1
// SPDX-License-Identifier: GPL-2.0-or-later
2
/*
3
 * Copyright (C) 2011  Intel Corporation. All rights reserved.
4
 * Copyright (C) 2014 Marvell International Ltd.
5
 */
6

7
#define pr_fmt(fmt) "llcp: %s: " fmt, __func__
8

9
#include <linux/init.h>
10
#include <linux/kernel.h>
11
#include <linux/list.h>
12
#include <linux/nfc.h>
13

14
#include "nfc.h"
15
#include "llcp.h"
16

17
static u8 llcp_magic[3] = {0x46, 0x66, 0x6d};
18

19
static LIST_HEAD(llcp_devices);
20
/* Protects llcp_devices list */
21
static DEFINE_SPINLOCK(llcp_devices_lock);
22

23
static void nfc_llcp_rx_skb(struct nfc_llcp_local *local, struct sk_buff *skb);
24

25
void nfc_llcp_sock_link(struct llcp_sock_list *l, struct sock *sk)
26
{
27
	write_lock(&l->lock);
28
	sk_add_node(sk, &l->head);
29
	write_unlock(&l->lock);
30
}
31

32
void nfc_llcp_sock_unlink(struct llcp_sock_list *l, struct sock *sk)
33
{
34
	write_lock(&l->lock);
35
	sk_del_node_init(sk);
36
	write_unlock(&l->lock);
37
}
38

39
void nfc_llcp_socket_remote_param_init(struct nfc_llcp_sock *sock)
40
{
41
	sock->remote_rw = LLCP_DEFAULT_RW;
42
	sock->remote_miu = LLCP_MAX_MIU + 1;
43
}
44

45
static void nfc_llcp_socket_purge(struct nfc_llcp_sock *sock)
46
{
47
	struct nfc_llcp_local *local = sock->local;
48
	struct sk_buff *s, *tmp;
49

50
	skb_queue_purge(&sock->tx_queue);
51
	skb_queue_purge(&sock->tx_pending_queue);
52

53
	if (local == NULL)
54
		return;
55

56
	/* Search for local pending SKBs that are related to this socket */
57
	skb_queue_walk_safe(&local->tx_queue, s, tmp) {
58
		if (s->sk != &sock->sk)
59
			continue;
60

61
		skb_unlink(s, &local->tx_queue);
62
		kfree_skb(s);
63
	}
64
}
65

66
static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
67
				    int err)
68
{
69
	struct sock *sk;
70
	struct hlist_node *tmp;
71
	struct nfc_llcp_sock *llcp_sock;
72

73
	skb_queue_purge(&local->tx_queue);
74

75
	write_lock(&local->sockets.lock);
76

77
	sk_for_each_safe(sk, tmp, &local->sockets.head) {
78
		llcp_sock = nfc_llcp_sock(sk);
79

80
		bh_lock_sock(sk);
81

82
		nfc_llcp_socket_purge(llcp_sock);
83

84
		if (sk->sk_state == LLCP_CONNECTED)
85
			nfc_put_device(llcp_sock->dev);
86

87
		if (sk->sk_state == LLCP_LISTEN) {
88
			struct nfc_llcp_sock *lsk, *n;
89
			struct sock *accept_sk;
90

91
			list_for_each_entry_safe(lsk, n,
92
						 &llcp_sock->accept_queue,
93
						 accept_queue) {
94
				accept_sk = &lsk->sk;
95
				bh_lock_sock(accept_sk);
96

97
				nfc_llcp_accept_unlink(accept_sk);
98

99
				if (err)
100
					accept_sk->sk_err = err;
101
				accept_sk->sk_state = LLCP_CLOSED;
102
				accept_sk->sk_state_change(sk);
103

104
				bh_unlock_sock(accept_sk);
105
			}
106
		}
107

108
		if (err)
109
			sk->sk_err = err;
110
		sk->sk_state = LLCP_CLOSED;
111
		sk->sk_state_change(sk);
112

113
		bh_unlock_sock(sk);
114

115
		sk_del_node_init(sk);
116
	}
117

118
	write_unlock(&local->sockets.lock);
119

120
	/* If we still have a device, we keep the RAW sockets alive */
121
	if (device == true)
122
		return;
123

124
	write_lock(&local->raw_sockets.lock);
125

126
	sk_for_each_safe(sk, tmp, &local->raw_sockets.head) {
127
		llcp_sock = nfc_llcp_sock(sk);
128

129
		bh_lock_sock(sk);
130

131
		nfc_llcp_socket_purge(llcp_sock);
132

133
		if (err)
134
			sk->sk_err = err;
135
		sk->sk_state = LLCP_CLOSED;
136
		sk->sk_state_change(sk);
137

138
		bh_unlock_sock(sk);
139

140
		sk_del_node_init(sk);
141
	}
142

143
	write_unlock(&local->raw_sockets.lock);
144
}
145

146
static struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local)
147
{
148
	/* Since using nfc_llcp_local may result in usage of nfc_dev, whenever
149
	 * we hold a reference to local, we also need to hold a reference to
150
	 * the device to avoid UAF.
151
	 */
152
	if (!nfc_get_device(local->dev->idx))
153
		return NULL;
154

155
	kref_get(&local->ref);
156

157
	return local;
158
}
159

160
static void local_cleanup(struct nfc_llcp_local *local)
161
{
162
	nfc_llcp_socket_release(local, false, ENXIO);
163
	timer_delete_sync(&local->link_timer);
164
	skb_queue_purge(&local->tx_queue);
165
	cancel_work_sync(&local->tx_work);
166
	cancel_work_sync(&local->rx_work);
167
	cancel_work_sync(&local->timeout_work);
168
	kfree_skb(local->rx_pending);
169
	local->rx_pending = NULL;
170
	timer_delete_sync(&local->sdreq_timer);
171
	cancel_work_sync(&local->sdreq_timeout_work);
172
	nfc_llcp_free_sdp_tlv_list(&local->pending_sdreqs);
173
}
174

175
static void local_release(struct kref *ref)
176
{
177
	struct nfc_llcp_local *local;
178

179
	local = container_of(ref, struct nfc_llcp_local, ref);
180

181
	local_cleanup(local);
182
	kfree(local);
183
}
184

185
int nfc_llcp_local_put(struct nfc_llcp_local *local)
186
{
187
	struct nfc_dev *dev;
188
	int ret;
189

190
	if (local == NULL)
191
		return 0;
192

193
	dev = local->dev;
194

195
	ret = kref_put(&local->ref, local_release);
196
	nfc_put_device(dev);
197

198
	return ret;
199
}
200

201
static struct nfc_llcp_sock *nfc_llcp_sock_get(struct nfc_llcp_local *local,
202
					       u8 ssap, u8 dsap)
203
{
204
	struct sock *sk;
205
	struct nfc_llcp_sock *llcp_sock, *tmp_sock;
206

207
	pr_debug("ssap dsap %d %d\n", ssap, dsap);
208

209
	if (ssap == 0 && dsap == 0)
210
		return NULL;
211

212
	read_lock(&local->sockets.lock);
213

214
	llcp_sock = NULL;
215

216
	sk_for_each(sk, &local->sockets.head) {
217
		tmp_sock = nfc_llcp_sock(sk);
218

219
		if (tmp_sock->ssap == ssap && tmp_sock->dsap == dsap) {
220
			llcp_sock = tmp_sock;
221
			sock_hold(&llcp_sock->sk);
222
			break;
223
		}
224
	}
225

226
	read_unlock(&local->sockets.lock);
227

228
	return llcp_sock;
229
}
230

231
static void nfc_llcp_sock_put(struct nfc_llcp_sock *sock)
232
{
233
	sock_put(&sock->sk);
234
}
235

236
static void nfc_llcp_timeout_work(struct work_struct *work)
237
{
238
	struct nfc_llcp_local *local = container_of(work, struct nfc_llcp_local,
239
						    timeout_work);
240

241
	nfc_dep_link_down(local->dev);
242
}
243

244
static void nfc_llcp_symm_timer(struct timer_list *t)
245
{
246
	struct nfc_llcp_local *local = timer_container_of(local, t,
247
							  link_timer);
248

249
	pr_err("SYMM timeout\n");
250

251
	schedule_work(&local->timeout_work);
252
}
253

254
static void nfc_llcp_sdreq_timeout_work(struct work_struct *work)
255
{
256
	unsigned long time;
257
	HLIST_HEAD(nl_sdres_list);
258
	struct hlist_node *n;
259
	struct nfc_llcp_sdp_tlv *sdp;
260
	struct nfc_llcp_local *local = container_of(work, struct nfc_llcp_local,
261
						    sdreq_timeout_work);
262

263
	mutex_lock(&local->sdreq_lock);
264

265
	time = jiffies - msecs_to_jiffies(3 * local->remote_lto);
266

267
	hlist_for_each_entry_safe(sdp, n, &local->pending_sdreqs, node) {
268
		if (time_after(sdp->time, time))
269
			continue;
270

271
		sdp->sap = LLCP_SDP_UNBOUND;
272

273
		hlist_del(&sdp->node);
274

275
		hlist_add_head(&sdp->node, &nl_sdres_list);
276
	}
277

278
	if (!hlist_empty(&local->pending_sdreqs))
279
		mod_timer(&local->sdreq_timer,
280
			  jiffies + msecs_to_jiffies(3 * local->remote_lto));
281

282
	mutex_unlock(&local->sdreq_lock);
283

284
	if (!hlist_empty(&nl_sdres_list))
285
		nfc_genl_llc_send_sdres(local->dev, &nl_sdres_list);
286
}
287

288
static void nfc_llcp_sdreq_timer(struct timer_list *t)
289
{
290
	struct nfc_llcp_local *local = timer_container_of(local, t,
291
							  sdreq_timer);
292

293
	schedule_work(&local->sdreq_timeout_work);
294
}
295

296
struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev)
297
{
298
	struct nfc_llcp_local *local;
299
	struct nfc_llcp_local *res = NULL;
300

301
	spin_lock(&llcp_devices_lock);
302
	list_for_each_entry(local, &llcp_devices, list)
303
		if (local->dev == dev) {
304
			res = nfc_llcp_local_get(local);
305
			break;
306
		}
307
	spin_unlock(&llcp_devices_lock);
308

309
	return res;
310
}
311

312
static struct nfc_llcp_local *nfc_llcp_remove_local(struct nfc_dev *dev)
313
{
314
	struct nfc_llcp_local *local, *tmp;
315

316
	spin_lock(&llcp_devices_lock);
317
	list_for_each_entry_safe(local, tmp, &llcp_devices, list)
318
		if (local->dev == dev) {
319
			spin_lock(&local->tx_queue.lock);
320
			list_del_init(&local->list);
321
			spin_unlock(&local->tx_queue.lock);
322
			spin_unlock(&llcp_devices_lock);
323
			return local;
324
		}
325
	spin_unlock(&llcp_devices_lock);
326

327
	pr_warn("Shutting down device not found\n");
328

329
	return NULL;
330
}
331

332
static char *wks[] = {
333
	NULL,
334
	NULL, /* SDP */
335
	"urn:nfc:sn:ip",
336
	"urn:nfc:sn:obex",
337
	"urn:nfc:sn:snep",
338
};
339

340
static int nfc_llcp_wks_sap(const char *service_name, size_t service_name_len)
341
{
342
	int sap, num_wks;
343

344
	pr_debug("%s\n", service_name);
345

346
	if (service_name == NULL)
347
		return -EINVAL;
348

349
	num_wks = ARRAY_SIZE(wks);
350

351
	for (sap = 0; sap < num_wks; sap++) {
352
		if (wks[sap] == NULL)
353
			continue;
354

355
		if (strncmp(wks[sap], service_name, service_name_len) == 0)
356
			return sap;
357
	}
358

359
	return -EINVAL;
360
}
361

362
static
363
struct nfc_llcp_sock *nfc_llcp_sock_from_sn(struct nfc_llcp_local *local,
364
					    const u8 *sn, size_t sn_len,
365
					    bool needref)
366
{
367
	struct sock *sk;
368
	struct nfc_llcp_sock *llcp_sock, *tmp_sock;
369

370
	pr_debug("sn %zd %p\n", sn_len, sn);
371

372
	if (sn == NULL || sn_len == 0)
373
		return NULL;
374

375
	read_lock(&local->sockets.lock);
376

377
	llcp_sock = NULL;
378

379
	sk_for_each(sk, &local->sockets.head) {
380
		tmp_sock = nfc_llcp_sock(sk);
381

382
		pr_debug("llcp sock %p\n", tmp_sock);
383

384
		if (tmp_sock->sk.sk_type == SOCK_STREAM &&
385
		    tmp_sock->sk.sk_state != LLCP_LISTEN)
386
			continue;
387

388
		if (tmp_sock->sk.sk_type == SOCK_DGRAM &&
389
		    tmp_sock->sk.sk_state != LLCP_BOUND)
390
			continue;
391

392
		if (tmp_sock->service_name == NULL ||
393
		    tmp_sock->service_name_len == 0)
394
			continue;
395

396
		if (tmp_sock->service_name_len != sn_len)
397
			continue;
398

399
		if (memcmp(sn, tmp_sock->service_name, sn_len) == 0) {
400
			llcp_sock = tmp_sock;
401
			if (needref)
402
				sock_hold(&llcp_sock->sk);
403
			break;
404
		}
405
	}
406

407
	read_unlock(&local->sockets.lock);
408

409
	pr_debug("Found llcp sock %p\n", llcp_sock);
410

411
	return llcp_sock;
412
}
413

414
u8 nfc_llcp_get_sdp_ssap(struct nfc_llcp_local *local,
415
			 struct nfc_llcp_sock *sock)
416
{
417
	mutex_lock(&local->sdp_lock);
418

419
	if (sock->service_name != NULL && sock->service_name_len > 0) {
420
		int ssap = nfc_llcp_wks_sap(sock->service_name,
421
					    sock->service_name_len);
422

423
		if (ssap > 0) {
424
			pr_debug("WKS %d\n", ssap);
425

426
			/* This is a WKS, let's check if it's free */
427
			if (test_bit(ssap, &local->local_wks)) {
428
				mutex_unlock(&local->sdp_lock);
429

430
				return LLCP_SAP_MAX;
431
			}
432

433
			set_bit(ssap, &local->local_wks);
434
			mutex_unlock(&local->sdp_lock);
435

436
			return ssap;
437
		}
438

439
		/*
440
		 * Check if there already is a non WKS socket bound
441
		 * to this service name.
442
		 */
443
		if (nfc_llcp_sock_from_sn(local, sock->service_name,
444
					  sock->service_name_len,
445
					  false) != NULL) {
446
			mutex_unlock(&local->sdp_lock);
447

448
			return LLCP_SAP_MAX;
449
		}
450

451
		mutex_unlock(&local->sdp_lock);
452

453
		return LLCP_SDP_UNBOUND;
454

455
	} else if (sock->ssap != 0 && sock->ssap < LLCP_WKS_NUM_SAP) {
456
		if (!test_bit(sock->ssap, &local->local_wks)) {
457
			set_bit(sock->ssap, &local->local_wks);
458
			mutex_unlock(&local->sdp_lock);
459

460
			return sock->ssap;
461
		}
462
	}
463

464
	mutex_unlock(&local->sdp_lock);
465

466
	return LLCP_SAP_MAX;
467
}
468

469
u8 nfc_llcp_get_local_ssap(struct nfc_llcp_local *local)
470
{
471
	u8 local_ssap;
472

473
	mutex_lock(&local->sdp_lock);
474

475
	local_ssap = find_first_zero_bit(&local->local_sap, LLCP_LOCAL_NUM_SAP);
476
	if (local_ssap == LLCP_LOCAL_NUM_SAP) {
477
		mutex_unlock(&local->sdp_lock);
478
		return LLCP_SAP_MAX;
479
	}
480

481
	set_bit(local_ssap, &local->local_sap);
482

483
	mutex_unlock(&local->sdp_lock);
484

485
	return local_ssap + LLCP_LOCAL_SAP_OFFSET;
486
}
487

488
void nfc_llcp_put_ssap(struct nfc_llcp_local *local, u8 ssap)
489
{
490
	u8 local_ssap;
491
	unsigned long *sdp;
492

493
	if (ssap < LLCP_WKS_NUM_SAP) {
494
		local_ssap = ssap;
495
		sdp = &local->local_wks;
496
	} else if (ssap < LLCP_LOCAL_NUM_SAP) {
497
		atomic_t *client_cnt;
498

499
		local_ssap = ssap - LLCP_WKS_NUM_SAP;
500
		sdp = &local->local_sdp;
501
		client_cnt = &local->local_sdp_cnt[local_ssap];
502

503
		pr_debug("%d clients\n", atomic_read(client_cnt));
504

505
		mutex_lock(&local->sdp_lock);
506

507
		if (atomic_dec_and_test(client_cnt)) {
508
			struct nfc_llcp_sock *l_sock;
509

510
			pr_debug("No more clients for SAP %d\n", ssap);
511

512
			clear_bit(local_ssap, sdp);
513

514
			/* Find the listening sock and set it back to UNBOUND */
515
			l_sock = nfc_llcp_sock_get(local, ssap, LLCP_SAP_SDP);
516
			if (l_sock) {
517
				l_sock->ssap = LLCP_SDP_UNBOUND;
518
				nfc_llcp_sock_put(l_sock);
519
			}
520
		}
521

522
		mutex_unlock(&local->sdp_lock);
523

524
		return;
525
	} else if (ssap < LLCP_MAX_SAP) {
526
		local_ssap = ssap - LLCP_LOCAL_NUM_SAP;
527
		sdp = &local->local_sap;
528
	} else {
529
		return;
530
	}
531

532
	mutex_lock(&local->sdp_lock);
533

534
	clear_bit(local_ssap, sdp);
535

536
	mutex_unlock(&local->sdp_lock);
537
}
538

539
static u8 nfc_llcp_reserve_sdp_ssap(struct nfc_llcp_local *local)
540
{
541
	u8 ssap;
542

543
	mutex_lock(&local->sdp_lock);
544

545
	ssap = find_first_zero_bit(&local->local_sdp, LLCP_SDP_NUM_SAP);
546
	if (ssap == LLCP_SDP_NUM_SAP) {
547
		mutex_unlock(&local->sdp_lock);
548

549
		return LLCP_SAP_MAX;
550
	}
551

552
	pr_debug("SDP ssap %d\n", LLCP_WKS_NUM_SAP + ssap);
553

554
	set_bit(ssap, &local->local_sdp);
555

556
	mutex_unlock(&local->sdp_lock);
557

558
	return LLCP_WKS_NUM_SAP + ssap;
559
}
560

561
static int nfc_llcp_build_gb(struct nfc_llcp_local *local)
562
{
563
	u8 *gb_cur, version, version_length;
564
	u8 lto_length, wks_length, miux_length;
565
	const u8 *version_tlv = NULL, *lto_tlv = NULL,
566
	   *wks_tlv = NULL, *miux_tlv = NULL;
567
	__be16 wks = cpu_to_be16(local->local_wks);
568
	u8 gb_len = 0;
569
	int ret = 0;
570

571
	version = LLCP_VERSION_11;
572
	version_tlv = nfc_llcp_build_tlv(LLCP_TLV_VERSION, &version,
573
					 1, &version_length);
574
	if (!version_tlv) {
575
		ret = -ENOMEM;
576
		goto out;
577
	}
578
	gb_len += version_length;
579

580
	lto_tlv = nfc_llcp_build_tlv(LLCP_TLV_LTO, &local->lto, 1, &lto_length);
581
	if (!lto_tlv) {
582
		ret = -ENOMEM;
583
		goto out;
584
	}
585
	gb_len += lto_length;
586

587
	pr_debug("Local wks 0x%lx\n", local->local_wks);
588
	wks_tlv = nfc_llcp_build_tlv(LLCP_TLV_WKS, (u8 *)&wks, 2, &wks_length);
589
	if (!wks_tlv) {
590
		ret = -ENOMEM;
591
		goto out;
592
	}
593
	gb_len += wks_length;
594

595
	miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&local->miux, 0,
596
				      &miux_length);
597
	if (!miux_tlv) {
598
		ret = -ENOMEM;
599
		goto out;
600
	}
601
	gb_len += miux_length;
602

603
	gb_len += ARRAY_SIZE(llcp_magic);
604

605
	if (gb_len > NFC_MAX_GT_LEN) {
606
		ret = -EINVAL;
607
		goto out;
608
	}
609

610
	gb_cur = local->gb;
611

612
	memcpy(gb_cur, llcp_magic, ARRAY_SIZE(llcp_magic));
613
	gb_cur += ARRAY_SIZE(llcp_magic);
614

615
	memcpy(gb_cur, version_tlv, version_length);
616
	gb_cur += version_length;
617

618
	memcpy(gb_cur, lto_tlv, lto_length);
619
	gb_cur += lto_length;
620

621
	memcpy(gb_cur, wks_tlv, wks_length);
622
	gb_cur += wks_length;
623

624
	memcpy(gb_cur, miux_tlv, miux_length);
625
	gb_cur += miux_length;
626

627
	local->gb_len = gb_len;
628

629
out:
630
	kfree(version_tlv);
631
	kfree(lto_tlv);
632
	kfree(wks_tlv);
633
	kfree(miux_tlv);
634

635
	return ret;
636
}
637

638
u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len)
639
{
640
	struct nfc_llcp_local *local;
641

642
	local = nfc_llcp_find_local(dev);
643
	if (local == NULL) {
644
		*general_bytes_len = 0;
645
		return NULL;
646
	}
647

648
	nfc_llcp_build_gb(local);
649

650
	*general_bytes_len = local->gb_len;
651

652
	nfc_llcp_local_put(local);
653

654
	return local->gb;
655
}
656

657
int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len)
658
{
659
	struct nfc_llcp_local *local;
660
	int err;
661

662
	if (gb_len < 3 || gb_len > NFC_MAX_GT_LEN)
663
		return -EINVAL;
664

665
	local = nfc_llcp_find_local(dev);
666
	if (local == NULL) {
667
		pr_err("No LLCP device\n");
668
		return -ENODEV;
669
	}
670

671
	memset(local->remote_gb, 0, NFC_MAX_GT_LEN);
672
	memcpy(local->remote_gb, gb, gb_len);
673
	local->remote_gb_len = gb_len;
674

675
	if (memcmp(local->remote_gb, llcp_magic, 3)) {
676
		pr_err("MAC does not support LLCP\n");
677
		err = -EINVAL;
678
		goto out;
679
	}
680

681
	err = nfc_llcp_parse_gb_tlv(local,
682
				     &local->remote_gb[3],
683
				     local->remote_gb_len - 3);
684
out:
685
	nfc_llcp_local_put(local);
686
	return err;
687
}
688

689
static u8 nfc_llcp_dsap(const struct sk_buff *pdu)
690
{
691
	return (pdu->data[0] & 0xfc) >> 2;
692
}
693

694
static u8 nfc_llcp_ptype(const struct sk_buff *pdu)
695
{
696
	return ((pdu->data[0] & 0x03) << 2) | ((pdu->data[1] & 0xc0) >> 6);
697
}
698

699
static u8 nfc_llcp_ssap(const struct sk_buff *pdu)
700
{
701
	return pdu->data[1] & 0x3f;
702
}
703

704
static u8 nfc_llcp_ns(const struct sk_buff *pdu)
705
{
706
	return pdu->data[2] >> 4;
707
}
708

709
static u8 nfc_llcp_nr(const struct sk_buff *pdu)
710
{
711
	return pdu->data[2] & 0xf;
712
}
713

714
static void nfc_llcp_set_nrns(struct nfc_llcp_sock *sock, struct sk_buff *pdu)
715
{
716
	pdu->data[2] = (sock->send_n << 4) | (sock->recv_n);
717
	sock->send_n = (sock->send_n + 1) % 16;
718
	sock->recv_ack_n = (sock->recv_n - 1) % 16;
719
}
720

721
void nfc_llcp_send_to_raw_sock(struct nfc_llcp_local *local,
722
			       struct sk_buff *skb, u8 direction)
723
{
724
	struct sk_buff *skb_copy = NULL, *nskb;
725
	struct sock *sk;
726
	u8 *data;
727

728
	read_lock(&local->raw_sockets.lock);
729

730
	sk_for_each(sk, &local->raw_sockets.head) {
731
		if (sk->sk_state != LLCP_BOUND)
732
			continue;
733

734
		if (skb_copy == NULL) {
735
			skb_copy = __pskb_copy_fclone(skb, NFC_RAW_HEADER_SIZE,
736
						      GFP_ATOMIC, true);
737

738
			if (skb_copy == NULL)
739
				continue;
740

741
			data = skb_push(skb_copy, NFC_RAW_HEADER_SIZE);
742

743
			data[0] = local->dev ? local->dev->idx : 0xFF;
744
			data[1] = direction & 0x01;
745
			data[1] |= (RAW_PAYLOAD_LLCP << 1);
746
		}
747

748
		nskb = skb_clone(skb_copy, GFP_ATOMIC);
749
		if (!nskb)
750
			continue;
751

752
		if (sock_queue_rcv_skb(sk, nskb))
753
			kfree_skb(nskb);
754
	}
755

756
	read_unlock(&local->raw_sockets.lock);
757

758
	kfree_skb(skb_copy);
759
}
760

761
static void nfc_llcp_tx_work(struct work_struct *work)
762
{
763
	struct nfc_llcp_local *local = container_of(work, struct nfc_llcp_local,
764
						    tx_work);
765
	struct sk_buff *skb;
766
	struct sock *sk;
767
	struct nfc_llcp_sock *llcp_sock;
768

769
	skb = skb_dequeue(&local->tx_queue);
770
	if (skb != NULL) {
771
		sk = skb->sk;
772
		llcp_sock = nfc_llcp_sock(sk);
773

774
		if (llcp_sock == NULL && nfc_llcp_ptype(skb) == LLCP_PDU_I) {
775
			kfree_skb(skb);
776
			nfc_llcp_send_symm(local->dev);
777
		} else if (llcp_sock && !llcp_sock->remote_ready) {
778
			skb_queue_head(&local->tx_queue, skb);
779
			nfc_llcp_send_symm(local->dev);
780
		} else {
781
			struct sk_buff *copy_skb = NULL;
782
			u8 ptype = nfc_llcp_ptype(skb);
783
			int ret;
784

785
			pr_debug("Sending pending skb\n");
786
			print_hex_dump_debug("LLCP Tx: ", DUMP_PREFIX_OFFSET,
787
					     16, 1, skb->data, skb->len, true);
788

789
			if (ptype == LLCP_PDU_I)
790
				copy_skb = skb_copy(skb, GFP_ATOMIC);
791

792
			__net_timestamp(skb);
793

794
			nfc_llcp_send_to_raw_sock(local, skb,
795
						  NFC_DIRECTION_TX);
796

797
			ret = nfc_data_exchange(local->dev, local->target_idx,
798
						skb, nfc_llcp_recv, local);
799

800
			if (ret) {
801
				kfree_skb(copy_skb);
802
				goto out;
803
			}
804

805
			if (ptype == LLCP_PDU_I && copy_skb)
806
				skb_queue_tail(&llcp_sock->tx_pending_queue,
807
					       copy_skb);
808
		}
809
	} else {
810
		nfc_llcp_send_symm(local->dev);
811
	}
812

813
out:
814
	mod_timer(&local->link_timer,
815
		  jiffies + msecs_to_jiffies(2 * local->remote_lto));
816
}
817

818
static struct nfc_llcp_sock *nfc_llcp_connecting_sock_get(struct nfc_llcp_local *local,
819
							  u8 ssap)
820
{
821
	struct sock *sk;
822
	struct nfc_llcp_sock *llcp_sock;
823

824
	read_lock(&local->connecting_sockets.lock);
825

826
	sk_for_each(sk, &local->connecting_sockets.head) {
827
		llcp_sock = nfc_llcp_sock(sk);
828

829
		if (llcp_sock->ssap == ssap) {
830
			sock_hold(&llcp_sock->sk);
831
			goto out;
832
		}
833
	}
834

835
	llcp_sock = NULL;
836

837
out:
838
	read_unlock(&local->connecting_sockets.lock);
839

840
	return llcp_sock;
841
}
842

843
static struct nfc_llcp_sock *nfc_llcp_sock_get_sn(struct nfc_llcp_local *local,
844
						  const u8 *sn, size_t sn_len)
845
{
846
	return nfc_llcp_sock_from_sn(local, sn, sn_len, true);
847
}
848

849
static const u8 *nfc_llcp_connect_sn(const struct sk_buff *skb, size_t *sn_len)
850
{
851
	u8 type, length;
852
	const u8 *tlv = &skb->data[2];
853
	size_t tlv_array_len = skb->len - LLCP_HEADER_SIZE, offset = 0;
854

855
	while (offset < tlv_array_len) {
856
		type = tlv[0];
857
		length = tlv[1];
858

859
		pr_debug("type 0x%x length %d\n", type, length);
860

861
		if (type == LLCP_TLV_SN) {
862
			*sn_len = length;
863
			return &tlv[2];
864
		}
865

866
		offset += length + 2;
867
		tlv += length + 2;
868
	}
869

870
	return NULL;
871
}
872

873
static void nfc_llcp_recv_ui(struct nfc_llcp_local *local,
874
			     struct sk_buff *skb)
875
{
876
	struct nfc_llcp_sock *llcp_sock;
877
	struct nfc_llcp_ui_cb *ui_cb;
878
	u8 dsap, ssap;
879

880
	dsap = nfc_llcp_dsap(skb);
881
	ssap = nfc_llcp_ssap(skb);
882

883
	ui_cb = nfc_llcp_ui_skb_cb(skb);
884
	ui_cb->dsap = dsap;
885
	ui_cb->ssap = ssap;
886

887
	pr_debug("%d %d\n", dsap, ssap);
888

889
	/* We're looking for a bound socket, not a client one */
890
	llcp_sock = nfc_llcp_sock_get(local, dsap, LLCP_SAP_SDP);
891
	if (llcp_sock == NULL || llcp_sock->sk.sk_type != SOCK_DGRAM)
892
		return;
893

894
	/* There is no sequence with UI frames */
895
	skb_pull(skb, LLCP_HEADER_SIZE);
896
	if (!sock_queue_rcv_skb(&llcp_sock->sk, skb)) {
897
		/*
898
		 * UI frames will be freed from the socket layer, so we
899
		 * need to keep them alive until someone receives them.
900
		 */
901
		skb_get(skb);
902
	} else {
903
		pr_err("Receive queue is full\n");
904
	}
905

906
	nfc_llcp_sock_put(llcp_sock);
907
}
908

909
static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
910
				  const struct sk_buff *skb)
911
{
912
	struct sock *new_sk, *parent;
913
	struct nfc_llcp_sock *sock, *new_sock;
914
	u8 dsap, ssap, reason;
915

916
	dsap = nfc_llcp_dsap(skb);
917
	ssap = nfc_llcp_ssap(skb);
918

919
	pr_debug("%d %d\n", dsap, ssap);
920

921
	if (dsap != LLCP_SAP_SDP) {
922
		sock = nfc_llcp_sock_get(local, dsap, LLCP_SAP_SDP);
923
		if (sock == NULL || sock->sk.sk_state != LLCP_LISTEN) {
924
			reason = LLCP_DM_NOBOUND;
925
			goto fail;
926
		}
927
	} else {
928
		const u8 *sn;
929
		size_t sn_len;
930

931
		sn = nfc_llcp_connect_sn(skb, &sn_len);
932
		if (sn == NULL) {
933
			reason = LLCP_DM_NOBOUND;
934
			goto fail;
935
		}
936

937
		pr_debug("Service name length %zu\n", sn_len);
938

939
		sock = nfc_llcp_sock_get_sn(local, sn, sn_len);
940
		if (sock == NULL) {
941
			reason = LLCP_DM_NOBOUND;
942
			goto fail;
943
		}
944
	}
945

946
	lock_sock(&sock->sk);
947

948
	parent = &sock->sk;
949

950
	if (sk_acceptq_is_full(parent)) {
951
		reason = LLCP_DM_REJ;
952
		release_sock(&sock->sk);
953
		sock_put(&sock->sk);
954
		goto fail;
955
	}
956

957
	if (sock->ssap == LLCP_SDP_UNBOUND) {
958
		u8 ssap = nfc_llcp_reserve_sdp_ssap(local);
959

960
		pr_debug("First client, reserving %d\n", ssap);
961

962
		if (ssap == LLCP_SAP_MAX) {
963
			reason = LLCP_DM_REJ;
964
			release_sock(&sock->sk);
965
			sock_put(&sock->sk);
966
			goto fail;
967
		}
968

969
		sock->ssap = ssap;
970
	}
971

972
	new_sk = nfc_llcp_sock_alloc(NULL, parent->sk_type, GFP_ATOMIC, 0);
973
	if (new_sk == NULL) {
974
		reason = LLCP_DM_REJ;
975
		release_sock(&sock->sk);
976
		sock_put(&sock->sk);
977
		goto fail;
978
	}
979

980
	new_sock = nfc_llcp_sock(new_sk);
981

982
	new_sock->local = nfc_llcp_local_get(local);
983
	if (!new_sock->local) {
984
		reason = LLCP_DM_REJ;
985
		sock_put(&new_sock->sk);
986
		release_sock(&sock->sk);
987
		sock_put(&sock->sk);
988
		goto fail;
989
	}
990

991
	new_sock->dev = local->dev;
992
	new_sock->rw = sock->rw;
993
	new_sock->miux = sock->miux;
994
	new_sock->nfc_protocol = sock->nfc_protocol;
995
	new_sock->dsap = ssap;
996
	new_sock->target_idx = local->target_idx;
997
	new_sock->parent = parent;
998
	new_sock->ssap = sock->ssap;
999
	if (sock->ssap < LLCP_LOCAL_NUM_SAP && sock->ssap >= LLCP_WKS_NUM_SAP) {
1000
		atomic_t *client_count;
1001

1002
		pr_debug("reserved_ssap %d for %p\n", sock->ssap, new_sock);
1003

1004
		client_count =
1005
			&local->local_sdp_cnt[sock->ssap - LLCP_WKS_NUM_SAP];
1006

1007
		atomic_inc(client_count);
1008
		new_sock->reserved_ssap = sock->ssap;
1009
	}
1010

1011
	nfc_llcp_parse_connection_tlv(new_sock, &skb->data[LLCP_HEADER_SIZE],
1012
				      skb->len - LLCP_HEADER_SIZE);
1013

1014
	pr_debug("new sock %p sk %p\n", new_sock, &new_sock->sk);
1015

1016
	nfc_llcp_sock_link(&local->sockets, new_sk);
1017

1018
	nfc_llcp_accept_enqueue(&sock->sk, new_sk);
1019

1020
	nfc_get_device(local->dev->idx);
1021

1022
	new_sk->sk_state = LLCP_CONNECTED;
1023

1024
	/* Wake the listening processes */
1025
	parent->sk_data_ready(parent);
1026

1027
	/* Send CC */
1028
	nfc_llcp_send_cc(new_sock);
1029

1030
	release_sock(&sock->sk);
1031
	sock_put(&sock->sk);
1032

1033
	return;
1034

1035
fail:
1036
	/* Send DM */
1037
	nfc_llcp_send_dm(local, dsap, ssap, reason);
1038
}
1039

1040
int nfc_llcp_queue_i_frames(struct nfc_llcp_sock *sock)
1041
{
1042
	int nr_frames = 0;
1043
	struct nfc_llcp_local *local = sock->local;
1044

1045
	pr_debug("Remote ready %d tx queue len %d remote rw %d",
1046
		 sock->remote_ready, skb_queue_len(&sock->tx_pending_queue),
1047
		 sock->remote_rw);
1048

1049
	/* Try to queue some I frames for transmission */
1050
	while (sock->remote_ready &&
1051
	       skb_queue_len(&sock->tx_pending_queue) < sock->remote_rw) {
1052
		struct sk_buff *pdu;
1053

1054
		pdu = skb_dequeue(&sock->tx_queue);
1055
		if (pdu == NULL)
1056
			break;
1057

1058
		/* Update N(S)/N(R) */
1059
		nfc_llcp_set_nrns(sock, pdu);
1060

1061
		skb_queue_tail(&local->tx_queue, pdu);
1062
		nr_frames++;
1063
	}
1064

1065
	return nr_frames;
1066
}
1067

1068
static void nfc_llcp_recv_hdlc(struct nfc_llcp_local *local,
1069
			       struct sk_buff *skb)
1070
{
1071
	struct nfc_llcp_sock *llcp_sock;
1072
	struct sock *sk;
1073
	u8 dsap, ssap, ptype, ns, nr;
1074

1075
	ptype = nfc_llcp_ptype(skb);
1076
	dsap = nfc_llcp_dsap(skb);
1077
	ssap = nfc_llcp_ssap(skb);
1078
	ns = nfc_llcp_ns(skb);
1079
	nr = nfc_llcp_nr(skb);
1080

1081
	pr_debug("%d %d R %d S %d\n", dsap, ssap, nr, ns);
1082

1083
	llcp_sock = nfc_llcp_sock_get(local, dsap, ssap);
1084
	if (llcp_sock == NULL) {
1085
		nfc_llcp_send_dm(local, dsap, ssap, LLCP_DM_NOCONN);
1086
		return;
1087
	}
1088

1089
	sk = &llcp_sock->sk;
1090
	lock_sock(sk);
1091
	if (sk->sk_state == LLCP_CLOSED) {
1092
		release_sock(sk);
1093
		nfc_llcp_sock_put(llcp_sock);
1094
	}
1095

1096
	/* Pass the payload upstream */
1097
	if (ptype == LLCP_PDU_I) {
1098
		pr_debug("I frame, queueing on %p\n", &llcp_sock->sk);
1099

1100
		if (ns == llcp_sock->recv_n)
1101
			llcp_sock->recv_n = (llcp_sock->recv_n + 1) % 16;
1102
		else
1103
			pr_err("Received out of sequence I PDU\n");
1104

1105
		skb_pull(skb, LLCP_HEADER_SIZE + LLCP_SEQUENCE_SIZE);
1106
		if (!sock_queue_rcv_skb(&llcp_sock->sk, skb)) {
1107
			/*
1108
			 * I frames will be freed from the socket layer, so we
1109
			 * need to keep them alive until someone receives them.
1110
			 */
1111
			skb_get(skb);
1112
		} else {
1113
			pr_err("Receive queue is full\n");
1114
		}
1115
	}
1116

1117
	/* Remove skbs from the pending queue */
1118
	if (llcp_sock->send_ack_n != nr) {
1119
		struct sk_buff *s, *tmp;
1120
		u8 n;
1121

1122
		llcp_sock->send_ack_n = nr;
1123

1124
		/* Remove and free all skbs until ns == nr */
1125
		skb_queue_walk_safe(&llcp_sock->tx_pending_queue, s, tmp) {
1126
			n = nfc_llcp_ns(s);
1127

1128
			skb_unlink(s, &llcp_sock->tx_pending_queue);
1129
			kfree_skb(s);
1130

1131
			if (n == nr)
1132
				break;
1133
		}
1134

1135
		/* Re-queue the remaining skbs for transmission */
1136
		skb_queue_reverse_walk_safe(&llcp_sock->tx_pending_queue,
1137
					    s, tmp) {
1138
			skb_unlink(s, &llcp_sock->tx_pending_queue);
1139
			skb_queue_head(&local->tx_queue, s);
1140
		}
1141
	}
1142

1143
	if (ptype == LLCP_PDU_RR)
1144
		llcp_sock->remote_ready = true;
1145
	else if (ptype == LLCP_PDU_RNR)
1146
		llcp_sock->remote_ready = false;
1147

1148
	if (nfc_llcp_queue_i_frames(llcp_sock) == 0 && ptype == LLCP_PDU_I)
1149
		nfc_llcp_send_rr(llcp_sock);
1150

1151
	release_sock(sk);
1152
	nfc_llcp_sock_put(llcp_sock);
1153
}
1154

1155
static void nfc_llcp_recv_disc(struct nfc_llcp_local *local,
1156
			       const struct sk_buff *skb)
1157
{
1158
	struct nfc_llcp_sock *llcp_sock;
1159
	struct sock *sk;
1160
	u8 dsap, ssap;
1161

1162
	dsap = nfc_llcp_dsap(skb);
1163
	ssap = nfc_llcp_ssap(skb);
1164

1165
	if ((dsap == 0) && (ssap == 0)) {
1166
		pr_debug("Connection termination");
1167
		nfc_dep_link_down(local->dev);
1168
		return;
1169
	}
1170

1171
	llcp_sock = nfc_llcp_sock_get(local, dsap, ssap);
1172
	if (llcp_sock == NULL) {
1173
		nfc_llcp_send_dm(local, dsap, ssap, LLCP_DM_NOCONN);
1174
		return;
1175
	}
1176

1177
	sk = &llcp_sock->sk;
1178
	lock_sock(sk);
1179

1180
	nfc_llcp_socket_purge(llcp_sock);
1181

1182
	if (sk->sk_state == LLCP_CLOSED) {
1183
		release_sock(sk);
1184
		nfc_llcp_sock_put(llcp_sock);
1185
	}
1186

1187
	if (sk->sk_state == LLCP_CONNECTED) {
1188
		nfc_put_device(local->dev);
1189
		sk->sk_state = LLCP_CLOSED;
1190
		sk->sk_state_change(sk);
1191
	}
1192

1193
	nfc_llcp_send_dm(local, dsap, ssap, LLCP_DM_DISC);
1194

1195
	release_sock(sk);
1196
	nfc_llcp_sock_put(llcp_sock);
1197
}
1198

1199
static void nfc_llcp_recv_cc(struct nfc_llcp_local *local,
1200
			     const struct sk_buff *skb)
1201
{
1202
	struct nfc_llcp_sock *llcp_sock;
1203
	struct sock *sk;
1204
	u8 dsap, ssap;
1205

1206
	dsap = nfc_llcp_dsap(skb);
1207
	ssap = nfc_llcp_ssap(skb);
1208

1209
	llcp_sock = nfc_llcp_connecting_sock_get(local, dsap);
1210
	if (llcp_sock == NULL) {
1211
		pr_err("Invalid CC\n");
1212
		nfc_llcp_send_dm(local, dsap, ssap, LLCP_DM_NOCONN);
1213

1214
		return;
1215
	}
1216

1217
	sk = &llcp_sock->sk;
1218

1219
	/* Unlink from connecting and link to the client array */
1220
	nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
1221
	nfc_llcp_sock_link(&local->sockets, sk);
1222
	llcp_sock->dsap = ssap;
1223

1224
	nfc_llcp_parse_connection_tlv(llcp_sock, &skb->data[LLCP_HEADER_SIZE],
1225
				      skb->len - LLCP_HEADER_SIZE);
1226

1227
	sk->sk_state = LLCP_CONNECTED;
1228
	sk->sk_state_change(sk);
1229

1230
	nfc_llcp_sock_put(llcp_sock);
1231
}
1232

1233
static void nfc_llcp_recv_dm(struct nfc_llcp_local *local,
1234
			     const struct sk_buff *skb)
1235
{
1236
	struct nfc_llcp_sock *llcp_sock;
1237
	struct sock *sk;
1238
	u8 dsap, ssap, reason;
1239

1240
	dsap = nfc_llcp_dsap(skb);
1241
	ssap = nfc_llcp_ssap(skb);
1242
	reason = skb->data[2];
1243

1244
	pr_debug("%d %d reason %d\n", ssap, dsap, reason);
1245

1246
	switch (reason) {
1247
	case LLCP_DM_NOBOUND:
1248
	case LLCP_DM_REJ:
1249
		llcp_sock = nfc_llcp_connecting_sock_get(local, dsap);
1250
		break;
1251

1252
	default:
1253
		llcp_sock = nfc_llcp_sock_get(local, dsap, ssap);
1254
		break;
1255
	}
1256

1257
	if (llcp_sock == NULL) {
1258
		pr_debug("Already closed\n");
1259
		return;
1260
	}
1261

1262
	sk = &llcp_sock->sk;
1263

1264
	sk->sk_err = ENXIO;
1265
	sk->sk_state = LLCP_CLOSED;
1266
	sk->sk_state_change(sk);
1267

1268
	nfc_llcp_sock_put(llcp_sock);
1269
}
1270

1271
static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
1272
			      const struct sk_buff *skb)
1273
{
1274
	struct nfc_llcp_sock *llcp_sock;
1275
	u8 dsap, ssap, type, length, tid, sap;
1276
	const u8 *tlv;
1277
	u16 tlv_len, offset;
1278
	const char *service_name;
1279
	size_t service_name_len;
1280
	struct nfc_llcp_sdp_tlv *sdp;
1281
	HLIST_HEAD(llc_sdres_list);
1282
	size_t sdres_tlvs_len;
1283
	HLIST_HEAD(nl_sdres_list);
1284

1285
	dsap = nfc_llcp_dsap(skb);
1286
	ssap = nfc_llcp_ssap(skb);
1287

1288
	pr_debug("%d %d\n", dsap, ssap);
1289

1290
	if (dsap != LLCP_SAP_SDP || ssap != LLCP_SAP_SDP) {
1291
		pr_err("Wrong SNL SAP\n");
1292
		return;
1293
	}
1294

1295
	tlv = &skb->data[LLCP_HEADER_SIZE];
1296
	tlv_len = skb->len - LLCP_HEADER_SIZE;
1297
	offset = 0;
1298
	sdres_tlvs_len = 0;
1299

1300
	while (offset < tlv_len) {
1301
		type = tlv[0];
1302
		length = tlv[1];
1303

1304
		switch (type) {
1305
		case LLCP_TLV_SDREQ:
1306
			tid = tlv[2];
1307
			service_name = (char *) &tlv[3];
1308
			service_name_len = length - 1;
1309

1310
			pr_debug("Looking for %.16s\n", service_name);
1311

1312
			if (service_name_len == strlen("urn:nfc:sn:sdp") &&
1313
			    !strncmp(service_name, "urn:nfc:sn:sdp",
1314
				     service_name_len)) {
1315
				sap = 1;
1316
				goto add_snl;
1317
			}
1318

1319
			llcp_sock = nfc_llcp_sock_from_sn(local, service_name,
1320
							  service_name_len,
1321
							  true);
1322
			if (!llcp_sock) {
1323
				sap = 0;
1324
				goto add_snl;
1325
			}
1326

1327
			/*
1328
			 * We found a socket but its ssap has not been reserved
1329
			 * yet. We need to assign it for good and send a reply.
1330
			 * The ssap will be freed when the socket is closed.
1331
			 */
1332
			if (llcp_sock->ssap == LLCP_SDP_UNBOUND) {
1333
				atomic_t *client_count;
1334

1335
				sap = nfc_llcp_reserve_sdp_ssap(local);
1336

1337
				pr_debug("Reserving %d\n", sap);
1338

1339
				if (sap == LLCP_SAP_MAX) {
1340
					sap = 0;
1341
					nfc_llcp_sock_put(llcp_sock);
1342
					goto add_snl;
1343
				}
1344

1345
				client_count =
1346
					&local->local_sdp_cnt[sap -
1347
							      LLCP_WKS_NUM_SAP];
1348

1349
				atomic_inc(client_count);
1350

1351
				llcp_sock->ssap = sap;
1352
				llcp_sock->reserved_ssap = sap;
1353
			} else {
1354
				sap = llcp_sock->ssap;
1355
			}
1356

1357
			pr_debug("%p %d\n", llcp_sock, sap);
1358

1359
			nfc_llcp_sock_put(llcp_sock);
1360
add_snl:
1361
			sdp = nfc_llcp_build_sdres_tlv(tid, sap);
1362
			if (sdp == NULL)
1363
				goto exit;
1364

1365
			sdres_tlvs_len += sdp->tlv_len;
1366
			hlist_add_head(&sdp->node, &llc_sdres_list);
1367
			break;
1368

1369
		case LLCP_TLV_SDRES:
1370
			mutex_lock(&local->sdreq_lock);
1371

1372
			pr_debug("LLCP_TLV_SDRES: searching tid %d\n", tlv[2]);
1373

1374
			hlist_for_each_entry(sdp, &local->pending_sdreqs, node) {
1375
				if (sdp->tid != tlv[2])
1376
					continue;
1377

1378
				sdp->sap = tlv[3];
1379

1380
				pr_debug("Found: uri=%s, sap=%d\n",
1381
					 sdp->uri, sdp->sap);
1382

1383
				hlist_del(&sdp->node);
1384

1385
				hlist_add_head(&sdp->node, &nl_sdres_list);
1386

1387
				break;
1388
			}
1389

1390
			mutex_unlock(&local->sdreq_lock);
1391
			break;
1392

1393
		default:
1394
			pr_err("Invalid SNL tlv value 0x%x\n", type);
1395
			break;
1396
		}
1397

1398
		offset += length + 2;
1399
		tlv += length + 2;
1400
	}
1401

1402
exit:
1403
	if (!hlist_empty(&nl_sdres_list))
1404
		nfc_genl_llc_send_sdres(local->dev, &nl_sdres_list);
1405

1406
	if (!hlist_empty(&llc_sdres_list))
1407
		nfc_llcp_send_snl_sdres(local, &llc_sdres_list, sdres_tlvs_len);
1408
}
1409

1410
static void nfc_llcp_recv_agf(struct nfc_llcp_local *local, struct sk_buff *skb)
1411
{
1412
	u8 ptype;
1413
	u16 pdu_len;
1414
	struct sk_buff *new_skb;
1415

1416
	if (skb->len <= LLCP_HEADER_SIZE) {
1417
		pr_err("Malformed AGF PDU\n");
1418
		return;
1419
	}
1420

1421
	skb_pull(skb, LLCP_HEADER_SIZE);
1422

1423
	while (skb->len > LLCP_AGF_PDU_HEADER_SIZE) {
1424
		pdu_len = skb->data[0] << 8 | skb->data[1];
1425

1426
		skb_pull(skb, LLCP_AGF_PDU_HEADER_SIZE);
1427

1428
		if (pdu_len < LLCP_HEADER_SIZE || pdu_len > skb->len) {
1429
			pr_err("Malformed AGF PDU\n");
1430
			return;
1431
		}
1432

1433
		ptype = nfc_llcp_ptype(skb);
1434

1435
		if (ptype == LLCP_PDU_SYMM || ptype == LLCP_PDU_AGF)
1436
			goto next;
1437

1438
		new_skb = nfc_alloc_recv_skb(pdu_len, GFP_KERNEL);
1439
		if (new_skb == NULL) {
1440
			pr_err("Could not allocate PDU\n");
1441
			return;
1442
		}
1443

1444
		skb_put_data(new_skb, skb->data, pdu_len);
1445

1446
		nfc_llcp_rx_skb(local, new_skb);
1447

1448
		kfree_skb(new_skb);
1449
next:
1450
		skb_pull(skb, pdu_len);
1451
	}
1452
}
1453

1454
static void nfc_llcp_rx_skb(struct nfc_llcp_local *local, struct sk_buff *skb)
1455
{
1456
	u8 dsap, ssap, ptype;
1457

1458
	ptype = nfc_llcp_ptype(skb);
1459
	dsap = nfc_llcp_dsap(skb);
1460
	ssap = nfc_llcp_ssap(skb);
1461

1462
	pr_debug("ptype 0x%x dsap 0x%x ssap 0x%x\n", ptype, dsap, ssap);
1463

1464
	if (ptype != LLCP_PDU_SYMM)
1465
		print_hex_dump_debug("LLCP Rx: ", DUMP_PREFIX_OFFSET, 16, 1,
1466
				     skb->data, skb->len, true);
1467

1468
	switch (ptype) {
1469
	case LLCP_PDU_SYMM:
1470
		pr_debug("SYMM\n");
1471
		break;
1472

1473
	case LLCP_PDU_UI:
1474
		pr_debug("UI\n");
1475
		nfc_llcp_recv_ui(local, skb);
1476
		break;
1477

1478
	case LLCP_PDU_CONNECT:
1479
		pr_debug("CONNECT\n");
1480
		nfc_llcp_recv_connect(local, skb);
1481
		break;
1482

1483
	case LLCP_PDU_DISC:
1484
		pr_debug("DISC\n");
1485
		nfc_llcp_recv_disc(local, skb);
1486
		break;
1487

1488
	case LLCP_PDU_CC:
1489
		pr_debug("CC\n");
1490
		nfc_llcp_recv_cc(local, skb);
1491
		break;
1492

1493
	case LLCP_PDU_DM:
1494
		pr_debug("DM\n");
1495
		nfc_llcp_recv_dm(local, skb);
1496
		break;
1497

1498
	case LLCP_PDU_SNL:
1499
		pr_debug("SNL\n");
1500
		nfc_llcp_recv_snl(local, skb);
1501
		break;
1502

1503
	case LLCP_PDU_I:
1504
	case LLCP_PDU_RR:
1505
	case LLCP_PDU_RNR:
1506
		pr_debug("I frame\n");
1507
		nfc_llcp_recv_hdlc(local, skb);
1508
		break;
1509

1510
	case LLCP_PDU_AGF:
1511
		pr_debug("AGF frame\n");
1512
		nfc_llcp_recv_agf(local, skb);
1513
		break;
1514
	}
1515
}
1516

1517
static void nfc_llcp_rx_work(struct work_struct *work)
1518
{
1519
	struct nfc_llcp_local *local = container_of(work, struct nfc_llcp_local,
1520
						    rx_work);
1521
	struct sk_buff *skb;
1522

1523
	skb = local->rx_pending;
1524
	if (skb == NULL) {
1525
		pr_debug("No pending SKB\n");
1526
		return;
1527
	}
1528

1529
	__net_timestamp(skb);
1530

1531
	nfc_llcp_send_to_raw_sock(local, skb, NFC_DIRECTION_RX);
1532

1533
	nfc_llcp_rx_skb(local, skb);
1534

1535
	schedule_work(&local->tx_work);
1536
	kfree_skb(local->rx_pending);
1537
	local->rx_pending = NULL;
1538
}
1539

1540
static void __nfc_llcp_recv(struct nfc_llcp_local *local, struct sk_buff *skb)
1541
{
1542
	local->rx_pending = skb;
1543
	timer_delete(&local->link_timer);
1544
	schedule_work(&local->rx_work);
1545
}
1546

1547
void nfc_llcp_recv(void *data, struct sk_buff *skb, int err)
1548
{
1549
	struct nfc_llcp_local *local = (struct nfc_llcp_local *) data;
1550

1551
	if (err < 0) {
1552
		pr_err("LLCP PDU receive err %d\n", err);
1553
		return;
1554
	}
1555

1556
	__nfc_llcp_recv(local, skb);
1557
}
1558

1559
int nfc_llcp_data_received(struct nfc_dev *dev, struct sk_buff *skb)
1560
{
1561
	struct nfc_llcp_local *local;
1562

1563
	local = nfc_llcp_find_local(dev);
1564
	if (local == NULL) {
1565
		kfree_skb(skb);
1566
		return -ENODEV;
1567
	}
1568

1569
	__nfc_llcp_recv(local, skb);
1570

1571
	nfc_llcp_local_put(local);
1572

1573
	return 0;
1574
}
1575

1576
void nfc_llcp_mac_is_down(struct nfc_dev *dev)
1577
{
1578
	struct nfc_llcp_local *local;
1579

1580
	local = nfc_llcp_find_local(dev);
1581
	if (local == NULL)
1582
		return;
1583

1584
	local->remote_miu = LLCP_DEFAULT_MIU;
1585
	local->remote_lto = LLCP_DEFAULT_LTO;
1586

1587
	/* Close and purge all existing sockets */
1588
	nfc_llcp_socket_release(local, true, 0);
1589

1590
	nfc_llcp_local_put(local);
1591
}
1592

1593
void nfc_llcp_mac_is_up(struct nfc_dev *dev, u32 target_idx,
1594
			u8 comm_mode, u8 rf_mode)
1595
{
1596
	struct nfc_llcp_local *local;
1597

1598
	pr_debug("rf mode %d\n", rf_mode);
1599

1600
	local = nfc_llcp_find_local(dev);
1601
	if (local == NULL)
1602
		return;
1603

1604
	local->target_idx = target_idx;
1605
	local->comm_mode = comm_mode;
1606
	local->rf_mode = rf_mode;
1607

1608
	if (rf_mode == NFC_RF_INITIATOR) {
1609
		pr_debug("Queueing Tx work\n");
1610

1611
		schedule_work(&local->tx_work);
1612
	} else {
1613
		mod_timer(&local->link_timer,
1614
			  jiffies + msecs_to_jiffies(local->remote_lto));
1615
	}
1616

1617
	nfc_llcp_local_put(local);
1618
}
1619

1620
int nfc_llcp_register_device(struct nfc_dev *ndev)
1621
{
1622
	struct nfc_llcp_local *local;
1623

1624
	local = kzalloc(sizeof(struct nfc_llcp_local), GFP_KERNEL);
1625
	if (local == NULL)
1626
		return -ENOMEM;
1627

1628
	/* As we are going to initialize local's refcount, we need to get the
1629
	 * nfc_dev to avoid UAF, otherwise there is no point in continuing.
1630
	 * See nfc_llcp_local_get().
1631
	 */
1632
	local->dev = nfc_get_device(ndev->idx);
1633
	if (!local->dev) {
1634
		kfree(local);
1635
		return -ENODEV;
1636
	}
1637

1638
	INIT_LIST_HEAD(&local->list);
1639
	kref_init(&local->ref);
1640
	mutex_init(&local->sdp_lock);
1641
	timer_setup(&local->link_timer, nfc_llcp_symm_timer, 0);
1642

1643
	skb_queue_head_init(&local->tx_queue);
1644
	INIT_WORK(&local->tx_work, nfc_llcp_tx_work);
1645

1646
	local->rx_pending = NULL;
1647
	INIT_WORK(&local->rx_work, nfc_llcp_rx_work);
1648

1649
	INIT_WORK(&local->timeout_work, nfc_llcp_timeout_work);
1650

1651
	rwlock_init(&local->sockets.lock);
1652
	rwlock_init(&local->connecting_sockets.lock);
1653
	rwlock_init(&local->raw_sockets.lock);
1654

1655
	local->lto = 150; /* 1500 ms */
1656
	local->rw = LLCP_MAX_RW;
1657
	local->miux = cpu_to_be16(LLCP_MAX_MIUX);
1658
	local->local_wks = 0x1; /* LLC Link Management */
1659

1660
	nfc_llcp_build_gb(local);
1661

1662
	local->remote_miu = LLCP_DEFAULT_MIU;
1663
	local->remote_lto = LLCP_DEFAULT_LTO;
1664

1665
	mutex_init(&local->sdreq_lock);
1666
	INIT_HLIST_HEAD(&local->pending_sdreqs);
1667
	timer_setup(&local->sdreq_timer, nfc_llcp_sdreq_timer, 0);
1668
	INIT_WORK(&local->sdreq_timeout_work, nfc_llcp_sdreq_timeout_work);
1669

1670
	spin_lock(&llcp_devices_lock);
1671
	list_add(&local->list, &llcp_devices);
1672
	spin_unlock(&llcp_devices_lock);
1673

1674
	return 0;
1675
}
1676

1677
void nfc_llcp_unregister_device(struct nfc_dev *dev)
1678
{
1679
	struct nfc_llcp_local *local = nfc_llcp_remove_local(dev);
1680

1681
	if (local == NULL) {
1682
		pr_debug("No such device\n");
1683
		return;
1684
	}
1685

1686
	local_cleanup(local);
1687

1688
	nfc_llcp_local_put(local);
1689
}
1690

1691
int __init nfc_llcp_init(void)
1692
{
1693
	return nfc_llcp_sock_init();
1694
}
1695

1696
void nfc_llcp_exit(void)
1697
{
1698
	nfc_llcp_sock_exit();
1699
}
1700

1701