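/***********************************************************************

    AudioScience HPI driver
    Functions for reading DSP code using hotplug firmware loader

    Copyright (C) 1997-2014 AudioScience Inc.

    This program is free software; you can redistribute it and/or modify
    it under the terms of version 2 of the GNU General Public License as
    published by the Free Software Foundation;

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

***********************************************************************/
#define SOURCEFILE_NAME "hpidspcd.c"
#include "hpidspcd.h"
#include "hpidebug.h"
#include "hpi_version.h"

/** Per-open state kept behind dsp_code->pvt while a firmware image is held. */
struct dsp_code_private {
	/** Firmware descriptor */
	const struct firmware *firmware;
	/** PCI device the image was requested for */
	struct pci_dev *dev;
};

/*-------------------------------------------------------------------*/
/**
 * Load the DSP image for an adapter through the firmware loader and
 * validate its header.
 *
 * @param adapter       adapter id; selects the file name
 *                      "asihpi/dsp<adapter>.bin" and must equal the
 *                      adapter field of the image header
 * @param os_data       used as the struct pci_dev * the firmware is
 *                      requested for
 * @param dsp_code      filled in on success; on failure block_length is
 *                      set to 0 and pvt to NULL
 * @param os_error_code not written by this function
 * @return 0 on success, HPI_ERROR_MEMORY_ALLOC if the private state
 *         cannot be allocated, HPI_ERROR_DSP_FILE_NOT_FOUND for every
 *         other failure (name too long, request failed, header rejected)
 *
 * The header checks below are structural only (magic, adapter, size,
 * version). Nothing in this file authenticates the image contents, so
 * the integrity of the firmware file is assumed to be guaranteed
 * elsewhere.
 */
short hpi_dsp_code_open(u32 adapter, void *os_data, struct dsp_code *dsp_code,
	u32 *os_error_code)
{
	const struct firmware *firmware;
	struct pci_dev *dev = os_data;
	struct code_header header;
	char fw_name[20];
	short err_ret = HPI_ERROR_DSP_FILE_NOT_FOUND;
	int name_len;
	int err;

	/*
	 * "%04x" is a minimum width only: an adapter value above 0xffff
	 * prints up to 8 hex digits, and 10 + 8 + 4 + 1 bytes do not fit in
	 * fw_name[20]. Bound the write and refuse a truncated name instead
	 * of overrunning the stack buffer.
	 */
	name_len = snprintf(fw_name, sizeof(fw_name), "asihpi/dsp%04x.bin",
		adapter);
	if (name_len < 0 || (size_t)name_len >= sizeof(fw_name)) {
		dev_err(&dev->dev, "Firmware name too long for adapter %x\n",
			adapter);
		goto error1;
	}

	err = request_firmware(&firmware, fw_name, &dev->dev);

	if (err || !firmware) {
		dev_err(&dev->dev, "%d, request_firmware failed for %s\n",
			err, fw_name);
		goto error1;
	}

	/* The image must at least hold a complete header before it is copied. */
	if (firmware->size < sizeof(header)) {
		dev_err(&dev->dev, "Header size too small %s\n", fw_name);
		goto error2;
	}
	memcpy(&header, firmware->data, sizeof(header));

	/*
	 * header.size must equal the real file size: block_length is derived
	 * from it and is the only bound the read functions check against.
	 */
	if ((header.type != 0x45444F43) ||	/* "CODE" */
		(header.adapter != adapter)
		|| (header.size != firmware->size)) {
		dev_err(&dev->dev,
			"Invalid firmware header size %d != file %zd\n",
			header.size, firmware->size);
		goto error2;
	}

	if (HPI_VER_MAJOR(header.version) != HPI_VER_MAJOR(HPI_VER)) {
		/* Major version change probably means Host-DSP protocol change */
		dev_err(&dev->dev,
			"Incompatible firmware version DSP image %X != Driver %X\n",
			header.version, HPI_VER);
		goto error2;
	}

	/* Any other version difference is only reported, not rejected. */
	if (header.version != HPI_VER) {
		dev_warn(&dev->dev,
			"Firmware version mismatch: DSP image %X != Driver %X\n",
			header.version, HPI_VER);
	}

	HPI_DEBUG_LOG(DEBUG, "dsp code %s opened\n", fw_name);
	dsp_code->pvt = kmalloc(sizeof(*dsp_code->pvt), GFP_KERNEL);
	if (!dsp_code->pvt) {
		err_ret = HPI_ERROR_MEMORY_ALLOC;
		goto error2;
	}

	dsp_code->pvt->dev = dev;
	dsp_code->pvt->firmware = firmware;
	dsp_code->header = header;
	/*
	 * Integer division rounds down, so a size that is not a multiple of
	 * 4 leaves the trailing bytes unreachable rather than readable past
	 * the end of the image.
	 */
	dsp_code->block_length = header.size / sizeof(u32);
	/* Reading starts at the first word after the header. */
	dsp_code->word_count = sizeof(header) / sizeof(u32);
	return 0;

error2:
	release_firmware(firmware);
error1:
	/*
	 * Leave the handle in a state the read functions reject and
	 * hpi_dsp_code_close() ignores.
	 */
	dsp_code->pvt = NULL;
	dsp_code->block_length = 0;
	return err_ret;
}

/*-------------------------------------------------------------------*/
/**
 * Release the firmware image and the private state of an opened handle.
 *
 * @param dsp_code handle filled in by hpi_dsp_code_open(); a handle
 *                 whose pvt is NULL is left alone
 */
void hpi_dsp_code_close(struct dsp_code *dsp_code)
{
	HPI_DEBUG_LOG(DEBUG, "dsp code closed\n");
	if (!dsp_code->pvt)
		return;

	release_firmware(dsp_code->pvt->firmware);
	kfree(dsp_code->pvt);
	/* Clear the pointer so a repeated close cannot free it twice. */
	dsp_code->pvt = NULL;
}

/*-------------------------------------------------------------------*/
/**
 * Reset the read position to the first word after the header.
 *
 * @param dsp_code opened handle
 */
void hpi_dsp_code_rewind(struct dsp_code *dsp_code)
{
	/* Go back to start of data, after header */
	dsp_code->word_count = sizeof(struct code_header) / sizeof(u32);
}

/*-------------------------------------------------------------------*/
/**
 * Read the next 32-bit word of the image and advance the read position.
 *
 * @param dsp_code opened handle
 * @param pword    receives the word
 * @return 0 on success, HPI_ERROR_DSP_FILE_FORMAT when the read position
 *         is already at or past the end of the image
 */
short hpi_dsp_code_read_word(struct dsp_code *dsp_code, u32 *pword)
{
	const u32 *words;

	/* Same bound as "word_count + 1 > block_length", without the wrap. */
	if (dsp_code->word_count >= dsp_code->block_length)
		return HPI_ERROR_DSP_FILE_FORMAT;

	words = (const u32 *)dsp_code->pvt->firmware->data;
	*pword = words[dsp_code->word_count];
	dsp_code->word_count++;
	return 0;
}

/*-------------------------------------------------------------------*/
/**
 * Hand out a pointer to the next words_requested words of the image and
 * advance the read position past them.
 *
 * @param words_requested number of 32-bit words wanted
 * @param dsp_code        opened handle
 * @param ppblock         receives a pointer into the firmware buffer; the
 *                        buffer is const in struct firmware, so the
 *                        caller must treat the words as read-only
 * @return 0 on success, HPI_ERROR_DSP_FILE_FORMAT when fewer than
 *         words_requested words remain
 */
short hpi_dsp_code_read_block(size_t words_requested,
	struct dsp_code *dsp_code, u32 **ppblock)
{
	/*
	 * Compare against the words that remain instead of adding to
	 * word_count: the sum can wrap for a very large words_requested and
	 * then pass the bound. The counters are assumed to be unsigned
	 * (declared in hpidspcd.h - confirm).
	 */
	if (dsp_code->word_count > dsp_code->block_length ||
		words_requested >
		dsp_code->block_length - dsp_code->word_count)
		return HPI_ERROR_DSP_FILE_FORMAT;

	*ppblock =
		((u32 *)(dsp_code->pvt->firmware->data)) +
		dsp_code->word_count;
	dsp_code->word_count += words_requested;
	return 0;
}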
authorDouglas Miller <dougmill@linux.vnet.ibm.com>2017-01-28 06:42:20 -0600
committerTejun Heo <tj@kernel.org>2017-01-28 07:49:42 -0500
commit966d2b04e070bc040319aaebfec09e0144dc3341 (patch)
tree4b96156e3d1dd4dfd6039b7c219c9dc4616da52d /drivers/usb/gadget/epautoconf.c
parent1b1bc42c1692e9b62756323c675a44cb1a1f9dbd (diff)
percpu-refcount: fix reference leak during percpu-atomic transition
percpu_ref_tryget() and percpu_ref_tryget_live() should return "true" IFF they acquire a reference. But the return value from atomic_long_inc_not_zero() is a long and may have high bits set, e.g. PERCPU_COUNT_BIAS, and the return value of the tryget routines is bool so the reference may actually be acquired but the routines return "false" which results in a reference leak since the caller assumes it does not need to do a corresponding percpu_ref_put(). This was seen when performing CPU hotplug during I/O, as hangs in blk_mq_freeze_queue_wait where percpu_ref_kill (blk_mq_freeze_queue_start) raced with percpu_ref_tryget (blk_mq_timeout_work). Sample stack trace: __switch_to+0x2c0/0x450 __schedule+0x2f8/0x970 schedule+0x48/0xc0 blk_mq_freeze_queue_wait+0x94/0x120 blk_mq_queue_reinit_work+0xb8/0x180 blk_mq_queue_reinit_prepare+0x84/0xa0 cpuhp_invoke_callback+0x17c/0x600 cpuhp_up_callbacks+0x58/0x150 _cpu_up+0xf0/0x1c0 do_cpu_up+0x120/0x150 cpu_subsys_online+0x64/0xe0 device_online+0xb4/0x120 online_store+0xb4/0xc0 dev_attr_store+0x68/0xa0 sysfs_kf_write+0x80/0xb0 kernfs_fop_write+0x17c/0x250 __vfs_write+0x6c/0x1e0 vfs_write+0xd0/0x270 SyS_write+0x6c/0x110 system_call+0x38/0xe0 Examination of the queue showed a single reference (no PERCPU_COUNT_BIAS, and __PERCPU_REF_DEAD, __PERCPU_REF_ATOMIC set) and no requests. However, conditions at the time of the race are count of PERCPU_COUNT_BIAS + 0 and __PERCPU_REF_DEAD and __PERCPU_REF_ATOMIC set. The fix is to make the tryget routines use an actual boolean internally instead of the atomic long result truncated to an int. Fixes: e625305b3907 percpu-refcount: make percpu_ref based on longs instead of ints Link: https://bugzilla.kernel.org/show_bug.cgi?id=190751 Signed-off-by: Douglas Miller <dougmill@linux.vnet.ibm.com> Reviewed-by: Jens Axboe <axboe@fb.com> Signed-off-by: Tejun Heo <tj@kernel.org> Fixes: e625305b3907 ("percpu-refcount: make percpu_ref based on longs instead of ints") Cc: stable@vger.kernel.org # v3.18+
Diffstat (limited to 'drivers/usb/gadget/epautoconf.c')