Void-Hardened-Kernel/drivers/w1/w1_netlink.c

// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * Copyright (c) 2003 Evgeniy Polyakov <zbr@ioremap.net>
 */

#include <linux/slab.h>
#include <linux/skbuff.h>
#include <linux/netlink.h>
#include <linux/connector.h>

#include "w1_internal.h"
#include "w1_netlink.h"

#if defined(CONFIG_W1_CON) && (defined(CONFIG_CONNECTOR) || (defined(CONFIG_CONNECTOR_MODULE) && defined(CONFIG_W1_MODULE)))

/* Bundle together everything required to process a request in one memory
 * allocation.
 */
struct w1_cb_block {
	atomic_t refcnt;
	u32 portid; /* Sending process port ID */
	/* maximum value for first_cn->len */
	u16 maxlen;
	/* pointers to building up the reply message */
	struct cn_msg *first_cn; /* fixed once the structure is populated */
	struct cn_msg *cn; /* advances as cn_msg is appeneded */
	struct w1_netlink_msg *msg; /* advances as w1_netlink_msg is appened */
	struct w1_netlink_cmd *cmd; /* advances as cmds are appened */
	struct w1_netlink_msg *cur_msg; /* currently message being processed */
	/* copy of the original request follows */
	struct cn_msg request_cn;
	/* followed by variable length:
	 * cn_msg, data (w1_netlink_msg and w1_netlink_cmd)
	 * one or more struct w1_cb_node
	 * reply first_cn, data (w1_netlink_msg and w1_netlink_cmd)
	 */
};
struct w1_cb_node {
	struct w1_async_cmd async;
	/* pointers within w1_cb_block and cn data */
	struct w1_cb_block *block;
	struct w1_netlink_msg *msg;
	struct w1_slave *sl;
	struct w1_master *dev;
};

/**
 * w1_reply_len() - calculate current reply length, compare to maxlen
 * @block: block to calculate
 *
 * Calculates the current message length including possible multiple
 * cn_msg and data, excludes the first sizeof(struct cn_msg).  Direclty
 * compariable to maxlen and usable to send the message.
 */
static u16 w1_reply_len(struct w1_cb_block *block)
{
	if (!block->cn)
		return 0;
	return (u8 *)block->cn - (u8 *)block->first_cn + block->cn->len;
}

static void w1_unref_block(struct w1_cb_block *block)
{
	if (atomic_sub_return(1, &block->refcnt) == 0) {
		u16 len = w1_reply_len(block);
		if (len) {
			cn_netlink_send_mult(block->first_cn, len,
				block->portid, 0, GFP_KERNEL);
		}
		kfree(block);
	}
}

/**
 * w1_reply_make_space() - send message if needed to make space
 * @block: block to make space on
 * @space: how many bytes requested
 *
 * Verify there is enough room left for the caller to add "space" bytes to the
 * message, if there isn't send the message and reset.
 */
static void w1_reply_make_space(struct w1_cb_block *block, u16 space)
{
	u16 len = w1_reply_len(block);
	if (len + space >= block->maxlen) {
		cn_netlink_send_mult(block->first_cn, len, block->portid, 0, GFP_KERNEL);
		block->first_cn->len = 0;
		block->cn = NULL;
		block->msg = NULL;
		block->cmd = NULL;
	}
}

/* Early send when replies aren't bundled. */
static void w1_netlink_check_send(struct w1_cb_block *block)
{
	if (!(block->request_cn.flags & W1_CN_BUNDLE) && block->cn)
		w1_reply_make_space(block, block->maxlen);
}

/**
 * w1_netlink_setup_msg() - prepare to write block->msg
 * @block: block to operate on
 * @ack: determines if cn can be reused
 *
 * block->cn will be setup with the correct ack, advancing if needed
 * block->cn->len does not include space for block->msg
 * block->msg advances but remains uninitialized
 */
static void w1_netlink_setup_msg(struct w1_cb_block *block, u32 ack)
{
	if (block->cn && block->cn->ack == ack) {
		block->msg = (struct w1_netlink_msg *)(block->cn->data + block->cn->len);
	} else {
		/* advance or set to data */
		if (block->cn)
			block->cn = (struct cn_msg *)(block->cn->data +
				block->cn->len);
		else
			block->cn = block->first_cn;

		memcpy(block->cn, &block->request_cn, sizeof(*block->cn));
		block->cn->len = 0;
		block->cn->ack = ack;
		block->msg = (struct w1_netlink_msg *)block->cn->data;
	}
}

/* Append cmd to msg, include cmd->data as well.  This is because
 * any following data goes with the command and in the case of a read is
 * the results.
 */
static void w1_netlink_queue_cmd(struct w1_cb_block *block,
	struct w1_netlink_cmd *cmd)
{
	u32 space;
	w1_reply_make_space(block, sizeof(struct cn_msg) +
		sizeof(struct w1_netlink_msg) + sizeof(*cmd) + cmd->len);

	/* There's a status message sent after each command, so no point
	 * in trying to bundle this cmd after an existing one, because
	 * there won't be one.  Allocate and copy over a new cn_msg.
	 */
	w1_netlink_setup_msg(block, block->request_cn.seq + 1);
	memcpy(block->msg, block->cur_msg, sizeof(*block->msg));
	block->cn->len += sizeof(*block->msg);
	block->msg->len = 0;
	block->cmd = (struct w1_netlink_cmd *)(block->msg->data);

	space = sizeof(*cmd) + cmd->len;
	if (block->cmd != cmd)
		memcpy(block->cmd, cmd, space);
	block->cn->len += space;
	block->msg->len += space;
}

/* Append req_msg and req_cmd, no other commands and no data from req_cmd are
 * copied.
 */
static void w1_netlink_queue_status(struct w1_cb_block *block,
	struct w1_netlink_msg *req_msg, struct w1_netlink_cmd *req_cmd,
	int error)
{
	u16 space = sizeof(struct cn_msg) + sizeof(*req_msg) + sizeof(*req_cmd);
	w1_reply_make_space(block, space);
	w1_netlink_setup_msg(block, block->request_cn.ack);

	memcpy(block->msg, req_msg, sizeof(*req_msg));
	block->cn->len += sizeof(*req_msg);
	block->msg->len = 0;
	block->msg->status = (u8)-error;
	if (req_cmd) {
		struct w1_netlink_cmd *cmd = (struct w1_netlink_cmd *)block->msg->data;
		memcpy(cmd, req_cmd, sizeof(*cmd));
		block->cn->len += sizeof(*cmd);
		block->msg->len += sizeof(*cmd);
		cmd->len = 0;
	}
	w1_netlink_check_send(block);
}

/**
 * w1_netlink_send_error() - sends the error message now
 * @cn: original cn_msg
 * @msg: original w1_netlink_msg
 * @portid: where to send it
 * @error: error status
 *
 * Use when a block isn't available to queue the message to and cn, msg
 * might not be contiguous.
 */
static void w1_netlink_send_error(struct cn_msg *cn, struct w1_netlink_msg *msg,
	int portid, int error)
{
	struct {
		struct cn_msg cn;
		struct w1_netlink_msg msg;
	} packet;
	memcpy(&packet.cn, cn, sizeof(packet.cn));
	memcpy(&packet.msg, msg, sizeof(packet.msg));
	packet.cn.len = sizeof(packet.msg);
	packet.msg.len = 0;
	packet.msg.status = (u8)-error;
	cn_netlink_send(&packet.cn, portid, 0, GFP_KERNEL);
}

/**
 * w1_netlink_send() - sends w1 netlink notifications
 * @dev: w1_master the even is associated with or for
 * @msg: w1_netlink_msg message to be sent
 *
 * This are notifications generated from the kernel.
 */
void w1_netlink_send(struct w1_master *dev, struct w1_netlink_msg *msg)
{
	struct {
		struct cn_msg cn;
		struct w1_netlink_msg msg;
	} packet;
	memset(&packet, 0, sizeof(packet));

	packet.cn.id.idx = CN_W1_IDX;
	packet.cn.id.val = CN_W1_VAL;

	packet.cn.seq = dev->seq++;
	packet.cn.len = sizeof(*msg);

	memcpy(&packet.msg, msg, sizeof(*msg));
	packet.msg.len = 0;

	cn_netlink_send(&packet.cn, 0, 0, GFP_KERNEL);
}

static void w1_send_slave(struct w1_master *dev, u64 rn)
{
	struct w1_cb_block *block = dev->priv;
	struct w1_netlink_cmd *cache_cmd = block->cmd;
	u64 *data;

	w1_reply_make_space(block, sizeof(*data));

	/* Add cmd back if the packet was sent */
	if (!block->cmd) {
		cache_cmd->len = 0;
		w1_netlink_queue_cmd(block, cache_cmd);
	}

	data = (u64 *)(block->cmd->data + block->cmd->len);

	*data = rn;
	block->cn->len += sizeof(*data);
	block->msg->len += sizeof(*data);
	block->cmd->len += sizeof(*data);
}

static void w1_found_send_slave(struct w1_master *dev, u64 rn)
{
	/* update kernel slave list */
	w1_slave_found(dev, rn);

	w1_send_slave(dev, rn);
}

/* Get the current slave list, or search (with or without alarm) */
static int w1_get_slaves(struct w1_master *dev, struct w1_netlink_cmd *req_cmd)
{
	struct w1_slave *sl;

	req_cmd->len = 0;
	w1_netlink_queue_cmd(dev->priv, req_cmd);

	if (req_cmd->cmd == W1_CMD_LIST_SLAVES) {
		u64 rn;
		mutex_lock(&dev->list_mutex);
		list_for_each_entry(sl, &dev->slist, w1_slave_entry) {
			memcpy(&rn, &sl->reg_num, sizeof(rn));
			w1_send_slave(dev, rn);
		}
		mutex_unlock(&dev->list_mutex);
	} else {
		w1_search_process_cb(dev, req_cmd->cmd == W1_CMD_ALARM_SEARCH ?
			W1_ALARM_SEARCH : W1_SEARCH, w1_found_send_slave);
	}

	return 0;
}

static int w1_process_command_io(struct w1_master *dev,
	struct w1_netlink_cmd *cmd)
{
	int err = 0;

	switch (cmd->cmd) {
	case W1_CMD_TOUCH:
		w1_touch_block(dev, cmd->data, cmd->len);
		w1_netlink_queue_cmd(dev->priv, cmd);
		break;
	case W1_CMD_READ:
		w1_read_block(dev, cmd->data, cmd->len);
		w1_netlink_queue_cmd(dev->priv, cmd);
		break;
	case W1_CMD_WRITE:
		w1_write_block(dev, cmd->data, cmd->len);
		break;
	default:
		err = -EINVAL;
		break;
	}

	return err;
}

static int w1_process_command_addremove(struct w1_master *dev,
	struct w1_netlink_cmd *cmd)
{
	struct w1_slave *sl;
	int err = 0;
	struct w1_reg_num *id;

	if (cmd->len != sizeof(*id))
		return -EINVAL;

	id = (struct w1_reg_num *)cmd->data;

	sl = w1_slave_search_device(dev, id);
	switch (cmd->cmd) {
	case W1_CMD_SLAVE_ADD:
		if (sl)
			err = -EINVAL;
		else
			err = w1_attach_slave_device(dev, id);
		break;
	case W1_CMD_SLAVE_REMOVE:
		if (sl)
			w1_slave_detach(sl);
		else
			err = -EINVAL;
		break;
	default:
		err = -EINVAL;
		break;
	}

	return err;
}

static int w1_process_command_master(struct w1_master *dev,
	struct w1_netlink_cmd *req_cmd)
{
	int err = -EINVAL;

	/* drop bus_mutex for search (does it's own locking), and add/remove
	 * which doesn't use the bus
	 */
	switch (req_cmd->cmd) {
	case W1_CMD_SEARCH:
	case W1_CMD_ALARM_SEARCH:
	case W1_CMD_LIST_SLAVES:
		mutex_unlock(&dev->bus_mutex);
		err = w1_get_slaves(dev, req_cmd);
		mutex_lock(&dev->bus_mutex);
		break;
	case W1_CMD_READ:
	case W1_CMD_WRITE:
	case W1_CMD_TOUCH:
		err = w1_process_command_io(dev, req_cmd);
		break;
	case W1_CMD_RESET:
		err = w1_reset_bus(dev);
		break;
	case W1_CMD_SLAVE_ADD:
	case W1_CMD_SLAVE_REMOVE:
		mutex_unlock(&dev->bus_mutex);
		mutex_lock(&dev->mutex);
		err = w1_process_command_addremove(dev, req_cmd);
		mutex_unlock(&dev->mutex);
		mutex_lock(&dev->bus_mutex);
		break;
	default:
		err = -EINVAL;
		break;
	}

	return err;
}

static int w1_process_command_slave(struct w1_slave *sl,
		struct w1_netlink_cmd *cmd)
{
	dev_dbg(&sl->master->dev, "%s: %02x.%012llx.%02x: cmd=%02x, len=%u.\n",
		__func__, sl->reg_num.family, (unsigned long long)sl->reg_num.id,
		sl->reg_num.crc, cmd->cmd, cmd->len);

	return w1_process_command_io(sl->master, cmd);
}

static int w1_process_command_root(struct cn_msg *req_cn, u32 portid)
{
	struct w1_master *dev;
	struct cn_msg *cn;
	struct w1_netlink_msg *msg;
	u32 *id;

	cn = kmalloc(PAGE_SIZE, GFP_KERNEL);
	if (!cn)
		return -ENOMEM;

	cn->id.idx = CN_W1_IDX;
	cn->id.val = CN_W1_VAL;

	cn->seq = req_cn->seq;
	cn->ack = req_cn->seq + 1;
	cn->len = sizeof(struct w1_netlink_msg);
	msg = (struct w1_netlink_msg *)cn->data;

	msg->type = W1_LIST_MASTERS;
	msg->status = 0;
	msg->len = 0;
	id = (u32 *)msg->data;

	mutex_lock(&w1_mlock);
	list_for_each_entry(dev, &w1_masters, w1_master_entry) {
		if (cn->len + sizeof(*id) > PAGE_SIZE - sizeof(struct cn_msg)) {
			cn_netlink_send(cn, portid, 0, GFP_KERNEL);
			cn->len = sizeof(struct w1_netlink_msg);
			msg->len = 0;
			id = (u32 *)msg->data;
		}

		*id = dev->id;
		msg->len += sizeof(*id);
		cn->len += sizeof(*id);
		id++;
	}
	cn_netlink_send(cn, portid, 0, GFP_KERNEL);
	mutex_unlock(&w1_mlock);

	kfree(cn);
	return 0;
}

static void w1_process_cb(struct w1_master *dev, struct w1_async_cmd *async_cmd)
{
	struct w1_cb_node *node = container_of(async_cmd, struct w1_cb_node,
		async);
	u16 mlen = node->msg->len;
	u16 len;
	int err = 0;
	struct w1_slave *sl = node->sl;
	struct w1_netlink_cmd *cmd = (struct w1_netlink_cmd *)node->msg->data;

	mutex_lock(&dev->bus_mutex);
	dev->priv = node->block;
	if (sl && w1_reset_select_slave(sl))
		err = -ENODEV;
	node->block->cur_msg = node->msg;

	while (mlen && !err) {
		if (cmd->len + sizeof(struct w1_netlink_cmd) > mlen) {
			err = -E2BIG;
			break;
		}

		if (sl)
			err = w1_process_command_slave(sl, cmd);
		else
			err = w1_process_command_master(dev, cmd);
		w1_netlink_check_send(node->block);

		w1_netlink_queue_status(node->block, node->msg, cmd, err);
		err = 0;

		len = sizeof(*cmd) + cmd->len;
		cmd = (struct w1_netlink_cmd *)((u8 *)cmd + len);
		mlen -= len;
	}

	if (!cmd || err)
		w1_netlink_queue_status(node->block, node->msg, cmd, err);

	/* ref taken in w1_search_slave or w1_search_master_id when building
	 * the block
	 */
	if (sl)
		w1_unref_slave(sl);
	else
		atomic_dec(&dev->refcnt);
	dev->priv = NULL;
	mutex_unlock(&dev->bus_mutex);

	mutex_lock(&dev->list_mutex);
	list_del(&async_cmd->async_entry);
	mutex_unlock(&dev->list_mutex);

	w1_unref_block(node->block);
}

static void w1_list_count_cmds(struct w1_netlink_msg *msg, int *cmd_count,
	u16 *slave_len)
{
	struct w1_netlink_cmd *cmd = (struct w1_netlink_cmd *)msg->data;
	u16 mlen = msg->len;
	u16 len;
	int slave_list = 0;
	while (mlen) {
		if (cmd->len + sizeof(struct w1_netlink_cmd) > mlen)
			break;

		switch (cmd->cmd) {
		case W1_CMD_SEARCH:
		case W1_CMD_ALARM_SEARCH:
		case W1_CMD_LIST_SLAVES:
			++slave_list;
		}
		++*cmd_count;
		len = sizeof(*cmd) + cmd->len;
		cmd = (struct w1_netlink_cmd *)((u8 *)cmd + len);
		mlen -= len;
	}

	if (slave_list) {
		struct w1_master *dev = w1_search_master_id(msg->id.mst.id);
		if (dev) {
			/* Bytes, and likely an overstimate, and if it isn't
			 * the results can still be split between packets.
			 */
			*slave_len += sizeof(struct w1_reg_num) * slave_list *
				(dev->slave_count + dev->max_slave_count);
			/* search incremented it */
			atomic_dec(&dev->refcnt);
		}
	}
}

static void w1_cn_callback(struct cn_msg *cn, struct netlink_skb_parms *nsp)
{
	struct w1_netlink_msg *msg = (struct w1_netlink_msg *)(cn + 1);
	struct w1_slave *sl;
	struct w1_master *dev;
	u16 msg_len;
	u16 slave_len = 0;
	int err = 0;
	struct w1_cb_block *block = NULL;
	struct w1_cb_node *node = NULL;
	int node_count = 0;
	int cmd_count = 0;

	/* If any unknown flag is set let the application know, that way
	 * applications can detect the absence of features in kernels that
	 * don't know about them.  http://lwn.net/Articles/587527/
	 */
	if (cn->flags & ~(W1_CN_BUNDLE)) {
		w1_netlink_send_error(cn, msg, nsp->portid, -EINVAL);
		return;
	}

	/* Count the number of master or slave commands there are to allocate
	 * space for one cb_node each.
	 */
	msg_len = cn->len;
	while (msg_len && !err) {
		if (msg->len + sizeof(struct w1_netlink_msg) > msg_len) {
			err = -E2BIG;
			break;
		}

		/* count messages for nodes and allocate any additional space
		 * required for slave lists
		 */
		if (msg->type == W1_MASTER_CMD || msg->type == W1_SLAVE_CMD) {
			++node_count;
			w1_list_count_cmds(msg, &cmd_count, &slave_len);
		}

		msg_len -= sizeof(struct w1_netlink_msg) + msg->len;
		msg = (struct w1_netlink_msg *)(((u8 *)msg) +
			sizeof(struct w1_netlink_msg) + msg->len);
	}
	msg = (struct w1_netlink_msg *)(cn + 1);
	if (node_count) {
		int size;
		int reply_size = sizeof(*cn) + cn->len + slave_len;
		if (cn->flags & W1_CN_BUNDLE) {
			/* bundling duplicats some of the messages */
			reply_size += 2 * cmd_count * (sizeof(struct cn_msg) +
				sizeof(struct w1_netlink_msg) +
				sizeof(struct w1_netlink_cmd));
		}
		reply_size = min(CONNECTOR_MAX_MSG_SIZE, reply_size);

		/* allocate space for the block, a copy of the original message,
		 * one node per cmd to point into the original message,
		 * space for replies which is the original message size plus
		 * space for any list slave data and status messages
		 * cn->len doesn't include itself which is part of the block
		 * */
		size =  /* block + original message */
			sizeof(struct w1_cb_block) + sizeof(*cn) + cn->len +
			/* space for nodes */
			node_count * sizeof(struct w1_cb_node) +
			/* replies */
			sizeof(struct cn_msg) + reply_size;
		block = kzalloc(size, GFP_KERNEL);
		if (!block) {
			/* if the system is already out of memory,
			 * (A) will this work, and (B) would it be better
			 * to not try?
			 */
			w1_netlink_send_error(cn, msg, nsp->portid, -ENOMEM);
			return;
		}
		atomic_set(&block->refcnt, 1);
		block->portid = nsp->portid;
		memcpy(&block->request_cn, cn, sizeof(*cn) + cn->len);
		node = (struct w1_cb_node *)(block->request_cn.data + cn->len);

		/* Sneeky, when not bundling, reply_size is the allocated space
		 * required for the reply, cn_msg isn't part of maxlen so
		 * it should be reply_size - sizeof(struct cn_msg), however
		 * when checking if there is enough space, w1_reply_make_space
		 * is called with the full message size including cn_msg,
		 * because it isn't known at that time if an additional cn_msg
		 * will need to be allocated.  So an extra cn_msg is added
		 * above in "size".
		 */
		block->maxlen = reply_size;
		block->first_cn = (struct cn_msg *)(node + node_count);
		memset(block->first_cn, 0, sizeof(*block->first_cn));
	}

	msg_len = cn->len;
	while (msg_len && !err) {

		dev = NULL;
		sl = NULL;

		if (msg->len + sizeof(struct w1_netlink_msg) > msg_len) {
			err = -E2BIG;
			break;
		}

		/* execute on this thread, no need to process later */
		if (msg->type == W1_LIST_MASTERS) {
			err = w1_process_command_root(cn, nsp->portid);
			goto out_cont;
		}

		/* All following message types require additional data,
		 * check here before references are taken.
		 */
		if (!msg->len) {
			err = -EPROTO;
			goto out_cont;
		}

		/* both search calls take references */
		if (msg->type == W1_MASTER_CMD) {
			dev = w1_search_master_id(msg->id.mst.id);
		} else if (msg->type == W1_SLAVE_CMD) {
			sl = w1_search_slave((struct w1_reg_num *)msg->id.id);
			if (sl)
				dev = sl->master;
		} else {
			pr_notice("%s: cn: %x.%x, wrong type: %u, len: %u.\n",
				__func__, cn->id.idx, cn->id.val,
				msg->type, msg->len);
			err = -EPROTO;
			goto out_cont;
		}

		if (!dev) {
			err = -ENODEV;
			goto out_cont;
		}

		err = 0;

		atomic_inc(&block->refcnt);
		node->async.cb = w1_process_cb;
		node->block = block;
		node->msg = (struct w1_netlink_msg *)((u8 *)&block->request_cn +
			(size_t)((u8 *)msg - (u8 *)cn));
		node->sl = sl;
		node->dev = dev;

		mutex_lock(&dev->list_mutex);
		list_add_tail(&node->async.async_entry, &dev->async_list);
		wake_up_process(dev->thread);
		mutex_unlock(&dev->list_mutex);
		++node;

out_cont:
		/* Can't queue because that modifies block and another
		 * thread could be processing the messages by now and
		 * there isn't a lock, send directly.
		 */
		if (err)
			w1_netlink_send_error(cn, msg, nsp->portid, err);
		msg_len -= sizeof(struct w1_netlink_msg) + msg->len;
		msg = (struct w1_netlink_msg *)(((u8 *)msg) +
			sizeof(struct w1_netlink_msg) + msg->len);

		/*
		 * Let's allow requests for nonexisting devices.
		 */
		if (err == -ENODEV)
			err = 0;
	}
	if (block)
		w1_unref_block(block);
}

int w1_init_netlink(void)
{
	struct cb_id w1_id = {.idx = CN_W1_IDX, .val = CN_W1_VAL};

	return cn_add_callback(&w1_id, "w1", &w1_cn_callback);
}

void w1_fini_netlink(void)
{
	struct cb_id w1_id = {.idx = CN_W1_IDX, .val = CN_W1_VAL};

	cn_del_callback(&w1_id);
}
#else
void w1_netlink_send(struct w1_master *dev, struct w1_netlink_msg *cn)
{
}

int w1_init_netlink(void)
{
	return 0;
}

void w1_fini_netlink(void)
{
}
#endif