// SPDX-License-Identifier: GPL-2.0+ /* * Provides user-space access to the SSAM EC via the /dev/surface/aggregator * misc device. Intended for debugging and development. * * Copyright (C) 2020-2022 Maximilian Luz */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #define SSAM_CDEV_DEVICE_NAME "surface_aggregator_cdev" /* -- Main structures. ------------------------------------------------------ */ enum ssam_cdev_device_state { SSAM_CDEV_DEVICE_SHUTDOWN_BIT = BIT(0), }; struct ssam_cdev { struct kref kref; struct rw_semaphore lock; struct device *dev; struct ssam_controller *ctrl; struct miscdevice mdev; unsigned long flags; struct rw_semaphore client_lock; /* Guards client list. */ struct list_head client_list; }; struct ssam_cdev_client; struct ssam_cdev_notifier { struct ssam_cdev_client *client; struct ssam_event_notifier nf; }; struct ssam_cdev_client { struct ssam_cdev *cdev; struct list_head node; struct mutex notifier_lock; /* Guards notifier access for registration */ struct ssam_cdev_notifier *notifier[SSH_NUM_EVENTS]; struct mutex read_lock; /* Guards FIFO buffer read access */ struct mutex write_lock; /* Guards FIFO buffer write access */ DECLARE_KFIFO(buffer, u8, 4096); wait_queue_head_t waitq; struct fasync_struct *fasync; }; static void __ssam_cdev_release(struct kref *kref) { kfree(container_of(kref, struct ssam_cdev, kref)); } static struct ssam_cdev *ssam_cdev_get(struct ssam_cdev *cdev) { if (cdev) kref_get(&cdev->kref); return cdev; } static void ssam_cdev_put(struct ssam_cdev *cdev) { if (cdev) kref_put(&cdev->kref, __ssam_cdev_release); } /* -- Notifier handling. ---------------------------------------------------- */ static u32 ssam_cdev_notifier(struct ssam_event_notifier *nf, const struct ssam_event *in) { struct ssam_cdev_notifier *cdev_nf = container_of(nf, struct ssam_cdev_notifier, nf); struct ssam_cdev_client *client = cdev_nf->client; struct ssam_cdev_event event; size_t n = struct_size(&event, data, in->length); /* Translate event. */ event.target_category = in->target_category; event.target_id = in->target_id; event.command_id = in->command_id; event.instance_id = in->instance_id; event.length = in->length; mutex_lock(&client->write_lock); /* Make sure we have enough space. */ if (kfifo_avail(&client->buffer) < n) { dev_warn(client->cdev->dev, "buffer full, dropping event (tc: %#04x, tid: %#04x, cid: %#04x, iid: %#04x)\n", in->target_category, in->target_id, in->command_id, in->instance_id); mutex_unlock(&client->write_lock); return 0; } /* Copy event header and payload. */ kfifo_in(&client->buffer, (const u8 *)&event, struct_size(&event, data, 0)); kfifo_in(&client->buffer, &in->data[0], in->length); mutex_unlock(&client->write_lock); /* Notify waiting readers. */ kill_fasync(&client->fasync, SIGIO, POLL_IN); wake_up_interruptible(&client->waitq); /* * Don't mark events as handled, this is the job of a proper driver and * not the debugging interface. */ return 0; } static int ssam_cdev_notifier_register(struct ssam_cdev_client *client, u8 tc, int priority) { const u16 rqid = ssh_tc_to_rqid(tc); const u16 event = ssh_rqid_to_event(rqid); struct ssam_cdev_notifier *nf; int status; lockdep_assert_held_read(&client->cdev->lock); /* Validate notifier target category. */ if (!ssh_rqid_is_event(rqid)) return -EINVAL; mutex_lock(&client->notifier_lock); /* Check if the notifier has already been registered. */ if (client->notifier[event]) { mutex_unlock(&client->notifier_lock); return -EEXIST; } /* Allocate new notifier. */ nf = kzalloc(sizeof(*nf), GFP_KERNEL); if (!nf) { mutex_unlock(&client->notifier_lock); return -ENOMEM; } /* * Create a dummy notifier with the minimal required fields for * observer registration. Note that we can skip fully specifying event * and registry here as we do not need any matching and use silent * registration, which does not enable the corresponding event. */ nf->client = client; nf->nf.base.fn = ssam_cdev_notifier; nf->nf.base.priority = priority; nf->nf.event.id.target_category = tc; nf->nf.event.mask = 0; /* Do not do any matching. */ nf->nf.flags = SSAM_EVENT_NOTIFIER_OBSERVER; /* Register notifier. */ status = ssam_notifier_register(client->cdev->ctrl, &nf->nf); if (status) kfree(nf); else client->notifier[event] = nf; mutex_unlock(&client->notifier_lock); return status; } static int ssam_cdev_notifier_unregister(struct ssam_cdev_client *client, u8 tc) { const u16 rqid = ssh_tc_to_rqid(tc); const u16 event = ssh_rqid_to_event(rqid); int status; lockdep_assert_held_read(&client->cdev->lock); /* Validate notifier target category. */ if (!ssh_rqid_is_event(rqid)) return -EINVAL; mutex_lock(&client->notifier_lock); /* Check if the notifier is currently registered. */ if (!client->notifier[event]) { mutex_unlock(&client->notifier_lock); return -ENOENT; } /* Unregister and free notifier. */ status = ssam_notifier_unregister(client->cdev->ctrl, &client->notifier[event]->nf); kfree(client->notifier[event]); client->notifier[event] = NULL; mutex_unlock(&client->notifier_lock); return status; } static void ssam_cdev_notifier_unregister_all(struct ssam_cdev_client *client) { int i; down_read(&client->cdev->lock); /* * This function may be used during shutdown, thus we need to test for * cdev->ctrl instead of the SSAM_CDEV_DEVICE_SHUTDOWN_BIT bit. */ if (client->cdev->ctrl) { for (i = 0; i < SSH_NUM_EVENTS; i++) ssam_cdev_notifier_unregister(client, i + 1); } else { int count = 0; /* * Device has been shut down. Any notifier remaining is a bug, * so warn about that as this would otherwise hardly be * noticeable. Nevertheless, free them as well. */ mutex_lock(&client->notifier_lock); for (i = 0; i < SSH_NUM_EVENTS; i++) { count += !!(client->notifier[i]); kfree(client->notifier[i]); client->notifier[i] = NULL; } mutex_unlock(&client->notifier_lock); WARN_ON(count > 0); } up_read(&client->cdev->lock); } /* -- IOCTL functions. ------------------------------------------------------ */ static long ssam_cdev_request(struct ssam_cdev_client *client, struct ssam_cdev_request __user *r) { struct ssam_cdev_request rqst; struct ssam_request spec = {}; struct ssam_response rsp = {}; const void __user *plddata; void __user *rspdata; int status = 0, ret = 0, tmp; lockdep_assert_held_read(&client->cdev->lock); ret = copy_struct_from_user(&rqst, sizeof(rqst), r, sizeof(*r)); if (ret) goto out; plddata = u64_to_user_ptr(rqst.payload.data); rspdata = u64_to_user_ptr(rqst.response.data); /* Setup basic request fields. */ spec.target_category = rqst.target_category; spec.target_id = rqst.target_id; spec.command_id = rqst.command_id; spec.instance_id = rqst.instance_id; spec.flags = 0; spec.length = rqst.payload.length; spec.payload = NULL; if (rqst.flags & SSAM_CDEV_REQUEST_HAS_RESPONSE) spec.flags |= SSAM_REQUEST_HAS_RESPONSE; if (rqst.flags & SSAM_CDEV_REQUEST_UNSEQUENCED) spec.flags |= SSAM_REQUEST_UNSEQUENCED; rsp.capacity = rqst.response.length; rsp.length = 0; rsp.pointer = NULL; /* Get request payload from user-space. */ if (spec.length) { if (!plddata) { ret = -EINVAL; goto out; } /* * Note: spec.length is limited to U16_MAX bytes via struct * ssam_cdev_request. This is slightly larger than the * theoretical maximum (SSH_COMMAND_MAX_PAYLOAD_SIZE) of the * underlying protocol (note that nothing remotely this size * should ever be allocated in any normal case). This size is * validated later in ssam_request_do_sync(), for allocation * the bound imposed by u16 should be enough. */ spec.payload = kzalloc(spec.length, GFP_KERNEL); if (!spec.payload) { ret = -ENOMEM; goto out; } if (copy_from_user((void *)spec.payload, plddata, spec.length)) { ret = -EFAULT; goto out; } } /* Allocate response buffer. */ if (rsp.capacity) { if (!rspdata) { ret = -EINVAL; goto out; } /* * Note: rsp.capacity is limited to U16_MAX bytes via struct * ssam_cdev_request. This is slightly larger than the * theoretical maximum (SSH_COMMAND_MAX_PAYLOAD_SIZE) of the * underlying protocol (note that nothing remotely this size * should ever be allocated in any normal case). In later use, * this capacity does not have to be strictly bounded, as it * is only used as an output buffer to be written to. For * allocation the bound imposed by u16 should be enough. */ rsp.pointer = kzalloc(rsp.capacity, GFP_KERNEL); if (!rsp.pointer) { ret = -ENOMEM; goto out; } } /* Perform request. */ status = ssam_request_do_sync(client->cdev->ctrl, &spec, &rsp); if (status) goto out; /* Copy response to user-space. */ if (rsp.length && copy_to_user(rspdata, rsp.pointer, rsp.length)) ret = -EFAULT; out: /* Always try to set response-length and status. */ tmp = put_user(rsp.length, &r->response.length); if (tmp) ret = tmp; tmp = put_user(status, &r->status); if (tmp) ret = tmp; /* Cleanup. */ kfree(spec.payload); kfree(rsp.pointer); return ret; } static long ssam_cdev_notif_register(struct ssam_cdev_client *client, const struct ssam_cdev_notifier_desc __user *d) { struct ssam_cdev_notifier_desc desc; long ret; lockdep_assert_held_read(&client->cdev->lock); ret = copy_struct_from_user(&desc, sizeof(desc), d, sizeof(*d)); if (ret) return ret; return ssam_cdev_notifier_register(client, desc.target_category, desc.priority); } static long ssam_cdev_notif_unregister(struct ssam_cdev_client *client, const struct ssam_cdev_notifier_desc __user *d) { struct ssam_cdev_notifier_desc desc; long ret; lockdep_assert_held_read(&client->cdev->lock); ret = copy_struct_from_user(&desc, sizeof(desc), d, sizeof(*d)); if (ret) return ret; return ssam_cdev_notifier_unregister(client, desc.target_category); } static long ssam_cdev_event_enable(struct ssam_cdev_client *client, const struct ssam_cdev_event_desc __user *d) { struct ssam_cdev_event_desc desc; struct ssam_event_registry reg; struct ssam_event_id id; long ret; lockdep_assert_held_read(&client->cdev->lock); /* Read descriptor from user-space. */ ret = copy_struct_from_user(&desc, sizeof(desc), d, sizeof(*d)); if (ret) return ret; /* Translate descriptor. */ reg.target_category = desc.reg.target_category; reg.target_id = desc.reg.target_id; reg.cid_enable = desc.reg.cid_enable; reg.cid_disable = desc.reg.cid_disable; id.target_category = desc.id.target_category; id.instance = desc.id.instance; /* Disable event. */ return ssam_controller_event_enable(client->cdev->ctrl, reg, id, desc.flags); } static long ssam_cdev_event_disable(struct ssam_cdev_client *client, const struct ssam_cdev_event_desc __user *d) { struct ssam_cdev_event_desc desc; struct ssam_event_registry reg; struct ssam_event_id id; long ret; lockdep_assert_held_read(&client->cdev->lock); /* Read descriptor from user-space. */ ret = copy_struct_from_user(&desc, sizeof(desc), d, sizeof(*d)); if (ret) return ret; /* Translate descriptor. */ reg.target_category = desc.reg.target_category; reg.target_id = desc.reg.target_id; reg.cid_enable = desc.reg.cid_enable; reg.cid_disable = desc.reg.cid_disable; id.target_category = desc.id.target_category; id.instance = desc.id.instance; /* Disable event. */ return ssam_controller_event_disable(client->cdev->ctrl, reg, id, desc.flags); } /* -- File operations. ------------------------------------------------------ */ static int ssam_cdev_device_open(struct inode *inode, struct file *filp) { struct miscdevice *mdev = filp->private_data; struct ssam_cdev_client *client; struct ssam_cdev *cdev = container_of(mdev, struct ssam_cdev, mdev); /* Initialize client */ client = vzalloc(sizeof(*client)); if (!client) return -ENOMEM; client->cdev = ssam_cdev_get(cdev); INIT_LIST_HEAD(&client->node); mutex_init(&client->notifier_lock); mutex_init(&client->read_lock); mutex_init(&client->write_lock); INIT_KFIFO(client->buffer); init_waitqueue_head(&client->waitq); filp->private_data = client; /* Attach client. */ down_write(&cdev->client_lock); if (test_bit(SSAM_CDEV_DEVICE_SHUTDOWN_BIT, &cdev->flags)) { up_write(&cdev->client_lock); mutex_destroy(&client->write_lock); mutex_destroy(&client->read_lock); mutex_destroy(&client->notifier_lock); ssam_cdev_put(client->cdev); vfree(client); return -ENODEV; } list_add_tail(&client->node, &cdev->client_list); up_write(&cdev->client_lock); stream_open(inode, filp); return 0; } static int ssam_cdev_device_release(struct inode *inode, struct file *filp) { struct ssam_cdev_client *client = filp->private_data; /* Force-unregister all remaining notifiers of this client. */ ssam_cdev_notifier_unregister_all(client); /* Detach client. */ down_write(&client->cdev->client_lock); list_del(&client->node); up_write(&client->cdev->client_lock); /* Free client. */ mutex_destroy(&client->write_lock); mutex_destroy(&client->read_lock); mutex_destroy(&client->notifier_lock); ssam_cdev_put(client->cdev); vfree(client); return 0; } static long __ssam_cdev_device_ioctl(struct ssam_cdev_client *client, unsigned int cmd, unsigned long arg) { lockdep_assert_held_read(&client->cdev->lock); switch (cmd) { case SSAM_CDEV_REQUEST: return ssam_cdev_request(client, (struct ssam_cdev_request __user *)arg); case SSAM_CDEV_NOTIF_REGISTER: return ssam_cdev_notif_register(client, (struct ssam_cdev_notifier_desc __user *)arg); case SSAM_CDEV_NOTIF_UNREGISTER: return ssam_cdev_notif_unregister(client, (struct ssam_cdev_notifier_desc __user *)arg); case SSAM_CDEV_EVENT_ENABLE: return ssam_cdev_event_enable(client, (struct ssam_cdev_event_desc __user *)arg); case SSAM_CDEV_EVENT_DISABLE: return ssam_cdev_event_disable(client, (struct ssam_cdev_event_desc __user *)arg); default: return -ENOTTY; } } static long ssam_cdev_device_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { struct ssam_cdev_client *client = file->private_data; long status; /* Ensure that controller is valid for as long as we need it. */ if (down_read_killable(&client->cdev->lock)) return -ERESTARTSYS; if (test_bit(SSAM_CDEV_DEVICE_SHUTDOWN_BIT, &client->cdev->flags)) { up_read(&client->cdev->lock); return -ENODEV; } status = __ssam_cdev_device_ioctl(client, cmd, arg); up_read(&client->cdev->lock); return status; } static ssize_t ssam_cdev_read(struct file *file, char __user *buf, size_t count, loff_t *offs) { struct ssam_cdev_client *client = file->private_data; struct ssam_cdev *cdev = client->cdev; unsigned int copied; int status = 0; if (down_read_killable(&cdev->lock)) return -ERESTARTSYS; /* Make sure we're not shut down. */ if (test_bit(SSAM_CDEV_DEVICE_SHUTDOWN_BIT, &cdev->flags)) { up_read(&cdev->lock); return -ENODEV; } do { /* Check availability, wait if necessary. */ if (kfifo_is_empty(&client->buffer)) { up_read(&cdev->lock); if (file->f_flags & O_NONBLOCK) return -EAGAIN; status = wait_event_interruptible(client->waitq, !kfifo_is_empty(&client->buffer) || test_bit(SSAM_CDEV_DEVICE_SHUTDOWN_BIT, &cdev->flags)); if (status < 0) return status; if (down_read_killable(&cdev->lock)) return -ERESTARTSYS; /* Need to check that we're not shut down again. */ if (test_bit(SSAM_CDEV_DEVICE_SHUTDOWN_BIT, &cdev->flags)) { up_read(&cdev->lock); return -ENODEV; } } /* Try to read from FIFO. */ if (mutex_lock_interruptible(&client->read_lock)) { up_read(&cdev->lock); return -ERESTARTSYS; } status = kfifo_to_user(&client->buffer, buf, count, &copied); mutex_unlock(&client->read_lock); if (status < 0) { up_read(&cdev->lock); return status; } /* We might not have gotten anything, check this here. */ if (copied == 0 && (file->f_flags & O_NONBLOCK)) { up_read(&cdev->lock); return -EAGAIN; } } while (copied == 0); up_read(&cdev->lock); return copied; } static __poll_t ssam_cdev_poll(struct file *file, struct poll_table_struct *pt) { struct ssam_cdev_client *client = file->private_data; __poll_t events = 0; if (test_bit(SSAM_CDEV_DEVICE_SHUTDOWN_BIT, &client->cdev->flags)) return EPOLLHUP | EPOLLERR; poll_wait(file, &client->waitq, pt); if (!kfifo_is_empty(&client->buffer)) events |= EPOLLIN | EPOLLRDNORM; return events; } static int ssam_cdev_fasync(int fd, struct file *file, int on) { struct ssam_cdev_client *client = file->private_data; return fasync_helper(fd, file, on, &client->fasync); } static const struct file_operations ssam_controller_fops = { .owner = THIS_MODULE, .open = ssam_cdev_device_open, .release = ssam_cdev_device_release, .read = ssam_cdev_read, .poll = ssam_cdev_poll, .fasync = ssam_cdev_fasync, .unlocked_ioctl = ssam_cdev_device_ioctl, .compat_ioctl = ssam_cdev_device_ioctl, }; /* -- Device and driver setup ----------------------------------------------- */ static int ssam_dbg_device_probe(struct platform_device *pdev) { struct ssam_controller *ctrl; struct ssam_cdev *cdev; int status; ctrl = ssam_client_bind(&pdev->dev); if (IS_ERR(ctrl)) return PTR_ERR(ctrl) == -ENODEV ? -EPROBE_DEFER : PTR_ERR(ctrl); cdev = kzalloc(sizeof(*cdev), GFP_KERNEL); if (!cdev) return -ENOMEM; kref_init(&cdev->kref); init_rwsem(&cdev->lock); cdev->ctrl = ctrl; cdev->dev = &pdev->dev; cdev->mdev.parent = &pdev->dev; cdev->mdev.minor = MISC_DYNAMIC_MINOR; cdev->mdev.name = "surface_aggregator"; cdev->mdev.nodename = "surface/aggregator"; cdev->mdev.fops = &ssam_controller_fops; init_rwsem(&cdev->client_lock); INIT_LIST_HEAD(&cdev->client_list); status = misc_register(&cdev->mdev); if (status) { kfree(cdev); return status; } platform_set_drvdata(pdev, cdev); return 0; } static void ssam_dbg_device_remove(struct platform_device *pdev) { struct ssam_cdev *cdev = platform_get_drvdata(pdev); struct ssam_cdev_client *client; /* * Mark device as shut-down. Prevent new clients from being added and * new operations from being executed. */ set_bit(SSAM_CDEV_DEVICE_SHUTDOWN_BIT, &cdev->flags); down_write(&cdev->client_lock); /* Remove all notifiers registered by us. */ list_for_each_entry(client, &cdev->client_list, node) { ssam_cdev_notifier_unregister_all(client); } /* Wake up async clients. */ list_for_each_entry(client, &cdev->client_list, node) { kill_fasync(&client->fasync, SIGIO, POLL_HUP); } /* Wake up blocking clients. */ list_for_each_entry(client, &cdev->client_list, node) { wake_up_interruptible(&client->waitq); } up_write(&cdev->client_lock); /* * The controller is only guaranteed to be valid for as long as the * driver is bound. Remove controller so that any lingering open files * cannot access it any more after we're gone. */ down_write(&cdev->lock); cdev->ctrl = NULL; cdev->dev = NULL; up_write(&cdev->lock); misc_deregister(&cdev->mdev); ssam_cdev_put(cdev); } static struct platform_device *ssam_cdev_device; static struct platform_driver ssam_cdev_driver = { .probe = ssam_dbg_device_probe, .remove_new = ssam_dbg_device_remove, .driver = { .name = SSAM_CDEV_DEVICE_NAME, .probe_type = PROBE_PREFER_ASYNCHRONOUS, }, }; static int __init ssam_debug_init(void) { int status; ssam_cdev_device = platform_device_alloc(SSAM_CDEV_DEVICE_NAME, PLATFORM_DEVID_NONE); if (!ssam_cdev_device) return -ENOMEM; status = platform_device_add(ssam_cdev_device); if (status) goto err_device; status = platform_driver_register(&ssam_cdev_driver); if (status) goto err_driver; return 0; err_driver: platform_device_del(ssam_cdev_device); err_device: platform_device_put(ssam_cdev_device); return status; } module_init(ssam_debug_init); static void __exit ssam_debug_exit(void) { platform_driver_unregister(&ssam_cdev_driver); platform_device_unregister(ssam_cdev_device); } module_exit(ssam_debug_exit); MODULE_AUTHOR("Maximilian Luz "); MODULE_DESCRIPTION("User-space interface for Surface System Aggregator Module"); MODULE_LICENSE("GPL");