From patchwork Mon May 11 23:48:17 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Blecker X-Patchwork-Id: 207619 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.0 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2EA23C47255 for ; Mon, 11 May 2020 23:48:47 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id D8E4F2070B for ; Mon, 11 May 2020 23:48:46 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="fkyUhQBA" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726874AbgEKXsq (ORCPT ); Mon, 11 May 2020 19:48:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42142 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1726415AbgEKXsq (ORCPT ); Mon, 11 May 2020 19:48:46 -0400 Received: from mail-pg1-x542.google.com (mail-pg1-x542.google.com [IPv6:2607:f8b0:4864:20::542]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E761FC061A0C for ; Mon, 11 May 2020 16:48:45 -0700 (PDT) Received: by mail-pg1-x542.google.com with SMTP id d22so5294349pgk.3 for ; Mon, 11 May 2020 16:48:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=sn1H15pgzRWcAxiQXUKWK/Pp26hvZ24y4+6xate2oQA=; b=fkyUhQBAIZRdkvcbqD8+cSEBho9TJfiMt6hDoEhd7UBpOgZOfNCMncarBoULjt6nbT rZFtWs2k4aVnqiZIOTjHvpvI+NmEu9xAqaxtqE1gRDpAE2IidcvSuvWrJbyPwHnMcdu0 hK0IiUlBWzvQce8HDEnhPvM+mwxsmIj0Bgq2I= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=sn1H15pgzRWcAxiQXUKWK/Pp26hvZ24y4+6xate2oQA=; b=GY8Z+7oIQ0u7tSpKFjqnMlbtEvJYqCuw1Nr6XpLgc6Rt0F2MfhQElUrYVTC4asyUno 8wfWQhQ9WSB8RisPbK/rf0nTx7x+A5K/drvxIojX6nYxR7LQDkJQsQh96mGIL9PO1n+S Go7OfjWT3XvEQSeyCo9A1MdwiWJXkOrUb7At0FaJoDg1WzEjRJmFUr8HrEZ+NfTvraX2 Uwa8rfehVXkGlEbf8cqKZCsep0WzvDeGjfGF9xSezAcYl1BnJ7gqarRngFlJ7XdgHP60 IdAm/7eg+j1CfOBTgIOgGNlOZKis/o62SEaAAoDIeC1gFPwRWc38LqCk8gwm8QRQ5Jtt 3Xyw== X-Gm-Message-State: AGi0PuZiJvGYjgXHC9/AXe0ITmVanL2irz4v7jIBgwZkBw/J48iGZEh5 o8GEkdo6gRsEourRcRXaXLVC X-Google-Smtp-Source: APiQypL9lAdNTkTFL6u9FU6eR9/65BaMImkiWRW8yqXv7QFEHj2X4mP8VuGhqhZxiq66/6gyIPW5EQ== X-Received: by 2002:a62:e30f:: with SMTP id g15mr18487306pfh.150.1589240922202; Mon, 11 May 2020 16:48:42 -0700 (PDT) Received: from idle.mtv.corp.google.com ([2620:15c:202:1:fe92:d5a8:f1c5:e510]) by smtp.gmail.com with ESMTPSA id fv12sm208471pjb.42.2020.05.11.16.48.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 11 May 2020 16:48:41 -0700 (PDT) From: Matthew Blecker X-Google-Original-From: Matthew Blecker To: Wolfram Sang , linux-i2c@vger.kernel.org Cc: Matthew Blecker Subject: [PATCH v3] i2c: Add i2c-pseudo driver for userspace I2C adapters. Date: Mon, 11 May 2020 16:48:17 -0700 Message-Id: <20200511234817.59365-1-matthewb@google.com> X-Mailer: git-send-email 2.26.2.645.ge9eca65c58-goog MIME-Version: 1.0 Sender: linux-i2c-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-i2c@vger.kernel.org From: Matthew Blecker The i2c-pseudo module provides I2C adapters backed by userspace programs. This allows for userspace implementations of functionality such as tunneling I2C through another communication channel, or mocking of real I2C devices whose behavior cannot be modeled with i2c-stub. Signed-off-by: Matthew Blecker --- Module naming: A pseudo I2C adapter is analogous to a pseudo terminal. In the Chromium OS ecosystem we are using this for a userspace I2C adapter built on top of an existing userspace I2C-over-USB implementation used with embedded debug devices that act as I2C master to a device under test (DUT). This arrangement is used for interacting with I2C slaves on the DUT, particularly for transferring firmware to an embedded controller IC which receives programming via I2C. That I2C pseudo controller implementation is here: https://chromium.googlesource.com/chromiumos/third_party/hdctools/+/refs/heads/master/servo/interface/i2c_pseudo.py --- Changelog v3: - Replace nonseekable_open() with stream_open(). Changelog v2: - Fix ARCH=um compilation error from non-const strlen("literal"). --- .../i2c/pseudo-controller-interface.rst | 305 ++ drivers/i2c/Kconfig | 17 +- drivers/i2c/Makefile | 1 + drivers/i2c/i2c-pseudo.c | 3202 +++++++++++++++++ 4 files changed, 3524 insertions(+), 1 deletion(-) create mode 100644 Documentation/i2c/pseudo-controller-interface.rst create mode 100644 drivers/i2c/i2c-pseudo.c diff --git a/Documentation/i2c/pseudo-controller-interface.rst b/Documentation/i2c/pseudo-controller-interface.rst new file mode 100644 index 000000000000..444f6cb2710c --- /dev/null +++ b/Documentation/i2c/pseudo-controller-interface.rst @@ -0,0 +1,305 @@ +================= +i2c-pseudo driver +================= + +Usually I2C adapters are implemented in a kernel driver. It is also possible to +implement an adapter in userspace, through the /dev/i2c-pseudo-controller +interface. Load module i2c-pseudo for this. + +Use cases for this module include: + +- Using local I2C device drivers, particularly i2c-dev, with I2C busses on + remote systems. For example, interacting with a Device Under Test (DUT) + connected to a Linux host through a debug interface, or interacting with a + remote host over a network. + +- Implementing I2C device driver tests that are impractical with the i2c-stub + module. For example, when simulating an I2C device where its driver might + issue a sequence of reads and writes without interruption, and the value at a + certain address must change during the sequence. + +This is not intended to replace kernel drivers for actual I2C busses on the +local host machine. + + +Details +======= + +Each time /dev/i2c-pseudo-controller is opened, and the correct initialization +command is written to it (ADAPTER_START), a new I2C adapter is created. The +adapter will live until its file descriptor is closed. Multiple pseudo adapters +can co-exist simultaneously, controlled by the same or different userspace +processes. When an I2C device driver sends an I2C message to a pseudo adapter, +the message becomes readable from its file descriptor. If a reply is written +before the adapter timeout expires, that reply will be sent back to the I2C +device driver. + +Reads and writes are buffered inside i2c-pseudo such that userspace controllers +may split them up into arbitrarily small chunks. Multiple commands, or portions +of multiple commands, may be read or written together. + +Blocking I/O is the default. Non-blocking I/O is supported as well, enabled by +O_NONBLOCK. Polling is supported, with or without non-blocking I/O. A special +command (ADAPTER_SHUTDOWN) is available to unblock any pollers or blocked +reads or writes, as a convenience for a multi-threaded or multi-process program +that wants to exit. + +It is safe to access a single controller fd from multiple threads or processes +concurrently, though it is up to the controller to ensure proper ordering, and +to ensure that writes for different commands do not get interleaved. However, +it is recommended (not required) that controller implementations have only one +reader thread and one writer thread, which may or may not be the same thread. +Avoiding multiple readers and multiple writers greatly simplifies controller +implementation, and there is likely no performance benefit to be gained from +concurrent reads or concurrent writes due to how i2c-pseudo serializes them +internally. After all, on a real I2C bus only one I2C message can be active at +a time. + +Commands are newline-terminated, both those read from the controller device, and +those written to it. + + +Read Commands +============= + +The commands that may be read from a pseudo controller device are: + +---- + +:Read Command: ``I2C_ADAPTER_NUM `` +:Example: ``"I2C_ADAPTER_NUM 5\n"`` +:Details: + | This is read in response to the GET_ADAPTER_NUM command being written. + The number is the I2C adapter number in decimal. This can only occur after + ADAPTER_START, because before that the number is not known and cannot be + predicted reliably. + +---- + +:Read Command: ``I2C_PSEUDO_ID `` +:Example: ``"I2C_PSEUDO_ID 98\n"`` +:Details: + | This is read in response to the GET_PSEUDO_ID command being written. + The number is the pseudo ID in decimal. + +---- + +:Read Command: ``I2C_BEGIN_XFER`` +:Example: ``"I2C_BEGIN_XFER\n"`` +:Details: + | This indicates the start of an I2C transaction request, in other words + the start of the I2C messages from a single invocation of the I2C adapter's + master_xfer() callback. This can only occur after ADAPTER_START. + +---- + +:Read Command: ``I2C_XFER_REQ [[:...]]`` +:Example: ``"I2C_XFER_REQ 3 0 0x0070 0x0000 2 AB:9F\n"`` +:Example: ``"I2C_XFER_REQ 3 1 0x0070 0x0001 4\n"`` +:Details: + | This is a single I2C message that a device driver requested be sent on + the bus, in other words a single struct i2c_msg from master_xfer() msgs arg. + | + | The xfer_id is a number representing the whole I2C transaction, thus all + I2C_XFER_REQ between a I2C_BEGIN_XFER + I2C_COMMIT_XFER pair share an + xfer_id. The purpose is to ensure replies from the userspace controller are + always properly matched to the intended master_xfer() request. The first + transaction has xfer_id 0, and it increases by 1 with each transaction, + however it will eventually wrap back to 0 if enough transactions happen + during the lifetime of a pseudo adapter. It is guaranteed to have a large + enough maximum value such that there can never be multiple outstanding + transactions with the same ID, due to an internal limit in i2c-pseudo that + will block master_xfer() calls when the controller is falling behind in its + replies. + | + | The msg_id is a decimal number representing the index of the I2C message + within its transaction, in other words the index in master_xfer() \*msgs + array arg. This starts at 0 after each I2C_BEGIN_XFER. This is guaranteed + to not wrap. + | + | The addr is the hexadecimal I2C address for this I2C message. + | + | The flags are the same bitmask flags used in struct i2c_msg, in hexadecimal + form. Of particular importance to any pseudo controller is the read bit, + which is guaranteed to be 0x1 per Linux I2C documentation. + | + | The data_len is the decimal number of either how many bytes to write that + will follow, or how many bytes to read and reply with if this is a read + request. + | + | If this is a read, data_len will be the final field in this command. If + this is a write, data_len will be followed by the given number of + colon-separated hexadecimal byte values, in the format shown in the example + above. + +---- + +:Read Command: ``I2C_COMMIT_XFER`` +:Example: ``"I2C_COMMIT_XFER\n"`` +:Details: + | This indicates the end of an I2C transacton request, in other words the + end of the I2C messages from a single invocation of the I2C adapter's + master_xfer() callback. This should be read exactly once after each + I2C_BEGIN_XFER, with a varying number of I2C_XFER_REQ between them. + + +Write Commands +============== + +The commands that may be written to a pseudo controller device are: + + +:Write Command: ``SET_ADAPTER_NAME_SUFFIX `` +:Example: ``"SET_ADAPTER_NAME_SUFFIX My Adapter\n"`` +:Details: + | Sets a suffix to append to the auto-generated I2C adapter name. Only + valid before ADAPTER_START. A space or other separator character will be + placed between the auto-generated name and the suffix, so there is no need + to include a leading separator in the suffix. If the resulting name is too + long for the I2C adapter name field, it will be quietly truncated. + +---- + +:Write Command: ``SET_ADAPTER_TIMEOUT_MS `` +:Example: ``"SET_ADAPTER_TIMEOUT_MS 2000\n"`` +:Details: + | Sets the timeout in milliseconds for each I2C transaction, in other words + for each master_xfer() reply. Only valid before ADAPTER_START. The I2C + subsystem will automatically time out transactions based on this setting. + Set to 0 to use the I2C subsystem default timeout. The default timeout for + new pseudo adapters where this command has not been used is configurable at + i2c-pseudo module load time, and itself has a default independent from the + I2C subsystem default. (If the i2c-pseudo module level default is set to 0, + that has the same meaning as here.) + +---- + +:Write Command: ``ADAPTER_START`` +:Example: ``"ADAPTER_START\n"`` +:Details: + | Tells i2c-pseudo to actually create the I2C adapter. Only valid once per + open controller fd. + +---- + +:Write Command: ``GET_ADAPTER_NUM`` +:Example: ``"GET_ADAPTER_NUM\n"`` +:Details: + | Asks i2c-pseudo for the number assigned to this I2C adapter by the I2C + subsystem. Only valid after ADAPTER_START, because before that the number + is not known and cannot be predicted reliably. + +---- + +:Write Command: ``GET_PSEUDO_ID`` +:Example: ``"GET_PSEUDO_ID\n"`` +:Details: + | Asks i2c-pseudo for the pseudo ID of this I2C adapter. The pseudo ID will + not be reused for the lifetime of the i2c-pseudo module, unless an internal + counter wraps. I2C clients can use this to track specific instances of + pseudo adapters, even when adapter numbers have been reused. + +---- + +:Write Command: ``I2C_XFER_REPLY [[:...]]`` +:Example: ``"I2C_XFER_REPLY 3 0 0x0070 0x0000 0\n"`` +:Example: ``"I2C_XFER_REPLY 3 1 0x0070 0x0001 0 0B:29:02:D9\n"`` +:Details: + | This is how a pseudo controller can reply to I2C_XFER_REQ. Only valid + after I2C_XFER_REQ. A pseudo controller should write one of these for each + I2C_XFER_REQ it reads, including for failures, so that I2C device drivers + need not wait for the adapter timeout upon failure (if failure is known + sooner). + | + | The fields in common with I2C_XFER_REQ have their same meanings, and their + values are expected to exactly match what was read in the I2C_XFER_REQ + command that this is in reply to. + | + | The errno field is how the pseudo controller indicates success or failure + for this I2C message. A 0 value indicates success. A non-zero value + indicates a failure. Pseudo controllers are encouraged to use errno values + to encode some meaning in a failure response, but that is not a requirement, + and the I2C adapter interface does not provide a way to pass per-message + errno values to a device driver anyways. + | + | Pseudo controllers are encouraged to reply in the same order as messages + were received, however i2c-pseudo will properly match up out-of-order + replies with their original requests. + +---- + +:Write Command: ``ADAPTER_SHUTDOWN`` +:Example: ``"ADAPTER_SHUTDOWN\n"`` +:Details: + | This tells i2c-pseudo that the pseudo controller wants to shutdown and + intends to close the controller device fd soon. Use of this is OPTIONAL, it + is perfectly valid to close the controller device fd without ever using this + command. + | + | This commands unblocks any blocked controller I/O (reads, writes, or polls), + and that is its main purpose. + | + | Any I2C transactions attempted by a device driver after this command will + fail, and will not be passed on to the userspace controller. + | + | This DOES NOT delete the I2C adapter. Only closing the fd will do that. + That MAY CHANGE in the future, such that this does delete the I2C adapter. + (However this will never be required, it will always be okay to simply close + the fd.) + + +Example userspace controller code +================================= + +In C, a simple exchange between i2c-pseudo and userspace might look like the +example below. Note that for brevity this lacks any error checking and +handling, which a real pseudo controller implementation should have. + +:: + + int fd; + char buf[1<<12]; + + fd = open("/dev/i2c-pseudo-controller", O_RDWR); + /* Create the I2C adapter. */ + dprintf(fd, "ADAPTER_START\n"); + + /* + * Pretend this I2C adapter number is 5, and the first I2C xfer sent to it was + * from this command (using its i2c-dev interface): + * $ i2cset -y 5 0x70 0xC2 + * + * Then this read would place the following into *buf: + * "I2C_BEGIN_XFER\n" + * "I2C_XFER_REQ 0 0 0x0070 0x0000 1 C2\n" + * "I2C_COMMIT_XFER\n" + */ + read(fd, buf, sizeof(buf)); + + /* This reply would allow the i2cset command above to exit successfully. */ + dprintf(fd, "I2C_XFER_REPLY 0 0 0x0070 0x0000 0\n"); + + /* + * Now pretend the next I2C xfer sent to this adapter was from: + * $ i2cget -y 5 0x70 0xAB + * + * Then this read would place the following into *buf: + * "I2C_BEGIN_XFER\n" + * "I2C_XFER_REQ 1 0 0x0070 0x0000 1 AB\n" + * "I2C_XFER_REQ 1 1 0x0070 0x0001 1\n'" + * "I2C_COMMIT_XFER\n" + */ + read(fd, buf, sizeof(buf)); + + /* + * These replies would allow the i2cget command above to print the following to + * stdout and exit successfully: + * 0x0b + * + * Note that it is also valid to write these together in one write(). + */ + dprintf(fd, "I2C_XFER_REPLY 1 0 0x0070 0x0000 0\n"); + dprintf(fd, "I2C_XFER_REPLY 1 1 0x0070 0x0001 0 0B\n"); + + /* Destroy the I2C adapter. */ + close(fd); diff --git a/drivers/i2c/Kconfig b/drivers/i2c/Kconfig index 1474e57ecafc..78a6f909718a 100644 --- a/drivers/i2c/Kconfig +++ b/drivers/i2c/Kconfig @@ -56,7 +56,7 @@ config I2C_CHARDEV programs use the I2C bus. Information on how to do this is contained in the file . - This support is also available as a module. If so, the module + This support is also available as a module. If so, the module will be called i2c-dev. config I2C_MUX @@ -98,6 +98,21 @@ config I2C_SMBUS source "drivers/i2c/algos/Kconfig" source "drivers/i2c/busses/Kconfig" +config I2C_PSEUDO + tristate "I2C userspace adapter interface" + depends on m + default 'n' + help + Say Y here to have an i2c-pseudo-controller device file, usually + found in the /dev directory on your system. This makes it + possible to have user-space programs implement an I2C bus + (I2C adapter in kernel lingo). Information on how to do this is + contained in the file . + + This support is only available as a module, called i2c-pseudo. + + If you don't know what to do here, definitely say N. + config I2C_STUB tristate "I2C/SMBus Test Stub" depends on m diff --git a/drivers/i2c/Makefile b/drivers/i2c/Makefile index bed6ba63c983..07d7bfea7358 100644 --- a/drivers/i2c/Makefile +++ b/drivers/i2c/Makefile @@ -14,6 +14,7 @@ obj-$(CONFIG_I2C_SMBUS) += i2c-smbus.o obj-$(CONFIG_I2C_CHARDEV) += i2c-dev.o obj-$(CONFIG_I2C_MUX) += i2c-mux.o obj-y += algos/ busses/ muxes/ +obj-$(CONFIG_I2C_PSEUDO) += i2c-pseudo.o obj-$(CONFIG_I2C_STUB) += i2c-stub.o obj-$(CONFIG_I2C_SLAVE_EEPROM) += i2c-slave-eeprom.o diff --git a/drivers/i2c/i2c-pseudo.c b/drivers/i2c/i2c-pseudo.c new file mode 100644 index 000000000000..e409fac581d3 --- /dev/null +++ b/drivers/i2c/i2c-pseudo.c @@ -0,0 +1,3202 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * This Linux kernel module implements pseudo I2C adapters that can be backed + * by userspace programs. This allows for implementing an I2C bus from + * userspace, which can tunnel the I2C commands through another communication + * channel to a remote I2C bus. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/* Minimum i2cp_limit module parameter value. */ +#define I2CP_ADAPTERS_MIN 0 +/* Maximum i2cp_limit module parameter value. */ +#define I2CP_ADAPTERS_MAX 256 +/* Default i2cp_limit module parameter value. */ +#define I2CP_DEFAULT_LIMIT 8 +/* Value for alloc_chrdev_region() baseminor arg. */ +#define I2CP_CDEV_BASEMINOR 0 +#define I2CP_TIMEOUT_MS_MIN 0 +#define I2CP_TIMEOUT_MS_MAX (60 * MSEC_PER_SEC) +#define I2CP_DEFAULT_TIMEOUT_MS (3 * MSEC_PER_SEC) + +/* Used in struct device.kobj.name field. */ +#define I2CP_DEVICE_NAME "i2c-pseudo-controller" +/* Value for alloc_chrdev_region() name arg. */ +#define I2CP_CHRDEV_NAME "i2c_pseudo" +/* Value for class_create() name arg. */ +#define I2CP_CLASS_NAME "i2c-pseudo" +/* Value for alloc_chrdev_region() count arg. Should always be 1. */ +#define I2CP_CDEV_COUNT 1 + +#define I2CP_ADAP_START_CMD "ADAPTER_START" +#define I2CP_ADAP_SHUTDOWN_CMD "ADAPTER_SHUTDOWN" +#define I2CP_GET_NUMBER_CMD "GET_ADAPTER_NUM" +#define I2CP_NUMBER_REPLY_CMD "I2C_ADAPTER_NUM" +#define I2CP_GET_PSEUDO_ID_CMD "GET_PSEUDO_ID" +#define I2CP_PSEUDO_ID_REPLY_CMD "I2C_PSEUDO_ID" +#define I2CP_SET_NAME_SUFFIX_CMD "SET_ADAPTER_NAME_SUFFIX" +#define I2CP_SET_TIMEOUT_CMD "SET_ADAPTER_TIMEOUT_MS" +#define I2CP_BEGIN_MXFER_REQ_CMD "I2C_BEGIN_XFER" +#define I2CP_COMMIT_MXFER_REQ_CMD "I2C_COMMIT_XFER" +#define I2CP_MXFER_REQ_CMD "I2C_XFER_REQ" +#define I2CP_MXFER_REPLY_CMD "I2C_XFER_REPLY" + +/* Maximum size of a controller command. */ +#define I2CP_CTRLR_CMD_LIMIT 255 +/* Maximum number of controller read responses to allow enqueued at once. */ +#define I2CP_CTRLR_RSP_QUEUE_LIMIT 256 +/* The maximum size of a single controller read response. */ +#define I2CP_MAX_MSG_BUF_SIZE 16384 +/* Maximum length (not size!) of i2cp_cmds static array. */ +#define I2CP_CMDS_SANITY_LIMIT 64 +/* Maximum size of a controller read or write. */ +#define I2CP_RW_SIZE_LIMIT 1048576 + +/* + * Marks the end of a controller command or read response. + * + * Fundamentally, controller commands and read responses could use different end + * marker characters, but for sanity they should be the same. + * + * This must be a variable, not a macro, because it is passed to copy_to_user() + * by address. Taking the address of a character literal causes a compiler + * error. Making these C strings instead of characters would allow for that + * (with other implications), but then copy_to_user() itself refuses to compile, + * because of an assertion that the copy size (1) must match the size of the + * string literal (2 with its trailing null). + */ +static const char i2cp_ctrlr_end_char = '\n'; +/* Separator between I2C message header fields in the controller bytestream. */ +static const char i2cp_ctrlr_header_sep_char = ' '; +/* Separator between I2C message data bytes in the controller bytestream. */ +static const char i2cp_ctrlr_data_sep_char = ':'; + +/* + * This used instead of strcmp(in_str, other_str) because in_str may have null + * characters within its in_size boundaries, which could cause an unintended + * match. + */ +#define STRING_NEQ(in_str, in_size, other_str) \ + (in_size != strlen(other_str) || memcmp(other_str, in_str, in_size)) + +#define STR_HELPER(num) #num +#define STR(num) STR_HELPER(num) + +#define CONST_STRLEN(str) (sizeof(str) - 1) + +/* + * The number of pseudo I2C adapters permitted. This default value can be + * overridden at module load time. Must be in the range + * [I2CP_ADAPTERS_MIN, I2CP_ADAPTERS_MAX]. + * + * As currently used, this MUST NOT be changed during or after module + * initialization. If the ability to change this at runtime is desired, an + * audit of the uses of this variable will be necessary. + */ +static unsigned int i2cp_limit = I2CP_DEFAULT_LIMIT; +module_param(i2cp_limit, uint, 0444); + +/* + * The default I2C pseudo adapter timeout, in milliseconds. + * 0 means use Linux I2C adapter default. + * Can be changed per adapter by the controller. + */ +static unsigned int i2cp_default_timeout_ms = I2CP_DEFAULT_TIMEOUT_MS; +module_param(i2cp_default_timeout_ms, uint, 0444); + +struct i2cp_controller; + +/* This tracks all I2C pseudo adapters. */ +struct i2cp_counters { + /* This must be held while accessing any fields. */ + struct mutex lock; + unsigned int count; + /* + * This is used to make a strong attempt at avoiding ID reuse, + * especially during the lifetime of a userspace i2c-dev client. This + * can wrap by design, and thus makes no perfect guarantees. + */ + /* Same type as struct i2cp_controller.id field. */ + unsigned int next_ctrlr_id; + struct i2cp_controller **all_controllers; +}; + +static struct class *i2cp_class; +static dev_t i2cp_dev_num; + +struct i2cp_device { + struct i2cp_counters counters; + struct cdev cdev; + struct device device; +}; + +static struct i2cp_device *i2cp_device; + +/* + * An instance of this struct in i2cp_cmds[] array defines a command that a + * controller process may write to the I2C pseudo character device, hereafter a + * "write command." + * + * A write command consists of one or more header fields, followed optionally by + * data. Each header field is fully buffered before being sent to + * header_receiver(). Data is not fully buffered, it is chunked in fixed + * increments set by the return value of the final header_receiver() call. + * + * Every write command begins with its name. The name is used both to map the + * command to an instance of this struct, and as the first header field. + * + * A header field ends at either i2cp_ctrlr_end_char or + * i2cp_ctrlr_header_sep_char, neither of which is ever included in header field + * values passed to a callback. + * + * A command always ends at i2cp_ctrlr_end_char. Anything written after that by + * the controller is treated as a new command. + * + * After i2cp_ctrlr_header_sep_char the return value of header_receiver() from + * the previous header field is used to determine whether subsequent input is + * another header field, or data. + * + * Once header_receiver() has indicated that data is expected, all input until + * i2cp_ctrlr_end_char will be handled as data, and header_receiver() will not + * be called again for the command. + * + * For a given I2C pseudo controller instance there will never be more than one + * write command in flight at once, and there will never be more than one of + * these callbacks executing at once. These callbacks need not do any + * cross-thread synchronization among themselves. + * + * Note: Data may contain i2cp_ctrlr_header_sep_char. + * + * Note: There are no restrictions on the use of the null char ('\0') in either + * header fields or data. (If either i2cp_ctrlr_header_sep_char or + * i2cp_ctrlr_end_char is null then the respective restrictions around those + * characters apply as usual, of course.) Write command implementations need + * not use or expect null, but they must at least handle it gracefully and fail + * without bad side effects, same as with any unexpected input. + */ +struct i2cp_cmd { + /* + * Set these to the command name. + * + * The command name must not contain i2cp_ctrlr_header_sep_char or + * i2cp_ctrlr_end_char. The behavior otherwise is undefined; such a + * command would be uncallable, and could become either a build-time or + * runtime error. + * + * The command name must be unique in the i2cp_cmds[] array. The + * behavior with duplicate command names is undefined, subject to + * change, and subject to become either a build-time or runtime error. + */ + char *cmd_string; /* Must be non-NULL. */ + size_t cmd_size; /* Must be non-zero. */ + + /* + * This is called once for each I2C pseudo controller to initialize + * *data, prior to that pointer being passed to any other callbacks. + * + * This will only be called before the I2C adapter device is added. + * + * *data will be set to NULL before this is called. + * + * This callback may be NULL, in which case *data will remain NULL upon + * initialization. + * + * This should return -errno upon failure, 0 upon success. All + * non-negative return values are currently treated as success but + * positive values are reserved for potential future use. + * + * Initialization failure will cause the whole I2C pseudo controller to + * fail to initialize or function, thus *data will not be passed to any + * other callbacks. + */ + int (*data_creator)(void **data); + /* + * This is called once when shutdown of an I2C pseudo controller is + * imminent, and no further I2C replies can be processed. + * + * This callback may be NULL. + */ + void (*data_shutdown)(void *data); + /* + * This is called once upon termination of each I2C pseudo controller to + * free any resources held by @data. + * + * This will never be called while the I2C adapter device is active. + * Normally that means this is called after the I2C adapter device has + * been deleted, but it is also possible for this to be called during + * I2C pseudo controller initialization if a subsequent initialization + * step failed, as part of failure handling cleanup. + * + * This will only be called after a successful return value from + * data_creator(). + * + * This will be passed the same *data pointer that data_creator() placed + * in its **data output arg. + * + * The *data pointer will not be used again by the write command system + * after the start of this function call. + * + * This callback may be NULL. + */ + void (*data_destroyer)(void *data); + /* + * This is called to process write command header fields, including the + * command name itself as the first header field in every command. + * + * This is called once for each header field, in order, including the + * initial command name. + * + * @data is the value of *data from data_creator(). (Thus NULL if + * data_creator field is NULL.) + * + * @in and @in_size are the header value. It will never contain + * i2cp_ctrlr_header_sep_char or i2cp_ctrlr_end_char. + * + * in[in_size] is guaranteed to be null. There may be null characters + * inside the buffer boundary indicated by @in_size as well though! + * + * @non_blocking indicates whether O_NONBLOCK is set on the controller + * file descriptor. This is not expected to be relevant to most write + * command callback implementations, however it should be respected if + * relevant. In other words, if this is true do not block indefinitely, + * instead return EAGAIN or EWOULDBLOCK. If this is false never return + * EAGAIN or EWOULDBLOCK. + * + * Return -errno to indicate a failure. After a failure the next and + * final callback invocation for the command will be cmd_completer(). + * + * Return 0 to indicate success _and_ that another header field is + * expected next. The next header field will be fully buffered before + * being sent to this callback, just as the current one was. + * + * Return a positive value to indicate success _and_ that data is + * expected next. The exact positive value sets the chunk size used to + * buffer the data and pass it to data_receiver. All invocations of + * data_receiver are guaranteed to receive data in a _multiple_ of the + * chunk size, except the final invocation, because + * i2cp_ctrlr_end_char could be received on a non-chunk-size boundary. + * The return value should be less than I2CP_CTRLR_CMD_LIMIT, as that + * minus one is the maximum that will ever be buffered at once, and thus + * the maximum that will ever be sent to a single invocation of + * data_receiver. + * + * If the command is expected to end after a header field without any + * data, it is encouraged to return 1 here and have data_receiver + * indicate a failure if it is called. That avoids having the + * unexpected input buffered unnecessarily. + * + * This callback MUST NOT be NULL. + */ + int (*header_receiver)(void *data, char *in, size_t in_size, + bool non_blocking); + /* + * This is called to process write command data, when requested by the + * header_receiver() return value. + * + * This may be invoked multiple times for each data field, with the data + * broken up into sequential non-overlapping chunks. + * + * @in and @in_size are data. The data will never contain + * i2cp_ctrlr_end_char. + * + * in[in_size] is guaranteed to be null. There may be null characters + * inside the buffer boundary indicated by @in_size as well though! + * + * @in_size is guaranteed to be a multiple of the chunk size as + * specified by the last return value from header_receiver(), unless + * either the chunk size is >= I2CP_CTRLR_CMD_LIMIT, or + * i2cp_ctrlr_end_char was reached on a non-chunk-sized boundary. + * + * @in_size is guaranteed to be greater than zero, and less than + * I2CP_CTRLR_CMD_LIMIT. + * + * @non_blocking indicates whether O_NONBLOCK is set on the controller + * file descriptor. This is not expected to be relevant to most write + * command callback implementations, however it should be respected if + * relevant. In other words, if this is true do not block indefinitely, + * instead return EAGAIN or EWOULDBLOCK. If this is false never return + * EAGAIN or EWOULDBLOCK. + * + * This should return -errno upon failure, 0 upon success. All + * non-negative return values are currently treated as success but + * positive values are reserved for potential future use. After a + * failure the next and final callback invocation for the command will + * be cmd_completer(). + * + * If header_receiver() never returns a positive number, this callback + * should be NULL. Otherwise, this callback MUST NOT be NULL. + */ + int (*data_receiver)(void *data, char *in, size_t in_size, + bool non_blocking); + /* + * This is called to complete processing of a command, after it has been + * received in its entirety. + * + * If @receive_status is positive, it is an error code from the invoking + * routines themselves, e.g. if the controller process wrote a header + * field >= I2CP_CTRLR_CMD_LIMIT. + * + * If @receive_status is zero, it means all invocations of + * header_receiver and data_receiver returned successful values and the + * entire write command was received successfully. + * + * If @receive_status is negative, it is the value returned by the last + * header_receiver or data_receiver invocation. + * + * @non_blocking indicates whether O_NONBLOCK is set on the controller + * file descriptor. This is not expected to be relevant to most write + * command callback implementations, however it should be respected if + * relevant. In other words, if this is true do not block indefinitely, + * instead return EAGAIN or EWOULDBLOCK. If this is false never return + * EAGAIN or EWOULDBLOCK. + * + * This is called exactly once for each write command. This is true + * regardless of the value of @non_blocking and regardless of the return + * value of this function, so it is imperative that this function + * perform any necessary cleanup tasks related to @data, even if + * non_blocking=true and blocking is required! + * + * Thus, even with non_blocking=true, it would only ever make sense to + * return -EAGAIN from this function if the struct i2cp_cmd + * implementation is able to perform the would-be blocked cmd_completer + * operation later, e.g. upon invocation of a callback for the next + * write command, or by way of a background thread. + * + * This should return -errno upon failure, 0 upon success. All + * non-negative return values are currently treated as success but + * positive values are reserved for potential future use. + * + * An error should be returned only to indicate a new error that + * happened during the execution of this callback. Any error from + * @receive_status should *not* be copied to the return value of this + * callback. + * + * This callback may be NULL. + */ + int (*cmd_completer)(void *data, struct i2cp_controller *pdata, + int receive_status, bool non_blocking); +}; + +/* + * These are indexes of i2cp_cmds[]. Every element in that array should have a + * corresponding value in this enum, and the enum value should be used in the + * i2cp_cmds[] initializer. + * + * Command names are matched in this order, so sort by expected frequency. + */ +enum { + I2CP_CMD_MXFER_REPLY_IDX = 0, + I2CP_CMD_ADAP_START_IDX, + I2CP_CMD_ADAP_SHUTDOWN_IDX, + I2CP_CMD_GET_NUMBER_IDX, + I2CP_CMD_GET_PSEUDO_ID_IDX, + I2CP_CMD_SET_NAME_SUFFIX_IDX, + I2CP_CMD_SET_TIMEOUT_IDX, + /* Keep this at the end! This must equal ARRAY_SIZE(i2cp_cmds). */ + I2CP_NUM_WRITE_CMDS, +}; + +/* + * All values must be >= 0. This should not contain any error values. + * + * The state for a new controller must have a zero value, so that + * zero-initialized memory results in the correct default value. + */ +enum i2cp_ctrlr_state { + /* + * i2c_add_adapter() has not been called yet, or has only returned + * failure. + */ + I2CP_CTRLR_STATE_NEW = 0, + /* + * i2c_add_adapter() has return success, and the controller has not + * requested shutdown yet. + */ + I2CP_CTRLR_STATE_RUNNING, + /* + * i2c_add_adapter() has returned success, and the controller has + * requested shutdown. + * + * Note that it is perfectly acceptable for a pseudo controller fd to be + * closed and released without shutdown having been requested + * beforehand. Thus, this state is purely optional in the lifetime of a + * controller. + */ + I2CP_CTRLR_STATE_SHUTDN_REQ, +}; + +/* + * Avoid allocating this struct on the stack, it contains a large buffer as a + * direct member. + * + * To avoid deadlocks, never attempt to hold more than one of the locks in this + * structure at once, with the following exceptions: + * - It is permissible to acquire read_rsp_queue_lock while holding cmd_lock. + * - It is permissible to acquire read_rsp_queue_lock while holding rsp_lock. + */ +struct i2cp_controller { + unsigned int index; + /* + * Never modify the ID after initialization. + * + * This should be an unsigned integer type large enough to hold + * I2CP_ADAPTERS_MAX. + */ + unsigned int id; + /* + * Only i2cp_cdev_open() and i2cp_cdev_release() may access this field. + * Other functions called by them, or called by the I2C subsystem, may + * of course take a reference to this same struct i2c_adapter. However + * no other functions besides the aforementioned two may access the + * i2c_adapter field of struct i2cp_controller. + */ + struct i2c_adapter i2c_adapter; + + struct mutex startstop_lock; + enum i2cp_ctrlr_state startstop_state; + + wait_queue_head_t poll_wait_queue; + + /* This must be held while read or writing cmd_* fields. */ + struct mutex cmd_lock; + /* + * This becomes the @receive_status arg to struct i2cp_cmd.cmd_completer + * callback. + * + * A negative value is an error number from + * struct i2cp_cmd.header_receiver or struct i2cp_cmd.data_receiver. + * + * A zero value means no error has occurred so far in processing the + * current write reply command. + * + * A positive value is an error number from a non-command-specific part + * of write command processing, e.g. from the + * struct file_operations.write callback itself, or function further up + * its call stack that is not specific to any particular write command. + */ + int cmd_receive_status; + /* + * Index of i2cp_cmds[] and .cmd_data[] plus one, i.e. value of 1 means + * 0 index. Value of 0 (zero) means the controller is waiting for a new + * command. + */ + int cmd_idx_plus_one; + int cmd_data_increment; + size_t cmd_size; + /* Add one for trailing null character. */ + char cmd_buf[I2CP_CTRLR_CMD_LIMIT + 1]; + void *cmd_data[I2CP_NUM_WRITE_CMDS]; + + struct completion read_rsp_queued; + /* This must be held while read or writing read_rsp_queue_* fields. */ + struct mutex read_rsp_queue_lock; + /* + * This is a FIFO queue of struct i2cp_rsp.queue . + * + * This MUST be strictly used as FIFO. Only consume or pop the first + * item. Only append to the end. Users of this queue assume this FIFO + * behavior is strictly followed, and their uses of read_rsp_queue_lock + * would not be safe otherwise. + */ + struct list_head read_rsp_queue_head; + unsigned int read_rsp_queue_length; + + /* This must be held while reading or writing rsp_* fields. */ + struct mutex rsp_lock; + bool rsp_invalidated; + /* + * Holds formatted string from most recently popped item of + * read_rsp_queue_head if it was not wholly consumed by the last + * controller read. + */ + char *rsp_buf_start; + char *rsp_buf_pos; + ssize_t rsp_buf_remaining; +}; + +struct i2cp_cmd_mxfer_reply { + /* + * This lock MUST be held while reading or modifying any part of this + * struct i2cp_cmd_mxfer_reply, unless you can guarantee that nothing + * else can access this struct concurrently, such as during + * initialization. + * + * The struct i2cp_cmd_mxfer_reply_data.reply_queue_lock of the + * struct i2cp_cmd_mxfer_reply_data.reply_queue_head list which contains + * this struct i2cp_cmd_mxfer_reply.reply_queue_item MUST be held when + * attempting to acquire this lock. + * + * It is NOT required to keep + * struct i2cp_cmd_mxfer_reply_data.reply_queue_lock held after + * acquisition of this lock (unless also manipulating + * struct i2cp_cmd_mxfer_reply_data.reply_queue_* of course). + */ + struct mutex lock; + + /* + * Never modify the ID after initialization. + * + * This should be an unsigned integer type large enough to hold + * I2CP_CTRLR_RSP_QUEUE_LIMIT. If changing this type, audit for printf + * format strings that need updating! + */ + unsigned int id; + /* Number of I2C messages successfully processed, or negative error. */ + int ret; + /* Same type as struct i2c_algorithm.master_xfer @num arg. */ + int num_msgs; + /* Same type as struct i2c_algorithm.master_xfer @msgs arg. */ + struct i2c_msg *msgs; + /* Same length (not size) as *msgs array. */ + bool *completed; + /* Number of completed[] array entries with true value. */ + int num_completed_true; + + /* + * This is for use in struct i2cp_cmd_mxfer_reply_data.reply_queue_head + * FIFO queue. + * + * Any time this is deleted from its containing + * struct i2cp_cmd_mxfer_reply_data.reply_queue_head list, either + * list_del_init() MUST be used (not list_del()), OR this whole + * struct i2cp_cmd_mxfer_reply MUST be freed. + * + * That way, if this struct is not immediately freed, the code which + * eventually frees it can test whether it still needs to be deleted + * from struct i2cp_cmd_mxfer_reply_data.reply_queue_head by using + * list_empty() on reply_queue_item. (Calling list_del() on an + * already-deleted list item is unsafe.) + */ + struct list_head reply_queue_item; + struct completion data_filled; +}; + +/* + * The state for receiving the first field must have a zero value, so that + * zero-initialized memory results in the correct default value. + */ +enum i2cp_cmd_mxfer_reply_state { + I2CP_CMD_MXFER_REPLY_STATE_CMD_NEXT = 0, + I2CP_CMD_MXFER_REPLY_STATE_ID_NEXT, + I2CP_CMD_MXFER_REPLY_STATE_INDEX_NEXT, + I2CP_CMD_MXFER_REPLY_STATE_ADDR_NEXT, + I2CP_CMD_MXFER_REPLY_STATE_FLAGS_NEXT, + I2CP_CMD_MXFER_REPLY_STATE_ERRNO_NEXT, + I2CP_CMD_MXFER_REPLY_STATE_DATA_NEXT, + /* + * This is used to tell subsequent callback invocations that the write + * command currently being received is invalid, when the receiver wants + * to quietly discard the write command instead of loudly returning an + * error. + */ + I2CP_CMD_MXFER_REPLY_STATE_INVALID, +}; + +struct i2cp_cmd_mxfer_reply_data { + /* This must be held while read or writing reply_queue_* fields. */ + struct mutex reply_queue_lock; + /* + * This is used to make a strong attempt at avoiding ID reuse, + * especially for overlapping master_xfer() calls. + * + * This can wrap by design, and thus makes no perfect guarantees over + * the lifetime of an I2C pseudo adapter. + * + * No code should assume uniqueness, not even for master_xfer() calls of + * overlapping lifetimes. When the controller writes a master_xfer() + * reply command, assume that it is for the oldest outstanding instance + * of the ID number specified. + */ + /* Same type as struct i2cp_cmd_mxfer_reply.id field. */ + unsigned int next_mxfer_id; + /* + * This is a FIFO queue of struct i2cp_cmd_mxfer_reply.reply_queue_item. + * + * This MUST be strictly used as FIFO. Only consume or pop the first + * item. Only append to the end. Users of this queue assume this FIFO + * behavior is strictly followed, and their uses of reply_queue_lock may + * not be safe otherwise. + */ + struct list_head reply_queue_head; + unsigned int reply_queue_length; + struct i2cp_cmd_mxfer_reply *reply_queue_current_item; + + enum i2cp_cmd_mxfer_reply_state state; + + /* Same type as struct i2cp_cmd_mxfer_reply.id field. */ + unsigned int current_id; + /* Same type as struct i2c_msg.addr field. */ + u16 current_addr; + /* Same type as struct i2c_msg.flags field. */ + u16 current_flags; + /* Same type as struct i2c_algorithm.master_xfer @num arg. */ + int current_msg_idx; + /* Same type as struct i2c_msg.len field. */ + u16 current_buf_idx; +}; + +struct i2cp_cmd_set_name_suffix_data { + char name_suffix[sizeof_field(struct i2c_adapter, name)]; + size_t name_suffix_len; +}; + +struct i2cp_cmd_set_timeout_data { + int field_pos; + unsigned int timeout_ms; +}; + +struct i2cp_rsp { + /* + * This callback is invoked to format its associated data for passing to + * the userspace controller process when it read()s the I2C pseudo + * controller character device. + * + * @data will be the data pointer from this struct instance. + * + * @out is an output argument. Upon positive return value, *out must be + * set to a buffer which the caller will take ownership of, and which + * can be freed with kfree(). + * + * Upon positive return value, @data must NOT be freed. + * + * The formatter will be called repeatedly for the same data until it + * returns non-positive. + * + * Upon non-positive return value, *out should not be modified. + * + * Upon non-positive return value, the formatter should have freed data + * with kfree(). Implicitly this means any allocations owned by *data + * should have been freed by the formatter as well. + * + * A negative return value indicates an error occurred and the data + * cannot be formatted successfully. The error code may or may not + * eventually be propagated back to the I2C pseudo adapter controller. + * + * A positive return value is the number of characters/bytes to use from + * the *out buffer, always starting from index 0. It should NOT include + * a trailing NULL character unless that character should be propagated + * to the I2C pseudo adapter controller! It therefore does NOT need to + * be the full size of the allocated *out buffer, instead it can be + * less. (The size is not needed by kfree().) + * + * The formatter owns the memory pointed to by data. The invoking code + * will never mutate or free data. Thus, upon non-positive return value + * from the formatter, the formatter must have already performed any + * reference counting decrement or memory freeing necessary to ensure + * data does not live beyond its final use. + * + * There will never be more than one formatter callback in flight at + * once for a given I2C pseudo controller. This is true even in the + * face of concurrent reads by the controller. + * + * The formatter must NOT use i2cp_ctrlr_end_char in anywhere in *out + * (within the size range indicated by the return value; past that does + * not matter). The i2cp_ctrlr_end_char will be added automatically by + * the caller after a zero return value (successful completion) from the + * formatter. + * + * The formatter must never create or return a buffer larger than + * I2CP_MAX_MSG_BUF_SIZE. The formatter is encouraged to avoid that by + * generating and returning the output in chunks, taking advantage of + * the guarantee that it will be called repeatedly until exhaustion + * (zero return value) or failure (negative return value). If the + * formatter expects its formatted output or natural subsets of it to + * always fit within I2CP_MAX_MSG_BUF_SIZE, and it is called with input + * data not meeting that expectation, the formatter should return + * -ERANGE to indicate this condition. + */ + ssize_t (*formatter)(void *data, char **out); + void *data; + + struct list_head queue; +}; + +struct i2cp_rsp_buffer { + char *buf; + ssize_t size; +}; + +struct i2cp_rsp_master_xfer { + /* Never modify the ID after initialization. */ + /* Same type as struct i2cp_cmd_mxfer_reply.id field. */ + unsigned int id; + + /* These types match those of struct i2c_algorithm.master_xfer args. */ + struct i2c_msg *msgs; + int num; + + /* + * Always initialize fields below here to zero. They are for internal + * use by i2cp_rsp_master_xfer_formatter(). + */ + int num_msgs_done; /* type of @num field */ + size_t buf_start_plus_one; +}; + +/* vanprintf - See anprintf() documentation. */ +static ssize_t vanprintf(char **out, ssize_t max_size, gfp_t gfp, + const char *fmt, va_list ap) +{ + int ret; + ssize_t buf_size; + char *buf = NULL; + va_list args1; + + va_copy(args1, ap); + ret = vsnprintf(NULL, 0, fmt, ap); + if (ret < 0) + goto fail_before_args1; + if (max_size >= 0 && ret > max_size) { + ret = -ERANGE; + goto fail_before_args1; + } + + buf_size = ret + 1; + buf = kmalloc_track_caller(buf_size, gfp); + if (buf == NULL) { + ret = -ENOMEM; + goto fail_before_args1; + } + + ret = vsnprintf(buf, buf_size, fmt, args1); + va_end(args1); + if (ret < 0) + goto fail_after_args1; + if (ret + 1 != buf_size) { + ret = -ENOTRECOVERABLE; + goto fail_after_args1; + } + + *out = buf; + return ret; + + fail_before_args1: + va_end(args1); + fail_after_args1: + kfree(buf); + if (ret >= 0) + ret = -ENOTRECOVERABLE; + return ret; +} + +/* + * anprintf - Format a string and place it into a newly allocated buffer. + * @out: Address of the pointer to place the buffer address into. Will only be + * written to with a successful positive return value. + * @max_size: If non-negative, the maximum buffer size that this function will + * attempt to allocate. If the formatted string including trailing null + * character would not fit, no buffer will be allocated, and an error will + * be returned. (Thus max_size of 0 will always result in an error.) + * @gfp: GFP flags for kmalloc(). + * @fmt: The format string to use. + * @...: Arguments for the format string. + * + * Return value meanings: + * + * >=0: A buffer of this size was allocated and its address written to *out. + * The caller now owns the buffer and is responsible for freeing it with + * kfree(). The final character in the buffer, not counted in this + * return value, is the trailing null. This is the same return value + * meaning as snprintf(3). + * + * <0: An error occurred. Negate the return value for the error number. + * @out will not have been written to. Errors that might come from + * snprintf(3) may come from this function as well. Additionally, the + * following errors may occur from this function: + * + * ERANGE: A buffer larger than @max_size would be needed to fit the + * formatted string including its trailing null character. + * + * ENOMEM: Allocation of the output buffer failed. + * + * ENOTRECOVERABLE: An unexpected condition occurred. This may indicate + * a bug. + */ +static ssize_t anprintf(char **out, ssize_t max_size, gfp_t gfp, + const char *fmt, ...) +{ + ssize_t ret; + va_list args; + + va_start(args, fmt); + ret = vanprintf(out, max_size, gfp, fmt, args); + va_end(args); + return ret; +} + +static ssize_t i2cp_rsp_buffer_formatter(void *data, char **out) +{ + struct i2cp_rsp_buffer *rsp_buf; + + rsp_buf = data; + if (rsp_buf->buf) { + if (rsp_buf->size > 0) { + *out = rsp_buf->buf; + rsp_buf->buf = NULL; + return rsp_buf->size; + } + kfree(rsp_buf->buf); + } + kfree(rsp_buf); + return 0; +} + +static ssize_t i2cp_rsp_master_xfer_formatter(void *data, char **out) +{ + ssize_t ret; + size_t i, buf_size, byte_start, byte_limit; + char *buf_start, *buf_pos; + struct i2cp_rsp_master_xfer *mxfer_rsp; + struct i2c_msg *i2c_msg; + + mxfer_rsp = data; + + /* + * This condition is set by a previous call to this function with the + * same data, when it returned an error but was not consuming the final + * i2c_msg. + */ + if (!mxfer_rsp->msgs) { + ++mxfer_rsp->num_msgs_done; + ret = 0; + goto maybe_free; + } + + i2c_msg = &mxfer_rsp->msgs[mxfer_rsp->num_msgs_done]; + + /* + * If this is a read, or if this is a write and we've finished writing + * the data buffer, we are done with this i2c_msg. + */ + if (mxfer_rsp->buf_start_plus_one >= 1 && + (i2c_msg->flags & I2C_M_RD || + mxfer_rsp->buf_start_plus_one >= (size_t)i2c_msg->len + 1)) { + ++mxfer_rsp->num_msgs_done; + mxfer_rsp->buf_start_plus_one = 0; + ret = 0; + goto maybe_free; + } + + if (mxfer_rsp->buf_start_plus_one <= 0) { + /* + * The length is not strictly necessary with the explicit + * end-of-message marker (i2cp_ctrlr_end_char), however it + * serves as a useful sanity check for controllers to verify + * that no bytes were lost in kernel->userspace transmission. + */ + ret = anprintf(&buf_start, I2CP_MAX_MSG_BUF_SIZE, GFP_KERNEL, + "%*s%c%u%c%d%c0x%04X%c0x%04X%c%u", + (int)strlen(I2CP_MXFER_REQ_CMD), I2CP_MXFER_REQ_CMD, + i2cp_ctrlr_header_sep_char, mxfer_rsp->id, + i2cp_ctrlr_header_sep_char, mxfer_rsp->num_msgs_done, + i2cp_ctrlr_header_sep_char, i2c_msg->addr, + i2cp_ctrlr_header_sep_char, i2c_msg->flags, + i2cp_ctrlr_header_sep_char, i2c_msg->len); + if (ret > 0) { + *out = buf_start; + mxfer_rsp->buf_start_plus_one = 1; + /* + * If we have a zero return value, it means the output buffer + * was allocated as size one, containing only a terminating null + * character. This would be a bug given the requested format + * string above. Also, formatter functions must not mutate *out + * when returning zero. So if this matches, free the useless + * buffer and return an error. + */ + } else if (ret == 0) { + ret = -EINVAL; + kfree(buf_start); + } + goto maybe_free; + } + + byte_start = mxfer_rsp->buf_start_plus_one - 1; + byte_limit = min_t(size_t, i2c_msg->len - byte_start, + I2CP_MAX_MSG_BUF_SIZE / 3); + /* 3 chars per byte == 2 chars for hex + 1 char for separator */ + buf_size = byte_limit * 3; + + buf_start = kzalloc(buf_size, GFP_KERNEL); + if (!buf_start) { + ret = -ENOMEM; + goto maybe_free; + } + + for (buf_pos = buf_start, i = 0; i < byte_limit; ++i) { + *buf_pos++ = (i || byte_start) ? + i2cp_ctrlr_data_sep_char : i2cp_ctrlr_header_sep_char; + buf_pos = hex_byte_pack_upper( + buf_pos, i2c_msg->buf[byte_start + i]); + } + *out = buf_start; + ret = buf_size; + mxfer_rsp->buf_start_plus_one += i; + + maybe_free: + if (ret <= 0) { + if (mxfer_rsp->num_msgs_done >= mxfer_rsp->num) { + kfree(mxfer_rsp->msgs); + kfree(mxfer_rsp); + /* + * If we are returning an error but have not consumed all of + * mxfer_rsp yet, we must not attempt to output any more I2C + * messages from the same mxfer_rsp. Setting mxfer_rsp->msgs to + * NULL tells the remaining invocations with this mxfer_rsp to + * output nothing. + * + * There can be more invocations with the same mxfer_rsp even + * after returning an error here because + * i2cp_adapter_master_xfer() reuses a single + * struct i2cp_rsp_master_xfer (mxfer_rsp) across multiple + * struct i2cp_rsp (rsp_wrappers), one for each struct i2c_msg + * within the mxfer_rsp. + */ + } else if (ret < 0) { + kfree(mxfer_rsp->msgs); + mxfer_rsp->msgs = NULL; + } + } + return ret; +} + +static ssize_t i2cp_id_show(struct device *dev, struct device_attribute *attr, + char *buf) +{ + int ret; + struct i2c_adapter *adap; + struct i2cp_controller *pdata; + + adap = container_of(dev, struct i2c_adapter, dev); + pdata = container_of(adap, struct i2cp_controller, i2c_adapter); + ret = snprintf(buf, PAGE_SIZE, "%u\n", pdata->id); + if (ret >= PAGE_SIZE) + return -ERANGE; + return ret; +} + +static const struct device_attribute i2cp_id_dev_attr = { + .attr = { + .name = "i2c-pseudo-id", + .mode = 0444, + }, + .show = i2cp_id_show, +}; + +static enum i2cp_ctrlr_state i2cp_adap_get_state(struct i2cp_controller *pdata) +{ + enum i2cp_ctrlr_state ret; + + mutex_lock(&pdata->startstop_lock); + ret = pdata->startstop_state; + mutex_unlock(&pdata->startstop_lock); + return ret; +} + +static int i2cp_cmd_mxfer_reply_data_creator(void **data) +{ + struct i2cp_cmd_mxfer_reply_data *cmd_data; + + cmd_data = kzalloc(sizeof(*cmd_data), GFP_KERNEL); + if (!cmd_data) + return -ENOMEM; + mutex_init(&cmd_data->reply_queue_lock); + INIT_LIST_HEAD(&cmd_data->reply_queue_head); + *data = cmd_data; + return 0; +} + +/* + * Notify pending I2C requests of the shutdown. There is no possibility of + * further I2C replies at this point. This stops the I2C requests from waiting + * for the adapter timeout, which could have been set arbitrarily long by the + * userspace controller. + */ +static void i2cp_cmd_mxfer_reply_data_shutdown(void *data) +{ + struct list_head *list_ptr; + struct i2cp_cmd_mxfer_reply_data *cmd_data; + struct i2cp_cmd_mxfer_reply *mxfer_reply; + + cmd_data = data; + mutex_lock(&cmd_data->reply_queue_lock); + list_for_each(list_ptr, &cmd_data->reply_queue_head) { + mxfer_reply = list_entry(list_ptr, struct i2cp_cmd_mxfer_reply, + reply_queue_item); + mutex_lock(&mxfer_reply->lock); + complete_all(&mxfer_reply->data_filled); + mutex_unlock(&mxfer_reply->lock); + } + mutex_unlock(&cmd_data->reply_queue_lock); +} + +static void i2cp_cmd_mxfer_reply_data_destroyer(void *data) +{ + /* + * We do not have to worry about racing with in-flight I2C messages + * because data_destroyer callbacks are guaranteed to never be called + * while the I2C adapter device is active. + */ + kfree(data); +} + +static inline bool i2cp_mxfer_reply_is_current( + struct i2cp_cmd_mxfer_reply_data *cmd_data, + struct i2cp_cmd_mxfer_reply *mxfer_reply) +{ + int i; + + i = cmd_data->current_msg_idx; + return cmd_data->current_id == mxfer_reply->id && + i >= 0 && i < mxfer_reply->num_msgs && + cmd_data->current_addr == mxfer_reply->msgs[i].addr && + cmd_data->current_flags == mxfer_reply->msgs[i].flags; +} + +/* cmd_data->reply_queue_lock must be held. */ +static inline struct i2cp_cmd_mxfer_reply *i2cp_mxfer_reply_find_current( + struct i2cp_cmd_mxfer_reply_data *cmd_data) +{ + struct list_head *list_ptr; + struct i2cp_cmd_mxfer_reply *mxfer_reply; + + list_for_each(list_ptr, &cmd_data->reply_queue_head) { + mxfer_reply = list_entry(list_ptr, struct i2cp_cmd_mxfer_reply, + reply_queue_item); + if (i2cp_mxfer_reply_is_current(cmd_data, mxfer_reply)) + return mxfer_reply; + } + return NULL; +} + +/* cmd_data->reply_queue_lock must NOT already be held. */ +static inline void i2cp_mxfer_reply_update_current( + struct i2cp_cmd_mxfer_reply_data *cmd_data) +{ + mutex_lock(&cmd_data->reply_queue_lock); + cmd_data->reply_queue_current_item = i2cp_mxfer_reply_find_current( + cmd_data); + mutex_unlock(&cmd_data->reply_queue_lock); +} + +static int i2cp_cmd_mxfer_reply_header_receiver(void *data, char *in, + size_t in_size, bool non_blocking) +{ + int ret, reply_errno = 0; + struct i2cp_cmd_mxfer_reply_data *cmd_data; + + cmd_data = data; + + switch (cmd_data->state) { + case I2CP_CMD_MXFER_REPLY_STATE_CMD_NEXT: + /* Expect the msg/reply ID header field next. */ + cmd_data->state = I2CP_CMD_MXFER_REPLY_STATE_ID_NEXT; + return 0; + case I2CP_CMD_MXFER_REPLY_STATE_ID_NEXT: + case I2CP_CMD_MXFER_REPLY_STATE_INDEX_NEXT: + case I2CP_CMD_MXFER_REPLY_STATE_ADDR_NEXT: + case I2CP_CMD_MXFER_REPLY_STATE_FLAGS_NEXT: + case I2CP_CMD_MXFER_REPLY_STATE_ERRNO_NEXT: + break; + default: + /* Reaching here is a bug. */ + /* + * Testing this before checking for null characters ensures the + * correct error is indicated. + */ + return -EINVAL; + } + + /* + * The command name is logically outside the control of this function, + * and may contain null characters, even if that would be nonsensical. + * Thus it is handled above, followed by this check, and below here + * the rest of the header fields are handled. Some of them use + * functions that could mishandle input which contains nulls. An actual + * error would be okay, however if the input were consumed incorrectly + * without an error, that could lead to subtle bugs. + */ + if (memchr(in, '\0', in_size)) + return -EPROTO; + + switch (cmd_data->state) { + case I2CP_CMD_MXFER_REPLY_STATE_ID_NEXT: + ret = kstrtouint(in, 0, &cmd_data->current_id); + if (ret < 0) + return ret; + cmd_data->state = I2CP_CMD_MXFER_REPLY_STATE_INDEX_NEXT; + return 0; + case I2CP_CMD_MXFER_REPLY_STATE_INDEX_NEXT: + ret = kstrtoint(in, 0, &cmd_data->current_msg_idx); + if (ret < 0) + return ret; + cmd_data->state = I2CP_CMD_MXFER_REPLY_STATE_ADDR_NEXT; + return 0; + case I2CP_CMD_MXFER_REPLY_STATE_ADDR_NEXT: + ret = kstrtou16(in, 0, &cmd_data->current_addr); + if (ret < 0) + return ret; + cmd_data->state = I2CP_CMD_MXFER_REPLY_STATE_FLAGS_NEXT; + return 0; + case I2CP_CMD_MXFER_REPLY_STATE_FLAGS_NEXT: + ret = kstrtou16(in, 0, &cmd_data->current_flags); + if (ret < 0) + return ret; + cmd_data->state = I2CP_CMD_MXFER_REPLY_STATE_ERRNO_NEXT; + return 0; + case I2CP_CMD_MXFER_REPLY_STATE_ERRNO_NEXT: + ret = kstrtoint(in, 0, &reply_errno); + if (ret < 0) + return ret; + break; + default: + /* Reaching here is a bug. */ + return -EINVAL; + } + + /* + * Only I2CP_CMD_MXFER_REPLY_STATE_ERRNO_NEXT can reach this point. + * Now that we've received all of the headers, find the matching + * mxfer_reply. + */ + i2cp_mxfer_reply_update_current(cmd_data); + + if (reply_errno || !cmd_data->reply_queue_current_item) { + /* + * reply_errno: + * Drop the specific errno for now. The Linux I2C API + * does not provide a way to return an errno for a + * specific message within a master_xfer() call. The + * cmd_completer callback will indicate this + * controller-reported failure by not incrementing + * mxfer_reply->ret for this I2C msg reply. + * + * cmd_data->reply_queue_current_item == NULL: + * No matching mxfer_reply was found. Discard any + * further input in this command. The cmd_completer + * callback will indicate this failure to the + * controller. + */ + cmd_data->state = I2CP_CMD_MXFER_REPLY_STATE_INVALID; + /* + * Ask for data bytes in multiples of 1, i.e. no + * boundary requirements, because the we're just going + * to discard it. The next field could even be a header + * instead of data, but it doesn't matter, we're going + * to continue discarding the write input until the end + * of this write command. + */ + return 1; + } + + cmd_data->state = I2CP_CMD_MXFER_REPLY_STATE_DATA_NEXT; + /* + * Ask for data bytes in multiples of 3. Expected format is + * hexadecimal NN:NN:... e.g. "3C:05:F1:01" is a possible 4 byte + * data value. + */ + return 3; +} + +static int i2cp_cmd_mxfer_reply_data_receiver(void *data, char *in, + size_t in_size, bool non_blocking) +{ + int ret; + char u8_hex[3] = {0}; + struct i2cp_cmd_mxfer_reply_data *cmd_data; + struct i2cp_cmd_mxfer_reply *mxfer_reply; + struct i2c_msg *i2c_msg; + + cmd_data = data; + + if (cmd_data->state == I2CP_CMD_MXFER_REPLY_STATE_INVALID) + return 0; + if (cmd_data->state != I2CP_CMD_MXFER_REPLY_STATE_DATA_NEXT) + /* Reaching here is a bug. */ + return -EINVAL; + + mutex_lock(&cmd_data->reply_queue_lock); + mxfer_reply = cmd_data->reply_queue_current_item; + if (!mxfer_reply) { + /* Reaching here is a bug. */ + mutex_unlock(&cmd_data->reply_queue_lock); + return -EINVAL; + } + mutex_lock(&mxfer_reply->lock); + mutex_unlock(&cmd_data->reply_queue_lock); + + if (cmd_data->current_msg_idx < 0 || + cmd_data->current_msg_idx >= mxfer_reply->num_msgs) { + /* Reaching here is a bug. */ + ret = -EINVAL; + goto unlock; + } + + i2c_msg = &mxfer_reply->msgs[cmd_data->current_msg_idx]; + + if (!(i2c_msg->flags & I2C_M_RD)) { + /* The controller responded to a write with data. */ + ret = -EIO; + goto unlock; + } + + if (i2c_msg->flags & I2C_M_RECV_LEN) { + /* + * When I2C_M_RECV_LEN is set, struct i2c_algorithm.master_xfer + * is expected to increment struct i2c_msg.len by the actual + * amount of bytes read. + * + * Given the above, an initial struct i2c_msg.len value of 0 + * would be reasonable, since it will be incremented for each + * byte read. + * + * An initial value of 1 representing the expected size byte + * also makes sense, and appears to be common practice. + * + * We consider a larger initial value to indicate a bug in the + * I2C/SMBus client, because it's difficult to reconcile such a + * value with the documented requirement that struct i2c_msg.len + * be "incremented by the number of block data bytes received." + * Besides returning an error, our only options would be to + * ignore and blow away a value that was potentially meaningful + * to the client (e.g. if it indicates the maximum buffer size), + * assume the value is the buffer size or expected read size + * (which would conflict with the documentation), or just + * blindly increment it, leaving it at a value greater than the + * actual number of bytes we wrote to the buffer, and likely + * indicating a size larger than the actual buffer allocation. + */ + if (cmd_data->current_buf_idx == 0) { + if (i2c_msg->len > 1) { + ret = -EPROTO; + goto unlock; + } + /* + * Subtract the read size byte because the in_size + * increment in the loop below will re-add it. + */ + i2c_msg->len = 0; + } + } + + while (in_size > 0 && cmd_data->current_buf_idx < i2c_msg->len) { + if (in_size < 2 || + (in_size > 2 && in[2] != i2cp_ctrlr_data_sep_char) || + memchr(in, '\0', 2)) { + /* + * Reaching here is a bug in the userspace I2C pseudo + * adapter controller. (Or possibly a bug in this + * module itself, of course.) + */ + ret = -EIO; + goto unlock; + } + /* + * When using I2C_M_RECV_LEN, the buffer is required to be able + * to hold: + * + * I2C_SMBUS_BLOCK_MAX + * +1 byte for the read size (first byte) + * +1 byte for the optional PEC byte (last byte if present). + * + * If reading the next byte would exceed that, return EPROTO + * error per Documentation/i2c/fault-codes . + */ + if (i2c_msg->flags & I2C_M_RECV_LEN && + i2c_msg->len >= I2C_SMBUS_BLOCK_MAX + 2) { + ret = -EPROTO; + goto unlock; + } + /* Use u8_hex to get a terminating null byte for kstrtou8(). */ + memcpy(u8_hex, in, 2); + /* + * TODO: Do we need to do anything different based on the + * I2C_M_DMA_SAFE bit? Do we ever need to use copy_to_user()? + */ + ret = kstrtou8(u8_hex, 16, + &i2c_msg->buf[cmd_data->current_buf_idx]); + if (ret < 0) + goto unlock; + if (i2c_msg->flags & I2C_M_RECV_LEN) + ++i2c_msg->len; + ++cmd_data->current_buf_idx; + in += min_t(size_t, 3, in_size); + in_size -= min_t(size_t, 3, in_size); + } + + /* Quietly ignore any bytes beyond the buffer size. */ + ret = 0; + + unlock: + mutex_unlock(&mxfer_reply->lock); + return ret; +} + +static int i2cp_cmd_mxfer_reply_cmd_completer(void *data, + struct i2cp_controller *pdata, int receive_status, bool non_blocking) +{ + int ret; + struct i2cp_cmd_mxfer_reply_data *cmd_data; + struct i2cp_cmd_mxfer_reply *mxfer_reply; + struct i2c_msg *i2c_msg; + + cmd_data = data; + mutex_lock(&cmd_data->reply_queue_lock); + + mxfer_reply = cmd_data->reply_queue_current_item; + if (!mxfer_reply) { + mutex_unlock(&cmd_data->reply_queue_lock); + ret = -EIO; + goto reset_cmd_data; + } + + mutex_lock(&mxfer_reply->lock); + + if (mxfer_reply->completed[cmd_data->current_msg_idx]) { + /* We already received a reply for this msg. */ + mutex_unlock(&cmd_data->reply_queue_lock); + mutex_unlock(&mxfer_reply->lock); + ret = -EIO; + goto reset_cmd_data; + } + + mxfer_reply->completed[cmd_data->current_msg_idx] = true; + if (++mxfer_reply->num_completed_true >= mxfer_reply->num_msgs) { + list_del_init(&mxfer_reply->reply_queue_item); + --cmd_data->reply_queue_length; + cmd_data->reply_queue_current_item = NULL; + complete_all(&mxfer_reply->data_filled); + } + + mutex_unlock(&cmd_data->reply_queue_lock); + i2c_msg = &mxfer_reply->msgs[cmd_data->current_msg_idx]; + + if (!receive_status && + cmd_data->state == I2CP_CMD_MXFER_REPLY_STATE_DATA_NEXT && + (!(i2c_msg->flags & I2C_M_RD) || + cmd_data->current_buf_idx >= i2c_msg->len)) + ++mxfer_reply->ret; + + mutex_unlock(&mxfer_reply->lock); + ret = 0; + + reset_cmd_data: + cmd_data->state = I2CP_CMD_MXFER_REPLY_STATE_CMD_NEXT; + cmd_data->current_id = 0; + cmd_data->current_addr = 0; + cmd_data->current_flags = 0; + cmd_data->current_msg_idx = 0; + cmd_data->current_buf_idx = 0; + return ret; +} + +static int i2cp_cmd_adap_start_header_receiver(void *data, char *in, + size_t in_size, bool non_blocking) +{ + /* + * No more header fields or data are expected. This directs any further + * input in this command to the data_receiver, which for this write + * command will unconditionally indicate a controller error. + */ + return 1; +} + +static int i2cp_cmd_adap_start_data_receiver(void *data, char *in, + size_t in_size, bool non_blocking) +{ + /* + * Reaching here means the controller wrote extra data in the command + * line after the initial command name. That is unexpected and + * indicates a controller bug. + */ + return -EPROTO; +} + +static int i2cp_cmd_adap_start_cmd_completer(void *data, + struct i2cp_controller *pdata, int receive_status, bool non_blocking) +{ + int ret; + + /* Refuse to start if there were errors processing this command. */ + if (receive_status) + return 0; + + /* + * Acquire pdata->startstop_lock manually instead of using + * i2cp_adap_get_state() in order to keep the lock while calling + * i2c_add_adapter(). + */ + mutex_lock(&pdata->startstop_lock); + + if (pdata->startstop_state != I2CP_CTRLR_STATE_NEW) { + ret = -EISCONN; + goto unlock; + } + + /* Add the I2C adapter. */ + ret = i2c_add_adapter(&pdata->i2c_adapter); + if (ret < 0) + goto unlock; + + pdata->startstop_state = I2CP_CTRLR_STATE_RUNNING; + + /* Add the I2C pseudo controller ID sysfs file. */ + ret = device_create_file(&pdata->i2c_adapter.dev, &i2cp_id_dev_attr); + if (ret < 0) + goto unlock; + + ret = 0; + + unlock: + mutex_unlock(&pdata->startstop_lock); + return ret; +} + +static int i2cp_cmd_adap_shutdown_header_receiver(void *data, char *in, + size_t in_size, bool non_blocking) +{ + /* + * No more header fields or data are expected. This directs any further + * input in this command to the data_receiver, which for this write + * command will unconditionally indicate a controller error. + */ + return 1; +} + +static int i2cp_cmd_adap_shutdown_data_receiver(void *data, char *in, + size_t in_size, bool non_blocking) +{ + /* + * Reaching here means the controller wrote extra data in the command + * line after the initial command name. That is unexpected and + * indicates a controller bug. + */ + return -EPROTO; +} + +static int i2cp_cmd_adap_shutdown_cmd_completer(void *data, + struct i2cp_controller *pdata, int receive_status, bool non_blocking) +{ + /* Refuse to shutdown if there were errors processing this command. */ + if (receive_status) + return 0; + + mutex_lock(&pdata->startstop_lock); + pdata->startstop_state = I2CP_CTRLR_STATE_SHUTDN_REQ; + mutex_unlock(&pdata->startstop_lock); + + /* Wake up blocked controller readers. */ + complete_all(&pdata->read_rsp_queued); + /* Wake up blocked controller pollers. */ + wake_up_interruptible_all(&pdata->poll_wait_queue); + return 0; +} + +static int i2cp_cmd_get_number_header_receiver(void *data, char *in, + size_t in_size, bool non_blocking) +{ + /* + * No more header fields or data are expected. This directs any further + * input in this command to the data_receiver, which for this write + * command will unconditionally indicate a controller error. + */ + return 1; +} + +static int i2cp_cmd_get_number_data_receiver(void *data, char *in, + size_t in_size, bool non_blocking) +{ + /* + * Reaching here means the controller wrote extra data in the command + * line after the initial command name. That is unexpected and + * indicates a controller bug. + */ + return -EPROTO; +} + +static int i2cp_cmd_get_number_cmd_completer(void *data, + struct i2cp_controller *pdata, int receive_status, bool non_blocking) +{ + ssize_t ret; + int i2c_adap_nr; + struct i2cp_rsp_buffer *rsp_buf; + struct i2cp_rsp *rsp_wrapper; + + /* Abort if there were errors processing this command. */ + if (receive_status) + return 0; + + /* + * Check the pseudo controller startstop_state. If it's running, get + * the I2C adapter number. + * + * Acquire pdata->startstop_lock manually instead of using + * i2cp_adap_get_state() in order to keep the lock while retrieving the + * I2C adapter number. + */ + mutex_lock(&pdata->startstop_lock); + if (pdata->startstop_state != I2CP_CTRLR_STATE_RUNNING) { + mutex_unlock(&pdata->startstop_lock); + return -ENOTCONN; + } + i2c_adap_nr = pdata->i2c_adapter.nr; + mutex_unlock(&pdata->startstop_lock); + + rsp_wrapper = kzalloc(sizeof(*rsp_wrapper), GFP_KERNEL); + if (!rsp_wrapper) + return -ENOMEM; + + rsp_buf = kzalloc(sizeof(*rsp_buf), GFP_KERNEL); + if (!rsp_buf) { + ret = -ENOMEM; + goto fail_after_rsp_wrapper_alloc; + } + + ret = anprintf(&rsp_buf->buf, I2CP_MAX_MSG_BUF_SIZE, GFP_KERNEL, + "%*s%c%d", + (int)strlen(I2CP_NUMBER_REPLY_CMD), I2CP_NUMBER_REPLY_CMD, + i2cp_ctrlr_header_sep_char, i2c_adap_nr); + if (ret < 0) { + goto fail_after_rsp_buf_alloc; + } else if (ret == 0) { + ret = -EINVAL; + goto fail_after_buf_alloc; + } + rsp_buf->size = ret; + + rsp_wrapper->data = rsp_buf; + rsp_wrapper->formatter = i2cp_rsp_buffer_formatter; + + mutex_lock(&pdata->read_rsp_queue_lock); + if (pdata->read_rsp_queue_length >= I2CP_CTRLR_RSP_QUEUE_LIMIT) { + ret = -ENOBUFS; + mutex_unlock(&pdata->read_rsp_queue_lock); + goto fail_after_buf_alloc; + } + + list_add_tail(&rsp_wrapper->queue, &pdata->read_rsp_queue_head); + ++pdata->read_rsp_queue_length; + complete(&pdata->read_rsp_queued); + + mutex_unlock(&pdata->read_rsp_queue_lock); + return 0; + + fail_after_buf_alloc: + kfree(rsp_buf->buf); + fail_after_rsp_buf_alloc: + kfree(rsp_buf); + fail_after_rsp_wrapper_alloc: + kfree(rsp_wrapper); + return ret; +} + +static int i2cp_cmd_get_pseudo_id_header_receiver(void *data, char *in, + size_t in_size, bool non_blocking) +{ + /* + * No more header fields or data are expected. This directs any further + * input in this command to the data_receiver, which for this write + * command will unconditionally indicate a controller error. + */ + return 1; +} + +static int i2cp_cmd_get_pseudo_id_data_receiver(void *data, char *in, + size_t in_size, bool non_blocking) +{ + /* + * Reaching here means the controller wrote extra data in the command + * line after the initial command name. That is unexpected and + * indicates a controller bug. + */ + return -EPROTO; +} + +static int i2cp_cmd_get_pseudo_id_cmd_completer(void *data, + struct i2cp_controller *pdata, int receive_status, bool non_blocking) +{ + ssize_t ret; + struct i2cp_rsp_buffer *rsp_buf; + struct i2cp_rsp *rsp_wrapper; + + /* Abort if there were errors processing this command. */ + if (receive_status) + return 0; + + rsp_wrapper = kzalloc(sizeof(*rsp_wrapper), GFP_KERNEL); + if (!rsp_wrapper) + return -ENOMEM; + + rsp_buf = kzalloc(sizeof(*rsp_buf), GFP_KERNEL); + if (!rsp_buf) { + ret = -ENOMEM; + goto fail_after_rsp_wrapper_alloc; + } + + ret = anprintf(&rsp_buf->buf, I2CP_MAX_MSG_BUF_SIZE, GFP_KERNEL, + "%*s%c%u", + (int)strlen(I2CP_PSEUDO_ID_REPLY_CMD), I2CP_PSEUDO_ID_REPLY_CMD, + i2cp_ctrlr_header_sep_char, pdata->id); + if (ret < 0) { + goto fail_after_rsp_buf_alloc; + } else if (ret == 0) { + ret = -EINVAL; + goto fail_after_buf_alloc; + } + rsp_buf->size = ret; + + rsp_wrapper->data = rsp_buf; + rsp_wrapper->formatter = i2cp_rsp_buffer_formatter; + + mutex_lock(&pdata->read_rsp_queue_lock); + if (pdata->read_rsp_queue_length >= I2CP_CTRLR_RSP_QUEUE_LIMIT) { + ret = -ENOBUFS; + mutex_unlock(&pdata->read_rsp_queue_lock); + goto fail_after_buf_alloc; + } + + list_add_tail(&rsp_wrapper->queue, &pdata->read_rsp_queue_head); + ++pdata->read_rsp_queue_length; + complete(&pdata->read_rsp_queued); + + mutex_unlock(&pdata->read_rsp_queue_lock); + return 0; + + fail_after_buf_alloc: + kfree(rsp_buf->buf); + fail_after_rsp_buf_alloc: + kfree(rsp_buf); + fail_after_rsp_wrapper_alloc: + kfree(rsp_wrapper); + return ret; +} + +static int i2cp_cmd_set_name_suffix_data_creator(void **data) +{ + struct i2cp_cmd_set_name_suffix_data *cmd_data; + + cmd_data = kzalloc(sizeof(*cmd_data), GFP_KERNEL); + if (!cmd_data) + return -ENOMEM; + *data = cmd_data; + return 0; +} + +static void i2cp_cmd_set_name_suffix_data_destroyer(void *data) +{ + kfree(data); +} + +static int i2cp_cmd_set_name_suffix_header_receiver(void *data, char *in, + size_t in_size, bool non_blocking) +{ + return 1; +} + +static int i2cp_cmd_set_name_suffix_data_receiver(void *data, char *in, + size_t in_size, bool non_blocking) +{ + size_t remaining; + struct i2cp_cmd_set_name_suffix_data *cmd_data; + + cmd_data = data; + remaining = sizeof(cmd_data->name_suffix) - cmd_data->name_suffix_len; + /* Quietly truncate the suffix if necessary. */ + /* The suffix may need to be further truncated later. */ + if (in_size > remaining) + in_size = remaining; + memcpy(&cmd_data->name_suffix[cmd_data->name_suffix_len], in, in_size); + cmd_data->name_suffix_len += in_size; + return 0; +} + +static int i2cp_cmd_set_name_suffix_cmd_completer(void *data, + struct i2cp_controller *pdata, int receive_status, bool non_blocking) +{ + int ret; + struct i2cp_cmd_set_name_suffix_data *cmd_data; + + /* Abort if there were errors processing this command. */ + if (receive_status) + return 0; + + /* + * Acquire pdata->startstop_lock manually instead of using + * i2cp_adap_get_state() in order to keep the lock while + * setting the I2C adapter name. + */ + mutex_lock(&pdata->startstop_lock); + + if (pdata->startstop_state != I2CP_CTRLR_STATE_NEW) { + ret = -EISCONN; + goto unlock; + } + + cmd_data = data; + ret = snprintf(pdata->i2c_adapter.name, sizeof(pdata->i2c_adapter.name), + "I2C pseudo ID %u %*s", pdata->id, + (int)cmd_data->name_suffix_len, cmd_data->name_suffix); + if (ret < 0) + goto unlock; + + ret = 0; + + unlock: + mutex_unlock(&pdata->startstop_lock); + return ret; +} + +static int i2cp_cmd_set_timeout_data_creator(void **data) +{ + struct i2cp_cmd_set_timeout_data *cmd_data; + + cmd_data = kzalloc(sizeof(*cmd_data), GFP_KERNEL); + if (!cmd_data) + return -ENOMEM; + *data = cmd_data; + return 0; +} + +static void i2cp_cmd_set_timeout_data_destroyer(void *data) +{ + kfree(data); +} + +static int i2cp_cmd_set_timeout_header_receiver(void *data, char *in, + size_t in_size, bool non_blocking) +{ + int ret; + struct i2cp_cmd_set_timeout_data *cmd_data; + + cmd_data = data; + switch (cmd_data->field_pos++) { + case 0: + return 0; + case 1: + ret = kstrtouint(in, 0, &cmd_data->timeout_ms); + if (ret < 0) + return ret; + return 1; + } + /* Reaching here is a bug. */ + return -EINVAL; +} + +static int i2cp_cmd_set_timeout_data_receiver(void *data, char *in, + size_t in_size, bool non_blocking) +{ + /* + * Reaching here means the controller wrote extra data in the command + * line. That is unexpected and indicates a controller bug. + */ + return -EPROTO; +} + +static int i2cp_cmd_set_timeout_cmd_completer(void *data, + struct i2cp_controller *pdata, int receive_status, bool non_blocking) +{ + int ret; + struct i2cp_cmd_set_timeout_data *cmd_data; + + /* Abort if there were errors processing this command. */ + if (receive_status) + return 0; + + /* + * Acquire pdata->startstop_lock manually instead of using + * i2cp_adap_get_state() in order to keep the lock while setting the + * I2C adapter name. + */ + mutex_lock(&pdata->startstop_lock); + + if (pdata->startstop_state != I2CP_CTRLR_STATE_NEW) { + ret = -EISCONN; + goto unlock; + } + + cmd_data = data; + if (cmd_data->timeout_ms < I2CP_TIMEOUT_MS_MIN || + cmd_data->timeout_ms > I2CP_TIMEOUT_MS_MAX) { + ret = -ERANGE; + goto unlock; + } + + pdata->i2c_adapter.timeout = msecs_to_jiffies(cmd_data->timeout_ms); + ret = 0; + + unlock: + mutex_unlock(&pdata->startstop_lock); + return ret; +} + +/* Command names are matched in this order, so sort by expected frequency. */ +/* All elements should be initialized in their I2CP_CMD_*_IDX position. */ +static const struct i2cp_cmd i2cp_cmds[] = { + [I2CP_CMD_MXFER_REPLY_IDX] = { + .cmd_string = I2CP_MXFER_REPLY_CMD, + .cmd_size = CONST_STRLEN(I2CP_MXFER_REPLY_CMD), + .data_creator = i2cp_cmd_mxfer_reply_data_creator, + .data_shutdown = i2cp_cmd_mxfer_reply_data_shutdown, + .data_destroyer = i2cp_cmd_mxfer_reply_data_destroyer, + .header_receiver = i2cp_cmd_mxfer_reply_header_receiver, + .data_receiver = i2cp_cmd_mxfer_reply_data_receiver, + .cmd_completer = i2cp_cmd_mxfer_reply_cmd_completer, + }, + [I2CP_CMD_ADAP_START_IDX] = { + .cmd_string = I2CP_ADAP_START_CMD, + .cmd_size = CONST_STRLEN(I2CP_ADAP_START_CMD), + .header_receiver = i2cp_cmd_adap_start_header_receiver, + .data_receiver = i2cp_cmd_adap_start_data_receiver, + .cmd_completer = i2cp_cmd_adap_start_cmd_completer, + }, + [I2CP_CMD_ADAP_SHUTDOWN_IDX] = { + .cmd_string = I2CP_ADAP_SHUTDOWN_CMD, + .cmd_size = CONST_STRLEN(I2CP_ADAP_SHUTDOWN_CMD), + .header_receiver = i2cp_cmd_adap_shutdown_header_receiver, + .data_receiver = i2cp_cmd_adap_shutdown_data_receiver, + .cmd_completer = i2cp_cmd_adap_shutdown_cmd_completer, + }, + [I2CP_CMD_GET_NUMBER_IDX] = { + .cmd_string = I2CP_GET_NUMBER_CMD, + .cmd_size = CONST_STRLEN(I2CP_GET_NUMBER_CMD), + .header_receiver = i2cp_cmd_get_number_header_receiver, + .data_receiver = i2cp_cmd_get_number_data_receiver, + .cmd_completer = i2cp_cmd_get_number_cmd_completer, + }, + [I2CP_CMD_GET_PSEUDO_ID_IDX] = { + .cmd_string = I2CP_GET_PSEUDO_ID_CMD, + .cmd_size = CONST_STRLEN(I2CP_GET_PSEUDO_ID_CMD), + .header_receiver = i2cp_cmd_get_pseudo_id_header_receiver, + .data_receiver = i2cp_cmd_get_pseudo_id_data_receiver, + .cmd_completer = i2cp_cmd_get_pseudo_id_cmd_completer, + }, + [I2CP_CMD_SET_NAME_SUFFIX_IDX] = { + .cmd_string = I2CP_SET_NAME_SUFFIX_CMD, + .cmd_size = CONST_STRLEN(I2CP_SET_NAME_SUFFIX_CMD), + .data_creator = i2cp_cmd_set_name_suffix_data_creator, + .data_destroyer = i2cp_cmd_set_name_suffix_data_destroyer, + .header_receiver = i2cp_cmd_set_name_suffix_header_receiver, + .data_receiver = i2cp_cmd_set_name_suffix_data_receiver, + .cmd_completer = i2cp_cmd_set_name_suffix_cmd_completer, + }, + [I2CP_CMD_SET_TIMEOUT_IDX] = { + .cmd_string = I2CP_SET_TIMEOUT_CMD, + .cmd_size = CONST_STRLEN(I2CP_SET_TIMEOUT_CMD), + .data_creator = i2cp_cmd_set_timeout_data_creator, + .data_destroyer = i2cp_cmd_set_timeout_data_destroyer, + .header_receiver = i2cp_cmd_set_timeout_header_receiver, + .data_receiver = i2cp_cmd_set_timeout_data_receiver, + .cmd_completer = i2cp_cmd_set_timeout_cmd_completer, + }, +}; + +/* Returns whether or not there is response queue data to read. */ +/* Must be called with pdata->rsp_lock held. */ +static inline bool i2cp_poll_in(struct i2cp_controller *pdata) +{ + return pdata->rsp_invalidated || pdata->rsp_buf_remaining != 0 || + !list_empty(&pdata->read_rsp_queue_head); +} + +static inline int i2cp_fill_rsp_buf(struct i2cp_rsp *rsp_wrapper, + struct i2cp_rsp_buffer *rsp_buf, char *contents, size_t size) +{ + rsp_buf->buf = kmemdup(contents, size, GFP_KERNEL); + if (!rsp_buf->buf) + return -ENOMEM; + rsp_buf->size = size; + rsp_wrapper->data = rsp_buf; + rsp_wrapper->formatter = i2cp_rsp_buffer_formatter; + return 0; +} + +#define I2CP_FILL_RSP_BUF_WITH_LITERAL(rsp_wrapper, rsp_buf, str_literal)\ + i2cp_fill_rsp_buf(\ + rsp_wrapper, rsp_buf, str_literal, strlen(str_literal)) + +static int i2cp_adapter_master_xfer(struct i2c_adapter *adap, + struct i2c_msg *msgs, int num) +{ + int i, ret = 0; + long wait_ret; + size_t wrappers_length, wrapper_idx = 0, rsp_bufs_idx = 0; + struct i2cp_controller *pdata; + struct i2cp_rsp **rsp_wrappers; + struct i2cp_rsp_buffer *rsp_bufs[2] = {0}; + struct i2cp_rsp_master_xfer *mxfer_rsp; + struct i2cp_cmd_mxfer_reply_data *cmd_data; + struct i2cp_cmd_mxfer_reply *mxfer_reply; + + if (num <= 0) { + if (num < 0) + return -EINVAL; + return ret; + } + + pdata = adap->algo_data; + cmd_data = pdata->cmd_data[I2CP_CMD_MXFER_REPLY_IDX]; + + switch (i2cp_adap_get_state(pdata)) { + case I2CP_CTRLR_STATE_RUNNING: + break; + case I2CP_CTRLR_STATE_SHUTDN_REQ: + return ret; + default: + /* Reaching here is a bug, even with a valid enum value. */ + return -EINVAL; + } + + wrappers_length = (size_t)num + ARRAY_SIZE(rsp_bufs); + rsp_wrappers = kcalloc(wrappers_length, sizeof(*rsp_wrappers), + GFP_KERNEL); + if (!rsp_wrappers) + return -ENOMEM; + + mxfer_reply = kzalloc(sizeof(*mxfer_reply), GFP_KERNEL); + if (!mxfer_reply) { + ret = -ENOMEM; + goto return_after_rsp_wrappers_ptrs_alloc; + } + + mxfer_reply->num_msgs = num; + init_completion(&mxfer_reply->data_filled); + mutex_init(&mxfer_reply->lock); + + mxfer_reply->msgs = kcalloc(num, sizeof(*mxfer_reply->msgs), + GFP_KERNEL); + if (!mxfer_reply->msgs) { + ret = -ENOMEM; + goto return_after_mxfer_reply_alloc; + } + + mxfer_reply->completed = kcalloc(num, sizeof(*mxfer_reply->completed), + GFP_KERNEL); + if (!mxfer_reply->completed) { + ret = -ENOMEM; + goto return_after_reply_msgs_alloc; + } + + for (i = 0; i < num; ++i) { + mxfer_reply->msgs[i].addr = msgs[i].addr; + mxfer_reply->msgs[i].flags = msgs[i].flags; + mxfer_reply->msgs[i].len = msgs[i].len; + if (msgs[i].flags & I2C_M_RD) + /* Copy the address, not the data. */ + mxfer_reply->msgs[i].buf = msgs[i].buf; + } + + for (i = 0; i < ARRAY_SIZE(rsp_bufs); ++i) { + rsp_bufs[i] = kzalloc(sizeof(*rsp_bufs[i]), GFP_KERNEL); + if (!rsp_bufs[i]) { + ret = -ENOMEM; + goto return_after_reply_completed_alloc; + } + } + + mxfer_rsp = kzalloc(sizeof(*mxfer_rsp), GFP_KERNEL); + if (!mxfer_rsp) { + ret = -ENOMEM; + goto fail_after_individual_rsp_bufs_alloc; + } + + mxfer_rsp->id = cmd_data->next_mxfer_id++; + mxfer_rsp->num = num; + + mxfer_rsp->msgs = kcalloc(num, sizeof(*mxfer_rsp->msgs), GFP_KERNEL); + if (!mxfer_rsp->msgs) { + ret = -ENOMEM; + goto fail_after_mxfer_rsp_alloc; + } + + for (i = 0; i < num; ++i) { + mxfer_rsp->msgs[i].addr = msgs[i].addr; + mxfer_rsp->msgs[i].flags = msgs[i].flags; + mxfer_rsp->msgs[i].len = msgs[i].len; + if (msgs[i].flags & I2C_M_RD) + continue; + /* Copy the data, not the address. */ + mxfer_rsp->msgs[i].buf = kmemdup(msgs[i].buf, msgs[i].len, + GFP_KERNEL); + if (!mxfer_rsp->msgs[i].buf) { + ret = -ENOMEM; + goto fail_after_rsp_msgs_alloc; + } + } + + for (i = 0; i < wrappers_length; ++i) { + rsp_wrappers[i] = kzalloc(sizeof(*rsp_wrappers[i]), GFP_KERNEL); + if (!rsp_wrappers[i]) { + ret = -ENOMEM; + goto fail_after_individual_rsp_wrappers_alloc; + } + } + + ret = I2CP_FILL_RSP_BUF_WITH_LITERAL(rsp_wrappers[wrapper_idx++], + rsp_bufs[rsp_bufs_idx++], I2CP_BEGIN_MXFER_REQ_CMD); + if (ret < 0) + goto fail_after_individual_rsp_wrappers_alloc; + + for (i = 0; i < num; ++i) { + rsp_wrappers[wrapper_idx]->data = mxfer_rsp; + rsp_wrappers[wrapper_idx++]->formatter = + i2cp_rsp_master_xfer_formatter; + } + + ret = I2CP_FILL_RSP_BUF_WITH_LITERAL(rsp_wrappers[wrapper_idx++], + rsp_bufs[rsp_bufs_idx++], I2CP_COMMIT_MXFER_REQ_CMD); + if (ret < 0) + goto fail_after_individual_rsp_wrappers_alloc; + + BUILD_BUG_ON(rsp_bufs_idx != ARRAY_SIZE(rsp_bufs)); + + mutex_lock(&pdata->read_rsp_queue_lock); + if (pdata->read_rsp_queue_length >= I2CP_CTRLR_RSP_QUEUE_LIMIT) { + ret = -ENOBUFS; + goto fail_with_read_rsp_queue_lock; + } + + mutex_lock(&cmd_data->reply_queue_lock); + if (cmd_data->reply_queue_length >= I2CP_CTRLR_RSP_QUEUE_LIMIT) { + ret = -ENOBUFS; + goto fail_with_reply_queue_lock; + } + + mxfer_reply->id = mxfer_rsp->id; + list_add_tail(&mxfer_reply->reply_queue_item, + &cmd_data->reply_queue_head); + ++cmd_data->reply_queue_length; + + for (i = 0; i < wrappers_length; ++i) { + list_add_tail(&rsp_wrappers[i]->queue, + &pdata->read_rsp_queue_head); + complete(&pdata->read_rsp_queued); + } + pdata->read_rsp_queue_length += wrappers_length; + + mutex_unlock(&cmd_data->reply_queue_lock); + mutex_unlock(&pdata->read_rsp_queue_lock); + + /* Wake up the userspace controller if it was polling. */ + wake_up_interruptible(&pdata->poll_wait_queue); + /* Wait for a response from the userspace controller. */ + wait_ret = wait_for_completion_killable_timeout( + &mxfer_reply->data_filled, adap->timeout); + + mutex_lock(&cmd_data->reply_queue_lock); + /* + * Ensure mxfer_reply is not in use before dequeuing and freeing it. + * This depends on the requirement that mxfer_reply->lock only be + * acquired while holding cmd_data->reply_queue_lock. + */ + mutex_lock(&mxfer_reply->lock); + + if (wait_ret == -ERESTARTSYS) + ret = -EINTR; + else if (wait_ret < 0) + ret = wait_ret; + else + ret = mxfer_reply->ret; + + /* + * This depends on other functions that might delete + * mxfer_reply->reply_queue_item from cmd_data->reply_queue_head using + * list_del_init(), never list_del(). + */ + if (!list_empty(&mxfer_reply->reply_queue_item)) { + list_del(&mxfer_reply->reply_queue_item); + --cmd_data->reply_queue_length; + if (mxfer_reply == cmd_data->reply_queue_current_item) + cmd_data->reply_queue_current_item = NULL; + } + + mutex_unlock(&mxfer_reply->lock); + mutex_unlock(&cmd_data->reply_queue_lock); + goto return_after_reply_msgs_alloc; + + fail_with_reply_queue_lock: + mutex_unlock(&cmd_data->reply_queue_lock); + fail_with_read_rsp_queue_lock: + mutex_unlock(&pdata->read_rsp_queue_lock); + fail_after_individual_rsp_wrappers_alloc: + for (i = 0; i < wrappers_length; ++i) + kfree(rsp_wrappers[i]); + fail_after_rsp_msgs_alloc: + for (i = 0; i < num; ++i) + kfree(mxfer_rsp->msgs[i].buf); + kfree(mxfer_rsp->msgs); + fail_after_mxfer_rsp_alloc: + kfree(mxfer_rsp); + fail_after_individual_rsp_bufs_alloc: + for (i = 0; i < ARRAY_SIZE(rsp_bufs); ++i) { + kfree(rsp_bufs[i]->buf); + kfree(rsp_bufs[i]); + } + return_after_reply_completed_alloc: + kfree(mxfer_reply->completed); + return_after_reply_msgs_alloc: + kfree(mxfer_reply->msgs); + return_after_mxfer_reply_alloc: + kfree(mxfer_reply); + return_after_rsp_wrappers_ptrs_alloc: + kfree(rsp_wrappers); + return ret; +} + +/* + * If more functionality than this needs to be supported, add a write command + * for the controller to specify its additional functionality prior to + * ADAPTER_START. Basic I2C functionality should remain implied and required. + * + * These functionalities in particular could be worth supporting: + * I2C_FUNC_10BIT_ADDR + * I2C_FUNC_NOSTART + * I2C_FUNC_PROTOCOL_MANGLING + */ +static u32 i2cp_adapter_functionality(struct i2c_adapter *adap) +{ + return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL; +} + +static const struct i2c_algorithm i2cp_algorithm = { + .master_xfer = i2cp_adapter_master_xfer, + .functionality = i2cp_adapter_functionality, +}; + +/* this_pseudo->counters.lock must _not_ be held when calling this. */ +static void i2cp_remove_from_counters(struct i2cp_controller *pdata, + struct i2cp_device *this_pseudo) +{ + + mutex_lock(&this_pseudo->counters.lock); + this_pseudo->counters.all_controllers[pdata->index] = NULL; + --this_pseudo->counters.count; + mutex_unlock(&this_pseudo->counters.lock); +} + +static int i2cp_cdev_open(struct inode *inodep, struct file *filep) +{ + int ret = 0; + unsigned int i, num_cmd_data_created = 0; + unsigned int ctrlr_id; + struct i2cp_controller *pdata; + struct i2cp_device *this_pseudo; + + /* Is there any way to find this through @inodep? */ + this_pseudo = i2cp_device; + + /* I2C pseudo adapter controllers are not seekable. */ + stream_open(inodep, filep); + /* Refuse fsnotify events. Modeled after /dev/ptmx implementation. */ + filep->f_mode |= FMODE_NONOTIFY; + + /* Allocate the I2C adapter. */ + pdata = kzalloc(sizeof(*pdata), GFP_KERNEL); + if (!pdata) + return -ENOMEM; + + INIT_LIST_HEAD(&pdata->read_rsp_queue_head); + init_waitqueue_head(&pdata->poll_wait_queue); + init_completion(&pdata->read_rsp_queued); + mutex_init(&pdata->startstop_lock); + mutex_init(&pdata->cmd_lock); + mutex_init(&pdata->rsp_lock); + mutex_init(&pdata->read_rsp_queue_lock); + + for (i = 0; i < ARRAY_SIZE(i2cp_cmds); ++i) { + if (!i2cp_cmds[i].data_creator) + continue; + ret = i2cp_cmds[i].data_creator(&pdata->cmd_data[i]); + if (ret < 0) + break; + } + num_cmd_data_created = i; + if (ret < 0) + goto fail_after_cmd_data_created; + + mutex_lock(&this_pseudo->counters.lock); + + for (i = 0; i < i2cp_limit; ++i) + if (!this_pseudo->counters.all_controllers[i]) + break; + if (i >= i2cp_limit) { + mutex_unlock(&this_pseudo->counters.lock); + ret = -ENOSPC; + goto fail_after_cmd_data_created; + } + pdata->index = i; + + for (ctrlr_id = this_pseudo->counters.next_ctrlr_id;;) { + /* Determine whether ctrlr_id is already in use. */ + for (i = 0; i < i2cp_limit; ++i) { + if (this_pseudo->counters.all_controllers[i] && + (this_pseudo->counters.all_controllers[i]->id == + ctrlr_id)) + break; + } + /* If ctrlr_id is available, use it. */ + if (i >= i2cp_limit) { + pdata->id = ctrlr_id; + this_pseudo->counters.next_ctrlr_id = ctrlr_id + 1; + ++this_pseudo->counters.count; + this_pseudo->counters.all_controllers[pdata->index] = + pdata; + break; + } + /* Increment ctrlr_id, and check for wrapping. */ + if (++ctrlr_id == this_pseudo->counters.next_ctrlr_id) { + mutex_unlock(&this_pseudo->counters.lock); + ret = -ENOSPC; + goto fail_after_cmd_data_created; + } + } + + mutex_unlock(&this_pseudo->counters.lock); + + /* Initialize the I2C adapter. */ + pdata->i2c_adapter.owner = THIS_MODULE; + pdata->i2c_adapter.class = I2C_CLASS_HWMON | I2C_CLASS_SPD; + pdata->i2c_adapter.algo = &i2cp_algorithm; + pdata->i2c_adapter.algo_data = pdata; + pdata->i2c_adapter.timeout = msecs_to_jiffies(i2cp_default_timeout_ms); + pdata->i2c_adapter.dev.parent = &this_pseudo->device; + ret = snprintf(pdata->i2c_adapter.name, sizeof(pdata->i2c_adapter.name), + "I2C pseudo ID %u", pdata->id); + if (ret < 0) + goto fail_after_counters_update; + + /* Return success. */ + filep->private_data = pdata; + return 0; + + fail_after_counters_update: + i2cp_remove_from_counters(pdata, this_pseudo); + fail_after_cmd_data_created: + for (i = 0; i < num_cmd_data_created; ++i) + if (i2cp_cmds[i].data_destroyer) + i2cp_cmds[i].data_destroyer(pdata->cmd_data[i]); + kfree(pdata); + return ret; +} + +static int i2cp_cdev_release(struct inode *inodep, struct file *filep) +{ + int i; + bool adapter_was_added = false; + struct i2cp_controller *pdata; + struct i2cp_device *this_pseudo; + + pdata = filep->private_data; + this_pseudo = container_of(pdata->i2c_adapter.dev.parent, + struct i2cp_device, device); + + /* + * The select(2) man page makes it clear that the behavior of pending + * select()/poll()/epoll_wait() on a fd that gets closed while waiting + * is undefined and should never be relied on. However since we are + * about to free pdata and therefore free pdata->poll_wait_queue, safest + * to wake up anyone waiting on it in an attempt to not leave them in a + * completely undefined state. + */ + wake_up_interruptible_all(&pdata->poll_wait_queue); + /* + * Linux guarantees there are no outstanding reads or writes when a + * struct file is released, so no further synchronization with the other + * struct file_operations callbacks should be needed. + */ + filep->private_data = NULL; + + mutex_lock(&pdata->startstop_lock); + if (pdata->startstop_state != I2CP_CTRLR_STATE_NEW) { + /* + * Defer deleting the adapter until after releasing + * pdata->startstop_state. This avoids deadlocking with any + * overlapping i2cp_adapter_master_xfer() calls, which also + * acquire the lock in order to check the state. + */ + adapter_was_added = true; + /* + * Instruct any overlapping i2cp_adapter_master_xfer() calls to + * return immediately. + */ + pdata->startstop_state = I2CP_CTRLR_STATE_SHUTDN_REQ; + } + mutex_unlock(&pdata->startstop_lock); + + /* + * Wake up blocked I2C requests. This is an optimization so that they + * don't need to wait for the I2C adapter timeout, since there is no + * possibility of any further I2C replies. + */ + for (i = 0; i < ARRAY_SIZE(i2cp_cmds); ++i) + if (i2cp_cmds[i].data_shutdown) + i2cp_cmds[i].data_shutdown(pdata->cmd_data[i]); + + if (adapter_was_added) + i2c_del_adapter(&pdata->i2c_adapter); + + for (i = 0; i < ARRAY_SIZE(i2cp_cmds); ++i) { + if (i2cp_cmds[i].data_destroyer) + i2cp_cmds[i].data_destroyer(pdata->cmd_data[i]); + pdata->cmd_data[i] = NULL; + } + + i2cp_remove_from_counters(pdata, this_pseudo); + kfree(pdata); + return 0; +} + +/* The caller must hold pdata->rsp_lock. */ +/* Return value is whether or not to continue in calling loop. */ +static bool i2cp_cdev_read_iteration(char __user **buf, size_t *count, + ssize_t *ret, bool non_blocking, struct i2cp_controller *pdata) +{ + long wait_ret; + ssize_t copy_size; + unsigned long copy_ret; + struct i2cp_rsp *rsp_wrapper = NULL; + + /* + * If a previous read response buffer has been exhausted, free + * it. + * + * This is done at the beginning of the while(count>0) loop + * because...? + */ + if (pdata->rsp_buf_start && !pdata->rsp_buf_remaining) { + kfree(pdata->rsp_buf_start); + pdata->rsp_buf_start = NULL; + pdata->rsp_buf_pos = NULL; + } + + /* + * If we have no formatter callback output queued (neither + * successful output nor error), go through the FIFO queue of + * read responses until a formatter returns non-zero (successful + * output or failure). + */ + while (pdata->rsp_buf_remaining == 0) { + /* + * If pdata->rsp_invalidated is true, it means the + * previous read() returned an error. Now that the + * error has already been propagated to userspace, we + * can write the end character for the invalidated read + * response. + */ + if (pdata->rsp_invalidated) { + pdata->rsp_invalidated = false; + goto write_end_char; + } + + /* If we have already read some bytes successfully, even + * if less than requested, we should return as much as + * we can without blocking further. Same if we have an + * error to return. + */ + if (non_blocking || *ret != 0) { + if (!try_wait_for_completion(&pdata->read_rsp_queued)) { + if (*ret == 0) + *ret = -EAGAIN; + /* + * If we are out of read responses, + * return whatever we have written to + * the userspace buffer so far, even if + * it's nothing. + */ + return false; + } + } else { + wait_ret = wait_for_completion_killable( + &pdata->read_rsp_queued); + if (wait_ret == -ERESTARTSYS) { + if (*ret == 0) + *ret = -EINTR; + return false; + } else if (wait_ret < 0) { + if (*ret == 0) + *ret = wait_ret; + return false; + } + } + + mutex_lock(&pdata->read_rsp_queue_lock); + if (!list_empty(&pdata->read_rsp_queue_head)) + rsp_wrapper = list_first_entry( + &pdata->read_rsp_queue_head, + struct i2cp_rsp, queue); + /* + * Avoid holding pdata->read_rsp_queue_lock while + * executing a formatter, allocating memory, or doing + * anything else that might block or take non-trivial + * time. This avoids blocking the enqueuing of new read + * responses for any significant time, even during large + * controller reads. + */ + mutex_unlock(&pdata->read_rsp_queue_lock); + + if (!rsp_wrapper) { + /* This should only happen if shutdown was requested. */ + if (i2cp_adap_get_state(pdata) != + I2CP_CTRLR_STATE_SHUTDN_REQ) + *ret = -EINVAL; + return false; + } + + pdata->rsp_buf_remaining = rsp_wrapper->formatter( + rsp_wrapper->data, &pdata->rsp_buf_start); + + if (pdata->rsp_buf_remaining > 0) { + pdata->rsp_buf_pos = pdata->rsp_buf_start; + /* + * We consumed a completion for this rsp_wrapper + * but we are leaving it in + * pdata->read_rsp_queue_head. Re-add a + * completion for it. + * + * Since overlapping reads are effectively + * serialized via use of pdata->rsp_lock, we + * could take shortcuts in how + * pdata->read_rsp_queued is used to avoid the + * need for re-incrementing it here. However by + * maintaining the invariant of consuming a + * completion each time an item from + * pdata->read_rsp_queue_head is consumed + * (whether or not it ends up being removed from + * the queue in that iteration), the completion + * logic is simpler to follow, and more easily + * lends itself to a future refactor of this + * read operation to not hold pdata->rsp_lock + * continuously. + */ + complete(&pdata->read_rsp_queued); + break; + } + + /* + * The formatter should not mutate pdata->rsp_buf_start + * if it returned non-positive. Just in case, we handle + * such a bug gracefully here. + */ + kfree(pdata->rsp_buf_start); + pdata->rsp_buf_start = NULL; + + mutex_lock(&pdata->read_rsp_queue_lock); + list_del(&rsp_wrapper->queue); + --pdata->read_rsp_queue_length; + mutex_unlock(&pdata->read_rsp_queue_lock); + + kfree(rsp_wrapper); + rsp_wrapper = NULL; + + /* Check if the formatter callback returned an error. + * + * If we have _not_ written any bytes to the userspace + * buffer yet, return now with the error code from the + * formatter. + * + * If we _have_ written bytes already, return now with + * the number of bytes written, and leave the error code + * from the formatter in pdata->rsp_buf_remaining so it + * can be returned on the next read, before any bytes + * are written. + * + * In either case, we deliberately return the error + * before writing the end character for the invalidated + * read response, so that the userspace controller knows + * to discard the response. + */ + if (pdata->rsp_buf_remaining < 0) { + if (*ret == 0) { + *ret = pdata->rsp_buf_remaining; + pdata->rsp_buf_remaining = 0; + } + pdata->rsp_invalidated = true; + return false; + } + + write_end_char: + copy_size = sizeof(i2cp_ctrlr_end_char); + /* + * This assertion is just in case someone changes + * i2cp_ctrlr_end_char to a string. Such a change would require + * handling it like a read response buffer, including ensuring + * that we not write more than *count. So long as it's a single + * character, we can avoid an extra check of *count in this code + * block, we already know it's greater than zero. + */ + BUILD_BUG_ON(copy_size != 1); + copy_ret = copy_to_user(*buf, &i2cp_ctrlr_end_char, + copy_size); + copy_size -= copy_ret; + /* + * After writing to the userspace buffer, we need to + * update various counters including the return value, + * then continue from the start of the outer while loop + * because it's possible *count has reached zero. + * + * Those exact same steps must be done after copying + * from a read response buffer to the userspace buffer, + * so jump to that code instead of duplicating it. + */ + goto after_copy_to_user; + } + + copy_size = max_t(ssize_t, 0, + min_t(ssize_t, *count, pdata->rsp_buf_remaining)); + copy_ret = copy_to_user(*buf, pdata->rsp_buf_pos, copy_size); + copy_size -= copy_ret; + pdata->rsp_buf_remaining -= copy_size; + + if (pdata->rsp_buf_remaining > 0) { + pdata->rsp_buf_pos += copy_size; + } else { + kfree(pdata->rsp_buf_start); + pdata->rsp_buf_start = NULL; + pdata->rsp_buf_pos = NULL; + } + + /* + * When jumping here, the following variables should be set: + * copy_ret: Return value from copy_to_user() (bytes not copied). + * copy_size: The number of bytes successfully copied by copy_to_user(). In + * other words, this should be the size arg to copy_to_user() minus its + * return value (bytes not copied). + */ + after_copy_to_user: + *ret += copy_size; + *count -= copy_size; + *buf += copy_size; + + return !copy_ret; +} + +static ssize_t i2cp_cdev_read(struct file *filep, char __user *buf, + size_t count, loff_t *f_ps) +{ + ssize_t ret = 0; + bool non_blocking; + struct i2cp_controller *pdata; + + /* + * Just in case this could change out from under us, best to keep a + * consistent view for the duration of this syscall. + */ + non_blocking = !!(filep->f_flags & O_NONBLOCK); + pdata = filep->private_data; + + if (count > (size_t)I2CP_RW_SIZE_LIMIT) + count = I2CP_RW_SIZE_LIMIT; + + /* + * Since read() calls are effectively serialized by way of + * pdata->rsp_lock, we MUST NOT block on obtaining that lock if in + * non-blocking mode, because it might be held by a blocking read(). + */ + if (!non_blocking) + mutex_lock(&pdata->rsp_lock); + else if (!mutex_trylock(&pdata->rsp_lock)) + return -EAGAIN; + + /* + * Check if a formatter callback returned an error that hasn't yet been + * returned to the controller. Do this before the while(count>0) loop + * because read(2) with zero count is allowed to report errors. + */ + if (pdata->rsp_buf_remaining < 0) { + BUILD_BUG_ON(ret != 0); + ret = pdata->rsp_buf_remaining; + pdata->rsp_buf_remaining = 0; + goto unlock; + } + + while (count > 0 && i2cp_cdev_read_iteration( + &buf, &count, &ret, non_blocking, pdata)) + ; + + unlock: + mutex_unlock(&pdata->rsp_lock); + return ret; +} + +/* Must be called with pdata->cmd_lock held. */ +/* Must never consume past first i2cp_ctrlr_end_char in @start. */ +static ssize_t i2cp_receive_ctrlr_cmd_header( + struct i2cp_controller *pdata, char *start, size_t remaining, + bool non_blocking) +{ + int found_deliminator_char = 0; + int i, cmd_idx; + ssize_t copy_size, ret = 0, stop, buf_remaining; + + buf_remaining = I2CP_CTRLR_CMD_LIMIT - pdata->cmd_size; + stop = min_t(ssize_t, remaining, buf_remaining + 1); + + for (i = 0; i < stop; ++i) + if (start[i] == i2cp_ctrlr_end_char || + start[i] == i2cp_ctrlr_header_sep_char) { + found_deliminator_char = 1; + break; + } + + if (i <= buf_remaining) { + copy_size = i; + } else { + copy_size = buf_remaining; + if (!pdata->cmd_receive_status) + /* + * Exceeded max size of I2C pseudo controller command + * buffer. The command currently being written will be + * ignored. + * + * Positive error number is deliberate here. + */ + pdata->cmd_receive_status = ENOBUFS; + } + + memcpy(&pdata->cmd_buf[pdata->cmd_size], start, copy_size); + pdata->cmd_size += copy_size; + + if (!found_deliminator_char || pdata->cmd_size <= 0) + return copy_size + found_deliminator_char; + + /* This may be negative. */ + cmd_idx = pdata->cmd_idx_plus_one - 1; + + if (cmd_idx < 0) { + for (i = 0; i < ARRAY_SIZE(i2cp_cmds); ++i) + if (i2cp_cmds[i].cmd_size == pdata->cmd_size && + !memcmp(i2cp_cmds[i].cmd_string, pdata->cmd_buf, + pdata->cmd_size)) + break; + if (i >= ARRAY_SIZE(i2cp_cmds)) { + /* unrecognized command */ + ret = -EIO; + goto clear_buffer; + } + cmd_idx = i; + pdata->cmd_idx_plus_one = cmd_idx + 1; + } + + /* + * If we have write bytes queued and we encountered i2cp_ctrlr_end_char + * or i2cp_ctrlr_header_sep_char, invoke the header_receiver callback. + */ + if (!pdata->cmd_receive_status) { + ret = i2cp_cmds[cmd_idx].header_receiver( + pdata->cmd_data[cmd_idx], pdata->cmd_buf, + pdata->cmd_size, non_blocking); + if (ret > 0) { + if (ret > I2CP_CTRLR_CMD_LIMIT) { + ret = -EINVAL; + goto clear_buffer; + } + pdata->cmd_data_increment = ret; + } else if (ret < 0) { + pdata->cmd_receive_status = ret; + } + } + + clear_buffer: + pdata->cmd_size = 0; + /* + * Ensure a trailing null character for the next header_receiver() or + * data_receiver() invocation. + */ + memset(pdata->cmd_buf, 0, sizeof(pdata->cmd_buf)); + + if (ret < 0) { + if (pdata->cmd_idx_plus_one >= 1 && !pdata->cmd_receive_status) + /* Negate to get a positive error number. */ + pdata->cmd_receive_status = -ret; + return ret; + } + return copy_size + found_deliminator_char; +} + +/* Must be called with pdata->cmd_lock held. */ +/* Must never consume past first i2cp_ctrlr_end_char in @start. */ +static ssize_t i2cp_receive_ctrlr_cmd_data(struct i2cp_controller *pdata, + char *start, size_t remaining, bool non_blocking) +{ + ssize_t i, ret, size_holder; + int cmd_idx; + + /* If cmd_idx ends up negative here, it is a bug. */ + cmd_idx = pdata->cmd_idx_plus_one - 1; + if (cmd_idx < 0) + return -EINVAL; + + size_holder = min_t(size_t, + (I2CP_CTRLR_CMD_LIMIT - + (I2CP_CTRLR_CMD_LIMIT % pdata->cmd_data_increment)) - + pdata->cmd_size, + (((pdata->cmd_size + remaining) / + pdata->cmd_data_increment) * + pdata->cmd_data_increment) - pdata->cmd_size); + + /* Size of current buffer plus all remaining write bytes. */ + size_holder = pdata->cmd_size + remaining; + /* + * Avoid rounding down to zero. If there are insufficient write + * bytes remaining to grow the buffer to 1x of the requested + * data byte increment, we'll copy what is available to the + * buffer, and just leave it queued without any further command + * handler invocations in this write() (unless i2cp_ctrlr_end_char is + * found, in which case we will always invoke the data_receiver for any + * remaining data bytes, and will always invoke the cmd_completer). + */ + if (size_holder > pdata->cmd_data_increment) + /* + * Round down to the nearest multiple of the requested + * data byte increment. + */ + size_holder -= size_holder % pdata->cmd_data_increment; + /* + * Take the smaller of: + * + * [A] 2nd min_t() arg: The number of bytes that we would want the + * buffer to end up with if it had unlimited space (computed + * above). + * + * [B] 3rd min_t() arg: The number of bytes that we would want the + * buffer to end up with if there were unlimited write bytes + * remaining (computed in-line below). + */ + size_holder = min_t(ssize_t, size_holder, (I2CP_CTRLR_CMD_LIMIT - ( + I2CP_CTRLR_CMD_LIMIT % pdata->cmd_data_increment))); + /* + * Subtract the existing buffer size to get the number of bytes we + * actually want to copy from the remaining write bytes in this loop + * iteration, assuming no i2cp_ctrlr_end_char. + */ + size_holder -= pdata->cmd_size; + + /* + * Look for i2cp_ctrlr_end_char. If we find it, we will copy up to but + * *not* including its position. + */ + for (i = 0; i < size_holder; ++i) + if (start[i] == i2cp_ctrlr_end_char) + break; + + /* Copy from the remaining write bytes to the command buffer. */ + memcpy(&pdata->cmd_buf[pdata->cmd_size], start, i); + pdata->cmd_size += i; + + /* + * If we have write bytes queued and *either* we encountered + * i2cp_ctrlr_end_char *or* we have a multiple of + * pdata->cmd_data_increment, invoke the data_receiver callback. + */ + if (pdata->cmd_size > 0 && + (i < size_holder || + pdata->cmd_size % pdata->cmd_data_increment == 0)) { + if (!pdata->cmd_receive_status) { + ret = i2cp_cmds[cmd_idx].data_receiver( + pdata->cmd_data[cmd_idx], pdata->cmd_buf, + pdata->cmd_size, non_blocking); + if (ret < 0) + pdata->cmd_receive_status = ret; + } + pdata->cmd_size = 0; + /* + * Ensure a trailing null character for the next + * header_receiver() or data_receiver() invocation. + */ + memset(pdata->cmd_buf, 0, sizeof(pdata->cmd_buf)); + } + + /* If i2cp_ctrlr_end_char was found, skip past it. */ + if (i < size_holder) + ++i; + return i; +} + +/* Must be called with pdata->cmd_lock held. */ +static int i2cp_receive_ctrlr_cmd_complete(struct i2cp_controller *pdata, + bool non_blocking) +{ + int ret = 0, cmd_idx; + + /* This may be negative. */ + cmd_idx = pdata->cmd_idx_plus_one - 1; + + if (cmd_idx >= 0 && i2cp_cmds[cmd_idx].cmd_completer) { + ret = i2cp_cmds[cmd_idx].cmd_completer(pdata->cmd_data[cmd_idx], + pdata, pdata->cmd_receive_status, non_blocking); + if (ret > 0) + ret = 0; + } + + pdata->cmd_idx_plus_one = 0; + pdata->cmd_receive_status = 0; + pdata->cmd_data_increment = 0; + + pdata->cmd_size = 0; + /* + * Ensure a trailing null character for the next header_receiver() or + * data_receiver() invocation. + */ + memset(pdata->cmd_buf, 0, sizeof(pdata->cmd_buf)); + + return ret; +} + +static ssize_t i2cp_cdev_write(struct file *filep, const char __user *buf, + size_t count, loff_t *f_ps) +{ + ssize_t ret = 0; + bool non_blocking; + size_t remaining; + char *kbuf, *start; + struct i2cp_controller *pdata; + + /* + * Just in case this could change out from under us, best to keep a + * consistent view for the duration of this syscall. + * + * Write command implementations, i.e. struct i2cp_cmd implementations, + * do NOT have to support blocking writes. For example, if a write of + * an I2C message reply is received for a message that the pseudo + * adapter never requested or expected, it makes more sense to indicate + * an error than to block until possibly receiving a master_xfer request + * for that I2C message, even if blocking is permitted. + * + * Furthermore, controller writes MUST NEVER block indefinitely, even + * when non_blocking is false. E.g. while non_blocking may be used to + * select between mutex_trylock and mutex_lock*, even in the + * latter case the lock should never be blocked on I/O, on userspace, or + * on anything else outside the control of this driver. It IS + * permissable for the lock to be blocked on processing of previous or + * concurrent write input, so long as that processing does not violate + * these rules. + */ + non_blocking = !!(filep->f_flags & O_NONBLOCK); + pdata = filep->private_data; + + if (count > (size_t)I2CP_RW_SIZE_LIMIT) + count = I2CP_RW_SIZE_LIMIT; + + kbuf = kzalloc(count, GFP_KERNEL); + if (!kbuf) { + ret = -ENOMEM; + goto free_kbuf; + } + if (copy_from_user(kbuf, buf, count)) { + ret = -EFAULT; + goto free_kbuf; + } + + start = kbuf; + remaining = count; + + /* + * Since write() calls are effectively serialized by way of + * pdata->cmd_lock, we MUST NOT block on obtaining that lock if in + * non-blocking mode, because it might be held by a blocking write(). + */ + if (!non_blocking) { + mutex_lock(&pdata->cmd_lock); + } else if (!mutex_trylock(&pdata->cmd_lock)) { + ret = -EAGAIN; + goto free_kbuf; + } + + while (remaining) { + if (pdata->cmd_data_increment <= 0) + ret = i2cp_receive_ctrlr_cmd_header( + pdata, start, remaining, non_blocking); + else + ret = i2cp_receive_ctrlr_cmd_data( + pdata, start, remaining, non_blocking); + if (ret < 0) + break; + if (ret == 0 || ret > remaining) { + ret = -EINVAL; + break; + } + + remaining -= ret; + start += ret; + + if (ret > 0 && start[-1] == i2cp_ctrlr_end_char) { + ret = i2cp_receive_ctrlr_cmd_complete( + pdata, non_blocking); + if (ret < 0) + break; + } + } + + mutex_unlock(&pdata->cmd_lock); + wake_up_interruptible_sync(&pdata->poll_wait_queue); + + if (ret >= 0) + /* If successful the whole write is always consumed. */ + ret = count; + + free_kbuf: + kfree(kbuf); + return ret; +} + +/* + * The select/poll/epoll implementation in this module is designed around these + * controller behavior assumptions: + * + * - If any reader of a given controller makes use of polling, all will. + * + * - Upon notification of available data to read, a reader will fully consume it + * in a read() loop until receiving EAGAIN, EWOULDBLOCK, or EOF. + * + * - Only one reader need be woken upon newly available data, however it is okay + * if more than one are sometimes woken. + * + * - If more than one reader is woken, or otherwise acts in parallel, it is the + * responsibility of the readers to either ensure that only one at a time + * consumes all input until EAGAIN/EWOULDBLOCK, or that they properly + * recombine any data that was split among them. + * + * - All of the above applies to writers as well. + * + * Notes: + * + * - If a reader does not read all available data until EAGAIN/EWOULDBLOCK after + * being woken from poll, there may be no wake event for the remaining + * available data, causing it to remain unread until further data becomes + * available and triggers another wake event. The same applies to writers - + * they are only guaranteed to be woken /once/ per blocked->unblocked + * transition, so after being woken they should continue writing until either + * the controller is out of data or EAGAIN/EWOULDBLOCK is encountered. + * + * - It is strongly suggested that controller implementations have only one + * reader (thread) and one writer (thread), which may or may not be the same + * thread. After all only one message can be active on an I2C bus at a time, + * and this driver implementation reflects that. Avoiding multiple readers + * and multiple writers greatly simplifies controller implementation, and + * there is likely nothing to be gained from performing any of their work in + * parallel. + * + * - Implementation detail: Reads are effectively serialized by a per controller + * read lock. From the perspective of other readers, the controller device + * will appear blocked, with appropriate behavior based on the O_NONBLOCK bit. + * THIS IS SUBJECT TO CHANGE! + * + * - Implementation detail: Writes are effectively serialized by a per + * controller write lock. From the perspective of other writers, the + * controller device will appear blocked, with appropriate behavior based on + * the O_NONBLOCK bit. THIS IS SUBJECT TO CHANGE! + * + * - Implementation detail: In the initial implementation, the only scenario + * where a controller will appear blocked for writes is if another write is in + * progress. Thus, a single writer should never see the device blocked. THIS + * IS SUBJECT TO CHANGE! When using O_NONBLOCK, a controller should correctly + * handle EAGAIN/EWOULDBLOCK even if it has only one writer. + */ +static __poll_t i2cp_cdev_poll(struct file *filep, poll_table *ptp) +{ + __poll_t poll_ret = 0; + struct i2cp_controller *pdata; + + pdata = filep->private_data; + + poll_wait(filep, &pdata->poll_wait_queue, ptp); + + if (mutex_trylock(&pdata->rsp_lock)) { + if (i2cp_poll_in(pdata)) + poll_ret |= POLLIN | POLLRDNORM; + mutex_unlock(&pdata->rsp_lock); + } + + if (!mutex_is_locked(&pdata->cmd_lock)) + poll_ret |= POLLOUT | POLLWRNORM; + + if (i2cp_adap_get_state(pdata) == I2CP_CTRLR_STATE_SHUTDN_REQ) + poll_ret |= POLLHUP; + + return poll_ret; +} + +static const struct file_operations i2cp_fileops = { + .owner = THIS_MODULE, + .open = i2cp_cdev_open, + .release = i2cp_cdev_release, + .read = i2cp_cdev_read, + .write = i2cp_cdev_write, + .poll = i2cp_cdev_poll, + .llseek = no_llseek, +}; + +static ssize_t i2cp_limit_show(struct device *dev, + struct device_attribute *attr, char *buf) +{ + int ret; + + ret = snprintf(buf, PAGE_SIZE, "%u\n", i2cp_limit); + if (ret >= PAGE_SIZE) + return -ERANGE; + return ret; +} + +static struct device_attribute i2cp_limit_dev_attr = { + .attr = { + .name = "limit", + .mode = 0444, + }, + .show = i2cp_limit_show, +}; + +static ssize_t i2cp_count_show(struct device *dev, + struct device_attribute *attr, char *buf) +{ + int count, ret; + struct i2cp_device *this_pseudo; + + this_pseudo = container_of(dev, struct i2cp_device, device); + + mutex_lock(&this_pseudo->counters.lock); + count = this_pseudo->counters.count; + mutex_unlock(&this_pseudo->counters.lock); + + ret = snprintf(buf, PAGE_SIZE, "%u\n", count); + if (ret >= PAGE_SIZE) + return -ERANGE; + return ret; +} + +static struct device_attribute i2cp_count_dev_attr = { + .attr = { + .name = "count", + .mode = 0444, + }, + .show = i2cp_count_show, +}; + +static struct attribute *i2cp_device_sysfs_attrs[] = { + &i2cp_limit_dev_attr.attr, + &i2cp_count_dev_attr.attr, + NULL, +}; + +static const struct attribute_group i2cp_device_sysfs_group = { + .attrs = i2cp_device_sysfs_attrs, +}; + +static const struct attribute_group *i2cp_device_sysfs_groups[] = { + &i2cp_device_sysfs_group, + NULL, +}; + +static void i2c_p_device_release(struct device *dev) +{ + struct i2cp_device *this_pseudo; + + this_pseudo = container_of(dev, struct i2cp_device, device); + kfree(this_pseudo->counters.all_controllers); + kfree(this_pseudo); +} + +static inline void i2c_p_class_destroy(void) +{ + struct class *class; + + class = i2cp_class; + i2cp_class = NULL; + class_destroy(class); +} + +static int __init i2cp_init(void) +{ + int ret = -1; + + if (i2cp_limit < I2CP_ADAPTERS_MIN || i2cp_limit > I2CP_ADAPTERS_MAX) { + pr_err("%s: i2cp_limit=%u, must be in range [" + STR(I2CP_ADAPTERS_MIN) ", " STR(I2CP_ADAPTERS_MAX) + "]\n", __func__, i2cp_limit); + return -EINVAL; + } + + i2cp_class = class_create(THIS_MODULE, I2CP_CLASS_NAME); + if (IS_ERR(i2cp_class)) + return PTR_ERR(i2cp_class); + + i2cp_class->dev_groups = i2cp_device_sysfs_groups; + + ret = alloc_chrdev_region(&i2cp_dev_num, I2CP_CDEV_BASEMINOR, + I2CP_CDEV_COUNT, I2CP_CHRDEV_NAME); + if (ret < 0) + goto fail_after_class_create; + + i2cp_device = kzalloc(sizeof(*i2cp_device), GFP_KERNEL); + if (!i2cp_device) { + ret = -ENOMEM; + goto fail_after_chrdev_register; + } + + i2cp_device->device.devt = i2cp_dev_num; + i2cp_device->device.class = i2cp_class; + i2cp_device->device.release = i2c_p_device_release; + device_initialize(&i2cp_device->device); + + ret = dev_set_name(&i2cp_device->device, "%s", I2CP_DEVICE_NAME); + if (ret < 0) + goto fail_after_device_init; + + mutex_init(&i2cp_device->counters.lock); + i2cp_device->counters.all_controllers = kcalloc(i2cp_limit, + sizeof(*i2cp_device->counters.all_controllers), GFP_KERNEL); + if (!i2cp_device->counters.all_controllers) { + ret = -ENOMEM; + goto fail_after_device_init; + } + + cdev_init(&i2cp_device->cdev, &i2cp_fileops); + i2cp_device->cdev.owner = THIS_MODULE; + + ret = cdev_device_add(&i2cp_device->cdev, &i2cp_device->device); + if (ret < 0) + goto fail_after_device_init; + + return 0; + + fail_after_device_init: + put_device(&i2cp_device->device); + fail_after_chrdev_register: + unregister_chrdev_region(i2cp_dev_num, I2CP_CDEV_COUNT); + fail_after_class_create: + i2c_p_class_destroy(); + return ret; +} + +static void __exit i2cp_exit(void) +{ + cdev_device_del(&i2cp_device->cdev, &i2cp_device->device); + put_device(&i2cp_device->device); + unregister_chrdev_region(i2cp_dev_num, I2CP_CDEV_COUNT); + i2c_p_class_destroy(); +} + +MODULE_AUTHOR("Matthew Blecker