24 Mar, 2019
2 commits
-
commit b5958faa34e2f99f3475ad89c52d98dfea079d33 upstream.
Fix unbalanced module reference counting during internal reset, which
prevents the drivers unloading.
Tracking mei_me/txe modules on mei client bus via
mei_cldev_enable/disable is error prone due to possible internal
reset flow, where clients are disconnected underneath.
Moving reference counting to probe and release of mei bus client
driver solves this issue in simplest way, as each client provides only
a single connection to a client bus driver.
Cc:
Signed-off-by: Alexander Usyskin
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
-
commit 37fd0b623023484ef6df79ed46f21f06ecc611ff upstream.
The list of supported functions can be altered upon link reset,
clean the flags to allow correct selections of supported
features.
Cc: v4.19+
Signed-off-by: Alexander Usyskin
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
15 Feb, 2019
1 commit
-
commit efe814e90b98aed6d655b5a4092b9114b8b26e42 upstream.
Add icelake mei device id.
Cc:
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
31 Jan, 2019
2 commits
-
commit f7ee8ead151f9d0b8dac6ab6c3ff49bbe809c564 upstream.
Add the Denverton innovation engine (IE) device ids.
The IE is an ME-like device which provides HW security
offloading.
Cc:
Signed-off-by: Tomas Winkler
Signed-off-by: Alexander Usyskin
Signed-off-by: Greg Kroah-Hartman
-
commit 173436ba800d01178a8b19e5de4a8cb02c0db760 upstream.
The LBG server platform sports DMA support.
Cc: #v5.0+
Signed-off-by: Alexander Usyskin
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
12 Sep, 2018
4 commits
-
In case a client fails to connect in mei_cldev_enable(), the
caller won't call the mei_cldev_disable leaving the client
in a linked state. Upon driver unload the client structure
will be freed in mei_cl_bus_dev_release(), leaving a stale pointer
on a fail_list. This will eventually end up in crash
during power down flow in mei_cl_set_disconnected().
RIP: mei_cl_set_disconnected+0x5/0x260[mei]
Call trace:
mei_cl_all_disconnect+0x22/0x30
mei_reset+0x194/0x250
__synchronize_hardirq+0x43/0x50
_cond_resched+0x15/0x30
mei_me_intr_clear+0x20/0x100
mei_stop+0x76/0xb0
mei_me_shutdown+0x3f/0x80
pci_device_shutdown+0x34/0x60
kernel_restart+0x0e/0x30
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200455
Fixes: 'c110cdb17148 ("mei: bus: make a client pointer always available")'
Cc: 4.10+
Tested-by: Georg Müller
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
-
In case the device is not connected it doesn't 'get'
hw module and hence should not 'put' it on disable.
Cc: 4.16+
Fixes: 'commit 257355a44b99 ("mei: make module referencing local to the bus.c")'
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200455
Tested-by: Georg Müller
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
-
KASAN reports a use-after-free during startup, in mei_cl_write:
BUG: KASAN: use-after-free in mei_cl_write+0x601/0x870 [mei]
(drivers/misc/mei/client.c:1770)
This is caused by commit 98e70866aacb ("mei: add support for variable
length mei headers."), which changed the return value from len, to
buf->size. That ends up using a stale buf pointer, because blocking
call, the cb (callback) is deleted in me_cl_complete() function.
However, fortunately, len remains unchanged throughout the function
(and I don't see anything else that would require re-reading buf->size
either), so the fix is to simply revert the change, and return len, as
before.
Fixes: 98e70866aacb ("mei: add support for variable length mei headers.")
CC: Arnd Bergmann
CC: Greg Kroah-Hartman
Signed-off-by: John Hubbard
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
-
Some of the ME clients are available only for BIOS operation and are
removed during hand off to an OS. However the removal is not instant.
A client may be visible on the client list when the mei driver requests
for enumeration, while the subsequent request for properties will be
answered with client not found error value. The default behavior
for an error is to perform client reset while this error is harmless and
the link reset should be prevented. This issue started to be visible due to
suspend/resume timing changes. Currently reported only on the Haswell
based system.
Fixes:
[33.564957] mei_me 0000:00:16.0: hbm: properties response: wrong status = 1 CLIENT_NOT_FOUND
[33.564978] mei_me 0000:00:16.0: mei_irq_read_handler ret = -71.
[33.565270] mei_me 0000:00:16.0: unexpected reset: dev_state = INIT_CLIENTS fw status = 1E000255 60002306 00000200 00004401 00000000 00000010
Cc:
Reported-by: Heiner Kallweit
Signed-off-by: Alexander Usyskin
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
02 Aug, 2018
5 commits
-
Define dma ring buffer sizes for PCH12 (CLN HW and newer)
Signed-off-by: Alexander Usyskin
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
-
Only a firmware with version 2.1 and above supports dma ring feature.
Signed-off-by: Tomas Winkler
Signed-off-by: Alexander Usyskin
Signed-off-by: Greg Kroah-Hartman
-
Add dma_ring bit in the mei message header for conveying
that the message data itself are on the dma ring.
Signed-off-by: Tomas Winkler
Signed-off-by: Alexander Usyskin
Signed-off-by: Greg Kroah-Hartman
-
The protocol defines how to setup an I/O ring on top of host
memory to utilize the device DMA engine for faster transport.
Three memory buffers are allocated.
A Host circular buffer for Host to Device communication.
A Device circular buffer for Device to Host communication.
And finally a Control block where the pointers for both
circular buffers are managed.
Signed-off-by: Tomas Winkler
Signed-off-by: Alexander Usyskin
Signed-off-by: Greg Kroah-Hartman
-
Remove header size knowledge from me and txe hw layers,
this requires to change the write handler to accept
header and its length as well as data and its length.
HBM messages are fixed to use basic header, hence we add mei_hbm2slots()
that converts HBM message length and mei message header,
while mei_data2slots() converts data length directly to the slots.
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
24 Jul, 2018
3 commits
-
Wrap the mei header boilerplate initialization code in
mei_msg_hdr_init function. On the way remove 'completed'
field from mei_cl_cb structure as this information
is already included in the header and is local to particular
fragment.
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
-
The host buffer depth is hardware specific so it's better to
handle it inside the me and txe hw modules. In me the depth
is read from a register; in txe it's a constant number.
The value is now retrieved via mei_hbuf_depth accessor,
while it replaces mei_hbuf_max_len.
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
-
Cleanup conversions between slots and data.
Define MEI_SLOT_SIZE instead of using 4 or sizeof(u32) across
the source code.
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
16 Jul, 2018
2 commits
-
Comparison between signed and unsigned warnings
and associated type promotion may cause error
condition not to be detected.
The type promotion issue in mei bus was addressed by two patches:
commit b40b3e9358fb ("mei: bus: type promotion bug in mei_nfc_if_version()")
commit cf1ed2c59b98 ("mei: bus: type promotion bug in mei_fwver()")
Now it is possible to suppress the warning, by adding proper
casting to move out of radar.
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
-
We want the char-misc fixes in here as well.
Signed-off-by: Greg Kroah-Hartman
12 Jul, 2018
6 commits
-
Use ssize_t for rets variables in mei_write(), mei_read(), and
mei_cl_write() as well as change the return type of mei_cl_write()
to ssize_t, to prevent assignment of possible 64bit size_t
to int 32 bit variable.
As a byproduct, also eliminate the warning
drivers/misc/mei/client.c:1702:11: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
-
In for loops use same type for counter variable
as has the limiting variable.
drivers/misc/mei/bus-fixup.c:489:16: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
drivers/misc/mei/hw-txe.c:725:13: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
drivers/misc/mei/hw-txe.c:744:16: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
-
mei_hbuf_empty_slots() may return with an error in case
of circular buffer overflow. This type of error may
be caused only by a bug. However currently, the error
won't be detected due to signed type promotion in comparison to u32.
We add explicit check for less than zero and explicit cast
in comparison to suppress sign-compare warning.
Reported-by: Dan Carpenter
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
-
MEI enables writes of complete messages only
while read can be performed in parts, hence
write should not update the file offset to
not break interleaving partial reads with writes.
Cc:
Signed-off-by: Alexander Usyskin
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
-
If __mei_cl_recv() returns a negative then "bytes_recv"
type is promoted to a high positive value in comparison with
size_t evaluated by MKHI_FWVER_LEN(1). It results in error condition
not to be detected.
Cc: Dan Carpenter
Fixes: 9078ad92ef86 ("mei: expose fw version to sysfs")
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
-
We accidentally removed the check for negative returns
without considering the issue of type promotion.
The "if_version_length" variable is type size_t so if __mei_cl_recv()
returns a negative then "bytes_recv" is type promoted
to a high positive value and treated as success.
Cc:
Fixes: 582ab27a063a ("mei: bus: fix received data size check in NFC fixup")
Signed-off-by: Dan Carpenter
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
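The type promotion described in the three commits above (the mei_hbuf_empty_slots(), mei_fwver() and NFC fixup checks), shown as an added example that is not code from the kernel tree. All names (fake_recv, accept_buggy, accept_fixed, REPLY_LEN) are hypothetical and the return values are constructed.

```c
/* Added illustration; every name here is hypothetical, not kernel code. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

#define REPLY_LEN ((size_t)8) /* constructed minimum reply size */

/* Stand-in receive helper: bytes received, or a negative errno. */
static ssize_t fake_recv(int fail, size_t avail)
{
	return fail ? -(ssize_t)ENODEV : (ssize_t)avail;
}

/*
 * Buggy length check. Comparing a signed value with a size_t converts
 * the signed operand to unsigned; the cast writes out that implicit
 * conversion. Returns 1 if the reply is accepted, 0 if rejected.
 */
static int accept_buggy(ssize_t bytes_recv)
{
	if ((size_t)bytes_recv < REPLY_LEN)
		return 0;
	return 1;
}

/* Fixed check: reject negative returns before the unsigned compare. */
static int accept_fixed(ssize_t bytes_recv)
{
	if (bytes_recv < 0 || (size_t)bytes_recv < REPLY_LEN)
		return 0;
	return 1;
}

int main(void)
{
	ssize_t cases[] = { fake_recv(1, 0), fake_recv(0, 4), fake_recv(0, 8) };
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("ret=%ld buggy=%d fixed=%d\n", (long)cases[i],
		       accept_buggy(cases[i]), accept_fixed(cases[i]));
	return 0;
}
```

The error return is the only case where the two checks disagree: the buggy form accepts it as a full-length reply, so the caller goes on to parse a buffer that was never filled.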
03 Jul, 2018
4 commits
-
This fixes regression introduced by
commit 8d52af6795c0 ("mei: speed up the power down flow")
In power down or suspend flow a message can still be received
from the FW because the clients fake disconnection.
In normal case we interpret messages w/o destination as corrupted
and link reset is performed in order to clean the channel,
but during power down link reset is already in progress resulting
in endless loop. To resolve the issue under power down flow we
discard messages silently.
Cc: 4.16+
Fixes: 8d52af6795c0 ("mei: speed up the power down flow")
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199541
Signed-off-by: Alexander Usyskin
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
-
The ME FW version is constantly used by detection and update tools.
To improve the reliability and simplify these tools, provide
a sysfs interface to access version of the platform ME firmware
in the following format:
:....
There can be up to three such blocks for different FW components.
Signed-off-by: Alexander Usyskin
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
-
Add optional timeout to internal bus recv function to
enable break out of internal flows in case of no answer from FW.
Signed-off-by: Alexander Usyskin
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
-
MEI_IAMTHIF_STALL_TIMER is unused now and can be safely removed.
Signed-off-by: Alexander Usyskin
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
15 Mar, 2018
3 commits
-
Currently the driver spams the kernel log on unsupported ioctls which is
unnecessary as the ioctl returns -ENOIOCTLCMD to indicate this anyway.
I suspect this was originally for debugging purposes but it really is not
required so remove it.
Signed-off-by: Colin Ian King
Cc: stable
Signed-off-by: Greg Kroah-Hartman
-
Limit the number of queued writes per client.
Writes above this threshold are blocked till place
in the transmit queue is available.
The limit is configurable via sysfs and defaults to 50.
The implementation should provide blocking I/O behavior.
Prior to this change one would end up in the hands of OOM.
Signed-off-by: Alexander Usyskin
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
-
Module reference counting is relevant only to the
mei client devices. Make the implementation clean
and move it to bus.c
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
20 Feb, 2018
2 commits
-
Add cannon point device ids for 4th (itouch) device.
Cc: 4.14+
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
-
Add CNP LP and CNP H device ids for cannon lake
and coffee lake platforms.
Cc: 4.14+
Signed-off-by: Alexander Usyskin
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman
16 Feb, 2018
1 commit
-
This fixes regression introduced by
commit 8d52af6795c0 ("mei: speed up the power down flow")
In mei_cldev_disable during device power down flow, such as
suspend or system power off, it jumps over disconnecting function
to speed up the power down process, however, because the client is
unlinked from the file_list (mei_cl_unlink) mei_cl_set_disconnected
is not called from mei_cl_all_disconnect leaving resource leaking.
The most visible is reference counter on underlying HW module is
not decreased preventing to remove modules after suspend/resume cycles.
Signed-off-by: Tomas Winkler
Fixes: 8d52af6795c0 ("mei: speed up the power down flow")
Signed-off-by: Greg Kroah-Hartman
12 Feb, 2018
1 commit
-
This is the mindless scripted replacement of kernel use of POLL*
variables as described by Al, done by this script:
for V in IN OUT PRI ERR RDNORM RDBAND WRNORM WRBAND HUP RDHUP NVAL MSG; do
L=`git grep -l -w POLL$V | grep -v '^t' | grep -v /um/ | grep -v '^sa' | grep -v '/poll.h$'|grep -v '^D'`
for f in $L; do sed -i "-es/^\([^\"]*\)\(\\)/\\1E\\2/" $f; done
done
with de-mangling cleanups yet to come.
NOTE! On almost all architectures, the EPOLL* constants have the same
values as the POLL* constants do. But the keyword here is "almost".
For various bad reasons they aren't the same, and epoll() doesn't
actually work quite correctly in some cases due to this on Sparc et al.
The next patch from Al will sort out the final differences, and we
should be all done.
Scripted-by: Al Viro
Signed-off-by: Linus Torvalds
02 Feb, 2018
1 commit
-
Pull char/misc driver updates from Greg KH:
"Here is the big pull request for char/misc drivers for 4.16-rc1.
There's a lot of stuff in here. Three new driver subsystems were added
for various types of hardware busses:
- siox
- slimbus
- soundwire
as well as a new vboxguest subsystem for the VirtualBox hypervisor
drivers.
There's also big updates from the FPGA subsystem, lots of Android
binder fixes, the usual handful of hyper-v updates, and lots of other
smaller driver updates.
All of these have been in linux-next for a long time, with no reported
issues"
* tag 'char-misc-4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (155 commits)
char: lp: use true or false for boolean values
android: binder: use VM_ALLOC to get vm area
android: binder: Use true and false for boolean values
lkdtm: fix handle_irq_event symbol for INT_HW_IRQ_EN
EISA: Delete error message for a failed memory allocation in eisa_probe()
EISA: Whitespace cleanup
misc: remove AVR32 dependencies
virt: vbox: Add error mapping for VERR_INVALID_NAME and VERR_NO_MORE_FILES
soundwire: Fix a signedness bug
uio_hv_generic: fix new type mismatch warnings
uio_hv_generic: fix type mismatch warnings
auxdisplay: img-ascii-lcd: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
uio_hv_generic: add rescind support
uio_hv_generic: check that host supports monitor page
uio_hv_generic: create send and receive buffers
uio: document uio_hv_generic regions
doc: fix documentation about uio_hv_generic
vmbus: add monitor_id and subchannel_id to sysfs per channel
vmbus: fix ABI documentation
uio_hv_generic: use ISR callback method
...
10 Jan, 2018
1 commit
-
->dev_state can't be both MEI_DEV_RESETTING and MEI_DEV_POWER_DOWN at
the same time. && was clearly intended here.
Fixes: 8d52af6795c0 ("mei: speed up the power down flow")
Signed-off-by: Dan Carpenter
Signed-off-by: Greg Kroah-Hartman
03 Jan, 2018
2 commits
-
The current expression using the || operator is always true because
dev->dev_state cannot be equal to two different values at the same time.
Fix this by replacing the || with &&.
Detected by CoverityScan, CID#1463042 ("Constant expression result")
Fixes: 8d52af6795c0 ("mei: speed up the power down flow")
Signed-off-by: Colin Ian King
Signed-off-by: Greg Kroah-Hartman
-
From the pci power documentation:
"The driver itself should not call pm_runtime_allow(), though. Instead,
it should let user space or some platform-specific code do that (user space
can do it via sysfs as stated above)..."
However, the S0ix residency cannot be reached without MEI device getting
into low power state. Hence, for mei devices that support D0i3, it's better
to make runtime power management mandatory and not rely on the system
integration such as udev rules.
This policy cannot be applied globally as some older platforms
were found to have broken power management.
Cc: v4.13+
Cc: Rafael J. Wysocki
Signed-off-by: Tomas Winkler
Reviewed-by: Alexander Usyskin
Signed-off-by: Greg Kroah-Hartman