Showing error 786

User: Jiri Slaby
Error type: Memory Leak
Error type description: There the code omits to free some allocated memory
File location: drivers/uwb/neh.c
Line in file: 391
Project: Linux Kernel
Project version: 2.6.28
Tools: Stanse (1.2)
Entered: 2011-11-07 22:26:27 UTC

Source: 

  1/*
  2 * WUSB Wire Adapter: Radio Control Interface (WUSB[8])
  3 * Notification and Event Handling
  4 *
  5 * Copyright (C) 2005-2006 Intel Corporation
  6 * Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
  7 *
  8 * This program is free software; you can redistribute it and/or
  9 * modify it under the terms of the GNU General Public License version
 10 * 2 as published by the Free Software Foundation.
 11 *
 12 * This program is distributed in the hope that it will be useful,
 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 15 * GNU General Public License for more details.
 16 *
 17 * You should have received a copy of the GNU General Public License
 18 * along with this program; if not, write to the Free Software
 19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 20 * 02110-1301, USA.
 21 *
 22 *
 23 * The RC interface of the Host Wire Adapter (USB dongle) or WHCI PCI
 24 * card delivers a stream of notifications and events to the
 25 * notification end event endpoint or area. This code takes care of
 26 * getting a buffer with that data, breaking it up in separate
 27 * notifications and events and then deliver those.
 28 *
 29 * Events are answers to commands and they carry a context ID that
 30 * associates them to the command. Notifications are that,
 31 * notifications, they come out of the blue and have a context ID of
 32 * zero. Think of the context ID kind of like a handler. The
 33 * uwb_rc_neh_* code deals with managing context IDs.
 34 *
 35 * This is why you require a handle to operate on a UWB host. When you
 36 * open a handle a context ID is assigned to you.
 37 *
 38 * So, as it is done is:
 39 *
 40 * 1. Add an event handler [uwb_rc_neh_add()] (assigns a ctx id)
 41 * 2. Issue command [rc->cmd(rc, ...)]
 42 * 3. Arm the timeout timer [uwb_rc_neh_arm()]
 43 * 4, Release the reference to the neh [uwb_rc_neh_put()]
 44 * 5. Wait for the callback
 45 * 6. Command result (RCEB) is passed to the callback
 46 *
 47 * If (2) fails, you should remove the handle [uwb_rc_neh_rm()]
 48 * instead of arming the timer.
 49 *
 50 * Handles are for using in *serialized* code, single thread.
 51 *
 52 * When the notification/event comes, the IRQ handler/endpoint
 53 * callback passes the data read to uwb_rc_neh_grok() which will break
 54 * it up in a discrete series of events, look up who is listening for
 55 * them and execute the pertinent callbacks.
 56 *
 57 * If the reader detects an error while reading the data stream, call
 58 * uwb_rc_neh_error().
 59 *
 60 * CONSTRAINTS/ASSUMPTIONS:
 61 *
 62 * - Most notifications/events are small (less thank .5k), copying
 63 *   around is ok.
 64 *
 65 * - Notifications/events are ALWAYS smaller than PAGE_SIZE
 66 *
 67 * - Notifications/events always come in a single piece (ie: a buffer
 68 *   will always contain entire notifications/events).
 69 *
 70 * - we cannot know in advance how long each event is (because they
 71 *   lack a length field in their header--smart move by the standards
 72 *   body, btw). So we need a facility to get the event size given the
 73 *   header. This is what the EST code does (notif/Event Size
 74 *   Tables), check nest.c--as well, you can associate the size to
 75 *   the handle [w/ neh->extra_size()].
 76 *
 77 * - Most notifications/events are fixed size; only a few are variable
 78 *   size (NEST takes care of that).
 79 *
 80 * - Listeners of events expect them, so they usually provide a
 81 *   buffer, as they know the size. Listeners to notifications don't,
 82 *   so we allocate their buffers dynamically.
 83 */
 84#include <linux/kernel.h>
 85#include <linux/timer.h>
 86#include <linux/err.h>
 87
 88#include "uwb-internal.h"
 89#define D_LOCAL 0
 90#include <linux/uwb/debug.h>
 91
 92/*
 93 * UWB Radio Controller Notification/Event Handle
 94 *
 95 * Represents an entity waiting for an event coming from the UWB Radio
 96 * Controller with a given context id (context) and type (evt_type and
 97 * evt). On reception of the notification/event, the callback (cb) is
 98 * called with the event.
 99 *
100 * If the timer expires before the event is received, the callback is
101 * called with -ETIMEDOUT as the event size.
102 */
103struct uwb_rc_neh {
104        struct kref kref;
105
106        struct uwb_rc *rc;
107        u8 evt_type;
108        __le16 evt;
109        u8 context;
110        uwb_rc_cmd_cb_f cb;
111        void *arg;
112
113        struct timer_list timer;
114        struct list_head list_node;
115};
116
117static void uwb_rc_neh_timer(unsigned long arg);
118
119static void uwb_rc_neh_release(struct kref *kref)
120{
121        struct uwb_rc_neh *neh = container_of(kref, struct uwb_rc_neh, kref);
122
123        kfree(neh);
124}
125
126static void uwb_rc_neh_get(struct uwb_rc_neh *neh)
127{
128        kref_get(&neh->kref);
129}
130
131/**
132 * uwb_rc_neh_put - release reference to a neh
133 * @neh: the neh
134 */
135void uwb_rc_neh_put(struct uwb_rc_neh *neh)
136{
137        kref_put(&neh->kref, uwb_rc_neh_release);
138}
139
140
141/**
142 * Assigns @neh a context id from @rc's pool
143 *
144 * @rc:            UWB Radio Controller descriptor; @rc->neh_lock taken
145 * @neh:    Notification/Event Handle
146 * @returns 0 if context id was assigned ok; < 0 errno on error (if
147 *            all the context IDs are taken).
148 *
149 * (assumes @wa is locked).
150 *
151 * NOTE: WUSB spec reserves context ids 0x00 for notifications and
152 *         0xff is invalid, so they must not be used. Initialization
153 *         fills up those two in the bitmap so they are not allocated.
154 *
155 * We spread the allocation around to reduce the posiblity of two
156 * consecutive opened @neh's getting the same context ID assigned (to
157 * avoid surprises with late events that timed out long time ago). So
158 * first we search from where @rc->ctx_roll is, if not found, we
159 * search from zero.
160 */
161static
162int __uwb_rc_ctx_get(struct uwb_rc *rc, struct uwb_rc_neh *neh)
163{
164        int result;
165        result = find_next_zero_bit(rc->ctx_bm, UWB_RC_CTX_MAX,
166                                    rc->ctx_roll++);
167        if (result < UWB_RC_CTX_MAX)
168                goto found;
169        result = find_first_zero_bit(rc->ctx_bm, UWB_RC_CTX_MAX);
170        if (result < UWB_RC_CTX_MAX)
171                goto found;
172        return -ENFILE;
173found:
174        set_bit(result, rc->ctx_bm);
175        neh->context = result;
176        return 0;
177}
178
179
180/** Releases @neh's context ID back to @rc (@rc->neh_lock is locked). */
181static
182void __uwb_rc_ctx_put(struct uwb_rc *rc, struct uwb_rc_neh *neh)
183{
184        struct device *dev = &rc->uwb_dev.dev;
185        if (neh->context == 0)
186                return;
187        if (test_bit(neh->context, rc->ctx_bm) == 0) {
188                dev_err(dev, "context %u not set in bitmap\n",
189                        neh->context);
190                WARN_ON(1);
191        }
192        clear_bit(neh->context, rc->ctx_bm);
193        neh->context = 0;
194}
195
196/**
197 * uwb_rc_neh_add - add a neh for a radio controller command
198 * @rc:             the radio controller
199 * @cmd:            the radio controller command
200 * @expected_type:  the type of the expected response event
201 * @expected_event: the expected event ID
202 * @cb:             callback for when the event is received
203 * @arg:            argument for the callback
204 *
205 * Creates a neh and adds it to the list of those waiting for an
206 * event.  A context ID will be assigned to the command.
207 */
208struct uwb_rc_neh *uwb_rc_neh_add(struct uwb_rc *rc, struct uwb_rccb *cmd,
209                                  u8 expected_type, u16 expected_event,
210                                  uwb_rc_cmd_cb_f cb, void *arg)
211{
212        int result;
213        unsigned long flags;
214        struct device *dev = &rc->uwb_dev.dev;
215        struct uwb_rc_neh *neh;
216
217        neh = kzalloc(sizeof(*neh), GFP_KERNEL);
218        if (neh == NULL) {
219                result = -ENOMEM;
220                goto error_kzalloc;
221        }
222
223        kref_init(&neh->kref);
224        INIT_LIST_HEAD(&neh->list_node);
225        init_timer(&neh->timer);
226        neh->timer.function = uwb_rc_neh_timer;
227        neh->timer.data     = (unsigned long)neh;
228
229        neh->rc = rc;
230        neh->evt_type = expected_type;
231        neh->evt = cpu_to_le16(expected_event);
232        neh->cb = cb;
233        neh->arg = arg;
234
235        spin_lock_irqsave(&rc->neh_lock, flags);
236        result = __uwb_rc_ctx_get(rc, neh);
237        if (result >= 0) {
238                cmd->bCommandContext = neh->context;
239                list_add_tail(&neh->list_node, &rc->neh_list);
240                uwb_rc_neh_get(neh);
241        }
242        spin_unlock_irqrestore(&rc->neh_lock, flags);
243        if (result < 0)
244                goto error_ctx_get;
245
246        return neh;
247
248error_ctx_get:
249        kfree(neh);
250error_kzalloc:
251        dev_err(dev, "cannot open handle to radio controller: %d\n", result);
252        return ERR_PTR(result);
253}
254
255static void __uwb_rc_neh_rm(struct uwb_rc *rc, struct uwb_rc_neh *neh)
256{
257        del_timer(&neh->timer);
258        __uwb_rc_ctx_put(rc, neh);
259        list_del(&neh->list_node);
260}
261
262/**
263 * uwb_rc_neh_rm - remove a neh.
264 * @rc:  the radio controller
265 * @neh: the neh to remove
266 *
267 * Remove an active neh immediately instead of waiting for the event
268 * (or a time out).
269 */
270void uwb_rc_neh_rm(struct uwb_rc *rc, struct uwb_rc_neh *neh)
271{
272        unsigned long flags;
273
274        spin_lock_irqsave(&rc->neh_lock, flags);
275        __uwb_rc_neh_rm(rc, neh);
276        spin_unlock_irqrestore(&rc->neh_lock, flags);
277
278        uwb_rc_neh_put(neh);
279}
280
281/**
282 * uwb_rc_neh_arm - arm an event handler timeout timer
283 *
284 * @rc:     UWB Radio Controller
285 * @neh:    Notification/event handler for @rc
286 *
287 * The timer is only armed if the neh is active.
288 */
289void uwb_rc_neh_arm(struct uwb_rc *rc, struct uwb_rc_neh *neh)
290{
291        unsigned long flags;
292
293        spin_lock_irqsave(&rc->neh_lock, flags);
294        if (neh->context)
295                mod_timer(&neh->timer,
296                          jiffies + msecs_to_jiffies(UWB_RC_CMD_TIMEOUT_MS));
297        spin_unlock_irqrestore(&rc->neh_lock, flags);
298}
299
300static void uwb_rc_neh_cb(struct uwb_rc_neh *neh, struct uwb_rceb *rceb, size_t size)
301{
302        (*neh->cb)(neh->rc, neh->arg, rceb, size);
303        uwb_rc_neh_put(neh);
304}
305
306static bool uwb_rc_neh_match(struct uwb_rc_neh *neh, const struct uwb_rceb *rceb)
307{
308        return neh->evt_type == rceb->bEventType
309                && neh->evt == rceb->wEvent
310                && neh->context == rceb->bEventContext;
311}
312
313/**
314 * Find the handle waiting for a RC Radio Control Event
315 *
316 * @rc:         UWB Radio Controller
317 * @rceb:       Pointer to the RCEB buffer
318 * @event_size: Pointer to the size of the RCEB buffer. Might be
319 *              adjusted to take into account the @neh->extra_size
320 *              settings.
321 *
322 * If the listener has no buffer (NULL buffer), one is allocated for
323 * the right size (the amount of data received). @neh->ptr will point
324 * to the event payload, which always starts with a 'struct
325 * uwb_rceb'. kfree() it when done.
326 */
327static
328struct uwb_rc_neh *uwb_rc_neh_lookup(struct uwb_rc *rc,
329                                     const struct uwb_rceb *rceb)
330{
331        struct uwb_rc_neh *neh = NULL, *h;
332        unsigned long flags;
333
334        spin_lock_irqsave(&rc->neh_lock, flags);
335
336        list_for_each_entry(h, &rc->neh_list, list_node) {
337                if (uwb_rc_neh_match(h, rceb)) {
338                        neh = h;
339                        break;
340                }
341        }
342
343        if (neh)
344                __uwb_rc_neh_rm(rc, neh);
345
346        spin_unlock_irqrestore(&rc->neh_lock, flags);
347
348        return neh;
349}
350
351
352/**
353 * Process notifications coming from the radio control interface
354 *
355 * @rc:    UWB Radio Control Interface descriptor
356 * @neh:   Notification/Event Handler @neh->ptr points to
357 *         @uwb_evt->buffer.
358 *
359 * This function is called by the event/notif handling subsystem when
360 * notifications arrive (hwarc_probe() arms a notification/event handle
361 * that calls back this function for every received notification; this
362 * function then will rearm itself).
363 *
364 * Notification data buffers are dynamically allocated by the NEH
365 * handling code in neh.c [uwb_rc_neh_lookup()]. What is actually
366 * allocated is space to contain the notification data.
367 *
368 * Buffers are prefixed with a Radio Control Event Block (RCEB) as
369 * defined by the WUSB Wired-Adapter Radio Control interface. We
370 * just use it for the notification code.
371 *
372 * On each case statement we just transcode endianess of the different
373 * fields. We declare a pointer to a RCI definition of an event, and
374 * then to a UWB definition of the same event (which are the same,
375 * remember). Event if we use different pointers
376 */
377static
378void uwb_rc_notif(struct uwb_rc *rc, struct uwb_rceb *rceb, ssize_t size)
379{
380        struct device *dev = &rc->uwb_dev.dev;
381        struct uwb_event *uwb_evt;
382
383        if (size == -ESHUTDOWN)
384                return;
385        if (size < 0) {
386                dev_err(dev, "ignoring event with error code %zu\n",
387                        size);
388                return;
389        }
390
391        uwb_evt = kzalloc(sizeof(*uwb_evt), GFP_ATOMIC);
392        if (unlikely(uwb_evt == NULL)) {
393                dev_err(dev, "no memory to queue event 0x%02x/%04x/%02x\n",
394                        rceb->bEventType, le16_to_cpu(rceb->wEvent),
395                        rceb->bEventContext);
396                return;
397        }
398        uwb_evt->rc = __uwb_rc_get(rc);        /* will be put by uwbd's uwbd_event_handle() */
399        uwb_evt->ts_jiffies = jiffies;
400        uwb_evt->type = UWB_EVT_TYPE_NOTIF;
401        uwb_evt->notif.size = size;
402        uwb_evt->notif.rceb = rceb;
403
404        switch (le16_to_cpu(rceb->wEvent)) {
405                /* Trap some vendor specific events
406                 *
407                 * FIXME: move this to handling in ptc-est, where we
408                 * register a NULL event handler for these two guys
409                 * using the Intel IDs.
410                 */
411        case 0x0103:
412                dev_info(dev, "FIXME: DEVICE ADD\n");
413                return;
414        case 0x0104:
415                dev_info(dev, "FIXME: DEVICE RM\n");
416                return;
417        default:
418                break;
419        }
420
421        uwbd_event_queue(uwb_evt);
422}
423
424static void uwb_rc_neh_grok_event(struct uwb_rc *rc, struct uwb_rceb *rceb, size_t size)
425{
426        struct device *dev = &rc->uwb_dev.dev;
427        struct uwb_rc_neh *neh;
428        struct uwb_rceb *notif;
429
430        if (rceb->bEventContext == 0) {
431                notif = kmalloc(size, GFP_ATOMIC);
432                if (notif) {
433                        memcpy(notif, rceb, size);
434                        uwb_rc_notif(rc, notif, size);
435                } else
436                        dev_err(dev, "event 0x%02x/%04x/%02x (%zu bytes): no memory\n",
437                                rceb->bEventType, le16_to_cpu(rceb->wEvent),
438                                rceb->bEventContext, size);
439        } else {
440                neh = uwb_rc_neh_lookup(rc, rceb);
441                if (neh)
442                        uwb_rc_neh_cb(neh, rceb, size);
443                else
444                        dev_warn(dev, "event 0x%02x/%04x/%02x (%zu bytes): nobody cared\n",
445                                 rceb->bEventType, le16_to_cpu(rceb->wEvent),
446                                 rceb->bEventContext, size);
447        }
448}
449
450/**
451 * Given a buffer with one or more UWB RC events/notifications, break
452 * them up and dispatch them.
453 *
454 * @rc:              UWB Radio Controller
455 * @buf:      Buffer with the stream of notifications/events
456 * @buf_size: Amount of data in the buffer
457 *
458 * Note each notification/event starts always with a 'struct
459 * uwb_rceb', so the minimum size if 4 bytes.
460 *
461 * The device may pass us events formatted differently than expected.
462 * These are first filtered, potentially creating a new event in a new
463 * memory location. If a new event is created by the filter it is also
464 * freed here.
465 *
466 * For each notif/event, tries to guess the size looking at the EST
467 * tables, then looks for a neh that is waiting for that event and if
468 * found, copies the payload to the neh's buffer and calls it back. If
469 * not, the data is ignored.
470 *
471 * Note that if we can't find a size description in the EST tables, we
472 * still might find a size in the 'neh' handle in uwb_rc_neh_lookup().
473 *
474 * Assumptions:
475 *
476 *   @rc->neh_lock is NOT taken
477 *
478 * We keep track of various sizes here:
479 * size:      contains the size of the buffer that is processed for the
480 *            incoming event. this buffer may contain events that are not
481 *            formatted as WHCI.
482 * real_size: the actual space taken by this event in the buffer.
483 *            We need to keep track of the real size of an event to be able to
484 *            advance the buffer correctly.
485 * event_size: the size of the event as expected by the core layer
486 *            [OR] the size of the event after filtering. if the filtering
487 *            created a new event in a new memory location then this is
488 *            effectively the size of a new event buffer
489 */
490void uwb_rc_neh_grok(struct uwb_rc *rc, void *buf, size_t buf_size)
491{
492        struct device *dev = &rc->uwb_dev.dev;
493        void *itr;
494        struct uwb_rceb *rceb;
495        size_t size, real_size, event_size;
496        int needtofree;
497
498        d_fnstart(3, dev, "(rc %p buf %p %zu buf_size)\n", rc, buf, buf_size);
499        d_printf(2, dev, "groking event block: %zu bytes\n", buf_size);
500        itr = buf;
501        size = buf_size;
502        while (size > 0) {
503                if (size < sizeof(*rceb)) {
504                        dev_err(dev, "not enough data in event buffer to "
505                                "process incoming events (%zu left, minimum is "
506                                "%zu)\n", size, sizeof(*rceb));
507                        break;
508                }
509
510                rceb = itr;
511                if (rc->filter_event) {
512                        needtofree = rc->filter_event(rc, &rceb, size,
513                                                      &real_size, &event_size);
514                        if (needtofree < 0 && needtofree != -ENOANO) {
515                                dev_err(dev, "BUG: Unable to filter event "
516                                        "(0x%02x/%04x/%02x) from "
517                                        "device. \n", rceb->bEventType,
518                                        le16_to_cpu(rceb->wEvent),
519                                        rceb->bEventContext);
520                                break;
521                        }
522                } else
523                        needtofree = -ENOANO;
524                /* do real processing if there was no filtering or the
525                 * filtering didn't act */
526                if (needtofree == -ENOANO) {
527                        ssize_t ret = uwb_est_find_size(rc, rceb, size);
528                        if (ret < 0)
529                                break;
530                        if (ret > size) {
531                                dev_err(dev, "BUG: hw sent incomplete event "
532                                        "0x%02x/%04x/%02x (%zd bytes), only got "
533                                        "%zu bytes. We don't handle that.\n",
534                                        rceb->bEventType, le16_to_cpu(rceb->wEvent),
535                                        rceb->bEventContext, ret, size);
536                                break;
537                        }
538                        real_size = event_size = ret;
539                }
540                uwb_rc_neh_grok_event(rc, rceb, event_size);
541
542                if (needtofree == 1)
543                        kfree(rceb);
544
545                itr += real_size;
546                size -= real_size;
547                d_printf(2, dev, "consumed %zd bytes, %zu left\n",
548                         event_size, size);
549        }
550        d_fnend(3, dev, "(rc %p buf %p %zu buf_size) = void\n", rc, buf, buf_size);
551}
552EXPORT_SYMBOL_GPL(uwb_rc_neh_grok);
553
554
555/**
556 * The entity that reads from the device notification/event channel has
557 * detected an error.
558 *
559 * @rc:    UWB Radio Controller
560 * @error: Errno error code
561 *
562 */
563void uwb_rc_neh_error(struct uwb_rc *rc, int error)
564{
565        struct uwb_rc_neh *neh, *next;
566        unsigned long flags;
567
568        BUG_ON(error >= 0);
569        spin_lock_irqsave(&rc->neh_lock, flags);
570        list_for_each_entry_safe(neh, next, &rc->neh_list, list_node) {
571                __uwb_rc_neh_rm(rc, neh);
572                uwb_rc_neh_cb(neh, NULL, error);
573        }
574        spin_unlock_irqrestore(&rc->neh_lock, flags);
575}
576EXPORT_SYMBOL_GPL(uwb_rc_neh_error);
577
578
579static void uwb_rc_neh_timer(unsigned long arg)
580{
581        struct uwb_rc_neh *neh = (struct uwb_rc_neh *)arg;
582        struct uwb_rc *rc = neh->rc;
583        unsigned long flags;
584
585        spin_lock_irqsave(&rc->neh_lock, flags);
586        __uwb_rc_neh_rm(rc, neh);
587        spin_unlock_irqrestore(&rc->neh_lock, flags);
588
589        uwb_rc_neh_cb(neh, NULL, -ETIMEDOUT);
590}
591
592/** Initializes the @rc's neh subsystem
593 */
594void uwb_rc_neh_create(struct uwb_rc *rc)
595{
596        spin_lock_init(&rc->neh_lock);
597        INIT_LIST_HEAD(&rc->neh_list);
598        set_bit(0, rc->ctx_bm);                /* 0 is reserved (see [WUSB] table 8-65) */
599        set_bit(0xff, rc->ctx_bm);        /* and 0xff is invalid */
600        rc->ctx_roll = 1;
601}
602
603
604/** Release's the @rc's neh subsystem */
605void uwb_rc_neh_destroy(struct uwb_rc *rc)
606{
607        unsigned long flags;
608        struct uwb_rc_neh *neh, *next;
609
610        spin_lock_irqsave(&rc->neh_lock, flags);
611        list_for_each_entry_safe(neh, next, &rc->neh_list, list_node) {
612                __uwb_rc_neh_rm(rc, neh);
613                uwb_rc_neh_put(neh);
614        }
615        spin_unlock_irqrestore(&rc->neh_lock, flags);
616}