mirror of
https://github.com/torvalds/linux.git
synced 2026-05-12 16:18:45 +02:00
f7cf8ece8c
`caif_connect()` can tear down an existing client after remote shutdown by
calling `caif_disconnect_client()` followed by `caif_free_client()`.
`caif_free_client()` releases the service layer referenced by
`adap_layer->dn`, but leaves that pointer stale.
When the socket is later destroyed, `caif_sock_destructor()` calls
`caif_free_client()` again and dereferences the freed service pointer.
Clear the client/service links before releasing the service object so
repeated teardown becomes harmless.
Fixes: 43e3692101 ("caif: Move refcount from service layer to sock and dev.")
Cc: stable@kernel.org
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Ren Wei <enjou1224z@gmail.com>
Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Link: https://patch.msgid.link/9f3d37847c0037568aae698ca23cd47c6691acb0.1775897577.git.zcliangcn@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
225 lines
5.4 KiB
C
225 lines
5.4 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
/*
|
|
* Copyright (C) ST-Ericsson AB 2010
|
|
* Author: Sjur Brendeland
|
|
*/
|
|
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ":%s(): " fmt, __func__
|
|
|
|
#include <linux/kernel.h>
|
|
#include <linux/types.h>
|
|
#include <linux/errno.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/module.h>
|
|
#include <linux/pkt_sched.h>
|
|
#include <net/caif/caif_layer.h>
|
|
#include <net/caif/cfsrvl.h>
|
|
#include <net/caif/cfpkt.h>
|
|
#include <net/caif/caif_dev.h>
|
|
|
|
#define SRVL_CTRL_PKT_SIZE 1
|
|
#define SRVL_FLOW_OFF 0x81
|
|
#define SRVL_FLOW_ON 0x80
|
|
#define SRVL_SET_PIN 0x82
|
|
|
|
#define container_obj(layr) container_of(layr, struct cfsrvl, layer)
|
|
|
|
static void cfservl_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl,
|
|
int phyid)
|
|
{
|
|
struct cfsrvl *service = container_obj(layr);
|
|
|
|
if (layr->up == NULL || layr->up->ctrlcmd == NULL)
|
|
return;
|
|
|
|
switch (ctrl) {
|
|
case CAIF_CTRLCMD_INIT_RSP:
|
|
service->open = true;
|
|
layr->up->ctrlcmd(layr->up, ctrl, phyid);
|
|
break;
|
|
case CAIF_CTRLCMD_DEINIT_RSP:
|
|
case CAIF_CTRLCMD_INIT_FAIL_RSP:
|
|
service->open = false;
|
|
layr->up->ctrlcmd(layr->up, ctrl, phyid);
|
|
break;
|
|
case _CAIF_CTRLCMD_PHYIF_FLOW_OFF_IND:
|
|
if (phyid != service->dev_info.id)
|
|
break;
|
|
if (service->modem_flow_on)
|
|
layr->up->ctrlcmd(layr->up,
|
|
CAIF_CTRLCMD_FLOW_OFF_IND, phyid);
|
|
service->phy_flow_on = false;
|
|
break;
|
|
case _CAIF_CTRLCMD_PHYIF_FLOW_ON_IND:
|
|
if (phyid != service->dev_info.id)
|
|
return;
|
|
if (service->modem_flow_on) {
|
|
layr->up->ctrlcmd(layr->up,
|
|
CAIF_CTRLCMD_FLOW_ON_IND,
|
|
phyid);
|
|
}
|
|
service->phy_flow_on = true;
|
|
break;
|
|
case CAIF_CTRLCMD_FLOW_OFF_IND:
|
|
if (service->phy_flow_on) {
|
|
layr->up->ctrlcmd(layr->up,
|
|
CAIF_CTRLCMD_FLOW_OFF_IND, phyid);
|
|
}
|
|
service->modem_flow_on = false;
|
|
break;
|
|
case CAIF_CTRLCMD_FLOW_ON_IND:
|
|
if (service->phy_flow_on) {
|
|
layr->up->ctrlcmd(layr->up,
|
|
CAIF_CTRLCMD_FLOW_ON_IND, phyid);
|
|
}
|
|
service->modem_flow_on = true;
|
|
break;
|
|
case _CAIF_CTRLCMD_PHYIF_DOWN_IND:
|
|
/* In case interface is down, let's fake a remove shutdown */
|
|
layr->up->ctrlcmd(layr->up,
|
|
CAIF_CTRLCMD_REMOTE_SHUTDOWN_IND, phyid);
|
|
break;
|
|
case CAIF_CTRLCMD_REMOTE_SHUTDOWN_IND:
|
|
layr->up->ctrlcmd(layr->up, ctrl, phyid);
|
|
break;
|
|
default:
|
|
pr_warn("Unexpected ctrl in cfsrvl (%d)\n", ctrl);
|
|
/* We have both modem and phy flow on, send flow on */
|
|
layr->up->ctrlcmd(layr->up, ctrl, phyid);
|
|
service->phy_flow_on = true;
|
|
break;
|
|
}
|
|
}
|
|
|
|
static int cfservl_modemcmd(struct cflayer *layr, enum caif_modemcmd ctrl)
|
|
{
|
|
struct cfsrvl *service = container_obj(layr);
|
|
|
|
caif_assert(layr != NULL);
|
|
caif_assert(layr->dn != NULL);
|
|
caif_assert(layr->dn->transmit != NULL);
|
|
|
|
if (!service->supports_flowctrl)
|
|
return 0;
|
|
|
|
switch (ctrl) {
|
|
case CAIF_MODEMCMD_FLOW_ON_REQ:
|
|
{
|
|
struct cfpkt *pkt;
|
|
struct caif_payload_info *info;
|
|
u8 flow_on = SRVL_FLOW_ON;
|
|
pkt = cfpkt_create(SRVL_CTRL_PKT_SIZE);
|
|
if (!pkt)
|
|
return -ENOMEM;
|
|
|
|
if (cfpkt_add_head(pkt, &flow_on, 1) < 0) {
|
|
pr_err("Packet is erroneous!\n");
|
|
cfpkt_destroy(pkt);
|
|
return -EPROTO;
|
|
}
|
|
info = cfpkt_info(pkt);
|
|
info->channel_id = service->layer.id;
|
|
info->hdr_len = 1;
|
|
info->dev_info = &service->dev_info;
|
|
cfpkt_set_prio(pkt, TC_PRIO_CONTROL);
|
|
return layr->dn->transmit(layr->dn, pkt);
|
|
}
|
|
case CAIF_MODEMCMD_FLOW_OFF_REQ:
|
|
{
|
|
struct cfpkt *pkt;
|
|
struct caif_payload_info *info;
|
|
u8 flow_off = SRVL_FLOW_OFF;
|
|
pkt = cfpkt_create(SRVL_CTRL_PKT_SIZE);
|
|
if (!pkt)
|
|
return -ENOMEM;
|
|
|
|
if (cfpkt_add_head(pkt, &flow_off, 1) < 0) {
|
|
pr_err("Packet is erroneous!\n");
|
|
cfpkt_destroy(pkt);
|
|
return -EPROTO;
|
|
}
|
|
info = cfpkt_info(pkt);
|
|
info->channel_id = service->layer.id;
|
|
info->hdr_len = 1;
|
|
info->dev_info = &service->dev_info;
|
|
cfpkt_set_prio(pkt, TC_PRIO_CONTROL);
|
|
return layr->dn->transmit(layr->dn, pkt);
|
|
}
|
|
default:
|
|
break;
|
|
}
|
|
return -EINVAL;
|
|
}
|
|
|
|
static void cfsrvl_release(struct cflayer *layer)
|
|
{
|
|
struct cfsrvl *service = container_of(layer, struct cfsrvl, layer);
|
|
kfree(service);
|
|
}
|
|
|
|
void cfsrvl_init(struct cfsrvl *service,
|
|
u8 channel_id,
|
|
struct dev_info *dev_info,
|
|
bool supports_flowctrl)
|
|
{
|
|
caif_assert(offsetof(struct cfsrvl, layer) == 0);
|
|
service->open = false;
|
|
service->modem_flow_on = true;
|
|
service->phy_flow_on = true;
|
|
service->layer.id = channel_id;
|
|
service->layer.ctrlcmd = cfservl_ctrlcmd;
|
|
service->layer.modemcmd = cfservl_modemcmd;
|
|
service->dev_info = *dev_info;
|
|
service->supports_flowctrl = supports_flowctrl;
|
|
service->release = cfsrvl_release;
|
|
}
|
|
|
|
bool cfsrvl_ready(struct cfsrvl *service, int *err)
|
|
{
|
|
if (!service->open) {
|
|
*err = -ENOTCONN;
|
|
return false;
|
|
}
|
|
return true;
|
|
}
|
|
|
|
bool cfsrvl_phyid_match(struct cflayer *layer, int phyid)
|
|
{
|
|
struct cfsrvl *servl = container_obj(layer);
|
|
return servl->dev_info.id == phyid;
|
|
}
|
|
|
|
void caif_free_client(struct cflayer *adap_layer)
|
|
{
|
|
struct cflayer *serv_layer;
|
|
struct cfsrvl *servl;
|
|
|
|
if (!adap_layer)
|
|
return;
|
|
|
|
serv_layer = adap_layer->dn;
|
|
if (!serv_layer)
|
|
return;
|
|
|
|
layer_set_dn(adap_layer, NULL);
|
|
layer_set_up(serv_layer, NULL);
|
|
|
|
servl = container_obj(serv_layer);
|
|
servl->release(&servl->layer);
|
|
}
|
|
EXPORT_SYMBOL(caif_free_client);
|
|
|
|
void caif_client_register_refcnt(struct cflayer *adapt_layer,
|
|
void (*hold)(struct cflayer *lyr),
|
|
void (*put)(struct cflayer *lyr))
|
|
{
|
|
struct cfsrvl *service;
|
|
|
|
if (WARN_ON(adapt_layer == NULL || adapt_layer->dn == NULL))
|
|
return;
|
|
service = container_of(adapt_layer->dn, struct cfsrvl, layer);
|
|
service->hold = hold;
|
|
service->put = put;
|
|
}
|
|
EXPORT_SYMBOL(caif_client_register_refcnt);
|