1 // SPDX-License-Identifier: GPL-2.0-or-later
3 * Copyright (C) 2011 Intel Corporation. All rights reserved.
4 * Copyright (C) 2014 Marvell International Ltd.
7 #define pr_fmt(fmt) "llcp: %s: " fmt, __func__
9 #include <linux/init.h>
10 #include <linux/kernel.h>
11 #include <linux/list.h>
12 #include <linux/nfc.h>
17 static u8 llcp_magic[3] = {0x46, 0x66, 0x6d};
19 static LIST_HEAD(llcp_devices);
20 /* Protects llcp_devices list */
21 static DEFINE_SPINLOCK(llcp_devices_lock);
23 static void nfc_llcp_rx_skb(struct nfc_llcp_local *local, struct sk_buff *skb);
25 void nfc_llcp_sock_link(struct llcp_sock_list *l, struct sock *sk)
28 sk_add_node(sk, &l->head);
29 write_unlock(&l->lock);
32 void nfc_llcp_sock_unlink(struct llcp_sock_list *l, struct sock *sk)
36 write_unlock(&l->lock);
39 void nfc_llcp_socket_remote_param_init(struct nfc_llcp_sock *sock)
41 sock->remote_rw = LLCP_DEFAULT_RW;
42 sock->remote_miu = LLCP_MAX_MIU + 1;
45 static void nfc_llcp_socket_purge(struct nfc_llcp_sock *sock)
47 struct nfc_llcp_local *local = sock->local;
48 struct sk_buff *s, *tmp;
50 pr_debug("%p\n", &sock->sk);
52 skb_queue_purge(&sock->tx_queue);
53 skb_queue_purge(&sock->tx_pending_queue);
58 /* Search for local pending SKBs that are related to this socket */
59 skb_queue_walk_safe(&local->tx_queue, s, tmp) {
60 if (s->sk != &sock->sk)
63 skb_unlink(s, &local->tx_queue);
68 static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
72 struct hlist_node *tmp;
73 struct nfc_llcp_sock *llcp_sock;
75 skb_queue_purge(&local->tx_queue);
77 write_lock(&local->sockets.lock);
79 sk_for_each_safe(sk, tmp, &local->sockets.head) {
80 llcp_sock = nfc_llcp_sock(sk);
84 nfc_llcp_socket_purge(llcp_sock);
86 if (sk->sk_state == LLCP_CONNECTED)
87 nfc_put_device(llcp_sock->dev);
89 if (sk->sk_state == LLCP_LISTEN) {
90 struct nfc_llcp_sock *lsk, *n;
91 struct sock *accept_sk;
93 list_for_each_entry_safe(lsk, n,
94 &llcp_sock->accept_queue,
97 bh_lock_sock(accept_sk);
99 nfc_llcp_accept_unlink(accept_sk);
102 accept_sk->sk_err = err;
103 accept_sk->sk_state = LLCP_CLOSED;
104 accept_sk->sk_state_change(sk);
106 bh_unlock_sock(accept_sk);
112 sk->sk_state = LLCP_CLOSED;
113 sk->sk_state_change(sk);
117 sk_del_node_init(sk);
120 write_unlock(&local->sockets.lock);
122 /* If we still have a device, we keep the RAW sockets alive */
126 write_lock(&local->raw_sockets.lock);
128 sk_for_each_safe(sk, tmp, &local->raw_sockets.head) {
129 llcp_sock = nfc_llcp_sock(sk);
133 nfc_llcp_socket_purge(llcp_sock);
137 sk->sk_state = LLCP_CLOSED;
138 sk->sk_state_change(sk);
142 sk_del_node_init(sk);
145 write_unlock(&local->raw_sockets.lock);
148 static struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local)
150 /* Since using nfc_llcp_local may result in usage of nfc_dev, whenever
151 * we hold a reference to local, we also need to hold a reference to
152 * the device to avoid UAF.
154 if (!nfc_get_device(local->dev->idx))
157 kref_get(&local->ref);
162 static void local_cleanup(struct nfc_llcp_local *local)
164 nfc_llcp_socket_release(local, false, ENXIO);
165 del_timer_sync(&local->link_timer);
166 skb_queue_purge(&local->tx_queue);
167 cancel_work_sync(&local->tx_work);
168 cancel_work_sync(&local->rx_work);
169 cancel_work_sync(&local->timeout_work);
170 kfree_skb(local->rx_pending);
171 local->rx_pending = NULL;
172 del_timer_sync(&local->sdreq_timer);
173 cancel_work_sync(&local->sdreq_timeout_work);
174 nfc_llcp_free_sdp_tlv_list(&local->pending_sdreqs);
177 static void local_release(struct kref *ref)
179 struct nfc_llcp_local *local;
181 local = container_of(ref, struct nfc_llcp_local, ref);
183 local_cleanup(local);
187 int nfc_llcp_local_put(struct nfc_llcp_local *local)
197 ret = kref_put(&local->ref, local_release);
203 static struct nfc_llcp_sock *nfc_llcp_sock_get(struct nfc_llcp_local *local,
207 struct nfc_llcp_sock *llcp_sock, *tmp_sock;
209 pr_debug("ssap dsap %d %d\n", ssap, dsap);
211 if (ssap == 0 && dsap == 0)
214 read_lock(&local->sockets.lock);
218 sk_for_each(sk, &local->sockets.head) {
219 tmp_sock = nfc_llcp_sock(sk);
221 if (tmp_sock->ssap == ssap && tmp_sock->dsap == dsap) {
222 llcp_sock = tmp_sock;
223 sock_hold(&llcp_sock->sk);
228 read_unlock(&local->sockets.lock);
233 static void nfc_llcp_sock_put(struct nfc_llcp_sock *sock)
238 static void nfc_llcp_timeout_work(struct work_struct *work)
240 struct nfc_llcp_local *local = container_of(work, struct nfc_llcp_local,
243 nfc_dep_link_down(local->dev);
246 static void nfc_llcp_symm_timer(struct timer_list *t)
248 struct nfc_llcp_local *local = from_timer(local, t, link_timer);
250 pr_err("SYMM timeout\n");
252 schedule_work(&local->timeout_work);
255 static void nfc_llcp_sdreq_timeout_work(struct work_struct *work)
258 HLIST_HEAD(nl_sdres_list);
259 struct hlist_node *n;
260 struct nfc_llcp_sdp_tlv *sdp;
261 struct nfc_llcp_local *local = container_of(work, struct nfc_llcp_local,
264 mutex_lock(&local->sdreq_lock);
266 time = jiffies - msecs_to_jiffies(3 * local->remote_lto);
268 hlist_for_each_entry_safe(sdp, n, &local->pending_sdreqs, node) {
269 if (time_after(sdp->time, time))
272 sdp->sap = LLCP_SDP_UNBOUND;
274 hlist_del(&sdp->node);
276 hlist_add_head(&sdp->node, &nl_sdres_list);
279 if (!hlist_empty(&local->pending_sdreqs))
280 mod_timer(&local->sdreq_timer,
281 jiffies + msecs_to_jiffies(3 * local->remote_lto));
283 mutex_unlock(&local->sdreq_lock);
285 if (!hlist_empty(&nl_sdres_list))
286 nfc_genl_llc_send_sdres(local->dev, &nl_sdres_list);
289 static void nfc_llcp_sdreq_timer(struct timer_list *t)
291 struct nfc_llcp_local *local = from_timer(local, t, sdreq_timer);
293 schedule_work(&local->sdreq_timeout_work);
296 struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev)
298 struct nfc_llcp_local *local;
299 struct nfc_llcp_local *res = NULL;
301 spin_lock(&llcp_devices_lock);
302 list_for_each_entry(local, &llcp_devices, list)
303 if (local->dev == dev) {
304 res = nfc_llcp_local_get(local);
307 spin_unlock(&llcp_devices_lock);
312 static struct nfc_llcp_local *nfc_llcp_remove_local(struct nfc_dev *dev)
314 struct nfc_llcp_local *local, *tmp;
316 spin_lock(&llcp_devices_lock);
317 list_for_each_entry_safe(local, tmp, &llcp_devices, list)
318 if (local->dev == dev) {
319 list_del(&local->list);
320 spin_unlock(&llcp_devices_lock);
323 spin_unlock(&llcp_devices_lock);
325 pr_warn("Shutting down device not found\n");
330 static char *wks[] = {
338 static int nfc_llcp_wks_sap(const char *service_name, size_t service_name_len)
342 pr_debug("%s\n", service_name);
344 if (service_name == NULL)
347 num_wks = ARRAY_SIZE(wks);
349 for (sap = 0; sap < num_wks; sap++) {
350 if (wks[sap] == NULL)
353 if (strncmp(wks[sap], service_name, service_name_len) == 0)
361 struct nfc_llcp_sock *nfc_llcp_sock_from_sn(struct nfc_llcp_local *local,
362 const u8 *sn, size_t sn_len,
366 struct nfc_llcp_sock *llcp_sock, *tmp_sock;
368 pr_debug("sn %zd %p\n", sn_len, sn);
370 if (sn == NULL || sn_len == 0)
373 read_lock(&local->sockets.lock);
377 sk_for_each(sk, &local->sockets.head) {
378 tmp_sock = nfc_llcp_sock(sk);
380 pr_debug("llcp sock %p\n", tmp_sock);
382 if (tmp_sock->sk.sk_type == SOCK_STREAM &&
383 tmp_sock->sk.sk_state != LLCP_LISTEN)
386 if (tmp_sock->sk.sk_type == SOCK_DGRAM &&
387 tmp_sock->sk.sk_state != LLCP_BOUND)
390 if (tmp_sock->service_name == NULL ||
391 tmp_sock->service_name_len == 0)
394 if (tmp_sock->service_name_len != sn_len)
397 if (memcmp(sn, tmp_sock->service_name, sn_len) == 0) {
398 llcp_sock = tmp_sock;
400 sock_hold(&llcp_sock->sk);
405 read_unlock(&local->sockets.lock);
407 pr_debug("Found llcp sock %p\n", llcp_sock);
412 u8 nfc_llcp_get_sdp_ssap(struct nfc_llcp_local *local,
413 struct nfc_llcp_sock *sock)
415 mutex_lock(&local->sdp_lock);
417 if (sock->service_name != NULL && sock->service_name_len > 0) {
418 int ssap = nfc_llcp_wks_sap(sock->service_name,
419 sock->service_name_len);
422 pr_debug("WKS %d\n", ssap);
424 /* This is a WKS, let's check if it's free */
425 if (local->local_wks & BIT(ssap)) {
426 mutex_unlock(&local->sdp_lock);
431 set_bit(ssap, &local->local_wks);
432 mutex_unlock(&local->sdp_lock);
438 * Check if there already is a non WKS socket bound
439 * to this service name.
441 if (nfc_llcp_sock_from_sn(local, sock->service_name,
442 sock->service_name_len,
444 mutex_unlock(&local->sdp_lock);
449 mutex_unlock(&local->sdp_lock);
451 return LLCP_SDP_UNBOUND;
453 } else if (sock->ssap != 0 && sock->ssap < LLCP_WKS_NUM_SAP) {
454 if (!test_bit(sock->ssap, &local->local_wks)) {
455 set_bit(sock->ssap, &local->local_wks);
456 mutex_unlock(&local->sdp_lock);
462 mutex_unlock(&local->sdp_lock);
467 u8 nfc_llcp_get_local_ssap(struct nfc_llcp_local *local)
471 mutex_lock(&local->sdp_lock);
473 local_ssap = find_first_zero_bit(&local->local_sap, LLCP_LOCAL_NUM_SAP);
474 if (local_ssap == LLCP_LOCAL_NUM_SAP) {
475 mutex_unlock(&local->sdp_lock);
479 set_bit(local_ssap, &local->local_sap);
481 mutex_unlock(&local->sdp_lock);
483 return local_ssap + LLCP_LOCAL_SAP_OFFSET;
486 void nfc_llcp_put_ssap(struct nfc_llcp_local *local, u8 ssap)
491 if (ssap < LLCP_WKS_NUM_SAP) {
493 sdp = &local->local_wks;
494 } else if (ssap < LLCP_LOCAL_NUM_SAP) {
495 atomic_t *client_cnt;
497 local_ssap = ssap - LLCP_WKS_NUM_SAP;
498 sdp = &local->local_sdp;
499 client_cnt = &local->local_sdp_cnt[local_ssap];
501 pr_debug("%d clients\n", atomic_read(client_cnt));
503 mutex_lock(&local->sdp_lock);
505 if (atomic_dec_and_test(client_cnt)) {
506 struct nfc_llcp_sock *l_sock;
508 pr_debug("No more clients for SAP %d\n", ssap);
510 clear_bit(local_ssap, sdp);
512 /* Find the listening sock and set it back to UNBOUND */
513 l_sock = nfc_llcp_sock_get(local, ssap, LLCP_SAP_SDP);
515 l_sock->ssap = LLCP_SDP_UNBOUND;
516 nfc_llcp_sock_put(l_sock);
520 mutex_unlock(&local->sdp_lock);
523 } else if (ssap < LLCP_MAX_SAP) {
524 local_ssap = ssap - LLCP_LOCAL_NUM_SAP;
525 sdp = &local->local_sap;
530 mutex_lock(&local->sdp_lock);
532 clear_bit(local_ssap, sdp);
534 mutex_unlock(&local->sdp_lock);
537 static u8 nfc_llcp_reserve_sdp_ssap(struct nfc_llcp_local *local)
541 mutex_lock(&local->sdp_lock);
543 ssap = find_first_zero_bit(&local->local_sdp, LLCP_SDP_NUM_SAP);
544 if (ssap == LLCP_SDP_NUM_SAP) {
545 mutex_unlock(&local->sdp_lock);
550 pr_debug("SDP ssap %d\n", LLCP_WKS_NUM_SAP + ssap);
552 set_bit(ssap, &local->local_sdp);
554 mutex_unlock(&local->sdp_lock);
556 return LLCP_WKS_NUM_SAP + ssap;
559 static int nfc_llcp_build_gb(struct nfc_llcp_local *local)
561 u8 *gb_cur, version, version_length;
562 u8 lto_length, wks_length, miux_length;
563 const u8 *version_tlv = NULL, *lto_tlv = NULL,
564 *wks_tlv = NULL, *miux_tlv = NULL;
565 __be16 wks = cpu_to_be16(local->local_wks);
569 version = LLCP_VERSION_11;
570 version_tlv = nfc_llcp_build_tlv(LLCP_TLV_VERSION, &version,
576 gb_len += version_length;
578 lto_tlv = nfc_llcp_build_tlv(LLCP_TLV_LTO, &local->lto, 1, <o_length);
583 gb_len += lto_length;
585 pr_debug("Local wks 0x%lx\n", local->local_wks);
586 wks_tlv = nfc_llcp_build_tlv(LLCP_TLV_WKS, (u8 *)&wks, 2, &wks_length);
591 gb_len += wks_length;
593 miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&local->miux, 0,
599 gb_len += miux_length;
601 gb_len += ARRAY_SIZE(llcp_magic);
603 if (gb_len > NFC_MAX_GT_LEN) {
610 memcpy(gb_cur, llcp_magic, ARRAY_SIZE(llcp_magic));
611 gb_cur += ARRAY_SIZE(llcp_magic);
613 memcpy(gb_cur, version_tlv, version_length);
614 gb_cur += version_length;
616 memcpy(gb_cur, lto_tlv, lto_length);
617 gb_cur += lto_length;
619 memcpy(gb_cur, wks_tlv, wks_length);
620 gb_cur += wks_length;
622 memcpy(gb_cur, miux_tlv, miux_length);
623 gb_cur += miux_length;
625 local->gb_len = gb_len;
636 u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len)
638 struct nfc_llcp_local *local;
640 local = nfc_llcp_find_local(dev);
642 *general_bytes_len = 0;
646 nfc_llcp_build_gb(local);
648 *general_bytes_len = local->gb_len;
650 nfc_llcp_local_put(local);
655 int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len)
657 struct nfc_llcp_local *local;
660 if (gb_len < 3 || gb_len > NFC_MAX_GT_LEN)
663 local = nfc_llcp_find_local(dev);
665 pr_err("No LLCP device\n");
669 memset(local->remote_gb, 0, NFC_MAX_GT_LEN);
670 memcpy(local->remote_gb, gb, gb_len);
671 local->remote_gb_len = gb_len;
673 if (memcmp(local->remote_gb, llcp_magic, 3)) {
674 pr_err("MAC does not support LLCP\n");
679 err = nfc_llcp_parse_gb_tlv(local,
680 &local->remote_gb[3],
681 local->remote_gb_len - 3);
683 nfc_llcp_local_put(local);
687 static u8 nfc_llcp_dsap(const struct sk_buff *pdu)
689 return (pdu->data[0] & 0xfc) >> 2;
692 static u8 nfc_llcp_ptype(const struct sk_buff *pdu)
694 return ((pdu->data[0] & 0x03) << 2) | ((pdu->data[1] & 0xc0) >> 6);
697 static u8 nfc_llcp_ssap(const struct sk_buff *pdu)
699 return pdu->data[1] & 0x3f;
702 static u8 nfc_llcp_ns(const struct sk_buff *pdu)
704 return pdu->data[2] >> 4;
707 static u8 nfc_llcp_nr(const struct sk_buff *pdu)
709 return pdu->data[2] & 0xf;
712 static void nfc_llcp_set_nrns(struct nfc_llcp_sock *sock, struct sk_buff *pdu)
714 pdu->data[2] = (sock->send_n << 4) | (sock->recv_n);
715 sock->send_n = (sock->send_n + 1) % 16;
716 sock->recv_ack_n = (sock->recv_n - 1) % 16;
719 void nfc_llcp_send_to_raw_sock(struct nfc_llcp_local *local,
720 struct sk_buff *skb, u8 direction)
722 struct sk_buff *skb_copy = NULL, *nskb;
726 read_lock(&local->raw_sockets.lock);
728 sk_for_each(sk, &local->raw_sockets.head) {
729 if (sk->sk_state != LLCP_BOUND)
732 if (skb_copy == NULL) {
733 skb_copy = __pskb_copy_fclone(skb, NFC_RAW_HEADER_SIZE,
736 if (skb_copy == NULL)
739 data = skb_push(skb_copy, NFC_RAW_HEADER_SIZE);
741 data[0] = local->dev ? local->dev->idx : 0xFF;
742 data[1] = direction & 0x01;
743 data[1] |= (RAW_PAYLOAD_LLCP << 1);
746 nskb = skb_clone(skb_copy, GFP_ATOMIC);
750 if (sock_queue_rcv_skb(sk, nskb))
754 read_unlock(&local->raw_sockets.lock);
759 static void nfc_llcp_tx_work(struct work_struct *work)
761 struct nfc_llcp_local *local = container_of(work, struct nfc_llcp_local,
765 struct nfc_llcp_sock *llcp_sock;
767 skb = skb_dequeue(&local->tx_queue);
770 llcp_sock = nfc_llcp_sock(sk);
772 if (llcp_sock == NULL && nfc_llcp_ptype(skb) == LLCP_PDU_I) {
774 nfc_llcp_send_symm(local->dev);
775 } else if (llcp_sock && !llcp_sock->remote_ready) {
776 skb_queue_head(&local->tx_queue, skb);
777 nfc_llcp_send_symm(local->dev);
779 struct sk_buff *copy_skb = NULL;
780 u8 ptype = nfc_llcp_ptype(skb);
783 pr_debug("Sending pending skb\n");
784 print_hex_dump_debug("LLCP Tx: ", DUMP_PREFIX_OFFSET,
785 16, 1, skb->data, skb->len, true);
787 if (ptype == LLCP_PDU_DISC && sk != NULL &&
788 sk->sk_state == LLCP_DISCONNECTING) {
789 nfc_llcp_sock_unlink(&local->sockets, sk);
794 if (ptype == LLCP_PDU_I)
795 copy_skb = skb_copy(skb, GFP_ATOMIC);
797 __net_timestamp(skb);
799 nfc_llcp_send_to_raw_sock(local, skb,
802 ret = nfc_data_exchange(local->dev, local->target_idx,
803 skb, nfc_llcp_recv, local);
810 if (ptype == LLCP_PDU_I && copy_skb)
811 skb_queue_tail(&llcp_sock->tx_pending_queue,
815 nfc_llcp_send_symm(local->dev);
819 mod_timer(&local->link_timer,
820 jiffies + msecs_to_jiffies(2 * local->remote_lto));
823 static struct nfc_llcp_sock *nfc_llcp_connecting_sock_get(struct nfc_llcp_local *local,
827 struct nfc_llcp_sock *llcp_sock;
829 read_lock(&local->connecting_sockets.lock);
831 sk_for_each(sk, &local->connecting_sockets.head) {
832 llcp_sock = nfc_llcp_sock(sk);
834 if (llcp_sock->ssap == ssap) {
835 sock_hold(&llcp_sock->sk);
843 read_unlock(&local->connecting_sockets.lock);
848 static struct nfc_llcp_sock *nfc_llcp_sock_get_sn(struct nfc_llcp_local *local,
849 const u8 *sn, size_t sn_len)
851 return nfc_llcp_sock_from_sn(local, sn, sn_len, true);
854 static const u8 *nfc_llcp_connect_sn(const struct sk_buff *skb, size_t *sn_len)
857 const u8 *tlv = &skb->data[2];
858 size_t tlv_array_len = skb->len - LLCP_HEADER_SIZE, offset = 0;
860 while (offset < tlv_array_len) {
864 pr_debug("type 0x%x length %d\n", type, length);
866 if (type == LLCP_TLV_SN) {
871 offset += length + 2;
878 static void nfc_llcp_recv_ui(struct nfc_llcp_local *local,
881 struct nfc_llcp_sock *llcp_sock;
882 struct nfc_llcp_ui_cb *ui_cb;
885 dsap = nfc_llcp_dsap(skb);
886 ssap = nfc_llcp_ssap(skb);
888 ui_cb = nfc_llcp_ui_skb_cb(skb);
892 pr_debug("%d %d\n", dsap, ssap);
894 /* We're looking for a bound socket, not a client one */
895 llcp_sock = nfc_llcp_sock_get(local, dsap, LLCP_SAP_SDP);
896 if (llcp_sock == NULL || llcp_sock->sk.sk_type != SOCK_DGRAM)
899 /* There is no sequence with UI frames */
900 skb_pull(skb, LLCP_HEADER_SIZE);
901 if (!sock_queue_rcv_skb(&llcp_sock->sk, skb)) {
903 * UI frames will be freed from the socket layer, so we
904 * need to keep them alive until someone receives them.
908 pr_err("Receive queue is full\n");
911 nfc_llcp_sock_put(llcp_sock);
914 static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
915 const struct sk_buff *skb)
917 struct sock *new_sk, *parent;
918 struct nfc_llcp_sock *sock, *new_sock;
919 u8 dsap, ssap, reason;
921 dsap = nfc_llcp_dsap(skb);
922 ssap = nfc_llcp_ssap(skb);
924 pr_debug("%d %d\n", dsap, ssap);
926 if (dsap != LLCP_SAP_SDP) {
927 sock = nfc_llcp_sock_get(local, dsap, LLCP_SAP_SDP);
928 if (sock == NULL || sock->sk.sk_state != LLCP_LISTEN) {
929 reason = LLCP_DM_NOBOUND;
936 sn = nfc_llcp_connect_sn(skb, &sn_len);
938 reason = LLCP_DM_NOBOUND;
942 pr_debug("Service name length %zu\n", sn_len);
944 sock = nfc_llcp_sock_get_sn(local, sn, sn_len);
946 reason = LLCP_DM_NOBOUND;
951 lock_sock(&sock->sk);
955 if (sk_acceptq_is_full(parent)) {
956 reason = LLCP_DM_REJ;
957 release_sock(&sock->sk);
962 if (sock->ssap == LLCP_SDP_UNBOUND) {
963 u8 ssap = nfc_llcp_reserve_sdp_ssap(local);
965 pr_debug("First client, reserving %d\n", ssap);
967 if (ssap == LLCP_SAP_MAX) {
968 reason = LLCP_DM_REJ;
969 release_sock(&sock->sk);
977 new_sk = nfc_llcp_sock_alloc(NULL, parent->sk_type, GFP_ATOMIC, 0);
978 if (new_sk == NULL) {
979 reason = LLCP_DM_REJ;
980 release_sock(&sock->sk);
985 new_sock = nfc_llcp_sock(new_sk);
987 new_sock->local = nfc_llcp_local_get(local);
988 if (!new_sock->local) {
989 reason = LLCP_DM_REJ;
990 sock_put(&new_sock->sk);
991 release_sock(&sock->sk);
996 new_sock->dev = local->dev;
997 new_sock->rw = sock->rw;
998 new_sock->miux = sock->miux;
999 new_sock->nfc_protocol = sock->nfc_protocol;
1000 new_sock->dsap = ssap;
1001 new_sock->target_idx = local->target_idx;
1002 new_sock->parent = parent;
1003 new_sock->ssap = sock->ssap;
1004 if (sock->ssap < LLCP_LOCAL_NUM_SAP && sock->ssap >= LLCP_WKS_NUM_SAP) {
1005 atomic_t *client_count;
1007 pr_debug("reserved_ssap %d for %p\n", sock->ssap, new_sock);
1010 &local->local_sdp_cnt[sock->ssap - LLCP_WKS_NUM_SAP];
1012 atomic_inc(client_count);
1013 new_sock->reserved_ssap = sock->ssap;
1016 nfc_llcp_parse_connection_tlv(new_sock, &skb->data[LLCP_HEADER_SIZE],
1017 skb->len - LLCP_HEADER_SIZE);
1019 pr_debug("new sock %p sk %p\n", new_sock, &new_sock->sk);
1021 nfc_llcp_sock_link(&local->sockets, new_sk);
1023 nfc_llcp_accept_enqueue(&sock->sk, new_sk);
1025 nfc_get_device(local->dev->idx);
1027 new_sk->sk_state = LLCP_CONNECTED;
1029 /* Wake the listening processes */
1030 parent->sk_data_ready(parent);
1033 nfc_llcp_send_cc(new_sock);
1035 release_sock(&sock->sk);
1036 sock_put(&sock->sk);
1042 nfc_llcp_send_dm(local, dsap, ssap, reason);
1045 int nfc_llcp_queue_i_frames(struct nfc_llcp_sock *sock)
1048 struct nfc_llcp_local *local = sock->local;
1050 pr_debug("Remote ready %d tx queue len %d remote rw %d",
1051 sock->remote_ready, skb_queue_len(&sock->tx_pending_queue),
1054 /* Try to queue some I frames for transmission */
1055 while (sock->remote_ready &&
1056 skb_queue_len(&sock->tx_pending_queue) < sock->remote_rw) {
1057 struct sk_buff *pdu;
1059 pdu = skb_dequeue(&sock->tx_queue);
1063 /* Update N(S)/N(R) */
1064 nfc_llcp_set_nrns(sock, pdu);
1066 skb_queue_tail(&local->tx_queue, pdu);
1073 static void nfc_llcp_recv_hdlc(struct nfc_llcp_local *local,
1074 struct sk_buff *skb)
1076 struct nfc_llcp_sock *llcp_sock;
1078 u8 dsap, ssap, ptype, ns, nr;
1080 ptype = nfc_llcp_ptype(skb);
1081 dsap = nfc_llcp_dsap(skb);
1082 ssap = nfc_llcp_ssap(skb);
1083 ns = nfc_llcp_ns(skb);
1084 nr = nfc_llcp_nr(skb);
1086 pr_debug("%d %d R %d S %d\n", dsap, ssap, nr, ns);
1088 llcp_sock = nfc_llcp_sock_get(local, dsap, ssap);
1089 if (llcp_sock == NULL) {
1090 nfc_llcp_send_dm(local, dsap, ssap, LLCP_DM_NOCONN);
1094 sk = &llcp_sock->sk;
1096 if (sk->sk_state == LLCP_CLOSED) {
1098 nfc_llcp_sock_put(llcp_sock);
1101 /* Pass the payload upstream */
1102 if (ptype == LLCP_PDU_I) {
1103 pr_debug("I frame, queueing on %p\n", &llcp_sock->sk);
1105 if (ns == llcp_sock->recv_n)
1106 llcp_sock->recv_n = (llcp_sock->recv_n + 1) % 16;
1108 pr_err("Received out of sequence I PDU\n");
1110 skb_pull(skb, LLCP_HEADER_SIZE + LLCP_SEQUENCE_SIZE);
1111 if (!sock_queue_rcv_skb(&llcp_sock->sk, skb)) {
1113 * I frames will be freed from the socket layer, so we
1114 * need to keep them alive until someone receives them.
1118 pr_err("Receive queue is full\n");
1122 /* Remove skbs from the pending queue */
1123 if (llcp_sock->send_ack_n != nr) {
1124 struct sk_buff *s, *tmp;
1127 llcp_sock->send_ack_n = nr;
1129 /* Remove and free all skbs until ns == nr */
1130 skb_queue_walk_safe(&llcp_sock->tx_pending_queue, s, tmp) {
1133 skb_unlink(s, &llcp_sock->tx_pending_queue);
1140 /* Re-queue the remaining skbs for transmission */
1141 skb_queue_reverse_walk_safe(&llcp_sock->tx_pending_queue,
1143 skb_unlink(s, &llcp_sock->tx_pending_queue);
1144 skb_queue_head(&local->tx_queue, s);
1148 if (ptype == LLCP_PDU_RR)
1149 llcp_sock->remote_ready = true;
1150 else if (ptype == LLCP_PDU_RNR)
1151 llcp_sock->remote_ready = false;
1153 if (nfc_llcp_queue_i_frames(llcp_sock) == 0 && ptype == LLCP_PDU_I)
1154 nfc_llcp_send_rr(llcp_sock);
1157 nfc_llcp_sock_put(llcp_sock);
1160 static void nfc_llcp_recv_disc(struct nfc_llcp_local *local,
1161 const struct sk_buff *skb)
1163 struct nfc_llcp_sock *llcp_sock;
1167 dsap = nfc_llcp_dsap(skb);
1168 ssap = nfc_llcp_ssap(skb);
1170 if ((dsap == 0) && (ssap == 0)) {
1171 pr_debug("Connection termination");
1172 nfc_dep_link_down(local->dev);
1176 llcp_sock = nfc_llcp_sock_get(local, dsap, ssap);
1177 if (llcp_sock == NULL) {
1178 nfc_llcp_send_dm(local, dsap, ssap, LLCP_DM_NOCONN);
1182 sk = &llcp_sock->sk;
1185 nfc_llcp_socket_purge(llcp_sock);
1187 if (sk->sk_state == LLCP_CLOSED) {
1189 nfc_llcp_sock_put(llcp_sock);
1192 if (sk->sk_state == LLCP_CONNECTED) {
1193 nfc_put_device(local->dev);
1194 sk->sk_state = LLCP_CLOSED;
1195 sk->sk_state_change(sk);
1198 nfc_llcp_send_dm(local, dsap, ssap, LLCP_DM_DISC);
1201 nfc_llcp_sock_put(llcp_sock);
1204 static void nfc_llcp_recv_cc(struct nfc_llcp_local *local,
1205 const struct sk_buff *skb)
1207 struct nfc_llcp_sock *llcp_sock;
1211 dsap = nfc_llcp_dsap(skb);
1212 ssap = nfc_llcp_ssap(skb);
1214 llcp_sock = nfc_llcp_connecting_sock_get(local, dsap);
1215 if (llcp_sock == NULL) {
1216 pr_err("Invalid CC\n");
1217 nfc_llcp_send_dm(local, dsap, ssap, LLCP_DM_NOCONN);
1222 sk = &llcp_sock->sk;
1224 /* Unlink from connecting and link to the client array */
1225 nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
1226 nfc_llcp_sock_link(&local->sockets, sk);
1227 llcp_sock->dsap = ssap;
1229 nfc_llcp_parse_connection_tlv(llcp_sock, &skb->data[LLCP_HEADER_SIZE],
1230 skb->len - LLCP_HEADER_SIZE);
1232 sk->sk_state = LLCP_CONNECTED;
1233 sk->sk_state_change(sk);
1235 nfc_llcp_sock_put(llcp_sock);
1238 static void nfc_llcp_recv_dm(struct nfc_llcp_local *local,
1239 const struct sk_buff *skb)
1241 struct nfc_llcp_sock *llcp_sock;
1243 u8 dsap, ssap, reason;
1245 dsap = nfc_llcp_dsap(skb);
1246 ssap = nfc_llcp_ssap(skb);
1247 reason = skb->data[2];
1249 pr_debug("%d %d reason %d\n", ssap, dsap, reason);
1252 case LLCP_DM_NOBOUND:
1254 llcp_sock = nfc_llcp_connecting_sock_get(local, dsap);
1258 llcp_sock = nfc_llcp_sock_get(local, dsap, ssap);
1262 if (llcp_sock == NULL) {
1263 pr_debug("Already closed\n");
1267 sk = &llcp_sock->sk;
1270 sk->sk_state = LLCP_CLOSED;
1271 sk->sk_state_change(sk);
1273 nfc_llcp_sock_put(llcp_sock);
1276 static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
1277 const struct sk_buff *skb)
1279 struct nfc_llcp_sock *llcp_sock;
1280 u8 dsap, ssap, type, length, tid, sap;
1282 u16 tlv_len, offset;
1283 const char *service_name;
1284 size_t service_name_len;
1285 struct nfc_llcp_sdp_tlv *sdp;
1286 HLIST_HEAD(llc_sdres_list);
1287 size_t sdres_tlvs_len;
1288 HLIST_HEAD(nl_sdres_list);
1290 dsap = nfc_llcp_dsap(skb);
1291 ssap = nfc_llcp_ssap(skb);
1293 pr_debug("%d %d\n", dsap, ssap);
1295 if (dsap != LLCP_SAP_SDP || ssap != LLCP_SAP_SDP) {
1296 pr_err("Wrong SNL SAP\n");
1300 tlv = &skb->data[LLCP_HEADER_SIZE];
1301 tlv_len = skb->len - LLCP_HEADER_SIZE;
1305 while (offset < tlv_len) {
1310 case LLCP_TLV_SDREQ:
1312 service_name = (char *) &tlv[3];
1313 service_name_len = length - 1;
1315 pr_debug("Looking for %.16s\n", service_name);
1317 if (service_name_len == strlen("urn:nfc:sn:sdp") &&
1318 !strncmp(service_name, "urn:nfc:sn:sdp",
1319 service_name_len)) {
1324 llcp_sock = nfc_llcp_sock_from_sn(local, service_name,
1333 * We found a socket but its ssap has not been reserved
1334 * yet. We need to assign it for good and send a reply.
1335 * The ssap will be freed when the socket is closed.
1337 if (llcp_sock->ssap == LLCP_SDP_UNBOUND) {
1338 atomic_t *client_count;
1340 sap = nfc_llcp_reserve_sdp_ssap(local);
1342 pr_debug("Reserving %d\n", sap);
1344 if (sap == LLCP_SAP_MAX) {
1346 nfc_llcp_sock_put(llcp_sock);
1351 &local->local_sdp_cnt[sap -
1354 atomic_inc(client_count);
1356 llcp_sock->ssap = sap;
1357 llcp_sock->reserved_ssap = sap;
1359 sap = llcp_sock->ssap;
1362 pr_debug("%p %d\n", llcp_sock, sap);
1364 nfc_llcp_sock_put(llcp_sock);
1366 sdp = nfc_llcp_build_sdres_tlv(tid, sap);
1370 sdres_tlvs_len += sdp->tlv_len;
1371 hlist_add_head(&sdp->node, &llc_sdres_list);
1374 case LLCP_TLV_SDRES:
1375 mutex_lock(&local->sdreq_lock);
1377 pr_debug("LLCP_TLV_SDRES: searching tid %d\n", tlv[2]);
1379 hlist_for_each_entry(sdp, &local->pending_sdreqs, node) {
1380 if (sdp->tid != tlv[2])
1385 pr_debug("Found: uri=%s, sap=%d\n",
1386 sdp->uri, sdp->sap);
1388 hlist_del(&sdp->node);
1390 hlist_add_head(&sdp->node, &nl_sdres_list);
1395 mutex_unlock(&local->sdreq_lock);
1399 pr_err("Invalid SNL tlv value 0x%x\n", type);
1403 offset += length + 2;
1408 if (!hlist_empty(&nl_sdres_list))
1409 nfc_genl_llc_send_sdres(local->dev, &nl_sdres_list);
1411 if (!hlist_empty(&llc_sdres_list))
1412 nfc_llcp_send_snl_sdres(local, &llc_sdres_list, sdres_tlvs_len);
1415 static void nfc_llcp_recv_agf(struct nfc_llcp_local *local, struct sk_buff *skb)
1419 struct sk_buff *new_skb;
1421 if (skb->len <= LLCP_HEADER_SIZE) {
1422 pr_err("Malformed AGF PDU\n");
1426 skb_pull(skb, LLCP_HEADER_SIZE);
1428 while (skb->len > LLCP_AGF_PDU_HEADER_SIZE) {
1429 pdu_len = skb->data[0] << 8 | skb->data[1];
1431 skb_pull(skb, LLCP_AGF_PDU_HEADER_SIZE);
1433 if (pdu_len < LLCP_HEADER_SIZE || pdu_len > skb->len) {
1434 pr_err("Malformed AGF PDU\n");
1438 ptype = nfc_llcp_ptype(skb);
1440 if (ptype == LLCP_PDU_SYMM || ptype == LLCP_PDU_AGF)
1443 new_skb = nfc_alloc_recv_skb(pdu_len, GFP_KERNEL);
1444 if (new_skb == NULL) {
1445 pr_err("Could not allocate PDU\n");
1449 skb_put_data(new_skb, skb->data, pdu_len);
1451 nfc_llcp_rx_skb(local, new_skb);
1455 skb_pull(skb, pdu_len);
1459 static void nfc_llcp_rx_skb(struct nfc_llcp_local *local, struct sk_buff *skb)
1461 u8 dsap, ssap, ptype;
1463 ptype = nfc_llcp_ptype(skb);
1464 dsap = nfc_llcp_dsap(skb);
1465 ssap = nfc_llcp_ssap(skb);
1467 pr_debug("ptype 0x%x dsap 0x%x ssap 0x%x\n", ptype, dsap, ssap);
1469 if (ptype != LLCP_PDU_SYMM)
1470 print_hex_dump_debug("LLCP Rx: ", DUMP_PREFIX_OFFSET, 16, 1,
1471 skb->data, skb->len, true);
1480 nfc_llcp_recv_ui(local, skb);
1483 case LLCP_PDU_CONNECT:
1484 pr_debug("CONNECT\n");
1485 nfc_llcp_recv_connect(local, skb);
1490 nfc_llcp_recv_disc(local, skb);
1495 nfc_llcp_recv_cc(local, skb);
1500 nfc_llcp_recv_dm(local, skb);
1505 nfc_llcp_recv_snl(local, skb);
1511 pr_debug("I frame\n");
1512 nfc_llcp_recv_hdlc(local, skb);
1516 pr_debug("AGF frame\n");
1517 nfc_llcp_recv_agf(local, skb);
1522 static void nfc_llcp_rx_work(struct work_struct *work)
1524 struct nfc_llcp_local *local = container_of(work, struct nfc_llcp_local,
1526 struct sk_buff *skb;
1528 skb = local->rx_pending;
1530 pr_debug("No pending SKB\n");
1534 __net_timestamp(skb);
1536 nfc_llcp_send_to_raw_sock(local, skb, NFC_DIRECTION_RX);
1538 nfc_llcp_rx_skb(local, skb);
1540 schedule_work(&local->tx_work);
1541 kfree_skb(local->rx_pending);
1542 local->rx_pending = NULL;
1545 static void __nfc_llcp_recv(struct nfc_llcp_local *local, struct sk_buff *skb)
1547 local->rx_pending = skb;
1548 del_timer(&local->link_timer);
1549 schedule_work(&local->rx_work);
1552 void nfc_llcp_recv(void *data, struct sk_buff *skb, int err)
1554 struct nfc_llcp_local *local = (struct nfc_llcp_local *) data;
1556 pr_debug("Received an LLCP PDU\n");
1558 pr_err("err %d\n", err);
1562 __nfc_llcp_recv(local, skb);
1565 int nfc_llcp_data_received(struct nfc_dev *dev, struct sk_buff *skb)
1567 struct nfc_llcp_local *local;
1569 local = nfc_llcp_find_local(dev);
1570 if (local == NULL) {
1575 __nfc_llcp_recv(local, skb);
1577 nfc_llcp_local_put(local);
1582 void nfc_llcp_mac_is_down(struct nfc_dev *dev)
1584 struct nfc_llcp_local *local;
1586 local = nfc_llcp_find_local(dev);
1590 local->remote_miu = LLCP_DEFAULT_MIU;
1591 local->remote_lto = LLCP_DEFAULT_LTO;
1593 /* Close and purge all existing sockets */
1594 nfc_llcp_socket_release(local, true, 0);
1596 nfc_llcp_local_put(local);
1599 void nfc_llcp_mac_is_up(struct nfc_dev *dev, u32 target_idx,
1600 u8 comm_mode, u8 rf_mode)
1602 struct nfc_llcp_local *local;
1604 pr_debug("rf mode %d\n", rf_mode);
1606 local = nfc_llcp_find_local(dev);
1610 local->target_idx = target_idx;
1611 local->comm_mode = comm_mode;
1612 local->rf_mode = rf_mode;
1614 if (rf_mode == NFC_RF_INITIATOR) {
1615 pr_debug("Queueing Tx work\n");
1617 schedule_work(&local->tx_work);
1619 mod_timer(&local->link_timer,
1620 jiffies + msecs_to_jiffies(local->remote_lto));
1623 nfc_llcp_local_put(local);
1626 int nfc_llcp_register_device(struct nfc_dev *ndev)
1628 struct nfc_llcp_local *local;
1630 local = kzalloc(sizeof(struct nfc_llcp_local), GFP_KERNEL);
1634 /* As we are going to initialize local's refcount, we need to get the
1635 * nfc_dev to avoid UAF, otherwise there is no point in continuing.
1636 * See nfc_llcp_local_get().
1638 local->dev = nfc_get_device(ndev->idx);
1644 INIT_LIST_HEAD(&local->list);
1645 kref_init(&local->ref);
1646 mutex_init(&local->sdp_lock);
1647 timer_setup(&local->link_timer, nfc_llcp_symm_timer, 0);
1649 skb_queue_head_init(&local->tx_queue);
1650 INIT_WORK(&local->tx_work, nfc_llcp_tx_work);
1652 local->rx_pending = NULL;
1653 INIT_WORK(&local->rx_work, nfc_llcp_rx_work);
1655 INIT_WORK(&local->timeout_work, nfc_llcp_timeout_work);
1657 rwlock_init(&local->sockets.lock);
1658 rwlock_init(&local->connecting_sockets.lock);
1659 rwlock_init(&local->raw_sockets.lock);
1661 local->lto = 150; /* 1500 ms */
1662 local->rw = LLCP_MAX_RW;
1663 local->miux = cpu_to_be16(LLCP_MAX_MIUX);
1664 local->local_wks = 0x1; /* LLC Link Management */
1666 nfc_llcp_build_gb(local);
1668 local->remote_miu = LLCP_DEFAULT_MIU;
1669 local->remote_lto = LLCP_DEFAULT_LTO;
1671 mutex_init(&local->sdreq_lock);
1672 INIT_HLIST_HEAD(&local->pending_sdreqs);
1673 timer_setup(&local->sdreq_timer, nfc_llcp_sdreq_timer, 0);
1674 INIT_WORK(&local->sdreq_timeout_work, nfc_llcp_sdreq_timeout_work);
1676 spin_lock(&llcp_devices_lock);
1677 list_add(&local->list, &llcp_devices);
1678 spin_unlock(&llcp_devices_lock);
1683 void nfc_llcp_unregister_device(struct nfc_dev *dev)
1685 struct nfc_llcp_local *local = nfc_llcp_remove_local(dev);
1687 if (local == NULL) {
1688 pr_debug("No such device\n");
1692 local_cleanup(local);
1694 nfc_llcp_local_put(local);
1697 int __init nfc_llcp_init(void)
1699 return nfc_llcp_sock_init();
1702 void nfc_llcp_exit(void)
1704 nfc_llcp_sock_exit();
projects / releases.git / blob