1
// SPDX-License-Identifier: GPL-2.0-or-later
2
/*
3
 * Copyright (C) 2011  Intel Corporation. All rights reserved.
4
 * Copyright (C) 2014 Marvell International Ltd.
5
 */
6

7
#define pr_fmt(fmt) "llcp: %s: " fmt, __func__
8

9
#include <linux/init.h>
10
#include <linux/kernel.h>
11
#include <linux/list.h>
12
#include <linux/nfc.h>
13

14
#include "nfc.h"
15
#include "llcp.h"
16

17
static u8 llcp_magic[3] = {0x46, 0x66, 0x6d};
18

19
static LIST_HEAD(llcp_devices);
20
/* Protects llcp_devices list */
21
static DEFINE_SPINLOCK(llcp_devices_lock);
22

23
static void nfc_llcp_rx_skb(struct nfc_llcp_local *local, struct sk_buff *skb);
24

25
void nfc_llcp_sock_link(struct llcp_sock_list *l, struct sock *sk)
26
{
27
	write_lock(&l->lock);
28
	sk_add_node(sk, &l->head);
29
	write_unlock(&l->lock);
30
}
31

32
void nfc_llcp_sock_unlink(struct llcp_sock_list *l, struct sock *sk)
33
{
34
	write_lock(&l->lock);
35
	sk_del_node_init(sk);
36
	write_unlock(&l->lock);
37
}
38

39
void nfc_llcp_socket_remote_param_init(struct nfc_llcp_sock *sock)
40
{
41
	sock->remote_rw = LLCP_DEFAULT_RW;
42
	sock->remote_miu = LLCP_MAX_MIU + 1;
43
}
44

45
static void nfc_llcp_socket_purge(struct nfc_llcp_sock *sock)
46
{
47
	struct nfc_llcp_local *local = sock->local;
48
	struct sk_buff *s, *tmp;
49

50
	skb_queue_purge(&sock->tx_queue);
51
	skb_queue_purge(&sock->tx_pending_queue);
52

53
	if (local == NULL)
54
		return;
55

56
	/* Search for local pending SKBs that are related to this socket */
57
	skb_queue_walk_safe(&local->tx_queue, s, tmp) {
58
		if (s->sk != &sock->sk)
59
			continue;
60

61
		skb_unlink(s, &local->tx_queue);
62
		kfree_skb(s);
63
	}
64
}
65

66
static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
67
				    int err)
68
{
69
	struct sock *sk;
70
	struct hlist_node *tmp;
71
	struct nfc_llcp_sock *llcp_sock;
72

73
	skb_queue_purge(&local->tx_queue);
74

75
	write_lock(&local->sockets.lock);
76

77
	sk_for_each_safe(sk, tmp, &local->sockets.head) {
78
		llcp_sock = nfc_llcp_sock(sk);
79

80
		bh_lock_sock(sk);
81

82
		nfc_llcp_socket_purge(llcp_sock);
83

84
		if (sk->sk_state == LLCP_CONNECTED)
85
			nfc_put_device(llcp_sock->dev);
86

87
		if (sk->sk_state == LLCP_LISTEN) {
88
			struct nfc_llcp_sock *lsk, *n;
89
			struct sock *accept_sk;
90

91
			list_for_each_entry_safe(lsk, n,
92
						 &llcp_sock->accept_queue,
93
						 accept_queue) {
94
				accept_sk = &lsk->sk;
95
				bh_lock_sock(accept_sk);
96

97
				nfc_llcp_accept_unlink(accept_sk);
98

99
				if (err)
100
					accept_sk->sk_err = err;
101
				accept_sk->sk_state = LLCP_CLOSED;
102
				accept_sk->sk_state_change(sk);
103

104
				bh_unlock_sock(accept_sk);
105
			}
106
		}
107

108
		if (err)
109
			sk->sk_err = err;
110
		sk->sk_state = LLCP_CLOSED;
111
		sk->sk_state_change(sk);
112

113
		bh_unlock_sock(sk);
114

115
		sk_del_node_init(sk);
116
	}
117

118
	write_unlock(&local->sockets.lock);
119

120
	/* If we still have a device, we keep the RAW sockets alive */
121
	if (device == true)
122
		return;
123

124
	write_lock(&local->raw_sockets.lock);
125

126
	sk_for_each_safe(sk, tmp, &local->raw_sockets.head) {
127
		llcp_sock = nfc_llcp_sock(sk);
128

129
		bh_lock_sock(sk);
130

131
		nfc_llcp_socket_purge(llcp_sock);
132

133
		if (err)
134
			sk->sk_err = err;
135
		sk->sk_state = LLCP_CLOSED;
136
		sk->sk_state_change(sk);
137

138
		bh_unlock_sock(sk);
139

140
		sk_del_node_init(sk);
141
	}
142

143
	write_unlock(&local->raw_sockets.lock);
144
}
145

146
static struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local)
147
{
148
	/* Since using nfc_llcp_local may result in usage of nfc_dev, whenever
149
	 * we hold a reference to local, we also need to hold a reference to
150
	 * the device to avoid UAF.
151
	 */
152
	if (!nfc_get_device(local->dev->idx))
153
		return NULL;
154

155
	kref_get(&local->ref);
156

157
	return local;
158
}
159

160
static void local_cleanup(struct nfc_llcp_local *local)
161
{
162
	nfc_llcp_socket_release(local, false, ENXIO);
163
	timer_delete_sync(&local->link_timer);
164
	skb_queue_purge(&local->tx_queue);
165
	cancel_work_sync(&local->tx_work);
166
	cancel_work_sync(&local->rx_work);
167
	cancel_work_sync(&local->timeout_work);
168
	kfree_skb(local->rx_pending);
169
	local->rx_pending = NULL;
170
	timer_delete_sync(&local->sdreq_timer);
171
	cancel_work_sync(&local->sdreq_timeout_work);
172
	nfc_llcp_free_sdp_tlv_list(&local->pending_sdreqs);
173
}
174

175
static void local_release(struct kref *ref)
176
{
177
	struct nfc_llcp_local *local;
178

179
	local = container_of(ref, struct nfc_llcp_local, ref);
180

181
	local_cleanup(local);
182
	kfree(local);
183
}
184

185
int nfc_llcp_local_put(struct nfc_llcp_local *local)
186
{
187
	struct nfc_dev *dev;
188
	int ret;
189

190
	if (local == NULL)
191
		return 0;
192

193
	dev = local->dev;
194

195
	ret = kref_put(&local->ref, local_release);
196
	nfc_put_device(dev);
197

198
	return ret;
199
}
200

201
static struct nfc_llcp_sock *nfc_llcp_sock_get(struct nfc_llcp_local *local,
202
					       u8 ssap, u8 dsap)
203
{
204
	struct sock *sk;
205
	struct nfc_llcp_sock *llcp_sock, *tmp_sock;
206

207
	pr_debug("ssap dsap %d %d\n", ssap, dsap);
208

209
	if (ssap == 0 && dsap == 0)
210
		return NULL;
211

212
	read_lock(&local->sockets.lock);
213

214
	llcp_sock = NULL;
215

216
	sk_for_each(sk, &local->sockets.head) {
217
		tmp_sock = nfc_llcp_sock(sk);
218

219
		if (tmp_sock->ssap == ssap && tmp_sock->dsap == dsap) {
220
			llcp_sock = tmp_sock;
221
			sock_hold(&llcp_sock->sk);
222
			break;
223
		}
224
	}
225

226
	read_unlock(&local->sockets.lock);
227

228
	return llcp_sock;
229
}
230

231
static void nfc_llcp_sock_put(struct nfc_llcp_sock *sock)
232
{
233
	sock_put(&sock->sk);
234
}
235

236
static void nfc_llcp_timeout_work(struct work_struct *work)
237
{
238
	struct nfc_llcp_local *local = container_of(work, struct nfc_llcp_local,
239
						    timeout_work);
240

241
	nfc_dep_link_down(local->dev);
242
}
243

244
static void nfc_llcp_symm_timer(struct timer_list *t)
245
{
246
	struct nfc_llcp_local *local = timer_container_of(local, t,
247
							  link_timer);
248

249
	pr_err("SYMM timeout\n");
250

251
	schedule_work(&local->timeout_work);
252
}
253

254
static void nfc_llcp_sdreq_timeout_work(struct work_struct *work)
255
{
256
	unsigned long time;
257
	HLIST_HEAD(nl_sdres_list);
258
	struct hlist_node *n;
259
	struct nfc_llcp_sdp_tlv *sdp;
260
	struct nfc_llcp_local *local = container_of(work, struct nfc_llcp_local,
261
						    sdreq_timeout_work);
262

263
	mutex_lock(&local->sdreq_lock);
264

265
	time = jiffies - msecs_to_jiffies(3 * local->remote_lto);
266

267
	hlist_for_each_entry_safe(sdp, n, &local->pending_sdreqs, node) {
268
		if (time_after(sdp->time, time))
269
			continue;
270

271
		sdp->sap = LLCP_SDP_UNBOUND;
272

273
		hlist_del(&sdp->node);
274

275
		hlist_add_head(&sdp->node, &nl_sdres_list);
276
	}
277

278
	if (!hlist_empty(&local->pending_sdreqs))
279
		mod_timer(&local->sdreq_timer,
280
			  jiffies + msecs_to_jiffies(3 * local->remote_lto));
281

282
	mutex_unlock(&local->sdreq_lock);
283

284
	if (!hlist_empty(&nl_sdres_list))
285
		nfc_genl_llc_send_sdres(local->dev, &nl_sdres_list);
286
}
287

288
static void nfc_llcp_sdreq_timer(struct timer_list *t)
289
{
290
	struct nfc_llcp_local *local = timer_container_of(local, t,
291
							  sdreq_timer);
292

293
	schedule_work(&local->sdreq_timeout_work);
294
}
295

296
struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev)
297
{
298
	struct nfc_llcp_local *local;
299
	struct nfc_llcp_local *res = NULL;
300

301
	spin_lock(&llcp_devices_lock);
302
	list_for_each_entry(local, &llcp_devices, list)
303
		if (local->dev == dev) {
304
			res = nfc_llcp_local_get(local);
305
			break;
306
		}
307
	spin_unlock(&llcp_devices_lock);
308

309
	return res;
310
}
311

312
static struct nfc_llcp_local *nfc_llcp_remove_local(struct nfc_dev *dev)
313
{
314
	struct nfc_llcp_local *local, *tmp;
315

316
	spin_lock(&llcp_devices_lock);
317
	list_for_each_entry_safe(local, tmp, &llcp_devices, list)
318
		if (local->dev == dev) {
319
			list_del(&local->list);
320
			spin_unlock(&llcp_devices_lock);
321
			return local;
322
		}
323
	spin_unlock(&llcp_devices_lock);
324

325
	pr_warn("Shutting down device not found\n");
326

327
	return NULL;
328
}
329

330
static char *wks[] = {
331
	NULL,
332
	NULL, /* SDP */
333
	"urn:nfc:sn:ip",
334
	"urn:nfc:sn:obex",
335
	"urn:nfc:sn:snep",
336
};
337

338
static int nfc_llcp_wks_sap(const char *service_name, size_t service_name_len)
339
{
340
	int sap, num_wks;
341

342
	pr_debug("%s\n", service_name);
343

344
	if (service_name == NULL)
345
		return -EINVAL;
346

347
	num_wks = ARRAY_SIZE(wks);
348

349
	for (sap = 0; sap < num_wks; sap++) {
350
		if (wks[sap] == NULL)
351
			continue;
352

353
		if (strncmp(wks[sap], service_name, service_name_len) == 0)
354
			return sap;
355
	}
356

357
	return -EINVAL;
358
}
359

360
static
361
struct nfc_llcp_sock *nfc_llcp_sock_from_sn(struct nfc_llcp_local *local,
362
					    const u8 *sn, size_t sn_len,
363
					    bool needref)
364
{
365
	struct sock *sk;
366
	struct nfc_llcp_sock *llcp_sock, *tmp_sock;
367

368
	pr_debug("sn %zd %p\n", sn_len, sn);
369

370
	if (sn == NULL || sn_len == 0)
371
		return NULL;
372

373
	read_lock(&local->sockets.lock);
374

375
	llcp_sock = NULL;
376

377
	sk_for_each(sk, &local->sockets.head) {
378
		tmp_sock = nfc_llcp_sock(sk);
379

380
		pr_debug("llcp sock %p\n", tmp_sock);
381

382
		if (tmp_sock->sk.sk_type == SOCK_STREAM &&
383
		    tmp_sock->sk.sk_state != LLCP_LISTEN)
384
			continue;
385

386
		if (tmp_sock->sk.sk_type == SOCK_DGRAM &&
387
		    tmp_sock->sk.sk_state != LLCP_BOUND)
388
			continue;
389

390
		if (tmp_sock->service_name == NULL ||
391
		    tmp_sock->service_name_len == 0)
392
			continue;
393

394
		if (tmp_sock->service_name_len != sn_len)
395
			continue;
396

397
		if (memcmp(sn, tmp_sock->service_name, sn_len) == 0) {
398
			llcp_sock = tmp_sock;
399
			if (needref)
400
				sock_hold(&llcp_sock->sk);
401
			break;
402
		}
403
	}
404

405
	read_unlock(&local->sockets.lock);
406

407
	pr_debug("Found llcp sock %p\n", llcp_sock);
408

409
	return llcp_sock;
410
}
411

412
u8 nfc_llcp_get_sdp_ssap(struct nfc_llcp_local *local,
413
			 struct nfc_llcp_sock *sock)
414
{
415
	mutex_lock(&local->sdp_lock);
416

417
	if (sock->service_name != NULL && sock->service_name_len > 0) {
418
		int ssap = nfc_llcp_wks_sap(sock->service_name,
419
					    sock->service_name_len);
420

421
		if (ssap > 0) {
422
			pr_debug("WKS %d\n", ssap);
423

424
			/* This is a WKS, let's check if it's free */
425
			if (test_bit(ssap, &local->local_wks)) {
426
				mutex_unlock(&local->sdp_lock);
427

428
				return LLCP_SAP_MAX;
429
			}
430

431
			set_bit(ssap, &local->local_wks);
432
			mutex_unlock(&local->sdp_lock);
433

434
			return ssap;
435
		}
436

437
		/*
438
		 * Check if there already is a non WKS socket bound
439
		 * to this service name.
440
		 */
441
		if (nfc_llcp_sock_from_sn(local, sock->service_name,
442
					  sock->service_name_len,
443
					  false) != NULL) {
444
			mutex_unlock(&local->sdp_lock);
445

446
			return LLCP_SAP_MAX;
447
		}
448

449
		mutex_unlock(&local->sdp_lock);
450

451
		return LLCP_SDP_UNBOUND;
452

453
	} else if (sock->ssap != 0 && sock->ssap < LLCP_WKS_NUM_SAP) {
454
		if (!test_bit(sock->ssap, &local->local_wks)) {
455
			set_bit(sock->ssap, &local->local_wks);
456
			mutex_unlock(&local->sdp_lock);
457

458
			return sock->ssap;
459
		}
460
	}
461

462
	mutex_unlock(&local->sdp_lock);
463

464
	return LLCP_SAP_MAX;
465
}
466

467
u8 nfc_llcp_get_local_ssap(struct nfc_llcp_local *local)
468
{
469
	u8 local_ssap;
470

471
	mutex_lock(&local->sdp_lock);
472

473
	local_ssap = find_first_zero_bit(&local->local_sap, LLCP_LOCAL_NUM_SAP);
474
	if (local_ssap == LLCP_LOCAL_NUM_SAP) {
475
		mutex_unlock(&local->sdp_lock);
476
		return LLCP_SAP_MAX;
477
	}
478

479
	set_bit(local_ssap, &local->local_sap);
480

481
	mutex_unlock(&local->sdp_lock);
482

483
	return local_ssap + LLCP_LOCAL_SAP_OFFSET;
484
}
485

486
void nfc_llcp_put_ssap(struct nfc_llcp_local *local, u8 ssap)
487
{
488
	u8 local_ssap;
489
	unsigned long *sdp;
490

491
	if (ssap < LLCP_WKS_NUM_SAP) {
492
		local_ssap = ssap;
493
		sdp = &local->local_wks;
494
	} else if (ssap < LLCP_LOCAL_NUM_SAP) {
495
		atomic_t *client_cnt;
496

497
		local_ssap = ssap - LLCP_WKS_NUM_SAP;
498
		sdp = &local->local_sdp;
499
		client_cnt = &local->local_sdp_cnt[local_ssap];
500

501
		pr_debug("%d clients\n", atomic_read(client_cnt));
502

503
		mutex_lock(&local->sdp_lock);
504

505
		if (atomic_dec_and_test(client_cnt)) {
506
			struct nfc_llcp_sock *l_sock;
507

508
			pr_debug("No more clients for SAP %d\n", ssap);
509

510
			clear_bit(local_ssap, sdp);
511

512
			/* Find the listening sock and set it back to UNBOUND */
513
			l_sock = nfc_llcp_sock_get(local, ssap, LLCP_SAP_SDP);
514
			if (l_sock) {
515
				l_sock->ssap = LLCP_SDP_UNBOUND;
516
				nfc_llcp_sock_put(l_sock);
517
			}
518
		}
519

520
		mutex_unlock(&local->sdp_lock);
521

522
		return;
523
	} else if (ssap < LLCP_MAX_SAP) {
524
		local_ssap = ssap - LLCP_LOCAL_NUM_SAP;
525
		sdp = &local->local_sap;
526
	} else {
527
		return;
528
	}
529

530
	mutex_lock(&local->sdp_lock);
531

532
	clear_bit(local_ssap, sdp);
533

534
	mutex_unlock(&local->sdp_lock);
535
}
536

537
static u8 nfc_llcp_reserve_sdp_ssap(struct nfc_llcp_local *local)
538
{
539
	u8 ssap;
540

541
	mutex_lock(&local->sdp_lock);
542

543
	ssap = find_first_zero_bit(&local->local_sdp, LLCP_SDP_NUM_SAP);
544
	if (ssap == LLCP_SDP_NUM_SAP) {
545
		mutex_unlock(&local->sdp_lock);
546

547
		return LLCP_SAP_MAX;
548
	}
549

550
	pr_debug("SDP ssap %d\n", LLCP_WKS_NUM_SAP + ssap);
551

552
	set_bit(ssap, &local->local_sdp);
553

554
	mutex_unlock(&local->sdp_lock);
555

556
	return LLCP_WKS_NUM_SAP + ssap;
557
}
558

559
static int nfc_llcp_build_gb(struct nfc_llcp_local *local)
560
{
561
	u8 *gb_cur, version, version_length;
562
	u8 lto_length, wks_length, miux_length;
563
	const u8 *version_tlv = NULL, *lto_tlv = NULL,
564
	   *wks_tlv = NULL, *miux_tlv = NULL;
565
	__be16 wks = cpu_to_be16(local->local_wks);
566
	u8 gb_len = 0;
567
	int ret = 0;
568

569
	version = LLCP_VERSION_11;
570
	version_tlv = nfc_llcp_build_tlv(LLCP_TLV_VERSION, &version,
571
					 1, &version_length);
572
	if (!version_tlv) {
573
		ret = -ENOMEM;
574
		goto out;
575
	}
576
	gb_len += version_length;
577

578
	lto_tlv = nfc_llcp_build_tlv(LLCP_TLV_LTO, &local->lto, 1, &lto_length);
579
	if (!lto_tlv) {
580
		ret = -ENOMEM;
581
		goto out;
582
	}
583
	gb_len += lto_length;
584

585
	pr_debug("Local wks 0x%lx\n", local->local_wks);
586
	wks_tlv = nfc_llcp_build_tlv(LLCP_TLV_WKS, (u8 *)&wks, 2, &wks_length);
587
	if (!wks_tlv) {
588
		ret = -ENOMEM;
589
		goto out;
590
	}
591
	gb_len += wks_length;
592

593
	miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&local->miux, 0,
594
				      &miux_length);
595
	if (!miux_tlv) {
596
		ret = -ENOMEM;
597
		goto out;
598
	}
599
	gb_len += miux_length;
600

601
	gb_len += ARRAY_SIZE(llcp_magic);
602

603
	if (gb_len > NFC_MAX_GT_LEN) {
604
		ret = -EINVAL;
605
		goto out;
606
	}
607

608
	gb_cur = local->gb;
609

610
	memcpy(gb_cur, llcp_magic, ARRAY_SIZE(llcp_magic));
611
	gb_cur += ARRAY_SIZE(llcp_magic);
612

613
	memcpy(gb_cur, version_tlv, version_length);
614
	gb_cur += version_length;
615

616
	memcpy(gb_cur, lto_tlv, lto_length);
617
	gb_cur += lto_length;
618

619
	memcpy(gb_cur, wks_tlv, wks_length);
620
	gb_cur += wks_length;
621

622
	memcpy(gb_cur, miux_tlv, miux_length);
623
	gb_cur += miux_length;
624

625
	local->gb_len = gb_len;
626

627
out:
628
	kfree(version_tlv);
629
	kfree(lto_tlv);
630
	kfree(wks_tlv);
631
	kfree(miux_tlv);
632

633
	return ret;
634
}
635

636
u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len)
637
{
638
	struct nfc_llcp_local *local;
639

640
	local = nfc_llcp_find_local(dev);
641
	if (local == NULL) {
642
		*general_bytes_len = 0;
643
		return NULL;
644
	}
645

646
	nfc_llcp_build_gb(local);
647

648
	*general_bytes_len = local->gb_len;
649

650
	nfc_llcp_local_put(local);
651

652
	return local->gb;
653
}
654

655
int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len)
656
{
657
	struct nfc_llcp_local *local;
658
	int err;
659

660
	if (gb_len < 3 || gb_len > NFC_MAX_GT_LEN)
661
		return -EINVAL;
662

663
	local = nfc_llcp_find_local(dev);
664
	if (local == NULL) {
665
		pr_err("No LLCP device\n");
666
		return -ENODEV;
667
	}
668

669
	memset(local->remote_gb, 0, NFC_MAX_GT_LEN);
670
	memcpy(local->remote_gb, gb, gb_len);
671
	local->remote_gb_len = gb_len;
672

673
	if (memcmp(local->remote_gb, llcp_magic, 3)) {
674
		pr_err("MAC does not support LLCP\n");
675
		err = -EINVAL;
676
		goto out;
677
	}
678

679
	err = nfc_llcp_parse_gb_tlv(local,
680
				     &local->remote_gb[3],
681
				     local->remote_gb_len - 3);
682
out:
683
	nfc_llcp_local_put(local);
684
	return err;
685
}
686

687
static u8 nfc_llcp_dsap(const struct sk_buff *pdu)
688
{
689
	return (pdu->data[0] & 0xfc) >> 2;
690
}
691

692
static u8 nfc_llcp_ptype(const struct sk_buff *pdu)
693
{
694
	return ((pdu->data[0] & 0x03) << 2) | ((pdu->data[1] & 0xc0) >> 6);
695
}
696

697
static u8 nfc_llcp_ssap(const struct sk_buff *pdu)
698
{
699
	return pdu->data[1] & 0x3f;
700
}
701

702
static u8 nfc_llcp_ns(const struct sk_buff *pdu)
703
{
704
	return pdu->data[2] >> 4;
705
}
706

707
static u8 nfc_llcp_nr(const struct sk_buff *pdu)
708
{
709
	return pdu->data[2] & 0xf;
710
}
711

712
static void nfc_llcp_set_nrns(struct nfc_llcp_sock *sock, struct sk_buff *pdu)
713
{
714
	pdu->data[2] = (sock->send_n << 4) | (sock->recv_n);
715
	sock->send_n = (sock->send_n + 1) % 16;
716
	sock->recv_ack_n = (sock->recv_n - 1) % 16;
717
}
718

719
void nfc_llcp_send_to_raw_sock(struct nfc_llcp_local *local,
720
			       struct sk_buff *skb, u8 direction)
721
{
722
	struct sk_buff *skb_copy = NULL, *nskb;
723
	struct sock *sk;
724
	u8 *data;
725

726
	read_lock(&local->raw_sockets.lock);
727

728
	sk_for_each(sk, &local->raw_sockets.head) {
729
		if (sk->sk_state != LLCP_BOUND)
730
			continue;
731

732
		if (skb_copy == NULL) {
733
			skb_copy = __pskb_copy_fclone(skb, NFC_RAW_HEADER_SIZE,
734
						      GFP_ATOMIC, true);
735

736
			if (skb_copy == NULL)
737
				continue;
738

739
			data = skb_push(skb_copy, NFC_RAW_HEADER_SIZE);
740

741
			data[0] = local->dev ? local->dev->idx : 0xFF;
742
			data[1] = direction & 0x01;
743
			data[1] |= (RAW_PAYLOAD_LLCP << 1);
744
		}
745

746
		nskb = skb_clone(skb_copy, GFP_ATOMIC);
747
		if (!nskb)
748
			continue;
749

750
		if (sock_queue_rcv_skb(sk, nskb))
751
			kfree_skb(nskb);
752
	}
753

754
	read_unlock(&local->raw_sockets.lock);
755

756
	kfree_skb(skb_copy);
757
}
758

759
static void nfc_llcp_tx_work(struct work_struct *work)
760
{
761
	struct nfc_llcp_local *local = container_of(work, struct nfc_llcp_local,
762
						    tx_work);
763
	struct sk_buff *skb;
764
	struct sock *sk;
765
	struct nfc_llcp_sock *llcp_sock;
766

767
	skb = skb_dequeue(&local->tx_queue);
768
	if (skb != NULL) {
769
		sk = skb->sk;
770
		llcp_sock = nfc_llcp_sock(sk);
771

772
		if (llcp_sock == NULL && nfc_llcp_ptype(skb) == LLCP_PDU_I) {
773
			kfree_skb(skb);
774
			nfc_llcp_send_symm(local->dev);
775
		} else if (llcp_sock && !llcp_sock->remote_ready) {
776
			skb_queue_head(&local->tx_queue, skb);
777
			nfc_llcp_send_symm(local->dev);
778
		} else {
779
			struct sk_buff *copy_skb = NULL;
780
			u8 ptype = nfc_llcp_ptype(skb);
781
			int ret;
782

783
			pr_debug("Sending pending skb\n");
784
			print_hex_dump_debug("LLCP Tx: ", DUMP_PREFIX_OFFSET,
785
					     16, 1, skb->data, skb->len, true);
786

787
			if (ptype == LLCP_PDU_I)
788
				copy_skb = skb_copy(skb, GFP_ATOMIC);
789

790
			__net_timestamp(skb);
791

792
			nfc_llcp_send_to_raw_sock(local, skb,
793
						  NFC_DIRECTION_TX);
794

795
			ret = nfc_data_exchange(local->dev, local->target_idx,
796
						skb, nfc_llcp_recv, local);
797

798
			if (ret) {
799
				kfree_skb(copy_skb);
800
				goto out;
801
			}
802

803
			if (ptype == LLCP_PDU_I && copy_skb)
804
				skb_queue_tail(&llcp_sock->tx_pending_queue,
805
					       copy_skb);
806
		}
807
	} else {
808
		nfc_llcp_send_symm(local->dev);
809
	}
810

811
out:
812
	mod_timer(&local->link_timer,
813
		  jiffies + msecs_to_jiffies(2 * local->remote_lto));
814
}
815

816
static struct nfc_llcp_sock *nfc_llcp_connecting_sock_get(struct nfc_llcp_local *local,
817
							  u8 ssap)
818
{
819
	struct sock *sk;
820
	struct nfc_llcp_sock *llcp_sock;
821

822
	read_lock(&local->connecting_sockets.lock);
823

824
	sk_for_each(sk, &local->connecting_sockets.head) {
825
		llcp_sock = nfc_llcp_sock(sk);
826

827
		if (llcp_sock->ssap == ssap) {
828
			sock_hold(&llcp_sock->sk);
829
			goto out;
830
		}
831
	}
832

833
	llcp_sock = NULL;
834

835
out:
836
	read_unlock(&local->connecting_sockets.lock);
837

838
	return llcp_sock;
839
}
840

841
static struct nfc_llcp_sock *nfc_llcp_sock_get_sn(struct nfc_llcp_local *local,
842
						  const u8 *sn, size_t sn_len)
843
{
844
	return nfc_llcp_sock_from_sn(local, sn, sn_len, true);
845
}
846

847
static const u8 *nfc_llcp_connect_sn(const struct sk_buff *skb, size_t *sn_len)
848
{
849
	u8 type, length;
850
	const u8 *tlv = &skb->data[2];
851
	size_t tlv_array_len = skb->len - LLCP_HEADER_SIZE, offset = 0;
852

853
	while (offset < tlv_array_len) {
854
		type = tlv[0];
855
		length = tlv[1];
856

857
		pr_debug("type 0x%x length %d\n", type, length);
858

859
		if (type == LLCP_TLV_SN) {
860
			*sn_len = length;
861
			return &tlv[2];
862
		}
863

864
		offset += length + 2;
865
		tlv += length + 2;
866
	}
867

868
	return NULL;
869
}
870

871
static void nfc_llcp_recv_ui(struct nfc_llcp_local *local,
872
			     struct sk_buff *skb)
873
{
874
	struct nfc_llcp_sock *llcp_sock;
875
	struct nfc_llcp_ui_cb *ui_cb;
876
	u8 dsap, ssap;
877

878
	dsap = nfc_llcp_dsap(skb);
879
	ssap = nfc_llcp_ssap(skb);
880

881
	ui_cb = nfc_llcp_ui_skb_cb(skb);
882
	ui_cb->dsap = dsap;
883
	ui_cb->ssap = ssap;
884

885
	pr_debug("%d %d\n", dsap, ssap);
886

887
	/* We're looking for a bound socket, not a client one */
888
	llcp_sock = nfc_llcp_sock_get(local, dsap, LLCP_SAP_SDP);
889
	if (llcp_sock == NULL || llcp_sock->sk.sk_type != SOCK_DGRAM)
890
		return;
891

892
	/* There is no sequence with UI frames */
893
	skb_pull(skb, LLCP_HEADER_SIZE);
894
	if (!sock_queue_rcv_skb(&llcp_sock->sk, skb)) {
895
		/*
896
		 * UI frames will be freed from the socket layer, so we
897
		 * need to keep them alive until someone receives them.
898
		 */
899
		skb_get(skb);
900
	} else {
901
		pr_err("Receive queue is full\n");
902
	}
903

904
	nfc_llcp_sock_put(llcp_sock);
905
}
906

907
static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
908
				  const struct sk_buff *skb)
909
{
910
	struct sock *new_sk, *parent;
911
	struct nfc_llcp_sock *sock, *new_sock;
912
	u8 dsap, ssap, reason;
913

914
	dsap = nfc_llcp_dsap(skb);
915
	ssap = nfc_llcp_ssap(skb);
916

917
	pr_debug("%d %d\n", dsap, ssap);
918

919
	if (dsap != LLCP_SAP_SDP) {
920
		sock = nfc_llcp_sock_get(local, dsap, LLCP_SAP_SDP);
921
		if (sock == NULL || sock->sk.sk_state != LLCP_LISTEN) {
922
			reason = LLCP_DM_NOBOUND;
923
			goto fail;
924
		}
925
	} else {
926
		const u8 *sn;
927
		size_t sn_len;
928

929
		sn = nfc_llcp_connect_sn(skb, &sn_len);
930
		if (sn == NULL) {
931
			reason = LLCP_DM_NOBOUND;
932
			goto fail;
933
		}
934

935
		pr_debug("Service name length %zu\n", sn_len);
936

937
		sock = nfc_llcp_sock_get_sn(local, sn, sn_len);
938
		if (sock == NULL) {
939
			reason = LLCP_DM_NOBOUND;
940
			goto fail;
941
		}
942
	}
943

944
	lock_sock(&sock->sk);
945

946
	parent = &sock->sk;
947

948
	if (sk_acceptq_is_full(parent)) {
949
		reason = LLCP_DM_REJ;
950
		release_sock(&sock->sk);
951
		sock_put(&sock->sk);
952
		goto fail;
953
	}
954

955
	if (sock->ssap == LLCP_SDP_UNBOUND) {
956
		u8 ssap = nfc_llcp_reserve_sdp_ssap(local);
957

958
		pr_debug("First client, reserving %d\n", ssap);
959

960
		if (ssap == LLCP_SAP_MAX) {
961
			reason = LLCP_DM_REJ;
962
			release_sock(&sock->sk);
963
			sock_put(&sock->sk);
964
			goto fail;
965
		}
966

967
		sock->ssap = ssap;
968
	}
969

970
	new_sk = nfc_llcp_sock_alloc(NULL, parent->sk_type, GFP_ATOMIC, 0);
971
	if (new_sk == NULL) {
972
		reason = LLCP_DM_REJ;
973
		release_sock(&sock->sk);
974
		sock_put(&sock->sk);
975
		goto fail;
976
	}
977

978
	new_sock = nfc_llcp_sock(new_sk);
979

980
	new_sock->local = nfc_llcp_local_get(local);
981
	if (!new_sock->local) {
982
		reason = LLCP_DM_REJ;
983
		sock_put(&new_sock->sk);
984
		release_sock(&sock->sk);
985
		sock_put(&sock->sk);
986
		goto fail;
987
	}
988

989
	new_sock->dev = local->dev;
990
	new_sock->rw = sock->rw;
991
	new_sock->miux = sock->miux;
992
	new_sock->nfc_protocol = sock->nfc_protocol;
993
	new_sock->dsap = ssap;
994
	new_sock->target_idx = local->target_idx;
995
	new_sock->parent = parent;
996
	new_sock->ssap = sock->ssap;
997
	if (sock->ssap < LLCP_LOCAL_NUM_SAP && sock->ssap >= LLCP_WKS_NUM_SAP) {
998
		atomic_t *client_count;
999

1000
		pr_debug("reserved_ssap %d for %p\n", sock->ssap, new_sock);
1001

1002
		client_count =
1003
			&local->local_sdp_cnt[sock->ssap - LLCP_WKS_NUM_SAP];
1004

1005
		atomic_inc(client_count);
1006
		new_sock->reserved_ssap = sock->ssap;
1007
	}
1008

1009
	nfc_llcp_parse_connection_tlv(new_sock, &skb->data[LLCP_HEADER_SIZE],
1010
				      skb->len - LLCP_HEADER_SIZE);
1011

1012
	pr_debug("new sock %p sk %p\n", new_sock, &new_sock->sk);
1013

1014
	nfc_llcp_sock_link(&local->sockets, new_sk);
1015

1016
	nfc_llcp_accept_enqueue(&sock->sk, new_sk);
1017

1018
	nfc_get_device(local->dev->idx);
1019

1020
	new_sk->sk_state = LLCP_CONNECTED;
1021

1022
	/* Wake the listening processes */
1023
	parent->sk_data_ready(parent);
1024

1025
	/* Send CC */
1026
	nfc_llcp_send_cc(new_sock);
1027

1028
	release_sock(&sock->sk);
1029
	sock_put(&sock->sk);
1030

1031
	return;
1032

1033
fail:
1034
	/* Send DM */
1035
	nfc_llcp_send_dm(local, dsap, ssap, reason);
1036
}
1037

1038
int nfc_llcp_queue_i_frames(struct nfc_llcp_sock *sock)
1039
{
1040
	int nr_frames = 0;
1041
	struct nfc_llcp_local *local = sock->local;
1042

1043
	pr_debug("Remote ready %d tx queue len %d remote rw %d",
1044
		 sock->remote_ready, skb_queue_len(&sock->tx_pending_queue),
1045
		 sock->remote_rw);
1046

1047
	/* Try to queue some I frames for transmission */
1048
	while (sock->remote_ready &&
1049
	       skb_queue_len(&sock->tx_pending_queue) < sock->remote_rw) {
1050
		struct sk_buff *pdu;
1051

1052
		pdu = skb_dequeue(&sock->tx_queue);
1053
		if (pdu == NULL)
1054
			break;
1055

1056
		/* Update N(S)/N(R) */
1057
		nfc_llcp_set_nrns(sock, pdu);
1058

1059
		skb_queue_tail(&local->tx_queue, pdu);
1060
		nr_frames++;
1061
	}
1062

1063
	return nr_frames;
1064
}
1065

1066
static void nfc_llcp_recv_hdlc(struct nfc_llcp_local *local,
1067
			       struct sk_buff *skb)
1068
{
1069
	struct nfc_llcp_sock *llcp_sock;
1070
	struct sock *sk;
1071
	u8 dsap, ssap, ptype, ns, nr;
1072

1073
	ptype = nfc_llcp_ptype(skb);
1074
	dsap = nfc_llcp_dsap(skb);
1075
	ssap = nfc_llcp_ssap(skb);
1076
	ns = nfc_llcp_ns(skb);
1077
	nr = nfc_llcp_nr(skb);
1078

1079
	pr_debug("%d %d R %d S %d\n", dsap, ssap, nr, ns);
1080

1081
	llcp_sock = nfc_llcp_sock_get(local, dsap, ssap);
1082
	if (llcp_sock == NULL) {
1083
		nfc_llcp_send_dm(local, dsap, ssap, LLCP_DM_NOCONN);
1084
		return;
1085
	}
1086

1087
	sk = &llcp_sock->sk;
1088
	lock_sock(sk);
1089
	if (sk->sk_state == LLCP_CLOSED) {
1090
		release_sock(sk);
1091
		nfc_llcp_sock_put(llcp_sock);
1092
	}
1093

1094
	/* Pass the payload upstream */
1095
	if (ptype == LLCP_PDU_I) {
1096
		pr_debug("I frame, queueing on %p\n", &llcp_sock->sk);
1097

1098
		if (ns == llcp_sock->recv_n)
1099
			llcp_sock->recv_n = (llcp_sock->recv_n + 1) % 16;
1100
		else
1101
			pr_err("Received out of sequence I PDU\n");
1102

1103
		skb_pull(skb, LLCP_HEADER_SIZE + LLCP_SEQUENCE_SIZE);
1104
		if (!sock_queue_rcv_skb(&llcp_sock->sk, skb)) {
1105
			/*
1106
			 * I frames will be freed from the socket layer, so we
1107
			 * need to keep them alive until someone receives them.
1108
			 */
1109
			skb_get(skb);
1110
		} else {
1111
			pr_err("Receive queue is full\n");
1112
		}
1113
	}
1114

1115
	/* Remove skbs from the pending queue */
1116
	if (llcp_sock->send_ack_n != nr) {
1117
		struct sk_buff *s, *tmp;
1118
		u8 n;
1119

1120
		llcp_sock->send_ack_n = nr;
1121

1122
		/* Remove and free all skbs until ns == nr */
1123
		skb_queue_walk_safe(&llcp_sock->tx_pending_queue, s, tmp) {
1124
			n = nfc_llcp_ns(s);
1125

1126
			skb_unlink(s, &llcp_sock->tx_pending_queue);
1127
			kfree_skb(s);
1128

1129
			if (n == nr)
1130
				break;
1131
		}
1132

1133
		/* Re-queue the remaining skbs for transmission */
1134
		skb_queue_reverse_walk_safe(&llcp_sock->tx_pending_queue,
1135
					    s, tmp) {
1136
			skb_unlink(s, &llcp_sock->tx_pending_queue);
1137
			skb_queue_head(&local->tx_queue, s);
1138
		}
1139
	}
1140

1141
	if (ptype == LLCP_PDU_RR)
1142
		llcp_sock->remote_ready = true;
1143
	else if (ptype == LLCP_PDU_RNR)
1144
		llcp_sock->remote_ready = false;
1145

1146
	if (nfc_llcp_queue_i_frames(llcp_sock) == 0 && ptype == LLCP_PDU_I)
1147
		nfc_llcp_send_rr(llcp_sock);
1148

1149
	release_sock(sk);
1150
	nfc_llcp_sock_put(llcp_sock);
1151
}
1152

1153
static void nfc_llcp_recv_disc(struct nfc_llcp_local *local,
1154
			       const struct sk_buff *skb)
1155
{
1156
	struct nfc_llcp_sock *llcp_sock;
1157
	struct sock *sk;
1158
	u8 dsap, ssap;
1159

1160
	dsap = nfc_llcp_dsap(skb);
1161
	ssap = nfc_llcp_ssap(skb);
1162

1163
	if ((dsap == 0) && (ssap == 0)) {
1164
		pr_debug("Connection termination");
1165
		nfc_dep_link_down(local->dev);
1166
		return;
1167
	}
1168

1169
	llcp_sock = nfc_llcp_sock_get(local, dsap, ssap);
1170
	if (llcp_sock == NULL) {
1171
		nfc_llcp_send_dm(local, dsap, ssap, LLCP_DM_NOCONN);
1172
		return;
1173
	}
1174

1175
	sk = &llcp_sock->sk;
1176
	lock_sock(sk);
1177

1178
	nfc_llcp_socket_purge(llcp_sock);
1179

1180
	if (sk->sk_state == LLCP_CLOSED) {
1181
		release_sock(sk);
1182
		nfc_llcp_sock_put(llcp_sock);
1183
	}
1184

1185
	if (sk->sk_state == LLCP_CONNECTED) {
1186
		nfc_put_device(local->dev);
1187
		sk->sk_state = LLCP_CLOSED;
1188
		sk->sk_state_change(sk);
1189
	}
1190

1191
	nfc_llcp_send_dm(local, dsap, ssap, LLCP_DM_DISC);
1192

1193
	release_sock(sk);
1194
	nfc_llcp_sock_put(llcp_sock);
1195
}
1196

1197
static void nfc_llcp_recv_cc(struct nfc_llcp_local *local,
1198
			     const struct sk_buff *skb)
1199
{
1200
	struct nfc_llcp_sock *llcp_sock;
1201
	struct sock *sk;
1202
	u8 dsap, ssap;
1203

1204
	dsap = nfc_llcp_dsap(skb);
1205
	ssap = nfc_llcp_ssap(skb);
1206

1207
	llcp_sock = nfc_llcp_connecting_sock_get(local, dsap);
1208
	if (llcp_sock == NULL) {
1209
		pr_err("Invalid CC\n");
1210
		nfc_llcp_send_dm(local, dsap, ssap, LLCP_DM_NOCONN);
1211

1212
		return;
1213
	}
1214

1215
	sk = &llcp_sock->sk;
1216

1217
	/* Unlink from connecting and link to the client array */
1218
	nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
1219
	nfc_llcp_sock_link(&local->sockets, sk);
1220
	llcp_sock->dsap = ssap;
1221

1222
	nfc_llcp_parse_connection_tlv(llcp_sock, &skb->data[LLCP_HEADER_SIZE],
1223
				      skb->len - LLCP_HEADER_SIZE);
1224

1225
	sk->sk_state = LLCP_CONNECTED;
1226
	sk->sk_state_change(sk);
1227

1228
	nfc_llcp_sock_put(llcp_sock);
1229
}
1230

1231
static void nfc_llcp_recv_dm(struct nfc_llcp_local *local,
1232
			     const struct sk_buff *skb)
1233
{
1234
	struct nfc_llcp_sock *llcp_sock;
1235
	struct sock *sk;
1236
	u8 dsap, ssap, reason;
1237

1238
	dsap = nfc_llcp_dsap(skb);
1239
	ssap = nfc_llcp_ssap(skb);
1240
	reason = skb->data[2];
1241

1242
	pr_debug("%d %d reason %d\n", ssap, dsap, reason);
1243

1244
	switch (reason) {
1245
	case LLCP_DM_NOBOUND:
1246
	case LLCP_DM_REJ:
1247
		llcp_sock = nfc_llcp_connecting_sock_get(local, dsap);
1248
		break;
1249

1250
	default:
1251
		llcp_sock = nfc_llcp_sock_get(local, dsap, ssap);
1252
		break;
1253
	}
1254

1255
	if (llcp_sock == NULL) {
1256
		pr_debug("Already closed\n");
1257
		return;
1258
	}
1259

1260
	sk = &llcp_sock->sk;
1261

1262
	sk->sk_err = ENXIO;
1263
	sk->sk_state = LLCP_CLOSED;
1264
	sk->sk_state_change(sk);
1265

1266
	nfc_llcp_sock_put(llcp_sock);
1267
}
1268

1269
static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
1270
			      const struct sk_buff *skb)
1271
{
1272
	struct nfc_llcp_sock *llcp_sock;
1273
	u8 dsap, ssap, type, length, tid, sap;
1274
	const u8 *tlv;
1275
	u16 tlv_len, offset;
1276
	const char *service_name;
1277
	size_t service_name_len;
1278
	struct nfc_llcp_sdp_tlv *sdp;
1279
	HLIST_HEAD(llc_sdres_list);
1280
	size_t sdres_tlvs_len;
1281
	HLIST_HEAD(nl_sdres_list);
1282

1283
	dsap = nfc_llcp_dsap(skb);
1284
	ssap = nfc_llcp_ssap(skb);
1285

1286
	pr_debug("%d %d\n", dsap, ssap);
1287

1288
	if (dsap != LLCP_SAP_SDP || ssap != LLCP_SAP_SDP) {
1289
		pr_err("Wrong SNL SAP\n");
1290
		return;
1291
	}
1292

1293
	tlv = &skb->data[LLCP_HEADER_SIZE];
1294
	tlv_len = skb->len - LLCP_HEADER_SIZE;
1295
	offset = 0;
1296
	sdres_tlvs_len = 0;
1297

1298
	while (offset < tlv_len) {
1299
		type = tlv[0];
1300
		length = tlv[1];
1301

1302
		switch (type) {
1303
		case LLCP_TLV_SDREQ:
1304
			tid = tlv[2];
1305
			service_name = (char *) &tlv[3];
1306
			service_name_len = length - 1;
1307

1308
			pr_debug("Looking for %.16s\n", service_name);
1309

1310
			if (service_name_len == strlen("urn:nfc:sn:sdp") &&
1311
			    !strncmp(service_name, "urn:nfc:sn:sdp",
1312
				     service_name_len)) {
1313
				sap = 1;
1314
				goto add_snl;
1315
			}
1316

1317
			llcp_sock = nfc_llcp_sock_from_sn(local, service_name,
1318
							  service_name_len,
1319
							  true);
1320
			if (!llcp_sock) {
1321
				sap = 0;
1322
				goto add_snl;
1323
			}
1324

1325
			/*
1326
			 * We found a socket but its ssap has not been reserved
1327
			 * yet. We need to assign it for good and send a reply.
1328
			 * The ssap will be freed when the socket is closed.
1329
			 */
1330
			if (llcp_sock->ssap == LLCP_SDP_UNBOUND) {
1331
				atomic_t *client_count;
1332

1333
				sap = nfc_llcp_reserve_sdp_ssap(local);
1334

1335
				pr_debug("Reserving %d\n", sap);
1336

1337
				if (sap == LLCP_SAP_MAX) {
1338
					sap = 0;
1339
					nfc_llcp_sock_put(llcp_sock);
1340
					goto add_snl;
1341
				}
1342

1343
				client_count =
1344
					&local->local_sdp_cnt[sap -
1345
							      LLCP_WKS_NUM_SAP];
1346

1347
				atomic_inc(client_count);
1348

1349
				llcp_sock->ssap = sap;
1350
				llcp_sock->reserved_ssap = sap;
1351
			} else {
1352
				sap = llcp_sock->ssap;
1353
			}
1354

1355
			pr_debug("%p %d\n", llcp_sock, sap);
1356

1357
			nfc_llcp_sock_put(llcp_sock);
1358
add_snl:
1359
			sdp = nfc_llcp_build_sdres_tlv(tid, sap);
1360
			if (sdp == NULL)
1361
				goto exit;
1362

1363
			sdres_tlvs_len += sdp->tlv_len;
1364
			hlist_add_head(&sdp->node, &llc_sdres_list);
1365
			break;
1366

1367
		case LLCP_TLV_SDRES:
1368
			mutex_lock(&local->sdreq_lock);
1369

1370
			pr_debug("LLCP_TLV_SDRES: searching tid %d\n", tlv[2]);
1371

1372
			hlist_for_each_entry(sdp, &local->pending_sdreqs, node) {
1373
				if (sdp->tid != tlv[2])
1374
					continue;
1375

1376
				sdp->sap = tlv[3];
1377

1378
				pr_debug("Found: uri=%s, sap=%d\n",
1379
					 sdp->uri, sdp->sap);
1380

1381
				hlist_del(&sdp->node);
1382

1383
				hlist_add_head(&sdp->node, &nl_sdres_list);
1384

1385
				break;
1386
			}
1387

1388
			mutex_unlock(&local->sdreq_lock);
1389
			break;
1390

1391
		default:
1392
			pr_err("Invalid SNL tlv value 0x%x\n", type);
1393
			break;
1394
		}
1395

1396
		offset += length + 2;
1397
		tlv += length + 2;
1398
	}
1399

1400
exit:
1401
	if (!hlist_empty(&nl_sdres_list))
1402
		nfc_genl_llc_send_sdres(local->dev, &nl_sdres_list);
1403

1404
	if (!hlist_empty(&llc_sdres_list))
1405
		nfc_llcp_send_snl_sdres(local, &llc_sdres_list, sdres_tlvs_len);
1406
}
1407

1408
static void nfc_llcp_recv_agf(struct nfc_llcp_local *local, struct sk_buff *skb)
1409
{
1410
	u8 ptype;
1411
	u16 pdu_len;
1412
	struct sk_buff *new_skb;
1413

1414
	if (skb->len <= LLCP_HEADER_SIZE) {
1415
		pr_err("Malformed AGF PDU\n");
1416
		return;
1417
	}
1418

1419
	skb_pull(skb, LLCP_HEADER_SIZE);
1420

1421
	while (skb->len > LLCP_AGF_PDU_HEADER_SIZE) {
1422
		pdu_len = skb->data[0] << 8 | skb->data[1];
1423

1424
		skb_pull(skb, LLCP_AGF_PDU_HEADER_SIZE);
1425

1426
		if (pdu_len < LLCP_HEADER_SIZE || pdu_len > skb->len) {
1427
			pr_err("Malformed AGF PDU\n");
1428
			return;
1429
		}
1430

1431
		ptype = nfc_llcp_ptype(skb);
1432

1433
		if (ptype == LLCP_PDU_SYMM || ptype == LLCP_PDU_AGF)
1434
			goto next;
1435

1436
		new_skb = nfc_alloc_recv_skb(pdu_len, GFP_KERNEL);
1437
		if (new_skb == NULL) {
1438
			pr_err("Could not allocate PDU\n");
1439
			return;
1440
		}
1441

1442
		skb_put_data(new_skb, skb->data, pdu_len);
1443

1444
		nfc_llcp_rx_skb(local, new_skb);
1445

1446
		kfree_skb(new_skb);
1447
next:
1448
		skb_pull(skb, pdu_len);
1449
	}
1450
}
1451

1452
static void nfc_llcp_rx_skb(struct nfc_llcp_local *local, struct sk_buff *skb)
1453
{
1454
	u8 dsap, ssap, ptype;
1455

1456
	ptype = nfc_llcp_ptype(skb);
1457
	dsap = nfc_llcp_dsap(skb);
1458
	ssap = nfc_llcp_ssap(skb);
1459

1460
	pr_debug("ptype 0x%x dsap 0x%x ssap 0x%x\n", ptype, dsap, ssap);
1461

1462
	if (ptype != LLCP_PDU_SYMM)
1463
		print_hex_dump_debug("LLCP Rx: ", DUMP_PREFIX_OFFSET, 16, 1,
1464
				     skb->data, skb->len, true);
1465

1466
	switch (ptype) {
1467
	case LLCP_PDU_SYMM:
1468
		pr_debug("SYMM\n");
1469
		break;
1470

1471
	case LLCP_PDU_UI:
1472
		pr_debug("UI\n");
1473
		nfc_llcp_recv_ui(local, skb);
1474
		break;
1475

1476
	case LLCP_PDU_CONNECT:
1477
		pr_debug("CONNECT\n");
1478
		nfc_llcp_recv_connect(local, skb);
1479
		break;
1480

1481
	case LLCP_PDU_DISC:
1482
		pr_debug("DISC\n");
1483
		nfc_llcp_recv_disc(local, skb);
1484
		break;
1485

1486
	case LLCP_PDU_CC:
1487
		pr_debug("CC\n");
1488
		nfc_llcp_recv_cc(local, skb);
1489
		break;
1490

1491
	case LLCP_PDU_DM:
1492
		pr_debug("DM\n");
1493
		nfc_llcp_recv_dm(local, skb);
1494
		break;
1495

1496
	case LLCP_PDU_SNL:
1497
		pr_debug("SNL\n");
1498
		nfc_llcp_recv_snl(local, skb);
1499
		break;
1500

1501
	case LLCP_PDU_I:
1502
	case LLCP_PDU_RR:
1503
	case LLCP_PDU_RNR:
1504
		pr_debug("I frame\n");
1505
		nfc_llcp_recv_hdlc(local, skb);
1506
		break;
1507

1508
	case LLCP_PDU_AGF:
1509
		pr_debug("AGF frame\n");
1510
		nfc_llcp_recv_agf(local, skb);
1511
		break;
1512
	}
1513
}
1514

1515
static void nfc_llcp_rx_work(struct work_struct *work)
1516
{
1517
	struct nfc_llcp_local *local = container_of(work, struct nfc_llcp_local,
1518
						    rx_work);
1519
	struct sk_buff *skb;
1520

1521
	skb = local->rx_pending;
1522
	if (skb == NULL) {
1523
		pr_debug("No pending SKB\n");
1524
		return;
1525
	}
1526

1527
	__net_timestamp(skb);
1528

1529
	nfc_llcp_send_to_raw_sock(local, skb, NFC_DIRECTION_RX);
1530

1531
	nfc_llcp_rx_skb(local, skb);
1532

1533
	schedule_work(&local->tx_work);
1534
	kfree_skb(local->rx_pending);
1535
	local->rx_pending = NULL;
1536
}
1537

1538
static void __nfc_llcp_recv(struct nfc_llcp_local *local, struct sk_buff *skb)
1539
{
1540
	local->rx_pending = skb;
1541
	timer_delete(&local->link_timer);
1542
	schedule_work(&local->rx_work);
1543
}
1544

1545
void nfc_llcp_recv(void *data, struct sk_buff *skb, int err)
1546
{
1547
	struct nfc_llcp_local *local = (struct nfc_llcp_local *) data;
1548

1549
	if (err < 0) {
1550
		pr_err("LLCP PDU receive err %d\n", err);
1551
		return;
1552
	}
1553

1554
	__nfc_llcp_recv(local, skb);
1555
}
1556

1557
int nfc_llcp_data_received(struct nfc_dev *dev, struct sk_buff *skb)
1558
{
1559
	struct nfc_llcp_local *local;
1560

1561
	local = nfc_llcp_find_local(dev);
1562
	if (local == NULL) {
1563
		kfree_skb(skb);
1564
		return -ENODEV;
1565
	}
1566

1567
	__nfc_llcp_recv(local, skb);
1568

1569
	nfc_llcp_local_put(local);
1570

1571
	return 0;
1572
}
1573

1574
void nfc_llcp_mac_is_down(struct nfc_dev *dev)
1575
{
1576
	struct nfc_llcp_local *local;
1577

1578
	local = nfc_llcp_find_local(dev);
1579
	if (local == NULL)
1580
		return;
1581

1582
	local->remote_miu = LLCP_DEFAULT_MIU;
1583
	local->remote_lto = LLCP_DEFAULT_LTO;
1584

1585
	/* Close and purge all existing sockets */
1586
	nfc_llcp_socket_release(local, true, 0);
1587

1588
	nfc_llcp_local_put(local);
1589
}
1590

1591
void nfc_llcp_mac_is_up(struct nfc_dev *dev, u32 target_idx,
1592
			u8 comm_mode, u8 rf_mode)
1593
{
1594
	struct nfc_llcp_local *local;
1595

1596
	pr_debug("rf mode %d\n", rf_mode);
1597

1598
	local = nfc_llcp_find_local(dev);
1599
	if (local == NULL)
1600
		return;
1601

1602
	local->target_idx = target_idx;
1603
	local->comm_mode = comm_mode;
1604
	local->rf_mode = rf_mode;
1605

1606
	if (rf_mode == NFC_RF_INITIATOR) {
1607
		pr_debug("Queueing Tx work\n");
1608

1609
		schedule_work(&local->tx_work);
1610
	} else {
1611
		mod_timer(&local->link_timer,
1612
			  jiffies + msecs_to_jiffies(local->remote_lto));
1613
	}
1614

1615
	nfc_llcp_local_put(local);
1616
}
1617

1618
int nfc_llcp_register_device(struct nfc_dev *ndev)
1619
{
1620
	struct nfc_llcp_local *local;
1621

1622
	local = kzalloc(sizeof(struct nfc_llcp_local), GFP_KERNEL);
1623
	if (local == NULL)
1624
		return -ENOMEM;
1625

1626
	/* As we are going to initialize local's refcount, we need to get the
1627
	 * nfc_dev to avoid UAF, otherwise there is no point in continuing.
1628
	 * See nfc_llcp_local_get().
1629
	 */
1630
	local->dev = nfc_get_device(ndev->idx);
1631
	if (!local->dev) {
1632
		kfree(local);
1633
		return -ENODEV;
1634
	}
1635

1636
	INIT_LIST_HEAD(&local->list);
1637
	kref_init(&local->ref);
1638
	mutex_init(&local->sdp_lock);
1639
	timer_setup(&local->link_timer, nfc_llcp_symm_timer, 0);
1640

1641
	skb_queue_head_init(&local->tx_queue);
1642
	INIT_WORK(&local->tx_work, nfc_llcp_tx_work);
1643

1644
	local->rx_pending = NULL;
1645
	INIT_WORK(&local->rx_work, nfc_llcp_rx_work);
1646

1647
	INIT_WORK(&local->timeout_work, nfc_llcp_timeout_work);
1648

1649
	rwlock_init(&local->sockets.lock);
1650
	rwlock_init(&local->connecting_sockets.lock);
1651
	rwlock_init(&local->raw_sockets.lock);
1652

1653
	local->lto = 150; /* 1500 ms */
1654
	local->rw = LLCP_MAX_RW;
1655
	local->miux = cpu_to_be16(LLCP_MAX_MIUX);
1656
	local->local_wks = 0x1; /* LLC Link Management */
1657

1658
	nfc_llcp_build_gb(local);
1659

1660
	local->remote_miu = LLCP_DEFAULT_MIU;
1661
	local->remote_lto = LLCP_DEFAULT_LTO;
1662

1663
	mutex_init(&local->sdreq_lock);
1664
	INIT_HLIST_HEAD(&local->pending_sdreqs);
1665
	timer_setup(&local->sdreq_timer, nfc_llcp_sdreq_timer, 0);
1666
	INIT_WORK(&local->sdreq_timeout_work, nfc_llcp_sdreq_timeout_work);
1667

1668
	spin_lock(&llcp_devices_lock);
1669
	list_add(&local->list, &llcp_devices);
1670
	spin_unlock(&llcp_devices_lock);
1671

1672
	return 0;
1673
}
1674

1675
void nfc_llcp_unregister_device(struct nfc_dev *dev)
1676
{
1677
	struct nfc_llcp_local *local = nfc_llcp_remove_local(dev);
1678

1679
	if (local == NULL) {
1680
		pr_debug("No such device\n");
1681
		return;
1682
	}
1683

1684
	local_cleanup(local);
1685

1686
	nfc_llcp_local_put(local);
1687
}
1688

1689
int __init nfc_llcp_init(void)
1690
{
1691
	return nfc_llcp_sock_init();
1692
}
1693

1694
void nfc_llcp_exit(void)
1695
{
1696
	nfc_llcp_sock_exit();
1697
}
1698

1699