/* * lms283gf05.c -- support for Samsung LMS283GF05 LCD * * Copyright (c) 2009 Marek Vasut * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. */ #include #include #include #include #include #include #include #include #include struct lms283gf05_state { struct spi_device *spi; struct lcd_device *ld; }; struct lms283gf05_seq { unsigned char reg; unsigned short value; unsigned char delay; }; /* Magic sequences supplied by manufacturer, for details refer to datasheet */ static const struct lms283gf05_seq disp_initseq[] = { /* REG, VALUE, DELAY */ { 0x07, 0x0000, 0 }, { 0x13, 0x0000, 10 }, { 0x11, 0x3004, 0 }, { 0x14, 0x200F, 0 }, { 0x10, 0x1a20, 0 }, { 0x13, 0x0040, 50 }, { 0x13, 0x0060, 0 }, { 0x13, 0x0070, 200 }, { 0x01, 0x0127, 0 }, { 0x02, 0x0700, 0 }, { 0x03, 0x1030, 0 }, { 0x08, 0x0208, 0 }, { 0x0B, 0x0620, 0 }, { 0x0C, 0x0110, 0 }, { 0x30, 0x0120, 0 }, { 0x31, 0x0127, 0 }, { 0x32, 0x0000, 0 }, { 0x33, 0x0503, 0 }, { 0x34, 0x0727, 0 }, { 0x35, 0x0124, 0 }, { 0x36, 0x0706, 0 }, { 0x37, 0x0701, 0 }, { 0x38, 0x0F00, 0 }, { 0x39, 0x0F00, 0 }, { 0x40, 0x0000, 0 }, { 0x41, 0x0000, 0 }, { 0x42, 0x013f, 0 }, { 0x43, 0x0000, 0 }, { 0x44, 0x013f, 0 }, { 0x45, 0x0000, 0 }, { 0x46, 0xef00, 0 }, { 0x47, 0x013f, 0 }, { 0x48, 0x0000, 0 }, { 0x07, 0x0015, 30 }, { 0x07, 0x0017, 0 }, { 0x20, 0x0000, 0 }, { 0x21, 0x0000, 0 }, { 0x22, 0x0000, 0 } }; static const struct lms283gf05_seq disp_pdwnseq[] = { { 0x07, 0x0016, 30 }, { 0x07, 0x0004, 0 }, { 0x10, 0x0220, 20 }, { 0x13, 0x0060, 50 }, { 0x13, 0x0040, 50 }, { 0x13, 0x0000, 0 }, { 0x10, 0x0000, 0 } }; static void lms283gf05_reset(unsigned long gpio, bool inverted) { gpio_set_value(gpio, !inverted); mdelay(100); gpio_set_value(gpio, inverted); mdelay(20); gpio_set_value(gpio, !inverted); mdelay(20); } static void lms283gf05_toggle(struct spi_device *spi, const struct lms283gf05_seq *seq, int sz) { char buf[3]; int i; for (i = 0; i < sz; i++) { buf[0] = 0x74; buf[1] = 0x00; buf[2] = seq[i].reg; spi_write(spi, buf, 3); buf[0] = 0x76; buf[1] = seq[i].value >> 8; buf[2] = seq[i].value & 0xff; spi_write(spi, buf, 3); mdelay(seq[i].delay); } } static int lms283gf05_power_set(struct lcd_device *ld, int power) { struct lms283gf05_state *st = lcd_get_data(ld); struct spi_device *spi = st->spi; struct lms283gf05_pdata *pdata = dev_get_platdata(&spi->dev); if (power <= FB_BLANK_NORMAL) { if (pdata) lms283gf05_reset(pdata->reset_gpio, pdata->reset_inverted); lms283gf05_toggle(spi, disp_initseq, ARRAY_SIZE(disp_initseq)); } else { lms283gf05_toggle(spi, disp_pdwnseq, ARRAY_SIZE(disp_pdwnseq)); if (pdata) gpio_set_value(pdata->reset_gpio, pdata->reset_inverted); } return 0; } static struct lcd_ops lms_ops = { .set_power = lms283gf05_power_set, .get_power = NULL, }; static int lms283gf05_probe(struct spi_device *spi) { struct lms283gf05_state *st; struct lms283gf05_pdata *pdata = dev_get_platdata(&spi->dev); struct lcd_device *ld; int ret = 0; if (pdata != NULL) { ret = devm_gpio_request_one(&spi->dev, pdata->reset_gpio, GPIOF_DIR_OUT | (!pdata->reset_inverted ? GPIOF_INIT_HIGH : GPIOF_INIT_LOW), "LMS285GF05 RESET"); if (ret) return ret; } st = devm_kzalloc(&spi->dev, sizeof(struct lms283gf05_state), GFP_KERNEL); if (st == NULL) return -ENOMEM; ld = devm_lcd_device_register(&spi->dev, "lms283gf05", &spi->dev, st, &lms_ops); if (IS_ERR(ld)) return PTR_ERR(ld); st->spi = spi; st->ld = ld; spi_set_drvdata(spi, st); /* kick in the LCD */ if (pdata) lms283gf05_reset(pdata->reset_gpio, pdata->reset_inverted); lms283gf05_toggle(spi, disp_initseq, ARRAY_SIZE(disp_initseq)); return 0; } static struct spi_driver lms283gf05_driver = { .driver = { .name = "lms283gf05", }, .probe = lms283gf05_probe, }; module_spi_driver(lms283gf05_driver); MODULE_AUTHOR("Marek Vasut "); MODULE_DESCRIPTION("LCD283GF05 LCD"); MODULE_LICENSE("GPL v2"); <bblock@linux.vnet.ibm.com>2016-12-09 17:16:31 +0100 committerMartin K. Petersen <martin.petersen@oracle.com>2016-12-14 15:14:04 -0500 commitdac37e15b7d511e026a9313c8c46794c144103cd (patch) tree1aac535ca7ab7a8931b12155499798b5635d7882 /drivers/usb parent165ae50e450bc7de6c741bf2c27ed0920a40a9af (diff)
scsi: zfcp: fix use-after-"free" in FC ingress path after TMF
When SCSI EH invokes zFCP's callbacks for eh_device_reset_handler() and eh_target_reset_handler(), it expects us to relent the ownership over the given scsi_cmnd and all other scsi_cmnds within the same scope - LUN or target - when returning with SUCCESS from the callback ('release' them). SCSI EH can then reuse those commands. We did not follow this rule to release commands upon SUCCESS; and if later a reply arrived for one of those supposed to be released commands, we would still make use of the scsi_cmnd in our ingress tasklet. This will at least result in undefined behavior or a kernel panic because of a wrong kernel pointer dereference. To fix this, we NULLify all pointers to scsi_cmnds (struct zfcp_fsf_req *)->data in the matching scope if a TMF was successful. This is done under the locks (struct zfcp_adapter *)->abort_lock and (struct zfcp_reqlist *)->lock to prevent the requests from being removed from the request-hashtable, and the ingress tasklet from making use of the scsi_cmnd-pointer in zfcp_fsf_fcp_cmnd_handler(). For cases where a reply arrives during SCSI EH, but before we get a chance to NULLify the pointer - but before we return from the callback -, we assume that the code is protected from races via the CAS operation in blk_complete_request() that is called in scsi_done(). The following stacktrace shows an example for a crash resulting from the previous behavior: Unable to handle kernel pointer dereference at virtual kernel address fffffee17a672000 Oops: 0038 [#1] SMP CPU: 2 PID: 0 Comm: swapper/2 Not tainted task: 00000003f7ff5be0 ti: 00000003f3d38000 task.ti: 00000003f3d38000 Krnl PSW : 0404d00180000000 00000000001156b0 (smp_vcpu_scheduled+0x18/0x40) R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 EA:3 Krnl GPRS: 000000200000007e 0000000000000000 fffffee17a671fd8 0000000300000015 ffffffff80000000 00000000005dfde8 07000003f7f80e00 000000004fa4e800 000000036ce8d8f8 000000036ce8d9c0 00000003ece8fe00 ffffffff969c9e93 00000003fffffffd 000000036ce8da10 00000000003bf134 00000003f3b07918 Krnl Code: 00000000001156a2: a7190000 lghi %r1,0 00000000001156a6: a7380015 lhi %r3,21 #00000000001156aa: e32050000008 ag %r2,0(%r5) >00000000001156b0: 482022b0 lh %r2,688(%r2) 00000000001156b4: ae123000 sigp %r1,%r2,0(%r3) 00000000001156b8: b2220020 ipm %r2 00000000001156bc: 8820001c srl %r2,28 00000000001156c0: c02700000001 xilf %r2,1 Call Trace: ([<0000000000000000>] 0x0) [<000003ff807bdb8e>] zfcp_fsf_fcp_cmnd_handler+0x3de/0x490 [zfcp] [<000003ff807be30a>] zfcp_fsf_req_complete+0x252/0x800 [zfcp] [<000003ff807c0a48>] zfcp_fsf_reqid_check+0xe8/0x190 [zfcp] [<000003ff807c194e>] zfcp_qdio_int_resp+0x66/0x188 [zfcp] [<000003ff80440c64>] qdio_kick_handler+0xdc/0x310 [qdio] [<000003ff804463d0>] __tiqdio_inbound_processing+0xf8/0xcd8 [qdio] [<0000000000141fd4>] tasklet_action+0x9c/0x170 [<0000000000141550>] __do_softirq+0xe8/0x258 [<000000000010ce0a>] do_softirq+0xba/0xc0 [<000000000014187c>] irq_exit+0xc4/0xe8 [<000000000046b526>] do_IRQ+0x146/0x1d8 [<00000000005d6a3c>] io_return+0x0/0x8 [<00000000005d6422>] vtime_stop_cpu+0x4a/0xa0 ([<0000000000000000>] 0x0) [<0000000000103d8a>] arch_cpu_idle+0xa2/0xb0 [<0000000000197f94>] cpu_startup_entry+0x13c/0x1f8 [<0000000000114782>] smp_start_secondary+0xda/0xe8 [<00000000005d6efe>] restart_int_handler+0x56/0x6c [<0000000000000000>] 0x0 Last Breaking-Event-Address: [<00000000003bf12e>] arch_spin_lock_wait+0x56/0xb0 Suggested-by: Steffen Maier <maier@linux.vnet.ibm.com> Signed-off-by: Benjamin Block <bblock@linux.vnet.ibm.com> Fixes: ea127f9754 ("[PATCH] s390 (7/7): zfcp host adapter.") (tglx/history.git) Cc: <stable@vger.kernel.org> #2.6.32+ Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Diffstat (limited to 'drivers/usb')