| Age | Commit message (Collapse) | Author |
|---|
|
In mei_cl_read_start(), if it fails to send flow control request, it
will release "cl->read_cb" but forget to set pointer to NULL, leaving
"cl->read_cb" still pointing to random memory, next time this client is
operated like mei_release(), it has chance to refer to this wrong pointer.
Fixes: PANIC at kfree in mei_release()
[228781.826904] Call Trace:
[228781.829737] [<c16249b8>] ? mei_cl_unlink+0x48/0xa0
[228781.835283] [<c1624487>] mei_io_cb_free+0x17/0x30
[228781.840733] [<c16265d8>] mei_release+0xa8/0x180
[228781.845989] [<c135c610>] ? __fsnotify_parent+0xa0/0xf0
[228781.851925] [<c1325a69>] __fput+0xd9/0x200
[228781.856696] [<c1325b9d>] ____fput+0xd/0x10
[228781.861467] [<c125cae1>] task_work_run+0x81/0xb0
[228781.866821] [<c1242e53>] do_exit+0x283/0xa00
[228781.871786] [<c1a82b36>] ? kprobe_flush_task+0x66/0xc0
[228781.877722] [<c124eeb8>] ? __dequeue_signal+0x18/0x1a0
[228781.883657] [<c124f072>] ? dequeue_signal+0x32/0x190
[228781.889397] [<c1243744>] do_group_exit+0x34/0xa0
[228781.894750] [<c12517b6>] get_signal_to_deliver+0x206/0x610
[228781.901075] [<c12018d8>] do_signal+0x38/0x100
[228781.906136] [<c1626d1c>] ? mei_read+0x42c/0x4e0
[228781.911393] [<c12600a0>] ? wake_up_bit+0x30/0x30
[228781.916745] [<c16268f0>] ? mei_poll+0x120/0x120
[228781.922001] [<c1324be9>] ? vfs_read+0x89/0x160
[228781.927158] [<c16268f0>] ? mei_poll+0x120/0x120
[228781.932414] [<c133ca34>] ? fget_light+0x44/0xe0
[228781.937670] [<c1324e58>] ? SyS_read+0x68/0x80
[228781.942730] [<c12019f5>] do_notify_resume+0x55/0x70
[228781.948376] [<c1a7de5d>] work_notifysig+0x29/0x30
[228781.953827] [<c1a70000>] ? bad_area+0x5/0x3e
Cc: stable <stable@vger.kernel.org> # 3.9+
Signed-off-by: Chao Bi <chao.bi@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Don't set read callback to NULL during reset as
this leads to memory leak of both cb and its buffer.
The memory is correctly freed during mei_release.
The memory leak is detectable by kmemleak if
application has open read call while system is going through
suspend/resume.
unreferenced object 0xecead780 (size 64):
comm "AsyncTask #1", pid 1018, jiffies 4294949621 (age 152.440s)
hex dump (first 32 bytes):
00 01 10 00 00 02 20 00 00 bf 30 f1 00 00 00 00 ...... ...0.....
00 00 00 00 00 00 00 00 36 01 00 00 00 70 da e2 ........6....p..
backtrace:
[<c1a60aec>] kmemleak_alloc+0x3c/0xa0
[<c131ed56>] kmem_cache_alloc_trace+0xc6/0x190
[<c16243c9>] mei_io_cb_init+0x29/0x50
[<c1625722>] mei_cl_read_start+0x102/0x360
[<c16268f3>] mei_read+0x103/0x4e0
[<c1324b09>] vfs_read+0x89/0x160
[<c1324d5f>] SyS_read+0x4f/0x80
[<c1a7b318>] syscall_call+0x7/0xb
[<ffffffff>] 0xffffffff
unreferenced object 0xe2da7000 (size 512):
comm "AsyncTask #1", pid 1018, jiffies 4294949621 (age 152.440s)
hex dump (first 32 bytes):
00 6c da e2 7c 00 00 00 00 00 00 00 c0 eb 0c 59 .l..|..........Y
1b 00 00 00 01 00 00 00 02 10 00 00 01 00 00 00 ................
backtrace:
[<c1a60aec>] kmemleak_alloc+0x3c/0xa0
[<c131f127>] __kmalloc+0xe7/0x1d0
[<c162447e>] mei_io_cb_alloc_resp_buf+0x2e/0x60
[<c162574c>] mei_cl_read_start+0x12c/0x360
[<c16268f3>] mei_read+0x103/0x4e0
[<c1324b09>] vfs_read+0x89/0x160
[<c1324d5f>] SyS_read+0x4f/0x80
[<c1a7b318>] syscall_call+0x7/0xb
[<ffffffff>] 0xffffffff
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Clear write callbacks sitting in write_waiting list on reset.
Otherwise these callbacks are left dangling and cause memory leak.
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
give up reseting after 3 unsuccessful tries
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
1. MEI_DEV_RESETTING device state spans only hardware reset flow
while starting dev state is saved into a local variable for further
reference, this let us to reduce big if statements in case we
are trying to avoid nested resets
2. During initializations if the reset ended in MEI_DEV_DISABLED device
state we bail out with -ENODEV
3. Remove redundant interrupts_enabled parameter as this
can be deduced from the starting dev_state
4. mei_reset propagates error code to the caller
5. Add mei_restart function to wrap the pci resume
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Fix syntax errors in comments and debug strings
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
nfc_nfc_free unlink clients from the device list
and has to be called under mei mutex
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Reviewed-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
When reset is caused by hbm protocol mismatch or timeout
we might end up in an endless reset loop and hbm protocol
will never sync
Cc: <stable@vger.kernel.org>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
This fixes a potential deadlock in case of a firmware
initiated reset
mei_reset has a dialog with the interrupt thread hence
it has to be run from an another work item
Most of the mei_resets were called from mei_hbm_dispatch
which is called in interrupt thread context so this
function underwent major revamp. The error code is
propagated to the interrupt thread and if needed
the reset is scheduled from there.
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
ME device is 64bit DMA capable
We assume both coherent and consistent memory to match
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Set hbm header bit 30 for internal commands
This mark commands that are generated by
the device driver
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
We want these fixes in here.
|
|
And Lynx Point H Refresh and Wildcat Point LP
device ids.
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
1. Simplify function flow
2. Display errors in error or warnings level instead of debug.
3. Remove excessive debug messages
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
list_del_init appears twice in row in mei_cl_unlink, drop one.
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Cancel each work properly and remove flash_work_queue.
Quoting documentation:
In most situations flushing the entire workqueue is overkill; you merely
need to know that a particular work item isn't queued and isn't running.
In such cases you should use cancel_delayed_work_sync() or
cancel_work_sync() instead.
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Propagate error codes from called functions, they are correct.
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Driver better use dev_dbg, not pr_debug.
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
no need to change error code value returned by
mei_me_cl_by_id, just propagate it on
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Move the unexpected state print to the beginning of mei_reset,
thus printing right state.
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
The flow may reach the err label without freeing cl and cl_info
cl and cl_info weren't assigned to ndev->cl and cl_info
so they weren't freed in mei_nfc_free called on error path
Cc: <stable@vger.kernel.org> # 3.10+
Cc: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Move host_clients_map cleanup from host client init to device init.
This fixes bug where we cleaned up the bitmask that servers as pool for
host client ids while file descriptors are kept open during suspend.
On resume a new connection will be assigned id that is already taken
by opened file descriptor. Consequently read/write will fail due to
mismatched book keeping.
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
The mei_me driver prints "suspend" at error level at each suspend. It
also prints "stop" at error level at driver unload. Downgrade these
uninteresting messages to debug level.
Cc: Adam Jackson <ajax@redhat.com>
Cc: Joe Perches <joe@perches.com>
Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
add missing device id for LPT based work station
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
propagate error codes from called functions, they are correct.
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Make open counter to be incremented and decremented
from mei_cl_link and mei_cl_unlik function respectively
Nfc was assuming symmetric linking API and thus open handler
count was never decreased. This patch fixes that.
We need to add separate open hander count for amthif which
is handled out of link/unlink functions and doesn't break
the symmetric API.
Last we do not waste clients slots if amthif or wd are not present
in the device. we don't need to allocates slots ahead
it is all covered by link/unlink before the devices is responding
to user space connection and thus not racing on allocation
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
1. Perform simple checks first and only then attempt to allocate cl structure.
2. Remove open_handler_count test, this is already checked in mei_cl_link function
3. return -EMFILE instead of -ENOENT as expected by user space
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
We need/want the mei fixes in here so we can apply other updates that
are depending on them.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Unset init_clients_timer and amthif_stall_timers
in mei_reset in order to cancel timer ticking and hence
avoid recursive reset calls.
Cc: <stable@vger.kernel.org> # 3.9+
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Bus layer omitted check for client state transition while waiting
for read completion
The client state transition may occur for example as result
of firmware initiated reset
Add mei_cl_is_transitioning wrapper to reduce the code
repetition.:
Cc: <stable@vger.kernel.org> # 3.9+
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
1. u8 counters are prone to hard to detect overflow:
make them unsigned long to match bit_ functions argument type
2. don't check me_clients_num for negativity, it is unsigned.
3. init all the me client counters from one place
Cc: <stable@vger.kernel.org> # 3.9+
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
The driver core clears the driver data to NULL after device_release
or on probe failure. Thus, it is not needed to manually clear the
device driver data to NULL.
Signed-off-by: Jingoo Han <jg1.han@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
we can call list_del_init regardless the client is
linked or not it is always properly initialized
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
this eventually allows as use a single write queue
both for control and data messages and removing possible
race
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
ENODEV will cause application to try to reconnect since
it assumes that device went through the reset
write errors are not always fatal it can happen due to
resource contention
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Fix calling function names in debug prints.
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
define cl_dbg and cl_err macros that add me and host id
prefix for debug and error log messages so we can track
for the client context of the flow.
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
mei_io_cb_free follows kfree design and check for NULL internally
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
1. Return zero on zero length read and writes
2. For a too large write return -EFBIG as defined in man write(2)
EFBIG An attempt was made to write a file that
exceeds the implementation-defined maximum
file size or the process's file size limit,
or to write at a position past the maximum
allowed offset.
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
hbm.c: In function mei_hbm_me_cl_allocate:
hbm.c:52:212: warning: format %zd expects argument of type signed size_t but argument 4 has type long unsigned
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
1. return -EFUALT when copy_from_user fails
2. display error message on failure in error level
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
To make static analyzers happy validated that
sizeof me_clients_map is larger than sizeof valid_addresses from the
enumeration response before memcpy
We can use BUILD_ON macro as both arrays are defined statically
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
mei_cl_link is called both from mei_open and also from
in-kernel drivers so we need to protect open_handle_count
from overflow
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
Pull driver core patches from Greg KH:
"Here's the big driver core pull request for 3.12-rc1.
Lots of tiny changes here fixing up the way sysfs attributes are
created, to try to make drivers simpler, and fix a whole class race
conditions with creations of device attributes after the device was
announced to userspace.
All the various pieces are acked by the different subsystem
maintainers"
* tag 'driver-core-3.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: (119 commits)
firmware loader: fix pending_fw_head list corruption
drivers/base/memory.c: introduce help macro to_memory_block
dynamic debug: line queries failing due to uninitialized local variable
sysfs: sysfs_create_groups returns a value.
debugfs: provide debugfs_create_x64() when disabled
rbd: convert bus code to use bus_groups
firmware: dcdbas: use binary attribute groups
sysfs: add sysfs_create/remove_groups for when SYSFS is not enabled
driver core: add #include <linux/sysfs.h> to core files.
HID: convert bus code to use dev_groups
Input: serio: convert bus code to use drv_groups
Input: gameport: convert bus code to use drv_groups
driver core: firmware: use __ATTR_RW()
driver core: core: use DEVICE_ATTR_RO
driver core: bus: use DRIVER_ATTR_WO()
driver core: create write-only attribute macros for devices and drivers
sysfs: create __ATTR_WO()
driver-core: platform: convert bus code to use dev_groups
workqueue: convert bus code to use dev_groups
MEI: convert bus code to use dev_groups
...
|
|
The dev_attrs field of struct bus_type is going away soon, dev_groups
should be used instead. This converts the MEI bus code to use
the correct field.
Acked-by: Tomas Winkler <tomas.winkler@intel.com>
Cc: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Both H_IS and H_IE needs to be set to receive H_RDY
interrupt
1. Assert H_IS to clear the interrupts during hw reset
and use mei_me_reg_write instead of mei_hcsr_set as the later
strips down the H_IS
2. fix interrupt disablement embarrassing typo
hcsr |= ~H_IE -> hcsr &= ~H_IE;
this will remove the unwanted interrupt on power down
3. remove useless debug print outs
Cc: Shuah Khan <shuah.kh@samsung.com>
Cc: Konstantin Khlebnikov <khlebnikov@openvz.org>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
This resolves a merge issue with:
drivers/misc/mei/init.c
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Clear pending connection after hw reset but before hw start
and wake up the waiting task in poll. Signal POLLERR in select
when device went through reset.
Add wrapper mei_cl_is_connected for checking if
the device and client are connected.
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
1. use strncmp for comparsion strncpy was used for copying
which may omit the final %NUL terminator
2. id->name is statically defined so we can use sizeof
Acked-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
