/* * NFC Digital Protocol stack * Copyright (c) 2013, Intel Corporation. * * This program is free software; you can redistribute it and/or modify it * under the terms and conditions of the GNU General Public License, * version 2, as published by the Free Software Foundation. * * This program is distributed in the hope it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * more details. * */ #ifndef __DIGITAL_H #define __DIGITAL_H #include #include #include #include #define PROTOCOL_ERR(req) pr_err("%d: NFC Digital Protocol error: %s\n", \ __LINE__, req) #define DIGITAL_CMD_IN_SEND 0 #define DIGITAL_CMD_TG_SEND 1 #define DIGITAL_CMD_TG_LISTEN 2 #define DIGITAL_CMD_TG_LISTEN_MDAA 3 #define DIGITAL_CMD_TG_LISTEN_MD 4 #define DIGITAL_MAX_HEADER_LEN 7 #define DIGITAL_CRC_LEN 2 #define DIGITAL_SENSF_NFCID2_NFC_DEP_B1 0x01 #define DIGITAL_SENSF_NFCID2_NFC_DEP_B2 0xFE #define DIGITAL_SENS_RES_NFC_DEP 0x0100 #define DIGITAL_SEL_RES_NFC_DEP 0x40 #define DIGITAL_SENSF_FELICA_SC 0xFFFF #define DIGITAL_DRV_CAPS_IN_CRC(ddev) \ ((ddev)->driver_capabilities & NFC_DIGITAL_DRV_CAPS_IN_CRC) #define DIGITAL_DRV_CAPS_TG_CRC(ddev) \ ((ddev)->driver_capabilities & NFC_DIGITAL_DRV_CAPS_TG_CRC) struct digital_data_exch { data_exchange_cb_t cb; void *cb_context; }; struct sk_buff *digital_skb_alloc(struct nfc_digital_dev *ddev, unsigned int len); int digital_send_cmd(struct nfc_digital_dev *ddev, u8 cmd_type, struct sk_buff *skb, struct digital_tg_mdaa_params *params, u16 timeout, nfc_digital_cmd_complete_t cmd_cb, void *cb_context); int digital_in_configure_hw(struct nfc_digital_dev *ddev, int type, int param); static inline int digital_in_send_cmd(struct nfc_digital_dev *ddev, struct sk_buff *skb, u16 timeout, nfc_digital_cmd_complete_t cmd_cb, void *cb_context) { return digital_send_cmd(ddev, DIGITAL_CMD_IN_SEND, skb, NULL, timeout, cmd_cb, cb_context); } void digital_poll_next_tech(struct nfc_digital_dev *ddev); int digital_in_send_sens_req(struct nfc_digital_dev *ddev, u8 rf_tech); int digital_in_send_sensb_req(struct nfc_digital_dev *ddev, u8 rf_tech); int digital_in_send_sensf_req(struct nfc_digital_dev *ddev, u8 rf_tech); int digital_in_send_iso15693_inv_req(struct nfc_digital_dev *ddev, u8 rf_tech); int digital_in_iso_dep_pull_sod(struct nfc_digital_dev *ddev, struct sk_buff *skb); int digital_in_iso_dep_push_sod(struct nfc_digital_dev *ddev, struct sk_buff *skb); int digital_target_found(struct nfc_digital_dev *ddev, struct nfc_target *target, u8 protocol); int digital_in_recv_mifare_res(struct sk_buff *resp); int digital_in_send_atr_req(struct nfc_digital_dev *ddev, struct nfc_target *target, __u8 comm_mode, __u8 *gb, size_t gb_len); int digital_in_send_dep_req(struct nfc_digital_dev *ddev, struct nfc_target *target, struct sk_buff *skb, struct digital_data_exch *data_exch); int digital_tg_configure_hw(struct nfc_digital_dev *ddev, int type, int param); static inline int digital_tg_send_cmd(struct nfc_digital_dev *ddev, struct sk_buff *skb, u16 timeout, nfc_digital_cmd_complete_t cmd_cb, void *cb_context) { return digital_send_cmd(ddev, DIGITAL_CMD_TG_SEND, skb, NULL, timeout, cmd_cb, cb_context); } void digital_tg_recv_sens_req(struct nfc_digital_dev *ddev, void *arg, struct sk_buff *resp); void digital_tg_recv_sensf_req(struct nfc_digital_dev *ddev, void *arg, struct sk_buff *resp); static inline int digital_tg_listen(struct nfc_digital_dev *ddev, u16 timeout, nfc_digital_cmd_complete_t cb, void *arg) { return digital_send_cmd(ddev, DIGITAL_CMD_TG_LISTEN, NULL, NULL, timeout, cb, arg); } void digital_tg_recv_atr_req(struct nfc_digital_dev *ddev, void *arg, struct sk_buff *resp); int digital_tg_send_dep_res(struct nfc_digital_dev *ddev, struct sk_buff *skb); int digital_tg_listen_nfca(struct nfc_digital_dev *ddev, u8 rf_tech); int digital_tg_listen_nfcf(struct nfc_digital_dev *ddev, u8 rf_tech); void digital_tg_recv_md_req(struct nfc_digital_dev *ddev, void *arg, struct sk_buff *resp); typedef u16 (*crc_func_t)(u16, const u8 *, size_t); #define CRC_A_INIT 0x6363 #define CRC_B_INIT 0xFFFF #define CRC_F_INIT 0x0000 void digital_skb_add_crc(struct sk_buff *skb, crc_func_t crc_func, u16 init, u8 bitwise_inv, u8 msb_first); static inline void digital_skb_add_crc_a(struct sk_buff *skb) { digital_skb_add_crc(skb, crc_ccitt, CRC_A_INIT, 0, 0); } static inline void digital_skb_add_crc_b(struct sk_buff *skb) { digital_skb_add_crc(skb, crc_ccitt, CRC_B_INIT, 1, 0); } static inline void digital_skb_add_crc_f(struct sk_buff *skb) { digital_skb_add_crc(skb, crc_itu_t, CRC_F_INIT, 0, 1); } static inline void digital_skb_add_crc_none(struct sk_buff *skb) { return; } int digital_skb_check_crc(struct sk_buff *skb, crc_func_t crc_func, u16 crc_init, u8 bitwise_inv, u8 msb_first); static inline int digital_skb_check_crc_a(struct sk_buff *skb) { return digital_skb_check_crc(skb, crc_ccitt, CRC_A_INIT, 0, 0); } static inline int digital_skb_check_crc_b(struct sk_buff *skb) { return digital_skb_check_crc(skb, crc_ccitt, CRC_B_INIT, 1, 0); } static inline int digital_skb_check_crc_f(struct sk_buff *skb) { return digital_skb_check_crc(skb, crc_itu_t, CRC_F_INIT, 0, 1); } static inline int digital_skb_check_crc_none(struct sk_buff *skb) { return 0; } #endif /* __DIGITAL_H */ ref='/cgit.cgi/linux/net-next.git/commit/sound/usb/6fire/control.h?id=2c5d9555d6d937966d79d4c6529a5f7b9206e405'>2c5d9555d6d937966d79d4c6529a5f7b9206e405 (diff)
drm/i915: Check for NULL i915_vma in intel_unpin_fb_obj()
I've seen this trigger twice now, where the i915_gem_object_to_ggtt() call in intel_unpin_fb_obj() returns NULL, resulting in an oops immediately afterwards as the (inlined) call to i915_vma_unpin_fence() tries to dereference it. It seems to be some race condition where the object is going away at shutdown time, since both times happened when shutting down the X server. The call chains were different: - VT ioctl(KDSETMODE, KD_TEXT): intel_cleanup_plane_fb+0x5b/0xa0 [i915] drm_atomic_helper_cleanup_planes+0x6f/0x90 [drm_kms_helper] intel_atomic_commit_tail+0x749/0xfe0 [i915] intel_atomic_commit+0x3cb/0x4f0 [i915] drm_atomic_commit+0x4b/0x50 [drm] restore_fbdev_mode+0x14c/0x2a0 [drm_kms_helper] drm_fb_helper_restore_fbdev_mode_unlocked+0x34/0x80 [drm_kms_helper] drm_fb_helper_set_par+0x2d/0x60 [drm_kms_helper] intel_fbdev_set_par+0x18/0x70 [i915] fb_set_var+0x236/0x460 fbcon_blank+0x30f/0x350 do_unblank_screen+0xd2/0x1a0 vt_ioctl+0x507/0x12a0 tty_ioctl+0x355/0xc30 do_vfs_ioctl+0xa3/0x5e0 SyS_ioctl+0x79/0x90 entry_SYSCALL_64_fastpath+0x13/0x94 - i915 unpin_work workqueue: intel_unpin_work_fn+0x58/0x140 [i915] process_one_work+0x1f1/0x480 worker_thread+0x48/0x4d0 kthread+0x101/0x140 and this patch purely papers over the issue by adding a NULL pointer check and a WARN_ON_ONCE() to avoid the oops that would then generally make the machine unresponsive. Other callers of i915_gem_object_to_ggtt() seem to also check for the returned pointer being NULL and warn about it, so this clearly has happened before in other places. [ Reported it originally to the i915 developers on Jan 8, applying the ugly workaround on my own now after triggering the problem for the second time with no feedback. This is likely to be the same bug reported as https://bugs.freedesktop.org/show_bug.cgi?id=98829 https://bugs.freedesktop.org/show_bug.cgi?id=99134 which has a patch for the underlying problem, but it hasn't gotten to me, so I'm applying the workaround. ] Cc: Daniel Vetter <daniel.vetter@intel.com> Cc: Jani Nikula <jani.nikula@linux.intel.com> Cc: Ville Syrjälä <ville.syrjala@linux.intel.com> Cc: Chris Wilson <chris@chris-wilson.co.uk> Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com> Cc: Imre Deak <imre.deak@intel.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'sound/usb/6fire/control.h')