]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/blob - drivers/rpmsg/rpmsg_char.c
projects / mirror_ubuntu-jammy-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
rpmsg: char: Fix race between the release of rpmsg_eptdev and cdev
[mirror_ubuntu-jammy-kernel.git] / drivers / rpmsg / rpmsg_char.c
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Copyright (c) 2016, Linaro Ltd.
4 * Copyright (c) 2012, Michal Simek <monstr@monstr.eu>
5 * Copyright (c) 2012, PetaLogix
6 * Copyright (c) 2011, Texas Instruments, Inc.
7 * Copyright (c) 2011, Google, Inc.
8 *
9 * Based on rpmsg performance statistics driver by Michal Simek, which in turn
10 * was based on TI & Google OMX rpmsg driver.
11 */
12 #include <linux/cdev.h>
13 #include <linux/device.h>
14 #include <linux/fs.h>
15 #include <linux/idr.h>
16 #include <linux/kernel.h>
17 #include <linux/module.h>
18 #include <linux/poll.h>
19 #include <linux/rpmsg.h>
20 #include <linux/skbuff.h>
21 #include <linux/slab.h>
22 #include <linux/uaccess.h>
23 #include <uapi/linux/rpmsg.h>
24
25 #include "rpmsg_internal.h"
26
27 #define RPMSG_DEV_MAX (MINORMASK + 1)
28
29 static dev_t rpmsg_major;
30 static struct class *rpmsg_class;
31
32 static DEFINE_IDA(rpmsg_ctrl_ida);
33 static DEFINE_IDA(rpmsg_ept_ida);
34 static DEFINE_IDA(rpmsg_minor_ida);
35
36 #define dev_to_eptdev(dev) container_of(dev, struct rpmsg_eptdev, dev)
37 #define cdev_to_eptdev(i_cdev) container_of(i_cdev, struct rpmsg_eptdev, cdev)
38
39 #define dev_to_ctrldev(dev) container_of(dev, struct rpmsg_ctrldev, dev)
40 #define cdev_to_ctrldev(i_cdev) container_of(i_cdev, struct rpmsg_ctrldev, cdev)
41
42 /**
43 * struct rpmsg_ctrldev - control device for instantiating endpoint devices
44 * @rpdev: underlaying rpmsg device
45 * @cdev: cdev for the ctrl device
46 * @dev: device for the ctrl device
47 */
48 struct rpmsg_ctrldev {
49 struct rpmsg_device *rpdev;
50 struct cdev cdev;
51 struct device dev;
52 };
53
54 /**
55 * struct rpmsg_eptdev - endpoint device context
56 * @dev: endpoint device
57 * @cdev: cdev for the endpoint device
58 * @rpdev: underlaying rpmsg device
59 * @chinfo: info used to open the endpoint
60 * @ept_lock: synchronization of @ept modifications
61 * @ept: rpmsg endpoint reference, when open
62 * @queue_lock: synchronization of @queue operations
63 * @queue: incoming message queue
64 * @readq: wait object for incoming queue
65 */
66 struct rpmsg_eptdev {
67 struct device dev;
68 struct cdev cdev;
69
70 struct rpmsg_device *rpdev;
71 struct rpmsg_channel_info chinfo;
72
73 struct mutex ept_lock;
74 struct rpmsg_endpoint *ept;
75
76 spinlock_t queue_lock;
77 struct sk_buff_head queue;
78 wait_queue_head_t readq;
79 };
80
81 static int rpmsg_eptdev_destroy(struct device *dev, void *data)
82 {
83 struct rpmsg_eptdev *eptdev = dev_to_eptdev(dev);
84
85 mutex_lock(&eptdev->ept_lock);
86 if (eptdev->ept) {
87 rpmsg_destroy_ept(eptdev->ept);
88 eptdev->ept = NULL;
89 }
90 mutex_unlock(&eptdev->ept_lock);
91
92 /* wake up any blocked readers */
93 wake_up_interruptible(&eptdev->readq);
94
95 cdev_device_del(&eptdev->cdev, &eptdev->dev);
96 put_device(&eptdev->dev);
97
98 return 0;
99 }
100
101 static int rpmsg_ept_cb(struct rpmsg_device *rpdev, void *buf, int len,
102 void *priv, u32 addr)
103 {
104 struct rpmsg_eptdev *eptdev = priv;
105 struct sk_buff *skb;
106
107 skb = alloc_skb(len, GFP_ATOMIC);
108 if (!skb)
109 return -ENOMEM;
110
111 skb_put_data(skb, buf, len);
112
113 spin_lock(&eptdev->queue_lock);
114 skb_queue_tail(&eptdev->queue, skb);
115 spin_unlock(&eptdev->queue_lock);
116
117 /* wake up any blocking processes, waiting for new data */
118 wake_up_interruptible(&eptdev->readq);
119
120 return 0;
121 }
122
123 static int rpmsg_eptdev_open(struct inode *inode, struct file *filp)
124 {
125 struct rpmsg_eptdev *eptdev = cdev_to_eptdev(inode->i_cdev);
126 struct rpmsg_endpoint *ept;
127 struct rpmsg_device *rpdev = eptdev->rpdev;
128 struct device *dev = &eptdev->dev;
129
130 if (eptdev->ept)
131 return -EBUSY;
132
133 get_device(dev);
134
135 ept = rpmsg_create_ept(rpdev, rpmsg_ept_cb, eptdev, eptdev->chinfo);
136 if (!ept) {
137 dev_err(dev, "failed to open %s\n", eptdev->chinfo.name);
138 put_device(dev);
139 return -EINVAL;
140 }
141
142 eptdev->ept = ept;
143 filp->private_data = eptdev;
144
145 return 0;
146 }
147
148 static int rpmsg_eptdev_release(struct inode *inode, struct file *filp)
149 {
150 struct rpmsg_eptdev *eptdev = cdev_to_eptdev(inode->i_cdev);
151 struct device *dev = &eptdev->dev;
152
153 /* Close the endpoint, if it's not already destroyed by the parent */
154 mutex_lock(&eptdev->ept_lock);
155 if (eptdev->ept) {
156 rpmsg_destroy_ept(eptdev->ept);
157 eptdev->ept = NULL;
158 }
159 mutex_unlock(&eptdev->ept_lock);
160
161 /* Discard all SKBs */
162 skb_queue_purge(&eptdev->queue);
163
164 put_device(dev);
165
166 return 0;
167 }
168
169 static ssize_t rpmsg_eptdev_read_iter(struct kiocb *iocb, struct iov_iter *to)
170 {
171 struct file *filp = iocb->ki_filp;
172 struct rpmsg_eptdev *eptdev = filp->private_data;
173 unsigned long flags;
174 struct sk_buff *skb;
175 int use;
176
177 if (!eptdev->ept)
178 return -EPIPE;
179
180 spin_lock_irqsave(&eptdev->queue_lock, flags);
181
182 /* Wait for data in the queue */
183 if (skb_queue_empty(&eptdev->queue)) {
184 spin_unlock_irqrestore(&eptdev->queue_lock, flags);
185
186 if (filp->f_flags & O_NONBLOCK)
187 return -EAGAIN;
188
189 /* Wait until we get data or the endpoint goes away */
190 if (wait_event_interruptible(eptdev->readq,
191 !skb_queue_empty(&eptdev->queue) ||
192 !eptdev->ept))
193 return -ERESTARTSYS;
194
195 /* We lost the endpoint while waiting */
196 if (!eptdev->ept)
197 return -EPIPE;
198
199 spin_lock_irqsave(&eptdev->queue_lock, flags);
200 }
201
202 skb = skb_dequeue(&eptdev->queue);
203 spin_unlock_irqrestore(&eptdev->queue_lock, flags);
204 if (!skb)
205 return -EFAULT;
206
207 use = min_t(size_t, iov_iter_count(to), skb->len);
208 if (copy_to_iter(skb->data, use, to) != use)
209 use = -EFAULT;
210
211 kfree_skb(skb);
212
213 return use;
214 }
215
216 static ssize_t rpmsg_eptdev_write_iter(struct kiocb *iocb,
217 struct iov_iter *from)
218 {
219 struct file *filp = iocb->ki_filp;
220 struct rpmsg_eptdev *eptdev = filp->private_data;
221 size_t len = iov_iter_count(from);
222 void *kbuf;
223 int ret;
224
225 kbuf = kzalloc(len, GFP_KERNEL);
226 if (!kbuf)
227 return -ENOMEM;
228
229 if (!copy_from_iter_full(kbuf, len, from)) {
230 ret = -EFAULT;
231 goto free_kbuf;
232 }
233
234 if (mutex_lock_interruptible(&eptdev->ept_lock)) {
235 ret = -ERESTARTSYS;
236 goto free_kbuf;
237 }
238
239 if (!eptdev->ept) {
240 ret = -EPIPE;
241 goto unlock_eptdev;
242 }
243
244 if (filp->f_flags & O_NONBLOCK)
245 ret = rpmsg_trysendto(eptdev->ept, kbuf, len, eptdev->chinfo.dst);
246 else
247 ret = rpmsg_sendto(eptdev->ept, kbuf, len, eptdev->chinfo.dst);
248
249 unlock_eptdev:
250 mutex_unlock(&eptdev->ept_lock);
251
252 free_kbuf:
253 kfree(kbuf);
254 return ret < 0 ? ret : len;
255 }
256
257 static __poll_t rpmsg_eptdev_poll(struct file *filp, poll_table *wait)
258 {
259 struct rpmsg_eptdev *eptdev = filp->private_data;
260 __poll_t mask = 0;
261
262 if (!eptdev->ept)
263 return EPOLLERR;
264
265 poll_wait(filp, &eptdev->readq, wait);
266
267 if (!skb_queue_empty(&eptdev->queue))
268 mask |= EPOLLIN | EPOLLRDNORM;
269
270 mask |= rpmsg_poll(eptdev->ept, filp, wait);
271
272 return mask;
273 }
274
275 static long rpmsg_eptdev_ioctl(struct file *fp, unsigned int cmd,
276 unsigned long arg)
277 {
278 struct rpmsg_eptdev *eptdev = fp->private_data;
279
280 if (cmd != RPMSG_DESTROY_EPT_IOCTL)
281 return -EINVAL;
282
283 return rpmsg_eptdev_destroy(&eptdev->dev, NULL);
284 }
285
286 static const struct file_operations rpmsg_eptdev_fops = {
287 .owner = THIS_MODULE,
288 .open = rpmsg_eptdev_open,
289 .release = rpmsg_eptdev_release,
290 .read_iter = rpmsg_eptdev_read_iter,
291 .write_iter = rpmsg_eptdev_write_iter,
292 .poll = rpmsg_eptdev_poll,
293 .unlocked_ioctl = rpmsg_eptdev_ioctl,
294 .compat_ioctl = compat_ptr_ioctl,
295 };
296
297 static ssize_t name_show(struct device *dev, struct device_attribute *attr,
298 char *buf)
299 {
300 struct rpmsg_eptdev *eptdev = dev_get_drvdata(dev);
301
302 return sprintf(buf, "%s\n", eptdev->chinfo.name);
303 }
304 static DEVICE_ATTR_RO(name);
305
306 static ssize_t src_show(struct device *dev, struct device_attribute *attr,
307 char *buf)
308 {
309 struct rpmsg_eptdev *eptdev = dev_get_drvdata(dev);
310
311 return sprintf(buf, "%d\n", eptdev->chinfo.src);
312 }
313 static DEVICE_ATTR_RO(src);
314
315 static ssize_t dst_show(struct device *dev, struct device_attribute *attr,
316 char *buf)
317 {
318 struct rpmsg_eptdev *eptdev = dev_get_drvdata(dev);
319
320 return sprintf(buf, "%d\n", eptdev->chinfo.dst);
321 }
322 static DEVICE_ATTR_RO(dst);
323
324 static struct attribute *rpmsg_eptdev_attrs[] = {
325 &dev_attr_name.attr,
326 &dev_attr_src.attr,
327 &dev_attr_dst.attr,
328 NULL
329 };
330 ATTRIBUTE_GROUPS(rpmsg_eptdev);
331
332 static void rpmsg_eptdev_release_device(struct device *dev)
333 {
334 struct rpmsg_eptdev *eptdev = dev_to_eptdev(dev);
335
336 ida_simple_remove(&rpmsg_ept_ida, dev->id);
337 ida_simple_remove(&rpmsg_minor_ida, MINOR(eptdev->dev.devt));
338 kfree(eptdev);
339 }
340
341 static int rpmsg_eptdev_create(struct rpmsg_ctrldev *ctrldev,
342 struct rpmsg_channel_info chinfo)
343 {
344 struct rpmsg_device *rpdev = ctrldev->rpdev;
345 struct rpmsg_eptdev *eptdev;
346 struct device *dev;
347 int ret;
348
349 eptdev = kzalloc(sizeof(*eptdev), GFP_KERNEL);
350 if (!eptdev)
351 return -ENOMEM;
352
353 dev = &eptdev->dev;
354 eptdev->rpdev = rpdev;
355 eptdev->chinfo = chinfo;
356
357 mutex_init(&eptdev->ept_lock);
358 spin_lock_init(&eptdev->queue_lock);
359 skb_queue_head_init(&eptdev->queue);
360 init_waitqueue_head(&eptdev->readq);
361
362 device_initialize(dev);
363 dev->class = rpmsg_class;
364 dev->parent = &ctrldev->dev;
365 dev->groups = rpmsg_eptdev_groups;
366 dev_set_drvdata(dev, eptdev);
367
368 cdev_init(&eptdev->cdev, &rpmsg_eptdev_fops);
369 eptdev->cdev.owner = THIS_MODULE;
370
371 ret = ida_simple_get(&rpmsg_minor_ida, 0, RPMSG_DEV_MAX, GFP_KERNEL);
372 if (ret < 0)
373 goto free_eptdev;
374 dev->devt = MKDEV(MAJOR(rpmsg_major), ret);
375
376 ret = ida_simple_get(&rpmsg_ept_ida, 0, 0, GFP_KERNEL);
377 if (ret < 0)
378 goto free_minor_ida;
379 dev->id = ret;
380 dev_set_name(dev, "rpmsg%d", ret);
381
382 ret = cdev_device_add(&eptdev->cdev, &eptdev->dev);
383 if (ret)
384 goto free_ept_ida;
385
386 /* We can now rely on the release function for cleanup */
387 dev->release = rpmsg_eptdev_release_device;
388
389 return ret;
390
391 free_ept_ida:
392 ida_simple_remove(&rpmsg_ept_ida, dev->id);
393 free_minor_ida:
394 ida_simple_remove(&rpmsg_minor_ida, MINOR(dev->devt));
395 free_eptdev:
396 put_device(dev);
397 kfree(eptdev);
398
399 return ret;
400 }
401
402 static int rpmsg_ctrldev_open(struct inode *inode, struct file *filp)
403 {
404 struct rpmsg_ctrldev *ctrldev = cdev_to_ctrldev(inode->i_cdev);
405
406 get_device(&ctrldev->dev);
407 filp->private_data = ctrldev;
408
409 return 0;
410 }
411
412 static int rpmsg_ctrldev_release(struct inode *inode, struct file *filp)
413 {
414 struct rpmsg_ctrldev *ctrldev = cdev_to_ctrldev(inode->i_cdev);
415
416 put_device(&ctrldev->dev);
417
418 return 0;
419 }
420
421 static long rpmsg_ctrldev_ioctl(struct file *fp, unsigned int cmd,
422 unsigned long arg)
423 {
424 struct rpmsg_ctrldev *ctrldev = fp->private_data;
425 void __user *argp = (void __user *)arg;
426 struct rpmsg_endpoint_info eptinfo;
427 struct rpmsg_channel_info chinfo;
428
429 if (cmd != RPMSG_CREATE_EPT_IOCTL)
430 return -EINVAL;
431
432 if (copy_from_user(&eptinfo, argp, sizeof(eptinfo)))
433 return -EFAULT;
434
435 memcpy(chinfo.name, eptinfo.name, RPMSG_NAME_SIZE);
436 chinfo.name[RPMSG_NAME_SIZE-1] = '\0';
437 chinfo.src = eptinfo.src;
438 chinfo.dst = eptinfo.dst;
439
440 return rpmsg_eptdev_create(ctrldev, chinfo);
441 };
442
443 static const struct file_operations rpmsg_ctrldev_fops = {
444 .owner = THIS_MODULE,
445 .open = rpmsg_ctrldev_open,
446 .release = rpmsg_ctrldev_release,
447 .unlocked_ioctl = rpmsg_ctrldev_ioctl,
448 .compat_ioctl = compat_ptr_ioctl,
449 };
450
451 static void rpmsg_ctrldev_release_device(struct device *dev)
452 {
453 struct rpmsg_ctrldev *ctrldev = dev_to_ctrldev(dev);
454
455 ida_simple_remove(&rpmsg_ctrl_ida, dev->id);
456 ida_simple_remove(&rpmsg_minor_ida, MINOR(dev->devt));
457 kfree(ctrldev);
458 }
459
460 static int rpmsg_chrdev_probe(struct rpmsg_device *rpdev)
461 {
462 struct rpmsg_ctrldev *ctrldev;
463 struct device *dev;
464 int ret;
465
466 ctrldev = kzalloc(sizeof(*ctrldev), GFP_KERNEL);
467 if (!ctrldev)
468 return -ENOMEM;
469
470 ctrldev->rpdev = rpdev;
471
472 dev = &ctrldev->dev;
473 device_initialize(dev);
474 dev->parent = &rpdev->dev;
475 dev->class = rpmsg_class;
476
477 cdev_init(&ctrldev->cdev, &rpmsg_ctrldev_fops);
478 ctrldev->cdev.owner = THIS_MODULE;
479
480 ret = ida_simple_get(&rpmsg_minor_ida, 0, RPMSG_DEV_MAX, GFP_KERNEL);
481 if (ret < 0)
482 goto free_ctrldev;
483 dev->devt = MKDEV(MAJOR(rpmsg_major), ret);
484
485 ret = ida_simple_get(&rpmsg_ctrl_ida, 0, 0, GFP_KERNEL);
486 if (ret < 0)
487 goto free_minor_ida;
488 dev->id = ret;
489 dev_set_name(&ctrldev->dev, "rpmsg_ctrl%d", ret);
490
491 ret = cdev_device_add(&ctrldev->cdev, &ctrldev->dev);
492 if (ret)
493 goto free_ctrl_ida;
494
495 /* We can now rely on the release function for cleanup */
496 dev->release = rpmsg_ctrldev_release_device;
497
498 dev_set_drvdata(&rpdev->dev, ctrldev);
499
500 return ret;
501
502 free_ctrl_ida:
503 ida_simple_remove(&rpmsg_ctrl_ida, dev->id);
504 free_minor_ida:
505 ida_simple_remove(&rpmsg_minor_ida, MINOR(dev->devt));
506 free_ctrldev:
507 put_device(dev);
508 kfree(ctrldev);
509
510 return ret;
511 }
512
513 static void rpmsg_chrdev_remove(struct rpmsg_device *rpdev)
514 {
515 struct rpmsg_ctrldev *ctrldev = dev_get_drvdata(&rpdev->dev);
516 int ret;
517
518 /* Destroy all endpoints */
519 ret = device_for_each_child(&ctrldev->dev, NULL, rpmsg_eptdev_destroy);
520 if (ret)
521 dev_warn(&rpdev->dev, "failed to nuke endpoints: %d\n", ret);
522
523 cdev_device_del(&ctrldev->cdev, &ctrldev->dev);
524 put_device(&ctrldev->dev);
525 }
526
527 static struct rpmsg_driver rpmsg_chrdev_driver = {
528 .probe = rpmsg_chrdev_probe,
529 .remove = rpmsg_chrdev_remove,
530 .drv = {
531 .name = "rpmsg_chrdev",
532 },
533 };
534
535 static int rpmsg_chrdev_init(void)
536 {
537 int ret;
538
539 ret = alloc_chrdev_region(&rpmsg_major, 0, RPMSG_DEV_MAX, "rpmsg");
540 if (ret < 0) {
541 pr_err("rpmsg: failed to allocate char dev region\n");
542 return ret;
543 }
544
545 rpmsg_class = class_create(THIS_MODULE, "rpmsg");
546 if (IS_ERR(rpmsg_class)) {
547 pr_err("failed to create rpmsg class\n");
548 unregister_chrdev_region(rpmsg_major, RPMSG_DEV_MAX);
549 return PTR_ERR(rpmsg_class);
550 }
551
552 ret = register_rpmsg_driver(&rpmsg_chrdev_driver);
553 if (ret < 0) {
554 pr_err("rpmsgchr: failed to register rpmsg driver\n");
555 class_destroy(rpmsg_class);
556 unregister_chrdev_region(rpmsg_major, RPMSG_DEV_MAX);
557 }
558
559 return ret;
560 }
561 postcore_initcall(rpmsg_chrdev_init);
562
563 static void rpmsg_chrdev_exit(void)
564 {
565 unregister_rpmsg_driver(&rpmsg_chrdev_driver);
566 class_destroy(rpmsg_class);
567 unregister_chrdev_region(rpmsg_major, RPMSG_DEV_MAX);
568 }
569 module_exit(rpmsg_chrdev_exit);
570
571 MODULE_ALIAS("rpmsg:rpmsg_chrdev");
572 MODULE_LICENSE("GPL v2");
Ubuntu Jammy Linux kernel mirror