/* * C-Media CMI8788 driver - helper functions * * Copyright (c) Clemens Ladisch * * * This driver is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License, version 2. * * This driver is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this driver; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include #include #include #include #include #include "oxygen.h" u8 oxygen_read8(struct oxygen *chip, unsigned int reg) { return inb(chip->addr + reg); } EXPORT_SYMBOL(oxygen_read8); u16 oxygen_read16(struct oxygen *chip, unsigned int reg) { return inw(chip->addr + reg); } EXPORT_SYMBOL(oxygen_read16); u32 oxygen_read32(struct oxygen *chip, unsigned int reg) { return inl(chip->addr + reg); } EXPORT_SYMBOL(oxygen_read32); void oxygen_write8(struct oxygen *chip, unsigned int reg, u8 value) { outb(value, chip->addr + reg); chip->saved_registers._8[reg] = value; } EXPORT_SYMBOL(oxygen_write8); void oxygen_write16(struct oxygen *chip, unsigned int reg, u16 value) { outw(value, chip->addr + reg); chip->saved_registers._16[reg / 2] = cpu_to_le16(value); } EXPORT_SYMBOL(oxygen_write16); void oxygen_write32(struct oxygen *chip, unsigned int reg, u32 value) { outl(value, chip->addr + reg); chip->saved_registers._32[reg / 4] = cpu_to_le32(value); } EXPORT_SYMBOL(oxygen_write32); void oxygen_write8_masked(struct oxygen *chip, unsigned int reg, u8 value, u8 mask) { u8 tmp = inb(chip->addr + reg); tmp &= ~mask; tmp |= value & mask; outb(tmp, chip->addr + reg); chip->saved_registers._8[reg] = tmp; } EXPORT_SYMBOL(oxygen_write8_masked); void oxygen_write16_masked(struct oxygen *chip, unsigned int reg, u16 value, u16 mask) { u16 tmp = inw(chip->addr + reg); tmp &= ~mask; tmp |= value & mask; outw(tmp, chip->addr + reg); chip->saved_registers._16[reg / 2] = cpu_to_le16(tmp); } EXPORT_SYMBOL(oxygen_write16_masked); void oxygen_write32_masked(struct oxygen *chip, unsigned int reg, u32 value, u32 mask) { u32 tmp = inl(chip->addr + reg); tmp &= ~mask; tmp |= value & mask; outl(tmp, chip->addr + reg); chip->saved_registers._32[reg / 4] = cpu_to_le32(tmp); } EXPORT_SYMBOL(oxygen_write32_masked); static int oxygen_ac97_wait(struct oxygen *chip, unsigned int mask) { u8 status = 0; /* * Reading the status register also clears the bits, so we have to save * the read bits in status. */ wait_event_timeout(chip->ac97_waitqueue, ({ status |= oxygen_read8(chip, OXYGEN_AC97_INTERRUPT_STATUS); status & mask; }), msecs_to_jiffies(1) + 1); /* * Check even after a timeout because this function should not require * the AC'97 interrupt to be enabled. */ status |= oxygen_read8(chip, OXYGEN_AC97_INTERRUPT_STATUS); return status & mask ? 0 : -EIO; } /* * About 10% of AC'97 register reads or writes fail to complete, but even those * where the controller indicates completion aren't guaranteed to have actually * happened. * * It's hard to assign blame to either the controller or the codec because both * were made by C-Media ... */ void oxygen_write_ac97(struct oxygen *chip, unsigned int codec, unsigned int index, u16 data) { unsigned int count, succeeded; u32 reg; reg = data; reg |= index << OXYGEN_AC97_REG_ADDR_SHIFT; reg |= OXYGEN_AC97_REG_DIR_WRITE; reg |= codec << OXYGEN_AC97_REG_CODEC_SHIFT; succeeded = 0; for (count = 5; count > 0; --count) { udelay(5); oxygen_write32(chip, OXYGEN_AC97_REGS, reg); /* require two "completed" writes, just to be sure */ if (oxygen_ac97_wait(chip, OXYGEN_AC97_INT_WRITE_DONE) >= 0 && ++succeeded >= 2) { chip->saved_ac97_registers[codec][index / 2] = data; return; } } dev_err(chip->card->dev, "AC'97 write timeout\n"); } EXPORT_SYMBOL(oxygen_write_ac97); u16 oxygen_read_ac97(struct oxygen *chip, unsigned int codec, unsigned int index) { unsigned int count; unsigned int last_read = UINT_MAX; u32 reg; reg = index << OXYGEN_AC97_REG_ADDR_SHIFT; reg |= OXYGEN_AC97_REG_DIR_READ; reg |= codec << OXYGEN_AC97_REG_CODEC_SHIFT; for (count = 5; count > 0; --count) { udelay(5); oxygen_write32(chip, OXYGEN_AC97_REGS, reg); udelay(10); if (oxygen_ac97_wait(chip, OXYGEN_AC97_INT_READ_DONE) >= 0) { u16 value = oxygen_read16(chip, OXYGEN_AC97_REGS); /* we require two consecutive reads of the same value */ if (value == last_read) return value; last_read = value; /* * Invert the register value bits to make sure that two * consecutive unsuccessful reads do not return the same * value. */ reg ^= 0xffff; } } dev_err(chip->card->dev, "AC'97 read timeout on codec %u\n", codec); return 0; } EXPORT_SYMBOL(oxygen_read_ac97); void oxygen_write_ac97_masked(struct oxygen *chip, unsigned int codec, unsigned int index, u16 data, u16 mask) { u16 value = oxygen_read_ac97(chip, codec, index); value &= ~mask; value |= data & mask; oxygen_write_ac97(chip, codec, index, value); } EXPORT_SYMBOL(oxygen_write_ac97_masked); static int oxygen_wait_spi(struct oxygen *chip) { unsigned int count; /* * Higher timeout to be sure: 200 us; * actual transaction should not need more than 40 us. */ for (count = 50; count > 0; count--) { udelay(4); if ((oxygen_read8(chip, OXYGEN_SPI_CONTROL) & OXYGEN_SPI_BUSY) == 0) return 0; } dev_err(chip->card->dev, "oxygen: SPI wait timeout\n"); return -EIO; } int oxygen_write_spi(struct oxygen *chip, u8 control, unsigned int data) { /* * We need to wait AFTER initiating the SPI transaction, * otherwise read operations will not work. */ oxygen_write8(chip, OXYGEN_SPI_DATA1, data); oxygen_write8(chip, OXYGEN_SPI_DATA2, data >> 8); if (control & OXYGEN_SPI_DATA_LENGTH_3) oxygen_write8(chip, OXYGEN_SPI_DATA3, data >> 16); oxygen_write8(chip, OXYGEN_SPI_CONTROL, control); return oxygen_wait_spi(chip); } EXPORT_SYMBOL(oxygen_write_spi); void oxygen_write_i2c(struct oxygen *chip, u8 device, u8 map, u8 data) { /* should not need more than about 300 us */ msleep(1); oxygen_write8(chip, OXYGEN_2WIRE_MAP, map); oxygen_write8(chip, OXYGEN_2WIRE_DATA, data); oxygen_write8(chip, OXYGEN_2WIRE_CONTROL, device | OXYGEN_2WIRE_DIR_WRITE); } EXPORT_SYMBOL(oxygen_write_i2c); static void _write_uart(struct oxygen *chip, unsigned int port, u8 data) { if (oxygen_read8(chip, OXYGEN_MPU401 + 1) & MPU401_TX_FULL) msleep(1); oxygen_write8(chip, OXYGEN_MPU401 + port, data); } void oxygen_reset_uart(struct oxygen *chip) { _write_uart(chip, 1, MPU401_RESET); msleep(1); /* wait for ACK */ _write_uart(chip, 1, MPU401_ENTER_UART); } EXPORT_SYMBOL(oxygen_reset_uart); void oxygen_write_uart(struct oxygen *chip, u8 data) { _write_uart(chip, 0, data); } EXPORT_SYMBOL(oxygen_write_uart); u16 oxygen_read_eeprom(struct oxygen *chip, unsigned int index) { unsigned int timeout; oxygen_write8(chip, OXYGEN_EEPROM_CONTROL, index | OXYGEN_EEPROM_DIR_READ); for (timeout = 0; timeout < 100; ++timeout) { udelay(1); if (!(oxygen_read8(chip, OXYGEN_EEPROM_STATUS) & OXYGEN_EEPROM_BUSY)) break; } return oxygen_read16(chip, OXYGEN_EEPROM_DATA); } void oxygen_write_eeprom(struct oxygen *chip, unsigned int index, u16 value) { unsigned int timeout; oxygen_write16(chip, OXYGEN_EEPROM_DATA, value); oxygen_write8(chip, OXYGEN_EEPROM_CONTROL, index | OXYGEN_EEPROM_DIR_WRITE); for (timeout = 0; timeout < 10; ++timeout) { msleep(1); if (!(oxygen_read8(chip, OXYGEN_EEPROM_STATUS) & OXYGEN_EEPROM_BUSY)) return; } dev_err(chip->card->dev, "EEPROM write timeout\n"); } gical issue in having a state machine used for the fallback mechanism and preventing access from it once we abort as its inside the buf (buf->fw_st). The firmware_class.c code is setting the buf to NULL to annotate an abort has occurred. Replace this mechanism by simply using the state check instead. All the other code in place already uses similar checks for aborting as well so no further changes are needed. An oops can be reproduced with the new fw_fallback.sh fallback mechanism cancellation test. Either cancelling the fallback mechanism or the custom fallback mechanism triggers a crash. mcgrof@piggy ~/linux-next/tools/testing/selftests/firmware (git::20170111-fw-fixes)$ sudo ./fw_fallback.sh ./fw_fallback.sh: timeout works ./fw_fallback.sh: firmware comparison works ./fw_fallback.sh: fallback mechanism works [ this then sits here when it is trying the cancellation test ] Kernel log: test_firmware: loading 'nope-test-firmware.bin' misc test_firmware: Direct firmware load for nope-test-firmware.bin failed with error -2 misc test_firmware: Falling back to user helper BUG: unable to handle kernel NULL pointer dereference at 0000000000000038 IP: _request_firmware+0xa27/0xad0 PGD 0 Oops: 0000 [#1] SMP Modules linked in: test_firmware(E) ... etc ... CPU: 1 PID: 1396 Comm: fw_fallback.sh Tainted: G W E 4.10.0-rc3-next-20170111+ #30 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.10.1-0-g8891697-prebuilt.qemu-project.org 04/01/2014 task: ffff9740b27f4340 task.stack: ffffbb15c0bc8000 RIP: 0010:_request_firmware+0xa27/0xad0 RSP: 0018:ffffbb15c0bcbd10 EFLAGS: 00010246 RAX: 00000000fffffffe RBX: ffff9740afe5aa80 RCX: 0000000000000000 RDX: ffff9740b27f4340 RSI: 0000000000000283 RDI: 0000000000000000 RBP: ffffbb15c0bcbd90 R08: ffffbb15c0bcbcd8 R09: 0000000000000000 R10: 0000000894a0d4b1 R11: 000000000000008c R12: ffffffffc0312480 R13: 0000000000000005 R14: ffff9740b1c32400 R15: 00000000000003e8 FS: 00007f8604422700(0000) GS:ffff9740bfc80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000038 CR3: 000000012164c000 CR4: 00000000000006e0 Call Trace: request_firmware+0x37/0x50 trigger_request_store+0x79/0xd0 [test_firmware] dev_attr_store+0x18/0x30 sysfs_kf_write+0x37/0x40 kernfs_fop_write+0x110/0x1a0 __vfs_write+0x37/0x160 ? _cond_resched+0x1a/0x50 vfs_write+0xb5/0x1a0 SyS_write+0x55/0xc0 ? trace_do_page_fault+0x37/0xd0 entry_SYSCALL_64_fastpath+0x1e/0xad RIP: 0033:0x7f8603f49620 RSP: 002b:00007fff6287b788 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055c307b110a0 RCX: 00007f8603f49620 RDX: 0000000000000016 RSI: 000055c3084d8a90 RDI: 0000000000000001 RBP: 0000000000000016 R08: 000000000000c0ff R09: 000055c3084d6336 R10: 000055c307b108b0 R11: 0000000000000246 R12: 000055c307b13c80 R13: 000055c3084d6320 R14: 0000000000000000 R15: 00007fff6287b950 Code: 9f 64 84 e8 9c 61 fe ff b8 f4 ff ff ff e9 6b f9 ff ff 48 c7 c7 40 6b 8d 84 89 45 a8 e8 43 84 18 00 49 8b be 00 03 00 00 8b 45 a8 <83> 7f 38 02 74 08 e8 6e ec ff ff 8b 45 a8 49 c7 86 00 03 00 00 RIP: _request_firmware+0xa27/0xad0 RSP: ffffbb15c0bcbd10 CR2: 0000000000000038 ---[ end trace 6d94ac339c133e6f ]--- Fixes: 5d47ec02c37e ("firmware: Correct handling of fw_state_wait() return value") Reported-and-Tested-by: Jakub Kicinski <jakub.kicinski@netronome.com> Reported-and-Tested-by: Patrick Bruenn <p.bruenn@beckhoff.com> Reported-by: Chris Wilson <chris@chris-wilson.co.uk> CC: <stable@vger.kernel.org> [3.10+] Signed-off-by: Luis R. Rodriguez <mcgrof@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'security/tomoyo/group.c')