline int nci_set_vendor_cmds(struct nci_dev *ndev,
|
|
struct nfc_vendor_cmd *cmds,
|
|
int n_cmds)
|
|
{
|
|
return nfc_set_vendor_cmds(ndev->nfc_dev, cmds, n_cmds);
|
|
}
|
|
|
|
void nci_rsp_packet(struct nci_dev *ndev, struct sk_buff *skb);
|
|
void nci_ntf_packet(struct nci_dev *ndev, struct sk_buff *skb);
|
|
int nci_prop_rsp_packet(struct nci_dev *ndev, __u16 opcode,
|
|
struct sk_buff *skb);
|
|
int nci_prop_ntf_packet(struct nci_dev *ndev, __u16 opcode,
|
|
struct sk_buff *skb);
|
|
int nci_core_rsp_packet(struct nci_dev *ndev, __u16 opcode,
|
|
struct sk_buff *skb);
|
|
int nci_core_ntf_packet(struct nci_dev *ndev, __u16 opcode,
|
|
struct sk_buff *skb);
|
|
void nci_rx_data_packet(struct nci_dev *ndev, struct sk_buff *skb);
|
|
int nci_send_cmd(struct nci_dev *ndev, __u16 opcode, __u8 plen, void *payload);
|
|
int nci_send_data(struct nci_dev *ndev, __u8 conn_id, struct sk_buff *skb);
|
|
int nci_conn_max_data_pkt_payload_size(struct nci_dev *ndev, __u8 conn_id);
|
|
void nci_data_exchange_complete(struct nci_dev *ndev, struct sk_buff *skb,
|
|
__u8 conn_id, int err);
|
|
void nci_hci_data_received_cb(void *context, struct sk_buff *skb, int err);
|
|
|
|
void nci_clear_target_list(struct nci_dev *ndev);
|
|
|
|
/* ----- NCI requests ----- */
|
|
#define NCI_REQ_DONE 0
|
|
#define NCI_REQ_PEND 1
|
|
#define NCI_REQ_CANCELED 2
|
|
|
|
void nci_req_complete(struct nci_dev *ndev, int result);
|
|
struct nci_conn_info *nci_get_conn_info_by_conn_id(struct nci_dev *ndev,
|
|
int conn_id);
|
|
int nci_get_conn_info_by_dest_type_params(struct nci_dev *ndev, u8 dest_type,
|
|
struct dest_spec_params *params);
|
|
|
|
/* ----- NCI status code ----- */
|
|
int nci_to_errno(__u8 code);
|
|
|
|
/* ----- NCI over SPI acknowledge modes ----- */
|
|
#define NCI_SPI_CRC_DISABLED 0x00
|
|
#define NCI_SPI_CRC_ENABLED 0x01
|
|
|
|
/* ----- NCI SPI structures ----- */
|
|
struct nci_spi {
|
|
struct nci_dev *ndev;
|
|
struct spi_device *spi;
|
|
|
|
unsigned int xfer_udelay; /* microseconds delay between
|
|
transactions */
|
|
|
|
unsigned int xfer_speed_hz; /*
|
|
* SPI clock frequency
|
|
* 0 => default clock
|
|
*/
|
|
|
|
u8 acknowledge_mode;
|
|
|
|
struct completion req_completion;
|
|
u8 req_result;
|
|
};
|
|
|
|
/* ----- NCI SPI ----- */
|
|
struct nci_spi *nci_spi_allocate_spi(struct spi_device *spi,
|
|
u8 acknowledge_mode, unsigned int delay,
|
|
struct nci_dev *ndev);
|
|
int nci_spi_send(struct nci_spi *nspi,
|
|
struct completion *write_handshake_completion,
|
|
struct sk_buff *skb);
|
|
struct sk_buff *nci_spi_read(struct nci_spi *nspi);
|
|
|
|
/* ----- NCI UART ---- */
|
|
|
|
/* Ioctl */
|
|
#define NCIUARTSETDRIVER _IOW('U', 0, char *)
|
|
|
|
enum nci_uart_driver {
|
|
NCI_UART_DRIVER_MARVELL = 0,
|
|
NCI_UART_DRIVER_MAX
|
|
};
|
|
|
|
struct nci_uart;
|
|
|
|
struct nci_uart_ops {
|
|
int (*open)(struct nci_uart *nci_uart);
|
|
void (*close)(struct nci_uart *nci_uart);
|
|
int (*recv)(struct nci_uart *nci_uart, struct sk_buff *skb);
|
|
int (*send)(struct nci_uart *nci_uart, struct sk_buff *skb);
|
|
void (*tx_start)(struct nci_uart *nci_uart);
|
|
void (*tx_done)(struct nci_uart *nci_uart);
|
|
};
|
|
|
|
struct nci_uart {
|
|
struct module *owner;
|
|
struct nci_uart_ops ops;
|
|
const char *name;
|
|
enum nci_uart_driver driver;
|
|
|
|
/* Dynamic data */
|
|
struct nci_dev *ndev;
|
|
spinlock_t rx_lock;
|
|
struct work_struct write_work;
|
|
struct tty_struct *tty;
|
|
unsigned long tx_state;
|
|
struct sk_buff_head tx_q;
|
|
struct sk_buff *tx_skb;
|
|
struct sk_buff *rx_skb;
|
|
int rx_packet_len;
|
|
void *drv_data;
|
|
};
|
|
|
|
int nci_uart_register(struct nci_uart *nu);
|
|
void nci_uart_unregister(struct nci_uart *nu);
|
|
void nci_uart_set_config(struct nci_uart *nu, int baudrate, int flow_ctrl);
|
|
|
|
#endif /* __NCI_CORE_H */
|