[PATCH] brcmfmac: NULL pointer dereference on tx statistic update
by Marcel Hamer
On removal of the device or unloading of the kernel module a potential
NULL pointer dereference occurs.
The following sequence deletes the interface:
brcmf_detach()
brcmf_remove_interface()
brcmf_del_if()
Inside the brcmf_del_if() function the drvr->if2bss[ifidx] is updated to
BRCMF_BSSIDX_INVALID (-1) if the bsscfgidx matches.
After brcmf_remove_interface() call the brcmf_proto_detach() function is
called providing the following sequence:
brcmf_detach()
brcmf_proto_detach()
brcmf_proto_msgbuf_detach()
brcmf_flowring_detach()
brcmf_msgbuf_delete_flowring()
brcmf_msgbuf_remove_flowring()
brcmf_flowring_delete()
brcmf_get_ifp()
brcmf_txfinalize()
Since brcmf_get_ip() can and actually will return NULL in this case the
call to brcmf_txfinalize() will result in a NULL pointer dereference
inside brcmf_txfinalize() when trying to update
ifp->ndev->stats.tx_errors.
This will only happen if a flowring still has an skb.
Cc: stable(a)vger.kernel.org
Signed-off-by: Marcel Hamer <marcel.hamer(a)windriver.com>
Link: https://lore.kernel.org/all/b519e746-ddfd-421f-d897-7620d229e4b2@gmail.com/
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
index c3a57e30c855..cf731bc7ae24 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
@@ -549,7 +549,7 @@ void brcmf_txfinalize(struct brcmf_if *ifp, struct sk_buff *txp, bool success)
wake_up(&ifp->pend_8021x_wait);
}
- if (!success)
+ if (!success && ifp)
ifp->ndev->stats.tx_errors++;
brcmu_pkt_buf_free_skb(txp);
--
2.34.1
3 months, 3 weeks
- 2
- 2
Linux 6.6.71
by Greg Kroah-Hartman
I'm announcing the release of the 6.6.71 kernel.
It's only needed if you could not properly build 6.6.70 as there is a
configuration that is pretty common that would fail to build properly.
That is now resolved. If you did not have a problem building 6.6.70, no
need to upgrade at this point in time.
The updated 6.6.y git tree can be found at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y
and can be browsed at the normal kernel.org git web browser:
https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary
thanks,
greg k-h
------------
Makefile | 2 +-
arch/x86/kernel/Makefile | 4 ++--
arch/x86/kernel/cpu/mshyperv.c | 10 ++--------
arch/x86/kernel/kexec-bzimage64.c | 4 ----
arch/x86/kernel/kvm.c | 4 ++--
arch/x86/kernel/machine_kexec_64.c | 3 ---
arch/x86/kernel/reboot.c | 4 ++--
arch/x86/kernel/setup.c | 2 +-
arch/x86/kernel/smp.c | 2 +-
arch/x86/xen/enlighten_hvm.c | 4 ----
arch/x86/xen/mmu_pv.c | 2 +-
11 files changed, 12 insertions(+), 29 deletions(-)
Greg Kroah-Hartman (3):
Revert "x86/hyperv: Fix hv tsc page based sched_clock for hibernation"
Revert "x86, crash: wrap crash dumping code into crash related ifdefs"
Linux 6.6.71
Naman Jain (1):
x86/hyperv: Fix hv tsc page based sched_clock for hibernation
3 months, 3 weeks
- 1
- 1
[PATCH net v2 4/5] vsock: reset socket state when de-assigning the transport
by Stefano Garzarella
Transport's release() and destruct() are called when de-assigning the
vsock transport. These callbacks can touch some socket state like
sock flags, sk_state, and peer_shutdown.
Since we are reassigning the socket to a new transport during
vsock_connect(), let's reset these fields to have a clean state with
the new transport.
Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
Cc: stable(a)vger.kernel.org
Signed-off-by: Stefano Garzarella <sgarzare(a)redhat.com>
---
net/vmw_vsock/af_vsock.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index 5cf8109f672a..74d35a871644 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -491,6 +491,15 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk)
*/
vsk->transport->release(vsk);
vsock_deassign_transport(vsk);
+
+ /* transport's release() and destruct() can touch some socket
+ * state, since we are reassigning the socket to a new transport
+ * during vsock_connect(), let's reset these fields to have a
+ * clean state.
+ */
+ sock_reset_flag(sk, SOCK_DONE);
+ sk->sk_state = TCP_CLOSE;
+ vsk->peer_shutdown = 0;
}
/* We increase the module refcnt to prevent the transport unloading
--
2.47.1
3 months, 3 weeks
- 2
- 2
[PATCH v2] samples/landlock: Fix possible NULL dereference in parse_path()
by Gax-c
From: Zichen Xie <zichenxie0106(a)gmail.com>
malloc() may return NULL, leading to NULL dereference.
Add a NULL check.
Fixes: ba84b0bf5a16 ("samples/landlock: Add a sandbox manager example")
Signed-off-by: Zichen Xie <zichenxie0106(a)gmail.com>
Cc: stable(a)vger.kernel.org
---
v2: Modify logic & Add Fixes tag.
---
samples/landlock/sandboxer.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
index 57565dfd74a2..ef2a34173d84 100644
--- a/samples/landlock/sandboxer.c
+++ b/samples/landlock/sandboxer.c
@@ -91,6 +91,9 @@ static int parse_path(char *env_path, const char ***const path_list)
}
}
*path_list = malloc(num_paths * sizeof(**path_list));
+ if (*path_list == NULL)
+ return -1;
+
for (i = 0; i < num_paths; i++)
(*path_list)[i] = strsep(&env_path, ENV_DELIMITER);
@@ -127,6 +130,11 @@ static int populate_ruleset_fs(const char *const env_var, const int ruleset_fd,
env_path_name = strdup(env_path_name);
unsetenv(env_var);
num_paths = parse_path(env_path_name, &path_list);
+ if (num_paths == -1) {
+ fprintf(stderr, "Failed to allocate memory\n");
+ ret = 1;
+ goto out_free_name;
+ }
if (num_paths == 1 && path_list[0][0] == '\0') {
/*
* Allows to not use all possible restrictions (e.g. use
--
2.34.1
3 months, 3 weeks
- 2
- 1
[PATCH] drm/sched: Remove job submit/free race when using unordered workqueues
by Tvrtko Ursulin
After commit f7fe64ad0f22 ("drm/sched: Split free_job into own work item")
and with drivers who use the unordered workqueue sched_jobs can be freed
in parallel as soon as the complete_all(&entity->entity_idle) is called.
This makes all dereferencing in the lower part of the worker unsafe so
lets fix it by moving the complete_all() call to after the worker is done
touching the job.
Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com>
Fixes: f7fe64ad0f22 ("drm/sched: Split free_job into own work item")
Cc: Christian König <christian.koenig(a)amd.com>
Cc: Danilo Krummrich <dakr(a)redhat.com>
Cc: Matthew Brost <matthew.brost(a)intel.com>
Cc: Philipp Stanner <pstanner(a)redhat.com>
Cc: <stable(a)vger.kernel.org> # v6.8+
---
drivers/gpu/drm/scheduler/sched_main.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c
index 57da84908752..f0d02c061c23 100644
--- a/drivers/gpu/drm/scheduler/sched_main.c
+++ b/drivers/gpu/drm/scheduler/sched_main.c
@@ -1188,7 +1188,6 @@ static void drm_sched_run_job_work(struct work_struct *w)
container_of(w, struct drm_gpu_scheduler, work_run_job);
struct drm_sched_entity *entity;
struct dma_fence *fence;
- struct drm_sched_fence *s_fence;
struct drm_sched_job *sched_job;
int r;
@@ -1207,15 +1206,12 @@ static void drm_sched_run_job_work(struct work_struct *w)
return;
}
- s_fence = sched_job->s_fence;
-
atomic_add(sched_job->credits, &sched->credit_count);
drm_sched_job_begin(sched_job);
trace_drm_run_job(sched_job, entity);
fence = sched->ops->run_job(sched_job);
- complete_all(&entity->entity_idle);
- drm_sched_fence_scheduled(s_fence, fence);
+ drm_sched_fence_scheduled(sched_job->s_fence, fence);
if (!IS_ERR_OR_NULL(fence)) {
/* Drop for original kref_init of the fence */
@@ -1232,6 +1228,7 @@ static void drm_sched_run_job_work(struct work_struct *w)
PTR_ERR(fence) : 0);
}
+ complete_all(&entity->entity_idle);
wake_up(&sched->job_scheduled);
drm_sched_run_job_queue(sched);
}
--
2.47.1
3 months, 3 weeks
- 1
- 0
[PATCH 1/2] Revert "drm/meson: vclk: fix calculation of 59.94 fractional rates"
by Christian Hewitt
This reverts commit bfbc68e4d8695497f858a45a142665e22a512ea3.
The patch does permit the offending YUV420 @ 59.94 phy_freq and
vclk_freq mode to match in calculations. It also results in all
fractional rates being unavailable for use. This was unintended
and requires the patch to be reverted.
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Christian Hewitt <christianshewitt(a)gmail.com>
---
drivers/gpu/drm/meson/meson_vclk.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/meson/meson_vclk.c b/drivers/gpu/drm/meson/meson_vclk.c
index 2a942dc6a6dc..2a82119eb58e 100644
--- a/drivers/gpu/drm/meson/meson_vclk.c
+++ b/drivers/gpu/drm/meson/meson_vclk.c
@@ -790,13 +790,13 @@ meson_vclk_vic_supported_freq(struct meson_drm *priv, unsigned int phy_freq,
FREQ_1000_1001(params[i].pixel_freq));
DRM_DEBUG_DRIVER("i = %d phy_freq = %d alt = %d\n",
i, params[i].phy_freq,
- FREQ_1000_1001(params[i].phy_freq/1000)*1000);
+ FREQ_1000_1001(params[i].phy_freq/10)*10);
/* Match strict frequency */
if (phy_freq == params[i].phy_freq &&
vclk_freq == params[i].vclk_freq)
return MODE_OK;
/* Match 1000/1001 variant */
- if (phy_freq == (FREQ_1000_1001(params[i].phy_freq/1000)*1000) &&
+ if (phy_freq == (FREQ_1000_1001(params[i].phy_freq/10)*10) &&
vclk_freq == FREQ_1000_1001(params[i].vclk_freq))
return MODE_OK;
}
@@ -1070,7 +1070,7 @@ void meson_vclk_setup(struct meson_drm *priv, unsigned int target,
for (freq = 0 ; params[freq].pixel_freq ; ++freq) {
if ((phy_freq == params[freq].phy_freq ||
- phy_freq == FREQ_1000_1001(params[freq].phy_freq/1000)*1000) &&
+ phy_freq == FREQ_1000_1001(params[freq].phy_freq/10)*10) &&
(vclk_freq == params[freq].vclk_freq ||
vclk_freq == FREQ_1000_1001(params[freq].vclk_freq))) {
if (vclk_freq != params[freq].vclk_freq)
--
2.34.1
3 months, 3 weeks
- 2
- 1
[PATCH net v2 2/5] vsock/bpf: return early if transport is not assigned
by Stefano Garzarella
Some of the core functions can only be called if the transport
has been assigned.
As Michal reported, a socket might have the transport at NULL,
for example after a failed connect(), causing the following trace:
BUG: kernel NULL pointer dereference, address: 00000000000000a0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 12faf8067 P4D 12faf8067 PUD 113670067 PMD 0
Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 15 UID: 0 PID: 1198 Comm: a.out Not tainted 6.13.0-rc2+
RIP: 0010:vsock_connectible_has_data+0x1f/0x40
Call Trace:
vsock_bpf_recvmsg+0xca/0x5e0
sock_recvmsg+0xb9/0xc0
__sys_recvfrom+0xb3/0x130
__x64_sys_recvfrom+0x20/0x30
do_syscall_64+0x93/0x180
entry_SYSCALL_64_after_hwframe+0x76/0x7e
So we need to check the `vsk->transport` in vsock_bpf_recvmsg(),
especially for connected sockets (stream/seqpacket) as we already
do in __vsock_connectible_recvmsg().
Fixes: 634f1a7110b4 ("vsock: support sockmap")
Cc: stable(a)vger.kernel.org
Reported-by: Michal Luczaj <mhal(a)rbox.co>
Closes: https://lore.kernel.org/netdev/5ca20d4c-1017-49c2-9516-f6f75fd331e9@rbox.co/
Tested-by: Michal Luczaj <mhal(a)rbox.co>
Reported-by: syzbot+3affdbfc986ecd9200fd(a)syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/677f84a8.050a0220.25a300.01b3.GAE@google.com/
Tested-by: syzbot+3affdbfc986ecd9200fd(a)syzkaller.appspotmail.com
Reviewed-by: Hyunwoo Kim <v4bel(a)theori.io>
Acked-by: Michael S. Tsirkin <mst(a)redhat.com>
Reviewed-by: Luigi Leonardi <leonardi(a)redhat.com>
Signed-off-by: Stefano Garzarella <sgarzare(a)redhat.com>
---
net/vmw_vsock/vsock_bpf.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/net/vmw_vsock/vsock_bpf.c b/net/vmw_vsock/vsock_bpf.c
index 4aa6e74ec295..f201d9eca1df 100644
--- a/net/vmw_vsock/vsock_bpf.c
+++ b/net/vmw_vsock/vsock_bpf.c
@@ -77,6 +77,7 @@ static int vsock_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
size_t len, int flags, int *addr_len)
{
struct sk_psock *psock;
+ struct vsock_sock *vsk;
int copied;
psock = sk_psock_get(sk);
@@ -84,6 +85,13 @@ static int vsock_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
return __vsock_recvmsg(sk, msg, len, flags);
lock_sock(sk);
+ vsk = vsock_sk(sk);
+
+ if (!vsk->transport) {
+ copied = -ENODEV;
+ goto out;
+ }
+
if (vsock_has_data(sk, psock) && sk_psock_queue_empty(psock)) {
release_sock(sk);
sk_psock_put(sk, psock);
@@ -108,6 +116,7 @@ static int vsock_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
copied = sk_msg_recvmsg(sk, psock, msg, len, flags);
}
+out:
release_sock(sk);
sk_psock_put(sk, psock);
--
2.47.1
3 months, 3 weeks
- 1
- 0
[PATCH 5.10 000/138] 5.10.233-rc1 review
by Greg Kroah-Hartman
This is the start of the stable review cycle for the 5.10.233 release.
There are 138 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed, 08 Jan 2025 15:11:04 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.233-r…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 5.10.233-rc1
Seiji Nishikawa <snishika(a)redhat.com>
mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim()
Biju Das <biju.das.jz(a)bp.renesas.com>
drm: adv7511: Drop dsi single lane support
Nikolay Kuratov <kniv(a)yandex-team.ru>
net/sctp: Prevent autoclose integer overflow in sctp_association_init()
Pascal Hambourg <pascal(a)plouf.fr.eu.org>
sky2: Add device ID 11ab:4373 for Marvell 88E8075
Evgenii Shatokhin <e.shatokhin(a)yadro.com>
pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking
Dan Carpenter <dan.carpenter(a)linaro.org>
RDMA/uverbs: Prevent integer overflow issue
Masahiro Yamada <masahiroy(a)kernel.org>
modpost: fix the missed iteration for the max bit in do_input()
Masahiro Yamada <masahiroy(a)kernel.org>
modpost: fix input MODULE_DEVICE_TABLE() built for 64-bit on 32-bit host
Zygo Blaxell <ce3g8jdj(a)umail.furryterror.org>
btrfs: don't set lock_owner when locking extent buffer for reading
Josef Bacik <josef(a)toxicpanda.com>
btrfs: locking: remove the recursion handling code
Leon Romanovsky <leon(a)kernel.org>
ARC: build: Try to guess GCC variant of cross compiler
Uros Bizjak <ubizjak(a)gmail.com>
irqchip/gic: Correct declaration of *percpu_base pointer in union gic_base
Daniele Palmas <dnlplm(a)gmail.com>
net: usb: qmi_wwan: add Telit FE910C04 compositions
Anton Protopopov <aspsk(a)isovalent.com>
bpf: fix potential error return
Adrian Ratiu <adrian.ratiu(a)collabora.com>
sound: usb: format: don't warn that raw DSD is unsupported
Filipe Manana <fdmanana(a)suse.com>
btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount
Emmanuel Grumbach <emmanuel.grumbach(a)intel.com>
wifi: mac80211: wake the queues in case of failure in resume
Lizhi Xu <lizhi.xu(a)windriver.com>
tracing: Prevent bad count for tracing_cpumask_write
Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp>
kernel: Initialize cpumask before parsing
Filipe Manana <fdmanana(a)suse.com>
btrfs: fix use-after-free when COWing tree bock and tracing is enabled
Filipe Manana <fdmanana(a)suse.com>
btrfs: rename and export __btrfs_cow_block()
Josef Bacik <josef(a)toxicpanda.com>
btrfs: locking: remove all the blocking helpers
Josef Bacik <josef(a)toxicpanda.com>
btrfs: switch extent buffer tree lock to rw_semaphore
Andy Shevchenko <andriy.shevchenko(a)linux.intel.com>
dmaengine: dw: Select only supported masters for ACPI devices
Eric Dumazet <edumazet(a)google.com>
ila: serialize calls to nf_register_net_hooks()
Eric Dumazet <edumazet(a)google.com>
af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK
Eric Dumazet <edumazet(a)google.com>
af_packet: fix vlan_get_tci() vs MSG_PEEK
Li Zhijian <lizhijian(a)fujitsu.com>
RDMA/rtrs: Ensure 'ib_sge list' is accessible
Vitalii Mordan <mordan(a)ispras.ru>
eth: bcmsysport: fix call balance of priv->clk handling routines
Tanya Agarwal <tanyaagarwal25699(a)gmail.com>
ALSA: usb-audio: US16x08: Initialize array before use
Antonio Pastor <antonio.pastor(a)gmail.com>
net: llc: reset skb->transport_header
Pablo Neira Ayuso <pablo(a)netfilter.org>
netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext
Ilya Shchipletsov <rabbelkin(a)mail.ru>
netrom: check buffer length before accessing it
Stefan Ekenberg <stefan.ekenberg(a)axis.com>
drm/bridge: adv7511_audio: Update Audio InfoFrame properly
Selvin Xavier <selvin.xavier(a)broadcom.com>
RDMA/bnxt_re: Fix the locking while accessing the QP table
Selvin Xavier <selvin.xavier(a)broadcom.com>
RDMA/bnxt_re: Fix max_qp_wrs reported
Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com>
RDMA/bnxt_re: Fix reporting hw_ver in query_device
Saravanan Vajravel <saravanan.vajravel(a)broadcom.com>
RDMA/bnxt_re: Add check for path mtu in modify_qp
Patrisious Haddad <phaddad(a)nvidia.com>
RDMA/mlx5: Enforce same type port association for multiport RoCE
Parav Pandit <parav(a)nvidia.com>
net/mlx5: Make API mlx5_core_is_ecpf accept const pointer
Kairui Song <kasong(a)tencent.com>
zram: fix uninitialized ZRAM not releasing backing device
Sergey Senozhatsky <senozhatsky(a)chromium.org>
drivers/block/zram/zram_drv.c: do not keep dangling zcomp pointer after zram reset
Christoph Hellwig <hch(a)lst.de>
zram: use set_capacity_and_notify
Christoph Hellwig <hch(a)lst.de>
block: remove the update_bdev parameter to set_capacity_revalidate_and_notify
Christoph Hellwig <hch(a)lst.de>
sd: update the bdev size in sd_revalidate_disk
Christoph Hellwig <hch(a)lst.de>
nvme: let set_capacity_revalidate_and_notify update the bdev size
Christoph Hellwig <hch(a)lst.de>
loop: let set_capacity_revalidate_and_notify update the bdev size
Mika Westerberg <mika.westerberg(a)linux.intel.com>
thunderbolt: Add support for Intel Panther Lake-M/P
Mika Westerberg <mika.westerberg(a)linux.intel.com>
thunderbolt: Add support for Intel Lunar Lake
Mika Westerberg <mika.westerberg(a)linux.intel.com>
thunderbolt: Add Intel Barlow Ridge PCI ID
Mika Westerberg <mika.westerberg(a)linux.intel.com>
thunderbolt: Add support for Intel Meteor Lake
George D Sworo <george.d.sworo(a)intel.com>
thunderbolt: Add support for Intel Raptor Lake
Azhar Shaikh <azhar.shaikh(a)intel.com>
thunderbolt: Add support for Intel Alder Lake
Thiébaud Weksteen <tweek(a)google.com>
selinux: ignore unknown extended permissions
Naman Jain <namjain(a)linux.microsoft.com>
x86/hyperv: Fix hv tsc page based sched_clock for hibernation
Eric Dumazet <edumazet(a)google.com>
ipv6: prevent possible UAF in ip6_xmit()
Vasily Averin <vvs(a)virtuozzo.com>
skb_expand_head() adjust skb->truesize incorrectly
Yang Erkun <yangerkun(a)huaweicloud.com>
nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net
Filipe Manana <fdmanana(a)suse.com>
btrfs: avoid monopolizing a core when activating a swap file
Dimitri Fedrau <dimitri.fedrau(a)liebherr.com>
power: supply: gpio-charger: Fix set charge current limits
Christian Göttsche <cgzones(a)googlemail.com>
tracing: Constify string literal data member in struct trace_event_call
Catalin Marinas <catalin.marinas(a)arm.com>
arm64: Ensure bits ASID[15:8] are masked out when the kernel uses 8-bit ASIDs
Yunfeng Ye <yeyunfeng(a)huawei.com>
arm64: mm: Rename asid2idx() to ctxid2asid()
Imre Deak <imre.deak(a)intel.com>
drm/dp_mst: Fix MST sideband message body length check
Jiayuan Chen <mrpre(a)163.com>
bpf: fix recursive lock when verdict program return SK_PASS
Hou Tao <houtao1(a)huawei.com>
bpf: Check validity of link->type in bpf_link_show_fdinfo()
Eric Dumazet <edumazet(a)google.com>
ipv6: fix possible UAF in ip6_finish_output2()
Vasily Averin <vvs(a)virtuozzo.com>
ipv6: use skb_expand_head in ip6_xmit
Vasily Averin <vvs(a)virtuozzo.com>
ipv6: use skb_expand_head in ip6_finish_output2
Vasily Averin <vvs(a)virtuozzo.com>
skbuff: introduce skb_expand_head()
Jiaxun Yang <jiaxun.yang(a)flygoat.com>
MIPS: Probe toolchain support of -msym32
Ming Lei <ming.lei(a)redhat.com>
virtio-blk: don't keep queue frozen during system suspend
Cathy Avery <cavery(a)redhat.com>
scsi: storvsc: Do not flag MAINTENANCE_IN return of SRB_STATUS_DATA_OVERRUN as an error
Ranjan Kumar <ranjan.kumar(a)broadcom.com>
scsi: mpt3sas: Diag-Reset when Doorbell-In-Use bit is set during driver load time
Armin Wolf <W_Armin(a)gmx.de>
platform/x86: asus-nb-wmi: Ignore unknown event 0xCF
Mark Brown <broonie(a)kernel.org>
regmap: Use correct format specifier for logging range errors
bo liu <bo.liu(a)senarytech.com>
ALSA: hda/conexant: fix Z60MR100 startup pop issue
Tomas Henzl <thenzl(a)redhat.com>
scsi: megaraid_sas: Fix for a potential deadlock
Magnus Lindholm <linmag7(a)gmail.com>
scsi: qla1280: Fix hw revision numbering for ISP1020/1040
James Hilliard <james.hilliard1(a)gmail.com>
watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04
Masami Hiramatsu (Google) <mhiramat(a)kernel.org>
tracing/kprobe: Make trace_kprobe's module callback called after jump_label update
Dan Carpenter <dan.carpenter(a)linaro.org>
mtd: rawnand: fix double free in atmel_pmecc_create_user()
Chen Ridong <chenridong(a)huawei.com>
dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset
Javier Carrasco <javier.carrasco.cruz(a)gmail.com>
dmaengine: mv_xor: fix child node refcount handling in early exit
Zijun Hu <quic_zijuhu(a)quicinc.com>
phy: core: Fix that API devm_phy_destroy() fails to destroy the phy
Zijun Hu <quic_zijuhu(a)quicinc.com>
phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider
Zijun Hu <quic_zijuhu(a)quicinc.com>
phy: core: Fix that API devm_phy_put() fails to release the phy
Zijun Hu <quic_zijuhu(a)quicinc.com>
phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup()
Zijun Hu <quic_zijuhu(a)quicinc.com>
phy: core: Fix an OF node refcount leakage in _of_phy_get()
Zichen Xie <zichenxie0106(a)gmail.com>
mtd: diskonchip: Cast an operand to prevent potential overflow
NeilBrown <neilb(a)suse.de>
nfsd: restore callback functionality for NFSv4.0
Cong Wang <cong.wang(a)bytedance.com>
bpf: Check negative offsets in __bpf_skb_min_len()
Cong Wang <cong.wang(a)bytedance.com>
tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress()
Bart Van Assche <bvanassche(a)acm.org>
mm/vmstat: fix a W=1 clang compiler warning
Nikita Zhandarovich <n.zhandarovich(a)fintech.ru>
media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg
Xuewen Yan <xuewen.yan(a)unisoc.com>
epoll: Add synchronous wakeup support for ep_poll_callback
Ilya Dryomov <idryomov(a)gmail.com>
ceph: validate snapdirname option length when mounting
Zijun Hu <quic_zijuhu(a)quicinc.com>
of: Fix refcount leakage for OF node returned by __of_get_dma_parent()
Herve Codina <herve.codina(a)bootlin.com>
of: Fix error path in of_parse_phandle_with_args_map()
Jann Horn <jannh(a)google.com>
udmabuf: also check for F_SEAL_FUTURE_WRITE
Edward Adam Davis <eadavis(a)qq.com>
nilfs2: prevent use of deleted inode
Zijun Hu <quic_zijuhu(a)quicinc.com>
of/irq: Fix using uninitialized variable @addr_len in API of_irq_parse_one()
Trond Myklebust <trond.myklebust(a)hammerspace.com>
NFS/pnfs: Fix a live lock between recalled layouts and layoutget
Michael Kelley <mhklinux(a)outlook.com>
Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet
Qu Wenruo <wqu(a)suse.com>
btrfs: tree-checker: reject inline extent items with 0 ref count
Kairui Song <kasong(a)tencent.com>
zram: refuse to use zero sized block device as backing device
Geert Uytterhoeven <geert+renesas(a)glider.be>
sh: clk: Fix clk_enable() to return 0 on NULL clk
Murad Masimov <m.masimov(a)maxima.ru>
hwmon: (tmp513) Fix interpretation of values of Temperature Result and Limit Registers
Ville Syrjälä <ville.syrjala(a)linux.intel.com>
drm/modes: Avoid divide by zero harder in drm_mode_vrefresh()
Daniele Palmas <dnlplm(a)gmail.com>
USB: serial: option: add Telit FE910C04 rmnet compositions
Jack Wu <wojackbb(a)gmail.com>
USB: serial: option: add MediaTek T7XX compositions
Mank Wang <mank.wang(a)netprisma.com>
USB: serial: option: add Netprisma LCUK54 modules for WWAN Ready
Michal Hrusecky <michal.hrusecky(a)turris.com>
USB: serial: option: add MeiG Smart SLM770A
Daniel Swanemar <d.swanemar(a)gmail.com>
USB: serial: option: add TCL IK512 MBIM & ECM
James Bottomley <James.Bottomley(a)HansenPartnership.com>
efivarfs: Fix error on non-existent file
Geert Uytterhoeven <geert+renesas(a)glider.be>
i2c: riic: Always round-up when calculating bus period
Dan Carpenter <dan.carpenter(a)linaro.org>
chelsio/chtls: prevent potential integer overflow on 32bit
Prathamesh Shete <pshete(a)nvidia.com>
mmc: sdhci-tegra: Remove SDHCI_QUIRK_BROKEN_ADMA_ZEROLEN_DESC quirk
Phil Sutter <phil(a)nwl.cc>
netfilter: ipset: Fix for recursive locking warning
Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp>
net: ethernet: bgmac-platform: fix an OF node reference leak
Dan Carpenter <dan.carpenter(a)linaro.org>
net: hinic: Fix cleanup in create_rxqs/txqs()
Shannon Nelson <shannon.nelson(a)amd.com>
ionic: use ee->offset when returning sprom data
Eric Dumazet <edumazet(a)google.com>
netdevsim: prevent bad user input in nsim_dev_health_break_write()
Wei Yongjun <weiyongjun1(a)huawei.com>
netdevsim: switch to memdup_user_nul()
Guangguan Wang <guangguan.wang(a)linux.alibaba.com>
net/smc: check return value of sock_recvmsg when draining clc data
Guangguan Wang <guangguan.wang(a)linux.alibaba.com>
net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg
Guangguan Wang <guangguan.wang(a)linux.alibaba.com>
net/smc: check sndbuf_space again after NOSPACE flag is set in smc_poll
Gao Xiang <hsiangkao(a)linux.alibaba.com>
erofs: fix incorrect symlink detection in fast symlink
Gao Xiang <hsiangkao(a)linux.alibaba.com>
erofs: fix order >= MAX_ORDER warning due to crafted negative i_size
Vladimir Riabchun <ferr.lambarginio(a)gmail.com>
i2c: pnx: Fix timeout in wait functions
Peng Hongchi <hongchi.peng(a)siengine.com>
usb: dwc2: gadget: Don't write invalid mapped sg entries into dma_desc with iommu enabled
Roger Quadros <rogerq(a)kernel.org>
usb: cdns3: Add quirk flag to enable suspend residency
Ajit Khaparde <ajit.khaparde(a)broadcom.com>
PCI: Add ACS quirk for Broadcom BCM5760X NIC
Takashi Iwai <tiwai(a)suse.de>
ALSA: usb: Fix UBSAN warning in parse_audio_unit()
Jiaxun Yang <jiaxun.yang(a)flygoat.com>
MIPS: Loongson64: DTS: Fix msi node for ls7a
Vidya Sagar <vidyas(a)nvidia.com>
PCI: Use preserve_config in place of pci_flags
Kai-Heng Feng <kai.heng.feng(a)canonical.com>
PCI/AER: Disable AER service on suspend
Lion Ackermann <nnamrec(a)gmail.com>
net: sched: fix ordering of qlen adjustment
-------------
Diffstat:
Makefile | 4 +-
arch/arc/Makefile | 2 +-
arch/arm64/mm/context.c | 22 +-
arch/mips/Makefile | 2 +-
.../boot/dts/loongson/loongson64g_4core_ls7a.dts | 1 +
arch/x86/kernel/cpu/mshyperv.c | 58 +++
block/genhd.c | 13 +-
drivers/base/regmap/regmap.c | 4 +-
drivers/block/loop.c | 8 +-
drivers/block/virtio_blk.c | 9 +-
drivers/block/xen-blkfront.c | 2 +-
drivers/block/zram/zram_drv.c | 35 +-
drivers/clocksource/hyperv_timer.c | 14 +-
drivers/dma-buf/udmabuf.c | 2 +-
drivers/dma/at_xdmac.c | 2 +
drivers/dma/dw/acpi.c | 6 +-
drivers/dma/dw/internal.h | 6 +
drivers/dma/dw/pci.c | 4 +-
drivers/dma/mv_xor.c | 2 +
drivers/gpu/drm/bridge/adv7511/adv7511_audio.c | 14 +-
drivers/gpu/drm/bridge/adv7511/adv7533.c | 2 +-
drivers/gpu/drm/drm_dp_mst_topology.c | 3 +
drivers/gpu/drm/drm_modes.c | 11 +-
drivers/hv/hv_kvp.c | 6 +
drivers/hv/hv_snapshot.c | 6 +
drivers/hv/hv_util.c | 9 +
drivers/hv/hyperv_vmbus.h | 2 +
drivers/hwmon/tmp513.c | 2 +-
drivers/i2c/busses/i2c-pnx.c | 4 +-
drivers/i2c/busses/i2c-riic.c | 2 +-
drivers/infiniband/core/uverbs_cmd.c | 16 +-
drivers/infiniband/hw/bnxt_re/ib_verbs.c | 28 +-
drivers/infiniband/hw/bnxt_re/qplib_fp.c | 2 +
drivers/infiniband/hw/bnxt_re/qplib_sp.c | 2 +-
drivers/infiniband/hw/mlx5/main.c | 6 +-
drivers/infiniband/ulp/rtrs/rtrs-srv.c | 2 +-
drivers/irqchip/irq-gic.c | 2 +-
drivers/media/dvb-frontends/dib3000mb.c | 2 +-
drivers/mmc/host/sdhci-tegra.c | 1 -
drivers/mtd/nand/raw/atmel/pmecc.c | 4 +-
drivers/mtd/nand/raw/diskonchip.c | 2 +-
drivers/net/ethernet/broadcom/bcmsysport.c | 21 +-
drivers/net/ethernet/broadcom/bgmac-platform.c | 5 +-
.../chelsio/inline_crypto/chtls/chtls_main.c | 5 +-
drivers/net/ethernet/huawei/hinic/hinic_main.c | 2 +
drivers/net/ethernet/marvell/sky2.c | 1 +
.../net/ethernet/pensando/ionic/ionic_ethtool.c | 4 +-
drivers/net/netdevsim/health.c | 13 +-
drivers/net/usb/qmi_wwan.c | 3 +
drivers/nvme/host/core.c | 5 +-
drivers/of/address.c | 2 +-
drivers/of/base.c | 15 +-
drivers/of/irq.c | 1 +
drivers/pci/controller/pci-host-common.c | 4 -
drivers/pci/pcie/aer.c | 18 +
drivers/pci/probe.c | 22 +-
drivers/pci/quirks.c | 4 +
drivers/phy/phy-core.c | 21 +-
drivers/pinctrl/pinctrl-mcp23s08.c | 6 +
drivers/platform/x86/asus-nb-wmi.c | 1 +
drivers/power/supply/gpio-charger.c | 8 +
drivers/scsi/megaraid/megaraid_sas_base.c | 5 +-
drivers/scsi/mpt3sas/mpt3sas_base.c | 7 +-
drivers/scsi/qla1280.h | 12 +-
drivers/scsi/sd.c | 9 +-
drivers/scsi/storvsc_drv.c | 7 +-
drivers/sh/clk/core.c | 2 +-
drivers/thunderbolt/icm.c | 7 +
drivers/thunderbolt/nhi.c | 28 ++
drivers/thunderbolt/nhi.h | 15 +
drivers/usb/cdns3/core.h | 1 +
drivers/usb/cdns3/drd.c | 10 +-
drivers/usb/cdns3/drd.h | 3 +
drivers/usb/dwc2/gadget.c | 4 +-
drivers/usb/serial/option.c | 27 ++
drivers/watchdog/it87_wdt.c | 39 ++
fs/btrfs/backref.c | 10 +-
fs/btrfs/ctree.c | 128 ++----
fs/btrfs/ctree.h | 7 +
fs/btrfs/delayed-inode.c | 7 -
fs/btrfs/disk-io.c | 17 +-
fs/btrfs/extent-tree.c | 19 +-
fs/btrfs/extent_io.c | 13 +-
fs/btrfs/extent_io.h | 21 +-
fs/btrfs/file.c | 3 +-
fs/btrfs/inode.c | 3 +-
fs/btrfs/locking.c | 447 ++-------------------
fs/btrfs/locking.h | 13 +-
fs/btrfs/print-tree.c | 11 +-
fs/btrfs/qgroup.c | 9 +-
fs/btrfs/ref-verify.c | 6 +-
fs/btrfs/relocation.c | 4 -
fs/btrfs/transaction.c | 2 -
fs/btrfs/tree-checker.c | 27 +-
fs/btrfs/tree-defrag.c | 1 -
fs/btrfs/tree-log.c | 3 -
fs/ceph/super.c | 2 +
fs/efivarfs/inode.c | 2 +-
fs/efivarfs/internal.h | 1 -
fs/efivarfs/super.c | 3 -
fs/erofs/inode.c | 20 +-
fs/eventpoll.c | 5 +-
fs/nfs/pnfs.c | 2 +-
fs/nfsd/nfs4callback.c | 4 +-
fs/nfsd/nfs4state.c | 2 +-
fs/nilfs2/inode.c | 8 +-
fs/nilfs2/namei.c | 5 +
include/clocksource/hyperv_timer.h | 2 +
include/linux/genhd.h | 3 +-
include/linux/hyperv.h | 1 +
include/linux/if_vlan.h | 16 +-
include/linux/mlx5/driver.h | 8 +-
include/linux/skbuff.h | 1 +
include/linux/trace_events.h | 2 +-
include/linux/vmstat.h | 2 +-
include/linux/wait.h | 1 +
include/net/netfilter/nf_tables.h | 7 +-
include/net/sock.h | 10 +-
kernel/bpf/core.c | 6 +-
kernel/bpf/syscall.c | 13 +-
kernel/irq/proc.c | 4 +-
kernel/profile.c | 2 +-
kernel/trace/trace.c | 5 +-
kernel/trace/trace_kprobe.c | 2 +-
mm/vmscan.c | 9 +-
net/core/filter.c | 21 +-
net/core/skbuff.c | 52 +++
net/core/skmsg.c | 4 +-
net/ipv4/tcp_bpf.c | 2 +-
net/ipv6/ila/ila_xlat.c | 16 +-
net/ipv6/ip6_output.c | 86 ++--
net/llc/llc_input.c | 2 +-
net/mac80211/util.c | 3 +
net/netfilter/ipset/ip_set_list_set.c | 3 +
net/netrom/nr_route.c | 6 +
net/packet/af_packet.c | 28 +-
net/sched/sch_cake.c | 2 +-
net/sched/sch_choke.c | 2 +-
net/sctp/associola.c | 3 +-
net/smc/af_smc.c | 13 +-
net/smc/smc_clc.c | 9 +
net/smc/smc_clc.h | 6 +-
scripts/mod/file2alias.c | 4 +-
security/selinux/ss/services.c | 8 +-
sound/pci/hda/patch_conexant.c | 28 ++
sound/usb/format.c | 7 +-
sound/usb/mixer.c | 7 +
sound/usb/mixer_us16x08.c | 2 +-
148 files changed, 934 insertions(+), 940 deletions(-)
3 months, 3 weeks
- 11
- 155
[PATCH v3 05/10] btrfs: do proper folio cleanup when run_delalloc_nocow() failed
by Qu Wenruo
[BUG]
With CONFIG_DEBUG_VM set, test case generic/476 has some chance to crash
with the following VM_BUG_ON_FOLIO():
BTRFS error (device dm-3): cow_file_range failed, start 1146880 end 1253375 len 106496 ret -28
BTRFS error (device dm-3): run_delalloc_nocow failed, start 1146880 end 1253375 len 106496 ret -28
page: refcount:4 mapcount:0 mapping:00000000592787cc index:0x12 pfn:0x10664
aops:btrfs_aops [btrfs] ino:101 dentry name(?):"f1774"
flags: 0x2fffff80004028(uptodate|lru|private|node=0|zone=2|lastcpupid=0xfffff)
page dumped because: VM_BUG_ON_FOLIO(!folio_test_locked(folio))
------------[ cut here ]------------
kernel BUG at mm/page-writeback.c:2992!
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
CPU: 2 UID: 0 PID: 3943513 Comm: kworker/u24:15 Tainted: G OE 6.12.0-rc7-custom+ #87
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022
Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]
pc : folio_clear_dirty_for_io+0x128/0x258
lr : folio_clear_dirty_for_io+0x128/0x258
Call trace:
folio_clear_dirty_for_io+0x128/0x258
btrfs_folio_clamp_clear_dirty+0x80/0xd0 [btrfs]
__process_folios_contig+0x154/0x268 [btrfs]
extent_clear_unlock_delalloc+0x5c/0x80 [btrfs]
run_delalloc_nocow+0x5f8/0x760 [btrfs]
btrfs_run_delalloc_range+0xa8/0x220 [btrfs]
writepage_delalloc+0x230/0x4c8 [btrfs]
extent_writepage+0xb8/0x358 [btrfs]
extent_write_cache_pages+0x21c/0x4e8 [btrfs]
btrfs_writepages+0x94/0x150 [btrfs]
do_writepages+0x74/0x190
filemap_fdatawrite_wbc+0x88/0xc8
start_delalloc_inodes+0x178/0x3a8 [btrfs]
btrfs_start_delalloc_roots+0x174/0x280 [btrfs]
shrink_delalloc+0x114/0x280 [btrfs]
flush_space+0x250/0x2f8 [btrfs]
btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]
process_one_work+0x164/0x408
worker_thread+0x25c/0x388
kthread+0x100/0x118
ret_from_fork+0x10/0x20
Code: 910a8021 a90363f7 a9046bf9 94012379 (d4210000)
---[ end trace 0000000000000000 ]---
[CAUSE]
The first two lines of extra debug messages show the problem is caused
by the error handling of run_delalloc_nocow().
E.g. we have the following dirtied range (4K blocksize 4K page size):
0 16K 32K
|//////////////////////////////////////|
| Pre-allocated |
And the range [0, 16K) has a preallocated extent.
- Enter run_delalloc_nocow() for range [0, 16K)
Which found range [0, 16K) is preallocated, can do the proper NOCOW
write.
- Enter fallback_to_fow() for range [16K, 32K)
Since the range [16K, 32K) is not backed by preallocated extent, we
have to go COW.
- cow_file_range() failed for range [16K, 32K)
So cow_file_range() will do the clean up by clearing folio dirty,
unlock the folios.
Now the folios in range [16K, 32K) is unlocked.
- Enter extent_clear_unlock_delalloc() from run_delalloc_nocow()
Which is called with PAGE_START_WRITEBACK to start page writeback.
But folios can only be marked writeback when it's properly locked,
thus this triggered the VM_BUG_ON_FOLIO().
Furthermore there is another hidden but common bug that
run_delalloc_nocow() is not clearing the folio dirty flags in its error
handling path.
This is the common bug shared between run_delalloc_nocow() and
cow_file_range().
[FIX]
- Clear folio dirty for range [@start, @cur_offset)
Introduce a helper, cleanup_dirty_folios(), which
will find and lock the folio in the range, clear the dirty flag and
start/end the writeback, with the extra handling for the
@locked_folio.
- Introduce a helper to clear folio dirty, start and end writeback
- Introduce a helper to record the last failed COW range end
This is to trace which range we should skip, to avoid double
unlocking.
- Skip the failed COW range for the error handling
Cc: stable(a)vger.kernel.org
Reviewed-by: Boris Burkov <boris(a)bur.io>
Signed-off-by: Qu Wenruo <wqu(a)suse.com>
---
fs/btrfs/inode.c | 98 ++++++++++++++++++++++++++++++++++++++++++----
fs/btrfs/subpage.h | 13 ++++++
2 files changed, 104 insertions(+), 7 deletions(-)
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index 1afbeaf3cf4c..a450fc080ca3 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -1958,6 +1958,54 @@ static int can_nocow_file_extent(struct btrfs_path *path,
return ret < 0 ? ret : can_nocow;
}
+/*
+ * To cleanup the dirty folios which will never be submitted due to
+ * error.
+ *
+ * When running a delalloc range, we may need to split the ranges (due to
+ * fragmentation or NOCOW limit). If we hit an error in the later part,
+ * we will error out and previously successfully executed range will never
+ * be submitted, thus we have to cleanup those folios by clear their
+ * dirty flag, start and finish the writeback.
+ */
+static void cleanup_dirty_folios(struct btrfs_inode *inode,
+ struct folio *locked_folio,
+ u64 start, u64 end, int error)
+{
+ struct btrfs_fs_info *fs_info = inode->root->fs_info;
+ struct address_space *mapping = inode->vfs_inode.i_mapping;
+ pgoff_t start_index = start >> PAGE_SHIFT;
+ pgoff_t end_index = end >> PAGE_SHIFT;
+ u32 len;
+
+ ASSERT(end + 1 - start < U32_MAX);
+ ASSERT(IS_ALIGNED(start, fs_info->sectorsize) &&
+ IS_ALIGNED(end + 1, fs_info->sectorsize));
+ len = end + 1 - start;
+
+ /*
+ * Handle the locked folio first.
+ * btrfs_folio_clamp_*() helpers can handle range out of the folio case.
+ */
+ btrfs_folio_clamp_finish_io(fs_info, locked_folio, start, len);
+
+ for (pgoff_t index = start_index; index <= end_index; index++) {
+ struct folio *folio;
+
+ /* Already handled at the beginning. */
+ if (index == locked_folio->index)
+ continue;
+ folio = __filemap_get_folio(mapping, index, FGP_LOCK, GFP_NOFS);
+ /* Cache already dropped, no need to do any cleanup. */
+ if (IS_ERR(folio))
+ continue;
+ btrfs_folio_clamp_finish_io(fs_info, locked_folio, start, len);
+ folio_unlock(folio);
+ folio_put(folio);
+ }
+ mapping_set_error(mapping, error);
+}
+
/*
* when nowcow writeback call back. This checks for snapshots or COW copies
* of the extents that exist in the file, and COWs the file as required.
@@ -1973,6 +2021,11 @@ static noinline int run_delalloc_nocow(struct btrfs_inode *inode,
struct btrfs_root *root = inode->root;
struct btrfs_path *path;
u64 cow_start = (u64)-1;
+ /*
+ * If not 0, represents the inclusive end of the last fallback_to_cow()
+ * range. Only for error handling.
+ */
+ u64 cow_end = 0;
u64 cur_offset = start;
int ret;
bool check_prev = true;
@@ -2133,6 +2186,7 @@ static noinline int run_delalloc_nocow(struct btrfs_inode *inode,
found_key.offset - 1);
cow_start = (u64)-1;
if (ret) {
+ cow_end = found_key.offset - 1;
btrfs_dec_nocow_writers(nocow_bg);
goto error;
}
@@ -2206,11 +2260,12 @@ static noinline int run_delalloc_nocow(struct btrfs_inode *inode,
cow_start = cur_offset;
if (cow_start != (u64)-1) {
- cur_offset = end;
ret = fallback_to_cow(inode, locked_folio, cow_start, end);
cow_start = (u64)-1;
- if (ret)
+ if (ret) {
+ cow_end = end;
goto error;
+ }
}
btrfs_free_path(path);
@@ -2218,12 +2273,41 @@ static noinline int run_delalloc_nocow(struct btrfs_inode *inode,
error:
/*
- * If an error happened while a COW region is outstanding, cur_offset
- * needs to be reset to cow_start to ensure the COW region is unlocked
- * as well.
+ * There are several error cases:
+ *
+ * 1) Failed without falling back to COW
+ * start cur_offset end
+ * |/////////////| |
+ *
+ * For range [start, cur_offset) the folios are already unlocked (except
+ * @locked_folio), EXTENT_DELALLOC already removed.
+ * Only need to clear the dirty flag as they will never be submitted.
+ * Ordered extent and extent maps are handled by
+ * btrfs_mark_ordered_io_finished() inside run_delalloc_range().
+ *
+ * 2) Failed with error from fallback_to_cow()
+ * start cur_offset cow_end end
+ * |/////////////|-----------| |
+ *
+ * For range [start, cur_offset) it's the same as case 1).
+ * But for range [cur_offset, cow_end), the folios have dirty flag
+ * cleared and unlocked, EXTENT_DEALLLOC cleared by cow_file_range().
+ *
+ * Thus we should not call extent_clear_unlock_delalloc() on range
+ * [cur_offset, cow_end), as the folios are already unlocked.
+ *
+ * So clear the folio dirty flags for [start, cur_offset) first.
*/
- if (cow_start != (u64)-1)
- cur_offset = cow_start;
+ if (cur_offset > start)
+ cleanup_dirty_folios(inode, locked_folio, start, cur_offset - 1, ret);
+
+ /*
+ * If an error happened while a COW region is outstanding, cur_offset
+ * needs to be reset to @cow_end + 1 to skip the COW range, as
+ * cow_file_range() will do the proper cleanup at error.
+ */
+ if (cow_end)
+ cur_offset = cow_end + 1;
/*
* We need to lock the extent here because we're clearing DELALLOC and
diff --git a/fs/btrfs/subpage.h b/fs/btrfs/subpage.h
index 428fa9389fd4..44fff1f4eac4 100644
--- a/fs/btrfs/subpage.h
+++ b/fs/btrfs/subpage.h
@@ -137,6 +137,19 @@ DECLARE_BTRFS_SUBPAGE_OPS(writeback);
DECLARE_BTRFS_SUBPAGE_OPS(ordered);
DECLARE_BTRFS_SUBPAGE_OPS(checked);
+/*
+ * Helper for error cleanup, where a folio will have its dirty flag cleared,
+ * with writeback started and finished.
+ */
+static inline void btrfs_folio_clamp_finish_io(struct btrfs_fs_info *fs_info,
+ struct folio *locked_folio,
+ u64 start, u32 len)
+{
+ btrfs_folio_clamp_clear_dirty(fs_info, locked_folio, start, len);
+ btrfs_folio_clamp_set_writeback(fs_info, locked_folio, start, len);
+ btrfs_folio_clamp_clear_writeback(fs_info, locked_folio, start, len);
+}
+
bool btrfs_subpage_clear_and_test_dirty(const struct btrfs_fs_info *fs_info,
struct folio *folio, u64 start, u32 len);
--
2.47.1
3 months, 3 weeks
- 1
- 0
[PATCH v3 04/10] btrfs: do proper folio cleanup when cow_file_range() failed
by Qu Wenruo
[BUG]
When testing with COW fixup marked as BUG_ON() (this is involved with the
new pin_user_pages*() change, which should not result new out-of-band
dirty pages), I hit a crash triggered by the BUG_ON() from hitting COW
fixup path.
This BUG_ON() happens just after a failed btrfs_run_delalloc_range():
BTRFS error (device dm-2): failed to run delalloc range, root 348 ino 405 folio 65536 submit_bitmap 6-15 start 90112 len 106496: -28
------------[ cut here ]------------
kernel BUG at fs/btrfs/extent_io.c:1444!
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
CPU: 0 UID: 0 PID: 434621 Comm: kworker/u24:8 Tainted: G OE 6.12.0-rc7-custom+ #86
Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022
Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]
pc : extent_writepage_io+0x2d4/0x308 [btrfs]
lr : extent_writepage_io+0x2d4/0x308 [btrfs]
Call trace:
extent_writepage_io+0x2d4/0x308 [btrfs]
extent_writepage+0x218/0x330 [btrfs]
extent_write_cache_pages+0x1d4/0x4b0 [btrfs]
btrfs_writepages+0x94/0x150 [btrfs]
do_writepages+0x74/0x190
filemap_fdatawrite_wbc+0x88/0xc8
start_delalloc_inodes+0x180/0x3b0 [btrfs]
btrfs_start_delalloc_roots+0x174/0x280 [btrfs]
shrink_delalloc+0x114/0x280 [btrfs]
flush_space+0x250/0x2f8 [btrfs]
btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]
process_one_work+0x164/0x408
worker_thread+0x25c/0x388
kthread+0x100/0x118
ret_from_fork+0x10/0x20
Code: aa1403e1 9402f3ef aa1403e0 9402f36f (d4210000)
---[ end trace 0000000000000000 ]---
[CAUSE]
That failure is mostly from cow_file_range(), where we can hit -ENOSPC.
Although the -ENOSPC is already a bug related to our space reservation
code, let's just focus on the error handling.
For example, we have the following dirty range [0, 64K) of an inode,
with 4K sector size and 4K page size:
0 16K 32K 48K 64K
|///////////////////////////////////////|
|#######################################|
Where |///| means page are still dirty, and |###| means the extent io
tree has EXTENT_DELALLOC flag.
- Enter extent_writepage() for page 0
- Enter btrfs_run_delalloc_range() for range [0, 64K)
- Enter cow_file_range() for range [0, 64K)
- Function btrfs_reserve_extent() only reserved one 16K extent
So we created extent map and ordered extent for range [0, 16K)
0 16K 32K 48K 64K
|////////|//////////////////////////////|
|<- OE ->|##############################|
And range [0, 16K) has its delalloc flag cleared.
But since we haven't yet submit any bio, involved 4 pages are still
dirty.
- Function btrfs_reserve_extent() return with -ENOSPC
Now we have to run error cleanup, which will clear all
EXTENT_DELALLOC* flags and clear the dirty flags for the remaining
ranges:
0 16K 32K 48K 64K
|////////| |
| | |
Note that range [0, 16K) still has their pages dirty.
- Some time later, writeback are triggered again for the range [0, 16K)
since the page range still have dirty flags.
- btrfs_run_delalloc_range() will do nothing because there is no
EXTENT_DELALLOC flag.
- extent_writepage_io() find page 0 has no ordered flag
Which falls into the COW fixup path, triggering the BUG_ON().
Unfortunately this error handling bug dates back to the introduction of btrfs.
Thankfully with the abuse of cow fixup, at least it won't crash the
kernel.
[FIX]
Instead of immediately unlock the extent and folios, we keep the extent
and folios locked until either erroring out or the whole delalloc range
finished.
When the whole delalloc range finished without error, we just unlock the
whole range with PAGE_SET_ORDERED (and PAGE_UNLOCK for !keep_locked
cases), with EXTENT_DELALLOC and EXTENT_LOCKED cleared.
And those involved folios will be properly submitted, with their dirty
flags cleared during submission.
For the error path, it will be a little more complex:
- The range with ordered extent allocated (range (1))
We only clear the EXTENT_DELALLOC and EXTENT_LOCKED, as the remaining
flags are cleaned up by
btrfs_mark_ordered_io_finished()->btrfs_finish_one_ordered().
For folios we finish the IO (clear dirty, start writeback and
immediately finish the writeback) and unlock the folios.
- The range with reserved extent but no ordered extent (range(2))
- The range we never touched (range(3))
For both range (2) and range(3) the behavior is not changed.
Now even if cow_file_range() failed halfway with some successfully
reserved extents/ordered extents, we will keep all folios clean, so
there will be no future writeback triggered on them.
Cc: stable(a)vger.kernel.org
Reviewed-by: Boris Burkov <boris(a)bur.io>
Signed-off-by: Qu Wenruo <wqu(a)suse.com>
---
fs/btrfs/inode.c | 65 ++++++++++++++++++++++++------------------------
1 file changed, 32 insertions(+), 33 deletions(-)
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index e1c9bd673118..1afbeaf3cf4c 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -1364,6 +1364,17 @@ static noinline int cow_file_range(struct btrfs_inode *inode,
alloc_hint = btrfs_get_extent_allocation_hint(inode, start, num_bytes);
+ /*
+ * We're not doing compressed IO, don't unlock the first page
+ * (which the caller expects to stay locked), don't clear any
+ * dirty bits and don't set any writeback bits
+ *
+ * Do set the Ordered (Private2) bit so we know this page was
+ * properly setup for writepage.
+ */
+ page_ops = (keep_locked ? 0 : PAGE_UNLOCK);
+ page_ops |= PAGE_SET_ORDERED;
+
/*
* Relocation relies on the relocated extents to have exactly the same
* size as the original extents. Normally writeback for relocation data
@@ -1423,6 +1434,10 @@ static noinline int cow_file_range(struct btrfs_inode *inode,
file_extent.offset = 0;
file_extent.compression = BTRFS_COMPRESS_NONE;
+ /*
+ * Locked range will be released either during error clean up or
+ * after the whole range is finished.
+ */
lock_extent(&inode->io_tree, start, start + cur_alloc_size - 1,
&cached);
@@ -1468,21 +1483,6 @@ static noinline int cow_file_range(struct btrfs_inode *inode,
btrfs_dec_block_group_reservations(fs_info, ins.objectid);
- /*
- * We're not doing compressed IO, don't unlock the first page
- * (which the caller expects to stay locked), don't clear any
- * dirty bits and don't set any writeback bits
- *
- * Do set the Ordered flag so we know this page was
- * properly setup for writepage.
- */
- page_ops = (keep_locked ? 0 : PAGE_UNLOCK);
- page_ops |= PAGE_SET_ORDERED;
-
- extent_clear_unlock_delalloc(inode, start, start + cur_alloc_size - 1,
- locked_folio, &cached,
- EXTENT_LOCKED | EXTENT_DELALLOC,
- page_ops);
if (num_bytes < cur_alloc_size)
num_bytes = 0;
else
@@ -1499,6 +1499,9 @@ static noinline int cow_file_range(struct btrfs_inode *inode,
if (ret)
goto out_unlock;
}
+ extent_clear_unlock_delalloc(inode, orig_start, end, locked_folio, &cached,
+ EXTENT_LOCKED | EXTENT_DELALLOC,
+ page_ops);
done:
if (done_offset)
*done_offset = end;
@@ -1519,35 +1522,31 @@ static noinline int cow_file_range(struct btrfs_inode *inode,
* We process each region below.
*/
- clear_bits = EXTENT_LOCKED | EXTENT_DELALLOC | EXTENT_DELALLOC_NEW |
- EXTENT_DEFRAG | EXTENT_CLEAR_META_RESV;
- page_ops = PAGE_UNLOCK | PAGE_START_WRITEBACK | PAGE_END_WRITEBACK;
-
/*
* For the range (1). We have already instantiated the ordered extents
* for this region. They are cleaned up by
* btrfs_cleanup_ordered_extents() in e.g,
- * btrfs_run_delalloc_range(). EXTENT_LOCKED | EXTENT_DELALLOC are
- * already cleared in the above loop. And, EXTENT_DELALLOC_NEW |
- * EXTENT_DEFRAG | EXTENT_CLEAR_META_RESV are handled by the cleanup
- * function.
+ * btrfs_run_delalloc_range().
+ * EXTENT_DELALLOC_NEW | EXTENT_DEFRAG | EXTENT_CLEAR_META_RESV
+ * are also handled by the cleanup function.
*
- * However, in case of @keep_locked, we still need to unlock the pages
- * (except @locked_folio) to ensure all the pages are unlocked.
+ * So here we only clear EXTENT_LOCKED and EXTENT_DELALLOC flag,
+ * and finish the writeback of the involved folios, which will be
+ * never submitted.
*/
- if (keep_locked && orig_start < start) {
+ if (orig_start < start) {
+ clear_bits = EXTENT_LOCKED | EXTENT_DELALLOC;
+ page_ops = PAGE_UNLOCK | PAGE_START_WRITEBACK | PAGE_END_WRITEBACK;
+
if (!locked_folio)
mapping_set_error(inode->vfs_inode.i_mapping, ret);
extent_clear_unlock_delalloc(inode, orig_start, start - 1,
- locked_folio, NULL, 0, page_ops);
+ locked_folio, NULL, clear_bits, page_ops);
}
- /*
- * At this point we're unlocked, we want to make sure we're only
- * clearing these flags under the extent lock, so lock the rest of the
- * range and clear everything up.
- */
- lock_extent(&inode->io_tree, start, end, NULL);
+ clear_bits = EXTENT_LOCKED | EXTENT_DELALLOC | EXTENT_DELALLOC_NEW |
+ EXTENT_DEFRAG | EXTENT_CLEAR_META_RESV;
+ page_ops = PAGE_UNLOCK | PAGE_START_WRITEBACK | PAGE_END_WRITEBACK;
/*
* For the range (2). If we reserved an extent for our delalloc range
--
2.47.1
3 months, 3 weeks
- 1
- 0
[PATCH v3 02/10] btrfs: fix double accounting race when extent_writepage_io() failed
by Qu Wenruo
[BUG]
If submit_one_sector() failed inside extent_writepage_io() for sector
size < page size cases (e.g. 4K sector size and 64K page size), then
we can hit double ordered extent accounting error.
This should be very rare, as submit_one_sector() only fails when we
failed to grab the extent map, and such extent map should exist inside
the memory and have been pinned.
[CAUSE]
For example we have the following folio layout:
0 4K 32K 48K 60K 64K
|//| |//////| |///|
Where |///| is the dirty range we need to writeback. The 3 different
dirty ranges are submitted for regular COW.
Now we hit the following sequence:
- submit_one_sector() returned 0 for [0, 4K)
- submit_one_sector() returned 0 for [32K, 48K)
- submit_one_sector() returned error for [60K, 64K)
- btrfs_mark_ordered_io_finished() called for the whole folio
This will mark the following ranges as finished:
* [0, 4K)
* [32K, 48K)
Both ranges have their IO already submitted, this cleanup will
lead to double accounting.
* [60K, 64K)
That's the correct cleanup.
The only good news is, this error is only theoretical, as the target
extent map is always pinned, thus we should directly grab it from
memory, other than reading it from the disk.
[FIX]
Instead of calling btrfs_mark_ordered_io_finished() for the whole folio
range, which can touch ranges we should not touch, instead
move the error handling inside extent_writepage_io().
So that we can cleanup exact sectors that are ought to be submitted but
failed.
This provide much more accurate cleanup, avoiding the double accounting.
Cc: stable(a)vger.kernel.org # 5.15+
Signed-off-by: Qu Wenruo <wqu(a)suse.com>
---
fs/btrfs/extent_io.c | 37 ++++++++++++++++++++++++-------------
1 file changed, 24 insertions(+), 13 deletions(-)
diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
index d1e263f56171..54081b1783fc 100644
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -1428,6 +1428,7 @@ static noinline_for_stack int extent_writepage_io(struct btrfs_inode *inode,
struct btrfs_fs_info *fs_info = inode->root->fs_info;
unsigned long range_bitmap = 0;
bool submitted_io = false;
+ bool error = false;
const u64 folio_start = folio_pos(folio);
u64 cur;
int bit;
@@ -1470,11 +1471,26 @@ static noinline_for_stack int extent_writepage_io(struct btrfs_inode *inode,
break;
}
ret = submit_one_sector(inode, folio, cur, bio_ctrl, i_size);
- if (ret < 0)
- goto out;
+ if (unlikely(ret < 0)) {
+ /*
+ * bio_ctrl may contain a bio crossing several folios.
+ * Submit it immediately so that the bio has a chance
+ * to finish normally, other than marked as error.
+ */
+ submit_one_bio(bio_ctrl);
+ /*
+ * Failed to grab the extent map which should be very rare.
+ * Since there is no bio submitted to finish the ordered
+ * extent, we have to manually finish this sector.
+ */
+ btrfs_mark_ordered_io_finished(inode, folio, cur,
+ fs_info->sectorsize, false);
+ error = true;
+ continue;
+ }
submitted_io = true;
}
-out:
+
/*
* If we didn't submitted any sector (>= i_size), folio dirty get
* cleared but PAGECACHE_TAG_DIRTY is not cleared (only cleared
@@ -1482,8 +1498,11 @@ static noinline_for_stack int extent_writepage_io(struct btrfs_inode *inode,
*
* Here we set writeback and clear for the range. If the full folio
* is no longer dirty then we clear the PAGECACHE_TAG_DIRTY tag.
+ *
+ * If we hit any error, the corresponding sector will still be dirty
+ * thus no need to clear PAGECACHE_TAG_DIRTY.
*/
- if (!submitted_io) {
+ if (!submitted_io && !error) {
btrfs_folio_set_writeback(fs_info, folio, start, len);
btrfs_folio_clear_writeback(fs_info, folio, start, len);
}
@@ -1503,7 +1522,6 @@ static int extent_writepage(struct folio *folio, struct btrfs_bio_ctrl *bio_ctrl
{
struct inode *inode = folio->mapping->host;
struct btrfs_fs_info *fs_info = inode_to_fs_info(inode);
- const u64 page_start = folio_pos(folio);
int ret;
size_t pg_offset;
loff_t i_size = i_size_read(inode);
@@ -1546,10 +1564,6 @@ static int extent_writepage(struct folio *folio, struct btrfs_bio_ctrl *bio_ctrl
bio_ctrl->wbc->nr_to_write--;
- if (ret)
- btrfs_mark_ordered_io_finished(BTRFS_I(inode), folio,
- page_start, PAGE_SIZE, !ret);
-
done:
if (ret < 0)
mapping_set_error(folio->mapping, ret);
@@ -2329,11 +2343,8 @@ void extent_write_locked_range(struct inode *inode, const struct folio *locked_f
if (ret == 1)
goto next_page;
- if (ret) {
- btrfs_mark_ordered_io_finished(BTRFS_I(inode), folio,
- cur, cur_len, !ret);
+ if (ret)
mapping_set_error(mapping, ret);
- }
btrfs_folio_end_lock(fs_info, folio, cur, cur_len);
if (ret < 0)
found_error = true;
--
2.47.1
3 months, 3 weeks
- 1
- 0
[PATCH v3 01/10] btrfs: fix double accounting race when btrfs_run_delalloc_range() failed
by Qu Wenruo
[BUG]
When running btrfs with block size (4K) smaller than page size (64K,
aarch64), there is a very high chance to crash the kernel at
generic/750, with the following messages:
(before the call traces, there are 3 extra debug messages added)
BTRFS warning (device dm-3): read-write for sector size 4096 with page size 65536 is experimental
BTRFS info (device dm-3): checking UUID tree
hrtimer: interrupt took 5451385 ns
BTRFS error (device dm-3): cow_file_range failed, root=4957 inode=257 start=1605632 len=69632: -28
BTRFS error (device dm-3): run_delalloc_nocow failed, root=4957 inode=257 start=1605632 len=69632: -28
BTRFS error (device dm-3): failed to run delalloc range, root=4957 ino=257 folio=1572864 submit_bitmap=8-15 start=1605632 len=69632: -28
------------[ cut here ]------------
WARNING: CPU: 2 PID: 3020984 at ordered-data.c:360 can_finish_ordered_extent+0x370/0x3b8 [btrfs]
CPU: 2 UID: 0 PID: 3020984 Comm: kworker/u24:1 Tainted: G OE 6.13.0-rc1-custom+ #89
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022
Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]
pc : can_finish_ordered_extent+0x370/0x3b8 [btrfs]
lr : can_finish_ordered_extent+0x1ec/0x3b8 [btrfs]
Call trace:
can_finish_ordered_extent+0x370/0x3b8 [btrfs] (P)
can_finish_ordered_extent+0x1ec/0x3b8 [btrfs] (L)
btrfs_mark_ordered_io_finished+0x130/0x2b8 [btrfs]
extent_writepage+0x10c/0x3b8 [btrfs]
extent_write_cache_pages+0x21c/0x4e8 [btrfs]
btrfs_writepages+0x94/0x160 [btrfs]
do_writepages+0x74/0x190
filemap_fdatawrite_wbc+0x74/0xa0
start_delalloc_inodes+0x17c/0x3b0 [btrfs]
btrfs_start_delalloc_roots+0x17c/0x288 [btrfs]
shrink_delalloc+0x11c/0x280 [btrfs]
flush_space+0x288/0x328 [btrfs]
btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]
process_one_work+0x228/0x680
worker_thread+0x1bc/0x360
kthread+0x100/0x118
ret_from_fork+0x10/0x20
---[ end trace 0000000000000000 ]---
BTRFS critical (device dm-3): bad ordered extent accounting, root=4957 ino=257 OE offset=1605632 OE len=16384 to_dec=16384 left=0
BTRFS critical (device dm-3): bad ordered extent accounting, root=4957 ino=257 OE offset=1622016 OE len=12288 to_dec=12288 left=0
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
BTRFS critical (device dm-3): bad ordered extent accounting, root=4957 ino=257 OE offset=1634304 OE len=8192 to_dec=4096 left=0
CPU: 1 UID: 0 PID: 3286940 Comm: kworker/u24:3 Tainted: G W OE 6.13.0-rc1-custom+ #89
Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022
Workqueue: btrfs_work_helper [btrfs] (btrfs-endio-write)
pstate: 404000c5 (nZcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : process_one_work+0x110/0x680
lr : worker_thread+0x1bc/0x360
Call trace:
process_one_work+0x110/0x680 (P)
worker_thread+0x1bc/0x360 (L)
worker_thread+0x1bc/0x360
kthread+0x100/0x118
ret_from_fork+0x10/0x20
Code: f84086a1 f9000fe1 53041c21 b9003361 (f9400661)
---[ end trace 0000000000000000 ]---
Kernel panic - not syncing: Oops: Fatal exception
SMP: stopping secondary CPUs
SMP: failed to stop secondary CPUs 2-3
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: 0x275bb9540000 from 0xffff800080000000
PHYS_OFFSET: 0xffff8fbba0000000
CPU features: 0x100,00000070,00801250,8201720b
[CAUSE]
The above warning is triggered immediately after the delalloc range
failure, this happens in the following sequence:
- Range [1568K, 1636K) is dirty
1536K 1568K 1600K 1636K 1664K
| |/////////|////////| |
Where 1536K, 1600K and 1664K are page boundaries (64K page size)
- Enter extent_writepage() for page 1536K
- Enter run_delalloc_nocow() with locked page 1536K and range
[1568K, 1636K)
This is due to the inode has preallocated extents.
- Enter cow_file_range() with locked page 1536K and range
[1568K, 1636K)
- btrfs_reserve_extent() only reserved two extents
The main loop of cow_file_range() only reserved two data extents,
Now we have:
1536K 1568K 1600K 1636K 1664K
| |<-->|<--->|/|///////| |
1584K 1596K
Range [1568K, 1596K) has ordered extent reserved.
- btrfs_reserve_extent() failed inside cow_file_range() for file offset
1596K
This is already a bug in our space reservation code, but for now let's
focus on the error handling path.
Now cow_file_range() returned -ENOSPC.
- btrfs_run_delalloc_range() do error cleanup <<< ROOT CAUSE
Call btrfs_cleanup_ordered_extents() with locked folio 1536K and range
[1568K, 1636K)
Function btrfs_cleanup_ordered_extents() normally needs to skip the
ranges inside the folio, as it will normally be cleaned up by
extent_writepage().
Such split error handling is already problematic in the first place.
What's worse is the folio range skipping itself, which is not taking
subpage cases into consideration at all, it will only skip the range
if the page start >= the range start.
In our case, the page start < the range start, since for subpage cases
we can have delalloc ranges inside the folio but not covering the
folio.
So it doesn't skip the page range at all.
This means all the ordered extents, both [1568K, 1584K) and
[1584K, 1596K) will be marked as IOERR.
And those two ordered extents have no more pending ios, it is marked
finished, and *QUEUED* to be deleted from the io tree.
- extent_writepage() do error cleanup
Call btrfs_mark_ordered_io_finished() for the range [1536K, 1600K).
Although ranges [1568K, 1584K) and [1584K, 1596K) are finished, the
deletion from io tree is async, it may or may not happen at this
timing.
If the ranges are not yet removed, we will do double cleaning on those
ranges, triggers the above ordered extent warnings.
In theory there are other bugs, like the cleanup in extent_writepage()
can cause double accounting on ranges that are submitted async
(compression for example).
But that's much harder to trigger because normally we do not mix regular
and compression delalloc ranges.
[FIX]
The folio range split is already buggy and not subpage compatible, it's
introduced a long time ago where subpage support is not even considered.
So instead of splitting the ordered extents cleanup into the folio range
and out of folio range, do all the cleanup inside writepage_delalloc().
- Pass @NULL as locked_folio for btrfs_cleanup_ordered_extents() in
btrfs_run_delalloc_range()
- Skip the btrfs_cleanup_ordered_extents() if writepage_delalloc()
failed
So all ordered extents are only cleaned up by
btrfs_run_delalloc_range().
- Handle the ranges that already have ordered extents allocated
If part of the folio already has ordered extent allocated, and
btrfs_run_delalloc_range() failed, we also need to cleanup that range.
Now we have a concentrated error handling for ordered extents during
btrfs_run_delalloc_range().
Cc: stable(a)vger.kernel.org # 5.15+
Fixes: d1051d6ebf8e ("btrfs: Fix error handling in btrfs_cleanup_ordered_extents")
Reviewed-by: Boris Burkov <boris(a)bur.io>
Signed-off-by: Qu Wenruo <wqu(a)suse.com>
---
fs/btrfs/extent_io.c | 57 ++++++++++++++++++++++++++++++++++++--------
fs/btrfs/inode.c | 2 +-
2 files changed, 48 insertions(+), 11 deletions(-)
diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
index 9725ff7f274d..d1e263f56171 100644
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -1144,12 +1144,17 @@ static bool find_next_delalloc_bitmap(struct folio *folio,
/*
* helper for extent_writepage(), doing all of the delayed allocation setup.
*
- * This returns 1 if btrfs_run_delalloc_range function did all the work required
- * to write the page (copy into inline extent). In this case the IO has
- * been started and the page is already unlocked.
+ * Return >0 if all the dirty blocks are submitted async (compression) or inlined.
+ * The @folio should no longer be touched (treat it as already unlocked).
*
- * This returns 0 if all went well (page still locked)
- * This returns < 0 if there were errors (page still locked)
+ * Return 0 if there is still dirty block that needs to be submitted through
+ * extent_writepage_io().
+ * bio_ctrl->submit_bitmap will indicate which blocks of the folio should be
+ * submitted, and @folio is still kept locked.
+ *
+ * Return <0 if there is any error hit.
+ * Any allocated ordered extent range covering this folio will be marked
+ * finished (IOERR), and @folio is still kept locked.
*/
static noinline_for_stack int writepage_delalloc(struct btrfs_inode *inode,
struct folio *folio,
@@ -1167,6 +1172,16 @@ static noinline_for_stack int writepage_delalloc(struct btrfs_inode *inode,
* last delalloc end.
*/
u64 last_delalloc_end = 0;
+ /*
+ * The range end (exclusive) of the last successfully finished delalloc
+ * range.
+ * Any range covered by ordered extent must either be manually marked
+ * finished (error handling), or has IO submitted (and finish the
+ * ordered extent normally).
+ *
+ * This records where our ordered extent cleanup should start.
+ */
+ u64 last_finished_delalloc_end = page_start;
u64 delalloc_start = page_start;
u64 delalloc_end = page_end;
u64 delalloc_to_write = 0;
@@ -1235,11 +1250,19 @@ static noinline_for_stack int writepage_delalloc(struct btrfs_inode *inode,
found_len = last_delalloc_end + 1 - found_start;
if (ret >= 0) {
+ /*
+ * Some delalloc range may be created by previous folios.
+ * Thus we still need to clean those range up during error
+ * handling.
+ */
+ last_finished_delalloc_end = found_start;
/* No errors hit so far, run the current delalloc range. */
ret = btrfs_run_delalloc_range(inode, folio,
found_start,
found_start + found_len - 1,
wbc);
+ if (ret >= 0)
+ last_finished_delalloc_end = found_start + found_len;
} else {
/*
* We've hit an error during previous delalloc range,
@@ -1274,8 +1297,22 @@ static noinline_for_stack int writepage_delalloc(struct btrfs_inode *inode,
delalloc_start = found_start + found_len;
}
- if (ret < 0)
+ /*
+ * It's possible we have some ordered extents created before we hit
+ * an error, cleanup non-async successfully created delalloc ranges.
+ */
+ if (unlikely(ret < 0)) {
+ unsigned int bitmap_size = min(
+ (last_finished_delalloc_end - page_start) >>
+ fs_info->sectorsize_bits,
+ fs_info->sectors_per_page);
+
+ for_each_set_bit(bit, &bio_ctrl->submit_bitmap, bitmap_size)
+ btrfs_mark_ordered_io_finished(inode, folio,
+ page_start + (bit << fs_info->sectorsize_bits),
+ fs_info->sectorsize, false);
return ret;
+ }
out:
if (last_delalloc_end)
delalloc_end = last_delalloc_end;
@@ -1509,13 +1546,13 @@ static int extent_writepage(struct folio *folio, struct btrfs_bio_ctrl *bio_ctrl
bio_ctrl->wbc->nr_to_write--;
-done:
- if (ret) {
+ if (ret)
btrfs_mark_ordered_io_finished(BTRFS_I(inode), folio,
page_start, PAGE_SIZE, !ret);
- mapping_set_error(folio->mapping, ret);
- }
+done:
+ if (ret < 0)
+ mapping_set_error(folio->mapping, ret);
/*
* Only unlock ranges that are submitted. As there can be some async
* submitted ranges inside the folio.
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index 8a173a24ac05..0a15473655ed 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -2302,7 +2302,7 @@ int btrfs_run_delalloc_range(struct btrfs_inode *inode, struct folio *locked_fol
out:
if (ret < 0)
- btrfs_cleanup_ordered_extents(inode, locked_folio, start,
+ btrfs_cleanup_ordered_extents(inode, NULL, start,
end - start + 1);
return ret;
}
--
2.47.1
3 months, 3 weeks
- 1
- 0
[PATCH v4] arm64: mm: Populate vmemmap/linear at the page level for hotplugged sections
by Zhenhua Huang
On the arm64 platform with 4K base page config, SECTION_SIZE_BITS is set
to 27, making one section 128M. The related page struct which vmemmap
points to is 2M then.
Commit c1cc1552616d ("arm64: MMU initialisation") optimizes the
vmemmap to populate at the PMD section level which was suitable
initially since hot plug granule is always one section(128M). However,
commit ba72b4c8cf60 ("mm/sparsemem: support sub-section hotplug")
introduced a 2M(SUBSECTION_SIZE) hot plug granule, which disrupted the
existing arm64 assumptions.
Considering the vmemmap_free -> unmap_hotplug_pmd_range path, when
pmd_sect() is true, the entire PMD section is cleared, even if there is
other effective subsection. For example page_struct_map1 and
page_strcut_map2 are part of a single PMD entry and they are hot-added
sequentially. Then page_struct_map1 is removed, vmemmap_free() will clear
the entire PMD entry freeing the struct page map for the whole section,
even though page_struct_map2 is still active. Similar problem exists
with linear mapping as well, for 16K base page(PMD size = 32M) or 64K
base page(PMD = 512M), their block mappings exceed SUBSECTION_SIZE.
Tearing down the entire PMD mapping too will leave other subsections
unmapped in the linear mapping.
To address the issue, we need to prevent PMD/PUD/CONT mappings for both
linear and vmemmap for non-boot sections if corresponding size on the
given base page exceeds 2MB(SUBSECTION_SIZE). We only permit 2MB PMD block
linear mapping in 4K page size config as its PMD_SIZE matches the
SUBSECTION_SIZE.
Cc: stable(a)vger.kernel.org # v5.4+
Fixes: ba72b4c8cf60 ("mm/sparsemem: support sub-section hotplug")
Signed-off-by: Zhenhua Huang <quic_zhenhuah(a)quicinc.com>
---
arch/arm64/mm/mmu.c | 43 +++++++++++++++++++++++++++++++++++++------
1 file changed, 37 insertions(+), 6 deletions(-)
diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
index e2739b69e11b..5e0f514de870 100644
--- a/arch/arm64/mm/mmu.c
+++ b/arch/arm64/mm/mmu.c
@@ -42,9 +42,11 @@
#include <asm/pgalloc.h>
#include <asm/kfence.h>
-#define NO_BLOCK_MAPPINGS BIT(0)
-#define NO_CONT_MAPPINGS BIT(1)
-#define NO_EXEC_MAPPINGS BIT(2) /* assumes FEAT_HPDS is not used */
+#define NO_PMD_BLOCK_MAPPINGS BIT(0)
+#define NO_PUD_BLOCK_MAPPINGS BIT(1) /* Hotplug case: do not want block mapping for PUD */
+#define NO_BLOCK_MAPPINGS (NO_PMD_BLOCK_MAPPINGS | NO_PUD_BLOCK_MAPPINGS)
+#define NO_CONT_MAPPINGS BIT(2)
+#define NO_EXEC_MAPPINGS BIT(3) /* assumes FEAT_HPDS is not used */
u64 kimage_voffset __ro_after_init;
EXPORT_SYMBOL(kimage_voffset);
@@ -254,7 +256,7 @@ static void init_pmd(pmd_t *pmdp, unsigned long addr, unsigned long end,
/* try section mapping first */
if (((addr | next | phys) & ~PMD_MASK) == 0 &&
- (flags & NO_BLOCK_MAPPINGS) == 0) {
+ (flags & NO_PMD_BLOCK_MAPPINGS) == 0) {
pmd_set_huge(pmdp, phys, prot);
/*
@@ -356,10 +358,11 @@ static void alloc_init_pud(p4d_t *p4dp, unsigned long addr, unsigned long end,
/*
* For 4K granule only, attempt to put down a 1GB block
+ * Hotplug case: do not attempt 1GB block
*/
if (pud_sect_supported() &&
((addr | next | phys) & ~PUD_MASK) == 0 &&
- (flags & NO_BLOCK_MAPPINGS) == 0) {
+ (flags & NO_PUD_BLOCK_MAPPINGS) == 0) {
pud_set_huge(pudp, phys, prot);
/*
@@ -1175,9 +1178,21 @@ int __meminit vmemmap_check_pmd(pmd_t *pmdp, int node,
int __meminit vmemmap_populate(unsigned long start, unsigned long end, int node,
struct vmem_altmap *altmap)
{
+ unsigned long start_pfn;
+ struct mem_section *ms;
+
WARN_ON((start < VMEMMAP_START) || (end > VMEMMAP_END));
- if (!IS_ENABLED(CONFIG_ARM64_4K_PAGES))
+ start_pfn = page_to_pfn((struct page *)start);
+ ms = __pfn_to_section(start_pfn);
+
+ /*
+ * Hotplugged section does not support hugepages as
+ * PMD_SIZE (hence PUD_SIZE) section mapping covers
+ * struct page range that exceeds a SUBSECTION_SIZE
+ * i.e 2MB - for all available base page sizes.
+ */
+ if (!IS_ENABLED(CONFIG_ARM64_4K_PAGES) || !early_section(ms))
return vmemmap_populate_basepages(start, end, node, altmap);
else
return vmemmap_populate_hugepages(start, end, node, altmap);
@@ -1339,9 +1354,25 @@ int arch_add_memory(int nid, u64 start, u64 size,
struct mhp_params *params)
{
int ret, flags = NO_EXEC_MAPPINGS;
+ unsigned long start_pfn = page_to_pfn((struct page *)start);
+ struct mem_section *ms = __pfn_to_section(start_pfn);
VM_BUG_ON(!mhp_range_allowed(start, size, true));
+ /* should not be invoked by early section */
+ WARN_ON(early_section(ms));
+
+ /*
+ * 4K base page's PMD_SIZE matches SUBSECTION_SIZE i.e 2MB. Hence
+ * PMD section mapping can be allowed, but only for 4K base pages.
+ * Where as PMD_SIZE (hence PUD_SIZE) for other page sizes exceed
+ * SUBSECTION_SIZE.
+ */
+ if (IS_ENABLED(CONFIG_ARM64_4K_PAGES))
+ flags |= NO_PUD_BLOCK_MAPPINGS | NO_CONT_MAPPINGS;
+ else
+ flags |= NO_BLOCK_MAPPINGS | NO_CONT_MAPPINGS;
+
if (can_set_direct_map())
flags |= NO_BLOCK_MAPPINGS | NO_CONT_MAPPINGS;
--
2.25.1
3 months, 3 weeks
- 3
- 9
[PATCH v2] usb: dwc3-am62: Fix an OF node leak in phy_syscon_pll_refclk()
by Joe Hattori
phy_syscon_pll_refclk() leaks an OF node obtained by
of_parse_phandle_with_fixed_args(), thus add an of_node_put() call.
Cc: stable(a)vger.kernel.org
Fixes: e8784c0aec03 ("drivers: usb: dwc3: Add AM62 USB wrapper driver")
Signed-off-by: Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp>
---
Changes in v2:
- Add the stable tag.
---
drivers/usb/dwc3/dwc3-am62.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/dwc3/dwc3-am62.c b/drivers/usb/dwc3/dwc3-am62.c
index 5e3d1741701f..0a33ed958ebb 100644
--- a/drivers/usb/dwc3/dwc3-am62.c
+++ b/drivers/usb/dwc3/dwc3-am62.c
@@ -166,6 +166,7 @@ static int phy_syscon_pll_refclk(struct dwc3_am62 *am62)
if (ret)
return ret;
+ of_node_put(args.np);
am62->offset = args.args[0];
/* Core voltage. PHY_CORE_VOLTAGE bit Recommended to be 0 always */
--
2.34.1
3 months, 3 weeks
- 2
- 1
[PATCH v2] phy: Fix error handling in tegra_xusb_port_init
by Ma Ke
If device_add() fails, do not use device_unregister() for error
handling. device_unregister() consists two functions: device_del() and
put_device(). device_unregister() should only be called after
device_add() succeeded because device_del() undoes what device_add()
does if successful. Change device_unregister() to put_device() call
before returning from the function.
As comment of device_add() says, 'if device_add() succeeds, you should
call device_del() when you want to get rid of it. If device_add() has
not succeeded, use only put_device() to drop the reference count'.
Found by code review.
Cc: stable(a)vger.kernel.org
Fixes: 53d2a715c240 ("phy: Add Tegra XUSB pad controller support")
Signed-off-by: Ma Ke <make24(a)iscas.ac.cn>
---
Changes in v2:
- modified the bug description as suggestions.
---
drivers/phy/tegra/xusb.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/phy/tegra/xusb.c b/drivers/phy/tegra/xusb.c
index 79d4814d758d..c89df95aa6ca 100644
--- a/drivers/phy/tegra/xusb.c
+++ b/drivers/phy/tegra/xusb.c
@@ -548,16 +548,16 @@ static int tegra_xusb_port_init(struct tegra_xusb_port *port,
err = dev_set_name(&port->dev, "%s-%u", name, index);
if (err < 0)
- goto unregister;
+ goto put_device;
err = device_add(&port->dev);
if (err < 0)
- goto unregister;
+ goto put_device;
return 0;
-unregister:
- device_unregister(&port->dev);
+put_device:
+ put_device(&port->dev);
return err;
}
--
2.25.1
3 months, 3 weeks
- 1
- 0
+ mm-vmscan-pgdemote-vmstat-is-not-getting-updated-when-mglru-is-enabled.patch added to mm-hotfixes-unstable branch
by Andrew Morton
The patch titled
Subject: mm: vmscan : pgdemote vmstat is not getting updated when MGLRU is enabled.
has been added to the -mm mm-hotfixes-unstable branch. Its filename is
mm-vmscan-pgdemote-vmstat-is-not-getting-updated-when-mglru-is-enabled.patch
This patch will shortly appear at
https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…
This patch will later appear in the mm-hotfixes-unstable branch at
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days
------------------------------------------------------
From: Donet Tom <donettom(a)linux.ibm.com>
Subject: mm: vmscan : pgdemote vmstat is not getting updated when MGLRU is enabled.
Date: Thu, 9 Jan 2025 00:05:39 -0600
When MGLRU is enabled, the pgdemote_kswapd, pgdemote_direct, and
pgdemote_khugepaged stats in vmstat are not being updated.
Commit f77f0c751478 ("mm,memcg: provide per-cgroup counters for NUMA
balancing operations") moved the pgdemote vmstat update from
demote_folio_list() to shrink_inactive_list(), which is in the normal LRU
path. As a result, the pgdemote stats are updated correctly for the
normal LRU but not for MGLRU.
To address this, we have added the pgdemote stat update in the
evict_folios() function, which is in the MGLRU path. With this patch, the
pgdemote stats will now be updated correctly when MGLRU is enabled.
Without this patch vmstat output when MGLRU is enabled
======================================================
pgdemote_kswapd 0
pgdemote_direct 0
pgdemote_khugepaged 0
With this patch vmstat output when MGLRU is enabled
===================================================
pgdemote_kswapd 43234
pgdemote_direct 4691
pgdemote_khugepaged 0
Link: https://lkml.kernel.org/r/20250109060540.451261-1-donettom@linux.ibm.com
Fixes: f77f0c751478 ("mm,memcg: provide per-cgroup counters for NUMA balancing operations")
Signed-off-by: Donet Tom <donettom(a)linux.ibm.com>
Acked-by: Yu Zhao <yuzhao(a)google.com>
Cc: Aneesh Kumar K.V (Arm) <aneesh.kumar(a)kernel.org>
Cc: David Rientjes <rientjes(a)google.com>
Cc: Johannes Weiner <hannes(a)cmpxchg.org>
Cc: Kaiyang Zhao <kaiyang2(a)cs.cmu.edu>
Cc: Michal Hocko <mhocko(a)kernel.org>
Cc: Muchun Song <muchun.song(a)linux.dev>
Cc: Ritesh Harjani (IBM) <ritesh.list(a)gmail.com>
Cc: Roman Gushchin <roman.gushchin(a)linux.dev>
Cc: Shakeel Butt <shakeel.butt(a)linux.dev>
Cc: Wei Xu <weixugc(a)google.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
mm/vmscan.c | 3 +++
1 file changed, 3 insertions(+)
--- a/mm/vmscan.c~mm-vmscan-pgdemote-vmstat-is-not-getting-updated-when-mglru-is-enabled
+++ a/mm/vmscan.c
@@ -4646,6 +4646,9 @@ retry:
reset_batch_size(walk);
}
+ __mod_lruvec_state(lruvec, PGDEMOTE_KSWAPD + reclaimer_offset(),
+ stat.nr_demoted);
+
item = PGSTEAL_KSWAPD + reclaimer_offset();
if (!cgroup_reclaim(sc))
__count_vm_events(item, reclaimed);
_
Patches currently in -mm which might be from donettom(a)linux.ibm.com are
mm-vmscan-pgdemote-vmstat-is-not-getting-updated-when-mglru-is-enabled.patch
mm-migrate-removed-unused-argument-vma-from-migrate_misplaced_folio.patch
selftests-mm-added-new-test-cases-to-the-migration-test.patch
3 months, 3 weeks
- 1
- 0
[PATCH v2 5/9] btrfs: do proper folio cleanup when run_delalloc_nocow() failed
by Qu Wenruo
[BUG]
With CONFIG_DEBUG_VM set, test case generic/476 has some chance to crash
with the following VM_BUG_ON_FOLIO():
BTRFS error (device dm-3): cow_file_range failed, start 1146880 end 1253375 len 106496 ret -28
BTRFS error (device dm-3): run_delalloc_nocow failed, start 1146880 end 1253375 len 106496 ret -28
page: refcount:4 mapcount:0 mapping:00000000592787cc index:0x12 pfn:0x10664
aops:btrfs_aops [btrfs] ino:101 dentry name(?):"f1774"
flags: 0x2fffff80004028(uptodate|lru|private|node=0|zone=2|lastcpupid=0xfffff)
page dumped because: VM_BUG_ON_FOLIO(!folio_test_locked(folio))
------------[ cut here ]------------
kernel BUG at mm/page-writeback.c:2992!
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
CPU: 2 UID: 0 PID: 3943513 Comm: kworker/u24:15 Tainted: G OE 6.12.0-rc7-custom+ #87
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022
Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]
pc : folio_clear_dirty_for_io+0x128/0x258
lr : folio_clear_dirty_for_io+0x128/0x258
Call trace:
folio_clear_dirty_for_io+0x128/0x258
btrfs_folio_clamp_clear_dirty+0x80/0xd0 [btrfs]
__process_folios_contig+0x154/0x268 [btrfs]
extent_clear_unlock_delalloc+0x5c/0x80 [btrfs]
run_delalloc_nocow+0x5f8/0x760 [btrfs]
btrfs_run_delalloc_range+0xa8/0x220 [btrfs]
writepage_delalloc+0x230/0x4c8 [btrfs]
extent_writepage+0xb8/0x358 [btrfs]
extent_write_cache_pages+0x21c/0x4e8 [btrfs]
btrfs_writepages+0x94/0x150 [btrfs]
do_writepages+0x74/0x190
filemap_fdatawrite_wbc+0x88/0xc8
start_delalloc_inodes+0x178/0x3a8 [btrfs]
btrfs_start_delalloc_roots+0x174/0x280 [btrfs]
shrink_delalloc+0x114/0x280 [btrfs]
flush_space+0x250/0x2f8 [btrfs]
btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]
process_one_work+0x164/0x408
worker_thread+0x25c/0x388
kthread+0x100/0x118
ret_from_fork+0x10/0x20
Code: 910a8021 a90363f7 a9046bf9 94012379 (d4210000)
---[ end trace 0000000000000000 ]---
[CAUSE]
The first two lines of extra debug messages show the problem is caused
by the error handling of run_delalloc_nocow().
E.g. we have the following dirtied range (4K blocksize 4K page size):
0 16K 32K
|//////////////////////////////////////|
| Pre-allocated |
And the range [0, 16K) has a preallocated extent.
- Enter run_delalloc_nocow() for range [0, 16K)
Which found range [0, 16K) is preallocated, can do the proper NOCOW
write.
- Enter fallback_to_fow() for range [16K, 32K)
Since the range [16K, 32K) is not backed by preallocated extent, we
have to go COW.
- cow_file_range() failed for range [16K, 32K)
So cow_file_range() will do the clean up by clearing folio dirty,
unlock the folios.
Now the folios in range [16K, 32K) is unlocked.
- Enter extent_clear_unlock_delalloc() from run_delalloc_nocow()
Which is called with PAGE_START_WRITEBACK to start page writeback.
But folios can only be marked writeback when it's properly locked,
thus this triggered the VM_BUG_ON_FOLIO().
Furthermore there is another hidden but common bug that
run_delalloc_nocow() is not clearing the folio dirty flags in its error
handling path.
This is the common bug shared between run_delalloc_nocow() and
cow_file_range().
[FIX]
- Clear folio dirty for range [@start, @cur_offset)
Introduce a helper, cleanup_dirty_folios(), which
will find and lock the folio in the range, clear the dirty flag and
start/end the writeback, with the extra handling for the
@locked_folio.
- Introduce a helper to record the last failed COW range end
This is to trace which range we should skip, to avoid double
unlocking.
- Skip the failed COW range for the error handling
Cc: stable(a)vger.kernel.org
Signed-off-by: Qu Wenruo <wqu(a)suse.com>
---
fs/btrfs/inode.c | 93 ++++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 86 insertions(+), 7 deletions(-)
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index 19c88b7d0363..bae8aceb3eae 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -1961,6 +1961,48 @@ static int can_nocow_file_extent(struct btrfs_path *path,
return ret < 0 ? ret : can_nocow;
}
+static void cleanup_dirty_folios(struct btrfs_inode *inode,
+ struct folio *locked_folio,
+ u64 start, u64 end, int error)
+{
+ struct btrfs_fs_info *fs_info = inode->root->fs_info;
+ struct address_space *mapping = inode->vfs_inode.i_mapping;
+ pgoff_t start_index = start >> PAGE_SHIFT;
+ pgoff_t end_index = end >> PAGE_SHIFT;
+ u32 len;
+
+ ASSERT(end + 1 - start < U32_MAX);
+ ASSERT(IS_ALIGNED(start, fs_info->sectorsize) &&
+ IS_ALIGNED(end + 1, fs_info->sectorsize));
+ len = end + 1 - start;
+
+ /*
+ * Handle the locked folio first.
+ * btrfs_folio_clamp_*() helpers can handle range out of the folio case.
+ */
+ btrfs_folio_clamp_clear_dirty(fs_info, locked_folio, start, len);
+ btrfs_folio_clamp_set_writeback(fs_info, locked_folio, start, len);
+ btrfs_folio_clamp_clear_writeback(fs_info, locked_folio, start, len);
+
+ for (pgoff_t index = start_index; index <= end_index; index++) {
+ struct folio *folio;
+
+ /* Already handled at the beginning. */
+ if (index == locked_folio->index)
+ continue;
+ folio = __filemap_get_folio(mapping, index, FGP_LOCK, GFP_NOFS);
+ /* Cache already dropped, no need to do any cleanup. */
+ if (IS_ERR(folio))
+ continue;
+ btrfs_folio_clamp_clear_dirty(fs_info, folio, start, len);
+ btrfs_folio_clamp_set_writeback(fs_info, folio, start, len);
+ btrfs_folio_clamp_clear_writeback(fs_info, folio, start, len);
+ folio_unlock(folio);
+ folio_put(folio);
+ }
+ mapping_set_error(mapping, error);
+}
+
/*
* when nowcow writeback call back. This checks for snapshots or COW copies
* of the extents that exist in the file, and COWs the file as required.
@@ -1976,6 +2018,11 @@ static noinline int run_delalloc_nocow(struct btrfs_inode *inode,
struct btrfs_root *root = inode->root;
struct btrfs_path *path;
u64 cow_start = (u64)-1;
+ /*
+ * If not 0, represents the inclusive end of the last fallback_to_cow()
+ * range. Only for error handling.
+ */
+ u64 cow_end = 0;
u64 cur_offset = start;
int ret;
bool check_prev = true;
@@ -2136,6 +2183,7 @@ static noinline int run_delalloc_nocow(struct btrfs_inode *inode,
found_key.offset - 1);
cow_start = (u64)-1;
if (ret) {
+ cow_end = found_key.offset - 1;
btrfs_dec_nocow_writers(nocow_bg);
goto error;
}
@@ -2209,11 +2257,12 @@ static noinline int run_delalloc_nocow(struct btrfs_inode *inode,
cow_start = cur_offset;
if (cow_start != (u64)-1) {
- cur_offset = end;
ret = fallback_to_cow(inode, locked_folio, cow_start, end);
cow_start = (u64)-1;
- if (ret)
+ if (ret) {
+ cow_end = end;
goto error;
+ }
}
btrfs_free_path(path);
@@ -2221,12 +2270,42 @@ static noinline int run_delalloc_nocow(struct btrfs_inode *inode,
error:
/*
- * If an error happened while a COW region is outstanding, cur_offset
- * needs to be reset to cow_start to ensure the COW region is unlocked
- * as well.
+ * There are several error cases:
+ *
+ * 1) Failed without falling back to COW
+ * start cur_start end
+ * |/////////////| |
+ *
+ * For range [start, cur_start) the folios are already unlocked (except
+ * @locked_folio), EXTENT_DELALLOC already removed.
+ * Only need to clear the dirty flag as they will never be submitted.
+ * Ordered extent and extent maps are handled by
+ * btrfs_mark_ordered_io_finished() inside run_delalloc_range().
+ *
+ * 2) Failed with error from fallback_to_cow()
+ * start cur_start cow_end end
+ * |/////////////|-----------| |
+ *
+ * For range [start, cur_start) it's the same as case 1).
+ * But for range [cur_start, cow_end), the folios have dirty flag
+ * cleared and unlocked, EXTENT_DEALLLOC cleared.
+ * There may or may not be any ordered extents/extent maps allocated.
+ *
+ * We should not call extent_clear_unlock_delalloc() on range [cur_start,
+ * cow_end), as the folios are already unlocked.
+ *
+ * So clear the folio dirty flags for [start, cur_offset) first.
*/
- if (cow_start != (u64)-1)
- cur_offset = cow_start;
+ if (cur_offset > start)
+ cleanup_dirty_folios(inode, locked_folio, start, cur_offset - 1, ret);
+
+ /*
+ * If an error happened while a COW region is outstanding, cur_offset
+ * needs to be reset to @cow_end + 1 to skip the COW range, as
+ * cow_file_range() will do the proper cleanup at error.
+ */
+ if (cow_end)
+ cur_offset = cow_end + 1;
/*
* We need to lock the extent here because we're clearing DELALLOC and
--
2.47.1
3 months, 3 weeks
- 3
- 2
[PATCH v2 4/9] btrfs: do proper folio cleanup when cow_file_range() failed
by Qu Wenruo
[BUG]
When testing with COW fixup marked as BUG_ON() (this is involved with the
new pin_user_pages*() change, which should not result new out-of-band
dirty pages), I hit a crash triggered by the BUG_ON() from hitting COW
fixup path.
This BUG_ON() happens just after a failed btrfs_run_delalloc_range():
BTRFS error (device dm-2): failed to run delalloc range, root 348 ino 405 folio 65536 submit_bitmap 6-15 start 90112 len 106496: -28
------------[ cut here ]------------
kernel BUG at fs/btrfs/extent_io.c:1444!
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
CPU: 0 UID: 0 PID: 434621 Comm: kworker/u24:8 Tainted: G OE 6.12.0-rc7-custom+ #86
Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022
Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]
pc : extent_writepage_io+0x2d4/0x308 [btrfs]
lr : extent_writepage_io+0x2d4/0x308 [btrfs]
Call trace:
extent_writepage_io+0x2d4/0x308 [btrfs]
extent_writepage+0x218/0x330 [btrfs]
extent_write_cache_pages+0x1d4/0x4b0 [btrfs]
btrfs_writepages+0x94/0x150 [btrfs]
do_writepages+0x74/0x190
filemap_fdatawrite_wbc+0x88/0xc8
start_delalloc_inodes+0x180/0x3b0 [btrfs]
btrfs_start_delalloc_roots+0x174/0x280 [btrfs]
shrink_delalloc+0x114/0x280 [btrfs]
flush_space+0x250/0x2f8 [btrfs]
btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]
process_one_work+0x164/0x408
worker_thread+0x25c/0x388
kthread+0x100/0x118
ret_from_fork+0x10/0x20
Code: aa1403e1 9402f3ef aa1403e0 9402f36f (d4210000)
---[ end trace 0000000000000000 ]---
[CAUSE]
That failure is mostly from cow_file_range(), where we can hit -ENOSPC.
Although the -ENOSPC is already a bug related to our space reservation
code, let's just focus on the error handling.
For example, we have the following dirty range [0, 64K) of an inode,
with 4K sector size and 4K page size:
0 16K 32K 48K 64K
|///////////////////////////////////////|
|#######################################|
Where |///| means page are still dirty, and |###| means the extent io
tree has EXTENT_DELALLOC flag.
- Enter extent_writepage() for page 0
- Enter btrfs_run_delalloc_range() for range [0, 64K)
- Enter cow_file_range() for range [0, 64K)
- Function btrfs_reserve_extent() only reserved one 16K extent
So we created extent map and ordered extent for range [0, 16K)
0 16K 32K 48K 64K
|////////|//////////////////////////////|
|<- OE ->|##############################|
And range [0, 16K) has its delalloc flag cleared.
But since we haven't yet submit any bio, involved 4 pages are still
dirty.
- Function btrfs_reserve_extent() return with -ENOSPC
Now we have to run error cleanup, which will clear all
EXTENT_DELALLOC* flags and clear the dirty flags for the remaining
ranges:
0 16K 32K 48K 64K
|////////| |
| | |
Note that range [0, 16K) still has their pages dirty.
- Some time later, writeback are triggered again for the range [0, 16K)
since the page range still have dirty flags.
- btrfs_run_delalloc_range() will do nothing because there is no
EXTENT_DELALLOC flag.
- extent_writepage_io() find page 0 has no ordered flag
Which falls into the COW fixup path, triggering the BUG_ON().
Unfortunately this error handling bug dates back to the introduction of btrfs.
Thankfully with the abuse of cow fixup, at least it won't crash the
kernel.
[FIX]
Instead of immediately unlock the extent and folios, we keep the extent
and folios locked until either erroring out or the whole delalloc range
finished.
When the whole delalloc range finished without error, we just unlock the
whole range with PAGE_SET_ORDERED (and PAGE_UNLOCK for !keep_locked
cases), with EXTENT_DELALLOC and EXTENT_LOCKED cleared.
And those involved folios will be properly submitted, with their dirty
flags cleared during submission.
For the error path, it will be a little more complex:
- The range with ordered extent allocated (range (1))
We only clear the EXTENT_DELALLOC and EXTENT_LOCKED, as the remaining
flags are cleaned up by
btrfs_mark_ordered_io_finished()->btrfs_finish_one_ordered().
For folios we finish the IO (clear dirty, start writeback and
immediately finish the writeback) and unlock the folios.
- The range with reserved extent but no ordered extent (range(2))
- The range we never touched (range(3))
For both range (2) and range(3) the behavior is not changed.
Now even if cow_file_range() failed halfway with some successfully
reserved extents/ordered extents, we will keep all folios clean, so
there will be no future writeback triggered on them.
Cc: stable(a)vger.kernel.org
Signed-off-by: Qu Wenruo <wqu(a)suse.com>
---
fs/btrfs/inode.c | 65 ++++++++++++++++++++++++------------------------
1 file changed, 32 insertions(+), 33 deletions(-)
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index 5ba8d044757b..19c88b7d0363 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -1364,6 +1364,17 @@ static noinline int cow_file_range(struct btrfs_inode *inode,
alloc_hint = btrfs_get_extent_allocation_hint(inode, start, num_bytes);
+ /*
+ * We're not doing compressed IO, don't unlock the first page
+ * (which the caller expects to stay locked), don't clear any
+ * dirty bits and don't set any writeback bits
+ *
+ * Do set the Ordered (Private2) bit so we know this page was
+ * properly setup for writepage.
+ */
+ page_ops = (keep_locked ? 0 : PAGE_UNLOCK);
+ page_ops |= PAGE_SET_ORDERED;
+
/*
* Relocation relies on the relocated extents to have exactly the same
* size as the original extents. Normally writeback for relocation data
@@ -1423,6 +1434,10 @@ static noinline int cow_file_range(struct btrfs_inode *inode,
file_extent.offset = 0;
file_extent.compression = BTRFS_COMPRESS_NONE;
+ /*
+ * Locked range will be released either during error clean up or
+ * after the whole range is finished.
+ */
lock_extent(&inode->io_tree, start, start + cur_alloc_size - 1,
&cached);
@@ -1468,21 +1483,6 @@ static noinline int cow_file_range(struct btrfs_inode *inode,
btrfs_dec_block_group_reservations(fs_info, ins.objectid);
- /*
- * We're not doing compressed IO, don't unlock the first page
- * (which the caller expects to stay locked), don't clear any
- * dirty bits and don't set any writeback bits
- *
- * Do set the Ordered flag so we know this page was
- * properly setup for writepage.
- */
- page_ops = (keep_locked ? 0 : PAGE_UNLOCK);
- page_ops |= PAGE_SET_ORDERED;
-
- extent_clear_unlock_delalloc(inode, start, start + cur_alloc_size - 1,
- locked_folio, &cached,
- EXTENT_LOCKED | EXTENT_DELALLOC,
- page_ops);
if (num_bytes < cur_alloc_size)
num_bytes = 0;
else
@@ -1499,6 +1499,9 @@ static noinline int cow_file_range(struct btrfs_inode *inode,
if (ret)
goto out_unlock;
}
+ extent_clear_unlock_delalloc(inode, orig_start, end, locked_folio, &cached,
+ EXTENT_LOCKED | EXTENT_DELALLOC,
+ page_ops);
done:
if (done_offset)
*done_offset = end;
@@ -1519,35 +1522,31 @@ static noinline int cow_file_range(struct btrfs_inode *inode,
* We process each region below.
*/
- clear_bits = EXTENT_LOCKED | EXTENT_DELALLOC | EXTENT_DELALLOC_NEW |
- EXTENT_DEFRAG | EXTENT_CLEAR_META_RESV;
- page_ops = PAGE_UNLOCK | PAGE_START_WRITEBACK | PAGE_END_WRITEBACK;
-
/*
* For the range (1). We have already instantiated the ordered extents
* for this region. They are cleaned up by
* btrfs_cleanup_ordered_extents() in e.g,
- * btrfs_run_delalloc_range(). EXTENT_LOCKED | EXTENT_DELALLOC are
- * already cleared in the above loop. And, EXTENT_DELALLOC_NEW |
- * EXTENT_DEFRAG | EXTENT_CLEAR_META_RESV are handled by the cleanup
- * function.
+ * btrfs_run_delalloc_range().
+ * EXTENT_DELALLOC_NEW | EXTENT_DEFRAG | EXTENT_CLEAR_META_RESV
+ * are also handled by the cleanup function.
*
- * However, in case of @keep_locked, we still need to unlock the pages
- * (except @locked_folio) to ensure all the pages are unlocked.
+ * So here we only clear EXTENT_LOCKED and EXTENT_DELALLOC flag,
+ * and finish the writeback of the involved folios, which will be
+ * never submitted.
*/
- if (keep_locked && orig_start < start) {
+ if (orig_start < start) {
+ clear_bits = EXTENT_LOCKED | EXTENT_DELALLOC;
+ page_ops = PAGE_UNLOCK | PAGE_START_WRITEBACK | PAGE_END_WRITEBACK;
+
if (!locked_folio)
mapping_set_error(inode->vfs_inode.i_mapping, ret);
extent_clear_unlock_delalloc(inode, orig_start, start - 1,
- locked_folio, NULL, 0, page_ops);
+ locked_folio, NULL, clear_bits, page_ops);
}
- /*
- * At this point we're unlocked, we want to make sure we're only
- * clearing these flags under the extent lock, so lock the rest of the
- * range and clear everything up.
- */
- lock_extent(&inode->io_tree, start, end, NULL);
+ clear_bits = EXTENT_LOCKED | EXTENT_DELALLOC | EXTENT_DELALLOC_NEW |
+ EXTENT_DEFRAG | EXTENT_CLEAR_META_RESV;
+ page_ops = PAGE_UNLOCK | PAGE_START_WRITEBACK | PAGE_END_WRITEBACK;
/*
* For the range (2). If we reserved an extent for our delalloc range
--
2.47.1
3 months, 3 weeks
- 2
- 2
[PATCH v2 2/9] btrfs: fix double accounting race when extent_writepage_io() failed
by Qu Wenruo
[BUG]
If submit_one_sector() failed inside extent_writepage_io() for sector
size < page size cases (e.g. 4K sector size and 64K page size), then
we can hit double ordered extent accounting error.
This should be very rare, as submit_one_sector() only fails when we
failed to grab the extent map, and such extent map should exist inside
the memory and have been pinned.
[CAUSE]
For example we have the following folio layout:
0 4K 32K 48K 60K 64K
|//| |//////| |///|
Where |///| is the dirty range we need to writeback. The 3 different
dirty ranges are submitted for regular COW.
Now we hit the following sequence:
- submit_one_sector() returned 0 for [0, 4K)
- submit_one_sector() returned 0 for [32K, 48K)
- submit_one_sector() returned error for [60K, 64K)
- btrfs_mark_ordered_io_finished() called for the whole folio
This will mark the following ranges as finished:
* [0, 4K)
* [32K, 48K)
Both ranges have their IO already submitted, this cleanup will
lead to double accounting.
* [60K, 64K)
That's the correct cleanup.
The only good news is, this error is only theoretical, as the target
extent map is always pinned, thus we should directly grab it from
memory, other than reading it from the disk.
[FIX]
Instead of calling btrfs_mark_ordered_io_finished() for the whole folio
range, which can touch ranges we should not touch, instead
move the error handling inside extent_writepage_io().
So that we can cleanup exact sectors that are ought to be submitted but
failed.
This provide much more accurate cleanup, avoiding the double accounting.
Cc: stable(a)vger.kernel.org # 5.15+
Signed-off-by: Qu Wenruo <wqu(a)suse.com>
---
fs/btrfs/extent_io.c | 32 +++++++++++++++++++-------------
1 file changed, 19 insertions(+), 13 deletions(-)
diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
index 417c710c55ca..b6a4f1765b4c 100644
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -1418,6 +1418,7 @@ static noinline_for_stack int extent_writepage_io(struct btrfs_inode *inode,
struct btrfs_fs_info *fs_info = inode->root->fs_info;
unsigned long range_bitmap = 0;
bool submitted_io = false;
+ bool error = false;
const u64 folio_start = folio_pos(folio);
u64 cur;
int bit;
@@ -1460,11 +1461,21 @@ static noinline_for_stack int extent_writepage_io(struct btrfs_inode *inode,
break;
}
ret = submit_one_sector(inode, folio, cur, bio_ctrl, i_size);
- if (ret < 0)
- goto out;
+ if (unlikely(ret < 0)) {
+ submit_one_bio(bio_ctrl);
+ /*
+ * Failed to grab the extent map which should be very rare.
+ * Since there is no bio submitted to finish the ordered
+ * extent, we have to manually finish this sector.
+ */
+ btrfs_mark_ordered_io_finished(inode, folio, cur,
+ fs_info->sectorsize, false);
+ error = true;
+ continue;
+ }
submitted_io = true;
}
-out:
+
/*
* If we didn't submitted any sector (>= i_size), folio dirty get
* cleared but PAGECACHE_TAG_DIRTY is not cleared (only cleared
@@ -1472,8 +1483,11 @@ static noinline_for_stack int extent_writepage_io(struct btrfs_inode *inode,
*
* Here we set writeback and clear for the range. If the full folio
* is no longer dirty then we clear the PAGECACHE_TAG_DIRTY tag.
+ *
+ * If we hit any error, the corresponding sector will still be dirty
+ * thus no need to clear PAGECACHE_TAG_DIRTY.
*/
- if (!submitted_io) {
+ if (!submitted_io && !error) {
btrfs_folio_set_writeback(fs_info, folio, start, len);
btrfs_folio_clear_writeback(fs_info, folio, start, len);
}
@@ -1493,7 +1507,6 @@ static int extent_writepage(struct folio *folio, struct btrfs_bio_ctrl *bio_ctrl
{
struct inode *inode = folio->mapping->host;
struct btrfs_fs_info *fs_info = inode_to_fs_info(inode);
- const u64 page_start = folio_pos(folio);
int ret;
size_t pg_offset;
loff_t i_size = i_size_read(inode);
@@ -1536,10 +1549,6 @@ static int extent_writepage(struct folio *folio, struct btrfs_bio_ctrl *bio_ctrl
bio_ctrl->wbc->nr_to_write--;
- if (ret)
- btrfs_mark_ordered_io_finished(BTRFS_I(inode), folio,
- page_start, PAGE_SIZE, !ret);
-
done:
if (ret < 0)
mapping_set_error(folio->mapping, ret);
@@ -2319,11 +2328,8 @@ void extent_write_locked_range(struct inode *inode, const struct folio *locked_f
if (ret == 1)
goto next_page;
- if (ret) {
- btrfs_mark_ordered_io_finished(BTRFS_I(inode), folio,
- cur, cur_len, !ret);
+ if (ret)
mapping_set_error(mapping, ret);
- }
btrfs_folio_end_lock(fs_info, folio, cur, cur_len);
if (ret < 0)
found_error = true;
--
2.47.1
3 months, 3 weeks
- 3
- 5
[PATCH] drm/xe/client: Better correlate exec_queue and GT timestamps
by Lucas De Marchi
This partially reverts commit fe4f5d4b6616 ("drm/xe: Clean up VM / exec
queue file lock usage."). While it's desired to have the mutex to
protect only the reference to the exec queue, getting and dropping each
mutex and then later getting the GPU timestamp, doesn't produce a
correct result: it introduces multiple opportunities for the task to be
scheduled out and thus wrecking havoc the deltas reported to userspace.
Also, to better correlate the timestamp from the exec queues with the
GPU, disable preemption so they can be updated without allowing the task
to be scheduled out. We leave interrupts enabled as that shouldn't be
enough disturbance for the deltas to matter to userspace.
Test scenario:
* IGT'S `xe_drm_fdinfo --r --r utilization-single-full-load`
* Platform: LNL, where CI occasionally reports failures
* `stress -c $(nproc)` running in parallel to disturb the
system
This brings a first failure from "after ~150 executions" to "never
occurs after 1000 attempts".
Cc: stable(a)vger.kernel.org # v6.11+
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/3512
Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com>
---
drivers/gpu/drm/xe/xe_drm_client.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/xe/xe_drm_client.c b/drivers/gpu/drm/xe/xe_drm_client.c
index 298a587da7f17..e307b4d6bab5a 100644
--- a/drivers/gpu/drm/xe/xe_drm_client.c
+++ b/drivers/gpu/drm/xe/xe_drm_client.c
@@ -338,15 +338,12 @@ static void show_run_ticks(struct drm_printer *p, struct drm_file *file)
/* Accumulate all the exec queues from this client */
mutex_lock(&xef->exec_queue.lock);
- xa_for_each(&xef->exec_queue.xa, i, q) {
- xe_exec_queue_get(q);
- mutex_unlock(&xef->exec_queue.lock);
+ preempt_disable();
+ xa_for_each(&xef->exec_queue.xa, i, q)
xe_exec_queue_update_run_ticks(q);
- mutex_lock(&xef->exec_queue.lock);
- xe_exec_queue_put(q);
- }
+ preempt_enable();
mutex_unlock(&xef->exec_queue.lock);
gpu_timestamp = xe_hw_engine_read_timestamp(hwe);
--
2.47.0
3 months, 3 weeks
- 3
- 12
[PATCH 1/5] KVM: e500: retry if no memslot is found
by Paolo Bonzini
Avoid a NULL pointer dereference if the memslot table changes between the
exit and the call to kvmppc_e500_shadow_map().
Cc: stable(a)vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini(a)redhat.com>
---
arch/powerpc/kvm/e500_mmu_host.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/arch/powerpc/kvm/e500_mmu_host.c b/arch/powerpc/kvm/e500_mmu_host.c
index e5a145b578a4..732335444d68 100644
--- a/arch/powerpc/kvm/e500_mmu_host.c
+++ b/arch/powerpc/kvm/e500_mmu_host.c
@@ -349,6 +349,11 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500,
* pointer through from the first lookup.
*/
slot = gfn_to_memslot(vcpu_e500->vcpu.kvm, gfn);
+ if (!slot) {
+ ret = -EAGAIN;
+ goto out;
+ }
+
hva = gfn_to_hva_memslot(slot, gfn);
if (tlbsel == 1) {
--
2.47.1
3 months, 3 weeks
- 2
- 1
[PATCH v2 0/6] arm64/sme: Collected SME fixes
by Mark Brown
This series collects the various SME related fixes that were previously
posted separately. These should address all the issues I am aware of so
a patch which reenables the SME configuration option is also included.
Signed-off-by: Mark Brown <broonie(a)kernel.org>
---
Changes in v2:
- Pull simplification of the signal restore code after the SME
reenablement, it's not a fix but there's some code overlap.
- Comment updates.
- Link to v1: https://lore.kernel.org/r/20241203-arm64-sme-reenable-v1-0-d853479d1b77@ker…
---
Mark Brown (6):
arm64/sme: Flush foreign register state in do_sme_acc()
arm64/fp: Don't corrupt FPMR when streaming mode changes
arm64/ptrace: Zero FPMR on streaming mode entry/exit
arm64/signal: Avoid corruption of SME state when entering signal handler
arm64/sme: Reenable SME
arm64/signal: Consistently invalidate the in register FP state in restore
arch/arm64/Kconfig | 1 -
arch/arm64/include/asm/fpsimd.h | 1 +
arch/arm64/kernel/fpsimd.c | 57 ++++++++++++++++++++++----
arch/arm64/kernel/ptrace.c | 12 +++++-
arch/arm64/kernel/signal.c | 89 +++++++++++------------------------------
5 files changed, 84 insertions(+), 76 deletions(-)
---
base-commit: 40384c840ea1944d7c5a392e8975ed088ecf0b37
change-id: 20241202-arm64-sme-reenable-98e64c161a8e
Best regards,
--
Mark Brown <broonie(a)kernel.org>
3 months, 3 weeks
- 3
- 5
[PATCH net 0/9] net: sysctl: avoid using current->nsproxy
by Matthieu Baerts (NGI0)
As pointed out by Al Viro and Eric Dumazet in [1], using the 'net'
structure via 'current' is not recommended for different reasons:
- Inconsistency: getting info from the reader's/writer's netns vs only
from the opener's netns as it is usually done. This could cause
unexpected issues when other operations are done on the wrong netns.
- current->nsproxy can be NULL in some cases, resulting in an 'Oops'
(null-ptr-deref), e.g. when the current task is exiting, as spotted by
syzbot [1] using acct(2).
The 'net' or 'pernet' structure can be obtained from the table->data
using container_of().
Note that table->data could also be used directly in more places, but
that would increase the size of this fix to replace all accesses via
'net'. Probably best to avoid that for fixes.
Patches 2-9 remove access of net via current->nsproxy in sysfs handlers
in MPTCP, SCTP and RDS. There are multiple patches doing almost the same
thing, but the reason is to ease the backports.
Patch 1 is not directly linked to this, but it is a small fix for MPTCP
available_schedulers sysctl knob to explicitly mark it as read-only.
Please note that this series does not address Al's comment [2]. In SCTP,
some sysctl knobs set other sysfs-exposed variables for the min/max: two
processes could then write two linked values at the same time, resulting
in new values being outside the new boundaries. It would be great if
SCTP developers can look at this problem.
Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1]
Link: https://lore.kernel.org/netdev/20250105211158.GL1977892@ZenIV/ [2]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org>
---
Matthieu Baerts (NGI0) (9):
mptcp: sysctl: avail sched: remove write access
mptcp: sysctl: sched: avoid using current->nsproxy
mptcp: sysctl: blackhole timeout: avoid using current->nsproxy
sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy
sctp: sysctl: rto_min/max: avoid using current->nsproxy
sctp: sysctl: auth_enable: avoid using current->nsproxy
sctp: sysctl: udp_port: avoid using current->nsproxy
sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy
rds: sysctl: rds_tcp_{rcv,snd}buf: avoid using current->nsproxy
net/mptcp/ctrl.c | 17 +++++++++--------
net/rds/tcp.c | 39 ++++++++++++++++++++++++++++++++-------
net/sctp/sysctl.c | 14 ++++++++------
3 files changed, 49 insertions(+), 21 deletions(-)
---
base-commit: db78475ba0d3c66d430f7ded2388cc041078a542
change-id: 20250108-net-sysctl-current-nsproxy-672ae21a873f
Best regards,
--
Matthieu Baerts (NGI0) <matttbe(a)kernel.org>
3 months, 3 weeks
- 3
- 11
[PATCH v4] arm64: dts: rockchip: increase gmac rx_delay on rk3399-puma
by Jakob Unterwurzacher
During mass manufacturing, we noticed the mmc_rx_crc_error counter,
as reported by "ethtool -S eth0 | grep mmc_rx_crc_error", to increase
above zero during nuttcp speedtests. Most of the time, this did not
affect the achieved speed, but it prompted this investigation.
Cycling through the rx_delay range on six boards (see table below) of
various ages shows that there is a large good region from 0x12 to 0x35
where we see zero crc errors on all tested boards.
The old rx_delay value (0x10) seems to have always been on the edge for
the KSZ9031RNX that is usually placed on Puma.
Choose "rx_delay = 0x23" to put us smack in the middle of the good
region. This works fine as well with the KSZ9131RNX PHY that was used
for a small number of boards during the COVID chip shortages.
Board S/N PHY rx_delay good region
--------- --- --------------------
Puma TT0069903 KSZ9031RNX 0x11 0x35
Puma TT0157733 KSZ9031RNX 0x11 0x35
Puma TT0681551 KSZ9031RNX 0x12 0x37
Puma TT0681156 KSZ9031RNX 0x10 0x38
Puma 17496030079 KSZ9031RNX 0x10 0x37 (Puma v1.2 from 2017)
Puma TT0681720 KSZ9131RNX 0x02 0x39 (alternative PHY used in very few boards)
Intersection of good regions = 0x12 0x35
Middle of good region = 0x23
Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM")
Cc: stable(a)vger.kernel.org
Reviewed-by: Quentin Schulz <quentin.schulz(a)cherry.de>
Tested-by: Quentin Schulz <quentin.schulz(a)cherry.de> # Puma v2.1 and v2.3 with KSZ9031
Signed-off-by: Jakob Unterwurzacher <jakob.unterwurzacher(a)cherry.de>
---
v4: drop internal Relates-to tag, add Tested-by, rebase to Linus master, send with b4
v3: use rx_delay = 0x23 instead of 0x11, which was not enough.
v2: cc stable, add "Fixes:", add omitted "there" to commit msg,
v1: initial submission
---
arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi
index d12e661dfd9917f820284477a215389c16205f46..995b30a7aae01a0326e9f80d6be930f227968539 100644
--- a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi
+++ b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi
@@ -182,7 +182,7 @@ &gmac {
snps,reset-active-low;
snps,reset-delays-us = <0 10000 50000>;
tx_delay = <0x10>;
- rx_delay = <0x10>;
+ rx_delay = <0x23>;
status = "okay";
};
---
base-commit: f932fb9b40749d1c9a539d89bb3e288c077aafe5
change-id: 20241213-puma_rx_delay-fadbcdf09783
Best regards,
--
Jakob Unterwurzacher <jakob.unterwurzacher(a)cherry.de>
3 months, 3 weeks
- 2
- 1
Taking a look at the NRF Retail Show 2025
by Rachel Taylor
Hi ,
Hope this email finds you well
I am reaching out to let you know that we have a list of attendees in NRF 2025 Retail's Big Show
Attendees count: 20,000 Leads
Contact Information: Company Name, Web URL, Contact Name, Title, Direct Email, Phone Number, FAX Number, Mailing Address, Industry, Employee Size, Annual Sales.
Please let me know if you are interested in acquiring this list, I can share pricing information for you review
I would like to thank you for never keeping me waiting for your reply
Regards
Rachel Taylor
Demand Generation Manager
Apollo Leads Hub Inc.,
Please reply with REMOVE if you don't wish to receive further emails
3 months, 3 weeks
- 1
- 2
[PATCH] Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc
by Fedor Pchelkin
A NULL sock pointer is passed into l2cap_sock_alloc() when it is called
from l2cap_sock_new_connection_cb() and the error handling paths should
also be aware of it.
Seemingly a more elegant solution would be to swap bt_sock_alloc() and
l2cap_chan_create() calls since they are not interdependent to that moment
but then l2cap_chan_create() adds the soon to be deallocated and still
dummy-initialized channel to the global list accessible by many L2CAP
paths. The channel would be removed from the list in short period of time
but be a bit more straight-forward here and just check for NULL instead of
changing the order of function calls.
Found by Linux Verification Center (linuxtesting.org) with SVACE static
analysis tool.
Fixes: 7c4f78cdb8e7 ("Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()")
Cc: stable(a)vger.kernel.org
Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru>
---
net/bluetooth/l2cap_sock.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 3d2553dcdb1b..49f97d4138ea 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1888,7 +1888,8 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
chan = l2cap_chan_create();
if (!chan) {
sk_free(sk);
- sock->sk = NULL;
+ if (sock)
+ sock->sk = NULL;
return NULL;
}
--
2.39.5
3 months, 3 weeks
- 4
- 5
[PATCH] riscv: kprobes: Fix incorrect address calculation
by Nam Cao
p->ainsn.api.insn is a pointer to u32, therefore arithmetic operations are
multiplied by four. This is clearly undesirable for this case.
Cast it to (void *) first before any calculation.
Below is a sample before/after. The dumped memory is two kprobe slots, the
first slot has
- c.addiw a0, 0x1c (0x7125)
- ebreak (0x00100073)
and the second slot has:
- c.addiw a0, -4 (0x7135)
- ebreak (0x00100073)
Before this patch:
(gdb) x/16xh 0xff20000000135000
0xff20000000135000: 0x7125 0x0000 0x0000 0x0000 0x7135 0x0010 0x0000 0x0000
0xff20000000135010: 0x0073 0x0010 0x0000 0x0000 0x0000 0x0000 0x0000 0x0000
After this patch:
(gdb) x/16xh 0xff20000000125000
0xff20000000125000: 0x7125 0x0073 0x0010 0x0000 0x7135 0x0073 0x0010 0x0000
0xff20000000125010: 0x0000 0x0000 0x0000 0x0000 0x0000 0x0000 0x0000 0x0000
Fixes: b1756750a397 ("riscv: kprobes: Use patch_text_nosync() for insn slots")
Signed-off-by: Nam Cao <namcao(a)linutronix.de>
Cc: stable(a)vger.kernel.org
---
arch/riscv/kernel/probes/kprobes.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/riscv/kernel/probes/kprobes.c b/arch/riscv/kernel/probes/kprobes.c
index 474a65213657..d2dacea1aedd 100644
--- a/arch/riscv/kernel/probes/kprobes.c
+++ b/arch/riscv/kernel/probes/kprobes.c
@@ -30,7 +30,7 @@ static void __kprobes arch_prepare_ss_slot(struct kprobe *p)
p->ainsn.api.restore = (unsigned long)p->addr + len;
patch_text_nosync(p->ainsn.api.insn, &p->opcode, len);
- patch_text_nosync(p->ainsn.api.insn + len, &insn, GET_INSN_LENGTH(insn));
+ patch_text_nosync((void *)p->ainsn.api.insn + len, &insn, GET_INSN_LENGTH(insn));
}
static void __kprobes arch_prepare_simulate(struct kprobe *p)
--
2.39.5
3 months, 3 weeks
- 3
- 3
[PATCH] riscv: Fix sleeping in invalid context in die()
by Nam Cao
die() can be called in exception handler, and therefore cannot sleep.
However, die() takes spinlock_t which can sleep with PREEMPT_RT enabled.
That causes the following warning:
BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 285, name: mutex
preempt_count: 110001, expected: 0
RCU nest depth: 0, expected: 0
CPU: 0 UID: 0 PID: 285 Comm: mutex Not tainted 6.12.0-rc7-00022-ge19049cf7d56-dirty #234
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
dump_backtrace+0x1c/0x24
show_stack+0x2c/0x38
dump_stack_lvl+0x5a/0x72
dump_stack+0x14/0x1c
__might_resched+0x130/0x13a
rt_spin_lock+0x2a/0x5c
die+0x24/0x112
do_trap_insn_illegal+0xa0/0xea
_new_vmalloc_restore_context_a0+0xcc/0xd8
Oops - illegal instruction [#1]
Switch to use raw_spinlock_t, which does not sleep even with PREEMPT_RT
enabled.
Fixes: 76d2a0493a17 ("RISC-V: Init and Halt Code")
Signed-off-by: Nam Cao <namcao(a)linutronix.de>
Cc: stable(a)vger.kernel.org
---
stable backport is probably not needed for versions earlier than 6.12
because PREEMPT_RT is not enabled. But it doesn't hurt..
---
arch/riscv/kernel/traps.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
index 51ebfd23e007..8ff8e8b36524 100644
--- a/arch/riscv/kernel/traps.c
+++ b/arch/riscv/kernel/traps.c
@@ -35,7 +35,7 @@
int show_unhandled_signals = 1;
-static DEFINE_SPINLOCK(die_lock);
+static DEFINE_RAW_SPINLOCK(die_lock);
static int copy_code(struct pt_regs *regs, u16 *val, const u16 *insns)
{
@@ -81,7 +81,7 @@ void die(struct pt_regs *regs, const char *str)
oops_enter();
- spin_lock_irqsave(&die_lock, flags);
+ raw_spin_lock_irqsave(&die_lock, flags);
console_verbose();
bust_spinlocks(1);
@@ -100,7 +100,7 @@ void die(struct pt_regs *regs, const char *str)
bust_spinlocks(0);
add_taint(TAINT_DIE, LOCKDEP_NOW_UNRELIABLE);
- spin_unlock_irqrestore(&die_lock, flags);
+ raw_spin_unlock_irqrestore(&die_lock, flags);
oops_exit();
if (in_interrupt())
--
2.39.5
3 months, 3 weeks
- 4
- 3
[PATCH -stable,5.10 0/1] Netfilter fix for -stable
by Pablo Neira Ayuso
Hi Greg, Sasha,
This batch contains a backport fix for 5.10-stable.
The following list shows the backported patches, I am using original commit
IDs for reference:
1) fca05d4d61e6 ("netfilter: nft_dynset: honor stateful expressions in set definition")
without this fix, the default set expression is silently ignored when
used from dynamic sets.
Please, apply,
Thanks
Pablo Neira Ayuso (1):
netfilter: nft_dynset: honor stateful expressions in set definition
include/net/netfilter/nf_tables.h | 2 ++
net/netfilter/nf_tables_api.c | 23 +++++++++++++++++++++++
net/netfilter/nft_dynset.c | 7 ++++++-
3 files changed, 31 insertions(+), 1 deletion(-)
--
2.30.2
3 months, 3 weeks
- 1
- 0
[PATCH 6.1.y] bpf, sockmap: Fix race between element replace and close()
by Alva Lan
From: Michal Luczaj <mhal(a)rbox.co>
[ Upstream commit ed1fc5d76b81a4d681211333c026202cad4d5649 ]
Element replace (with a socket different from the one stored) may race
with socket's close() link popping & unlinking. __sock_map_delete()
unconditionally unrefs the (wrong) element:
// set map[0] = s0
map_update_elem(map, 0, s0)
// drop fd of s0
close(s0)
sock_map_close()
lock_sock(sk) (s0!)
sock_map_remove_links(sk)
link = sk_psock_link_pop()
sock_map_unlink(sk, link)
sock_map_delete_from_link
// replace map[0] with s1
map_update_elem(map, 0, s1)
sock_map_update_elem
(s1!) lock_sock(sk)
sock_map_update_common
psock = sk_psock(sk)
spin_lock(&stab->lock)
osk = stab->sks[idx]
sock_map_add_link(..., &stab->sks[idx])
sock_map_unref(osk, &stab->sks[idx])
psock = sk_psock(osk)
sk_psock_put(sk, psock)
if (refcount_dec_and_test(&psock))
sk_psock_drop(sk, psock)
spin_unlock(&stab->lock)
unlock_sock(sk)
__sock_map_delete
spin_lock(&stab->lock)
sk = *psk // s1 replaced s0; sk == s1
if (!sk_test || sk_test == sk) // sk_test (s0) != sk (s1); no branch
sk = xchg(psk, NULL)
if (sk)
sock_map_unref(sk, psk) // unref s1; sks[idx] will dangle
psock = sk_psock(sk)
sk_psock_put(sk, psock)
if (refcount_dec_and_test())
sk_psock_drop(sk, psock)
spin_unlock(&stab->lock)
release_sock(sk)
Then close(map) enqueues bpf_map_free_deferred, which finally calls
sock_map_free(). This results in some refcount_t warnings along with
a KASAN splat [1].
Fix __sock_map_delete(), do not allow sock_map_unref() on elements that
may have been replaced.
[1]:
BUG: KASAN: slab-use-after-free in sock_map_free+0x10e/0x330
Write of size 4 at addr ffff88811f5b9100 by task kworker/u64:12/1063
CPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Not tainted 6.12.0+ #125
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
Workqueue: events_unbound bpf_map_free_deferred
Call Trace:
<TASK>
dump_stack_lvl+0x68/0x90
print_report+0x174/0x4f6
kasan_report+0xb9/0x190
kasan_check_range+0x10f/0x1e0
sock_map_free+0x10e/0x330
bpf_map_free_deferred+0x173/0x320
process_one_work+0x846/0x1420
worker_thread+0x5b3/0xf80
kthread+0x29e/0x360
ret_from_fork+0x2d/0x70
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 1202:
kasan_save_stack+0x1e/0x40
kasan_save_track+0x10/0x30
__kasan_slab_alloc+0x85/0x90
kmem_cache_alloc_noprof+0x131/0x450
sk_prot_alloc+0x5b/0x220
sk_alloc+0x2c/0x870
unix_create1+0x88/0x8a0
unix_create+0xc5/0x180
__sock_create+0x241/0x650
__sys_socketpair+0x1ce/0x420
__x64_sys_socketpair+0x92/0x100
do_syscall_64+0x93/0x180
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Freed by task 46:
kasan_save_stack+0x1e/0x40
kasan_save_track+0x10/0x30
kasan_save_free_info+0x37/0x60
__kasan_slab_free+0x4b/0x70
kmem_cache_free+0x1a1/0x590
__sk_destruct+0x388/0x5a0
sk_psock_destroy+0x73e/0xa50
process_one_work+0x846/0x1420
worker_thread+0x5b3/0xf80
kthread+0x29e/0x360
ret_from_fork+0x2d/0x70
ret_from_fork_asm+0x1a/0x30
The buggy address belongs to the object at ffff88811f5b9080
which belongs to the cache UNIX-STREAM of size 1984
The buggy address is located 128 bytes inside of
freed 1984-byte region [ffff88811f5b9080, ffff88811f5b9840)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11f5b8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff888127d49401
flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
page_type: f5(slab)
raw: 0017ffffc0000040 ffff8881042e4500 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800f000f 00000001f5000000 ffff888127d49401
head: 0017ffffc0000040 ffff8881042e4500 dead000000000122 0000000000000000
head: 0000000000000000 00000000800f000f 00000001f5000000 ffff888127d49401
head: 0017ffffc0000003 ffffea00047d6e01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88811f5b9000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88811f5b9080: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88811f5b9180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88811f5b9200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Disabling lock debugging due to kernel taint
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 14 PID: 1063 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150
CPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Tainted: G B 6.12.0+ #125
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
Workqueue: events_unbound bpf_map_free_deferred
RIP: 0010:refcount_warn_saturate+0xce/0x150
Code: 34 73 eb 03 01 e8 82 53 ad fe 0f 0b eb b1 80 3d 27 73 eb 03 00 75 a8 48 c7 c7 80 bd 95 84 c6 05 17 73 eb 03 01 e8 62 53 ad fe <0f> 0b eb 91 80 3d 06 73 eb 03 00 75 88 48 c7 c7 e0 bd 95 84 c6 05
RSP: 0018:ffff88815c49fc70 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff88811f5b9100 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000001
RBP: 0000000000000002 R08: 0000000000000001 R09: ffffed10bcde6349
R10: ffff8885e6f31a4b R11: 0000000000000000 R12: ffff88813be0b000
R13: ffff88811f5b9100 R14: ffff88811f5b9080 R15: ffff88813be0b024
FS: 0000000000000000(0000) GS:ffff8885e6f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055dda99b0250 CR3: 000000015dbac000 CR4: 0000000000752ef0
PKRU: 55555554
Call Trace:
<TASK>
? __warn.cold+0x5f/0x1ff
? refcount_warn_saturate+0xce/0x150
? report_bug+0x1ec/0x390
? handle_bug+0x58/0x90
? exc_invalid_op+0x13/0x40
? asm_exc_invalid_op+0x16/0x20
? refcount_warn_saturate+0xce/0x150
sock_map_free+0x2e5/0x330
bpf_map_free_deferred+0x173/0x320
process_one_work+0x846/0x1420
worker_thread+0x5b3/0xf80
kthread+0x29e/0x360
ret_from_fork+0x2d/0x70
ret_from_fork_asm+0x1a/0x30
</TASK>
irq event stamp: 10741
hardirqs last enabled at (10741): [<ffffffff84400ec6>] asm_sysvec_apic_timer_interrupt+0x16/0x20
hardirqs last disabled at (10740): [<ffffffff811e532d>] handle_softirqs+0x60d/0x770
softirqs last enabled at (10506): [<ffffffff811e55a9>] __irq_exit_rcu+0x109/0x210
softirqs last disabled at (10301): [<ffffffff811e55a9>] __irq_exit_rcu+0x109/0x210
refcount_t: underflow; use-after-free.
WARNING: CPU: 14 PID: 1063 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150
CPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Tainted: G B W 6.12.0+ #125
Tainted: [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
Workqueue: events_unbound bpf_map_free_deferred
RIP: 0010:refcount_warn_saturate+0xee/0x150
Code: 17 73 eb 03 01 e8 62 53 ad fe 0f 0b eb 91 80 3d 06 73 eb 03 00 75 88 48 c7 c7 e0 bd 95 84 c6 05 f6 72 eb 03 01 e8 42 53 ad fe <0f> 0b e9 6e ff ff ff 80 3d e6 72 eb 03 00 0f 85 61 ff ff ff 48 c7
RSP: 0018:ffff88815c49fc70 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff88811f5b9100 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000001
RBP: 0000000000000003 R08: 0000000000000001 R09: ffffed10bcde6349
R10: ffff8885e6f31a4b R11: 0000000000000000 R12: ffff88813be0b000
R13: ffff88811f5b9100 R14: ffff88811f5b9080 R15: ffff88813be0b024
FS: 0000000000000000(0000) GS:ffff8885e6f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055dda99b0250 CR3: 000000015dbac000 CR4: 0000000000752ef0
PKRU: 55555554
Call Trace:
<TASK>
? __warn.cold+0x5f/0x1ff
? refcount_warn_saturate+0xee/0x150
? report_bug+0x1ec/0x390
? handle_bug+0x58/0x90
? exc_invalid_op+0x13/0x40
? asm_exc_invalid_op+0x16/0x20
? refcount_warn_saturate+0xee/0x150
sock_map_free+0x2d3/0x330
bpf_map_free_deferred+0x173/0x320
process_one_work+0x846/0x1420
worker_thread+0x5b3/0xf80
kthread+0x29e/0x360
ret_from_fork+0x2d/0x70
ret_from_fork_asm+0x1a/0x30
</TASK>
irq event stamp: 10741
hardirqs last enabled at (10741): [<ffffffff84400ec6>] asm_sysvec_apic_timer_interrupt+0x16/0x20
hardirqs last disabled at (10740): [<ffffffff811e532d>] handle_softirqs+0x60d/0x770
softirqs last enabled at (10506): [<ffffffff811e55a9>] __irq_exit_rcu+0x109/0x210
softirqs last disabled at (10301): [<ffffffff811e55a9>] __irq_exit_rcu+0x109/0x210
Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
Signed-off-by: Michal Luczaj <mhal(a)rbox.co>
Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net>
Reviewed-by: John Fastabend <john.fastabend(a)gmail.com>
Link: https://lore.kernel.org/bpf/20241202-sockmap-replace-v1-3-1e88579e7bd5@rbox…
Signed-off-by: Alva Lan <alvalan9(a)foxmail.com>
---
net/core/sock_map.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/core/sock_map.c b/net/core/sock_map.c
index e674a686ff71..f4cca477b047 100644
--- a/net/core/sock_map.c
+++ b/net/core/sock_map.c
@@ -411,15 +411,15 @@ static void *sock_map_lookup_sys(struct bpf_map *map, void *key)
static int __sock_map_delete(struct bpf_stab *stab, struct sock *sk_test,
struct sock **psk)
{
- struct sock *sk;
+ struct sock *sk = NULL;
int err = 0;
if (irqs_disabled())
return -EOPNOTSUPP; /* locks here are hardirq-unsafe */
raw_spin_lock_bh(&stab->lock);
- sk = *psk;
- if (!sk_test || sk_test == sk)
+
+ if (!sk_test || sk_test == *psk)
sk = xchg(psk, NULL);
if (likely(sk))
--
2.43.0
3 months, 3 weeks
- 2
- 1
[PATCH 5.4 00/93] 5.4.289-rc1 review
by Greg Kroah-Hartman
This is the start of the stable review cycle for the 5.4.289 release.
There are 93 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed, 08 Jan 2025 15:11:04 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.289-rc…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 5.4.289-rc1
Seiji Nishikawa <snishika(a)redhat.com>
mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim()
Biju Das <biju.das.jz(a)bp.renesas.com>
drm: adv7511: Drop dsi single lane support
Nikolay Kuratov <kniv(a)yandex-team.ru>
net/sctp: Prevent autoclose integer overflow in sctp_association_init()
Pascal Hambourg <pascal(a)plouf.fr.eu.org>
sky2: Add device ID 11ab:4373 for Marvell 88E8075
Evgenii Shatokhin <e.shatokhin(a)yadro.com>
pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking
Dan Carpenter <dan.carpenter(a)linaro.org>
RDMA/uverbs: Prevent integer overflow issue
Masahiro Yamada <masahiroy(a)kernel.org>
modpost: fix the missed iteration for the max bit in do_input()
Masahiro Yamada <masahiroy(a)kernel.org>
modpost: fix input MODULE_DEVICE_TABLE() built for 64-bit on 32-bit host
Leon Romanovsky <leonro(a)nvidia.com>
ARC: build: Try to guess GCC variant of cross compiler
Uros Bizjak <ubizjak(a)gmail.com>
irqchip/gic: Correct declaration of *percpu_base pointer in union gic_base
Daniele Palmas <dnlplm(a)gmail.com>
net: usb: qmi_wwan: add Telit FE910C04 compositions
Anton Protopopov <aspsk(a)isovalent.com>
bpf: fix potential error return
Adrian Ratiu <adrian.ratiu(a)collabora.com>
sound: usb: format: don't warn that raw DSD is unsupported
Emmanuel Grumbach <emmanuel.grumbach(a)intel.com>
wifi: mac80211: wake the queues in case of failure in resume
Eric Dumazet <edumazet(a)google.com>
ila: serialize calls to nf_register_net_hooks()
Eric Dumazet <edumazet(a)google.com>
af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK
Eric Dumazet <edumazet(a)google.com>
af_packet: fix vlan_get_tci() vs MSG_PEEK
Tanya Agarwal <tanyaagarwal25699(a)gmail.com>
ALSA: usb-audio: US16x08: Initialize array before use
Antonio Pastor <antonio.pastor(a)gmail.com>
net: llc: reset skb->transport_header
Pablo Neira Ayuso <pablo(a)netfilter.org>
netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext
Gustavo A. R. Silva <gustavo(a)embeddedor.com>
netfilter: Replace zero-length array with flexible-array member
Ilya Shchipletsov <rabbelkin(a)mail.ru>
netrom: check buffer length before accessing it
Stefan Ekenberg <stefan.ekenberg(a)axis.com>
drm/bridge: adv7511_audio: Update Audio InfoFrame properly
Bogdan Togorean <bogdan.togorean(a)analog.com>
drm: bridge: adv7511: Enable SPDIF DAI
Selvin Xavier <selvin.xavier(a)broadcom.com>
RDMA/bnxt_re: Fix max_qp_wrs reported
Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com>
RDMA/bnxt_re: Fix reporting hw_ver in query_device
Saravanan Vajravel <saravanan.vajravel(a)broadcom.com>
RDMA/bnxt_re: Add check for path mtu in modify_qp
Patrisious Haddad <phaddad(a)nvidia.com>
RDMA/mlx5: Enforce same type port association for multiport RoCE
Parav Pandit <parav(a)nvidia.com>
net/mlx5: Make API mlx5_core_is_ecpf accept const pointer
Parav Pandit <parav(a)mellanox.com>
IB/mlx5: Introduce and use mlx5_core_is_vf()
Michael Kelley <mhklinux(a)outlook.com>
Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet
Thiébaud Weksteen <tweek(a)google.com>
selinux: ignore unknown extended permissions
Eric Dumazet <edumazet(a)google.com>
ipv6: prevent possible UAF in ip6_xmit()
Vasily Averin <vvs(a)virtuozzo.com>
skb_expand_head() adjust skb->truesize incorrectly
Filipe Manana <fdmanana(a)suse.com>
btrfs: avoid monopolizing a core when activating a swap file
Christian Göttsche <cgzones(a)googlemail.com>
tracing: Constify string literal data member in struct trace_event_call
Jiayuan Chen <mrpre(a)163.com>
bpf: fix recursive lock when verdict program return SK_PASS
Eric Dumazet <edumazet(a)google.com>
ipv6: fix possible UAF in ip6_finish_output2()
Vasily Averin <vvs(a)virtuozzo.com>
ipv6: use skb_expand_head in ip6_xmit
Vasily Averin <vvs(a)virtuozzo.com>
ipv6: use skb_expand_head in ip6_finish_output2
Vasily Averin <vvs(a)virtuozzo.com>
skbuff: introduce skb_expand_head()
Jiaxun Yang <jiaxun.yang(a)flygoat.com>
MIPS: Probe toolchain support of -msym32
Xuewen Yan <xuewen.yan(a)unisoc.com>
epoll: Add synchronous wakeup support for ep_poll_callback
Ming Lei <ming.lei(a)redhat.com>
virtio-blk: don't keep queue frozen during system suspend
Ranjan Kumar <ranjan.kumar(a)broadcom.com>
scsi: mpt3sas: Diag-Reset when Doorbell-In-Use bit is set during driver load time
Armin Wolf <W_Armin(a)gmx.de>
platform/x86: asus-nb-wmi: Ignore unknown event 0xCF
Mark Brown <broonie(a)kernel.org>
regmap: Use correct format specifier for logging range errors
Tomas Henzl <thenzl(a)redhat.com>
scsi: megaraid_sas: Fix for a potential deadlock
Magnus Lindholm <linmag7(a)gmail.com>
scsi: qla1280: Fix hw revision numbering for ISP1020/1040
Masami Hiramatsu (Google) <mhiramat(a)kernel.org>
tracing/kprobe: Make trace_kprobe's module callback called after jump_label update
Dan Carpenter <dan.carpenter(a)linaro.org>
mtd: rawnand: fix double free in atmel_pmecc_create_user()
Chen Ridong <chenridong(a)huawei.com>
dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset
Javier Carrasco <javier.carrasco.cruz(a)gmail.com>
dmaengine: mv_xor: fix child node refcount handling in early exit
Zijun Hu <quic_zijuhu(a)quicinc.com>
phy: core: Fix that API devm_phy_destroy() fails to destroy the phy
Zijun Hu <quic_zijuhu(a)quicinc.com>
phy: core: Fix that API devm_phy_put() fails to release the phy
Zijun Hu <quic_zijuhu(a)quicinc.com>
phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup()
Zijun Hu <quic_zijuhu(a)quicinc.com>
phy: core: Fix an OF node refcount leakage in _of_phy_get()
Zichen Xie <zichenxie0106(a)gmail.com>
mtd: diskonchip: Cast an operand to prevent potential overflow
NeilBrown <neilb(a)suse.de>
nfsd: restore callback functionality for NFSv4.0
Cong Wang <cong.wang(a)bytedance.com>
bpf: Check negative offsets in __bpf_skb_min_len()
Nikita Zhandarovich <n.zhandarovich(a)fintech.ru>
media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg
Zijun Hu <quic_zijuhu(a)quicinc.com>
of: Fix refcount leakage for OF node returned by __of_get_dma_parent()
Herve Codina <herve.codina(a)bootlin.com>
of: Fix error path in of_parse_phandle_with_args_map()
Jann Horn <jannh(a)google.com>
udmabuf: also check for F_SEAL_FUTURE_WRITE
Edward Adam Davis <eadavis(a)qq.com>
nilfs2: prevent use of deleted inode
Zijun Hu <quic_zijuhu(a)quicinc.com>
of/irq: Fix using uninitialized variable @addr_len in API of_irq_parse_one()
Trond Myklebust <trond.myklebust(a)hammerspace.com>
NFS/pnfs: Fix a live lock between recalled layouts and layoutget
Qu Wenruo <wqu(a)suse.com>
btrfs: tree-checker: reject inline extent items with 0 ref count
Kairui Song <kasong(a)tencent.com>
zram: refuse to use zero sized block device as backing device
Geert Uytterhoeven <geert+renesas(a)glider.be>
sh: clk: Fix clk_enable() to return 0 on NULL clk
Daniele Palmas <dnlplm(a)gmail.com>
USB: serial: option: add Telit FE910C04 rmnet compositions
Jack Wu <wojackbb(a)gmail.com>
USB: serial: option: add MediaTek T7XX compositions
Mank Wang <mank.wang(a)netprisma.com>
USB: serial: option: add Netprisma LCUK54 modules for WWAN Ready
Michal Hrusecky <michal.hrusecky(a)turris.com>
USB: serial: option: add MeiG Smart SLM770A
Daniel Swanemar <d.swanemar(a)gmail.com>
USB: serial: option: add TCL IK512 MBIM & ECM
James Bottomley <James.Bottomley(a)HansenPartnership.com>
efivarfs: Fix error on non-existent file
Geert Uytterhoeven <geert+renesas(a)glider.be>
i2c: riic: Always round-up when calculating bus period
Dan Carpenter <dan.carpenter(a)linaro.org>
chelsio/chtls: prevent potential integer overflow on 32bit
Prathamesh Shete <pshete(a)nvidia.com>
mmc: sdhci-tegra: Remove SDHCI_QUIRK_BROKEN_ADMA_ZEROLEN_DESC quirk
Phil Sutter <phil(a)nwl.cc>
netfilter: ipset: Fix for recursive locking warning
Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp>
net: ethernet: bgmac-platform: fix an OF node reference leak
Dan Carpenter <dan.carpenter(a)linaro.org>
net: hinic: Fix cleanup in create_rxqs/txqs()
Shannon Nelson <shannon.nelson(a)amd.com>
ionic: use ee->offset when returning sprom data
Guangguan Wang <guangguan.wang(a)linux.alibaba.com>
net/smc: check sndbuf_space again after NOSPACE flag is set in smc_poll
Gao Xiang <hsiangkao(a)linux.alibaba.com>
erofs: fix incorrect symlink detection in fast symlink
Gao Xiang <hsiangkao(a)linux.alibaba.com>
erofs: fix order >= MAX_ORDER warning due to crafted negative i_size
Jiasheng Jiang <jiashengjiangcool(a)gmail.com>
drm/i915: Fix memory leak by correcting cache object name in error handler
Vladimir Riabchun <ferr.lambarginio(a)gmail.com>
i2c: pnx: Fix timeout in wait functions
Ajit Khaparde <ajit.khaparde(a)broadcom.com>
PCI: Add ACS quirk for Broadcom BCM5760X NIC
Takashi Iwai <tiwai(a)suse.de>
ALSA: usb: Fix UBSAN warning in parse_audio_unit()
Kai-Heng Feng <kai.heng.feng(a)canonical.com>
PCI/AER: Disable AER service on suspend
Peng Hongchi <hongchi.peng(a)siengine.com>
usb: dwc2: gadget: Don't write invalid mapped sg entries into dma_desc with iommu enabled
Lion Ackermann <nnamrec(a)gmail.com>
net: sched: fix ordering of qlen adjustment
-------------
Diffstat:
Makefile | 4 +-
arch/arc/Makefile | 2 +-
arch/mips/Makefile | 2 +-
drivers/base/regmap/regmap.c | 4 +-
drivers/block/virtio_blk.c | 7 +-
drivers/block/zram/zram_drv.c | 6 ++
drivers/crypto/chelsio/chtls/chtls_main.c | 5 +-
drivers/dma-buf/udmabuf.c | 2 +-
drivers/dma/at_xdmac.c | 2 +
drivers/dma/mv_xor.c | 2 +
drivers/gpu/drm/bridge/adv7511/adv7511_audio.c | 28 ++++++-
drivers/gpu/drm/bridge/adv7511/adv7533.c | 2 +-
drivers/gpu/drm/i915/i915_scheduler.c | 2 +-
drivers/hv/hv_kvp.c | 6 ++
drivers/hv/hv_snapshot.c | 6 ++
drivers/hv/hv_util.c | 9 +++
drivers/hv/hyperv_vmbus.h | 2 +
drivers/i2c/busses/i2c-pnx.c | 4 +-
drivers/i2c/busses/i2c-riic.c | 2 +-
drivers/infiniband/core/uverbs_cmd.c | 16 ++--
drivers/infiniband/hw/bnxt_re/ib_verbs.c | 28 +++----
drivers/infiniband/hw/bnxt_re/qplib_sp.c | 2 +-
drivers/infiniband/hw/mlx5/main.c | 8 +-
drivers/irqchip/irq-gic.c | 2 +-
drivers/media/dvb-frontends/dib3000mb.c | 2 +-
drivers/mmc/host/sdhci-tegra.c | 1 -
drivers/mtd/nand/raw/atmel/pmecc.c | 4 +-
drivers/mtd/nand/raw/diskonchip.c | 2 +-
drivers/net/ethernet/broadcom/bgmac-platform.c | 5 +-
drivers/net/ethernet/huawei/hinic/hinic_main.c | 2 +
drivers/net/ethernet/marvell/sky2.c | 1 +
.../net/ethernet/pensando/ionic/ionic_ethtool.c | 4 +-
drivers/net/usb/qmi_wwan.c | 3 +
drivers/of/address.c | 2 +-
drivers/of/base.c | 15 ++--
drivers/of/irq.c | 1 +
drivers/pci/pcie/aer.c | 18 +++++
drivers/pci/quirks.c | 4 +
drivers/phy/phy-core.c | 15 ++--
drivers/pinctrl/pinctrl-mcp23s08.c | 6 ++
drivers/platform/x86/asus-nb-wmi.c | 1 +
drivers/scsi/megaraid/megaraid_sas_base.c | 5 +-
drivers/scsi/mpt3sas/mpt3sas_base.c | 7 +-
drivers/scsi/qla1280.h | 12 +--
drivers/sh/clk/core.c | 2 +-
drivers/usb/dwc2/gadget.c | 4 +-
drivers/usb/serial/option.c | 27 +++++++
fs/btrfs/inode.c | 2 +
fs/btrfs/tree-checker.c | 27 ++++++-
fs/efivarfs/inode.c | 2 +-
fs/efivarfs/internal.h | 1 -
fs/efivarfs/super.c | 3 -
fs/erofs/inode.c | 20 ++---
fs/eventpoll.c | 5 +-
fs/nfs/pnfs.c | 2 +-
fs/nfsd/nfs4callback.c | 4 +-
fs/nilfs2/inode.c | 8 +-
fs/nilfs2/namei.c | 5 ++
include/linux/hyperv.h | 1 +
include/linux/if_vlan.h | 16 +++-
include/linux/mlx5/driver.h | 13 +++-
include/linux/netfilter/ipset/ip_set.h | 2 +-
include/linux/netfilter/x_tables.h | 8 +-
include/linux/netfilter_arp/arp_tables.h | 2 +-
include/linux/netfilter_bridge/ebtables.h | 2 +-
include/linux/netfilter_ipv4/ip_tables.h | 2 +-
include/linux/netfilter_ipv6/ip6_tables.h | 2 +-
include/linux/skbuff.h | 1 +
include/linux/trace_events.h | 2 +-
include/linux/wait.h | 1 +
include/net/netfilter/nf_conntrack_extend.h | 2 +-
include/net/netfilter/nf_conntrack_timeout.h | 2 +-
include/net/netfilter/nf_tables.h | 13 ++--
include/uapi/linux/netfilter_bridge/ebt_among.h | 2 +-
kernel/bpf/core.c | 6 +-
kernel/trace/trace_kprobe.c | 2 +-
mm/vmscan.c | 9 ++-
net/bridge/netfilter/ebtables.c | 2 +-
net/core/filter.c | 21 ++++--
net/core/skbuff.c | 52 +++++++++++++
net/core/skmsg.c | 4 +-
net/ipv4/netfilter/arp_tables.c | 4 +-
net/ipv4/netfilter/ip_tables.c | 4 +-
net/ipv6/ila/ila_xlat.c | 16 ++--
net/ipv6/ip6_output.c | 86 +++++++++-------------
net/ipv6/netfilter/ip6_tables.c | 4 +-
net/llc/llc_input.c | 2 +-
net/mac80211/util.c | 3 +
net/netfilter/ipset/ip_set_bitmap_ip.c | 2 +-
net/netfilter/ipset/ip_set_bitmap_ipmac.c | 2 +-
net/netfilter/ipset/ip_set_bitmap_port.c | 2 +-
net/netfilter/ipset/ip_set_hash_gen.h | 4 +-
net/netfilter/ipset/ip_set_list_set.c | 3 +
net/netfilter/nfnetlink_acct.c | 2 +-
net/netfilter/xt_hashlimit.c | 2 +-
net/netfilter/xt_recent.c | 4 +-
net/netrom/nr_route.c | 6 ++
net/packet/af_packet.c | 28 ++-----
net/sched/sch_cake.c | 2 +-
net/sched/sch_choke.c | 2 +-
net/sctp/associola.c | 3 +-
net/smc/af_smc.c | 7 ++
scripts/mod/file2alias.c | 4 +-
security/selinux/ss/services.c | 8 +-
sound/usb/format.c | 7 +-
sound/usb/mixer.c | 7 ++
sound/usb/mixer_us16x08.c | 2 +-
107 files changed, 522 insertions(+), 236 deletions(-)
3 months, 3 weeks
- 8
- 102
[PATCH] clk: qcom: clk-rpmh: add explicit casting in clk_rpmh_bcm_recalc_rate
by Anastasia Belova
The result of multiplication of aggr_state and unit fields (rate
value) may not fit u32 type. Add explicit casting to a larger
type to prevent overflow.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 04053f4d23a4 ("clk: qcom: clk-rpmh: Add IPA clock support")
Cc: stable(a)vger.kernel.org # v5.4+
Signed-off-by: Anastasia Belova <abelova(a)astralinux.ru>
---
drivers/clk/qcom/clk-rpmh.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/qcom/clk-rpmh.c b/drivers/clk/qcom/clk-rpmh.c
index eefc322ce367..e6c33010cfbf 100644
--- a/drivers/clk/qcom/clk-rpmh.c
+++ b/drivers/clk/qcom/clk-rpmh.c
@@ -329,7 +329,7 @@ static unsigned long clk_rpmh_bcm_recalc_rate(struct clk_hw *hw,
{
struct clk_rpmh *c = to_clk_rpmh(hw);
- return c->aggr_state * c->unit;
+ return (unsigned long)c->aggr_state * c->unit;
}
static const struct clk_ops clk_rpmh_bcm_ops = {
--
2.43.0
3 months, 3 weeks
- 2
- 2
[PATCH 0/3] selftests/mm: virtual_address_range: Two bugfixes and a cleanup
by Thomas Weißschuh
The selftest started failing since commit e93d2521b27f
("x86/vdso: Split virtual clock pages into dedicated mapping")
was merged. While debugging I stumbled upon another bug and potential
cleanup.
Signed-off-by: Thomas Weißschuh <thomas.weissschuh(a)linutronix.de>
---
Thomas Weißschuh (3):
selftests/mm: virtual_address_range: Fix error when CommitLimit < 1GiB
selftests/mm: virtual_address_range: Avoid reading VVAR mappings
selftests/mm: virtual_address_range: Dump to /dev/null
tools/testing/selftests/mm/virtual_address_range.c | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
---
base-commit: fbfd64d25c7af3b8695201ebc85efe90be28c5a3
change-id: 20250107-virtual_address_range-tests-95843766fa97
Best regards,
--
Thomas Weißschuh <thomas.weissschuh(a)linutronix.de>
3 months, 3 weeks
- 3
- 12
[PATCH] phy: Fix error handling in tegra_xusb_port_init
by Ma Ke
The reference count of the device incremented in device_initialize()
is not decremented properly when device_add() fails. Change
device_unregister() to a put_device() call before returning from the
function to decrement reference count for cleanup. Or it could cause
memory leak.
As comment of device_add() says, 'if device_add() succeeds, you should
call device_del() when you want to get rid of it. If device_add() has
not succeeded, use only put_device() to drop the reference count'.
Found by code review.
Cc: stable(a)vger.kernel.org
Fixes: 53d2a715c240 ("phy: Add Tegra XUSB pad controller support")
Signed-off-by: Ma Ke <make24(a)iscas.ac.cn>
---
drivers/phy/tegra/xusb.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/phy/tegra/xusb.c b/drivers/phy/tegra/xusb.c
index 79d4814d758d..c89df95aa6ca 100644
--- a/drivers/phy/tegra/xusb.c
+++ b/drivers/phy/tegra/xusb.c
@@ -548,16 +548,16 @@ static int tegra_xusb_port_init(struct tegra_xusb_port *port,
err = dev_set_name(&port->dev, "%s-%u", name, index);
if (err < 0)
- goto unregister;
+ goto put_device;
err = device_add(&port->dev);
if (err < 0)
- goto unregister;
+ goto put_device;
return 0;
-unregister:
- device_unregister(&port->dev);
+put_device:
+ put_device(&port->dev);
return err;
}
--
2.25.1
3 months, 3 weeks
- 2
- 1
Re: [syzbot] [overlayfs?] BUG: unable to handle kernel NULL pointer dereference in __lookup_slow (3)
by syzbot
syzbot suspects this issue was fixed by commit:
commit c8b359dddb418c60df1a69beea01d1b3322bfe83
Author: Vasiliy Kovalev <kovalev(a)altlinux.org>
Date: Tue Nov 19 15:58:17 2024 +0000
ovl: Filter invalid inodes with missing lookup function
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14ef4dc4580000
start commit: 20371ba12063 Merge tag 'drm-fixes-2024-08-30' of https://g..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=d806687521800cad
dashboard link: https://syzkaller.appspot.com/bug?extid=94891a5155abdf6821b7
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1673fcb7980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15223467980000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: ovl: Filter invalid inodes with missing lookup function
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
3 months, 3 weeks
- 2
- 3
Linux 6.12.9
by Greg Kroah-Hartman
I'm announcing the release of the 6.12.9 kernel.
All users of the 6.12 kernel series must upgrade.
The updated 6.12.y git tree can be found at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y
and can be browsed at the normal kernel.org git web browser:
https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary
thanks,
greg k-h
------------
Documentation/admin-guide/laptops/thinkpad-acpi.rst | 10
Documentation/devicetree/bindings/display/bridge/adi,adv7533.yaml | 2
Makefile | 2
arch/arc/Kconfig | 4
arch/arc/Makefile | 2
arch/arc/include/asm/cmpxchg.h | 2
arch/arc/net/bpf_jit_arcv2.c | 2
arch/x86/events/intel/core.c | 1
block/blk.h | 9
drivers/clk/imx/clk-imx8mp-audiomix.c | 3
drivers/clk/thead/clk-th1520-ap.c | 13
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 6
drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c | 10
drivers/gpu/drm/amd/amdkfd/kfd_migrate.c | 4
drivers/gpu/drm/bridge/adv7511/adv7511_audio.c | 14
drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 10
drivers/gpu/drm/bridge/adv7511/adv7533.c | 4
drivers/gpu/drm/i915/display/intel_cx0_phy.c | 12
drivers/gpu/drm/i915/gt/intel_rc6.c | 2
drivers/gpu/drm/xe/xe_bo.c | 12
drivers/gpu/drm/xe/xe_devcoredump.c | 15
drivers/gpu/drm/xe/xe_exec_queue.c | 9
drivers/gpu/drm/xe/xe_gt_sriov_pf_config.c | 2
drivers/infiniband/core/cma.c | 16
drivers/infiniband/core/nldev.c | 2
drivers/infiniband/core/uverbs_cmd.c | 16
drivers/infiniband/hw/bnxt_re/ib_verbs.c | 34 -
drivers/infiniband/hw/bnxt_re/main.c | 8
drivers/infiniband/hw/bnxt_re/qplib_fp.c | 65 +-
drivers/infiniband/hw/bnxt_re/qplib_fp.h | 3
drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 5
drivers/infiniband/hw/bnxt_re/qplib_sp.c | 18
drivers/infiniband/hw/hns/hns_roce_hem.c | 43 +
drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 11
drivers/infiniband/hw/hns/hns_roce_mr.c | 5
drivers/infiniband/hw/mlx5/main.c | 8
drivers/infiniband/sw/rxe/rxe.c | 23
drivers/infiniband/sw/rxe/rxe.h | 3
drivers/infiniband/sw/rxe/rxe_mcast.c | 22
drivers/infiniband/sw/rxe/rxe_net.c | 24
drivers/infiniband/sw/rxe/rxe_verbs.c | 26
drivers/infiniband/sw/rxe/rxe_verbs.h | 11
drivers/infiniband/sw/siw/siw.h | 7
drivers/infiniband/sw/siw/siw_cm.c | 27 -
drivers/infiniband/sw/siw/siw_main.c | 15
drivers/infiniband/sw/siw/siw_verbs.c | 35 -
drivers/infiniband/ulp/rtrs/rtrs-srv.c | 2
drivers/irqchip/irq-gic.c | 2
drivers/mmc/host/sdhci-msm.c | 16
drivers/net/dsa/microchip/ksz9477.c | 47 +
drivers/net/dsa/microchip/ksz9477_reg.h | 4
drivers/net/dsa/microchip/lan937x_main.c | 62 ++
drivers/net/dsa/microchip/lan937x_reg.h | 9
drivers/net/ethernet/broadcom/bcmsysport.c | 21
drivers/net/ethernet/google/gve/gve.h | 1
drivers/net/ethernet/google/gve/gve_main.c | 63 +-
drivers/net/ethernet/google/gve/gve_tx.c | 46 +
drivers/net/ethernet/marvell/mv643xx_eth.c | 14
drivers/net/ethernet/marvell/sky2.c | 1
drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c | 4
drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 19
drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 15
drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.c | 6
drivers/net/ethernet/mellanox/mlx5/core/eswitch.h | 3
drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c | 5
drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c | 4
drivers/net/ethernet/mellanox/mlxsw/spectrum_span.c | 3
drivers/net/ethernet/sfc/tc_conntrack.c | 2
drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 43 -
drivers/net/ethernet/ti/am65-cpsw-nuss.c | 2
drivers/net/ethernet/ti/icssg/icss_iep.c | 8
drivers/net/ethernet/ti/icssg/icssg_common.c | 25
drivers/net/ethernet/ti/icssg/icssg_config.c | 41 +
drivers/net/ethernet/ti/icssg/icssg_config.h | 1
drivers/net/ethernet/ti/icssg/icssg_prueth.c | 261 ++++++----
drivers/net/ethernet/ti/icssg/icssg_prueth.h | 5
drivers/net/ethernet/ti/icssg/icssg_prueth_sr1.c | 24
drivers/net/phy/micrel.c | 114 +++-
drivers/net/pse-pd/tps23881.c | 16
drivers/net/usb/qmi_wwan.c | 3
drivers/net/wireless/intel/iwlwifi/cfg/bz.c | 1
drivers/net/wireless/intel/iwlwifi/iwl-config.h | 1
drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 14
drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 37 +
drivers/net/wwan/iosm/iosm_ipc_mmio.c | 2
drivers/net/wwan/t7xx/t7xx_state_monitor.c | 26
drivers/net/wwan/t7xx/t7xx_state_monitor.h | 5
drivers/nvme/host/nvme.h | 5
drivers/nvme/host/pci.c | 9
drivers/nvme/target/configfs.c | 11
drivers/pinctrl/pinctrl-mcp23s08.c | 6
drivers/platform/x86/hp/hp-wmi.c | 4
drivers/platform/x86/mlx-platform.c | 2
drivers/platform/x86/thinkpad_acpi.c | 4
drivers/pmdomain/core.c | 6
drivers/pmdomain/imx/gpcv2.c | 4
drivers/spi/spi-cadence-quadspi.c | 10
fs/btrfs/bio.c | 23
fs/btrfs/disk-io.c | 9
fs/btrfs/inode.c | 5
fs/ocfs2/quota_global.c | 2
fs/ocfs2/quota_local.c | 1
fs/proc/task_mmu.c | 2
fs/smb/client/cifsfs.c | 1
fs/smb/server/smb2pdu.c | 22
fs/smb/server/vfs.h | 1
include/linux/bio.h | 17
include/linux/filter.h | 2
include/linux/if_vlan.h | 16
include/linux/memfd.h | 14
include/linux/mlx5/driver.h | 7
include/linux/mlx5/mlx5_ifc.h | 4
include/linux/mm.h | 59 +-
include/linux/mm_types.h | 30 +
include/net/bluetooth/hci_core.h | 108 ++--
include/net/netfilter/nf_tables.h | 7
include/sound/cs35l56.h | 6
io_uring/kbuf.c | 4
io_uring/net.c | 1
io_uring/rw.c | 2
kernel/bpf/core.c | 8
kernel/bpf/verifier.c | 2
kernel/kcov.c | 2
kernel/sched/ext.c | 4
kernel/trace/fgraph.c | 2
kernel/trace/ftrace.c | 8
kernel/trace/trace_events.c | 12
kernel/workqueue.c | 23
lib/maple_tree.c | 1
mm/damon/core.c | 10
mm/hugetlb.c | 16
mm/kmemleak.c | 2
mm/memfd.c | 2
mm/mmap.c | 4
mm/readahead.c | 6
mm/shmem.c | 7
mm/vmscan.c | 9
net/bluetooth/hci_core.c | 10
net/bluetooth/iso.c | 6
net/bluetooth/l2cap_core.c | 12
net/bluetooth/rfcomm/core.c | 6
net/bluetooth/sco.c | 12
net/core/dev.c | 4
net/core/filter.c | 65 +-
net/core/netdev-genl.c | 6
net/core/sock.c | 5
net/ipv4/ip_tunnel.c | 6
net/ipv4/tcp_input.c | 1
net/ipv6/ila/ila_xlat.c | 16
net/llc/llc_input.c | 2
net/mac80211/cfg.c | 8
net/mac80211/mesh.c | 6
net/mac80211/util.c | 3
net/mptcp/options.c | 7
net/mptcp/protocol.c | 22
net/netrom/nr_route.c | 6
net/packet/af_packet.c | 28 -
net/sctp/associola.c | 3
net/wireless/util.c | 3
scripts/mksysmap | 4
scripts/mod/file2alias.c | 2
scripts/package/PKGBUILD | 2
scripts/sorttable.h | 5
security/selinux/ss/services.c | 8
sound/core/seq/oss/seq_oss_synth.c | 2
sound/core/seq/seq_clientmgr.c | 14
sound/core/ump.c | 2
sound/pci/hda/cs35l56_hda.c | 8
sound/pci/hda/patch_ca0132.c | 37 -
sound/pci/hda/patch_realtek.c | 24
sound/soc/generic/audio-graph-card2.c | 2
sound/usb/format.c | 7
sound/usb/mixer_us16x08.c | 2
sound/usb/quirks.c | 2
tools/sched_ext/scx_central.c | 2
tools/testing/selftests/bpf/progs/tc_bpf2bpf.c | 2
tools/testing/selftests/net/forwarding/local_termination.sh | 1
177 files changed, 1687 insertions(+), 753 deletions(-)
Aditya Kumar Singh (1):
wifi: cfg80211: clear link ID from bitmap during link delete after clean up
Adrian Ratiu (2):
sound: usb: enable DSD output for ddHiFi TC44C
sound: usb: format: don't warn that raw DSD is unsupported
Alessandro Carminati (1):
mm/kmemleak: fix sleeping function called from invalid context at print message
Alex Deucher (1):
drm/amdgpu: fix backport of commit 73dae652dcac
Anton Protopopov (1):
bpf: fix potential error return
Antonio Pastor (1):
net: llc: reset skb->transport_header
Anumula Murali Mohan Reddy (1):
RDMA/core: Fix ENODEV error for iWARP test over vlan
Arnd Bergmann (1):
kcov: mark in_softirq_really() as __always_inline
Baolin Wang (2):
mm: shmem: fix the update of 'shmem_falloc->nr_unswapped'
mm: shmem: fix incorrect index alignment for within_size policy
Bernard Metzler (1):
RDMA/siw: Remove direct link to net_device
Biju Das (3):
drm: adv7511: Drop dsi single lane support
dt-bindings: display: adi,adv7533: Drop single lane support
drm: adv7511: Fix use-after-free in adv7533_attach_dsi()
Chengchang Tang (3):
RDMA/hns: Fix accessing invalid dip_ctx during destroying QP
RDMA/hns: Fix warning storm caused by invalid input in IO path
RDMA/hns: Fix missing flush CQE for DWQE
Chiara Meiohas (1):
RDMA/nldev: Set error code in rdma_nl_notify_event
Christoph Hellwig (2):
block: lift bio_is_zone_append to bio.h
btrfs: use bio_is_zone_append() in the completion handler
Damodharam Ammepalli (2):
RDMA/bnxt_re: Add send queue size check for variable wqe
RDMA/bnxt_re: Fix MSN table size for variable wqe mode
Dan Carpenter (1):
RDMA/uverbs: Prevent integer overflow issue
Daniel Schaefer (1):
ALSA hda/realtek: Add quirk for Framework F111:000C
Daniele Palmas (1):
net: usb: qmi_wwan: add Telit FE910C04 compositions
David Hildenbrand (1):
fs/proc/task_mmu: fix pagemap flags with PMD THP entries on 32bit
Dennis Lam (1):
ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv
Dragos Tatulea (1):
net/mlx5e: macsec: Maintain TX SA from encoding_sa
Eduard Zingerman (2):
bpf: refactor bpf_helper_changes_pkt_data to use helper number
bpf: consider that tail calls invalidate packet pointers
Emmanuel Grumbach (2):
wifi: iwlwifi: fix CRF name for Bz
wifi: mac80211: wake the queues in case of failure in resume
Enzo Matsumiya (1):
smb: client: destroy cfid_put_wq on module exit
Eric Biggers (1):
mmc: sdhci-msm: fix crypto key eviction
Eric Dumazet (4):
net: restrict SO_REUSEPORT to inet sockets
af_packet: fix vlan_get_tci() vs MSG_PEEK
af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK
ila: serialize calls to nf_register_net_hooks()
Evgenii Shatokhin (1):
pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking
Filipe Manana (2):
btrfs: allow swap activation to be interruptible
btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount
Greg Kroah-Hartman (1):
Linux 6.12.9
Hardevsinh Palaniya (1):
ARC: bpf: Correct conditional check in 'check_jmp_32'
Henry Huang (1):
sched_ext: initialize kit->cursor.flags
Hobin Woo (1):
ksmbd: retry iterate_dir in smb2_query_dir
Ilya Shchipletsov (1):
netrom: check buffer length before accessing it
Issam Hamdi (1):
wifi: mac80211: fix mbss changed flags corruption on 32 bit systems
Jakub Kicinski (1):
netdev-genl: avoid empty messages in napi get
Jens Axboe (2):
io_uring/net: always initialize kmsg->msg.msg_inq upfront
io_uring/kbuf: use pre-committed buffer address for non-pollable file
Jianbo Liu (2):
net/mlx5e: Skip restore TC rules for vport rep without loaded flag
net/mlx5e: Keep netdev when leave switchdev for devlink set legacy only
Jinjian Song (1):
net: wwan: t7xx: Fix FSM command timeout issue
Joe Hattori (4):
platform/x86: mlx-platform: call pci_dev_put() to balance the refcount
pmdomain: imx: gpcv2: fix an OF node reference leak in imx_gpcv2_probe()
net: stmmac: restructure the error path of stmmac_probe_config_dt()
net: mv643xx_eth: fix an OF node reference leak
Johannes Thumshirn (1):
btrfs: handle bio_split() errors
John Harrison (1):
drm/xe: Revert some changes that break a mesa debug tool
Joshua Washington (6):
gve: process XSK TX descriptors as part of RX NAPI
gve: clean XDP queues in gve_tx_stop_ring_gqi
gve: guard XSK operations on the existence of queues
gve: fix XDP allocation path in edge cases
gve: guard XDP xmit NDO on existence of xdp queues
gve: trigger RX NAPI instead of TX NAPI in gve_xsk_wakeup
Kalesh AP (4):
RDMA/bnxt_re: Fix the check for 9060 condition
RDMA/bnxt_re: Fix reporting hw_ver in query_device
RDMA/bnxt_re: Disable use of reserved wqes
RDMA/bnxt_re: Fix error recovery sequence
Kan Liang (1):
perf/x86/intel: Add Arrow Lake U support
Kashyap Desai (2):
RDMA/bnxt_re: Fix max SGEs for the Work Request
RDMA/bnxt_re: Avoid sending the modify QP workaround for latest adapters
Kees Cook (1):
wifi: iwlwifi: mvm: Fix __counted_by usage in cfg80211_wowlan_nd_*
Kohei Enju (1):
ftrace: Fix function profiler's filtering functionality
Kory Maincent (1):
net: pse-pd: tps23881: Fix power on/off issue
Kuan-Wei Chiu (1):
scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity
Leo Stone (1):
nvmet: Don't overflow subsysnqn
Leon Romanovsky (2):
RDMA/bnxt_re: Remove always true dattr validity check
ARC: build: Try to guess GCC variant of cross compiler
Li Zhijian (1):
RDMA/rtrs: Ensure 'ib_sge list' is accessible
Liang Jie (1):
net: sfc: Correct key_len for efx_tc_ct_zone_ht_params
Liu Shixin (1):
mm: hugetlb: independent PMD page table shared count
Lorenzo Stoakes (1):
mm: reinstate ability to map write-sealed memfd mappings read-only
Lucas De Marchi (1):
drm/xe: Fix fault on fd close after unbind
Lucas Stach (1):
pmdomain: core: add dummy release function to genpd device
Luiz Augusto von Dentz (1):
Bluetooth: hci_core: Fix sleeping function called from invalid context
MD Danish Anwar (1):
net: ti: icssg-prueth: Fix firmware load sequence.
Maciej S. Szmigiero (1):
net: wwan: iosm: Properly check for valid exec stage in ipc_mmio_init()
Maksim Kiselev (1):
clk: thead: Fix TH1520 emmc and shdci clock rate
Mark Zhang (1):
RDMA/mlx5: Enable multiplane mode only when it is supported
Masahiro Yamada (1):
modpost: fix the missed iteration for the max bit in do_input()
Meghana Malladi (1):
net: ti: icssg-prueth: Fix clearing of IEP_CMP_CFG registers during iep_init
Michal Wajdeczko (1):
drm/xe/pf: Use correct function to check LMEM provisioning
Mingcong Bai (1):
platform/x86: hp-wmi: mark 8A15 board for timed OMEN thermal profile
Mostafa Saleh (1):
scripts/mksysmap: Fix escape chars '$'
Namjae Jeon (1):
ksmbd: set ATTR_CTIME flags when setting mtime
Nikolaus Voss (1):
clk: clk-imx8mp-audiomix: fix function signature
Nikolay Kuratov (1):
net/sctp: Prevent autoclose integer overflow in sctp_association_init()
Niravkumar L Rabara (1):
spi: spi-cadence-qspi: Disable STIG mode for Altera SoCFPGA.
Nirmoy Das (2):
drm/xe: Use non-interruptible wait when moving BO to system
drm/xe: Wait for migration job before unmapping pages
Pablo Neira Ayuso (1):
netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext
Paolo Abeni (3):
mptcp: fix TCP options overflow.
mptcp: fix recvbuffer adjust on sleeping rcvmsg
mptcp: don't always assume copied data in mptcp_cleanup_rbuf()
Pascal Hambourg (1):
sky2: Add device ID 11ab:4373 for Marvell 88E8075
Patrisious Haddad (1):
RDMA/mlx5: Enforce same type port association for multiport RoCE
Paul E. McKenney (1):
ARC: build: Use __force to suppress per-CPU cmpxchg warnings
Pavel Begunkov (1):
io_uring/rw: fix downgraded mshot read
Prike Liang (1):
drm/amdkfd: Correct the migration DMA map direction
Robert Beckett (1):
nvme-pci: 512 byte aligned dma pool segment quirk
Rodrigo Vivi (1):
drm/i915/dg1: Fix power gate sequence.
Saravanan Vajravel (1):
RDMA/bnxt_re: Add check for path mtu in modify_qp
Seiji Nishikawa (1):
mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim()
Selvin Xavier (3):
RDMA/bnxt_re: Avoid initializing the software queue for user queues
RDMA/bnxt_re: Fix max_qp_wrs reported
RDMA/bnxt_re: Fix the locking while accessing the QP table
SeongJae Park (2):
mm/damon/core: fix ignored quota goals and filters of newly committed schemes
mm/damon/core: fix new damon_target objects leaks on damon_commit_targets()
Shahar Shitrit (1):
net/mlx5: DR, select MSIX vector 0 for completion queue creation
Siddharth Vadapalli (1):
net: ethernet: ti: am65-cpsw: default to round-robin for host port receive
Simon Trimmer (1):
ALSA: hda: cs35l56: Remove calls to cs35l56_force_sync_asp1_registers_from_cache()
Stefan Ekenberg (1):
drm/bridge: adv7511_audio: Update Audio InfoFrame properly
Stephen Gordon (1):
ASoC: audio-graph-card: Call of_node_put() on correct node
Steven Rostedt (1):
tracing: Have process_string() also allow arrays
Su Hui (1):
workqueue: add printf attribute to __alloc_workqueue()
Suraj Kandpal (1):
drm/i915/cx0_phy: Fix C10 pll programming sequence
Takashi Iwai (4):
ALSA: hda/ca0132: Use standard HD-audio quirk matching helpers
Revert "ALSA: ump: Don't enumeration invalid groups for legacy rawmidi"
ALSA: seq: Check UMP support for midi_version change
ALSA: seq: oss: Fix races at processing SysEx messages
Tanya Agarwal (1):
ALSA: usb-audio: US16x08: Initialize array before use
Tejun Heo (1):
sched_ext: Fix invalid irq restore in scx_ops_bypass()
Thiébaud Weksteen (1):
selinux: ignore unknown extended permissions
Thomas Weißschuh (1):
kbuild: pacman-pkg: provide versioned linux-api-headers package
Tristram Ha (2):
net: dsa: microchip: Fix KSZ9477 set_ageing_time function
net: dsa: microchip: Fix LAN937X set_ageing_time function
Tvrtko Ursulin (1):
workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work from !WQ_MEM_RECLAIM worker
Uros Bizjak (1):
irqchip/gic: Correct declaration of *percpu_base pointer in union gic_base
Vasiliy Kovalev (2):
ALSA: hda/realtek - Add support for ASUS Zen AIO 27 Z272SD_A272SD audio
ALSA: hda/realtek: Add new alc2xx-fixup-headset-mic model
Victor Zhao (1):
drm/amdgpu: use sjt mec fw on gfx943 for sriov
Vineet Gupta (1):
ARC: build: disallow invalid PAE40 + 4K page config
Vishnu Sankar (1):
platform/x86: thinkpad-acpi: Add support for hotkey 0x1401
Vitalii Mordan (1):
eth: bcmsysport: fix call balance of priv->clk handling routines
Vladimir Oltean (1):
selftests: net: local_termination: require mausezahn
Wang Liang (1):
net: fix memory leak in tcp_conn_request()
Wei Fang (1):
net: phy: micrel: Dynamically control external clock of KSZ PHY
Willem de Bruijn (1):
net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets
Xiao Liang (1):
net: Fix netns for ip_tunnel_init_flow()
Yafang Shao (1):
mm/readahead: fix large folio support in async readahead
Yang Erkun (1):
maple_tree: reload mas before the second call for mas_empty_area
Zhu Yanjun (1):
RDMA/rxe: Remove the direct link to net_device
Zilin Guan (1):
fgraph: Add READ_ONCE() when accessing fgraph_array[]
guanjing (1):
sched_ext: fix application of sizeof to pointer
wenglianfa (1):
RDMA/hns: Fix mapping error of zero-hop WQE buffer
3 months, 3 weeks
- 1
- 1
Linux 6.1.124
by Greg Kroah-Hartman
I'm announcing the release of the 6.1.124 kernel.
All users of the 6.1 kernel series must upgrade.
The updated 6.1.y git tree can be found at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y
and can be browsed at the normal kernel.org git web browser:
https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary
thanks,
greg k-h
------------
Documentation/devicetree/bindings/display/bridge/adi,adv7533.yaml | 2
Makefile | 2
arch/arc/Makefile | 2
arch/x86/kernel/cpu/mshyperv.c | 58 +++
drivers/block/zram/zram_drv.c | 3
drivers/clocksource/hyperv_timer.c | 14
drivers/gpu/drm/amd/amdkfd/kfd_migrate.c | 4
drivers/gpu/drm/bridge/adv7511/adv7511_audio.c | 14
drivers/gpu/drm/bridge/adv7511/adv7533.c | 2
drivers/gpu/drm/i915/gt/intel_rc6.c | 2
drivers/infiniband/core/uverbs_cmd.c | 16 -
drivers/infiniband/hw/bnxt_re/ib_verbs.c | 28 -
drivers/infiniband/hw/bnxt_re/qplib_fp.c | 2
drivers/infiniband/hw/bnxt_re/qplib_sp.c | 2
drivers/infiniband/hw/hns/hns_roce_alloc.c | 3
drivers/infiniband/hw/hns/hns_roce_cq.c | 11
drivers/infiniband/hw/hns/hns_roce_device.h | 12
drivers/infiniband/hw/hns/hns_roce_hem.c | 54 ++-
drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 130 ++++----
drivers/infiniband/hw/hns/hns_roce_mr.c | 95 +++---
drivers/infiniband/hw/hns/hns_roce_qp.c | 4
drivers/infiniband/hw/hns/hns_roce_srq.c | 4
drivers/infiniband/hw/mlx5/main.c | 6
drivers/infiniband/ulp/rtrs/rtrs-srv.c | 2
drivers/irqchip/irq-gic.c | 2
drivers/net/dsa/microchip/ksz9477.c | 47 ++-
drivers/net/dsa/microchip/ksz9477_reg.h | 4
drivers/net/dsa/microchip/ksz_common.h | 5
drivers/net/dsa/microchip/lan937x_main.c | 62 +++-
drivers/net/dsa/microchip/lan937x_reg.h | 9
drivers/net/ethernet/broadcom/bcmsysport.c | 21 +
drivers/net/ethernet/marvell/mv643xx_eth.c | 14
drivers/net/ethernet/marvell/sky2.c | 1
drivers/net/ethernet/mellanox/mlxsw/spectrum_span.c | 3
drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 151 +++++++---
drivers/net/ethernet/stmicro/stmmac/stmmac_platform.h | 2
drivers/net/usb/qmi_wwan.c | 3
drivers/net/wwan/iosm/iosm_ipc_mmio.c | 2
drivers/net/wwan/t7xx/t7xx_state_monitor.c | 26 +
drivers/net/wwan/t7xx/t7xx_state_monitor.h | 5
drivers/pinctrl/pinctrl-mcp23s08.c | 6
drivers/thunderbolt/nhi.c | 12
drivers/thunderbolt/nhi.h | 6
drivers/thunderbolt/retimer.c | 17 -
drivers/usb/host/xhci-ring.c | 42 ++
drivers/usb/host/xhci.c | 21 +
drivers/usb/host/xhci.h | 2
fs/btrfs/ctree.c | 37 +-
fs/btrfs/ctree.h | 7
fs/btrfs/disk-io.c | 9
fs/btrfs/inode.c | 2
fs/smb/server/smb2pdu.c | 12
fs/smb/server/vfs.h | 1
include/clocksource/hyperv_timer.h | 2
include/linux/if_vlan.h | 16 -
include/linux/mlx5/driver.h | 6
include/net/bluetooth/hci_core.h | 108 ++++---
include/net/ip_tunnels.h | 28 -
include/net/netfilter/nf_tables.h | 7
kernel/bpf/core.c | 6
kernel/kcov.c | 2
kernel/trace/trace_events.c | 12
mm/readahead.c | 6
mm/vmscan.c | 9
net/bluetooth/hci_core.c | 10
net/bluetooth/iso.c | 6
net/bluetooth/l2cap_core.c | 12
net/bluetooth/rfcomm/core.c | 6
net/bluetooth/sco.c | 12
net/core/dev.c | 4
net/core/sock.c | 5
net/ipv4/ip_tunnel.c | 60 ++-
net/ipv4/ipip.c | 1
net/ipv4/tcp_input.c | 1
net/ipv6/ila/ila_xlat.c | 16 -
net/ipv6/sit.c | 2
net/llc/llc_input.c | 2
net/mac80211/util.c | 3
net/mctp/route.c | 36 +-
net/mptcp/options.c | 7
net/mptcp/protocol.c | 22 -
net/netrom/nr_route.c | 6
net/packet/af_packet.c | 28 -
net/sctp/associola.c | 3
scripts/mod/file2alias.c | 4
security/selinux/ss/services.c | 8
sound/core/seq/oss/seq_oss_synth.c | 2
sound/pci/hda/patch_realtek.c | 2
sound/usb/format.c | 7
sound/usb/mixer_us16x08.c | 2
sound/usb/quirks.c | 2
91 files changed, 1031 insertions(+), 443 deletions(-)
Adrian Ratiu (2):
sound: usb: enable DSD output for ddHiFi TC44C
sound: usb: format: don't warn that raw DSD is unsupported
Andrew Halaney (1):
net: stmmac: don't create a MDIO bus if unnecessary
Anton Protopopov (1):
bpf: fix potential error return
Antonio Pastor (1):
net: llc: reset skb->transport_header
Arnd Bergmann (1):
kcov: mark in_softirq_really() as __always_inline
Bartosz Golaszewski (1):
net: stmmac: platform: provide devm_stmmac_probe_config_dt()
Biju Das (2):
drm: adv7511: Drop dsi single lane support
dt-bindings: display: adi,adv7533: Drop single lane support
Chengchang Tang (4):
RDMA/hns: Refactor mtr find
RDMA/hns: Remove unused parameters and variables
RDMA/hns: Fix warning storm caused by invalid input in IO path
RDMA/hns: Fix missing flush CQE for DWQE
Christian Ehrig (1):
ipip,ip_tunnel,sit: Add FOU support for externally controlled ipip devices
Dan Carpenter (1):
RDMA/uverbs: Prevent integer overflow issue
Daniel Schaefer (1):
ALSA hda/realtek: Add quirk for Framework F111:000C
Daniele Palmas (1):
net: usb: qmi_wwan: add Telit FE910C04 compositions
Dominique Martinet (1):
zram: check comp is non-NULL before calling comp_destroy
Emmanuel Grumbach (1):
wifi: mac80211: wake the queues in case of failure in resume
Eric Dumazet (5):
ip_tunnel: annotate data-races around t->parms.link
net: restrict SO_REUSEPORT to inet sockets
af_packet: fix vlan_get_tci() vs MSG_PEEK
af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK
ila: serialize calls to nf_register_net_hooks()
Evgenii Shatokhin (1):
pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking
Filipe Manana (3):
btrfs: rename and export __btrfs_cow_block()
btrfs: fix use-after-free when COWing tree bock and tracing is enabled
btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount
Greg Kroah-Hartman (1):
Linux 6.1.124
Hobin Woo (1):
ksmbd: retry iterate_dir in smb2_query_dir
Ido Schimmel (3):
ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_bind_dev()
ipv4: ip_tunnel: Unmask upper DSCP bits in ip_md_tunnel_xmit()
ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_xmit()
Ilya Shchipletsov (1):
netrom: check buffer length before accessing it
Jeremy Kerr (1):
net: mctp: handle skb cleanup on sock_queue failures
Jinjian Song (1):
net: wwan: t7xx: Fix FSM command timeout issue
Joe Hattori (2):
net: stmmac: restructure the error path of stmmac_probe_config_dt()
net: mv643xx_eth: fix an OF node reference leak
Johannes Thumshirn (1):
btrfs: fix use-after-free in btrfs_encoded_read_endio()
Kalesh AP (1):
RDMA/bnxt_re: Fix reporting hw_ver in query_device
Leon Romanovsky (1):
ARC: build: Try to guess GCC variant of cross compiler
Li Zhijian (1):
RDMA/rtrs: Ensure 'ib_sge list' is accessible
Luiz Augusto von Dentz (1):
Bluetooth: hci_core: Fix sleeping function called from invalid context
Maciej S. Szmigiero (1):
net: wwan: iosm: Properly check for valid exec stage in ipc_mmio_init()
Mario Limonciello (1):
thunderbolt: Don't display nvm_version unless upgrade supported
Masahiro Yamada (2):
modpost: fix input MODULE_DEVICE_TABLE() built for 64-bit on 32-bit host
modpost: fix the missed iteration for the max bit in do_input()
Mathias Nyman (1):
xhci: Turn NEC specific quirk for handling Stop Endpoint errors generic
Michal Pecio (3):
xhci: retry Stop Endpoint on buggy NEC controllers
usb: xhci: Limit Stop Endpoint retries
usb: xhci: Avoid queuing redundant Stop Endpoint commands
Mika Westerberg (2):
thunderbolt: Add support for Intel Lunar Lake
thunderbolt: Add support for Intel Panther Lake-M/P
Naman Jain (1):
x86/hyperv: Fix hv tsc page based sched_clock for hibernation
Nikolay Kuratov (1):
net/sctp: Prevent autoclose integer overflow in sctp_association_init()
Oleksij Rempel (1):
net: dsa: microchip: add ksz_rmw8() function
Pablo Neira Ayuso (1):
netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext
Paolo Abeni (3):
mptcp: fix TCP options overflow.
mptcp: fix recvbuffer adjust on sleeping rcvmsg
mptcp: don't always assume copied data in mptcp_cleanup_rbuf()
Pascal Hambourg (1):
sky2: Add device ID 11ab:4373 for Marvell 88E8075
Patrisious Haddad (1):
RDMA/mlx5: Enforce same type port association for multiport RoCE
Prike Liang (1):
drm/amdkfd: Correct the migration DMA map direction
Rodrigo Vivi (1):
drm/i915/dg1: Fix power gate sequence.
Saravanan Vajravel (1):
RDMA/bnxt_re: Add check for path mtu in modify_qp
Seiji Nishikawa (1):
mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim()
Selvin Xavier (2):
RDMA/bnxt_re: Fix max_qp_wrs reported
RDMA/bnxt_re: Fix the locking while accessing the QP table
Stefan Ekenberg (1):
drm/bridge: adv7511_audio: Update Audio InfoFrame properly
Steven Rostedt (1):
tracing: Have process_string() also allow arrays
Takashi Iwai (1):
ALSA: seq: oss: Fix races at processing SysEx messages
Tanya Agarwal (1):
ALSA: usb-audio: US16x08: Initialize array before use
Thiébaud Weksteen (1):
selinux: ignore unknown extended permissions
Tristram Ha (2):
net: dsa: microchip: Fix KSZ9477 set_ageing_time function
net: dsa: microchip: Fix LAN937X set_ageing_time function
Uros Bizjak (1):
irqchip/gic: Correct declaration of *percpu_base pointer in union gic_base
Vasiliy Kovalev (1):
ALSA: hda/realtek: Add new alc2xx-fixup-headset-mic model
Vitalii Mordan (1):
eth: bcmsysport: fix call balance of priv->clk handling routines
Wang Liang (1):
net: fix memory leak in tcp_conn_request()
Willem de Bruijn (1):
net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets
Xiao Liang (1):
net: Fix netns for ip_tunnel_init_flow()
Yafang Shao (1):
mm/readahead: fix large folio support in async readahead
wenglianfa (1):
RDMA/hns: Fix mapping error of zero-hop WQE buffer
3 months, 3 weeks
- 1
- 1
Linux 5.15.176
by Greg Kroah-Hartman
I'm announcing the release of the 5.15.176 kernel.
All users of the 5.15 kernel series must upgrade.
The updated 5.15.y git tree can be found at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.15.y
and can be browsed at the normal kernel.org git web browser:
https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary
thanks,
greg k-h
------------
Documentation/devicetree/bindings/display/bridge/adi,adv7533.yaml | 2
Makefile | 2
arch/arc/Makefile | 2
arch/arm64/mm/context.c | 22 -
arch/mips/Makefile | 2
arch/mips/boot/dts/loongson/loongson64g_4core_ls7a.dts | 1
arch/x86/kernel/cpu/mshyperv.c | 58 ++
arch/x86/kvm/x86.c | 2
drivers/base/regmap/regmap.c | 4
drivers/block/virtio_blk.c | 7
drivers/block/zram/zram_drv.c | 6
drivers/clocksource/hyperv_timer.c | 14
drivers/dma-buf/udmabuf.c | 2
drivers/dma/at_xdmac.c | 2
drivers/dma/dw/acpi.c | 6
drivers/dma/dw/internal.h | 8
drivers/dma/dw/pci.c | 4
drivers/dma/mv_xor.c | 2
drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 7
drivers/gpu/drm/amd/amdkfd/kfd_migrate.c | 4
drivers/gpu/drm/bridge/adv7511/adv7511_audio.c | 14
drivers/gpu/drm/bridge/adv7511/adv7533.c | 2
drivers/gpu/drm/drm_dp_mst_topology.c | 34 +
drivers/gpu/drm/drm_modes.c | 11
drivers/gpu/drm/i915/gt/intel_rc6.c | 2
drivers/hv/hv_kvp.c | 6
drivers/hv/hv_snapshot.c | 6
drivers/hv/hv_util.c | 9
drivers/hv/hyperv_vmbus.h | 2
drivers/hwmon/tmp513.c | 74 +--
drivers/i2c/busses/i2c-pnx.c | 4
drivers/i2c/busses/i2c-riic.c | 2
drivers/infiniband/core/uverbs_cmd.c | 16
drivers/infiniband/hw/bnxt_re/ib_verbs.c | 28 -
drivers/infiniband/hw/bnxt_re/qplib_fp.c | 2
drivers/infiniband/hw/bnxt_re/qplib_sp.c | 2
drivers/infiniband/hw/hns/hns_roce_hem.c | 49 +-
drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 17
drivers/infiniband/hw/hns/hns_roce_mr.c | 5
drivers/infiniband/hw/mlx5/main.c | 6
drivers/infiniband/ulp/rtrs/rtrs-srv.c | 2
drivers/irqchip/irq-gic.c | 2
drivers/media/dvb-frontends/dib3000mb.c | 2
drivers/mmc/host/sdhci-tegra.c | 1
drivers/mtd/nand/raw/arasan-nand-controller.c | 11
drivers/mtd/nand/raw/atmel/pmecc.c | 4
drivers/mtd/nand/raw/diskonchip.c | 2
drivers/net/ethernet/broadcom/bcmsysport.c | 21
drivers/net/ethernet/broadcom/bgmac-platform.c | 5
drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_main.c | 5
drivers/net/ethernet/huawei/hinic/hinic_main.c | 2
drivers/net/ethernet/marvell/mv643xx_eth.c | 14
drivers/net/ethernet/marvell/sky2.c | 1
drivers/net/ethernet/pensando/ionic/ionic_ethtool.c | 4
drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4
drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 151 +++++--
drivers/net/ethernet/stmicro/stmmac/stmmac_platform.h | 2
drivers/net/mdio/fwnode_mdio.c | 13
drivers/net/netdevsim/health.c | 2
drivers/net/usb/qmi_wwan.c | 3
drivers/net/wwan/iosm/iosm_ipc_mmio.c | 2
drivers/of/address.c | 2
drivers/of/base.c | 15
drivers/of/irq.c | 1
drivers/pci/controller/pci-host-common.c | 4
drivers/pci/controller/vmd.c | 8
drivers/pci/pcie/aer.c | 18
drivers/pci/probe.c | 20
drivers/pci/quirks.c | 4
drivers/phy/phy-core.c | 21
drivers/pinctrl/pinctrl-mcp23s08.c | 6
drivers/platform/x86/asus-nb-wmi.c | 1
drivers/power/supply/gpio-charger.c | 8
drivers/scsi/megaraid/megaraid_sas_base.c | 5
drivers/scsi/mpt3sas/mpt3sas_base.c | 7
drivers/scsi/qla1280.h | 12
drivers/scsi/storvsc_drv.c | 7
drivers/sh/clk/core.c | 2
drivers/thunderbolt/icm.c | 5
drivers/thunderbolt/nhi.c | 24 +
drivers/thunderbolt/nhi.h | 13
drivers/usb/cdns3/core.h | 1
drivers/usb/cdns3/drd.c | 10
drivers/usb/cdns3/drd.h | 3
drivers/usb/dwc2/gadget.c | 4
drivers/usb/host/xhci-ring.c | 42 +
drivers/usb/host/xhci.c | 21
drivers/usb/host/xhci.h | 2
drivers/usb/serial/option.c | 27 +
drivers/watchdog/it87_wdt.c | 39 +
fs/btrfs/ctree.c | 37 -
fs/btrfs/ctree.h | 7
fs/btrfs/disk-io.c | 9
fs/btrfs/inode.c | 2
fs/btrfs/sysfs.c | 93 ++--
fs/btrfs/tree-checker.c | 27 +
fs/ceph/super.c | 2
fs/efivarfs/inode.c | 2
fs/efivarfs/internal.h | 1
fs/efivarfs/super.c | 3
fs/erofs/inode.c | 20
fs/eventpoll.c | 5
fs/ksmbd/auth.c | 2
fs/ksmbd/mgmt/user_session.c | 6
fs/ksmbd/server.c | 4
fs/ksmbd/smb2pdu.c | 33 -
fs/nfs/pnfs.c | 2
fs/nfsd/nfs4callback.c | 4
fs/nfsd/nfs4state.c | 2
fs/nilfs2/inode.c | 8
fs/nilfs2/namei.c | 5
include/clocksource/hyperv_timer.h | 2
include/linux/hyperv.h | 1
include/linux/if_vlan.h | 16
include/linux/mlx5/driver.h | 6
include/linux/skmsg.h | 11
include/linux/trace_events.h | 2
include/linux/vmstat.h | 2
include/linux/wait.h | 1
include/net/netfilter/nf_tables.h | 7
include/net/sock.h | 10
kernel/bpf/core.c | 6
kernel/bpf/syscall.c | 13
kernel/kcov.c | 2
kernel/trace/trace.c | 3
kernel/trace/trace_events.c | 211 ++++++++--
kernel/trace/trace_kprobe.c | 2
lib/test_stackinit.c | 1
mm/vmalloc.c | 3
mm/vmscan.c | 9
net/core/filter.c | 21
net/core/skmsg.c | 6
net/core/sock.c | 5
net/dsa/dsa2.c | 7
net/ipv4/tcp_bpf.c | 6
net/ipv4/tcp_input.c | 1
net/ipv6/ila/ila_xlat.c | 16
net/llc/llc_input.c | 2
net/mac80211/util.c | 3
net/netfilter/ipset/ip_set_list_set.c | 3
net/netrom/nr_route.c | 6
net/packet/af_packet.c | 28 -
net/sched/sch_cake.c | 2
net/sched/sch_choke.c | 2
net/sctp/associola.c | 3
net/smc/af_smc.c | 13
net/smc/smc_clc.c | 9
net/smc/smc_clc.h | 14
scripts/mod/file2alias.c | 4
security/selinux/ss/services.c | 8
sound/pci/hda/patch_conexant.c | 28 +
sound/soc/intel/boards/sof_sdw.c | 9
sound/usb/format.c | 7
sound/usb/mixer.c | 7
sound/usb/mixer_us16x08.c | 2
sound/usb/quirks.c | 2
156 files changed, 1353 insertions(+), 476 deletions(-)
Adrian Ratiu (2):
sound: usb: enable DSD output for ddHiFi TC44C
sound: usb: format: don't warn that raw DSD is unsupported
Ajit Khaparde (1):
PCI: Add ACS quirk for Broadcom BCM5760X NIC
Anand Jain (1):
btrfs: sysfs: convert scnprintf and snprintf to sysfs_emit
Andrew Halaney (1):
net: stmmac: don't create a MDIO bus if unnecessary
Andy Shevchenko (4):
hwmon: (tmp513) Don't use "proxy" headers
hwmon: (tmp513) Simplify with dev_err_probe()
hwmon: (tmp513) Use SI constants from units.h
dmaengine: dw: Select only supported masters for ACPI devices
Anton Protopopov (1):
bpf: fix potential error return
Antonio Pastor (1):
net: llc: reset skb->transport_header
Armin Wolf (1):
platform/x86: asus-nb-wmi: Ignore unknown event 0xCF
Arnd Bergmann (1):
kcov: mark in_softirq_really() as __always_inline
Bart Van Assche (1):
mm/vmstat: fix a W=1 clang compiler warning
Bartosz Golaszewski (1):
net: stmmac: platform: provide devm_stmmac_probe_config_dt()
Biju Das (2):
drm: adv7511: Drop dsi single lane support
dt-bindings: display: adi,adv7533: Drop single lane support
Brett Creeley (1):
ionic: Fix netdev notifier unregister on failure
Catalin Marinas (1):
arm64: Ensure bits ASID[15:8] are masked out when the kernel uses 8-bit ASIDs
Cathy Avery (1):
scsi: storvsc: Do not flag MAINTENANCE_IN return of SRB_STATUS_DATA_OVERRUN as an error
Chen Ridong (1):
dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset
Chengchang Tang (2):
RDMA/hns: Fix warning storm caused by invalid input in IO path
RDMA/hns: Fix missing flush CQE for DWQE
Christian Göttsche (1):
tracing: Constify string literal data member in struct trace_event_call
Cong Wang (2):
tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress()
bpf: Check negative offsets in __bpf_skb_min_len()
Dan Carpenter (4):
net: hinic: Fix cleanup in create_rxqs/txqs()
chelsio/chtls: prevent potential integer overflow on 32bit
mtd: rawnand: fix double free in atmel_pmecc_create_user()
RDMA/uverbs: Prevent integer overflow issue
Daniel Swanemar (1):
USB: serial: option: add TCL IK512 MBIM & ECM
Daniele Palmas (2):
USB: serial: option: add Telit FE910C04 rmnet compositions
net: usb: qmi_wwan: add Telit FE910C04 compositions
Dimitri Fedrau (1):
power: supply: gpio-charger: Fix set charge current limits
Edward Adam Davis (1):
nilfs2: prevent use of deleted inode
Emmanuel Grumbach (1):
wifi: mac80211: wake the queues in case of failure in resume
Eric Dumazet (5):
netdevsim: prevent bad user input in nsim_dev_health_break_write()
net: restrict SO_REUSEPORT to inet sockets
af_packet: fix vlan_get_tci() vs MSG_PEEK
af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK
ila: serialize calls to nf_register_net_hooks()
Evgenii Shatokhin (1):
pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking
Filipe Manana (4):
btrfs: avoid monopolizing a core when activating a swap file
btrfs: rename and export __btrfs_cow_block()
btrfs: fix use-after-free when COWing tree bock and tracing is enabled
btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount
Gao Xiang (1):
erofs: fix incorrect symlink detection in fast symlink
Geert Uytterhoeven (2):
i2c: riic: Always round-up when calculating bus period
sh: clk: Fix clk_enable() to return 0 on NULL clk
George D Sworo (1):
thunderbolt: Add support for Intel Raptor Lake
Greg Kroah-Hartman (1):
Linux 5.15.176
Guangguan Wang (4):
net/smc: check sndbuf_space again after NOSPACE flag is set in smc_poll
net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg
net/smc: check smcd_v2_ext_offset when receiving proposal msg
net/smc: check return value of sock_recvmsg when draining clc data
Herve Codina (1):
of: Fix error path in of_parse_phandle_with_args_map()
Hou Tao (1):
bpf: Check validity of link->type in bpf_link_show_fdinfo()
Ilya Dryomov (1):
ceph: validate snapdirname option length when mounting
Ilya Shchipletsov (1):
netrom: check buffer length before accessing it
Imre Deak (2):
drm/dp_mst: Fix MST sideband message body length check
drm/dp_mst: Verify request type in the corresponding down message reply
Jack Wu (1):
USB: serial: option: add MediaTek T7XX compositions
James Bottomley (1):
efivarfs: Fix error on non-existent file
James Hilliard (1):
watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04
Jann Horn (1):
udmabuf: also check for F_SEAL_FUTURE_WRITE
Javier Carrasco (1):
dmaengine: mv_xor: fix child node refcount handling in early exit
Jiaxun Yang (2):
MIPS: Loongson64: DTS: Fix msi node for ls7a
MIPS: Probe toolchain support of -msym32
Jiwei Sun (1):
PCI: vmd: Create domain symlink before pci_bus_add_devices()
Joe Hattori (4):
net: ethernet: bgmac-platform: fix an OF node reference leak
net: mdiobus: fix an OF node reference leak
net: stmmac: restructure the error path of stmmac_probe_config_dt()
net: mv643xx_eth: fix an OF node reference leak
Jordy Zomer (2):
ksmbd: fix Out-of-Bounds Read in ksmbd_vfs_stream_read
ksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write
Kai-Heng Feng (1):
PCI/AER: Disable AER service on suspend
Kairui Song (1):
zram: refuse to use zero sized block device as backing device
Kalesh AP (1):
RDMA/bnxt_re: Fix reporting hw_ver in query_device
Kees Cook (1):
lib: stackinit: hide never-taken branch from compiler
Leon Romanovsky (1):
ARC: build: Try to guess GCC variant of cross compiler
Li Zhijian (1):
RDMA/rtrs: Ensure 'ib_sge list' is accessible
Lion Ackermann (1):
net: sched: fix ordering of qlen adjustment
Lizhi Xu (1):
tracing: Prevent bad count for tracing_cpumask_write
Maciej Andrzejewski (2):
mtd: rawnand: arasan: Fix double assertion of chip-select
mtd: rawnand: arasan: Fix missing de-registration of NAND
Maciej S. Szmigiero (1):
net: wwan: iosm: Properly check for valid exec stage in ipc_mmio_init()
Magnus Lindholm (1):
scsi: qla1280: Fix hw revision numbering for ISP1020/1040
Mank Wang (1):
USB: serial: option: add Netprisma LCUK54 modules for WWAN Ready
Mark Brown (1):
regmap: Use correct format specifier for logging range errors
Masahiro Yamada (2):
modpost: fix input MODULE_DEVICE_TABLE() built for 64-bit on 32-bit host
modpost: fix the missed iteration for the max bit in do_input()
Masami Hiramatsu (Google) (1):
tracing/kprobe: Make trace_kprobe's module callback called after jump_label update
Mathias Nyman (1):
xhci: Turn NEC specific quirk for handling Stop Endpoint errors generic
Matthew Wilcox (Oracle) (1):
vmalloc: fix accounting with i915
Michael Kelley (1):
Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet
Michal Hrusecky (1):
USB: serial: option: add MeiG Smart SLM770A
Michal Pecio (3):
xhci: retry Stop Endpoint on buggy NEC controllers
usb: xhci: Limit Stop Endpoint retries
usb: xhci: Avoid queuing redundant Stop Endpoint commands
Michel Dänzer (1):
drm/amdgpu: Handle NULL bo->tbo.resource (again) in amdgpu_vm_bo_update
Mika Westerberg (4):
thunderbolt: Add support for Intel Meteor Lake
thunderbolt: Add Intel Barlow Ridge PCI ID
thunderbolt: Add support for Intel Lunar Lake
thunderbolt: Add support for Intel Panther Lake-M/P
Ming Lei (1):
virtio-blk: don't keep queue frozen during system suspend
Murad Masimov (3):
hwmon: (tmp513) Fix interpretation of values of Shunt Voltage and Limit Registers
hwmon: (tmp513) Fix Current Register value interpretation
hwmon: (tmp513) Fix interpretation of values of Temperature Result and Limit Registers
Naman Jain (1):
x86/hyperv: Fix hv tsc page based sched_clock for hibernation
Namjae Jeon (1):
ksmbd: fix racy issue from session lookup and expire
NeilBrown (1):
nfsd: restore callback functionality for NFSv4.0
Nikita Zhandarovich (1):
media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg
Nikolay Kuratov (1):
net/sctp: Prevent autoclose integer overflow in sctp_association_init()
Pablo Neira Ayuso (1):
netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext
Pascal Hambourg (1):
sky2: Add device ID 11ab:4373 for Marvell 88E8075
Patrisious Haddad (1):
RDMA/mlx5: Enforce same type port association for multiport RoCE
Peng Hongchi (1):
usb: dwc2: gadget: Don't write invalid mapped sg entries into dma_desc with iommu enabled
Phil Sutter (1):
netfilter: ipset: Fix for recursive locking warning
Pierre-Louis Bossart (1):
ASoC: Intel: sof_sdw: fix jack detection on ADL-N variant RVP
Prathamesh Shete (1):
mmc: sdhci-tegra: Remove SDHCI_QUIRK_BROKEN_ADMA_ZEROLEN_DESC quirk
Prike Liang (1):
drm/amdkfd: Correct the migration DMA map direction
Qu Wenruo (2):
btrfs: tree-checker: reject inline extent items with 0 ref count
btrfs: sysfs: fix direct super block member reads
Ranjan Kumar (1):
scsi: mpt3sas: Diag-Reset when Doorbell-In-Use bit is set during driver load time
Rodrigo Vivi (1):
drm/i915/dg1: Fix power gate sequence.
Roger Quadros (1):
usb: cdns3: Add quirk flag to enable suspend residency
Saravanan Vajravel (1):
RDMA/bnxt_re: Add check for path mtu in modify_qp
Sean Christopherson (1):
KVM: x86: Play nice with protected guests in complete_hypercall_exit()
Seiji Nishikawa (1):
mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim()
Selvin Xavier (2):
RDMA/bnxt_re: Fix max_qp_wrs reported
RDMA/bnxt_re: Fix the locking while accessing the QP table
Shannon Nelson (1):
ionic: use ee->offset when returning sprom data
Stefan Ekenberg (1):
drm/bridge: adv7511_audio: Update Audio InfoFrame properly
Steven Rostedt (4):
tracing: Fix test_event_printk() to process entire print argument
tracing: Add missing helper functions in event pointer dereference check
tracing: Add "%s" check in test_event_printk()
tracing: Have process_string() also allow arrays
Takashi Iwai (1):
ALSA: usb: Fix UBSAN warning in parse_audio_unit()
Tanya Agarwal (1):
ALSA: usb-audio: US16x08: Initialize array before use
Thiébaud Weksteen (1):
selinux: ignore unknown extended permissions
Tomas Henzl (1):
scsi: megaraid_sas: Fix for a potential deadlock
Trond Myklebust (1):
NFS/pnfs: Fix a live lock between recalled layouts and layoutget
Uros Bizjak (1):
irqchip/gic: Correct declaration of *percpu_base pointer in union gic_base
Vidya Sagar (1):
PCI: Use preserve_config in place of pci_flags
Ville Syrjälä (1):
drm/modes: Avoid divide by zero harder in drm_mode_vrefresh()
Vitalii Mordan (1):
eth: bcmsysport: fix call balance of priv->clk handling routines
Vladimir Oltean (1):
net: dsa: improve shutdown sequence
Vladimir Riabchun (1):
i2c: pnx: Fix timeout in wait functions
Wang Liang (1):
net: fix memory leak in tcp_conn_request()
Xuewen Yan (1):
epoll: Add synchronous wakeup support for ep_poll_callback
Yang Erkun (1):
nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net
Yixing Liu (1):
RDMA/hns: Remove redundant 'attr_mask' in modify_qp_init_to_init()
Yunfeng Ye (1):
arm64: mm: Rename asid2idx() to ctxid2asid()
Yunsheng Lin (1):
RDMA/hns: Remove redundant 'bt_level' for hem_list_alloc_item()
Zichen Xie (1):
mtd: diskonchip: Cast an operand to prevent potential overflow
Zijian Zhang (1):
tcp_bpf: Add sk_rmem_alloc related logic for tcp_bpf ingress redirection
Zijun Hu (7):
of/irq: Fix using uninitialized variable @addr_len in API of_irq_parse_one()
of: Fix refcount leakage for OF node returned by __of_get_dma_parent()
phy: core: Fix an OF node refcount leakage in _of_phy_get()
phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup()
phy: core: Fix that API devm_phy_put() fails to release the phy
phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider
phy: core: Fix that API devm_phy_destroy() fails to destroy the phy
bo liu (1):
ALSA: hda/conexant: fix Z60MR100 startup pop issue
wenglianfa (1):
RDMA/hns: Fix mapping error of zero-hop WQE buffer
3 months, 3 weeks
- 1
- 1
Linux 5.10.233
by Greg Kroah-Hartman
I'm announcing the release of the 5.10.233 kernel.
All users of the 5.10 kernel series must upgrade.
The updated 5.10.y git tree can be found at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.10.y
and can be browsed at the normal kernel.org git web browser:
https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary
thanks,
greg k-h
------------
Makefile | 2
arch/arc/Makefile | 2
arch/arm64/mm/context.c | 22
arch/mips/Makefile | 2
arch/mips/boot/dts/loongson/loongson64g_4core_ls7a.dts | 1
arch/x86/kernel/cpu/mshyperv.c | 58 +
drivers/base/regmap/regmap.c | 4
drivers/block/virtio_blk.c | 7
drivers/block/zram/zram_drv.c | 6
drivers/clocksource/hyperv_timer.c | 14
drivers/dma-buf/udmabuf.c | 2
drivers/dma/at_xdmac.c | 2
drivers/dma/dw/acpi.c | 6
drivers/dma/dw/internal.h | 6
drivers/dma/dw/pci.c | 4
drivers/dma/mv_xor.c | 2
drivers/gpu/drm/bridge/adv7511/adv7511_audio.c | 14
drivers/gpu/drm/bridge/adv7511/adv7533.c | 2
drivers/gpu/drm/drm_dp_mst_topology.c | 3
drivers/hv/hv_kvp.c | 6
drivers/hv/hv_snapshot.c | 6
drivers/hv/hv_util.c | 9
drivers/hv/hyperv_vmbus.h | 2
drivers/hwmon/tmp513.c | 2
drivers/i2c/busses/i2c-pnx.c | 4
drivers/i2c/busses/i2c-riic.c | 2
drivers/infiniband/core/uverbs_cmd.c | 16
drivers/infiniband/hw/bnxt_re/ib_verbs.c | 28
drivers/infiniband/hw/bnxt_re/qplib_fp.c | 2
drivers/infiniband/hw/bnxt_re/qplib_sp.c | 2
drivers/infiniband/hw/mlx5/main.c | 6
drivers/infiniband/ulp/rtrs/rtrs-srv.c | 2
drivers/irqchip/irq-gic.c | 2
drivers/media/dvb-frontends/dib3000mb.c | 2
drivers/mmc/host/sdhci-tegra.c | 1
drivers/mtd/nand/raw/atmel/pmecc.c | 4
drivers/mtd/nand/raw/diskonchip.c | 2
drivers/net/ethernet/broadcom/bcmsysport.c | 21
drivers/net/ethernet/broadcom/bgmac-platform.c | 5
drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_main.c | 5
drivers/net/ethernet/huawei/hinic/hinic_main.c | 2
drivers/net/ethernet/marvell/sky2.c | 1
drivers/net/ethernet/pensando/ionic/ionic_ethtool.c | 4
drivers/net/netdevsim/health.c | 13
drivers/net/usb/qmi_wwan.c | 3
drivers/of/address.c | 2
drivers/of/base.c | 15
drivers/of/irq.c | 1
drivers/pci/controller/pci-host-common.c | 4
drivers/pci/pcie/aer.c | 18
drivers/pci/probe.c | 20
drivers/pci/quirks.c | 4
drivers/phy/phy-core.c | 21
drivers/pinctrl/pinctrl-mcp23s08.c | 6
drivers/platform/x86/asus-nb-wmi.c | 1
drivers/power/supply/gpio-charger.c | 8
drivers/scsi/megaraid/megaraid_sas_base.c | 5
drivers/scsi/mpt3sas/mpt3sas_base.c | 7
drivers/scsi/qla1280.h | 12
drivers/scsi/storvsc_drv.c | 7
drivers/sh/clk/core.c | 2
drivers/thunderbolt/icm.c | 7
drivers/thunderbolt/nhi.c | 28
drivers/thunderbolt/nhi.h | 15
drivers/usb/cdns3/core.h | 1
drivers/usb/cdns3/drd.c | 10
drivers/usb/cdns3/drd.h | 3
drivers/usb/dwc2/gadget.c | 4
drivers/usb/serial/option.c | 27
drivers/watchdog/it87_wdt.c | 39
fs/btrfs/backref.c | 10
fs/btrfs/ctree.c | 128 --
fs/btrfs/ctree.h | 7
fs/btrfs/delayed-inode.c | 7
fs/btrfs/disk-io.c | 17
fs/btrfs/extent-tree.c | 19
fs/btrfs/extent_io.c | 13
fs/btrfs/extent_io.h | 21
fs/btrfs/file.c | 3
fs/btrfs/inode.c | 3
fs/btrfs/locking.c | 447 ----------
fs/btrfs/locking.h | 13
fs/btrfs/print-tree.c | 11
fs/btrfs/qgroup.c | 9
fs/btrfs/ref-verify.c | 6
fs/btrfs/relocation.c | 4
fs/btrfs/transaction.c | 2
fs/btrfs/tree-checker.c | 27
fs/btrfs/tree-defrag.c | 1
fs/btrfs/tree-log.c | 3
fs/ceph/super.c | 2
fs/efivarfs/inode.c | 2
fs/efivarfs/internal.h | 1
fs/efivarfs/super.c | 3
fs/erofs/inode.c | 20
fs/eventpoll.c | 5
fs/nfs/pnfs.c | 2
fs/nfsd/nfs4callback.c | 4
fs/nfsd/nfs4state.c | 2
fs/nilfs2/inode.c | 8
fs/nilfs2/namei.c | 5
include/clocksource/hyperv_timer.h | 2
include/linux/hyperv.h | 1
include/linux/if_vlan.h | 16
include/linux/mlx5/driver.h | 8
include/linux/skbuff.h | 1
include/linux/trace_events.h | 2
include/linux/vmstat.h | 2
include/linux/wait.h | 1
include/net/netfilter/nf_tables.h | 7
include/net/sock.h | 10
kernel/bpf/core.c | 6
kernel/bpf/syscall.c | 13
kernel/irq/proc.c | 4
kernel/profile.c | 2
kernel/trace/trace.c | 5
kernel/trace/trace_kprobe.c | 2
mm/vmscan.c | 9
net/core/filter.c | 21
net/core/skbuff.c | 52 +
net/core/skmsg.c | 4
net/ipv4/tcp_bpf.c | 2
net/ipv6/ila/ila_xlat.c | 16
net/ipv6/ip6_output.c | 86 -
net/llc/llc_input.c | 2
net/mac80211/util.c | 3
net/netfilter/ipset/ip_set_list_set.c | 3
net/netrom/nr_route.c | 6
net/packet/af_packet.c | 28
net/sched/sch_cake.c | 2
net/sched/sch_choke.c | 2
net/sctp/associola.c | 3
net/smc/af_smc.c | 13
net/smc/smc_clc.c | 9
net/smc/smc_clc.h | 6
scripts/mod/file2alias.c | 4
security/selinux/ss/services.c | 8
sound/pci/hda/patch_conexant.c | 28
sound/usb/format.c | 7
sound/usb/mixer.c | 7
sound/usb/mixer_us16x08.c | 2
141 files changed, 901 insertions(+), 887 deletions(-)
Adrian Ratiu (1):
sound: usb: format: don't warn that raw DSD is unsupported
Ajit Khaparde (1):
PCI: Add ACS quirk for Broadcom BCM5760X NIC
Andy Shevchenko (1):
dmaengine: dw: Select only supported masters for ACPI devices
Anton Protopopov (1):
bpf: fix potential error return
Antonio Pastor (1):
net: llc: reset skb->transport_header
Armin Wolf (1):
platform/x86: asus-nb-wmi: Ignore unknown event 0xCF
Azhar Shaikh (1):
thunderbolt: Add support for Intel Alder Lake
Bart Van Assche (1):
mm/vmstat: fix a W=1 clang compiler warning
Biju Das (1):
drm: adv7511: Drop dsi single lane support
Catalin Marinas (1):
arm64: Ensure bits ASID[15:8] are masked out when the kernel uses 8-bit ASIDs
Cathy Avery (1):
scsi: storvsc: Do not flag MAINTENANCE_IN return of SRB_STATUS_DATA_OVERRUN as an error
Chen Ridong (1):
dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset
Christian Göttsche (1):
tracing: Constify string literal data member in struct trace_event_call
Cong Wang (2):
tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress()
bpf: Check negative offsets in __bpf_skb_min_len()
Dan Carpenter (4):
net: hinic: Fix cleanup in create_rxqs/txqs()
chelsio/chtls: prevent potential integer overflow on 32bit
mtd: rawnand: fix double free in atmel_pmecc_create_user()
RDMA/uverbs: Prevent integer overflow issue
Daniel Swanemar (1):
USB: serial: option: add TCL IK512 MBIM & ECM
Daniele Palmas (2):
USB: serial: option: add Telit FE910C04 rmnet compositions
net: usb: qmi_wwan: add Telit FE910C04 compositions
Dimitri Fedrau (1):
power: supply: gpio-charger: Fix set charge current limits
Edward Adam Davis (1):
nilfs2: prevent use of deleted inode
Emmanuel Grumbach (1):
wifi: mac80211: wake the queues in case of failure in resume
Eric Dumazet (6):
netdevsim: prevent bad user input in nsim_dev_health_break_write()
ipv6: fix possible UAF in ip6_finish_output2()
ipv6: prevent possible UAF in ip6_xmit()
af_packet: fix vlan_get_tci() vs MSG_PEEK
af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK
ila: serialize calls to nf_register_net_hooks()
Evgenii Shatokhin (1):
pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking
Filipe Manana (4):
btrfs: avoid monopolizing a core when activating a swap file
btrfs: rename and export __btrfs_cow_block()
btrfs: fix use-after-free when COWing tree bock and tracing is enabled
btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount
Gao Xiang (2):
erofs: fix order >= MAX_ORDER warning due to crafted negative i_size
erofs: fix incorrect symlink detection in fast symlink
Geert Uytterhoeven (2):
i2c: riic: Always round-up when calculating bus period
sh: clk: Fix clk_enable() to return 0 on NULL clk
George D Sworo (1):
thunderbolt: Add support for Intel Raptor Lake
Greg Kroah-Hartman (1):
Linux 5.10.233
Guangguan Wang (3):
net/smc: check sndbuf_space again after NOSPACE flag is set in smc_poll
net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg
net/smc: check return value of sock_recvmsg when draining clc data
Herve Codina (1):
of: Fix error path in of_parse_phandle_with_args_map()
Hou Tao (1):
bpf: Check validity of link->type in bpf_link_show_fdinfo()
Ilya Dryomov (1):
ceph: validate snapdirname option length when mounting
Ilya Shchipletsov (1):
netrom: check buffer length before accessing it
Imre Deak (1):
drm/dp_mst: Fix MST sideband message body length check
Jack Wu (1):
USB: serial: option: add MediaTek T7XX compositions
James Bottomley (1):
efivarfs: Fix error on non-existent file
James Hilliard (1):
watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04
Jann Horn (1):
udmabuf: also check for F_SEAL_FUTURE_WRITE
Javier Carrasco (1):
dmaengine: mv_xor: fix child node refcount handling in early exit
Jiaxun Yang (2):
MIPS: Loongson64: DTS: Fix msi node for ls7a
MIPS: Probe toolchain support of -msym32
Jiayuan Chen (1):
bpf: fix recursive lock when verdict program return SK_PASS
Joe Hattori (1):
net: ethernet: bgmac-platform: fix an OF node reference leak
Josef Bacik (3):
btrfs: switch extent buffer tree lock to rw_semaphore
btrfs: locking: remove all the blocking helpers
btrfs: locking: remove the recursion handling code
Kai-Heng Feng (1):
PCI/AER: Disable AER service on suspend
Kairui Song (1):
zram: refuse to use zero sized block device as backing device
Kalesh AP (1):
RDMA/bnxt_re: Fix reporting hw_ver in query_device
Leon Romanovsky (1):
ARC: build: Try to guess GCC variant of cross compiler
Li Zhijian (1):
RDMA/rtrs: Ensure 'ib_sge list' is accessible
Lion Ackermann (1):
net: sched: fix ordering of qlen adjustment
Lizhi Xu (1):
tracing: Prevent bad count for tracing_cpumask_write
Magnus Lindholm (1):
scsi: qla1280: Fix hw revision numbering for ISP1020/1040
Mank Wang (1):
USB: serial: option: add Netprisma LCUK54 modules for WWAN Ready
Mark Brown (1):
regmap: Use correct format specifier for logging range errors
Masahiro Yamada (2):
modpost: fix input MODULE_DEVICE_TABLE() built for 64-bit on 32-bit host
modpost: fix the missed iteration for the max bit in do_input()
Masami Hiramatsu (Google) (1):
tracing/kprobe: Make trace_kprobe's module callback called after jump_label update
Michael Kelley (1):
Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet
Michal Hrusecky (1):
USB: serial: option: add MeiG Smart SLM770A
Mika Westerberg (4):
thunderbolt: Add support for Intel Meteor Lake
thunderbolt: Add Intel Barlow Ridge PCI ID
thunderbolt: Add support for Intel Lunar Lake
thunderbolt: Add support for Intel Panther Lake-M/P
Ming Lei (1):
virtio-blk: don't keep queue frozen during system suspend
Murad Masimov (1):
hwmon: (tmp513) Fix interpretation of values of Temperature Result and Limit Registers
Naman Jain (1):
x86/hyperv: Fix hv tsc page based sched_clock for hibernation
NeilBrown (1):
nfsd: restore callback functionality for NFSv4.0
Nikita Zhandarovich (1):
media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg
Nikolay Kuratov (1):
net/sctp: Prevent autoclose integer overflow in sctp_association_init()
Pablo Neira Ayuso (1):
netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext
Parav Pandit (1):
net/mlx5: Make API mlx5_core_is_ecpf accept const pointer
Pascal Hambourg (1):
sky2: Add device ID 11ab:4373 for Marvell 88E8075
Patrisious Haddad (1):
RDMA/mlx5: Enforce same type port association for multiport RoCE
Peng Hongchi (1):
usb: dwc2: gadget: Don't write invalid mapped sg entries into dma_desc with iommu enabled
Phil Sutter (1):
netfilter: ipset: Fix for recursive locking warning
Prathamesh Shete (1):
mmc: sdhci-tegra: Remove SDHCI_QUIRK_BROKEN_ADMA_ZEROLEN_DESC quirk
Qu Wenruo (1):
btrfs: tree-checker: reject inline extent items with 0 ref count
Ranjan Kumar (1):
scsi: mpt3sas: Diag-Reset when Doorbell-In-Use bit is set during driver load time
Roger Quadros (1):
usb: cdns3: Add quirk flag to enable suspend residency
Saravanan Vajravel (1):
RDMA/bnxt_re: Add check for path mtu in modify_qp
Seiji Nishikawa (1):
mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim()
Selvin Xavier (2):
RDMA/bnxt_re: Fix max_qp_wrs reported
RDMA/bnxt_re: Fix the locking while accessing the QP table
Shannon Nelson (1):
ionic: use ee->offset when returning sprom data
Stefan Ekenberg (1):
drm/bridge: adv7511_audio: Update Audio InfoFrame properly
Takashi Iwai (1):
ALSA: usb: Fix UBSAN warning in parse_audio_unit()
Tanya Agarwal (1):
ALSA: usb-audio: US16x08: Initialize array before use
Tetsuo Handa (1):
kernel: Initialize cpumask before parsing
Thiébaud Weksteen (1):
selinux: ignore unknown extended permissions
Tomas Henzl (1):
scsi: megaraid_sas: Fix for a potential deadlock
Trond Myklebust (1):
NFS/pnfs: Fix a live lock between recalled layouts and layoutget
Uros Bizjak (1):
irqchip/gic: Correct declaration of *percpu_base pointer in union gic_base
Vasily Averin (4):
skbuff: introduce skb_expand_head()
ipv6: use skb_expand_head in ip6_finish_output2
ipv6: use skb_expand_head in ip6_xmit
skb_expand_head() adjust skb->truesize incorrectly
Vidya Sagar (1):
PCI: Use preserve_config in place of pci_flags
Vitalii Mordan (1):
eth: bcmsysport: fix call balance of priv->clk handling routines
Vladimir Riabchun (1):
i2c: pnx: Fix timeout in wait functions
Wei Yongjun (1):
netdevsim: switch to memdup_user_nul()
Xuewen Yan (1):
epoll: Add synchronous wakeup support for ep_poll_callback
Yang Erkun (1):
nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net
Yunfeng Ye (1):
arm64: mm: Rename asid2idx() to ctxid2asid()
Zichen Xie (1):
mtd: diskonchip: Cast an operand to prevent potential overflow
Zijun Hu (7):
of/irq: Fix using uninitialized variable @addr_len in API of_irq_parse_one()
of: Fix refcount leakage for OF node returned by __of_get_dma_parent()
phy: core: Fix an OF node refcount leakage in _of_phy_get()
phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup()
phy: core: Fix that API devm_phy_put() fails to release the phy
phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider
phy: core: Fix that API devm_phy_destroy() fails to destroy the phy
Zygo Blaxell (1):
btrfs: don't set lock_owner when locking extent buffer for reading
bo liu (1):
ALSA: hda/conexant: fix Z60MR100 startup pop issue
3 months, 3 weeks
- 1
- 1
Linux 5.4.289
by Greg Kroah-Hartman
I'm announcing the release of the 5.4.289 kernel.
All users of the 5.4 kernel series must upgrade.
The updated 5.4.y git tree can be found at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.4.y
and can be browsed at the normal kernel.org git web browser:
https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary
thanks,
greg k-h
------------
Makefile | 2
arch/arc/Makefile | 2
arch/mips/Makefile | 2
drivers/base/regmap/regmap.c | 4
drivers/block/virtio_blk.c | 7 +
drivers/block/zram/zram_drv.c | 6 +
drivers/crypto/chelsio/chtls/chtls_main.c | 5 -
drivers/dma-buf/udmabuf.c | 2
drivers/dma/at_xdmac.c | 2
drivers/dma/mv_xor.c | 2
drivers/gpu/drm/bridge/adv7511/adv7511_audio.c | 28 ++++++
drivers/gpu/drm/bridge/adv7511/adv7533.c | 2
drivers/gpu/drm/i915/i915_scheduler.c | 2
drivers/hv/hv_kvp.c | 6 +
drivers/hv/hv_snapshot.c | 6 +
drivers/hv/hv_util.c | 9 ++
drivers/hv/hyperv_vmbus.h | 2
drivers/i2c/busses/i2c-pnx.c | 4
drivers/i2c/busses/i2c-riic.c | 2
drivers/infiniband/core/uverbs_cmd.c | 16 ++-
drivers/infiniband/hw/bnxt_re/ib_verbs.c | 28 +++---
drivers/infiniband/hw/bnxt_re/qplib_sp.c | 2
drivers/infiniband/hw/mlx5/main.c | 8 +
drivers/irqchip/irq-gic.c | 2
drivers/media/dvb-frontends/dib3000mb.c | 2
drivers/mmc/host/sdhci-tegra.c | 1
drivers/mtd/nand/raw/atmel/pmecc.c | 4
drivers/mtd/nand/raw/diskonchip.c | 2
drivers/net/ethernet/broadcom/bgmac-platform.c | 5 -
drivers/net/ethernet/huawei/hinic/hinic_main.c | 2
drivers/net/ethernet/marvell/sky2.c | 1
drivers/net/ethernet/pensando/ionic/ionic_ethtool.c | 4
drivers/net/usb/qmi_wwan.c | 3
drivers/of/address.c | 2
drivers/of/base.c | 15 ++-
drivers/of/irq.c | 1
drivers/pci/pcie/aer.c | 18 ++++
drivers/pci/quirks.c | 4
drivers/phy/phy-core.c | 15 ++-
drivers/pinctrl/pinctrl-mcp23s08.c | 6 +
drivers/platform/x86/asus-nb-wmi.c | 1
drivers/scsi/megaraid/megaraid_sas_base.c | 5 -
drivers/scsi/mpt3sas/mpt3sas_base.c | 7 +
drivers/scsi/qla1280.h | 12 +-
drivers/sh/clk/core.c | 2
drivers/usb/dwc2/gadget.c | 4
drivers/usb/serial/option.c | 27 ++++++
fs/btrfs/inode.c | 2
fs/btrfs/tree-checker.c | 27 ++++++
fs/efivarfs/inode.c | 2
fs/efivarfs/internal.h | 1
fs/efivarfs/super.c | 3
fs/erofs/inode.c | 20 +---
fs/eventpoll.c | 5 -
fs/nfs/pnfs.c | 2
fs/nfsd/nfs4callback.c | 4
fs/nilfs2/inode.c | 8 +
fs/nilfs2/namei.c | 5 +
include/linux/hyperv.h | 1
include/linux/if_vlan.h | 16 +++
include/linux/mlx5/driver.h | 13 ++-
include/linux/netfilter/ipset/ip_set.h | 2
include/linux/netfilter/x_tables.h | 8 -
include/linux/netfilter_arp/arp_tables.h | 2
include/linux/netfilter_bridge/ebtables.h | 2
include/linux/netfilter_ipv4/ip_tables.h | 2
include/linux/netfilter_ipv6/ip6_tables.h | 2
include/linux/skbuff.h | 1
include/linux/trace_events.h | 2
include/linux/wait.h | 1
include/net/netfilter/nf_conntrack_extend.h | 2
include/net/netfilter/nf_conntrack_timeout.h | 2
include/net/netfilter/nf_tables.h | 13 +--
include/uapi/linux/netfilter_bridge/ebt_among.h | 2
kernel/bpf/core.c | 6 +
kernel/trace/ftrace.c | 4
kernel/trace/trace_kprobe.c | 2
mm/vmscan.c | 9 +-
net/bridge/netfilter/ebtables.c | 2
net/core/filter.c | 23 +++--
net/core/skbuff.c | 52 ++++++++++++
net/core/skmsg.c | 4
net/ipv4/netfilter/arp_tables.c | 4
net/ipv4/netfilter/ip_tables.c | 4
net/ipv6/ila/ila_xlat.c | 16 ++-
net/ipv6/ip6_output.c | 86 ++++++++------------
net/ipv6/netfilter/ip6_tables.c | 4
net/llc/llc_input.c | 2
net/mac80211/util.c | 3
net/netfilter/ipset/ip_set_bitmap_ip.c | 2
net/netfilter/ipset/ip_set_bitmap_ipmac.c | 2
net/netfilter/ipset/ip_set_bitmap_port.c | 2
net/netfilter/ipset/ip_set_hash_gen.h | 4
net/netfilter/ipset/ip_set_list_set.c | 3
net/netfilter/nfnetlink_acct.c | 2
net/netfilter/xt_hashlimit.c | 2
net/netfilter/xt_recent.c | 4
net/netrom/nr_route.c | 6 +
net/packet/af_packet.c | 28 +-----
net/sched/sch_cake.c | 2
net/sched/sch_choke.c | 2
net/sctp/associola.c | 3
net/smc/af_smc.c | 7 +
scripts/mod/file2alias.c | 4
security/selinux/ss/services.c | 8 +
sound/usb/format.c | 7 +
sound/usb/mixer.c | 7 +
sound/usb/mixer_us16x08.c | 2
108 files changed, 524 insertions(+), 238 deletions(-)
Adrian Ratiu (1):
sound: usb: format: don't warn that raw DSD is unsupported
Ajit Khaparde (1):
PCI: Add ACS quirk for Broadcom BCM5760X NIC
Anton Protopopov (1):
bpf: fix potential error return
Antonio Pastor (1):
net: llc: reset skb->transport_header
Armin Wolf (1):
platform/x86: asus-nb-wmi: Ignore unknown event 0xCF
Biju Das (1):
drm: adv7511: Drop dsi single lane support
Bogdan Togorean (1):
drm: bridge: adv7511: Enable SPDIF DAI
Chen Ridong (1):
dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset
Christian Göttsche (1):
tracing: Constify string literal data member in struct trace_event_call
Cong Wang (1):
bpf: Check negative offsets in __bpf_skb_min_len()
Dan Carpenter (4):
net: hinic: Fix cleanup in create_rxqs/txqs()
chelsio/chtls: prevent potential integer overflow on 32bit
mtd: rawnand: fix double free in atmel_pmecc_create_user()
RDMA/uverbs: Prevent integer overflow issue
Daniel Swanemar (1):
USB: serial: option: add TCL IK512 MBIM & ECM
Daniele Palmas (2):
USB: serial: option: add Telit FE910C04 rmnet compositions
net: usb: qmi_wwan: add Telit FE910C04 compositions
Edward Adam Davis (1):
nilfs2: prevent use of deleted inode
Emmanuel Grumbach (1):
wifi: mac80211: wake the queues in case of failure in resume
Eric Dumazet (5):
ipv6: fix possible UAF in ip6_finish_output2()
ipv6: prevent possible UAF in ip6_xmit()
af_packet: fix vlan_get_tci() vs MSG_PEEK
af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK
ila: serialize calls to nf_register_net_hooks()
Evgenii Shatokhin (1):
pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking
Filipe Manana (1):
btrfs: avoid monopolizing a core when activating a swap file
Gao Xiang (2):
erofs: fix order >= MAX_ORDER warning due to crafted negative i_size
erofs: fix incorrect symlink detection in fast symlink
Geert Uytterhoeven (2):
i2c: riic: Always round-up when calculating bus period
sh: clk: Fix clk_enable() to return 0 on NULL clk
Greg Kroah-Hartman (1):
Linux 5.4.289
Guangguan Wang (1):
net/smc: check sndbuf_space again after NOSPACE flag is set in smc_poll
Gustavo A. R. Silva (1):
netfilter: Replace zero-length array with flexible-array member
Herve Codina (1):
of: Fix error path in of_parse_phandle_with_args_map()
Ilya Shchipletsov (1):
netrom: check buffer length before accessing it
Jack Wu (1):
USB: serial: option: add MediaTek T7XX compositions
James Bottomley (1):
efivarfs: Fix error on non-existent file
Jann Horn (1):
udmabuf: also check for F_SEAL_FUTURE_WRITE
Javier Carrasco (1):
dmaengine: mv_xor: fix child node refcount handling in early exit
Jiasheng Jiang (1):
drm/i915: Fix memory leak by correcting cache object name in error handler
Jiaxun Yang (1):
MIPS: Probe toolchain support of -msym32
Jiayuan Chen (1):
bpf: fix recursive lock when verdict program return SK_PASS
Joe Hattori (1):
net: ethernet: bgmac-platform: fix an OF node reference leak
Kai-Heng Feng (1):
PCI/AER: Disable AER service on suspend
Kairui Song (1):
zram: refuse to use zero sized block device as backing device
Kalesh AP (1):
RDMA/bnxt_re: Fix reporting hw_ver in query_device
Koichiro Den (1):
ftrace: use preempt_enable/disable notrace macros to avoid double fault
Leon Romanovsky (1):
ARC: build: Try to guess GCC variant of cross compiler
Lion Ackermann (1):
net: sched: fix ordering of qlen adjustment
Magnus Lindholm (1):
scsi: qla1280: Fix hw revision numbering for ISP1020/1040
Mank Wang (1):
USB: serial: option: add Netprisma LCUK54 modules for WWAN Ready
Mark Brown (1):
regmap: Use correct format specifier for logging range errors
Masahiro Yamada (2):
modpost: fix input MODULE_DEVICE_TABLE() built for 64-bit on 32-bit host
modpost: fix the missed iteration for the max bit in do_input()
Masami Hiramatsu (Google) (1):
tracing/kprobe: Make trace_kprobe's module callback called after jump_label update
Michael Kelley (1):
Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet
Michal Hrusecky (1):
USB: serial: option: add MeiG Smart SLM770A
Ming Lei (1):
virtio-blk: don't keep queue frozen during system suspend
NeilBrown (1):
nfsd: restore callback functionality for NFSv4.0
Nikita Zhandarovich (1):
media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg
Nikolay Kuratov (1):
net/sctp: Prevent autoclose integer overflow in sctp_association_init()
Pablo Neira Ayuso (1):
netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext
Parav Pandit (2):
IB/mlx5: Introduce and use mlx5_core_is_vf()
net/mlx5: Make API mlx5_core_is_ecpf accept const pointer
Pascal Hambourg (1):
sky2: Add device ID 11ab:4373 for Marvell 88E8075
Patrisious Haddad (1):
RDMA/mlx5: Enforce same type port association for multiport RoCE
Peng Hongchi (1):
usb: dwc2: gadget: Don't write invalid mapped sg entries into dma_desc with iommu enabled
Phil Sutter (1):
netfilter: ipset: Fix for recursive locking warning
Prathamesh Shete (1):
mmc: sdhci-tegra: Remove SDHCI_QUIRK_BROKEN_ADMA_ZEROLEN_DESC quirk
Qu Wenruo (1):
btrfs: tree-checker: reject inline extent items with 0 ref count
Ranjan Kumar (1):
scsi: mpt3sas: Diag-Reset when Doorbell-In-Use bit is set during driver load time
Saravanan Vajravel (1):
RDMA/bnxt_re: Add check for path mtu in modify_qp
Seiji Nishikawa (1):
mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim()
Selvin Xavier (1):
RDMA/bnxt_re: Fix max_qp_wrs reported
Shannon Nelson (1):
ionic: use ee->offset when returning sprom data
Stefan Ekenberg (1):
drm/bridge: adv7511_audio: Update Audio InfoFrame properly
Takashi Iwai (1):
ALSA: usb: Fix UBSAN warning in parse_audio_unit()
Tanya Agarwal (1):
ALSA: usb-audio: US16x08: Initialize array before use
Thiébaud Weksteen (1):
selinux: ignore unknown extended permissions
Tomas Henzl (1):
scsi: megaraid_sas: Fix for a potential deadlock
Trond Myklebust (1):
NFS/pnfs: Fix a live lock between recalled layouts and layoutget
Uros Bizjak (1):
irqchip/gic: Correct declaration of *percpu_base pointer in union gic_base
Vasily Averin (4):
skbuff: introduce skb_expand_head()
ipv6: use skb_expand_head in ip6_finish_output2
ipv6: use skb_expand_head in ip6_xmit
skb_expand_head() adjust skb->truesize incorrectly
Vladimir Riabchun (1):
i2c: pnx: Fix timeout in wait functions
Xuewen Yan (1):
epoll: Add synchronous wakeup support for ep_poll_callback
Zichen Xie (1):
mtd: diskonchip: Cast an operand to prevent potential overflow
Zijun Hu (6):
of/irq: Fix using uninitialized variable @addr_len in API of_irq_parse_one()
of: Fix refcount leakage for OF node returned by __of_get_dma_parent()
phy: core: Fix an OF node refcount leakage in _of_phy_get()
phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup()
phy: core: Fix that API devm_phy_put() fails to release the phy
phy: core: Fix that API devm_phy_destroy() fails to destroy the phy
3 months, 3 weeks
- 1
- 1
[PATCH] nvmem: mtk-efuse: Enable GPU speed bin post-processing for MT8188
by Chen-Yu Tsai
Like the MT8186, the MT8188 stores GPU speed binning data in its efuse.
The data needs post-processing into a format that the OPP framework can
use.
Add a compatible match for MT8188 efuse with post-processing enabled.
Cc: <stable(a)vger.kernel.org>
Fixes: ff1df1886f43 ("dt-bindings: nvmem: mediatek: efuse: Add support for MT8188")
Signed-off-by: Chen-Yu Tsai <wenst(a)chromium.org>
---
I'm not exactly sure about pointing to the dt bindings commit for the
fixes tag.
---
drivers/nvmem/mtk-efuse.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/nvmem/mtk-efuse.c b/drivers/nvmem/mtk-efuse.c
index af953e1d9230..e8409e1e7fac 100644
--- a/drivers/nvmem/mtk-efuse.c
+++ b/drivers/nvmem/mtk-efuse.c
@@ -112,6 +112,7 @@ static const struct mtk_efuse_pdata mtk_efuse_pdata = {
static const struct of_device_id mtk_efuse_of_match[] = {
{ .compatible = "mediatek,mt8173-efuse", .data = &mtk_efuse_pdata },
{ .compatible = "mediatek,mt8186-efuse", .data = &mtk_mt8186_efuse_pdata },
+ { .compatible = "mediatek,mt8188-efuse", .data = &mtk_mt8186_efuse_pdata },
{ .compatible = "mediatek,efuse", .data = &mtk_efuse_pdata },
{/* sentinel */},
};
--
2.47.1.613.gc27f4b7a9f-goog
3 months, 3 weeks
- 2
- 9
[PATCH 6.6] ceph: give up on paths longer than PATH_MAX
by Ilya Dryomov
From: Max Kellermann <max.kellermann(a)ionos.com>
commit 550f7ca98ee028a606aa75705a7e77b1bd11720f upstream.
If the full path to be built by ceph_mdsc_build_path() happens to be
longer than PATH_MAX, then this function will enter an endless (retry)
loop, effectively blocking the whole task. Most of the machine
becomes unusable, making this a very simple and effective DoS
vulnerability.
I cannot imagine why this retry was ever implemented, but it seems
rather useless and harmful to me. Let's remove it and fail with
ENAMETOOLONG instead.
Cc: stable(a)vger.kernel.org
Reported-by: Dario Weißer <dario(a)cure53.de>
Signed-off-by: Max Kellermann <max.kellermann(a)ionos.com>
Reviewed-by: Alex Markuze <amarkuze(a)redhat.com>
Signed-off-by: Ilya Dryomov <idryomov(a)gmail.com>
[idryomov(a)gmail.com: backport to 6.6: pr_warn() is still in use]
---
fs/ceph/mds_client.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
index 11289ce8a8cc..dfa1b3c82b53 100644
--- a/fs/ceph/mds_client.c
+++ b/fs/ceph/mds_client.c
@@ -2713,12 +2713,11 @@ char *ceph_mdsc_build_path(struct ceph_mds_client *mdsc, struct dentry *dentry,
if (pos < 0) {
/*
- * A rename didn't occur, but somehow we didn't end up where
- * we thought we would. Throw a warning and try again.
+ * The path is longer than PATH_MAX and this function
+ * cannot ever succeed. Creating paths that long is
+ * possible with Ceph, but Linux cannot use them.
*/
- pr_warn("build_path did not end path lookup where expected (pos = %d)\n",
- pos);
- goto retry;
+ return ERR_PTR(-ENAMETOOLONG);
}
*pbase = base;
--
2.46.1
3 months, 3 weeks
- 3
- 2
[PATCH 2/3] arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string
by Chen-Yu Tsai
The MT8173 disp-pwm device should have only one compatible string, based
on the following DT validation error:
arch/arm64/boot/dts/mediatek/mt8173-elm.dtb: pwm@1401e000: compatible: 'oneOf' conditional failed, one must be fixed:
['mediatek,mt8173-disp-pwm', 'mediatek,mt6595-disp-pwm'] is too long
'mediatek,mt8173-disp-pwm' is not one of ['mediatek,mt6795-disp-pwm', 'mediatek,mt8167-disp-pwm']
'mediatek,mt8173-disp-pwm' is not one of ['mediatek,mt8186-disp-pwm', 'mediatek,mt8188-disp-pwm', 'mediatek,mt8192-disp-pwm', 'mediatek,mt8195-disp-pwm', 'mediatek,mt8365-disp-pwm']
'mediatek,mt8173-disp-pwm' was expected
'mediatek,mt8183-disp-pwm' was expected
from schema $id: http://devicetree.org/schemas/pwm/mediatek,pwm-disp.yaml#
arch/arm64/boot/dts/mediatek/mt8173-elm.dtb: pwm@1401f000: compatible: 'oneOf' conditional failed, one must be fixed:
['mediatek,mt8173-disp-pwm', 'mediatek,mt6595-disp-pwm'] is too long
'mediatek,mt8173-disp-pwm' is not one of ['mediatek,mt6795-disp-pwm', 'mediatek,mt8167-disp-pwm']
'mediatek,mt8173-disp-pwm' is not one of ['mediatek,mt8186-disp-pwm', 'mediatek,mt8188-disp-pwm', 'mediatek,mt8192-disp-pwm', 'mediatek,mt8195-disp-pwm', 'mediatek,mt8365-disp-pwm']
'mediatek,mt8173-disp-pwm' was expected
'mediatek,mt8183-disp-pwm' was expected
from schema $id: http://devicetree.org/schemas/pwm/mediatek,pwm-disp.yaml#
Drop the extra "mediatek,mt6595-disp-pwm" compatible string.
Fixes: 61aee9342514 ("arm64: dts: mt8173: add MT8173 display PWM driver support node")
Cc: YH Huang <yh.huang(a)mediatek.com>
Cc: <stable(a)vger.kernel.org> # v4.5+
Signed-off-by: Chen-Yu Tsai <wenst(a)chromium.org>
---
arch/arm64/boot/dts/mediatek/mt8173.dtsi | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt8173.dtsi b/arch/arm64/boot/dts/mediatek/mt8173.dtsi
index 3458be7f7f61..f49ec7495906 100644
--- a/arch/arm64/boot/dts/mediatek/mt8173.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt8173.dtsi
@@ -1255,8 +1255,7 @@ dpi0_out: endpoint {
};
pwm0: pwm@1401e000 {
- compatible = "mediatek,mt8173-disp-pwm",
- "mediatek,mt6595-disp-pwm";
+ compatible = "mediatek,mt8173-disp-pwm";
reg = <0 0x1401e000 0 0x1000>;
#pwm-cells = <2>;
clocks = <&mmsys CLK_MM_DISP_PWM026M>,
@@ -1266,8 +1265,7 @@ pwm0: pwm@1401e000 {
};
pwm1: pwm@1401f000 {
- compatible = "mediatek,mt8173-disp-pwm",
- "mediatek,mt6595-disp-pwm";
+ compatible = "mediatek,mt8173-disp-pwm";
reg = <0 0x1401f000 0 0x1000>;
#pwm-cells = <2>;
clocks = <&mmsys CLK_MM_DISP_PWM126M>,
--
2.47.1.613.gc27f4b7a9f-goog
3 months, 3 weeks
- 2
- 1
[PATCH 5.15 000/168] 5.15.176-rc1 review
by Greg Kroah-Hartman
This is the start of the stable review cycle for the 5.15.176 release.
There are 168 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed, 08 Jan 2025 15:11:04 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.176-r…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 5.15.176-rc1
Seiji Nishikawa <snishika(a)redhat.com>
mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim()
Biju Das <biju.das.jz(a)bp.renesas.com>
dt-bindings: display: adi,adv7533: Drop single lane support
Biju Das <biju.das.jz(a)bp.renesas.com>
drm: adv7511: Drop dsi single lane support
Nikolay Kuratov <kniv(a)yandex-team.ru>
net/sctp: Prevent autoclose integer overflow in sctp_association_init()
Pascal Hambourg <pascal(a)plouf.fr.eu.org>
sky2: Add device ID 11ab:4373 for Marvell 88E8075
Evgenii Shatokhin <e.shatokhin(a)yadro.com>
pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking
Dan Carpenter <dan.carpenter(a)linaro.org>
RDMA/uverbs: Prevent integer overflow issue
Arnd Bergmann <arnd(a)arndb.de>
kcov: mark in_softirq_really() as __always_inline
Masahiro Yamada <masahiroy(a)kernel.org>
modpost: fix the missed iteration for the max bit in do_input()
Masahiro Yamada <masahiroy(a)kernel.org>
modpost: fix input MODULE_DEVICE_TABLE() built for 64-bit on 32-bit host
Michal Pecio <michal.pecio(a)gmail.com>
usb: xhci: Avoid queuing redundant Stop Endpoint commands
Leon Romanovsky <leon(a)kernel.org>
ARC: build: Try to guess GCC variant of cross compiler
Uros Bizjak <ubizjak(a)gmail.com>
irqchip/gic: Correct declaration of *percpu_base pointer in union gic_base
Daniele Palmas <dnlplm(a)gmail.com>
net: usb: qmi_wwan: add Telit FE910C04 compositions
Anton Protopopov <aspsk(a)isovalent.com>
bpf: fix potential error return
Adrian Ratiu <adrian.ratiu(a)collabora.com>
sound: usb: format: don't warn that raw DSD is unsupported
Adrian Ratiu <adrian.ratiu(a)collabora.com>
sound: usb: enable DSD output for ddHiFi TC44C
Filipe Manana <fdmanana(a)suse.com>
btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount
Prike Liang <Prike.Liang(a)amd.com>
drm/amdkfd: Correct the migration DMA map direction
Emmanuel Grumbach <emmanuel.grumbach(a)intel.com>
wifi: mac80211: wake the queues in case of failure in resume
Qu Wenruo <wqu(a)suse.com>
btrfs: sysfs: fix direct super block member reads
Anand Jain <anand.jain(a)oracle.com>
btrfs: sysfs: convert scnprintf and snprintf to sysfs_emit
Filipe Manana <fdmanana(a)suse.com>
btrfs: fix use-after-free when COWing tree bock and tracing is enabled
Filipe Manana <fdmanana(a)suse.com>
btrfs: rename and export __btrfs_cow_block()
Eric Dumazet <edumazet(a)google.com>
ila: serialize calls to nf_register_net_hooks()
Eric Dumazet <edumazet(a)google.com>
af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK
Eric Dumazet <edumazet(a)google.com>
af_packet: fix vlan_get_tci() vs MSG_PEEK
Maciej S. Szmigiero <mail(a)maciej.szmigiero.name>
net: wwan: iosm: Properly check for valid exec stage in ipc_mmio_init()
Eric Dumazet <edumazet(a)google.com>
net: restrict SO_REUSEPORT to inet sockets
Li Zhijian <lizhijian(a)fujitsu.com>
RDMA/rtrs: Ensure 'ib_sge list' is accessible
Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp>
net: mv643xx_eth: fix an OF node reference leak
Vitalii Mordan <mordan(a)ispras.ru>
eth: bcmsysport: fix call balance of priv->clk handling routines
Tanya Agarwal <tanyaagarwal25699(a)gmail.com>
ALSA: usb-audio: US16x08: Initialize array before use
Antonio Pastor <antonio.pastor(a)gmail.com>
net: llc: reset skb->transport_header
Pablo Neira Ayuso <pablo(a)netfilter.org>
netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext
Rodrigo Vivi <rodrigo.vivi(a)intel.com>
drm/i915/dg1: Fix power gate sequence.
Ilya Shchipletsov <rabbelkin(a)mail.ru>
netrom: check buffer length before accessing it
Wang Liang <wangliang74(a)huawei.com>
net: fix memory leak in tcp_conn_request()
Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp>
net: stmmac: restructure the error path of stmmac_probe_config_dt()
Andrew Halaney <ahalaney(a)redhat.com>
net: stmmac: don't create a MDIO bus if unnecessary
Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org>
net: stmmac: platform: provide devm_stmmac_probe_config_dt()
Chengchang Tang <tangchengchang(a)huawei.com>
RDMA/hns: Fix missing flush CQE for DWQE
Chengchang Tang <tangchengchang(a)huawei.com>
RDMA/hns: Fix warning storm caused by invalid input in IO path
wenglianfa <wenglianfa(a)huawei.com>
RDMA/hns: Fix mapping error of zero-hop WQE buffer
Yunsheng Lin <linyunsheng(a)huawei.com>
RDMA/hns: Remove redundant 'bt_level' for hem_list_alloc_item()
Yixing Liu <liuyixing1(a)huawei.com>
RDMA/hns: Remove redundant 'attr_mask' in modify_qp_init_to_init()
Stefan Ekenberg <stefan.ekenberg(a)axis.com>
drm/bridge: adv7511_audio: Update Audio InfoFrame properly
Selvin Xavier <selvin.xavier(a)broadcom.com>
RDMA/bnxt_re: Fix the locking while accessing the QP table
Selvin Xavier <selvin.xavier(a)broadcom.com>
RDMA/bnxt_re: Fix max_qp_wrs reported
Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com>
RDMA/bnxt_re: Fix reporting hw_ver in query_device
Saravanan Vajravel <saravanan.vajravel(a)broadcom.com>
RDMA/bnxt_re: Add check for path mtu in modify_qp
Patrisious Haddad <phaddad(a)nvidia.com>
RDMA/mlx5: Enforce same type port association for multiport RoCE
Kairui Song <kasong(a)tencent.com>
zram: fix uninitialized ZRAM not releasing backing device
Sergey Senozhatsky <senozhatsky(a)chromium.org>
drivers/block/zram/zram_drv.c: do not keep dangling zcomp pointer after zram reset
Mathias Nyman <mathias.nyman(a)linux.intel.com>
xhci: Turn NEC specific quirk for handling Stop Endpoint errors generic
Michal Pecio <michal.pecio(a)gmail.com>
usb: xhci: Limit Stop Endpoint retries
Michal Pecio <michal.pecio(a)gmail.com>
xhci: retry Stop Endpoint on buggy NEC controllers
Mika Westerberg <mika.westerberg(a)linux.intel.com>
thunderbolt: Add support for Intel Panther Lake-M/P
Mika Westerberg <mika.westerberg(a)linux.intel.com>
thunderbolt: Add support for Intel Lunar Lake
Mika Westerberg <mika.westerberg(a)linux.intel.com>
thunderbolt: Add Intel Barlow Ridge PCI ID
Mika Westerberg <mika.westerberg(a)linux.intel.com>
thunderbolt: Add support for Intel Meteor Lake
George D Sworo <george.d.sworo(a)intel.com>
thunderbolt: Add support for Intel Raptor Lake
Steven Rostedt <rostedt(a)goodmis.org>
tracing: Have process_string() also allow arrays
Thiébaud Weksteen <tweek(a)google.com>
selinux: ignore unknown extended permissions
Naman Jain <namjain(a)linux.microsoft.com>
x86/hyperv: Fix hv tsc page based sched_clock for hibernation
Vladimir Oltean <vladimir.oltean(a)nxp.com>
net: dsa: improve shutdown sequence
Yang Erkun <yangerkun(a)huaweicloud.com>
nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net
Filipe Manana <fdmanana(a)suse.com>
btrfs: avoid monopolizing a core when activating a swap file
Dimitri Fedrau <dimitri.fedrau(a)liebherr.com>
power: supply: gpio-charger: Fix set charge current limits
Lizhi Xu <lizhi.xu(a)windriver.com>
tracing: Prevent bad count for tracing_cpumask_write
Christian Göttsche <cgzones(a)googlemail.com>
tracing: Constify string literal data member in struct trace_event_call
Alexandre Ghiti <alexghiti(a)rivosinc.com>
riscv: Fix IPIs usage in kfence_protect_page()
Namjae Jeon <linkinjeon(a)kernel.org>
ksmbd: fix racy issue from session lookup and expire
Kees Cook <kees(a)kernel.org>
lib: stackinit: hide never-taken branch from compiler
Imre Deak <imre.deak(a)intel.com>
drm/dp_mst: Verify request type in the corresponding down message reply
Catalin Marinas <catalin.marinas(a)arm.com>
arm64: Ensure bits ASID[15:8] are masked out when the kernel uses 8-bit ASIDs
Yunfeng Ye <yeyunfeng(a)huawei.com>
arm64: mm: Rename asid2idx() to ctxid2asid()
Peterson Guo <peterson.guo(a)amd.com>
drm/amd/display: Add a left edge pixel if in YCbCr422 or YCbCr420 and odm
Jordy Zomer <jordyzomer(a)google.com>
ksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write
Jordy Zomer <jordyzomer(a)google.com>
ksmbd: fix Out-of-Bounds Read in ksmbd_vfs_stream_read
Imre Deak <imre.deak(a)intel.com>
drm/dp_mst: Fix MST sideband message body length check
Hou Tao <houtao1(a)huawei.com>
bpf: Check validity of link->type in bpf_link_show_fdinfo()
Jiaxun Yang <jiaxun.yang(a)flygoat.com>
MIPS: Probe toolchain support of -msym32
Matthew Wilcox (Oracle) <willy(a)infradead.org>
vmalloc: fix accounting with i915
Ming Lei <ming.lei(a)redhat.com>
virtio-blk: don't keep queue frozen during system suspend
Cathy Avery <cavery(a)redhat.com>
scsi: storvsc: Do not flag MAINTENANCE_IN return of SRB_STATUS_DATA_OVERRUN as an error
Ranjan Kumar <ranjan.kumar(a)broadcom.com>
scsi: mpt3sas: Diag-Reset when Doorbell-In-Use bit is set during driver load time
Armin Wolf <W_Armin(a)gmx.de>
platform/x86: asus-nb-wmi: Ignore unknown event 0xCF
Mark Brown <broonie(a)kernel.org>
regmap: Use correct format specifier for logging range errors
bo liu <bo.liu(a)senarytech.com>
ALSA: hda/conexant: fix Z60MR100 startup pop issue
Tomas Henzl <thenzl(a)redhat.com>
scsi: megaraid_sas: Fix for a potential deadlock
Magnus Lindholm <linmag7(a)gmail.com>
scsi: qla1280: Fix hw revision numbering for ISP1020/1040
James Hilliard <james.hilliard1(a)gmail.com>
watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04
Masami Hiramatsu (Google) <mhiramat(a)kernel.org>
tracing/kprobe: Make trace_kprobe's module callback called after jump_label update
Dan Carpenter <dan.carpenter(a)linaro.org>
mtd: rawnand: fix double free in atmel_pmecc_create_user()
Chen Ridong <chenridong(a)huawei.com>
dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset
Andy Shevchenko <andriy.shevchenko(a)linux.intel.com>
dmaengine: dw: Select only supported masters for ACPI devices
Javier Carrasco <javier.carrasco.cruz(a)gmail.com>
dmaengine: mv_xor: fix child node refcount handling in early exit
Zijun Hu <quic_zijuhu(a)quicinc.com>
phy: core: Fix that API devm_phy_destroy() fails to destroy the phy
Zijun Hu <quic_zijuhu(a)quicinc.com>
phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider
Zijun Hu <quic_zijuhu(a)quicinc.com>
phy: core: Fix that API devm_phy_put() fails to release the phy
Zijun Hu <quic_zijuhu(a)quicinc.com>
phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup()
Zijun Hu <quic_zijuhu(a)quicinc.com>
phy: core: Fix an OF node refcount leakage in _of_phy_get()
Maciej Andrzejewski <maciej.andrzejewski(a)m-works.net>
mtd: rawnand: arasan: Fix missing de-registration of NAND
Maciej Andrzejewski <maciej.andrzejewski(a)m-works.net>
mtd: rawnand: arasan: Fix double assertion of chip-select
Zichen Xie <zichenxie0106(a)gmail.com>
mtd: diskonchip: Cast an operand to prevent potential overflow
NeilBrown <neilb(a)suse.de>
nfsd: restore callback functionality for NFSv4.0
Cong Wang <cong.wang(a)bytedance.com>
bpf: Check negative offsets in __bpf_skb_min_len()
Zijian Zhang <zijianzhang(a)bytedance.com>
tcp_bpf: Add sk_rmem_alloc related logic for tcp_bpf ingress redirection
Cong Wang <cong.wang(a)bytedance.com>
tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress()
Bart Van Assche <bvanassche(a)acm.org>
mm/vmstat: fix a W=1 clang compiler warning
Nikita Zhandarovich <n.zhandarovich(a)fintech.ru>
media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg
Michel Dänzer <mdaenzer(a)redhat.com>
drm/amdgpu: Handle NULL bo->tbo.resource (again) in amdgpu_vm_bo_update
Xuewen Yan <xuewen.yan(a)unisoc.com>
epoll: Add synchronous wakeup support for ep_poll_callback
Ilya Dryomov <idryomov(a)gmail.com>
ceph: validate snapdirname option length when mounting
Zijun Hu <quic_zijuhu(a)quicinc.com>
of: Fix refcount leakage for OF node returned by __of_get_dma_parent()
Herve Codina <herve.codina(a)bootlin.com>
of: Fix error path in of_parse_phandle_with_args_map()
Jann Horn <jannh(a)google.com>
udmabuf: also check for F_SEAL_FUTURE_WRITE
Edward Adam Davis <eadavis(a)qq.com>
nilfs2: prevent use of deleted inode
Zijun Hu <quic_zijuhu(a)quicinc.com>
of/irq: Fix using uninitialized variable @addr_len in API of_irq_parse_one()
Trond Myklebust <trond.myklebust(a)hammerspace.com>
NFS/pnfs: Fix a live lock between recalled layouts and layoutget
Steven Rostedt <rostedt(a)goodmis.org>
tracing: Add "%s" check in test_event_printk()
Steven Rostedt <rostedt(a)goodmis.org>
tracing: Add missing helper functions in event pointer dereference check
Steven Rostedt <rostedt(a)goodmis.org>
tracing: Fix test_event_printk() to process entire print argument
Sean Christopherson <seanjc(a)google.com>
KVM: x86: Play nice with protected guests in complete_hypercall_exit()
Michael Kelley <mhklinux(a)outlook.com>
Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet
Qu Wenruo <wqu(a)suse.com>
btrfs: tree-checker: reject inline extent items with 0 ref count
Kairui Song <kasong(a)tencent.com>
zram: refuse to use zero sized block device as backing device
Geert Uytterhoeven <geert+renesas(a)glider.be>
sh: clk: Fix clk_enable() to return 0 on NULL clk
Murad Masimov <m.masimov(a)maxima.ru>
hwmon: (tmp513) Fix interpretation of values of Temperature Result and Limit Registers
Murad Masimov <m.masimov(a)maxima.ru>
hwmon: (tmp513) Fix Current Register value interpretation
Murad Masimov <m.masimov(a)maxima.ru>
hwmon: (tmp513) Fix interpretation of values of Shunt Voltage and Limit Registers
Andy Shevchenko <andriy.shevchenko(a)linux.intel.com>
hwmon: (tmp513) Use SI constants from units.h
Andy Shevchenko <andriy.shevchenko(a)linux.intel.com>
hwmon: (tmp513) Simplify with dev_err_probe()
Andy Shevchenko <andriy.shevchenko(a)linux.intel.com>
hwmon: (tmp513) Don't use "proxy" headers
Ville Syrjälä <ville.syrjala(a)linux.intel.com>
drm/modes: Avoid divide by zero harder in drm_mode_vrefresh()
Daniele Palmas <dnlplm(a)gmail.com>
USB: serial: option: add Telit FE910C04 rmnet compositions
Jack Wu <wojackbb(a)gmail.com>
USB: serial: option: add MediaTek T7XX compositions
Mank Wang <mank.wang(a)netprisma.com>
USB: serial: option: add Netprisma LCUK54 modules for WWAN Ready
Michal Hrusecky <michal.hrusecky(a)turris.com>
USB: serial: option: add MeiG Smart SLM770A
Daniel Swanemar <d.swanemar(a)gmail.com>
USB: serial: option: add TCL IK512 MBIM & ECM
James Bottomley <James.Bottomley(a)HansenPartnership.com>
efivarfs: Fix error on non-existent file
Geert Uytterhoeven <geert+renesas(a)glider.be>
i2c: riic: Always round-up when calculating bus period
Dan Carpenter <dan.carpenter(a)linaro.org>
chelsio/chtls: prevent potential integer overflow on 32bit
Prathamesh Shete <pshete(a)nvidia.com>
mmc: sdhci-tegra: Remove SDHCI_QUIRK_BROKEN_ADMA_ZEROLEN_DESC quirk
Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp>
net: mdiobus: fix an OF node reference leak
Phil Sutter <phil(a)nwl.cc>
netfilter: ipset: Fix for recursive locking warning
Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp>
net: ethernet: bgmac-platform: fix an OF node reference leak
Dan Carpenter <dan.carpenter(a)linaro.org>
net: hinic: Fix cleanup in create_rxqs/txqs()
Shannon Nelson <shannon.nelson(a)amd.com>
ionic: use ee->offset when returning sprom data
Brett Creeley <brett.creeley(a)amd.com>
ionic: Fix netdev notifier unregister on failure
Eric Dumazet <edumazet(a)google.com>
netdevsim: prevent bad user input in nsim_dev_health_break_write()
Guangguan Wang <guangguan.wang(a)linux.alibaba.com>
net/smc: check return value of sock_recvmsg when draining clc data
Guangguan Wang <guangguan.wang(a)linux.alibaba.com>
net/smc: check smcd_v2_ext_offset when receiving proposal msg
Guangguan Wang <guangguan.wang(a)linux.alibaba.com>
net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg
Guangguan Wang <guangguan.wang(a)linux.alibaba.com>
net/smc: check sndbuf_space again after NOSPACE flag is set in smc_poll
Gao Xiang <hsiangkao(a)linux.alibaba.com>
erofs: fix incorrect symlink detection in fast symlink
Vladimir Riabchun <ferr.lambarginio(a)gmail.com>
i2c: pnx: Fix timeout in wait functions
Peng Hongchi <hongchi.peng(a)siengine.com>
usb: dwc2: gadget: Don't write invalid mapped sg entries into dma_desc with iommu enabled
Jiaxun Yang <jiaxun.yang(a)flygoat.com>
MIPS: Loongson64: DTS: Fix msi node for ls7a
Ajit Khaparde <ajit.khaparde(a)broadcom.com>
PCI: Add ACS quirk for Broadcom BCM5760X NIC
Jiwei Sun <sunjw10(a)lenovo.com>
PCI: vmd: Create domain symlink before pci_bus_add_devices()
Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com>
ASoC: Intel: sof_sdw: fix jack detection on ADL-N variant RVP
Roger Quadros <rogerq(a)kernel.org>
usb: cdns3: Add quirk flag to enable suspend residency
Takashi Iwai <tiwai(a)suse.de>
ALSA: usb: Fix UBSAN warning in parse_audio_unit()
Kai-Heng Feng <kai.heng.feng(a)canonical.com>
PCI/AER: Disable AER service on suspend
Vidya Sagar <vidyas(a)nvidia.com>
PCI: Use preserve_config in place of pci_flags
Lion Ackermann <nnamrec(a)gmail.com>
net: sched: fix ordering of qlen adjustment
-------------
Diffstat:
.../bindings/display/bridge/adi,adv7533.yaml | 2 +-
Makefile | 4 +-
arch/arc/Makefile | 2 +-
arch/arm64/mm/context.c | 22 +--
arch/mips/Makefile | 2 +-
.../boot/dts/loongson/loongson64g_4core_ls7a.dts | 1 +
arch/riscv/include/asm/kfence.h | 4 +-
arch/x86/kernel/cpu/mshyperv.c | 58 ++++++
arch/x86/kvm/x86.c | 2 +-
drivers/base/regmap/regmap.c | 4 +-
drivers/block/virtio_blk.c | 7 +-
drivers/block/zram/zram_drv.c | 28 +--
drivers/clocksource/hyperv_timer.c | 14 +-
drivers/dma-buf/udmabuf.c | 2 +-
drivers/dma/at_xdmac.c | 2 +
drivers/dma/dw/acpi.c | 6 +-
drivers/dma/dw/internal.h | 8 +
drivers/dma/dw/pci.c | 4 +-
drivers/dma/mv_xor.c | 2 +
drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 7 +-
drivers/gpu/drm/amd/amdkfd/kfd_migrate.c | 4 +-
.../gpu/drm/amd/display/dc/dcn20/dcn20_resource.c | 23 +++
drivers/gpu/drm/bridge/adv7511/adv7511_audio.c | 14 +-
drivers/gpu/drm/bridge/adv7511/adv7533.c | 2 +-
drivers/gpu/drm/drm_dp_mst_topology.c | 34 ++++
drivers/gpu/drm/drm_modes.c | 11 +-
drivers/gpu/drm/i915/gt/intel_rc6.c | 2 +-
drivers/hv/hv_kvp.c | 6 +
drivers/hv/hv_snapshot.c | 6 +
drivers/hv/hv_util.c | 9 +
drivers/hv/hyperv_vmbus.h | 2 +
drivers/hwmon/tmp513.c | 74 +++----
drivers/i2c/busses/i2c-pnx.c | 4 +-
drivers/i2c/busses/i2c-riic.c | 2 +-
drivers/infiniband/core/uverbs_cmd.c | 16 +-
drivers/infiniband/hw/bnxt_re/ib_verbs.c | 28 +--
drivers/infiniband/hw/bnxt_re/qplib_fp.c | 2 +
drivers/infiniband/hw/bnxt_re/qplib_sp.c | 2 +-
drivers/infiniband/hw/hns/hns_roce_hem.c | 49 +++--
drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 17 +-
drivers/infiniband/hw/hns/hns_roce_mr.c | 5 -
drivers/infiniband/hw/mlx5/main.c | 6 +-
drivers/infiniband/ulp/rtrs/rtrs-srv.c | 2 +-
drivers/irqchip/irq-gic.c | 2 +-
drivers/media/dvb-frontends/dib3000mb.c | 2 +-
drivers/mmc/host/sdhci-tegra.c | 1 -
drivers/mtd/nand/raw/arasan-nand-controller.c | 11 +-
drivers/mtd/nand/raw/atmel/pmecc.c | 4 +-
drivers/mtd/nand/raw/diskonchip.c | 2 +-
drivers/net/ethernet/broadcom/bcmsysport.c | 21 +-
drivers/net/ethernet/broadcom/bgmac-platform.c | 5 +-
.../chelsio/inline_crypto/chtls/chtls_main.c | 5 +-
drivers/net/ethernet/huawei/hinic/hinic_main.c | 2 +
drivers/net/ethernet/marvell/mv643xx_eth.c | 14 +-
drivers/net/ethernet/marvell/sky2.c | 1 +
.../net/ethernet/pensando/ionic/ionic_ethtool.c | 4 +-
drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4 +-
.../net/ethernet/stmicro/stmmac/stmmac_platform.c | 153 ++++++++++-----
.../net/ethernet/stmicro/stmmac/stmmac_platform.h | 2 +
drivers/net/mdio/fwnode_mdio.c | 13 +-
drivers/net/netdevsim/health.c | 2 +
drivers/net/usb/qmi_wwan.c | 3 +
drivers/net/wwan/iosm/iosm_ipc_mmio.c | 2 +-
drivers/of/address.c | 2 +-
drivers/of/base.c | 15 +-
drivers/of/irq.c | 1 +
drivers/pci/controller/pci-host-common.c | 4 -
drivers/pci/controller/vmd.c | 8 +-
drivers/pci/pcie/aer.c | 18 ++
drivers/pci/probe.c | 22 +--
drivers/pci/quirks.c | 4 +
drivers/phy/phy-core.c | 21 +-
drivers/pinctrl/pinctrl-mcp23s08.c | 6 +
drivers/platform/x86/asus-nb-wmi.c | 1 +
drivers/power/supply/gpio-charger.c | 8 +
drivers/scsi/megaraid/megaraid_sas_base.c | 5 +-
drivers/scsi/mpt3sas/mpt3sas_base.c | 7 +-
drivers/scsi/qla1280.h | 12 +-
drivers/scsi/storvsc_drv.c | 7 +-
drivers/sh/clk/core.c | 2 +-
drivers/thunderbolt/icm.c | 5 +
drivers/thunderbolt/nhi.c | 24 +++
drivers/thunderbolt/nhi.h | 13 ++
drivers/usb/cdns3/core.h | 1 +
drivers/usb/cdns3/drd.c | 10 +-
drivers/usb/cdns3/drd.h | 3 +
drivers/usb/dwc2/gadget.c | 4 +-
drivers/usb/host/xhci-ring.c | 42 +++-
drivers/usb/host/xhci.c | 21 +-
drivers/usb/host/xhci.h | 2 +
drivers/usb/serial/option.c | 27 +++
drivers/watchdog/it87_wdt.c | 39 ++++
fs/btrfs/ctree.c | 37 ++--
fs/btrfs/ctree.h | 7 +
fs/btrfs/disk-io.c | 9 +
fs/btrfs/inode.c | 2 +
fs/btrfs/sysfs.c | 93 +++++----
fs/btrfs/tree-checker.c | 27 ++-
fs/ceph/super.c | 2 +
fs/efivarfs/inode.c | 2 +-
fs/efivarfs/internal.h | 1 -
fs/efivarfs/super.c | 3 -
fs/erofs/inode.c | 20 +-
fs/eventpoll.c | 5 +-
fs/ksmbd/auth.c | 2 +
fs/ksmbd/mgmt/user_session.c | 6 +-
fs/ksmbd/server.c | 4 +-
fs/ksmbd/smb2pdu.c | 33 ++--
fs/nfs/pnfs.c | 2 +-
fs/nfsd/nfs4callback.c | 4 +-
fs/nfsd/nfs4state.c | 2 +-
fs/nilfs2/inode.c | 8 +-
fs/nilfs2/namei.c | 5 +
include/clocksource/hyperv_timer.h | 2 +
include/linux/hyperv.h | 1 +
include/linux/if_vlan.h | 16 +-
include/linux/mlx5/driver.h | 6 +
include/linux/skmsg.h | 11 +-
include/linux/trace_events.h | 2 +-
include/linux/vmstat.h | 2 +-
include/linux/wait.h | 1 +
include/net/netfilter/nf_tables.h | 7 +-
include/net/sock.h | 10 +-
kernel/bpf/core.c | 6 +-
kernel/bpf/syscall.c | 13 +-
kernel/kcov.c | 2 +-
kernel/trace/trace.c | 3 +
kernel/trace/trace_events.c | 213 +++++++++++++++++----
kernel/trace/trace_kprobe.c | 2 +-
lib/test_stackinit.c | 1 +
mm/vmalloc.c | 3 +-
mm/vmscan.c | 9 +-
net/core/filter.c | 21 +-
net/core/skmsg.c | 6 +-
net/core/sock.c | 5 +-
net/dsa/dsa2.c | 7 +
net/ipv4/tcp_bpf.c | 6 +-
net/ipv4/tcp_input.c | 1 +
net/ipv6/ila/ila_xlat.c | 16 +-
net/llc/llc_input.c | 2 +-
net/mac80211/util.c | 3 +
net/netfilter/ipset/ip_set_list_set.c | 3 +
net/netrom/nr_route.c | 6 +
net/packet/af_packet.c | 28 +--
net/sched/sch_cake.c | 2 +-
net/sched/sch_choke.c | 2 +-
net/sctp/associola.c | 3 +-
net/smc/af_smc.c | 13 +-
net/smc/smc_clc.c | 9 +
net/smc/smc_clc.h | 14 +-
scripts/mod/file2alias.c | 4 +-
security/selinux/ss/services.c | 8 +-
sound/pci/hda/patch_conexant.c | 28 +++
sound/soc/intel/boards/sof_sdw.c | 9 +
sound/usb/format.c | 7 +-
sound/usb/mixer.c | 7 +
sound/usb/mixer_us16x08.c | 2 +-
sound/usb/quirks.c | 2 +
158 files changed, 1391 insertions(+), 495 deletions(-)
3 months, 3 weeks
- 11
- 183
[PATCH v2 0/3] i2c: atr: A few i2c-atr fixes
by Tomi Valkeinen
The last two are perhaps not strictly fixes, as they essentially add
support for nested ATRs. The first one is a fix, thus stable is in cc.
Tomi
Signed-off-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com>
---
Changes in v2:
- Use mutext_init_with_key()
- Rearrange the series so that the fix is the first patch
- Link to v1: https://lore.kernel.org/r/20241122-i2c-atr-fixes-v1-0-62c51ce790be@ideasonb…
---
Cosmin Tanislav (1):
i2c: atr: Allow unmapped addresses from nested ATRs
Tomi Valkeinen (2):
i2c: atr: Fix client detach
i2c: atr: Fix lockdep for nested ATRs
drivers/i2c/i2c-atr.c | 27 ++++++++++++++-------------
1 file changed, 14 insertions(+), 13 deletions(-)
---
base-commit: adc218676eef25575469234709c2d87185ca223a
change-id: 20241121-i2c-atr-fixes-6d52b9f5f0c1
Best regards,
--
Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com>
3 months, 3 weeks
- 5
- 10
[PATCH 5.4] ftrace: use preempt_enable/disable notrace macros to avoid double fault
by Koichiro Den
Since the backport commit eea46baf1451 ("ftrace: Fix possible
use-after-free issue in ftrace_location()") on linux-5.4.y branch, the
old ftrace_int3_handler()->ftrace_location() path has included
rcu_read_lock(), which has mcount location inside and leads to potential
double fault.
Replace rcu_read_lock/unlock with preempt_enable/disable notrace macros
so that the mcount location does not appear on the int3 handler path.
This fix is specific to linux-5.4.y branch, the only branch still using
ftrace_int3_handler with commit e60b613df8b6 ("ftrace: Fix possible
use-after-free issue in ftrace_location()") backported. It also avoids
the need to backport the code conversion to text_poke() on this branch.
Reported-by: Koichiro Den <koichiro.den(a)canonical.com>
Closes: https://lore.kernel.org/all/74gjhwxupvozwop7ndhrh7t5qeckomt7yqvkkbm5j2tlx6d…
Fixes: eea46baf1451 ("ftrace: Fix possible use-after-free issue in ftrace_location()") # linux-5.4.y
Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org>
Signed-off-by: Koichiro Den <koichiro.den(a)canonical.com>
---
kernel/trace/ftrace.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index 380032a27f98..2eb1a8ec5755 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -1554,7 +1554,7 @@ unsigned long ftrace_location_range(unsigned long start, unsigned long end)
struct dyn_ftrace key;
unsigned long ip = 0;
- rcu_read_lock();
+ preempt_disable_notrace();
key.ip = start;
key.flags = end; /* overload flags, as it is unsigned long */
@@ -1572,7 +1572,7 @@ unsigned long ftrace_location_range(unsigned long start, unsigned long end)
break;
}
}
- rcu_read_unlock();
+ preempt_enable_notrace();
return ip;
}
--
2.43.0
3 months, 3 weeks
- 4
- 3
[PATCH] replace free hugepage folios after migration
by yangge1116@126.com
From: yangge <yangge1116(a)126.com>
My machine has 4 NUMA nodes, each equipped with 32GB of memory. I
have configured each NUMA node with 16GB of CMA and 16GB of in-use
hugetlb pages. The allocation of contiguous memory via the
cma_alloc() function can fail probabilistically.
The cma_alloc() function may fail if it sees an in-use hugetlb page
within the allocation range, even if that page has already been
migrated. When in-use hugetlb pages are migrated, they may simply
be released back into the free hugepage pool instead of being
returned to the buddy system. This can cause the
test_pages_isolated() function check to fail, ultimately leading
to the failure of the cma_alloc() function:
cma_alloc()
__alloc_contig_migrate_range() // migrate in-use hugepage
test_pages_isolated()
__test_page_isolated_in_pageblock()
PageBuddy(page) // check if the page is in buddy
To address this issue, we will add a function named
replace_free_hugepage_folios(). This function will replace the
hugepage in the free hugepage pool with a new one and release the
old one to the buddy system. After the migration of in-use hugetlb
pages is completed, we will invoke the replace_free_hugepage_folios()
function to ensure that these hugepages are properly released to
the buddy system. Following this step, when the test_pages_isolated()
function is executed for inspection, it will successfully pass.
Signed-off-by: yangge <yangge1116(a)126.com>
---
include/linux/hugetlb.h | 6 ++++++
mm/hugetlb.c | 37 +++++++++++++++++++++++++++++++++++++
mm/page_alloc.c | 13 ++++++++++++-
3 files changed, 55 insertions(+), 1 deletion(-)
diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h
index ae4fe86..7d36ac8 100644
--- a/include/linux/hugetlb.h
+++ b/include/linux/hugetlb.h
@@ -681,6 +681,7 @@ struct huge_bootmem_page {
};
int isolate_or_dissolve_huge_page(struct page *page, struct list_head *list);
+int replace_free_hugepage_folios(unsigned long start_pfn, unsigned long end_pfn);
struct folio *alloc_hugetlb_folio(struct vm_area_struct *vma,
unsigned long addr, int avoid_reserve);
struct folio *alloc_hugetlb_folio_nodemask(struct hstate *h, int preferred_nid,
@@ -1059,6 +1060,11 @@ static inline int isolate_or_dissolve_huge_page(struct page *page,
return -ENOMEM;
}
+int replace_free_hugepage_folios(unsigned long start_pfn, unsigned long end_pfn)
+{
+ return 0;
+}
+
static inline struct folio *alloc_hugetlb_folio(struct vm_area_struct *vma,
unsigned long addr,
int avoid_reserve)
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 8e1db80..a099c54 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -2975,6 +2975,43 @@ int isolate_or_dissolve_huge_page(struct page *page, struct list_head *list)
return ret;
}
+/*
+ * replace_free_hugepage_folios - Replace free hugepage folios in a given pfn
+ * range with new folios.
+ * @stat_pfn: start pfn of the given pfn range
+ * @end_pfn: end pfn of the given pfn range
+ * Returns 0 on success, otherwise negated error.
+ */
+int replace_free_hugepage_folios(unsigned long start_pfn, unsigned long end_pfn)
+{
+ struct hstate *h;
+ struct folio *folio;
+ int ret = 0;
+
+ LIST_HEAD(isolate_list);
+
+ while (start_pfn < end_pfn) {
+ folio = pfn_folio(start_pfn);
+ if (folio_test_hugetlb(folio)) {
+ h = folio_hstate(folio);
+ } else {
+ start_pfn++;
+ continue;
+ }
+
+ if (!folio_ref_count(folio)) {
+ ret = alloc_and_dissolve_hugetlb_folio(h, folio, &isolate_list);
+ if (ret)
+ break;
+
+ putback_movable_pages(&isolate_list);
+ }
+ start_pfn++;
+ }
+
+ return ret;
+}
+
struct folio *alloc_hugetlb_folio(struct vm_area_struct *vma,
unsigned long addr, int avoid_reserve)
{
diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index dde19db..1dcea28 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -6504,7 +6504,18 @@ int alloc_contig_range_noprof(unsigned long start, unsigned long end,
ret = __alloc_contig_migrate_range(&cc, start, end, migratetype);
if (ret && ret != -EBUSY)
goto done;
- ret = 0;
+
+ /*
+ * When in-use hugetlb pages are migrated, they may simply be
+ * released back into the free hugepage pool instead of being
+ * returned to the buddy system. After the migration of in-use
+ * huge pages is completed, we will invoke the
+ * replace_free_hugepage_folios() function to ensure that
+ * these hugepages are properly released to the buddy system.
+ */
+ ret = replace_free_hugepage_folios(start, end);
+ if (ret)
+ goto done;
/*
* Pages from [start, end) are within a pageblock_nr_pages
--
2.7.4
3 months, 3 weeks
- 5
- 13
[PATCH v4 resend] drm/meson: switch to a managed drm device
by Anastasia Belova
Switch to a managed drm device to cleanup some error handling
and make future work easier.
Fix dereference of NULL in meson_drv_bind_master by removing
drm_dev_put(drm) before meson_encoder_*_remove and
component_unbind_all where drm is dereferenced.
Co-developed by Linux Verification Center (linuxtesting.org).
Cc: stable(a)vger.kernel.org
Fixes: 6a044642988b ("drm/meson: fix unbind path if HDMI fails to bind")
Signed-off-by: Anastasia Belova <abelova(a)astralinux.ru>
---
v2: fix commit message and add Cc: stable(a)vger.kernel.org
v3: cleanup error paths
v4: fix build errors
drivers/gpu/drm/meson/meson_crtc.c | 10 +--
drivers/gpu/drm/meson/meson_drv.c | 93 ++++++++++------------
drivers/gpu/drm/meson/meson_drv.h | 3 +-
drivers/gpu/drm/meson/meson_encoder_cvbs.c | 8 +-
drivers/gpu/drm/meson/meson_encoder_dsi.c | 2 +-
drivers/gpu/drm/meson/meson_encoder_hdmi.c | 4 +-
drivers/gpu/drm/meson/meson_overlay.c | 8 +-
drivers/gpu/drm/meson/meson_plane.c | 10 +--
8 files changed, 63 insertions(+), 75 deletions(-)
diff --git a/drivers/gpu/drm/meson/meson_crtc.c b/drivers/gpu/drm/meson/meson_crtc.c
index d70616da8ce2..e1c0bf3baeea 100644
--- a/drivers/gpu/drm/meson/meson_crtc.c
+++ b/drivers/gpu/drm/meson/meson_crtc.c
@@ -662,13 +662,13 @@ void meson_crtc_irq(struct meson_drm *priv)
drm_crtc_handle_vblank(priv->crtc);
- spin_lock_irqsave(&priv->drm->event_lock, flags);
+ spin_lock_irqsave(&priv->drm.event_lock, flags);
if (meson_crtc->event) {
drm_crtc_send_vblank_event(priv->crtc, meson_crtc->event);
drm_crtc_vblank_put(priv->crtc);
meson_crtc->event = NULL;
}
- spin_unlock_irqrestore(&priv->drm->event_lock, flags);
+ spin_unlock_irqrestore(&priv->drm.event_lock, flags);
}
int meson_crtc_create(struct meson_drm *priv)
@@ -677,18 +677,18 @@ int meson_crtc_create(struct meson_drm *priv)
struct drm_crtc *crtc;
int ret;
- meson_crtc = devm_kzalloc(priv->drm->dev, sizeof(*meson_crtc),
+ meson_crtc = devm_kzalloc(priv->drm.dev, sizeof(*meson_crtc),
GFP_KERNEL);
if (!meson_crtc)
return -ENOMEM;
meson_crtc->priv = priv;
crtc = &meson_crtc->base;
- ret = drm_crtc_init_with_planes(priv->drm, crtc,
+ ret = drm_crtc_init_with_planes(&priv->drm, crtc,
priv->primary_plane, NULL,
&meson_crtc_funcs, "meson_crtc");
if (ret) {
- dev_err(priv->drm->dev, "Failed to init CRTC\n");
+ dev_err(priv->drm.dev, "Failed to init CRTC\n");
return ret;
}
diff --git a/drivers/gpu/drm/meson/meson_drv.c b/drivers/gpu/drm/meson/meson_drv.c
index 4bd0baa2a4f5..dd87c6b61e9e 100644
--- a/drivers/gpu/drm/meson/meson_drv.c
+++ b/drivers/gpu/drm/meson/meson_drv.c
@@ -182,7 +182,6 @@ static int meson_drv_bind_master(struct device *dev, bool has_components)
struct platform_device *pdev = to_platform_device(dev);
const struct meson_drm_match_data *match;
struct meson_drm *priv;
- struct drm_device *drm;
struct resource *res;
void __iomem *regs;
int ret, i;
@@ -197,58 +196,49 @@ static int meson_drv_bind_master(struct device *dev, bool has_components)
if (!match)
return -ENODEV;
- drm = drm_dev_alloc(&meson_driver, dev);
- if (IS_ERR(drm))
- return PTR_ERR(drm);
+ priv = devm_drm_dev_alloc(dev, &meson_driver,
+ struct meson_drm, drm);
- priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL);
- if (!priv) {
- ret = -ENOMEM;
- goto free_drm;
- }
- drm->dev_private = priv;
- priv->drm = drm;
+ if (IS_ERR(priv))
+ return PTR_ERR(priv);
+
+ priv->drm.dev_private = priv;
priv->dev = dev;
priv->compat = match->compat;
priv->afbcd.ops = match->afbcd_ops;
regs = devm_platform_ioremap_resource_byname(pdev, "vpu");
if (IS_ERR(regs)) {
- ret = PTR_ERR(regs);
- goto free_drm;
+ return PTR_ERR(regs);
}
priv->io_base = regs;
res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "hhi");
if (!res) {
- ret = -EINVAL;
- goto free_drm;
+ return -EINVAL;
}
/* Simply ioremap since it may be a shared register zone */
regs = devm_ioremap(dev, res->start, resource_size(res));
if (!regs) {
- ret = -EADDRNOTAVAIL;
- goto free_drm;
+ return -EADDRNOTAVAIL;
}
priv->hhi = devm_regmap_init_mmio(dev, regs,
&meson_regmap_config);
if (IS_ERR(priv->hhi)) {
dev_err(&pdev->dev, "Couldn't create the HHI regmap\n");
- ret = PTR_ERR(priv->hhi);
- goto free_drm;
+ return PTR_ERR(priv->hhi);
}
priv->canvas = meson_canvas_get(dev);
if (IS_ERR(priv->canvas)) {
- ret = PTR_ERR(priv->canvas);
- goto free_drm;
+ return PTR_ERR(priv->canvas);
}
ret = meson_canvas_alloc(priv->canvas, &priv->canvas_id_osd1);
if (ret)
- goto free_drm;
+ return ret;
ret = meson_canvas_alloc(priv->canvas, &priv->canvas_id_vd1_0);
if (ret)
goto free_canvas_osd1;
@@ -261,7 +251,7 @@ static int meson_drv_bind_master(struct device *dev, bool has_components)
priv->vsync_irq = platform_get_irq(pdev, 0);
- ret = drm_vblank_init(drm, 1);
+ ret = drm_vblank_init(&priv->drm, 1);
if (ret)
goto free_canvas_vd1_2;
@@ -281,13 +271,13 @@ static int meson_drv_bind_master(struct device *dev, bool has_components)
if (ret)
goto free_canvas_vd1_2;
- ret = drmm_mode_config_init(drm);
+ ret = drmm_mode_config_init(&priv->drm);
if (ret)
goto free_canvas_vd1_2;
- drm->mode_config.max_width = 3840;
- drm->mode_config.max_height = 2160;
- drm->mode_config.funcs = &meson_mode_config_funcs;
- drm->mode_config.helper_private = &meson_mode_config_helpers;
+ priv->drm.mode_config.max_width = 3840;
+ priv->drm.mode_config.max_height = 2160;
+ priv->drm.mode_config.funcs = &meson_mode_config_funcs;
+ priv->drm.mode_config.helper_private = &meson_mode_config_helpers;
/* Hardware Initialization */
@@ -308,9 +298,9 @@ static int meson_drv_bind_master(struct device *dev, bool has_components)
goto exit_afbcd;
if (has_components) {
- ret = component_bind_all(dev, drm);
+ ret = component_bind_all(dev, &priv->drm);
if (ret) {
- dev_err(drm->dev, "Couldn't bind all components\n");
+ dev_err(priv->drm.dev, "Couldn't bind all components\n");
/* Do not try to unbind */
has_components = false;
goto exit_afbcd;
@@ -319,46 +309,49 @@ static int meson_drv_bind_master(struct device *dev, bool has_components)
ret = meson_encoder_hdmi_probe(priv);
if (ret)
- goto exit_afbcd;
+ goto unbind_components;
if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_G12A)) {
ret = meson_encoder_dsi_probe(priv);
if (ret)
- goto exit_afbcd;
+ goto unbind_components;
}
ret = meson_plane_create(priv);
if (ret)
- goto exit_afbcd;
+ goto unbind_components;
ret = meson_overlay_create(priv);
if (ret)
- goto exit_afbcd;
+ goto unbind_components;
ret = meson_crtc_create(priv);
if (ret)
- goto exit_afbcd;
+ goto unbind_components;
- ret = request_irq(priv->vsync_irq, meson_irq, 0, drm->driver->name, drm);
+ ret = request_irq(priv->vsync_irq, meson_irq, 0, priv->drm.driver->name, &priv->drm);
if (ret)
- goto exit_afbcd;
+ goto unbind_components;
- drm_mode_config_reset(drm);
+ drm_mode_config_reset(&priv->drm);
- drm_kms_helper_poll_init(drm);
+ drm_kms_helper_poll_init(&priv->drm);
platform_set_drvdata(pdev, priv);
- ret = drm_dev_register(drm, 0);
+ ret = drm_dev_register(&priv->drm, 0);
if (ret)
goto uninstall_irq;
- drm_fbdev_dma_setup(drm, 32);
+ drm_fbdev_dma_setup(&priv->drm, 32);
return 0;
uninstall_irq:
- free_irq(priv->vsync_irq, drm);
+ free_irq(priv->vsync_irq, &priv->drm);
+unbind_components:
+ if (has_components)
+ component_unbind_all(dev, &priv->drm);
exit_afbcd:
if (priv->afbcd.ops)
priv->afbcd.ops->exit(priv);
@@ -370,16 +363,11 @@ static int meson_drv_bind_master(struct device *dev, bool has_components)
meson_canvas_free(priv->canvas, priv->canvas_id_vd1_0);
free_canvas_osd1:
meson_canvas_free(priv->canvas, priv->canvas_id_osd1);
-free_drm:
- drm_dev_put(drm);
meson_encoder_dsi_remove(priv);
meson_encoder_hdmi_remove(priv);
meson_encoder_cvbs_remove(priv);
- if (has_components)
- component_unbind_all(dev, drm);
-
return ret;
}
@@ -391,7 +379,7 @@ static int meson_drv_bind(struct device *dev)
static void meson_drv_unbind(struct device *dev)
{
struct meson_drm *priv = dev_get_drvdata(dev);
- struct drm_device *drm = priv->drm;
+ struct drm_device *drm = &priv->drm;
if (priv->canvas) {
meson_canvas_free(priv->canvas, priv->canvas_id_osd1);
@@ -404,7 +392,6 @@ static void meson_drv_unbind(struct device *dev)
drm_kms_helper_poll_fini(drm);
drm_atomic_helper_shutdown(drm);
free_irq(priv->vsync_irq, drm);
- drm_dev_put(drm);
meson_encoder_dsi_remove(priv);
meson_encoder_hdmi_remove(priv);
@@ -428,7 +415,7 @@ static int __maybe_unused meson_drv_pm_suspend(struct device *dev)
if (!priv)
return 0;
- return drm_mode_config_helper_suspend(priv->drm);
+ return drm_mode_config_helper_suspend(&priv->drm);
}
static int __maybe_unused meson_drv_pm_resume(struct device *dev)
@@ -445,7 +432,7 @@ static int __maybe_unused meson_drv_pm_resume(struct device *dev)
if (priv->afbcd.ops)
priv->afbcd.ops->init(priv);
- return drm_mode_config_helper_resume(priv->drm);
+ return drm_mode_config_helper_resume(&priv->drm);
}
static void meson_drv_shutdown(struct platform_device *pdev)
@@ -455,8 +442,8 @@ static void meson_drv_shutdown(struct platform_device *pdev)
if (!priv)
return;
- drm_kms_helper_poll_fini(priv->drm);
- drm_atomic_helper_shutdown(priv->drm);
+ drm_kms_helper_poll_fini(&priv->drm);
+ drm_atomic_helper_shutdown(&priv->drm);
}
/*
diff --git a/drivers/gpu/drm/meson/meson_drv.h b/drivers/gpu/drm/meson/meson_drv.h
index 3f9345c14f31..45554c701322 100644
--- a/drivers/gpu/drm/meson/meson_drv.h
+++ b/drivers/gpu/drm/meson/meson_drv.h
@@ -8,6 +8,7 @@
#define __MESON_DRV_H
#include <linux/device.h>
+#include <drm/drm_device.h>
#include <linux/of.h>
#include <linux/regmap.h>
@@ -53,7 +54,7 @@ struct meson_drm {
u8 canvas_id_vd1_1;
u8 canvas_id_vd1_2;
- struct drm_device *drm;
+ struct drm_device drm;
struct drm_crtc *crtc;
struct drm_plane *primary_plane;
struct drm_plane *overlay_plane;
diff --git a/drivers/gpu/drm/meson/meson_encoder_cvbs.c b/drivers/gpu/drm/meson/meson_encoder_cvbs.c
index d1191de855d9..ddca22c8c1ff 100644
--- a/drivers/gpu/drm/meson/meson_encoder_cvbs.c
+++ b/drivers/gpu/drm/meson/meson_encoder_cvbs.c
@@ -104,7 +104,7 @@ static int meson_encoder_cvbs_get_modes(struct drm_bridge *bridge,
for (i = 0; i < MESON_CVBS_MODES_COUNT; ++i) {
struct meson_cvbs_mode *meson_mode = &meson_cvbs_modes[i];
- mode = drm_mode_duplicate(priv->drm, &meson_mode->mode);
+ mode = drm_mode_duplicate(&priv->drm, &meson_mode->mode);
if (!mode) {
dev_err(priv->dev, "Failed to create a new display mode\n");
return 0;
@@ -221,7 +221,7 @@ static const struct drm_bridge_funcs meson_encoder_cvbs_bridge_funcs = {
int meson_encoder_cvbs_probe(struct meson_drm *priv)
{
- struct drm_device *drm = priv->drm;
+ struct drm_device *drm = &priv->drm;
struct meson_encoder_cvbs *meson_encoder_cvbs;
struct drm_connector *connector;
struct device_node *remote;
@@ -256,7 +256,7 @@ int meson_encoder_cvbs_probe(struct meson_drm *priv)
meson_encoder_cvbs->priv = priv;
/* Encoder */
- ret = drm_simple_encoder_init(priv->drm, &meson_encoder_cvbs->encoder,
+ ret = drm_simple_encoder_init(&priv->drm, &meson_encoder_cvbs->encoder,
DRM_MODE_ENCODER_TVDAC);
if (ret)
return dev_err_probe(priv->dev, ret,
@@ -273,7 +273,7 @@ int meson_encoder_cvbs_probe(struct meson_drm *priv)
}
/* Initialize & attach Bridge Connector */
- connector = drm_bridge_connector_init(priv->drm, &meson_encoder_cvbs->encoder);
+ connector = drm_bridge_connector_init(&priv->drm, &meson_encoder_cvbs->encoder);
if (IS_ERR(connector))
return dev_err_probe(priv->dev, PTR_ERR(connector),
"Unable to create CVBS bridge connector\n");
diff --git a/drivers/gpu/drm/meson/meson_encoder_dsi.c b/drivers/gpu/drm/meson/meson_encoder_dsi.c
index 7816902f5907..03bb12c69863 100644
--- a/drivers/gpu/drm/meson/meson_encoder_dsi.c
+++ b/drivers/gpu/drm/meson/meson_encoder_dsi.c
@@ -132,7 +132,7 @@ int meson_encoder_dsi_probe(struct meson_drm *priv)
meson_encoder_dsi->priv = priv;
/* Encoder */
- ret = drm_simple_encoder_init(priv->drm, &meson_encoder_dsi->encoder,
+ ret = drm_simple_encoder_init(&priv->drm, &meson_encoder_dsi->encoder,
DRM_MODE_ENCODER_DSI);
if (ret)
return dev_err_probe(priv->dev, ret,
diff --git a/drivers/gpu/drm/meson/meson_encoder_hdmi.c b/drivers/gpu/drm/meson/meson_encoder_hdmi.c
index 0593a1cde906..4465d987f85b 100644
--- a/drivers/gpu/drm/meson/meson_encoder_hdmi.c
+++ b/drivers/gpu/drm/meson/meson_encoder_hdmi.c
@@ -402,7 +402,7 @@ int meson_encoder_hdmi_probe(struct meson_drm *priv)
meson_encoder_hdmi->priv = priv;
/* Encoder */
- ret = drm_simple_encoder_init(priv->drm, &meson_encoder_hdmi->encoder,
+ ret = drm_simple_encoder_init(&priv->drm, &meson_encoder_hdmi->encoder,
DRM_MODE_ENCODER_TMDS);
if (ret) {
dev_err_probe(priv->dev, ret, "Failed to init HDMI encoder\n");
@@ -420,7 +420,7 @@ int meson_encoder_hdmi_probe(struct meson_drm *priv)
}
/* Initialize & attach Bridge Connector */
- meson_encoder_hdmi->connector = drm_bridge_connector_init(priv->drm,
+ meson_encoder_hdmi->connector = drm_bridge_connector_init(&priv->drm,
&meson_encoder_hdmi->encoder);
if (IS_ERR(meson_encoder_hdmi->connector)) {
ret = dev_err_probe(priv->dev,
diff --git a/drivers/gpu/drm/meson/meson_overlay.c b/drivers/gpu/drm/meson/meson_overlay.c
index 7f98de38842b..60ee7f758723 100644
--- a/drivers/gpu/drm/meson/meson_overlay.c
+++ b/drivers/gpu/drm/meson/meson_overlay.c
@@ -484,7 +484,7 @@ static void meson_overlay_atomic_update(struct drm_plane *plane,
interlace_mode = new_state->crtc->mode.flags & DRM_MODE_FLAG_INTERLACE;
- spin_lock_irqsave(&priv->drm->event_lock, flags);
+ spin_lock_irqsave(&priv->drm.event_lock, flags);
if ((fb->modifier & DRM_FORMAT_MOD_AMLOGIC_FBC(0, 0)) ==
DRM_FORMAT_MOD_AMLOGIC_FBC(0, 0)) {
@@ -717,7 +717,7 @@ static void meson_overlay_atomic_update(struct drm_plane *plane,
priv->viu.vd1_enabled = true;
- spin_unlock_irqrestore(&priv->drm->event_lock, flags);
+ spin_unlock_irqrestore(&priv->drm.event_lock, flags);
DRM_DEBUG_DRIVER("\n");
}
@@ -838,7 +838,7 @@ int meson_overlay_create(struct meson_drm *priv)
DRM_DEBUG_DRIVER("\n");
- meson_overlay = devm_kzalloc(priv->drm->dev, sizeof(*meson_overlay),
+ meson_overlay = devm_kzalloc(priv->drm.dev, sizeof(*meson_overlay),
GFP_KERNEL);
if (!meson_overlay)
return -ENOMEM;
@@ -846,7 +846,7 @@ int meson_overlay_create(struct meson_drm *priv)
meson_overlay->priv = priv;
plane = &meson_overlay->base;
- drm_universal_plane_init(priv->drm, plane, 0xFF,
+ drm_universal_plane_init(&priv->drm, plane, 0xFF,
&meson_overlay_funcs,
supported_drm_formats,
ARRAY_SIZE(supported_drm_formats),
diff --git a/drivers/gpu/drm/meson/meson_plane.c b/drivers/gpu/drm/meson/meson_plane.c
index b43ac61201f3..13be94309bf4 100644
--- a/drivers/gpu/drm/meson/meson_plane.c
+++ b/drivers/gpu/drm/meson/meson_plane.c
@@ -157,7 +157,7 @@ static void meson_plane_atomic_update(struct drm_plane *plane,
* Update Buffer
* Enable Plane
*/
- spin_lock_irqsave(&priv->drm->event_lock, flags);
+ spin_lock_irqsave(&priv->drm.event_lock, flags);
/* Check if AFBC decoder is required for this buffer */
if ((meson_vpu_is_compatible(priv, VPU_COMPATIBLE_GXM) ||
@@ -393,7 +393,7 @@ static void meson_plane_atomic_update(struct drm_plane *plane,
priv->viu.osd1_enabled = true;
- spin_unlock_irqrestore(&priv->drm->event_lock, flags);
+ spin_unlock_irqrestore(&priv->drm.event_lock, flags);
}
static void meson_plane_atomic_disable(struct drm_plane *plane,
@@ -536,7 +536,7 @@ int meson_plane_create(struct meson_drm *priv)
const uint64_t *format_modifiers = format_modifiers_default;
int ret;
- meson_plane = devm_kzalloc(priv->drm->dev, sizeof(*meson_plane),
+ meson_plane = devm_kzalloc(priv->drm.dev, sizeof(*meson_plane),
GFP_KERNEL);
if (!meson_plane)
return -ENOMEM;
@@ -549,14 +549,14 @@ int meson_plane_create(struct meson_drm *priv)
else if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_G12A))
format_modifiers = format_modifiers_afbc_g12a;
- ret = drm_universal_plane_init(priv->drm, plane, 0xFF,
+ ret = drm_universal_plane_init(&priv->drm, plane, 0xFF,
&meson_plane_funcs,
supported_drm_formats,
ARRAY_SIZE(supported_drm_formats),
format_modifiers,
DRM_PLANE_TYPE_PRIMARY, "meson_primary_plane");
if (ret) {
- devm_kfree(priv->drm->dev, meson_plane);
+ devm_kfree(priv->drm.dev, meson_plane);
return ret;
}
--
2.43.0
3 months, 3 weeks
- 1
- 2
[PATCH v1 1/1] scsi: ufs: core: Fix the HIGH/LOW_TEMP Bit Definitions
by Bao D. Nguyen
According to the UFS Device Specification, the bUFSFeaturesSupport
defines the support for TOO_HIGH_TEMPERATURE as bit[4] and the
TOO_LOW_TEMPERATURE as bit[5]. Correct the code to match with
the UFS device specification definition.
Fixes: e88e2d322 ("scsi: ufs: core: Probe for temperature notification support")
Cc: stable(a)vger.kernel.org
Signed-off-by: Bao D. Nguyen <quic_nguyenb(a)quicinc.com>
---
include/ufs/ufs.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/ufs/ufs.h b/include/ufs/ufs.h
index e594abe..f0c6111 100644
--- a/include/ufs/ufs.h
+++ b/include/ufs/ufs.h
@@ -386,8 +386,8 @@ enum {
/* Possible values for dExtendedUFSFeaturesSupport */
enum {
- UFS_DEV_LOW_TEMP_NOTIF = BIT(4),
- UFS_DEV_HIGH_TEMP_NOTIF = BIT(5),
+ UFS_DEV_HIGH_TEMP_NOTIF = BIT(4),
+ UFS_DEV_LOW_TEMP_NOTIF = BIT(5),
UFS_DEV_EXT_TEMP_NOTIF = BIT(6),
UFS_DEV_HPB_SUPPORT = BIT(7),
UFS_DEV_WRITE_BOOSTER_SUP = BIT(8),
--
2.7.4
3 months, 3 weeks
- 2
- 2
[PATCH v2 1/9] btrfs: fix double accounting race when btrfs_run_delalloc_range() failed
by Qu Wenruo
[BUG]
When running btrfs with block size (4K) smaller than page size (64K,
aarch64), there is a very high chance to crash the kernel at
generic/750, with the following messages:
(before the call traces, there are 3 extra debug messages added)
BTRFS warning (device dm-3): read-write for sector size 4096 with page size 65536 is experimental
BTRFS info (device dm-3): checking UUID tree
hrtimer: interrupt took 5451385 ns
BTRFS error (device dm-3): cow_file_range failed, root=4957 inode=257 start=1605632 len=69632: -28
BTRFS error (device dm-3): run_delalloc_nocow failed, root=4957 inode=257 start=1605632 len=69632: -28
BTRFS error (device dm-3): failed to run delalloc range, root=4957 ino=257 folio=1572864 submit_bitmap=8-15 start=1605632 len=69632: -28
------------[ cut here ]------------
WARNING: CPU: 2 PID: 3020984 at ordered-data.c:360 can_finish_ordered_extent+0x370/0x3b8 [btrfs]
CPU: 2 UID: 0 PID: 3020984 Comm: kworker/u24:1 Tainted: G OE 6.13.0-rc1-custom+ #89
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022
Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]
pc : can_finish_ordered_extent+0x370/0x3b8 [btrfs]
lr : can_finish_ordered_extent+0x1ec/0x3b8 [btrfs]
Call trace:
can_finish_ordered_extent+0x370/0x3b8 [btrfs] (P)
can_finish_ordered_extent+0x1ec/0x3b8 [btrfs] (L)
btrfs_mark_ordered_io_finished+0x130/0x2b8 [btrfs]
extent_writepage+0x10c/0x3b8 [btrfs]
extent_write_cache_pages+0x21c/0x4e8 [btrfs]
btrfs_writepages+0x94/0x160 [btrfs]
do_writepages+0x74/0x190
filemap_fdatawrite_wbc+0x74/0xa0
start_delalloc_inodes+0x17c/0x3b0 [btrfs]
btrfs_start_delalloc_roots+0x17c/0x288 [btrfs]
shrink_delalloc+0x11c/0x280 [btrfs]
flush_space+0x288/0x328 [btrfs]
btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]
process_one_work+0x228/0x680
worker_thread+0x1bc/0x360
kthread+0x100/0x118
ret_from_fork+0x10/0x20
---[ end trace 0000000000000000 ]---
BTRFS critical (device dm-3): bad ordered extent accounting, root=4957 ino=257 OE offset=1605632 OE len=16384 to_dec=16384 left=0
BTRFS critical (device dm-3): bad ordered extent accounting, root=4957 ino=257 OE offset=1622016 OE len=12288 to_dec=12288 left=0
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
BTRFS critical (device dm-3): bad ordered extent accounting, root=4957 ino=257 OE offset=1634304 OE len=8192 to_dec=4096 left=0
CPU: 1 UID: 0 PID: 3286940 Comm: kworker/u24:3 Tainted: G W OE 6.13.0-rc1-custom+ #89
Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022
Workqueue: btrfs_work_helper [btrfs] (btrfs-endio-write)
pstate: 404000c5 (nZcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : process_one_work+0x110/0x680
lr : worker_thread+0x1bc/0x360
Call trace:
process_one_work+0x110/0x680 (P)
worker_thread+0x1bc/0x360 (L)
worker_thread+0x1bc/0x360
kthread+0x100/0x118
ret_from_fork+0x10/0x20
Code: f84086a1 f9000fe1 53041c21 b9003361 (f9400661)
---[ end trace 0000000000000000 ]---
Kernel panic - not syncing: Oops: Fatal exception
SMP: stopping secondary CPUs
SMP: failed to stop secondary CPUs 2-3
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: 0x275bb9540000 from 0xffff800080000000
PHYS_OFFSET: 0xffff8fbba0000000
CPU features: 0x100,00000070,00801250,8201720b
[CAUSE]
The above warning is triggered immediately after the delalloc range
failure, this happens in the following sequence:
- Range [1568K, 1636K) is dirty
1536K 1568K 1600K 1636K 1664K
| |/////////|////////| |
Where 1536K, 1600K and 1664K are page boundaries (64K page size)
- Enter extent_writepage() for page 1536K
- Enter run_delalloc_nocow() with locked page 1536K and range
[1568K, 1636K)
This is due to the inode has preallocated extents.
- Enter cow_file_range() with locked page 1536K and range
[1568K, 1636K)
- btrfs_reserve_extent() only reserved two extents
The main loop of cow_file_range() only reserved two data extents,
Now we have:
1536K 1568K 1600K 1636K 1664K
| |<-->|<--->|/|///////| |
1584K 1596K
Range [1568K, 1596K) has ordered extent reserved.
- btrfs_reserve_extent() failed inside cow_file_range() for file offset
1596K
This is already a bug in our space reservation code, but for now let's
focus on the error handling path.
Now cow_file_range() returned -ENOSPC.
- btrfs_run_delalloc_range() do error cleanup <<< ROOT CAUSE
Call btrfs_cleanup_ordered_extents() with locked folio 1536K and range
[1568K, 1636K)
Function btrfs_cleanup_ordered_extents() normally needs to skip the
ranges inside the folio, as it will normally be cleaned up by
extent_writepage().
Such split error handling is already problematic in the first place.
What's worse is the folio range skipping itself, which is not taking
subpage cases into consideration at all, it will only skip the range
if the page start >= the range start.
In our case, the page start < the range start, since for subpage cases
we can have delalloc ranges inside the folio but not covering the
folio.
So it doesn't skip the page range at all.
This means all the ordered extents, both [1568K, 1584K) and
[1584K, 1596K) will be marked as IOERR.
And those two ordered extents have no more pending ios, it is marked
finished, and *QUEUED* to be deleted from the io tree.
- extent_writepage() do error cleanup
Call btrfs_mark_ordered_io_finished() for the range [1536K, 1600K).
Although ranges [1568K, 1584K) and [1584K, 1596K) are finished, the
deletion from io tree is async, it may or may not happen at this
timing.
If the ranges are not yet removed, we will do double cleaning on those
ranges, triggers the above ordered extent warnings.
In theory there are other bugs, like the cleanup in extent_writepage()
can cause double accounting on ranges that are submitted async
(compression for example).
But that's much harder to trigger because normally we do not mix regular
and compression delalloc ranges.
[FIX]
The folio range split is already buggy and not subpage compatible, it's
introduced a long time ago where subpage support is not even considered.
So instead of splitting the ordered extents cleanup into the folio range
and out of folio range, do all the cleanup inside writepage_delalloc().
- Pass @NULL as locked_folio for btrfs_cleanup_ordered_extents() in
btrfs_run_delalloc_range()
- Skip the btrfs_cleanup_ordered_extents() if writepage_delalloc()
failed
So all ordered extents are only cleaned up by
btrfs_run_delalloc_range().
- Handle the ranges that already have ordered extents allocated
If part of the folio already has ordered extent allocated, and
btrfs_run_delalloc_range() failed, we also need to cleanup that range.
Now we have a concentrated error handling for ordered extents during
btrfs_run_delalloc_range().
Cc: stable(a)vger.kernel.org # 5.15+
Fixes: d1051d6ebf8e ("btrfs: Fix error handling in btrfs_cleanup_ordered_extents")
Signed-off-by: Qu Wenruo <wqu(a)suse.com>
---
fs/btrfs/extent_io.c | 37 ++++++++++++++++++++++++++++++++-----
fs/btrfs/inode.c | 2 +-
2 files changed, 33 insertions(+), 6 deletions(-)
diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
index 9725ff7f274d..417c710c55ca 100644
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -1167,6 +1167,12 @@ static noinline_for_stack int writepage_delalloc(struct btrfs_inode *inode,
* last delalloc end.
*/
u64 last_delalloc_end = 0;
+ /*
+ * Save the last successfully ran delalloc range end (exclusive).
+ * This is for error handling to avoid ranges with ordered extent created
+ * but no IO will be submitted due to error.
+ */
+ u64 last_finished = page_start;
u64 delalloc_start = page_start;
u64 delalloc_end = page_end;
u64 delalloc_to_write = 0;
@@ -1235,11 +1241,19 @@ static noinline_for_stack int writepage_delalloc(struct btrfs_inode *inode,
found_len = last_delalloc_end + 1 - found_start;
if (ret >= 0) {
+ /*
+ * Some delalloc range may be created by previous folios.
+ * Thus we still need to clean those range up during error
+ * handling.
+ */
+ last_finished = found_start;
/* No errors hit so far, run the current delalloc range. */
ret = btrfs_run_delalloc_range(inode, folio,
found_start,
found_start + found_len - 1,
wbc);
+ if (ret >= 0)
+ last_finished = found_start + found_len;
} else {
/*
* We've hit an error during previous delalloc range,
@@ -1274,8 +1288,21 @@ static noinline_for_stack int writepage_delalloc(struct btrfs_inode *inode,
delalloc_start = found_start + found_len;
}
- if (ret < 0)
+ /*
+ * It's possible we have some ordered extents created before we hit
+ * an error, cleanup non-async successfully created delalloc ranges.
+ */
+ if (unlikely(ret < 0)) {
+ unsigned int bitmap_size = min(
+ (last_finished - page_start) >> fs_info->sectorsize_bits,
+ fs_info->sectors_per_page);
+
+ for_each_set_bit(bit, &bio_ctrl->submit_bitmap, bitmap_size)
+ btrfs_mark_ordered_io_finished(inode, folio,
+ page_start + (bit << fs_info->sectorsize_bits),
+ fs_info->sectorsize, false);
return ret;
+ }
out:
if (last_delalloc_end)
delalloc_end = last_delalloc_end;
@@ -1509,13 +1536,13 @@ static int extent_writepage(struct folio *folio, struct btrfs_bio_ctrl *bio_ctrl
bio_ctrl->wbc->nr_to_write--;
-done:
- if (ret) {
+ if (ret)
btrfs_mark_ordered_io_finished(BTRFS_I(inode), folio,
page_start, PAGE_SIZE, !ret);
- mapping_set_error(folio->mapping, ret);
- }
+done:
+ if (ret < 0)
+ mapping_set_error(folio->mapping, ret);
/*
* Only unlock ranges that are submitted. As there can be some async
* submitted ranges inside the folio.
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index c4997200dbb2..d41bb47d59fb 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -2305,7 +2305,7 @@ int btrfs_run_delalloc_range(struct btrfs_inode *inode, struct folio *locked_fol
out:
if (ret < 0)
- btrfs_cleanup_ordered_extents(inode, locked_folio, start,
+ btrfs_cleanup_ordered_extents(inode, NULL, start,
end - start + 1);
return ret;
}
--
2.47.1
3 months, 3 weeks
- 3
- 3
[PATCH] clk: clk-loongson2: Fix the number count of clk provider
by Binbin Zhou
Since commit 02fb4f008433 ("clk: clk-loongson2: Fix potential buffer
overflow in flexible-array member access"), the clk provider register is
failed.
The count of `clks_num` is shown below:
for (p = data; p->name; p++)
clks_num++;
In fact, `clks_num` represents the number of SoC clocks and should be
expressed as the maximum value of the clock binding id in use (p->id + 1).
Now we fix it to avoid the following error when trying to register a clk
provider:
[ 13.409595] of_clk_hw_onecell_get: invalid index 17
Fixes: 02fb4f008433 ("clk: clk-loongson2: Fix potential buffer overflow in flexible-array member access")
Cc: stable(a)vger.kernel.org
Signed-off-by: Binbin Zhou <zhoubinbin(a)loongson.cn>
---
drivers/clk/clk-loongson2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/clk-loongson2.c b/drivers/clk/clk-loongson2.c
index 6bf51d5a49a1..b1b2038acd0b 100644
--- a/drivers/clk/clk-loongson2.c
+++ b/drivers/clk/clk-loongson2.c
@@ -294,7 +294,7 @@ static int loongson2_clk_probe(struct platform_device *pdev)
return -EINVAL;
for (p = data; p->name; p++)
- clks_num++;
+ clks_num = max(clks_num, p->id + 1);
clp = devm_kzalloc(dev, struct_size(clp, clk_data.hws, clks_num),
GFP_KERNEL);
--
2.43.5
3 months, 3 weeks
- 3
- 4
+ mm-zswap-properly-synchronize-freeing-resources-during-cpu-hotunplug.patch added to mm-hotfixes-unstable branch
by Andrew Morton
The patch titled
Subject: mm: zswap: properly synchronize freeing resources during CPU hotunplug
has been added to the -mm mm-hotfixes-unstable branch. Its filename is
mm-zswap-properly-synchronize-freeing-resources-during-cpu-hotunplug.patch
This patch will shortly appear at
https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…
This patch will later appear in the mm-hotfixes-unstable branch at
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days
------------------------------------------------------
From: Yosry Ahmed <yosryahmed(a)google.com>
Subject: mm: zswap: properly synchronize freeing resources during CPU hotunplug
Date: Wed, 8 Jan 2025 22:24:41 +0000
In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the
current CPU at the beginning of the operation is retrieved and used
throughout. However, since neither preemption nor migration are disabled,
it is possible that the operation continues on a different CPU.
If the original CPU is hotunplugged while the acomp_ctx is still in use,
we run into a UAF bug as some of the resources attached to the acomp_ctx
are freed during hotunplug in zswap_cpu_comp_dead() (i.e.
acomp_ctx.buffer, acomp_ctx.req, or acomp_ctx.acomp).
The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use
crypto_acomp API for hardware acceleration") when the switch to the
crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was
retrieved using get_cpu_ptr() which disables preemption and makes sure the
CPU cannot go away from under us. Preemption cannot be disabled with the
crypto_acomp API as a sleepable context is needed.
Use the acomp_ctx.mutex to synchronize CPU hotplug callbacks allocating
and freeing resources with compression/decompression paths. Make sure
that acomp_ctx.req is NULL when the resources are freed. In the
compression/decompression paths, check if acomp_ctx.req is NULL after
acquiring the mutex (meaning the CPU was offlined) and retry on the new
CPU.
The initialization of acomp_ctx.mutex is moved from the CPU hotplug
callback to the pool initialization where it belongs (where the mutex is
allocated). In addition to adding clarity, this makes sure that CPU
hotplug cannot reinitialize a mutex that is already locked by
compression/decompression.
Previously a fix was attempted by holding cpus_read_lock() [1]. This
would have caused a potential deadlock as it is possible for code already
holding the lock to fall into reclaim and enter zswap (causing a
deadlock). A fix was also attempted using SRCU for synchronization, but
Johannes pointed out that synchronize_srcu() cannot be used in CPU hotplug
notifiers [2].
Alternative fixes that were considered/attempted and could have worked:
- Refcounting the per-CPU acomp_ctx. This involves complexity in
handling the race between the refcount dropping to zero in
zswap_[de]compress() and the refcount being re-initialized when the
CPU is onlined.
- Disabling migration before getting the per-CPU acomp_ctx [3], but
that's discouraged and is a much bigger hammer than needed, and could
result in subtle performance issues.
[1]https://lkml.kernel.org/20241219212437.2714151-1-yosryahmed@google.com/
[2]https://lkml.kernel.org/20250107074724.1756696-2-yosryahmed@google.com/
[3]https://lkml.kernel.org/20250107222236.2715883-2-yosryahmed@google.com/
Link: https://lkml.kernel.org/r/20250108222441.3622031-1-yosryahmed@google.com
Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration")
Signed-off-by: Yosry Ahmed <yosryahmed(a)google.com>
Reported-by: Johannes Weiner <hannes(a)cmpxchg.org>
Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/
Reported-by: Sam Sun <samsun1006219(a)gmail.com>
Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tP…
Cc: Barry Song <baohua(a)kernel.org>
Cc: Chengming Zhou <chengming.zhou(a)linux.dev>
Cc: Kanchana P Sridhar <kanchana.p.sridhar(a)intel.com>
Cc: Nhat Pham <nphamcs(a)gmail.com>
Cc: Vitaly Wool <vitalywool(a)gmail.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
mm/zswap.c | 60 +++++++++++++++++++++++++++++++++++++++------------
1 file changed, 46 insertions(+), 14 deletions(-)
--- a/mm/zswap.c~mm-zswap-properly-synchronize-freeing-resources-during-cpu-hotunplug
+++ a/mm/zswap.c
@@ -251,7 +251,7 @@ static struct zswap_pool *zswap_pool_cre
struct zswap_pool *pool;
char name[38]; /* 'zswap' + 32 char (max) num + \0 */
gfp_t gfp = __GFP_NORETRY | __GFP_NOWARN | __GFP_KSWAPD_RECLAIM;
- int ret;
+ int ret, cpu;
if (!zswap_has_pool) {
/* if either are unset, pool initialization failed, and we
@@ -285,6 +285,9 @@ static struct zswap_pool *zswap_pool_cre
goto error;
}
+ for_each_possible_cpu(cpu)
+ mutex_init(&per_cpu_ptr(pool->acomp_ctx, cpu)->mutex);
+
ret = cpuhp_state_add_instance(CPUHP_MM_ZSWP_POOL_PREPARE,
&pool->node);
if (ret)
@@ -821,11 +824,12 @@ static int zswap_cpu_comp_prepare(unsign
struct acomp_req *req;
int ret;
- mutex_init(&acomp_ctx->mutex);
-
+ mutex_lock(&acomp_ctx->mutex);
acomp_ctx->buffer = kmalloc_node(PAGE_SIZE * 2, GFP_KERNEL, cpu_to_node(cpu));
- if (!acomp_ctx->buffer)
- return -ENOMEM;
+ if (!acomp_ctx->buffer) {
+ ret = -ENOMEM;
+ goto buffer_fail;
+ }
acomp = crypto_alloc_acomp_node(pool->tfm_name, 0, 0, cpu_to_node(cpu));
if (IS_ERR(acomp)) {
@@ -844,6 +848,8 @@ static int zswap_cpu_comp_prepare(unsign
ret = -ENOMEM;
goto req_fail;
}
+
+ /* acomp_ctx->req must be NULL if the acomp_ctx is not fully initialized */
acomp_ctx->req = req;
crypto_init_wait(&acomp_ctx->wait);
@@ -855,12 +861,15 @@ static int zswap_cpu_comp_prepare(unsign
acomp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
crypto_req_done, &acomp_ctx->wait);
+ mutex_unlock(&acomp_ctx->mutex);
return 0;
req_fail:
crypto_free_acomp(acomp_ctx->acomp);
acomp_fail:
kfree(acomp_ctx->buffer);
+buffer_fail:
+ mutex_unlock(&acomp_ctx->mutex);
return ret;
}
@@ -869,17 +878,45 @@ static int zswap_cpu_comp_dead(unsigned
struct zswap_pool *pool = hlist_entry(node, struct zswap_pool, node);
struct crypto_acomp_ctx *acomp_ctx = per_cpu_ptr(pool->acomp_ctx, cpu);
+ mutex_lock(&acomp_ctx->mutex);
if (!IS_ERR_OR_NULL(acomp_ctx)) {
if (!IS_ERR_OR_NULL(acomp_ctx->req))
acomp_request_free(acomp_ctx->req);
+ acomp_ctx->req = NULL;
if (!IS_ERR_OR_NULL(acomp_ctx->acomp))
crypto_free_acomp(acomp_ctx->acomp);
kfree(acomp_ctx->buffer);
}
+ mutex_unlock(&acomp_ctx->mutex);
return 0;
}
+static struct crypto_acomp_ctx *acomp_ctx_get_cpu_lock(struct zswap_pool *pool)
+{
+ struct crypto_acomp_ctx *acomp_ctx;
+
+ for (;;) {
+ acomp_ctx = raw_cpu_ptr(pool->acomp_ctx);
+ mutex_lock(&acomp_ctx->mutex);
+ if (likely(acomp_ctx->req))
+ return acomp_ctx;
+ /*
+ * It is possible that we were migrated to a different CPU after
+ * getting the per-CPU ctx but before the mutex was acquired. If
+ * the old CPU got offlined, zswap_cpu_comp_dead() could have
+ * already freed ctx->req (among other things) and set it to
+ * NULL. Just try again on the new CPU that we ended up on.
+ */
+ mutex_unlock(&acomp_ctx->mutex);
+ }
+}
+
+static void acomp_ctx_put_unlock(struct crypto_acomp_ctx *acomp_ctx)
+{
+ mutex_unlock(&acomp_ctx->mutex);
+}
+
static bool zswap_compress(struct page *page, struct zswap_entry *entry,
struct zswap_pool *pool)
{
@@ -893,10 +930,7 @@ static bool zswap_compress(struct page *
gfp_t gfp;
u8 *dst;
- acomp_ctx = raw_cpu_ptr(pool->acomp_ctx);
-
- mutex_lock(&acomp_ctx->mutex);
-
+ acomp_ctx = acomp_ctx_get_cpu_lock(pool);
dst = acomp_ctx->buffer;
sg_init_table(&input, 1);
sg_set_page(&input, page, PAGE_SIZE, 0);
@@ -949,7 +983,7 @@ unlock:
else if (alloc_ret)
zswap_reject_alloc_fail++;
- mutex_unlock(&acomp_ctx->mutex);
+ acomp_ctx_put_unlock(acomp_ctx);
return comp_ret == 0 && alloc_ret == 0;
}
@@ -960,9 +994,7 @@ static void zswap_decompress(struct zswa
struct crypto_acomp_ctx *acomp_ctx;
u8 *src;
- acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx);
- mutex_lock(&acomp_ctx->mutex);
-
+ acomp_ctx = acomp_ctx_get_cpu_lock(entry->pool);
src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO);
/*
* If zpool_map_handle is atomic, we cannot reliably utilize its mapped buffer
@@ -986,10 +1018,10 @@ static void zswap_decompress(struct zswa
acomp_request_set_params(acomp_ctx->req, &input, &output, entry->length, PAGE_SIZE);
BUG_ON(crypto_wait_req(crypto_acomp_decompress(acomp_ctx->req), &acomp_ctx->wait));
BUG_ON(acomp_ctx->req->dlen != PAGE_SIZE);
- mutex_unlock(&acomp_ctx->mutex);
if (src != acomp_ctx->buffer)
zpool_unmap_handle(zpool, entry->handle);
+ acomp_ctx_put_unlock(acomp_ctx);
}
/*********************************
_
Patches currently in -mm which might be from yosryahmed(a)google.com are
revert-mm-zswap-fix-race-between-compression-and-cpu-hotunplug.patch
mm-zswap-properly-synchronize-freeing-resources-during-cpu-hotunplug.patch
mm-zswap-properly-synchronize-freeing-resources-during-cpu-hotunplug-fix.patch
3 months, 3 weeks
- 1
- 0
[PATCH v2] mm: zswap: properly synchronize freeing resources during CPU hotunplug
by Yosry Ahmed
In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the
current CPU at the beginning of the operation is retrieved and used
throughout. However, since neither preemption nor migration are
disabled, it is possible that the operation continues on a different
CPU.
If the original CPU is hotunplugged while the acomp_ctx is still in use,
we run into a UAF bug as some of the resources attached to the acomp_ctx
are freed during hotunplug in zswap_cpu_comp_dead() (i.e.
acomp_ctx.buffer, acomp_ctx.req, or acomp_ctx.acomp).
The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to
use crypto_acomp API for hardware acceleration") when the switch to the
crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was
retrieved using get_cpu_ptr() which disables preemption and makes sure
the CPU cannot go away from under us. Preemption cannot be disabled
with the crypto_acomp API as a sleepable context is needed.
Use the acomp_ctx.mutex to synchronize CPU hotplug callbacks allocating
and freeing resources with compression/decompression paths. Make sure
that acomp_ctx.req is NULL when the resources are freed. In the
compression/decompression paths, check if acomp_ctx.req is NULL after
acquiring the mutex (meaning the CPU was offlined) and retry on the new
CPU.
The initialization of acomp_ctx.mutex is moved from the CPU hotplug
callback to the pool initialization where it belongs (where the mutex is
allocated). In addition to adding clarity, this makes sure that CPU
hotplug cannot reinitialize a mutex that is already locked by
compression/decompression.
Previously a fix was attempted by holding cpus_read_lock() [1]. This
would have caused a potential deadlock as it is possible for code
already holding the lock to fall into reclaim and enter zswap (causing a
deadlock). A fix was also attempted using SRCU for synchronization, but
Johannes pointed out that synchronize_srcu() cannot be used in CPU
hotplug notifiers [2].
Alternative fixes that were considered/attempted and could have worked:
- Refcounting the per-CPU acomp_ctx. This involves complexity in
handling the race between the refcount dropping to zero in
zswap_[de]compress() and the refcount being re-initialized when the
CPU is onlined.
- Disabling migration before getting the per-CPU acomp_ctx [3], but
that's discouraged and is a much bigger hammer than needed, and could
result in subtle performance issues.
[1]https://lkml.kernel.org/20241219212437.2714151-1-yosryahmed@google.com/
[2]https://lkml.kernel.org/20250107074724.1756696-2-yosryahmed@google.com/
[3]https://lkml.kernel.org/20250107222236.2715883-2-yosryahmed@google.com/
Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration")
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Yosry Ahmed <yosryahmed(a)google.com>
Reported-by: Johannes Weiner <hannes(a)cmpxchg.org>
Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/
Reported-by: Sam Sun <samsun1006219(a)gmail.com>
Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tP…
---
This applies on top of the latest mm-hotfixes-unstable on top of 'Revert
"mm: zswap: fix race between [de]compression and CPU hotunplug"' and
after 'mm: zswap: disable migration while using per-CPU acomp_ctx' was
dropped.
v1 -> v2:
- Move the initialization of the mutex to pool initialization.
- Use the mutex to also synchronize with the CPU hotplug callback (i.e.
zswap_cpu_comp_prep()).
- Naming cleanups.
---
mm/zswap.c | 60 +++++++++++++++++++++++++++++++++++++++++-------------
1 file changed, 46 insertions(+), 14 deletions(-)
diff --git a/mm/zswap.c b/mm/zswap.c
index f6316b66fb236..4d7e564732267 100644
--- a/mm/zswap.c
+++ b/mm/zswap.c
@@ -251,7 +251,7 @@ static struct zswap_pool *zswap_pool_create(char *type, char *compressor)
struct zswap_pool *pool;
char name[38]; /* 'zswap' + 32 char (max) num + \0 */
gfp_t gfp = __GFP_NORETRY | __GFP_NOWARN | __GFP_KSWAPD_RECLAIM;
- int ret;
+ int ret, cpu;
if (!zswap_has_pool) {
/* if either are unset, pool initialization failed, and we
@@ -285,6 +285,9 @@ static struct zswap_pool *zswap_pool_create(char *type, char *compressor)
goto error;
}
+ for_each_possible_cpu(cpu)
+ mutex_init(&per_cpu_ptr(pool->acomp_ctx, cpu)->mutex);
+
ret = cpuhp_state_add_instance(CPUHP_MM_ZSWP_POOL_PREPARE,
&pool->node);
if (ret)
@@ -821,11 +824,12 @@ static int zswap_cpu_comp_prepare(unsigned int cpu, struct hlist_node *node)
struct acomp_req *req;
int ret;
- mutex_init(&acomp_ctx->mutex);
-
+ mutex_lock(&acomp_ctx->mutex);
acomp_ctx->buffer = kmalloc_node(PAGE_SIZE * 2, GFP_KERNEL, cpu_to_node(cpu));
- if (!acomp_ctx->buffer)
- return -ENOMEM;
+ if (!acomp_ctx->buffer) {
+ ret = -ENOMEM;
+ goto buffer_fail;
+ }
acomp = crypto_alloc_acomp_node(pool->tfm_name, 0, 0, cpu_to_node(cpu));
if (IS_ERR(acomp)) {
@@ -844,6 +848,8 @@ static int zswap_cpu_comp_prepare(unsigned int cpu, struct hlist_node *node)
ret = -ENOMEM;
goto req_fail;
}
+
+ /* acomp_ctx->req must be NULL if the acomp_ctx is not fully initialized */
acomp_ctx->req = req;
crypto_init_wait(&acomp_ctx->wait);
@@ -855,12 +861,15 @@ static int zswap_cpu_comp_prepare(unsigned int cpu, struct hlist_node *node)
acomp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
crypto_req_done, &acomp_ctx->wait);
+ mutex_unlock(&acomp_ctx->mutex);
return 0;
req_fail:
crypto_free_acomp(acomp_ctx->acomp);
acomp_fail:
kfree(acomp_ctx->buffer);
+buffer_fail:
+ mutex_unlock(&acomp_ctx->mutex);
return ret;
}
@@ -869,17 +878,45 @@ static int zswap_cpu_comp_dead(unsigned int cpu, struct hlist_node *node)
struct zswap_pool *pool = hlist_entry(node, struct zswap_pool, node);
struct crypto_acomp_ctx *acomp_ctx = per_cpu_ptr(pool->acomp_ctx, cpu);
+ mutex_lock(&acomp_ctx->mutex);
if (!IS_ERR_OR_NULL(acomp_ctx)) {
if (!IS_ERR_OR_NULL(acomp_ctx->req))
acomp_request_free(acomp_ctx->req);
+ acomp_ctx->req = NULL;
if (!IS_ERR_OR_NULL(acomp_ctx->acomp))
crypto_free_acomp(acomp_ctx->acomp);
kfree(acomp_ctx->buffer);
}
+ mutex_unlock(&acomp_ctx->mutex);
return 0;
}
+static struct crypto_acomp_ctx *acomp_ctx_get_cpu_lock(struct zswap_pool *pool)
+{
+ struct crypto_acomp_ctx *acomp_ctx;
+
+ for (;;) {
+ acomp_ctx = raw_cpu_ptr(pool->acomp_ctx);
+ mutex_lock(&acomp_ctx->mutex);
+ if (likely(acomp_ctx->req))
+ return acomp_ctx;
+ /*
+ * It is possible that we were migrated to a different CPU after
+ * getting the per-CPU ctx but before the mutex was acquired. If
+ * the old CPU got offlined, zswap_cpu_comp_dead() could have
+ * already freed ctx->req (among other things) and set it to
+ * NULL. Just try again on the new CPU that we ended up on.
+ */
+ mutex_unlock(&acomp_ctx->mutex);
+ }
+}
+
+static void acomp_ctx_put_unlock(struct crypto_acomp_ctx *acomp_ctx)
+{
+ mutex_unlock(&acomp_ctx->mutex);
+}
+
static bool zswap_compress(struct page *page, struct zswap_entry *entry,
struct zswap_pool *pool)
{
@@ -893,10 +930,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry,
gfp_t gfp;
u8 *dst;
- acomp_ctx = raw_cpu_ptr(pool->acomp_ctx);
-
- mutex_lock(&acomp_ctx->mutex);
-
+ acomp_ctx = acomp_ctx_get_cpu_lock(pool);
dst = acomp_ctx->buffer;
sg_init_table(&input, 1);
sg_set_page(&input, page, PAGE_SIZE, 0);
@@ -949,7 +983,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry,
else if (alloc_ret)
zswap_reject_alloc_fail++;
- mutex_unlock(&acomp_ctx->mutex);
+ acomp_ctx_put_unlock(acomp_ctx);
return comp_ret == 0 && alloc_ret == 0;
}
@@ -960,9 +994,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio)
struct crypto_acomp_ctx *acomp_ctx;
u8 *src;
- acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx);
- mutex_lock(&acomp_ctx->mutex);
-
+ acomp_ctx = acomp_ctx_get_cpu_lock(entry->pool);
src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO);
/*
* If zpool_map_handle is atomic, we cannot reliably utilize its mapped buffer
@@ -986,10 +1018,10 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio)
acomp_request_set_params(acomp_ctx->req, &input, &output, entry->length, PAGE_SIZE);
BUG_ON(crypto_wait_req(crypto_acomp_decompress(acomp_ctx->req), &acomp_ctx->wait));
BUG_ON(acomp_ctx->req->dlen != PAGE_SIZE);
- mutex_unlock(&acomp_ctx->mutex);
if (src != acomp_ctx->buffer)
zpool_unmap_handle(zpool, entry->handle);
+ acomp_ctx_put_unlock(acomp_ctx);
}
/*********************************
--
2.47.1.613.gc27f4b7a9f-goog
3 months, 3 weeks
- 2
- 2
[PATCH] mm: zswap: properly synchronize freeing resources during CPU hotunplug
by Yosry Ahmed
In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the
current CPU at the beginning of the operation is retrieved and used
throughout. However, since neither preemption nor migration are
disabled, it is possible that the operation continues on a different
CPU.
If the original CPU is hotunplugged while the acomp_ctx is still in use,
we run into a UAF bug as some of the resources attached to the acomp_ctx
are freed during hotunplug in zswap_cpu_comp_dead().
The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to
use crypto_acomp API for hardware acceleration") when the switch to the
crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was
retrieved using get_cpu_ptr() which disables preemption and makes sure
the CPU cannot go away from under us. Preemption cannot be disabled
with the crypto_acomp API as a sleepable context is needed.
During CPU hotunplug, hold the acomp_ctx.mutex before freeing any
resources, and set acomp_ctx.req to NULL when it is freed. In the
compress/decompress paths, after acquiring the acomp_ctx.mutex make sure
that acomp_ctx.req is not NULL (i.e. acomp_ctx resources were not freed
by CPU hotunplug). Otherwise, retry with the acomp_ctx from the new CPU.
This adds proper synchronization to ensure that the acomp_ctx resources
are not freed from under compress/decompress paths.
Note that the per-CPU acomp_ctx itself (including the mutex) is not
freed during CPU hotunplug, only acomp_ctx.req, acomp_ctx.buffer, and
acomp_ctx.acomp. So it is safe to acquire the acomp_ctx.mutex of a CPU
after it is hotunplugged.
Previously a fix was attempted by holding cpus_read_lock() [1]. This
would have caused a potential deadlock as it is possible for code
already holding the lock to fall into reclaim and enter zswap (causing a
deadlock). A fix was also attempted using SRCU for synchronization, but
Johannes pointed out that synchronize_srcu() cannot be used in CPU
hotplug notifiers [2].
Alternative fixes that were considered/attempted and could have worked:
- Refcounting the per-CPU acomp_ctx. This involves complexity in
handling the race between the refcount dropping to zero in
zswap_[de]compress() and the refcount being re-initialized when the
CPU is onlined.
- Disabling migration before getting the per-CPU acomp_ctx [3], but
that's discouraged and is a much bigger hammer than needed, and could
result in subtle performance issues.
[1]https://lkml.kernel.org/20241219212437.2714151-1-yosryahmed@google.com/
[2]https://lkml.kernel.org/20250107074724.1756696-2-yosryahmed@google.com/
[3]https://lkml.kernel.org/20250107222236.2715883-2-yosryahmed@google.com/
Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration")
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Yosry Ahmed <yosryahmed(a)google.com>
Reported-by: Johannes Weiner <hannes(a)cmpxchg.org>
Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/
Reported-by: Sam Sun <samsun1006219(a)gmail.com>
Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tP…
---
This applies on top of the latest mm-hotfixes-unstable on top of 'Revert
"mm: zswap: fix race between [de]compression and CPU hotunplug"' and
after 'mm: zswap: disable migration while using per-CPU acomp_ctx' was
dropped.
---
mm/zswap.c | 42 +++++++++++++++++++++++++++++++++---------
1 file changed, 33 insertions(+), 9 deletions(-)
diff --git a/mm/zswap.c b/mm/zswap.c
index f6316b66fb236..4e3148050e093 100644
--- a/mm/zswap.c
+++ b/mm/zswap.c
@@ -869,17 +869,46 @@ static int zswap_cpu_comp_dead(unsigned int cpu, struct hlist_node *node)
struct zswap_pool *pool = hlist_entry(node, struct zswap_pool, node);
struct crypto_acomp_ctx *acomp_ctx = per_cpu_ptr(pool->acomp_ctx, cpu);
+ mutex_lock(&acomp_ctx->mutex);
if (!IS_ERR_OR_NULL(acomp_ctx)) {
if (!IS_ERR_OR_NULL(acomp_ctx->req))
acomp_request_free(acomp_ctx->req);
+ acomp_ctx->req = NULL;
if (!IS_ERR_OR_NULL(acomp_ctx->acomp))
crypto_free_acomp(acomp_ctx->acomp);
kfree(acomp_ctx->buffer);
}
+ mutex_unlock(&acomp_ctx->mutex);
return 0;
}
+static struct crypto_acomp_ctx *acomp_ctx_get_cpu_lock(
+ struct crypto_acomp_ctx __percpu *acomp_ctx)
+{
+ struct crypto_acomp_ctx *ctx;
+
+ for (;;) {
+ ctx = raw_cpu_ptr(acomp_ctx);
+ mutex_lock(&ctx->mutex);
+ if (likely(ctx->req))
+ return ctx;
+ /*
+ * It is possible that we were migrated to a different CPU after
+ * getting the per-CPU ctx but before the mutex was acquired. If
+ * the old CPU got offlined, zswap_cpu_comp_dead() could have
+ * already freed ctx->req (among other things) and set it to
+ * NULL. Just try again on the new CPU that we ended up on.
+ */
+ mutex_unlock(&ctx->mutex);
+ }
+}
+
+static void acomp_ctx_put_unlock(struct crypto_acomp_ctx *ctx)
+{
+ mutex_unlock(&ctx->mutex);
+}
+
static bool zswap_compress(struct page *page, struct zswap_entry *entry,
struct zswap_pool *pool)
{
@@ -893,10 +922,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry,
gfp_t gfp;
u8 *dst;
- acomp_ctx = raw_cpu_ptr(pool->acomp_ctx);
-
- mutex_lock(&acomp_ctx->mutex);
-
+ acomp_ctx = acomp_ctx_get_cpu_lock(pool->acomp_ctx);
dst = acomp_ctx->buffer;
sg_init_table(&input, 1);
sg_set_page(&input, page, PAGE_SIZE, 0);
@@ -949,7 +975,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry,
else if (alloc_ret)
zswap_reject_alloc_fail++;
- mutex_unlock(&acomp_ctx->mutex);
+ acomp_ctx_put_unlock(acomp_ctx);
return comp_ret == 0 && alloc_ret == 0;
}
@@ -960,9 +986,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio)
struct crypto_acomp_ctx *acomp_ctx;
u8 *src;
- acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx);
- mutex_lock(&acomp_ctx->mutex);
-
+ acomp_ctx = acomp_ctx_get_cpu_lock(entry->pool->acomp_ctx);
src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO);
/*
* If zpool_map_handle is atomic, we cannot reliably utilize its mapped buffer
@@ -986,10 +1010,10 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio)
acomp_request_set_params(acomp_ctx->req, &input, &output, entry->length, PAGE_SIZE);
BUG_ON(crypto_wait_req(crypto_acomp_decompress(acomp_ctx->req), &acomp_ctx->wait));
BUG_ON(acomp_ctx->req->dlen != PAGE_SIZE);
- mutex_unlock(&acomp_ctx->mutex);
if (src != acomp_ctx->buffer)
zpool_unmap_handle(zpool, entry->handle);
+ acomp_ctx_put_unlock(acomp_ctx);
}
/*********************************
--
2.47.1.613.gc27f4b7a9f-goog
3 months, 3 weeks
- 3
- 3
[PATCH 6.6.y 1/2] erofs: handle overlapped pclusters out of crafted images properly
by Gao Xiang
commit 9e2f9d34dd12e6e5b244ec488bcebd0c2d566c50 upstream.
syzbot reported a task hang issue due to a deadlock case where it is
waiting for the folio lock of a cached folio that will be used for
cache I/Os.
After looking into the crafted fuzzed image, I found it's formed with
several overlapped big pclusters as below:
Ext: logical offset | length : physical offset | length
0: 0.. 16384 | 16384 : 151552.. 167936 | 16384
1: 16384.. 32768 | 16384 : 155648.. 172032 | 16384
2: 32768.. 49152 | 16384 : 537223168.. 537239552 | 16384
...
Here, extent 0/1 are physically overlapped although it's entirely
_impossible_ for normal filesystem images generated by mkfs.
First, managed folios containing compressed data will be marked as
up-to-date and then unlocked immediately (unlike in-place folios) when
compressed I/Os are complete. If physical blocks are not submitted in
the incremental order, there should be separate BIOs to avoid dependency
issues. However, the current code mis-arranges z_erofs_fill_bio_vec()
and BIO submission which causes unexpected BIO waits.
Second, managed folios will be connected to their own pclusters for
efficient inter-queries. However, this is somewhat hard to implement
easily if overlapped big pclusters exist. Again, these only appear in
fuzzed images so let's simply fall back to temporary short-lived pages
for correctness.
Additionally, it justifies that referenced managed folios cannot be
truncated for now and reverts part of commit 2080ca1ed3e4 ("erofs: tidy
up `struct z_erofs_bvec`") for simplicity although it shouldn't be any
difference.
Reported-by: syzbot+4fc98ed414ae63d1ada2(a)syzkaller.appspotmail.com
Reported-by: syzbot+de04e06b28cfecf2281c(a)syzkaller.appspotmail.com
Reported-by: syzbot+c8c8238b394be4a1087d(a)syzkaller.appspotmail.com
Tested-by: syzbot+4fc98ed414ae63d1ada2(a)syzkaller.appspotmail.com
Closes: https://lore.kernel.org/r/0000000000002fda01061e334873@google.com
Fixes: 8e6c8fa9f2e9 ("erofs: enable big pcluster feature")
Link: https://lore.kernel.org/r/20240910070847.3356592-1-hsiangkao@linux.alibaba.…
Signed-off-by: Gao Xiang <hsiangkao(a)linux.alibaba.com>
---
fs/erofs/zdata.c | 59 +++++++++++++++++++++++++-----------------------
1 file changed, 31 insertions(+), 28 deletions(-)
diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c
index 1c0e6167d8e7..9fa07436a4da 100644
--- a/fs/erofs/zdata.c
+++ b/fs/erofs/zdata.c
@@ -1483,14 +1483,13 @@ static struct page *pickup_page_for_submission(struct z_erofs_pcluster *pcl,
goto out;
lock_page(page);
-
- /* only true if page reclaim goes wrong, should never happen */
- DBG_BUGON(justfound && PagePrivate(page));
-
- /* the page is still in manage cache */
- if (page->mapping == mc) {
+ if (likely(page->mapping == mc)) {
WRITE_ONCE(pcl->compressed_bvecs[nr].page, page);
+ /*
+ * The cached folio is still in managed cache but without
+ * a valid `->private` pcluster hint. Let's reconnect them.
+ */
if (!PagePrivate(page)) {
/*
* impossible to be !PagePrivate(page) for
@@ -1504,22 +1503,24 @@ static struct page *pickup_page_for_submission(struct z_erofs_pcluster *pcl,
SetPagePrivate(page);
}
- /* no need to submit io if it is already up-to-date */
- if (PageUptodate(page)) {
- unlock_page(page);
- page = NULL;
+ if (likely(page->private == (unsigned long)pcl)) {
+ /* don't submit cache I/Os again if already uptodate */
+ if (PageUptodate(page)) {
+ unlock_page(page);
+ page = NULL;
+
+ }
+ goto out;
}
- goto out;
+ /*
+ * Already linked with another pcluster, which only appears in
+ * crafted images by fuzzers for now. But handle this anyway.
+ */
+ tocache = false; /* use temporary short-lived pages */
+ } else {
+ DBG_BUGON(1); /* referenced managed folios can't be truncated */
+ tocache = true;
}
-
- /*
- * the managed page has been truncated, it's unsafe to
- * reuse this one, let's allocate a new cache-managed page.
- */
- DBG_BUGON(page->mapping);
- DBG_BUGON(!justfound);
-
- tocache = true;
unlock_page(page);
put_page(page);
out_allocpage:
@@ -1677,16 +1678,11 @@ static void z_erofs_submit_queue(struct z_erofs_decompress_frontend *f,
end = cur + pcl->pclusterpages;
do {
- struct page *page;
-
- page = pickup_page_for_submission(pcl, i++,
- &f->pagepool, mc);
- if (!page)
- continue;
+ struct page *page = NULL;
if (bio && (cur != last_index + 1 ||
last_bdev != mdev.m_bdev)) {
-submit_bio_retry:
+drain_io:
submit_bio(bio);
if (memstall) {
psi_memstall_leave(&pflags);
@@ -1695,6 +1691,13 @@ static void z_erofs_submit_queue(struct z_erofs_decompress_frontend *f,
bio = NULL;
}
+ if (!page) {
+ page = pickup_page_for_submission(pcl, i++,
+ &f->pagepool, mc);
+ if (!page)
+ continue;
+ }
+
if (unlikely(PageWorkingset(page)) && !memstall) {
psi_memstall_enter(&pflags);
memstall = 1;
@@ -1715,7 +1718,7 @@ static void z_erofs_submit_queue(struct z_erofs_decompress_frontend *f,
}
if (bio_add_page(bio, page, PAGE_SIZE, 0) < PAGE_SIZE)
- goto submit_bio_retry;
+ goto drain_io;
last_index = cur;
bypass = false;
--
2.43.5
3 months, 3 weeks
- 2
- 2
[PATCH 5.10-6.1] ceph: give up on paths longer than PATH_MAX
by Ilya Dryomov
From: Max Kellermann <max.kellermann(a)ionos.com>
commit 550f7ca98ee028a606aa75705a7e77b1bd11720f upstream.
If the full path to be built by ceph_mdsc_build_path() happens to be
longer than PATH_MAX, then this function will enter an endless (retry)
loop, effectively blocking the whole task. Most of the machine
becomes unusable, making this a very simple and effective DoS
vulnerability.
I cannot imagine why this retry was ever implemented, but it seems
rather useless and harmful to me. Let's remove it and fail with
ENAMETOOLONG instead.
Cc: stable(a)vger.kernel.org
Reported-by: Dario Weißer <dario(a)cure53.de>
Signed-off-by: Max Kellermann <max.kellermann(a)ionos.com>
Reviewed-by: Alex Markuze <amarkuze(a)redhat.com>
Signed-off-by: Ilya Dryomov <idryomov(a)gmail.com>
[idryomov(a)gmail.com: backport to 6.1: pr_warn() is still in use]
---
fs/ceph/mds_client.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
index da9fcf48ab6c..741ca7d10032 100644
--- a/fs/ceph/mds_client.c
+++ b/fs/ceph/mds_client.c
@@ -2447,12 +2447,11 @@ char *ceph_mdsc_build_path(struct dentry *dentry, int *plen, u64 *pbase,
if (pos < 0) {
/*
- * A rename didn't occur, but somehow we didn't end up where
- * we thought we would. Throw a warning and try again.
+ * The path is longer than PATH_MAX and this function
+ * cannot ever succeed. Creating paths that long is
+ * possible with Ceph, but Linux cannot use them.
*/
- pr_warn("build_path did not end path lookup where "
- "expected, pos is %d\n", pos);
- goto retry;
+ return ERR_PTR(-ENAMETOOLONG);
}
*pbase = base;
--
2.46.1
3 months, 3 weeks
- 2
- 1
[PATCH net] netdev: prevent accessing NAPI instances from another namespace
by Jakub Kicinski
The NAPI IDs were not fully exposed to user space prior to the netlink
API, so they were never namespaced. The netlink API must ensure that
at the very least NAPI instance belongs to the same netns as the owner
of the genl sock.
napi_by_id() can become static now, but it needs to move because of
dev_get_by_napi_id().
Cc: stable(a)vger.kernel.org
Fixes: 1287c1ae0fc2 ("netdev-genl: Support setting per-NAPI config values")
Fixes: 27f91aaf49b3 ("netdev-genl: Add netlink framework functions for napi")
Signed-off-by: Jakub Kicinski <kuba(a)kernel.org>
---
Splitting this into fix per-version is a bit tricky, because we need
to replace the napi_by_id() helper with a better one. I'll send the
stable versions manually.
CC: jdamato(a)fastly.com
CC: almasrymina(a)google.com
CC: amritha.nambiar(a)intel.com
CC: sridhar.samudrala(a)intel.com
---
net/core/dev.c | 43 +++++++++++++++++++++++++++++-------------
net/core/dev.h | 3 ++-
net/core/netdev-genl.c | 6 ++----
3 files changed, 34 insertions(+), 18 deletions(-)
diff --git a/net/core/dev.c b/net/core/dev.c
index 7c63d97b13c1..e001df4cb486 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -753,6 +753,36 @@ int dev_fill_forward_path(const struct net_device *dev, const u8 *daddr,
}
EXPORT_SYMBOL_GPL(dev_fill_forward_path);
+/* must be called under rcu_read_lock(), as we dont take a reference */
+static struct napi_struct *napi_by_id(unsigned int napi_id)
+{
+ unsigned int hash = napi_id % HASH_SIZE(napi_hash);
+ struct napi_struct *napi;
+
+ hlist_for_each_entry_rcu(napi, &napi_hash[hash], napi_hash_node)
+ if (napi->napi_id == napi_id)
+ return napi;
+
+ return NULL;
+}
+
+/* must be called under rcu_read_lock(), as we dont take a reference */
+struct napi_struct *netdev_napi_by_id(struct net *net, unsigned int napi_id)
+{
+ struct napi_struct *napi;
+
+ napi = napi_by_id(napi_id);
+ if (!napi)
+ return NULL;
+
+ if (WARN_ON_ONCE(!napi->dev))
+ return NULL;
+ if (!net_eq(net, dev_net(napi->dev)))
+ return NULL;
+
+ return napi;
+}
+
/**
* __dev_get_by_name - find a device by its name
* @net: the applicable net namespace
@@ -6293,19 +6323,6 @@ bool napi_complete_done(struct napi_struct *n, int work_done)
}
EXPORT_SYMBOL(napi_complete_done);
-/* must be called under rcu_read_lock(), as we dont take a reference */
-struct napi_struct *napi_by_id(unsigned int napi_id)
-{
- unsigned int hash = napi_id % HASH_SIZE(napi_hash);
- struct napi_struct *napi;
-
- hlist_for_each_entry_rcu(napi, &napi_hash[hash], napi_hash_node)
- if (napi->napi_id == napi_id)
- return napi;
-
- return NULL;
-}
-
static void skb_defer_free_flush(struct softnet_data *sd)
{
struct sk_buff *skb, *next;
diff --git a/net/core/dev.h b/net/core/dev.h
index aa91eed55a40..08812a025a9b 100644
--- a/net/core/dev.h
+++ b/net/core/dev.h
@@ -22,6 +22,8 @@ struct sd_flow_limit {
extern int netdev_flow_limit_table_len;
+struct napi_struct *netdev_napi_by_id(struct net *net, unsigned int napi_id);
+
#ifdef CONFIG_PROC_FS
int __init dev_proc_init(void);
#else
@@ -269,7 +271,6 @@ void xdp_do_check_flushed(struct napi_struct *napi);
static inline void xdp_do_check_flushed(struct napi_struct *napi) { }
#endif
-struct napi_struct *napi_by_id(unsigned int napi_id);
void kick_defer_list_purge(struct softnet_data *sd, unsigned int cpu);
#define XMIT_RECURSION_LIMIT 8
diff --git a/net/core/netdev-genl.c b/net/core/netdev-genl.c
index 125b660004d3..a3bdaf075b6b 100644
--- a/net/core/netdev-genl.c
+++ b/net/core/netdev-genl.c
@@ -167,8 +167,6 @@ netdev_nl_napi_fill_one(struct sk_buff *rsp, struct napi_struct *napi,
void *hdr;
pid_t pid;
- if (WARN_ON_ONCE(!napi->dev))
- return -EINVAL;
if (!(napi->dev->flags & IFF_UP))
return 0;
@@ -234,7 +232,7 @@ int netdev_nl_napi_get_doit(struct sk_buff *skb, struct genl_info *info)
rtnl_lock();
rcu_read_lock();
- napi = napi_by_id(napi_id);
+ napi = netdev_napi_by_id(genl_info_net(info), napi_id);
if (napi) {
err = netdev_nl_napi_fill_one(rsp, napi, info);
} else {
@@ -355,7 +353,7 @@ int netdev_nl_napi_set_doit(struct sk_buff *skb, struct genl_info *info)
rtnl_lock();
rcu_read_lock();
- napi = napi_by_id(napi_id);
+ napi = netdev_napi_by_id(genl_info_net(info), napi_id);
if (napi) {
err = netdev_nl_napi_set_config(napi, info);
} else {
--
2.47.1
3 months, 3 weeks
- 5
- 6
[PATCH v5 0/5] arm64: Support 2024 dpISA extensions
by Mark Brown
The 2024 architecture release includes a number of data processing
extensions, mostly SVE and SME additions with a few others. These are
all very straightforward extensions which add instructions but no
architectural state so only need hwcaps and exposing of the ID registers
to KVM guests and userspace.
Signed-off-by: Mark Brown <broonie(a)kernel.org>
---
Changes in v5:
- Rebase onto arm64/for-next/cpufeature, which incorporates most of the
sysreg updates from earlier versions.
- Remove SF8MM8 and SF8MM4 register defintitions which were removed from
the ISA in the 2024-12 XML release, along with their associated hwcaps.
- Incorporate Marc's fix for SVE hwcaps on SME only systems and update
the hwcaps for the newly added features to follow the same pattern.
- Link to v4: https://lore.kernel.org/r/20241211-arm64-2024-dpisa-v4-0-0fd403876df2@kerne…
Changes in v4:
- Fix encodings for ID_AA64ISAR3_EL1.
- Link to v3: https://lore.kernel.org/r/20241203-arm64-2024-dpisa-v3-0-a6c78b1aa297@kerne…
Changes in v3:
- Commit log update for the hwcap test.
- Link to v2: https://lore.kernel.org/r/20241030-arm64-2024-dpisa-v2-0-b6601a15d2a5@kerne…
Changes in v2:
- Filter KVM guest visible bitfields in ID_AA64ISAR3_EL1 to only those
we make writeable.
- Link to v1: https://lore.kernel.org/r/20241028-arm64-2024-dpisa-v1-0-a38d08b008a8@kerne…
---
Marc Zyngier (1):
arm64: Filter out SVE hwcaps when FEAT_SVE isn't implemented
Mark Brown (4):
arm64/sysreg: Update ID_AA64SMFR0_EL1 to DDI0601 2024-12
arm64/hwcap: Describe 2024 dpISA extensions to userspace
KVM: arm64: Allow control of dpISA extensions in ID_AA64ISAR3_EL1
kselftest/arm64: Add 2024 dpISA extensions to hwcap test
Documentation/arch/arm64/elf_hwcaps.rst | 89 +++++++++--
arch/arm64/include/asm/hwcap.h | 15 ++
arch/arm64/include/uapi/asm/hwcap.h | 15 ++
arch/arm64/kernel/cpufeature.c | 71 +++++++--
arch/arm64/kernel/cpuinfo.c | 15 ++
arch/arm64/kvm/sys_regs.c | 6 +-
arch/arm64/tools/sysreg | 26 +++-
tools/testing/selftests/arm64/abi/hwcap.c | 235 +++++++++++++++++++++++++++++-
8 files changed, 441 insertions(+), 31 deletions(-)
---
base-commit: d66e21d59ed0e043e68ef8c6541c1e9f1a962614
change-id: 20241008-arm64-2024-dpisa-8091074a7f48
Best regards,
--
Mark Brown <broonie(a)kernel.org>
3 months, 3 weeks
- 3
- 3
[PATCH v3] arm64/sme: Move storage of reg_smidr to __cpuinfo_store_cpu()
by Mark Brown
In commit 892f7237b3ff ("arm64: Delay initialisation of
cpuinfo_arm64::reg_{zcr,smcr}") we moved access to ZCR, SMCR and SMIDR
later in the boot process in order to ensure that we don't attempt to
interact with them if SVE or SME is disabled on the command line.
Unfortunately when initialising the boot CPU in init_cpu_features() we work
on a copy of the struct cpuinfo_arm64 for the boot CPU used only during
boot, not the percpu copy used by the sysfs code. The expectation of the
feature identification code was that the ID registers would be read in
__cpuinfo_store_cpu() and the values not modified by init_cpu_features().
The main reason for the original change was to avoid early accesses to
ZCR on practical systems that were seen shipping with SVE reported in ID
registers but traps enabled at EL3 and handled as fatal errors, SME was
rolled in due to the similarity with SVE. Since then we have removed the
early accesses to ZCR and SMCR in commits:
abef0695f9665c3d ("arm64/sve: Remove ZCR pseudo register from cpufeature code")
391208485c3ad50f ("arm64/sve: Remove SMCR pseudo register from cpufeature code")
so only the SMIDR_EL1 part of the change remains. Since SMIDR_EL1 is
only trapped via FEAT_IDST and not the SME trap it is less likely to be
affected by similar issues, and the factors that lead to issues with SVE
are less likely to apply to SME.
Since we have not yet seen practical SME systems that need to use a
command line override (and are only just beginning to see SME systems at
all) and the ID register read is much more likely to be safe let's just
store SMIDR_EL1 along with all the other ID register reads in
__cpuinfo_store_cpu().
This issue wasn't apparent when testing on emulated platforms that do not
report values in SMIDR_EL1.
Fixes: 892f7237b3ff ("arm64: Delay initialisation of cpuinfo_arm64::reg_{zcr,smcr}")
Signed-off-by: Mark Brown <broonie(a)kernel.org>
Cc: stable(a)vger.kernel.org
---
Changes in v3:
- Leave the override in place.
- Link to v2: https://lore.kernel.org/r/20241216-arm64-fix-boot-cpu-smidr-v2-1-a99ffba2c3…
Changes in v2:
- Move the ID register read back to __cpuinfo_store_cpu().
- Remove the command line option for SME ID register override.
- Link to v1: https://lore.kernel.org/r/20241214-arm64-fix-boot-cpu-smidr-v1-1-0745c40772…
---
arch/arm64/kernel/cpufeature.c | 13 -------------
arch/arm64/kernel/cpuinfo.c | 10 ++++++++++
2 files changed, 10 insertions(+), 13 deletions(-)
diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
index 6ce71f444ed84f9056196bb21bbfac61c9687e30..818aca922ca6066eb4bdf79e153cccb24246c61b 100644
--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -1167,12 +1167,6 @@ void __init init_cpu_features(struct cpuinfo_arm64 *info)
id_aa64pfr1_sme(read_sanitised_ftr_reg(SYS_ID_AA64PFR1_EL1))) {
unsigned long cpacr = cpacr_save_enable_kernel_sme();
- /*
- * We mask out SMPS since even if the hardware
- * supports priorities the kernel does not at present
- * and we block access to them.
- */
- info->reg_smidr = read_cpuid(SMIDR_EL1) & ~SMIDR_EL1_SMPS;
vec_init_vq_map(ARM64_VEC_SME);
cpacr_restore(cpacr);
@@ -1423,13 +1417,6 @@ void update_cpu_features(int cpu,
id_aa64pfr1_sme(read_sanitised_ftr_reg(SYS_ID_AA64PFR1_EL1))) {
unsigned long cpacr = cpacr_save_enable_kernel_sme();
- /*
- * We mask out SMPS since even if the hardware
- * supports priorities the kernel does not at present
- * and we block access to them.
- */
- info->reg_smidr = read_cpuid(SMIDR_EL1) & ~SMIDR_EL1_SMPS;
-
/* Probe vector lengths */
if (!system_capabilities_finalized())
vec_update_vq_map(ARM64_VEC_SME);
diff --git a/arch/arm64/kernel/cpuinfo.c b/arch/arm64/kernel/cpuinfo.c
index d79e88fccdfce427507e7a34c5959ce6309cbd12..c45633b5ae233fe78607fce3d623efb28a9f341a 100644
--- a/arch/arm64/kernel/cpuinfo.c
+++ b/arch/arm64/kernel/cpuinfo.c
@@ -482,6 +482,16 @@ static void __cpuinfo_store_cpu(struct cpuinfo_arm64 *info)
if (id_aa64pfr0_mpam(info->reg_id_aa64pfr0))
info->reg_mpamidr = read_cpuid(MPAMIDR_EL1);
+ if (IS_ENABLED(CONFIG_ARM64_SME) &&
+ id_aa64pfr1_sme(info->reg_id_aa64pfr1)) {
+ /*
+ * We mask out SMPS since even if the hardware
+ * supports priorities the kernel does not at present
+ * and we block access to them.
+ */
+ info->reg_smidr = read_cpuid(SMIDR_EL1) & ~SMIDR_EL1_SMPS;
+ }
+
cpuinfo_detect_icache_policy(info);
}
---
base-commit: fac04efc5c793dccbd07e2d59af9f90b7fc0dca4
change-id: 20241213-arm64-fix-boot-cpu-smidr-386b8db292b2
Best regards,
--
Mark Brown <broonie(a)kernel.org>
3 months, 3 weeks
- 2
- 1
[PATCH] m68k: Fix VGA I/O defines
by Thomas Zimmermann
Including m86k's <asm/raw_io.h> in vga.h on nommu platforms results
in conflicting defines with io_no.h for various I/O macros from the
__raw_read and __raw_write families. An example error is
In file included from arch/m68k/include/asm/vga.h:12,
from include/video/vga.h:22,
from include/linux/vgaarb.h:34,
from drivers/video/aperture.c:12:
>> arch/m68k/include/asm/raw_io.h:39: warning: "__raw_readb" redefined
39 | #define __raw_readb in_8
|
In file included from arch/m68k/include/asm/io.h:6,
from include/linux/io.h:13,
from include/linux/irq.h:20,
from include/asm-generic/hardirq.h:17,
from ./arch/m68k/include/generated/asm/hardirq.h:1,
from include/linux/hardirq.h:11,
from include/linux/interrupt.h:11,
from include/linux/trace_recursion.h:5,
from include/linux/ftrace.h:10,
from include/linux/kprobes.h:28,
from include/linux/kgdb.h:19,
from include/linux/fb.h:6,
from drivers/video/aperture.c:5:
arch/m68k/include/asm/io_no.h:16: note: this is the location of the previous definition
16 | #define __raw_readb(addr) \
|
Include <asm/io.h>, which avoid raw_io.h on nommu platforms. Also change
the defined values of some of the read/write symbols in vga.h to
__raw_read/__raw_write as the raw_in/raw_out symbols are not generally
available.
Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de>
Reported-by: kernel test robot <lkp(a)intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202501071629.DNEswlm8-lkp@intel.com/
Fixes: 5c3f968712ce ("m68k/video: Create <asm/vga.h>")
Cc: Geert Uytterhoeven <geert(a)linux-m68k.org>
Cc: linux-fbdev(a)vger.kernel.org
Cc: dri-devel(a)lists.freedesktop.org
Cc: Helge Deller <deller(a)gmx.de>
Cc: <stable(a)vger.kernel.org> # v3.5+
---
arch/m68k/include/asm/vga.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/m68k/include/asm/vga.h b/arch/m68k/include/asm/vga.h
index 4742e6bc3ab8..cdd414fa8710 100644
--- a/arch/m68k/include/asm/vga.h
+++ b/arch/m68k/include/asm/vga.h
@@ -9,7 +9,7 @@
*/
#ifndef CONFIG_PCI
-#include <asm/raw_io.h>
+#include <asm/io.h>
#include <asm/kmap.h>
/*
@@ -29,9 +29,9 @@
#define inw_p(port) 0
#define outb_p(port, val) do { } while (0)
#define outw(port, val) do { } while (0)
-#define readb raw_inb
-#define writeb raw_outb
-#define writew raw_outw
+#define readb __raw_readb
+#define writeb __raw_writeb
+#define writew __raw_writew
#endif /* CONFIG_PCI */
#endif /* _ASM_M68K_VGA_H */
--
2.47.1
3 months, 3 weeks
- 2
- 1
[PATCH v2 2/2] mm: zswap: disable migration while using per-CPU acomp_ctx
by Yosry Ahmed
In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the
current CPU at the beginning of the operation is retrieved and used
throughout. However, since neither preemption nor migration are disabled,
it is possible that the operation continues on a different CPU.
If the original CPU is hotunplugged while the acomp_ctx is still in use,
we run into a UAF bug as the resources attached to the acomp_ctx are freed
during hotunplug in zswap_cpu_comp_dead().
The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use
crypto_acomp API for hardware acceleration") when the switch to the
crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was
retrieved using get_cpu_ptr() which disables preemption and makes sure the
CPU cannot go away from under us. Preemption cannot be disabled with the
crypto_acomp API as a sleepable context is needed.
Commit 8ba2f844f050 ("mm/zswap: change per-cpu mutex and buffer to
per-acomp_ctx") increased the UAF surface area by making the per-CPU
buffers dynamic, adding yet another resource that can be freed from under
zswap compression/decompression by CPU hotunplug.
This cannot be fixed by holding cpus_read_lock(), as it is possible for
code already holding the lock to fall into reclaim and enter zswap
(causing a deadlock). It also cannot be fixed by wrapping the usage of
acomp_ctx in an SRCU critical section and using synchronize_srcu() in
zswap_cpu_comp_dead(), because synchronize_srcu() is not allowed in
CPU-hotplug notifiers (see
Documentation/RCU/Design/Requirements/Requirements.rst).
This can be fixed by refcounting the acomp_ctx, but it involves
complexity in handling the race between the refcount dropping to zero in
zswap_[de]compress() and the refcount being re-initialized when the CPU
is onlined.
Keep things simple for now and just disable migration while using the
per-CPU acomp_ctx to block CPU hotunplug until the usage is over.
Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration")
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Yosry Ahmed <yosryahmed(a)google.com>
Reported-by: Johannes Weiner <hannes(a)cmpxchg.org>
Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/
Reported-by: Sam Sun <samsun1006219(a)gmail.com>
Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tP…
---
mm/zswap.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/mm/zswap.c b/mm/zswap.c
index f6316b66fb236..ecd86153e8a32 100644
--- a/mm/zswap.c
+++ b/mm/zswap.c
@@ -880,6 +880,18 @@ static int zswap_cpu_comp_dead(unsigned int cpu, struct hlist_node *node)
return 0;
}
+/* Remain on the CPU while using its acomp_ctx to stop it from going offline */
+static struct crypto_acomp_ctx *acomp_ctx_get_cpu(struct crypto_acomp_ctx __percpu *acomp_ctx)
+{
+ migrate_disable();
+ return raw_cpu_ptr(acomp_ctx);
+}
+
+static void acomp_ctx_put_cpu(void)
+{
+ migrate_enable();
+}
+
static bool zswap_compress(struct page *page, struct zswap_entry *entry,
struct zswap_pool *pool)
{
@@ -893,8 +905,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry,
gfp_t gfp;
u8 *dst;
- acomp_ctx = raw_cpu_ptr(pool->acomp_ctx);
-
+ acomp_ctx = acomp_ctx_get_cpu(pool->acomp_ctx);
mutex_lock(&acomp_ctx->mutex);
dst = acomp_ctx->buffer;
@@ -950,6 +961,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry,
zswap_reject_alloc_fail++;
mutex_unlock(&acomp_ctx->mutex);
+ acomp_ctx_put_cpu();
return comp_ret == 0 && alloc_ret == 0;
}
@@ -960,7 +972,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio)
struct crypto_acomp_ctx *acomp_ctx;
u8 *src;
- acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx);
+ acomp_ctx = acomp_ctx_get_cpu(entry->pool->acomp_ctx);
mutex_lock(&acomp_ctx->mutex);
src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO);
@@ -990,6 +1002,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio)
if (src != acomp_ctx->buffer)
zpool_unmap_handle(zpool, entry->handle);
+ acomp_ctx_put_cpu();
}
/*********************************
--
2.47.1.613.gc27f4b7a9f-goog
3 months, 3 weeks
- 6
- 23
[PATCH 1/1] usb: pd: fix the SenderResponseTimer conform to specification
by joswang
From: Jos Wang <joswang(a)lenovo.com>
According to the USB PD3 CTS specification
(https://usb.org/document-library/
usb-power-delivery-compliance-test-specification-0/
USB_PD3_CTS_Q4_2024_OR.zip), the requirements for
tSenderResponse are different in PD2 and PD3 modes, see
Table 19 Timing Table & Calculations. For PD2 mode, the
tSenderResponse min 24ms and max 30ms; for PD3 mode, the
tSenderResponse min 27ms and max 33ms.
For the "TEST.PD.PROT.SRC.2 Get_Source_Cap No Request" test
item, after receiving the Source_Capabilities Message sent by
the UUT, the tester deliberately does not send a Request Message
in order to force the SenderResponse timer on the Source UUT to
timeout. The Tester checks that a Hard Reset is detected between
tSenderResponse min and max,the delay is between the last bit of
the GoodCRC Message EOP has been sent and the first bit of Hard
Reset SOP has been received. The current code does not distinguish
between PD2 and PD3 modes, and tSenderResponse defaults to 60ms.
This will cause this test item and the following tests to fail:
TEST.PD.PROT.SRC3.2 SenderResponseTimer Timeout
TEST.PD.PROT.SNK.6 SenderResponseTimer Timeout
Set the SenderResponseTimer timeout to 27ms to meet the PD2
and PD3 mode requirements.
Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)")
Cc: stable(a)vger.kernel.org
Signed-off-by: Jos Wang <joswang(a)lenovo.com>
---
include/linux/usb/pd.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/usb/pd.h b/include/linux/usb/pd.h
index 3068c3084eb6..99ca49bbf376 100644
--- a/include/linux/usb/pd.h
+++ b/include/linux/usb/pd.h
@@ -475,7 +475,7 @@ static inline unsigned int rdo_max_power(u32 rdo)
#define PD_T_NO_RESPONSE 5000 /* 4.5 - 5.5 seconds */
#define PD_T_DB_DETECT 10000 /* 10 - 15 seconds */
#define PD_T_SEND_SOURCE_CAP 150 /* 100 - 200 ms */
-#define PD_T_SENDER_RESPONSE 60 /* 24 - 30 ms, relaxed */
+#define PD_T_SENDER_RESPONSE 27 /* 24 - 30 ms */
#define PD_T_RECEIVER_RESPONSE 15 /* 15ms max */
#define PD_T_SOURCE_ACTIVITY 45
#define PD_T_SINK_ACTIVITY 135
--
2.17.1
3 months, 3 weeks
- 3
- 4
[PATCH 6.1 00/81] 6.1.124-rc1 review
by Greg Kroah-Hartman
This is the start of the stable review cycle for the 6.1.124 release.
There are 81 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed, 08 Jan 2025 15:11:04 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.124-rc…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 6.1.124-rc1
Paolo Abeni <pabeni(a)redhat.com>
mptcp: don't always assume copied data in mptcp_cleanup_rbuf()
Paolo Abeni <pabeni(a)redhat.com>
mptcp: fix recvbuffer adjust on sleeping rcvmsg
Paolo Abeni <pabeni(a)redhat.com>
mptcp: fix TCP options overflow.
Seiji Nishikawa <snishika(a)redhat.com>
mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim()
Yafang Shao <laoar.shao(a)gmail.com>
mm/readahead: fix large folio support in async readahead
Biju Das <biju.das.jz(a)bp.renesas.com>
dt-bindings: display: adi,adv7533: Drop single lane support
Biju Das <biju.das.jz(a)bp.renesas.com>
drm: adv7511: Drop dsi single lane support
Nikolay Kuratov <kniv(a)yandex-team.ru>
net/sctp: Prevent autoclose integer overflow in sctp_association_init()
Pascal Hambourg <pascal(a)plouf.fr.eu.org>
sky2: Add device ID 11ab:4373 for Marvell 88E8075
Evgenii Shatokhin <e.shatokhin(a)yadro.com>
pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking
Dan Carpenter <dan.carpenter(a)linaro.org>
RDMA/uverbs: Prevent integer overflow issue
Arnd Bergmann <arnd(a)arndb.de>
kcov: mark in_softirq_really() as __always_inline
Takashi Iwai <tiwai(a)suse.de>
ALSA: seq: oss: Fix races at processing SysEx messages
Daniel Schaefer <dhs(a)frame.work>
ALSA hda/realtek: Add quirk for Framework F111:000C
Masahiro Yamada <masahiroy(a)kernel.org>
modpost: fix the missed iteration for the max bit in do_input()
Masahiro Yamada <masahiroy(a)kernel.org>
modpost: fix input MODULE_DEVICE_TABLE() built for 64-bit on 32-bit host
Michal Pecio <michal.pecio(a)gmail.com>
usb: xhci: Avoid queuing redundant Stop Endpoint commands
Leon Romanovsky <leon(a)kernel.org>
ARC: build: Try to guess GCC variant of cross compiler
Uros Bizjak <ubizjak(a)gmail.com>
irqchip/gic: Correct declaration of *percpu_base pointer in union gic_base
Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com>
Bluetooth: hci_core: Fix sleeping function called from invalid context
Daniele Palmas <dnlplm(a)gmail.com>
net: usb: qmi_wwan: add Telit FE910C04 compositions
Hobin Woo <hobin.woo(a)samsung.com>
ksmbd: retry iterate_dir in smb2_query_dir
Anton Protopopov <aspsk(a)isovalent.com>
bpf: fix potential error return
Adrian Ratiu <adrian.ratiu(a)collabora.com>
sound: usb: format: don't warn that raw DSD is unsupported
Adrian Ratiu <adrian.ratiu(a)collabora.com>
sound: usb: enable DSD output for ddHiFi TC44C
Vasiliy Kovalev <kovalev(a)altlinux.org>
ALSA: hda/realtek: Add new alc2xx-fixup-headset-mic model
Filipe Manana <fdmanana(a)suse.com>
btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount
Prike Liang <Prike.Liang(a)amd.com>
drm/amdkfd: Correct the migration DMA map direction
Emmanuel Grumbach <emmanuel.grumbach(a)intel.com>
wifi: mac80211: wake the queues in case of failure in resume
Filipe Manana <fdmanana(a)suse.com>
btrfs: fix use-after-free when COWing tree bock and tracing is enabled
Filipe Manana <fdmanana(a)suse.com>
btrfs: rename and export __btrfs_cow_block()
Eric Dumazet <edumazet(a)google.com>
ila: serialize calls to nf_register_net_hooks()
Eric Dumazet <edumazet(a)google.com>
af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK
Eric Dumazet <edumazet(a)google.com>
af_packet: fix vlan_get_tci() vs MSG_PEEK
Maciej S. Szmigiero <mail(a)maciej.szmigiero.name>
net: wwan: iosm: Properly check for valid exec stage in ipc_mmio_init()
Eric Dumazet <edumazet(a)google.com>
net: restrict SO_REUSEPORT to inet sockets
Willem de Bruijn <willemb(a)google.com>
net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets
Li Zhijian <lizhijian(a)fujitsu.com>
RDMA/rtrs: Ensure 'ib_sge list' is accessible
Jinjian Song <jinjian.song(a)fibocom.com>
net: wwan: t7xx: Fix FSM command timeout issue
Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp>
net: mv643xx_eth: fix an OF node reference leak
Vitalii Mordan <mordan(a)ispras.ru>
eth: bcmsysport: fix call balance of priv->clk handling routines
Tanya Agarwal <tanyaagarwal25699(a)gmail.com>
ALSA: usb-audio: US16x08: Initialize array before use
Antonio Pastor <antonio.pastor(a)gmail.com>
net: llc: reset skb->transport_header
Pablo Neira Ayuso <pablo(a)netfilter.org>
netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext
Rodrigo Vivi <rodrigo.vivi(a)intel.com>
drm/i915/dg1: Fix power gate sequence.
Ilya Shchipletsov <rabbelkin(a)mail.ru>
netrom: check buffer length before accessing it
Xiao Liang <shaw.leon(a)gmail.com>
net: Fix netns for ip_tunnel_init_flow()
Ido Schimmel <idosch(a)nvidia.com>
ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_xmit()
Ido Schimmel <idosch(a)nvidia.com>
ipv4: ip_tunnel: Unmask upper DSCP bits in ip_md_tunnel_xmit()
Ido Schimmel <idosch(a)nvidia.com>
ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_bind_dev()
Eric Dumazet <edumazet(a)google.com>
ip_tunnel: annotate data-races around t->parms.link
Christian Ehrig <cehrig(a)cloudflare.com>
ipip,ip_tunnel,sit: Add FOU support for externally controlled ipip devices
Wang Liang <wangliang74(a)huawei.com>
net: fix memory leak in tcp_conn_request()
Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp>
net: stmmac: restructure the error path of stmmac_probe_config_dt()
Andrew Halaney <ahalaney(a)redhat.com>
net: stmmac: don't create a MDIO bus if unnecessary
Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org>
net: stmmac: platform: provide devm_stmmac_probe_config_dt()
Chengchang Tang <tangchengchang(a)huawei.com>
RDMA/hns: Fix missing flush CQE for DWQE
Chengchang Tang <tangchengchang(a)huawei.com>
RDMA/hns: Fix warning storm caused by invalid input in IO path
wenglianfa <wenglianfa(a)huawei.com>
RDMA/hns: Fix mapping error of zero-hop WQE buffer
Chengchang Tang <tangchengchang(a)huawei.com>
RDMA/hns: Remove unused parameters and variables
Chengchang Tang <tangchengchang(a)huawei.com>
RDMA/hns: Refactor mtr find
Tristram Ha <tristram.ha(a)microchip.com>
net: dsa: microchip: Fix LAN937X set_ageing_time function
Oleksij Rempel <linux(a)rempel-privat.de>
net: dsa: microchip: add ksz_rmw8() function
Tristram Ha <tristram.ha(a)microchip.com>
net: dsa: microchip: Fix KSZ9477 set_ageing_time function
Stefan Ekenberg <stefan.ekenberg(a)axis.com>
drm/bridge: adv7511_audio: Update Audio InfoFrame properly
Selvin Xavier <selvin.xavier(a)broadcom.com>
RDMA/bnxt_re: Fix the locking while accessing the QP table
Selvin Xavier <selvin.xavier(a)broadcom.com>
RDMA/bnxt_re: Fix max_qp_wrs reported
Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com>
RDMA/bnxt_re: Fix reporting hw_ver in query_device
Saravanan Vajravel <saravanan.vajravel(a)broadcom.com>
RDMA/bnxt_re: Add check for path mtu in modify_qp
Patrisious Haddad <phaddad(a)nvidia.com>
RDMA/mlx5: Enforce same type port association for multiport RoCE
Jeremy Kerr <jk(a)codeconstruct.com.au>
net: mctp: handle skb cleanup on sock_queue failures
Mathias Nyman <mathias.nyman(a)linux.intel.com>
xhci: Turn NEC specific quirk for handling Stop Endpoint errors generic
Michal Pecio <michal.pecio(a)gmail.com>
usb: xhci: Limit Stop Endpoint retries
Michal Pecio <michal.pecio(a)gmail.com>
xhci: retry Stop Endpoint on buggy NEC controllers
Mario Limonciello <mario.limonciello(a)amd.com>
thunderbolt: Don't display nvm_version unless upgrade supported
Mika Westerberg <mika.westerberg(a)linux.intel.com>
thunderbolt: Add support for Intel Panther Lake-M/P
Mika Westerberg <mika.westerberg(a)linux.intel.com>
thunderbolt: Add support for Intel Lunar Lake
Steven Rostedt <rostedt(a)goodmis.org>
tracing: Have process_string() also allow arrays
Johannes Thumshirn <johannes.thumshirn(a)wdc.com>
btrfs: fix use-after-free in btrfs_encoded_read_endio()
Thiébaud Weksteen <tweek(a)google.com>
selinux: ignore unknown extended permissions
Naman Jain <namjain(a)linux.microsoft.com>
x86/hyperv: Fix hv tsc page based sched_clock for hibernation
-------------
Diffstat:
.../bindings/display/bridge/adi,adv7533.yaml | 2 +-
Makefile | 4 +-
arch/arc/Makefile | 2 +-
arch/x86/kernel/cpu/mshyperv.c | 58 ++++++++
drivers/clocksource/hyperv_timer.c | 14 +-
drivers/gpu/drm/amd/amdkfd/kfd_migrate.c | 4 +-
drivers/gpu/drm/bridge/adv7511/adv7511_audio.c | 14 +-
drivers/gpu/drm/bridge/adv7511/adv7533.c | 2 +-
drivers/gpu/drm/i915/gt/intel_rc6.c | 2 +-
drivers/infiniband/core/uverbs_cmd.c | 16 ++-
drivers/infiniband/hw/bnxt_re/ib_verbs.c | 28 ++--
drivers/infiniband/hw/bnxt_re/qplib_fp.c | 2 +
drivers/infiniband/hw/bnxt_re/qplib_sp.c | 2 +-
drivers/infiniband/hw/hns/hns_roce_alloc.c | 3 +-
drivers/infiniband/hw/hns/hns_roce_cq.c | 11 +-
drivers/infiniband/hw/hns/hns_roce_device.h | 12 +-
drivers/infiniband/hw/hns/hns_roce_hem.c | 54 +++++---
drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 130 ++++++++---------
drivers/infiniband/hw/hns/hns_roce_mr.c | 95 ++++++++-----
drivers/infiniband/hw/hns/hns_roce_qp.c | 4 +-
drivers/infiniband/hw/hns/hns_roce_srq.c | 4 +-
drivers/infiniband/hw/mlx5/main.c | 6 +-
drivers/infiniband/ulp/rtrs/rtrs-srv.c | 2 +-
drivers/irqchip/irq-gic.c | 2 +-
drivers/net/dsa/microchip/ksz9477.c | 47 +++++--
drivers/net/dsa/microchip/ksz9477_reg.h | 4 +-
drivers/net/dsa/microchip/ksz_common.h | 5 +
drivers/net/dsa/microchip/lan937x_main.c | 62 ++++++++-
drivers/net/dsa/microchip/lan937x_reg.h | 9 +-
drivers/net/ethernet/broadcom/bcmsysport.c | 21 ++-
drivers/net/ethernet/marvell/mv643xx_eth.c | 14 +-
drivers/net/ethernet/marvell/sky2.c | 1 +
.../net/ethernet/mellanox/mlxsw/spectrum_span.c | 3 +-
.../net/ethernet/stmicro/stmmac/stmmac_platform.c | 153 +++++++++++++++------
.../net/ethernet/stmicro/stmmac/stmmac_platform.h | 2 +
drivers/net/usb/qmi_wwan.c | 3 +
drivers/net/wwan/iosm/iosm_ipc_mmio.c | 2 +-
drivers/net/wwan/t7xx/t7xx_state_monitor.c | 26 ++--
drivers/net/wwan/t7xx/t7xx_state_monitor.h | 5 +-
drivers/pinctrl/pinctrl-mcp23s08.c | 6 +
drivers/thunderbolt/nhi.c | 12 ++
drivers/thunderbolt/nhi.h | 6 +
drivers/thunderbolt/retimer.c | 17 ++-
drivers/usb/host/xhci-ring.c | 42 +++++-
drivers/usb/host/xhci.c | 21 ++-
drivers/usb/host/xhci.h | 2 +
fs/btrfs/ctree.c | 37 +++--
fs/btrfs/ctree.h | 7 +
fs/btrfs/disk-io.c | 9 ++
fs/btrfs/inode.c | 2 +-
fs/smb/server/smb2pdu.c | 12 +-
fs/smb/server/vfs.h | 1 +
include/clocksource/hyperv_timer.h | 2 +
include/linux/if_vlan.h | 16 ++-
include/linux/mlx5/driver.h | 6 +
include/net/bluetooth/hci_core.h | 108 ++++++++++-----
include/net/ip_tunnels.h | 28 ++--
include/net/netfilter/nf_tables.h | 7 +-
kernel/bpf/core.c | 6 +-
kernel/kcov.c | 2 +-
kernel/trace/trace_events.c | 12 ++
mm/readahead.c | 6 +-
mm/vmscan.c | 9 +-
net/bluetooth/hci_core.c | 10 +-
net/bluetooth/iso.c | 6 +
net/bluetooth/l2cap_core.c | 12 +-
net/bluetooth/rfcomm/core.c | 6 +
net/bluetooth/sco.c | 12 +-
net/core/dev.c | 4 +-
net/core/sock.c | 5 +-
net/ipv4/ip_tunnel.c | 60 +++++---
net/ipv4/ipip.c | 1 +
net/ipv4/tcp_input.c | 1 +
net/ipv6/ila/ila_xlat.c | 16 ++-
net/ipv6/sit.c | 2 +-
net/llc/llc_input.c | 2 +-
net/mac80211/util.c | 3 +
net/mctp/route.c | 36 +++--
net/mptcp/options.c | 7 +
net/mptcp/protocol.c | 22 +--
net/netrom/nr_route.c | 6 +
net/packet/af_packet.c | 28 +---
net/sctp/associola.c | 3 +-
scripts/mod/file2alias.c | 4 +-
security/selinux/ss/services.c | 8 +-
sound/core/seq/oss/seq_oss_synth.c | 2 +
sound/pci/hda/patch_realtek.c | 2 +
sound/usb/format.c | 7 +-
sound/usb/mixer_us16x08.c | 2 +-
sound/usb/quirks.c | 2 +
90 files changed, 1031 insertions(+), 444 deletions(-)
3 months, 3 weeks
- 12
- 92
[PATCH 6.12 000/156] 6.12.9-rc1 review
by Greg Kroah-Hartman
This is the start of the stable review cycle for the 6.12.9 release.
There are 156 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed, 08 Jan 2025 15:11:04 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.9-rc1…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 6.12.9-rc1
Paolo Abeni <pabeni(a)redhat.com>
mptcp: don't always assume copied data in mptcp_cleanup_rbuf()
Paolo Abeni <pabeni(a)redhat.com>
mptcp: fix recvbuffer adjust on sleeping rcvmsg
Paolo Abeni <pabeni(a)redhat.com>
mptcp: fix TCP options overflow.
Liu Shixin <liushixin2(a)huawei.com>
mm: hugetlb: independent PMD page table shared count
Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com>
mm: reinstate ability to map write-sealed memfd mappings read-only
Seiji Nishikawa <snishika(a)redhat.com>
mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim()
Alessandro Carminati <acarmina(a)redhat.com>
mm/kmemleak: fix sleeping function called from invalid context at print message
Yafang Shao <laoar.shao(a)gmail.com>
mm/readahead: fix large folio support in async readahead
Joshua Washington <joshwash(a)google.com>
gve: trigger RX NAPI instead of TX NAPI in gve_xsk_wakeup
Joshua Washington <joshwash(a)google.com>
gve: guard XDP xmit NDO on existence of xdp queues
Joshua Washington <joshwash(a)google.com>
gve: fix XDP allocation path in edge cases
Joshua Washington <joshwash(a)google.com>
gve: guard XSK operations on the existence of queues
Joshua Washington <joshwash(a)google.com>
gve: clean XDP queues in gve_tx_stop_ring_gqi
Joshua Washington <joshwash(a)google.com>
gve: process XSK TX descriptors as part of RX NAPI
David Hildenbrand <david(a)redhat.com>
fs/proc/task_mmu: fix pagemap flags with PMD THP entries on 32bit
Baolin Wang <baolin.wang(a)linux.alibaba.com>
mm: shmem: fix incorrect index alignment for within_size policy
Baolin Wang <baolin.wang(a)linux.alibaba.com>
mm: shmem: fix the update of 'shmem_falloc->nr_unswapped'
SeongJae Park <sj(a)kernel.org>
mm/damon/core: fix new damon_target objects leaks on damon_commit_targets()
SeongJae Park <sj(a)kernel.org>
mm/damon/core: fix ignored quota goals and filters of newly committed schemes
Siddharth Vadapalli <s-vadapalli(a)ti.com>
net: ethernet: ti: am65-cpsw: default to round-robin for host port receive
Zilin Guan <zilin(a)seu.edu.cn>
fgraph: Add READ_ONCE() when accessing fgraph_array[]
Kees Cook <kees(a)kernel.org>
wifi: iwlwifi: mvm: Fix __counted_by usage in cfg80211_wowlan_nd_*
Biju Das <biju.das.jz(a)bp.renesas.com>
drm: adv7511: Fix use-after-free in adv7533_attach_dsi()
Biju Das <biju.das.jz(a)bp.renesas.com>
dt-bindings: display: adi,adv7533: Drop single lane support
Biju Das <biju.das.jz(a)bp.renesas.com>
drm: adv7511: Drop dsi single lane support
Pavel Begunkov <asml.silence(a)gmail.com>
io_uring/rw: fix downgraded mshot read
Nikolay Kuratov <kniv(a)yandex-team.ru>
net/sctp: Prevent autoclose integer overflow in sctp_association_init()
Henry Huang <henry.hj(a)antgroup.com>
sched_ext: initialize kit->cursor.flags
Pascal Hambourg <pascal(a)plouf.fr.eu.org>
sky2: Add device ID 11ab:4373 for Marvell 88E8075
Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com>
workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work from !WQ_MEM_RECLAIM worker
Evgenii Shatokhin <e.shatokhin(a)yadro.com>
pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking
Dan Carpenter <dan.carpenter(a)linaro.org>
RDMA/uverbs: Prevent integer overflow issue
Tejun Heo <tj(a)kernel.org>
sched_ext: Fix invalid irq restore in scx_ops_bypass()
Kuan-Wei Chiu <visitorckw(a)gmail.com>
scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity
Nikolaus Voss <nv(a)vosn.de>
clk: clk-imx8mp-audiomix: fix function signature
Yang Erkun <yangerkun(a)huawei.com>
maple_tree: reload mas before the second call for mas_empty_area
Arnd Bergmann <arnd(a)arndb.de>
kcov: mark in_softirq_really() as __always_inline
Dennis Lam <dennis.lamerice(a)gmail.com>
ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv
Takashi Iwai <tiwai(a)suse.de>
ALSA: seq: oss: Fix races at processing SysEx messages
Daniel Schaefer <dhs(a)frame.work>
ALSA hda/realtek: Add quirk for Framework F111:000C
Nirmoy Das <nirmoy.das(a)intel.com>
drm/xe: Wait for migration job before unmapping pages
Nirmoy Das <nirmoy.das(a)intel.com>
drm/xe: Use non-interruptible wait when moving BO to system
Kohei Enju <enjuk(a)amazon.com>
ftrace: Fix function profiler's filtering functionality
Takashi Iwai <tiwai(a)suse.de>
ALSA: seq: Check UMP support for midi_version change
Jens Axboe <axboe(a)kernel.dk>
io_uring/kbuf: use pre-committed buffer address for non-pollable file
Mark Zhang <markzhang(a)nvidia.com>
RDMA/mlx5: Enable multiplane mode only when it is supported
Takashi Iwai <tiwai(a)suse.de>
Revert "ALSA: ump: Don't enumeration invalid groups for legacy rawmidi"
Thomas Weißschuh <linux(a)weissschuh.net>
kbuild: pacman-pkg: provide versioned linux-api-headers package
Masahiro Yamada <masahiroy(a)kernel.org>
modpost: fix the missed iteration for the max bit in do_input()
Mostafa Saleh <smostafa(a)google.com>
scripts/mksysmap: Fix escape chars '$'
Maksim Kiselev <bigunclemax(a)gmail.com>
clk: thead: Fix TH1520 emmc and shdci clock rate
Eduard Zingerman <eddyz87(a)gmail.com>
bpf: consider that tail calls invalidate packet pointers
Eduard Zingerman <eddyz87(a)gmail.com>
bpf: refactor bpf_helper_changes_pkt_data to use helper number
Leon Romanovsky <leon(a)kernel.org>
ARC: build: Try to guess GCC variant of cross compiler
Uros Bizjak <ubizjak(a)gmail.com>
irqchip/gic: Correct declaration of *percpu_base pointer in union gic_base
Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com>
Bluetooth: hci_core: Fix sleeping function called from invalid context
Daniele Palmas <dnlplm(a)gmail.com>
net: usb: qmi_wwan: add Telit FE910C04 compositions
Enzo Matsumiya <ematsumiya(a)suse.de>
smb: client: destroy cfid_put_wq on module exit
Namjae Jeon <linkinjeon(a)kernel.org>
ksmbd: set ATTR_CTIME flags when setting mtime
Hobin Woo <hobin.woo(a)samsung.com>
ksmbd: retry iterate_dir in smb2_query_dir
Anton Protopopov <aspsk(a)isovalent.com>
bpf: fix potential error return
Hardevsinh Palaniya <hardevsinh.palaniya(a)siliconsignals.io>
ARC: bpf: Correct conditional check in 'check_jmp_32'
Paul E. McKenney <paulmck(a)kernel.org>
ARC: build: Use __force to suppress per-CPU cmpxchg warnings
Vineet Gupta <vgupta(a)kernel.org>
ARC: build: disallow invalid PAE40 + 4K page config
Stephen Gordon <gordoste(a)iinet.net.au>
ASoC: audio-graph-card: Call of_node_put() on correct node
Niravkumar L Rabara <niravkumar.l.rabara(a)intel.com>
spi: spi-cadence-qspi: Disable STIG mode for Altera SoCFPGA.
Adrian Ratiu <adrian.ratiu(a)collabora.com>
sound: usb: format: don't warn that raw DSD is unsupported
Adrian Ratiu <adrian.ratiu(a)collabora.com>
sound: usb: enable DSD output for ddHiFi TC44C
Vasiliy Kovalev <kovalev(a)altlinux.org>
ALSA: hda/realtek: Add new alc2xx-fixup-headset-mic model
Takashi Iwai <tiwai(a)suse.de>
ALSA: hda/ca0132: Use standard HD-audio quirk matching helpers
Filipe Manana <fdmanana(a)suse.com>
btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount
Johannes Thumshirn <johannes.thumshirn(a)wdc.com>
btrfs: handle bio_split() errors
Vasiliy Kovalev <kovalev(a)altlinux.org>
ALSA: hda/realtek - Add support for ASUS Zen AIO 27 Z272SD_A272SD audio
Simon Trimmer <simont(a)opensource.cirrus.com>
ALSA: hda: cs35l56: Remove calls to cs35l56_force_sync_asp1_registers_from_cache()
Prike Liang <Prike.Liang(a)amd.com>
drm/amdkfd: Correct the migration DMA map direction
Victor Zhao <Victor.Zhao(a)amd.com>
drm/amdgpu: use sjt mec fw on gfx943 for sriov
Emmanuel Grumbach <emmanuel.grumbach(a)intel.com>
wifi: mac80211: wake the queues in case of failure in resume
Aditya Kumar Singh <quic_adisi(a)quicinc.com>
wifi: cfg80211: clear link ID from bitmap during link delete after clean up
Issam Hamdi <ih(a)simonwunderlich.de>
wifi: mac80211: fix mbss changed flags corruption on 32 bit systems
Kan Liang <kan.liang(a)linux.intel.com>
perf/x86/intel: Add Arrow Lake U support
Filipe Manana <fdmanana(a)suse.com>
btrfs: allow swap activation to be interruptible
Meghana Malladi <m-malladi(a)ti.com>
net: ti: icssg-prueth: Fix clearing of IEP_CMP_CFG registers during iep_init
MD Danish Anwar <danishanwar(a)ti.com>
net: ti: icssg-prueth: Fix firmware load sequence.
Eric Dumazet <edumazet(a)google.com>
ila: serialize calls to nf_register_net_hooks()
Eric Dumazet <edumazet(a)google.com>
af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK
Eric Dumazet <edumazet(a)google.com>
af_packet: fix vlan_get_tci() vs MSG_PEEK
Maciej S. Szmigiero <mail(a)maciej.szmigiero.name>
net: wwan: iosm: Properly check for valid exec stage in ipc_mmio_init()
Eric Dumazet <edumazet(a)google.com>
net: restrict SO_REUSEPORT to inet sockets
Willem de Bruijn <willemb(a)google.com>
net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets
Liang Jie <liangjie(a)lixiang.com>
net: sfc: Correct key_len for efx_tc_ct_zone_ht_params
Jens Axboe <axboe(a)kernel.dk>
io_uring/net: always initialize kmsg->msg.msg_inq upfront
Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com>
RDMA/bnxt_re: Fix error recovery sequence
Li Zhijian <lizhijian(a)fujitsu.com>
RDMA/rtrs: Ensure 'ib_sge list' is accessible
Jinjian Song <jinjian.song(a)fibocom.com>
net: wwan: t7xx: Fix FSM command timeout issue
Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp>
net: mv643xx_eth: fix an OF node reference leak
Vitalii Mordan <mordan(a)ispras.ru>
eth: bcmsysport: fix call balance of priv->clk handling routines
Tanya Agarwal <tanyaagarwal25699(a)gmail.com>
ALSA: usb-audio: US16x08: Initialize array before use
Leo Stone <leocstone(a)gmail.com>
nvmet: Don't overflow subsysnqn
Antonio Pastor <antonio.pastor(a)gmail.com>
net: llc: reset skb->transport_header
Pablo Neira Ayuso <pablo(a)netfilter.org>
netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext
Su Hui <suhui(a)nfschina.com>
workqueue: add printf attribute to __alloc_workqueue()
Rodrigo Vivi <rodrigo.vivi(a)intel.com>
drm/i915/dg1: Fix power gate sequence.
Suraj Kandpal <suraj.kandpal(a)intel.com>
drm/i915/cx0_phy: Fix C10 pll programming sequence
Zhu Yanjun <yanjun.zhu(a)linux.dev>
RDMA/rxe: Remove the direct link to net_device
Jianbo Liu <jianbol(a)nvidia.com>
net/mlx5e: Keep netdev when leave switchdev for devlink set legacy only
Jianbo Liu <jianbol(a)nvidia.com>
net/mlx5e: Skip restore TC rules for vport rep without loaded flag
Dragos Tatulea <dtatulea(a)nvidia.com>
net/mlx5e: macsec: Maintain TX SA from encoding_sa
Shahar Shitrit <shshitrit(a)nvidia.com>
net/mlx5: DR, select MSIX vector 0 for completion queue creation
Kory Maincent <kory.maincent(a)bootlin.com>
net: pse-pd: tps23881: Fix power on/off issue
Ilya Shchipletsov <rabbelkin(a)mail.ru>
netrom: check buffer length before accessing it
Xiao Liang <shaw.leon(a)gmail.com>
net: Fix netns for ip_tunnel_init_flow()
Wang Liang <wangliang74(a)huawei.com>
net: fix memory leak in tcp_conn_request()
Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp>
net: stmmac: restructure the error path of stmmac_probe_config_dt()
Lucas De Marchi <lucas.demarchi(a)intel.com>
drm/xe: Fix fault on fd close after unbind
Michal Wajdeczko <michal.wajdeczko(a)intel.com>
drm/xe/pf: Use correct function to check LMEM provisioning
John Harrison <John.C.Harrison(a)Intel.com>
drm/xe: Revert some changes that break a mesa debug tool
Chengchang Tang <tangchengchang(a)huawei.com>
RDMA/hns: Fix missing flush CQE for DWQE
Chengchang Tang <tangchengchang(a)huawei.com>
RDMA/hns: Fix warning storm caused by invalid input in IO path
Chengchang Tang <tangchengchang(a)huawei.com>
RDMA/hns: Fix accessing invalid dip_ctx during destroying QP
wenglianfa <wenglianfa(a)huawei.com>
RDMA/hns: Fix mapping error of zero-hop WQE buffer
Jakub Kicinski <kuba(a)kernel.org>
netdev-genl: avoid empty messages in napi get
Vladimir Oltean <vladimir.oltean(a)nxp.com>
selftests: net: local_termination: require mausezahn
Tristram Ha <tristram.ha(a)microchip.com>
net: dsa: microchip: Fix LAN937X set_ageing_time function
Tristram Ha <tristram.ha(a)microchip.com>
net: dsa: microchip: Fix KSZ9477 set_ageing_time function
Stefan Ekenberg <stefan.ekenberg(a)axis.com>
drm/bridge: adv7511_audio: Update Audio InfoFrame properly
Wei Fang <wei.fang(a)nxp.com>
net: phy: micrel: Dynamically control external clock of KSZ PHY
Selvin Xavier <selvin.xavier(a)broadcom.com>
RDMA/bnxt_re: Fix the locking while accessing the QP table
Damodharam Ammepalli <damodharam.ammepalli(a)broadcom.com>
RDMA/bnxt_re: Fix MSN table size for variable wqe mode
Damodharam Ammepalli <damodharam.ammepalli(a)broadcom.com>
RDMA/bnxt_re: Add send queue size check for variable wqe
Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com>
RDMA/bnxt_re: Disable use of reserved wqes
Selvin Xavier <selvin.xavier(a)broadcom.com>
RDMA/bnxt_re: Fix max_qp_wrs reported
Bernard Metzler <bmt(a)zurich.ibm.com>
RDMA/siw: Remove direct link to net_device
Chiara Meiohas <cmeiohas(a)nvidia.com>
RDMA/nldev: Set error code in rdma_nl_notify_event
Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com>
RDMA/bnxt_re: Fix reporting hw_ver in query_device
Saravanan Vajravel <saravanan.vajravel(a)broadcom.com>
RDMA/bnxt_re: Add check for path mtu in modify_qp
Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com>
RDMA/bnxt_re: Fix the check for 9060 condition
Emmanuel Grumbach <emmanuel.grumbach(a)intel.com>
wifi: iwlwifi: fix CRF name for Bz
Robert Beckett <bob.beckett(a)collabora.com>
nvme-pci: 512 byte aligned dma pool segment quirk
Anumula Murali Mohan Reddy <anumula(a)chelsio.com>
RDMA/core: Fix ENODEV error for iWARP test over vlan
Kashyap Desai <kashyap.desai(a)broadcom.com>
RDMA/bnxt_re: Avoid sending the modify QP workaround for latest adapters
Selvin Xavier <selvin.xavier(a)broadcom.com>
RDMA/bnxt_re: Avoid initializing the software queue for user queues
Kashyap Desai <kashyap.desai(a)broadcom.com>
RDMA/bnxt_re: Fix max SGEs for the Work Request
Patrisious Haddad <phaddad(a)nvidia.com>
RDMA/mlx5: Enforce same type port association for multiport RoCE
guanjing <guanjing(a)cmss.chinamobile.com>
sched_ext: fix application of sizeof to pointer
Leon Romanovsky <leon(a)kernel.org>
RDMA/bnxt_re: Remove always true dattr validity check
Christoph Hellwig <hch(a)lst.de>
btrfs: use bio_is_zone_append() in the completion handler
Christoph Hellwig <hch(a)lst.de>
block: lift bio_is_zone_append to bio.h
Steven Rostedt <rostedt(a)goodmis.org>
tracing: Have process_string() also allow arrays
Lucas Stach <l.stach(a)pengutronix.de>
pmdomain: core: add dummy release function to genpd device
Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp>
pmdomain: imx: gpcv2: fix an OF node reference leak in imx_gpcv2_probe()
Eric Biggers <ebiggers(a)google.com>
mmc: sdhci-msm: fix crypto key eviction
Thiébaud Weksteen <tweek(a)google.com>
selinux: ignore unknown extended permissions
Mingcong Bai <jeffbai(a)aosc.io>
platform/x86: hp-wmi: mark 8A15 board for timed OMEN thermal profile
Vishnu Sankar <vishnuocv(a)gmail.com>
platform/x86: thinkpad-acpi: Add support for hotkey 0x1401
Alex Deucher <alexander.deucher(a)amd.com>
drm/amdgpu: fix backport of commit 73dae652dcac
Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp>
platform/x86: mlx-platform: call pci_dev_put() to balance the refcount
-------------
Diffstat:
.../admin-guide/laptops/thinkpad-acpi.rst | 10 +-
.../bindings/display/bridge/adi,adv7533.yaml | 2 +-
Makefile | 4 +-
arch/arc/Kconfig | 4 +-
arch/arc/Makefile | 2 +-
arch/arc/include/asm/cmpxchg.h | 2 +-
arch/arc/net/bpf_jit_arcv2.c | 2 +-
arch/x86/events/intel/core.c | 1 +
block/blk.h | 9 -
drivers/clk/imx/clk-imx8mp-audiomix.c | 3 +-
drivers/clk/thead/clk-th1520-ap.c | 13 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 6 +-
drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c | 10 +-
drivers/gpu/drm/amd/amdkfd/kfd_migrate.c | 4 +-
drivers/gpu/drm/bridge/adv7511/adv7511_audio.c | 14 +-
drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 10 +-
drivers/gpu/drm/bridge/adv7511/adv7533.c | 4 +-
drivers/gpu/drm/i915/display/intel_cx0_phy.c | 12 +-
drivers/gpu/drm/i915/gt/intel_rc6.c | 2 +-
drivers/gpu/drm/xe/xe_bo.c | 12 +-
drivers/gpu/drm/xe/xe_devcoredump.c | 15 +-
drivers/gpu/drm/xe/xe_exec_queue.c | 9 +
drivers/gpu/drm/xe/xe_gt_sriov_pf_config.c | 2 +-
drivers/infiniband/core/cma.c | 16 ++
drivers/infiniband/core/nldev.c | 2 +-
drivers/infiniband/core/uverbs_cmd.c | 16 +-
drivers/infiniband/hw/bnxt_re/ib_verbs.c | 34 +--
drivers/infiniband/hw/bnxt_re/main.c | 8 +-
drivers/infiniband/hw/bnxt_re/qplib_fp.c | 65 +++--
drivers/infiniband/hw/bnxt_re/qplib_fp.h | 3 +-
drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 5 +-
drivers/infiniband/hw/bnxt_re/qplib_sp.c | 18 +-
drivers/infiniband/hw/hns/hns_roce_hem.c | 43 +++-
drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 11 +-
drivers/infiniband/hw/hns/hns_roce_mr.c | 5 -
drivers/infiniband/hw/mlx5/main.c | 8 +-
drivers/infiniband/sw/rxe/rxe.c | 23 +-
drivers/infiniband/sw/rxe/rxe.h | 3 +-
drivers/infiniband/sw/rxe/rxe_mcast.c | 22 +-
drivers/infiniband/sw/rxe/rxe_net.c | 24 +-
drivers/infiniband/sw/rxe/rxe_verbs.c | 26 +-
drivers/infiniband/sw/rxe/rxe_verbs.h | 11 +-
drivers/infiniband/sw/siw/siw.h | 7 +-
drivers/infiniband/sw/siw/siw_cm.c | 27 +-
drivers/infiniband/sw/siw/siw_main.c | 15 +-
drivers/infiniband/sw/siw/siw_verbs.c | 35 ++-
drivers/infiniband/ulp/rtrs/rtrs-srv.c | 2 +-
drivers/irqchip/irq-gic.c | 2 +-
drivers/mmc/host/sdhci-msm.c | 16 +-
drivers/net/dsa/microchip/ksz9477.c | 47 +++-
drivers/net/dsa/microchip/ksz9477_reg.h | 4 +-
drivers/net/dsa/microchip/lan937x_main.c | 62 ++++-
drivers/net/dsa/microchip/lan937x_reg.h | 9 +-
drivers/net/ethernet/broadcom/bcmsysport.c | 21 +-
drivers/net/ethernet/google/gve/gve.h | 1 +
drivers/net/ethernet/google/gve/gve_main.c | 63 +++--
drivers/net/ethernet/google/gve/gve_tx.c | 46 ++--
drivers/net/ethernet/marvell/mv643xx_eth.c | 14 +-
drivers/net/ethernet/marvell/sky2.c | 1 +
.../ethernet/mellanox/mlx5/core/en_accel/macsec.c | 4 +
drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 19 +-
drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 15 ++
.../net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.c | 6 +-
drivers/net/ethernet/mellanox/mlx5/core/eswitch.h | 3 +
.../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 5 +-
.../ethernet/mellanox/mlx5/core/steering/dr_send.c | 4 +-
.../net/ethernet/mellanox/mlxsw/spectrum_span.c | 3 +-
drivers/net/ethernet/sfc/tc_conntrack.c | 2 +-
.../net/ethernet/stmicro/stmmac/stmmac_platform.c | 43 ++--
drivers/net/ethernet/ti/am65-cpsw-nuss.c | 2 +-
drivers/net/ethernet/ti/icssg/icss_iep.c | 8 +
drivers/net/ethernet/ti/icssg/icssg_common.c | 25 --
drivers/net/ethernet/ti/icssg/icssg_config.c | 41 ++-
drivers/net/ethernet/ti/icssg/icssg_config.h | 1 +
drivers/net/ethernet/ti/icssg/icssg_prueth.c | 281 ++++++++++++++-------
drivers/net/ethernet/ti/icssg/icssg_prueth.h | 5 +-
drivers/net/ethernet/ti/icssg/icssg_prueth_sr1.c | 24 +-
drivers/net/phy/micrel.c | 114 ++++++++-
drivers/net/pse-pd/tps23881.c | 16 +-
drivers/net/usb/qmi_wwan.c | 3 +
drivers/net/wireless/intel/iwlwifi/cfg/bz.c | 1 +
drivers/net/wireless/intel/iwlwifi/iwl-config.h | 1 +
drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 14 +-
drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 41 ++-
drivers/net/wwan/iosm/iosm_ipc_mmio.c | 2 +-
drivers/net/wwan/t7xx/t7xx_state_monitor.c | 26 +-
drivers/net/wwan/t7xx/t7xx_state_monitor.h | 5 +-
drivers/nvme/host/nvme.h | 5 +
drivers/nvme/host/pci.c | 9 +-
drivers/nvme/target/configfs.c | 11 +-
drivers/pinctrl/pinctrl-mcp23s08.c | 6 +
drivers/platform/x86/hp/hp-wmi.c | 4 +-
drivers/platform/x86/mlx-platform.c | 2 +
drivers/platform/x86/thinkpad_acpi.c | 4 +-
drivers/pmdomain/core.c | 6 +
drivers/pmdomain/imx/gpcv2.c | 4 +-
drivers/spi/spi-cadence-quadspi.c | 10 +-
fs/btrfs/bio.c | 23 +-
fs/btrfs/disk-io.c | 9 +
fs/btrfs/inode.c | 5 +
fs/ocfs2/quota_global.c | 2 +-
fs/ocfs2/quota_local.c | 1 +
fs/proc/task_mmu.c | 2 +-
fs/smb/client/cifsfs.c | 1 +
fs/smb/server/smb2pdu.c | 22 +-
fs/smb/server/vfs.h | 1 +
include/linux/bio.h | 17 ++
include/linux/filter.h | 2 +-
include/linux/if_vlan.h | 16 +-
include/linux/memfd.h | 14 +
include/linux/mlx5/driver.h | 7 +
include/linux/mlx5/mlx5_ifc.h | 4 +-
include/linux/mm.h | 57 +++--
include/linux/mm_types.h | 30 +++
include/net/bluetooth/hci_core.h | 108 +++++---
include/net/netfilter/nf_tables.h | 7 +-
include/sound/cs35l56.h | 6 -
io_uring/kbuf.c | 4 +-
io_uring/net.c | 1 +
io_uring/rw.c | 2 +
kernel/bpf/core.c | 8 +-
kernel/bpf/verifier.c | 2 +-
kernel/kcov.c | 2 +-
kernel/sched/ext.c | 4 +-
kernel/trace/fgraph.c | 2 +-
kernel/trace/ftrace.c | 8 +-
kernel/trace/trace_events.c | 12 +
kernel/workqueue.c | 23 +-
lib/maple_tree.c | 1 +
mm/damon/core.c | 10 +-
mm/hugetlb.c | 16 +-
mm/kmemleak.c | 2 +-
mm/memfd.c | 2 +-
mm/mmap.c | 4 +
mm/readahead.c | 6 +-
mm/shmem.c | 7 +-
mm/vmscan.c | 9 +-
net/bluetooth/hci_core.c | 10 +-
net/bluetooth/iso.c | 6 +
net/bluetooth/l2cap_core.c | 12 +-
net/bluetooth/rfcomm/core.c | 6 +
net/bluetooth/sco.c | 12 +-
net/core/dev.c | 4 +-
net/core/filter.c | 63 +++--
net/core/netdev-genl.c | 6 +-
net/core/sock.c | 5 +-
net/ipv4/ip_tunnel.c | 6 +-
net/ipv4/tcp_input.c | 1 +
net/ipv6/ila/ila_xlat.c | 16 +-
net/llc/llc_input.c | 2 +-
net/mac80211/cfg.c | 8 +-
net/mac80211/mesh.c | 6 +-
net/mac80211/util.c | 3 +
net/mptcp/options.c | 7 +
net/mptcp/protocol.c | 22 +-
net/netrom/nr_route.c | 6 +
net/packet/af_packet.c | 28 +-
net/sctp/associola.c | 3 +-
net/wireless/util.c | 3 +-
scripts/mksysmap | 4 +-
scripts/mod/file2alias.c | 2 +-
scripts/package/PKGBUILD | 2 +-
scripts/sorttable.h | 5 +-
security/selinux/ss/services.c | 8 +-
sound/core/seq/oss/seq_oss_synth.c | 2 +
sound/core/seq/seq_clientmgr.c | 14 +-
sound/core/ump.c | 2 +-
sound/pci/hda/cs35l56_hda.c | 8 -
sound/pci/hda/patch_ca0132.c | 37 +--
sound/pci/hda/patch_realtek.c | 24 ++
sound/soc/generic/audio-graph-card2.c | 2 +-
sound/usb/format.c | 7 +-
sound/usb/mixer_us16x08.c | 2 +-
sound/usb/quirks.c | 2 +
tools/sched_ext/scx_central.c | 2 +-
tools/testing/selftests/bpf/progs/tc_bpf2bpf.c | 2 +
.../selftests/net/forwarding/local_termination.sh | 1 -
177 files changed, 1698 insertions(+), 764 deletions(-)
3 months, 3 weeks
- 19
- 175
[PATCH] clk: mmp2: call pm_genpd_init() only after genpd.name is set
by Lubomir Rintel
Setting the genpd's struct device's name with dev_set_name() is
happening within pm_genpd_init(). If it remains NULL, things can blow up
later, such as when crafting the devfs hierarchy for the power domain:
8<--- cut here --- [please do not actually cut, you'll ruin your display]
Unable to handle kernel NULL pointer dereference at virtual address 00000000 when read
...
Call trace:
strlen from start_creating+0x90/0x138
start_creating from debugfs_create_dir+0x20/0x178
debugfs_create_dir from genpd_debug_add.part.0+0x4c/0x144
genpd_debug_add.part.0 from genpd_debug_init+0x74/0x90
genpd_debug_init from do_one_initcall+0x5c/0x244
do_one_initcall from kernel_init_freeable+0x19c/0x1f4
kernel_init_freeable from kernel_init+0x1c/0x12c
kernel_init from ret_from_fork+0x14/0x28
Bisecting tracks this crash back to commit 899f44531fe6 ("pmdomain: core:
Add GENPD_FLAG_DEV_NAME_FW flag"), which exchanges use of genpd->name
with dev_name(&genpd->dev) in genpd_debug_add.part().
Fixes: 899f44531fe6 ("pmdomain: core: Add GENPD_FLAG_DEV_NAME_FW flag")
Signed-off-by: Lubomir Rintel <lkundrak(a)v3.sk>
Cc: stable(a)vger.kernel.org # v6.12+
---
drivers/clk/mmp/pwr-island.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/mmp/pwr-island.c b/drivers/clk/mmp/pwr-island.c
index edaa2433a472..eaf5d2c5e593 100644
--- a/drivers/clk/mmp/pwr-island.c
+++ b/drivers/clk/mmp/pwr-island.c
@@ -106,10 +106,10 @@ struct generic_pm_domain *mmp_pm_domain_register(const char *name,
pm_domain->flags = flags;
pm_domain->lock = lock;
- pm_genpd_init(&pm_domain->genpd, NULL, true);
pm_domain->genpd.name = name;
pm_domain->genpd.power_on = mmp_pm_domain_power_on;
pm_domain->genpd.power_off = mmp_pm_domain_power_off;
+ pm_genpd_init(&pm_domain->genpd, NULL, true);
return &pm_domain->genpd;
}
--
2.47.1
3 months, 3 weeks
- 2
- 3
[PATCH] USB: serial: cp210x: add Phoenix Contact UPS Device
by Johan Hovold
Phoenix Contact sells UPS Quint devices [1] with a custom datacable [2]
that embeds a Silicon Labs converter:
Bus 001 Device 003: ID 1b93:1013 Silicon Labs Phoenix Contact UPS Device
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x1b93
idProduct 0x1013
bcdDevice 1.00
iManufacturer 1 Silicon Labs
iProduct 2 Phoenix Contact UPS Device
iSerial 3 <redacted>
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 0x0020
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 100mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 0
bInterfaceProtocol 0
iInterface 2 Phoenix Contact UPS Device
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 0
[1] https://www.phoenixcontact.com/en-pc/products/power-supply-unit-quint-ps-1a…
[2] https://www.phoenixcontact.com/en-il/products/data-cable-preassembled-ifs-u…
Reported-by: Giuseppe Corbelli <giuseppe.corbelli(a)antaresvision.com>
Cc: stable(a)vger.kernel.org
Signed-off-by: Johan Hovold <johan(a)kernel.org>
---
drivers/usb/serial/cp210x.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
index c24101f0a07a..9960ac2b10b7 100644
--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -223,6 +223,7 @@ static const struct usb_device_id id_table[] = {
{ USB_DEVICE(0x19CF, 0x3000) }, /* Parrot NMEA GPS Flight Recorder */
{ USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */
{ USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */
+ { USB_DEVICE(0x1B93, 0x1013) }, /* Phoenix Contact UPS Device */
{ USB_DEVICE(0x1BA4, 0x0002) }, /* Silicon Labs 358x factory default */
{ USB_DEVICE(0x1BE3, 0x07A6) }, /* WAGO 750-923 USB Service Cable */
{ USB_DEVICE(0x1D6F, 0x0010) }, /* Seluxit ApS RF Dongle */
--
2.45.2
3 months, 3 weeks
- 1
- 0
[PATCH] gpio: loongson: Fix Loongson-2K2000 ACPI GPIO register offset
by Binbin Zhou
Since commit 3feb70a61740 ("gpio: loongson: add more gpio chip
support"), the Loongson-2K2000 GPIO is supported.
However, according to the firmware development specification, the
Loongson-2K2000 ACPI GPIO register offsets in the driver do not match
the register base addresses in the firmware, resulting in the registers
not being accessed properly.
Now, we fix it to ensure the GPIO function works properly.
Cc: stable(a)vger.kernel.org
Cc: Yinbo Zhu <zhuyinbo(a)loongson.cn>
Fixes: 3feb70a61740 ("gpio: loongson: add more gpio chip support")
Co-developed-by: Hongliang Wang <wanghongliang(a)loongson.cn>
Signed-off-by: Hongliang Wang <wanghongliang(a)loongson.cn>
Signed-off-by: Binbin Zhou <zhoubinbin(a)loongson.cn>
---
drivers/gpio/gpio-loongson-64bit.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/gpio/gpio-loongson-64bit.c b/drivers/gpio/gpio-loongson-64bit.c
index 6749d4dd6d64..7f4d78fd800e 100644
--- a/drivers/gpio/gpio-loongson-64bit.c
+++ b/drivers/gpio/gpio-loongson-64bit.c
@@ -237,9 +237,9 @@ static const struct loongson_gpio_chip_data loongson_gpio_ls2k2000_data1 = {
static const struct loongson_gpio_chip_data loongson_gpio_ls2k2000_data2 = {
.label = "ls2k2000_gpio",
.mode = BIT_CTRL_MODE,
- .conf_offset = 0x84,
- .in_offset = 0x88,
- .out_offset = 0x80,
+ .conf_offset = 0x4,
+ .in_offset = 0x8,
+ .out_offset = 0x0,
};
static const struct loongson_gpio_chip_data loongson_gpio_ls3a5000_data = {
--
2.43.5
3 months, 3 weeks
- 2
- 1
[withdrawn] mm-zswap-disable-migration-while-using-per-cpu-acomp_ctx.patch removed from -mm tree
by Andrew Morton
The quilt patch titled
Subject: mm: zswap: disable migration while using per-CPU acomp_ctx
has been removed from the -mm tree. Its filename was
mm-zswap-disable-migration-while-using-per-cpu-acomp_ctx.patch
This patch was dropped because it was withdrawn
------------------------------------------------------
From: Yosry Ahmed <yosryahmed(a)google.com>
Subject: mm: zswap: disable migration while using per-CPU acomp_ctx
Date: Tue, 7 Jan 2025 22:22:35 +0000
In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the
current CPU at the beginning of the operation is retrieved and used
throughout. However, since neither preemption nor migration are disabled,
it is possible that the operation continues on a different CPU.
If the original CPU is hotunplugged while the acomp_ctx is still in use,
we run into a UAF bug as the resources attached to the acomp_ctx are freed
during hotunplug in zswap_cpu_comp_dead().
The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use
crypto_acomp API for hardware acceleration") when the switch to the
crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was
retrieved using get_cpu_ptr() which disables preemption and makes sure the
CPU cannot go away from under us. Preemption cannot be disabled with the
crypto_acomp API as a sleepable context is needed.
Commit 8ba2f844f050 ("mm/zswap: change per-cpu mutex and buffer to
per-acomp_ctx") increased the UAF surface area by making the per-CPU
buffers dynamic, adding yet another resource that can be freed from under
zswap compression/decompression by CPU hotunplug.
This cannot be fixed by holding cpus_read_lock(), as it is possible for
code already holding the lock to fall into reclaim and enter zswap
(causing a deadlock). It also cannot be fixed by wrapping the usage of
acomp_ctx in an SRCU critical section and using synchronize_srcu() in
zswap_cpu_comp_dead(), because synchronize_srcu() is not allowed in
CPU-hotplug notifiers (see
Documentation/RCU/Design/Requirements/Requirements.rst).
This can be fixed by refcounting the acomp_ctx, but it involves complexity
in handling the race between the refcount dropping to zero in
zswap_[de]compress() and the refcount being re-initialized when the CPU is
onlined.
Keep things simple for now and just disable migration while using the
per-CPU acomp_ctx to block CPU hotunplug until the usage is over.
Link: https://lkml.kernel.org/r/20250107222236.2715883-2-yosryahmed@google.com
Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration")
Signed-off-by: Yosry Ahmed <yosryahmed(a)google.com>
Reported-by: Johannes Weiner <hannes(a)cmpxchg.org>
Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/
Reported-by: Sam Sun <samsun1006219(a)gmail.com>
Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tP…
Cc: Barry Song <baohua(a)kernel.org>
Cc: Chengming Zhou <chengming.zhou(a)linux.dev>
Cc: Kanchana P Sridhar <kanchana.p.sridhar(a)intel.com>
Cc: Nhat Pham <nphamcs(a)gmail.com>
Cc: syzbot <syzkaller(a)googlegroups.com>
Cc: Vitaly Wool <vitalywool(a)gmail.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
mm/zswap.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
--- a/mm/zswap.c~mm-zswap-disable-migration-while-using-per-cpu-acomp_ctx
+++ a/mm/zswap.c
@@ -880,6 +880,18 @@ static int zswap_cpu_comp_dead(unsigned
return 0;
}
+/* Remain on the CPU while using its acomp_ctx to stop it from going offline */
+static struct crypto_acomp_ctx *acomp_ctx_get_cpu(struct crypto_acomp_ctx __percpu *acomp_ctx)
+{
+ migrate_disable();
+ return raw_cpu_ptr(acomp_ctx);
+}
+
+static void acomp_ctx_put_cpu(void)
+{
+ migrate_enable();
+}
+
static bool zswap_compress(struct page *page, struct zswap_entry *entry,
struct zswap_pool *pool)
{
@@ -893,8 +905,7 @@ static bool zswap_compress(struct page *
gfp_t gfp;
u8 *dst;
- acomp_ctx = raw_cpu_ptr(pool->acomp_ctx);
-
+ acomp_ctx = acomp_ctx_get_cpu(pool->acomp_ctx);
mutex_lock(&acomp_ctx->mutex);
dst = acomp_ctx->buffer;
@@ -950,6 +961,7 @@ unlock:
zswap_reject_alloc_fail++;
mutex_unlock(&acomp_ctx->mutex);
+ acomp_ctx_put_cpu();
return comp_ret == 0 && alloc_ret == 0;
}
@@ -960,7 +972,7 @@ static void zswap_decompress(struct zswa
struct crypto_acomp_ctx *acomp_ctx;
u8 *src;
- acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx);
+ acomp_ctx = acomp_ctx_get_cpu(entry->pool->acomp_ctx);
mutex_lock(&acomp_ctx->mutex);
src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO);
@@ -990,6 +1002,7 @@ static void zswap_decompress(struct zswa
if (src != acomp_ctx->buffer)
zpool_unmap_handle(zpool, entry->handle);
+ acomp_ctx_put_cpu();
}
/*********************************
_
Patches currently in -mm which might be from yosryahmed(a)google.com are
revert-mm-zswap-fix-race-between-compression-and-cpu-hotunplug.patch
3 months, 3 weeks
- 1
- 0
[PATCH RESEND 2/2] mm: zswap: use SRCU to synchronize with CPU hotunplug
by Yosry Ahmed
In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the
current CPU at the beginning of the operation is retrieved and used
throughout. However, since neither preemption nor migration are disabled,
it is possible that the operation continues on a different CPU.
If the original CPU is hotunplugged while the acomp_ctx is still in use,
we run into a UAF bug as the resources attached to the acomp_ctx are freed
during hotunplug in zswap_cpu_comp_dead().
The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use
crypto_acomp API for hardware acceleration") when the switch to the
crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was
retrieved using get_cpu_ptr() which disables preemption and makes sure the
CPU cannot go away from under us. Preemption cannot be disabled with the
crypto_acomp API as a sleepable context is needed.
Commit 8ba2f844f050 ("mm/zswap: change per-cpu mutex and buffer to
per-acomp_ctx") increased the UAF surface area by making the per-CPU
buffers dynamic, adding yet another resource that can be freed from under
zswap compression/decompression by CPU hotunplug.
There are a few ways to fix this:
(a) Add a refcount for acomp_ctx.
(b) Disable migration while using the per-CPU acomp_ctx.
(c) Use SRCU to wait for other CPUs using the acomp_ctx of the CPU being
hotunplugged. Normal RCU cannot be used as a sleepable context is
required.
Implement (c) since it's simpler than (a), and (b) involves using
migrate_disable() which is apparently undesired (see huge comment in
include/linux/preempt.h).
Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration")
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Yosry Ahmed <yosryahmed(a)google.com>
Reported-by: Johannes Weiner <hannes(a)cmpxchg.org>
Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/
Reported-by: Sam Sun <samsun1006219(a)gmail.com>
Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tP…
---
mm/zswap.c | 31 ++++++++++++++++++++++++++++---
1 file changed, 28 insertions(+), 3 deletions(-)
diff --git a/mm/zswap.c b/mm/zswap.c
index f6316b66fb236..add1406d693b8 100644
--- a/mm/zswap.c
+++ b/mm/zswap.c
@@ -864,12 +864,22 @@ static int zswap_cpu_comp_prepare(unsigned int cpu, struct hlist_node *node)
return ret;
}
+DEFINE_STATIC_SRCU(acomp_srcu);
+
static int zswap_cpu_comp_dead(unsigned int cpu, struct hlist_node *node)
{
struct zswap_pool *pool = hlist_entry(node, struct zswap_pool, node);
struct crypto_acomp_ctx *acomp_ctx = per_cpu_ptr(pool->acomp_ctx, cpu);
if (!IS_ERR_OR_NULL(acomp_ctx)) {
+ /*
+ * Even though the acomp_ctx should not be currently in use on
+ * @cpu, it may still be used by compress/decompress operations
+ * that started on @cpu and migrated to a different CPU. Wait
+ * for such usages to complete, any news usages would be a bug.
+ */
+ synchronize_srcu(&acomp_srcu);
+
if (!IS_ERR_OR_NULL(acomp_ctx->req))
acomp_request_free(acomp_ctx->req);
if (!IS_ERR_OR_NULL(acomp_ctx->acomp))
@@ -880,6 +890,18 @@ static int zswap_cpu_comp_dead(unsigned int cpu, struct hlist_node *node)
return 0;
}
+static struct crypto_acomp_ctx *acomp_ctx_get_cpu(struct crypto_acomp_ctx __percpu *acomp_ctx,
+ int *srcu_idx)
+{
+ *srcu_idx = srcu_read_lock(&acomp_srcu);
+ return raw_cpu_ptr(acomp_ctx);
+}
+
+static void acomp_ctx_put_cpu(int srcu_idx)
+{
+ srcu_read_unlock(&acomp_srcu, srcu_idx);
+}
+
static bool zswap_compress(struct page *page, struct zswap_entry *entry,
struct zswap_pool *pool)
{
@@ -889,12 +911,12 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry,
unsigned int dlen = PAGE_SIZE;
unsigned long handle;
struct zpool *zpool;
+ int srcu_idx;
char *buf;
gfp_t gfp;
u8 *dst;
- acomp_ctx = raw_cpu_ptr(pool->acomp_ctx);
-
+ acomp_ctx = acomp_ctx_get_cpu(pool->acomp_ctx, &srcu_idx);
mutex_lock(&acomp_ctx->mutex);
dst = acomp_ctx->buffer;
@@ -950,6 +972,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry,
zswap_reject_alloc_fail++;
mutex_unlock(&acomp_ctx->mutex);
+ acomp_ctx_put_cpu(srcu_idx);
return comp_ret == 0 && alloc_ret == 0;
}
@@ -958,9 +981,10 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio)
struct zpool *zpool = entry->pool->zpool;
struct scatterlist input, output;
struct crypto_acomp_ctx *acomp_ctx;
+ int srcu_idx;
u8 *src;
- acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx);
+ acomp_ctx = acomp_ctx_get_cpu(entry->pool->acomp_ctx, &srcu_idx);
mutex_lock(&acomp_ctx->mutex);
src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO);
@@ -990,6 +1014,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio)
if (src != acomp_ctx->buffer)
zpool_unmap_handle(zpool, entry->handle);
+ acomp_ctx_put_cpu(srcu_idx);
}
/*********************************
--
2.47.1.613.gc27f4b7a9f-goog
3 months, 3 weeks
- 4
- 10
+ zram-fix-potential-uaf-of-zram-table.patch added to mm-hotfixes-unstable branch
by Andrew Morton
The patch titled
Subject: zram: fix potential UAF of zram table
has been added to the -mm mm-hotfixes-unstable branch. Its filename is
zram-fix-potential-uaf-of-zram-table.patch
This patch will shortly appear at
https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…
This patch will later appear in the mm-hotfixes-unstable branch at
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days
------------------------------------------------------
From: Kairui Song <kasong(a)tencent.com>
Subject: zram: fix potential UAF of zram table
Date: Tue, 7 Jan 2025 14:54:46 +0800
If zram_meta_alloc failed early, it frees allocated zram->table without
setting it NULL. Which will potentially cause zram_meta_free to access
the table if user reset an failed and uninitialized device.
Link: https://lkml.kernel.org/r/20250107065446.86928-1-ryncsn@gmail.com
Fixes: 74363ec674cb ("zram: fix uninitialized ZRAM not releasing backing device")
Signed-off-by: Kairui Song <kasong(a)tencent.com>
Reviewed-by: Sergey Senozhatsky <senozhatsky(a)chromium.org>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
drivers/block/zram/zram_drv.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/block/zram/zram_drv.c~zram-fix-potential-uaf-of-zram-table
+++ a/drivers/block/zram/zram_drv.c
@@ -1468,6 +1468,7 @@ static bool zram_meta_alloc(struct zram
zram->mem_pool = zs_create_pool(zram->disk->disk_name);
if (!zram->mem_pool) {
vfree(zram->table);
+ zram->table = NULL;
return false;
}
_
Patches currently in -mm which might be from kasong(a)tencent.com are
zram-fix-potential-uaf-of-zram-table.patch
mm-memcontrol-avoid-duplicated-memcg-enable-check.patch
mm-swap_cgroup-remove-swap_cgroup_cmpxchg.patch
mm-swap_cgroup-remove-global-swap-cgroup-lock.patch
mm-swap_cgroup-decouple-swap-cgroup-recording-and-clearing.patch
mm-swap-minor-clean-up-for-swap-entry-allocation.patch
mm-swap-fold-swap_info_get_cont-in-the-only-caller.patch
mm-swap-remove-old-allocation-path-for-hdd.patch
mm-swap-use-cluster-lock-for-hdd.patch
mm-swap-clean-up-device-availability-check.patch
mm-swap-clean-up-plist-removal-and-adding.patch
mm-swap-hold-a-reference-during-scan-and-cleanup-flag-usage.patch
mm-swap-use-an-enum-to-define-all-cluster-flags-and-wrap-flags-changes.patch
mm-swap-reduce-contention-on-device-lock.patch
mm-swap-simplify-percpu-cluster-updating.patch
mm-swap-introduce-a-helper-for-retrieving-cluster-from-offset.patch
mm-swap-use-a-global-swap-cluster-for-non-rotation-devices.patch
mm-swap_slots-remove-slot-cache-for-freeing-path.patch
3 months, 3 weeks
- 1
- 0
+ selftests-mm-set-allocated-memory-to-non-zero-content-in-cow-test.patch added to mm-hotfixes-unstable branch
by Andrew Morton
The patch titled
Subject: selftests/mm: set allocated memory to non-zero content in cow test
has been added to the -mm mm-hotfixes-unstable branch. Its filename is
selftests-mm-set-allocated-memory-to-non-zero-content-in-cow-test.patch
This patch will shortly appear at
https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…
This patch will later appear in the mm-hotfixes-unstable branch at
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days
------------------------------------------------------
From: Ryan Roberts <ryan.roberts(a)arm.com>
Subject: selftests/mm: set allocated memory to non-zero content in cow test
Date: Tue, 7 Jan 2025 14:25:53 +0000
After commit b1f202060afe ("mm: remap unused subpages to shared zeropage
when splitting isolated thp"), cow test cases involving swapping out THPs
via madvise(MADV_PAGEOUT) started to be skipped due to the subsequent
check via pagemap determining that the memory was not actually swapped
out. Logs similar to this were emitted:
...
# [RUN] Basic COW after fork() ... with swapped-out, PTE-mapped THP (16 kB)
ok 2 # SKIP MADV_PAGEOUT did not work, is swap enabled?
# [RUN] Basic COW after fork() ... with single PTE of swapped-out THP (16 kB)
ok 3 # SKIP MADV_PAGEOUT did not work, is swap enabled?
# [RUN] Basic COW after fork() ... with swapped-out, PTE-mapped THP (32 kB)
ok 4 # SKIP MADV_PAGEOUT did not work, is swap enabled?
...
The commit in question introduces the behaviour of scanning THPs and if
their content is predominantly zero, it splits them and replaces the pages
which are wholly zero with the zero page. These cow test cases were
getting caught up in this.
So let's avoid that by filling the contents of all allocated memory with
a non-zero value. With this in place, the tests are passing again.
Link: https://lkml.kernel.org/r/20250107142555.1870101-1-ryan.roberts@arm.com
Fixes: b1f202060afe ("mm: remap unused subpages to shared zeropage when splitting isolated thp")
Signed-off-by: Ryan Roberts <ryan.roberts(a)arm.com>
Acked-by: David Hildenbrand <david(a)redhat.com>
Cc: Usama Arif <usamaarif642(a)gmail.com>
Cc: Yu Zhao <yuzhao(a)google.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
tools/testing/selftests/mm/cow.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/tools/testing/selftests/mm/cow.c~selftests-mm-set-allocated-memory-to-non-zero-content-in-cow-test
+++ a/tools/testing/selftests/mm/cow.c
@@ -758,7 +758,7 @@ static void do_run_with_base_page(test_f
}
/* Populate a base page. */
- memset(mem, 0, pagesize);
+ memset(mem, 1, pagesize);
if (swapout) {
madvise(mem, pagesize, MADV_PAGEOUT);
@@ -824,12 +824,12 @@ static void do_run_with_thp(test_fn fn,
* Try to populate a THP. Touch the first sub-page and test if
* we get the last sub-page populated automatically.
*/
- mem[0] = 0;
+ mem[0] = 1;
if (!pagemap_is_populated(pagemap_fd, mem + thpsize - pagesize)) {
ksft_test_result_skip("Did not get a THP populated\n");
goto munmap;
}
- memset(mem, 0, thpsize);
+ memset(mem, 1, thpsize);
size = thpsize;
switch (thp_run) {
@@ -1012,7 +1012,7 @@ static void run_with_hugetlb(test_fn fn,
}
/* Populate an huge page. */
- memset(mem, 0, hugetlbsize);
+ memset(mem, 1, hugetlbsize);
/*
* We need a total of two hugetlb pages to handle COW/unsharing
_
Patches currently in -mm which might be from ryan.roberts(a)arm.com are
mm-clear-uffd-wp-pte-pmd-state-on-mremap.patch
selftests-mm-set-allocated-memory-to-non-zero-content-in-cow-test.patch
selftests-mm-add-fork-cow-guard-page-test-fix.patch
selftests-mm-introduce-uffd-wp-mremap-regression-test.patch
3 months, 3 weeks
- 1
- 0
+ revert-mm-zswap-fix-race-between-compression-and-cpu-hotunplug.patch added to mm-hotfixes-unstable branch
by Andrew Morton
The patch titled
Subject: Revert "mm: zswap: fix race between [de]compression and CPU hotunplug"
has been added to the -mm mm-hotfixes-unstable branch. Its filename is
revert-mm-zswap-fix-race-between-compression-and-cpu-hotunplug.patch
This patch will shortly appear at
https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…
This patch will later appear in the mm-hotfixes-unstable branch at
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days
------------------------------------------------------
From: Yosry Ahmed <yosryahmed(a)google.com>
Subject: Revert "mm: zswap: fix race between [de]compression and CPU hotunplug"
Date: Tue, 7 Jan 2025 22:22:34 +0000
This reverts commit eaebeb93922ca6ab0dd92027b73d0112701706ef.
Commit eaebeb93922c ("mm: zswap: fix race between [de]compression and CPU
hotunplug") used the CPU hotplug lock in zswap compress/decompress
operations to protect against a race with CPU hotunplug making some
per-CPU resources go away.
However, zswap compress/decompress can be reached through reclaim while
the lock is held, resulting in a potential deadlock as reported by syzbot:
======================================================
WARNING: possible circular locking dependency detected
6.13.0-rc6-syzkaller-00006-g5428dc1906dd #0 Not tainted
------------------------------------------------------
kswapd0/89 is trying to acquire lock:
ffffffff8e7d2ed0 (cpu_hotplug_lock){++++}-{0:0}, at: acomp_ctx_get_cpu mm/zswap.c:886 [inline]
ffffffff8e7d2ed0 (cpu_hotplug_lock){++++}-{0:0}, at: zswap_compress mm/zswap.c:908 [inline]
ffffffff8e7d2ed0 (cpu_hotplug_lock){++++}-{0:0}, at: zswap_store_page mm/zswap.c:1439 [inline]
ffffffff8e7d2ed0 (cpu_hotplug_lock){++++}-{0:0}, at: zswap_store+0xa74/0x1ba0 mm/zswap.c:1546
but task is already holding lock:
ffffffff8ea355a0 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat mm/vmscan.c:6871 [inline]
ffffffff8ea355a0 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0xb58/0x2f30 mm/vmscan.c:7253
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (fs_reclaim){+.+.}-{0:0}:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
__fs_reclaim_acquire mm/page_alloc.c:3853 [inline]
fs_reclaim_acquire+0x88/0x130 mm/page_alloc.c:3867
might_alloc include/linux/sched/mm.h:318 [inline]
slab_pre_alloc_hook mm/slub.c:4070 [inline]
slab_alloc_node mm/slub.c:4148 [inline]
__kmalloc_cache_node_noprof+0x40/0x3a0 mm/slub.c:4337
kmalloc_node_noprof include/linux/slab.h:924 [inline]
alloc_worker kernel/workqueue.c:2638 [inline]
create_worker+0x11b/0x720 kernel/workqueue.c:2781
workqueue_prepare_cpu+0xe3/0x170 kernel/workqueue.c:6628
cpuhp_invoke_callback+0x48d/0x830 kernel/cpu.c:194
__cpuhp_invoke_callback_range kernel/cpu.c:965 [inline]
cpuhp_invoke_callback_range kernel/cpu.c:989 [inline]
cpuhp_up_callbacks kernel/cpu.c:1020 [inline]
_cpu_up+0x2b3/0x580 kernel/cpu.c:1690
cpu_up+0x184/0x230 kernel/cpu.c:1722
cpuhp_bringup_mask+0xdf/0x260 kernel/cpu.c:1788
cpuhp_bringup_cpus_parallel+0xf9/0x160 kernel/cpu.c:1878
bringup_nonboot_cpus+0x2b/0x50 kernel/cpu.c:1892
smp_init+0x34/0x150 kernel/smp.c:1009
kernel_init_freeable+0x417/0x5d0 init/main.c:1569
kernel_init+0x1d/0x2b0 init/main.c:1466
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
-> #0 (cpu_hotplug_lock){++++}-{0:0}:
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
__lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
percpu_down_read include/linux/percpu-rwsem.h:51 [inline]
cpus_read_lock+0x42/0x150 kernel/cpu.c:490
acomp_ctx_get_cpu mm/zswap.c:886 [inline]
zswap_compress mm/zswap.c:908 [inline]
zswap_store_page mm/zswap.c:1439 [inline]
zswap_store+0xa74/0x1ba0 mm/zswap.c:1546
swap_writepage+0x647/0xce0 mm/page_io.c:279
shmem_writepage+0x1248/0x1610 mm/shmem.c:1579
pageout mm/vmscan.c:696 [inline]
shrink_folio_list+0x35ee/0x57e0 mm/vmscan.c:1374
shrink_inactive_list mm/vmscan.c:1967 [inline]
shrink_list mm/vmscan.c:2205 [inline]
shrink_lruvec+0x16db/0x2f30 mm/vmscan.c:5734
mem_cgroup_shrink_node+0x385/0x8e0 mm/vmscan.c:6575
mem_cgroup_soft_reclaim mm/memcontrol-v1.c:312 [inline]
memcg1_soft_limit_reclaim+0x346/0x810 mm/memcontrol-v1.c:362
balance_pgdat mm/vmscan.c:6975 [inline]
kswapd+0x17b3/0x2f30 mm/vmscan.c:7253
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(fs_reclaim);
lock(cpu_hotplug_lock);
lock(fs_reclaim);
rlock(cpu_hotplug_lock);
*** DEADLOCK ***
1 lock held by kswapd0/89:
#0: ffffffff8ea355a0 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat mm/vmscan.c:6871 [inline]
#0: ffffffff8ea355a0 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0xb58/0x2f30 mm/vmscan.c:7253
stack backtrace:
CPU: 0 UID: 0 PID: 89 Comm: kswapd0 Not tainted 6.13.0-rc6-syzkaller-00006-g5428dc1906dd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2074
check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2206
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
__lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
percpu_down_read include/linux/percpu-rwsem.h:51 [inline]
cpus_read_lock+0x42/0x150 kernel/cpu.c:490
acomp_ctx_get_cpu mm/zswap.c:886 [inline]
zswap_compress mm/zswap.c:908 [inline]
zswap_store_page mm/zswap.c:1439 [inline]
zswap_store+0xa74/0x1ba0 mm/zswap.c:1546
swap_writepage+0x647/0xce0 mm/page_io.c:279
shmem_writepage+0x1248/0x1610 mm/shmem.c:1579
pageout mm/vmscan.c:696 [inline]
shrink_folio_list+0x35ee/0x57e0 mm/vmscan.c:1374
shrink_inactive_list mm/vmscan.c:1967 [inline]
shrink_list mm/vmscan.c:2205 [inline]
shrink_lruvec+0x16db/0x2f30 mm/vmscan.c:5734
mem_cgroup_shrink_node+0x385/0x8e0 mm/vmscan.c:6575
mem_cgroup_soft_reclaim mm/memcontrol-v1.c:312 [inline]
memcg1_soft_limit_reclaim+0x346/0x810 mm/memcontrol-v1.c:362
balance_pgdat mm/vmscan.c:6975 [inline]
kswapd+0x17b3/0x2f30 mm/vmscan.c:7253
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Revert the change. A different fix for the race with CPU hotunplug will
follow.
Link: https://lkml.kernel.org/r/20250107222236.2715883-1-yosryahmed@google.com
Signed-off-by: Yosry Ahmed <yosryahmed(a)google.com>
Reported-by: syzbot <syzkaller(a)googlegroups.com>
Cc: Barry Song <baohua(a)kernel.org>
Cc: Chengming Zhou <chengming.zhou(a)linux.dev>
Cc: Johannes Weiner <hannes(a)cmpxchg.org>
Cc: Kanchana P Sridhar <kanchana.p.sridhar(a)intel.com>
Cc: Nhat Pham <nphamcs(a)gmail.com>
Cc: Sam Sun <samsun1006219(a)gmail.com>
Cc: Vitaly Wool <vitalywool(a)gmail.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
mm/zswap.c | 19 +++----------------
1 file changed, 3 insertions(+), 16 deletions(-)
--- a/mm/zswap.c~revert-mm-zswap-fix-race-between-compression-and-cpu-hotunplug
+++ a/mm/zswap.c
@@ -880,18 +880,6 @@ static int zswap_cpu_comp_dead(unsigned
return 0;
}
-/* Prevent CPU hotplug from freeing up the per-CPU acomp_ctx resources */
-static struct crypto_acomp_ctx *acomp_ctx_get_cpu(struct crypto_acomp_ctx __percpu *acomp_ctx)
-{
- cpus_read_lock();
- return raw_cpu_ptr(acomp_ctx);
-}
-
-static void acomp_ctx_put_cpu(void)
-{
- cpus_read_unlock();
-}
-
static bool zswap_compress(struct page *page, struct zswap_entry *entry,
struct zswap_pool *pool)
{
@@ -905,7 +893,8 @@ static bool zswap_compress(struct page *
gfp_t gfp;
u8 *dst;
- acomp_ctx = acomp_ctx_get_cpu(pool->acomp_ctx);
+ acomp_ctx = raw_cpu_ptr(pool->acomp_ctx);
+
mutex_lock(&acomp_ctx->mutex);
dst = acomp_ctx->buffer;
@@ -961,7 +950,6 @@ unlock:
zswap_reject_alloc_fail++;
mutex_unlock(&acomp_ctx->mutex);
- acomp_ctx_put_cpu();
return comp_ret == 0 && alloc_ret == 0;
}
@@ -972,7 +960,7 @@ static void zswap_decompress(struct zswa
struct crypto_acomp_ctx *acomp_ctx;
u8 *src;
- acomp_ctx = acomp_ctx_get_cpu(entry->pool->acomp_ctx);
+ acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx);
mutex_lock(&acomp_ctx->mutex);
src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO);
@@ -1002,7 +990,6 @@ static void zswap_decompress(struct zswa
if (src != acomp_ctx->buffer)
zpool_unmap_handle(zpool, entry->handle);
- acomp_ctx_put_cpu();
}
/*********************************
_
Patches currently in -mm which might be from yosryahmed(a)google.com are
revert-mm-zswap-fix-race-between-compression-and-cpu-hotunplug.patch
mm-zswap-disable-migration-while-using-per-cpu-acomp_ctx.patch
3 months, 3 weeks
- 1
- 0
+ mm-zswap-disable-migration-while-using-per-cpu-acomp_ctx.patch added to mm-hotfixes-unstable branch
by Andrew Morton
The patch titled
Subject: mm: zswap: disable migration while using per-CPU acomp_ctx
has been added to the -mm mm-hotfixes-unstable branch. Its filename is
mm-zswap-disable-migration-while-using-per-cpu-acomp_ctx.patch
This patch will shortly appear at
https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…
This patch will later appear in the mm-hotfixes-unstable branch at
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days
------------------------------------------------------
From: Yosry Ahmed <yosryahmed(a)google.com>
Subject: mm: zswap: disable migration while using per-CPU acomp_ctx
Date: Tue, 7 Jan 2025 22:22:35 +0000
In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the
current CPU at the beginning of the operation is retrieved and used
throughout. However, since neither preemption nor migration are disabled,
it is possible that the operation continues on a different CPU.
If the original CPU is hotunplugged while the acomp_ctx is still in use,
we run into a UAF bug as the resources attached to the acomp_ctx are freed
during hotunplug in zswap_cpu_comp_dead().
The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use
crypto_acomp API for hardware acceleration") when the switch to the
crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was
retrieved using get_cpu_ptr() which disables preemption and makes sure the
CPU cannot go away from under us. Preemption cannot be disabled with the
crypto_acomp API as a sleepable context is needed.
Commit 8ba2f844f050 ("mm/zswap: change per-cpu mutex and buffer to
per-acomp_ctx") increased the UAF surface area by making the per-CPU
buffers dynamic, adding yet another resource that can be freed from under
zswap compression/decompression by CPU hotunplug.
This cannot be fixed by holding cpus_read_lock(), as it is possible for
code already holding the lock to fall into reclaim and enter zswap
(causing a deadlock). It also cannot be fixed by wrapping the usage of
acomp_ctx in an SRCU critical section and using synchronize_srcu() in
zswap_cpu_comp_dead(), because synchronize_srcu() is not allowed in
CPU-hotplug notifiers (see
Documentation/RCU/Design/Requirements/Requirements.rst).
This can be fixed by refcounting the acomp_ctx, but it involves complexity
in handling the race between the refcount dropping to zero in
zswap_[de]compress() and the refcount being re-initialized when the CPU is
onlined.
Keep things simple for now and just disable migration while using the
per-CPU acomp_ctx to block CPU hotunplug until the usage is over.
Link: https://lkml.kernel.org/r/20250107222236.2715883-2-yosryahmed@google.com
Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration")
Signed-off-by: Yosry Ahmed <yosryahmed(a)google.com>
Reported-by: Johannes Weiner <hannes(a)cmpxchg.org>
Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/
Reported-by: Sam Sun <samsun1006219(a)gmail.com>
Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tP…
Cc: Barry Song <baohua(a)kernel.org>
Cc: Chengming Zhou <chengming.zhou(a)linux.dev>
Cc: Kanchana P Sridhar <kanchana.p.sridhar(a)intel.com>
Cc: Nhat Pham <nphamcs(a)gmail.com>
Cc: syzbot <syzkaller(a)googlegroups.com>
Cc: Vitaly Wool <vitalywool(a)gmail.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
mm/zswap.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
--- a/mm/zswap.c~mm-zswap-disable-migration-while-using-per-cpu-acomp_ctx
+++ a/mm/zswap.c
@@ -880,6 +880,18 @@ static int zswap_cpu_comp_dead(unsigned
return 0;
}
+/* Remain on the CPU while using its acomp_ctx to stop it from going offline */
+static struct crypto_acomp_ctx *acomp_ctx_get_cpu(struct crypto_acomp_ctx __percpu *acomp_ctx)
+{
+ migrate_disable();
+ return raw_cpu_ptr(acomp_ctx);
+}
+
+static void acomp_ctx_put_cpu(void)
+{
+ migrate_enable();
+}
+
static bool zswap_compress(struct page *page, struct zswap_entry *entry,
struct zswap_pool *pool)
{
@@ -893,8 +905,7 @@ static bool zswap_compress(struct page *
gfp_t gfp;
u8 *dst;
- acomp_ctx = raw_cpu_ptr(pool->acomp_ctx);
-
+ acomp_ctx = acomp_ctx_get_cpu(pool->acomp_ctx);
mutex_lock(&acomp_ctx->mutex);
dst = acomp_ctx->buffer;
@@ -950,6 +961,7 @@ unlock:
zswap_reject_alloc_fail++;
mutex_unlock(&acomp_ctx->mutex);
+ acomp_ctx_put_cpu();
return comp_ret == 0 && alloc_ret == 0;
}
@@ -960,7 +972,7 @@ static void zswap_decompress(struct zswa
struct crypto_acomp_ctx *acomp_ctx;
u8 *src;
- acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx);
+ acomp_ctx = acomp_ctx_get_cpu(entry->pool->acomp_ctx);
mutex_lock(&acomp_ctx->mutex);
src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO);
@@ -990,6 +1002,7 @@ static void zswap_decompress(struct zswa
if (src != acomp_ctx->buffer)
zpool_unmap_handle(zpool, entry->handle);
+ acomp_ctx_put_cpu();
}
/*********************************
_
Patches currently in -mm which might be from yosryahmed(a)google.com are
revert-mm-zswap-fix-race-between-compression-and-cpu-hotunplug.patch
mm-zswap-disable-migration-while-using-per-cpu-acomp_ctx.patch
3 months, 3 weeks
- 1
- 0
+ mm-clear-uffd-wp-pte-pmd-state-on-mremap.patch added to mm-hotfixes-unstable branch
by Andrew Morton
The patch titled
Subject: mm: clear uffd-wp PTE/PMD state on mremap()
has been added to the -mm mm-hotfixes-unstable branch. Its filename is
mm-clear-uffd-wp-pte-pmd-state-on-mremap.patch
This patch will shortly appear at
https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…
This patch will later appear in the mm-hotfixes-unstable branch at
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days
------------------------------------------------------
From: Ryan Roberts <ryan.roberts(a)arm.com>
Subject: mm: clear uffd-wp PTE/PMD state on mremap()
Date: Tue, 7 Jan 2025 14:47:52 +0000
When mremap()ing a memory region previously registered with userfaultfd as
write-protected but without UFFD_FEATURE_EVENT_REMAP, an inconsistency in
flag clearing leads to a mismatch between the vma flags (which have
uffd-wp cleared) and the pte/pmd flags (which do not have uffd-wp
cleared). This mismatch causes a subsequent mprotect(PROT_WRITE) to
trigger a warning in page_table_check_pte_flags() due to setting the pte
to writable while uffd-wp is still set.
Fix this by always explicitly clearing the uffd-wp pte/pmd flags on any
such mremap() so that the values are consistent with the existing clearing
of VM_UFFD_WP. Be careful to clear the logical flag regardless of its
physical form; a PTE bit, a swap PTE bit, or a PTE marker. Cover PTE,
huge PMD and hugetlb paths.
Link: https://lkml.kernel.org/r/20250107144755.1871363-2-ryan.roberts@arm.com
Co-developed-by: Miko��aj Lenczewski <miko.lenczewski(a)arm.com>
Signed-off-by: Miko��aj Lenczewski <miko.lenczewski(a)arm.com>
Signed-off-by: Ryan Roberts <ryan.roberts(a)arm.com>
Closes: https://lore.kernel.org/linux-mm/810b44a8-d2ae-4107-b665-5a42eae2d948@arm.c…
Fixes: 63b2d4174c4a ("userfaultfd: wp: add the writeprotect API to userfaultfd ioctl")
Cc: David Hildenbrand <david(a)redhat.com>
Cc: Jann Horn <jannh(a)google.com>
Cc: Liam R. Howlett <Liam.Howlett(a)Oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com>
Cc: Mark Rutland <mark.rutland(a)arm.com>
Cc: Muchun Song <muchun.song(a)linux.dev>
Cc: Peter Xu <peterx(a)redhat.com>
Cc: Shuah Khan <shuah(a)kernel.org>
Cc: Vlastimil Babka <vbabka(a)suse.cz>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
include/linux/userfaultfd_k.h | 12 ++++++++++++
mm/huge_memory.c | 12 ++++++++++++
mm/hugetlb.c | 14 +++++++++++++-
mm/mremap.c | 32 +++++++++++++++++++++++++++++++-
4 files changed, 68 insertions(+), 2 deletions(-)
--- a/include/linux/userfaultfd_k.h~mm-clear-uffd-wp-pte-pmd-state-on-mremap
+++ a/include/linux/userfaultfd_k.h
@@ -247,6 +247,13 @@ static inline bool vma_can_userfault(str
vma_is_shmem(vma);
}
+static inline bool vma_has_uffd_without_event_remap(struct vm_area_struct *vma)
+{
+ struct userfaultfd_ctx *uffd_ctx = vma->vm_userfaultfd_ctx.ctx;
+
+ return uffd_ctx && (uffd_ctx->features & UFFD_FEATURE_EVENT_REMAP) == 0;
+}
+
extern int dup_userfaultfd(struct vm_area_struct *, struct list_head *);
extern void dup_userfaultfd_complete(struct list_head *);
void dup_userfaultfd_fail(struct list_head *);
@@ -401,6 +408,11 @@ static inline bool userfaultfd_wp_async(
{
return false;
}
+
+static inline bool vma_has_uffd_without_event_remap(struct vm_area_struct *vma)
+{
+ return false;
+}
#endif /* CONFIG_USERFAULTFD */
--- a/mm/huge_memory.c~mm-clear-uffd-wp-pte-pmd-state-on-mremap
+++ a/mm/huge_memory.c
@@ -2206,6 +2206,16 @@ static pmd_t move_soft_dirty_pmd(pmd_t p
return pmd;
}
+static pmd_t clear_uffd_wp_pmd(pmd_t pmd)
+{
+ if (pmd_present(pmd))
+ pmd = pmd_clear_uffd_wp(pmd);
+ else if (is_swap_pmd(pmd))
+ pmd = pmd_swp_clear_uffd_wp(pmd);
+
+ return pmd;
+}
+
bool move_huge_pmd(struct vm_area_struct *vma, unsigned long old_addr,
unsigned long new_addr, pmd_t *old_pmd, pmd_t *new_pmd)
{
@@ -2244,6 +2254,8 @@ bool move_huge_pmd(struct vm_area_struct
pgtable_trans_huge_deposit(mm, new_pmd, pgtable);
}
pmd = move_soft_dirty_pmd(pmd);
+ if (vma_has_uffd_without_event_remap(vma))
+ pmd = clear_uffd_wp_pmd(pmd);
set_pmd_at(mm, new_addr, new_pmd, pmd);
if (force_flush)
flush_pmd_tlb_range(vma, old_addr, old_addr + PMD_SIZE);
--- a/mm/hugetlb.c~mm-clear-uffd-wp-pte-pmd-state-on-mremap
+++ a/mm/hugetlb.c
@@ -5402,6 +5402,7 @@ static void move_huge_pte(struct vm_area
unsigned long new_addr, pte_t *src_pte, pte_t *dst_pte,
unsigned long sz)
{
+ bool need_clear_uffd_wp = vma_has_uffd_without_event_remap(vma);
struct hstate *h = hstate_vma(vma);
struct mm_struct *mm = vma->vm_mm;
spinlock_t *src_ptl, *dst_ptl;
@@ -5418,7 +5419,18 @@ static void move_huge_pte(struct vm_area
spin_lock_nested(src_ptl, SINGLE_DEPTH_NESTING);
pte = huge_ptep_get_and_clear(mm, old_addr, src_pte);
- set_huge_pte_at(mm, new_addr, dst_pte, pte, sz);
+
+ if (need_clear_uffd_wp && pte_marker_uffd_wp(pte))
+ huge_pte_clear(mm, new_addr, dst_pte, sz);
+ else {
+ if (need_clear_uffd_wp) {
+ if (pte_present(pte))
+ pte = huge_pte_clear_uffd_wp(pte);
+ else if (is_swap_pte(pte))
+ pte = pte_swp_clear_uffd_wp(pte);
+ }
+ set_huge_pte_at(mm, new_addr, dst_pte, pte, sz);
+ }
if (src_ptl != dst_ptl)
spin_unlock(src_ptl);
--- a/mm/mremap.c~mm-clear-uffd-wp-pte-pmd-state-on-mremap
+++ a/mm/mremap.c
@@ -138,6 +138,7 @@ static int move_ptes(struct vm_area_stru
struct vm_area_struct *new_vma, pmd_t *new_pmd,
unsigned long new_addr, bool need_rmap_locks)
{
+ bool need_clear_uffd_wp = vma_has_uffd_without_event_remap(vma);
struct mm_struct *mm = vma->vm_mm;
pte_t *old_pte, *new_pte, pte;
pmd_t dummy_pmdval;
@@ -216,7 +217,18 @@ static int move_ptes(struct vm_area_stru
force_flush = true;
pte = move_pte(pte, old_addr, new_addr);
pte = move_soft_dirty_pte(pte);
- set_pte_at(mm, new_addr, new_pte, pte);
+
+ if (need_clear_uffd_wp && pte_marker_uffd_wp(pte))
+ pte_clear(mm, new_addr, new_pte);
+ else {
+ if (need_clear_uffd_wp) {
+ if (pte_present(pte))
+ pte = pte_clear_uffd_wp(pte);
+ else if (is_swap_pte(pte))
+ pte = pte_swp_clear_uffd_wp(pte);
+ }
+ set_pte_at(mm, new_addr, new_pte, pte);
+ }
}
arch_leave_lazy_mmu_mode();
@@ -278,6 +290,15 @@ static bool move_normal_pmd(struct vm_ar
if (WARN_ON_ONCE(!pmd_none(*new_pmd)))
return false;
+ /* If this pmd belongs to a uffd vma with remap events disabled, we need
+ * to ensure that the uffd-wp state is cleared from all pgtables. This
+ * means recursing into lower page tables in move_page_tables(), and we
+ * can reuse the existing code if we simply treat the entry as "not
+ * moved".
+ */
+ if (vma_has_uffd_without_event_remap(vma))
+ return false;
+
/*
* We don't have to worry about the ordering of src and dst
* ptlocks because exclusive mmap_lock prevents deadlock.
@@ -333,6 +354,15 @@ static bool move_normal_pud(struct vm_ar
if (WARN_ON_ONCE(!pud_none(*new_pud)))
return false;
+ /* If this pud belongs to a uffd vma with remap events disabled, we need
+ * to ensure that the uffd-wp state is cleared from all pgtables. This
+ * means recursing into lower page tables in move_page_tables(), and we
+ * can reuse the existing code if we simply treat the entry as "not
+ * moved".
+ */
+ if (vma_has_uffd_without_event_remap(vma))
+ return false;
+
/*
* We don't have to worry about the ordering of src and dst
* ptlocks because exclusive mmap_lock prevents deadlock.
_
Patches currently in -mm which might be from ryan.roberts(a)arm.com are
mm-clear-uffd-wp-pte-pmd-state-on-mremap.patch
3 months, 3 weeks
- 1
- 0
+ selftests-mm-virtual_address_range-avoid-reading-vvar-mappings.patch added to mm-hotfixes-unstable branch
by Andrew Morton
The patch titled
Subject: selftests/mm: virtual_address_range: avoid reading VVAR mappings
has been added to the -mm mm-hotfixes-unstable branch. Its filename is
selftests-mm-virtual_address_range-avoid-reading-vvar-mappings.patch
This patch will shortly appear at
https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…
This patch will later appear in the mm-hotfixes-unstable branch at
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days
------------------------------------------------------
From: Thomas Wei��schuh <thomas.weissschuh(a)linutronix.de>
Subject: selftests/mm: virtual_address_range: avoid reading VVAR mappings
Date: Tue, 07 Jan 2025 16:14:46 +0100
The virtual_address_range selftest reads from the start of each mapping
listed in /proc/self/maps.
However not all mappings are valid to be arbitrarily accessed. For
example the vvar data used for virtual clocks on x86 can only be accessed
if 1) the kernel configuration enables virtual clocks and 2) the
hypervisor provided the data for it, which can only determined by the VDSO
code itself.
Since commit e93d2521b27f ("x86/vdso: Split virtual clock pages into
dedicated mapping") the virtual clock data was split out into its own
mapping, triggering faulting accesses by virtual_address_range.
Skip the various vvar mappings in virtual_address_range to avoid errors.
Link: https://lkml.kernel.org/r/20250107-virtual_address_range-tests-v1-2-3834a2f…
Fixes: e93d2521b27f ("x86/vdso: Split virtual clock pages into dedicated mapping")
Fixes: 010409649885 ("selftests/mm: confirm VA exhaustion without reliance on correctness of mmap()")
Signed-off-by: Thomas Wei��schuh <thomas.weissschuh(a)linutronix.de>
Reported-by: kernel test robot <oliver.sang(a)intel.com>
Closes: https://lore.kernel.org/oe-lkp/202412271148.2656e485-lkp@intel.com
Cc: Dev Jain <dev.jain(a)arm.com>
Cc: Shuah Khan <shuah(a)kernel.org>
Cc: Thomas Gleixner <tglx(a)linutronix.de>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
tools/testing/selftests/mm/virtual_address_range.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/tools/testing/selftests/mm/virtual_address_range.c~selftests-mm-virtual_address_range-avoid-reading-vvar-mappings
+++ a/tools/testing/selftests/mm/virtual_address_range.c
@@ -116,10 +116,11 @@ static int validate_complete_va_space(vo
prev_end_addr = 0;
while (fgets(line, sizeof(line), file)) {
+ int path_offset = 0;
unsigned long hop;
- if (sscanf(line, "%lx-%lx %s[rwxp-]",
- &start_addr, &end_addr, prot) != 3)
+ if (sscanf(line, "%lx-%lx %4s %*s %*s %*s %n",
+ &start_addr, &end_addr, prot, &path_offset) != 3)
ksft_exit_fail_msg("cannot parse /proc/self/maps\n");
/* end of userspace mappings; ignore vsyscall mapping */
@@ -135,6 +136,10 @@ static int validate_complete_va_space(vo
if (prot[0] != 'r')
continue;
+ /* Only the VDSO can know if a VVAR mapping is really readable */
+ if (path_offset && !strncmp(line + path_offset, "[vvar", 5))
+ continue;
+
/*
* Confirm whether MAP_CHUNK_SIZE chunk can be found or not.
* If write succeeds, no need to check MAP_CHUNK_SIZE - 1
_
Patches currently in -mm which might be from thomas.weissschuh(a)linutronix.de are
selftests-mm-virtual_address_range-fix-error-when-commitlimit-1gib.patch
selftests-mm-virtual_address_range-avoid-reading-vvar-mappings.patch
3 months, 3 weeks
- 1
- 0
+ selftests-mm-virtual_address_range-fix-error-when-commitlimit-1gib.patch added to mm-hotfixes-unstable branch
by Andrew Morton
The patch titled
Subject: selftests/mm: virtual_address_range: fix error when CommitLimit < 1GiB
has been added to the -mm mm-hotfixes-unstable branch. Its filename is
selftests-mm-virtual_address_range-fix-error-when-commitlimit-1gib.patch
This patch will shortly appear at
https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…
This patch will later appear in the mm-hotfixes-unstable branch at
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days
------------------------------------------------------
From: Thomas Wei��schuh <thomas.weissschuh(a)linutronix.de>
Subject: selftests/mm: virtual_address_range: fix error when CommitLimit < 1GiB
Date: Tue, 07 Jan 2025 16:14:45 +0100
If not enough physical memory is available the kernel may fail mmap(); see
__vm_enough_memory() and vm_commit_limit(). In that case the logic in
validate_complete_va_space() does not make sense and will even incorrectly
fail. Instead skip the test if no mmap() succeeded.
Link: https://lkml.kernel.org/r/20250107-virtual_address_range-tests-v1-1-3834a2f…
Fixes: 010409649885 ("selftests/mm: confirm VA exhaustion without reliance on correctness of mmap()")
Signed-off-by: Thomas Wei��schuh <thomas.weissschuh(a)linutronix.de>
Cc: <stable(a)vger.kernel.org>
Cc: Dev Jain <dev.jain(a)arm.com>
Cc: kernel test robot <oliver.sang(a)intel.com>
Cc: Shuah Khan <shuah(a)kernel.org>
Cc: Thomas Gleixner <tglx(a)linutronix.de>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
tools/testing/selftests/mm/virtual_address_range.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/tools/testing/selftests/mm/virtual_address_range.c~selftests-mm-virtual_address_range-fix-error-when-commitlimit-1gib
+++ a/tools/testing/selftests/mm/virtual_address_range.c
@@ -178,6 +178,12 @@ int main(int argc, char *argv[])
validate_addr(ptr[i], 0);
}
lchunks = i;
+
+ if (!lchunks) {
+ ksft_test_result_skip("Not enough memory for a single chunk\n");
+ ksft_finished();
+ }
+
hptr = (char **) calloc(NR_CHUNKS_HIGH, sizeof(char *));
if (hptr == NULL) {
ksft_test_result_skip("Memory constraint not fulfilled\n");
_
Patches currently in -mm which might be from thomas.weissschuh(a)linutronix.de are
selftests-mm-virtual_address_range-fix-error-when-commitlimit-1gib.patch
selftests-mm-virtual_address_range-avoid-reading-vvar-mappings.patch
3 months, 3 weeks
- 1
- 0
[PATCH v9 0/4] clk: qcom: Add support for multiple power-domains for a clock controller.
by Bryan O'Donoghue
Changes in v9:
- Added patch to unwind pm subdomains in reverse order.
It would also be possible to squash this patch into patch#2 but,
my own preference is for more granular patches like this instead of
"slipping in" functional changes in larger patches like #2. - bod
- Unwinding pm subdomain on error in patch #2.
To facilitate this change patch #1 was created - Vlad
- Drops Bjorn's RB on patch #2. There is a small churn in this patch
but enough that a reviewer might reasonably expect RB to be given again.
- Amends commit log for patch #3 further.
v8 added a lot to the commit log to provide further information but, it
is clear from the comments I received on the commit log that the added
verbiage was occlusive not elucidative.
Reduce down the commit log of patch #3 - especially Q&A item #1.
Sometimes less is more.
- Link to v8: https://lore.kernel.org/r/20241211-b4-linux-next-24-11-18-clock-multiple-po…
Changes in v8:
- Picks up change I agreed with Vlad but failed to cherry-pick into my b4
tree - Vlad/Bod
- Rewords the commit log for patch #3. As I read it I decided I might
translate bits of it from thought-stream into English - Bod
- Link to v7: https://lore.kernel.org/r/20241211-b4-linux-next-24-11-18-clock-multiple-po…
Changes in v7:
- Expand commit log in patch #3
I've discussed with Bjorn on IRC and video what to put into the log here
and captured most of what we discussed.
Mostly the point here is voting for voltages in the power-domain list
is up to the drivers to do with performance states/opp-tables not for the
GDSC code. - Bjorn/Bryan
- Link to v6: https://lore.kernel.org/r/20241129-b4-linux-next-24-11-18-clock-multiple-po…
Changes in v6:
- Passes NULL to second parameter of devm_pm_domain_attach_list - Vlad
- Link to v5: https://lore.kernel.org/r/20241128-b4-linux-next-24-11-18-clock-multiple-po…
Changes in v5:
- In-lines devm_pm_domain_attach_list() in probe() directly - Vlad
- Link to v4: https://lore.kernel.org/r/20241127-b4-linux-next-24-11-18-clock-multiple-po…
v4:
- Adds Bjorn's RB to first patch - Bjorn
- Drops the 'd' in "and int" - Bjorn
- Amends commit log of patch 3 to capture a number of open questions -
Bjorn
- Link to v3: https://lore.kernel.org/r/20241126-b4-linux-next-24-11-18-clock-multiple-po…
v3:
- Fixes commit log "per which" - Bryan
- Link to v2: https://lore.kernel.org/r/20241125-b4-linux-next-24-11-18-clock-multiple-po…
v2:
The main change in this version is Bjorn's pointing out that pm_runtime_*
inside of the gdsc_enable/gdsc_disable path would be recursive and cause a
lockdep splat. Dmitry alluded to this too.
Bjorn pointed to stuff being done lower in the gdsc_register() routine that
might be a starting point.
I iterated around that idea and came up with patch #3. When a gdsc has no
parent and the pd_list is non-NULL then attach that orphan GDSC to the
clock controller power-domain list.
Existing subdomain code in gdsc_register() will connect the parent GDSCs in
the clock-controller to the clock-controller subdomain, the new code here
does that same job for a list of power-domains the clock controller depends
on.
To Dmitry's point about MMCX and MCX dependencies for the registers inside
of the clock controller, I have switched off all references in a test dtsi
and confirmed that accessing the clock-controller regs themselves isn't
required.
On the second point I also verified my test branch with lockdep on which
was a concern with the pm_domain version of this solution but I wanted to
cover it anyway with the new approach for completeness sake.
Here's the item-by-item list of changes:
- Adds a patch to capture pm_genpd_add_subdomain() result code - Bryan
- Changes changelog of second patch to remove singleton and generally
to make the commit log easier to understand - Bjorn
- Uses demv_pm_domain_attach_list - Vlad
- Changes error check to if (ret < 0 && ret != -EEXIST) - Vlad
- Retains passing &pd_data instead of NULL - because NULL doesn't do
the same thing - Bryan/Vlad
- Retains standalone function qcom_cc_pds_attach() because the pd_data
enumeration looks neater in a standalone function - Bryan/Vlad
- Drops pm_runtime in favour of gdsc_add_subdomain_list() for each
power-domain in the pd_list.
The pd_list will be whatever is pointed to by power-domains = <>
in the dtsi - Bjorn
- Link to v1: https://lore.kernel.org/r/20241118-b4-linux-next-24-11-18-clock-multiple-po…
v1:
On x1e80100 and it's SKUs the Camera Clock Controller - CAMCC has
multiple power-domains which power it. Usually with a single power-domain
the core platform code will automatically switch on the singleton
power-domain for you. If you have multiple power-domains for a device, in
this case the clock controller, you need to switch those power-domains
on/off yourself.
The clock controllers can also contain Global Distributed
Switch Controllers - GDSCs which themselves can be referenced from dtsi
nodes ultimately triggering a gdsc_en() in drivers/clk/qcom/gdsc.c.
As an example:
cci0: cci@ac4a000 {
power-domains = <&camcc TITAN_TOP_GDSC>;
};
This series adds the support to attach a power-domain list to the
clock-controllers and the GDSCs those controllers provide so that in the
case of the above example gdsc_toggle_logic() will trigger the power-domain
list with pm_runtime_resume_and_get() and pm_runtime_put_sync()
respectively.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue(a)linaro.org>
---
Bryan O'Donoghue (4):
clk: qcom: gdsc: Release pm subdomains in reverse add order
clk: qcom: gdsc: Capture pm_genpd_add_subdomain result code
clk: qcom: common: Add support for power-domain attachment
clk: qcom: Support attaching GDSCs to multiple parents
drivers/clk/qcom/common.c | 6 ++++
drivers/clk/qcom/gdsc.c | 75 +++++++++++++++++++++++++++++++++++++++--------
drivers/clk/qcom/gdsc.h | 1 +
3 files changed, 69 insertions(+), 13 deletions(-)
---
base-commit: 8155b4ef3466f0e289e8fcc9e6e62f3f4dceeac2
change-id: 20241118-b4-linux-next-24-11-18-clock-multiple-power-domains-a5f994dc452a
Best regards,
--
Bryan O'Donoghue <bryan.odonoghue(a)linaro.org>
3 months, 3 weeks
- 2
- 5
[PATCH 6.12 000/160] 6.12.7-rc1 review
by Greg Kroah-Hartman
This is the start of the stable review cycle for the 6.12.7 release.
There are 160 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Fri, 27 Dec 2024 15:53:30 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.7-rc1…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 6.12.7-rc1
Xuewen Yan <xuewen.yan(a)unisoc.com>
epoll: Add synchronous wakeup support for ep_poll_callback
Usama Arif <usamaarif642(a)gmail.com>
mm: convert partially_mapped set/clear operations to be atomic
Hugh Dickins <hughd(a)google.com>
mm: shmem: fix ShmemHugePages at swapout
Kefeng Wang <wangkefeng.wang(a)huawei.com>
mm: use aligned address in copy_user_gigantic_page()
Kefeng Wang <wangkefeng.wang(a)huawei.com>
mm: use aligned address in clear_gigantic_page()
Ilya Dryomov <idryomov(a)gmail.com>
ceph: fix memory leak in ceph_direct_read_write()
Max Kellermann <max.kellermann(a)ionos.com>
ceph: fix memory leaks in __ceph_sync_read()
Alex Markuze <amarkuze(a)redhat.com>
ceph: improve error handling and short/overflow-read logic in __ceph_sync_read()
Ilya Dryomov <idryomov(a)gmail.com>
ceph: validate snapdirname option length when mounting
Max Kellermann <max.kellermann(a)ionos.com>
ceph: give up on paths longer than PATH_MAX
Zijun Hu <quic_zijuhu(a)quicinc.com>
of: Fix refcount leakage for OF node returned by __of_get_dma_parent()
Herve Codina <herve.codina(a)bootlin.com>
of: Fix error path in of_parse_phandle_with_args_map()
Andrea della Porta <andrea.porta(a)suse.com>
of: address: Preserve the flags portion on 1:1 dma-ranges mapping
Samuel Holland <samuel.holland(a)sifive.com>
of: property: fw_devlink: Do not use interrupt-parent directly
Jann Horn <jannh(a)google.com>
udmabuf: also check for F_SEAL_FUTURE_WRITE
Jann Horn <jannh(a)google.com>
udmabuf: fix racy memfd sealing check
Edward Adam Davis <eadavis(a)qq.com>
nilfs2: prevent use of deleted inode
Ryusuke Konishi <konishi.ryusuke(a)gmail.com>
nilfs2: fix buffer head leaks in calls to truncate_inode_pages()
Heming Zhao <heming.zhao(a)suse.com>
ocfs2: fix the space leak in LA when releasing LA
Zijun Hu <quic_zijuhu(a)quicinc.com>
of/irq: Fix using uninitialized variable @addr_len in API of_irq_parse_one()
Zijun Hu <quic_zijuhu(a)quicinc.com>
of/irq: Fix interrupt-map cell length check in of_irq_parse_imap_parent()
Sean Christopherson <seanjc(a)google.com>
KVM: SVM: Allow guest writes to set MSR_AMD64_DE_CFG bits
Trond Myklebust <trond.myklebust(a)hammerspace.com>
NFS/pnfs: Fix a live lock between recalled layouts and layoutget
Pavel Begunkov <asml.silence(a)gmail.com>
io_uring: check if iowq is killed before queuing
Jann Horn <jannh(a)google.com>
io_uring: Fix registered ring file refcount leak
Tiezhu Yang <yangtiezhu(a)loongson.cn>
selftests/bpf: Use asm constraint "m" for LoongArch
Isaac J. Manjarres <isaacmanjarres(a)google.com>
selftests/memfd: run sysctl tests when PID namespace support is enabled
Steven Rostedt <rostedt(a)goodmis.org>
tracing: Check "%s" dereference via the field and not the TP_printk format
Steven Rostedt <rostedt(a)goodmis.org>
tracing: Add "%s" check in test_event_printk()
Steven Rostedt <rostedt(a)goodmis.org>
tracing: Add missing helper functions in event pointer dereference check
Steven Rostedt <rostedt(a)goodmis.org>
tracing: Fix test_event_printk() to process entire print argument
Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com>
accel/ivpu: Fix WARN in ivpu_ipc_send_receive_internal()
Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com>
accel/ivpu: Fix general protection fault in ivpu_bo_list()
Enzo Matsumiya <ematsumiya(a)suse.de>
smb: client: fix TCP timers deadlock after rmmod
Sean Christopherson <seanjc(a)google.com>
KVM: x86: Play nice with protected guests in complete_hypercall_exit()
Naman Jain <namjain(a)linux.microsoft.com>
x86/hyperv: Fix hv tsc page based sched_clock for hibernation
Dexuan Cui <decui(a)microsoft.com>
tools: hv: Fix a complier warning in the fcopy uio daemon
Michael Kelley <mhklinux(a)outlook.com>
Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet
Steven Rostedt <rostedt(a)goodmis.org>
fgraph: Still initialize idle shadow stacks when starting
Alex Deucher <alexander.deucher(a)amd.com>
drm/amdgpu/mmhub4.1: fix IP version check
Alex Deucher <alexander.deucher(a)amd.com>
drm/amdgpu/gfx12: fix IP version check
Alex Deucher <alexander.deucher(a)amd.com>
drm/amdgpu/nbio7.0: fix IP version check
Heiko Carstens <hca(a)linux.ibm.com>
s390/mm: Fix DirectMap accounting
Qu Wenruo <wqu(a)suse.com>
btrfs: tree-checker: reject inline extent items with 0 ref count
Josef Bacik <josef(a)toxicpanda.com>
btrfs: fix improper generation check in snapshot delete
Christoph Hellwig <hch(a)lst.de>
btrfs: split bios to the fs sector size boundary
Suren Baghdasaryan <surenb(a)google.com>
alloc_tag: fix set_codetag_empty() when !CONFIG_MEM_ALLOC_PROFILING_DEBUG
Edward Adam Davis <eadavis(a)qq.com>
ring-buffer: Fix overflow in __rb_map_vma
David Hildenbrand <david(a)redhat.com>
mm/page_alloc: don't call pfn_to_page() on possibly non-existent PFN in split_large_buddy()
Matthew Wilcox (Oracle) <willy(a)infradead.org>
vmalloc: fix accounting with i915
Kairui Song <kasong(a)tencent.com>
zram: fix uninitialized ZRAM not releasing backing device
Kairui Song <kasong(a)tencent.com>
zram: refuse to use zero sized block device as backing device
Alex Deucher <alexander.deucher(a)amd.com>
drm/amdgpu/smu14.0.2: fix IP version check
Alex Deucher <alexander.deucher(a)amd.com>
drm/amdgpu/nbio7.7: fix IP version check
Alex Deucher <alexander.deucher(a)amd.com>
drm/amdgpu/nbio7.11: fix IP version check
Steven Rostedt <rostedt(a)goodmis.org>
trace/ring-buffer: Do not use TP_printk() formatting for boot mapped buffers
Ming Lei <ming.lei(a)redhat.com>
block: avoid to reuse `hctx` not removed from cpuhp callback list
Murad Masimov <m.masimov(a)maxima.ru>
hwmon: (tmp513) Fix interpretation of values of Temperature Result and Limit Registers
Murad Masimov <m.masimov(a)maxima.ru>
hwmon: (tmp513) Fix Current Register value interpretation
Murad Masimov <m.masimov(a)maxima.ru>
hwmon: (tmp513) Fix interpretation of values of Shunt Voltage and Limit Registers
Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer(a)amd.com>
drm/amdgpu: don't access invalid sched
Umesh Nerlige Ramappa <umesh.nerlige.ramappa(a)intel.com>
i915/guc: Accumulate active runtime on gt reset
Umesh Nerlige Ramappa <umesh.nerlige.ramappa(a)intel.com>
i915/guc: Ensure busyness counter increases motonically
Umesh Nerlige Ramappa <umesh.nerlige.ramappa(a)intel.com>
i915/guc: Reset engine utilization buffer before registration
Michael Trimarchi <michael(a)amarulasolutions.com>
drm/panel: synaptics-r63353: Fix regulator unbalance
Marek Vasut <marex(a)denx.de>
drm/panel: st7701: Add prepare_prev_first flag to drm_panel
Yang Yingliang <yangyingliang(a)huawei.com>
drm/panel: novatek-nt35950: fix return value check in nt35950_probe()
Zhang Zekun <zhangzekun11(a)huawei.com>
drm/panel: himax-hx83102: Add a check to prevent NULL pointer dereference
T.J. Mercier <tjmercier(a)google.com>
dma-buf: Fix __dma_buf_debugfs_list_del argument for !CONFIG_DEBUG_FS
Jann Horn <jannh(a)google.com>
udmabuf: fix memory leak on last export_udmabuf() error path
Huan Yang <link(a)vivo.com>
udmabuf: udmabuf_create pin folio codestyle cleanup
Michel Dänzer <mdaenzer(a)redhat.com>
drm/amdgpu: Handle NULL bo->tbo.resource (again) in amdgpu_vm_bo_update
Christian König <christian.koenig(a)amd.com>
drm/amdgpu: fix amdgpu_coredump
Ville Syrjälä <ville.syrjala(a)linux.intel.com>
drm/modes: Avoid divide by zero harder in drm_mode_vrefresh()
Mario Limonciello <mario.limonciello(a)amd.com>
drm/amd: Update strapping for NBIO 2.5.0
Krzysztof Karas <krzysztof.karas(a)intel.com>
drm/display: use ERR_PTR on DP tunnel manager creation fail
Mario Limonciello <mario.limonciello(a)amd.com>
thunderbolt: Don't display nvm_version unless upgrade supported
Mika Westerberg <mika.westerberg(a)linux.intel.com>
thunderbolt: Improve redrive mode handling
Mika Westerberg <mika.westerberg(a)linux.intel.com>
thunderbolt: Add support for Intel Panther Lake-M/P
Mathias Nyman <mathias.nyman(a)linux.intel.com>
xhci: Turn NEC specific quirk for handling Stop Endpoint errors generic
Daniele Palmas <dnlplm(a)gmail.com>
USB: serial: option: add Telit FE910C04 rmnet compositions
Jack Wu <wojackbb(a)gmail.com>
USB: serial: option: add MediaTek T7XX compositions
Mank Wang <mank.wang(a)netprisma.com>
USB: serial: option: add Netprisma LCUK54 modules for WWAN Ready
Michal Hrusecky <michal.hrusecky(a)turris.com>
USB: serial: option: add MeiG Smart SLM770A
Daniel Swanemar <d.swanemar(a)gmail.com>
USB: serial: option: add TCL IK512 MBIM & ECM
Nathan Chancellor <nathan(a)kernel.org>
hexagon: Disable constant extender optimization for LLVM prior to 19.1.0
James Bottomley <James.Bottomley(a)HansenPartnership.com>
efivarfs: Fix error on non-existent file
Geert Uytterhoeven <geert+renesas(a)glider.be>
i2c: riic: Always round-up when calculating bus period
Ming Lei <ming.lei(a)redhat.com>
block: Revert "block: Fix potential deadlock while freezing queue and acquiring sysfs_lock"
Jeremy Kerr <jk(a)codeconstruct.com.au>
net: mctp: handle skb cleanup on sock_queue failures
Dan Carpenter <dan.carpenter(a)linaro.org>
chelsio/chtls: prevent potential integer overflow on 32bit
Eric Dumazet <edumazet(a)google.com>
net: tun: fix tun_napi_alloc_frags()
Sean Christopherson <seanjc(a)google.com>
KVM: x86: Cache CPUID.0xD XSTATE offsets+sizes during module init
Marc Zyngier <maz(a)kernel.org>
KVM: arm64: Do not allow ID_AA64MMFR0_EL1.ASIDbits to be overridden
Borislav Petkov (AMD) <bp(a)alien8.de>
EDAC/amd64: Simplify ECC check on unified memory controllers
Marc Zyngier <maz(a)kernel.org>
irqchip/gic-v3: Work around insecure GIC integrations
Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp>
mmc: mtk-sd: disable wakeup in .remove() and in the error path of .probe()
Prathamesh Shete <pshete(a)nvidia.com>
mmc: sdhci-tegra: Remove SDHCI_QUIRK_BROKEN_ADMA_ZEROLEN_DESC quirk
Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp>
net: mdiobus: fix an OF node reference leak
Adrian Moreno <amorenoz(a)redhat.com>
psample: adjust size if rate_as_probability is set
Jakub Kicinski <kuba(a)kernel.org>
netdev-genl: avoid empty messages in queue dump
Vladimir Oltean <vladimir.oltean(a)nxp.com>
net: dsa: restore dsa_software_vlan_untag() ability to operate on VLAN-untagged traffic
Adrian Moreno <amorenoz(a)redhat.com>
selftests: openvswitch: fix tcpdump execution
Phil Sutter <phil(a)nwl.cc>
netfilter: ipset: Fix for recursive locking warning
David Laight <David.Laight(a)ACULAB.COM>
ipvs: Fix clamp() of ip_vs_conn_tab on small memory systems
Matthias Schiffer <matthias.schiffer(a)ew.tq-group.com>
can: m_can: fix missed interrupts with m_can_pci
Matthias Schiffer <matthias.schiffer(a)ew.tq-group.com>
can: m_can: set init flag earlier in probe
Eric Dumazet <edumazet(a)google.com>
net: netdevsim: fix nsim_pp_hold_write()
Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp>
net: ethernet: bgmac-platform: fix an OF node reference leak
Parthiban Veerasooran <parthiban.veerasooran(a)microchip.com>
net: ethernet: oa_tc6: fix tx skb race condition between reference pointers
Parthiban Veerasooran <parthiban.veerasooran(a)microchip.com>
net: ethernet: oa_tc6: fix infinite loop error when tx credits becomes 0
Dan Carpenter <dan.carpenter(a)linaro.org>
net: hinic: Fix cleanup in create_rxqs/txqs()
Daniel Borkmann <daniel(a)iogearbox.net>
team: Fix feature exposure when no ports are present
Jakub Kicinski <kuba(a)kernel.org>
netdev: fix repeated netlink messages in queue stats
Jakub Kicinski <kuba(a)kernel.org>
netdev: fix repeated netlink messages in queue dump
Marios Makassikis <mmakassikis(a)freebox.fr>
ksmbd: fix broken transfers when exceeding max simultaneous operations
Marios Makassikis <mmakassikis(a)freebox.fr>
ksmbd: count all requests in req_running counter
Nikita Yushchenko <nikita.yoush(a)cogentembedded.com>
net: renesas: rswitch: rework ts tags management
Shannon Nelson <shannon.nelson(a)amd.com>
ionic: use ee->offset when returning sprom data
Shannon Nelson <shannon.nelson(a)amd.com>
ionic: no double destroy workqueue
Brett Creeley <brett.creeley(a)amd.com>
ionic: Fix netdev notifier unregister on failure
Donald Hunter <donald.hunter(a)gmail.com>
tools/net/ynl: fix sub-message key lookup for nested attributes
Eric Dumazet <edumazet(a)google.com>
netdevsim: prevent bad user input in nsim_dev_health_break_write()
Vladimir Oltean <vladimir.oltean(a)nxp.com>
net: mscc: ocelot: fix incorrect IFH SRC_PORT field in ocelot_ifh_set_basic()
Guangguan Wang <guangguan.wang(a)linux.alibaba.com>
net/smc: check return value of sock_recvmsg when draining clc data
Guangguan Wang <guangguan.wang(a)linux.alibaba.com>
net/smc: check smcd_v2_ext_offset when receiving proposal msg
Guangguan Wang <guangguan.wang(a)linux.alibaba.com>
net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving proposal msg
Guangguan Wang <guangguan.wang(a)linux.alibaba.com>
net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg
Guangguan Wang <guangguan.wang(a)linux.alibaba.com>
net/smc: check sndbuf_space again after NOSPACE flag is set in smc_poll
Guangguan Wang <guangguan.wang(a)linux.alibaba.com>
net/smc: protect link down work from execute after lgr freed
Huaisheng Ye <huaisheng.ye(a)intel.com>
cxl/region: Fix region creation for greater than x2 switches
Davidlohr Bueso <dave(a)stgolabs.net>
cxl/pci: Fix potential bogus return value upon successful probing
Olaf Hering <olaf(a)aepfle.de>
tools: hv: change permissions of NetworkManager configuration file
Darrick J. Wong <djwong(a)kernel.org>
xfs: fix zero byte checking in the superblock scrubber
Darrick J. Wong <djwong(a)kernel.org>
xfs: fix sb_spino_align checks for large fsblock sizes
Darrick J. Wong <djwong(a)kernel.org>
xfs: fix off-by-one error in fsmap's end_daddr usage
Dave Chinner <dchinner(a)redhat.com>
xfs: fix sparse inode limits on runt AG
Dave Chinner <dchinner(a)redhat.com>
xfs: sb_spino_align is not verified
Gao Xiang <xiang(a)kernel.org>
erofs: use buffered I/O for file-backed mounts by default
Gao Xiang <xiang(a)kernel.org>
erofs: reference `struct erofs_device_info` for erofs_map_dev
Gao Xiang <xiang(a)kernel.org>
erofs: use `struct erofs_device_info` for the primary device
Gao Xiang <xiang(a)kernel.org>
erofs: add erofs_sb_free() helper
Vasily Gorbik <gor(a)linux.ibm.com>
s390/mm: Consider KMSAN modules metadata for paging levels
Vineeth Pillai (Google) <vineeth(a)bitbyteword.org>
sched/dlserver: Fix dlserver time accounting
Vineeth Pillai (Google) <vineeth(a)bitbyteword.org>
sched/dlserver: Fix dlserver double enqueue
Gao Xiang <xiang(a)kernel.org>
erofs: fix PSI memstall accounting
Alexander Gordeev <agordeev(a)linux.ibm.com>
s390/ipl: Fix never less than zero warning
Vladimir Riabchun <ferr.lambarginio(a)gmail.com>
i2c: pnx: Fix timeout in wait functions
Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com>
p2sb: Do not scan and remove the P2SB device when it is unhidden
Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com>
p2sb: Move P2SB hide and unhide code to p2sb_scan_and_cache()
Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com>
p2sb: Introduce the global flag p2sb_hidden_by_bios
Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com>
p2sb: Factor out p2sb_read_from_cache()
Peter Zijlstra <peterz(a)infradead.org>
sched/eevdf: More PELT vs DELAYED_DEQUEUE
Vincent Guittot <vincent.guittot(a)linaro.org>
sched/fair: Fix sched_can_stop_tick() for fair tasks
K Prateek Nayak <kprateek.nayak(a)amd.com>
sched/fair: Fix NEXT_BUDDY
Michael Neuling <michaelneuling(a)tenstorrent.com>
RISC-V: KVM: Fix csr_write -> csr_set for HVIEN PMU overflow bit
Levi Yun <yeoreum.yun(a)arm.com>
firmware: arm_ffa: Fix the race around setting ffa_dev->properties
Arnd Bergmann <arnd(a)arndb.de>
firmware: arm_scmi: Fix i.MX build dependency
Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk>
net: stmmac: fix TSO DMA API usage causing oops
Lion Ackermann <nnamrec(a)gmail.com>
net: sched: fix ordering of qlen adjustment
-------------
Diffstat:
Makefile | 4 +-
arch/arm64/kvm/sys_regs.c | 3 +-
arch/hexagon/Makefile | 6 +
arch/riscv/kvm/aia.c | 2 +-
arch/s390/boot/startup.c | 2 +
arch/s390/boot/vmem.c | 6 +-
arch/s390/kernel/ipl.c | 2 +-
arch/x86/kernel/cpu/mshyperv.c | 58 +++++
arch/x86/kvm/cpuid.c | 31 ++-
arch/x86/kvm/cpuid.h | 1 +
arch/x86/kvm/svm/svm.c | 9 -
arch/x86/kvm/x86.c | 4 +-
block/blk-mq-sysfs.c | 16 +-
block/blk-mq.c | 40 ++--
block/blk-sysfs.c | 4 +-
drivers/accel/ivpu/ivpu_gem.c | 2 +-
drivers/accel/ivpu/ivpu_pm.c | 2 +-
drivers/block/zram/zram_drv.c | 15 +-
drivers/clocksource/hyperv_timer.c | 14 +-
drivers/cxl/core/region.c | 25 +-
drivers/cxl/pci.c | 3 +-
drivers/dma-buf/dma-buf.c | 2 +-
drivers/dma-buf/udmabuf.c | 180 ++++++++------
drivers/edac/amd64_edac.c | 32 +--
drivers/firmware/arm_ffa/bus.c | 15 +-
drivers/firmware/arm_ffa/driver.c | 7 +-
drivers/firmware/arm_scmi/vendors/imx/Kconfig | 1 +
drivers/firmware/imx/Kconfig | 1 -
drivers/gpu/drm/amd/amdgpu/amdgpu_dev_coredump.c | 5 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_job.c | 3 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 7 +-
drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c | 2 +-
drivers/gpu/drm/amd/amdgpu/mmhub_v4_1_0.c | 2 +-
drivers/gpu/drm/amd/amdgpu/nbio_v7_0.c | 11 +
drivers/gpu/drm/amd/amdgpu/nbio_v7_11.c | 2 +-
drivers/gpu/drm/amd/amdgpu/nbio_v7_7.c | 2 +-
.../gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 2 +-
drivers/gpu/drm/display/drm_dp_tunnel.c | 10 +-
drivers/gpu/drm/drm_modes.c | 11 +-
drivers/gpu/drm/i915/gt/intel_engine_types.h | 5 +
drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 41 +++-
drivers/gpu/drm/panel/panel-himax-hx83102.c | 2 +
drivers/gpu/drm/panel/panel-novatek-nt35950.c | 4 +-
drivers/gpu/drm/panel/panel-sitronix-st7701.c | 1 +
drivers/gpu/drm/panel/panel-synaptics-r63353.c | 2 +-
drivers/hv/hv_kvp.c | 6 +
drivers/hv/hv_snapshot.c | 6 +
drivers/hv/hv_util.c | 9 +
drivers/hv/hyperv_vmbus.h | 2 +
drivers/hwmon/tmp513.c | 10 +-
drivers/i2c/busses/i2c-pnx.c | 4 +-
drivers/i2c/busses/i2c-riic.c | 2 +-
drivers/irqchip/irq-gic-v3.c | 17 +-
drivers/mmc/host/mtk-sd.c | 2 +
drivers/mmc/host/sdhci-tegra.c | 1 -
drivers/net/can/m_can/m_can.c | 36 ++-
drivers/net/can/m_can/m_can.h | 1 +
drivers/net/can/m_can/m_can_pci.c | 1 +
drivers/net/ethernet/broadcom/bgmac-platform.c | 5 +-
.../chelsio/inline_crypto/chtls/chtls_main.c | 5 +-
drivers/net/ethernet/huawei/hinic/hinic_main.c | 2 +
drivers/net/ethernet/mscc/ocelot.c | 2 +-
drivers/net/ethernet/oa_tc6.c | 11 +-
drivers/net/ethernet/pensando/ionic/ionic_dev.c | 5 +-
.../net/ethernet/pensando/ionic/ionic_ethtool.c | 4 +-
drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4 +-
drivers/net/ethernet/renesas/rswitch.c | 68 +++---
drivers/net/ethernet/renesas/rswitch.h | 13 +-
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 7 +-
drivers/net/mdio/fwnode_mdio.c | 13 +-
drivers/net/netdevsim/health.c | 2 +
drivers/net/netdevsim/netdev.c | 4 +-
drivers/net/team/team_core.c | 10 +-
drivers/net/tun.c | 2 +-
drivers/of/address.c | 5 +-
drivers/of/base.c | 15 +-
drivers/of/irq.c | 2 +
drivers/of/property.c | 2 -
drivers/platform/x86/p2sb.c | 79 ++++--
drivers/thunderbolt/nhi.c | 8 +
drivers/thunderbolt/nhi.h | 4 +
drivers/thunderbolt/retimer.c | 19 +-
drivers/thunderbolt/tb.c | 41 ++++
drivers/usb/host/xhci-ring.c | 2 -
drivers/usb/serial/option.c | 27 +++
fs/btrfs/bio.c | 10 +-
fs/btrfs/ctree.h | 19 ++
fs/btrfs/extent-tree.c | 6 +-
fs/btrfs/tree-checker.c | 27 ++-
fs/ceph/file.c | 77 +++---
fs/ceph/mds_client.c | 9 +-
fs/ceph/super.c | 2 +
fs/efivarfs/inode.c | 2 +-
fs/efivarfs/internal.h | 1 -
fs/efivarfs/super.c | 3 -
fs/erofs/data.c | 36 +--
fs/erofs/fileio.c | 9 +-
fs/erofs/fscache.c | 10 +-
fs/erofs/internal.h | 15 +-
fs/erofs/super.c | 80 ++++---
fs/erofs/zdata.c | 4 +-
fs/eventpoll.c | 5 +-
fs/hugetlbfs/inode.c | 2 +-
fs/nfs/pnfs.c | 2 +-
fs/nilfs2/btnode.c | 1 +
fs/nilfs2/gcinode.c | 2 +-
fs/nilfs2/inode.c | 13 +-
fs/nilfs2/namei.c | 5 +
fs/nilfs2/nilfs.h | 1 +
fs/ocfs2/localalloc.c | 8 +-
fs/smb/client/connect.c | 36 ++-
fs/smb/server/connection.c | 18 +-
fs/smb/server/connection.h | 1 -
fs/smb/server/server.c | 7 +-
fs/smb/server/server.h | 1 +
fs/smb/server/transport_ipc.c | 5 +-
fs/xfs/libxfs/xfs_ialloc.c | 16 +-
fs/xfs/libxfs/xfs_sb.c | 15 ++
fs/xfs/scrub/agheader.c | 29 ++-
fs/xfs/xfs_fsmap.c | 29 ++-
include/clocksource/hyperv_timer.h | 2 +
include/linux/alloc_tag.h | 7 +-
include/linux/arm_ffa.h | 13 +-
include/linux/hyperv.h | 1 +
include/linux/io_uring.h | 4 +-
include/linux/page-flags.h | 12 +-
include/linux/sched.h | 7 +
include/linux/trace_events.h | 6 +-
include/linux/wait.h | 1 +
io_uring/io_uring.c | 7 +-
kernel/sched/core.c | 2 +-
kernel/sched/deadline.c | 8 +-
kernel/sched/debug.c | 1 +
kernel/sched/fair.c | 73 ++++--
kernel/sched/pelt.c | 2 +-
kernel/sched/sched.h | 13 +-
kernel/trace/fgraph.c | 8 +-
kernel/trace/ring_buffer.c | 6 +-
kernel/trace/trace.c | 264 +++++----------------
kernel/trace/trace.h | 6 +-
kernel/trace/trace_events.c | 227 ++++++++++++++----
kernel/trace/trace_output.c | 6 +-
mm/huge_memory.c | 8 +-
mm/hugetlb.c | 5 +-
mm/memory.c | 8 +-
mm/page_alloc.c | 6 +-
mm/shmem.c | 22 +-
mm/vmalloc.c | 6 +-
net/core/netdev-genl.c | 19 +-
net/dsa/tag.h | 16 +-
net/mctp/route.c | 36 ++-
net/mctp/test/route-test.c | 86 +++++++
net/netfilter/ipset/ip_set_list_set.c | 3 +
net/netfilter/ipvs/ip_vs_conn.c | 4 +-
net/psample/psample.c | 9 +-
net/sched/sch_cake.c | 2 +-
net/sched/sch_choke.c | 2 +-
net/smc/af_smc.c | 18 +-
net/smc/smc_clc.c | 17 +-
net/smc/smc_clc.h | 22 +-
net/smc/smc_core.c | 9 +-
sound/soc/fsl/Kconfig | 1 +
tools/hv/hv_fcopy_uio_daemon.c | 8 +-
tools/hv/hv_set_ifconfig.sh | 2 +-
tools/net/ynl/lib/ynl.py | 6 +-
tools/testing/selftests/bpf/sdt.h | 2 +
tools/testing/selftests/memfd/memfd_test.c | 14 +-
.../selftests/net/openvswitch/openvswitch.sh | 6 +-
168 files changed, 1685 insertions(+), 891 deletions(-)
3 months, 3 weeks
- 19
- 183
[PATCH 6.6 000/116] 6.6.68-rc1 review
by Greg Kroah-Hartman
This is the start of the stable review cycle for the 6.6.68 release.
There are 116 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Fri, 27 Dec 2024 15:53:30 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.68-rc1…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 6.6.68-rc1
Michel Dänzer <mdaenzer(a)redhat.com>
drm/amdgpu: Handle NULL bo->tbo.resource (again) in amdgpu_vm_bo_update
Francesco Dolcini <francesco.dolcini(a)toradex.com>
net: fec: make PPS channel configurable
Francesco Dolcini <francesco.dolcini(a)toradex.com>
net: fec: refactor PPS channel configuration
Pavel Begunkov <asml.silence(a)gmail.com>
io_uring/rw: avoid punting to io-wq directly
Jens Axboe <axboe(a)kernel.dk>
io_uring/rw: treat -EOPNOTSUPP for IOCB_NOWAIT like -EAGAIN
Jens Axboe <axboe(a)kernel.dk>
io_uring/rw: split io_read() into a helper
Xuewen Yan <xuewen.yan(a)unisoc.com>
epoll: Add synchronous wakeup support for ep_poll_callback
Max Kellermann <max.kellermann(a)ionos.com>
ceph: fix memory leaks in __ceph_sync_read()
Alex Markuze <amarkuze(a)redhat.com>
ceph: improve error handling and short/overflow-read logic in __ceph_sync_read()
Ilya Dryomov <idryomov(a)gmail.com>
ceph: validate snapdirname option length when mounting
Zijun Hu <quic_zijuhu(a)quicinc.com>
of: Fix refcount leakage for OF node returned by __of_get_dma_parent()
Herve Codina <herve.codina(a)bootlin.com>
of: Fix error path in of_parse_phandle_with_args_map()
Jann Horn <jannh(a)google.com>
udmabuf: also check for F_SEAL_FUTURE_WRITE
Edward Adam Davis <eadavis(a)qq.com>
nilfs2: prevent use of deleted inode
Ryusuke Konishi <konishi.ryusuke(a)gmail.com>
nilfs2: fix buffer head leaks in calls to truncate_inode_pages()
Zijun Hu <quic_zijuhu(a)quicinc.com>
of/irq: Fix using uninitialized variable @addr_len in API of_irq_parse_one()
Zijun Hu <quic_zijuhu(a)quicinc.com>
of/irq: Fix interrupt-map cell length check in of_irq_parse_imap_parent()
Trond Myklebust <trond.myklebust(a)hammerspace.com>
NFS/pnfs: Fix a live lock between recalled layouts and layoutget
Pavel Begunkov <asml.silence(a)gmail.com>
io_uring: check if iowq is killed before queuing
Jann Horn <jannh(a)google.com>
io_uring: Fix registered ring file refcount leak
Tiezhu Yang <yangtiezhu(a)loongson.cn>
selftests/bpf: Use asm constraint "m" for LoongArch
Isaac J. Manjarres <isaacmanjarres(a)google.com>
selftests/memfd: run sysctl tests when PID namespace support is enabled
Steven Rostedt <rostedt(a)goodmis.org>
tracing: Add "%s" check in test_event_printk()
Steven Rostedt <rostedt(a)goodmis.org>
tracing: Add missing helper functions in event pointer dereference check
Steven Rostedt <rostedt(a)goodmis.org>
tracing: Fix test_event_printk() to process entire print argument
Enzo Matsumiya <ematsumiya(a)suse.de>
smb: client: fix TCP timers deadlock after rmmod
Sean Christopherson <seanjc(a)google.com>
KVM: x86: Play nice with protected guests in complete_hypercall_exit()
Michael Kelley <mhklinux(a)outlook.com>
Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet
Qu Wenruo <wqu(a)suse.com>
btrfs: tree-checker: reject inline extent items with 0 ref count
Matthew Wilcox (Oracle) <willy(a)infradead.org>
vmalloc: fix accounting with i915
Kairui Song <kasong(a)tencent.com>
zram: fix uninitialized ZRAM not releasing backing device
Kairui Song <kasong(a)tencent.com>
zram: refuse to use zero sized block device as backing device
Murad Masimov <m.masimov(a)maxima.ru>
hwmon: (tmp513) Fix interpretation of values of Temperature Result and Limit Registers
Murad Masimov <m.masimov(a)maxima.ru>
hwmon: (tmp513) Fix Current Register value interpretation
Murad Masimov <m.masimov(a)maxima.ru>
hwmon: (tmp513) Fix interpretation of values of Shunt Voltage and Limit Registers
Andy Shevchenko <andriy.shevchenko(a)linux.intel.com>
hwmon: (tmp513) Use SI constants from units.h
Andy Shevchenko <andriy.shevchenko(a)linux.intel.com>
hwmon: (tmp513) Simplify with dev_err_probe()
Andy Shevchenko <andriy.shevchenko(a)linux.intel.com>
hwmon: (tmp513) Don't use "proxy" headers
Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer(a)amd.com>
drm/amdgpu: don't access invalid sched
Umesh Nerlige Ramappa <umesh.nerlige.ramappa(a)intel.com>
i915/guc: Accumulate active runtime on gt reset
Umesh Nerlige Ramappa <umesh.nerlige.ramappa(a)intel.com>
i915/guc: Ensure busyness counter increases motonically
Umesh Nerlige Ramappa <umesh.nerlige.ramappa(a)intel.com>
i915/guc: Reset engine utilization buffer before registration
Yang Yingliang <yangyingliang(a)huawei.com>
drm/panel: novatek-nt35950: fix return value check in nt35950_probe()
Ville Syrjälä <ville.syrjala(a)linux.intel.com>
drm/modes: Avoid divide by zero harder in drm_mode_vrefresh()
Mika Westerberg <mika.westerberg(a)linux.intel.com>
thunderbolt: Improve redrive mode handling
Daniele Palmas <dnlplm(a)gmail.com>
USB: serial: option: add Telit FE910C04 rmnet compositions
Jack Wu <wojackbb(a)gmail.com>
USB: serial: option: add MediaTek T7XX compositions
Mank Wang <mank.wang(a)netprisma.com>
USB: serial: option: add Netprisma LCUK54 modules for WWAN Ready
Michal Hrusecky <michal.hrusecky(a)turris.com>
USB: serial: option: add MeiG Smart SLM770A
Daniel Swanemar <d.swanemar(a)gmail.com>
USB: serial: option: add TCL IK512 MBIM & ECM
Nathan Chancellor <nathan(a)kernel.org>
hexagon: Disable constant extender optimization for LLVM prior to 19.1.0
James Bottomley <James.Bottomley(a)HansenPartnership.com>
efivarfs: Fix error on non-existent file
Geert Uytterhoeven <geert+renesas(a)glider.be>
i2c: riic: Always round-up when calculating bus period
Dan Carpenter <dan.carpenter(a)linaro.org>
chelsio/chtls: prevent potential integer overflow on 32bit
Eric Dumazet <edumazet(a)google.com>
net: tun: fix tun_napi_alloc_frags()
Sean Christopherson <seanjc(a)google.com>
KVM: x86: Cache CPUID.0xD XSTATE offsets+sizes during module init
Borislav Petkov (AMD) <bp(a)alien8.de>
EDAC/amd64: Simplify ECC check on unified memory controllers
Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp>
mmc: mtk-sd: disable wakeup in .remove() and in the error path of .probe()
Prathamesh Shete <pshete(a)nvidia.com>
mmc: sdhci-tegra: Remove SDHCI_QUIRK_BROKEN_ADMA_ZEROLEN_DESC quirk
Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp>
net: mdiobus: fix an OF node reference leak
Adrian Moreno <amorenoz(a)redhat.com>
selftests: openvswitch: fix tcpdump execution
Phil Sutter <phil(a)nwl.cc>
netfilter: ipset: Fix for recursive locking warning
David Laight <David.Laight(a)ACULAB.COM>
ipvs: Fix clamp() of ip_vs_conn_tab on small memory systems
Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp>
net: ethernet: bgmac-platform: fix an OF node reference leak
Dan Carpenter <dan.carpenter(a)linaro.org>
net: hinic: Fix cleanup in create_rxqs/txqs()
Marios Makassikis <mmakassikis(a)freebox.fr>
ksmbd: fix broken transfers when exceeding max simultaneous operations
Marios Makassikis <mmakassikis(a)freebox.fr>
ksmbd: count all requests in req_running counter
Nikita Yushchenko <nikita.yoush(a)cogentembedded.com>
net: renesas: rswitch: rework ts tags management
Shannon Nelson <shannon.nelson(a)amd.com>
ionic: use ee->offset when returning sprom data
Brett Creeley <brett.creeley(a)amd.com>
ionic: Fix netdev notifier unregister on failure
Eric Dumazet <edumazet(a)google.com>
netdevsim: prevent bad user input in nsim_dev_health_break_write()
Vladimir Oltean <vladimir.oltean(a)nxp.com>
net: mscc: ocelot: fix incorrect IFH SRC_PORT field in ocelot_ifh_set_basic()
Guangguan Wang <guangguan.wang(a)linux.alibaba.com>
net/smc: check return value of sock_recvmsg when draining clc data
Guangguan Wang <guangguan.wang(a)linux.alibaba.com>
net/smc: check smcd_v2_ext_offset when receiving proposal msg
Guangguan Wang <guangguan.wang(a)linux.alibaba.com>
net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving proposal msg
Guangguan Wang <guangguan.wang(a)linux.alibaba.com>
net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg
Guangguan Wang <guangguan.wang(a)linux.alibaba.com>
net/smc: check sndbuf_space again after NOSPACE flag is set in smc_poll
Guangguan Wang <guangguan.wang(a)linux.alibaba.com>
net/smc: protect link down work from execute after lgr freed
Huaisheng Ye <huaisheng.ye(a)intel.com>
cxl/region: Fix region creation for greater than x2 switches
Davidlohr Bueso <dave(a)stgolabs.net>
cxl/pci: Fix potential bogus return value upon successful probing
Olaf Hering <olaf(a)aepfle.de>
tools: hv: change permissions of NetworkManager configuration file
Darrick J. Wong <djwong(a)kernel.org>
xfs: reset rootdir extent size hint after growfsrt
Darrick J. Wong <djwong(a)kernel.org>
xfs: take m_growlock when running growfsrt
Darrick J. Wong <djwong(a)kernel.org>
xfs: use XFS_BUF_DADDR_NULL for daddrs in getfsmap code
Zizhi Wo <wozizhi(a)huawei.com>
xfs: Fix the owner setting issue for rmap query in xfs fsmap
Darrick J. Wong <djwong(a)kernel.org>
xfs: conditionally allow FS_XFLAG_REALTIME changes if S_DAX is set
Darrick J. Wong <djwong(a)kernel.org>
xfs: attr forks require attr, not attr2
Julian Sun <sunjunchao2870(a)gmail.com>
xfs: remove unused parameter in macro XFS_DQUOT_LOGRES
Darrick J. Wong <djwong(a)kernel.org>
xfs: fix file_path handling in tracepoints
Chen Ni <nichen(a)iscas.ac.cn>
xfs: convert comma to semicolon
lei lu <llfamsec(a)gmail.com>
xfs: don't walk off the end of a directory data block
John Garry <john.g.garry(a)oracle.com>
xfs: Fix xfs_prepare_shift() range for RT
John Garry <john.g.garry(a)oracle.com>
xfs: Fix xfs_flush_unmap_range() range for RT
Darrick J. Wong <djwong(a)kernel.org>
xfs: create a new helper to return a file's allocation unit
Darrick J. Wong <djwong(a)kernel.org>
xfs: declare xfs_file.c symbols in xfs_file.h
Darrick J. Wong <djwong(a)kernel.org>
xfs: use consistent uid/gid when grabbing dquots for inodes
Darrick J. Wong <djwong(a)kernel.org>
xfs: verify buffer, inode, and dquot items every tx commit
Christoph Hellwig <hch(a)lst.de>
xfs: fix the contact address for the sysfs ABI documentation
Vladimir Riabchun <ferr.lambarginio(a)gmail.com>
i2c: pnx: Fix timeout in wait functions
Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com>
p2sb: Do not scan and remove the P2SB device when it is unhidden
Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com>
p2sb: Move P2SB hide and unhide code to p2sb_scan_and_cache()
Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com>
p2sb: Introduce the global flag p2sb_hidden_by_bios
Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com>
p2sb: Factor out p2sb_read_from_cache()
Hans de Goede <hdegoede(a)redhat.com>
platform/x86: p2sb: Make p2sb_get_devfn() return void
Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk>
net: stmmac: fix TSO DMA API usage causing oops
Roger Quadros <rogerq(a)kernel.org>
usb: cdns3: Add quirk flag to enable suspend residency
Kai-Heng Feng <kai.heng.feng(a)canonical.com>
PCI/AER: Disable AER service on suspend
Vidya Sagar <vidyas(a)nvidia.com>
PCI: Use preserve_config in place of pci_flags
Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com>
ASoC: Intel: sof_sdw: add quirk for Dell SKU 0B8C
Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com>
ASoC: Intel: sof_sdw: fix jack detection on ADL-N variant RVP
Jiaxun Yang <jiaxun.yang(a)flygoat.com>
MIPS: Loongson64: DTS: Fix msi node for ls7a
Roger Quadros <rogerq(a)kernel.org>
usb: cdns3-ti: Add workaround for Errata i2409
Ajit Khaparde <ajit.khaparde(a)broadcom.com>
PCI: Add ACS quirk for Broadcom BCM5760X NIC
Jiwei Sun <sunjw10(a)lenovo.com>
PCI: vmd: Create domain symlink before pci_bus_add_devices()
Peng Hongchi <hongchi.peng(a)siengine.com>
usb: dwc2: gadget: Don't write invalid mapped sg entries into dma_desc with iommu enabled
Lion Ackermann <nnamrec(a)gmail.com>
net: sched: fix ordering of qlen adjustment
-------------
Diffstat:
Documentation/ABI/testing/sysfs-fs-xfs | 8 +-
Makefile | 4 +-
arch/hexagon/Makefile | 6 +
.../boot/dts/loongson/loongson64g_4core_ls7a.dts | 1 +
arch/x86/kvm/cpuid.c | 31 +++-
arch/x86/kvm/cpuid.h | 1 +
arch/x86/kvm/x86.c | 4 +-
drivers/block/zram/zram_drv.c | 15 +-
drivers/cxl/core/region.c | 25 ++-
drivers/cxl/pci.c | 3 +-
drivers/dma-buf/udmabuf.c | 2 +-
drivers/edac/amd64_edac.c | 32 ++--
drivers/gpu/drm/amd/amdgpu/amdgpu_job.c | 3 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 7 +-
drivers/gpu/drm/drm_modes.c | 11 +-
drivers/gpu/drm/i915/gt/intel_engine_types.h | 5 +
drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 41 ++++-
drivers/gpu/drm/panel/panel-novatek-nt35950.c | 4 +-
drivers/hv/hv_kvp.c | 6 +
drivers/hv/hv_snapshot.c | 6 +
drivers/hv/hv_util.c | 9 +
drivers/hv/hyperv_vmbus.h | 2 +
drivers/hwmon/tmp513.c | 74 ++++----
drivers/i2c/busses/i2c-pnx.c | 4 +-
drivers/i2c/busses/i2c-riic.c | 2 +-
drivers/mmc/host/mtk-sd.c | 2 +
drivers/mmc/host/sdhci-tegra.c | 1 -
drivers/net/ethernet/broadcom/bgmac-platform.c | 5 +-
.../chelsio/inline_crypto/chtls/chtls_main.c | 5 +-
drivers/net/ethernet/freescale/fec_ptp.c | 11 +-
drivers/net/ethernet/huawei/hinic/hinic_main.c | 2 +
drivers/net/ethernet/mscc/ocelot.c | 2 +-
.../net/ethernet/pensando/ionic/ionic_ethtool.c | 4 +-
drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4 +-
drivers/net/ethernet/renesas/rswitch.c | 68 +++----
drivers/net/ethernet/renesas/rswitch.h | 13 +-
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 7 +-
drivers/net/mdio/fwnode_mdio.c | 13 +-
drivers/net/netdevsim/health.c | 2 +
drivers/net/tun.c | 2 +-
drivers/of/address.c | 2 +-
drivers/of/base.c | 15 +-
drivers/of/irq.c | 2 +
drivers/pci/controller/pci-host-common.c | 4 -
drivers/pci/controller/vmd.c | 8 +-
drivers/pci/pcie/aer.c | 18 ++
drivers/pci/probe.c | 22 ++-
drivers/pci/quirks.c | 4 +
drivers/platform/x86/p2sb.c | 94 ++++++----
drivers/thunderbolt/tb.c | 41 +++++
drivers/usb/cdns3/cdns3-ti.c | 15 +-
drivers/usb/cdns3/core.h | 1 +
drivers/usb/cdns3/drd.c | 10 +-
drivers/usb/cdns3/drd.h | 3 +
drivers/usb/dwc2/gadget.c | 4 +-
drivers/usb/serial/option.c | 27 +++
fs/btrfs/tree-checker.c | 27 ++-
fs/ceph/file.c | 34 ++--
fs/ceph/super.c | 2 +
fs/efivarfs/inode.c | 2 +-
fs/efivarfs/internal.h | 1 -
fs/efivarfs/super.c | 3 -
fs/eventpoll.c | 5 +-
fs/nfs/pnfs.c | 2 +-
fs/nilfs2/btnode.c | 1 +
fs/nilfs2/gcinode.c | 2 +-
fs/nilfs2/inode.c | 13 +-
fs/nilfs2/namei.c | 5 +
fs/nilfs2/nilfs.h | 1 +
fs/smb/client/connect.c | 36 ++--
fs/smb/server/connection.c | 18 +-
fs/smb/server/connection.h | 1 -
fs/smb/server/server.c | 7 +-
fs/smb/server/server.h | 1 +
fs/smb/server/transport_ipc.c | 5 +-
fs/xfs/Kconfig | 12 ++
fs/xfs/libxfs/xfs_dir2_data.c | 31 +++-
fs/xfs/libxfs/xfs_dir2_priv.h | 7 +
fs/xfs/libxfs/xfs_quota_defs.h | 2 +-
fs/xfs/libxfs/xfs_trans_resv.c | 28 +--
fs/xfs/scrub/agheader_repair.c | 2 +-
fs/xfs/scrub/bmap.c | 8 +-
fs/xfs/scrub/trace.h | 10 +-
fs/xfs/xfs.h | 4 +
fs/xfs/xfs_bmap_util.c | 22 ++-
fs/xfs/xfs_buf_item.c | 32 ++++
fs/xfs/xfs_dquot_item.c | 31 ++++
fs/xfs/xfs_file.c | 29 ++-
fs/xfs/xfs_file.h | 15 ++
fs/xfs/xfs_fsmap.c | 6 +-
fs/xfs/xfs_inode.c | 29 ++-
fs/xfs/xfs_inode.h | 2 +
fs/xfs/xfs_inode_item.c | 32 ++++
fs/xfs/xfs_ioctl.c | 12 ++
fs/xfs/xfs_iops.c | 1 +
fs/xfs/xfs_iops.h | 3 -
fs/xfs/xfs_rtalloc.c | 78 ++++++--
fs/xfs/xfs_symlink.c | 8 +-
include/linux/hyperv.h | 1 +
include/linux/io_uring.h | 4 +-
include/linux/wait.h | 1 +
io_uring/io_uring.c | 15 +-
io_uring/io_uring.h | 1 -
io_uring/rw.c | 31 +++-
kernel/trace/trace_events.c | 199 ++++++++++++++++-----
mm/vmalloc.c | 6 +-
net/netfilter/ipset/ip_set_list_set.c | 3 +
net/netfilter/ipvs/ip_vs_conn.c | 4 +-
net/sched/sch_cake.c | 2 +-
net/sched/sch_choke.c | 2 +-
net/smc/af_smc.c | 18 +-
net/smc/smc_clc.c | 17 +-
net/smc/smc_clc.h | 22 ++-
net/smc/smc_core.c | 9 +-
sound/soc/intel/boards/sof_sdw.c | 18 ++
tools/hv/hv_set_ifconfig.sh | 2 +-
tools/testing/selftests/bpf/sdt.h | 2 +
tools/testing/selftests/memfd/memfd_test.c | 14 +-
.../selftests/net/openvswitch/openvswitch.sh | 6 +-
119 files changed, 1223 insertions(+), 441 deletions(-)
3 months, 3 weeks
- 12
- 127
[PATCH 6.1 00/83] 6.1.122-rc1 review
by Greg Kroah-Hartman
This is the start of the stable review cycle for the 6.1.122 release.
There are 83 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Fri, 27 Dec 2024 15:53:30 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.122-rc…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 6.1.122-rc1
Michel Dänzer <mdaenzer(a)redhat.com>
drm/amdgpu: Handle NULL bo->tbo.resource (again) in amdgpu_vm_bo_update
Francesco Dolcini <francesco.dolcini(a)toradex.com>
dt-bindings: net: fec: add pps channel property
Pavel Begunkov <asml.silence(a)gmail.com>
io_uring/rw: avoid punting to io-wq directly
Jens Axboe <axboe(a)kernel.dk>
io_uring/rw: treat -EOPNOTSUPP for IOCB_NOWAIT like -EAGAIN
Jens Axboe <axboe(a)kernel.dk>
io_uring/rw: split io_read() into a helper
Xuewen Yan <xuewen.yan(a)unisoc.com>
epoll: Add synchronous wakeup support for ep_poll_callback
Jan Kara <jack(a)suse.cz>
udf: Fix directory iteration for longer tail extents
Ilya Dryomov <idryomov(a)gmail.com>
ceph: validate snapdirname option length when mounting
Zijun Hu <quic_zijuhu(a)quicinc.com>
of: Fix refcount leakage for OF node returned by __of_get_dma_parent()
Herve Codina <herve.codina(a)bootlin.com>
of: Fix error path in of_parse_phandle_with_args_map()
Jann Horn <jannh(a)google.com>
udmabuf: also check for F_SEAL_FUTURE_WRITE
Edward Adam Davis <eadavis(a)qq.com>
nilfs2: prevent use of deleted inode
Ryusuke Konishi <konishi.ryusuke(a)gmail.com>
nilfs2: fix buffer head leaks in calls to truncate_inode_pages()
Zijun Hu <quic_zijuhu(a)quicinc.com>
of/irq: Fix using uninitialized variable @addr_len in API of_irq_parse_one()
Zijun Hu <quic_zijuhu(a)quicinc.com>
of/irq: Fix interrupt-map cell length check in of_irq_parse_imap_parent()
Trond Myklebust <trond.myklebust(a)hammerspace.com>
NFS/pnfs: Fix a live lock between recalled layouts and layoutget
Pavel Begunkov <asml.silence(a)gmail.com>
io_uring: check if iowq is killed before queuing
Jann Horn <jannh(a)google.com>
io_uring: Fix registered ring file refcount leak
Tiezhu Yang <yangtiezhu(a)loongson.cn>
selftests/bpf: Use asm constraint "m" for LoongArch
Steven Rostedt <rostedt(a)goodmis.org>
tracing: Add "%s" check in test_event_printk()
Steven Rostedt <rostedt(a)goodmis.org>
tracing: Add missing helper functions in event pointer dereference check
Steven Rostedt <rostedt(a)goodmis.org>
tracing: Fix test_event_printk() to process entire print argument
Sean Christopherson <seanjc(a)google.com>
KVM: x86: Play nice with protected guests in complete_hypercall_exit()
Michael Kelley <mhklinux(a)outlook.com>
Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet
Qu Wenruo <wqu(a)suse.com>
btrfs: tree-checker: reject inline extent items with 0 ref count
Kairui Song <kasong(a)tencent.com>
zram: fix uninitialized ZRAM not releasing backing device
Kairui Song <kasong(a)tencent.com>
zram: refuse to use zero sized block device as backing device
Geert Uytterhoeven <geert+renesas(a)glider.be>
sh: clk: Fix clk_enable() to return 0 on NULL clk
Murad Masimov <m.masimov(a)maxima.ru>
hwmon: (tmp513) Fix interpretation of values of Temperature Result and Limit Registers
Murad Masimov <m.masimov(a)maxima.ru>
hwmon: (tmp513) Fix Current Register value interpretation
Murad Masimov <m.masimov(a)maxima.ru>
hwmon: (tmp513) Fix interpretation of values of Shunt Voltage and Limit Registers
Andy Shevchenko <andriy.shevchenko(a)linux.intel.com>
hwmon: (tmp513) Use SI constants from units.h
Andy Shevchenko <andriy.shevchenko(a)linux.intel.com>
hwmon: (tmp513) Simplify with dev_err_probe()
Andy Shevchenko <andriy.shevchenko(a)linux.intel.com>
hwmon: (tmp513) Don't use "proxy" headers
Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer(a)amd.com>
drm/amdgpu: don't access invalid sched
Umesh Nerlige Ramappa <umesh.nerlige.ramappa(a)intel.com>
i915/guc: Accumulate active runtime on gt reset
Umesh Nerlige Ramappa <umesh.nerlige.ramappa(a)intel.com>
i915/guc: Ensure busyness counter increases motonically
Umesh Nerlige Ramappa <umesh.nerlige.ramappa(a)intel.com>
i915/guc: Reset engine utilization buffer before registration
Yang Yingliang <yangyingliang(a)huawei.com>
drm/panel: novatek-nt35950: fix return value check in nt35950_probe()
Ville Syrjälä <ville.syrjala(a)linux.intel.com>
drm/modes: Avoid divide by zero harder in drm_mode_vrefresh()
Mika Westerberg <mika.westerberg(a)linux.intel.com>
thunderbolt: Improve redrive mode handling
Daniele Palmas <dnlplm(a)gmail.com>
USB: serial: option: add Telit FE910C04 rmnet compositions
Jack Wu <wojackbb(a)gmail.com>
USB: serial: option: add MediaTek T7XX compositions
Mank Wang <mank.wang(a)netprisma.com>
USB: serial: option: add Netprisma LCUK54 modules for WWAN Ready
Michal Hrusecky <michal.hrusecky(a)turris.com>
USB: serial: option: add MeiG Smart SLM770A
Daniel Swanemar <d.swanemar(a)gmail.com>
USB: serial: option: add TCL IK512 MBIM & ECM
Nathan Chancellor <nathan(a)kernel.org>
hexagon: Disable constant extender optimization for LLVM prior to 19.1.0
James Bottomley <James.Bottomley(a)HansenPartnership.com>
efivarfs: Fix error on non-existent file
Geert Uytterhoeven <geert+renesas(a)glider.be>
i2c: riic: Always round-up when calculating bus period
Dan Carpenter <dan.carpenter(a)linaro.org>
chelsio/chtls: prevent potential integer overflow on 32bit
Sean Christopherson <seanjc(a)google.com>
KVM: x86: Cache CPUID.0xD XSTATE offsets+sizes during module init
Prathamesh Shete <pshete(a)nvidia.com>
mmc: sdhci-tegra: Remove SDHCI_QUIRK_BROKEN_ADMA_ZEROLEN_DESC quirk
Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp>
net: mdiobus: fix an OF node reference leak
Phil Sutter <phil(a)nwl.cc>
netfilter: ipset: Fix for recursive locking warning
Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp>
net: ethernet: bgmac-platform: fix an OF node reference leak
Dan Carpenter <dan.carpenter(a)linaro.org>
net: hinic: Fix cleanup in create_rxqs/txqs()
Shannon Nelson <shannon.nelson(a)amd.com>
ionic: use ee->offset when returning sprom data
Brett Creeley <brett.creeley(a)amd.com>
ionic: Fix netdev notifier unregister on failure
Eric Dumazet <edumazet(a)google.com>
netdevsim: prevent bad user input in nsim_dev_health_break_write()
Vladimir Oltean <vladimir.oltean(a)nxp.com>
net: mscc: ocelot: fix incorrect IFH SRC_PORT field in ocelot_ifh_set_basic()
Guangguan Wang <guangguan.wang(a)linux.alibaba.com>
net/smc: check return value of sock_recvmsg when draining clc data
Guangguan Wang <guangguan.wang(a)linux.alibaba.com>
net/smc: check smcd_v2_ext_offset when receiving proposal msg
Guangguan Wang <guangguan.wang(a)linux.alibaba.com>
net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg
Guangguan Wang <guangguan.wang(a)linux.alibaba.com>
net/smc: check sndbuf_space again after NOSPACE flag is set in smc_poll
Guangguan Wang <guangguan.wang(a)linux.alibaba.com>
net/smc: protect link down work from execute after lgr freed
Huaisheng Ye <huaisheng.ye(a)intel.com>
cxl/region: Fix region creation for greater than x2 switches
Vladimir Riabchun <ferr.lambarginio(a)gmail.com>
i2c: pnx: Fix timeout in wait functions
Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com>
p2sb: Do not scan and remove the P2SB device when it is unhidden
Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com>
p2sb: Move P2SB hide and unhide code to p2sb_scan_and_cache()
Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com>
p2sb: Introduce the global flag p2sb_hidden_by_bios
Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com>
p2sb: Factor out p2sb_read_from_cache()
Hans de Goede <hdegoede(a)redhat.com>
platform/x86: p2sb: Make p2sb_get_devfn() return void
Andy Shevchenko <andriy.shevchenko(a)linux.intel.com>
PCI: Introduce pci_resource_n()
Peng Hongchi <hongchi.peng(a)siengine.com>
usb: dwc2: gadget: Don't write invalid mapped sg entries into dma_desc with iommu enabled
Jiaxun Yang <jiaxun.yang(a)flygoat.com>
MIPS: Loongson64: DTS: Fix msi node for ls7a
Ajit Khaparde <ajit.khaparde(a)broadcom.com>
PCI: Add ACS quirk for Broadcom BCM5760X NIC
Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com>
ASoC: Intel: sof_sdw: add quirk for Dell SKU 0B8C
Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com>
ASoC: Intel: sof_sdw: fix jack detection on ADL-N variant RVP
Roger Quadros <rogerq(a)kernel.org>
usb: cdns3: Add quirk flag to enable suspend residency
Jiwei Sun <sunjw10(a)lenovo.com>
PCI: vmd: Create domain symlink before pci_bus_add_devices()
Vidya Sagar <vidyas(a)nvidia.com>
PCI: Use preserve_config in place of pci_flags
Kai-Heng Feng <kai.heng.feng(a)canonical.com>
PCI/AER: Disable AER service on suspend
Lion Ackermann <nnamrec(a)gmail.com>
net: sched: fix ordering of qlen adjustment
-------------
Diffstat:
Documentation/devicetree/bindings/net/fsl,fec.yaml | 7 +
Makefile | 4 +-
arch/hexagon/Makefile | 6 +
.../boot/dts/loongson/loongson64g_4core_ls7a.dts | 1 +
arch/x86/kvm/cpuid.c | 31 +++-
arch/x86/kvm/cpuid.h | 1 +
arch/x86/kvm/x86.c | 4 +-
drivers/block/zram/zram_drv.c | 15 +-
drivers/cxl/core/region.c | 25 ++-
drivers/dma-buf/udmabuf.c | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_job.c | 3 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 7 +-
drivers/gpu/drm/drm_modes.c | 11 +-
drivers/gpu/drm/i915/gt/intel_engine_types.h | 5 +
drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 41 ++++-
drivers/gpu/drm/panel/panel-novatek-nt35950.c | 4 +-
drivers/hv/hv_kvp.c | 6 +
drivers/hv/hv_snapshot.c | 6 +
drivers/hv/hv_util.c | 9 +
drivers/hv/hyperv_vmbus.h | 2 +
drivers/hwmon/tmp513.c | 74 ++++----
drivers/i2c/busses/i2c-pnx.c | 4 +-
drivers/i2c/busses/i2c-riic.c | 2 +-
drivers/mmc/host/sdhci-tegra.c | 1 -
drivers/net/ethernet/broadcom/bgmac-platform.c | 5 +-
.../chelsio/inline_crypto/chtls/chtls_main.c | 5 +-
drivers/net/ethernet/huawei/hinic/hinic_main.c | 2 +
drivers/net/ethernet/mscc/ocelot.c | 2 +-
.../net/ethernet/pensando/ionic/ionic_ethtool.c | 4 +-
drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4 +-
drivers/net/mdio/fwnode_mdio.c | 13 +-
drivers/net/netdevsim/health.c | 2 +
drivers/of/address.c | 2 +-
drivers/of/base.c | 15 +-
drivers/of/irq.c | 2 +
drivers/pci/controller/pci-host-common.c | 4 -
drivers/pci/controller/vmd.c | 8 +-
drivers/pci/pcie/aer.c | 18 ++
drivers/pci/probe.c | 22 ++-
drivers/pci/quirks.c | 4 +
drivers/platform/x86/p2sb.c | 94 ++++++----
drivers/sh/clk/core.c | 2 +-
drivers/thunderbolt/tb.c | 41 +++++
drivers/usb/cdns3/core.h | 1 +
drivers/usb/cdns3/drd.c | 10 +-
drivers/usb/cdns3/drd.h | 3 +
drivers/usb/dwc2/gadget.c | 4 +-
drivers/usb/serial/option.c | 27 +++
fs/btrfs/tree-checker.c | 27 ++-
fs/ceph/super.c | 2 +
fs/efivarfs/inode.c | 2 +-
fs/efivarfs/internal.h | 1 -
fs/efivarfs/super.c | 3 -
fs/eventpoll.c | 5 +-
fs/nfs/pnfs.c | 2 +-
fs/nilfs2/btnode.c | 1 +
fs/nilfs2/gcinode.c | 2 +-
fs/nilfs2/inode.c | 13 +-
fs/nilfs2/namei.c | 5 +
fs/nilfs2/nilfs.h | 1 +
fs/udf/directory.c | 2 +-
include/linux/hyperv.h | 1 +
include/linux/io_uring.h | 4 +-
include/linux/pci.h | 15 +-
include/linux/wait.h | 1 +
io_uring/io_uring.c | 13 +-
io_uring/io_uring.h | 1 -
io_uring/rw.c | 31 +++-
kernel/trace/trace_events.c | 199 ++++++++++++++++-----
net/netfilter/ipset/ip_set_list_set.c | 3 +
net/sched/sch_cake.c | 2 +-
net/sched/sch_choke.c | 2 +-
net/smc/af_smc.c | 15 +-
net/smc/smc_clc.c | 9 +
net/smc/smc_clc.h | 14 +-
net/smc/smc_core.c | 9 +-
sound/soc/intel/boards/sof_sdw.c | 18 ++
tools/testing/selftests/bpf/sdt.h | 2 +
78 files changed, 734 insertions(+), 236 deletions(-)
3 months, 3 weeks
- 13
- 95
zram: Regression in at least linux-6.1.y tree
by Kenneth Van Alstyne
Greetings and apologies if this isn't the proper process for reporting an issue in a LTS kernel per https://www.kernel.org/doc/html/latest/admin-guide/reporting-issues.html. Happy to follow another process if more appropriate.
Kernel 6.1.122 introduced a regression via commit ac3b5366b9b7c9d97b606532ceab43d2329a22f3 (backport of upstream commit 74363ec674cb172d8856de25776c8f3103f05e2f) in drivers/block/zram/zram_drv.c where attempting to set the size of /dev/zram0 after loading the zram kernel module results in a kernel NULL pointer dereference.
That patch removed the following block from zram_reset_device():
- if (!init_done(zram)) {
- up_write(&zram->init_lock);
- return;
- }
However, without that, zram_reset_device subsequently calls zcomp_destroy on a device that has not been initialized, leading to the OOPS. Adding that block back does resolve the issue. In addition, the latest mainline kernel does not appear to exhibit these symptoms, but zram_drv.c seems to have been changed fairly substantially since kernel 6.1.
Steps to reproduce:
modprobe zram
zramctl /dev/zram0 --algorithm zstd --size 83886080k
Kernel log:
[ 184.410082] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 184.416305] #PF: supervisor read access in kernel mode
[ 184.418201] #PF: error_code(0x0000) - not-present page
[ 184.418201] PGD 170d0b067 P4D 170d0b067 PUD 1718af067 PMD 0
[ 184.418201] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 184.418201] CPU: 2 PID: 3584 Comm: zramctl Tainted: G O K 6.1.122 #1
[ 184.418201] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org 04/01/2014
[ 184.418201] RIP: 0010:zcomp_cpu_dead+0x7/0x30 [zram]
[ 184.418201] Code: c7 d8 56 a9 c0 e8 63 f3 92 ed b8 f4 ff ff ff 5b e9 fe 10 d7 ed 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 0f 1f 44 00 00 89 ff <48> 8b 46 f0 48 03 04 fd c0 47 e7 ae 48 89 c7 48 8d 70 08 e8 11 fd
[ 184.418201] RSP: 0018:ffffaf9400a5fd28 EFLAGS: 00010246
[ 184.418201] RAX: ffffffffc0a912d0 RBX: ffff89adefa1b2e0 RCX: 0000000000000010
[ 184.418201] RDX: 0000000000000000 RSI: 0000000000000010 RDI: 0000000000000000
[ 184.418201] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
[ 184.418201] R10: 000000000000000a R11: f000000000000000 R12: 0000000000000aa0
[ 184.418201] R13: 0000000000000000 R14: 0000000000000010 R15: ffff89aac0cb2e20
[ 184.418201] FS: 00007fa6d240d740(0000) GS:ffff89adefa80000(0000) knlGS:0000000000000000
[ 184.418201] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 184.418201] CR2: 0000000000000000 CR3: 0000000171fd4000 CR4: 00000000003506e0
[ 184.418201] Call Trace:
[ 184.418201] <TASK>
[ 184.418201] ? __die_body+0x1a/0x60
[ 184.418201] ? page_fault_oops+0xae/0x260
[ 184.418201] ? exc_page_fault+0x67/0x140
[ 184.418201] ? asm_exc_page_fault+0x22/0x30
[ 184.418201] ? zcomp_cpu_up_prepare+0x90/0x90 [zram]
[ 184.418201] ? zcomp_cpu_dead+0x7/0x30 [zram]
[ 184.418201] ? zcomp_cpu_up_prepare+0x90/0x90 [zram]
[ 184.418201] cpuhp_invoke_callback+0xb4/0x4c0
[ 184.418201] ? zcomp_cpu_up_prepare+0x90/0x90 [zram]
[ 184.418201] cpuhp_issue_call+0xeb/0x140
[ 184.418201] __cpuhp_state_remove_instance+0xdb/0x1a0
[ 184.418201] zcomp_destroy+0x1c/0x30 [zram]
[ 184.418201] zram_reset_device+0xf3/0x120 [zram]
[ 184.418201] reset_store+0x9d/0x100 [zram]
[ 184.418201] kernfs_fop_write_iter+0x11e/0x1b0
[ 184.418201] vfs_write+0x2ae/0x3c0
[ 184.418201] ksys_write+0x5c/0xe0
[ 184.418201] do_syscall_64+0x32/0x80
[ 184.552119] python3 (3612) used greatest stack depth: 11736 bytes left
[ 184.418201] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 184.418201] RIP: 0033:0x7fa6d2506d00
[ 184.418201] Code: 40 00 48 8b 15 29 91 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb af 0f 1f 00 80 3d e1 18 0e 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55
[ 184.418201] RSP: 002b:00007ffec8315ec8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[ 184.418201] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fa6d2506d00
[ 184.418201] RDX: 0000000000000001 RSI: 00007ffec8315ee0 RDI: 0000000000000003
[ 184.418201] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000001
[ 184.418201] R10: 0000000000000004 R11: 0000000000000202 R12: 00007fa6d240d6c0
[ 184.418201] R13: 00007ffec8315ee0 R14: 0000000000000003 R15: 00007ffec8315ed0
[ 184.418201] </TASK>
[ 184.418201] Modules linked in: zram zsmalloc bcache crc64 ip6table_filter ip6_tables iptable_filter xt_conntrack iptable_mangle xt_connmark nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_tables x_tables vfat fat btrfs blake2b_generic xor raid6_pq libcrc32c dm_multipath dm_mod bridge stp llc bonding nfs lockd grace sunrpc fscache torch(O) ipmi_devintf ipmi_msghandler sr_mod kvm_amd mousedev cdrom virtio_blk kvm ata_generic pata_acpi irqbypass crc32c_intel aesni_intel ata_piix crypto_simd virtio_pci virtio_pci_legacy_dev psmouse virtio_pci_modern_dev i6300esb e1000 libata cryptd i2c_piix4 evdev procmemro(OK) noptrace(OK)
[ 184.418201] CR2: 0000000000000000
[ 184.418201] ---[ end trace 0000000000000000 ]---
[ 184.418201] RIP: 0010:zcomp_cpu_dead+0x7/0x30 [zram]
[ 184.418201] Code: c7 d8 56 a9 c0 e8 63 f3 92 ed b8 f4 ff ff ff 5b e9 fe 10 d7 ed 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 0f 1f 44 00 00 89 ff <48> 8b 46 f0 48 03 04 fd c0 47 e7 ae 48 89 c7 48 8d 70 08 e8 11 fd
[ 184.418201] RSP: 0018:ffffaf9400a5fd28 EFLAGS: 00010246
[ 184.418201] RAX: ffffffffc0a912d0 RBX: ffff89adefa1b2e0 RCX: 0000000000000010
[ 184.418201] RDX: 0000000000000000 RSI: 0000000000000010 RDI: 0000000000000000
[ 184.418201] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
[ 184.418201] R10: 000000000000000a R11: f000000000000000 R12: 0000000000000aa0
[ 184.418201] R13: 0000000000000000 R14: 0000000000000010 R15: ffff89aac0cb2e20
[ 184.418201] FS: 00007fa6d240d740(0000) GS:ffff89adefa80000(0000) knlGS:0000000000000000
[ 184.418201] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 184.418201] CR2: 0000000000000000 CR3: 0000000171fd4000 CR4: 00000000003506e0
[ 184.418201] Kernel panic - not syncing: Fatal exception
[ 184.418201] Kernel Offset: 0x2c800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 184.418201] Rebooting in 120 seconds..
Thanks,
--
Kenneth Van Alstyne, Jr.
3 months, 3 weeks
- 2
- 1
+ mm-hugetlb-fix-avoid_reserve-to-allow-taking-folio-from-subpool.patch added to mm-unstable branch
by Andrew Morton
The patch titled
Subject: mm/hugetlb: fix avoid_reserve to allow taking folio from subpool
has been added to the -mm mm-unstable branch. Its filename is
mm-hugetlb-fix-avoid_reserve-to-allow-taking-folio-from-subpool.patch
This patch will shortly appear at
https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…
This patch will later appear in the mm-unstable branch at
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days
------------------------------------------------------
From: Peter Xu <peterx(a)redhat.com>
Subject: mm/hugetlb: fix avoid_reserve to allow taking folio from subpool
Date: Tue, 7 Jan 2025 15:39:56 -0500
Patch series "mm/hugetlb: Refactor hugetlb allocation resv accounting",
v2.
This is a follow up on Ackerley's series here as replacement:
https://lore.kernel.org/r/cover.1728684491.git.ackerleytng@google.com
The goal of this series is to cleanup hugetlb resv accounting, especially
during folio allocation, to decouple a few things:
- Hugetlb folios v.s. Hugetlbfs: IOW, the hope is in the future hugetlb
folios can be allocated completely without hugetlbfs.
- Decouple VMA v.s. hugetlb folio allocations: allocating a hugetlb folio
should not always require a hugetlbfs VMA. For example, either it got
allocated from the inode level (see hugetlbfs_fallocate() where it used
a pesudo VMA for allocation), or it can be allocated by other kernel
subsystems.
It paves way for other users to allocate hugetlb folios out of either
system reservations, or subpools (instead of hugetlbfs, as a file system).
For longer term, this prepares hugetlb as a separate concept versus
hugetlbfs, so that hugetlb folios can be allocated by not only hugetlbfs
and other things.
Tests I've done:
- I had a reproducer in patch 1 for the bug I found, this will start to
work after patch 1 or the whole set applied.
- Hugetlb regression tests (on x86_64 2MBs), includes:
- All vmtests on hugetlbfs
- libhugetlbfs test suite (which may fail some tests, but no new failures
will be introduced by this series, so all such failures happen before
this series so shouldn't be relevant).
This patch (of 7):
Since commit 04f2cbe35699 ("hugetlb: guarantee that COW faults for a
process that called mmap(MAP_PRIVATE) on hugetlbfs will succeed"),
avoid_reserve was introduced for a special case of CoW on hugetlb private
mappings, and only if the owner VMA is trying to allocate yet another
hugetlb folio that is not reserved within the private vma reserved map.
Later on, in commit d85f69b0b533 ("mm/hugetlb: alloc_huge_page handle
areas hole punched by fallocate"), alloc_huge_page() enforced to not
consume any global reservation as long as avoid_reserve=true. This
operation doesn't look correct, because even if it will enforce the
allocation to not use global reservation at all, it will still try to take
one reservation from the spool (if the subpool existed). Then since the
spool reserved pages take from global reservation, it'll also take one
reservation globally.
Logically it can cause global reservation to go wrong.
I wrote a reproducer below, trigger this special path, and every run of
such program will cause global reservation count to increment by one, until
it hits the number of free pages:
#define _GNU_SOURCE /* See feature_test_macros(7) */
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/mman.h>
#define MSIZE (2UL << 20)
int main(int argc, char *argv[])
{
const char *path;
int *buf;
int fd, ret;
pid_t child;
if (argc < 2) {
printf("usage: %s <hugetlb_file>\n", argv[0]);
return -1;
}
path = argv[1];
fd = open(path, O_RDWR | O_CREAT, 0666);
if (fd < 0) {
perror("open failed");
return -1;
}
ret = fallocate(fd, 0, 0, MSIZE);
if (ret != 0) {
perror("fallocate");
return -1;
}
buf = mmap(NULL, MSIZE, PROT_READ|PROT_WRITE,
MAP_PRIVATE, fd, 0);
if (buf == MAP_FAILED) {
perror("mmap() failed");
return -1;
}
/* Allocate a page */
*buf = 1;
child = fork();
if (child == 0) {
/* child doesn't need to do anything */
exit(0);
}
/* Trigger CoW from owner */
*buf = 2;
munmap(buf, MSIZE);
close(fd);
unlink(path);
return 0;
}
It can only reproduce with a sub-mount when there're reserved pages on the
spool, like:
# sysctl vm.nr_hugepages=128
# mkdir ./hugetlb-pool
# mount -t hugetlbfs -o min_size=8M,pagesize=2M none ./hugetlb-pool
Then run the reproducer on the mountpoint:
# ./reproducer ./hugetlb-pool/test
Fix it by taking the reservation from spool if available. In general,
avoid_reserve is IMHO more about "avoid vma resv map", not spool's.
I copied stable, however I have no intention for backporting if it's not a
clean cherry-pick, because private hugetlb mapping, and then fork() on top
is too rare to hit.
Link: https://lkml.kernel.org/r/20250107204002.2683356-1-peterx@redhat.com
Link: https://lkml.kernel.org/r/20250107204002.2683356-2-peterx@redhat.com
Fixes: d85f69b0b533 ("mm/hugetlb: alloc_huge_page handle areas hole punched by fallocate")
Signed-off-by: Peter Xu <peterx(a)redhat.com>
Reviewed-by: Ackerley Tng <ackerleytng(a)google.com>
Tested-by: Ackerley Tng <ackerleytng(a)google.com>
Cc: Breno Leitao <leitao(a)debian.org>
Cc: Muchun Song <muchun.song(a)linux.dev>
Cc: Naoya Horiguchi <nao.horiguchi(a)gmail.com>
Cc: Oscar Salvador <osalvador(a)suse.de>
Cc: Rik van Riel <riel(a)surriel.com>
Cc: Roman Gushchin <roman.gushchin(a)linux.dev>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
mm/hugetlb.c | 22 +++-------------------
1 file changed, 3 insertions(+), 19 deletions(-)
--- a/mm/hugetlb.c~mm-hugetlb-fix-avoid_reserve-to-allow-taking-folio-from-subpool
+++ a/mm/hugetlb.c
@@ -1394,8 +1394,7 @@ static unsigned long available_huge_page
static struct folio *dequeue_hugetlb_folio_vma(struct hstate *h,
struct vm_area_struct *vma,
- unsigned long address, int avoid_reserve,
- long chg)
+ unsigned long address, long chg)
{
struct folio *folio = NULL;
struct mempolicy *mpol;
@@ -1411,10 +1410,6 @@ static struct folio *dequeue_hugetlb_fol
if (!vma_has_reserves(vma, chg) && !available_huge_pages(h))
goto err;
- /* If reserves cannot be used, ensure enough pages are in the pool */
- if (avoid_reserve && !available_huge_pages(h))
- goto err;
-
gfp_mask = htlb_alloc_mask(h);
nid = huge_node(vma, address, gfp_mask, &mpol, &nodemask);
@@ -1430,7 +1425,7 @@ static struct folio *dequeue_hugetlb_fol
folio = dequeue_hugetlb_folio_nodemask(h, gfp_mask,
nid, nodemask);
- if (folio && !avoid_reserve && vma_has_reserves(vma, chg)) {
+ if (folio && vma_has_reserves(vma, chg)) {
folio_set_hugetlb_restore_reserve(folio);
h->resv_huge_pages--;
}
@@ -3047,17 +3042,6 @@ struct folio *alloc_hugetlb_folio(struct
gbl_chg = hugepage_subpool_get_pages(spool, 1);
if (gbl_chg < 0)
goto out_end_reservation;
-
- /*
- * Even though there was no reservation in the region/reserve
- * map, there could be reservations associated with the
- * subpool that can be used. This would be indicated if the
- * return value of hugepage_subpool_get_pages() is zero.
- * However, if avoid_reserve is specified we still avoid even
- * the subpool reservations.
- */
- if (avoid_reserve)
- gbl_chg = 1;
}
/* If this allocation is not consuming a reservation, charge it now.
@@ -3080,7 +3064,7 @@ struct folio *alloc_hugetlb_folio(struct
* from the global free pool (global change). gbl_chg == 0 indicates
* a reservation exists for the allocation.
*/
- folio = dequeue_hugetlb_folio_vma(h, vma, addr, avoid_reserve, gbl_chg);
+ folio = dequeue_hugetlb_folio_vma(h, vma, addr, gbl_chg);
if (!folio) {
spin_unlock_irq(&hugetlb_lock);
folio = alloc_buddy_hugetlb_folio_with_mpol(h, vma, addr);
_
Patches currently in -mm which might be from peterx(a)redhat.com are
mm-hugetlb-fix-avoid_reserve-to-allow-taking-folio-from-subpool.patch
mm-hugetlb-stop-using-avoid_reserve-flag-in-fork.patch
mm-hugetlb-rename-avoid_reserve-to-cow_from_owner.patch
mm-hugetlb-clean-up-map-global-resv-accounting-when-allocate.patch
mm-hugetlb-simplify-vma_has_reserves.patch
mm-hugetlb-drop-vma_has_reserves.patch
mm-hugetlb-unify-restore-reserve-accounting-for-new-allocations.patch
3 months, 3 weeks
- 1
- 0
[PATCH v2] PCI: fix reference leak in pci_alloc_child_bus()
by Ma Ke
When device_register(&child->dev) failed, calling put_device() to
explicitly release child->dev. Otherwise, it could cause double free
problem.
device_register() includes device_add(). As comment of device_add()
says, 'if device_add() succeeds, you should call device_del() when you
want to get rid of it. If device_add() has not succeeded, use only
put_device() to drop the reference count'.
Found by code review.
Cc: stable(a)vger.kernel.org
Fixes: 4f535093cf8f ("PCI: Put pci_dev in device tree as early as possible")
Signed-off-by: Ma Ke <make24(a)iscas.ac.cn>
---
Changes in v2:
- added the bug description about the comment of device_add();
- fixed the patch as suggestions;
- added Cc and Fixes table.
---
drivers/pci/probe.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index 2e81ab0f5a25..51b78fcda4eb 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -1174,7 +1174,10 @@ static struct pci_bus *pci_alloc_child_bus(struct pci_bus *parent,
add_dev:
pci_set_bus_msi_domain(child);
ret = device_register(&child->dev);
- WARN_ON(ret < 0);
+ if (WARN_ON(ret < 0)) {
+ put_device(&child->dev);
+ return NULL;
+ }
pcibios_add_bus(child);
--
2.25.1
3 months, 3 weeks
- 1
- 0
[PATCH 5.4 00/66] 5.4.286-rc1 review
by Greg Kroah-Hartman
This is the start of the stable review cycle for the 5.4.286 release.
There are 66 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sun, 17 Nov 2024 06:37:07 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.286-rc…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 5.4.286-rc1
Linus Torvalds <torvalds(a)linux-foundation.org>
9p: fix slab cache name creation for real
Christoph Hellwig <hch(a)lst.de>
mm: add remap_pfn_range_notrack
Alex Zhang <zhangalex(a)google.com>
mm/memory.c: make remap_pfn_range() reject unaligned addr
chenqiwu <chenqiwu(a)xiaomi.com>
mm: fix ambiguous comments for better code readability
WANG Wenhu <wenhu.wang(a)vivo.com>
mm: clarify a confusing comment for remap_pfn_range()
Li Nan <linan122(a)huawei.com>
md/raid10: improve code of mrdev in raid10_sync_request
Reinhard Speyerer <rspmn(a)arcor.de>
net: usb: qmi_wwan: add Fibocom FG132 0x0112 composition
Alessandro Zanni <alessandro.zanni87(a)gmail.com>
fs: Fix uninitialized value issue in from_kuid and from_kgid
Michael Ellerman <mpe(a)ellerman.id.au>
powerpc/powernv: Free name on error in opal_event_init()
Julian Vetter <jvetter(a)kalrayinc.com>
sound: Make CONFIG_SND depend on INDIRECT_IOMEM instead of UML
Rik van Riel <riel(a)surriel.com>
bpf: use kvzmalloc to allocate BPF verifier environment
WangYuli <wangyuli(a)uniontech.com>
HID: multitouch: Add quirk for HONOR MagicBook Art 14 touchpad
Pedro Falcato <pedro.falcato(a)gmail.com>
9p: Avoid creating multiple slab caches with the same name
Jan Schär <jan(a)jschaer.ch>
ALSA: usb-audio: Add endianness annotations
Hyunwoo Kim <v4bel(a)theori.io>
vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans
Hyunwoo Kim <v4bel(a)theori.io>
hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer
Zheng Yejian <zhengyejian1(a)huawei.com>
ftrace: Fix possible use-after-free issue in ftrace_location()
Chuck Lever <chuck.lever(a)oracle.com>
NFSD: Fix NFSv4's PUTPUBFH operation
Jan Schär <jan(a)jschaer.ch>
ALSA: usb-audio: Add quirks for Dell WD19 dock
Jan Schär <jan(a)jschaer.ch>
ALSA: usb-audio: Support jack detection on Dell dock
Andrew Kanner <andrew.kanner(a)gmail.com>
ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove()
Marc Zyngier <maz(a)kernel.org>
irqchip/gic-v3: Force propagation of the active state with a read-back
Benoît Monin <benoit.monin(a)gmx.fr>
USB: serial: option: add Quectel RG650V
Reinhard Speyerer <rspmn(a)arcor.de>
USB: serial: option: add Fibocom FG132 0x0112 composition
Jack Wu <wojackbb(a)gmail.com>
USB: serial: qcserial: add support for Sierra Wireless EM86xx
Dan Carpenter <dan.carpenter(a)linaro.org>
USB: serial: io_edgeport: fix use after free in debug printk
Zijun Hu <quic_zijuhu(a)quicinc.com>
usb: musb: sunxi: Fix accessing an released usb phy
Qi Xi <xiqi2(a)huawei.com>
fs/proc: fix compile warning about variable 'vmcore_mmap_ops'
Benoit Sevens <bsevens(a)google.com>
media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format
Nikolay Aleksandrov <razor(a)blackwall.org>
net: bridge: xmit: make sure we have at least eth header len bytes
Michael Walle <michael(a)walle.cc>
spi: fix use-after-free of the add_lock mutex
Mark Brown <broonie(a)kernel.org>
spi: Fix deadlock when adding SPI controllers on SPI buses
Sean Nyekjaer <sean(a)geanix.com>
mtd: rawnand: protect access to rawnand devices while in suspend
Filipe Manana <fdmanana(a)suse.com>
btrfs: reinitialize delayed ref list after deleting it from the list
Roberto Sassu <roberto.sassu(a)huawei.com>
nfs: Fix KMSAN warning in decode_getfattr_attrs()
Zichen Xie <zichenxie0106(a)gmail.com>
dm-unstriped: cast an operand to sector_t to prevent potential uint32_t overflow
Ming-Hung Tsai <mtsai(a)redhat.com>
dm cache: fix potential out-of-bounds access on the first resume
Ming-Hung Tsai <mtsai(a)redhat.com>
dm cache: optimize dirty bit checking with find_next_bit when resizing
Ming-Hung Tsai <mtsai(a)redhat.com>
dm cache: fix out-of-bounds access to the dirty bitset when resizing
Ming-Hung Tsai <mtsai(a)redhat.com>
dm cache: correct the number of origin blocks to match the target length
Antonio Quartulli <antonio(a)mandelbit.com>
drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported
Alex Deucher <alexander.deucher(a)amd.com>
drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()
Erik Schumacher <erik.schumacher(a)iris-sensing.com>
pwm: imx-tpm: Use correct MODULO value for EPWM mode
Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org>
media: v4l2-tpg: prevent the risk of a division by zero
Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org>
media: cx24116: prevent overflows on SNR calculus
Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org>
media: s5p-jpeg: prevent buffer overflows
Murad Masimov <m.masimov(a)maxima.ru>
ALSA: firewire-lib: fix return value on fail in amdtp_tscm_init()
Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org>
media: adv7604: prevent underflow condition when reporting colorspace
Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org>
media: dvb_frontend: don't play tricks with underflow values
Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org>
media: dvbdev: prevent the risk of out of memory access
Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org>
media: stb0899_algo: initialize cfr before using it
Peiyang Wang <wangpeiyang1(a)huawei.com>
net: hns3: fix kernel crash when uninstalling driver
Dario Binacchi <dario.binacchi(a)amarulasolutions.com>
can: c_can: fix {rx,tx}_errors statistics
Xin Long <lucien.xin(a)gmail.com>
sctp: properly validate chunk size in sctp_sf_ootb()
Wei Fang <wei.fang(a)nxp.com>
net: enetc: set MAC address to the VF net_device
Qinglang Miao <miaoqinglang(a)huawei.com>
enetc: simplify the return expression of enetc_vf_set_mac_addr()
Chen Ridong <chenridong(a)huawei.com>
security/keys: fix slab-out-of-bounds in key_task_permission
Jiri Kosina <jkosina(a)suse.com>
HID: core: zero-initialize the report buffer
Heiko Stuebner <heiko(a)sntech.de>
ARM: dts: rockchip: Fix the realtek audio codec on rk3036-kylin
Heiko Stuebner <heiko(a)sntech.de>
ARM: dts: rockchip: Fix the spi controller on rk3036
Heiko Stuebner <heiko(a)sntech.de>
ARM: dts: rockchip: drop grf reference from rk3036 hdmi
Heiko Stuebner <heiko(a)sntech.de>
ARM: dts: rockchip: fix rk3036 acodec node
Heiko Stuebner <heiko(a)sntech.de>
arm64: dts: rockchip: Remove #cooling-cells from fan on Theobroma lion
Heiko Stuebner <heiko(a)sntech.de>
arm64: dts: rockchip: Fix bluetooth properties on Rock960 boards
Diederik de Haas <didi.debian(a)cknow.org>
arm64: dts: rockchip: Remove hdmi's 2nd interrupt on rk3328
Geert Uytterhoeven <geert+renesas(a)glider.be>
arm64: dts: rockchip: Fix rt5651 compatible value on rk3399-sapphire-excavator
-------------
Diffstat:
Makefile | 4 +-
arch/arm/boot/dts/rk3036-kylin.dts | 4 +-
arch/arm/boot/dts/rk3036.dtsi | 14 +-
arch/arm64/boot/dts/rockchip/rk3328.dtsi | 3 +-
arch/arm64/boot/dts/rockchip/rk3368-lion.dtsi | 1 -
arch/arm64/boot/dts/rockchip/rk3399-rock960.dtsi | 2 +-
.../dts/rockchip/rk3399-sapphire-excavator.dts | 2 +-
arch/powerpc/platforms/powernv/opal-irqchip.c | 1 +
drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 4 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 2 +-
drivers/hid/hid-core.c | 2 +-
drivers/hid/hid-multitouch.c | 5 +
drivers/irqchip/irq-gic-v3.c | 7 +
drivers/md/dm-cache-target.c | 35 ++---
drivers/md/dm-unstripe.c | 4 +-
drivers/md/raid10.c | 23 +--
drivers/media/common/v4l2-tpg/v4l2-tpg-core.c | 3 +
drivers/media/dvb-core/dvb_frontend.c | 4 +-
drivers/media/dvb-core/dvbdev.c | 17 ++-
drivers/media/dvb-frontends/cx24116.c | 7 +-
drivers/media/dvb-frontends/stb0899_algo.c | 2 +-
drivers/media/i2c/adv7604.c | 26 ++--
drivers/media/platform/s5p-jpeg/jpeg-core.c | 17 ++-
drivers/media/usb/uvc/uvc_driver.c | 2 +-
drivers/mtd/nand/raw/nand_base.c | 44 +++---
drivers/net/can/c_can/c_can.c | 7 +-
drivers/net/ethernet/freescale/enetc/enetc_vf.c | 2 +
drivers/net/ethernet/hisilicon/hns3/hnae3.c | 5 +-
drivers/net/usb/qmi_wwan.c | 1 +
drivers/pwm/pwm-imx-tpm.c | 4 +-
drivers/spi/spi.c | 27 ++--
drivers/usb/musb/sunxi.c | 2 -
drivers/usb/serial/io_edgeport.c | 8 +-
drivers/usb/serial/option.c | 6 +
drivers/usb/serial/qcserial.c | 2 +
fs/btrfs/delayed-ref.c | 2 +-
fs/nfs/inode.c | 1 +
fs/nfsd/nfs4xdr.c | 10 +-
fs/ocfs2/file.c | 9 +-
fs/ocfs2/xattr.c | 3 +-
fs/proc/vmcore.c | 9 +-
include/linux/mm.h | 2 +
include/linux/mm_types.h | 4 +-
include/linux/mtd/rawnand.h | 2 +
include/linux/spi/spi.h | 3 +
kernel/bpf/verifier.c | 4 +-
kernel/trace/ftrace.c | 30 ++--
mm/memory.c | 56 ++++---
net/9p/client.c | 12 +-
net/bridge/br_device.c | 5 +
net/sctp/sm_statefuns.c | 2 +-
net/vmw_vsock/hyperv_transport.c | 1 +
net/vmw_vsock/virtio_transport_common.c | 1 +
security/keys/keyring.c | 7 +-
sound/Kconfig | 2 +-
sound/firewire/tascam/amdtp-tascam.c | 2 +-
sound/usb/mixer_quirks.c | 170 +++++++++++++++++++++
57 files changed, 453 insertions(+), 183 deletions(-)
3 months, 3 weeks
- 5
- 76
[PATCH] clk: qcom: gcc-x1e80100: Do not turn off usb_2 controller GDSC
by Abel Vesa
Allowing the usb_2 controller GDSC to be turned off during system suspend
renders the controller unable to resume.
So use PWRSTS_RET_ON instead in order to make sure this the GDSC doesn't
go down.
Fixes: 161b7c401f4b ("clk: qcom: Add Global Clock controller (GCC) driver for X1E80100")
Cc: stable(a)vger.kernel.org # 6.8
Signed-off-by: Abel Vesa <abel.vesa(a)linaro.org>
---
drivers/clk/qcom/gcc-x1e80100.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/qcom/gcc-x1e80100.c b/drivers/clk/qcom/gcc-x1e80100.c
index 8ea25aa25dff043ab4a81fee78b6173139f871b6..7288af845434d824eb91489ab97be25d665cad3a 100644
--- a/drivers/clk/qcom/gcc-x1e80100.c
+++ b/drivers/clk/qcom/gcc-x1e80100.c
@@ -6083,7 +6083,7 @@ static struct gdsc gcc_usb20_prim_gdsc = {
.pd = {
.name = "gcc_usb20_prim_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
.flags = POLL_CFG_GDSCR | RETAIN_FF_ENABLE,
};
---
base-commit: 7b4b9bf203da94fbeac75ed3116c84aa03e74578
change-id: 20250107-x1e80100-clk-gcc-fix-usb2-gdsc-pwrsts-a8eae668c7d2
Best regards,
--
Abel Vesa <abel.vesa(a)linaro.org>
3 months, 3 weeks
- 3
- 2
[PATCH] arm64: dts: qcom: x1e80100: Fix usb_2 controller interrupts
by Abel Vesa
Back when the CRD support was brought up, the usb_2 controller didn't
have anything connected to it in order to test it properly, so it was
never enabled.
On the Lenovo ThinkPad T14s, the usb_2 controller has the fingerprint
controller connected to it. So enabling it, proved that the interrupts
lines were wrong from the start.
Fix both the pwr_event and the DWC ctrl_irq lines, according to
documentation.
Fixes: 4af46b7bd66f ("arm64: dts: qcom: x1e80100: Add USB nodes")
Cc: stable(a)vger.kernel.org # 6.9
Signed-off-by: Abel Vesa <abel.vesa(a)linaro.org>
---
arch/arm64/boot/dts/qcom/x1e80100.dtsi | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/boot/dts/qcom/x1e80100.dtsi b/arch/arm64/boot/dts/qcom/x1e80100.dtsi
index e2f1873296ec7b7ffdb4c57b5c9d5b09368de168..1c3ad5ae0a41ea235cb176095cd49de7fa89ae4a 100644
--- a/arch/arm64/boot/dts/qcom/x1e80100.dtsi
+++ b/arch/arm64/boot/dts/qcom/x1e80100.dtsi
@@ -4631,7 +4631,7 @@ usb_2: usb@a2f8800 {
<&gcc GCC_USB20_MASTER_CLK>;
assigned-clock-rates = <19200000>, <200000000>;
- interrupts-extended = <&intc GIC_SPI 240 IRQ_TYPE_LEVEL_HIGH>,
+ interrupts-extended = <&intc GIC_SPI 245 IRQ_TYPE_LEVEL_HIGH>,
<&pdc 50 IRQ_TYPE_EDGE_BOTH>,
<&pdc 49 IRQ_TYPE_EDGE_BOTH>;
interrupt-names = "pwr_event",
@@ -4657,7 +4657,7 @@ &mc_virt SLAVE_EBI1 QCOM_ICC_TAG_ALWAYS>,
usb_2_dwc3: usb@a200000 {
compatible = "snps,dwc3";
reg = <0 0x0a200000 0 0xcd00>;
- interrupts = <GIC_SPI 241 IRQ_TYPE_LEVEL_HIGH>;
+ interrupts = <GIC_SPI 240 IRQ_TYPE_LEVEL_HIGH>;
iommus = <&apps_smmu 0x14e0 0x0>;
phys = <&usb_2_hsphy>;
phy-names = "usb2-phy";
---
base-commit: 7b4b9bf203da94fbeac75ed3116c84aa03e74578
change-id: 20250107-x1e80100-fix-usb2-controller-irqs-b226a747f73a
Best regards,
--
Abel Vesa <abel.vesa(a)linaro.org>
3 months, 3 weeks
- 3
- 2
[PATCH] usb: dwc3: Skip resume if pm_runtime_set_active() fails
by Ray Chi
When the system begins to enter suspend mode, dwc3_suspend() is called
by PM suspend. There is a problem that if someone interrupt the system
suspend process between dwc3_suspend() and pm_suspend() of its parent
device, PM suspend will be canceled and attempt to resume suspended
devices so that dwc3_resume() will be called. However, dwc3 and its
parent device (like the power domain or glue driver) may already be
suspended by runtime PM in fact. If this sutiation happened, the
pm_runtime_set_active() in dwc3_resume() will return an error since
parent device was suspended. This can lead to unexpected behavior if
DWC3 proceeds to execute dwc3_resume_common().
EX.
RPM suspend: ... -> dwc3_runtime_suspend()
-> rpm_suspend() of parent device
...
PM suspend: ... -> dwc3_suspend() -> pm_suspend of parent device
^ interrupt, so resume suspended device
... <- dwc3_resume() <-/
^ pm_runtime_set_active() returns error
To prevent the problem, this commit will skip dwc3_resume_common() and
return the error if pm_runtime_set_active() fails.
Fixes: 68c26fe58182 ("usb: dwc3: set pm runtime active before resume common")
Cc: stable(a)vger.kernel.org
Signed-off-by: Ray Chi <raychi(a)google.com>
---
drivers/usb/dwc3/core.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
index c22b8678e02e..7578c5133568 100644
--- a/drivers/usb/dwc3/core.c
+++ b/drivers/usb/dwc3/core.c
@@ -2609,12 +2609,15 @@ static int dwc3_resume(struct device *dev)
pinctrl_pm_select_default_state(dev);
pm_runtime_disable(dev);
- pm_runtime_set_active(dev);
+ ret = pm_runtime_set_active(dev);
+ if (ret)
+ goto out;
ret = dwc3_resume_common(dwc, PMSG_RESUME);
if (ret)
pm_runtime_set_suspended(dev);
+out:
pm_runtime_enable(dev);
return ret;
--
2.47.1.613.gc27f4b7a9f-goog
3 months, 3 weeks
- 2
- 2
[tip: x86/urgent] x86/fpu: Ensure shadow stack is active before "getting" registers
by tip-bot2 for Rick Edgecombe
The following commit has been merged into the x86/urgent branch of tip:
Commit-ID: a9d9c33132d49329ada647e4514d210d15e31d81
Gitweb: https://git.kernel.org/tip/a9d9c33132d49329ada647e4514d210d15e31d81
Author: Rick Edgecombe <rick.p.edgecombe(a)intel.com>
AuthorDate: Tue, 07 Jan 2025 15:30:56 -08:00
Committer: Dave Hansen <dave.hansen(a)linux.intel.com>
CommitterDate: Tue, 07 Jan 2025 15:55:51 -08:00
x86/fpu: Ensure shadow stack is active before "getting" registers
The x86 shadow stack support has its own set of registers. Those registers
are XSAVE-managed, but they are "supervisor state components" which means
that userspace can not touch them with XSAVE/XRSTOR. It also means that
they are not accessible from the existing ptrace ABI for XSAVE state.
Thus, there is a new ptrace get/set interface for it.
The regset code that ptrace uses provides an ->active() handler in
addition to the get/set ones. For shadow stack this ->active() handler
verifies that shadow stack is enabled via the ARCH_SHSTK_SHSTK bit in the
thread struct. The ->active() handler is checked from some call sites of
the regset get/set handlers, but not the ptrace ones. This was not
understood when shadow stack support was put in place.
As a result, both the set/get handlers can be called with
XFEATURE_CET_USER in its init state, which would cause get_xsave_addr() to
return NULL and trigger a WARN_ON(). The ssp_set() handler luckily has an
ssp_active() check to avoid surprising the kernel with shadow stack
behavior when the kernel is not ready for it (ARCH_SHSTK_SHSTK==0). That
check just happened to avoid the warning.
But the ->get() side wasn't so lucky. It can be called with shadow stacks
disabled, triggering the warning in practice, as reported by Christina
Schimpe:
WARNING: CPU: 5 PID: 1773 at arch/x86/kernel/fpu/regset.c:198 ssp_get+0x89/0xa0
[...]
Call Trace:
<TASK>
? show_regs+0x6e/0x80
? ssp_get+0x89/0xa0
? __warn+0x91/0x150
? ssp_get+0x89/0xa0
? report_bug+0x19d/0x1b0
? handle_bug+0x46/0x80
? exc_invalid_op+0x1d/0x80
? asm_exc_invalid_op+0x1f/0x30
? __pfx_ssp_get+0x10/0x10
? ssp_get+0x89/0xa0
? ssp_get+0x52/0xa0
__regset_get+0xad/0xf0
copy_regset_to_user+0x52/0xc0
ptrace_regset+0x119/0x140
ptrace_request+0x13c/0x850
? wait_task_inactive+0x142/0x1d0
? do_syscall_64+0x6d/0x90
arch_ptrace+0x102/0x300
[...]
Ensure that shadow stacks are active in a thread before looking them up
in the XSAVE buffer. Since ARCH_SHSTK_SHSTK and user_ssp[SHSTK_EN] are
set at the same time, the active check ensures that there will be
something to find in the XSAVE buffer.
[ dhansen: changelog/subject tweaks ]
Fixes: 2fab02b25ae7 ("x86: Add PTRACE interface for shadow stack")
Reported-by: Christina Schimpe <christina.schimpe(a)intel.com>
Signed-off-by: Rick Edgecombe <rick.p.edgecombe(a)intel.com>
Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com>
Tested-by: Christina Schimpe <christina.schimpe(a)intel.com>
Cc:stable@vger.kernel.org
Link: https://lore.kernel.org/all/20250107233056.235536-1-rick.p.edgecombe%40inte…
---
arch/x86/kernel/fpu/regset.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kernel/fpu/regset.c b/arch/x86/kernel/fpu/regset.c
index 6bc1eb2..887b0b8 100644
--- a/arch/x86/kernel/fpu/regset.c
+++ b/arch/x86/kernel/fpu/regset.c
@@ -190,7 +190,8 @@ int ssp_get(struct task_struct *target, const struct user_regset *regset,
struct fpu *fpu = &target->thread.fpu;
struct cet_user_state *cetregs;
- if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK))
+ if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK) ||
+ !ssp_active(target, regset))
return -ENODEV;
sync_fpstate(fpu);
3 months, 3 weeks
- 1
- 0
[PATCH v2] x86: Check if shadow stack is active for ssp_get()
by Rick Edgecombe
The x86 shadow stack support has its own set of registers. Those registers
are XSAVE-managed, but they are "supervisor state components" which means
that userspace can't touch them with XSAVE/XRSTOR. It also means that
they are not accessible from the existing ptrace ABI like the FPU register
or GPRs. Thus, there is a new ptrace get/set interface for it.
The regset code that ptrace uses provides an ->active() handler in
addition to the get/set ones. For shadow stack this ->active() handler
verifies that shadow stack is enabled via the ARCH_SHSTK_SHSTK bit in the
thread struct. The ->active() handler is checked from some callsites of
the regset get/set handlers, but not the ptrace ones. This was not
understood when shadow stack support was put in place.
As a result, both the set/get handlers can be called with
XFEATURE_CET_USER in its init state, which would cause get_xsave_addr() to
return NULL and trigger a WARN_ON(). The ssp_set() handler luckily has an
ssp_active() check to avoid surprising the kernel with shadow stack
behavior when the kernel is not read for it (ARCH_SHSTK_SHSTK==0). That
check just happened to avoid the warning.
But the ->get() side wasn't so lucky. It can be called with shadow stacks
disabled, triggering the warning in practice, as reported by Christina
Schimpe:
WARNING: CPU: 5 PID: 1773 at arch/x86/kernel/fpu/regset.c:198 ssp_get+0x89/0xa0
[...]
Call Trace:
<TASK>
? show_regs+0x6e/0x80
? ssp_get+0x89/0xa0
? __warn+0x91/0x150
? ssp_get+0x89/0xa0
? report_bug+0x19d/0x1b0
? handle_bug+0x46/0x80
? exc_invalid_op+0x1d/0x80
? asm_exc_invalid_op+0x1f/0x30
? __pfx_ssp_get+0x10/0x10
? ssp_get+0x89/0xa0
? ssp_get+0x52/0xa0
__regset_get+0xad/0xf0
copy_regset_to_user+0x52/0xc0
ptrace_regset+0x119/0x140
ptrace_request+0x13c/0x850
? wait_task_inactive+0x142/0x1d0
? do_syscall_64+0x6d/0x90
arch_ptrace+0x102/0x300
[...]
Ensure that shadow stacks are active in a thread before looking them up
in the XSAVE buffer. Since ARCH_SHSTK_SHSTK and user_ssp[SHSTK_EN] are
set at the same time, the active check ensures that there will be
something to find in the XSAVE buffer.
Fixes: 2fab02b25ae7 ("x86: Add PTRACE interface for shadow stack")
Reported-by: Christina Schimpe <christina.schimpe(a)intel.com>
Tested-by: Christina Schimpe <christina.schimpe(a)intel.com>
Signed-off-by: Rick Edgecombe <rick.p.edgecombe(a)intel.com>
Cc: stable(a)vger.kernel.org
---
v2:
- Incorporate log feedback from Dave here:
https://lore.kernel.org/lkml/81d3af8f-bad8-4559-8a0f-3271dd7f0abc@intel.com/
arch/x86/kernel/fpu/regset.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kernel/fpu/regset.c b/arch/x86/kernel/fpu/regset.c
index 6bc1eb2a21bd..887b0b8e21e3 100644
--- a/arch/x86/kernel/fpu/regset.c
+++ b/arch/x86/kernel/fpu/regset.c
@@ -190,7 +190,8 @@ int ssp_get(struct task_struct *target, const struct user_regset *regset,
struct fpu *fpu = &target->thread.fpu;
struct cet_user_state *cetregs;
- if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK))
+ if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK) ||
+ !ssp_active(target, regset))
return -ENODEV;
sync_fpstate(fpu);
--
2.47.1
3 months, 3 weeks
- 1
- 0
Re: zram: Regression in at least linux-6.1.y tree
by Kenneth Van Alstyne
Somehow I missed this on my first search through lore.kernel.org, but this appears to be the same issue:
https://lore.kernel.org/stable/Z3ytcILx4S1v_ueJ@codewreck.org/T/#u
Thanks,
--
Kenneth Van Alstyne, Jr.
> On Jan 7, 2025, at 15:48, Kenneth Van Alstyne <kvanals(a)kvanals.org> wrote:
>
> Greetings and apologies if this isn't the proper process for reporting an issue in a LTS kernel per https://www.kernel.org/doc/html/latest/admin-guide/reporting-issues.html. Happy to follow another process if more appropriate.
>
> Kernel 6.1.122 introduced a regression via commit ac3b5366b9b7c9d97b606532ceab43d2329a22f3 (backport of upstream commit 74363ec674cb172d8856de25776c8f3103f05e2f) in drivers/block/zram/zram_drv.c where attempting to set the size of /dev/zram0 after loading the zram kernel module results in a kernel NULL pointer dereference.
>
> That patch removed the following block from zram_reset_device():
> - if (!init_done(zram)) {
> - up_write(&zram->init_lock);
> - return;
> - }
>
> However, without that, zram_reset_device subsequently calls zcomp_destroy on a device that has not been initialized, leading to the OOPS. Adding that block back does resolve the issue. In addition, the latest mainline kernel does not appear to exhibit these symptoms, but zram_drv.c seems to have been changed fairly substantially since kernel 6.1.
>
> Steps to reproduce:
>
> modprobe zram
> zramctl /dev/zram0 --algorithm zstd --size 83886080k
>
> Kernel log:
>
> [ 184.410082] BUG: kernel NULL pointer dereference, address: 0000000000000000
> [ 184.416305] #PF: supervisor read access in kernel mode
> [ 184.418201] #PF: error_code(0x0000) - not-present page
> [ 184.418201] PGD 170d0b067 P4D 170d0b067 PUD 1718af067 PMD 0
> [ 184.418201] Oops: 0000 [#1] PREEMPT SMP NOPTI
> [ 184.418201] CPU: 2 PID: 3584 Comm: zramctl Tainted: G O K 6.1.122 #1
> [ 184.418201] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org 04/01/2014
> [ 184.418201] RIP: 0010:zcomp_cpu_dead+0x7/0x30 [zram]
> [ 184.418201] Code: c7 d8 56 a9 c0 e8 63 f3 92 ed b8 f4 ff ff ff 5b e9 fe 10 d7 ed 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 0f 1f 44 00 00 89 ff <48> 8b 46 f0 48 03 04 fd c0 47 e7 ae 48 89 c7 48 8d 70 08 e8 11 fd
> [ 184.418201] RSP: 0018:ffffaf9400a5fd28 EFLAGS: 00010246
> [ 184.418201] RAX: ffffffffc0a912d0 RBX: ffff89adefa1b2e0 RCX: 0000000000000010
> [ 184.418201] RDX: 0000000000000000 RSI: 0000000000000010 RDI: 0000000000000000
> [ 184.418201] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
> [ 184.418201] R10: 000000000000000a R11: f000000000000000 R12: 0000000000000aa0
> [ 184.418201] R13: 0000000000000000 R14: 0000000000000010 R15: ffff89aac0cb2e20
> [ 184.418201] FS: 00007fa6d240d740(0000) GS:ffff89adefa80000(0000) knlGS:0000000000000000
> [ 184.418201] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 184.418201] CR2: 0000000000000000 CR3: 0000000171fd4000 CR4: 00000000003506e0
> [ 184.418201] Call Trace:
> [ 184.418201] <TASK>
> [ 184.418201] ? __die_body+0x1a/0x60
> [ 184.418201] ? page_fault_oops+0xae/0x260
> [ 184.418201] ? exc_page_fault+0x67/0x140
> [ 184.418201] ? asm_exc_page_fault+0x22/0x30
> [ 184.418201] ? zcomp_cpu_up_prepare+0x90/0x90 [zram]
> [ 184.418201] ? zcomp_cpu_dead+0x7/0x30 [zram]
> [ 184.418201] ? zcomp_cpu_up_prepare+0x90/0x90 [zram]
> [ 184.418201] cpuhp_invoke_callback+0xb4/0x4c0
> [ 184.418201] ? zcomp_cpu_up_prepare+0x90/0x90 [zram]
> [ 184.418201] cpuhp_issue_call+0xeb/0x140
> [ 184.418201] __cpuhp_state_remove_instance+0xdb/0x1a0
> [ 184.418201] zcomp_destroy+0x1c/0x30 [zram]
> [ 184.418201] zram_reset_device+0xf3/0x120 [zram]
> [ 184.418201] reset_store+0x9d/0x100 [zram]
> [ 184.418201] kernfs_fop_write_iter+0x11e/0x1b0
> [ 184.418201] vfs_write+0x2ae/0x3c0
> [ 184.418201] ksys_write+0x5c/0xe0
> [ 184.418201] do_syscall_64+0x32/0x80
> [ 184.552119] python3 (3612) used greatest stack depth: 11736 bytes left
> [ 184.418201] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
> [ 184.418201] RIP: 0033:0x7fa6d2506d00
> [ 184.418201] Code: 40 00 48 8b 15 29 91 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb af 0f 1f 00 80 3d e1 18 0e 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55
> [ 184.418201] RSP: 002b:00007ffec8315ec8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
> [ 184.418201] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fa6d2506d00
> [ 184.418201] RDX: 0000000000000001 RSI: 00007ffec8315ee0 RDI: 0000000000000003
> [ 184.418201] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000001
> [ 184.418201] R10: 0000000000000004 R11: 0000000000000202 R12: 00007fa6d240d6c0
> [ 184.418201] R13: 00007ffec8315ee0 R14: 0000000000000003 R15: 00007ffec8315ed0
> [ 184.418201] </TASK>
> [ 184.418201] Modules linked in: zram zsmalloc bcache crc64 ip6table_filter ip6_tables iptable_filter xt_conntrack iptable_mangle xt_connmark nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_tables x_tables vfat fat btrfs blake2b_generic xor raid6_pq libcrc32c dm_multipath dm_mod bridge stp llc bonding nfs lockd grace sunrpc fscache torch(O) ipmi_devintf ipmi_msghandler sr_mod kvm_amd mousedev cdrom virtio_blk kvm ata_generic pata_acpi irqbypass crc32c_intel aesni_intel ata_piix crypto_simd virtio_pci virtio_pci_legacy_dev psmouse virtio_pci_modern_dev i6300esb e1000 libata cryptd i2c_piix4 evdev procmemro(OK) noptrace(OK)
> [ 184.418201] CR2: 0000000000000000
> [ 184.418201] ---[ end trace 0000000000000000 ]---
> [ 184.418201] RIP: 0010:zcomp_cpu_dead+0x7/0x30 [zram]
> [ 184.418201] Code: c7 d8 56 a9 c0 e8 63 f3 92 ed b8 f4 ff ff ff 5b e9 fe 10 d7 ed 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 0f 1f 44 00 00 89 ff <48> 8b 46 f0 48 03 04 fd c0 47 e7 ae 48 89 c7 48 8d 70 08 e8 11 fd
> [ 184.418201] RSP: 0018:ffffaf9400a5fd28 EFLAGS: 00010246
> [ 184.418201] RAX: ffffffffc0a912d0 RBX: ffff89adefa1b2e0 RCX: 0000000000000010
> [ 184.418201] RDX: 0000000000000000 RSI: 0000000000000010 RDI: 0000000000000000
> [ 184.418201] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
> [ 184.418201] R10: 000000000000000a R11: f000000000000000 R12: 0000000000000aa0
> [ 184.418201] R13: 0000000000000000 R14: 0000000000000010 R15: ffff89aac0cb2e20
> [ 184.418201] FS: 00007fa6d240d740(0000) GS:ffff89adefa80000(0000) knlGS:0000000000000000
> [ 184.418201] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 184.418201] CR2: 0000000000000000 CR3: 0000000171fd4000 CR4: 00000000003506e0
> [ 184.418201] Kernel panic - not syncing: Fatal exception
> [ 184.418201] Kernel Offset: 0x2c800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
> [ 184.418201] Rebooting in 120 seconds..
>
> Thanks,
>
> --
> Kenneth Van Alstyne, Jr.
3 months, 3 weeks
- 1
- 0
[PATCH v4 4/5] arm64: cputype: Add MIDR_CORTEX_A76AE
by Douglas Anderson
From the TRM, MIDR_CORTEX_A76AE has a partnum of 0xDOE and an
implementor of 0x41 (ARM). Add the values.
Cc: stable(a)vger.kernel.org # dependency of the next fix in the series
Signed-off-by: Douglas Anderson <dianders(a)chromium.org>
---
(no changes since v3)
Changes in v3:
- New
arch/arm64/include/asm/cputype.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h
index 488f8e751349..a345628fce51 100644
--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -75,6 +75,7 @@
#define ARM_CPU_PART_CORTEX_A76 0xD0B
#define ARM_CPU_PART_NEOVERSE_N1 0xD0C
#define ARM_CPU_PART_CORTEX_A77 0xD0D
+#define ARM_CPU_PART_CORTEX_A76AE 0xD0E
#define ARM_CPU_PART_NEOVERSE_V1 0xD40
#define ARM_CPU_PART_CORTEX_A78 0xD41
#define ARM_CPU_PART_CORTEX_A78AE 0xD42
@@ -158,6 +159,7 @@
#define MIDR_CORTEX_A76 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76)
#define MIDR_NEOVERSE_N1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N1)
#define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77)
+#define MIDR_CORTEX_A76AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76AE)
#define MIDR_NEOVERSE_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V1)
#define MIDR_CORTEX_A78 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78)
#define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE)
--
2.47.1.613.gc27f4b7a9f-goog
3 months, 3 weeks
- 1
- 0
[PATCH] nfs: Make NFS_FSCACHE select NETFS_SUPPORT instead of depending on it
by Dragan Simic
Having the NFS_FSCACHE option depend on the NETFS_SUPPORT options makes
selecting NFS_FSCACHE impossible unless another option that additionally
selects NETFS_SUPPORT is already selected.
As a result, for example, being able to reach and select the NFS_FSCACHE
option requires the CEPH_FS or CIFS option to be selected beforehand, which
obviously doesn't make much sense.
Let's correct this by making the NFS_FSCACHE option actually select the
NETFS_SUPPORT option, instead of depending on it.
Fixes: 915cd30cdea8 ("netfs, fscache: Combine fscache with netfs")
Cc: stable(a)vger.kernel.org
Reported-by: Diederik de Haas <didi.debian(a)cknow.org>
Signed-off-by: Dragan Simic <dsimic(a)manjaro.org>
---
fs/nfs/Kconfig | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
index 0eb20012792f..d3f76101ad4b 100644
--- a/fs/nfs/Kconfig
+++ b/fs/nfs/Kconfig
@@ -170,7 +170,8 @@ config ROOT_NFS
config NFS_FSCACHE
bool "Provide NFS client caching support"
- depends on NFS_FS=m && NETFS_SUPPORT || NFS_FS=y && NETFS_SUPPORT=y
+ depends on NFS_FS
+ select NETFS_SUPPORT
select FSCACHE
help
Say Y here if you want NFS data to be cached locally on disc through
3 months, 3 weeks
- 1
- 1
[PATCH] KEYS: trusted: dcp: fix improper sg use with CONFIG_VMAP_STACK=y
by David Gstir
With vmalloc stack addresses enabled (CONFIG_VMAP_STACK=y) DCP trusted
keys can crash during en- and decryption of the blob encryption key via
the DCP crypto driver. This is caused by improperly using sg_init_one()
with vmalloc'd stack buffers (plain_key_blob).
Fix this by always using kmalloc() for buffers we give to the DCP crypto
driver.
Cc: stable(a)vger.kernel.org # v6.10+
Fixes: 0e28bf61a5f9 ("KEYS: trusted: dcp: fix leak of blob encryption key")
Signed-off-by: David Gstir <david(a)sigma-star.at>
---
security/keys/trusted-keys/trusted_dcp.c | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/security/keys/trusted-keys/trusted_dcp.c b/security/keys/trusted-keys/trusted_dcp.c
index e908c53a803c..7b6eb655df0c 100644
--- a/security/keys/trusted-keys/trusted_dcp.c
+++ b/security/keys/trusted-keys/trusted_dcp.c
@@ -201,12 +201,16 @@ static int trusted_dcp_seal(struct trusted_key_payload *p, char *datablob)
{
struct dcp_blob_fmt *b = (struct dcp_blob_fmt *)p->blob;
int blen, ret;
- u8 plain_blob_key[AES_KEYSIZE_128];
+ u8 *plain_blob_key;
blen = calc_blob_len(p->key_len);
if (blen > MAX_BLOB_SIZE)
return -E2BIG;
+ plain_blob_key = kmalloc(AES_KEYSIZE_128, GFP_KERNEL);
+ if (!plain_blob_key)
+ return -ENOMEM;
+
b->fmt_version = DCP_BLOB_VERSION;
get_random_bytes(b->nonce, AES_KEYSIZE_128);
get_random_bytes(plain_blob_key, AES_KEYSIZE_128);
@@ -229,7 +233,8 @@ static int trusted_dcp_seal(struct trusted_key_payload *p, char *datablob)
ret = 0;
out:
- memzero_explicit(plain_blob_key, sizeof(plain_blob_key));
+ memzero_explicit(plain_blob_key, AES_KEYSIZE_128);
+ kfree(plain_blob_key);
return ret;
}
@@ -238,7 +243,7 @@ static int trusted_dcp_unseal(struct trusted_key_payload *p, char *datablob)
{
struct dcp_blob_fmt *b = (struct dcp_blob_fmt *)p->blob;
int blen, ret;
- u8 plain_blob_key[AES_KEYSIZE_128];
+ u8 *plain_blob_key = NULL;
if (b->fmt_version != DCP_BLOB_VERSION) {
pr_err("DCP blob has bad version: %i, expected %i\n",
@@ -256,6 +261,12 @@ static int trusted_dcp_unseal(struct trusted_key_payload *p, char *datablob)
goto out;
}
+ plain_blob_key = kmalloc(AES_KEYSIZE_128, GFP_KERNEL);
+ if (!plain_blob_key) {
+ ret = -ENOMEM;
+ goto out;
+ }
+
ret = decrypt_blob_key(b->blob_key, plain_blob_key);
if (ret) {
pr_err("Unable to decrypt blob key: %i\n", ret);
@@ -271,7 +282,10 @@ static int trusted_dcp_unseal(struct trusted_key_payload *p, char *datablob)
ret = 0;
out:
- memzero_explicit(plain_blob_key, sizeof(plain_blob_key));
+ if (plain_blob_key) {
+ memzero_explicit(plain_blob_key, AES_KEYSIZE_128);
+ kfree(plain_blob_key);
+ }
return ret;
}
--
2.47.0
3 months, 3 weeks
- 2
- 3
[PATCH] ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[]
by Hans de Goede
The TongFang GM5HG0A is a TongFang barebone design which is sold under
various brand names.
The ACPI IRQ override for the keyboard IRQ must be used on these AMD Zen
laptops in order for the IRQ to work.
At least on the SKIKK Vanaheim variant the DMI product- and board-name
strings have been replaced by the OEM with "Vanaheim" so checking that
board-name contains "GM5HG0A" as is usually done for TongFang barebones
quirks does not work.
The DMI OEM strings do contain "GM5HG0A". I have looked at the dmidecode
for a few other TongFang devices and the TongFang code-name string being
in the OEM strings seems to be something which is consistently true.
Add a quirk checking one of the DMI_OEM_STRING(s) is "GM5HG0A" in the hope
that this will work for other OEM versions of the "GM5HG0A" too.
Link: https://www.skikk.eu/en/laptops/vanaheim-15-rtx-4060
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219614
Cc: stable(a)vger.kernel.org
Signed-off-by: Hans de Goede <hdegoede(a)redhat.com>
---
drivers/acpi/resource.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c
index 7d6537ea176f..90aaec923889 100644
--- a/drivers/acpi/resource.c
+++ b/drivers/acpi/resource.c
@@ -653,6 +653,17 @@ static const struct dmi_system_id irq1_edge_low_force_override[] = {
DMI_MATCH(DMI_BOARD_NAME, "GMxHGxx"),
},
},
+ {
+ /*
+ * TongFang GM5HG0A in case of the SKIKK Vanaheim relabel the
+ * board-name is changed, so check OEM strings instead. Note
+ * OEM string matches are always exact matches.
+ * https://bugzilla.kernel.org/show_bug.cgi?id=219614
+ */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_OEM_STRING, "GM5HG0A"),
+ },
+ },
{ }
};
--
2.47.1
3 months, 3 weeks
- 2
- 1
[PATCH] ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[]
by Hans de Goede
Like the Vivobook X1704VAP the X1504VAP has its keyboard IRQ (1) described
as ActiveLow in the DSDT, which the kernel overrides to EdgeHigh which
breaks the keyboard.
Add the X1504VAP to the irq1_level_low_skip_override[] quirk table to fix
this.
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219224
Cc: stable(a)vger.kernel.org
Signed-off-by: Hans de Goede <hdegoede(a)redhat.com>
---
drivers/acpi/resource.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c
index 821867de43be..ab4c0e0b6b8e 100644
--- a/drivers/acpi/resource.c
+++ b/drivers/acpi/resource.c
@@ -440,6 +440,13 @@ static const struct dmi_system_id irq1_level_low_skip_override[] = {
DMI_MATCH(DMI_BOARD_NAME, "S5602ZA"),
},
},
+ {
+ /* Asus Vivobook X1504VAP */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_BOARD_NAME, "X1504VAP"),
+ },
+ },
{
/* Asus Vivobook X1704VAP */
.matches = {
--
2.47.1
3 months, 3 weeks
- 2
- 1
[PATCH 6.1.y] sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers
by Alva Lan
From: Qun-Wei Lin <qun-wei.lin(a)mediatek.com>
[ Upstream commit fd7b4f9f46d46acbc7af3a439bb0d869efdc5c58 ]
When CONFIG_KASAN_SW_TAGS and CONFIG_KASAN_STACK are enabled, the
object_is_on_stack() function may produce incorrect results due to the
presence of tags in the obj pointer, while the stack pointer does not have
tags. This discrepancy can lead to incorrect stack object detection and
subsequently trigger warnings if CONFIG_DEBUG_OBJECTS is also enabled.
Example of the warning:
ODEBUG: object 3eff800082ea7bb0 is NOT on stack ffff800082ea0000, but annotated.
------------[ cut here ]------------
WARNING: CPU: 0 PID: 1 at lib/debugobjects.c:557 __debug_object_init+0x330/0x364
Modules linked in:
CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-rc5 #4
Hardware name: linux,dummy-virt (DT)
pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __debug_object_init+0x330/0x364
lr : __debug_object_init+0x330/0x364
sp : ffff800082ea7b40
x29: ffff800082ea7b40 x28: 98ff0000c0164518 x27: 98ff0000c0164534
x26: ffff800082d93ec8 x25: 0000000000000001 x24: 1cff0000c00172a0
x23: 0000000000000000 x22: ffff800082d93ed0 x21: ffff800081a24418
x20: 3eff800082ea7bb0 x19: efff800000000000 x18: 0000000000000000
x17: 00000000000000ff x16: 0000000000000047 x15: 206b63617473206e
x14: 0000000000000018 x13: ffff800082ea7780 x12: 0ffff800082ea78e
x11: 0ffff800082ea790 x10: 0ffff800082ea79d x9 : 34d77febe173e800
x8 : 34d77febe173e800 x7 : 0000000000000001 x6 : 0000000000000001
x5 : feff800082ea74b8 x4 : ffff800082870a90 x3 : ffff80008018d3c4
x2 : 0000000000000001 x1 : ffff800082858810 x0 : 0000000000000050
Call trace:
__debug_object_init+0x330/0x364
debug_object_init_on_stack+0x30/0x3c
schedule_hrtimeout_range_clock+0xac/0x26c
schedule_hrtimeout+0x1c/0x30
wait_task_inactive+0x1d4/0x25c
kthread_bind_mask+0x28/0x98
init_rescuer+0x1e8/0x280
workqueue_init+0x1a0/0x3cc
kernel_init_freeable+0x118/0x200
kernel_init+0x28/0x1f0
ret_from_fork+0x10/0x20
---[ end trace 0000000000000000 ]---
ODEBUG: object 3eff800082ea7bb0 is NOT on stack ffff800082ea0000, but annotated.
------------[ cut here ]------------
Link: https://lkml.kernel.org/r/20241113042544.19095-1-qun-wei.lin@mediatek.com
Signed-off-by: Qun-Wei Lin <qun-wei.lin(a)mediatek.com>
Cc: Andrew Yang <andrew.yang(a)mediatek.com>
Cc: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com>
Cc: Casper Li <casper.li(a)mediatek.com>
Cc: Catalin Marinas <catalin.marinas(a)arm.com>
Cc: Chinwen Chang <chinwen.chang(a)mediatek.com>
Cc: Kent Overstreet <kent.overstreet(a)linux.dev>
Cc: Matthias Brugger <matthias.bgg(a)gmail.com>
Cc: Pasha Tatashin <pasha.tatashin(a)soleen.com>
Cc: Shakeel Butt <shakeel.butt(a)linux.dev>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
Signed-off-by: Alva Lan <alvalan9(a)foxmail.com>
---
include/linux/sched/task_stack.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/include/linux/sched/task_stack.h b/include/linux/sched/task_stack.h
index f158b025c175..d2117e1c8fa5 100644
--- a/include/linux/sched/task_stack.h
+++ b/include/linux/sched/task_stack.h
@@ -8,6 +8,7 @@
#include <linux/sched.h>
#include <linux/magic.h>
+#include <linux/kasan.h>
#ifdef CONFIG_THREAD_INFO_IN_TASK
@@ -88,6 +89,7 @@ static inline int object_is_on_stack(const void *obj)
{
void *stack = task_stack_page(current);
+ obj = kasan_reset_tag(obj);
return (obj >= stack) && (obj < (stack + THREAD_SIZE));
}
--
2.39.4
3 months, 3 weeks
- 2
- 1
[PATCH 5.10.y] scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity
by Kuan-Wei Chiu
The orc_sort_cmp() function, used with qsort(), previously violated the
symmetry and transitivity rules required by the C standard. Specifically,
when both entries are ORC_REG_UNDEFINED, it could result in both a < b
and b < a, which breaks the required symmetry and transitivity. This can
lead to undefined behavior and incorrect sorting results, potentially
causing memory corruption in glibc implementations [1].
Symmetry: If x < y, then y > x.
Transitivity: If x < y and y < z, then x < z.
Fix the comparison logic to return 0 when both entries are
ORC_REG_UNDEFINED, ensuring compliance with qsort() requirements.
Link: https://www.qualys.com/2024/01/30/qsort.txt [1]
Link: https://lkml.kernel.org/r/20241226140332.2670689-1-visitorckw@gmail.com
Fixes: 57fa18994285 ("scripts/sorttable: Implement build-time ORC unwind table sorting")
Fixes: fb799447ae29 ("x86,objtool: Split UNWIND_HINT_EMPTY in two")
Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com>
Cc: Ching-Chun (Jim) Huang <jserv(a)ccns.ncku.edu.tw>
Cc: <chuang(a)cs.nycu.edu.tw>
Cc: Ingo Molnar <mingo(a)kernel.org>
Cc: Josh Poimboeuf <jpoimboe(a)kernel.org>
Cc: Peter Zijlstra <peterz(a)infradead.org>
Cc: Shile Zhang <shile.zhang(a)linux.alibaba.com>
Cc: Steven Rostedt <rostedt(a)goodmis.org>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
(cherry picked from commit 0210d251162f4033350a94a43f95b1c39ec84a90)
Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com>
---
scripts/sorttable.h | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/scripts/sorttable.h b/scripts/sorttable.h
index a2baa2fefb13..fb385d0f3cc2 100644
--- a/scripts/sorttable.h
+++ b/scripts/sorttable.h
@@ -103,7 +103,7 @@ static inline unsigned long orc_ip(const int *ip)
static int orc_sort_cmp(const void *_a, const void *_b)
{
- struct orc_entry *orc_a;
+ struct orc_entry *orc_a, *orc_b;
const int *a = g_orc_ip_table + *(int *)_a;
const int *b = g_orc_ip_table + *(int *)_b;
unsigned long a_val = orc_ip(a);
@@ -120,8 +120,12 @@ static int orc_sort_cmp(const void *_a, const void *_b)
* These terminator entries exist to handle any gaps created by
* whitelisted .o files which didn't get objtool generation.
*/
- orc_a = g_orc_table + (a - g_orc_ip_table);
- return orc_a->sp_reg == ORC_REG_UNDEFINED && !orc_a->end ? -1 : 1;
+ orc_a = g_orc_table + (a - g_orc_ip_table);
+ orc_b = g_orc_table + (b - g_orc_ip_table);
+ if (orc_a->sp_reg == ORC_REG_UNDEFINED && !orc_a->end &&
+ orc_b->sp_reg == ORC_REG_UNDEFINED && !orc_b->end)
+ return 0;
+ return orc_a->sp_reg == ORC_REG_UNDEFINED && !orc_a->end ? -1 : 1;
}
static void *sort_orctable(void *arg)
--
2.34.1
3 months, 3 weeks
- 2
- 1
[PATCH 6.1.y] scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity
by Kuan-Wei Chiu
The orc_sort_cmp() function, used with qsort(), previously violated the
symmetry and transitivity rules required by the C standard. Specifically,
when both entries are ORC_REG_UNDEFINED, it could result in both a < b
and b < a, which breaks the required symmetry and transitivity. This can
lead to undefined behavior and incorrect sorting results, potentially
causing memory corruption in glibc implementations [1].
Symmetry: If x < y, then y > x.
Transitivity: If x < y and y < z, then x < z.
Fix the comparison logic to return 0 when both entries are
ORC_REG_UNDEFINED, ensuring compliance with qsort() requirements.
Link: https://www.qualys.com/2024/01/30/qsort.txt [1]
Link: https://lkml.kernel.org/r/20241226140332.2670689-1-visitorckw@gmail.com
Fixes: 57fa18994285 ("scripts/sorttable: Implement build-time ORC unwind table sorting")
Fixes: fb799447ae29 ("x86,objtool: Split UNWIND_HINT_EMPTY in two")
Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com>
Cc: Ching-Chun (Jim) Huang <jserv(a)ccns.ncku.edu.tw>
Cc: <chuang(a)cs.nycu.edu.tw>
Cc: Ingo Molnar <mingo(a)kernel.org>
Cc: Josh Poimboeuf <jpoimboe(a)kernel.org>
Cc: Peter Zijlstra <peterz(a)infradead.org>
Cc: Shile Zhang <shile.zhang(a)linux.alibaba.com>
Cc: Steven Rostedt <rostedt(a)goodmis.org>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
(cherry picked from commit 0210d251162f4033350a94a43f95b1c39ec84a90)
Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com>
---
scripts/sorttable.h | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/scripts/sorttable.h b/scripts/sorttable.h
index deb7c1d3e979..f0ba2bf5a886 100644
--- a/scripts/sorttable.h
+++ b/scripts/sorttable.h
@@ -110,7 +110,7 @@ static inline unsigned long orc_ip(const int *ip)
static int orc_sort_cmp(const void *_a, const void *_b)
{
- struct orc_entry *orc_a;
+ struct orc_entry *orc_a, *orc_b;
const int *a = g_orc_ip_table + *(int *)_a;
const int *b = g_orc_ip_table + *(int *)_b;
unsigned long a_val = orc_ip(a);
@@ -128,6 +128,10 @@ static int orc_sort_cmp(const void *_a, const void *_b)
* whitelisted .o files which didn't get objtool generation.
*/
orc_a = g_orc_table + (a - g_orc_ip_table);
+ orc_b = g_orc_table + (b - g_orc_ip_table);
+ if (orc_a->sp_reg == ORC_REG_UNDEFINED && !orc_a->end &&
+ orc_b->sp_reg == ORC_REG_UNDEFINED && !orc_b->end)
+ return 0;
return orc_a->sp_reg == ORC_REG_UNDEFINED && !orc_a->end ? -1 : 1;
}
--
2.34.1
3 months, 3 weeks
- 2
- 1
[PATCH stable 6.6 1/1] Revert "bpf: support non-r10 register spill/fill to/from stack in precision tracking"
by Shung-Hsi Yu
Levi reported that commit ecc2aeeaa08a ("bpf: support non-r10 register
spill/fill to/from stack in precision tracking") cause eBPF program that
previously loads successfully in stable 6.6 now fails to load, when the
same program also loads successfully in v6.13-rc5.
Revert ecc2aeeaa08a until the problem has been probably figured out and
resolved.
Fixes: ecc2aeeaa08a ("bpf: support non-r10 register spill/fill to/from stack in precision tracking")
Reported-by: Levi Zim <rsworktech(a)outlook.com>
Link: https://lore.kernel.org/stable/MEYP282MB2312C3C8801476C4F262D6E1C6162@MEYP2…
Signed-off-by: Shung-Hsi Yu <shung-hsi.yu(a)suse.com>
---
include/linux/bpf_verifier.h | 31 +---
kernel/bpf/verifier.c | 175 ++++++++----------
.../bpf/progs/verifier_subprog_precision.c | 23 +--
.../testing/selftests/bpf/verifier/precise.c | 38 ++--
4 files changed, 98 insertions(+), 169 deletions(-)
diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
index cb8e97665eaa..92919d52f7e1 100644
--- a/include/linux/bpf_verifier.h
+++ b/include/linux/bpf_verifier.h
@@ -319,34 +319,12 @@ struct bpf_func_state {
struct bpf_stack_state *stack;
};
-#define MAX_CALL_FRAMES 8
-
-/* instruction history flags, used in bpf_jmp_history_entry.flags field */
-enum {
- /* instruction references stack slot through PTR_TO_STACK register;
- * we also store stack's frame number in lower 3 bits (MAX_CALL_FRAMES is 8)
- * and accessed stack slot's index in next 6 bits (MAX_BPF_STACK is 512,
- * 8 bytes per slot, so slot index (spi) is [0, 63])
- */
- INSN_F_FRAMENO_MASK = 0x7, /* 3 bits */
-
- INSN_F_SPI_MASK = 0x3f, /* 6 bits */
- INSN_F_SPI_SHIFT = 3, /* shifted 3 bits to the left */
-
- INSN_F_STACK_ACCESS = BIT(9), /* we need 10 bits total */
-};
-
-static_assert(INSN_F_FRAMENO_MASK + 1 >= MAX_CALL_FRAMES);
-static_assert(INSN_F_SPI_MASK + 1 >= MAX_BPF_STACK / 8);
-
-struct bpf_jmp_history_entry {
+struct bpf_idx_pair {
+ u32 prev_idx;
u32 idx;
- /* insn idx can't be bigger than 1 million */
- u32 prev_idx : 22;
- /* special flags, e.g., whether insn is doing register stack spill/load */
- u32 flags : 10;
};
+#define MAX_CALL_FRAMES 8
/* Maximum number of register states that can exist at once */
#define BPF_ID_MAP_SIZE ((MAX_BPF_REG + MAX_BPF_STACK / BPF_REG_SIZE) * MAX_CALL_FRAMES)
struct bpf_verifier_state {
@@ -429,7 +407,7 @@ struct bpf_verifier_state {
* For most states jmp_history_cnt is [0-3].
* For loops can go up to ~40.
*/
- struct bpf_jmp_history_entry *jmp_history;
+ struct bpf_idx_pair *jmp_history;
u32 jmp_history_cnt;
u32 dfs_depth;
u32 callback_unroll_depth;
@@ -662,7 +640,6 @@ struct bpf_verifier_env {
int cur_stack;
} cfg;
struct backtrack_state bt;
- struct bpf_jmp_history_entry *cur_hist_ent;
u32 pass_cnt; /* number of times do_check() was called */
u32 subprog_cnt;
/* number of instructions analyzed by the verifier */
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index a3c3c66ca047..d6a4102312fa 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1762,8 +1762,8 @@ static int copy_verifier_state(struct bpf_verifier_state *dst_state,
int i, err;
dst_state->jmp_history = copy_array(dst_state->jmp_history, src->jmp_history,
- src->jmp_history_cnt, sizeof(*dst_state->jmp_history),
- GFP_USER);
+ src->jmp_history_cnt, sizeof(struct bpf_idx_pair),
+ GFP_USER);
if (!dst_state->jmp_history)
return -ENOMEM;
dst_state->jmp_history_cnt = src->jmp_history_cnt;
@@ -3397,21 +3397,6 @@ static int check_reg_arg(struct bpf_verifier_env *env, u32 regno,
return __check_reg_arg(env, state->regs, regno, t);
}
-static int insn_stack_access_flags(int frameno, int spi)
-{
- return INSN_F_STACK_ACCESS | (spi << INSN_F_SPI_SHIFT) | frameno;
-}
-
-static int insn_stack_access_spi(int insn_flags)
-{
- return (insn_flags >> INSN_F_SPI_SHIFT) & INSN_F_SPI_MASK;
-}
-
-static int insn_stack_access_frameno(int insn_flags)
-{
- return insn_flags & INSN_F_FRAMENO_MASK;
-}
-
static void mark_jmp_point(struct bpf_verifier_env *env, int idx)
{
env->insn_aux_data[idx].jmp_point = true;
@@ -3423,51 +3408,28 @@ static bool is_jmp_point(struct bpf_verifier_env *env, int insn_idx)
}
/* for any branch, call, exit record the history of jmps in the given state */
-static int push_jmp_history(struct bpf_verifier_env *env, struct bpf_verifier_state *cur,
- int insn_flags)
+static int push_jmp_history(struct bpf_verifier_env *env,
+ struct bpf_verifier_state *cur)
{
u32 cnt = cur->jmp_history_cnt;
- struct bpf_jmp_history_entry *p;
+ struct bpf_idx_pair *p;
size_t alloc_size;
- /* combine instruction flags if we already recorded this instruction */
- if (env->cur_hist_ent) {
- /* atomic instructions push insn_flags twice, for READ and
- * WRITE sides, but they should agree on stack slot
- */
- WARN_ONCE((env->cur_hist_ent->flags & insn_flags) &&
- (env->cur_hist_ent->flags & insn_flags) != insn_flags,
- "verifier insn history bug: insn_idx %d cur flags %x new flags %x\n",
- env->insn_idx, env->cur_hist_ent->flags, insn_flags);
- env->cur_hist_ent->flags |= insn_flags;
+ if (!is_jmp_point(env, env->insn_idx))
return 0;
- }
cnt++;
alloc_size = kmalloc_size_roundup(size_mul(cnt, sizeof(*p)));
p = krealloc(cur->jmp_history, alloc_size, GFP_USER);
if (!p)
return -ENOMEM;
+ p[cnt - 1].idx = env->insn_idx;
+ p[cnt - 1].prev_idx = env->prev_insn_idx;
cur->jmp_history = p;
-
- p = &cur->jmp_history[cnt - 1];
- p->idx = env->insn_idx;
- p->prev_idx = env->prev_insn_idx;
- p->flags = insn_flags;
cur->jmp_history_cnt = cnt;
- env->cur_hist_ent = p;
-
return 0;
}
-static struct bpf_jmp_history_entry *get_jmp_hist_entry(struct bpf_verifier_state *st,
- u32 hist_end, int insn_idx)
-{
- if (hist_end > 0 && st->jmp_history[hist_end - 1].idx == insn_idx)
- return &st->jmp_history[hist_end - 1];
- return NULL;
-}
-
/* Backtrack one insn at a time. If idx is not at the top of recorded
* history then previous instruction came from straight line execution.
* Return -ENOENT if we exhausted all instructions within given state.
@@ -3629,14 +3591,9 @@ static inline bool bt_is_reg_set(struct backtrack_state *bt, u32 reg)
return bt->reg_masks[bt->frame] & (1 << reg);
}
-static inline bool bt_is_frame_slot_set(struct backtrack_state *bt, u32 frame, u32 slot)
-{
- return bt->stack_masks[frame] & (1ull << slot);
-}
-
static inline bool bt_is_slot_set(struct backtrack_state *bt, u32 slot)
{
- return bt_is_frame_slot_set(bt, bt->frame, slot);
+ return bt->stack_masks[bt->frame] & (1ull << slot);
}
/* format registers bitmask, e.g., "r0,r2,r4" for 0x15 mask */
@@ -3690,7 +3647,7 @@ static bool calls_callback(struct bpf_verifier_env *env, int insn_idx);
* - *was* processed previously during backtracking.
*/
static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx,
- struct bpf_jmp_history_entry *hist, struct backtrack_state *bt)
+ struct backtrack_state *bt)
{
const struct bpf_insn_cbs cbs = {
.cb_call = disasm_kfunc_name,
@@ -3703,7 +3660,7 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx,
u8 mode = BPF_MODE(insn->code);
u32 dreg = insn->dst_reg;
u32 sreg = insn->src_reg;
- u32 spi, i, fr;
+ u32 spi, i;
if (insn->code == 0)
return 0;
@@ -3766,15 +3723,20 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx,
* by 'precise' mark in corresponding register of this state.
* No further tracking necessary.
*/
- if (!hist || !(hist->flags & INSN_F_STACK_ACCESS))
+ if (insn->src_reg != BPF_REG_FP)
return 0;
+
/* dreg = *(u64 *)[fp - off] was a fill from the stack.
* that [fp - off] slot contains scalar that needs to be
* tracked with precision
*/
- spi = insn_stack_access_spi(hist->flags);
- fr = insn_stack_access_frameno(hist->flags);
- bt_set_frame_slot(bt, fr, spi);
+ spi = (-insn->off - 1) / BPF_REG_SIZE;
+ if (spi >= 64) {
+ verbose(env, "BUG spi %d\n", spi);
+ WARN_ONCE(1, "verifier backtracking bug");
+ return -EFAULT;
+ }
+ bt_set_slot(bt, spi);
} else if (class == BPF_STX || class == BPF_ST) {
if (bt_is_reg_set(bt, dreg))
/* stx & st shouldn't be using _scalar_ dst_reg
@@ -3783,13 +3745,17 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx,
*/
return -ENOTSUPP;
/* scalars can only be spilled into stack */
- if (!hist || !(hist->flags & INSN_F_STACK_ACCESS))
+ if (insn->dst_reg != BPF_REG_FP)
return 0;
- spi = insn_stack_access_spi(hist->flags);
- fr = insn_stack_access_frameno(hist->flags);
- if (!bt_is_frame_slot_set(bt, fr, spi))
+ spi = (-insn->off - 1) / BPF_REG_SIZE;
+ if (spi >= 64) {
+ verbose(env, "BUG spi %d\n", spi);
+ WARN_ONCE(1, "verifier backtracking bug");
+ return -EFAULT;
+ }
+ if (!bt_is_slot_set(bt, spi))
return 0;
- bt_clear_frame_slot(bt, fr, spi);
+ bt_clear_slot(bt, spi);
if (class == BPF_STX)
bt_set_reg(bt, sreg);
} else if (class == BPF_JMP || class == BPF_JMP32) {
@@ -3833,14 +3799,10 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx,
WARN_ONCE(1, "verifier backtracking bug");
return -EFAULT;
}
- /* we are now tracking register spills correctly,
- * so any instance of leftover slots is a bug
- */
- if (bt_stack_mask(bt) != 0) {
- verbose(env, "BUG stack slots %llx\n", bt_stack_mask(bt));
- WARN_ONCE(1, "verifier backtracking bug (subprog leftover stack slots)");
- return -EFAULT;
- }
+ /* we don't track register spills perfectly,
+ * so fallback to force-precise instead of failing */
+ if (bt_stack_mask(bt) != 0)
+ return -ENOTSUPP;
/* propagate r1-r5 to the caller */
for (i = BPF_REG_1; i <= BPF_REG_5; i++) {
if (bt_is_reg_set(bt, i)) {
@@ -3865,11 +3827,8 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx,
WARN_ONCE(1, "verifier backtracking bug");
return -EFAULT;
}
- if (bt_stack_mask(bt) != 0) {
- verbose(env, "BUG stack slots %llx\n", bt_stack_mask(bt));
- WARN_ONCE(1, "verifier backtracking bug (callback leftover stack slots)");
- return -EFAULT;
- }
+ if (bt_stack_mask(bt) != 0)
+ return -ENOTSUPP;
/* clear r1-r5 in callback subprog's mask */
for (i = BPF_REG_1; i <= BPF_REG_5; i++)
bt_clear_reg(bt, i);
@@ -4306,7 +4265,6 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int regno)
for (;;) {
DECLARE_BITMAP(mask, 64);
u32 history = st->jmp_history_cnt;
- struct bpf_jmp_history_entry *hist;
if (env->log.level & BPF_LOG_LEVEL2) {
verbose(env, "mark_precise: frame%d: last_idx %d first_idx %d subseq_idx %d \n",
@@ -4370,8 +4328,7 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int regno)
err = 0;
skip_first = false;
} else {
- hist = get_jmp_hist_entry(st, history, i);
- err = backtrack_insn(env, i, subseq_idx, hist, bt);
+ err = backtrack_insn(env, i, subseq_idx, bt);
}
if (err == -ENOTSUPP) {
mark_all_scalars_precise(env, env->cur_state);
@@ -4424,10 +4381,22 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int regno)
bitmap_from_u64(mask, bt_frame_stack_mask(bt, fr));
for_each_set_bit(i, mask, 64) {
if (i >= func->allocated_stack / BPF_REG_SIZE) {
- verbose(env, "BUG backtracking (stack slot %d, total slots %d)\n",
- i, func->allocated_stack / BPF_REG_SIZE);
- WARN_ONCE(1, "verifier backtracking bug (stack slot out of bounds)");
- return -EFAULT;
+ /* the sequence of instructions:
+ * 2: (bf) r3 = r10
+ * 3: (7b) *(u64 *)(r3 -8) = r0
+ * 4: (79) r4 = *(u64 *)(r10 -8)
+ * doesn't contain jmps. It's backtracked
+ * as a single block.
+ * During backtracking insn 3 is not recognized as
+ * stack access, so at the end of backtracking
+ * stack slot fp-8 is still marked in stack_mask.
+ * However the parent state may not have accessed
+ * fp-8 and it's "unallocated" stack space.
+ * In such case fallback to conservative.
+ */
+ mark_all_scalars_precise(env, env->cur_state);
+ bt_reset(bt);
+ return 0;
}
if (!is_spilled_scalar_reg(&func->stack[i])) {
@@ -4592,7 +4561,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
int i, slot = -off - 1, spi = slot / BPF_REG_SIZE, err;
struct bpf_insn *insn = &env->prog->insnsi[insn_idx];
struct bpf_reg_state *reg = NULL;
- int insn_flags = insn_stack_access_flags(state->frameno, spi);
+ u32 dst_reg = insn->dst_reg;
/* caller checked that off % size == 0 and -MAX_BPF_STACK <= off < 0,
* so it's aligned access and [off, off + size) are within stack limits
@@ -4631,6 +4600,17 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
mark_stack_slot_scratched(env, spi);
if (reg && !(off % BPF_REG_SIZE) && register_is_bounded(reg) &&
!register_is_null(reg) && env->bpf_capable) {
+ if (dst_reg != BPF_REG_FP) {
+ /* The backtracking logic can only recognize explicit
+ * stack slot address like [fp - 8]. Other spill of
+ * scalar via different register has to be conservative.
+ * Backtrack from here and mark all registers as precise
+ * that contributed into 'reg' being a constant.
+ */
+ err = mark_chain_precision(env, value_regno);
+ if (err)
+ return err;
+ }
save_register_state(state, spi, reg, size);
/* Break the relation on a narrowing spill. */
if (fls64(reg->umax_value) > BITS_PER_BYTE * size)
@@ -4642,7 +4622,6 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
__mark_reg_known(&fake_reg, insn->imm);
fake_reg.type = SCALAR_VALUE;
save_register_state(state, spi, &fake_reg, size);
- insn_flags = 0; /* not a register spill */
} else if (reg && is_spillable_regtype(reg->type)) {
/* register containing pointer is being spilled into stack */
if (size != BPF_REG_SIZE) {
@@ -4688,12 +4667,9 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
/* Mark slots affected by this stack write. */
for (i = 0; i < size; i++)
- state->stack[spi].slot_type[(slot - i) % BPF_REG_SIZE] = type;
- insn_flags = 0; /* not a register spill */
+ state->stack[spi].slot_type[(slot - i) % BPF_REG_SIZE] =
+ type;
}
-
- if (insn_flags)
- return push_jmp_history(env, env->cur_state, insn_flags);
return 0;
}
@@ -4882,7 +4858,6 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env,
int i, slot = -off - 1, spi = slot / BPF_REG_SIZE;
struct bpf_reg_state *reg;
u8 *stype, type;
- int insn_flags = insn_stack_access_flags(reg_state->frameno, spi);
stype = reg_state->stack[spi].slot_type;
reg = ®_state->stack[spi].spilled_ptr;
@@ -4928,10 +4903,12 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env,
return -EACCES;
}
mark_reg_unknown(env, state->regs, dst_regno);
- insn_flags = 0; /* not restoring original register state */
}
state->regs[dst_regno].live |= REG_LIVE_WRITTEN;
- } else if (dst_regno >= 0) {
+ return 0;
+ }
+
+ if (dst_regno >= 0) {
/* restore register state from stack */
copy_register_state(&state->regs[dst_regno], reg);
/* mark reg as written since spilled pointer state likely
@@ -4967,10 +4944,7 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env,
mark_reg_read(env, reg, reg->parent, REG_LIVE_READ64);
if (dst_regno >= 0)
mark_reg_stack_read(env, reg_state, off, off + size, dst_regno);
- insn_flags = 0; /* we are not restoring spilled register */
}
- if (insn_flags)
- return push_jmp_history(env, env->cur_state, insn_flags);
return 0;
}
@@ -7054,6 +7028,7 @@ static int check_atomic(struct bpf_verifier_env *env, int insn_idx, struct bpf_i
BPF_SIZE(insn->code), BPF_WRITE, -1, true, false);
if (err)
return err;
+
return 0;
}
@@ -16802,8 +16777,7 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
* the precision needs to be propagated back in
* the current state.
*/
- if (is_jmp_point(env, env->insn_idx))
- err = err ? : push_jmp_history(env, cur, 0);
+ err = err ? : push_jmp_history(env, cur);
err = err ? : propagate_precision(env, &sl->state);
if (err)
return err;
@@ -17027,9 +17001,6 @@ static int do_check(struct bpf_verifier_env *env)
u8 class;
int err;
- /* reset current history entry on each new instruction */
- env->cur_hist_ent = NULL;
-
env->prev_insn_idx = prev_insn_idx;
if (env->insn_idx >= insn_cnt) {
verbose(env, "invalid insn idx %d insn_cnt %d\n",
@@ -17069,7 +17040,7 @@ static int do_check(struct bpf_verifier_env *env)
}
if (is_jmp_point(env, env->insn_idx)) {
- err = push_jmp_history(env, state, 0);
+ err = push_jmp_history(env, state);
if (err)
return err;
}
diff --git a/tools/testing/selftests/bpf/progs/verifier_subprog_precision.c b/tools/testing/selftests/bpf/progs/verifier_subprog_precision.c
index f87365f7599b..f61d623b1ce8 100644
--- a/tools/testing/selftests/bpf/progs/verifier_subprog_precision.c
+++ b/tools/testing/selftests/bpf/progs/verifier_subprog_precision.c
@@ -541,24 +541,11 @@ static __u64 subprog_spill_reg_precise(void)
SEC("?raw_tp")
__success __log_level(2)
-__msg("10: (0f) r1 += r7")
-__msg("mark_precise: frame0: last_idx 10 first_idx 7 subseq_idx -1")
-__msg("mark_precise: frame0: regs=r7 stack= before 9: (bf) r1 = r8")
-__msg("mark_precise: frame0: regs=r7 stack= before 8: (27) r7 *= 4")
-__msg("mark_precise: frame0: regs=r7 stack= before 7: (79) r7 = *(u64 *)(r10 -8)")
-__msg("mark_precise: frame0: parent state regs= stack=-8: R0_w=2 R6_w=1 R8_rw=map_value(map=.data.vals,ks=4,vs=16) R10=fp0 fp-8_rw=P1")
-__msg("mark_precise: frame0: last_idx 18 first_idx 0 subseq_idx 7")
-__msg("mark_precise: frame0: regs= stack=-8 before 18: (95) exit")
-__msg("mark_precise: frame1: regs= stack= before 17: (0f) r0 += r2")
-__msg("mark_precise: frame1: regs= stack= before 16: (79) r2 = *(u64 *)(r1 +0)")
-__msg("mark_precise: frame1: regs= stack= before 15: (79) r0 = *(u64 *)(r10 -16)")
-__msg("mark_precise: frame1: regs= stack= before 14: (7b) *(u64 *)(r10 -16) = r2")
-__msg("mark_precise: frame1: regs= stack= before 13: (7b) *(u64 *)(r1 +0) = r2")
-__msg("mark_precise: frame1: regs=r2 stack= before 6: (85) call pc+6")
-__msg("mark_precise: frame0: regs=r2 stack= before 5: (bf) r2 = r6")
-__msg("mark_precise: frame0: regs=r6 stack= before 4: (07) r1 += -8")
-__msg("mark_precise: frame0: regs=r6 stack= before 3: (bf) r1 = r10")
-__msg("mark_precise: frame0: regs=r6 stack= before 2: (b7) r6 = 1")
+/* precision backtracking can't currently handle stack access not through r10,
+ * so we won't be able to mark stack slot fp-8 as precise, and so will
+ * fallback to forcing all as precise
+ */
+__msg("mark_precise: frame0: falling back to forcing all scalars precise")
__naked int subprog_spill_into_parent_stack_slot_precise(void)
{
asm volatile (
diff --git a/tools/testing/selftests/bpf/verifier/precise.c b/tools/testing/selftests/bpf/verifier/precise.c
index 8a2ff81d8350..0d84dd1f38b6 100644
--- a/tools/testing/selftests/bpf/verifier/precise.c
+++ b/tools/testing/selftests/bpf/verifier/precise.c
@@ -140,11 +140,10 @@
.result = REJECT,
},
{
- "precise: ST zero to stack insn is supported",
+ "precise: ST insn causing spi > allocated_stack",
.insns = {
BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
BPF_JMP_IMM(BPF_JNE, BPF_REG_3, 123, 0),
- /* not a register spill, so we stop precision propagation for R4 here */
BPF_ST_MEM(BPF_DW, BPF_REG_3, -8, 0),
BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
BPF_MOV64_IMM(BPF_REG_0, -1),
@@ -158,11 +157,11 @@
mark_precise: frame0: last_idx 4 first_idx 2\
mark_precise: frame0: regs=r4 stack= before 4\
mark_precise: frame0: regs=r4 stack= before 3\
+ mark_precise: frame0: regs= stack=-8 before 2\
+ mark_precise: frame0: falling back to forcing all scalars precise\
+ force_precise: frame0: forcing r0 to be precise\
mark_precise: frame0: last_idx 5 first_idx 5\
- mark_precise: frame0: parent state regs=r0 stack=:\
- mark_precise: frame0: last_idx 4 first_idx 2\
- mark_precise: frame0: regs=r0 stack= before 4\
- 5: R0=-1 R4=0",
+ mark_precise: frame0: parent state regs= stack=:",
.result = VERBOSE_ACCEPT,
.retval = -1,
},
@@ -170,8 +169,6 @@
"precise: STX insn causing spi > allocated_stack",
.insns = {
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
- /* make later reg spill more interesting by having somewhat known scalar */
- BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
BPF_JMP_IMM(BPF_JNE, BPF_REG_3, 123, 0),
BPF_STX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, -8),
@@ -182,21 +179,18 @@
},
.prog_type = BPF_PROG_TYPE_XDP,
.flags = BPF_F_TEST_STATE_FREQ,
- .errstr = "mark_precise: frame0: last_idx 7 first_idx 7\
+ .errstr = "mark_precise: frame0: last_idx 6 first_idx 6\
mark_precise: frame0: parent state regs=r4 stack=:\
- mark_precise: frame0: last_idx 6 first_idx 4\
- mark_precise: frame0: regs=r4 stack= before 6: (b7) r0 = -1\
- mark_precise: frame0: regs=r4 stack= before 5: (79) r4 = *(u64 *)(r10 -8)\
- mark_precise: frame0: regs= stack=-8 before 4: (7b) *(u64 *)(r3 -8) = r0\
- mark_precise: frame0: parent state regs=r0 stack=:\
- mark_precise: frame0: last_idx 3 first_idx 3\
- mark_precise: frame0: regs=r0 stack= before 3: (55) if r3 != 0x7b goto pc+0\
- mark_precise: frame0: regs=r0 stack= before 2: (bf) r3 = r10\
- mark_precise: frame0: regs=r0 stack= before 1: (57) r0 &= 255\
- mark_precise: frame0: parent state regs=r0 stack=:\
- mark_precise: frame0: last_idx 0 first_idx 0\
- mark_precise: frame0: regs=r0 stack= before 0: (85) call bpf_get_prandom_u32#7\
- mark_precise: frame0: last_idx 7 first_idx 7\
+ mark_precise: frame0: last_idx 5 first_idx 3\
+ mark_precise: frame0: regs=r4 stack= before 5\
+ mark_precise: frame0: regs=r4 stack= before 4\
+ mark_precise: frame0: regs= stack=-8 before 3\
+ mark_precise: frame0: falling back to forcing all scalars precise\
+ force_precise: frame0: forcing r0 to be precise\
+ force_precise: frame0: forcing r0 to be precise\
+ force_precise: frame0: forcing r0 to be precise\
+ force_precise: frame0: forcing r0 to be precise\
+ mark_precise: frame0: last_idx 6 first_idx 6\
mark_precise: frame0: parent state regs= stack=:",
.result = VERBOSE_ACCEPT,
.retval = -1,
--
2.47.1
3 months, 3 weeks
- 2
- 1
[PATCH 5.15.y] scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity
by Kuan-Wei Chiu
The orc_sort_cmp() function, used with qsort(), previously violated the
symmetry and transitivity rules required by the C standard. Specifically,
when both entries are ORC_REG_UNDEFINED, it could result in both a < b
and b < a, which breaks the required symmetry and transitivity. This can
lead to undefined behavior and incorrect sorting results, potentially
causing memory corruption in glibc implementations [1].
Symmetry: If x < y, then y > x.
Transitivity: If x < y and y < z, then x < z.
Fix the comparison logic to return 0 when both entries are
ORC_REG_UNDEFINED, ensuring compliance with qsort() requirements.
Link: https://www.qualys.com/2024/01/30/qsort.txt [1]
Link: https://lkml.kernel.org/r/20241226140332.2670689-1-visitorckw@gmail.com
Fixes: 57fa18994285 ("scripts/sorttable: Implement build-time ORC unwind table sorting")
Fixes: fb799447ae29 ("x86,objtool: Split UNWIND_HINT_EMPTY in two")
Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com>
Cc: Ching-Chun (Jim) Huang <jserv(a)ccns.ncku.edu.tw>
Cc: <chuang(a)cs.nycu.edu.tw>
Cc: Ingo Molnar <mingo(a)kernel.org>
Cc: Josh Poimboeuf <jpoimboe(a)kernel.org>
Cc: Peter Zijlstra <peterz(a)infradead.org>
Cc: Shile Zhang <shile.zhang(a)linux.alibaba.com>
Cc: Steven Rostedt <rostedt(a)goodmis.org>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
(cherry picked from commit 0210d251162f4033350a94a43f95b1c39ec84a90)
Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com>
---
scripts/sorttable.h | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/scripts/sorttable.h b/scripts/sorttable.h
index a2baa2fefb13..9013b6984d68 100644
--- a/scripts/sorttable.h
+++ b/scripts/sorttable.h
@@ -103,7 +103,7 @@ static inline unsigned long orc_ip(const int *ip)
static int orc_sort_cmp(const void *_a, const void *_b)
{
- struct orc_entry *orc_a;
+ struct orc_entry *orc_a, *orc_b;
const int *a = g_orc_ip_table + *(int *)_a;
const int *b = g_orc_ip_table + *(int *)_b;
unsigned long a_val = orc_ip(a);
@@ -121,6 +121,10 @@ static int orc_sort_cmp(const void *_a, const void *_b)
* whitelisted .o files which didn't get objtool generation.
*/
orc_a = g_orc_table + (a - g_orc_ip_table);
+ orc_b = g_orc_table + (b - g_orc_ip_table);
+ if (orc_a->sp_reg == ORC_REG_UNDEFINED && !orc_a->end &&
+ orc_b->sp_reg == ORC_REG_UNDEFINED && !orc_b->end)
+ return 0;
return orc_a->sp_reg == ORC_REG_UNDEFINED && !orc_a->end ? -1 : 1;
}
--
2.34.1
3 months, 3 weeks
- 2
- 1
[PATCH] misc: microchip: pci1xxxx: Fix possible double free in error handling path
by Ma Ke
When auxiliary_device_add() returns error and then calls
auxiliary_device_uninit(), the callback function
gp_auxiliary_device_release() calls kfree() to free memory. Do not
call kfree() again in the error handling path.
Fix this by skipping the redundant kfree().
Found by code review.
Cc: stable(a)vger.kernel.org
Fixes: 393fc2f5948f ("misc: microchip: pci1xxxx: load auxiliary bus driver for the PIO function in the multi-function endpoint of pci1xxxx device.")
Signed-off-by: Ma Ke <make24(a)iscas.ac.cn>
---
drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c b/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c
index 32af2b14ff34..fbd712938bdc 100644
--- a/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c
+++ b/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c
@@ -111,6 +111,7 @@ static int gp_aux_bus_probe(struct pci_dev *pdev, const struct pci_device_id *id
err_aux_dev_add_1:
auxiliary_device_uninit(&aux_bus->aux_device_wrapper[1]->aux_dev);
+ goto err_aux_dev_add_0;
err_aux_dev_init_1:
ida_free(&gp_client_ida, aux_bus->aux_device_wrapper[1]->aux_dev.id);
@@ -120,6 +121,7 @@ static int gp_aux_bus_probe(struct pci_dev *pdev, const struct pci_device_id *id
err_aux_dev_add_0:
auxiliary_device_uninit(&aux_bus->aux_device_wrapper[0]->aux_dev);
+ goto err_ret;
err_aux_dev_init_0:
ida_free(&gp_client_ida, aux_bus->aux_device_wrapper[0]->aux_dev.id);
--
2.25.1
3 months, 3 weeks
- 2
- 3
[PATCH v3] [ARM] fix reference leak in locomo_init_one_child()
by Ma Ke
Once device_register() failed, we should call put_device() to
decrement reference count for cleanup. Or it could cause memory leak.
device_register() includes device_add(). As comment of device_add()
says, 'if device_add() succeeds, you should call device_del() when you
want to get rid of it. If device_add() has not succeeded, use only
put_device() to drop the reference count'.
Found by code review.
Cc: stable(a)vger.kernel.org
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Ma Ke <make24(a)iscas.ac.cn>
---
Changes in v3:
- modified the patch as suggestions;
Changes in v2:
- modified the patch as suggestions.
---
arch/arm/common/locomo.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/arch/arm/common/locomo.c b/arch/arm/common/locomo.c
index cb6ef449b987..9e275b2105c2 100644
--- a/arch/arm/common/locomo.c
+++ b/arch/arm/common/locomo.c
@@ -220,13 +220,11 @@ static int
locomo_init_one_child(struct locomo *lchip, struct locomo_dev_info *info)
{
struct locomo_dev *dev;
- int ret;
+ int ret = 0;
dev = kzalloc(sizeof(struct locomo_dev), GFP_KERNEL);
- if (!dev) {
- ret = -ENOMEM;
- goto out;
- }
+ if (!dev)
+ return -ENOMEM;
/*
* If the parent device has a DMA mask associated with it,
@@ -254,10 +252,9 @@ locomo_init_one_child(struct locomo *lchip, struct locomo_dev_info *info)
NO_IRQ : lchip->irq_base + info->irq[0];
ret = device_register(&dev->dev);
- if (ret) {
- out:
- kfree(dev);
- }
+ if (ret)
+ put_device(&dev->dev);
+
return ret;
}
--
2.25.1
3 months, 3 weeks
- 2
- 1
[PATCH v3 00/23] arm64: dts: qcom: Fix remoteproc memory base and length
by Krzysztof Kozlowski
Changes in v3:
- Add Rb tags
- Add four new patches (at the end) for sdx75 and sm6115
- Link to v2: https://lore.kernel.org/r/20241209-dts-qcom-cdsp-mpss-base-address-v2-0-d85…
Changes in v2:
- arm64: dts: qcom: x1e80100: Fix ADSP...:
Commit msg corrections, second paragraph (Johan)
- Add tags
- Link to v1: https://lore.kernel.org/r/20241206-dts-qcom-cdsp-mpss-base-address-v1-0-2f3…
Konrad pointed out during SM8750 review, that numbers are odd, so I
looked at datasheets and downstream DTS for all previous platforms.
Most numbers are odd.
Older platforms like SM8150, SM8250, SC7280, SC8180X seem fine. I could
not check few like SDX75 or SM6115, due to lack of access to datasheets.
SM8350, SM8450, SM8550 tested on hardware. Others not, but I don't
expect any failures because PAS drivers do not use the address space.
Which also explains why odd numbers did not result in any failures.
Best regards,
Krzysztof
---
Krzysztof Kozlowski (23):
arm64: dts: qcom: sm8350: Fix ADSP memory base and length
arm64: dts: qcom: sm8350: Fix CDSP memory base and length
arm64: dts: qcom: sm8350: Fix MPSS memory length
arm64: dts: qcom: sm8450: Fix ADSP memory base and length
arm64: dts: qcom: sm8450: Fix CDSP memory length
arm64: dts: qcom: sm8450: Fix MPSS memory length
arm64: dts: qcom: sm8550: Fix ADSP memory base and length
arm64: dts: qcom: sm8550: Fix CDSP memory length
arm64: dts: qcom: sm8550: Fix MPSS memory length
arm64: dts: qcom: sm8650: Fix ADSP memory base and length
arm64: dts: qcom: sm8650: Fix CDSP memory length
arm64: dts: qcom: sm8650: Fix MPSS memory length
arm64: dts: qcom: x1e80100: Fix ADSP memory base and length
arm64: dts: qcom: x1e80100: Fix CDSP memory length
arm64: dts: qcom: sm6350: Fix ADSP memory length
arm64: dts: qcom: sm6350: Fix MPSS memory length
[RFT] arm64: dts: qcom: sm6375: Fix ADSP memory length
[RFT] arm64: dts: qcom: sm6375: Fix CDSP memory base and length
[RFT] arm64: dts: qcom: sm6375: Fix MPSS memory base and length
arm64: dts: qcom: sdx75: Fix MPSS memory length
arm64: dts: qcom: sm6115: Fix MPSS memory length
arm64: dts: qcom: sm6115: Fix CDSP memory length
arm64: dts: qcom: sm6115: Fix ADSP memory base and length
arch/arm64/boot/dts/qcom/sdx75.dtsi | 2 +-
arch/arm64/boot/dts/qcom/sm6115.dtsi | 8 +-
arch/arm64/boot/dts/qcom/sm6350.dtsi | 4 +-
arch/arm64/boot/dts/qcom/sm6375.dtsi | 10 +-
arch/arm64/boot/dts/qcom/sm8350.dtsi | 492 ++++++++++++++++-----------------
arch/arm64/boot/dts/qcom/sm8450.dtsi | 216 +++++++--------
arch/arm64/boot/dts/qcom/sm8550.dtsi | 266 +++++++++---------
arch/arm64/boot/dts/qcom/sm8650.dtsi | 300 ++++++++++----------
arch/arm64/boot/dts/qcom/x1e80100.dtsi | 276 +++++++++---------
9 files changed, 787 insertions(+), 787 deletions(-)
---
base-commit: c245a7a79602ccbee780c004c1e4abcda66aec32
change-id: 20241206-dts-qcom-cdsp-mpss-base-address-ae7c406ac9ac
Best regards,
--
Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org>
3 months, 3 weeks
- 5
- 40
[PATCH v2 0/6] firmware: qcom: scm: Fixes for concurrency
by Krzysztof Kozlowski
Changes in v2:
- Patch #2: Extend commit msg
- Patch #4: Store NULL
- Add Rb tags
- Link to v1: https://lore.kernel.org/r/20241119-qcom-scm-missing-barriers-and-all-sort-o…
Description
===========
SCM driver looks messy in terms of handling concurrency of probe. The
driver exports interface which is guarded by global '__scm' variable
but:
1. Lacks proper read barrier (commit adding write barriers mixed up
READ_ONCE with a read barrier).
2. Lacks barriers or checks for '__scm' in multiple places.
3. Lacks probe error cleanup.
All the issues here are non-urgent, IOW, they were here for some time
(v6.10-rc1 and earlier).
Best regards,
Krzysztof
---
Krzysztof Kozlowski (6):
firmware: qcom: scm: Fix missing read barrier in qcom_scm_is_available()
firmware: qcom: scm: Fix missing read barrier in qcom_scm_get_tzmem_pool()
firmware: qcom: scm: Handle various probe ordering for qcom_scm_assign_mem()
firmware: qcom: scm: Cleanup global '__scm' on probe failures
firmware: qcom: scm: smc: Handle missing SCM device
firmware: qcom: scm: smc: Narrow 'mempool' variable scope
drivers/firmware/qcom/qcom_scm-smc.c | 6 +++-
drivers/firmware/qcom/qcom_scm.c | 55 +++++++++++++++++++++++++-----------
2 files changed, 44 insertions(+), 17 deletions(-)
---
base-commit: d1486dca38afd08ca279ae94eb3a397f10737824
change-id: 20241119-qcom-scm-missing-barriers-and-all-sort-of-srap-a25d59074882
Best regards,
--
Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org>
3 months, 3 weeks
- 2
- 3
[PATCH v1 1/4] KVM: s390: vsie: fix some corner-cases when grabbing vsie pages
by David Hildenbrand
We try to reuse the same vsie page when re-executing the vsie with a
given SCB address. The result is that we use the same shadow SCB --
residing in the vsie page -- and can avoid flushing the TLB when
re-running the vsie on a CPU.
So, when we allocate a fresh vsie page, or when we reuse a vsie page for
a different SCB address -- reusing the shadow SCB in different context --
we set ihcpu=0xffff to trigger the flush.
However, after we looked up the SCB address in the radix tree, but before
we grabbed the vsie page by raising the refcount to 2, someone could reuse
the vsie page for a different SCB address, adjusting page->index and the
radix tree. In that case, we would be reusing the vsie page with a
wrong page->index.
Another corner case is that we might set the SCB address for a vsie
page, but fail the insertion into the radix tree. Whoever would reuse
that page would remove the corresponding radix tree entry -- which might
now be a valid entry pointing at another page, resulting in the wrong
vsie page getting removed from the radix tree.
Let's handle such races better, by validating that the SCB address of a
vsie page didn't change after we grabbed it (not reuse for a different
SCB; the alternative would be performing another tree lookup), and by
setting the SCB address to invalid until the insertion in the tree
succeeded (SCB addresses are aligned to 512, so ULONG_MAX is invalid).
These scenarios are rare, the effects a bit unclear, and these issues were
only found by code inspection. Let's CC stable to be safe.
Fixes: a3508fbe9dc6 ("KVM: s390: vsie: initial support for nested virtualization")
Cc: stable(a)vger.kernel.org
Signed-off-by: David Hildenbrand <david(a)redhat.com>
---
arch/s390/kvm/vsie.c | 25 +++++++++++++++++++------
1 file changed, 19 insertions(+), 6 deletions(-)
diff --git a/arch/s390/kvm/vsie.c b/arch/s390/kvm/vsie.c
index 150b9387860ad..0fb527b33734c 100644
--- a/arch/s390/kvm/vsie.c
+++ b/arch/s390/kvm/vsie.c
@@ -1362,8 +1362,14 @@ static struct vsie_page *get_vsie_page(struct kvm *kvm, unsigned long addr)
page = radix_tree_lookup(&kvm->arch.vsie.addr_to_page, addr >> 9);
rcu_read_unlock();
if (page) {
- if (page_ref_inc_return(page) == 2)
- return page_to_virt(page);
+ if (page_ref_inc_return(page) == 2) {
+ if (page->index == addr)
+ return page_to_virt(page);
+ /*
+ * We raced with someone reusing + putting this vsie
+ * page before we grabbed it.
+ */
+ }
page_ref_dec(page);
}
@@ -1393,15 +1399,20 @@ static struct vsie_page *get_vsie_page(struct kvm *kvm, unsigned long addr)
kvm->arch.vsie.next++;
kvm->arch.vsie.next %= nr_vcpus;
}
- radix_tree_delete(&kvm->arch.vsie.addr_to_page, page->index >> 9);
+ if (page->index != ULONG_MAX)
+ radix_tree_delete(&kvm->arch.vsie.addr_to_page,
+ page->index >> 9);
}
- page->index = addr;
- /* double use of the same address */
+ /* Mark it as invalid until it resides in the tree. */
+ page->index = ULONG_MAX;
+
+ /* Double use of the same address or allocation failure. */
if (radix_tree_insert(&kvm->arch.vsie.addr_to_page, addr >> 9, page)) {
page_ref_dec(page);
mutex_unlock(&kvm->arch.vsie.mutex);
return NULL;
}
+ page->index = addr;
mutex_unlock(&kvm->arch.vsie.mutex);
vsie_page = page_to_virt(page);
@@ -1496,7 +1507,9 @@ void kvm_s390_vsie_destroy(struct kvm *kvm)
vsie_page = page_to_virt(page);
release_gmap_shadow(vsie_page);
/* free the radix tree entry */
- radix_tree_delete(&kvm->arch.vsie.addr_to_page, page->index >> 9);
+ if (page->index != ULONG_MAX)
+ radix_tree_delete(&kvm->arch.vsie.addr_to_page,
+ page->index >> 9);
__free_page(page);
}
kvm->arch.vsie.page_count = 0;
--
2.47.1
3 months, 3 weeks
- 1
- 0
[PATCH 08/24] drm/amd/display: Reduce accessing remote DPCD overhead
by Tom Chung
From: Wayne Lin <Wayne.Lin(a)amd.com>
[Why]
Observed frame rate get dropped by tool like glxgear. Even though the
output to monitor is 60Hz, the rendered frame rate drops to 30Hz lower.
It's due to code path in some cases will trigger
dm_dp_mst_is_port_support_mode() to read out remote Link status to
assess the available bandwidth for dsc maniplation. Overhead of keep
reading remote DPCD is considerable.
[How]
Store the remote link BW in mst_local_bw and use end-to-end full_pbn
as an indicator to decide whether update the remote link bw or not.
Whenever we need the info to assess the BW, visit the stored one first.
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3720
Fixes: fa57924c76d9 ("drm/amd/display: Refactor function dm_dp_mst_is_port_support_mode()")
Cc: Mario Limonciello <mario.limonciello(a)amd.com>
Cc: Alex Deucher <alexander.deucher(a)amd.com>
Cc: stable(a)vger.kernel.org
Reviewed-by: Jerry Zuo <jerry.zuo(a)amd.com>
Signed-off-by: Wayne Lin <Wayne.Lin(a)amd.com>
Signed-off-by: Tom Chung <chiahsuan.chung(a)amd.com>
---
.../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 2 ++
.../display/amdgpu_dm/amdgpu_dm_mst_types.c | 34 ++++++++++++++-----
2 files changed, 27 insertions(+), 9 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h
index e46e1365fe91..e7963158a147 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h
@@ -697,6 +697,8 @@ struct amdgpu_dm_connector {
struct drm_dp_mst_port *mst_output_port;
struct amdgpu_dm_connector *mst_root;
struct drm_dp_aux *dsc_aux;
+ uint32_t mst_local_bw;
+ uint16_t vc_full_pbn;
struct mutex handle_mst_msg_ready;
/* TODO see if we can merge with ddc_bus or make a dm_connector */
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
index a504aa1243e9..e096fb562122 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
@@ -155,6 +155,17 @@ amdgpu_dm_mst_connector_late_register(struct drm_connector *connector)
return 0;
}
+
+static inline void
+amdgpu_dm_mst_reset_mst_connector_setting(struct amdgpu_dm_connector *aconnector)
+{
+ aconnector->drm_edid = NULL;
+ aconnector->dsc_aux = NULL;
+ aconnector->mst_output_port->passthrough_aux = NULL;
+ aconnector->mst_local_bw = 0;
+ aconnector->vc_full_pbn = 0;
+}
+
static void
amdgpu_dm_mst_connector_early_unregister(struct drm_connector *connector)
{
@@ -182,9 +193,7 @@ amdgpu_dm_mst_connector_early_unregister(struct drm_connector *connector)
dc_sink_release(dc_sink);
aconnector->dc_sink = NULL;
- aconnector->drm_edid = NULL;
- aconnector->dsc_aux = NULL;
- port->passthrough_aux = NULL;
+ amdgpu_dm_mst_reset_mst_connector_setting(aconnector);
}
aconnector->mst_status = MST_STATUS_DEFAULT;
@@ -504,9 +513,7 @@ dm_dp_mst_detect(struct drm_connector *connector,
dc_sink_release(aconnector->dc_sink);
aconnector->dc_sink = NULL;
- aconnector->drm_edid = NULL;
- aconnector->dsc_aux = NULL;
- port->passthrough_aux = NULL;
+ amdgpu_dm_mst_reset_mst_connector_setting(aconnector);
amdgpu_dm_set_mst_status(&aconnector->mst_status,
MST_REMOTE_EDID | MST_ALLOCATE_NEW_PAYLOAD | MST_CLEAR_ALLOCATED_PAYLOAD,
@@ -1819,9 +1826,18 @@ enum dc_status dm_dp_mst_is_port_support_mode(
struct drm_dp_mst_port *immediate_upstream_port = NULL;
uint32_t end_link_bw = 0;
- /*Get last DP link BW capability*/
- if (dp_get_link_current_set_bw(&aconnector->mst_output_port->aux, &end_link_bw)) {
- if (stream_kbps > end_link_bw) {
+ /*Get last DP link BW capability. Mode shall be supported by Legacy peer*/
+ if (aconnector->mst_output_port->pdt != DP_PEER_DEVICE_DP_LEGACY_CONV &&
+ aconnector->mst_output_port->pdt != DP_PEER_DEVICE_NONE) {
+ if (aconnector->vc_full_pbn != aconnector->mst_output_port->full_pbn) {
+ dp_get_link_current_set_bw(&aconnector->mst_output_port->aux, &end_link_bw);
+ aconnector->vc_full_pbn = aconnector->mst_output_port->full_pbn;
+ aconnector->mst_local_bw = end_link_bw;
+ } else {
+ end_link_bw = aconnector->mst_local_bw;
+ }
+
+ if (end_link_bw > 0 && stream_kbps > end_link_bw) {
DRM_DEBUG_DRIVER("MST_DSC dsc decode at last link."
"Mode required bw can't fit into last link\n");
return DC_FAIL_BANDWIDTH_VALIDATE;
--
2.34.1
3 months, 3 weeks
- 1
- 0
[PATCH 07/24] drm/amd/display: Validate mdoe under MST LCT=1 case as well
by Tom Chung
From: Wayne Lin <Wayne.Lin(a)amd.com>
[Why & How]
Currently in dm_dp_mst_is_port_support_mode(), when valdidating mode
under dsc decoding at the last DP link config, we only validate the
case when there is an UFP. However, if the MSTB LCT=1, there is no
UFP.
Under this case, use root_link_bw_in_kbps as the available bw to
compare.
Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3720
Fixes: fa57924c76d9 ("drm/amd/display: Refactor function dm_dp_mst_is_port_support_mode()")
Cc: Mario Limonciello <mario.limonciello(a)amd.com>
Cc: Alex Deucher <alexander.deucher(a)amd.com>
Cc: stable(a)vger.kernel.org
Reviewed-by: Jerry Zuo <jerry.zuo(a)amd.com>
Signed-off-by: Wayne Lin <Wayne.Lin(a)amd.com>
Signed-off-by: Tom Chung <chiahsuan.chung(a)amd.com>
---
.../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
index ca864f71ae66..a504aa1243e9 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
@@ -1835,11 +1835,15 @@ enum dc_status dm_dp_mst_is_port_support_mode(
if (immediate_upstream_port) {
virtual_channel_bw_in_kbps = kbps_from_pbn(immediate_upstream_port->full_pbn);
virtual_channel_bw_in_kbps = min(root_link_bw_in_kbps, virtual_channel_bw_in_kbps);
- if (bw_range.min_kbps > virtual_channel_bw_in_kbps) {
- DRM_DEBUG_DRIVER("MST_DSC dsc decode at last link."
- "Max dsc compression can't fit into MST available bw\n");
- return DC_FAIL_BANDWIDTH_VALIDATE;
- }
+ } else {
+ /* For topology LCT 1 case - only one mstb*/
+ virtual_channel_bw_in_kbps = root_link_bw_in_kbps;
+ }
+
+ if (bw_range.min_kbps > virtual_channel_bw_in_kbps) {
+ DRM_DEBUG_DRIVER("MST_DSC dsc decode at last link."
+ "Max dsc compression can't fit into MST available bw\n");
+ return DC_FAIL_BANDWIDTH_VALIDATE;
}
}
--
2.34.1
3 months, 3 weeks
- 1
- 0
[PATCH 1/3] Revert "staging: remove rts5139 driver code"
by Sean Rhodes
This reverts commit 00d8521dcd236d1b8f664f54a0309e96bfdcb4f9.
The staging driver that was removed, `rts5139`, worked well with multiple
Realtek card readers and provided more comprehensive functionality than
`rtsx_usb`. It supported features like interrupts, SSC, speed modes,
suspend, secure erase, TRIM, and more. Additionally, its error recovery
mechanisms were superior.
Notable issues with the `rtsx_usb` driver include delayed S3 entry until
`mmc_rescan` was frozen and data corruption on SDR104 cards. Over 100 bugs
related to the `rtsx_usb` driver are reported on Bugzilla, with additional
reports downstream. As a result, several forks of `rts5139` exist on
GitHub and other repositories, which users rely on to mitigate these
problems.
Reintroducing `rts5139` addresses these deficiencies until the current
`rtsx_usb` driver achieves feature parity and stability.
Fixes: 00d8521dcd23 ("staging: remove rts5139 driver code")
Cc: stable(a)vger.kernel.org
Cc: Arnd Bergmann <arnd(a)arndb.de>
Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Sean Rhodes <sean(a)starlabs.systems>
---
drivers/staging/Kconfig | 2 +
drivers/staging/Makefile | 1 +
drivers/staging/rts5139/Kconfig | 16 +
drivers/staging/rts5139/Makefile | 43 +
drivers/staging/rts5139/TODO | 9 +
drivers/staging/rts5139/debug.h | 46 +
drivers/staging/rts5139/ms.c | 4182 ++++++++++++++++++++
drivers/staging/rts5139/ms.h | 261 ++
drivers/staging/rts5139/ms_mg.c | 643 +++
drivers/staging/rts5139/ms_mg.h | 42 +
drivers/staging/rts5139/rts51x.c | 846 ++++
drivers/staging/rts5139/rts51x.h | 194 +
drivers/staging/rts5139/rts51x_card.c | 940 +++++
drivers/staging/rts5139/rts51x_card.h | 870 ++++
drivers/staging/rts5139/rts51x_chip.c | 1014 +++++
drivers/staging/rts5139/rts51x_chip.h | 821 ++++
drivers/staging/rts5139/rts51x_fop.c | 295 ++
drivers/staging/rts5139/rts51x_fop.h | 57 +
drivers/staging/rts5139/rts51x_scsi.c | 2135 ++++++++++
drivers/staging/rts5139/rts51x_scsi.h | 154 +
drivers/staging/rts5139/rts51x_transport.c | 738 ++++
drivers/staging/rts5139/rts51x_transport.h | 67 +
drivers/staging/rts5139/sd.c | 3274 +++++++++++++++
drivers/staging/rts5139/sd.h | 275 ++
drivers/staging/rts5139/sd_cprm.c | 1056 +++++
drivers/staging/rts5139/sd_cprm.h | 54 +
drivers/staging/rts5139/trace.h | 95 +
drivers/staging/rts5139/xd.c | 2145 ++++++++++
drivers/staging/rts5139/xd.h | 191 +
29 files changed, 20466 insertions(+)
create mode 100644 drivers/staging/rts5139/Kconfig
create mode 100644 drivers/staging/rts5139/Makefile
create mode 100644 drivers/staging/rts5139/TODO
create mode 100644 drivers/staging/rts5139/debug.h
create mode 100644 drivers/staging/rts5139/ms.c
create mode 100644 drivers/staging/rts5139/ms.h
create mode 100644 drivers/staging/rts5139/ms_mg.c
create mode 100644 drivers/staging/rts5139/ms_mg.h
create mode 100644 drivers/staging/rts5139/rts51x.c
create mode 100644 drivers/staging/rts5139/rts51x.h
create mode 100644 drivers/staging/rts5139/rts51x_card.c
create mode 100644 drivers/staging/rts5139/rts51x_card.h
create mode 100644 drivers/staging/rts5139/rts51x_chip.c
create mode 100644 drivers/staging/rts5139/rts51x_chip.h
create mode 100644 drivers/staging/rts5139/rts51x_fop.c
create mode 100644 drivers/staging/rts5139/rts51x_fop.h
create mode 100644 drivers/staging/rts5139/rts51x_scsi.c
create mode 100644 drivers/staging/rts5139/rts51x_scsi.h
create mode 100644 drivers/staging/rts5139/rts51x_transport.c
create mode 100644 drivers/staging/rts5139/rts51x_transport.h
create mode 100644 drivers/staging/rts5139/sd.c
create mode 100644 drivers/staging/rts5139/sd.h
create mode 100644 drivers/staging/rts5139/sd_cprm.c
create mode 100644 drivers/staging/rts5139/sd_cprm.h
create mode 100644 drivers/staging/rts5139/trace.h
create mode 100644 drivers/staging/rts5139/xd.c
create mode 100644 drivers/staging/rts5139/xd.h
diff --git a/drivers/staging/Kconfig b/drivers/staging/Kconfig
index 3fb68d60dfc1..732afa01a31e 100644
--- a/drivers/staging/Kconfig
+++ b/drivers/staging/Kconfig
@@ -32,6 +32,8 @@ source "drivers/staging/rtl8723bs/Kconfig"
source "drivers/staging/rtl8712/Kconfig"
+source "drivers/staging/rts5139/Kconfig"
+
source "drivers/staging/rts5208/Kconfig"
source "drivers/staging/octeon/Kconfig"
diff --git a/drivers/staging/Makefile b/drivers/staging/Makefile
index c977aa13fad4..9212c4a003f8 100644
--- a/drivers/staging/Makefile
+++ b/drivers/staging/Makefile
@@ -6,6 +6,7 @@ obj-$(CONFIG_FB_OLPC_DCON) += olpc_dcon/
obj-$(CONFIG_RTL8192E) += rtl8192e/
obj-$(CONFIG_RTL8723BS) += rtl8723bs/
obj-$(CONFIG_R8712U) += rtl8712/
+obj-$(CONFIG_RTS5139) += rts5139/
obj-$(CONFIG_RTS5208) += rts5208/
obj-$(CONFIG_OCTEON_ETHERNET) += octeon/
obj-$(CONFIG_VT6655) += vt6655/
diff --git a/drivers/staging/rts5139/Kconfig b/drivers/staging/rts5139/Kconfig
new file mode 100644
index 000000000000..afd526bf422a
--- /dev/null
+++ b/drivers/staging/rts5139/Kconfig
@@ -0,0 +1,16 @@
+config RTS5139
+ tristate "Realtek RTS5139 USB card reader support"
+ depends on USB && SCSI
+ help
+ Say Y here to include driver code to support the Realtek
+ RTS5139 USB card readers.
+
+ If this driver is compiled as a module, it will be named rts5139.
+
+config RTS5139_DEBUG
+ bool "Realtek RTS5139 Card Reader verbose debug"
+ depends on RTS5139
+ help
+ Say Y here in order to have the rts5139 code generate
+ verbose debugging messages.
+
diff --git a/drivers/staging/rts5139/Makefile b/drivers/staging/rts5139/Makefile
new file mode 100644
index 000000000000..75dd31224e62
--- /dev/null
+++ b/drivers/staging/rts5139/Makefile
@@ -0,0 +1,43 @@
+# Driver for Realtek RTS51xx USB card reader
+#
+# Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2, or (at your option) any
+# later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# Author:
+# wwang (wei_wang(a)realsil.com.cn)
+# No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+# Maintainer:
+# Edwin Rong (edwin_rong(a)realsil.com.cn)
+# No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+#
+# Makefile for the RTS51xx USB Card Reader drivers.
+#
+
+obj-$(CONFIG_RTS5139) := rts5139.o
+
+ccflags-y := -Idrivers/scsi
+
+rts5139-y := \
+ rts51x_transport.o \
+ rts51x_scsi.o \
+ rts51x_fop.o \
+ rts51x.o \
+ rts51x_chip.o \
+ rts51x_card.o \
+ xd.o \
+ sd.o \
+ ms.o \
+ sd_cprm.o \
+ ms_mg.o
diff --git a/drivers/staging/rts5139/TODO b/drivers/staging/rts5139/TODO
new file mode 100644
index 000000000000..dd5fabb8ea70
--- /dev/null
+++ b/drivers/staging/rts5139/TODO
@@ -0,0 +1,9 @@
+TODO:
+- support more USB card reader of Realtek family
+- use kernel coding style
+- checkpatch.pl fixes
+- stop having thousands of lines of code duplicated with staging/rts_pstor
+- This driver contains an entire SD/MMC stack -- it should use the stack in
+ drivers/mmc instead, as a host driver e.g. drivers/mmc/host/realtek-usb.c;
+ see drivers/mmc/host/ushc.c as an example.
+- This driver presents cards as SCSI devices, but they should be MMC devices.
diff --git a/drivers/staging/rts5139/debug.h b/drivers/staging/rts5139/debug.h
new file mode 100644
index 000000000000..73dec133a1bf
--- /dev/null
+++ b/drivers/staging/rts5139/debug.h
@@ -0,0 +1,46 @@
+/* Driver for Realtek RTS51xx USB card reader
+ * Header file
+ *
+ * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author:
+ * wwang (wei_wang(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ * Maintainer:
+ * Edwin Rong (edwin_rong(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ */
+
+#ifndef __RTS51X_DEBUG_H
+#define __RTS51X_DEBUG_H
+
+#include <linux/kernel.h>
+
+#define RTS51X_TIP "rts51x: "
+
+#ifdef CONFIG_RTS5139_DEBUG
+#define RTS51X_DEBUGP(x...) printk(KERN_DEBUG RTS51X_TIP x)
+#define RTS51X_DEBUGPN(x...) printk(KERN_DEBUG x)
+#define RTS51X_DEBUGPX(x...) printk(x)
+#define RTS51X_DEBUG(x) x
+#else
+#define RTS51X_DEBUGP(x...)
+#define RTS51X_DEBUGPN(x...)
+#define RTS51X_DEBUGPX(x...)
+#define RTS51X_DEBUG(x)
+#endif
+
+#endif /* __RTS51X_DEBUG_H */
diff --git a/drivers/staging/rts5139/ms.c b/drivers/staging/rts5139/ms.c
new file mode 100644
index 000000000000..a843a2f4392b
--- /dev/null
+++ b/drivers/staging/rts5139/ms.c
@@ -0,0 +1,4182 @@
+/* Driver for Realtek RTS51xx USB card reader
+ *
+ * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author:
+ * wwang (wei_wang(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ * Maintainer:
+ * Edwin Rong (edwin_rong(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ */
+
+#include <linux/blkdev.h>
+#include <linux/kthread.h>
+#include <linux/sched.h>
+#include <linux/slab.h>
+#include <linux/vmalloc.h>
+
+#include "debug.h"
+#include "trace.h"
+#include "rts51x.h"
+#include "rts51x_transport.h"
+#include "rts51x_scsi.h"
+#include "rts51x_card.h"
+#include "ms.h"
+#include "ms_mg.h"
+
+static inline void ms_set_err_code(struct rts51x_chip *chip, u8 err_code)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+
+ ms_card->err_code = err_code;
+}
+
+static inline int ms_check_err_code(struct rts51x_chip *chip, u8 err_code)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+
+ return ms_card->err_code == err_code;
+}
+
+static int ms_parse_err_code(struct rts51x_chip *chip)
+{
+ TRACE_RET(chip, STATUS_FAIL);
+}
+
+static int ms_transfer_tpc(struct rts51x_chip *chip, u8 trans_mode, u8 tpc,
+ u8 cnt, u8 cfg)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval;
+
+ RTS51X_DEBUGP("ms_transfer_tpc: tpc = 0x%x\n", tpc);
+
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TPC, 0xFF, tpc);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_BYTE_CNT, 0xFF, cnt);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANS_CFG, 0xFF, cfg);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01,
+ PINGPONG_BUFFER);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANSFER, 0xFF,
+ MS_TRANSFER_START | trans_mode);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, MS_TRANSFER, MS_TRANSFER_END,
+ MS_TRANSFER_END);
+
+ rts51x_add_cmd(chip, READ_REG_CMD, MS_TRANS_CFG, 0, 0);
+
+ retval = rts51x_send_cmd(chip, MODE_CR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = rts51x_get_rsp(chip, 2, 5000);
+ if (CHECK_MS_TRANS_FAIL(chip, retval)) {
+ rts51x_clear_ms_error(chip);
+ ms_set_err_code(chip, MS_TO_ERROR);
+ TRACE_RET(chip, ms_parse_err_code(chip));
+ }
+
+ if (!(tpc & 0x08)) { /* Read Packet */
+ /* Check CRC16 & Ready Timeout */
+ if (chip->rsp_buf[1] & MS_CRC16_ERR) {
+ ms_set_err_code(chip, MS_CRC16_ERROR);
+ TRACE_RET(chip, ms_parse_err_code(chip));
+ }
+ } else { /* Write Packet */
+ if (CHK_MSPRO(ms_card) && !(chip->rsp_buf[1] & 0x80)) {
+ if (chip->rsp_buf[1] & (MS_INT_ERR | MS_INT_CMDNK)) {
+ ms_set_err_code(chip, MS_CMD_NK);
+ TRACE_RET(chip, ms_parse_err_code(chip));
+ }
+ }
+ }
+
+ /* Check Timeout of Ready Signal */
+ if (chip->rsp_buf[1] & MS_RDY_TIMEOUT) {
+ rts51x_clear_ms_error(chip);
+ ms_set_err_code(chip, MS_TO_ERROR);
+ TRACE_RET(chip, ms_parse_err_code(chip));
+ }
+
+ return STATUS_SUCCESS;
+}
+
+int ms_transfer_data(struct rts51x_chip *chip, u8 trans_mode, u8 tpc,
+ u16 sec_cnt, u8 cfg, int mode_2k, int use_sg, void *buf,
+ int buf_len)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval;
+ u8 val, err_code = 0, flag = 0;
+ enum dma_data_direction dir;
+ unsigned int pipe;
+
+ if (!buf || !buf_len)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ if (trans_mode == MS_TM_AUTO_READ) {
+ pipe = RCV_BULK_PIPE(chip);
+ dir = DMA_FROM_DEVICE;
+ flag = MODE_CDIR;
+ err_code = MS_FLASH_READ_ERROR;
+ } else if (trans_mode == MS_TM_AUTO_WRITE) {
+ pipe = SND_BULK_PIPE(chip);
+ dir = DMA_TO_DEVICE;
+ flag = MODE_CDOR;
+ err_code = MS_FLASH_WRITE_ERROR;
+ } else {
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TPC, 0xFF, tpc);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_SECTOR_CNT_H, 0xFF,
+ (u8) (sec_cnt >> 8));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_SECTOR_CNT_L, 0xFF,
+ (u8) sec_cnt);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANS_CFG, 0xFF, cfg);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01,
+ RING_BUFFER);
+
+ if (mode_2k)
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_CFG, MS_2K_SECTOR_MODE,
+ MS_2K_SECTOR_MODE);
+ else
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_CFG, MS_2K_SECTOR_MODE,
+ 0);
+
+ rts51x_trans_dma_enable(dir, chip, sec_cnt * 512, DMA_512);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANSFER, 0xFF,
+ MS_TRANSFER_START | trans_mode);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, MS_TRANSFER, MS_TRANSFER_END,
+ MS_TRANSFER_END);
+
+ retval = rts51x_send_cmd(chip, flag | STAGE_MS_STATUS, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval =
+ rts51x_transfer_data_rcc(chip, pipe, buf, buf_len, use_sg, NULL,
+ 15000, flag);
+ if (retval != STATUS_SUCCESS) {
+ ms_set_err_code(chip, err_code);
+ rts51x_clear_ms_error(chip);
+ TRACE_RET(chip, retval);
+ }
+
+ retval = rts51x_get_rsp(chip, 3, 15000);
+ if (CHECK_MS_TRANS_FAIL(chip, retval)) {
+ ms_set_err_code(chip, err_code);
+ rts51x_clear_ms_error(chip);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ ms_card->last_rw_int = val = chip->rsp_buf[1];
+ if (val & (MS_INT_CMDNK | MS_INT_ERR | MS_CRC16_ERR | MS_RDY_TIMEOUT))
+ TRACE_RET(chip, STATUS_FAIL);
+
+ return STATUS_SUCCESS;
+}
+
+int ms_write_bytes(struct rts51x_chip *chip, u8 tpc, u8 cnt, u8 cfg, u8 *data,
+ int data_len)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval, i;
+
+ if (!data || (data_len < cnt))
+ TRACE_RET(chip, STATUS_ERROR);
+
+ rts51x_init_cmd(chip);
+
+ for (i = 0; i < cnt; i++) {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, PPBUF_BASE2 + i, 0xFF,
+ data[i]);
+ }
+ if (cnt % 2)
+ rts51x_add_cmd(chip, WRITE_REG_CMD, PPBUF_BASE2 + i,
+ 0xFF, 0xFF);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TPC, 0xFF, tpc);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_BYTE_CNT, 0xFF, cnt);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANS_CFG, 0xFF, cfg);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01,
+ PINGPONG_BUFFER);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANSFER, 0xFF,
+ MS_TRANSFER_START | MS_TM_WRITE_BYTES);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, MS_TRANSFER, MS_TRANSFER_END,
+ MS_TRANSFER_END);
+
+ retval = rts51x_send_cmd(chip, MODE_CR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = rts51x_get_rsp(chip, 1, 5000);
+ if (CHECK_MS_TRANS_FAIL(chip, retval)) {
+ u8 val = 0;
+
+ rts51x_ep0_read_register(chip, MS_TRANS_CFG, &val);
+ RTS51X_DEBUGP("MS_TRANS_CFG: 0x%02x\n", val);
+
+ rts51x_clear_ms_error(chip);
+
+ if (!(tpc & 0x08)) { /* Read Packet */
+ /* Check CRC16 & Ready Timeout */
+ if (val & MS_CRC16_ERR) {
+ ms_set_err_code(chip, MS_CRC16_ERROR);
+ TRACE_RET(chip, ms_parse_err_code(chip));
+ }
+ } else { /* Write Packet */
+ if (CHK_MSPRO(ms_card) && !(val & 0x80)) {
+ if (val & (MS_INT_ERR | MS_INT_CMDNK)) {
+ ms_set_err_code(chip, MS_CMD_NK);
+ TRACE_RET(chip,
+ ms_parse_err_code(chip));
+ }
+ }
+ }
+
+ /* Check Timeout of Ready Signal */
+ if (val & MS_RDY_TIMEOUT) {
+ ms_set_err_code(chip, MS_TO_ERROR);
+ TRACE_RET(chip, ms_parse_err_code(chip));
+ }
+
+ ms_set_err_code(chip, MS_TO_ERROR);
+ TRACE_RET(chip, ms_parse_err_code(chip));
+ }
+
+ return STATUS_SUCCESS;
+}
+
+int ms_read_bytes(struct rts51x_chip *chip, u8 tpc, u8 cnt, u8 cfg, u8 *data,
+ int data_len)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval, i;
+
+ if (!data)
+ TRACE_RET(chip, STATUS_ERROR);
+
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TPC, 0xFF, tpc);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_BYTE_CNT, 0xFF, cnt);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANS_CFG, 0xFF, cfg);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01,
+ PINGPONG_BUFFER);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANSFER, 0xFF,
+ MS_TRANSFER_START | MS_TM_READ_BYTES);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, MS_TRANSFER, MS_TRANSFER_END,
+ MS_TRANSFER_END);
+
+ for (i = 0; i < data_len - 1; i++)
+ rts51x_add_cmd(chip, READ_REG_CMD, PPBUF_BASE2 + i, 0, 0);
+
+ if (data_len % 2)
+ rts51x_add_cmd(chip, READ_REG_CMD, PPBUF_BASE2 + data_len, 0,
+ 0);
+ else
+ rts51x_add_cmd(chip, READ_REG_CMD, PPBUF_BASE2 + data_len - 1,
+ 0, 0);
+
+ retval = rts51x_send_cmd(chip, MODE_CR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = rts51x_get_rsp(chip, data_len + 1, 5000);
+ if (CHECK_MS_TRANS_FAIL(chip, retval)) {
+ u8 val = 0;
+
+ rts51x_ep0_read_register(chip, MS_TRANS_CFG, &val);
+ RTS51X_DEBUGP("MS_TRANS_CFG: 0x%02x\n", val);
+
+ rts51x_clear_ms_error(chip);
+
+ if (!(tpc & 0x08)) { /* Read Packet */
+ /* Check CRC16 & Ready Timeout */
+ if (val & MS_CRC16_ERR) {
+ ms_set_err_code(chip, MS_CRC16_ERROR);
+ TRACE_RET(chip, ms_parse_err_code(chip));
+ }
+ } else { /* Write Packet */
+ if (CHK_MSPRO(ms_card) && !(val & 0x80)) {
+ if (val & (MS_INT_ERR | MS_INT_CMDNK)) {
+ ms_set_err_code(chip, MS_CMD_NK);
+ TRACE_RET(chip,
+ ms_parse_err_code(chip));
+ }
+ }
+ }
+
+ /* Check Timeout of Ready Signal */
+ if (val & MS_RDY_TIMEOUT) {
+ ms_set_err_code(chip, MS_TO_ERROR);
+ TRACE_RET(chip, ms_parse_err_code(chip));
+ }
+
+ ms_set_err_code(chip, MS_TO_ERROR);
+ TRACE_RET(chip, ms_parse_err_code(chip));
+ }
+
+ rts51x_read_rsp_buf(chip, 1, data, data_len);
+
+ return STATUS_SUCCESS;
+}
+
+int ms_set_rw_reg_addr(struct rts51x_chip *chip,
+ u8 read_start, u8 read_cnt, u8 write_start, u8 write_cnt)
+{
+ int retval, i;
+ u8 data[4];
+
+ data[0] = read_start;
+ data[1] = read_cnt;
+ data[2] = write_start;
+ data[3] = write_cnt;
+
+ for (i = 0; i < MS_MAX_RETRY_COUNT; i++) {
+ retval =
+ ms_write_bytes(chip, SET_RW_REG_ADRS, 4, NO_WAIT_INT, data,
+ 4);
+ if (retval == STATUS_SUCCESS)
+ return STATUS_SUCCESS;
+ rts51x_clear_ms_error(chip);
+ }
+
+ TRACE_RET(chip, STATUS_FAIL);
+}
+
+static int ms_send_cmd(struct rts51x_chip *chip, u8 cmd, u8 cfg)
+{
+ u8 data[2];
+
+ data[0] = cmd;
+ data[1] = 0;
+
+ return ms_write_bytes(chip, PRO_SET_CMD, 1, cfg, data, 1);
+}
+
+static int ms_set_cmd(struct rts51x_chip *chip,
+ u8 read_start, u8 read_count,
+ u8 write_start, u8 write_count,
+ u8 cmd, u8 cfg, u8 *data, int data_len, u8 *int_stat)
+{
+ int retval, i;
+ u8 val;
+
+ if (!data || (data_len <= 0) || (data_len > 128)) {
+ RTS51X_DEBUGP("ms_set_cmd (data_len = %d)\n", data_len);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ retval =
+ ms_set_rw_reg_addr(chip, read_start, read_count, write_start,
+ write_count);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ for (i = 0; i < MS_MAX_RETRY_COUNT; i++) {
+ retval =
+ ms_write_bytes(chip, WRITE_REG, write_count, NO_WAIT_INT,
+ data, data_len);
+ if (retval == STATUS_SUCCESS)
+ break;
+ }
+ if (i == MS_MAX_RETRY_COUNT)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ ms_set_err_code(chip, MS_NO_ERROR);
+
+ for (i = 0; i < MS_MAX_RETRY_COUNT; i++) {
+ retval = ms_send_cmd(chip, cmd, WAIT_INT);
+ if (retval == STATUS_SUCCESS)
+ break;
+ }
+ if (i == MS_MAX_RETRY_COUNT)
+ TRACE_RET(chip, STATUS_FAIL);
+ /* GET_INT Register */
+ ms_set_err_code(chip, MS_NO_ERROR);
+ retval = ms_read_bytes(chip, GET_INT, 1, NO_WAIT_INT, &val, 1);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (int_stat)
+ *int_stat = val;
+
+ return STATUS_SUCCESS;
+}
+
+#ifdef MS_SPEEDUP
+static int ms_auto_set_cmd(struct rts51x_chip *chip,
+ u8 read_start, u8 read_count,
+ u8 write_start, u8 write_count,
+ u8 cmd, u8 cfg, u8 *data, int data_len,
+ u8 *int_stat)
+{
+ int retval;
+ int i;
+
+ if (!data || (data_len <= 0) || (data_len > 128)) {
+ RTS51X_DEBUGP("ms_auto_set_cmd (data_len = %d)\n", data_len);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_READ_START, 0xFF, read_start);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_READ_COUNT, 0xFF, read_count);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_WRITE_START, 0xFF, write_start);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_WRITE_COUNT, 0xFF, write_count);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_COMMAND, 0xFF, cmd);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANS_CFG, 0xFF, cfg);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01,
+ PINGPONG_BUFFER);
+
+ for (i = 0; i < data_len; i++) {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, PPBUF_BASE2 + i, 0xFF,
+ data[i]);
+ }
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANSFER, 0xFF,
+ MS_TRANSFER_START | MS_TM_SET_CMD);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, MS_TRANSFER, MS_TRANSFER_END,
+ MS_TRANSFER_END);
+
+ retval = rts51x_send_cmd(chip, MODE_CR | STAGE_MS_STATUS, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = rts51x_get_rsp(chip, 3, 5000);
+
+ if (CHECK_MS_TRANS_FAIL(chip, retval)) {
+ rts51x_clear_ms_error(chip);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ if (int_stat)
+ *int_stat = chip->rsp_buf[2];
+
+ return STATUS_SUCCESS;
+}
+#endif
+
+static int ms_set_init_para(struct rts51x_chip *chip)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval;
+
+ if (CHK_HG8BIT(ms_card)) {
+ if (chip->asic_code)
+ ms_card->ms_clock = chip->option.asic_ms_hg_clk;
+ else
+ ms_card->ms_clock = chip->option.fpga_ms_hg_clk;
+ } else if (CHK_MSPRO(ms_card) || CHK_MS4BIT(ms_card)) {
+ if (chip->asic_code)
+ ms_card->ms_clock = chip->option.asic_ms_4bit_clk;
+ else
+ ms_card->ms_clock = chip->option.fpga_ms_4bit_clk;
+ } else {
+ if (chip->asic_code)
+ ms_card->ms_clock = 38;
+ else
+ ms_card->ms_clock = CLK_40;
+ }
+
+ retval = switch_clock(chip, ms_card->ms_clock);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = rts51x_select_card(chip, MS_CARD);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ return STATUS_SUCCESS;
+}
+
+int ms_switch_clock(struct rts51x_chip *chip)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval;
+
+ retval = rts51x_select_card(chip, MS_CARD);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = switch_clock(chip, ms_card->ms_clock);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ return STATUS_SUCCESS;
+}
+
+static void ms_pull_ctl_disable(struct rts51x_chip *chip)
+{
+ if (CHECK_PKG(chip, LQFP48)) {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0x95);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0xA5);
+ } else {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0x65);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0x95);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x56);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0x59);
+ }
+}
+
+static void ms_pull_ctl_enable(struct rts51x_chip *chip)
+{
+ if (CHECK_PKG(chip, LQFP48)) {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0x95);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0xA5);
+ } else {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0x65);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0x95);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0x59);
+ }
+}
+
+static int ms_prepare_reset(struct rts51x_chip *chip)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval;
+
+ ms_card->ms_type = 0;
+ ms_card->check_ms_flow = 0;
+ ms_card->switch_8bit_fail = 0;
+ ms_card->delay_write.delay_write_flag = 0;
+
+ ms_card->pro_under_formatting = 0;
+
+ rts51x_init_cmd(chip);
+
+ if (chip->asic_code) {
+ ms_pull_ctl_enable(chip);
+ } else {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, FPGA_PULL_CTL,
+ FPGA_MS_PULL_CTL_BIT | 0x20, 0);
+ }
+ /* Tri-state MS output */
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_OE, MS_OUTPUT_EN, 0);
+
+ if (!chip->option.FT2_fast_mode) {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL, POWER_MASK,
+ POWER_OFF);
+ }
+
+ retval = rts51x_send_cmd(chip, MODE_C, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (!chip->option.FT2_fast_mode) {
+ wait_timeout(250);
+
+ rts51x_card_power_on(chip, MS_CARD);
+ wait_timeout(150);
+
+#ifdef SUPPORT_OCP
+ rts51x_get_card_status(chip, &(chip->card_status));
+ /* get OCP status */
+ chip->ocp_stat = (chip->card_status >> 4) & 0x03;
+
+ if (chip->ocp_stat & (MS_OCP_NOW | MS_OCP_EVER)) {
+ RTS51X_DEBUGP("Over current, OCPSTAT is 0x%x\n",
+ chip->ocp_stat);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+#endif
+ }
+
+ rts51x_init_cmd(chip);
+
+ /* Enable MS Output */
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_OE, MS_OUTPUT_EN,
+ MS_OUTPUT_EN);
+
+ /* Reset Registers */
+ if (chip->asic_code)
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_CFG, 0xFF,
+ SAMPLE_TIME_RISING | PUSH_TIME_DEFAULT |
+ NO_EXTEND_TOGGLE | MS_BUS_WIDTH_1);
+ else
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_CFG, 0xFF,
+ SAMPLE_TIME_FALLING | PUSH_TIME_DEFAULT |
+ NO_EXTEND_TOGGLE | MS_BUS_WIDTH_1);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANS_CFG, 0xFF,
+ NO_WAIT_INT | NO_AUTO_READ_INT_REG);
+
+ retval = rts51x_send_cmd(chip, MODE_C, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ return ms_set_init_para(chip);
+}
+
+static int ms_identify_media_type(struct rts51x_chip *chip, int switch_8bit_bus)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval, i;
+ u8 val;
+
+ retval = ms_set_rw_reg_addr(chip, Pro_StatusReg, 6, SystemParm, 1);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ /* Get Register form MS-PRO card */
+ for (i = 0; i < MS_MAX_RETRY_COUNT; i++) {
+ retval =
+ ms_transfer_tpc(chip, MS_TM_READ_BYTES, READ_REG, 6,
+ NO_WAIT_INT);
+ if (retval == STATUS_SUCCESS)
+ break;
+ }
+ if (i == MS_MAX_RETRY_COUNT)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ RTS51X_READ_REG(chip, PPBUF_BASE2 + 2, &val);
+ RTS51X_DEBUGP("Type register: 0x%x\n", val);
+ if (val != 0x01) {
+ if (val != 0x02)
+ ms_card->check_ms_flow = 1;
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ /* Category Register */
+ RTS51X_READ_REG(chip, PPBUF_BASE2 + 4, &val);
+ RTS51X_DEBUGP("Category register: 0x%x\n", val);
+ if (val != 0) {
+ ms_card->check_ms_flow = 1;
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ /* Class Register */
+ RTS51X_READ_REG(chip, PPBUF_BASE2 + 5, &val);
+ RTS51X_DEBUGP("Class register: 0x%x\n", val);
+ if (val == 0) {
+ RTS51X_READ_REG(chip, PPBUF_BASE2, &val);
+ if (val & WRT_PRTCT)
+ chip->card_wp |= MS_CARD;
+ else
+ chip->card_wp &= ~MS_CARD;
+ } else if ((val == 0x01) || (val == 0x02) || (val == 0x03)) {
+ chip->card_wp |= MS_CARD;
+ } else {
+ ms_card->check_ms_flow = 1;
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ ms_card->ms_type |= TYPE_MSPRO;
+
+ /* Check MSPro-HG Card, use IF Mode Register to distinguish */
+ RTS51X_READ_REG(chip, PPBUF_BASE2 + 3, &val);
+ RTS51X_DEBUGP("IF Mode register: 0x%x\n", val);
+ if (val == 0) {
+ ms_card->ms_type &= 0x0F;
+ } else if (val == 7) {
+ if (switch_8bit_bus)
+ ms_card->ms_type |= MS_HG;
+ else
+ ms_card->ms_type &= 0x0F;
+ } else {
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ /* end Procedure to identify Media Type */
+ return STATUS_SUCCESS;
+}
+
+static int ms_confirm_cpu_startup(struct rts51x_chip *chip)
+{
+ int retval, i, k;
+ u8 val;
+
+ /* Confirm CPU StartUp */
+ k = 0;
+ do {
+ if (monitor_card_cd(chip, MS_CARD) == CD_NOT_EXIST)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ for (i = 0; i < MS_MAX_RETRY_COUNT; i++) {
+ retval =
+ ms_read_bytes(chip, GET_INT, 1, NO_WAIT_INT, &val,
+ 1);
+ if (retval == STATUS_SUCCESS)
+ break;
+ }
+ if (i == MS_MAX_RETRY_COUNT)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ if (k > 100)
+ TRACE_RET(chip, STATUS_FAIL);
+ k++;
+ wait_timeout(100);
+ } while (!(val & INT_REG_CED));
+
+ for (i = 0; i < MS_MAX_RETRY_COUNT; i++) {
+ retval = ms_read_bytes(chip, GET_INT, 1, NO_WAIT_INT, &val, 1);
+ if (retval == STATUS_SUCCESS)
+ break;
+ }
+ if (i == MS_MAX_RETRY_COUNT)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ if (val & INT_REG_ERR) {
+ if (val & INT_REG_CMDNK) { /* CMDNK = 1 */
+ chip->card_wp |= (MS_CARD);
+ } else { /* CMDNK = 0 */
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+ /*-- end confirm CPU startup */
+
+ return STATUS_SUCCESS;
+}
+
+static int ms_switch_parallel_bus(struct rts51x_chip *chip)
+{
+ int retval, i;
+ u8 data[2];
+
+ data[0] = PARALLEL_4BIT_IF;
+ data[1] = 0;
+ for (i = 0; i < MS_MAX_RETRY_COUNT; i++) {
+ retval =
+ ms_write_bytes(chip, WRITE_REG, 1, NO_WAIT_INT, data, 2);
+ if (retval == STATUS_SUCCESS)
+ break;
+ }
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ return STATUS_SUCCESS;
+}
+
+static int ms_switch_8bit_bus(struct rts51x_chip *chip)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval, i;
+ u8 data[2];
+
+ data[0] = PARALLEL_8BIT_IF;
+ data[1] = 0;
+ for (i = 0; i < MS_MAX_RETRY_COUNT; i++) {
+ retval =
+ ms_write_bytes(chip, WRITE_REG, 1, NO_WAIT_INT, data, 2);
+ if (retval == STATUS_SUCCESS)
+ break;
+ }
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ RTS51X_WRITE_REG(chip, MS_CFG, 0x98,
+ MS_BUS_WIDTH_8 | SAMPLE_TIME_FALLING);
+ ms_card->ms_type |= MS_8BIT;
+
+ retval = ms_set_init_para(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ for (i = 0; i < MS_MAX_RETRY_COUNT; i++) {
+ retval =
+ ms_transfer_tpc(chip, MS_TM_READ_BYTES, GET_INT, 1,
+ NO_WAIT_INT);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int ms_pro_reset_flow(struct rts51x_chip *chip, int switch_8bit_bus)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval, i;
+
+ for (i = 0; i < 3; i++) {
+ retval = ms_prepare_reset(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = ms_identify_media_type(chip, switch_8bit_bus);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = ms_confirm_cpu_startup(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = ms_switch_parallel_bus(chip);
+ if (retval != STATUS_SUCCESS) {
+ if (monitor_card_cd(chip, MS_CARD) == CD_NOT_EXIST)
+ TRACE_RET(chip, STATUS_FAIL);
+ continue;
+ } else {
+ break;
+ }
+ }
+
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ RTS51X_WRITE_REG(chip, MS_CFG, 0x18, MS_BUS_WIDTH_4);
+
+ RTS51X_WRITE_REG(chip, MS_CFG, PUSH_TIME_ODD, PUSH_TIME_ODD);
+
+ retval = ms_set_init_para(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (CHK_MSHG(ms_card) && switch_8bit_bus) {
+ retval = ms_switch_8bit_bus(chip);
+ if (retval != STATUS_SUCCESS) {
+ ms_card->switch_8bit_fail = 1;
+ TRACE_RET(chip, retval);
+ }
+ }
+
+ return STATUS_SUCCESS;
+}
+
+#ifdef XC_POWERCLASS
+static int msxc_change_power(struct rts51x_chip *chip, u8 mode)
+{
+ int retval;
+ u8 buf[6];
+
+ rts51x_ms_cleanup_work(chip);
+
+ /* Set Parameter Register */
+ retval = ms_set_rw_reg_addr(chip, 0, 0, Pro_DataCount1, 6);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ buf[0] = 0;
+ buf[1] = mode;
+ buf[2] = 0;
+ buf[3] = 0;
+ buf[4] = 0;
+ buf[5] = 0;
+
+ retval = ms_write_bytes(chip, PRO_WRITE_REG, 6, NO_WAIT_INT, buf, 6);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = ms_send_cmd(chip, XC_CHG_POWER, WAIT_INT);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ RTS51X_READ_REG(chip, MS_TRANS_CFG, buf);
+ if (buf[0] & (MS_INT_CMDNK | MS_INT_ERR))
+ TRACE_RET(chip, STATUS_FAIL);
+
+ return STATUS_SUCCESS;
+}
+#endif
+
+static int ms_read_attribute_info(struct rts51x_chip *chip)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval, i;
+ u8 val, *buf, class_code, device_type, sub_class, data[16];
+ u16 total_blk = 0, blk_size = 0;
+#ifdef SUPPORT_MSXC
+ u32 xc_total_blk = 0, xc_blk_size = 0;
+#endif
+ u32 sys_info_addr = 0, sys_info_size;
+#ifdef SUPPORT_PCGL_1P18
+ u32 model_name_addr = 0, model_name_size;
+ int found_sys_info = 0, found_model_name = 0;
+#endif
+
+ retval = ms_set_rw_reg_addr(chip, Pro_IntReg, 2, Pro_SystemParm, 7);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (CHK_MS8BIT(ms_card))
+ data[0] = PARALLEL_8BIT_IF;
+ else
+ data[0] = PARALLEL_4BIT_IF;
+ data[1] = 0;
+
+ data[2] = 0x40;
+ data[3] = 0;
+ data[4] = 0;
+ data[5] = 0;
+ /* Start address 0 */
+ data[6] = 0;
+ data[7] = 0;
+
+ for (i = 0; i < MS_MAX_RETRY_COUNT; i++) {
+ retval =
+ ms_write_bytes(chip, PRO_WRITE_REG, 7, NO_WAIT_INT, data,
+ 8);
+ if (retval == STATUS_SUCCESS)
+ break;
+ }
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ buf = kmalloc(64 * 512, GFP_KERNEL);
+ if (buf == NULL)
+ TRACE_RET(chip, STATUS_NOMEM);
+
+ for (i = 0; i < MS_MAX_RETRY_COUNT; i++) {
+ retval = ms_send_cmd(chip, PRO_READ_ATRB, WAIT_INT);
+ if (retval != STATUS_SUCCESS)
+ continue;
+
+ retval = rts51x_read_register(chip, MS_TRANS_CFG, &val);
+ if (retval != STATUS_SUCCESS) {
+ kfree(buf);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ if (!(val & MS_INT_BREQ)) {
+ kfree(buf);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ retval =
+ ms_transfer_data(chip, MS_TM_AUTO_READ, PRO_READ_LONG_DATA,
+ 0x40, WAIT_INT, 0, 0, buf, 64 * 512);
+ if (retval == STATUS_SUCCESS)
+ break;
+ else
+ rts51x_clear_ms_error(chip);
+ }
+ if (retval != STATUS_SUCCESS) {
+ kfree(buf);
+ TRACE_RET(chip, retval);
+ }
+
+ i = 0;
+ do {
+ retval = rts51x_read_register(chip, MS_TRANS_CFG, &val);
+ if (retval != STATUS_SUCCESS) {
+ kfree(buf);
+ TRACE_RET(chip, retval);
+ }
+
+ if ((val & MS_INT_CED) || !(val & MS_INT_BREQ))
+ break;
+
+ retval =
+ ms_transfer_tpc(chip, MS_TM_NORMAL_READ, PRO_READ_LONG_DATA,
+ 0, WAIT_INT);
+ if (retval != STATUS_SUCCESS) {
+ kfree(buf);
+ TRACE_RET(chip, retval);
+ }
+
+ i++;
+ } while (i < 1024);
+
+ if (retval != STATUS_SUCCESS) {
+ kfree(buf);
+ TRACE_RET(chip, retval);
+ }
+
+ if ((buf[0] != 0xa5) && (buf[1] != 0xc3)) {
+ /* Signature code is wrong */
+ kfree(buf);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ if ((buf[4] < 1) || (buf[4] > 12)) {
+ kfree(buf);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ for (i = 0; i < buf[4]; i++) {
+ int cur_addr_off = 16 + i * 12;
+
+#ifdef SUPPORT_MSXC
+ if ((buf[cur_addr_off + 8] == 0x10)
+ || (buf[cur_addr_off + 8] == 0x13)) {
+#else
+ if (buf[cur_addr_off + 8] == 0x10) {
+#endif
+ sys_info_addr = ((u32) buf[cur_addr_off + 0] << 24) |
+ ((u32) buf[cur_addr_off + 1] << 16) |
+ ((u32) buf[cur_addr_off + 2] << 8) |
+ buf[cur_addr_off + 3];
+ sys_info_size =
+ ((u32) buf[cur_addr_off + 4] << 24) |
+ ((u32) buf[cur_addr_off + 5] << 16) |
+ ((u32) buf[cur_addr_off + 6] << 8) |
+ buf[cur_addr_off + 7];
+ RTS51X_DEBUGP("sys_info_addr = 0x%x, sys_info_size = 0x%x\n",
+ sys_info_addr, sys_info_size);
+ if (sys_info_size != 96) {
+ kfree(buf);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ if (sys_info_addr < 0x1A0) {
+ kfree(buf);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ if ((sys_info_size + sys_info_addr) > 0x8000) {
+ kfree(buf);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+#ifdef SUPPORT_MSXC
+ if (buf[cur_addr_off + 8] == 0x13)
+ ms_card->ms_type |= MS_XC;
+#endif
+#ifdef SUPPORT_PCGL_1P18
+ found_sys_info = 1;
+#else
+ break;
+#endif
+ }
+#ifdef SUPPORT_PCGL_1P18
+ if (buf[cur_addr_off + 8] == 0x15) {
+ model_name_addr = ((u32) buf[cur_addr_off + 0] << 24) |
+ ((u32) buf[cur_addr_off + 1] << 16) |
+ ((u32) buf[cur_addr_off + 2] << 8) |
+ buf[cur_addr_off + 3];
+ model_name_size =
+ ((u32) buf[cur_addr_off + 4] << 24) |
+ ((u32) buf[cur_addr_off + 5] << 16) |
+ ((u32) buf[cur_addr_off + 6] << 8) |
+ buf[cur_addr_off + 7];
+ RTS51X_DEBUGP("model_name_addr = 0x%x, model_name_size = 0x%x\n",
+ model_name_addr, model_name_size);
+ if (model_name_size != 48) {
+ kfree(buf);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ if (model_name_addr < 0x1A0) {
+ kfree(buf);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ if ((model_name_size + model_name_addr) > 0x8000) {
+ kfree(buf);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ found_model_name = 1;
+ }
+
+ if (found_sys_info && found_model_name)
+ break;
+#endif
+ }
+
+ if (i == buf[4]) {
+ kfree(buf);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ class_code = buf[sys_info_addr + 0];
+ device_type = buf[sys_info_addr + 56];
+ sub_class = buf[sys_info_addr + 46];
+#ifdef SUPPORT_MSXC
+ if (CHK_MSXC(ms_card)) {
+ xc_total_blk = ((u32) buf[sys_info_addr + 6] << 24) |
+ ((u32) buf[sys_info_addr + 7] << 16) |
+ ((u32) buf[sys_info_addr + 8] << 8) |
+ buf[sys_info_addr + 9];
+ xc_blk_size = ((u32) buf[sys_info_addr + 32] << 24) |
+ ((u32) buf[sys_info_addr + 33] << 16) |
+ ((u32) buf[sys_info_addr + 34] << 8) |
+ buf[sys_info_addr + 35];
+ RTS51X_DEBUGP("xc_total_blk = 0x%x, xc_blk_size = 0x%x\n",
+ xc_total_blk, xc_blk_size);
+ } else {
+ total_blk =
+ ((u16) buf[sys_info_addr + 6] << 8) | buf[sys_info_addr +
+ 7];
+ blk_size =
+ ((u16) buf[sys_info_addr + 2] << 8) | buf[sys_info_addr +
+ 3];
+ RTS51X_DEBUGP("total_blk = 0x%x, blk_size = 0x%x\n", total_blk,
+ blk_size);
+ }
+#else
+ total_blk =
+ ((u16) buf[sys_info_addr + 6] << 8) | buf[sys_info_addr + 7];
+ blk_size = ((u16) buf[sys_info_addr + 2] << 8) | buf[sys_info_addr + 3];
+ RTS51X_DEBUGP("total_blk = 0x%x, blk_size = 0x%x\n", total_blk,
+ blk_size);
+#endif
+
+ RTS51X_DEBUGP("class_code = 0x%x, device_type = 0x%x,"
+ "sub_class = 0x%x\n",
+ class_code, device_type, sub_class);
+
+ memcpy(ms_card->raw_sys_info, buf + sys_info_addr, 96);
+#ifdef SUPPORT_PCGL_1P18
+ memcpy(ms_card->raw_model_name, buf + model_name_addr, 48);
+#endif
+
+ kfree(buf);
+
+ /* Confirm System Information */
+#ifdef SUPPORT_MSXC
+ if (CHK_MSXC(ms_card)) {
+ if (class_code != 0x03)
+ TRACE_RET(chip, STATUS_FAIL);
+ } else {
+ if (class_code != 0x02)
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+#else
+ if (class_code != 0x02)
+ TRACE_RET(chip, STATUS_FAIL);
+#endif
+
+ if (device_type != 0x00) {
+ if ((device_type == 0x01) || (device_type == 0x02)
+ || (device_type == 0x03))
+ chip->card_wp |= MS_CARD;
+ else
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ if (sub_class & 0xC0)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ RTS51X_DEBUGP("class_code: 0x%x, device_type: 0x%x, sub_class: 0x%x\n",
+ class_code, device_type, sub_class);
+
+#ifdef SUPPORT_MSXC
+ if (CHK_MSXC(ms_card)) {
+ chip->capacity[chip->card2lun[MS_CARD]] = ms_card->capacity =
+ xc_total_blk * xc_blk_size;
+ } else {
+ chip->capacity[chip->card2lun[MS_CARD]] = ms_card->capacity =
+ total_blk * blk_size;
+ }
+#else
+ chip->capacity[chip->card2lun[MS_CARD]] = ms_card->capacity =
+ total_blk * blk_size;
+#endif
+
+ return STATUS_SUCCESS;
+}
+
+static int reset_ms_pro(struct rts51x_chip *chip)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval;
+#ifdef XC_POWERCLASS
+ u8 change_power_class = 2;
+#endif
+
+#ifdef XC_POWERCLASS
+Retry:
+#endif
+ retval = ms_pro_reset_flow(chip, 1);
+ if (retval != STATUS_SUCCESS) {
+ if (ms_card->switch_8bit_fail) {
+ retval = ms_pro_reset_flow(chip, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ } else {
+ TRACE_RET(chip, retval);
+ }
+ }
+
+ retval = ms_read_attribute_info(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+#ifdef XC_POWERCLASS
+ if (CHK_HG8BIT(ms_card))
+ change_power_class = 0;
+
+ if (change_power_class && CHK_MSXC(ms_card)) {
+ u8 power_class_mode = (ms_card->raw_sys_info[46] & 0x18) >> 3;
+ RTS51X_DEBUGP("power_class_mode = 0x%x", power_class_mode);
+ if (change_power_class > power_class_mode)
+ change_power_class = power_class_mode;
+ if (change_power_class) {
+ retval = msxc_change_power(chip, change_power_class);
+ if (retval != STATUS_SUCCESS) {
+ change_power_class--;
+ goto Retry;
+ }
+ }
+ }
+#endif
+
+#ifdef SUPPORT_MAGIC_GATE
+ retval = rts51x_mg_set_tpc_para_sub(chip, 0, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+#endif
+
+ if (CHK_HG8BIT(ms_card))
+ chip->card_bus_width[chip->card2lun[MS_CARD]] = 8;
+ else
+ chip->card_bus_width[chip->card2lun[MS_CARD]] = 4;
+
+ return STATUS_SUCCESS;
+}
+
+static int ms_read_status_reg(struct rts51x_chip *chip)
+{
+ int retval;
+ u8 val[2];
+
+ retval = ms_set_rw_reg_addr(chip, StatusReg0, 2, 0, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = ms_read_bytes(chip, READ_REG, 2, NO_WAIT_INT, val, 2);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ if (val[1] & (STS_UCDT | STS_UCEX | STS_UCFG)) {
+ ms_set_err_code(chip, MS_FLASH_READ_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int ms_check_boot_block(struct rts51x_chip *chip, u16 block_addr)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval;
+ u8 extra[MS_EXTRA_SIZE], data[10], val = 0;
+
+ if (CHK_MS4BIT(ms_card)) {
+ /* Parallel interface */
+ data[0] = 0x88;
+ } else {
+ /* Serial interface */
+ data[0] = 0x80;
+ }
+ /* Block Address */
+ data[1] = 0;
+ data[2] = (u8) (block_addr >> 8);
+ data[3] = (u8) block_addr;
+ /* Page Number
+ * Extra data access mode */
+ data[4] = 0x40;
+ data[5] = 0;
+
+ retval = ms_set_cmd(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm, 6,
+ BLOCK_READ, WAIT_INT, data, 6, &val);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (val & INT_REG_CMDNK) {
+ ms_set_err_code(chip, MS_CMD_NK);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ if (val & INT_REG_CED) {
+ if (val & INT_REG_ERR) {
+ retval = ms_read_status_reg(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ retval =
+ ms_set_rw_reg_addr(chip, OverwriteFlag,
+ MS_EXTRA_SIZE, SystemParm, 6);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+ }
+
+ retval =
+ ms_read_bytes(chip, READ_REG, MS_EXTRA_SIZE, NO_WAIT_INT, extra,
+ MS_EXTRA_SIZE);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (!(extra[0] & BLOCK_OK) || (extra[1] & NOT_BOOT_BLOCK))
+ TRACE_RET(chip, STATUS_FAIL);
+
+ return STATUS_SUCCESS;
+}
+
+static int ms_read_extra_data(struct rts51x_chip *chip,
+ u16 block_addr, u8 page_num, u8 *buf,
+ int buf_len)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval;
+ u8 val = 0, data[10];
+
+ if (CHK_MS4BIT(ms_card)) {
+ /* Parallel interface */
+ data[0] = 0x88;
+ } else {
+ /* Serial interface */
+ data[0] = 0x80;
+ }
+ /* Block Address */
+ data[1] = 0;
+ data[2] = (u8) (block_addr >> 8);
+ data[3] = (u8) block_addr;
+ /* Page Number
+ * Extra data access mode */
+ data[4] = 0x40;
+ data[5] = page_num;
+
+#ifdef MS_SPEEDUP
+ retval =
+ ms_auto_set_cmd(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm, 6,
+ BLOCK_READ, WAIT_INT, data, 6, &val);
+#else
+ retval = ms_set_cmd(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm, 6,
+ BLOCK_READ, WAIT_INT, data, 6, &val);
+#endif
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (val & INT_REG_CMDNK) {
+ ms_set_err_code(chip, MS_CMD_NK);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ if (val & INT_REG_CED) {
+ if (val & INT_REG_ERR) {
+ retval = ms_read_status_reg(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ retval =
+ ms_set_rw_reg_addr(chip, OverwriteFlag,
+ MS_EXTRA_SIZE, SystemParm, 6);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+ }
+
+ retval =
+ ms_read_bytes(chip, READ_REG, MS_EXTRA_SIZE, NO_WAIT_INT, data,
+ MS_EXTRA_SIZE);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (buf && buf_len) {
+ if (buf_len > MS_EXTRA_SIZE)
+ buf_len = MS_EXTRA_SIZE;
+ memcpy(buf, data, buf_len);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int ms_write_extra_data(struct rts51x_chip *chip,
+ u16 block_addr, u8 page_num, u8 *buf,
+ int buf_len)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval, i;
+ u8 val = 0, data[16];
+
+ if (!buf || (buf_len < MS_EXTRA_SIZE))
+ TRACE_RET(chip, STATUS_FAIL);
+ /* Write REG */
+ if (CHK_MS4BIT(ms_card)) {
+ /* Parallel interface */
+ data[0] = 0x88;
+ } else {
+ /* Serial interface */
+ data[0] = 0x80;
+ }
+ /* Block Address */
+ data[1] = 0;
+ data[2] = (u8) (block_addr >> 8);
+ data[3] = (u8) block_addr;
+ /* Page Number
+ * Extra data access mode */
+ data[4] = 0x40;
+ data[5] = page_num;
+
+ for (i = 6; i < MS_EXTRA_SIZE + 6; i++)
+ data[i] = buf[i - 6];
+
+#ifdef MS_SPEEDUP
+ retval =
+ ms_auto_set_cmd(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm,
+ 6 + MS_EXTRA_SIZE, BLOCK_WRITE, WAIT_INT, data, 16,
+ &val);
+#else
+ retval =
+ ms_set_cmd(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm,
+ 6 + MS_EXTRA_SIZE, BLOCK_WRITE, WAIT_INT, data, 16,
+ &val);
+#endif
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (val & INT_REG_CMDNK) {
+ ms_set_err_code(chip, MS_CMD_NK);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ if (val & INT_REG_CED) {
+ if (val & INT_REG_ERR) {
+ ms_set_err_code(chip, MS_FLASH_WRITE_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int ms_read_page(struct rts51x_chip *chip, u16 block_addr, u8 page_num)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval;
+ u8 val = 0, data[6];
+
+ if (CHK_MS4BIT(ms_card)) {
+ /* Parallel interface */
+ data[0] = 0x88;
+ } else {
+ /* Serial interface */
+ data[0] = 0x80;
+ }
+ /* Block Address */
+ data[1] = 0;
+ data[2] = (u8) (block_addr >> 8);
+ data[3] = (u8) block_addr;
+ /* Page Number
+ * Single page access mode */
+ data[4] = 0x20;
+ data[5] = page_num;
+
+ retval = ms_set_cmd(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm, 6,
+ BLOCK_READ, WAIT_INT, data, 6, &val);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (val & INT_REG_CMDNK) {
+ ms_set_err_code(chip, MS_CMD_NK);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ if (val & INT_REG_CED) {
+ if (val & INT_REG_ERR) {
+ if (!(val & INT_REG_BREQ)) {
+ ms_set_err_code(chip, MS_FLASH_READ_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ retval = ms_read_status_reg(chip);
+ if (retval != STATUS_SUCCESS)
+ ms_set_err_code(chip, MS_FLASH_WRITE_ERROR);
+ } else {
+ if (!(val & INT_REG_BREQ)) {
+ ms_set_err_code(chip, MS_BREQ_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+ }
+
+ retval =
+ ms_transfer_tpc(chip, MS_TM_NORMAL_READ, READ_PAGE_DATA, 0,
+ NO_WAIT_INT);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ if (ms_check_err_code(chip, MS_FLASH_WRITE_ERROR))
+ TRACE_RET(chip, STATUS_FAIL);
+
+ return STATUS_SUCCESS;
+}
+
+static int ms_set_bad_block(struct rts51x_chip *chip, u16 phy_blk)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval;
+ u8 val = 0, data[8], extra[MS_EXTRA_SIZE];
+
+ retval = ms_read_extra_data(chip, phy_blk, 0, extra, MS_EXTRA_SIZE);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ ms_set_err_code(chip, MS_NO_ERROR);
+
+ if (CHK_MS4BIT(ms_card)) {
+ /* Parallel interface */
+ data[0] = 0x88;
+ } else {
+ /* Serial interface */
+ data[0] = 0x80;
+ }
+ /* Block Address */
+ data[1] = 0;
+ data[2] = (u8) (phy_blk >> 8);
+ data[3] = (u8) phy_blk;
+ data[4] = 0x80;
+ data[5] = 0;
+ data[6] = extra[0] & 0x7F;
+ data[7] = 0xFF;
+
+#ifdef MS_SPEEDUP
+ retval = ms_set_cmd(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm, 7,
+ BLOCK_WRITE, WAIT_INT, data, 7, &val);
+#else
+ retval = ms_set_cmd(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm, 7,
+ BLOCK_WRITE, WAIT_INT, data, 7, &val);
+#endif
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (val & INT_REG_CMDNK) {
+ ms_set_err_code(chip, MS_CMD_NK);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ if (val & INT_REG_CED) {
+ if (val & INT_REG_ERR) {
+ ms_set_err_code(chip, MS_FLASH_WRITE_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int ms_erase_block(struct rts51x_chip *chip, u16 phy_blk)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval, i = 0;
+ u8 val = 0, data[6];
+
+ retval =
+ ms_set_rw_reg_addr(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm,
+ 6);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ ms_set_err_code(chip, MS_NO_ERROR);
+
+ if (CHK_MS4BIT(ms_card)) {
+ /* Parallel interface */
+ data[0] = 0x88;
+ } else {
+ /* Serial interface */
+ data[0] = 0x80;
+ }
+ /* Block Address */
+ data[1] = 0;
+ data[2] = (u8) (phy_blk >> 8);
+ data[3] = (u8) phy_blk;
+ data[4] = 0;
+ data[5] = 0;
+
+ERASE_RTY:
+#ifdef MS_SPEEDUP
+ retval =
+ ms_auto_set_cmd(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm, 6,
+ BLOCK_ERASE, WAIT_INT, data, 6, &val);
+#else
+ retval = ms_set_cmd(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm, 6,
+ BLOCK_ERASE, WAIT_INT, data, 6, &val);
+#endif
+
+ if (val & INT_REG_CMDNK) {
+ if (i < 3) {
+ i++;
+ goto ERASE_RTY;
+ }
+ ms_set_err_code(chip, MS_CMD_NK);
+ ms_set_bad_block(chip, phy_blk);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ if (val & INT_REG_CED) {
+ if (val & INT_REG_ERR) {
+ ms_set_err_code(chip, MS_FLASH_WRITE_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static void ms_set_page_status(u16 log_blk, u8 type, u8 *extra, int extra_len)
+{
+ if (!extra || (extra_len < MS_EXTRA_SIZE))
+ return;
+
+ memset(extra, 0xFF, MS_EXTRA_SIZE);
+
+ if (type == setPS_NG)
+ extra[0] = 0xB8;
+ else
+ extra[0] = 0x98;
+
+ extra[2] = (u8) (log_blk >> 8);
+ extra[3] = (u8) log_blk;
+}
+
+static int ms_init_page(struct rts51x_chip *chip, u16 phy_blk, u16 log_blk,
+ u8 start_page, u8 end_page)
+{
+ int retval;
+ u8 extra[MS_EXTRA_SIZE], i;
+
+ memset(extra, 0xff, MS_EXTRA_SIZE);
+
+ extra[0] = 0xf8; /* Block, page OK, data erased */
+ extra[1] = 0xff;
+ extra[2] = (u8) (log_blk >> 8);
+ extra[3] = (u8) log_blk;
+
+ for (i = start_page; i < end_page; i++) {
+ if (monitor_card_cd(chip, MS_CARD) == CD_NOT_EXIST)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ retval =
+ ms_write_extra_data(chip, phy_blk, i, extra, MS_EXTRA_SIZE);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int ms_copy_page(struct rts51x_chip *chip, u16 old_blk, u16 new_blk,
+ u16 log_blk, u8 start_page, u8 end_page)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval, rty_cnt, uncorrect_flag = 0;
+ u8 extra[MS_EXTRA_SIZE], val, i, j, data[16];
+
+ RTS51X_DEBUGP("Copy page from 0x%x to 0x%x, logical block is 0x%x\n",
+ old_blk, new_blk, log_blk);
+ RTS51X_DEBUGP("start_page = %d, end_page = %d\n", start_page,
+ end_page);
+
+ retval = ms_read_extra_data(chip, new_blk, 0, extra, MS_EXTRA_SIZE);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = ms_read_status_reg(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ RTS51X_READ_REG(chip, PPBUF_BASE2, &val);
+
+ if (val & BUF_FULL) {
+ /* Clear Buffer */
+ retval = ms_send_cmd(chip, CLEAR_BUF, WAIT_INT);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ /* GET_INT Register */
+ retval = ms_read_bytes(chip, GET_INT, 1, NO_WAIT_INT, &val, 1);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (!(val & INT_REG_CED)) {
+ ms_set_err_code(chip, MS_FLASH_WRITE_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+
+ for (i = start_page; i < end_page; i++) {
+ if (monitor_card_cd(chip, MS_CARD) == CD_NOT_EXIST)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ ms_read_extra_data(chip, old_blk, i, extra, MS_EXTRA_SIZE);
+
+ retval =
+ ms_set_rw_reg_addr(chip, OverwriteFlag, MS_EXTRA_SIZE,
+ SystemParm, 6);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ /* Write REG */
+ ms_set_err_code(chip, MS_NO_ERROR);
+
+ if (CHK_MS4BIT(ms_card)) {
+ /* Parallel interface */
+ data[0] = 0x88;
+ } else {
+ /* Serial interface */
+ data[0] = 0x80;
+ }
+ /* Block Address */
+ data[1] = 0;
+ data[2] = (u8) (old_blk >> 8);
+ data[3] = (u8) old_blk;
+ data[4] = 0x20;
+ data[5] = i;
+
+ retval =
+ ms_write_bytes(chip, WRITE_REG, 6, NO_WAIT_INT, data, 6);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = ms_send_cmd(chip, BLOCK_READ, WAIT_INT);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ ms_set_err_code(chip, MS_NO_ERROR);
+ retval = ms_read_bytes(chip, GET_INT, 1, NO_WAIT_INT, &val, 1);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (val & INT_REG_CMDNK) {
+ ms_set_err_code(chip, MS_CMD_NK);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ if (val & INT_REG_CED) {
+ if (val & INT_REG_ERR) {
+ retval = ms_read_status_reg(chip);
+ if (retval != STATUS_SUCCESS) {
+ uncorrect_flag = 1;
+ RTS51X_DEBUGP("Uncorrectable error\n");
+ } else {
+ uncorrect_flag = 0;
+ }
+
+ retval =
+ ms_transfer_tpc(chip, MS_TM_NORMAL_READ,
+ READ_PAGE_DATA, 0, NO_WAIT_INT);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ if (uncorrect_flag) {
+ ms_set_page_status(log_blk, setPS_NG,
+ extra, MS_EXTRA_SIZE);
+ if (i == 0)
+ extra[0] &= 0xEF;
+ ms_write_extra_data(chip, old_blk, i,
+ extra,
+ MS_EXTRA_SIZE);
+ RTS51X_DEBUGP("page %d : extra[0] = 0x%x\n",
+ i, extra[0]);
+ MS_SET_BAD_BLOCK_FLG(ms_card);
+
+ ms_set_page_status(log_blk, setPS_Error,
+ extra, MS_EXTRA_SIZE);
+ ms_write_extra_data(chip, new_blk, i,
+ extra, MS_EXTRA_SIZE);
+ continue;
+ }
+
+ for (rty_cnt = 0; rty_cnt < MS_MAX_RETRY_COUNT;
+ rty_cnt++) {
+ retval =
+ ms_transfer_tpc(chip,
+ MS_TM_NORMAL_WRITE,
+ WRITE_PAGE_DATA, 0,
+ NO_WAIT_INT);
+ if (retval == STATUS_SUCCESS)
+ break;
+ }
+ if (rty_cnt == MS_MAX_RETRY_COUNT)
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ if (!(val & INT_REG_BREQ)) {
+ ms_set_err_code(chip, MS_BREQ_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+
+ retval = ms_set_rw_reg_addr(chip, OverwriteFlag,
+ MS_EXTRA_SIZE, SystemParm,
+ (6 + MS_EXTRA_SIZE));
+
+ /* Write REG */
+ ms_set_err_code(chip, MS_NO_ERROR);
+
+ if (CHK_MS4BIT(ms_card)) {
+ /* Parallel interface */
+ data[0] = 0x88;
+ } else {
+ /* Serial interface */
+ data[0] = 0x80;
+ }
+ /* Block Address */
+ data[1] = 0;
+ data[2] = (u8) (new_blk >> 8);
+ data[3] = (u8) new_blk;
+ data[4] = 0x20;
+ data[5] = i;
+
+ /* for MS check procedure */
+ if ((extra[0] & 0x60) != 0x60)
+ data[6] = extra[0];
+ else
+ data[6] = 0xF8;
+
+ data[6 + 1] = 0xFF;
+ data[6 + 2] = (u8) (log_blk >> 8);
+ data[6 + 3] = (u8) log_blk;
+
+ for (j = 4; j <= MS_EXTRA_SIZE; j++)
+ data[6 + j] = 0xFF;
+
+ retval =
+ ms_write_bytes(chip, WRITE_REG, (6 + MS_EXTRA_SIZE),
+ NO_WAIT_INT, data, 16);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = ms_send_cmd(chip, BLOCK_WRITE, WAIT_INT);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ /* GET_INT Register */
+ ms_set_err_code(chip, MS_NO_ERROR);
+ retval = ms_read_bytes(chip, GET_INT, 1, NO_WAIT_INT, &val, 1);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (val & INT_REG_CMDNK) {
+ ms_set_err_code(chip, MS_CMD_NK);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ if (val & INT_REG_CED) {
+ if (val & INT_REG_ERR) {
+ ms_set_err_code(chip, MS_FLASH_WRITE_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+
+ if (i == 0) {
+ retval =
+ ms_set_rw_reg_addr(chip, OverwriteFlag,
+ MS_EXTRA_SIZE, SystemParm, 7);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ ms_set_err_code(chip, MS_NO_ERROR);
+
+ if (CHK_MS4BIT(ms_card)) {
+ /* Parallel interface */
+ data[0] = 0x88;
+ } else {
+ /* Serial interface */
+ data[0] = 0x80;
+ }
+ /* Block Address */
+ data[1] = 0;
+ data[2] = (u8) (old_blk >> 8);
+ data[3] = (u8) old_blk;
+ data[4] = 0x80;
+ data[5] = 0;
+ data[6] = 0xEF;
+ data[7] = 0xFF;
+
+ retval =
+ ms_write_bytes(chip, WRITE_REG, 7, NO_WAIT_INT,
+ data, 8);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = ms_send_cmd(chip, BLOCK_WRITE, WAIT_INT);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ ms_set_err_code(chip, MS_NO_ERROR);
+ retval =
+ ms_read_bytes(chip, GET_INT, 1, NO_WAIT_INT, &val,
+ 1);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (val & INT_REG_CMDNK) {
+ ms_set_err_code(chip, MS_CMD_NK);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ if (val & INT_REG_CED) {
+ if (val & INT_REG_ERR) {
+ ms_set_err_code(chip,
+ MS_FLASH_WRITE_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+ }
+ }
+
+ return STATUS_SUCCESS;
+}
+
+#ifdef MS_SPEEDUP
+static int ms_auto_copy_page(struct rts51x_chip *chip, u16 old_blk, u16 new_blk,
+ u16 log_blk, u8 start_page, u8 end_page)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval;
+ u8 page_len, bus_width, val = 0;
+ u8 extra[MS_EXTRA_SIZE];
+
+ RTS51X_DEBUGP("Auto copy page from 0x%x to 0x%x, logical block is 0x%x\n",
+ old_blk, new_blk, log_blk);
+ RTS51X_DEBUGP("start_page = %d, end_page = %d\n", start_page,
+ end_page);
+
+ page_len = end_page - start_page;
+
+ retval = ms_read_extra_data(chip, new_blk, 0, extra, MS_EXTRA_SIZE);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = ms_read_status_reg(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ RTS51X_READ_REG(chip, PPBUF_BASE2, &val);
+
+ if (val & BUF_FULL) {
+ retval = ms_send_cmd(chip, CLEAR_BUF, WAIT_INT);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = ms_read_bytes(chip, GET_INT, 1, NO_WAIT_INT, &val, 1);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (!(val & INT_REG_CED)) {
+ ms_set_err_code(chip, MS_FLASH_WRITE_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+
+ if (CHK_MS4BIT(ms_card)) {
+ /* Parallel interface */
+ bus_width = 0x88;
+ } else {
+ /* Serial interface */
+ bus_width = 0x80;
+ }
+
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_OLD_BLOCK_0, 0xFF, (u8) old_blk);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_OLD_BLOCK_1, 0xFF,
+ (u8) (old_blk >> 8));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_NEW_BLOCK_0, 0xFF, (u8) new_blk);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_NEW_BLOCK_1, 0xFF,
+ (u8) (new_blk >> 8));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_LOG_BLOCK_0, 0xFF, (u8) log_blk);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_LOG_BLOCK_1, 0xFF,
+ (u8) (log_blk >> 8));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_PAGE_START, 0xFF, start_page);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_PAGE_LENGTH, 0xFF, page_len);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_BUS_WIDTH, 0xFF, bus_width);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANSFER, 0xFF,
+ MS_TRANSFER_START | MS_TM_COPY_PAGE);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, MS_TRANSFER, MS_TRANSFER_END,
+ MS_TRANSFER_END);
+
+ retval = rts51x_send_cmd(chip, MODE_CR, 100);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_clear_ms_error(chip);
+ TRACE_RET(chip, retval);
+ }
+
+ retval = rts51x_get_rsp(chip, 1, 5000);
+
+ if (CHECK_MS_TRANS_FAIL(chip, retval)) {
+ rts51x_clear_ms_error(chip);
+ if (retval == STATUS_TIMEDOUT)
+ TRACE_RET(chip, retval);
+ TRACE_GOTO(chip, Fail);
+ }
+
+ return STATUS_SUCCESS;
+
+Fail:
+ retval = ms_erase_block(chip, new_blk);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval =
+ ms_copy_page(chip, old_blk, new_blk, log_blk, start_page, end_page);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ return STATUS_SUCCESS;
+}
+#endif
+
+static int reset_ms(struct rts51x_chip *chip)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval;
+ u16 i, reg_addr, block_size;
+ u8 val, j, *ptr;
+#ifndef SUPPORT_MAGIC_GATE
+ u16 eblock_cnt;
+#endif
+
+ retval = ms_prepare_reset(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ ms_card->ms_type |= TYPE_MS;
+
+ retval = ms_send_cmd(chip, MS_RESET, NO_WAIT_INT);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = ms_read_status_reg(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ RTS51X_READ_REG(chip, PPBUF_BASE2, &val);
+ if (val & WRT_PRTCT)
+ chip->card_wp |= MS_CARD;
+ else
+ chip->card_wp &= ~MS_CARD;
+
+ i = 0;
+
+RE_SEARCH:
+ /* Search For Boot Block */
+ while (i < (MAX_DEFECTIVE_BLOCK + 2)) {
+ if (monitor_card_cd(chip, MS_CARD) == CD_NOT_EXIST)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ retval = ms_check_boot_block(chip, i);
+ if (retval != STATUS_SUCCESS) {
+ i++;
+ continue;
+ }
+
+ ms_card->boot_block = i;
+ break;
+ }
+
+ if (i == (MAX_DEFECTIVE_BLOCK + 2)) {
+ RTS51X_DEBUGP("No boot block found!");
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ for (j = 0; j < 3; j++) {
+ retval = ms_read_page(chip, ms_card->boot_block, j);
+ if (retval != STATUS_SUCCESS) {
+ if (ms_check_err_code(chip, MS_FLASH_WRITE_ERROR)) {
+ i = ms_card->boot_block + 1;
+ ms_set_err_code(chip, MS_NO_ERROR);
+ goto RE_SEARCH;
+ }
+ }
+ }
+
+ /* Read boot block contents */
+ retval = ms_read_page(chip, ms_card->boot_block, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ /* Read MS system information as sys_info */
+ retval =
+ rts51x_seq_read_register(chip, PPBUF_BASE2 + 0x1A0, 96,
+ ms_card->raw_sys_info);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ /* Read useful block contents */
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, READ_REG_CMD, HEADER_ID0, 0, 0);
+ rts51x_add_cmd(chip, READ_REG_CMD, HEADER_ID1, 0, 0);
+
+ for (reg_addr = DISABLED_BLOCK0; reg_addr <= DISABLED_BLOCK3;
+ reg_addr++) {
+ rts51x_add_cmd(chip, READ_REG_CMD, reg_addr, 0, 0);
+ }
+
+ for (reg_addr = BLOCK_SIZE_0; reg_addr <= PAGE_SIZE_1; reg_addr++)
+ rts51x_add_cmd(chip, READ_REG_CMD, reg_addr, 0, 0);
+
+ rts51x_add_cmd(chip, READ_REG_CMD, MS_Device_Type, 0, 0);
+ rts51x_add_cmd(chip, READ_REG_CMD, MS_4bit_Support, 0, 0);
+
+ retval = rts51x_send_cmd(chip, MODE_CR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = rts51x_get_rsp(chip, 16, 100);
+
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ ptr = rts51x_get_rsp_data(chip);
+
+ RTS51X_DEBUGP("Boot block data:\n");
+ RTS51X_DUMP(ptr, 16);
+
+ if (ptr[0] != 0x00 || ptr[1] != 0x01) {
+ i = ms_card->boot_block + 1;
+ goto RE_SEARCH;
+ }
+ if (ptr[12] != 0x02 || ptr[13] != 0x00) {
+ i = ms_card->boot_block + 1;
+ goto RE_SEARCH;
+ }
+ if ((ptr[14] == 1) || (ptr[14] == 3))
+ chip->card_wp |= MS_CARD;
+ block_size = ((u16) ptr[6] << 8) | ptr[7];
+ if (block_size == 0x0010) {
+ ms_card->block_shift = 5;
+ ms_card->page_off = 0x1F;
+ } else if (block_size == 0x0008) {
+ ms_card->block_shift = 4;
+ ms_card->page_off = 0x0F;
+ }
+ ms_card->total_block = ((u16) ptr[8] << 8) | ptr[9];
+
+#ifdef SUPPORT_MAGIC_GATE
+ j = ptr[10];
+
+ if (ms_card->block_shift == 4) {
+ if (j < 2)
+ ms_card->capacity = 0x1EE0;
+ else
+ ms_card->capacity = 0x3DE0;
+ } else {
+ if (j < 5)
+ ms_card->capacity = 0x7BC0;
+ else if (j < 0xA)
+ ms_card->capacity = 0xF7C0;
+ else if (j < 0x11)
+ ms_card->capacity = 0x1EF80;
+ else
+ ms_card->capacity = 0x3DF00;
+ }
+#else
+ eblock_cnt = ((u16) ptr[10] << 8) | ptr[11];
+
+ ms_card->capacity = ((u32) eblock_cnt - 2) << ms_card->block_shift;
+#endif
+
+ chip->capacity[chip->card2lun[MS_CARD]] = ms_card->capacity;
+
+ if (ptr[15]) {
+ retval = ms_set_rw_reg_addr(chip, 0, 0, SystemParm, 1);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, STATUS_FAIL);
+ RTS51X_WRITE_REG(chip, PPBUF_BASE2, 0xFF, 0x88);
+ RTS51X_WRITE_REG(chip, PPBUF_BASE2 + 1, 0xFF, 0);
+
+ retval =
+ ms_transfer_tpc(chip, MS_TM_WRITE_BYTES, WRITE_REG, 1,
+ NO_WAIT_INT);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, STATUS_FAIL);
+ RTS51X_WRITE_REG(chip, MS_CFG, 0x58 | MS_NO_CHECK_INT,
+ MS_BUS_WIDTH_4 | PUSH_TIME_ODD |
+ MS_NO_CHECK_INT);
+
+ ms_card->ms_type |= MS_4BIT;
+ }
+
+ if (CHK_MS4BIT(ms_card))
+ chip->card_bus_width[chip->card2lun[MS_CARD]] = 4;
+ else
+ chip->card_bus_width[chip->card2lun[MS_CARD]] = 1;
+
+ return STATUS_SUCCESS;
+}
+
+static int ms_init_l2p_tbl(struct rts51x_chip *chip)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int size, i, seg_no, retval;
+ u16 defect_block, reg_addr;
+ u8 val1, val2;
+
+ ms_card->segment_cnt = ms_card->total_block >> 9;
+ RTS51X_DEBUGP("ms_card->segment_cnt = %d\n", ms_card->segment_cnt);
+
+ size = ms_card->segment_cnt * sizeof(struct zone_entry);
+ ms_card->segment = vmalloc(size);
+ if (ms_card->segment == NULL)
+ TRACE_RET(chip, STATUS_FAIL);
+ memset(ms_card->segment, 0, size);
+
+ retval = ms_read_page(chip, ms_card->boot_block, 1);
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, INIT_FAIL);
+
+ reg_addr = PPBUF_BASE2;
+ for (i = 0; i < (((ms_card->total_block >> 9) * 10) + 1); i++) {
+ retval = rts51x_read_register(chip, reg_addr++, &val1);
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, INIT_FAIL);
+ retval = rts51x_read_register(chip, reg_addr++, &val2);
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, INIT_FAIL);
+
+ defect_block = ((u16) val1 << 8) | val2;
+ if (defect_block == 0xFFFF)
+ break;
+ seg_no = defect_block / 512;
+ ms_card->segment[seg_no].defect_list[ms_card->segment[seg_no].
+ disable_count++] =
+ defect_block;
+ }
+
+ for (i = 0; i < ms_card->segment_cnt; i++) {
+ ms_card->segment[i].build_flag = 0;
+ ms_card->segment[i].l2p_table = NULL;
+ ms_card->segment[i].free_table = NULL;
+ ms_card->segment[i].get_index = 0;
+ ms_card->segment[i].set_index = 0;
+ ms_card->segment[i].unused_blk_cnt = 0;
+
+ RTS51X_DEBUGP("defective block count of segment %d is %d\n",
+ i, ms_card->segment[i].disable_count);
+ }
+
+ return STATUS_SUCCESS;
+
+INIT_FAIL:
+ if (ms_card->segment) {
+ vfree(ms_card->segment);
+ ms_card->segment = NULL;
+ }
+
+ return STATUS_FAIL;
+}
+
+static u16 ms_get_l2p_tbl(struct rts51x_chip *chip, int seg_no, u16 log_off)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ struct zone_entry *segment;
+
+ if (ms_card->segment == NULL)
+ return 0xFFFF;
+
+ segment = &(ms_card->segment[seg_no]);
+
+ if (segment->l2p_table)
+ return segment->l2p_table[log_off];
+
+ return 0xFFFF;
+}
+
+static void ms_set_l2p_tbl(struct rts51x_chip *chip, int seg_no, u16 log_off,
+ u16 phy_blk)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ struct zone_entry *segment;
+
+ if (ms_card->segment == NULL)
+ return;
+
+ segment = &(ms_card->segment[seg_no]);
+ if (segment->l2p_table)
+ segment->l2p_table[log_off] = phy_blk;
+}
+
+static void ms_set_unused_block(struct rts51x_chip *chip, u16 phy_blk)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ struct zone_entry *segment;
+ int seg_no;
+
+ seg_no = (int)phy_blk >> 9;
+ segment = &(ms_card->segment[seg_no]);
+
+ segment->free_table[segment->set_index++] = phy_blk;
+ if (segment->set_index >= MS_FREE_TABLE_CNT)
+ segment->set_index = 0;
+ segment->unused_blk_cnt++;
+}
+
+static u16 ms_get_unused_block(struct rts51x_chip *chip, int seg_no)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ struct zone_entry *segment;
+ u16 phy_blk;
+
+ segment = &(ms_card->segment[seg_no]);
+
+ if (segment->unused_blk_cnt <= 0)
+ return 0xFFFF;
+
+ phy_blk = segment->free_table[segment->get_index];
+ segment->free_table[segment->get_index++] = 0xFFFF;
+ if (segment->get_index >= MS_FREE_TABLE_CNT)
+ segment->get_index = 0;
+ segment->unused_blk_cnt--;
+
+ return phy_blk;
+}
+
+static const unsigned short ms_start_idx[] = {
+ 0, 494, 990, 1486, 1982, 2478, 2974, 3470,
+ 3966, 4462, 4958, 5454, 5950, 6446, 6942, 7438, 7934
+};
+
+static int ms_arbitrate_l2p(struct rts51x_chip *chip, u16 phy_blk, u16 log_off,
+ u8 us1, u8 us2)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ struct zone_entry *segment;
+ int seg_no;
+ u16 tmp_blk;
+
+ seg_no = (int)phy_blk >> 9;
+ segment = &(ms_card->segment[seg_no]);
+ tmp_blk = segment->l2p_table[log_off];
+
+ if (us1 != us2) {
+ if (us1 == 0) {
+ if (!(chip->card_wp & MS_CARD))
+ ms_erase_block(chip, tmp_blk);
+ ms_set_unused_block(chip, tmp_blk);
+ segment->l2p_table[log_off] = phy_blk;
+ } else {
+ if (!(chip->card_wp & MS_CARD))
+ ms_erase_block(chip, phy_blk);
+ ms_set_unused_block(chip, phy_blk);
+ }
+ } else {
+ if (phy_blk < tmp_blk) {
+ if (!(chip->card_wp & MS_CARD))
+ ms_erase_block(chip, phy_blk);
+ ms_set_unused_block(chip, phy_blk);
+ } else {
+ if (!(chip->card_wp & MS_CARD))
+ ms_erase_block(chip, tmp_blk);
+ ms_set_unused_block(chip, tmp_blk);
+ segment->l2p_table[log_off] = phy_blk;
+ }
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int ms_build_l2p_tbl(struct rts51x_chip *chip, int seg_no)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ struct zone_entry *segment;
+ int retval, table_size, disable_cnt, defect_flag, i;
+ u16 start, end, phy_blk, log_blk, tmp_blk;
+ u8 extra[MS_EXTRA_SIZE], us1, us2;
+
+ RTS51X_DEBUGP("ms_build_l2p_tbl: %d\n", seg_no);
+
+ if (ms_card->segment == NULL) {
+ retval = ms_init_l2p_tbl(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+
+ if (ms_card->segment[seg_no].build_flag) {
+ RTS51X_DEBUGP("l2p table of segment %d has been built\n",
+ seg_no);
+ return STATUS_SUCCESS;
+ }
+
+ if (seg_no == 0)
+ table_size = 494;
+ else
+ table_size = 496;
+
+ segment = &(ms_card->segment[seg_no]);
+
+ if (segment->l2p_table == NULL) {
+ segment->l2p_table = vmalloc(table_size * 2);
+ if (segment->l2p_table == NULL)
+ TRACE_GOTO(chip, BUILD_FAIL);
+ }
+ memset((u8 *) (segment->l2p_table), 0xff, table_size * 2);
+
+ if (segment->free_table == NULL) {
+ segment->free_table = vmalloc(MS_FREE_TABLE_CNT * 2);
+ if (segment->free_table == NULL)
+ TRACE_GOTO(chip, BUILD_FAIL);
+ }
+ memset((u8 *) (segment->free_table), 0xff, MS_FREE_TABLE_CNT * 2);
+
+ start = (u16) seg_no << 9;
+ end = (u16) (seg_no + 1) << 9;
+
+ disable_cnt = segment->disable_count;
+
+ segment->get_index = segment->set_index = 0;
+ segment->unused_blk_cnt = 0;
+
+ for (phy_blk = start; phy_blk < end; phy_blk++) {
+ if (disable_cnt) {
+ defect_flag = 0;
+ for (i = 0; i < segment->disable_count; i++) {
+ if (phy_blk == segment->defect_list[i]) {
+ defect_flag = 1;
+ break;
+ }
+ }
+ if (defect_flag) {
+ disable_cnt--;
+ continue;
+ }
+ }
+
+ retval =
+ ms_read_extra_data(chip, phy_blk, 0, extra, MS_EXTRA_SIZE);
+ if (retval != STATUS_SUCCESS) {
+ RTS51X_DEBUGP("read extra data fail\n");
+ ms_set_bad_block(chip, phy_blk);
+ continue;
+ }
+
+ if (seg_no == ms_card->segment_cnt - 1) {
+ if (!(extra[1] & NOT_TRANSLATION_TABLE)) {
+ if (!(chip->card_wp & MS_CARD)) {
+ retval = ms_erase_block(chip, phy_blk);
+ if (retval != STATUS_SUCCESS)
+ continue;
+ extra[2] = 0xff;
+ extra[3] = 0xff;
+ }
+ }
+ }
+
+ if (!(extra[0] & BLOCK_OK))
+ continue;
+ if (!(extra[1] & NOT_BOOT_BLOCK))
+ continue;
+ if ((extra[0] & PAGE_OK) != PAGE_OK)
+ continue;
+
+ log_blk = ((u16) extra[2] << 8) | extra[3];
+
+ if (log_blk == 0xFFFF) {
+ if (!(chip->card_wp & MS_CARD)) {
+ retval = ms_erase_block(chip, phy_blk);
+ if (retval != STATUS_SUCCESS)
+ continue;
+ }
+ ms_set_unused_block(chip, phy_blk);
+ continue;
+ }
+
+ if ((log_blk < ms_start_idx[seg_no]) ||
+ (log_blk >= ms_start_idx[seg_no + 1])) {
+ if (!(chip->card_wp & MS_CARD)) {
+ retval = ms_erase_block(chip, phy_blk);
+ if (retval != STATUS_SUCCESS)
+ continue;
+ }
+ ms_set_unused_block(chip, phy_blk);
+ continue;
+ }
+
+ if (segment->l2p_table[log_blk - ms_start_idx[seg_no]] ==
+ 0xFFFF) {
+ segment->l2p_table[log_blk - ms_start_idx[seg_no]] =
+ phy_blk;
+ continue;
+ }
+
+ us1 = extra[0] & 0x10;
+ tmp_blk = segment->l2p_table[log_blk - ms_start_idx[seg_no]];
+ retval =
+ ms_read_extra_data(chip, tmp_blk, 0, extra, MS_EXTRA_SIZE);
+ if (retval != STATUS_SUCCESS)
+ continue;
+ us2 = extra[0] & 0x10;
+
+ (void)ms_arbitrate_l2p(chip, phy_blk,
+ log_blk - ms_start_idx[seg_no], us1,
+ us2);
+ continue;
+ }
+
+ segment->build_flag = 1;
+
+ RTS51X_DEBUGP("unused block count: %d\n", segment->unused_blk_cnt);
+
+ if (seg_no == ms_card->segment_cnt - 1) {
+ if (segment->unused_blk_cnt < 2)
+ chip->card_wp |= MS_CARD;
+ } else {
+ if (segment->unused_blk_cnt < 1)
+ chip->card_wp |= MS_CARD;
+ }
+
+ if (chip->card_wp & MS_CARD)
+ return STATUS_SUCCESS;
+
+ for (log_blk = ms_start_idx[seg_no]; log_blk < ms_start_idx[seg_no + 1];
+ log_blk++) {
+ if (segment->l2p_table[log_blk - ms_start_idx[seg_no]] ==
+ 0xFFFF) {
+ phy_blk = ms_get_unused_block(chip, seg_no);
+ if (phy_blk == 0xFFFF) {
+ chip->card_wp |= MS_CARD;
+ return STATUS_SUCCESS;
+ }
+ retval = ms_init_page(chip, phy_blk, log_blk, 0, 1);
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, BUILD_FAIL);
+ segment->l2p_table[log_blk - ms_start_idx[seg_no]] =
+ phy_blk;
+ if (seg_no == ms_card->segment_cnt - 1) {
+ if (segment->unused_blk_cnt < 2) {
+ chip->card_wp |= MS_CARD;
+ return STATUS_SUCCESS;
+ }
+ } else {
+ if (segment->unused_blk_cnt < 1) {
+ chip->card_wp |= MS_CARD;
+ return STATUS_SUCCESS;
+ }
+ }
+ }
+ }
+
+ if (seg_no == 0) {
+ for (log_blk = 0; log_blk < 494; log_blk++) {
+ tmp_blk = segment->l2p_table[log_blk];
+ if (tmp_blk < ms_card->boot_block) {
+ RTS51X_DEBUGP("Boot block is not the first normal block.\n");
+
+ if (chip->card_wp & MS_CARD)
+ break;
+
+ phy_blk = ms_get_unused_block(chip, 0);
+#ifdef MS_SPEEDUP
+ retval =
+ ms_auto_copy_page(chip, tmp_blk, phy_blk,
+ log_blk, 0,
+ ms_card->page_off + 1);
+#else
+ retval = ms_copy_page(chip, tmp_blk, phy_blk,
+ log_blk, 0,
+ ms_card->page_off + 1);
+#endif
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ segment->l2p_table[log_blk] = phy_blk;
+
+ retval = ms_set_bad_block(chip, tmp_blk);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+ }
+ }
+
+ return STATUS_SUCCESS;
+
+BUILD_FAIL:
+ segment->build_flag = 0;
+ if (segment->l2p_table) {
+ vfree(segment->l2p_table);
+ segment->l2p_table = NULL;
+ }
+ if (segment->free_table) {
+ vfree(segment->free_table);
+ segment->free_table = NULL;
+ }
+
+ return STATUS_FAIL;
+}
+
+int rts51x_reset_ms_card(struct rts51x_chip *chip)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval;
+
+ memset(ms_card, 0, sizeof(struct ms_info));
+
+ rts51x_enable_card_clock(chip, MS_CARD);
+
+ retval = rts51x_select_card(chip, MS_CARD);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ ms_card->ms_type = 0;
+ ms_card->last_rw_int = 0;
+
+ retval = reset_ms_pro(chip);
+ if (retval != STATUS_SUCCESS) {
+ if (ms_card->check_ms_flow) {
+ retval = reset_ms(chip);
+ if (retval != STATUS_SUCCESS) {
+ if (chip->option.reset_or_rw_fail_set_pad_drive) {
+ rts51x_write_register(chip,
+ CARD_DRIVE_SEL, SD20_DRIVE_MASK,
+ DRIVE_8mA);
+ }
+ TRACE_RET(chip, retval);
+ }
+ } else {
+ if (chip->option.reset_or_rw_fail_set_pad_drive) {
+ rts51x_write_register(chip, CARD_DRIVE_SEL,
+ SD20_DRIVE_MASK,
+ DRIVE_8mA);
+ }
+ TRACE_RET(chip, retval);
+ }
+ }
+
+ retval = ms_set_init_para(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (!CHK_MSPRO(ms_card)) {
+ retval = ms_build_l2p_tbl(chip, ms_card->total_block / 512 - 1);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+
+ RTS51X_DEBUGP("ms_card->ms_type = 0x%x\n", ms_card->ms_type);
+
+ return STATUS_SUCCESS;
+}
+
+static int mspro_set_rw_cmd(struct rts51x_chip *chip, u32 start_sec,
+ u16 sec_cnt, u8 cmd)
+{
+ int retval, i;
+ u8 data[8];
+
+ data[0] = cmd;
+ data[1] = (u8) (sec_cnt >> 8);
+ data[2] = (u8) sec_cnt;
+ data[3] = (u8) (start_sec >> 24);
+ data[4] = (u8) (start_sec >> 16);
+ data[5] = (u8) (start_sec >> 8);
+ data[6] = (u8) start_sec;
+ data[7] = 0;
+
+ for (i = 0; i < MS_MAX_RETRY_COUNT; i++) {
+ retval =
+ ms_write_bytes(chip, PRO_EX_SET_CMD, 7, WAIT_INT, data, 8);
+ if (retval == STATUS_SUCCESS)
+ break;
+ }
+ if (i == MS_MAX_RETRY_COUNT)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ return STATUS_SUCCESS;
+}
+
+static void mspro_stop_seq_mode(struct rts51x_chip *chip)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval;
+
+ if (ms_card->seq_mode) {
+ retval = ms_switch_clock(chip);
+ if (retval != STATUS_SUCCESS)
+ return;
+
+ ms_card->seq_mode = 0;
+ ms_card->total_sec_cnt = 0;
+ ms_card->last_rw_int = 0;
+ ms_send_cmd(chip, PRO_STOP, WAIT_INT);
+
+ rts51x_ep0_write_register(chip, MC_FIFO_CTL, FIFO_FLUSH,
+ FIFO_FLUSH);
+ }
+}
+
+static inline int ms_auto_tune_clock(struct rts51x_chip *chip)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval;
+
+ if (chip->asic_code) {
+ if (ms_card->ms_clock > 30)
+ ms_card->ms_clock -= 20;
+ } else {
+ if (ms_card->ms_clock == CLK_80)
+ ms_card->ms_clock = CLK_60;
+ else if (ms_card->ms_clock == CLK_60)
+ ms_card->ms_clock = CLK_40;
+ }
+
+ retval = ms_switch_clock(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ return STATUS_SUCCESS;
+}
+
+static int mspro_rw_multi_sector(struct scsi_cmnd *srb,
+ struct rts51x_chip *chip, u32 start_sector,
+ u16 sector_cnt)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval, mode_2k = 0;
+ u16 count;
+ u8 val, trans_mode, rw_tpc, rw_cmd;
+
+ ms_set_err_code(chip, MS_NO_ERROR);
+
+ ms_card->counter = 0;
+
+ if (CHK_MSHG(ms_card)) {
+ if ((start_sector % 4) || (sector_cnt % 4)) {
+ if (srb->sc_data_direction == DMA_FROM_DEVICE) {
+ rw_tpc = PRO_READ_LONG_DATA;
+ rw_cmd = PRO_READ_DATA;
+ } else {
+ rw_tpc = PRO_WRITE_LONG_DATA;
+ rw_cmd = PRO_WRITE_DATA;
+ }
+ } else {
+ if (srb->sc_data_direction == DMA_FROM_DEVICE) {
+ rw_tpc = PRO_READ_QUAD_DATA;
+ rw_cmd = PRO_READ_2K_DATA;
+ } else {
+ rw_tpc = PRO_WRITE_QUAD_DATA;
+ rw_cmd = PRO_WRITE_2K_DATA;
+ }
+ mode_2k = 1;
+ }
+ } else {
+ if (srb->sc_data_direction == DMA_FROM_DEVICE) {
+ rw_tpc = PRO_READ_LONG_DATA;
+ rw_cmd = PRO_READ_DATA;
+ } else {
+ rw_tpc = PRO_WRITE_LONG_DATA;
+ rw_cmd = PRO_WRITE_DATA;
+ }
+ }
+
+ retval = ms_switch_clock(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (srb->sc_data_direction == DMA_FROM_DEVICE)
+ trans_mode = MS_TM_AUTO_READ;
+ else
+ trans_mode = MS_TM_AUTO_WRITE;
+
+ val = ms_card->last_rw_int;
+
+ if (ms_card->seq_mode) {
+ if ((ms_card->pre_dir != srb->sc_data_direction)
+ || ((ms_card->pre_sec_addr + ms_card->pre_sec_cnt) !=
+ start_sector)
+ || (mode_2k && (ms_card->seq_mode & MODE_512_SEQ))
+ || (!mode_2k && (ms_card->seq_mode & MODE_2K_SEQ))
+ || !(val & MS_INT_BREQ)
+ || ((ms_card->total_sec_cnt + sector_cnt) > 0xFE00)) {
+ ms_card->seq_mode = 0;
+ ms_card->total_sec_cnt = 0;
+ ms_card->last_rw_int = 0;
+ if (val & MS_INT_BREQ) {
+ retval = ms_send_cmd(chip, PRO_STOP, WAIT_INT);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ rts51x_ep0_write_register(chip, MC_FIFO_CTL,
+ FIFO_FLUSH, FIFO_FLUSH);
+ }
+ }
+ }
+
+ if (!ms_card->seq_mode) {
+ ms_card->total_sec_cnt = 0;
+ if (sector_cnt >= 0x80) {
+ if ((ms_card->capacity - start_sector) > 0xFE00)
+ count = 0xFE00;
+ else
+ count =
+ (u16) (ms_card->capacity - start_sector);
+ if (count > sector_cnt) {
+ if (mode_2k)
+ ms_card->seq_mode |= MODE_2K_SEQ;
+ else
+ ms_card->seq_mode |= MODE_512_SEQ;
+ }
+ } else {
+ count = sector_cnt;
+ }
+ retval = mspro_set_rw_cmd(chip, start_sector, count, rw_cmd);
+ if (retval != STATUS_SUCCESS) {
+ ms_card->seq_mode = 0;
+ TRACE_RET(chip, retval);
+ }
+ }
+
+ retval =
+ ms_transfer_data(chip, trans_mode, rw_tpc, sector_cnt, WAIT_INT,
+ mode_2k, scsi_sg_count(srb), scsi_sglist(srb),
+ scsi_bufflen(srb));
+ if (retval != STATUS_SUCCESS) {
+ ms_card->seq_mode = 0;
+ rts51x_ep0_read_register(chip, MS_TRANS_CFG, &val);
+ rts51x_clear_ms_error(chip);
+ if (val & MS_INT_BREQ)
+ ms_send_cmd(chip, PRO_STOP, WAIT_INT);
+ if (val & (MS_CRC16_ERR | MS_RDY_TIMEOUT)) {
+ RTS51X_DEBUGP("MSPro CRC error, tune clock!\n");
+ ms_auto_tune_clock(chip);
+ }
+
+ TRACE_RET(chip, retval);
+ }
+
+ ms_card->pre_sec_addr = start_sector;
+ ms_card->pre_sec_cnt = sector_cnt;
+ ms_card->pre_dir = srb->sc_data_direction;
+ ms_card->total_sec_cnt += sector_cnt;
+
+ return STATUS_SUCCESS;
+}
+
+static int mspro_read_format_progress(struct rts51x_chip *chip,
+ const int short_data_len)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval, i;
+ u32 total_progress, cur_progress;
+ u8 cnt, tmp;
+ u8 data[8];
+
+ ms_card->format_status = FORMAT_FAIL;
+
+ retval = ms_switch_clock(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ RTS51X_READ_REG(chip, MS_TRANS_CFG, &tmp);
+
+ if ((tmp & (MS_INT_CED | MS_INT_CMDNK | MS_INT_ERR)) == MS_INT_CED) {
+ ms_card->format_status = FORMAT_SUCCESS;
+ ms_card->pro_under_formatting = 0;
+ return STATUS_SUCCESS;
+ }
+ if (!
+ ((tmp & (MS_INT_BREQ | MS_INT_CED | MS_INT_CMDNK | MS_INT_ERR)) ==
+ MS_INT_BREQ)) {
+ ms_card->pro_under_formatting = 0;
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ if (short_data_len >= 256)
+ cnt = 0;
+ else
+ cnt = (u8) short_data_len;
+
+ retval =
+ ms_read_bytes(chip, PRO_READ_SHORT_DATA, cnt, WAIT_INT, data, 8);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ total_progress =
+ (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3];
+ cur_progress =
+ (data[4] << 24) | (data[5] << 16) | (data[6] << 8) | data[7];
+
+ RTS51X_DEBUGP("total_progress = %d, cur_progress = %d\n",
+ total_progress, cur_progress);
+
+ if (total_progress == 0) {
+ ms_card->progress = 0;
+ } else {
+ u64 ulltmp = (u64) cur_progress * (u64) 65535;
+ do_div(ulltmp, total_progress);
+ ms_card->progress = (u16) ulltmp;
+ }
+ RTS51X_DEBUGP("progress = %d\n", ms_card->progress);
+
+ for (i = 0; i < 2500; i++) {
+ RTS51X_READ_REG(chip, MS_TRANS_CFG, &tmp);
+ if (tmp &
+ (MS_INT_CED | MS_INT_CMDNK | MS_INT_BREQ | MS_INT_ERR))
+ break;
+
+ wait_timeout(1);
+ }
+
+ if (i == 2500)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ RTS51X_DEBUGP("MSPro format tmp:%d\n", tmp);
+
+ if (tmp & (MS_INT_CMDNK | MS_INT_ERR))
+ TRACE_RET(chip, STATUS_FAIL);
+ if (tmp & MS_INT_CED) {
+ ms_card->format_status = FORMAT_SUCCESS;
+ ms_card->pro_under_formatting = 0;
+ } else if (tmp & MS_INT_BREQ) {
+ ms_card->format_status = FORMAT_IN_PROGRESS;
+ } else {
+ ms_card->format_status = FORMAT_FAIL;
+ ms_card->pro_under_formatting = 0;
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ RTS51X_DEBUGP("MSPro format format_status:%d\n",
+ ms_card->format_status);
+
+ return STATUS_SUCCESS;
+}
+
+void rts51x_mspro_polling_format_status(struct rts51x_chip *chip)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int i;
+
+ if (ms_card->pro_under_formatting) {
+ for (i = 0; i < 65535; i++) {
+ mspro_read_format_progress(chip, MS_SHORT_DATA_LEN);
+ if (ms_card->format_status != FORMAT_IN_PROGRESS)
+ break;
+ }
+ }
+
+ return;
+}
+
+void rts51x_mspro_format_sense(struct rts51x_chip *chip, unsigned int lun)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+
+ if (CHK_FORMAT_STATUS(ms_card, FORMAT_SUCCESS)) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_NO_SENSE);
+ ms_card->pro_under_formatting = 0;
+ ms_card->progress = 0;
+ } else if (CHK_FORMAT_STATUS(ms_card, FORMAT_IN_PROGRESS)) {
+ rts51x_set_sense_data(chip, lun, CUR_ERR, 0x02, 0, 0x04, 0x04,
+ 0, (u16) (ms_card->progress));
+ } else {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_FORMAT_CMD_FAILED);
+ ms_card->pro_under_formatting = 0;
+ ms_card->progress = 0;
+ }
+}
+
+int rts51x_mspro_format(struct scsi_cmnd *srb, struct rts51x_chip *chip,
+ int short_data_len, int quick_format)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval, i;
+ u8 buf[8], tmp;
+ u16 para;
+
+ retval = ms_switch_clock(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = ms_set_rw_reg_addr(chip, 0x00, 0x00, Pro_TPCParm, 0x01);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ memset(buf, 0, 2);
+ switch (short_data_len) {
+ case 32:
+ buf[0] = 0;
+ break;
+ case 64:
+ buf[0] = 1;
+ break;
+ case 128:
+ buf[0] = 2;
+ break;
+ case 256:
+ default:
+ buf[0] = 3;
+ break;
+ }
+
+ for (i = 0; i < MS_MAX_RETRY_COUNT; i++) {
+ retval =
+ ms_write_bytes(chip, PRO_WRITE_REG, 1, NO_WAIT_INT, buf, 2);
+ if (retval == STATUS_SUCCESS)
+ break;
+ }
+ if (i == MS_MAX_RETRY_COUNT)
+ TRACE_RET(chip, STATUS_FAIL);
+ /* Format command */
+ if (quick_format)
+ para = 0x0000;
+ else
+ para = 0x0001;
+ retval = mspro_set_rw_cmd(chip, 0, para, PRO_FORMAT);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ /* Check INT */
+ RTS51X_READ_REG(chip, MS_TRANS_CFG, &tmp);
+ if (tmp & (MS_INT_CMDNK | MS_INT_ERR))
+ TRACE_RET(chip, STATUS_FAIL);
+
+ if ((tmp & (MS_INT_BREQ | MS_INT_CED)) == MS_INT_BREQ) {
+ ms_card->pro_under_formatting = 1;
+ ms_card->progress = 0;
+ ms_card->format_status = FORMAT_IN_PROGRESS;
+ return STATUS_SUCCESS;
+ }
+
+ if (tmp & MS_INT_CED) {
+ ms_card->pro_under_formatting = 0;
+ ms_card->progress = 0;
+ ms_card->format_status = FORMAT_SUCCESS;
+ rts51x_set_sense_type(chip, SCSI_LUN(srb), SENSE_TYPE_NO_SENSE);
+ return STATUS_SUCCESS;
+ }
+
+ TRACE_RET(chip, STATUS_FAIL);
+}
+
+#ifdef MS_SPEEDUP
+static int ms_read_multiple_pages(struct rts51x_chip *chip, u16 phy_blk,
+ u16 log_blk, u8 start_page, u8 end_page,
+ u8 *buf, void **ptr, unsigned int *offset)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval;
+ int send_blkend;
+ u8 extra[MS_EXTRA_SIZE], val1, val2, data[6];
+ u8 page_cnt = end_page - start_page, page_addr, sec_cnt;
+
+ if (end_page != (ms_card->page_off + 1))
+ send_blkend = 1;
+ else
+ send_blkend = 0;
+
+ retval =
+ ms_read_extra_data(chip, phy_blk, start_page, extra, MS_EXTRA_SIZE);
+ if (retval == STATUS_SUCCESS) {
+ if ((extra[1] & 0x30) != 0x30) {
+ ms_set_err_code(chip, MS_FLASH_READ_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+
+ if (CHK_MS4BIT(ms_card)) {
+ /* Parallel interface */
+ data[0] = 0x88;
+ } else {
+ /* Serial interface */
+ data[0] = 0x80;
+ }
+ /* Block Address */
+ data[1] = 0;
+ data[2] = (u8) (phy_blk >> 8);
+ data[3] = (u8) phy_blk;
+ /* Page Number
+ * Extra data access mode */
+ data[4] = 0;
+ data[5] = start_page;
+
+ retval =
+ ms_auto_set_cmd(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm, 6,
+ BLOCK_READ, WAIT_INT, data, 6, &val1);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ rts51x_init_cmd(chip);
+
+ if (send_blkend)
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_BLKEND, SET_BLKEND,
+ SET_BLKEND);
+ else
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_BLKEND, SET_BLKEND, 0);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANS_CFG, WAIT_INT,
+ NO_WAIT_INT);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_SECTOR_CNT_L, 0xFF,
+ (u8) page_cnt);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_SECTOR_CNT_H, 0xFF, 0);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TPC, 0xFF, READ_PAGE_DATA);
+
+ rts51x_trans_dma_enable(DMA_FROM_DEVICE, chip, 512 * page_cnt, DMA_512);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANSFER, 0xFF,
+ MS_TRANSFER_START | MS_TM_MULTI_READ);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, MS_TRANSFER, MS_TRANSFER_END,
+ MS_TRANSFER_END);
+
+ retval = rts51x_send_cmd(chip, MODE_CDIR | STAGE_MS_STATUS, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval =
+ rts51x_transfer_data_partial(chip, RCV_BULK_PIPE(chip), (void *)buf,
+ ptr, offset, 512 * page_cnt,
+ scsi_sg_count(chip->srb), NULL, 2000);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_clear_ms_error(chip);
+ if (retval == STATUS_TIMEDOUT)
+ TRACE_RET(chip, retval);
+ TRACE_GOTO(chip, Fail);
+ }
+ retval = rts51x_get_rsp(chip, 3, 200);
+ if (CHECK_MS_TRANS_FAIL(chip, retval)) {
+ rts51x_clear_ms_error(chip);
+ if (retval == STATUS_TIMEDOUT)
+ TRACE_RET(chip, retval);
+ TRACE_GOTO(chip, Fail);
+ }
+
+ return STATUS_SUCCESS;
+
+Fail:
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, READ_REG_CMD, MS_SECTOR_CNT_L, 0, 0);
+
+ retval = rts51x_send_cmd(chip, MODE_CR | STAGE_MS_STATUS, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = rts51x_get_rsp(chip, 3, 200);
+
+ if (CHECK_MS_TRANS_FAIL(chip, retval))
+ TRACE_RET(chip, STATUS_FAIL);
+
+ sec_cnt = chip->rsp_buf[0];
+ RTS51X_DEBUGP("%d pages need be transferred, %d pages remained\n",
+ (int)page_cnt, (int)sec_cnt);
+ page_addr = start_page + (page_cnt - sec_cnt);
+
+ if (CHK_MS4BIT(ms_card)) {
+ val1 = chip->rsp_buf[1];
+ RTS51X_DEBUGP("MS_TRANS_CFG: 0x%x\n", val1);
+ } else {
+ val1 = 0;
+ }
+
+ val2 = chip->rsp_buf[2];
+ RTS51X_DEBUGP("GET_INT: 0x%x\n", val2);
+
+ if ((val1 & INT_CMDNK) || (val2 & INT_REG_CMDNK)) {
+ ms_set_err_code(chip, MS_CMD_NK);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ if ((val1 & INT_ERR) || (val2 & INT_REG_ERR)) {
+ if ((val1 & INT_BREQ) || (val2 & INT_REG_BREQ)) {
+ retval = ms_read_status_reg(chip);
+ if (retval != STATUS_SUCCESS) {
+ if (!(chip->card_wp & MS_CARD)) {
+ reset_ms(chip);
+ ms_set_page_status(log_blk, setPS_NG,
+ extra, MS_EXTRA_SIZE);
+ ms_write_extra_data(chip, phy_blk,
+ page_addr, extra,
+ MS_EXTRA_SIZE);
+ }
+ ms_set_err_code(chip, MS_FLASH_READ_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ } else {
+ ms_set_err_code(chip, MS_FLASH_READ_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ } else {
+ if (CHK_MS4BIT(ms_card)) {
+ if (!(val1 & INT_BREQ) && !(val2 & INT_REG_BREQ)) {
+ ms_set_err_code(chip, MS_BREQ_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ } else {
+ if (!(val2 & INT_REG_BREQ)) {
+ ms_set_err_code(chip, MS_BREQ_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+ }
+
+ TRACE_RET(chip, STATUS_FAIL);
+}
+
+static int ms_write_multiple_pages(struct rts51x_chip *chip, u16 old_blk,
+ u16 new_blk, u16 log_blk, u8 start_page,
+ u8 end_page, u8 *buf, void **ptr,
+ unsigned int *offset)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval, i;
+ int send_blkend;
+ u8 val, data[16];
+ u8 page_cnt = end_page - start_page;
+
+ if ((end_page == (ms_card->page_off + 1)) || (page_cnt == 1))
+ send_blkend = 0;
+ else
+ send_blkend = 1;
+
+ if (!start_page) {
+ if (CHK_MS4BIT(ms_card)) {
+ /* Parallel interface */
+ data[0] = 0x88;
+ } else {
+ /* Serial interface */
+ data[0] = 0x80;
+ }
+ /* Block Address */
+ data[1] = 0;
+ data[2] = (u8) (old_blk >> 8);
+ data[3] = (u8) old_blk;
+ data[4] = 0x80;
+ data[5] = 0;
+ data[6] = 0xEF;
+ data[7] = 0xFF;
+
+ retval =
+ ms_auto_set_cmd(chip, OverwriteFlag, MS_EXTRA_SIZE,
+ SystemParm, 7, BLOCK_WRITE, WAIT_INT, data,
+ 7, &val);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+
+ retval =
+ ms_set_rw_reg_addr(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm,
+ (6 + MS_EXTRA_SIZE));
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ ms_set_err_code(chip, MS_NO_ERROR);
+
+ if (CHK_MS4BIT(ms_card)) {
+ /* Parallel interface */
+ data[0] = 0x88;
+ } else {
+ /* Serial interface */
+ data[0] = 0x80;
+ }
+ /* Block Address */
+ data[1] = 0;
+ data[2] = (u8) (new_blk >> 8);
+ data[3] = (u8) new_blk;
+ /* Page Number
+ * Extra data access mode */
+ if (page_cnt == 1) {
+ /* Single page access mode */
+ data[4] = 0x20;
+ } else {
+ /* Block access mode */
+ data[4] = 0;
+ }
+ data[5] = start_page;
+ data[6] = 0xF8;
+ data[7] = 0xFF;
+ data[8] = (u8) (log_blk >> 8);
+ data[9] = (u8) log_blk;
+
+ for (i = 0x0A; i < 0x10; i++) {
+ /* ECC */
+ data[i] = 0xFF;
+ }
+
+ retval =
+ ms_auto_set_cmd(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm,
+ (6 + MS_EXTRA_SIZE), BLOCK_WRITE, WAIT_INT, data,
+ 16, &val);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ rts51x_init_cmd(chip);
+
+ if (send_blkend)
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_BLKEND, SET_BLKEND,
+ SET_BLKEND);
+ else
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_BLKEND, SET_BLKEND, 0);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANS_CFG, WAIT_INT,
+ NO_WAIT_INT);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_SECTOR_CNT_L, 0xFF,
+ (u8) page_cnt);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_SECTOR_CNT_H, 0xFF, 0);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TPC, 0xFF, WRITE_PAGE_DATA);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01,
+ RING_BUFFER);
+
+ rts51x_trans_dma_enable(DMA_TO_DEVICE, chip, 512 * page_cnt, DMA_512);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANSFER, 0xFF,
+ MS_TRANSFER_START | MS_TM_MULTI_WRITE);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, MS_TRANSFER, MS_TRANSFER_END,
+ MS_TRANSFER_END);
+
+ retval = rts51x_send_cmd(chip, MODE_CDOR | STAGE_MS_STATUS, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval =
+ rts51x_transfer_data_partial(chip, SND_BULK_PIPE(chip), (void *)buf,
+ ptr, offset, 512 * page_cnt,
+ scsi_sg_count(chip->srb), NULL, 2000);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_clear_ms_error(chip);
+ TRACE_RET(chip, retval);
+ }
+
+ retval = rts51x_get_rsp(chip, 3, 2000);
+
+
+ if (CHECK_MS_TRANS_FAIL(chip, retval)) {
+ rts51x_clear_ms_error(chip);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+#else
+
+static int ms_read_multiple_pages(struct rts51x_chip *chip, u16 phy_blk,
+ u16 log_blk, u8 start_page, u8 end_page,
+ u8 *buf, void **ptr, unsigned int *offset)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval, i;
+ u8 extra[MS_EXTRA_SIZE], page_addr, val, trans_cfg, data[6];
+
+ retval =
+ ms_read_extra_data(chip, phy_blk, start_page, extra, MS_EXTRA_SIZE);
+ if (retval == STATUS_SUCCESS) {
+ if ((extra[1] & 0x30) != 0x30) {
+ ms_set_err_code(chip, MS_FLASH_READ_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+
+ retval =
+ ms_set_rw_reg_addr(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm,
+ 6);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ /* Write REG */
+ if (CHK_MS4BIT(ms_card)) {
+ /* Parallel interface */
+ data[0] = 0x88;
+ } else {
+ /* Serial interface */
+ data[0] = 0x80;
+ }
+ /* Block Address */
+ data[1] = 0;
+ data[2] = (u8) (phy_blk >> 8);
+ data[3] = (u8) phy_blk;
+ /* Page Number
+ * Extra data access mode */
+ data[4] = 0;
+ data[5] = start_page;
+
+ for (i = 0; i < MS_MAX_RETRY_COUNT; i++) {
+ retval =
+ ms_write_bytes(chip, WRITE_REG, 6, NO_WAIT_INT, data, 6);
+ if (retval == STATUS_SUCCESS)
+ break;
+ }
+ if (i == MS_MAX_RETRY_COUNT)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ ms_set_err_code(chip, MS_NO_ERROR);
+
+ retval = ms_send_cmd(chip, BLOCK_READ, WAIT_INT);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ for (page_addr = start_page; page_addr < end_page; page_addr++) {
+ ms_set_err_code(chip, MS_NO_ERROR);
+
+ if (monitor_card_cd(chip, MS_CARD) == CD_NOT_EXIST) {
+ ms_set_err_code(chip, MS_NO_CARD);
+ chip->card_exist &= ~MS_CARD;
+ chip->card_ready &= ~MS_CARD;
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ /* GET_INT Register */
+ retval = ms_read_bytes(chip, GET_INT, 1, NO_WAIT_INT, &val, 1);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ if (val & INT_REG_CMDNK) {
+ ms_set_err_code(chip, MS_CMD_NK);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ if (val & INT_REG_ERR) {
+ if (val & INT_REG_BREQ) {
+ retval = ms_read_status_reg(chip);
+ if (retval != STATUS_SUCCESS) {
+ if (!(chip->card_wp & MS_CARD)) {
+ reset_ms(chip);
+ ms_set_page_status(log_blk,
+ setPS_NG, extra,
+ MS_EXTRA_SIZE);
+ ms_write_extra_data(chip,
+ phy_blk, page_addr,
+ extra, MS_EXTRA_SIZE);
+ }
+ ms_set_err_code(chip,
+ MS_FLASH_READ_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ } else {
+ ms_set_err_code(chip, MS_FLASH_READ_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ } else {
+ if (!(val & INT_REG_BREQ)) {
+ ms_set_err_code(chip, MS_BREQ_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+
+ if (page_addr == (end_page - 1)) {
+ if (!(val & INT_REG_CED)) {
+ retval = ms_send_cmd(chip, BLOCK_END, WAIT_INT);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+ retval =
+ ms_read_bytes(chip, GET_INT, 1, NO_WAIT_INT, &val,
+ 1);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ if (!(val & INT_REG_CED)) {
+ ms_set_err_code(chip, MS_FLASH_READ_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ trans_cfg = NO_WAIT_INT;
+ } else {
+ trans_cfg = WAIT_INT;
+ }
+
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TPC, 0xFF,
+ READ_PAGE_DATA);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANS_CFG, 0xFF,
+ trans_cfg);
+
+ rts51x_trans_dma_enable(DMA_FROM_DEVICE, chip, 512, DMA_512);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANSFER, 0xFF,
+ MS_TRANSFER_START | MS_TM_NORMAL_READ);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, MS_TRANSFER,
+ MS_TRANSFER_END, MS_TRANSFER_END);
+
+ retval = rts51x_send_cmd(chip, MODE_CDIR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval =
+ rts51x_transfer_data_partial(chip, RCV_BULK_PIPE(chip),
+ (void *)buf, ptr, offset, 512,
+ scsi_sg_count(chip->srb), NULL,
+ 2000);
+ if (retval != STATUS_SUCCESS) {
+ if (retval == STATUS_TIMEDOUT) {
+ ms_set_err_code(chip, MS_TO_ERROR);
+ rts51x_clear_ms_error(chip);
+ TRACE_RET(chip, retval);
+ }
+
+ retval =
+ rts51x_ep0_read_register(chip, MS_TRANS_CFG, &val);
+ if (retval != STATUS_SUCCESS) {
+ ms_set_err_code(chip, MS_TO_ERROR);
+ rts51x_clear_ms_error(chip);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ if (val & (MS_CRC16_ERR | MS_RDY_TIMEOUT)) {
+ ms_set_err_code(chip, MS_CRC16_ERROR);
+ rts51x_clear_ms_error(chip);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+
+ retval = rts51x_get_rsp(chip, 1, 2000);
+ if (CHECK_MS_TRANS_FAIL(chip, retval)) {
+ if (retval == STATUS_TIMEDOUT) {
+ ms_set_err_code(chip, MS_TO_ERROR);
+ rts51x_clear_ms_error(chip);
+ TRACE_RET(chip, retval);
+ }
+
+ retval =
+ rts51x_ep0_read_register(chip, MS_TRANS_CFG, &val);
+ if (retval != STATUS_SUCCESS) {
+ ms_set_err_code(chip, MS_TO_ERROR);
+ rts51x_clear_ms_error(chip);
+ TRACE_RET(chip, retval);
+ }
+ if (val & (MS_CRC16_ERR | MS_RDY_TIMEOUT)) {
+ ms_set_err_code(chip, MS_CRC16_ERROR);
+ rts51x_clear_ms_error(chip);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int ms_write_multiple_pages(struct rts51x_chip *chip, u16 old_blk,
+ u16 new_blk, u16 log_blk, u8 start_page,
+ u8 end_page, u8 *buf, void **ptr,
+ unsigned int *offset)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval, i;
+ u8 page_addr, val, data[16];
+
+ if (!start_page) {
+ retval =
+ ms_set_rw_reg_addr(chip, OverwriteFlag, MS_EXTRA_SIZE,
+ SystemParm, 7);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (CHK_MS4BIT(ms_card)) {
+ /* Parallel interface */
+ data[0] = 0x88;
+ } else {
+ /* Serial interface */
+ data[0] = 0x80;
+ }
+ /* Block Address */
+ data[1] = 0;
+ data[2] = (u8) (old_blk >> 8);
+ data[3] = (u8) old_blk;
+ data[4] = 0x80;
+ data[5] = 0;
+ data[6] = 0xEF;
+ data[7] = 0xFF;
+
+ retval =
+ ms_write_bytes(chip, WRITE_REG, 7, NO_WAIT_INT, data, 8);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = ms_send_cmd(chip, BLOCK_WRITE, WAIT_INT);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ /* GET_INT Register */
+ ms_set_err_code(chip, MS_NO_ERROR);
+ retval =
+ ms_transfer_tpc(chip, MS_TM_READ_BYTES, GET_INT, 1,
+ NO_WAIT_INT);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+
+ retval =
+ ms_set_rw_reg_addr(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm,
+ (6 + MS_EXTRA_SIZE));
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ ms_set_err_code(chip, MS_NO_ERROR);
+
+ if (CHK_MS4BIT(ms_card)) {
+ /* Parallel interface */
+ data[0] = 0x88;
+ } else {
+ /* Serial interface */
+ data[0] = 0x80;
+ }
+ /* Block Address */
+ data[1] = 0;
+ data[2] = (u8) (new_blk >> 8);
+ data[3] = (u8) new_blk;
+ /* Page Number
+ * Extra data access mode */
+ if ((end_page - start_page) == 1) {
+ /* Single page access mode */
+ data[4] = 0x20;
+ } else {
+ /* Block access mode */
+ data[4] = 0;
+ }
+ data[5] = start_page;
+ data[6] = 0xF8;
+ data[7] = 0xFF;
+ data[8] = (u8) (log_blk >> 8);
+ data[9] = (u8) log_blk;
+
+ for (i = 0x0A; i < 0x10; i++) {
+ /* ECC */
+ data[i] = 0xFF;
+ }
+
+ for (i = 0; i < MS_MAX_RETRY_COUNT; i++) {
+ retval =
+ ms_write_bytes(chip, WRITE_REG, 6 + MS_EXTRA_SIZE,
+ NO_WAIT_INT, data, 16);
+ if (retval == STATUS_SUCCESS)
+ break;
+ }
+ if (i == MS_MAX_RETRY_COUNT)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ for (i = 0; i < MS_MAX_RETRY_COUNT; i++) {
+ retval = ms_send_cmd(chip, BLOCK_WRITE, WAIT_INT);
+ if (retval == STATUS_SUCCESS)
+ break;
+ }
+ if (i == MS_MAX_RETRY_COUNT)
+ TRACE_RET(chip, STATUS_FAIL);
+ /* GET_INT Register */
+ retval = ms_read_bytes(chip, GET_INT, 1, NO_WAIT_INT, &val, 1);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ for (page_addr = start_page; page_addr < end_page; page_addr++) {
+ ms_set_err_code(chip, MS_NO_ERROR);
+
+ if (monitor_card_cd(chip, MS_CARD) == CD_NOT_EXIST) {
+ ms_set_err_code(chip, MS_NO_CARD);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ if (val & INT_REG_CMDNK) {
+ ms_set_err_code(chip, MS_CMD_NK);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ if (val & INT_REG_ERR) {
+ ms_set_err_code(chip, MS_FLASH_WRITE_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ if (!(val & INT_REG_BREQ)) {
+ ms_set_err_code(chip, MS_BREQ_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ udelay(30);
+
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TPC, 0xFF,
+ WRITE_PAGE_DATA);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANS_CFG, 0xFF,
+ WAIT_INT);
+
+ rts51x_trans_dma_enable(DMA_TO_DEVICE, chip, 512, DMA_512);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANSFER, 0xFF,
+ MS_TRANSFER_START | MS_TM_NORMAL_WRITE);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, MS_TRANSFER,
+ MS_TRANSFER_END, MS_TRANSFER_END);
+
+ retval = rts51x_send_cmd(chip, MODE_CDOR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval =
+ rts51x_transfer_data_partial(chip, SND_BULK_PIPE(chip),
+ (void *)buf, ptr, offset, 512,
+ scsi_sg_count(chip->srb), NULL,
+ 2000);
+ if (retval != STATUS_SUCCESS) {
+ ms_set_err_code(chip, MS_TO_ERROR);
+ rts51x_clear_ms_error(chip);
+
+ if (retval == STATUS_TIMEDOUT)
+ TRACE_RET(chip, STATUS_TIMEDOUT);
+ else
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ retval = rts51x_get_rsp(chip, 1, 2000);
+ if (CHECK_MS_TRANS_FAIL(chip, retval)) {
+ ms_set_err_code(chip, MS_TO_ERROR);
+ rts51x_clear_ms_error(chip);
+
+ if (retval == STATUS_TIMEDOUT)
+ TRACE_RET(chip, STATUS_TIMEDOUT);
+ else
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ /* GET_INT Register */
+ retval = ms_read_bytes(chip, GET_INT, 1, NO_WAIT_INT, &val, 1);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if ((end_page - start_page) == 1) {
+ if (!(val & INT_REG_CED)) {
+ /* Command can not be executed */
+ ms_set_err_code(chip, MS_FLASH_WRITE_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ } else {
+ if (page_addr == (end_page - 1)) {
+ if (!(val & INT_REG_CED)) {
+ retval =
+ ms_send_cmd(chip, BLOCK_END,
+ WAIT_INT);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+ /* GET_INT Register */
+ retval =
+ ms_read_bytes(chip, GET_INT, 1, NO_WAIT_INT,
+ &val, 1);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+
+ if ((page_addr == (end_page - 1))
+ || (page_addr == ms_card->page_off)) {
+ if (!(val & INT_REG_CED)) {
+ ms_set_err_code(chip,
+ MS_FLASH_WRITE_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+ }
+ }
+
+ return STATUS_SUCCESS;
+}
+#endif
+
+static int ms_finish_write(struct rts51x_chip *chip, u16 old_blk, u16 new_blk,
+ u16 log_blk, u8 page_off)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval, seg_no;
+
+#ifdef MS_SPEEDUP
+ retval = ms_auto_copy_page(chip, old_blk, new_blk, log_blk,
+ page_off, ms_card->page_off + 1);
+#else
+ retval = ms_copy_page(chip, old_blk, new_blk, log_blk,
+ page_off, ms_card->page_off + 1);
+#endif
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ seg_no = old_blk >> 9;
+
+ if (MS_TST_BAD_BLOCK_FLG(ms_card)) {
+ MS_CLR_BAD_BLOCK_FLG(ms_card);
+ ms_set_bad_block(chip, old_blk);
+ } else {
+ retval = ms_erase_block(chip, old_blk);
+ if (retval == STATUS_SUCCESS)
+ ms_set_unused_block(chip, old_blk);
+ }
+
+ ms_set_l2p_tbl(chip, seg_no, log_blk - ms_start_idx[seg_no], new_blk);
+
+ return STATUS_SUCCESS;
+}
+
+static int ms_prepare_write(struct rts51x_chip *chip, u16 old_blk, u16 new_blk,
+ u16 log_blk, u8 start_page)
+{
+ int retval;
+
+ if (start_page) {
+#ifdef MS_SPEEDUP
+ retval =
+ ms_auto_copy_page(chip, old_blk, new_blk, log_blk, 0,
+ start_page);
+#else
+ retval =
+ ms_copy_page(chip, old_blk, new_blk, log_blk, 0,
+ start_page);
+#endif
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_ms_delay_write(struct rts51x_chip *chip)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ struct rts51x_ms_delay_write_tag *delay_write = &(ms_card->delay_write);
+ int retval;
+
+ if (delay_write->delay_write_flag) {
+ retval = ms_set_init_para(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ delay_write->delay_write_flag = 0;
+ retval = ms_finish_write(chip,
+ delay_write->old_phyblock,
+ delay_write->new_phyblock,
+ delay_write->logblock,
+ delay_write->pageoff);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static inline void rts51x_ms_rw_fail(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ if (srb->sc_data_direction == DMA_FROM_DEVICE)
+ rts51x_set_sense_type(chip, SCSI_LUN(srb),
+ SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR);
+ else
+ rts51x_set_sense_type(chip, SCSI_LUN(srb), SENSE_TYPE_MEDIA_WRITE_ERR);
+}
+
+static int rts51x_ms_rw_multi_sector(struct scsi_cmnd *srb, struct rts51x_chip *chip,
+ u32 start_sector, u16 sector_cnt)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ unsigned int lun = SCSI_LUN(srb);
+ int retval, seg_no;
+ unsigned int offset = 0;
+ u16 old_blk = 0, new_blk = 0, log_blk, total_sec_cnt = sector_cnt;
+ u8 start_page, end_page = 0, page_cnt;
+ u8 *buf;
+ void *ptr = NULL;
+ struct rts51x_ms_delay_write_tag *delay_write = &(ms_card->delay_write);
+
+ ms_set_err_code(chip, MS_NO_ERROR);
+
+ ms_card->counter = 0;
+
+ buf = (u8 *) scsi_sglist(srb);
+
+ retval = ms_switch_clock(chip);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_ms_rw_fail(srb, chip);
+ TRACE_RET(chip, retval);
+ }
+
+ log_blk = (u16) (start_sector >> ms_card->block_shift);
+ start_page = (u8) (start_sector & ms_card->page_off);
+
+ for (seg_no = 0; seg_no < ARRAY_SIZE(ms_start_idx) - 1; seg_no++) {
+ if (log_blk < ms_start_idx[seg_no + 1])
+ break;
+ }
+
+ if (ms_card->segment[seg_no].build_flag == 0) {
+ retval = ms_build_l2p_tbl(chip, seg_no);
+ if (retval != STATUS_SUCCESS) {
+ chip->card_fail |= MS_CARD;
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT);
+ TRACE_RET(chip, retval);
+ }
+ }
+
+ if (srb->sc_data_direction == DMA_TO_DEVICE) {
+ if (delay_write->delay_write_flag &&
+ (delay_write->logblock == log_blk) &&
+ (start_page > delay_write->pageoff)) {
+ delay_write->delay_write_flag = 0;
+#ifdef MS_SPEEDUP
+ retval = ms_auto_copy_page(chip,
+ delay_write->old_phyblock,
+ delay_write->new_phyblock,
+ log_blk,
+ delay_write->pageoff,
+ start_page);
+#else
+ retval = ms_copy_page(chip,
+ delay_write->old_phyblock,
+ delay_write->new_phyblock,
+ log_blk, delay_write->pageoff,
+ start_page);
+#endif
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_WRITE_ERR);
+ TRACE_RET(chip, retval);
+ }
+ old_blk = delay_write->old_phyblock;
+ new_blk = delay_write->new_phyblock;
+ } else if (delay_write->delay_write_flag &&
+ (delay_write->logblock == log_blk) &&
+ (start_page == delay_write->pageoff)) {
+ delay_write->delay_write_flag = 0;
+ old_blk = delay_write->old_phyblock;
+ new_blk = delay_write->new_phyblock;
+ } else {
+ retval = rts51x_ms_delay_write(chip);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_WRITE_ERR);
+ TRACE_RET(chip, retval);
+ }
+ old_blk =
+ ms_get_l2p_tbl(chip, seg_no,
+ log_blk - ms_start_idx[seg_no]);
+ new_blk = ms_get_unused_block(chip, seg_no);
+ if ((old_blk == 0xFFFF) || (new_blk == 0xFFFF)) {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_WRITE_ERR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ retval =
+ ms_prepare_write(chip, old_blk, new_blk, log_blk,
+ start_page);
+ if (retval != STATUS_SUCCESS) {
+ if (monitor_card_cd(chip, MS_CARD) ==
+ CD_NOT_EXIST) {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_NOT_PRESENT);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_WRITE_ERR);
+ TRACE_RET(chip, retval);
+ }
+ }
+ } else {
+ retval = rts51x_ms_delay_write(chip);
+ if (retval != STATUS_SUCCESS) {
+ if (monitor_card_cd(chip, MS_CARD) == CD_NOT_EXIST) {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_NOT_PRESENT);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR);
+ TRACE_RET(chip, retval);
+ }
+ old_blk =
+ ms_get_l2p_tbl(chip, seg_no,
+ log_blk - ms_start_idx[seg_no]);
+ if (old_blk == 0xFFFF) {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+
+ RTS51X_DEBUGP("seg_no = %d, old_blk = 0x%x, new_blk = 0x%x\n", seg_no,
+ old_blk, new_blk);
+
+ while (total_sec_cnt) {
+ if ((start_page + total_sec_cnt) > (ms_card->page_off + 1))
+ end_page = ms_card->page_off + 1;
+ else
+ end_page = start_page + (u8) total_sec_cnt;
+ page_cnt = end_page - start_page;
+
+ RTS51X_DEBUGP("start_page = %d, end_page = %d, page_cnt = %d\n",
+ start_page, end_page, page_cnt);
+
+ if (srb->sc_data_direction == DMA_FROM_DEVICE)
+ retval = ms_read_multiple_pages(chip,
+ old_blk, log_blk,
+ start_page, end_page,
+ buf, &ptr, &offset);
+ else
+ retval = ms_write_multiple_pages(chip, old_blk,
+ new_blk, log_blk,
+ start_page, end_page,
+ buf, &ptr, &offset);
+
+ if (retval != STATUS_SUCCESS) {
+ if (monitor_card_cd(chip, MS_CARD) == CD_NOT_EXIST) {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_NOT_PRESENT);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ rts51x_ms_rw_fail(srb, chip);
+ TRACE_RET(chip, retval);
+ }
+ /* Update L2P table if need */
+ if (srb->sc_data_direction == DMA_TO_DEVICE) {
+ if (end_page == (ms_card->page_off + 1)) {
+ retval = ms_erase_block(chip, old_blk);
+ if (retval == STATUS_SUCCESS)
+ ms_set_unused_block(chip, old_blk);
+ ms_set_l2p_tbl(chip, seg_no,
+ log_blk - ms_start_idx[seg_no],
+ new_blk);
+ }
+ }
+
+ total_sec_cnt -= page_cnt;
+
+ if (total_sec_cnt == 0)
+ break;
+
+ log_blk++;
+
+ for (seg_no = 0; seg_no < ARRAY_SIZE(ms_start_idx) - 1;
+ seg_no++) {
+ if (log_blk < ms_start_idx[seg_no + 1])
+ break;
+ }
+
+ if (ms_card->segment[seg_no].build_flag == 0) {
+ retval = ms_build_l2p_tbl(chip, seg_no);
+ if (retval != STATUS_SUCCESS) {
+ chip->card_fail |= MS_CARD;
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_NOT_PRESENT);
+ TRACE_RET(chip, retval);
+ }
+ }
+
+ old_blk =
+ ms_get_l2p_tbl(chip, seg_no,
+ log_blk - ms_start_idx[seg_no]);
+ if (old_blk == 0xFFFF) {
+ rts51x_ms_rw_fail(srb, chip);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ if (srb->sc_data_direction == DMA_TO_DEVICE) {
+ new_blk = ms_get_unused_block(chip, seg_no);
+ if (new_blk == 0xFFFF) {
+ rts51x_ms_rw_fail(srb, chip);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+
+ RTS51X_DEBUGP("seg_no = %d, old_blk = 0x%x, new_blk = 0x%x\n",
+ seg_no, old_blk, new_blk);
+
+ start_page = 0;
+ }
+
+ if (srb->sc_data_direction == DMA_TO_DEVICE) {
+ if (end_page < (ms_card->page_off + 1)) {
+ delay_write->delay_write_flag = 1;
+ delay_write->old_phyblock = old_blk;
+ delay_write->new_phyblock = new_blk;
+ delay_write->logblock = log_blk;
+ delay_write->pageoff = end_page;
+ }
+ }
+
+ scsi_set_resid(srb, 0);
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_ms_rw(struct scsi_cmnd *srb, struct rts51x_chip *chip, u32 start_sector,
+ u16 sector_cnt)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval;
+
+ if (CHK_MSPRO(ms_card))
+ retval =
+ mspro_rw_multi_sector(srb, chip, start_sector, sector_cnt);
+ else
+ retval =
+ rts51x_ms_rw_multi_sector(srb, chip, start_sector, sector_cnt);
+
+ return retval;
+}
+
+void rts51x_ms_free_l2p_tbl(struct rts51x_chip *chip)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int i = 0;
+
+ if (ms_card->segment != NULL) {
+ for (i = 0; i < ms_card->segment_cnt; i++) {
+ if (ms_card->segment[i].l2p_table != NULL) {
+ vfree(ms_card->segment[i].l2p_table);
+ ms_card->segment[i].l2p_table = NULL;
+ }
+ if (ms_card->segment[i].free_table != NULL) {
+ vfree(ms_card->segment[i].free_table);
+ ms_card->segment[i].free_table = NULL;
+ }
+ }
+ vfree(ms_card->segment);
+ ms_card->segment = NULL;
+ }
+}
+
+void rts51x_ms_cleanup_work(struct rts51x_chip *chip)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+
+ if (CHK_MSPRO(ms_card)) {
+ if (ms_card->seq_mode) {
+ RTS51X_DEBUGP("MS Pro: stop transmission\n");
+ mspro_stop_seq_mode(chip);
+ ms_card->counter = 0;
+ }
+ if (CHK_MSHG(ms_card)) {
+ u8 value;
+ rts51x_read_register(chip, MS_CFG, &value);
+ if (value & MS_2K_SECTOR_MODE)
+ rts51x_write_register(chip, MS_CFG,
+ MS_2K_SECTOR_MODE, 0x00);
+ }
+ } else if ((!CHK_MSPRO(ms_card))
+ && ms_card->delay_write.delay_write_flag) {
+ RTS51X_DEBUGP("MS: delay write\n");
+ rts51x_ms_delay_write(chip);
+ ms_card->counter = 0;
+ }
+}
+
+static int ms_power_off_card3v3(struct rts51x_chip *chip)
+{
+ int retval;
+
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_CLK_EN, MS_CLK_EN, 0);
+ if (chip->asic_code)
+ ms_pull_ctl_disable(chip);
+ else
+ rts51x_add_cmd(chip, WRITE_REG_CMD, FPGA_PULL_CTL,
+ FPGA_MS_PULL_CTL_BIT | 0x20,
+ FPGA_MS_PULL_CTL_BIT);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_OE, MS_OUTPUT_EN, 0);
+ if (!chip->option.FT2_fast_mode) {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL, POWER_MASK,
+ POWER_OFF);
+ }
+
+ retval = rts51x_send_cmd(chip, MODE_C, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_release_ms_card(struct rts51x_chip *chip)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval;
+
+ RTS51X_DEBUGP("rts51x_release_ms_card\n");
+
+ ms_card->delay_write.delay_write_flag = 0;
+ ms_card->pro_under_formatting = 0;
+
+ chip->card_ready &= ~MS_CARD;
+ chip->card_fail &= ~MS_CARD;
+ chip->card_wp &= ~MS_CARD;
+
+ rts51x_ms_free_l2p_tbl(chip);
+
+ rts51x_write_register(chip, SFSM_ED, HW_CMD_STOP, HW_CMD_STOP);
+
+ memset(ms_card->raw_sys_info, 0, 96);
+#ifdef SUPPORT_PCGL_1P18
+ memset(ms_card->raw_model_name, 0, 48);
+#endif
+
+ retval = ms_power_off_card3v3(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ return STATUS_SUCCESS;
+}
diff --git a/drivers/staging/rts5139/ms.h b/drivers/staging/rts5139/ms.h
new file mode 100644
index 000000000000..857c1974ef24
--- /dev/null
+++ b/drivers/staging/rts5139/ms.h
@@ -0,0 +1,261 @@
+/* Driver for Realtek RTS51xx USB card reader
+ * Header file
+ *
+ * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author:
+ * wwang (wei_wang(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ * Maintainer:
+ * Edwin Rong (edwin_rong(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ */
+
+#ifndef __RTS51X_MS_H
+#define __RTS51X_MS_H
+
+#include "rts51x_chip.h"
+
+#define MS_MAX_RETRY_COUNT 3
+
+#define MS_EXTRA_SIZE 0x9
+
+#define WRT_PRTCT 0x01
+
+/* Error Code */
+#define MS_NO_ERROR 0x00
+#define MS_CRC16_ERROR 0x80
+#define MS_TO_ERROR 0x40
+#define MS_NO_CARD 0x20
+#define MS_NO_MEMORY 0x10
+#define MS_CMD_NK 0x08
+#define MS_FLASH_READ_ERROR 0x04
+#define MS_FLASH_WRITE_ERROR 0x02
+#define MS_BREQ_ERROR 0x01
+#define MS_NOT_FOUND 0x03
+
+/* Transfer Protocol Command */
+#define READ_PAGE_DATA 0x02
+#define READ_REG 0x04
+#define GET_INT 0x07
+#define WRITE_PAGE_DATA 0x0D
+#define WRITE_REG 0x0B
+#define SET_RW_REG_ADRS 0x08
+#define SET_CMD 0x0E
+
+#define PRO_READ_LONG_DATA 0x02
+#define PRO_READ_SHORT_DATA 0x03
+#define PRO_READ_REG 0x04
+#define PRO_READ_QUAD_DATA 0x05
+#define PRO_GET_INT 0x07
+#define PRO_WRITE_LONG_DATA 0x0D
+#define PRO_WRITE_SHORT_DATA 0x0C
+#define PRO_WRITE_QUAD_DATA 0x0A
+#define PRO_WRITE_REG 0x0B
+#define PRO_SET_RW_REG_ADRS 0x08
+#define PRO_SET_CMD 0x0E
+#define PRO_EX_SET_CMD 0x09
+
+#ifdef SUPPORT_MAGIC_GATE
+#define MG_GET_ID 0x40
+#define MG_SET_LID 0x41
+#define MG_GET_LEKB 0x42
+#define MG_SET_RD 0x43
+#define MG_MAKE_RMS 0x44
+#define MG_MAKE_KSE 0x45
+#define MG_SET_IBD 0x46
+#define MG_GET_IBD 0x47
+#endif
+
+#ifdef XC_POWERCLASS
+#define XC_CHG_POWER 0x16
+#endif
+
+/* ++ CMD over Memory Stick */
+/* Flash CMD */
+#define BLOCK_READ 0xAA
+#define BLOCK_WRITE 0x55
+#define BLOCK_END 0x33
+#define BLOCK_ERASE 0x99
+#define FLASH_STOP 0xCC
+
+/* Function CMD */
+#define SLEEP 0x5A
+#define CLEAR_BUF 0xC3
+#define MS_RESET 0x3C
+/* -- CMD over Memory Stick */
+
+/* ++ CMD over Memory Stick Pro */
+/* Flash CMD */
+#define PRO_READ_DATA 0x20
+#define PRO_WRITE_DATA 0x21
+#define PRO_READ_ATRB 0x24
+#define PRO_STOP 0x25
+#define PRO_ERASE 0x26
+#define PRO_READ_2K_DATA 0x27
+#define PRO_WRITE_2K_DATA 0x28
+
+/* Function CMD */
+#define PRO_FORMAT 0x10
+#define PRO_SLEEP 0x11
+/* -- CMD over Memory Stick Pro */
+
+/* register inside memory stick */
+#define IntReg 0x01
+#define StatusReg0 0x02
+#define StatusReg1 0x03
+
+#define SystemParm 0x10
+#define BlockAdrs 0x11
+#define CMDParm 0x14
+#define PageAdrs 0x15
+
+#define OverwriteFlag 0x16
+#define ManagemenFlag 0x17
+#define LogicalAdrs 0x18
+#define ReserveArea 0x1A
+
+/* register inside memory pro */
+#define Pro_IntReg 0x01
+#define Pro_StatusReg 0x02
+#define Pro_TypeReg 0x04
+#define Pro_IFModeReg 0x05
+#define Pro_CatagoryReg 0x06
+#define Pro_ClassReg 0x07
+
+#define Pro_SystemParm 0x10
+#define Pro_DataCount1 0x11
+#define Pro_DataCount0 0x12
+#define Pro_DataAddr3 0x13
+#define Pro_DataAddr2 0x14
+#define Pro_DataAddr1 0x15
+#define Pro_DataAddr0 0x16
+
+#define Pro_TPCParm 0x17
+#define Pro_CMDParm 0x18
+
+/* define for INT Register */
+#define INT_REG_CED 0x80
+#define INT_REG_ERR 0x40
+#define INT_REG_BREQ 0x20
+#define INT_REG_CMDNK 0x01
+
+/* INT signal */
+#define INT_CED 0x01
+#define INT_ERR 0x02
+#define INT_BREQ 0x04
+#define INT_CMDNK 0x08
+
+/* define for OverwriteFlag Register */
+#define BLOCK_BOOT 0xC0
+#define BLOCK_OK 0x80
+#define PAGE_OK 0x60
+#define DATA_COMPL 0x10
+
+/* define for ManagemenFlag Register */
+#define NOT_BOOT_BLOCK 0x4
+#define NOT_TRANSLATION_TABLE 0x8
+
+/* Header */
+#define HEADER_ID0 (PPBUF_BASE2) /* 0 */
+#define HEADER_ID1 (PPBUF_BASE2 + 1) /* 1 */
+/* System Entry */
+#define DISABLED_BLOCK0 (PPBUF_BASE2 + 0x170 + 4) /* 2 */
+#define DISABLED_BLOCK1 (PPBUF_BASE2 + 0x170 + 5) /* 3 */
+#define DISABLED_BLOCK2 (PPBUF_BASE2 + 0x170 + 6) /* 4 */
+#define DISABLED_BLOCK3 (PPBUF_BASE2 + 0x170 + 7) /* 5 */
+/* Boot & Attribute Information */
+#define BLOCK_SIZE_0 (PPBUF_BASE2 + 0x1a0 + 2) /* 6 */
+#define BLOCK_SIZE_1 (PPBUF_BASE2 + 0x1a0 + 3) /* 7 */
+#define BLOCK_COUNT_0 (PPBUF_BASE2 + 0x1a0 + 4) /* 8 */
+#define BLOCK_COUNT_1 (PPBUF_BASE2 + 0x1a0 + 5) /* 9 */
+#define EBLOCK_COUNT_0 (PPBUF_BASE2 + 0x1a0 + 6) /* 10 */
+#define EBLOCK_COUNT_1 (PPBUF_BASE2 + 0x1a0 + 7) /* 11 */
+#define PAGE_SIZE_0 (PPBUF_BASE2 + 0x1a0 + 8) /* 12 */
+#define PAGE_SIZE_1 (PPBUF_BASE2 + 0x1a0 + 9) /* 13 */
+
+/* joey 2004-08-07 for MS check Procedure */
+#define MS_Device_Type (PPBUF_BASE2 + 0x1D8) /* 14 */
+/* end */
+
+/* joey 2004-05-03 */
+#define MS_4bit_Support (PPBUF_BASE2 + 0x1D3) /* 15 */
+/* end */
+
+#define setPS_NG 1
+#define setPS_Error 0
+
+/* define for Pro_SystemParm Register */
+#define PARALLEL_8BIT_IF 0x40
+#define PARALLEL_4BIT_IF 0x00
+#define SERIAL_IF 0x80
+
+/* define for StatusReg0 Register */
+#define BUF_FULL 0x10
+#define BUF_EMPTY 0x20
+
+/* define for StatusReg1 Register */
+#define MEDIA_BUSY 0x80
+#define FLASH_BUSY 0x40
+#define DATA_ERROR 0x20
+#define STS_UCDT 0x10
+#define EXTRA_ERROR 0x08
+#define STS_UCEX 0x04
+#define FLAG_ERROR 0x02
+#define STS_UCFG 0x01
+
+#define MS_SHORT_DATA_LEN 32
+
+#define FORMAT_SUCCESS 0
+#define FORMAT_FAIL 1
+#define FORMAT_IN_PROGRESS 2
+
+#define MS_SET_BAD_BLOCK_FLG(ms_card) ((ms_card)->multi_flag |= 0x80)
+#define MS_CLR_BAD_BLOCK_FLG(ms_card) ((ms_card)->multi_flag &= 0x7F)
+#define MS_TST_BAD_BLOCK_FLG(ms_card) ((ms_card)->multi_flag & 0x80)
+
+#define CHECK_MS_TRANS_FAIL(chip, retval) \
+ (((retval) != STATUS_SUCCESS) || \
+ (chip->rsp_buf[0] & MS_TRANSFER_ERR))
+
+void rts51x_mspro_polling_format_status(struct rts51x_chip *chip);
+void rts51x_mspro_format_sense(struct rts51x_chip *chip, unsigned int lun);
+
+int rts51x_reset_ms_card(struct rts51x_chip *chip);
+int rts51x_ms_rw(struct scsi_cmnd *srb, struct rts51x_chip *chip, u32 start_sector,
+ u16 sector_cnt);
+int rts51x_mspro_format(struct scsi_cmnd *srb, struct rts51x_chip *chip,
+ int short_data_len, int quick_format);
+void rts51x_ms_free_l2p_tbl(struct rts51x_chip *chip);
+void rts51x_ms_cleanup_work(struct rts51x_chip *chip);
+int rts51x_release_ms_card(struct rts51x_chip *chip);
+int rts51x_ms_delay_write(struct rts51x_chip *chip);
+
+#ifdef SUPPORT_MAGIC_GATE
+
+int ms_switch_clock(struct rts51x_chip *chip);
+int ms_write_bytes(struct rts51x_chip *chip, u8 tpc, u8 cnt, u8 cfg, u8 *data,
+ int data_len);
+int ms_read_bytes(struct rts51x_chip *chip, u8 tpc, u8 cnt, u8 cfg, u8 *data,
+ int data_len);
+int ms_set_rw_reg_addr(struct rts51x_chip *chip, u8 read_start, u8 read_cnt,
+ u8 write_start, u8 write_cnt);
+int ms_transfer_data(struct rts51x_chip *chip, u8 trans_mode, u8 tpc,
+ u16 sec_cnt, u8 cfg, int mode_2k, int use_sg, void *buf,
+ int buf_len);
+#endif
+
+#endif /* __RTS51X_MS_H */
diff --git a/drivers/staging/rts5139/ms_mg.c b/drivers/staging/rts5139/ms_mg.c
new file mode 100644
index 000000000000..c8f26062c682
--- /dev/null
+++ b/drivers/staging/rts5139/ms_mg.c
@@ -0,0 +1,643 @@
+/* Driver for Realtek RTS51xx USB card reader
+ *
+ * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author:
+ * wwang (wei_wang(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ * Maintainer:
+ * Edwin Rong (edwin_rong(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ */
+
+#include <linux/blkdev.h>
+#include <linux/kthread.h>
+#include <linux/sched.h>
+#include <linux/slab.h>
+
+#include "debug.h"
+#include "trace.h"
+#include "rts51x.h"
+#include "rts51x_transport.h"
+#include "rts51x_scsi.h"
+#include "rts51x_card.h"
+#include "ms.h"
+#include "ms_mg.h"
+
+#ifdef SUPPORT_MAGIC_GATE
+
+static int mg_check_int_error(struct rts51x_chip *chip)
+{
+ u8 value;
+
+ rts51x_read_register(chip, MS_TRANS_CFG, &value);
+ if (value & (INT_ERR | INT_CMDNK))
+ TRACE_RET(chip, STATUS_FAIL);
+
+ return STATUS_SUCCESS;
+}
+
+static int mg_send_ex_cmd(struct rts51x_chip *chip, u8 cmd, u8 entry_num)
+{
+ int retval, i;
+ u8 data[8];
+
+ data[0] = cmd;
+ data[1] = 0;
+ data[2] = 0;
+ data[3] = 0;
+ data[4] = 0;
+ data[5] = 0;
+ data[6] = entry_num;
+ data[7] = 0;
+
+ for (i = 0; i < MS_MAX_RETRY_COUNT; i++) {
+ retval =
+ ms_write_bytes(chip, PRO_EX_SET_CMD, 7, WAIT_INT, data, 8);
+ if (retval == STATUS_SUCCESS)
+ break;
+ }
+ if (i == MS_MAX_RETRY_COUNT)
+ TRACE_RET(chip, STATUS_FAIL);
+ retval = mg_check_int_error(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_mg_set_tpc_para_sub(struct rts51x_chip *chip, int type, u8 mg_entry_num)
+{
+ int retval;
+ u8 buf[6];
+
+ RTS51X_DEBUGP("--%s--\n", __func__);
+
+ if (type == 0)
+ retval = ms_set_rw_reg_addr(chip, 0, 0, Pro_TPCParm, 1);
+ else
+ retval = ms_set_rw_reg_addr(chip, 0, 0, Pro_DataCount1, 6);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ buf[0] = 0;
+ buf[1] = 0;
+ if (type == 1) {
+ buf[2] = 0;
+ buf[3] = 0;
+ buf[4] = 0;
+ buf[5] = mg_entry_num;
+ }
+ retval =
+ ms_write_bytes(chip, PRO_WRITE_REG, (type == 0) ? 1 : 6,
+ NO_WAIT_INT, buf, 6);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ return STATUS_SUCCESS;
+}
+
+/**
+ * Get MagciGate ID and set Leaf ID to medium.
+
+ * After receiving this SCSI command, adapter shall fulfill 2 tasks
+ * below in order:
+ * 1. send GET_ID TPC command to get MagicGate ID and hold it till
+ * Response&challenge CMD.
+ * 2. send SET_ID TPC command to medium with Leaf ID released by host
+ * in this SCSI CMD.
+ */
+int rts51x_mg_set_leaf_id(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ int retval;
+ int i;
+ unsigned int lun = SCSI_LUN(srb);
+ u8 buf1[32], buf2[12];
+
+ RTS51X_DEBUGP("--%s--\n", __func__);
+
+ if (scsi_bufflen(srb) < 12) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ rts51x_ms_cleanup_work(chip);
+
+ retval = ms_switch_clock(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = mg_send_ex_cmd(chip, MG_SET_LID, 0);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_KEY_FAIL_NOT_ESTAB);
+ TRACE_RET(chip, retval);
+ }
+
+ memset(buf1, 0, 32);
+ rts51x_get_xfer_buf(buf2, min(12, (int)scsi_bufflen(srb)), srb);
+ for (i = 0; i < 8; i++)
+ buf1[8 + i] = buf2[4 + i];
+ retval =
+ ms_write_bytes(chip, PRO_WRITE_SHORT_DATA, 32, WAIT_INT, buf1, 32);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_KEY_FAIL_NOT_ESTAB);
+ TRACE_RET(chip, retval);
+ }
+ retval = mg_check_int_error(chip);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_KEY_FAIL_NOT_ESTAB);
+ TRACE_RET(chip, retval);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+/**
+ * Send Local EKB to host.
+
+ * After receiving this SCSI command, adapter shall read the divided
+ * data(1536 bytes totally) from medium by using READ_LONG_DATA TPC
+ * for 3 times, and report data to host with data-length is 1052 bytes.
+ */
+int rts51x_mg_get_local_EKB(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ int retval = STATUS_FAIL;
+ int bufflen;
+ unsigned int lun = SCSI_LUN(srb);
+ u8 *buf = NULL;
+
+ RTS51X_DEBUGP("--%s--\n", __func__);
+
+ rts51x_ms_cleanup_work(chip);
+
+ retval = ms_switch_clock(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ buf = kmalloc(1540, GFP_KERNEL);
+ if (!buf)
+ TRACE_RET(chip, STATUS_NOMEM);
+
+ buf[0] = 0x04;
+ buf[1] = 0x1A;
+ buf[2] = 0x00;
+ buf[3] = 0x00;
+
+ retval = mg_send_ex_cmd(chip, MG_GET_LEKB, 0);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_KEY_FAIL_NOT_AUTHEN);
+ TRACE_GOTO(chip, GetEKBFinish);
+ }
+
+ retval = ms_transfer_data(chip, MS_TM_AUTO_READ, PRO_READ_LONG_DATA,
+ 3, WAIT_INT, 0, 0, buf + 4, 1536);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_KEY_FAIL_NOT_AUTHEN);
+ rts51x_write_register(chip, CARD_STOP, MS_STOP | MS_CLR_ERR,
+ MS_STOP | MS_CLR_ERR);
+ TRACE_GOTO(chip, GetEKBFinish);
+ }
+ retval = mg_check_int_error(chip);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_KEY_FAIL_NOT_AUTHEN);
+ TRACE_GOTO(chip, GetEKBFinish);
+ }
+
+ bufflen = min(1052, (int)scsi_bufflen(srb));
+ rts51x_set_xfer_buf(buf, bufflen, srb);
+
+GetEKBFinish:
+ kfree(buf);
+ return retval;
+}
+
+/**
+ * Send challenge(host) to medium.
+
+ * After receiving this SCSI command, adapter shall sequentially issues
+ * TPC commands to the medium for writing 8-bytes data as challenge
+ * by host within a short data packet.
+ */
+int rts51x_mg_chg(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval;
+ int bufflen;
+ int i;
+ unsigned int lun = SCSI_LUN(srb);
+ u8 buf[32], tmp;
+
+ RTS51X_DEBUGP("--%s--\n", __func__);
+
+ rts51x_ms_cleanup_work(chip);
+
+ retval = ms_switch_clock(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = mg_send_ex_cmd(chip, MG_GET_ID, 0);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_INCOMPATIBLE_MEDIUM);
+ TRACE_RET(chip, retval);
+ }
+
+ retval =
+ ms_read_bytes(chip, PRO_READ_SHORT_DATA, 32, WAIT_INT, buf, 32);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_INCOMPATIBLE_MEDIUM);
+ TRACE_RET(chip, retval);
+ }
+ retval = mg_check_int_error(chip);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_INCOMPATIBLE_MEDIUM);
+ TRACE_RET(chip, retval);
+ }
+
+ memcpy(ms_card->magic_gate_id, buf, 16);
+
+ for (i = 0; i < 2500; i++) {
+ RTS51X_READ_REG(chip, MS_TRANS_CFG, &tmp);
+ if (tmp &
+ (MS_INT_CED | MS_INT_CMDNK | MS_INT_BREQ | MS_INT_ERR))
+ break;
+
+ wait_timeout(1);
+ }
+
+ if (i == 2500) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_INCOMPATIBLE_MEDIUM);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ retval = mg_send_ex_cmd(chip, MG_SET_RD, 0);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_INCOMPATIBLE_MEDIUM);
+ TRACE_RET(chip, retval);
+ }
+
+ bufflen = min(12, (int)scsi_bufflen(srb));
+ rts51x_get_xfer_buf(buf, bufflen, srb);
+
+ for (i = 0; i < 8; i++)
+ buf[i] = buf[4 + i];
+ for (i = 0; i < 24; i++)
+ buf[8 + i] = 0;
+ retval =
+ ms_write_bytes(chip, PRO_WRITE_SHORT_DATA, 32, WAIT_INT, buf, 32);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_INCOMPATIBLE_MEDIUM);
+ TRACE_RET(chip, retval);
+ }
+ retval = mg_check_int_error(chip);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_INCOMPATIBLE_MEDIUM);
+ TRACE_RET(chip, retval);
+ }
+
+ ms_card->mg_auth = 0;
+
+ return STATUS_SUCCESS;
+}
+
+/**
+ * Send Response and Challenge data to host.
+
+ * After receiving this SCSI command, adapter shall communicates with
+ * the medium, get parameters(HRd, Rms, MagicGateID) by using READ_SHORT_DATA
+ * TPC and send the data to host according to certain format required by
+ * MG-R specification.
+ * The paremeter MagicGateID is the one that adapter has obtained from
+ * the medium by TPC commands in Set Leaf ID command phase previously.
+ */
+int rts51x_mg_get_rsp_chg(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval, i;
+ int bufflen;
+ unsigned int lun = SCSI_LUN(srb);
+ u8 buf1[32], buf2[36], tmp;
+
+ RTS51X_DEBUGP("--%s--\n", __func__);
+
+ rts51x_ms_cleanup_work(chip);
+
+ retval = ms_switch_clock(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = mg_send_ex_cmd(chip, MG_MAKE_RMS, 0);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_KEY_FAIL_NOT_AUTHEN);
+ TRACE_RET(chip, retval);
+ }
+
+ retval =
+ ms_read_bytes(chip, PRO_READ_SHORT_DATA, 32, WAIT_INT, buf1, 32);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_KEY_FAIL_NOT_AUTHEN);
+ TRACE_RET(chip, retval);
+ }
+ retval = mg_check_int_error(chip);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_KEY_FAIL_NOT_AUTHEN);
+ TRACE_RET(chip, retval);
+ }
+
+ buf2[0] = 0x00;
+ buf2[1] = 0x22;
+ buf2[2] = 0x00;
+ buf2[3] = 0x00;
+
+ memcpy(buf2 + 4, ms_card->magic_gate_id, 16);
+ memcpy(buf2 + 20, buf1, 16);
+
+ bufflen = min(36, (int)scsi_bufflen(srb));
+ rts51x_set_xfer_buf(buf2, bufflen, srb);
+
+ for (i = 0; i < 2500; i++) {
+ RTS51X_READ_REG(chip, MS_TRANS_CFG, &tmp);
+ if (tmp & (MS_INT_CED | MS_INT_CMDNK |
+ MS_INT_BREQ | MS_INT_ERR))
+ break;
+
+ wait_timeout(1);
+ }
+
+ if (i == 2500) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_KEY_FAIL_NOT_AUTHEN);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+/**
+ * Send response(host) to medium.
+
+ * After receiving this SCSI command, adapter shall sequentially
+ * issues TPC commands to the medium for writing 8-bytes data as
+ * challenge by host within a short data packet.
+ */
+int rts51x_mg_rsp(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval;
+ int i;
+ int bufflen;
+ unsigned int lun = SCSI_LUN(srb);
+ u8 buf[32];
+
+ RTS51X_DEBUGP("--%s--\n", __func__);
+
+ rts51x_ms_cleanup_work(chip);
+
+ retval = ms_switch_clock(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = mg_send_ex_cmd(chip, MG_MAKE_KSE, 0);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_KEY_FAIL_NOT_AUTHEN);
+ TRACE_RET(chip, retval);
+ }
+
+ bufflen = min(12, (int)scsi_bufflen(srb));
+ rts51x_get_xfer_buf(buf, bufflen, srb);
+
+ for (i = 0; i < 8; i++)
+ buf[i] = buf[4 + i];
+ for (i = 0; i < 24; i++)
+ buf[8 + i] = 0;
+ retval =
+ ms_write_bytes(chip, PRO_WRITE_SHORT_DATA, 32, WAIT_INT, buf, 32);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_KEY_FAIL_NOT_AUTHEN);
+ TRACE_RET(chip, retval);
+ }
+ retval = mg_check_int_error(chip);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_KEY_FAIL_NOT_AUTHEN);
+ TRACE_RET(chip, retval);
+ }
+
+ ms_card->mg_auth = 1;
+
+ return STATUS_SUCCESS;
+}
+
+/** * Send ICV data to host.
+
+ * After receiving this SCSI command, adapter shall read the divided
+ * data(1024 bytes totally) from medium by using READ_LONG_DATA TPC
+ * for 2 times, and report data to host with data-length is 1028 bytes.
+ *
+ * Since the extra 4 bytes data is just only a prefix to original data
+ * that read from medium, so that the 4-byte data pushed into Ring buffer
+ * precedes data transmission from medium to Ring buffer by DMA mechanism
+ * in order to get maximum performance and minimum code size simultaneously.
+ */
+int rts51x_mg_get_ICV(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval;
+ int bufflen;
+ unsigned int lun = SCSI_LUN(srb);
+ u8 *buf = NULL;
+
+ RTS51X_DEBUGP("--%s--\n", __func__);
+
+ rts51x_ms_cleanup_work(chip);
+
+ retval = ms_switch_clock(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ buf = kmalloc(1028, GFP_KERNEL);
+ if (!buf)
+ TRACE_RET(chip, STATUS_NOMEM);
+
+ buf[0] = 0x04;
+ buf[1] = 0x02;
+ buf[2] = 0x00;
+ buf[3] = 0x00;
+
+ retval = mg_send_ex_cmd(chip, MG_GET_IBD, ms_card->mg_entry_num);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR);
+ TRACE_GOTO(chip, GetICVFinish);
+ }
+
+ retval = ms_transfer_data(chip, MS_TM_AUTO_READ, PRO_READ_LONG_DATA,
+ 2, WAIT_INT, 0, 0, buf + 4, 1024);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR);
+ rts51x_write_register(chip, CARD_STOP, MS_STOP | MS_CLR_ERR,
+ MS_STOP | MS_CLR_ERR);
+ TRACE_GOTO(chip, GetICVFinish);
+ }
+ retval = mg_check_int_error(chip);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR);
+ TRACE_GOTO(chip, GetICVFinish);
+ }
+
+ bufflen = min(1028, (int)scsi_bufflen(srb));
+ rts51x_set_xfer_buf(buf, bufflen, srb);
+
+GetICVFinish:
+ kfree(buf);
+ return retval;
+}
+
+/**
+ * Send ICV data to medium.
+
+ * After receiving this SCSI command, adapter shall receive 1028 bytes
+ * and write the later 1024 bytes to medium by WRITE_LONG_DATA TPC
+ * consecutively.
+ *
+ * Since the first 4-bytes data is just only a prefix to original data
+ * that sent by host, and it should be skipped by shifting DMA pointer
+ * before writing 1024 bytes to medium.
+ */
+int rts51x_mg_set_ICV(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval;
+ int bufflen;
+#ifdef MG_SET_ICV_SLOW
+ int i;
+#endif
+ unsigned int lun = SCSI_LUN(srb);
+ u8 *buf = NULL;
+
+ RTS51X_DEBUGP("--%s--\n", __func__);
+
+ rts51x_ms_cleanup_work(chip);
+
+ retval = ms_switch_clock(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ buf = kmalloc(1028, GFP_KERNEL);
+ if (!buf)
+ TRACE_RET(chip, STATUS_NOMEM);
+
+ bufflen = min(1028, (int)scsi_bufflen(srb));
+ rts51x_get_xfer_buf(buf, bufflen, srb);
+
+ retval = mg_send_ex_cmd(chip, MG_SET_IBD, ms_card->mg_entry_num);
+ if (retval != STATUS_SUCCESS) {
+ if (ms_card->mg_auth == 0) {
+ if ((buf[5] & 0xC0) != 0)
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MG_KEY_FAIL_NOT_ESTAB);
+ else
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MG_WRITE_ERR);
+ } else {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_WRITE_ERR);
+ }
+ TRACE_GOTO(chip, SetICVFinish);
+ }
+
+#ifdef MG_SET_ICV_SLOW
+ for (i = 0; i < 2; i++) {
+ udelay(50);
+
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TPC, 0xFF,
+ PRO_WRITE_LONG_DATA);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANS_CFG, 0xFF,
+ WAIT_INT);
+
+ rts51x_trans_dma_enable(DMA_TO_DEVICE, chip, 512, DMA_512);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANSFER, 0xFF,
+ MS_TRANSFER_START | MS_TM_NORMAL_WRITE);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, MS_TRANSFER,
+ MS_TRANSFER_END, MS_TRANSFER_END);
+
+ retval = rts51x_send_cmd(chip, MODE_CDOR, 100);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_WRITE_ERR);
+ TRACE_GOTO(chip, SetICVFinish);
+ }
+
+ retval = rts51x_transfer_data_rcc(chip, SND_BULK_PIPE(chip),
+ buf + 4 + i * 512, 512, 0,
+ NULL, 3000, STAGE_DO);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_clear_ms_error(chip);
+ if (ms_card->mg_auth == 0) {
+ if ((buf[5] & 0xC0) != 0)
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MG_KEY_FAIL_NOT_ESTAB);
+ else
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MG_WRITE_ERR);
+ } else {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MG_WRITE_ERR);
+ }
+ retval = STATUS_FAIL;
+ TRACE_GOTO(chip, SetICVFinish);
+ }
+
+ retval = rts51x_get_rsp(chip, 1, 3000);
+ if (CHECK_MS_TRANS_FAIL(chip, retval)
+ || mg_check_int_error(chip)) {
+ rts51x_clear_ms_error(chip);
+ if (ms_card->mg_auth == 0) {
+ if ((buf[5] & 0xC0) != 0)
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MG_KEY_FAIL_NOT_ESTAB);
+ else
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MG_WRITE_ERR);
+ } else {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MG_WRITE_ERR);
+ }
+ retval = STATUS_FAIL;
+ TRACE_GOTO(chip, SetICVFinish);
+ }
+ }
+#else
+ retval = ms_transfer_data(chip, MS_TM_AUTO_WRITE, PRO_WRITE_LONG_DATA,
+ 2, WAIT_INT, 0, 0, buf + 4, 1024);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_clear_ms_error(chip);
+ if (ms_card->mg_auth == 0) {
+ if ((buf[5] & 0xC0) != 0)
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MG_KEY_FAIL_NOT_ESTAB);
+ else
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MG_WRITE_ERR);
+ } else {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_WRITE_ERR);
+ }
+ TRACE_GOTO(chip, SetICVFinish);
+ }
+#endif
+
+SetICVFinish:
+ kfree(buf);
+ return retval;
+}
+
+#endif /* SUPPORT_MAGIC_GATE */
diff --git a/drivers/staging/rts5139/ms_mg.h b/drivers/staging/rts5139/ms_mg.h
new file mode 100644
index 000000000000..109c71290953
--- /dev/null
+++ b/drivers/staging/rts5139/ms_mg.h
@@ -0,0 +1,42 @@
+/* Driver for Realtek RTS51xx USB card reader
+ * Header file
+ *
+ * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author:
+ * wwang (wei_wang(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ * Maintainer:
+ * Edwin Rong (edwin_rong(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ */
+
+#ifndef __RTS51X_MS_MG_H
+#define __RTS51X_MS_MG_H
+
+#include "rts51x_chip.h"
+#include "ms.h"
+
+int rts51x_mg_set_tpc_para_sub(struct rts51x_chip *chip, int type, u8 mg_entry_num);
+int rts51x_mg_set_leaf_id(struct scsi_cmnd *srb, struct rts51x_chip *chip);
+int rts51x_mg_get_local_EKB(struct scsi_cmnd *srb, struct rts51x_chip *chip);
+int rts51x_mg_chg(struct scsi_cmnd *srb, struct rts51x_chip *chip);
+int rts51x_mg_get_rsp_chg(struct scsi_cmnd *srb, struct rts51x_chip *chip);
+int rts51x_mg_rsp(struct scsi_cmnd *srb, struct rts51x_chip *chip);
+int rts51x_mg_get_ICV(struct scsi_cmnd *srb, struct rts51x_chip *chip);
+int rts51x_mg_set_ICV(struct scsi_cmnd *srb, struct rts51x_chip *chip);
+
+#endif /* __RTS51X_MS_MG_H */
diff --git a/drivers/staging/rts5139/rts51x.c b/drivers/staging/rts5139/rts51x.c
new file mode 100644
index 000000000000..8529cbabc554
--- /dev/null
+++ b/drivers/staging/rts5139/rts51x.c
@@ -0,0 +1,846 @@
+/* Driver for Realtek RTS51xx USB card reader
+ *
+ * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author:
+ * wwang (wei_wang(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ * Maintainer:
+ * Edwin Rong (edwin_rong(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/blkdev.h>
+#include <linux/kthread.h>
+#include <linux/sched.h>
+#include <linux/workqueue.h>
+#include <linux/errno.h>
+#include <linux/freezer.h>
+#include <linux/module.h>
+#include <linux/slab.h>
+#include <linux/mutex.h>
+#include <linux/utsname.h>
+#include <linux/usb.h>
+
+#include <scsi/scsi.h>
+#include <scsi/scsi_cmnd.h>
+#include <scsi/scsi_device.h>
+#include <scsi/scsi_devinfo.h>
+#include <scsi/scsi_eh.h>
+#include <scsi/scsi_host.h>
+
+#include "debug.h"
+#include "ms.h"
+#include "rts51x.h"
+#include "rts51x_chip.h"
+#include "rts51x_card.h"
+#include "rts51x_scsi.h"
+#include "rts51x_transport.h"
+#include "rts51x_fop.h"
+
+MODULE_DESCRIPTION(RTS51X_DESC);
+MODULE_LICENSE("GPL");
+MODULE_VERSION(DRIVER_VERSION);
+
+static int auto_delink_en;
+module_param(auto_delink_en, int, S_IRUGO | S_IWUSR);
+MODULE_PARM_DESC(auto_delink_en, "enable auto delink");
+
+static int ss_en;
+module_param(ss_en, int, S_IRUGO | S_IWUSR);
+MODULE_PARM_DESC(ss_en, "enable selective suspend");
+
+static int ss_delay = 50;
+module_param(ss_delay, int, S_IRUGO | S_IWUSR);
+MODULE_PARM_DESC(ss_delay,
+ "seconds to delay before entering selective suspend");
+
+static int needs_remote_wakeup;
+module_param(needs_remote_wakeup, int, S_IRUGO | S_IWUSR);
+MODULE_PARM_DESC(needs_remote_wakeup, "ss state needs remote wakeup supported");
+
+#ifdef SUPPORT_FILE_OP
+static const struct file_operations rts51x_fops = {
+ .owner = THIS_MODULE,
+ .read = rts51x_read,
+ .write = rts51x_write,
+ .unlocked_ioctl = rts51x_ioctl,
+ .open = rts51x_open,
+ .release = rts51x_release,
+};
+
+/*
+ * usb class driver info in order to get a minor number from the usb core,
+ * and to have the device registered with the driver core
+ */
+static struct usb_class_driver rts51x_class = {
+ .name = "rts51x%d",
+ .fops = &rts51x_fops,
+ .minor_base = 192,
+};
+#endif
+
+#ifdef CONFIG_PM /* Minimal support for suspend and resume */
+
+static inline void usb_autopm_enable(struct usb_interface *intf)
+{
+ atomic_set(&intf->pm_usage_cnt, 1);
+ usb_autopm_put_interface(intf);
+}
+
+static inline void usb_autopm_disable(struct usb_interface *intf)
+{
+ atomic_set(&intf->pm_usage_cnt, 0);
+ usb_autopm_get_interface(intf);
+}
+
+static void rts51x_try_to_enter_ss(struct rts51x_chip *chip)
+{
+ pr_debug("Ready to enter SS state\n");
+ usb_autopm_enable(chip->usb->pusb_intf);
+}
+
+void rts51x_try_to_exit_ss(struct rts51x_chip *chip)
+{
+ pr_debug("Exit from SS state\n");
+ usb_autopm_disable(chip->usb->pusb_intf);
+}
+
+int rts51x_suspend(struct usb_interface *iface, pm_message_t message)
+{
+ struct rts51x_chip *chip = usb_get_intfdata(iface);
+
+ pr_debug("%s, message.event = 0x%x\n", __func__, message.event);
+
+ /* Wait until no command is running */
+ mutex_lock(&chip->usb->dev_mutex);
+
+ chip->fake_card_ready = chip->card_ready;
+ rts51x_do_before_power_down(chip);
+
+ if (message.event == PM_EVENT_AUTO_SUSPEND) {
+ pr_debug("Enter SS state");
+ chip->resume_from_scsi = 0;
+ RTS51X_SET_STAT(chip, STAT_SS);
+ } else {
+ pr_debug("Enter SUSPEND state");
+ RTS51X_SET_STAT(chip, STAT_SUSPEND);
+ }
+
+ /* When runtime PM is working, we'll set a flag to indicate
+ * whether we should autoresume when a SCSI request arrives. */
+
+ mutex_unlock(&chip->usb->dev_mutex);
+ return 0;
+}
+
+int rts51x_resume(struct usb_interface *iface)
+{
+ struct rts51x_chip *chip = usb_get_intfdata(iface);
+
+ pr_debug("%s\n", __func__);
+
+ if (!RTS51X_CHK_STAT(chip, STAT_SS) || !chip->resume_from_scsi) {
+ mutex_lock(&chip->usb->dev_mutex);
+
+ if (chip->option.ss_en) {
+ if (GET_PM_USAGE_CNT(chip) <= 0) {
+ /* Remote wake up, increase pm_usage_cnt */
+ pr_debug("Incr pm_usage_cnt\n");
+ SET_PM_USAGE_CNT(chip, 1);
+ }
+ }
+
+ RTS51X_SET_STAT(chip, STAT_RUN);
+
+ rts51x_init_chip(chip);
+ rts51x_init_cards(chip);
+
+ mutex_unlock(&chip->usb->dev_mutex);
+ }
+
+ return 0;
+}
+
+int rts51x_reset_resume(struct usb_interface *iface)
+{
+ struct rts51x_chip *chip = usb_get_intfdata(iface);
+
+ pr_debug("%s\n", __func__);
+
+ mutex_lock(&chip->usb->dev_mutex);
+
+ RTS51X_SET_STAT(chip, STAT_RUN);
+
+ if (chip->option.ss_en)
+ SET_PM_USAGE_CNT(chip, 1);
+
+ rts51x_init_chip(chip);
+ rts51x_init_cards(chip);
+
+ mutex_unlock(&chip->usb->dev_mutex);
+
+ /* FIXME: Notify the subdrivers that they need to reinitialize
+ * the device */
+ return 0;
+}
+
+#else /* CONFIG_PM */
+
+static void rts51x_try_to_enter_ss(struct rts51x_chip *chip)
+{
+}
+
+void rts51x_try_to_exit_ss(struct rts51x_chip *chip)
+{
+}
+
+#endif /* CONFIG_PM */
+
+/*
+ * The next two routines get called just before and just after
+ * a USB port reset, whether from this driver or a different one.
+ */
+
+static int rts51x_pre_reset(struct usb_interface *iface)
+{
+ struct rts51x_chip *chip = usb_get_intfdata(iface);
+
+ pr_debug("%s\n", __func__);
+
+ /* Make sure no command runs during the reset */
+ mutex_lock(&chip->usb->dev_mutex);
+ return 0;
+}
+
+static int rts51x_post_reset(struct usb_interface *iface)
+{
+ struct rts51x_chip *chip = usb_get_intfdata(iface);
+
+ pr_debug("%s\n", __func__);
+
+ /* Report the reset to the SCSI core */
+ /* usb_stor_report_bus_reset(us); */
+
+ /* FIXME: Notify the subdrivers that they need to reinitialize
+ * the device */
+
+ mutex_unlock(&chip->usb->dev_mutex);
+ return 0;
+}
+
+static int rts51x_control_thread(void *__chip)
+{
+ struct rts51x_chip *chip = (struct rts51x_chip *)__chip;
+ struct Scsi_Host *host = rts51x_to_host(chip);
+
+ for (;;) {
+ if (wait_for_completion_interruptible(&chip->usb->cmnd_ready))
+ break;
+
+ if (test_bit(FLIDX_DISCONNECTING, &chip->usb->dflags)) {
+ pr_debug("-- exiting from rts51x-control\n");
+ break;
+ }
+
+ /* lock the device pointers */
+ mutex_lock(&(chip->usb->dev_mutex));
+
+ /* lock access to the state */
+ scsi_lock(host);
+
+ /* When we are called with no command pending, we're done */
+ if (chip->srb == NULL) {
+ scsi_unlock(host);
+ mutex_unlock(&chip->usb->dev_mutex);
+ pr_debug("-- exiting from control thread\n");
+ break;
+ }
+
+ /* has the command timed out *already* ? */
+ if (test_bit(FLIDX_TIMED_OUT, &chip->usb->dflags)) {
+ chip->srb->result = DID_ABORT << 16;
+ goto abort;
+ }
+
+ scsi_unlock(host);
+
+ /* reject the command if the direction indicator
+ * is UNKNOWN
+ */
+ if (chip->srb->sc_data_direction == DMA_BIDIRECTIONAL) {
+ pr_debug("UNKNOWN data direction\n");
+ chip->srb->result = DID_ERROR << 16;
+ }
+
+ /* reject if target != 0 or if LUN is higher than
+ * the maximum known LUN
+ */
+ else if (chip->srb->device->id) {
+ pr_debug("Bad target number (%d:%d)\n",
+ chip->srb->device->id,
+ chip->srb->device->lun);
+ chip->srb->result = DID_BAD_TARGET << 16;
+ }
+
+ else if (chip->srb->device->lun > chip->max_lun) {
+ pr_debug("Bad LUN (%d:%d)\n",
+ chip->srb->device->id,
+ chip->srb->device->lun);
+ chip->srb->result = DID_BAD_TARGET << 16;
+ }
+
+ /* we've got a command, let's do it! */
+ else {
+ RTS51X_DEBUG(rts51x_scsi_show_command(chip->srb));
+ rts51x_invoke_transport(chip->srb, chip);
+ }
+
+ /* lock access to the state */
+ scsi_lock(host);
+
+ /* indicate that the command is done */
+ if (chip->srb->result != DID_ABORT << 16)
+ chip->srb->scsi_done(chip->srb);
+ else
+abort :
+ pr_debug("scsi command aborted\n");
+
+ /* If an abort request was received we need to signal that
+ * the abort has finished. The proper test for this is
+ * the TIMED_OUT flag, not srb->result == DID_ABORT, because
+ * the timeout might have occurred after the command had
+ * already completed with a different result code. */
+ if (test_bit(FLIDX_TIMED_OUT, &chip->usb->dflags)) {
+ complete(&(chip->usb->notify));
+
+ /* Allow USB transfers to resume */
+ clear_bit(FLIDX_ABORTING, &chip->usb->dflags);
+ clear_bit(FLIDX_TIMED_OUT, &chip->usb->dflags);
+ }
+
+ /* finished working on this command */
+ chip->srb = NULL;
+ scsi_unlock(host);
+
+ /* unlock the device pointers */
+ mutex_unlock(&chip->usb->dev_mutex);
+ } /* for (;;) */
+
+ complete(&chip->usb->control_exit);
+
+ /* Wait until we are told to stop */
+/* for (;;) {
+ set_current_state(TASK_INTERRUPTIBLE);
+ if (kthread_should_stop())
+ break;
+ schedule();
+ }
+ __set_current_state(TASK_RUNNING);*/
+ return 0;
+}
+
+static int rts51x_polling_thread(void *__chip)
+{
+ struct rts51x_chip *chip = (struct rts51x_chip *)__chip;
+
+ for (;;) {
+ wait_timeout(POLLING_INTERVAL);
+
+ /* if the device has disconnected, we are free to exit */
+ if (test_bit(FLIDX_DISCONNECTING, &chip->usb->dflags)) {
+ pr_debug("-- exiting from rts51x-polling\n");
+ break;
+ }
+
+ /* if the device has disconnected, we are free to exit */
+ /* if (kthread_should_stop()) {
+ printk(KERN_INFO "Stop polling thread!\n");
+ break;
+ } */
+
+#ifdef CONFIG_PM
+ if (RTS51X_CHK_STAT(chip, STAT_SS) ||
+ RTS51X_CHK_STAT(chip, STAT_SS_PRE) ||
+ RTS51X_CHK_STAT(chip, STAT_SUSPEND)) {
+ continue;
+ }
+
+ if (ss_en) {
+ if (RTS51X_CHK_STAT(chip, STAT_IDLE)) {
+ if (chip->ss_counter <
+ (ss_delay * 1000 / POLLING_INTERVAL)) {
+ chip->ss_counter++;
+ } else {
+ /* Prepare SS state */
+ RTS51X_SET_STAT(chip, STAT_SS_PRE);
+ rts51x_try_to_enter_ss(chip);
+ continue;
+ }
+ } else {
+ chip->ss_counter = 0;
+ }
+ }
+#endif
+
+ rts51x_mspro_polling_format_status(chip);
+
+ /* lock the device pointers */
+ mutex_lock(&(chip->usb->dev_mutex));
+
+ rts51x_polling_func(chip);
+
+ /* unlock the device pointers */
+ mutex_unlock(&chip->usb->dev_mutex);
+ } /* for (;;) */
+
+ complete(&chip->usb->polling_exit);
+
+ /* Wait until we are told to stop */
+ /* for (;;) {
+ set_current_state(TASK_INTERRUPTIBLE);
+ if (kthread_should_stop())
+ break;
+ schedule();
+ }
+ __set_current_state(TASK_RUNNING); */
+ return 0;
+}
+
+/* Associate our private data with the USB device */
+static int associate_dev(struct rts51x_chip *chip, struct usb_interface *intf)
+{
+ struct rts51x_usb *rts51x = chip->usb;
+#ifdef SUPPORT_FILE_OP
+ int retval;
+#endif
+
+ /* Fill in the device-related fields */
+ rts51x->pusb_dev = interface_to_usbdev(intf);
+ rts51x->pusb_intf = intf;
+ rts51x->ifnum = intf->cur_altsetting->desc.bInterfaceNumber;
+ pr_debug("Vendor: 0x%04x, Product: 0x%04x, Revision: 0x%04x\n",
+ le16_to_cpu(rts51x->pusb_dev->descriptor.idVendor),
+ le16_to_cpu(rts51x->pusb_dev->descriptor.idProduct),
+ le16_to_cpu(rts51x->pusb_dev->descriptor.bcdDevice));
+ pr_debug("Interface Subclass: 0x%02x, Protocol: 0x%02x\n",
+ intf->cur_altsetting->desc.bInterfaceSubClass,
+ intf->cur_altsetting->desc.bInterfaceProtocol);
+
+ /* Store our private data in the interface */
+ usb_set_intfdata(intf, chip);
+
+#ifdef SUPPORT_FILE_OP
+ /* we can register the device now, as it is ready */
+ retval = usb_register_dev(intf, &rts51x_class);
+ if (retval) {
+ /* something prevented us from registering this driver */
+ pr_debug("Not able to get a minor for this device.");
+ usb_set_intfdata(intf, NULL);
+ return -ENOMEM;
+ }
+#endif
+
+ /* Allocate the device-related DMA-mapped buffers */
+ rts51x->cr = usb_buffer_alloc(rts51x->pusb_dev, sizeof(*rts51x->cr),
+ GFP_KERNEL, &rts51x->cr_dma);
+ if (!rts51x->cr) {
+ usb_set_intfdata(intf, NULL);
+ return -ENOMEM;
+ }
+
+ rts51x->iobuf = usb_buffer_alloc(rts51x->pusb_dev, RTS51X_IOBUF_SIZE,
+ GFP_KERNEL, &rts51x->iobuf_dma);
+ if (!rts51x->iobuf) {
+ usb_set_intfdata(intf, NULL);
+ return -ENOMEM;
+ }
+ return 0;
+}
+
+static void rts51x_init_options(struct rts51x_chip *chip)
+{
+ struct rts51x_option *option = &(chip->option);
+
+ option->rts51x_mspro_formatter_enable = 1;
+
+ option->fpga_sd_sdr104_clk = CLK_100;
+ option->fpga_sd_sdr50_clk = CLK_100;
+ option->fpga_sd_ddr50_clk = CLK_100;
+ option->fpga_sd_hs_clk = CLK_100;
+ option->fpga_mmc_52m_clk = CLK_80;
+ option->fpga_ms_hg_clk = CLK_80;
+ option->fpga_ms_4bit_clk = CLK_80;
+
+ option->asic_sd_sdr104_clk = 98;
+ option->asic_sd_sdr50_clk = 98;
+ option->asic_sd_ddr50_clk = 98;
+ option->asic_sd_hs_clk = 97;
+ option->asic_mmc_52m_clk = 95;
+ option->asic_ms_hg_clk = 116;
+ option->asic_ms_4bit_clk = 77;
+
+ option->sd_ddr_tx_phase = 0;
+ option->mmc_ddr_tx_phase = 1;
+
+ option->sd_speed_prior = 0;
+ option->sd_ctl =
+ SD_PUSH_POINT_AUTO | SD_SAMPLE_POINT_AUTO | SUPPORT_UHS50_MMC44;
+
+ option->ss_en = ss_en;
+ option->ss_delay = ss_delay;
+
+ option->auto_delink_en = auto_delink_en;
+
+ option->FT2_fast_mode = 0;
+ option->pwr_delay = 800;
+ option->rts51x_xd_rw_step = 0;
+ option->D3318_off_delay = 50;
+ option->delink_delay = 100;
+ option->rts5129_D3318_off_enable = 0;
+ option->sd20_pad_drive = 0;
+ option->reset_or_rw_fail_set_pad_drive = 1;
+ option->debounce_num = 2;
+ option->led_toggle_interval = 6;
+ option->rts51x_xd_rwn_step = 0;
+ option->sd_send_status_en = 0;
+ option->sdr50_tx_phase = 0x01;
+ option->sdr50_rx_phase = 0x05;
+ option->ddr50_tx_phase = 0x09;
+ option->ddr50_rx_phase = 0x06;
+ option->sdr50_phase_sel = 0;
+ option->sd30_pad_drive = 1;
+ option->ms_errreg_fix = 0;
+ option->reset_mmc_first = 0;
+ option->speed_mmc = 1;
+ option->led_always_on = 0;
+}
+
+/* Get the pipe settings */
+static int get_pipes(struct rts51x_chip *chip)
+{
+ struct rts51x_usb *rts51x = chip->usb;
+ struct usb_host_interface *altsetting =
+ rts51x->pusb_intf->cur_altsetting;
+ int i;
+ struct usb_endpoint_descriptor *ep;
+ struct usb_endpoint_descriptor *ep_in = NULL;
+ struct usb_endpoint_descriptor *ep_out = NULL;
+ struct usb_endpoint_descriptor *ep_int = NULL;
+
+ /*
+ * Find the first endpoint of each type we need.
+ * We are expecting a minimum of 2 endpoints - in and out (bulk).
+ * An optional interrupt-in is OK (necessary for CBI protocol).
+ * We will ignore any others.
+ */
+ for (i = 0; i < altsetting->desc.bNumEndpoints; i++) {
+ ep = &altsetting->endpoint[i].desc;
+
+ if (usb_endpoint_xfer_bulk(ep)) {
+ if (usb_endpoint_dir_in(ep)) {
+ if (!ep_in)
+ ep_in = ep;
+ } else {
+ if (!ep_out)
+ ep_out = ep;
+ }
+ }
+
+ else if (usb_endpoint_is_int_in(ep)) {
+ if (!ep_int)
+ ep_int = ep;
+ }
+ }
+
+ if (!ep_in || !ep_out) {
+ pr_debug("Endpoint sanity check failed! Rejecting dev.\n");
+ return -EIO;
+ }
+
+ /* Calculate and store the pipe values */
+ rts51x->send_ctrl_pipe = usb_sndctrlpipe(rts51x->pusb_dev, 0);
+ rts51x->recv_ctrl_pipe = usb_rcvctrlpipe(rts51x->pusb_dev, 0);
+ rts51x->send_bulk_pipe = usb_sndbulkpipe(rts51x->pusb_dev,
+ usb_endpoint_num(ep_out));
+ rts51x->recv_bulk_pipe = usb_rcvbulkpipe(rts51x->pusb_dev,
+ usb_endpoint_num(ep_in));
+ if (ep_int) {
+ rts51x->recv_intr_pipe = usb_rcvintpipe(rts51x->pusb_dev,
+ usb_endpoint_num
+ (ep_int));
+ rts51x->ep_bInterval = ep_int->bInterval;
+ }
+ return 0;
+}
+
+/* Initialize all the dynamic resources we need */
+static int rts51x_acquire_resources(struct rts51x_chip *chip)
+{
+ struct rts51x_usb *rts51x = chip->usb;
+ int retval;
+
+ rts51x->current_urb = usb_alloc_urb(0, GFP_KERNEL);
+ if (!rts51x->current_urb)
+ return -ENOMEM;
+
+ rts51x->intr_urb = usb_alloc_urb(0, GFP_KERNEL);
+ if (!rts51x->intr_urb)
+ return -ENOMEM;
+
+ chip->cmd_buf = rts51x->iobuf;
+ chip->rsp_buf = rts51x->iobuf;
+
+ rts51x_init_options(chip);
+
+ /* Init rts51xx device */
+ retval = rts51x_init_chip(chip);
+ if (retval != STATUS_SUCCESS)
+ return -EIO;
+
+ return 0;
+}
+
+/* Release all our dynamic resources */
+static void rts51x_release_resources(struct rts51x_chip *chip)
+{
+ pr_debug("-- %s\n", __func__);
+
+ /* Tell the control thread to exit. The SCSI host must
+ * already have been removed and the DISCONNECTING flag set
+ * so that we won't accept any more commands.
+ */
+ pr_debug("-- sending exit command to thread\n");
+ complete(&chip->usb->cmnd_ready);
+ if (chip->usb->ctl_thread)
+ wait_for_completion(&chip->usb->control_exit);
+ /* kthread_stop(chip->usb->ctl_thread); */
+ if (chip->usb->polling_thread)
+ wait_for_completion(&chip->usb->polling_exit);
+
+ /* if (chip->usb->polling_thread)
+ kthread_stop(chip->usb->polling_thread); */
+
+ wait_timeout(200);
+
+ /* Release rts51xx device here */
+ rts51x_release_chip(chip);
+
+ usb_free_urb(chip->usb->current_urb);
+ usb_free_urb(chip->usb->intr_urb);
+}
+
+/* Dissociate from the USB device */
+static void dissociate_dev(struct rts51x_chip *chip)
+{
+ struct rts51x_usb *rts51x = chip->usb;
+
+ pr_debug("-- %s\n", __func__);
+
+ /* Free the device-related DMA-mapped buffers */
+ if (rts51x->cr)
+ usb_buffer_free(rts51x->pusb_dev, sizeof(*rts51x->cr),
+ rts51x->cr, rts51x->cr_dma);
+ if (rts51x->iobuf)
+ usb_buffer_free(rts51x->pusb_dev, RTS51X_IOBUF_SIZE,
+ rts51x->iobuf, rts51x->iobuf_dma);
+
+ /* Remove our private data from the interface */
+ usb_set_intfdata(rts51x->pusb_intf, NULL);
+
+#ifdef SUPPORT_FILE_OP
+ /* give back our minor */
+ usb_deregister_dev(rts51x->pusb_intf, &rts51x_class);
+#endif
+
+ kfree(rts51x);
+ chip->usb = NULL;
+}
+
+/* First stage of disconnect processing: stop SCSI scanning,
+ * remove the host, and stop accepting new commands
+ */
+static void quiesce_and_remove_host(struct rts51x_chip *chip)
+{
+ struct rts51x_usb *rts51x = chip->usb;
+ struct Scsi_Host *host = rts51x_to_host(chip);
+
+ /* If the device is really gone, cut short reset delays */
+ if (rts51x->pusb_dev->state == USB_STATE_NOTATTACHED)
+ set_bit(FLIDX_DISCONNECTING, &rts51x->dflags);
+
+ /* Removing the host will perform an orderly shutdown: caches
+ * synchronized, disks spun down, etc.
+ */
+ scsi_remove_host(host);
+
+ /* Prevent any new commands from being accepted and cut short
+ * reset delays.
+ */
+ scsi_lock(host);
+ set_bit(FLIDX_DISCONNECTING, &rts51x->dflags);
+ scsi_unlock(host);
+}
+
+/* Second stage of disconnect processing: deallocate all resources */
+static void release_everything(struct rts51x_chip *chip)
+{
+ rts51x_release_resources(chip);
+ dissociate_dev(chip);
+
+ /* Drop our reference to the host; the SCSI core will free it
+ * (and "chip" along with it) when the refcount becomes 0. */
+ scsi_host_put(rts51x_to_host(chip));
+}
+
+static int rts51x_probe(struct usb_interface *intf,
+ const struct usb_device_id *id)
+{
+ struct Scsi_Host *host;
+ struct rts51x_chip *chip;
+ struct rts51x_usb *rts51x;
+ int result;
+ struct task_struct *th;
+
+ pr_debug("%s detected\n", RTS51X_NAME);
+
+ rts51x = kzalloc(sizeof(*rts51x), GFP_KERNEL);
+ if (!rts51x)
+ return -ENOMEM;
+
+ /*
+ * Ask the SCSI layer to allocate a host structure, with extra
+ * space at the end for our private us_data structure.
+ */
+ host = scsi_host_alloc(&rts51x_host_template, sizeof(*chip));
+ if (!host) {
+ kfree(rts51x);
+ return -ENOMEM;
+ }
+
+ /*
+ * Allow 16-byte CDBs and thus > 2TB
+ */
+ host->max_cmd_len = 16;
+ chip = host_to_rts51x(host);
+ memset(chip, 0, sizeof(struct rts51x_chip));
+
+ chip->vendor_id = id->idVendor;
+ chip->product_id = id->idProduct;
+
+ mutex_init(&(rts51x->dev_mutex));
+ init_completion(&rts51x->cmnd_ready);
+ init_completion(&rts51x->control_exit);
+ init_completion(&rts51x->polling_exit);
+ init_completion(&(rts51x->notify));
+
+ chip->usb = rts51x;
+
+ /* Associate the us_data structure with the USB device */
+ result = associate_dev(chip, intf);
+ if (result)
+ goto bad_device;
+
+ /* Find the endpoints and calculate pipe values */
+ result = get_pipes(chip);
+ if (result)
+ goto bad_device;
+
+ /* Acquire all the other resources and add the host */
+ result = rts51x_acquire_resources(chip);
+ if (result)
+ goto bad_device;
+
+ /* Start up our control thread */
+ th = kthread_run(rts51x_control_thread, chip, RTS51X_CTL_THREAD);
+ if (IS_ERR(th)) {
+ pr_warn("Unable to start control thread\n");
+ result = PTR_ERR(th);
+ goto bad_device;
+ }
+ rts51x->ctl_thread = th;
+
+ result = scsi_add_host(rts51x_to_host(chip), &rts51x->pusb_intf->dev);
+ if (result) {
+ pr_warn("Unable to add the scsi host\n");
+ goto bad_device;
+ }
+ scsi_scan_host(rts51x_to_host(chip));
+
+ /* Start up our polling thread */
+ th = kthread_run(rts51x_polling_thread, chip, RTS51X_POLLING_THREAD);
+ if (IS_ERR(th)) {
+ pr_warn("Unable to start polling thread\n");
+ result = PTR_ERR(th);
+ goto bad_device;
+ }
+ rts51x->polling_thread = th;
+
+#ifdef CONFIG_PM
+ if (ss_en) {
+ rts51x->pusb_intf->needs_remote_wakeup = needs_remote_wakeup;
+ SET_PM_USAGE_CNT(chip, 1);
+ pr_debug("pm_usage_cnt = %d\n", GET_PM_USAGE_CNT(chip));
+ }
+#endif
+
+ return 0;
+
+ /* We come here if there are any problems */
+bad_device:
+ pr_debug("rts51x_probe() failed\n");
+ release_everything(chip);
+ return result;
+}
+
+static void rts51x_disconnect(struct usb_interface *intf)
+{
+ struct rts51x_chip *chip = (struct rts51x_chip *)usb_get_intfdata(intf);
+
+ pr_debug("rts51x_disconnect() called\n");
+ quiesce_and_remove_host(chip);
+ release_everything(chip);
+}
+
+/***********************************************************************
+ * Initialization and registration
+ ***********************************************************************/
+
+static struct usb_device_id rts5139_usb_ids[] = {
+ {USB_DEVICE(0x0BDA, 0x0139)},
+ {USB_DEVICE(0x0BDA, 0x0129)},
+ {} /* Terminating entry */
+};
+EXPORT_SYMBOL_GPL(rts5139_usb_ids);
+
+MODULE_DEVICE_TABLE(usb, rts5139_usb_ids);
+
+struct usb_driver rts51x_driver = {
+ .name = RTS51X_NAME,
+ .probe = rts51x_probe,
+ .disconnect = rts51x_disconnect,
+ .suspend = rts51x_suspend,
+ .resume = rts51x_resume,
+ .reset_resume = rts51x_reset_resume,
+ .pre_reset = rts51x_pre_reset,
+ .post_reset = rts51x_post_reset,
+ .id_table = rts5139_usb_ids,
+ .soft_unbind = 1,
+};
+
+module_usb_driver(rts51x_driver);
diff --git a/drivers/staging/rts5139/rts51x.h b/drivers/staging/rts5139/rts51x.h
new file mode 100644
index 000000000000..ecc0109a5b1a
--- /dev/null
+++ b/drivers/staging/rts5139/rts51x.h
@@ -0,0 +1,194 @@
+/* Driver for Realtek RTS51xx USB card reader
+ * Header file
+ *
+ * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author:
+ * wwang (wei_wang(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ * Maintainer:
+ * Edwin Rong (edwin_rong(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ */
+
+#ifndef __RTS51X_H
+#define __RTS51X_H
+
+#include <linux/usb.h>
+#include <linux/usb_usual.h>
+#include <linux/blkdev.h>
+#include <linux/completion.h>
+#include <linux/mutex.h>
+#include <linux/cdrom.h>
+#include <linux/kernel.h>
+
+#include <scsi/scsi.h>
+#include <scsi/scsi_cmnd.h>
+#include <scsi/scsi_device.h>
+#include <scsi/scsi_devinfo.h>
+#include <scsi/scsi_eh.h>
+#include <scsi/scsi_host.h>
+
+#define DRIVER_VERSION "v1.04"
+
+#define RTS51X_DESC "Realtek RTS5139/29 USB card reader driver"
+#define RTS51X_NAME "rts5139"
+#define RTS51X_CTL_THREAD "rts5139-control"
+#define RTS51X_POLLING_THREAD "rts5139-polling"
+
+#define POLLING_IN_THREAD
+#define SUPPORT_FILE_OP
+
+#define wait_timeout_x(task_state, msecs) \
+do { \
+ set_current_state((task_state)); \
+ schedule_timeout((msecs) * HZ / 1000); \
+} while (0)
+
+#define wait_timeout(msecs) wait_timeout_x(TASK_INTERRUPTIBLE, (msecs))
+
+#define SCSI_LUN(srb) ((srb)->device->lun)
+
+/* Size of the DMA-mapped I/O buffer */
+#define RTS51X_IOBUF_SIZE 1024
+
+/* Dynamic bitflag definitions (dflags): used in set_bit() etc. */
+#define FLIDX_URB_ACTIVE 0 /* current_urb is in use */
+#define FLIDX_SG_ACTIVE 1 /* current_sg is in use */
+#define FLIDX_ABORTING 2 /* abort is in progress */
+#define FLIDX_DISCONNECTING 3 /* disconnect in progress */
+#define FLIDX_RESETTING 4 /* device reset in progress */
+#define FLIDX_TIMED_OUT 5 /* SCSI midlayer timed out */
+
+struct rts51x_chip;
+
+struct rts51x_usb {
+ /* The device we're working with
+ * It's important to note:
+ * (o) you must hold dev_mutex to change pusb_dev
+ */
+ struct mutex dev_mutex; /* protect pusb_dev */
+ struct usb_device *pusb_dev; /* this usb_device */
+ struct usb_interface *pusb_intf; /* this interface */
+
+ unsigned long dflags; /* dynamic atomic bitflags */
+
+ unsigned int send_bulk_pipe; /* cached pipe values */
+ unsigned int recv_bulk_pipe;
+ unsigned int send_ctrl_pipe;
+ unsigned int recv_ctrl_pipe;
+ unsigned int recv_intr_pipe;
+
+ u8 ifnum; /* interface number */
+ u8 ep_bInterval; /* interrupt interval */
+
+ /* control and bulk communications data */
+ struct urb *current_urb; /* USB requests */
+ struct urb *intr_urb; /* Interrupt USB request */
+ struct usb_ctrlrequest *cr; /* control requests */
+ struct usb_sg_request current_sg; /* scatter-gather req. */
+ unsigned char *iobuf; /* I/O buffer */
+ dma_addr_t cr_dma; /* buffer DMA addresses */
+ dma_addr_t iobuf_dma;
+ struct task_struct *ctl_thread; /* the control thread */
+ struct task_struct *polling_thread; /* the polling thread */
+
+ /* mutual exclusion and synchronization structures */
+ struct completion cmnd_ready; /* to sleep thread on */
+ struct completion control_exit; /* control thread exit */
+ struct completion polling_exit; /* polling thread exit */
+ struct completion notify; /* thread begin/end */
+};
+
+extern struct usb_driver rts51x_driver;
+
+static inline void get_current_time(u8 *timeval_buf, int buf_len)
+{
+ struct timeval tv;
+
+ if (!timeval_buf || (buf_len < 8))
+ return;
+
+ do_gettimeofday(&tv);
+
+ timeval_buf[0] = (u8) (tv.tv_sec >> 24);
+ timeval_buf[1] = (u8) (tv.tv_sec >> 16);
+ timeval_buf[2] = (u8) (tv.tv_sec >> 8);
+ timeval_buf[3] = (u8) (tv.tv_sec);
+ timeval_buf[4] = (u8) (tv.tv_usec >> 24);
+ timeval_buf[5] = (u8) (tv.tv_usec >> 16);
+ timeval_buf[6] = (u8) (tv.tv_usec >> 8);
+ timeval_buf[7] = (u8) (tv.tv_usec);
+}
+
+#define SND_CTRL_PIPE(chip) ((chip)->usb->send_ctrl_pipe)
+#define RCV_CTRL_PIPE(chip) ((chip)->usb->recv_ctrl_pipe)
+#define SND_BULK_PIPE(chip) ((chip)->usb->send_bulk_pipe)
+#define RCV_BULK_PIPE(chip) ((chip)->usb->recv_bulk_pipe)
+#define RCV_INTR_PIPE(chip) ((chip)->usb->recv_intr_pipe)
+
+/* The scsi_lock() and scsi_unlock() macros protect the sm_state and the
+ * single queue element srb for write access */
+#define scsi_unlock(host) spin_unlock_irq(host->host_lock)
+#define scsi_lock(host) spin_lock_irq(host->host_lock)
+
+#define GET_PM_USAGE_CNT(chip) \
+ atomic_read(&((chip)->usb->pusb_intf->pm_usage_cnt))
+#define SET_PM_USAGE_CNT(chip, cnt) \
+ atomic_set(&((chip)->usb->pusb_intf->pm_usage_cnt), (cnt))
+
+/* Compatible macros while we switch over */
+static inline void *usb_buffer_alloc(struct usb_device *dev, size_t size,
+ gfp_t mem_flags, dma_addr_t *dma)
+{
+ return usb_alloc_coherent(dev, size, mem_flags, dma);
+}
+
+static inline void usb_buffer_free(struct usb_device *dev, size_t size,
+ void *addr, dma_addr_t dma)
+{
+ return usb_free_coherent(dev, size, addr, dma);
+}
+
+/* Convert between us_data and the corresponding Scsi_Host */
+static inline struct Scsi_Host *rts51x_to_host(struct rts51x_chip *chip)
+{
+ return container_of((void *)chip, struct Scsi_Host, hostdata);
+}
+
+static inline struct rts51x_chip *host_to_rts51x(struct Scsi_Host *host)
+{
+ return (struct rts51x_chip *)(host->hostdata);
+}
+
+/* struct scsi_cmnd transfer buffer access utilities */
+enum xfer_buf_dir { TO_XFER_BUF, FROM_XFER_BUF };
+
+/* General routines provided by the usb-storage standard core */
+#ifdef CONFIG_PM
+void rts51x_try_to_exit_ss(struct rts51x_chip *chip);
+int rts51x_suspend(struct usb_interface *iface, pm_message_t message);
+int rts51x_resume(struct usb_interface *iface);
+int rts51x_reset_resume(struct usb_interface *iface);
+#else
+#define rts51x_suspend NULL
+#define rts51x_resume NULL
+#define rts51x_reset_resume NULL
+#endif
+
+extern struct scsi_host_template rts51x_host_template;
+
+#endif /* __RTS51X_H */
diff --git a/drivers/staging/rts5139/rts51x_card.c b/drivers/staging/rts5139/rts51x_card.c
new file mode 100644
index 000000000000..03456d9873e5
--- /dev/null
+++ b/drivers/staging/rts5139/rts51x_card.c
@@ -0,0 +1,940 @@
+/* Driver for Realtek RTS51xx USB card reader
+ *
+ * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author:
+ * wwang (wei_wang(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ * Maintainer:
+ * Edwin Rong (edwin_rong(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ */
+
+#include <linux/blkdev.h>
+#include <linux/kthread.h>
+#include <linux/sched.h>
+#include <linux/workqueue.h>
+
+#include <scsi/scsi.h>
+#include <scsi/scsi_eh.h>
+#include <scsi/scsi_device.h>
+
+#include "debug.h"
+#include "rts51x.h"
+#include "rts51x_chip.h"
+#include "rts51x_card.h"
+#include "rts51x_transport.h"
+#include "xd.h"
+#include "sd.h"
+#include "ms.h"
+
+void rts51x_do_remaining_work(struct rts51x_chip *chip)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ struct xd_info *xd_card = &(chip->xd_card);
+ struct ms_info *ms_card = &(chip->ms_card);
+
+ if (chip->card_ready & SD_CARD) {
+ if (sd_card->seq_mode) {
+ RTS51X_SET_STAT(chip, STAT_RUN);
+ sd_card->counter++;
+ } else {
+ sd_card->counter = 0;
+ }
+ }
+
+ if (chip->card_ready & XD_CARD) {
+ if (xd_card->delay_write.delay_write_flag) {
+ RTS51X_SET_STAT(chip, STAT_RUN);
+ xd_card->counter++;
+ } else {
+ xd_card->counter = 0;
+ }
+ }
+
+ if (chip->card_ready & MS_CARD) {
+ if (CHK_MSPRO(ms_card)) {
+ if (ms_card->seq_mode) {
+ RTS51X_SET_STAT(chip, STAT_RUN);
+ ms_card->counter++;
+ } else {
+ ms_card->counter = 0;
+ }
+ } else {
+ if (ms_card->delay_write.delay_write_flag) {
+ RTS51X_SET_STAT(chip, STAT_RUN);
+ ms_card->counter++;
+ } else {
+ ms_card->counter = 0;
+ }
+ }
+ }
+
+ if (sd_card->counter > POLLING_WAIT_CNT)
+ rts51x_sd_cleanup_work(chip);
+
+ if (xd_card->counter > POLLING_WAIT_CNT)
+ rts51x_xd_cleanup_work(chip);
+
+ if (ms_card->counter > POLLING_WAIT_CNT)
+ rts51x_ms_cleanup_work(chip);
+}
+
+static void do_rts51x_reset_xd_card(struct rts51x_chip *chip)
+{
+ int retval;
+
+ if (chip->card2lun[XD_CARD] >= MAX_ALLOWED_LUN_CNT)
+ return;
+
+ retval = rts51x_reset_xd_card(chip);
+ if (retval == STATUS_SUCCESS) {
+ chip->card_ready |= XD_CARD;
+ chip->card_fail &= ~XD_CARD;
+ chip->rw_card[chip->card2lun[XD_CARD]] = rts51x_xd_rw;
+ } else {
+ chip->card_ready &= ~XD_CARD;
+ chip->card_fail |= XD_CARD;
+ chip->capacity[chip->card2lun[XD_CARD]] = 0;
+ chip->rw_card[chip->card2lun[XD_CARD]] = NULL;
+
+ rts51x_init_cmd(chip);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_OE, XD_OUTPUT_EN, 0);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL, POWER_MASK,
+ POWER_OFF);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_CLK_EN, XD_CLK_EN, 0);
+ rts51x_send_cmd(chip, MODE_C, 100);
+ }
+}
+
+void rts51x_do_rts51x_reset_sd_card(struct rts51x_chip *chip)
+{
+ int retval;
+
+ if (chip->card2lun[SD_CARD] >= MAX_ALLOWED_LUN_CNT)
+ return;
+
+ retval = rts51x_reset_sd_card(chip);
+ if (retval == STATUS_SUCCESS) {
+ chip->card_ready |= SD_CARD;
+ chip->card_fail &= ~SD_CARD;
+ chip->rw_card[chip->card2lun[SD_CARD]] = rts51x_sd_rw;
+ } else {
+ chip->card_ready &= ~SD_CARD;
+ chip->card_fail |= SD_CARD;
+ chip->capacity[chip->card2lun[SD_CARD]] = 0;
+ chip->rw_card[chip->card2lun[SD_CARD]] = NULL;
+
+ rts51x_init_cmd(chip);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_OE, SD_OUTPUT_EN, 0);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL, POWER_MASK,
+ POWER_OFF);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_CLK_EN, SD_CLK_EN, 0);
+ rts51x_send_cmd(chip, MODE_C, 100);
+ }
+}
+
+static void do_rts51x_reset_ms_card(struct rts51x_chip *chip)
+{
+ int retval;
+
+ if (chip->card2lun[MS_CARD] >= MAX_ALLOWED_LUN_CNT)
+ return;
+
+ retval = rts51x_reset_ms_card(chip);
+ if (retval == STATUS_SUCCESS) {
+ chip->card_ready |= MS_CARD;
+ chip->card_fail &= ~MS_CARD;
+ chip->rw_card[chip->card2lun[MS_CARD]] = rts51x_ms_rw;
+ } else {
+ chip->card_ready &= ~MS_CARD;
+ chip->card_fail |= MS_CARD;
+ chip->capacity[chip->card2lun[MS_CARD]] = 0;
+ chip->rw_card[chip->card2lun[MS_CARD]] = NULL;
+
+ rts51x_init_cmd(chip);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_OE, MS_OUTPUT_EN, 0);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL, POWER_MASK,
+ POWER_OFF);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_CLK_EN, MS_CLK_EN, 0);
+ rts51x_send_cmd(chip, MODE_C, 100);
+ }
+}
+
+static void card_cd_debounce(struct rts51x_chip *chip, u8 *need_reset,
+ u8 *need_release)
+{
+ int retval;
+ u8 release_map = 0, reset_map = 0;
+ u8 value;
+
+ retval = rts51x_get_card_status(chip, &(chip->card_status));
+#ifdef SUPPORT_OCP
+ chip->ocp_stat = (chip->card_status >> 4) & 0x03;
+#endif
+
+ if (retval != STATUS_SUCCESS)
+ goto Exit_Debounce;
+
+ if (chip->card_exist) {
+ retval = rts51x_read_register(chip, CARD_INT_PEND, &value);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_ep0_write_register(chip, MC_FIFO_CTL, FIFO_FLUSH,
+ FIFO_FLUSH);
+ rts51x_ep0_write_register(chip, SFSM_ED, 0xf8, 0xf8);
+ value = 0;
+ }
+
+ if (chip->card_exist & XD_CARD) {
+ if (!(chip->card_status & XD_CD))
+ release_map |= XD_CARD;
+ } else if (chip->card_exist & SD_CARD) {
+ /* if (!(chip->card_status & SD_CD)) { */
+ if (!(chip->card_status & SD_CD) || (value & SD_INT))
+ release_map |= SD_CARD;
+ } else if (chip->card_exist & MS_CARD) {
+ /* if (!(chip->card_status & MS_CD)) { */
+ if (!(chip->card_status & MS_CD) || (value & MS_INT))
+ release_map |= MS_CARD;
+ }
+ } else {
+ if (chip->card_status & XD_CD)
+ reset_map |= XD_CARD;
+ else if (chip->card_status & SD_CD)
+ reset_map |= SD_CARD;
+ else if (chip->card_status & MS_CD)
+ reset_map |= MS_CARD;
+ }
+
+ if (CHECK_PKG(chip, QFN24) && reset_map) {
+ if (chip->card_exist & XD_CARD) {
+ reset_map = 0;
+ goto Exit_Debounce;
+ }
+ }
+
+ if (reset_map) {
+ int xd_cnt = 0, sd_cnt = 0, ms_cnt = 0;
+ int i;
+
+ for (i = 0; i < (chip->option.debounce_num); i++) {
+ retval =
+ rts51x_get_card_status(chip, &(chip->card_status));
+ if (retval != STATUS_SUCCESS) {
+ reset_map = release_map = 0;
+ goto Exit_Debounce;
+ }
+ if (chip->card_status & XD_CD)
+ xd_cnt++;
+ else
+ xd_cnt = 0;
+ if (chip->card_status & SD_CD)
+ sd_cnt++;
+ else
+ sd_cnt = 0;
+ if (chip->card_status & MS_CD)
+ ms_cnt++;
+ else
+ ms_cnt = 0;
+ wait_timeout(30);
+ }
+
+ reset_map = 0;
+ if (!(chip->card_exist & XD_CARD)
+ && (xd_cnt > (chip->option.debounce_num - 1))) {
+ reset_map |= XD_CARD;
+ }
+ if (!(chip->card_exist & SD_CARD)
+ && (sd_cnt > (chip->option.debounce_num - 1))) {
+ reset_map |= SD_CARD;
+ }
+ if (!(chip->card_exist & MS_CARD)
+ && (ms_cnt > (chip->option.debounce_num - 1))) {
+ reset_map |= MS_CARD;
+ }
+ }
+ rts51x_write_register(chip, CARD_INT_PEND, XD_INT | MS_INT | SD_INT,
+ XD_INT | MS_INT | SD_INT);
+
+Exit_Debounce:
+ if (need_reset)
+ *need_reset = reset_map;
+ if (need_release)
+ *need_release = release_map;
+}
+
+void rts51x_init_cards(struct rts51x_chip *chip)
+{
+ u8 need_reset = 0, need_release = 0;
+
+ card_cd_debounce(chip, &need_reset, &need_release);
+
+ if (need_release) {
+ RTS51X_DEBUGP("need_release = 0x%x\n", need_release);
+
+ rts51x_prepare_run(chip);
+ RTS51X_SET_STAT(chip, STAT_RUN);
+
+#ifdef SUPPORT_OCP
+ if (chip->ocp_stat & (MS_OCP_NOW | MS_OCP_EVER)) {
+ rts51x_write_register(chip, OCPCTL, MS_OCP_CLEAR,
+ MS_OCP_CLEAR);
+ chip->ocp_stat = 0;
+ RTS51X_DEBUGP("Clear OCP status.\n");
+ }
+#endif
+
+ if (need_release & XD_CARD) {
+ chip->card_exist &= ~XD_CARD;
+ chip->card_ejected = 0;
+ if (chip->card_ready & XD_CARD) {
+ rts51x_release_xd_card(chip);
+ chip->rw_card[chip->card2lun[XD_CARD]] = NULL;
+ clear_bit(chip->card2lun[XD_CARD],
+ &(chip->lun_mc));
+ }
+ }
+
+ if (need_release & SD_CARD) {
+ chip->card_exist &= ~SD_CARD;
+ chip->card_ejected = 0;
+ if (chip->card_ready & SD_CARD) {
+ rts51x_release_sd_card(chip);
+ chip->rw_card[chip->card2lun[SD_CARD]] = NULL;
+ clear_bit(chip->card2lun[SD_CARD],
+ &(chip->lun_mc));
+ }
+ }
+
+ if (need_release & MS_CARD) {
+ chip->card_exist &= ~MS_CARD;
+ chip->card_ejected = 0;
+ if (chip->card_ready & MS_CARD) {
+ rts51x_release_ms_card(chip);
+ chip->rw_card[chip->card2lun[MS_CARD]] = NULL;
+ clear_bit(chip->card2lun[MS_CARD],
+ &(chip->lun_mc));
+ }
+ }
+ }
+
+ if (need_reset && !chip->card_ready) {
+ RTS51X_DEBUGP("need_reset = 0x%x\n", need_reset);
+
+ rts51x_prepare_run(chip);
+ RTS51X_SET_STAT(chip, STAT_RUN);
+
+ if (need_reset & XD_CARD) {
+ chip->card_exist |= XD_CARD;
+ do_rts51x_reset_xd_card(chip);
+ } else if (need_reset & SD_CARD) {
+ chip->card_exist |= SD_CARD;
+ rts51x_do_rts51x_reset_sd_card(chip);
+ } else if (need_reset & MS_CARD) {
+ chip->card_exist |= MS_CARD;
+ do_rts51x_reset_ms_card(chip);
+ }
+ }
+}
+
+void rts51x_release_cards(struct rts51x_chip *chip)
+{
+ if (chip->card_ready & SD_CARD) {
+ rts51x_sd_cleanup_work(chip);
+ rts51x_release_sd_card(chip);
+ chip->card_ready &= ~SD_CARD;
+ }
+
+ if (chip->card_ready & XD_CARD) {
+ rts51x_xd_cleanup_work(chip);
+ rts51x_release_xd_card(chip);
+ chip->card_ready &= ~XD_CARD;
+ }
+
+ if (chip->card_ready & MS_CARD) {
+ rts51x_ms_cleanup_work(chip);
+ rts51x_release_ms_card(chip);
+ chip->card_ready &= ~MS_CARD;
+ }
+}
+
+static inline u8 double_depth(u8 depth)
+{
+ return (depth > 1) ? (depth - 1) : depth;
+}
+
+int rts51x_switch_ssc_clock(struct rts51x_chip *chip, int clk)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ struct ms_info *ms_card = &(chip->ms_card);
+ int retval;
+ u8 N = (u8) (clk - 2), min_N, max_N;
+ u8 mcu_cnt, div, max_div, ssc_depth;
+ int sd_vpclk_phase_reset = 0;
+
+ if (chip->cur_clk == clk)
+ return STATUS_SUCCESS;
+
+ min_N = 60;
+ max_N = 120;
+ max_div = CLK_DIV_4;
+
+ RTS51X_DEBUGP("Switch SSC clock to %dMHz\n", clk);
+
+ if ((clk <= 2) || (N > max_N))
+ TRACE_RET(chip, STATUS_FAIL);
+
+ mcu_cnt = (u8) (60 / clk + 3);
+ if (mcu_cnt > 15)
+ mcu_cnt = 15;
+ /* To make sure that the SSC clock div_n is
+ * equal or greater than min_N */
+ div = CLK_DIV_1;
+ while ((N < min_N) && (div < max_div)) {
+ N = (N + 2) * 2 - 2;
+ div++;
+ }
+ RTS51X_DEBUGP("N = %d, div = %d\n", N, div);
+
+ if (chip->option.ssc_en) {
+ if (chip->cur_card == SD_CARD) {
+ if (CHK_SD_SDR104(sd_card)) {
+ ssc_depth = chip->option.ssc_depth_sd_sdr104;
+ } else if (CHK_SD_SDR50(sd_card)) {
+ ssc_depth = chip->option.ssc_depth_sd_sdr50;
+ } else if (CHK_SD_DDR50(sd_card)) {
+ ssc_depth =
+ double_depth(chip->option.
+ ssc_depth_sd_ddr50);
+ } else if (CHK_SD_HS(sd_card)) {
+ ssc_depth =
+ double_depth(chip->option.ssc_depth_sd_hs);
+ } else if (CHK_MMC_52M(sd_card)
+ || CHK_MMC_DDR52(sd_card)) {
+ ssc_depth =
+ double_depth(chip->option.
+ ssc_depth_mmc_52m);
+ } else {
+ ssc_depth =
+ double_depth(chip->option.
+ ssc_depth_low_speed);
+ }
+ } else if (chip->cur_card == MS_CARD) {
+ if (CHK_MSPRO(ms_card)) {
+ if (CHK_HG8BIT(ms_card)) {
+ ssc_depth =
+ double_depth(chip->option.
+ ssc_depth_ms_hg);
+ } else {
+ ssc_depth =
+ double_depth(chip->option.
+ ssc_depth_ms_4bit);
+ }
+ } else {
+ if (CHK_MS4BIT(ms_card)) {
+ ssc_depth =
+ double_depth(chip->option.
+ ssc_depth_ms_4bit);
+ } else {
+ ssc_depth =
+ double_depth(chip->option.
+ ssc_depth_low_speed);
+ }
+ }
+ } else {
+ ssc_depth =
+ double_depth(chip->option.ssc_depth_low_speed);
+ }
+
+ if (ssc_depth) {
+ if (div == CLK_DIV_2) {
+ /* If clock divided by 2, ssc depth must
+ * be multiplied by 2 */
+ if (ssc_depth > 1)
+ ssc_depth -= 1;
+ else
+ ssc_depth = SSC_DEPTH_2M;
+ } else if (div == CLK_DIV_4) {
+ /* If clock divided by 4, ssc depth must
+ * be multiplied by 4 */
+ if (ssc_depth > 2)
+ ssc_depth -= 2;
+ else
+ ssc_depth = SSC_DEPTH_2M;
+ }
+ }
+ } else {
+ /* Disable SSC */
+ ssc_depth = 0;
+ }
+
+ RTS51X_DEBUGP("ssc_depth = %d\n", ssc_depth);
+
+ rts51x_init_cmd(chip);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CLK_DIV, CLK_CHANGE, CLK_CHANGE);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CLK_DIV, 0x3F,
+ (div << 4) | mcu_cnt);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SSC_CTL1, SSC_RSTB, 0);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SSC_CTL2, SSC_DEPTH_MASK,
+ ssc_depth);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SSC_DIV_N_0, 0xFF, N);
+ if (sd_vpclk_phase_reset) {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_VPCLK0_CTL,
+ PHASE_NOT_RESET, 0);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_VPCLK0_CTL,
+ PHASE_NOT_RESET, PHASE_NOT_RESET);
+ }
+
+ retval = rts51x_send_cmd(chip, MODE_C, 2000);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ if (chip->option.ssc_en && ssc_depth)
+ rts51x_write_register(chip, SSC_CTL1, 0xff, 0xD0);
+ else
+ rts51x_write_register(chip, SSC_CTL1, 0xff, 0x50);
+ udelay(100);
+ RTS51X_WRITE_REG(chip, CLK_DIV, CLK_CHANGE, 0);
+
+ chip->cur_clk = clk;
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_switch_normal_clock(struct rts51x_chip *chip, int clk)
+{
+ int retval;
+ u8 sel, div, mcu_cnt;
+ int sd_vpclk_phase_reset = 0;
+
+ if (chip->cur_clk == clk)
+ return STATUS_SUCCESS;
+
+ if (chip->cur_card == SD_CARD) {
+ struct sd_info *sd_card = &(chip->sd_card);
+ if (CHK_SD30_SPEED(sd_card) || CHK_MMC_DDR52(sd_card))
+ sd_vpclk_phase_reset = 1;
+ }
+
+ switch (clk) {
+ case CLK_20:
+ RTS51X_DEBUGP("Switch clock to 20MHz\n");
+ sel = SSC_80;
+ div = CLK_DIV_4;
+ mcu_cnt = 5;
+ break;
+
+ case CLK_30:
+ RTS51X_DEBUGP("Switch clock to 30MHz\n");
+ sel = SSC_60;
+ div = CLK_DIV_2;
+ mcu_cnt = 4;
+ break;
+
+ case CLK_40:
+ RTS51X_DEBUGP("Switch clock to 40MHz\n");
+ sel = SSC_80;
+ div = CLK_DIV_2;
+ mcu_cnt = 3;
+ break;
+
+ case CLK_50:
+ RTS51X_DEBUGP("Switch clock to 50MHz\n");
+ sel = SSC_100;
+ div = CLK_DIV_2;
+ mcu_cnt = 3;
+ break;
+
+ case CLK_60:
+ RTS51X_DEBUGP("Switch clock to 60MHz\n");
+ sel = SSC_60;
+ div = CLK_DIV_1;
+ mcu_cnt = 3;
+ break;
+
+ case CLK_80:
+ RTS51X_DEBUGP("Switch clock to 80MHz\n");
+ sel = SSC_80;
+ div = CLK_DIV_1;
+ mcu_cnt = 2;
+ break;
+
+ case CLK_100:
+ RTS51X_DEBUGP("Switch clock to 100MHz\n");
+ sel = SSC_100;
+ div = CLK_DIV_1;
+ mcu_cnt = 2;
+ break;
+
+ /* case CLK_120:
+ RTS51X_DEBUGP("Switch clock to 120MHz\n");
+ sel = SSC_120;
+ div = CLK_DIV_1;
+ mcu_cnt = 2;
+ break;
+
+ case CLK_150:
+ RTS51X_DEBUGP("Switch clock to 150MHz\n");
+ sel = SSC_150;
+ div = CLK_DIV_1;
+ mcu_cnt = 2;
+ break; */
+
+ default:
+ RTS51X_DEBUGP("Try to switch to an illegal clock (%d)\n",
+ clk);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ if (!sd_vpclk_phase_reset) {
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CLK_DIV, CLK_CHANGE,
+ CLK_CHANGE);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CLK_DIV, 0x3F,
+ (div << 4) | mcu_cnt);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SSC_CLK_FPGA_SEL, 0xFF,
+ sel);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CLK_DIV, CLK_CHANGE, 0);
+
+ retval = rts51x_send_cmd(chip, MODE_C, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ } else {
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CLK_DIV, CLK_CHANGE,
+ CLK_CHANGE);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_VPCLK0_CTL,
+ PHASE_NOT_RESET, 0);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_VPCLK1_CTL,
+ PHASE_NOT_RESET, 0);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CLK_DIV, 0x3F,
+ (div << 4) | mcu_cnt);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SSC_CLK_FPGA_SEL, 0xFF,
+ sel);
+
+ retval = rts51x_send_cmd(chip, MODE_C, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ udelay(200);
+
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_VPCLK0_CTL,
+ PHASE_NOT_RESET, PHASE_NOT_RESET);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_VPCLK1_CTL,
+ PHASE_NOT_RESET, PHASE_NOT_RESET);
+
+ retval = rts51x_send_cmd(chip, MODE_C, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ udelay(200);
+
+ RTS51X_WRITE_REG(chip, CLK_DIV, CLK_CHANGE, 0);
+ }
+
+ chip->cur_clk = clk;
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_card_rw(struct scsi_cmnd *srb, struct rts51x_chip *chip,
+ u32 sec_addr, u16 sec_cnt)
+{
+ int retval;
+ unsigned int lun = SCSI_LUN(srb);
+ int i;
+
+ if (chip->rw_card[lun] == NULL)
+ return STATUS_FAIL;
+
+ RTS51X_DEBUGP("%s card, sector addr: 0x%x, sector cnt: %d\n",
+ (srb->sc_data_direction ==
+ DMA_TO_DEVICE) ? "Write" : "Read", sec_addr, sec_cnt);
+
+ chip->rw_need_retry = 0;
+ for (i = 0; i < 3; i++) {
+ retval = chip->rw_card[lun] (srb, chip, sec_addr, sec_cnt);
+ if (retval != STATUS_SUCCESS) {
+ CATCH_TRIGGER(chip);
+ if (chip->option.reset_or_rw_fail_set_pad_drive) {
+ rts51x_write_register(chip, CARD_DRIVE_SEL,
+ SD20_DRIVE_MASK,
+ DRIVE_8mA);
+ }
+ }
+
+ if (!chip->rw_need_retry)
+ break;
+
+ RTS51X_DEBUGP("Retry RW, (i = %d\n)", i);
+ }
+
+ return retval;
+}
+
+u8 rts51x_get_lun_card(struct rts51x_chip *chip, unsigned int lun)
+{
+ if ((chip->card_ready & chip->lun2card[lun]) == XD_CARD)
+ return (u8) XD_CARD;
+ else if ((chip->card_ready & chip->lun2card[lun]) == SD_CARD)
+ return (u8) SD_CARD;
+ else if ((chip->card_ready & chip->lun2card[lun]) == MS_CARD)
+ return (u8) MS_CARD;
+
+ return 0;
+}
+
+static int card_share_mode(struct rts51x_chip *chip, int card)
+{
+ u8 value;
+
+ if (card == SD_CARD)
+ value = CARD_SHARE_SD;
+ else if (card == MS_CARD)
+ value = CARD_SHARE_MS;
+ else if (card == XD_CARD)
+ value = CARD_SHARE_XD;
+ else
+ TRACE_RET(chip, STATUS_FAIL);
+
+ RTS51X_WRITE_REG(chip, CARD_SHARE_MODE, CARD_SHARE_MASK, value);
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_select_card(struct rts51x_chip *chip, int card)
+{
+ int retval;
+
+ if (chip->cur_card != card) {
+ u8 mod;
+
+ if (card == SD_CARD)
+ mod = SD_MOD_SEL;
+ else if (card == MS_CARD)
+ mod = MS_MOD_SEL;
+ else if (card == XD_CARD)
+ mod = XD_MOD_SEL;
+ else
+ TRACE_RET(chip, STATUS_FAIL);
+ RTS51X_WRITE_REG(chip, CARD_SELECT, 0x07, mod);
+ chip->cur_card = card;
+
+ retval = card_share_mode(chip, card);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+void rts51x_eject_card(struct rts51x_chip *chip, unsigned int lun)
+{
+ RTS51X_DEBUGP("eject card\n");
+ RTS51X_SET_STAT(chip, STAT_RUN);
+ rts51x_do_remaining_work(chip);
+
+ if ((chip->card_ready & chip->lun2card[lun]) == SD_CARD) {
+ rts51x_release_sd_card(chip);
+ chip->card_ejected |= SD_CARD;
+ chip->card_ready &= ~SD_CARD;
+ chip->capacity[lun] = 0;
+ } else if ((chip->card_ready & chip->lun2card[lun]) == XD_CARD) {
+ rts51x_release_xd_card(chip);
+ chip->card_ejected |= XD_CARD;
+ chip->card_ready &= ~XD_CARD;
+ chip->capacity[lun] = 0;
+ } else if ((chip->card_ready & chip->lun2card[lun]) == MS_CARD) {
+ rts51x_release_ms_card(chip);
+ chip->card_ejected |= MS_CARD;
+ chip->card_ready &= ~MS_CARD;
+ chip->capacity[lun] = 0;
+ }
+ rts51x_write_register(chip, CARD_INT_PEND, XD_INT | MS_INT | SD_INT,
+ XD_INT | MS_INT | SD_INT);
+}
+
+void rts51x_trans_dma_enable(enum dma_data_direction dir,
+ struct rts51x_chip *chip, u32 byte_cnt, u8 pack_size)
+{
+ if (pack_size > DMA_1024)
+ pack_size = DMA_512;
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01,
+ RING_BUFFER);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MC_DMA_TC3, 0xFF,
+ (u8) (byte_cnt >> 24));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MC_DMA_TC2, 0xFF,
+ (u8) (byte_cnt >> 16));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MC_DMA_TC1, 0xFF,
+ (u8) (byte_cnt >> 8));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MC_DMA_TC0, 0xFF, (u8) byte_cnt);
+
+ if (dir == DMA_FROM_DEVICE) {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MC_DMA_CTL,
+ 0x03 | DMA_PACK_SIZE_MASK,
+ DMA_DIR_FROM_CARD | DMA_EN | pack_size);
+ } else {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, MC_DMA_CTL,
+ 0x03 | DMA_PACK_SIZE_MASK,
+ DMA_DIR_TO_CARD | DMA_EN | pack_size);
+ }
+}
+
+int rts51x_enable_card_clock(struct rts51x_chip *chip, u8 card)
+{
+ u8 clk_en = 0;
+
+ if (card & XD_CARD)
+ clk_en |= XD_CLK_EN;
+ if (card & SD_CARD)
+ clk_en |= SD_CLK_EN;
+ if (card & MS_CARD)
+ clk_en |= MS_CLK_EN;
+
+ RTS51X_WRITE_REG(chip, CARD_CLK_EN, clk_en, clk_en);
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_card_power_on(struct rts51x_chip *chip, u8 card)
+{
+ u8 mask, val1, val2;
+
+ mask = POWER_MASK;
+ val1 = PARTIAL_POWER_ON;
+ val2 = POWER_ON;
+
+#ifdef SD_XD_IO_FOLLOW_PWR
+ if ((card == SD_CARD) || (card == XD_CARD)) {
+ RTS51X_WRITE_REG(chip, CARD_PWR_CTL, mask | LDO3318_PWR_MASK,
+ val1 | LDO_SUSPEND);
+ } else {
+#endif
+ RTS51X_WRITE_REG(chip, CARD_PWR_CTL, mask, val1);
+#ifdef SD_XD_IO_FOLLOW_PWR
+ }
+#endif
+ udelay(chip->option.pwr_delay);
+ RTS51X_WRITE_REG(chip, CARD_PWR_CTL, mask, val2);
+#ifdef SD_XD_IO_FOLLOW_PWR
+ if (card == SD_CARD) {
+ rts51x_write_register(chip, CARD_PWR_CTL, LDO3318_PWR_MASK,
+ LDO_ON);
+ }
+#endif
+
+ return STATUS_SUCCESS;
+}
+
+int monitor_card_cd(struct rts51x_chip *chip, u8 card)
+{
+ int retval;
+ u8 card_cd[32] = { 0 };
+
+ card_cd[SD_CARD] = SD_CD;
+ card_cd[XD_CARD] = XD_CD;
+ card_cd[MS_CARD] = MS_CD;
+
+ retval = rts51x_get_card_status(chip, &(chip->card_status));
+ if (retval != STATUS_SUCCESS)
+ return CD_NOT_EXIST;
+
+ if (chip->card_status & card_cd[card])
+ return CD_EXIST;
+
+ return CD_NOT_EXIST;
+}
+
+int rts51x_toggle_gpio(struct rts51x_chip *chip, u8 gpio)
+{
+ int retval;
+ u8 temp_reg;
+ u8 gpio_output[4] = {
+ 0x01,
+ };
+ u8 gpio_oe[4] = {
+ 0x02,
+ };
+ if (chip->rts5179) {
+ retval = rts51x_ep0_read_register(chip, CARD_GPIO, &temp_reg);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, STATUS_FAIL);
+ temp_reg ^= gpio_oe[gpio];
+ temp_reg &= 0xfe; /* bit 0 always set 0 */
+ retval =
+ rts51x_ep0_write_register(chip, CARD_GPIO, 0x03, temp_reg);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, STATUS_FAIL);
+ } else {
+ retval = rts51x_ep0_read_register(chip, CARD_GPIO, &temp_reg);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, STATUS_FAIL);
+ temp_reg ^= gpio_output[gpio];
+ retval =
+ rts51x_ep0_write_register(chip, CARD_GPIO, 0xFF,
+ temp_reg | gpio_oe[gpio]);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_turn_on_led(struct rts51x_chip *chip, u8 gpio)
+{
+ int retval;
+ u8 gpio_oe[4] = {
+ 0x02,
+ };
+ u8 gpio_mask[4] = {
+ 0x03,
+ };
+
+ retval =
+ rts51x_ep0_write_register(chip, CARD_GPIO, gpio_mask[gpio],
+ gpio_oe[gpio]);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_turn_off_led(struct rts51x_chip *chip, u8 gpio)
+{
+ int retval;
+ u8 gpio_output[4] = {
+ 0x01,
+ };
+ u8 gpio_oe[4] = {
+ 0x02,
+ };
+ u8 gpio_mask[4] = {
+ 0x03,
+ };
+
+ retval =
+ rts51x_ep0_write_register(chip, CARD_GPIO, gpio_mask[gpio],
+ gpio_oe[gpio] | gpio_output[gpio]);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ return STATUS_SUCCESS;
+}
diff --git a/drivers/staging/rts5139/rts51x_card.h b/drivers/staging/rts5139/rts51x_card.h
new file mode 100644
index 000000000000..df8816e0f840
--- /dev/null
+++ b/drivers/staging/rts5139/rts51x_card.h
@@ -0,0 +1,870 @@
+/* Driver for Realtek RTS51xx USB card reader
+ * Header file
+ *
+ * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author:
+ * wwang (wei_wang(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ * Maintainer:
+ * Edwin Rong (edwin_rong(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ */
+
+#ifndef __RTS51X_CARD_H
+#define __RTS51X_CARD_H
+
+#include "rts51x_chip.h"
+
+/* Register bit definition */
+
+/* Card Power Control Register */
+#define POWER_OFF 0x03
+#define PARTIAL_POWER_ON 0x02
+#define POWER_ON 0x00
+#define POWER_MASK 0x03
+#define LDO3318_PWR_MASK 0x0C
+#define LDO_ON 0x00
+#define LDO_SUSPEND 0x08
+#define LDO_OFF 0x0C
+#define DV3318_AUTO_PWR_OFF 0x10
+#define FORCE_LDO_POWERB 0x60
+
+/* Card Output Enable Register */
+#define XD_OUTPUT_EN 0x02
+#define SD_OUTPUT_EN 0x04
+#define MS_OUTPUT_EN 0x08
+
+/* System Clock Control Register */
+
+/* System Clock Divider Register */
+#define CLK_CHANGE 0x80
+#define CLK_DIV_1 0x00
+#define CLK_DIV_2 0x01
+#define CLK_DIV_4 0x02
+#define CLK_DIV_8 0x03
+
+/* System Clock Select Register */
+#define SSC_60 0
+#define SSC_80 1
+#define SSC_100 2
+#define SSC_120 3
+#define SSC_150 4
+
+/* Card Clock Enable Register */
+#define XD_CLK_EN 0x02
+#define SD_CLK_EN 0x04
+#define MS_CLK_EN 0x08
+
+/* Card Select Register */
+#define XD_MOD_SEL 1
+#define SD_MOD_SEL 2
+#define MS_MOD_SEL 3
+
+/* Card Transfer Reset Register */
+#define XD_STOP 0x02
+#define SD_STOP 0x04
+#define MS_STOP 0x08
+#define XD_CLR_ERR 0x20
+#define SD_CLR_ERR 0x40
+#define MS_CLR_ERR 0x80
+
+/* SD30_drive_sel */
+#define SD30_DRIVE_MASK 0x07
+
+/* CARD_DRIVE_SEL */
+#define SD20_DRIVE_MASK 0x03
+#define DRIVE_4mA 0x00
+#define DRIVE_8mA 0x01
+#define DRIVE_12mA 0x02
+
+/* FPGA_PULL_CTL */
+#define FPGA_MS_PULL_CTL_EN 0xEF
+#define FPGA_SD_PULL_CTL_EN 0xF7
+#define FPGA_XD_PULL_CTL_EN1 0xFE
+#define FPGA_XD_PULL_CTL_EN2 0xFD
+#define FPGA_XD_PULL_CTL_EN3 0xFB
+
+#define FPGA_MS_PULL_CTL_BIT 0x10
+#define FPGA_SD_PULL_CTL_BIT 0x08
+
+/* Card Data Source Register */
+#define PINGPONG_BUFFER 0x01
+#define RING_BUFFER 0x00
+
+/* SFSM_ED */
+#define HW_CMD_STOP 0x80
+#define CLR_STAGE_STALL 0x08
+#define CARD_ERR 0x10
+
+/* CARD_SHARE_MODE */
+#define CARD_SHARE_LQFP48 0x04
+#define CARD_SHARE_QFN24 0x00
+#define CARD_SHARE_LQFP_SEL 0x04
+#define CARD_SHARE_XD 0x00
+#define CARD_SHARE_SD 0x01
+#define CARD_SHARE_MS 0x02
+#define CARD_SHARE_MASK 0x03
+
+/* CARD_AUTO_BLINK */
+#define BLINK_ENABLE 0x08
+#define BLINK_SPEED_MASK 0x07
+
+/* CARD_GPIO */
+#define GPIO_OE 0x02
+#define GPIO_OUTPUT 0x01
+
+/* CARD_CLK_SOURCE */
+#define CRC_FIX_CLK (0x00 << 0)
+#define CRC_VAR_CLK0 (0x01 << 0)
+#define CRC_VAR_CLK1 (0x02 << 0)
+#define SD30_FIX_CLK (0x00 << 2)
+#define SD30_VAR_CLK0 (0x01 << 2)
+#define SD30_VAR_CLK1 (0x02 << 2)
+#define SAMPLE_FIX_CLK (0x00 << 4)
+#define SAMPLE_VAR_CLK0 (0x01 << 4)
+#define SAMPLE_VAR_CLK1 (0x02 << 4)
+
+/* DCM_DRP_CTL */
+#define DCM_RESET 0x08
+#define DCM_LOCKED 0x04
+#define DCM_208M 0x00
+#define DCM_TX 0x01
+#define DCM_RX 0x02
+
+/* DCM_DRP_TRIG */
+#define DRP_START 0x80
+#define DRP_DONE 0x40
+
+/* DCM_DRP_CFG */
+#define DRP_WRITE 0x80
+#define DRP_READ 0x00
+#define DCM_WRITE_ADDRESS_50 0x50
+#define DCM_WRITE_ADDRESS_51 0x51
+#define DCM_READ_ADDRESS_00 0x00
+#define DCM_READ_ADDRESS_51 0x51
+
+/* HW_VERSION */
+#define FPGA_VER 0x80
+#define HW_VER_MASK 0x0F
+
+/* CD_DEGLITCH_EN */
+#define DISABLE_SD_CD 0x08
+#define DISABLE_MS_CD 0x10
+#define DISABLE_XD_CD 0x20
+#define SD_CD_DEGLITCH_EN 0x01
+#define MS_CD_DEGLITCH_EN 0x02
+#define XD_CD_DEGLITCH_EN 0x04
+
+/* OCPCTL */
+#define CARD_OC_DETECT_EN 0x08
+#define CARD_OC_CLR 0x01
+
+/* CARD_DMA1_CTL */
+#define EXTEND_DMA1_ASYNC_SIGNAL 0x02
+
+/* HS_USB_STAT */
+#define USB_HI_SPEED 0x01
+
+/* CFG_MODE_1 */
+#define RTS5179 0x02
+
+/* SYS_DUMMY0 */
+#define NYET_EN 0x01
+#define NYET_MSAK 0x01
+
+/* SSC_CTL1 */
+#define SSC_RSTB 0x80
+#define SSC_8X_EN 0x40
+#define SSC_FIX_FRAC 0x20
+#define SSC_SEL_1M 0x00
+#define SSC_SEL_2M 0x08
+#define SSC_SEL_4M 0x10
+#define SSC_SEL_8M 0x18
+
+/* SSC_CTL2 */
+#define SSC_DEPTH_MASK 0x03
+#define SSC_DEPTH_DISALBE 0x00
+#define SSC_DEPTH_2M 0x01
+#define SSC_DEPTH_1M 0x02
+#define SSC_DEPTH_512K 0x03
+
+/* LDO_POWER_CFG */
+#define TUNE_SD18_MASK 0x1C
+#define TUNE_SD18_1V8 (0x01 << 2)
+#define TUNE_SD18_3V3 (0x07 << 2)
+
+/* XD_CP_WAITTIME */
+#define WAIT_1F 0x00
+#define WAIT_3F 0x01
+#define WAIT_7F 0x02
+#define WAIT_FF 0x03
+
+/* XD_INIT */
+#define XD_PWR_OFF_DELAY0 0x00
+#define XD_PWR_OFF_DELAY1 0x02
+#define XD_PWR_OFF_DELAY2 0x04
+#define XD_PWR_OFF_DELAY3 0x06
+#define XD_AUTO_PWR_OFF_EN 0xF7
+#define XD_NO_AUTO_PWR_OFF 0x08
+
+/* XD_DTCTL */
+/* XD_CATCTL */
+#define XD_TIME_RWN_1 0x00
+#define XD_TIME_RWN_STEP 0x20
+#define XD_TIME_RW_1 0x00
+#define XD_TIME_RW_STEP 0x04
+#define XD_TIME_SETUP_1 0x00
+#define XD_TIME_SETUP_STEP 0x01
+
+/* XD_CTL */
+#define XD_ECC2_UNCORRECTABLE 0x80
+#define XD_ECC2_ERROR 0x40
+#define XD_ECC1_UNCORRECTABLE 0x20
+#define XD_ECC1_ERROR 0x10
+#define XD_RDY 0x04
+#define XD_CE_EN 0xFD
+#define XD_CE_DISEN 0x02
+#define XD_WP_EN 0xFE
+#define XD_WP_DISEN 0x01
+
+/* XD_TRANSFER */
+#define XD_TRANSFER_START 0x80
+#define XD_TRANSFER_END 0x40
+#define XD_PPB_EMPTY 0x20
+#define XD_ERR 0x10
+#define XD_RESET 0x00
+#define XD_ERASE 0x01
+#define XD_READ_STATUS 0x02
+#define XD_READ_ID 0x03
+#define XD_READ_REDUNDANT 0x04
+#define XD_READ_PAGES 0x05
+#define XD_SET_CMD 0x06
+#define XD_NORMAL_READ 0x07
+#define XD_WRITE_PAGES 0x08
+#define XD_NORMAL_WRITE 0x09
+#define XD_WRITE_REDUNDANT 0x0A
+#define XD_SET_ADDR 0x0B
+#define XD_COPY_PAGES 0x0C
+
+/* XD_CFG */
+#define XD_PPB_TO_SIE 0x80
+#define XD_TO_PPB_ONLY 0x00
+#define XD_BA_TRANSFORM 0x40
+#define XD_BA_NO_TRANSFORM 0x00
+#define XD_NO_CALC_ECC 0x20
+#define XD_CALC_ECC 0x00
+#define XD_IGNORE_ECC 0x10
+#define XD_CHECK_ECC 0x00
+#define XD_DIRECT_TO_RB 0x08
+#define XD_ADDR_MASK 0x07
+#define XD_ADDR_LENGTH_0 0x00
+#define XD_ADDR_LENGTH_1 0x01
+#define XD_ADDR_LENGTH_2 0x02
+#define XD_ADDR_LENGTH_3 0x03
+#define XD_ADDR_LENGTH_4 0x04
+
+/* XD_PAGE_STATUS */
+#define XD_GPG 0xFF
+#define XD_BPG 0x00
+
+/* XD_BLOCK_STATUS */
+#define XD_GBLK 0xFF
+#define XD_LATER_BBLK 0xF0
+
+/* XD_PARITY */
+#define XD_ECC2_ALL1 0x80
+#define XD_ECC1_ALL1 0x40
+#define XD_BA2_ALL0 0x20
+#define XD_BA1_ALL0 0x10
+#define XD_BA1_BA2_EQL 0x04
+#define XD_BA2_VALID 0x02
+#define XD_BA1_VALID 0x01
+
+/* XD_CHK_DATA_STATUS */
+#define XD_PGSTS_ZEROBIT_OVER4 0x00
+#define XD_PGSTS_NOT_FF 0x02
+#define XD_AUTO_CHK_DATA_STATUS 0x01
+
+/* SD_CFG1 */
+#define SD_CLK_DIVIDE_0 0x00
+#define SD_CLK_DIVIDE_256 0xC0
+#define SD_CLK_DIVIDE_128 0x80
+#define SD_CLK_DIVIDE_MASK 0xC0
+#define SD_BUS_WIDTH_1 0x00
+#define SD_BUS_WIDTH_4 0x01
+#define SD_BUS_WIDTH_8 0x02
+#define SD_ASYNC_FIFO_RST 0x10
+#define SD_20_MODE 0x00
+#define SD_DDR_MODE 0x04
+#define SD_30_MODE 0x08
+
+/* SD_CFG2 */
+#define SD_CALCULATE_CRC7 0x00
+#define SD_NO_CALCULATE_CRC7 0x80
+#define SD_CHECK_CRC16 0x00
+#define SD_NO_CHECK_CRC16 0x40
+#define SD_WAIT_CRC_TO_EN 0x20
+#define SD_WAIT_BUSY_END 0x08
+#define SD_NO_WAIT_BUSY_END 0x00
+#define SD_CHECK_CRC7 0x00
+#define SD_NO_CHECK_CRC7 0x04
+#define SD_RSP_LEN_0 0x00
+#define SD_RSP_LEN_6 0x01
+#define SD_RSP_LEN_17 0x02
+/* SD/MMC Response Type Definition */
+/* SD_CALCULATE_CRC7, SD_CHECK_CRC16,
+ * SD_NO_WAIT_BUSY_END, SD_NO_CHECK_CRC7,
+ * SD_RSP_LEN_0 */
+#define SD_RSP_TYPE_R0 0x04
+/* SD_CALCULATE_CRC7, SD_CHECK_CRC16,
+ * SD_NO_WAIT_BUSY_END, SD_CHECK_CRC7,
+ * SD_RSP_LEN_6 */
+#define SD_RSP_TYPE_R1 0x01
+/* SD_CALCULATE_CRC7, SD_CHECK_CRC16,
+ * SD_WAIT_BUSY_END, SD_CHECK_CRC7,
+ * SD_RSP_LEN_6 */
+#define SD_RSP_TYPE_R1b 0x09
+/* SD_CALCULATE_CRC7, SD_CHECK_CRC16,
+ * SD_NO_WAIT_BUSY_END, SD_CHECK_CRC7,
+ * SD_RSP_LEN_17 */
+#define SD_RSP_TYPE_R2 0x02
+/* SD_CALCULATE_CRC7, SD_CHECK_CRC16,
+ * SD_NO_WAIT_BUSY_END, SD_NO_CHECK_CRC7,
+ * SD_RSP_LEN_6 */
+#define SD_RSP_TYPE_R3 0x05
+/* SD_CALCULATE_CRC7, SD_CHECK_CRC16,
+ * SD_NO_WAIT_BUSY_END, SD_NO_CHECK_CRC7,
+ * SD_RSP_LEN_6 */
+#define SD_RSP_TYPE_R4 0x05
+/* SD_CALCULATE_CRC7, SD_CHECK_CRC16,
+ * SD_NO_WAIT_BUSY_END, SD_CHECK_CRC7,
+ * SD_RSP_LEN_6 */
+#define SD_RSP_TYPE_R5 0x01
+/* SD_CALCULATE_CRC7, SD_CHECK_CRC16,
+ * SD_NO_WAIT_BUSY_END, SD_CHECK_CRC7,
+ * SD_RSP_LEN_6 */
+#define SD_RSP_TYPE_R6 0x01
+/* SD_CALCULATE_CRC7, SD_CHECK_CRC16,
+ * SD_NO_WAIT_BUSY_END, SD_CHECK_CRC7,
+ * SD_RSP_LEN_6 */
+#define SD_RSP_TYPE_R7 0x01
+
+/* SD_CFG3 */
+#define SD_RSP_80CLK_TIMEOUT_EN 0x01
+
+/* SD_STAT1 */
+#define SD_CRC7_ERR 0x80
+#define SD_CRC16_ERR 0x40
+#define SD_CRC_WRITE_ERR 0x20
+#define SD_CRC_WRITE_ERR_MASK 0x1C
+#define GET_CRC_TIME_OUT 0x02
+#define SD_TUNING_COMPARE_ERR 0x01
+
+/* SD_STAT2 */
+#define SD_RSP_80CLK_TIMEOUT 0x01
+
+/* SD_BUS_STAT */
+#define SD_CLK_TOGGLE_EN 0x80
+#define SD_CLK_FORCE_STOP 0x40
+#define SD_DAT3_STATUS 0x10
+#define SD_DAT2_STATUS 0x08
+#define SD_DAT1_STATUS 0x04
+#define SD_DAT0_STATUS 0x02
+#define SD_CMD_STATUS 0x01
+
+/* SD_PAD_CTL */
+#define SD_IO_USING_1V8 0x80
+#define SD_IO_USING_3V3 0x7F
+#define TYPE_A_DRIVING 0x00
+#define TYPE_B_DRIVING 0x01
+#define TYPE_C_DRIVING 0x02
+#define TYPE_D_DRIVING 0x03
+
+/* SD_SAMPLE_POINT_CTL */
+#define DDR_FIX_RX_DAT 0x00
+#define DDR_VAR_RX_DAT 0x80
+#define DDR_FIX_RX_DAT_EDGE 0x00
+#define DDR_FIX_RX_DAT_14_DELAY 0x40
+#define DDR_FIX_RX_CMD 0x00
+#define DDR_VAR_RX_CMD 0x20
+#define DDR_FIX_RX_CMD_POS_EDGE 0x00
+#define DDR_FIX_RX_CMD_14_DELAY 0x10
+#define SD20_RX_POS_EDGE 0x00
+#define SD20_RX_14_DELAY 0x08
+#define SD20_RX_SEL_MASK 0x08
+
+/* SD_PUSH_POINT_CTL */
+#define DDR_FIX_TX_CMD_DAT 0x00
+#define DDR_VAR_TX_CMD_DAT 0x80
+#define DDR_FIX_TX_DAT_14_TSU 0x00
+#define DDR_FIX_TX_DAT_12_TSU 0x40
+#define DDR_FIX_TX_CMD_NEG_EDGE 0x00
+#define DDR_FIX_TX_CMD_14_AHEAD 0x20
+#define SD20_TX_NEG_EDGE 0x00
+#define SD20_TX_14_AHEAD 0x10
+#define SD20_TX_SEL_MASK 0x10
+#define DDR_VAR_SDCLK_POL_SWAP 0x01
+
+/* SD_TRANSFER */
+#define SD_TRANSFER_START 0x80
+#define SD_TRANSFER_END 0x40
+#define SD_STAT_IDLE 0x20
+#define SD_TRANSFER_ERR 0x10
+/* SD Transfer Mode definition */
+#define SD_TM_NORMAL_WRITE 0x00
+#define SD_TM_AUTO_WRITE_3 0x01
+#define SD_TM_AUTO_WRITE_4 0x02
+#define SD_TM_AUTO_READ_3 0x05
+#define SD_TM_AUTO_READ_4 0x06
+#define SD_TM_CMD_RSP 0x08
+#define SD_TM_AUTO_WRITE_1 0x09
+#define SD_TM_AUTO_WRITE_2 0x0A
+#define SD_TM_NORMAL_READ 0x0C
+#define SD_TM_AUTO_READ_1 0x0D
+#define SD_TM_AUTO_READ_2 0x0E
+#define SD_TM_AUTO_TUNING 0x0F
+
+/* SD_VPTX_CTL / SD_VPRX_CTL */
+#define PHASE_CHANGE 0x80
+#define PHASE_NOT_RESET 0x40
+
+/* SD_DCMPS_TX_CTL / SD_DCMPS_RX_CTL */
+#define DCMPS_CHANGE 0x80
+#define DCMPS_CHANGE_DONE 0x40
+#define DCMPS_ERROR 0x20
+#define DCMPS_CURRENT_PHASE 0x1F
+
+/* SD_CMD_STATE */
+#define SD_CMD_IDLE 0x80
+
+/* SD_DATA_STATE */
+#define SD_DATA_IDLE 0x80
+
+/* MS_BLKEND */
+#define SET_BLKEND 0x01
+
+/* MS_CFG */
+#define SAMPLE_TIME_RISING 0x00
+#define SAMPLE_TIME_FALLING 0x80
+#define PUSH_TIME_DEFAULT 0x00
+#define PUSH_TIME_ODD 0x40
+#define NO_EXTEND_TOGGLE 0x00
+#define EXTEND_TOGGLE_CHK 0x20
+#define MS_BUS_WIDTH_1 0x00
+#define MS_BUS_WIDTH_4 0x10
+#define MS_BUS_WIDTH_8 0x18
+#define MS_2K_SECTOR_MODE 0x04
+#define MS_512_SECTOR_MODE 0x00
+#define MS_TOGGLE_TIMEOUT_EN 0x00
+#define MS_TOGGLE_TIMEOUT_DISEN 0x01
+#define MS_NO_CHECK_INT 0x02
+
+/* MS_TRANS_CFG */
+#define WAIT_INT 0x80
+#define NO_WAIT_INT 0x00
+#define NO_AUTO_READ_INT_REG 0x00
+#define AUTO_READ_INT_REG 0x40
+#define MS_CRC16_ERR 0x20
+#define MS_RDY_TIMEOUT 0x10
+#define MS_INT_CMDNK 0x08
+#define MS_INT_BREQ 0x04
+#define MS_INT_ERR 0x02
+#define MS_INT_CED 0x01
+
+/* MS_TRANSFER */
+#define MS_TRANSFER_START 0x80
+#define MS_TRANSFER_END 0x40
+#define MS_TRANSFER_ERR 0x20
+#define MS_BS_STATE 0x10
+#define MS_TM_READ_BYTES 0x00
+#define MS_TM_NORMAL_READ 0x01
+#define MS_TM_WRITE_BYTES 0x04
+#define MS_TM_NORMAL_WRITE 0x05
+#define MS_TM_AUTO_READ 0x08
+#define MS_TM_AUTO_WRITE 0x0C
+#define MS_TM_SET_CMD 0x06
+#define MS_TM_COPY_PAGE 0x07
+#define MS_TM_MULTI_READ 0x02
+#define MS_TM_MULTI_WRITE 0x03
+
+/* MC_DMA_CTL */
+#define DMA_TC_EQ_0 0x80
+#define DMA_DIR_TO_CARD 0x00
+#define DMA_DIR_FROM_CARD 0x02
+#define DMA_EN 0x01
+#define DMA_128 (0 << 2)
+#define DMA_256 (1 << 2)
+#define DMA_512 (2 << 2)
+#define DMA_1024 (3 << 2)
+#define DMA_PACK_SIZE_MASK 0x0C
+
+/* CARD_INT_PEND */
+#define XD_INT 0x10
+#define MS_INT 0x08
+#define SD_INT 0x04
+
+/* MC_FIFO_CTL */
+#define FIFO_FLUSH 0x01
+
+/* AUTO_DELINK_EN */
+#define AUTO_DELINK 0x02
+#define FORCE_DELINK 0x01
+
+/* MC_DMA_RST */
+#define DMA_RESET 0x01
+
+#define SSC_POWER_MASK 0x01
+#define SSC_POWER_DOWN 0x01
+#define SSC_POWER_ON 0x00
+
+/* OCPCTL */
+#define MS_OCP_DETECT_EN 0x08
+#define MS_OCP_INT_EN 0x04
+#define MS_OCP_INT_CLR 0x02
+#define MS_OCP_CLEAR 0x01
+
+/* OCPSTAT */
+#define MS_OCP_DETECT 0x80
+#define MS_OCP_NOW 0x02
+#define MS_OCP_EVER 0x01
+
+/* MC_FIFO_STAT */
+#define FIFO_FULL 0x01
+#define FIFO_EMPTY 0x02
+
+/* RCCTL */
+#define U_HW_CMD_EN_MASK 0x02
+#define U_HW_CMD_EN 0x02
+#define U_HW_CMD_DIS 0x00
+
+/* Register address */
+#define FPDCTL 0xFC00
+#define SSC_DIV_N_0 0xFC07
+#define SSC_CTL1 0xFC09
+#define SSC_CTL2 0xFC0A
+#define CFG_MODE_1 0xFC0F
+#define RCCTL 0xFC14
+#define SYS_DUMMY0 0xFC30
+#define XD_CP_WAITTIME 0xFD00
+#define XD_CP_PAGELEN 0xFD01
+#define XD_CP_READADDR0 0xFD02
+#define XD_CP_READADDR1 0xFD03
+#define XD_CP_READADDR2 0xFD04
+#define XD_CP_READADDR3 0xFD05
+#define XD_CP_READADDR4 0xFD06
+#define XD_CP_WRITEADDR0 0xFD07
+#define XD_CP_WRITEADDR1 0xFD08
+#define XD_CP_WRITEADDR2 0xFD09
+#define XD_CP_WRITEADDR3 0xFD0A
+#define XD_CP_WRITEADDR4 0xFD0B
+#define XD_INIT 0xFD10
+#define XD_DTCTL 0xFD11
+#define XD_CTL 0xFD12
+#define XD_TRANSFER 0xFD13
+#define XD_CFG 0xFD14
+#define XD_ADDRESS0 0xFD15
+#define XD_ADDRESS1 0xFD16
+#define XD_ADDRESS2 0xFD17
+#define XD_ADDRESS3 0xFD18
+#define XD_ADDRESS4 0xFD19
+#define XD_DAT 0xFD1A
+#define XD_PAGE_CNT 0xFD1B
+#define XD_PAGE_STATUS 0xFD1C
+#define XD_BLOCK_STATUS 0xFD1D
+#define XD_BLOCK_ADDR1_L 0xFD1E
+#define XD_BLOCK_ADDR1_H 0xFD1F
+#define XD_BLOCK_ADDR2_L 0xFD20
+#define XD_BLOCK_ADDR2_H 0xFD21
+#define XD_BYTE_CNT_L 0xFD22
+#define XD_BYTE_CNT_H 0xFD23
+#define XD_PARITY 0xFD24
+#define XD_ECC_BIT1 0xFD25
+#define XD_ECC_BYTE1 0xFD26
+#define XD_ECC_BIT2 0xFD27
+#define XD_ECC_BYTE2 0xFD28
+#define XD_RESERVED0 0xFD29
+#define XD_RESERVED1 0xFD2A
+#define XD_RESERVED2 0xFD2B
+#define XD_RESERVED3 0xFD2C
+#define XD_CHK_DATA_STATUS 0xFD2D
+#define XD_CATCTL 0xFD2E
+
+#define MS_BLKEND 0xFD30
+#define MS_READ_START 0xFD31
+#define MS_READ_COUNT 0xFD32
+#define MS_WRITE_START 0xFD33
+#define MS_WRITE_COUNT 0xFD34
+#define MS_COMMAND 0xFD35
+#define MS_OLD_BLOCK_0 0xFD36
+#define MS_OLD_BLOCK_1 0xFD37
+#define MS_NEW_BLOCK_0 0xFD38
+#define MS_NEW_BLOCK_1 0xFD39
+#define MS_LOG_BLOCK_0 0xFD3A
+#define MS_LOG_BLOCK_1 0xFD3B
+#define MS_BUS_WIDTH 0xFD3C
+#define MS_PAGE_START 0xFD3D
+#define MS_PAGE_LENGTH 0xFD3E
+#define MS_CFG 0xFD40
+#define MS_TPC 0xFD41
+#define MS_TRANS_CFG 0xFD42
+#define MS_TRANSFER 0xFD43
+#define MS_INT_REG 0xFD44
+#define MS_BYTE_CNT 0xFD45
+#define MS_SECTOR_CNT_L 0xFD46
+#define MS_SECTOR_CNT_H 0xFD47
+#define MS_DBUS_H 0xFD48
+
+#define CARD_DMA1_CTL 0xFD5C
+#define CARD_PULL_CTL1 0xFD60
+#define CARD_PULL_CTL2 0xFD61
+#define CARD_PULL_CTL3 0xFD62
+#define CARD_PULL_CTL4 0xFD63
+#define CARD_PULL_CTL5 0xFD64
+#define CARD_PULL_CTL6 0xFD65
+#define CARD_EXIST 0xFD6F
+#define CARD_INT_PEND 0xFD71
+
+#define LDO_POWER_CFG 0xFD7B
+
+#define SD_CFG1 0xFDA0
+#define SD_CFG2 0xFDA1
+#define SD_CFG3 0xFDA2
+#define SD_STAT1 0xFDA3
+#define SD_STAT2 0xFDA4
+#define SD_BUS_STAT 0xFDA5
+#define SD_PAD_CTL 0xFDA6
+#define SD_SAMPLE_POINT_CTL 0xFDA7
+#define SD_PUSH_POINT_CTL 0xFDA8
+#define SD_CMD0 0xFDA9
+#define SD_CMD1 0xFDAA
+#define SD_CMD2 0xFDAB
+#define SD_CMD3 0xFDAC
+#define SD_CMD4 0xFDAD
+#define SD_CMD5 0xFDAE
+#define SD_BYTE_CNT_L 0xFDAF
+#define SD_BYTE_CNT_H 0xFDB0
+#define SD_BLOCK_CNT_L 0xFDB1
+#define SD_BLOCK_CNT_H 0xFDB2
+#define SD_TRANSFER 0xFDB3
+#define SD_CMD_STATE 0xFDB5
+#define SD_DATA_STATE 0xFDB6
+#define SD_VPCLK0_CTL 0xFC2A
+#define SD_VPCLK1_CTL 0xFC2B
+#define SD_DCMPS0_CTL 0xFC2C
+#define SD_DCMPS1_CTL 0xFC2D
+
+#define CARD_DMA1_CTL 0xFD5C
+
+#define HW_VERSION 0xFC01
+
+#define SSC_CLK_FPGA_SEL 0xFC02
+#define CLK_DIV 0xFC03
+#define SFSM_ED 0xFC04
+
+#define CD_DEGLITCH_WIDTH 0xFC20
+#define CD_DEGLITCH_EN 0xFC21
+#define AUTO_DELINK_EN 0xFC23
+
+#define FPGA_PULL_CTL 0xFC1D
+#define CARD_CLK_SOURCE 0xFC2E
+
+#define CARD_SHARE_MODE 0xFD51
+#define CARD_DRIVE_SEL 0xFD52
+#define CARD_STOP 0xFD53
+#define CARD_OE 0xFD54
+#define CARD_AUTO_BLINK 0xFD55
+#define CARD_GPIO 0xFD56
+#define SD30_DRIVE_SEL 0xFD57
+
+#define CARD_DATA_SOURCE 0xFD5D
+#define CARD_SELECT 0xFD5E
+
+#define CARD_CLK_EN 0xFD79
+#define CARD_PWR_CTL 0xFD7A
+
+#define OCPCTL 0xFD80
+#define OCPPARA1 0xFD81
+#define OCPPARA2 0xFD82
+#define OCPSTAT 0xFD83
+
+#define HS_USB_STAT 0xFE01
+#define HS_VCONTROL 0xFE26
+#define HS_VSTAIN 0xFE27
+#define HS_VLOADM 0xFE28
+#define HS_VSTAOUT 0xFE29
+
+#define MC_IRQ 0xFF00
+#define MC_IRQEN 0xFF01
+#define MC_FIFO_CTL 0xFF02
+#define MC_FIFO_BC0 0xFF03
+#define MC_FIFO_BC1 0xFF04
+#define MC_FIFO_STAT 0xFF05
+#define MC_FIFO_MODE 0xFF06
+#define MC_FIFO_RD_PTR0 0xFF07
+#define MC_FIFO_RD_PTR1 0xFF08
+#define MC_DMA_CTL 0xFF10
+#define MC_DMA_TC0 0xFF11
+#define MC_DMA_TC1 0xFF12
+#define MC_DMA_TC2 0xFF13
+#define MC_DMA_TC3 0xFF14
+#define MC_DMA_RST 0xFF15
+
+/* Memory mapping */
+#define RBUF_SIZE_MASK 0xFBFF
+#define RBUF_BASE 0xF000
+#define PPBUF_BASE1 0xF800
+#define PPBUF_BASE2 0xFA00
+
+/* int monitor_card_cd */
+#define CD_EXIST 0
+#define CD_NOT_EXIST 1
+
+#define DEBOUNCE_CNT 5
+
+int monitor_card_cd(struct rts51x_chip *chip, u8 card);
+
+void rts51x_do_remaining_work(struct rts51x_chip *chip);
+void rts51x_do_rts51x_reset_sd_card(struct rts51x_chip *chip);
+void rts51x_init_cards(struct rts51x_chip *chip);
+void rts51x_release_cards(struct rts51x_chip *chip);
+int rts51x_switch_ssc_clock(struct rts51x_chip *chip, int clk);
+int rts51x_switch_normal_clock(struct rts51x_chip *chip, int clk);
+int rts51x_card_rw(struct scsi_cmnd *srb, struct rts51x_chip *chip,
+ u32 sec_addr, u16 sec_cnt);
+u8 rts51x_get_lun_card(struct rts51x_chip *chip, unsigned int lun);
+int rts51x_select_card(struct rts51x_chip *chip, int card);
+void rts51x_eject_card(struct rts51x_chip *chip, unsigned int lun);
+void rts51x_trans_dma_enable(enum dma_data_direction dir,
+ struct rts51x_chip *chip, u32 byte_cnt, u8 pack_size);
+int rts51x_enable_card_clock(struct rts51x_chip *chip, u8 card);
+int rts51x_card_power_on(struct rts51x_chip *chip, u8 card);
+int rts51x_toggle_gpio(struct rts51x_chip *chip, u8 gpio);
+int rts51x_turn_on_led(struct rts51x_chip *chip, u8 gpio);
+int rts51x_turn_off_led(struct rts51x_chip *chip, u8 gpio);
+
+static inline int check_card_ready(struct rts51x_chip *chip, unsigned int lun)
+{
+ if (chip->card_ready & chip->lun2card[lun])
+ return 1;
+
+ return 0;
+}
+
+static inline int check_card_exist(struct rts51x_chip *chip, unsigned int lun)
+{
+ if (chip->card_exist & chip->lun2card[lun])
+ return 1;
+
+ return 0;
+}
+
+static inline int check_card_wp(struct rts51x_chip *chip, unsigned int lun)
+{
+ if (chip->card_wp & chip->lun2card[lun])
+ return 1;
+
+ return 0;
+}
+
+static inline int check_card_fail(struct rts51x_chip *chip, unsigned int lun)
+{
+ if (chip->card_fail & chip->lun2card[lun])
+ return 1;
+
+ return 0;
+}
+
+static inline int check_card_ejected(struct rts51x_chip *chip, unsigned int lun)
+{
+ if (chip->card_ejected & chip->lun2card[lun])
+ return 1;
+
+ return 0;
+}
+
+static inline int check_fake_card_ready(struct rts51x_chip *chip,
+ unsigned int lun)
+{
+ if (chip->fake_card_ready & chip->lun2card[lun])
+ return 1;
+
+ return 0;
+}
+
+static inline u8 get_lun2card(struct rts51x_chip *chip, unsigned int lun)
+{
+ return chip->lun2card[lun];
+}
+
+static inline int check_lun_mc(struct rts51x_chip *chip, unsigned int lun)
+{
+ return CHK_BIT(chip->lun_mc, lun);
+}
+
+static inline void set_lun_mc(struct rts51x_chip *chip, unsigned int lun)
+{
+ SET_BIT(chip->lun_mc, lun);
+}
+
+static inline void clear_lun_mc(struct rts51x_chip *chip, unsigned int lun)
+{
+ CLR_BIT(chip->lun_mc, lun);
+}
+
+static inline int switch_clock(struct rts51x_chip *chip, int clk)
+{
+ int retval = 0;
+
+ if (chip->asic_code)
+ retval = rts51x_switch_ssc_clock(chip, clk);
+ else
+ retval = rts51x_switch_normal_clock(chip, clk);
+
+ return retval;
+}
+
+static inline void rts51x_clear_xd_error(struct rts51x_chip *chip)
+{
+ rts51x_ep0_write_register(chip, CARD_STOP,
+ XD_STOP | XD_CLR_ERR, XD_STOP | XD_CLR_ERR);
+
+ rts51x_ep0_write_register(chip, MC_FIFO_CTL, FIFO_FLUSH, FIFO_FLUSH);
+ rts51x_ep0_write_register(chip, MC_DMA_RST, DMA_RESET, DMA_RESET);
+ rts51x_ep0_write_register(chip, SFSM_ED, 0xf8, 0xf8);
+}
+
+static inline void rts51x_clear_sd_error(struct rts51x_chip *chip)
+{
+ rts51x_ep0_write_register(chip, CARD_STOP,
+ SD_STOP | SD_CLR_ERR, SD_STOP | SD_CLR_ERR);
+
+ rts51x_ep0_write_register(chip, MC_FIFO_CTL, FIFO_FLUSH, FIFO_FLUSH);
+ rts51x_ep0_write_register(chip, MC_DMA_RST, DMA_RESET, DMA_RESET);
+ rts51x_ep0_write_register(chip, SFSM_ED, 0xf8, 0xf8);
+}
+
+static inline void rts51x_clear_ms_error(struct rts51x_chip *chip)
+{
+ rts51x_ep0_write_register(chip, CARD_STOP,
+ MS_STOP | MS_CLR_ERR, MS_STOP | MS_CLR_ERR);
+
+ rts51x_ep0_write_register(chip, MC_FIFO_CTL, FIFO_FLUSH, FIFO_FLUSH);
+ rts51x_ep0_write_register(chip, MC_DMA_RST, DMA_RESET, DMA_RESET);
+ rts51x_ep0_write_register(chip, SFSM_ED, 0xf8, 0xf8);
+}
+
+#endif /* __RTS51X_CARD_H */
diff --git a/drivers/staging/rts5139/rts51x_chip.c b/drivers/staging/rts5139/rts51x_chip.c
new file mode 100644
index 000000000000..7d7510de170c
--- /dev/null
+++ b/drivers/staging/rts5139/rts51x_chip.c
@@ -0,0 +1,1014 @@
+/* Driver for Realtek RTS51xx USB card reader
+ *
+ * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author:
+ * wwang (wei_wang(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ * Maintainer:
+ * Edwin Rong (edwin_rong(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ */
+
+#include <linux/blkdev.h>
+#include <linux/kthread.h>
+#include <linux/sched.h>
+#include <linux/workqueue.h>
+
+#include "debug.h"
+#include "trace.h"
+#include "rts51x.h"
+#include "rts51x_chip.h"
+#include "rts51x_card.h"
+#include "rts51x_transport.h"
+#include "xd.h"
+#include "ms.h"
+#include "sd.h"
+
+static int check_sd_speed_prior(u32 sd_speed_prior)
+{
+ int i, fake_para = 0;
+
+ /* Check the legality of sd_speed_prior */
+ for (i = 0; i < 4; i++) {
+ u8 tmp = (u8) (sd_speed_prior >> (i * 8));
+ if ((tmp < 0x01) || (tmp > 0x04)) {
+ fake_para = 1;
+ break;
+ }
+ }
+
+ return !fake_para;
+}
+
+int rts51x_reset_chip(struct rts51x_chip *chip)
+{
+ int retval;
+
+ if (CHECK_PKG(chip, LQFP48)) {
+ RTS51X_WRITE_REG(chip, CARD_PWR_CTL, LDO3318_PWR_MASK,
+ LDO_SUSPEND);
+ RTS51X_WRITE_REG(chip, CARD_PWR_CTL, FORCE_LDO_POWERB,
+ FORCE_LDO_POWERB);
+ RTS51X_WRITE_REG(chip, CARD_PULL_CTL1, 0x30, 0x10);
+ RTS51X_WRITE_REG(chip, CARD_PULL_CTL5, 0x03, 0x01);
+ RTS51X_WRITE_REG(chip, CARD_PULL_CTL6, 0x0C, 0x04);
+ }
+ if (chip->asic_code) {
+ RTS51X_WRITE_REG(chip, SYS_DUMMY0, NYET_MSAK, NYET_EN);
+ RTS51X_WRITE_REG(chip, CD_DEGLITCH_WIDTH, 0xFF, 0x08);
+ rts51x_write_register(chip, CD_DEGLITCH_EN, XD_CD_DEGLITCH_EN,
+ 0x00);
+ rts51x_write_register(chip, SD30_DRIVE_SEL, SD30_DRIVE_MASK,
+ chip->option.sd30_pad_drive);
+ rts51x_write_register(chip, CARD_DRIVE_SEL, SD20_DRIVE_MASK,
+ chip->option.sd20_pad_drive);
+ if (chip->rts5179)
+ rts51x_write_register(chip, CARD_PULL_CTL5, 0x03, 0x01);
+ if (CHECK_PKG(chip, LQFP48)) {
+ rts51x_write_register(chip, CARD_PULL_CTL3,
+ 0x80, 0x80);
+ rts51x_write_register(chip, CARD_PULL_CTL6,
+ 0xf0, 0xA0);
+ } else {
+ rts51x_write_register(chip, CARD_PULL_CTL1,
+ 0x30, 0x20);
+ rts51x_write_register(chip, CARD_PULL_CTL3,
+ 0x80, 0x80);
+ rts51x_write_register(chip, CARD_PULL_CTL6,
+ 0x0c, 0x08);
+ }
+ }
+ if (chip->option.sd_ctl & SUPPORT_UHS50_MMC44) {
+ SET_UHS50(chip);
+ RTS51X_DEBUGP("option enable UHS50&MMC44,sd_ctl:0x%x\n",
+ chip->option.sd_ctl);
+ } else {
+ /* if(CHECK_PID(chip, 0x0139)&&CHECK_PKG(chip, LQFP48)) */
+ if ((CHECK_PID(chip, 0x0139) && CHECK_PKG(chip, LQFP48))
+ || chip->rts5179) {
+ SET_UHS50(chip);
+ RTS51X_DEBUGP("PID enable UHS50&MMC44\n");
+ } else {
+ CLEAR_UHS50(chip);
+ RTS51X_DEBUGP("PID disable UHS50&MMC44\n");
+ }
+ }
+
+ if (chip->option.ms_errreg_fix && (chip->ic_version > 1))
+ rts51x_write_register(chip, 0xFD4D, 0x01, 0x01);
+ retval = rts51x_write_phy_register(chip, 0xC2, 0x7C);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ rts51x_init_cmd(chip);
+
+ /* GPIO OE */
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_GPIO, GPIO_OE, GPIO_OE);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DMA1_CTL,
+ EXTEND_DMA1_ASYNC_SIGNAL, EXTEND_DMA1_ASYNC_SIGNAL);
+
+ retval = rts51x_send_cmd(chip, MODE_C, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+#ifdef SUPPORT_OCP
+ if (chip->asic_code) {
+ rts51x_write_register(chip, OCPCTL, MS_OCP_DETECT_EN,
+ MS_OCP_DETECT_EN);
+ RTS51X_DEBUGP("Enable OCP detect!\n");
+ }
+#endif
+ if (chip->option.FT2_fast_mode) {
+ rts51x_card_power_on(chip, SD_CARD | MS_CARD | XD_CARD);
+ wait_timeout(10);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_init_chip(struct rts51x_chip *chip)
+{
+ int retval;
+ u8 val;
+
+ chip->max_lun = 0;
+ chip->cur_clk = 0;
+ chip->cur_card = 0;
+
+ chip->card2lun[XD_CARD] = 0;
+ chip->card2lun[SD_CARD] = 0;
+ chip->card2lun[MS_CARD] = 0;
+ chip->card_ejected = 0;
+
+ chip->lun2card[0] = XD_CARD | SD_CARD | MS_CARD;
+#ifdef CLOSE_SSC_POWER
+ rts51x_write_register(chip, FPDCTL, SSC_POWER_MASK, SSC_POWER_ON);
+ udelay(100);
+ rts51x_write_register(chip, CLK_DIV, CLK_CHANGE, 0x00);
+#endif
+ RTS51X_SET_STAT(chip, STAT_RUN);
+
+ RTS51X_READ_REG(chip, HW_VERSION, &val);
+ RTS51X_DEBUGP("HW_VERSION: 0x%x\n", val);
+ if (val & FPGA_VER) {
+ chip->asic_code = 0;
+ RTS51X_DEBUGP("FPGA!\n");
+ } else {
+ chip->asic_code = 1;
+ RTS51X_DEBUGP("ASIC!\n");
+ }
+ chip->ic_version = val & HW_VER_MASK;
+
+ if (!check_sd_speed_prior(chip->option.sd_speed_prior))
+ chip->option.sd_speed_prior = 0x01020403;
+ RTS51X_DEBUGP("sd_speed_prior = 0x%08x\n",
+ chip->option.sd_speed_prior);
+
+ RTS51X_READ_REG(chip, CARD_SHARE_MODE, &val);
+ if (val & CARD_SHARE_LQFP_SEL) {
+ chip->package = LQFP48;
+ RTS51X_DEBUGP("Package: LQFP48\n");
+ } else {
+ chip->package = QFN24;
+ RTS51X_DEBUGP("Package: QFN24\n");
+ }
+
+ RTS51X_READ_REG(chip, HS_USB_STAT, &val);
+ if (val & USB_HI_SPEED) {
+ chip->usb_speed = USB_20;
+ RTS51X_DEBUGP("USB High Speed\n");
+ } else {
+ chip->usb_speed = USB_11;
+ RTS51X_DEBUGP("USB Full Speed\n");
+ }
+
+ RTS51X_READ_REG(chip, CFG_MODE_1, &val);
+ if (val & RTS5179) {
+ chip->rts5179 = 1;
+ RTS51X_DEBUGP("device is rts5179\n");
+ } else {
+ chip->rts5179 = 0;
+ }
+
+ retval = rts51x_reset_chip(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_release_chip(struct rts51x_chip *chip)
+{
+ rts51x_xd_free_l2p_tbl(chip);
+ rts51x_ms_free_l2p_tbl(chip);
+ chip->card_ready = 0;
+ return STATUS_SUCCESS;
+}
+
+static inline void rts51x_blink_led(struct rts51x_chip *chip)
+{
+ /* Read/Write */
+ if (chip->card_ready) {
+ if (chip->led_toggle_counter <
+ chip->option.led_toggle_interval) {
+ chip->led_toggle_counter++;
+ } else {
+ chip->led_toggle_counter = 0;
+ rts51x_toggle_gpio(chip, LED_GPIO);
+ }
+ }
+}
+
+static void rts51x_auto_delink_cmd(struct rts51x_chip *chip)
+{
+ rts51x_write_register(chip, AUTO_DELINK_EN,
+ AUTO_DELINK, AUTO_DELINK);
+}
+
+static void rts51x_auto_delink_force_cmd(struct rts51x_chip *chip)
+{
+ rts51x_write_register(chip, AUTO_DELINK_EN,
+ AUTO_DELINK | FORCE_DELINK,
+ AUTO_DELINK | FORCE_DELINK);
+}
+
+#ifdef USING_POLLING_CYCLE_DELINK
+/* using polling cycle as delink time */
+static void rts51x_auto_delink_polling_cycle(struct rts51x_chip *chip)
+{
+ if (chip->auto_delink_counter <=
+ chip->option.delink_delay * 2) {
+ if (chip->auto_delink_counter ==
+ chip->option.delink_delay) {
+ if (chip->card_exist) {
+ /* False card */
+ if (!chip->card_ejected) {
+ /* if card is not ejected or safely
+ * remove,then do force delink */
+ RTS51X_DEBUGP("False card inserted,"
+ "do force delink\n");
+ rts51x_auto_delink_force_cmd(chip);
+ chip->auto_delink_counter =
+ chip->option.delink_delay * 2 + 1;
+ }
+ } else {
+ RTS51X_DEBUGP("No card inserted, do delink\n");
+ /* rts51x_write_register(chip, CARD_PWR_CTL,
+ DV3318_AUTO_PWR_OFF, 0); */
+ rts51x_auto_delink_cmd(chip);
+ }
+ }
+ if (chip->auto_delink_counter ==
+ chip->option.delink_delay * 2) {
+ RTS51X_DEBUGP("Try to do force delink\n");
+ rts51x_auto_delink_force_cmd(chip);
+ }
+ chip->auto_delink_counter++;
+ }
+}
+
+static void rts51x_auto_delink(struct rts51x_chip *chip)
+{
+ rts51x_auto_delink_polling_cycle(chip);
+}
+#else
+/* some of called funcs are not implemented, so comment it out */
+static void rts51x_auto_delink(struct rts51x_chip *chip)
+{
+}
+#endif
+
+void rts51x_polling_func(struct rts51x_chip *chip)
+{
+
+ rts51x_init_cards(chip);
+
+#ifdef SUPPORT_OCP
+ /* if OCP happen and card exist, then close card OE */
+ if ((chip->ocp_stat & (MS_OCP_NOW | MS_OCP_EVER)) &&
+ (chip->card_exist)) {
+
+ rts51x_prepare_run(chip);
+
+ if (chip->card_exist & SD_CARD)
+ rts51x_write_register(chip, CARD_OE, SD_OUTPUT_EN, 0);
+ else if (chip->card_exist & MS_CARD)
+ rts51x_write_register(chip, CARD_OE, MS_OUTPUT_EN, 0);
+ else if (chip->card_exist & XD_CARD)
+ rts51x_write_register(chip, CARD_OE, XD_OUTPUT_EN, 0);
+ }
+#endif
+
+ if (chip->idle_counter < IDLE_MAX_COUNT) {
+ chip->idle_counter++;
+ } else {
+ if (!RTS51X_CHK_STAT(chip, STAT_IDLE)) {
+ RTS51X_DEBUGP("Idle state!\n");
+ RTS51X_SET_STAT(chip, STAT_IDLE);
+ chip->led_toggle_counter = 0;
+ /* Idle state, turn off LED
+ * to reduce power consumption */
+ if (chip->option.led_always_on
+ && (chip->card_exist &
+ (SD_CARD | MS_CARD | XD_CARD))
+ && (!chip->card_ejected)) {
+ rts51x_turn_on_led(chip, LED_GPIO);
+ } else {
+ if (chip->rts5179) {
+ rts51x_ep0_write_register(chip,
+ CARD_GPIO,
+ 0x03, 0x00);
+ } else {
+ rts51x_turn_off_led(chip, LED_GPIO);
+ }
+
+ }
+
+#ifdef CLOSE_SSC_POWER
+ if (!chip->card_ready) {
+ rts51x_write_register(chip, CLK_DIV, CLK_CHANGE,
+ CLK_CHANGE);
+ rts51x_write_register(chip, FPDCTL,
+ SSC_POWER_MASK,
+ SSC_POWER_DOWN);
+ RTS51X_DEBUGP("Close SSC clock power!\n");
+ }
+#endif
+ }
+ }
+
+ switch (RTS51X_GET_STAT(chip)) {
+ case STAT_RUN:
+ rts51x_blink_led(chip);
+ rts51x_do_remaining_work(chip);
+ break;
+
+ case STAT_IDLE:
+ break;
+
+ default:
+ break;
+ }
+
+ if (chip->option.auto_delink_en && !chip->card_ready)
+ rts51x_auto_delink(chip);
+ else
+ chip->auto_delink_counter = 0;
+}
+
+void rts51x_add_cmd(struct rts51x_chip *chip,
+ u8 cmd_type, u16 reg_addr, u8 mask, u8 data)
+{
+ int i;
+
+ if (chip->cmd_idx < ((CMD_BUF_LEN - CMD_OFFSET) / 4)) {
+ i = CMD_OFFSET + chip->cmd_idx * 4;
+ chip->cmd_buf[i++] =
+ ((cmd_type & 0x03) << 6) | (u8) ((reg_addr >> 8) & 0x3F);
+ chip->cmd_buf[i++] = (u8) reg_addr;
+ chip->cmd_buf[i++] = mask;
+ chip->cmd_buf[i++] = data;
+ chip->cmd_idx++;
+ }
+}
+
+int rts51x_send_cmd(struct rts51x_chip *chip, u8 flag, int timeout)
+{
+ int result;
+
+ chip->cmd_buf[CNT_H] = (u8) (chip->cmd_idx >> 8);
+ chip->cmd_buf[CNT_L] = (u8) (chip->cmd_idx);
+ chip->cmd_buf[STAGE_FLAG] = flag;
+
+ result = rts51x_transfer_data_rcc(chip, SND_BULK_PIPE(chip),
+ (void *)(chip->cmd_buf),
+ chip->cmd_idx * 4 + CMD_OFFSET,
+ 0, NULL, timeout, MODE_C);
+ if (result != STATUS_SUCCESS)
+ TRACE_RET(chip, result);
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_get_rsp(struct rts51x_chip *chip, int rsp_len, int timeout)
+{
+ int result;
+
+ if (rsp_len <= 0)
+ TRACE_RET(chip, STATUS_ERROR);
+ /* rsp_len must aligned to dword */
+ if (rsp_len % 4)
+ rsp_len += (4 - rsp_len % 4);
+
+ result = rts51x_transfer_data_rcc(chip, RCV_BULK_PIPE(chip),
+ (void *)chip->rsp_buf, rsp_len,
+ 0, NULL, timeout, STAGE_R);
+ if (result != STATUS_SUCCESS)
+ TRACE_RET(chip, result);
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_get_card_status(struct rts51x_chip *chip, u16 *status)
+{
+ int retval;
+ u16 val;
+
+#ifdef GET_CARD_STATUS_USING_EPC
+ retval = rts51x_get_epc_status(chip, &val);
+
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+#else
+ retval = rts51x_ctrl_transfer(chip, RCV_CTRL_PIPE(chip), 0x02, 0xC0,
+ 0, 0, &val, 2, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+#endif
+
+ if (status)
+ *status = val;
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_write_register(struct rts51x_chip *chip, u16 addr, u8 mask, u8 data)
+{
+ int retval;
+
+ rts51x_init_cmd(chip);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, addr, mask, data);
+ retval = rts51x_send_cmd(chip, MODE_C, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_read_register(struct rts51x_chip *chip, u16 addr, u8 *data)
+{
+ int retval;
+
+ if (data)
+ *data = 0;
+ rts51x_init_cmd(chip);
+ rts51x_add_cmd(chip, READ_REG_CMD, addr, 0, 0);
+ retval = rts51x_send_cmd(chip, MODE_CR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ retval = rts51x_get_rsp(chip, 1, 100);
+
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ if (data)
+ *data = chip->rsp_buf[0];
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_ep0_write_register(struct rts51x_chip *chip, u16 addr, u8 mask,
+ u8 data)
+{
+ int retval;
+ u16 value = 0, index = 0;
+
+ value |= (u16) (3 & 0x03) << 14;
+ value |= (u16) (addr & 0x3FFF);
+ index |= (u16) mask << 8;
+ index |= (u16) data;
+
+ retval = rts51x_ctrl_transfer(chip, SND_CTRL_PIPE(chip), 0x00, 0x40,
+ cpu_to_be16(value), cpu_to_be16(index),
+ NULL, 0, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_ep0_read_register(struct rts51x_chip *chip, u16 addr, u8 *data)
+{
+ int retval;
+ u16 value = 0;
+ u8 val;
+
+ if (data)
+ *data = 0;
+
+ value |= (u16) (2 & 0x03) << 14;
+ value |= (u16) (addr & 0x3FFF);
+
+ retval = rts51x_ctrl_transfer(chip, RCV_CTRL_PIPE(chip), 0x00, 0xC0,
+ cpu_to_be16(value), 0, &val, 1, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (data)
+ *data = val;
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_seq_write_register(struct rts51x_chip *chip, u16 addr, u16 len,
+ u8 *data)
+{
+ int result;
+ u16 cmd_len = len + 12;
+
+ if (!data)
+ TRACE_RET(chip, STATUS_ERROR);
+
+ cmd_len = (cmd_len <= CMD_BUF_LEN) ? cmd_len : CMD_BUF_LEN;
+
+ /* cmd_len must aligned to dword */
+ if (cmd_len % 4)
+ cmd_len += (4 - cmd_len % 4);
+
+ chip->cmd_buf[0] = 'R';
+ chip->cmd_buf[1] = 'T';
+ chip->cmd_buf[2] = 'C';
+ chip->cmd_buf[3] = 'R';
+ chip->cmd_buf[PACKET_TYPE] = SEQ_WRITE;
+ chip->cmd_buf[5] = (u8) (len >> 8);
+ chip->cmd_buf[6] = (u8) len;
+ chip->cmd_buf[STAGE_FLAG] = 0;
+ chip->cmd_buf[8] = (u8) (addr >> 8);
+ chip->cmd_buf[9] = (u8) addr;
+
+ memcpy(chip->cmd_buf + 12, data, len);
+
+ result = rts51x_transfer_data_rcc(chip, SND_BULK_PIPE(chip),
+ (void *)(chip->cmd_buf), cmd_len, 0,
+ NULL, 100, MODE_C);
+ if (result != STATUS_SUCCESS)
+ TRACE_RET(chip, result);
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_seq_read_register(struct rts51x_chip *chip, u16 addr, u16 len,
+ u8 *data)
+{
+ int result;
+ u16 rsp_len;
+
+ if (!data)
+ TRACE_RET(chip, STATUS_ERROR);
+ /* rsp_len must aligned to dword */
+ if (len % 4)
+ rsp_len = len + (4 - len % 4);
+ else
+ rsp_len = len;
+
+ chip->cmd_buf[0] = 'R';
+ chip->cmd_buf[1] = 'T';
+ chip->cmd_buf[2] = 'C';
+ chip->cmd_buf[3] = 'R';
+ chip->cmd_buf[PACKET_TYPE] = SEQ_READ;
+ chip->cmd_buf[5] = (u8) (rsp_len >> 8);
+ chip->cmd_buf[6] = (u8) rsp_len;
+ chip->cmd_buf[STAGE_FLAG] = STAGE_R;
+ chip->cmd_buf[8] = (u8) (addr >> 8);
+ chip->cmd_buf[9] = (u8) addr;
+
+ result = rts51x_transfer_data_rcc(chip, SND_BULK_PIPE(chip),
+ (void *)(chip->cmd_buf), 12, 0, NULL,
+ 100, MODE_C);
+ if (result != STATUS_SUCCESS)
+ TRACE_RET(chip, result);
+
+ result = rts51x_transfer_data_rcc(chip, RCV_BULK_PIPE(chip),
+ (void *)data, rsp_len, 0, NULL, 100,
+ STAGE_DI);
+ if (result != STATUS_SUCCESS)
+ TRACE_RET(chip, result);
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_read_ppbuf(struct rts51x_chip *chip, u8 *buf, int buf_len)
+{
+ int retval;
+
+ if (!buf)
+ TRACE_RET(chip, STATUS_ERROR);
+
+ retval =
+ rts51x_seq_read_register(chip, PPBUF_BASE2, (u16) buf_len, buf);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_write_ppbuf(struct rts51x_chip *chip, u8 *buf, int buf_len)
+{
+ int retval;
+
+ if (!buf)
+ TRACE_RET(chip, STATUS_ERROR);
+
+ retval =
+ rts51x_seq_write_register(chip, PPBUF_BASE2, (u16) buf_len, buf);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_write_phy_register(struct rts51x_chip *chip, u8 addr, u8 val)
+{
+ int retval;
+
+ RTS51X_DEBUGP("Write 0x%x to phy register 0x%x\n", val, addr);
+
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VSTAIN, 0xFF, val);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VCONTROL, 0xFF, addr & 0x0F);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x00);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x00);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x01);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VCONTROL, 0xFF,
+ (addr >> 4) & 0x0F);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x00);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x00);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x01);
+
+ retval = rts51x_send_cmd(chip, MODE_C, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_read_phy_register(struct rts51x_chip *chip, u8 addr, u8 *val)
+{
+ int retval;
+
+ RTS51X_DEBUGP("Read from phy register 0x%x\n", addr);
+
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VCONTROL, 0xFF, 0x07);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x00);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x00);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x01);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VCONTROL, 0xFF,
+ (addr >> 4) & 0x0F);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x00);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x00);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x01);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VCONTROL, 0xFF, addr & 0x0F);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x00);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x00);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x01);
+ rts51x_add_cmd(chip, READ_REG_CMD, HS_VSTAOUT, 0, 0);
+
+ retval = rts51x_send_cmd(chip, MODE_CR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = rts51x_get_rsp(chip, 1, 100);
+
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (val)
+ *val = chip->rsp_buf[0];
+
+ RTS51X_DEBUGP("Return value: 0x%x\n", chip->rsp_buf[0]);
+
+ return STATUS_SUCCESS;
+}
+
+void rts51x_do_before_power_down(struct rts51x_chip *chip)
+{
+ RTS51X_DEBUGP("rts51x_do_before_power_down\n");
+
+ rts51x_prepare_run(chip);
+
+ rts51x_release_cards(chip);
+ if (chip->rts5179)
+ rts51x_ep0_write_register(chip, CARD_GPIO, 0x03, 0x00);
+ else
+ rts51x_turn_off_led(chip, LED_GPIO);
+
+ chip->cur_clk = 0;
+ chip->card_exist = 0;
+ chip->cur_card = 0;
+ if (chip->asic_code) {
+ if (CHECK_PKG(chip, LQFP48)) {
+ rts51x_write_register(chip, CARD_PULL_CTL3, 0x80, 0x00);
+ rts51x_write_register(chip, CARD_PULL_CTL6, 0xf0, 0x50);
+ } else {
+ rts51x_write_register(chip, CARD_PULL_CTL1, 0x30, 0x10);
+ rts51x_write_register(chip, CARD_PULL_CTL3, 0x80, 0x00);
+ rts51x_write_register(chip, CARD_PULL_CTL6, 0x0c, 0x04);
+ }
+ }
+ if (CHECK_PKG(chip, LQFP48))
+ rts51x_write_register(chip, CARD_PWR_CTL, LDO3318_PWR_MASK,
+ LDO_OFF);
+}
+
+void rts51x_clear_hw_error(struct rts51x_chip *chip)
+{
+ rts51x_ep0_write_register(chip, SFSM_ED, 0xf8, 0xf8);
+}
+
+void rts51x_prepare_run(struct rts51x_chip *chip)
+{
+#ifdef CLOSE_SSC_POWER
+ if (RTS51X_CHK_STAT(chip, STAT_IDLE) && (!chip->card_ready)) {
+ rts51x_write_register(chip, FPDCTL, SSC_POWER_MASK,
+ SSC_POWER_ON);
+ udelay(100);
+ RTS51X_DEBUGP("Open SSC clock power.\n");
+
+ rts51x_write_register(chip, CLK_DIV, CLK_CHANGE, 0x00);
+ }
+#endif
+}
+
+#ifdef _MSG_TRACE
+void rts51x_trace_msg(struct rts51x_chip *chip, unsigned char *buf, int clear)
+{
+ unsigned char *ptr;
+ int i, msg_cnt;
+
+ if (!buf)
+ return;
+
+ ptr = buf;
+
+ if (chip->trace_msg[chip->msg_idx].valid)
+ msg_cnt = TRACE_ITEM_CNT;
+ else
+ msg_cnt = chip->msg_idx;
+ *(ptr++) = (u8) (msg_cnt >> 24);
+ *(ptr++) = (u8) (msg_cnt >> 16);
+ *(ptr++) = (u8) (msg_cnt >> 8);
+ *(ptr++) = (u8) msg_cnt;
+ RTS51X_DEBUGP("Trace message count is %d\n", msg_cnt);
+
+ for (i = 1; i <= msg_cnt; i++) {
+ int j, idx;
+
+ idx = chip->msg_idx - i;
+ if (idx < 0)
+ idx += TRACE_ITEM_CNT;
+
+ *(ptr++) = (u8) (chip->trace_msg[idx].line >> 8);
+ *(ptr++) = (u8) (chip->trace_msg[idx].line);
+ for (j = 0; j < MSG_FUNC_LEN; j++)
+ *(ptr++) = chip->trace_msg[idx].func[j];
+ for (j = 0; j < MSG_FILE_LEN; j++)
+ *(ptr++) = chip->trace_msg[idx].file[j];
+ for (j = 0; j < TIME_VAL_LEN; j++)
+ *(ptr++) = chip->trace_msg[idx].timeval_buf[j];
+ }
+
+ if (clear) {
+ chip->msg_idx = 0;
+ for (i = 0; i < TRACE_ITEM_CNT; i++)
+ chip->trace_msg[i].valid = 0;
+ }
+}
+#endif
+
+void rts51x_pp_status(struct rts51x_chip *chip, unsigned int lun, u8 *status,
+ u8 status_len)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ struct ms_info *ms_card = &(chip->ms_card);
+ u8 card = rts51x_get_lun_card(chip, lun);
+#ifdef SUPPORT_OC
+ u8 oc_now_mask = 0, oc_ever_mask = 0;
+#endif
+
+ if (!status || (status_len < 32))
+ return;
+ /* IC Version */
+ status[0] = (u8) RTS51X_GET_PID(chip);
+ status[1] = (u8) (chip->ic_version);
+
+ /* Auto delink mode */
+ if (chip->option.auto_delink_en)
+ status[2] = 0x10;
+ else
+ status[2] = 0x00;
+
+ /* Spec version */
+ status[3] = 20;
+ status[4] = 10;
+ status[5] = 05;
+ status[6] = 21;
+
+ /* Card WP */
+ if (chip->card_wp)
+ status[7] = 0x20;
+ else
+ status[7] = 0x00;
+
+#ifdef SUPPORT_OC
+ /* Over current status */
+ status[8] = 0;
+ oc_now_mask = MS_OCP_NOW;
+ oc_ever_mask = MS_OCP_EVER;
+
+ if (chip->ocp_stat & oc_now_mask)
+ status[8] |= 0x02;
+ if (chip->ocp_stat & oc_ever_mask)
+ status[8] |= 0x01;
+#endif
+
+ if (card == SD_CARD) {
+ if (CHK_SD(sd_card)) {
+ if (CHK_SD_HCXC(sd_card)) {
+ if (sd_card->capacity > 0x4000000)
+ /* SDXC */
+ status[0x0E] = 0x02;
+ else /* SDHC */
+ status[0x0E] = 0x01;
+ } else { /* SDSC */
+ status[0x0E] = 0x00;
+ }
+
+ if (CHK_SD_SDR104(sd_card))
+ status[0x0F] = 0x03;
+ else if (CHK_SD_DDR50(sd_card))
+ status[0x0F] = 0x04;
+ else if (CHK_SD_SDR50(sd_card))
+ status[0x0F] = 0x02;
+ else if (CHK_SD_HS(sd_card))
+ status[0x0F] = 0x01;
+ else
+ status[0x0F] = 0x00; /* Normal speed */
+ } else {
+ if (CHK_MMC_SECTOR_MODE(sd_card))
+ status[0x0E] = 0x01; /* High capacity */
+ else
+ status[0x0E] = 0x00; /* Normal capacity */
+
+ if (CHK_MMC_DDR52(sd_card))
+ status[0x0F] = 0x03; /* DDR 52M */
+ else if (CHK_MMC_52M(sd_card))
+ status[0x0F] = 0x02; /* SDR 52M */
+ else if (CHK_MMC_26M(sd_card))
+ status[0x0F] = 0x01; /* SDR 26M */
+ else
+ status[0x0F] = 0x00; /* Normal speed */
+ }
+ } else if (card == MS_CARD) {
+ if (CHK_MSPRO(ms_card)) {
+ if (CHK_MSXC(ms_card))
+ status[0x0E] = 0x01; /* XC */
+ else
+ status[0x0E] = 0x00;
+
+ if (CHK_HG8BIT(ms_card))
+ status[0x0F] = 0x01;
+ else
+ status[0x0F] = 0x00;
+ }
+ }
+
+ /* Function 0
+ * Support Magic Gate, CPRM and PhyRegister R/W */
+ status[0x18] = 0x8A;
+
+ /* Function 2
+ * Support OC LUN status & WP LUN status */
+ status[0x1A] = 0x28;
+
+ /* Function 2
+ * Support OC LUN status & WP LUN status */
+ status[0x1A] = 0x28;
+}
+
+void rts51x_read_status(struct rts51x_chip *chip, unsigned int lun,
+ u8 *rts51x_status, u8 status_len)
+{
+ if (!rts51x_status || (status_len < 16))
+ return;
+ /* VID */
+ rts51x_status[0] = (u8) (RTS51X_GET_VID(chip) >> 8);
+ rts51x_status[1] = (u8) RTS51X_GET_VID(chip);
+
+ /* PID */
+ rts51x_status[2] = (u8) (RTS51X_GET_PID(chip) >> 8);
+ rts51x_status[3] = (u8) RTS51X_GET_PID(chip);
+
+ /* gbLUN */
+ rts51x_status[4] = (u8) lun;
+
+ /* Lun Card Number */
+ if (chip->card_exist) {
+ if (chip->card_exist & XD_CARD)
+ rts51x_status[5] = 4; /* xD Card */
+ else if (chip->card_exist & SD_CARD)
+ rts51x_status[5] = 2; /* SD Card */
+ else if (chip->card_exist & MS_CARD)
+ rts51x_status[5] = 3; /* MS Card */
+ else
+ rts51x_status[5] = 7; /* Multi */
+ } else {
+ rts51x_status[5] = 7; /* Multi */
+ }
+
+ /* Total LUNs */
+ rts51x_status[6] = 1;
+
+ /* IC Version */
+ rts51x_status[7] = (u8) RTS51X_GET_PID(chip);
+ rts51x_status[8] = chip->ic_version;
+
+ /* Physical Exist */
+ if (check_card_exist(chip, lun))
+ rts51x_status[9] = 1;
+ else
+ rts51x_status[9] = 0;
+
+ /* Multi Flag */
+ rts51x_status[10] = 1;
+
+ /* LUN Valid Map */
+ rts51x_status[11] = XD_CARD | SD_CARD | MS_CARD;
+
+ /* Logical Exist */
+ if (check_card_ready(chip, lun))
+ rts51x_status[12] = 1;
+ else
+ rts51x_status[12] = 0;
+
+ /* Detailed Type */
+ if (rts51x_get_lun_card(chip, lun) == XD_CARD) {
+ rts51x_status[13] = 0x40;
+ } else if (rts51x_get_lun_card(chip, lun) == SD_CARD) {
+ struct sd_info *sd_card = &(chip->sd_card);
+
+ rts51x_status[13] = 0x20;
+ if (CHK_SD(sd_card)) {
+ if (CHK_SD_HCXC(sd_card))
+ rts51x_status[13] |= 0x04; /* Hi capacity SD */
+ if (CHK_SD_HS(sd_card))
+ rts51x_status[13] |= 0x02; /* Hi speed SD */
+ } else {
+ rts51x_status[13] |= 0x08; /* MMC card */
+ if (CHK_MMC_52M(sd_card))
+ rts51x_status[13] |= 0x02; /* Hi speed */
+ if (CHK_MMC_SECTOR_MODE(sd_card))
+ rts51x_status[13] |= 0x04; /* Hi capacity */
+ }
+ } else if (rts51x_get_lun_card(chip, lun) == MS_CARD) {
+ struct ms_info *ms_card = &(chip->ms_card);
+
+ if (CHK_MSPRO(ms_card)) {
+ rts51x_status[13] = 0x38; /* MS Pro */
+ if (CHK_HG8BIT(ms_card))
+ rts51x_status[13] |= 0x04; /* HG */
+#ifdef SUPPORT_MSXC
+ if (CHK_MSXC(ms_card))
+ rts51x_status[13] |= 0x01; /* MSXC */
+#endif
+ } else {
+ rts51x_status[13] = 0x30;
+ }
+ } else {
+ rts51x_status[13] = 0x70;
+ }
+/* Support OC, auto delink, vendor r/w, get bus width */
+ rts51x_status[14] = 0x78;
+
+ rts51x_status[15] = 0x82;
+}
+
+int rts51x_transfer_data_rcc(struct rts51x_chip *chip, unsigned int pipe,
+ void *buf, unsigned int len, int use_sg,
+ unsigned int *act_len, int timeout, u8 stage_flag)
+{
+ int retval;
+
+ retval =
+ rts51x_transfer_data(chip, pipe, buf, len, use_sg, act_len,
+ timeout);
+
+ return retval;
+
+}
diff --git a/drivers/staging/rts5139/rts51x_chip.h b/drivers/staging/rts5139/rts51x_chip.h
new file mode 100644
index 000000000000..12deb24cfbbe
--- /dev/null
+++ b/drivers/staging/rts5139/rts51x_chip.h
@@ -0,0 +1,821 @@
+/* Driver for Realtek RTS51xx USB card reader
+ * Header file
+ *
+ * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author:
+ * wwang (wei_wang(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ * Maintainer:
+ * Edwin Rong (edwin_rong(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ */
+
+#ifndef __RTS51X_CHIP_H
+#define __RTS51X_CHIP_H
+
+#include <linux/usb.h>
+#include <linux/usb_usual.h>
+#include <linux/blkdev.h>
+#include <linux/completion.h>
+#include <linux/mutex.h>
+#include <scsi/scsi_host.h>
+
+#include "trace.h"
+
+#define SUPPORT_CPRM
+#define SUPPORT_MAGIC_GATE
+#define SUPPORT_MSXC
+#define USING_POLLING_CYCLE_DELINK
+
+#ifdef SUPPORT_MAGIC_GA
+/* Using NORMAL_WRITE instead of AUTO_WRITE to set ICVTE */
+#define MG_SET_ICV_SLOW
+#endif
+
+#ifdef SUPPORT_MSXC
+#define XC_POWERCLASS
+#define SUPPORT_PCGL_1P18
+#endif
+
+#define GET_CARD_STATUS_USING_EPC
+
+#define CLOSE_SSC_POWER
+
+#define SUPPORT_OCP
+
+#define MS_SPEEDUP
+
+#define SD_XD_IO_FOLLOW_PWR
+
+#define SD_NR 2
+#define MS_NR 3
+#define XD_NR 4
+#define SD_CARD (1 << SD_NR)
+#define MS_CARD (1 << MS_NR)
+#define XD_CARD (1 << XD_NR)
+
+#define SD_CD 0x01
+#define MS_CD 0x02
+#define XD_CD 0x04
+#define SD_WP 0x08
+
+#define MAX_ALLOWED_LUN_CNT 8
+#define CMD_BUF_LEN 1024
+#define POLLING_INTERVAL 50 /* 50ms */
+
+#define XD_FREE_TABLE_CNT 1200
+#define MS_FREE_TABLE_CNT 512
+
+/* Bit Operation */
+#define SET_BIT(data, idx) ((data) |= 1 << (idx))
+#define CLR_BIT(data, idx) ((data) &= ~(1 << (idx)))
+#define CHK_BIT(data, idx) ((data) & (1 << (idx)))
+
+/* Command type */
+#define READ_REG_CMD 0
+#define WRITE_REG_CMD 1
+#define CHECK_REG_CMD 2
+
+#define PACKET_TYPE 4
+#define CNT_H 5
+#define CNT_L 6
+#define STAGE_FLAG 7
+#define CMD_OFFSET 8
+
+/* Packet type */
+#define BATCH_CMD 0
+#define SEQ_READ 1
+#define SEQ_WRITE 2
+
+/* Stage flag */
+#define STAGE_R 0x01
+#define STAGE_DI 0x02
+#define STAGE_DO 0x04
+/* Return MS_TRANS_CFG, GET_INT */
+#define STAGE_MS_STATUS 0x08
+/* Return XD_CFG, XD_CTL, XD_PAGE_STATUS */
+#define STAGE_XD_STATUS 0x10
+/* Command stage mode */
+#define MODE_C 0x00
+#define MODE_CR (STAGE_R)
+#define MODE_CDIR (STAGE_R | STAGE_DI)
+#define MODE_CDOR (STAGE_R | STAGE_DO)
+
+/* Function return code */
+#ifndef STATUS_SUCCESS
+#define STATUS_SUCCESS 0
+#endif
+
+#define STATUS_FAIL 1
+#define STATUS_TIMEDOUT 4
+#define STATUS_NOMEM 5
+#define STATUS_TRANS_SHORT 6
+#define STATUS_TRANS_LONG 7
+#define STATUS_STALLED 8
+#define STATUS_ERROR 10
+
+#define IDLE_MAX_COUNT 10
+#define POLLING_WAIT_CNT 1
+#define LED_GPIO 0
+
+/* package */
+#define QFN24 0
+#define LQFP48 1
+
+#define USB_11 0
+#define USB_20 1
+
+/*
+ * Transport return codes
+ */
+/* Transport good, command good */
+#define TRANSPORT_GOOD 0
+/* Transport good, command failed */
+#define TRANSPORT_FAILED 1
+/* Transport bad (i.e. device dead) */
+#define TRANSPORT_ERROR 3
+
+/* Supported Clock */
+enum card_clock { CLK_20 = 1, CLK_30, CLK_40, CLK_50, CLK_60, CLK_80, CLK_100 };
+
+#ifdef _MSG_TRACE
+
+#define TRACE_ITEM_CNT 64
+
+struct trace_msg_t {
+ u16 line;
+#define MSG_FUNC_LEN 64
+ char func[MSG_FUNC_LEN];
+#define MSG_FILE_LEN 32
+ char file[MSG_FILE_LEN];
+#define TIME_VAL_LEN 16
+ u8 timeval_buf[TIME_VAL_LEN];
+ u8 valid;
+};
+
+#endif /* _MSG_TRACE */
+
+/* Size of the autosense data buffer */
+#define SENSE_SIZE 18
+
+/* Sense type */
+#define SENSE_TYPE_NO_SENSE 0
+#define SENSE_TYPE_MEDIA_CHANGE 1
+#define SENSE_TYPE_MEDIA_NOT_PRESENT 2
+#define SENSE_TYPE_MEDIA_LBA_OVER_RANGE 3
+#define SENSE_TYPE_MEDIA_LUN_NOT_SUPPORT 4
+#define SENSE_TYPE_MEDIA_WRITE_PROTECT 5
+#define SENSE_TYPE_MEDIA_INVALID_CMD_FIELD 6
+#define SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR 7
+#define SENSE_TYPE_MEDIA_WRITE_ERR 8
+#define SENSE_TYPE_FORMAT_CMD_FAILED 10
+#ifdef SUPPORT_MAGIC_GATE
+/* COPY PROTECTION KEY EXCHANGE FAILURE - KEY NOT ESTABLISHED */
+#define SENSE_TYPE_MG_KEY_FAIL_NOT_ESTAB 0x0b
+/* COPY PROTECTION KEY EXCHANGE FAILURE - AUTHENTICATION FAILURE */
+#define SENSE_TYPE_MG_KEY_FAIL_NOT_AUTHEN 0x0c
+/* INCOMPATIBLE MEDIUM INSTALLED */
+#define SENSE_TYPE_MG_INCOMPATIBLE_MEDIUM 0x0d
+/* WRITE ERROR */
+#define SENSE_TYPE_MG_WRITE_ERR 0x0e
+#endif
+
+/*---- sense key ----*/
+#define ILGAL_REQ 0x05 /* CDB/parameter/identify msg error */
+
+/*-----------------------------------
+ SENSE_DATA
+-----------------------------------*/
+
+/*---- error code ----*/
+#define CUR_ERR 0x70 /* current error */
+
+/*---- sense key Information ----*/
+
+#define SKSV 0x80
+#define CDB_ILLEGAL 0x40
+
+/*---- ASC ----*/
+#define ASC_INVLD_CDB 0x24
+
+/*---- ASQC ----*/
+#define ASCQ_INVLD_CDB 0x00
+
+struct sense_data_t {
+ unsigned char err_code; /* error code */
+ /* bit7 : valid */
+ /* (1 : SCSI2) */
+ /* (0 : Vendor specific) */
+ /* bit6-0 : error code */
+ /* (0x70 : current error) */
+ /* (0x71 : specific command error) */
+ unsigned char seg_no; /* segment No. */
+ unsigned char sense_key; /* byte5 : ILI */
+ /* bit3-0 : sense key */
+ unsigned char info[4]; /* information */
+ unsigned char ad_sense_len; /* additional sense data length */
+ unsigned char cmd_info[4]; /* command specific information */
+ unsigned char asc; /* ASC */
+ unsigned char ascq; /* ASCQ */
+ unsigned char rfu; /* FRU */
+ unsigned char sns_key_info[3]; /* sense key specific information */
+};
+
+/* sd_ctl bit map */
+/* SD push point control, bit 0, 1 */
+#define SD_PUSH_POINT_CTL_MASK 0x03
+#define SD_PUSH_POINT_DELAY 0x01
+#define SD_PUSH_POINT_AUTO 0x02
+/* SD sample point control, bit 2, 3 */
+#define SD_SAMPLE_POINT_CTL_MASK 0x0C
+#define SD_SAMPLE_POINT_DELAY 0x04
+#define SD_SAMPLE_POINT_AUTO 0x08
+/* SD DDR Tx phase set by user, bit 4 */
+#define SD_DDR_TX_PHASE_SET_BY_USER 0x10
+/* MMC DDR Tx phase set by user, bit 5 */
+#define MMC_DDR_TX_PHASE_SET_BY_USER 0x20
+/* Support MMC DDR mode, bit 6 */
+/*#define SUPPORT_MMC_DDR_MODE 0x40 */
+#define SUPPORT_UHS50_MMC44 0x40
+
+struct rts51x_option {
+ int rts51x_mspro_formatter_enable;
+
+ /* card clock expected by user for fpga platform */
+ int fpga_sd_sdr104_clk;
+ int fpga_sd_ddr50_clk;
+ int fpga_sd_sdr50_clk;
+ int fpga_sd_hs_clk;
+ int fpga_mmc_52m_clk;
+ int fpga_ms_hg_clk;
+ int fpga_ms_4bit_clk;
+
+ /* card clock expected by user for asic platform */
+ int asic_sd_sdr104_clk;
+ int asic_sd_ddr50_clk;
+ int asic_sd_sdr50_clk;
+ int asic_sd_hs_clk;
+ int asic_mmc_52m_clk;
+ int asic_ms_hg_clk;
+ int asic_ms_4bit_clk;
+
+ u8 ssc_depth_sd_sdr104; /* sw */
+ u8 ssc_depth_sd_ddr50; /* sw */
+ u8 ssc_depth_sd_sdr50; /* sw */
+ u8 ssc_depth_sd_hs; /* sw */
+ u8 ssc_depth_mmc_52m; /* sw */
+ u8 ssc_depth_ms_hg; /* sw */
+ u8 ssc_depth_ms_4bit; /* sw */
+ u8 ssc_depth_low_speed; /* sw */
+
+ /* SD/MMC Tx phase */
+ int sd_ddr_tx_phase; /* Enabled by bit 4 of sd_ctl */
+ int mmc_ddr_tx_phase; /* Enabled by bit 5 of sd_ctl */
+
+ /* priority of choosing sd speed funciton */
+ u32 sd_speed_prior;
+
+ /* sd card control */
+ u32 sd_ctl;
+
+ /* Enable Selective Suspend */
+ int ss_en;
+ /* Interval to enter SS from IDLE state (second) */
+ int ss_delay;
+
+ /* Enable SSC clock */
+ int ssc_en;
+
+ int auto_delink_en;
+
+ /* sangdy2010-07-13:add FT2 fast mode */
+ int FT2_fast_mode;
+ /* sangdy2010-07-15:
+ * add for config delay between 1/4 PMOS and 3/4 PMOS */
+ int pwr_delay;
+
+ int rts51x_xd_rw_step; /* add to tune xd tRP */
+ int D3318_off_delay; /* add to tune D3318 off delay time */
+ int delink_delay; /* add to tune delink delay time */
+ /* add for rts5129 to enable/disable D3318 off */
+ u8 rts5129_D3318_off_enable;
+ u8 sd20_pad_drive; /* add to config SD20 PAD drive */
+ u8 sd30_pad_drive; /* add to config SD30 pad drive */
+ /*if reset or rw fail,then set SD20 pad drive again */
+ u8 reset_or_rw_fail_set_pad_drive;
+
+ u8 debounce_num; /* debounce number */
+ u8 led_toggle_interval; /* used to control led toggle speed */
+ int rts51x_xd_rwn_step;
+ u8 sd_send_status_en;
+ /* used to store default phase which is
+ * used when phase tune all pass. */
+ u8 ddr50_tx_phase;
+ u8 ddr50_rx_phase;
+ u8 sdr50_tx_phase;
+ u8 sdr50_rx_phase;
+ /* used to enable select sdr50 tx phase according to proportion. */
+ u8 sdr50_phase_sel;
+ u8 ms_errreg_fix;
+ u8 reset_mmc_first;
+ u8 speed_mmc; /* when set, then try CMD55 only twice */
+ u8 led_always_on; /* if set, then led always on when card exist */
+ u8 dv18_voltage; /* add to tune dv18 voltage */
+};
+
+#define MS_FORMATTER_ENABLED(chip) ((chip)->option.rts51x_mspro_formatter_enable)
+
+struct rts51x_chip;
+
+typedef int (*rts51x_card_rw_func) (struct scsi_cmnd *srb, struct rts51x_chip *chip,
+ u32 sec_addr, u16 sec_cnt);
+
+/* For MS Card */
+#define MAX_DEFECTIVE_BLOCK 10
+
+struct zone_entry {
+ u16 *l2p_table;
+ u16 *free_table;
+ u16 defect_list[MAX_DEFECTIVE_BLOCK]; /* For MS card only */
+ int set_index;
+ int get_index;
+ int unused_blk_cnt;
+ int disable_count;
+ /* To indicate whether the L2P table of this zone has been built. */
+ int build_flag;
+};
+
+struct xd_delay_write_tag {
+ u32 old_phyblock;
+ u32 new_phyblock;
+ u32 logblock;
+ u8 pageoff;
+ u8 delay_write_flag;
+};
+
+struct xd_info {
+ u8 maker_code;
+ u8 device_code;
+ u8 block_shift;
+ u8 page_off;
+ u8 addr_cycle;
+ u16 cis_block;
+ u8 multi_flag;
+ u8 err_code;
+ u32 capacity;
+
+ struct zone_entry *zone;
+ int zone_cnt;
+
+ struct xd_delay_write_tag delay_write;
+
+ int counter;
+
+ int xd_clock;
+};
+
+#define TYPE_SD 0x0000
+#define TYPE_MMC 0x0001
+
+/* TYPE_SD */
+#define SD_HS 0x0100
+#define SD_SDR50 0x0200
+#define SD_DDR50 0x0400
+#define SD_SDR104 0x0800
+#define SD_HCXC 0x1000
+
+/* TYPE_MMC */
+#define MMC_26M 0x0100
+#define MMC_52M 0x0200
+#define MMC_4BIT 0x0400
+#define MMC_8BIT 0x0800
+#define MMC_SECTOR_MODE 0x1000
+#define MMC_DDR52 0x2000
+
+/* SD card */
+#define CHK_SD(sd_card) (((sd_card)->sd_type & 0xFF) == TYPE_SD)
+#define CHK_SD_HS(sd_card) \
+ (CHK_SD(sd_card) && ((sd_card)->sd_type & SD_HS))
+#define CHK_SD_SDR50(sd_card) \
+ (CHK_SD(sd_card) && ((sd_card)->sd_type & SD_SDR50))
+#define CHK_SD_DDR50(sd_card) \
+ (CHK_SD(sd_card) && ((sd_card)->sd_type & SD_DDR50))
+#define CHK_SD_SDR104(sd_card) \
+ (CHK_SD(sd_card) && ((sd_card)->sd_type & SD_SDR104))
+#define CHK_SD_HCXC(sd_card) \
+ (CHK_SD(sd_card) && ((sd_card)->sd_type & SD_HCXC))
+#define CHK_SD30_SPEED(sd_card) \
+ (CHK_SD_SDR50(sd_card) || CHK_SD_DDR50(sd_card) ||\
+ CHK_SD_SDR104(sd_card))
+
+#define SET_SD(sd_card) ((sd_card)->sd_type = TYPE_SD)
+#define SET_SD_HS(sd_card) ((sd_card)->sd_type |= SD_HS)
+#define SET_SD_SDR50(sd_card) ((sd_card)->sd_type |= SD_SDR50)
+#define SET_SD_DDR50(sd_card) ((sd_card)->sd_type |= SD_DDR50)
+#define SET_SD_SDR104(sd_card) ((sd_card)->sd_type |= SD_SDR104)
+#define SET_SD_HCXC(sd_card) ((sd_card)->sd_type |= SD_HCXC)
+
+#define CLR_SD_HS(sd_card) ((sd_card)->sd_type &= ~SD_HS)
+#define CLR_SD_SDR50(sd_card) ((sd_card)->sd_type &= ~SD_SDR50)
+#define CLR_SD_DDR50(sd_card) ((sd_card)->sd_type &= ~SD_DDR50)
+#define CLR_SD_SDR104(sd_card) ((sd_card)->sd_type &= ~SD_SDR104)
+#define CLR_SD_HCXC(sd_card) ((sd_card)->sd_type &= ~SD_HCXC)
+#define CLR_SD30_SPEED(sd_card) \
+ ((sd_card)->sd_type &= ~(SD_SDR50|SD_DDR50|SD_SDR104))
+
+/* MMC card */
+#define CHK_MMC(sd_card) \
+ (((sd_card)->sd_type & 0xFF) == TYPE_MMC)
+#define CHK_MMC_26M(sd_card) \
+ (CHK_MMC(sd_card) && ((sd_card)->sd_type & MMC_26M))
+#define CHK_MMC_52M(sd_card) \
+ (CHK_MMC(sd_card) && ((sd_card)->sd_type & MMC_52M))
+#define CHK_MMC_4BIT(sd_card) \
+ (CHK_MMC(sd_card) && ((sd_card)->sd_type & MMC_4BIT))
+#define CHK_MMC_8BIT(sd_card) \
+ (CHK_MMC(sd_card) && ((sd_card)->sd_type & MMC_8BIT))
+#define CHK_MMC_SECTOR_MODE(sd_card)\
+ (CHK_MMC(sd_card) && ((sd_card)->sd_type & MMC_SECTOR_MODE))
+#define CHK_MMC_DDR52(sd_card) \
+ (CHK_MMC(sd_card) && ((sd_card)->sd_type & MMC_DDR52))
+
+#define SET_MMC(sd_card) ((sd_card)->sd_type = TYPE_MMC)
+#define SET_MMC_26M(sd_card) ((sd_card)->sd_type |= MMC_26M)
+#define SET_MMC_52M(sd_card) ((sd_card)->sd_type |= MMC_52M)
+#define SET_MMC_4BIT(sd_card) ((sd_card)->sd_type |= MMC_4BIT)
+#define SET_MMC_8BIT(sd_card) ((sd_card)->sd_type |= MMC_8BIT)
+#define SET_MMC_SECTOR_MODE(sd_card) ((sd_card)->sd_type |= MMC_SECTOR_MODE)
+#define SET_MMC_DDR52(sd_card) ((sd_card)->sd_type |= MMC_DDR52)
+
+#define CLR_MMC_26M(sd_card) ((sd_card)->sd_type &= ~MMC_26M)
+#define CLR_MMC_52M(sd_card) ((sd_card)->sd_type &= ~MMC_52M)
+#define CLR_MMC_4BIT(sd_card) ((sd_card)->sd_type &= ~MMC_4BIT)
+#define CLR_MMC_8BIT(sd_card) ((sd_card)->sd_type &= ~MMC_8BIT)
+#define CLR_MMC_SECTOR_MODE(sd_card) ((sd_card)->sd_type &= ~MMC_SECTOR_MODE)
+#define CLR_MMC_DDR52(sd_card) ((sd_card)->sd_type &= ~MMC_DDR52)
+
+#define CHK_MMC_HS(sd_card) \
+ (CHK_MMC_52M(sd_card) && CHK_MMC_26M(sd_card))
+#define CLR_MMC_HS(sd_card) \
+do { \
+ CLR_MMC_DDR52(sd_card); \
+ CLR_MMC_52M(sd_card); \
+ CLR_MMC_26M(sd_card); \
+} while (0)
+
+#define SD_SUPPORT_CLASS_TEN 0x01
+#define SD_SUPPORT_1V8 0x02
+
+#define SD_SET_CLASS_TEN(sd_card) \
+ ((sd_card)->sd_setting |= SD_SUPPORT_CLASS_TEN)
+#define SD_CHK_CLASS_TEN(sd_card) \
+ ((sd_card)->sd_setting & SD_SUPPORT_CLASS_TEN)
+#define SD_CLR_CLASS_TEN(sd_card) \
+ ((sd_card)->sd_setting &= ~SD_SUPPORT_CLASS_TEN)
+#define SD_SET_1V8(sd_card) \
+ ((sd_card)->sd_setting |= SD_SUPPORT_1V8)
+#define SD_CHK_1V8(sd_card) \
+ ((sd_card)->sd_setting & SD_SUPPORT_1V8)
+#define SD_CLR_1V8(sd_card) \
+ ((sd_card)->sd_setting &= ~SD_SUPPORT_1V8)
+#define CLR_RETRY_SD20_MODE(sd_card) \
+ ((sd_card)->retry_SD20_mode = 0)
+#define SET_RETRY_SD20_MODE(sd_card) \
+ ((sd_card)->retry_SD20_mode = 1)
+#define CHK_RETRY_SD20_MODE(sd_card) \
+ ((sd_card)->retry_SD20_mode == 1)
+
+struct sd_info {
+ u16 sd_type;
+ u8 err_code;
+ u8 sd_data_buf_ready;
+ u32 sd_addr;
+ u32 capacity;
+
+ u8 raw_csd[16];
+ u8 raw_scr[8];
+
+ /* Sequential RW */
+ int seq_mode;
+ enum dma_data_direction pre_dir;
+ u32 pre_sec_addr;
+ u16 pre_sec_cnt;
+
+ int counter;
+
+ int sd_clock;
+
+#ifdef SUPPORT_CPRM
+ int sd_pass_thru_en;
+ int pre_cmd_err;
+ u8 last_rsp_type;
+ u8 rsp[17];
+#endif
+
+ u8 func_group1_mask;
+ u8 func_group2_mask;
+ u8 func_group3_mask;
+ u8 func_group4_mask;
+
+ u8 sd_switch_fail;
+ u8 sd_read_phase;
+ u8 retry_SD20_mode; /* sangdy2010-06-10 */
+ u8 sd_reset_fail; /* sangdy2010-07-01 */
+ u8 sd_send_status_en;
+
+};
+
+#define MODE_512_SEQ 0x01
+#define MODE_2K_SEQ 0x02
+
+#define TYPE_MS 0x0000
+#define TYPE_MSPRO 0x0001
+
+#define MS_4BIT 0x0100
+#define MS_8BIT 0x0200
+#define MS_HG 0x0400
+#define MS_XC 0x0800
+
+#define HG8BIT (MS_HG | MS_8BIT)
+
+#define CHK_MSPRO(ms_card) \
+ (((ms_card)->ms_type & 0xFF) == TYPE_MSPRO)
+#define CHK_HG8BIT(ms_card) \
+ (CHK_MSPRO(ms_card) && (((ms_card)->ms_type & HG8BIT) == HG8BIT))
+#define CHK_MSXC(ms_card) \
+ (CHK_MSPRO(ms_card) && ((ms_card)->ms_type & MS_XC))
+#define CHK_MSHG(ms_card) \
+ (CHK_MSPRO(ms_card) && ((ms_card)->ms_type & MS_HG))
+
+#define CHK_MS8BIT(ms_card) (((ms_card)->ms_type & MS_8BIT))
+#define CHK_MS4BIT(ms_card) (((ms_card)->ms_type & MS_4BIT))
+
+struct rts51x_ms_delay_write_tag {
+ u16 old_phyblock;
+ u16 new_phyblock;
+ u16 logblock;
+ u8 pageoff;
+ u8 delay_write_flag;
+};
+
+struct ms_info {
+ u16 ms_type;
+ u8 block_shift;
+ u8 page_off;
+ u16 total_block;
+ u16 boot_block;
+ u32 capacity;
+
+ u8 check_ms_flow;
+ u8 switch_8bit_fail;
+ u8 err_code;
+
+ struct zone_entry *segment;
+ int segment_cnt;
+
+ int pro_under_formatting;
+ int format_status;
+ u16 progress;
+ u8 raw_sys_info[96];
+#ifdef SUPPORT_PCGL_1P18
+ u8 raw_model_name[48];
+#endif
+
+ u8 multi_flag;
+
+ /* Sequential RW */
+ u8 seq_mode;
+ enum dma_data_direction pre_dir;
+ u32 pre_sec_addr;
+ u16 pre_sec_cnt;
+ u32 total_sec_cnt;
+ u8 last_rw_int;
+
+ struct rts51x_ms_delay_write_tag delay_write;
+
+ int counter;
+
+ int ms_clock;
+
+#ifdef SUPPORT_MAGIC_GATE
+ u8 magic_gate_id[16];
+ u8 mg_entry_num;
+ int mg_auth; /* flag to indicate authentication process */
+#endif
+};
+
+#define PRO_UNDER_FORMATTING(ms_card) \
+ ((ms_card)->pro_under_formatting)
+#define SET_FORMAT_STATUS(ms_card, status) \
+ ((ms_card)->format_status = (status))
+#define CHK_FORMAT_STATUS(ms_card, status) \
+ ((ms_card)->format_status == (status))
+
+struct scsi_cmnd;
+
+enum CHIP_STAT { STAT_INIT, STAT_IDLE, STAT_RUN, STAT_SS_PRE, STAT_SS,
+ STAT_SUSPEND };
+
+struct rts51x_chip {
+ u16 vendor_id;
+ u16 product_id;
+ char max_lun;
+
+ struct scsi_cmnd *srb;
+ struct sense_data_t sense_buffer[MAX_ALLOWED_LUN_CNT];
+
+ int led_toggle_counter;
+
+ int ss_counter;
+ int idle_counter;
+ int auto_delink_counter;
+ enum CHIP_STAT chip_stat;
+
+ int resume_from_scsi;
+
+ /* Card information */
+ struct xd_info xd_card;
+ struct sd_info sd_card;
+ struct ms_info ms_card;
+
+ int cur_clk; /* current card clock */
+ int cur_card; /* Current card module */
+
+ u8 card_exist; /* card exist bit map (physical exist) */
+ u8 card_ready; /* card ready bit map (reset successfully) */
+ u8 card_fail; /* card reset fail bit map */
+ u8 card_ejected; /* card ejected bit map */
+ u8 card_wp; /* card write protected bit map */
+
+ u8 fake_card_ready;
+ /* flag to indicate whether to answer MediaChange */
+ unsigned long lun_mc;
+
+ /* card bus width */
+ u8 card_bus_width[MAX_ALLOWED_LUN_CNT];
+ /* card capacity */
+ u32 capacity[MAX_ALLOWED_LUN_CNT];
+
+ /* read/write card function pointer */
+ rts51x_card_rw_func rw_card[MAX_ALLOWED_LUN_CNT];
+ /* read/write capacity, used for GPIO Toggle */
+ u32 rw_cap[MAX_ALLOWED_LUN_CNT];
+ /* card to lun mapping table */
+ u8 card2lun[32];
+ /* lun to card mapping table */
+ u8 lun2card[MAX_ALLOWED_LUN_CNT];
+
+#ifdef _MSG_TRACE
+ struct trace_msg_t trace_msg[TRACE_ITEM_CNT];
+ int msg_idx;
+#endif
+
+ int rw_need_retry;
+
+ /* ASIC or FPGA */
+ int asic_code;
+
+ /* QFN24 or LQFP48 */
+ int package;
+
+ /* Full Speed or High Speed */
+ int usb_speed;
+
+ /*sangdy:enable or disable UHS50 and MMC4.4 */
+ int uhs50_mmc44_en;
+
+ u8 ic_version;
+
+ /* Command buffer */
+ u8 *cmd_buf;
+ unsigned int cmd_idx;
+ /* Response buffer */
+ u8 *rsp_buf;
+
+ u16 card_status;
+
+#ifdef SUPPORT_OCP
+ u16 ocp_stat;
+#endif
+
+ struct rts51x_option option;
+ struct rts51x_usb *usb;
+
+ u8 rcc_read_response;
+ int reset_need_retry;
+ u8 rts5179;
+};
+
+#define UHS50_EN 0x0001
+#define UHS50_DIS 0x0000
+#define SET_UHS50(chip) ((chip)->uhs50_mmc44_en = UHS50_EN)
+#define CLEAR_UHS50(chip) ((chip)->uhs50_mmc44_en = UHS50_DIS)
+#define CHECK_UHS50(chip) (((chip)->uhs50_mmc44_en&0xff) == UHS50_EN)
+
+#define RTS51X_GET_VID(chip) ((chip)->vendor_id)
+#define RTS51X_GET_PID(chip) ((chip)->product_id)
+
+#define RTS51X_SET_STAT(chip, stat) \
+do { \
+ if ((stat) != STAT_IDLE) { \
+ (chip)->idle_counter = 0; \
+ } \
+ (chip)->chip_stat = (enum CHIP_STAT)(stat); \
+} while (0)
+#define RTS51X_CHK_STAT(chip, stat) ((chip)->chip_stat == (stat))
+#define RTS51X_GET_STAT(chip) ((chip)->chip_stat)
+
+#define CHECK_PID(chip, pid) (RTS51X_GET_PID(chip) == (pid))
+#define CHECK_PKG(chip, pkg) ((chip)->package == (pkg))
+#define CHECK_USB(chip, speed) ((chip)->usb_speed == (speed))
+
+int rts51x_reset_chip(struct rts51x_chip *chip);
+int rts51x_init_chip(struct rts51x_chip *chip);
+int rts51x_release_chip(struct rts51x_chip *chip);
+void rts51x_polling_func(struct rts51x_chip *chip);
+
+static inline void rts51x_init_cmd(struct rts51x_chip *chip)
+{
+ chip->cmd_idx = 0;
+ chip->cmd_buf[0] = 'R';
+ chip->cmd_buf[1] = 'T';
+ chip->cmd_buf[2] = 'C';
+ chip->cmd_buf[3] = 'R';
+ chip->cmd_buf[PACKET_TYPE] = BATCH_CMD;
+}
+
+void rts51x_add_cmd(struct rts51x_chip *chip,
+ u8 cmd_type, u16 reg_addr, u8 mask, u8 data);
+int rts51x_send_cmd(struct rts51x_chip *chip, u8 flag, int timeout);
+int rts51x_get_rsp(struct rts51x_chip *chip, int rsp_len, int timeout);
+
+static inline void rts51x_read_rsp_buf(struct rts51x_chip *chip, int offset,
+ u8 *buf, int buf_len)
+{
+ memcpy(buf, chip->rsp_buf + offset, buf_len);
+}
+
+static inline u8 *rts51x_get_rsp_data(struct rts51x_chip *chip)
+{
+ return chip->rsp_buf;
+}
+
+int rts51x_get_card_status(struct rts51x_chip *chip, u16 *status);
+int rts51x_write_register(struct rts51x_chip *chip, u16 addr, u8 mask, u8 data);
+int rts51x_read_register(struct rts51x_chip *chip, u16 addr, u8 *data);
+int rts51x_ep0_write_register(struct rts51x_chip *chip, u16 addr, u8 mask,
+ u8 data);
+int rts51x_ep0_read_register(struct rts51x_chip *chip, u16 addr, u8 *data);
+int rts51x_seq_write_register(struct rts51x_chip *chip, u16 addr, u16 len,
+ u8 *data);
+int rts51x_seq_read_register(struct rts51x_chip *chip, u16 addr, u16 len,
+ u8 *data);
+int rts51x_read_ppbuf(struct rts51x_chip *chip, u8 *buf, int buf_len);
+int rts51x_write_ppbuf(struct rts51x_chip *chip, u8 *buf, int buf_len);
+int rts51x_write_phy_register(struct rts51x_chip *chip, u8 addr, u8 val);
+int rts51x_read_phy_register(struct rts51x_chip *chip, u8 addr, u8 *val);
+void rts51x_do_before_power_down(struct rts51x_chip *chip);
+void rts51x_clear_hw_error(struct rts51x_chip *chip);
+void rts51x_prepare_run(struct rts51x_chip *chip);
+void rts51x_trace_msg(struct rts51x_chip *chip, unsigned char *buf, int clear);
+void rts51x_pp_status(struct rts51x_chip *chip, unsigned int lun, u8 *status,
+ u8 status_len);
+void rts51x_read_status(struct rts51x_chip *chip, unsigned int lun,
+ u8 *rts51x_status, u8 status_len);
+int rts51x_transfer_data_rcc(struct rts51x_chip *chip, unsigned int pipe,
+ void *buf, unsigned int len, int use_sg,
+ unsigned int *act_len, int timeout, u8 stage_flag);
+
+#define RTS51X_WRITE_REG(chip, addr, mask, data) \
+do { \
+ int _retval = rts51x_write_register((chip), \
+ (addr), (mask), (data)); \
+ if (_retval != STATUS_SUCCESS) { \
+ TRACE_RET((chip), _retval); \
+ } \
+} while (0)
+
+#define RTS51X_READ_REG(chip, addr, data) \
+do { \
+ int _retval = rts51x_read_register((chip), \
+ (addr), (data)); \
+ if (_retval != STATUS_SUCCESS) { \
+ TRACE_RET((chip), _retval); \
+ } \
+} while (0)
+
+#endif /* __RTS51X_CHIP_H */
diff --git a/drivers/staging/rts5139/rts51x_fop.c b/drivers/staging/rts5139/rts51x_fop.c
new file mode 100644
index 000000000000..cf4e675aea69
--- /dev/null
+++ b/drivers/staging/rts5139/rts51x_fop.c
@@ -0,0 +1,295 @@
+/* Driver for Realtek RTS51xx USB card reader
+ *
+ * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author:
+ * wwang (wei_wang(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ * Maintainer:
+ * Edwin Rong (edwin_rong(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ */
+
+#include "rts51x.h"
+
+#ifdef SUPPORT_FILE_OP
+
+#include <linux/types.h>
+#include <linux/stat.h>
+#include <linux/kref.h>
+#include <linux/slab.h>
+
+#include "rts51x_chip.h"
+#include "rts51x_card.h"
+#include "rts51x_fop.h"
+#include "sd_cprm.h"
+
+#define RTS5139_IOC_MAGIC 0x39
+
+#define RTS5139_IOC_SD_DIRECT _IOWR(RTS5139_IOC_MAGIC, 0xA0, int)
+#define RTS5139_IOC_SD_GET_RSP _IOWR(RTS5139_IOC_MAGIC, 0xA1, int)
+
+static int rts51x_sd_direct_cmnd(struct rts51x_chip *chip,
+ struct sd_direct_cmnd *cmnd)
+{
+ int retval;
+ u8 dir, cmd12, standby, acmd, cmd_idx, rsp_code;
+ u8 *buf;
+ u32 arg, len;
+
+ dir = (cmnd->cmnd[0] >> 3) & 0x03;
+ cmd12 = (cmnd->cmnd[0] >> 2) & 0x01;
+ standby = (cmnd->cmnd[0] >> 1) & 0x01;
+ acmd = cmnd->cmnd[0] & 0x01;
+ cmd_idx = cmnd->cmnd[1];
+ arg = ((u32) (cmnd->cmnd[2]) << 24) | ((u32) (cmnd->cmnd[3]) << 16) |
+ ((u32) (cmnd->cmnd[4]) << 8) | cmnd->cmnd[5];
+ len =
+ ((u32) (cmnd->cmnd[6]) << 16) | ((u32) (cmnd->cmnd[7]) << 8) |
+ cmnd->cmnd[8];
+ rsp_code = cmnd->cmnd[9];
+
+ if (dir) {
+ if (!cmnd->buf || (cmnd->buf_len < len))
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ switch (dir) {
+ case 0:
+ /* No data */
+ retval = ext_rts51x_sd_execute_no_data(chip,
+ chip->card2lun[SD_CARD],
+ cmd_idx, standby, acmd,
+ rsp_code, arg);
+ if (retval != TRANSPORT_GOOD)
+ TRACE_RET(chip, STATUS_FAIL);
+ break;
+
+ case 1:
+ /* Read from card */
+ buf = kzalloc(cmnd->buf_len, GFP_KERNEL);
+ if (!buf)
+ TRACE_RET(chip, STATUS_NOMEM);
+
+ retval = ext_rts51x_sd_execute_read_data(chip,
+ chip->card2lun[SD_CARD],
+ cmd_idx, cmd12, standby, acmd,
+ rsp_code, arg, len, buf,
+ cmnd->buf_len, 0);
+ if (retval != TRANSPORT_GOOD) {
+ kfree(buf);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ retval =
+ copy_to_user(cmnd->buf, (void *)buf, cmnd->buf_len);
+ if (retval) {
+ kfree(buf);
+ TRACE_RET(chip, STATUS_NOMEM);
+ }
+
+ kfree(buf);
+ break;
+
+ case 2:
+ /* Write to card */
+ buf = kmalloc(cmnd->buf_len, GFP_KERNEL);
+ if (!buf)
+ TRACE_RET(chip, STATUS_NOMEM);
+
+ retval =
+ copy_from_user((void *)buf, cmnd->buf,
+ cmnd->buf_len);
+ if (retval) {
+ kfree(buf);
+ TRACE_RET(chip, STATUS_NOMEM);
+ }
+
+ retval =
+ ext_rts51x_sd_execute_write_data(chip,
+ chip->card2lun[SD_CARD],
+ cmd_idx, cmd12, standby, acmd,
+ rsp_code, arg, len, buf,
+ cmnd->buf_len, 0);
+ if (retval != TRANSPORT_GOOD) {
+ kfree(buf);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ kfree(buf);
+
+ break;
+
+ default:
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int rts51x_sd_get_rsp(struct rts51x_chip *chip, struct sd_rsp *rsp)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int count = 0, retval;
+
+ if (sd_card->pre_cmd_err) {
+ sd_card->pre_cmd_err = 0;
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ if (sd_card->last_rsp_type == SD_RSP_TYPE_R0)
+ TRACE_RET(chip, STATUS_FAIL);
+ else if (sd_card->last_rsp_type == SD_RSP_TYPE_R2)
+ count = (rsp->rsp_len < 17) ? rsp->rsp_len : 17;
+ else
+ count = (rsp->rsp_len < 6) ? rsp->rsp_len : 6;
+
+ retval = copy_to_user(rsp->rsp, (void *)sd_card->rsp, count);
+ if (retval)
+ TRACE_RET(chip, STATUS_NOMEM);
+
+ RTS51X_DEBUGP("Response length: %d\n", count);
+ RTS51X_DEBUGP("Response: 0x%x 0x%x 0x%x 0x%x\n",
+ sd_card->rsp[0], sd_card->rsp[1], sd_card->rsp[2],
+ sd_card->rsp[3]);
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_open(struct inode *inode, struct file *filp)
+{
+ struct rts51x_chip *chip;
+ struct usb_interface *interface;
+ int subminor;
+ int retval = 0;
+
+ subminor = iminor(inode);
+
+ interface = usb_find_interface(&rts51x_driver, subminor);
+ if (!interface) {
+ RTS51X_DEBUGP("%s - error, can't find device for minor %d\n",
+ __func__, subminor);
+ retval = -ENODEV;
+ goto exit;
+ }
+
+ chip = (struct rts51x_chip *)usb_get_intfdata(interface);
+ if (!chip) {
+ RTS51X_DEBUGP("Can't find chip\n");
+ retval = -ENODEV;
+ goto exit;
+ }
+
+ /* Increase our reference to the host */
+ scsi_host_get(rts51x_to_host(chip));
+
+ /* lock the device pointers */
+ mutex_lock(&(chip->usb->dev_mutex));
+
+ /* save our object in the file's private structure */
+ filp->private_data = chip;
+
+ /* unlock the device pointers */
+ mutex_unlock(&chip->usb->dev_mutex);
+
+exit:
+ return retval;
+}
+
+int rts51x_release(struct inode *inode, struct file *filp)
+{
+ struct rts51x_chip *chip;
+
+ chip = (struct rts51x_chip *)filp->private_data;
+ if (chip == NULL)
+ return -ENODEV;
+
+ /* Drop our reference to the host; the SCSI core will free it
+ * (and "chip" along with it) when the refcount becomes 0. */
+ scsi_host_put(rts51x_to_host(chip));
+
+ return 0;
+}
+
+ssize_t rts51x_read(struct file *filp, char __user *buf, size_t count,
+ loff_t *f_pos)
+{
+ return 0;
+}
+
+ssize_t rts51x_write(struct file *filp, const char __user *buf, size_t count,
+ loff_t *f_pos)
+{
+ return 0;
+}
+
+long rts51x_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
+{
+ struct rts51x_chip *chip;
+ struct sd_direct_cmnd cmnd;
+ struct sd_rsp rsp;
+ int retval = 0;
+
+ chip = (struct rts51x_chip *)filp->private_data;
+ if (chip == NULL)
+ return -ENODEV;
+
+ /* lock the device pointers */
+ mutex_lock(&(chip->usb->dev_mutex));
+
+ switch (cmd) {
+ case RTS5139_IOC_SD_DIRECT:
+ retval =
+ copy_from_user((void *)&cmnd, (void __user *)arg,
+ sizeof(struct sd_direct_cmnd));
+ if (retval) {
+ retval = -ENOMEM;
+ TRACE_GOTO(chip, exit);
+ }
+ retval = rts51x_sd_direct_cmnd(chip, &cmnd);
+ if (retval != STATUS_SUCCESS) {
+ retval = -EIO;
+ TRACE_GOTO(chip, exit);
+ }
+ break;
+
+ case RTS5139_IOC_SD_GET_RSP:
+ retval =
+ copy_from_user(&rsp, (void __user *)arg,
+ sizeof(struct sd_rsp));
+ if (retval) {
+ retval = -ENOMEM;
+ TRACE_GOTO(chip, exit);
+ }
+ retval = rts51x_sd_get_rsp(chip, &rsp);
+ if (retval != STATUS_SUCCESS) {
+ retval = -EIO;
+ TRACE_GOTO(chip, exit);
+ }
+ break;
+
+ default:
+ break;
+ }
+
+exit:
+ /* unlock the device pointers */
+ mutex_unlock(&chip->usb->dev_mutex);
+
+ return retval;
+}
+
+#endif
diff --git a/drivers/staging/rts5139/rts51x_fop.h b/drivers/staging/rts5139/rts51x_fop.h
new file mode 100644
index 000000000000..c691ee99720e
--- /dev/null
+++ b/drivers/staging/rts5139/rts51x_fop.h
@@ -0,0 +1,57 @@
+/* Driver for Realtek RTS51xx USB card reader
+ *
+ * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author:
+ * wwang (wei_wang(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ * Maintainer:
+ * Edwin Rong (edwin_rong(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ */
+
+#ifndef __RTS51X_FOP_H
+#define __RTS51X_FOP_H
+
+#include "rts51x.h"
+
+#ifdef SUPPORT_FILE_OP
+
+#include <linux/fs.h>
+#include <linux/types.h>
+
+struct sd_direct_cmnd {
+ u8 cmnd[12];
+ void __user *buf;
+ int buf_len;
+};
+
+struct sd_rsp {
+ void __user *rsp;
+ int rsp_len;
+};
+
+int rts51x_open(struct inode *inode, struct file *filp);
+int rts51x_release(struct inode *inode, struct file *filp);
+ssize_t rts51x_read(struct file *filp, char __user *buf, size_t count,
+ loff_t *f_pos);
+ssize_t rts51x_write(struct file *filp, const char __user *buf, size_t count,
+ loff_t *f_pos);
+long rts51x_ioctl(struct file *filp, unsigned int cmd, unsigned long arg);
+
+#endif
+
+#endif /* __RTS51X_FOP_H */
diff --git a/drivers/staging/rts5139/rts51x_scsi.c b/drivers/staging/rts5139/rts51x_scsi.c
new file mode 100644
index 000000000000..75282fea38f7
--- /dev/null
+++ b/drivers/staging/rts5139/rts51x_scsi.c
@@ -0,0 +1,2135 @@
+/* Driver for Realtek RTS51xx USB card reader
+ *
+ * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author:
+ * wwang (wei_wang(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ * Maintainer:
+ * Edwin Rong (edwin_rong(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ */
+
+#include <linux/blkdev.h>
+#include <linux/kthread.h>
+#include <linux/sched.h>
+#include <linux/slab.h>
+#include <linux/vmalloc.h>
+#include <linux/export.h>
+
+#include <scsi/scsi.h>
+#include <scsi/scsi_eh.h>
+#include <scsi/scsi_device.h>
+
+#include "debug.h"
+#include "rts51x.h"
+#include "rts51x_chip.h"
+#include "rts51x_scsi.h"
+#include "rts51x_card.h"
+#include "rts51x_transport.h"
+#include "sd_cprm.h"
+#include "ms_mg.h"
+#include "trace.h"
+
+void rts51x_scsi_show_command(struct scsi_cmnd *srb)
+{
+ char *what = NULL;
+ int i, unknown_cmd = 0;
+
+ switch (srb->cmnd[0]) {
+ case TEST_UNIT_READY:
+ what = (char *)"TEST_UNIT_READY";
+ break;
+ case REZERO_UNIT:
+ what = (char *)"REZERO_UNIT";
+ break;
+ case REQUEST_SENSE:
+ what = (char *)"REQUEST_SENSE";
+ break;
+ case FORMAT_UNIT:
+ what = (char *)"FORMAT_UNIT";
+ break;
+ case READ_BLOCK_LIMITS:
+ what = (char *)"READ_BLOCK_LIMITS";
+ break;
+ case 0x07:
+ what = (char *)"REASSIGN_BLOCKS";
+ break;
+ case READ_6:
+ what = (char *)"READ_6";
+ break;
+ case WRITE_6:
+ what = (char *)"WRITE_6";
+ break;
+ case SEEK_6:
+ what = (char *)"SEEK_6";
+ break;
+ case READ_REVERSE:
+ what = (char *)"READ_REVERSE";
+ break;
+ case WRITE_FILEMARKS:
+ what = (char *)"WRITE_FILEMARKS";
+ break;
+ case SPACE:
+ what = (char *)"SPACE";
+ break;
+ case INQUIRY:
+ what = (char *)"INQUIRY";
+ break;
+ case RECOVER_BUFFERED_DATA:
+ what = (char *)"RECOVER_BUFFERED_DATA";
+ break;
+ case MODE_SELECT:
+ what = (char *)"MODE_SELECT";
+ break;
+ case RESERVE:
+ what = (char *)"RESERVE";
+ break;
+ case RELEASE:
+ what = (char *)"RELEASE";
+ break;
+ case COPY:
+ what = (char *)"COPY";
+ break;
+ case ERASE:
+ what = (char *)"ERASE";
+ break;
+ case MODE_SENSE:
+ what = (char *)"MODE_SENSE";
+ break;
+ case START_STOP:
+ what = (char *)"START_STOP";
+ break;
+ case RECEIVE_DIAGNOSTIC:
+ what = (char *)"RECEIVE_DIAGNOSTIC";
+ break;
+ case SEND_DIAGNOSTIC:
+ what = (char *)"SEND_DIAGNOSTIC";
+ break;
+ case ALLOW_MEDIUM_REMOVAL:
+ what = (char *)"ALLOW_MEDIUM_REMOVAL";
+ break;
+ case SET_WINDOW:
+ what = (char *)"SET_WINDOW";
+ break;
+ case READ_CAPACITY:
+ what = (char *)"READ_CAPACITY";
+ break;
+ case READ_10:
+ what = (char *)"READ_10";
+ break;
+ case WRITE_10:
+ what = (char *)"WRITE_10";
+ break;
+ case SEEK_10:
+ what = (char *)"SEEK_10";
+ break;
+ case WRITE_VERIFY:
+ what = (char *)"WRITE_VERIFY";
+ break;
+ case VERIFY:
+ what = (char *)"VERIFY";
+ break;
+ case SEARCH_HIGH:
+ what = (char *)"SEARCH_HIGH";
+ break;
+ case SEARCH_EQUAL:
+ what = (char *)"SEARCH_EQUAL";
+ break;
+ case SEARCH_LOW:
+ what = (char *)"SEARCH_LOW";
+ break;
+ case SET_LIMITS:
+ what = (char *)"SET_LIMITS";
+ break;
+ case READ_POSITION:
+ what = (char *)"READ_POSITION";
+ break;
+ case SYNCHRONIZE_CACHE:
+ what = (char *)"SYNCHRONIZE_CACHE";
+ break;
+ case LOCK_UNLOCK_CACHE:
+ what = (char *)"LOCK_UNLOCK_CACHE";
+ break;
+ case READ_DEFECT_DATA:
+ what = (char *)"READ_DEFECT_DATA";
+ break;
+ case MEDIUM_SCAN:
+ what = (char *)"MEDIUM_SCAN";
+ break;
+ case COMPARE:
+ what = (char *)"COMPARE";
+ break;
+ case COPY_VERIFY:
+ what = (char *)"COPY_VERIFY";
+ break;
+ case WRITE_BUFFER:
+ what = (char *)"WRITE_BUFFER";
+ break;
+ case READ_BUFFER:
+ what = (char *)"READ_BUFFER";
+ break;
+ case UPDATE_BLOCK:
+ what = (char *)"UPDATE_BLOCK";
+ break;
+ case READ_LONG:
+ what = (char *)"READ_LONG";
+ break;
+ case WRITE_LONG:
+ what = (char *)"WRITE_LONG";
+ break;
+ case CHANGE_DEFINITION:
+ what = (char *)"CHANGE_DEFINITION";
+ break;
+ case WRITE_SAME:
+ what = (char *)"WRITE_SAME";
+ break;
+ case GPCMD_READ_SUBCHANNEL:
+ what = (char *)"READ SUBCHANNEL";
+ break;
+ case READ_TOC:
+ what = (char *)"READ_TOC";
+ break;
+ case GPCMD_READ_HEADER:
+ what = (char *)"READ HEADER";
+ break;
+ case GPCMD_PLAY_AUDIO_10:
+ what = (char *)"PLAY AUDIO (10)";
+ break;
+ case GPCMD_PLAY_AUDIO_MSF:
+ what = (char *)"PLAY AUDIO MSF";
+ break;
+ case GPCMD_GET_EVENT_STATUS_NOTIFICATION:
+ what = (char *)"GET EVENT/STATUS NOTIFICATION";
+ break;
+ case GPCMD_PAUSE_RESUME:
+ what = (char *)"PAUSE/RESUME";
+ break;
+ case LOG_SELECT:
+ what = (char *)"LOG_SELECT";
+ break;
+ case LOG_SENSE:
+ what = (char *)"LOG_SENSE";
+ break;
+ case GPCMD_STOP_PLAY_SCAN:
+ what = (char *)"STOP PLAY/SCAN";
+ break;
+ case GPCMD_READ_DISC_INFO:
+ what = (char *)"READ DISC INFORMATION";
+ break;
+ case GPCMD_READ_TRACK_RZONE_INFO:
+ what = (char *)"READ TRACK INFORMATION";
+ break;
+ case GPCMD_RESERVE_RZONE_TRACK:
+ what = (char *)"RESERVE TRACK";
+ break;
+ case GPCMD_SEND_OPC:
+ what = (char *)"SEND OPC";
+ break;
+ case MODE_SELECT_10:
+ what = (char *)"MODE_SELECT_10";
+ break;
+ case GPCMD_REPAIR_RZONE_TRACK:
+ what = (char *)"REPAIR TRACK";
+ break;
+ case 0x59:
+ what = (char *)"READ MASTER CUE";
+ break;
+ case MODE_SENSE_10:
+ what = (char *)"MODE_SENSE_10";
+ break;
+ case GPCMD_CLOSE_TRACK:
+ what = (char *)"CLOSE TRACK/SESSION";
+ break;
+ case 0x5C:
+ what = (char *)"READ BUFFER CAPACITY";
+ break;
+ case 0x5D:
+ what = (char *)"SEND CUE SHEET";
+ break;
+ case GPCMD_BLANK:
+ what = (char *)"BLANK";
+ break;
+ case REPORT_LUNS:
+ what = (char *)"REPORT LUNS";
+ break;
+ case MOVE_MEDIUM:
+ what = (char *)"MOVE_MEDIUM or PLAY AUDIO (12)";
+ break;
+ case READ_12:
+ what = (char *)"READ_12";
+ break;
+ case WRITE_12:
+ what = (char *)"WRITE_12";
+ break;
+ case WRITE_VERIFY_12:
+ what = (char *)"WRITE_VERIFY_12";
+ break;
+ case SEARCH_HIGH_12:
+ what = (char *)"SEARCH_HIGH_12";
+ break;
+ case SEARCH_EQUAL_12:
+ what = (char *)"SEARCH_EQUAL_12";
+ break;
+ case SEARCH_LOW_12:
+ what = (char *)"SEARCH_LOW_12";
+ break;
+ case SEND_VOLUME_TAG:
+ what = (char *)"SEND_VOLUME_TAG";
+ break;
+ case READ_ELEMENT_STATUS:
+ what = (char *)"READ_ELEMENT_STATUS";
+ break;
+ case GPCMD_READ_CD_MSF:
+ what = (char *)"READ CD MSF";
+ break;
+ case GPCMD_SCAN:
+ what = (char *)"SCAN";
+ break;
+ case GPCMD_SET_SPEED:
+ what = (char *)"SET CD SPEED";
+ break;
+ case GPCMD_MECHANISM_STATUS:
+ what = (char *)"MECHANISM STATUS";
+ break;
+ case GPCMD_READ_CD:
+ what = (char *)"READ CD";
+ break;
+ case 0xE1:
+ what = (char *)"WRITE CONTINUE";
+ break;
+ case WRITE_LONG_2:
+ what = (char *)"WRITE_LONG_2";
+ break;
+ case VENDOR_CMND:
+ what = (char *)"Realtek's vendor command";
+ break;
+ default:
+ what = (char *)"(unknown command)";
+ unknown_cmd = 1;
+ break;
+ }
+
+ if (srb->cmnd[0] != TEST_UNIT_READY)
+ RTS51X_DEBUGP("Command %s (%d bytes)\n", what, srb->cmd_len);
+ if (unknown_cmd) {
+ RTS51X_DEBUGP("");
+ for (i = 0; i < srb->cmd_len && i < 16; i++)
+ RTS51X_DEBUGPN(" %02x", srb->cmnd[i]);
+ RTS51X_DEBUGPN("\n");
+ }
+}
+
+void rts51x_set_sense_type(struct rts51x_chip *chip, unsigned int lun, int sense_type)
+{
+ switch (sense_type) {
+ case SENSE_TYPE_MEDIA_CHANGE:
+ rts51x_set_sense_data(chip, lun, CUR_ERR, 0x06, 0, 0x28, 0, 0, 0);
+ break;
+
+ case SENSE_TYPE_MEDIA_NOT_PRESENT:
+ rts51x_set_sense_data(chip, lun, CUR_ERR, 0x02, 0, 0x3A, 0, 0, 0);
+ break;
+
+ case SENSE_TYPE_MEDIA_LBA_OVER_RANGE:
+ rts51x_set_sense_data(chip, lun, CUR_ERR, 0x05, 0, 0x21, 0, 0, 0);
+ break;
+
+ case SENSE_TYPE_MEDIA_LUN_NOT_SUPPORT:
+ rts51x_set_sense_data(chip, lun, CUR_ERR, 0x05, 0, 0x25, 0, 0, 0);
+ break;
+
+ case SENSE_TYPE_MEDIA_WRITE_PROTECT:
+ rts51x_set_sense_data(chip, lun, CUR_ERR, 0x07, 0, 0x27, 0, 0, 0);
+ break;
+
+ case SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR:
+ rts51x_set_sense_data(chip, lun, CUR_ERR, 0x03, 0, 0x11, 0, 0, 0);
+ break;
+
+ case SENSE_TYPE_MEDIA_WRITE_ERR:
+ rts51x_set_sense_data(chip, lun, CUR_ERR, 0x03, 0, 0x0C, 0x02, 0, 0);
+ break;
+
+ case SENSE_TYPE_MEDIA_INVALID_CMD_FIELD:
+ rts51x_set_sense_data(chip, lun, CUR_ERR, ILGAL_REQ, 0,
+ ASC_INVLD_CDB, ASCQ_INVLD_CDB, CDB_ILLEGAL, 1);
+ break;
+
+ case SENSE_TYPE_FORMAT_CMD_FAILED:
+ rts51x_set_sense_data(chip, lun, CUR_ERR, 0x03, 0, 0x31, 0x01, 0, 0);
+ break;
+
+#ifdef SUPPORT_MAGIC_GATE
+ case SENSE_TYPE_MG_KEY_FAIL_NOT_ESTAB:
+ rts51x_set_sense_data(chip, lun, CUR_ERR, 0x05, 0, 0x6F, 0x02, 0, 0);
+ break;
+
+ case SENSE_TYPE_MG_KEY_FAIL_NOT_AUTHEN:
+ rts51x_set_sense_data(chip, lun, CUR_ERR, 0x05, 0, 0x6F, 0x00, 0, 0);
+ break;
+
+ case SENSE_TYPE_MG_INCOMPATIBLE_MEDIUM:
+ rts51x_set_sense_data(chip, lun, CUR_ERR, 0x02, 0, 0x30, 0x00, 0, 0);
+ break;
+
+ case SENSE_TYPE_MG_WRITE_ERR:
+ rts51x_set_sense_data(chip, lun, CUR_ERR, 0x03, 0, 0x0C, 0x00, 0, 0);
+ break;
+#endif
+
+ case SENSE_TYPE_NO_SENSE:
+ default:
+ rts51x_set_sense_data(chip, lun, CUR_ERR, 0, 0, 0, 0, 0, 0);
+ break;
+ }
+}
+
+void rts51x_set_sense_data(struct rts51x_chip *chip, unsigned int lun, u8 err_code,
+ u8 sense_key, u32 info, u8 asc, u8 ascq, u8 sns_key_info0,
+ u16 sns_key_info1)
+{
+ struct sense_data_t *sense = &(chip->sense_buffer[lun]);
+
+ sense->err_code = err_code;
+ sense->sense_key = sense_key;
+ sense->info[0] = (u8) (info >> 24);
+ sense->info[1] = (u8) (info >> 16);
+ sense->info[2] = (u8) (info >> 8);
+ sense->info[3] = (u8) info;
+
+ sense->ad_sense_len = sizeof(struct sense_data_t) - 8;
+ sense->asc = asc;
+ sense->ascq = ascq;
+ if (sns_key_info0 != 0) {
+ sense->sns_key_info[0] = SKSV | sns_key_info0;
+ sense->sns_key_info[1] = (sns_key_info1 & 0xf0) >> 8;
+ sense->sns_key_info[2] = sns_key_info1 & 0x0f;
+ }
+}
+
+static int test_unit_ready(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ unsigned int lun = SCSI_LUN(srb);
+
+ rts51x_init_cards(chip);
+
+ if (!check_card_ready(chip, lun)) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT);
+ return TRANSPORT_FAILED;
+ }
+
+ if (!check_lun_mc(chip, lun)) {
+ set_lun_mc(chip, lun);
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_CHANGE);
+ return TRANSPORT_FAILED;
+ }
+
+ return TRANSPORT_GOOD;
+}
+
+static unsigned char formatter_inquiry_str[20] = {
+ 'M', 'E', 'M', 'O', 'R', 'Y', 'S', 'T', 'I', 'C', 'K',
+ '-', 'M', 'G', /* Byte[47:49] */
+ 0x0B, /* Byte[50]: MG, MS, MSPro, MSXC */
+ 0x00, /* Byte[51]: Category Specific Commands */
+ 0x00, /* Byte[52]: Access Control and feature */
+ 0x20, 0x20, 0x20, /* Byte[53:55] */
+};
+
+static int inquiry(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ unsigned int lun = SCSI_LUN(srb);
+ char *inquiry_default = (char *)"Generic-xD/SD/M.S. 1.00 ";
+ char *inquiry_string;
+ unsigned char sendbytes;
+ unsigned char *buf;
+ u8 card = rts51x_get_lun_card(chip, lun);
+ int pro_formatter_flag = 0;
+ unsigned char inquiry_buf[] = {
+ QULIFIRE | DRCT_ACCESS_DEV,
+ RMB_DISC | 0x0D,
+ 0x00,
+ 0x01,
+ 0x1f,
+ 0x02,
+ 0,
+ REL_ADR | WBUS_32 | WBUS_16 | SYNC | LINKED | CMD_QUE | SFT_RE,
+ };
+
+ inquiry_string = inquiry_default;
+
+ buf = vmalloc(scsi_bufflen(srb));
+ if (buf == NULL)
+ TRACE_RET(chip, TRANSPORT_ERROR);
+
+ if (MS_FORMATTER_ENABLED(chip) && (get_lun2card(chip, lun) & MS_CARD)) {
+ if (!card || (card == MS_CARD))
+ pro_formatter_flag = 1;
+ }
+
+ if (pro_formatter_flag) {
+ if (scsi_bufflen(srb) < 56)
+ sendbytes = (unsigned char)(scsi_bufflen(srb));
+ else
+ sendbytes = 56;
+ } else {
+ if (scsi_bufflen(srb) < 36)
+ sendbytes = (unsigned char)(scsi_bufflen(srb));
+ else
+ sendbytes = 36;
+ }
+
+ if (sendbytes > 8) {
+ memcpy(buf, inquiry_buf, 8);
+ memcpy(buf + 8, inquiry_string, sendbytes - 8);
+ if (pro_formatter_flag)
+ buf[4] = 0x33; /* Additional Length */
+ } else {
+ memcpy(buf, inquiry_buf, sendbytes);
+ }
+
+ if (pro_formatter_flag) {
+ if (sendbytes > 36)
+ memcpy(buf + 36, formatter_inquiry_str, sendbytes - 36);
+ }
+
+ scsi_set_resid(srb, 0);
+
+ rts51x_set_xfer_buf(buf, scsi_bufflen(srb), srb);
+ vfree(buf);
+
+ return TRANSPORT_GOOD;
+}
+
+static int start_stop_unit(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ unsigned int lun = SCSI_LUN(srb);
+
+ scsi_set_resid(srb, scsi_bufflen(srb));
+
+ if (srb->cmnd[1] == 1)
+ return TRANSPORT_GOOD;
+
+ switch (srb->cmnd[0x4]) {
+ case STOP_MEDIUM:
+ /* Media disabled */
+ return TRANSPORT_GOOD;
+
+ case UNLOAD_MEDIUM:
+ /* Media shall be unload */
+ if (check_card_ready(chip, lun))
+ rts51x_eject_card(chip, lun);
+ return TRANSPORT_GOOD;
+
+ case MAKE_MEDIUM_READY:
+ case LOAD_MEDIUM:
+ if (check_card_ready(chip, lun)) {
+ return TRANSPORT_GOOD;
+ } else {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ break;
+ }
+
+ TRACE_RET(chip, TRANSPORT_ERROR);
+}
+
+static int allow_medium_removal(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ int prevent;
+
+ prevent = srb->cmnd[4] & 0x1;
+
+ scsi_set_resid(srb, 0);
+
+ if (prevent) {
+ rts51x_set_sense_type(chip, SCSI_LUN(srb),
+ SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ return TRANSPORT_GOOD;
+}
+
+static void ms_mode_sense(struct rts51x_chip *chip, u8 cmd,
+ int lun, u8 *buf, int buf_len)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ int sys_info_offset;
+ int data_size = buf_len;
+ int support_format = 0;
+ int i = 0;
+
+ if (cmd == MODE_SENSE) {
+ sys_info_offset = 8;
+ if (data_size > 0x68)
+ data_size = 0x68;
+ buf[i++] = 0x67; /* Mode Data Length */
+ } else {
+ sys_info_offset = 12;
+ if (data_size > 0x6C)
+ data_size = 0x6C;
+ buf[i++] = 0x00; /* Mode Data Length (MSB) */
+ buf[i++] = 0x6A; /* Mode Data Length (LSB) */
+ }
+
+ /* Medium Type Code */
+ if (check_card_ready(chip, lun)) {
+ if (CHK_MSXC(ms_card)) {
+ support_format = 1;
+ buf[i++] = 0x40;
+ } else if (CHK_MSPRO(ms_card)) {
+ support_format = 1;
+ buf[i++] = 0x20;
+ } else {
+ buf[i++] = 0x10;
+ }
+
+ /* WP */
+ if (check_card_wp(chip, lun))
+ buf[i++] = 0x80;
+ else
+ buf[i++] = 0x00;
+ } else {
+ buf[i++] = 0x00; /* MediaType */
+ buf[i++] = 0x00; /* WP */
+ }
+
+ buf[i++] = 0x00; /* Reserved */
+
+ if (cmd == MODE_SENSE_10) {
+ buf[i++] = 0x00; /* Reserved */
+ buf[i++] = 0x00; /* Block descriptor length(MSB) */
+ buf[i++] = 0x00; /* Block descriptor length(LSB) */
+
+ /* The Following Data is the content of "Page 0x20" */
+ if (data_size >= 9)
+ buf[i++] = 0x20; /* Page Code */
+ if (data_size >= 10)
+ buf[i++] = 0x62; /* Page Length */
+ if (data_size >= 11)
+ buf[i++] = 0x00; /* No Access Control */
+ if (data_size >= 12) {
+ if (support_format)
+ buf[i++] = 0xC0; /* SF, SGM */
+ else
+ buf[i++] = 0x00;
+ }
+ } else {
+ /* The Following Data is the content of "Page 0x20" */
+ if (data_size >= 5)
+ buf[i++] = 0x20; /* Page Code */
+ if (data_size >= 6)
+ buf[i++] = 0x62; /* Page Length */
+ if (data_size >= 7)
+ buf[i++] = 0x00; /* No Access Control */
+ if (data_size >= 8) {
+ if (support_format)
+ buf[i++] = 0xC0; /* SF, SGM */
+ else
+ buf[i++] = 0x00;
+ }
+ }
+
+ if (data_size > sys_info_offset) {
+ /* 96 Bytes Attribute Data */
+ int len = data_size - sys_info_offset;
+ len = (len < 96) ? len : 96;
+
+ memcpy(buf + sys_info_offset, ms_card->raw_sys_info, len);
+ }
+}
+
+static int mode_sense(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ unsigned int lun = SCSI_LUN(srb);
+ unsigned int dataSize;
+ int status;
+ int pro_formatter_flag;
+ unsigned char pageCode, *buf;
+ u8 card = rts51x_get_lun_card(chip, lun);
+
+ if (!check_card_ready(chip, lun)) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT);
+ scsi_set_resid(srb, scsi_bufflen(srb));
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ pro_formatter_flag = 0;
+ dataSize = 8;
+ /* In Combo mode, device responses ModeSense command as a MS LUN
+ * when no card is inserted */
+ if ((get_lun2card(chip, lun) & MS_CARD)) {
+ if (!card || (card == MS_CARD)) {
+ dataSize = 108;
+ if (chip->option.rts51x_mspro_formatter_enable)
+ pro_formatter_flag = 1;
+ }
+ }
+
+ buf = kmalloc(dataSize, GFP_KERNEL);
+ if (buf == NULL)
+ TRACE_RET(chip, TRANSPORT_ERROR);
+
+ pageCode = srb->cmnd[2] & 0x3f;
+
+ if ((pageCode == 0x3F) || (pageCode == 0x1C) ||
+ (pageCode == 0x00) || (pro_formatter_flag && (pageCode == 0x20))) {
+ if (srb->cmnd[0] == MODE_SENSE) {
+ if ((pageCode == 0x3F) || (pageCode == 0x20)) {
+ ms_mode_sense(chip, srb->cmnd[0], lun, buf,
+ dataSize);
+ } else {
+ dataSize = 4;
+ buf[0] = 0x03;
+ buf[1] = 0x00;
+ if (check_card_wp(chip, lun))
+ buf[2] = 0x80;
+ else
+ buf[3] = 0x00;
+ }
+ } else {
+ if ((pageCode == 0x3F) || (pageCode == 0x20)) {
+ ms_mode_sense(chip, srb->cmnd[0], lun, buf,
+ dataSize);
+ } else {
+ dataSize = 8;
+ buf[0] = 0x00;
+ buf[1] = 0x06;
+ buf[2] = 0x00;
+ if (check_card_wp(chip, lun))
+ buf[3] = 0x80;
+ else
+ buf[3] = 0x00;
+ buf[4] = 0x00;
+ buf[5] = 0x00;
+ buf[6] = 0x00;
+ buf[7] = 0x00;
+ }
+ }
+ status = TRANSPORT_GOOD;
+ } else {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ scsi_set_resid(srb, scsi_bufflen(srb));
+ status = TRANSPORT_FAILED;
+ }
+
+ if (status == TRANSPORT_GOOD) {
+ unsigned int len = min(scsi_bufflen(srb), dataSize);
+ rts51x_set_xfer_buf(buf, len, srb);
+ scsi_set_resid(srb, scsi_bufflen(srb) - len);
+ }
+ kfree(buf);
+
+ return status;
+}
+
+static int request_sense(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ struct sense_data_t *sense;
+ unsigned int lun = SCSI_LUN(srb);
+ struct ms_info *ms_card = &(chip->ms_card);
+ unsigned char *tmp, *buf;
+
+ sense = &(chip->sense_buffer[lun]);
+
+ if ((rts51x_get_lun_card(chip, lun) == MS_CARD)
+ && PRO_UNDER_FORMATTING(ms_card)) {
+ rts51x_mspro_format_sense(chip, lun);
+ }
+
+ buf = vmalloc(scsi_bufflen(srb));
+ if (buf == NULL)
+ TRACE_RET(chip, TRANSPORT_ERROR);
+
+ tmp = (unsigned char *)sense;
+ memcpy(buf, tmp, scsi_bufflen(srb));
+
+ rts51x_set_xfer_buf(buf, scsi_bufflen(srb), srb);
+ vfree(buf);
+
+ scsi_set_resid(srb, 0);
+ /* Reset Sense Data */
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_NO_SENSE);
+ return TRANSPORT_GOOD;
+}
+
+static int read_write(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ unsigned int lun = SCSI_LUN(srb);
+ int retval;
+ u32 start_sec;
+ u16 sec_cnt;
+
+ if (!check_card_ready(chip, lun) || (chip->capacity[lun] == 0)) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ if (!check_lun_mc(chip, lun)) {
+ set_lun_mc(chip, lun);
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_CHANGE);
+ return TRANSPORT_FAILED;
+ }
+
+ rts51x_prepare_run(chip);
+ RTS51X_SET_STAT(chip, STAT_RUN);
+
+ if ((srb->cmnd[0] == READ_10) || (srb->cmnd[0] == WRITE_10)) {
+ start_sec =
+ ((u32) srb->cmnd[2] << 24) |
+ ((u32) srb->cmnd[3] << 16) |
+ ((u32) srb->cmnd[4] << 8) |
+ ((u32) srb->cmnd[5]);
+ sec_cnt = ((u16) (srb->cmnd[7]) << 8) | srb->cmnd[8];
+ } else if ((srb->cmnd[0] == READ_6) || (srb->cmnd[0] == WRITE_6)) {
+ start_sec = ((u32) (srb->cmnd[1] & 0x1F) << 16) |
+ ((u32) srb->cmnd[2] << 8) | ((u32) srb->cmnd[3]);
+ sec_cnt = srb->cmnd[4];
+ } else if ((srb->cmnd[0] == VENDOR_CMND) &&
+ (srb->cmnd[1] == SCSI_APP_CMD) &&
+ ((srb->cmnd[2] == PP_READ10) ||
+ (srb->cmnd[2] == PP_WRITE10))) {
+ start_sec = ((u32) srb->cmnd[4] << 24) |
+ ((u32) srb->cmnd[5] << 16) |
+ ((u32) srb->cmnd[6] << 8) |
+ ((u32) srb->cmnd[7]);
+ sec_cnt = ((u16) (srb->cmnd[9]) << 8) | srb->cmnd[10];
+ } else {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ if ((start_sec > chip->capacity[lun]) ||
+ ((start_sec + sec_cnt) > chip->capacity[lun])) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_LBA_OVER_RANGE);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ if (sec_cnt == 0) {
+ scsi_set_resid(srb, 0);
+ return TRANSPORT_GOOD;
+ }
+
+ if ((srb->sc_data_direction == DMA_TO_DEVICE)
+ && check_card_wp(chip, lun)) {
+ RTS51X_DEBUGP("Write protected card!\n");
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_WRITE_PROTECT);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ retval = rts51x_card_rw(srb, chip, start_sec, sec_cnt);
+ if (retval != STATUS_SUCCESS) {
+ if (srb->sc_data_direction == DMA_FROM_DEVICE) {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR);
+ } else {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_WRITE_ERR);
+ }
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ scsi_set_resid(srb, 0);
+
+ return TRANSPORT_GOOD;
+}
+
+static int read_format_capacity(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ unsigned char *buf;
+ unsigned int lun = SCSI_LUN(srb);
+ unsigned int buf_len;
+ u8 card = rts51x_get_lun_card(chip, lun);
+ int desc_cnt;
+ int i = 0;
+
+ if (!check_card_ready(chip, lun)) {
+ if (!chip->option.rts51x_mspro_formatter_enable) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ }
+
+ buf_len = (scsi_bufflen(srb) > 12) ? 0x14 : 12;
+
+ buf = kmalloc(buf_len, GFP_KERNEL);
+ if (buf == NULL)
+ TRACE_RET(chip, TRANSPORT_ERROR);
+
+ buf[i++] = 0;
+ buf[i++] = 0;
+ buf[i++] = 0;
+
+ /* Capacity List Length */
+ if ((buf_len > 12) && chip->option.rts51x_mspro_formatter_enable &&
+ (chip->lun2card[lun] & MS_CARD) && (!card || (card == MS_CARD))) {
+ buf[i++] = 0x10;
+ desc_cnt = 2;
+ } else {
+ buf[i++] = 0x08;
+ desc_cnt = 1;
+ }
+
+ while (desc_cnt) {
+ if (check_card_ready(chip, lun)) {
+ buf[i++] = (unsigned char)((chip->capacity[lun]) >> 24);
+ buf[i++] = (unsigned char)((chip->capacity[lun]) >> 16);
+ buf[i++] = (unsigned char)((chip->capacity[lun]) >> 8);
+ buf[i++] = (unsigned char)(chip->capacity[lun]);
+
+ if (desc_cnt == 2)
+ /* Byte[8]: Descriptor Type: Formatted medium */
+ buf[i++] = 2;
+ else
+ buf[i++] = 0; /* Byte[16] */
+ } else {
+ buf[i++] = 0xFF;
+ buf[i++] = 0xFF;
+ buf[i++] = 0xFF;
+ buf[i++] = 0xFF;
+
+ if (desc_cnt == 2)
+ /* Byte[8]: Descriptor Type: No medium */
+ buf[i++] = 3;
+ else
+ buf[i++] = 0; /*Byte[16] */
+ }
+
+ buf[i++] = 0x00;
+ buf[i++] = 0x02;
+ buf[i++] = 0x00;
+
+ desc_cnt--;
+ }
+
+ buf_len = min(scsi_bufflen(srb), buf_len);
+ rts51x_set_xfer_buf(buf, buf_len, srb);
+ kfree(buf);
+
+ scsi_set_resid(srb, scsi_bufflen(srb) - buf_len);
+
+ return TRANSPORT_GOOD;
+}
+
+static int read_capacity(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ unsigned char *buf;
+ unsigned int lun = SCSI_LUN(srb);
+
+ if (!check_card_ready(chip, lun)) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ if (!check_lun_mc(chip, lun)) {
+ set_lun_mc(chip, lun);
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_CHANGE);
+ return TRANSPORT_FAILED;
+ }
+
+ buf = kmalloc(8, GFP_KERNEL);
+ if (buf == NULL)
+ TRACE_RET(chip, TRANSPORT_ERROR);
+
+ buf[0] = (unsigned char)((chip->capacity[lun] - 1) >> 24);
+ buf[1] = (unsigned char)((chip->capacity[lun] - 1) >> 16);
+ buf[2] = (unsigned char)((chip->capacity[lun] - 1) >> 8);
+ buf[3] = (unsigned char)(chip->capacity[lun] - 1);
+
+ buf[4] = 0x00;
+ buf[5] = 0x00;
+ buf[6] = 0x02;
+ buf[7] = 0x00;
+
+ rts51x_set_xfer_buf(buf, scsi_bufflen(srb), srb);
+ kfree(buf);
+
+ scsi_set_resid(srb, 0);
+
+ return TRANSPORT_GOOD;
+}
+
+static int get_dev_status(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ unsigned int lun = SCSI_LUN(srb);
+ unsigned int buf_len;
+ u8 status[32] = { 0 };
+
+ rts51x_pp_status(chip, lun, status, 32);
+
+ buf_len = min_t(unsigned int, scsi_bufflen(srb), sizeof(status));
+ rts51x_set_xfer_buf(status, buf_len, srb);
+ scsi_set_resid(srb, scsi_bufflen(srb) - buf_len);
+
+ return TRANSPORT_GOOD;
+}
+
+static int read_status(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ u8 rts51x_status[16];
+ unsigned int buf_len;
+ unsigned int lun = SCSI_LUN(srb);
+
+ rts51x_read_status(chip, lun, rts51x_status, 16);
+
+ buf_len = min_t(unsigned int, scsi_bufflen(srb), sizeof(rts51x_status));
+ rts51x_set_xfer_buf(rts51x_status, buf_len, srb);
+ scsi_set_resid(srb, scsi_bufflen(srb) - buf_len);
+
+ return TRANSPORT_GOOD;
+}
+
+static int read_mem(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ unsigned int lun = SCSI_LUN(srb);
+ unsigned short addr, len, i;
+ int retval;
+ u8 *buf;
+
+ rts51x_prepare_run(chip);
+ RTS51X_SET_STAT(chip, STAT_RUN);
+
+ addr = ((u16) srb->cmnd[2] << 8) | srb->cmnd[3];
+ len = ((u16) srb->cmnd[4] << 8) | srb->cmnd[5];
+
+ if (addr < 0xe000) {
+ RTS51X_DEBUGP("filter!addr=0x%x\n", addr);
+ return TRANSPORT_GOOD;
+ }
+
+ buf = vmalloc(len);
+ if (!buf)
+ TRACE_RET(chip, TRANSPORT_ERROR);
+
+ for (i = 0; i < len; i++) {
+ retval = rts51x_ep0_read_register(chip, addr + i, buf + i);
+ if (retval != STATUS_SUCCESS) {
+ vfree(buf);
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ }
+
+ len = (unsigned short)min(scsi_bufflen(srb), (unsigned int)len);
+ rts51x_set_xfer_buf(buf, len, srb);
+ scsi_set_resid(srb, scsi_bufflen(srb) - len);
+
+ vfree(buf);
+
+ return TRANSPORT_GOOD;
+}
+
+static int write_mem(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ unsigned int lun = SCSI_LUN(srb);
+ unsigned short addr, len, i;
+ int retval;
+ u8 *buf;
+
+ rts51x_prepare_run(chip);
+ RTS51X_SET_STAT(chip, STAT_RUN);
+
+ addr = ((u16) srb->cmnd[2] << 8) | srb->cmnd[3];
+ len = ((u16) srb->cmnd[4] << 8) | srb->cmnd[5];
+
+ if (addr < 0xe000) {
+ RTS51X_DEBUGP("filter!addr=0x%x\n", addr);
+ return TRANSPORT_GOOD;
+ }
+
+ len = (unsigned short)min(scsi_bufflen(srb), (unsigned int)len);
+ buf = vmalloc(len);
+ if (!buf)
+ TRACE_RET(chip, TRANSPORT_ERROR);
+
+ rts51x_get_xfer_buf(buf, len, srb);
+
+ for (i = 0; i < len; i++) {
+ retval =
+ rts51x_ep0_write_register(chip, addr + i, 0xFF, buf[i]);
+ if (retval != STATUS_SUCCESS) {
+ vfree(buf);
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_WRITE_ERR);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ }
+
+ vfree(buf);
+ scsi_set_resid(srb, scsi_bufflen(srb) - len);
+
+ return TRANSPORT_GOOD;
+}
+
+static int get_sd_csd(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ unsigned int lun = SCSI_LUN(srb);
+
+ if (!check_card_ready(chip, lun)) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ if (rts51x_get_lun_card(chip, lun) != SD_CARD) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ scsi_set_resid(srb, 0);
+ rts51x_set_xfer_buf(sd_card->raw_csd, scsi_bufflen(srb), srb);
+
+ return TRANSPORT_GOOD;
+}
+
+static int read_phy_register(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ int retval;
+ u8 addr, len, i;
+ u8 *buf;
+
+ rts51x_prepare_run(chip);
+ RTS51X_SET_STAT(chip, STAT_RUN);
+
+ addr = srb->cmnd[5];
+ len = srb->cmnd[7];
+
+ if (len) {
+ buf = vmalloc(len);
+ if (!buf)
+ TRACE_RET(chip, TRANSPORT_ERROR);
+
+ for (i = 0; i < len; i++) {
+ retval =
+ rts51x_read_phy_register(chip, addr + i, buf + i);
+ if (retval != STATUS_SUCCESS) {
+ vfree(buf);
+ rts51x_set_sense_type(chip, SCSI_LUN(srb),
+ SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ }
+
+ len = min(scsi_bufflen(srb), (unsigned int)len);
+ rts51x_set_xfer_buf(buf, len, srb);
+ scsi_set_resid(srb, scsi_bufflen(srb) - len);
+
+ vfree(buf);
+ }
+
+ return TRANSPORT_GOOD;
+}
+
+static int write_phy_register(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ int retval;
+ u8 addr, len, i;
+ u8 *buf;
+
+ rts51x_prepare_run(chip);
+ RTS51X_SET_STAT(chip, STAT_RUN);
+
+ addr = srb->cmnd[5];
+ len = srb->cmnd[7];
+
+ if (len) {
+ len = min(scsi_bufflen(srb), (unsigned int)len);
+
+ buf = vmalloc(len);
+ if (buf == NULL)
+ TRACE_RET(chip, TRANSPORT_ERROR);
+
+ rts51x_get_xfer_buf(buf, len, srb);
+ scsi_set_resid(srb, scsi_bufflen(srb) - len);
+
+ for (i = 0; i < len; i++) {
+ retval =
+ rts51x_write_phy_register(chip, addr + i, buf[i]);
+ if (retval != STATUS_SUCCESS) {
+ vfree(buf);
+ rts51x_set_sense_type(chip, SCSI_LUN(srb),
+ SENSE_TYPE_MEDIA_WRITE_ERR);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ }
+
+ vfree(buf);
+ }
+
+ return TRANSPORT_GOOD;
+}
+
+static int get_card_bus_width(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ unsigned int lun = SCSI_LUN(srb);
+ u8 card, bus_width;
+
+ if (!check_card_ready(chip, lun)) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ card = rts51x_get_lun_card(chip, lun);
+ if ((card == SD_CARD) || (card == MS_CARD)) {
+ bus_width = chip->card_bus_width[lun];
+ } else {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ scsi_set_resid(srb, 0);
+ rts51x_set_xfer_buf(&bus_width, scsi_bufflen(srb), srb);
+
+ return TRANSPORT_GOOD;
+}
+
+#ifdef _MSG_TRACE
+static int trace_msg_cmd(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ unsigned char *buf = NULL;
+ u8 clear;
+ unsigned int buf_len;
+
+ buf_len =
+ 4 +
+ ((2 + MSG_FUNC_LEN + MSG_FILE_LEN + TIME_VAL_LEN) * TRACE_ITEM_CNT);
+
+ if ((scsi_bufflen(srb) < buf_len) || (scsi_sglist(srb) == NULL)) {
+ rts51x_set_sense_type(chip, SCSI_LUN(srb),
+ SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ clear = srb->cmnd[2];
+
+ buf = vmalloc(scsi_bufflen(srb));
+ if (buf == NULL)
+ TRACE_RET(chip, TRANSPORT_ERROR);
+
+ rts51x_trace_msg(chip, buf, clear);
+
+ rts51x_set_xfer_buf(buf, scsi_bufflen(srb), srb);
+ vfree(buf);
+
+ scsi_set_resid(srb, 0);
+ return TRANSPORT_GOOD;
+}
+#endif
+
+static int rw_mem_cmd_buf(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ int retval = STATUS_SUCCESS;
+ unsigned int lun = SCSI_LUN(srb);
+ u8 cmd_type, mask, value, idx, mode, len;
+ u16 addr;
+ u32 timeout;
+
+ rts51x_prepare_run(chip);
+ RTS51X_SET_STAT(chip, STAT_RUN);
+
+ switch (srb->cmnd[3]) {
+ case INIT_BATCHCMD:
+ rts51x_init_cmd(chip);
+ break;
+
+ case ADD_BATCHCMD:
+ cmd_type = srb->cmnd[4];
+ if (cmd_type > 2) {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ addr = (srb->cmnd[5] << 8) | srb->cmnd[6];
+ mask = srb->cmnd[7];
+ value = srb->cmnd[8];
+ rts51x_add_cmd(chip, cmd_type, addr, mask, value);
+ break;
+
+ case SEND_BATCHCMD:
+ mode = srb->cmnd[4];
+ len = srb->cmnd[5];
+ timeout =
+ ((u32) srb->cmnd[6] << 24) | ((u32) srb->
+ cmnd[7] << 16) | ((u32) srb->
+ cmnd[8] <<
+ 8) | ((u32)
+ srb->
+ cmnd
+ [9]);
+ retval = rts51x_send_cmd(chip, mode, 1000);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_WRITE_ERR);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ if (mode & STAGE_R) {
+ retval = rts51x_get_rsp(chip, len, timeout);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ }
+ break;
+
+ case GET_BATCHRSP:
+ idx = srb->cmnd[4];
+ value = chip->rsp_buf[idx];
+ if (scsi_bufflen(srb) < 1) {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ rts51x_set_xfer_buf(&value, 1, srb);
+ scsi_set_resid(srb, 0);
+ break;
+
+ default:
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_WRITE_ERR);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ return TRANSPORT_GOOD;
+}
+
+static int suit_cmd(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ int result;
+
+ switch (srb->cmnd[3]) {
+ case INIT_BATCHCMD:
+ case ADD_BATCHCMD:
+ case SEND_BATCHCMD:
+ case GET_BATCHRSP:
+ result = rw_mem_cmd_buf(srb, chip);
+ break;
+ default:
+ result = TRANSPORT_ERROR;
+ }
+
+ return result;
+}
+
+static int app_cmd(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ int result;
+
+ switch (srb->cmnd[2]) {
+ case PP_READ10:
+ case PP_WRITE10:
+ result = read_write(srb, chip);
+ break;
+
+ case SUIT_CMD:
+ result = suit_cmd(srb, chip);
+ break;
+
+ case READ_PHY:
+ result = read_phy_register(srb, chip);
+ break;
+
+ case WRITE_PHY:
+ result = write_phy_register(srb, chip);
+ break;
+
+ case GET_DEV_STATUS:
+ result = get_dev_status(srb, chip);
+ break;
+
+ default:
+ rts51x_set_sense_type(chip, SCSI_LUN(srb),
+ SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ return result;
+}
+
+static int vendor_cmnd(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ int result = TRANSPORT_GOOD;
+
+ switch (srb->cmnd[1]) {
+ case READ_STATUS:
+ result = read_status(srb, chip);
+ break;
+
+ case READ_MEM:
+ result = read_mem(srb, chip);
+ break;
+
+ case WRITE_MEM:
+ result = write_mem(srb, chip);
+ break;
+
+ case GET_BUS_WIDTH:
+ result = get_card_bus_width(srb, chip);
+ break;
+
+ case GET_SD_CSD:
+ result = get_sd_csd(srb, chip);
+ break;
+
+#ifdef _MSG_TRACE
+ case TRACE_MSG:
+ result = trace_msg_cmd(srb, chip);
+ break;
+#endif
+
+ case SCSI_APP_CMD:
+ result = app_cmd(srb, chip);
+ break;
+
+ default:
+ rts51x_set_sense_type(chip, SCSI_LUN(srb),
+ SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ return result;
+}
+
+static int ms_format_cmnd(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ unsigned int lun = SCSI_LUN(srb);
+ int retval, quick_format;
+
+ if (rts51x_get_lun_card(chip, lun) != MS_CARD) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_LUN_NOT_SUPPORT);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ if ((srb->cmnd[3] != 0x4D) || (srb->cmnd[4] != 0x47)
+ || (srb->cmnd[5] != 0x66) || (srb->cmnd[6] != 0x6D)
+ || (srb->cmnd[7] != 0x74)) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ if (srb->cmnd[8] & 0x01)
+ quick_format = 0;
+ else
+ quick_format = 1;
+
+ if (!(chip->card_ready & MS_CARD)) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ if (chip->card_wp & MS_CARD) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_WRITE_PROTECT);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ if (!CHK_MSPRO(ms_card)) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_LUN_NOT_SUPPORT);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ rts51x_prepare_run(chip);
+ RTS51X_SET_STAT(chip, STAT_RUN);
+
+ retval = rts51x_mspro_format(srb, chip, MS_SHORT_DATA_LEN, quick_format);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_FORMAT_CMD_FAILED);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ scsi_set_resid(srb, 0);
+ return TRANSPORT_GOOD;
+}
+
+#ifdef SUPPORT_PCGL_1P18
+static int get_ms_information(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ unsigned int lun = SCSI_LUN(srb);
+ u8 dev_info_id, data_len;
+ u8 *buf;
+ unsigned int buf_len;
+ int i;
+
+ if (!check_card_ready(chip, lun)) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ if ((rts51x_get_lun_card(chip, lun) != MS_CARD)) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_LUN_NOT_SUPPORT);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ if ((srb->cmnd[2] != 0xB0) || (srb->cmnd[4] != 0x4D) ||
+ (srb->cmnd[5] != 0x53) || (srb->cmnd[6] != 0x49) ||
+ (srb->cmnd[7] != 0x44)) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ dev_info_id = srb->cmnd[3];
+ if ((CHK_MSXC(ms_card) && (dev_info_id == 0x10)) ||
+ (!CHK_MSXC(ms_card) && (dev_info_id == 0x13)) ||
+ !CHK_MSPRO(ms_card)) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ if (dev_info_id == 0x15)
+ buf_len = data_len = 0x3A;
+ else
+ buf_len = data_len = 0x6A;
+
+ buf = kmalloc(buf_len, GFP_KERNEL);
+ if (!buf)
+ TRACE_RET(chip, TRANSPORT_ERROR);
+
+ i = 0;
+ /* GET Memory Stick Media Information Response Header */
+ buf[i++] = 0x00; /* Data length MSB */
+ buf[i++] = data_len; /* Data length LSB */
+ /* Device Information Type Code */
+ if (CHK_MSXC(ms_card))
+ buf[i++] = 0x03;
+ else
+ buf[i++] = 0x02;
+ /* SGM bit */
+ buf[i++] = 0x01;
+ /* Reserved */
+ buf[i++] = 0x00;
+ buf[i++] = 0x00;
+ buf[i++] = 0x00;
+ /* Number of Device Information */
+ buf[i++] = 0x01;
+
+ /* Device Information Body
+ * Device Information ID Number */
+ buf[i++] = dev_info_id;
+ /* Device Information Length */
+ if (dev_info_id == 0x15)
+ data_len = 0x31;
+ else
+ data_len = 0x61;
+ buf[i++] = 0x00; /* Data length MSB */
+ buf[i++] = data_len; /* Data length LSB */
+ /* Valid Bit */
+ buf[i++] = 0x80;
+ if ((dev_info_id == 0x10) || (dev_info_id == 0x13)) {
+ /* System Information */
+ memcpy(buf + i, ms_card->raw_sys_info, 96);
+ } else {
+ /* Model Name */
+ memcpy(buf + i, ms_card->raw_model_name, 48);
+ }
+
+ rts51x_set_xfer_buf(buf, buf_len, srb);
+
+ if (dev_info_id == 0x15)
+ scsi_set_resid(srb, scsi_bufflen(srb) - 0x3C);
+ else
+ scsi_set_resid(srb, scsi_bufflen(srb) - 0x6C);
+
+ kfree(buf);
+ return STATUS_SUCCESS;
+}
+#endif
+
+static int ms_sp_cmnd(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ int retval = TRANSPORT_ERROR;
+
+ if (srb->cmnd[2] == MS_FORMAT)
+ retval = ms_format_cmnd(srb, chip);
+#ifdef SUPPORT_PCGL_1P18
+ else if (srb->cmnd[2] == GET_MS_INFORMATION)
+ retval = get_ms_information(srb, chip);
+#endif
+
+ return retval;
+}
+
+#ifdef SUPPORT_CPRM
+static int sd_extention_cmnd(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ unsigned int lun = SCSI_LUN(srb);
+ int result;
+
+ rts51x_prepare_run(chip);
+ RTS51X_SET_STAT(chip, STAT_RUN);
+
+ rts51x_sd_cleanup_work(chip);
+
+ if (!check_card_ready(chip, lun)) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ if ((rts51x_get_lun_card(chip, lun) != SD_CARD)) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_LUN_NOT_SUPPORT);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ switch (srb->cmnd[0]) {
+ case SD_PASS_THRU_MODE:
+ result = rts51x_sd_pass_thru_mode(srb, chip);
+ break;
+
+ case SD_EXECUTE_NO_DATA:
+ result = rts51x_sd_execute_no_data(srb, chip);
+ break;
+
+ case SD_EXECUTE_READ:
+ result = rts51x_sd_execute_read_data(srb, chip);
+ break;
+
+ case SD_EXECUTE_WRITE:
+ result = rts51x_sd_execute_write_data(srb, chip);
+ break;
+
+ case SD_GET_RSP:
+ result = rts51x_sd_get_cmd_rsp(srb, chip);
+ break;
+
+ case SD_HW_RST:
+ result = rts51x_sd_hw_rst(srb, chip);
+ break;
+
+ default:
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ return result;
+}
+#endif
+
+#ifdef SUPPORT_MAGIC_GATE
+static int mg_report_key(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ unsigned int lun = SCSI_LUN(srb);
+ int retval;
+ u8 key_format;
+
+ rts51x_prepare_run(chip);
+ RTS51X_SET_STAT(chip, STAT_RUN);
+
+ rts51x_ms_cleanup_work(chip);
+
+ if (!check_card_ready(chip, lun)) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ if ((rts51x_get_lun_card(chip, lun) != MS_CARD)) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_LUN_NOT_SUPPORT);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ if (srb->cmnd[7] != KC_MG_R_PRO) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ if (!CHK_MSPRO(ms_card)) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_INCOMPATIBLE_MEDIUM);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ key_format = srb->cmnd[10] & 0x3F;
+
+ switch (key_format) {
+ case KF_GET_LOC_EKB:
+ if ((scsi_bufflen(srb) == 0x41C) &&
+ (srb->cmnd[8] == 0x04) && (srb->cmnd[9] == 0x1C)) {
+ retval = rts51x_mg_get_local_EKB(srb, chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ } else {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ break;
+
+ case KF_RSP_CHG:
+ if ((scsi_bufflen(srb) == 0x24) &&
+ (srb->cmnd[8] == 0x00) && (srb->cmnd[9] == 0x24)) {
+ retval = rts51x_mg_get_rsp_chg(srb, chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ } else {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ break;
+
+ case KF_GET_ICV:
+ ms_card->mg_entry_num = srb->cmnd[5];
+ if ((scsi_bufflen(srb) == 0x404) &&
+ (srb->cmnd[8] == 0x04) &&
+ (srb->cmnd[9] == 0x04) &&
+ (srb->cmnd[2] == 0x00) &&
+ (srb->cmnd[3] == 0x00) &&
+ (srb->cmnd[4] == 0x00) && (srb->cmnd[5] < 32)) {
+ retval = rts51x_mg_get_ICV(srb, chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ } else {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ break;
+
+ default:
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ scsi_set_resid(srb, 0);
+ return TRANSPORT_GOOD;
+}
+
+static int mg_send_key(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ unsigned int lun = SCSI_LUN(srb);
+ int retval;
+ u8 key_format;
+
+ rts51x_prepare_run(chip);
+ RTS51X_SET_STAT(chip, STAT_RUN);
+
+ rts51x_ms_cleanup_work(chip);
+
+ if (!check_card_ready(chip, lun)) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ if (check_card_wp(chip, lun)) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_WRITE_PROTECT);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ if ((rts51x_get_lun_card(chip, lun) != MS_CARD)) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_LUN_NOT_SUPPORT);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ if (srb->cmnd[7] != KC_MG_R_PRO) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ if (!CHK_MSPRO(ms_card)) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_INCOMPATIBLE_MEDIUM);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ key_format = srb->cmnd[10] & 0x3F;
+
+ switch (key_format) {
+ case KF_SET_LEAF_ID:
+ if ((scsi_bufflen(srb) == 0x0C) &&
+ (srb->cmnd[8] == 0x00) && (srb->cmnd[9] == 0x0C)) {
+ retval = rts51x_mg_set_leaf_id(srb, chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ } else {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ break;
+
+ case KF_CHG_HOST:
+ if ((scsi_bufflen(srb) == 0x0C) &&
+ (srb->cmnd[8] == 0x00) && (srb->cmnd[9] == 0x0C)) {
+ retval = rts51x_mg_chg(srb, chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ } else {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ break;
+
+ case KF_RSP_HOST:
+ if ((scsi_bufflen(srb) == 0x0C) &&
+ (srb->cmnd[8] == 0x00) && (srb->cmnd[9] == 0x0C)) {
+ retval = rts51x_mg_rsp(srb, chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ } else {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ break;
+
+ case KF_SET_ICV:
+ ms_card->mg_entry_num = srb->cmnd[5];
+ if ((scsi_bufflen(srb) == 0x404) &&
+ (srb->cmnd[8] == 0x04) &&
+ (srb->cmnd[9] == 0x04) &&
+ (srb->cmnd[2] == 0x00) &&
+ (srb->cmnd[3] == 0x00) &&
+ (srb->cmnd[4] == 0x00) && (srb->cmnd[5] < 32)) {
+ retval = rts51x_mg_set_ICV(srb, chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ } else {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ break;
+
+ default:
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ scsi_set_resid(srb, 0);
+ return TRANSPORT_GOOD;
+}
+#endif
+
+int rts51x_scsi_handler(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ struct ms_info *ms_card = &(chip->ms_card);
+ unsigned int lun = SCSI_LUN(srb);
+ int result = TRANSPORT_GOOD;
+
+ if ((rts51x_get_lun_card(chip, lun) == MS_CARD) &&
+ (ms_card->format_status == FORMAT_IN_PROGRESS)) {
+ if ((srb->cmnd[0] != REQUEST_SENSE)
+ && (srb->cmnd[0] != INQUIRY)) {
+ /* Logical Unit Not Ready Format in Progress */
+ rts51x_set_sense_data(chip, lun, CUR_ERR, 0x02, 0, 0x04, 0x04,
+ 0, (u16) (ms_card->progress));
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ }
+
+ switch (srb->cmnd[0]) {
+ case READ_10:
+ case WRITE_10:
+ case READ_6:
+ case WRITE_6:
+ result = read_write(srb, chip);
+ break;
+
+ case TEST_UNIT_READY:
+ result = test_unit_ready(srb, chip);
+ break;
+
+ case INQUIRY:
+ result = inquiry(srb, chip);
+ break;
+
+ case READ_CAPACITY:
+ result = read_capacity(srb, chip);
+ break;
+
+ case START_STOP:
+ result = start_stop_unit(srb, chip);
+ break;
+
+ case ALLOW_MEDIUM_REMOVAL:
+ result = allow_medium_removal(srb, chip);
+ break;
+
+ case REQUEST_SENSE:
+ result = request_sense(srb, chip);
+ break;
+
+ case MODE_SENSE:
+ case MODE_SENSE_10:
+ result = mode_sense(srb, chip);
+ break;
+
+ case 0x23:
+ result = read_format_capacity(srb, chip);
+ break;
+
+ case VENDOR_CMND:
+ result = vendor_cmnd(srb, chip);
+ break;
+
+ case MS_SP_CMND:
+ result = ms_sp_cmnd(srb, chip);
+ break;
+
+#ifdef SUPPORT_CPRM
+ case SD_PASS_THRU_MODE:
+ case SD_EXECUTE_NO_DATA:
+ case SD_EXECUTE_READ:
+ case SD_EXECUTE_WRITE:
+ case SD_GET_RSP:
+ case SD_HW_RST:
+ result = sd_extention_cmnd(srb, chip);
+ break;
+#endif
+
+#ifdef SUPPORT_MAGIC_GATE
+ case CMD_MSPRO_MG_RKEY:
+ result = mg_report_key(srb, chip);
+ break;
+
+ case CMD_MSPRO_MG_SKEY:
+ result = mg_send_key(srb, chip);
+ break;
+#endif
+
+ case FORMAT_UNIT:
+ case MODE_SELECT:
+ case VERIFY:
+ result = TRANSPORT_GOOD;
+ break;
+
+ default:
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ result = TRANSPORT_FAILED;
+ }
+
+ return result;
+}
+
+/***********************************************************************
+ * Host functions
+ ***********************************************************************/
+
+int slave_alloc(struct scsi_device *sdev)
+{
+ /*
+ * Set the INQUIRY transfer length to 36. We don't use any of
+ * the extra data and many devices choke if asked for more or
+ * less than 36 bytes.
+ */
+ sdev->inquiry_len = 36;
+ return 0;
+}
+
+int slave_configure(struct scsi_device *sdev)
+{
+ /* Scatter-gather buffers (all but the last) must have a length
+ * divisible by the bulk maxpacket size. Otherwise a data packet
+ * would end up being short, causing a premature end to the data
+ * transfer. Since high-speed bulk pipes have a maxpacket size
+ * of 512, we'll use that as the scsi device queue's DMA alignment
+ * mask. Guaranteeing proper alignment of the first buffer will
+ * have the desired effect because, except at the beginning and
+ * the end, scatter-gather buffers follow page boundaries. */
+ blk_queue_dma_alignment(sdev->request_queue, (512 - 1));
+
+ /* Set the SCSI level to at least 2. We'll leave it at 3 if that's
+ * what is originally reported. We need this to avoid confusing
+ * the SCSI layer with devices that report 0 or 1, but need 10-byte
+ * commands (ala ATAPI devices behind certain bridges, or devices
+ * which simply have broken INQUIRY data).
+ *
+ * NOTE: This means /dev/sg programs (ala cdrecord) will get the
+ * actual information. This seems to be the preference for
+ * programs like that.
+ *
+ * NOTE: This also means that /proc/scsi/scsi and sysfs may report
+ * the actual value or the modified one, depending on where the
+ * data comes from.
+ */
+ if (sdev->scsi_level < SCSI_2)
+ sdev->scsi_level = sdev->sdev_target->scsi_level = SCSI_2;
+
+ return 0;
+}
+
+/***********************************************************************
+ * /proc/scsi/ functions
+ ***********************************************************************/
+
+/* we use this macro to help us write into the buffer */
+#undef SPRINTF
+#define SPRINTF(args...) seq_printf(m, ##args)
+
+static int write_info(struct Scsi_Host *host, char *buffer, int length)
+{
+ /* if someone is sending us data, just throw it away */
+ return length;
+}
+
+static int show_info(struct seq_file *m, struct Scsi_Host *host)
+{
+ /* print the controller name */
+ SPRINTF(" Host scsi%d: %s\n", host->host_no, RTS51X_NAME);
+
+ /* print product, vendor, and driver version strings */
+ SPRINTF(" Vendor: Realtek Corp.\n");
+ SPRINTF(" Product: RTS51xx USB Card Reader\n");
+ SPRINTF(" Version: %s\n", DRIVER_VERSION);
+ return 0;
+}
+
+/* queue a command */
+/* This is always called with scsi_lock(host) held */
+static int queuecommand_lck(struct scsi_cmnd *srb, void (*done) (struct scsi_cmnd *))
+{
+ struct rts51x_chip *chip = host_to_rts51x(srb->device->host);
+
+ /* check for state-transition errors */
+ if (chip->srb != NULL) {
+ RTS51X_DEBUGP("Error in %s: chip->srb = %p\n",
+ __func__, chip->srb);
+ return SCSI_MLQUEUE_HOST_BUSY;
+ }
+
+ /* fail the command if we are disconnecting */
+ if (test_bit(FLIDX_DISCONNECTING, &chip->usb->dflags)) {
+ RTS51X_DEBUGP("Fail command during disconnect\n");
+ srb->result = DID_NO_CONNECT << 16;
+ done(srb);
+ return 0;
+ }
+
+ /* enqueue the command and wake up the control thread */
+ srb->scsi_done = done;
+ chip->srb = srb;
+ complete(&chip->usb->cmnd_ready);
+
+ return 0;
+}
+
+DEF_SCSI_QCMD(queuecommand)
+/***********************************************************************
+ * Error handling functions
+ ***********************************************************************/
+/* Command timeout and abort */
+int command_abort(struct scsi_cmnd *srb)
+{
+ struct rts51x_chip *chip = host_to_rts51x(srb->device->host);
+
+ RTS51X_DEBUGP("%s called\n", __func__);
+
+ /* us->srb together with the TIMED_OUT, RESETTING, and ABORTING
+ * bits are protected by the host lock. */
+ scsi_lock(rts51x_to_host(chip));
+
+ /* Is this command still active? */
+ if (chip->srb != srb) {
+ scsi_unlock(rts51x_to_host(chip));
+ RTS51X_DEBUGP("-- nothing to abort\n");
+ return FAILED;
+ }
+
+ /* Set the TIMED_OUT bit. Also set the ABORTING bit, but only if
+ * a device reset isn't already in progress (to avoid interfering
+ * with the reset). Note that we must retain the host lock while
+ * calling usb_stor_stop_transport(); otherwise it might interfere
+ * with an auto-reset that begins as soon as we release the lock. */
+ set_bit(FLIDX_TIMED_OUT, &chip->usb->dflags);
+ if (!test_bit(FLIDX_RESETTING, &chip->usb->dflags)) {
+ set_bit(FLIDX_ABORTING, &chip->usb->dflags);
+ /* rts51x_stop_transport(us); */
+ }
+ scsi_unlock(rts51x_to_host(chip));
+
+ /* Wait for the aborted command to finish */
+ wait_for_completion(&chip->usb->notify);
+ return SUCCESS;
+}
+
+/* This invokes the transport reset mechanism to reset the state of the
+ * device */
+static int device_reset(struct scsi_cmnd *srb)
+{
+ int result = 0;
+
+ RTS51X_DEBUGP("%s called\n", __func__);
+
+ return result < 0 ? FAILED : SUCCESS;
+}
+
+/* Simulate a SCSI bus reset by resetting the device's USB port. */
+int bus_reset(struct scsi_cmnd *srb)
+{
+ int result = 0;
+
+ RTS51X_DEBUGP("%s called\n", __func__);
+
+ return result < 0 ? FAILED : SUCCESS;
+}
+
+static const char *rts5139_info(struct Scsi_Host *host)
+{
+ return "SCSI emulation for RTS5139 USB card reader";
+}
+
+struct scsi_host_template rts51x_host_template = {
+ /* basic userland interface stuff */
+ .name = RTS51X_NAME,
+ .proc_name = RTS51X_NAME,
+ .show_info = show_info,
+ .write_info = write_info,
+ .info = rts5139_info,
+
+ /* command interface -- queued only */
+ .queuecommand = queuecommand,
+
+ /* error and abort handlers */
+ .eh_abort_handler = command_abort,
+ .eh_device_reset_handler = device_reset,
+ .eh_bus_reset_handler = bus_reset,
+
+ /* queue commands only, only one command per LUN */
+ .can_queue = 1,
+ .cmd_per_lun = 1,
+
+ /* unknown initiator id */
+ .this_id = -1,
+
+ .slave_alloc = slave_alloc,
+ .slave_configure = slave_configure,
+
+ /* lots of sg segments can be handled */
+ .sg_tablesize = SG_ALL,
+
+ /* limit the total size of a transfer to 120 KB */
+ .max_sectors = 240,
+
+ /* merge commands... this seems to help performance, but
+ * periodically someone should test to see which setting is more
+ * optimal.
+ */
+ .use_clustering = 1,
+
+ /* emulated HBA */
+ .emulated = 1,
+
+ /* we do our own delay after a device or bus reset */
+ .skip_settle_delay = 1,
+
+ /* sysfs device attributes */
+ /* .sdev_attrs = sysfs_device_attr_list, */
+
+ /* module management */
+ .module = THIS_MODULE
+};
+
diff --git a/drivers/staging/rts5139/rts51x_scsi.h b/drivers/staging/rts5139/rts51x_scsi.h
new file mode 100644
index 000000000000..1a0d70566186
--- /dev/null
+++ b/drivers/staging/rts5139/rts51x_scsi.h
@@ -0,0 +1,154 @@
+/* Driver for Realtek RTS51xx USB card reader
+ * Header file
+ *
+ * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author:
+ * wwang (wei_wang(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ * Maintainer:
+ * Edwin Rong (edwin_rong(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ */
+
+#ifndef __RTS51X_SCSI_H
+#define __RTS51X_SCSI_H
+
+#include <linux/usb.h>
+#include <linux/usb_usual.h>
+#include <linux/blkdev.h>
+#include <linux/completion.h>
+#include <linux/mutex.h>
+#include <scsi/scsi_host.h>
+
+#include "rts51x_chip.h"
+
+#define MS_SP_CMND 0xFA
+#define MS_FORMAT 0xA0
+#define GET_MS_INFORMATION 0xB0
+
+#define VENDOR_CMND 0xF0
+
+#define READ_STATUS 0x09
+
+#define READ_MEM 0x0D
+#define WRITE_MEM 0x0E
+#define GET_BUS_WIDTH 0x13
+#define GET_SD_CSD 0x14
+#define TOGGLE_GPIO 0x15
+#define TRACE_MSG 0x18
+
+#define SCSI_APP_CMD 0x10
+
+#define PP_READ10 0x1A
+#define PP_WRITE10 0x0A
+#define READ_HOST_REG 0x1D
+#define WRITE_HOST_REG 0x0D
+#define SET_VAR 0x05
+#define GET_VAR 0x15
+#define DMA_READ 0x16
+#define DMA_WRITE 0x06
+#define GET_DEV_STATUS 0x10
+#define SET_CHIP_MODE 0x27
+#define SUIT_CMD 0xE0
+#define WRITE_PHY 0x07
+#define READ_PHY 0x17
+
+#define INIT_BATCHCMD 0x41
+#define ADD_BATCHCMD 0x42
+#define SEND_BATCHCMD 0x43
+#define GET_BATCHRSP 0x44
+
+#ifdef SUPPORT_CPRM
+/* SD Pass Through Command Extension */
+#define SD_PASS_THRU_MODE 0xD0
+#define SD_EXECUTE_NO_DATA 0xD1
+#define SD_EXECUTE_READ 0xD2
+#define SD_EXECUTE_WRITE 0xD3
+#define SD_GET_RSP 0xD4
+#define SD_HW_RST 0xD6
+#endif
+
+#ifdef SUPPORT_MAGIC_GATE
+#define CMD_MSPRO_MG_RKEY 0xA4 /* Report Key Command */
+#define CMD_MSPRO_MG_SKEY 0xA3 /* Send Key Command */
+
+/* CBWCB field: key class */
+#define KC_MG_R_PRO 0xBE /* MG-R PRO */
+
+/* CBWCB field: key format */
+#define KF_SET_LEAF_ID 0x31 /* Set Leaf ID */
+#define KF_GET_LOC_EKB 0x32 /* Get Local EKB */
+#define KF_CHG_HOST 0x33 /* Challenge (host) */
+#define KF_RSP_CHG 0x34 /* Response and Challenge (device) */
+#define KF_RSP_HOST 0x35 /* Response (host) */
+#define KF_GET_ICV 0x36 /* Get ICV */
+#define KF_SET_ICV 0x37 /* SSet ICV */
+#endif
+
+struct rts51x_chip;
+
+/*-----------------------------------
+ Start-Stop-Unit
+-----------------------------------*/
+#define STOP_MEDIUM 0x00 /* access disable */
+#define MAKE_MEDIUM_READY 0x01 /* access enable */
+#define UNLOAD_MEDIUM 0x02 /* unload */
+#define LOAD_MEDIUM 0x03 /* load */
+
+/*-----------------------------------
+ STANDARD_INQUIRY
+-----------------------------------*/
+#define QULIFIRE 0x00
+#define AENC_FNC 0x00
+#define TRML_IOP 0x00
+#define REL_ADR 0x00
+#define WBUS_32 0x00
+#define WBUS_16 0x00
+#define SYNC 0x00
+#define LINKED 0x00
+#define CMD_QUE 0x00
+#define SFT_RE 0x00
+
+#define VEN_ID_LEN 8 /* Vendor ID Length */
+#define PRDCT_ID_LEN 16 /* Product ID Length */
+#define PRDCT_REV_LEN 4 /* Product LOT Length */
+
+#define DRCT_ACCESS_DEV 0x00 /* Direct Access Device */
+#define RMB_DISC 0x80 /* The Device is Removable */
+#define ANSI_SCSI2 0x02 /* Based on ANSI-SCSI2 */
+
+#define SCSI 0x00 /* Interface ID */
+
+void rts51x_scsi_show_command(struct scsi_cmnd *srb);
+void rts51x_set_sense_type(struct rts51x_chip *chip, unsigned int lun, int sense_type);
+void rts51x_set_sense_data(struct rts51x_chip *chip, unsigned int lun, u8 err_code,
+ u8 sense_key, u32 info, u8 asc, u8 ascq, u8 sns_key_info0,
+ u16 sns_key_info1);
+
+int rts51x_scsi_handler(struct scsi_cmnd *srb, struct rts51x_chip *chip);
+
+struct Scsi_Host;
+struct scsi_device;
+struct scsi_cmnd;
+
+int slave_alloc(struct scsi_device *sdev);
+int slave_configure(struct scsi_device *sdev);
+int queuecommand(struct Scsi_Host *, struct scsi_cmnd *);
+int command_abort(struct scsi_cmnd *srb);
+int bus_reset(struct scsi_cmnd *srb);
+
+#endif /* __RTS51X_SCSI_H */
diff --git a/drivers/staging/rts5139/rts51x_transport.c b/drivers/staging/rts5139/rts51x_transport.c
new file mode 100644
index 000000000000..0db1345df94e
--- /dev/null
+++ b/drivers/staging/rts5139/rts51x_transport.c
@@ -0,0 +1,738 @@
+/* Driver for Realtek RTS51xx USB card reader
+ *
+ * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author:
+ * wwang (wei_wang(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ * Maintainer:
+ * Edwin Rong (edwin_rong(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ */
+
+#include <linux/blkdev.h>
+#include <linux/kthread.h>
+#include <linux/sched.h>
+#include <linux/slab.h>
+
+#include <scsi/scsi.h>
+#include <scsi/scsi_eh.h>
+#include <scsi/scsi_device.h>
+
+#include "debug.h"
+#include "rts51x.h"
+#include "rts51x_chip.h"
+#include "rts51x_card.h"
+#include "rts51x_scsi.h"
+#include "rts51x_transport.h"
+#include "trace.h"
+
+/***********************************************************************
+ * Scatter-gather transfer buffer access routines
+ ***********************************************************************/
+
+/* Copy a buffer of length buflen to/from the srb's transfer buffer.
+ * Update the **sgptr and *offset variables so that the next copy will
+ * pick up from where this one left off.
+ */
+
+unsigned int rts51x_access_sglist(unsigned char *buffer,
+ unsigned int buflen, void *sglist,
+ void **sgptr, unsigned int *offset,
+ enum xfer_buf_dir dir)
+{
+ unsigned int cnt;
+ struct scatterlist *sg = (struct scatterlist *)*sgptr;
+
+ /* We have to go through the list one entry
+ * at a time. Each s-g entry contains some number of pages, and
+ * each page has to be kmap()'ed separately. If the page is already
+ * in kernel-addressable memory then kmap() will return its address.
+ * If the page is not directly accessible -- such as a user buffer
+ * located in high memory -- then kmap() will map it to a temporary
+ * position in the kernel's virtual address space.
+ */
+
+ if (!sg)
+ sg = (struct scatterlist *)sglist;
+
+ /* This loop handles a single s-g list entry, which may
+ * include multiple pages. Find the initial page structure
+ * and the starting offset within the page, and update
+ * the *offset and **sgptr values for the next loop.
+ */
+ cnt = 0;
+ while (cnt < buflen && sg) {
+ struct page *page = sg_page(sg) +
+ ((sg->offset + *offset) >> PAGE_SHIFT);
+ unsigned int poff = (sg->offset + *offset) & (PAGE_SIZE - 1);
+ unsigned int sglen = sg->length - *offset;
+
+ if (sglen > buflen - cnt) {
+
+ /* Transfer ends within this s-g entry */
+ sglen = buflen - cnt;
+ *offset += sglen;
+ } else {
+
+ /* Transfer continues to next s-g entry */
+ *offset = 0;
+ sg = sg_next(sg);
+ }
+
+ /* Transfer the data for all the pages in this
+ * s-g entry. For each page: call kmap(), do the
+ * transfer, and call kunmap() immediately after. */
+ while (sglen > 0) {
+ unsigned int plen = min(sglen, (unsigned int)
+ PAGE_SIZE - poff);
+ unsigned char *ptr = kmap(page);
+
+ if (dir == TO_XFER_BUF)
+ memcpy(ptr + poff, buffer + cnt, plen);
+ else
+ memcpy(buffer + cnt, ptr + poff, plen);
+ kunmap(page);
+
+ /* Start at the beginning of the next page */
+ poff = 0;
+ ++page;
+ cnt += plen;
+ sglen -= plen;
+ }
+ }
+ *sgptr = sg;
+
+ /* Return the amount actually transferred */
+ return cnt;
+}
+
+static unsigned int rts51x_access_xfer_buf(unsigned char *buffer,
+ unsigned int buflen, struct scsi_cmnd *srb,
+ struct scatterlist **sgptr,
+ unsigned int *offset, enum xfer_buf_dir dir)
+{
+ return rts51x_access_sglist(buffer, buflen, (void *)scsi_sglist(srb),
+ (void **)sgptr, offset, dir);
+}
+
+/* Store the contents of buffer into srb's transfer buffer and set the
+ * SCSI residue.
+ */
+void rts51x_set_xfer_buf(unsigned char *buffer,
+ unsigned int buflen, struct scsi_cmnd *srb)
+{
+ unsigned int offset = 0;
+ struct scatterlist *sg = NULL;
+
+ buflen = min(buflen, scsi_bufflen(srb));
+ buflen = rts51x_access_xfer_buf(buffer, buflen, srb, &sg, &offset,
+ TO_XFER_BUF);
+ if (buflen < scsi_bufflen(srb))
+ scsi_set_resid(srb, scsi_bufflen(srb) - buflen);
+}
+
+void rts51x_get_xfer_buf(unsigned char *buffer,
+ unsigned int buflen, struct scsi_cmnd *srb)
+{
+ unsigned int offset = 0;
+ struct scatterlist *sg = NULL;
+
+ buflen = min(buflen, scsi_bufflen(srb));
+ buflen = rts51x_access_xfer_buf(buffer, buflen, srb, &sg, &offset,
+ FROM_XFER_BUF);
+ if (buflen < scsi_bufflen(srb))
+ scsi_set_resid(srb, scsi_bufflen(srb) - buflen);
+}
+
+/* This is the completion handler which will wake us up when an URB
+ * completes.
+ */
+static void urb_done_completion(struct urb *urb)
+{
+ struct completion *urb_done_ptr = urb->context;
+
+ if (urb_done_ptr)
+ complete(urb_done_ptr);
+}
+
+/* This is the common part of the URB message submission code
+ *
+ * All URBs from the driver involved in handling a queued scsi
+ * command _must_ pass through this function (or something like it) for the
+ * abort mechanisms to work properly.
+ */
+static int rts51x_msg_common(struct rts51x_chip *chip, struct urb *urb,
+ int timeout)
+{
+ struct rts51x_usb *rts51x = chip->usb;
+ struct completion urb_done;
+ long timeleft;
+ int status;
+
+ /* don't submit URBs during abort processing */
+ if (test_bit(FLIDX_ABORTING, &rts51x->dflags))
+ TRACE_RET(chip, -EIO);
+
+ /* set up data structures for the wakeup system */
+ init_completion(&urb_done);
+
+ /* fill the common fields in the URB */
+ urb->context = &urb_done;
+ urb->actual_length = 0;
+ urb->error_count = 0;
+ urb->status = 0;
+
+ /* we assume that if transfer_buffer isn't us->iobuf then it
+ * hasn't been mapped for DMA. Yes, this is clunky, but it's
+ * easier than always having the caller tell us whether the
+ * transfer buffer has already been mapped. */
+ urb->transfer_flags = URB_NO_SETUP_DMA_MAP;
+ if (urb->transfer_buffer == rts51x->iobuf) {
+ urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
+ urb->transfer_dma = rts51x->iobuf_dma;
+ }
+ urb->setup_dma = rts51x->cr_dma;
+
+ /* submit the URB */
+ status = usb_submit_urb(urb, GFP_NOIO);
+ if (status) {
+ /* something went wrong */
+ TRACE_RET(chip, status);
+ }
+
+ /* since the URB has been submitted successfully, it's now okay
+ * to cancel it */
+ set_bit(FLIDX_URB_ACTIVE, &rts51x->dflags);
+
+ /* did an abort occur during the submission? */
+ if (test_bit(FLIDX_ABORTING, &rts51x->dflags)) {
+
+ /* cancel the URB, if it hasn't been cancelled already */
+ if (test_and_clear_bit(FLIDX_URB_ACTIVE, &rts51x->dflags)) {
+ RTS51X_DEBUGP("-- cancelling URB\n");
+ usb_unlink_urb(urb);
+ }
+ }
+
+ /* wait for the completion of the URB */
+ timeleft =
+ wait_for_completion_interruptible_timeout(&urb_done,
+ (timeout * HZ /
+ 1000) ? :
+ MAX_SCHEDULE_TIMEOUT);
+
+ clear_bit(FLIDX_URB_ACTIVE, &rts51x->dflags);
+
+ if (timeleft <= 0) {
+ RTS51X_DEBUGP("%s -- cancelling URB\n",
+ timeleft == 0 ? "Timeout" : "Signal");
+ usb_kill_urb(urb);
+ if (timeleft == 0)
+ status = -ETIMEDOUT;
+ else
+ status = -EINTR;
+ } else {
+ status = urb->status;
+ }
+
+ return status;
+}
+
+static int rts51x_clear_halt(struct rts51x_chip *chip, unsigned int pipe);
+
+/*
+ * Interpret the results of a URB transfer
+ */
+static int interpret_urb_result(struct rts51x_chip *chip, unsigned int pipe,
+ unsigned int length, int result,
+ unsigned int partial)
+{
+ int retval = STATUS_SUCCESS;
+
+ /* RTS51X_DEBUGP("Status code %d; transferred %u/%u\n",
+ result, partial, length); */
+ switch (result) {
+ /* no error code; did we send all the data? */
+ case 0:
+ if (partial != length) {
+ RTS51X_DEBUGP("-- short transfer\n");
+ TRACE_RET(chip, STATUS_TRANS_SHORT);
+ }
+ /* RTS51X_DEBUGP("-- transfer complete\n"); */
+ return STATUS_SUCCESS;
+ /* stalled */
+ case -EPIPE:
+ /* for control endpoints, (used by CB[I]) a stall indicates
+ * a failed command */
+ if (usb_pipecontrol(pipe)) {
+ RTS51X_DEBUGP("-- stall on control pipe\n");
+ TRACE_RET(chip, STATUS_STALLED);
+ }
+ /* for other sorts of endpoint, clear the stall */
+ RTS51X_DEBUGP("clearing endpoint halt for pipe 0x%x\n", pipe);
+ if (rts51x_clear_halt(chip, pipe) < 0)
+ TRACE_RET(chip, STATUS_ERROR);
+ retval = STATUS_STALLED;
+ TRACE_GOTO(chip, Exit);
+
+ /* babble - the device tried to send more than
+ * we wanted to read */
+ case -EOVERFLOW:
+ RTS51X_DEBUGP("-- babble\n");
+ retval = STATUS_TRANS_LONG;
+ TRACE_GOTO(chip, Exit);
+
+ /* the transfer was cancelled by abort,
+ * disconnect, or timeout */
+ case -ECONNRESET:
+ RTS51X_DEBUGP("-- transfer cancelled\n");
+ retval = STATUS_ERROR;
+ TRACE_GOTO(chip, Exit);
+
+ /* short scatter-gather read transfer */
+ case -EREMOTEIO:
+ RTS51X_DEBUGP("-- short read transfer\n");
+ retval = STATUS_TRANS_SHORT;
+ TRACE_GOTO(chip, Exit);
+
+ /* abort or disconnect in progress */
+ case -EIO:
+ RTS51X_DEBUGP("-- abort or disconnect in progress\n");
+ retval = STATUS_ERROR;
+ TRACE_GOTO(chip, Exit);
+
+ case -ETIMEDOUT:
+ RTS51X_DEBUGP("-- time out\n");
+ retval = STATUS_TIMEDOUT;
+ TRACE_GOTO(chip, Exit);
+
+ /* the catch-all error case */
+ default:
+ RTS51X_DEBUGP("-- unknown error\n");
+ retval = STATUS_ERROR;
+ TRACE_GOTO(chip, Exit);
+ }
+
+Exit:
+ if ((retval != STATUS_SUCCESS) && !usb_pipecontrol(pipe))
+ rts51x_clear_hw_error(chip);
+
+ return retval;
+}
+
+int rts51x_ctrl_transfer(struct rts51x_chip *chip, unsigned int pipe,
+ u8 request, u8 requesttype, u16 value, u16 index,
+ void *data, u16 size, int timeout)
+{
+ struct rts51x_usb *rts51x = chip->usb;
+ int result;
+
+ RTS51X_DEBUGP("%s: rq=%02x rqtype=%02x value=%04x index=%02x len=%u\n",
+ __func__, request, requesttype, value, index, size);
+
+ /* fill in the devrequest structure */
+ rts51x->cr->bRequestType = requesttype;
+ rts51x->cr->bRequest = request;
+ rts51x->cr->wValue = cpu_to_le16(value);
+ rts51x->cr->wIndex = cpu_to_le16(index);
+ rts51x->cr->wLength = cpu_to_le16(size);
+
+ /* fill and submit the URB */
+ usb_fill_control_urb(rts51x->current_urb, rts51x->pusb_dev, pipe,
+ (unsigned char *)rts51x->cr, data, size,
+ urb_done_completion, NULL);
+ result = rts51x_msg_common(chip, rts51x->current_urb, timeout);
+
+ return interpret_urb_result(chip, pipe, size, result,
+ rts51x->current_urb->actual_length);
+}
+
+static int rts51x_clear_halt(struct rts51x_chip *chip, unsigned int pipe)
+{
+ int result;
+ int endp = usb_pipeendpoint(pipe);
+
+ if (usb_pipein(pipe))
+ endp |= USB_DIR_IN;
+
+ result = rts51x_ctrl_transfer(chip, SND_CTRL_PIPE(chip),
+ USB_REQ_CLEAR_FEATURE, USB_RECIP_ENDPOINT,
+ USB_ENDPOINT_HALT, endp, NULL, 0, 3000);
+ if (result != STATUS_SUCCESS)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ usb_reset_endpoint(chip->usb->pusb_dev, endp);
+
+ return STATUS_SUCCESS;
+}
+
+static void rts51x_sg_clean(struct usb_sg_request *io)
+{
+ if (io->urbs) {
+ while (io->entries--)
+ usb_free_urb(io->urbs[io->entries]);
+ kfree(io->urbs);
+ io->urbs = NULL;
+ }
+ io->dev = NULL;
+}
+
+static int rts51x_sg_init(struct usb_sg_request *io, struct usb_device *dev,
+ unsigned pipe, unsigned period, struct scatterlist *sg,
+ int nents, size_t length, gfp_t mem_flags)
+{
+ return usb_sg_init(io, dev, pipe, period, sg, nents, length, mem_flags);
+}
+
+static int rts51x_sg_wait(struct usb_sg_request *io, int timeout)
+{
+ long timeleft;
+ int i;
+ int entries = io->entries;
+
+ /* queue the urbs. */
+ spin_lock_irq(&io->lock);
+ i = 0;
+ while (i < entries && !io->status) {
+ int retval;
+
+ io->urbs[i]->dev = io->dev;
+ retval = usb_submit_urb(io->urbs[i], GFP_ATOMIC);
+
+ /* after we submit, let completions or cancelations fire;
+ * we handshake using io->status.
+ */
+ spin_unlock_irq(&io->lock);
+ switch (retval) {
+ /* maybe the retry will recover */
+ case -ENXIO: /* hc didn't queue this one */
+ case -EAGAIN:
+ case -ENOMEM:
+ io->urbs[i]->dev = NULL;
+ retval = 0;
+ yield();
+ break;
+
+ /* no error? continue immediately.
+ *
+ * NOTE: to work better with UHCI (4K I/O buffer may
+ * need 3K of TDs) it may be good to limit how many
+ * URBs are queued at once; N milliseconds?
+ */
+ case 0:
+ ++i;
+ cpu_relax();
+ break;
+
+ /* fail any uncompleted urbs */
+ default:
+ io->urbs[i]->dev = NULL;
+ io->urbs[i]->status = retval;
+ dev_dbg(&io->dev->dev, "%s, submit --> %d\n",
+ __func__, retval);
+ usb_sg_cancel(io);
+ }
+ spin_lock_irq(&io->lock);
+ if (retval && (io->status == 0 || io->status == -ECONNRESET))
+ io->status = retval;
+ }
+ io->count -= entries - i;
+ if (io->count == 0)
+ complete(&io->complete);
+ spin_unlock_irq(&io->lock);
+
+ timeleft =
+ wait_for_completion_interruptible_timeout(&io->complete,
+ (timeout * HZ /
+ 1000) ? :
+ MAX_SCHEDULE_TIMEOUT);
+ if (timeleft <= 0) {
+ RTS51X_DEBUGP("%s -- cancelling SG request\n",
+ timeleft == 0 ? "Timeout" : "Signal");
+ usb_sg_cancel(io);
+ if (timeleft == 0)
+ io->status = -ETIMEDOUT;
+ else
+ io->status = -EINTR;
+ }
+
+ rts51x_sg_clean(io);
+ return io->status;
+}
+
+/*
+ * Transfer a scatter-gather list via bulk transfer
+ *
+ * This function does basically the same thing as usb_stor_bulk_transfer_buf()
+ * above, but it uses the usbcore scatter-gather library.
+ */
+static int rts51x_bulk_transfer_sglist(struct rts51x_chip *chip,
+ unsigned int pipe,
+ struct scatterlist *sg, int num_sg,
+ unsigned int length,
+ unsigned int *act_len, int timeout)
+{
+ int result;
+
+ /* don't submit s-g requests during abort processing */
+ if (test_bit(FLIDX_ABORTING, &chip->usb->dflags))
+ TRACE_RET(chip, STATUS_ERROR);
+
+ /* initialize the scatter-gather request block */
+ RTS51X_DEBUGP("%s: xfer %u bytes, %d entries\n", __func__,
+ length, num_sg);
+ result =
+ rts51x_sg_init(&chip->usb->current_sg, chip->usb->pusb_dev, pipe, 0,
+ sg, num_sg, length, GFP_NOIO);
+ if (result) {
+ RTS51X_DEBUGP("rts51x_sg_init returned %d\n", result);
+ TRACE_RET(chip, STATUS_ERROR);
+ }
+
+ /* since the block has been initialized successfully, it's now
+ * okay to cancel it */
+ set_bit(FLIDX_SG_ACTIVE, &chip->usb->dflags);
+
+ /* did an abort occur during the submission? */
+ if (test_bit(FLIDX_ABORTING, &chip->usb->dflags)) {
+
+ /* cancel the request, if it hasn't been cancelled already */
+ if (test_and_clear_bit(FLIDX_SG_ACTIVE, &chip->usb->dflags)) {
+ RTS51X_DEBUGP("-- cancelling sg request\n");
+ usb_sg_cancel(&chip->usb->current_sg);
+ }
+ }
+
+ /* wait for the completion of the transfer */
+ result = rts51x_sg_wait(&chip->usb->current_sg, timeout);
+
+ clear_bit(FLIDX_SG_ACTIVE, &chip->usb->dflags);
+
+ /* result = us->current_sg.status; */
+ if (act_len)
+ *act_len = chip->usb->current_sg.bytes;
+ return interpret_urb_result(chip, pipe, length, result,
+ chip->usb->current_sg.bytes);
+}
+
+static int rts51x_bulk_transfer_buf(struct rts51x_chip *chip,
+ unsigned int pipe,
+ void *buf, unsigned int length,
+ unsigned int *act_len, int timeout)
+{
+ int result;
+
+ /* fill and submit the URB */
+ usb_fill_bulk_urb(chip->usb->current_urb, chip->usb->pusb_dev, pipe,
+ buf, length, urb_done_completion, NULL);
+ result = rts51x_msg_common(chip, chip->usb->current_urb, timeout);
+
+ /* store the actual length of the data transferred */
+ if (act_len)
+ *act_len = chip->usb->current_urb->actual_length;
+ return interpret_urb_result(chip, pipe, length, result,
+ chip->usb->current_urb->actual_length);
+}
+
+int rts51x_transfer_data(struct rts51x_chip *chip, unsigned int pipe,
+ void *buf, unsigned int len, int use_sg,
+ unsigned int *act_len, int timeout)
+{
+ int result;
+
+ if (timeout < 600)
+ timeout = 600;
+
+ if (use_sg) {
+ result =
+ rts51x_bulk_transfer_sglist(chip, pipe,
+ (struct scatterlist *)buf,
+ use_sg, len, act_len, timeout);
+ } else {
+ result =
+ rts51x_bulk_transfer_buf(chip, pipe, buf, len, act_len,
+ timeout);
+ }
+
+ return result;
+}
+
+int rts51x_transfer_data_partial(struct rts51x_chip *chip, unsigned int pipe,
+ void *buf, void **ptr, unsigned int *offset,
+ unsigned int len, int use_sg,
+ unsigned int *act_len, int timeout)
+{
+ int result;
+
+ if (timeout < 600)
+ timeout = 600;
+
+ if (use_sg) {
+ void *tmp_buf = kmalloc(len, GFP_KERNEL);
+ if (!tmp_buf)
+ TRACE_RET(chip, STATUS_NOMEM);
+
+ if (usb_pipeout(pipe)) {
+ rts51x_access_sglist(tmp_buf, len, buf, ptr, offset,
+ FROM_XFER_BUF);
+ }
+ result =
+ rts51x_bulk_transfer_buf(chip, pipe, tmp_buf, len, act_len,
+ timeout);
+ if (result == STATUS_SUCCESS) {
+ if (usb_pipein(pipe)) {
+ rts51x_access_sglist(tmp_buf, len, buf, ptr,
+ offset, TO_XFER_BUF);
+ }
+ }
+
+ kfree(tmp_buf);
+ } else {
+ unsigned int step = 0;
+ if (offset)
+ step = *offset;
+ result =
+ rts51x_bulk_transfer_buf(chip, pipe, buf + step, len,
+ act_len, timeout);
+ if (act_len)
+ step += *act_len;
+ else
+ step += len;
+ if (offset)
+ *offset = step;
+ }
+
+ return result;
+}
+
+int rts51x_get_epc_status(struct rts51x_chip *chip, u16 *status)
+{
+ unsigned int pipe = RCV_INTR_PIPE(chip);
+ struct usb_host_endpoint *ep;
+ struct completion urb_done;
+ int result;
+
+ if (!status)
+ TRACE_RET(chip, STATUS_ERROR);
+
+ /* set up data structures for the wakeup system */
+ init_completion(&urb_done);
+
+ ep = chip->usb->pusb_dev->ep_in[usb_pipeendpoint(pipe)];
+
+ /* fill and submit the URB */
+ /* Set interval to 10 here to match the endpoint descriptor,
+ * the polling interval is controlled by the polling thread */
+ usb_fill_int_urb(chip->usb->intr_urb, chip->usb->pusb_dev, pipe,
+ status, 2, urb_done_completion, &urb_done, 10);
+
+ result = rts51x_msg_common(chip, chip->usb->intr_urb, 100);
+
+ return interpret_urb_result(chip, pipe, 2, result,
+ chip->usb->intr_urb->actual_length);
+}
+
+void rts51x_invoke_transport(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ int result;
+
+#ifdef CONFIG_PM
+ static const u8 media_not_present[] = {
+ 0x70, 0, 0x02, 0, 0, 0, 0, 10, 0, 0, 0, 0, 0x3A, 0, 0, 0, 0, 0
+ };
+ static const u8 invalid_cmd_field[] = {
+ 0x70, 0, 0x05, 0, 0, 0, 0, 10, 0, 0, 0, 0, 0x24, 0, 0, 0, 0, 0
+ };
+
+ if (chip->option.ss_en) {
+ if (srb->cmnd[0] == TEST_UNIT_READY) {
+ if (RTS51X_CHK_STAT(chip, STAT_SS)) {
+ if (check_fake_card_ready(chip,
+ SCSI_LUN(srb))) {
+ srb->result = SAM_STAT_GOOD;
+ } else {
+ srb->result = SAM_STAT_CHECK_CONDITION;
+ memcpy(srb->sense_buffer,
+ media_not_present, SENSE_SIZE);
+ }
+ return;
+ }
+ } else if (srb->cmnd[0] == ALLOW_MEDIUM_REMOVAL) {
+ if (RTS51X_CHK_STAT(chip, STAT_SS)) {
+ int prevent = srb->cmnd[4] & 0x1;
+
+ if (prevent) {
+ srb->result = SAM_STAT_CHECK_CONDITION;
+ memcpy(srb->sense_buffer,
+ invalid_cmd_field, SENSE_SIZE);
+ } else {
+ srb->result = SAM_STAT_GOOD;
+ }
+ return;
+ }
+ } else {
+ if (RTS51X_CHK_STAT(chip, STAT_SS)
+ || RTS51X_CHK_STAT(chip, STAT_SS_PRE)) {
+ /* Wake up device */
+ RTS51X_DEBUGP("Try to wake up device\n");
+ chip->resume_from_scsi = 1;
+
+ rts51x_try_to_exit_ss(chip);
+
+ if (RTS51X_CHK_STAT(chip, STAT_SS)) {
+ wait_timeout(3000);
+
+ rts51x_init_chip(chip);
+ rts51x_init_cards(chip);
+ }
+ }
+ }
+ }
+#endif
+
+ result = rts51x_scsi_handler(srb, chip);
+
+ /* if there is a transport error, reset and don't auto-sense */
+ if (result == TRANSPORT_ERROR) {
+ RTS51X_DEBUGP("-- transport indicates error, resetting\n");
+ srb->result = DID_ERROR << 16;
+ goto Handle_Errors;
+ }
+
+ srb->result = SAM_STAT_GOOD;
+
+ /*
+ * If we have a failure, we're going to do a REQUEST_SENSE
+ * automatically. Note that we differentiate between a command
+ * "failure" and an "error" in the transport mechanism.
+ */
+ if (result == TRANSPORT_FAILED) {
+ /* set the result so the higher layers expect this data */
+ srb->result = SAM_STAT_CHECK_CONDITION;
+ memcpy(srb->sense_buffer,
+ (unsigned char *)&(chip->sense_buffer[SCSI_LUN(srb)]),
+ sizeof(struct sense_data_t));
+ }
+
+ return;
+
+ /* Error and abort processing: try to resynchronize with the device
+ * by issuing a port reset. If that fails, try a class-specific
+ * device reset. */
+Handle_Errors:
+ return;
+}
diff --git a/drivers/staging/rts5139/rts51x_transport.h b/drivers/staging/rts5139/rts51x_transport.h
new file mode 100644
index 000000000000..024f115540a6
--- /dev/null
+++ b/drivers/staging/rts5139/rts51x_transport.h
@@ -0,0 +1,67 @@
+/* Driver for Realtek RTS51xx USB card reader
+ * Header file
+ *
+ * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author:
+ * wwang (wei_wang(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ * Maintainer:
+ * Edwin Rong (edwin_rong(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ */
+
+#ifndef __RTS51X_TRANSPORT_H
+#define __RTS51X_TRANSPORT_H
+
+#include <linux/kernel.h>
+
+#include "rts51x.h"
+#include "rts51x_chip.h"
+
+#if 1 /* LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 34) */
+#define URB_NO_SETUP_DMA_MAP 0
+#endif
+
+unsigned int rts51x_access_sglist(unsigned char *buffer,
+ unsigned int buflen, void *sglist,
+ void **sgptr, unsigned int *offset,
+ enum xfer_buf_dir dir);
+void rts51x_set_xfer_buf(unsigned char *buffer, unsigned int buflen,
+ struct scsi_cmnd *srb);
+void rts51x_get_xfer_buf(unsigned char *buffer, unsigned int buflen,
+ struct scsi_cmnd *srb);
+
+int rts51x_ctrl_transfer(struct rts51x_chip *chip, unsigned int pipe,
+ u8 request, u8 requesttype, u16 value, u16 index,
+ void *data, u16 size, int timeout);
+int rts51x_transfer_data(struct rts51x_chip *chip, unsigned int pipe,
+ void *buf, unsigned int len, int use_sg,
+ unsigned int *act_len, int timeout);
+int rts51x_transfer_data_partial(struct rts51x_chip *chip, unsigned int pipe,
+ void *buf, void **ptr, unsigned int *offset,
+ unsigned int len, int use_sg,
+ unsigned int *act_len, int timeout);
+
+#ifndef POLLING_IN_THREAD
+int rts51x_start_epc_transfer(struct rts51x_chip *chip);
+void rts51x_cancel_epc_transfer(struct rts51x_chip *chip);
+#endif
+
+int rts51x_get_epc_status(struct rts51x_chip *chip, u16 *status);
+void rts51x_invoke_transport(struct scsi_cmnd *srb, struct rts51x_chip *chip);
+
+#endif /* __RTS51X_TRANSPORT_H */
diff --git a/drivers/staging/rts5139/sd.c b/drivers/staging/rts5139/sd.c
new file mode 100644
index 000000000000..da5a9b8fb69c
--- /dev/null
+++ b/drivers/staging/rts5139/sd.c
@@ -0,0 +1,3274 @@
+/* Driver for Realtek RTS51xx USB card reader
+ *
+ * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author:
+ * wwang (wei_wang(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ * Maintainer:
+ * Edwin Rong (edwin_rong(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ */
+
+#include <linux/blkdev.h>
+#include <linux/kthread.h>
+#include <linux/sched.h>
+
+#include "debug.h"
+#include "trace.h"
+#include "rts51x.h"
+#include "rts51x_transport.h"
+#include "rts51x_scsi.h"
+#include "rts51x_card.h"
+#include "sd.h"
+
+static inline void sd_set_reset_fail(struct rts51x_chip *chip, u8 err_code)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+
+ sd_card->sd_reset_fail |= err_code;
+}
+
+static inline void sd_clear_reset_fail(struct rts51x_chip *chip)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+
+ sd_card->sd_reset_fail = 0;
+}
+
+static inline int sd_check_reset_fail(struct rts51x_chip *chip, u8 err_code)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+
+ return sd_card->sd_reset_fail & err_code;
+}
+
+static inline void sd_set_err_code(struct rts51x_chip *chip, u8 err_code)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+
+ sd_card->err_code |= err_code;
+}
+
+static inline void sd_clr_err_code(struct rts51x_chip *chip)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+
+ sd_card->err_code = 0;
+}
+
+static inline int sd_check_err_code(struct rts51x_chip *chip, u8 err_code)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+
+ return sd_card->err_code & err_code;
+}
+
+static int sd_parse_err_code(struct rts51x_chip *chip)
+{
+ TRACE_RET(chip, STATUS_FAIL);
+}
+
+int sd_check_data0_status(struct rts51x_chip *chip)
+{
+ int retval;
+ u8 stat;
+
+ retval = rts51x_ep0_read_register(chip, SD_BUS_STAT, &stat);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ if (!(stat & SD_DAT0_STATUS)) {
+ sd_set_err_code(chip, SD_BUSY);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int sd_send_cmd_get_rsp(struct rts51x_chip *chip, u8 cmd_idx,
+ u32 arg, u8 rsp_type, u8 *rsp, int rsp_len)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+ int timeout = 50;
+ u16 reg_addr;
+ u8 buf[17], stat;
+ int len = 2;
+ int rty_cnt = 0;
+
+ sd_clr_err_code(chip);
+
+ RTS51X_DEBUGP("SD/MMC CMD %d, arg = 0x%08x\n", cmd_idx, arg);
+
+ if (rsp_type == SD_RSP_TYPE_R1b)
+ timeout = 3000;
+
+RTY_SEND_CMD:
+
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD0, 0xFF, 0x40 | cmd_idx);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD1, 0xFF, (u8) (arg >> 24));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD2, 0xFF, (u8) (arg >> 16));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD3, 0xFF, (u8) (arg >> 8));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD4, 0xFF, (u8) arg);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG2, 0xFF, rsp_type);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01,
+ PINGPONG_BUFFER);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_TRANSFER, 0xFF,
+ SD_TM_CMD_RSP | SD_TRANSFER_START);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, SD_TRANSFER,
+ SD_TRANSFER_END | SD_STAT_IDLE,
+ SD_TRANSFER_END | SD_STAT_IDLE);
+
+ rts51x_add_cmd(chip, READ_REG_CMD, SD_STAT1, 0, 0);
+
+ if (CHECK_USB(chip, USB_20)) {
+ if (rsp_type == SD_RSP_TYPE_R2) {
+ /* Read data from ping-pong buffer */
+ for (reg_addr = PPBUF_BASE2;
+ reg_addr < PPBUF_BASE2 + 16; reg_addr++) {
+ rts51x_add_cmd(chip, READ_REG_CMD, reg_addr, 0,
+ 0);
+ }
+ len = 18;
+ } else if (rsp_type != SD_RSP_TYPE_R0) {
+ /* Read data from SD_CMDx registers */
+ for (reg_addr = SD_CMD0; reg_addr <= SD_CMD4;
+ reg_addr++) {
+ rts51x_add_cmd(chip, READ_REG_CMD, reg_addr, 0,
+ 0);
+ }
+ len = 7;
+ } else {
+ len = 2;
+ }
+ } else {
+ len = 2;
+ }
+
+ retval = rts51x_send_cmd(chip, MODE_CR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = rts51x_get_rsp(chip, len, timeout);
+
+ if (CHECK_SD_TRANS_FAIL(chip, retval)) {
+ u8 val;
+
+ rts51x_ep0_read_register(chip, SD_STAT1, &val);
+ RTS51X_DEBUGP("SD_STAT1: 0x%x\n", val);
+
+ rts51x_ep0_read_register(chip, SD_STAT2, &val);
+ RTS51X_DEBUGP("SD_STAT2: 0x%x\n", val);
+
+ if (val & SD_RSP_80CLK_TIMEOUT)
+ sd_set_err_code(chip, SD_RSP_TIMEOUT);
+
+ rts51x_ep0_read_register(chip, SD_BUS_STAT, &val);
+ RTS51X_DEBUGP("SD_BUS_STAT: 0x%x\n", val);
+
+ if (retval == STATUS_TIMEDOUT) {
+ if (rsp_type & SD_WAIT_BUSY_END) {
+ retval = sd_check_data0_status(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ } else {
+ sd_set_err_code(chip, SD_TO_ERR);
+ }
+ }
+ rts51x_clear_sd_error(chip);
+
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ if (rsp_type == SD_RSP_TYPE_R0)
+ return STATUS_SUCCESS;
+
+ if (CHECK_USB(chip, USB_20)) {
+ rts51x_read_rsp_buf(chip, 2, buf, len - 2);
+ } else {
+ if (rsp_type == SD_RSP_TYPE_R2) {
+ reg_addr = PPBUF_BASE2;
+ len = 16;
+ } else {
+ reg_addr = SD_CMD0;
+ len = 5;
+ }
+ retval = rts51x_seq_read_register(chip, reg_addr,
+ (unsigned short)len, buf);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+ stat = chip->rsp_buf[1];
+
+ /* Check (Start,Transmission) bit of Response */
+ if ((buf[0] & 0xC0) != 0) {
+ sd_set_err_code(chip, SD_STS_ERR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ /* Check CRC7 */
+ if (!(rsp_type & SD_NO_CHECK_CRC7)) {
+ if (stat & SD_CRC7_ERR) {
+ if (cmd_idx == WRITE_MULTIPLE_BLOCK) {
+ sd_set_err_code(chip, SD_CRC_ERR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ if (rty_cnt < SD_MAX_RETRY_COUNT) {
+ wait_timeout(20);
+ rty_cnt++;
+ goto RTY_SEND_CMD;
+ } else {
+ sd_set_err_code(chip, SD_CRC_ERR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+ }
+ /* Check Status */
+ if ((rsp_type == SD_RSP_TYPE_R1) || (rsp_type == SD_RSP_TYPE_R1b)) {
+ if ((cmd_idx != SEND_RELATIVE_ADDR)
+ && (cmd_idx != SEND_IF_COND)) {
+ if (cmd_idx != STOP_TRANSMISSION) {
+ if (buf[1] & 0x80)
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ if (buf[1] & 0x7F) {
+ RTS51X_DEBUGP("buf[1]: 0x%02x\n", buf[1]);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ if (buf[2] & 0xFF) {
+ RTS51X_DEBUGP("buf[2]: 0x%02x\n", buf[2]);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ if (buf[3] & 0x80) {
+ RTS51X_DEBUGP("buf[3]: 0x%02x\n", buf[3]);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ if (buf[3] & 0x01) {
+ /* Get "READY_FOR_DATA" bit */
+ sd_card->sd_data_buf_ready = 1;
+ } else {
+ sd_card->sd_data_buf_ready = 0;
+ }
+ }
+ }
+
+ if (rsp && rsp_len)
+ memcpy(rsp, buf, rsp_len);
+
+ return STATUS_SUCCESS;
+}
+
+static inline void sd_print_debug_reg(struct rts51x_chip *chip)
+{
+#ifdef CONFIG_RTS5139_DEBUG
+ u8 val = 0;
+
+ rts51x_ep0_read_register(chip, SD_STAT1, &val);
+ RTS51X_DEBUGP("SD_STAT1: 0x%x\n", val);
+ rts51x_ep0_read_register(chip, SD_STAT2, &val);
+ RTS51X_DEBUGP("SD_STAT2: 0x%x\n", val);
+ rts51x_ep0_read_register(chip, SD_BUS_STAT, &val);
+ RTS51X_DEBUGP("SD_BUS_STAT: 0x%x\n", val);
+#endif
+}
+
+int sd_read_data(struct rts51x_chip *chip, u8 trans_mode, u8 *cmd, int cmd_len,
+ u16 byte_cnt, u16 blk_cnt, u8 bus_width, u8 *buf, int buf_len,
+ int timeout)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+ int i;
+
+ sd_clr_err_code(chip);
+
+ if (!buf)
+ buf_len = 0;
+
+ if (buf_len > 512)
+ /* This function can't read data more than one page */
+ TRACE_RET(chip, STATUS_FAIL);
+
+ rts51x_init_cmd(chip);
+
+ if (cmd_len) {
+ RTS51X_DEBUGP("SD/MMC CMD %d\n", cmd[0] - 0x40);
+ for (i = 0; i < (cmd_len < 6 ? cmd_len : 6); i++) {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD0 + i, 0xFF,
+ cmd[i]);
+ }
+ }
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_L, 0xFF, (u8) byte_cnt);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_H, 0xFF,
+ (u8) (byte_cnt >> 8));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_L, 0xFF, (u8) blk_cnt);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_H, 0xFF,
+ (u8) (blk_cnt >> 8));
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG1, 0x03, bus_width);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG2, 0xFF,
+ SD_CALCULATE_CRC7 | SD_CHECK_CRC16 | SD_NO_WAIT_BUSY_END
+ | SD_CHECK_CRC7 | SD_RSP_LEN_6);
+ if (trans_mode != SD_TM_AUTO_TUNING) {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01,
+ PINGPONG_BUFFER);
+ }
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_TRANSFER, 0xFF,
+ trans_mode | SD_TRANSFER_START);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, SD_TRANSFER, SD_TRANSFER_END,
+ SD_TRANSFER_END);
+
+ retval = rts51x_send_cmd(chip, MODE_CR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = rts51x_get_rsp(chip, 1, timeout);
+
+ if (CHECK_SD_TRANS_FAIL(chip, retval)) {
+ sd_print_debug_reg(chip);
+ if (retval == STATUS_TIMEDOUT) {
+ sd_send_cmd_get_rsp(chip, SEND_STATUS, sd_card->sd_addr,
+ SD_RSP_TYPE_R1, NULL, 0);
+ }
+
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ if (buf && buf_len) {
+ retval = rts51x_read_ppbuf(chip, buf, buf_len);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int sd_write_data(struct rts51x_chip *chip, u8 trans_mode,
+ u8 *cmd, int cmd_len, u16 byte_cnt, u16 blk_cnt,
+ u8 bus_width, u8 *buf, int buf_len, int timeout)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+ int i;
+
+ sd_clr_err_code(chip);
+
+ if (!buf)
+ buf_len = 0;
+
+ /* This function can't write data more than one page */
+ if (buf_len > 512)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ if (buf && buf_len) {
+ retval = rts51x_write_ppbuf(chip, buf, buf_len);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+
+ rts51x_init_cmd(chip);
+
+ if (cmd_len) {
+ RTS51X_DEBUGP("SD/MMC CMD %d\n", cmd[0] - 0x40);
+ for (i = 0; i < (cmd_len < 6 ? cmd_len : 6); i++) {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD0 + i, 0xFF,
+ cmd[i]);
+ }
+ }
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_L, 0xFF, (u8) byte_cnt);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_H, 0xFF,
+ (u8) (byte_cnt >> 8));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_L, 0xFF, (u8) blk_cnt);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_H, 0xFF,
+ (u8) (blk_cnt >> 8));
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG1, 0x03, bus_width);
+
+ if (cmd_len) {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG2, 0xFF,
+ SD_CALCULATE_CRC7 | SD_CHECK_CRC16 |
+ SD_WAIT_BUSY_END | SD_CHECK_CRC7 | SD_RSP_LEN_6);
+
+ } else {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG2, 0xFF,
+ SD_CALCULATE_CRC7 | SD_CHECK_CRC16 |
+ SD_NO_WAIT_BUSY_END | SD_CHECK_CRC7 |
+ SD_RSP_LEN_6);
+ }
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_TRANSFER, 0xFF,
+ trans_mode | SD_TRANSFER_START);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, SD_TRANSFER, SD_TRANSFER_END,
+ SD_TRANSFER_END);
+
+ retval = rts51x_send_cmd(chip, MODE_CR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = rts51x_get_rsp(chip, 1, timeout);
+
+ if (CHECK_SD_TRANS_FAIL(chip, retval)) {
+ sd_print_debug_reg(chip);
+
+ if (retval == STATUS_TIMEDOUT)
+ sd_send_cmd_get_rsp(chip, SEND_STATUS, sd_card->sd_addr,
+ SD_RSP_TYPE_R1, NULL, 0);
+
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int sd_check_csd(struct rts51x_chip *chip, char check_wp)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+ int i;
+ u8 csd_ver, trans_speed;
+ u8 rsp[16];
+
+ for (i = 0; i < 6; i++) {
+ if (monitor_card_cd(chip, SD_CARD) == CD_NOT_EXIST) {
+ sd_set_reset_fail(chip, SD_RESET_FAIL);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ retval =
+ sd_send_cmd_get_rsp(chip, SEND_CSD, sd_card->sd_addr,
+ SD_RSP_TYPE_R2, rsp, 16);
+ if (retval == STATUS_SUCCESS)
+ break;
+ }
+
+ if (i == 6)
+ TRACE_RET(chip, STATUS_FAIL);
+ memcpy(sd_card->raw_csd, rsp + 1, 15);
+ /* Get CRC7 */
+ RTS51X_READ_REG(chip, SD_CMD5, sd_card->raw_csd + 15);
+
+ RTS51X_DEBUGP("CSD Response:\n");
+ RTS51X_DUMP(rsp, 16);
+
+ /* Get CSD Version */
+ csd_ver = (rsp[1] & 0xc0) >> 6;
+ RTS51X_DEBUGP("csd_ver = %d\n", csd_ver);
+
+ trans_speed = rsp[4];
+ if ((trans_speed & 0x07) == 0x02) { /* 10Mbits/s */
+ if ((trans_speed & 0xf8) >= 0x30) { /* >25Mbits/s */
+ if (chip->asic_code)
+ sd_card->sd_clock = 46;
+ else
+ sd_card->sd_clock = CLK_50;
+ } else if ((trans_speed & 0xf8) == 0x28) { /* 20Mbits/s */
+ if (chip->asic_code)
+ sd_card->sd_clock = 39;
+ else
+ sd_card->sd_clock = CLK_40;
+ } else if ((trans_speed & 0xf8) == 0x20) { /* 15Mbits/s */
+ if (chip->asic_code)
+ sd_card->sd_clock = 29;
+ else
+ sd_card->sd_clock = CLK_30;
+ } else if ((trans_speed & 0xf8) >= 0x10) { /* 12Mbits/s */
+ if (chip->asic_code)
+ sd_card->sd_clock = 23;
+ else
+ sd_card->sd_clock = CLK_20;
+ } else if ((trans_speed & 0x08) >= 0x08) { /* 10Mbits/s */
+ if (chip->asic_code)
+ sd_card->sd_clock = 19;
+ else
+ sd_card->sd_clock = CLK_20;
+ } /*else { */
+ /*If this ,then slow card will use 30M clock */
+ /* TRACE_RET(chip, STATUS_FAIL); */
+ /* } */
+ }
+ /*else {
+ TRACE_RET(chip, STATUS_FAIL);
+ } */
+ if (CHK_MMC_SECTOR_MODE(sd_card)) {
+ sd_card->capacity = 0;
+ } else {
+ /* For High-Capacity Card, CSD_STRUCTURE always be "0x1" */
+ if ((!CHK_SD_HCXC(sd_card)) || (csd_ver == 0)) {
+ /* Calculate total sector according to C_SIZE,
+ * C_SIZE_MULT & READ_BL_LEN */
+ u8 blk_size, c_size_mult;
+ u16 c_size;
+ /* Get READ_BL_LEN */
+ blk_size = rsp[6] & 0x0F;
+ /* Get C_SIZE */
+ c_size = ((u16) (rsp[7] & 0x03) << 10)
+ + ((u16) rsp[8] << 2)
+ + ((u16) (rsp[9] & 0xC0) >> 6);
+ /* Get C_SIZE_MUL */
+ c_size_mult = (u8) ((rsp[10] & 0x03) << 1);
+ c_size_mult += (rsp[11] & 0x80) >> 7;
+ /* Calculate total Capacity */
+ sd_card->capacity =
+ (((u32) (c_size + 1)) *
+ (1 << (c_size_mult + 2))) << (blk_size - 9);
+ } else {
+ /* High Capacity Card and Use CSD2.0 Version */
+ u32 total_sector = 0;
+ total_sector = (((u32) rsp[8] & 0x3f) << 16) |
+ ((u32) rsp[9] << 8) | (u32) rsp[10];
+ /* Total Capacity= (C_SIZE+1) *
+ * 512K Byte = (C_SIZE+1)K Sector,1K = 1024 Bytes */
+ sd_card->capacity = (total_sector + 1) << 10;
+ }
+ }
+
+ /* We need check Write-Protected Status by Field PERM WP or TEMP WP */
+ if (check_wp) {
+ if (rsp[15] & 0x30)
+ chip->card_wp |= SD_CARD;
+ RTS51X_DEBUGP("CSD WP Status: 0x%x\n", rsp[15]);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int sd_set_sample_push_timing(struct rts51x_chip *chip)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+
+ rts51x_init_cmd(chip);
+
+ if (CHK_SD_SDR104(sd_card) || CHK_SD_SDR50(sd_card)) {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG1,
+ 0x0C | SD_ASYNC_FIFO_RST,
+ SD_30_MODE | SD_ASYNC_FIFO_RST);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_CLK_SOURCE, 0xFF,
+ CRC_VAR_CLK0 | SD30_FIX_CLK | SAMPLE_VAR_CLK1);
+ } else if (CHK_SD_DDR50(sd_card) || CHK_MMC_DDR52(sd_card)) {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG1,
+ 0x0C | SD_ASYNC_FIFO_RST,
+ SD_DDR_MODE | SD_ASYNC_FIFO_RST);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_CLK_SOURCE, 0xFF,
+ CRC_VAR_CLK0 | SD30_FIX_CLK | SAMPLE_VAR_CLK1);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_PUSH_POINT_CTL,
+ DDR_VAR_TX_CMD_DAT, DDR_VAR_TX_CMD_DAT);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_SAMPLE_POINT_CTL,
+ DDR_VAR_RX_DAT | DDR_VAR_RX_CMD,
+ DDR_VAR_RX_DAT | DDR_VAR_RX_CMD);
+ } else {
+ u8 val = 0;
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG1, 0x0C, SD_20_MODE);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_CLK_SOURCE, 0xFF,
+ CRC_FIX_CLK | SD30_VAR_CLK0 | SAMPLE_VAR_CLK1);
+
+ if ((chip->option.sd_ctl & SD_PUSH_POINT_CTL_MASK) ==
+ SD_PUSH_POINT_AUTO) {
+ val = SD20_TX_NEG_EDGE;
+ } else if ((chip->option.sd_ctl & SD_PUSH_POINT_CTL_MASK) ==
+ SD_PUSH_POINT_DELAY) {
+ val = SD20_TX_14_AHEAD;
+ } else {
+ val = SD20_TX_NEG_EDGE;
+ }
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_PUSH_POINT_CTL,
+ SD20_TX_SEL_MASK, val);
+
+ if ((chip->option.sd_ctl & SD_SAMPLE_POINT_CTL_MASK) ==
+ SD_SAMPLE_POINT_AUTO) {
+ if (chip->asic_code) {
+ if (CHK_SD_HS(sd_card) || CHK_MMC_52M(sd_card))
+ val = SD20_RX_14_DELAY;
+ else
+ val = SD20_RX_POS_EDGE;
+ } else {
+ val = SD20_RX_14_DELAY;
+ }
+ } else if ((chip->option.sd_ctl & SD_SAMPLE_POINT_CTL_MASK) ==
+ SD_SAMPLE_POINT_DELAY) {
+ val = SD20_RX_14_DELAY;
+ } else {
+ val = SD20_RX_POS_EDGE;
+ }
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_SAMPLE_POINT_CTL,
+ SD20_RX_SEL_MASK, val);
+ }
+
+ if (CHK_MMC_DDR52(sd_card) && CHK_MMC_8BIT(sd_card)) {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DMA1_CTL,
+ EXTEND_DMA1_ASYNC_SIGNAL, 0);
+ }
+
+ retval = rts51x_send_cmd(chip, MODE_C, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ return STATUS_SUCCESS;
+}
+
+static void sd_choose_proper_clock(struct rts51x_chip *chip)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+
+ if (CHK_SD_SDR104(sd_card)) {
+ if (chip->asic_code)
+ sd_card->sd_clock = chip->option.asic_sd_sdr104_clk;
+ else
+ sd_card->sd_clock = chip->option.fpga_sd_sdr104_clk;
+ } else if (CHK_SD_DDR50(sd_card)) {
+ if (chip->asic_code)
+ sd_card->sd_clock = chip->option.asic_sd_ddr50_clk;
+ else
+ sd_card->sd_clock = chip->option.fpga_sd_ddr50_clk;
+ } else if (CHK_SD_SDR50(sd_card)) {
+ if (chip->asic_code)
+ sd_card->sd_clock = chip->option.asic_sd_sdr50_clk;
+ else
+ sd_card->sd_clock = chip->option.fpga_sd_sdr50_clk;
+ } else if (CHK_SD_HS(sd_card)) {
+ if (chip->asic_code)
+ sd_card->sd_clock = chip->option.asic_sd_hs_clk;
+ else
+ sd_card->sd_clock = chip->option.fpga_sd_hs_clk;
+ } else if (CHK_MMC_52M(sd_card) || CHK_MMC_DDR52(sd_card)) {
+ if (chip->asic_code)
+ sd_card->sd_clock = chip->option.asic_mmc_52m_clk;
+ else
+ sd_card->sd_clock = chip->option.fpga_mmc_52m_clk;
+ } else if (CHK_MMC_26M(sd_card)) {
+ if (chip->asic_code) {
+ sd_card->sd_clock = 46;
+ RTS51X_DEBUGP("Set MMC clock to 22.5MHz\n");
+ } else {
+ sd_card->sd_clock = CLK_50;
+ }
+ }
+}
+
+static int sd_set_init_para(struct rts51x_chip *chip)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+
+ retval = sd_set_sample_push_timing(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ sd_choose_proper_clock(chip);
+
+ retval = switch_clock(chip, sd_card->sd_clock);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_sd_select_card(struct rts51x_chip *chip, int select)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+ u8 cmd_idx, cmd_type;
+ u32 addr;
+
+ if (select) {
+ cmd_idx = SELECT_CARD;
+ cmd_type = SD_RSP_TYPE_R1;
+ addr = sd_card->sd_addr;
+ } else {
+ cmd_idx = DESELECT_CARD;
+ cmd_type = SD_RSP_TYPE_R0;
+ addr = 0;
+ }
+
+ retval = sd_send_cmd_get_rsp(chip, cmd_idx, addr, cmd_type, NULL, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ return STATUS_SUCCESS;
+}
+
+static int sd_wait_currentstate_dataready(struct rts51x_chip *chip, u8 statechk,
+ u8 rdychk, u16 pollingcnt)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+ u8 rsp[5];
+ u16 i;
+
+ for (i = 0; i < pollingcnt; i++) {
+
+ retval =
+ sd_send_cmd_get_rsp(chip, SEND_STATUS, sd_card->sd_addr,
+ SD_RSP_TYPE_R1, rsp, 5);
+ if (retval == STATUS_SUCCESS) {
+ if (((rsp[3] & 0x1E) == statechk)
+ && ((rsp[3] & 0x01) == rdychk)) {
+ return STATUS_SUCCESS;
+ }
+ } else {
+ rts51x_clear_sd_error(chip);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+
+ return STATUS_TIMEDOUT;
+}
+
+static int sd_voltage_switch(struct rts51x_chip *chip)
+{
+ int retval;
+ u8 stat;
+
+ RTS51X_WRITE_REG(chip, SD_BUS_STAT,
+ SD_CLK_TOGGLE_EN | SD_CLK_FORCE_STOP,
+ SD_CLK_TOGGLE_EN);
+
+ retval =
+ sd_send_cmd_get_rsp(chip, VOLTAGE_SWITCH, 0, SD_RSP_TYPE_R1, NULL,
+ 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ RTS51X_READ_REG(chip, SD_BUS_STAT, &stat);
+ if (stat & (SD_CMD_STATUS | SD_DAT3_STATUS | SD_DAT2_STATUS |
+ SD_DAT1_STATUS | SD_DAT0_STATUS))
+ TRACE_RET(chip, STATUS_FAIL);
+
+ rts51x_init_cmd(chip);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BUS_STAT, 0xFF,
+ SD_CLK_FORCE_STOP);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_PAD_CTL, SD_IO_USING_1V8,
+ SD_IO_USING_1V8);
+ if (chip->asic_code)
+ rts51x_add_cmd(chip, WRITE_REG_CMD, LDO_POWER_CFG,
+ TUNE_SD18_MASK, TUNE_SD18_1V8);
+ retval = rts51x_send_cmd(chip, MODE_C, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ wait_timeout(chip->option.D3318_off_delay);
+
+ RTS51X_WRITE_REG(chip, SD_BUS_STAT, 0xFF, SD_CLK_TOGGLE_EN);
+ wait_timeout(10);
+
+ RTS51X_READ_REG(chip, SD_BUS_STAT, &stat);
+ if ((stat & (SD_CMD_STATUS | SD_DAT3_STATUS | SD_DAT2_STATUS |
+ SD_DAT1_STATUS | SD_DAT0_STATUS)) !=
+ (SD_CMD_STATUS | SD_DAT3_STATUS | SD_DAT2_STATUS |
+ SD_DAT1_STATUS | SD_DAT0_STATUS)) {
+ rts51x_init_cmd(chip);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BUS_STAT, 0xFF,
+ SD_CLK_FORCE_STOP);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_CLK_EN, 0xFF, 0);
+ rts51x_send_cmd(chip, MODE_C, 100);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ RTS51X_WRITE_REG(chip, SD_BUS_STAT,
+ SD_CLK_TOGGLE_EN | SD_CLK_FORCE_STOP, 0);
+
+ return STATUS_SUCCESS;
+}
+
+static int sd_change_phase(struct rts51x_chip *chip, u8 sample_point,
+ u8 tune_dir)
+{
+ u16 SD_VP_CTL, SD_DCMPS_CTL;
+ u8 val;
+ int retval;
+
+ RTS51X_DEBUGP("sd_change_phase (sample_point = %d, tune_dir = %d)\n",
+ sample_point, tune_dir);
+
+ if (tune_dir == TUNE_RX) {
+ SD_VP_CTL = SD_VPCLK1_CTL;
+ SD_DCMPS_CTL = SD_DCMPS1_CTL;
+ } else {
+ SD_VP_CTL = SD_VPCLK0_CTL;
+ SD_DCMPS_CTL = SD_DCMPS0_CTL;
+ }
+
+ if (chip->asic_code) {
+ RTS51X_WRITE_REG(chip, CLK_DIV, CLK_CHANGE, CLK_CHANGE);
+ RTS51X_WRITE_REG(chip, SD_VP_CTL, 0x1F, sample_point);
+ RTS51X_WRITE_REG(chip, SD_VPCLK0_CTL, PHASE_NOT_RESET, 0);
+ RTS51X_WRITE_REG(chip, SD_VPCLK0_CTL, PHASE_NOT_RESET,
+ PHASE_NOT_RESET);
+ RTS51X_WRITE_REG(chip, CLK_DIV, CLK_CHANGE, 0);
+ } else {
+#ifdef CONFIG_RTS5139_DEBUG
+ RTS51X_READ_REG(chip, SD_VP_CTL, &val);
+ RTS51X_DEBUGP("SD_VP_CTL: 0x%x\n", val);
+ RTS51X_READ_REG(chip, SD_DCMPS_CTL, &val);
+ RTS51X_DEBUGP("SD_DCMPS_CTL: 0x%x\n", val);
+#endif
+
+ RTS51X_WRITE_REG(chip, CLK_DIV, CLK_CHANGE, CLK_CHANGE);
+ udelay(100);
+ RTS51X_WRITE_REG(chip, SD_VP_CTL, 0xFF,
+ PHASE_NOT_RESET | sample_point);
+ udelay(200);
+
+ rts51x_init_cmd(chip);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_DCMPS_CTL, DCMPS_CHANGE,
+ DCMPS_CHANGE);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, SD_DCMPS_CTL,
+ DCMPS_CHANGE_DONE, DCMPS_CHANGE_DONE);
+ retval = rts51x_send_cmd(chip, MODE_CR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, Fail);
+
+ retval = rts51x_get_rsp(chip, 1, 500);
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, Fail);
+
+ val = chip->rsp_buf[0];
+ if (val & DCMPS_ERROR)
+ TRACE_GOTO(chip, Fail);
+ if ((val & DCMPS_CURRENT_PHASE) != sample_point)
+ TRACE_GOTO(chip, Fail);
+ RTS51X_WRITE_REG(chip, SD_DCMPS_CTL, DCMPS_CHANGE, 0);
+ RTS51X_WRITE_REG(chip, CLK_DIV, CLK_CHANGE, 0);
+ udelay(100);
+ }
+
+ RTS51X_WRITE_REG(chip, SD_CFG1, SD_ASYNC_FIFO_RST, 0);
+
+ return STATUS_SUCCESS;
+
+Fail:
+#ifdef CONFIG_RTS5139_DEBUG
+ rts51x_ep0_read_register(chip, SD_VP_CTL, &val);
+ RTS51X_DEBUGP("SD_VP_CTL: 0x%x\n", val);
+ rts51x_ep0_read_register(chip, SD_DCMPS_CTL, &val);
+ RTS51X_DEBUGP("SD_DCMPS_CTL: 0x%x\n", val);
+#endif
+
+ RTS51X_WRITE_REG(chip, SD_DCMPS_CTL, DCMPS_CHANGE, 0);
+ RTS51X_WRITE_REG(chip, SD_VP_CTL, PHASE_CHANGE, 0);
+ wait_timeout(10);
+
+ return STATUS_FAIL;
+}
+
+static int sd_check_spec(struct rts51x_chip *chip, u8 bus_width)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+ u8 cmd[5], buf[8];
+
+ retval =
+ sd_send_cmd_get_rsp(chip, APP_CMD, sd_card->sd_addr, SD_RSP_TYPE_R1,
+ NULL, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ cmd[0] = 0x40 | SEND_SCR;
+ cmd[1] = 0;
+ cmd[2] = 0;
+ cmd[3] = 0;
+ cmd[4] = 0;
+
+ retval =
+ sd_read_data(chip, SD_TM_NORMAL_READ, cmd, 5, 8, 1, bus_width, buf,
+ 8, 250);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_clear_sd_error(chip);
+ TRACE_RET(chip, retval);
+ }
+
+ memcpy(sd_card->raw_scr, buf, 8);
+
+ if ((buf[0] & 0x0F) == 0)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ return STATUS_SUCCESS;
+}
+
+static int sd_query_switch_result(struct rts51x_chip *chip, u8 func_group,
+ u8 func_to_switch, u8 *buf, int buf_len)
+{
+ u8 support_mask = 0, query_switch = 0, switch_busy = 0;
+ int support_offset = 0, query_switch_offset = 0, check_busy_offset = 0;
+
+ if (func_group == SD_FUNC_GROUP_1) {
+ support_offset = FUNCTION_GROUP1_SUPPORT_OFFSET;
+ query_switch_offset = FUNCTION_GROUP1_QUERY_SWITCH_OFFSET;
+ check_busy_offset = FUNCTION_GROUP1_CHECK_BUSY_OFFSET;
+
+ switch (func_to_switch) {
+ case HS_SUPPORT:
+ support_mask = HS_SUPPORT_MASK;
+ query_switch = HS_QUERY_SWITCH_OK;
+ switch_busy = HS_SWITCH_BUSY;
+ break;
+
+ case SDR50_SUPPORT:
+ support_mask = SDR50_SUPPORT_MASK;
+ query_switch = SDR50_QUERY_SWITCH_OK;
+ switch_busy = SDR50_SWITCH_BUSY;
+ break;
+
+ case SDR104_SUPPORT:
+ support_mask = SDR104_SUPPORT_MASK;
+ query_switch = SDR104_QUERY_SWITCH_OK;
+ switch_busy = SDR104_SWITCH_BUSY;
+ break;
+
+ case DDR50_SUPPORT:
+ support_mask = DDR50_SUPPORT_MASK;
+ query_switch = DDR50_QUERY_SWITCH_OK;
+ switch_busy = DDR50_SWITCH_BUSY;
+ break;
+
+ default:
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ } else if (func_group == SD_FUNC_GROUP_3) {
+ support_offset = FUNCTION_GROUP3_SUPPORT_OFFSET;
+ query_switch_offset = FUNCTION_GROUP3_QUERY_SWITCH_OFFSET;
+ check_busy_offset = FUNCTION_GROUP3_CHECK_BUSY_OFFSET;
+
+ switch (func_to_switch) {
+ case DRIVING_TYPE_A:
+ support_mask = DRIVING_TYPE_A_MASK;
+ query_switch = TYPE_A_QUERY_SWITCH_OK;
+ switch_busy = TYPE_A_SWITCH_BUSY;
+ break;
+
+ case DRIVING_TYPE_C:
+ support_mask = DRIVING_TYPE_C_MASK;
+ query_switch = TYPE_C_QUERY_SWITCH_OK;
+ switch_busy = TYPE_C_SWITCH_BUSY;
+ break;
+
+ case DRIVING_TYPE_D:
+ support_mask = DRIVING_TYPE_D_MASK;
+ query_switch = TYPE_D_QUERY_SWITCH_OK;
+ switch_busy = TYPE_D_SWITCH_BUSY;
+ break;
+
+ default:
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ } else if (func_group == SD_FUNC_GROUP_4) {
+ support_offset = FUNCTION_GROUP4_SUPPORT_OFFSET;
+ query_switch_offset = FUNCTION_GROUP4_QUERY_SWITCH_OFFSET;
+ check_busy_offset = FUNCTION_GROUP4_CHECK_BUSY_OFFSET;
+
+ switch (func_to_switch) {
+ case CURRENT_LIMIT_400:
+ support_mask = CURRENT_LIMIT_400_MASK;
+ query_switch = CURRENT_LIMIT_400_QUERY_SWITCH_OK;
+ switch_busy = CURRENT_LIMIT_400_SWITCH_BUSY;
+ break;
+
+ case CURRENT_LIMIT_600:
+ support_mask = CURRENT_LIMIT_600_MASK;
+ query_switch = CURRENT_LIMIT_600_QUERY_SWITCH_OK;
+ switch_busy = CURRENT_LIMIT_600_SWITCH_BUSY;
+ break;
+
+ case CURRENT_LIMIT_800:
+ support_mask = CURRENT_LIMIT_800_MASK;
+ query_switch = CURRENT_LIMIT_800_QUERY_SWITCH_OK;
+ switch_busy = CURRENT_LIMIT_800_SWITCH_BUSY;
+ break;
+
+ default:
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ } else {
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ if (func_group == SD_FUNC_GROUP_4)
+ buf[query_switch_offset] =
+ (buf[query_switch_offset] & 0xf0) >> 4;
+ if (!(buf[support_offset] & support_mask) ||
+ ((buf[query_switch_offset] & 0x0F) != query_switch))
+ TRACE_RET(chip, STATUS_FAIL);
+
+ if ((buf[DATA_STRUCTURE_VER_OFFSET] == 0x01) &&
+ ((buf[check_busy_offset] & switch_busy) == switch_busy))
+ TRACE_RET(chip, STATUS_FAIL);
+
+ return STATUS_SUCCESS;
+}
+
+static int sd_check_switch_mode(struct rts51x_chip *chip, u8 mode,
+ u8 func_group, u8 func_to_switch, u8 bus_width)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+ u8 cmd[5], buf[64];
+
+ RTS51X_DEBUGP("sd_check_switch_mode (mode = %d, func_group = %d,"
+ "func_to_switch = %d)\n", mode, func_group, func_to_switch);
+
+ cmd[0] = 0x40 | SWITCH;
+ cmd[1] = mode;
+
+ if (func_group == SD_FUNC_GROUP_1) {
+ cmd[2] = 0xFF;
+ cmd[3] = 0xFF;
+ cmd[4] = 0xF0 + func_to_switch;
+ } else if (func_group == SD_FUNC_GROUP_3) {
+ cmd[2] = 0xFF;
+ cmd[3] = 0xF0 + func_to_switch;
+ cmd[4] = 0xFF;
+ } else if (func_group == SD_FUNC_GROUP_4) {
+ cmd[2] = 0xFF;
+ cmd[3] = 0x0F + (func_to_switch << 4);
+ cmd[4] = 0xFF;
+ } else {
+ cmd[1] = SD_CHECK_MODE;
+ cmd[2] = 0xFF;
+ cmd[3] = 0xFF;
+ cmd[4] = 0xFF;
+ }
+
+ retval =
+ sd_read_data(chip, SD_TM_NORMAL_READ, cmd, 5, 64, 1, bus_width, buf,
+ 64, 250);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_clear_sd_error(chip);
+ TRACE_RET(chip, retval);
+ }
+
+ if (func_group == NO_ARGUMENT) {
+ sd_card->func_group1_mask = buf[0x0D];
+ sd_card->func_group2_mask = buf[0x0B];
+ sd_card->func_group3_mask = buf[0x09];
+ sd_card->func_group4_mask = buf[0x07];
+
+ RTS51X_DEBUGP("func_group1_mask = 0x%02x\n", buf[0x0D]);
+ RTS51X_DEBUGP("func_group2_mask = 0x%02x\n", buf[0x0B]);
+ RTS51X_DEBUGP("func_group3_mask = 0x%02x\n", buf[0x09]);
+ RTS51X_DEBUGP("func_group4_mask = 0x%02x\n", buf[0x07]);
+ } else {
+ if ((buf[0] == 0) && (buf[1] == 0))
+ TRACE_RET(chip, STATUS_FAIL);
+ retval =
+ sd_query_switch_result(chip, func_group, func_to_switch,
+ buf, 64);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int sd_check_switch(struct rts51x_chip *chip,
+ u8 func_group, u8 func_to_switch, u8 bus_width)
+{
+ int retval;
+ int i;
+ int switch_good = 0;
+
+ for (i = 0; i < 3; i++) {
+ if (monitor_card_cd(chip, SD_CARD) == CD_NOT_EXIST) {
+ sd_set_reset_fail(chip, SD_RESET_FAIL);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ retval = sd_check_switch_mode(chip, SD_CHECK_MODE, func_group,
+ func_to_switch, bus_width);
+ if (retval == STATUS_SUCCESS) {
+ u8 stat;
+
+ retval = sd_check_switch_mode(chip, SD_SWITCH_MODE,
+ func_group, func_to_switch, bus_width);
+ if (retval == STATUS_SUCCESS) {
+ switch_good = 1;
+ break;
+ }
+
+ RTS51X_READ_REG(chip, SD_STAT1, &stat);
+
+ if (stat & SD_CRC16_ERR) {
+ RTS51X_DEBUGP("SD CRC16 error when switching"
+ "mode\n");
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+
+ wait_timeout(20);
+ }
+
+ if (!switch_good)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ return STATUS_SUCCESS;
+}
+
+static int sd_switch_function(struct rts51x_chip *chip, u8 bus_width)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+ int i;
+ u8 func_to_switch = 0;
+
+ /* Get supported functions */
+ retval = sd_check_switch_mode(chip, SD_CHECK_MODE,
+ NO_ARGUMENT, NO_ARGUMENT, bus_width);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ sd_card->func_group1_mask &= ~(sd_card->sd_switch_fail);
+
+ for (i = 0; i < 4; i++) {
+ switch ((u8) (chip->option.sd_speed_prior >> (i * 8))) {
+ case DDR50_SUPPORT:
+ if ((sd_card->func_group1_mask & DDR50_SUPPORT_MASK)
+ && (CHECK_UHS50(chip)))
+ func_to_switch = DDR50_SUPPORT;
+ break;
+
+ case SDR50_SUPPORT:
+ if ((sd_card->func_group1_mask & SDR50_SUPPORT_MASK)
+ && (CHECK_UHS50(chip)))
+ func_to_switch = SDR50_SUPPORT;
+ break;
+
+ case HS_SUPPORT:
+ if (sd_card->func_group1_mask & HS_SUPPORT_MASK)
+ func_to_switch = HS_SUPPORT;
+ break;
+
+ default:
+ continue;
+ }
+
+ if (func_to_switch)
+ break;
+ }
+ RTS51X_DEBUGP("SD_FUNC_GROUP_1: func_to_switch = 0x%02x",
+ func_to_switch);
+
+ if (func_to_switch) {
+ retval =
+ sd_check_switch(chip, SD_FUNC_GROUP_1, func_to_switch,
+ bus_width);
+ if (retval != STATUS_SUCCESS) {
+ if (func_to_switch == SDR104_SUPPORT)
+ sd_card->sd_switch_fail = SDR104_SUPPORT_MASK;
+ else if (func_to_switch == DDR50_SUPPORT)
+ sd_card->sd_switch_fail = DDR50_SUPPORT_MASK;
+ else if (func_to_switch == SDR50_SUPPORT)
+ sd_card->sd_switch_fail = SDR50_SUPPORT_MASK;
+ else if (func_to_switch == HS_SUPPORT)
+ sd_card->sd_switch_fail = HS_SUPPORT_MASK;
+
+ TRACE_RET(chip, retval);
+ }
+
+ if (func_to_switch == SDR104_SUPPORT)
+ SET_SD_SDR104(sd_card);
+ else if (func_to_switch == DDR50_SUPPORT)
+ SET_SD_DDR50(sd_card);
+ else if (func_to_switch == SDR50_SUPPORT)
+ SET_SD_SDR50(sd_card);
+ else
+ SET_SD_HS(sd_card);
+ }
+
+ if (CHK_SD_DDR50(sd_card))
+ RTS51X_WRITE_REG(chip, SD_CFG1, 0x0C, SD_DDR_MODE);
+
+ func_to_switch = 0;
+ if (sd_card->func_group4_mask & CURRENT_LIMIT_400_MASK)
+ func_to_switch = CURRENT_LIMIT_400;
+
+ if (func_to_switch) {
+ RTS51X_DEBUGP("Try to switch current_limit_400\n");
+ retval =
+ sd_check_switch(chip, SD_FUNC_GROUP_4, func_to_switch,
+ bus_width);
+ RTS51X_DEBUGP("Switch current_limit_400 status: (%d)\n",
+ retval);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int sd_wait_data_idle(struct rts51x_chip *chip)
+{
+ int retval = STATUS_TIMEDOUT;
+ int i;
+ u8 val = 0;
+
+ for (i = 0; i < 100; i++) {
+ retval = rts51x_ep0_read_register(chip, SD_DATA_STATE, &val);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, STATUS_FAIL);
+ if (val & SD_DATA_IDLE) {
+ retval = STATUS_SUCCESS;
+ break;
+ }
+ udelay(100);
+ }
+ RTS51X_DEBUGP("SD_DATA_STATE: 0x%02x\n", val);
+
+ return retval;
+}
+
+static int sd_sdr_tuning_rx_cmd(struct rts51x_chip *chip, u8 sample_point)
+{
+ int retval;
+ u8 cmd[5];
+
+ retval = sd_change_phase(chip, sample_point, TUNE_RX);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ cmd[0] = 0x40 | SEND_TUNING_PATTERN;
+ cmd[1] = 0;
+ cmd[2] = 0;
+ cmd[3] = 0;
+ cmd[4] = 0;
+
+ retval = sd_read_data(chip, SD_TM_AUTO_TUNING,
+ cmd, 5, 0x40, 1, SD_BUS_WIDTH_4, NULL, 0, 100);
+ if (retval != STATUS_SUCCESS) {
+ /* Wait till SD DATA IDLE */
+ (void)sd_wait_data_idle(chip);
+
+ rts51x_clear_sd_error(chip);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int sd_ddr_tuning_rx_cmd(struct rts51x_chip *chip, u8 sample_point)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+ u8 cmd[5];
+
+ retval = sd_change_phase(chip, sample_point, TUNE_RX);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ RTS51X_DEBUGP("sd ddr tuning rx\n");
+
+ retval =
+ sd_send_cmd_get_rsp(chip, APP_CMD, sd_card->sd_addr, SD_RSP_TYPE_R1,
+ NULL, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ cmd[0] = 0x40 | SD_STATUS;
+ cmd[1] = 0;
+ cmd[2] = 0;
+ cmd[3] = 0;
+ cmd[4] = 0;
+
+ retval = sd_read_data(chip, SD_TM_NORMAL_READ,
+ cmd, 5, 64, 1, SD_BUS_WIDTH_4, NULL, 0, 100);
+ if (retval != STATUS_SUCCESS) {
+ /* Wait till SD DATA IDLE */
+ (void)sd_wait_data_idle(chip);
+
+ rts51x_clear_sd_error(chip);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int mmc_ddr_tunning_rx_cmd(struct rts51x_chip *chip, u8 sample_point)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+ u8 cmd[5], bus_width;
+
+ if (CHK_MMC_8BIT(sd_card))
+ bus_width = SD_BUS_WIDTH_8;
+ else if (CHK_MMC_4BIT(sd_card))
+ bus_width = SD_BUS_WIDTH_4;
+ else
+ bus_width = SD_BUS_WIDTH_1;
+
+ retval = sd_change_phase(chip, sample_point, TUNE_RX);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ RTS51X_DEBUGP("mmc ddr tuning rx\n");
+
+ cmd[0] = 0x40 | SEND_EXT_CSD;
+ cmd[1] = 0;
+ cmd[2] = 0;
+ cmd[3] = 0;
+ cmd[4] = 0;
+
+ retval = sd_read_data(chip, SD_TM_NORMAL_READ,
+ cmd, 5, 0x200, 1, bus_width, NULL, 0, 100);
+ if (retval != STATUS_SUCCESS) {
+ /* Wait till SD DATA IDLE */
+ (void)sd_wait_data_idle(chip);
+
+ rts51x_clear_sd_error(chip);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int sd_sdr_tuning_tx_cmd(struct rts51x_chip *chip, u8 sample_point)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+
+ retval = sd_change_phase(chip, sample_point, TUNE_TX);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ RTS51X_WRITE_REG(chip, SD_CFG3, SD_RSP_80CLK_TIMEOUT_EN,
+ SD_RSP_80CLK_TIMEOUT_EN);
+
+ retval = sd_send_cmd_get_rsp(chip, SEND_STATUS, sd_card->sd_addr,
+ SD_RSP_TYPE_R1, NULL, 0);
+ if (retval != STATUS_SUCCESS) {
+ if (sd_check_err_code(chip, SD_RSP_TIMEOUT)) {
+ /* Tunning TX fail */
+ rts51x_ep0_write_register(chip, SD_CFG3,
+ SD_RSP_80CLK_TIMEOUT_EN, 0);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+
+ RTS51X_WRITE_REG(chip, SD_CFG3, SD_RSP_80CLK_TIMEOUT_EN, 0);
+
+ return STATUS_SUCCESS;
+}
+
+static int sd_ddr_tuning_tx_cmd(struct rts51x_chip *chip, u8 sample_point)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+ u8 cmd[5], bus_width;
+
+ retval = sd_change_phase(chip, sample_point, TUNE_TX);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (CHK_SD(sd_card)) {
+ bus_width = SD_BUS_WIDTH_4;
+ } else {
+ if (CHK_MMC_8BIT(sd_card))
+ bus_width = SD_BUS_WIDTH_8;
+ else if (CHK_MMC_4BIT(sd_card))
+ bus_width = SD_BUS_WIDTH_4;
+ else
+ bus_width = SD_BUS_WIDTH_1;
+ }
+ retval = sd_wait_currentstate_dataready(chip, 0x08, 1, 20);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ RTS51X_WRITE_REG(chip, SD_CFG3, SD_RSP_80CLK_TIMEOUT_EN,
+ SD_RSP_80CLK_TIMEOUT_EN);
+
+ cmd[0] = 0x40 | PROGRAM_CSD;
+ cmd[1] = 0;
+ cmd[2] = 0;
+ cmd[3] = 0;
+ cmd[4] = 0;
+
+ retval = sd_write_data(chip, SD_TM_AUTO_WRITE_2,
+ cmd, 5, 16, 1, bus_width, sd_card->raw_csd, 16, 100);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_clear_sd_error(chip);
+ /* Tunning TX fail */
+ rts51x_ep0_write_register(chip, SD_CFG3,
+ SD_RSP_80CLK_TIMEOUT_EN, 0);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ RTS51X_WRITE_REG(chip, SD_CFG3, SD_RSP_80CLK_TIMEOUT_EN, 0);
+
+ sd_send_cmd_get_rsp(chip, SEND_STATUS, sd_card->sd_addr, SD_RSP_TYPE_R1,
+ NULL, 0);
+
+ return STATUS_SUCCESS;
+}
+
+static u8 sd_search_final_phase(struct rts51x_chip *chip, u32 phase_map,
+ u8 tune_dir)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ struct timing_phase_path path[MAX_PHASE + 1];
+ int i, j, cont_path_cnt;
+ int new_block, max_len;
+ u8 final_phase = 0xFF;
+ int final_path_idx;
+
+ if (phase_map == 0xffff) {
+ if (CHK_SD_DDR50(sd_card)) {
+ if (tune_dir == TUNE_TX)
+ final_phase = chip->option.ddr50_tx_phase;
+ else
+ final_phase = chip->option.ddr50_rx_phase;
+ RTS51X_DEBUGP("DDR50 tuning dir:%d all pass,"
+ "so select default phase:0x%x.\n",
+ tune_dir, final_phase);
+ } else {
+ if (tune_dir == TUNE_TX)
+ final_phase = chip->option.sdr50_tx_phase;
+ else
+ final_phase = chip->option.sdr50_rx_phase;
+ RTS51X_DEBUGP("SDR50 tuning dir:%d all pass,"
+ "so select default phase:0x%x.\n",
+ tune_dir, final_phase);
+ }
+ goto Search_Finish;
+ }
+
+ cont_path_cnt = 0;
+ new_block = 1;
+ j = 0;
+ for (i = 0; i < MAX_PHASE + 1; i++) {
+ if (phase_map & (1 << i)) {
+ if (new_block) {
+ new_block = 0;
+ j = cont_path_cnt++;
+ path[j].start = i;
+ path[j].end = i;
+ } else {
+ path[j].end = i;
+ }
+ } else {
+ new_block = 1;
+ if (cont_path_cnt) {
+ int idx = cont_path_cnt - 1;
+ path[idx].len =
+ path[idx].end - path[idx].start + 1;
+ path[idx].mid =
+ path[idx].start + path[idx].len / 2;
+ }
+ }
+ }
+
+ if (cont_path_cnt == 0) {
+ RTS51X_DEBUGP("No continuous phase path\n");
+ goto Search_Finish;
+ } else {
+ int idx = cont_path_cnt - 1;
+ path[idx].len = path[idx].end - path[idx].start + 1;
+ path[idx].mid = path[idx].start + path[idx].len / 2;
+ }
+
+ if ((path[0].start == 0) &&
+ (path[cont_path_cnt - 1].end == MAX_PHASE)) {
+ path[0].start = path[cont_path_cnt - 1].start - MAX_PHASE - 1;
+ path[0].len += path[cont_path_cnt - 1].len;
+ path[0].mid = path[0].start + path[0].len / 2;
+ if (path[0].mid < 0)
+ path[0].mid += MAX_PHASE + 1;
+ cont_path_cnt--;
+ }
+ max_len = 0;
+ final_phase = 0;
+ final_path_idx = 0;
+ for (i = 0; i < cont_path_cnt; i++) {
+ if (path[i].len > max_len) {
+ max_len = path[i].len;
+ final_phase = (u8) path[i].mid;
+ final_path_idx = i;
+ }
+
+ RTS51X_DEBUGP("path[%d].start = %d\n", i, path[i].start);
+ RTS51X_DEBUGP("path[%d].end = %d\n", i, path[i].end);
+ RTS51X_DEBUGP("path[%d].len = %d\n", i, path[i].len);
+ RTS51X_DEBUGP("path[%d].mid = %d\n", i, path[i].mid);
+ RTS51X_DEBUGP("\n");
+ }
+
+ if ((tune_dir == TUNE_TX) && (CHK_SD_SDR50(sd_card))
+ && chip->option.sdr50_phase_sel) {
+ if (max_len > 6) {
+ int temp_mid = (max_len - 6) / 2;
+ int temp_final_phase =
+ path[final_path_idx].end - (max_len -
+ (3 + temp_mid));
+
+ if (temp_final_phase < 0)
+ final_phase = temp_final_phase + MAX_PHASE + 1;
+ else
+ final_phase = (u8) temp_final_phase;
+ }
+ }
+
+Search_Finish:
+ RTS51X_DEBUGP("Final chosen phase: %d\n", final_phase);
+ return final_phase;
+}
+
+static int sd_tuning_rx(struct rts51x_chip *chip)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+ int i, j;
+ u32 raw_phase_map[3], phase_map;
+ u8 final_phase;
+ int (*tuning_cmd)(struct rts51x_chip *chip, u8 sample_point);
+
+ if (CHK_SD(sd_card)) {
+ if (CHK_SD_DDR50(sd_card))
+ tuning_cmd = sd_ddr_tuning_rx_cmd;
+ else
+ tuning_cmd = sd_sdr_tuning_rx_cmd;
+ } else {
+ if (CHK_MMC_DDR52(sd_card))
+ tuning_cmd = mmc_ddr_tunning_rx_cmd;
+ else
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ for (i = 0; i < 3; i++) {
+ raw_phase_map[i] = 0;
+ for (j = MAX_PHASE; j >= 0; j--) {
+ if (monitor_card_cd(chip, SD_CARD) == CD_NOT_EXIST) {
+ sd_set_reset_fail(chip, SD_RESET_FAIL);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ retval = tuning_cmd(chip, (u8) j);
+ if (retval == STATUS_SUCCESS)
+ raw_phase_map[i] |= 1 << j;
+ else
+ RTS51X_DEBUGP("Tuning phase %d fail\n", j);
+ }
+ }
+
+ phase_map = raw_phase_map[0] & raw_phase_map[1] & raw_phase_map[2];
+ for (i = 0; i < 3; i++)
+ RTS51X_DEBUGP("RX raw_phase_map[%d] = 0x%04x\n", i,
+ raw_phase_map[i]);
+ RTS51X_DEBUGP("RX phase_map = 0x%04x\n", phase_map);
+
+ final_phase = sd_search_final_phase(chip, phase_map, TUNE_RX);
+ if (final_phase == 0xFF)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ retval = tuning_cmd(chip, final_phase);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ return STATUS_SUCCESS;
+}
+
+static int sd_ddr_pre_tuning_tx(struct rts51x_chip *chip)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+ u8 i;
+ u8 pre_tune_tx_phase;
+ u32 pre_tune_phase_map;
+
+ RTS51X_WRITE_REG(chip, SD_CFG3, SD_RSP_80CLK_TIMEOUT_EN,
+ SD_RSP_80CLK_TIMEOUT_EN);
+
+ pre_tune_tx_phase = 0xFF;
+ pre_tune_phase_map = 0x0000;
+ for (i = 0; i < MAX_PHASE + 1; i++) {
+ if (monitor_card_cd(chip, SD_CARD) == CD_NOT_EXIST) {
+ sd_set_reset_fail(chip, SD_RESET_FAIL);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ retval = sd_change_phase(chip, (u8) i, TUNE_TX);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval =
+ sd_send_cmd_get_rsp(chip, SEND_STATUS, sd_card->sd_addr,
+ SD_RSP_TYPE_R1, NULL, 0);
+ if ((retval == STATUS_SUCCESS)
+ || !sd_check_err_code(chip, SD_RSP_TIMEOUT))
+ pre_tune_phase_map |= (u32) 1 << i;
+ }
+
+ RTS51X_WRITE_REG(chip, SD_CFG3, SD_RSP_80CLK_TIMEOUT_EN, 0);
+
+ pre_tune_tx_phase =
+ sd_search_final_phase(chip, pre_tune_phase_map, TUNE_TX);
+ if (pre_tune_tx_phase == 0xFF)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ sd_change_phase(chip, pre_tune_tx_phase, TUNE_TX);
+ RTS51X_DEBUGP("DDR TX pre tune phase: %d\n", (int)pre_tune_tx_phase);
+
+ return STATUS_SUCCESS;
+}
+
+static int sd_tuning_tx(struct rts51x_chip *chip)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+ int i, j;
+ u32 raw_phase_map[3], phase_map;
+ u8 final_phase;
+ int (*tuning_cmd)(struct rts51x_chip *chip, u8 sample_point);
+
+ if (CHK_SD(sd_card)) {
+ if (CHK_SD_DDR50(sd_card))
+ tuning_cmd = sd_ddr_tuning_tx_cmd;
+ else
+ tuning_cmd = sd_sdr_tuning_tx_cmd;
+ } else {
+ if (CHK_MMC_DDR52(sd_card))
+ tuning_cmd = sd_ddr_tuning_tx_cmd;
+ else
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ for (i = 0; i < 3; i++) {
+ raw_phase_map[i] = 0;
+ for (j = MAX_PHASE; j >= 0; j--) {
+ if (monitor_card_cd(chip, SD_CARD) == CD_NOT_EXIST) {
+ sd_set_reset_fail(chip, SD_RESET_FAIL);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ retval = tuning_cmd(chip, (u8) j);
+ if (retval == STATUS_SUCCESS)
+ raw_phase_map[i] |= 1 << j;
+ else
+ RTS51X_DEBUGP("Tuning phase %d fail\n", j);
+ }
+ }
+
+ phase_map = raw_phase_map[0] & raw_phase_map[1] & raw_phase_map[2];
+ for (i = 0; i < 3; i++)
+ RTS51X_DEBUGP("TX raw_phase_map[%d] = 0x%04x\n", i,
+ raw_phase_map[i]);
+ RTS51X_DEBUGP("TX phase_map = 0x%04x\n", phase_map);
+
+ final_phase = sd_search_final_phase(chip, phase_map, TUNE_TX);
+ if (final_phase == 0xFF)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ retval = tuning_cmd(chip, final_phase);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ return STATUS_SUCCESS;
+}
+
+static int sd_sdr_tuning(struct rts51x_chip *chip)
+{
+ int retval;
+
+ retval = sd_tuning_tx(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = sd_tuning_rx(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ return STATUS_SUCCESS;
+}
+
+static int sd_ddr_tuning(struct rts51x_chip *chip)
+{
+ int retval;
+
+ if (!(chip->option.sd_ctl & SD_DDR_TX_PHASE_SET_BY_USER)) {
+ retval = sd_ddr_pre_tuning_tx(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ } else {
+ retval =
+ sd_change_phase(chip, (u8) chip->option.sd_ddr_tx_phase,
+ TUNE_TX);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+
+ retval = sd_tuning_rx(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (!(chip->option.sd_ctl & SD_DDR_TX_PHASE_SET_BY_USER)) {
+ retval = sd_tuning_tx(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int mmc_ddr_tuning(struct rts51x_chip *chip)
+{
+ int retval;
+
+ if (!(chip->option.sd_ctl & MMC_DDR_TX_PHASE_SET_BY_USER)) {
+ retval = sd_ddr_pre_tuning_tx(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ } else {
+ retval =
+ sd_change_phase(chip, (u8) chip->option.mmc_ddr_tx_phase,
+ TUNE_TX);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+
+ retval = sd_tuning_rx(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (!(chip->option.sd_ctl & MMC_DDR_TX_PHASE_SET_BY_USER)) {
+ retval = sd_tuning_tx(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_sd_switch_clock(struct rts51x_chip *chip)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+ int re_tuning = 0;
+
+ retval = rts51x_select_card(chip, SD_CARD);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (CHK_SD30_SPEED(sd_card) || CHK_MMC_DDR52(sd_card)) {
+ if (sd_card->sd_clock != chip->cur_clk)
+ re_tuning = 1;
+ }
+
+ retval = switch_clock(chip, sd_card->sd_clock);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (re_tuning) {
+ if (CHK_SD(sd_card)) {
+ if (CHK_SD_DDR50(sd_card))
+ retval = sd_ddr_tuning(chip);
+ else
+ retval = sd_sdr_tuning(chip);
+ } else {
+ if (CHK_MMC_DDR52(sd_card))
+ retval = mmc_ddr_tuning(chip);
+ }
+
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int sd_prepare_reset(struct rts51x_chip *chip)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+
+ if (chip->asic_code)
+ sd_card->sd_clock = 29;
+ else
+ sd_card->sd_clock = CLK_30;
+
+ /* Set SD Clocks */
+ retval = sd_set_init_para(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG1, 0xFF,
+ SD_CLK_DIVIDE_128 | SD_20_MODE | SD_BUS_WIDTH_1);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_SAMPLE_POINT_CTL, 0xFF,
+ SD20_RX_POS_EDGE);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_PUSH_POINT_CTL, 0xFF, 0);
+
+ retval = rts51x_send_cmd(chip, MODE_C, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = rts51x_select_card(chip, SD_CARD);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ return STATUS_SUCCESS;
+}
+
+static void sd_pull_ctl_disable(struct rts51x_chip *chip)
+{
+ if (CHECK_PKG(chip, LQFP48)) {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0x95);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0xA5);
+ } else {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0x65);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0x95);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x56);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0x59);
+ }
+}
+
+static void sd_pull_ctl_enable(struct rts51x_chip *chip)
+{
+ if (CHECK_PKG(chip, LQFP48)) {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0xAA);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0xAA);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0xA9);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0xA5);
+ } else {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0xA5);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0x9A);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0xA5);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x9A);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x65);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0x5A);
+ }
+}
+
+static int sd_init_power(struct rts51x_chip *chip)
+{
+ int retval;
+
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL, LDO3318_PWR_MASK,
+ LDO_ON);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_PAD_CTL, SD_IO_USING_1V8,
+ SD_IO_USING_3V3);
+ if (chip->asic_code)
+ rts51x_add_cmd(chip, WRITE_REG_CMD, LDO_POWER_CFG,
+ TUNE_SD18_MASK, TUNE_SD18_3V3);
+ if (chip->asic_code)
+ sd_pull_ctl_disable(chip);
+ else
+ rts51x_add_cmd(chip, WRITE_REG_CMD, FPGA_PULL_CTL,
+ FPGA_SD_PULL_CTL_BIT | 0x20,
+ FPGA_SD_PULL_CTL_BIT);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_OE, SD_OUTPUT_EN, 0);
+ if (!chip->option.FT2_fast_mode)
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL, POWER_MASK,
+ POWER_OFF);
+
+ retval = rts51x_send_cmd(chip, MODE_C, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ if (!chip->option.FT2_fast_mode) {
+#ifdef SD_XD_IO_FOLLOW_PWR
+ if (CHECK_PKG(chip, LQFP48)
+ || chip->option.rts5129_D3318_off_enable)
+ rts51x_write_register(chip, CARD_PWR_CTL,
+ LDO_OFF, LDO_OFF);
+#endif
+ wait_timeout(250);
+
+#ifdef SD_XD_IO_FOLLOW_PWR
+ if (CHECK_PKG(chip, LQFP48)
+ || chip->option.rts5129_D3318_off_enable) {
+ rts51x_init_cmd(chip);
+ if (chip->asic_code)
+ sd_pull_ctl_enable(chip);
+ else
+ rts51x_add_cmd(chip, WRITE_REG_CMD,
+ FPGA_PULL_CTL,
+ FPGA_SD_PULL_CTL_BIT | 0x20, 0);
+ retval = rts51x_send_cmd(chip, MODE_C, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ } else {
+ if (chip->asic_code)
+ rts51x_write_register(chip, CARD_PULL_CTL6,
+ 0x03, 0x00);
+ }
+#endif
+
+ /* Power on card */
+ retval = rts51x_card_power_on(chip, SD_CARD);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ wait_timeout(260);
+
+#ifdef SUPPORT_OCP
+ rts51x_get_card_status(chip, &(chip->card_status));
+ chip->ocp_stat = (chip->card_status >> 4) & 0x03;
+
+ if (chip->ocp_stat & (MS_OCP_NOW | MS_OCP_EVER)) {
+ RTS51X_DEBUGP("Over current, OCPSTAT is 0x%x\n",
+ chip->ocp_stat);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+#endif
+ }
+
+ rts51x_init_cmd(chip);
+ if (chip->asic_code) {
+ sd_pull_ctl_enable(chip);
+ } else {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, FPGA_PULL_CTL,
+ FPGA_SD_PULL_CTL_BIT | 0x20, 0);
+ }
+ retval = rts51x_send_cmd(chip, MODE_C, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+#ifdef SD_XD_IO_FOLLOW_PWR
+ rts51x_write_register(chip, CARD_INT_PEND, XD_INT | MS_INT | SD_INT,
+ XD_INT | MS_INT | SD_INT);
+#endif
+
+ RTS51X_WRITE_REG(chip, CARD_OE, SD_OUTPUT_EN, SD_OUTPUT_EN);
+
+ return STATUS_SUCCESS;
+}
+
+static int sd_dummy_clock(struct rts51x_chip *chip)
+{
+ RTS51X_WRITE_REG(chip, SD_BUS_STAT, SD_CLK_TOGGLE_EN, SD_CLK_TOGGLE_EN);
+ wait_timeout(5);
+ RTS51X_WRITE_REG(chip, SD_BUS_STAT, SD_CLK_TOGGLE_EN, 0x00);
+
+ return STATUS_SUCCESS;
+}
+
+int reset_sd(struct rts51x_chip *chip)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval, i = 0, j = 0, k = 0, hi_cap_flow = 0;
+ int sd_dont_switch = 0;
+ int support_1v8 = 0;
+ u8 rsp[16];
+ u8 switch_bus_width;
+ u32 voltage = 0;
+ u8 cmd[5], buf[64];
+ u16 sd_card_type;
+
+ SET_SD(sd_card);
+ CLR_RETRY_SD20_MODE(sd_card);
+Switch_Fail:
+ i = 0;
+ j = 0;
+ k = 0;
+ hi_cap_flow = 0;
+ support_1v8 = 0;
+
+ retval = sd_prepare_reset(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ sd_dummy_clock(chip);
+
+ /* Start Initialization Process of SD Card */
+RTY_SD_RST:
+ retval =
+ sd_send_cmd_get_rsp(chip, GO_IDLE_STATE, 0, SD_RSP_TYPE_R0, NULL,
+ 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ wait_timeout(20);
+
+ retval =
+ sd_send_cmd_get_rsp(chip, SEND_IF_COND, 0x000001AA, SD_RSP_TYPE_R7,
+ rsp, 5);
+ if (retval == STATUS_SUCCESS) {
+ if ((rsp[4] == 0xAA) && ((rsp[3] & 0x0f) == 0x01)) {
+ hi_cap_flow = 1;
+ if (CHK_RETRY_SD20_MODE(sd_card)) {
+ voltage =
+ SUPPORT_VOLTAGE |
+ SUPPORT_HIGH_AND_EXTENDED_CAPACITY;
+ } else {
+ voltage =
+ SUPPORT_VOLTAGE |
+ SUPPORT_HIGH_AND_EXTENDED_CAPACITY |
+ SUPPORT_MAX_POWER_PERMANCE | SUPPORT_1V8;
+ }
+ }
+ }
+
+ if (!hi_cap_flow) {
+ voltage = SUPPORT_VOLTAGE;
+
+ retval =
+ sd_send_cmd_get_rsp(chip, GO_IDLE_STATE, 0, SD_RSP_TYPE_R0,
+ NULL, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ wait_timeout(20);
+ }
+
+ /* ACMD41 */
+ do {
+ {
+ u8 temp = 0;
+ rts51x_read_register(chip, CARD_INT_PEND, &temp);
+ RTS51X_DEBUGP("CARD_INT_PEND:%x\n", temp);
+ if (temp & SD_INT) {
+ chip->reset_need_retry = 1;
+ rts51x_write_register(chip, CARD_INT_PEND,
+ XD_INT | SD_INT | MS_INT,
+ XD_INT | SD_INT | MS_INT);
+ sd_set_reset_fail(chip, SD_RESET_FAIL);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+
+RTY_CMD55:
+ retval =
+ sd_send_cmd_get_rsp(chip, APP_CMD, 0, SD_RSP_TYPE_R1, NULL,
+ 0);
+ if (retval != STATUS_SUCCESS) {
+ if (monitor_card_cd(chip, SD_CARD) == CD_NOT_EXIST) {
+ sd_set_reset_fail(chip, SD_RESET_FAIL);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ j++;
+ if (chip->option.speed_mmc) {
+ if (j < 2)
+ goto RTY_CMD55;
+ else
+ TRACE_RET(chip, STATUS_FAIL);
+ } else {
+ if (j < 3)
+ goto RTY_SD_RST;
+ else
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+
+ retval =
+ sd_send_cmd_get_rsp(chip, SD_APP_OP_COND, voltage,
+ SD_RSP_TYPE_R3, rsp, 5);
+ if (retval != STATUS_SUCCESS) {
+ k++;
+ if (k < 3)
+ goto RTY_SD_RST;
+ else
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ i++;
+ wait_timeout(20);
+ } while (!(rsp[1] & 0x80) && (i < 255)); /* Not complete power on */
+
+ if (i == 255) {
+ /* Time out */
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ if (hi_cap_flow) {
+ if (rsp[1] & 0x40)
+ SET_SD_HCXC(sd_card);
+ else
+ CLR_SD_HCXC(sd_card);
+ if (!CHK_RETRY_SD20_MODE(sd_card)) {
+ if ((CHK_SD_HCXC(sd_card)) && (CHECK_UHS50(chip))) {
+ support_1v8 = (rsp[1] & 0x01) ? 1 : 0;
+ RTS51X_DEBUGP("support_1v8 = %d\n",
+ support_1v8);
+ }
+ }
+ } else {
+ CLR_SD_HCXC(sd_card);
+ support_1v8 = 0;
+ }
+
+ /* CMD11: Switch Voltage */
+ if (support_1v8 && CHECK_UHS50(chip)
+ && !(((u8) chip->option.sd_speed_prior & SDR104_SUPPORT) ==
+ HS_SUPPORT)) {
+ retval = sd_voltage_switch(chip);
+ if (retval != STATUS_SUCCESS) {
+ SET_RETRY_SD20_MODE(sd_card);
+ sd_init_power(chip);
+ RTS51X_DEBUGP("1.8v switch fail\n");
+ goto Switch_Fail;
+ }
+ }
+
+ /* CMD 2 */
+ retval =
+ sd_send_cmd_get_rsp(chip, ALL_SEND_CID, 0, SD_RSP_TYPE_R2, NULL, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ /* CMD 3 */
+ retval =
+ sd_send_cmd_get_rsp(chip, SEND_RELATIVE_ADDR, 0, SD_RSP_TYPE_R6,
+ rsp, 5);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ sd_card->sd_addr = (u32) rsp[1] << 24;
+ sd_card->sd_addr += (u32) rsp[2] << 16;
+
+ /* Get CSD register for Calculating Timing,Capacity,
+ * Check CSD to determine as if this is the SD ROM card */
+ retval = sd_check_csd(chip, 1);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ /* Select SD card */
+ retval = rts51x_sd_select_card(chip, 1);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ /* ACMD42 */
+ retval =
+ sd_send_cmd_get_rsp(chip, APP_CMD, sd_card->sd_addr, SD_RSP_TYPE_R1,
+ NULL, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval =
+ sd_send_cmd_get_rsp(chip, SET_CLR_CARD_DETECT, 0, SD_RSP_TYPE_R1,
+ NULL, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (support_1v8) {
+ /* ACMD6 */
+ retval =
+ sd_send_cmd_get_rsp(chip, APP_CMD, sd_card->sd_addr,
+ SD_RSP_TYPE_R1, NULL, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ /* Enable 4 bit data bus */
+ retval =
+ sd_send_cmd_get_rsp(chip, SET_BUS_WIDTH, 2, SD_RSP_TYPE_R1,
+ NULL, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ switch_bus_width = SD_BUS_WIDTH_4;
+ } else {
+ switch_bus_width = SD_BUS_WIDTH_1;
+ }
+
+ /* Set block length 512 bytes for all block commands */
+ retval = sd_send_cmd_get_rsp(chip, SET_BLOCKLEN,
+ 0x200, SD_RSP_TYPE_R1, NULL, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ RTS51X_WRITE_REG(chip, SD_CFG1, SD_CLK_DIVIDE_MASK, SD_CLK_DIVIDE_0);
+
+ if (!(sd_card->raw_csd[4] & 0x40)) {
+ sd_dont_switch = 1;
+ RTS51X_DEBUGP("Not support class ten\n");
+ }
+
+ if (!sd_dont_switch) {
+ /* Check the card whether flow SD1.1 spec or higher */
+ retval = sd_check_spec(chip, switch_bus_width);
+ if (retval == STATUS_SUCCESS) {
+ retval = sd_switch_function(chip, switch_bus_width);
+ if (retval != STATUS_SUCCESS) {
+ if ((sd_card->sd_switch_fail ==
+ SDR104_SUPPORT_MASK)
+ || (sd_card->sd_switch_fail ==
+ DDR50_SUPPORT_MASK)
+ || (sd_card->sd_switch_fail ==
+ SDR50_SUPPORT_MASK)) {
+ sd_init_power(chip);
+ SET_RETRY_SD20_MODE(sd_card);
+ } else if (sd_card->sd_switch_fail ==
+ HS_SUPPORT_MASK) {
+ sd_dont_switch = 1;
+ }
+ goto Switch_Fail;
+ }
+ } else {
+ if (support_1v8) {
+ SET_RETRY_SD20_MODE(sd_card);
+ sd_init_power(chip);
+ sd_dont_switch = 1;
+
+ goto Switch_Fail;
+ }
+ }
+ }
+
+ if (!support_1v8) {
+ /* ACMD6 */
+ retval =
+ sd_send_cmd_get_rsp(chip, APP_CMD, sd_card->sd_addr,
+ SD_RSP_TYPE_R1, NULL, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ /* Enable 4 bit data bus */
+ retval =
+ sd_send_cmd_get_rsp(chip, SET_BUS_WIDTH, 2, SD_RSP_TYPE_R1,
+ NULL, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+
+ if (CHK_SD30_SPEED(sd_card)) {
+ rts51x_write_register(chip, SD30_DRIVE_SEL, SD30_DRIVE_MASK,
+ 0x03);
+
+ retval = sd_set_init_para(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (CHK_SD_DDR50(sd_card))
+ retval = sd_ddr_tuning(chip);
+ else
+ retval = sd_sdr_tuning(chip);
+
+ if (retval != STATUS_SUCCESS) {
+ SET_RETRY_SD20_MODE(sd_card);
+ RTS51X_DEBUGP("tuning phase fail,goto SD20 mode\n");
+ sd_init_power(chip);
+ CLR_SD30_SPEED(sd_card);
+ goto Switch_Fail;
+ }
+ if (STATUS_SUCCESS ==
+ sd_wait_currentstate_dataready(chip, 0x08, 1, 20)) {
+ cmd[0] = 0x40 | READ_SINGLE_BLOCK;
+ cmd[1] = 0x00;
+ cmd[2] = 0x00;
+ cmd[3] = 0x00;
+ cmd[4] = 0x00;
+ retval =
+ sd_read_data(chip, SD_TM_NORMAL_READ, cmd, 5, 512,
+ 1, SD_BUS_WIDTH_4, NULL, 0, 600);
+ if (retval != STATUS_SUCCESS) {
+ SET_RETRY_SD20_MODE(sd_card);
+ RTS51X_DEBUGP("read lba0 fail,"
+ "goto SD20 mode\n");
+ sd_init_power(chip);
+ CLR_SD30_SPEED(sd_card);
+ goto Switch_Fail;
+ }
+ }
+ }
+ sd_send_cmd_get_rsp(chip, SEND_STATUS, sd_card->sd_addr, SD_RSP_TYPE_R1,
+ NULL, 0);
+
+ retval = sd_send_cmd_get_rsp(chip, APP_CMD, sd_card->sd_addr,
+ SD_RSP_TYPE_R1, NULL, 0);
+ if (retval == STATUS_SUCCESS) {
+ int ret;
+ cmd[0] = 0x40 | SEND_STATUS;
+ cmd[1] = 0x00;
+ cmd[2] = 0x00;
+ cmd[3] = 0x00;
+ cmd[4] = 0x00;
+ ret =
+ sd_read_data(chip, SD_TM_NORMAL_READ, cmd, 5, 64, 1,
+ SD_BUS_WIDTH_4, buf, 64, 600);
+ if (ret == STATUS_SUCCESS) {
+ sd_card_type = ((u16) buf[2] << 8) | (u16) buf[3];
+ RTS51X_DEBUGP("sd_card_type:0x%4x\n", sd_card_type);
+ if ((sd_card_type == 0x0001)
+ || (sd_card_type == 0x0002))
+ chip->card_wp |= SD_CARD;
+ } else {
+ rts51x_clear_sd_error(chip);
+ sd_send_cmd_get_rsp(chip, SEND_STATUS, sd_card->sd_addr,
+ SD_RSP_TYPE_R1, NULL, 0);
+ }
+ } else {
+ rts51x_clear_sd_error(chip);
+ sd_send_cmd_get_rsp(chip, SEND_STATUS, sd_card->sd_addr,
+ SD_RSP_TYPE_R1, NULL, 0);
+ }
+
+ /* Check SD Machanical Write-Protect Switch */
+ retval = rts51x_get_card_status(chip, &(chip->card_status));
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ if (chip->card_status & SD_WP)
+ chip->card_wp |= SD_CARD;
+
+ chip->card_bus_width[chip->card2lun[SD_CARD]] = 4;
+
+ return STATUS_SUCCESS;
+}
+
+static int mmc_test_switch_bus(struct rts51x_chip *chip, u8 width)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+ u8 buf[8] = { 0 }, bus_width;
+ u16 byte_cnt;
+ int len;
+
+ retval =
+ sd_send_cmd_get_rsp(chip, BUSTEST_W, 0, SD_RSP_TYPE_R1, NULL, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (width == MMC_8BIT_BUS) {
+ buf[0] = 0x55;
+ buf[1] = 0xAA;
+ len = 8;
+ byte_cnt = 8;
+ bus_width = SD_BUS_WIDTH_8;
+ } else {
+ buf[0] = 0x5A;
+ len = 4;
+ byte_cnt = 4;
+ bus_width = SD_BUS_WIDTH_4;
+ }
+
+ retval = sd_write_data(chip, SD_TM_AUTO_WRITE_3,
+ NULL, 0, byte_cnt, 1, bus_width, buf, len, 100);
+ if (retval != STATUS_SUCCESS) {
+ u8 val1 = 0, val2 = 0;
+ rts51x_ep0_read_register(chip, SD_STAT1, &val1);
+ rts51x_ep0_read_register(chip, SD_STAT2, &val2);
+ rts51x_clear_sd_error(chip);
+ if ((val1 & 0xE0) || val2)
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ RTS51X_DEBUGP("SD/MMC CMD %d\n", BUSTEST_R);
+
+ rts51x_init_cmd(chip);
+
+ /* CMD14 */
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD0, 0xFF, 0x40 | BUSTEST_R);
+
+ if (width == MMC_8BIT_BUS)
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_L, 0xFF, 0x08);
+ else
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_L, 0xFF, 0x04);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_L, 0xFF, 1);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_H, 0xFF, 0);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG2, 0xFF,
+ SD_CALCULATE_CRC7 | SD_NO_CHECK_CRC16 |
+ SD_NO_WAIT_BUSY_END | SD_CHECK_CRC7 | SD_RSP_LEN_6);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01,
+ PINGPONG_BUFFER);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_TRANSFER, 0xFF,
+ SD_TM_NORMAL_READ | SD_TRANSFER_START);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, SD_TRANSFER, SD_TRANSFER_END,
+ SD_TRANSFER_END);
+
+ rts51x_add_cmd(chip, READ_REG_CMD, PPBUF_BASE2, 0, 0);
+ if (width == MMC_8BIT_BUS) {
+ len = 3;
+ rts51x_add_cmd(chip, READ_REG_CMD, PPBUF_BASE2 + 1, 0, 0);
+ } else {
+ len = 2;
+ }
+
+ retval = rts51x_send_cmd(chip, MODE_CR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = rts51x_get_rsp(chip, len, 100);
+ if (CHECK_SD_TRANS_FAIL(chip, retval)) {
+ rts51x_clear_sd_error(chip);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ rts51x_read_rsp_buf(chip, 1, buf, 2);
+
+ if (width == MMC_8BIT_BUS) {
+ RTS51X_DEBUGP("BUSTEST_R [8bits]: 0x%02x 0x%02x\n",
+ buf[0], buf[1]);
+ if ((buf[0] == 0xAA) && (buf[1] == 0x55)) {
+ u8 rsp[5];
+ u32 arg;
+
+ if (CHK_MMC_DDR52(sd_card))
+ arg = 0x03B70600;
+ else
+ arg = 0x03B70200;
+ /* Switch MMC to 8-bit mode */
+ retval =
+ sd_send_cmd_get_rsp(chip, SWITCH, arg,
+ SD_RSP_TYPE_R1b, rsp, 5);
+ if ((retval == STATUS_SUCCESS)
+ && !(rsp[4] & MMC_SWITCH_ERR))
+ return STATUS_SUCCESS;
+ }
+ } else {
+ RTS51X_DEBUGP("BUSTEST_R [4bits]: 0x%02x\n", buf[0]);
+ if (buf[0] == 0xA5) {
+ u8 rsp[5];
+ u32 arg;
+
+ if (CHK_MMC_DDR52(sd_card))
+ arg = 0x03B70500;
+ else
+ arg = 0x03B70100;
+ /* Switch MMC to 4-bit mode */
+ retval =
+ sd_send_cmd_get_rsp(chip, SWITCH, arg,
+ SD_RSP_TYPE_R1b, rsp, 5);
+ if ((retval == STATUS_SUCCESS)
+ && !(rsp[4] & MMC_SWITCH_ERR))
+ return STATUS_SUCCESS;
+ }
+ }
+
+ TRACE_RET(chip, STATUS_FAIL);
+}
+
+static int mmc_switch_timing_bus(struct rts51x_chip *chip)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+ u8 card_type, card_type_mask = 0;
+ u8 buf[6];
+
+ CLR_MMC_HS(sd_card);
+
+ RTS51X_DEBUGP("SD/MMC CMD %d\n", SEND_EXT_CSD);
+
+ rts51x_init_cmd(chip);
+
+ /* SEND_EXT_CSD command */
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD0, 0xFF,
+ 0x40 | SEND_EXT_CSD);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD1, 0xFF, 0);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD2, 0xFF, 0);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD3, 0xFF, 0);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD4, 0xFF, 0);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_L, 0xFF, 0);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_H, 0xFF, 2);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_L, 0xFF, 1);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_H, 0xFF, 0);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG2, 0xFF,
+ SD_CALCULATE_CRC7 | SD_CHECK_CRC16 | SD_NO_WAIT_BUSY_END
+ | SD_CHECK_CRC7 | SD_RSP_LEN_6);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01,
+ PINGPONG_BUFFER);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_TRANSFER, 0xFF,
+ SD_TM_NORMAL_READ | SD_TRANSFER_START);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, SD_TRANSFER, SD_TRANSFER_END,
+ SD_TRANSFER_END);
+
+ rts51x_add_cmd(chip, READ_REG_CMD, PPBUF_BASE2 + 196, 0xFF, 0);
+ rts51x_add_cmd(chip, READ_REG_CMD, PPBUF_BASE2 + 212, 0xFF, 0);
+ rts51x_add_cmd(chip, READ_REG_CMD, PPBUF_BASE2 + 213, 0xFF, 0);
+ rts51x_add_cmd(chip, READ_REG_CMD, PPBUF_BASE2 + 214, 0xFF, 0);
+ rts51x_add_cmd(chip, READ_REG_CMD, PPBUF_BASE2 + 215, 0xFF, 0);
+
+ retval = rts51x_send_cmd(chip, MODE_CR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = rts51x_get_rsp(chip, 6, 1000);
+
+ if (CHECK_SD_TRANS_FAIL(chip, retval)) {
+ if (retval == STATUS_TIMEDOUT) {
+ rts51x_clear_sd_error(chip);
+ sd_send_cmd_get_rsp(chip, SEND_STATUS, sd_card->sd_addr,
+ SD_RSP_TYPE_R1, NULL, 0);
+ }
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ rts51x_read_rsp_buf(chip, 0, buf, 6);
+
+ if (buf[0] & SD_TRANSFER_ERR) {
+ sd_send_cmd_get_rsp(chip, SEND_STATUS, sd_card->sd_addr,
+ SD_RSP_TYPE_R1, NULL, 0);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ if (CHK_MMC_SECTOR_MODE(sd_card))
+ sd_card->capacity =
+ ((u32) buf[5] << 24) | ((u32) buf[4] << 16) |
+ ((u32) buf[3] << 8) | ((u32) buf[2]);
+ if (CHECK_UHS50(chip))
+ card_type_mask = 0x07;
+ else
+ card_type_mask = 0x03;
+
+ card_type = buf[1] & card_type_mask;
+ if (card_type) {
+ /* CARD TYPE FIELD = DDR52MHz, 52MHz or 26MHz */
+ u8 rsp[5];
+
+ if (card_type & 0x04)
+ SET_MMC_DDR52(sd_card);
+ else if (card_type & 0x02)
+ SET_MMC_52M(sd_card);
+ else
+ SET_MMC_26M(sd_card);
+
+ retval =
+ sd_send_cmd_get_rsp(chip, SWITCH, 0x03B90100,
+ SD_RSP_TYPE_R1b, rsp, 5);
+ if ((retval != STATUS_SUCCESS) || (rsp[4] & MMC_SWITCH_ERR))
+ CLR_MMC_HS(sd_card);
+ }
+ sd_choose_proper_clock(chip);
+ retval = switch_clock(chip, sd_card->sd_clock);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ /* Test Bus Procedure */
+ if (mmc_test_switch_bus(chip, MMC_8BIT_BUS) == STATUS_SUCCESS) {
+ SET_MMC_8BIT(sd_card);
+ chip->card_bus_width[chip->card2lun[SD_CARD]] = 8;
+ } else if (mmc_test_switch_bus(chip, MMC_4BIT_BUS) == STATUS_SUCCESS) {
+ SET_MMC_4BIT(sd_card);
+ chip->card_bus_width[chip->card2lun[SD_CARD]] = 4;
+ } else {
+ CLR_MMC_8BIT(sd_card);
+ CLR_MMC_4BIT(sd_card);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int reset_mmc(struct rts51x_chip *chip)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval, i = 0, j = 0, k = 0;
+ u8 rsp[16];
+ u8 spec_ver = 0;
+ u8 change_to_ddr52 = 1;
+ u8 cmd[5];
+
+MMC_DDR_FAIL:
+
+ retval = sd_prepare_reset(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ SET_MMC(sd_card);
+
+RTY_MMC_RST:
+ retval =
+ sd_send_cmd_get_rsp(chip, GO_IDLE_STATE, 0, SD_RSP_TYPE_R0, NULL,
+ 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ do {
+ {
+ u8 temp = 0;
+ rts51x_read_register(chip, CARD_INT_PEND, &temp);
+ if (temp & SD_INT) {
+ chip->reset_need_retry = 1;
+ rts51x_write_register(chip, CARD_INT_PEND,
+ XD_INT | SD_INT | MS_INT,
+ XD_INT | SD_INT | MS_INT);
+ sd_set_reset_fail(chip, MMC_RESET_FAIL);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+
+ /* CMD 1 */
+ retval = sd_send_cmd_get_rsp(chip, SEND_OP_COND,
+ (SUPPORT_VOLTAGE | 0x40000000),
+ SD_RSP_TYPE_R3, rsp, 5);
+ if (retval != STATUS_SUCCESS) {
+ if (monitor_card_cd(chip, SD_CARD) == CD_NOT_EXIST) {
+ sd_set_reset_fail(chip, MMC_RESET_FAIL);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ if (sd_check_err_code(chip, SD_BUSY)
+ || sd_check_err_code(chip, SD_TO_ERR)) {
+ k++;
+ if (k < 20) {
+ sd_clr_err_code(chip);
+ goto RTY_MMC_RST;
+ } else {
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ } else {
+ j++;
+ if (j < 100) {
+ sd_clr_err_code(chip);
+ goto RTY_MMC_RST;
+ } else {
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+ }
+
+ wait_timeout(20);
+ i++;
+ } while (!(rsp[1] & 0x80) && (i < 100)); /* Not complete power on */
+
+ if (i == 100) {
+ /* Time out */
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ if ((rsp[1] & 0x60) == 0x40)
+ SET_MMC_SECTOR_MODE(sd_card);
+ else
+ CLR_MMC_SECTOR_MODE(sd_card);
+
+ /* CMD 2 */
+ retval =
+ sd_send_cmd_get_rsp(chip, ALL_SEND_CID, 0, SD_RSP_TYPE_R2, NULL, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ /* CMD 3 */
+ sd_card->sd_addr = 0x00100000;
+ retval =
+ sd_send_cmd_get_rsp(chip, SET_RELATIVE_ADDR, sd_card->sd_addr,
+ SD_RSP_TYPE_R6, rsp, 5);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ /* Get CSD register for Calculating Timing,Capacity
+ * Check CSD to determine as if this is the SD ROM card */
+ retval = sd_check_csd(chip, 1);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ /* Get MMC Spec_Ver in the CSD register */
+ spec_ver = (sd_card->raw_csd[0] & 0x3C) >> 2;
+
+ /* Select MMC card */
+ retval = rts51x_sd_select_card(chip, 1);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ /* Set block length 512 bytes for all block commands */
+ retval =
+ sd_send_cmd_get_rsp(chip, SET_BLOCKLEN, 0x200, SD_RSP_TYPE_R1, NULL,
+ 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ RTS51X_WRITE_REG(chip, SD_CFG1, SD_CLK_DIVIDE_MASK, SD_CLK_DIVIDE_0);
+
+ if (chip->ic_version < 2)
+ rts51x_write_register(chip, SD30_DRIVE_SEL, SD30_DRIVE_MASK,
+ 0x02);
+ rts51x_write_register(chip, CARD_DRIVE_SEL, SD20_DRIVE_MASK, DRIVE_8mA);
+
+ chip->card_bus_width[chip->card2lun[SD_CARD]] = 1;
+ if (spec_ver == 4) {
+ /* MMC 4.x Cards */
+ (void)mmc_switch_timing_bus(chip);
+ }
+
+ if (CHK_MMC_SECTOR_MODE(sd_card) && (sd_card->capacity == 0))
+ TRACE_RET(chip, STATUS_FAIL);
+
+ if (CHK_MMC_DDR52(sd_card) && change_to_ddr52) {
+ /* Card is extracted while identifying */
+ if (monitor_card_cd(chip, SD_CARD) == CD_NOT_EXIST)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ retval = sd_set_init_para(chip);
+ if (retval != STATUS_SUCCESS) {
+ CLR_MMC_DDR52(sd_card);
+ sd_init_power(chip);
+ change_to_ddr52 = 0;
+ goto MMC_DDR_FAIL;
+ }
+
+ retval = mmc_ddr_tuning(chip);
+ if (retval != STATUS_SUCCESS) {
+ CLR_MMC_DDR52(sd_card);
+ sd_init_power(chip);
+ change_to_ddr52 = 0;
+ goto MMC_DDR_FAIL;
+ }
+
+ if (STATUS_SUCCESS ==
+ sd_wait_currentstate_dataready(chip, 0x08, 1, 20)) {
+ cmd[0] = 0x40 | READ_SINGLE_BLOCK;
+ cmd[1] = 0x00;
+ cmd[2] = 0x00;
+ cmd[3] = 0x00;
+ cmd[4] = 0x00;
+ if (CHK_MMC_8BIT(sd_card)) {
+ retval =
+ sd_read_data(chip, SD_TM_NORMAL_READ, cmd,
+ 5, 512, 1, SD_BUS_WIDTH_8,
+ NULL, 0, 600);
+ } else if (CHK_MMC_4BIT(sd_card)) {
+ retval =
+ sd_read_data(chip, SD_TM_NORMAL_READ, cmd,
+ 5, 512, 1, SD_BUS_WIDTH_4,
+ NULL, 0, 600);
+ } else {
+ retval =
+ sd_read_data(chip, SD_TM_NORMAL_READ, cmd,
+ 5, 512, 1, SD_BUS_WIDTH_1,
+ NULL, 0, 600);
+ }
+
+ if (retval != STATUS_SUCCESS) {
+ CLR_MMC_DDR52(sd_card);
+ change_to_ddr52 = 0;
+ RTS51X_DEBUGP("read lba0 fail,"
+ "goto SD20 mode\n");
+ sd_init_power(chip);
+ goto MMC_DDR_FAIL;
+ }
+ }
+ }
+
+ retval = rts51x_get_card_status(chip, &(chip->card_status));
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ if (chip->card_status & SD_WP)
+ chip->card_wp |= SD_CARD;
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_reset_sd_card(struct rts51x_chip *chip)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+ int i;
+
+ memset(sd_card, 0, sizeof(struct sd_info));
+
+ /* Init variables */
+ sd_card->sd_type = 0;
+ sd_card->seq_mode = 0;
+ sd_card->sd_data_buf_ready = 0;
+ sd_card->capacity = 0;
+ sd_card->sd_switch_fail = 0;
+
+ sd_clear_reset_fail(chip);
+ rts51x_enable_card_clock(chip, SD_CARD);
+
+ sd_init_power(chip);
+
+ chip->reset_need_retry = 0;
+ for (i = 0; i < 3; i++) {
+ if (!chip->option.reset_mmc_first) { /* reset sd first */
+ retval = reset_sd(chip);
+ if (retval != STATUS_SUCCESS) {
+ /* Switch SD bus to 3V3 signal */
+ RTS51X_WRITE_REG(chip, SD_PAD_CTL,
+ SD_IO_USING_1V8, 0);
+ if (sd_check_reset_fail(chip, SD_RESET_FAIL))
+ sd_clear_reset_fail(chip);
+ else
+ retval = reset_mmc(chip);
+ }
+ } else { /* reset MMC first */
+ retval = reset_mmc(chip);
+ if (retval != STATUS_SUCCESS) {
+ if (sd_check_reset_fail(chip, MMC_RESET_FAIL)) {
+ sd_clear_reset_fail(chip);
+ } else {
+ retval = reset_sd(chip);
+ if (retval != STATUS_SUCCESS) {
+ /* Switch SD bus to
+ * 3V3 signal */
+ RTS51X_WRITE_REG(chip,
+ SD_PAD_CTL,
+ SD_IO_USING_1V8, 0);
+ }
+ }
+ }
+ }
+
+ if ((retval == STATUS_SUCCESS) || (!chip->reset_need_retry)) {
+ /* if reset success or don't need retry,then break */
+ break;
+ }
+ if (monitor_card_cd(chip, SD_CARD) == CD_NOT_EXIST) {
+ /* card is extracted */
+ break;
+ }
+ RTS51X_DEBUGP("retry reset sd card,%d\n", i);
+ chip->reset_need_retry = 0;
+ }
+
+ sd_clear_reset_fail(chip);
+ chip->reset_need_retry = 0;
+
+ if (retval == STATUS_SUCCESS) {
+ rts51x_init_cmd(chip);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG1, SD_CLK_DIVIDE_MASK,
+ SD_CLK_DIVIDE_0);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_L, 0xFF, 0);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_H, 0xFF, 2);
+ retval = rts51x_send_cmd(chip, MODE_C, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ } else {
+ chip->capacity[chip->card2lun[SD_CARD]] = sd_card->capacity = 0;
+ if (chip->option.reset_or_rw_fail_set_pad_drive) {
+ rts51x_write_register(chip, CARD_DRIVE_SEL,
+ SD20_DRIVE_MASK, DRIVE_8mA);
+ }
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ chip->capacity[chip->card2lun[SD_CARD]] = sd_card->capacity;
+
+ if (chip->option.sd_send_status_en) {
+ sd_card->sd_send_status_en = 1;
+ } else {
+ if (sd_card->capacity > 0x20000) { /* 64MB */
+ sd_card->sd_send_status_en = 0;
+ } else {
+ sd_card->sd_send_status_en = 1;
+ }
+ }
+ RTS51X_DEBUGP("sd_card->sd_send_status = %d\n",
+ sd_card->sd_send_status_en);
+
+ retval = sd_set_init_para(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ RTS51X_DEBUGP("sd_card->sd_type = 0x%x\n", sd_card->sd_type);
+
+ return STATUS_SUCCESS;
+}
+
+#define WAIT_DATA_READY_RTY_CNT 255
+
+static int wait_data_buf_ready(struct rts51x_chip *chip)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int i, retval;
+
+ for (i = 0; i < WAIT_DATA_READY_RTY_CNT; i++) {
+ if (monitor_card_cd(chip, SD_CARD) == CD_NOT_EXIST)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ sd_card->sd_data_buf_ready = 0;
+
+ retval = sd_send_cmd_get_rsp(chip, SEND_STATUS,
+ sd_card->sd_addr, SD_RSP_TYPE_R1,
+ NULL, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (sd_card->sd_data_buf_ready)
+ return sd_send_cmd_get_rsp(chip, SEND_STATUS,
+ sd_card->sd_addr,
+ SD_RSP_TYPE_R1, NULL, 0);
+ }
+
+ sd_set_err_code(chip, SD_TO_ERR);
+
+ TRACE_RET(chip, STATUS_FAIL);
+}
+
+static void sd_stop_seq_mode(struct rts51x_chip *chip)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+
+ if (sd_card->seq_mode) {
+ retval = rts51x_sd_switch_clock(chip);
+ if (retval != STATUS_SUCCESS)
+ return;
+
+ retval = sd_send_cmd_get_rsp(chip, STOP_TRANSMISSION, 0,
+ SD_RSP_TYPE_R1b, NULL, 0);
+ if (retval != STATUS_SUCCESS)
+ sd_set_err_code(chip, SD_STS_ERR);
+ sd_card->seq_mode = 0;
+
+ rts51x_ep0_write_register(chip, MC_FIFO_CTL, FIFO_FLUSH,
+ FIFO_FLUSH);
+ }
+}
+
+static inline int sd_auto_tune_clock(struct rts51x_chip *chip)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+
+ if (chip->asic_code) {
+ if (sd_card->sd_clock > 30)
+ sd_card->sd_clock -= 20;
+ } else {
+ if (sd_card->sd_clock == CLK_100)
+ sd_card->sd_clock = CLK_80;
+ else if (sd_card->sd_clock == CLK_80)
+ sd_card->sd_clock = CLK_60;
+ else if (sd_card->sd_clock == CLK_60)
+ sd_card->sd_clock = CLK_50;
+ }
+
+ retval = rts51x_sd_switch_clock(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_sd_rw(struct scsi_cmnd *srb, struct rts51x_chip *chip, u32 start_sector,
+ u16 sector_cnt)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ u32 data_addr;
+ int retval;
+ u8 flag;
+ unsigned int pipe;
+ u8 stageflag;
+
+ sd_card->counter = 0;
+
+ if (!CHK_SD_HCXC(sd_card) && !CHK_MMC_SECTOR_MODE(sd_card))
+ data_addr = start_sector << 9;
+ else
+ data_addr = start_sector;
+
+ RTS51X_DEBUGP("rts51x_sd_rw, data_addr = 0x%x\n", data_addr);
+
+ sd_clr_err_code(chip);
+
+ retval = rts51x_sd_switch_clock(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (sd_card->seq_mode && ((sd_card->pre_dir != srb->sc_data_direction)
+ ||
+ ((sd_card->pre_sec_addr +
+ sd_card->pre_sec_cnt) != start_sector))) {
+ if ((sd_card->pre_dir == DMA_FROM_DEVICE)
+ && !CHK_SD30_SPEED(sd_card)
+ && !CHK_SD_HS(sd_card)
+ && !CHK_MMC_HS(sd_card)
+ && sd_card->sd_send_status_en) {
+ sd_send_cmd_get_rsp(chip, SEND_STATUS,
+ sd_card->sd_addr, SD_RSP_TYPE_R1,
+ NULL, 0);
+ }
+
+ retval =
+ sd_send_cmd_get_rsp(chip, STOP_TRANSMISSION, 0,
+ SD_RSP_TYPE_R1b, NULL, 0);
+ if (retval != STATUS_SUCCESS) {
+ sd_set_err_code(chip, SD_STS_ERR);
+ TRACE_RET(chip, sd_parse_err_code(chip));
+ }
+
+ sd_card->seq_mode = 0;
+
+ RTS51X_WRITE_REG(chip, MC_FIFO_CTL, FIFO_FLUSH, FIFO_FLUSH);
+
+ if (!CHK_SD30_SPEED(sd_card)
+ && !CHK_SD_HS(sd_card)
+ && !CHK_MMC_HS(sd_card)
+ && sd_card->sd_send_status_en) {
+ /* random rw, so pre_sec_cnt < 0x80 */
+ sd_send_cmd_get_rsp(chip, SEND_STATUS,
+ sd_card->sd_addr, SD_RSP_TYPE_R1,
+ NULL, 0);
+ }
+ }
+
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_L, 0xFF, 0x00);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_H, 0xFF, 0x02);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_L, 0xFF,
+ (u8) sector_cnt);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_H, 0xFF,
+ (u8) (sector_cnt >> 8));
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01,
+ RING_BUFFER);
+
+ if (CHK_MMC_8BIT(sd_card))
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG1, 0x03,
+ SD_BUS_WIDTH_8);
+ else if (CHK_MMC_4BIT(sd_card) || CHK_SD(sd_card))
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG1, 0x03,
+ SD_BUS_WIDTH_4);
+ else
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG1, 0x03,
+ SD_BUS_WIDTH_1);
+
+ if (sd_card->seq_mode) {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG2, 0xFF,
+ SD_NO_CALCULATE_CRC7 | SD_CHECK_CRC16 |
+ SD_NO_WAIT_BUSY_END | SD_NO_CHECK_CRC7 |
+ SD_RSP_LEN_0);
+
+ rts51x_trans_dma_enable(srb->sc_data_direction, chip, sector_cnt * 512,
+ DMA_512);
+
+ if (srb->sc_data_direction == DMA_FROM_DEVICE) {
+ flag = MODE_CDIR;
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_TRANSFER, 0xFF,
+ SD_TM_AUTO_READ_3 | SD_TRANSFER_START);
+ } else {
+ flag = MODE_CDOR;
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_TRANSFER, 0xFF,
+ SD_TM_AUTO_WRITE_3 | SD_TRANSFER_START);
+ }
+
+ rts51x_add_cmd(chip, CHECK_REG_CMD, SD_TRANSFER,
+ SD_TRANSFER_END, SD_TRANSFER_END);
+
+ retval = rts51x_send_cmd(chip, flag, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ } else {
+ if (srb->sc_data_direction == DMA_FROM_DEVICE) {
+ RTS51X_DEBUGP("SD/MMC CMD %d\n", READ_MULTIPLE_BLOCK);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD0, 0xFF,
+ 0x40 | READ_MULTIPLE_BLOCK);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD1, 0xFF,
+ (u8) (data_addr >> 24));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD2, 0xFF,
+ (u8) (data_addr >> 16));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD3, 0xFF,
+ (u8) (data_addr >> 8));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD4, 0xFF,
+ (u8) data_addr);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG2, 0xFF,
+ SD_CALCULATE_CRC7 | SD_CHECK_CRC16 |
+ SD_NO_WAIT_BUSY_END | SD_CHECK_CRC7 |
+ SD_RSP_LEN_6);
+
+ rts51x_trans_dma_enable(srb->sc_data_direction, chip,
+ sector_cnt * 512, DMA_512);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_TRANSFER, 0xFF,
+ SD_TM_AUTO_READ_2 | SD_TRANSFER_START);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, SD_TRANSFER,
+ SD_TRANSFER_END, SD_TRANSFER_END);
+
+ retval = rts51x_send_cmd(chip, MODE_CDIR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ } else {
+ retval = rts51x_send_cmd(chip, MODE_C, 50);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_clear_sd_error(chip);
+
+ sd_set_err_code(chip, SD_TO_ERR);
+ TRACE_RET(chip, sd_parse_err_code(chip));
+ }
+
+ retval = wait_data_buf_ready(chip);
+ if (retval != STATUS_SUCCESS) {
+ sd_set_err_code(chip, SD_TO_ERR);
+ TRACE_RET(chip, sd_parse_err_code(chip));
+ }
+
+ retval = sd_send_cmd_get_rsp(chip, WRITE_MULTIPLE_BLOCK,
+ data_addr, SD_RSP_TYPE_R1,
+ NULL, 0);
+ if (retval != STATUS_SUCCESS) {
+ sd_set_err_code(chip, SD_CRC_ERR);
+ TRACE_RET(chip, sd_parse_err_code(chip));
+ }
+
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG2, 0xFF,
+ SD_NO_CALCULATE_CRC7 | SD_CHECK_CRC16 |
+ SD_NO_WAIT_BUSY_END | SD_NO_CHECK_CRC7 |
+ SD_RSP_LEN_0);
+
+ rts51x_trans_dma_enable(srb->sc_data_direction, chip,
+ sector_cnt * 512, DMA_512);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_TRANSFER, 0xFF,
+ SD_TM_AUTO_WRITE_3 | SD_TRANSFER_START);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, SD_TRANSFER,
+ SD_TRANSFER_END, SD_TRANSFER_END);
+
+ retval = rts51x_send_cmd(chip, MODE_CDOR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+
+ sd_card->seq_mode = 1;
+ }
+
+ if (srb->sc_data_direction == DMA_FROM_DEVICE) {
+ pipe = RCV_BULK_PIPE(chip);
+ stageflag = STAGE_DI;
+ } else {
+ pipe = SND_BULK_PIPE(chip);
+ stageflag = STAGE_DO;
+ }
+
+ retval =
+ rts51x_transfer_data_rcc(chip, pipe, scsi_sglist(srb),
+ scsi_bufflen(srb), scsi_sg_count(srb),
+ NULL, 10000, stageflag);
+ if (retval != STATUS_SUCCESS) {
+ u8 stat = 0;
+ int err = retval;
+
+ sd_print_debug_reg(chip);
+
+ rts51x_ep0_read_register(chip, SD_STAT1, &stat);
+ RTS51X_DEBUGP("SD_STAT1: 0x%x\n", stat);
+
+ rts51x_clear_sd_error(chip);
+
+ retval =
+ sd_send_cmd_get_rsp(chip, STOP_TRANSMISSION, 0,
+ SD_RSP_TYPE_R1b, NULL, 0);
+ if (retval != STATUS_SUCCESS) {
+ sd_set_err_code(chip, SD_STS_ERR);
+ TRACE_RET(chip, retval);
+ }
+
+ if (stat & (SD_CRC7_ERR | SD_CRC16_ERR | SD_CRC_WRITE_ERR)) {
+ RTS51X_DEBUGP("SD CRC error, tune clock!\n");
+ sd_auto_tune_clock(chip);
+ }
+
+ sd_card->seq_mode = 0;
+
+ TRACE_RET(chip, err);
+ }
+ retval = rts51x_get_rsp(chip, 1, 2000);
+ if (CHECK_SD_TRANS_FAIL(chip, retval)) {
+ rts51x_clear_sd_error(chip);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ sd_card->pre_sec_addr = start_sector;
+ sd_card->pre_sec_cnt = sector_cnt;
+ sd_card->pre_dir = srb->sc_data_direction;
+
+ return STATUS_SUCCESS;
+}
+
+void rts51x_sd_cleanup_work(struct rts51x_chip *chip)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+
+ if (sd_card->seq_mode) {
+ RTS51X_DEBUGP("SD: stop transmission\n");
+ sd_stop_seq_mode(chip);
+ sd_card->counter = 0;
+ }
+}
+
+static inline void sd_fill_power_off_card3v3(struct rts51x_chip *chip)
+{
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_CLK_EN, SD_CLK_EN, 0);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_OE, SD_OUTPUT_EN, 0);
+ if (!chip->option.FT2_fast_mode) {
+#ifdef SD_XD_IO_FOLLOW_PWR
+ if (CHECK_PKG(chip, LQFP48)
+ || chip->option.rts5129_D3318_off_enable)
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL,
+ POWER_MASK | LDO_OFF,
+ POWER_OFF | LDO_OFF);
+ else
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL,
+ POWER_MASK, POWER_OFF);
+#else
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL, POWER_MASK,
+ POWER_OFF);
+#endif
+ }
+}
+
+static int sd_power_off_card3v3(struct rts51x_chip *chip)
+{
+ int retval;
+
+ rts51x_init_cmd(chip);
+
+ sd_fill_power_off_card3v3(chip);
+
+ retval = rts51x_send_cmd(chip, MODE_C, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+#ifdef SD_XD_IO_FOLLOW_PWR
+ if (!chip->option.FT2_fast_mode)
+ wait_timeout(chip->option.D3318_off_delay);
+#endif
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_release_sd_card(struct rts51x_chip *chip)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+
+ RTS51X_DEBUGP("rts51x_release_sd_card\n");
+
+ chip->card_ready &= ~SD_CARD;
+ chip->card_fail &= ~SD_CARD;
+ chip->card_wp &= ~SD_CARD;
+
+ memset(sd_card->raw_csd, 0, 16);
+ memset(sd_card->raw_scr, 0, 8);
+
+ rts51x_write_register(chip, SFSM_ED, HW_CMD_STOP, HW_CMD_STOP);
+ rts51x_write_register(chip, SD_PAD_CTL, SD_IO_USING_1V8, 0);
+ if (CHECK_PKG(chip, LQFP48) || chip->option.rts5129_D3318_off_enable)
+ sd_power_off_card3v3(chip);
+
+ rts51x_init_cmd(chip);
+ if (!(CHECK_PKG(chip, LQFP48) || chip->option.rts5129_D3318_off_enable))
+ sd_fill_power_off_card3v3(chip);
+
+ if (chip->asic_code)
+ sd_pull_ctl_disable(chip);
+ else
+ rts51x_add_cmd(chip, WRITE_REG_CMD, FPGA_PULL_CTL,
+ FPGA_SD_PULL_CTL_BIT | 0x20,
+ FPGA_SD_PULL_CTL_BIT);
+
+ /* Switch LDO3318 to 3.3V */
+ rts51x_add_cmd(chip, WRITE_REG_CMD, LDO_POWER_CFG, TUNE_SD18_MASK,
+ TUNE_SD18_3V3);
+
+ if (CHK_MMC_DDR52(sd_card) && CHK_MMC_8BIT(sd_card))
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DMA1_CTL,
+ EXTEND_DMA1_ASYNC_SIGNAL,
+ EXTEND_DMA1_ASYNC_SIGNAL);
+ if (CHK_SD30_SPEED(sd_card) || CHK_MMC(sd_card))
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD30_DRIVE_SEL,
+ SD30_DRIVE_MASK, chip->option.sd30_pad_drive);
+ /* Suspend LDO3318 */
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL, LDO3318_PWR_MASK,
+ LDO_SUSPEND);
+
+ retval = rts51x_send_cmd(chip, MODE_C, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ wait_timeout(20);
+
+ return STATUS_SUCCESS;
+}
diff --git a/drivers/staging/rts5139/sd.h b/drivers/staging/rts5139/sd.h
new file mode 100644
index 000000000000..7dd943f54c74
--- /dev/null
+++ b/drivers/staging/rts5139/sd.h
@@ -0,0 +1,275 @@
+/* Driver for Realtek RTS51xx USB card reader
+ * Header file
+ *
+ * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author:
+ * wwang (wei_wang(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ * Maintainer:
+ * Edwin Rong (edwin_rong(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ */
+
+#ifndef __RTS51X_SD_H
+#define __RTS51X_SD_H
+
+#include "rts51x_chip.h"
+
+#define SD_MAX_RETRY_COUNT 3
+
+#define SUPPORT_VOLTAGE 0x003C0000
+
+#define SD_RESET_FAIL 0x01
+#define MMC_RESET_FAIL 0x02
+
+/* Error Code */
+#define SD_NO_ERROR 0x0
+#define SD_CRC_ERR 0x80
+#define SD_TO_ERR 0x40
+#define SD_NO_CARD 0x20
+#define SD_BUSY 0x10
+#define SD_STS_ERR 0x08
+#define SD_RSP_TIMEOUT 0x04
+
+/* MMC/SD Command Index */
+/* Basic command (class 0) */
+#define GO_IDLE_STATE 0
+#define SEND_OP_COND 1 /* reserved for SD */
+#define ALL_SEND_CID 2
+#define SET_RELATIVE_ADDR 3
+#define SEND_RELATIVE_ADDR 3
+#define SET_DSR 4
+#define IO_SEND_OP_COND 5
+#define SWITCH 6
+#define SELECT_CARD 7
+#define DESELECT_CARD 7
+/* CMD8 is "SEND_EXT_CSD" for MMC4.x Spec
+ * while is "SEND_IF_COND" for SD 2.0 */
+#define SEND_EXT_CSD 8
+#define SEND_IF_COND 8
+/* end */
+#define SEND_CSD 9
+#define SEND_CID 10
+#define VOLTAGE_SWITCH 11
+#define READ_DAT_UTIL_STOP 11 /* reserved for SD */
+#define STOP_TRANSMISSION 12
+#define SEND_STATUS 13
+#define GO_INACTIVE_STATE 15
+
+/* Block oriented read commands (class 2) */
+#define SET_BLOCKLEN 16
+#define READ_SINGLE_BLOCK 17
+#define READ_MULTIPLE_BLOCK 18
+#define SEND_TUNING_PATTERN 19
+
+/* Bus Width Test */
+#define BUSTEST_R 14
+#define BUSTEST_W 19
+/* end */
+
+/* Block oriented write commands (class 4) */
+#define WRITE_BLOCK 24
+#define WRITE_MULTIPLE_BLOCK 25
+#define PROGRAM_CSD 27
+
+/* Erase commands */
+#define ERASE_WR_BLK_START 32
+#define ERASE_WR_BLK_END 33
+#define ERASE_CMD 38
+
+/* Block Oriented Write Protection Commands */
+#define LOCK_UNLOCK 42
+
+#define IO_RW_DIRECT 52
+
+/* Application specific commands (class 8) */
+#define APP_CMD 55
+#define GEN_CMD 56
+
+/* SD Application command Index */
+#define SET_BUS_WIDTH 6
+#define SD_STATUS 13
+#define SEND_NUM_WR_BLOCKS 22
+#define SET_WR_BLK_ERASE_COUNT 23
+#define SD_APP_OP_COND 41
+#define SET_CLR_CARD_DETECT 42
+#define SEND_SCR 51
+
+/* SD TIMEOUT function return error */
+#define SD_READ_COMPLETE 0x00
+#define SD_READ_TO 0x01
+#define SD_READ_ADVENCE 0x02
+
+/* SD v1.1 CMD6 SWITCH function */
+#define SD_CHECK_MODE 0x00
+#define SD_SWITCH_MODE 0x80
+#define SD_FUNC_GROUP_1 0x01
+#define SD_FUNC_GROUP_2 0x02
+#define SD_FUNC_GROUP_3 0x03
+#define SD_FUNC_GROUP_4 0x04
+#define SD_CHECK_SPEC_V1_1 0xFF
+
+/* SD Command Argument */
+#define NO_ARGUMENT 0x00
+#define CHECK_PATTERN 0x000000AA
+#define VOLTAGE_SUPPLY_RANGE 0x00000100 /* 2.7~3.6V */
+#define SUPPORT_HIGH_AND_EXTENDED_CAPACITY 0x40000000
+#define SUPPORT_MAX_POWER_PERMANCE 0x10000000
+#define SUPPORT_1V8 0x01000000
+
+/* Switch Command Error Code */
+#define SWTICH_NO_ERR 0x00
+#define CARD_NOT_EXIST 0x01
+#define SPEC_NOT_SUPPORT 0x02
+#define CHECK_MODE_ERR 0x03
+#define CHECK_NOT_READY 0x04
+#define SWITCH_CRC_ERR 0x05
+#define SWITCH_MODE_ERR 0x06
+#define SWITCH_PASS 0x07
+
+/* Function Group Definition */
+/* Function Group 1 */
+#define HS_SUPPORT 0x01
+#define SDR50_SUPPORT 0x02
+#define SDR104_SUPPORT 0x03
+#define DDR50_SUPPORT 0x04
+#define HS_SUPPORT_MASK 0x02
+#define SDR50_SUPPORT_MASK 0x04
+#define SDR104_SUPPORT_MASK 0x08
+#define DDR50_SUPPORT_MASK 0x10
+#define HS_QUERY_SWITCH_OK 0x01
+#define SDR50_QUERY_SWITCH_OK 0x02
+#define SDR104_QUERY_SWITCH_OK 0x03
+#define DDR50_QUERY_SWITCH_OK 0x04
+#define HS_SWITCH_BUSY 0x02
+#define SDR50_SWITCH_BUSY 0x04
+#define SDR104_SWITCH_BUSY 0x08
+#define DDR50_SWITCH_BUSY 0x10
+#define FUNCTION_GROUP1_SUPPORT_OFFSET 0x0D
+#define FUNCTION_GROUP1_QUERY_SWITCH_OFFSET 0x10
+#define FUNCTION_GROUP1_CHECK_BUSY_OFFSET 0x1D
+/* Function Group 3 */
+#define DRIVING_TYPE_A 0x01
+#define DRIVING_TYPE_B 0x00
+#define DRIVING_TYPE_C 0x02
+#define DRIVING_TYPE_D 0x03
+#define DRIVING_TYPE_A_MASK 0x02
+#define DRIVING_TYPE_B_MASK 0x01
+#define DRIVING_TYPE_C_MASK 0x04
+#define DRIVING_TYPE_D_MASK 0x08
+#define TYPE_A_QUERY_SWITCH_OK 0x01
+#define TYPE_B_QUERY_SWITCH_OK 0x00
+#define TYPE_C_QUERY_SWITCH_OK 0x02
+#define TYPE_D_QUERY_SWITCH_OK 0x03
+#define TYPE_A_SWITCH_BUSY 0x02
+#define TYPE_B_SWITCH_BUSY 0x01
+#define TYPE_C_SWITCH_BUSY 0x04
+#define TYPE_D_SWITCH_BUSY 0x08
+#define FUNCTION_GROUP3_SUPPORT_OFFSET 0x09
+#define FUNCTION_GROUP3_QUERY_SWITCH_OFFSET 0x0F
+#define FUNCTION_GROUP3_CHECK_BUSY_OFFSET 0x19
+/* Function Group 4 */
+#define CURRENT_LIMIT_200 0x00
+#define CURRENT_LIMIT_400 0x01
+#define CURRENT_LIMIT_600 0x02
+#define CURRENT_LIMIT_800 0x03
+#define CURRENT_LIMIT_200_MASK 0x01
+#define CURRENT_LIMIT_400_MASK 0x02
+#define CURRENT_LIMIT_600_MASK 0x04
+#define CURRENT_LIMIT_800_MASK 0x08
+#define CURRENT_LIMIT_200_QUERY_SWITCH_OK 0x00
+#define CURRENT_LIMIT_400_QUERY_SWITCH_OK 0x01
+#define CURRENT_LIMIT_600_QUERY_SWITCH_OK 0x02
+#define CURRENT_LIMIT_800_QUERY_SWITCH_OK 0x03
+#define CURRENT_LIMIT_200_SWITCH_BUSY 0x01
+#define CURRENT_LIMIT_400_SWITCH_BUSY 0x02
+#define CURRENT_LIMIT_600_SWITCH_BUSY 0x04
+#define CURRENT_LIMIT_800_SWITCH_BUSY 0x08
+#define FUNCTION_GROUP4_SUPPORT_OFFSET 0x07
+#define FUNCTION_GROUP4_QUERY_SWITCH_OFFSET 0x0F
+#define FUNCTION_GROUP4_CHECK_BUSY_OFFSET 0x17
+/* Switch Function Status Offset */
+#define DATA_STRUCTURE_VER_OFFSET 0x11 /* The high offset */
+#define MAX_PHASE 15
+/* #define TOTAL_READ_PHASE 0x20 */
+/* #define TOTAL_WRITE_PHASE 0x20 */
+/* MMC v4.0 */
+/* #define MMC_52MHZ_SPEED 0x0001 */
+/* #define MMC_26MHZ_SPEED 0x0002 */
+#define MMC_8BIT_BUS 0x0010
+#define MMC_4BIT_BUS 0x0020
+/* #define MMC_SECTOR_MODE 0x0100 */
+#define MMC_SWITCH_ERR 0x80
+/* Tuning direction RX or TX */
+#define TUNE_TX 0x00
+#define TUNE_RX 0x01
+/* For Change_DCM_FreqMode Function */
+#define CHANGE_TX 0x00
+#define CHANGE_RX 0x01
+#define DCM_HIGH_FREQUENCY_MODE 0x00
+#define DCM_LOW_FREQUENCY_MODE 0x01
+#define DCM_HIGH_FREQUENCY_MODE_SET 0x0C
+#define DCM_Low_FREQUENCY_MODE_SET 0x00
+/* For Change_FPGA_SSCClock Function */
+#define MULTIPLY_BY_1 0x00
+#define MULTIPLY_BY_2 0x01
+#define MULTIPLY_BY_3 0x02
+#define MULTIPLY_BY_4 0x03
+#define MULTIPLY_BY_5 0x04
+#define MULTIPLY_BY_6 0x05
+#define MULTIPLY_BY_7 0x06
+#define MULTIPLY_BY_8 0x07
+#define MULTIPLY_BY_9 0x08
+#define MULTIPLY_BY_10 0x09
+#define DIVIDE_BY_2 0x01
+#define DIVIDE_BY_3 0x02
+#define DIVIDE_BY_4 0x03
+#define DIVIDE_BY_5 0x04
+#define DIVIDE_BY_6 0x05
+#define DIVIDE_BY_7 0x06
+#define DIVIDE_BY_8 0x07
+#define DIVIDE_BY_9 0x08
+#define DIVIDE_BY_10 0x09
+#define CHECK_SD_TRANS_FAIL(chip, retval) \
+ (((retval) != STATUS_SUCCESS) || \
+ (chip->rsp_buf[0] & SD_TRANSFER_ERR))
+/* SD Tuning Data Structure */
+/* Record continuous timing phase path */
+struct timing_phase_path {
+ int start;
+ int end;
+ int mid;
+ int len;
+};
+
+int rts51x_sd_select_card(struct rts51x_chip *chip, int select);
+int rts51x_reset_sd_card(struct rts51x_chip *chip);
+int rts51x_sd_switch_clock(struct rts51x_chip *chip);
+int rts51x_sd_rw(struct scsi_cmnd *srb, struct rts51x_chip *chip, u32 start_sector,
+ u16 sector_cnt);
+void rts51x_sd_cleanup_work(struct rts51x_chip *chip);
+int rts51x_release_sd_card(struct rts51x_chip *chip);
+
+#ifdef SUPPORT_CPRM
+extern int reset_sd(struct rts51x_chip *chip);
+extern int sd_check_data0_status(struct rts51x_chip *chip);
+extern int sd_read_data(struct rts51x_chip *chip, u8 trans_mode, u8 *cmd,
+ int cmd_len, u16 byte_cnt, u16 blk_cnt, u8 bus_width,
+ u8 *buf, int buf_len, int timeout);
+#endif
+
+#endif /* __RTS51X_SD_H */
diff --git a/drivers/staging/rts5139/sd_cprm.c b/drivers/staging/rts5139/sd_cprm.c
new file mode 100644
index 000000000000..cede6c07394f
--- /dev/null
+++ b/drivers/staging/rts5139/sd_cprm.c
@@ -0,0 +1,1056 @@
+/* Driver for Realtek RTS51xx USB card reader
+ *
+ * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author:
+ * wwang (wei_wang(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ * Maintainer:
+ * Edwin Rong (edwin_rong(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ */
+
+#include <linux/blkdev.h>
+#include <linux/kthread.h>
+#include <linux/sched.h>
+#include <linux/slab.h>
+
+#include "debug.h"
+#include "trace.h"
+#include "rts51x.h"
+#include "rts51x_transport.h"
+#include "rts51x_scsi.h"
+#include "rts51x_card.h"
+#include "rts51x_chip.h"
+#include "sd_cprm.h"
+#include "sd.h"
+
+#ifdef SUPPORT_CPRM
+
+static inline int get_rsp_type(u8 rsp_code, u8 *rsp_type, int *rsp_len)
+{
+ if (!rsp_type || !rsp_len)
+ return STATUS_FAIL;
+
+ switch (rsp_code) {
+ case 0x03:
+ *rsp_type = SD_RSP_TYPE_R0; /* no response */
+ *rsp_len = 0;
+ break;
+
+ case 0x04:
+ *rsp_type = SD_RSP_TYPE_R1; /* R1,R6(,R4,R5) */
+ *rsp_len = 6;
+ break;
+
+ case 0x05:
+ *rsp_type = SD_RSP_TYPE_R1b; /* R1b */
+ *rsp_len = 6;
+ break;
+
+ case 0x06:
+ *rsp_type = SD_RSP_TYPE_R2; /* R2 */
+ *rsp_len = 17;
+ break;
+
+ case 0x07:
+ *rsp_type = SD_RSP_TYPE_R3; /* R3 */
+ *rsp_len = 6;
+ break;
+
+ default:
+ return STATUS_FAIL;
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int ext_sd_send_cmd_get_rsp(struct rts51x_chip *chip, u8 cmd_idx,
+ u32 arg, u8 rsp_type, u8 *rsp, int rsp_len,
+ int special_check)
+{
+ int retval;
+ int timeout = 50;
+ u16 reg_addr;
+ u8 buf[17], stat;
+ int len = 2;
+ int rty_cnt = 0;
+
+ RTS51X_DEBUGP("EXT SD/MMC CMD %d\n", cmd_idx);
+
+ if (rsp_type == SD_RSP_TYPE_R1b)
+ timeout = 3000;
+
+RTY_SEND_CMD:
+
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD0, 0xFF, 0x40 | cmd_idx);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD1, 0xFF, (u8) (arg >> 24));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD2, 0xFF, (u8) (arg >> 16));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD3, 0xFF, (u8) (arg >> 8));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD4, 0xFF, (u8) arg);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG2, 0xFF, rsp_type);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE,
+ 0x01, PINGPONG_BUFFER);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_TRANSFER,
+ 0xFF, SD_TM_CMD_RSP | SD_TRANSFER_START);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, SD_TRANSFER, SD_TRANSFER_END,
+ SD_TRANSFER_END);
+
+ rts51x_add_cmd(chip, READ_REG_CMD, SD_STAT1, 0, 0);
+
+ if (CHECK_USB(chip, USB_20)) {
+ if (rsp_type == SD_RSP_TYPE_R2) {
+ for (reg_addr = PPBUF_BASE2;
+ reg_addr < PPBUF_BASE2 + 16; reg_addr++) {
+ rts51x_add_cmd(chip, READ_REG_CMD, reg_addr, 0,
+ 0);
+ }
+ len = 19;
+ } else if (rsp_type != SD_RSP_TYPE_R0) {
+ /* Read data from SD_CMDx registers */
+ for (reg_addr = SD_CMD0; reg_addr <= SD_CMD4;
+ reg_addr++) {
+ rts51x_add_cmd(chip, READ_REG_CMD, reg_addr, 0,
+ 0);
+ }
+ len = 8;
+ } else {
+ len = 3;
+ }
+ rts51x_add_cmd(chip, READ_REG_CMD, SD_CMD5, 0, 0);
+ } else {
+ len = 2;
+ }
+
+ retval = rts51x_send_cmd(chip, MODE_CR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = rts51x_get_rsp(chip, len, timeout);
+
+ if (CHECK_SD_TRANS_FAIL(chip, retval)) {
+ rts51x_clear_sd_error(chip);
+
+ if (retval == STATUS_TIMEDOUT) {
+ if (rsp_type & SD_WAIT_BUSY_END) {
+ retval = sd_check_data0_status(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+ }
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ if (rsp_type == SD_RSP_TYPE_R0)
+ return STATUS_SUCCESS;
+
+ if (CHECK_USB(chip, USB_20)) {
+ rts51x_read_rsp_buf(chip, 2, buf, len - 2);
+ } else {
+ if (rsp_type == SD_RSP_TYPE_R2) {
+ reg_addr = PPBUF_BASE2;
+ len = 16;
+ } else {
+ reg_addr = SD_CMD0;
+ len = 5;
+ }
+ retval =
+ rts51x_seq_read_register(chip, reg_addr,
+ (unsigned short)len, buf);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ RTS51X_READ_REG(chip, SD_CMD5, buf + len);
+ }
+ stat = chip->rsp_buf[1];
+
+ if ((buf[0] & 0xC0) != 0)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ if (!(rsp_type & SD_NO_CHECK_CRC7)) {
+ if (stat & SD_CRC7_ERR) {
+ if (cmd_idx == WRITE_MULTIPLE_BLOCK)
+ TRACE_RET(chip, STATUS_FAIL);
+ if (rty_cnt < SD_MAX_RETRY_COUNT) {
+ wait_timeout(20);
+ rty_cnt++;
+ goto RTY_SEND_CMD;
+ } else {
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+ }
+
+ if ((cmd_idx == SELECT_CARD) || (cmd_idx == APP_CMD) ||
+ (cmd_idx == SEND_STATUS) || (cmd_idx == STOP_TRANSMISSION)) {
+ if ((cmd_idx != STOP_TRANSMISSION) && (special_check == 0)) {
+ if (buf[1] & 0x80)
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ if (buf[1] & 0x7F)
+ TRACE_RET(chip, STATUS_FAIL);
+ if (buf[2] & 0xF8)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ if (cmd_idx == SELECT_CARD) {
+ if (rsp_type == SD_RSP_TYPE_R2) {
+ if ((buf[3] & 0x1E) != 0x04)
+ TRACE_RET(chip, STATUS_FAIL);
+ } else if (rsp_type == SD_RSP_TYPE_R2) {
+ if ((buf[3] & 0x1E) != 0x03)
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+ }
+
+ if (rsp && rsp_len)
+ memcpy(rsp, buf, rsp_len);
+
+ return STATUS_SUCCESS;
+}
+
+static int ext_sd_get_rsp(struct rts51x_chip *chip, int len,
+ u8 *rsp, u8 rsp_type)
+{
+ int retval, rsp_len;
+ u16 reg_addr;
+
+ if (rsp_type == SD_RSP_TYPE_R0)
+ return STATUS_SUCCESS;
+
+ rts51x_init_cmd(chip);
+
+ if (rsp_type == SD_RSP_TYPE_R2) {
+ for (reg_addr = PPBUF_BASE2; reg_addr < PPBUF_BASE2 + 16;
+ reg_addr++) {
+ rts51x_add_cmd(chip, READ_REG_CMD, reg_addr, 0xFF, 0);
+ }
+ rsp_len = 17;
+ } else if (rsp_type != SD_RSP_TYPE_R0) {
+ for (reg_addr = SD_CMD0; reg_addr <= SD_CMD4; reg_addr++)
+ rts51x_add_cmd(chip, READ_REG_CMD, reg_addr, 0xFF, 0);
+ rsp_len = 6;
+ }
+ rts51x_add_cmd(chip, READ_REG_CMD, SD_CMD5, 0xFF, 0);
+
+ retval = rts51x_send_cmd(chip, MODE_CR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = rts51x_get_rsp(chip, rsp_len, 100);
+
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (rsp) {
+ int min_len = (rsp_len < len) ? rsp_len : len;
+
+ memcpy(rsp, rts51x_get_rsp_data(chip), min_len);
+
+ RTS51X_DEBUGP("min_len = %d\n", min_len);
+ RTS51X_DEBUGP("Response in cmd buf: 0x%x 0x%x 0x%x 0x%x\n",
+ rsp[0], rsp[1], rsp[2], rsp[3]);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+int ext_rts51x_sd_execute_no_data(struct rts51x_chip *chip, unsigned int lun,
+ u8 cmd_idx, u8 standby, u8 acmd, u8 rsp_code,
+ u32 arg)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval, rsp_len;
+ u8 rsp_type;
+
+ retval = rts51x_sd_switch_clock(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, TRANSPORT_FAILED);
+
+ if (sd_card->pre_cmd_err) {
+ sd_card->pre_cmd_err = 0;
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_CHANGE);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ retval = get_rsp_type(rsp_code, &rsp_type, &rsp_len);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ sd_card->last_rsp_type = rsp_type;
+
+ retval = rts51x_sd_switch_clock(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ /* Set H/W SD/MMC Bus Width */
+ rts51x_write_register(chip, SD_CFG1, 0x03, SD_BUS_WIDTH_4);
+
+ if (standby) {
+ retval = rts51x_sd_select_card(chip, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, SD_Execute_Cmd_Failed);
+ }
+
+ if (acmd) {
+ retval =
+ ext_sd_send_cmd_get_rsp(chip, APP_CMD, sd_card->sd_addr,
+ SD_RSP_TYPE_R1, NULL, 0, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, SD_Execute_Cmd_Failed);
+ }
+
+ retval = ext_sd_send_cmd_get_rsp(chip, cmd_idx, arg, rsp_type,
+ sd_card->rsp, rsp_len, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, SD_Execute_Cmd_Failed);
+
+ if (standby) {
+ retval = rts51x_sd_select_card(chip, 1);
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, SD_Execute_Cmd_Failed);
+ }
+
+ return TRANSPORT_GOOD;
+
+SD_Execute_Cmd_Failed:
+ sd_card->pre_cmd_err = 1;
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_NO_SENSE);
+ rts51x_release_sd_card(chip);
+ rts51x_do_rts51x_reset_sd_card(chip);
+ if (!(chip->card_ready & SD_CARD))
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT);
+
+ TRACE_RET(chip, TRANSPORT_FAILED);
+}
+
+int ext_rts51x_sd_execute_read_data(struct rts51x_chip *chip, unsigned int lun,
+ u8 cmd_idx, u8 cmd12, u8 standby,
+ u8 acmd, u8 rsp_code, u32 arg, u32 data_len,
+ void *data_buf, unsigned int buf_len, int use_sg)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval, rsp_len, i;
+ int cmd13_checkbit = 0, read_err = 0;
+ u8 rsp_type, bus_width;
+
+ if (sd_card->pre_cmd_err) {
+ sd_card->pre_cmd_err = 0;
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_CHANGE);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ retval = rts51x_sd_switch_clock(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, STATUS_FAIL);
+ retval = get_rsp_type(rsp_code, &rsp_type, &rsp_len);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ sd_card->last_rsp_type = rsp_type;
+
+ retval = rts51x_sd_switch_clock(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ bus_width = SD_BUS_WIDTH_4;
+
+ if (data_len < 512) {
+ retval = ext_sd_send_cmd_get_rsp(chip, SET_BLOCKLEN, data_len,
+ SD_RSP_TYPE_R1, NULL, 0, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, SD_Execute_Read_Cmd_Failed);
+ }
+
+ if (standby) {
+ retval = rts51x_sd_select_card(chip, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, SD_Execute_Read_Cmd_Failed);
+ }
+
+ if (acmd) {
+ retval =
+ ext_sd_send_cmd_get_rsp(chip, APP_CMD, sd_card->sd_addr,
+ SD_RSP_TYPE_R1, NULL, 0, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, SD_Execute_Read_Cmd_Failed);
+ }
+
+ if (data_len <= 512) {
+ int min_len;
+ u8 *buf;
+ u16 byte_cnt, blk_cnt;
+ u8 cmd[5];
+ unsigned int offset = 0;
+ void *sg = NULL;
+
+ byte_cnt = (u16) (data_len & 0x3FF);
+ blk_cnt = 1;
+
+ cmd[0] = 0x40 | cmd_idx;
+ cmd[1] = (u8) (arg >> 24);
+ cmd[2] = (u8) (arg >> 16);
+ cmd[3] = (u8) (arg >> 8);
+ cmd[4] = (u8) arg;
+
+ buf = kmalloc(data_len, GFP_KERNEL);
+ if (buf == NULL)
+ TRACE_RET(chip, TRANSPORT_ERROR);
+
+ retval = sd_read_data(chip, SD_TM_NORMAL_READ, cmd, 5, byte_cnt,
+ blk_cnt, bus_width, buf, data_len, 2000);
+ if (retval != STATUS_SUCCESS) {
+ read_err = 1;
+ kfree(buf);
+ rts51x_write_register(chip, CARD_STOP,
+ SD_STOP | SD_CLR_ERR,
+ SD_STOP | SD_CLR_ERR);
+ TRACE_GOTO(chip, SD_Execute_Read_Cmd_Failed);
+ }
+
+ min_len = min(data_len, buf_len);
+ if (use_sg)
+ rts51x_access_sglist(buf, min_len, (void *)data_buf,
+ &sg, &offset, TO_XFER_BUF);
+ else
+ memcpy(data_buf, buf, min_len);
+
+ kfree(buf);
+ } else if (!(data_len & 0x1FF)) {
+ rts51x_init_cmd(chip);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_H, 0xFF, 0x02);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_L, 0xFF, 0x00);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_H,
+ 0xFF, (u8) (data_len >> 17));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_L,
+ 0xFF, (u8) ((data_len & 0x0001FE00) >> 9));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD0, 0xFF,
+ 0x40 | cmd_idx);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD1, 0xFF,
+ (u8) (arg >> 24));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD2, 0xFF,
+ (u8) (arg >> 16));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD3, 0xFF,
+ (u8) (arg >> 8));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD4, 0xFF, (u8) arg);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG1, 0x03, bus_width);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG2, 0xFF, rsp_type);
+ rts51x_trans_dma_enable(DMA_FROM_DEVICE, chip, data_len, DMA_512);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_TRANSFER, 0xFF,
+ SD_TM_AUTO_READ_2 | SD_TRANSFER_START);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, SD_TRANSFER,
+ SD_TRANSFER_END, SD_TRANSFER_END);
+ retval = rts51x_send_cmd(chip, MODE_CDIR, 100);
+ if (retval != STATUS_SUCCESS) {
+ read_err = 1;
+ rts51x_ep0_write_register(chip, CARD_STOP,
+ SD_STOP | SD_CLR_ERR,
+ SD_STOP | SD_CLR_ERR);
+ TRACE_GOTO(chip, SD_Execute_Read_Cmd_Failed);
+ }
+
+ retval =
+ rts51x_transfer_data_rcc(chip, RCV_BULK_PIPE(chip),
+ data_buf, buf_len, use_sg, NULL,
+ 10000, STAGE_DI);
+ if (retval != STATUS_SUCCESS) {
+ read_err = 1;
+ rts51x_ep0_write_register(chip, CARD_STOP,
+ SD_STOP | SD_CLR_ERR,
+ SD_STOP | SD_CLR_ERR);
+ TRACE_GOTO(chip, SD_Execute_Read_Cmd_Failed);
+ }
+ retval = rts51x_get_rsp(chip, 1, 500);
+ if (CHECK_SD_TRANS_FAIL(chip, retval)) {
+ read_err = 1;
+ rts51x_ep0_write_register(chip, CARD_STOP,
+ SD_STOP | SD_CLR_ERR,
+ SD_STOP | SD_CLR_ERR);
+ TRACE_GOTO(chip, SD_Execute_Read_Cmd_Failed);
+ }
+ } else {
+ TRACE_GOTO(chip, SD_Execute_Read_Cmd_Failed);
+ }
+
+ retval = ext_sd_get_rsp(chip, rsp_len, sd_card->rsp, rsp_type);
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, SD_Execute_Read_Cmd_Failed);
+
+ if (standby) {
+ retval = rts51x_sd_select_card(chip, 1);
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, SD_Execute_Read_Cmd_Failed);
+ }
+
+ if (cmd12) {
+ retval = ext_sd_send_cmd_get_rsp(chip, STOP_TRANSMISSION,
+ 0, SD_RSP_TYPE_R1b, NULL, 0,
+ 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, SD_Execute_Read_Cmd_Failed);
+ }
+
+ if (data_len < 512) {
+ retval = ext_sd_send_cmd_get_rsp(chip, SET_BLOCKLEN, 0x200,
+ SD_RSP_TYPE_R1, NULL, 0, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, SD_Execute_Read_Cmd_Failed);
+
+ rts51x_write_register(chip, SD_BYTE_CNT_H, 0xFF, 0x02);
+ rts51x_write_register(chip, SD_BYTE_CNT_L, 0xFF, 0x00);
+ }
+
+ if (standby || cmd12)
+ cmd13_checkbit = 1;
+
+ for (i = 0; i < 3; i++) {
+ retval =
+ ext_sd_send_cmd_get_rsp(chip, SEND_STATUS, sd_card->sd_addr,
+ SD_RSP_TYPE_R1, NULL, 0,
+ cmd13_checkbit);
+ if (retval == STATUS_SUCCESS)
+ break;
+ }
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, SD_Execute_Read_Cmd_Failed);
+
+ return TRANSPORT_GOOD;
+
+SD_Execute_Read_Cmd_Failed:
+ sd_card->pre_cmd_err = 1;
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_NO_SENSE);
+ if (read_err)
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR);
+ rts51x_release_sd_card(chip);
+ rts51x_do_rts51x_reset_sd_card(chip);
+ if (!(chip->card_ready & SD_CARD))
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT);
+
+ TRACE_RET(chip, TRANSPORT_FAILED);
+}
+
+int ext_rts51x_sd_execute_write_data(struct rts51x_chip *chip, unsigned int lun,
+ u8 cmd_idx, u8 cmd12, u8 standby, u8 acmd,
+ u8 rsp_code, u32 arg, u32 data_len,
+ void *data_buf, unsigned int buf_len, int use_sg)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval, rsp_len;
+ int cmd13_checkbit = 0, write_err = 0;
+ u8 rsp_type;
+ u32 i;
+
+ if (sd_card->pre_cmd_err) {
+ sd_card->pre_cmd_err = 0;
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_CHANGE);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ retval = rts51x_sd_switch_clock(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ retval = get_rsp_type(rsp_code, &rsp_type, &rsp_len);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ sd_card->last_rsp_type = rsp_type;
+
+ retval = rts51x_sd_switch_clock(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ rts51x_write_register(chip, SD_CFG1, 0x03, SD_BUS_WIDTH_4);
+
+ if (data_len < 512) {
+ retval = ext_sd_send_cmd_get_rsp(chip, SET_BLOCKLEN, data_len,
+ SD_RSP_TYPE_R1, NULL, 0, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed);
+ }
+
+ if (standby) {
+ retval = rts51x_sd_select_card(chip, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed);
+ }
+
+ if (acmd) {
+ retval =
+ ext_sd_send_cmd_get_rsp(chip, APP_CMD, sd_card->sd_addr,
+ SD_RSP_TYPE_R1, NULL, 0, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed);
+ }
+
+ retval = ext_sd_send_cmd_get_rsp(chip, cmd_idx, arg, rsp_type,
+ sd_card->rsp, rsp_len, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed);
+
+ if (data_len <= 512) {
+ u8 *buf;
+ unsigned int offset = 0;
+ void *sg = NULL;
+
+ buf = kmalloc(data_len, GFP_KERNEL);
+ if (buf == NULL)
+ TRACE_RET(chip, TRANSPORT_ERROR);
+
+ if (use_sg)
+ rts51x_access_sglist(buf, data_len, (void *)data_buf,
+ &sg, &offset, FROM_XFER_BUF);
+ else
+ memcpy(buf, data_buf, data_len);
+
+
+ if (data_len > 256) {
+ rts51x_init_cmd(chip);
+ for (i = 0; i < 256; i++) {
+ rts51x_add_cmd(chip, WRITE_REG_CMD,
+ (u16) (PPBUF_BASE2 + i), 0xFF,
+ buf[i]);
+ }
+ retval = rts51x_send_cmd(chip, MODE_C, 250);
+ if (retval != STATUS_SUCCESS) {
+ kfree(buf);
+ TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed);
+ }
+
+ rts51x_init_cmd(chip);
+ for (i = 256; i < data_len; i++) {
+ rts51x_add_cmd(chip, WRITE_REG_CMD,
+ (u16) (PPBUF_BASE2 + i), 0xFF,
+ buf[i]);
+ }
+ retval = rts51x_send_cmd(chip, MODE_C, 250);
+ if (retval != STATUS_SUCCESS) {
+ kfree(buf);
+ TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed);
+ }
+ } else {
+ rts51x_init_cmd(chip);
+ for (i = 0; i < data_len; i++) {
+ rts51x_add_cmd(chip, WRITE_REG_CMD,
+ (u16) (PPBUF_BASE2 + i), 0xFF,
+ buf[i]);
+ }
+ retval = rts51x_send_cmd(chip, MODE_C, 250);
+ if (retval != STATUS_SUCCESS) {
+ kfree(buf);
+ TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed);
+ }
+ }
+
+ kfree(buf);
+
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_H, 0xFF,
+ (u8) ((data_len >> 8) & 0x03));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_L, 0xFF,
+ (u8) data_len);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_H, 0xFF, 0x00);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_L, 0xFF, 0x01);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01,
+ PINGPONG_BUFFER);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_TRANSFER, 0xFF,
+ SD_TM_AUTO_WRITE_3 | SD_TRANSFER_START);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, SD_TRANSFER,
+ SD_TRANSFER_END, SD_TRANSFER_END);
+
+ retval = rts51x_send_cmd(chip, MODE_CR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed);
+
+ retval = rts51x_get_rsp(chip, 1, 250);
+ if (CHECK_SD_TRANS_FAIL(chip, retval))
+ TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed);
+ } else if (!(data_len & 0x1FF)) {
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_H, 0xFF, 0x02);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_L, 0xFF, 0x00);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_H,
+ 0xFF, (u8) (data_len >> 17));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_L,
+ 0xFF, (u8) ((data_len & 0x0001FE00) >> 9));
+
+ rts51x_trans_dma_enable(DMA_TO_DEVICE, chip, data_len, DMA_512);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, SD_TRANSFER, 0xFF,
+ SD_TM_AUTO_WRITE_3 | SD_TRANSFER_START);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, SD_TRANSFER,
+ SD_TRANSFER_END, SD_TRANSFER_END);
+
+ retval = rts51x_send_cmd(chip, MODE_CDOR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed);
+
+ retval =
+ rts51x_transfer_data_rcc(chip, SND_BULK_PIPE(chip),
+ data_buf, buf_len, use_sg, NULL,
+ 10000, STAGE_DO);
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed);
+
+ retval = rts51x_get_rsp(chip, 1, 10000);
+ if (CHECK_SD_TRANS_FAIL(chip, retval))
+ TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed);
+
+ } else {
+ TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed);
+ }
+
+ if (retval < 0) {
+ write_err = 1;
+ rts51x_write_register(chip, CARD_STOP, SD_STOP | SD_CLR_ERR,
+ SD_STOP | SD_CLR_ERR);
+ TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed);
+ }
+
+ if (standby) {
+ retval = rts51x_sd_select_card(chip, 1);
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed);
+ }
+
+ if (cmd12) {
+ retval = ext_sd_send_cmd_get_rsp(chip, STOP_TRANSMISSION,
+ 0, SD_RSP_TYPE_R1b, NULL, 0,
+ 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed);
+ }
+
+ if (data_len < 512) {
+ retval = ext_sd_send_cmd_get_rsp(chip, SET_BLOCKLEN, 0x200,
+ SD_RSP_TYPE_R1, NULL, 0, 0);
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed);
+
+ rts51x_write_register(chip, SD_BYTE_CNT_H, 0xFF, 0x02);
+ rts51x_write_register(chip, SD_BYTE_CNT_L, 0xFF, 0x00);
+ }
+
+ if (cmd12 || standby) {
+ /* There is CMD7 or CMD12 sent before CMD13 */
+ cmd13_checkbit = 1;
+ }
+
+ for (i = 0; i < 3; i++) {
+ retval =
+ ext_sd_send_cmd_get_rsp(chip, SEND_STATUS, sd_card->sd_addr,
+ SD_RSP_TYPE_R1, NULL, 0,
+ cmd13_checkbit);
+ if (retval == STATUS_SUCCESS)
+ break;
+ }
+ if (retval != STATUS_SUCCESS)
+ TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed);
+
+ return TRANSPORT_GOOD;
+
+SD_Execute_Write_Cmd_Failed:
+ sd_card->pre_cmd_err = 1;
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_NO_SENSE);
+ if (write_err)
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_WRITE_ERR);
+ rts51x_release_sd_card(chip);
+ rts51x_do_rts51x_reset_sd_card(chip);
+ if (!(chip->card_ready & SD_CARD))
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT);
+
+ TRACE_RET(chip, TRANSPORT_FAILED);
+}
+
+int rts51x_sd_pass_thru_mode(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ unsigned int lun = SCSI_LUN(srb);
+ int len;
+ u8 buf[18] = {
+ 0x00,
+ 0x00,
+ 0x00,
+ 0x0E,
+ 0x00, /* Version Number */
+ 0x00, /* WP | Media Type */
+ 0x00, /* RCA (Low byte) */
+ 0x00, /* RCA (High byte) */
+ 0x53, /* 'S' */
+ 0x44, /* 'D' */
+ 0x20, /* ' ' */
+ 0x43, /* 'C' */
+ 0x61, /* 'a' */
+ 0x72, /* 'r' */
+ 0x64, /* 'd' */
+ 0x00, /* Max LUN Number */
+ 0x00,
+ 0x00,
+ };
+
+ sd_card->pre_cmd_err = 0;
+
+ if (!(CHK_BIT(chip->lun_mc, lun))) {
+ SET_BIT(chip->lun_mc, lun);
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_CHANGE);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ if ((0x53 != srb->cmnd[2]) || (0x44 != srb->cmnd[3])
+ || (0x20 != srb->cmnd[4]) || (0x43 != srb->cmnd[5])
+ || (0x61 != srb->cmnd[6]) || (0x72 != srb->cmnd[7])
+ || (0x64 != srb->cmnd[8])) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ switch (srb->cmnd[1] & 0x0F) {
+ case 0:
+ sd_card->sd_pass_thru_en = 0;
+ break;
+
+ case 1:
+ sd_card->sd_pass_thru_en = 1;
+ break;
+
+ default:
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ /* 0x01:SD Memory Card; 0x02:Other Media; 0x03:Illegal Media; */
+ buf[5] = (1 == CHK_SD(sd_card)) ? 0x01 : 0x02;
+ if (chip->card_wp & SD_CARD)
+ buf[5] |= 0x80;
+
+ buf[6] = (u8) (sd_card->sd_addr >> 16);
+ buf[7] = (u8) (sd_card->sd_addr >> 24);
+
+ buf[15] = chip->max_lun;
+
+ len = min_t(unsigned, 18, scsi_bufflen(srb));
+ rts51x_set_xfer_buf(buf, len, srb);
+
+ return TRANSPORT_GOOD;
+}
+
+int rts51x_sd_execute_no_data(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ unsigned int lun = SCSI_LUN(srb);
+ int retval;
+ u8 cmd_idx, rsp_code;
+ u8 standby = 0, acmd = 0;
+ u32 arg;
+
+ if (!sd_card->sd_pass_thru_en) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ cmd_idx = srb->cmnd[2] & 0x3F;
+ if (srb->cmnd[1] & 0x02)
+ standby = 1;
+ if (srb->cmnd[1] & 0x01)
+ acmd = 1;
+
+ arg = ((u32) srb->cmnd[3] << 24) | ((u32) srb->cmnd[4] << 16) |
+ ((u32) srb->cmnd[5] << 8) | srb->cmnd[6];
+
+ rsp_code = srb->cmnd[10];
+
+ retval =
+ ext_rts51x_sd_execute_no_data(chip, lun, cmd_idx, standby, acmd, rsp_code,
+ arg);
+ scsi_set_resid(srb, 0);
+ return retval;
+}
+
+int rts51x_sd_execute_read_data(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+ unsigned int lun = SCSI_LUN(srb);
+ u8 cmd_idx, rsp_code, send_cmd12 = 0, standby = 0, acmd = 0;
+ u32 arg, data_len;
+
+ if (!sd_card->sd_pass_thru_en) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ cmd_idx = srb->cmnd[2] & 0x3F;
+ if (srb->cmnd[1] & 0x04)
+ send_cmd12 = 1;
+ if (srb->cmnd[1] & 0x02)
+ standby = 1;
+ if (srb->cmnd[1] & 0x01)
+ acmd = 1;
+
+ arg = ((u32) srb->cmnd[3] << 24) | ((u32) srb->cmnd[4] << 16) |
+ ((u32) srb->cmnd[5] << 8) | srb->cmnd[6];
+
+ data_len =
+ ((u32) srb->cmnd[7] << 16) | ((u32) srb->cmnd[8] << 8) |
+ srb->cmnd[9];
+ rsp_code = srb->cmnd[10];
+
+ retval =
+ ext_rts51x_sd_execute_read_data(chip, lun, cmd_idx, send_cmd12, standby,
+ acmd, rsp_code, arg, data_len,
+ scsi_sglist(srb), scsi_bufflen(srb),
+ scsi_sg_count(srb));
+ scsi_set_resid(srb, 0);
+ return retval;
+}
+
+int rts51x_sd_execute_write_data(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ int retval;
+ unsigned int lun = SCSI_LUN(srb);
+ u8 cmd_idx, rsp_code, send_cmd12 = 0, standby = 0, acmd = 0;
+ u32 data_len, arg;
+
+ if (!sd_card->sd_pass_thru_en) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ cmd_idx = srb->cmnd[2] & 0x3F;
+ if (srb->cmnd[1] & 0x04)
+ send_cmd12 = 1;
+ if (srb->cmnd[1] & 0x02)
+ standby = 1;
+ if (srb->cmnd[1] & 0x01)
+ acmd = 1;
+
+ data_len =
+ ((u32) srb->cmnd[7] << 16) | ((u32) srb->cmnd[8] << 8) |
+ srb->cmnd[9];
+ arg =
+ ((u32) srb->cmnd[3] << 24) | ((u32) srb->cmnd[4] << 16) |
+ ((u32) srb->cmnd[5] << 8) | srb->cmnd[6];
+ rsp_code = srb->cmnd[10];
+
+ retval =
+ ext_rts51x_sd_execute_write_data(chip, lun, cmd_idx, send_cmd12, standby,
+ acmd, rsp_code, arg, data_len,
+ scsi_sglist(srb), scsi_bufflen(srb),
+ scsi_sg_count(srb));
+ scsi_set_resid(srb, 0);
+ return retval;
+}
+
+int rts51x_sd_get_cmd_rsp(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ unsigned int lun = SCSI_LUN(srb);
+ int count;
+ u16 data_len;
+
+ if (!sd_card->sd_pass_thru_en) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ if (sd_card->pre_cmd_err) {
+ sd_card->pre_cmd_err = 0;
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_CHANGE);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ data_len = ((u16) srb->cmnd[7] << 8) | srb->cmnd[8];
+
+ if (sd_card->last_rsp_type == SD_RSP_TYPE_R0) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ } else if (sd_card->last_rsp_type == SD_RSP_TYPE_R2) {
+ count = (data_len < 17) ? data_len : 17;
+ } else {
+ count = (data_len < 6) ? data_len : 6;
+ }
+ rts51x_set_xfer_buf(sd_card->rsp, count, srb);
+
+ RTS51X_DEBUGP("Response length: %d\n", data_len);
+ RTS51X_DEBUGP("Response: 0x%x 0x%x 0x%x 0x%x\n",
+ sd_card->rsp[0], sd_card->rsp[1], sd_card->rsp[2],
+ sd_card->rsp[3]);
+
+ scsi_set_resid(srb, 0);
+ return TRANSPORT_GOOD;
+}
+
+int rts51x_sd_hw_rst(struct scsi_cmnd *srb, struct rts51x_chip *chip)
+{
+ struct sd_info *sd_card = &(chip->sd_card);
+ unsigned int lun = SCSI_LUN(srb);
+ int retval;
+
+ if (!sd_card->sd_pass_thru_en) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ if (sd_card->pre_cmd_err) {
+ sd_card->pre_cmd_err = 0;
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_CHANGE);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ if ((0x53 != srb->cmnd[2]) || (0x44 != srb->cmnd[3])
+ || (0x20 != srb->cmnd[4]) || (0x43 != srb->cmnd[5])
+ || (0x61 != srb->cmnd[6]) || (0x72 != srb->cmnd[7])
+ || (0x64 != srb->cmnd[8])) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ switch (srb->cmnd[1] & 0x0F) {
+ case 0:
+ /* SD Card Power Off -> ON and Initialization */
+ retval = rts51x_reset_sd_card(chip);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT);
+ sd_card->pre_cmd_err = 1;
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ break;
+
+ case 1:
+ /* reset CMD(CMD0) and Initialization
+ * (without SD Card Power Off -> ON) */
+ retval = reset_sd(chip);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT);
+ sd_card->pre_cmd_err = 1;
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+ break;
+
+ default:
+ rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD);
+ TRACE_RET(chip, TRANSPORT_FAILED);
+ }
+
+ scsi_set_resid(srb, 0);
+ return TRANSPORT_GOOD;
+}
+#endif
diff --git a/drivers/staging/rts5139/sd_cprm.h b/drivers/staging/rts5139/sd_cprm.h
new file mode 100644
index 000000000000..79dfd27db41a
--- /dev/null
+++ b/drivers/staging/rts5139/sd_cprm.h
@@ -0,0 +1,54 @@
+/* Driver for Realtek RTS51xx USB card reader
+ * Header file
+ *
+ * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author:
+ * wwang (wei_wang(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ * Maintainer:
+ * Edwin Rong (edwin_rong(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ */
+
+#ifndef __RTS51X_SD_CPRM_H
+#define __RTS51X_SD_CPRM_H
+
+#include "rts51x_chip.h"
+#include "sd.h"
+
+#ifdef SUPPORT_CPRM
+int ext_rts51x_sd_execute_no_data(struct rts51x_chip *chip, unsigned int lun,
+ u8 cmd_idx, u8 standby, u8 acmd, u8 rsp_code,
+ u32 arg);
+int ext_rts51x_sd_execute_read_data(struct rts51x_chip *chip, unsigned int lun,
+ u8 cmd_idx, u8 cmd12, u8 standby, u8 acmd,
+ u8 rsp_code, u32 arg, u32 data_len, void *data_buf,
+ unsigned int buf_len, int use_sg);
+int ext_rts51x_sd_execute_write_data(struct rts51x_chip *chip, unsigned int lun,
+ u8 cmd_idx, u8 cmd12, u8 standby, u8 acmd,
+ u8 rsp_code, u32 arg, u32 data_len,
+ void *data_buf, unsigned int buf_len, int use_sg);
+
+int rts51x_sd_pass_thru_mode(struct scsi_cmnd *srb, struct rts51x_chip *chip);
+int rts51x_sd_execute_no_data(struct scsi_cmnd *srb, struct rts51x_chip *chip);
+int rts51x_sd_execute_read_data(struct scsi_cmnd *srb, struct rts51x_chip *chip);
+int rts51x_sd_execute_write_data(struct scsi_cmnd *srb, struct rts51x_chip *chip);
+int rts51x_sd_get_cmd_rsp(struct scsi_cmnd *srb, struct rts51x_chip *chip);
+int rts51x_sd_hw_rst(struct scsi_cmnd *srb, struct rts51x_chip *chip);
+#endif
+
+#endif /* __RTS51X_SD_CPRM_H */
diff --git a/drivers/staging/rts5139/trace.h b/drivers/staging/rts5139/trace.h
new file mode 100644
index 000000000000..ac58b452ecb8
--- /dev/null
+++ b/drivers/staging/rts5139/trace.h
@@ -0,0 +1,95 @@
+/* Driver for Realtek RTS51xx USB card reader
+ * Header file
+ *
+ * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author:
+ * wwang (wei_wang(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ * Maintainer:
+ * Edwin Rong (edwin_rong(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ */
+
+#ifndef __RTS51X_TRACE_H
+#define __RTS51X_TRACE_H
+
+#include <linux/string.h>
+
+#include "debug.h"
+
+#define _MSG_TRACE
+
+#ifdef _MSG_TRACE
+#define TRACE_RET(chip, ret) \
+do { \
+ const char *_file = kbasename(__FILE__); \
+ RTS51X_DEBUGP("[%s][%s]:[%d]\n", _file, __func__, __LINE__); \
+ (chip)->trace_msg[(chip)->msg_idx].line = (u16)(__LINE__); \
+ strncpy((chip)->trace_msg[(chip)->msg_idx].func, \
+ __func__, MSG_FUNC_LEN-1); \
+ strncpy((chip)->trace_msg[(chip)->msg_idx].file, \
+ _file, MSG_FILE_LEN-1); \
+ get_current_time((chip)->trace_msg[(chip)->msg_idx].timeval_buf,\
+ TIME_VAL_LEN); \
+ (chip)->trace_msg[(chip)->msg_idx].valid = 1; \
+ (chip)->msg_idx++; \
+ if ((chip)->msg_idx >= TRACE_ITEM_CNT) { \
+ (chip)->msg_idx = 0; \
+ } \
+ return ret; \
+} while (0)
+
+#define TRACE_GOTO(chip, label) \
+do { \
+ const char *_file = kbasename(__FILE__); \
+ RTS51X_DEBUGP("[%s][%s]:[%d]\n", _file, __func__, __LINE__); \
+ (chip)->trace_msg[(chip)->msg_idx].line = (u16)(__LINE__); \
+ strncpy((chip)->trace_msg[(chip)->msg_idx].func, \
+ __func__, MSG_FUNC_LEN-1); \
+ strncpy((chip)->trace_msg[(chip)->msg_idx].file, \
+ _file, MSG_FILE_LEN-1); \
+ get_current_time((chip)->trace_msg[(chip)->msg_idx].timeval_buf,\
+ TIME_VAL_LEN); \
+ (chip)->trace_msg[(chip)->msg_idx].valid = 1; \
+ (chip)->msg_idx++; \
+ if ((chip)->msg_idx >= TRACE_ITEM_CNT) { \
+ (chip)->msg_idx = 0; \
+ } \
+ goto label; \
+} while (0)
+#else
+#define TRACE_RET(chip, ret) return (ret)
+#define TRACE_GOTO(chip, label) goto label
+#endif
+
+#ifdef CONFIG_RTS5139_DEBUG
+#define RTS51X_DUMP(buf, buf_len) \
+ print_hex_dump(KERN_DEBUG, RTS51X_TIP, DUMP_PREFIX_NONE, \
+ 16, 1, (buf), (buf_len), false)
+
+#define CATCH_TRIGGER(chip) \
+do { \
+ rts51x_ep0_write_register((chip), 0xFC31, 0x01, 0x01); \
+ RTS51X_DEBUGP("Catch trigger!\n"); \
+} while (0)
+
+#else
+#define RTS51X_DUMP(buf, buf_len)
+#define CATCH_TRIGGER(chip)
+#endif
+
+#endif /* __RTS51X_TRACE_H */
diff --git a/drivers/staging/rts5139/xd.c b/drivers/staging/rts5139/xd.c
new file mode 100644
index 000000000000..be432351be86
--- /dev/null
+++ b/drivers/staging/rts5139/xd.c
@@ -0,0 +1,2145 @@
+/* Driver for Realtek RTS51xx USB card reader
+ *
+ * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author:
+ * wwang (wei_wang(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ * Maintainer:
+ * Edwin Rong (edwin_rong(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ */
+
+#include <linux/blkdev.h>
+#include <linux/kthread.h>
+#include <linux/sched.h>
+#include <linux/vmalloc.h>
+
+#include "debug.h"
+#include "trace.h"
+#include "rts51x.h"
+#include "rts51x_transport.h"
+#include "rts51x_scsi.h"
+#include "rts51x_card.h"
+#include "xd.h"
+
+static int xd_build_l2p_tbl(struct rts51x_chip *chip, int zone_no);
+static int xd_init_page(struct rts51x_chip *chip, u32 phy_blk, u16 logoff,
+ u8 start_page, u8 end_page);
+
+static inline void xd_set_err_code(struct rts51x_chip *chip, u8 err_code)
+{
+ struct xd_info *xd_card = &(chip->xd_card);
+
+ xd_card->err_code = err_code;
+}
+
+static int xd_set_init_para(struct rts51x_chip *chip)
+{
+ struct xd_info *xd_card = &(chip->xd_card);
+ int retval;
+
+ if (chip->asic_code)
+ xd_card->xd_clock = 47;
+ else
+ xd_card->xd_clock = CLK_50;
+
+ retval = switch_clock(chip, xd_card->xd_clock);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ return STATUS_SUCCESS;
+}
+
+static int xd_switch_clock(struct rts51x_chip *chip)
+{
+ struct xd_info *xd_card = &(chip->xd_card);
+ int retval;
+
+ retval = rts51x_select_card(chip, XD_CARD);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = switch_clock(chip, xd_card->xd_clock);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ return STATUS_SUCCESS;
+}
+
+static int xd_read_id(struct rts51x_chip *chip, u8 id_cmd, u8 *id_buf,
+ u8 buf_len)
+{
+ int retval, i;
+
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_DAT, 0xFF, id_cmd);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_TRANSFER, 0xFF,
+ XD_TRANSFER_START | XD_READ_ID);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, XD_TRANSFER, XD_TRANSFER_END,
+ XD_TRANSFER_END);
+
+ for (i = 0; i < 4; i++) {
+ rts51x_add_cmd(chip, READ_REG_CMD, (u16) (XD_ADDRESS1 + i), 0,
+ 0);
+ }
+
+ retval = rts51x_send_cmd(chip, MODE_CR, 20);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = rts51x_get_rsp(chip, 5, 20);
+
+ if (retval != STATUS_SUCCESS) {
+ rts51x_clear_xd_error(chip);
+ TRACE_RET(chip, retval);
+ }
+
+ if (id_buf && buf_len) {
+ if (buf_len > 4)
+ buf_len = 4;
+ rts51x_read_rsp_buf(chip, 1, id_buf, buf_len);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static void xd_assign_phy_addr(struct rts51x_chip *chip, u32 addr, u8 mode)
+{
+ struct xd_info *xd_card = &(chip->xd_card);
+
+ switch (mode) {
+ case XD_RW_ADDR:
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_ADDRESS0, 0xFF, 0);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_ADDRESS1, 0xFF,
+ (u8) addr);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_ADDRESS2, 0xFF,
+ (u8) (addr >> 8));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_ADDRESS3, 0xFF,
+ (u8) (addr >> 16));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_CFG, 0xFF,
+ xd_card->addr_cycle | XD_CALC_ECC |
+ XD_BA_NO_TRANSFORM);
+ break;
+
+ case XD_ERASE_ADDR:
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_ADDRESS0, 0xFF,
+ (u8) addr);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_ADDRESS1, 0xFF,
+ (u8) (addr >> 8));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_ADDRESS2, 0xFF,
+ (u8) (addr >> 16));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_CFG, 0xFF,
+ (xd_card->addr_cycle - 1) |
+ XD_CALC_ECC | XD_BA_NO_TRANSFORM);
+ break;
+
+ default:
+ break;
+ }
+}
+
+static int xd_read_redundant(struct rts51x_chip *chip, u32 page_addr, u8 *buf,
+ int buf_len)
+{
+ int retval, i;
+
+ rts51x_init_cmd(chip);
+
+ xd_assign_phy_addr(chip, page_addr, XD_RW_ADDR);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_TRANSFER, 0xFF,
+ XD_TRANSFER_START | XD_READ_REDUNDANT);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, XD_TRANSFER, XD_TRANSFER_END,
+ XD_TRANSFER_END);
+
+ for (i = 0; i < 6; i++) {
+ rts51x_add_cmd(chip, READ_REG_CMD, (u16) (XD_PAGE_STATUS + i),
+ 0, 0);
+ }
+ for (i = 0; i < 4; i++) {
+ rts51x_add_cmd(chip, READ_REG_CMD, (u16) (XD_RESERVED0 + i), 0,
+ 0);
+ }
+ rts51x_add_cmd(chip, READ_REG_CMD, XD_PARITY, 0, 0);
+
+ retval = rts51x_send_cmd(chip, MODE_CR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = rts51x_get_rsp(chip, 11, 500);
+
+ if (retval != STATUS_SUCCESS) {
+ rts51x_clear_xd_error(chip);
+ TRACE_RET(chip, retval);
+ }
+
+ if (buf && buf_len) {
+ if (buf_len > 11)
+ buf_len = 11;
+ rts51x_read_rsp_buf(chip, 1, buf, buf_len);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int xd_read_data_from_ppb(struct rts51x_chip *chip, int offset, u8 *buf,
+ int buf_len)
+{
+ int retval, i;
+
+ if (!buf || (buf_len <= 0))
+ TRACE_RET(chip, STATUS_FAIL);
+
+ rts51x_init_cmd(chip);
+
+ for (i = 0; i < buf_len; i++) {
+ rts51x_add_cmd(chip, READ_REG_CMD, PPBUF_BASE2 + offset + i, 0,
+ 0);
+ }
+
+ retval = rts51x_send_cmd(chip, MODE_CR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = rts51x_get_rsp(chip, buf_len, 200);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ rts51x_read_rsp_buf(chip, 0, buf, buf_len);
+
+ return STATUS_SUCCESS;
+}
+
+static int xd_read_cis(struct rts51x_chip *chip, u32 page_addr, u8 *buf,
+ int buf_len)
+{
+ int retval;
+ u8 reg;
+
+ if (!buf || (buf_len < 10))
+ TRACE_RET(chip, STATUS_FAIL);
+
+ rts51x_init_cmd(chip);
+
+ xd_assign_phy_addr(chip, page_addr, XD_RW_ADDR);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01,
+ PINGPONG_BUFFER);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_PAGE_CNT, 0xFF, 1);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_CHK_DATA_STATUS,
+ XD_AUTO_CHK_DATA_STATUS, XD_AUTO_CHK_DATA_STATUS);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_TRANSFER, 0xFF,
+ XD_TRANSFER_START | XD_READ_PAGES);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, XD_TRANSFER,
+ XD_TRANSFER_END | XD_PPB_EMPTY,
+ XD_TRANSFER_END | XD_PPB_EMPTY);
+
+ retval = rts51x_send_cmd(chip, MODE_CR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = rts51x_get_rsp(chip, 1, 500);
+ if (retval == STATUS_TIMEDOUT) {
+ rts51x_clear_xd_error(chip);
+ TRACE_RET(chip, retval);
+ }
+
+ RTS51X_READ_REG(chip, XD_PAGE_STATUS, ®);
+ if (reg != XD_GPG) {
+ rts51x_clear_xd_error(chip);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ RTS51X_READ_REG(chip, XD_CTL, ®);
+
+ if (!(reg & XD_ECC1_ERROR) || !(reg & XD_ECC1_UNCORRECTABLE)) {
+ retval = xd_read_data_from_ppb(chip, 0, buf, buf_len);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ if (reg & XD_ECC1_ERROR) { /* correctable error */
+ u8 ecc_bit, ecc_byte;
+
+ RTS51X_READ_REG(chip, XD_ECC_BIT1, &ecc_bit);
+ RTS51X_READ_REG(chip, XD_ECC_BYTE1, &ecc_byte);
+
+ RTS51X_DEBUGP("ECC_BIT1 = 0x%x, ECC_BYTE1 = 0x%x\n",
+ ecc_bit, ecc_byte);
+ if (ecc_byte < buf_len) {
+ RTS51X_DEBUGP("Before correct: 0x%x\n",
+ buf[ecc_byte]);
+ buf[ecc_byte] ^= (1 << ecc_bit);
+ RTS51X_DEBUGP("After correct: 0x%x\n",
+ buf[ecc_byte]);
+ }
+ }
+ } else if (!(reg & XD_ECC2_ERROR) || !(reg & XD_ECC2_UNCORRECTABLE)) {
+ RTS51X_WRITE_REG(chip, CARD_STOP, XD_STOP | XD_CLR_ERR,
+ XD_STOP | XD_CLR_ERR);
+
+ retval = xd_read_data_from_ppb(chip, 256, buf, buf_len);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ if (reg & XD_ECC2_ERROR) {
+ u8 ecc_bit, ecc_byte;
+
+ RTS51X_READ_REG(chip, XD_ECC_BIT2, &ecc_bit);
+ RTS51X_READ_REG(chip, XD_ECC_BYTE2, &ecc_byte);
+
+ RTS51X_DEBUGP("ECC_BIT2 = 0x%x, ECC_BYTE2 = 0x%x\n",
+ ecc_bit, ecc_byte);
+ if (ecc_byte < buf_len) {
+ RTS51X_DEBUGP("Before correct: 0x%x\n",
+ buf[ecc_byte]);
+ buf[ecc_byte] ^= (1 << ecc_bit);
+ RTS51X_DEBUGP("After correct: 0x%x\n",
+ buf[ecc_byte]);
+ }
+ }
+ } else {
+ rts51x_clear_xd_error(chip);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static void xd_pull_ctl_disable(struct rts51x_chip *chip)
+{
+ if (CHECK_PKG(chip, LQFP48)) {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0x95);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0xA5);
+ } else {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0x65);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0x95);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x56);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0x59);
+ }
+}
+
+static void xd_pull_ctl_enable(struct rts51x_chip *chip)
+{
+ if (CHECK_PKG(chip, LQFP48)) {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0xAA);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0x95);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0xA5);
+ } else {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0xA5);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0x59);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0x95);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x55);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0x59);
+ }
+}
+
+static int reset_xd(struct rts51x_chip *chip)
+{
+ struct xd_info *xd_card = &(chip->xd_card);
+ int retval, i, j;
+ u8 id_buf[4], redunt[11];
+
+ retval = rts51x_select_card(chip, XD_CARD);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_CHK_DATA_STATUS, 0xFF,
+ XD_PGSTS_NOT_FF);
+ if (chip->asic_code)
+ xd_pull_ctl_disable(chip);
+ else
+ rts51x_add_cmd(chip, WRITE_REG_CMD, FPGA_PULL_CTL, 0xFF,
+ (FPGA_XD_PULL_CTL_EN1 & FPGA_XD_PULL_CTL_EN3));
+
+ if (!chip->option.FT2_fast_mode) {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_INIT, XD_NO_AUTO_PWR_OFF,
+ 0);
+ if (CHECK_PKG(chip, LQFP48) ||
+ chip->option.rts5129_D3318_off_enable) {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL,
+ DV3318_AUTO_PWR_OFF,
+ DV3318_AUTO_PWR_OFF);
+ }
+ }
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_OE, XD_OUTPUT_EN, 0);
+ if (!chip->option.FT2_fast_mode) {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL, POWER_MASK,
+ POWER_OFF);
+ }
+
+ retval = rts51x_send_cmd(chip, MODE_C, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ if (!chip->option.FT2_fast_mode) {
+#ifdef SD_XD_IO_FOLLOW_PWR
+ if (CHECK_PKG(chip, LQFP48)
+ || chip->option.rts5129_D3318_off_enable) {
+ rts51x_write_register(chip, CARD_PWR_CTL,
+ LDO_OFF, LDO_OFF);
+ }
+#endif
+
+ wait_timeout(250);
+
+#ifdef SD_XD_IO_FOLLOW_PWR
+ if (CHECK_PKG(chip, LQFP48)
+ || chip->option.rts5129_D3318_off_enable) {
+ rts51x_init_cmd(chip);
+ if (chip->asic_code) {
+ xd_pull_ctl_enable(chip);
+ } else {
+ rts51x_add_cmd(chip, WRITE_REG_CMD,
+ FPGA_PULL_CTL, 0xFF,
+ (FPGA_XD_PULL_CTL_EN1 &
+ FPGA_XD_PULL_CTL_EN2));
+ }
+ retval = rts51x_send_cmd(chip, MODE_C, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+#endif
+
+ retval = rts51x_card_power_on(chip, XD_CARD);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+#ifdef SUPPORT_OCP
+ wait_timeout(50);
+ rts51x_get_card_status(chip, &(chip->card_status));
+ chip->ocp_stat = (chip->card_status >> 4) & 0x03;
+
+ if (chip->ocp_stat & (MS_OCP_NOW | MS_OCP_EVER)) {
+ RTS51X_DEBUGP("Over current, OCPSTAT is 0x%x\n",
+ chip->ocp_stat);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+#endif
+ }
+
+ rts51x_init_cmd(chip);
+
+ if (chip->asic_code)
+ xd_pull_ctl_enable(chip);
+ else
+ rts51x_add_cmd(chip, WRITE_REG_CMD, FPGA_PULL_CTL, 0xFF,
+ (FPGA_XD_PULL_CTL_EN1 & FPGA_XD_PULL_CTL_EN2));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_OE, XD_OUTPUT_EN,
+ XD_OUTPUT_EN);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_CTL, XD_CE_DISEN, XD_CE_DISEN);
+
+ retval = rts51x_send_cmd(chip, MODE_C, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ if (!chip->option.FT2_fast_mode)
+ wait_timeout(200);
+
+ retval = xd_set_init_para(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, STATUS_FAIL);
+ /* Read ID to check if the timing setting is right */
+ for (i = 0; i < 4; i++) {
+ u8 xd_dat, xd_ctl;
+
+ if (monitor_card_cd(chip, XD_CARD) == CD_NOT_EXIST)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ rts51x_init_cmd(chip);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_DTCTL, 0xFF,
+ XD_TIME_SETUP_STEP * 3 + XD_TIME_RW_STEP *
+ (2 + i + chip->option.rts51x_xd_rw_step)
+ + XD_TIME_RWN_STEP *
+ (i + chip->option.rts51x_xd_rwn_step));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_CATCTL, 0xFF,
+ XD_TIME_SETUP_STEP * 3 + XD_TIME_RW_STEP * (4 +
+ i) + XD_TIME_RWN_STEP * (3 + i));
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_TRANSFER, 0xFF,
+ XD_TRANSFER_START | XD_RESET);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, XD_TRANSFER,
+ XD_TRANSFER_END, XD_TRANSFER_END);
+
+ rts51x_add_cmd(chip, READ_REG_CMD, XD_DAT, 0, 0);
+ rts51x_add_cmd(chip, READ_REG_CMD, XD_CTL, 0, 0);
+
+ retval = rts51x_send_cmd(chip, MODE_CR, 100);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_clear_xd_error(chip);
+ TRACE_RET(chip, retval);
+ }
+
+ retval = rts51x_get_rsp(chip, 3, 100);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_clear_xd_error(chip);
+ TRACE_RET(chip, retval);
+ }
+
+ xd_dat = chip->rsp_buf[1];
+ xd_ctl = chip->rsp_buf[2];
+ RTS51X_DEBUGP("XD_DAT: 0x%x, XD_CTL: 0x%x\n", xd_dat, xd_ctl);
+
+ if (((xd_dat & READY_FLAG) != READY_STATE)
+ || !(xd_ctl & XD_RDY))
+ continue;
+
+ retval = xd_read_id(chip, READ_ID, id_buf, 4);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ RTS51X_DEBUGP("READ_ID: 0x%x 0x%x 0x%x 0x%x\n",
+ id_buf[0], id_buf[1], id_buf[2], id_buf[3]);
+
+ xd_card->device_code = id_buf[1];
+
+ switch (xd_card->device_code) {
+ case XD_4M_X8_512_1:
+ case XD_4M_X8_512_2:
+ xd_card->block_shift = 4; /* 16 pages per block */
+ xd_card->page_off = 0x0F;
+ xd_card->addr_cycle = 3;
+ xd_card->zone_cnt = 1;
+ xd_card->capacity = 8000; /* 500 * 2 ^ 4 */
+ XD_SET_4MB(xd_card);
+ break;
+ case XD_8M_X8_512:
+ xd_card->block_shift = 4;
+ xd_card->page_off = 0x0F;
+ xd_card->addr_cycle = 3;
+ xd_card->zone_cnt = 1;
+ xd_card->capacity = 16000; /* 1000 * 2 ^ 4 */
+ break;
+ case XD_16M_X8_512:
+ XD_PAGE_512(xd_card); /* 32 pages per block */
+ xd_card->addr_cycle = 3;
+ xd_card->zone_cnt = 1;
+ xd_card->capacity = 32000; /* 1000 * 2 ^ 5 */
+ break;
+ case XD_32M_X8_512:
+ XD_PAGE_512(xd_card);
+ xd_card->addr_cycle = 3;
+ xd_card->zone_cnt = 2;
+ xd_card->capacity = 64000; /* 2000 * 2 ^ 5 */
+ break;
+ case XD_64M_X8_512:
+ XD_PAGE_512(xd_card);
+ xd_card->addr_cycle = 4;
+ xd_card->zone_cnt = 4;
+ xd_card->capacity = 128000; /* 4000 * 2 ^ 5 */
+ break;
+ case XD_128M_X8_512:
+ XD_PAGE_512(xd_card);
+ xd_card->addr_cycle = 4;
+ xd_card->zone_cnt = 8;
+ xd_card->capacity = 256000; /* 8000 * 2 ^ 5 */
+ break;
+ case XD_256M_X8_512:
+ XD_PAGE_512(xd_card);
+ xd_card->addr_cycle = 4;
+ xd_card->zone_cnt = 16;
+ xd_card->capacity = 512000; /* 16000 * 2 ^ 5 */
+ break;
+ case XD_512M_X8:
+ XD_PAGE_512(xd_card);
+ xd_card->addr_cycle = 4;
+ xd_card->zone_cnt = 32;
+ xd_card->capacity = 1024000; /* 32000 * 2 ^ 5 */
+ break;
+ case xD_1G_X8_512:
+ XD_PAGE_512(xd_card);
+ xd_card->addr_cycle = 4;
+ xd_card->zone_cnt = 64;
+ xd_card->capacity = 2048000; /* 64000 * 2 ^ 5 */
+ break;
+ case xD_2G_X8_512:
+ XD_PAGE_512(xd_card);
+ xd_card->addr_cycle = 4;
+ xd_card->zone_cnt = 128;
+ xd_card->capacity = 4096000; /* 128000 * 2 ^ 5 */
+ break;
+ default:
+ continue;
+ }
+
+ /* Confirm timing setting */
+ for (j = 0; j < 10; j++) {
+ retval = xd_read_id(chip, READ_ID, id_buf, 4);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (id_buf[1] != xd_card->device_code)
+ break;
+ }
+
+ /* Current timing pass */
+ if (j == 10)
+ break;
+ }
+
+ if (i == 4) {
+ xd_card->block_shift = 0;
+ xd_card->page_off = 0;
+ xd_card->addr_cycle = 0;
+ xd_card->capacity = 0;
+
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ retval = xd_read_id(chip, READ_xD_ID, id_buf, 4);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ RTS51X_DEBUGP("READ_xD_ID: 0x%x 0x%x 0x%x 0x%x\n",
+ id_buf[0], id_buf[1], id_buf[2], id_buf[3]);
+ if (id_buf[2] != XD_ID_CODE)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ /* Search CIS block */
+ for (i = 0; i < 24; i++) {
+ u32 page_addr;
+
+ if (monitor_card_cd(chip, XD_CARD) == CD_NOT_EXIST)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ page_addr = (u32) i << xd_card->block_shift;
+
+ for (j = 0; j < 3; j++) {
+ retval = xd_read_redundant(chip, page_addr, redunt, 11);
+ if (retval == STATUS_SUCCESS)
+ break;
+ }
+ if (j == 3)
+ continue;
+
+ if (redunt[BLOCK_STATUS] != XD_GBLK)
+ continue;
+
+ j = 0;
+ /* Check page status */
+ if (redunt[PAGE_STATUS] != XD_GPG) {
+ for (j = 1; j <= 8; j++) {
+ retval =
+ xd_read_redundant(chip, page_addr + j,
+ redunt, 11);
+ if (retval == STATUS_SUCCESS) {
+ if (redunt[PAGE_STATUS] == XD_GPG)
+ break;
+ }
+ }
+
+ if (j == 9)
+ break;
+ }
+
+ if ((redunt[BLOCK_STATUS] == XD_GBLK)
+ && (redunt[PARITY] & XD_BA1_ALL0)) {
+ u8 buf[10];
+
+ page_addr += j;
+
+ retval = xd_read_cis(chip, page_addr, buf, 10);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if ((buf[0] == 0x01) && (buf[1] == 0x03)
+ && (buf[2] == 0xD9)
+ && (buf[3] == 0x01) && (buf[4] == 0xFF)
+ && (buf[5] == 0x18) && (buf[6] == 0x02)
+ && (buf[7] == 0xDF) && (buf[8] == 0x01)
+ && (buf[9] == 0x20)) {
+ xd_card->cis_block = (u16) i;
+ }
+ }
+
+ break;
+ }
+
+ RTS51X_DEBUGP("CIS block: 0x%x\n", xd_card->cis_block);
+ if (xd_card->cis_block == 0xFFFF)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ chip->capacity[chip->card2lun[XD_CARD]] = xd_card->capacity;
+
+ return STATUS_SUCCESS;
+}
+
+static int xd_check_data_blank(u8 *redunt)
+{
+ int i;
+
+ for (i = 0; i < 6; i++) {
+ if (redunt[PAGE_STATUS + i] != 0xFF)
+ return 0;
+ }
+
+ if ((redunt[PARITY] & (XD_ECC1_ALL1 | XD_ECC2_ALL1)) !=
+ (XD_ECC1_ALL1 | XD_ECC2_ALL1))
+ return 0;
+
+ for (i = 0; i < 4; i++) {
+ if (redunt[RESERVED0 + i] != 0xFF)
+ return 0;
+ }
+
+ return 1;
+}
+
+static u16 xd_load_log_block_addr(u8 *redunt)
+{
+ u16 addr = 0xFFFF;
+
+ if (redunt[PARITY] & XD_BA1_BA2_EQL)
+ addr =
+ ((u16) redunt[BLOCK_ADDR1_H] << 8) | redunt[BLOCK_ADDR1_L];
+ else if (redunt[PARITY] & XD_BA1_VALID)
+ addr =
+ ((u16) redunt[BLOCK_ADDR1_H] << 8) | redunt[BLOCK_ADDR1_L];
+ else if (redunt[PARITY] & XD_BA2_VALID)
+ addr =
+ ((u16) redunt[BLOCK_ADDR2_H] << 8) | redunt[BLOCK_ADDR2_L];
+
+ return addr;
+}
+
+static int xd_init_l2p_tbl(struct rts51x_chip *chip)
+{
+ struct xd_info *xd_card = &(chip->xd_card);
+ int size, i;
+
+ RTS51X_DEBUGP("xd_init_l2p_tbl: zone_cnt = %d\n", xd_card->zone_cnt);
+
+ if (xd_card->zone_cnt < 1)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ size = xd_card->zone_cnt * sizeof(struct zone_entry);
+ RTS51X_DEBUGP("Buffer size for l2p table is %d\n", size);
+
+ xd_card->zone = vmalloc(size);
+ if (!xd_card->zone)
+ TRACE_RET(chip, STATUS_NOMEM);
+
+ for (i = 0; i < xd_card->zone_cnt; i++) {
+ xd_card->zone[i].build_flag = 0;
+ xd_card->zone[i].l2p_table = NULL;
+ xd_card->zone[i].free_table = NULL;
+ xd_card->zone[i].get_index = 0;
+ xd_card->zone[i].set_index = 0;
+ xd_card->zone[i].unused_blk_cnt = 0;
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static inline void free_zone(struct zone_entry *zone)
+{
+ RTS51X_DEBUGP("free_zone\n");
+ if (!zone)
+ return;
+ zone->build_flag = 0;
+ zone->set_index = 0;
+ zone->get_index = 0;
+ zone->unused_blk_cnt = 0;
+ if (zone->l2p_table) {
+ vfree(zone->l2p_table);
+ zone->l2p_table = NULL;
+ }
+ if (zone->free_table) {
+ vfree(zone->free_table);
+ zone->free_table = NULL;
+ }
+}
+
+static void xd_set_unused_block(struct rts51x_chip *chip, u32 phy_blk)
+{
+ struct xd_info *xd_card = &(chip->xd_card);
+ struct zone_entry *zone;
+ int zone_no;
+
+ zone_no = (int)phy_blk >> 10;
+ if (zone_no >= xd_card->zone_cnt) {
+ RTS51X_DEBUGP("Set unused block to invalid zone"
+ "(zone_no = %d, zone_cnt = %d)\n",
+ zone_no, xd_card->zone_cnt);
+ return;
+ }
+ zone = &(xd_card->zone[zone_no]);
+
+ if (zone->free_table == NULL) {
+ if (xd_build_l2p_tbl(chip, zone_no) != STATUS_SUCCESS)
+ return;
+ }
+
+ if ((zone->set_index >= XD_FREE_TABLE_CNT)
+ || (zone->set_index < 0)) {
+ free_zone(zone);
+ RTS51X_DEBUGP("Set unused block fail, invalid set_index\n");
+ return;
+ }
+
+ RTS51X_DEBUGP("Set unused block to index %d\n", zone->set_index);
+
+ zone->free_table[zone->set_index++] = (u16) (phy_blk & 0x3ff);
+ if (zone->set_index >= XD_FREE_TABLE_CNT)
+ zone->set_index = 0;
+ zone->unused_blk_cnt++;
+}
+
+static u32 xd_get_unused_block(struct rts51x_chip *chip, int zone_no)
+{
+ struct xd_info *xd_card = &(chip->xd_card);
+ struct zone_entry *zone;
+ u32 phy_blk;
+
+ if (zone_no >= xd_card->zone_cnt) {
+ RTS51X_DEBUGP("Get unused block from invalid zone"
+ "(zone_no = %d, zone_cnt = %d)\n",
+ zone_no, xd_card->zone_cnt);
+ TRACE_RET(chip, BLK_NOT_FOUND);
+ }
+ zone = &(xd_card->zone[zone_no]);
+
+ if ((zone->unused_blk_cnt == 0) ||
+ (zone->set_index == zone->get_index)) {
+ free_zone(zone);
+ RTS51X_DEBUGP("Get unused block fail,"
+ "no unused block available\n");
+ TRACE_RET(chip, BLK_NOT_FOUND);
+ }
+ if ((zone->get_index >= XD_FREE_TABLE_CNT) || (zone->get_index < 0)) {
+ free_zone(zone);
+ RTS51X_DEBUGP("Get unused block fail, invalid get_index\n");
+ TRACE_RET(chip, BLK_NOT_FOUND);
+ }
+
+ RTS51X_DEBUGP("Get unused block from index %d\n", zone->get_index);
+
+ phy_blk = zone->free_table[zone->get_index];
+ zone->free_table[zone->get_index++] = 0xFFFF;
+ if (zone->get_index >= XD_FREE_TABLE_CNT)
+ zone->get_index = 0;
+ zone->unused_blk_cnt--;
+
+ phy_blk += ((u32) (zone_no) << 10);
+ return phy_blk;
+}
+
+static void xd_set_l2p_tbl(struct rts51x_chip *chip, int zone_no, u16 log_off,
+ u16 phy_off)
+{
+ struct xd_info *xd_card = &(chip->xd_card);
+ struct zone_entry *zone;
+
+ zone = &(xd_card->zone[zone_no]);
+ zone->l2p_table[log_off] = phy_off;
+}
+
+static int xd_delay_write(struct rts51x_chip *chip);
+
+static u32 xd_get_l2p_tbl(struct rts51x_chip *chip, int zone_no, u16 log_off)
+{
+ struct xd_info *xd_card = &(chip->xd_card);
+ struct zone_entry *zone;
+ int retval;
+
+ zone = &(xd_card->zone[zone_no]);
+ if (zone->l2p_table[log_off] == 0xFFFF) {
+ u32 phy_blk = 0;
+ int i;
+
+ retval = xd_delay_write(chip);
+ if (retval != STATUS_SUCCESS) {
+ RTS51X_DEBUGP("In xd_get_l2p_tbl,"
+ "delay write fail!\n");
+ TRACE_RET(chip, BLK_NOT_FOUND);
+ }
+
+ if (zone->unused_blk_cnt <= 0) {
+ RTS51X_DEBUGP("No unused block!\n");
+ TRACE_RET(chip, BLK_NOT_FOUND);
+ }
+
+ for (i = 0; i < zone->unused_blk_cnt; i++) {
+ phy_blk = xd_get_unused_block(chip, zone_no);
+ if (phy_blk == BLK_NOT_FOUND) {
+ RTS51X_DEBUGP("No unused block available!\n");
+ TRACE_RET(chip, BLK_NOT_FOUND);
+ }
+
+ retval =
+ xd_init_page(chip, phy_blk, log_off, 0,
+ xd_card->page_off + 1);
+ if (retval == STATUS_SUCCESS)
+ break;
+ }
+ if (i >= zone->unused_blk_cnt) {
+ RTS51X_DEBUGP("No good unused block available!\n");
+ TRACE_RET(chip, BLK_NOT_FOUND);
+ }
+
+ xd_set_l2p_tbl(chip, zone_no, log_off, (u16) (phy_blk & 0x3FF));
+ return phy_blk;
+ }
+
+ return (u32) zone->l2p_table[log_off] + ((u32) (zone_no) << 10);
+}
+
+int rts51x_reset_xd_card(struct rts51x_chip *chip)
+{
+ struct xd_info *xd_card = &(chip->xd_card);
+ int retval;
+
+ memset(xd_card, 0, sizeof(struct xd_info));
+
+ xd_card->block_shift = 0;
+ xd_card->page_off = 0;
+ xd_card->addr_cycle = 0;
+ xd_card->capacity = 0;
+ xd_card->zone_cnt = 0;
+ xd_card->cis_block = 0xFFFF;
+ xd_card->delay_write.delay_write_flag = 0;
+
+ rts51x_enable_card_clock(chip, XD_CARD);
+
+ retval = reset_xd(chip);
+ if (retval != STATUS_SUCCESS) {
+ if (chip->option.reset_or_rw_fail_set_pad_drive) {
+ rts51x_write_register(chip, CARD_DRIVE_SEL,
+ SD20_DRIVE_MASK, DRIVE_8mA);
+ }
+ TRACE_RET(chip, retval);
+ }
+
+ retval = xd_init_l2p_tbl(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ return STATUS_SUCCESS;
+}
+
+static int xd_mark_bad_block(struct rts51x_chip *chip, u32 phy_blk)
+{
+ struct xd_info *xd_card = &(chip->xd_card);
+ int retval;
+ u32 page_addr;
+ u8 reg = 0;
+
+ RTS51X_DEBUGP("mark block 0x%x as bad block\n", phy_blk);
+
+ if (phy_blk == BLK_NOT_FOUND)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_PAGE_STATUS, 0xFF, XD_GPG);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_BLOCK_STATUS, 0xFF,
+ XD_LATER_BBLK);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_BLOCK_ADDR1_H, 0xFF, 0xFF);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_BLOCK_ADDR1_L, 0xFF, 0xFF);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_BLOCK_ADDR2_H, 0xFF, 0xFF);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_BLOCK_ADDR2_L, 0xFF, 0xFF);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_RESERVED0, 0xFF, 0xFF);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_RESERVED1, 0xFF, 0xFF);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_RESERVED2, 0xFF, 0xFF);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_RESERVED3, 0xFF, 0xFF);
+
+ page_addr = phy_blk << xd_card->block_shift;
+
+ xd_assign_phy_addr(chip, page_addr, XD_RW_ADDR);
+
+ /* Specify page count */
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_PAGE_CNT, 0xFF,
+ xd_card->page_off + 1);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_TRANSFER, 0xFF,
+ XD_TRANSFER_START | XD_WRITE_REDUNDANT);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, XD_TRANSFER, XD_TRANSFER_END,
+ XD_TRANSFER_END);
+
+ retval = rts51x_send_cmd(chip, MODE_CR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ retval = rts51x_get_rsp(chip, 1, 100);
+
+ if (retval != STATUS_SUCCESS) {
+ rts51x_clear_xd_error(chip);
+ rts51x_ep0_read_register(chip, XD_DAT, ®);
+ if (reg & PROGRAM_ERROR)
+ xd_set_err_code(chip, XD_PRG_ERROR);
+ else
+ xd_set_err_code(chip, XD_TO_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int xd_init_page(struct rts51x_chip *chip, u32 phy_blk, u16 logoff,
+ u8 start_page, u8 end_page)
+{
+ struct xd_info *xd_card = &(chip->xd_card);
+ int retval;
+ u32 page_addr;
+ u8 reg = 0;
+
+ RTS51X_DEBUGP("Init block 0x%x\n", phy_blk);
+
+ if (start_page > end_page)
+ TRACE_RET(chip, STATUS_FAIL);
+ if (phy_blk == BLK_NOT_FOUND)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_PAGE_STATUS, 0xFF, 0xFF);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_BLOCK_STATUS, 0xFF, 0xFF);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_BLOCK_ADDR1_H, 0xFF,
+ (u8) (logoff >> 8));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_BLOCK_ADDR1_L, 0xFF,
+ (u8) logoff);
+
+ page_addr = (phy_blk << xd_card->block_shift) + start_page;
+
+ xd_assign_phy_addr(chip, page_addr, XD_RW_ADDR);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_CFG, XD_BA_TRANSFORM,
+ XD_BA_TRANSFORM);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_PAGE_CNT, 0xFF,
+ (end_page - start_page));
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_TRANSFER, 0xFF,
+ XD_TRANSFER_START | XD_WRITE_REDUNDANT);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, XD_TRANSFER, XD_TRANSFER_END,
+ XD_TRANSFER_END);
+
+ retval = rts51x_send_cmd(chip, MODE_CR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ retval = rts51x_get_rsp(chip, 1, 500);
+
+ if (retval != STATUS_SUCCESS) {
+ rts51x_clear_xd_error(chip);
+ rts51x_ep0_read_register(chip, XD_DAT, ®);
+ if (reg & PROGRAM_ERROR) {
+ xd_mark_bad_block(chip, phy_blk);
+ xd_set_err_code(chip, XD_PRG_ERROR);
+ } else {
+ xd_set_err_code(chip, XD_TO_ERROR);
+ }
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int xd_copy_page(struct rts51x_chip *chip,
+ u32 old_blk, u32 new_blk, u8 start_page, u8 end_page)
+{
+ struct xd_info *xd_card = &(chip->xd_card);
+ u32 old_page, new_page;
+ u8 i, reg = 0;
+ int retval;
+
+ RTS51X_DEBUGP("Copy page from block 0x%x to block 0x%x\n", old_blk,
+ new_blk);
+
+ if (start_page > end_page)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ if ((old_blk == BLK_NOT_FOUND) || (new_blk == BLK_NOT_FOUND))
+ TRACE_RET(chip, STATUS_FAIL);
+
+ old_page = (old_blk << xd_card->block_shift) + start_page;
+ new_page = (new_blk << xd_card->block_shift) + start_page;
+
+ XD_CLR_BAD_NEWBLK(xd_card);
+
+ RTS51X_WRITE_REG(chip, CARD_DATA_SOURCE, 0x01, PINGPONG_BUFFER);
+
+ for (i = start_page; i < end_page; i++) {
+ if (monitor_card_cd(chip, XD_CARD) == CD_NOT_EXIST) {
+ RTS51X_WRITE_REG(chip, CARD_STOP, XD_STOP | XD_CLR_ERR,
+ XD_STOP | XD_CLR_ERR);
+ xd_set_err_code(chip, XD_NO_CARD);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ rts51x_init_cmd(chip);
+
+ xd_assign_phy_addr(chip, old_page, XD_RW_ADDR);
+
+ /* Single page read */
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_PAGE_CNT, 0xFF, 1);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_CHK_DATA_STATUS,
+ XD_AUTO_CHK_DATA_STATUS, 0);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_TRANSFER, 0xFF,
+ XD_TRANSFER_START | XD_READ_PAGES);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, XD_TRANSFER,
+ XD_TRANSFER_END, XD_TRANSFER_END);
+
+ retval = rts51x_send_cmd(chip, MODE_CR | STAGE_XD_STATUS, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = rts51x_get_rsp(chip, 4, 500);
+ if ((retval != STATUS_SUCCESS) ||
+ (chip->rsp_buf[2] & (XD_ECC1_ERROR | XD_ECC2_ERROR))) {
+ rts51x_clear_xd_error(chip);
+ reg = 0;
+ rts51x_ep0_read_register(chip, XD_CTL, ®);
+ if (reg & (XD_ECC1_ERROR | XD_ECC2_ERROR)) {
+ wait_timeout(100);
+
+ if (monitor_card_cd(chip, XD_CARD) ==
+ CD_NOT_EXIST) {
+ xd_set_err_code(chip, XD_NO_CARD);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ if (((reg &
+ (XD_ECC1_ERROR | XD_ECC1_UNCORRECTABLE))
+ == (XD_ECC1_ERROR | XD_ECC1_UNCORRECTABLE))
+ || ((reg & (XD_ECC2_ERROR |
+ XD_ECC2_UNCORRECTABLE)) ==
+ (XD_ECC2_ERROR | XD_ECC2_UNCORRECTABLE))) {
+ RTS51X_WRITE_REG(chip, XD_PAGE_STATUS,
+ 0xFF, XD_BPG);
+ RTS51X_WRITE_REG(chip, XD_BLOCK_STATUS,
+ 0xFF, XD_GBLK);
+ XD_SET_BAD_OLDBLK(xd_card);
+ RTS51X_DEBUGP("old block 0x%x"
+ "ecc error\n", old_blk);
+ }
+ } else {
+ xd_set_err_code(chip, XD_TO_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+ if (XD_CHK_BAD_OLDBLK(xd_card))
+ rts51x_clear_xd_error(chip);
+
+ rts51x_init_cmd(chip);
+
+ xd_assign_phy_addr(chip, new_page, XD_RW_ADDR);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_PAGE_CNT, 0xFF, 1);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_TRANSFER, 0xFF,
+ XD_TRANSFER_START | XD_WRITE_PAGES);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, XD_TRANSFER,
+ XD_TRANSFER_END, XD_TRANSFER_END);
+
+ retval = rts51x_send_cmd(chip, MODE_CR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = rts51x_get_rsp(chip, 1, 300);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_clear_xd_error(chip);
+ reg = 0;
+ rts51x_ep0_read_register(chip, XD_DAT, ®);
+ if (reg & PROGRAM_ERROR) {
+ xd_mark_bad_block(chip, new_blk);
+ xd_set_err_code(chip, XD_PRG_ERROR);
+ XD_SET_BAD_NEWBLK(xd_card);
+ } else {
+ xd_set_err_code(chip, XD_TO_ERROR);
+ }
+ TRACE_RET(chip, retval);
+ }
+
+ old_page++;
+ new_page++;
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int xd_reset_cmd(struct rts51x_chip *chip)
+{
+ int retval;
+ u8 xd_dat, xd_ctl;
+
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_TRANSFER, 0xFF,
+ XD_TRANSFER_START | XD_RESET);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, XD_TRANSFER, XD_TRANSFER_END,
+ XD_TRANSFER_END);
+ rts51x_add_cmd(chip, READ_REG_CMD, XD_DAT, 0, 0);
+ rts51x_add_cmd(chip, READ_REG_CMD, XD_CTL, 0, 0);
+
+ retval = rts51x_send_cmd(chip, MODE_CR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = rts51x_get_rsp(chip, 3, 100);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_clear_xd_error(chip);
+ TRACE_RET(chip, retval);
+ }
+
+ xd_dat = chip->rsp_buf[1];
+ xd_ctl = chip->rsp_buf[2];
+ if (((xd_dat & READY_FLAG) == READY_STATE) && (xd_ctl & XD_RDY))
+ return STATUS_SUCCESS;
+
+ TRACE_RET(chip, STATUS_FAIL);
+}
+
+static int xd_erase_block(struct rts51x_chip *chip, u32 phy_blk)
+{
+ struct xd_info *xd_card = &(chip->xd_card);
+ u32 page_addr;
+ u8 reg = 0, xd_dat;
+ int i, retval;
+
+ if (phy_blk == BLK_NOT_FOUND)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ page_addr = phy_blk << xd_card->block_shift;
+
+ for (i = 0; i < 3; i++) {
+ rts51x_init_cmd(chip);
+
+ xd_assign_phy_addr(chip, page_addr, XD_ERASE_ADDR);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_TRANSFER, 0xFF,
+ XD_TRANSFER_START | XD_ERASE);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, XD_TRANSFER,
+ XD_TRANSFER_END, XD_TRANSFER_END);
+ rts51x_add_cmd(chip, READ_REG_CMD, XD_DAT, 0, 0);
+
+ retval = rts51x_send_cmd(chip, MODE_CR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = rts51x_get_rsp(chip, 2, 300);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_clear_xd_error(chip);
+ rts51x_ep0_read_register(chip, XD_DAT, ®);
+ if (reg & PROGRAM_ERROR) {
+ xd_mark_bad_block(chip, phy_blk);
+ xd_set_err_code(chip, XD_PRG_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ } else {
+ xd_set_err_code(chip, XD_ERASE_FAIL);
+ }
+ retval = xd_reset_cmd(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ continue;
+ }
+ xd_dat = chip->rsp_buf[1];
+ if (xd_dat & PROGRAM_ERROR) {
+ xd_mark_bad_block(chip, phy_blk);
+ xd_set_err_code(chip, XD_PRG_ERROR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ return STATUS_SUCCESS;
+ }
+
+ xd_mark_bad_block(chip, phy_blk);
+ xd_set_err_code(chip, XD_ERASE_FAIL);
+ TRACE_RET(chip, STATUS_FAIL);
+}
+
+static int xd_build_l2p_tbl(struct rts51x_chip *chip, int zone_no)
+{
+ struct xd_info *xd_card = &(chip->xd_card);
+ struct zone_entry *zone;
+ int retval;
+ u32 start, end, i;
+ u16 max_logoff, cur_fst_page_logoff, cur_lst_page_logoff,
+ ent_lst_page_logoff;
+ u8 redunt[11];
+
+ RTS51X_DEBUGP("xd_build_l2p_tbl: %d\n", zone_no);
+
+ if (xd_card->zone == NULL) {
+ retval = xd_init_l2p_tbl(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+
+ if (xd_card->zone[zone_no].build_flag) {
+ RTS51X_DEBUGP("l2p table of zone %d has been built\n",
+ zone_no);
+ return STATUS_SUCCESS;
+ }
+
+ zone = &(xd_card->zone[zone_no]);
+
+ if (zone->l2p_table == NULL) {
+ zone->l2p_table = vmalloc(2000);
+ if (zone->l2p_table == NULL)
+ TRACE_GOTO(chip, Build_Fail);
+ }
+ memset((u8 *) (zone->l2p_table), 0xff, 2000);
+
+ if (zone->free_table == NULL) {
+ zone->free_table = vmalloc(XD_FREE_TABLE_CNT * 2);
+ if (zone->free_table == NULL)
+ TRACE_GOTO(chip, Build_Fail);
+ }
+ memset((u8 *) (zone->free_table), 0xff, XD_FREE_TABLE_CNT * 2);
+
+ if (zone_no == 0) {
+ if (xd_card->cis_block == 0xFFFF)
+ start = 0;
+ else
+ start = xd_card->cis_block + 1;
+ if (XD_CHK_4MB(xd_card)) {
+ end = 0x200;
+ max_logoff = 499;
+ } else {
+ end = 0x400;
+ max_logoff = 999;
+ }
+ } else {
+ start = (u32) (zone_no) << 10;
+ end = (u32) (zone_no + 1) << 10;
+ max_logoff = 999;
+ }
+
+ RTS51X_DEBUGP("start block 0x%x, end block 0x%x\n", start, end);
+
+ zone->set_index = zone->get_index = 0;
+ zone->unused_blk_cnt = 0;
+
+ for (i = start; i < end; i++) {
+ u32 page_addr = i << xd_card->block_shift;
+ u32 phy_block;
+
+ retval = xd_read_redundant(chip, page_addr, redunt, 11);
+ if (retval != STATUS_SUCCESS)
+ continue;
+
+ if (redunt[BLOCK_STATUS] != 0xFF) {
+ RTS51X_DEBUGP("bad block\n");
+ continue;
+ }
+
+ if (xd_check_data_blank(redunt)) {
+ RTS51X_DEBUGP("blank block\n");
+ xd_set_unused_block(chip, i);
+ continue;
+ }
+
+ cur_fst_page_logoff = xd_load_log_block_addr(redunt);
+ if ((cur_fst_page_logoff == 0xFFFF)
+ || (cur_fst_page_logoff > max_logoff)) {
+ retval = xd_erase_block(chip, i);
+ if (retval == STATUS_SUCCESS)
+ xd_set_unused_block(chip, i);
+ continue;
+ }
+ if ((zone_no == 0) && (cur_fst_page_logoff == 0)
+ && (redunt[PAGE_STATUS] != XD_GPG))
+ XD_SET_MBR_FAIL(xd_card);
+
+ if (zone->l2p_table[cur_fst_page_logoff] == 0xFFFF) {
+ zone->l2p_table[cur_fst_page_logoff] =
+ (u16) (i & 0x3FF);
+ continue;
+ }
+
+ phy_block =
+ zone->l2p_table[cur_fst_page_logoff] +
+ ((u32) ((zone_no) << 10));
+
+ page_addr = ((i + 1) << xd_card->block_shift) - 1;
+
+ retval = xd_read_redundant(chip, page_addr, redunt, 11);
+ if (retval != STATUS_SUCCESS)
+ continue;
+
+ cur_lst_page_logoff = xd_load_log_block_addr(redunt);
+ if (cur_lst_page_logoff == cur_fst_page_logoff) {
+ int m;
+
+ page_addr =
+ ((phy_block + 1) << xd_card->block_shift) - 1;
+
+ for (m = 0; m < 3; m++) {
+ retval =
+ xd_read_redundant(chip, page_addr, redunt,
+ 11);
+ if (retval == STATUS_SUCCESS)
+ break;
+ }
+
+ if (m == 3) {
+ zone->l2p_table[cur_fst_page_logoff] =
+ (u16) (i & 0x3FF);
+ retval = xd_erase_block(chip, phy_block);
+ if (retval == STATUS_SUCCESS)
+ xd_set_unused_block(chip, phy_block);
+ continue;
+ }
+
+ ent_lst_page_logoff = xd_load_log_block_addr(redunt);
+ if (ent_lst_page_logoff != cur_fst_page_logoff) {
+ zone->l2p_table[cur_fst_page_logoff] =
+ (u16) (i & 0x3FF);
+ retval = xd_erase_block(chip, phy_block);
+ if (retval == STATUS_SUCCESS)
+ xd_set_unused_block(chip, phy_block);
+ continue;
+ } else {
+ retval = xd_erase_block(chip, i);
+ if (retval == STATUS_SUCCESS)
+ xd_set_unused_block(chip, i);
+ }
+ } else {
+ retval = xd_erase_block(chip, i);
+ if (retval == STATUS_SUCCESS)
+ xd_set_unused_block(chip, i);
+ }
+ }
+
+ if (XD_CHK_4MB(xd_card))
+ end = 500;
+ else
+ end = 1000;
+
+ i = 0;
+ for (start = 0; start < end; start++) {
+ if (zone->l2p_table[start] == 0xFFFF)
+ i++;
+ }
+
+ RTS51X_DEBUGP("Block count %d, invalid L2P entry %d\n", end, i);
+ RTS51X_DEBUGP("Total unused block: %d\n", zone->unused_blk_cnt);
+
+ if ((zone->unused_blk_cnt - i) < 1)
+ chip->card_wp |= XD_CARD;
+
+ zone->build_flag = 1;
+
+ return STATUS_SUCCESS;
+
+Build_Fail:
+ if (zone->l2p_table) {
+ vfree(zone->l2p_table);
+ zone->l2p_table = NULL;
+ }
+ if (zone->free_table) {
+ vfree(zone->free_table);
+ zone->free_table = NULL;
+ }
+
+ return STATUS_FAIL;
+}
+
+static int xd_send_cmd(struct rts51x_chip *chip, u8 cmd)
+{
+ int retval;
+
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_DAT, 0xFF, cmd);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_TRANSFER, 0xFF,
+ XD_TRANSFER_START | XD_SET_CMD);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, XD_TRANSFER, XD_TRANSFER_END,
+ XD_TRANSFER_END);
+
+ retval = rts51x_send_cmd(chip, MODE_CR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval = rts51x_get_rsp(chip, 1, 200);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_clear_xd_error(chip);
+ TRACE_RET(chip, retval);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int xd_read_multiple_pages(struct rts51x_chip *chip, u32 phy_blk,
+ u32 log_blk, u8 start_page, u8 end_page,
+ u8 *buf, void **ptr, unsigned int *offset)
+{
+ struct xd_info *xd_card = &(chip->xd_card);
+ u32 page_addr, new_blk;
+ u16 log_off;
+ u8 reg_val, page_cnt;
+ int zone_no, retval, i;
+
+ if (start_page > end_page)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ page_cnt = end_page - start_page;
+ zone_no = (int)(log_blk / 1000);
+ log_off = (u16) (log_blk % 1000);
+
+ if ((phy_blk & 0x3FF) == 0x3FF) {
+ for (i = 0; i < 256; i++) {
+ page_addr = ((u32) i) << xd_card->block_shift;
+
+ retval = xd_read_redundant(chip, page_addr, NULL, 0);
+ if (retval == STATUS_SUCCESS)
+ break;
+
+ if (monitor_card_cd(chip, XD_CARD) == CD_NOT_EXIST) {
+ xd_set_err_code(chip, XD_NO_CARD);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+ }
+
+ page_addr = (phy_blk << xd_card->block_shift) + start_page;
+
+ rts51x_init_cmd(chip);
+
+ xd_assign_phy_addr(chip, page_addr, XD_RW_ADDR);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_CFG, XD_PPB_TO_SIE,
+ XD_PPB_TO_SIE);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01,
+ RING_BUFFER);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_PAGE_CNT, 0xFF, page_cnt);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_CHK_DATA_STATUS,
+ XD_AUTO_CHK_DATA_STATUS, XD_AUTO_CHK_DATA_STATUS);
+
+ rts51x_trans_dma_enable(chip->srb->sc_data_direction, chip,
+ page_cnt * 512, DMA_512);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_TRANSFER, 0xFF,
+ XD_TRANSFER_START | XD_READ_PAGES);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, XD_TRANSFER,
+ XD_TRANSFER_END | XD_PPB_EMPTY,
+ XD_TRANSFER_END | XD_PPB_EMPTY);
+
+ retval = rts51x_send_cmd(chip, MODE_CDIR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval =
+ rts51x_transfer_data_partial(chip, RCV_BULK_PIPE(chip), (void *)buf,
+ ptr, offset, page_cnt * 512,
+ scsi_sg_count(chip->srb), NULL, 2000);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_clear_xd_error(chip);
+
+ if (retval == STATUS_TIMEDOUT) {
+ xd_set_err_code(chip, XD_TO_ERROR);
+ TRACE_RET(chip, retval);
+ } else {
+ TRACE_GOTO(chip, Fail);
+ }
+ }
+ retval = rts51x_get_rsp(chip, 1, 200);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_clear_xd_error(chip);
+
+ if (retval == STATUS_TIMEDOUT) {
+ xd_set_err_code(chip, XD_TO_ERROR);
+ TRACE_RET(chip, retval);
+ } else {
+ TRACE_GOTO(chip, Fail);
+ }
+ }
+
+ return STATUS_SUCCESS;
+
+Fail:
+ rts51x_ep0_read_register(chip, XD_PAGE_STATUS, ®_val);
+ RTS51X_DEBUGP("XD_PAGE_STATUS: 0x%x\n", reg_val);
+
+ if (reg_val != XD_GPG)
+ xd_set_err_code(chip, XD_PRG_ERROR);
+
+ rts51x_ep0_read_register(chip, XD_CTL, ®_val);
+ RTS51X_DEBUGP("XD_CTL: 0x%x\n", reg_val);
+
+ /* Handle uncorrectable ECC error */
+ if (((reg_val & (XD_ECC1_ERROR | XD_ECC1_UNCORRECTABLE))
+ == (XD_ECC1_ERROR | XD_ECC1_UNCORRECTABLE))
+ || ((reg_val & (XD_ECC2_ERROR | XD_ECC2_UNCORRECTABLE))
+ == (XD_ECC2_ERROR | XD_ECC2_UNCORRECTABLE))) {
+ wait_timeout(100);
+
+ if (monitor_card_cd(chip, XD_CARD) == CD_NOT_EXIST) {
+ xd_set_err_code(chip, XD_NO_CARD);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ xd_set_err_code(chip, XD_ECC_ERROR);
+
+ new_blk = xd_get_unused_block(chip, zone_no);
+ if (new_blk == NO_NEW_BLK) {
+ XD_CLR_BAD_OLDBLK(xd_card);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ retval =
+ xd_copy_page(chip, phy_blk, new_blk, 0,
+ xd_card->page_off + 1);
+ if (retval != STATUS_SUCCESS) {
+ if (!XD_CHK_BAD_NEWBLK(xd_card)) {
+ retval = xd_erase_block(chip, new_blk);
+ if (retval == STATUS_SUCCESS)
+ xd_set_unused_block(chip, new_blk);
+ } else {
+ XD_CLR_BAD_NEWBLK(xd_card);
+ }
+ XD_CLR_BAD_OLDBLK(xd_card);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ xd_set_l2p_tbl(chip, zone_no, log_off, (u16) (new_blk & 0x3FF));
+ xd_erase_block(chip, phy_blk);
+ xd_mark_bad_block(chip, phy_blk);
+ XD_CLR_BAD_OLDBLK(xd_card);
+ }
+
+ TRACE_RET(chip, STATUS_FAIL);
+}
+
+static int xd_finish_write(struct rts51x_chip *chip,
+ u32 old_blk, u32 new_blk, u32 log_blk, u8 page_off)
+{
+ struct xd_info *xd_card = &(chip->xd_card);
+ int retval, zone_no;
+ u16 log_off;
+
+ RTS51X_DEBUGP("xd_finish_write, old_blk = 0x%x, new_blk = 0x%x,"
+ "log_blk = 0x%x\n", old_blk, new_blk, log_blk);
+
+ if (page_off > xd_card->page_off)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ zone_no = (int)(log_blk / 1000);
+ log_off = (u16) (log_blk % 1000);
+
+ if (old_blk == BLK_NOT_FOUND) {
+ retval = xd_init_page(chip, new_blk, log_off,
+ page_off, xd_card->page_off + 1);
+ if (retval != STATUS_SUCCESS) {
+ retval = xd_erase_block(chip, new_blk);
+ if (retval == STATUS_SUCCESS)
+ xd_set_unused_block(chip, new_blk);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ } else {
+ retval = xd_copy_page(chip, old_blk, new_blk,
+ page_off, xd_card->page_off + 1);
+ if (retval != STATUS_SUCCESS) {
+ if (!XD_CHK_BAD_NEWBLK(xd_card)) {
+ retval = xd_erase_block(chip, new_blk);
+ if (retval == STATUS_SUCCESS)
+ xd_set_unused_block(chip, new_blk);
+ }
+ XD_CLR_BAD_NEWBLK(xd_card);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ retval = xd_erase_block(chip, old_blk);
+ if (retval == STATUS_SUCCESS) {
+ if (XD_CHK_BAD_OLDBLK(xd_card)) {
+ xd_mark_bad_block(chip, old_blk);
+ XD_CLR_BAD_OLDBLK(xd_card);
+ } else {
+ /* Add source block to unused block */
+ xd_set_unused_block(chip, old_blk);
+ }
+ } else {
+ xd_set_err_code(chip, XD_NO_ERROR);
+ XD_CLR_BAD_OLDBLK(xd_card);
+ }
+ }
+
+ /* Add target block to L2P table */
+ xd_set_l2p_tbl(chip, zone_no, log_off, (u16) (new_blk & 0x3FF));
+
+ return STATUS_SUCCESS;
+}
+
+static int xd_prepare_write(struct rts51x_chip *chip,
+ u32 old_blk, u32 new_blk, u32 log_blk, u8 page_off)
+{
+ int retval;
+
+ RTS51X_DEBUGP("xd_prepare_write, old_blk = 0x%x, new_blk = 0x%x,"
+ "log_blk = 0x%x, page_off = %d\n",
+ old_blk, new_blk, log_blk, (int)page_off);
+
+ if (page_off) {
+ retval = xd_copy_page(chip, old_blk, new_blk, 0, page_off);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+static int xd_write_multiple_pages(struct rts51x_chip *chip, u32 old_blk,
+ u32 new_blk, u32 log_blk, u8 start_page,
+ u8 end_page, u8 *buf, void **ptr,
+ unsigned int *offset)
+{
+ struct xd_info *xd_card = &(chip->xd_card);
+ u32 page_addr;
+ int zone_no, retval;
+ u16 log_off;
+ u8 page_cnt, reg_val;
+
+ RTS51X_DEBUGP("xd_write_multiple_pages, old_blk = 0x%x,"
+ "new_blk = 0x%x, log_blk = 0x%x\n",
+ old_blk, new_blk, log_blk);
+
+ if (start_page > end_page)
+ TRACE_RET(chip, STATUS_FAIL);
+
+ page_cnt = end_page - start_page;
+ zone_no = (int)(log_blk / 1000);
+ log_off = (u16) (log_blk % 1000);
+
+ page_addr = (new_blk << xd_card->block_shift) + start_page;
+
+ /* Send index command */
+ retval = xd_send_cmd(chip, READ1_1);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ rts51x_init_cmd(chip);
+
+ /* Prepare redundant field */
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_BLOCK_ADDR1_H, 0xFF,
+ (u8) (log_off >> 8));
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_BLOCK_ADDR1_L, 0xFF,
+ (u8) log_off);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_BLOCK_STATUS, 0xFF, XD_GBLK);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_PAGE_STATUS, 0xFF, XD_GPG);
+
+ xd_assign_phy_addr(chip, page_addr, XD_RW_ADDR);
+
+ /* Transform the block address by hardware */
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_CFG, XD_BA_TRANSFORM,
+ XD_BA_TRANSFORM);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_PAGE_CNT, 0xFF, page_cnt);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01,
+ RING_BUFFER);
+
+ rts51x_trans_dma_enable(chip->srb->sc_data_direction, chip,
+ page_cnt * 512, DMA_512);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, XD_TRANSFER, 0xFF,
+ XD_TRANSFER_START | XD_WRITE_PAGES);
+ rts51x_add_cmd(chip, CHECK_REG_CMD, XD_TRANSFER, XD_TRANSFER_END,
+ XD_TRANSFER_END);
+
+ retval = rts51x_send_cmd(chip, MODE_CDOR, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ retval =
+ rts51x_transfer_data_partial(chip, SND_BULK_PIPE(chip), (void *)buf,
+ ptr, offset, page_cnt * 512,
+ scsi_sg_count(chip->srb), NULL, 2000);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_clear_xd_error(chip);
+
+ if (retval == STATUS_TIMEDOUT) {
+ xd_set_err_code(chip, XD_TO_ERROR);
+ TRACE_RET(chip, retval);
+ } else {
+ TRACE_GOTO(chip, Fail);
+ }
+ }
+ retval = rts51x_get_rsp(chip, 1, 200);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_clear_xd_error(chip);
+
+ if (retval == STATUS_TIMEDOUT) {
+ xd_set_err_code(chip, XD_TO_ERROR);
+ TRACE_RET(chip, retval);
+ } else {
+ TRACE_GOTO(chip, Fail);
+ }
+ }
+
+ if (end_page == (xd_card->page_off + 1)) {
+ xd_card->delay_write.delay_write_flag = 0;
+
+ if (old_blk != BLK_NOT_FOUND) {
+ retval = xd_erase_block(chip, old_blk);
+ if (retval == STATUS_SUCCESS) {
+ if (XD_CHK_BAD_OLDBLK(xd_card)) {
+ xd_mark_bad_block(chip, old_blk);
+ XD_CLR_BAD_OLDBLK(xd_card);
+ } else {
+ xd_set_unused_block(chip, old_blk);
+ }
+ } else {
+ xd_set_err_code(chip, XD_NO_ERROR);
+ XD_CLR_BAD_OLDBLK(xd_card);
+ }
+ }
+ xd_set_l2p_tbl(chip, zone_no, log_off, (u16) (new_blk & 0x3FF));
+ }
+
+ return STATUS_SUCCESS;
+
+Fail:
+ rts51x_ep0_read_register(chip, XD_DAT, ®_val);
+ RTS51X_DEBUGP("XD_DAT: 0x%x\n", reg_val);
+
+ if (reg_val & PROGRAM_ERROR) {
+ xd_set_err_code(chip, XD_PRG_ERROR);
+ xd_mark_bad_block(chip, new_blk);
+ }
+
+ TRACE_RET(chip, STATUS_FAIL);
+}
+
+static int xd_delay_write(struct rts51x_chip *chip)
+{
+ struct xd_info *xd_card = &(chip->xd_card);
+ struct xd_delay_write_tag *delay_write = &(xd_card->delay_write);
+ int retval;
+
+ if (delay_write->delay_write_flag) {
+ RTS51X_DEBUGP("xd_delay_write\n");
+ retval = xd_switch_clock(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ delay_write->delay_write_flag = 0;
+ retval = xd_finish_write(chip,
+ delay_write->old_phyblock,
+ delay_write->new_phyblock,
+ delay_write->logblock,
+ delay_write->pageoff);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+ }
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_xd_rw(struct scsi_cmnd *srb, struct rts51x_chip *chip,
+ u32 start_sector, u16 sector_cnt)
+{
+ struct xd_info *xd_card = &(chip->xd_card);
+ unsigned int lun = SCSI_LUN(srb);
+ struct xd_delay_write_tag *delay_write = &(xd_card->delay_write);
+ int retval, zone_no;
+ u32 log_blk, old_blk = 0, new_blk = 0;
+ u16 log_off, total_sec_cnt = sector_cnt;
+ u8 start_page, end_page = 0, page_cnt;
+ u8 *buf;
+ void *ptr = NULL;
+ unsigned int offset = 0;
+
+ xd_set_err_code(chip, XD_NO_ERROR);
+
+ xd_card->counter = 0;
+
+ RTS51X_DEBUGP("rts51x_xd_rw: scsi_bufflen = %d, scsi_sg_count = %d\n",
+ scsi_bufflen(srb), scsi_sg_count(srb));
+ RTS51X_DEBUGP("Data direction: %s\n",
+ (srb->sc_data_direction ==
+ DMA_TO_DEVICE) ? "write" : "read");
+
+ buf = (u8 *) scsi_sglist(srb);
+
+ retval = xd_switch_clock(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ log_blk = start_sector >> xd_card->block_shift;
+ start_page = (u8) start_sector & xd_card->page_off;
+ zone_no = (int)(log_blk / 1000);
+ log_off = (u16) (log_blk % 1000);
+
+ RTS51X_DEBUGP("log_blk = 0x%x\n", log_blk);
+
+ if (xd_card->zone[zone_no].build_flag == 0) {
+ retval = xd_build_l2p_tbl(chip, zone_no);
+ if (retval != STATUS_SUCCESS) {
+ chip->card_fail |= XD_CARD;
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_NOT_PRESENT);
+ TRACE_RET(chip, retval);
+ }
+ }
+
+ if (srb->sc_data_direction == DMA_TO_DEVICE) {
+ if (delay_write->delay_write_flag &&
+ (delay_write->logblock == log_blk) &&
+ (start_page > delay_write->pageoff)) {
+ delay_write->delay_write_flag = 0;
+ if (delay_write->old_phyblock != BLK_NOT_FOUND) {
+ retval = xd_copy_page(chip,
+ delay_write->old_phyblock,
+ delay_write->new_phyblock,
+ delay_write->pageoff,
+ start_page);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_WRITE_ERR);
+ TRACE_RET(chip, retval);
+ }
+ }
+ old_blk = delay_write->old_phyblock;
+ new_blk = delay_write->new_phyblock;
+ } else if (delay_write->delay_write_flag &&
+ (delay_write->logblock == log_blk) &&
+ (start_page == delay_write->pageoff)) {
+ delay_write->delay_write_flag = 0;
+ old_blk = delay_write->old_phyblock;
+ new_blk = delay_write->new_phyblock;
+ } else {
+ retval = xd_delay_write(chip);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_WRITE_ERR);
+ TRACE_RET(chip, retval);
+ }
+ old_blk = xd_get_l2p_tbl(chip, zone_no, log_off);
+ new_blk = xd_get_unused_block(chip, zone_no);
+ if ((old_blk == BLK_NOT_FOUND)
+ || (new_blk == BLK_NOT_FOUND)) {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_WRITE_ERR);
+ TRACE_RET(chip, retval);
+ }
+
+ retval =
+ xd_prepare_write(chip, old_blk, new_blk, log_blk,
+ start_page);
+ if (retval != STATUS_SUCCESS) {
+ if (monitor_card_cd(chip, XD_CARD) ==
+ CD_NOT_EXIST) {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_NOT_PRESENT);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_WRITE_ERR);
+ TRACE_RET(chip, retval);
+ }
+ }
+ } else {
+ retval = xd_delay_write(chip);
+ if (retval != STATUS_SUCCESS) {
+ if (monitor_card_cd(chip, XD_CARD) == CD_NOT_EXIST) {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_NOT_PRESENT);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR);
+ TRACE_RET(chip, retval);
+ }
+
+ old_blk = xd_get_l2p_tbl(chip, zone_no, log_off);
+ if (old_blk == BLK_NOT_FOUND) {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+
+ RTS51X_DEBUGP("old_blk = 0x%x\n", old_blk);
+ if (srb->sc_data_direction == DMA_TO_DEVICE)
+ RTS51X_DEBUGP("new_blk = 0x%x\n", new_blk);
+
+ while (total_sec_cnt) {
+ if ((start_page + total_sec_cnt) > (xd_card->page_off + 1))
+ end_page = xd_card->page_off + 1;
+ else
+ end_page = start_page + (u8) total_sec_cnt;
+ page_cnt = end_page - start_page;
+ if (srb->sc_data_direction == DMA_FROM_DEVICE) {
+ retval = xd_read_multiple_pages(chip, old_blk, log_blk,
+ start_page, end_page,
+ buf, &ptr, &offset);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ } else {
+ retval =
+ xd_write_multiple_pages(chip, old_blk, new_blk,
+ log_blk, start_page,
+ end_page, buf, &ptr,
+ &offset);
+ if (retval != STATUS_SUCCESS) {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_WRITE_ERR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+
+ total_sec_cnt -= page_cnt;
+
+ if (total_sec_cnt == 0)
+ break;
+
+ log_blk++;
+ zone_no = (int)(log_blk / 1000);
+ log_off = (u16) (log_blk % 1000);
+
+ if (xd_card->zone[zone_no].build_flag == 0) {
+ retval = xd_build_l2p_tbl(chip, zone_no);
+ if (retval != STATUS_SUCCESS) {
+ chip->card_fail |= XD_CARD;
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_NOT_PRESENT);
+ TRACE_RET(chip, retval);
+ }
+ }
+
+ old_blk = xd_get_l2p_tbl(chip, zone_no, log_off);
+ if (old_blk == BLK_NOT_FOUND) {
+ if (srb->sc_data_direction == DMA_FROM_DEVICE) {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR);
+ } else {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_WRITE_ERR);
+ }
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+
+ if (srb->sc_data_direction == DMA_TO_DEVICE) {
+ new_blk = xd_get_unused_block(chip, zone_no);
+ if (new_blk == BLK_NOT_FOUND) {
+ rts51x_set_sense_type(chip, lun,
+ SENSE_TYPE_MEDIA_WRITE_ERR);
+ TRACE_RET(chip, STATUS_FAIL);
+ }
+ }
+
+ start_page = 0;
+ }
+
+ if ((srb->sc_data_direction == DMA_TO_DEVICE) &&
+ (end_page != (xd_card->page_off + 1))) {
+ delay_write->delay_write_flag = 1;
+ delay_write->old_phyblock = old_blk;
+ delay_write->new_phyblock = new_blk;
+ delay_write->logblock = log_blk;
+ delay_write->pageoff = end_page;
+ }
+
+ scsi_set_resid(srb, 0);
+
+ return STATUS_SUCCESS;
+}
+
+void rts51x_xd_free_l2p_tbl(struct rts51x_chip *chip)
+{
+ struct xd_info *xd_card = &(chip->xd_card);
+ int i = 0;
+
+ if (xd_card->zone != NULL) {
+ for (i = 0; i < xd_card->zone_cnt; i++) {
+ if (xd_card->zone[i].l2p_table != NULL) {
+ vfree(xd_card->zone[i].l2p_table);
+ xd_card->zone[i].l2p_table = NULL;
+ }
+ if (xd_card->zone[i].free_table != NULL) {
+ vfree(xd_card->zone[i].free_table);
+ xd_card->zone[i].free_table = NULL;
+ }
+ }
+ vfree(xd_card->zone);
+ xd_card->zone = NULL;
+ }
+}
+
+void rts51x_xd_cleanup_work(struct rts51x_chip *chip)
+{
+ struct xd_info *xd_card = &(chip->xd_card);
+
+ if (xd_card->delay_write.delay_write_flag) {
+ RTS51X_DEBUGP("xD: delay write\n");
+ xd_delay_write(chip);
+ xd_card->counter = 0;
+ }
+}
+
+static int xd_power_off_card3v3(struct rts51x_chip *chip)
+{
+ int retval;
+
+ rts51x_init_cmd(chip);
+
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_CLK_EN, XD_CLK_EN, 0);
+
+ if (chip->asic_code)
+ xd_pull_ctl_disable(chip);
+ else
+ rts51x_add_cmd(chip, WRITE_REG_CMD, FPGA_PULL_CTL, 0xFF, 0xDF);
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_OE, XD_OUTPUT_EN, 0);
+ if (!chip->option.FT2_fast_mode) {
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL, POWER_MASK,
+ POWER_OFF);
+ if (CHECK_PKG(chip, LQFP48)
+ || chip->option.rts5129_D3318_off_enable)
+ rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL,
+ DV3318_AUTO_PWR_OFF, 0);
+ }
+
+ retval = rts51x_send_cmd(chip, MODE_C, 100);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ return STATUS_SUCCESS;
+}
+
+int rts51x_release_xd_card(struct rts51x_chip *chip)
+{
+ struct xd_info *xd_card = &(chip->xd_card);
+ int retval;
+
+ RTS51X_DEBUGP("rts51x_release_xd_card\n");
+
+ chip->card_ready &= ~XD_CARD;
+ chip->card_fail &= ~XD_CARD;
+ chip->card_wp &= ~XD_CARD;
+
+ xd_card->delay_write.delay_write_flag = 0;
+
+ rts51x_xd_free_l2p_tbl(chip);
+
+ rts51x_write_register(chip, SFSM_ED, HW_CMD_STOP, HW_CMD_STOP);
+
+ retval = xd_power_off_card3v3(chip);
+ if (retval != STATUS_SUCCESS)
+ TRACE_RET(chip, retval);
+
+ if (chip->asic_code && CHECK_PKG(chip, QFN24))
+ wait_timeout(20);
+
+ return STATUS_SUCCESS;
+}
diff --git a/drivers/staging/rts5139/xd.h b/drivers/staging/rts5139/xd.h
new file mode 100644
index 000000000000..695a0b4d7e52
--- /dev/null
+++ b/drivers/staging/rts5139/xd.h
@@ -0,0 +1,191 @@
+/* Driver for Realtek RTS51xx USB card reader
+ * Header file
+ *
+ * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author:
+ * wwang (wei_wang(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ * Maintainer:
+ * Edwin Rong (edwin_rong(a)realsil.com.cn)
+ * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China
+ */
+
+#ifndef __RTS51X_XD_H
+#define __RTS51X_XD_H
+
+/* Error Codes */
+#define XD_NO_ERROR 0x00
+#define XD_NO_MEMORY 0x80
+#define XD_PRG_ERROR 0x40
+#define XD_NO_CARD 0x20
+#define XD_READ_FAIL 0x10
+#define XD_ERASE_FAIL 0x08
+#define XD_WRITE_FAIL 0x04
+#define XD_ECC_ERROR 0x02
+#define XD_TO_ERROR 0x01
+
+/* XD Commands */
+#define READ1_1 0x00
+#define READ1_2 0x01
+#define READ2 0x50
+#define READ_ID 0x90
+#define RESET 0xff
+#define PAGE_PRG_1 0x80
+#define PAGE_PRG_2 0x10
+#define BLK_ERASE_1 0x60
+#define BLK_ERASE_2 0xD0
+#define READ_STS 0x70
+#define READ_xD_ID 0x9A
+#define COPY_BACK_512 0x8A
+#define COPY_BACK_2K 0x85
+#define READ1_1_2 0x30
+#define READ1_1_3 0x35
+#define CHG_DAT_OUT_1 0x05
+#define RDM_DAT_OUT_1 0x05
+#define CHG_DAT_OUT_2 0xE0
+#define RDM_DAT_OUT_2 0xE0
+#define CHG_DAT_OUT_2 0xE0
+#define CHG_DAT_IN_1 0x85
+#define CACHE_PRG 0x15
+
+/* Redundant Area Related */
+#define XD_EXTRA_SIZE 0x10
+#define XD_2K_EXTRA_SIZE 0x40
+
+/* Define for XD Status */
+#define NOT_WRITE_PROTECTED 0x80
+#define READY_STATE 0x40
+#define PROGRAM_ERROR 0x01
+#define PROGRAM_ERROR_N_1 0x02
+#define INTERNAL_READY 0x20
+#define READY_FLAG 0x5F
+
+/* Define for device code */
+#define XD_8M_X8_512 0xE6
+#define XD_16M_X8_512 0x73
+#define XD_32M_X8_512 0x75
+#define XD_64M_X8_512 0x76
+#define XD_128M_X8_512 0x79
+#define XD_256M_X8_512 0x71
+#define XD_128M_X8_2048 0xF1
+#define XD_256M_X8_2048 0xDA
+#define XD_512M_X8 0xDC
+#define XD_128M_X16_2048 0xC1
+#define XD_4M_X8_512_1 0xE3
+#define XD_4M_X8_512_2 0xE5
+#define xD_1G_X8_512 0xD3
+#define xD_2G_X8_512 0xD5
+
+#define XD_ID_CODE 0xB5
+
+#define VENDOR_BLOCK 0xEFFF
+#define CIS_BLOCK 0xDFFF
+
+#define BLK_NOT_FOUND 0xFFFFFFFF
+
+#define NO_NEW_BLK 0xFFFFFFFF
+
+#define PAGE_CORRECTABLE 0x0
+#define PAGE_NOTCORRECTABLE 0x1
+
+#define NO_OFFSET 0x0
+#define WITH_OFFSET 0x1
+
+#define Sect_Per_Page 4
+#define XD_ADDR_MODE_2C XD_ADDR_MODE_2A
+
+#define ZONE0_BAD_BLOCK 23
+#define NOT_ZONE0_BAD_BLOCK 24
+
+/* Assign address mode */
+#define XD_RW_ADDR 0x01
+#define XD_ERASE_ADDR 0x02
+
+/* Macro Definition */
+#define XD_PAGE_512(xd_card) \
+ do { \
+ (xd_card)->block_shift = 5; \
+ (xd_card)->page_off = 0x1F; \
+ } while (0)
+
+#define XD_SET_BAD_NEWBLK(xd_card) ((xd_card)->multi_flag |= 0x01)
+#define XD_CLR_BAD_NEWBLK(xd_card) ((xd_card)->multi_flag &= ~0x01)
+#define XD_CHK_BAD_NEWBLK(xd_card) ((xd_card)->multi_flag & 0x01)
+
+#define XD_SET_BAD_OLDBLK(xd_card) ((xd_card)->multi_flag |= 0x02)
+#define XD_CLR_BAD_OLDBLK(xd_card) ((xd_card)->multi_flag &= ~0x02)
+#define XD_CHK_BAD_OLDBLK(xd_card) ((xd_card)->multi_flag & 0x02)
+
+#define XD_SET_MBR_FAIL(xd_card) ((xd_card)->multi_flag |= 0x04)
+#define XD_CLR_MBR_FAIL(xd_card) ((xd_card)->multi_flag &= ~0x04)
+#define XD_CHK_MBR_FAIL(xd_card) ((xd_card)->multi_flag & 0x04)
+
+#define XD_SET_ECC_FLD_ERR(xd_card) ((xd_card)->multi_flag |= 0x08)
+#define XD_CLR_ECC_FLD_ERR(xd_card) ((xd_card)->multi_flag &= ~0x08)
+#define XD_CHK_ECC_FLD_ERR(xd_card) ((xd_card)->multi_flag & 0x08)
+
+#define XD_SET_4MB(xd_card) ((xd_card)->multi_flag |= 0x10)
+#define XD_CLR_4MB(xd_card) ((xd_card)->multi_flag &= ~0x10)
+#define XD_CHK_4MB(xd_card) ((xd_card)->multi_flag & 0x10)
+
+#define XD_SET_ECC_ERR(xd_card) ((xd_card)->multi_flag |= 0x40)
+#define XD_CLR_ECC_ERR(xd_card) ((xd_card)->multi_flag &= ~0x40)
+#define XD_CHK_ECC_ERR(xd_card) ((xd_card)->multi_flag & 0x40)
+
+/* Offset in xD redundant buffer */
+#define PAGE_STATUS 0
+#define BLOCK_STATUS 1
+#define BLOCK_ADDR1_L 2
+#define BLOCK_ADDR1_H 3
+#define BLOCK_ADDR2_L 4
+#define BLOCK_ADDR2_H 5
+#define RESERVED0 6
+#define RESERVED1 7
+#define RESERVED2 8
+#define RESERVED3 9
+#define PARITY 10
+
+/* For CIS block */
+#define CIS0_0 0
+#define CIS0_1 1
+#define CIS0_2 2
+#define CIS0_3 3
+#define CIS0_4 4
+#define CIS0_5 5
+#define CIS0_6 6
+#define CIS0_7 7
+#define CIS0_8 8
+#define CIS0_9 9
+#define CIS1_0 256
+#define CIS1_1 (256 + 1)
+#define CIS1_2 (256 + 2)
+#define CIS1_3 (256 + 3)
+#define CIS1_4 (256 + 4)
+#define CIS1_5 (256 + 5)
+#define CIS1_6 (256 + 6)
+#define CIS1_7 (256 + 7)
+#define CIS1_8 (256 + 8)
+#define CIS1_9 (256 + 9)
+
+int rts51x_reset_xd_card(struct rts51x_chip *chip);
+int rts51x_xd_rw(struct scsi_cmnd *srb, struct rts51x_chip *chip, u32 start_sector,
+ u16 sector_cnt);
+void rts51x_xd_free_l2p_tbl(struct rts51x_chip *chip);
+void rts51x_xd_cleanup_work(struct rts51x_chip *chip);
+int rts51x_release_xd_card(struct rts51x_chip *chip);
+
+#endif /* __RTS51X_XD_H */
--
2.43.0
3 months, 3 weeks
- 2
- 2
[PATCH 1/2] soc: mediatek: mtk-devapc: Fix leaking IO map on error paths
by Krzysztof Kozlowski
Error paths of mtk_devapc_probe() should unmap the memory. Reported by
Smatch:
drivers/soc/mediatek/mtk-devapc.c:292 mtk_devapc_probe() warn: 'ctx->infra_base' from of_iomap() not released on lines: 277,281,286.
Fixes: 0890beb22618 ("soc: mediatek: add mt6779 devapc driver")
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org>
---
drivers/soc/mediatek/mtk-devapc.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/drivers/soc/mediatek/mtk-devapc.c b/drivers/soc/mediatek/mtk-devapc.c
index 2a1adcb87d4e..500847b41b16 100644
--- a/drivers/soc/mediatek/mtk-devapc.c
+++ b/drivers/soc/mediatek/mtk-devapc.c
@@ -273,23 +273,31 @@ static int mtk_devapc_probe(struct platform_device *pdev)
return -EINVAL;
devapc_irq = irq_of_parse_and_map(node, 0);
- if (!devapc_irq)
- return -EINVAL;
+ if (!devapc_irq) {
+ ret = -EINVAL;
+ goto err;
+ }
ctx->infra_clk = devm_clk_get_enabled(&pdev->dev, "devapc-infra-clock");
- if (IS_ERR(ctx->infra_clk))
- return -EINVAL;
+ if (IS_ERR(ctx->infra_clk)) {
+ ret = -EINVAL;
+ goto err;
+ }
ret = devm_request_irq(&pdev->dev, devapc_irq, devapc_violation_irq,
IRQF_TRIGGER_NONE, "devapc", ctx);
if (ret)
- return ret;
+ goto err;
platform_set_drvdata(pdev, ctx);
start_devapc(ctx);
return 0;
+
+err:
+ iounmap(ctx->infra_base);
+ return ret;
}
static void mtk_devapc_remove(struct platform_device *pdev)
--
2.43.0
3 months, 3 weeks
- 2
- 3
[PATCH] media/mmp: Bring back registration of the device
by Lubomir Rintel
In commit 4af65141e38e ("media: marvell: cafe: Register V4L2 device
earlier"), a call to v4l2_device_register() was moved away from
mccic_register() into its caller, marvell/cafe's cafe_pci_probe().
This is not the only caller though -- there's also marvell/mmp.
Add v4l2_device_register() into mmpcam_probe() to unbreak the MMP camera
driver, in a fashion analogous to what's been done to the Cafe driver.
Same for the teardown path.
Fixes: 4af65141e38e ("media: marvell: cafe: Register V4L2 device earlier")
Signed-off-by: Lubomir Rintel <lkundrak(a)v3.sk>
Cc: stable(a)vger.kernel.org # v6.6+
---
drivers/media/platform/marvell/mmp-driver.c | 21 +++++++++++++++++----
1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/drivers/media/platform/marvell/mmp-driver.c b/drivers/media/platform/marvell/mmp-driver.c
index 3fd4fc1b9c48..d3da7ebb4a2b 100644
--- a/drivers/media/platform/marvell/mmp-driver.c
+++ b/drivers/media/platform/marvell/mmp-driver.c
@@ -231,13 +231,23 @@ static int mmpcam_probe(struct platform_device *pdev)
mcam_init_clk(mcam);
+ /*
+ * Register with V4L.
+ */
+
+ ret = v4l2_device_register(mcam->dev, &mcam->v4l2_dev);
+ if (ret)
+ return ret;
+
/*
* Create a match of the sensor against its OF node.
*/
ep = fwnode_graph_get_next_endpoint(of_fwnode_handle(pdev->dev.of_node),
NULL);
- if (!ep)
- return -ENODEV;
+ if (!ep) {
+ ret = -ENODEV;
+ goto out_v4l2_device_unregister;
+ }
v4l2_async_nf_init(&mcam->notifier, &mcam->v4l2_dev);
@@ -246,7 +256,7 @@ static int mmpcam_probe(struct platform_device *pdev)
fwnode_handle_put(ep);
if (IS_ERR(asd)) {
ret = PTR_ERR(asd);
- goto out;
+ goto out_v4l2_device_unregister;
}
/*
@@ -254,7 +264,7 @@ static int mmpcam_probe(struct platform_device *pdev)
*/
ret = mccic_register(mcam);
if (ret)
- goto out;
+ goto out_v4l2_device_unregister;
/*
* Add OF clock provider.
@@ -283,6 +293,8 @@ static int mmpcam_probe(struct platform_device *pdev)
return 0;
out:
mccic_shutdown(mcam);
+out_v4l2_device_unregister:
+ v4l2_device_unregister(&mcam->v4l2_dev);
return ret;
}
@@ -293,6 +305,7 @@ static void mmpcam_remove(struct platform_device *pdev)
struct mcam_camera *mcam = &cam->mcam;
mccic_shutdown(mcam);
+ v4l2_device_unregister(&mcam->v4l2_dev);
pm_runtime_force_suspend(mcam->dev);
}
--
2.47.1
3 months, 3 weeks
- 3
- 4
[PATCH net] ptp: limit number of virtual clocks per physical clock
by Thomas Weißschuh
The sysfs interface can be used to trigger arbitrarily large memory
allocations. This can induce pressure on the VM layer to satisfy the
request only to fail anyways.
Reported-by: cheung wall <zzqq0103.hey(a)gmail.com>
Closes: https://lore.kernel.org/lkml/20250103091906.GD1977892@ZenIV/
Fixes: 73f37068d540 ("ptp: support ptp physical/virtual clocks conversion")
Cc: stable(a)vger.kernel.org
Signed-off-by: Thomas Weißschuh <linux(a)weissschuh.net>
---
The limit is completely made up, let me know if there is something
better.
I'm also wondering about the point of the max_vclocks sysfs attribute.
It could easily be removed and all its logic moved into the n_vclocks
attribute, simplifying the UAPI.
---
drivers/ptp/ptp_private.h | 1 +
drivers/ptp/ptp_sysfs.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/ptp/ptp_private.h b/drivers/ptp/ptp_private.h
index 18934e28469ee6e3bf9c9e6d1a1adb82808d88e6..07003339795e9c0fb813887e47eaee4ba0e20064 100644
--- a/drivers/ptp/ptp_private.h
+++ b/drivers/ptp/ptp_private.h
@@ -22,6 +22,7 @@
#define PTP_MAX_TIMESTAMPS 128
#define PTP_BUF_TIMESTAMPS 30
#define PTP_DEFAULT_MAX_VCLOCKS 20
+#define PTP_MAX_VCLOCKS_LIMIT 2048
#define PTP_MAX_CHANNELS 2048
struct timestamp_event_queue {
diff --git a/drivers/ptp/ptp_sysfs.c b/drivers/ptp/ptp_sysfs.c
index 6b1b8f57cd9510f269c86dd89a7a74f277f6916b..200eaf50069681eecc87d63c0e0440f28cccab77 100644
--- a/drivers/ptp/ptp_sysfs.c
+++ b/drivers/ptp/ptp_sysfs.c
@@ -284,7 +284,7 @@ static ssize_t max_vclocks_store(struct device *dev,
size_t size;
u32 max;
- if (kstrtou32(buf, 0, &max) || max == 0)
+ if (kstrtou32(buf, 0, &max) || max == 0 || max > PTP_MAX_VCLOCKS_LIMIT)
return -EINVAL;
if (max == ptp->max_vclocks)
---
base-commit: 582ef8a0c406e0b17030b0773392595ec331a0d2
change-id: 20250103-ptp-max_vclocks-0dab5b03b006
Best regards,
--
Thomas Weißschuh <linux(a)weissschuh.net>
3 months, 3 weeks
- 2
- 1
[PATCH v2] spi: atmel-qspi: Memory barriers after memory-mapped I/O
by Bence Csókás
The QSPI peripheral control and status registers are
accessible via the SoC's APB bus, whereas MMIO transactions'
data travels on the AHB bus.
Microchip documentation and even sample code from Atmel
emphasises the need for a memory barrier before the first
MMIO transaction to the AHB-connected QSPI, and before the
last write to its registers via APB. This is achieved by
the following lines in `atmel_qspi_transfer()`:
/* Dummy read of QSPI_IFR to synchronize APB and AHB accesses */
(void)atmel_qspi_read(aq, QSPI_IFR);
However, the current documentation makes no mention to
synchronization requirements in the other direction, i.e.
after the last data written via AHB, and before the first
register access on APB.
In our case, we were facing an issue where the QSPI peripheral
would cease to send any new CSR (nCS Rise) interrupts,
leading to a timeout in `atmel_qspi_wait_for_completion()`
and ultimately this panic in higher levels:
ubi0 error: ubi_io_write: error -110 while writing 63108 bytes
to PEB 491:128, written 63104 bytes
After months of extensive research of the codebase, fiddling
around the debugger with kgdb, and back-and-forth with
Microchip, we came to the conclusion that the issue is
probably that the peripheral is still busy receiving on AHB
when the LASTXFER bit is written to its Control Register
on APB, therefore this write gets lost, and the peripheral
still thinks there is more data to come in the MMIO transfer.
This was first formulated when we noticed that doubling the
write() of QSPI_CR_LASTXFER seemed to solve the problem.
Ultimately, the solution is to introduce memory barriers
after the AHB-mapped MMIO transfers, to ensure ordering.
Fixes: d5433def3153 ("mtd: spi-nor: atmel-quadspi: Add spi-mem support to atmel-quadspi")
Cc: Hari.PrasathGE(a)microchip.com
Cc: Mahesh.Abotula(a)microchip.com
Cc: Marco.Cardellini(a)microchip.com
Cc: <stable(a)vger.kernel.org> # c0a0203cf579: ("spi: atmel-quadspi: Create `atmel_qspi_ops`"...)
Cc: <stable(a)vger.kernel.org> # 6.x.y
Signed-off-by: Bence Csókás <csokas.bence(a)prolan.hu>
---
Notes:
Changes in v2:
* dropping --- from commit msg
drivers/spi/atmel-quadspi.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/spi/atmel-quadspi.c b/drivers/spi/atmel-quadspi.c
index 73cf0c3f1477..96fc1c56a221 100644
--- a/drivers/spi/atmel-quadspi.c
+++ b/drivers/spi/atmel-quadspi.c
@@ -625,13 +625,20 @@ static int atmel_qspi_transfer(struct spi_mem *mem,
(void)atmel_qspi_read(aq, QSPI_IFR);
/* Send/Receive data */
- if (op->data.dir == SPI_MEM_DATA_IN)
+ if (op->data.dir == SPI_MEM_DATA_IN) {
memcpy_fromio(op->data.buf.in, aq->mem + offset,
op->data.nbytes);
- else
+
+ /* Synchronize AHB and APB accesses again */
+ rmb();
+ } else {
memcpy_toio(aq->mem + offset, op->data.buf.out,
op->data.nbytes);
+ /* Synchronize AHB and APB accesses again */
+ wmb();
+ }
+
/* Release the chip-select */
atmel_qspi_write(QSPI_CR_LASTXFER, aq, QSPI_CR);
--
2.34.1
3 months, 3 weeks
- 2
- 1
[PATCH] media: lirc: Fix error handling in lirc_register()
by Ma Ke
When cdev_device_add() failed, calling put_device() to explicitly
release dev->lirc_dev. Otherwise, it could cause the fault of the
reference count.
Found by code review.
Cc: stable(a)vger.kernel.org
Fixes: a6ddd4fecbb0 ("media: lirc: remove last remnants of lirc kapi")
Signed-off-by: Ma Ke <make24(a)iscas.ac.cn>
---
drivers/media/rc/lirc_dev.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/media/rc/lirc_dev.c b/drivers/media/rc/lirc_dev.c
index a2257dc2f25d..ed839e15fa16 100644
--- a/drivers/media/rc/lirc_dev.c
+++ b/drivers/media/rc/lirc_dev.c
@@ -765,6 +765,7 @@ int lirc_register(struct rc_dev *dev)
return 0;
out_ida:
+ put_device(&dev->lirc_dev);
ida_free(&lirc_ida, minor);
return err;
}
--
2.25.1
3 months, 3 weeks
- 2
- 3
[PATCH] [SCSI] raid class: Fix error handling in raid_component_add
by Ma Ke
The reference count of the device incremented in device_initialize() is
not decremented when device_add() fails. Add a put_device() and delete
kfree() before returning from the function to decrement reference
count for cleanup. Or it could cause memory leak.
As comment of device_add() says, if device_add() succeeds, you should
call device_del() when you want to get rid of it. If device_add() has
not succeeded, use only put_device() to drop the reference count.
Found by code review.
Cc: stable(a)vger.kernel.org
Fixes: ed542bed126c ("[SCSI] raid class: handle component-add errors")
Signed-off-by: Ma Ke <make24(a)iscas.ac.cn>
---
drivers/scsi/raid_class.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/raid_class.c b/drivers/scsi/raid_class.c
index 898a0bdf8df6..77c91dbf3b77 100644
--- a/drivers/scsi/raid_class.c
+++ b/drivers/scsi/raid_class.c
@@ -251,7 +251,7 @@ int raid_component_add(struct raid_template *r,struct device *raid_dev,
list_del(&rc->node);
rd->component_count--;
put_device(component_dev);
- kfree(rc);
+ put_device(&rc->dev);
return err;
}
EXPORT_SYMBOL(raid_component_add);
--
2.25.1
3 months, 3 weeks
- 1
- 0
[PATCH] zram: fix potential UAF of zram table
by Kairui Song
From: Kairui Song <kasong(a)tencent.com>
If zram_meta_alloc failed early, it frees allocated zram->table without
setting it NULL. Which will potentially cause zram_meta_free to access
the table if user reset an failed and uninitialized device.
Fixes: 74363ec674cb ("zram: fix uninitialized ZRAM not releasing backing device")
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Kairui Song <kasong(a)tencent.com>
---
drivers/block/zram/zram_drv.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c
index 5b8e4f4171ab..70ecaee25c20 100644
--- a/drivers/block/zram/zram_drv.c
+++ b/drivers/block/zram/zram_drv.c
@@ -1465,6 +1465,7 @@ static bool zram_meta_alloc(struct zram *zram, u64 disksize)
zram->mem_pool = zs_create_pool(zram->disk->disk_name);
if (!zram->mem_pool) {
vfree(zram->table);
+ zram->table = NULL;
return false;
}
--
2.47.1
3 months, 3 weeks
- 2
- 1
[PATCH v3] arm64: mm: Populate vmemmap at the page level for hotplugged sections
by Zhenhua Huang
Commit c1cc1552616d ("arm64: MMU initialisation") optimizes the
vmemmap to populate at the PMD section level which was suitable
initially since hotplugging granule is always 128M. However,
commit ba72b4c8cf60 ("mm/sparsemem: support sub-section hotplug")
which added 2M hotplugging granule disrupted the arm64 assumptions.
Considering the vmemmap_free -> unmap_hotplug_pmd_range path, when
pmd_sect() is true, the entire PMD section is cleared, even if there is
other effective subsection. For example pagemap1 and pagemap2 are part
of a single PMD entry and they are hot-added sequentially. Then pagemap1
is removed, vmemmap_free() will clear the entire PMD entry freeing the
struct page metadata for the whole section, even though pagemap2 is still
active.
To address the issue, we need to prevent PMD/PUD/CONT mappings for both
linear and vmemmap for non-boot sections if the size exceeds 2MB
(considering sub-section is 2MB). We only permit 2MB blocks in a 4KB page
configuration.
Cc: stable(a)vger.kernel.org # v5.4+
Fixes: ba72b4c8cf60 ("mm/sparsemem: support sub-section hotplug")
Signed-off-by: Zhenhua Huang <quic_zhenhuah(a)quicinc.com>
---
Hi Catalin and Anshuman,
Based on your review comments, I concluded below patch and tested with my setup.
I have not folded patchset #2 since this patch seems to be enough for backporting..
Please see if you have further suggestions.
arch/arm64/mm/mmu.c | 33 +++++++++++++++++++++++++++++----
1 file changed, 29 insertions(+), 4 deletions(-)
diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
index e2739b69e11b..2b4d23f01d85 100644
--- a/arch/arm64/mm/mmu.c
+++ b/arch/arm64/mm/mmu.c
@@ -42,9 +42,11 @@
#include <asm/pgalloc.h>
#include <asm/kfence.h>
-#define NO_BLOCK_MAPPINGS BIT(0)
+#define NO_PMD_BLOCK_MAPPINGS BIT(0)
#define NO_CONT_MAPPINGS BIT(1)
#define NO_EXEC_MAPPINGS BIT(2) /* assumes FEAT_HPDS is not used */
+#define NO_PUD_BLOCK_MAPPINGS BIT(3) /* Hotplug case: do not want block mapping for PUD */
+#define NO_BLOCK_MAPPINGS (NO_PMD_BLOCK_MAPPINGS | NO_PUD_BLOCK_MAPPINGS)
u64 kimage_voffset __ro_after_init;
EXPORT_SYMBOL(kimage_voffset);
@@ -254,7 +256,7 @@ static void init_pmd(pmd_t *pmdp, unsigned long addr, unsigned long end,
/* try section mapping first */
if (((addr | next | phys) & ~PMD_MASK) == 0 &&
- (flags & NO_BLOCK_MAPPINGS) == 0) {
+ (flags & NO_PMD_BLOCK_MAPPINGS) == 0) {
pmd_set_huge(pmdp, phys, prot);
/*
@@ -356,10 +358,11 @@ static void alloc_init_pud(p4d_t *p4dp, unsigned long addr, unsigned long end,
/*
* For 4K granule only, attempt to put down a 1GB block
+ * Hotplug case: do not attempt 1GB block
*/
if (pud_sect_supported() &&
((addr | next | phys) & ~PUD_MASK) == 0 &&
- (flags & NO_BLOCK_MAPPINGS) == 0) {
+ (flags & NO_PUD_BLOCK_MAPPINGS) == 0) {
pud_set_huge(pudp, phys, prot);
/*
@@ -1175,9 +1178,16 @@ int __meminit vmemmap_check_pmd(pmd_t *pmdp, int node,
int __meminit vmemmap_populate(unsigned long start, unsigned long end, int node,
struct vmem_altmap *altmap)
{
+ unsigned long start_pfn;
+ struct mem_section *ms;
+
WARN_ON((start < VMEMMAP_START) || (end > VMEMMAP_END));
- if (!IS_ENABLED(CONFIG_ARM64_4K_PAGES))
+ start_pfn = page_to_pfn((struct page *)start);
+ ms = __pfn_to_section(start_pfn);
+
+ /* Hotplugged section not support hugepages */
+ if (!IS_ENABLED(CONFIG_ARM64_4K_PAGES) || !early_section(ms))
return vmemmap_populate_basepages(start, end, node, altmap);
else
return vmemmap_populate_hugepages(start, end, node, altmap);
@@ -1339,9 +1349,24 @@ int arch_add_memory(int nid, u64 start, u64 size,
struct mhp_params *params)
{
int ret, flags = NO_EXEC_MAPPINGS;
+ unsigned long start_pfn = page_to_pfn((struct page *)start);
+ struct mem_section *ms = __pfn_to_section(start_pfn);
VM_BUG_ON(!mhp_range_allowed(start, size, true));
+ /* Should not be invoked by early section */
+ WARN_ON(early_section(ms));
+
+ if (IS_ENABLED(CONFIG_ARM64_4K_PAGES))
+ /*
+ * As per subsection granule is 2M, allow PMD block mapping in
+ * case 4K PAGES.
+ * Other cases forbid section mapping.
+ */
+ flags |= NO_PUD_BLOCK_MAPPINGS | NO_CONT_MAPPINGS;
+ else
+ flags |= NO_BLOCK_MAPPINGS | NO_CONT_MAPPINGS;
+
if (can_set_direct_map())
flags |= NO_BLOCK_MAPPINGS | NO_CONT_MAPPINGS;
--
2.25.1
3 months, 3 weeks
- 2
- 2
[merged] revert-vmstat-disable-vmstat_work-on-vmstat_cpu_down_prep.patch removed from -mm tree
by Andrew Morton
The quilt patch titled
Subject: revert "vmstat: disable vmstat_work on vmstat_cpu_down_prep()"
has been removed from the -mm tree. Its filename was
revert-vmstat-disable-vmstat_work-on-vmstat_cpu_down_prep.patch
This patch was dropped because it was merged into mainline or a subsystem tree
------------------------------------------------------
From: Andrew Morton <akpm(a)linux-foundation.org>
Subject: revert "vmstat: disable vmstat_work on vmstat_cpu_down_prep()"
Date: Mon Jan 6 06:24:12 PM PST 2025
Revert adcfb264c3ed ("vmstat: disable vmstat_work on
vmstat_cpu_down_prep()") due to "workqueue: work disable count
underflowed" WARNings.
Fixes: adcfb264c3ed ("vmstat: disable vmstat_work on vmstat_cpu_down_prep()")
Reported-by: Borislav Petkov <bp(a)alien8.de>
Reported-by: Alexander Gordeev <agordeev(a)linux.ibm.com>
Cc: Greg KH <greg(a)kroah.com>
Cc: Koichiro Den <koichiro.den(a)canonical.com>
Cc: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
mm/vmstat.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/mm/vmstat.c~revert-vmstat-disable-vmstat_work-on-vmstat_cpu_down_prep
+++ a/mm/vmstat.c
@@ -2148,14 +2148,13 @@ static int vmstat_cpu_online(unsigned in
if (!node_state(cpu_to_node(cpu), N_CPU)) {
node_set_state(cpu_to_node(cpu), N_CPU);
}
- enable_delayed_work(&per_cpu(vmstat_work, cpu));
return 0;
}
static int vmstat_cpu_down_prep(unsigned int cpu)
{
- disable_delayed_work_sync(&per_cpu(vmstat_work, cpu));
+ cancel_delayed_work_sync(&per_cpu(vmstat_work, cpu));
return 0;
}
_
Patches currently in -mm which might be from akpm(a)linux-foundation.org are
mm-swap_cgroup-allocate-swap_cgroup-map-using-vcalloc-fix.patch
mm-page_alloc-add-some-detailed-comments-in-can_steal_fallback-fix.patch
mm-introduce-mmap_lock_speculate_try_beginretry-fix.patch
mm-damon-tests-vaddr-kunith-reduce-stack-consumption.patch
mm-damon-tests-vaddr-kunith-reduce-stack-consumption-fix.patch
mm-remove-an-avoidable-load-of-page-refcount-in-page_ref_add_unless-fix.patch
mm-fix-outdated-incorrect-code-comments-for-handle_mm_fault-fix.patch
mm-huge_memoryc-rename-shadowed-local.patch
replace-free-hugepage-folios-after-migration-fix.patch
xarray-port-tests-to-kunit-fix.patch
checkpatch-check-return-of-git_commit_info-fix.patch
fault-inject-use-prandom-where-cryptographically-secure-randomness-is-not-needed-fix.patch
3 months, 3 weeks
- 1
- 0
Re: Linux 6.13-rc6
by Borislav Petkov
On Sun, Jan 05, 2025 at 02:20:54PM -0800, Linus Torvalds wrote:
> So we had a slight pickup in commits this last week, but as expected
> and hoped for, things were still pretty quiet. About twice as many
> commits as the holiday week, but that's still not all that many.
>
> I expect things will start becoming more normal now that people are
> back from the holidays and are starting to recover and wake up from
> their food comas.
>
> In the meantime, below is the shortlog for the last week. Nothing
> particularly stands out, the changes are dominated by various driver
> updates (gpu, rdma and networking), with a random smattering of fixes
> elsewhere.
Something not well baked managed to sneak in and it is tagged for stable:
adcfb264c3ed ("vmstat: disable vmstat_work on vmstat_cpu_down_prep()")
Reverting it fixes the warn splat below.
[ 0.310373] smpboot: x86: Booting SMP configuration:
[ 0.311074] .... node #0, CPUs: #1 #2 #3 #4 #5 #6 #7 #8 #9 #10 #11 #12 #13 #14 #15
[ 0.313798] ------------[ cut here ]------------
[ 0.317530] workqueue: work disable count underflowed
[ 0.317530] WARNING: CPU: 1 PID: 21 at kernel/workqueue.c:4317 enable_work+0xa4/0xb0
[ 0.317530] Modules linked in:
[ 0.317530] CPU: 1 UID: 0 PID: 21 Comm: cpuhp/1 Not tainted 6.13.0-rc6 #11
[ 0.317530] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 2023.11-8 02/21/2024
[ 0.317530] RIP: 0010:enable_work+0xa4/0xb0
[ 0.317530] Code: c0 48 83 c4 18 5b 5d e9 ca 25 9f 00 80 3d 0a c7 48 08 00 75 b3 c6 05 01 c7 48 08 01 90 48 c7 c7 c8 eb 1d 82 e8 5d 77 fd ff 90 <0f> 0b 90 90 eb 98 90 0f 0b 90 eb b1 90 90 90 90 90 90 90 90 90 90
[ 0.317530] RSP: 0018:ffffc90000137e18 EFLAGS: 00010082
[ 0.317530] RAX: 0000000000000029 RBX: ffff88807d66dda0 RCX: 00000000ffefffff
[ 0.317530] RDX: 0000000000000001 RSI: ffffc90000137ce0 RDI: 0000000000000001
[ 0.317530] RBP: 0000000000000000 R08: 00000000ffefffff R09: 0000000000000058
[ 0.317530] R10: 0000000000000000 R11: ffffffff8244df00 R12: 0000000000000000
[ 0.317530] R13: ffff88807d6604e0 R14: ffffffff812439f0 R15: ffff88807d660508
[ 0.317530] FS: 0000000000000000(0000) GS:ffff88807d640000(0000) knlGS:0000000000000000
[ 0.317530] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 0.317530] CR2: 0000000000000000 CR3: 0000000002c1a000 CR4: 00000000003506f0
[ 0.317530] Call Trace:
[ 0.317530] <TASK>
[ 0.317530] ? __warn+0xa0/0x160
[ 0.317530] ? enable_work+0xa4/0xb0
[ 0.317530] ? report_bug+0x18c/0x1c0
[ 0.317530] ? handle_bug+0x54/0x90
[ 0.317530] ? exc_invalid_op+0x1b/0x80
[ 0.317530] ? asm_exc_invalid_op+0x1a/0x20
[ 0.317530] ? __pfx_vmstat_cpu_online+0x10/0x10
[ 0.317530] ? enable_work+0xa4/0xb0
[ 0.317530] ? enable_work+0xa3/0xb0
[ 0.317530] vmstat_cpu_online+0x61/0x80
[ 0.317530] cpuhp_invoke_callback+0x10f/0x480
[ 0.317530] ? srso_return_thunk+0x5/0x5f
[ 0.317530] cpuhp_thread_fun+0xd4/0x160
[ 0.317530] smpboot_thread_fn+0xdd/0x1f0
[ 0.317530] ? __pfx_smpboot_thread_fn+0x10/0x10
[ 0.317530] kthread+0xca/0xf0
[ 0.317530] ? __pfx_kthread+0x10/0x10
[ 0.317530] ret_from_fork+0x50/0x60
[ 0.317530] ? __pfx_kthread+0x10/0x10
[ 0.317530] ret_from_fork_asm+0x1a/0x30
[ 0.317530] </TASK>
[ 0.317530] ---[ end trace 0000000000000000 ]---
[ 0.377680] smp: Brought up 1 node, 16 CPUs
[ 0.378345] smpboot: Total of 16 processors activated (118393.24 BogoMIPS)
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
3 months, 3 weeks
- 6
- 6
[merged] fs-proc-do_task_stat-fix-esp-not-readable-during-coredump.patch removed from -mm tree
by Andrew Morton
The quilt patch titled
Subject: fs/proc: do_task_stat: fix ESP not readable during coredump
has been removed from the -mm tree. Its filename was
fs-proc-do_task_stat-fix-esp-not-readable-during-coredump.patch
This patch was dropped because it was merged into mainline or a subsystem tree
------------------------------------------------------
From: Nam Cao <namcao(a)linutronix.de>
Subject: fs/proc: do_task_stat: fix ESP not readable during coredump
Date: Thu, 2 Jan 2025 09:22:56 +0100
The field "eip" (instruction pointer) and "esp" (stack pointer) of a task
can be read from /proc/PID/stat. These fields can be interesting for
coredump.
However, these fields were disabled by commit 0a1eb2d474ed ("fs/proc: Stop
reporting eip and esp in /proc/PID/stat"), because it is generally unsafe
to do so. But it is safe for a coredumping process, and therefore
exceptions were made:
- for a coredumping thread by commit fd7d56270b52 ("fs/proc: Report
eip/esp in /prod/PID/stat for coredumping").
- for all other threads in a coredumping process by commit cb8f381f1613
("fs/proc/array.c: allow reporting eip/esp for all coredumping
threads").
The above two commits check the PF_DUMPCORE flag to determine a coredump
thread and the PF_EXITING flag for the other threads.
Unfortunately, commit 92307383082d ("coredump: Don't perform any cleanups
before dumping core") moved coredump to happen earlier and before
PF_EXITING is set. Thus, checking PF_EXITING is no longer the correct way
to determine threads in a coredumping process.
Instead of PF_EXITING, use PF_POSTCOREDUMP to determine the other threads.
Checking of PF_EXITING was added for coredumping, so it probably can now
be removed. But it doesn't hurt to keep.
Link: https://lkml.kernel.org/r/d89af63d478d6c64cc46a01420b46fd6eb147d6f.17358057…
Fixes: 92307383082d ("coredump: Don't perform any cleanups before dumping core")
Signed-off-by: Nam Cao <namcao(a)linutronix.de>
Acked-by: Oleg Nesterov <oleg(a)redhat.com>
Acked-by: Kees Cook <kees(a)kernel.org>
Cc: Eric W. Biederman <ebiederm(a)xmission.com>
Cc: Dylan Hatch <dylanbhatch(a)google.com>
Cc: John Ogness <john.ogness(a)linutronix.de>
Cc: Shuah Khan <shuah(a)kernel.org>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
fs/proc/array.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/proc/array.c~fs-proc-do_task_stat-fix-esp-not-readable-during-coredump
+++ a/fs/proc/array.c
@@ -500,7 +500,7 @@ static int do_task_stat(struct seq_file
* a program is not able to use ptrace(2) in that case. It is
* safe because the task has stopped executing permanently.
*/
- if (permitted && (task->flags & (PF_EXITING|PF_DUMPCORE))) {
+ if (permitted && (task->flags & (PF_EXITING|PF_DUMPCORE|PF_POSTCOREDUMP))) {
if (try_get_task_stack(task)) {
eip = KSTK_EIP(task);
esp = KSTK_ESP(task);
_
Patches currently in -mm which might be from namcao(a)linutronix.de are
3 months, 3 weeks
- 1
- 0
+ hugetlb-fix-null-pointer-dereference-in-trace_hugetlbfs_alloc_inode.patch added to mm-hotfixes-unstable branch
by Andrew Morton
The patch titled
Subject: hugetlb: fix NULL pointer dereference in trace_hugetlbfs_alloc_inode
has been added to the -mm mm-hotfixes-unstable branch. Its filename is
hugetlb-fix-null-pointer-dereference-in-trace_hugetlbfs_alloc_inode.patch
This patch will shortly appear at
https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…
This patch will later appear in the mm-hotfixes-unstable branch at
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days
------------------------------------------------------
From: Muchun Song <songmuchun(a)bytedance.com>
Subject: hugetlb: fix NULL pointer dereference in trace_hugetlbfs_alloc_inode
Date: Mon, 6 Jan 2025 11:31:17 +0800
hugetlb_file_setup() will pass a NULL @dir to hugetlbfs_get_inode(), so we
will access a NULL pointer for @dir. Fix it and set __entry->dr to 0 if
@dir is NULL. Because ->i_ino cannot be 0 (see get_next_ino()), there is
no confusing if user sees a 0 inode number.
Link: https://lkml.kernel.org/r/20250106033118.4640-1-songmuchun@bytedance.com
Fixes: 318580ad7f28 ("hugetlbfs: support tracepoint")
Signed-off-by: Muchun Song <songmuchun(a)bytedance.com>
Reported-by: Cheung Wall <zzqq0103.hey(a)gmail.com>
Closes: https://lore.kernel.org/linux-mm/02858D60-43C1-4863-A84F-3C76A8AF1F15@linux…
Reviewed-by: Hongbo Li <lihongbo22(a)huawei.com>
Cc: cheung wall <zzqq0103.hey(a)gmail.com>
Cc: Christian Brauner <brauner(a)kernel.org>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
include/trace/events/hugetlbfs.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/include/trace/events/hugetlbfs.h~hugetlb-fix-null-pointer-dereference-in-trace_hugetlbfs_alloc_inode
+++ a/include/trace/events/hugetlbfs.h
@@ -23,7 +23,7 @@ TRACE_EVENT(hugetlbfs_alloc_inode,
TP_fast_assign(
__entry->dev = inode->i_sb->s_dev;
__entry->ino = inode->i_ino;
- __entry->dir = dir->i_ino;
+ __entry->dir = dir ? dir->i_ino : 0;
__entry->mode = mode;
),
_
Patches currently in -mm which might be from songmuchun(a)bytedance.com are
hugetlb-fix-null-pointer-dereference-in-trace_hugetlbfs_alloc_inode.patch
3 months, 3 weeks
- 1
- 0
+ revert-vmstat-disable-vmstat_work-on-vmstat_cpu_down_prep.patch added to mm-hotfixes-unstable branch
by Andrew Morton
The patch titled
Subject: revert "vmstat: disable vmstat_work on vmstat_cpu_down_prep()"
has been added to the -mm mm-hotfixes-unstable branch. Its filename is
revert-vmstat-disable-vmstat_work-on-vmstat_cpu_down_prep.patch
This patch will shortly appear at
https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…
This patch will later appear in the mm-hotfixes-unstable branch at
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days
------------------------------------------------------
From: Andrew Morton <akpm(a)linux-foundation.org>
Subject: revert "vmstat: disable vmstat_work on vmstat_cpu_down_prep()"
Date: Mon Jan 6 06:24:12 PM PST 2025
Revert adcfb264c3ed ("vmstat: disable vmstat_work on
vmstat_cpu_down_prep()") due to "workqueue: work disable count
underflowed" WARNings.
Fixes: adcfb264c3ed ("vmstat: disable vmstat_work on vmstat_cpu_down_prep()")
Reported-by: Borislav Petkov <bp(a)alien8.de>
Reported-by: Alexander Gordeev <agordeev(a)linux.ibm.com>
Cc: Greg KH <greg(a)kroah.com>
Cc: Koichiro Den <koichiro.den(a)canonical.com>
Cc: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
mm/vmstat.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/mm/vmstat.c~revert-vmstat-disable-vmstat_work-on-vmstat_cpu_down_prep
+++ a/mm/vmstat.c
@@ -2148,14 +2148,13 @@ static int vmstat_cpu_online(unsigned in
if (!node_state(cpu_to_node(cpu), N_CPU)) {
node_set_state(cpu_to_node(cpu), N_CPU);
}
- enable_delayed_work(&per_cpu(vmstat_work, cpu));
return 0;
}
static int vmstat_cpu_down_prep(unsigned int cpu)
{
- disable_delayed_work_sync(&per_cpu(vmstat_work, cpu));
+ cancel_delayed_work_sync(&per_cpu(vmstat_work, cpu));
return 0;
}
_
Patches currently in -mm which might be from akpm(a)linux-foundation.org are
revert-vmstat-disable-vmstat_work-on-vmstat_cpu_down_prep.patch
mm-swap_cgroup-allocate-swap_cgroup-map-using-vcalloc-fix.patch
mm-page_alloc-add-some-detailed-comments-in-can_steal_fallback-fix.patch
mm-introduce-mmap_lock_speculate_try_beginretry-fix.patch
mm-damon-tests-vaddr-kunith-reduce-stack-consumption.patch
mm-damon-tests-vaddr-kunith-reduce-stack-consumption-fix.patch
mm-remove-an-avoidable-load-of-page-refcount-in-page_ref_add_unless-fix.patch
mm-fix-outdated-incorrect-code-comments-for-handle_mm_fault-fix.patch
mm-huge_memoryc-rename-shadowed-local.patch
replace-free-hugepage-folios-after-migration-fix.patch
xarray-port-tests-to-kunit-fix.patch
checkpatch-check-return-of-git_commit_info-fix.patch
fault-inject-use-prandom-where-cryptographically-secure-randomness-is-not-needed-fix.patch
3 months, 3 weeks
- 1
- 0
[PATCH v2] misc: microchip: pci1xxxx: Fix possible double free in error handling path
by Ma Ke
When auxiliary_device_add() returns error and then calls
auxiliary_device_uninit(), the callback function
gp_auxiliary_device_release() calls kfree() to free memory. Do not
call kfree() again in the error handling path.
Fix this by skipping the redundant kfree().
Found by code review.
Cc: stable(a)vger.kernel.org
Fixes: 393fc2f5948f ("misc: microchip: pci1xxxx: load auxiliary bus driver for the PIO function in the multi-function endpoint of pci1xxxx device.")
Signed-off-by: Ma Ke <make24(a)iscas.ac.cn>
---
Changes in v2:
- modified the patch omitted.
---
drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c b/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c
index 32af2b14ff34..de75d89ef53e 100644
--- a/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c
+++ b/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c
@@ -111,6 +111,7 @@ static int gp_aux_bus_probe(struct pci_dev *pdev, const struct pci_device_id *id
err_aux_dev_add_1:
auxiliary_device_uninit(&aux_bus->aux_device_wrapper[1]->aux_dev);
+ goto err_aux_dev_add_0;
err_aux_dev_init_1:
ida_free(&gp_client_ida, aux_bus->aux_device_wrapper[1]->aux_dev.id);
@@ -120,6 +121,7 @@ static int gp_aux_bus_probe(struct pci_dev *pdev, const struct pci_device_id *id
err_aux_dev_add_0:
auxiliary_device_uninit(&aux_bus->aux_device_wrapper[0]->aux_dev);
+ goto err_ret;
err_aux_dev_init_0:
ida_free(&gp_client_ida, aux_bus->aux_device_wrapper[0]->aux_dev.id);
@@ -127,6 +129,7 @@ static int gp_aux_bus_probe(struct pci_dev *pdev, const struct pci_device_id *id
err_ida_alloc_0:
kfree(aux_bus->aux_device_wrapper[0]);
+err_ret:
return retval;
}
--
2.25.1
3 months, 3 weeks
- 1
- 0
FAILED: patch "[PATCH] mm: zswap: fix race between [de]compression and CPU hotunplug" failed to apply to 6.12-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 6.12-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y
git checkout FETCH_HEAD
git cherry-pick -x eaebeb93922ca6ab0dd92027b73d0112701706ef
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010627-retry-detached-672f@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From eaebeb93922ca6ab0dd92027b73d0112701706ef Mon Sep 17 00:00:00 2001
From: Yosry Ahmed <yosryahmed(a)google.com>
Date: Thu, 19 Dec 2024 21:24:37 +0000
Subject: [PATCH] mm: zswap: fix race between [de]compression and CPU hotunplug
In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the
current CPU at the beginning of the operation is retrieved and used
throughout. However, since neither preemption nor migration are disabled,
it is possible that the operation continues on a different CPU.
If the original CPU is hotunplugged while the acomp_ctx is still in use,
we run into a UAF bug as the resources attached to the acomp_ctx are freed
during hotunplug in zswap_cpu_comp_dead().
The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use
crypto_acomp API for hardware acceleration") when the switch to the
crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was
retrieved using get_cpu_ptr() which disables preemption and makes sure the
CPU cannot go away from under us. Preemption cannot be disabled with the
crypto_acomp API as a sleepable context is needed.
Commit 8ba2f844f050 ("mm/zswap: change per-cpu mutex and buffer to
per-acomp_ctx") increased the UAF surface area by making the per-CPU
buffers dynamic, adding yet another resource that can be freed from under
zswap compression/decompression by CPU hotunplug.
There are a few ways to fix this:
(a) Add a refcount for acomp_ctx.
(b) Disable migration while using the per-CPU acomp_ctx.
(c) Disable CPU hotunplug while using the per-CPU acomp_ctx by holding
the CPUs read lock.
Implement (c) since it's simpler than (a), and (b) involves using
migrate_disable() which is apparently undesired (see huge comment in
include/linux/preempt.h).
Link: https://lkml.kernel.org/r/20241219212437.2714151-1-yosryahmed@google.com
Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration")
Signed-off-by: Yosry Ahmed <yosryahmed(a)google.com>
Reported-by: Johannes Weiner <hannes(a)cmpxchg.org>
Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/
Reported-by: Sam Sun <samsun1006219(a)gmail.com>
Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tP…
Reviewed-by: Chengming Zhou <chengming.zhou(a)linux.dev>
Acked-by: Barry Song <baohua(a)kernel.org>
Reviewed-by: Nhat Pham <nphamcs(a)gmail.com>
Cc: Vitaly Wool <vitalywool(a)gmail.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
diff --git a/mm/zswap.c b/mm/zswap.c
index f6316b66fb23..5a27af8d86ea 100644
--- a/mm/zswap.c
+++ b/mm/zswap.c
@@ -880,6 +880,18 @@ static int zswap_cpu_comp_dead(unsigned int cpu, struct hlist_node *node)
return 0;
}
+/* Prevent CPU hotplug from freeing up the per-CPU acomp_ctx resources */
+static struct crypto_acomp_ctx *acomp_ctx_get_cpu(struct crypto_acomp_ctx __percpu *acomp_ctx)
+{
+ cpus_read_lock();
+ return raw_cpu_ptr(acomp_ctx);
+}
+
+static void acomp_ctx_put_cpu(void)
+{
+ cpus_read_unlock();
+}
+
static bool zswap_compress(struct page *page, struct zswap_entry *entry,
struct zswap_pool *pool)
{
@@ -893,8 +905,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry,
gfp_t gfp;
u8 *dst;
- acomp_ctx = raw_cpu_ptr(pool->acomp_ctx);
-
+ acomp_ctx = acomp_ctx_get_cpu(pool->acomp_ctx);
mutex_lock(&acomp_ctx->mutex);
dst = acomp_ctx->buffer;
@@ -950,6 +961,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry,
zswap_reject_alloc_fail++;
mutex_unlock(&acomp_ctx->mutex);
+ acomp_ctx_put_cpu();
return comp_ret == 0 && alloc_ret == 0;
}
@@ -960,7 +972,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio)
struct crypto_acomp_ctx *acomp_ctx;
u8 *src;
- acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx);
+ acomp_ctx = acomp_ctx_get_cpu(entry->pool->acomp_ctx);
mutex_lock(&acomp_ctx->mutex);
src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO);
@@ -990,6 +1002,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio)
if (src != acomp_ctx->buffer)
zpool_unmap_handle(zpool, entry->handle);
+ acomp_ctx_put_cpu();
}
/*********************************
3 months, 3 weeks
- 2
- 1
[PATCH] mm: zswap: fix race between [de]compression and CPU hotunplug
by Yosry Ahmed
In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the
current CPU at the beginning of the operation is retrieved and used
throughout. However, since neither preemption nor migration are
disabled, it is possible that the operation continues on a different
CPU.
If the original CPU is hotunplugged while the acomp_ctx is still in use,
we run into a UAF bug as the resources attached to the acomp_ctx are
freed during hotunplug in zswap_cpu_comp_dead().
The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to
use crypto_acomp API for hardware acceleration") when the switch to the
crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was
retrieved using get_cpu_ptr() which disables preemption and makes sure
the CPU cannot go away from under us. Preemption cannot be disabled with
the crypto_acomp API as a sleepable context is needed.
Commit 8ba2f844f050 ("mm/zswap: change per-cpu mutex and buffer to
per-acomp_ctx") increased the UAF surface area by making the per-CPU
buffers dynamic, adding yet another resource that can be freed from
under zswap compression/decompression by CPU hotunplug.
There are a few ways to fix this:
(a) Add a refcount for acomp_ctx.
(b) Disable migration while using the per-CPU acomp_ctx.
(c) Disable CPU hotunplug while using the per-CPU acomp_ctx by holding
the CPUs read lock.
Implement (c) since it's simpler than (a), and (b) involves using
migrate_disable() which is apparently undesired (see huge comment in
include/linux/preempt.h).
Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration")
Reported-by: Johannes Weiner <hannes(a)cmpxchg.org>
Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/
Reported-by: Sam Sun <samsun1006219(a)gmail.com>
Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tP…
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Yosry Ahmed <yosryahmed(a)google.com>
---
mm/zswap.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/mm/zswap.c b/mm/zswap.c
index f6316b66fb236..5a27af8d86ea9 100644
--- a/mm/zswap.c
+++ b/mm/zswap.c
@@ -880,6 +880,18 @@ static int zswap_cpu_comp_dead(unsigned int cpu, struct hlist_node *node)
return 0;
}
+/* Prevent CPU hotplug from freeing up the per-CPU acomp_ctx resources */
+static struct crypto_acomp_ctx *acomp_ctx_get_cpu(struct crypto_acomp_ctx __percpu *acomp_ctx)
+{
+ cpus_read_lock();
+ return raw_cpu_ptr(acomp_ctx);
+}
+
+static void acomp_ctx_put_cpu(void)
+{
+ cpus_read_unlock();
+}
+
static bool zswap_compress(struct page *page, struct zswap_entry *entry,
struct zswap_pool *pool)
{
@@ -893,8 +905,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry,
gfp_t gfp;
u8 *dst;
- acomp_ctx = raw_cpu_ptr(pool->acomp_ctx);
-
+ acomp_ctx = acomp_ctx_get_cpu(pool->acomp_ctx);
mutex_lock(&acomp_ctx->mutex);
dst = acomp_ctx->buffer;
@@ -950,6 +961,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry,
zswap_reject_alloc_fail++;
mutex_unlock(&acomp_ctx->mutex);
+ acomp_ctx_put_cpu();
return comp_ret == 0 && alloc_ret == 0;
}
@@ -960,7 +972,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio)
struct crypto_acomp_ctx *acomp_ctx;
u8 *src;
- acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx);
+ acomp_ctx = acomp_ctx_get_cpu(entry->pool->acomp_ctx);
mutex_lock(&acomp_ctx->mutex);
src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO);
@@ -990,6 +1002,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio)
if (src != acomp_ctx->buffer)
zpool_unmap_handle(zpool, entry->handle);
+ acomp_ctx_put_cpu();
}
/*********************************
--
2.47.1.613.gc27f4b7a9f-goog
3 months, 3 weeks
- 1
- 1
[PATCH v3 1/3] arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB
by Douglas Anderson
The code for detecting CPUs that are vulnerable to Spectre BHB was
based on a hardcoded list of CPU IDs that were known to be affected.
Unfortunately, the list mostly only contained the IDs of standard ARM
cores. The IDs for many cores that are minor variants of the standard
ARM cores (like many Qualcomm Kyro CPUs) weren't listed. This led the
code to assume that those variants were not affected.
Flip the code on its head and instead assume that a core is vulnerable
if it doesn't have CSV2_3 but is unrecognized as being safe. This
involves creating a "Spectre BHB safe" list.
As of right now, the only CPU IDs added to the "Spectre BHB safe" list
are ARM Cortex A35, A53, A55, A510, and A520. This list was created by
looking for cores that weren't listed in ARM's list [1] as per review
feedback on v2 of this patch [2].
NOTE: this patch will not actually _mitigate_ anyone, it will simply
cause them to report themselves as vulnerable. If any cores in the
system are reported as vulnerable but not mitigated then the whole
system will be reported as vulnerable though the system will attempt
to mitigate with the information it has about the known cores.
[1] https://developer.arm.com/Arm%20Security%20Center/Spectre-BHB
[2] https://lore.kernel.org/r/20241219175128.GA25477@willie-the-truck
Fixes: 558c303c9734 ("arm64: Mitigate spectre style branch history side channels")
Cc: stable(a)vger.kernel.org
Signed-off-by: Douglas Anderson <dianders(a)chromium.org>
---
Changes in v3:
- Don't guess the mitigation; just report unknown cores as vulnerable.
- Restructure the code since is_spectre_bhb_affected() defaults to true
Changes in v2:
- New
arch/arm64/include/asm/spectre.h | 1 -
arch/arm64/kernel/proton-pack.c | 144 +++++++++++++++++--------------
2 files changed, 77 insertions(+), 68 deletions(-)
diff --git a/arch/arm64/include/asm/spectre.h b/arch/arm64/include/asm/spectre.h
index 0c4d9045c31f..f1524cdeacf1 100644
--- a/arch/arm64/include/asm/spectre.h
+++ b/arch/arm64/include/asm/spectre.h
@@ -97,7 +97,6 @@ enum mitigation_state arm64_get_meltdown_state(void);
enum mitigation_state arm64_get_spectre_bhb_state(void);
bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry, int scope);
-u8 spectre_bhb_loop_affected(int scope);
void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *__unused);
bool try_emulate_el1_ssbs(struct pt_regs *regs, u32 instr);
diff --git a/arch/arm64/kernel/proton-pack.c b/arch/arm64/kernel/proton-pack.c
index da53722f95d4..06e04c9e6480 100644
--- a/arch/arm64/kernel/proton-pack.c
+++ b/arch/arm64/kernel/proton-pack.c
@@ -845,52 +845,68 @@ static unsigned long system_bhb_mitigations;
* This must be called with SCOPE_LOCAL_CPU for each type of CPU, before any
* SCOPE_SYSTEM call will give the right answer.
*/
-u8 spectre_bhb_loop_affected(int scope)
+static bool is_spectre_bhb_safe(int scope)
+{
+ static const struct midr_range spectre_bhb_safe_list[] = {
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A35),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A53),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A55),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A510),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A520),
+ {},
+ };
+ static bool all_safe = true;
+
+ if (scope != SCOPE_LOCAL_CPU)
+ return all_safe;
+
+ if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_safe_list))
+ return true;
+
+ all_safe = false;
+
+ return false;
+}
+
+static u8 spectre_bhb_loop_affected(void)
{
u8 k = 0;
- static u8 max_bhb_k;
-
- if (scope == SCOPE_LOCAL_CPU) {
- static const struct midr_range spectre_bhb_k32_list[] = {
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE),
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C),
- MIDR_ALL_VERSIONS(MIDR_CORTEX_X1),
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A710),
- MIDR_ALL_VERSIONS(MIDR_CORTEX_X2),
- MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
- MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
- {},
- };
- static const struct midr_range spectre_bhb_k24_list[] = {
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
- MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
- {},
- };
- static const struct midr_range spectre_bhb_k11_list[] = {
- MIDR_ALL_VERSIONS(MIDR_AMPERE1),
- {},
- };
- static const struct midr_range spectre_bhb_k8_list[] = {
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A72),
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A57),
- {},
- };
-
- if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list))
- k = 32;
- else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k24_list))
- k = 24;
- else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k11_list))
- k = 11;
- else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k8_list))
- k = 8;
-
- max_bhb_k = max(max_bhb_k, k);
- } else {
- k = max_bhb_k;
- }
+
+ static const struct midr_range spectre_bhb_k32_list[] = {
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X1),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A710),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X2),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
+ {},
+ };
+ static const struct midr_range spectre_bhb_k24_list[] = {
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
+ {},
+ };
+ static const struct midr_range spectre_bhb_k11_list[] = {
+ MIDR_ALL_VERSIONS(MIDR_AMPERE1),
+ {},
+ };
+ static const struct midr_range spectre_bhb_k8_list[] = {
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A72),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A57),
+ {},
+ };
+
+ if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list))
+ k = 32;
+ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k24_list))
+ k = 24;
+ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k11_list))
+ k = 11;
+ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k8_list))
+ k = 8;
return k;
}
@@ -916,9 +932,8 @@ static enum mitigation_state spectre_bhb_get_cpu_fw_mitigation_state(void)
}
}
-static bool is_spectre_bhb_fw_affected(int scope)
+static bool is_spectre_bhb_fw_affected(void)
{
- static bool system_affected;
enum mitigation_state fw_state;
bool has_smccc = arm_smccc_1_1_get_conduit() != SMCCC_CONDUIT_NONE;
static const struct midr_range spectre_bhb_firmware_mitigated_list[] = {
@@ -929,16 +944,8 @@ static bool is_spectre_bhb_fw_affected(int scope)
bool cpu_in_list = is_midr_in_range_list(read_cpuid_id(),
spectre_bhb_firmware_mitigated_list);
- if (scope != SCOPE_LOCAL_CPU)
- return system_affected;
-
fw_state = spectre_bhb_get_cpu_fw_mitigation_state();
- if (cpu_in_list || (has_smccc && fw_state == SPECTRE_MITIGATED)) {
- system_affected = true;
- return true;
- }
-
- return false;
+ return cpu_in_list || (has_smccc && fw_state == SPECTRE_MITIGATED);
}
static bool supports_ecbhb(int scope)
@@ -954,6 +961,8 @@ static bool supports_ecbhb(int scope)
ID_AA64MMFR1_EL1_ECBHB_SHIFT);
}
+static u8 max_bhb_k;
+
bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry,
int scope)
{
@@ -962,16 +971,18 @@ bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry,
if (supports_csv2p3(scope))
return false;
- if (supports_clearbhb(scope))
- return true;
-
- if (spectre_bhb_loop_affected(scope))
- return true;
+ if (is_spectre_bhb_safe(scope))
+ return false;
- if (is_spectre_bhb_fw_affected(scope))
- return true;
+ /*
+ * At this point the core isn't known to be "safe" so we're going to
+ * assume it's vulnerable. We still need to update `max_bhb_k` though,
+ * but only if we aren't mitigating with clearbhb though.
+ */
+ if (scope == SCOPE_LOCAL_CPU && !supports_clearbhb(SCOPE_LOCAL_CPU))
+ max_bhb_k = max(max_bhb_k, spectre_bhb_loop_affected());
- return false;
+ return true;
}
static void this_cpu_set_vectors(enum arm64_bp_harden_el1_vectors slot)
@@ -1028,7 +1039,7 @@ void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *entry)
this_cpu_set_vectors(EL1_VECTOR_BHB_CLEAR_INSN);
state = SPECTRE_MITIGATED;
set_bit(BHB_INSN, &system_bhb_mitigations);
- } else if (spectre_bhb_loop_affected(SCOPE_LOCAL_CPU)) {
+ } else if (spectre_bhb_loop_affected()) {
/*
* Ensure KVM uses the indirect vector which will have the
* branchy-loop added. A57/A72-r0 will already have selected
@@ -1041,7 +1052,7 @@ void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *entry)
this_cpu_set_vectors(EL1_VECTOR_BHB_LOOP);
state = SPECTRE_MITIGATED;
set_bit(BHB_LOOP, &system_bhb_mitigations);
- } else if (is_spectre_bhb_fw_affected(SCOPE_LOCAL_CPU)) {
+ } else if (is_spectre_bhb_fw_affected()) {
fw_state = spectre_bhb_get_cpu_fw_mitigation_state();
if (fw_state == SPECTRE_MITIGATED) {
/*
@@ -1100,7 +1111,6 @@ void noinstr spectre_bhb_patch_loop_iter(struct alt_instr *alt,
{
u8 rd;
u32 insn;
- u16 loop_count = spectre_bhb_loop_affected(SCOPE_SYSTEM);
BUG_ON(nr_inst != 1); /* MOV -> MOV */
@@ -1109,7 +1119,7 @@ void noinstr spectre_bhb_patch_loop_iter(struct alt_instr *alt,
insn = le32_to_cpu(*origptr);
rd = aarch64_insn_decode_register(AARCH64_INSN_REGTYPE_RD, insn);
- insn = aarch64_insn_gen_movewide(rd, loop_count, 0,
+ insn = aarch64_insn_gen_movewide(rd, max_bhb_k, 0,
AARCH64_INSN_VARIANT_64BIT,
AARCH64_INSN_MOVEWIDE_ZERO);
*updptr++ = cpu_to_le32(insn);
--
2.47.1.613.gc27f4b7a9f-goog
3 months, 3 weeks
- 4
- 3
[PATCH v5] tpm: Map the ACPI provided event log
by Jarkko Sakkinen
The following failure was reported:
[ 10.693310][ T1] tpm_tis STM0925:00: 2.0 TPM (device-id 0x3, rev-id 0)
[ 10.848132][ T1] ------------[ cut here ]------------
[ 10.853559][ T1] WARNING: CPU: 59 PID: 1 at mm/page_alloc.c:4727 __alloc_pages_noprof+0x2ca/0x330
[ 10.862827][ T1] Modules linked in:
[ 10.866671][ T1] CPU: 59 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-lp155.2.g52785e2-default #1 openSUSE Tumbleweed (unreleased) 588cd98293a7c9eba9013378d807364c088c9375
[ 10.882741][ T1] Hardware name: HPE ProLiant DL320 Gen12/ProLiant DL320 Gen12, BIOS 1.20 10/28/2024
[ 10.892170][ T1] RIP: 0010:__alloc_pages_noprof+0x2ca/0x330
[ 10.898103][ T1] Code: 24 08 e9 4a fe ff ff e8 34 36 fa ff e9 88 fe ff ff 83 fe 0a 0f 86 b3 fd ff ff 80 3d 01 e7 ce 01 00 75 09 c6 05 f8 e6 ce 01 01 <0f> 0b 45 31 ff e9 e5 fe ff ff f7 c2 00 00 08 00 75 42 89 d9 80 e1
[ 10.917750][ T1] RSP: 0000:ffffb7cf40077980 EFLAGS: 00010246
[ 10.923777][ T1] RAX: 0000000000000000 RBX: 0000000000040cc0 RCX: 0000000000000000
[ 10.931727][ T1] RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000040cc0
Above shows that ACPI pointed a 16 MiB buffer for the log events because
RSI maps to the 'order' parameter of __alloc_pages_noprof(). Address the
bug by mapping the region when needed instead of copying.
Cc: stable(a)vger.kernel.org # v2.6.16+
Fixes: 55a82ab3181b ("[PATCH] tpm: add bios measurement log")
Reported-by: Andy Liang <andy.liang(a)hpe.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219495
Suggested-by: Matthew Garrett <mjg59(a)srcf.ucam.org>
Tested-by: Andy Liang <andy.liang(a)hpe.com>
Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org>
---
v5:
* Spotted this right after sending: remove extra acpi_os_unmap_iomem()
call.
v4:
* Added tested-by from Andy Liang.
v3:
* Flag mapping code in tpm{1,2}.c with CONFIG_ACPI (nios2 compilation
fix).
v2:
* There was some extra cruft (irrelevant diff), which is now wiped away.
* Added missing tags (fixes, stable).
---
drivers/char/tpm/eventlog/acpi.c | 27 ++++++---------------
drivers/char/tpm/eventlog/common.c | 25 +++++++++++++-------
drivers/char/tpm/eventlog/common.h | 28 ++++++++++++++++++++++
drivers/char/tpm/eventlog/tpm1.c | 30 ++++++++++++++---------
drivers/char/tpm/eventlog/tpm2.c | 38 +++++++++++++++++-------------
include/linux/tpm.h | 1 +
6 files changed, 94 insertions(+), 55 deletions(-)
diff --git a/drivers/char/tpm/eventlog/acpi.c b/drivers/char/tpm/eventlog/acpi.c
index 69533d0bfb51..fb84dd3f6106 100644
--- a/drivers/char/tpm/eventlog/acpi.c
+++ b/drivers/char/tpm/eventlog/acpi.c
@@ -70,14 +70,11 @@ int tpm_read_log_acpi(struct tpm_chip *chip)
acpi_status status;
void __iomem *virt;
u64 len, start;
- struct tpm_bios_log *log;
struct acpi_table_tpm2 *tbl;
struct acpi_tpm2_phy *tpm2_phy;
int format;
int ret;
- log = &chip->log;
-
/* Unfortuntely ACPI does not associate the event log with a specific
* TPM, like PPI. Thus all ACPI TPMs will read the same log.
*/
@@ -135,36 +132,26 @@ int tpm_read_log_acpi(struct tpm_chip *chip)
return -EIO;
}
- /* malloc EventLog space */
- log->bios_event_log = devm_kmalloc(&chip->dev, len, GFP_KERNEL);
- if (!log->bios_event_log)
- return -ENOMEM;
-
- log->bios_event_log_end = log->bios_event_log + len;
-
virt = acpi_os_map_iomem(start, len);
if (!virt) {
dev_warn(&chip->dev, "%s: Failed to map ACPI memory\n", __func__);
/* try EFI log next */
- ret = -ENODEV;
- goto err;
+ return -ENODEV;
}
- memcpy_fromio(log->bios_event_log, virt, len);
-
- acpi_os_unmap_iomem(virt, len);
-
- if (chip->flags & TPM_CHIP_FLAG_TPM2 &&
- !tpm_is_tpm2_log(log->bios_event_log, len)) {
+ if (chip->flags & TPM_CHIP_FLAG_TPM2 && !tpm_is_tpm2_log(virt, len)) {
/* try EFI log next */
ret = -ENODEV;
goto err;
}
+ acpi_os_unmap_iomem(virt, len);
+ chip->flags |= TPM_CHIP_FLAG_ACPI_LOG;
+ chip->log.bios_event_log = (void *)start;
+ chip->log.bios_event_log_end = (void *)start + len;
return format;
err:
- devm_kfree(&chip->dev, log->bios_event_log);
- log->bios_event_log = NULL;
+ acpi_os_unmap_iomem(virt, len);
return ret;
}
diff --git a/drivers/char/tpm/eventlog/common.c b/drivers/char/tpm/eventlog/common.c
index 4c0bbba64ee5..44340ca6e2ac 100644
--- a/drivers/char/tpm/eventlog/common.c
+++ b/drivers/char/tpm/eventlog/common.c
@@ -27,6 +27,7 @@ static int tpm_bios_measurements_open(struct inode *inode,
{
int err;
struct seq_file *seq;
+ struct tpm_measurements *priv;
struct tpm_chip_seqops *chip_seqops;
const struct seq_operations *seqops;
struct tpm_chip *chip;
@@ -42,13 +43,18 @@ static int tpm_bios_measurements_open(struct inode *inode,
get_device(&chip->dev);
inode_unlock(inode);
- /* now register seq file */
+ priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+ if (!priv)
+ return -ENOMEM;
+ priv->chip = chip;
+
err = seq_open(file, seqops);
- if (!err) {
- seq = file->private_data;
- seq->private = chip;
- } else {
+ if (err) {
+ kfree(priv);
put_device(&chip->dev);
+ } else {
+ seq = file->private_data;
+ seq->private = priv;
}
return err;
@@ -58,11 +64,14 @@ static int tpm_bios_measurements_release(struct inode *inode,
struct file *file)
{
struct seq_file *seq = file->private_data;
- struct tpm_chip *chip = seq->private;
+ struct tpm_measurements *priv = seq->private;
+ int ret;
- put_device(&chip->dev);
+ put_device(&priv->chip->dev);
+ ret = seq_release(inode, file);
+ kfree(priv);
- return seq_release(inode, file);
+ return ret;
}
static const struct file_operations tpm_bios_measurements_ops = {
diff --git a/drivers/char/tpm/eventlog/common.h b/drivers/char/tpm/eventlog/common.h
index 47ff8136ceb5..b98fd6d9a6e9 100644
--- a/drivers/char/tpm/eventlog/common.h
+++ b/drivers/char/tpm/eventlog/common.h
@@ -1,12 +1,40 @@
#ifndef __TPM_EVENTLOG_COMMON_H__
#define __TPM_EVENTLOG_COMMON_H__
+#include <linux/acpi.h>
#include "../tpm.h"
extern const struct seq_operations tpm1_ascii_b_measurements_seqops;
extern const struct seq_operations tpm1_binary_b_measurements_seqops;
extern const struct seq_operations tpm2_binary_b_measurements_seqops;
+struct tpm_measurements {
+ struct tpm_chip *chip;
+ void *start;
+ void *end;
+};
+
+static inline bool tpm_measurements_map(struct tpm_measurements *measurements)
+{
+ struct tpm_chip *chip = measurements->chip;
+ struct tpm_bios_log *log = &chip->log;
+ size_t size;
+
+ size = log->bios_event_log_end - log->bios_event_log;
+ measurements->start = log->bios_event_log;
+
+#ifdef CONFIG_ACPI
+ if (chip->flags & TPM_CHIP_FLAG_ACPI_LOG)
+ measurements->start = acpi_os_map_iomem((unsigned long)log->bios_event_log, size);
+#endif
+
+ if (!measurements->start)
+ return false;
+
+ measurements->end = measurements->start + size;
+ return true;
+}
+
#if defined(CONFIG_ACPI)
int tpm_read_log_acpi(struct tpm_chip *chip);
#else
diff --git a/drivers/char/tpm/eventlog/tpm1.c b/drivers/char/tpm/eventlog/tpm1.c
index 12ee42a31c71..aef6ee39423a 100644
--- a/drivers/char/tpm/eventlog/tpm1.c
+++ b/drivers/char/tpm/eventlog/tpm1.c
@@ -70,20 +70,23 @@ static const char* tcpa_pc_event_id_strings[] = {
static void *tpm1_bios_measurements_start(struct seq_file *m, loff_t *pos)
{
loff_t i = 0;
- struct tpm_chip *chip = m->private;
- struct tpm_bios_log *log = &chip->log;
- void *addr = log->bios_event_log;
- void *limit = log->bios_event_log_end;
+ struct tpm_measurements *priv = m->private;
struct tcpa_event *event;
u32 converted_event_size;
u32 converted_event_type;
+ void *addr;
+
+ if (!tpm_measurements_map(priv))
+ return NULL;
+
+ addr = priv->start;
/* read over *pos measurements */
do {
event = addr;
/* check if current entry is valid */
- if (addr + sizeof(struct tcpa_event) > limit)
+ if (addr + sizeof(struct tcpa_event) > priv->end)
return NULL;
converted_event_size =
@@ -93,7 +96,7 @@ static void *tpm1_bios_measurements_start(struct seq_file *m, loff_t *pos)
if (((converted_event_type == 0) && (converted_event_size == 0))
|| ((addr + sizeof(struct tcpa_event) + converted_event_size)
- > limit))
+ > priv->end))
return NULL;
if (i++ == *pos)
@@ -109,9 +112,7 @@ static void *tpm1_bios_measurements_next(struct seq_file *m, void *v,
loff_t *pos)
{
struct tcpa_event *event = v;
- struct tpm_chip *chip = m->private;
- struct tpm_bios_log *log = &chip->log;
- void *limit = log->bios_event_log_end;
+ struct tpm_measurements *priv = m->private;
u32 converted_event_size;
u32 converted_event_type;
@@ -121,7 +122,7 @@ static void *tpm1_bios_measurements_next(struct seq_file *m, void *v,
v += sizeof(struct tcpa_event) + converted_event_size;
/* now check if current entry is valid */
- if ((v + sizeof(struct tcpa_event)) > limit)
+ if ((v + sizeof(struct tcpa_event)) > priv->end)
return NULL;
event = v;
@@ -130,7 +131,7 @@ static void *tpm1_bios_measurements_next(struct seq_file *m, void *v,
converted_event_type = do_endian_conversion(event->event_type);
if (((converted_event_type == 0) && (converted_event_size == 0)) ||
- ((v + sizeof(struct tcpa_event) + converted_event_size) > limit))
+ ((v + sizeof(struct tcpa_event) + converted_event_size) > priv->end))
return NULL;
return v;
@@ -138,6 +139,13 @@ static void *tpm1_bios_measurements_next(struct seq_file *m, void *v,
static void tpm1_bios_measurements_stop(struct seq_file *m, void *v)
{
+#ifdef CONFIG_ACPI
+ struct tpm_measurements *priv = m->private;
+ struct tpm_chip *chip = priv->chip;
+
+ if (chip->flags & TPM_CHIP_FLAG_ACPI_LOG)
+ acpi_os_unmap_iomem(priv->start, priv->end - priv->start);
+#endif
}
static int get_event_name(char *dest, struct tcpa_event *event,
diff --git a/drivers/char/tpm/eventlog/tpm2.c b/drivers/char/tpm/eventlog/tpm2.c
index 37a05800980c..6289d8893e46 100644
--- a/drivers/char/tpm/eventlog/tpm2.c
+++ b/drivers/char/tpm/eventlog/tpm2.c
@@ -41,20 +41,22 @@ static size_t calc_tpm2_event_size(struct tcg_pcr_event2_head *event,
static void *tpm2_bios_measurements_start(struct seq_file *m, loff_t *pos)
{
- struct tpm_chip *chip = m->private;
- struct tpm_bios_log *log = &chip->log;
- void *addr = log->bios_event_log;
- void *limit = log->bios_event_log_end;
+ struct tpm_measurements *priv = m->private;
struct tcg_pcr_event *event_header;
struct tcg_pcr_event2_head *event;
size_t size;
+ void *addr;
int i;
+ if (!tpm_measurements_map(priv))
+ return NULL;
+
+ addr = priv->start;
event_header = addr;
size = struct_size(event_header, event, event_header->event_size);
if (*pos == 0) {
- if (addr + size < limit) {
+ if (addr + size < priv->end) {
if ((event_header->event_type == 0) &&
(event_header->event_size == 0))
return NULL;
@@ -66,7 +68,7 @@ static void *tpm2_bios_measurements_start(struct seq_file *m, loff_t *pos)
addr += size;
event = addr;
size = calc_tpm2_event_size(event, event_header);
- if ((addr + size >= limit) || (size == 0))
+ if ((addr + size >= priv->end) || !size)
return NULL;
}
@@ -74,7 +76,7 @@ static void *tpm2_bios_measurements_start(struct seq_file *m, loff_t *pos)
event = addr;
size = calc_tpm2_event_size(event, event_header);
- if ((addr + size >= limit) || (size == 0))
+ if ((addr + size >= priv->end) || !size)
return NULL;
addr += size;
}
@@ -87,14 +89,12 @@ static void *tpm2_bios_measurements_next(struct seq_file *m, void *v,
{
struct tcg_pcr_event *event_header;
struct tcg_pcr_event2_head *event;
- struct tpm_chip *chip = m->private;
- struct tpm_bios_log *log = &chip->log;
- void *limit = log->bios_event_log_end;
+ struct tpm_measurements *priv = m->private;
size_t event_size;
void *marker;
(*pos)++;
- event_header = log->bios_event_log;
+ event_header = priv->start;
if (v == SEQ_START_TOKEN) {
event_size = struct_size(event_header, event,
@@ -109,13 +109,13 @@ static void *tpm2_bios_measurements_next(struct seq_file *m, void *v,
}
marker = marker + event_size;
- if (marker >= limit)
+ if (marker >= priv->end)
return NULL;
v = marker;
event = v;
event_size = calc_tpm2_event_size(event, event_header);
- if (((v + event_size) >= limit) || (event_size == 0))
+ if (((v + event_size) >= priv->end) || !event_size)
return NULL;
return v;
@@ -123,13 +123,19 @@ static void *tpm2_bios_measurements_next(struct seq_file *m, void *v,
static void tpm2_bios_measurements_stop(struct seq_file *m, void *v)
{
+#ifdef CONFIG_ACPI
+ struct tpm_measurements *priv = m->private;
+ struct tpm_chip *chip = priv->chip;
+
+ if (chip->flags & TPM_CHIP_FLAG_ACPI_LOG)
+ acpi_os_unmap_iomem(priv->start, priv->end - priv->start);
+#endif
}
static int tpm2_binary_bios_measurements_show(struct seq_file *m, void *v)
{
- struct tpm_chip *chip = m->private;
- struct tpm_bios_log *log = &chip->log;
- struct tcg_pcr_event *event_header = log->bios_event_log;
+ struct tpm_measurements *priv = m->private;
+ struct tcg_pcr_event *event_header = priv->start;
struct tcg_pcr_event2_head *event = v;
void *temp_ptr;
size_t size;
diff --git a/include/linux/tpm.h b/include/linux/tpm.h
index 20a40ade8030..f3d12738b93b 100644
--- a/include/linux/tpm.h
+++ b/include/linux/tpm.h
@@ -348,6 +348,7 @@ enum tpm_chip_flags {
TPM_CHIP_FLAG_SUSPENDED = BIT(8),
TPM_CHIP_FLAG_HWRNG_DISABLED = BIT(9),
TPM_CHIP_FLAG_DISABLE = BIT(10),
+ TPM_CHIP_FLAG_ACPI_LOG = BIT(11),
};
#define to_tpm_chip(d) container_of(d, struct tpm_chip, dev)
--
2.47.1
3 months, 3 weeks
- 2
- 5
6.12.7 stable new error: event xe_bo_move has unsafe dereference of argument 4
by Genes Lists
I have not had a chance to bisect this yet but since its in stable
thought it best to share sooner than later.
If noone spots anything, I will do a bisect soon as I can. Boot
completes and aside from this error things seem fine.
- Does not happen with 6.12.6.
- Does happen with Mainline + patch for different drm bug
mainline commit : d6ef8b40d075c425f548002d2f35ae3f06e9cf96
Patch: https://patchwork.freedesktop.org/series/141911/
Patch fixes drm bug reported here (patch not yet in mainline):
https://lore.kernel.org/lkml/3b097dddd7095bccabe6791b90899c689f271a35.camel…
Graphics h/w:
00:02.0 VGA compatible controller: Intel Corporation Raptor Lake-P
[Iris Xe Graphics] (rev 04)
Trace below and full dmesg attached.
gene
[ +0.143567] ------------[ cut here ]------------
[ +0.000003] WARNING: CPU: 6 PID: 344 at
kernel/trace/trace_events.c:577 trace_event_raw_init+0x159/0x660
[ +0.000005] Modules linked in: xe(+) drm_ttm_helper gpu_sched
drm_suballoc_helper drm_gpuvm drm_exec typec_displayport usbhid
hid_sensor_custom hid_sensor_hub intel_ishtp_hid nvme
spi_pxa2xx_platform hid_multitouch dw_dmac nvme_core 8250_dw
spi_pxa2xx_core i915 crct10dif_pclmul crc32_pclmul i2c_algo_bit
crc32c_intel psmouse polyval_clmulni serio_raw polyval_generic
drm_buddy atkbd ghash_clmulni_intel libps2 vivaldi_fmap ttm
sha512_ssse3 sha256_ssse3 intel_gtt sha1_ssse3 aesni_intel gf128mul
drm_display_helper ucsi_acpi crypto_simd typec_ucsi intel_lpss_pci
intel_ish_ipc cryptd intel_lpss roles intel_ishtp idma64 cec vmd typec
i2c_hid_acpi i8042 video i2c_hid serio wmi pkcs8_key_parser wireguard
curve25519_x86_64 libchacha20poly1305 chacha_x86_64 poly1305_x86_64
ip6_udp_tunnel udp_tunnel libcurve25519_generic libchacha loop sg
crypto_user
[ +0.000022] CPU: 6 UID: 0 PID: 344 Comm: (udev-worker) Not tainted
6.12.7-stable-1 #16 8ef5eca39d52f9e2c5a50ace761c4a6858369a18
[ +0.000003] Hardware name: Dell Inc. XPS 9320/0CR6NC, BIOS 2.16.1
09/11/2024
[ +0.000001] RIP: 0010:trace_event_raw_init+0x159/0x660
[ +0.000002] Code: 89 ea 0f 83 3b 04 00 00 e8 84 db ff ff 84 c0 74 10
8b 0c 24 48 c7 c0 fe ff ff ff 48 d3 c0 49 21 c6 4d 85 f6 0f 84 d6 fe ff
ff <0f> 0b bb 01 00 00 00 41 f6 c6 01 0f 85 f3 78 bf 00 66 0f 1f 44 00
[ +0.000001] RSP: 0018:ffffa3c8007bb980 EFLAGS: 00010206
[ +0.000001] RAX: ffffffffffffffdf RBX: ffffffffc0ef8731 RCX:
0000000000000005
[ +0.000001] RDX: 0000000000000002 RSI: 0000000000000001 RDI:
ffffffffc0ef8727
[ +0.000001] RBP: ffffffffc0ef8640 R08: 0000000000000039 R09:
0000000000000000
[ +0.000000] R10: 0000000000000076 R11: 000000000000004e R12:
00000000000000f2
[ +0.000001] R13: ffffffffc0ef9760 R14: 0000000000000018 R15:
0000000000000000
[ +0.000001] FS: 000075f6c10d0880(0000) GS:ffff96b92f500000(0000)
knlGS:0000000000000000
[ +0.000001] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ +0.000000] CR2: 00007be641f52f70 CR3: 000000010cffe000 CR4:
0000000000f50ef0
[ +0.000001] PKRU: 55555554
[ +0.000001] Call Trace:
[ +0.000001] <TASK>
[ +0.000000] ? trace_event_raw_init+0x159/0x660
[ +0.000002] ? __warn.cold+0x93/0xf6
[ +0.000001] ? trace_event_raw_init+0x159/0x660
[ +0.000003] ? report_bug+0xff/0x140
[ +0.000002] ? handle_bug+0x58/0x90
[ +0.000001] ? exc_invalid_op+0x17/0x70
[ +0.000002] ? asm_exc_invalid_op+0x1a/0x20
[ +0.000003] ? trace_event_raw_init+0x159/0x660
[ +0.000002] event_init+0x28/0x70
[ +0.000002] trace_module_notify+0x19a/0x250
[ +0.000001] notifier_call_chain+0x5a/0xd0
[ +0.000002] blocking_notifier_call_chain_robust+0x65/0xc0
[ +0.000002] load_module+0x1818/0x1ce0
[ +0.000004] ? init_module_from_file+0x89/0xe0
[ +0.000001] init_module_from_file+0x89/0xe0
[ +0.000002] idempotent_init_module+0x11e/0x310
[ +0.000002] __x64_sys_finit_module+0x5e/0xb0
[ +0.000002] do_syscall_64+0x82/0x160
[ +0.000002] ? syscall_exit_to_user_mode+0x10/0x200
[ +0.000001] ? do_syscall_64+0x8e/0x160
[ +0.000001] ? syscall_exit_to_user_mode+0x10/0x200
[ +0.000001] ? do_syscall_64+0x8e/0x160
[ +0.000001] ? do_sys_openat2+0x9c/0xe0
[ +0.000002] ? syscall_exit_to_user_mode+0x10/0x200
[ +0.000001] ? do_syscall_64+0x8e/0x160
[ +0.000001] ? do_sys_openat2+0x9c/0xe0
[ +0.000002] ? syscall_exit_to_user_mode+0x10/0x200
[ +0.000001] ? do_syscall_64+0x8e/0x160
[ +0.000001] ? exc_page_fault+0x7e/0x180
[ +0.000001] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ +0.000002] RIP: 0033:0x75f6c18c71fd
[ +0.000011] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa
48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f
05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 fa 0c 00 f7 d8 64 89 01 48
[ +0.000001] RSP: 002b:00007ffdec463948 EFLAGS: 00000246 ORIG_RAX:
0000000000000139
[ +0.000001] RAX: ffffffffffffffda RBX: 000057194ec1c5c0 RCX:
000075f6c18c71fd
[ +0.000001] RDX: 0000000000000004 RSI: 000075f6c10ca05d RDI:
000000000000002b
[ +0.000000] RBP: 00007ffdec463a00 R08: 0000000000000001 R09:
00007ffdec463990
[ +0.000001] R10: 0000000000000040 R11: 0000000000000246 R12:
000075f6c10ca05d
[ +0.000000] R13: 0000000000020000 R14: 000057194ec1dc40 R15:
000057194ec1e900
[ +0.000001] </TASK>
[ +0.000001] ---[ end trace 0000000000000000 ]---
[ +0.000000] event xe_bo_move has unsafe dereference of argument 4
[ +0.000001] print_fmt: "move_lacks_source:%s, migrate object %p [size
%zu] from %s to %s device_id:%s", REC->move_lacks_source ? "yes" :
"no", REC->bo, REC->size, xe_mem_type_to_name[REC->old_placement],
xe_mem_type_to_name[REC->new_placement], __get_str(device_id)
--
Gene
3 months, 3 weeks
- 4
- 12
[PATCH v8] tpm: Map the ACPI provided event log
by Jarkko Sakkinen
The following failure was reported:
[ 10.693310][ T1] tpm_tis STM0925:00: 2.0 TPM (device-id 0x3, rev-id 0)
[ 10.848132][ T1] ------------[ cut here ]------------
[ 10.853559][ T1] WARNING: CPU: 59 PID: 1 at mm/page_alloc.c:4727 __alloc_pages_noprof+0x2ca/0x330
[ 10.862827][ T1] Modules linked in:
[ 10.866671][ T1] CPU: 59 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-lp155.2.g52785e2-default #1 openSUSE Tumbleweed (unreleased) 588cd98293a7c9eba9013378d807364c088c9375
[ 10.882741][ T1] Hardware name: HPE ProLiant DL320 Gen12/ProLiant DL320 Gen12, BIOS 1.20 10/28/2024
[ 10.892170][ T1] RIP: 0010:__alloc_pages_noprof+0x2ca/0x330
[ 10.898103][ T1] Code: 24 08 e9 4a fe ff ff e8 34 36 fa ff e9 88 fe ff ff 83 fe 0a 0f 86 b3 fd ff ff 80 3d 01 e7 ce 01 00 75 09 c6 05 f8 e6 ce 01 01 <0f> 0b 45 31 ff e9 e5 fe ff ff f7 c2 00 00 08 00 75 42 89 d9 80 e1
[ 10.917750][ T1] RSP: 0000:ffffb7cf40077980 EFLAGS: 00010246
[ 10.923777][ T1] RAX: 0000000000000000 RBX: 0000000000040cc0 RCX: 0000000000000000
[ 10.931727][ T1] RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000040cc0
Above shows that ACPI pointed a 16 MiB buffer for the log events because
RSI maps to the 'order' parameter of __alloc_pages_noprof(). Address the
bug with kvmalloc() and devm_add_action_or_reset().
Suggested-by: Ard Biesheuvel <ardb(a)kernel.org>
Cc: stable(a)vger.kernel.org # v2.6.16+
Fixes: 55a82ab3181b ("[PATCH] tpm: add bios measurement log")
Reported-by: Andy Liang <andy.liang(a)hpe.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219495
Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org>
---
v8:
* Reduced to only to this quick fix. Let HPE reserve 16 MiB if they want
to. We have mapping approach backed up in lore.
v7:
* Use devm_add_action_or_reset().
* Fix tags.
v6:
* A new patch.
---
drivers/char/tpm/eventlog/acpi.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/drivers/char/tpm/eventlog/acpi.c b/drivers/char/tpm/eventlog/acpi.c
index 69533d0bfb51..394c8302cefd 100644
--- a/drivers/char/tpm/eventlog/acpi.c
+++ b/drivers/char/tpm/eventlog/acpi.c
@@ -63,6 +63,11 @@ static bool tpm_is_tpm2_log(void *bios_event_log, u64 len)
return n == 0;
}
+static void tpm_bios_log_free(void *data)
+{
+ kvfree(data);
+}
+
/* read binary bios log */
int tpm_read_log_acpi(struct tpm_chip *chip)
{
@@ -136,10 +141,16 @@ int tpm_read_log_acpi(struct tpm_chip *chip)
}
/* malloc EventLog space */
- log->bios_event_log = devm_kmalloc(&chip->dev, len, GFP_KERNEL);
+ log->bios_event_log = kvmalloc(len, GFP_KERNEL);
if (!log->bios_event_log)
return -ENOMEM;
+ ret = devm_add_action_or_reset(&chip->dev, tpm_bios_log_free, log->bios_event_log);
+ if (ret) {
+ log->bios_event_log = NULL;
+ return ret;
+ }
+
log->bios_event_log_end = log->bios_event_log + len;
virt = acpi_os_map_iomem(start, len);
--
2.47.1
3 months, 3 weeks
- 2
- 2
[PATCH v3] arm64: Filter out SVE hwcaps when FEAT_SVE isn't implemented
by Marc Zyngier
The hwcaps code that exposes SVE features to userspace only
considers ID_AA64ZFR0_EL1, while this is only valid when
ID_AA64PFR0_EL1.SVE advertises that SVE is actually supported.
The expectations are that when ID_AA64PFR0_EL1.SVE is 0, the
ID_AA64ZFR0_EL1 register is also 0. So far, so good.
Things become a bit more interesting if the HW implements SME.
In this case, a few ID_AA64ZFR0_EL1 fields indicate *SME*
features. And these fields overlap with their SVE interpretations.
But the architecture says that the SME and SVE feature sets must
match, so we're still hunky-dory.
This goes wrong if the HW implements SME, but not SVE. In this
case, we end-up advertising some SVE features to userspace, even
if the HW has none. That's because we never consider whether SVE
is actually implemented. Oh well.
Fix it by restricting all SVE capabilities to ID_AA64PFR0_EL1.SVE
being non-zero. The HWCAPS documentation is amended to reflect the
actually checks performed by the kernel.
Fixes: 06a916feca2b ("arm64: Expose SVE2 features for userspace")
Reported-by: Catalin Marinas <catalin.marinas(a)arm.com>
Signed-off-by: Marc Zyngier <maz(a)kernel.org>
Cc: Will Deacon <will(a)kernel.org>
Cc: Mark Rutland <mark.rutland(a)arm.com>
Cc: Mark Brown <broonie(a)kernel.org>
Cc: stable(a)vger.kernel.org
---
Documentation/arch/arm64/elf_hwcaps.rst | 39 ++++++++++++++++--------
arch/arm64/kernel/cpufeature.c | 40 +++++++++++++++++--------
2 files changed, 53 insertions(+), 26 deletions(-)
diff --git a/Documentation/arch/arm64/elf_hwcaps.rst b/Documentation/arch/arm64/elf_hwcaps.rst
index 2ff922a406ad8..1a31723e79fd2 100644
--- a/Documentation/arch/arm64/elf_hwcaps.rst
+++ b/Documentation/arch/arm64/elf_hwcaps.rst
@@ -178,22 +178,28 @@ HWCAP2_DCPODP
Functionality implied by ID_AA64ISAR1_EL1.DPB == 0b0010.
HWCAP2_SVE2
- Functionality implied by ID_AA64ZFR0_EL1.SVEver == 0b0001.
+ Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and
+ ID_AA64ZFR0_EL1.SVEver == 0b0001.
HWCAP2_SVEAES
- Functionality implied by ID_AA64ZFR0_EL1.AES == 0b0001.
+ Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and
+ ID_AA64ZFR0_EL1.AES == 0b0001.
HWCAP2_SVEPMULL
- Functionality implied by ID_AA64ZFR0_EL1.AES == 0b0010.
+ Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and
+ ID_AA64ZFR0_EL1.AES == 0b0010.
HWCAP2_SVEBITPERM
- Functionality implied by ID_AA64ZFR0_EL1.BitPerm == 0b0001.
+ Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and
+ ID_AA64ZFR0_EL1.BitPerm == 0b0001.
HWCAP2_SVESHA3
- Functionality implied by ID_AA64ZFR0_EL1.SHA3 == 0b0001.
+ Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and
+ ID_AA64ZFR0_EL1.SHA3 == 0b0001.
HWCAP2_SVESM4
- Functionality implied by ID_AA64ZFR0_EL1.SM4 == 0b0001.
+ Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and
+ ID_AA64ZFR0_EL1.SM4 == 0b0001.
HWCAP2_FLAGM2
Functionality implied by ID_AA64ISAR0_EL1.TS == 0b0010.
@@ -202,16 +208,20 @@ HWCAP2_FRINT
Functionality implied by ID_AA64ISAR1_EL1.FRINTTS == 0b0001.
HWCAP2_SVEI8MM
- Functionality implied by ID_AA64ZFR0_EL1.I8MM == 0b0001.
+ Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and
+ ID_AA64ZFR0_EL1.I8MM == 0b0001.
HWCAP2_SVEF32MM
- Functionality implied by ID_AA64ZFR0_EL1.F32MM == 0b0001.
+ Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and
+ ID_AA64ZFR0_EL1.F32MM == 0b0001.
HWCAP2_SVEF64MM
- Functionality implied by ID_AA64ZFR0_EL1.F64MM == 0b0001.
+ Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and
+ ID_AA64ZFR0_EL1.F64MM == 0b0001.
HWCAP2_SVEBF16
- Functionality implied by ID_AA64ZFR0_EL1.BF16 == 0b0001.
+ Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and
+ ID_AA64ZFR0_EL1.BF16 == 0b0001.
HWCAP2_I8MM
Functionality implied by ID_AA64ISAR1_EL1.I8MM == 0b0001.
@@ -277,7 +287,8 @@ HWCAP2_EBF16
Functionality implied by ID_AA64ISAR1_EL1.BF16 == 0b0010.
HWCAP2_SVE_EBF16
- Functionality implied by ID_AA64ZFR0_EL1.BF16 == 0b0010.
+ Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and
+ ID_AA64ZFR0_EL1.BF16 == 0b0010.
HWCAP2_CSSC
Functionality implied by ID_AA64ISAR2_EL1.CSSC == 0b0001.
@@ -286,7 +297,8 @@ HWCAP2_RPRFM
Functionality implied by ID_AA64ISAR2_EL1.RPRFM == 0b0001.
HWCAP2_SVE2P1
- Functionality implied by ID_AA64ZFR0_EL1.SVEver == 0b0010.
+ Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and
+ ID_AA64ZFR0_EL1.SVEver == 0b0010.
HWCAP2_SME2
Functionality implied by ID_AA64SMFR0_EL1.SMEver == 0b0001.
@@ -313,7 +325,8 @@ HWCAP2_HBC
Functionality implied by ID_AA64ISAR2_EL1.BC == 0b0001.
HWCAP2_SVE_B16B16
- Functionality implied by ID_AA64ZFR0_EL1.B16B16 == 0b0001.
+ Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and
+ ID_AA64ZFR0_EL1.B16B16 == 0b0001.
HWCAP2_LRCPC3
Functionality implied by ID_AA64ISAR1_EL1.LRCPC == 0b0011.
diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
index 6ce71f444ed84..6874aca5da9df 100644
--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -3022,6 +3022,13 @@ static const struct arm64_cpu_capabilities arm64_features[] = {
.matches = match, \
}
+#define HWCAP_CAP_MATCH_ID(match, reg, field, min_value, cap_type, cap) \
+ { \
+ __HWCAP_CAP(#cap, cap_type, cap) \
+ HWCAP_CPUID_MATCH(reg, field, min_value) \
+ .matches = match, \
+ }
+
#ifdef CONFIG_ARM64_PTR_AUTH
static const struct arm64_cpu_capabilities ptr_auth_hwcap_addr_matches[] = {
{
@@ -3050,6 +3057,13 @@ static const struct arm64_cpu_capabilities ptr_auth_hwcap_gen_matches[] = {
};
#endif
+#ifdef CONFIG_ARM64_SVE
+static bool has_sve_feature(const struct arm64_cpu_capabilities *cap, int scope)
+{
+ return system_supports_sve() && has_user_cpuid_feature(cap, scope);
+}
+#endif
+
static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = {
HWCAP_CAP(ID_AA64ISAR0_EL1, AES, PMULL, CAP_HWCAP, KERNEL_HWCAP_PMULL),
HWCAP_CAP(ID_AA64ISAR0_EL1, AES, AES, CAP_HWCAP, KERNEL_HWCAP_AES),
@@ -3092,19 +3106,19 @@ static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = {
HWCAP_CAP(ID_AA64MMFR2_EL1, AT, IMP, CAP_HWCAP, KERNEL_HWCAP_USCAT),
#ifdef CONFIG_ARM64_SVE
HWCAP_CAP(ID_AA64PFR0_EL1, SVE, IMP, CAP_HWCAP, KERNEL_HWCAP_SVE),
- HWCAP_CAP(ID_AA64ZFR0_EL1, SVEver, SVE2p1, CAP_HWCAP, KERNEL_HWCAP_SVE2P1),
- HWCAP_CAP(ID_AA64ZFR0_EL1, SVEver, SVE2, CAP_HWCAP, KERNEL_HWCAP_SVE2),
- HWCAP_CAP(ID_AA64ZFR0_EL1, AES, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEAES),
- HWCAP_CAP(ID_AA64ZFR0_EL1, AES, PMULL128, CAP_HWCAP, KERNEL_HWCAP_SVEPMULL),
- HWCAP_CAP(ID_AA64ZFR0_EL1, BitPerm, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBITPERM),
- HWCAP_CAP(ID_AA64ZFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVE_B16B16),
- HWCAP_CAP(ID_AA64ZFR0_EL1, BF16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBF16),
- HWCAP_CAP(ID_AA64ZFR0_EL1, BF16, EBF16, CAP_HWCAP, KERNEL_HWCAP_SVE_EBF16),
- HWCAP_CAP(ID_AA64ZFR0_EL1, SHA3, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESHA3),
- HWCAP_CAP(ID_AA64ZFR0_EL1, SM4, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESM4),
- HWCAP_CAP(ID_AA64ZFR0_EL1, I8MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEI8MM),
- HWCAP_CAP(ID_AA64ZFR0_EL1, F32MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF32MM),
- HWCAP_CAP(ID_AA64ZFR0_EL1, F64MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF64MM),
+ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, SVEver, SVE2p1, CAP_HWCAP, KERNEL_HWCAP_SVE2P1),
+ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, SVEver, SVE2, CAP_HWCAP, KERNEL_HWCAP_SVE2),
+ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, AES, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEAES),
+ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, AES, PMULL128, CAP_HWCAP, KERNEL_HWCAP_SVEPMULL),
+ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, BitPerm, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBITPERM),
+ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVE_B16B16),
+ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, BF16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBF16),
+ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, BF16, EBF16, CAP_HWCAP, KERNEL_HWCAP_SVE_EBF16),
+ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, SHA3, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESHA3),
+ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, SM4, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESM4),
+ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, I8MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEI8MM),
+ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, F32MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF32MM),
+ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, F64MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF64MM),
#endif
#ifdef CONFIG_ARM64_GCS
HWCAP_CAP(ID_AA64PFR1_EL1, GCS, IMP, CAP_HWCAP, KERNEL_HWCAP_GCS),
--
2.39.2
3 months, 3 weeks
- 2
- 1
[PATCH AUTOSEL 5.4] nvmet: propagate npwg topology
by Sasha Levin
From: Luis Chamberlain <mcgrof(a)kernel.org>
[ Upstream commit b579d6fdc3a9149bb4d2b3133cc0767130ed13e6 ]
Ensure we propagate npwg to the target as well instead
of assuming its the same logical blocks per physical block.
This ensures devices with large IUs information properly
propagated on the target.
Signed-off-by: Luis Chamberlain <mcgrof(a)kernel.org>
Reviewed-by: Sagi Grimberg <sagi(a)grimberg.me>
Signed-off-by: Keith Busch <kbusch(a)kernel.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
drivers/nvme/target/io-cmd-bdev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/nvme/target/io-cmd-bdev.c b/drivers/nvme/target/io-cmd-bdev.c
index 32008d85172b..40afe3d0599d 100644
--- a/drivers/nvme/target/io-cmd-bdev.c
+++ b/drivers/nvme/target/io-cmd-bdev.c
@@ -36,7 +36,7 @@ void nvmet_bdev_set_limits(struct block_device *bdev, struct nvme_id_ns *id)
*/
id->nsfeat |= 1 << 4;
/* NPWG = Namespace Preferred Write Granularity. 0's based */
- id->npwg = lpp0b;
+ id->npwg = to0based(bdev_io_min(bdev) / bdev_logical_block_size(bdev));
/* NPWA = Namespace Preferred Write Alignment. 0's based */
id->npwa = id->npwg;
/* NPDG = Namespace Preferred Deallocate Granularity. 0's based */
--
2.39.5
3 months, 3 weeks
- 1
- 0
[PATCH AUTOSEL 5.10] nvmet: propagate npwg topology
by Sasha Levin
From: Luis Chamberlain <mcgrof(a)kernel.org>
[ Upstream commit b579d6fdc3a9149bb4d2b3133cc0767130ed13e6 ]
Ensure we propagate npwg to the target as well instead
of assuming its the same logical blocks per physical block.
This ensures devices with large IUs information properly
propagated on the target.
Signed-off-by: Luis Chamberlain <mcgrof(a)kernel.org>
Reviewed-by: Sagi Grimberg <sagi(a)grimberg.me>
Signed-off-by: Keith Busch <kbusch(a)kernel.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
drivers/nvme/target/io-cmd-bdev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/nvme/target/io-cmd-bdev.c b/drivers/nvme/target/io-cmd-bdev.c
index 6a9626ff0713..58dd91d2d71c 100644
--- a/drivers/nvme/target/io-cmd-bdev.c
+++ b/drivers/nvme/target/io-cmd-bdev.c
@@ -36,7 +36,7 @@ void nvmet_bdev_set_limits(struct block_device *bdev, struct nvme_id_ns *id)
*/
id->nsfeat |= 1 << 4;
/* NPWG = Namespace Preferred Write Granularity. 0's based */
- id->npwg = lpp0b;
+ id->npwg = to0based(bdev_io_min(bdev) / bdev_logical_block_size(bdev));
/* NPWA = Namespace Preferred Write Alignment. 0's based */
id->npwa = id->npwg;
/* NPDG = Namespace Preferred Deallocate Granularity. 0's based */
--
2.39.5
3 months, 3 weeks
- 1
- 0
[PATCH AUTOSEL 5.15] nvmet: propagate npwg topology
by Sasha Levin
From: Luis Chamberlain <mcgrof(a)kernel.org>
[ Upstream commit b579d6fdc3a9149bb4d2b3133cc0767130ed13e6 ]
Ensure we propagate npwg to the target as well instead
of assuming its the same logical blocks per physical block.
This ensures devices with large IUs information properly
propagated on the target.
Signed-off-by: Luis Chamberlain <mcgrof(a)kernel.org>
Reviewed-by: Sagi Grimberg <sagi(a)grimberg.me>
Signed-off-by: Keith Busch <kbusch(a)kernel.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
drivers/nvme/target/io-cmd-bdev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/nvme/target/io-cmd-bdev.c b/drivers/nvme/target/io-cmd-bdev.c
index 0fc2781ab970..58da949696c2 100644
--- a/drivers/nvme/target/io-cmd-bdev.c
+++ b/drivers/nvme/target/io-cmd-bdev.c
@@ -36,7 +36,7 @@ void nvmet_bdev_set_limits(struct block_device *bdev, struct nvme_id_ns *id)
*/
id->nsfeat |= 1 << 4;
/* NPWG = Namespace Preferred Write Granularity. 0's based */
- id->npwg = lpp0b;
+ id->npwg = to0based(bdev_io_min(bdev) / bdev_logical_block_size(bdev));
/* NPWA = Namespace Preferred Write Alignment. 0's based */
id->npwa = id->npwg;
/* NPDG = Namespace Preferred Deallocate Granularity. 0's based */
--
2.39.5
3 months, 3 weeks
- 1
- 0
[PATCH AUTOSEL 6.1] nvmet: propagate npwg topology
by Sasha Levin
From: Luis Chamberlain <mcgrof(a)kernel.org>
[ Upstream commit b579d6fdc3a9149bb4d2b3133cc0767130ed13e6 ]
Ensure we propagate npwg to the target as well instead
of assuming its the same logical blocks per physical block.
This ensures devices with large IUs information properly
propagated on the target.
Signed-off-by: Luis Chamberlain <mcgrof(a)kernel.org>
Reviewed-by: Sagi Grimberg <sagi(a)grimberg.me>
Signed-off-by: Keith Busch <kbusch(a)kernel.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
drivers/nvme/target/io-cmd-bdev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/nvme/target/io-cmd-bdev.c b/drivers/nvme/target/io-cmd-bdev.c
index c2d6cea0236b..ada58a4d0d0c 100644
--- a/drivers/nvme/target/io-cmd-bdev.c
+++ b/drivers/nvme/target/io-cmd-bdev.c
@@ -36,7 +36,7 @@ void nvmet_bdev_set_limits(struct block_device *bdev, struct nvme_id_ns *id)
*/
id->nsfeat |= 1 << 4;
/* NPWG = Namespace Preferred Write Granularity. 0's based */
- id->npwg = lpp0b;
+ id->npwg = to0based(bdev_io_min(bdev) / bdev_logical_block_size(bdev));
/* NPWA = Namespace Preferred Write Alignment. 0's based */
id->npwa = id->npwg;
/* NPDG = Namespace Preferred Deallocate Granularity. 0's based */
--
2.39.5
3 months, 3 weeks
- 1
- 0
[PATCH AUTOSEL 6.6 1/2] RDMA/bnxt_re: Fix to export port num to ib_query_qp
by Sasha Levin
From: Hongguang Gao <hongguang.gao(a)broadcom.com>
[ Upstream commit 34db8ec931b84d1426423f263b1927539e73b397 ]
Current driver implementation doesn't populate the port_num
field in query_qp. Adding the code to convert internal firmware
port id to ibv defined port number and export it.
Reviewed-by: Saravanan Vajravel <saravanan.vajravel(a)broadcom.com>
Reviewed-by: Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com>
Signed-off-by: Hongguang Gao <hongguang.gao(a)broadcom.com>
Signed-off-by: Selvin Xavier <selvin.xavier(a)broadcom.com>
Link: https://patch.msgid.link/20241211083931.968831-5-kalesh-anakkur.purayil@bro…
Signed-off-by: Leon Romanovsky <leon(a)kernel.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
drivers/infiniband/hw/bnxt_re/ib_verbs.c | 1 +
drivers/infiniband/hw/bnxt_re/ib_verbs.h | 4 ++++
drivers/infiniband/hw/bnxt_re/qplib_fp.c | 1 +
drivers/infiniband/hw/bnxt_re/qplib_fp.h | 1 +
4 files changed, 7 insertions(+)
diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
index df5897260601..5f6b1d7278da 100644
--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
@@ -2214,6 +2214,7 @@ int bnxt_re_query_qp(struct ib_qp *ib_qp, struct ib_qp_attr *qp_attr,
qp_attr->retry_cnt = qplib_qp->retry_cnt;
qp_attr->rnr_retry = qplib_qp->rnr_retry;
qp_attr->min_rnr_timer = qplib_qp->min_rnr_timer;
+ qp_attr->port_num = __to_ib_port_num(qplib_qp->port_id);
qp_attr->rq_psn = qplib_qp->rq.psn;
qp_attr->max_rd_atomic = qplib_qp->max_rd_atomic;
qp_attr->sq_psn = qplib_qp->sq.psn;
diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.h b/drivers/infiniband/hw/bnxt_re/ib_verbs.h
index 98baea98fc17..ef910e6e2ccb 100644
--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.h
+++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.h
@@ -245,6 +245,10 @@ void bnxt_re_dealloc_ucontext(struct ib_ucontext *context);
int bnxt_re_mmap(struct ib_ucontext *context, struct vm_area_struct *vma);
void bnxt_re_mmap_free(struct rdma_user_mmap_entry *rdma_entry);
+static inline u32 __to_ib_port_num(u16 port_id)
+{
+ return (u32)port_id + 1;
+}
unsigned long bnxt_re_lock_cqs(struct bnxt_re_qp *qp);
void bnxt_re_unlock_cqs(struct bnxt_re_qp *qp, unsigned long flags);
diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
index b624c255eee6..00df8360dcd8 100644
--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
@@ -1451,6 +1451,7 @@ int bnxt_qplib_query_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp)
qp->dest_qpn = le32_to_cpu(sb->dest_qp_id);
memcpy(qp->smac, sb->src_mac, 6);
qp->vlan_id = le16_to_cpu(sb->vlan_pcp_vlan_dei_vlan_id);
+ qp->port_id = le16_to_cpu(sb->port_id);
bail:
dma_free_coherent(&rcfw->pdev->dev, sbuf.size,
sbuf.sb, sbuf.dma_addr);
diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.h b/drivers/infiniband/hw/bnxt_re/qplib_fp.h
index 5d4c49089a20..0e0df5083ed3 100644
--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.h
+++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.h
@@ -297,6 +297,7 @@ struct bnxt_qplib_qp {
u32 dest_qpn;
u8 smac[6];
u16 vlan_id;
+ u16 port_id;
u8 nw_type;
struct bnxt_qplib_ah ah;
--
2.39.5
3 months, 3 weeks
- 1
- 1
[PATCH AUTOSEL 6.12 1/8] selftests/sched_ext: fix build after renames in sched_ext API
by Sasha Levin
From: Ihor Solodrai <ihor.solodrai(a)pm.me>
[ Upstream commit ef7009decc30eb2515a64253791d61b72229c119 ]
The selftests are falining to build on current tip of bpf-next and
sched_ext [1]. This has broken BPF CI [2] after merge from upstream.
Use appropriate function names in the selftests according to the
recent changes in the sched_ext API [3].
[1] https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/commit/?id…
[2] https://github.com/kernel-patches/bpf/actions/runs/11959327258/job/33340923…
[3] https://lore.kernel.org/all/20241109194853.580310-1-tj@kernel.org/
Signed-off-by: Ihor Solodrai <ihor.solodrai(a)pm.me>
Acked-by: Andrea Righi <arighi(a)nvidia.com>
Acked-by: David Vernet <void(a)manifault.com>
Signed-off-by: Tejun Heo <tj(a)kernel.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
.../testing/selftests/sched_ext/ddsp_bogus_dsq_fail.bpf.c | 2 +-
.../selftests/sched_ext/ddsp_vtimelocal_fail.bpf.c | 4 ++--
tools/testing/selftests/sched_ext/dsp_local_on.bpf.c | 2 +-
.../selftests/sched_ext/enq_select_cpu_fails.bpf.c | 2 +-
tools/testing/selftests/sched_ext/exit.bpf.c | 4 ++--
tools/testing/selftests/sched_ext/maximal.bpf.c | 4 ++--
tools/testing/selftests/sched_ext/select_cpu_dfl.bpf.c | 2 +-
.../selftests/sched_ext/select_cpu_dfl_nodispatch.bpf.c | 2 +-
.../testing/selftests/sched_ext/select_cpu_dispatch.bpf.c | 2 +-
.../selftests/sched_ext/select_cpu_dispatch_bad_dsq.bpf.c | 2 +-
.../selftests/sched_ext/select_cpu_dispatch_dbl_dsp.bpf.c | 4 ++--
tools/testing/selftests/sched_ext/select_cpu_vtime.bpf.c | 8 ++++----
12 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/tools/testing/selftests/sched_ext/ddsp_bogus_dsq_fail.bpf.c b/tools/testing/selftests/sched_ext/ddsp_bogus_dsq_fail.bpf.c
index 37d9bf6fb745..6f4c3f5a1c5d 100644
--- a/tools/testing/selftests/sched_ext/ddsp_bogus_dsq_fail.bpf.c
+++ b/tools/testing/selftests/sched_ext/ddsp_bogus_dsq_fail.bpf.c
@@ -20,7 +20,7 @@ s32 BPF_STRUCT_OPS(ddsp_bogus_dsq_fail_select_cpu, struct task_struct *p,
* If we dispatch to a bogus DSQ that will fall back to the
* builtin global DSQ, we fail gracefully.
*/
- scx_bpf_dispatch_vtime(p, 0xcafef00d, SCX_SLICE_DFL,
+ scx_bpf_dsq_insert_vtime(p, 0xcafef00d, SCX_SLICE_DFL,
p->scx.dsq_vtime, 0);
return cpu;
}
diff --git a/tools/testing/selftests/sched_ext/ddsp_vtimelocal_fail.bpf.c b/tools/testing/selftests/sched_ext/ddsp_vtimelocal_fail.bpf.c
index dffc97d9cdf1..e4a55027778f 100644
--- a/tools/testing/selftests/sched_ext/ddsp_vtimelocal_fail.bpf.c
+++ b/tools/testing/selftests/sched_ext/ddsp_vtimelocal_fail.bpf.c
@@ -17,8 +17,8 @@ s32 BPF_STRUCT_OPS(ddsp_vtimelocal_fail_select_cpu, struct task_struct *p,
if (cpu >= 0) {
/* Shouldn't be allowed to vtime dispatch to a builtin DSQ. */
- scx_bpf_dispatch_vtime(p, SCX_DSQ_LOCAL, SCX_SLICE_DFL,
- p->scx.dsq_vtime, 0);
+ scx_bpf_dsq_insert_vtime(p, SCX_DSQ_LOCAL, SCX_SLICE_DFL,
+ p->scx.dsq_vtime, 0);
return cpu;
}
diff --git a/tools/testing/selftests/sched_ext/dsp_local_on.bpf.c b/tools/testing/selftests/sched_ext/dsp_local_on.bpf.c
index 6a7db1502c29..6325bf76f47e 100644
--- a/tools/testing/selftests/sched_ext/dsp_local_on.bpf.c
+++ b/tools/testing/selftests/sched_ext/dsp_local_on.bpf.c
@@ -45,7 +45,7 @@ void BPF_STRUCT_OPS(dsp_local_on_dispatch, s32 cpu, struct task_struct *prev)
target = bpf_get_prandom_u32() % nr_cpus;
- scx_bpf_dispatch(p, SCX_DSQ_LOCAL_ON | target, SCX_SLICE_DFL, 0);
+ scx_bpf_dsq_insert(p, SCX_DSQ_LOCAL_ON | target, SCX_SLICE_DFL, 0);
bpf_task_release(p);
}
diff --git a/tools/testing/selftests/sched_ext/enq_select_cpu_fails.bpf.c b/tools/testing/selftests/sched_ext/enq_select_cpu_fails.bpf.c
index 1efb50d61040..a7cf868d5e31 100644
--- a/tools/testing/selftests/sched_ext/enq_select_cpu_fails.bpf.c
+++ b/tools/testing/selftests/sched_ext/enq_select_cpu_fails.bpf.c
@@ -31,7 +31,7 @@ void BPF_STRUCT_OPS(enq_select_cpu_fails_enqueue, struct task_struct *p,
/* Can only call from ops.select_cpu() */
scx_bpf_select_cpu_dfl(p, 0, 0, &found);
- scx_bpf_dispatch(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, enq_flags);
+ scx_bpf_dsq_insert(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, enq_flags);
}
SEC(".struct_ops.link")
diff --git a/tools/testing/selftests/sched_ext/exit.bpf.c b/tools/testing/selftests/sched_ext/exit.bpf.c
index d75d4faf07f6..4bc36182d3ff 100644
--- a/tools/testing/selftests/sched_ext/exit.bpf.c
+++ b/tools/testing/selftests/sched_ext/exit.bpf.c
@@ -33,7 +33,7 @@ void BPF_STRUCT_OPS(exit_enqueue, struct task_struct *p, u64 enq_flags)
if (exit_point == EXIT_ENQUEUE)
EXIT_CLEANLY();
- scx_bpf_dispatch(p, DSQ_ID, SCX_SLICE_DFL, enq_flags);
+ scx_bpf_dsq_insert(p, DSQ_ID, SCX_SLICE_DFL, enq_flags);
}
void BPF_STRUCT_OPS(exit_dispatch, s32 cpu, struct task_struct *p)
@@ -41,7 +41,7 @@ void BPF_STRUCT_OPS(exit_dispatch, s32 cpu, struct task_struct *p)
if (exit_point == EXIT_DISPATCH)
EXIT_CLEANLY();
- scx_bpf_consume(DSQ_ID);
+ scx_bpf_dsq_move_to_local(DSQ_ID);
}
void BPF_STRUCT_OPS(exit_enable, struct task_struct *p)
diff --git a/tools/testing/selftests/sched_ext/maximal.bpf.c b/tools/testing/selftests/sched_ext/maximal.bpf.c
index 4d4cd8d966db..4c005fa71810 100644
--- a/tools/testing/selftests/sched_ext/maximal.bpf.c
+++ b/tools/testing/selftests/sched_ext/maximal.bpf.c
@@ -20,7 +20,7 @@ s32 BPF_STRUCT_OPS(maximal_select_cpu, struct task_struct *p, s32 prev_cpu,
void BPF_STRUCT_OPS(maximal_enqueue, struct task_struct *p, u64 enq_flags)
{
- scx_bpf_dispatch(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, enq_flags);
+ scx_bpf_dsq_insert(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, enq_flags);
}
void BPF_STRUCT_OPS(maximal_dequeue, struct task_struct *p, u64 deq_flags)
@@ -28,7 +28,7 @@ void BPF_STRUCT_OPS(maximal_dequeue, struct task_struct *p, u64 deq_flags)
void BPF_STRUCT_OPS(maximal_dispatch, s32 cpu, struct task_struct *prev)
{
- scx_bpf_consume(SCX_DSQ_GLOBAL);
+ scx_bpf_dsq_move_to_local(SCX_DSQ_GLOBAL);
}
void BPF_STRUCT_OPS(maximal_runnable, struct task_struct *p, u64 enq_flags)
diff --git a/tools/testing/selftests/sched_ext/select_cpu_dfl.bpf.c b/tools/testing/selftests/sched_ext/select_cpu_dfl.bpf.c
index f171ac470970..13d0f5be788d 100644
--- a/tools/testing/selftests/sched_ext/select_cpu_dfl.bpf.c
+++ b/tools/testing/selftests/sched_ext/select_cpu_dfl.bpf.c
@@ -30,7 +30,7 @@ void BPF_STRUCT_OPS(select_cpu_dfl_enqueue, struct task_struct *p,
}
scx_bpf_put_idle_cpumask(idle_mask);
- scx_bpf_dispatch(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, enq_flags);
+ scx_bpf_dsq_insert(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, enq_flags);
}
SEC(".struct_ops.link")
diff --git a/tools/testing/selftests/sched_ext/select_cpu_dfl_nodispatch.bpf.c b/tools/testing/selftests/sched_ext/select_cpu_dfl_nodispatch.bpf.c
index 9efdbb7da928..815f1d5d61ac 100644
--- a/tools/testing/selftests/sched_ext/select_cpu_dfl_nodispatch.bpf.c
+++ b/tools/testing/selftests/sched_ext/select_cpu_dfl_nodispatch.bpf.c
@@ -67,7 +67,7 @@ void BPF_STRUCT_OPS(select_cpu_dfl_nodispatch_enqueue, struct task_struct *p,
saw_local = true;
}
- scx_bpf_dispatch(p, dsq_id, SCX_SLICE_DFL, enq_flags);
+ scx_bpf_dsq_insert(p, dsq_id, SCX_SLICE_DFL, enq_flags);
}
s32 BPF_STRUCT_OPS(select_cpu_dfl_nodispatch_init_task,
diff --git a/tools/testing/selftests/sched_ext/select_cpu_dispatch.bpf.c b/tools/testing/selftests/sched_ext/select_cpu_dispatch.bpf.c
index 59bfc4f36167..4bb99699e920 100644
--- a/tools/testing/selftests/sched_ext/select_cpu_dispatch.bpf.c
+++ b/tools/testing/selftests/sched_ext/select_cpu_dispatch.bpf.c
@@ -29,7 +29,7 @@ s32 BPF_STRUCT_OPS(select_cpu_dispatch_select_cpu, struct task_struct *p,
cpu = prev_cpu;
dispatch:
- scx_bpf_dispatch(p, dsq_id, SCX_SLICE_DFL, 0);
+ scx_bpf_dsq_insert(p, dsq_id, SCX_SLICE_DFL, 0);
return cpu;
}
diff --git a/tools/testing/selftests/sched_ext/select_cpu_dispatch_bad_dsq.bpf.c b/tools/testing/selftests/sched_ext/select_cpu_dispatch_bad_dsq.bpf.c
index 3bbd5fcdfb18..2a75de11b2cf 100644
--- a/tools/testing/selftests/sched_ext/select_cpu_dispatch_bad_dsq.bpf.c
+++ b/tools/testing/selftests/sched_ext/select_cpu_dispatch_bad_dsq.bpf.c
@@ -18,7 +18,7 @@ s32 BPF_STRUCT_OPS(select_cpu_dispatch_bad_dsq_select_cpu, struct task_struct *p
s32 prev_cpu, u64 wake_flags)
{
/* Dispatching to a random DSQ should fail. */
- scx_bpf_dispatch(p, 0xcafef00d, SCX_SLICE_DFL, 0);
+ scx_bpf_dsq_insert(p, 0xcafef00d, SCX_SLICE_DFL, 0);
return prev_cpu;
}
diff --git a/tools/testing/selftests/sched_ext/select_cpu_dispatch_dbl_dsp.bpf.c b/tools/testing/selftests/sched_ext/select_cpu_dispatch_dbl_dsp.bpf.c
index 0fda57fe0ecf..99d075695c97 100644
--- a/tools/testing/selftests/sched_ext/select_cpu_dispatch_dbl_dsp.bpf.c
+++ b/tools/testing/selftests/sched_ext/select_cpu_dispatch_dbl_dsp.bpf.c
@@ -18,8 +18,8 @@ s32 BPF_STRUCT_OPS(select_cpu_dispatch_dbl_dsp_select_cpu, struct task_struct *p
s32 prev_cpu, u64 wake_flags)
{
/* Dispatching twice in a row is disallowed. */
- scx_bpf_dispatch(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, 0);
- scx_bpf_dispatch(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, 0);
+ scx_bpf_dsq_insert(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, 0);
+ scx_bpf_dsq_insert(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, 0);
return prev_cpu;
}
diff --git a/tools/testing/selftests/sched_ext/select_cpu_vtime.bpf.c b/tools/testing/selftests/sched_ext/select_cpu_vtime.bpf.c
index e6c67bcf5e6e..bfcb96cd4954 100644
--- a/tools/testing/selftests/sched_ext/select_cpu_vtime.bpf.c
+++ b/tools/testing/selftests/sched_ext/select_cpu_vtime.bpf.c
@@ -2,8 +2,8 @@
/*
* A scheduler that validates that enqueue flags are properly stored and
* applied at dispatch time when a task is directly dispatched from
- * ops.select_cpu(). We validate this by using scx_bpf_dispatch_vtime(), and
- * making the test a very basic vtime scheduler.
+ * ops.select_cpu(). We validate this by using scx_bpf_dsq_insert_vtime(),
+ * and making the test a very basic vtime scheduler.
*
* Copyright (c) 2024 Meta Platforms, Inc. and affiliates.
* Copyright (c) 2024 David Vernet <dvernet(a)meta.com>
@@ -47,13 +47,13 @@ s32 BPF_STRUCT_OPS(select_cpu_vtime_select_cpu, struct task_struct *p,
cpu = prev_cpu;
scx_bpf_test_and_clear_cpu_idle(cpu);
ddsp:
- scx_bpf_dispatch_vtime(p, VTIME_DSQ, SCX_SLICE_DFL, task_vtime(p), 0);
+ scx_bpf_dsq_insert_vtime(p, VTIME_DSQ, SCX_SLICE_DFL, task_vtime(p), 0);
return cpu;
}
void BPF_STRUCT_OPS(select_cpu_vtime_dispatch, s32 cpu, struct task_struct *p)
{
- if (scx_bpf_consume(VTIME_DSQ))
+ if (scx_bpf_dsq_move_to_local(VTIME_DSQ))
consumed = true;
}
--
2.39.5
3 months, 3 weeks
- 1
- 7
[PATCH resubmit v2] spi: atmel-qspi: Memory barriers after memory-mapped I/O
by Bence Csókás
The QSPI peripheral control and status registers are
accessible via the SoC's APB bus, whereas MMIO transactions'
data travels on the AHB bus.
Microchip documentation and even sample code from Atmel
emphasises the need for a memory barrier before the first
MMIO transaction to the AHB-connected QSPI, and before the
last write to its registers via APB. This is achieved by
the following lines in `atmel_qspi_transfer()`:
/* Dummy read of QSPI_IFR to synchronize APB and AHB accesses */
(void)atmel_qspi_read(aq, QSPI_IFR);
However, the current documentation makes no mention to
synchronization requirements in the other direction, i.e.
after the last data written via AHB, and before the first
register access on APB.
In our case, we were facing an issue where the QSPI peripheral
would cease to send any new CSR (nCS Rise) interrupts,
leading to a timeout in `atmel_qspi_wait_for_completion()`
and ultimately this panic in higher levels:
ubi0 error: ubi_io_write: error -110 while writing 63108 bytes
to PEB 491:128, written 63104 bytes
After months of extensive research of the codebase, fiddling
around the debugger with kgdb, and back-and-forth with
Microchip, we came to the conclusion that the issue is
probably that the peripheral is still busy receiving on AHB
when the LASTXFER bit is written to its Control Register
on APB, therefore this write gets lost, and the peripheral
still thinks there is more data to come in the MMIO transfer.
This was first formulated when we noticed that doubling the
write() of QSPI_CR_LASTXFER seemed to solve the problem.
Ultimately, the solution is to introduce memory barriers
after the AHB-mapped MMIO transfers, to ensure ordering.
Fixes: d5433def3153 ("mtd: spi-nor: atmel-quadspi: Add spi-mem support to atmel-quadspi")
Cc: Hari.PrasathGE(a)microchip.com
Cc: Mahesh.Abotula(a)microchip.com
Cc: Marco.Cardellini(a)microchip.com
Cc: <stable(a)vger.kernel.org> # c0a0203cf579: ("spi: atmel-quadspi: Create `atmel_qspi_ops`"...)
Cc: <stable(a)vger.kernel.org> # 6.x.y
Signed-off-by: Bence Csókás <csokas.bence(a)prolan.hu>
---
Notes:
Changes in v2:
* dropping --- from commit msg
Resubmit: rebased on current spi-next
drivers/spi/atmel-quadspi.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/spi/atmel-quadspi.c b/drivers/spi/atmel-quadspi.c
index f46da363574f..8fdc9d27a95e 100644
--- a/drivers/spi/atmel-quadspi.c
+++ b/drivers/spi/atmel-quadspi.c
@@ -661,13 +661,20 @@ static int atmel_qspi_transfer(struct spi_mem *mem,
(void)atmel_qspi_read(aq, QSPI_IFR);
/* Send/Receive data */
- if (op->data.dir == SPI_MEM_DATA_IN)
+ if (op->data.dir == SPI_MEM_DATA_IN) {
memcpy_fromio(op->data.buf.in, aq->mem + offset,
op->data.nbytes);
- else
+
+ /* Synchronize AHB and APB accesses again */
+ rmb();
+ } else {
memcpy_toio(aq->mem + offset, op->data.buf.out,
op->data.nbytes);
+ /* Synchronize AHB and APB accesses again */
+ wmb();
+ }
+
/* Release the chip-select */
atmel_qspi_write(QSPI_CR_LASTXFER, aq, QSPI_CR);
--
2.34.1
3 months, 3 weeks
- 1
- 0
[PATCH 0/5] clk: Fix simple video pipelines on i.MX8
by Miquel Raynal
Recent changes in the clock tree have set CLK_SET_RATE_PARENT to the two
LCDIF pixel clocks. The idea is, instead of using assigned-clock
properties to set upstream PLL rates to high frequencies and hoping that
a single divisor (namely media_disp[12]_pix) will be close enough in
most cases, we should tell the clock core to use the PLL to properly
derive an accurate pixel clock rate in the first place. Here is the
situation.
[Before ff06ea04e4cf ("clk: imx: clk-imx8mp: Allow media_disp pixel clock reconfigure parent rate")]
Before setting CLK_SET_RATE_PARENT to the media_disp[12]_pix clocks, the sequence of events was:
- PLL is assigned to a high rate,
- media_disp[12]_pix is set to approximately freq A by using a single divisor,
- media_ldb is set to approximately freq 7*A by using another single divisor.
=> The display was working, but the pixel clock was inaccurate.
[After ff06ea04e4cf ("clk: imx: clk-imx8mp: Allow media_disp pixel clock reconfigure parent rate")]
After setting CLK_SET_RATE_PARENT to the media_disp[12]_pix clocks, the
sequence of events became:
- media_disp[12]_pix is set to freq A by using a divisor of 1 and
setting video_pll1 to freq A.
- media_ldb is trying to compute its divisor to set freq 7*A, but the
upstream PLL is to low, it does not recompute it, so it ends up
setting a divisor of 1 and being at freq A instead of 7*A.
=> The display is sadly no longer working
[After applying PATCH "clk: imx: clk-imx8mp: Allow LDB serializer clock reconfigure parent rate"]
This is a commit from Marek, which is, I believe going in the right
direction, so I am including it. Just with this change, the situation is
slightly different, but the result is the same:
- media_disp[12]_pix is set to freq A by using a divisor of 1 and
setting video_pll1 to freq A.
- media_ldb is set to 7*A by using a divisor of 1 and setting video_pll1
to freq 7*A.
/!\ This as the side effect of changing media_disp[12]_pix from freq A
to freq 7*A.
=> The display is still not working
[After applying this series]
The goal of the following patches is to prevent clock subtree walks to
"just recalculate" the pixel clocks, ignoring the fact that they should
no longer change. They should adapt their divisors to the new upstream
rates instead. As a result, the display pipeline is working again.
Note: if more than one display is connected, we need the LDB driver to
act accordingly, thus the LDB driver must be adapted. Also, if accurate
pixel clocks are not possible with two different displays, we will still
need (at least for now) to make sure one of them is reparented to
another PLL, like the audio PLL (but audio PLL are of a different kind,
and are slightly less accurate).
So this series aims at fixing the i.MX8MP display pipeline for simple
setups. Said otherwise, returning to the same level of support as
before, but with (hopefully) more accurate frequencies. I believe this
approach manages to fix both Marek situation and all people using a
straightforward LCD based setup. For more complex setups, we need more
smartness from DRM and clk, but this is gonna take a bit of time.
---
Marek Vasut (1):
clk: imx: clk-imx8mp: Allow LDB serializer clock reconfigure parent rate
Miquel Raynal (4):
clk: Add a helper to determine a clock rate
clk: Split clk_calc_subtree()
clk: Add flag to prevent frequency changes when walking subtrees
clk: imx: imx8mp: Prevent media clocks to be incompatibly changed
drivers/clk/clk.c | 39 ++++++++++++++++++++++++++++++++-------
drivers/clk/imx/clk-imx8mp.c | 6 +++---
include/linux/clk-provider.h | 2 ++
3 files changed, 37 insertions(+), 10 deletions(-)
---
base-commit: 62facaf164585923d081eedcb6871f4ff3c2e953
change-id: 20241121-ge-ian-debug-imx8-clk-tree-bd325aa866f1
Best regards,
--
Miquel Raynal <miquel.raynal(a)bootlin.com>
3 months, 3 weeks
- 3
- 9
Re: Patch "watchdog: s3c2410_wdt: use exynos_get_pmu_regmap_by_phandle() for PMU regs" has been added to the 6.6-stable tree
by Peter Griffin
Hi Sasha,
+ cc stable(a)vger.kernel.org
On Fri, 3 Jan 2025 at 00:45, Sasha Levin <sashal(a)kernel.org> wrote:
>
> This is a note to let you know that I've just added the patch titled
>
> watchdog: s3c2410_wdt: use exynos_get_pmu_regmap_by_phandle() for PMU regs
>
> to the 6.6-stable tree which can be found at:
> http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
>
> The filename of the patch is:
> watchdog-s3c2410_wdt-use-exynos_get_pmu_regmap_by_ph.patch
> and it can be found in the queue-6.6 subdirectory.
>
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable(a)vger.kernel.org> know about it.
It doesn't make sense (to me at least) to add this patch and then also
add the revert of it to v6.6 stable tree, as it becomes a no-op. The
only reason I can think of is it somehow helps with your automated
tooling?
Additionally the hardware (Pixel 6 & gs101 SoC ) which these patches
and APIs were added for wasn't merged until v6.8. The revert is also
only applicable if the kernel has the corresponding enhancements made
to syscon driver to register custom regmaps. See 769cb63166d9 ("mfd:
syscon: Add of_syscon_register_regmap() API")
Thanks,
Peter
3 months, 3 weeks
- 2
- 3
Re: Patch "vmstat: disable vmstat_work on vmstat_cpu_down_prep()" has been added to the 6.12-stable tree
by Koichiro Den
On Mon, Jan 06, 2025 at 11:41:20AM +0100, gregkh(a)linuxfoundation.org wrote:
>
> This is a note to let you know that I've just added the patch titled
>
> vmstat: disable vmstat_work on vmstat_cpu_down_prep()
>
> to the 6.12-stable tree which can be found at:
> http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
>
> The filename of the patch is:
> vmstat-disable-vmstat_work-on-vmstat_cpu_down_prep.patch
> and it can be found in the queue-6.12 subdirectory.
>
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable(a)vger.kernel.org> know about it.
Hi, could you hold off on adding this for now? It's broken [1] and needs to
be fixed. Once a follow-up fix is ready, I'll make sure to notify you.
[1] https://lore.kernel.org/linux-mm/7ed97096-859e-46d0-8f27-16a2298a8914@lucif…
Thanks.
-Koichiro Den
>
>
> From adcfb264c3ed51fbbf5068ddf10d309a63683868 Mon Sep 17 00:00:00 2001
> From: Koichiro Den <koichiro.den(a)canonical.com>
> Date: Sat, 21 Dec 2024 12:33:20 +0900
> Subject: vmstat: disable vmstat_work on vmstat_cpu_down_prep()
>
> From: Koichiro Den <koichiro.den(a)canonical.com>
>
> commit adcfb264c3ed51fbbf5068ddf10d309a63683868 upstream.
>
> Even after mm/vmstat:online teardown, shepherd may still queue work for
> the dying cpu until the cpu is removed from online mask. While it's quite
> rare, this means that after unbind_workers() unbinds a per-cpu kworker, it
> potentially runs vmstat_update for the dying CPU on an irrelevant cpu
> before entering atomic AP states. When CONFIG_DEBUG_PREEMPT=y, it results
> in the following error with the backtrace.
>
> BUG: using smp_processor_id() in preemptible [00000000] code: \
> kworker/7:3/1702
> caller is refresh_cpu_vm_stats+0x235/0x5f0
> CPU: 0 UID: 0 PID: 1702 Comm: kworker/7:3 Tainted: G
> Tainted: [N]=TEST
> Workqueue: mm_percpu_wq vmstat_update
> Call Trace:
> <TASK>
> dump_stack_lvl+0x8d/0xb0
> check_preemption_disabled+0xce/0xe0
> refresh_cpu_vm_stats+0x235/0x5f0
> vmstat_update+0x17/0xa0
> process_one_work+0x869/0x1aa0
> worker_thread+0x5e5/0x1100
> kthread+0x29e/0x380
> ret_from_fork+0x2d/0x70
> ret_from_fork_asm+0x1a/0x30
> </TASK>
>
> So, for mm/vmstat:online, disable vmstat_work reliably on teardown and
> symmetrically enable it on startup.
>
> Link: https://lkml.kernel.org/r/20241221033321.4154409-1-koichiro.den@canonical.c…
> Signed-off-by: Koichiro Den <koichiro.den(a)canonical.com>
> Cc: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de>
> Cc: <stable(a)vger.kernel.org>
> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
> ---
> mm/vmstat.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> --- a/mm/vmstat.c
> +++ b/mm/vmstat.c
> @@ -2139,13 +2139,14 @@ static int vmstat_cpu_online(unsigned in
> if (!node_state(cpu_to_node(cpu), N_CPU)) {
> node_set_state(cpu_to_node(cpu), N_CPU);
> }
> + enable_delayed_work(&per_cpu(vmstat_work, cpu));
>
> return 0;
> }
>
> static int vmstat_cpu_down_prep(unsigned int cpu)
> {
> - cancel_delayed_work_sync(&per_cpu(vmstat_work, cpu));
> + disable_delayed_work_sync(&per_cpu(vmstat_work, cpu));
> return 0;
> }
>
>
>
> Patches currently in stable-queue which might be from koichiro.den(a)canonical.com are
>
> queue-6.12/vmstat-disable-vmstat_work-on-vmstat_cpu_down_prep.patch
3 months, 3 weeks
- 2
- 1
[PATCHv3 1/2] media: venus: destroy hfi session after m2m_ctx release
by Sergey Senozhatsky
This partially reverts commit that made hfi_session_destroy()
the first step of vdec/venc close(). The reason being is a
regression report when, supposedly, encode/decoder is closed
with still active streaming (no ->stop_streaming() call before
close()) and pending pkts, so isr_thread cannot find instance
and fails to process those pending pkts. This was the idea
behind the original patch - make it impossible to use instance
under destruction, because this is racy, but apparently there
are uses cases that depend on that unsafe pattern. Return to
the old (unsafe) behaviour for the time being (until a better
fix is found).
Fixes: 45b1a1b348ec1 ("media: venus: sync with threaded IRQ during inst destruction")
Cc: stable(a)vger.kernel.org
Reported-by: Nathan Hebert <nhebert(a)google.com>
Signed-off-by: Sergey Senozhatsky <senozhatsky(a)chromium.org>
---
drivers/media/platform/qcom/venus/core.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/drivers/media/platform/qcom/venus/core.c b/drivers/media/platform/qcom/venus/core.c
index 2d27c5167246..807487a1f536 100644
--- a/drivers/media/platform/qcom/venus/core.c
+++ b/drivers/media/platform/qcom/venus/core.c
@@ -506,18 +506,14 @@ static __maybe_unused int venus_runtime_suspend(struct device *dev)
void venus_close_common(struct venus_inst *inst)
{
/*
- * First, remove the inst from the ->instances list, so that
- * to_instance() will return NULL.
- */
- hfi_session_destroy(inst);
- /*
- * Second, make sure we don't have IRQ/IRQ-thread currently running
+ * Make sure we don't have IRQ/IRQ-thread currently running
* or pending execution, which would race with the inst destruction.
*/
synchronize_irq(inst->core->irq);
v4l2_m2m_ctx_release(inst->m2m_ctx);
v4l2_m2m_release(inst->m2m_dev);
+ hfi_session_destroy(inst);
v4l2_fh_del(&inst->fh);
v4l2_fh_exit(&inst->fh);
v4l2_ctrl_handler_free(&inst->ctrl_handler);
--
2.47.1.613.gc27f4b7a9f-goog
3 months, 3 weeks
- 2
- 2
[PATCH] ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[]
by Gustavo Azor
Estimated people:
Seems to me, I browse drivers/acpi/resources.c: the patch was not included in kernel versions stable 6.12.7 or long term 6.6.68.
I hope will be include in mainline 6.13.-rc5 to inform if work in the ASUS Vivobook 15 X1504VAP_X1504VA keyboard.
I have not idea how work with git diff or compiling kernels to try the patch, and need to try in installed kernel.
Thanks.Regards.
Sent: Friday, December 20, 2024 at 8:23 PM
From: bugzilla-daemon(a)kernel.org
To: gazo11(a)mail.com
Subject: [Bug 219224] Laptop Internal Keyboard not working on ASUS VivoBook E1404GA on ubuntu 24.04.
https://bugzilla.kernel.org/show_bug.cgi?id=219224
--- Comment #11 from Hans de Goede (jwrdegoede(a)fedoraproject.org) ---
(In reply to gazo11 from comment #10)
> Hello I have the same problem for dmidecode:
>
>
> System Information
> Manufacturer: ASUSTeK COMPUTER INC.
> Product Name: ASUS Vivobook 15 X1504VAP_X1504VA
> Version: 1.0
> Serial Number: S1N0CV02L86302G
> UUID: cdc508f0-d3f1-f743-bce4-5eb9d4c06fda
> Wake-up Type: Power Switch
> SKU Number:
> Family: ASUS Vivobook 15
>
> Its possible to get this model listed in future kernels? Thanks!
Thank you for reporting this, I've submitted a patch to add this to the
irq1_level_low_skip_override[] list:
https://lore.kernel.org/linux-acpi/20241220181352.25974-1-hdegoede@redhat.c…
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are on the CC list for the bug.
3 months, 3 weeks
- 2
- 1
FAILED: patch "[PATCH] mptcp: fix TCP options overflow." failed to apply to 5.15-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 5.15-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y
git checkout FETCH_HEAD
git cherry-pick -x cbb26f7d8451fe56ccac802c6db48d16240feebd
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010636-stereo-friend-8023@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From cbb26f7d8451fe56ccac802c6db48d16240feebd Mon Sep 17 00:00:00 2001
From: Paolo Abeni <pabeni(a)redhat.com>
Date: Sat, 21 Dec 2024 09:51:46 +0100
Subject: [PATCH] mptcp: fix TCP options overflow.
Syzbot reported the following splat:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 UID: 0 PID: 5836 Comm: sshd Not tainted 6.13.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
RIP: 0010:_compound_head include/linux/page-flags.h:242 [inline]
RIP: 0010:put_page+0x23/0x260 include/linux/mm.h:1552
Code: 90 90 90 90 90 90 90 55 41 57 41 56 53 49 89 fe 48 bd 00 00 00 00 00 fc ff df e8 f8 5e 12 f8 49 8d 5e 08 48 89 d8 48 c1 e8 03 <80> 3c 28 00 74 08 48 89 df e8 8f c7 78 f8 48 8b 1b 48 89 de 48 83
RSP: 0000:ffffc90003916c90 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff888030458000
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
RBP: dffffc0000000000 R08: ffffffff898ca81d R09: 1ffff110054414ac
R10: dffffc0000000000 R11: ffffed10054414ad R12: 0000000000000007
R13: ffff88802a20a542 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f34f496e800(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9d6ec9ec28 CR3: 000000004d260000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
skb_page_unref include/linux/skbuff_ref.h:43 [inline]
__skb_frag_unref include/linux/skbuff_ref.h:56 [inline]
skb_release_data+0x483/0x8a0 net/core/skbuff.c:1119
skb_release_all net/core/skbuff.c:1190 [inline]
__kfree_skb+0x55/0x70 net/core/skbuff.c:1204
tcp_clean_rtx_queue net/ipv4/tcp_input.c:3436 [inline]
tcp_ack+0x2442/0x6bc0 net/ipv4/tcp_input.c:4032
tcp_rcv_state_process+0x8eb/0x44e0 net/ipv4/tcp_input.c:6805
tcp_v4_do_rcv+0x77d/0xc70 net/ipv4/tcp_ipv4.c:1939
tcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2351
ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233
NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314
NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314
__netif_receive_skb_one_core net/core/dev.c:5672 [inline]
__netif_receive_skb+0x2bf/0x650 net/core/dev.c:5785
process_backlog+0x662/0x15b0 net/core/dev.c:6117
__napi_poll+0xcb/0x490 net/core/dev.c:6883
napi_poll net/core/dev.c:6952 [inline]
net_rx_action+0x89b/0x1240 net/core/dev.c:7074
handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561
__do_softirq kernel/softirq.c:595 [inline]
invoke_softirq kernel/softirq.c:435 [inline]
__irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662
irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
sysvec_apic_timer_interrupt+0x57/0xc0 arch/x86/kernel/apic/apic.c:1049
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0033:0x7f34f4519ad5
Code: 85 d2 74 0d 0f 10 02 48 8d 54 24 20 0f 11 44 24 20 64 8b 04 25 18 00 00 00 85 c0 75 27 41 b8 08 00 00 00 b8 0f 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 75 48 8b 15 24 73 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:00007ffec5b32ce0 EFLAGS: 00000246
RAX: 0000000000000001 RBX: 00000000000668a0 RCX: 00007f34f4519ad5
RDX: 00007ffec5b32d00 RSI: 0000000000000004 RDI: 0000564f4bc6cae0
RBP: 0000564f4bc6b5a0 R08: 0000000000000008 R09: 0000000000000000
R10: 00007ffec5b32de8 R11: 0000000000000246 R12: 0000564f48ea8aa4
R13: 0000000000000001 R14: 0000564f48ea93e8 R15: 00007ffec5b32d68
</TASK>
Eric noted a probable shinfo->nr_frags corruption, which indeed
occurs.
The root cause is a buggy MPTCP option len computation in some
circumstances: the ADD_ADDR option should be mutually exclusive
with DSS since the blamed commit.
Still, mptcp_established_options_add_addr() tries to set the
relevant info in mptcp_out_options, if the remaining space is
large enough even when DSS is present.
Since the ADD_ADDR infos and the DSS share the same union
fields, adding first corrupts the latter. In the worst-case
scenario, such corruption increases the DSS binary layout,
exceeding the computed length and possibly overwriting the
skb shared info.
Address the issue by enforcing mutual exclusion in
mptcp_established_options_add_addr(), too.
Cc: stable(a)vger.kernel.org
Reported-by: syzbot+38a095a81f30d82884c1(a)syzkaller.appspotmail.com
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/538
Fixes: 1bff1e43a30e ("mptcp: optimize out option generation")
Signed-off-by: Paolo Abeni <pabeni(a)redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org>
Reviewed-by: Eric Dumazet <edumazet(a)google.com>
Link: https://patch.msgid.link/025d9df8cde3c9a557befc47e9bc08fbbe3476e5.173477104…
Signed-off-by: Jakub Kicinski <kuba(a)kernel.org>
diff --git a/net/mptcp/options.c b/net/mptcp/options.c
index 1603b3702e22..a62bc874bf1e 100644
--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -667,8 +667,15 @@ static bool mptcp_established_options_add_addr(struct sock *sk, struct sk_buff *
&echo, &drop_other_suboptions))
return false;
+ /*
+ * Later on, mptcp_write_options() will enforce mutually exclusion with
+ * DSS, bail out if such option is set and we can't drop it.
+ */
if (drop_other_suboptions)
remaining += opt_size;
+ else if (opts->suboptions & OPTION_MPTCP_DSS)
+ return false;
+
len = mptcp_add_addr_len(opts->addr.family, echo, !!opts->addr.port);
if (remaining < len)
return false;
3 months, 3 weeks
- 1
- 0
[PATCH v2] arm64: Filter out SVE hwcaps when FEAT_SVE isn't implemented
by Marc Zyngier
The hwcaps code that exposes SVE features to userspace only
considers ID_AA64ZFR0_EL1, while this is only valid when
ID_AA64PFR0_EL1.SVE advertises that SVE is actually supported.
The expectations are that when ID_AA64PFR0_EL1.SVE is 0, the
ID_AA64ZFR0_EL1 register is also 0. So far, so good.
Things become a bit more interesting if the HW implements SME.
In this case, a few ID_AA64ZFR0_EL1 fields indicate *SME*
features. And these fields overlap with their SVE interpretations.
But the architecture says that the SME and SVE feature sets must
match, so we're still hunky-dory.
This goes wrong if the HW implements SME, but not SVE. In this
case, we end-up advertising some SVE features to userspace, even
if the HW has none. That's because we never consider whether SVE
is actually implemented. Oh well.
Fix it by restricting all SVE capabilities to ID_AA64PFR0_EL1.SVE
being non-zero.
Fixes: 06a916feca2b ("arm64: Expose SVE2 features for userspace")
Reported-by: Catalin Marinas <catalin.marinas(a)arm.com>
Signed-off-by: Marc Zyngier <maz(a)kernel.org>
Cc: Will Deacon <will(a)kernel.org>
Cc: Mark Rutland <mark.rutland(a)arm.com>
Cc: Mark Brown <broonie(a)kernel.org>
Cc: stable(a)vger.kernel.org
---
arch/arm64/kernel/cpufeature.c | 40 +++++++++++++++++++++++-----------
1 file changed, 27 insertions(+), 13 deletions(-)
diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
index 6ce71f444ed84..6874aca5da9df 100644
--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -3022,6 +3022,13 @@ static const struct arm64_cpu_capabilities arm64_features[] = {
.matches = match, \
}
+#define HWCAP_CAP_MATCH_ID(match, reg, field, min_value, cap_type, cap) \
+ { \
+ __HWCAP_CAP(#cap, cap_type, cap) \
+ HWCAP_CPUID_MATCH(reg, field, min_value) \
+ .matches = match, \
+ }
+
#ifdef CONFIG_ARM64_PTR_AUTH
static const struct arm64_cpu_capabilities ptr_auth_hwcap_addr_matches[] = {
{
@@ -3050,6 +3057,13 @@ static const struct arm64_cpu_capabilities ptr_auth_hwcap_gen_matches[] = {
};
#endif
+#ifdef CONFIG_ARM64_SVE
+static bool has_sve_feature(const struct arm64_cpu_capabilities *cap, int scope)
+{
+ return system_supports_sve() && has_user_cpuid_feature(cap, scope);
+}
+#endif
+
static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = {
HWCAP_CAP(ID_AA64ISAR0_EL1, AES, PMULL, CAP_HWCAP, KERNEL_HWCAP_PMULL),
HWCAP_CAP(ID_AA64ISAR0_EL1, AES, AES, CAP_HWCAP, KERNEL_HWCAP_AES),
@@ -3092,19 +3106,19 @@ static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = {
HWCAP_CAP(ID_AA64MMFR2_EL1, AT, IMP, CAP_HWCAP, KERNEL_HWCAP_USCAT),
#ifdef CONFIG_ARM64_SVE
HWCAP_CAP(ID_AA64PFR0_EL1, SVE, IMP, CAP_HWCAP, KERNEL_HWCAP_SVE),
- HWCAP_CAP(ID_AA64ZFR0_EL1, SVEver, SVE2p1, CAP_HWCAP, KERNEL_HWCAP_SVE2P1),
- HWCAP_CAP(ID_AA64ZFR0_EL1, SVEver, SVE2, CAP_HWCAP, KERNEL_HWCAP_SVE2),
- HWCAP_CAP(ID_AA64ZFR0_EL1, AES, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEAES),
- HWCAP_CAP(ID_AA64ZFR0_EL1, AES, PMULL128, CAP_HWCAP, KERNEL_HWCAP_SVEPMULL),
- HWCAP_CAP(ID_AA64ZFR0_EL1, BitPerm, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBITPERM),
- HWCAP_CAP(ID_AA64ZFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVE_B16B16),
- HWCAP_CAP(ID_AA64ZFR0_EL1, BF16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBF16),
- HWCAP_CAP(ID_AA64ZFR0_EL1, BF16, EBF16, CAP_HWCAP, KERNEL_HWCAP_SVE_EBF16),
- HWCAP_CAP(ID_AA64ZFR0_EL1, SHA3, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESHA3),
- HWCAP_CAP(ID_AA64ZFR0_EL1, SM4, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESM4),
- HWCAP_CAP(ID_AA64ZFR0_EL1, I8MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEI8MM),
- HWCAP_CAP(ID_AA64ZFR0_EL1, F32MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF32MM),
- HWCAP_CAP(ID_AA64ZFR0_EL1, F64MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF64MM),
+ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, SVEver, SVE2p1, CAP_HWCAP, KERNEL_HWCAP_SVE2P1),
+ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, SVEver, SVE2, CAP_HWCAP, KERNEL_HWCAP_SVE2),
+ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, AES, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEAES),
+ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, AES, PMULL128, CAP_HWCAP, KERNEL_HWCAP_SVEPMULL),
+ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, BitPerm, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBITPERM),
+ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVE_B16B16),
+ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, BF16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBF16),
+ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, BF16, EBF16, CAP_HWCAP, KERNEL_HWCAP_SVE_EBF16),
+ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, SHA3, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESHA3),
+ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, SM4, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESM4),
+ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, I8MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEI8MM),
+ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, F32MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF32MM),
+ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, F64MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF64MM),
#endif
#ifdef CONFIG_ARM64_GCS
HWCAP_CAP(ID_AA64PFR1_EL1, GCS, IMP, CAP_HWCAP, KERNEL_HWCAP_GCS),
--
2.39.2
3 months, 3 weeks
- 3
- 5
FAILED: patch "[PATCH] mm: reinstate ability to map write-sealed memfd mappings" failed to apply to 6.6-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 6.6-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y
git checkout FETCH_HEAD
git cherry-pick -x 8ec396d05d1b737c87311fb7311f753b02c2a6b1
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010652-resemble-faceplate-702c@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 8ec396d05d1b737c87311fb7311f753b02c2a6b1 Mon Sep 17 00:00:00 2001
From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com>
Date: Thu, 28 Nov 2024 15:06:17 +0000
Subject: [PATCH] mm: reinstate ability to map write-sealed memfd mappings
read-only
Patch series "mm: reinstate ability to map write-sealed memfd mappings
read-only".
In commit 158978945f31 ("mm: perform the mapping_map_writable() check
after call_mmap()") (and preceding changes in the same series) it became
possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only.
Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path
behaviour") unintentionally undid this logic by moving the
mapping_map_writable() check before the shmem_mmap() hook is invoked,
thereby regressing this change.
This series reworks how we both permit write-sealed mappings being mapped
read-only and disallow mprotect() from undoing the write-seal, fixing this
regression.
We also add a regression test to ensure that we do not accidentally
regress this in future.
Thanks to Julian Orth for reporting this regression.
This patch (of 2):
In commit 158978945f31 ("mm: perform the mapping_map_writable() check
after call_mmap()") (and preceding changes in the same series) it became
possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only.
This was previously unnecessarily disallowed, despite the man page
documentation indicating that it would be, thereby limiting the usefulness
of F_SEAL_WRITE logic.
We fixed this by adapting logic that existed for the F_SEAL_FUTURE_WRITE
seal (one which disallows future writes to the memfd) to also be used for
F_SEAL_WRITE.
For background - the F_SEAL_FUTURE_WRITE seal clears VM_MAYWRITE for a
read-only mapping to disallow mprotect() from overriding the seal - an
operation performed by seal_check_write(), invoked from shmem_mmap(), the
f_op->mmap() hook used by shmem mappings.
By extending this to F_SEAL_WRITE and critically - checking
mapping_map_writable() to determine if we may map the memfd AFTER we
invoke shmem_mmap() - the desired logic becomes possible. This is because
mapping_map_writable() explicitly checks for VM_MAYWRITE, which we will
have cleared.
Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path
behaviour") unintentionally undid this logic by moving the
mapping_map_writable() check before the shmem_mmap() hook is invoked,
thereby regressing this change.
We reinstate this functionality by moving the check out of shmem_mmap()
and instead performing it in do_mmap() at the point at which VMA flags are
being determined, which seems in any case to be a more appropriate place
in which to make this determination.
In order to achieve this we rework memfd seal logic to allow us access to
this information using existing logic and eliminate the clearing of
VM_MAYWRITE from seal_check_write() which we are performing in do_mmap()
instead.
Link: https://lkml.kernel.org/r/99fc35d2c62bd2e05571cf60d9f8b843c56069e0.17328047…
Fixes: 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour")
Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com>
Reported-by: Julian Orth <ju.orth(a)gmail.com>
Closes: https://lore.kernel.org/all/CAHijbEUMhvJTN9Xw1GmbM266FXXv=U7s4L_Jem5x3AaPZx…
Cc: Jann Horn <jannh(a)google.com>
Cc: Liam R. Howlett <Liam.Howlett(a)Oracle.com>
Cc: Linus Torvalds <torvalds(a)linux-foundation.org>
Cc: Shuah Khan <shuah(a)kernel.org>
Cc: Vlastimil Babka <vbabka(a)suse.cz>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
diff --git a/include/linux/memfd.h b/include/linux/memfd.h
index 3f2cf339ceaf..d437e3070850 100644
--- a/include/linux/memfd.h
+++ b/include/linux/memfd.h
@@ -7,6 +7,7 @@
#ifdef CONFIG_MEMFD_CREATE
extern long memfd_fcntl(struct file *file, unsigned int cmd, unsigned int arg);
struct folio *memfd_alloc_folio(struct file *memfd, pgoff_t idx);
+unsigned int *memfd_file_seals_ptr(struct file *file);
#else
static inline long memfd_fcntl(struct file *f, unsigned int c, unsigned int a)
{
@@ -16,6 +17,19 @@ static inline struct folio *memfd_alloc_folio(struct file *memfd, pgoff_t idx)
{
return ERR_PTR(-EINVAL);
}
+
+static inline unsigned int *memfd_file_seals_ptr(struct file *file)
+{
+ return NULL;
+}
#endif
+/* Retrieve memfd seals associated with the file, if any. */
+static inline unsigned int memfd_file_seals(struct file *file)
+{
+ unsigned int *sealsp = memfd_file_seals_ptr(file);
+
+ return sealsp ? *sealsp : 0;
+}
+
#endif /* __LINUX_MEMFD_H */
diff --git a/include/linux/mm.h b/include/linux/mm.h
index 338a76ce9083..fb397918c43d 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -4101,6 +4101,37 @@ void mem_dump_obj(void *object);
static inline void mem_dump_obj(void *object) {}
#endif
+static inline bool is_write_sealed(int seals)
+{
+ return seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE);
+}
+
+/**
+ * is_readonly_sealed - Checks whether write-sealed but mapped read-only,
+ * in which case writes should be disallowing moving
+ * forwards.
+ * @seals: the seals to check
+ * @vm_flags: the VMA flags to check
+ *
+ * Returns whether readonly sealed, in which case writess should be disallowed
+ * going forward.
+ */
+static inline bool is_readonly_sealed(int seals, vm_flags_t vm_flags)
+{
+ /*
+ * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as
+ * MAP_SHARED and read-only, take care to not allow mprotect to
+ * revert protections on such mappings. Do this only for shared
+ * mappings. For private mappings, don't need to mask
+ * VM_MAYWRITE as we still want them to be COW-writable.
+ */
+ if (is_write_sealed(seals) &&
+ ((vm_flags & (VM_SHARED | VM_WRITE)) == VM_SHARED))
+ return true;
+
+ return false;
+}
+
/**
* seal_check_write - Check for F_SEAL_WRITE or F_SEAL_FUTURE_WRITE flags and
* handle them.
@@ -4112,24 +4143,15 @@ static inline void mem_dump_obj(void *object) {}
*/
static inline int seal_check_write(int seals, struct vm_area_struct *vma)
{
- if (seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
- /*
- * New PROT_WRITE and MAP_SHARED mmaps are not allowed when
- * write seals are active.
- */
- if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE))
- return -EPERM;
+ if (!is_write_sealed(seals))
+ return 0;
- /*
- * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as
- * MAP_SHARED and read-only, take care to not allow mprotect to
- * revert protections on such mappings. Do this only for shared
- * mappings. For private mappings, don't need to mask
- * VM_MAYWRITE as we still want them to be COW-writable.
- */
- if (vma->vm_flags & VM_SHARED)
- vm_flags_clear(vma, VM_MAYWRITE);
- }
+ /*
+ * New PROT_WRITE and MAP_SHARED mmaps are not allowed when
+ * write seals are active.
+ */
+ if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE))
+ return -EPERM;
return 0;
}
diff --git a/mm/memfd.c b/mm/memfd.c
index c17c3ea701a1..35a370d75c9a 100644
--- a/mm/memfd.c
+++ b/mm/memfd.c
@@ -170,7 +170,7 @@ static int memfd_wait_for_pins(struct address_space *mapping)
return error;
}
-static unsigned int *memfd_file_seals_ptr(struct file *file)
+unsigned int *memfd_file_seals_ptr(struct file *file)
{
if (shmem_file(file))
return &SHMEM_I(file_inode(file))->seals;
diff --git a/mm/mmap.c b/mm/mmap.c
index d32b7e701058..16f8e8be01f8 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -47,6 +47,7 @@
#include <linux/oom.h>
#include <linux/sched/mm.h>
#include <linux/ksm.h>
+#include <linux/memfd.h>
#include <linux/uaccess.h>
#include <asm/cacheflush.h>
@@ -368,6 +369,7 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
if (file) {
struct inode *inode = file_inode(file);
+ unsigned int seals = memfd_file_seals(file);
unsigned long flags_mask;
if (!file_mmap_ok(file, inode, pgoff, len))
@@ -408,6 +410,8 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
vm_flags |= VM_SHARED | VM_MAYSHARE;
if (!(file->f_mode & FMODE_WRITE))
vm_flags &= ~(VM_MAYWRITE | VM_SHARED);
+ else if (is_readonly_sealed(seals, vm_flags))
+ vm_flags &= ~VM_MAYWRITE;
fallthrough;
case MAP_PRIVATE:
if (!(file->f_mode & FMODE_READ))
3 months, 3 weeks
- 3
- 3
FAILED: patch "[PATCH] mm: hugetlb: independent PMD page table shared count" failed to apply to 5.4-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 5.4-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y
git checkout FETCH_HEAD
git cherry-pick -x 59d9094df3d79443937add8700b2ef1a866b1081
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010625-stopped-snowflake-603f@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 59d9094df3d79443937add8700b2ef1a866b1081 Mon Sep 17 00:00:00 2001
From: Liu Shixin <liushixin2(a)huawei.com>
Date: Mon, 16 Dec 2024 15:11:47 +0800
Subject: [PATCH] mm: hugetlb: independent PMD page table shared count
The folio refcount may be increased unexpectly through try_get_folio() by
caller such as split_huge_pages. In huge_pmd_unshare(), we use refcount
to check whether a pmd page table is shared. The check is incorrect if
the refcount is increased by the above caller, and this can cause the page
table leaked:
BUG: Bad page state in process sh pfn:109324
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x66 pfn:0x109324
flags: 0x17ffff800000000(node=0|zone=2|lastcpupid=0xfffff)
page_type: f2(table)
raw: 017ffff800000000 0000000000000000 0000000000000000 0000000000000000
raw: 0000000000000066 0000000000000000 00000000f2000000 0000000000000000
page dumped because: nonzero mapcount
...
CPU: 31 UID: 0 PID: 7515 Comm: sh Kdump: loaded Tainted: G B 6.13.0-rc2master+ #7
Tainted: [B]=BAD_PAGE
Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
Call trace:
show_stack+0x20/0x38 (C)
dump_stack_lvl+0x80/0xf8
dump_stack+0x18/0x28
bad_page+0x8c/0x130
free_page_is_bad_report+0xa4/0xb0
free_unref_page+0x3cc/0x620
__folio_put+0xf4/0x158
split_huge_pages_all+0x1e0/0x3e8
split_huge_pages_write+0x25c/0x2d8
full_proxy_write+0x64/0xd8
vfs_write+0xcc/0x280
ksys_write+0x70/0x110
__arm64_sys_write+0x24/0x38
invoke_syscall+0x50/0x120
el0_svc_common.constprop.0+0xc8/0xf0
do_el0_svc+0x24/0x38
el0_svc+0x34/0x128
el0t_64_sync_handler+0xc8/0xd0
el0t_64_sync+0x190/0x198
The issue may be triggered by damon, offline_page, page_idle, etc, which
will increase the refcount of page table.
1. The page table itself will be discarded after reporting the
"nonzero mapcount".
2. The HugeTLB page mapped by the page table miss freeing since we
treat the page table as shared and a shared page table will not be
unmapped.
Fix it by introducing independent PMD page table shared count. As
described by comment, pt_index/pt_mm/pt_frag_refcount are used for s390
gmap, x86 pgds and powerpc, pt_share_count is used for x86/arm64/riscv
pmds, so we can reuse the field as pt_share_count.
Link: https://lkml.kernel.org/r/20241216071147.3984217-1-liushixin2@huawei.com
Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page")
Signed-off-by: Liu Shixin <liushixin2(a)huawei.com>
Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com>
Cc: Ken Chen <kenneth.w.chen(a)intel.com>
Cc: Muchun Song <muchun.song(a)linux.dev>
Cc: Nanyong Sun <sunnanyong(a)huawei.com>
Cc: Jane Chu <jane.chu(a)oracle.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
diff --git a/include/linux/mm.h b/include/linux/mm.h
index fb397918c43d..b1c3db9cf355 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -3125,6 +3125,7 @@ static inline bool pagetable_pmd_ctor(struct ptdesc *ptdesc)
if (!pmd_ptlock_init(ptdesc))
return false;
__folio_set_pgtable(folio);
+ ptdesc_pmd_pts_init(ptdesc);
lruvec_stat_add_folio(folio, NR_PAGETABLE);
return true;
}
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
index 7361a8f3ab68..332cee285662 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -445,6 +445,7 @@ FOLIO_MATCH(compound_head, _head_2a);
* @pt_index: Used for s390 gmap.
* @pt_mm: Used for x86 pgds.
* @pt_frag_refcount: For fragmented page table tracking. Powerpc only.
+ * @pt_share_count: Used for HugeTLB PMD page table share count.
* @_pt_pad_2: Padding to ensure proper alignment.
* @ptl: Lock for the page table.
* @__page_type: Same as page->page_type. Unused for page tables.
@@ -471,6 +472,9 @@ struct ptdesc {
pgoff_t pt_index;
struct mm_struct *pt_mm;
atomic_t pt_frag_refcount;
+#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING
+ atomic_t pt_share_count;
+#endif
};
union {
@@ -516,6 +520,32 @@ static_assert(sizeof(struct ptdesc) <= sizeof(struct page));
const struct page *: (const struct ptdesc *)(p), \
struct page *: (struct ptdesc *)(p)))
+#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING
+static inline void ptdesc_pmd_pts_init(struct ptdesc *ptdesc)
+{
+ atomic_set(&ptdesc->pt_share_count, 0);
+}
+
+static inline void ptdesc_pmd_pts_inc(struct ptdesc *ptdesc)
+{
+ atomic_inc(&ptdesc->pt_share_count);
+}
+
+static inline void ptdesc_pmd_pts_dec(struct ptdesc *ptdesc)
+{
+ atomic_dec(&ptdesc->pt_share_count);
+}
+
+static inline int ptdesc_pmd_pts_count(struct ptdesc *ptdesc)
+{
+ return atomic_read(&ptdesc->pt_share_count);
+}
+#else
+static inline void ptdesc_pmd_pts_init(struct ptdesc *ptdesc)
+{
+}
+#endif
+
/*
* Used for sizing the vmemmap region on some architectures
*/
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index cec4b121193f..c498874a7170 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -7211,7 +7211,7 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
spte = hugetlb_walk(svma, saddr,
vma_mmu_pagesize(svma));
if (spte) {
- get_page(virt_to_page(spte));
+ ptdesc_pmd_pts_inc(virt_to_ptdesc(spte));
break;
}
}
@@ -7226,7 +7226,7 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
(pmd_t *)((unsigned long)spte & PAGE_MASK));
mm_inc_nr_pmds(mm);
} else {
- put_page(virt_to_page(spte));
+ ptdesc_pmd_pts_dec(virt_to_ptdesc(spte));
}
spin_unlock(&mm->page_table_lock);
out:
@@ -7238,10 +7238,6 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
/*
* unmap huge page backed by shared pte.
*
- * Hugetlb pte page is ref counted at the time of mapping. If pte is shared
- * indicated by page_count > 1, unmap is achieved by clearing pud and
- * decrementing the ref count. If count == 1, the pte page is not shared.
- *
* Called with page table lock held.
*
* returns: 1 successfully unmapped a shared pte page
@@ -7250,18 +7246,20 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma,
unsigned long addr, pte_t *ptep)
{
+ unsigned long sz = huge_page_size(hstate_vma(vma));
pgd_t *pgd = pgd_offset(mm, addr);
p4d_t *p4d = p4d_offset(pgd, addr);
pud_t *pud = pud_offset(p4d, addr);
i_mmap_assert_write_locked(vma->vm_file->f_mapping);
hugetlb_vma_assert_locked(vma);
- BUG_ON(page_count(virt_to_page(ptep)) == 0);
- if (page_count(virt_to_page(ptep)) == 1)
+ if (sz != PMD_SIZE)
+ return 0;
+ if (!ptdesc_pmd_pts_count(virt_to_ptdesc(ptep)))
return 0;
pud_clear(pud);
- put_page(virt_to_page(ptep));
+ ptdesc_pmd_pts_dec(virt_to_ptdesc(ptep));
mm_dec_nr_pmds(mm);
return 1;
}
3 months, 3 weeks
- 1
- 0
FAILED: patch "[PATCH] mm: hugetlb: independent PMD page table shared count" failed to apply to 5.10-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 5.10-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y
git checkout FETCH_HEAD
git cherry-pick -x 59d9094df3d79443937add8700b2ef1a866b1081
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010623-platform-unmasked-77c7@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 59d9094df3d79443937add8700b2ef1a866b1081 Mon Sep 17 00:00:00 2001
From: Liu Shixin <liushixin2(a)huawei.com>
Date: Mon, 16 Dec 2024 15:11:47 +0800
Subject: [PATCH] mm: hugetlb: independent PMD page table shared count
The folio refcount may be increased unexpectly through try_get_folio() by
caller such as split_huge_pages. In huge_pmd_unshare(), we use refcount
to check whether a pmd page table is shared. The check is incorrect if
the refcount is increased by the above caller, and this can cause the page
table leaked:
BUG: Bad page state in process sh pfn:109324
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x66 pfn:0x109324
flags: 0x17ffff800000000(node=0|zone=2|lastcpupid=0xfffff)
page_type: f2(table)
raw: 017ffff800000000 0000000000000000 0000000000000000 0000000000000000
raw: 0000000000000066 0000000000000000 00000000f2000000 0000000000000000
page dumped because: nonzero mapcount
...
CPU: 31 UID: 0 PID: 7515 Comm: sh Kdump: loaded Tainted: G B 6.13.0-rc2master+ #7
Tainted: [B]=BAD_PAGE
Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
Call trace:
show_stack+0x20/0x38 (C)
dump_stack_lvl+0x80/0xf8
dump_stack+0x18/0x28
bad_page+0x8c/0x130
free_page_is_bad_report+0xa4/0xb0
free_unref_page+0x3cc/0x620
__folio_put+0xf4/0x158
split_huge_pages_all+0x1e0/0x3e8
split_huge_pages_write+0x25c/0x2d8
full_proxy_write+0x64/0xd8
vfs_write+0xcc/0x280
ksys_write+0x70/0x110
__arm64_sys_write+0x24/0x38
invoke_syscall+0x50/0x120
el0_svc_common.constprop.0+0xc8/0xf0
do_el0_svc+0x24/0x38
el0_svc+0x34/0x128
el0t_64_sync_handler+0xc8/0xd0
el0t_64_sync+0x190/0x198
The issue may be triggered by damon, offline_page, page_idle, etc, which
will increase the refcount of page table.
1. The page table itself will be discarded after reporting the
"nonzero mapcount".
2. The HugeTLB page mapped by the page table miss freeing since we
treat the page table as shared and a shared page table will not be
unmapped.
Fix it by introducing independent PMD page table shared count. As
described by comment, pt_index/pt_mm/pt_frag_refcount are used for s390
gmap, x86 pgds and powerpc, pt_share_count is used for x86/arm64/riscv
pmds, so we can reuse the field as pt_share_count.
Link: https://lkml.kernel.org/r/20241216071147.3984217-1-liushixin2@huawei.com
Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page")
Signed-off-by: Liu Shixin <liushixin2(a)huawei.com>
Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com>
Cc: Ken Chen <kenneth.w.chen(a)intel.com>
Cc: Muchun Song <muchun.song(a)linux.dev>
Cc: Nanyong Sun <sunnanyong(a)huawei.com>
Cc: Jane Chu <jane.chu(a)oracle.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
diff --git a/include/linux/mm.h b/include/linux/mm.h
index fb397918c43d..b1c3db9cf355 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -3125,6 +3125,7 @@ static inline bool pagetable_pmd_ctor(struct ptdesc *ptdesc)
if (!pmd_ptlock_init(ptdesc))
return false;
__folio_set_pgtable(folio);
+ ptdesc_pmd_pts_init(ptdesc);
lruvec_stat_add_folio(folio, NR_PAGETABLE);
return true;
}
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
index 7361a8f3ab68..332cee285662 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -445,6 +445,7 @@ FOLIO_MATCH(compound_head, _head_2a);
* @pt_index: Used for s390 gmap.
* @pt_mm: Used for x86 pgds.
* @pt_frag_refcount: For fragmented page table tracking. Powerpc only.
+ * @pt_share_count: Used for HugeTLB PMD page table share count.
* @_pt_pad_2: Padding to ensure proper alignment.
* @ptl: Lock for the page table.
* @__page_type: Same as page->page_type. Unused for page tables.
@@ -471,6 +472,9 @@ struct ptdesc {
pgoff_t pt_index;
struct mm_struct *pt_mm;
atomic_t pt_frag_refcount;
+#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING
+ atomic_t pt_share_count;
+#endif
};
union {
@@ -516,6 +520,32 @@ static_assert(sizeof(struct ptdesc) <= sizeof(struct page));
const struct page *: (const struct ptdesc *)(p), \
struct page *: (struct ptdesc *)(p)))
+#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING
+static inline void ptdesc_pmd_pts_init(struct ptdesc *ptdesc)
+{
+ atomic_set(&ptdesc->pt_share_count, 0);
+}
+
+static inline void ptdesc_pmd_pts_inc(struct ptdesc *ptdesc)
+{
+ atomic_inc(&ptdesc->pt_share_count);
+}
+
+static inline void ptdesc_pmd_pts_dec(struct ptdesc *ptdesc)
+{
+ atomic_dec(&ptdesc->pt_share_count);
+}
+
+static inline int ptdesc_pmd_pts_count(struct ptdesc *ptdesc)
+{
+ return atomic_read(&ptdesc->pt_share_count);
+}
+#else
+static inline void ptdesc_pmd_pts_init(struct ptdesc *ptdesc)
+{
+}
+#endif
+
/*
* Used for sizing the vmemmap region on some architectures
*/
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index cec4b121193f..c498874a7170 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -7211,7 +7211,7 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
spte = hugetlb_walk(svma, saddr,
vma_mmu_pagesize(svma));
if (spte) {
- get_page(virt_to_page(spte));
+ ptdesc_pmd_pts_inc(virt_to_ptdesc(spte));
break;
}
}
@@ -7226,7 +7226,7 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
(pmd_t *)((unsigned long)spte & PAGE_MASK));
mm_inc_nr_pmds(mm);
} else {
- put_page(virt_to_page(spte));
+ ptdesc_pmd_pts_dec(virt_to_ptdesc(spte));
}
spin_unlock(&mm->page_table_lock);
out:
@@ -7238,10 +7238,6 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
/*
* unmap huge page backed by shared pte.
*
- * Hugetlb pte page is ref counted at the time of mapping. If pte is shared
- * indicated by page_count > 1, unmap is achieved by clearing pud and
- * decrementing the ref count. If count == 1, the pte page is not shared.
- *
* Called with page table lock held.
*
* returns: 1 successfully unmapped a shared pte page
@@ -7250,18 +7246,20 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma,
unsigned long addr, pte_t *ptep)
{
+ unsigned long sz = huge_page_size(hstate_vma(vma));
pgd_t *pgd = pgd_offset(mm, addr);
p4d_t *p4d = p4d_offset(pgd, addr);
pud_t *pud = pud_offset(p4d, addr);
i_mmap_assert_write_locked(vma->vm_file->f_mapping);
hugetlb_vma_assert_locked(vma);
- BUG_ON(page_count(virt_to_page(ptep)) == 0);
- if (page_count(virt_to_page(ptep)) == 1)
+ if (sz != PMD_SIZE)
+ return 0;
+ if (!ptdesc_pmd_pts_count(virt_to_ptdesc(ptep)))
return 0;
pud_clear(pud);
- put_page(virt_to_page(ptep));
+ ptdesc_pmd_pts_dec(virt_to_ptdesc(ptep));
mm_dec_nr_pmds(mm);
return 1;
}
3 months, 3 weeks
- 1
- 0
FAILED: patch "[PATCH] mm: hugetlb: independent PMD page table shared count" failed to apply to 5.15-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 5.15-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y
git checkout FETCH_HEAD
git cherry-pick -x 59d9094df3d79443937add8700b2ef1a866b1081
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010622-overflow-raffle-07fa@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 59d9094df3d79443937add8700b2ef1a866b1081 Mon Sep 17 00:00:00 2001
From: Liu Shixin <liushixin2(a)huawei.com>
Date: Mon, 16 Dec 2024 15:11:47 +0800
Subject: [PATCH] mm: hugetlb: independent PMD page table shared count
The folio refcount may be increased unexpectly through try_get_folio() by
caller such as split_huge_pages. In huge_pmd_unshare(), we use refcount
to check whether a pmd page table is shared. The check is incorrect if
the refcount is increased by the above caller, and this can cause the page
table leaked:
BUG: Bad page state in process sh pfn:109324
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x66 pfn:0x109324
flags: 0x17ffff800000000(node=0|zone=2|lastcpupid=0xfffff)
page_type: f2(table)
raw: 017ffff800000000 0000000000000000 0000000000000000 0000000000000000
raw: 0000000000000066 0000000000000000 00000000f2000000 0000000000000000
page dumped because: nonzero mapcount
...
CPU: 31 UID: 0 PID: 7515 Comm: sh Kdump: loaded Tainted: G B 6.13.0-rc2master+ #7
Tainted: [B]=BAD_PAGE
Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
Call trace:
show_stack+0x20/0x38 (C)
dump_stack_lvl+0x80/0xf8
dump_stack+0x18/0x28
bad_page+0x8c/0x130
free_page_is_bad_report+0xa4/0xb0
free_unref_page+0x3cc/0x620
__folio_put+0xf4/0x158
split_huge_pages_all+0x1e0/0x3e8
split_huge_pages_write+0x25c/0x2d8
full_proxy_write+0x64/0xd8
vfs_write+0xcc/0x280
ksys_write+0x70/0x110
__arm64_sys_write+0x24/0x38
invoke_syscall+0x50/0x120
el0_svc_common.constprop.0+0xc8/0xf0
do_el0_svc+0x24/0x38
el0_svc+0x34/0x128
el0t_64_sync_handler+0xc8/0xd0
el0t_64_sync+0x190/0x198
The issue may be triggered by damon, offline_page, page_idle, etc, which
will increase the refcount of page table.
1. The page table itself will be discarded after reporting the
"nonzero mapcount".
2. The HugeTLB page mapped by the page table miss freeing since we
treat the page table as shared and a shared page table will not be
unmapped.
Fix it by introducing independent PMD page table shared count. As
described by comment, pt_index/pt_mm/pt_frag_refcount are used for s390
gmap, x86 pgds and powerpc, pt_share_count is used for x86/arm64/riscv
pmds, so we can reuse the field as pt_share_count.
Link: https://lkml.kernel.org/r/20241216071147.3984217-1-liushixin2@huawei.com
Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page")
Signed-off-by: Liu Shixin <liushixin2(a)huawei.com>
Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com>
Cc: Ken Chen <kenneth.w.chen(a)intel.com>
Cc: Muchun Song <muchun.song(a)linux.dev>
Cc: Nanyong Sun <sunnanyong(a)huawei.com>
Cc: Jane Chu <jane.chu(a)oracle.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
diff --git a/include/linux/mm.h b/include/linux/mm.h
index fb397918c43d..b1c3db9cf355 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -3125,6 +3125,7 @@ static inline bool pagetable_pmd_ctor(struct ptdesc *ptdesc)
if (!pmd_ptlock_init(ptdesc))
return false;
__folio_set_pgtable(folio);
+ ptdesc_pmd_pts_init(ptdesc);
lruvec_stat_add_folio(folio, NR_PAGETABLE);
return true;
}
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
index 7361a8f3ab68..332cee285662 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -445,6 +445,7 @@ FOLIO_MATCH(compound_head, _head_2a);
* @pt_index: Used for s390 gmap.
* @pt_mm: Used for x86 pgds.
* @pt_frag_refcount: For fragmented page table tracking. Powerpc only.
+ * @pt_share_count: Used for HugeTLB PMD page table share count.
* @_pt_pad_2: Padding to ensure proper alignment.
* @ptl: Lock for the page table.
* @__page_type: Same as page->page_type. Unused for page tables.
@@ -471,6 +472,9 @@ struct ptdesc {
pgoff_t pt_index;
struct mm_struct *pt_mm;
atomic_t pt_frag_refcount;
+#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING
+ atomic_t pt_share_count;
+#endif
};
union {
@@ -516,6 +520,32 @@ static_assert(sizeof(struct ptdesc) <= sizeof(struct page));
const struct page *: (const struct ptdesc *)(p), \
struct page *: (struct ptdesc *)(p)))
+#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING
+static inline void ptdesc_pmd_pts_init(struct ptdesc *ptdesc)
+{
+ atomic_set(&ptdesc->pt_share_count, 0);
+}
+
+static inline void ptdesc_pmd_pts_inc(struct ptdesc *ptdesc)
+{
+ atomic_inc(&ptdesc->pt_share_count);
+}
+
+static inline void ptdesc_pmd_pts_dec(struct ptdesc *ptdesc)
+{
+ atomic_dec(&ptdesc->pt_share_count);
+}
+
+static inline int ptdesc_pmd_pts_count(struct ptdesc *ptdesc)
+{
+ return atomic_read(&ptdesc->pt_share_count);
+}
+#else
+static inline void ptdesc_pmd_pts_init(struct ptdesc *ptdesc)
+{
+}
+#endif
+
/*
* Used for sizing the vmemmap region on some architectures
*/
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index cec4b121193f..c498874a7170 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -7211,7 +7211,7 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
spte = hugetlb_walk(svma, saddr,
vma_mmu_pagesize(svma));
if (spte) {
- get_page(virt_to_page(spte));
+ ptdesc_pmd_pts_inc(virt_to_ptdesc(spte));
break;
}
}
@@ -7226,7 +7226,7 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
(pmd_t *)((unsigned long)spte & PAGE_MASK));
mm_inc_nr_pmds(mm);
} else {
- put_page(virt_to_page(spte));
+ ptdesc_pmd_pts_dec(virt_to_ptdesc(spte));
}
spin_unlock(&mm->page_table_lock);
out:
@@ -7238,10 +7238,6 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
/*
* unmap huge page backed by shared pte.
*
- * Hugetlb pte page is ref counted at the time of mapping. If pte is shared
- * indicated by page_count > 1, unmap is achieved by clearing pud and
- * decrementing the ref count. If count == 1, the pte page is not shared.
- *
* Called with page table lock held.
*
* returns: 1 successfully unmapped a shared pte page
@@ -7250,18 +7246,20 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma,
unsigned long addr, pte_t *ptep)
{
+ unsigned long sz = huge_page_size(hstate_vma(vma));
pgd_t *pgd = pgd_offset(mm, addr);
p4d_t *p4d = p4d_offset(pgd, addr);
pud_t *pud = pud_offset(p4d, addr);
i_mmap_assert_write_locked(vma->vm_file->f_mapping);
hugetlb_vma_assert_locked(vma);
- BUG_ON(page_count(virt_to_page(ptep)) == 0);
- if (page_count(virt_to_page(ptep)) == 1)
+ if (sz != PMD_SIZE)
+ return 0;
+ if (!ptdesc_pmd_pts_count(virt_to_ptdesc(ptep)))
return 0;
pud_clear(pud);
- put_page(virt_to_page(ptep));
+ ptdesc_pmd_pts_dec(virt_to_ptdesc(ptep));
mm_dec_nr_pmds(mm);
return 1;
}
3 months, 3 weeks
- 1
- 0
FAILED: patch "[PATCH] mm: hugetlb: independent PMD page table shared count" failed to apply to 6.1-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 6.1-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
git checkout FETCH_HEAD
git cherry-pick -x 59d9094df3d79443937add8700b2ef1a866b1081
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010621-candy-fall-1396@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 59d9094df3d79443937add8700b2ef1a866b1081 Mon Sep 17 00:00:00 2001
From: Liu Shixin <liushixin2(a)huawei.com>
Date: Mon, 16 Dec 2024 15:11:47 +0800
Subject: [PATCH] mm: hugetlb: independent PMD page table shared count
The folio refcount may be increased unexpectly through try_get_folio() by
caller such as split_huge_pages. In huge_pmd_unshare(), we use refcount
to check whether a pmd page table is shared. The check is incorrect if
the refcount is increased by the above caller, and this can cause the page
table leaked:
BUG: Bad page state in process sh pfn:109324
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x66 pfn:0x109324
flags: 0x17ffff800000000(node=0|zone=2|lastcpupid=0xfffff)
page_type: f2(table)
raw: 017ffff800000000 0000000000000000 0000000000000000 0000000000000000
raw: 0000000000000066 0000000000000000 00000000f2000000 0000000000000000
page dumped because: nonzero mapcount
...
CPU: 31 UID: 0 PID: 7515 Comm: sh Kdump: loaded Tainted: G B 6.13.0-rc2master+ #7
Tainted: [B]=BAD_PAGE
Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
Call trace:
show_stack+0x20/0x38 (C)
dump_stack_lvl+0x80/0xf8
dump_stack+0x18/0x28
bad_page+0x8c/0x130
free_page_is_bad_report+0xa4/0xb0
free_unref_page+0x3cc/0x620
__folio_put+0xf4/0x158
split_huge_pages_all+0x1e0/0x3e8
split_huge_pages_write+0x25c/0x2d8
full_proxy_write+0x64/0xd8
vfs_write+0xcc/0x280
ksys_write+0x70/0x110
__arm64_sys_write+0x24/0x38
invoke_syscall+0x50/0x120
el0_svc_common.constprop.0+0xc8/0xf0
do_el0_svc+0x24/0x38
el0_svc+0x34/0x128
el0t_64_sync_handler+0xc8/0xd0
el0t_64_sync+0x190/0x198
The issue may be triggered by damon, offline_page, page_idle, etc, which
will increase the refcount of page table.
1. The page table itself will be discarded after reporting the
"nonzero mapcount".
2. The HugeTLB page mapped by the page table miss freeing since we
treat the page table as shared and a shared page table will not be
unmapped.
Fix it by introducing independent PMD page table shared count. As
described by comment, pt_index/pt_mm/pt_frag_refcount are used for s390
gmap, x86 pgds and powerpc, pt_share_count is used for x86/arm64/riscv
pmds, so we can reuse the field as pt_share_count.
Link: https://lkml.kernel.org/r/20241216071147.3984217-1-liushixin2@huawei.com
Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page")
Signed-off-by: Liu Shixin <liushixin2(a)huawei.com>
Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com>
Cc: Ken Chen <kenneth.w.chen(a)intel.com>
Cc: Muchun Song <muchun.song(a)linux.dev>
Cc: Nanyong Sun <sunnanyong(a)huawei.com>
Cc: Jane Chu <jane.chu(a)oracle.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
diff --git a/include/linux/mm.h b/include/linux/mm.h
index fb397918c43d..b1c3db9cf355 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -3125,6 +3125,7 @@ static inline bool pagetable_pmd_ctor(struct ptdesc *ptdesc)
if (!pmd_ptlock_init(ptdesc))
return false;
__folio_set_pgtable(folio);
+ ptdesc_pmd_pts_init(ptdesc);
lruvec_stat_add_folio(folio, NR_PAGETABLE);
return true;
}
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
index 7361a8f3ab68..332cee285662 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -445,6 +445,7 @@ FOLIO_MATCH(compound_head, _head_2a);
* @pt_index: Used for s390 gmap.
* @pt_mm: Used for x86 pgds.
* @pt_frag_refcount: For fragmented page table tracking. Powerpc only.
+ * @pt_share_count: Used for HugeTLB PMD page table share count.
* @_pt_pad_2: Padding to ensure proper alignment.
* @ptl: Lock for the page table.
* @__page_type: Same as page->page_type. Unused for page tables.
@@ -471,6 +472,9 @@ struct ptdesc {
pgoff_t pt_index;
struct mm_struct *pt_mm;
atomic_t pt_frag_refcount;
+#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING
+ atomic_t pt_share_count;
+#endif
};
union {
@@ -516,6 +520,32 @@ static_assert(sizeof(struct ptdesc) <= sizeof(struct page));
const struct page *: (const struct ptdesc *)(p), \
struct page *: (struct ptdesc *)(p)))
+#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING
+static inline void ptdesc_pmd_pts_init(struct ptdesc *ptdesc)
+{
+ atomic_set(&ptdesc->pt_share_count, 0);
+}
+
+static inline void ptdesc_pmd_pts_inc(struct ptdesc *ptdesc)
+{
+ atomic_inc(&ptdesc->pt_share_count);
+}
+
+static inline void ptdesc_pmd_pts_dec(struct ptdesc *ptdesc)
+{
+ atomic_dec(&ptdesc->pt_share_count);
+}
+
+static inline int ptdesc_pmd_pts_count(struct ptdesc *ptdesc)
+{
+ return atomic_read(&ptdesc->pt_share_count);
+}
+#else
+static inline void ptdesc_pmd_pts_init(struct ptdesc *ptdesc)
+{
+}
+#endif
+
/*
* Used for sizing the vmemmap region on some architectures
*/
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index cec4b121193f..c498874a7170 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -7211,7 +7211,7 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
spte = hugetlb_walk(svma, saddr,
vma_mmu_pagesize(svma));
if (spte) {
- get_page(virt_to_page(spte));
+ ptdesc_pmd_pts_inc(virt_to_ptdesc(spte));
break;
}
}
@@ -7226,7 +7226,7 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
(pmd_t *)((unsigned long)spte & PAGE_MASK));
mm_inc_nr_pmds(mm);
} else {
- put_page(virt_to_page(spte));
+ ptdesc_pmd_pts_dec(virt_to_ptdesc(spte));
}
spin_unlock(&mm->page_table_lock);
out:
@@ -7238,10 +7238,6 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
/*
* unmap huge page backed by shared pte.
*
- * Hugetlb pte page is ref counted at the time of mapping. If pte is shared
- * indicated by page_count > 1, unmap is achieved by clearing pud and
- * decrementing the ref count. If count == 1, the pte page is not shared.
- *
* Called with page table lock held.
*
* returns: 1 successfully unmapped a shared pte page
@@ -7250,18 +7246,20 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma,
unsigned long addr, pte_t *ptep)
{
+ unsigned long sz = huge_page_size(hstate_vma(vma));
pgd_t *pgd = pgd_offset(mm, addr);
p4d_t *p4d = p4d_offset(pgd, addr);
pud_t *pud = pud_offset(p4d, addr);
i_mmap_assert_write_locked(vma->vm_file->f_mapping);
hugetlb_vma_assert_locked(vma);
- BUG_ON(page_count(virt_to_page(ptep)) == 0);
- if (page_count(virt_to_page(ptep)) == 1)
+ if (sz != PMD_SIZE)
+ return 0;
+ if (!ptdesc_pmd_pts_count(virt_to_ptdesc(ptep)))
return 0;
pud_clear(pud);
- put_page(virt_to_page(ptep));
+ ptdesc_pmd_pts_dec(virt_to_ptdesc(ptep));
mm_dec_nr_pmds(mm);
return 1;
}
3 months, 3 weeks
- 1
- 0
FAILED: patch "[PATCH] mm: hugetlb: independent PMD page table shared count" failed to apply to 6.6-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 6.6-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y
git checkout FETCH_HEAD
git cherry-pick -x 59d9094df3d79443937add8700b2ef1a866b1081
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010620-lethargic-backspin-e75d@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 59d9094df3d79443937add8700b2ef1a866b1081 Mon Sep 17 00:00:00 2001
From: Liu Shixin <liushixin2(a)huawei.com>
Date: Mon, 16 Dec 2024 15:11:47 +0800
Subject: [PATCH] mm: hugetlb: independent PMD page table shared count
The folio refcount may be increased unexpectly through try_get_folio() by
caller such as split_huge_pages. In huge_pmd_unshare(), we use refcount
to check whether a pmd page table is shared. The check is incorrect if
the refcount is increased by the above caller, and this can cause the page
table leaked:
BUG: Bad page state in process sh pfn:109324
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x66 pfn:0x109324
flags: 0x17ffff800000000(node=0|zone=2|lastcpupid=0xfffff)
page_type: f2(table)
raw: 017ffff800000000 0000000000000000 0000000000000000 0000000000000000
raw: 0000000000000066 0000000000000000 00000000f2000000 0000000000000000
page dumped because: nonzero mapcount
...
CPU: 31 UID: 0 PID: 7515 Comm: sh Kdump: loaded Tainted: G B 6.13.0-rc2master+ #7
Tainted: [B]=BAD_PAGE
Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
Call trace:
show_stack+0x20/0x38 (C)
dump_stack_lvl+0x80/0xf8
dump_stack+0x18/0x28
bad_page+0x8c/0x130
free_page_is_bad_report+0xa4/0xb0
free_unref_page+0x3cc/0x620
__folio_put+0xf4/0x158
split_huge_pages_all+0x1e0/0x3e8
split_huge_pages_write+0x25c/0x2d8
full_proxy_write+0x64/0xd8
vfs_write+0xcc/0x280
ksys_write+0x70/0x110
__arm64_sys_write+0x24/0x38
invoke_syscall+0x50/0x120
el0_svc_common.constprop.0+0xc8/0xf0
do_el0_svc+0x24/0x38
el0_svc+0x34/0x128
el0t_64_sync_handler+0xc8/0xd0
el0t_64_sync+0x190/0x198
The issue may be triggered by damon, offline_page, page_idle, etc, which
will increase the refcount of page table.
1. The page table itself will be discarded after reporting the
"nonzero mapcount".
2. The HugeTLB page mapped by the page table miss freeing since we
treat the page table as shared and a shared page table will not be
unmapped.
Fix it by introducing independent PMD page table shared count. As
described by comment, pt_index/pt_mm/pt_frag_refcount are used for s390
gmap, x86 pgds and powerpc, pt_share_count is used for x86/arm64/riscv
pmds, so we can reuse the field as pt_share_count.
Link: https://lkml.kernel.org/r/20241216071147.3984217-1-liushixin2@huawei.com
Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page")
Signed-off-by: Liu Shixin <liushixin2(a)huawei.com>
Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com>
Cc: Ken Chen <kenneth.w.chen(a)intel.com>
Cc: Muchun Song <muchun.song(a)linux.dev>
Cc: Nanyong Sun <sunnanyong(a)huawei.com>
Cc: Jane Chu <jane.chu(a)oracle.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
diff --git a/include/linux/mm.h b/include/linux/mm.h
index fb397918c43d..b1c3db9cf355 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -3125,6 +3125,7 @@ static inline bool pagetable_pmd_ctor(struct ptdesc *ptdesc)
if (!pmd_ptlock_init(ptdesc))
return false;
__folio_set_pgtable(folio);
+ ptdesc_pmd_pts_init(ptdesc);
lruvec_stat_add_folio(folio, NR_PAGETABLE);
return true;
}
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
index 7361a8f3ab68..332cee285662 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -445,6 +445,7 @@ FOLIO_MATCH(compound_head, _head_2a);
* @pt_index: Used for s390 gmap.
* @pt_mm: Used for x86 pgds.
* @pt_frag_refcount: For fragmented page table tracking. Powerpc only.
+ * @pt_share_count: Used for HugeTLB PMD page table share count.
* @_pt_pad_2: Padding to ensure proper alignment.
* @ptl: Lock for the page table.
* @__page_type: Same as page->page_type. Unused for page tables.
@@ -471,6 +472,9 @@ struct ptdesc {
pgoff_t pt_index;
struct mm_struct *pt_mm;
atomic_t pt_frag_refcount;
+#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING
+ atomic_t pt_share_count;
+#endif
};
union {
@@ -516,6 +520,32 @@ static_assert(sizeof(struct ptdesc) <= sizeof(struct page));
const struct page *: (const struct ptdesc *)(p), \
struct page *: (struct ptdesc *)(p)))
+#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING
+static inline void ptdesc_pmd_pts_init(struct ptdesc *ptdesc)
+{
+ atomic_set(&ptdesc->pt_share_count, 0);
+}
+
+static inline void ptdesc_pmd_pts_inc(struct ptdesc *ptdesc)
+{
+ atomic_inc(&ptdesc->pt_share_count);
+}
+
+static inline void ptdesc_pmd_pts_dec(struct ptdesc *ptdesc)
+{
+ atomic_dec(&ptdesc->pt_share_count);
+}
+
+static inline int ptdesc_pmd_pts_count(struct ptdesc *ptdesc)
+{
+ return atomic_read(&ptdesc->pt_share_count);
+}
+#else
+static inline void ptdesc_pmd_pts_init(struct ptdesc *ptdesc)
+{
+}
+#endif
+
/*
* Used for sizing the vmemmap region on some architectures
*/
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index cec4b121193f..c498874a7170 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -7211,7 +7211,7 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
spte = hugetlb_walk(svma, saddr,
vma_mmu_pagesize(svma));
if (spte) {
- get_page(virt_to_page(spte));
+ ptdesc_pmd_pts_inc(virt_to_ptdesc(spte));
break;
}
}
@@ -7226,7 +7226,7 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
(pmd_t *)((unsigned long)spte & PAGE_MASK));
mm_inc_nr_pmds(mm);
} else {
- put_page(virt_to_page(spte));
+ ptdesc_pmd_pts_dec(virt_to_ptdesc(spte));
}
spin_unlock(&mm->page_table_lock);
out:
@@ -7238,10 +7238,6 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
/*
* unmap huge page backed by shared pte.
*
- * Hugetlb pte page is ref counted at the time of mapping. If pte is shared
- * indicated by page_count > 1, unmap is achieved by clearing pud and
- * decrementing the ref count. If count == 1, the pte page is not shared.
- *
* Called with page table lock held.
*
* returns: 1 successfully unmapped a shared pte page
@@ -7250,18 +7246,20 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma,
unsigned long addr, pte_t *ptep)
{
+ unsigned long sz = huge_page_size(hstate_vma(vma));
pgd_t *pgd = pgd_offset(mm, addr);
p4d_t *p4d = p4d_offset(pgd, addr);
pud_t *pud = pud_offset(p4d, addr);
i_mmap_assert_write_locked(vma->vm_file->f_mapping);
hugetlb_vma_assert_locked(vma);
- BUG_ON(page_count(virt_to_page(ptep)) == 0);
- if (page_count(virt_to_page(ptep)) == 1)
+ if (sz != PMD_SIZE)
+ return 0;
+ if (!ptdesc_pmd_pts_count(virt_to_ptdesc(ptep)))
return 0;
pud_clear(pud);
- put_page(virt_to_page(ptep));
+ ptdesc_pmd_pts_dec(virt_to_ptdesc(ptep));
mm_dec_nr_pmds(mm);
return 1;
}
3 months, 3 weeks
- 1
- 0
FAILED: patch "[PATCH] mm: reinstate ability to map write-sealed memfd mappings" failed to apply to 5.10-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 5.10-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y
git checkout FETCH_HEAD
git cherry-pick -x 8ec396d05d1b737c87311fb7311f753b02c2a6b1
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010657-rental-seltzer-1a53@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 8ec396d05d1b737c87311fb7311f753b02c2a6b1 Mon Sep 17 00:00:00 2001
From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com>
Date: Thu, 28 Nov 2024 15:06:17 +0000
Subject: [PATCH] mm: reinstate ability to map write-sealed memfd mappings
read-only
Patch series "mm: reinstate ability to map write-sealed memfd mappings
read-only".
In commit 158978945f31 ("mm: perform the mapping_map_writable() check
after call_mmap()") (and preceding changes in the same series) it became
possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only.
Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path
behaviour") unintentionally undid this logic by moving the
mapping_map_writable() check before the shmem_mmap() hook is invoked,
thereby regressing this change.
This series reworks how we both permit write-sealed mappings being mapped
read-only and disallow mprotect() from undoing the write-seal, fixing this
regression.
We also add a regression test to ensure that we do not accidentally
regress this in future.
Thanks to Julian Orth for reporting this regression.
This patch (of 2):
In commit 158978945f31 ("mm: perform the mapping_map_writable() check
after call_mmap()") (and preceding changes in the same series) it became
possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only.
This was previously unnecessarily disallowed, despite the man page
documentation indicating that it would be, thereby limiting the usefulness
of F_SEAL_WRITE logic.
We fixed this by adapting logic that existed for the F_SEAL_FUTURE_WRITE
seal (one which disallows future writes to the memfd) to also be used for
F_SEAL_WRITE.
For background - the F_SEAL_FUTURE_WRITE seal clears VM_MAYWRITE for a
read-only mapping to disallow mprotect() from overriding the seal - an
operation performed by seal_check_write(), invoked from shmem_mmap(), the
f_op->mmap() hook used by shmem mappings.
By extending this to F_SEAL_WRITE and critically - checking
mapping_map_writable() to determine if we may map the memfd AFTER we
invoke shmem_mmap() - the desired logic becomes possible. This is because
mapping_map_writable() explicitly checks for VM_MAYWRITE, which we will
have cleared.
Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path
behaviour") unintentionally undid this logic by moving the
mapping_map_writable() check before the shmem_mmap() hook is invoked,
thereby regressing this change.
We reinstate this functionality by moving the check out of shmem_mmap()
and instead performing it in do_mmap() at the point at which VMA flags are
being determined, which seems in any case to be a more appropriate place
in which to make this determination.
In order to achieve this we rework memfd seal logic to allow us access to
this information using existing logic and eliminate the clearing of
VM_MAYWRITE from seal_check_write() which we are performing in do_mmap()
instead.
Link: https://lkml.kernel.org/r/99fc35d2c62bd2e05571cf60d9f8b843c56069e0.17328047…
Fixes: 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour")
Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com>
Reported-by: Julian Orth <ju.orth(a)gmail.com>
Closes: https://lore.kernel.org/all/CAHijbEUMhvJTN9Xw1GmbM266FXXv=U7s4L_Jem5x3AaPZx…
Cc: Jann Horn <jannh(a)google.com>
Cc: Liam R. Howlett <Liam.Howlett(a)Oracle.com>
Cc: Linus Torvalds <torvalds(a)linux-foundation.org>
Cc: Shuah Khan <shuah(a)kernel.org>
Cc: Vlastimil Babka <vbabka(a)suse.cz>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
diff --git a/include/linux/memfd.h b/include/linux/memfd.h
index 3f2cf339ceaf..d437e3070850 100644
--- a/include/linux/memfd.h
+++ b/include/linux/memfd.h
@@ -7,6 +7,7 @@
#ifdef CONFIG_MEMFD_CREATE
extern long memfd_fcntl(struct file *file, unsigned int cmd, unsigned int arg);
struct folio *memfd_alloc_folio(struct file *memfd, pgoff_t idx);
+unsigned int *memfd_file_seals_ptr(struct file *file);
#else
static inline long memfd_fcntl(struct file *f, unsigned int c, unsigned int a)
{
@@ -16,6 +17,19 @@ static inline struct folio *memfd_alloc_folio(struct file *memfd, pgoff_t idx)
{
return ERR_PTR(-EINVAL);
}
+
+static inline unsigned int *memfd_file_seals_ptr(struct file *file)
+{
+ return NULL;
+}
#endif
+/* Retrieve memfd seals associated with the file, if any. */
+static inline unsigned int memfd_file_seals(struct file *file)
+{
+ unsigned int *sealsp = memfd_file_seals_ptr(file);
+
+ return sealsp ? *sealsp : 0;
+}
+
#endif /* __LINUX_MEMFD_H */
diff --git a/include/linux/mm.h b/include/linux/mm.h
index 338a76ce9083..fb397918c43d 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -4101,6 +4101,37 @@ void mem_dump_obj(void *object);
static inline void mem_dump_obj(void *object) {}
#endif
+static inline bool is_write_sealed(int seals)
+{
+ return seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE);
+}
+
+/**
+ * is_readonly_sealed - Checks whether write-sealed but mapped read-only,
+ * in which case writes should be disallowing moving
+ * forwards.
+ * @seals: the seals to check
+ * @vm_flags: the VMA flags to check
+ *
+ * Returns whether readonly sealed, in which case writess should be disallowed
+ * going forward.
+ */
+static inline bool is_readonly_sealed(int seals, vm_flags_t vm_flags)
+{
+ /*
+ * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as
+ * MAP_SHARED and read-only, take care to not allow mprotect to
+ * revert protections on such mappings. Do this only for shared
+ * mappings. For private mappings, don't need to mask
+ * VM_MAYWRITE as we still want them to be COW-writable.
+ */
+ if (is_write_sealed(seals) &&
+ ((vm_flags & (VM_SHARED | VM_WRITE)) == VM_SHARED))
+ return true;
+
+ return false;
+}
+
/**
* seal_check_write - Check for F_SEAL_WRITE or F_SEAL_FUTURE_WRITE flags and
* handle them.
@@ -4112,24 +4143,15 @@ static inline void mem_dump_obj(void *object) {}
*/
static inline int seal_check_write(int seals, struct vm_area_struct *vma)
{
- if (seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
- /*
- * New PROT_WRITE and MAP_SHARED mmaps are not allowed when
- * write seals are active.
- */
- if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE))
- return -EPERM;
+ if (!is_write_sealed(seals))
+ return 0;
- /*
- * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as
- * MAP_SHARED and read-only, take care to not allow mprotect to
- * revert protections on such mappings. Do this only for shared
- * mappings. For private mappings, don't need to mask
- * VM_MAYWRITE as we still want them to be COW-writable.
- */
- if (vma->vm_flags & VM_SHARED)
- vm_flags_clear(vma, VM_MAYWRITE);
- }
+ /*
+ * New PROT_WRITE and MAP_SHARED mmaps are not allowed when
+ * write seals are active.
+ */
+ if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE))
+ return -EPERM;
return 0;
}
diff --git a/mm/memfd.c b/mm/memfd.c
index c17c3ea701a1..35a370d75c9a 100644
--- a/mm/memfd.c
+++ b/mm/memfd.c
@@ -170,7 +170,7 @@ static int memfd_wait_for_pins(struct address_space *mapping)
return error;
}
-static unsigned int *memfd_file_seals_ptr(struct file *file)
+unsigned int *memfd_file_seals_ptr(struct file *file)
{
if (shmem_file(file))
return &SHMEM_I(file_inode(file))->seals;
diff --git a/mm/mmap.c b/mm/mmap.c
index d32b7e701058..16f8e8be01f8 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -47,6 +47,7 @@
#include <linux/oom.h>
#include <linux/sched/mm.h>
#include <linux/ksm.h>
+#include <linux/memfd.h>
#include <linux/uaccess.h>
#include <asm/cacheflush.h>
@@ -368,6 +369,7 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
if (file) {
struct inode *inode = file_inode(file);
+ unsigned int seals = memfd_file_seals(file);
unsigned long flags_mask;
if (!file_mmap_ok(file, inode, pgoff, len))
@@ -408,6 +410,8 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
vm_flags |= VM_SHARED | VM_MAYSHARE;
if (!(file->f_mode & FMODE_WRITE))
vm_flags &= ~(VM_MAYWRITE | VM_SHARED);
+ else if (is_readonly_sealed(seals, vm_flags))
+ vm_flags &= ~VM_MAYWRITE;
fallthrough;
case MAP_PRIVATE:
if (!(file->f_mode & FMODE_READ))
3 months, 3 weeks
- 1
- 0
FAILED: patch "[PATCH] mm: reinstate ability to map write-sealed memfd mappings" failed to apply to 5.15-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 5.15-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y
git checkout FETCH_HEAD
git cherry-pick -x 8ec396d05d1b737c87311fb7311f753b02c2a6b1
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010655-pliable-affection-87eb@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 8ec396d05d1b737c87311fb7311f753b02c2a6b1 Mon Sep 17 00:00:00 2001
From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com>
Date: Thu, 28 Nov 2024 15:06:17 +0000
Subject: [PATCH] mm: reinstate ability to map write-sealed memfd mappings
read-only
Patch series "mm: reinstate ability to map write-sealed memfd mappings
read-only".
In commit 158978945f31 ("mm: perform the mapping_map_writable() check
after call_mmap()") (and preceding changes in the same series) it became
possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only.
Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path
behaviour") unintentionally undid this logic by moving the
mapping_map_writable() check before the shmem_mmap() hook is invoked,
thereby regressing this change.
This series reworks how we both permit write-sealed mappings being mapped
read-only and disallow mprotect() from undoing the write-seal, fixing this
regression.
We also add a regression test to ensure that we do not accidentally
regress this in future.
Thanks to Julian Orth for reporting this regression.
This patch (of 2):
In commit 158978945f31 ("mm: perform the mapping_map_writable() check
after call_mmap()") (and preceding changes in the same series) it became
possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only.
This was previously unnecessarily disallowed, despite the man page
documentation indicating that it would be, thereby limiting the usefulness
of F_SEAL_WRITE logic.
We fixed this by adapting logic that existed for the F_SEAL_FUTURE_WRITE
seal (one which disallows future writes to the memfd) to also be used for
F_SEAL_WRITE.
For background - the F_SEAL_FUTURE_WRITE seal clears VM_MAYWRITE for a
read-only mapping to disallow mprotect() from overriding the seal - an
operation performed by seal_check_write(), invoked from shmem_mmap(), the
f_op->mmap() hook used by shmem mappings.
By extending this to F_SEAL_WRITE and critically - checking
mapping_map_writable() to determine if we may map the memfd AFTER we
invoke shmem_mmap() - the desired logic becomes possible. This is because
mapping_map_writable() explicitly checks for VM_MAYWRITE, which we will
have cleared.
Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path
behaviour") unintentionally undid this logic by moving the
mapping_map_writable() check before the shmem_mmap() hook is invoked,
thereby regressing this change.
We reinstate this functionality by moving the check out of shmem_mmap()
and instead performing it in do_mmap() at the point at which VMA flags are
being determined, which seems in any case to be a more appropriate place
in which to make this determination.
In order to achieve this we rework memfd seal logic to allow us access to
this information using existing logic and eliminate the clearing of
VM_MAYWRITE from seal_check_write() which we are performing in do_mmap()
instead.
Link: https://lkml.kernel.org/r/99fc35d2c62bd2e05571cf60d9f8b843c56069e0.17328047…
Fixes: 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour")
Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com>
Reported-by: Julian Orth <ju.orth(a)gmail.com>
Closes: https://lore.kernel.org/all/CAHijbEUMhvJTN9Xw1GmbM266FXXv=U7s4L_Jem5x3AaPZx…
Cc: Jann Horn <jannh(a)google.com>
Cc: Liam R. Howlett <Liam.Howlett(a)Oracle.com>
Cc: Linus Torvalds <torvalds(a)linux-foundation.org>
Cc: Shuah Khan <shuah(a)kernel.org>
Cc: Vlastimil Babka <vbabka(a)suse.cz>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
diff --git a/include/linux/memfd.h b/include/linux/memfd.h
index 3f2cf339ceaf..d437e3070850 100644
--- a/include/linux/memfd.h
+++ b/include/linux/memfd.h
@@ -7,6 +7,7 @@
#ifdef CONFIG_MEMFD_CREATE
extern long memfd_fcntl(struct file *file, unsigned int cmd, unsigned int arg);
struct folio *memfd_alloc_folio(struct file *memfd, pgoff_t idx);
+unsigned int *memfd_file_seals_ptr(struct file *file);
#else
static inline long memfd_fcntl(struct file *f, unsigned int c, unsigned int a)
{
@@ -16,6 +17,19 @@ static inline struct folio *memfd_alloc_folio(struct file *memfd, pgoff_t idx)
{
return ERR_PTR(-EINVAL);
}
+
+static inline unsigned int *memfd_file_seals_ptr(struct file *file)
+{
+ return NULL;
+}
#endif
+/* Retrieve memfd seals associated with the file, if any. */
+static inline unsigned int memfd_file_seals(struct file *file)
+{
+ unsigned int *sealsp = memfd_file_seals_ptr(file);
+
+ return sealsp ? *sealsp : 0;
+}
+
#endif /* __LINUX_MEMFD_H */
diff --git a/include/linux/mm.h b/include/linux/mm.h
index 338a76ce9083..fb397918c43d 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -4101,6 +4101,37 @@ void mem_dump_obj(void *object);
static inline void mem_dump_obj(void *object) {}
#endif
+static inline bool is_write_sealed(int seals)
+{
+ return seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE);
+}
+
+/**
+ * is_readonly_sealed - Checks whether write-sealed but mapped read-only,
+ * in which case writes should be disallowing moving
+ * forwards.
+ * @seals: the seals to check
+ * @vm_flags: the VMA flags to check
+ *
+ * Returns whether readonly sealed, in which case writess should be disallowed
+ * going forward.
+ */
+static inline bool is_readonly_sealed(int seals, vm_flags_t vm_flags)
+{
+ /*
+ * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as
+ * MAP_SHARED and read-only, take care to not allow mprotect to
+ * revert protections on such mappings. Do this only for shared
+ * mappings. For private mappings, don't need to mask
+ * VM_MAYWRITE as we still want them to be COW-writable.
+ */
+ if (is_write_sealed(seals) &&
+ ((vm_flags & (VM_SHARED | VM_WRITE)) == VM_SHARED))
+ return true;
+
+ return false;
+}
+
/**
* seal_check_write - Check for F_SEAL_WRITE or F_SEAL_FUTURE_WRITE flags and
* handle them.
@@ -4112,24 +4143,15 @@ static inline void mem_dump_obj(void *object) {}
*/
static inline int seal_check_write(int seals, struct vm_area_struct *vma)
{
- if (seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
- /*
- * New PROT_WRITE and MAP_SHARED mmaps are not allowed when
- * write seals are active.
- */
- if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE))
- return -EPERM;
+ if (!is_write_sealed(seals))
+ return 0;
- /*
- * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as
- * MAP_SHARED and read-only, take care to not allow mprotect to
- * revert protections on such mappings. Do this only for shared
- * mappings. For private mappings, don't need to mask
- * VM_MAYWRITE as we still want them to be COW-writable.
- */
- if (vma->vm_flags & VM_SHARED)
- vm_flags_clear(vma, VM_MAYWRITE);
- }
+ /*
+ * New PROT_WRITE and MAP_SHARED mmaps are not allowed when
+ * write seals are active.
+ */
+ if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE))
+ return -EPERM;
return 0;
}
diff --git a/mm/memfd.c b/mm/memfd.c
index c17c3ea701a1..35a370d75c9a 100644
--- a/mm/memfd.c
+++ b/mm/memfd.c
@@ -170,7 +170,7 @@ static int memfd_wait_for_pins(struct address_space *mapping)
return error;
}
-static unsigned int *memfd_file_seals_ptr(struct file *file)
+unsigned int *memfd_file_seals_ptr(struct file *file)
{
if (shmem_file(file))
return &SHMEM_I(file_inode(file))->seals;
diff --git a/mm/mmap.c b/mm/mmap.c
index d32b7e701058..16f8e8be01f8 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -47,6 +47,7 @@
#include <linux/oom.h>
#include <linux/sched/mm.h>
#include <linux/ksm.h>
+#include <linux/memfd.h>
#include <linux/uaccess.h>
#include <asm/cacheflush.h>
@@ -368,6 +369,7 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
if (file) {
struct inode *inode = file_inode(file);
+ unsigned int seals = memfd_file_seals(file);
unsigned long flags_mask;
if (!file_mmap_ok(file, inode, pgoff, len))
@@ -408,6 +410,8 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
vm_flags |= VM_SHARED | VM_MAYSHARE;
if (!(file->f_mode & FMODE_WRITE))
vm_flags &= ~(VM_MAYWRITE | VM_SHARED);
+ else if (is_readonly_sealed(seals, vm_flags))
+ vm_flags &= ~VM_MAYWRITE;
fallthrough;
case MAP_PRIVATE:
if (!(file->f_mode & FMODE_READ))
3 months, 3 weeks
- 1
- 0
FAILED: patch "[PATCH] mm: reinstate ability to map write-sealed memfd mappings" failed to apply to 6.1-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 6.1-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
git checkout FETCH_HEAD
git cherry-pick -x 8ec396d05d1b737c87311fb7311f753b02c2a6b1
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010654-streak-cornfield-7b88@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 8ec396d05d1b737c87311fb7311f753b02c2a6b1 Mon Sep 17 00:00:00 2001
From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com>
Date: Thu, 28 Nov 2024 15:06:17 +0000
Subject: [PATCH] mm: reinstate ability to map write-sealed memfd mappings
read-only
Patch series "mm: reinstate ability to map write-sealed memfd mappings
read-only".
In commit 158978945f31 ("mm: perform the mapping_map_writable() check
after call_mmap()") (and preceding changes in the same series) it became
possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only.
Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path
behaviour") unintentionally undid this logic by moving the
mapping_map_writable() check before the shmem_mmap() hook is invoked,
thereby regressing this change.
This series reworks how we both permit write-sealed mappings being mapped
read-only and disallow mprotect() from undoing the write-seal, fixing this
regression.
We also add a regression test to ensure that we do not accidentally
regress this in future.
Thanks to Julian Orth for reporting this regression.
This patch (of 2):
In commit 158978945f31 ("mm: perform the mapping_map_writable() check
after call_mmap()") (and preceding changes in the same series) it became
possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only.
This was previously unnecessarily disallowed, despite the man page
documentation indicating that it would be, thereby limiting the usefulness
of F_SEAL_WRITE logic.
We fixed this by adapting logic that existed for the F_SEAL_FUTURE_WRITE
seal (one which disallows future writes to the memfd) to also be used for
F_SEAL_WRITE.
For background - the F_SEAL_FUTURE_WRITE seal clears VM_MAYWRITE for a
read-only mapping to disallow mprotect() from overriding the seal - an
operation performed by seal_check_write(), invoked from shmem_mmap(), the
f_op->mmap() hook used by shmem mappings.
By extending this to F_SEAL_WRITE and critically - checking
mapping_map_writable() to determine if we may map the memfd AFTER we
invoke shmem_mmap() - the desired logic becomes possible. This is because
mapping_map_writable() explicitly checks for VM_MAYWRITE, which we will
have cleared.
Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path
behaviour") unintentionally undid this logic by moving the
mapping_map_writable() check before the shmem_mmap() hook is invoked,
thereby regressing this change.
We reinstate this functionality by moving the check out of shmem_mmap()
and instead performing it in do_mmap() at the point at which VMA flags are
being determined, which seems in any case to be a more appropriate place
in which to make this determination.
In order to achieve this we rework memfd seal logic to allow us access to
this information using existing logic and eliminate the clearing of
VM_MAYWRITE from seal_check_write() which we are performing in do_mmap()
instead.
Link: https://lkml.kernel.org/r/99fc35d2c62bd2e05571cf60d9f8b843c56069e0.17328047…
Fixes: 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour")
Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com>
Reported-by: Julian Orth <ju.orth(a)gmail.com>
Closes: https://lore.kernel.org/all/CAHijbEUMhvJTN9Xw1GmbM266FXXv=U7s4L_Jem5x3AaPZx…
Cc: Jann Horn <jannh(a)google.com>
Cc: Liam R. Howlett <Liam.Howlett(a)Oracle.com>
Cc: Linus Torvalds <torvalds(a)linux-foundation.org>
Cc: Shuah Khan <shuah(a)kernel.org>
Cc: Vlastimil Babka <vbabka(a)suse.cz>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
diff --git a/include/linux/memfd.h b/include/linux/memfd.h
index 3f2cf339ceaf..d437e3070850 100644
--- a/include/linux/memfd.h
+++ b/include/linux/memfd.h
@@ -7,6 +7,7 @@
#ifdef CONFIG_MEMFD_CREATE
extern long memfd_fcntl(struct file *file, unsigned int cmd, unsigned int arg);
struct folio *memfd_alloc_folio(struct file *memfd, pgoff_t idx);
+unsigned int *memfd_file_seals_ptr(struct file *file);
#else
static inline long memfd_fcntl(struct file *f, unsigned int c, unsigned int a)
{
@@ -16,6 +17,19 @@ static inline struct folio *memfd_alloc_folio(struct file *memfd, pgoff_t idx)
{
return ERR_PTR(-EINVAL);
}
+
+static inline unsigned int *memfd_file_seals_ptr(struct file *file)
+{
+ return NULL;
+}
#endif
+/* Retrieve memfd seals associated with the file, if any. */
+static inline unsigned int memfd_file_seals(struct file *file)
+{
+ unsigned int *sealsp = memfd_file_seals_ptr(file);
+
+ return sealsp ? *sealsp : 0;
+}
+
#endif /* __LINUX_MEMFD_H */
diff --git a/include/linux/mm.h b/include/linux/mm.h
index 338a76ce9083..fb397918c43d 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -4101,6 +4101,37 @@ void mem_dump_obj(void *object);
static inline void mem_dump_obj(void *object) {}
#endif
+static inline bool is_write_sealed(int seals)
+{
+ return seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE);
+}
+
+/**
+ * is_readonly_sealed - Checks whether write-sealed but mapped read-only,
+ * in which case writes should be disallowing moving
+ * forwards.
+ * @seals: the seals to check
+ * @vm_flags: the VMA flags to check
+ *
+ * Returns whether readonly sealed, in which case writess should be disallowed
+ * going forward.
+ */
+static inline bool is_readonly_sealed(int seals, vm_flags_t vm_flags)
+{
+ /*
+ * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as
+ * MAP_SHARED and read-only, take care to not allow mprotect to
+ * revert protections on such mappings. Do this only for shared
+ * mappings. For private mappings, don't need to mask
+ * VM_MAYWRITE as we still want them to be COW-writable.
+ */
+ if (is_write_sealed(seals) &&
+ ((vm_flags & (VM_SHARED | VM_WRITE)) == VM_SHARED))
+ return true;
+
+ return false;
+}
+
/**
* seal_check_write - Check for F_SEAL_WRITE or F_SEAL_FUTURE_WRITE flags and
* handle them.
@@ -4112,24 +4143,15 @@ static inline void mem_dump_obj(void *object) {}
*/
static inline int seal_check_write(int seals, struct vm_area_struct *vma)
{
- if (seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
- /*
- * New PROT_WRITE and MAP_SHARED mmaps are not allowed when
- * write seals are active.
- */
- if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE))
- return -EPERM;
+ if (!is_write_sealed(seals))
+ return 0;
- /*
- * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as
- * MAP_SHARED and read-only, take care to not allow mprotect to
- * revert protections on such mappings. Do this only for shared
- * mappings. For private mappings, don't need to mask
- * VM_MAYWRITE as we still want them to be COW-writable.
- */
- if (vma->vm_flags & VM_SHARED)
- vm_flags_clear(vma, VM_MAYWRITE);
- }
+ /*
+ * New PROT_WRITE and MAP_SHARED mmaps are not allowed when
+ * write seals are active.
+ */
+ if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE))
+ return -EPERM;
return 0;
}
diff --git a/mm/memfd.c b/mm/memfd.c
index c17c3ea701a1..35a370d75c9a 100644
--- a/mm/memfd.c
+++ b/mm/memfd.c
@@ -170,7 +170,7 @@ static int memfd_wait_for_pins(struct address_space *mapping)
return error;
}
-static unsigned int *memfd_file_seals_ptr(struct file *file)
+unsigned int *memfd_file_seals_ptr(struct file *file)
{
if (shmem_file(file))
return &SHMEM_I(file_inode(file))->seals;
diff --git a/mm/mmap.c b/mm/mmap.c
index d32b7e701058..16f8e8be01f8 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -47,6 +47,7 @@
#include <linux/oom.h>
#include <linux/sched/mm.h>
#include <linux/ksm.h>
+#include <linux/memfd.h>
#include <linux/uaccess.h>
#include <asm/cacheflush.h>
@@ -368,6 +369,7 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
if (file) {
struct inode *inode = file_inode(file);
+ unsigned int seals = memfd_file_seals(file);
unsigned long flags_mask;
if (!file_mmap_ok(file, inode, pgoff, len))
@@ -408,6 +410,8 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
vm_flags |= VM_SHARED | VM_MAYSHARE;
if (!(file->f_mode & FMODE_WRITE))
vm_flags &= ~(VM_MAYWRITE | VM_SHARED);
+ else if (is_readonly_sealed(seals, vm_flags))
+ vm_flags &= ~VM_MAYWRITE;
fallthrough;
case MAP_PRIVATE:
if (!(file->f_mode & FMODE_READ))
3 months, 3 weeks
- 1
- 0
FAILED: patch "[PATCH] mm: zswap: fix race between [de]compression and CPU hotunplug" failed to apply to 5.15-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 5.15-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y
git checkout FETCH_HEAD
git cherry-pick -x eaebeb93922ca6ab0dd92027b73d0112701706ef
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010631-rice-vocalize-bfc1@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From eaebeb93922ca6ab0dd92027b73d0112701706ef Mon Sep 17 00:00:00 2001
From: Yosry Ahmed <yosryahmed(a)google.com>
Date: Thu, 19 Dec 2024 21:24:37 +0000
Subject: [PATCH] mm: zswap: fix race between [de]compression and CPU hotunplug
In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the
current CPU at the beginning of the operation is retrieved and used
throughout. However, since neither preemption nor migration are disabled,
it is possible that the operation continues on a different CPU.
If the original CPU is hotunplugged while the acomp_ctx is still in use,
we run into a UAF bug as the resources attached to the acomp_ctx are freed
during hotunplug in zswap_cpu_comp_dead().
The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use
crypto_acomp API for hardware acceleration") when the switch to the
crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was
retrieved using get_cpu_ptr() which disables preemption and makes sure the
CPU cannot go away from under us. Preemption cannot be disabled with the
crypto_acomp API as a sleepable context is needed.
Commit 8ba2f844f050 ("mm/zswap: change per-cpu mutex and buffer to
per-acomp_ctx") increased the UAF surface area by making the per-CPU
buffers dynamic, adding yet another resource that can be freed from under
zswap compression/decompression by CPU hotunplug.
There are a few ways to fix this:
(a) Add a refcount for acomp_ctx.
(b) Disable migration while using the per-CPU acomp_ctx.
(c) Disable CPU hotunplug while using the per-CPU acomp_ctx by holding
the CPUs read lock.
Implement (c) since it's simpler than (a), and (b) involves using
migrate_disable() which is apparently undesired (see huge comment in
include/linux/preempt.h).
Link: https://lkml.kernel.org/r/20241219212437.2714151-1-yosryahmed@google.com
Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration")
Signed-off-by: Yosry Ahmed <yosryahmed(a)google.com>
Reported-by: Johannes Weiner <hannes(a)cmpxchg.org>
Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/
Reported-by: Sam Sun <samsun1006219(a)gmail.com>
Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tP…
Reviewed-by: Chengming Zhou <chengming.zhou(a)linux.dev>
Acked-by: Barry Song <baohua(a)kernel.org>
Reviewed-by: Nhat Pham <nphamcs(a)gmail.com>
Cc: Vitaly Wool <vitalywool(a)gmail.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
diff --git a/mm/zswap.c b/mm/zswap.c
index f6316b66fb23..5a27af8d86ea 100644
--- a/mm/zswap.c
+++ b/mm/zswap.c
@@ -880,6 +880,18 @@ static int zswap_cpu_comp_dead(unsigned int cpu, struct hlist_node *node)
return 0;
}
+/* Prevent CPU hotplug from freeing up the per-CPU acomp_ctx resources */
+static struct crypto_acomp_ctx *acomp_ctx_get_cpu(struct crypto_acomp_ctx __percpu *acomp_ctx)
+{
+ cpus_read_lock();
+ return raw_cpu_ptr(acomp_ctx);
+}
+
+static void acomp_ctx_put_cpu(void)
+{
+ cpus_read_unlock();
+}
+
static bool zswap_compress(struct page *page, struct zswap_entry *entry,
struct zswap_pool *pool)
{
@@ -893,8 +905,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry,
gfp_t gfp;
u8 *dst;
- acomp_ctx = raw_cpu_ptr(pool->acomp_ctx);
-
+ acomp_ctx = acomp_ctx_get_cpu(pool->acomp_ctx);
mutex_lock(&acomp_ctx->mutex);
dst = acomp_ctx->buffer;
@@ -950,6 +961,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry,
zswap_reject_alloc_fail++;
mutex_unlock(&acomp_ctx->mutex);
+ acomp_ctx_put_cpu();
return comp_ret == 0 && alloc_ret == 0;
}
@@ -960,7 +972,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio)
struct crypto_acomp_ctx *acomp_ctx;
u8 *src;
- acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx);
+ acomp_ctx = acomp_ctx_get_cpu(entry->pool->acomp_ctx);
mutex_lock(&acomp_ctx->mutex);
src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO);
@@ -990,6 +1002,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio)
if (src != acomp_ctx->buffer)
zpool_unmap_handle(zpool, entry->handle);
+ acomp_ctx_put_cpu();
}
/*********************************
3 months, 3 weeks
- 1
- 0
FAILED: patch "[PATCH] mm: zswap: fix race between [de]compression and CPU hotunplug" failed to apply to 6.1-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 6.1-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
git checkout FETCH_HEAD
git cherry-pick -x eaebeb93922ca6ab0dd92027b73d0112701706ef
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010630-chewable-chewer-e363@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From eaebeb93922ca6ab0dd92027b73d0112701706ef Mon Sep 17 00:00:00 2001
From: Yosry Ahmed <yosryahmed(a)google.com>
Date: Thu, 19 Dec 2024 21:24:37 +0000
Subject: [PATCH] mm: zswap: fix race between [de]compression and CPU hotunplug
In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the
current CPU at the beginning of the operation is retrieved and used
throughout. However, since neither preemption nor migration are disabled,
it is possible that the operation continues on a different CPU.
If the original CPU is hotunplugged while the acomp_ctx is still in use,
we run into a UAF bug as the resources attached to the acomp_ctx are freed
during hotunplug in zswap_cpu_comp_dead().
The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use
crypto_acomp API for hardware acceleration") when the switch to the
crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was
retrieved using get_cpu_ptr() which disables preemption and makes sure the
CPU cannot go away from under us. Preemption cannot be disabled with the
crypto_acomp API as a sleepable context is needed.
Commit 8ba2f844f050 ("mm/zswap: change per-cpu mutex and buffer to
per-acomp_ctx") increased the UAF surface area by making the per-CPU
buffers dynamic, adding yet another resource that can be freed from under
zswap compression/decompression by CPU hotunplug.
There are a few ways to fix this:
(a) Add a refcount for acomp_ctx.
(b) Disable migration while using the per-CPU acomp_ctx.
(c) Disable CPU hotunplug while using the per-CPU acomp_ctx by holding
the CPUs read lock.
Implement (c) since it's simpler than (a), and (b) involves using
migrate_disable() which is apparently undesired (see huge comment in
include/linux/preempt.h).
Link: https://lkml.kernel.org/r/20241219212437.2714151-1-yosryahmed@google.com
Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration")
Signed-off-by: Yosry Ahmed <yosryahmed(a)google.com>
Reported-by: Johannes Weiner <hannes(a)cmpxchg.org>
Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/
Reported-by: Sam Sun <samsun1006219(a)gmail.com>
Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tP…
Reviewed-by: Chengming Zhou <chengming.zhou(a)linux.dev>
Acked-by: Barry Song <baohua(a)kernel.org>
Reviewed-by: Nhat Pham <nphamcs(a)gmail.com>
Cc: Vitaly Wool <vitalywool(a)gmail.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
diff --git a/mm/zswap.c b/mm/zswap.c
index f6316b66fb23..5a27af8d86ea 100644
--- a/mm/zswap.c
+++ b/mm/zswap.c
@@ -880,6 +880,18 @@ static int zswap_cpu_comp_dead(unsigned int cpu, struct hlist_node *node)
return 0;
}
+/* Prevent CPU hotplug from freeing up the per-CPU acomp_ctx resources */
+static struct crypto_acomp_ctx *acomp_ctx_get_cpu(struct crypto_acomp_ctx __percpu *acomp_ctx)
+{
+ cpus_read_lock();
+ return raw_cpu_ptr(acomp_ctx);
+}
+
+static void acomp_ctx_put_cpu(void)
+{
+ cpus_read_unlock();
+}
+
static bool zswap_compress(struct page *page, struct zswap_entry *entry,
struct zswap_pool *pool)
{
@@ -893,8 +905,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry,
gfp_t gfp;
u8 *dst;
- acomp_ctx = raw_cpu_ptr(pool->acomp_ctx);
-
+ acomp_ctx = acomp_ctx_get_cpu(pool->acomp_ctx);
mutex_lock(&acomp_ctx->mutex);
dst = acomp_ctx->buffer;
@@ -950,6 +961,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry,
zswap_reject_alloc_fail++;
mutex_unlock(&acomp_ctx->mutex);
+ acomp_ctx_put_cpu();
return comp_ret == 0 && alloc_ret == 0;
}
@@ -960,7 +972,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio)
struct crypto_acomp_ctx *acomp_ctx;
u8 *src;
- acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx);
+ acomp_ctx = acomp_ctx_get_cpu(entry->pool->acomp_ctx);
mutex_lock(&acomp_ctx->mutex);
src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO);
@@ -990,6 +1002,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio)
if (src != acomp_ctx->buffer)
zpool_unmap_handle(zpool, entry->handle);
+ acomp_ctx_put_cpu();
}
/*********************************
3 months, 3 weeks
- 1
- 0
FAILED: patch "[PATCH] mm: zswap: fix race between [de]compression and CPU hotunplug" failed to apply to 6.6-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 6.6-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y
git checkout FETCH_HEAD
git cherry-pick -x eaebeb93922ca6ab0dd92027b73d0112701706ef
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010629-undusted-massager-f7d9@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From eaebeb93922ca6ab0dd92027b73d0112701706ef Mon Sep 17 00:00:00 2001
From: Yosry Ahmed <yosryahmed(a)google.com>
Date: Thu, 19 Dec 2024 21:24:37 +0000
Subject: [PATCH] mm: zswap: fix race between [de]compression and CPU hotunplug
In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the
current CPU at the beginning of the operation is retrieved and used
throughout. However, since neither preemption nor migration are disabled,
it is possible that the operation continues on a different CPU.
If the original CPU is hotunplugged while the acomp_ctx is still in use,
we run into a UAF bug as the resources attached to the acomp_ctx are freed
during hotunplug in zswap_cpu_comp_dead().
The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use
crypto_acomp API for hardware acceleration") when the switch to the
crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was
retrieved using get_cpu_ptr() which disables preemption and makes sure the
CPU cannot go away from under us. Preemption cannot be disabled with the
crypto_acomp API as a sleepable context is needed.
Commit 8ba2f844f050 ("mm/zswap: change per-cpu mutex and buffer to
per-acomp_ctx") increased the UAF surface area by making the per-CPU
buffers dynamic, adding yet another resource that can be freed from under
zswap compression/decompression by CPU hotunplug.
There are a few ways to fix this:
(a) Add a refcount for acomp_ctx.
(b) Disable migration while using the per-CPU acomp_ctx.
(c) Disable CPU hotunplug while using the per-CPU acomp_ctx by holding
the CPUs read lock.
Implement (c) since it's simpler than (a), and (b) involves using
migrate_disable() which is apparently undesired (see huge comment in
include/linux/preempt.h).
Link: https://lkml.kernel.org/r/20241219212437.2714151-1-yosryahmed@google.com
Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration")
Signed-off-by: Yosry Ahmed <yosryahmed(a)google.com>
Reported-by: Johannes Weiner <hannes(a)cmpxchg.org>
Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/
Reported-by: Sam Sun <samsun1006219(a)gmail.com>
Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tP…
Reviewed-by: Chengming Zhou <chengming.zhou(a)linux.dev>
Acked-by: Barry Song <baohua(a)kernel.org>
Reviewed-by: Nhat Pham <nphamcs(a)gmail.com>
Cc: Vitaly Wool <vitalywool(a)gmail.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
diff --git a/mm/zswap.c b/mm/zswap.c
index f6316b66fb23..5a27af8d86ea 100644
--- a/mm/zswap.c
+++ b/mm/zswap.c
@@ -880,6 +880,18 @@ static int zswap_cpu_comp_dead(unsigned int cpu, struct hlist_node *node)
return 0;
}
+/* Prevent CPU hotplug from freeing up the per-CPU acomp_ctx resources */
+static struct crypto_acomp_ctx *acomp_ctx_get_cpu(struct crypto_acomp_ctx __percpu *acomp_ctx)
+{
+ cpus_read_lock();
+ return raw_cpu_ptr(acomp_ctx);
+}
+
+static void acomp_ctx_put_cpu(void)
+{
+ cpus_read_unlock();
+}
+
static bool zswap_compress(struct page *page, struct zswap_entry *entry,
struct zswap_pool *pool)
{
@@ -893,8 +905,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry,
gfp_t gfp;
u8 *dst;
- acomp_ctx = raw_cpu_ptr(pool->acomp_ctx);
-
+ acomp_ctx = acomp_ctx_get_cpu(pool->acomp_ctx);
mutex_lock(&acomp_ctx->mutex);
dst = acomp_ctx->buffer;
@@ -950,6 +961,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry,
zswap_reject_alloc_fail++;
mutex_unlock(&acomp_ctx->mutex);
+ acomp_ctx_put_cpu();
return comp_ret == 0 && alloc_ret == 0;
}
@@ -960,7 +972,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio)
struct crypto_acomp_ctx *acomp_ctx;
u8 *src;
- acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx);
+ acomp_ctx = acomp_ctx_get_cpu(entry->pool->acomp_ctx);
mutex_lock(&acomp_ctx->mutex);
src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO);
@@ -990,6 +1002,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio)
if (src != acomp_ctx->buffer)
zpool_unmap_handle(zpool, entry->handle);
+ acomp_ctx_put_cpu();
}
/*********************************
3 months, 3 weeks
- 1
- 0
FAILED: patch "[PATCH] gve: clean XDP queues in gve_tx_stop_ring_gqi" failed to apply to 6.6-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 6.6-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y
git checkout FETCH_HEAD
git cherry-pick -x 6321f5fb70d502d95de8a212a7b484c297ec9644
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010642-annually-shirt-b4e1@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 6321f5fb70d502d95de8a212a7b484c297ec9644 Mon Sep 17 00:00:00 2001
From: Joshua Washington <joshwash(a)google.com>
Date: Wed, 18 Dec 2024 05:34:11 -0800
Subject: [PATCH] gve: clean XDP queues in gve_tx_stop_ring_gqi
When stopping XDP TX rings, the XDP clean function needs to be called to
clean out the entire queue, similar to what happens in the normal TX
queue case. Otherwise, the FIFO won't be cleared correctly, and
xsk_tx_completed won't be reported.
Fixes: 75eaae158b1b ("gve: Add XDP DROP and TX support for GQI-QPL format")
Cc: stable(a)vger.kernel.org
Signed-off-by: Joshua Washington <joshwash(a)google.com>
Signed-off-by: Praveen Kaligineedi <pkaligineedi(a)google.com>
Reviewed-by: Praveen Kaligineedi <pkaligineedi(a)google.com>
Reviewed-by: Willem de Bruijn <willemb(a)google.com>
Signed-off-by: David S. Miller <davem(a)davemloft.net>
diff --git a/drivers/net/ethernet/google/gve/gve_tx.c b/drivers/net/ethernet/google/gve/gve_tx.c
index e7fb7d6d283d..83ad278ec91f 100644
--- a/drivers/net/ethernet/google/gve/gve_tx.c
+++ b/drivers/net/ethernet/google/gve/gve_tx.c
@@ -206,7 +206,10 @@ void gve_tx_stop_ring_gqi(struct gve_priv *priv, int idx)
return;
gve_remove_napi(priv, ntfy_idx);
- gve_clean_tx_done(priv, tx, priv->tx_desc_cnt, false);
+ if (tx->q_num < priv->tx_cfg.num_queues)
+ gve_clean_tx_done(priv, tx, priv->tx_desc_cnt, false);
+ else
+ gve_clean_xdp_done(priv, tx, priv->tx_desc_cnt);
netdev_tx_reset_queue(tx->netdev_txq);
gve_tx_remove_from_block(priv, idx);
}
3 months, 3 weeks
- 1
- 0
FAILED: patch "[PATCH] drm: adv7511: Fix use-after-free in adv7533_attach_dsi()" failed to apply to 5.4-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 5.4-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y
git checkout FETCH_HEAD
git cherry-pick -x 81adbd3ff21c1182e06aa02c6be0bfd9ea02d8e8
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010606-prude-geiger-28e3@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 81adbd3ff21c1182e06aa02c6be0bfd9ea02d8e8 Mon Sep 17 00:00:00 2001
From: Biju Das <biju.das.jz(a)bp.renesas.com>
Date: Tue, 19 Nov 2024 19:20:29 +0000
Subject: [PATCH] drm: adv7511: Fix use-after-free in adv7533_attach_dsi()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The host_node pointer was assigned and freed in adv7533_parse_dt(), and
later, adv7533_attach_dsi() uses the same. Fix this use-after-free issue
by dropping of_node_put() in adv7533_parse_dt() and calling of_node_put()
in error path of probe() and also in the remove().
Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device")
Cc: stable(a)vger.kernel.org
Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com>
Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20241119192040.152657-2-biju.…
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org>
diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
index eb5919b38263..a13b3d8ab6ac 100644
--- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
+++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
@@ -1241,8 +1241,10 @@ static int adv7511_probe(struct i2c_client *i2c)
return ret;
ret = adv7511_init_regulators(adv7511);
- if (ret)
- return dev_err_probe(dev, ret, "failed to init regulators\n");
+ if (ret) {
+ dev_err_probe(dev, ret, "failed to init regulators\n");
+ goto err_of_node_put;
+ }
/*
* The power down GPIO is optional. If present, toggle it from active to
@@ -1363,6 +1365,8 @@ static int adv7511_probe(struct i2c_client *i2c)
i2c_unregister_device(adv7511->i2c_edid);
uninit_regulators:
adv7511_uninit_regulators(adv7511);
+err_of_node_put:
+ of_node_put(adv7511->host_node);
return ret;
}
@@ -1371,6 +1375,8 @@ static void adv7511_remove(struct i2c_client *i2c)
{
struct adv7511 *adv7511 = i2c_get_clientdata(i2c);
+ of_node_put(adv7511->host_node);
+
adv7511_uninit_regulators(adv7511);
drm_bridge_remove(&adv7511->bridge);
diff --git a/drivers/gpu/drm/bridge/adv7511/adv7533.c b/drivers/gpu/drm/bridge/adv7511/adv7533.c
index 4481489aaf5e..5f195e91b3e6 100644
--- a/drivers/gpu/drm/bridge/adv7511/adv7533.c
+++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c
@@ -181,8 +181,6 @@ int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv)
if (!adv->host_node)
return -ENODEV;
- of_node_put(adv->host_node);
-
adv->use_timing_gen = !of_property_read_bool(np,
"adi,disable-timing-generator");
3 months, 3 weeks
- 1
- 0
FAILED: patch "[PATCH] drm: adv7511: Fix use-after-free in adv7533_attach_dsi()" failed to apply to 5.10-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 5.10-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y
git checkout FETCH_HEAD
git cherry-pick -x 81adbd3ff21c1182e06aa02c6be0bfd9ea02d8e8
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010606-rifling-dreamily-f58e@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 81adbd3ff21c1182e06aa02c6be0bfd9ea02d8e8 Mon Sep 17 00:00:00 2001
From: Biju Das <biju.das.jz(a)bp.renesas.com>
Date: Tue, 19 Nov 2024 19:20:29 +0000
Subject: [PATCH] drm: adv7511: Fix use-after-free in adv7533_attach_dsi()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The host_node pointer was assigned and freed in adv7533_parse_dt(), and
later, adv7533_attach_dsi() uses the same. Fix this use-after-free issue
by dropping of_node_put() in adv7533_parse_dt() and calling of_node_put()
in error path of probe() and also in the remove().
Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device")
Cc: stable(a)vger.kernel.org
Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com>
Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20241119192040.152657-2-biju.…
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org>
diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
index eb5919b38263..a13b3d8ab6ac 100644
--- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
+++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
@@ -1241,8 +1241,10 @@ static int adv7511_probe(struct i2c_client *i2c)
return ret;
ret = adv7511_init_regulators(adv7511);
- if (ret)
- return dev_err_probe(dev, ret, "failed to init regulators\n");
+ if (ret) {
+ dev_err_probe(dev, ret, "failed to init regulators\n");
+ goto err_of_node_put;
+ }
/*
* The power down GPIO is optional. If present, toggle it from active to
@@ -1363,6 +1365,8 @@ static int adv7511_probe(struct i2c_client *i2c)
i2c_unregister_device(adv7511->i2c_edid);
uninit_regulators:
adv7511_uninit_regulators(adv7511);
+err_of_node_put:
+ of_node_put(adv7511->host_node);
return ret;
}
@@ -1371,6 +1375,8 @@ static void adv7511_remove(struct i2c_client *i2c)
{
struct adv7511 *adv7511 = i2c_get_clientdata(i2c);
+ of_node_put(adv7511->host_node);
+
adv7511_uninit_regulators(adv7511);
drm_bridge_remove(&adv7511->bridge);
diff --git a/drivers/gpu/drm/bridge/adv7511/adv7533.c b/drivers/gpu/drm/bridge/adv7511/adv7533.c
index 4481489aaf5e..5f195e91b3e6 100644
--- a/drivers/gpu/drm/bridge/adv7511/adv7533.c
+++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c
@@ -181,8 +181,6 @@ int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv)
if (!adv->host_node)
return -ENODEV;
- of_node_put(adv->host_node);
-
adv->use_timing_gen = !of_property_read_bool(np,
"adi,disable-timing-generator");
3 months, 3 weeks
- 1
- 0
FAILED: patch "[PATCH] drm: adv7511: Fix use-after-free in adv7533_attach_dsi()" failed to apply to 5.15-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 5.15-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y
git checkout FETCH_HEAD
git cherry-pick -x 81adbd3ff21c1182e06aa02c6be0bfd9ea02d8e8
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010605-quit-rockfish-a0e8@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 81adbd3ff21c1182e06aa02c6be0bfd9ea02d8e8 Mon Sep 17 00:00:00 2001
From: Biju Das <biju.das.jz(a)bp.renesas.com>
Date: Tue, 19 Nov 2024 19:20:29 +0000
Subject: [PATCH] drm: adv7511: Fix use-after-free in adv7533_attach_dsi()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The host_node pointer was assigned and freed in adv7533_parse_dt(), and
later, adv7533_attach_dsi() uses the same. Fix this use-after-free issue
by dropping of_node_put() in adv7533_parse_dt() and calling of_node_put()
in error path of probe() and also in the remove().
Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device")
Cc: stable(a)vger.kernel.org
Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com>
Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20241119192040.152657-2-biju.…
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org>
diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
index eb5919b38263..a13b3d8ab6ac 100644
--- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
+++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
@@ -1241,8 +1241,10 @@ static int adv7511_probe(struct i2c_client *i2c)
return ret;
ret = adv7511_init_regulators(adv7511);
- if (ret)
- return dev_err_probe(dev, ret, "failed to init regulators\n");
+ if (ret) {
+ dev_err_probe(dev, ret, "failed to init regulators\n");
+ goto err_of_node_put;
+ }
/*
* The power down GPIO is optional. If present, toggle it from active to
@@ -1363,6 +1365,8 @@ static int adv7511_probe(struct i2c_client *i2c)
i2c_unregister_device(adv7511->i2c_edid);
uninit_regulators:
adv7511_uninit_regulators(adv7511);
+err_of_node_put:
+ of_node_put(adv7511->host_node);
return ret;
}
@@ -1371,6 +1375,8 @@ static void adv7511_remove(struct i2c_client *i2c)
{
struct adv7511 *adv7511 = i2c_get_clientdata(i2c);
+ of_node_put(adv7511->host_node);
+
adv7511_uninit_regulators(adv7511);
drm_bridge_remove(&adv7511->bridge);
diff --git a/drivers/gpu/drm/bridge/adv7511/adv7533.c b/drivers/gpu/drm/bridge/adv7511/adv7533.c
index 4481489aaf5e..5f195e91b3e6 100644
--- a/drivers/gpu/drm/bridge/adv7511/adv7533.c
+++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c
@@ -181,8 +181,6 @@ int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv)
if (!adv->host_node)
return -ENODEV;
- of_node_put(adv->host_node);
-
adv->use_timing_gen = !of_property_read_bool(np,
"adi,disable-timing-generator");
3 months, 3 weeks
- 1
- 0
FAILED: patch "[PATCH] drm: adv7511: Fix use-after-free in adv7533_attach_dsi()" failed to apply to 6.1-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 6.1-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
git checkout FETCH_HEAD
git cherry-pick -x 81adbd3ff21c1182e06aa02c6be0bfd9ea02d8e8
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010604-resilient-unpaired-7bb7@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 81adbd3ff21c1182e06aa02c6be0bfd9ea02d8e8 Mon Sep 17 00:00:00 2001
From: Biju Das <biju.das.jz(a)bp.renesas.com>
Date: Tue, 19 Nov 2024 19:20:29 +0000
Subject: [PATCH] drm: adv7511: Fix use-after-free in adv7533_attach_dsi()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The host_node pointer was assigned and freed in adv7533_parse_dt(), and
later, adv7533_attach_dsi() uses the same. Fix this use-after-free issue
by dropping of_node_put() in adv7533_parse_dt() and calling of_node_put()
in error path of probe() and also in the remove().
Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device")
Cc: stable(a)vger.kernel.org
Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com>
Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20241119192040.152657-2-biju.…
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org>
diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
index eb5919b38263..a13b3d8ab6ac 100644
--- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
+++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
@@ -1241,8 +1241,10 @@ static int adv7511_probe(struct i2c_client *i2c)
return ret;
ret = adv7511_init_regulators(adv7511);
- if (ret)
- return dev_err_probe(dev, ret, "failed to init regulators\n");
+ if (ret) {
+ dev_err_probe(dev, ret, "failed to init regulators\n");
+ goto err_of_node_put;
+ }
/*
* The power down GPIO is optional. If present, toggle it from active to
@@ -1363,6 +1365,8 @@ static int adv7511_probe(struct i2c_client *i2c)
i2c_unregister_device(adv7511->i2c_edid);
uninit_regulators:
adv7511_uninit_regulators(adv7511);
+err_of_node_put:
+ of_node_put(adv7511->host_node);
return ret;
}
@@ -1371,6 +1375,8 @@ static void adv7511_remove(struct i2c_client *i2c)
{
struct adv7511 *adv7511 = i2c_get_clientdata(i2c);
+ of_node_put(adv7511->host_node);
+
adv7511_uninit_regulators(adv7511);
drm_bridge_remove(&adv7511->bridge);
diff --git a/drivers/gpu/drm/bridge/adv7511/adv7533.c b/drivers/gpu/drm/bridge/adv7511/adv7533.c
index 4481489aaf5e..5f195e91b3e6 100644
--- a/drivers/gpu/drm/bridge/adv7511/adv7533.c
+++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c
@@ -181,8 +181,6 @@ int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv)
if (!adv->host_node)
return -ENODEV;
- of_node_put(adv->host_node);
-
adv->use_timing_gen = !of_property_read_bool(np,
"adi,disable-timing-generator");
3 months, 3 weeks
- 1
- 0
FAILED: patch "[PATCH] workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work" failed to apply to 5.4-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 5.4-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y
git checkout FETCH_HEAD
git cherry-pick -x de35994ecd2dd6148ab5a6c5050a1670a04dec77
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010656-establish-cleat-3ed7@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From de35994ecd2dd6148ab5a6c5050a1670a04dec77 Mon Sep 17 00:00:00 2001
From: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com>
Date: Thu, 19 Dec 2024 09:30:30 +0000
Subject: [PATCH] workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work
from !WQ_MEM_RECLAIM worker
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
After commit
746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM")
amdgpu started seeing the following warning:
[ ] workqueue: WQ_MEM_RECLAIM sdma0:drm_sched_run_job_work [gpu_sched] is flushing !WQ_MEM_RECLAIM events:amdgpu_device_delay_enable_gfx_off [amdgpu]
...
[ ] Workqueue: sdma0 drm_sched_run_job_work [gpu_sched]
...
[ ] Call Trace:
[ ] <TASK>
...
[ ] ? check_flush_dependency+0xf5/0x110
...
[ ] cancel_delayed_work_sync+0x6e/0x80
[ ] amdgpu_gfx_off_ctrl+0xab/0x140 [amdgpu]
[ ] amdgpu_ring_alloc+0x40/0x50 [amdgpu]
[ ] amdgpu_ib_schedule+0xf4/0x810 [amdgpu]
[ ] ? drm_sched_run_job_work+0x22c/0x430 [gpu_sched]
[ ] amdgpu_job_run+0xaa/0x1f0 [amdgpu]
[ ] drm_sched_run_job_work+0x257/0x430 [gpu_sched]
[ ] process_one_work+0x217/0x720
...
[ ] </TASK>
The intent of the verifcation done in check_flush_depedency is to ensure
forward progress during memory reclaim, by flagging cases when either a
memory reclaim process, or a memory reclaim work item is flushed from a
context not marked as memory reclaim safe.
This is correct when flushing, but when called from the
cancel(_delayed)_work_sync() paths it is a false positive because work is
either already running, or will not be running at all. Therefore
cancelling it is safe and we can relax the warning criteria by letting the
helper know of the calling context.
Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com>
Fixes: fca839c00a12 ("workqueue: warn if memory reclaim tries to flush !WQ_MEM_RECLAIM workqueue")
References: 746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM")
Cc: Tejun Heo <tj(a)kernel.org>
Cc: Peter Zijlstra <peterz(a)infradead.org>
Cc: Lai Jiangshan <jiangshanlai(a)gmail.com>
Cc: Alex Deucher <alexander.deucher(a)amd.com>
Cc: Christian König <christian.koenig(a)amd.com
Cc: Matthew Brost <matthew.brost(a)intel.com>
Cc: <stable(a)vger.kernel.org> # v4.5+
Signed-off-by: Tejun Heo <tj(a)kernel.org>
diff --git a/kernel/workqueue.c b/kernel/workqueue.c
index 8b07576814a5..8336218ec4b8 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -3680,23 +3680,27 @@ void workqueue_softirq_dead(unsigned int cpu)
* check_flush_dependency - check for flush dependency sanity
* @target_wq: workqueue being flushed
* @target_work: work item being flushed (NULL for workqueue flushes)
+ * @from_cancel: are we called from the work cancel path
*
* %current is trying to flush the whole @target_wq or @target_work on it.
- * If @target_wq doesn't have %WQ_MEM_RECLAIM, verify that %current is not
- * reclaiming memory or running on a workqueue which doesn't have
- * %WQ_MEM_RECLAIM as that can break forward-progress guarantee leading to
- * a deadlock.
+ * If this is not the cancel path (which implies work being flushed is either
+ * already running, or will not be at all), check if @target_wq doesn't have
+ * %WQ_MEM_RECLAIM and verify that %current is not reclaiming memory or running
+ * on a workqueue which doesn't have %WQ_MEM_RECLAIM as that can break forward-
+ * progress guarantee leading to a deadlock.
*/
static void check_flush_dependency(struct workqueue_struct *target_wq,
- struct work_struct *target_work)
+ struct work_struct *target_work,
+ bool from_cancel)
{
- work_func_t target_func = target_work ? target_work->func : NULL;
+ work_func_t target_func;
struct worker *worker;
- if (target_wq->flags & WQ_MEM_RECLAIM)
+ if (from_cancel || target_wq->flags & WQ_MEM_RECLAIM)
return;
worker = current_wq_worker();
+ target_func = target_work ? target_work->func : NULL;
WARN_ONCE(current->flags & PF_MEMALLOC,
"workqueue: PF_MEMALLOC task %d(%s) is flushing !WQ_MEM_RECLAIM %s:%ps",
@@ -3980,7 +3984,7 @@ void __flush_workqueue(struct workqueue_struct *wq)
list_add_tail(&this_flusher.list, &wq->flusher_overflow);
}
- check_flush_dependency(wq, NULL);
+ check_flush_dependency(wq, NULL, false);
mutex_unlock(&wq->mutex);
@@ -4155,7 +4159,7 @@ static bool start_flush_work(struct work_struct *work, struct wq_barrier *barr,
}
wq = pwq->wq;
- check_flush_dependency(wq, work);
+ check_flush_dependency(wq, work, from_cancel);
insert_wq_barrier(pwq, barr, work, worker);
raw_spin_unlock_irq(&pool->lock);
3 months, 3 weeks
- 1
- 0
FAILED: patch "[PATCH] workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work" failed to apply to 5.10-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 5.10-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y
git checkout FETCH_HEAD
git cherry-pick -x de35994ecd2dd6148ab5a6c5050a1670a04dec77
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010655-risk-opacity-5ce7@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From de35994ecd2dd6148ab5a6c5050a1670a04dec77 Mon Sep 17 00:00:00 2001
From: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com>
Date: Thu, 19 Dec 2024 09:30:30 +0000
Subject: [PATCH] workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work
from !WQ_MEM_RECLAIM worker
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
After commit
746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM")
amdgpu started seeing the following warning:
[ ] workqueue: WQ_MEM_RECLAIM sdma0:drm_sched_run_job_work [gpu_sched] is flushing !WQ_MEM_RECLAIM events:amdgpu_device_delay_enable_gfx_off [amdgpu]
...
[ ] Workqueue: sdma0 drm_sched_run_job_work [gpu_sched]
...
[ ] Call Trace:
[ ] <TASK>
...
[ ] ? check_flush_dependency+0xf5/0x110
...
[ ] cancel_delayed_work_sync+0x6e/0x80
[ ] amdgpu_gfx_off_ctrl+0xab/0x140 [amdgpu]
[ ] amdgpu_ring_alloc+0x40/0x50 [amdgpu]
[ ] amdgpu_ib_schedule+0xf4/0x810 [amdgpu]
[ ] ? drm_sched_run_job_work+0x22c/0x430 [gpu_sched]
[ ] amdgpu_job_run+0xaa/0x1f0 [amdgpu]
[ ] drm_sched_run_job_work+0x257/0x430 [gpu_sched]
[ ] process_one_work+0x217/0x720
...
[ ] </TASK>
The intent of the verifcation done in check_flush_depedency is to ensure
forward progress during memory reclaim, by flagging cases when either a
memory reclaim process, or a memory reclaim work item is flushed from a
context not marked as memory reclaim safe.
This is correct when flushing, but when called from the
cancel(_delayed)_work_sync() paths it is a false positive because work is
either already running, or will not be running at all. Therefore
cancelling it is safe and we can relax the warning criteria by letting the
helper know of the calling context.
Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com>
Fixes: fca839c00a12 ("workqueue: warn if memory reclaim tries to flush !WQ_MEM_RECLAIM workqueue")
References: 746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM")
Cc: Tejun Heo <tj(a)kernel.org>
Cc: Peter Zijlstra <peterz(a)infradead.org>
Cc: Lai Jiangshan <jiangshanlai(a)gmail.com>
Cc: Alex Deucher <alexander.deucher(a)amd.com>
Cc: Christian König <christian.koenig(a)amd.com
Cc: Matthew Brost <matthew.brost(a)intel.com>
Cc: <stable(a)vger.kernel.org> # v4.5+
Signed-off-by: Tejun Heo <tj(a)kernel.org>
diff --git a/kernel/workqueue.c b/kernel/workqueue.c
index 8b07576814a5..8336218ec4b8 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -3680,23 +3680,27 @@ void workqueue_softirq_dead(unsigned int cpu)
* check_flush_dependency - check for flush dependency sanity
* @target_wq: workqueue being flushed
* @target_work: work item being flushed (NULL for workqueue flushes)
+ * @from_cancel: are we called from the work cancel path
*
* %current is trying to flush the whole @target_wq or @target_work on it.
- * If @target_wq doesn't have %WQ_MEM_RECLAIM, verify that %current is not
- * reclaiming memory or running on a workqueue which doesn't have
- * %WQ_MEM_RECLAIM as that can break forward-progress guarantee leading to
- * a deadlock.
+ * If this is not the cancel path (which implies work being flushed is either
+ * already running, or will not be at all), check if @target_wq doesn't have
+ * %WQ_MEM_RECLAIM and verify that %current is not reclaiming memory or running
+ * on a workqueue which doesn't have %WQ_MEM_RECLAIM as that can break forward-
+ * progress guarantee leading to a deadlock.
*/
static void check_flush_dependency(struct workqueue_struct *target_wq,
- struct work_struct *target_work)
+ struct work_struct *target_work,
+ bool from_cancel)
{
- work_func_t target_func = target_work ? target_work->func : NULL;
+ work_func_t target_func;
struct worker *worker;
- if (target_wq->flags & WQ_MEM_RECLAIM)
+ if (from_cancel || target_wq->flags & WQ_MEM_RECLAIM)
return;
worker = current_wq_worker();
+ target_func = target_work ? target_work->func : NULL;
WARN_ONCE(current->flags & PF_MEMALLOC,
"workqueue: PF_MEMALLOC task %d(%s) is flushing !WQ_MEM_RECLAIM %s:%ps",
@@ -3980,7 +3984,7 @@ void __flush_workqueue(struct workqueue_struct *wq)
list_add_tail(&this_flusher.list, &wq->flusher_overflow);
}
- check_flush_dependency(wq, NULL);
+ check_flush_dependency(wq, NULL, false);
mutex_unlock(&wq->mutex);
@@ -4155,7 +4159,7 @@ static bool start_flush_work(struct work_struct *work, struct wq_barrier *barr,
}
wq = pwq->wq;
- check_flush_dependency(wq, work);
+ check_flush_dependency(wq, work, from_cancel);
insert_wq_barrier(pwq, barr, work, worker);
raw_spin_unlock_irq(&pool->lock);
3 months, 3 weeks
- 1
- 0
FAILED: patch "[PATCH] workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work" failed to apply to 5.15-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 5.15-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y
git checkout FETCH_HEAD
git cherry-pick -x de35994ecd2dd6148ab5a6c5050a1670a04dec77
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010654-pedigree-employer-73ce@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From de35994ecd2dd6148ab5a6c5050a1670a04dec77 Mon Sep 17 00:00:00 2001
From: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com>
Date: Thu, 19 Dec 2024 09:30:30 +0000
Subject: [PATCH] workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work
from !WQ_MEM_RECLAIM worker
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
After commit
746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM")
amdgpu started seeing the following warning:
[ ] workqueue: WQ_MEM_RECLAIM sdma0:drm_sched_run_job_work [gpu_sched] is flushing !WQ_MEM_RECLAIM events:amdgpu_device_delay_enable_gfx_off [amdgpu]
...
[ ] Workqueue: sdma0 drm_sched_run_job_work [gpu_sched]
...
[ ] Call Trace:
[ ] <TASK>
...
[ ] ? check_flush_dependency+0xf5/0x110
...
[ ] cancel_delayed_work_sync+0x6e/0x80
[ ] amdgpu_gfx_off_ctrl+0xab/0x140 [amdgpu]
[ ] amdgpu_ring_alloc+0x40/0x50 [amdgpu]
[ ] amdgpu_ib_schedule+0xf4/0x810 [amdgpu]
[ ] ? drm_sched_run_job_work+0x22c/0x430 [gpu_sched]
[ ] amdgpu_job_run+0xaa/0x1f0 [amdgpu]
[ ] drm_sched_run_job_work+0x257/0x430 [gpu_sched]
[ ] process_one_work+0x217/0x720
...
[ ] </TASK>
The intent of the verifcation done in check_flush_depedency is to ensure
forward progress during memory reclaim, by flagging cases when either a
memory reclaim process, or a memory reclaim work item is flushed from a
context not marked as memory reclaim safe.
This is correct when flushing, but when called from the
cancel(_delayed)_work_sync() paths it is a false positive because work is
either already running, or will not be running at all. Therefore
cancelling it is safe and we can relax the warning criteria by letting the
helper know of the calling context.
Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com>
Fixes: fca839c00a12 ("workqueue: warn if memory reclaim tries to flush !WQ_MEM_RECLAIM workqueue")
References: 746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM")
Cc: Tejun Heo <tj(a)kernel.org>
Cc: Peter Zijlstra <peterz(a)infradead.org>
Cc: Lai Jiangshan <jiangshanlai(a)gmail.com>
Cc: Alex Deucher <alexander.deucher(a)amd.com>
Cc: Christian König <christian.koenig(a)amd.com
Cc: Matthew Brost <matthew.brost(a)intel.com>
Cc: <stable(a)vger.kernel.org> # v4.5+
Signed-off-by: Tejun Heo <tj(a)kernel.org>
diff --git a/kernel/workqueue.c b/kernel/workqueue.c
index 8b07576814a5..8336218ec4b8 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -3680,23 +3680,27 @@ void workqueue_softirq_dead(unsigned int cpu)
* check_flush_dependency - check for flush dependency sanity
* @target_wq: workqueue being flushed
* @target_work: work item being flushed (NULL for workqueue flushes)
+ * @from_cancel: are we called from the work cancel path
*
* %current is trying to flush the whole @target_wq or @target_work on it.
- * If @target_wq doesn't have %WQ_MEM_RECLAIM, verify that %current is not
- * reclaiming memory or running on a workqueue which doesn't have
- * %WQ_MEM_RECLAIM as that can break forward-progress guarantee leading to
- * a deadlock.
+ * If this is not the cancel path (which implies work being flushed is either
+ * already running, or will not be at all), check if @target_wq doesn't have
+ * %WQ_MEM_RECLAIM and verify that %current is not reclaiming memory or running
+ * on a workqueue which doesn't have %WQ_MEM_RECLAIM as that can break forward-
+ * progress guarantee leading to a deadlock.
*/
static void check_flush_dependency(struct workqueue_struct *target_wq,
- struct work_struct *target_work)
+ struct work_struct *target_work,
+ bool from_cancel)
{
- work_func_t target_func = target_work ? target_work->func : NULL;
+ work_func_t target_func;
struct worker *worker;
- if (target_wq->flags & WQ_MEM_RECLAIM)
+ if (from_cancel || target_wq->flags & WQ_MEM_RECLAIM)
return;
worker = current_wq_worker();
+ target_func = target_work ? target_work->func : NULL;
WARN_ONCE(current->flags & PF_MEMALLOC,
"workqueue: PF_MEMALLOC task %d(%s) is flushing !WQ_MEM_RECLAIM %s:%ps",
@@ -3980,7 +3984,7 @@ void __flush_workqueue(struct workqueue_struct *wq)
list_add_tail(&this_flusher.list, &wq->flusher_overflow);
}
- check_flush_dependency(wq, NULL);
+ check_flush_dependency(wq, NULL, false);
mutex_unlock(&wq->mutex);
@@ -4155,7 +4159,7 @@ static bool start_flush_work(struct work_struct *work, struct wq_barrier *barr,
}
wq = pwq->wq;
- check_flush_dependency(wq, work);
+ check_flush_dependency(wq, work, from_cancel);
insert_wq_barrier(pwq, barr, work, worker);
raw_spin_unlock_irq(&pool->lock);
3 months, 3 weeks
- 1
- 0
FAILED: patch "[PATCH] workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work" failed to apply to 6.1-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 6.1-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
git checkout FETCH_HEAD
git cherry-pick -x de35994ecd2dd6148ab5a6c5050a1670a04dec77
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010653-enroll-disagree-652b@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From de35994ecd2dd6148ab5a6c5050a1670a04dec77 Mon Sep 17 00:00:00 2001
From: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com>
Date: Thu, 19 Dec 2024 09:30:30 +0000
Subject: [PATCH] workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work
from !WQ_MEM_RECLAIM worker
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
After commit
746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM")
amdgpu started seeing the following warning:
[ ] workqueue: WQ_MEM_RECLAIM sdma0:drm_sched_run_job_work [gpu_sched] is flushing !WQ_MEM_RECLAIM events:amdgpu_device_delay_enable_gfx_off [amdgpu]
...
[ ] Workqueue: sdma0 drm_sched_run_job_work [gpu_sched]
...
[ ] Call Trace:
[ ] <TASK>
...
[ ] ? check_flush_dependency+0xf5/0x110
...
[ ] cancel_delayed_work_sync+0x6e/0x80
[ ] amdgpu_gfx_off_ctrl+0xab/0x140 [amdgpu]
[ ] amdgpu_ring_alloc+0x40/0x50 [amdgpu]
[ ] amdgpu_ib_schedule+0xf4/0x810 [amdgpu]
[ ] ? drm_sched_run_job_work+0x22c/0x430 [gpu_sched]
[ ] amdgpu_job_run+0xaa/0x1f0 [amdgpu]
[ ] drm_sched_run_job_work+0x257/0x430 [gpu_sched]
[ ] process_one_work+0x217/0x720
...
[ ] </TASK>
The intent of the verifcation done in check_flush_depedency is to ensure
forward progress during memory reclaim, by flagging cases when either a
memory reclaim process, or a memory reclaim work item is flushed from a
context not marked as memory reclaim safe.
This is correct when flushing, but when called from the
cancel(_delayed)_work_sync() paths it is a false positive because work is
either already running, or will not be running at all. Therefore
cancelling it is safe and we can relax the warning criteria by letting the
helper know of the calling context.
Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com>
Fixes: fca839c00a12 ("workqueue: warn if memory reclaim tries to flush !WQ_MEM_RECLAIM workqueue")
References: 746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM")
Cc: Tejun Heo <tj(a)kernel.org>
Cc: Peter Zijlstra <peterz(a)infradead.org>
Cc: Lai Jiangshan <jiangshanlai(a)gmail.com>
Cc: Alex Deucher <alexander.deucher(a)amd.com>
Cc: Christian König <christian.koenig(a)amd.com
Cc: Matthew Brost <matthew.brost(a)intel.com>
Cc: <stable(a)vger.kernel.org> # v4.5+
Signed-off-by: Tejun Heo <tj(a)kernel.org>
diff --git a/kernel/workqueue.c b/kernel/workqueue.c
index 8b07576814a5..8336218ec4b8 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -3680,23 +3680,27 @@ void workqueue_softirq_dead(unsigned int cpu)
* check_flush_dependency - check for flush dependency sanity
* @target_wq: workqueue being flushed
* @target_work: work item being flushed (NULL for workqueue flushes)
+ * @from_cancel: are we called from the work cancel path
*
* %current is trying to flush the whole @target_wq or @target_work on it.
- * If @target_wq doesn't have %WQ_MEM_RECLAIM, verify that %current is not
- * reclaiming memory or running on a workqueue which doesn't have
- * %WQ_MEM_RECLAIM as that can break forward-progress guarantee leading to
- * a deadlock.
+ * If this is not the cancel path (which implies work being flushed is either
+ * already running, or will not be at all), check if @target_wq doesn't have
+ * %WQ_MEM_RECLAIM and verify that %current is not reclaiming memory or running
+ * on a workqueue which doesn't have %WQ_MEM_RECLAIM as that can break forward-
+ * progress guarantee leading to a deadlock.
*/
static void check_flush_dependency(struct workqueue_struct *target_wq,
- struct work_struct *target_work)
+ struct work_struct *target_work,
+ bool from_cancel)
{
- work_func_t target_func = target_work ? target_work->func : NULL;
+ work_func_t target_func;
struct worker *worker;
- if (target_wq->flags & WQ_MEM_RECLAIM)
+ if (from_cancel || target_wq->flags & WQ_MEM_RECLAIM)
return;
worker = current_wq_worker();
+ target_func = target_work ? target_work->func : NULL;
WARN_ONCE(current->flags & PF_MEMALLOC,
"workqueue: PF_MEMALLOC task %d(%s) is flushing !WQ_MEM_RECLAIM %s:%ps",
@@ -3980,7 +3984,7 @@ void __flush_workqueue(struct workqueue_struct *wq)
list_add_tail(&this_flusher.list, &wq->flusher_overflow);
}
- check_flush_dependency(wq, NULL);
+ check_flush_dependency(wq, NULL, false);
mutex_unlock(&wq->mutex);
@@ -4155,7 +4159,7 @@ static bool start_flush_work(struct work_struct *work, struct wq_barrier *barr,
}
wq = pwq->wq;
- check_flush_dependency(wq, work);
+ check_flush_dependency(wq, work, from_cancel);
insert_wq_barrier(pwq, barr, work, worker);
raw_spin_unlock_irq(&pool->lock);
3 months, 3 weeks
- 1
- 0
FAILED: patch "[PATCH] workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work" failed to apply to 6.6-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 6.6-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y
git checkout FETCH_HEAD
git cherry-pick -x de35994ecd2dd6148ab5a6c5050a1670a04dec77
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010652-clad-doorframe-5d77@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From de35994ecd2dd6148ab5a6c5050a1670a04dec77 Mon Sep 17 00:00:00 2001
From: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com>
Date: Thu, 19 Dec 2024 09:30:30 +0000
Subject: [PATCH] workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work
from !WQ_MEM_RECLAIM worker
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
After commit
746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM")
amdgpu started seeing the following warning:
[ ] workqueue: WQ_MEM_RECLAIM sdma0:drm_sched_run_job_work [gpu_sched] is flushing !WQ_MEM_RECLAIM events:amdgpu_device_delay_enable_gfx_off [amdgpu]
...
[ ] Workqueue: sdma0 drm_sched_run_job_work [gpu_sched]
...
[ ] Call Trace:
[ ] <TASK>
...
[ ] ? check_flush_dependency+0xf5/0x110
...
[ ] cancel_delayed_work_sync+0x6e/0x80
[ ] amdgpu_gfx_off_ctrl+0xab/0x140 [amdgpu]
[ ] amdgpu_ring_alloc+0x40/0x50 [amdgpu]
[ ] amdgpu_ib_schedule+0xf4/0x810 [amdgpu]
[ ] ? drm_sched_run_job_work+0x22c/0x430 [gpu_sched]
[ ] amdgpu_job_run+0xaa/0x1f0 [amdgpu]
[ ] drm_sched_run_job_work+0x257/0x430 [gpu_sched]
[ ] process_one_work+0x217/0x720
...
[ ] </TASK>
The intent of the verifcation done in check_flush_depedency is to ensure
forward progress during memory reclaim, by flagging cases when either a
memory reclaim process, or a memory reclaim work item is flushed from a
context not marked as memory reclaim safe.
This is correct when flushing, but when called from the
cancel(_delayed)_work_sync() paths it is a false positive because work is
either already running, or will not be running at all. Therefore
cancelling it is safe and we can relax the warning criteria by letting the
helper know of the calling context.
Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com>
Fixes: fca839c00a12 ("workqueue: warn if memory reclaim tries to flush !WQ_MEM_RECLAIM workqueue")
References: 746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM")
Cc: Tejun Heo <tj(a)kernel.org>
Cc: Peter Zijlstra <peterz(a)infradead.org>
Cc: Lai Jiangshan <jiangshanlai(a)gmail.com>
Cc: Alex Deucher <alexander.deucher(a)amd.com>
Cc: Christian König <christian.koenig(a)amd.com
Cc: Matthew Brost <matthew.brost(a)intel.com>
Cc: <stable(a)vger.kernel.org> # v4.5+
Signed-off-by: Tejun Heo <tj(a)kernel.org>
diff --git a/kernel/workqueue.c b/kernel/workqueue.c
index 8b07576814a5..8336218ec4b8 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -3680,23 +3680,27 @@ void workqueue_softirq_dead(unsigned int cpu)
* check_flush_dependency - check for flush dependency sanity
* @target_wq: workqueue being flushed
* @target_work: work item being flushed (NULL for workqueue flushes)
+ * @from_cancel: are we called from the work cancel path
*
* %current is trying to flush the whole @target_wq or @target_work on it.
- * If @target_wq doesn't have %WQ_MEM_RECLAIM, verify that %current is not
- * reclaiming memory or running on a workqueue which doesn't have
- * %WQ_MEM_RECLAIM as that can break forward-progress guarantee leading to
- * a deadlock.
+ * If this is not the cancel path (which implies work being flushed is either
+ * already running, or will not be at all), check if @target_wq doesn't have
+ * %WQ_MEM_RECLAIM and verify that %current is not reclaiming memory or running
+ * on a workqueue which doesn't have %WQ_MEM_RECLAIM as that can break forward-
+ * progress guarantee leading to a deadlock.
*/
static void check_flush_dependency(struct workqueue_struct *target_wq,
- struct work_struct *target_work)
+ struct work_struct *target_work,
+ bool from_cancel)
{
- work_func_t target_func = target_work ? target_work->func : NULL;
+ work_func_t target_func;
struct worker *worker;
- if (target_wq->flags & WQ_MEM_RECLAIM)
+ if (from_cancel || target_wq->flags & WQ_MEM_RECLAIM)
return;
worker = current_wq_worker();
+ target_func = target_work ? target_work->func : NULL;
WARN_ONCE(current->flags & PF_MEMALLOC,
"workqueue: PF_MEMALLOC task %d(%s) is flushing !WQ_MEM_RECLAIM %s:%ps",
@@ -3980,7 +3984,7 @@ void __flush_workqueue(struct workqueue_struct *wq)
list_add_tail(&this_flusher.list, &wq->flusher_overflow);
}
- check_flush_dependency(wq, NULL);
+ check_flush_dependency(wq, NULL, false);
mutex_unlock(&wq->mutex);
@@ -4155,7 +4159,7 @@ static bool start_flush_work(struct work_struct *work, struct wq_barrier *barr,
}
wq = pwq->wq;
- check_flush_dependency(wq, work);
+ check_flush_dependency(wq, work, from_cancel);
insert_wq_barrier(pwq, barr, work, worker);
raw_spin_unlock_irq(&pool->lock);
3 months, 3 weeks
- 1
- 0
FAILED: patch "[PATCH] ocfs2: fix slab-use-after-free due to dangling pointer" failed to apply to 5.4-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 5.4-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y
git checkout FETCH_HEAD
git cherry-pick -x 5f3fd772d152229d94602bca243fbb658068a597
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010611-sphinx-mayflower-3d16@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 5f3fd772d152229d94602bca243fbb658068a597 Mon Sep 17 00:00:00 2001
From: Dennis Lam <dennis.lamerice(a)gmail.com>
Date: Tue, 17 Dec 2024 21:39:25 -0500
Subject: [PATCH] ocfs2: fix slab-use-after-free due to dangling pointer
dqi_priv
When mounting ocfs2 and then remounting it as read-only, a
slab-use-after-free occurs after the user uses a syscall to
quota_getnextquota. Specifically, sb_dqinfo(sb, type)->dqi_priv is the
dangling pointer.
During the remounting process, the pointer dqi_priv is freed but is never
set as null leaving it to be accessed. Additionally, the read-only option
for remounting sets the DQUOT_SUSPENDED flag instead of setting the
DQUOT_USAGE_ENABLED flags. Moreover, later in the process of getting the
next quota, the function ocfs2_get_next_id is called and only checks the
quota usage flags and not the quota suspended flags.
To fix this, I set dqi_priv to null when it is freed after remounting with
read-only and put a check for DQUOT_SUSPENDED in ocfs2_get_next_id.
[akpm(a)linux-foundation.org: coding-style cleanups]
Link: https://lkml.kernel.org/r/20241218023924.22821-2-dennis.lamerice@gmail.com
Fixes: 8f9e8f5fcc05 ("ocfs2: Fix Q_GETNEXTQUOTA for filesystem without quotas")
Signed-off-by: Dennis Lam <dennis.lamerice(a)gmail.com>
Reported-by: syzbot+d173bf8a5a7faeede34c(a)syzkaller.appspotmail.com
Tested-by: syzbot+d173bf8a5a7faeede34c(a)syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/6731d26f.050a0220.1fb99c.014b.GAE@google.com/T/
Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com>
Cc: Mark Fasheh <mark(a)fasheh.com>
Cc: Joel Becker <jlbec(a)evilplan.org>
Cc: Junxiao Bi <junxiao.bi(a)oracle.com>
Cc: Changwei Ge <gechangwei(a)live.cn>
Cc: Jun Piao <piaojun(a)huawei.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
diff --git a/fs/ocfs2/quota_global.c b/fs/ocfs2/quota_global.c
index 2b0daced98eb..3404e7a30c33 100644
--- a/fs/ocfs2/quota_global.c
+++ b/fs/ocfs2/quota_global.c
@@ -893,7 +893,7 @@ static int ocfs2_get_next_id(struct super_block *sb, struct kqid *qid)
int status = 0;
trace_ocfs2_get_next_id(from_kqid(&init_user_ns, *qid), type);
- if (!sb_has_quota_loaded(sb, type)) {
+ if (!sb_has_quota_active(sb, type)) {
status = -ESRCH;
goto out;
}
diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c
index 73d3367c533b..2956d888c131 100644
--- a/fs/ocfs2/quota_local.c
+++ b/fs/ocfs2/quota_local.c
@@ -867,6 +867,7 @@ static int ocfs2_local_free_info(struct super_block *sb, int type)
brelse(oinfo->dqi_libh);
brelse(oinfo->dqi_lqi_bh);
kfree(oinfo);
+ info->dqi_priv = NULL;
return status;
}
3 months, 3 weeks
- 1
- 0
FAILED: patch "[PATCH] ocfs2: fix slab-use-after-free due to dangling pointer" failed to apply to 5.10-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 5.10-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y
git checkout FETCH_HEAD
git cherry-pick -x 5f3fd772d152229d94602bca243fbb658068a597
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010610-gratified-icy-21bc@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 5f3fd772d152229d94602bca243fbb658068a597 Mon Sep 17 00:00:00 2001
From: Dennis Lam <dennis.lamerice(a)gmail.com>
Date: Tue, 17 Dec 2024 21:39:25 -0500
Subject: [PATCH] ocfs2: fix slab-use-after-free due to dangling pointer
dqi_priv
When mounting ocfs2 and then remounting it as read-only, a
slab-use-after-free occurs after the user uses a syscall to
quota_getnextquota. Specifically, sb_dqinfo(sb, type)->dqi_priv is the
dangling pointer.
During the remounting process, the pointer dqi_priv is freed but is never
set as null leaving it to be accessed. Additionally, the read-only option
for remounting sets the DQUOT_SUSPENDED flag instead of setting the
DQUOT_USAGE_ENABLED flags. Moreover, later in the process of getting the
next quota, the function ocfs2_get_next_id is called and only checks the
quota usage flags and not the quota suspended flags.
To fix this, I set dqi_priv to null when it is freed after remounting with
read-only and put a check for DQUOT_SUSPENDED in ocfs2_get_next_id.
[akpm(a)linux-foundation.org: coding-style cleanups]
Link: https://lkml.kernel.org/r/20241218023924.22821-2-dennis.lamerice@gmail.com
Fixes: 8f9e8f5fcc05 ("ocfs2: Fix Q_GETNEXTQUOTA for filesystem without quotas")
Signed-off-by: Dennis Lam <dennis.lamerice(a)gmail.com>
Reported-by: syzbot+d173bf8a5a7faeede34c(a)syzkaller.appspotmail.com
Tested-by: syzbot+d173bf8a5a7faeede34c(a)syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/6731d26f.050a0220.1fb99c.014b.GAE@google.com/T/
Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com>
Cc: Mark Fasheh <mark(a)fasheh.com>
Cc: Joel Becker <jlbec(a)evilplan.org>
Cc: Junxiao Bi <junxiao.bi(a)oracle.com>
Cc: Changwei Ge <gechangwei(a)live.cn>
Cc: Jun Piao <piaojun(a)huawei.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
diff --git a/fs/ocfs2/quota_global.c b/fs/ocfs2/quota_global.c
index 2b0daced98eb..3404e7a30c33 100644
--- a/fs/ocfs2/quota_global.c
+++ b/fs/ocfs2/quota_global.c
@@ -893,7 +893,7 @@ static int ocfs2_get_next_id(struct super_block *sb, struct kqid *qid)
int status = 0;
trace_ocfs2_get_next_id(from_kqid(&init_user_ns, *qid), type);
- if (!sb_has_quota_loaded(sb, type)) {
+ if (!sb_has_quota_active(sb, type)) {
status = -ESRCH;
goto out;
}
diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c
index 73d3367c533b..2956d888c131 100644
--- a/fs/ocfs2/quota_local.c
+++ b/fs/ocfs2/quota_local.c
@@ -867,6 +867,7 @@ static int ocfs2_local_free_info(struct super_block *sb, int type)
brelse(oinfo->dqi_libh);
brelse(oinfo->dqi_lqi_bh);
kfree(oinfo);
+ info->dqi_priv = NULL;
return status;
}
3 months, 3 weeks
- 1
- 0
FAILED: patch "[PATCH] ocfs2: fix slab-use-after-free due to dangling pointer" failed to apply to 5.15-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 5.15-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y
git checkout FETCH_HEAD
git cherry-pick -x 5f3fd772d152229d94602bca243fbb658068a597
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010609-busybody-impromptu-d5f7@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 5f3fd772d152229d94602bca243fbb658068a597 Mon Sep 17 00:00:00 2001
From: Dennis Lam <dennis.lamerice(a)gmail.com>
Date: Tue, 17 Dec 2024 21:39:25 -0500
Subject: [PATCH] ocfs2: fix slab-use-after-free due to dangling pointer
dqi_priv
When mounting ocfs2 and then remounting it as read-only, a
slab-use-after-free occurs after the user uses a syscall to
quota_getnextquota. Specifically, sb_dqinfo(sb, type)->dqi_priv is the
dangling pointer.
During the remounting process, the pointer dqi_priv is freed but is never
set as null leaving it to be accessed. Additionally, the read-only option
for remounting sets the DQUOT_SUSPENDED flag instead of setting the
DQUOT_USAGE_ENABLED flags. Moreover, later in the process of getting the
next quota, the function ocfs2_get_next_id is called and only checks the
quota usage flags and not the quota suspended flags.
To fix this, I set dqi_priv to null when it is freed after remounting with
read-only and put a check for DQUOT_SUSPENDED in ocfs2_get_next_id.
[akpm(a)linux-foundation.org: coding-style cleanups]
Link: https://lkml.kernel.org/r/20241218023924.22821-2-dennis.lamerice@gmail.com
Fixes: 8f9e8f5fcc05 ("ocfs2: Fix Q_GETNEXTQUOTA for filesystem without quotas")
Signed-off-by: Dennis Lam <dennis.lamerice(a)gmail.com>
Reported-by: syzbot+d173bf8a5a7faeede34c(a)syzkaller.appspotmail.com
Tested-by: syzbot+d173bf8a5a7faeede34c(a)syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/6731d26f.050a0220.1fb99c.014b.GAE@google.com/T/
Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com>
Cc: Mark Fasheh <mark(a)fasheh.com>
Cc: Joel Becker <jlbec(a)evilplan.org>
Cc: Junxiao Bi <junxiao.bi(a)oracle.com>
Cc: Changwei Ge <gechangwei(a)live.cn>
Cc: Jun Piao <piaojun(a)huawei.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
diff --git a/fs/ocfs2/quota_global.c b/fs/ocfs2/quota_global.c
index 2b0daced98eb..3404e7a30c33 100644
--- a/fs/ocfs2/quota_global.c
+++ b/fs/ocfs2/quota_global.c
@@ -893,7 +893,7 @@ static int ocfs2_get_next_id(struct super_block *sb, struct kqid *qid)
int status = 0;
trace_ocfs2_get_next_id(from_kqid(&init_user_ns, *qid), type);
- if (!sb_has_quota_loaded(sb, type)) {
+ if (!sb_has_quota_active(sb, type)) {
status = -ESRCH;
goto out;
}
diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c
index 73d3367c533b..2956d888c131 100644
--- a/fs/ocfs2/quota_local.c
+++ b/fs/ocfs2/quota_local.c
@@ -867,6 +867,7 @@ static int ocfs2_local_free_info(struct super_block *sb, int type)
brelse(oinfo->dqi_libh);
brelse(oinfo->dqi_lqi_bh);
kfree(oinfo);
+ info->dqi_priv = NULL;
return status;
}
3 months, 3 weeks
- 1
- 0
FAILED: patch "[PATCH] ocfs2: fix slab-use-after-free due to dangling pointer" failed to apply to 6.1-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 6.1-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
git checkout FETCH_HEAD
git cherry-pick -x 5f3fd772d152229d94602bca243fbb658068a597
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010608-payphone-borough-d229@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 5f3fd772d152229d94602bca243fbb658068a597 Mon Sep 17 00:00:00 2001
From: Dennis Lam <dennis.lamerice(a)gmail.com>
Date: Tue, 17 Dec 2024 21:39:25 -0500
Subject: [PATCH] ocfs2: fix slab-use-after-free due to dangling pointer
dqi_priv
When mounting ocfs2 and then remounting it as read-only, a
slab-use-after-free occurs after the user uses a syscall to
quota_getnextquota. Specifically, sb_dqinfo(sb, type)->dqi_priv is the
dangling pointer.
During the remounting process, the pointer dqi_priv is freed but is never
set as null leaving it to be accessed. Additionally, the read-only option
for remounting sets the DQUOT_SUSPENDED flag instead of setting the
DQUOT_USAGE_ENABLED flags. Moreover, later in the process of getting the
next quota, the function ocfs2_get_next_id is called and only checks the
quota usage flags and not the quota suspended flags.
To fix this, I set dqi_priv to null when it is freed after remounting with
read-only and put a check for DQUOT_SUSPENDED in ocfs2_get_next_id.
[akpm(a)linux-foundation.org: coding-style cleanups]
Link: https://lkml.kernel.org/r/20241218023924.22821-2-dennis.lamerice@gmail.com
Fixes: 8f9e8f5fcc05 ("ocfs2: Fix Q_GETNEXTQUOTA for filesystem without quotas")
Signed-off-by: Dennis Lam <dennis.lamerice(a)gmail.com>
Reported-by: syzbot+d173bf8a5a7faeede34c(a)syzkaller.appspotmail.com
Tested-by: syzbot+d173bf8a5a7faeede34c(a)syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/6731d26f.050a0220.1fb99c.014b.GAE@google.com/T/
Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com>
Cc: Mark Fasheh <mark(a)fasheh.com>
Cc: Joel Becker <jlbec(a)evilplan.org>
Cc: Junxiao Bi <junxiao.bi(a)oracle.com>
Cc: Changwei Ge <gechangwei(a)live.cn>
Cc: Jun Piao <piaojun(a)huawei.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
diff --git a/fs/ocfs2/quota_global.c b/fs/ocfs2/quota_global.c
index 2b0daced98eb..3404e7a30c33 100644
--- a/fs/ocfs2/quota_global.c
+++ b/fs/ocfs2/quota_global.c
@@ -893,7 +893,7 @@ static int ocfs2_get_next_id(struct super_block *sb, struct kqid *qid)
int status = 0;
trace_ocfs2_get_next_id(from_kqid(&init_user_ns, *qid), type);
- if (!sb_has_quota_loaded(sb, type)) {
+ if (!sb_has_quota_active(sb, type)) {
status = -ESRCH;
goto out;
}
diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c
index 73d3367c533b..2956d888c131 100644
--- a/fs/ocfs2/quota_local.c
+++ b/fs/ocfs2/quota_local.c
@@ -867,6 +867,7 @@ static int ocfs2_local_free_info(struct super_block *sb, int type)
brelse(oinfo->dqi_libh);
brelse(oinfo->dqi_lqi_bh);
kfree(oinfo);
+ info->dqi_priv = NULL;
return status;
}
3 months, 3 weeks
- 1
- 0
Buggy patch -- Re: [PATCH 6.1 00/60] 6.1.123-rc1 review
by Pavel Machek
Hi!
> > > This is the start of the stable review cycle for the 6.1.123 release.
> > > There are 60 patches in this series, all will be posted as a response
> > > to this one. If anyone has any issues with these being applied, please
> > > let me know.
> >
> > > Dan Carpenter <dan.carpenter(a)linaro.org>
> > > mtd: rawnand: fix double free in atmel_pmecc_create_user()
> >
> > This is wrong for 6.1 and older -- we don't use devm_kzalloc there, so
> > it creates memory leak.
>
> Thanks for testing and letting me know,
This was not "all good" mail. Patch cited above is buggy. But you
still included it in 6.1.123. Please drop.
Best regards.
Pavel
--
DENX Software Engineering GmbH, Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
3 months, 3 weeks
- 2
- 1
[PATCH] soc: samsung: exynos-pmu: Fix uninitialized ret in tensor_set_bits_atomic()
by Krzysztof Kozlowski
If tensor_set_bits_atomic() is called with a mask of 0 the function will
just iterate over its bit, not perform any updates and return stack
value of 'ret'.
Also reported by smatch:
drivers/soc/samsung/exynos-pmu.c:129 tensor_set_bits_atomic() error: uninitialized symbol 'ret'.
Fixes: 0b7c6075022c ("soc: samsung: exynos-pmu: Add regmap support for SoCs that protect PMU regs")
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org>
---
drivers/soc/samsung/exynos-pmu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/soc/samsung/exynos-pmu.c b/drivers/soc/samsung/exynos-pmu.c
index d8c53cec7f37..dd5256e5aae1 100644
--- a/drivers/soc/samsung/exynos-pmu.c
+++ b/drivers/soc/samsung/exynos-pmu.c
@@ -126,7 +126,7 @@ static int tensor_set_bits_atomic(void *ctx, unsigned int offset, u32 val,
if (ret)
return ret;
}
- return ret;
+ return 0;
}
static bool tensor_is_atomic(unsigned int reg)
--
2.43.0
3 months, 3 weeks
- 1
- 1
[PATCH] sched/fair: Fix ksmd and kthreadd running on isolated CPU0 on arm64 systems
by wujing
This bug can be reproduced on Kunpeng arm64 and Phytium arm physical machines,
as well as in virtual machine environments, based on the linux-4.19.y stable
branch:
1. Check the number of CPUs on the system:
nproc --all
96
2. Add the parameter isolcpus=0-85 to the grub configuration,
update grub, and reboot.
3. Check the ksmd process:
ps aux | grep -i ksmd
root 502 0.0 0.0 0 0 ? S 10:00 0:00 [ksmd]
ps -o pid,psr,comm -p 502
PID PSR COMMAND
502 0 ksmd
4. Check the kthreadd process:
ps aux | grep -i kthreadd
root 2 0.0 0.0 0 0 ? S 10:00 0:00 [kthreadd]
ps -o pid,psr,comm -p 2
PID PSR COMMAND
2 0 kthreadd
From the output above, it can be seen that both ksmd and kthreadd are still
running on CPU0, which is unreasonable since CPU0 has been isolated.
Cc: stable(a)vger.kernel.org # 4.19.x
Signed-off-by: wujing <realwujing(a)qq.com>
Signed-off-by: QiLiang Yuan <yuanql9(a)chinatelecom.cn>
---
kernel/sched/fair.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index 0950cabfc1d0..454021ff70a1 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -6211,7 +6211,7 @@ static int select_idle_cpu(struct task_struct *p, struct sched_domain *sd, int t
this_sd = rcu_dereference(*this_cpu_ptr(&sd_llc));
if (!this_sd)
- return -1;
+ return housekeeping_any_cpu(HK_FLAG_DOMAIN);
/*
* Due to large variance we need a large fuzz factor; hackbench in
--
2.39.5
3 months, 3 weeks
- 2
- 1
[PATCH] sched/fair: Correct CPU selection from isolated domain
by wujing
From: wujing <realwujing(a)gmail.com>
We encountered an issue where the kernel thread `ksmd` runs on the PMD
dedicated isolated core, leading to high latency in OVS packets.
Upon analysis, we discovered that this is caused by the current
select_idle_smt() function not taking the sched_domain mask into account.
Kernel version: linux-4.19.y
Cc: stable(a)vger.kernel.org # 4.19.x
Signed-off-by: wujing <realwujing(a)qq.com>
Signed-off-by: QiLiang Yuan <yuanql9(a)chinatelecom.cn>
---
kernel/sched/fair.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index 09f82c84474b..0950cabfc1d0 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -6171,7 +6171,8 @@ static int select_idle_smt(struct task_struct *p, struct sched_domain *sd, int t
return -1;
for_each_cpu(cpu, cpu_smt_mask(target)) {
- if (!cpumask_test_cpu(cpu, &p->cpus_allowed))
+ if (!cpumask_test_cpu(cpu, &p->cpus_allowed) ||
+ !cpumask_test_cpu(cpu, sched_domain_span(sd)))
continue;
if (available_idle_cpu(cpu))
return cpu;
--
2.39.5
3 months, 3 weeks
- 2
- 1
[PATCH] sched/fair: Fix ksmd and kthreadd running on isolated CPU0 on arm64 systems
by wujing
This bug can be reproduced on Kunpeng arm64 and Phytium arm physical machines,
as well as in virtual machine environments, based on the linux-4.19.y stable
branch:
1. Check the number of CPUs on the system:
nproc --all
96
2. Add the parameter isolcpus=0-85 to the grub configuration,
update grub, and reboot.
3. Check the ksmd process:
ps aux | grep -i ksmd
root 502 0.0 0.0 0 0 ? S 10:00 0:00 [ksmd]
ps -o pid,psr,comm -p 502
PID PSR COMMAND
502 0 ksmd
4. Check the kthreadd process:
ps aux | grep -i kthreadd
root 2 0.0 0.0 0 0 ? S 10:00 0:00 [kthreadd]
ps -o pid,psr,comm -p 2
PID PSR COMMAND
2 0 kthreadd
From the output above, it can be seen that both ksmd and kthreadd are still
running on CPU0, which is unreasonable since CPU0 has been isolated.
Signed-off-by: wujing <realwujing(a)qq.com>
Signed-off-by: QiLiang Yuan <yuanql9(a)chinatelecom.cn>
---
kernel/sched/fair.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index 0950cabfc1d0..454021ff70a1 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -6211,7 +6211,7 @@ static int select_idle_cpu(struct task_struct *p, struct sched_domain *sd, int t
this_sd = rcu_dereference(*this_cpu_ptr(&sd_llc));
if (!this_sd)
- return -1;
+ return housekeeping_any_cpu(HK_FLAG_DOMAIN);
/*
* Due to large variance we need a large fuzz factor; hackbench in
--
2.39.5
3 months, 3 weeks
- 3
- 4
[PATCH v2] [ARM] fix reference leak in locomo_init_one_child()
by Ma Ke
Once device_register() failed, we should call put_device() to
decrement reference count for cleanup. Or it could cause memory leak.
device_register() includes device_add(). As comment of device_add()
says, 'if device_add() succeeds, you should call device_del() when you
want to get rid of it. If device_add() has not succeeded, use only
put_device() to drop the reference count'.
Found by code review.
Cc: stable(a)vger.kernel.org
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Ma Ke <make24(a)iscas.ac.cn>
---
Changes in v2:
- modified the patch as suggestions.
---
arch/arm/common/locomo.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm/common/locomo.c b/arch/arm/common/locomo.c
index 309b74783468..9e48cbb2568e 100644
--- a/arch/arm/common/locomo.c
+++ b/arch/arm/common/locomo.c
@@ -253,6 +253,8 @@ locomo_init_one_child(struct locomo *lchip, struct locomo_dev_info *info)
ret = device_register(&dev->dev);
if (ret) {
+ put_device(&dev->dev);
+ return ret;
out:
kfree(dev);
}
--
2.25.1
3 months, 3 weeks
- 2
- 1
[PATCH] usb: chipidea: ci_hdrc_imx: decrement device's refcount on the error path of .probe()
by Joe Hattori
Current implementation of ci_hdrc_imx_probe() does not decrement the
refcount of the device obtained in usbmisc_get_init_data(). Add a
put_device() call before returning an error after the call.
This bug was found by an experimental static analysis tool that I am
developing.
Cc: stable(a)vger.kernel.org
Fixes: f40017e0f332 ("chipidea: usbmisc_imx: Add USB support for VF610 SoCs")
Signed-off-by: Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp>
---
drivers/usb/chipidea/ci_hdrc_imx.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/drivers/usb/chipidea/ci_hdrc_imx.c b/drivers/usb/chipidea/ci_hdrc_imx.c
index f2801700be8e..6418052264f2 100644
--- a/drivers/usb/chipidea/ci_hdrc_imx.c
+++ b/drivers/usb/chipidea/ci_hdrc_imx.c
@@ -370,25 +370,29 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev)
data->pinctrl = devm_pinctrl_get(dev);
if (PTR_ERR(data->pinctrl) == -ENODEV)
data->pinctrl = NULL;
- else if (IS_ERR(data->pinctrl))
- return dev_err_probe(dev, PTR_ERR(data->pinctrl),
+ else if (IS_ERR(data->pinctrl)) {
+ ret = dev_err_probe(dev, PTR_ERR(data->pinctrl),
"pinctrl get failed\n");
+ goto err_put;
+ }
data->hsic_pad_regulator =
devm_regulator_get_optional(dev, "hsic");
if (PTR_ERR(data->hsic_pad_regulator) == -ENODEV) {
/* no pad regulator is needed */
data->hsic_pad_regulator = NULL;
- } else if (IS_ERR(data->hsic_pad_regulator))
- return dev_err_probe(dev, PTR_ERR(data->hsic_pad_regulator),
+ } else if (IS_ERR(data->hsic_pad_regulator)) {
+ ret = dev_err_probe(dev, PTR_ERR(data->hsic_pad_regulator),
"Get HSIC pad regulator error\n");
+ goto err_put;
+ }
if (data->hsic_pad_regulator) {
ret = regulator_enable(data->hsic_pad_regulator);
if (ret) {
dev_err(dev,
"Failed to enable HSIC pad regulator\n");
- return ret;
+ goto err_put;
}
}
}
@@ -402,13 +406,14 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev)
dev_err(dev,
"pinctrl_hsic_idle lookup failed, err=%ld\n",
PTR_ERR(pinctrl_hsic_idle));
- return PTR_ERR(pinctrl_hsic_idle);
+ ret = PTR_ERR(pinctrl_hsic_idle);
+ goto err_put;
}
ret = pinctrl_select_state(data->pinctrl, pinctrl_hsic_idle);
if (ret) {
dev_err(dev, "hsic_idle select failed, err=%d\n", ret);
- return ret;
+ goto err_put;
}
data->pinctrl_hsic_active = pinctrl_lookup_state(data->pinctrl,
@@ -417,7 +422,8 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev)
dev_err(dev,
"pinctrl_hsic_active lookup failed, err=%ld\n",
PTR_ERR(data->pinctrl_hsic_active));
- return PTR_ERR(data->pinctrl_hsic_active);
+ ret = PTR_ERR(data->pinctrl_hsic_active);
+ goto err_put;
}
}
@@ -527,6 +533,8 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev)
if (pdata.flags & CI_HDRC_PMQOS)
cpu_latency_qos_remove_request(&data->pm_qos_req);
data->ci_pdev = NULL;
+err_put:
+ put_device(data->usbmisc_data->dev);
return ret;
}
--
2.34.1
3 months, 3 weeks
- 3
- 3
[PATCH 2/3] vfs: Fix implicit conversion problem when testing overflow case
by Julian Sun
The overflow check in generic_copy_file_checks() and generic_remap_checks()
is now broken because the result of the addition is implicitly converted to
an unsigned type, which disrupts the comparison with signed numbers.
This caused the kernel to not return EOVERFLOW in copy_file_range()
call with len is set to 0xffffffffa003e45bul.
Use the check_add_overflow() macro to fix this issue.
Reported-and-tested-by: syzbot+296b1c84b9cbf306e5a0(a)syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=296b1c84b9cbf306e5a0
Fixes: 1383a7ed6749 ("vfs: check file ranges before cloning files")
Fixes: 96e6e8f4a68d ("vfs: add missing checks to copy_file_range")
Inspired-by: Dave Chinner <david(a)fromorbit.com>
Reviewed-by: Jan Kara <jack(a)suse.cz>
Signed-off-by: Julian Sun <sunjunchao2870(a)gmail.com>
---
fs/read_write.c | 5 +++--
fs/remap_range.c | 5 +++--
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/fs/read_write.c b/fs/read_write.c
index 070a7c33b9dd..5211246edc2e 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -1509,7 +1509,7 @@ static int generic_copy_file_checks(struct file *file_in, loff_t pos_in,
struct inode *inode_in = file_inode(file_in);
struct inode *inode_out = file_inode(file_out);
uint64_t count = *req_count;
- loff_t size_in;
+ loff_t size_in, tmp;
int ret;
ret = generic_file_rw_checks(file_in, file_out);
@@ -1544,7 +1544,8 @@ static int generic_copy_file_checks(struct file *file_in, loff_t pos_in,
return -ETXTBSY;
/* Ensure offsets don't wrap. */
- if (pos_in + count < pos_in || pos_out + count < pos_out)
+ if (check_add_overflow(pos_in, count, &tmp) ||
+ check_add_overflow(pos_out, count, &tmp))
return -EOVERFLOW;
/* Shorten the copy to EOF */
diff --git a/fs/remap_range.c b/fs/remap_range.c
index 28246dfc8485..6fdeb3c8cb70 100644
--- a/fs/remap_range.c
+++ b/fs/remap_range.c
@@ -36,7 +36,7 @@ static int generic_remap_checks(struct file *file_in, loff_t pos_in,
struct inode *inode_out = file_out->f_mapping->host;
uint64_t count = *req_count;
uint64_t bcount;
- loff_t size_in, size_out;
+ loff_t size_in, size_out, tmp;
loff_t bs = inode_out->i_sb->s_blocksize;
int ret;
@@ -45,7 +45,8 @@ static int generic_remap_checks(struct file *file_in, loff_t pos_in,
return -EINVAL;
/* Ensure offsets don't wrap. */
- if (pos_in + count < pos_in || pos_out + count < pos_out)
+ if (check_add_overflow(pos_in, count, &tmp) ||
+ check_add_overflow(pos_out, count, &tmp))
return -EINVAL;
size_in = i_size_read(inode_in);
--
2.39.2
3 months, 3 weeks
- 5
- 7
[PATCH 6.1.y] i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition
by jianqi.ren.cn@windriver.com
From: Kaixin Wang <kxwang23(a)m.fudan.edu.cn>
[ Upstream commit 609366e7a06d035990df78f1562291c3bf0d4a12 ]
In the cdns_i3c_master_probe function, &master->hj_work is bound with
cdns_i3c_master_hj. And cdns_i3c_master_interrupt can call
cnds_i3c_master_demux_ibis function to start the work.
If we remove the module which will call cdns_i3c_master_remove to
make cleanup, it will free master->base through i3c_master_unregister
while the work mentioned above will be used. The sequence of operations
that may lead to a UAF bug is as follows:
CPU0 CPU1
| cdns_i3c_master_hj
cdns_i3c_master_remove |
i3c_master_unregister(&master->base) |
device_unregister(&master->dev) |
device_release |
//free master->base |
| i3c_master_do_daa(&master->base)
| //use master->base
Fix it by ensuring that the work is canceled before proceeding with
the cleanup in cdns_i3c_master_remove.
Signed-off-by: Kaixin Wang <kxwang23(a)m.fudan.edu.cn>
Link: https://lore.kernel.org/r/20240911153544.848398-1-kxwang23@m.fudan.edu.cn
Signed-off-by: Alexandre Belloni <alexandre.belloni(a)bootlin.com>
Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com>
---
drivers/i3c/master/i3c-master-cdns.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/i3c/master/i3c-master-cdns.c b/drivers/i3c/master/i3c-master-cdns.c
index 35b90bb686ad..c5a37f58079a 100644
--- a/drivers/i3c/master/i3c-master-cdns.c
+++ b/drivers/i3c/master/i3c-master-cdns.c
@@ -1667,6 +1667,7 @@ static int cdns_i3c_master_remove(struct platform_device *pdev)
{
struct cdns_i3c_master *master = platform_get_drvdata(pdev);
+ cancel_work_sync(&master->hj_work);
i3c_master_unregister(&master->base);
clk_disable_unprepare(master->sysclk);
--
2.25.1
3 months, 3 weeks
- 2
- 1
[PATCH] Input: Fix error handling in input_register_device()
by Ma Ke
When device_add(&dev->dev) failed, calling put_device() to explicitly
release dev->dev. Otherwise, it could cause double free problem.
As comment of device_add() says, if device_add() succeeds, you should
call device_del() when you want to get rid of it. If device_add() has
not succeeded, use only put_device() to drop the reference count.
Found by code review.
Cc: stable(a)vger.kernel.org
Fixes: 0cd587735205 ("Input: preallocate memory to hold event values")
Signed-off-by: Ma Ke <make24(a)iscas.ac.cn>
---
drivers/input/input.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/input/input.c b/drivers/input/input.c
index 7f0477e04ad2..a0a36aa90ecc 100644
--- a/drivers/input/input.c
+++ b/drivers/input/input.c
@@ -2456,8 +2456,10 @@ int input_register_device(struct input_dev *dev)
input_dev_poller_finalize(dev->poller);
error = device_add(&dev->dev);
- if (error)
+ if (error) {
+ put_device(&dev->dev);
goto err_devres_free;
+ }
path = kobject_get_path(&dev->dev.kobj, GFP_KERNEL);
pr_info("%s as %s\n",
--
2.25.1
3 months, 3 weeks
- 2
- 1
[PATCH] hugetlb: fix NULL pointer dereference in trace_hugetlbfs_alloc_inode
by Muchun Song
hugetlb_file_setup() will pass a NULL @dir to hugetlbfs_get_inode(), so
we will access a NULL pointer for @dir. Fix it and set __entry->dr to
0 if @dir is NULL. Because ->i_ino cannot be 0 (see get_next_ino()),
there is no confusing if user sees a 0 inode number.
Fixes: 318580ad7f28 ("hugetlbfs: support tracepoint")
Cc: stable(a)vger.kernel.org
Reported-by: Cheung Wall <zzqq0103.hey(a)gmail.com>
Closes: https://lore.kernel.org/linux-mm/02858D60-43C1-4863-A84F-3C76A8AF1F15@linux…
Signed-off-by: Muchun Song <songmuchun(a)bytedance.com>
---
include/trace/events/hugetlbfs.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/trace/events/hugetlbfs.h b/include/trace/events/hugetlbfs.h
index 8331c904a9ba8..59605dfaeeb43 100644
--- a/include/trace/events/hugetlbfs.h
+++ b/include/trace/events/hugetlbfs.h
@@ -23,7 +23,7 @@ TRACE_EVENT(hugetlbfs_alloc_inode,
TP_fast_assign(
__entry->dev = inode->i_sb->s_dev;
__entry->ino = inode->i_ino;
- __entry->dir = dir->i_ino;
+ __entry->dir = dir ? dir->i_ino : 0;
__entry->mode = mode;
),
--
2.20.1
3 months, 3 weeks
- 2
- 1
[REGRESSION] amdgpu: thinkpad e495 backlight brightness resets after suspend
by Siva Mahadevan
#regzbot introduced: 99a02eab8
Observed behaviour:
linux-stable v6.12.5 has a regression on my thinkpad e495 where
suspend/resume of the laptop results in my backlight brightness settings
to be reset to some very high value. After resume, I'm able to increase
brightness further until max brightness, but I'm not able to decrease it
anymore.
Behaviour prior to regression:
linux-stable v6.12.4 correctly maintains the same brightness setting on
the backlight that was set prior to suspend/resume.
Notes:
I bisected this issue between v6.12.4 and v6.12.5 to commit 99a02eab8
titled "drm/amdgpu: rework resume handling for display (v2)".
Hardware:
* lenovo thinkpad e495
* AMD Ryzen 5 3500U with Radeon Vega Mobile Gfx
* VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI]
Picasso/Raven 2 [Radeon Vega Series / Radeon Vega Mobile Series]
(rev c2)
3 months, 3 weeks
- 3
- 4
[PATCH stable 6.6] bpf: support non-r10 register spill/fill to/from stack in precision tracking
by Shung-Hsi Yu
From: Andrii Nakryiko <andrii(a)kernel.org>
[ Upstream commit 41f6f64e6999a837048b1bd13a2f8742964eca6b ]
Use instruction (jump) history to record instructions that performed
register spill/fill to/from stack, regardless if this was done through
read-only r10 register, or any other register after copying r10 into it
*and* potentially adjusting offset.
To make this work reliably, we push extra per-instruction flags into
instruction history, encoding stack slot index (spi) and stack frame
number in extra 10 bit flags we take away from prev_idx in instruction
history. We don't touch idx field for maximum performance, as it's
checked most frequently during backtracking.
This change removes basically the last remaining practical limitation of
precision backtracking logic in BPF verifier. It fixes known
deficiencies, but also opens up new opportunities to reduce number of
verified states, explored in the subsequent patches.
There are only three differences in selftests' BPF object files
according to veristat, all in the positive direction (less states).
File Program Insns (A) Insns (B) Insns (DIFF) States (A) States (B) States (DIFF)
-------------------------------------- ------------- --------- --------- ------------- ---------- ---------- -------------
test_cls_redirect_dynptr.bpf.linked3.o cls_redirect 2987 2864 -123 (-4.12%) 240 231 -9 (-3.75%)
xdp_synproxy_kern.bpf.linked3.o syncookie_tc 82848 82661 -187 (-0.23%) 5107 5073 -34 (-0.67%)
xdp_synproxy_kern.bpf.linked3.o syncookie_xdp 85116 84964 -152 (-0.18%) 5162 5130 -32 (-0.62%)
Note, I avoided renaming jmp_history to more generic insn_hist to
minimize number of lines changed and potential merge conflicts between
bpf and bpf-next trees.
Notice also cur_hist_entry pointer reset to NULL at the beginning of
instruction verification loop. This pointer avoids the problem of
relying on last jump history entry's insn_idx to determine whether we
already have entry for current instruction or not. It can happen that we
added jump history entry because current instruction is_jmp_point(), but
also we need to add instruction flags for stack access. In this case, we
don't want to entries, so we need to reuse last added entry, if it is
present.
Relying on insn_idx comparison has the same ambiguity problem as the one
that was fixed recently in [0], so we avoid that.
[0] https://patchwork.kernel.org/project/netdevbpf/patch/20231110002638.4168352…
Acked-by: Eduard Zingerman <eddyz87(a)gmail.com>
Reported-by: Tao Lyu <tao.lyu(a)epfl.ch>
Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org>
Link: https://lore.kernel.org/r/20231205184248.1502704-2-andrii@kernel.org
Signed-off-by: Alexei Starovoitov <ast(a)kernel.org>
Signed-off-by: Shung-Hsi Yu <shung-hsi.yu(a)suse.com>
---
This is a backport to fix CVE-2023-52920[1]
1: https://lore.kernel.org/linux-cve-announce/2024110518-CVE-2023-52920-17f6@g…
---
include/linux/bpf_verifier.h | 33 +++-
kernel/bpf/verifier.c | 175 ++++++++++--------
.../bpf/progs/verifier_subprog_precision.c | 23 ++-
.../testing/selftests/bpf/verifier/precise.c | 38 ++--
4 files changed, 170 insertions(+), 99 deletions(-)
diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
index 92919d52f7e1..cb8e97665eaa 100644
--- a/include/linux/bpf_verifier.h
+++ b/include/linux/bpf_verifier.h
@@ -319,12 +319,34 @@ struct bpf_func_state {
struct bpf_stack_state *stack;
};
-struct bpf_idx_pair {
- u32 prev_idx;
- u32 idx;
+#define MAX_CALL_FRAMES 8
+
+/* instruction history flags, used in bpf_jmp_history_entry.flags field */
+enum {
+ /* instruction references stack slot through PTR_TO_STACK register;
+ * we also store stack's frame number in lower 3 bits (MAX_CALL_FRAMES is 8)
+ * and accessed stack slot's index in next 6 bits (MAX_BPF_STACK is 512,
+ * 8 bytes per slot, so slot index (spi) is [0, 63])
+ */
+ INSN_F_FRAMENO_MASK = 0x7, /* 3 bits */
+
+ INSN_F_SPI_MASK = 0x3f, /* 6 bits */
+ INSN_F_SPI_SHIFT = 3, /* shifted 3 bits to the left */
+
+ INSN_F_STACK_ACCESS = BIT(9), /* we need 10 bits total */
+};
+
+static_assert(INSN_F_FRAMENO_MASK + 1 >= MAX_CALL_FRAMES);
+static_assert(INSN_F_SPI_MASK + 1 >= MAX_BPF_STACK / 8);
+
+struct bpf_jmp_history_entry {
+ u32 idx;
+ /* insn idx can't be bigger than 1 million */
+ u32 prev_idx : 22;
+ /* special flags, e.g., whether insn is doing register stack spill/load */
+ u32 flags : 10;
};
-#define MAX_CALL_FRAMES 8
/* Maximum number of register states that can exist at once */
#define BPF_ID_MAP_SIZE ((MAX_BPF_REG + MAX_BPF_STACK / BPF_REG_SIZE) * MAX_CALL_FRAMES)
struct bpf_verifier_state {
@@ -407,7 +429,7 @@ struct bpf_verifier_state {
* For most states jmp_history_cnt is [0-3].
* For loops can go up to ~40.
*/
- struct bpf_idx_pair *jmp_history;
+ struct bpf_jmp_history_entry *jmp_history;
u32 jmp_history_cnt;
u32 dfs_depth;
u32 callback_unroll_depth;
@@ -640,6 +662,7 @@ struct bpf_verifier_env {
int cur_stack;
} cfg;
struct backtrack_state bt;
+ struct bpf_jmp_history_entry *cur_hist_ent;
u32 pass_cnt; /* number of times do_check() was called */
u32 subprog_cnt;
/* number of instructions analyzed by the verifier */
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 4f19a091571b..5ca02af3a872 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1762,8 +1762,8 @@ static int copy_verifier_state(struct bpf_verifier_state *dst_state,
int i, err;
dst_state->jmp_history = copy_array(dst_state->jmp_history, src->jmp_history,
- src->jmp_history_cnt, sizeof(struct bpf_idx_pair),
- GFP_USER);
+ src->jmp_history_cnt, sizeof(*dst_state->jmp_history),
+ GFP_USER);
if (!dst_state->jmp_history)
return -ENOMEM;
dst_state->jmp_history_cnt = src->jmp_history_cnt;
@@ -3397,6 +3397,21 @@ static int check_reg_arg(struct bpf_verifier_env *env, u32 regno,
return __check_reg_arg(env, state->regs, regno, t);
}
+static int insn_stack_access_flags(int frameno, int spi)
+{
+ return INSN_F_STACK_ACCESS | (spi << INSN_F_SPI_SHIFT) | frameno;
+}
+
+static int insn_stack_access_spi(int insn_flags)
+{
+ return (insn_flags >> INSN_F_SPI_SHIFT) & INSN_F_SPI_MASK;
+}
+
+static int insn_stack_access_frameno(int insn_flags)
+{
+ return insn_flags & INSN_F_FRAMENO_MASK;
+}
+
static void mark_jmp_point(struct bpf_verifier_env *env, int idx)
{
env->insn_aux_data[idx].jmp_point = true;
@@ -3408,28 +3423,51 @@ static bool is_jmp_point(struct bpf_verifier_env *env, int insn_idx)
}
/* for any branch, call, exit record the history of jmps in the given state */
-static int push_jmp_history(struct bpf_verifier_env *env,
- struct bpf_verifier_state *cur)
+static int push_jmp_history(struct bpf_verifier_env *env, struct bpf_verifier_state *cur,
+ int insn_flags)
{
u32 cnt = cur->jmp_history_cnt;
- struct bpf_idx_pair *p;
+ struct bpf_jmp_history_entry *p;
size_t alloc_size;
- if (!is_jmp_point(env, env->insn_idx))
+ /* combine instruction flags if we already recorded this instruction */
+ if (env->cur_hist_ent) {
+ /* atomic instructions push insn_flags twice, for READ and
+ * WRITE sides, but they should agree on stack slot
+ */
+ WARN_ONCE((env->cur_hist_ent->flags & insn_flags) &&
+ (env->cur_hist_ent->flags & insn_flags) != insn_flags,
+ "verifier insn history bug: insn_idx %d cur flags %x new flags %x\n",
+ env->insn_idx, env->cur_hist_ent->flags, insn_flags);
+ env->cur_hist_ent->flags |= insn_flags;
return 0;
+ }
cnt++;
alloc_size = kmalloc_size_roundup(size_mul(cnt, sizeof(*p)));
p = krealloc(cur->jmp_history, alloc_size, GFP_USER);
if (!p)
return -ENOMEM;
- p[cnt - 1].idx = env->insn_idx;
- p[cnt - 1].prev_idx = env->prev_insn_idx;
cur->jmp_history = p;
+
+ p = &cur->jmp_history[cnt - 1];
+ p->idx = env->insn_idx;
+ p->prev_idx = env->prev_insn_idx;
+ p->flags = insn_flags;
cur->jmp_history_cnt = cnt;
+ env->cur_hist_ent = p;
+
return 0;
}
+static struct bpf_jmp_history_entry *get_jmp_hist_entry(struct bpf_verifier_state *st,
+ u32 hist_end, int insn_idx)
+{
+ if (hist_end > 0 && st->jmp_history[hist_end - 1].idx == insn_idx)
+ return &st->jmp_history[hist_end - 1];
+ return NULL;
+}
+
/* Backtrack one insn at a time. If idx is not at the top of recorded
* history then previous instruction came from straight line execution.
* Return -ENOENT if we exhausted all instructions within given state.
@@ -3591,9 +3629,14 @@ static inline bool bt_is_reg_set(struct backtrack_state *bt, u32 reg)
return bt->reg_masks[bt->frame] & (1 << reg);
}
+static inline bool bt_is_frame_slot_set(struct backtrack_state *bt, u32 frame, u32 slot)
+{
+ return bt->stack_masks[frame] & (1ull << slot);
+}
+
static inline bool bt_is_slot_set(struct backtrack_state *bt, u32 slot)
{
- return bt->stack_masks[bt->frame] & (1ull << slot);
+ return bt_is_frame_slot_set(bt, bt->frame, slot);
}
/* format registers bitmask, e.g., "r0,r2,r4" for 0x15 mask */
@@ -3647,7 +3690,7 @@ static bool calls_callback(struct bpf_verifier_env *env, int insn_idx);
* - *was* processed previously during backtracking.
*/
static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx,
- struct backtrack_state *bt)
+ struct bpf_jmp_history_entry *hist, struct backtrack_state *bt)
{
const struct bpf_insn_cbs cbs = {
.cb_call = disasm_kfunc_name,
@@ -3660,7 +3703,7 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx,
u8 mode = BPF_MODE(insn->code);
u32 dreg = insn->dst_reg;
u32 sreg = insn->src_reg;
- u32 spi, i;
+ u32 spi, i, fr;
if (insn->code == 0)
return 0;
@@ -3723,20 +3766,15 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx,
* by 'precise' mark in corresponding register of this state.
* No further tracking necessary.
*/
- if (insn->src_reg != BPF_REG_FP)
+ if (!hist || !(hist->flags & INSN_F_STACK_ACCESS))
return 0;
-
/* dreg = *(u64 *)[fp - off] was a fill from the stack.
* that [fp - off] slot contains scalar that needs to be
* tracked with precision
*/
- spi = (-insn->off - 1) / BPF_REG_SIZE;
- if (spi >= 64) {
- verbose(env, "BUG spi %d\n", spi);
- WARN_ONCE(1, "verifier backtracking bug");
- return -EFAULT;
- }
- bt_set_slot(bt, spi);
+ spi = insn_stack_access_spi(hist->flags);
+ fr = insn_stack_access_frameno(hist->flags);
+ bt_set_frame_slot(bt, fr, spi);
} else if (class == BPF_STX || class == BPF_ST) {
if (bt_is_reg_set(bt, dreg))
/* stx & st shouldn't be using _scalar_ dst_reg
@@ -3745,17 +3783,13 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx,
*/
return -ENOTSUPP;
/* scalars can only be spilled into stack */
- if (insn->dst_reg != BPF_REG_FP)
+ if (!hist || !(hist->flags & INSN_F_STACK_ACCESS))
return 0;
- spi = (-insn->off - 1) / BPF_REG_SIZE;
- if (spi >= 64) {
- verbose(env, "BUG spi %d\n", spi);
- WARN_ONCE(1, "verifier backtracking bug");
- return -EFAULT;
- }
- if (!bt_is_slot_set(bt, spi))
+ spi = insn_stack_access_spi(hist->flags);
+ fr = insn_stack_access_frameno(hist->flags);
+ if (!bt_is_frame_slot_set(bt, fr, spi))
return 0;
- bt_clear_slot(bt, spi);
+ bt_clear_frame_slot(bt, fr, spi);
if (class == BPF_STX)
bt_set_reg(bt, sreg);
} else if (class == BPF_JMP || class == BPF_JMP32) {
@@ -3799,10 +3833,14 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx,
WARN_ONCE(1, "verifier backtracking bug");
return -EFAULT;
}
- /* we don't track register spills perfectly,
- * so fallback to force-precise instead of failing */
- if (bt_stack_mask(bt) != 0)
- return -ENOTSUPP;
+ /* we are now tracking register spills correctly,
+ * so any instance of leftover slots is a bug
+ */
+ if (bt_stack_mask(bt) != 0) {
+ verbose(env, "BUG stack slots %llx\n", bt_stack_mask(bt));
+ WARN_ONCE(1, "verifier backtracking bug (subprog leftover stack slots)");
+ return -EFAULT;
+ }
/* propagate r1-r5 to the caller */
for (i = BPF_REG_1; i <= BPF_REG_5; i++) {
if (bt_is_reg_set(bt, i)) {
@@ -3827,8 +3865,11 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx,
WARN_ONCE(1, "verifier backtracking bug");
return -EFAULT;
}
- if (bt_stack_mask(bt) != 0)
- return -ENOTSUPP;
+ if (bt_stack_mask(bt) != 0) {
+ verbose(env, "BUG stack slots %llx\n", bt_stack_mask(bt));
+ WARN_ONCE(1, "verifier backtracking bug (callback leftover stack slots)");
+ return -EFAULT;
+ }
/* clear r1-r5 in callback subprog's mask */
for (i = BPF_REG_1; i <= BPF_REG_5; i++)
bt_clear_reg(bt, i);
@@ -4265,6 +4306,7 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int regno)
for (;;) {
DECLARE_BITMAP(mask, 64);
u32 history = st->jmp_history_cnt;
+ struct bpf_jmp_history_entry *hist;
if (env->log.level & BPF_LOG_LEVEL2) {
verbose(env, "mark_precise: frame%d: last_idx %d first_idx %d subseq_idx %d \n",
@@ -4328,7 +4370,8 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int regno)
err = 0;
skip_first = false;
} else {
- err = backtrack_insn(env, i, subseq_idx, bt);
+ hist = get_jmp_hist_entry(st, history, i);
+ err = backtrack_insn(env, i, subseq_idx, hist, bt);
}
if (err == -ENOTSUPP) {
mark_all_scalars_precise(env, env->cur_state);
@@ -4381,22 +4424,10 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int regno)
bitmap_from_u64(mask, bt_frame_stack_mask(bt, fr));
for_each_set_bit(i, mask, 64) {
if (i >= func->allocated_stack / BPF_REG_SIZE) {
- /* the sequence of instructions:
- * 2: (bf) r3 = r10
- * 3: (7b) *(u64 *)(r3 -8) = r0
- * 4: (79) r4 = *(u64 *)(r10 -8)
- * doesn't contain jmps. It's backtracked
- * as a single block.
- * During backtracking insn 3 is not recognized as
- * stack access, so at the end of backtracking
- * stack slot fp-8 is still marked in stack_mask.
- * However the parent state may not have accessed
- * fp-8 and it's "unallocated" stack space.
- * In such case fallback to conservative.
- */
- mark_all_scalars_precise(env, env->cur_state);
- bt_reset(bt);
- return 0;
+ verbose(env, "BUG backtracking (stack slot %d, total slots %d)\n",
+ i, func->allocated_stack / BPF_REG_SIZE);
+ WARN_ONCE(1, "verifier backtracking bug (stack slot out of bounds)");
+ return -EFAULT;
}
if (!is_spilled_scalar_reg(&func->stack[i])) {
@@ -4561,7 +4592,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
int i, slot = -off - 1, spi = slot / BPF_REG_SIZE, err;
struct bpf_insn *insn = &env->prog->insnsi[insn_idx];
struct bpf_reg_state *reg = NULL;
- u32 dst_reg = insn->dst_reg;
+ int insn_flags = insn_stack_access_flags(state->frameno, spi);
/* caller checked that off % size == 0 and -MAX_BPF_STACK <= off < 0,
* so it's aligned access and [off, off + size) are within stack limits
@@ -4599,17 +4630,6 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
mark_stack_slot_scratched(env, spi);
if (reg && !(off % BPF_REG_SIZE) && register_is_bounded(reg) &&
!register_is_null(reg) && env->bpf_capable) {
- if (dst_reg != BPF_REG_FP) {
- /* The backtracking logic can only recognize explicit
- * stack slot address like [fp - 8]. Other spill of
- * scalar via different register has to be conservative.
- * Backtrack from here and mark all registers as precise
- * that contributed into 'reg' being a constant.
- */
- err = mark_chain_precision(env, value_regno);
- if (err)
- return err;
- }
save_register_state(state, spi, reg, size);
/* Break the relation on a narrowing spill. */
if (fls64(reg->umax_value) > BITS_PER_BYTE * size)
@@ -4621,6 +4641,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
__mark_reg_known(&fake_reg, insn->imm);
fake_reg.type = SCALAR_VALUE;
save_register_state(state, spi, &fake_reg, size);
+ insn_flags = 0; /* not a register spill */
} else if (reg && is_spillable_regtype(reg->type)) {
/* register containing pointer is being spilled into stack */
if (size != BPF_REG_SIZE) {
@@ -4666,9 +4687,12 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
/* Mark slots affected by this stack write. */
for (i = 0; i < size; i++)
- state->stack[spi].slot_type[(slot - i) % BPF_REG_SIZE] =
- type;
+ state->stack[spi].slot_type[(slot - i) % BPF_REG_SIZE] = type;
+ insn_flags = 0; /* not a register spill */
}
+
+ if (insn_flags)
+ return push_jmp_history(env, env->cur_state, insn_flags);
return 0;
}
@@ -4857,6 +4881,7 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env,
int i, slot = -off - 1, spi = slot / BPF_REG_SIZE;
struct bpf_reg_state *reg;
u8 *stype, type;
+ int insn_flags = insn_stack_access_flags(reg_state->frameno, spi);
stype = reg_state->stack[spi].slot_type;
reg = ®_state->stack[spi].spilled_ptr;
@@ -4902,12 +4927,10 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env,
return -EACCES;
}
mark_reg_unknown(env, state->regs, dst_regno);
+ insn_flags = 0; /* not restoring original register state */
}
state->regs[dst_regno].live |= REG_LIVE_WRITTEN;
- return 0;
- }
-
- if (dst_regno >= 0) {
+ } else if (dst_regno >= 0) {
/* restore register state from stack */
copy_register_state(&state->regs[dst_regno], reg);
/* mark reg as written since spilled pointer state likely
@@ -4943,7 +4966,10 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env,
mark_reg_read(env, reg, reg->parent, REG_LIVE_READ64);
if (dst_regno >= 0)
mark_reg_stack_read(env, reg_state, off, off + size, dst_regno);
+ insn_flags = 0; /* we are not restoring spilled register */
}
+ if (insn_flags)
+ return push_jmp_history(env, env->cur_state, insn_flags);
return 0;
}
@@ -7027,7 +7053,6 @@ static int check_atomic(struct bpf_verifier_env *env, int insn_idx, struct bpf_i
BPF_SIZE(insn->code), BPF_WRITE, -1, true, false);
if (err)
return err;
-
return 0;
}
@@ -16773,7 +16798,8 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
* the precision needs to be propagated back in
* the current state.
*/
- err = err ? : push_jmp_history(env, cur);
+ if (is_jmp_point(env, env->insn_idx))
+ err = err ? : push_jmp_history(env, cur, 0);
err = err ? : propagate_precision(env, &sl->state);
if (err)
return err;
@@ -16997,6 +17023,9 @@ static int do_check(struct bpf_verifier_env *env)
u8 class;
int err;
+ /* reset current history entry on each new instruction */
+ env->cur_hist_ent = NULL;
+
env->prev_insn_idx = prev_insn_idx;
if (env->insn_idx >= insn_cnt) {
verbose(env, "invalid insn idx %d insn_cnt %d\n",
@@ -17036,7 +17065,7 @@ static int do_check(struct bpf_verifier_env *env)
}
if (is_jmp_point(env, env->insn_idx)) {
- err = push_jmp_history(env, state);
+ err = push_jmp_history(env, state, 0);
if (err)
return err;
}
diff --git a/tools/testing/selftests/bpf/progs/verifier_subprog_precision.c b/tools/testing/selftests/bpf/progs/verifier_subprog_precision.c
index f61d623b1ce8..f87365f7599b 100644
--- a/tools/testing/selftests/bpf/progs/verifier_subprog_precision.c
+++ b/tools/testing/selftests/bpf/progs/verifier_subprog_precision.c
@@ -541,11 +541,24 @@ static __u64 subprog_spill_reg_precise(void)
SEC("?raw_tp")
__success __log_level(2)
-/* precision backtracking can't currently handle stack access not through r10,
- * so we won't be able to mark stack slot fp-8 as precise, and so will
- * fallback to forcing all as precise
- */
-__msg("mark_precise: frame0: falling back to forcing all scalars precise")
+__msg("10: (0f) r1 += r7")
+__msg("mark_precise: frame0: last_idx 10 first_idx 7 subseq_idx -1")
+__msg("mark_precise: frame0: regs=r7 stack= before 9: (bf) r1 = r8")
+__msg("mark_precise: frame0: regs=r7 stack= before 8: (27) r7 *= 4")
+__msg("mark_precise: frame0: regs=r7 stack= before 7: (79) r7 = *(u64 *)(r10 -8)")
+__msg("mark_precise: frame0: parent state regs= stack=-8: R0_w=2 R6_w=1 R8_rw=map_value(map=.data.vals,ks=4,vs=16) R10=fp0 fp-8_rw=P1")
+__msg("mark_precise: frame0: last_idx 18 first_idx 0 subseq_idx 7")
+__msg("mark_precise: frame0: regs= stack=-8 before 18: (95) exit")
+__msg("mark_precise: frame1: regs= stack= before 17: (0f) r0 += r2")
+__msg("mark_precise: frame1: regs= stack= before 16: (79) r2 = *(u64 *)(r1 +0)")
+__msg("mark_precise: frame1: regs= stack= before 15: (79) r0 = *(u64 *)(r10 -16)")
+__msg("mark_precise: frame1: regs= stack= before 14: (7b) *(u64 *)(r10 -16) = r2")
+__msg("mark_precise: frame1: regs= stack= before 13: (7b) *(u64 *)(r1 +0) = r2")
+__msg("mark_precise: frame1: regs=r2 stack= before 6: (85) call pc+6")
+__msg("mark_precise: frame0: regs=r2 stack= before 5: (bf) r2 = r6")
+__msg("mark_precise: frame0: regs=r6 stack= before 4: (07) r1 += -8")
+__msg("mark_precise: frame0: regs=r6 stack= before 3: (bf) r1 = r10")
+__msg("mark_precise: frame0: regs=r6 stack= before 2: (b7) r6 = 1")
__naked int subprog_spill_into_parent_stack_slot_precise(void)
{
asm volatile (
diff --git a/tools/testing/selftests/bpf/verifier/precise.c b/tools/testing/selftests/bpf/verifier/precise.c
index 0d84dd1f38b6..8a2ff81d8350 100644
--- a/tools/testing/selftests/bpf/verifier/precise.c
+++ b/tools/testing/selftests/bpf/verifier/precise.c
@@ -140,10 +140,11 @@
.result = REJECT,
},
{
- "precise: ST insn causing spi > allocated_stack",
+ "precise: ST zero to stack insn is supported",
.insns = {
BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
BPF_JMP_IMM(BPF_JNE, BPF_REG_3, 123, 0),
+ /* not a register spill, so we stop precision propagation for R4 here */
BPF_ST_MEM(BPF_DW, BPF_REG_3, -8, 0),
BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
BPF_MOV64_IMM(BPF_REG_0, -1),
@@ -157,11 +158,11 @@
mark_precise: frame0: last_idx 4 first_idx 2\
mark_precise: frame0: regs=r4 stack= before 4\
mark_precise: frame0: regs=r4 stack= before 3\
- mark_precise: frame0: regs= stack=-8 before 2\
- mark_precise: frame0: falling back to forcing all scalars precise\
- force_precise: frame0: forcing r0 to be precise\
mark_precise: frame0: last_idx 5 first_idx 5\
- mark_precise: frame0: parent state regs= stack=:",
+ mark_precise: frame0: parent state regs=r0 stack=:\
+ mark_precise: frame0: last_idx 4 first_idx 2\
+ mark_precise: frame0: regs=r0 stack= before 4\
+ 5: R0=-1 R4=0",
.result = VERBOSE_ACCEPT,
.retval = -1,
},
@@ -169,6 +170,8 @@
"precise: STX insn causing spi > allocated_stack",
.insns = {
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
+ /* make later reg spill more interesting by having somewhat known scalar */
+ BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
BPF_JMP_IMM(BPF_JNE, BPF_REG_3, 123, 0),
BPF_STX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, -8),
@@ -179,18 +182,21 @@
},
.prog_type = BPF_PROG_TYPE_XDP,
.flags = BPF_F_TEST_STATE_FREQ,
- .errstr = "mark_precise: frame0: last_idx 6 first_idx 6\
+ .errstr = "mark_precise: frame0: last_idx 7 first_idx 7\
mark_precise: frame0: parent state regs=r4 stack=:\
- mark_precise: frame0: last_idx 5 first_idx 3\
- mark_precise: frame0: regs=r4 stack= before 5\
- mark_precise: frame0: regs=r4 stack= before 4\
- mark_precise: frame0: regs= stack=-8 before 3\
- mark_precise: frame0: falling back to forcing all scalars precise\
- force_precise: frame0: forcing r0 to be precise\
- force_precise: frame0: forcing r0 to be precise\
- force_precise: frame0: forcing r0 to be precise\
- force_precise: frame0: forcing r0 to be precise\
- mark_precise: frame0: last_idx 6 first_idx 6\
+ mark_precise: frame0: last_idx 6 first_idx 4\
+ mark_precise: frame0: regs=r4 stack= before 6: (b7) r0 = -1\
+ mark_precise: frame0: regs=r4 stack= before 5: (79) r4 = *(u64 *)(r10 -8)\
+ mark_precise: frame0: regs= stack=-8 before 4: (7b) *(u64 *)(r3 -8) = r0\
+ mark_precise: frame0: parent state regs=r0 stack=:\
+ mark_precise: frame0: last_idx 3 first_idx 3\
+ mark_precise: frame0: regs=r0 stack= before 3: (55) if r3 != 0x7b goto pc+0\
+ mark_precise: frame0: regs=r0 stack= before 2: (bf) r3 = r10\
+ mark_precise: frame0: regs=r0 stack= before 1: (57) r0 &= 255\
+ mark_precise: frame0: parent state regs=r0 stack=:\
+ mark_precise: frame0: last_idx 0 first_idx 0\
+ mark_precise: frame0: regs=r0 stack= before 0: (85) call bpf_get_prandom_u32#7\
+ mark_precise: frame0: last_idx 7 first_idx 7\
mark_precise: frame0: parent state regs= stack=:",
.result = VERBOSE_ACCEPT,
.retval = -1,
--
2.47.0
3 months, 3 weeks
- 3
- 5
[PATCH] PCI: fix reference leak in pci_register_host_bridge()
by Ma Ke
Once device_register() failed, we should call put_device() to
decrement reference count for cleanup. Or it could cause memory leak.
device_register() includes device_add(). As comment of device_add()
says, 'if device_add() succeeds, you should call device_del() when you
want to get rid of it. If device_add() has not succeeded, use only
put_device() to drop the reference count'.
Found by code review.
Cc: stable(a)vger.kernel.org
Fixes: 37d6a0a6f470 ("PCI: Add pci_register_host_bridge() interface")
Signed-off-by: Ma Ke <make24(a)iscas.ac.cn>
---
drivers/pci/probe.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index 2e81ab0f5a25..73464ffbb0fc 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -974,8 +974,10 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge)
name = dev_name(&bus->dev);
err = device_register(&bus->dev);
- if (err)
+ if (err) {
+ put_device(&bus->dev);
goto unregister;
+ }
pcibios_add_bus(bus);
--
2.25.1
3 months, 3 weeks
- 2
- 1
[PATCH v2, 2/2] usb: typec: tcpm: fix the sender response time issue
by joswang
From: Jos Wang <joswang(a)lenovo.com>
According to the USB PD3 CTS specification
(https://usb.org/document-library/
usb-power-delivery-compliance-test-specification-0/
USB_PD3_CTS_Q4_2024_OR.zip), the requirements for
tSenderResponse are different in PD2 and PD3 modes, see
Table 19 Timing Table & Calculations. For PD2 mode, the
tSenderResponse min 24ms and max 30ms; for PD3 mode, the
tSenderResponse min 27ms and max 33ms.
For the "TEST.PD.PROT.SRC.2 Get_Source_Cap No Request" test
item, after receiving the Source_Capabilities Message sent by
the UUT, the tester deliberately does not send a Request Message
in order to force the SenderResponse timer on the Source UUT to
timeout. The Tester checks that a Hard Reset is detected between
tSenderResponse min and max,the delay is between the last bit of
the GoodCRC Message EOP has been sent and the first bit of Hard
Reset SOP has been received. The current code does not distinguish
between PD2 and PD3 modes, and tSenderResponse defaults to 60ms.
This will cause this test item and the following tests to fail:
TEST.PD.PROT.SRC3.2 SenderResponseTimer Timeout
TEST.PD.PROT.SNK.6 SenderResponseTimer Timeout
Considering factors such as SOC performance, i2c rate, and the speed
of PD chip sending data, "pd2-sender-response-time-ms" and
"pd3-sender-response-time-ms" DT time properties are added to allow
users to define platform timing. For values that have not been
explicitly defined in DT using this property, a default value of 27ms
for PD2 tSenderResponse and 30ms for PD3 tSenderResponse is set.
Fixes: 2eadc33f40d4 ("typec: tcpm: Add core support for sink side PPS")
Cc: stable(a)vger.kernel.org
Signed-off-by: Jos Wang <joswang(a)lenovo.com>
---
v1 -> v2:
- modify the commit message
- patch 1/2 and patch 2/2 are placed in the same thread
drivers/usb/typec/tcpm/tcpm.c | 50 +++++++++++++++++++++++------------
include/linux/usb/pd.h | 3 ++-
2 files changed, 35 insertions(+), 18 deletions(-)
diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c
index 6021eeb903fe..3a159bfcf382 100644
--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -314,12 +314,16 @@ struct pd_data {
* @sink_wait_cap_time: Deadline (in ms) for tTypeCSinkWaitCap timer
* @ps_src_wait_off_time: Deadline (in ms) for tPSSourceOff timer
* @cc_debounce_time: Deadline (in ms) for tCCDebounce timer
+ * @pd2_sender_response_time: Deadline (in ms) for pd20 tSenderResponse timer
+ * @pd3_sender_response_time: Deadline (in ms) for pd30 tSenderResponse timer
*/
struct pd_timings {
u32 sink_wait_cap_time;
u32 ps_src_off_time;
u32 cc_debounce_time;
u32 snk_bc12_cmpletion_time;
+ u32 pd2_sender_response_time;
+ u32 pd3_sender_response_time;
};
struct tcpm_port {
@@ -3776,7 +3780,9 @@ static bool tcpm_send_queued_message(struct tcpm_port *port)
} else if (port->pwr_role == TYPEC_SOURCE) {
tcpm_ams_finish(port);
tcpm_set_state(port, HARD_RESET_SEND,
- PD_T_SENDER_RESPONSE);
+ port->negotiated_rev >= PD_REV30 ?
+ port->timings.pd3_sender_response_time :
+ port->timings.pd2_sender_response_time);
} else {
tcpm_ams_finish(port);
}
@@ -4619,6 +4625,9 @@ static void run_state_machine(struct tcpm_port *port)
enum typec_pwr_opmode opmode;
unsigned int msecs;
enum tcpm_state upcoming_state;
+ u32 sender_response_time = port->negotiated_rev >= PD_REV30 ?
+ port->timings.pd3_sender_response_time :
+ port->timings.pd2_sender_response_time;
if (port->tcpc->check_contaminant && port->state != CHECK_CONTAMINANT)
port->potential_contaminant = ((port->enter_state == SRC_ATTACH_WAIT &&
@@ -5113,7 +5122,7 @@ static void run_state_machine(struct tcpm_port *port)
tcpm_set_state(port, SNK_WAIT_CAPABILITIES, 0);
} else {
tcpm_set_state_cond(port, hard_reset_state(port),
- PD_T_SENDER_RESPONSE);
+ sender_response_time);
}
break;
case SNK_NEGOTIATE_PPS_CAPABILITIES:
@@ -5135,7 +5144,7 @@ static void run_state_machine(struct tcpm_port *port)
tcpm_set_state(port, SNK_READY, 0);
} else {
tcpm_set_state_cond(port, hard_reset_state(port),
- PD_T_SENDER_RESPONSE);
+ sender_response_time);
}
break;
case SNK_TRANSITION_SINK:
@@ -5387,7 +5396,7 @@ static void run_state_machine(struct tcpm_port *port)
port->message_id_prime = 0;
port->rx_msgid_prime = -1;
tcpm_pd_send_control(port, PD_CTRL_SOFT_RESET, TCPC_TX_SOP_PRIME);
- tcpm_set_state_cond(port, ready_state(port), PD_T_SENDER_RESPONSE);
+ tcpm_set_state_cond(port, ready_state(port), sender_response_time);
} else {
port->message_id = 0;
port->rx_msgid = -1;
@@ -5398,7 +5407,7 @@ static void run_state_machine(struct tcpm_port *port)
tcpm_set_state_cond(port, hard_reset_state(port), 0);
else
tcpm_set_state_cond(port, hard_reset_state(port),
- PD_T_SENDER_RESPONSE);
+ sender_response_time);
}
break;
@@ -5409,8 +5418,7 @@ static void run_state_machine(struct tcpm_port *port)
port->send_discover = true;
port->send_discover_prime = false;
}
- tcpm_set_state_cond(port, DR_SWAP_SEND_TIMEOUT,
- PD_T_SENDER_RESPONSE);
+ tcpm_set_state_cond(port, DR_SWAP_SEND_TIMEOUT, sender_response_time);
break;
case DR_SWAP_ACCEPT:
tcpm_pd_send_control(port, PD_CTRL_ACCEPT, TCPC_TX_SOP);
@@ -5444,7 +5452,7 @@ static void run_state_machine(struct tcpm_port *port)
tcpm_set_state(port, ERROR_RECOVERY, 0);
break;
}
- tcpm_set_state_cond(port, FR_SWAP_SEND_TIMEOUT, PD_T_SENDER_RESPONSE);
+ tcpm_set_state_cond(port, FR_SWAP_SEND_TIMEOUT, sender_response_time);
break;
case FR_SWAP_SEND_TIMEOUT:
tcpm_set_state(port, ERROR_RECOVERY, 0);
@@ -5475,8 +5483,7 @@ static void run_state_machine(struct tcpm_port *port)
break;
case PR_SWAP_SEND:
tcpm_pd_send_control(port, PD_CTRL_PR_SWAP, TCPC_TX_SOP);
- tcpm_set_state_cond(port, PR_SWAP_SEND_TIMEOUT,
- PD_T_SENDER_RESPONSE);
+ tcpm_set_state_cond(port, PR_SWAP_SEND_TIMEOUT, sender_response_time);
break;
case PR_SWAP_SEND_TIMEOUT:
tcpm_swap_complete(port, -ETIMEDOUT);
@@ -5574,8 +5581,7 @@ static void run_state_machine(struct tcpm_port *port)
break;
case VCONN_SWAP_SEND:
tcpm_pd_send_control(port, PD_CTRL_VCONN_SWAP, TCPC_TX_SOP);
- tcpm_set_state(port, VCONN_SWAP_SEND_TIMEOUT,
- PD_T_SENDER_RESPONSE);
+ tcpm_set_state(port, VCONN_SWAP_SEND_TIMEOUT, sender_response_time);
break;
case VCONN_SWAP_SEND_TIMEOUT:
tcpm_swap_complete(port, -ETIMEDOUT);
@@ -5656,23 +5662,21 @@ static void run_state_machine(struct tcpm_port *port)
break;
case GET_STATUS_SEND:
tcpm_pd_send_control(port, PD_CTRL_GET_STATUS, TCPC_TX_SOP);
- tcpm_set_state(port, GET_STATUS_SEND_TIMEOUT,
- PD_T_SENDER_RESPONSE);
+ tcpm_set_state(port, GET_STATUS_SEND_TIMEOUT, sender_response_time);
break;
case GET_STATUS_SEND_TIMEOUT:
tcpm_set_state(port, ready_state(port), 0);
break;
case GET_PPS_STATUS_SEND:
tcpm_pd_send_control(port, PD_CTRL_GET_PPS_STATUS, TCPC_TX_SOP);
- tcpm_set_state(port, GET_PPS_STATUS_SEND_TIMEOUT,
- PD_T_SENDER_RESPONSE);
+ tcpm_set_state(port, GET_PPS_STATUS_SEND_TIMEOUT, sender_response_time);
break;
case GET_PPS_STATUS_SEND_TIMEOUT:
tcpm_set_state(port, ready_state(port), 0);
break;
case GET_SINK_CAP:
tcpm_pd_send_control(port, PD_CTRL_GET_SINK_CAP, TCPC_TX_SOP);
- tcpm_set_state(port, GET_SINK_CAP_TIMEOUT, PD_T_SENDER_RESPONSE);
+ tcpm_set_state(port, GET_SINK_CAP_TIMEOUT, sender_response_time);
break;
case GET_SINK_CAP_TIMEOUT:
port->sink_cap_done = true;
@@ -7109,6 +7113,18 @@ static void tcpm_fw_get_timings(struct tcpm_port *port, struct fwnode_handle *fw
ret = fwnode_property_read_u32(fwnode, "sink-bc12-completion-time-ms", &val);
if (!ret)
port->timings.snk_bc12_cmpletion_time = val;
+
+ ret = fwnode_property_read_u32(fwnode, "pd2-sender-response-time-ms", &val);
+ if (!ret)
+ port->timings.pd2_sender_response_time = val;
+ else
+ port->timings.pd2_sender_response_time = PD_T_PD2_SENDER_RESPONSE;
+
+ ret = fwnode_property_read_u32(fwnode, "pd3-sender-response-time-ms", &val);
+ if (!ret)
+ port->timings.pd3_sender_response_time = val;
+ else
+ port->timings.pd3_sender_response_time = PD_T_PD3_SENDER_RESPONSE;
}
static int tcpm_fw_get_caps(struct tcpm_port *port, struct fwnode_handle *fwnode)
diff --git a/include/linux/usb/pd.h b/include/linux/usb/pd.h
index d50098fb16b5..9c599e851b9a 100644
--- a/include/linux/usb/pd.h
+++ b/include/linux/usb/pd.h
@@ -457,7 +457,6 @@ static inline unsigned int rdo_max_power(u32 rdo)
#define PD_T_NO_RESPONSE 5000 /* 4.5 - 5.5 seconds */
#define PD_T_DB_DETECT 10000 /* 10 - 15 seconds */
#define PD_T_SEND_SOURCE_CAP 150 /* 100 - 200 ms */
-#define PD_T_SENDER_RESPONSE 60 /* 24 - 30 ms, relaxed */
#define PD_T_RECEIVER_RESPONSE 15 /* 15ms max */
#define PD_T_SOURCE_ACTIVITY 45
#define PD_T_SINK_ACTIVITY 135
@@ -491,6 +490,8 @@ static inline unsigned int rdo_max_power(u32 rdo)
#define PD_T_CC_DEBOUNCE 200 /* 100 - 200 ms */
#define PD_T_PD_DEBOUNCE 20 /* 10 - 20 ms */
#define PD_T_TRY_CC_DEBOUNCE 15 /* 10 - 20 ms */
+#define PD_T_PD2_SENDER_RESPONSE 27 /* PD20 spec 24 - 30 ms */
+#define PD_T_PD3_SENDER_RESPONSE 30 /* PD30 spec 27 - 33 ms */
#define PD_N_CAPS_COUNT (PD_T_NO_RESPONSE / PD_T_SEND_SOURCE_CAP)
#define PD_N_HARD_RESET_COUNT 2
--
2.17.1
3 months, 3 weeks
- 3
- 7
[PATCH] [ARM] fix reference leak in locomo_init_one_child()
by Ma Ke
Once device_register() failed, we should call put_device() to
decrement reference count for cleanup. Or it could cause memory leak.
device_register() includes device_add(). As comment of device_add()
says, 'if device_add() succeeds, you should call device_del() when you
want to get rid of it. If device_add() has not succeeded, use only
put_device() to drop the reference count'.
Found by code review.
Cc: stable(a)vger.kernel.org
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Ma Ke <make24(a)iscas.ac.cn>
---
arch/arm/common/locomo.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm/common/locomo.c b/arch/arm/common/locomo.c
index cb6ef449b987..7274010218ec 100644
--- a/arch/arm/common/locomo.c
+++ b/arch/arm/common/locomo.c
@@ -255,6 +255,7 @@ locomo_init_one_child(struct locomo *lchip, struct locomo_dev_info *info)
ret = device_register(&dev->dev);
if (ret) {
+ put_device(&dev->dev);
out:
kfree(dev);
}
--
2.25.1
3 months, 3 weeks
- 2
- 1
[PATCH v6 0/8] driver core: class: Fix bug and code improvements for class APIs
by Zijun Hu
This patch series is to fix bugs and improve codes regarding various
driver core device iterating APIs
Signed-off-by: Zijun Hu <quic_zijuhu(a)quicinc.com>
---
Changes in v6:
- Remove dependencies since they have been merged into driver-core tree
- Link to v5: https://lore.kernel.org/r/20241224-class_fix-v5-0-9eaaf7abe843@quicinc.com
Changes in v5:
- Add comments back and correct tile and commit messages for patch 8/8.
- Link to v4: https://lore.kernel.org/r/20241218-class_fix-v4-0-3c40f098356b@quicinc.com
Changes in v4:
- Squich patches 3-5 into one based on Jonathan and Fan comments.
- Add one more patch
- Link to v3: https://lore.kernel.org/r/20241212-class_fix-v3-0-04e20c4f0971@quicinc.com
Changes in v3:
- Correct commit message, add fix tag, and correct pr_crit() message for 1st patch
- Add more patches regarding driver core device iterating APIs.
- Link to v2: https://lore.kernel.org/r/20241112-class_fix-v2-0-73d198d0a0d5@quicinc.com
Changes in v2:
- Remove both fix and stable tag for patch 1/3
- drop patch 3/3
- Link to v1: https://lore.kernel.org/r/20241105-class_fix-v1-0-80866f9994a5@quicinc.com
---
Zijun Hu (8):
driver core: class: Fix wild pointer dereferences in API class_dev_iter_next()
blk-cgroup: Fix class @block_class's subsystem refcount leakage
driver core: Move true expression out of if condition in 3 device finding APIs
driver core: Rename declaration parameter name for API device_find_child() cluster
driver core: Correct parameter check for API device_for_each_child_reverse_from()
driver core: Correct API device_for_each_child_reverse_from() prototype
driver core: Introduce device_iter_t for device iterating APIs
driver core: Move two simple APIs for finding child device to header
block/blk-cgroup.c | 1 +
drivers/base/bus.c | 9 +++++---
drivers/base/class.c | 11 ++++++++--
drivers/base/core.c | 49 +++++++++----------------------------------
drivers/base/driver.c | 9 +++++---
drivers/cxl/core/hdm.c | 2 +-
drivers/cxl/core/region.c | 2 +-
include/linux/device.h | 46 +++++++++++++++++++++++++++++++---------
include/linux/device/bus.h | 7 +++++--
include/linux/device/class.h | 4 ++--
include/linux/device/driver.h | 2 +-
11 files changed, 78 insertions(+), 64 deletions(-)
---
base-commit: 7687c66c18c66d4ccd9949c6f641c0e7b5773483
change-id: 20241104-class_fix-f176bd9eba22
Best regards,
--
Zijun Hu <quic_zijuhu(a)quicinc.com>
3 months, 3 weeks
- 1
- 1
[PATCH v2 1/2] HID: hid-plantronics: Add mic mute mapping and generalize quirks
by Wade Wang
From: Terry Junge <linuxhid(a)cosmicgizmosystems.com>
Add mapping for headset mute key events.
Remove PLT_QUIRK_DOUBLE_VOLUME_KEYS quirk and made it generic.
The quirk logic did not keep track of the actual previous key
so any key event occurring in less than or equal to 5ms was ignored.
Remove PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS quirk.
It had the same logic issue as the double key quirk and was actually
masking the as designed behavior of most of the headsets.
It's occurrence should be minimized with the ALSA control naming
quirk that is part of the patch set.
Signed-off-by: Terry Junge <linuxhid(a)cosmicgizmosystems.com>
Signed-off-by: Wade Wang <wade.wang(a)hp.com>
Cc: stable(a)vger.kernel.org
---
V1 -> V2: Optimize out 2 macros - no functional changes
drivers/hid/hid-plantronics.c | 144 ++++++++++++++++------------------
1 file changed, 67 insertions(+), 77 deletions(-)
diff --git a/drivers/hid/hid-plantronics.c b/drivers/hid/hid-plantronics.c
index 25cfd964dc25..acb9eb18f7cc 100644
--- a/drivers/hid/hid-plantronics.c
+++ b/drivers/hid/hid-plantronics.c
@@ -6,9 +6,6 @@
* Copyright (c) 2015-2018 Terry Junge <terry.junge(a)plantronics.com>
*/
-/*
- */
-
#include "hid-ids.h"
#include <linux/hid.h>
@@ -23,30 +20,28 @@
#define PLT_VOL_UP 0x00b1
#define PLT_VOL_DOWN 0x00b2
+#define PLT_MIC_MUTE 0x00b5
#define PLT1_VOL_UP (PLT_HID_1_0_PAGE | PLT_VOL_UP)
#define PLT1_VOL_DOWN (PLT_HID_1_0_PAGE | PLT_VOL_DOWN)
+#define PLT1_MIC_MUTE (PLT_HID_1_0_PAGE | PLT_MIC_MUTE)
#define PLT2_VOL_UP (PLT_HID_2_0_PAGE | PLT_VOL_UP)
#define PLT2_VOL_DOWN (PLT_HID_2_0_PAGE | PLT_VOL_DOWN)
+#define PLT2_MIC_MUTE (PLT_HID_2_0_PAGE | PLT_MIC_MUTE)
+#define HID_TELEPHONY_MUTE (HID_UP_TELEPHONY | 0x2f)
+#define HID_CONSUMER_MUTE (HID_UP_CONSUMER | 0xe2)
#define PLT_DA60 0xda60
#define PLT_BT300_MIN 0x0413
#define PLT_BT300_MAX 0x0418
-
-#define PLT_ALLOW_CONSUMER (field->application == HID_CP_CONSUMERCONTROL && \
- (usage->hid & HID_USAGE_PAGE) == HID_UP_CONSUMER)
-
-#define PLT_QUIRK_DOUBLE_VOLUME_KEYS BIT(0)
-#define PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS BIT(1)
-
#define PLT_DOUBLE_KEY_TIMEOUT 5 /* ms */
-#define PLT_FOLLOWED_OPPOSITE_KEY_TIMEOUT 220 /* ms */
struct plt_drv_data {
unsigned long device_type;
- unsigned long last_volume_key_ts;
- u32 quirks;
+ unsigned long last_key_ts;
+ unsigned long double_key_to;
+ __u16 last_key;
};
static int plantronics_input_mapping(struct hid_device *hdev,
@@ -58,34 +53,43 @@ static int plantronics_input_mapping(struct hid_device *hdev,
unsigned short mapped_key;
struct plt_drv_data *drv_data = hid_get_drvdata(hdev);
unsigned long plt_type = drv_data->device_type;
+ int allow_mute = usage->hid == HID_TELEPHONY_MUTE;
+ int allow_consumer = field->application == HID_CP_CONSUMERCONTROL &&
+ (usage->hid & HID_USAGE_PAGE) == HID_UP_CONSUMER &&
+ usage->hid != HID_CONSUMER_MUTE;
/* special case for PTT products */
if (field->application == HID_GD_JOYSTICK)
goto defaulted;
- /* handle volume up/down mapping */
/* non-standard types or multi-HID interfaces - plt_type is PID */
if (!(plt_type & HID_USAGE_PAGE)) {
switch (plt_type) {
case PLT_DA60:
- if (PLT_ALLOW_CONSUMER)
+ if (allow_consumer)
goto defaulted;
- goto ignored;
+ if (usage->hid == HID_CONSUMER_MUTE) {
+ mapped_key = KEY_MICMUTE;
+ goto mapped;
+ }
+ break;
default:
- if (PLT_ALLOW_CONSUMER)
+ if (allow_consumer || allow_mute)
goto defaulted;
}
+ goto ignored;
}
- /* handle standard types - plt_type is 0xffa0uuuu or 0xffa2uuuu */
- /* 'basic telephony compliant' - allow default consumer page map */
- else if ((plt_type & HID_USAGE) >= PLT_BASIC_TELEPHONY &&
- (plt_type & HID_USAGE) != PLT_BASIC_EXCEPTION) {
- if (PLT_ALLOW_CONSUMER)
- goto defaulted;
- }
- /* not 'basic telephony' - apply legacy mapping */
- /* only map if the field is in the device's primary vendor page */
- else if (!((field->application ^ plt_type) & HID_USAGE_PAGE)) {
+
+ /* handle standard consumer control mapping */
+ /* and standard telephony mic mute mapping */
+ if (allow_consumer || allow_mute)
+ goto defaulted;
+
+ /* handle vendor unique types - plt_type is 0xffa0uuuu or 0xffa2uuuu */
+ /* if not 'basic telephony compliant' - map vendor unique controls */
+ if (!((plt_type & HID_USAGE) >= PLT_BASIC_TELEPHONY &&
+ (plt_type & HID_USAGE) != PLT_BASIC_EXCEPTION) &&
+ !((field->application ^ plt_type) & HID_USAGE_PAGE))
switch (usage->hid) {
case PLT1_VOL_UP:
case PLT2_VOL_UP:
@@ -95,8 +99,11 @@ static int plantronics_input_mapping(struct hid_device *hdev,
case PLT2_VOL_DOWN:
mapped_key = KEY_VOLUMEDOWN;
goto mapped;
+ case PLT1_MIC_MUTE:
+ case PLT2_MIC_MUTE:
+ mapped_key = KEY_MICMUTE;
+ goto mapped;
}
- }
/*
* Future mapping of call control or other usages,
@@ -105,6 +112,8 @@ static int plantronics_input_mapping(struct hid_device *hdev,
*/
ignored:
+ hid_dbg(hdev, "usage: %08x (appl: %08x) - ignored\n",
+ usage->hid, field->application);
return -1;
defaulted:
@@ -123,38 +132,26 @@ static int plantronics_event(struct hid_device *hdev, struct hid_field *field,
struct hid_usage *usage, __s32 value)
{
struct plt_drv_data *drv_data = hid_get_drvdata(hdev);
+ unsigned long prev_tsto, cur_ts;
+ __u16 prev_key, cur_key;
- if (drv_data->quirks & PLT_QUIRK_DOUBLE_VOLUME_KEYS) {
- unsigned long prev_ts, cur_ts;
+ /* Usages are filtered in plantronics_usages. */
- /* Usages are filtered in plantronics_usages. */
+ /* HZ too low for ms resolution - double key detection disabled */
+ /* or it is a key release - handle key presses only. */
+ if (!drv_data->double_key_to || !value)
+ return 0;
- if (!value) /* Handle key presses only. */
- return 0;
+ prev_tsto = drv_data->last_key_ts + drv_data->double_key_to;
+ cur_ts = drv_data->last_key_ts = jiffies;
+ prev_key = drv_data->last_key;
+ cur_key = drv_data->last_key = usage->code;
- prev_ts = drv_data->last_volume_key_ts;
- cur_ts = jiffies;
- if (jiffies_to_msecs(cur_ts - prev_ts) <= PLT_DOUBLE_KEY_TIMEOUT)
- return 1; /* Ignore the repeated key. */
-
- drv_data->last_volume_key_ts = cur_ts;
+ /* If the same key occurs in <= double_key_to -- ignore it */
+ if (prev_key == cur_key && time_before_eq(cur_ts, prev_tsto)) {
+ hid_dbg(hdev, "double key %d ignored\n", cur_key);
+ return 1; /* Ignore the repeated key. */
}
- if (drv_data->quirks & PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS) {
- unsigned long prev_ts, cur_ts;
-
- /* Usages are filtered in plantronics_usages. */
-
- if (!value) /* Handle key presses only. */
- return 0;
-
- prev_ts = drv_data->last_volume_key_ts;
- cur_ts = jiffies;
- if (jiffies_to_msecs(cur_ts - prev_ts) <= PLT_FOLLOWED_OPPOSITE_KEY_TIMEOUT)
- return 1; /* Ignore the followed opposite volume key. */
-
- drv_data->last_volume_key_ts = cur_ts;
- }
-
return 0;
}
@@ -196,12 +193,16 @@ static int plantronics_probe(struct hid_device *hdev,
ret = hid_parse(hdev);
if (ret) {
hid_err(hdev, "parse failed\n");
- goto err;
+ return ret;
}
drv_data->device_type = plantronics_device_type(hdev);
- drv_data->quirks = id->driver_data;
- drv_data->last_volume_key_ts = jiffies - msecs_to_jiffies(PLT_DOUBLE_KEY_TIMEOUT);
+ drv_data->double_key_to = msecs_to_jiffies(PLT_DOUBLE_KEY_TIMEOUT);
+ drv_data->last_key_ts = jiffies - drv_data->double_key_to;
+
+ /* if HZ does not allow ms resolution - disable double key detection */
+ if (drv_data->double_key_to < PLT_DOUBLE_KEY_TIMEOUT)
+ drv_data->double_key_to = 0;
hid_set_drvdata(hdev, drv_data);
@@ -210,29 +211,10 @@ static int plantronics_probe(struct hid_device *hdev,
if (ret)
hid_err(hdev, "hw start failed\n");
-err:
return ret;
}
static const struct hid_device_id plantronics_devices[] = {
- { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS,
- USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3210_SERIES),
- .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS },
- { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS,
- USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3220_SERIES),
- .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS },
- { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS,
- USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3215_SERIES),
- .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS },
- { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS,
- USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3225_SERIES),
- .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS },
- { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS,
- USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3325_SERIES),
- .driver_data = PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS },
- { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS,
- USB_DEVICE_ID_PLANTRONICS_ENCOREPRO_500_SERIES),
- .driver_data = PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS },
{ HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, HID_ANY_ID) },
{ }
};
@@ -241,6 +223,14 @@ MODULE_DEVICE_TABLE(hid, plantronics_devices);
static const struct hid_usage_id plantronics_usages[] = {
{ HID_CP_VOLUMEUP, EV_KEY, HID_ANY_ID },
{ HID_CP_VOLUMEDOWN, EV_KEY, HID_ANY_ID },
+ { HID_TELEPHONY_MUTE, EV_KEY, HID_ANY_ID },
+ { HID_CONSUMER_MUTE, EV_KEY, HID_ANY_ID },
+ { PLT2_VOL_UP, EV_KEY, HID_ANY_ID },
+ { PLT2_VOL_DOWN, EV_KEY, HID_ANY_ID },
+ { PLT2_MIC_MUTE, EV_KEY, HID_ANY_ID },
+ { PLT1_VOL_UP, EV_KEY, HID_ANY_ID },
+ { PLT1_VOL_DOWN, EV_KEY, HID_ANY_ID },
+ { PLT1_MIC_MUTE, EV_KEY, HID_ANY_ID },
{ HID_TERMINATOR, HID_TERMINATOR, HID_TERMINATOR }
};
--
2.43.0
3 months, 4 weeks
- 3
- 5
[PATCH] arm64: Filter out SVE hwcaps when FEAT_SVE isn't implemented
by Marc Zyngier
The hwcaps code that exposes SVE features to userspace only
considers ID_AA64ZFR0_EL1, while this is only valid when
ID_AA64PFR0_EL1.SVE advertises that SVE is actually supported.
The expectations are that when ID_AA64PFR0_EL1.SVE is 0, the
ID_AA64ZFR0_EL1 register is also 0. So far, so good.
Things become a bit more interesting if the HW implements SME.
In this case, a few ID_AA64ZFR0_EL1 fields indicate *SME*
features. And these fields overlap with their SVE interpretations.
But the architecture says that the SME and SVE feature sets must
match, so we're still hunky-dory.
This goes wrong if the HW implements SME, but not SVE. In this
case, we end-up advertising some SVE features to userspace, even
if the HW has none. That's because we never consider whether SVE
is actually implemented. Oh well.
Fix it by restricting all SVE capabilities to ID_AA64PFR0_EL1.SVE
being non-zero.
Reported-by: Catalin Marinas <catalin.marinas(a)arm.com>
Signed-off-by: Marc Zyngier <maz(a)kernel.org>
Cc: Will Deacon <will(a)kernel.org>
Cc: Mark Rutland <mark.rutland(a)arm.com>
Cc: Mark Brown <broonie(a)kernel.org>
Cc: stable(a)vger.kernel.org
---
arch/arm64/kernel/cpufeature.c | 58 ++++++++++++++++++++++++----------
1 file changed, 41 insertions(+), 17 deletions(-)
diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
index 6ce71f444ed84..d793ca08549cd 100644
--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -1593,14 +1593,19 @@ feature_matches(u64 reg, const struct arm64_cpu_capabilities *entry)
return val >= min && val <= max;
}
-static u64
-read_scoped_sysreg(const struct arm64_cpu_capabilities *entry, int scope)
+static u64 __read_scoped_sysreg(u64 reg, int scope)
{
WARN_ON(scope == SCOPE_LOCAL_CPU && preemptible());
if (scope == SCOPE_SYSTEM)
- return read_sanitised_ftr_reg(entry->sys_reg);
+ return read_sanitised_ftr_reg(reg);
else
- return __read_sysreg_by_encoding(entry->sys_reg);
+ return __read_sysreg_by_encoding(reg);
+}
+
+static u64
+read_scoped_sysreg(const struct arm64_cpu_capabilities *entry, int scope)
+{
+ return __read_scoped_sysreg(entry->sys_reg, scope);
}
static bool
@@ -3022,6 +3027,13 @@ static const struct arm64_cpu_capabilities arm64_features[] = {
.matches = match, \
}
+#define HWCAP_CAP_MATCH_ID(match, reg, field, min_value, cap_type, cap) \
+ { \
+ __HWCAP_CAP(#cap, cap_type, cap) \
+ HWCAP_CPUID_MATCH(reg, field, min_value) \
+ .matches = match, \
+ }
+
#ifdef CONFIG_ARM64_PTR_AUTH
static const struct arm64_cpu_capabilities ptr_auth_hwcap_addr_matches[] = {
{
@@ -3050,6 +3062,18 @@ static const struct arm64_cpu_capabilities ptr_auth_hwcap_gen_matches[] = {
};
#endif
+#ifdef CONFIG_ARM64_SVE
+static bool has_sve(const struct arm64_cpu_capabilities *cap, int scope)
+{
+ u64 aa64pfr0 = __read_scoped_sysreg(SYS_ID_AA64PFR0_EL1, scope);
+
+ if (FIELD_GET(ID_AA64PFR0_EL1_SVE, aa64pfr0) < ID_AA64PFR0_EL1_SVE_IMP)
+ return false;
+
+ return has_user_cpuid_feature(cap, scope);
+}
+#endif
+
static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = {
HWCAP_CAP(ID_AA64ISAR0_EL1, AES, PMULL, CAP_HWCAP, KERNEL_HWCAP_PMULL),
HWCAP_CAP(ID_AA64ISAR0_EL1, AES, AES, CAP_HWCAP, KERNEL_HWCAP_AES),
@@ -3092,19 +3116,19 @@ static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = {
HWCAP_CAP(ID_AA64MMFR2_EL1, AT, IMP, CAP_HWCAP, KERNEL_HWCAP_USCAT),
#ifdef CONFIG_ARM64_SVE
HWCAP_CAP(ID_AA64PFR0_EL1, SVE, IMP, CAP_HWCAP, KERNEL_HWCAP_SVE),
- HWCAP_CAP(ID_AA64ZFR0_EL1, SVEver, SVE2p1, CAP_HWCAP, KERNEL_HWCAP_SVE2P1),
- HWCAP_CAP(ID_AA64ZFR0_EL1, SVEver, SVE2, CAP_HWCAP, KERNEL_HWCAP_SVE2),
- HWCAP_CAP(ID_AA64ZFR0_EL1, AES, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEAES),
- HWCAP_CAP(ID_AA64ZFR0_EL1, AES, PMULL128, CAP_HWCAP, KERNEL_HWCAP_SVEPMULL),
- HWCAP_CAP(ID_AA64ZFR0_EL1, BitPerm, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBITPERM),
- HWCAP_CAP(ID_AA64ZFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVE_B16B16),
- HWCAP_CAP(ID_AA64ZFR0_EL1, BF16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBF16),
- HWCAP_CAP(ID_AA64ZFR0_EL1, BF16, EBF16, CAP_HWCAP, KERNEL_HWCAP_SVE_EBF16),
- HWCAP_CAP(ID_AA64ZFR0_EL1, SHA3, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESHA3),
- HWCAP_CAP(ID_AA64ZFR0_EL1, SM4, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESM4),
- HWCAP_CAP(ID_AA64ZFR0_EL1, I8MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEI8MM),
- HWCAP_CAP(ID_AA64ZFR0_EL1, F32MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF32MM),
- HWCAP_CAP(ID_AA64ZFR0_EL1, F64MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF64MM),
+ HWCAP_CAP_MATCH_ID(has_sve, ID_AA64ZFR0_EL1, SVEver, SVE2p1, CAP_HWCAP, KERNEL_HWCAP_SVE2P1),
+ HWCAP_CAP_MATCH_ID(has_sve, ID_AA64ZFR0_EL1, SVEver, SVE2, CAP_HWCAP, KERNEL_HWCAP_SVE2),
+ HWCAP_CAP_MATCH_ID(has_sve, ID_AA64ZFR0_EL1, AES, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEAES),
+ HWCAP_CAP_MATCH_ID(has_sve, ID_AA64ZFR0_EL1, AES, PMULL128, CAP_HWCAP, KERNEL_HWCAP_SVEPMULL),
+ HWCAP_CAP_MATCH_ID(has_sve, ID_AA64ZFR0_EL1, BitPerm, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBITPERM),
+ HWCAP_CAP_MATCH_ID(has_sve, ID_AA64ZFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVE_B16B16),
+ HWCAP_CAP_MATCH_ID(has_sve, ID_AA64ZFR0_EL1, BF16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBF16),
+ HWCAP_CAP_MATCH_ID(has_sve, ID_AA64ZFR0_EL1, BF16, EBF16, CAP_HWCAP, KERNEL_HWCAP_SVE_EBF16),
+ HWCAP_CAP_MATCH_ID(has_sve, ID_AA64ZFR0_EL1, SHA3, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESHA3),
+ HWCAP_CAP_MATCH_ID(has_sve, ID_AA64ZFR0_EL1, SM4, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESM4),
+ HWCAP_CAP_MATCH_ID(has_sve, ID_AA64ZFR0_EL1, I8MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEI8MM),
+ HWCAP_CAP_MATCH_ID(has_sve, ID_AA64ZFR0_EL1, F32MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF32MM),
+ HWCAP_CAP_MATCH_ID(has_sve, ID_AA64ZFR0_EL1, F64MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF64MM),
#endif
#ifdef CONFIG_ARM64_GCS
HWCAP_CAP(ID_AA64PFR1_EL1, GCS, IMP, CAP_HWCAP, KERNEL_HWCAP_GCS),
--
2.39.2
3 months, 4 weeks
- 2
- 4
[PATCH AUTOSEL 5.10] ASoC: mediatek: disable buffer pre-allocation
by Sasha Levin
From: Chen-Yu Tsai <wenst(a)chromium.org>
[ Upstream commit 32c9c06adb5b157ef259233775a063a43746d699 ]
On Chromebooks based on Mediatek MT8195 or MT8188, the audio frontend
(AFE) is limited to accessing a very small window (1 MiB) of memory,
which is described as a reserved memory region in the device tree.
On these two platforms, the maximum buffer size is given as 512 KiB.
The MediaTek common code uses the same value for preallocations. This
means that only the first two PCM substreams get preallocations, and
then the whole space is exhausted, barring any other substreams from
working. Since the substreams used are not always the first two, this
means audio won't work correctly.
This is observed on the MT8188 Geralt Chromebooks, on which the
"mediatek,dai-link" property was dropped when it was upstreamed. That
property causes the driver to only register the PCM substreams listed
in the property, and in the order given.
Instead of trying to compute an optimal value and figuring out which
streams are used, simply disable preallocation. The PCM buffers are
managed by the core and are allocated and released on the fly. There
should be no impact to any of the other MediaTek platforms.
Signed-off-by: Chen-Yu Tsai <wenst(a)chromium.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com>
Link: https://patch.msgid.link/20241219105303.548437-1-wenst@chromium.org
Signed-off-by: Mark Brown <broonie(a)kernel.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
sound/soc/mediatek/common/mtk-afe-platform-driver.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/soc/mediatek/common/mtk-afe-platform-driver.c b/sound/soc/mediatek/common/mtk-afe-platform-driver.c
index 01501d5747a7..52495c930ca3 100644
--- a/sound/soc/mediatek/common/mtk-afe-platform-driver.c
+++ b/sound/soc/mediatek/common/mtk-afe-platform-driver.c
@@ -120,8 +120,8 @@ int mtk_afe_pcm_new(struct snd_soc_component *component,
struct mtk_base_afe *afe = snd_soc_component_get_drvdata(component);
size = afe->mtk_afe_hardware->buffer_bytes_max;
- snd_pcm_set_managed_buffer_all(pcm, SNDRV_DMA_TYPE_DEV,
- afe->dev, size, size);
+ snd_pcm_set_managed_buffer_all(pcm, SNDRV_DMA_TYPE_DEV, afe->dev, 0, size);
+
return 0;
}
EXPORT_SYMBOL_GPL(mtk_afe_pcm_new);
--
2.39.5
3 months, 4 weeks
- 1
- 0
[PATCH AUTOSEL 5.15] ASoC: mediatek: disable buffer pre-allocation
by Sasha Levin
From: Chen-Yu Tsai <wenst(a)chromium.org>
[ Upstream commit 32c9c06adb5b157ef259233775a063a43746d699 ]
On Chromebooks based on Mediatek MT8195 or MT8188, the audio frontend
(AFE) is limited to accessing a very small window (1 MiB) of memory,
which is described as a reserved memory region in the device tree.
On these two platforms, the maximum buffer size is given as 512 KiB.
The MediaTek common code uses the same value for preallocations. This
means that only the first two PCM substreams get preallocations, and
then the whole space is exhausted, barring any other substreams from
working. Since the substreams used are not always the first two, this
means audio won't work correctly.
This is observed on the MT8188 Geralt Chromebooks, on which the
"mediatek,dai-link" property was dropped when it was upstreamed. That
property causes the driver to only register the PCM substreams listed
in the property, and in the order given.
Instead of trying to compute an optimal value and figuring out which
streams are used, simply disable preallocation. The PCM buffers are
managed by the core and are allocated and released on the fly. There
should be no impact to any of the other MediaTek platforms.
Signed-off-by: Chen-Yu Tsai <wenst(a)chromium.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com>
Link: https://patch.msgid.link/20241219105303.548437-1-wenst@chromium.org
Signed-off-by: Mark Brown <broonie(a)kernel.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
sound/soc/mediatek/common/mtk-afe-platform-driver.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/soc/mediatek/common/mtk-afe-platform-driver.c b/sound/soc/mediatek/common/mtk-afe-platform-driver.c
index 01501d5747a7..52495c930ca3 100644
--- a/sound/soc/mediatek/common/mtk-afe-platform-driver.c
+++ b/sound/soc/mediatek/common/mtk-afe-platform-driver.c
@@ -120,8 +120,8 @@ int mtk_afe_pcm_new(struct snd_soc_component *component,
struct mtk_base_afe *afe = snd_soc_component_get_drvdata(component);
size = afe->mtk_afe_hardware->buffer_bytes_max;
- snd_pcm_set_managed_buffer_all(pcm, SNDRV_DMA_TYPE_DEV,
- afe->dev, size, size);
+ snd_pcm_set_managed_buffer_all(pcm, SNDRV_DMA_TYPE_DEV, afe->dev, 0, size);
+
return 0;
}
EXPORT_SYMBOL_GPL(mtk_afe_pcm_new);
--
2.39.5
3 months, 4 weeks
- 1
- 0
[PATCH AUTOSEL 6.1] ASoC: mediatek: disable buffer pre-allocation
by Sasha Levin
From: Chen-Yu Tsai <wenst(a)chromium.org>
[ Upstream commit 32c9c06adb5b157ef259233775a063a43746d699 ]
On Chromebooks based on Mediatek MT8195 or MT8188, the audio frontend
(AFE) is limited to accessing a very small window (1 MiB) of memory,
which is described as a reserved memory region in the device tree.
On these two platforms, the maximum buffer size is given as 512 KiB.
The MediaTek common code uses the same value for preallocations. This
means that only the first two PCM substreams get preallocations, and
then the whole space is exhausted, barring any other substreams from
working. Since the substreams used are not always the first two, this
means audio won't work correctly.
This is observed on the MT8188 Geralt Chromebooks, on which the
"mediatek,dai-link" property was dropped when it was upstreamed. That
property causes the driver to only register the PCM substreams listed
in the property, and in the order given.
Instead of trying to compute an optimal value and figuring out which
streams are used, simply disable preallocation. The PCM buffers are
managed by the core and are allocated and released on the fly. There
should be no impact to any of the other MediaTek platforms.
Signed-off-by: Chen-Yu Tsai <wenst(a)chromium.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com>
Link: https://patch.msgid.link/20241219105303.548437-1-wenst@chromium.org
Signed-off-by: Mark Brown <broonie(a)kernel.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
sound/soc/mediatek/common/mtk-afe-platform-driver.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/soc/mediatek/common/mtk-afe-platform-driver.c b/sound/soc/mediatek/common/mtk-afe-platform-driver.c
index 01501d5747a7..52495c930ca3 100644
--- a/sound/soc/mediatek/common/mtk-afe-platform-driver.c
+++ b/sound/soc/mediatek/common/mtk-afe-platform-driver.c
@@ -120,8 +120,8 @@ int mtk_afe_pcm_new(struct snd_soc_component *component,
struct mtk_base_afe *afe = snd_soc_component_get_drvdata(component);
size = afe->mtk_afe_hardware->buffer_bytes_max;
- snd_pcm_set_managed_buffer_all(pcm, SNDRV_DMA_TYPE_DEV,
- afe->dev, size, size);
+ snd_pcm_set_managed_buffer_all(pcm, SNDRV_DMA_TYPE_DEV, afe->dev, 0, size);
+
return 0;
}
EXPORT_SYMBOL_GPL(mtk_afe_pcm_new);
--
2.39.5
3 months, 4 weeks
- 1
- 0
[PATCH AUTOSEL 6.6 1/3] ASoC: rt722: add delay time to wait for the calibration procedure
by Sasha Levin
From: Shuming Fan <shumingf(a)realtek.com>
[ Upstream commit c9e3ebdc52ebe028f238c9df5162ae92483bedd5 ]
The calibration procedure needs some time to finish.
This patch adds the delay time to ensure the calibration procedure is completed correctly.
Signed-off-by: Shuming Fan <shumingf(a)realtek.com>
Link: https://patch.msgid.link/20241218091307.96656-1-shumingf@realtek.com
Signed-off-by: Mark Brown <broonie(a)kernel.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
sound/soc/codecs/rt722-sdca.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/sound/soc/codecs/rt722-sdca.c b/sound/soc/codecs/rt722-sdca.c
index b9b330375add..0f9f592744ad 100644
--- a/sound/soc/codecs/rt722-sdca.c
+++ b/sound/soc/codecs/rt722-sdca.c
@@ -1466,13 +1466,18 @@ static void rt722_sdca_jack_preset(struct rt722_sdca_priv *rt722)
0x008d);
/* check HP calibration FSM status */
for (loop_check = 0; loop_check < chk_cnt; loop_check++) {
+ usleep_range(10000, 11000);
ret = rt722_sdca_index_read(rt722, RT722_VENDOR_CALI,
RT722_DAC_DC_CALI_CTL3, &calib_status);
- if (ret < 0 || loop_check == chk_cnt)
+ if (ret < 0)
dev_dbg(&rt722->slave->dev, "calibration failed!, ret=%d\n", ret);
if ((calib_status & 0x0040) == 0x0)
break;
}
+
+ if (loop_check == chk_cnt)
+ dev_dbg(&rt722->slave->dev, "%s, calibration time-out!\n", __func__);
+
/* Set ADC09 power entity floating control */
rt722_sdca_index_write(rt722, RT722_VENDOR_HDA_CTL, RT722_ADC0A_08_PDE_FLOAT_CTL,
0x2a12);
--
2.39.5
3 months, 4 weeks
- 1
- 2
[PATCH AUTOSEL 6.12 1/4] perf/x86/intel/uncore: Add Clearwater Forest support
by Sasha Levin
From: Kan Liang <kan.liang(a)linux.intel.com>
[ Upstream commit b6ccddd6fe1fd49c7a82b6fbed01cccad21a29c7 ]
From the perspective of the uncore PMU, the Clearwater Forest is the
same as the previous Sierra Forest. The only difference is the event
list, which will be supported in the perf tool later.
Signed-off-by: Kan Liang <kan.liang(a)linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org>
Link: https://lkml.kernel.org/r/20241211161146.235253-1-kan.liang@linux.intel.com
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
arch/x86/events/intel/uncore.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/x86/events/intel/uncore.c b/arch/x86/events/intel/uncore.c
index d98fac567684..e7aba7349231 100644
--- a/arch/x86/events/intel/uncore.c
+++ b/arch/x86/events/intel/uncore.c
@@ -1910,6 +1910,7 @@ static const struct x86_cpu_id intel_uncore_match[] __initconst = {
X86_MATCH_VFM(INTEL_ATOM_GRACEMONT, &adl_uncore_init),
X86_MATCH_VFM(INTEL_ATOM_CRESTMONT_X, &gnr_uncore_init),
X86_MATCH_VFM(INTEL_ATOM_CRESTMONT, &gnr_uncore_init),
+ X86_MATCH_VFM(INTEL_ATOM_DARKMONT_X, &gnr_uncore_init),
{},
};
MODULE_DEVICE_TABLE(x86cpu, intel_uncore_match);
--
2.39.5
3 months, 4 weeks
- 1
- 3
[PATCH 1/7] mm/hugetlb: Fix avoid_reserve to allow taking folio from subpool
by Peter Xu
Since commit 04f2cbe35699 ("hugetlb: guarantee that COW faults for a
process that called mmap(MAP_PRIVATE) on hugetlbfs will succeed"),
avoid_reserve was introduced for a special case of CoW on hugetlb private
mappings, and only if the owner VMA is trying to allocate yet another
hugetlb folio that is not reserved within the private vma reserved map.
Later on, in commit d85f69b0b533 ("mm/hugetlb: alloc_huge_page handle areas
hole punched by fallocate"), alloc_huge_page() enforced to not consume any
global reservation as long as avoid_reserve=true. This operation doesn't
look correct, because even if it will enforce the allocation to not use
global reservation at all, it will still try to take one reservation from
the spool (if the subpool existed). Then since the spool reserved pages
take from global reservation, it'll also take one reservation globally.
Logically it can cause global reservation to go wrong.
I wrote a reproducer below, trigger this special path, and every run of
such program will cause global reservation count to increment by one, until
it hits the number of free pages:
#define _GNU_SOURCE /* See feature_test_macros(7) */
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/mman.h>
#define MSIZE (2UL << 20)
int main(int argc, char *argv[])
{
const char *path;
int *buf;
int fd, ret;
pid_t child;
if (argc < 2) {
printf("usage: %s <hugetlb_file>\n", argv[0]);
return -1;
}
path = argv[1];
fd = open(path, O_RDWR | O_CREAT, 0666);
if (fd < 0) {
perror("open failed");
return -1;
}
ret = fallocate(fd, 0, 0, MSIZE);
if (ret != 0) {
perror("fallocate");
return -1;
}
buf = mmap(NULL, MSIZE, PROT_READ|PROT_WRITE,
MAP_PRIVATE, fd, 0);
if (buf == MAP_FAILED) {
perror("mmap() failed");
return -1;
}
/* Allocate a page */
*buf = 1;
child = fork();
if (child == 0) {
/* child doesn't need to do anything */
exit(0);
}
/* Trigger CoW from owner */
*buf = 2;
munmap(buf, MSIZE);
close(fd);
unlink(path);
return 0;
}
It can only reproduce with a sub-mount when there're reserved pages on the
spool, like:
# sysctl vm.nr_hugepages=128
# mkdir ./hugetlb-pool
# mount -t hugetlbfs -o min_size=8M,pagesize=2M none ./hugetlb-pool
Then run the reproducer on the mountpoint:
# ./reproducer ./hugetlb-pool/test
Fix it by taking the reservation from spool if available. In general,
avoid_reserve is IMHO more about "avoid vma resv map", not spool's.
I copied stable, however I have no intention for backporting if it's not a
clean cherry-pick, because private hugetlb mapping, and then fork() on top
is too rare to hit.
Cc: linux-stable <stable(a)vger.kernel.org>
Fixes: d85f69b0b533 ("mm/hugetlb: alloc_huge_page handle areas hole punched by fallocate")
Signed-off-by: Peter Xu <peterx(a)redhat.com>
---
mm/hugetlb.c | 22 +++-------------------
1 file changed, 3 insertions(+), 19 deletions(-)
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index cec4b121193f..9ce69fd22a01 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -1394,8 +1394,7 @@ static unsigned long available_huge_pages(struct hstate *h)
static struct folio *dequeue_hugetlb_folio_vma(struct hstate *h,
struct vm_area_struct *vma,
- unsigned long address, int avoid_reserve,
- long chg)
+ unsigned long address, long chg)
{
struct folio *folio = NULL;
struct mempolicy *mpol;
@@ -1411,10 +1410,6 @@ static struct folio *dequeue_hugetlb_folio_vma(struct hstate *h,
if (!vma_has_reserves(vma, chg) && !available_huge_pages(h))
goto err;
- /* If reserves cannot be used, ensure enough pages are in the pool */
- if (avoid_reserve && !available_huge_pages(h))
- goto err;
-
gfp_mask = htlb_alloc_mask(h);
nid = huge_node(vma, address, gfp_mask, &mpol, &nodemask);
@@ -1430,7 +1425,7 @@ static struct folio *dequeue_hugetlb_folio_vma(struct hstate *h,
folio = dequeue_hugetlb_folio_nodemask(h, gfp_mask,
nid, nodemask);
- if (folio && !avoid_reserve && vma_has_reserves(vma, chg)) {
+ if (folio && vma_has_reserves(vma, chg)) {
folio_set_hugetlb_restore_reserve(folio);
h->resv_huge_pages--;
}
@@ -3007,17 +3002,6 @@ struct folio *alloc_hugetlb_folio(struct vm_area_struct *vma,
gbl_chg = hugepage_subpool_get_pages(spool, 1);
if (gbl_chg < 0)
goto out_end_reservation;
-
- /*
- * Even though there was no reservation in the region/reserve
- * map, there could be reservations associated with the
- * subpool that can be used. This would be indicated if the
- * return value of hugepage_subpool_get_pages() is zero.
- * However, if avoid_reserve is specified we still avoid even
- * the subpool reservations.
- */
- if (avoid_reserve)
- gbl_chg = 1;
}
/* If this allocation is not consuming a reservation, charge it now.
@@ -3040,7 +3024,7 @@ struct folio *alloc_hugetlb_folio(struct vm_area_struct *vma,
* from the global free pool (global change). gbl_chg == 0 indicates
* a reservation exists for the allocation.
*/
- folio = dequeue_hugetlb_folio_vma(h, vma, addr, avoid_reserve, gbl_chg);
+ folio = dequeue_hugetlb_folio_vma(h, vma, addr, gbl_chg);
if (!folio) {
spin_unlock_irq(&hugetlb_lock);
folio = alloc_buddy_hugetlb_folio_with_mpol(h, vma, addr);
--
2.47.0
3 months, 4 weeks
- 2
- 3
[PATCH 1/2] dm-verity FEC: Fix RS FEC repair for roots unaligned to block size (take 2)
by Milan Broz
This patch fixes an issue that was fixed in the commit
df7b59ba9245 ("dm verity: fix FEC for RS roots unaligned to block size")
but later broken again in the commit
8ca7cab82bda ("dm verity fec: fix misaligned RS roots IO")
If the Reed-Solomon roots setting spans multiple blocks, the code does not
use proper parity bytes and randomly fails to repair even trivial errors.
This bug cannot happen if the sector size is multiple of RS roots
setting (Android case with roots 2).
The previous solution was to find a dm-bufio block size that is multiple
of the device sector size and roots size. Unfortunately, the optimization
in commit 8ca7cab82bda ("dm verity fec: fix misaligned RS roots IO")
is incorrect and uses data block size for some roots (for example, it uses
4096 block size for roots = 20).
This patch uses a different approach:
- It always uses a configured data block size for dm-bufio to avoid
possible misaligned IOs.
- and it caches the processed parity bytes, so it can join it
if it spans two blocks.
As the RS calculation is called only if an error is detected and
the process is computationally intensive, copying a few more bytes
should not introduce performance issues.
The issue was reported to cryptsetup with trivial reproducer
https://gitlab.com/cryptsetup/cryptsetup/-/issues/923
Reproducer (with roots=20):
# create verity device with RS FEC
dd if=/dev/urandom of=data.img bs=4096 count=8 status=none
veritysetup format data.img hash.img --fec-device=fec.img --fec-roots=20 | \
awk '/^Root hash/{ print $3 }' >roothash
# create an erasure that should always be repairable with this roots setting
dd if=/dev/zero of=data.img conv=notrunc bs=1 count=4 seek=4 status=none
# try to read it through dm-verity
veritysetup open data.img test hash.img --fec-device=fec.img --fec-roots=20 $(cat roothash)
dd if=/dev/mapper/test of=/dev/null bs=4096 status=noxfer
Even now the log says it cannot repair it:
: verity-fec: 7:1: FEC 0: failed to correct: -74
: device-mapper: verity: 7:1: data block 0 is corrupted
...
With this fix, errors are properly repaired.
: verity-fec: 7:1: FEC 0: corrected 4 errors
Signed-off-by: Milan Broz <gmazyland(a)gmail.com>
Fixes: 8ca7cab82bda ("dm verity fec: fix misaligned RS roots IO")
Cc: stable(a)vger.kernel.org
---
drivers/md/dm-verity-fec.c | 40 +++++++++++++++++++++++++-------------
1 file changed, 26 insertions(+), 14 deletions(-)
diff --git a/drivers/md/dm-verity-fec.c b/drivers/md/dm-verity-fec.c
index 62b1a44b8dd2..6bd9848518d4 100644
--- a/drivers/md/dm-verity-fec.c
+++ b/drivers/md/dm-verity-fec.c
@@ -60,15 +60,19 @@ static int fec_decode_rs8(struct dm_verity *v, struct dm_verity_fec_io *fio,
* to the data block. Caller is responsible for releasing buf.
*/
static u8 *fec_read_parity(struct dm_verity *v, u64 rsb, int index,
- unsigned int *offset, struct dm_buffer **buf,
- unsigned short ioprio)
+ unsigned int *offset, unsigned int par_buf_offset,
+ struct dm_buffer **buf, unsigned short ioprio)
{
u64 position, block, rem;
u8 *res;
+ /* We have already part of parity bytes read, skip to the next block */
+ if (par_buf_offset)
+ index++;
+
position = (index + rsb) * v->fec->roots;
block = div64_u64_rem(position, v->fec->io_size, &rem);
- *offset = (unsigned int)rem;
+ *offset = par_buf_offset ? 0 : (unsigned int)rem;
res = dm_bufio_read_with_ioprio(v->fec->bufio, block, buf, ioprio);
if (IS_ERR(res)) {
@@ -128,11 +132,12 @@ static int fec_decode_bufs(struct dm_verity *v, struct dm_verity_io *io,
{
int r, corrected = 0, res;
struct dm_buffer *buf;
- unsigned int n, i, offset;
- u8 *par, *block;
+ unsigned int n, i, offset, par_buf_offset = 0;
+ u8 *par, *block, par_buf[DM_VERITY_FEC_RSM - DM_VERITY_FEC_MIN_RSN];
struct bio *bio = dm_bio_from_per_bio_data(io, v->ti->per_io_data_size);
- par = fec_read_parity(v, rsb, block_offset, &offset, &buf, bio_prio(bio));
+ par = fec_read_parity(v, rsb, block_offset, &offset,
+ par_buf_offset, &buf, bio_prio(bio));
if (IS_ERR(par))
return PTR_ERR(par);
@@ -142,7 +147,8 @@ static int fec_decode_bufs(struct dm_verity *v, struct dm_verity_io *io,
*/
fec_for_each_buffer_rs_block(fio, n, i) {
block = fec_buffer_rs_block(v, fio, n, i);
- res = fec_decode_rs8(v, fio, block, &par[offset], neras);
+ memcpy(&par_buf[par_buf_offset], &par[offset], v->fec->roots - par_buf_offset);
+ res = fec_decode_rs8(v, fio, block, par_buf, neras);
if (res < 0) {
r = res;
goto error;
@@ -155,12 +161,21 @@ static int fec_decode_bufs(struct dm_verity *v, struct dm_verity_io *io,
if (block_offset >= 1 << v->data_dev_block_bits)
goto done;
- /* read the next block when we run out of parity bytes */
- offset += v->fec->roots;
+ /* Read the next block when we run out of parity bytes */
+ offset += (v->fec->roots - par_buf_offset);
+ /* Check if parity bytes are split between blocks */
+ if (offset < v->fec->io_size && (offset + v->fec->roots) > v->fec->io_size) {
+ par_buf_offset = v->fec->io_size - offset;
+ memcpy(par_buf, &par[offset], par_buf_offset);
+ offset += par_buf_offset;
+ } else
+ par_buf_offset = 0;
+
if (offset >= v->fec->io_size) {
dm_bufio_release(buf);
- par = fec_read_parity(v, rsb, block_offset, &offset, &buf, bio_prio(bio));
+ par = fec_read_parity(v, rsb, block_offset, &offset,
+ par_buf_offset, &buf, bio_prio(bio));
if (IS_ERR(par))
return PTR_ERR(par);
}
@@ -724,10 +739,7 @@ int verity_fec_ctr(struct dm_verity *v)
return -E2BIG;
}
- if ((f->roots << SECTOR_SHIFT) & ((1 << v->data_dev_block_bits) - 1))
- f->io_size = 1 << v->data_dev_block_bits;
- else
- f->io_size = v->fec->roots << SECTOR_SHIFT;
+ f->io_size = 1 << v->data_dev_block_bits;
f->bufio = dm_bufio_client_create(f->dev->bdev,
f->io_size,
--
2.45.2
3 months, 4 weeks
- 2
- 1
FAILED: patch "[PATCH] x86/hyperv: Fix hv tsc page based sched_clock for hibernation" failed to apply to 6.6-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 6.6-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y
git checkout FETCH_HEAD
git cherry-pick -x bcc80dec91ee745b3d66f3e48f0ec2efdea97149
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122324-twitter-clustered-891d@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From bcc80dec91ee745b3d66f3e48f0ec2efdea97149 Mon Sep 17 00:00:00 2001
From: Naman Jain <namjain(a)linux.microsoft.com>
Date: Tue, 17 Sep 2024 11:09:17 +0530
Subject: [PATCH] x86/hyperv: Fix hv tsc page based sched_clock for hibernation
read_hv_sched_clock_tsc() assumes that the Hyper-V clock counter is
bigger than the variable hv_sched_clock_offset, which is cached during
early boot, but depending on the timing this assumption may be false
when a hibernated VM starts again (the clock counter starts from 0
again) and is resuming back (Note: hv_init_tsc_clocksource() is not
called during hibernation/resume); consequently,
read_hv_sched_clock_tsc() may return a negative integer (which is
interpreted as a huge positive integer since the return type is u64)
and new kernel messages are prefixed with huge timestamps before
read_hv_sched_clock_tsc() grows big enough (which typically takes
several seconds).
Fix the issue by saving the Hyper-V clock counter just before the
suspend, and using it to correct the hv_sched_clock_offset in
resume. This makes hv tsc page based sched_clock continuous and ensures
that post resume, it starts from where it left off during suspend.
Override x86_platform.save_sched_clock_state and
x86_platform.restore_sched_clock_state routines to correct this as soon
as possible.
Note: if Invariant TSC is available, the issue doesn't happen because
1) we don't register read_hv_sched_clock_tsc() for sched clock:
See commit e5313f1c5404 ("clocksource/drivers/hyper-v: Rework
clocksource and sched clock setup");
2) the common x86 code adjusts TSC similarly: see
__restore_processor_state() -> tsc_verify_tsc_adjust(true) and
x86_platform.restore_sched_clock_state().
Cc: stable(a)vger.kernel.org
Fixes: 1349401ff1aa ("clocksource/drivers/hyper-v: Suspend/resume Hyper-V clocksource for hibernation")
Co-developed-by: Dexuan Cui <decui(a)microsoft.com>
Signed-off-by: Dexuan Cui <decui(a)microsoft.com>
Signed-off-by: Naman Jain <namjain(a)linux.microsoft.com>
Reviewed-by: Michael Kelley <mhklinux(a)outlook.com>
Link: https://lore.kernel.org/r/20240917053917.76787-1-namjain@linux.microsoft.com
Signed-off-by: Wei Liu <wei.liu(a)kernel.org>
Message-ID: <20240917053917.76787-1-namjain(a)linux.microsoft.com>
diff --git a/arch/x86/kernel/cpu/mshyperv.c b/arch/x86/kernel/cpu/mshyperv.c
index d18078834ded..dc12fe5ef3ca 100644
--- a/arch/x86/kernel/cpu/mshyperv.c
+++ b/arch/x86/kernel/cpu/mshyperv.c
@@ -223,6 +223,63 @@ static void hv_machine_crash_shutdown(struct pt_regs *regs)
hyperv_cleanup();
}
#endif /* CONFIG_CRASH_DUMP */
+
+static u64 hv_ref_counter_at_suspend;
+static void (*old_save_sched_clock_state)(void);
+static void (*old_restore_sched_clock_state)(void);
+
+/*
+ * Hyper-V clock counter resets during hibernation. Save and restore clock
+ * offset during suspend/resume, while also considering the time passed
+ * before suspend. This is to make sure that sched_clock using hv tsc page
+ * based clocksource, proceeds from where it left off during suspend and
+ * it shows correct time for the timestamps of kernel messages after resume.
+ */
+static void save_hv_clock_tsc_state(void)
+{
+ hv_ref_counter_at_suspend = hv_read_reference_counter();
+}
+
+static void restore_hv_clock_tsc_state(void)
+{
+ /*
+ * Adjust the offsets used by hv tsc clocksource to
+ * account for the time spent before hibernation.
+ * adjusted value = reference counter (time) at suspend
+ * - reference counter (time) now.
+ */
+ hv_adj_sched_clock_offset(hv_ref_counter_at_suspend - hv_read_reference_counter());
+}
+
+/*
+ * Functions to override save_sched_clock_state and restore_sched_clock_state
+ * functions of x86_platform. The Hyper-V clock counter is reset during
+ * suspend-resume and the offset used to measure time needs to be
+ * corrected, post resume.
+ */
+static void hv_save_sched_clock_state(void)
+{
+ old_save_sched_clock_state();
+ save_hv_clock_tsc_state();
+}
+
+static void hv_restore_sched_clock_state(void)
+{
+ restore_hv_clock_tsc_state();
+ old_restore_sched_clock_state();
+}
+
+static void __init x86_setup_ops_for_tsc_pg_clock(void)
+{
+ if (!(ms_hyperv.features & HV_MSR_REFERENCE_TSC_AVAILABLE))
+ return;
+
+ old_save_sched_clock_state = x86_platform.save_sched_clock_state;
+ x86_platform.save_sched_clock_state = hv_save_sched_clock_state;
+
+ old_restore_sched_clock_state = x86_platform.restore_sched_clock_state;
+ x86_platform.restore_sched_clock_state = hv_restore_sched_clock_state;
+}
#endif /* CONFIG_HYPERV */
static uint32_t __init ms_hyperv_platform(void)
@@ -579,6 +636,7 @@ static void __init ms_hyperv_init_platform(void)
/* Register Hyper-V specific clocksource */
hv_init_clocksource();
+ x86_setup_ops_for_tsc_pg_clock();
hv_vtl_init_platform();
#endif
/*
diff --git a/drivers/clocksource/hyperv_timer.c b/drivers/clocksource/hyperv_timer.c
index 99177835cade..b39dee7b93af 100644
--- a/drivers/clocksource/hyperv_timer.c
+++ b/drivers/clocksource/hyperv_timer.c
@@ -27,7 +27,8 @@
#include <asm/mshyperv.h>
static struct clock_event_device __percpu *hv_clock_event;
-static u64 hv_sched_clock_offset __ro_after_init;
+/* Note: offset can hold negative values after hibernation. */
+static u64 hv_sched_clock_offset __read_mostly;
/*
* If false, we're using the old mechanism for stimer0 interrupts
@@ -470,6 +471,17 @@ static void resume_hv_clock_tsc(struct clocksource *arg)
hv_set_msr(HV_MSR_REFERENCE_TSC, tsc_msr.as_uint64);
}
+/*
+ * Called during resume from hibernation, from overridden
+ * x86_platform.restore_sched_clock_state routine. This is to adjust offsets
+ * used to calculate time for hv tsc page based sched_clock, to account for
+ * time spent before hibernation.
+ */
+void hv_adj_sched_clock_offset(u64 offset)
+{
+ hv_sched_clock_offset -= offset;
+}
+
#ifdef HAVE_VDSO_CLOCKMODE_HVCLOCK
static int hv_cs_enable(struct clocksource *cs)
{
diff --git a/include/clocksource/hyperv_timer.h b/include/clocksource/hyperv_timer.h
index 6cdc873ac907..aa5233b1eba9 100644
--- a/include/clocksource/hyperv_timer.h
+++ b/include/clocksource/hyperv_timer.h
@@ -38,6 +38,8 @@ extern void hv_remap_tsc_clocksource(void);
extern unsigned long hv_get_tsc_pfn(void);
extern struct ms_hyperv_tsc_page *hv_get_tsc_page(void);
+extern void hv_adj_sched_clock_offset(u64 offset);
+
static __always_inline bool
hv_read_tsc_page_tsc(const struct ms_hyperv_tsc_page *tsc_pg,
u64 *cur_tsc, u64 *time)
3 months, 4 weeks
- 3
- 2
FAILED: patch "[PATCH] x86/hyperv: Fix hv tsc page based sched_clock for hibernation" failed to apply to 5.10-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 5.10-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y
git checkout FETCH_HEAD
git cherry-pick -x bcc80dec91ee745b3d66f3e48f0ec2efdea97149
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122327-imaginary-gizzard-8e8b@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From bcc80dec91ee745b3d66f3e48f0ec2efdea97149 Mon Sep 17 00:00:00 2001
From: Naman Jain <namjain(a)linux.microsoft.com>
Date: Tue, 17 Sep 2024 11:09:17 +0530
Subject: [PATCH] x86/hyperv: Fix hv tsc page based sched_clock for hibernation
read_hv_sched_clock_tsc() assumes that the Hyper-V clock counter is
bigger than the variable hv_sched_clock_offset, which is cached during
early boot, but depending on the timing this assumption may be false
when a hibernated VM starts again (the clock counter starts from 0
again) and is resuming back (Note: hv_init_tsc_clocksource() is not
called during hibernation/resume); consequently,
read_hv_sched_clock_tsc() may return a negative integer (which is
interpreted as a huge positive integer since the return type is u64)
and new kernel messages are prefixed with huge timestamps before
read_hv_sched_clock_tsc() grows big enough (which typically takes
several seconds).
Fix the issue by saving the Hyper-V clock counter just before the
suspend, and using it to correct the hv_sched_clock_offset in
resume. This makes hv tsc page based sched_clock continuous and ensures
that post resume, it starts from where it left off during suspend.
Override x86_platform.save_sched_clock_state and
x86_platform.restore_sched_clock_state routines to correct this as soon
as possible.
Note: if Invariant TSC is available, the issue doesn't happen because
1) we don't register read_hv_sched_clock_tsc() for sched clock:
See commit e5313f1c5404 ("clocksource/drivers/hyper-v: Rework
clocksource and sched clock setup");
2) the common x86 code adjusts TSC similarly: see
__restore_processor_state() -> tsc_verify_tsc_adjust(true) and
x86_platform.restore_sched_clock_state().
Cc: stable(a)vger.kernel.org
Fixes: 1349401ff1aa ("clocksource/drivers/hyper-v: Suspend/resume Hyper-V clocksource for hibernation")
Co-developed-by: Dexuan Cui <decui(a)microsoft.com>
Signed-off-by: Dexuan Cui <decui(a)microsoft.com>
Signed-off-by: Naman Jain <namjain(a)linux.microsoft.com>
Reviewed-by: Michael Kelley <mhklinux(a)outlook.com>
Link: https://lore.kernel.org/r/20240917053917.76787-1-namjain@linux.microsoft.com
Signed-off-by: Wei Liu <wei.liu(a)kernel.org>
Message-ID: <20240917053917.76787-1-namjain(a)linux.microsoft.com>
diff --git a/arch/x86/kernel/cpu/mshyperv.c b/arch/x86/kernel/cpu/mshyperv.c
index d18078834ded..dc12fe5ef3ca 100644
--- a/arch/x86/kernel/cpu/mshyperv.c
+++ b/arch/x86/kernel/cpu/mshyperv.c
@@ -223,6 +223,63 @@ static void hv_machine_crash_shutdown(struct pt_regs *regs)
hyperv_cleanup();
}
#endif /* CONFIG_CRASH_DUMP */
+
+static u64 hv_ref_counter_at_suspend;
+static void (*old_save_sched_clock_state)(void);
+static void (*old_restore_sched_clock_state)(void);
+
+/*
+ * Hyper-V clock counter resets during hibernation. Save and restore clock
+ * offset during suspend/resume, while also considering the time passed
+ * before suspend. This is to make sure that sched_clock using hv tsc page
+ * based clocksource, proceeds from where it left off during suspend and
+ * it shows correct time for the timestamps of kernel messages after resume.
+ */
+static void save_hv_clock_tsc_state(void)
+{
+ hv_ref_counter_at_suspend = hv_read_reference_counter();
+}
+
+static void restore_hv_clock_tsc_state(void)
+{
+ /*
+ * Adjust the offsets used by hv tsc clocksource to
+ * account for the time spent before hibernation.
+ * adjusted value = reference counter (time) at suspend
+ * - reference counter (time) now.
+ */
+ hv_adj_sched_clock_offset(hv_ref_counter_at_suspend - hv_read_reference_counter());
+}
+
+/*
+ * Functions to override save_sched_clock_state and restore_sched_clock_state
+ * functions of x86_platform. The Hyper-V clock counter is reset during
+ * suspend-resume and the offset used to measure time needs to be
+ * corrected, post resume.
+ */
+static void hv_save_sched_clock_state(void)
+{
+ old_save_sched_clock_state();
+ save_hv_clock_tsc_state();
+}
+
+static void hv_restore_sched_clock_state(void)
+{
+ restore_hv_clock_tsc_state();
+ old_restore_sched_clock_state();
+}
+
+static void __init x86_setup_ops_for_tsc_pg_clock(void)
+{
+ if (!(ms_hyperv.features & HV_MSR_REFERENCE_TSC_AVAILABLE))
+ return;
+
+ old_save_sched_clock_state = x86_platform.save_sched_clock_state;
+ x86_platform.save_sched_clock_state = hv_save_sched_clock_state;
+
+ old_restore_sched_clock_state = x86_platform.restore_sched_clock_state;
+ x86_platform.restore_sched_clock_state = hv_restore_sched_clock_state;
+}
#endif /* CONFIG_HYPERV */
static uint32_t __init ms_hyperv_platform(void)
@@ -579,6 +636,7 @@ static void __init ms_hyperv_init_platform(void)
/* Register Hyper-V specific clocksource */
hv_init_clocksource();
+ x86_setup_ops_for_tsc_pg_clock();
hv_vtl_init_platform();
#endif
/*
diff --git a/drivers/clocksource/hyperv_timer.c b/drivers/clocksource/hyperv_timer.c
index 99177835cade..b39dee7b93af 100644
--- a/drivers/clocksource/hyperv_timer.c
+++ b/drivers/clocksource/hyperv_timer.c
@@ -27,7 +27,8 @@
#include <asm/mshyperv.h>
static struct clock_event_device __percpu *hv_clock_event;
-static u64 hv_sched_clock_offset __ro_after_init;
+/* Note: offset can hold negative values after hibernation. */
+static u64 hv_sched_clock_offset __read_mostly;
/*
* If false, we're using the old mechanism for stimer0 interrupts
@@ -470,6 +471,17 @@ static void resume_hv_clock_tsc(struct clocksource *arg)
hv_set_msr(HV_MSR_REFERENCE_TSC, tsc_msr.as_uint64);
}
+/*
+ * Called during resume from hibernation, from overridden
+ * x86_platform.restore_sched_clock_state routine. This is to adjust offsets
+ * used to calculate time for hv tsc page based sched_clock, to account for
+ * time spent before hibernation.
+ */
+void hv_adj_sched_clock_offset(u64 offset)
+{
+ hv_sched_clock_offset -= offset;
+}
+
#ifdef HAVE_VDSO_CLOCKMODE_HVCLOCK
static int hv_cs_enable(struct clocksource *cs)
{
diff --git a/include/clocksource/hyperv_timer.h b/include/clocksource/hyperv_timer.h
index 6cdc873ac907..aa5233b1eba9 100644
--- a/include/clocksource/hyperv_timer.h
+++ b/include/clocksource/hyperv_timer.h
@@ -38,6 +38,8 @@ extern void hv_remap_tsc_clocksource(void);
extern unsigned long hv_get_tsc_pfn(void);
extern struct ms_hyperv_tsc_page *hv_get_tsc_page(void);
+extern void hv_adj_sched_clock_offset(u64 offset);
+
static __always_inline bool
hv_read_tsc_page_tsc(const struct ms_hyperv_tsc_page *tsc_pg,
u64 *cur_tsc, u64 *time)
3 months, 4 weeks
- 3
- 2
FAILED: patch "[PATCH] x86/hyperv: Fix hv tsc page based sched_clock for hibernation" failed to apply to 6.1-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 6.1-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
git checkout FETCH_HEAD
git cherry-pick -x bcc80dec91ee745b3d66f3e48f0ec2efdea97149
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122325-flavoring-mute-cb7e@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From bcc80dec91ee745b3d66f3e48f0ec2efdea97149 Mon Sep 17 00:00:00 2001
From: Naman Jain <namjain(a)linux.microsoft.com>
Date: Tue, 17 Sep 2024 11:09:17 +0530
Subject: [PATCH] x86/hyperv: Fix hv tsc page based sched_clock for hibernation
read_hv_sched_clock_tsc() assumes that the Hyper-V clock counter is
bigger than the variable hv_sched_clock_offset, which is cached during
early boot, but depending on the timing this assumption may be false
when a hibernated VM starts again (the clock counter starts from 0
again) and is resuming back (Note: hv_init_tsc_clocksource() is not
called during hibernation/resume); consequently,
read_hv_sched_clock_tsc() may return a negative integer (which is
interpreted as a huge positive integer since the return type is u64)
and new kernel messages are prefixed with huge timestamps before
read_hv_sched_clock_tsc() grows big enough (which typically takes
several seconds).
Fix the issue by saving the Hyper-V clock counter just before the
suspend, and using it to correct the hv_sched_clock_offset in
resume. This makes hv tsc page based sched_clock continuous and ensures
that post resume, it starts from where it left off during suspend.
Override x86_platform.save_sched_clock_state and
x86_platform.restore_sched_clock_state routines to correct this as soon
as possible.
Note: if Invariant TSC is available, the issue doesn't happen because
1) we don't register read_hv_sched_clock_tsc() for sched clock:
See commit e5313f1c5404 ("clocksource/drivers/hyper-v: Rework
clocksource and sched clock setup");
2) the common x86 code adjusts TSC similarly: see
__restore_processor_state() -> tsc_verify_tsc_adjust(true) and
x86_platform.restore_sched_clock_state().
Cc: stable(a)vger.kernel.org
Fixes: 1349401ff1aa ("clocksource/drivers/hyper-v: Suspend/resume Hyper-V clocksource for hibernation")
Co-developed-by: Dexuan Cui <decui(a)microsoft.com>
Signed-off-by: Dexuan Cui <decui(a)microsoft.com>
Signed-off-by: Naman Jain <namjain(a)linux.microsoft.com>
Reviewed-by: Michael Kelley <mhklinux(a)outlook.com>
Link: https://lore.kernel.org/r/20240917053917.76787-1-namjain@linux.microsoft.com
Signed-off-by: Wei Liu <wei.liu(a)kernel.org>
Message-ID: <20240917053917.76787-1-namjain(a)linux.microsoft.com>
diff --git a/arch/x86/kernel/cpu/mshyperv.c b/arch/x86/kernel/cpu/mshyperv.c
index d18078834ded..dc12fe5ef3ca 100644
--- a/arch/x86/kernel/cpu/mshyperv.c
+++ b/arch/x86/kernel/cpu/mshyperv.c
@@ -223,6 +223,63 @@ static void hv_machine_crash_shutdown(struct pt_regs *regs)
hyperv_cleanup();
}
#endif /* CONFIG_CRASH_DUMP */
+
+static u64 hv_ref_counter_at_suspend;
+static void (*old_save_sched_clock_state)(void);
+static void (*old_restore_sched_clock_state)(void);
+
+/*
+ * Hyper-V clock counter resets during hibernation. Save and restore clock
+ * offset during suspend/resume, while also considering the time passed
+ * before suspend. This is to make sure that sched_clock using hv tsc page
+ * based clocksource, proceeds from where it left off during suspend and
+ * it shows correct time for the timestamps of kernel messages after resume.
+ */
+static void save_hv_clock_tsc_state(void)
+{
+ hv_ref_counter_at_suspend = hv_read_reference_counter();
+}
+
+static void restore_hv_clock_tsc_state(void)
+{
+ /*
+ * Adjust the offsets used by hv tsc clocksource to
+ * account for the time spent before hibernation.
+ * adjusted value = reference counter (time) at suspend
+ * - reference counter (time) now.
+ */
+ hv_adj_sched_clock_offset(hv_ref_counter_at_suspend - hv_read_reference_counter());
+}
+
+/*
+ * Functions to override save_sched_clock_state and restore_sched_clock_state
+ * functions of x86_platform. The Hyper-V clock counter is reset during
+ * suspend-resume and the offset used to measure time needs to be
+ * corrected, post resume.
+ */
+static void hv_save_sched_clock_state(void)
+{
+ old_save_sched_clock_state();
+ save_hv_clock_tsc_state();
+}
+
+static void hv_restore_sched_clock_state(void)
+{
+ restore_hv_clock_tsc_state();
+ old_restore_sched_clock_state();
+}
+
+static void __init x86_setup_ops_for_tsc_pg_clock(void)
+{
+ if (!(ms_hyperv.features & HV_MSR_REFERENCE_TSC_AVAILABLE))
+ return;
+
+ old_save_sched_clock_state = x86_platform.save_sched_clock_state;
+ x86_platform.save_sched_clock_state = hv_save_sched_clock_state;
+
+ old_restore_sched_clock_state = x86_platform.restore_sched_clock_state;
+ x86_platform.restore_sched_clock_state = hv_restore_sched_clock_state;
+}
#endif /* CONFIG_HYPERV */
static uint32_t __init ms_hyperv_platform(void)
@@ -579,6 +636,7 @@ static void __init ms_hyperv_init_platform(void)
/* Register Hyper-V specific clocksource */
hv_init_clocksource();
+ x86_setup_ops_for_tsc_pg_clock();
hv_vtl_init_platform();
#endif
/*
diff --git a/drivers/clocksource/hyperv_timer.c b/drivers/clocksource/hyperv_timer.c
index 99177835cade..b39dee7b93af 100644
--- a/drivers/clocksource/hyperv_timer.c
+++ b/drivers/clocksource/hyperv_timer.c
@@ -27,7 +27,8 @@
#include <asm/mshyperv.h>
static struct clock_event_device __percpu *hv_clock_event;
-static u64 hv_sched_clock_offset __ro_after_init;
+/* Note: offset can hold negative values after hibernation. */
+static u64 hv_sched_clock_offset __read_mostly;
/*
* If false, we're using the old mechanism for stimer0 interrupts
@@ -470,6 +471,17 @@ static void resume_hv_clock_tsc(struct clocksource *arg)
hv_set_msr(HV_MSR_REFERENCE_TSC, tsc_msr.as_uint64);
}
+/*
+ * Called during resume from hibernation, from overridden
+ * x86_platform.restore_sched_clock_state routine. This is to adjust offsets
+ * used to calculate time for hv tsc page based sched_clock, to account for
+ * time spent before hibernation.
+ */
+void hv_adj_sched_clock_offset(u64 offset)
+{
+ hv_sched_clock_offset -= offset;
+}
+
#ifdef HAVE_VDSO_CLOCKMODE_HVCLOCK
static int hv_cs_enable(struct clocksource *cs)
{
diff --git a/include/clocksource/hyperv_timer.h b/include/clocksource/hyperv_timer.h
index 6cdc873ac907..aa5233b1eba9 100644
--- a/include/clocksource/hyperv_timer.h
+++ b/include/clocksource/hyperv_timer.h
@@ -38,6 +38,8 @@ extern void hv_remap_tsc_clocksource(void);
extern unsigned long hv_get_tsc_pfn(void);
extern struct ms_hyperv_tsc_page *hv_get_tsc_page(void);
+extern void hv_adj_sched_clock_offset(u64 offset);
+
static __always_inline bool
hv_read_tsc_page_tsc(const struct ms_hyperv_tsc_page *tsc_pg,
u64 *cur_tsc, u64 *time)
3 months, 4 weeks
- 3
- 2
[PATCH 6.1.y] i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition
by jianqi.ren.cn@windriver.com
From: Kaixin Wang <kxwang23(a)m.fudan.edu.cn>
[ Upstream commit 609366e7a06d035990df78f1562291c3bf0d4a12 ]
In the cdns_i3c_master_probe function, &master->hj_work is bound with
cdns_i3c_master_hj. And cdns_i3c_master_interrupt can call
cnds_i3c_master_demux_ibis function to start the work.
If we remove the module which will call cdns_i3c_master_remove to
make cleanup, it will free master->base through i3c_master_unregister
while the work mentioned above will be used. The sequence of operations
that may lead to a UAF bug is as follows:
CPU0 CPU1
| cdns_i3c_master_hj
cdns_i3c_master_remove |
i3c_master_unregister(&master->base) |
device_unregister(&master->dev) |
device_release |
//free master->base |
| i3c_master_do_daa(&master->base)
| //use master->base
Fix it by ensuring that the work is canceled before proceeding with
the cleanup in cdns_i3c_master_remove.
Signed-off-by: Kaixin Wang <kxwang23(a)m.fudan.edu.cn>
Link: https://lore.kernel.org/r/20240911153544.848398-1-kxwang23@m.fudan.edu.cn
Signed-off-by: Alexandre Belloni <alexandre.belloni(a)bootlin.com>
Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com>
---
drivers/i3c/master/i3c-master-cdns.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/i3c/master/i3c-master-cdns.c b/drivers/i3c/master/i3c-master-cdns.c
index b9cfda6ae9ae..4473c0b1ae2e 100644
--- a/drivers/i3c/master/i3c-master-cdns.c
+++ b/drivers/i3c/master/i3c-master-cdns.c
@@ -1668,6 +1668,7 @@ static int cdns_i3c_master_remove(struct platform_device *pdev)
struct cdns_i3c_master *master = platform_get_drvdata(pdev);
int ret;
+ cancel_work_sync(&master->hj_work);
ret = i3c_master_unregister(&master->base);
if (ret)
return ret;
--
2.25.1
3 months, 4 weeks
- 3
- 3
FAILED: patch "[PATCH] x86/hyperv: Fix hv tsc page based sched_clock for hibernation" failed to apply to 5.15-stable tree
by gregkh@linuxfoundation.org
The patch below does not apply to the 5.15-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y
git checkout FETCH_HEAD
git cherry-pick -x bcc80dec91ee745b3d66f3e48f0ec2efdea97149
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122326-eraser-perennial-6b59@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From bcc80dec91ee745b3d66f3e48f0ec2efdea97149 Mon Sep 17 00:00:00 2001
From: Naman Jain <namjain(a)linux.microsoft.com>
Date: Tue, 17 Sep 2024 11:09:17 +0530
Subject: [PATCH] x86/hyperv: Fix hv tsc page based sched_clock for hibernation
read_hv_sched_clock_tsc() assumes that the Hyper-V clock counter is
bigger than the variable hv_sched_clock_offset, which is cached during
early boot, but depending on the timing this assumption may be false
when a hibernated VM starts again (the clock counter starts from 0
again) and is resuming back (Note: hv_init_tsc_clocksource() is not
called during hibernation/resume); consequently,
read_hv_sched_clock_tsc() may return a negative integer (which is
interpreted as a huge positive integer since the return type is u64)
and new kernel messages are prefixed with huge timestamps before
read_hv_sched_clock_tsc() grows big enough (which typically takes
several seconds).
Fix the issue by saving the Hyper-V clock counter just before the
suspend, and using it to correct the hv_sched_clock_offset in
resume. This makes hv tsc page based sched_clock continuous and ensures
that post resume, it starts from where it left off during suspend.
Override x86_platform.save_sched_clock_state and
x86_platform.restore_sched_clock_state routines to correct this as soon
as possible.
Note: if Invariant TSC is available, the issue doesn't happen because
1) we don't register read_hv_sched_clock_tsc() for sched clock:
See commit e5313f1c5404 ("clocksource/drivers/hyper-v: Rework
clocksource and sched clock setup");
2) the common x86 code adjusts TSC similarly: see
__restore_processor_state() -> tsc_verify_tsc_adjust(true) and
x86_platform.restore_sched_clock_state().
Cc: stable(a)vger.kernel.org
Fixes: 1349401ff1aa ("clocksource/drivers/hyper-v: Suspend/resume Hyper-V clocksource for hibernation")
Co-developed-by: Dexuan Cui <decui(a)microsoft.com>
Signed-off-by: Dexuan Cui <decui(a)microsoft.com>
Signed-off-by: Naman Jain <namjain(a)linux.microsoft.com>
Reviewed-by: Michael Kelley <mhklinux(a)outlook.com>
Link: https://lore.kernel.org/r/20240917053917.76787-1-namjain@linux.microsoft.com
Signed-off-by: Wei Liu <wei.liu(a)kernel.org>
Message-ID: <20240917053917.76787-1-namjain(a)linux.microsoft.com>
diff --git a/arch/x86/kernel/cpu/mshyperv.c b/arch/x86/kernel/cpu/mshyperv.c
index d18078834ded..dc12fe5ef3ca 100644
--- a/arch/x86/kernel/cpu/mshyperv.c
+++ b/arch/x86/kernel/cpu/mshyperv.c
@@ -223,6 +223,63 @@ static void hv_machine_crash_shutdown(struct pt_regs *regs)
hyperv_cleanup();
}
#endif /* CONFIG_CRASH_DUMP */
+
+static u64 hv_ref_counter_at_suspend;
+static void (*old_save_sched_clock_state)(void);
+static void (*old_restore_sched_clock_state)(void);
+
+/*
+ * Hyper-V clock counter resets during hibernation. Save and restore clock
+ * offset during suspend/resume, while also considering the time passed
+ * before suspend. This is to make sure that sched_clock using hv tsc page
+ * based clocksource, proceeds from where it left off during suspend and
+ * it shows correct time for the timestamps of kernel messages after resume.
+ */
+static void save_hv_clock_tsc_state(void)
+{
+ hv_ref_counter_at_suspend = hv_read_reference_counter();
+}
+
+static void restore_hv_clock_tsc_state(void)
+{
+ /*
+ * Adjust the offsets used by hv tsc clocksource to
+ * account for the time spent before hibernation.
+ * adjusted value = reference counter (time) at suspend
+ * - reference counter (time) now.
+ */
+ hv_adj_sched_clock_offset(hv_ref_counter_at_suspend - hv_read_reference_counter());
+}
+
+/*
+ * Functions to override save_sched_clock_state and restore_sched_clock_state
+ * functions of x86_platform. The Hyper-V clock counter is reset during
+ * suspend-resume and the offset used to measure time needs to be
+ * corrected, post resume.
+ */
+static void hv_save_sched_clock_state(void)
+{
+ old_save_sched_clock_state();
+ save_hv_clock_tsc_state();
+}
+
+static void hv_restore_sched_clock_state(void)
+{
+ restore_hv_clock_tsc_state();
+ old_restore_sched_clock_state();
+}
+
+static void __init x86_setup_ops_for_tsc_pg_clock(void)
+{
+ if (!(ms_hyperv.features & HV_MSR_REFERENCE_TSC_AVAILABLE))
+ return;
+
+ old_save_sched_clock_state = x86_platform.save_sched_clock_state;
+ x86_platform.save_sched_clock_state = hv_save_sched_clock_state;
+
+ old_restore_sched_clock_state = x86_platform.restore_sched_clock_state;
+ x86_platform.restore_sched_clock_state = hv_restore_sched_clock_state;
+}
#endif /* CONFIG_HYPERV */
static uint32_t __init ms_hyperv_platform(void)
@@ -579,6 +636,7 @@ static void __init ms_hyperv_init_platform(void)
/* Register Hyper-V specific clocksource */
hv_init_clocksource();
+ x86_setup_ops_for_tsc_pg_clock();
hv_vtl_init_platform();
#endif
/*
diff --git a/drivers/clocksource/hyperv_timer.c b/drivers/clocksource/hyperv_timer.c
index 99177835cade..b39dee7b93af 100644
--- a/drivers/clocksource/hyperv_timer.c
+++ b/drivers/clocksource/hyperv_timer.c
@@ -27,7 +27,8 @@
#include <asm/mshyperv.h>
static struct clock_event_device __percpu *hv_clock_event;
-static u64 hv_sched_clock_offset __ro_after_init;
+/* Note: offset can hold negative values after hibernation. */
+static u64 hv_sched_clock_offset __read_mostly;
/*
* If false, we're using the old mechanism for stimer0 interrupts
@@ -470,6 +471,17 @@ static void resume_hv_clock_tsc(struct clocksource *arg)
hv_set_msr(HV_MSR_REFERENCE_TSC, tsc_msr.as_uint64);
}
+/*
+ * Called during resume from hibernation, from overridden
+ * x86_platform.restore_sched_clock_state routine. This is to adjust offsets
+ * used to calculate time for hv tsc page based sched_clock, to account for
+ * time spent before hibernation.
+ */
+void hv_adj_sched_clock_offset(u64 offset)
+{
+ hv_sched_clock_offset -= offset;
+}
+
#ifdef HAVE_VDSO_CLOCKMODE_HVCLOCK
static int hv_cs_enable(struct clocksource *cs)
{
diff --git a/include/clocksource/hyperv_timer.h b/include/clocksource/hyperv_timer.h
index 6cdc873ac907..aa5233b1eba9 100644
--- a/include/clocksource/hyperv_timer.h
+++ b/include/clocksource/hyperv_timer.h
@@ -38,6 +38,8 @@ extern void hv_remap_tsc_clocksource(void);
extern unsigned long hv_get_tsc_pfn(void);
extern struct ms_hyperv_tsc_page *hv_get_tsc_page(void);
+extern void hv_adj_sched_clock_offset(u64 offset);
+
static __always_inline bool
hv_read_tsc_page_tsc(const struct ms_hyperv_tsc_page *tsc_pg,
u64 *cur_tsc, u64 *time)
3 months, 4 weeks
- 3
- 2