24 Mar, 2019

2 commits

  • commit b5958faa34e2f99f3475ad89c52d98dfea079d33 upstream.

    Fix unbalanced module reference counting during internal reset, which
    prevents the drivers unloading.
    Tracking mei_me/txe modules on mei client bus via
    mei_cldev_enable/disable is error prone due to possible internal
    reset flow, where clients are disconnected underneath.
    Moving reference counting to probe and release of mei bus client
    driver solves this issue in simplest way, as each client provides only
    a single connection to a client bus driver.

    Cc:
    Signed-off-by: Alexander Usyskin
    Signed-off-by: Tomas Winkler
    Signed-off-by: Greg Kroah-Hartman

    Alexander Usyskin
     
  • commit 37fd0b623023484ef6df79ed46f21f06ecc611ff upstream.

    The list of supported functions can be altered upon link reset,
    clean the flags to allow correct selections of supported
    features.

    Cc: v4.19+
    Signed-off-by: Alexander Usyskin
    Signed-off-by: Tomas Winkler
    Signed-off-by: Greg Kroah-Hartman

    Alexander Usyskin
     

15 Feb, 2019

1 commit


31 Jan, 2019

2 commits


12 Sep, 2018

4 commits

  • In case a client fails to connect in mei_cldev_enable(), the
    caller won't call the mei_cldev_disable leaving the client
    in a linked state. Upon driver unload the client structure
    will be freed in mei_cl_bus_dev_release(), leaving a stale pointer
    on a fail_list. This will eventually end up in crash
    during power down flow in mei_cl_set_disconnected().

    RIP: mei_cl_set_disconnected+0x5/0x260[mei]
    Call trace:
    mei_cl_all_disconnect+0x22/0x30
    mei_reset+0x194/0x250
    __synchronize_hardirq+0x43/0x50
    _cond_resched+0x15/0x30
    mei_me_intr_clear+0x20/0x100
    mei_stop+0x76/0xb0
    mei_me_shutdown+0x3f/0x80
    pci_device_shutdown+0x34/0x60
    kernel_restart+0x0e/0x30

    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200455
    Fixes: 'c110cdb17148 ("mei: bus: make a client pointer always available")'
    Cc: 4.10+
    Tested-by: Georg Müller
    Signed-off-by: Tomas Winkler
    Signed-off-by: Greg Kroah-Hartman

    Tomas Winkler
     
  • In case the device is not connected it doesn't 'get'
    hw module and hence should not 'put' it on disable.

    Cc: 4.16+
    Fixes:'commit 257355a44b99 ("mei: make module referencing local to the bus.c")'
    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200455
    Tested-by: Georg Müller
    Signed-off-by: Tomas Winkler
    Signed-off-by: Greg Kroah-Hartman

    Tomas Winkler
     
  • KASAN reports a use-after-free during startup, in mei_cl_write:

    BUG: KASAN: use-after-free in mei_cl_write+0x601/0x870 [mei]
    (drivers/misc/mei/client.c:1770)

    This is caused by commit 98e70866aacb ("mei: add support for variable
    length mei headers."), which changed the return value from len, to
    buf->size. That ends up using a stale buf pointer, because blocking
    call, the cb (callback) is deleted in me_cl_complete() function.

    However, fortunately, len remains unchanged throughout the function
    (and I don't see anything else that would require re-reading buf->size
    either), so the fix is to simply revert the change, and return len, as
    before.

    Fixes: 98e70866aacb ("mei: add support for variable length mei headers.")
    CC: Arnd Bergmann
    CC: Greg Kroah-Hartman
    Signed-off-by: John Hubbard
    Signed-off-by: Tomas Winkler
    Signed-off-by: Greg Kroah-Hartman

    John Hubbard
     
  • Some of the ME clients are available only for BIOS operation and are
    removed during hand off to an OS. However the removal is not instant.
    A client may be visible on the client list when the mei driver requests
    for enumeration, while the subsequent request for properties will be
    answered with client not found error value. The default behavior
    for an error is to perform client reset while this error is harmless and
    the link reset should be prevented. This issue started to be visible due to
    suspend/resume timing changes. Currently reported only on the Haswell
    based system.

    Fixes:
    [33.564957] mei_me 0000:00:16.0: hbm: properties response: wrong status = 1 CLIENT_NOT_FOUND
    [33.564978] mei_me 0000:00:16.0: mei_irq_read_handler ret = -71.
    [33.565270] mei_me 0000:00:16.0: unexpected reset: dev_state = INIT_CLIENTS fw status = 1E000255 60002306 00000200 00004401 00000000 00000010

    Cc:
    Reported-by: Heiner Kallweit
    Signed-off-by: Alexander Usyskin
    Signed-off-by: Tomas Winkler
    Signed-off-by: Greg Kroah-Hartman

    Alexander Usyskin
     

02 Aug, 2018

5 commits


24 Jul, 2018

3 commits

  • Wrap the mei header boilerplate initialization code in
    mei_msg_hdr_init function. On the way remove 'completed'
    field from mei_cl_cb structure as this information
    is already included in the header and is local to particular
    fragment.

    Signed-off-by: Tomas Winkler
    Signed-off-by: Greg Kroah-Hartman

    Tomas Winkler
     
  • The host buffer depth is hardware specific so it's better to
    handle it inside the me and txe hw modules. In me the depth
    is read from register; in txe it's a constant number.
    The value is now retrieved via mei_hbuf_depth accessor,
    while it replaces mei_hbuf_max_len.

    Signed-off-by: Tomas Winkler
    Signed-off-by: Greg Kroah-Hartman

    Tomas Winkler
     
  • Cleanup conversions between slots and data.
    Define MEI_SLOT_SIZE instead of using 4 or sizeof(u32) across
    the source code.

    Signed-off-by: Tomas Winkler
    Signed-off-by: Greg Kroah-Hartman

    Tomas Winkler
     

16 Jul, 2018

2 commits

  • Comparison between signed and unsigned warnings
    and associated type promotion may cause error
    condition not to be detected.
    The type promotion issue in mei bus was addressed by two patches:
    commit b40b3e9358fb ("mei: bus: type promotion bug in mei_nfc_if_version()")
    commit cf1ed2c59b98 ("mei: bus: type promotion bug in mei_fwver()")
    Now it is possible to suppress the warning, by adding proper
    casting to move out of radar.

    Signed-off-by: Tomas Winkler
    Signed-off-by: Greg Kroah-Hartman

    Tomas Winkler
     
  • We want the char-misc fixes in here as well.

    Signed-off-by: Greg Kroah-Hartman

    Greg Kroah-Hartman
     

12 Jul, 2018

6 commits

  • Use ssize_t for rets variables in mei_write(), mei_read(), and
    mei_cl_write() as well as change the return type of mei_cl_write()
    to ssize_t, to prevent assignment of possible 64bit size_t
    to int 32 bit variable.

    As by product also eliminate warning
    drivers/misc/mei/client.c:1702:11: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]

    Signed-off-by: Tomas Winkler
    Signed-off-by: Greg Kroah-Hartman

    Tomas Winkler
     
  • In for loops use same type for counter variable
    as has the limiting variable.

    drivers/misc/mei/bus-fixup.c:489:16: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
    drivers/misc/mei/hw-txe.c:725:13: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
    drivers/misc/mei/hw-txe.c:744:16: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]

    Signed-off-by: Tomas Winkler
    Signed-off-by: Greg Kroah-Hartman

    Tomas Winkler
     
  • mei_hbuf_empty_slots() may return with an error in case
    of circular buffer overflow. This type of error may
    be caused only by a bug. However currently, the error
    won't be detected due to signed type promotion in comparison to u32.
    We add explicit check for less than zero and explicit cast
    in comparison to suppress sign-compare warning.

    Reported-by: Dan Carpenter
    Signed-off-by: Tomas Winkler
    Signed-off-by: Greg Kroah-Hartman

    Tomas Winkler
     
  • MEI enables writes of complete messages only
    while read can be performed in parts, hence
    write should not update the file offset to
    not break interleaving partial reads with writes.

    Cc:
    Signed-off-by: Alexander Usyskin
    Signed-off-by: Tomas Winkler
    Signed-off-by: Greg Kroah-Hartman

    Alexander Usyskin
     
  • If __mei_cl_recv() returns a negative then "bytes_recv"
    type is promoted to a high positive value in comparison with
    size_t evaluated by MKHI_FWVER_LEN(1). It results in error condition
    not to be detected.

    Cc: Dan Carpenter
    Fixes: 9078ad92ef86 ("mei: expose fw version to sysfs")
    Signed-off-by: Tomas Winkler
    Signed-off-by: Greg Kroah-Hartman

    Tomas Winkler
     
  • We accidentally removed the check for negative returns
    without considering the issue of type promotion.
    The "if_version_length" variable is type size_t so if __mei_cl_recv()
    returns a negative then "bytes_recv" is type promoted
    to a high positive value and treated as success.

    Cc:
    Fixes: 582ab27a063a ("mei: bus: fix received data size check in NFC fixup")
    Signed-off-by: Dan Carpenter
    Signed-off-by: Tomas Winkler
    Signed-off-by: Greg Kroah-Hartman

    Dan Carpenter
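
The signed/unsigned promotion bug described in the three commit messages above (mei_fwver(), mei_nfc_if_version() and the mei_hbuf_empty_slots() check), reproduced in user-space C. This is an added example, not code from the kernel tree; `fake_recv`, `check_buggy` and `check_fixed` are hypothetical names, and only the shape of the comparison follows the commit text.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical stand-in for a receive call: byte count on success,
 * negative errno on failure (the convention the commits describe). */
static ssize_t fake_recv(int fail, size_t avail)
{
    return fail ? -ENODEV : (ssize_t)avail;
}

/* -Wsign-compare flags the comparison below; it is silenced here only so
 * the deliberately buggy form builds cleanly under strict warning flags. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wsign-compare"
/* Buggy: bytes_recv is converted to size_t for the comparison, so a
 * negative errno becomes a huge positive value and is treated as success. */
static int check_buggy(ssize_t bytes_recv, size_t expected_len)
{
    if (bytes_recv < expected_len)
        return -EIO;
    return 0;
}
#pragma GCC diagnostic pop

/* Fixed: test for a negative return first, then compare with an explicit
 * cast, as the commit messages describe. */
static int check_fixed(ssize_t bytes_recv, size_t expected_len)
{
    if (bytes_recv < 0 || (size_t)bytes_recv < expected_len)
        return -EIO;
    return 0;
}

int main(void)
{
    size_t expected_len = 4;                /* constructed sample length */
    ssize_t err = fake_recv(1, 0);          /* failed receive            */
    ssize_t part = fake_recv(0, 2);         /* short receive             */

    printf("failed recv: buggy=%d fixed=%d\n",
           check_buggy(err, expected_len), check_fixed(err, expected_len));
    printf("short recv:  buggy=%d fixed=%d\n",
           check_buggy(part, expected_len), check_fixed(part, expected_len));
    return 0;
}
```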
     

03 Jul, 2018

4 commits

  • This fixes regression introduced by
    commit 8d52af6795c0 ("mei: speed up the power down flow")

    In power down or suspend flow a message can still be received
    from the FW because the clients fake disconnection.
    In normal case we interpret messages w/o destination as corrupted
    and link reset is performed in order to clean the channel,
    but during power down link reset is already in progress resulting
    in endless loop. To resolve the issue under power down flow we
    discard messages silently.

    Cc: 4.16+
    Fixes: 8d52af6795c0 ("mei: speed up the power down flow")
    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199541
    Signed-off-by: Alexander Usyskin
    Signed-off-by: Tomas Winkler
    Signed-off-by: Greg Kroah-Hartman

    Alexander Usyskin
     
  • The ME FW version is constantly used by detection and update tools.
    To improve the reliability and simplify these tools provide
    a sysfs interface to access version of the platform ME firmware
    in the following format:
    :....
    There can be up to three such blocks for different FW components.

    Signed-off-by: Alexander Usyskin
    Signed-off-by: Tomas Winkler
    Signed-off-by: Greg Kroah-Hartman

    Alexander Usyskin
     
  • Add optional timeout to internal bus recv function to
    enable break out of internal flows in case of no answer from FW.

    Signed-off-by: Alexander Usyskin
    Signed-off-by: Tomas Winkler
    Signed-off-by: Greg Kroah-Hartman

    Alexander Usyskin
     
  • MEI_IAMTHIF_STALL_TIMER is unused now and can be safely removed.

    Signed-off-by: Alexander Usyskin
    Signed-off-by: Tomas Winkler
    Signed-off-by: Greg Kroah-Hartman

    Alexander Usyskin
     

15 Mar, 2018

3 commits

  • Currently the driver spams the kernel log on unsupported ioctls which is
    unnecessary as the ioctl returns -ENOIOCTLCMD to indicate this anyway.
    I suspect this was originally for debugging purposes but it really is not
    required so remove it.

    Signed-off-by: Colin Ian King
    Cc: stable
    Signed-off-by: Greg Kroah-Hartman

    Colin Ian King
     
  • Limit the number of queued writes per client.
    Writes above this threshold are blocked till place
    in the transmit queue is available.
    The limit is configurable via sysfs and defaults to 50.
    The implementation should provide blocking I/O behavior.
    Prior to this change one would end up in the hands of OOM.

    Signed-off-by: Alexander Usyskin
    Signed-off-by: Tomas Winkler
    Signed-off-by: Greg Kroah-Hartman

    Alexander Usyskin
     
  • Module reference counting is relevant only to the
    mei client devices. Make the implementation clean
    and move it to bus.c

    Signed-off-by: Tomas Winkler
    Signed-off-by: Greg Kroah-Hartman

    Tomas Winkler
     

20 Feb, 2018

2 commits


16 Feb, 2018

1 commit

  • This fixes regression introduced by
    commit 8d52af6795c0 ("mei: speed up the power down flow")

    In mei_cldev_disable during device power down flow, such as
    suspend or system power off, it jumps over disconnecting function
    to speed up the power down process, however, because the client is
    unlinked from the file_list (mei_cl_unlink) mei_cl_set_disconnected
    is not called from mei_cl_all_disconnect leaving resource leaking.
    The most visible is reference counter on underlying HW module is
    not decreased preventing to remove modules after suspend/resume cycles.

    Signed-off-by: Tomas Winkler
    Fixes: 8d52af6795c0 ("mei: speed up the power down flow")
    Signed-off-by: Greg Kroah-Hartman

    Tomas Winkler
     

12 Feb, 2018

1 commit

  • This is the mindless scripted replacement of kernel use of POLL*
    variables as described by Al, done by this script:

    for V in IN OUT PRI ERR RDNORM RDBAND WRNORM WRBAND HUP RDHUP NVAL MSG; do
    L=`git grep -l -w POLL$V | grep -v '^t' | grep -v /um/ | grep -v '^sa' | grep -v '/poll.h$'|grep -v '^D'`
    for f in $L; do sed -i "-es/^\([^\"]*\)\(\<POLL$V\>\)/\\1E\\2/" $f; done
    done

    with de-mangling cleanups yet to come.

    NOTE! On almost all architectures, the EPOLL* constants have the same
    values as the POLL* constants do. But the keyword here is "almost".
    For various bad reasons they aren't the same, and epoll() doesn't
    actually work quite correctly in some cases due to this on Sparc et al.

    The next patch from Al will sort out the final differences, and we
    should be all done.

    Scripted-by: Al Viro
    Signed-off-by: Linus Torvalds

    Linus Torvalds
     

02 Feb, 2018

1 commit

  • Pull char/misc driver updates from Greg KH:
    "Here is the big pull request for char/misc drivers for 4.16-rc1.

    There's a lot of stuff in here. Three new driver subsystems were added
    for various types of hardware busses:

    - siox
    - slimbus
    - soundwire

    as well as a new vboxguest subsystem for the VirtualBox hypervisor
    drivers.

    There's also big updates from the FPGA subsystem, lots of Android
    binder fixes, the usual handful of hyper-v updates, and lots of other
    smaller driver updates.

    All of these have been in linux-next for a long time, with no reported
    issues"

    * tag 'char-misc-4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (155 commits)
    char: lp: use true or false for boolean values
    android: binder: use VM_ALLOC to get vm area
    android: binder: Use true and false for boolean values
    lkdtm: fix handle_irq_event symbol for INT_HW_IRQ_EN
    EISA: Delete error message for a failed memory allocation in eisa_probe()
    EISA: Whitespace cleanup
    misc: remove AVR32 dependencies
    virt: vbox: Add error mapping for VERR_INVALID_NAME and VERR_NO_MORE_FILES
    soundwire: Fix a signedness bug
    uio_hv_generic: fix new type mismatch warnings
    uio_hv_generic: fix type mismatch warnings
    auxdisplay: img-ascii-lcd: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
    uio_hv_generic: add rescind support
    uio_hv_generic: check that host supports monitor page
    uio_hv_generic: create send and receive buffers
    uio: document uio_hv_generic regions
    doc: fix documentation about uio_hv_generic
    vmbus: add monitor_id and subchannel_id to sysfs per channel
    vmbus: fix ABI documentation
    uio_hv_generic: use ISR callback method
    ...

    Linus Torvalds
     

10 Jan, 2018

1 commit

  • ->dev_state can't be both MEI_DEV_RESETTING and MEI_DEV_POWER_DOWN at
    the same time. && was clearly intended here.

    Fixes: 8d52af6795c0 ("mei: speed up the power down flow")
    Signed-off-by: Dan Carpenter
    Signed-off-by: Greg Kroah-Hartman

    Dan Carpenter
     

03 Jan, 2018

2 commits

  • The current expression using the || operator is always true because
    dev->dev_state cannot be equal to two different values at the same time.
    Fix this by replacing the || with &&.

    Detected by CoverityScan, CID#1463042 ("Constant expression result")

    Fixes: 8d52af6795c0 ("mei: speed up the power down flow")
    Signed-off-by: Colin Ian King
    Signed-off-by: Greg Kroah-Hartman

    Colin Ian King
     
  • From the pci power documentation:
    "The driver itself should not call pm_runtime_allow(), though. Instead,
    it should let user space or some platform-specific code do that (user space
    can do it via sysfs as stated above)..."

    However, the S0ix residency cannot be reached without MEI device getting
    into low power state. Hence, for mei devices that support D0i3, it's better
    to make runtime power management mandatory and not rely on the system
    integration such as udev rules.
    This policy cannot be applied globally as some older platforms
    were found to have broken power management.

    Cc: v4.13+
    Cc: Rafael J. Wysocki
    Signed-off-by: Tomas Winkler
    Reviewed-by: Alexander Usyskin
    Signed-off-by: Greg Kroah-Hartman

    Tomas Winkler