- Linux-stable-mirror - lists.linaro.org

zram: Regression in at least linux-6.1.y tree

by Kenneth Van Alstyne

Greetings and apologies if this isn't the proper process for reporting an issue in a LTS kernel per https://www.kernel.org/doc/html/latest/admin-guide/reporting-issues.html. Happy to follow another process if more appropriate. Kernel 6.1.122 introduced a regression via commit ac3b5366b9b7c9d97b606532ceab43d2329a22f3 (backport of upstream commit 74363ec674cb172d8856de25776c8f3103f05e2f) in drivers/block/zram/zram_drv.c where attempting to set the size of /dev/zram0 after loading the zram kernel module results in a kernel NULL pointer dereference. That patch removed the following block from zram_reset_device(): - if (!init_done(zram)) { - up_write(&zram->init_lock); - return; - } However, without that, zram_reset_device subsequently calls zcomp_destroy on a device that has not been initialized, leading to the OOPS. Adding that block back does resolve the issue. In addition, the latest mainline kernel does not appear to exhibit these symptoms, but zram_drv.c seems to have been changed fairly substantially since kernel 6.1. Steps to reproduce: modprobe zram zramctl /dev/zram0 --algorithm zstd --size 83886080k Kernel log: [ 184.410082] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 184.416305] #PF: supervisor read access in kernel mode [ 184.418201] #PF: error_code(0x0000) - not-present page [ 184.418201] PGD 170d0b067 P4D 170d0b067 PUD 1718af067 PMD 0 [ 184.418201] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 184.418201] CPU: 2 PID: 3584 Comm: zramctl Tainted: G O K 6.1.122 #1 [ 184.418201] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org 04/01/2014 [ 184.418201] RIP: 0010:zcomp_cpu_dead+0x7/0x30 [zram] [ 184.418201] Code: c7 d8 56 a9 c0 e8 63 f3 92 ed b8 f4 ff ff ff 5b e9 fe 10 d7 ed 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 0f 1f 44 00 00 89 ff <48> 8b 46 f0 48 03 04 fd c0 47 e7 ae 48 89 c7 48 8d 70 08 e8 11 fd [ 184.418201] RSP: 0018:ffffaf9400a5fd28 EFLAGS: 00010246 [ 184.418201] RAX: ffffffffc0a912d0 RBX: ffff89adefa1b2e0 RCX: 0000000000000010 [ 184.418201] RDX: 0000000000000000 RSI: 0000000000000010 RDI: 0000000000000000 [ 184.418201] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001 [ 184.418201] R10: 000000000000000a R11: f000000000000000 R12: 0000000000000aa0 [ 184.418201] R13: 0000000000000000 R14: 0000000000000010 R15: ffff89aac0cb2e20 [ 184.418201] FS: 00007fa6d240d740(0000) GS:ffff89adefa80000(0000) knlGS:0000000000000000 [ 184.418201] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 184.418201] CR2: 0000000000000000 CR3: 0000000171fd4000 CR4: 00000000003506e0 [ 184.418201] Call Trace: [ 184.418201] <TASK> [ 184.418201] ? __die_body+0x1a/0x60 [ 184.418201] ? page_fault_oops+0xae/0x260 [ 184.418201] ? exc_page_fault+0x67/0x140 [ 184.418201] ? asm_exc_page_fault+0x22/0x30 [ 184.418201] ? zcomp_cpu_up_prepare+0x90/0x90 [zram] [ 184.418201] ? zcomp_cpu_dead+0x7/0x30 [zram] [ 184.418201] ? zcomp_cpu_up_prepare+0x90/0x90 [zram] [ 184.418201] cpuhp_invoke_callback+0xb4/0x4c0 [ 184.418201] ? zcomp_cpu_up_prepare+0x90/0x90 [zram] [ 184.418201] cpuhp_issue_call+0xeb/0x140 [ 184.418201] __cpuhp_state_remove_instance+0xdb/0x1a0 [ 184.418201] zcomp_destroy+0x1c/0x30 [zram] [ 184.418201] zram_reset_device+0xf3/0x120 [zram] [ 184.418201] reset_store+0x9d/0x100 [zram] [ 184.418201] kernfs_fop_write_iter+0x11e/0x1b0 [ 184.418201] vfs_write+0x2ae/0x3c0 [ 184.418201] ksys_write+0x5c/0xe0 [ 184.418201] do_syscall_64+0x32/0x80 [ 184.552119] python3 (3612) used greatest stack depth: 11736 bytes left [ 184.418201] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 184.418201] RIP: 0033:0x7fa6d2506d00 [ 184.418201] Code: 40 00 48 8b 15 29 91 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb af 0f 1f 00 80 3d e1 18 0e 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55 [ 184.418201] RSP: 002b:00007ffec8315ec8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 [ 184.418201] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fa6d2506d00 [ 184.418201] RDX: 0000000000000001 RSI: 00007ffec8315ee0 RDI: 0000000000000003 [ 184.418201] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000001 [ 184.418201] R10: 0000000000000004 R11: 0000000000000202 R12: 00007fa6d240d6c0 [ 184.418201] R13: 00007ffec8315ee0 R14: 0000000000000003 R15: 00007ffec8315ed0 [ 184.418201] </TASK> [ 184.418201] Modules linked in: zram zsmalloc bcache crc64 ip6table_filter ip6_tables iptable_filter xt_conntrack iptable_mangle xt_connmark nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_tables x_tables vfat fat btrfs blake2b_generic xor raid6_pq libcrc32c dm_multipath dm_mod bridge stp llc bonding nfs lockd grace sunrpc fscache torch(O) ipmi_devintf ipmi_msghandler sr_mod kvm_amd mousedev cdrom virtio_blk kvm ata_generic pata_acpi irqbypass crc32c_intel aesni_intel ata_piix crypto_simd virtio_pci virtio_pci_legacy_dev psmouse virtio_pci_modern_dev i6300esb e1000 libata cryptd i2c_piix4 evdev procmemro(OK) noptrace(OK) [ 184.418201] CR2: 0000000000000000 [ 184.418201] ---[ end trace 0000000000000000 ]--- [ 184.418201] RIP: 0010:zcomp_cpu_dead+0x7/0x30 [zram] [ 184.418201] Code: c7 d8 56 a9 c0 e8 63 f3 92 ed b8 f4 ff ff ff 5b e9 fe 10 d7 ed 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 0f 1f 44 00 00 89 ff <48> 8b 46 f0 48 03 04 fd c0 47 e7 ae 48 89 c7 48 8d 70 08 e8 11 fd [ 184.418201] RSP: 0018:ffffaf9400a5fd28 EFLAGS: 00010246 [ 184.418201] RAX: ffffffffc0a912d0 RBX: ffff89adefa1b2e0 RCX: 0000000000000010 [ 184.418201] RDX: 0000000000000000 RSI: 0000000000000010 RDI: 0000000000000000 [ 184.418201] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001 [ 184.418201] R10: 000000000000000a R11: f000000000000000 R12: 0000000000000aa0 [ 184.418201] R13: 0000000000000000 R14: 0000000000000010 R15: ffff89aac0cb2e20 [ 184.418201] FS: 00007fa6d240d740(0000) GS:ffff89adefa80000(0000) knlGS:0000000000000000 [ 184.418201] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 184.418201] CR2: 0000000000000000 CR3: 0000000171fd4000 CR4: 00000000003506e0 [ 184.418201] Kernel panic - not syncing: Fatal exception [ 184.418201] Kernel Offset: 0x2c800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 184.418201] Rebooting in 120 seconds.. Thanks, -- Kenneth Van Alstyne, Jr.

5 months, 2 weeks

2
1
0 0

+ mm-hugetlb-fix-avoid_reserve-to-allow-taking-folio-from-subpool.patch added to mm-unstable branch

by Andrew Morton

The patch titled Subject: mm/hugetlb: fix avoid_reserve to allow taking folio from subpool has been added to the -mm mm-unstable branch. Its filename is mm-hugetlb-fix-avoid_reserve-to-allow-taking-folio-from-subpool.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Peter Xu <peterx(a)redhat.com> Subject: mm/hugetlb: fix avoid_reserve to allow taking folio from subpool Date: Tue, 7 Jan 2025 15:39:56 -0500 Patch series "mm/hugetlb: Refactor hugetlb allocation resv accounting", v2. This is a follow up on Ackerley's series here as replacement: https://lore.kernel.org/r/cover.1728684491.git.ackerleytng@google.com The goal of this series is to cleanup hugetlb resv accounting, especially during folio allocation, to decouple a few things: - Hugetlb folios v.s. Hugetlbfs: IOW, the hope is in the future hugetlb folios can be allocated completely without hugetlbfs. - Decouple VMA v.s. hugetlb folio allocations: allocating a hugetlb folio should not always require a hugetlbfs VMA. For example, either it got allocated from the inode level (see hugetlbfs_fallocate() where it used a pesudo VMA for allocation), or it can be allocated by other kernel subsystems. It paves way for other users to allocate hugetlb folios out of either system reservations, or subpools (instead of hugetlbfs, as a file system). For longer term, this prepares hugetlb as a separate concept versus hugetlbfs, so that hugetlb folios can be allocated by not only hugetlbfs and other things. Tests I've done: - I had a reproducer in patch 1 for the bug I found, this will start to work after patch 1 or the whole set applied. - Hugetlb regression tests (on x86_64 2MBs), includes: - All vmtests on hugetlbfs - libhugetlbfs test suite (which may fail some tests, but no new failures will be introduced by this series, so all such failures happen before this series so shouldn't be relevant). This patch (of 7): Since commit 04f2cbe35699 ("hugetlb: guarantee that COW faults for a process that called mmap(MAP_PRIVATE) on hugetlbfs will succeed"), avoid_reserve was introduced for a special case of CoW on hugetlb private mappings, and only if the owner VMA is trying to allocate yet another hugetlb folio that is not reserved within the private vma reserved map. Later on, in commit d85f69b0b533 ("mm/hugetlb: alloc_huge_page handle areas hole punched by fallocate"), alloc_huge_page() enforced to not consume any global reservation as long as avoid_reserve=true. This operation doesn't look correct, because even if it will enforce the allocation to not use global reservation at all, it will still try to take one reservation from the spool (if the subpool existed). Then since the spool reserved pages take from global reservation, it'll also take one reservation globally. Logically it can cause global reservation to go wrong. I wrote a reproducer below, trigger this special path, and every run of such program will cause global reservation count to increment by one, until it hits the number of free pages: #define _GNU_SOURCE /* See feature_test_macros(7) */ #include <stdio.h> #include <fcntl.h> #include <errno.h> #include <unistd.h> #include <stdlib.h> #include <sys/mman.h> #define MSIZE (2UL << 20) int main(int argc, char *argv[]) { const char *path; int *buf; int fd, ret; pid_t child; if (argc < 2) { printf("usage: %s <hugetlb_file>\n", argv[0]); return -1; } path = argv[1]; fd = open(path, O_RDWR | O_CREAT, 0666); if (fd < 0) { perror("open failed"); return -1; } ret = fallocate(fd, 0, 0, MSIZE); if (ret != 0) { perror("fallocate"); return -1; } buf = mmap(NULL, MSIZE, PROT_READ|PROT_WRITE, MAP_PRIVATE, fd, 0); if (buf == MAP_FAILED) { perror("mmap() failed"); return -1; } /* Allocate a page */ *buf = 1; child = fork(); if (child == 0) { /* child doesn't need to do anything */ exit(0); } /* Trigger CoW from owner */ *buf = 2; munmap(buf, MSIZE); close(fd); unlink(path); return 0; } It can only reproduce with a sub-mount when there're reserved pages on the spool, like: # sysctl vm.nr_hugepages=128 # mkdir ./hugetlb-pool # mount -t hugetlbfs -o min_size=8M,pagesize=2M none ./hugetlb-pool Then run the reproducer on the mountpoint: # ./reproducer ./hugetlb-pool/test Fix it by taking the reservation from spool if available. In general, avoid_reserve is IMHO more about "avoid vma resv map", not spool's. I copied stable, however I have no intention for backporting if it's not a clean cherry-pick, because private hugetlb mapping, and then fork() on top is too rare to hit. Link: https://lkml.kernel.org/r/20250107204002.2683356-1-peterx@redhat.com Link: https://lkml.kernel.org/r/20250107204002.2683356-2-peterx@redhat.com Fixes: d85f69b0b533 ("mm/hugetlb: alloc_huge_page handle areas hole punched by fallocate") Signed-off-by: Peter Xu <peterx(a)redhat.com> Reviewed-by: Ackerley Tng <ackerleytng(a)google.com> Tested-by: Ackerley Tng <ackerleytng(a)google.com> Cc: Breno Leitao <leitao(a)debian.org> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Naoya Horiguchi <nao.horiguchi(a)gmail.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Rik van Riel <riel(a)surriel.com> Cc: Roman Gushchin <roman.gushchin(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/hugetlb.c | 22 +++------------------- 1 file changed, 3 insertions(+), 19 deletions(-) --- a/mm/hugetlb.c~mm-hugetlb-fix-avoid_reserve-to-allow-taking-folio-from-subpool +++ a/mm/hugetlb.c @@ -1394,8 +1394,7 @@ static unsigned long available_huge_page static struct folio *dequeue_hugetlb_folio_vma(struct hstate *h, struct vm_area_struct *vma, - unsigned long address, int avoid_reserve, - long chg) + unsigned long address, long chg) { struct folio *folio = NULL; struct mempolicy *mpol; @@ -1411,10 +1410,6 @@ static struct folio *dequeue_hugetlb_fol if (!vma_has_reserves(vma, chg) && !available_huge_pages(h)) goto err; - /* If reserves cannot be used, ensure enough pages are in the pool */ - if (avoid_reserve && !available_huge_pages(h)) - goto err; - gfp_mask = htlb_alloc_mask(h); nid = huge_node(vma, address, gfp_mask, &mpol, &nodemask); @@ -1430,7 +1425,7 @@ static struct folio *dequeue_hugetlb_fol folio = dequeue_hugetlb_folio_nodemask(h, gfp_mask, nid, nodemask); - if (folio && !avoid_reserve && vma_has_reserves(vma, chg)) { + if (folio && vma_has_reserves(vma, chg)) { folio_set_hugetlb_restore_reserve(folio); h->resv_huge_pages--; } @@ -3047,17 +3042,6 @@ struct folio *alloc_hugetlb_folio(struct gbl_chg = hugepage_subpool_get_pages(spool, 1); if (gbl_chg < 0) goto out_end_reservation; - - /* - * Even though there was no reservation in the region/reserve - * map, there could be reservations associated with the - * subpool that can be used. This would be indicated if the - * return value of hugepage_subpool_get_pages() is zero. - * However, if avoid_reserve is specified we still avoid even - * the subpool reservations. - */ - if (avoid_reserve) - gbl_chg = 1; } /* If this allocation is not consuming a reservation, charge it now. @@ -3080,7 +3064,7 @@ struct folio *alloc_hugetlb_folio(struct * from the global free pool (global change). gbl_chg == 0 indicates * a reservation exists for the allocation. */ - folio = dequeue_hugetlb_folio_vma(h, vma, addr, avoid_reserve, gbl_chg); + folio = dequeue_hugetlb_folio_vma(h, vma, addr, gbl_chg); if (!folio) { spin_unlock_irq(&hugetlb_lock); folio = alloc_buddy_hugetlb_folio_with_mpol(h, vma, addr); _ Patches currently in -mm which might be from peterx(a)redhat.com are mm-hugetlb-fix-avoid_reserve-to-allow-taking-folio-from-subpool.patch mm-hugetlb-stop-using-avoid_reserve-flag-in-fork.patch mm-hugetlb-rename-avoid_reserve-to-cow_from_owner.patch mm-hugetlb-clean-up-map-global-resv-accounting-when-allocate.patch mm-hugetlb-simplify-vma_has_reserves.patch mm-hugetlb-drop-vma_has_reserves.patch mm-hugetlb-unify-restore-reserve-accounting-for-new-allocations.patch

5 months, 2 weeks

1
0
0 0

[PATCH v2] PCI: fix reference leak in pci_alloc_child_bus()

by Ma Ke

When device_register(&child->dev) failed, calling put_device() to explicitly release child->dev. Otherwise, it could cause double free problem. device_register() includes device_add(). As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 4f535093cf8f ("PCI: Put pci_dev in device tree as early as possible") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - added the bug description about the comment of device_add(); - fixed the patch as suggestions; - added Cc and Fixes table. --- drivers/pci/probe.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c index 2e81ab0f5a25..51b78fcda4eb 100644 --- a/drivers/pci/probe.c +++ b/drivers/pci/probe.c @@ -1174,7 +1174,10 @@ static struct pci_bus *pci_alloc_child_bus(struct pci_bus *parent, add_dev: pci_set_bus_msi_domain(child); ret = device_register(&child->dev); - WARN_ON(ret < 0); + if (WARN_ON(ret < 0)) { + put_device(&child->dev); + return NULL; + } pcibios_add_bus(child); -- 2.25.1

5 months, 2 weeks

1
0
0 0

[PATCH 5.4 00/66] 5.4.286-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.4.286 release. There are 66 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun, 17 Nov 2024 06:37:07 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.286-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.4.286-rc1 Linus Torvalds <torvalds(a)linux-foundation.org> 9p: fix slab cache name creation for real Christoph Hellwig <hch(a)lst.de> mm: add remap_pfn_range_notrack Alex Zhang <zhangalex(a)google.com> mm/memory.c: make remap_pfn_range() reject unaligned addr chenqiwu <chenqiwu(a)xiaomi.com> mm: fix ambiguous comments for better code readability WANG Wenhu <wenhu.wang(a)vivo.com> mm: clarify a confusing comment for remap_pfn_range() Li Nan <linan122(a)huawei.com> md/raid10: improve code of mrdev in raid10_sync_request Reinhard Speyerer <rspmn(a)arcor.de> net: usb: qmi_wwan: add Fibocom FG132 0x0112 composition Alessandro Zanni <alessandro.zanni87(a)gmail.com> fs: Fix uninitialized value issue in from_kuid and from_kgid Michael Ellerman <mpe(a)ellerman.id.au> powerpc/powernv: Free name on error in opal_event_init() Julian Vetter <jvetter(a)kalrayinc.com> sound: Make CONFIG_SND depend on INDIRECT_IOMEM instead of UML Rik van Riel <riel(a)surriel.com> bpf: use kvzmalloc to allocate BPF verifier environment WangYuli <wangyuli(a)uniontech.com> HID: multitouch: Add quirk for HONOR MagicBook Art 14 touchpad Pedro Falcato <pedro.falcato(a)gmail.com> 9p: Avoid creating multiple slab caches with the same name Jan Schär <jan(a)jschaer.ch> ALSA: usb-audio: Add endianness annotations Hyunwoo Kim <v4bel(a)theori.io> vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans Hyunwoo Kim <v4bel(a)theori.io> hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer Zheng Yejian <zhengyejian1(a)huawei.com> ftrace: Fix possible use-after-free issue in ftrace_location() Chuck Lever <chuck.lever(a)oracle.com> NFSD: Fix NFSv4's PUTPUBFH operation Jan Schär <jan(a)jschaer.ch> ALSA: usb-audio: Add quirks for Dell WD19 dock Jan Schär <jan(a)jschaer.ch> ALSA: usb-audio: Support jack detection on Dell dock Andrew Kanner <andrew.kanner(a)gmail.com> ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove() Marc Zyngier <maz(a)kernel.org> irqchip/gic-v3: Force propagation of the active state with a read-back Benoît Monin <benoit.monin(a)gmx.fr> USB: serial: option: add Quectel RG650V Reinhard Speyerer <rspmn(a)arcor.de> USB: serial: option: add Fibocom FG132 0x0112 composition Jack Wu <wojackbb(a)gmail.com> USB: serial: qcserial: add support for Sierra Wireless EM86xx Dan Carpenter <dan.carpenter(a)linaro.org> USB: serial: io_edgeport: fix use after free in debug printk Zijun Hu <quic_zijuhu(a)quicinc.com> usb: musb: sunxi: Fix accessing an released usb phy Qi Xi <xiqi2(a)huawei.com> fs/proc: fix compile warning about variable 'vmcore_mmap_ops' Benoit Sevens <bsevens(a)google.com> media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format Nikolay Aleksandrov <razor(a)blackwall.org> net: bridge: xmit: make sure we have at least eth header len bytes Michael Walle <michael(a)walle.cc> spi: fix use-after-free of the add_lock mutex Mark Brown <broonie(a)kernel.org> spi: Fix deadlock when adding SPI controllers on SPI buses Sean Nyekjaer <sean(a)geanix.com> mtd: rawnand: protect access to rawnand devices while in suspend Filipe Manana <fdmanana(a)suse.com> btrfs: reinitialize delayed ref list after deleting it from the list Roberto Sassu <roberto.sassu(a)huawei.com> nfs: Fix KMSAN warning in decode_getfattr_attrs() Zichen Xie <zichenxie0106(a)gmail.com> dm-unstriped: cast an operand to sector_t to prevent potential uint32_t overflow Ming-Hung Tsai <mtsai(a)redhat.com> dm cache: fix potential out-of-bounds access on the first resume Ming-Hung Tsai <mtsai(a)redhat.com> dm cache: optimize dirty bit checking with find_next_bit when resizing Ming-Hung Tsai <mtsai(a)redhat.com> dm cache: fix out-of-bounds access to the dirty bitset when resizing Ming-Hung Tsai <mtsai(a)redhat.com> dm cache: correct the number of origin blocks to match the target length Antonio Quartulli <antonio(a)mandelbit.com> drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read() Erik Schumacher <erik.schumacher(a)iris-sensing.com> pwm: imx-tpm: Use correct MODULO value for EPWM mode Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> media: v4l2-tpg: prevent the risk of a division by zero Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> media: cx24116: prevent overflows on SNR calculus Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> media: s5p-jpeg: prevent buffer overflows Murad Masimov <m.masimov(a)maxima.ru> ALSA: firewire-lib: fix return value on fail in amdtp_tscm_init() Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> media: adv7604: prevent underflow condition when reporting colorspace Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> media: dvb_frontend: don't play tricks with underflow values Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> media: dvbdev: prevent the risk of out of memory access Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> media: stb0899_algo: initialize cfr before using it Peiyang Wang <wangpeiyang1(a)huawei.com> net: hns3: fix kernel crash when uninstalling driver Dario Binacchi <dario.binacchi(a)amarulasolutions.com> can: c_can: fix {rx,tx}_errors statistics Xin Long <lucien.xin(a)gmail.com> sctp: properly validate chunk size in sctp_sf_ootb() Wei Fang <wei.fang(a)nxp.com> net: enetc: set MAC address to the VF net_device Qinglang Miao <miaoqinglang(a)huawei.com> enetc: simplify the return expression of enetc_vf_set_mac_addr() Chen Ridong <chenridong(a)huawei.com> security/keys: fix slab-out-of-bounds in key_task_permission Jiri Kosina <jkosina(a)suse.com> HID: core: zero-initialize the report buffer Heiko Stuebner <heiko(a)sntech.de> ARM: dts: rockchip: Fix the realtek audio codec on rk3036-kylin Heiko Stuebner <heiko(a)sntech.de> ARM: dts: rockchip: Fix the spi controller on rk3036 Heiko Stuebner <heiko(a)sntech.de> ARM: dts: rockchip: drop grf reference from rk3036 hdmi Heiko Stuebner <heiko(a)sntech.de> ARM: dts: rockchip: fix rk3036 acodec node Heiko Stuebner <heiko(a)sntech.de> arm64: dts: rockchip: Remove #cooling-cells from fan on Theobroma lion Heiko Stuebner <heiko(a)sntech.de> arm64: dts: rockchip: Fix bluetooth properties on Rock960 boards Diederik de Haas <didi.debian(a)cknow.org> arm64: dts: rockchip: Remove hdmi's 2nd interrupt on rk3328 Geert Uytterhoeven <geert+renesas(a)glider.be> arm64: dts: rockchip: Fix rt5651 compatible value on rk3399-sapphire-excavator ------------- Diffstat: Makefile | 4 +- arch/arm/boot/dts/rk3036-kylin.dts | 4 +- arch/arm/boot/dts/rk3036.dtsi | 14 +- arch/arm64/boot/dts/rockchip/rk3328.dtsi | 3 +- arch/arm64/boot/dts/rockchip/rk3368-lion.dtsi | 1 - arch/arm64/boot/dts/rockchip/rk3399-rock960.dtsi | 2 +- .../dts/rockchip/rk3399-sapphire-excavator.dts | 2 +- arch/powerpc/platforms/powernv/opal-irqchip.c | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 4 +- drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 2 +- drivers/hid/hid-core.c | 2 +- drivers/hid/hid-multitouch.c | 5 + drivers/irqchip/irq-gic-v3.c | 7 + drivers/md/dm-cache-target.c | 35 ++--- drivers/md/dm-unstripe.c | 4 +- drivers/md/raid10.c | 23 +-- drivers/media/common/v4l2-tpg/v4l2-tpg-core.c | 3 + drivers/media/dvb-core/dvb_frontend.c | 4 +- drivers/media/dvb-core/dvbdev.c | 17 ++- drivers/media/dvb-frontends/cx24116.c | 7 +- drivers/media/dvb-frontends/stb0899_algo.c | 2 +- drivers/media/i2c/adv7604.c | 26 ++-- drivers/media/platform/s5p-jpeg/jpeg-core.c | 17 ++- drivers/media/usb/uvc/uvc_driver.c | 2 +- drivers/mtd/nand/raw/nand_base.c | 44 +++--- drivers/net/can/c_can/c_can.c | 7 +- drivers/net/ethernet/freescale/enetc/enetc_vf.c | 2 + drivers/net/ethernet/hisilicon/hns3/hnae3.c | 5 +- drivers/net/usb/qmi_wwan.c | 1 + drivers/pwm/pwm-imx-tpm.c | 4 +- drivers/spi/spi.c | 27 ++-- drivers/usb/musb/sunxi.c | 2 - drivers/usb/serial/io_edgeport.c | 8 +- drivers/usb/serial/option.c | 6 + drivers/usb/serial/qcserial.c | 2 + fs/btrfs/delayed-ref.c | 2 +- fs/nfs/inode.c | 1 + fs/nfsd/nfs4xdr.c | 10 +- fs/ocfs2/file.c | 9 +- fs/ocfs2/xattr.c | 3 +- fs/proc/vmcore.c | 9 +- include/linux/mm.h | 2 + include/linux/mm_types.h | 4 +- include/linux/mtd/rawnand.h | 2 + include/linux/spi/spi.h | 3 + kernel/bpf/verifier.c | 4 +- kernel/trace/ftrace.c | 30 ++-- mm/memory.c | 56 ++++--- net/9p/client.c | 12 +- net/bridge/br_device.c | 5 + net/sctp/sm_statefuns.c | 2 +- net/vmw_vsock/hyperv_transport.c | 1 + net/vmw_vsock/virtio_transport_common.c | 1 + security/keys/keyring.c | 7 +- sound/Kconfig | 2 +- sound/firewire/tascam/amdtp-tascam.c | 2 +- sound/usb/mixer_quirks.c | 170 +++++++++++++++++++++ 57 files changed, 453 insertions(+), 183 deletions(-)

5 months, 2 weeks

5
76
0 0

[PATCH] clk: qcom: gcc-x1e80100: Do not turn off usb_2 controller GDSC

by Abel Vesa

Allowing the usb_2 controller GDSC to be turned off during system suspend renders the controller unable to resume. So use PWRSTS_RET_ON instead in order to make sure this the GDSC doesn't go down. Fixes: 161b7c401f4b ("clk: qcom: Add Global Clock controller (GCC) driver for X1E80100") Cc: stable(a)vger.kernel.org # 6.8 Signed-off-by: Abel Vesa <abel.vesa(a)linaro.org> --- drivers/clk/qcom/gcc-x1e80100.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/clk/qcom/gcc-x1e80100.c b/drivers/clk/qcom/gcc-x1e80100.c index 8ea25aa25dff043ab4a81fee78b6173139f871b6..7288af845434d824eb91489ab97be25d665cad3a 100644 --- a/drivers/clk/qcom/gcc-x1e80100.c +++ b/drivers/clk/qcom/gcc-x1e80100.c @@ -6083,7 +6083,7 @@ static struct gdsc gcc_usb20_prim_gdsc = { .pd = { .name = "gcc_usb20_prim_gdsc", }, - .pwrsts = PWRSTS_OFF_ON, + .pwrsts = PWRSTS_RET_ON, .flags = POLL_CFG_GDSCR | RETAIN_FF_ENABLE, }; --- base-commit: 7b4b9bf203da94fbeac75ed3116c84aa03e74578 change-id: 20250107-x1e80100-clk-gcc-fix-usb2-gdsc-pwrsts-a8eae668c7d2 Best regards, -- Abel Vesa <abel.vesa(a)linaro.org>

5 months, 2 weeks

3
2
0 0

[PATCH] arm64: dts: qcom: x1e80100: Fix usb_2 controller interrupts

by Abel Vesa

Back when the CRD support was brought up, the usb_2 controller didn't have anything connected to it in order to test it properly, so it was never enabled. On the Lenovo ThinkPad T14s, the usb_2 controller has the fingerprint controller connected to it. So enabling it, proved that the interrupts lines were wrong from the start. Fix both the pwr_event and the DWC ctrl_irq lines, according to documentation. Fixes: 4af46b7bd66f ("arm64: dts: qcom: x1e80100: Add USB nodes") Cc: stable(a)vger.kernel.org # 6.9 Signed-off-by: Abel Vesa <abel.vesa(a)linaro.org> --- arch/arm64/boot/dts/qcom/x1e80100.dtsi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/arm64/boot/dts/qcom/x1e80100.dtsi b/arch/arm64/boot/dts/qcom/x1e80100.dtsi index e2f1873296ec7b7ffdb4c57b5c9d5b09368de168..1c3ad5ae0a41ea235cb176095cd49de7fa89ae4a 100644 --- a/arch/arm64/boot/dts/qcom/x1e80100.dtsi +++ b/arch/arm64/boot/dts/qcom/x1e80100.dtsi @@ -4631,7 +4631,7 @@ usb_2: usb@a2f8800 { <&gcc GCC_USB20_MASTER_CLK>; assigned-clock-rates = <19200000>, <200000000>; - interrupts-extended = <&intc GIC_SPI 240 IRQ_TYPE_LEVEL_HIGH>, + interrupts-extended = <&intc GIC_SPI 245 IRQ_TYPE_LEVEL_HIGH>, <&pdc 50 IRQ_TYPE_EDGE_BOTH>, <&pdc 49 IRQ_TYPE_EDGE_BOTH>; interrupt-names = "pwr_event", @@ -4657,7 +4657,7 @@ &mc_virt SLAVE_EBI1 QCOM_ICC_TAG_ALWAYS>, usb_2_dwc3: usb@a200000 { compatible = "snps,dwc3"; reg = <0 0x0a200000 0 0xcd00>; - interrupts = <GIC_SPI 241 IRQ_TYPE_LEVEL_HIGH>; + interrupts = <GIC_SPI 240 IRQ_TYPE_LEVEL_HIGH>; iommus = <&apps_smmu 0x14e0 0x0>; phys = <&usb_2_hsphy>; phy-names = "usb2-phy"; --- base-commit: 7b4b9bf203da94fbeac75ed3116c84aa03e74578 change-id: 20250107-x1e80100-fix-usb2-controller-irqs-b226a747f73a Best regards, -- Abel Vesa <abel.vesa(a)linaro.org>

5 months, 2 weeks

3
2
0 0

[PATCH] usb: dwc3: Skip resume if pm_runtime_set_active() fails

by Ray Chi

When the system begins to enter suspend mode, dwc3_suspend() is called by PM suspend. There is a problem that if someone interrupt the system suspend process between dwc3_suspend() and pm_suspend() of its parent device, PM suspend will be canceled and attempt to resume suspended devices so that dwc3_resume() will be called. However, dwc3 and its parent device (like the power domain or glue driver) may already be suspended by runtime PM in fact. If this sutiation happened, the pm_runtime_set_active() in dwc3_resume() will return an error since parent device was suspended. This can lead to unexpected behavior if DWC3 proceeds to execute dwc3_resume_common(). EX. RPM suspend: ... -> dwc3_runtime_suspend() -> rpm_suspend() of parent device ... PM suspend: ... -> dwc3_suspend() -> pm_suspend of parent device ^ interrupt, so resume suspended device ... <- dwc3_resume() <-/ ^ pm_runtime_set_active() returns error To prevent the problem, this commit will skip dwc3_resume_common() and return the error if pm_runtime_set_active() fails. Fixes: 68c26fe58182 ("usb: dwc3: set pm runtime active before resume common") Cc: stable(a)vger.kernel.org Signed-off-by: Ray Chi <raychi(a)google.com> --- drivers/usb/dwc3/core.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c index c22b8678e02e..7578c5133568 100644 --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -2609,12 +2609,15 @@ static int dwc3_resume(struct device *dev) pinctrl_pm_select_default_state(dev); pm_runtime_disable(dev); - pm_runtime_set_active(dev); + ret = pm_runtime_set_active(dev); + if (ret) + goto out; ret = dwc3_resume_common(dwc, PMSG_RESUME); if (ret) pm_runtime_set_suspended(dev); +out: pm_runtime_enable(dev); return ret; -- 2.47.1.613.gc27f4b7a9f-goog

5 months, 2 weeks

2
2
0 0

[tip: x86/urgent] x86/fpu: Ensure shadow stack is active before "getting" registers

by tip-bot2 for Rick Edgecombe

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: a9d9c33132d49329ada647e4514d210d15e31d81 Gitweb: https://git.kernel.org/tip/a9d9c33132d49329ada647e4514d210d15e31d81 Author: Rick Edgecombe <rick.p.edgecombe(a)intel.com> AuthorDate: Tue, 07 Jan 2025 15:30:56 -08:00 Committer: Dave Hansen <dave.hansen(a)linux.intel.com> CommitterDate: Tue, 07 Jan 2025 15:55:51 -08:00 x86/fpu: Ensure shadow stack is active before "getting" registers The x86 shadow stack support has its own set of registers. Those registers are XSAVE-managed, but they are "supervisor state components" which means that userspace can not touch them with XSAVE/XRSTOR. It also means that they are not accessible from the existing ptrace ABI for XSAVE state. Thus, there is a new ptrace get/set interface for it. The regset code that ptrace uses provides an ->active() handler in addition to the get/set ones. For shadow stack this ->active() handler verifies that shadow stack is enabled via the ARCH_SHSTK_SHSTK bit in the thread struct. The ->active() handler is checked from some call sites of the regset get/set handlers, but not the ptrace ones. This was not understood when shadow stack support was put in place. As a result, both the set/get handlers can be called with XFEATURE_CET_USER in its init state, which would cause get_xsave_addr() to return NULL and trigger a WARN_ON(). The ssp_set() handler luckily has an ssp_active() check to avoid surprising the kernel with shadow stack behavior when the kernel is not ready for it (ARCH_SHSTK_SHSTK==0). That check just happened to avoid the warning. But the ->get() side wasn't so lucky. It can be called with shadow stacks disabled, triggering the warning in practice, as reported by Christina Schimpe: WARNING: CPU: 5 PID: 1773 at arch/x86/kernel/fpu/regset.c:198 ssp_get+0x89/0xa0 [...] Call Trace: <TASK> ? show_regs+0x6e/0x80 ? ssp_get+0x89/0xa0 ? __warn+0x91/0x150 ? ssp_get+0x89/0xa0 ? report_bug+0x19d/0x1b0 ? handle_bug+0x46/0x80 ? exc_invalid_op+0x1d/0x80 ? asm_exc_invalid_op+0x1f/0x30 ? __pfx_ssp_get+0x10/0x10 ? ssp_get+0x89/0xa0 ? ssp_get+0x52/0xa0 __regset_get+0xad/0xf0 copy_regset_to_user+0x52/0xc0 ptrace_regset+0x119/0x140 ptrace_request+0x13c/0x850 ? wait_task_inactive+0x142/0x1d0 ? do_syscall_64+0x6d/0x90 arch_ptrace+0x102/0x300 [...] Ensure that shadow stacks are active in a thread before looking them up in the XSAVE buffer. Since ARCH_SHSTK_SHSTK and user_ssp[SHSTK_EN] are set at the same time, the active check ensures that there will be something to find in the XSAVE buffer. [ dhansen: changelog/subject tweaks ] Fixes: 2fab02b25ae7 ("x86: Add PTRACE interface for shadow stack") Reported-by: Christina Schimpe <christina.schimpe(a)intel.com> Signed-off-by: Rick Edgecombe <rick.p.edgecombe(a)intel.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Tested-by: Christina Schimpe <christina.schimpe(a)intel.com> Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/20250107233056.235536-1-rick.p.edgecombe%40inte… --- arch/x86/kernel/fpu/regset.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/fpu/regset.c b/arch/x86/kernel/fpu/regset.c index 6bc1eb2..887b0b8 100644 --- a/arch/x86/kernel/fpu/regset.c +++ b/arch/x86/kernel/fpu/regset.c @@ -190,7 +190,8 @@ int ssp_get(struct task_struct *target, const struct user_regset *regset, struct fpu *fpu = &target->thread.fpu; struct cet_user_state *cetregs; - if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK)) + if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK) || + !ssp_active(target, regset)) return -ENODEV; sync_fpstate(fpu);

5 months, 2 weeks

1
0
0 0

[PATCH v2] x86: Check if shadow stack is active for ssp_get()

by Rick Edgecombe

The x86 shadow stack support has its own set of registers. Those registers are XSAVE-managed, but they are "supervisor state components" which means that userspace can't touch them with XSAVE/XRSTOR. It also means that they are not accessible from the existing ptrace ABI like the FPU register or GPRs. Thus, there is a new ptrace get/set interface for it. The regset code that ptrace uses provides an ->active() handler in addition to the get/set ones. For shadow stack this ->active() handler verifies that shadow stack is enabled via the ARCH_SHSTK_SHSTK bit in the thread struct. The ->active() handler is checked from some callsites of the regset get/set handlers, but not the ptrace ones. This was not understood when shadow stack support was put in place. As a result, both the set/get handlers can be called with XFEATURE_CET_USER in its init state, which would cause get_xsave_addr() to return NULL and trigger a WARN_ON(). The ssp_set() handler luckily has an ssp_active() check to avoid surprising the kernel with shadow stack behavior when the kernel is not read for it (ARCH_SHSTK_SHSTK==0). That check just happened to avoid the warning. But the ->get() side wasn't so lucky. It can be called with shadow stacks disabled, triggering the warning in practice, as reported by Christina Schimpe: WARNING: CPU: 5 PID: 1773 at arch/x86/kernel/fpu/regset.c:198 ssp_get+0x89/0xa0 [...] Call Trace: <TASK> ? show_regs+0x6e/0x80 ? ssp_get+0x89/0xa0 ? __warn+0x91/0x150 ? ssp_get+0x89/0xa0 ? report_bug+0x19d/0x1b0 ? handle_bug+0x46/0x80 ? exc_invalid_op+0x1d/0x80 ? asm_exc_invalid_op+0x1f/0x30 ? __pfx_ssp_get+0x10/0x10 ? ssp_get+0x89/0xa0 ? ssp_get+0x52/0xa0 __regset_get+0xad/0xf0 copy_regset_to_user+0x52/0xc0 ptrace_regset+0x119/0x140 ptrace_request+0x13c/0x850 ? wait_task_inactive+0x142/0x1d0 ? do_syscall_64+0x6d/0x90 arch_ptrace+0x102/0x300 [...] Ensure that shadow stacks are active in a thread before looking them up in the XSAVE buffer. Since ARCH_SHSTK_SHSTK and user_ssp[SHSTK_EN] are set at the same time, the active check ensures that there will be something to find in the XSAVE buffer. Fixes: 2fab02b25ae7 ("x86: Add PTRACE interface for shadow stack") Reported-by: Christina Schimpe <christina.schimpe(a)intel.com> Tested-by: Christina Schimpe <christina.schimpe(a)intel.com> Signed-off-by: Rick Edgecombe <rick.p.edgecombe(a)intel.com> Cc: stable(a)vger.kernel.org --- v2: - Incorporate log feedback from Dave here: https://lore.kernel.org/lkml/81d3af8f-bad8-4559-8a0f-3271dd7f0abc@intel.com/ arch/x86/kernel/fpu/regset.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/fpu/regset.c b/arch/x86/kernel/fpu/regset.c index 6bc1eb2a21bd..887b0b8e21e3 100644 --- a/arch/x86/kernel/fpu/regset.c +++ b/arch/x86/kernel/fpu/regset.c @@ -190,7 +190,8 @@ int ssp_get(struct task_struct *target, const struct user_regset *regset, struct fpu *fpu = &target->thread.fpu; struct cet_user_state *cetregs; - if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK)) + if (!cpu_feature_enabled(X86_FEATURE_USER_SHSTK) || + !ssp_active(target, regset)) return -ENODEV; sync_fpstate(fpu); -- 2.47.1

5 months, 2 weeks

1
0
0 0

Re: zram: Regression in at least linux-6.1.y tree

by Kenneth Van Alstyne

Somehow I missed this on my first search through lore.kernel.org, but this appears to be the same issue: https://lore.kernel.org/stable/Z3ytcILx4S1v_ueJ@codewreck.org/T/#u Thanks, -- Kenneth Van Alstyne, Jr. > On Jan 7, 2025, at 15:48, Kenneth Van Alstyne <kvanals(a)kvanals.org> wrote: > > Greetings and apologies if this isn't the proper process for reporting an issue in a LTS kernel per https://www.kernel.org/doc/html/latest/admin-guide/reporting-issues.html. Happy to follow another process if more appropriate. > > Kernel 6.1.122 introduced a regression via commit ac3b5366b9b7c9d97b606532ceab43d2329a22f3 (backport of upstream commit 74363ec674cb172d8856de25776c8f3103f05e2f) in drivers/block/zram/zram_drv.c where attempting to set the size of /dev/zram0 after loading the zram kernel module results in a kernel NULL pointer dereference. > > That patch removed the following block from zram_reset_device(): > - if (!init_done(zram)) { > - up_write(&zram->init_lock); > - return; > - } > > However, without that, zram_reset_device subsequently calls zcomp_destroy on a device that has not been initialized, leading to the OOPS. Adding that block back does resolve the issue. In addition, the latest mainline kernel does not appear to exhibit these symptoms, but zram_drv.c seems to have been changed fairly substantially since kernel 6.1. > > Steps to reproduce: > > modprobe zram > zramctl /dev/zram0 --algorithm zstd --size 83886080k > > Kernel log: > > [ 184.410082] BUG: kernel NULL pointer dereference, address: 0000000000000000 > [ 184.416305] #PF: supervisor read access in kernel mode > [ 184.418201] #PF: error_code(0x0000) - not-present page > [ 184.418201] PGD 170d0b067 P4D 170d0b067 PUD 1718af067 PMD 0 > [ 184.418201] Oops: 0000 [#1] PREEMPT SMP NOPTI > [ 184.418201] CPU: 2 PID: 3584 Comm: zramctl Tainted: G O K 6.1.122 #1 > [ 184.418201] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org 04/01/2014 > [ 184.418201] RIP: 0010:zcomp_cpu_dead+0x7/0x30 [zram] > [ 184.418201] Code: c7 d8 56 a9 c0 e8 63 f3 92 ed b8 f4 ff ff ff 5b e9 fe 10 d7 ed 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 0f 1f 44 00 00 89 ff <48> 8b 46 f0 48 03 04 fd c0 47 e7 ae 48 89 c7 48 8d 70 08 e8 11 fd > [ 184.418201] RSP: 0018:ffffaf9400a5fd28 EFLAGS: 00010246 > [ 184.418201] RAX: ffffffffc0a912d0 RBX: ffff89adefa1b2e0 RCX: 0000000000000010 > [ 184.418201] RDX: 0000000000000000 RSI: 0000000000000010 RDI: 0000000000000000 > [ 184.418201] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001 > [ 184.418201] R10: 000000000000000a R11: f000000000000000 R12: 0000000000000aa0 > [ 184.418201] R13: 0000000000000000 R14: 0000000000000010 R15: ffff89aac0cb2e20 > [ 184.418201] FS: 00007fa6d240d740(0000) GS:ffff89adefa80000(0000) knlGS:0000000000000000 > [ 184.418201] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ 184.418201] CR2: 0000000000000000 CR3: 0000000171fd4000 CR4: 00000000003506e0 > [ 184.418201] Call Trace: > [ 184.418201] <TASK> > [ 184.418201] ? __die_body+0x1a/0x60 > [ 184.418201] ? page_fault_oops+0xae/0x260 > [ 184.418201] ? exc_page_fault+0x67/0x140 > [ 184.418201] ? asm_exc_page_fault+0x22/0x30 > [ 184.418201] ? zcomp_cpu_up_prepare+0x90/0x90 [zram] > [ 184.418201] ? zcomp_cpu_dead+0x7/0x30 [zram] > [ 184.418201] ? zcomp_cpu_up_prepare+0x90/0x90 [zram] > [ 184.418201] cpuhp_invoke_callback+0xb4/0x4c0 > [ 184.418201] ? zcomp_cpu_up_prepare+0x90/0x90 [zram] > [ 184.418201] cpuhp_issue_call+0xeb/0x140 > [ 184.418201] __cpuhp_state_remove_instance+0xdb/0x1a0 > [ 184.418201] zcomp_destroy+0x1c/0x30 [zram] > [ 184.418201] zram_reset_device+0xf3/0x120 [zram] > [ 184.418201] reset_store+0x9d/0x100 [zram] > [ 184.418201] kernfs_fop_write_iter+0x11e/0x1b0 > [ 184.418201] vfs_write+0x2ae/0x3c0 > [ 184.418201] ksys_write+0x5c/0xe0 > [ 184.418201] do_syscall_64+0x32/0x80 > [ 184.552119] python3 (3612) used greatest stack depth: 11736 bytes left > [ 184.418201] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 > [ 184.418201] RIP: 0033:0x7fa6d2506d00 > [ 184.418201] Code: 40 00 48 8b 15 29 91 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb af 0f 1f 00 80 3d e1 18 0e 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55 > [ 184.418201] RSP: 002b:00007ffec8315ec8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 > [ 184.418201] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fa6d2506d00 > [ 184.418201] RDX: 0000000000000001 RSI: 00007ffec8315ee0 RDI: 0000000000000003 > [ 184.418201] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000001 > [ 184.418201] R10: 0000000000000004 R11: 0000000000000202 R12: 00007fa6d240d6c0 > [ 184.418201] R13: 00007ffec8315ee0 R14: 0000000000000003 R15: 00007ffec8315ed0 > [ 184.418201] </TASK> > [ 184.418201] Modules linked in: zram zsmalloc bcache crc64 ip6table_filter ip6_tables iptable_filter xt_conntrack iptable_mangle xt_connmark nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_tables x_tables vfat fat btrfs blake2b_generic xor raid6_pq libcrc32c dm_multipath dm_mod bridge stp llc bonding nfs lockd grace sunrpc fscache torch(O) ipmi_devintf ipmi_msghandler sr_mod kvm_amd mousedev cdrom virtio_blk kvm ata_generic pata_acpi irqbypass crc32c_intel aesni_intel ata_piix crypto_simd virtio_pci virtio_pci_legacy_dev psmouse virtio_pci_modern_dev i6300esb e1000 libata cryptd i2c_piix4 evdev procmemro(OK) noptrace(OK) > [ 184.418201] CR2: 0000000000000000 > [ 184.418201] ---[ end trace 0000000000000000 ]--- > [ 184.418201] RIP: 0010:zcomp_cpu_dead+0x7/0x30 [zram] > [ 184.418201] Code: c7 d8 56 a9 c0 e8 63 f3 92 ed b8 f4 ff ff ff 5b e9 fe 10 d7 ed 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 0f 1f 44 00 00 89 ff <48> 8b 46 f0 48 03 04 fd c0 47 e7 ae 48 89 c7 48 8d 70 08 e8 11 fd > [ 184.418201] RSP: 0018:ffffaf9400a5fd28 EFLAGS: 00010246 > [ 184.418201] RAX: ffffffffc0a912d0 RBX: ffff89adefa1b2e0 RCX: 0000000000000010 > [ 184.418201] RDX: 0000000000000000 RSI: 0000000000000010 RDI: 0000000000000000 > [ 184.418201] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001 > [ 184.418201] R10: 000000000000000a R11: f000000000000000 R12: 0000000000000aa0 > [ 184.418201] R13: 0000000000000000 R14: 0000000000000010 R15: ffff89aac0cb2e20 > [ 184.418201] FS: 00007fa6d240d740(0000) GS:ffff89adefa80000(0000) knlGS:0000000000000000 > [ 184.418201] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ 184.418201] CR2: 0000000000000000 CR3: 0000000171fd4000 CR4: 00000000003506e0 > [ 184.418201] Kernel panic - not syncing: Fatal exception > [ 184.418201] Kernel Offset: 0x2c800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) > [ 184.418201] Rebooting in 120 seconds.. > > Thanks, > > -- > Kenneth Van Alstyne, Jr.

5 months, 2 weeks

1
0
0 0

[PATCH v4 4/5] arm64: cputype: Add MIDR_CORTEX_A76AE

by Douglas Anderson

From the TRM, MIDR_CORTEX_A76AE has a partnum of 0xDOE and an implementor of 0x41 (ARM). Add the values. Cc: stable(a)vger.kernel.org # dependency of the next fix in the series Signed-off-by: Douglas Anderson <dianders(a)chromium.org> --- (no changes since v3) Changes in v3: - New arch/arm64/include/asm/cputype.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h index 488f8e751349..a345628fce51 100644 --- a/arch/arm64/include/asm/cputype.h +++ b/arch/arm64/include/asm/cputype.h @@ -75,6 +75,7 @@ #define ARM_CPU_PART_CORTEX_A76 0xD0B #define ARM_CPU_PART_NEOVERSE_N1 0xD0C #define ARM_CPU_PART_CORTEX_A77 0xD0D +#define ARM_CPU_PART_CORTEX_A76AE 0xD0E #define ARM_CPU_PART_NEOVERSE_V1 0xD40 #define ARM_CPU_PART_CORTEX_A78 0xD41 #define ARM_CPU_PART_CORTEX_A78AE 0xD42 @@ -158,6 +159,7 @@ #define MIDR_CORTEX_A76 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76) #define MIDR_NEOVERSE_N1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N1) #define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77) +#define MIDR_CORTEX_A76AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76AE) #define MIDR_NEOVERSE_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V1) #define MIDR_CORTEX_A78 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78) #define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE) -- 2.47.1.613.gc27f4b7a9f-goog

5 months, 2 weeks

1
0
0 0

[PATCH] nfs: Make NFS_FSCACHE select NETFS_SUPPORT instead of depending on it

by Dragan Simic

Having the NFS_FSCACHE option depend on the NETFS_SUPPORT options makes selecting NFS_FSCACHE impossible unless another option that additionally selects NETFS_SUPPORT is already selected. As a result, for example, being able to reach and select the NFS_FSCACHE option requires the CEPH_FS or CIFS option to be selected beforehand, which obviously doesn't make much sense. Let's correct this by making the NFS_FSCACHE option actually select the NETFS_SUPPORT option, instead of depending on it. Fixes: 915cd30cdea8 ("netfs, fscache: Combine fscache with netfs") Cc: stable(a)vger.kernel.org Reported-by: Diederik de Haas <didi.debian(a)cknow.org> Signed-off-by: Dragan Simic <dsimic(a)manjaro.org> --- fs/nfs/Kconfig | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig index 0eb20012792f..d3f76101ad4b 100644 --- a/fs/nfs/Kconfig +++ b/fs/nfs/Kconfig @@ -170,7 +170,8 @@ config ROOT_NFS config NFS_FSCACHE bool "Provide NFS client caching support" - depends on NFS_FS=m && NETFS_SUPPORT || NFS_FS=y && NETFS_SUPPORT=y + depends on NFS_FS + select NETFS_SUPPORT select FSCACHE help Say Y here if you want NFS data to be cached locally on disc through

5 months, 2 weeks

1
1
0 0

[PATCH] KEYS: trusted: dcp: fix improper sg use with CONFIG_VMAP_STACK=y

by David Gstir

With vmalloc stack addresses enabled (CONFIG_VMAP_STACK=y) DCP trusted keys can crash during en- and decryption of the blob encryption key via the DCP crypto driver. This is caused by improperly using sg_init_one() with vmalloc'd stack buffers (plain_key_blob). Fix this by always using kmalloc() for buffers we give to the DCP crypto driver. Cc: stable(a)vger.kernel.org # v6.10+ Fixes: 0e28bf61a5f9 ("KEYS: trusted: dcp: fix leak of blob encryption key") Signed-off-by: David Gstir <david(a)sigma-star.at> --- security/keys/trusted-keys/trusted_dcp.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/security/keys/trusted-keys/trusted_dcp.c b/security/keys/trusted-keys/trusted_dcp.c index e908c53a803c..7b6eb655df0c 100644 --- a/security/keys/trusted-keys/trusted_dcp.c +++ b/security/keys/trusted-keys/trusted_dcp.c @@ -201,12 +201,16 @@ static int trusted_dcp_seal(struct trusted_key_payload *p, char *datablob) { struct dcp_blob_fmt *b = (struct dcp_blob_fmt *)p->blob; int blen, ret; - u8 plain_blob_key[AES_KEYSIZE_128]; + u8 *plain_blob_key; blen = calc_blob_len(p->key_len); if (blen > MAX_BLOB_SIZE) return -E2BIG; + plain_blob_key = kmalloc(AES_KEYSIZE_128, GFP_KERNEL); + if (!plain_blob_key) + return -ENOMEM; + b->fmt_version = DCP_BLOB_VERSION; get_random_bytes(b->nonce, AES_KEYSIZE_128); get_random_bytes(plain_blob_key, AES_KEYSIZE_128); @@ -229,7 +233,8 @@ static int trusted_dcp_seal(struct trusted_key_payload *p, char *datablob) ret = 0; out: - memzero_explicit(plain_blob_key, sizeof(plain_blob_key)); + memzero_explicit(plain_blob_key, AES_KEYSIZE_128); + kfree(plain_blob_key); return ret; } @@ -238,7 +243,7 @@ static int trusted_dcp_unseal(struct trusted_key_payload *p, char *datablob) { struct dcp_blob_fmt *b = (struct dcp_blob_fmt *)p->blob; int blen, ret; - u8 plain_blob_key[AES_KEYSIZE_128]; + u8 *plain_blob_key = NULL; if (b->fmt_version != DCP_BLOB_VERSION) { pr_err("DCP blob has bad version: %i, expected %i\n", @@ -256,6 +261,12 @@ static int trusted_dcp_unseal(struct trusted_key_payload *p, char *datablob) goto out; } + plain_blob_key = kmalloc(AES_KEYSIZE_128, GFP_KERNEL); + if (!plain_blob_key) { + ret = -ENOMEM; + goto out; + } + ret = decrypt_blob_key(b->blob_key, plain_blob_key); if (ret) { pr_err("Unable to decrypt blob key: %i\n", ret); @@ -271,7 +282,10 @@ static int trusted_dcp_unseal(struct trusted_key_payload *p, char *datablob) ret = 0; out: - memzero_explicit(plain_blob_key, sizeof(plain_blob_key)); + if (plain_blob_key) { + memzero_explicit(plain_blob_key, AES_KEYSIZE_128); + kfree(plain_blob_key); + } return ret; } -- 2.47.0

5 months, 2 weeks

2
3
0 0

[PATCH] ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[]

by Hans de Goede

The TongFang GM5HG0A is a TongFang barebone design which is sold under various brand names. The ACPI IRQ override for the keyboard IRQ must be used on these AMD Zen laptops in order for the IRQ to work. At least on the SKIKK Vanaheim variant the DMI product- and board-name strings have been replaced by the OEM with "Vanaheim" so checking that board-name contains "GM5HG0A" as is usually done for TongFang barebones quirks does not work. The DMI OEM strings do contain "GM5HG0A". I have looked at the dmidecode for a few other TongFang devices and the TongFang code-name string being in the OEM strings seems to be something which is consistently true. Add a quirk checking one of the DMI_OEM_STRING(s) is "GM5HG0A" in the hope that this will work for other OEM versions of the "GM5HG0A" too. Link: https://www.skikk.eu/en/laptops/vanaheim-15-rtx-4060 Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219614 Cc: stable(a)vger.kernel.org Signed-off-by: Hans de Goede <hdegoede(a)redhat.com> --- drivers/acpi/resource.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c index 7d6537ea176f..90aaec923889 100644 --- a/drivers/acpi/resource.c +++ b/drivers/acpi/resource.c @@ -653,6 +653,17 @@ static const struct dmi_system_id irq1_edge_low_force_override[] = { DMI_MATCH(DMI_BOARD_NAME, "GMxHGxx"), }, }, + { + /* + * TongFang GM5HG0A in case of the SKIKK Vanaheim relabel the + * board-name is changed, so check OEM strings instead. Note + * OEM string matches are always exact matches. + * https://bugzilla.kernel.org/show_bug.cgi?id=219614 + */ + .matches = { + DMI_EXACT_MATCH(DMI_OEM_STRING, "GM5HG0A"), + }, + }, { } }; -- 2.47.1

5 months, 2 weeks

2
1
0 0

[PATCH] ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[]

by Hans de Goede

Like the Vivobook X1704VAP the X1504VAP has its keyboard IRQ (1) described as ActiveLow in the DSDT, which the kernel overrides to EdgeHigh which breaks the keyboard. Add the X1504VAP to the irq1_level_low_skip_override[] quirk table to fix this. Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219224 Cc: stable(a)vger.kernel.org Signed-off-by: Hans de Goede <hdegoede(a)redhat.com> --- drivers/acpi/resource.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c index 821867de43be..ab4c0e0b6b8e 100644 --- a/drivers/acpi/resource.c +++ b/drivers/acpi/resource.c @@ -440,6 +440,13 @@ static const struct dmi_system_id irq1_level_low_skip_override[] = { DMI_MATCH(DMI_BOARD_NAME, "S5602ZA"), }, }, + { + /* Asus Vivobook X1504VAP */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), + DMI_MATCH(DMI_BOARD_NAME, "X1504VAP"), + }, + }, { /* Asus Vivobook X1704VAP */ .matches = { -- 2.47.1

5 months, 2 weeks

2
1
0 0

[PATCH 6.1.y] sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers

by Alva Lan

From: Qun-Wei Lin <qun-wei.lin(a)mediatek.com> [ Upstream commit fd7b4f9f46d46acbc7af3a439bb0d869efdc5c58 ] When CONFIG_KASAN_SW_TAGS and CONFIG_KASAN_STACK are enabled, the object_is_on_stack() function may produce incorrect results due to the presence of tags in the obj pointer, while the stack pointer does not have tags. This discrepancy can lead to incorrect stack object detection and subsequently trigger warnings if CONFIG_DEBUG_OBJECTS is also enabled. Example of the warning: ODEBUG: object 3eff800082ea7bb0 is NOT on stack ffff800082ea0000, but annotated. ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1 at lib/debugobjects.c:557 __debug_object_init+0x330/0x364 Modules linked in: CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-rc5 #4 Hardware name: linux,dummy-virt (DT) pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __debug_object_init+0x330/0x364 lr : __debug_object_init+0x330/0x364 sp : ffff800082ea7b40 x29: ffff800082ea7b40 x28: 98ff0000c0164518 x27: 98ff0000c0164534 x26: ffff800082d93ec8 x25: 0000000000000001 x24: 1cff0000c00172a0 x23: 0000000000000000 x22: ffff800082d93ed0 x21: ffff800081a24418 x20: 3eff800082ea7bb0 x19: efff800000000000 x18: 0000000000000000 x17: 00000000000000ff x16: 0000000000000047 x15: 206b63617473206e x14: 0000000000000018 x13: ffff800082ea7780 x12: 0ffff800082ea78e x11: 0ffff800082ea790 x10: 0ffff800082ea79d x9 : 34d77febe173e800 x8 : 34d77febe173e800 x7 : 0000000000000001 x6 : 0000000000000001 x5 : feff800082ea74b8 x4 : ffff800082870a90 x3 : ffff80008018d3c4 x2 : 0000000000000001 x1 : ffff800082858810 x0 : 0000000000000050 Call trace: __debug_object_init+0x330/0x364 debug_object_init_on_stack+0x30/0x3c schedule_hrtimeout_range_clock+0xac/0x26c schedule_hrtimeout+0x1c/0x30 wait_task_inactive+0x1d4/0x25c kthread_bind_mask+0x28/0x98 init_rescuer+0x1e8/0x280 workqueue_init+0x1a0/0x3cc kernel_init_freeable+0x118/0x200 kernel_init+0x28/0x1f0 ret_from_fork+0x10/0x20 ---[ end trace 0000000000000000 ]--- ODEBUG: object 3eff800082ea7bb0 is NOT on stack ffff800082ea0000, but annotated. ------------[ cut here ]------------ Link: https://lkml.kernel.org/r/20241113042544.19095-1-qun-wei.lin@mediatek.com Signed-off-by: Qun-Wei Lin <qun-wei.lin(a)mediatek.com> Cc: Andrew Yang <andrew.yang(a)mediatek.com> Cc: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> Cc: Casper Li <casper.li(a)mediatek.com> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Chinwen Chang <chinwen.chang(a)mediatek.com> Cc: Kent Overstreet <kent.overstreet(a)linux.dev> Cc: Matthias Brugger <matthias.bgg(a)gmail.com> Cc: Pasha Tatashin <pasha.tatashin(a)soleen.com> Cc: Shakeel Butt <shakeel.butt(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Alva Lan <alvalan9(a)foxmail.com> --- include/linux/sched/task_stack.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/linux/sched/task_stack.h b/include/linux/sched/task_stack.h index f158b025c175..d2117e1c8fa5 100644 --- a/include/linux/sched/task_stack.h +++ b/include/linux/sched/task_stack.h @@ -8,6 +8,7 @@ #include <linux/sched.h> #include <linux/magic.h> +#include <linux/kasan.h> #ifdef CONFIG_THREAD_INFO_IN_TASK @@ -88,6 +89,7 @@ static inline int object_is_on_stack(const void *obj) { void *stack = task_stack_page(current); + obj = kasan_reset_tag(obj); return (obj >= stack) && (obj < (stack + THREAD_SIZE)); } -- 2.39.4

5 months, 2 weeks

2
1
0 0

[PATCH 5.10.y] scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity

by Kuan-Wei Chiu

The orc_sort_cmp() function, used with qsort(), previously violated the symmetry and transitivity rules required by the C standard. Specifically, when both entries are ORC_REG_UNDEFINED, it could result in both a < b and b < a, which breaks the required symmetry and transitivity. This can lead to undefined behavior and incorrect sorting results, potentially causing memory corruption in glibc implementations [1]. Symmetry: If x < y, then y > x. Transitivity: If x < y and y < z, then x < z. Fix the comparison logic to return 0 when both entries are ORC_REG_UNDEFINED, ensuring compliance with qsort() requirements. Link: https://www.qualys.com/2024/01/30/qsort.txt [1] Link: https://lkml.kernel.org/r/20241226140332.2670689-1-visitorckw@gmail.com Fixes: 57fa18994285 ("scripts/sorttable: Implement build-time ORC unwind table sorting") Fixes: fb799447ae29 ("x86,objtool: Split UNWIND_HINT_EMPTY in two") Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com> Cc: Ching-Chun (Jim) Huang <jserv(a)ccns.ncku.edu.tw> Cc: <chuang(a)cs.nycu.edu.tw> Cc: Ingo Molnar <mingo(a)kernel.org> Cc: Josh Poimboeuf <jpoimboe(a)kernel.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Shile Zhang <shile.zhang(a)linux.alibaba.com> Cc: Steven Rostedt <rostedt(a)goodmis.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> (cherry picked from commit 0210d251162f4033350a94a43f95b1c39ec84a90) Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com> --- scripts/sorttable.h | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/scripts/sorttable.h b/scripts/sorttable.h index a2baa2fefb13..fb385d0f3cc2 100644 --- a/scripts/sorttable.h +++ b/scripts/sorttable.h @@ -103,7 +103,7 @@ static inline unsigned long orc_ip(const int *ip) static int orc_sort_cmp(const void *_a, const void *_b) { - struct orc_entry *orc_a; + struct orc_entry *orc_a, *orc_b; const int *a = g_orc_ip_table + *(int *)_a; const int *b = g_orc_ip_table + *(int *)_b; unsigned long a_val = orc_ip(a); @@ -120,8 +120,12 @@ static int orc_sort_cmp(const void *_a, const void *_b) * These terminator entries exist to handle any gaps created by * whitelisted .o files which didn't get objtool generation. */ - orc_a = g_orc_table + (a - g_orc_ip_table); - return orc_a->sp_reg == ORC_REG_UNDEFINED && !orc_a->end ? -1 : 1; + orc_a = g_orc_table + (a - g_orc_ip_table); + orc_b = g_orc_table + (b - g_orc_ip_table); + if (orc_a->sp_reg == ORC_REG_UNDEFINED && !orc_a->end && + orc_b->sp_reg == ORC_REG_UNDEFINED && !orc_b->end) + return 0; + return orc_a->sp_reg == ORC_REG_UNDEFINED && !orc_a->end ? -1 : 1; } static void *sort_orctable(void *arg) -- 2.34.1

5 months, 2 weeks

2
1
0 0

[PATCH 6.1.y] scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity

by Kuan-Wei Chiu

The orc_sort_cmp() function, used with qsort(), previously violated the symmetry and transitivity rules required by the C standard. Specifically, when both entries are ORC_REG_UNDEFINED, it could result in both a < b and b < a, which breaks the required symmetry and transitivity. This can lead to undefined behavior and incorrect sorting results, potentially causing memory corruption in glibc implementations [1]. Symmetry: If x < y, then y > x. Transitivity: If x < y and y < z, then x < z. Fix the comparison logic to return 0 when both entries are ORC_REG_UNDEFINED, ensuring compliance with qsort() requirements. Link: https://www.qualys.com/2024/01/30/qsort.txt [1] Link: https://lkml.kernel.org/r/20241226140332.2670689-1-visitorckw@gmail.com Fixes: 57fa18994285 ("scripts/sorttable: Implement build-time ORC unwind table sorting") Fixes: fb799447ae29 ("x86,objtool: Split UNWIND_HINT_EMPTY in two") Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com> Cc: Ching-Chun (Jim) Huang <jserv(a)ccns.ncku.edu.tw> Cc: <chuang(a)cs.nycu.edu.tw> Cc: Ingo Molnar <mingo(a)kernel.org> Cc: Josh Poimboeuf <jpoimboe(a)kernel.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Shile Zhang <shile.zhang(a)linux.alibaba.com> Cc: Steven Rostedt <rostedt(a)goodmis.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> (cherry picked from commit 0210d251162f4033350a94a43f95b1c39ec84a90) Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com> --- scripts/sorttable.h | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/scripts/sorttable.h b/scripts/sorttable.h index deb7c1d3e979..f0ba2bf5a886 100644 --- a/scripts/sorttable.h +++ b/scripts/sorttable.h @@ -110,7 +110,7 @@ static inline unsigned long orc_ip(const int *ip) static int orc_sort_cmp(const void *_a, const void *_b) { - struct orc_entry *orc_a; + struct orc_entry *orc_a, *orc_b; const int *a = g_orc_ip_table + *(int *)_a; const int *b = g_orc_ip_table + *(int *)_b; unsigned long a_val = orc_ip(a); @@ -128,6 +128,10 @@ static int orc_sort_cmp(const void *_a, const void *_b) * whitelisted .o files which didn't get objtool generation. */ orc_a = g_orc_table + (a - g_orc_ip_table); + orc_b = g_orc_table + (b - g_orc_ip_table); + if (orc_a->sp_reg == ORC_REG_UNDEFINED && !orc_a->end && + orc_b->sp_reg == ORC_REG_UNDEFINED && !orc_b->end) + return 0; return orc_a->sp_reg == ORC_REG_UNDEFINED && !orc_a->end ? -1 : 1; } -- 2.34.1

5 months, 2 weeks

2
1
0 0

[PATCH stable 6.6 1/1] Revert "bpf: support non-r10 register spill/fill to/from stack in precision tracking"

by Shung-Hsi Yu

Levi reported that commit ecc2aeeaa08a ("bpf: support non-r10 register spill/fill to/from stack in precision tracking") cause eBPF program that previously loads successfully in stable 6.6 now fails to load, when the same program also loads successfully in v6.13-rc5. Revert ecc2aeeaa08a until the problem has been probably figured out and resolved. Fixes: ecc2aeeaa08a ("bpf: support non-r10 register spill/fill to/from stack in precision tracking") Reported-by: Levi Zim <rsworktech(a)outlook.com> Link: https://lore.kernel.org/stable/MEYP282MB2312C3C8801476C4F262D6E1C6162@MEYP2… Signed-off-by: Shung-Hsi Yu <shung-hsi.yu(a)suse.com> --- include/linux/bpf_verifier.h | 31 +--- kernel/bpf/verifier.c | 175 ++++++++---------- .../bpf/progs/verifier_subprog_precision.c | 23 +-- .../testing/selftests/bpf/verifier/precise.c | 38 ++-- 4 files changed, 98 insertions(+), 169 deletions(-) diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h index cb8e97665eaa..92919d52f7e1 100644 --- a/include/linux/bpf_verifier.h +++ b/include/linux/bpf_verifier.h @@ -319,34 +319,12 @@ struct bpf_func_state { struct bpf_stack_state *stack; }; -#define MAX_CALL_FRAMES 8 - -/* instruction history flags, used in bpf_jmp_history_entry.flags field */ -enum { - /* instruction references stack slot through PTR_TO_STACK register; - * we also store stack's frame number in lower 3 bits (MAX_CALL_FRAMES is 8) - * and accessed stack slot's index in next 6 bits (MAX_BPF_STACK is 512, - * 8 bytes per slot, so slot index (spi) is [0, 63]) - */ - INSN_F_FRAMENO_MASK = 0x7, /* 3 bits */ - - INSN_F_SPI_MASK = 0x3f, /* 6 bits */ - INSN_F_SPI_SHIFT = 3, /* shifted 3 bits to the left */ - - INSN_F_STACK_ACCESS = BIT(9), /* we need 10 bits total */ -}; - -static_assert(INSN_F_FRAMENO_MASK + 1 >= MAX_CALL_FRAMES); -static_assert(INSN_F_SPI_MASK + 1 >= MAX_BPF_STACK / 8); - -struct bpf_jmp_history_entry { +struct bpf_idx_pair { + u32 prev_idx; u32 idx; - /* insn idx can't be bigger than 1 million */ - u32 prev_idx : 22; - /* special flags, e.g., whether insn is doing register stack spill/load */ - u32 flags : 10; }; +#define MAX_CALL_FRAMES 8 /* Maximum number of register states that can exist at once */ #define BPF_ID_MAP_SIZE ((MAX_BPF_REG + MAX_BPF_STACK / BPF_REG_SIZE) * MAX_CALL_FRAMES) struct bpf_verifier_state { @@ -429,7 +407,7 @@ struct bpf_verifier_state { * For most states jmp_history_cnt is [0-3]. * For loops can go up to ~40. */ - struct bpf_jmp_history_entry *jmp_history; + struct bpf_idx_pair *jmp_history; u32 jmp_history_cnt; u32 dfs_depth; u32 callback_unroll_depth; @@ -662,7 +640,6 @@ struct bpf_verifier_env { int cur_stack; } cfg; struct backtrack_state bt; - struct bpf_jmp_history_entry *cur_hist_ent; u32 pass_cnt; /* number of times do_check() was called */ u32 subprog_cnt; /* number of instructions analyzed by the verifier */ diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index a3c3c66ca047..d6a4102312fa 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -1762,8 +1762,8 @@ static int copy_verifier_state(struct bpf_verifier_state *dst_state, int i, err; dst_state->jmp_history = copy_array(dst_state->jmp_history, src->jmp_history, - src->jmp_history_cnt, sizeof(*dst_state->jmp_history), - GFP_USER); + src->jmp_history_cnt, sizeof(struct bpf_idx_pair), + GFP_USER); if (!dst_state->jmp_history) return -ENOMEM; dst_state->jmp_history_cnt = src->jmp_history_cnt; @@ -3397,21 +3397,6 @@ static int check_reg_arg(struct bpf_verifier_env *env, u32 regno, return __check_reg_arg(env, state->regs, regno, t); } -static int insn_stack_access_flags(int frameno, int spi) -{ - return INSN_F_STACK_ACCESS | (spi << INSN_F_SPI_SHIFT) | frameno; -} - -static int insn_stack_access_spi(int insn_flags) -{ - return (insn_flags >> INSN_F_SPI_SHIFT) & INSN_F_SPI_MASK; -} - -static int insn_stack_access_frameno(int insn_flags) -{ - return insn_flags & INSN_F_FRAMENO_MASK; -} - static void mark_jmp_point(struct bpf_verifier_env *env, int idx) { env->insn_aux_data[idx].jmp_point = true; @@ -3423,51 +3408,28 @@ static bool is_jmp_point(struct bpf_verifier_env *env, int insn_idx) } /* for any branch, call, exit record the history of jmps in the given state */ -static int push_jmp_history(struct bpf_verifier_env *env, struct bpf_verifier_state *cur, - int insn_flags) +static int push_jmp_history(struct bpf_verifier_env *env, + struct bpf_verifier_state *cur) { u32 cnt = cur->jmp_history_cnt; - struct bpf_jmp_history_entry *p; + struct bpf_idx_pair *p; size_t alloc_size; - /* combine instruction flags if we already recorded this instruction */ - if (env->cur_hist_ent) { - /* atomic instructions push insn_flags twice, for READ and - * WRITE sides, but they should agree on stack slot - */ - WARN_ONCE((env->cur_hist_ent->flags & insn_flags) && - (env->cur_hist_ent->flags & insn_flags) != insn_flags, - "verifier insn history bug: insn_idx %d cur flags %x new flags %x\n", - env->insn_idx, env->cur_hist_ent->flags, insn_flags); - env->cur_hist_ent->flags |= insn_flags; + if (!is_jmp_point(env, env->insn_idx)) return 0; - } cnt++; alloc_size = kmalloc_size_roundup(size_mul(cnt, sizeof(*p))); p = krealloc(cur->jmp_history, alloc_size, GFP_USER); if (!p) return -ENOMEM; + p[cnt - 1].idx = env->insn_idx; + p[cnt - 1].prev_idx = env->prev_insn_idx; cur->jmp_history = p; - - p = &cur->jmp_history[cnt - 1]; - p->idx = env->insn_idx; - p->prev_idx = env->prev_insn_idx; - p->flags = insn_flags; cur->jmp_history_cnt = cnt; - env->cur_hist_ent = p; - return 0; } -static struct bpf_jmp_history_entry *get_jmp_hist_entry(struct bpf_verifier_state *st, - u32 hist_end, int insn_idx) -{ - if (hist_end > 0 && st->jmp_history[hist_end - 1].idx == insn_idx) - return &st->jmp_history[hist_end - 1]; - return NULL; -} - /* Backtrack one insn at a time. If idx is not at the top of recorded * history then previous instruction came from straight line execution. * Return -ENOENT if we exhausted all instructions within given state. @@ -3629,14 +3591,9 @@ static inline bool bt_is_reg_set(struct backtrack_state *bt, u32 reg) return bt->reg_masks[bt->frame] & (1 << reg); } -static inline bool bt_is_frame_slot_set(struct backtrack_state *bt, u32 frame, u32 slot) -{ - return bt->stack_masks[frame] & (1ull << slot); -} - static inline bool bt_is_slot_set(struct backtrack_state *bt, u32 slot) { - return bt_is_frame_slot_set(bt, bt->frame, slot); + return bt->stack_masks[bt->frame] & (1ull << slot); } /* format registers bitmask, e.g., "r0,r2,r4" for 0x15 mask */ @@ -3690,7 +3647,7 @@ static bool calls_callback(struct bpf_verifier_env *env, int insn_idx); * - *was* processed previously during backtracking. */ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx, - struct bpf_jmp_history_entry *hist, struct backtrack_state *bt) + struct backtrack_state *bt) { const struct bpf_insn_cbs cbs = { .cb_call = disasm_kfunc_name, @@ -3703,7 +3660,7 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx, u8 mode = BPF_MODE(insn->code); u32 dreg = insn->dst_reg; u32 sreg = insn->src_reg; - u32 spi, i, fr; + u32 spi, i; if (insn->code == 0) return 0; @@ -3766,15 +3723,20 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx, * by 'precise' mark in corresponding register of this state. * No further tracking necessary. */ - if (!hist || !(hist->flags & INSN_F_STACK_ACCESS)) + if (insn->src_reg != BPF_REG_FP) return 0; + /* dreg = *(u64 *)[fp - off] was a fill from the stack. * that [fp - off] slot contains scalar that needs to be * tracked with precision */ - spi = insn_stack_access_spi(hist->flags); - fr = insn_stack_access_frameno(hist->flags); - bt_set_frame_slot(bt, fr, spi); + spi = (-insn->off - 1) / BPF_REG_SIZE; + if (spi >= 64) { + verbose(env, "BUG spi %d\n", spi); + WARN_ONCE(1, "verifier backtracking bug"); + return -EFAULT; + } + bt_set_slot(bt, spi); } else if (class == BPF_STX || class == BPF_ST) { if (bt_is_reg_set(bt, dreg)) /* stx & st shouldn't be using _scalar_ dst_reg @@ -3783,13 +3745,17 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx, */ return -ENOTSUPP; /* scalars can only be spilled into stack */ - if (!hist || !(hist->flags & INSN_F_STACK_ACCESS)) + if (insn->dst_reg != BPF_REG_FP) return 0; - spi = insn_stack_access_spi(hist->flags); - fr = insn_stack_access_frameno(hist->flags); - if (!bt_is_frame_slot_set(bt, fr, spi)) + spi = (-insn->off - 1) / BPF_REG_SIZE; + if (spi >= 64) { + verbose(env, "BUG spi %d\n", spi); + WARN_ONCE(1, "verifier backtracking bug"); + return -EFAULT; + } + if (!bt_is_slot_set(bt, spi)) return 0; - bt_clear_frame_slot(bt, fr, spi); + bt_clear_slot(bt, spi); if (class == BPF_STX) bt_set_reg(bt, sreg); } else if (class == BPF_JMP || class == BPF_JMP32) { @@ -3833,14 +3799,10 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx, WARN_ONCE(1, "verifier backtracking bug"); return -EFAULT; } - /* we are now tracking register spills correctly, - * so any instance of leftover slots is a bug - */ - if (bt_stack_mask(bt) != 0) { - verbose(env, "BUG stack slots %llx\n", bt_stack_mask(bt)); - WARN_ONCE(1, "verifier backtracking bug (subprog leftover stack slots)"); - return -EFAULT; - } + /* we don't track register spills perfectly, + * so fallback to force-precise instead of failing */ + if (bt_stack_mask(bt) != 0) + return -ENOTSUPP; /* propagate r1-r5 to the caller */ for (i = BPF_REG_1; i <= BPF_REG_5; i++) { if (bt_is_reg_set(bt, i)) { @@ -3865,11 +3827,8 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx, WARN_ONCE(1, "verifier backtracking bug"); return -EFAULT; } - if (bt_stack_mask(bt) != 0) { - verbose(env, "BUG stack slots %llx\n", bt_stack_mask(bt)); - WARN_ONCE(1, "verifier backtracking bug (callback leftover stack slots)"); - return -EFAULT; - } + if (bt_stack_mask(bt) != 0) + return -ENOTSUPP; /* clear r1-r5 in callback subprog's mask */ for (i = BPF_REG_1; i <= BPF_REG_5; i++) bt_clear_reg(bt, i); @@ -4306,7 +4265,6 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int regno) for (;;) { DECLARE_BITMAP(mask, 64); u32 history = st->jmp_history_cnt; - struct bpf_jmp_history_entry *hist; if (env->log.level & BPF_LOG_LEVEL2) { verbose(env, "mark_precise: frame%d: last_idx %d first_idx %d subseq_idx %d \n", @@ -4370,8 +4328,7 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int regno) err = 0; skip_first = false; } else { - hist = get_jmp_hist_entry(st, history, i); - err = backtrack_insn(env, i, subseq_idx, hist, bt); + err = backtrack_insn(env, i, subseq_idx, bt); } if (err == -ENOTSUPP) { mark_all_scalars_precise(env, env->cur_state); @@ -4424,10 +4381,22 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int regno) bitmap_from_u64(mask, bt_frame_stack_mask(bt, fr)); for_each_set_bit(i, mask, 64) { if (i >= func->allocated_stack / BPF_REG_SIZE) { - verbose(env, "BUG backtracking (stack slot %d, total slots %d)\n", - i, func->allocated_stack / BPF_REG_SIZE); - WARN_ONCE(1, "verifier backtracking bug (stack slot out of bounds)"); - return -EFAULT; + /* the sequence of instructions: + * 2: (bf) r3 = r10 + * 3: (7b) *(u64 *)(r3 -8) = r0 + * 4: (79) r4 = *(u64 *)(r10 -8) + * doesn't contain jmps. It's backtracked + * as a single block. + * During backtracking insn 3 is not recognized as + * stack access, so at the end of backtracking + * stack slot fp-8 is still marked in stack_mask. + * However the parent state may not have accessed + * fp-8 and it's "unallocated" stack space. + * In such case fallback to conservative. + */ + mark_all_scalars_precise(env, env->cur_state); + bt_reset(bt); + return 0; } if (!is_spilled_scalar_reg(&func->stack[i])) { @@ -4592,7 +4561,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, int i, slot = -off - 1, spi = slot / BPF_REG_SIZE, err; struct bpf_insn *insn = &env->prog->insnsi[insn_idx]; struct bpf_reg_state *reg = NULL; - int insn_flags = insn_stack_access_flags(state->frameno, spi); + u32 dst_reg = insn->dst_reg; /* caller checked that off % size == 0 and -MAX_BPF_STACK <= off < 0, * so it's aligned access and [off, off + size) are within stack limits @@ -4631,6 +4600,17 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, mark_stack_slot_scratched(env, spi); if (reg && !(off % BPF_REG_SIZE) && register_is_bounded(reg) && !register_is_null(reg) && env->bpf_capable) { + if (dst_reg != BPF_REG_FP) { + /* The backtracking logic can only recognize explicit + * stack slot address like [fp - 8]. Other spill of + * scalar via different register has to be conservative. + * Backtrack from here and mark all registers as precise + * that contributed into 'reg' being a constant. + */ + err = mark_chain_precision(env, value_regno); + if (err) + return err; + } save_register_state(state, spi, reg, size); /* Break the relation on a narrowing spill. */ if (fls64(reg->umax_value) > BITS_PER_BYTE * size) @@ -4642,7 +4622,6 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, __mark_reg_known(&fake_reg, insn->imm); fake_reg.type = SCALAR_VALUE; save_register_state(state, spi, &fake_reg, size); - insn_flags = 0; /* not a register spill */ } else if (reg && is_spillable_regtype(reg->type)) { /* register containing pointer is being spilled into stack */ if (size != BPF_REG_SIZE) { @@ -4688,12 +4667,9 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, /* Mark slots affected by this stack write. */ for (i = 0; i < size; i++) - state->stack[spi].slot_type[(slot - i) % BPF_REG_SIZE] = type; - insn_flags = 0; /* not a register spill */ + state->stack[spi].slot_type[(slot - i) % BPF_REG_SIZE] = + type; } - - if (insn_flags) - return push_jmp_history(env, env->cur_state, insn_flags); return 0; } @@ -4882,7 +4858,6 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env, int i, slot = -off - 1, spi = slot / BPF_REG_SIZE; struct bpf_reg_state *reg; u8 *stype, type; - int insn_flags = insn_stack_access_flags(reg_state->frameno, spi); stype = reg_state->stack[spi].slot_type; reg = &reg_state->stack[spi].spilled_ptr; @@ -4928,10 +4903,12 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env, return -EACCES; } mark_reg_unknown(env, state->regs, dst_regno); - insn_flags = 0; /* not restoring original register state */ } state->regs[dst_regno].live |= REG_LIVE_WRITTEN; - } else if (dst_regno >= 0) { + return 0; + } + + if (dst_regno >= 0) { /* restore register state from stack */ copy_register_state(&state->regs[dst_regno], reg); /* mark reg as written since spilled pointer state likely @@ -4967,10 +4944,7 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env, mark_reg_read(env, reg, reg->parent, REG_LIVE_READ64); if (dst_regno >= 0) mark_reg_stack_read(env, reg_state, off, off + size, dst_regno); - insn_flags = 0; /* we are not restoring spilled register */ } - if (insn_flags) - return push_jmp_history(env, env->cur_state, insn_flags); return 0; } @@ -7054,6 +7028,7 @@ static int check_atomic(struct bpf_verifier_env *env, int insn_idx, struct bpf_i BPF_SIZE(insn->code), BPF_WRITE, -1, true, false); if (err) return err; + return 0; } @@ -16802,8 +16777,7 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx) * the precision needs to be propagated back in * the current state. */ - if (is_jmp_point(env, env->insn_idx)) - err = err ? : push_jmp_history(env, cur, 0); + err = err ? : push_jmp_history(env, cur); err = err ? : propagate_precision(env, &sl->state); if (err) return err; @@ -17027,9 +17001,6 @@ static int do_check(struct bpf_verifier_env *env) u8 class; int err; - /* reset current history entry on each new instruction */ - env->cur_hist_ent = NULL; - env->prev_insn_idx = prev_insn_idx; if (env->insn_idx >= insn_cnt) { verbose(env, "invalid insn idx %d insn_cnt %d\n", @@ -17069,7 +17040,7 @@ static int do_check(struct bpf_verifier_env *env) } if (is_jmp_point(env, env->insn_idx)) { - err = push_jmp_history(env, state, 0); + err = push_jmp_history(env, state); if (err) return err; } diff --git a/tools/testing/selftests/bpf/progs/verifier_subprog_precision.c b/tools/testing/selftests/bpf/progs/verifier_subprog_precision.c index f87365f7599b..f61d623b1ce8 100644 --- a/tools/testing/selftests/bpf/progs/verifier_subprog_precision.c +++ b/tools/testing/selftests/bpf/progs/verifier_subprog_precision.c @@ -541,24 +541,11 @@ static __u64 subprog_spill_reg_precise(void) SEC("?raw_tp") __success __log_level(2) -__msg("10: (0f) r1 += r7") -__msg("mark_precise: frame0: last_idx 10 first_idx 7 subseq_idx -1") -__msg("mark_precise: frame0: regs=r7 stack= before 9: (bf) r1 = r8") -__msg("mark_precise: frame0: regs=r7 stack= before 8: (27) r7 *= 4") -__msg("mark_precise: frame0: regs=r7 stack= before 7: (79) r7 = *(u64 *)(r10 -8)") -__msg("mark_precise: frame0: parent state regs= stack=-8: R0_w=2 R6_w=1 R8_rw=map_value(map=.data.vals,ks=4,vs=16) R10=fp0 fp-8_rw=P1") -__msg("mark_precise: frame0: last_idx 18 first_idx 0 subseq_idx 7") -__msg("mark_precise: frame0: regs= stack=-8 before 18: (95) exit") -__msg("mark_precise: frame1: regs= stack= before 17: (0f) r0 += r2") -__msg("mark_precise: frame1: regs= stack= before 16: (79) r2 = *(u64 *)(r1 +0)") -__msg("mark_precise: frame1: regs= stack= before 15: (79) r0 = *(u64 *)(r10 -16)") -__msg("mark_precise: frame1: regs= stack= before 14: (7b) *(u64 *)(r10 -16) = r2") -__msg("mark_precise: frame1: regs= stack= before 13: (7b) *(u64 *)(r1 +0) = r2") -__msg("mark_precise: frame1: regs=r2 stack= before 6: (85) call pc+6") -__msg("mark_precise: frame0: regs=r2 stack= before 5: (bf) r2 = r6") -__msg("mark_precise: frame0: regs=r6 stack= before 4: (07) r1 += -8") -__msg("mark_precise: frame0: regs=r6 stack= before 3: (bf) r1 = r10") -__msg("mark_precise: frame0: regs=r6 stack= before 2: (b7) r6 = 1") +/* precision backtracking can't currently handle stack access not through r10, + * so we won't be able to mark stack slot fp-8 as precise, and so will + * fallback to forcing all as precise + */ +__msg("mark_precise: frame0: falling back to forcing all scalars precise") __naked int subprog_spill_into_parent_stack_slot_precise(void) { asm volatile ( diff --git a/tools/testing/selftests/bpf/verifier/precise.c b/tools/testing/selftests/bpf/verifier/precise.c index 8a2ff81d8350..0d84dd1f38b6 100644 --- a/tools/testing/selftests/bpf/verifier/precise.c +++ b/tools/testing/selftests/bpf/verifier/precise.c @@ -140,11 +140,10 @@ .result = REJECT, }, { - "precise: ST zero to stack insn is supported", + "precise: ST insn causing spi > allocated_stack", .insns = { BPF_MOV64_REG(BPF_REG_3, BPF_REG_10), BPF_JMP_IMM(BPF_JNE, BPF_REG_3, 123, 0), - /* not a register spill, so we stop precision propagation for R4 here */ BPF_ST_MEM(BPF_DW, BPF_REG_3, -8, 0), BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8), BPF_MOV64_IMM(BPF_REG_0, -1), @@ -158,11 +157,11 @@ mark_precise: frame0: last_idx 4 first_idx 2\ mark_precise: frame0: regs=r4 stack= before 4\ mark_precise: frame0: regs=r4 stack= before 3\ + mark_precise: frame0: regs= stack=-8 before 2\ + mark_precise: frame0: falling back to forcing all scalars precise\ + force_precise: frame0: forcing r0 to be precise\ mark_precise: frame0: last_idx 5 first_idx 5\ - mark_precise: frame0: parent state regs=r0 stack=:\ - mark_precise: frame0: last_idx 4 first_idx 2\ - mark_precise: frame0: regs=r0 stack= before 4\ - 5: R0=-1 R4=0", + mark_precise: frame0: parent state regs= stack=:", .result = VERBOSE_ACCEPT, .retval = -1, }, @@ -170,8 +169,6 @@ "precise: STX insn causing spi > allocated_stack", .insns = { BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32), - /* make later reg spill more interesting by having somewhat known scalar */ - BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff), BPF_MOV64_REG(BPF_REG_3, BPF_REG_10), BPF_JMP_IMM(BPF_JNE, BPF_REG_3, 123, 0), BPF_STX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, -8), @@ -182,21 +179,18 @@ }, .prog_type = BPF_PROG_TYPE_XDP, .flags = BPF_F_TEST_STATE_FREQ, - .errstr = "mark_precise: frame0: last_idx 7 first_idx 7\ + .errstr = "mark_precise: frame0: last_idx 6 first_idx 6\ mark_precise: frame0: parent state regs=r4 stack=:\ - mark_precise: frame0: last_idx 6 first_idx 4\ - mark_precise: frame0: regs=r4 stack= before 6: (b7) r0 = -1\ - mark_precise: frame0: regs=r4 stack= before 5: (79) r4 = *(u64 *)(r10 -8)\ - mark_precise: frame0: regs= stack=-8 before 4: (7b) *(u64 *)(r3 -8) = r0\ - mark_precise: frame0: parent state regs=r0 stack=:\ - mark_precise: frame0: last_idx 3 first_idx 3\ - mark_precise: frame0: regs=r0 stack= before 3: (55) if r3 != 0x7b goto pc+0\ - mark_precise: frame0: regs=r0 stack= before 2: (bf) r3 = r10\ - mark_precise: frame0: regs=r0 stack= before 1: (57) r0 &= 255\ - mark_precise: frame0: parent state regs=r0 stack=:\ - mark_precise: frame0: last_idx 0 first_idx 0\ - mark_precise: frame0: regs=r0 stack= before 0: (85) call bpf_get_prandom_u32#7\ - mark_precise: frame0: last_idx 7 first_idx 7\ + mark_precise: frame0: last_idx 5 first_idx 3\ + mark_precise: frame0: regs=r4 stack= before 5\ + mark_precise: frame0: regs=r4 stack= before 4\ + mark_precise: frame0: regs= stack=-8 before 3\ + mark_precise: frame0: falling back to forcing all scalars precise\ + force_precise: frame0: forcing r0 to be precise\ + force_precise: frame0: forcing r0 to be precise\ + force_precise: frame0: forcing r0 to be precise\ + force_precise: frame0: forcing r0 to be precise\ + mark_precise: frame0: last_idx 6 first_idx 6\ mark_precise: frame0: parent state regs= stack=:", .result = VERBOSE_ACCEPT, .retval = -1, -- 2.47.1

5 months, 2 weeks

2
1
0 0

[PATCH 5.15.y] scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity

by Kuan-Wei Chiu

The orc_sort_cmp() function, used with qsort(), previously violated the symmetry and transitivity rules required by the C standard. Specifically, when both entries are ORC_REG_UNDEFINED, it could result in both a < b and b < a, which breaks the required symmetry and transitivity. This can lead to undefined behavior and incorrect sorting results, potentially causing memory corruption in glibc implementations [1]. Symmetry: If x < y, then y > x. Transitivity: If x < y and y < z, then x < z. Fix the comparison logic to return 0 when both entries are ORC_REG_UNDEFINED, ensuring compliance with qsort() requirements. Link: https://www.qualys.com/2024/01/30/qsort.txt [1] Link: https://lkml.kernel.org/r/20241226140332.2670689-1-visitorckw@gmail.com Fixes: 57fa18994285 ("scripts/sorttable: Implement build-time ORC unwind table sorting") Fixes: fb799447ae29 ("x86,objtool: Split UNWIND_HINT_EMPTY in two") Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com> Cc: Ching-Chun (Jim) Huang <jserv(a)ccns.ncku.edu.tw> Cc: <chuang(a)cs.nycu.edu.tw> Cc: Ingo Molnar <mingo(a)kernel.org> Cc: Josh Poimboeuf <jpoimboe(a)kernel.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Shile Zhang <shile.zhang(a)linux.alibaba.com> Cc: Steven Rostedt <rostedt(a)goodmis.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> (cherry picked from commit 0210d251162f4033350a94a43f95b1c39ec84a90) Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com> --- scripts/sorttable.h | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/scripts/sorttable.h b/scripts/sorttable.h index a2baa2fefb13..9013b6984d68 100644 --- a/scripts/sorttable.h +++ b/scripts/sorttable.h @@ -103,7 +103,7 @@ static inline unsigned long orc_ip(const int *ip) static int orc_sort_cmp(const void *_a, const void *_b) { - struct orc_entry *orc_a; + struct orc_entry *orc_a, *orc_b; const int *a = g_orc_ip_table + *(int *)_a; const int *b = g_orc_ip_table + *(int *)_b; unsigned long a_val = orc_ip(a); @@ -121,6 +121,10 @@ static int orc_sort_cmp(const void *_a, const void *_b) * whitelisted .o files which didn't get objtool generation. */ orc_a = g_orc_table + (a - g_orc_ip_table); + orc_b = g_orc_table + (b - g_orc_ip_table); + if (orc_a->sp_reg == ORC_REG_UNDEFINED && !orc_a->end && + orc_b->sp_reg == ORC_REG_UNDEFINED && !orc_b->end) + return 0; return orc_a->sp_reg == ORC_REG_UNDEFINED && !orc_a->end ? -1 : 1; } -- 2.34.1

5 months, 2 weeks

2
1
0 0

[PATCH] misc: microchip: pci1xxxx: Fix possible double free in error handling path

by Ma Ke

When auxiliary_device_add() returns error and then calls auxiliary_device_uninit(), the callback function gp_auxiliary_device_release() calls kfree() to free memory. Do not call kfree() again in the error handling path. Fix this by skipping the redundant kfree(). Found by code review. Cc: stable(a)vger.kernel.org Fixes: 393fc2f5948f ("misc: microchip: pci1xxxx: load auxiliary bus driver for the PIO function in the multi-function endpoint of pci1xxxx device.") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c b/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c index 32af2b14ff34..fbd712938bdc 100644 --- a/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c +++ b/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c @@ -111,6 +111,7 @@ static int gp_aux_bus_probe(struct pci_dev *pdev, const struct pci_device_id *id err_aux_dev_add_1: auxiliary_device_uninit(&aux_bus->aux_device_wrapper[1]->aux_dev); + goto err_aux_dev_add_0; err_aux_dev_init_1: ida_free(&gp_client_ida, aux_bus->aux_device_wrapper[1]->aux_dev.id); @@ -120,6 +121,7 @@ static int gp_aux_bus_probe(struct pci_dev *pdev, const struct pci_device_id *id err_aux_dev_add_0: auxiliary_device_uninit(&aux_bus->aux_device_wrapper[0]->aux_dev); + goto err_ret; err_aux_dev_init_0: ida_free(&gp_client_ida, aux_bus->aux_device_wrapper[0]->aux_dev.id); -- 2.25.1

5 months, 2 weeks

2
3
0 0

[PATCH v3] [ARM] fix reference leak in locomo_init_one_child()

by Ma Ke

Once device_register() failed, we should call put_device() to decrement reference count for cleanup. Or it could cause memory leak. device_register() includes device_add(). As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v3: - modified the patch as suggestions; Changes in v2: - modified the patch as suggestions. --- arch/arm/common/locomo.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/arch/arm/common/locomo.c b/arch/arm/common/locomo.c index cb6ef449b987..9e275b2105c2 100644 --- a/arch/arm/common/locomo.c +++ b/arch/arm/common/locomo.c @@ -220,13 +220,11 @@ static int locomo_init_one_child(struct locomo *lchip, struct locomo_dev_info *info) { struct locomo_dev *dev; - int ret; + int ret = 0; dev = kzalloc(sizeof(struct locomo_dev), GFP_KERNEL); - if (!dev) { - ret = -ENOMEM; - goto out; - } + if (!dev) + return -ENOMEM; /* * If the parent device has a DMA mask associated with it, @@ -254,10 +252,9 @@ locomo_init_one_child(struct locomo *lchip, struct locomo_dev_info *info) NO_IRQ : lchip->irq_base + info->irq[0]; ret = device_register(&dev->dev); - if (ret) { - out: - kfree(dev); - } + if (ret) + put_device(&dev->dev); + return ret; } -- 2.25.1

5 months, 2 weeks

2
1
0 0

[PATCH v3 00/23] arm64: dts: qcom: Fix remoteproc memory base and length

by Krzysztof Kozlowski

Changes in v3: - Add Rb tags - Add four new patches (at the end) for sdx75 and sm6115 - Link to v2: https://lore.kernel.org/r/20241209-dts-qcom-cdsp-mpss-base-address-v2-0-d85… Changes in v2: - arm64: dts: qcom: x1e80100: Fix ADSP...: Commit msg corrections, second paragraph (Johan) - Add tags - Link to v1: https://lore.kernel.org/r/20241206-dts-qcom-cdsp-mpss-base-address-v1-0-2f3… Konrad pointed out during SM8750 review, that numbers are odd, so I looked at datasheets and downstream DTS for all previous platforms. Most numbers are odd. Older platforms like SM8150, SM8250, SC7280, SC8180X seem fine. I could not check few like SDX75 or SM6115, due to lack of access to datasheets. SM8350, SM8450, SM8550 tested on hardware. Others not, but I don't expect any failures because PAS drivers do not use the address space. Which also explains why odd numbers did not result in any failures. Best regards, Krzysztof --- Krzysztof Kozlowski (23): arm64: dts: qcom: sm8350: Fix ADSP memory base and length arm64: dts: qcom: sm8350: Fix CDSP memory base and length arm64: dts: qcom: sm8350: Fix MPSS memory length arm64: dts: qcom: sm8450: Fix ADSP memory base and length arm64: dts: qcom: sm8450: Fix CDSP memory length arm64: dts: qcom: sm8450: Fix MPSS memory length arm64: dts: qcom: sm8550: Fix ADSP memory base and length arm64: dts: qcom: sm8550: Fix CDSP memory length arm64: dts: qcom: sm8550: Fix MPSS memory length arm64: dts: qcom: sm8650: Fix ADSP memory base and length arm64: dts: qcom: sm8650: Fix CDSP memory length arm64: dts: qcom: sm8650: Fix MPSS memory length arm64: dts: qcom: x1e80100: Fix ADSP memory base and length arm64: dts: qcom: x1e80100: Fix CDSP memory length arm64: dts: qcom: sm6350: Fix ADSP memory length arm64: dts: qcom: sm6350: Fix MPSS memory length [RFT] arm64: dts: qcom: sm6375: Fix ADSP memory length [RFT] arm64: dts: qcom: sm6375: Fix CDSP memory base and length [RFT] arm64: dts: qcom: sm6375: Fix MPSS memory base and length arm64: dts: qcom: sdx75: Fix MPSS memory length arm64: dts: qcom: sm6115: Fix MPSS memory length arm64: dts: qcom: sm6115: Fix CDSP memory length arm64: dts: qcom: sm6115: Fix ADSP memory base and length arch/arm64/boot/dts/qcom/sdx75.dtsi | 2 +- arch/arm64/boot/dts/qcom/sm6115.dtsi | 8 +- arch/arm64/boot/dts/qcom/sm6350.dtsi | 4 +- arch/arm64/boot/dts/qcom/sm6375.dtsi | 10 +- arch/arm64/boot/dts/qcom/sm8350.dtsi | 492 ++++++++++++++++----------------- arch/arm64/boot/dts/qcom/sm8450.dtsi | 216 +++++++-------- arch/arm64/boot/dts/qcom/sm8550.dtsi | 266 +++++++++--------- arch/arm64/boot/dts/qcom/sm8650.dtsi | 300 ++++++++++---------- arch/arm64/boot/dts/qcom/x1e80100.dtsi | 276 +++++++++--------- 9 files changed, 787 insertions(+), 787 deletions(-) --- base-commit: c245a7a79602ccbee780c004c1e4abcda66aec32 change-id: 20241206-dts-qcom-cdsp-mpss-base-address-ae7c406ac9ac Best regards, -- Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org>

5 months, 2 weeks

5
40
0 0

[PATCH v2 0/6] firmware: qcom: scm: Fixes for concurrency

by Krzysztof Kozlowski

Changes in v2: - Patch #2: Extend commit msg - Patch #4: Store NULL - Add Rb tags - Link to v1: https://lore.kernel.org/r/20241119-qcom-scm-missing-barriers-and-all-sort-o… Description =========== SCM driver looks messy in terms of handling concurrency of probe. The driver exports interface which is guarded by global '__scm' variable but: 1. Lacks proper read barrier (commit adding write barriers mixed up READ_ONCE with a read barrier). 2. Lacks barriers or checks for '__scm' in multiple places. 3. Lacks probe error cleanup. All the issues here are non-urgent, IOW, they were here for some time (v6.10-rc1 and earlier). Best regards, Krzysztof --- Krzysztof Kozlowski (6): firmware: qcom: scm: Fix missing read barrier in qcom_scm_is_available() firmware: qcom: scm: Fix missing read barrier in qcom_scm_get_tzmem_pool() firmware: qcom: scm: Handle various probe ordering for qcom_scm_assign_mem() firmware: qcom: scm: Cleanup global '__scm' on probe failures firmware: qcom: scm: smc: Handle missing SCM device firmware: qcom: scm: smc: Narrow 'mempool' variable scope drivers/firmware/qcom/qcom_scm-smc.c | 6 +++- drivers/firmware/qcom/qcom_scm.c | 55 +++++++++++++++++++++++++----------- 2 files changed, 44 insertions(+), 17 deletions(-) --- base-commit: d1486dca38afd08ca279ae94eb3a397f10737824 change-id: 20241119-qcom-scm-missing-barriers-and-all-sort-of-srap-a25d59074882 Best regards, -- Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org>

5 months, 2 weeks

2
3
0 0

[PATCH v1 1/4] KVM: s390: vsie: fix some corner-cases when grabbing vsie pages

by David Hildenbrand

We try to reuse the same vsie page when re-executing the vsie with a given SCB address. The result is that we use the same shadow SCB -- residing in the vsie page -- and can avoid flushing the TLB when re-running the vsie on a CPU. So, when we allocate a fresh vsie page, or when we reuse a vsie page for a different SCB address -- reusing the shadow SCB in different context -- we set ihcpu=0xffff to trigger the flush. However, after we looked up the SCB address in the radix tree, but before we grabbed the vsie page by raising the refcount to 2, someone could reuse the vsie page for a different SCB address, adjusting page->index and the radix tree. In that case, we would be reusing the vsie page with a wrong page->index. Another corner case is that we might set the SCB address for a vsie page, but fail the insertion into the radix tree. Whoever would reuse that page would remove the corresponding radix tree entry -- which might now be a valid entry pointing at another page, resulting in the wrong vsie page getting removed from the radix tree. Let's handle such races better, by validating that the SCB address of a vsie page didn't change after we grabbed it (not reuse for a different SCB; the alternative would be performing another tree lookup), and by setting the SCB address to invalid until the insertion in the tree succeeded (SCB addresses are aligned to 512, so ULONG_MAX is invalid). These scenarios are rare, the effects a bit unclear, and these issues were only found by code inspection. Let's CC stable to be safe. Fixes: a3508fbe9dc6 ("KVM: s390: vsie: initial support for nested virtualization") Cc: stable(a)vger.kernel.org Signed-off-by: David Hildenbrand <david(a)redhat.com> --- arch/s390/kvm/vsie.c | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/arch/s390/kvm/vsie.c b/arch/s390/kvm/vsie.c index 150b9387860ad..0fb527b33734c 100644 --- a/arch/s390/kvm/vsie.c +++ b/arch/s390/kvm/vsie.c @@ -1362,8 +1362,14 @@ static struct vsie_page *get_vsie_page(struct kvm *kvm, unsigned long addr) page = radix_tree_lookup(&kvm->arch.vsie.addr_to_page, addr >> 9); rcu_read_unlock(); if (page) { - if (page_ref_inc_return(page) == 2) - return page_to_virt(page); + if (page_ref_inc_return(page) == 2) { + if (page->index == addr) + return page_to_virt(page); + /* + * We raced with someone reusing + putting this vsie + * page before we grabbed it. + */ + } page_ref_dec(page); } @@ -1393,15 +1399,20 @@ static struct vsie_page *get_vsie_page(struct kvm *kvm, unsigned long addr) kvm->arch.vsie.next++; kvm->arch.vsie.next %= nr_vcpus; } - radix_tree_delete(&kvm->arch.vsie.addr_to_page, page->index >> 9); + if (page->index != ULONG_MAX) + radix_tree_delete(&kvm->arch.vsie.addr_to_page, + page->index >> 9); } - page->index = addr; - /* double use of the same address */ + /* Mark it as invalid until it resides in the tree. */ + page->index = ULONG_MAX; + + /* Double use of the same address or allocation failure. */ if (radix_tree_insert(&kvm->arch.vsie.addr_to_page, addr >> 9, page)) { page_ref_dec(page); mutex_unlock(&kvm->arch.vsie.mutex); return NULL; } + page->index = addr; mutex_unlock(&kvm->arch.vsie.mutex); vsie_page = page_to_virt(page); @@ -1496,7 +1507,9 @@ void kvm_s390_vsie_destroy(struct kvm *kvm) vsie_page = page_to_virt(page); release_gmap_shadow(vsie_page); /* free the radix tree entry */ - radix_tree_delete(&kvm->arch.vsie.addr_to_page, page->index >> 9); + if (page->index != ULONG_MAX) + radix_tree_delete(&kvm->arch.vsie.addr_to_page, + page->index >> 9); __free_page(page); } kvm->arch.vsie.page_count = 0; -- 2.47.1

5 months, 2 weeks

1
0
0 0

[PATCH 08/24] drm/amd/display: Reduce accessing remote DPCD overhead

by Tom Chung

From: Wayne Lin <Wayne.Lin(a)amd.com> [Why] Observed frame rate get dropped by tool like glxgear. Even though the output to monitor is 60Hz, the rendered frame rate drops to 30Hz lower. It's due to code path in some cases will trigger dm_dp_mst_is_port_support_mode() to read out remote Link status to assess the available bandwidth for dsc maniplation. Overhead of keep reading remote DPCD is considerable. [How] Store the remote link BW in mst_local_bw and use end-to-end full_pbn as an indicator to decide whether update the remote link bw or not. Whenever we need the info to assess the BW, visit the stored one first. Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3720 Fixes: fa57924c76d9 ("drm/amd/display: Refactor function dm_dp_mst_is_port_support_mode()") Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Reviewed-by: Jerry Zuo <jerry.zuo(a)amd.com> Signed-off-by: Wayne Lin <Wayne.Lin(a)amd.com> Signed-off-by: Tom Chung <chiahsuan.chung(a)amd.com> --- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 2 ++ .../display/amdgpu_dm/amdgpu_dm_mst_types.c | 34 ++++++++++++++----- 2 files changed, 27 insertions(+), 9 deletions(-) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h index e46e1365fe91..e7963158a147 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h @@ -697,6 +697,8 @@ struct amdgpu_dm_connector { struct drm_dp_mst_port *mst_output_port; struct amdgpu_dm_connector *mst_root; struct drm_dp_aux *dsc_aux; + uint32_t mst_local_bw; + uint16_t vc_full_pbn; struct mutex handle_mst_msg_ready; /* TODO see if we can merge with ddc_bus or make a dm_connector */ diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c index a504aa1243e9..e096fb562122 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c @@ -155,6 +155,17 @@ amdgpu_dm_mst_connector_late_register(struct drm_connector *connector) return 0; } + +static inline void +amdgpu_dm_mst_reset_mst_connector_setting(struct amdgpu_dm_connector *aconnector) +{ + aconnector->drm_edid = NULL; + aconnector->dsc_aux = NULL; + aconnector->mst_output_port->passthrough_aux = NULL; + aconnector->mst_local_bw = 0; + aconnector->vc_full_pbn = 0; +} + static void amdgpu_dm_mst_connector_early_unregister(struct drm_connector *connector) { @@ -182,9 +193,7 @@ amdgpu_dm_mst_connector_early_unregister(struct drm_connector *connector) dc_sink_release(dc_sink); aconnector->dc_sink = NULL; - aconnector->drm_edid = NULL; - aconnector->dsc_aux = NULL; - port->passthrough_aux = NULL; + amdgpu_dm_mst_reset_mst_connector_setting(aconnector); } aconnector->mst_status = MST_STATUS_DEFAULT; @@ -504,9 +513,7 @@ dm_dp_mst_detect(struct drm_connector *connector, dc_sink_release(aconnector->dc_sink); aconnector->dc_sink = NULL; - aconnector->drm_edid = NULL; - aconnector->dsc_aux = NULL; - port->passthrough_aux = NULL; + amdgpu_dm_mst_reset_mst_connector_setting(aconnector); amdgpu_dm_set_mst_status(&aconnector->mst_status, MST_REMOTE_EDID | MST_ALLOCATE_NEW_PAYLOAD | MST_CLEAR_ALLOCATED_PAYLOAD, @@ -1819,9 +1826,18 @@ enum dc_status dm_dp_mst_is_port_support_mode( struct drm_dp_mst_port *immediate_upstream_port = NULL; uint32_t end_link_bw = 0; - /*Get last DP link BW capability*/ - if (dp_get_link_current_set_bw(&aconnector->mst_output_port->aux, &end_link_bw)) { - if (stream_kbps > end_link_bw) { + /*Get last DP link BW capability. Mode shall be supported by Legacy peer*/ + if (aconnector->mst_output_port->pdt != DP_PEER_DEVICE_DP_LEGACY_CONV && + aconnector->mst_output_port->pdt != DP_PEER_DEVICE_NONE) { + if (aconnector->vc_full_pbn != aconnector->mst_output_port->full_pbn) { + dp_get_link_current_set_bw(&aconnector->mst_output_port->aux, &end_link_bw); + aconnector->vc_full_pbn = aconnector->mst_output_port->full_pbn; + aconnector->mst_local_bw = end_link_bw; + } else { + end_link_bw = aconnector->mst_local_bw; + } + + if (end_link_bw > 0 && stream_kbps > end_link_bw) { DRM_DEBUG_DRIVER("MST_DSC dsc decode at last link." "Mode required bw can't fit into last link\n"); return DC_FAIL_BANDWIDTH_VALIDATE; -- 2.34.1

5 months, 2 weeks

1
0
0 0

[PATCH 07/24] drm/amd/display: Validate mdoe under MST LCT=1 case as well

by Tom Chung

From: Wayne Lin <Wayne.Lin(a)amd.com> [Why & How] Currently in dm_dp_mst_is_port_support_mode(), when valdidating mode under dsc decoding at the last DP link config, we only validate the case when there is an UFP. However, if the MSTB LCT=1, there is no UFP. Under this case, use root_link_bw_in_kbps as the available bw to compare. Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3720 Fixes: fa57924c76d9 ("drm/amd/display: Refactor function dm_dp_mst_is_port_support_mode()") Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Reviewed-by: Jerry Zuo <jerry.zuo(a)amd.com> Signed-off-by: Wayne Lin <Wayne.Lin(a)amd.com> Signed-off-by: Tom Chung <chiahsuan.chung(a)amd.com> --- .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c index ca864f71ae66..a504aa1243e9 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c @@ -1835,11 +1835,15 @@ enum dc_status dm_dp_mst_is_port_support_mode( if (immediate_upstream_port) { virtual_channel_bw_in_kbps = kbps_from_pbn(immediate_upstream_port->full_pbn); virtual_channel_bw_in_kbps = min(root_link_bw_in_kbps, virtual_channel_bw_in_kbps); - if (bw_range.min_kbps > virtual_channel_bw_in_kbps) { - DRM_DEBUG_DRIVER("MST_DSC dsc decode at last link." - "Max dsc compression can't fit into MST available bw\n"); - return DC_FAIL_BANDWIDTH_VALIDATE; - } + } else { + /* For topology LCT 1 case - only one mstb*/ + virtual_channel_bw_in_kbps = root_link_bw_in_kbps; + } + + if (bw_range.min_kbps > virtual_channel_bw_in_kbps) { + DRM_DEBUG_DRIVER("MST_DSC dsc decode at last link." + "Max dsc compression can't fit into MST available bw\n"); + return DC_FAIL_BANDWIDTH_VALIDATE; } } -- 2.34.1

5 months, 2 weeks

1
0
0 0

[PATCH 1/3] Revert "staging: remove rts5139 driver code"

by Sean Rhodes

This reverts commit 00d8521dcd236d1b8f664f54a0309e96bfdcb4f9. The staging driver that was removed, `rts5139`, worked well with multiple Realtek card readers and provided more comprehensive functionality than `rtsx_usb`. It supported features like interrupts, SSC, speed modes, suspend, secure erase, TRIM, and more. Additionally, its error recovery mechanisms were superior. Notable issues with the `rtsx_usb` driver include delayed S3 entry until `mmc_rescan` was frozen and data corruption on SDR104 cards. Over 100 bugs related to the `rtsx_usb` driver are reported on Bugzilla, with additional reports downstream. As a result, several forks of `rts5139` exist on GitHub and other repositories, which users rely on to mitigate these problems. Reintroducing `rts5139` addresses these deficiencies until the current `rtsx_usb` driver achieves feature parity and stability. Fixes: 00d8521dcd23 ("staging: remove rts5139 driver code") Cc: stable(a)vger.kernel.org Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sean Rhodes <sean(a)starlabs.systems> --- drivers/staging/Kconfig | 2 + drivers/staging/Makefile | 1 + drivers/staging/rts5139/Kconfig | 16 + drivers/staging/rts5139/Makefile | 43 + drivers/staging/rts5139/TODO | 9 + drivers/staging/rts5139/debug.h | 46 + drivers/staging/rts5139/ms.c | 4182 ++++++++++++++++++++ drivers/staging/rts5139/ms.h | 261 ++ drivers/staging/rts5139/ms_mg.c | 643 +++ drivers/staging/rts5139/ms_mg.h | 42 + drivers/staging/rts5139/rts51x.c | 846 ++++ drivers/staging/rts5139/rts51x.h | 194 + drivers/staging/rts5139/rts51x_card.c | 940 +++++ drivers/staging/rts5139/rts51x_card.h | 870 ++++ drivers/staging/rts5139/rts51x_chip.c | 1014 +++++ drivers/staging/rts5139/rts51x_chip.h | 821 ++++ drivers/staging/rts5139/rts51x_fop.c | 295 ++ drivers/staging/rts5139/rts51x_fop.h | 57 + drivers/staging/rts5139/rts51x_scsi.c | 2135 ++++++++++ drivers/staging/rts5139/rts51x_scsi.h | 154 + drivers/staging/rts5139/rts51x_transport.c | 738 ++++ drivers/staging/rts5139/rts51x_transport.h | 67 + drivers/staging/rts5139/sd.c | 3274 +++++++++++++++ drivers/staging/rts5139/sd.h | 275 ++ drivers/staging/rts5139/sd_cprm.c | 1056 +++++ drivers/staging/rts5139/sd_cprm.h | 54 + drivers/staging/rts5139/trace.h | 95 + drivers/staging/rts5139/xd.c | 2145 ++++++++++ drivers/staging/rts5139/xd.h | 191 + 29 files changed, 20466 insertions(+) create mode 100644 drivers/staging/rts5139/Kconfig create mode 100644 drivers/staging/rts5139/Makefile create mode 100644 drivers/staging/rts5139/TODO create mode 100644 drivers/staging/rts5139/debug.h create mode 100644 drivers/staging/rts5139/ms.c create mode 100644 drivers/staging/rts5139/ms.h create mode 100644 drivers/staging/rts5139/ms_mg.c create mode 100644 drivers/staging/rts5139/ms_mg.h create mode 100644 drivers/staging/rts5139/rts51x.c create mode 100644 drivers/staging/rts5139/rts51x.h create mode 100644 drivers/staging/rts5139/rts51x_card.c create mode 100644 drivers/staging/rts5139/rts51x_card.h create mode 100644 drivers/staging/rts5139/rts51x_chip.c create mode 100644 drivers/staging/rts5139/rts51x_chip.h create mode 100644 drivers/staging/rts5139/rts51x_fop.c create mode 100644 drivers/staging/rts5139/rts51x_fop.h create mode 100644 drivers/staging/rts5139/rts51x_scsi.c create mode 100644 drivers/staging/rts5139/rts51x_scsi.h create mode 100644 drivers/staging/rts5139/rts51x_transport.c create mode 100644 drivers/staging/rts5139/rts51x_transport.h create mode 100644 drivers/staging/rts5139/sd.c create mode 100644 drivers/staging/rts5139/sd.h create mode 100644 drivers/staging/rts5139/sd_cprm.c create mode 100644 drivers/staging/rts5139/sd_cprm.h create mode 100644 drivers/staging/rts5139/trace.h create mode 100644 drivers/staging/rts5139/xd.c create mode 100644 drivers/staging/rts5139/xd.h diff --git a/drivers/staging/Kconfig b/drivers/staging/Kconfig index 3fb68d60dfc1..732afa01a31e 100644 --- a/drivers/staging/Kconfig +++ b/drivers/staging/Kconfig @@ -32,6 +32,8 @@ source "drivers/staging/rtl8723bs/Kconfig" source "drivers/staging/rtl8712/Kconfig" +source "drivers/staging/rts5139/Kconfig" + source "drivers/staging/rts5208/Kconfig" source "drivers/staging/octeon/Kconfig" diff --git a/drivers/staging/Makefile b/drivers/staging/Makefile index c977aa13fad4..9212c4a003f8 100644 --- a/drivers/staging/Makefile +++ b/drivers/staging/Makefile @@ -6,6 +6,7 @@ obj-$(CONFIG_FB_OLPC_DCON) += olpc_dcon/ obj-$(CONFIG_RTL8192E) += rtl8192e/ obj-$(CONFIG_RTL8723BS) += rtl8723bs/ obj-$(CONFIG_R8712U) += rtl8712/ +obj-$(CONFIG_RTS5139) += rts5139/ obj-$(CONFIG_RTS5208) += rts5208/ obj-$(CONFIG_OCTEON_ETHERNET) += octeon/ obj-$(CONFIG_VT6655) += vt6655/ diff --git a/drivers/staging/rts5139/Kconfig b/drivers/staging/rts5139/Kconfig new file mode 100644 index 000000000000..afd526bf422a --- /dev/null +++ b/drivers/staging/rts5139/Kconfig @@ -0,0 +1,16 @@ +config RTS5139 + tristate "Realtek RTS5139 USB card reader support" + depends on USB && SCSI + help + Say Y here to include driver code to support the Realtek + RTS5139 USB card readers. + + If this driver is compiled as a module, it will be named rts5139. + +config RTS5139_DEBUG + bool "Realtek RTS5139 Card Reader verbose debug" + depends on RTS5139 + help + Say Y here in order to have the rts5139 code generate + verbose debugging messages. + diff --git a/drivers/staging/rts5139/Makefile b/drivers/staging/rts5139/Makefile new file mode 100644 index 000000000000..75dd31224e62 --- /dev/null +++ b/drivers/staging/rts5139/Makefile @@ -0,0 +1,43 @@ +# Driver for Realtek RTS51xx USB card reader +# +# Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved. +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2, or (at your option) any +# later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, see <http://www.gnu.org/licenses/>. +# +# Author: +# wwang (wei_wang(a)realsil.com.cn) +# No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China +# Maintainer: +# Edwin Rong (edwin_rong(a)realsil.com.cn) +# No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China +# +# Makefile for the RTS51xx USB Card Reader drivers. +# + +obj-$(CONFIG_RTS5139) := rts5139.o + +ccflags-y := -Idrivers/scsi + +rts5139-y := \ + rts51x_transport.o \ + rts51x_scsi.o \ + rts51x_fop.o \ + rts51x.o \ + rts51x_chip.o \ + rts51x_card.o \ + xd.o \ + sd.o \ + ms.o \ + sd_cprm.o \ + ms_mg.o diff --git a/drivers/staging/rts5139/TODO b/drivers/staging/rts5139/TODO new file mode 100644 index 000000000000..dd5fabb8ea70 --- /dev/null +++ b/drivers/staging/rts5139/TODO @@ -0,0 +1,9 @@ +TODO: +- support more USB card reader of Realtek family +- use kernel coding style +- checkpatch.pl fixes +- stop having thousands of lines of code duplicated with staging/rts_pstor +- This driver contains an entire SD/MMC stack -- it should use the stack in + drivers/mmc instead, as a host driver e.g. drivers/mmc/host/realtek-usb.c; + see drivers/mmc/host/ushc.c as an example. +- This driver presents cards as SCSI devices, but they should be MMC devices. diff --git a/drivers/staging/rts5139/debug.h b/drivers/staging/rts5139/debug.h new file mode 100644 index 000000000000..73dec133a1bf --- /dev/null +++ b/drivers/staging/rts5139/debug.h @@ -0,0 +1,46 @@ +/* Driver for Realtek RTS51xx USB card reader + * Header file + * + * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, see <http://www.gnu.org/licenses/>. + * + * Author: + * wwang (wei_wang(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + * Maintainer: + * Edwin Rong (edwin_rong(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + */ + +#ifndef __RTS51X_DEBUG_H +#define __RTS51X_DEBUG_H + +#include <linux/kernel.h> + +#define RTS51X_TIP "rts51x: " + +#ifdef CONFIG_RTS5139_DEBUG +#define RTS51X_DEBUGP(x...) printk(KERN_DEBUG RTS51X_TIP x) +#define RTS51X_DEBUGPN(x...) printk(KERN_DEBUG x) +#define RTS51X_DEBUGPX(x...) printk(x) +#define RTS51X_DEBUG(x) x +#else +#define RTS51X_DEBUGP(x...) +#define RTS51X_DEBUGPN(x...) +#define RTS51X_DEBUGPX(x...) +#define RTS51X_DEBUG(x) +#endif + +#endif /* __RTS51X_DEBUG_H */ diff --git a/drivers/staging/rts5139/ms.c b/drivers/staging/rts5139/ms.c new file mode 100644 index 000000000000..a843a2f4392b --- /dev/null +++ b/drivers/staging/rts5139/ms.c @@ -0,0 +1,4182 @@ +/* Driver for Realtek RTS51xx USB card reader + * + * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, see <http://www.gnu.org/licenses/>. + * + * Author: + * wwang (wei_wang(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + * Maintainer: + * Edwin Rong (edwin_rong(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + */ + +#include <linux/blkdev.h> +#include <linux/kthread.h> +#include <linux/sched.h> +#include <linux/slab.h> +#include <linux/vmalloc.h> + +#include "debug.h" +#include "trace.h" +#include "rts51x.h" +#include "rts51x_transport.h" +#include "rts51x_scsi.h" +#include "rts51x_card.h" +#include "ms.h" +#include "ms_mg.h" + +static inline void ms_set_err_code(struct rts51x_chip *chip, u8 err_code) +{ + struct ms_info *ms_card = &(chip->ms_card); + + ms_card->err_code = err_code; +} + +static inline int ms_check_err_code(struct rts51x_chip *chip, u8 err_code) +{ + struct ms_info *ms_card = &(chip->ms_card); + + return ms_card->err_code == err_code; +} + +static int ms_parse_err_code(struct rts51x_chip *chip) +{ + TRACE_RET(chip, STATUS_FAIL); +} + +static int ms_transfer_tpc(struct rts51x_chip *chip, u8 trans_mode, u8 tpc, + u8 cnt, u8 cfg) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval; + + RTS51X_DEBUGP("ms_transfer_tpc: tpc = 0x%x\n", tpc); + + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TPC, 0xFF, tpc); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_BYTE_CNT, 0xFF, cnt); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANS_CFG, 0xFF, cfg); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01, + PINGPONG_BUFFER); + + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANSFER, 0xFF, + MS_TRANSFER_START | trans_mode); + rts51x_add_cmd(chip, CHECK_REG_CMD, MS_TRANSFER, MS_TRANSFER_END, + MS_TRANSFER_END); + + rts51x_add_cmd(chip, READ_REG_CMD, MS_TRANS_CFG, 0, 0); + + retval = rts51x_send_cmd(chip, MODE_CR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = rts51x_get_rsp(chip, 2, 5000); + if (CHECK_MS_TRANS_FAIL(chip, retval)) { + rts51x_clear_ms_error(chip); + ms_set_err_code(chip, MS_TO_ERROR); + TRACE_RET(chip, ms_parse_err_code(chip)); + } + + if (!(tpc & 0x08)) { /* Read Packet */ + /* Check CRC16 & Ready Timeout */ + if (chip->rsp_buf[1] & MS_CRC16_ERR) { + ms_set_err_code(chip, MS_CRC16_ERROR); + TRACE_RET(chip, ms_parse_err_code(chip)); + } + } else { /* Write Packet */ + if (CHK_MSPRO(ms_card) && !(chip->rsp_buf[1] & 0x80)) { + if (chip->rsp_buf[1] & (MS_INT_ERR | MS_INT_CMDNK)) { + ms_set_err_code(chip, MS_CMD_NK); + TRACE_RET(chip, ms_parse_err_code(chip)); + } + } + } + + /* Check Timeout of Ready Signal */ + if (chip->rsp_buf[1] & MS_RDY_TIMEOUT) { + rts51x_clear_ms_error(chip); + ms_set_err_code(chip, MS_TO_ERROR); + TRACE_RET(chip, ms_parse_err_code(chip)); + } + + return STATUS_SUCCESS; +} + +int ms_transfer_data(struct rts51x_chip *chip, u8 trans_mode, u8 tpc, + u16 sec_cnt, u8 cfg, int mode_2k, int use_sg, void *buf, + int buf_len) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval; + u8 val, err_code = 0, flag = 0; + enum dma_data_direction dir; + unsigned int pipe; + + if (!buf || !buf_len) + TRACE_RET(chip, STATUS_FAIL); + + if (trans_mode == MS_TM_AUTO_READ) { + pipe = RCV_BULK_PIPE(chip); + dir = DMA_FROM_DEVICE; + flag = MODE_CDIR; + err_code = MS_FLASH_READ_ERROR; + } else if (trans_mode == MS_TM_AUTO_WRITE) { + pipe = SND_BULK_PIPE(chip); + dir = DMA_TO_DEVICE; + flag = MODE_CDOR; + err_code = MS_FLASH_WRITE_ERROR; + } else { + TRACE_RET(chip, STATUS_FAIL); + } + + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TPC, 0xFF, tpc); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_SECTOR_CNT_H, 0xFF, + (u8) (sec_cnt >> 8)); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_SECTOR_CNT_L, 0xFF, + (u8) sec_cnt); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANS_CFG, 0xFF, cfg); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01, + RING_BUFFER); + + if (mode_2k) + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_CFG, MS_2K_SECTOR_MODE, + MS_2K_SECTOR_MODE); + else + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_CFG, MS_2K_SECTOR_MODE, + 0); + + rts51x_trans_dma_enable(dir, chip, sec_cnt * 512, DMA_512); + + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANSFER, 0xFF, + MS_TRANSFER_START | trans_mode); + rts51x_add_cmd(chip, CHECK_REG_CMD, MS_TRANSFER, MS_TRANSFER_END, + MS_TRANSFER_END); + + retval = rts51x_send_cmd(chip, flag | STAGE_MS_STATUS, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = + rts51x_transfer_data_rcc(chip, pipe, buf, buf_len, use_sg, NULL, + 15000, flag); + if (retval != STATUS_SUCCESS) { + ms_set_err_code(chip, err_code); + rts51x_clear_ms_error(chip); + TRACE_RET(chip, retval); + } + + retval = rts51x_get_rsp(chip, 3, 15000); + if (CHECK_MS_TRANS_FAIL(chip, retval)) { + ms_set_err_code(chip, err_code); + rts51x_clear_ms_error(chip); + TRACE_RET(chip, STATUS_FAIL); + } + + ms_card->last_rw_int = val = chip->rsp_buf[1]; + if (val & (MS_INT_CMDNK | MS_INT_ERR | MS_CRC16_ERR | MS_RDY_TIMEOUT)) + TRACE_RET(chip, STATUS_FAIL); + + return STATUS_SUCCESS; +} + +int ms_write_bytes(struct rts51x_chip *chip, u8 tpc, u8 cnt, u8 cfg, u8 *data, + int data_len) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval, i; + + if (!data || (data_len < cnt)) + TRACE_RET(chip, STATUS_ERROR); + + rts51x_init_cmd(chip); + + for (i = 0; i < cnt; i++) { + rts51x_add_cmd(chip, WRITE_REG_CMD, PPBUF_BASE2 + i, 0xFF, + data[i]); + } + if (cnt % 2) + rts51x_add_cmd(chip, WRITE_REG_CMD, PPBUF_BASE2 + i, + 0xFF, 0xFF); + + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TPC, 0xFF, tpc); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_BYTE_CNT, 0xFF, cnt); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANS_CFG, 0xFF, cfg); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01, + PINGPONG_BUFFER); + + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANSFER, 0xFF, + MS_TRANSFER_START | MS_TM_WRITE_BYTES); + rts51x_add_cmd(chip, CHECK_REG_CMD, MS_TRANSFER, MS_TRANSFER_END, + MS_TRANSFER_END); + + retval = rts51x_send_cmd(chip, MODE_CR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = rts51x_get_rsp(chip, 1, 5000); + if (CHECK_MS_TRANS_FAIL(chip, retval)) { + u8 val = 0; + + rts51x_ep0_read_register(chip, MS_TRANS_CFG, &val); + RTS51X_DEBUGP("MS_TRANS_CFG: 0x%02x\n", val); + + rts51x_clear_ms_error(chip); + + if (!(tpc & 0x08)) { /* Read Packet */ + /* Check CRC16 & Ready Timeout */ + if (val & MS_CRC16_ERR) { + ms_set_err_code(chip, MS_CRC16_ERROR); + TRACE_RET(chip, ms_parse_err_code(chip)); + } + } else { /* Write Packet */ + if (CHK_MSPRO(ms_card) && !(val & 0x80)) { + if (val & (MS_INT_ERR | MS_INT_CMDNK)) { + ms_set_err_code(chip, MS_CMD_NK); + TRACE_RET(chip, + ms_parse_err_code(chip)); + } + } + } + + /* Check Timeout of Ready Signal */ + if (val & MS_RDY_TIMEOUT) { + ms_set_err_code(chip, MS_TO_ERROR); + TRACE_RET(chip, ms_parse_err_code(chip)); + } + + ms_set_err_code(chip, MS_TO_ERROR); + TRACE_RET(chip, ms_parse_err_code(chip)); + } + + return STATUS_SUCCESS; +} + +int ms_read_bytes(struct rts51x_chip *chip, u8 tpc, u8 cnt, u8 cfg, u8 *data, + int data_len) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval, i; + + if (!data) + TRACE_RET(chip, STATUS_ERROR); + + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TPC, 0xFF, tpc); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_BYTE_CNT, 0xFF, cnt); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANS_CFG, 0xFF, cfg); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01, + PINGPONG_BUFFER); + + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANSFER, 0xFF, + MS_TRANSFER_START | MS_TM_READ_BYTES); + rts51x_add_cmd(chip, CHECK_REG_CMD, MS_TRANSFER, MS_TRANSFER_END, + MS_TRANSFER_END); + + for (i = 0; i < data_len - 1; i++) + rts51x_add_cmd(chip, READ_REG_CMD, PPBUF_BASE2 + i, 0, 0); + + if (data_len % 2) + rts51x_add_cmd(chip, READ_REG_CMD, PPBUF_BASE2 + data_len, 0, + 0); + else + rts51x_add_cmd(chip, READ_REG_CMD, PPBUF_BASE2 + data_len - 1, + 0, 0); + + retval = rts51x_send_cmd(chip, MODE_CR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = rts51x_get_rsp(chip, data_len + 1, 5000); + if (CHECK_MS_TRANS_FAIL(chip, retval)) { + u8 val = 0; + + rts51x_ep0_read_register(chip, MS_TRANS_CFG, &val); + RTS51X_DEBUGP("MS_TRANS_CFG: 0x%02x\n", val); + + rts51x_clear_ms_error(chip); + + if (!(tpc & 0x08)) { /* Read Packet */ + /* Check CRC16 & Ready Timeout */ + if (val & MS_CRC16_ERR) { + ms_set_err_code(chip, MS_CRC16_ERROR); + TRACE_RET(chip, ms_parse_err_code(chip)); + } + } else { /* Write Packet */ + if (CHK_MSPRO(ms_card) && !(val & 0x80)) { + if (val & (MS_INT_ERR | MS_INT_CMDNK)) { + ms_set_err_code(chip, MS_CMD_NK); + TRACE_RET(chip, + ms_parse_err_code(chip)); + } + } + } + + /* Check Timeout of Ready Signal */ + if (val & MS_RDY_TIMEOUT) { + ms_set_err_code(chip, MS_TO_ERROR); + TRACE_RET(chip, ms_parse_err_code(chip)); + } + + ms_set_err_code(chip, MS_TO_ERROR); + TRACE_RET(chip, ms_parse_err_code(chip)); + } + + rts51x_read_rsp_buf(chip, 1, data, data_len); + + return STATUS_SUCCESS; +} + +int ms_set_rw_reg_addr(struct rts51x_chip *chip, + u8 read_start, u8 read_cnt, u8 write_start, u8 write_cnt) +{ + int retval, i; + u8 data[4]; + + data[0] = read_start; + data[1] = read_cnt; + data[2] = write_start; + data[3] = write_cnt; + + for (i = 0; i < MS_MAX_RETRY_COUNT; i++) { + retval = + ms_write_bytes(chip, SET_RW_REG_ADRS, 4, NO_WAIT_INT, data, + 4); + if (retval == STATUS_SUCCESS) + return STATUS_SUCCESS; + rts51x_clear_ms_error(chip); + } + + TRACE_RET(chip, STATUS_FAIL); +} + +static int ms_send_cmd(struct rts51x_chip *chip, u8 cmd, u8 cfg) +{ + u8 data[2]; + + data[0] = cmd; + data[1] = 0; + + return ms_write_bytes(chip, PRO_SET_CMD, 1, cfg, data, 1); +} + +static int ms_set_cmd(struct rts51x_chip *chip, + u8 read_start, u8 read_count, + u8 write_start, u8 write_count, + u8 cmd, u8 cfg, u8 *data, int data_len, u8 *int_stat) +{ + int retval, i; + u8 val; + + if (!data || (data_len <= 0) || (data_len > 128)) { + RTS51X_DEBUGP("ms_set_cmd (data_len = %d)\n", data_len); + TRACE_RET(chip, STATUS_FAIL); + } + + retval = + ms_set_rw_reg_addr(chip, read_start, read_count, write_start, + write_count); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + for (i = 0; i < MS_MAX_RETRY_COUNT; i++) { + retval = + ms_write_bytes(chip, WRITE_REG, write_count, NO_WAIT_INT, + data, data_len); + if (retval == STATUS_SUCCESS) + break; + } + if (i == MS_MAX_RETRY_COUNT) + TRACE_RET(chip, STATUS_FAIL); + + ms_set_err_code(chip, MS_NO_ERROR); + + for (i = 0; i < MS_MAX_RETRY_COUNT; i++) { + retval = ms_send_cmd(chip, cmd, WAIT_INT); + if (retval == STATUS_SUCCESS) + break; + } + if (i == MS_MAX_RETRY_COUNT) + TRACE_RET(chip, STATUS_FAIL); + /* GET_INT Register */ + ms_set_err_code(chip, MS_NO_ERROR); + retval = ms_read_bytes(chip, GET_INT, 1, NO_WAIT_INT, &val, 1); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (int_stat) + *int_stat = val; + + return STATUS_SUCCESS; +} + +#ifdef MS_SPEEDUP +static int ms_auto_set_cmd(struct rts51x_chip *chip, + u8 read_start, u8 read_count, + u8 write_start, u8 write_count, + u8 cmd, u8 cfg, u8 *data, int data_len, + u8 *int_stat) +{ + int retval; + int i; + + if (!data || (data_len <= 0) || (data_len > 128)) { + RTS51X_DEBUGP("ms_auto_set_cmd (data_len = %d)\n", data_len); + TRACE_RET(chip, STATUS_FAIL); + } + + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_READ_START, 0xFF, read_start); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_READ_COUNT, 0xFF, read_count); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_WRITE_START, 0xFF, write_start); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_WRITE_COUNT, 0xFF, write_count); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_COMMAND, 0xFF, cmd); + + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANS_CFG, 0xFF, cfg); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01, + PINGPONG_BUFFER); + + for (i = 0; i < data_len; i++) { + rts51x_add_cmd(chip, WRITE_REG_CMD, PPBUF_BASE2 + i, 0xFF, + data[i]); + } + + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANSFER, 0xFF, + MS_TRANSFER_START | MS_TM_SET_CMD); + rts51x_add_cmd(chip, CHECK_REG_CMD, MS_TRANSFER, MS_TRANSFER_END, + MS_TRANSFER_END); + + retval = rts51x_send_cmd(chip, MODE_CR | STAGE_MS_STATUS, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = rts51x_get_rsp(chip, 3, 5000); + + if (CHECK_MS_TRANS_FAIL(chip, retval)) { + rts51x_clear_ms_error(chip); + TRACE_RET(chip, STATUS_FAIL); + } + + if (int_stat) + *int_stat = chip->rsp_buf[2]; + + return STATUS_SUCCESS; +} +#endif + +static int ms_set_init_para(struct rts51x_chip *chip) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval; + + if (CHK_HG8BIT(ms_card)) { + if (chip->asic_code) + ms_card->ms_clock = chip->option.asic_ms_hg_clk; + else + ms_card->ms_clock = chip->option.fpga_ms_hg_clk; + } else if (CHK_MSPRO(ms_card) || CHK_MS4BIT(ms_card)) { + if (chip->asic_code) + ms_card->ms_clock = chip->option.asic_ms_4bit_clk; + else + ms_card->ms_clock = chip->option.fpga_ms_4bit_clk; + } else { + if (chip->asic_code) + ms_card->ms_clock = 38; + else + ms_card->ms_clock = CLK_40; + } + + retval = switch_clock(chip, ms_card->ms_clock); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = rts51x_select_card(chip, MS_CARD); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + return STATUS_SUCCESS; +} + +int ms_switch_clock(struct rts51x_chip *chip) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval; + + retval = rts51x_select_card(chip, MS_CARD); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = switch_clock(chip, ms_card->ms_clock); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + return STATUS_SUCCESS; +} + +static void ms_pull_ctl_disable(struct rts51x_chip *chip) +{ + if (CHECK_PKG(chip, LQFP48)) { + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0x95); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0xA5); + } else { + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0x65); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0x95); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x56); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0x59); + } +} + +static void ms_pull_ctl_enable(struct rts51x_chip *chip) +{ + if (CHECK_PKG(chip, LQFP48)) { + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0x95); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0xA5); + } else { + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0x65); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0x95); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0x59); + } +} + +static int ms_prepare_reset(struct rts51x_chip *chip) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval; + + ms_card->ms_type = 0; + ms_card->check_ms_flow = 0; + ms_card->switch_8bit_fail = 0; + ms_card->delay_write.delay_write_flag = 0; + + ms_card->pro_under_formatting = 0; + + rts51x_init_cmd(chip); + + if (chip->asic_code) { + ms_pull_ctl_enable(chip); + } else { + rts51x_add_cmd(chip, WRITE_REG_CMD, FPGA_PULL_CTL, + FPGA_MS_PULL_CTL_BIT | 0x20, 0); + } + /* Tri-state MS output */ + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_OE, MS_OUTPUT_EN, 0); + + if (!chip->option.FT2_fast_mode) { + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL, POWER_MASK, + POWER_OFF); + } + + retval = rts51x_send_cmd(chip, MODE_C, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (!chip->option.FT2_fast_mode) { + wait_timeout(250); + + rts51x_card_power_on(chip, MS_CARD); + wait_timeout(150); + +#ifdef SUPPORT_OCP + rts51x_get_card_status(chip, &(chip->card_status)); + /* get OCP status */ + chip->ocp_stat = (chip->card_status >> 4) & 0x03; + + if (chip->ocp_stat & (MS_OCP_NOW | MS_OCP_EVER)) { + RTS51X_DEBUGP("Over current, OCPSTAT is 0x%x\n", + chip->ocp_stat); + TRACE_RET(chip, STATUS_FAIL); + } +#endif + } + + rts51x_init_cmd(chip); + + /* Enable MS Output */ + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_OE, MS_OUTPUT_EN, + MS_OUTPUT_EN); + + /* Reset Registers */ + if (chip->asic_code) + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_CFG, 0xFF, + SAMPLE_TIME_RISING | PUSH_TIME_DEFAULT | + NO_EXTEND_TOGGLE | MS_BUS_WIDTH_1); + else + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_CFG, 0xFF, + SAMPLE_TIME_FALLING | PUSH_TIME_DEFAULT | + NO_EXTEND_TOGGLE | MS_BUS_WIDTH_1); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANS_CFG, 0xFF, + NO_WAIT_INT | NO_AUTO_READ_INT_REG); + + retval = rts51x_send_cmd(chip, MODE_C, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + return ms_set_init_para(chip); +} + +static int ms_identify_media_type(struct rts51x_chip *chip, int switch_8bit_bus) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval, i; + u8 val; + + retval = ms_set_rw_reg_addr(chip, Pro_StatusReg, 6, SystemParm, 1); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + /* Get Register form MS-PRO card */ + for (i = 0; i < MS_MAX_RETRY_COUNT; i++) { + retval = + ms_transfer_tpc(chip, MS_TM_READ_BYTES, READ_REG, 6, + NO_WAIT_INT); + if (retval == STATUS_SUCCESS) + break; + } + if (i == MS_MAX_RETRY_COUNT) + TRACE_RET(chip, STATUS_FAIL); + + RTS51X_READ_REG(chip, PPBUF_BASE2 + 2, &val); + RTS51X_DEBUGP("Type register: 0x%x\n", val); + if (val != 0x01) { + if (val != 0x02) + ms_card->check_ms_flow = 1; + TRACE_RET(chip, STATUS_FAIL); + } + /* Category Register */ + RTS51X_READ_REG(chip, PPBUF_BASE2 + 4, &val); + RTS51X_DEBUGP("Category register: 0x%x\n", val); + if (val != 0) { + ms_card->check_ms_flow = 1; + TRACE_RET(chip, STATUS_FAIL); + } + /* Class Register */ + RTS51X_READ_REG(chip, PPBUF_BASE2 + 5, &val); + RTS51X_DEBUGP("Class register: 0x%x\n", val); + if (val == 0) { + RTS51X_READ_REG(chip, PPBUF_BASE2, &val); + if (val & WRT_PRTCT) + chip->card_wp |= MS_CARD; + else + chip->card_wp &= ~MS_CARD; + } else if ((val == 0x01) || (val == 0x02) || (val == 0x03)) { + chip->card_wp |= MS_CARD; + } else { + ms_card->check_ms_flow = 1; + TRACE_RET(chip, STATUS_FAIL); + } + + ms_card->ms_type |= TYPE_MSPRO; + + /* Check MSPro-HG Card, use IF Mode Register to distinguish */ + RTS51X_READ_REG(chip, PPBUF_BASE2 + 3, &val); + RTS51X_DEBUGP("IF Mode register: 0x%x\n", val); + if (val == 0) { + ms_card->ms_type &= 0x0F; + } else if (val == 7) { + if (switch_8bit_bus) + ms_card->ms_type |= MS_HG; + else + ms_card->ms_type &= 0x0F; + } else { + TRACE_RET(chip, STATUS_FAIL); + } + + /* end Procedure to identify Media Type */ + return STATUS_SUCCESS; +} + +static int ms_confirm_cpu_startup(struct rts51x_chip *chip) +{ + int retval, i, k; + u8 val; + + /* Confirm CPU StartUp */ + k = 0; + do { + if (monitor_card_cd(chip, MS_CARD) == CD_NOT_EXIST) + TRACE_RET(chip, STATUS_FAIL); + + for (i = 0; i < MS_MAX_RETRY_COUNT; i++) { + retval = + ms_read_bytes(chip, GET_INT, 1, NO_WAIT_INT, &val, + 1); + if (retval == STATUS_SUCCESS) + break; + } + if (i == MS_MAX_RETRY_COUNT) + TRACE_RET(chip, STATUS_FAIL); + + if (k > 100) + TRACE_RET(chip, STATUS_FAIL); + k++; + wait_timeout(100); + } while (!(val & INT_REG_CED)); + + for (i = 0; i < MS_MAX_RETRY_COUNT; i++) { + retval = ms_read_bytes(chip, GET_INT, 1, NO_WAIT_INT, &val, 1); + if (retval == STATUS_SUCCESS) + break; + } + if (i == MS_MAX_RETRY_COUNT) + TRACE_RET(chip, STATUS_FAIL); + + if (val & INT_REG_ERR) { + if (val & INT_REG_CMDNK) { /* CMDNK = 1 */ + chip->card_wp |= (MS_CARD); + } else { /* CMDNK = 0 */ + TRACE_RET(chip, STATUS_FAIL); + } + } + /*-- end confirm CPU startup */ + + return STATUS_SUCCESS; +} + +static int ms_switch_parallel_bus(struct rts51x_chip *chip) +{ + int retval, i; + u8 data[2]; + + data[0] = PARALLEL_4BIT_IF; + data[1] = 0; + for (i = 0; i < MS_MAX_RETRY_COUNT; i++) { + retval = + ms_write_bytes(chip, WRITE_REG, 1, NO_WAIT_INT, data, 2); + if (retval == STATUS_SUCCESS) + break; + } + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + return STATUS_SUCCESS; +} + +static int ms_switch_8bit_bus(struct rts51x_chip *chip) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval, i; + u8 data[2]; + + data[0] = PARALLEL_8BIT_IF; + data[1] = 0; + for (i = 0; i < MS_MAX_RETRY_COUNT; i++) { + retval = + ms_write_bytes(chip, WRITE_REG, 1, NO_WAIT_INT, data, 2); + if (retval == STATUS_SUCCESS) + break; + } + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, STATUS_FAIL); + + RTS51X_WRITE_REG(chip, MS_CFG, 0x98, + MS_BUS_WIDTH_8 | SAMPLE_TIME_FALLING); + ms_card->ms_type |= MS_8BIT; + + retval = ms_set_init_para(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + for (i = 0; i < MS_MAX_RETRY_COUNT; i++) { + retval = + ms_transfer_tpc(chip, MS_TM_READ_BYTES, GET_INT, 1, + NO_WAIT_INT); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + + return STATUS_SUCCESS; +} + +static int ms_pro_reset_flow(struct rts51x_chip *chip, int switch_8bit_bus) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval, i; + + for (i = 0; i < 3; i++) { + retval = ms_prepare_reset(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = ms_identify_media_type(chip, switch_8bit_bus); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = ms_confirm_cpu_startup(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = ms_switch_parallel_bus(chip); + if (retval != STATUS_SUCCESS) { + if (monitor_card_cd(chip, MS_CARD) == CD_NOT_EXIST) + TRACE_RET(chip, STATUS_FAIL); + continue; + } else { + break; + } + } + + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + RTS51X_WRITE_REG(chip, MS_CFG, 0x18, MS_BUS_WIDTH_4); + + RTS51X_WRITE_REG(chip, MS_CFG, PUSH_TIME_ODD, PUSH_TIME_ODD); + + retval = ms_set_init_para(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (CHK_MSHG(ms_card) && switch_8bit_bus) { + retval = ms_switch_8bit_bus(chip); + if (retval != STATUS_SUCCESS) { + ms_card->switch_8bit_fail = 1; + TRACE_RET(chip, retval); + } + } + + return STATUS_SUCCESS; +} + +#ifdef XC_POWERCLASS +static int msxc_change_power(struct rts51x_chip *chip, u8 mode) +{ + int retval; + u8 buf[6]; + + rts51x_ms_cleanup_work(chip); + + /* Set Parameter Register */ + retval = ms_set_rw_reg_addr(chip, 0, 0, Pro_DataCount1, 6); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + buf[0] = 0; + buf[1] = mode; + buf[2] = 0; + buf[3] = 0; + buf[4] = 0; + buf[5] = 0; + + retval = ms_write_bytes(chip, PRO_WRITE_REG, 6, NO_WAIT_INT, buf, 6); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = ms_send_cmd(chip, XC_CHG_POWER, WAIT_INT); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + RTS51X_READ_REG(chip, MS_TRANS_CFG, buf); + if (buf[0] & (MS_INT_CMDNK | MS_INT_ERR)) + TRACE_RET(chip, STATUS_FAIL); + + return STATUS_SUCCESS; +} +#endif + +static int ms_read_attribute_info(struct rts51x_chip *chip) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval, i; + u8 val, *buf, class_code, device_type, sub_class, data[16]; + u16 total_blk = 0, blk_size = 0; +#ifdef SUPPORT_MSXC + u32 xc_total_blk = 0, xc_blk_size = 0; +#endif + u32 sys_info_addr = 0, sys_info_size; +#ifdef SUPPORT_PCGL_1P18 + u32 model_name_addr = 0, model_name_size; + int found_sys_info = 0, found_model_name = 0; +#endif + + retval = ms_set_rw_reg_addr(chip, Pro_IntReg, 2, Pro_SystemParm, 7); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (CHK_MS8BIT(ms_card)) + data[0] = PARALLEL_8BIT_IF; + else + data[0] = PARALLEL_4BIT_IF; + data[1] = 0; + + data[2] = 0x40; + data[3] = 0; + data[4] = 0; + data[5] = 0; + /* Start address 0 */ + data[6] = 0; + data[7] = 0; + + for (i = 0; i < MS_MAX_RETRY_COUNT; i++) { + retval = + ms_write_bytes(chip, PRO_WRITE_REG, 7, NO_WAIT_INT, data, + 8); + if (retval == STATUS_SUCCESS) + break; + } + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + buf = kmalloc(64 * 512, GFP_KERNEL); + if (buf == NULL) + TRACE_RET(chip, STATUS_NOMEM); + + for (i = 0; i < MS_MAX_RETRY_COUNT; i++) { + retval = ms_send_cmd(chip, PRO_READ_ATRB, WAIT_INT); + if (retval != STATUS_SUCCESS) + continue; + + retval = rts51x_read_register(chip, MS_TRANS_CFG, &val); + if (retval != STATUS_SUCCESS) { + kfree(buf); + TRACE_RET(chip, STATUS_FAIL); + } + if (!(val & MS_INT_BREQ)) { + kfree(buf); + TRACE_RET(chip, STATUS_FAIL); + } + + retval = + ms_transfer_data(chip, MS_TM_AUTO_READ, PRO_READ_LONG_DATA, + 0x40, WAIT_INT, 0, 0, buf, 64 * 512); + if (retval == STATUS_SUCCESS) + break; + else + rts51x_clear_ms_error(chip); + } + if (retval != STATUS_SUCCESS) { + kfree(buf); + TRACE_RET(chip, retval); + } + + i = 0; + do { + retval = rts51x_read_register(chip, MS_TRANS_CFG, &val); + if (retval != STATUS_SUCCESS) { + kfree(buf); + TRACE_RET(chip, retval); + } + + if ((val & MS_INT_CED) || !(val & MS_INT_BREQ)) + break; + + retval = + ms_transfer_tpc(chip, MS_TM_NORMAL_READ, PRO_READ_LONG_DATA, + 0, WAIT_INT); + if (retval != STATUS_SUCCESS) { + kfree(buf); + TRACE_RET(chip, retval); + } + + i++; + } while (i < 1024); + + if (retval != STATUS_SUCCESS) { + kfree(buf); + TRACE_RET(chip, retval); + } + + if ((buf[0] != 0xa5) && (buf[1] != 0xc3)) { + /* Signature code is wrong */ + kfree(buf); + TRACE_RET(chip, STATUS_FAIL); + } + + if ((buf[4] < 1) || (buf[4] > 12)) { + kfree(buf); + TRACE_RET(chip, STATUS_FAIL); + } + + for (i = 0; i < buf[4]; i++) { + int cur_addr_off = 16 + i * 12; + +#ifdef SUPPORT_MSXC + if ((buf[cur_addr_off + 8] == 0x10) + || (buf[cur_addr_off + 8] == 0x13)) { +#else + if (buf[cur_addr_off + 8] == 0x10) { +#endif + sys_info_addr = ((u32) buf[cur_addr_off + 0] << 24) | + ((u32) buf[cur_addr_off + 1] << 16) | + ((u32) buf[cur_addr_off + 2] << 8) | + buf[cur_addr_off + 3]; + sys_info_size = + ((u32) buf[cur_addr_off + 4] << 24) | + ((u32) buf[cur_addr_off + 5] << 16) | + ((u32) buf[cur_addr_off + 6] << 8) | + buf[cur_addr_off + 7]; + RTS51X_DEBUGP("sys_info_addr = 0x%x, sys_info_size = 0x%x\n", + sys_info_addr, sys_info_size); + if (sys_info_size != 96) { + kfree(buf); + TRACE_RET(chip, STATUS_FAIL); + } + if (sys_info_addr < 0x1A0) { + kfree(buf); + TRACE_RET(chip, STATUS_FAIL); + } + if ((sys_info_size + sys_info_addr) > 0x8000) { + kfree(buf); + TRACE_RET(chip, STATUS_FAIL); + } +#ifdef SUPPORT_MSXC + if (buf[cur_addr_off + 8] == 0x13) + ms_card->ms_type |= MS_XC; +#endif +#ifdef SUPPORT_PCGL_1P18 + found_sys_info = 1; +#else + break; +#endif + } +#ifdef SUPPORT_PCGL_1P18 + if (buf[cur_addr_off + 8] == 0x15) { + model_name_addr = ((u32) buf[cur_addr_off + 0] << 24) | + ((u32) buf[cur_addr_off + 1] << 16) | + ((u32) buf[cur_addr_off + 2] << 8) | + buf[cur_addr_off + 3]; + model_name_size = + ((u32) buf[cur_addr_off + 4] << 24) | + ((u32) buf[cur_addr_off + 5] << 16) | + ((u32) buf[cur_addr_off + 6] << 8) | + buf[cur_addr_off + 7]; + RTS51X_DEBUGP("model_name_addr = 0x%x, model_name_size = 0x%x\n", + model_name_addr, model_name_size); + if (model_name_size != 48) { + kfree(buf); + TRACE_RET(chip, STATUS_FAIL); + } + if (model_name_addr < 0x1A0) { + kfree(buf); + TRACE_RET(chip, STATUS_FAIL); + } + if ((model_name_size + model_name_addr) > 0x8000) { + kfree(buf); + TRACE_RET(chip, STATUS_FAIL); + } + + found_model_name = 1; + } + + if (found_sys_info && found_model_name) + break; +#endif + } + + if (i == buf[4]) { + kfree(buf); + TRACE_RET(chip, STATUS_FAIL); + } + + class_code = buf[sys_info_addr + 0]; + device_type = buf[sys_info_addr + 56]; + sub_class = buf[sys_info_addr + 46]; +#ifdef SUPPORT_MSXC + if (CHK_MSXC(ms_card)) { + xc_total_blk = ((u32) buf[sys_info_addr + 6] << 24) | + ((u32) buf[sys_info_addr + 7] << 16) | + ((u32) buf[sys_info_addr + 8] << 8) | + buf[sys_info_addr + 9]; + xc_blk_size = ((u32) buf[sys_info_addr + 32] << 24) | + ((u32) buf[sys_info_addr + 33] << 16) | + ((u32) buf[sys_info_addr + 34] << 8) | + buf[sys_info_addr + 35]; + RTS51X_DEBUGP("xc_total_blk = 0x%x, xc_blk_size = 0x%x\n", + xc_total_blk, xc_blk_size); + } else { + total_blk = + ((u16) buf[sys_info_addr + 6] << 8) | buf[sys_info_addr + + 7]; + blk_size = + ((u16) buf[sys_info_addr + 2] << 8) | buf[sys_info_addr + + 3]; + RTS51X_DEBUGP("total_blk = 0x%x, blk_size = 0x%x\n", total_blk, + blk_size); + } +#else + total_blk = + ((u16) buf[sys_info_addr + 6] << 8) | buf[sys_info_addr + 7]; + blk_size = ((u16) buf[sys_info_addr + 2] << 8) | buf[sys_info_addr + 3]; + RTS51X_DEBUGP("total_blk = 0x%x, blk_size = 0x%x\n", total_blk, + blk_size); +#endif + + RTS51X_DEBUGP("class_code = 0x%x, device_type = 0x%x," + "sub_class = 0x%x\n", + class_code, device_type, sub_class); + + memcpy(ms_card->raw_sys_info, buf + sys_info_addr, 96); +#ifdef SUPPORT_PCGL_1P18 + memcpy(ms_card->raw_model_name, buf + model_name_addr, 48); +#endif + + kfree(buf); + + /* Confirm System Information */ +#ifdef SUPPORT_MSXC + if (CHK_MSXC(ms_card)) { + if (class_code != 0x03) + TRACE_RET(chip, STATUS_FAIL); + } else { + if (class_code != 0x02) + TRACE_RET(chip, STATUS_FAIL); + } +#else + if (class_code != 0x02) + TRACE_RET(chip, STATUS_FAIL); +#endif + + if (device_type != 0x00) { + if ((device_type == 0x01) || (device_type == 0x02) + || (device_type == 0x03)) + chip->card_wp |= MS_CARD; + else + TRACE_RET(chip, STATUS_FAIL); + } + if (sub_class & 0xC0) + TRACE_RET(chip, STATUS_FAIL); + + RTS51X_DEBUGP("class_code: 0x%x, device_type: 0x%x, sub_class: 0x%x\n", + class_code, device_type, sub_class); + +#ifdef SUPPORT_MSXC + if (CHK_MSXC(ms_card)) { + chip->capacity[chip->card2lun[MS_CARD]] = ms_card->capacity = + xc_total_blk * xc_blk_size; + } else { + chip->capacity[chip->card2lun[MS_CARD]] = ms_card->capacity = + total_blk * blk_size; + } +#else + chip->capacity[chip->card2lun[MS_CARD]] = ms_card->capacity = + total_blk * blk_size; +#endif + + return STATUS_SUCCESS; +} + +static int reset_ms_pro(struct rts51x_chip *chip) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval; +#ifdef XC_POWERCLASS + u8 change_power_class = 2; +#endif + +#ifdef XC_POWERCLASS +Retry: +#endif + retval = ms_pro_reset_flow(chip, 1); + if (retval != STATUS_SUCCESS) { + if (ms_card->switch_8bit_fail) { + retval = ms_pro_reset_flow(chip, 0); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } else { + TRACE_RET(chip, retval); + } + } + + retval = ms_read_attribute_info(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); +#ifdef XC_POWERCLASS + if (CHK_HG8BIT(ms_card)) + change_power_class = 0; + + if (change_power_class && CHK_MSXC(ms_card)) { + u8 power_class_mode = (ms_card->raw_sys_info[46] & 0x18) >> 3; + RTS51X_DEBUGP("power_class_mode = 0x%x", power_class_mode); + if (change_power_class > power_class_mode) + change_power_class = power_class_mode; + if (change_power_class) { + retval = msxc_change_power(chip, change_power_class); + if (retval != STATUS_SUCCESS) { + change_power_class--; + goto Retry; + } + } + } +#endif + +#ifdef SUPPORT_MAGIC_GATE + retval = rts51x_mg_set_tpc_para_sub(chip, 0, 0); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); +#endif + + if (CHK_HG8BIT(ms_card)) + chip->card_bus_width[chip->card2lun[MS_CARD]] = 8; + else + chip->card_bus_width[chip->card2lun[MS_CARD]] = 4; + + return STATUS_SUCCESS; +} + +static int ms_read_status_reg(struct rts51x_chip *chip) +{ + int retval; + u8 val[2]; + + retval = ms_set_rw_reg_addr(chip, StatusReg0, 2, 0, 0); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = ms_read_bytes(chip, READ_REG, 2, NO_WAIT_INT, val, 2); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + if (val[1] & (STS_UCDT | STS_UCEX | STS_UCFG)) { + ms_set_err_code(chip, MS_FLASH_READ_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + + return STATUS_SUCCESS; +} + +static int ms_check_boot_block(struct rts51x_chip *chip, u16 block_addr) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval; + u8 extra[MS_EXTRA_SIZE], data[10], val = 0; + + if (CHK_MS4BIT(ms_card)) { + /* Parallel interface */ + data[0] = 0x88; + } else { + /* Serial interface */ + data[0] = 0x80; + } + /* Block Address */ + data[1] = 0; + data[2] = (u8) (block_addr >> 8); + data[3] = (u8) block_addr; + /* Page Number + * Extra data access mode */ + data[4] = 0x40; + data[5] = 0; + + retval = ms_set_cmd(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm, 6, + BLOCK_READ, WAIT_INT, data, 6, &val); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (val & INT_REG_CMDNK) { + ms_set_err_code(chip, MS_CMD_NK); + TRACE_RET(chip, STATUS_FAIL); + } + if (val & INT_REG_CED) { + if (val & INT_REG_ERR) { + retval = ms_read_status_reg(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + retval = + ms_set_rw_reg_addr(chip, OverwriteFlag, + MS_EXTRA_SIZE, SystemParm, 6); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + } + + retval = + ms_read_bytes(chip, READ_REG, MS_EXTRA_SIZE, NO_WAIT_INT, extra, + MS_EXTRA_SIZE); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (!(extra[0] & BLOCK_OK) || (extra[1] & NOT_BOOT_BLOCK)) + TRACE_RET(chip, STATUS_FAIL); + + return STATUS_SUCCESS; +} + +static int ms_read_extra_data(struct rts51x_chip *chip, + u16 block_addr, u8 page_num, u8 *buf, + int buf_len) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval; + u8 val = 0, data[10]; + + if (CHK_MS4BIT(ms_card)) { + /* Parallel interface */ + data[0] = 0x88; + } else { + /* Serial interface */ + data[0] = 0x80; + } + /* Block Address */ + data[1] = 0; + data[2] = (u8) (block_addr >> 8); + data[3] = (u8) block_addr; + /* Page Number + * Extra data access mode */ + data[4] = 0x40; + data[5] = page_num; + +#ifdef MS_SPEEDUP + retval = + ms_auto_set_cmd(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm, 6, + BLOCK_READ, WAIT_INT, data, 6, &val); +#else + retval = ms_set_cmd(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm, 6, + BLOCK_READ, WAIT_INT, data, 6, &val); +#endif + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (val & INT_REG_CMDNK) { + ms_set_err_code(chip, MS_CMD_NK); + TRACE_RET(chip, STATUS_FAIL); + } + if (val & INT_REG_CED) { + if (val & INT_REG_ERR) { + retval = ms_read_status_reg(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + retval = + ms_set_rw_reg_addr(chip, OverwriteFlag, + MS_EXTRA_SIZE, SystemParm, 6); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + } + + retval = + ms_read_bytes(chip, READ_REG, MS_EXTRA_SIZE, NO_WAIT_INT, data, + MS_EXTRA_SIZE); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (buf && buf_len) { + if (buf_len > MS_EXTRA_SIZE) + buf_len = MS_EXTRA_SIZE; + memcpy(buf, data, buf_len); + } + + return STATUS_SUCCESS; +} + +static int ms_write_extra_data(struct rts51x_chip *chip, + u16 block_addr, u8 page_num, u8 *buf, + int buf_len) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval, i; + u8 val = 0, data[16]; + + if (!buf || (buf_len < MS_EXTRA_SIZE)) + TRACE_RET(chip, STATUS_FAIL); + /* Write REG */ + if (CHK_MS4BIT(ms_card)) { + /* Parallel interface */ + data[0] = 0x88; + } else { + /* Serial interface */ + data[0] = 0x80; + } + /* Block Address */ + data[1] = 0; + data[2] = (u8) (block_addr >> 8); + data[3] = (u8) block_addr; + /* Page Number + * Extra data access mode */ + data[4] = 0x40; + data[5] = page_num; + + for (i = 6; i < MS_EXTRA_SIZE + 6; i++) + data[i] = buf[i - 6]; + +#ifdef MS_SPEEDUP + retval = + ms_auto_set_cmd(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm, + 6 + MS_EXTRA_SIZE, BLOCK_WRITE, WAIT_INT, data, 16, + &val); +#else + retval = + ms_set_cmd(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm, + 6 + MS_EXTRA_SIZE, BLOCK_WRITE, WAIT_INT, data, 16, + &val); +#endif + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (val & INT_REG_CMDNK) { + ms_set_err_code(chip, MS_CMD_NK); + TRACE_RET(chip, STATUS_FAIL); + } + if (val & INT_REG_CED) { + if (val & INT_REG_ERR) { + ms_set_err_code(chip, MS_FLASH_WRITE_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + } + + return STATUS_SUCCESS; +} + +static int ms_read_page(struct rts51x_chip *chip, u16 block_addr, u8 page_num) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval; + u8 val = 0, data[6]; + + if (CHK_MS4BIT(ms_card)) { + /* Parallel interface */ + data[0] = 0x88; + } else { + /* Serial interface */ + data[0] = 0x80; + } + /* Block Address */ + data[1] = 0; + data[2] = (u8) (block_addr >> 8); + data[3] = (u8) block_addr; + /* Page Number + * Single page access mode */ + data[4] = 0x20; + data[5] = page_num; + + retval = ms_set_cmd(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm, 6, + BLOCK_READ, WAIT_INT, data, 6, &val); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (val & INT_REG_CMDNK) { + ms_set_err_code(chip, MS_CMD_NK); + TRACE_RET(chip, STATUS_FAIL); + } + + if (val & INT_REG_CED) { + if (val & INT_REG_ERR) { + if (!(val & INT_REG_BREQ)) { + ms_set_err_code(chip, MS_FLASH_READ_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + retval = ms_read_status_reg(chip); + if (retval != STATUS_SUCCESS) + ms_set_err_code(chip, MS_FLASH_WRITE_ERROR); + } else { + if (!(val & INT_REG_BREQ)) { + ms_set_err_code(chip, MS_BREQ_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + } + } + + retval = + ms_transfer_tpc(chip, MS_TM_NORMAL_READ, READ_PAGE_DATA, 0, + NO_WAIT_INT); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + if (ms_check_err_code(chip, MS_FLASH_WRITE_ERROR)) + TRACE_RET(chip, STATUS_FAIL); + + return STATUS_SUCCESS; +} + +static int ms_set_bad_block(struct rts51x_chip *chip, u16 phy_blk) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval; + u8 val = 0, data[8], extra[MS_EXTRA_SIZE]; + + retval = ms_read_extra_data(chip, phy_blk, 0, extra, MS_EXTRA_SIZE); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + ms_set_err_code(chip, MS_NO_ERROR); + + if (CHK_MS4BIT(ms_card)) { + /* Parallel interface */ + data[0] = 0x88; + } else { + /* Serial interface */ + data[0] = 0x80; + } + /* Block Address */ + data[1] = 0; + data[2] = (u8) (phy_blk >> 8); + data[3] = (u8) phy_blk; + data[4] = 0x80; + data[5] = 0; + data[6] = extra[0] & 0x7F; + data[7] = 0xFF; + +#ifdef MS_SPEEDUP + retval = ms_set_cmd(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm, 7, + BLOCK_WRITE, WAIT_INT, data, 7, &val); +#else + retval = ms_set_cmd(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm, 7, + BLOCK_WRITE, WAIT_INT, data, 7, &val); +#endif + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (val & INT_REG_CMDNK) { + ms_set_err_code(chip, MS_CMD_NK); + TRACE_RET(chip, STATUS_FAIL); + } + + if (val & INT_REG_CED) { + if (val & INT_REG_ERR) { + ms_set_err_code(chip, MS_FLASH_WRITE_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + } + + return STATUS_SUCCESS; +} + +static int ms_erase_block(struct rts51x_chip *chip, u16 phy_blk) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval, i = 0; + u8 val = 0, data[6]; + + retval = + ms_set_rw_reg_addr(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm, + 6); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + ms_set_err_code(chip, MS_NO_ERROR); + + if (CHK_MS4BIT(ms_card)) { + /* Parallel interface */ + data[0] = 0x88; + } else { + /* Serial interface */ + data[0] = 0x80; + } + /* Block Address */ + data[1] = 0; + data[2] = (u8) (phy_blk >> 8); + data[3] = (u8) phy_blk; + data[4] = 0; + data[5] = 0; + +ERASE_RTY: +#ifdef MS_SPEEDUP + retval = + ms_auto_set_cmd(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm, 6, + BLOCK_ERASE, WAIT_INT, data, 6, &val); +#else + retval = ms_set_cmd(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm, 6, + BLOCK_ERASE, WAIT_INT, data, 6, &val); +#endif + + if (val & INT_REG_CMDNK) { + if (i < 3) { + i++; + goto ERASE_RTY; + } + ms_set_err_code(chip, MS_CMD_NK); + ms_set_bad_block(chip, phy_blk); + TRACE_RET(chip, STATUS_FAIL); + } + + if (val & INT_REG_CED) { + if (val & INT_REG_ERR) { + ms_set_err_code(chip, MS_FLASH_WRITE_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + } + + return STATUS_SUCCESS; +} + +static void ms_set_page_status(u16 log_blk, u8 type, u8 *extra, int extra_len) +{ + if (!extra || (extra_len < MS_EXTRA_SIZE)) + return; + + memset(extra, 0xFF, MS_EXTRA_SIZE); + + if (type == setPS_NG) + extra[0] = 0xB8; + else + extra[0] = 0x98; + + extra[2] = (u8) (log_blk >> 8); + extra[3] = (u8) log_blk; +} + +static int ms_init_page(struct rts51x_chip *chip, u16 phy_blk, u16 log_blk, + u8 start_page, u8 end_page) +{ + int retval; + u8 extra[MS_EXTRA_SIZE], i; + + memset(extra, 0xff, MS_EXTRA_SIZE); + + extra[0] = 0xf8; /* Block, page OK, data erased */ + extra[1] = 0xff; + extra[2] = (u8) (log_blk >> 8); + extra[3] = (u8) log_blk; + + for (i = start_page; i < end_page; i++) { + if (monitor_card_cd(chip, MS_CARD) == CD_NOT_EXIST) + TRACE_RET(chip, STATUS_FAIL); + + retval = + ms_write_extra_data(chip, phy_blk, i, extra, MS_EXTRA_SIZE); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + + return STATUS_SUCCESS; +} + +static int ms_copy_page(struct rts51x_chip *chip, u16 old_blk, u16 new_blk, + u16 log_blk, u8 start_page, u8 end_page) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval, rty_cnt, uncorrect_flag = 0; + u8 extra[MS_EXTRA_SIZE], val, i, j, data[16]; + + RTS51X_DEBUGP("Copy page from 0x%x to 0x%x, logical block is 0x%x\n", + old_blk, new_blk, log_blk); + RTS51X_DEBUGP("start_page = %d, end_page = %d\n", start_page, + end_page); + + retval = ms_read_extra_data(chip, new_blk, 0, extra, MS_EXTRA_SIZE); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = ms_read_status_reg(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + RTS51X_READ_REG(chip, PPBUF_BASE2, &val); + + if (val & BUF_FULL) { + /* Clear Buffer */ + retval = ms_send_cmd(chip, CLEAR_BUF, WAIT_INT); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + /* GET_INT Register */ + retval = ms_read_bytes(chip, GET_INT, 1, NO_WAIT_INT, &val, 1); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (!(val & INT_REG_CED)) { + ms_set_err_code(chip, MS_FLASH_WRITE_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + } + + for (i = start_page; i < end_page; i++) { + if (monitor_card_cd(chip, MS_CARD) == CD_NOT_EXIST) + TRACE_RET(chip, STATUS_FAIL); + + ms_read_extra_data(chip, old_blk, i, extra, MS_EXTRA_SIZE); + + retval = + ms_set_rw_reg_addr(chip, OverwriteFlag, MS_EXTRA_SIZE, + SystemParm, 6); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + /* Write REG */ + ms_set_err_code(chip, MS_NO_ERROR); + + if (CHK_MS4BIT(ms_card)) { + /* Parallel interface */ + data[0] = 0x88; + } else { + /* Serial interface */ + data[0] = 0x80; + } + /* Block Address */ + data[1] = 0; + data[2] = (u8) (old_blk >> 8); + data[3] = (u8) old_blk; + data[4] = 0x20; + data[5] = i; + + retval = + ms_write_bytes(chip, WRITE_REG, 6, NO_WAIT_INT, data, 6); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = ms_send_cmd(chip, BLOCK_READ, WAIT_INT); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + ms_set_err_code(chip, MS_NO_ERROR); + retval = ms_read_bytes(chip, GET_INT, 1, NO_WAIT_INT, &val, 1); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (val & INT_REG_CMDNK) { + ms_set_err_code(chip, MS_CMD_NK); + TRACE_RET(chip, STATUS_FAIL); + } + + if (val & INT_REG_CED) { + if (val & INT_REG_ERR) { + retval = ms_read_status_reg(chip); + if (retval != STATUS_SUCCESS) { + uncorrect_flag = 1; + RTS51X_DEBUGP("Uncorrectable error\n"); + } else { + uncorrect_flag = 0; + } + + retval = + ms_transfer_tpc(chip, MS_TM_NORMAL_READ, + READ_PAGE_DATA, 0, NO_WAIT_INT); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + if (uncorrect_flag) { + ms_set_page_status(log_blk, setPS_NG, + extra, MS_EXTRA_SIZE); + if (i == 0) + extra[0] &= 0xEF; + ms_write_extra_data(chip, old_blk, i, + extra, + MS_EXTRA_SIZE); + RTS51X_DEBUGP("page %d : extra[0] = 0x%x\n", + i, extra[0]); + MS_SET_BAD_BLOCK_FLG(ms_card); + + ms_set_page_status(log_blk, setPS_Error, + extra, MS_EXTRA_SIZE); + ms_write_extra_data(chip, new_blk, i, + extra, MS_EXTRA_SIZE); + continue; + } + + for (rty_cnt = 0; rty_cnt < MS_MAX_RETRY_COUNT; + rty_cnt++) { + retval = + ms_transfer_tpc(chip, + MS_TM_NORMAL_WRITE, + WRITE_PAGE_DATA, 0, + NO_WAIT_INT); + if (retval == STATUS_SUCCESS) + break; + } + if (rty_cnt == MS_MAX_RETRY_COUNT) + TRACE_RET(chip, STATUS_FAIL); + } + + if (!(val & INT_REG_BREQ)) { + ms_set_err_code(chip, MS_BREQ_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + } + + retval = ms_set_rw_reg_addr(chip, OverwriteFlag, + MS_EXTRA_SIZE, SystemParm, + (6 + MS_EXTRA_SIZE)); + + /* Write REG */ + ms_set_err_code(chip, MS_NO_ERROR); + + if (CHK_MS4BIT(ms_card)) { + /* Parallel interface */ + data[0] = 0x88; + } else { + /* Serial interface */ + data[0] = 0x80; + } + /* Block Address */ + data[1] = 0; + data[2] = (u8) (new_blk >> 8); + data[3] = (u8) new_blk; + data[4] = 0x20; + data[5] = i; + + /* for MS check procedure */ + if ((extra[0] & 0x60) != 0x60) + data[6] = extra[0]; + else + data[6] = 0xF8; + + data[6 + 1] = 0xFF; + data[6 + 2] = (u8) (log_blk >> 8); + data[6 + 3] = (u8) log_blk; + + for (j = 4; j <= MS_EXTRA_SIZE; j++) + data[6 + j] = 0xFF; + + retval = + ms_write_bytes(chip, WRITE_REG, (6 + MS_EXTRA_SIZE), + NO_WAIT_INT, data, 16); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = ms_send_cmd(chip, BLOCK_WRITE, WAIT_INT); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + /* GET_INT Register */ + ms_set_err_code(chip, MS_NO_ERROR); + retval = ms_read_bytes(chip, GET_INT, 1, NO_WAIT_INT, &val, 1); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (val & INT_REG_CMDNK) { + ms_set_err_code(chip, MS_CMD_NK); + TRACE_RET(chip, STATUS_FAIL); + } + + if (val & INT_REG_CED) { + if (val & INT_REG_ERR) { + ms_set_err_code(chip, MS_FLASH_WRITE_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + } + + if (i == 0) { + retval = + ms_set_rw_reg_addr(chip, OverwriteFlag, + MS_EXTRA_SIZE, SystemParm, 7); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + ms_set_err_code(chip, MS_NO_ERROR); + + if (CHK_MS4BIT(ms_card)) { + /* Parallel interface */ + data[0] = 0x88; + } else { + /* Serial interface */ + data[0] = 0x80; + } + /* Block Address */ + data[1] = 0; + data[2] = (u8) (old_blk >> 8); + data[3] = (u8) old_blk; + data[4] = 0x80; + data[5] = 0; + data[6] = 0xEF; + data[7] = 0xFF; + + retval = + ms_write_bytes(chip, WRITE_REG, 7, NO_WAIT_INT, + data, 8); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = ms_send_cmd(chip, BLOCK_WRITE, WAIT_INT); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + ms_set_err_code(chip, MS_NO_ERROR); + retval = + ms_read_bytes(chip, GET_INT, 1, NO_WAIT_INT, &val, + 1); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (val & INT_REG_CMDNK) { + ms_set_err_code(chip, MS_CMD_NK); + TRACE_RET(chip, STATUS_FAIL); + } + + if (val & INT_REG_CED) { + if (val & INT_REG_ERR) { + ms_set_err_code(chip, + MS_FLASH_WRITE_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + } + } + } + + return STATUS_SUCCESS; +} + +#ifdef MS_SPEEDUP +static int ms_auto_copy_page(struct rts51x_chip *chip, u16 old_blk, u16 new_blk, + u16 log_blk, u8 start_page, u8 end_page) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval; + u8 page_len, bus_width, val = 0; + u8 extra[MS_EXTRA_SIZE]; + + RTS51X_DEBUGP("Auto copy page from 0x%x to 0x%x, logical block is 0x%x\n", + old_blk, new_blk, log_blk); + RTS51X_DEBUGP("start_page = %d, end_page = %d\n", start_page, + end_page); + + page_len = end_page - start_page; + + retval = ms_read_extra_data(chip, new_blk, 0, extra, MS_EXTRA_SIZE); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = ms_read_status_reg(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + RTS51X_READ_REG(chip, PPBUF_BASE2, &val); + + if (val & BUF_FULL) { + retval = ms_send_cmd(chip, CLEAR_BUF, WAIT_INT); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = ms_read_bytes(chip, GET_INT, 1, NO_WAIT_INT, &val, 1); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (!(val & INT_REG_CED)) { + ms_set_err_code(chip, MS_FLASH_WRITE_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + } + + if (CHK_MS4BIT(ms_card)) { + /* Parallel interface */ + bus_width = 0x88; + } else { + /* Serial interface */ + bus_width = 0x80; + } + + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_OLD_BLOCK_0, 0xFF, (u8) old_blk); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_OLD_BLOCK_1, 0xFF, + (u8) (old_blk >> 8)); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_NEW_BLOCK_0, 0xFF, (u8) new_blk); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_NEW_BLOCK_1, 0xFF, + (u8) (new_blk >> 8)); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_LOG_BLOCK_0, 0xFF, (u8) log_blk); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_LOG_BLOCK_1, 0xFF, + (u8) (log_blk >> 8)); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_PAGE_START, 0xFF, start_page); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_PAGE_LENGTH, 0xFF, page_len); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_BUS_WIDTH, 0xFF, bus_width); + + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANSFER, 0xFF, + MS_TRANSFER_START | MS_TM_COPY_PAGE); + rts51x_add_cmd(chip, CHECK_REG_CMD, MS_TRANSFER, MS_TRANSFER_END, + MS_TRANSFER_END); + + retval = rts51x_send_cmd(chip, MODE_CR, 100); + if (retval != STATUS_SUCCESS) { + rts51x_clear_ms_error(chip); + TRACE_RET(chip, retval); + } + + retval = rts51x_get_rsp(chip, 1, 5000); + + if (CHECK_MS_TRANS_FAIL(chip, retval)) { + rts51x_clear_ms_error(chip); + if (retval == STATUS_TIMEDOUT) + TRACE_RET(chip, retval); + TRACE_GOTO(chip, Fail); + } + + return STATUS_SUCCESS; + +Fail: + retval = ms_erase_block(chip, new_blk); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = + ms_copy_page(chip, old_blk, new_blk, log_blk, start_page, end_page); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + return STATUS_SUCCESS; +} +#endif + +static int reset_ms(struct rts51x_chip *chip) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval; + u16 i, reg_addr, block_size; + u8 val, j, *ptr; +#ifndef SUPPORT_MAGIC_GATE + u16 eblock_cnt; +#endif + + retval = ms_prepare_reset(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + ms_card->ms_type |= TYPE_MS; + + retval = ms_send_cmd(chip, MS_RESET, NO_WAIT_INT); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = ms_read_status_reg(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + RTS51X_READ_REG(chip, PPBUF_BASE2, &val); + if (val & WRT_PRTCT) + chip->card_wp |= MS_CARD; + else + chip->card_wp &= ~MS_CARD; + + i = 0; + +RE_SEARCH: + /* Search For Boot Block */ + while (i < (MAX_DEFECTIVE_BLOCK + 2)) { + if (monitor_card_cd(chip, MS_CARD) == CD_NOT_EXIST) + TRACE_RET(chip, STATUS_FAIL); + + retval = ms_check_boot_block(chip, i); + if (retval != STATUS_SUCCESS) { + i++; + continue; + } + + ms_card->boot_block = i; + break; + } + + if (i == (MAX_DEFECTIVE_BLOCK + 2)) { + RTS51X_DEBUGP("No boot block found!"); + TRACE_RET(chip, STATUS_FAIL); + } + for (j = 0; j < 3; j++) { + retval = ms_read_page(chip, ms_card->boot_block, j); + if (retval != STATUS_SUCCESS) { + if (ms_check_err_code(chip, MS_FLASH_WRITE_ERROR)) { + i = ms_card->boot_block + 1; + ms_set_err_code(chip, MS_NO_ERROR); + goto RE_SEARCH; + } + } + } + + /* Read boot block contents */ + retval = ms_read_page(chip, ms_card->boot_block, 0); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + /* Read MS system information as sys_info */ + retval = + rts51x_seq_read_register(chip, PPBUF_BASE2 + 0x1A0, 96, + ms_card->raw_sys_info); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + /* Read useful block contents */ + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, READ_REG_CMD, HEADER_ID0, 0, 0); + rts51x_add_cmd(chip, READ_REG_CMD, HEADER_ID1, 0, 0); + + for (reg_addr = DISABLED_BLOCK0; reg_addr <= DISABLED_BLOCK3; + reg_addr++) { + rts51x_add_cmd(chip, READ_REG_CMD, reg_addr, 0, 0); + } + + for (reg_addr = BLOCK_SIZE_0; reg_addr <= PAGE_SIZE_1; reg_addr++) + rts51x_add_cmd(chip, READ_REG_CMD, reg_addr, 0, 0); + + rts51x_add_cmd(chip, READ_REG_CMD, MS_Device_Type, 0, 0); + rts51x_add_cmd(chip, READ_REG_CMD, MS_4bit_Support, 0, 0); + + retval = rts51x_send_cmd(chip, MODE_CR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = rts51x_get_rsp(chip, 16, 100); + + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + ptr = rts51x_get_rsp_data(chip); + + RTS51X_DEBUGP("Boot block data:\n"); + RTS51X_DUMP(ptr, 16); + + if (ptr[0] != 0x00 || ptr[1] != 0x01) { + i = ms_card->boot_block + 1; + goto RE_SEARCH; + } + if (ptr[12] != 0x02 || ptr[13] != 0x00) { + i = ms_card->boot_block + 1; + goto RE_SEARCH; + } + if ((ptr[14] == 1) || (ptr[14] == 3)) + chip->card_wp |= MS_CARD; + block_size = ((u16) ptr[6] << 8) | ptr[7]; + if (block_size == 0x0010) { + ms_card->block_shift = 5; + ms_card->page_off = 0x1F; + } else if (block_size == 0x0008) { + ms_card->block_shift = 4; + ms_card->page_off = 0x0F; + } + ms_card->total_block = ((u16) ptr[8] << 8) | ptr[9]; + +#ifdef SUPPORT_MAGIC_GATE + j = ptr[10]; + + if (ms_card->block_shift == 4) { + if (j < 2) + ms_card->capacity = 0x1EE0; + else + ms_card->capacity = 0x3DE0; + } else { + if (j < 5) + ms_card->capacity = 0x7BC0; + else if (j < 0xA) + ms_card->capacity = 0xF7C0; + else if (j < 0x11) + ms_card->capacity = 0x1EF80; + else + ms_card->capacity = 0x3DF00; + } +#else + eblock_cnt = ((u16) ptr[10] << 8) | ptr[11]; + + ms_card->capacity = ((u32) eblock_cnt - 2) << ms_card->block_shift; +#endif + + chip->capacity[chip->card2lun[MS_CARD]] = ms_card->capacity; + + if (ptr[15]) { + retval = ms_set_rw_reg_addr(chip, 0, 0, SystemParm, 1); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, STATUS_FAIL); + RTS51X_WRITE_REG(chip, PPBUF_BASE2, 0xFF, 0x88); + RTS51X_WRITE_REG(chip, PPBUF_BASE2 + 1, 0xFF, 0); + + retval = + ms_transfer_tpc(chip, MS_TM_WRITE_BYTES, WRITE_REG, 1, + NO_WAIT_INT); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, STATUS_FAIL); + RTS51X_WRITE_REG(chip, MS_CFG, 0x58 | MS_NO_CHECK_INT, + MS_BUS_WIDTH_4 | PUSH_TIME_ODD | + MS_NO_CHECK_INT); + + ms_card->ms_type |= MS_4BIT; + } + + if (CHK_MS4BIT(ms_card)) + chip->card_bus_width[chip->card2lun[MS_CARD]] = 4; + else + chip->card_bus_width[chip->card2lun[MS_CARD]] = 1; + + return STATUS_SUCCESS; +} + +static int ms_init_l2p_tbl(struct rts51x_chip *chip) +{ + struct ms_info *ms_card = &(chip->ms_card); + int size, i, seg_no, retval; + u16 defect_block, reg_addr; + u8 val1, val2; + + ms_card->segment_cnt = ms_card->total_block >> 9; + RTS51X_DEBUGP("ms_card->segment_cnt = %d\n", ms_card->segment_cnt); + + size = ms_card->segment_cnt * sizeof(struct zone_entry); + ms_card->segment = vmalloc(size); + if (ms_card->segment == NULL) + TRACE_RET(chip, STATUS_FAIL); + memset(ms_card->segment, 0, size); + + retval = ms_read_page(chip, ms_card->boot_block, 1); + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, INIT_FAIL); + + reg_addr = PPBUF_BASE2; + for (i = 0; i < (((ms_card->total_block >> 9) * 10) + 1); i++) { + retval = rts51x_read_register(chip, reg_addr++, &val1); + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, INIT_FAIL); + retval = rts51x_read_register(chip, reg_addr++, &val2); + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, INIT_FAIL); + + defect_block = ((u16) val1 << 8) | val2; + if (defect_block == 0xFFFF) + break; + seg_no = defect_block / 512; + ms_card->segment[seg_no].defect_list[ms_card->segment[seg_no]. + disable_count++] = + defect_block; + } + + for (i = 0; i < ms_card->segment_cnt; i++) { + ms_card->segment[i].build_flag = 0; + ms_card->segment[i].l2p_table = NULL; + ms_card->segment[i].free_table = NULL; + ms_card->segment[i].get_index = 0; + ms_card->segment[i].set_index = 0; + ms_card->segment[i].unused_blk_cnt = 0; + + RTS51X_DEBUGP("defective block count of segment %d is %d\n", + i, ms_card->segment[i].disable_count); + } + + return STATUS_SUCCESS; + +INIT_FAIL: + if (ms_card->segment) { + vfree(ms_card->segment); + ms_card->segment = NULL; + } + + return STATUS_FAIL; +} + +static u16 ms_get_l2p_tbl(struct rts51x_chip *chip, int seg_no, u16 log_off) +{ + struct ms_info *ms_card = &(chip->ms_card); + struct zone_entry *segment; + + if (ms_card->segment == NULL) + return 0xFFFF; + + segment = &(ms_card->segment[seg_no]); + + if (segment->l2p_table) + return segment->l2p_table[log_off]; + + return 0xFFFF; +} + +static void ms_set_l2p_tbl(struct rts51x_chip *chip, int seg_no, u16 log_off, + u16 phy_blk) +{ + struct ms_info *ms_card = &(chip->ms_card); + struct zone_entry *segment; + + if (ms_card->segment == NULL) + return; + + segment = &(ms_card->segment[seg_no]); + if (segment->l2p_table) + segment->l2p_table[log_off] = phy_blk; +} + +static void ms_set_unused_block(struct rts51x_chip *chip, u16 phy_blk) +{ + struct ms_info *ms_card = &(chip->ms_card); + struct zone_entry *segment; + int seg_no; + + seg_no = (int)phy_blk >> 9; + segment = &(ms_card->segment[seg_no]); + + segment->free_table[segment->set_index++] = phy_blk; + if (segment->set_index >= MS_FREE_TABLE_CNT) + segment->set_index = 0; + segment->unused_blk_cnt++; +} + +static u16 ms_get_unused_block(struct rts51x_chip *chip, int seg_no) +{ + struct ms_info *ms_card = &(chip->ms_card); + struct zone_entry *segment; + u16 phy_blk; + + segment = &(ms_card->segment[seg_no]); + + if (segment->unused_blk_cnt <= 0) + return 0xFFFF; + + phy_blk = segment->free_table[segment->get_index]; + segment->free_table[segment->get_index++] = 0xFFFF; + if (segment->get_index >= MS_FREE_TABLE_CNT) + segment->get_index = 0; + segment->unused_blk_cnt--; + + return phy_blk; +} + +static const unsigned short ms_start_idx[] = { + 0, 494, 990, 1486, 1982, 2478, 2974, 3470, + 3966, 4462, 4958, 5454, 5950, 6446, 6942, 7438, 7934 +}; + +static int ms_arbitrate_l2p(struct rts51x_chip *chip, u16 phy_blk, u16 log_off, + u8 us1, u8 us2) +{ + struct ms_info *ms_card = &(chip->ms_card); + struct zone_entry *segment; + int seg_no; + u16 tmp_blk; + + seg_no = (int)phy_blk >> 9; + segment = &(ms_card->segment[seg_no]); + tmp_blk = segment->l2p_table[log_off]; + + if (us1 != us2) { + if (us1 == 0) { + if (!(chip->card_wp & MS_CARD)) + ms_erase_block(chip, tmp_blk); + ms_set_unused_block(chip, tmp_blk); + segment->l2p_table[log_off] = phy_blk; + } else { + if (!(chip->card_wp & MS_CARD)) + ms_erase_block(chip, phy_blk); + ms_set_unused_block(chip, phy_blk); + } + } else { + if (phy_blk < tmp_blk) { + if (!(chip->card_wp & MS_CARD)) + ms_erase_block(chip, phy_blk); + ms_set_unused_block(chip, phy_blk); + } else { + if (!(chip->card_wp & MS_CARD)) + ms_erase_block(chip, tmp_blk); + ms_set_unused_block(chip, tmp_blk); + segment->l2p_table[log_off] = phy_blk; + } + } + + return STATUS_SUCCESS; +} + +static int ms_build_l2p_tbl(struct rts51x_chip *chip, int seg_no) +{ + struct ms_info *ms_card = &(chip->ms_card); + struct zone_entry *segment; + int retval, table_size, disable_cnt, defect_flag, i; + u16 start, end, phy_blk, log_blk, tmp_blk; + u8 extra[MS_EXTRA_SIZE], us1, us2; + + RTS51X_DEBUGP("ms_build_l2p_tbl: %d\n", seg_no); + + if (ms_card->segment == NULL) { + retval = ms_init_l2p_tbl(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + + if (ms_card->segment[seg_no].build_flag) { + RTS51X_DEBUGP("l2p table of segment %d has been built\n", + seg_no); + return STATUS_SUCCESS; + } + + if (seg_no == 0) + table_size = 494; + else + table_size = 496; + + segment = &(ms_card->segment[seg_no]); + + if (segment->l2p_table == NULL) { + segment->l2p_table = vmalloc(table_size * 2); + if (segment->l2p_table == NULL) + TRACE_GOTO(chip, BUILD_FAIL); + } + memset((u8 *) (segment->l2p_table), 0xff, table_size * 2); + + if (segment->free_table == NULL) { + segment->free_table = vmalloc(MS_FREE_TABLE_CNT * 2); + if (segment->free_table == NULL) + TRACE_GOTO(chip, BUILD_FAIL); + } + memset((u8 *) (segment->free_table), 0xff, MS_FREE_TABLE_CNT * 2); + + start = (u16) seg_no << 9; + end = (u16) (seg_no + 1) << 9; + + disable_cnt = segment->disable_count; + + segment->get_index = segment->set_index = 0; + segment->unused_blk_cnt = 0; + + for (phy_blk = start; phy_blk < end; phy_blk++) { + if (disable_cnt) { + defect_flag = 0; + for (i = 0; i < segment->disable_count; i++) { + if (phy_blk == segment->defect_list[i]) { + defect_flag = 1; + break; + } + } + if (defect_flag) { + disable_cnt--; + continue; + } + } + + retval = + ms_read_extra_data(chip, phy_blk, 0, extra, MS_EXTRA_SIZE); + if (retval != STATUS_SUCCESS) { + RTS51X_DEBUGP("read extra data fail\n"); + ms_set_bad_block(chip, phy_blk); + continue; + } + + if (seg_no == ms_card->segment_cnt - 1) { + if (!(extra[1] & NOT_TRANSLATION_TABLE)) { + if (!(chip->card_wp & MS_CARD)) { + retval = ms_erase_block(chip, phy_blk); + if (retval != STATUS_SUCCESS) + continue; + extra[2] = 0xff; + extra[3] = 0xff; + } + } + } + + if (!(extra[0] & BLOCK_OK)) + continue; + if (!(extra[1] & NOT_BOOT_BLOCK)) + continue; + if ((extra[0] & PAGE_OK) != PAGE_OK) + continue; + + log_blk = ((u16) extra[2] << 8) | extra[3]; + + if (log_blk == 0xFFFF) { + if (!(chip->card_wp & MS_CARD)) { + retval = ms_erase_block(chip, phy_blk); + if (retval != STATUS_SUCCESS) + continue; + } + ms_set_unused_block(chip, phy_blk); + continue; + } + + if ((log_blk < ms_start_idx[seg_no]) || + (log_blk >= ms_start_idx[seg_no + 1])) { + if (!(chip->card_wp & MS_CARD)) { + retval = ms_erase_block(chip, phy_blk); + if (retval != STATUS_SUCCESS) + continue; + } + ms_set_unused_block(chip, phy_blk); + continue; + } + + if (segment->l2p_table[log_blk - ms_start_idx[seg_no]] == + 0xFFFF) { + segment->l2p_table[log_blk - ms_start_idx[seg_no]] = + phy_blk; + continue; + } + + us1 = extra[0] & 0x10; + tmp_blk = segment->l2p_table[log_blk - ms_start_idx[seg_no]]; + retval = + ms_read_extra_data(chip, tmp_blk, 0, extra, MS_EXTRA_SIZE); + if (retval != STATUS_SUCCESS) + continue; + us2 = extra[0] & 0x10; + + (void)ms_arbitrate_l2p(chip, phy_blk, + log_blk - ms_start_idx[seg_no], us1, + us2); + continue; + } + + segment->build_flag = 1; + + RTS51X_DEBUGP("unused block count: %d\n", segment->unused_blk_cnt); + + if (seg_no == ms_card->segment_cnt - 1) { + if (segment->unused_blk_cnt < 2) + chip->card_wp |= MS_CARD; + } else { + if (segment->unused_blk_cnt < 1) + chip->card_wp |= MS_CARD; + } + + if (chip->card_wp & MS_CARD) + return STATUS_SUCCESS; + + for (log_blk = ms_start_idx[seg_no]; log_blk < ms_start_idx[seg_no + 1]; + log_blk++) { + if (segment->l2p_table[log_blk - ms_start_idx[seg_no]] == + 0xFFFF) { + phy_blk = ms_get_unused_block(chip, seg_no); + if (phy_blk == 0xFFFF) { + chip->card_wp |= MS_CARD; + return STATUS_SUCCESS; + } + retval = ms_init_page(chip, phy_blk, log_blk, 0, 1); + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, BUILD_FAIL); + segment->l2p_table[log_blk - ms_start_idx[seg_no]] = + phy_blk; + if (seg_no == ms_card->segment_cnt - 1) { + if (segment->unused_blk_cnt < 2) { + chip->card_wp |= MS_CARD; + return STATUS_SUCCESS; + } + } else { + if (segment->unused_blk_cnt < 1) { + chip->card_wp |= MS_CARD; + return STATUS_SUCCESS; + } + } + } + } + + if (seg_no == 0) { + for (log_blk = 0; log_blk < 494; log_blk++) { + tmp_blk = segment->l2p_table[log_blk]; + if (tmp_blk < ms_card->boot_block) { + RTS51X_DEBUGP("Boot block is not the first normal block.\n"); + + if (chip->card_wp & MS_CARD) + break; + + phy_blk = ms_get_unused_block(chip, 0); +#ifdef MS_SPEEDUP + retval = + ms_auto_copy_page(chip, tmp_blk, phy_blk, + log_blk, 0, + ms_card->page_off + 1); +#else + retval = ms_copy_page(chip, tmp_blk, phy_blk, + log_blk, 0, + ms_card->page_off + 1); +#endif + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + segment->l2p_table[log_blk] = phy_blk; + + retval = ms_set_bad_block(chip, tmp_blk); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + } + } + + return STATUS_SUCCESS; + +BUILD_FAIL: + segment->build_flag = 0; + if (segment->l2p_table) { + vfree(segment->l2p_table); + segment->l2p_table = NULL; + } + if (segment->free_table) { + vfree(segment->free_table); + segment->free_table = NULL; + } + + return STATUS_FAIL; +} + +int rts51x_reset_ms_card(struct rts51x_chip *chip) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval; + + memset(ms_card, 0, sizeof(struct ms_info)); + + rts51x_enable_card_clock(chip, MS_CARD); + + retval = rts51x_select_card(chip, MS_CARD); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + ms_card->ms_type = 0; + ms_card->last_rw_int = 0; + + retval = reset_ms_pro(chip); + if (retval != STATUS_SUCCESS) { + if (ms_card->check_ms_flow) { + retval = reset_ms(chip); + if (retval != STATUS_SUCCESS) { + if (chip->option.reset_or_rw_fail_set_pad_drive) { + rts51x_write_register(chip, + CARD_DRIVE_SEL, SD20_DRIVE_MASK, + DRIVE_8mA); + } + TRACE_RET(chip, retval); + } + } else { + if (chip->option.reset_or_rw_fail_set_pad_drive) { + rts51x_write_register(chip, CARD_DRIVE_SEL, + SD20_DRIVE_MASK, + DRIVE_8mA); + } + TRACE_RET(chip, retval); + } + } + + retval = ms_set_init_para(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (!CHK_MSPRO(ms_card)) { + retval = ms_build_l2p_tbl(chip, ms_card->total_block / 512 - 1); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + + RTS51X_DEBUGP("ms_card->ms_type = 0x%x\n", ms_card->ms_type); + + return STATUS_SUCCESS; +} + +static int mspro_set_rw_cmd(struct rts51x_chip *chip, u32 start_sec, + u16 sec_cnt, u8 cmd) +{ + int retval, i; + u8 data[8]; + + data[0] = cmd; + data[1] = (u8) (sec_cnt >> 8); + data[2] = (u8) sec_cnt; + data[3] = (u8) (start_sec >> 24); + data[4] = (u8) (start_sec >> 16); + data[5] = (u8) (start_sec >> 8); + data[6] = (u8) start_sec; + data[7] = 0; + + for (i = 0; i < MS_MAX_RETRY_COUNT; i++) { + retval = + ms_write_bytes(chip, PRO_EX_SET_CMD, 7, WAIT_INT, data, 8); + if (retval == STATUS_SUCCESS) + break; + } + if (i == MS_MAX_RETRY_COUNT) + TRACE_RET(chip, STATUS_FAIL); + + return STATUS_SUCCESS; +} + +static void mspro_stop_seq_mode(struct rts51x_chip *chip) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval; + + if (ms_card->seq_mode) { + retval = ms_switch_clock(chip); + if (retval != STATUS_SUCCESS) + return; + + ms_card->seq_mode = 0; + ms_card->total_sec_cnt = 0; + ms_card->last_rw_int = 0; + ms_send_cmd(chip, PRO_STOP, WAIT_INT); + + rts51x_ep0_write_register(chip, MC_FIFO_CTL, FIFO_FLUSH, + FIFO_FLUSH); + } +} + +static inline int ms_auto_tune_clock(struct rts51x_chip *chip) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval; + + if (chip->asic_code) { + if (ms_card->ms_clock > 30) + ms_card->ms_clock -= 20; + } else { + if (ms_card->ms_clock == CLK_80) + ms_card->ms_clock = CLK_60; + else if (ms_card->ms_clock == CLK_60) + ms_card->ms_clock = CLK_40; + } + + retval = ms_switch_clock(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + return STATUS_SUCCESS; +} + +static int mspro_rw_multi_sector(struct scsi_cmnd *srb, + struct rts51x_chip *chip, u32 start_sector, + u16 sector_cnt) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval, mode_2k = 0; + u16 count; + u8 val, trans_mode, rw_tpc, rw_cmd; + + ms_set_err_code(chip, MS_NO_ERROR); + + ms_card->counter = 0; + + if (CHK_MSHG(ms_card)) { + if ((start_sector % 4) || (sector_cnt % 4)) { + if (srb->sc_data_direction == DMA_FROM_DEVICE) { + rw_tpc = PRO_READ_LONG_DATA; + rw_cmd = PRO_READ_DATA; + } else { + rw_tpc = PRO_WRITE_LONG_DATA; + rw_cmd = PRO_WRITE_DATA; + } + } else { + if (srb->sc_data_direction == DMA_FROM_DEVICE) { + rw_tpc = PRO_READ_QUAD_DATA; + rw_cmd = PRO_READ_2K_DATA; + } else { + rw_tpc = PRO_WRITE_QUAD_DATA; + rw_cmd = PRO_WRITE_2K_DATA; + } + mode_2k = 1; + } + } else { + if (srb->sc_data_direction == DMA_FROM_DEVICE) { + rw_tpc = PRO_READ_LONG_DATA; + rw_cmd = PRO_READ_DATA; + } else { + rw_tpc = PRO_WRITE_LONG_DATA; + rw_cmd = PRO_WRITE_DATA; + } + } + + retval = ms_switch_clock(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (srb->sc_data_direction == DMA_FROM_DEVICE) + trans_mode = MS_TM_AUTO_READ; + else + trans_mode = MS_TM_AUTO_WRITE; + + val = ms_card->last_rw_int; + + if (ms_card->seq_mode) { + if ((ms_card->pre_dir != srb->sc_data_direction) + || ((ms_card->pre_sec_addr + ms_card->pre_sec_cnt) != + start_sector) + || (mode_2k && (ms_card->seq_mode & MODE_512_SEQ)) + || (!mode_2k && (ms_card->seq_mode & MODE_2K_SEQ)) + || !(val & MS_INT_BREQ) + || ((ms_card->total_sec_cnt + sector_cnt) > 0xFE00)) { + ms_card->seq_mode = 0; + ms_card->total_sec_cnt = 0; + ms_card->last_rw_int = 0; + if (val & MS_INT_BREQ) { + retval = ms_send_cmd(chip, PRO_STOP, WAIT_INT); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + rts51x_ep0_write_register(chip, MC_FIFO_CTL, + FIFO_FLUSH, FIFO_FLUSH); + } + } + } + + if (!ms_card->seq_mode) { + ms_card->total_sec_cnt = 0; + if (sector_cnt >= 0x80) { + if ((ms_card->capacity - start_sector) > 0xFE00) + count = 0xFE00; + else + count = + (u16) (ms_card->capacity - start_sector); + if (count > sector_cnt) { + if (mode_2k) + ms_card->seq_mode |= MODE_2K_SEQ; + else + ms_card->seq_mode |= MODE_512_SEQ; + } + } else { + count = sector_cnt; + } + retval = mspro_set_rw_cmd(chip, start_sector, count, rw_cmd); + if (retval != STATUS_SUCCESS) { + ms_card->seq_mode = 0; + TRACE_RET(chip, retval); + } + } + + retval = + ms_transfer_data(chip, trans_mode, rw_tpc, sector_cnt, WAIT_INT, + mode_2k, scsi_sg_count(srb), scsi_sglist(srb), + scsi_bufflen(srb)); + if (retval != STATUS_SUCCESS) { + ms_card->seq_mode = 0; + rts51x_ep0_read_register(chip, MS_TRANS_CFG, &val); + rts51x_clear_ms_error(chip); + if (val & MS_INT_BREQ) + ms_send_cmd(chip, PRO_STOP, WAIT_INT); + if (val & (MS_CRC16_ERR | MS_RDY_TIMEOUT)) { + RTS51X_DEBUGP("MSPro CRC error, tune clock!\n"); + ms_auto_tune_clock(chip); + } + + TRACE_RET(chip, retval); + } + + ms_card->pre_sec_addr = start_sector; + ms_card->pre_sec_cnt = sector_cnt; + ms_card->pre_dir = srb->sc_data_direction; + ms_card->total_sec_cnt += sector_cnt; + + return STATUS_SUCCESS; +} + +static int mspro_read_format_progress(struct rts51x_chip *chip, + const int short_data_len) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval, i; + u32 total_progress, cur_progress; + u8 cnt, tmp; + u8 data[8]; + + ms_card->format_status = FORMAT_FAIL; + + retval = ms_switch_clock(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + RTS51X_READ_REG(chip, MS_TRANS_CFG, &tmp); + + if ((tmp & (MS_INT_CED | MS_INT_CMDNK | MS_INT_ERR)) == MS_INT_CED) { + ms_card->format_status = FORMAT_SUCCESS; + ms_card->pro_under_formatting = 0; + return STATUS_SUCCESS; + } + if (! + ((tmp & (MS_INT_BREQ | MS_INT_CED | MS_INT_CMDNK | MS_INT_ERR)) == + MS_INT_BREQ)) { + ms_card->pro_under_formatting = 0; + TRACE_RET(chip, STATUS_FAIL); + } + + if (short_data_len >= 256) + cnt = 0; + else + cnt = (u8) short_data_len; + + retval = + ms_read_bytes(chip, PRO_READ_SHORT_DATA, cnt, WAIT_INT, data, 8); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + total_progress = + (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; + cur_progress = + (data[4] << 24) | (data[5] << 16) | (data[6] << 8) | data[7]; + + RTS51X_DEBUGP("total_progress = %d, cur_progress = %d\n", + total_progress, cur_progress); + + if (total_progress == 0) { + ms_card->progress = 0; + } else { + u64 ulltmp = (u64) cur_progress * (u64) 65535; + do_div(ulltmp, total_progress); + ms_card->progress = (u16) ulltmp; + } + RTS51X_DEBUGP("progress = %d\n", ms_card->progress); + + for (i = 0; i < 2500; i++) { + RTS51X_READ_REG(chip, MS_TRANS_CFG, &tmp); + if (tmp & + (MS_INT_CED | MS_INT_CMDNK | MS_INT_BREQ | MS_INT_ERR)) + break; + + wait_timeout(1); + } + + if (i == 2500) + TRACE_RET(chip, STATUS_FAIL); + + RTS51X_DEBUGP("MSPro format tmp:%d\n", tmp); + + if (tmp & (MS_INT_CMDNK | MS_INT_ERR)) + TRACE_RET(chip, STATUS_FAIL); + if (tmp & MS_INT_CED) { + ms_card->format_status = FORMAT_SUCCESS; + ms_card->pro_under_formatting = 0; + } else if (tmp & MS_INT_BREQ) { + ms_card->format_status = FORMAT_IN_PROGRESS; + } else { + ms_card->format_status = FORMAT_FAIL; + ms_card->pro_under_formatting = 0; + TRACE_RET(chip, STATUS_FAIL); + } + + RTS51X_DEBUGP("MSPro format format_status:%d\n", + ms_card->format_status); + + return STATUS_SUCCESS; +} + +void rts51x_mspro_polling_format_status(struct rts51x_chip *chip) +{ + struct ms_info *ms_card = &(chip->ms_card); + int i; + + if (ms_card->pro_under_formatting) { + for (i = 0; i < 65535; i++) { + mspro_read_format_progress(chip, MS_SHORT_DATA_LEN); + if (ms_card->format_status != FORMAT_IN_PROGRESS) + break; + } + } + + return; +} + +void rts51x_mspro_format_sense(struct rts51x_chip *chip, unsigned int lun) +{ + struct ms_info *ms_card = &(chip->ms_card); + + if (CHK_FORMAT_STATUS(ms_card, FORMAT_SUCCESS)) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_NO_SENSE); + ms_card->pro_under_formatting = 0; + ms_card->progress = 0; + } else if (CHK_FORMAT_STATUS(ms_card, FORMAT_IN_PROGRESS)) { + rts51x_set_sense_data(chip, lun, CUR_ERR, 0x02, 0, 0x04, 0x04, + 0, (u16) (ms_card->progress)); + } else { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_FORMAT_CMD_FAILED); + ms_card->pro_under_formatting = 0; + ms_card->progress = 0; + } +} + +int rts51x_mspro_format(struct scsi_cmnd *srb, struct rts51x_chip *chip, + int short_data_len, int quick_format) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval, i; + u8 buf[8], tmp; + u16 para; + + retval = ms_switch_clock(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = ms_set_rw_reg_addr(chip, 0x00, 0x00, Pro_TPCParm, 0x01); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + memset(buf, 0, 2); + switch (short_data_len) { + case 32: + buf[0] = 0; + break; + case 64: + buf[0] = 1; + break; + case 128: + buf[0] = 2; + break; + case 256: + default: + buf[0] = 3; + break; + } + + for (i = 0; i < MS_MAX_RETRY_COUNT; i++) { + retval = + ms_write_bytes(chip, PRO_WRITE_REG, 1, NO_WAIT_INT, buf, 2); + if (retval == STATUS_SUCCESS) + break; + } + if (i == MS_MAX_RETRY_COUNT) + TRACE_RET(chip, STATUS_FAIL); + /* Format command */ + if (quick_format) + para = 0x0000; + else + para = 0x0001; + retval = mspro_set_rw_cmd(chip, 0, para, PRO_FORMAT); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + /* Check INT */ + RTS51X_READ_REG(chip, MS_TRANS_CFG, &tmp); + if (tmp & (MS_INT_CMDNK | MS_INT_ERR)) + TRACE_RET(chip, STATUS_FAIL); + + if ((tmp & (MS_INT_BREQ | MS_INT_CED)) == MS_INT_BREQ) { + ms_card->pro_under_formatting = 1; + ms_card->progress = 0; + ms_card->format_status = FORMAT_IN_PROGRESS; + return STATUS_SUCCESS; + } + + if (tmp & MS_INT_CED) { + ms_card->pro_under_formatting = 0; + ms_card->progress = 0; + ms_card->format_status = FORMAT_SUCCESS; + rts51x_set_sense_type(chip, SCSI_LUN(srb), SENSE_TYPE_NO_SENSE); + return STATUS_SUCCESS; + } + + TRACE_RET(chip, STATUS_FAIL); +} + +#ifdef MS_SPEEDUP +static int ms_read_multiple_pages(struct rts51x_chip *chip, u16 phy_blk, + u16 log_blk, u8 start_page, u8 end_page, + u8 *buf, void **ptr, unsigned int *offset) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval; + int send_blkend; + u8 extra[MS_EXTRA_SIZE], val1, val2, data[6]; + u8 page_cnt = end_page - start_page, page_addr, sec_cnt; + + if (end_page != (ms_card->page_off + 1)) + send_blkend = 1; + else + send_blkend = 0; + + retval = + ms_read_extra_data(chip, phy_blk, start_page, extra, MS_EXTRA_SIZE); + if (retval == STATUS_SUCCESS) { + if ((extra[1] & 0x30) != 0x30) { + ms_set_err_code(chip, MS_FLASH_READ_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + } + + if (CHK_MS4BIT(ms_card)) { + /* Parallel interface */ + data[0] = 0x88; + } else { + /* Serial interface */ + data[0] = 0x80; + } + /* Block Address */ + data[1] = 0; + data[2] = (u8) (phy_blk >> 8); + data[3] = (u8) phy_blk; + /* Page Number + * Extra data access mode */ + data[4] = 0; + data[5] = start_page; + + retval = + ms_auto_set_cmd(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm, 6, + BLOCK_READ, WAIT_INT, data, 6, &val1); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + rts51x_init_cmd(chip); + + if (send_blkend) + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_BLKEND, SET_BLKEND, + SET_BLKEND); + else + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_BLKEND, SET_BLKEND, 0); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANS_CFG, WAIT_INT, + NO_WAIT_INT); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_SECTOR_CNT_L, 0xFF, + (u8) page_cnt); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_SECTOR_CNT_H, 0xFF, 0); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TPC, 0xFF, READ_PAGE_DATA); + + rts51x_trans_dma_enable(DMA_FROM_DEVICE, chip, 512 * page_cnt, DMA_512); + + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANSFER, 0xFF, + MS_TRANSFER_START | MS_TM_MULTI_READ); + rts51x_add_cmd(chip, CHECK_REG_CMD, MS_TRANSFER, MS_TRANSFER_END, + MS_TRANSFER_END); + + retval = rts51x_send_cmd(chip, MODE_CDIR | STAGE_MS_STATUS, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = + rts51x_transfer_data_partial(chip, RCV_BULK_PIPE(chip), (void *)buf, + ptr, offset, 512 * page_cnt, + scsi_sg_count(chip->srb), NULL, 2000); + if (retval != STATUS_SUCCESS) { + rts51x_clear_ms_error(chip); + if (retval == STATUS_TIMEDOUT) + TRACE_RET(chip, retval); + TRACE_GOTO(chip, Fail); + } + retval = rts51x_get_rsp(chip, 3, 200); + if (CHECK_MS_TRANS_FAIL(chip, retval)) { + rts51x_clear_ms_error(chip); + if (retval == STATUS_TIMEDOUT) + TRACE_RET(chip, retval); + TRACE_GOTO(chip, Fail); + } + + return STATUS_SUCCESS; + +Fail: + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, READ_REG_CMD, MS_SECTOR_CNT_L, 0, 0); + + retval = rts51x_send_cmd(chip, MODE_CR | STAGE_MS_STATUS, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = rts51x_get_rsp(chip, 3, 200); + + if (CHECK_MS_TRANS_FAIL(chip, retval)) + TRACE_RET(chip, STATUS_FAIL); + + sec_cnt = chip->rsp_buf[0]; + RTS51X_DEBUGP("%d pages need be transferred, %d pages remained\n", + (int)page_cnt, (int)sec_cnt); + page_addr = start_page + (page_cnt - sec_cnt); + + if (CHK_MS4BIT(ms_card)) { + val1 = chip->rsp_buf[1]; + RTS51X_DEBUGP("MS_TRANS_CFG: 0x%x\n", val1); + } else { + val1 = 0; + } + + val2 = chip->rsp_buf[2]; + RTS51X_DEBUGP("GET_INT: 0x%x\n", val2); + + if ((val1 & INT_CMDNK) || (val2 & INT_REG_CMDNK)) { + ms_set_err_code(chip, MS_CMD_NK); + TRACE_RET(chip, STATUS_FAIL); + } + + if ((val1 & INT_ERR) || (val2 & INT_REG_ERR)) { + if ((val1 & INT_BREQ) || (val2 & INT_REG_BREQ)) { + retval = ms_read_status_reg(chip); + if (retval != STATUS_SUCCESS) { + if (!(chip->card_wp & MS_CARD)) { + reset_ms(chip); + ms_set_page_status(log_blk, setPS_NG, + extra, MS_EXTRA_SIZE); + ms_write_extra_data(chip, phy_blk, + page_addr, extra, + MS_EXTRA_SIZE); + } + ms_set_err_code(chip, MS_FLASH_READ_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + } else { + ms_set_err_code(chip, MS_FLASH_READ_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + } else { + if (CHK_MS4BIT(ms_card)) { + if (!(val1 & INT_BREQ) && !(val2 & INT_REG_BREQ)) { + ms_set_err_code(chip, MS_BREQ_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + } else { + if (!(val2 & INT_REG_BREQ)) { + ms_set_err_code(chip, MS_BREQ_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + } + } + + TRACE_RET(chip, STATUS_FAIL); +} + +static int ms_write_multiple_pages(struct rts51x_chip *chip, u16 old_blk, + u16 new_blk, u16 log_blk, u8 start_page, + u8 end_page, u8 *buf, void **ptr, + unsigned int *offset) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval, i; + int send_blkend; + u8 val, data[16]; + u8 page_cnt = end_page - start_page; + + if ((end_page == (ms_card->page_off + 1)) || (page_cnt == 1)) + send_blkend = 0; + else + send_blkend = 1; + + if (!start_page) { + if (CHK_MS4BIT(ms_card)) { + /* Parallel interface */ + data[0] = 0x88; + } else { + /* Serial interface */ + data[0] = 0x80; + } + /* Block Address */ + data[1] = 0; + data[2] = (u8) (old_blk >> 8); + data[3] = (u8) old_blk; + data[4] = 0x80; + data[5] = 0; + data[6] = 0xEF; + data[7] = 0xFF; + + retval = + ms_auto_set_cmd(chip, OverwriteFlag, MS_EXTRA_SIZE, + SystemParm, 7, BLOCK_WRITE, WAIT_INT, data, + 7, &val); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + + retval = + ms_set_rw_reg_addr(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm, + (6 + MS_EXTRA_SIZE)); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + ms_set_err_code(chip, MS_NO_ERROR); + + if (CHK_MS4BIT(ms_card)) { + /* Parallel interface */ + data[0] = 0x88; + } else { + /* Serial interface */ + data[0] = 0x80; + } + /* Block Address */ + data[1] = 0; + data[2] = (u8) (new_blk >> 8); + data[3] = (u8) new_blk; + /* Page Number + * Extra data access mode */ + if (page_cnt == 1) { + /* Single page access mode */ + data[4] = 0x20; + } else { + /* Block access mode */ + data[4] = 0; + } + data[5] = start_page; + data[6] = 0xF8; + data[7] = 0xFF; + data[8] = (u8) (log_blk >> 8); + data[9] = (u8) log_blk; + + for (i = 0x0A; i < 0x10; i++) { + /* ECC */ + data[i] = 0xFF; + } + + retval = + ms_auto_set_cmd(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm, + (6 + MS_EXTRA_SIZE), BLOCK_WRITE, WAIT_INT, data, + 16, &val); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + rts51x_init_cmd(chip); + + if (send_blkend) + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_BLKEND, SET_BLKEND, + SET_BLKEND); + else + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_BLKEND, SET_BLKEND, 0); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANS_CFG, WAIT_INT, + NO_WAIT_INT); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_SECTOR_CNT_L, 0xFF, + (u8) page_cnt); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_SECTOR_CNT_H, 0xFF, 0); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TPC, 0xFF, WRITE_PAGE_DATA); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01, + RING_BUFFER); + + rts51x_trans_dma_enable(DMA_TO_DEVICE, chip, 512 * page_cnt, DMA_512); + + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANSFER, 0xFF, + MS_TRANSFER_START | MS_TM_MULTI_WRITE); + rts51x_add_cmd(chip, CHECK_REG_CMD, MS_TRANSFER, MS_TRANSFER_END, + MS_TRANSFER_END); + + retval = rts51x_send_cmd(chip, MODE_CDOR | STAGE_MS_STATUS, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = + rts51x_transfer_data_partial(chip, SND_BULK_PIPE(chip), (void *)buf, + ptr, offset, 512 * page_cnt, + scsi_sg_count(chip->srb), NULL, 2000); + if (retval != STATUS_SUCCESS) { + rts51x_clear_ms_error(chip); + TRACE_RET(chip, retval); + } + + retval = rts51x_get_rsp(chip, 3, 2000); + + + if (CHECK_MS_TRANS_FAIL(chip, retval)) { + rts51x_clear_ms_error(chip); + TRACE_RET(chip, STATUS_FAIL); + } + + return STATUS_SUCCESS; +} + +#else + +static int ms_read_multiple_pages(struct rts51x_chip *chip, u16 phy_blk, + u16 log_blk, u8 start_page, u8 end_page, + u8 *buf, void **ptr, unsigned int *offset) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval, i; + u8 extra[MS_EXTRA_SIZE], page_addr, val, trans_cfg, data[6]; + + retval = + ms_read_extra_data(chip, phy_blk, start_page, extra, MS_EXTRA_SIZE); + if (retval == STATUS_SUCCESS) { + if ((extra[1] & 0x30) != 0x30) { + ms_set_err_code(chip, MS_FLASH_READ_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + } + + retval = + ms_set_rw_reg_addr(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm, + 6); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + /* Write REG */ + if (CHK_MS4BIT(ms_card)) { + /* Parallel interface */ + data[0] = 0x88; + } else { + /* Serial interface */ + data[0] = 0x80; + } + /* Block Address */ + data[1] = 0; + data[2] = (u8) (phy_blk >> 8); + data[3] = (u8) phy_blk; + /* Page Number + * Extra data access mode */ + data[4] = 0; + data[5] = start_page; + + for (i = 0; i < MS_MAX_RETRY_COUNT; i++) { + retval = + ms_write_bytes(chip, WRITE_REG, 6, NO_WAIT_INT, data, 6); + if (retval == STATUS_SUCCESS) + break; + } + if (i == MS_MAX_RETRY_COUNT) + TRACE_RET(chip, STATUS_FAIL); + + ms_set_err_code(chip, MS_NO_ERROR); + + retval = ms_send_cmd(chip, BLOCK_READ, WAIT_INT); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + for (page_addr = start_page; page_addr < end_page; page_addr++) { + ms_set_err_code(chip, MS_NO_ERROR); + + if (monitor_card_cd(chip, MS_CARD) == CD_NOT_EXIST) { + ms_set_err_code(chip, MS_NO_CARD); + chip->card_exist &= ~MS_CARD; + chip->card_ready &= ~MS_CARD; + TRACE_RET(chip, STATUS_FAIL); + } + /* GET_INT Register */ + retval = ms_read_bytes(chip, GET_INT, 1, NO_WAIT_INT, &val, 1); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + if (val & INT_REG_CMDNK) { + ms_set_err_code(chip, MS_CMD_NK); + TRACE_RET(chip, STATUS_FAIL); + } + if (val & INT_REG_ERR) { + if (val & INT_REG_BREQ) { + retval = ms_read_status_reg(chip); + if (retval != STATUS_SUCCESS) { + if (!(chip->card_wp & MS_CARD)) { + reset_ms(chip); + ms_set_page_status(log_blk, + setPS_NG, extra, + MS_EXTRA_SIZE); + ms_write_extra_data(chip, + phy_blk, page_addr, + extra, MS_EXTRA_SIZE); + } + ms_set_err_code(chip, + MS_FLASH_READ_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + } else { + ms_set_err_code(chip, MS_FLASH_READ_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + } else { + if (!(val & INT_REG_BREQ)) { + ms_set_err_code(chip, MS_BREQ_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + } + + if (page_addr == (end_page - 1)) { + if (!(val & INT_REG_CED)) { + retval = ms_send_cmd(chip, BLOCK_END, WAIT_INT); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + retval = + ms_read_bytes(chip, GET_INT, 1, NO_WAIT_INT, &val, + 1); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + if (!(val & INT_REG_CED)) { + ms_set_err_code(chip, MS_FLASH_READ_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + + trans_cfg = NO_WAIT_INT; + } else { + trans_cfg = WAIT_INT; + } + + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TPC, 0xFF, + READ_PAGE_DATA); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANS_CFG, 0xFF, + trans_cfg); + + rts51x_trans_dma_enable(DMA_FROM_DEVICE, chip, 512, DMA_512); + + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANSFER, 0xFF, + MS_TRANSFER_START | MS_TM_NORMAL_READ); + rts51x_add_cmd(chip, CHECK_REG_CMD, MS_TRANSFER, + MS_TRANSFER_END, MS_TRANSFER_END); + + retval = rts51x_send_cmd(chip, MODE_CDIR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = + rts51x_transfer_data_partial(chip, RCV_BULK_PIPE(chip), + (void *)buf, ptr, offset, 512, + scsi_sg_count(chip->srb), NULL, + 2000); + if (retval != STATUS_SUCCESS) { + if (retval == STATUS_TIMEDOUT) { + ms_set_err_code(chip, MS_TO_ERROR); + rts51x_clear_ms_error(chip); + TRACE_RET(chip, retval); + } + + retval = + rts51x_ep0_read_register(chip, MS_TRANS_CFG, &val); + if (retval != STATUS_SUCCESS) { + ms_set_err_code(chip, MS_TO_ERROR); + rts51x_clear_ms_error(chip); + TRACE_RET(chip, STATUS_FAIL); + } + if (val & (MS_CRC16_ERR | MS_RDY_TIMEOUT)) { + ms_set_err_code(chip, MS_CRC16_ERROR); + rts51x_clear_ms_error(chip); + TRACE_RET(chip, STATUS_FAIL); + } + } + + retval = rts51x_get_rsp(chip, 1, 2000); + if (CHECK_MS_TRANS_FAIL(chip, retval)) { + if (retval == STATUS_TIMEDOUT) { + ms_set_err_code(chip, MS_TO_ERROR); + rts51x_clear_ms_error(chip); + TRACE_RET(chip, retval); + } + + retval = + rts51x_ep0_read_register(chip, MS_TRANS_CFG, &val); + if (retval != STATUS_SUCCESS) { + ms_set_err_code(chip, MS_TO_ERROR); + rts51x_clear_ms_error(chip); + TRACE_RET(chip, retval); + } + if (val & (MS_CRC16_ERR | MS_RDY_TIMEOUT)) { + ms_set_err_code(chip, MS_CRC16_ERROR); + rts51x_clear_ms_error(chip); + TRACE_RET(chip, STATUS_FAIL); + } + } + } + + return STATUS_SUCCESS; +} + +static int ms_write_multiple_pages(struct rts51x_chip *chip, u16 old_blk, + u16 new_blk, u16 log_blk, u8 start_page, + u8 end_page, u8 *buf, void **ptr, + unsigned int *offset) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval, i; + u8 page_addr, val, data[16]; + + if (!start_page) { + retval = + ms_set_rw_reg_addr(chip, OverwriteFlag, MS_EXTRA_SIZE, + SystemParm, 7); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (CHK_MS4BIT(ms_card)) { + /* Parallel interface */ + data[0] = 0x88; + } else { + /* Serial interface */ + data[0] = 0x80; + } + /* Block Address */ + data[1] = 0; + data[2] = (u8) (old_blk >> 8); + data[3] = (u8) old_blk; + data[4] = 0x80; + data[5] = 0; + data[6] = 0xEF; + data[7] = 0xFF; + + retval = + ms_write_bytes(chip, WRITE_REG, 7, NO_WAIT_INT, data, 8); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = ms_send_cmd(chip, BLOCK_WRITE, WAIT_INT); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + /* GET_INT Register */ + ms_set_err_code(chip, MS_NO_ERROR); + retval = + ms_transfer_tpc(chip, MS_TM_READ_BYTES, GET_INT, 1, + NO_WAIT_INT); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + + retval = + ms_set_rw_reg_addr(chip, OverwriteFlag, MS_EXTRA_SIZE, SystemParm, + (6 + MS_EXTRA_SIZE)); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + ms_set_err_code(chip, MS_NO_ERROR); + + if (CHK_MS4BIT(ms_card)) { + /* Parallel interface */ + data[0] = 0x88; + } else { + /* Serial interface */ + data[0] = 0x80; + } + /* Block Address */ + data[1] = 0; + data[2] = (u8) (new_blk >> 8); + data[3] = (u8) new_blk; + /* Page Number + * Extra data access mode */ + if ((end_page - start_page) == 1) { + /* Single page access mode */ + data[4] = 0x20; + } else { + /* Block access mode */ + data[4] = 0; + } + data[5] = start_page; + data[6] = 0xF8; + data[7] = 0xFF; + data[8] = (u8) (log_blk >> 8); + data[9] = (u8) log_blk; + + for (i = 0x0A; i < 0x10; i++) { + /* ECC */ + data[i] = 0xFF; + } + + for (i = 0; i < MS_MAX_RETRY_COUNT; i++) { + retval = + ms_write_bytes(chip, WRITE_REG, 6 + MS_EXTRA_SIZE, + NO_WAIT_INT, data, 16); + if (retval == STATUS_SUCCESS) + break; + } + if (i == MS_MAX_RETRY_COUNT) + TRACE_RET(chip, STATUS_FAIL); + + for (i = 0; i < MS_MAX_RETRY_COUNT; i++) { + retval = ms_send_cmd(chip, BLOCK_WRITE, WAIT_INT); + if (retval == STATUS_SUCCESS) + break; + } + if (i == MS_MAX_RETRY_COUNT) + TRACE_RET(chip, STATUS_FAIL); + /* GET_INT Register */ + retval = ms_read_bytes(chip, GET_INT, 1, NO_WAIT_INT, &val, 1); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + for (page_addr = start_page; page_addr < end_page; page_addr++) { + ms_set_err_code(chip, MS_NO_ERROR); + + if (monitor_card_cd(chip, MS_CARD) == CD_NOT_EXIST) { + ms_set_err_code(chip, MS_NO_CARD); + TRACE_RET(chip, STATUS_FAIL); + } + + if (val & INT_REG_CMDNK) { + ms_set_err_code(chip, MS_CMD_NK); + TRACE_RET(chip, STATUS_FAIL); + } + if (val & INT_REG_ERR) { + ms_set_err_code(chip, MS_FLASH_WRITE_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + if (!(val & INT_REG_BREQ)) { + ms_set_err_code(chip, MS_BREQ_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + + udelay(30); + + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TPC, 0xFF, + WRITE_PAGE_DATA); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANS_CFG, 0xFF, + WAIT_INT); + + rts51x_trans_dma_enable(DMA_TO_DEVICE, chip, 512, DMA_512); + + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANSFER, 0xFF, + MS_TRANSFER_START | MS_TM_NORMAL_WRITE); + rts51x_add_cmd(chip, CHECK_REG_CMD, MS_TRANSFER, + MS_TRANSFER_END, MS_TRANSFER_END); + + retval = rts51x_send_cmd(chip, MODE_CDOR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = + rts51x_transfer_data_partial(chip, SND_BULK_PIPE(chip), + (void *)buf, ptr, offset, 512, + scsi_sg_count(chip->srb), NULL, + 2000); + if (retval != STATUS_SUCCESS) { + ms_set_err_code(chip, MS_TO_ERROR); + rts51x_clear_ms_error(chip); + + if (retval == STATUS_TIMEDOUT) + TRACE_RET(chip, STATUS_TIMEDOUT); + else + TRACE_RET(chip, STATUS_FAIL); + } + + retval = rts51x_get_rsp(chip, 1, 2000); + if (CHECK_MS_TRANS_FAIL(chip, retval)) { + ms_set_err_code(chip, MS_TO_ERROR); + rts51x_clear_ms_error(chip); + + if (retval == STATUS_TIMEDOUT) + TRACE_RET(chip, STATUS_TIMEDOUT); + else + TRACE_RET(chip, STATUS_FAIL); + } + /* GET_INT Register */ + retval = ms_read_bytes(chip, GET_INT, 1, NO_WAIT_INT, &val, 1); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if ((end_page - start_page) == 1) { + if (!(val & INT_REG_CED)) { + /* Command can not be executed */ + ms_set_err_code(chip, MS_FLASH_WRITE_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + } else { + if (page_addr == (end_page - 1)) { + if (!(val & INT_REG_CED)) { + retval = + ms_send_cmd(chip, BLOCK_END, + WAIT_INT); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + /* GET_INT Register */ + retval = + ms_read_bytes(chip, GET_INT, 1, NO_WAIT_INT, + &val, 1); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + + if ((page_addr == (end_page - 1)) + || (page_addr == ms_card->page_off)) { + if (!(val & INT_REG_CED)) { + ms_set_err_code(chip, + MS_FLASH_WRITE_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + } + } + } + + return STATUS_SUCCESS; +} +#endif + +static int ms_finish_write(struct rts51x_chip *chip, u16 old_blk, u16 new_blk, + u16 log_blk, u8 page_off) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval, seg_no; + +#ifdef MS_SPEEDUP + retval = ms_auto_copy_page(chip, old_blk, new_blk, log_blk, + page_off, ms_card->page_off + 1); +#else + retval = ms_copy_page(chip, old_blk, new_blk, log_blk, + page_off, ms_card->page_off + 1); +#endif + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + seg_no = old_blk >> 9; + + if (MS_TST_BAD_BLOCK_FLG(ms_card)) { + MS_CLR_BAD_BLOCK_FLG(ms_card); + ms_set_bad_block(chip, old_blk); + } else { + retval = ms_erase_block(chip, old_blk); + if (retval == STATUS_SUCCESS) + ms_set_unused_block(chip, old_blk); + } + + ms_set_l2p_tbl(chip, seg_no, log_blk - ms_start_idx[seg_no], new_blk); + + return STATUS_SUCCESS; +} + +static int ms_prepare_write(struct rts51x_chip *chip, u16 old_blk, u16 new_blk, + u16 log_blk, u8 start_page) +{ + int retval; + + if (start_page) { +#ifdef MS_SPEEDUP + retval = + ms_auto_copy_page(chip, old_blk, new_blk, log_blk, 0, + start_page); +#else + retval = + ms_copy_page(chip, old_blk, new_blk, log_blk, 0, + start_page); +#endif + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + + return STATUS_SUCCESS; +} + +int rts51x_ms_delay_write(struct rts51x_chip *chip) +{ + struct ms_info *ms_card = &(chip->ms_card); + struct rts51x_ms_delay_write_tag *delay_write = &(ms_card->delay_write); + int retval; + + if (delay_write->delay_write_flag) { + retval = ms_set_init_para(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + delay_write->delay_write_flag = 0; + retval = ms_finish_write(chip, + delay_write->old_phyblock, + delay_write->new_phyblock, + delay_write->logblock, + delay_write->pageoff); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + + return STATUS_SUCCESS; +} + +static inline void rts51x_ms_rw_fail(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + if (srb->sc_data_direction == DMA_FROM_DEVICE) + rts51x_set_sense_type(chip, SCSI_LUN(srb), + SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR); + else + rts51x_set_sense_type(chip, SCSI_LUN(srb), SENSE_TYPE_MEDIA_WRITE_ERR); +} + +static int rts51x_ms_rw_multi_sector(struct scsi_cmnd *srb, struct rts51x_chip *chip, + u32 start_sector, u16 sector_cnt) +{ + struct ms_info *ms_card = &(chip->ms_card); + unsigned int lun = SCSI_LUN(srb); + int retval, seg_no; + unsigned int offset = 0; + u16 old_blk = 0, new_blk = 0, log_blk, total_sec_cnt = sector_cnt; + u8 start_page, end_page = 0, page_cnt; + u8 *buf; + void *ptr = NULL; + struct rts51x_ms_delay_write_tag *delay_write = &(ms_card->delay_write); + + ms_set_err_code(chip, MS_NO_ERROR); + + ms_card->counter = 0; + + buf = (u8 *) scsi_sglist(srb); + + retval = ms_switch_clock(chip); + if (retval != STATUS_SUCCESS) { + rts51x_ms_rw_fail(srb, chip); + TRACE_RET(chip, retval); + } + + log_blk = (u16) (start_sector >> ms_card->block_shift); + start_page = (u8) (start_sector & ms_card->page_off); + + for (seg_no = 0; seg_no < ARRAY_SIZE(ms_start_idx) - 1; seg_no++) { + if (log_blk < ms_start_idx[seg_no + 1]) + break; + } + + if (ms_card->segment[seg_no].build_flag == 0) { + retval = ms_build_l2p_tbl(chip, seg_no); + if (retval != STATUS_SUCCESS) { + chip->card_fail |= MS_CARD; + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT); + TRACE_RET(chip, retval); + } + } + + if (srb->sc_data_direction == DMA_TO_DEVICE) { + if (delay_write->delay_write_flag && + (delay_write->logblock == log_blk) && + (start_page > delay_write->pageoff)) { + delay_write->delay_write_flag = 0; +#ifdef MS_SPEEDUP + retval = ms_auto_copy_page(chip, + delay_write->old_phyblock, + delay_write->new_phyblock, + log_blk, + delay_write->pageoff, + start_page); +#else + retval = ms_copy_page(chip, + delay_write->old_phyblock, + delay_write->new_phyblock, + log_blk, delay_write->pageoff, + start_page); +#endif + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_WRITE_ERR); + TRACE_RET(chip, retval); + } + old_blk = delay_write->old_phyblock; + new_blk = delay_write->new_phyblock; + } else if (delay_write->delay_write_flag && + (delay_write->logblock == log_blk) && + (start_page == delay_write->pageoff)) { + delay_write->delay_write_flag = 0; + old_blk = delay_write->old_phyblock; + new_blk = delay_write->new_phyblock; + } else { + retval = rts51x_ms_delay_write(chip); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_WRITE_ERR); + TRACE_RET(chip, retval); + } + old_blk = + ms_get_l2p_tbl(chip, seg_no, + log_blk - ms_start_idx[seg_no]); + new_blk = ms_get_unused_block(chip, seg_no); + if ((old_blk == 0xFFFF) || (new_blk == 0xFFFF)) { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_WRITE_ERR); + TRACE_RET(chip, STATUS_FAIL); + } + + retval = + ms_prepare_write(chip, old_blk, new_blk, log_blk, + start_page); + if (retval != STATUS_SUCCESS) { + if (monitor_card_cd(chip, MS_CARD) == + CD_NOT_EXIST) { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_NOT_PRESENT); + TRACE_RET(chip, STATUS_FAIL); + } + + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_WRITE_ERR); + TRACE_RET(chip, retval); + } + } + } else { + retval = rts51x_ms_delay_write(chip); + if (retval != STATUS_SUCCESS) { + if (monitor_card_cd(chip, MS_CARD) == CD_NOT_EXIST) { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_NOT_PRESENT); + TRACE_RET(chip, STATUS_FAIL); + } + + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR); + TRACE_RET(chip, retval); + } + old_blk = + ms_get_l2p_tbl(chip, seg_no, + log_blk - ms_start_idx[seg_no]); + if (old_blk == 0xFFFF) { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR); + TRACE_RET(chip, STATUS_FAIL); + } + } + + RTS51X_DEBUGP("seg_no = %d, old_blk = 0x%x, new_blk = 0x%x\n", seg_no, + old_blk, new_blk); + + while (total_sec_cnt) { + if ((start_page + total_sec_cnt) > (ms_card->page_off + 1)) + end_page = ms_card->page_off + 1; + else + end_page = start_page + (u8) total_sec_cnt; + page_cnt = end_page - start_page; + + RTS51X_DEBUGP("start_page = %d, end_page = %d, page_cnt = %d\n", + start_page, end_page, page_cnt); + + if (srb->sc_data_direction == DMA_FROM_DEVICE) + retval = ms_read_multiple_pages(chip, + old_blk, log_blk, + start_page, end_page, + buf, &ptr, &offset); + else + retval = ms_write_multiple_pages(chip, old_blk, + new_blk, log_blk, + start_page, end_page, + buf, &ptr, &offset); + + if (retval != STATUS_SUCCESS) { + if (monitor_card_cd(chip, MS_CARD) == CD_NOT_EXIST) { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_NOT_PRESENT); + TRACE_RET(chip, STATUS_FAIL); + } + + rts51x_ms_rw_fail(srb, chip); + TRACE_RET(chip, retval); + } + /* Update L2P table if need */ + if (srb->sc_data_direction == DMA_TO_DEVICE) { + if (end_page == (ms_card->page_off + 1)) { + retval = ms_erase_block(chip, old_blk); + if (retval == STATUS_SUCCESS) + ms_set_unused_block(chip, old_blk); + ms_set_l2p_tbl(chip, seg_no, + log_blk - ms_start_idx[seg_no], + new_blk); + } + } + + total_sec_cnt -= page_cnt; + + if (total_sec_cnt == 0) + break; + + log_blk++; + + for (seg_no = 0; seg_no < ARRAY_SIZE(ms_start_idx) - 1; + seg_no++) { + if (log_blk < ms_start_idx[seg_no + 1]) + break; + } + + if (ms_card->segment[seg_no].build_flag == 0) { + retval = ms_build_l2p_tbl(chip, seg_no); + if (retval != STATUS_SUCCESS) { + chip->card_fail |= MS_CARD; + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_NOT_PRESENT); + TRACE_RET(chip, retval); + } + } + + old_blk = + ms_get_l2p_tbl(chip, seg_no, + log_blk - ms_start_idx[seg_no]); + if (old_blk == 0xFFFF) { + rts51x_ms_rw_fail(srb, chip); + TRACE_RET(chip, STATUS_FAIL); + } + + if (srb->sc_data_direction == DMA_TO_DEVICE) { + new_blk = ms_get_unused_block(chip, seg_no); + if (new_blk == 0xFFFF) { + rts51x_ms_rw_fail(srb, chip); + TRACE_RET(chip, STATUS_FAIL); + } + } + + RTS51X_DEBUGP("seg_no = %d, old_blk = 0x%x, new_blk = 0x%x\n", + seg_no, old_blk, new_blk); + + start_page = 0; + } + + if (srb->sc_data_direction == DMA_TO_DEVICE) { + if (end_page < (ms_card->page_off + 1)) { + delay_write->delay_write_flag = 1; + delay_write->old_phyblock = old_blk; + delay_write->new_phyblock = new_blk; + delay_write->logblock = log_blk; + delay_write->pageoff = end_page; + } + } + + scsi_set_resid(srb, 0); + + return STATUS_SUCCESS; +} + +int rts51x_ms_rw(struct scsi_cmnd *srb, struct rts51x_chip *chip, u32 start_sector, + u16 sector_cnt) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval; + + if (CHK_MSPRO(ms_card)) + retval = + mspro_rw_multi_sector(srb, chip, start_sector, sector_cnt); + else + retval = + rts51x_ms_rw_multi_sector(srb, chip, start_sector, sector_cnt); + + return retval; +} + +void rts51x_ms_free_l2p_tbl(struct rts51x_chip *chip) +{ + struct ms_info *ms_card = &(chip->ms_card); + int i = 0; + + if (ms_card->segment != NULL) { + for (i = 0; i < ms_card->segment_cnt; i++) { + if (ms_card->segment[i].l2p_table != NULL) { + vfree(ms_card->segment[i].l2p_table); + ms_card->segment[i].l2p_table = NULL; + } + if (ms_card->segment[i].free_table != NULL) { + vfree(ms_card->segment[i].free_table); + ms_card->segment[i].free_table = NULL; + } + } + vfree(ms_card->segment); + ms_card->segment = NULL; + } +} + +void rts51x_ms_cleanup_work(struct rts51x_chip *chip) +{ + struct ms_info *ms_card = &(chip->ms_card); + + if (CHK_MSPRO(ms_card)) { + if (ms_card->seq_mode) { + RTS51X_DEBUGP("MS Pro: stop transmission\n"); + mspro_stop_seq_mode(chip); + ms_card->counter = 0; + } + if (CHK_MSHG(ms_card)) { + u8 value; + rts51x_read_register(chip, MS_CFG, &value); + if (value & MS_2K_SECTOR_MODE) + rts51x_write_register(chip, MS_CFG, + MS_2K_SECTOR_MODE, 0x00); + } + } else if ((!CHK_MSPRO(ms_card)) + && ms_card->delay_write.delay_write_flag) { + RTS51X_DEBUGP("MS: delay write\n"); + rts51x_ms_delay_write(chip); + ms_card->counter = 0; + } +} + +static int ms_power_off_card3v3(struct rts51x_chip *chip) +{ + int retval; + + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_CLK_EN, MS_CLK_EN, 0); + if (chip->asic_code) + ms_pull_ctl_disable(chip); + else + rts51x_add_cmd(chip, WRITE_REG_CMD, FPGA_PULL_CTL, + FPGA_MS_PULL_CTL_BIT | 0x20, + FPGA_MS_PULL_CTL_BIT); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_OE, MS_OUTPUT_EN, 0); + if (!chip->option.FT2_fast_mode) { + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL, POWER_MASK, + POWER_OFF); + } + + retval = rts51x_send_cmd(chip, MODE_C, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + return STATUS_SUCCESS; +} + +int rts51x_release_ms_card(struct rts51x_chip *chip) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval; + + RTS51X_DEBUGP("rts51x_release_ms_card\n"); + + ms_card->delay_write.delay_write_flag = 0; + ms_card->pro_under_formatting = 0; + + chip->card_ready &= ~MS_CARD; + chip->card_fail &= ~MS_CARD; + chip->card_wp &= ~MS_CARD; + + rts51x_ms_free_l2p_tbl(chip); + + rts51x_write_register(chip, SFSM_ED, HW_CMD_STOP, HW_CMD_STOP); + + memset(ms_card->raw_sys_info, 0, 96); +#ifdef SUPPORT_PCGL_1P18 + memset(ms_card->raw_model_name, 0, 48); +#endif + + retval = ms_power_off_card3v3(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + return STATUS_SUCCESS; +} diff --git a/drivers/staging/rts5139/ms.h b/drivers/staging/rts5139/ms.h new file mode 100644 index 000000000000..857c1974ef24 --- /dev/null +++ b/drivers/staging/rts5139/ms.h @@ -0,0 +1,261 @@ +/* Driver for Realtek RTS51xx USB card reader + * Header file + * + * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, see <http://www.gnu.org/licenses/>. + * + * Author: + * wwang (wei_wang(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + * Maintainer: + * Edwin Rong (edwin_rong(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + */ + +#ifndef __RTS51X_MS_H +#define __RTS51X_MS_H + +#include "rts51x_chip.h" + +#define MS_MAX_RETRY_COUNT 3 + +#define MS_EXTRA_SIZE 0x9 + +#define WRT_PRTCT 0x01 + +/* Error Code */ +#define MS_NO_ERROR 0x00 +#define MS_CRC16_ERROR 0x80 +#define MS_TO_ERROR 0x40 +#define MS_NO_CARD 0x20 +#define MS_NO_MEMORY 0x10 +#define MS_CMD_NK 0x08 +#define MS_FLASH_READ_ERROR 0x04 +#define MS_FLASH_WRITE_ERROR 0x02 +#define MS_BREQ_ERROR 0x01 +#define MS_NOT_FOUND 0x03 + +/* Transfer Protocol Command */ +#define READ_PAGE_DATA 0x02 +#define READ_REG 0x04 +#define GET_INT 0x07 +#define WRITE_PAGE_DATA 0x0D +#define WRITE_REG 0x0B +#define SET_RW_REG_ADRS 0x08 +#define SET_CMD 0x0E + +#define PRO_READ_LONG_DATA 0x02 +#define PRO_READ_SHORT_DATA 0x03 +#define PRO_READ_REG 0x04 +#define PRO_READ_QUAD_DATA 0x05 +#define PRO_GET_INT 0x07 +#define PRO_WRITE_LONG_DATA 0x0D +#define PRO_WRITE_SHORT_DATA 0x0C +#define PRO_WRITE_QUAD_DATA 0x0A +#define PRO_WRITE_REG 0x0B +#define PRO_SET_RW_REG_ADRS 0x08 +#define PRO_SET_CMD 0x0E +#define PRO_EX_SET_CMD 0x09 + +#ifdef SUPPORT_MAGIC_GATE +#define MG_GET_ID 0x40 +#define MG_SET_LID 0x41 +#define MG_GET_LEKB 0x42 +#define MG_SET_RD 0x43 +#define MG_MAKE_RMS 0x44 +#define MG_MAKE_KSE 0x45 +#define MG_SET_IBD 0x46 +#define MG_GET_IBD 0x47 +#endif + +#ifdef XC_POWERCLASS +#define XC_CHG_POWER 0x16 +#endif + +/* ++ CMD over Memory Stick */ +/* Flash CMD */ +#define BLOCK_READ 0xAA +#define BLOCK_WRITE 0x55 +#define BLOCK_END 0x33 +#define BLOCK_ERASE 0x99 +#define FLASH_STOP 0xCC + +/* Function CMD */ +#define SLEEP 0x5A +#define CLEAR_BUF 0xC3 +#define MS_RESET 0x3C +/* -- CMD over Memory Stick */ + +/* ++ CMD over Memory Stick Pro */ +/* Flash CMD */ +#define PRO_READ_DATA 0x20 +#define PRO_WRITE_DATA 0x21 +#define PRO_READ_ATRB 0x24 +#define PRO_STOP 0x25 +#define PRO_ERASE 0x26 +#define PRO_READ_2K_DATA 0x27 +#define PRO_WRITE_2K_DATA 0x28 + +/* Function CMD */ +#define PRO_FORMAT 0x10 +#define PRO_SLEEP 0x11 +/* -- CMD over Memory Stick Pro */ + +/* register inside memory stick */ +#define IntReg 0x01 +#define StatusReg0 0x02 +#define StatusReg1 0x03 + +#define SystemParm 0x10 +#define BlockAdrs 0x11 +#define CMDParm 0x14 +#define PageAdrs 0x15 + +#define OverwriteFlag 0x16 +#define ManagemenFlag 0x17 +#define LogicalAdrs 0x18 +#define ReserveArea 0x1A + +/* register inside memory pro */ +#define Pro_IntReg 0x01 +#define Pro_StatusReg 0x02 +#define Pro_TypeReg 0x04 +#define Pro_IFModeReg 0x05 +#define Pro_CatagoryReg 0x06 +#define Pro_ClassReg 0x07 + +#define Pro_SystemParm 0x10 +#define Pro_DataCount1 0x11 +#define Pro_DataCount0 0x12 +#define Pro_DataAddr3 0x13 +#define Pro_DataAddr2 0x14 +#define Pro_DataAddr1 0x15 +#define Pro_DataAddr0 0x16 + +#define Pro_TPCParm 0x17 +#define Pro_CMDParm 0x18 + +/* define for INT Register */ +#define INT_REG_CED 0x80 +#define INT_REG_ERR 0x40 +#define INT_REG_BREQ 0x20 +#define INT_REG_CMDNK 0x01 + +/* INT signal */ +#define INT_CED 0x01 +#define INT_ERR 0x02 +#define INT_BREQ 0x04 +#define INT_CMDNK 0x08 + +/* define for OverwriteFlag Register */ +#define BLOCK_BOOT 0xC0 +#define BLOCK_OK 0x80 +#define PAGE_OK 0x60 +#define DATA_COMPL 0x10 + +/* define for ManagemenFlag Register */ +#define NOT_BOOT_BLOCK 0x4 +#define NOT_TRANSLATION_TABLE 0x8 + +/* Header */ +#define HEADER_ID0 (PPBUF_BASE2) /* 0 */ +#define HEADER_ID1 (PPBUF_BASE2 + 1) /* 1 */ +/* System Entry */ +#define DISABLED_BLOCK0 (PPBUF_BASE2 + 0x170 + 4) /* 2 */ +#define DISABLED_BLOCK1 (PPBUF_BASE2 + 0x170 + 5) /* 3 */ +#define DISABLED_BLOCK2 (PPBUF_BASE2 + 0x170 + 6) /* 4 */ +#define DISABLED_BLOCK3 (PPBUF_BASE2 + 0x170 + 7) /* 5 */ +/* Boot & Attribute Information */ +#define BLOCK_SIZE_0 (PPBUF_BASE2 + 0x1a0 + 2) /* 6 */ +#define BLOCK_SIZE_1 (PPBUF_BASE2 + 0x1a0 + 3) /* 7 */ +#define BLOCK_COUNT_0 (PPBUF_BASE2 + 0x1a0 + 4) /* 8 */ +#define BLOCK_COUNT_1 (PPBUF_BASE2 + 0x1a0 + 5) /* 9 */ +#define EBLOCK_COUNT_0 (PPBUF_BASE2 + 0x1a0 + 6) /* 10 */ +#define EBLOCK_COUNT_1 (PPBUF_BASE2 + 0x1a0 + 7) /* 11 */ +#define PAGE_SIZE_0 (PPBUF_BASE2 + 0x1a0 + 8) /* 12 */ +#define PAGE_SIZE_1 (PPBUF_BASE2 + 0x1a0 + 9) /* 13 */ + +/* joey 2004-08-07 for MS check Procedure */ +#define MS_Device_Type (PPBUF_BASE2 + 0x1D8) /* 14 */ +/* end */ + +/* joey 2004-05-03 */ +#define MS_4bit_Support (PPBUF_BASE2 + 0x1D3) /* 15 */ +/* end */ + +#define setPS_NG 1 +#define setPS_Error 0 + +/* define for Pro_SystemParm Register */ +#define PARALLEL_8BIT_IF 0x40 +#define PARALLEL_4BIT_IF 0x00 +#define SERIAL_IF 0x80 + +/* define for StatusReg0 Register */ +#define BUF_FULL 0x10 +#define BUF_EMPTY 0x20 + +/* define for StatusReg1 Register */ +#define MEDIA_BUSY 0x80 +#define FLASH_BUSY 0x40 +#define DATA_ERROR 0x20 +#define STS_UCDT 0x10 +#define EXTRA_ERROR 0x08 +#define STS_UCEX 0x04 +#define FLAG_ERROR 0x02 +#define STS_UCFG 0x01 + +#define MS_SHORT_DATA_LEN 32 + +#define FORMAT_SUCCESS 0 +#define FORMAT_FAIL 1 +#define FORMAT_IN_PROGRESS 2 + +#define MS_SET_BAD_BLOCK_FLG(ms_card) ((ms_card)->multi_flag |= 0x80) +#define MS_CLR_BAD_BLOCK_FLG(ms_card) ((ms_card)->multi_flag &= 0x7F) +#define MS_TST_BAD_BLOCK_FLG(ms_card) ((ms_card)->multi_flag & 0x80) + +#define CHECK_MS_TRANS_FAIL(chip, retval) \ + (((retval) != STATUS_SUCCESS) || \ + (chip->rsp_buf[0] & MS_TRANSFER_ERR)) + +void rts51x_mspro_polling_format_status(struct rts51x_chip *chip); +void rts51x_mspro_format_sense(struct rts51x_chip *chip, unsigned int lun); + +int rts51x_reset_ms_card(struct rts51x_chip *chip); +int rts51x_ms_rw(struct scsi_cmnd *srb, struct rts51x_chip *chip, u32 start_sector, + u16 sector_cnt); +int rts51x_mspro_format(struct scsi_cmnd *srb, struct rts51x_chip *chip, + int short_data_len, int quick_format); +void rts51x_ms_free_l2p_tbl(struct rts51x_chip *chip); +void rts51x_ms_cleanup_work(struct rts51x_chip *chip); +int rts51x_release_ms_card(struct rts51x_chip *chip); +int rts51x_ms_delay_write(struct rts51x_chip *chip); + +#ifdef SUPPORT_MAGIC_GATE + +int ms_switch_clock(struct rts51x_chip *chip); +int ms_write_bytes(struct rts51x_chip *chip, u8 tpc, u8 cnt, u8 cfg, u8 *data, + int data_len); +int ms_read_bytes(struct rts51x_chip *chip, u8 tpc, u8 cnt, u8 cfg, u8 *data, + int data_len); +int ms_set_rw_reg_addr(struct rts51x_chip *chip, u8 read_start, u8 read_cnt, + u8 write_start, u8 write_cnt); +int ms_transfer_data(struct rts51x_chip *chip, u8 trans_mode, u8 tpc, + u16 sec_cnt, u8 cfg, int mode_2k, int use_sg, void *buf, + int buf_len); +#endif + +#endif /* __RTS51X_MS_H */ diff --git a/drivers/staging/rts5139/ms_mg.c b/drivers/staging/rts5139/ms_mg.c new file mode 100644 index 000000000000..c8f26062c682 --- /dev/null +++ b/drivers/staging/rts5139/ms_mg.c @@ -0,0 +1,643 @@ +/* Driver for Realtek RTS51xx USB card reader + * + * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, see <http://www.gnu.org/licenses/>. + * + * Author: + * wwang (wei_wang(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + * Maintainer: + * Edwin Rong (edwin_rong(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + */ + +#include <linux/blkdev.h> +#include <linux/kthread.h> +#include <linux/sched.h> +#include <linux/slab.h> + +#include "debug.h" +#include "trace.h" +#include "rts51x.h" +#include "rts51x_transport.h" +#include "rts51x_scsi.h" +#include "rts51x_card.h" +#include "ms.h" +#include "ms_mg.h" + +#ifdef SUPPORT_MAGIC_GATE + +static int mg_check_int_error(struct rts51x_chip *chip) +{ + u8 value; + + rts51x_read_register(chip, MS_TRANS_CFG, &value); + if (value & (INT_ERR | INT_CMDNK)) + TRACE_RET(chip, STATUS_FAIL); + + return STATUS_SUCCESS; +} + +static int mg_send_ex_cmd(struct rts51x_chip *chip, u8 cmd, u8 entry_num) +{ + int retval, i; + u8 data[8]; + + data[0] = cmd; + data[1] = 0; + data[2] = 0; + data[3] = 0; + data[4] = 0; + data[5] = 0; + data[6] = entry_num; + data[7] = 0; + + for (i = 0; i < MS_MAX_RETRY_COUNT; i++) { + retval = + ms_write_bytes(chip, PRO_EX_SET_CMD, 7, WAIT_INT, data, 8); + if (retval == STATUS_SUCCESS) + break; + } + if (i == MS_MAX_RETRY_COUNT) + TRACE_RET(chip, STATUS_FAIL); + retval = mg_check_int_error(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, STATUS_FAIL); + + return STATUS_SUCCESS; +} + +int rts51x_mg_set_tpc_para_sub(struct rts51x_chip *chip, int type, u8 mg_entry_num) +{ + int retval; + u8 buf[6]; + + RTS51X_DEBUGP("--%s--\n", __func__); + + if (type == 0) + retval = ms_set_rw_reg_addr(chip, 0, 0, Pro_TPCParm, 1); + else + retval = ms_set_rw_reg_addr(chip, 0, 0, Pro_DataCount1, 6); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + buf[0] = 0; + buf[1] = 0; + if (type == 1) { + buf[2] = 0; + buf[3] = 0; + buf[4] = 0; + buf[5] = mg_entry_num; + } + retval = + ms_write_bytes(chip, PRO_WRITE_REG, (type == 0) ? 1 : 6, + NO_WAIT_INT, buf, 6); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + return STATUS_SUCCESS; +} + +/** + * Get MagciGate ID and set Leaf ID to medium. + + * After receiving this SCSI command, adapter shall fulfill 2 tasks + * below in order: + * 1. send GET_ID TPC command to get MagicGate ID and hold it till + * Response&challenge CMD. + * 2. send SET_ID TPC command to medium with Leaf ID released by host + * in this SCSI CMD. + */ +int rts51x_mg_set_leaf_id(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + int retval; + int i; + unsigned int lun = SCSI_LUN(srb); + u8 buf1[32], buf2[12]; + + RTS51X_DEBUGP("--%s--\n", __func__); + + if (scsi_bufflen(srb) < 12) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, STATUS_FAIL); + } + rts51x_ms_cleanup_work(chip); + + retval = ms_switch_clock(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = mg_send_ex_cmd(chip, MG_SET_LID, 0); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_KEY_FAIL_NOT_ESTAB); + TRACE_RET(chip, retval); + } + + memset(buf1, 0, 32); + rts51x_get_xfer_buf(buf2, min(12, (int)scsi_bufflen(srb)), srb); + for (i = 0; i < 8; i++) + buf1[8 + i] = buf2[4 + i]; + retval = + ms_write_bytes(chip, PRO_WRITE_SHORT_DATA, 32, WAIT_INT, buf1, 32); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_KEY_FAIL_NOT_ESTAB); + TRACE_RET(chip, retval); + } + retval = mg_check_int_error(chip); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_KEY_FAIL_NOT_ESTAB); + TRACE_RET(chip, retval); + } + + return STATUS_SUCCESS; +} + +/** + * Send Local EKB to host. + + * After receiving this SCSI command, adapter shall read the divided + * data(1536 bytes totally) from medium by using READ_LONG_DATA TPC + * for 3 times, and report data to host with data-length is 1052 bytes. + */ +int rts51x_mg_get_local_EKB(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + int retval = STATUS_FAIL; + int bufflen; + unsigned int lun = SCSI_LUN(srb); + u8 *buf = NULL; + + RTS51X_DEBUGP("--%s--\n", __func__); + + rts51x_ms_cleanup_work(chip); + + retval = ms_switch_clock(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + buf = kmalloc(1540, GFP_KERNEL); + if (!buf) + TRACE_RET(chip, STATUS_NOMEM); + + buf[0] = 0x04; + buf[1] = 0x1A; + buf[2] = 0x00; + buf[3] = 0x00; + + retval = mg_send_ex_cmd(chip, MG_GET_LEKB, 0); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_KEY_FAIL_NOT_AUTHEN); + TRACE_GOTO(chip, GetEKBFinish); + } + + retval = ms_transfer_data(chip, MS_TM_AUTO_READ, PRO_READ_LONG_DATA, + 3, WAIT_INT, 0, 0, buf + 4, 1536); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_KEY_FAIL_NOT_AUTHEN); + rts51x_write_register(chip, CARD_STOP, MS_STOP | MS_CLR_ERR, + MS_STOP | MS_CLR_ERR); + TRACE_GOTO(chip, GetEKBFinish); + } + retval = mg_check_int_error(chip); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_KEY_FAIL_NOT_AUTHEN); + TRACE_GOTO(chip, GetEKBFinish); + } + + bufflen = min(1052, (int)scsi_bufflen(srb)); + rts51x_set_xfer_buf(buf, bufflen, srb); + +GetEKBFinish: + kfree(buf); + return retval; +} + +/** + * Send challenge(host) to medium. + + * After receiving this SCSI command, adapter shall sequentially issues + * TPC commands to the medium for writing 8-bytes data as challenge + * by host within a short data packet. + */ +int rts51x_mg_chg(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval; + int bufflen; + int i; + unsigned int lun = SCSI_LUN(srb); + u8 buf[32], tmp; + + RTS51X_DEBUGP("--%s--\n", __func__); + + rts51x_ms_cleanup_work(chip); + + retval = ms_switch_clock(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = mg_send_ex_cmd(chip, MG_GET_ID, 0); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_INCOMPATIBLE_MEDIUM); + TRACE_RET(chip, retval); + } + + retval = + ms_read_bytes(chip, PRO_READ_SHORT_DATA, 32, WAIT_INT, buf, 32); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_INCOMPATIBLE_MEDIUM); + TRACE_RET(chip, retval); + } + retval = mg_check_int_error(chip); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_INCOMPATIBLE_MEDIUM); + TRACE_RET(chip, retval); + } + + memcpy(ms_card->magic_gate_id, buf, 16); + + for (i = 0; i < 2500; i++) { + RTS51X_READ_REG(chip, MS_TRANS_CFG, &tmp); + if (tmp & + (MS_INT_CED | MS_INT_CMDNK | MS_INT_BREQ | MS_INT_ERR)) + break; + + wait_timeout(1); + } + + if (i == 2500) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_INCOMPATIBLE_MEDIUM); + TRACE_RET(chip, STATUS_FAIL); + } + + retval = mg_send_ex_cmd(chip, MG_SET_RD, 0); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_INCOMPATIBLE_MEDIUM); + TRACE_RET(chip, retval); + } + + bufflen = min(12, (int)scsi_bufflen(srb)); + rts51x_get_xfer_buf(buf, bufflen, srb); + + for (i = 0; i < 8; i++) + buf[i] = buf[4 + i]; + for (i = 0; i < 24; i++) + buf[8 + i] = 0; + retval = + ms_write_bytes(chip, PRO_WRITE_SHORT_DATA, 32, WAIT_INT, buf, 32); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_INCOMPATIBLE_MEDIUM); + TRACE_RET(chip, retval); + } + retval = mg_check_int_error(chip); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_INCOMPATIBLE_MEDIUM); + TRACE_RET(chip, retval); + } + + ms_card->mg_auth = 0; + + return STATUS_SUCCESS; +} + +/** + * Send Response and Challenge data to host. + + * After receiving this SCSI command, adapter shall communicates with + * the medium, get parameters(HRd, Rms, MagicGateID) by using READ_SHORT_DATA + * TPC and send the data to host according to certain format required by + * MG-R specification. + * The paremeter MagicGateID is the one that adapter has obtained from + * the medium by TPC commands in Set Leaf ID command phase previously. + */ +int rts51x_mg_get_rsp_chg(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval, i; + int bufflen; + unsigned int lun = SCSI_LUN(srb); + u8 buf1[32], buf2[36], tmp; + + RTS51X_DEBUGP("--%s--\n", __func__); + + rts51x_ms_cleanup_work(chip); + + retval = ms_switch_clock(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = mg_send_ex_cmd(chip, MG_MAKE_RMS, 0); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_KEY_FAIL_NOT_AUTHEN); + TRACE_RET(chip, retval); + } + + retval = + ms_read_bytes(chip, PRO_READ_SHORT_DATA, 32, WAIT_INT, buf1, 32); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_KEY_FAIL_NOT_AUTHEN); + TRACE_RET(chip, retval); + } + retval = mg_check_int_error(chip); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_KEY_FAIL_NOT_AUTHEN); + TRACE_RET(chip, retval); + } + + buf2[0] = 0x00; + buf2[1] = 0x22; + buf2[2] = 0x00; + buf2[3] = 0x00; + + memcpy(buf2 + 4, ms_card->magic_gate_id, 16); + memcpy(buf2 + 20, buf1, 16); + + bufflen = min(36, (int)scsi_bufflen(srb)); + rts51x_set_xfer_buf(buf2, bufflen, srb); + + for (i = 0; i < 2500; i++) { + RTS51X_READ_REG(chip, MS_TRANS_CFG, &tmp); + if (tmp & (MS_INT_CED | MS_INT_CMDNK | + MS_INT_BREQ | MS_INT_ERR)) + break; + + wait_timeout(1); + } + + if (i == 2500) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_KEY_FAIL_NOT_AUTHEN); + TRACE_RET(chip, STATUS_FAIL); + } + + return STATUS_SUCCESS; +} + +/** + * Send response(host) to medium. + + * After receiving this SCSI command, adapter shall sequentially + * issues TPC commands to the medium for writing 8-bytes data as + * challenge by host within a short data packet. + */ +int rts51x_mg_rsp(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval; + int i; + int bufflen; + unsigned int lun = SCSI_LUN(srb); + u8 buf[32]; + + RTS51X_DEBUGP("--%s--\n", __func__); + + rts51x_ms_cleanup_work(chip); + + retval = ms_switch_clock(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = mg_send_ex_cmd(chip, MG_MAKE_KSE, 0); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_KEY_FAIL_NOT_AUTHEN); + TRACE_RET(chip, retval); + } + + bufflen = min(12, (int)scsi_bufflen(srb)); + rts51x_get_xfer_buf(buf, bufflen, srb); + + for (i = 0; i < 8; i++) + buf[i] = buf[4 + i]; + for (i = 0; i < 24; i++) + buf[8 + i] = 0; + retval = + ms_write_bytes(chip, PRO_WRITE_SHORT_DATA, 32, WAIT_INT, buf, 32); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_KEY_FAIL_NOT_AUTHEN); + TRACE_RET(chip, retval); + } + retval = mg_check_int_error(chip); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_KEY_FAIL_NOT_AUTHEN); + TRACE_RET(chip, retval); + } + + ms_card->mg_auth = 1; + + return STATUS_SUCCESS; +} + +/** * Send ICV data to host. + + * After receiving this SCSI command, adapter shall read the divided + * data(1024 bytes totally) from medium by using READ_LONG_DATA TPC + * for 2 times, and report data to host with data-length is 1028 bytes. + * + * Since the extra 4 bytes data is just only a prefix to original data + * that read from medium, so that the 4-byte data pushed into Ring buffer + * precedes data transmission from medium to Ring buffer by DMA mechanism + * in order to get maximum performance and minimum code size simultaneously. + */ +int rts51x_mg_get_ICV(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval; + int bufflen; + unsigned int lun = SCSI_LUN(srb); + u8 *buf = NULL; + + RTS51X_DEBUGP("--%s--\n", __func__); + + rts51x_ms_cleanup_work(chip); + + retval = ms_switch_clock(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + buf = kmalloc(1028, GFP_KERNEL); + if (!buf) + TRACE_RET(chip, STATUS_NOMEM); + + buf[0] = 0x04; + buf[1] = 0x02; + buf[2] = 0x00; + buf[3] = 0x00; + + retval = mg_send_ex_cmd(chip, MG_GET_IBD, ms_card->mg_entry_num); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR); + TRACE_GOTO(chip, GetICVFinish); + } + + retval = ms_transfer_data(chip, MS_TM_AUTO_READ, PRO_READ_LONG_DATA, + 2, WAIT_INT, 0, 0, buf + 4, 1024); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR); + rts51x_write_register(chip, CARD_STOP, MS_STOP | MS_CLR_ERR, + MS_STOP | MS_CLR_ERR); + TRACE_GOTO(chip, GetICVFinish); + } + retval = mg_check_int_error(chip); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR); + TRACE_GOTO(chip, GetICVFinish); + } + + bufflen = min(1028, (int)scsi_bufflen(srb)); + rts51x_set_xfer_buf(buf, bufflen, srb); + +GetICVFinish: + kfree(buf); + return retval; +} + +/** + * Send ICV data to medium. + + * After receiving this SCSI command, adapter shall receive 1028 bytes + * and write the later 1024 bytes to medium by WRITE_LONG_DATA TPC + * consecutively. + * + * Since the first 4-bytes data is just only a prefix to original data + * that sent by host, and it should be skipped by shifting DMA pointer + * before writing 1024 bytes to medium. + */ +int rts51x_mg_set_ICV(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + struct ms_info *ms_card = &(chip->ms_card); + int retval; + int bufflen; +#ifdef MG_SET_ICV_SLOW + int i; +#endif + unsigned int lun = SCSI_LUN(srb); + u8 *buf = NULL; + + RTS51X_DEBUGP("--%s--\n", __func__); + + rts51x_ms_cleanup_work(chip); + + retval = ms_switch_clock(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + buf = kmalloc(1028, GFP_KERNEL); + if (!buf) + TRACE_RET(chip, STATUS_NOMEM); + + bufflen = min(1028, (int)scsi_bufflen(srb)); + rts51x_get_xfer_buf(buf, bufflen, srb); + + retval = mg_send_ex_cmd(chip, MG_SET_IBD, ms_card->mg_entry_num); + if (retval != STATUS_SUCCESS) { + if (ms_card->mg_auth == 0) { + if ((buf[5] & 0xC0) != 0) + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MG_KEY_FAIL_NOT_ESTAB); + else + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MG_WRITE_ERR); + } else { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_WRITE_ERR); + } + TRACE_GOTO(chip, SetICVFinish); + } + +#ifdef MG_SET_ICV_SLOW + for (i = 0; i < 2; i++) { + udelay(50); + + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TPC, 0xFF, + PRO_WRITE_LONG_DATA); + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANS_CFG, 0xFF, + WAIT_INT); + + rts51x_trans_dma_enable(DMA_TO_DEVICE, chip, 512, DMA_512); + + rts51x_add_cmd(chip, WRITE_REG_CMD, MS_TRANSFER, 0xFF, + MS_TRANSFER_START | MS_TM_NORMAL_WRITE); + rts51x_add_cmd(chip, CHECK_REG_CMD, MS_TRANSFER, + MS_TRANSFER_END, MS_TRANSFER_END); + + retval = rts51x_send_cmd(chip, MODE_CDOR, 100); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_WRITE_ERR); + TRACE_GOTO(chip, SetICVFinish); + } + + retval = rts51x_transfer_data_rcc(chip, SND_BULK_PIPE(chip), + buf + 4 + i * 512, 512, 0, + NULL, 3000, STAGE_DO); + if (retval != STATUS_SUCCESS) { + rts51x_clear_ms_error(chip); + if (ms_card->mg_auth == 0) { + if ((buf[5] & 0xC0) != 0) + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MG_KEY_FAIL_NOT_ESTAB); + else + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MG_WRITE_ERR); + } else { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MG_WRITE_ERR); + } + retval = STATUS_FAIL; + TRACE_GOTO(chip, SetICVFinish); + } + + retval = rts51x_get_rsp(chip, 1, 3000); + if (CHECK_MS_TRANS_FAIL(chip, retval) + || mg_check_int_error(chip)) { + rts51x_clear_ms_error(chip); + if (ms_card->mg_auth == 0) { + if ((buf[5] & 0xC0) != 0) + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MG_KEY_FAIL_NOT_ESTAB); + else + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MG_WRITE_ERR); + } else { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MG_WRITE_ERR); + } + retval = STATUS_FAIL; + TRACE_GOTO(chip, SetICVFinish); + } + } +#else + retval = ms_transfer_data(chip, MS_TM_AUTO_WRITE, PRO_WRITE_LONG_DATA, + 2, WAIT_INT, 0, 0, buf + 4, 1024); + if (retval != STATUS_SUCCESS) { + rts51x_clear_ms_error(chip); + if (ms_card->mg_auth == 0) { + if ((buf[5] & 0xC0) != 0) + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MG_KEY_FAIL_NOT_ESTAB); + else + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MG_WRITE_ERR); + } else { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_WRITE_ERR); + } + TRACE_GOTO(chip, SetICVFinish); + } +#endif + +SetICVFinish: + kfree(buf); + return retval; +} + +#endif /* SUPPORT_MAGIC_GATE */ diff --git a/drivers/staging/rts5139/ms_mg.h b/drivers/staging/rts5139/ms_mg.h new file mode 100644 index 000000000000..109c71290953 --- /dev/null +++ b/drivers/staging/rts5139/ms_mg.h @@ -0,0 +1,42 @@ +/* Driver for Realtek RTS51xx USB card reader + * Header file + * + * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, see <http://www.gnu.org/licenses/>. + * + * Author: + * wwang (wei_wang(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + * Maintainer: + * Edwin Rong (edwin_rong(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + */ + +#ifndef __RTS51X_MS_MG_H +#define __RTS51X_MS_MG_H + +#include "rts51x_chip.h" +#include "ms.h" + +int rts51x_mg_set_tpc_para_sub(struct rts51x_chip *chip, int type, u8 mg_entry_num); +int rts51x_mg_set_leaf_id(struct scsi_cmnd *srb, struct rts51x_chip *chip); +int rts51x_mg_get_local_EKB(struct scsi_cmnd *srb, struct rts51x_chip *chip); +int rts51x_mg_chg(struct scsi_cmnd *srb, struct rts51x_chip *chip); +int rts51x_mg_get_rsp_chg(struct scsi_cmnd *srb, struct rts51x_chip *chip); +int rts51x_mg_rsp(struct scsi_cmnd *srb, struct rts51x_chip *chip); +int rts51x_mg_get_ICV(struct scsi_cmnd *srb, struct rts51x_chip *chip); +int rts51x_mg_set_ICV(struct scsi_cmnd *srb, struct rts51x_chip *chip); + +#endif /* __RTS51X_MS_MG_H */ diff --git a/drivers/staging/rts5139/rts51x.c b/drivers/staging/rts5139/rts51x.c new file mode 100644 index 000000000000..8529cbabc554 --- /dev/null +++ b/drivers/staging/rts5139/rts51x.c @@ -0,0 +1,846 @@ +/* Driver for Realtek RTS51xx USB card reader + * + * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, see <http://www.gnu.org/licenses/>. + * + * Author: + * wwang (wei_wang(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + * Maintainer: + * Edwin Rong (edwin_rong(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + */ + +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + +#include <linux/blkdev.h> +#include <linux/kthread.h> +#include <linux/sched.h> +#include <linux/workqueue.h> +#include <linux/errno.h> +#include <linux/freezer.h> +#include <linux/module.h> +#include <linux/slab.h> +#include <linux/mutex.h> +#include <linux/utsname.h> +#include <linux/usb.h> + +#include <scsi/scsi.h> +#include <scsi/scsi_cmnd.h> +#include <scsi/scsi_device.h> +#include <scsi/scsi_devinfo.h> +#include <scsi/scsi_eh.h> +#include <scsi/scsi_host.h> + +#include "debug.h" +#include "ms.h" +#include "rts51x.h" +#include "rts51x_chip.h" +#include "rts51x_card.h" +#include "rts51x_scsi.h" +#include "rts51x_transport.h" +#include "rts51x_fop.h" + +MODULE_DESCRIPTION(RTS51X_DESC); +MODULE_LICENSE("GPL"); +MODULE_VERSION(DRIVER_VERSION); + +static int auto_delink_en; +module_param(auto_delink_en, int, S_IRUGO | S_IWUSR); +MODULE_PARM_DESC(auto_delink_en, "enable auto delink"); + +static int ss_en; +module_param(ss_en, int, S_IRUGO | S_IWUSR); +MODULE_PARM_DESC(ss_en, "enable selective suspend"); + +static int ss_delay = 50; +module_param(ss_delay, int, S_IRUGO | S_IWUSR); +MODULE_PARM_DESC(ss_delay, + "seconds to delay before entering selective suspend"); + +static int needs_remote_wakeup; +module_param(needs_remote_wakeup, int, S_IRUGO | S_IWUSR); +MODULE_PARM_DESC(needs_remote_wakeup, "ss state needs remote wakeup supported"); + +#ifdef SUPPORT_FILE_OP +static const struct file_operations rts51x_fops = { + .owner = THIS_MODULE, + .read = rts51x_read, + .write = rts51x_write, + .unlocked_ioctl = rts51x_ioctl, + .open = rts51x_open, + .release = rts51x_release, +}; + +/* + * usb class driver info in order to get a minor number from the usb core, + * and to have the device registered with the driver core + */ +static struct usb_class_driver rts51x_class = { + .name = "rts51x%d", + .fops = &rts51x_fops, + .minor_base = 192, +}; +#endif + +#ifdef CONFIG_PM /* Minimal support for suspend and resume */ + +static inline void usb_autopm_enable(struct usb_interface *intf) +{ + atomic_set(&intf->pm_usage_cnt, 1); + usb_autopm_put_interface(intf); +} + +static inline void usb_autopm_disable(struct usb_interface *intf) +{ + atomic_set(&intf->pm_usage_cnt, 0); + usb_autopm_get_interface(intf); +} + +static void rts51x_try_to_enter_ss(struct rts51x_chip *chip) +{ + pr_debug("Ready to enter SS state\n"); + usb_autopm_enable(chip->usb->pusb_intf); +} + +void rts51x_try_to_exit_ss(struct rts51x_chip *chip) +{ + pr_debug("Exit from SS state\n"); + usb_autopm_disable(chip->usb->pusb_intf); +} + +int rts51x_suspend(struct usb_interface *iface, pm_message_t message) +{ + struct rts51x_chip *chip = usb_get_intfdata(iface); + + pr_debug("%s, message.event = 0x%x\n", __func__, message.event); + + /* Wait until no command is running */ + mutex_lock(&chip->usb->dev_mutex); + + chip->fake_card_ready = chip->card_ready; + rts51x_do_before_power_down(chip); + + if (message.event == PM_EVENT_AUTO_SUSPEND) { + pr_debug("Enter SS state"); + chip->resume_from_scsi = 0; + RTS51X_SET_STAT(chip, STAT_SS); + } else { + pr_debug("Enter SUSPEND state"); + RTS51X_SET_STAT(chip, STAT_SUSPEND); + } + + /* When runtime PM is working, we'll set a flag to indicate + * whether we should autoresume when a SCSI request arrives. */ + + mutex_unlock(&chip->usb->dev_mutex); + return 0; +} + +int rts51x_resume(struct usb_interface *iface) +{ + struct rts51x_chip *chip = usb_get_intfdata(iface); + + pr_debug("%s\n", __func__); + + if (!RTS51X_CHK_STAT(chip, STAT_SS) || !chip->resume_from_scsi) { + mutex_lock(&chip->usb->dev_mutex); + + if (chip->option.ss_en) { + if (GET_PM_USAGE_CNT(chip) <= 0) { + /* Remote wake up, increase pm_usage_cnt */ + pr_debug("Incr pm_usage_cnt\n"); + SET_PM_USAGE_CNT(chip, 1); + } + } + + RTS51X_SET_STAT(chip, STAT_RUN); + + rts51x_init_chip(chip); + rts51x_init_cards(chip); + + mutex_unlock(&chip->usb->dev_mutex); + } + + return 0; +} + +int rts51x_reset_resume(struct usb_interface *iface) +{ + struct rts51x_chip *chip = usb_get_intfdata(iface); + + pr_debug("%s\n", __func__); + + mutex_lock(&chip->usb->dev_mutex); + + RTS51X_SET_STAT(chip, STAT_RUN); + + if (chip->option.ss_en) + SET_PM_USAGE_CNT(chip, 1); + + rts51x_init_chip(chip); + rts51x_init_cards(chip); + + mutex_unlock(&chip->usb->dev_mutex); + + /* FIXME: Notify the subdrivers that they need to reinitialize + * the device */ + return 0; +} + +#else /* CONFIG_PM */ + +static void rts51x_try_to_enter_ss(struct rts51x_chip *chip) +{ +} + +void rts51x_try_to_exit_ss(struct rts51x_chip *chip) +{ +} + +#endif /* CONFIG_PM */ + +/* + * The next two routines get called just before and just after + * a USB port reset, whether from this driver or a different one. + */ + +static int rts51x_pre_reset(struct usb_interface *iface) +{ + struct rts51x_chip *chip = usb_get_intfdata(iface); + + pr_debug("%s\n", __func__); + + /* Make sure no command runs during the reset */ + mutex_lock(&chip->usb->dev_mutex); + return 0; +} + +static int rts51x_post_reset(struct usb_interface *iface) +{ + struct rts51x_chip *chip = usb_get_intfdata(iface); + + pr_debug("%s\n", __func__); + + /* Report the reset to the SCSI core */ + /* usb_stor_report_bus_reset(us); */ + + /* FIXME: Notify the subdrivers that they need to reinitialize + * the device */ + + mutex_unlock(&chip->usb->dev_mutex); + return 0; +} + +static int rts51x_control_thread(void *__chip) +{ + struct rts51x_chip *chip = (struct rts51x_chip *)__chip; + struct Scsi_Host *host = rts51x_to_host(chip); + + for (;;) { + if (wait_for_completion_interruptible(&chip->usb->cmnd_ready)) + break; + + if (test_bit(FLIDX_DISCONNECTING, &chip->usb->dflags)) { + pr_debug("-- exiting from rts51x-control\n"); + break; + } + + /* lock the device pointers */ + mutex_lock(&(chip->usb->dev_mutex)); + + /* lock access to the state */ + scsi_lock(host); + + /* When we are called with no command pending, we're done */ + if (chip->srb == NULL) { + scsi_unlock(host); + mutex_unlock(&chip->usb->dev_mutex); + pr_debug("-- exiting from control thread\n"); + break; + } + + /* has the command timed out *already* ? */ + if (test_bit(FLIDX_TIMED_OUT, &chip->usb->dflags)) { + chip->srb->result = DID_ABORT << 16; + goto abort; + } + + scsi_unlock(host); + + /* reject the command if the direction indicator + * is UNKNOWN + */ + if (chip->srb->sc_data_direction == DMA_BIDIRECTIONAL) { + pr_debug("UNKNOWN data direction\n"); + chip->srb->result = DID_ERROR << 16; + } + + /* reject if target != 0 or if LUN is higher than + * the maximum known LUN + */ + else if (chip->srb->device->id) { + pr_debug("Bad target number (%d:%d)\n", + chip->srb->device->id, + chip->srb->device->lun); + chip->srb->result = DID_BAD_TARGET << 16; + } + + else if (chip->srb->device->lun > chip->max_lun) { + pr_debug("Bad LUN (%d:%d)\n", + chip->srb->device->id, + chip->srb->device->lun); + chip->srb->result = DID_BAD_TARGET << 16; + } + + /* we've got a command, let's do it! */ + else { + RTS51X_DEBUG(rts51x_scsi_show_command(chip->srb)); + rts51x_invoke_transport(chip->srb, chip); + } + + /* lock access to the state */ + scsi_lock(host); + + /* indicate that the command is done */ + if (chip->srb->result != DID_ABORT << 16) + chip->srb->scsi_done(chip->srb); + else +abort : + pr_debug("scsi command aborted\n"); + + /* If an abort request was received we need to signal that + * the abort has finished. The proper test for this is + * the TIMED_OUT flag, not srb->result == DID_ABORT, because + * the timeout might have occurred after the command had + * already completed with a different result code. */ + if (test_bit(FLIDX_TIMED_OUT, &chip->usb->dflags)) { + complete(&(chip->usb->notify)); + + /* Allow USB transfers to resume */ + clear_bit(FLIDX_ABORTING, &chip->usb->dflags); + clear_bit(FLIDX_TIMED_OUT, &chip->usb->dflags); + } + + /* finished working on this command */ + chip->srb = NULL; + scsi_unlock(host); + + /* unlock the device pointers */ + mutex_unlock(&chip->usb->dev_mutex); + } /* for (;;) */ + + complete(&chip->usb->control_exit); + + /* Wait until we are told to stop */ +/* for (;;) { + set_current_state(TASK_INTERRUPTIBLE); + if (kthread_should_stop()) + break; + schedule(); + } + __set_current_state(TASK_RUNNING);*/ + return 0; +} + +static int rts51x_polling_thread(void *__chip) +{ + struct rts51x_chip *chip = (struct rts51x_chip *)__chip; + + for (;;) { + wait_timeout(POLLING_INTERVAL); + + /* if the device has disconnected, we are free to exit */ + if (test_bit(FLIDX_DISCONNECTING, &chip->usb->dflags)) { + pr_debug("-- exiting from rts51x-polling\n"); + break; + } + + /* if the device has disconnected, we are free to exit */ + /* if (kthread_should_stop()) { + printk(KERN_INFO "Stop polling thread!\n"); + break; + } */ + +#ifdef CONFIG_PM + if (RTS51X_CHK_STAT(chip, STAT_SS) || + RTS51X_CHK_STAT(chip, STAT_SS_PRE) || + RTS51X_CHK_STAT(chip, STAT_SUSPEND)) { + continue; + } + + if (ss_en) { + if (RTS51X_CHK_STAT(chip, STAT_IDLE)) { + if (chip->ss_counter < + (ss_delay * 1000 / POLLING_INTERVAL)) { + chip->ss_counter++; + } else { + /* Prepare SS state */ + RTS51X_SET_STAT(chip, STAT_SS_PRE); + rts51x_try_to_enter_ss(chip); + continue; + } + } else { + chip->ss_counter = 0; + } + } +#endif + + rts51x_mspro_polling_format_status(chip); + + /* lock the device pointers */ + mutex_lock(&(chip->usb->dev_mutex)); + + rts51x_polling_func(chip); + + /* unlock the device pointers */ + mutex_unlock(&chip->usb->dev_mutex); + } /* for (;;) */ + + complete(&chip->usb->polling_exit); + + /* Wait until we are told to stop */ + /* for (;;) { + set_current_state(TASK_INTERRUPTIBLE); + if (kthread_should_stop()) + break; + schedule(); + } + __set_current_state(TASK_RUNNING); */ + return 0; +} + +/* Associate our private data with the USB device */ +static int associate_dev(struct rts51x_chip *chip, struct usb_interface *intf) +{ + struct rts51x_usb *rts51x = chip->usb; +#ifdef SUPPORT_FILE_OP + int retval; +#endif + + /* Fill in the device-related fields */ + rts51x->pusb_dev = interface_to_usbdev(intf); + rts51x->pusb_intf = intf; + rts51x->ifnum = intf->cur_altsetting->desc.bInterfaceNumber; + pr_debug("Vendor: 0x%04x, Product: 0x%04x, Revision: 0x%04x\n", + le16_to_cpu(rts51x->pusb_dev->descriptor.idVendor), + le16_to_cpu(rts51x->pusb_dev->descriptor.idProduct), + le16_to_cpu(rts51x->pusb_dev->descriptor.bcdDevice)); + pr_debug("Interface Subclass: 0x%02x, Protocol: 0x%02x\n", + intf->cur_altsetting->desc.bInterfaceSubClass, + intf->cur_altsetting->desc.bInterfaceProtocol); + + /* Store our private data in the interface */ + usb_set_intfdata(intf, chip); + +#ifdef SUPPORT_FILE_OP + /* we can register the device now, as it is ready */ + retval = usb_register_dev(intf, &rts51x_class); + if (retval) { + /* something prevented us from registering this driver */ + pr_debug("Not able to get a minor for this device."); + usb_set_intfdata(intf, NULL); + return -ENOMEM; + } +#endif + + /* Allocate the device-related DMA-mapped buffers */ + rts51x->cr = usb_buffer_alloc(rts51x->pusb_dev, sizeof(*rts51x->cr), + GFP_KERNEL, &rts51x->cr_dma); + if (!rts51x->cr) { + usb_set_intfdata(intf, NULL); + return -ENOMEM; + } + + rts51x->iobuf = usb_buffer_alloc(rts51x->pusb_dev, RTS51X_IOBUF_SIZE, + GFP_KERNEL, &rts51x->iobuf_dma); + if (!rts51x->iobuf) { + usb_set_intfdata(intf, NULL); + return -ENOMEM; + } + return 0; +} + +static void rts51x_init_options(struct rts51x_chip *chip) +{ + struct rts51x_option *option = &(chip->option); + + option->rts51x_mspro_formatter_enable = 1; + + option->fpga_sd_sdr104_clk = CLK_100; + option->fpga_sd_sdr50_clk = CLK_100; + option->fpga_sd_ddr50_clk = CLK_100; + option->fpga_sd_hs_clk = CLK_100; + option->fpga_mmc_52m_clk = CLK_80; + option->fpga_ms_hg_clk = CLK_80; + option->fpga_ms_4bit_clk = CLK_80; + + option->asic_sd_sdr104_clk = 98; + option->asic_sd_sdr50_clk = 98; + option->asic_sd_ddr50_clk = 98; + option->asic_sd_hs_clk = 97; + option->asic_mmc_52m_clk = 95; + option->asic_ms_hg_clk = 116; + option->asic_ms_4bit_clk = 77; + + option->sd_ddr_tx_phase = 0; + option->mmc_ddr_tx_phase = 1; + + option->sd_speed_prior = 0; + option->sd_ctl = + SD_PUSH_POINT_AUTO | SD_SAMPLE_POINT_AUTO | SUPPORT_UHS50_MMC44; + + option->ss_en = ss_en; + option->ss_delay = ss_delay; + + option->auto_delink_en = auto_delink_en; + + option->FT2_fast_mode = 0; + option->pwr_delay = 800; + option->rts51x_xd_rw_step = 0; + option->D3318_off_delay = 50; + option->delink_delay = 100; + option->rts5129_D3318_off_enable = 0; + option->sd20_pad_drive = 0; + option->reset_or_rw_fail_set_pad_drive = 1; + option->debounce_num = 2; + option->led_toggle_interval = 6; + option->rts51x_xd_rwn_step = 0; + option->sd_send_status_en = 0; + option->sdr50_tx_phase = 0x01; + option->sdr50_rx_phase = 0x05; + option->ddr50_tx_phase = 0x09; + option->ddr50_rx_phase = 0x06; + option->sdr50_phase_sel = 0; + option->sd30_pad_drive = 1; + option->ms_errreg_fix = 0; + option->reset_mmc_first = 0; + option->speed_mmc = 1; + option->led_always_on = 0; +} + +/* Get the pipe settings */ +static int get_pipes(struct rts51x_chip *chip) +{ + struct rts51x_usb *rts51x = chip->usb; + struct usb_host_interface *altsetting = + rts51x->pusb_intf->cur_altsetting; + int i; + struct usb_endpoint_descriptor *ep; + struct usb_endpoint_descriptor *ep_in = NULL; + struct usb_endpoint_descriptor *ep_out = NULL; + struct usb_endpoint_descriptor *ep_int = NULL; + + /* + * Find the first endpoint of each type we need. + * We are expecting a minimum of 2 endpoints - in and out (bulk). + * An optional interrupt-in is OK (necessary for CBI protocol). + * We will ignore any others. + */ + for (i = 0; i < altsetting->desc.bNumEndpoints; i++) { + ep = &altsetting->endpoint[i].desc; + + if (usb_endpoint_xfer_bulk(ep)) { + if (usb_endpoint_dir_in(ep)) { + if (!ep_in) + ep_in = ep; + } else { + if (!ep_out) + ep_out = ep; + } + } + + else if (usb_endpoint_is_int_in(ep)) { + if (!ep_int) + ep_int = ep; + } + } + + if (!ep_in || !ep_out) { + pr_debug("Endpoint sanity check failed! Rejecting dev.\n"); + return -EIO; + } + + /* Calculate and store the pipe values */ + rts51x->send_ctrl_pipe = usb_sndctrlpipe(rts51x->pusb_dev, 0); + rts51x->recv_ctrl_pipe = usb_rcvctrlpipe(rts51x->pusb_dev, 0); + rts51x->send_bulk_pipe = usb_sndbulkpipe(rts51x->pusb_dev, + usb_endpoint_num(ep_out)); + rts51x->recv_bulk_pipe = usb_rcvbulkpipe(rts51x->pusb_dev, + usb_endpoint_num(ep_in)); + if (ep_int) { + rts51x->recv_intr_pipe = usb_rcvintpipe(rts51x->pusb_dev, + usb_endpoint_num + (ep_int)); + rts51x->ep_bInterval = ep_int->bInterval; + } + return 0; +} + +/* Initialize all the dynamic resources we need */ +static int rts51x_acquire_resources(struct rts51x_chip *chip) +{ + struct rts51x_usb *rts51x = chip->usb; + int retval; + + rts51x->current_urb = usb_alloc_urb(0, GFP_KERNEL); + if (!rts51x->current_urb) + return -ENOMEM; + + rts51x->intr_urb = usb_alloc_urb(0, GFP_KERNEL); + if (!rts51x->intr_urb) + return -ENOMEM; + + chip->cmd_buf = rts51x->iobuf; + chip->rsp_buf = rts51x->iobuf; + + rts51x_init_options(chip); + + /* Init rts51xx device */ + retval = rts51x_init_chip(chip); + if (retval != STATUS_SUCCESS) + return -EIO; + + return 0; +} + +/* Release all our dynamic resources */ +static void rts51x_release_resources(struct rts51x_chip *chip) +{ + pr_debug("-- %s\n", __func__); + + /* Tell the control thread to exit. The SCSI host must + * already have been removed and the DISCONNECTING flag set + * so that we won't accept any more commands. + */ + pr_debug("-- sending exit command to thread\n"); + complete(&chip->usb->cmnd_ready); + if (chip->usb->ctl_thread) + wait_for_completion(&chip->usb->control_exit); + /* kthread_stop(chip->usb->ctl_thread); */ + if (chip->usb->polling_thread) + wait_for_completion(&chip->usb->polling_exit); + + /* if (chip->usb->polling_thread) + kthread_stop(chip->usb->polling_thread); */ + + wait_timeout(200); + + /* Release rts51xx device here */ + rts51x_release_chip(chip); + + usb_free_urb(chip->usb->current_urb); + usb_free_urb(chip->usb->intr_urb); +} + +/* Dissociate from the USB device */ +static void dissociate_dev(struct rts51x_chip *chip) +{ + struct rts51x_usb *rts51x = chip->usb; + + pr_debug("-- %s\n", __func__); + + /* Free the device-related DMA-mapped buffers */ + if (rts51x->cr) + usb_buffer_free(rts51x->pusb_dev, sizeof(*rts51x->cr), + rts51x->cr, rts51x->cr_dma); + if (rts51x->iobuf) + usb_buffer_free(rts51x->pusb_dev, RTS51X_IOBUF_SIZE, + rts51x->iobuf, rts51x->iobuf_dma); + + /* Remove our private data from the interface */ + usb_set_intfdata(rts51x->pusb_intf, NULL); + +#ifdef SUPPORT_FILE_OP + /* give back our minor */ + usb_deregister_dev(rts51x->pusb_intf, &rts51x_class); +#endif + + kfree(rts51x); + chip->usb = NULL; +} + +/* First stage of disconnect processing: stop SCSI scanning, + * remove the host, and stop accepting new commands + */ +static void quiesce_and_remove_host(struct rts51x_chip *chip) +{ + struct rts51x_usb *rts51x = chip->usb; + struct Scsi_Host *host = rts51x_to_host(chip); + + /* If the device is really gone, cut short reset delays */ + if (rts51x->pusb_dev->state == USB_STATE_NOTATTACHED) + set_bit(FLIDX_DISCONNECTING, &rts51x->dflags); + + /* Removing the host will perform an orderly shutdown: caches + * synchronized, disks spun down, etc. + */ + scsi_remove_host(host); + + /* Prevent any new commands from being accepted and cut short + * reset delays. + */ + scsi_lock(host); + set_bit(FLIDX_DISCONNECTING, &rts51x->dflags); + scsi_unlock(host); +} + +/* Second stage of disconnect processing: deallocate all resources */ +static void release_everything(struct rts51x_chip *chip) +{ + rts51x_release_resources(chip); + dissociate_dev(chip); + + /* Drop our reference to the host; the SCSI core will free it + * (and "chip" along with it) when the refcount becomes 0. */ + scsi_host_put(rts51x_to_host(chip)); +} + +static int rts51x_probe(struct usb_interface *intf, + const struct usb_device_id *id) +{ + struct Scsi_Host *host; + struct rts51x_chip *chip; + struct rts51x_usb *rts51x; + int result; + struct task_struct *th; + + pr_debug("%s detected\n", RTS51X_NAME); + + rts51x = kzalloc(sizeof(*rts51x), GFP_KERNEL); + if (!rts51x) + return -ENOMEM; + + /* + * Ask the SCSI layer to allocate a host structure, with extra + * space at the end for our private us_data structure. + */ + host = scsi_host_alloc(&rts51x_host_template, sizeof(*chip)); + if (!host) { + kfree(rts51x); + return -ENOMEM; + } + + /* + * Allow 16-byte CDBs and thus > 2TB + */ + host->max_cmd_len = 16; + chip = host_to_rts51x(host); + memset(chip, 0, sizeof(struct rts51x_chip)); + + chip->vendor_id = id->idVendor; + chip->product_id = id->idProduct; + + mutex_init(&(rts51x->dev_mutex)); + init_completion(&rts51x->cmnd_ready); + init_completion(&rts51x->control_exit); + init_completion(&rts51x->polling_exit); + init_completion(&(rts51x->notify)); + + chip->usb = rts51x; + + /* Associate the us_data structure with the USB device */ + result = associate_dev(chip, intf); + if (result) + goto bad_device; + + /* Find the endpoints and calculate pipe values */ + result = get_pipes(chip); + if (result) + goto bad_device; + + /* Acquire all the other resources and add the host */ + result = rts51x_acquire_resources(chip); + if (result) + goto bad_device; + + /* Start up our control thread */ + th = kthread_run(rts51x_control_thread, chip, RTS51X_CTL_THREAD); + if (IS_ERR(th)) { + pr_warn("Unable to start control thread\n"); + result = PTR_ERR(th); + goto bad_device; + } + rts51x->ctl_thread = th; + + result = scsi_add_host(rts51x_to_host(chip), &rts51x->pusb_intf->dev); + if (result) { + pr_warn("Unable to add the scsi host\n"); + goto bad_device; + } + scsi_scan_host(rts51x_to_host(chip)); + + /* Start up our polling thread */ + th = kthread_run(rts51x_polling_thread, chip, RTS51X_POLLING_THREAD); + if (IS_ERR(th)) { + pr_warn("Unable to start polling thread\n"); + result = PTR_ERR(th); + goto bad_device; + } + rts51x->polling_thread = th; + +#ifdef CONFIG_PM + if (ss_en) { + rts51x->pusb_intf->needs_remote_wakeup = needs_remote_wakeup; + SET_PM_USAGE_CNT(chip, 1); + pr_debug("pm_usage_cnt = %d\n", GET_PM_USAGE_CNT(chip)); + } +#endif + + return 0; + + /* We come here if there are any problems */ +bad_device: + pr_debug("rts51x_probe() failed\n"); + release_everything(chip); + return result; +} + +static void rts51x_disconnect(struct usb_interface *intf) +{ + struct rts51x_chip *chip = (struct rts51x_chip *)usb_get_intfdata(intf); + + pr_debug("rts51x_disconnect() called\n"); + quiesce_and_remove_host(chip); + release_everything(chip); +} + +/*********************************************************************** + * Initialization and registration + ***********************************************************************/ + +static struct usb_device_id rts5139_usb_ids[] = { + {USB_DEVICE(0x0BDA, 0x0139)}, + {USB_DEVICE(0x0BDA, 0x0129)}, + {} /* Terminating entry */ +}; +EXPORT_SYMBOL_GPL(rts5139_usb_ids); + +MODULE_DEVICE_TABLE(usb, rts5139_usb_ids); + +struct usb_driver rts51x_driver = { + .name = RTS51X_NAME, + .probe = rts51x_probe, + .disconnect = rts51x_disconnect, + .suspend = rts51x_suspend, + .resume = rts51x_resume, + .reset_resume = rts51x_reset_resume, + .pre_reset = rts51x_pre_reset, + .post_reset = rts51x_post_reset, + .id_table = rts5139_usb_ids, + .soft_unbind = 1, +}; + +module_usb_driver(rts51x_driver); diff --git a/drivers/staging/rts5139/rts51x.h b/drivers/staging/rts5139/rts51x.h new file mode 100644 index 000000000000..ecc0109a5b1a --- /dev/null +++ b/drivers/staging/rts5139/rts51x.h @@ -0,0 +1,194 @@ +/* Driver for Realtek RTS51xx USB card reader + * Header file + * + * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, see <http://www.gnu.org/licenses/>. + * + * Author: + * wwang (wei_wang(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + * Maintainer: + * Edwin Rong (edwin_rong(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + */ + +#ifndef __RTS51X_H +#define __RTS51X_H + +#include <linux/usb.h> +#include <linux/usb_usual.h> +#include <linux/blkdev.h> +#include <linux/completion.h> +#include <linux/mutex.h> +#include <linux/cdrom.h> +#include <linux/kernel.h> + +#include <scsi/scsi.h> +#include <scsi/scsi_cmnd.h> +#include <scsi/scsi_device.h> +#include <scsi/scsi_devinfo.h> +#include <scsi/scsi_eh.h> +#include <scsi/scsi_host.h> + +#define DRIVER_VERSION "v1.04" + +#define RTS51X_DESC "Realtek RTS5139/29 USB card reader driver" +#define RTS51X_NAME "rts5139" +#define RTS51X_CTL_THREAD "rts5139-control" +#define RTS51X_POLLING_THREAD "rts5139-polling" + +#define POLLING_IN_THREAD +#define SUPPORT_FILE_OP + +#define wait_timeout_x(task_state, msecs) \ +do { \ + set_current_state((task_state)); \ + schedule_timeout((msecs) * HZ / 1000); \ +} while (0) + +#define wait_timeout(msecs) wait_timeout_x(TASK_INTERRUPTIBLE, (msecs)) + +#define SCSI_LUN(srb) ((srb)->device->lun) + +/* Size of the DMA-mapped I/O buffer */ +#define RTS51X_IOBUF_SIZE 1024 + +/* Dynamic bitflag definitions (dflags): used in set_bit() etc. */ +#define FLIDX_URB_ACTIVE 0 /* current_urb is in use */ +#define FLIDX_SG_ACTIVE 1 /* current_sg is in use */ +#define FLIDX_ABORTING 2 /* abort is in progress */ +#define FLIDX_DISCONNECTING 3 /* disconnect in progress */ +#define FLIDX_RESETTING 4 /* device reset in progress */ +#define FLIDX_TIMED_OUT 5 /* SCSI midlayer timed out */ + +struct rts51x_chip; + +struct rts51x_usb { + /* The device we're working with + * It's important to note: + * (o) you must hold dev_mutex to change pusb_dev + */ + struct mutex dev_mutex; /* protect pusb_dev */ + struct usb_device *pusb_dev; /* this usb_device */ + struct usb_interface *pusb_intf; /* this interface */ + + unsigned long dflags; /* dynamic atomic bitflags */ + + unsigned int send_bulk_pipe; /* cached pipe values */ + unsigned int recv_bulk_pipe; + unsigned int send_ctrl_pipe; + unsigned int recv_ctrl_pipe; + unsigned int recv_intr_pipe; + + u8 ifnum; /* interface number */ + u8 ep_bInterval; /* interrupt interval */ + + /* control and bulk communications data */ + struct urb *current_urb; /* USB requests */ + struct urb *intr_urb; /* Interrupt USB request */ + struct usb_ctrlrequest *cr; /* control requests */ + struct usb_sg_request current_sg; /* scatter-gather req. */ + unsigned char *iobuf; /* I/O buffer */ + dma_addr_t cr_dma; /* buffer DMA addresses */ + dma_addr_t iobuf_dma; + struct task_struct *ctl_thread; /* the control thread */ + struct task_struct *polling_thread; /* the polling thread */ + + /* mutual exclusion and synchronization structures */ + struct completion cmnd_ready; /* to sleep thread on */ + struct completion control_exit; /* control thread exit */ + struct completion polling_exit; /* polling thread exit */ + struct completion notify; /* thread begin/end */ +}; + +extern struct usb_driver rts51x_driver; + +static inline void get_current_time(u8 *timeval_buf, int buf_len) +{ + struct timeval tv; + + if (!timeval_buf || (buf_len < 8)) + return; + + do_gettimeofday(&tv); + + timeval_buf[0] = (u8) (tv.tv_sec >> 24); + timeval_buf[1] = (u8) (tv.tv_sec >> 16); + timeval_buf[2] = (u8) (tv.tv_sec >> 8); + timeval_buf[3] = (u8) (tv.tv_sec); + timeval_buf[4] = (u8) (tv.tv_usec >> 24); + timeval_buf[5] = (u8) (tv.tv_usec >> 16); + timeval_buf[6] = (u8) (tv.tv_usec >> 8); + timeval_buf[7] = (u8) (tv.tv_usec); +} + +#define SND_CTRL_PIPE(chip) ((chip)->usb->send_ctrl_pipe) +#define RCV_CTRL_PIPE(chip) ((chip)->usb->recv_ctrl_pipe) +#define SND_BULK_PIPE(chip) ((chip)->usb->send_bulk_pipe) +#define RCV_BULK_PIPE(chip) ((chip)->usb->recv_bulk_pipe) +#define RCV_INTR_PIPE(chip) ((chip)->usb->recv_intr_pipe) + +/* The scsi_lock() and scsi_unlock() macros protect the sm_state and the + * single queue element srb for write access */ +#define scsi_unlock(host) spin_unlock_irq(host->host_lock) +#define scsi_lock(host) spin_lock_irq(host->host_lock) + +#define GET_PM_USAGE_CNT(chip) \ + atomic_read(&((chip)->usb->pusb_intf->pm_usage_cnt)) +#define SET_PM_USAGE_CNT(chip, cnt) \ + atomic_set(&((chip)->usb->pusb_intf->pm_usage_cnt), (cnt)) + +/* Compatible macros while we switch over */ +static inline void *usb_buffer_alloc(struct usb_device *dev, size_t size, + gfp_t mem_flags, dma_addr_t *dma) +{ + return usb_alloc_coherent(dev, size, mem_flags, dma); +} + +static inline void usb_buffer_free(struct usb_device *dev, size_t size, + void *addr, dma_addr_t dma) +{ + return usb_free_coherent(dev, size, addr, dma); +} + +/* Convert between us_data and the corresponding Scsi_Host */ +static inline struct Scsi_Host *rts51x_to_host(struct rts51x_chip *chip) +{ + return container_of((void *)chip, struct Scsi_Host, hostdata); +} + +static inline struct rts51x_chip *host_to_rts51x(struct Scsi_Host *host) +{ + return (struct rts51x_chip *)(host->hostdata); +} + +/* struct scsi_cmnd transfer buffer access utilities */ +enum xfer_buf_dir { TO_XFER_BUF, FROM_XFER_BUF }; + +/* General routines provided by the usb-storage standard core */ +#ifdef CONFIG_PM +void rts51x_try_to_exit_ss(struct rts51x_chip *chip); +int rts51x_suspend(struct usb_interface *iface, pm_message_t message); +int rts51x_resume(struct usb_interface *iface); +int rts51x_reset_resume(struct usb_interface *iface); +#else +#define rts51x_suspend NULL +#define rts51x_resume NULL +#define rts51x_reset_resume NULL +#endif + +extern struct scsi_host_template rts51x_host_template; + +#endif /* __RTS51X_H */ diff --git a/drivers/staging/rts5139/rts51x_card.c b/drivers/staging/rts5139/rts51x_card.c new file mode 100644 index 000000000000..03456d9873e5 --- /dev/null +++ b/drivers/staging/rts5139/rts51x_card.c @@ -0,0 +1,940 @@ +/* Driver for Realtek RTS51xx USB card reader + * + * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, see <http://www.gnu.org/licenses/>. + * + * Author: + * wwang (wei_wang(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + * Maintainer: + * Edwin Rong (edwin_rong(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + */ + +#include <linux/blkdev.h> +#include <linux/kthread.h> +#include <linux/sched.h> +#include <linux/workqueue.h> + +#include <scsi/scsi.h> +#include <scsi/scsi_eh.h> +#include <scsi/scsi_device.h> + +#include "debug.h" +#include "rts51x.h" +#include "rts51x_chip.h" +#include "rts51x_card.h" +#include "rts51x_transport.h" +#include "xd.h" +#include "sd.h" +#include "ms.h" + +void rts51x_do_remaining_work(struct rts51x_chip *chip) +{ + struct sd_info *sd_card = &(chip->sd_card); + struct xd_info *xd_card = &(chip->xd_card); + struct ms_info *ms_card = &(chip->ms_card); + + if (chip->card_ready & SD_CARD) { + if (sd_card->seq_mode) { + RTS51X_SET_STAT(chip, STAT_RUN); + sd_card->counter++; + } else { + sd_card->counter = 0; + } + } + + if (chip->card_ready & XD_CARD) { + if (xd_card->delay_write.delay_write_flag) { + RTS51X_SET_STAT(chip, STAT_RUN); + xd_card->counter++; + } else { + xd_card->counter = 0; + } + } + + if (chip->card_ready & MS_CARD) { + if (CHK_MSPRO(ms_card)) { + if (ms_card->seq_mode) { + RTS51X_SET_STAT(chip, STAT_RUN); + ms_card->counter++; + } else { + ms_card->counter = 0; + } + } else { + if (ms_card->delay_write.delay_write_flag) { + RTS51X_SET_STAT(chip, STAT_RUN); + ms_card->counter++; + } else { + ms_card->counter = 0; + } + } + } + + if (sd_card->counter > POLLING_WAIT_CNT) + rts51x_sd_cleanup_work(chip); + + if (xd_card->counter > POLLING_WAIT_CNT) + rts51x_xd_cleanup_work(chip); + + if (ms_card->counter > POLLING_WAIT_CNT) + rts51x_ms_cleanup_work(chip); +} + +static void do_rts51x_reset_xd_card(struct rts51x_chip *chip) +{ + int retval; + + if (chip->card2lun[XD_CARD] >= MAX_ALLOWED_LUN_CNT) + return; + + retval = rts51x_reset_xd_card(chip); + if (retval == STATUS_SUCCESS) { + chip->card_ready |= XD_CARD; + chip->card_fail &= ~XD_CARD; + chip->rw_card[chip->card2lun[XD_CARD]] = rts51x_xd_rw; + } else { + chip->card_ready &= ~XD_CARD; + chip->card_fail |= XD_CARD; + chip->capacity[chip->card2lun[XD_CARD]] = 0; + chip->rw_card[chip->card2lun[XD_CARD]] = NULL; + + rts51x_init_cmd(chip); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_OE, XD_OUTPUT_EN, 0); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL, POWER_MASK, + POWER_OFF); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_CLK_EN, XD_CLK_EN, 0); + rts51x_send_cmd(chip, MODE_C, 100); + } +} + +void rts51x_do_rts51x_reset_sd_card(struct rts51x_chip *chip) +{ + int retval; + + if (chip->card2lun[SD_CARD] >= MAX_ALLOWED_LUN_CNT) + return; + + retval = rts51x_reset_sd_card(chip); + if (retval == STATUS_SUCCESS) { + chip->card_ready |= SD_CARD; + chip->card_fail &= ~SD_CARD; + chip->rw_card[chip->card2lun[SD_CARD]] = rts51x_sd_rw; + } else { + chip->card_ready &= ~SD_CARD; + chip->card_fail |= SD_CARD; + chip->capacity[chip->card2lun[SD_CARD]] = 0; + chip->rw_card[chip->card2lun[SD_CARD]] = NULL; + + rts51x_init_cmd(chip); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_OE, SD_OUTPUT_EN, 0); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL, POWER_MASK, + POWER_OFF); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_CLK_EN, SD_CLK_EN, 0); + rts51x_send_cmd(chip, MODE_C, 100); + } +} + +static void do_rts51x_reset_ms_card(struct rts51x_chip *chip) +{ + int retval; + + if (chip->card2lun[MS_CARD] >= MAX_ALLOWED_LUN_CNT) + return; + + retval = rts51x_reset_ms_card(chip); + if (retval == STATUS_SUCCESS) { + chip->card_ready |= MS_CARD; + chip->card_fail &= ~MS_CARD; + chip->rw_card[chip->card2lun[MS_CARD]] = rts51x_ms_rw; + } else { + chip->card_ready &= ~MS_CARD; + chip->card_fail |= MS_CARD; + chip->capacity[chip->card2lun[MS_CARD]] = 0; + chip->rw_card[chip->card2lun[MS_CARD]] = NULL; + + rts51x_init_cmd(chip); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_OE, MS_OUTPUT_EN, 0); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL, POWER_MASK, + POWER_OFF); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_CLK_EN, MS_CLK_EN, 0); + rts51x_send_cmd(chip, MODE_C, 100); + } +} + +static void card_cd_debounce(struct rts51x_chip *chip, u8 *need_reset, + u8 *need_release) +{ + int retval; + u8 release_map = 0, reset_map = 0; + u8 value; + + retval = rts51x_get_card_status(chip, &(chip->card_status)); +#ifdef SUPPORT_OCP + chip->ocp_stat = (chip->card_status >> 4) & 0x03; +#endif + + if (retval != STATUS_SUCCESS) + goto Exit_Debounce; + + if (chip->card_exist) { + retval = rts51x_read_register(chip, CARD_INT_PEND, &value); + if (retval != STATUS_SUCCESS) { + rts51x_ep0_write_register(chip, MC_FIFO_CTL, FIFO_FLUSH, + FIFO_FLUSH); + rts51x_ep0_write_register(chip, SFSM_ED, 0xf8, 0xf8); + value = 0; + } + + if (chip->card_exist & XD_CARD) { + if (!(chip->card_status & XD_CD)) + release_map |= XD_CARD; + } else if (chip->card_exist & SD_CARD) { + /* if (!(chip->card_status & SD_CD)) { */ + if (!(chip->card_status & SD_CD) || (value & SD_INT)) + release_map |= SD_CARD; + } else if (chip->card_exist & MS_CARD) { + /* if (!(chip->card_status & MS_CD)) { */ + if (!(chip->card_status & MS_CD) || (value & MS_INT)) + release_map |= MS_CARD; + } + } else { + if (chip->card_status & XD_CD) + reset_map |= XD_CARD; + else if (chip->card_status & SD_CD) + reset_map |= SD_CARD; + else if (chip->card_status & MS_CD) + reset_map |= MS_CARD; + } + + if (CHECK_PKG(chip, QFN24) && reset_map) { + if (chip->card_exist & XD_CARD) { + reset_map = 0; + goto Exit_Debounce; + } + } + + if (reset_map) { + int xd_cnt = 0, sd_cnt = 0, ms_cnt = 0; + int i; + + for (i = 0; i < (chip->option.debounce_num); i++) { + retval = + rts51x_get_card_status(chip, &(chip->card_status)); + if (retval != STATUS_SUCCESS) { + reset_map = release_map = 0; + goto Exit_Debounce; + } + if (chip->card_status & XD_CD) + xd_cnt++; + else + xd_cnt = 0; + if (chip->card_status & SD_CD) + sd_cnt++; + else + sd_cnt = 0; + if (chip->card_status & MS_CD) + ms_cnt++; + else + ms_cnt = 0; + wait_timeout(30); + } + + reset_map = 0; + if (!(chip->card_exist & XD_CARD) + && (xd_cnt > (chip->option.debounce_num - 1))) { + reset_map |= XD_CARD; + } + if (!(chip->card_exist & SD_CARD) + && (sd_cnt > (chip->option.debounce_num - 1))) { + reset_map |= SD_CARD; + } + if (!(chip->card_exist & MS_CARD) + && (ms_cnt > (chip->option.debounce_num - 1))) { + reset_map |= MS_CARD; + } + } + rts51x_write_register(chip, CARD_INT_PEND, XD_INT | MS_INT | SD_INT, + XD_INT | MS_INT | SD_INT); + +Exit_Debounce: + if (need_reset) + *need_reset = reset_map; + if (need_release) + *need_release = release_map; +} + +void rts51x_init_cards(struct rts51x_chip *chip) +{ + u8 need_reset = 0, need_release = 0; + + card_cd_debounce(chip, &need_reset, &need_release); + + if (need_release) { + RTS51X_DEBUGP("need_release = 0x%x\n", need_release); + + rts51x_prepare_run(chip); + RTS51X_SET_STAT(chip, STAT_RUN); + +#ifdef SUPPORT_OCP + if (chip->ocp_stat & (MS_OCP_NOW | MS_OCP_EVER)) { + rts51x_write_register(chip, OCPCTL, MS_OCP_CLEAR, + MS_OCP_CLEAR); + chip->ocp_stat = 0; + RTS51X_DEBUGP("Clear OCP status.\n"); + } +#endif + + if (need_release & XD_CARD) { + chip->card_exist &= ~XD_CARD; + chip->card_ejected = 0; + if (chip->card_ready & XD_CARD) { + rts51x_release_xd_card(chip); + chip->rw_card[chip->card2lun[XD_CARD]] = NULL; + clear_bit(chip->card2lun[XD_CARD], + &(chip->lun_mc)); + } + } + + if (need_release & SD_CARD) { + chip->card_exist &= ~SD_CARD; + chip->card_ejected = 0; + if (chip->card_ready & SD_CARD) { + rts51x_release_sd_card(chip); + chip->rw_card[chip->card2lun[SD_CARD]] = NULL; + clear_bit(chip->card2lun[SD_CARD], + &(chip->lun_mc)); + } + } + + if (need_release & MS_CARD) { + chip->card_exist &= ~MS_CARD; + chip->card_ejected = 0; + if (chip->card_ready & MS_CARD) { + rts51x_release_ms_card(chip); + chip->rw_card[chip->card2lun[MS_CARD]] = NULL; + clear_bit(chip->card2lun[MS_CARD], + &(chip->lun_mc)); + } + } + } + + if (need_reset && !chip->card_ready) { + RTS51X_DEBUGP("need_reset = 0x%x\n", need_reset); + + rts51x_prepare_run(chip); + RTS51X_SET_STAT(chip, STAT_RUN); + + if (need_reset & XD_CARD) { + chip->card_exist |= XD_CARD; + do_rts51x_reset_xd_card(chip); + } else if (need_reset & SD_CARD) { + chip->card_exist |= SD_CARD; + rts51x_do_rts51x_reset_sd_card(chip); + } else if (need_reset & MS_CARD) { + chip->card_exist |= MS_CARD; + do_rts51x_reset_ms_card(chip); + } + } +} + +void rts51x_release_cards(struct rts51x_chip *chip) +{ + if (chip->card_ready & SD_CARD) { + rts51x_sd_cleanup_work(chip); + rts51x_release_sd_card(chip); + chip->card_ready &= ~SD_CARD; + } + + if (chip->card_ready & XD_CARD) { + rts51x_xd_cleanup_work(chip); + rts51x_release_xd_card(chip); + chip->card_ready &= ~XD_CARD; + } + + if (chip->card_ready & MS_CARD) { + rts51x_ms_cleanup_work(chip); + rts51x_release_ms_card(chip); + chip->card_ready &= ~MS_CARD; + } +} + +static inline u8 double_depth(u8 depth) +{ + return (depth > 1) ? (depth - 1) : depth; +} + +int rts51x_switch_ssc_clock(struct rts51x_chip *chip, int clk) +{ + struct sd_info *sd_card = &(chip->sd_card); + struct ms_info *ms_card = &(chip->ms_card); + int retval; + u8 N = (u8) (clk - 2), min_N, max_N; + u8 mcu_cnt, div, max_div, ssc_depth; + int sd_vpclk_phase_reset = 0; + + if (chip->cur_clk == clk) + return STATUS_SUCCESS; + + min_N = 60; + max_N = 120; + max_div = CLK_DIV_4; + + RTS51X_DEBUGP("Switch SSC clock to %dMHz\n", clk); + + if ((clk <= 2) || (N > max_N)) + TRACE_RET(chip, STATUS_FAIL); + + mcu_cnt = (u8) (60 / clk + 3); + if (mcu_cnt > 15) + mcu_cnt = 15; + /* To make sure that the SSC clock div_n is + * equal or greater than min_N */ + div = CLK_DIV_1; + while ((N < min_N) && (div < max_div)) { + N = (N + 2) * 2 - 2; + div++; + } + RTS51X_DEBUGP("N = %d, div = %d\n", N, div); + + if (chip->option.ssc_en) { + if (chip->cur_card == SD_CARD) { + if (CHK_SD_SDR104(sd_card)) { + ssc_depth = chip->option.ssc_depth_sd_sdr104; + } else if (CHK_SD_SDR50(sd_card)) { + ssc_depth = chip->option.ssc_depth_sd_sdr50; + } else if (CHK_SD_DDR50(sd_card)) { + ssc_depth = + double_depth(chip->option. + ssc_depth_sd_ddr50); + } else if (CHK_SD_HS(sd_card)) { + ssc_depth = + double_depth(chip->option.ssc_depth_sd_hs); + } else if (CHK_MMC_52M(sd_card) + || CHK_MMC_DDR52(sd_card)) { + ssc_depth = + double_depth(chip->option. + ssc_depth_mmc_52m); + } else { + ssc_depth = + double_depth(chip->option. + ssc_depth_low_speed); + } + } else if (chip->cur_card == MS_CARD) { + if (CHK_MSPRO(ms_card)) { + if (CHK_HG8BIT(ms_card)) { + ssc_depth = + double_depth(chip->option. + ssc_depth_ms_hg); + } else { + ssc_depth = + double_depth(chip->option. + ssc_depth_ms_4bit); + } + } else { + if (CHK_MS4BIT(ms_card)) { + ssc_depth = + double_depth(chip->option. + ssc_depth_ms_4bit); + } else { + ssc_depth = + double_depth(chip->option. + ssc_depth_low_speed); + } + } + } else { + ssc_depth = + double_depth(chip->option.ssc_depth_low_speed); + } + + if (ssc_depth) { + if (div == CLK_DIV_2) { + /* If clock divided by 2, ssc depth must + * be multiplied by 2 */ + if (ssc_depth > 1) + ssc_depth -= 1; + else + ssc_depth = SSC_DEPTH_2M; + } else if (div == CLK_DIV_4) { + /* If clock divided by 4, ssc depth must + * be multiplied by 4 */ + if (ssc_depth > 2) + ssc_depth -= 2; + else + ssc_depth = SSC_DEPTH_2M; + } + } + } else { + /* Disable SSC */ + ssc_depth = 0; + } + + RTS51X_DEBUGP("ssc_depth = %d\n", ssc_depth); + + rts51x_init_cmd(chip); + rts51x_add_cmd(chip, WRITE_REG_CMD, CLK_DIV, CLK_CHANGE, CLK_CHANGE); + rts51x_add_cmd(chip, WRITE_REG_CMD, CLK_DIV, 0x3F, + (div << 4) | mcu_cnt); + rts51x_add_cmd(chip, WRITE_REG_CMD, SSC_CTL1, SSC_RSTB, 0); + rts51x_add_cmd(chip, WRITE_REG_CMD, SSC_CTL2, SSC_DEPTH_MASK, + ssc_depth); + rts51x_add_cmd(chip, WRITE_REG_CMD, SSC_DIV_N_0, 0xFF, N); + if (sd_vpclk_phase_reset) { + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_VPCLK0_CTL, + PHASE_NOT_RESET, 0); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_VPCLK0_CTL, + PHASE_NOT_RESET, PHASE_NOT_RESET); + } + + retval = rts51x_send_cmd(chip, MODE_C, 2000); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + if (chip->option.ssc_en && ssc_depth) + rts51x_write_register(chip, SSC_CTL1, 0xff, 0xD0); + else + rts51x_write_register(chip, SSC_CTL1, 0xff, 0x50); + udelay(100); + RTS51X_WRITE_REG(chip, CLK_DIV, CLK_CHANGE, 0); + + chip->cur_clk = clk; + + return STATUS_SUCCESS; +} + +int rts51x_switch_normal_clock(struct rts51x_chip *chip, int clk) +{ + int retval; + u8 sel, div, mcu_cnt; + int sd_vpclk_phase_reset = 0; + + if (chip->cur_clk == clk) + return STATUS_SUCCESS; + + if (chip->cur_card == SD_CARD) { + struct sd_info *sd_card = &(chip->sd_card); + if (CHK_SD30_SPEED(sd_card) || CHK_MMC_DDR52(sd_card)) + sd_vpclk_phase_reset = 1; + } + + switch (clk) { + case CLK_20: + RTS51X_DEBUGP("Switch clock to 20MHz\n"); + sel = SSC_80; + div = CLK_DIV_4; + mcu_cnt = 5; + break; + + case CLK_30: + RTS51X_DEBUGP("Switch clock to 30MHz\n"); + sel = SSC_60; + div = CLK_DIV_2; + mcu_cnt = 4; + break; + + case CLK_40: + RTS51X_DEBUGP("Switch clock to 40MHz\n"); + sel = SSC_80; + div = CLK_DIV_2; + mcu_cnt = 3; + break; + + case CLK_50: + RTS51X_DEBUGP("Switch clock to 50MHz\n"); + sel = SSC_100; + div = CLK_DIV_2; + mcu_cnt = 3; + break; + + case CLK_60: + RTS51X_DEBUGP("Switch clock to 60MHz\n"); + sel = SSC_60; + div = CLK_DIV_1; + mcu_cnt = 3; + break; + + case CLK_80: + RTS51X_DEBUGP("Switch clock to 80MHz\n"); + sel = SSC_80; + div = CLK_DIV_1; + mcu_cnt = 2; + break; + + case CLK_100: + RTS51X_DEBUGP("Switch clock to 100MHz\n"); + sel = SSC_100; + div = CLK_DIV_1; + mcu_cnt = 2; + break; + + /* case CLK_120: + RTS51X_DEBUGP("Switch clock to 120MHz\n"); + sel = SSC_120; + div = CLK_DIV_1; + mcu_cnt = 2; + break; + + case CLK_150: + RTS51X_DEBUGP("Switch clock to 150MHz\n"); + sel = SSC_150; + div = CLK_DIV_1; + mcu_cnt = 2; + break; */ + + default: + RTS51X_DEBUGP("Try to switch to an illegal clock (%d)\n", + clk); + TRACE_RET(chip, STATUS_FAIL); + } + + if (!sd_vpclk_phase_reset) { + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, CLK_DIV, CLK_CHANGE, + CLK_CHANGE); + rts51x_add_cmd(chip, WRITE_REG_CMD, CLK_DIV, 0x3F, + (div << 4) | mcu_cnt); + rts51x_add_cmd(chip, WRITE_REG_CMD, SSC_CLK_FPGA_SEL, 0xFF, + sel); + rts51x_add_cmd(chip, WRITE_REG_CMD, CLK_DIV, CLK_CHANGE, 0); + + retval = rts51x_send_cmd(chip, MODE_C, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } else { + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, CLK_DIV, CLK_CHANGE, + CLK_CHANGE); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_VPCLK0_CTL, + PHASE_NOT_RESET, 0); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_VPCLK1_CTL, + PHASE_NOT_RESET, 0); + rts51x_add_cmd(chip, WRITE_REG_CMD, CLK_DIV, 0x3F, + (div << 4) | mcu_cnt); + rts51x_add_cmd(chip, WRITE_REG_CMD, SSC_CLK_FPGA_SEL, 0xFF, + sel); + + retval = rts51x_send_cmd(chip, MODE_C, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + udelay(200); + + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_VPCLK0_CTL, + PHASE_NOT_RESET, PHASE_NOT_RESET); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_VPCLK1_CTL, + PHASE_NOT_RESET, PHASE_NOT_RESET); + + retval = rts51x_send_cmd(chip, MODE_C, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + udelay(200); + + RTS51X_WRITE_REG(chip, CLK_DIV, CLK_CHANGE, 0); + } + + chip->cur_clk = clk; + + return STATUS_SUCCESS; +} + +int rts51x_card_rw(struct scsi_cmnd *srb, struct rts51x_chip *chip, + u32 sec_addr, u16 sec_cnt) +{ + int retval; + unsigned int lun = SCSI_LUN(srb); + int i; + + if (chip->rw_card[lun] == NULL) + return STATUS_FAIL; + + RTS51X_DEBUGP("%s card, sector addr: 0x%x, sector cnt: %d\n", + (srb->sc_data_direction == + DMA_TO_DEVICE) ? "Write" : "Read", sec_addr, sec_cnt); + + chip->rw_need_retry = 0; + for (i = 0; i < 3; i++) { + retval = chip->rw_card[lun] (srb, chip, sec_addr, sec_cnt); + if (retval != STATUS_SUCCESS) { + CATCH_TRIGGER(chip); + if (chip->option.reset_or_rw_fail_set_pad_drive) { + rts51x_write_register(chip, CARD_DRIVE_SEL, + SD20_DRIVE_MASK, + DRIVE_8mA); + } + } + + if (!chip->rw_need_retry) + break; + + RTS51X_DEBUGP("Retry RW, (i = %d\n)", i); + } + + return retval; +} + +u8 rts51x_get_lun_card(struct rts51x_chip *chip, unsigned int lun) +{ + if ((chip->card_ready & chip->lun2card[lun]) == XD_CARD) + return (u8) XD_CARD; + else if ((chip->card_ready & chip->lun2card[lun]) == SD_CARD) + return (u8) SD_CARD; + else if ((chip->card_ready & chip->lun2card[lun]) == MS_CARD) + return (u8) MS_CARD; + + return 0; +} + +static int card_share_mode(struct rts51x_chip *chip, int card) +{ + u8 value; + + if (card == SD_CARD) + value = CARD_SHARE_SD; + else if (card == MS_CARD) + value = CARD_SHARE_MS; + else if (card == XD_CARD) + value = CARD_SHARE_XD; + else + TRACE_RET(chip, STATUS_FAIL); + + RTS51X_WRITE_REG(chip, CARD_SHARE_MODE, CARD_SHARE_MASK, value); + + return STATUS_SUCCESS; +} + +int rts51x_select_card(struct rts51x_chip *chip, int card) +{ + int retval; + + if (chip->cur_card != card) { + u8 mod; + + if (card == SD_CARD) + mod = SD_MOD_SEL; + else if (card == MS_CARD) + mod = MS_MOD_SEL; + else if (card == XD_CARD) + mod = XD_MOD_SEL; + else + TRACE_RET(chip, STATUS_FAIL); + RTS51X_WRITE_REG(chip, CARD_SELECT, 0x07, mod); + chip->cur_card = card; + + retval = card_share_mode(chip, card); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + + return STATUS_SUCCESS; +} + +void rts51x_eject_card(struct rts51x_chip *chip, unsigned int lun) +{ + RTS51X_DEBUGP("eject card\n"); + RTS51X_SET_STAT(chip, STAT_RUN); + rts51x_do_remaining_work(chip); + + if ((chip->card_ready & chip->lun2card[lun]) == SD_CARD) { + rts51x_release_sd_card(chip); + chip->card_ejected |= SD_CARD; + chip->card_ready &= ~SD_CARD; + chip->capacity[lun] = 0; + } else if ((chip->card_ready & chip->lun2card[lun]) == XD_CARD) { + rts51x_release_xd_card(chip); + chip->card_ejected |= XD_CARD; + chip->card_ready &= ~XD_CARD; + chip->capacity[lun] = 0; + } else if ((chip->card_ready & chip->lun2card[lun]) == MS_CARD) { + rts51x_release_ms_card(chip); + chip->card_ejected |= MS_CARD; + chip->card_ready &= ~MS_CARD; + chip->capacity[lun] = 0; + } + rts51x_write_register(chip, CARD_INT_PEND, XD_INT | MS_INT | SD_INT, + XD_INT | MS_INT | SD_INT); +} + +void rts51x_trans_dma_enable(enum dma_data_direction dir, + struct rts51x_chip *chip, u32 byte_cnt, u8 pack_size) +{ + if (pack_size > DMA_1024) + pack_size = DMA_512; + + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01, + RING_BUFFER); + + rts51x_add_cmd(chip, WRITE_REG_CMD, MC_DMA_TC3, 0xFF, + (u8) (byte_cnt >> 24)); + rts51x_add_cmd(chip, WRITE_REG_CMD, MC_DMA_TC2, 0xFF, + (u8) (byte_cnt >> 16)); + rts51x_add_cmd(chip, WRITE_REG_CMD, MC_DMA_TC1, 0xFF, + (u8) (byte_cnt >> 8)); + rts51x_add_cmd(chip, WRITE_REG_CMD, MC_DMA_TC0, 0xFF, (u8) byte_cnt); + + if (dir == DMA_FROM_DEVICE) { + rts51x_add_cmd(chip, WRITE_REG_CMD, MC_DMA_CTL, + 0x03 | DMA_PACK_SIZE_MASK, + DMA_DIR_FROM_CARD | DMA_EN | pack_size); + } else { + rts51x_add_cmd(chip, WRITE_REG_CMD, MC_DMA_CTL, + 0x03 | DMA_PACK_SIZE_MASK, + DMA_DIR_TO_CARD | DMA_EN | pack_size); + } +} + +int rts51x_enable_card_clock(struct rts51x_chip *chip, u8 card) +{ + u8 clk_en = 0; + + if (card & XD_CARD) + clk_en |= XD_CLK_EN; + if (card & SD_CARD) + clk_en |= SD_CLK_EN; + if (card & MS_CARD) + clk_en |= MS_CLK_EN; + + RTS51X_WRITE_REG(chip, CARD_CLK_EN, clk_en, clk_en); + + return STATUS_SUCCESS; +} + +int rts51x_card_power_on(struct rts51x_chip *chip, u8 card) +{ + u8 mask, val1, val2; + + mask = POWER_MASK; + val1 = PARTIAL_POWER_ON; + val2 = POWER_ON; + +#ifdef SD_XD_IO_FOLLOW_PWR + if ((card == SD_CARD) || (card == XD_CARD)) { + RTS51X_WRITE_REG(chip, CARD_PWR_CTL, mask | LDO3318_PWR_MASK, + val1 | LDO_SUSPEND); + } else { +#endif + RTS51X_WRITE_REG(chip, CARD_PWR_CTL, mask, val1); +#ifdef SD_XD_IO_FOLLOW_PWR + } +#endif + udelay(chip->option.pwr_delay); + RTS51X_WRITE_REG(chip, CARD_PWR_CTL, mask, val2); +#ifdef SD_XD_IO_FOLLOW_PWR + if (card == SD_CARD) { + rts51x_write_register(chip, CARD_PWR_CTL, LDO3318_PWR_MASK, + LDO_ON); + } +#endif + + return STATUS_SUCCESS; +} + +int monitor_card_cd(struct rts51x_chip *chip, u8 card) +{ + int retval; + u8 card_cd[32] = { 0 }; + + card_cd[SD_CARD] = SD_CD; + card_cd[XD_CARD] = XD_CD; + card_cd[MS_CARD] = MS_CD; + + retval = rts51x_get_card_status(chip, &(chip->card_status)); + if (retval != STATUS_SUCCESS) + return CD_NOT_EXIST; + + if (chip->card_status & card_cd[card]) + return CD_EXIST; + + return CD_NOT_EXIST; +} + +int rts51x_toggle_gpio(struct rts51x_chip *chip, u8 gpio) +{ + int retval; + u8 temp_reg; + u8 gpio_output[4] = { + 0x01, + }; + u8 gpio_oe[4] = { + 0x02, + }; + if (chip->rts5179) { + retval = rts51x_ep0_read_register(chip, CARD_GPIO, &temp_reg); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, STATUS_FAIL); + temp_reg ^= gpio_oe[gpio]; + temp_reg &= 0xfe; /* bit 0 always set 0 */ + retval = + rts51x_ep0_write_register(chip, CARD_GPIO, 0x03, temp_reg); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, STATUS_FAIL); + } else { + retval = rts51x_ep0_read_register(chip, CARD_GPIO, &temp_reg); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, STATUS_FAIL); + temp_reg ^= gpio_output[gpio]; + retval = + rts51x_ep0_write_register(chip, CARD_GPIO, 0xFF, + temp_reg | gpio_oe[gpio]); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, STATUS_FAIL); + } + + return STATUS_SUCCESS; +} + +int rts51x_turn_on_led(struct rts51x_chip *chip, u8 gpio) +{ + int retval; + u8 gpio_oe[4] = { + 0x02, + }; + u8 gpio_mask[4] = { + 0x03, + }; + + retval = + rts51x_ep0_write_register(chip, CARD_GPIO, gpio_mask[gpio], + gpio_oe[gpio]); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, STATUS_FAIL); + + return STATUS_SUCCESS; +} + +int rts51x_turn_off_led(struct rts51x_chip *chip, u8 gpio) +{ + int retval; + u8 gpio_output[4] = { + 0x01, + }; + u8 gpio_oe[4] = { + 0x02, + }; + u8 gpio_mask[4] = { + 0x03, + }; + + retval = + rts51x_ep0_write_register(chip, CARD_GPIO, gpio_mask[gpio], + gpio_oe[gpio] | gpio_output[gpio]); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, STATUS_FAIL); + + return STATUS_SUCCESS; +} diff --git a/drivers/staging/rts5139/rts51x_card.h b/drivers/staging/rts5139/rts51x_card.h new file mode 100644 index 000000000000..df8816e0f840 --- /dev/null +++ b/drivers/staging/rts5139/rts51x_card.h @@ -0,0 +1,870 @@ +/* Driver for Realtek RTS51xx USB card reader + * Header file + * + * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, see <http://www.gnu.org/licenses/>. + * + * Author: + * wwang (wei_wang(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + * Maintainer: + * Edwin Rong (edwin_rong(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + */ + +#ifndef __RTS51X_CARD_H +#define __RTS51X_CARD_H + +#include "rts51x_chip.h" + +/* Register bit definition */ + +/* Card Power Control Register */ +#define POWER_OFF 0x03 +#define PARTIAL_POWER_ON 0x02 +#define POWER_ON 0x00 +#define POWER_MASK 0x03 +#define LDO3318_PWR_MASK 0x0C +#define LDO_ON 0x00 +#define LDO_SUSPEND 0x08 +#define LDO_OFF 0x0C +#define DV3318_AUTO_PWR_OFF 0x10 +#define FORCE_LDO_POWERB 0x60 + +/* Card Output Enable Register */ +#define XD_OUTPUT_EN 0x02 +#define SD_OUTPUT_EN 0x04 +#define MS_OUTPUT_EN 0x08 + +/* System Clock Control Register */ + +/* System Clock Divider Register */ +#define CLK_CHANGE 0x80 +#define CLK_DIV_1 0x00 +#define CLK_DIV_2 0x01 +#define CLK_DIV_4 0x02 +#define CLK_DIV_8 0x03 + +/* System Clock Select Register */ +#define SSC_60 0 +#define SSC_80 1 +#define SSC_100 2 +#define SSC_120 3 +#define SSC_150 4 + +/* Card Clock Enable Register */ +#define XD_CLK_EN 0x02 +#define SD_CLK_EN 0x04 +#define MS_CLK_EN 0x08 + +/* Card Select Register */ +#define XD_MOD_SEL 1 +#define SD_MOD_SEL 2 +#define MS_MOD_SEL 3 + +/* Card Transfer Reset Register */ +#define XD_STOP 0x02 +#define SD_STOP 0x04 +#define MS_STOP 0x08 +#define XD_CLR_ERR 0x20 +#define SD_CLR_ERR 0x40 +#define MS_CLR_ERR 0x80 + +/* SD30_drive_sel */ +#define SD30_DRIVE_MASK 0x07 + +/* CARD_DRIVE_SEL */ +#define SD20_DRIVE_MASK 0x03 +#define DRIVE_4mA 0x00 +#define DRIVE_8mA 0x01 +#define DRIVE_12mA 0x02 + +/* FPGA_PULL_CTL */ +#define FPGA_MS_PULL_CTL_EN 0xEF +#define FPGA_SD_PULL_CTL_EN 0xF7 +#define FPGA_XD_PULL_CTL_EN1 0xFE +#define FPGA_XD_PULL_CTL_EN2 0xFD +#define FPGA_XD_PULL_CTL_EN3 0xFB + +#define FPGA_MS_PULL_CTL_BIT 0x10 +#define FPGA_SD_PULL_CTL_BIT 0x08 + +/* Card Data Source Register */ +#define PINGPONG_BUFFER 0x01 +#define RING_BUFFER 0x00 + +/* SFSM_ED */ +#define HW_CMD_STOP 0x80 +#define CLR_STAGE_STALL 0x08 +#define CARD_ERR 0x10 + +/* CARD_SHARE_MODE */ +#define CARD_SHARE_LQFP48 0x04 +#define CARD_SHARE_QFN24 0x00 +#define CARD_SHARE_LQFP_SEL 0x04 +#define CARD_SHARE_XD 0x00 +#define CARD_SHARE_SD 0x01 +#define CARD_SHARE_MS 0x02 +#define CARD_SHARE_MASK 0x03 + +/* CARD_AUTO_BLINK */ +#define BLINK_ENABLE 0x08 +#define BLINK_SPEED_MASK 0x07 + +/* CARD_GPIO */ +#define GPIO_OE 0x02 +#define GPIO_OUTPUT 0x01 + +/* CARD_CLK_SOURCE */ +#define CRC_FIX_CLK (0x00 << 0) +#define CRC_VAR_CLK0 (0x01 << 0) +#define CRC_VAR_CLK1 (0x02 << 0) +#define SD30_FIX_CLK (0x00 << 2) +#define SD30_VAR_CLK0 (0x01 << 2) +#define SD30_VAR_CLK1 (0x02 << 2) +#define SAMPLE_FIX_CLK (0x00 << 4) +#define SAMPLE_VAR_CLK0 (0x01 << 4) +#define SAMPLE_VAR_CLK1 (0x02 << 4) + +/* DCM_DRP_CTL */ +#define DCM_RESET 0x08 +#define DCM_LOCKED 0x04 +#define DCM_208M 0x00 +#define DCM_TX 0x01 +#define DCM_RX 0x02 + +/* DCM_DRP_TRIG */ +#define DRP_START 0x80 +#define DRP_DONE 0x40 + +/* DCM_DRP_CFG */ +#define DRP_WRITE 0x80 +#define DRP_READ 0x00 +#define DCM_WRITE_ADDRESS_50 0x50 +#define DCM_WRITE_ADDRESS_51 0x51 +#define DCM_READ_ADDRESS_00 0x00 +#define DCM_READ_ADDRESS_51 0x51 + +/* HW_VERSION */ +#define FPGA_VER 0x80 +#define HW_VER_MASK 0x0F + +/* CD_DEGLITCH_EN */ +#define DISABLE_SD_CD 0x08 +#define DISABLE_MS_CD 0x10 +#define DISABLE_XD_CD 0x20 +#define SD_CD_DEGLITCH_EN 0x01 +#define MS_CD_DEGLITCH_EN 0x02 +#define XD_CD_DEGLITCH_EN 0x04 + +/* OCPCTL */ +#define CARD_OC_DETECT_EN 0x08 +#define CARD_OC_CLR 0x01 + +/* CARD_DMA1_CTL */ +#define EXTEND_DMA1_ASYNC_SIGNAL 0x02 + +/* HS_USB_STAT */ +#define USB_HI_SPEED 0x01 + +/* CFG_MODE_1 */ +#define RTS5179 0x02 + +/* SYS_DUMMY0 */ +#define NYET_EN 0x01 +#define NYET_MSAK 0x01 + +/* SSC_CTL1 */ +#define SSC_RSTB 0x80 +#define SSC_8X_EN 0x40 +#define SSC_FIX_FRAC 0x20 +#define SSC_SEL_1M 0x00 +#define SSC_SEL_2M 0x08 +#define SSC_SEL_4M 0x10 +#define SSC_SEL_8M 0x18 + +/* SSC_CTL2 */ +#define SSC_DEPTH_MASK 0x03 +#define SSC_DEPTH_DISALBE 0x00 +#define SSC_DEPTH_2M 0x01 +#define SSC_DEPTH_1M 0x02 +#define SSC_DEPTH_512K 0x03 + +/* LDO_POWER_CFG */ +#define TUNE_SD18_MASK 0x1C +#define TUNE_SD18_1V8 (0x01 << 2) +#define TUNE_SD18_3V3 (0x07 << 2) + +/* XD_CP_WAITTIME */ +#define WAIT_1F 0x00 +#define WAIT_3F 0x01 +#define WAIT_7F 0x02 +#define WAIT_FF 0x03 + +/* XD_INIT */ +#define XD_PWR_OFF_DELAY0 0x00 +#define XD_PWR_OFF_DELAY1 0x02 +#define XD_PWR_OFF_DELAY2 0x04 +#define XD_PWR_OFF_DELAY3 0x06 +#define XD_AUTO_PWR_OFF_EN 0xF7 +#define XD_NO_AUTO_PWR_OFF 0x08 + +/* XD_DTCTL */ +/* XD_CATCTL */ +#define XD_TIME_RWN_1 0x00 +#define XD_TIME_RWN_STEP 0x20 +#define XD_TIME_RW_1 0x00 +#define XD_TIME_RW_STEP 0x04 +#define XD_TIME_SETUP_1 0x00 +#define XD_TIME_SETUP_STEP 0x01 + +/* XD_CTL */ +#define XD_ECC2_UNCORRECTABLE 0x80 +#define XD_ECC2_ERROR 0x40 +#define XD_ECC1_UNCORRECTABLE 0x20 +#define XD_ECC1_ERROR 0x10 +#define XD_RDY 0x04 +#define XD_CE_EN 0xFD +#define XD_CE_DISEN 0x02 +#define XD_WP_EN 0xFE +#define XD_WP_DISEN 0x01 + +/* XD_TRANSFER */ +#define XD_TRANSFER_START 0x80 +#define XD_TRANSFER_END 0x40 +#define XD_PPB_EMPTY 0x20 +#define XD_ERR 0x10 +#define XD_RESET 0x00 +#define XD_ERASE 0x01 +#define XD_READ_STATUS 0x02 +#define XD_READ_ID 0x03 +#define XD_READ_REDUNDANT 0x04 +#define XD_READ_PAGES 0x05 +#define XD_SET_CMD 0x06 +#define XD_NORMAL_READ 0x07 +#define XD_WRITE_PAGES 0x08 +#define XD_NORMAL_WRITE 0x09 +#define XD_WRITE_REDUNDANT 0x0A +#define XD_SET_ADDR 0x0B +#define XD_COPY_PAGES 0x0C + +/* XD_CFG */ +#define XD_PPB_TO_SIE 0x80 +#define XD_TO_PPB_ONLY 0x00 +#define XD_BA_TRANSFORM 0x40 +#define XD_BA_NO_TRANSFORM 0x00 +#define XD_NO_CALC_ECC 0x20 +#define XD_CALC_ECC 0x00 +#define XD_IGNORE_ECC 0x10 +#define XD_CHECK_ECC 0x00 +#define XD_DIRECT_TO_RB 0x08 +#define XD_ADDR_MASK 0x07 +#define XD_ADDR_LENGTH_0 0x00 +#define XD_ADDR_LENGTH_1 0x01 +#define XD_ADDR_LENGTH_2 0x02 +#define XD_ADDR_LENGTH_3 0x03 +#define XD_ADDR_LENGTH_4 0x04 + +/* XD_PAGE_STATUS */ +#define XD_GPG 0xFF +#define XD_BPG 0x00 + +/* XD_BLOCK_STATUS */ +#define XD_GBLK 0xFF +#define XD_LATER_BBLK 0xF0 + +/* XD_PARITY */ +#define XD_ECC2_ALL1 0x80 +#define XD_ECC1_ALL1 0x40 +#define XD_BA2_ALL0 0x20 +#define XD_BA1_ALL0 0x10 +#define XD_BA1_BA2_EQL 0x04 +#define XD_BA2_VALID 0x02 +#define XD_BA1_VALID 0x01 + +/* XD_CHK_DATA_STATUS */ +#define XD_PGSTS_ZEROBIT_OVER4 0x00 +#define XD_PGSTS_NOT_FF 0x02 +#define XD_AUTO_CHK_DATA_STATUS 0x01 + +/* SD_CFG1 */ +#define SD_CLK_DIVIDE_0 0x00 +#define SD_CLK_DIVIDE_256 0xC0 +#define SD_CLK_DIVIDE_128 0x80 +#define SD_CLK_DIVIDE_MASK 0xC0 +#define SD_BUS_WIDTH_1 0x00 +#define SD_BUS_WIDTH_4 0x01 +#define SD_BUS_WIDTH_8 0x02 +#define SD_ASYNC_FIFO_RST 0x10 +#define SD_20_MODE 0x00 +#define SD_DDR_MODE 0x04 +#define SD_30_MODE 0x08 + +/* SD_CFG2 */ +#define SD_CALCULATE_CRC7 0x00 +#define SD_NO_CALCULATE_CRC7 0x80 +#define SD_CHECK_CRC16 0x00 +#define SD_NO_CHECK_CRC16 0x40 +#define SD_WAIT_CRC_TO_EN 0x20 +#define SD_WAIT_BUSY_END 0x08 +#define SD_NO_WAIT_BUSY_END 0x00 +#define SD_CHECK_CRC7 0x00 +#define SD_NO_CHECK_CRC7 0x04 +#define SD_RSP_LEN_0 0x00 +#define SD_RSP_LEN_6 0x01 +#define SD_RSP_LEN_17 0x02 +/* SD/MMC Response Type Definition */ +/* SD_CALCULATE_CRC7, SD_CHECK_CRC16, + * SD_NO_WAIT_BUSY_END, SD_NO_CHECK_CRC7, + * SD_RSP_LEN_0 */ +#define SD_RSP_TYPE_R0 0x04 +/* SD_CALCULATE_CRC7, SD_CHECK_CRC16, + * SD_NO_WAIT_BUSY_END, SD_CHECK_CRC7, + * SD_RSP_LEN_6 */ +#define SD_RSP_TYPE_R1 0x01 +/* SD_CALCULATE_CRC7, SD_CHECK_CRC16, + * SD_WAIT_BUSY_END, SD_CHECK_CRC7, + * SD_RSP_LEN_6 */ +#define SD_RSP_TYPE_R1b 0x09 +/* SD_CALCULATE_CRC7, SD_CHECK_CRC16, + * SD_NO_WAIT_BUSY_END, SD_CHECK_CRC7, + * SD_RSP_LEN_17 */ +#define SD_RSP_TYPE_R2 0x02 +/* SD_CALCULATE_CRC7, SD_CHECK_CRC16, + * SD_NO_WAIT_BUSY_END, SD_NO_CHECK_CRC7, + * SD_RSP_LEN_6 */ +#define SD_RSP_TYPE_R3 0x05 +/* SD_CALCULATE_CRC7, SD_CHECK_CRC16, + * SD_NO_WAIT_BUSY_END, SD_NO_CHECK_CRC7, + * SD_RSP_LEN_6 */ +#define SD_RSP_TYPE_R4 0x05 +/* SD_CALCULATE_CRC7, SD_CHECK_CRC16, + * SD_NO_WAIT_BUSY_END, SD_CHECK_CRC7, + * SD_RSP_LEN_6 */ +#define SD_RSP_TYPE_R5 0x01 +/* SD_CALCULATE_CRC7, SD_CHECK_CRC16, + * SD_NO_WAIT_BUSY_END, SD_CHECK_CRC7, + * SD_RSP_LEN_6 */ +#define SD_RSP_TYPE_R6 0x01 +/* SD_CALCULATE_CRC7, SD_CHECK_CRC16, + * SD_NO_WAIT_BUSY_END, SD_CHECK_CRC7, + * SD_RSP_LEN_6 */ +#define SD_RSP_TYPE_R7 0x01 + +/* SD_CFG3 */ +#define SD_RSP_80CLK_TIMEOUT_EN 0x01 + +/* SD_STAT1 */ +#define SD_CRC7_ERR 0x80 +#define SD_CRC16_ERR 0x40 +#define SD_CRC_WRITE_ERR 0x20 +#define SD_CRC_WRITE_ERR_MASK 0x1C +#define GET_CRC_TIME_OUT 0x02 +#define SD_TUNING_COMPARE_ERR 0x01 + +/* SD_STAT2 */ +#define SD_RSP_80CLK_TIMEOUT 0x01 + +/* SD_BUS_STAT */ +#define SD_CLK_TOGGLE_EN 0x80 +#define SD_CLK_FORCE_STOP 0x40 +#define SD_DAT3_STATUS 0x10 +#define SD_DAT2_STATUS 0x08 +#define SD_DAT1_STATUS 0x04 +#define SD_DAT0_STATUS 0x02 +#define SD_CMD_STATUS 0x01 + +/* SD_PAD_CTL */ +#define SD_IO_USING_1V8 0x80 +#define SD_IO_USING_3V3 0x7F +#define TYPE_A_DRIVING 0x00 +#define TYPE_B_DRIVING 0x01 +#define TYPE_C_DRIVING 0x02 +#define TYPE_D_DRIVING 0x03 + +/* SD_SAMPLE_POINT_CTL */ +#define DDR_FIX_RX_DAT 0x00 +#define DDR_VAR_RX_DAT 0x80 +#define DDR_FIX_RX_DAT_EDGE 0x00 +#define DDR_FIX_RX_DAT_14_DELAY 0x40 +#define DDR_FIX_RX_CMD 0x00 +#define DDR_VAR_RX_CMD 0x20 +#define DDR_FIX_RX_CMD_POS_EDGE 0x00 +#define DDR_FIX_RX_CMD_14_DELAY 0x10 +#define SD20_RX_POS_EDGE 0x00 +#define SD20_RX_14_DELAY 0x08 +#define SD20_RX_SEL_MASK 0x08 + +/* SD_PUSH_POINT_CTL */ +#define DDR_FIX_TX_CMD_DAT 0x00 +#define DDR_VAR_TX_CMD_DAT 0x80 +#define DDR_FIX_TX_DAT_14_TSU 0x00 +#define DDR_FIX_TX_DAT_12_TSU 0x40 +#define DDR_FIX_TX_CMD_NEG_EDGE 0x00 +#define DDR_FIX_TX_CMD_14_AHEAD 0x20 +#define SD20_TX_NEG_EDGE 0x00 +#define SD20_TX_14_AHEAD 0x10 +#define SD20_TX_SEL_MASK 0x10 +#define DDR_VAR_SDCLK_POL_SWAP 0x01 + +/* SD_TRANSFER */ +#define SD_TRANSFER_START 0x80 +#define SD_TRANSFER_END 0x40 +#define SD_STAT_IDLE 0x20 +#define SD_TRANSFER_ERR 0x10 +/* SD Transfer Mode definition */ +#define SD_TM_NORMAL_WRITE 0x00 +#define SD_TM_AUTO_WRITE_3 0x01 +#define SD_TM_AUTO_WRITE_4 0x02 +#define SD_TM_AUTO_READ_3 0x05 +#define SD_TM_AUTO_READ_4 0x06 +#define SD_TM_CMD_RSP 0x08 +#define SD_TM_AUTO_WRITE_1 0x09 +#define SD_TM_AUTO_WRITE_2 0x0A +#define SD_TM_NORMAL_READ 0x0C +#define SD_TM_AUTO_READ_1 0x0D +#define SD_TM_AUTO_READ_2 0x0E +#define SD_TM_AUTO_TUNING 0x0F + +/* SD_VPTX_CTL / SD_VPRX_CTL */ +#define PHASE_CHANGE 0x80 +#define PHASE_NOT_RESET 0x40 + +/* SD_DCMPS_TX_CTL / SD_DCMPS_RX_CTL */ +#define DCMPS_CHANGE 0x80 +#define DCMPS_CHANGE_DONE 0x40 +#define DCMPS_ERROR 0x20 +#define DCMPS_CURRENT_PHASE 0x1F + +/* SD_CMD_STATE */ +#define SD_CMD_IDLE 0x80 + +/* SD_DATA_STATE */ +#define SD_DATA_IDLE 0x80 + +/* MS_BLKEND */ +#define SET_BLKEND 0x01 + +/* MS_CFG */ +#define SAMPLE_TIME_RISING 0x00 +#define SAMPLE_TIME_FALLING 0x80 +#define PUSH_TIME_DEFAULT 0x00 +#define PUSH_TIME_ODD 0x40 +#define NO_EXTEND_TOGGLE 0x00 +#define EXTEND_TOGGLE_CHK 0x20 +#define MS_BUS_WIDTH_1 0x00 +#define MS_BUS_WIDTH_4 0x10 +#define MS_BUS_WIDTH_8 0x18 +#define MS_2K_SECTOR_MODE 0x04 +#define MS_512_SECTOR_MODE 0x00 +#define MS_TOGGLE_TIMEOUT_EN 0x00 +#define MS_TOGGLE_TIMEOUT_DISEN 0x01 +#define MS_NO_CHECK_INT 0x02 + +/* MS_TRANS_CFG */ +#define WAIT_INT 0x80 +#define NO_WAIT_INT 0x00 +#define NO_AUTO_READ_INT_REG 0x00 +#define AUTO_READ_INT_REG 0x40 +#define MS_CRC16_ERR 0x20 +#define MS_RDY_TIMEOUT 0x10 +#define MS_INT_CMDNK 0x08 +#define MS_INT_BREQ 0x04 +#define MS_INT_ERR 0x02 +#define MS_INT_CED 0x01 + +/* MS_TRANSFER */ +#define MS_TRANSFER_START 0x80 +#define MS_TRANSFER_END 0x40 +#define MS_TRANSFER_ERR 0x20 +#define MS_BS_STATE 0x10 +#define MS_TM_READ_BYTES 0x00 +#define MS_TM_NORMAL_READ 0x01 +#define MS_TM_WRITE_BYTES 0x04 +#define MS_TM_NORMAL_WRITE 0x05 +#define MS_TM_AUTO_READ 0x08 +#define MS_TM_AUTO_WRITE 0x0C +#define MS_TM_SET_CMD 0x06 +#define MS_TM_COPY_PAGE 0x07 +#define MS_TM_MULTI_READ 0x02 +#define MS_TM_MULTI_WRITE 0x03 + +/* MC_DMA_CTL */ +#define DMA_TC_EQ_0 0x80 +#define DMA_DIR_TO_CARD 0x00 +#define DMA_DIR_FROM_CARD 0x02 +#define DMA_EN 0x01 +#define DMA_128 (0 << 2) +#define DMA_256 (1 << 2) +#define DMA_512 (2 << 2) +#define DMA_1024 (3 << 2) +#define DMA_PACK_SIZE_MASK 0x0C + +/* CARD_INT_PEND */ +#define XD_INT 0x10 +#define MS_INT 0x08 +#define SD_INT 0x04 + +/* MC_FIFO_CTL */ +#define FIFO_FLUSH 0x01 + +/* AUTO_DELINK_EN */ +#define AUTO_DELINK 0x02 +#define FORCE_DELINK 0x01 + +/* MC_DMA_RST */ +#define DMA_RESET 0x01 + +#define SSC_POWER_MASK 0x01 +#define SSC_POWER_DOWN 0x01 +#define SSC_POWER_ON 0x00 + +/* OCPCTL */ +#define MS_OCP_DETECT_EN 0x08 +#define MS_OCP_INT_EN 0x04 +#define MS_OCP_INT_CLR 0x02 +#define MS_OCP_CLEAR 0x01 + +/* OCPSTAT */ +#define MS_OCP_DETECT 0x80 +#define MS_OCP_NOW 0x02 +#define MS_OCP_EVER 0x01 + +/* MC_FIFO_STAT */ +#define FIFO_FULL 0x01 +#define FIFO_EMPTY 0x02 + +/* RCCTL */ +#define U_HW_CMD_EN_MASK 0x02 +#define U_HW_CMD_EN 0x02 +#define U_HW_CMD_DIS 0x00 + +/* Register address */ +#define FPDCTL 0xFC00 +#define SSC_DIV_N_0 0xFC07 +#define SSC_CTL1 0xFC09 +#define SSC_CTL2 0xFC0A +#define CFG_MODE_1 0xFC0F +#define RCCTL 0xFC14 +#define SYS_DUMMY0 0xFC30 +#define XD_CP_WAITTIME 0xFD00 +#define XD_CP_PAGELEN 0xFD01 +#define XD_CP_READADDR0 0xFD02 +#define XD_CP_READADDR1 0xFD03 +#define XD_CP_READADDR2 0xFD04 +#define XD_CP_READADDR3 0xFD05 +#define XD_CP_READADDR4 0xFD06 +#define XD_CP_WRITEADDR0 0xFD07 +#define XD_CP_WRITEADDR1 0xFD08 +#define XD_CP_WRITEADDR2 0xFD09 +#define XD_CP_WRITEADDR3 0xFD0A +#define XD_CP_WRITEADDR4 0xFD0B +#define XD_INIT 0xFD10 +#define XD_DTCTL 0xFD11 +#define XD_CTL 0xFD12 +#define XD_TRANSFER 0xFD13 +#define XD_CFG 0xFD14 +#define XD_ADDRESS0 0xFD15 +#define XD_ADDRESS1 0xFD16 +#define XD_ADDRESS2 0xFD17 +#define XD_ADDRESS3 0xFD18 +#define XD_ADDRESS4 0xFD19 +#define XD_DAT 0xFD1A +#define XD_PAGE_CNT 0xFD1B +#define XD_PAGE_STATUS 0xFD1C +#define XD_BLOCK_STATUS 0xFD1D +#define XD_BLOCK_ADDR1_L 0xFD1E +#define XD_BLOCK_ADDR1_H 0xFD1F +#define XD_BLOCK_ADDR2_L 0xFD20 +#define XD_BLOCK_ADDR2_H 0xFD21 +#define XD_BYTE_CNT_L 0xFD22 +#define XD_BYTE_CNT_H 0xFD23 +#define XD_PARITY 0xFD24 +#define XD_ECC_BIT1 0xFD25 +#define XD_ECC_BYTE1 0xFD26 +#define XD_ECC_BIT2 0xFD27 +#define XD_ECC_BYTE2 0xFD28 +#define XD_RESERVED0 0xFD29 +#define XD_RESERVED1 0xFD2A +#define XD_RESERVED2 0xFD2B +#define XD_RESERVED3 0xFD2C +#define XD_CHK_DATA_STATUS 0xFD2D +#define XD_CATCTL 0xFD2E + +#define MS_BLKEND 0xFD30 +#define MS_READ_START 0xFD31 +#define MS_READ_COUNT 0xFD32 +#define MS_WRITE_START 0xFD33 +#define MS_WRITE_COUNT 0xFD34 +#define MS_COMMAND 0xFD35 +#define MS_OLD_BLOCK_0 0xFD36 +#define MS_OLD_BLOCK_1 0xFD37 +#define MS_NEW_BLOCK_0 0xFD38 +#define MS_NEW_BLOCK_1 0xFD39 +#define MS_LOG_BLOCK_0 0xFD3A +#define MS_LOG_BLOCK_1 0xFD3B +#define MS_BUS_WIDTH 0xFD3C +#define MS_PAGE_START 0xFD3D +#define MS_PAGE_LENGTH 0xFD3E +#define MS_CFG 0xFD40 +#define MS_TPC 0xFD41 +#define MS_TRANS_CFG 0xFD42 +#define MS_TRANSFER 0xFD43 +#define MS_INT_REG 0xFD44 +#define MS_BYTE_CNT 0xFD45 +#define MS_SECTOR_CNT_L 0xFD46 +#define MS_SECTOR_CNT_H 0xFD47 +#define MS_DBUS_H 0xFD48 + +#define CARD_DMA1_CTL 0xFD5C +#define CARD_PULL_CTL1 0xFD60 +#define CARD_PULL_CTL2 0xFD61 +#define CARD_PULL_CTL3 0xFD62 +#define CARD_PULL_CTL4 0xFD63 +#define CARD_PULL_CTL5 0xFD64 +#define CARD_PULL_CTL6 0xFD65 +#define CARD_EXIST 0xFD6F +#define CARD_INT_PEND 0xFD71 + +#define LDO_POWER_CFG 0xFD7B + +#define SD_CFG1 0xFDA0 +#define SD_CFG2 0xFDA1 +#define SD_CFG3 0xFDA2 +#define SD_STAT1 0xFDA3 +#define SD_STAT2 0xFDA4 +#define SD_BUS_STAT 0xFDA5 +#define SD_PAD_CTL 0xFDA6 +#define SD_SAMPLE_POINT_CTL 0xFDA7 +#define SD_PUSH_POINT_CTL 0xFDA8 +#define SD_CMD0 0xFDA9 +#define SD_CMD1 0xFDAA +#define SD_CMD2 0xFDAB +#define SD_CMD3 0xFDAC +#define SD_CMD4 0xFDAD +#define SD_CMD5 0xFDAE +#define SD_BYTE_CNT_L 0xFDAF +#define SD_BYTE_CNT_H 0xFDB0 +#define SD_BLOCK_CNT_L 0xFDB1 +#define SD_BLOCK_CNT_H 0xFDB2 +#define SD_TRANSFER 0xFDB3 +#define SD_CMD_STATE 0xFDB5 +#define SD_DATA_STATE 0xFDB6 +#define SD_VPCLK0_CTL 0xFC2A +#define SD_VPCLK1_CTL 0xFC2B +#define SD_DCMPS0_CTL 0xFC2C +#define SD_DCMPS1_CTL 0xFC2D + +#define CARD_DMA1_CTL 0xFD5C + +#define HW_VERSION 0xFC01 + +#define SSC_CLK_FPGA_SEL 0xFC02 +#define CLK_DIV 0xFC03 +#define SFSM_ED 0xFC04 + +#define CD_DEGLITCH_WIDTH 0xFC20 +#define CD_DEGLITCH_EN 0xFC21 +#define AUTO_DELINK_EN 0xFC23 + +#define FPGA_PULL_CTL 0xFC1D +#define CARD_CLK_SOURCE 0xFC2E + +#define CARD_SHARE_MODE 0xFD51 +#define CARD_DRIVE_SEL 0xFD52 +#define CARD_STOP 0xFD53 +#define CARD_OE 0xFD54 +#define CARD_AUTO_BLINK 0xFD55 +#define CARD_GPIO 0xFD56 +#define SD30_DRIVE_SEL 0xFD57 + +#define CARD_DATA_SOURCE 0xFD5D +#define CARD_SELECT 0xFD5E + +#define CARD_CLK_EN 0xFD79 +#define CARD_PWR_CTL 0xFD7A + +#define OCPCTL 0xFD80 +#define OCPPARA1 0xFD81 +#define OCPPARA2 0xFD82 +#define OCPSTAT 0xFD83 + +#define HS_USB_STAT 0xFE01 +#define HS_VCONTROL 0xFE26 +#define HS_VSTAIN 0xFE27 +#define HS_VLOADM 0xFE28 +#define HS_VSTAOUT 0xFE29 + +#define MC_IRQ 0xFF00 +#define MC_IRQEN 0xFF01 +#define MC_FIFO_CTL 0xFF02 +#define MC_FIFO_BC0 0xFF03 +#define MC_FIFO_BC1 0xFF04 +#define MC_FIFO_STAT 0xFF05 +#define MC_FIFO_MODE 0xFF06 +#define MC_FIFO_RD_PTR0 0xFF07 +#define MC_FIFO_RD_PTR1 0xFF08 +#define MC_DMA_CTL 0xFF10 +#define MC_DMA_TC0 0xFF11 +#define MC_DMA_TC1 0xFF12 +#define MC_DMA_TC2 0xFF13 +#define MC_DMA_TC3 0xFF14 +#define MC_DMA_RST 0xFF15 + +/* Memory mapping */ +#define RBUF_SIZE_MASK 0xFBFF +#define RBUF_BASE 0xF000 +#define PPBUF_BASE1 0xF800 +#define PPBUF_BASE2 0xFA00 + +/* int monitor_card_cd */ +#define CD_EXIST 0 +#define CD_NOT_EXIST 1 + +#define DEBOUNCE_CNT 5 + +int monitor_card_cd(struct rts51x_chip *chip, u8 card); + +void rts51x_do_remaining_work(struct rts51x_chip *chip); +void rts51x_do_rts51x_reset_sd_card(struct rts51x_chip *chip); +void rts51x_init_cards(struct rts51x_chip *chip); +void rts51x_release_cards(struct rts51x_chip *chip); +int rts51x_switch_ssc_clock(struct rts51x_chip *chip, int clk); +int rts51x_switch_normal_clock(struct rts51x_chip *chip, int clk); +int rts51x_card_rw(struct scsi_cmnd *srb, struct rts51x_chip *chip, + u32 sec_addr, u16 sec_cnt); +u8 rts51x_get_lun_card(struct rts51x_chip *chip, unsigned int lun); +int rts51x_select_card(struct rts51x_chip *chip, int card); +void rts51x_eject_card(struct rts51x_chip *chip, unsigned int lun); +void rts51x_trans_dma_enable(enum dma_data_direction dir, + struct rts51x_chip *chip, u32 byte_cnt, u8 pack_size); +int rts51x_enable_card_clock(struct rts51x_chip *chip, u8 card); +int rts51x_card_power_on(struct rts51x_chip *chip, u8 card); +int rts51x_toggle_gpio(struct rts51x_chip *chip, u8 gpio); +int rts51x_turn_on_led(struct rts51x_chip *chip, u8 gpio); +int rts51x_turn_off_led(struct rts51x_chip *chip, u8 gpio); + +static inline int check_card_ready(struct rts51x_chip *chip, unsigned int lun) +{ + if (chip->card_ready & chip->lun2card[lun]) + return 1; + + return 0; +} + +static inline int check_card_exist(struct rts51x_chip *chip, unsigned int lun) +{ + if (chip->card_exist & chip->lun2card[lun]) + return 1; + + return 0; +} + +static inline int check_card_wp(struct rts51x_chip *chip, unsigned int lun) +{ + if (chip->card_wp & chip->lun2card[lun]) + return 1; + + return 0; +} + +static inline int check_card_fail(struct rts51x_chip *chip, unsigned int lun) +{ + if (chip->card_fail & chip->lun2card[lun]) + return 1; + + return 0; +} + +static inline int check_card_ejected(struct rts51x_chip *chip, unsigned int lun) +{ + if (chip->card_ejected & chip->lun2card[lun]) + return 1; + + return 0; +} + +static inline int check_fake_card_ready(struct rts51x_chip *chip, + unsigned int lun) +{ + if (chip->fake_card_ready & chip->lun2card[lun]) + return 1; + + return 0; +} + +static inline u8 get_lun2card(struct rts51x_chip *chip, unsigned int lun) +{ + return chip->lun2card[lun]; +} + +static inline int check_lun_mc(struct rts51x_chip *chip, unsigned int lun) +{ + return CHK_BIT(chip->lun_mc, lun); +} + +static inline void set_lun_mc(struct rts51x_chip *chip, unsigned int lun) +{ + SET_BIT(chip->lun_mc, lun); +} + +static inline void clear_lun_mc(struct rts51x_chip *chip, unsigned int lun) +{ + CLR_BIT(chip->lun_mc, lun); +} + +static inline int switch_clock(struct rts51x_chip *chip, int clk) +{ + int retval = 0; + + if (chip->asic_code) + retval = rts51x_switch_ssc_clock(chip, clk); + else + retval = rts51x_switch_normal_clock(chip, clk); + + return retval; +} + +static inline void rts51x_clear_xd_error(struct rts51x_chip *chip) +{ + rts51x_ep0_write_register(chip, CARD_STOP, + XD_STOP | XD_CLR_ERR, XD_STOP | XD_CLR_ERR); + + rts51x_ep0_write_register(chip, MC_FIFO_CTL, FIFO_FLUSH, FIFO_FLUSH); + rts51x_ep0_write_register(chip, MC_DMA_RST, DMA_RESET, DMA_RESET); + rts51x_ep0_write_register(chip, SFSM_ED, 0xf8, 0xf8); +} + +static inline void rts51x_clear_sd_error(struct rts51x_chip *chip) +{ + rts51x_ep0_write_register(chip, CARD_STOP, + SD_STOP | SD_CLR_ERR, SD_STOP | SD_CLR_ERR); + + rts51x_ep0_write_register(chip, MC_FIFO_CTL, FIFO_FLUSH, FIFO_FLUSH); + rts51x_ep0_write_register(chip, MC_DMA_RST, DMA_RESET, DMA_RESET); + rts51x_ep0_write_register(chip, SFSM_ED, 0xf8, 0xf8); +} + +static inline void rts51x_clear_ms_error(struct rts51x_chip *chip) +{ + rts51x_ep0_write_register(chip, CARD_STOP, + MS_STOP | MS_CLR_ERR, MS_STOP | MS_CLR_ERR); + + rts51x_ep0_write_register(chip, MC_FIFO_CTL, FIFO_FLUSH, FIFO_FLUSH); + rts51x_ep0_write_register(chip, MC_DMA_RST, DMA_RESET, DMA_RESET); + rts51x_ep0_write_register(chip, SFSM_ED, 0xf8, 0xf8); +} + +#endif /* __RTS51X_CARD_H */ diff --git a/drivers/staging/rts5139/rts51x_chip.c b/drivers/staging/rts5139/rts51x_chip.c new file mode 100644 index 000000000000..7d7510de170c --- /dev/null +++ b/drivers/staging/rts5139/rts51x_chip.c @@ -0,0 +1,1014 @@ +/* Driver for Realtek RTS51xx USB card reader + * + * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, see <http://www.gnu.org/licenses/>. + * + * Author: + * wwang (wei_wang(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + * Maintainer: + * Edwin Rong (edwin_rong(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + */ + +#include <linux/blkdev.h> +#include <linux/kthread.h> +#include <linux/sched.h> +#include <linux/workqueue.h> + +#include "debug.h" +#include "trace.h" +#include "rts51x.h" +#include "rts51x_chip.h" +#include "rts51x_card.h" +#include "rts51x_transport.h" +#include "xd.h" +#include "ms.h" +#include "sd.h" + +static int check_sd_speed_prior(u32 sd_speed_prior) +{ + int i, fake_para = 0; + + /* Check the legality of sd_speed_prior */ + for (i = 0; i < 4; i++) { + u8 tmp = (u8) (sd_speed_prior >> (i * 8)); + if ((tmp < 0x01) || (tmp > 0x04)) { + fake_para = 1; + break; + } + } + + return !fake_para; +} + +int rts51x_reset_chip(struct rts51x_chip *chip) +{ + int retval; + + if (CHECK_PKG(chip, LQFP48)) { + RTS51X_WRITE_REG(chip, CARD_PWR_CTL, LDO3318_PWR_MASK, + LDO_SUSPEND); + RTS51X_WRITE_REG(chip, CARD_PWR_CTL, FORCE_LDO_POWERB, + FORCE_LDO_POWERB); + RTS51X_WRITE_REG(chip, CARD_PULL_CTL1, 0x30, 0x10); + RTS51X_WRITE_REG(chip, CARD_PULL_CTL5, 0x03, 0x01); + RTS51X_WRITE_REG(chip, CARD_PULL_CTL6, 0x0C, 0x04); + } + if (chip->asic_code) { + RTS51X_WRITE_REG(chip, SYS_DUMMY0, NYET_MSAK, NYET_EN); + RTS51X_WRITE_REG(chip, CD_DEGLITCH_WIDTH, 0xFF, 0x08); + rts51x_write_register(chip, CD_DEGLITCH_EN, XD_CD_DEGLITCH_EN, + 0x00); + rts51x_write_register(chip, SD30_DRIVE_SEL, SD30_DRIVE_MASK, + chip->option.sd30_pad_drive); + rts51x_write_register(chip, CARD_DRIVE_SEL, SD20_DRIVE_MASK, + chip->option.sd20_pad_drive); + if (chip->rts5179) + rts51x_write_register(chip, CARD_PULL_CTL5, 0x03, 0x01); + if (CHECK_PKG(chip, LQFP48)) { + rts51x_write_register(chip, CARD_PULL_CTL3, + 0x80, 0x80); + rts51x_write_register(chip, CARD_PULL_CTL6, + 0xf0, 0xA0); + } else { + rts51x_write_register(chip, CARD_PULL_CTL1, + 0x30, 0x20); + rts51x_write_register(chip, CARD_PULL_CTL3, + 0x80, 0x80); + rts51x_write_register(chip, CARD_PULL_CTL6, + 0x0c, 0x08); + } + } + if (chip->option.sd_ctl & SUPPORT_UHS50_MMC44) { + SET_UHS50(chip); + RTS51X_DEBUGP("option enable UHS50&MMC44,sd_ctl:0x%x\n", + chip->option.sd_ctl); + } else { + /* if(CHECK_PID(chip, 0x0139)&&CHECK_PKG(chip, LQFP48)) */ + if ((CHECK_PID(chip, 0x0139) && CHECK_PKG(chip, LQFP48)) + || chip->rts5179) { + SET_UHS50(chip); + RTS51X_DEBUGP("PID enable UHS50&MMC44\n"); + } else { + CLEAR_UHS50(chip); + RTS51X_DEBUGP("PID disable UHS50&MMC44\n"); + } + } + + if (chip->option.ms_errreg_fix && (chip->ic_version > 1)) + rts51x_write_register(chip, 0xFD4D, 0x01, 0x01); + retval = rts51x_write_phy_register(chip, 0xC2, 0x7C); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + rts51x_init_cmd(chip); + + /* GPIO OE */ + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_GPIO, GPIO_OE, GPIO_OE); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DMA1_CTL, + EXTEND_DMA1_ASYNC_SIGNAL, EXTEND_DMA1_ASYNC_SIGNAL); + + retval = rts51x_send_cmd(chip, MODE_C, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); +#ifdef SUPPORT_OCP + if (chip->asic_code) { + rts51x_write_register(chip, OCPCTL, MS_OCP_DETECT_EN, + MS_OCP_DETECT_EN); + RTS51X_DEBUGP("Enable OCP detect!\n"); + } +#endif + if (chip->option.FT2_fast_mode) { + rts51x_card_power_on(chip, SD_CARD | MS_CARD | XD_CARD); + wait_timeout(10); + } + + return STATUS_SUCCESS; +} + +int rts51x_init_chip(struct rts51x_chip *chip) +{ + int retval; + u8 val; + + chip->max_lun = 0; + chip->cur_clk = 0; + chip->cur_card = 0; + + chip->card2lun[XD_CARD] = 0; + chip->card2lun[SD_CARD] = 0; + chip->card2lun[MS_CARD] = 0; + chip->card_ejected = 0; + + chip->lun2card[0] = XD_CARD | SD_CARD | MS_CARD; +#ifdef CLOSE_SSC_POWER + rts51x_write_register(chip, FPDCTL, SSC_POWER_MASK, SSC_POWER_ON); + udelay(100); + rts51x_write_register(chip, CLK_DIV, CLK_CHANGE, 0x00); +#endif + RTS51X_SET_STAT(chip, STAT_RUN); + + RTS51X_READ_REG(chip, HW_VERSION, &val); + RTS51X_DEBUGP("HW_VERSION: 0x%x\n", val); + if (val & FPGA_VER) { + chip->asic_code = 0; + RTS51X_DEBUGP("FPGA!\n"); + } else { + chip->asic_code = 1; + RTS51X_DEBUGP("ASIC!\n"); + } + chip->ic_version = val & HW_VER_MASK; + + if (!check_sd_speed_prior(chip->option.sd_speed_prior)) + chip->option.sd_speed_prior = 0x01020403; + RTS51X_DEBUGP("sd_speed_prior = 0x%08x\n", + chip->option.sd_speed_prior); + + RTS51X_READ_REG(chip, CARD_SHARE_MODE, &val); + if (val & CARD_SHARE_LQFP_SEL) { + chip->package = LQFP48; + RTS51X_DEBUGP("Package: LQFP48\n"); + } else { + chip->package = QFN24; + RTS51X_DEBUGP("Package: QFN24\n"); + } + + RTS51X_READ_REG(chip, HS_USB_STAT, &val); + if (val & USB_HI_SPEED) { + chip->usb_speed = USB_20; + RTS51X_DEBUGP("USB High Speed\n"); + } else { + chip->usb_speed = USB_11; + RTS51X_DEBUGP("USB Full Speed\n"); + } + + RTS51X_READ_REG(chip, CFG_MODE_1, &val); + if (val & RTS5179) { + chip->rts5179 = 1; + RTS51X_DEBUGP("device is rts5179\n"); + } else { + chip->rts5179 = 0; + } + + retval = rts51x_reset_chip(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, STATUS_FAIL); + + return STATUS_SUCCESS; +} + +int rts51x_release_chip(struct rts51x_chip *chip) +{ + rts51x_xd_free_l2p_tbl(chip); + rts51x_ms_free_l2p_tbl(chip); + chip->card_ready = 0; + return STATUS_SUCCESS; +} + +static inline void rts51x_blink_led(struct rts51x_chip *chip) +{ + /* Read/Write */ + if (chip->card_ready) { + if (chip->led_toggle_counter < + chip->option.led_toggle_interval) { + chip->led_toggle_counter++; + } else { + chip->led_toggle_counter = 0; + rts51x_toggle_gpio(chip, LED_GPIO); + } + } +} + +static void rts51x_auto_delink_cmd(struct rts51x_chip *chip) +{ + rts51x_write_register(chip, AUTO_DELINK_EN, + AUTO_DELINK, AUTO_DELINK); +} + +static void rts51x_auto_delink_force_cmd(struct rts51x_chip *chip) +{ + rts51x_write_register(chip, AUTO_DELINK_EN, + AUTO_DELINK | FORCE_DELINK, + AUTO_DELINK | FORCE_DELINK); +} + +#ifdef USING_POLLING_CYCLE_DELINK +/* using polling cycle as delink time */ +static void rts51x_auto_delink_polling_cycle(struct rts51x_chip *chip) +{ + if (chip->auto_delink_counter <= + chip->option.delink_delay * 2) { + if (chip->auto_delink_counter == + chip->option.delink_delay) { + if (chip->card_exist) { + /* False card */ + if (!chip->card_ejected) { + /* if card is not ejected or safely + * remove,then do force delink */ + RTS51X_DEBUGP("False card inserted," + "do force delink\n"); + rts51x_auto_delink_force_cmd(chip); + chip->auto_delink_counter = + chip->option.delink_delay * 2 + 1; + } + } else { + RTS51X_DEBUGP("No card inserted, do delink\n"); + /* rts51x_write_register(chip, CARD_PWR_CTL, + DV3318_AUTO_PWR_OFF, 0); */ + rts51x_auto_delink_cmd(chip); + } + } + if (chip->auto_delink_counter == + chip->option.delink_delay * 2) { + RTS51X_DEBUGP("Try to do force delink\n"); + rts51x_auto_delink_force_cmd(chip); + } + chip->auto_delink_counter++; + } +} + +static void rts51x_auto_delink(struct rts51x_chip *chip) +{ + rts51x_auto_delink_polling_cycle(chip); +} +#else +/* some of called funcs are not implemented, so comment it out */ +static void rts51x_auto_delink(struct rts51x_chip *chip) +{ +} +#endif + +void rts51x_polling_func(struct rts51x_chip *chip) +{ + + rts51x_init_cards(chip); + +#ifdef SUPPORT_OCP + /* if OCP happen and card exist, then close card OE */ + if ((chip->ocp_stat & (MS_OCP_NOW | MS_OCP_EVER)) && + (chip->card_exist)) { + + rts51x_prepare_run(chip); + + if (chip->card_exist & SD_CARD) + rts51x_write_register(chip, CARD_OE, SD_OUTPUT_EN, 0); + else if (chip->card_exist & MS_CARD) + rts51x_write_register(chip, CARD_OE, MS_OUTPUT_EN, 0); + else if (chip->card_exist & XD_CARD) + rts51x_write_register(chip, CARD_OE, XD_OUTPUT_EN, 0); + } +#endif + + if (chip->idle_counter < IDLE_MAX_COUNT) { + chip->idle_counter++; + } else { + if (!RTS51X_CHK_STAT(chip, STAT_IDLE)) { + RTS51X_DEBUGP("Idle state!\n"); + RTS51X_SET_STAT(chip, STAT_IDLE); + chip->led_toggle_counter = 0; + /* Idle state, turn off LED + * to reduce power consumption */ + if (chip->option.led_always_on + && (chip->card_exist & + (SD_CARD | MS_CARD | XD_CARD)) + && (!chip->card_ejected)) { + rts51x_turn_on_led(chip, LED_GPIO); + } else { + if (chip->rts5179) { + rts51x_ep0_write_register(chip, + CARD_GPIO, + 0x03, 0x00); + } else { + rts51x_turn_off_led(chip, LED_GPIO); + } + + } + +#ifdef CLOSE_SSC_POWER + if (!chip->card_ready) { + rts51x_write_register(chip, CLK_DIV, CLK_CHANGE, + CLK_CHANGE); + rts51x_write_register(chip, FPDCTL, + SSC_POWER_MASK, + SSC_POWER_DOWN); + RTS51X_DEBUGP("Close SSC clock power!\n"); + } +#endif + } + } + + switch (RTS51X_GET_STAT(chip)) { + case STAT_RUN: + rts51x_blink_led(chip); + rts51x_do_remaining_work(chip); + break; + + case STAT_IDLE: + break; + + default: + break; + } + + if (chip->option.auto_delink_en && !chip->card_ready) + rts51x_auto_delink(chip); + else + chip->auto_delink_counter = 0; +} + +void rts51x_add_cmd(struct rts51x_chip *chip, + u8 cmd_type, u16 reg_addr, u8 mask, u8 data) +{ + int i; + + if (chip->cmd_idx < ((CMD_BUF_LEN - CMD_OFFSET) / 4)) { + i = CMD_OFFSET + chip->cmd_idx * 4; + chip->cmd_buf[i++] = + ((cmd_type & 0x03) << 6) | (u8) ((reg_addr >> 8) & 0x3F); + chip->cmd_buf[i++] = (u8) reg_addr; + chip->cmd_buf[i++] = mask; + chip->cmd_buf[i++] = data; + chip->cmd_idx++; + } +} + +int rts51x_send_cmd(struct rts51x_chip *chip, u8 flag, int timeout) +{ + int result; + + chip->cmd_buf[CNT_H] = (u8) (chip->cmd_idx >> 8); + chip->cmd_buf[CNT_L] = (u8) (chip->cmd_idx); + chip->cmd_buf[STAGE_FLAG] = flag; + + result = rts51x_transfer_data_rcc(chip, SND_BULK_PIPE(chip), + (void *)(chip->cmd_buf), + chip->cmd_idx * 4 + CMD_OFFSET, + 0, NULL, timeout, MODE_C); + if (result != STATUS_SUCCESS) + TRACE_RET(chip, result); + + return STATUS_SUCCESS; +} + +int rts51x_get_rsp(struct rts51x_chip *chip, int rsp_len, int timeout) +{ + int result; + + if (rsp_len <= 0) + TRACE_RET(chip, STATUS_ERROR); + /* rsp_len must aligned to dword */ + if (rsp_len % 4) + rsp_len += (4 - rsp_len % 4); + + result = rts51x_transfer_data_rcc(chip, RCV_BULK_PIPE(chip), + (void *)chip->rsp_buf, rsp_len, + 0, NULL, timeout, STAGE_R); + if (result != STATUS_SUCCESS) + TRACE_RET(chip, result); + + return STATUS_SUCCESS; +} + +int rts51x_get_card_status(struct rts51x_chip *chip, u16 *status) +{ + int retval; + u16 val; + +#ifdef GET_CARD_STATUS_USING_EPC + retval = rts51x_get_epc_status(chip, &val); + + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); +#else + retval = rts51x_ctrl_transfer(chip, RCV_CTRL_PIPE(chip), 0x02, 0xC0, + 0, 0, &val, 2, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); +#endif + + if (status) + *status = val; + + return STATUS_SUCCESS; +} + +int rts51x_write_register(struct rts51x_chip *chip, u16 addr, u8 mask, u8 data) +{ + int retval; + + rts51x_init_cmd(chip); + rts51x_add_cmd(chip, WRITE_REG_CMD, addr, mask, data); + retval = rts51x_send_cmd(chip, MODE_C, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, STATUS_FAIL); + + return STATUS_SUCCESS; +} + +int rts51x_read_register(struct rts51x_chip *chip, u16 addr, u8 *data) +{ + int retval; + + if (data) + *data = 0; + rts51x_init_cmd(chip); + rts51x_add_cmd(chip, READ_REG_CMD, addr, 0, 0); + retval = rts51x_send_cmd(chip, MODE_CR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, STATUS_FAIL); + + retval = rts51x_get_rsp(chip, 1, 100); + + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, STATUS_FAIL); + + if (data) + *data = chip->rsp_buf[0]; + + return STATUS_SUCCESS; +} + +int rts51x_ep0_write_register(struct rts51x_chip *chip, u16 addr, u8 mask, + u8 data) +{ + int retval; + u16 value = 0, index = 0; + + value |= (u16) (3 & 0x03) << 14; + value |= (u16) (addr & 0x3FFF); + index |= (u16) mask << 8; + index |= (u16) data; + + retval = rts51x_ctrl_transfer(chip, SND_CTRL_PIPE(chip), 0x00, 0x40, + cpu_to_be16(value), cpu_to_be16(index), + NULL, 0, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + return STATUS_SUCCESS; +} + +int rts51x_ep0_read_register(struct rts51x_chip *chip, u16 addr, u8 *data) +{ + int retval; + u16 value = 0; + u8 val; + + if (data) + *data = 0; + + value |= (u16) (2 & 0x03) << 14; + value |= (u16) (addr & 0x3FFF); + + retval = rts51x_ctrl_transfer(chip, RCV_CTRL_PIPE(chip), 0x00, 0xC0, + cpu_to_be16(value), 0, &val, 1, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (data) + *data = val; + + return STATUS_SUCCESS; +} + +int rts51x_seq_write_register(struct rts51x_chip *chip, u16 addr, u16 len, + u8 *data) +{ + int result; + u16 cmd_len = len + 12; + + if (!data) + TRACE_RET(chip, STATUS_ERROR); + + cmd_len = (cmd_len <= CMD_BUF_LEN) ? cmd_len : CMD_BUF_LEN; + + /* cmd_len must aligned to dword */ + if (cmd_len % 4) + cmd_len += (4 - cmd_len % 4); + + chip->cmd_buf[0] = 'R'; + chip->cmd_buf[1] = 'T'; + chip->cmd_buf[2] = 'C'; + chip->cmd_buf[3] = 'R'; + chip->cmd_buf[PACKET_TYPE] = SEQ_WRITE; + chip->cmd_buf[5] = (u8) (len >> 8); + chip->cmd_buf[6] = (u8) len; + chip->cmd_buf[STAGE_FLAG] = 0; + chip->cmd_buf[8] = (u8) (addr >> 8); + chip->cmd_buf[9] = (u8) addr; + + memcpy(chip->cmd_buf + 12, data, len); + + result = rts51x_transfer_data_rcc(chip, SND_BULK_PIPE(chip), + (void *)(chip->cmd_buf), cmd_len, 0, + NULL, 100, MODE_C); + if (result != STATUS_SUCCESS) + TRACE_RET(chip, result); + + return STATUS_SUCCESS; +} + +int rts51x_seq_read_register(struct rts51x_chip *chip, u16 addr, u16 len, + u8 *data) +{ + int result; + u16 rsp_len; + + if (!data) + TRACE_RET(chip, STATUS_ERROR); + /* rsp_len must aligned to dword */ + if (len % 4) + rsp_len = len + (4 - len % 4); + else + rsp_len = len; + + chip->cmd_buf[0] = 'R'; + chip->cmd_buf[1] = 'T'; + chip->cmd_buf[2] = 'C'; + chip->cmd_buf[3] = 'R'; + chip->cmd_buf[PACKET_TYPE] = SEQ_READ; + chip->cmd_buf[5] = (u8) (rsp_len >> 8); + chip->cmd_buf[6] = (u8) rsp_len; + chip->cmd_buf[STAGE_FLAG] = STAGE_R; + chip->cmd_buf[8] = (u8) (addr >> 8); + chip->cmd_buf[9] = (u8) addr; + + result = rts51x_transfer_data_rcc(chip, SND_BULK_PIPE(chip), + (void *)(chip->cmd_buf), 12, 0, NULL, + 100, MODE_C); + if (result != STATUS_SUCCESS) + TRACE_RET(chip, result); + + result = rts51x_transfer_data_rcc(chip, RCV_BULK_PIPE(chip), + (void *)data, rsp_len, 0, NULL, 100, + STAGE_DI); + if (result != STATUS_SUCCESS) + TRACE_RET(chip, result); + + return STATUS_SUCCESS; +} + +int rts51x_read_ppbuf(struct rts51x_chip *chip, u8 *buf, int buf_len) +{ + int retval; + + if (!buf) + TRACE_RET(chip, STATUS_ERROR); + + retval = + rts51x_seq_read_register(chip, PPBUF_BASE2, (u16) buf_len, buf); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + return STATUS_SUCCESS; +} + +int rts51x_write_ppbuf(struct rts51x_chip *chip, u8 *buf, int buf_len) +{ + int retval; + + if (!buf) + TRACE_RET(chip, STATUS_ERROR); + + retval = + rts51x_seq_write_register(chip, PPBUF_BASE2, (u16) buf_len, buf); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + return STATUS_SUCCESS; +} + +int rts51x_write_phy_register(struct rts51x_chip *chip, u8 addr, u8 val) +{ + int retval; + + RTS51X_DEBUGP("Write 0x%x to phy register 0x%x\n", val, addr); + + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VSTAIN, 0xFF, val); + rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VCONTROL, 0xFF, addr & 0x0F); + rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x00); + rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x00); + rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x01); + rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VCONTROL, 0xFF, + (addr >> 4) & 0x0F); + rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x00); + rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x00); + rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x01); + + retval = rts51x_send_cmd(chip, MODE_C, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + return STATUS_SUCCESS; +} + +int rts51x_read_phy_register(struct rts51x_chip *chip, u8 addr, u8 *val) +{ + int retval; + + RTS51X_DEBUGP("Read from phy register 0x%x\n", addr); + + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VCONTROL, 0xFF, 0x07); + rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x00); + rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x00); + rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x01); + rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VCONTROL, 0xFF, + (addr >> 4) & 0x0F); + rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x00); + rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x00); + rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x01); + rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VCONTROL, 0xFF, addr & 0x0F); + rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x00); + rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x00); + rts51x_add_cmd(chip, WRITE_REG_CMD, HS_VLOADM, 0xFF, 0x01); + rts51x_add_cmd(chip, READ_REG_CMD, HS_VSTAOUT, 0, 0); + + retval = rts51x_send_cmd(chip, MODE_CR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = rts51x_get_rsp(chip, 1, 100); + + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (val) + *val = chip->rsp_buf[0]; + + RTS51X_DEBUGP("Return value: 0x%x\n", chip->rsp_buf[0]); + + return STATUS_SUCCESS; +} + +void rts51x_do_before_power_down(struct rts51x_chip *chip) +{ + RTS51X_DEBUGP("rts51x_do_before_power_down\n"); + + rts51x_prepare_run(chip); + + rts51x_release_cards(chip); + if (chip->rts5179) + rts51x_ep0_write_register(chip, CARD_GPIO, 0x03, 0x00); + else + rts51x_turn_off_led(chip, LED_GPIO); + + chip->cur_clk = 0; + chip->card_exist = 0; + chip->cur_card = 0; + if (chip->asic_code) { + if (CHECK_PKG(chip, LQFP48)) { + rts51x_write_register(chip, CARD_PULL_CTL3, 0x80, 0x00); + rts51x_write_register(chip, CARD_PULL_CTL6, 0xf0, 0x50); + } else { + rts51x_write_register(chip, CARD_PULL_CTL1, 0x30, 0x10); + rts51x_write_register(chip, CARD_PULL_CTL3, 0x80, 0x00); + rts51x_write_register(chip, CARD_PULL_CTL6, 0x0c, 0x04); + } + } + if (CHECK_PKG(chip, LQFP48)) + rts51x_write_register(chip, CARD_PWR_CTL, LDO3318_PWR_MASK, + LDO_OFF); +} + +void rts51x_clear_hw_error(struct rts51x_chip *chip) +{ + rts51x_ep0_write_register(chip, SFSM_ED, 0xf8, 0xf8); +} + +void rts51x_prepare_run(struct rts51x_chip *chip) +{ +#ifdef CLOSE_SSC_POWER + if (RTS51X_CHK_STAT(chip, STAT_IDLE) && (!chip->card_ready)) { + rts51x_write_register(chip, FPDCTL, SSC_POWER_MASK, + SSC_POWER_ON); + udelay(100); + RTS51X_DEBUGP("Open SSC clock power.\n"); + + rts51x_write_register(chip, CLK_DIV, CLK_CHANGE, 0x00); + } +#endif +} + +#ifdef _MSG_TRACE +void rts51x_trace_msg(struct rts51x_chip *chip, unsigned char *buf, int clear) +{ + unsigned char *ptr; + int i, msg_cnt; + + if (!buf) + return; + + ptr = buf; + + if (chip->trace_msg[chip->msg_idx].valid) + msg_cnt = TRACE_ITEM_CNT; + else + msg_cnt = chip->msg_idx; + *(ptr++) = (u8) (msg_cnt >> 24); + *(ptr++) = (u8) (msg_cnt >> 16); + *(ptr++) = (u8) (msg_cnt >> 8); + *(ptr++) = (u8) msg_cnt; + RTS51X_DEBUGP("Trace message count is %d\n", msg_cnt); + + for (i = 1; i <= msg_cnt; i++) { + int j, idx; + + idx = chip->msg_idx - i; + if (idx < 0) + idx += TRACE_ITEM_CNT; + + *(ptr++) = (u8) (chip->trace_msg[idx].line >> 8); + *(ptr++) = (u8) (chip->trace_msg[idx].line); + for (j = 0; j < MSG_FUNC_LEN; j++) + *(ptr++) = chip->trace_msg[idx].func[j]; + for (j = 0; j < MSG_FILE_LEN; j++) + *(ptr++) = chip->trace_msg[idx].file[j]; + for (j = 0; j < TIME_VAL_LEN; j++) + *(ptr++) = chip->trace_msg[idx].timeval_buf[j]; + } + + if (clear) { + chip->msg_idx = 0; + for (i = 0; i < TRACE_ITEM_CNT; i++) + chip->trace_msg[i].valid = 0; + } +} +#endif + +void rts51x_pp_status(struct rts51x_chip *chip, unsigned int lun, u8 *status, + u8 status_len) +{ + struct sd_info *sd_card = &(chip->sd_card); + struct ms_info *ms_card = &(chip->ms_card); + u8 card = rts51x_get_lun_card(chip, lun); +#ifdef SUPPORT_OC + u8 oc_now_mask = 0, oc_ever_mask = 0; +#endif + + if (!status || (status_len < 32)) + return; + /* IC Version */ + status[0] = (u8) RTS51X_GET_PID(chip); + status[1] = (u8) (chip->ic_version); + + /* Auto delink mode */ + if (chip->option.auto_delink_en) + status[2] = 0x10; + else + status[2] = 0x00; + + /* Spec version */ + status[3] = 20; + status[4] = 10; + status[5] = 05; + status[6] = 21; + + /* Card WP */ + if (chip->card_wp) + status[7] = 0x20; + else + status[7] = 0x00; + +#ifdef SUPPORT_OC + /* Over current status */ + status[8] = 0; + oc_now_mask = MS_OCP_NOW; + oc_ever_mask = MS_OCP_EVER; + + if (chip->ocp_stat & oc_now_mask) + status[8] |= 0x02; + if (chip->ocp_stat & oc_ever_mask) + status[8] |= 0x01; +#endif + + if (card == SD_CARD) { + if (CHK_SD(sd_card)) { + if (CHK_SD_HCXC(sd_card)) { + if (sd_card->capacity > 0x4000000) + /* SDXC */ + status[0x0E] = 0x02; + else /* SDHC */ + status[0x0E] = 0x01; + } else { /* SDSC */ + status[0x0E] = 0x00; + } + + if (CHK_SD_SDR104(sd_card)) + status[0x0F] = 0x03; + else if (CHK_SD_DDR50(sd_card)) + status[0x0F] = 0x04; + else if (CHK_SD_SDR50(sd_card)) + status[0x0F] = 0x02; + else if (CHK_SD_HS(sd_card)) + status[0x0F] = 0x01; + else + status[0x0F] = 0x00; /* Normal speed */ + } else { + if (CHK_MMC_SECTOR_MODE(sd_card)) + status[0x0E] = 0x01; /* High capacity */ + else + status[0x0E] = 0x00; /* Normal capacity */ + + if (CHK_MMC_DDR52(sd_card)) + status[0x0F] = 0x03; /* DDR 52M */ + else if (CHK_MMC_52M(sd_card)) + status[0x0F] = 0x02; /* SDR 52M */ + else if (CHK_MMC_26M(sd_card)) + status[0x0F] = 0x01; /* SDR 26M */ + else + status[0x0F] = 0x00; /* Normal speed */ + } + } else if (card == MS_CARD) { + if (CHK_MSPRO(ms_card)) { + if (CHK_MSXC(ms_card)) + status[0x0E] = 0x01; /* XC */ + else + status[0x0E] = 0x00; + + if (CHK_HG8BIT(ms_card)) + status[0x0F] = 0x01; + else + status[0x0F] = 0x00; + } + } + + /* Function 0 + * Support Magic Gate, CPRM and PhyRegister R/W */ + status[0x18] = 0x8A; + + /* Function 2 + * Support OC LUN status & WP LUN status */ + status[0x1A] = 0x28; + + /* Function 2 + * Support OC LUN status & WP LUN status */ + status[0x1A] = 0x28; +} + +void rts51x_read_status(struct rts51x_chip *chip, unsigned int lun, + u8 *rts51x_status, u8 status_len) +{ + if (!rts51x_status || (status_len < 16)) + return; + /* VID */ + rts51x_status[0] = (u8) (RTS51X_GET_VID(chip) >> 8); + rts51x_status[1] = (u8) RTS51X_GET_VID(chip); + + /* PID */ + rts51x_status[2] = (u8) (RTS51X_GET_PID(chip) >> 8); + rts51x_status[3] = (u8) RTS51X_GET_PID(chip); + + /* gbLUN */ + rts51x_status[4] = (u8) lun; + + /* Lun Card Number */ + if (chip->card_exist) { + if (chip->card_exist & XD_CARD) + rts51x_status[5] = 4; /* xD Card */ + else if (chip->card_exist & SD_CARD) + rts51x_status[5] = 2; /* SD Card */ + else if (chip->card_exist & MS_CARD) + rts51x_status[5] = 3; /* MS Card */ + else + rts51x_status[5] = 7; /* Multi */ + } else { + rts51x_status[5] = 7; /* Multi */ + } + + /* Total LUNs */ + rts51x_status[6] = 1; + + /* IC Version */ + rts51x_status[7] = (u8) RTS51X_GET_PID(chip); + rts51x_status[8] = chip->ic_version; + + /* Physical Exist */ + if (check_card_exist(chip, lun)) + rts51x_status[9] = 1; + else + rts51x_status[9] = 0; + + /* Multi Flag */ + rts51x_status[10] = 1; + + /* LUN Valid Map */ + rts51x_status[11] = XD_CARD | SD_CARD | MS_CARD; + + /* Logical Exist */ + if (check_card_ready(chip, lun)) + rts51x_status[12] = 1; + else + rts51x_status[12] = 0; + + /* Detailed Type */ + if (rts51x_get_lun_card(chip, lun) == XD_CARD) { + rts51x_status[13] = 0x40; + } else if (rts51x_get_lun_card(chip, lun) == SD_CARD) { + struct sd_info *sd_card = &(chip->sd_card); + + rts51x_status[13] = 0x20; + if (CHK_SD(sd_card)) { + if (CHK_SD_HCXC(sd_card)) + rts51x_status[13] |= 0x04; /* Hi capacity SD */ + if (CHK_SD_HS(sd_card)) + rts51x_status[13] |= 0x02; /* Hi speed SD */ + } else { + rts51x_status[13] |= 0x08; /* MMC card */ + if (CHK_MMC_52M(sd_card)) + rts51x_status[13] |= 0x02; /* Hi speed */ + if (CHK_MMC_SECTOR_MODE(sd_card)) + rts51x_status[13] |= 0x04; /* Hi capacity */ + } + } else if (rts51x_get_lun_card(chip, lun) == MS_CARD) { + struct ms_info *ms_card = &(chip->ms_card); + + if (CHK_MSPRO(ms_card)) { + rts51x_status[13] = 0x38; /* MS Pro */ + if (CHK_HG8BIT(ms_card)) + rts51x_status[13] |= 0x04; /* HG */ +#ifdef SUPPORT_MSXC + if (CHK_MSXC(ms_card)) + rts51x_status[13] |= 0x01; /* MSXC */ +#endif + } else { + rts51x_status[13] = 0x30; + } + } else { + rts51x_status[13] = 0x70; + } +/* Support OC, auto delink, vendor r/w, get bus width */ + rts51x_status[14] = 0x78; + + rts51x_status[15] = 0x82; +} + +int rts51x_transfer_data_rcc(struct rts51x_chip *chip, unsigned int pipe, + void *buf, unsigned int len, int use_sg, + unsigned int *act_len, int timeout, u8 stage_flag) +{ + int retval; + + retval = + rts51x_transfer_data(chip, pipe, buf, len, use_sg, act_len, + timeout); + + return retval; + +} diff --git a/drivers/staging/rts5139/rts51x_chip.h b/drivers/staging/rts5139/rts51x_chip.h new file mode 100644 index 000000000000..12deb24cfbbe --- /dev/null +++ b/drivers/staging/rts5139/rts51x_chip.h @@ -0,0 +1,821 @@ +/* Driver for Realtek RTS51xx USB card reader + * Header file + * + * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, see <http://www.gnu.org/licenses/>. + * + * Author: + * wwang (wei_wang(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + * Maintainer: + * Edwin Rong (edwin_rong(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + */ + +#ifndef __RTS51X_CHIP_H +#define __RTS51X_CHIP_H + +#include <linux/usb.h> +#include <linux/usb_usual.h> +#include <linux/blkdev.h> +#include <linux/completion.h> +#include <linux/mutex.h> +#include <scsi/scsi_host.h> + +#include "trace.h" + +#define SUPPORT_CPRM +#define SUPPORT_MAGIC_GATE +#define SUPPORT_MSXC +#define USING_POLLING_CYCLE_DELINK + +#ifdef SUPPORT_MAGIC_GA +/* Using NORMAL_WRITE instead of AUTO_WRITE to set ICVTE */ +#define MG_SET_ICV_SLOW +#endif + +#ifdef SUPPORT_MSXC +#define XC_POWERCLASS +#define SUPPORT_PCGL_1P18 +#endif + +#define GET_CARD_STATUS_USING_EPC + +#define CLOSE_SSC_POWER + +#define SUPPORT_OCP + +#define MS_SPEEDUP + +#define SD_XD_IO_FOLLOW_PWR + +#define SD_NR 2 +#define MS_NR 3 +#define XD_NR 4 +#define SD_CARD (1 << SD_NR) +#define MS_CARD (1 << MS_NR) +#define XD_CARD (1 << XD_NR) + +#define SD_CD 0x01 +#define MS_CD 0x02 +#define XD_CD 0x04 +#define SD_WP 0x08 + +#define MAX_ALLOWED_LUN_CNT 8 +#define CMD_BUF_LEN 1024 +#define POLLING_INTERVAL 50 /* 50ms */ + +#define XD_FREE_TABLE_CNT 1200 +#define MS_FREE_TABLE_CNT 512 + +/* Bit Operation */ +#define SET_BIT(data, idx) ((data) |= 1 << (idx)) +#define CLR_BIT(data, idx) ((data) &= ~(1 << (idx))) +#define CHK_BIT(data, idx) ((data) & (1 << (idx))) + +/* Command type */ +#define READ_REG_CMD 0 +#define WRITE_REG_CMD 1 +#define CHECK_REG_CMD 2 + +#define PACKET_TYPE 4 +#define CNT_H 5 +#define CNT_L 6 +#define STAGE_FLAG 7 +#define CMD_OFFSET 8 + +/* Packet type */ +#define BATCH_CMD 0 +#define SEQ_READ 1 +#define SEQ_WRITE 2 + +/* Stage flag */ +#define STAGE_R 0x01 +#define STAGE_DI 0x02 +#define STAGE_DO 0x04 +/* Return MS_TRANS_CFG, GET_INT */ +#define STAGE_MS_STATUS 0x08 +/* Return XD_CFG, XD_CTL, XD_PAGE_STATUS */ +#define STAGE_XD_STATUS 0x10 +/* Command stage mode */ +#define MODE_C 0x00 +#define MODE_CR (STAGE_R) +#define MODE_CDIR (STAGE_R | STAGE_DI) +#define MODE_CDOR (STAGE_R | STAGE_DO) + +/* Function return code */ +#ifndef STATUS_SUCCESS +#define STATUS_SUCCESS 0 +#endif + +#define STATUS_FAIL 1 +#define STATUS_TIMEDOUT 4 +#define STATUS_NOMEM 5 +#define STATUS_TRANS_SHORT 6 +#define STATUS_TRANS_LONG 7 +#define STATUS_STALLED 8 +#define STATUS_ERROR 10 + +#define IDLE_MAX_COUNT 10 +#define POLLING_WAIT_CNT 1 +#define LED_GPIO 0 + +/* package */ +#define QFN24 0 +#define LQFP48 1 + +#define USB_11 0 +#define USB_20 1 + +/* + * Transport return codes + */ +/* Transport good, command good */ +#define TRANSPORT_GOOD 0 +/* Transport good, command failed */ +#define TRANSPORT_FAILED 1 +/* Transport bad (i.e. device dead) */ +#define TRANSPORT_ERROR 3 + +/* Supported Clock */ +enum card_clock { CLK_20 = 1, CLK_30, CLK_40, CLK_50, CLK_60, CLK_80, CLK_100 }; + +#ifdef _MSG_TRACE + +#define TRACE_ITEM_CNT 64 + +struct trace_msg_t { + u16 line; +#define MSG_FUNC_LEN 64 + char func[MSG_FUNC_LEN]; +#define MSG_FILE_LEN 32 + char file[MSG_FILE_LEN]; +#define TIME_VAL_LEN 16 + u8 timeval_buf[TIME_VAL_LEN]; + u8 valid; +}; + +#endif /* _MSG_TRACE */ + +/* Size of the autosense data buffer */ +#define SENSE_SIZE 18 + +/* Sense type */ +#define SENSE_TYPE_NO_SENSE 0 +#define SENSE_TYPE_MEDIA_CHANGE 1 +#define SENSE_TYPE_MEDIA_NOT_PRESENT 2 +#define SENSE_TYPE_MEDIA_LBA_OVER_RANGE 3 +#define SENSE_TYPE_MEDIA_LUN_NOT_SUPPORT 4 +#define SENSE_TYPE_MEDIA_WRITE_PROTECT 5 +#define SENSE_TYPE_MEDIA_INVALID_CMD_FIELD 6 +#define SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR 7 +#define SENSE_TYPE_MEDIA_WRITE_ERR 8 +#define SENSE_TYPE_FORMAT_CMD_FAILED 10 +#ifdef SUPPORT_MAGIC_GATE +/* COPY PROTECTION KEY EXCHANGE FAILURE - KEY NOT ESTABLISHED */ +#define SENSE_TYPE_MG_KEY_FAIL_NOT_ESTAB 0x0b +/* COPY PROTECTION KEY EXCHANGE FAILURE - AUTHENTICATION FAILURE */ +#define SENSE_TYPE_MG_KEY_FAIL_NOT_AUTHEN 0x0c +/* INCOMPATIBLE MEDIUM INSTALLED */ +#define SENSE_TYPE_MG_INCOMPATIBLE_MEDIUM 0x0d +/* WRITE ERROR */ +#define SENSE_TYPE_MG_WRITE_ERR 0x0e +#endif + +/*---- sense key ----*/ +#define ILGAL_REQ 0x05 /* CDB/parameter/identify msg error */ + +/*----------------------------------- + SENSE_DATA +-----------------------------------*/ + +/*---- error code ----*/ +#define CUR_ERR 0x70 /* current error */ + +/*---- sense key Information ----*/ + +#define SKSV 0x80 +#define CDB_ILLEGAL 0x40 + +/*---- ASC ----*/ +#define ASC_INVLD_CDB 0x24 + +/*---- ASQC ----*/ +#define ASCQ_INVLD_CDB 0x00 + +struct sense_data_t { + unsigned char err_code; /* error code */ + /* bit7 : valid */ + /* (1 : SCSI2) */ + /* (0 : Vendor specific) */ + /* bit6-0 : error code */ + /* (0x70 : current error) */ + /* (0x71 : specific command error) */ + unsigned char seg_no; /* segment No. */ + unsigned char sense_key; /* byte5 : ILI */ + /* bit3-0 : sense key */ + unsigned char info[4]; /* information */ + unsigned char ad_sense_len; /* additional sense data length */ + unsigned char cmd_info[4]; /* command specific information */ + unsigned char asc; /* ASC */ + unsigned char ascq; /* ASCQ */ + unsigned char rfu; /* FRU */ + unsigned char sns_key_info[3]; /* sense key specific information */ +}; + +/* sd_ctl bit map */ +/* SD push point control, bit 0, 1 */ +#define SD_PUSH_POINT_CTL_MASK 0x03 +#define SD_PUSH_POINT_DELAY 0x01 +#define SD_PUSH_POINT_AUTO 0x02 +/* SD sample point control, bit 2, 3 */ +#define SD_SAMPLE_POINT_CTL_MASK 0x0C +#define SD_SAMPLE_POINT_DELAY 0x04 +#define SD_SAMPLE_POINT_AUTO 0x08 +/* SD DDR Tx phase set by user, bit 4 */ +#define SD_DDR_TX_PHASE_SET_BY_USER 0x10 +/* MMC DDR Tx phase set by user, bit 5 */ +#define MMC_DDR_TX_PHASE_SET_BY_USER 0x20 +/* Support MMC DDR mode, bit 6 */ +/*#define SUPPORT_MMC_DDR_MODE 0x40 */ +#define SUPPORT_UHS50_MMC44 0x40 + +struct rts51x_option { + int rts51x_mspro_formatter_enable; + + /* card clock expected by user for fpga platform */ + int fpga_sd_sdr104_clk; + int fpga_sd_ddr50_clk; + int fpga_sd_sdr50_clk; + int fpga_sd_hs_clk; + int fpga_mmc_52m_clk; + int fpga_ms_hg_clk; + int fpga_ms_4bit_clk; + + /* card clock expected by user for asic platform */ + int asic_sd_sdr104_clk; + int asic_sd_ddr50_clk; + int asic_sd_sdr50_clk; + int asic_sd_hs_clk; + int asic_mmc_52m_clk; + int asic_ms_hg_clk; + int asic_ms_4bit_clk; + + u8 ssc_depth_sd_sdr104; /* sw */ + u8 ssc_depth_sd_ddr50; /* sw */ + u8 ssc_depth_sd_sdr50; /* sw */ + u8 ssc_depth_sd_hs; /* sw */ + u8 ssc_depth_mmc_52m; /* sw */ + u8 ssc_depth_ms_hg; /* sw */ + u8 ssc_depth_ms_4bit; /* sw */ + u8 ssc_depth_low_speed; /* sw */ + + /* SD/MMC Tx phase */ + int sd_ddr_tx_phase; /* Enabled by bit 4 of sd_ctl */ + int mmc_ddr_tx_phase; /* Enabled by bit 5 of sd_ctl */ + + /* priority of choosing sd speed funciton */ + u32 sd_speed_prior; + + /* sd card control */ + u32 sd_ctl; + + /* Enable Selective Suspend */ + int ss_en; + /* Interval to enter SS from IDLE state (second) */ + int ss_delay; + + /* Enable SSC clock */ + int ssc_en; + + int auto_delink_en; + + /* sangdy2010-07-13:add FT2 fast mode */ + int FT2_fast_mode; + /* sangdy2010-07-15: + * add for config delay between 1/4 PMOS and 3/4 PMOS */ + int pwr_delay; + + int rts51x_xd_rw_step; /* add to tune xd tRP */ + int D3318_off_delay; /* add to tune D3318 off delay time */ + int delink_delay; /* add to tune delink delay time */ + /* add for rts5129 to enable/disable D3318 off */ + u8 rts5129_D3318_off_enable; + u8 sd20_pad_drive; /* add to config SD20 PAD drive */ + u8 sd30_pad_drive; /* add to config SD30 pad drive */ + /*if reset or rw fail,then set SD20 pad drive again */ + u8 reset_or_rw_fail_set_pad_drive; + + u8 debounce_num; /* debounce number */ + u8 led_toggle_interval; /* used to control led toggle speed */ + int rts51x_xd_rwn_step; + u8 sd_send_status_en; + /* used to store default phase which is + * used when phase tune all pass. */ + u8 ddr50_tx_phase; + u8 ddr50_rx_phase; + u8 sdr50_tx_phase; + u8 sdr50_rx_phase; + /* used to enable select sdr50 tx phase according to proportion. */ + u8 sdr50_phase_sel; + u8 ms_errreg_fix; + u8 reset_mmc_first; + u8 speed_mmc; /* when set, then try CMD55 only twice */ + u8 led_always_on; /* if set, then led always on when card exist */ + u8 dv18_voltage; /* add to tune dv18 voltage */ +}; + +#define MS_FORMATTER_ENABLED(chip) ((chip)->option.rts51x_mspro_formatter_enable) + +struct rts51x_chip; + +typedef int (*rts51x_card_rw_func) (struct scsi_cmnd *srb, struct rts51x_chip *chip, + u32 sec_addr, u16 sec_cnt); + +/* For MS Card */ +#define MAX_DEFECTIVE_BLOCK 10 + +struct zone_entry { + u16 *l2p_table; + u16 *free_table; + u16 defect_list[MAX_DEFECTIVE_BLOCK]; /* For MS card only */ + int set_index; + int get_index; + int unused_blk_cnt; + int disable_count; + /* To indicate whether the L2P table of this zone has been built. */ + int build_flag; +}; + +struct xd_delay_write_tag { + u32 old_phyblock; + u32 new_phyblock; + u32 logblock; + u8 pageoff; + u8 delay_write_flag; +}; + +struct xd_info { + u8 maker_code; + u8 device_code; + u8 block_shift; + u8 page_off; + u8 addr_cycle; + u16 cis_block; + u8 multi_flag; + u8 err_code; + u32 capacity; + + struct zone_entry *zone; + int zone_cnt; + + struct xd_delay_write_tag delay_write; + + int counter; + + int xd_clock; +}; + +#define TYPE_SD 0x0000 +#define TYPE_MMC 0x0001 + +/* TYPE_SD */ +#define SD_HS 0x0100 +#define SD_SDR50 0x0200 +#define SD_DDR50 0x0400 +#define SD_SDR104 0x0800 +#define SD_HCXC 0x1000 + +/* TYPE_MMC */ +#define MMC_26M 0x0100 +#define MMC_52M 0x0200 +#define MMC_4BIT 0x0400 +#define MMC_8BIT 0x0800 +#define MMC_SECTOR_MODE 0x1000 +#define MMC_DDR52 0x2000 + +/* SD card */ +#define CHK_SD(sd_card) (((sd_card)->sd_type & 0xFF) == TYPE_SD) +#define CHK_SD_HS(sd_card) \ + (CHK_SD(sd_card) && ((sd_card)->sd_type & SD_HS)) +#define CHK_SD_SDR50(sd_card) \ + (CHK_SD(sd_card) && ((sd_card)->sd_type & SD_SDR50)) +#define CHK_SD_DDR50(sd_card) \ + (CHK_SD(sd_card) && ((sd_card)->sd_type & SD_DDR50)) +#define CHK_SD_SDR104(sd_card) \ + (CHK_SD(sd_card) && ((sd_card)->sd_type & SD_SDR104)) +#define CHK_SD_HCXC(sd_card) \ + (CHK_SD(sd_card) && ((sd_card)->sd_type & SD_HCXC)) +#define CHK_SD30_SPEED(sd_card) \ + (CHK_SD_SDR50(sd_card) || CHK_SD_DDR50(sd_card) ||\ + CHK_SD_SDR104(sd_card)) + +#define SET_SD(sd_card) ((sd_card)->sd_type = TYPE_SD) +#define SET_SD_HS(sd_card) ((sd_card)->sd_type |= SD_HS) +#define SET_SD_SDR50(sd_card) ((sd_card)->sd_type |= SD_SDR50) +#define SET_SD_DDR50(sd_card) ((sd_card)->sd_type |= SD_DDR50) +#define SET_SD_SDR104(sd_card) ((sd_card)->sd_type |= SD_SDR104) +#define SET_SD_HCXC(sd_card) ((sd_card)->sd_type |= SD_HCXC) + +#define CLR_SD_HS(sd_card) ((sd_card)->sd_type &= ~SD_HS) +#define CLR_SD_SDR50(sd_card) ((sd_card)->sd_type &= ~SD_SDR50) +#define CLR_SD_DDR50(sd_card) ((sd_card)->sd_type &= ~SD_DDR50) +#define CLR_SD_SDR104(sd_card) ((sd_card)->sd_type &= ~SD_SDR104) +#define CLR_SD_HCXC(sd_card) ((sd_card)->sd_type &= ~SD_HCXC) +#define CLR_SD30_SPEED(sd_card) \ + ((sd_card)->sd_type &= ~(SD_SDR50|SD_DDR50|SD_SDR104)) + +/* MMC card */ +#define CHK_MMC(sd_card) \ + (((sd_card)->sd_type & 0xFF) == TYPE_MMC) +#define CHK_MMC_26M(sd_card) \ + (CHK_MMC(sd_card) && ((sd_card)->sd_type & MMC_26M)) +#define CHK_MMC_52M(sd_card) \ + (CHK_MMC(sd_card) && ((sd_card)->sd_type & MMC_52M)) +#define CHK_MMC_4BIT(sd_card) \ + (CHK_MMC(sd_card) && ((sd_card)->sd_type & MMC_4BIT)) +#define CHK_MMC_8BIT(sd_card) \ + (CHK_MMC(sd_card) && ((sd_card)->sd_type & MMC_8BIT)) +#define CHK_MMC_SECTOR_MODE(sd_card)\ + (CHK_MMC(sd_card) && ((sd_card)->sd_type & MMC_SECTOR_MODE)) +#define CHK_MMC_DDR52(sd_card) \ + (CHK_MMC(sd_card) && ((sd_card)->sd_type & MMC_DDR52)) + +#define SET_MMC(sd_card) ((sd_card)->sd_type = TYPE_MMC) +#define SET_MMC_26M(sd_card) ((sd_card)->sd_type |= MMC_26M) +#define SET_MMC_52M(sd_card) ((sd_card)->sd_type |= MMC_52M) +#define SET_MMC_4BIT(sd_card) ((sd_card)->sd_type |= MMC_4BIT) +#define SET_MMC_8BIT(sd_card) ((sd_card)->sd_type |= MMC_8BIT) +#define SET_MMC_SECTOR_MODE(sd_card) ((sd_card)->sd_type |= MMC_SECTOR_MODE) +#define SET_MMC_DDR52(sd_card) ((sd_card)->sd_type |= MMC_DDR52) + +#define CLR_MMC_26M(sd_card) ((sd_card)->sd_type &= ~MMC_26M) +#define CLR_MMC_52M(sd_card) ((sd_card)->sd_type &= ~MMC_52M) +#define CLR_MMC_4BIT(sd_card) ((sd_card)->sd_type &= ~MMC_4BIT) +#define CLR_MMC_8BIT(sd_card) ((sd_card)->sd_type &= ~MMC_8BIT) +#define CLR_MMC_SECTOR_MODE(sd_card) ((sd_card)->sd_type &= ~MMC_SECTOR_MODE) +#define CLR_MMC_DDR52(sd_card) ((sd_card)->sd_type &= ~MMC_DDR52) + +#define CHK_MMC_HS(sd_card) \ + (CHK_MMC_52M(sd_card) && CHK_MMC_26M(sd_card)) +#define CLR_MMC_HS(sd_card) \ +do { \ + CLR_MMC_DDR52(sd_card); \ + CLR_MMC_52M(sd_card); \ + CLR_MMC_26M(sd_card); \ +} while (0) + +#define SD_SUPPORT_CLASS_TEN 0x01 +#define SD_SUPPORT_1V8 0x02 + +#define SD_SET_CLASS_TEN(sd_card) \ + ((sd_card)->sd_setting |= SD_SUPPORT_CLASS_TEN) +#define SD_CHK_CLASS_TEN(sd_card) \ + ((sd_card)->sd_setting & SD_SUPPORT_CLASS_TEN) +#define SD_CLR_CLASS_TEN(sd_card) \ + ((sd_card)->sd_setting &= ~SD_SUPPORT_CLASS_TEN) +#define SD_SET_1V8(sd_card) \ + ((sd_card)->sd_setting |= SD_SUPPORT_1V8) +#define SD_CHK_1V8(sd_card) \ + ((sd_card)->sd_setting & SD_SUPPORT_1V8) +#define SD_CLR_1V8(sd_card) \ + ((sd_card)->sd_setting &= ~SD_SUPPORT_1V8) +#define CLR_RETRY_SD20_MODE(sd_card) \ + ((sd_card)->retry_SD20_mode = 0) +#define SET_RETRY_SD20_MODE(sd_card) \ + ((sd_card)->retry_SD20_mode = 1) +#define CHK_RETRY_SD20_MODE(sd_card) \ + ((sd_card)->retry_SD20_mode == 1) + +struct sd_info { + u16 sd_type; + u8 err_code; + u8 sd_data_buf_ready; + u32 sd_addr; + u32 capacity; + + u8 raw_csd[16]; + u8 raw_scr[8]; + + /* Sequential RW */ + int seq_mode; + enum dma_data_direction pre_dir; + u32 pre_sec_addr; + u16 pre_sec_cnt; + + int counter; + + int sd_clock; + +#ifdef SUPPORT_CPRM + int sd_pass_thru_en; + int pre_cmd_err; + u8 last_rsp_type; + u8 rsp[17]; +#endif + + u8 func_group1_mask; + u8 func_group2_mask; + u8 func_group3_mask; + u8 func_group4_mask; + + u8 sd_switch_fail; + u8 sd_read_phase; + u8 retry_SD20_mode; /* sangdy2010-06-10 */ + u8 sd_reset_fail; /* sangdy2010-07-01 */ + u8 sd_send_status_en; + +}; + +#define MODE_512_SEQ 0x01 +#define MODE_2K_SEQ 0x02 + +#define TYPE_MS 0x0000 +#define TYPE_MSPRO 0x0001 + +#define MS_4BIT 0x0100 +#define MS_8BIT 0x0200 +#define MS_HG 0x0400 +#define MS_XC 0x0800 + +#define HG8BIT (MS_HG | MS_8BIT) + +#define CHK_MSPRO(ms_card) \ + (((ms_card)->ms_type & 0xFF) == TYPE_MSPRO) +#define CHK_HG8BIT(ms_card) \ + (CHK_MSPRO(ms_card) && (((ms_card)->ms_type & HG8BIT) == HG8BIT)) +#define CHK_MSXC(ms_card) \ + (CHK_MSPRO(ms_card) && ((ms_card)->ms_type & MS_XC)) +#define CHK_MSHG(ms_card) \ + (CHK_MSPRO(ms_card) && ((ms_card)->ms_type & MS_HG)) + +#define CHK_MS8BIT(ms_card) (((ms_card)->ms_type & MS_8BIT)) +#define CHK_MS4BIT(ms_card) (((ms_card)->ms_type & MS_4BIT)) + +struct rts51x_ms_delay_write_tag { + u16 old_phyblock; + u16 new_phyblock; + u16 logblock; + u8 pageoff; + u8 delay_write_flag; +}; + +struct ms_info { + u16 ms_type; + u8 block_shift; + u8 page_off; + u16 total_block; + u16 boot_block; + u32 capacity; + + u8 check_ms_flow; + u8 switch_8bit_fail; + u8 err_code; + + struct zone_entry *segment; + int segment_cnt; + + int pro_under_formatting; + int format_status; + u16 progress; + u8 raw_sys_info[96]; +#ifdef SUPPORT_PCGL_1P18 + u8 raw_model_name[48]; +#endif + + u8 multi_flag; + + /* Sequential RW */ + u8 seq_mode; + enum dma_data_direction pre_dir; + u32 pre_sec_addr; + u16 pre_sec_cnt; + u32 total_sec_cnt; + u8 last_rw_int; + + struct rts51x_ms_delay_write_tag delay_write; + + int counter; + + int ms_clock; + +#ifdef SUPPORT_MAGIC_GATE + u8 magic_gate_id[16]; + u8 mg_entry_num; + int mg_auth; /* flag to indicate authentication process */ +#endif +}; + +#define PRO_UNDER_FORMATTING(ms_card) \ + ((ms_card)->pro_under_formatting) +#define SET_FORMAT_STATUS(ms_card, status) \ + ((ms_card)->format_status = (status)) +#define CHK_FORMAT_STATUS(ms_card, status) \ + ((ms_card)->format_status == (status)) + +struct scsi_cmnd; + +enum CHIP_STAT { STAT_INIT, STAT_IDLE, STAT_RUN, STAT_SS_PRE, STAT_SS, + STAT_SUSPEND }; + +struct rts51x_chip { + u16 vendor_id; + u16 product_id; + char max_lun; + + struct scsi_cmnd *srb; + struct sense_data_t sense_buffer[MAX_ALLOWED_LUN_CNT]; + + int led_toggle_counter; + + int ss_counter; + int idle_counter; + int auto_delink_counter; + enum CHIP_STAT chip_stat; + + int resume_from_scsi; + + /* Card information */ + struct xd_info xd_card; + struct sd_info sd_card; + struct ms_info ms_card; + + int cur_clk; /* current card clock */ + int cur_card; /* Current card module */ + + u8 card_exist; /* card exist bit map (physical exist) */ + u8 card_ready; /* card ready bit map (reset successfully) */ + u8 card_fail; /* card reset fail bit map */ + u8 card_ejected; /* card ejected bit map */ + u8 card_wp; /* card write protected bit map */ + + u8 fake_card_ready; + /* flag to indicate whether to answer MediaChange */ + unsigned long lun_mc; + + /* card bus width */ + u8 card_bus_width[MAX_ALLOWED_LUN_CNT]; + /* card capacity */ + u32 capacity[MAX_ALLOWED_LUN_CNT]; + + /* read/write card function pointer */ + rts51x_card_rw_func rw_card[MAX_ALLOWED_LUN_CNT]; + /* read/write capacity, used for GPIO Toggle */ + u32 rw_cap[MAX_ALLOWED_LUN_CNT]; + /* card to lun mapping table */ + u8 card2lun[32]; + /* lun to card mapping table */ + u8 lun2card[MAX_ALLOWED_LUN_CNT]; + +#ifdef _MSG_TRACE + struct trace_msg_t trace_msg[TRACE_ITEM_CNT]; + int msg_idx; +#endif + + int rw_need_retry; + + /* ASIC or FPGA */ + int asic_code; + + /* QFN24 or LQFP48 */ + int package; + + /* Full Speed or High Speed */ + int usb_speed; + + /*sangdy:enable or disable UHS50 and MMC4.4 */ + int uhs50_mmc44_en; + + u8 ic_version; + + /* Command buffer */ + u8 *cmd_buf; + unsigned int cmd_idx; + /* Response buffer */ + u8 *rsp_buf; + + u16 card_status; + +#ifdef SUPPORT_OCP + u16 ocp_stat; +#endif + + struct rts51x_option option; + struct rts51x_usb *usb; + + u8 rcc_read_response; + int reset_need_retry; + u8 rts5179; +}; + +#define UHS50_EN 0x0001 +#define UHS50_DIS 0x0000 +#define SET_UHS50(chip) ((chip)->uhs50_mmc44_en = UHS50_EN) +#define CLEAR_UHS50(chip) ((chip)->uhs50_mmc44_en = UHS50_DIS) +#define CHECK_UHS50(chip) (((chip)->uhs50_mmc44_en&0xff) == UHS50_EN) + +#define RTS51X_GET_VID(chip) ((chip)->vendor_id) +#define RTS51X_GET_PID(chip) ((chip)->product_id) + +#define RTS51X_SET_STAT(chip, stat) \ +do { \ + if ((stat) != STAT_IDLE) { \ + (chip)->idle_counter = 0; \ + } \ + (chip)->chip_stat = (enum CHIP_STAT)(stat); \ +} while (0) +#define RTS51X_CHK_STAT(chip, stat) ((chip)->chip_stat == (stat)) +#define RTS51X_GET_STAT(chip) ((chip)->chip_stat) + +#define CHECK_PID(chip, pid) (RTS51X_GET_PID(chip) == (pid)) +#define CHECK_PKG(chip, pkg) ((chip)->package == (pkg)) +#define CHECK_USB(chip, speed) ((chip)->usb_speed == (speed)) + +int rts51x_reset_chip(struct rts51x_chip *chip); +int rts51x_init_chip(struct rts51x_chip *chip); +int rts51x_release_chip(struct rts51x_chip *chip); +void rts51x_polling_func(struct rts51x_chip *chip); + +static inline void rts51x_init_cmd(struct rts51x_chip *chip) +{ + chip->cmd_idx = 0; + chip->cmd_buf[0] = 'R'; + chip->cmd_buf[1] = 'T'; + chip->cmd_buf[2] = 'C'; + chip->cmd_buf[3] = 'R'; + chip->cmd_buf[PACKET_TYPE] = BATCH_CMD; +} + +void rts51x_add_cmd(struct rts51x_chip *chip, + u8 cmd_type, u16 reg_addr, u8 mask, u8 data); +int rts51x_send_cmd(struct rts51x_chip *chip, u8 flag, int timeout); +int rts51x_get_rsp(struct rts51x_chip *chip, int rsp_len, int timeout); + +static inline void rts51x_read_rsp_buf(struct rts51x_chip *chip, int offset, + u8 *buf, int buf_len) +{ + memcpy(buf, chip->rsp_buf + offset, buf_len); +} + +static inline u8 *rts51x_get_rsp_data(struct rts51x_chip *chip) +{ + return chip->rsp_buf; +} + +int rts51x_get_card_status(struct rts51x_chip *chip, u16 *status); +int rts51x_write_register(struct rts51x_chip *chip, u16 addr, u8 mask, u8 data); +int rts51x_read_register(struct rts51x_chip *chip, u16 addr, u8 *data); +int rts51x_ep0_write_register(struct rts51x_chip *chip, u16 addr, u8 mask, + u8 data); +int rts51x_ep0_read_register(struct rts51x_chip *chip, u16 addr, u8 *data); +int rts51x_seq_write_register(struct rts51x_chip *chip, u16 addr, u16 len, + u8 *data); +int rts51x_seq_read_register(struct rts51x_chip *chip, u16 addr, u16 len, + u8 *data); +int rts51x_read_ppbuf(struct rts51x_chip *chip, u8 *buf, int buf_len); +int rts51x_write_ppbuf(struct rts51x_chip *chip, u8 *buf, int buf_len); +int rts51x_write_phy_register(struct rts51x_chip *chip, u8 addr, u8 val); +int rts51x_read_phy_register(struct rts51x_chip *chip, u8 addr, u8 *val); +void rts51x_do_before_power_down(struct rts51x_chip *chip); +void rts51x_clear_hw_error(struct rts51x_chip *chip); +void rts51x_prepare_run(struct rts51x_chip *chip); +void rts51x_trace_msg(struct rts51x_chip *chip, unsigned char *buf, int clear); +void rts51x_pp_status(struct rts51x_chip *chip, unsigned int lun, u8 *status, + u8 status_len); +void rts51x_read_status(struct rts51x_chip *chip, unsigned int lun, + u8 *rts51x_status, u8 status_len); +int rts51x_transfer_data_rcc(struct rts51x_chip *chip, unsigned int pipe, + void *buf, unsigned int len, int use_sg, + unsigned int *act_len, int timeout, u8 stage_flag); + +#define RTS51X_WRITE_REG(chip, addr, mask, data) \ +do { \ + int _retval = rts51x_write_register((chip), \ + (addr), (mask), (data)); \ + if (_retval != STATUS_SUCCESS) { \ + TRACE_RET((chip), _retval); \ + } \ +} while (0) + +#define RTS51X_READ_REG(chip, addr, data) \ +do { \ + int _retval = rts51x_read_register((chip), \ + (addr), (data)); \ + if (_retval != STATUS_SUCCESS) { \ + TRACE_RET((chip), _retval); \ + } \ +} while (0) + +#endif /* __RTS51X_CHIP_H */ diff --git a/drivers/staging/rts5139/rts51x_fop.c b/drivers/staging/rts5139/rts51x_fop.c new file mode 100644 index 000000000000..cf4e675aea69 --- /dev/null +++ b/drivers/staging/rts5139/rts51x_fop.c @@ -0,0 +1,295 @@ +/* Driver for Realtek RTS51xx USB card reader + * + * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, see <http://www.gnu.org/licenses/>. + * + * Author: + * wwang (wei_wang(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + * Maintainer: + * Edwin Rong (edwin_rong(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + */ + +#include "rts51x.h" + +#ifdef SUPPORT_FILE_OP + +#include <linux/types.h> +#include <linux/stat.h> +#include <linux/kref.h> +#include <linux/slab.h> + +#include "rts51x_chip.h" +#include "rts51x_card.h" +#include "rts51x_fop.h" +#include "sd_cprm.h" + +#define RTS5139_IOC_MAGIC 0x39 + +#define RTS5139_IOC_SD_DIRECT _IOWR(RTS5139_IOC_MAGIC, 0xA0, int) +#define RTS5139_IOC_SD_GET_RSP _IOWR(RTS5139_IOC_MAGIC, 0xA1, int) + +static int rts51x_sd_direct_cmnd(struct rts51x_chip *chip, + struct sd_direct_cmnd *cmnd) +{ + int retval; + u8 dir, cmd12, standby, acmd, cmd_idx, rsp_code; + u8 *buf; + u32 arg, len; + + dir = (cmnd->cmnd[0] >> 3) & 0x03; + cmd12 = (cmnd->cmnd[0] >> 2) & 0x01; + standby = (cmnd->cmnd[0] >> 1) & 0x01; + acmd = cmnd->cmnd[0] & 0x01; + cmd_idx = cmnd->cmnd[1]; + arg = ((u32) (cmnd->cmnd[2]) << 24) | ((u32) (cmnd->cmnd[3]) << 16) | + ((u32) (cmnd->cmnd[4]) << 8) | cmnd->cmnd[5]; + len = + ((u32) (cmnd->cmnd[6]) << 16) | ((u32) (cmnd->cmnd[7]) << 8) | + cmnd->cmnd[8]; + rsp_code = cmnd->cmnd[9]; + + if (dir) { + if (!cmnd->buf || (cmnd->buf_len < len)) + TRACE_RET(chip, STATUS_FAIL); + } + + switch (dir) { + case 0: + /* No data */ + retval = ext_rts51x_sd_execute_no_data(chip, + chip->card2lun[SD_CARD], + cmd_idx, standby, acmd, + rsp_code, arg); + if (retval != TRANSPORT_GOOD) + TRACE_RET(chip, STATUS_FAIL); + break; + + case 1: + /* Read from card */ + buf = kzalloc(cmnd->buf_len, GFP_KERNEL); + if (!buf) + TRACE_RET(chip, STATUS_NOMEM); + + retval = ext_rts51x_sd_execute_read_data(chip, + chip->card2lun[SD_CARD], + cmd_idx, cmd12, standby, acmd, + rsp_code, arg, len, buf, + cmnd->buf_len, 0); + if (retval != TRANSPORT_GOOD) { + kfree(buf); + TRACE_RET(chip, STATUS_FAIL); + } + + retval = + copy_to_user(cmnd->buf, (void *)buf, cmnd->buf_len); + if (retval) { + kfree(buf); + TRACE_RET(chip, STATUS_NOMEM); + } + + kfree(buf); + break; + + case 2: + /* Write to card */ + buf = kmalloc(cmnd->buf_len, GFP_KERNEL); + if (!buf) + TRACE_RET(chip, STATUS_NOMEM); + + retval = + copy_from_user((void *)buf, cmnd->buf, + cmnd->buf_len); + if (retval) { + kfree(buf); + TRACE_RET(chip, STATUS_NOMEM); + } + + retval = + ext_rts51x_sd_execute_write_data(chip, + chip->card2lun[SD_CARD], + cmd_idx, cmd12, standby, acmd, + rsp_code, arg, len, buf, + cmnd->buf_len, 0); + if (retval != TRANSPORT_GOOD) { + kfree(buf); + TRACE_RET(chip, STATUS_FAIL); + } + + kfree(buf); + + break; + + default: + TRACE_RET(chip, STATUS_FAIL); + } + + return STATUS_SUCCESS; +} + +static int rts51x_sd_get_rsp(struct rts51x_chip *chip, struct sd_rsp *rsp) +{ + struct sd_info *sd_card = &(chip->sd_card); + int count = 0, retval; + + if (sd_card->pre_cmd_err) { + sd_card->pre_cmd_err = 0; + TRACE_RET(chip, STATUS_FAIL); + } + + if (sd_card->last_rsp_type == SD_RSP_TYPE_R0) + TRACE_RET(chip, STATUS_FAIL); + else if (sd_card->last_rsp_type == SD_RSP_TYPE_R2) + count = (rsp->rsp_len < 17) ? rsp->rsp_len : 17; + else + count = (rsp->rsp_len < 6) ? rsp->rsp_len : 6; + + retval = copy_to_user(rsp->rsp, (void *)sd_card->rsp, count); + if (retval) + TRACE_RET(chip, STATUS_NOMEM); + + RTS51X_DEBUGP("Response length: %d\n", count); + RTS51X_DEBUGP("Response: 0x%x 0x%x 0x%x 0x%x\n", + sd_card->rsp[0], sd_card->rsp[1], sd_card->rsp[2], + sd_card->rsp[3]); + + return STATUS_SUCCESS; +} + +int rts51x_open(struct inode *inode, struct file *filp) +{ + struct rts51x_chip *chip; + struct usb_interface *interface; + int subminor; + int retval = 0; + + subminor = iminor(inode); + + interface = usb_find_interface(&rts51x_driver, subminor); + if (!interface) { + RTS51X_DEBUGP("%s - error, can't find device for minor %d\n", + __func__, subminor); + retval = -ENODEV; + goto exit; + } + + chip = (struct rts51x_chip *)usb_get_intfdata(interface); + if (!chip) { + RTS51X_DEBUGP("Can't find chip\n"); + retval = -ENODEV; + goto exit; + } + + /* Increase our reference to the host */ + scsi_host_get(rts51x_to_host(chip)); + + /* lock the device pointers */ + mutex_lock(&(chip->usb->dev_mutex)); + + /* save our object in the file's private structure */ + filp->private_data = chip; + + /* unlock the device pointers */ + mutex_unlock(&chip->usb->dev_mutex); + +exit: + return retval; +} + +int rts51x_release(struct inode *inode, struct file *filp) +{ + struct rts51x_chip *chip; + + chip = (struct rts51x_chip *)filp->private_data; + if (chip == NULL) + return -ENODEV; + + /* Drop our reference to the host; the SCSI core will free it + * (and "chip" along with it) when the refcount becomes 0. */ + scsi_host_put(rts51x_to_host(chip)); + + return 0; +} + +ssize_t rts51x_read(struct file *filp, char __user *buf, size_t count, + loff_t *f_pos) +{ + return 0; +} + +ssize_t rts51x_write(struct file *filp, const char __user *buf, size_t count, + loff_t *f_pos) +{ + return 0; +} + +long rts51x_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) +{ + struct rts51x_chip *chip; + struct sd_direct_cmnd cmnd; + struct sd_rsp rsp; + int retval = 0; + + chip = (struct rts51x_chip *)filp->private_data; + if (chip == NULL) + return -ENODEV; + + /* lock the device pointers */ + mutex_lock(&(chip->usb->dev_mutex)); + + switch (cmd) { + case RTS5139_IOC_SD_DIRECT: + retval = + copy_from_user((void *)&cmnd, (void __user *)arg, + sizeof(struct sd_direct_cmnd)); + if (retval) { + retval = -ENOMEM; + TRACE_GOTO(chip, exit); + } + retval = rts51x_sd_direct_cmnd(chip, &cmnd); + if (retval != STATUS_SUCCESS) { + retval = -EIO; + TRACE_GOTO(chip, exit); + } + break; + + case RTS5139_IOC_SD_GET_RSP: + retval = + copy_from_user(&rsp, (void __user *)arg, + sizeof(struct sd_rsp)); + if (retval) { + retval = -ENOMEM; + TRACE_GOTO(chip, exit); + } + retval = rts51x_sd_get_rsp(chip, &rsp); + if (retval != STATUS_SUCCESS) { + retval = -EIO; + TRACE_GOTO(chip, exit); + } + break; + + default: + break; + } + +exit: + /* unlock the device pointers */ + mutex_unlock(&chip->usb->dev_mutex); + + return retval; +} + +#endif diff --git a/drivers/staging/rts5139/rts51x_fop.h b/drivers/staging/rts5139/rts51x_fop.h new file mode 100644 index 000000000000..c691ee99720e --- /dev/null +++ b/drivers/staging/rts5139/rts51x_fop.h @@ -0,0 +1,57 @@ +/* Driver for Realtek RTS51xx USB card reader + * + * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, see <http://www.gnu.org/licenses/>. + * + * Author: + * wwang (wei_wang(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + * Maintainer: + * Edwin Rong (edwin_rong(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + */ + +#ifndef __RTS51X_FOP_H +#define __RTS51X_FOP_H + +#include "rts51x.h" + +#ifdef SUPPORT_FILE_OP + +#include <linux/fs.h> +#include <linux/types.h> + +struct sd_direct_cmnd { + u8 cmnd[12]; + void __user *buf; + int buf_len; +}; + +struct sd_rsp { + void __user *rsp; + int rsp_len; +}; + +int rts51x_open(struct inode *inode, struct file *filp); +int rts51x_release(struct inode *inode, struct file *filp); +ssize_t rts51x_read(struct file *filp, char __user *buf, size_t count, + loff_t *f_pos); +ssize_t rts51x_write(struct file *filp, const char __user *buf, size_t count, + loff_t *f_pos); +long rts51x_ioctl(struct file *filp, unsigned int cmd, unsigned long arg); + +#endif + +#endif /* __RTS51X_FOP_H */ diff --git a/drivers/staging/rts5139/rts51x_scsi.c b/drivers/staging/rts5139/rts51x_scsi.c new file mode 100644 index 000000000000..75282fea38f7 --- /dev/null +++ b/drivers/staging/rts5139/rts51x_scsi.c @@ -0,0 +1,2135 @@ +/* Driver for Realtek RTS51xx USB card reader + * + * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, see <http://www.gnu.org/licenses/>. + * + * Author: + * wwang (wei_wang(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + * Maintainer: + * Edwin Rong (edwin_rong(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + */ + +#include <linux/blkdev.h> +#include <linux/kthread.h> +#include <linux/sched.h> +#include <linux/slab.h> +#include <linux/vmalloc.h> +#include <linux/export.h> + +#include <scsi/scsi.h> +#include <scsi/scsi_eh.h> +#include <scsi/scsi_device.h> + +#include "debug.h" +#include "rts51x.h" +#include "rts51x_chip.h" +#include "rts51x_scsi.h" +#include "rts51x_card.h" +#include "rts51x_transport.h" +#include "sd_cprm.h" +#include "ms_mg.h" +#include "trace.h" + +void rts51x_scsi_show_command(struct scsi_cmnd *srb) +{ + char *what = NULL; + int i, unknown_cmd = 0; + + switch (srb->cmnd[0]) { + case TEST_UNIT_READY: + what = (char *)"TEST_UNIT_READY"; + break; + case REZERO_UNIT: + what = (char *)"REZERO_UNIT"; + break; + case REQUEST_SENSE: + what = (char *)"REQUEST_SENSE"; + break; + case FORMAT_UNIT: + what = (char *)"FORMAT_UNIT"; + break; + case READ_BLOCK_LIMITS: + what = (char *)"READ_BLOCK_LIMITS"; + break; + case 0x07: + what = (char *)"REASSIGN_BLOCKS"; + break; + case READ_6: + what = (char *)"READ_6"; + break; + case WRITE_6: + what = (char *)"WRITE_6"; + break; + case SEEK_6: + what = (char *)"SEEK_6"; + break; + case READ_REVERSE: + what = (char *)"READ_REVERSE"; + break; + case WRITE_FILEMARKS: + what = (char *)"WRITE_FILEMARKS"; + break; + case SPACE: + what = (char *)"SPACE"; + break; + case INQUIRY: + what = (char *)"INQUIRY"; + break; + case RECOVER_BUFFERED_DATA: + what = (char *)"RECOVER_BUFFERED_DATA"; + break; + case MODE_SELECT: + what = (char *)"MODE_SELECT"; + break; + case RESERVE: + what = (char *)"RESERVE"; + break; + case RELEASE: + what = (char *)"RELEASE"; + break; + case COPY: + what = (char *)"COPY"; + break; + case ERASE: + what = (char *)"ERASE"; + break; + case MODE_SENSE: + what = (char *)"MODE_SENSE"; + break; + case START_STOP: + what = (char *)"START_STOP"; + break; + case RECEIVE_DIAGNOSTIC: + what = (char *)"RECEIVE_DIAGNOSTIC"; + break; + case SEND_DIAGNOSTIC: + what = (char *)"SEND_DIAGNOSTIC"; + break; + case ALLOW_MEDIUM_REMOVAL: + what = (char *)"ALLOW_MEDIUM_REMOVAL"; + break; + case SET_WINDOW: + what = (char *)"SET_WINDOW"; + break; + case READ_CAPACITY: + what = (char *)"READ_CAPACITY"; + break; + case READ_10: + what = (char *)"READ_10"; + break; + case WRITE_10: + what = (char *)"WRITE_10"; + break; + case SEEK_10: + what = (char *)"SEEK_10"; + break; + case WRITE_VERIFY: + what = (char *)"WRITE_VERIFY"; + break; + case VERIFY: + what = (char *)"VERIFY"; + break; + case SEARCH_HIGH: + what = (char *)"SEARCH_HIGH"; + break; + case SEARCH_EQUAL: + what = (char *)"SEARCH_EQUAL"; + break; + case SEARCH_LOW: + what = (char *)"SEARCH_LOW"; + break; + case SET_LIMITS: + what = (char *)"SET_LIMITS"; + break; + case READ_POSITION: + what = (char *)"READ_POSITION"; + break; + case SYNCHRONIZE_CACHE: + what = (char *)"SYNCHRONIZE_CACHE"; + break; + case LOCK_UNLOCK_CACHE: + what = (char *)"LOCK_UNLOCK_CACHE"; + break; + case READ_DEFECT_DATA: + what = (char *)"READ_DEFECT_DATA"; + break; + case MEDIUM_SCAN: + what = (char *)"MEDIUM_SCAN"; + break; + case COMPARE: + what = (char *)"COMPARE"; + break; + case COPY_VERIFY: + what = (char *)"COPY_VERIFY"; + break; + case WRITE_BUFFER: + what = (char *)"WRITE_BUFFER"; + break; + case READ_BUFFER: + what = (char *)"READ_BUFFER"; + break; + case UPDATE_BLOCK: + what = (char *)"UPDATE_BLOCK"; + break; + case READ_LONG: + what = (char *)"READ_LONG"; + break; + case WRITE_LONG: + what = (char *)"WRITE_LONG"; + break; + case CHANGE_DEFINITION: + what = (char *)"CHANGE_DEFINITION"; + break; + case WRITE_SAME: + what = (char *)"WRITE_SAME"; + break; + case GPCMD_READ_SUBCHANNEL: + what = (char *)"READ SUBCHANNEL"; + break; + case READ_TOC: + what = (char *)"READ_TOC"; + break; + case GPCMD_READ_HEADER: + what = (char *)"READ HEADER"; + break; + case GPCMD_PLAY_AUDIO_10: + what = (char *)"PLAY AUDIO (10)"; + break; + case GPCMD_PLAY_AUDIO_MSF: + what = (char *)"PLAY AUDIO MSF"; + break; + case GPCMD_GET_EVENT_STATUS_NOTIFICATION: + what = (char *)"GET EVENT/STATUS NOTIFICATION"; + break; + case GPCMD_PAUSE_RESUME: + what = (char *)"PAUSE/RESUME"; + break; + case LOG_SELECT: + what = (char *)"LOG_SELECT"; + break; + case LOG_SENSE: + what = (char *)"LOG_SENSE"; + break; + case GPCMD_STOP_PLAY_SCAN: + what = (char *)"STOP PLAY/SCAN"; + break; + case GPCMD_READ_DISC_INFO: + what = (char *)"READ DISC INFORMATION"; + break; + case GPCMD_READ_TRACK_RZONE_INFO: + what = (char *)"READ TRACK INFORMATION"; + break; + case GPCMD_RESERVE_RZONE_TRACK: + what = (char *)"RESERVE TRACK"; + break; + case GPCMD_SEND_OPC: + what = (char *)"SEND OPC"; + break; + case MODE_SELECT_10: + what = (char *)"MODE_SELECT_10"; + break; + case GPCMD_REPAIR_RZONE_TRACK: + what = (char *)"REPAIR TRACK"; + break; + case 0x59: + what = (char *)"READ MASTER CUE"; + break; + case MODE_SENSE_10: + what = (char *)"MODE_SENSE_10"; + break; + case GPCMD_CLOSE_TRACK: + what = (char *)"CLOSE TRACK/SESSION"; + break; + case 0x5C: + what = (char *)"READ BUFFER CAPACITY"; + break; + case 0x5D: + what = (char *)"SEND CUE SHEET"; + break; + case GPCMD_BLANK: + what = (char *)"BLANK"; + break; + case REPORT_LUNS: + what = (char *)"REPORT LUNS"; + break; + case MOVE_MEDIUM: + what = (char *)"MOVE_MEDIUM or PLAY AUDIO (12)"; + break; + case READ_12: + what = (char *)"READ_12"; + break; + case WRITE_12: + what = (char *)"WRITE_12"; + break; + case WRITE_VERIFY_12: + what = (char *)"WRITE_VERIFY_12"; + break; + case SEARCH_HIGH_12: + what = (char *)"SEARCH_HIGH_12"; + break; + case SEARCH_EQUAL_12: + what = (char *)"SEARCH_EQUAL_12"; + break; + case SEARCH_LOW_12: + what = (char *)"SEARCH_LOW_12"; + break; + case SEND_VOLUME_TAG: + what = (char *)"SEND_VOLUME_TAG"; + break; + case READ_ELEMENT_STATUS: + what = (char *)"READ_ELEMENT_STATUS"; + break; + case GPCMD_READ_CD_MSF: + what = (char *)"READ CD MSF"; + break; + case GPCMD_SCAN: + what = (char *)"SCAN"; + break; + case GPCMD_SET_SPEED: + what = (char *)"SET CD SPEED"; + break; + case GPCMD_MECHANISM_STATUS: + what = (char *)"MECHANISM STATUS"; + break; + case GPCMD_READ_CD: + what = (char *)"READ CD"; + break; + case 0xE1: + what = (char *)"WRITE CONTINUE"; + break; + case WRITE_LONG_2: + what = (char *)"WRITE_LONG_2"; + break; + case VENDOR_CMND: + what = (char *)"Realtek's vendor command"; + break; + default: + what = (char *)"(unknown command)"; + unknown_cmd = 1; + break; + } + + if (srb->cmnd[0] != TEST_UNIT_READY) + RTS51X_DEBUGP("Command %s (%d bytes)\n", what, srb->cmd_len); + if (unknown_cmd) { + RTS51X_DEBUGP(""); + for (i = 0; i < srb->cmd_len && i < 16; i++) + RTS51X_DEBUGPN(" %02x", srb->cmnd[i]); + RTS51X_DEBUGPN("\n"); + } +} + +void rts51x_set_sense_type(struct rts51x_chip *chip, unsigned int lun, int sense_type) +{ + switch (sense_type) { + case SENSE_TYPE_MEDIA_CHANGE: + rts51x_set_sense_data(chip, lun, CUR_ERR, 0x06, 0, 0x28, 0, 0, 0); + break; + + case SENSE_TYPE_MEDIA_NOT_PRESENT: + rts51x_set_sense_data(chip, lun, CUR_ERR, 0x02, 0, 0x3A, 0, 0, 0); + break; + + case SENSE_TYPE_MEDIA_LBA_OVER_RANGE: + rts51x_set_sense_data(chip, lun, CUR_ERR, 0x05, 0, 0x21, 0, 0, 0); + break; + + case SENSE_TYPE_MEDIA_LUN_NOT_SUPPORT: + rts51x_set_sense_data(chip, lun, CUR_ERR, 0x05, 0, 0x25, 0, 0, 0); + break; + + case SENSE_TYPE_MEDIA_WRITE_PROTECT: + rts51x_set_sense_data(chip, lun, CUR_ERR, 0x07, 0, 0x27, 0, 0, 0); + break; + + case SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR: + rts51x_set_sense_data(chip, lun, CUR_ERR, 0x03, 0, 0x11, 0, 0, 0); + break; + + case SENSE_TYPE_MEDIA_WRITE_ERR: + rts51x_set_sense_data(chip, lun, CUR_ERR, 0x03, 0, 0x0C, 0x02, 0, 0); + break; + + case SENSE_TYPE_MEDIA_INVALID_CMD_FIELD: + rts51x_set_sense_data(chip, lun, CUR_ERR, ILGAL_REQ, 0, + ASC_INVLD_CDB, ASCQ_INVLD_CDB, CDB_ILLEGAL, 1); + break; + + case SENSE_TYPE_FORMAT_CMD_FAILED: + rts51x_set_sense_data(chip, lun, CUR_ERR, 0x03, 0, 0x31, 0x01, 0, 0); + break; + +#ifdef SUPPORT_MAGIC_GATE + case SENSE_TYPE_MG_KEY_FAIL_NOT_ESTAB: + rts51x_set_sense_data(chip, lun, CUR_ERR, 0x05, 0, 0x6F, 0x02, 0, 0); + break; + + case SENSE_TYPE_MG_KEY_FAIL_NOT_AUTHEN: + rts51x_set_sense_data(chip, lun, CUR_ERR, 0x05, 0, 0x6F, 0x00, 0, 0); + break; + + case SENSE_TYPE_MG_INCOMPATIBLE_MEDIUM: + rts51x_set_sense_data(chip, lun, CUR_ERR, 0x02, 0, 0x30, 0x00, 0, 0); + break; + + case SENSE_TYPE_MG_WRITE_ERR: + rts51x_set_sense_data(chip, lun, CUR_ERR, 0x03, 0, 0x0C, 0x00, 0, 0); + break; +#endif + + case SENSE_TYPE_NO_SENSE: + default: + rts51x_set_sense_data(chip, lun, CUR_ERR, 0, 0, 0, 0, 0, 0); + break; + } +} + +void rts51x_set_sense_data(struct rts51x_chip *chip, unsigned int lun, u8 err_code, + u8 sense_key, u32 info, u8 asc, u8 ascq, u8 sns_key_info0, + u16 sns_key_info1) +{ + struct sense_data_t *sense = &(chip->sense_buffer[lun]); + + sense->err_code = err_code; + sense->sense_key = sense_key; + sense->info[0] = (u8) (info >> 24); + sense->info[1] = (u8) (info >> 16); + sense->info[2] = (u8) (info >> 8); + sense->info[3] = (u8) info; + + sense->ad_sense_len = sizeof(struct sense_data_t) - 8; + sense->asc = asc; + sense->ascq = ascq; + if (sns_key_info0 != 0) { + sense->sns_key_info[0] = SKSV | sns_key_info0; + sense->sns_key_info[1] = (sns_key_info1 & 0xf0) >> 8; + sense->sns_key_info[2] = sns_key_info1 & 0x0f; + } +} + +static int test_unit_ready(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + unsigned int lun = SCSI_LUN(srb); + + rts51x_init_cards(chip); + + if (!check_card_ready(chip, lun)) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT); + return TRANSPORT_FAILED; + } + + if (!check_lun_mc(chip, lun)) { + set_lun_mc(chip, lun); + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_CHANGE); + return TRANSPORT_FAILED; + } + + return TRANSPORT_GOOD; +} + +static unsigned char formatter_inquiry_str[20] = { + 'M', 'E', 'M', 'O', 'R', 'Y', 'S', 'T', 'I', 'C', 'K', + '-', 'M', 'G', /* Byte[47:49] */ + 0x0B, /* Byte[50]: MG, MS, MSPro, MSXC */ + 0x00, /* Byte[51]: Category Specific Commands */ + 0x00, /* Byte[52]: Access Control and feature */ + 0x20, 0x20, 0x20, /* Byte[53:55] */ +}; + +static int inquiry(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + unsigned int lun = SCSI_LUN(srb); + char *inquiry_default = (char *)"Generic-xD/SD/M.S. 1.00 "; + char *inquiry_string; + unsigned char sendbytes; + unsigned char *buf; + u8 card = rts51x_get_lun_card(chip, lun); + int pro_formatter_flag = 0; + unsigned char inquiry_buf[] = { + QULIFIRE | DRCT_ACCESS_DEV, + RMB_DISC | 0x0D, + 0x00, + 0x01, + 0x1f, + 0x02, + 0, + REL_ADR | WBUS_32 | WBUS_16 | SYNC | LINKED | CMD_QUE | SFT_RE, + }; + + inquiry_string = inquiry_default; + + buf = vmalloc(scsi_bufflen(srb)); + if (buf == NULL) + TRACE_RET(chip, TRANSPORT_ERROR); + + if (MS_FORMATTER_ENABLED(chip) && (get_lun2card(chip, lun) & MS_CARD)) { + if (!card || (card == MS_CARD)) + pro_formatter_flag = 1; + } + + if (pro_formatter_flag) { + if (scsi_bufflen(srb) < 56) + sendbytes = (unsigned char)(scsi_bufflen(srb)); + else + sendbytes = 56; + } else { + if (scsi_bufflen(srb) < 36) + sendbytes = (unsigned char)(scsi_bufflen(srb)); + else + sendbytes = 36; + } + + if (sendbytes > 8) { + memcpy(buf, inquiry_buf, 8); + memcpy(buf + 8, inquiry_string, sendbytes - 8); + if (pro_formatter_flag) + buf[4] = 0x33; /* Additional Length */ + } else { + memcpy(buf, inquiry_buf, sendbytes); + } + + if (pro_formatter_flag) { + if (sendbytes > 36) + memcpy(buf + 36, formatter_inquiry_str, sendbytes - 36); + } + + scsi_set_resid(srb, 0); + + rts51x_set_xfer_buf(buf, scsi_bufflen(srb), srb); + vfree(buf); + + return TRANSPORT_GOOD; +} + +static int start_stop_unit(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + unsigned int lun = SCSI_LUN(srb); + + scsi_set_resid(srb, scsi_bufflen(srb)); + + if (srb->cmnd[1] == 1) + return TRANSPORT_GOOD; + + switch (srb->cmnd[0x4]) { + case STOP_MEDIUM: + /* Media disabled */ + return TRANSPORT_GOOD; + + case UNLOAD_MEDIUM: + /* Media shall be unload */ + if (check_card_ready(chip, lun)) + rts51x_eject_card(chip, lun); + return TRANSPORT_GOOD; + + case MAKE_MEDIUM_READY: + case LOAD_MEDIUM: + if (check_card_ready(chip, lun)) { + return TRANSPORT_GOOD; + } else { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + break; + } + + TRACE_RET(chip, TRANSPORT_ERROR); +} + +static int allow_medium_removal(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + int prevent; + + prevent = srb->cmnd[4] & 0x1; + + scsi_set_resid(srb, 0); + + if (prevent) { + rts51x_set_sense_type(chip, SCSI_LUN(srb), + SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + return TRANSPORT_GOOD; +} + +static void ms_mode_sense(struct rts51x_chip *chip, u8 cmd, + int lun, u8 *buf, int buf_len) +{ + struct ms_info *ms_card = &(chip->ms_card); + int sys_info_offset; + int data_size = buf_len; + int support_format = 0; + int i = 0; + + if (cmd == MODE_SENSE) { + sys_info_offset = 8; + if (data_size > 0x68) + data_size = 0x68; + buf[i++] = 0x67; /* Mode Data Length */ + } else { + sys_info_offset = 12; + if (data_size > 0x6C) + data_size = 0x6C; + buf[i++] = 0x00; /* Mode Data Length (MSB) */ + buf[i++] = 0x6A; /* Mode Data Length (LSB) */ + } + + /* Medium Type Code */ + if (check_card_ready(chip, lun)) { + if (CHK_MSXC(ms_card)) { + support_format = 1; + buf[i++] = 0x40; + } else if (CHK_MSPRO(ms_card)) { + support_format = 1; + buf[i++] = 0x20; + } else { + buf[i++] = 0x10; + } + + /* WP */ + if (check_card_wp(chip, lun)) + buf[i++] = 0x80; + else + buf[i++] = 0x00; + } else { + buf[i++] = 0x00; /* MediaType */ + buf[i++] = 0x00; /* WP */ + } + + buf[i++] = 0x00; /* Reserved */ + + if (cmd == MODE_SENSE_10) { + buf[i++] = 0x00; /* Reserved */ + buf[i++] = 0x00; /* Block descriptor length(MSB) */ + buf[i++] = 0x00; /* Block descriptor length(LSB) */ + + /* The Following Data is the content of "Page 0x20" */ + if (data_size >= 9) + buf[i++] = 0x20; /* Page Code */ + if (data_size >= 10) + buf[i++] = 0x62; /* Page Length */ + if (data_size >= 11) + buf[i++] = 0x00; /* No Access Control */ + if (data_size >= 12) { + if (support_format) + buf[i++] = 0xC0; /* SF, SGM */ + else + buf[i++] = 0x00; + } + } else { + /* The Following Data is the content of "Page 0x20" */ + if (data_size >= 5) + buf[i++] = 0x20; /* Page Code */ + if (data_size >= 6) + buf[i++] = 0x62; /* Page Length */ + if (data_size >= 7) + buf[i++] = 0x00; /* No Access Control */ + if (data_size >= 8) { + if (support_format) + buf[i++] = 0xC0; /* SF, SGM */ + else + buf[i++] = 0x00; + } + } + + if (data_size > sys_info_offset) { + /* 96 Bytes Attribute Data */ + int len = data_size - sys_info_offset; + len = (len < 96) ? len : 96; + + memcpy(buf + sys_info_offset, ms_card->raw_sys_info, len); + } +} + +static int mode_sense(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + unsigned int lun = SCSI_LUN(srb); + unsigned int dataSize; + int status; + int pro_formatter_flag; + unsigned char pageCode, *buf; + u8 card = rts51x_get_lun_card(chip, lun); + + if (!check_card_ready(chip, lun)) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT); + scsi_set_resid(srb, scsi_bufflen(srb)); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + pro_formatter_flag = 0; + dataSize = 8; + /* In Combo mode, device responses ModeSense command as a MS LUN + * when no card is inserted */ + if ((get_lun2card(chip, lun) & MS_CARD)) { + if (!card || (card == MS_CARD)) { + dataSize = 108; + if (chip->option.rts51x_mspro_formatter_enable) + pro_formatter_flag = 1; + } + } + + buf = kmalloc(dataSize, GFP_KERNEL); + if (buf == NULL) + TRACE_RET(chip, TRANSPORT_ERROR); + + pageCode = srb->cmnd[2] & 0x3f; + + if ((pageCode == 0x3F) || (pageCode == 0x1C) || + (pageCode == 0x00) || (pro_formatter_flag && (pageCode == 0x20))) { + if (srb->cmnd[0] == MODE_SENSE) { + if ((pageCode == 0x3F) || (pageCode == 0x20)) { + ms_mode_sense(chip, srb->cmnd[0], lun, buf, + dataSize); + } else { + dataSize = 4; + buf[0] = 0x03; + buf[1] = 0x00; + if (check_card_wp(chip, lun)) + buf[2] = 0x80; + else + buf[3] = 0x00; + } + } else { + if ((pageCode == 0x3F) || (pageCode == 0x20)) { + ms_mode_sense(chip, srb->cmnd[0], lun, buf, + dataSize); + } else { + dataSize = 8; + buf[0] = 0x00; + buf[1] = 0x06; + buf[2] = 0x00; + if (check_card_wp(chip, lun)) + buf[3] = 0x80; + else + buf[3] = 0x00; + buf[4] = 0x00; + buf[5] = 0x00; + buf[6] = 0x00; + buf[7] = 0x00; + } + } + status = TRANSPORT_GOOD; + } else { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + scsi_set_resid(srb, scsi_bufflen(srb)); + status = TRANSPORT_FAILED; + } + + if (status == TRANSPORT_GOOD) { + unsigned int len = min(scsi_bufflen(srb), dataSize); + rts51x_set_xfer_buf(buf, len, srb); + scsi_set_resid(srb, scsi_bufflen(srb) - len); + } + kfree(buf); + + return status; +} + +static int request_sense(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + struct sense_data_t *sense; + unsigned int lun = SCSI_LUN(srb); + struct ms_info *ms_card = &(chip->ms_card); + unsigned char *tmp, *buf; + + sense = &(chip->sense_buffer[lun]); + + if ((rts51x_get_lun_card(chip, lun) == MS_CARD) + && PRO_UNDER_FORMATTING(ms_card)) { + rts51x_mspro_format_sense(chip, lun); + } + + buf = vmalloc(scsi_bufflen(srb)); + if (buf == NULL) + TRACE_RET(chip, TRANSPORT_ERROR); + + tmp = (unsigned char *)sense; + memcpy(buf, tmp, scsi_bufflen(srb)); + + rts51x_set_xfer_buf(buf, scsi_bufflen(srb), srb); + vfree(buf); + + scsi_set_resid(srb, 0); + /* Reset Sense Data */ + rts51x_set_sense_type(chip, lun, SENSE_TYPE_NO_SENSE); + return TRANSPORT_GOOD; +} + +static int read_write(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + unsigned int lun = SCSI_LUN(srb); + int retval; + u32 start_sec; + u16 sec_cnt; + + if (!check_card_ready(chip, lun) || (chip->capacity[lun] == 0)) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + if (!check_lun_mc(chip, lun)) { + set_lun_mc(chip, lun); + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_CHANGE); + return TRANSPORT_FAILED; + } + + rts51x_prepare_run(chip); + RTS51X_SET_STAT(chip, STAT_RUN); + + if ((srb->cmnd[0] == READ_10) || (srb->cmnd[0] == WRITE_10)) { + start_sec = + ((u32) srb->cmnd[2] << 24) | + ((u32) srb->cmnd[3] << 16) | + ((u32) srb->cmnd[4] << 8) | + ((u32) srb->cmnd[5]); + sec_cnt = ((u16) (srb->cmnd[7]) << 8) | srb->cmnd[8]; + } else if ((srb->cmnd[0] == READ_6) || (srb->cmnd[0] == WRITE_6)) { + start_sec = ((u32) (srb->cmnd[1] & 0x1F) << 16) | + ((u32) srb->cmnd[2] << 8) | ((u32) srb->cmnd[3]); + sec_cnt = srb->cmnd[4]; + } else if ((srb->cmnd[0] == VENDOR_CMND) && + (srb->cmnd[1] == SCSI_APP_CMD) && + ((srb->cmnd[2] == PP_READ10) || + (srb->cmnd[2] == PP_WRITE10))) { + start_sec = ((u32) srb->cmnd[4] << 24) | + ((u32) srb->cmnd[5] << 16) | + ((u32) srb->cmnd[6] << 8) | + ((u32) srb->cmnd[7]); + sec_cnt = ((u16) (srb->cmnd[9]) << 8) | srb->cmnd[10]; + } else { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + if ((start_sec > chip->capacity[lun]) || + ((start_sec + sec_cnt) > chip->capacity[lun])) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_LBA_OVER_RANGE); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + if (sec_cnt == 0) { + scsi_set_resid(srb, 0); + return TRANSPORT_GOOD; + } + + if ((srb->sc_data_direction == DMA_TO_DEVICE) + && check_card_wp(chip, lun)) { + RTS51X_DEBUGP("Write protected card!\n"); + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_WRITE_PROTECT); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + retval = rts51x_card_rw(srb, chip, start_sec, sec_cnt); + if (retval != STATUS_SUCCESS) { + if (srb->sc_data_direction == DMA_FROM_DEVICE) { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR); + } else { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_WRITE_ERR); + } + TRACE_RET(chip, TRANSPORT_FAILED); + } + + scsi_set_resid(srb, 0); + + return TRANSPORT_GOOD; +} + +static int read_format_capacity(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + unsigned char *buf; + unsigned int lun = SCSI_LUN(srb); + unsigned int buf_len; + u8 card = rts51x_get_lun_card(chip, lun); + int desc_cnt; + int i = 0; + + if (!check_card_ready(chip, lun)) { + if (!chip->option.rts51x_mspro_formatter_enable) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT); + TRACE_RET(chip, TRANSPORT_FAILED); + } + } + + buf_len = (scsi_bufflen(srb) > 12) ? 0x14 : 12; + + buf = kmalloc(buf_len, GFP_KERNEL); + if (buf == NULL) + TRACE_RET(chip, TRANSPORT_ERROR); + + buf[i++] = 0; + buf[i++] = 0; + buf[i++] = 0; + + /* Capacity List Length */ + if ((buf_len > 12) && chip->option.rts51x_mspro_formatter_enable && + (chip->lun2card[lun] & MS_CARD) && (!card || (card == MS_CARD))) { + buf[i++] = 0x10; + desc_cnt = 2; + } else { + buf[i++] = 0x08; + desc_cnt = 1; + } + + while (desc_cnt) { + if (check_card_ready(chip, lun)) { + buf[i++] = (unsigned char)((chip->capacity[lun]) >> 24); + buf[i++] = (unsigned char)((chip->capacity[lun]) >> 16); + buf[i++] = (unsigned char)((chip->capacity[lun]) >> 8); + buf[i++] = (unsigned char)(chip->capacity[lun]); + + if (desc_cnt == 2) + /* Byte[8]: Descriptor Type: Formatted medium */ + buf[i++] = 2; + else + buf[i++] = 0; /* Byte[16] */ + } else { + buf[i++] = 0xFF; + buf[i++] = 0xFF; + buf[i++] = 0xFF; + buf[i++] = 0xFF; + + if (desc_cnt == 2) + /* Byte[8]: Descriptor Type: No medium */ + buf[i++] = 3; + else + buf[i++] = 0; /*Byte[16] */ + } + + buf[i++] = 0x00; + buf[i++] = 0x02; + buf[i++] = 0x00; + + desc_cnt--; + } + + buf_len = min(scsi_bufflen(srb), buf_len); + rts51x_set_xfer_buf(buf, buf_len, srb); + kfree(buf); + + scsi_set_resid(srb, scsi_bufflen(srb) - buf_len); + + return TRANSPORT_GOOD; +} + +static int read_capacity(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + unsigned char *buf; + unsigned int lun = SCSI_LUN(srb); + + if (!check_card_ready(chip, lun)) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + if (!check_lun_mc(chip, lun)) { + set_lun_mc(chip, lun); + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_CHANGE); + return TRANSPORT_FAILED; + } + + buf = kmalloc(8, GFP_KERNEL); + if (buf == NULL) + TRACE_RET(chip, TRANSPORT_ERROR); + + buf[0] = (unsigned char)((chip->capacity[lun] - 1) >> 24); + buf[1] = (unsigned char)((chip->capacity[lun] - 1) >> 16); + buf[2] = (unsigned char)((chip->capacity[lun] - 1) >> 8); + buf[3] = (unsigned char)(chip->capacity[lun] - 1); + + buf[4] = 0x00; + buf[5] = 0x00; + buf[6] = 0x02; + buf[7] = 0x00; + + rts51x_set_xfer_buf(buf, scsi_bufflen(srb), srb); + kfree(buf); + + scsi_set_resid(srb, 0); + + return TRANSPORT_GOOD; +} + +static int get_dev_status(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + unsigned int lun = SCSI_LUN(srb); + unsigned int buf_len; + u8 status[32] = { 0 }; + + rts51x_pp_status(chip, lun, status, 32); + + buf_len = min_t(unsigned int, scsi_bufflen(srb), sizeof(status)); + rts51x_set_xfer_buf(status, buf_len, srb); + scsi_set_resid(srb, scsi_bufflen(srb) - buf_len); + + return TRANSPORT_GOOD; +} + +static int read_status(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + u8 rts51x_status[16]; + unsigned int buf_len; + unsigned int lun = SCSI_LUN(srb); + + rts51x_read_status(chip, lun, rts51x_status, 16); + + buf_len = min_t(unsigned int, scsi_bufflen(srb), sizeof(rts51x_status)); + rts51x_set_xfer_buf(rts51x_status, buf_len, srb); + scsi_set_resid(srb, scsi_bufflen(srb) - buf_len); + + return TRANSPORT_GOOD; +} + +static int read_mem(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + unsigned int lun = SCSI_LUN(srb); + unsigned short addr, len, i; + int retval; + u8 *buf; + + rts51x_prepare_run(chip); + RTS51X_SET_STAT(chip, STAT_RUN); + + addr = ((u16) srb->cmnd[2] << 8) | srb->cmnd[3]; + len = ((u16) srb->cmnd[4] << 8) | srb->cmnd[5]; + + if (addr < 0xe000) { + RTS51X_DEBUGP("filter!addr=0x%x\n", addr); + return TRANSPORT_GOOD; + } + + buf = vmalloc(len); + if (!buf) + TRACE_RET(chip, TRANSPORT_ERROR); + + for (i = 0; i < len; i++) { + retval = rts51x_ep0_read_register(chip, addr + i, buf + i); + if (retval != STATUS_SUCCESS) { + vfree(buf); + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR); + TRACE_RET(chip, TRANSPORT_FAILED); + } + } + + len = (unsigned short)min(scsi_bufflen(srb), (unsigned int)len); + rts51x_set_xfer_buf(buf, len, srb); + scsi_set_resid(srb, scsi_bufflen(srb) - len); + + vfree(buf); + + return TRANSPORT_GOOD; +} + +static int write_mem(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + unsigned int lun = SCSI_LUN(srb); + unsigned short addr, len, i; + int retval; + u8 *buf; + + rts51x_prepare_run(chip); + RTS51X_SET_STAT(chip, STAT_RUN); + + addr = ((u16) srb->cmnd[2] << 8) | srb->cmnd[3]; + len = ((u16) srb->cmnd[4] << 8) | srb->cmnd[5]; + + if (addr < 0xe000) { + RTS51X_DEBUGP("filter!addr=0x%x\n", addr); + return TRANSPORT_GOOD; + } + + len = (unsigned short)min(scsi_bufflen(srb), (unsigned int)len); + buf = vmalloc(len); + if (!buf) + TRACE_RET(chip, TRANSPORT_ERROR); + + rts51x_get_xfer_buf(buf, len, srb); + + for (i = 0; i < len; i++) { + retval = + rts51x_ep0_write_register(chip, addr + i, 0xFF, buf[i]); + if (retval != STATUS_SUCCESS) { + vfree(buf); + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_WRITE_ERR); + TRACE_RET(chip, TRANSPORT_FAILED); + } + } + + vfree(buf); + scsi_set_resid(srb, scsi_bufflen(srb) - len); + + return TRANSPORT_GOOD; +} + +static int get_sd_csd(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + struct sd_info *sd_card = &(chip->sd_card); + unsigned int lun = SCSI_LUN(srb); + + if (!check_card_ready(chip, lun)) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + if (rts51x_get_lun_card(chip, lun) != SD_CARD) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + scsi_set_resid(srb, 0); + rts51x_set_xfer_buf(sd_card->raw_csd, scsi_bufflen(srb), srb); + + return TRANSPORT_GOOD; +} + +static int read_phy_register(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + int retval; + u8 addr, len, i; + u8 *buf; + + rts51x_prepare_run(chip); + RTS51X_SET_STAT(chip, STAT_RUN); + + addr = srb->cmnd[5]; + len = srb->cmnd[7]; + + if (len) { + buf = vmalloc(len); + if (!buf) + TRACE_RET(chip, TRANSPORT_ERROR); + + for (i = 0; i < len; i++) { + retval = + rts51x_read_phy_register(chip, addr + i, buf + i); + if (retval != STATUS_SUCCESS) { + vfree(buf); + rts51x_set_sense_type(chip, SCSI_LUN(srb), + SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR); + TRACE_RET(chip, TRANSPORT_FAILED); + } + } + + len = min(scsi_bufflen(srb), (unsigned int)len); + rts51x_set_xfer_buf(buf, len, srb); + scsi_set_resid(srb, scsi_bufflen(srb) - len); + + vfree(buf); + } + + return TRANSPORT_GOOD; +} + +static int write_phy_register(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + int retval; + u8 addr, len, i; + u8 *buf; + + rts51x_prepare_run(chip); + RTS51X_SET_STAT(chip, STAT_RUN); + + addr = srb->cmnd[5]; + len = srb->cmnd[7]; + + if (len) { + len = min(scsi_bufflen(srb), (unsigned int)len); + + buf = vmalloc(len); + if (buf == NULL) + TRACE_RET(chip, TRANSPORT_ERROR); + + rts51x_get_xfer_buf(buf, len, srb); + scsi_set_resid(srb, scsi_bufflen(srb) - len); + + for (i = 0; i < len; i++) { + retval = + rts51x_write_phy_register(chip, addr + i, buf[i]); + if (retval != STATUS_SUCCESS) { + vfree(buf); + rts51x_set_sense_type(chip, SCSI_LUN(srb), + SENSE_TYPE_MEDIA_WRITE_ERR); + TRACE_RET(chip, TRANSPORT_FAILED); + } + } + + vfree(buf); + } + + return TRANSPORT_GOOD; +} + +static int get_card_bus_width(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + unsigned int lun = SCSI_LUN(srb); + u8 card, bus_width; + + if (!check_card_ready(chip, lun)) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + card = rts51x_get_lun_card(chip, lun); + if ((card == SD_CARD) || (card == MS_CARD)) { + bus_width = chip->card_bus_width[lun]; + } else { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + scsi_set_resid(srb, 0); + rts51x_set_xfer_buf(&bus_width, scsi_bufflen(srb), srb); + + return TRANSPORT_GOOD; +} + +#ifdef _MSG_TRACE +static int trace_msg_cmd(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + unsigned char *buf = NULL; + u8 clear; + unsigned int buf_len; + + buf_len = + 4 + + ((2 + MSG_FUNC_LEN + MSG_FILE_LEN + TIME_VAL_LEN) * TRACE_ITEM_CNT); + + if ((scsi_bufflen(srb) < buf_len) || (scsi_sglist(srb) == NULL)) { + rts51x_set_sense_type(chip, SCSI_LUN(srb), + SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + clear = srb->cmnd[2]; + + buf = vmalloc(scsi_bufflen(srb)); + if (buf == NULL) + TRACE_RET(chip, TRANSPORT_ERROR); + + rts51x_trace_msg(chip, buf, clear); + + rts51x_set_xfer_buf(buf, scsi_bufflen(srb), srb); + vfree(buf); + + scsi_set_resid(srb, 0); + return TRANSPORT_GOOD; +} +#endif + +static int rw_mem_cmd_buf(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + int retval = STATUS_SUCCESS; + unsigned int lun = SCSI_LUN(srb); + u8 cmd_type, mask, value, idx, mode, len; + u16 addr; + u32 timeout; + + rts51x_prepare_run(chip); + RTS51X_SET_STAT(chip, STAT_RUN); + + switch (srb->cmnd[3]) { + case INIT_BATCHCMD: + rts51x_init_cmd(chip); + break; + + case ADD_BATCHCMD: + cmd_type = srb->cmnd[4]; + if (cmd_type > 2) { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + addr = (srb->cmnd[5] << 8) | srb->cmnd[6]; + mask = srb->cmnd[7]; + value = srb->cmnd[8]; + rts51x_add_cmd(chip, cmd_type, addr, mask, value); + break; + + case SEND_BATCHCMD: + mode = srb->cmnd[4]; + len = srb->cmnd[5]; + timeout = + ((u32) srb->cmnd[6] << 24) | ((u32) srb-> + cmnd[7] << 16) | ((u32) srb-> + cmnd[8] << + 8) | ((u32) + srb-> + cmnd + [9]); + retval = rts51x_send_cmd(chip, mode, 1000); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_WRITE_ERR); + TRACE_RET(chip, TRANSPORT_FAILED); + } + if (mode & STAGE_R) { + retval = rts51x_get_rsp(chip, len, timeout); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR); + TRACE_RET(chip, TRANSPORT_FAILED); + } + } + break; + + case GET_BATCHRSP: + idx = srb->cmnd[4]; + value = chip->rsp_buf[idx]; + if (scsi_bufflen(srb) < 1) { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + rts51x_set_xfer_buf(&value, 1, srb); + scsi_set_resid(srb, 0); + break; + + default: + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_WRITE_ERR); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + return TRANSPORT_GOOD; +} + +static int suit_cmd(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + int result; + + switch (srb->cmnd[3]) { + case INIT_BATCHCMD: + case ADD_BATCHCMD: + case SEND_BATCHCMD: + case GET_BATCHRSP: + result = rw_mem_cmd_buf(srb, chip); + break; + default: + result = TRANSPORT_ERROR; + } + + return result; +} + +static int app_cmd(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + int result; + + switch (srb->cmnd[2]) { + case PP_READ10: + case PP_WRITE10: + result = read_write(srb, chip); + break; + + case SUIT_CMD: + result = suit_cmd(srb, chip); + break; + + case READ_PHY: + result = read_phy_register(srb, chip); + break; + + case WRITE_PHY: + result = write_phy_register(srb, chip); + break; + + case GET_DEV_STATUS: + result = get_dev_status(srb, chip); + break; + + default: + rts51x_set_sense_type(chip, SCSI_LUN(srb), + SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + return result; +} + +static int vendor_cmnd(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + int result = TRANSPORT_GOOD; + + switch (srb->cmnd[1]) { + case READ_STATUS: + result = read_status(srb, chip); + break; + + case READ_MEM: + result = read_mem(srb, chip); + break; + + case WRITE_MEM: + result = write_mem(srb, chip); + break; + + case GET_BUS_WIDTH: + result = get_card_bus_width(srb, chip); + break; + + case GET_SD_CSD: + result = get_sd_csd(srb, chip); + break; + +#ifdef _MSG_TRACE + case TRACE_MSG: + result = trace_msg_cmd(srb, chip); + break; +#endif + + case SCSI_APP_CMD: + result = app_cmd(srb, chip); + break; + + default: + rts51x_set_sense_type(chip, SCSI_LUN(srb), + SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + return result; +} + +static int ms_format_cmnd(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + struct ms_info *ms_card = &(chip->ms_card); + unsigned int lun = SCSI_LUN(srb); + int retval, quick_format; + + if (rts51x_get_lun_card(chip, lun) != MS_CARD) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_LUN_NOT_SUPPORT); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + if ((srb->cmnd[3] != 0x4D) || (srb->cmnd[4] != 0x47) + || (srb->cmnd[5] != 0x66) || (srb->cmnd[6] != 0x6D) + || (srb->cmnd[7] != 0x74)) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + if (srb->cmnd[8] & 0x01) + quick_format = 0; + else + quick_format = 1; + + if (!(chip->card_ready & MS_CARD)) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + if (chip->card_wp & MS_CARD) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_WRITE_PROTECT); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + if (!CHK_MSPRO(ms_card)) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_LUN_NOT_SUPPORT); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + rts51x_prepare_run(chip); + RTS51X_SET_STAT(chip, STAT_RUN); + + retval = rts51x_mspro_format(srb, chip, MS_SHORT_DATA_LEN, quick_format); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_FORMAT_CMD_FAILED); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + scsi_set_resid(srb, 0); + return TRANSPORT_GOOD; +} + +#ifdef SUPPORT_PCGL_1P18 +static int get_ms_information(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + struct ms_info *ms_card = &(chip->ms_card); + unsigned int lun = SCSI_LUN(srb); + u8 dev_info_id, data_len; + u8 *buf; + unsigned int buf_len; + int i; + + if (!check_card_ready(chip, lun)) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT); + TRACE_RET(chip, TRANSPORT_FAILED); + } + if ((rts51x_get_lun_card(chip, lun) != MS_CARD)) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_LUN_NOT_SUPPORT); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + if ((srb->cmnd[2] != 0xB0) || (srb->cmnd[4] != 0x4D) || + (srb->cmnd[5] != 0x53) || (srb->cmnd[6] != 0x49) || + (srb->cmnd[7] != 0x44)) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + dev_info_id = srb->cmnd[3]; + if ((CHK_MSXC(ms_card) && (dev_info_id == 0x10)) || + (!CHK_MSXC(ms_card) && (dev_info_id == 0x13)) || + !CHK_MSPRO(ms_card)) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + if (dev_info_id == 0x15) + buf_len = data_len = 0x3A; + else + buf_len = data_len = 0x6A; + + buf = kmalloc(buf_len, GFP_KERNEL); + if (!buf) + TRACE_RET(chip, TRANSPORT_ERROR); + + i = 0; + /* GET Memory Stick Media Information Response Header */ + buf[i++] = 0x00; /* Data length MSB */ + buf[i++] = data_len; /* Data length LSB */ + /* Device Information Type Code */ + if (CHK_MSXC(ms_card)) + buf[i++] = 0x03; + else + buf[i++] = 0x02; + /* SGM bit */ + buf[i++] = 0x01; + /* Reserved */ + buf[i++] = 0x00; + buf[i++] = 0x00; + buf[i++] = 0x00; + /* Number of Device Information */ + buf[i++] = 0x01; + + /* Device Information Body + * Device Information ID Number */ + buf[i++] = dev_info_id; + /* Device Information Length */ + if (dev_info_id == 0x15) + data_len = 0x31; + else + data_len = 0x61; + buf[i++] = 0x00; /* Data length MSB */ + buf[i++] = data_len; /* Data length LSB */ + /* Valid Bit */ + buf[i++] = 0x80; + if ((dev_info_id == 0x10) || (dev_info_id == 0x13)) { + /* System Information */ + memcpy(buf + i, ms_card->raw_sys_info, 96); + } else { + /* Model Name */ + memcpy(buf + i, ms_card->raw_model_name, 48); + } + + rts51x_set_xfer_buf(buf, buf_len, srb); + + if (dev_info_id == 0x15) + scsi_set_resid(srb, scsi_bufflen(srb) - 0x3C); + else + scsi_set_resid(srb, scsi_bufflen(srb) - 0x6C); + + kfree(buf); + return STATUS_SUCCESS; +} +#endif + +static int ms_sp_cmnd(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + int retval = TRANSPORT_ERROR; + + if (srb->cmnd[2] == MS_FORMAT) + retval = ms_format_cmnd(srb, chip); +#ifdef SUPPORT_PCGL_1P18 + else if (srb->cmnd[2] == GET_MS_INFORMATION) + retval = get_ms_information(srb, chip); +#endif + + return retval; +} + +#ifdef SUPPORT_CPRM +static int sd_extention_cmnd(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + unsigned int lun = SCSI_LUN(srb); + int result; + + rts51x_prepare_run(chip); + RTS51X_SET_STAT(chip, STAT_RUN); + + rts51x_sd_cleanup_work(chip); + + if (!check_card_ready(chip, lun)) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT); + TRACE_RET(chip, TRANSPORT_FAILED); + } + if ((rts51x_get_lun_card(chip, lun) != SD_CARD)) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_LUN_NOT_SUPPORT); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + switch (srb->cmnd[0]) { + case SD_PASS_THRU_MODE: + result = rts51x_sd_pass_thru_mode(srb, chip); + break; + + case SD_EXECUTE_NO_DATA: + result = rts51x_sd_execute_no_data(srb, chip); + break; + + case SD_EXECUTE_READ: + result = rts51x_sd_execute_read_data(srb, chip); + break; + + case SD_EXECUTE_WRITE: + result = rts51x_sd_execute_write_data(srb, chip); + break; + + case SD_GET_RSP: + result = rts51x_sd_get_cmd_rsp(srb, chip); + break; + + case SD_HW_RST: + result = rts51x_sd_hw_rst(srb, chip); + break; + + default: + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + return result; +} +#endif + +#ifdef SUPPORT_MAGIC_GATE +static int mg_report_key(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + struct ms_info *ms_card = &(chip->ms_card); + unsigned int lun = SCSI_LUN(srb); + int retval; + u8 key_format; + + rts51x_prepare_run(chip); + RTS51X_SET_STAT(chip, STAT_RUN); + + rts51x_ms_cleanup_work(chip); + + if (!check_card_ready(chip, lun)) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT); + TRACE_RET(chip, TRANSPORT_FAILED); + } + if ((rts51x_get_lun_card(chip, lun) != MS_CARD)) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_LUN_NOT_SUPPORT); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + if (srb->cmnd[7] != KC_MG_R_PRO) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + if (!CHK_MSPRO(ms_card)) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_INCOMPATIBLE_MEDIUM); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + key_format = srb->cmnd[10] & 0x3F; + + switch (key_format) { + case KF_GET_LOC_EKB: + if ((scsi_bufflen(srb) == 0x41C) && + (srb->cmnd[8] == 0x04) && (srb->cmnd[9] == 0x1C)) { + retval = rts51x_mg_get_local_EKB(srb, chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, TRANSPORT_FAILED); + } else { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + break; + + case KF_RSP_CHG: + if ((scsi_bufflen(srb) == 0x24) && + (srb->cmnd[8] == 0x00) && (srb->cmnd[9] == 0x24)) { + retval = rts51x_mg_get_rsp_chg(srb, chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, TRANSPORT_FAILED); + } else { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + break; + + case KF_GET_ICV: + ms_card->mg_entry_num = srb->cmnd[5]; + if ((scsi_bufflen(srb) == 0x404) && + (srb->cmnd[8] == 0x04) && + (srb->cmnd[9] == 0x04) && + (srb->cmnd[2] == 0x00) && + (srb->cmnd[3] == 0x00) && + (srb->cmnd[4] == 0x00) && (srb->cmnd[5] < 32)) { + retval = rts51x_mg_get_ICV(srb, chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, TRANSPORT_FAILED); + } else { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + break; + + default: + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + scsi_set_resid(srb, 0); + return TRANSPORT_GOOD; +} + +static int mg_send_key(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + struct ms_info *ms_card = &(chip->ms_card); + unsigned int lun = SCSI_LUN(srb); + int retval; + u8 key_format; + + rts51x_prepare_run(chip); + RTS51X_SET_STAT(chip, STAT_RUN); + + rts51x_ms_cleanup_work(chip); + + if (!check_card_ready(chip, lun)) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT); + TRACE_RET(chip, TRANSPORT_FAILED); + } + if (check_card_wp(chip, lun)) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_WRITE_PROTECT); + TRACE_RET(chip, TRANSPORT_FAILED); + } + if ((rts51x_get_lun_card(chip, lun) != MS_CARD)) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_LUN_NOT_SUPPORT); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + if (srb->cmnd[7] != KC_MG_R_PRO) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + if (!CHK_MSPRO(ms_card)) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MG_INCOMPATIBLE_MEDIUM); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + key_format = srb->cmnd[10] & 0x3F; + + switch (key_format) { + case KF_SET_LEAF_ID: + if ((scsi_bufflen(srb) == 0x0C) && + (srb->cmnd[8] == 0x00) && (srb->cmnd[9] == 0x0C)) { + retval = rts51x_mg_set_leaf_id(srb, chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, TRANSPORT_FAILED); + } else { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + break; + + case KF_CHG_HOST: + if ((scsi_bufflen(srb) == 0x0C) && + (srb->cmnd[8] == 0x00) && (srb->cmnd[9] == 0x0C)) { + retval = rts51x_mg_chg(srb, chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, TRANSPORT_FAILED); + } else { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + break; + + case KF_RSP_HOST: + if ((scsi_bufflen(srb) == 0x0C) && + (srb->cmnd[8] == 0x00) && (srb->cmnd[9] == 0x0C)) { + retval = rts51x_mg_rsp(srb, chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, TRANSPORT_FAILED); + } else { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + break; + + case KF_SET_ICV: + ms_card->mg_entry_num = srb->cmnd[5]; + if ((scsi_bufflen(srb) == 0x404) && + (srb->cmnd[8] == 0x04) && + (srb->cmnd[9] == 0x04) && + (srb->cmnd[2] == 0x00) && + (srb->cmnd[3] == 0x00) && + (srb->cmnd[4] == 0x00) && (srb->cmnd[5] < 32)) { + retval = rts51x_mg_set_ICV(srb, chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, TRANSPORT_FAILED); + } else { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + break; + + default: + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + scsi_set_resid(srb, 0); + return TRANSPORT_GOOD; +} +#endif + +int rts51x_scsi_handler(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + struct ms_info *ms_card = &(chip->ms_card); + unsigned int lun = SCSI_LUN(srb); + int result = TRANSPORT_GOOD; + + if ((rts51x_get_lun_card(chip, lun) == MS_CARD) && + (ms_card->format_status == FORMAT_IN_PROGRESS)) { + if ((srb->cmnd[0] != REQUEST_SENSE) + && (srb->cmnd[0] != INQUIRY)) { + /* Logical Unit Not Ready Format in Progress */ + rts51x_set_sense_data(chip, lun, CUR_ERR, 0x02, 0, 0x04, 0x04, + 0, (u16) (ms_card->progress)); + TRACE_RET(chip, TRANSPORT_FAILED); + } + } + + switch (srb->cmnd[0]) { + case READ_10: + case WRITE_10: + case READ_6: + case WRITE_6: + result = read_write(srb, chip); + break; + + case TEST_UNIT_READY: + result = test_unit_ready(srb, chip); + break; + + case INQUIRY: + result = inquiry(srb, chip); + break; + + case READ_CAPACITY: + result = read_capacity(srb, chip); + break; + + case START_STOP: + result = start_stop_unit(srb, chip); + break; + + case ALLOW_MEDIUM_REMOVAL: + result = allow_medium_removal(srb, chip); + break; + + case REQUEST_SENSE: + result = request_sense(srb, chip); + break; + + case MODE_SENSE: + case MODE_SENSE_10: + result = mode_sense(srb, chip); + break; + + case 0x23: + result = read_format_capacity(srb, chip); + break; + + case VENDOR_CMND: + result = vendor_cmnd(srb, chip); + break; + + case MS_SP_CMND: + result = ms_sp_cmnd(srb, chip); + break; + +#ifdef SUPPORT_CPRM + case SD_PASS_THRU_MODE: + case SD_EXECUTE_NO_DATA: + case SD_EXECUTE_READ: + case SD_EXECUTE_WRITE: + case SD_GET_RSP: + case SD_HW_RST: + result = sd_extention_cmnd(srb, chip); + break; +#endif + +#ifdef SUPPORT_MAGIC_GATE + case CMD_MSPRO_MG_RKEY: + result = mg_report_key(srb, chip); + break; + + case CMD_MSPRO_MG_SKEY: + result = mg_send_key(srb, chip); + break; +#endif + + case FORMAT_UNIT: + case MODE_SELECT: + case VERIFY: + result = TRANSPORT_GOOD; + break; + + default: + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + result = TRANSPORT_FAILED; + } + + return result; +} + +/*********************************************************************** + * Host functions + ***********************************************************************/ + +int slave_alloc(struct scsi_device *sdev) +{ + /* + * Set the INQUIRY transfer length to 36. We don't use any of + * the extra data and many devices choke if asked for more or + * less than 36 bytes. + */ + sdev->inquiry_len = 36; + return 0; +} + +int slave_configure(struct scsi_device *sdev) +{ + /* Scatter-gather buffers (all but the last) must have a length + * divisible by the bulk maxpacket size. Otherwise a data packet + * would end up being short, causing a premature end to the data + * transfer. Since high-speed bulk pipes have a maxpacket size + * of 512, we'll use that as the scsi device queue's DMA alignment + * mask. Guaranteeing proper alignment of the first buffer will + * have the desired effect because, except at the beginning and + * the end, scatter-gather buffers follow page boundaries. */ + blk_queue_dma_alignment(sdev->request_queue, (512 - 1)); + + /* Set the SCSI level to at least 2. We'll leave it at 3 if that's + * what is originally reported. We need this to avoid confusing + * the SCSI layer with devices that report 0 or 1, but need 10-byte + * commands (ala ATAPI devices behind certain bridges, or devices + * which simply have broken INQUIRY data). + * + * NOTE: This means /dev/sg programs (ala cdrecord) will get the + * actual information. This seems to be the preference for + * programs like that. + * + * NOTE: This also means that /proc/scsi/scsi and sysfs may report + * the actual value or the modified one, depending on where the + * data comes from. + */ + if (sdev->scsi_level < SCSI_2) + sdev->scsi_level = sdev->sdev_target->scsi_level = SCSI_2; + + return 0; +} + +/*********************************************************************** + * /proc/scsi/ functions + ***********************************************************************/ + +/* we use this macro to help us write into the buffer */ +#undef SPRINTF +#define SPRINTF(args...) seq_printf(m, ##args) + +static int write_info(struct Scsi_Host *host, char *buffer, int length) +{ + /* if someone is sending us data, just throw it away */ + return length; +} + +static int show_info(struct seq_file *m, struct Scsi_Host *host) +{ + /* print the controller name */ + SPRINTF(" Host scsi%d: %s\n", host->host_no, RTS51X_NAME); + + /* print product, vendor, and driver version strings */ + SPRINTF(" Vendor: Realtek Corp.\n"); + SPRINTF(" Product: RTS51xx USB Card Reader\n"); + SPRINTF(" Version: %s\n", DRIVER_VERSION); + return 0; +} + +/* queue a command */ +/* This is always called with scsi_lock(host) held */ +static int queuecommand_lck(struct scsi_cmnd *srb, void (*done) (struct scsi_cmnd *)) +{ + struct rts51x_chip *chip = host_to_rts51x(srb->device->host); + + /* check for state-transition errors */ + if (chip->srb != NULL) { + RTS51X_DEBUGP("Error in %s: chip->srb = %p\n", + __func__, chip->srb); + return SCSI_MLQUEUE_HOST_BUSY; + } + + /* fail the command if we are disconnecting */ + if (test_bit(FLIDX_DISCONNECTING, &chip->usb->dflags)) { + RTS51X_DEBUGP("Fail command during disconnect\n"); + srb->result = DID_NO_CONNECT << 16; + done(srb); + return 0; + } + + /* enqueue the command and wake up the control thread */ + srb->scsi_done = done; + chip->srb = srb; + complete(&chip->usb->cmnd_ready); + + return 0; +} + +DEF_SCSI_QCMD(queuecommand) +/*********************************************************************** + * Error handling functions + ***********************************************************************/ +/* Command timeout and abort */ +int command_abort(struct scsi_cmnd *srb) +{ + struct rts51x_chip *chip = host_to_rts51x(srb->device->host); + + RTS51X_DEBUGP("%s called\n", __func__); + + /* us->srb together with the TIMED_OUT, RESETTING, and ABORTING + * bits are protected by the host lock. */ + scsi_lock(rts51x_to_host(chip)); + + /* Is this command still active? */ + if (chip->srb != srb) { + scsi_unlock(rts51x_to_host(chip)); + RTS51X_DEBUGP("-- nothing to abort\n"); + return FAILED; + } + + /* Set the TIMED_OUT bit. Also set the ABORTING bit, but only if + * a device reset isn't already in progress (to avoid interfering + * with the reset). Note that we must retain the host lock while + * calling usb_stor_stop_transport(); otherwise it might interfere + * with an auto-reset that begins as soon as we release the lock. */ + set_bit(FLIDX_TIMED_OUT, &chip->usb->dflags); + if (!test_bit(FLIDX_RESETTING, &chip->usb->dflags)) { + set_bit(FLIDX_ABORTING, &chip->usb->dflags); + /* rts51x_stop_transport(us); */ + } + scsi_unlock(rts51x_to_host(chip)); + + /* Wait for the aborted command to finish */ + wait_for_completion(&chip->usb->notify); + return SUCCESS; +} + +/* This invokes the transport reset mechanism to reset the state of the + * device */ +static int device_reset(struct scsi_cmnd *srb) +{ + int result = 0; + + RTS51X_DEBUGP("%s called\n", __func__); + + return result < 0 ? FAILED : SUCCESS; +} + +/* Simulate a SCSI bus reset by resetting the device's USB port. */ +int bus_reset(struct scsi_cmnd *srb) +{ + int result = 0; + + RTS51X_DEBUGP("%s called\n", __func__); + + return result < 0 ? FAILED : SUCCESS; +} + +static const char *rts5139_info(struct Scsi_Host *host) +{ + return "SCSI emulation for RTS5139 USB card reader"; +} + +struct scsi_host_template rts51x_host_template = { + /* basic userland interface stuff */ + .name = RTS51X_NAME, + .proc_name = RTS51X_NAME, + .show_info = show_info, + .write_info = write_info, + .info = rts5139_info, + + /* command interface -- queued only */ + .queuecommand = queuecommand, + + /* error and abort handlers */ + .eh_abort_handler = command_abort, + .eh_device_reset_handler = device_reset, + .eh_bus_reset_handler = bus_reset, + + /* queue commands only, only one command per LUN */ + .can_queue = 1, + .cmd_per_lun = 1, + + /* unknown initiator id */ + .this_id = -1, + + .slave_alloc = slave_alloc, + .slave_configure = slave_configure, + + /* lots of sg segments can be handled */ + .sg_tablesize = SG_ALL, + + /* limit the total size of a transfer to 120 KB */ + .max_sectors = 240, + + /* merge commands... this seems to help performance, but + * periodically someone should test to see which setting is more + * optimal. + */ + .use_clustering = 1, + + /* emulated HBA */ + .emulated = 1, + + /* we do our own delay after a device or bus reset */ + .skip_settle_delay = 1, + + /* sysfs device attributes */ + /* .sdev_attrs = sysfs_device_attr_list, */ + + /* module management */ + .module = THIS_MODULE +}; + diff --git a/drivers/staging/rts5139/rts51x_scsi.h b/drivers/staging/rts5139/rts51x_scsi.h new file mode 100644 index 000000000000..1a0d70566186 --- /dev/null +++ b/drivers/staging/rts5139/rts51x_scsi.h @@ -0,0 +1,154 @@ +/* Driver for Realtek RTS51xx USB card reader + * Header file + * + * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, see <http://www.gnu.org/licenses/>. + * + * Author: + * wwang (wei_wang(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + * Maintainer: + * Edwin Rong (edwin_rong(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + */ + +#ifndef __RTS51X_SCSI_H +#define __RTS51X_SCSI_H + +#include <linux/usb.h> +#include <linux/usb_usual.h> +#include <linux/blkdev.h> +#include <linux/completion.h> +#include <linux/mutex.h> +#include <scsi/scsi_host.h> + +#include "rts51x_chip.h" + +#define MS_SP_CMND 0xFA +#define MS_FORMAT 0xA0 +#define GET_MS_INFORMATION 0xB0 + +#define VENDOR_CMND 0xF0 + +#define READ_STATUS 0x09 + +#define READ_MEM 0x0D +#define WRITE_MEM 0x0E +#define GET_BUS_WIDTH 0x13 +#define GET_SD_CSD 0x14 +#define TOGGLE_GPIO 0x15 +#define TRACE_MSG 0x18 + +#define SCSI_APP_CMD 0x10 + +#define PP_READ10 0x1A +#define PP_WRITE10 0x0A +#define READ_HOST_REG 0x1D +#define WRITE_HOST_REG 0x0D +#define SET_VAR 0x05 +#define GET_VAR 0x15 +#define DMA_READ 0x16 +#define DMA_WRITE 0x06 +#define GET_DEV_STATUS 0x10 +#define SET_CHIP_MODE 0x27 +#define SUIT_CMD 0xE0 +#define WRITE_PHY 0x07 +#define READ_PHY 0x17 + +#define INIT_BATCHCMD 0x41 +#define ADD_BATCHCMD 0x42 +#define SEND_BATCHCMD 0x43 +#define GET_BATCHRSP 0x44 + +#ifdef SUPPORT_CPRM +/* SD Pass Through Command Extension */ +#define SD_PASS_THRU_MODE 0xD0 +#define SD_EXECUTE_NO_DATA 0xD1 +#define SD_EXECUTE_READ 0xD2 +#define SD_EXECUTE_WRITE 0xD3 +#define SD_GET_RSP 0xD4 +#define SD_HW_RST 0xD6 +#endif + +#ifdef SUPPORT_MAGIC_GATE +#define CMD_MSPRO_MG_RKEY 0xA4 /* Report Key Command */ +#define CMD_MSPRO_MG_SKEY 0xA3 /* Send Key Command */ + +/* CBWCB field: key class */ +#define KC_MG_R_PRO 0xBE /* MG-R PRO */ + +/* CBWCB field: key format */ +#define KF_SET_LEAF_ID 0x31 /* Set Leaf ID */ +#define KF_GET_LOC_EKB 0x32 /* Get Local EKB */ +#define KF_CHG_HOST 0x33 /* Challenge (host) */ +#define KF_RSP_CHG 0x34 /* Response and Challenge (device) */ +#define KF_RSP_HOST 0x35 /* Response (host) */ +#define KF_GET_ICV 0x36 /* Get ICV */ +#define KF_SET_ICV 0x37 /* SSet ICV */ +#endif + +struct rts51x_chip; + +/*----------------------------------- + Start-Stop-Unit +-----------------------------------*/ +#define STOP_MEDIUM 0x00 /* access disable */ +#define MAKE_MEDIUM_READY 0x01 /* access enable */ +#define UNLOAD_MEDIUM 0x02 /* unload */ +#define LOAD_MEDIUM 0x03 /* load */ + +/*----------------------------------- + STANDARD_INQUIRY +-----------------------------------*/ +#define QULIFIRE 0x00 +#define AENC_FNC 0x00 +#define TRML_IOP 0x00 +#define REL_ADR 0x00 +#define WBUS_32 0x00 +#define WBUS_16 0x00 +#define SYNC 0x00 +#define LINKED 0x00 +#define CMD_QUE 0x00 +#define SFT_RE 0x00 + +#define VEN_ID_LEN 8 /* Vendor ID Length */ +#define PRDCT_ID_LEN 16 /* Product ID Length */ +#define PRDCT_REV_LEN 4 /* Product LOT Length */ + +#define DRCT_ACCESS_DEV 0x00 /* Direct Access Device */ +#define RMB_DISC 0x80 /* The Device is Removable */ +#define ANSI_SCSI2 0x02 /* Based on ANSI-SCSI2 */ + +#define SCSI 0x00 /* Interface ID */ + +void rts51x_scsi_show_command(struct scsi_cmnd *srb); +void rts51x_set_sense_type(struct rts51x_chip *chip, unsigned int lun, int sense_type); +void rts51x_set_sense_data(struct rts51x_chip *chip, unsigned int lun, u8 err_code, + u8 sense_key, u32 info, u8 asc, u8 ascq, u8 sns_key_info0, + u16 sns_key_info1); + +int rts51x_scsi_handler(struct scsi_cmnd *srb, struct rts51x_chip *chip); + +struct Scsi_Host; +struct scsi_device; +struct scsi_cmnd; + +int slave_alloc(struct scsi_device *sdev); +int slave_configure(struct scsi_device *sdev); +int queuecommand(struct Scsi_Host *, struct scsi_cmnd *); +int command_abort(struct scsi_cmnd *srb); +int bus_reset(struct scsi_cmnd *srb); + +#endif /* __RTS51X_SCSI_H */ diff --git a/drivers/staging/rts5139/rts51x_transport.c b/drivers/staging/rts5139/rts51x_transport.c new file mode 100644 index 000000000000..0db1345df94e --- /dev/null +++ b/drivers/staging/rts5139/rts51x_transport.c @@ -0,0 +1,738 @@ +/* Driver for Realtek RTS51xx USB card reader + * + * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, see <http://www.gnu.org/licenses/>. + * + * Author: + * wwang (wei_wang(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + * Maintainer: + * Edwin Rong (edwin_rong(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + */ + +#include <linux/blkdev.h> +#include <linux/kthread.h> +#include <linux/sched.h> +#include <linux/slab.h> + +#include <scsi/scsi.h> +#include <scsi/scsi_eh.h> +#include <scsi/scsi_device.h> + +#include "debug.h" +#include "rts51x.h" +#include "rts51x_chip.h" +#include "rts51x_card.h" +#include "rts51x_scsi.h" +#include "rts51x_transport.h" +#include "trace.h" + +/*********************************************************************** + * Scatter-gather transfer buffer access routines + ***********************************************************************/ + +/* Copy a buffer of length buflen to/from the srb's transfer buffer. + * Update the **sgptr and *offset variables so that the next copy will + * pick up from where this one left off. + */ + +unsigned int rts51x_access_sglist(unsigned char *buffer, + unsigned int buflen, void *sglist, + void **sgptr, unsigned int *offset, + enum xfer_buf_dir dir) +{ + unsigned int cnt; + struct scatterlist *sg = (struct scatterlist *)*sgptr; + + /* We have to go through the list one entry + * at a time. Each s-g entry contains some number of pages, and + * each page has to be kmap()'ed separately. If the page is already + * in kernel-addressable memory then kmap() will return its address. + * If the page is not directly accessible -- such as a user buffer + * located in high memory -- then kmap() will map it to a temporary + * position in the kernel's virtual address space. + */ + + if (!sg) + sg = (struct scatterlist *)sglist; + + /* This loop handles a single s-g list entry, which may + * include multiple pages. Find the initial page structure + * and the starting offset within the page, and update + * the *offset and **sgptr values for the next loop. + */ + cnt = 0; + while (cnt < buflen && sg) { + struct page *page = sg_page(sg) + + ((sg->offset + *offset) >> PAGE_SHIFT); + unsigned int poff = (sg->offset + *offset) & (PAGE_SIZE - 1); + unsigned int sglen = sg->length - *offset; + + if (sglen > buflen - cnt) { + + /* Transfer ends within this s-g entry */ + sglen = buflen - cnt; + *offset += sglen; + } else { + + /* Transfer continues to next s-g entry */ + *offset = 0; + sg = sg_next(sg); + } + + /* Transfer the data for all the pages in this + * s-g entry. For each page: call kmap(), do the + * transfer, and call kunmap() immediately after. */ + while (sglen > 0) { + unsigned int plen = min(sglen, (unsigned int) + PAGE_SIZE - poff); + unsigned char *ptr = kmap(page); + + if (dir == TO_XFER_BUF) + memcpy(ptr + poff, buffer + cnt, plen); + else + memcpy(buffer + cnt, ptr + poff, plen); + kunmap(page); + + /* Start at the beginning of the next page */ + poff = 0; + ++page; + cnt += plen; + sglen -= plen; + } + } + *sgptr = sg; + + /* Return the amount actually transferred */ + return cnt; +} + +static unsigned int rts51x_access_xfer_buf(unsigned char *buffer, + unsigned int buflen, struct scsi_cmnd *srb, + struct scatterlist **sgptr, + unsigned int *offset, enum xfer_buf_dir dir) +{ + return rts51x_access_sglist(buffer, buflen, (void *)scsi_sglist(srb), + (void **)sgptr, offset, dir); +} + +/* Store the contents of buffer into srb's transfer buffer and set the + * SCSI residue. + */ +void rts51x_set_xfer_buf(unsigned char *buffer, + unsigned int buflen, struct scsi_cmnd *srb) +{ + unsigned int offset = 0; + struct scatterlist *sg = NULL; + + buflen = min(buflen, scsi_bufflen(srb)); + buflen = rts51x_access_xfer_buf(buffer, buflen, srb, &sg, &offset, + TO_XFER_BUF); + if (buflen < scsi_bufflen(srb)) + scsi_set_resid(srb, scsi_bufflen(srb) - buflen); +} + +void rts51x_get_xfer_buf(unsigned char *buffer, + unsigned int buflen, struct scsi_cmnd *srb) +{ + unsigned int offset = 0; + struct scatterlist *sg = NULL; + + buflen = min(buflen, scsi_bufflen(srb)); + buflen = rts51x_access_xfer_buf(buffer, buflen, srb, &sg, &offset, + FROM_XFER_BUF); + if (buflen < scsi_bufflen(srb)) + scsi_set_resid(srb, scsi_bufflen(srb) - buflen); +} + +/* This is the completion handler which will wake us up when an URB + * completes. + */ +static void urb_done_completion(struct urb *urb) +{ + struct completion *urb_done_ptr = urb->context; + + if (urb_done_ptr) + complete(urb_done_ptr); +} + +/* This is the common part of the URB message submission code + * + * All URBs from the driver involved in handling a queued scsi + * command _must_ pass through this function (or something like it) for the + * abort mechanisms to work properly. + */ +static int rts51x_msg_common(struct rts51x_chip *chip, struct urb *urb, + int timeout) +{ + struct rts51x_usb *rts51x = chip->usb; + struct completion urb_done; + long timeleft; + int status; + + /* don't submit URBs during abort processing */ + if (test_bit(FLIDX_ABORTING, &rts51x->dflags)) + TRACE_RET(chip, -EIO); + + /* set up data structures for the wakeup system */ + init_completion(&urb_done); + + /* fill the common fields in the URB */ + urb->context = &urb_done; + urb->actual_length = 0; + urb->error_count = 0; + urb->status = 0; + + /* we assume that if transfer_buffer isn't us->iobuf then it + * hasn't been mapped for DMA. Yes, this is clunky, but it's + * easier than always having the caller tell us whether the + * transfer buffer has already been mapped. */ + urb->transfer_flags = URB_NO_SETUP_DMA_MAP; + if (urb->transfer_buffer == rts51x->iobuf) { + urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; + urb->transfer_dma = rts51x->iobuf_dma; + } + urb->setup_dma = rts51x->cr_dma; + + /* submit the URB */ + status = usb_submit_urb(urb, GFP_NOIO); + if (status) { + /* something went wrong */ + TRACE_RET(chip, status); + } + + /* since the URB has been submitted successfully, it's now okay + * to cancel it */ + set_bit(FLIDX_URB_ACTIVE, &rts51x->dflags); + + /* did an abort occur during the submission? */ + if (test_bit(FLIDX_ABORTING, &rts51x->dflags)) { + + /* cancel the URB, if it hasn't been cancelled already */ + if (test_and_clear_bit(FLIDX_URB_ACTIVE, &rts51x->dflags)) { + RTS51X_DEBUGP("-- cancelling URB\n"); + usb_unlink_urb(urb); + } + } + + /* wait for the completion of the URB */ + timeleft = + wait_for_completion_interruptible_timeout(&urb_done, + (timeout * HZ / + 1000) ? : + MAX_SCHEDULE_TIMEOUT); + + clear_bit(FLIDX_URB_ACTIVE, &rts51x->dflags); + + if (timeleft <= 0) { + RTS51X_DEBUGP("%s -- cancelling URB\n", + timeleft == 0 ? "Timeout" : "Signal"); + usb_kill_urb(urb); + if (timeleft == 0) + status = -ETIMEDOUT; + else + status = -EINTR; + } else { + status = urb->status; + } + + return status; +} + +static int rts51x_clear_halt(struct rts51x_chip *chip, unsigned int pipe); + +/* + * Interpret the results of a URB transfer + */ +static int interpret_urb_result(struct rts51x_chip *chip, unsigned int pipe, + unsigned int length, int result, + unsigned int partial) +{ + int retval = STATUS_SUCCESS; + + /* RTS51X_DEBUGP("Status code %d; transferred %u/%u\n", + result, partial, length); */ + switch (result) { + /* no error code; did we send all the data? */ + case 0: + if (partial != length) { + RTS51X_DEBUGP("-- short transfer\n"); + TRACE_RET(chip, STATUS_TRANS_SHORT); + } + /* RTS51X_DEBUGP("-- transfer complete\n"); */ + return STATUS_SUCCESS; + /* stalled */ + case -EPIPE: + /* for control endpoints, (used by CB[I]) a stall indicates + * a failed command */ + if (usb_pipecontrol(pipe)) { + RTS51X_DEBUGP("-- stall on control pipe\n"); + TRACE_RET(chip, STATUS_STALLED); + } + /* for other sorts of endpoint, clear the stall */ + RTS51X_DEBUGP("clearing endpoint halt for pipe 0x%x\n", pipe); + if (rts51x_clear_halt(chip, pipe) < 0) + TRACE_RET(chip, STATUS_ERROR); + retval = STATUS_STALLED; + TRACE_GOTO(chip, Exit); + + /* babble - the device tried to send more than + * we wanted to read */ + case -EOVERFLOW: + RTS51X_DEBUGP("-- babble\n"); + retval = STATUS_TRANS_LONG; + TRACE_GOTO(chip, Exit); + + /* the transfer was cancelled by abort, + * disconnect, or timeout */ + case -ECONNRESET: + RTS51X_DEBUGP("-- transfer cancelled\n"); + retval = STATUS_ERROR; + TRACE_GOTO(chip, Exit); + + /* short scatter-gather read transfer */ + case -EREMOTEIO: + RTS51X_DEBUGP("-- short read transfer\n"); + retval = STATUS_TRANS_SHORT; + TRACE_GOTO(chip, Exit); + + /* abort or disconnect in progress */ + case -EIO: + RTS51X_DEBUGP("-- abort or disconnect in progress\n"); + retval = STATUS_ERROR; + TRACE_GOTO(chip, Exit); + + case -ETIMEDOUT: + RTS51X_DEBUGP("-- time out\n"); + retval = STATUS_TIMEDOUT; + TRACE_GOTO(chip, Exit); + + /* the catch-all error case */ + default: + RTS51X_DEBUGP("-- unknown error\n"); + retval = STATUS_ERROR; + TRACE_GOTO(chip, Exit); + } + +Exit: + if ((retval != STATUS_SUCCESS) && !usb_pipecontrol(pipe)) + rts51x_clear_hw_error(chip); + + return retval; +} + +int rts51x_ctrl_transfer(struct rts51x_chip *chip, unsigned int pipe, + u8 request, u8 requesttype, u16 value, u16 index, + void *data, u16 size, int timeout) +{ + struct rts51x_usb *rts51x = chip->usb; + int result; + + RTS51X_DEBUGP("%s: rq=%02x rqtype=%02x value=%04x index=%02x len=%u\n", + __func__, request, requesttype, value, index, size); + + /* fill in the devrequest structure */ + rts51x->cr->bRequestType = requesttype; + rts51x->cr->bRequest = request; + rts51x->cr->wValue = cpu_to_le16(value); + rts51x->cr->wIndex = cpu_to_le16(index); + rts51x->cr->wLength = cpu_to_le16(size); + + /* fill and submit the URB */ + usb_fill_control_urb(rts51x->current_urb, rts51x->pusb_dev, pipe, + (unsigned char *)rts51x->cr, data, size, + urb_done_completion, NULL); + result = rts51x_msg_common(chip, rts51x->current_urb, timeout); + + return interpret_urb_result(chip, pipe, size, result, + rts51x->current_urb->actual_length); +} + +static int rts51x_clear_halt(struct rts51x_chip *chip, unsigned int pipe) +{ + int result; + int endp = usb_pipeendpoint(pipe); + + if (usb_pipein(pipe)) + endp |= USB_DIR_IN; + + result = rts51x_ctrl_transfer(chip, SND_CTRL_PIPE(chip), + USB_REQ_CLEAR_FEATURE, USB_RECIP_ENDPOINT, + USB_ENDPOINT_HALT, endp, NULL, 0, 3000); + if (result != STATUS_SUCCESS) + TRACE_RET(chip, STATUS_FAIL); + + usb_reset_endpoint(chip->usb->pusb_dev, endp); + + return STATUS_SUCCESS; +} + +static void rts51x_sg_clean(struct usb_sg_request *io) +{ + if (io->urbs) { + while (io->entries--) + usb_free_urb(io->urbs[io->entries]); + kfree(io->urbs); + io->urbs = NULL; + } + io->dev = NULL; +} + +static int rts51x_sg_init(struct usb_sg_request *io, struct usb_device *dev, + unsigned pipe, unsigned period, struct scatterlist *sg, + int nents, size_t length, gfp_t mem_flags) +{ + return usb_sg_init(io, dev, pipe, period, sg, nents, length, mem_flags); +} + +static int rts51x_sg_wait(struct usb_sg_request *io, int timeout) +{ + long timeleft; + int i; + int entries = io->entries; + + /* queue the urbs. */ + spin_lock_irq(&io->lock); + i = 0; + while (i < entries && !io->status) { + int retval; + + io->urbs[i]->dev = io->dev; + retval = usb_submit_urb(io->urbs[i], GFP_ATOMIC); + + /* after we submit, let completions or cancelations fire; + * we handshake using io->status. + */ + spin_unlock_irq(&io->lock); + switch (retval) { + /* maybe the retry will recover */ + case -ENXIO: /* hc didn't queue this one */ + case -EAGAIN: + case -ENOMEM: + io->urbs[i]->dev = NULL; + retval = 0; + yield(); + break; + + /* no error? continue immediately. + * + * NOTE: to work better with UHCI (4K I/O buffer may + * need 3K of TDs) it may be good to limit how many + * URBs are queued at once; N milliseconds? + */ + case 0: + ++i; + cpu_relax(); + break; + + /* fail any uncompleted urbs */ + default: + io->urbs[i]->dev = NULL; + io->urbs[i]->status = retval; + dev_dbg(&io->dev->dev, "%s, submit --> %d\n", + __func__, retval); + usb_sg_cancel(io); + } + spin_lock_irq(&io->lock); + if (retval && (io->status == 0 || io->status == -ECONNRESET)) + io->status = retval; + } + io->count -= entries - i; + if (io->count == 0) + complete(&io->complete); + spin_unlock_irq(&io->lock); + + timeleft = + wait_for_completion_interruptible_timeout(&io->complete, + (timeout * HZ / + 1000) ? : + MAX_SCHEDULE_TIMEOUT); + if (timeleft <= 0) { + RTS51X_DEBUGP("%s -- cancelling SG request\n", + timeleft == 0 ? "Timeout" : "Signal"); + usb_sg_cancel(io); + if (timeleft == 0) + io->status = -ETIMEDOUT; + else + io->status = -EINTR; + } + + rts51x_sg_clean(io); + return io->status; +} + +/* + * Transfer a scatter-gather list via bulk transfer + * + * This function does basically the same thing as usb_stor_bulk_transfer_buf() + * above, but it uses the usbcore scatter-gather library. + */ +static int rts51x_bulk_transfer_sglist(struct rts51x_chip *chip, + unsigned int pipe, + struct scatterlist *sg, int num_sg, + unsigned int length, + unsigned int *act_len, int timeout) +{ + int result; + + /* don't submit s-g requests during abort processing */ + if (test_bit(FLIDX_ABORTING, &chip->usb->dflags)) + TRACE_RET(chip, STATUS_ERROR); + + /* initialize the scatter-gather request block */ + RTS51X_DEBUGP("%s: xfer %u bytes, %d entries\n", __func__, + length, num_sg); + result = + rts51x_sg_init(&chip->usb->current_sg, chip->usb->pusb_dev, pipe, 0, + sg, num_sg, length, GFP_NOIO); + if (result) { + RTS51X_DEBUGP("rts51x_sg_init returned %d\n", result); + TRACE_RET(chip, STATUS_ERROR); + } + + /* since the block has been initialized successfully, it's now + * okay to cancel it */ + set_bit(FLIDX_SG_ACTIVE, &chip->usb->dflags); + + /* did an abort occur during the submission? */ + if (test_bit(FLIDX_ABORTING, &chip->usb->dflags)) { + + /* cancel the request, if it hasn't been cancelled already */ + if (test_and_clear_bit(FLIDX_SG_ACTIVE, &chip->usb->dflags)) { + RTS51X_DEBUGP("-- cancelling sg request\n"); + usb_sg_cancel(&chip->usb->current_sg); + } + } + + /* wait for the completion of the transfer */ + result = rts51x_sg_wait(&chip->usb->current_sg, timeout); + + clear_bit(FLIDX_SG_ACTIVE, &chip->usb->dflags); + + /* result = us->current_sg.status; */ + if (act_len) + *act_len = chip->usb->current_sg.bytes; + return interpret_urb_result(chip, pipe, length, result, + chip->usb->current_sg.bytes); +} + +static int rts51x_bulk_transfer_buf(struct rts51x_chip *chip, + unsigned int pipe, + void *buf, unsigned int length, + unsigned int *act_len, int timeout) +{ + int result; + + /* fill and submit the URB */ + usb_fill_bulk_urb(chip->usb->current_urb, chip->usb->pusb_dev, pipe, + buf, length, urb_done_completion, NULL); + result = rts51x_msg_common(chip, chip->usb->current_urb, timeout); + + /* store the actual length of the data transferred */ + if (act_len) + *act_len = chip->usb->current_urb->actual_length; + return interpret_urb_result(chip, pipe, length, result, + chip->usb->current_urb->actual_length); +} + +int rts51x_transfer_data(struct rts51x_chip *chip, unsigned int pipe, + void *buf, unsigned int len, int use_sg, + unsigned int *act_len, int timeout) +{ + int result; + + if (timeout < 600) + timeout = 600; + + if (use_sg) { + result = + rts51x_bulk_transfer_sglist(chip, pipe, + (struct scatterlist *)buf, + use_sg, len, act_len, timeout); + } else { + result = + rts51x_bulk_transfer_buf(chip, pipe, buf, len, act_len, + timeout); + } + + return result; +} + +int rts51x_transfer_data_partial(struct rts51x_chip *chip, unsigned int pipe, + void *buf, void **ptr, unsigned int *offset, + unsigned int len, int use_sg, + unsigned int *act_len, int timeout) +{ + int result; + + if (timeout < 600) + timeout = 600; + + if (use_sg) { + void *tmp_buf = kmalloc(len, GFP_KERNEL); + if (!tmp_buf) + TRACE_RET(chip, STATUS_NOMEM); + + if (usb_pipeout(pipe)) { + rts51x_access_sglist(tmp_buf, len, buf, ptr, offset, + FROM_XFER_BUF); + } + result = + rts51x_bulk_transfer_buf(chip, pipe, tmp_buf, len, act_len, + timeout); + if (result == STATUS_SUCCESS) { + if (usb_pipein(pipe)) { + rts51x_access_sglist(tmp_buf, len, buf, ptr, + offset, TO_XFER_BUF); + } + } + + kfree(tmp_buf); + } else { + unsigned int step = 0; + if (offset) + step = *offset; + result = + rts51x_bulk_transfer_buf(chip, pipe, buf + step, len, + act_len, timeout); + if (act_len) + step += *act_len; + else + step += len; + if (offset) + *offset = step; + } + + return result; +} + +int rts51x_get_epc_status(struct rts51x_chip *chip, u16 *status) +{ + unsigned int pipe = RCV_INTR_PIPE(chip); + struct usb_host_endpoint *ep; + struct completion urb_done; + int result; + + if (!status) + TRACE_RET(chip, STATUS_ERROR); + + /* set up data structures for the wakeup system */ + init_completion(&urb_done); + + ep = chip->usb->pusb_dev->ep_in[usb_pipeendpoint(pipe)]; + + /* fill and submit the URB */ + /* Set interval to 10 here to match the endpoint descriptor, + * the polling interval is controlled by the polling thread */ + usb_fill_int_urb(chip->usb->intr_urb, chip->usb->pusb_dev, pipe, + status, 2, urb_done_completion, &urb_done, 10); + + result = rts51x_msg_common(chip, chip->usb->intr_urb, 100); + + return interpret_urb_result(chip, pipe, 2, result, + chip->usb->intr_urb->actual_length); +} + +void rts51x_invoke_transport(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + int result; + +#ifdef CONFIG_PM + static const u8 media_not_present[] = { + 0x70, 0, 0x02, 0, 0, 0, 0, 10, 0, 0, 0, 0, 0x3A, 0, 0, 0, 0, 0 + }; + static const u8 invalid_cmd_field[] = { + 0x70, 0, 0x05, 0, 0, 0, 0, 10, 0, 0, 0, 0, 0x24, 0, 0, 0, 0, 0 + }; + + if (chip->option.ss_en) { + if (srb->cmnd[0] == TEST_UNIT_READY) { + if (RTS51X_CHK_STAT(chip, STAT_SS)) { + if (check_fake_card_ready(chip, + SCSI_LUN(srb))) { + srb->result = SAM_STAT_GOOD; + } else { + srb->result = SAM_STAT_CHECK_CONDITION; + memcpy(srb->sense_buffer, + media_not_present, SENSE_SIZE); + } + return; + } + } else if (srb->cmnd[0] == ALLOW_MEDIUM_REMOVAL) { + if (RTS51X_CHK_STAT(chip, STAT_SS)) { + int prevent = srb->cmnd[4] & 0x1; + + if (prevent) { + srb->result = SAM_STAT_CHECK_CONDITION; + memcpy(srb->sense_buffer, + invalid_cmd_field, SENSE_SIZE); + } else { + srb->result = SAM_STAT_GOOD; + } + return; + } + } else { + if (RTS51X_CHK_STAT(chip, STAT_SS) + || RTS51X_CHK_STAT(chip, STAT_SS_PRE)) { + /* Wake up device */ + RTS51X_DEBUGP("Try to wake up device\n"); + chip->resume_from_scsi = 1; + + rts51x_try_to_exit_ss(chip); + + if (RTS51X_CHK_STAT(chip, STAT_SS)) { + wait_timeout(3000); + + rts51x_init_chip(chip); + rts51x_init_cards(chip); + } + } + } + } +#endif + + result = rts51x_scsi_handler(srb, chip); + + /* if there is a transport error, reset and don't auto-sense */ + if (result == TRANSPORT_ERROR) { + RTS51X_DEBUGP("-- transport indicates error, resetting\n"); + srb->result = DID_ERROR << 16; + goto Handle_Errors; + } + + srb->result = SAM_STAT_GOOD; + + /* + * If we have a failure, we're going to do a REQUEST_SENSE + * automatically. Note that we differentiate between a command + * "failure" and an "error" in the transport mechanism. + */ + if (result == TRANSPORT_FAILED) { + /* set the result so the higher layers expect this data */ + srb->result = SAM_STAT_CHECK_CONDITION; + memcpy(srb->sense_buffer, + (unsigned char *)&(chip->sense_buffer[SCSI_LUN(srb)]), + sizeof(struct sense_data_t)); + } + + return; + + /* Error and abort processing: try to resynchronize with the device + * by issuing a port reset. If that fails, try a class-specific + * device reset. */ +Handle_Errors: + return; +} diff --git a/drivers/staging/rts5139/rts51x_transport.h b/drivers/staging/rts5139/rts51x_transport.h new file mode 100644 index 000000000000..024f115540a6 --- /dev/null +++ b/drivers/staging/rts5139/rts51x_transport.h @@ -0,0 +1,67 @@ +/* Driver for Realtek RTS51xx USB card reader + * Header file + * + * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, see <http://www.gnu.org/licenses/>. + * + * Author: + * wwang (wei_wang(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + * Maintainer: + * Edwin Rong (edwin_rong(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + */ + +#ifndef __RTS51X_TRANSPORT_H +#define __RTS51X_TRANSPORT_H + +#include <linux/kernel.h> + +#include "rts51x.h" +#include "rts51x_chip.h" + +#if 1 /* LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 34) */ +#define URB_NO_SETUP_DMA_MAP 0 +#endif + +unsigned int rts51x_access_sglist(unsigned char *buffer, + unsigned int buflen, void *sglist, + void **sgptr, unsigned int *offset, + enum xfer_buf_dir dir); +void rts51x_set_xfer_buf(unsigned char *buffer, unsigned int buflen, + struct scsi_cmnd *srb); +void rts51x_get_xfer_buf(unsigned char *buffer, unsigned int buflen, + struct scsi_cmnd *srb); + +int rts51x_ctrl_transfer(struct rts51x_chip *chip, unsigned int pipe, + u8 request, u8 requesttype, u16 value, u16 index, + void *data, u16 size, int timeout); +int rts51x_transfer_data(struct rts51x_chip *chip, unsigned int pipe, + void *buf, unsigned int len, int use_sg, + unsigned int *act_len, int timeout); +int rts51x_transfer_data_partial(struct rts51x_chip *chip, unsigned int pipe, + void *buf, void **ptr, unsigned int *offset, + unsigned int len, int use_sg, + unsigned int *act_len, int timeout); + +#ifndef POLLING_IN_THREAD +int rts51x_start_epc_transfer(struct rts51x_chip *chip); +void rts51x_cancel_epc_transfer(struct rts51x_chip *chip); +#endif + +int rts51x_get_epc_status(struct rts51x_chip *chip, u16 *status); +void rts51x_invoke_transport(struct scsi_cmnd *srb, struct rts51x_chip *chip); + +#endif /* __RTS51X_TRANSPORT_H */ diff --git a/drivers/staging/rts5139/sd.c b/drivers/staging/rts5139/sd.c new file mode 100644 index 000000000000..da5a9b8fb69c --- /dev/null +++ b/drivers/staging/rts5139/sd.c @@ -0,0 +1,3274 @@ +/* Driver for Realtek RTS51xx USB card reader + * + * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, see <http://www.gnu.org/licenses/>. + * + * Author: + * wwang (wei_wang(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + * Maintainer: + * Edwin Rong (edwin_rong(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + */ + +#include <linux/blkdev.h> +#include <linux/kthread.h> +#include <linux/sched.h> + +#include "debug.h" +#include "trace.h" +#include "rts51x.h" +#include "rts51x_transport.h" +#include "rts51x_scsi.h" +#include "rts51x_card.h" +#include "sd.h" + +static inline void sd_set_reset_fail(struct rts51x_chip *chip, u8 err_code) +{ + struct sd_info *sd_card = &(chip->sd_card); + + sd_card->sd_reset_fail |= err_code; +} + +static inline void sd_clear_reset_fail(struct rts51x_chip *chip) +{ + struct sd_info *sd_card = &(chip->sd_card); + + sd_card->sd_reset_fail = 0; +} + +static inline int sd_check_reset_fail(struct rts51x_chip *chip, u8 err_code) +{ + struct sd_info *sd_card = &(chip->sd_card); + + return sd_card->sd_reset_fail & err_code; +} + +static inline void sd_set_err_code(struct rts51x_chip *chip, u8 err_code) +{ + struct sd_info *sd_card = &(chip->sd_card); + + sd_card->err_code |= err_code; +} + +static inline void sd_clr_err_code(struct rts51x_chip *chip) +{ + struct sd_info *sd_card = &(chip->sd_card); + + sd_card->err_code = 0; +} + +static inline int sd_check_err_code(struct rts51x_chip *chip, u8 err_code) +{ + struct sd_info *sd_card = &(chip->sd_card); + + return sd_card->err_code & err_code; +} + +static int sd_parse_err_code(struct rts51x_chip *chip) +{ + TRACE_RET(chip, STATUS_FAIL); +} + +int sd_check_data0_status(struct rts51x_chip *chip) +{ + int retval; + u8 stat; + + retval = rts51x_ep0_read_register(chip, SD_BUS_STAT, &stat); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + if (!(stat & SD_DAT0_STATUS)) { + sd_set_err_code(chip, SD_BUSY); + TRACE_RET(chip, STATUS_FAIL); + } + + return STATUS_SUCCESS; +} + +static int sd_send_cmd_get_rsp(struct rts51x_chip *chip, u8 cmd_idx, + u32 arg, u8 rsp_type, u8 *rsp, int rsp_len) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + int timeout = 50; + u16 reg_addr; + u8 buf[17], stat; + int len = 2; + int rty_cnt = 0; + + sd_clr_err_code(chip); + + RTS51X_DEBUGP("SD/MMC CMD %d, arg = 0x%08x\n", cmd_idx, arg); + + if (rsp_type == SD_RSP_TYPE_R1b) + timeout = 3000; + +RTY_SEND_CMD: + + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD0, 0xFF, 0x40 | cmd_idx); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD1, 0xFF, (u8) (arg >> 24)); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD2, 0xFF, (u8) (arg >> 16)); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD3, 0xFF, (u8) (arg >> 8)); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD4, 0xFF, (u8) arg); + + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG2, 0xFF, rsp_type); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01, + PINGPONG_BUFFER); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_TRANSFER, 0xFF, + SD_TM_CMD_RSP | SD_TRANSFER_START); + rts51x_add_cmd(chip, CHECK_REG_CMD, SD_TRANSFER, + SD_TRANSFER_END | SD_STAT_IDLE, + SD_TRANSFER_END | SD_STAT_IDLE); + + rts51x_add_cmd(chip, READ_REG_CMD, SD_STAT1, 0, 0); + + if (CHECK_USB(chip, USB_20)) { + if (rsp_type == SD_RSP_TYPE_R2) { + /* Read data from ping-pong buffer */ + for (reg_addr = PPBUF_BASE2; + reg_addr < PPBUF_BASE2 + 16; reg_addr++) { + rts51x_add_cmd(chip, READ_REG_CMD, reg_addr, 0, + 0); + } + len = 18; + } else if (rsp_type != SD_RSP_TYPE_R0) { + /* Read data from SD_CMDx registers */ + for (reg_addr = SD_CMD0; reg_addr <= SD_CMD4; + reg_addr++) { + rts51x_add_cmd(chip, READ_REG_CMD, reg_addr, 0, + 0); + } + len = 7; + } else { + len = 2; + } + } else { + len = 2; + } + + retval = rts51x_send_cmd(chip, MODE_CR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = rts51x_get_rsp(chip, len, timeout); + + if (CHECK_SD_TRANS_FAIL(chip, retval)) { + u8 val; + + rts51x_ep0_read_register(chip, SD_STAT1, &val); + RTS51X_DEBUGP("SD_STAT1: 0x%x\n", val); + + rts51x_ep0_read_register(chip, SD_STAT2, &val); + RTS51X_DEBUGP("SD_STAT2: 0x%x\n", val); + + if (val & SD_RSP_80CLK_TIMEOUT) + sd_set_err_code(chip, SD_RSP_TIMEOUT); + + rts51x_ep0_read_register(chip, SD_BUS_STAT, &val); + RTS51X_DEBUGP("SD_BUS_STAT: 0x%x\n", val); + + if (retval == STATUS_TIMEDOUT) { + if (rsp_type & SD_WAIT_BUSY_END) { + retval = sd_check_data0_status(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } else { + sd_set_err_code(chip, SD_TO_ERR); + } + } + rts51x_clear_sd_error(chip); + + TRACE_RET(chip, STATUS_FAIL); + } + + if (rsp_type == SD_RSP_TYPE_R0) + return STATUS_SUCCESS; + + if (CHECK_USB(chip, USB_20)) { + rts51x_read_rsp_buf(chip, 2, buf, len - 2); + } else { + if (rsp_type == SD_RSP_TYPE_R2) { + reg_addr = PPBUF_BASE2; + len = 16; + } else { + reg_addr = SD_CMD0; + len = 5; + } + retval = rts51x_seq_read_register(chip, reg_addr, + (unsigned short)len, buf); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + stat = chip->rsp_buf[1]; + + /* Check (Start,Transmission) bit of Response */ + if ((buf[0] & 0xC0) != 0) { + sd_set_err_code(chip, SD_STS_ERR); + TRACE_RET(chip, STATUS_FAIL); + } + /* Check CRC7 */ + if (!(rsp_type & SD_NO_CHECK_CRC7)) { + if (stat & SD_CRC7_ERR) { + if (cmd_idx == WRITE_MULTIPLE_BLOCK) { + sd_set_err_code(chip, SD_CRC_ERR); + TRACE_RET(chip, STATUS_FAIL); + } + if (rty_cnt < SD_MAX_RETRY_COUNT) { + wait_timeout(20); + rty_cnt++; + goto RTY_SEND_CMD; + } else { + sd_set_err_code(chip, SD_CRC_ERR); + TRACE_RET(chip, STATUS_FAIL); + } + } + } + /* Check Status */ + if ((rsp_type == SD_RSP_TYPE_R1) || (rsp_type == SD_RSP_TYPE_R1b)) { + if ((cmd_idx != SEND_RELATIVE_ADDR) + && (cmd_idx != SEND_IF_COND)) { + if (cmd_idx != STOP_TRANSMISSION) { + if (buf[1] & 0x80) + TRACE_RET(chip, STATUS_FAIL); + } + if (buf[1] & 0x7F) { + RTS51X_DEBUGP("buf[1]: 0x%02x\n", buf[1]); + TRACE_RET(chip, STATUS_FAIL); + } + if (buf[2] & 0xFF) { + RTS51X_DEBUGP("buf[2]: 0x%02x\n", buf[2]); + TRACE_RET(chip, STATUS_FAIL); + } + if (buf[3] & 0x80) { + RTS51X_DEBUGP("buf[3]: 0x%02x\n", buf[3]); + TRACE_RET(chip, STATUS_FAIL); + } + if (buf[3] & 0x01) { + /* Get "READY_FOR_DATA" bit */ + sd_card->sd_data_buf_ready = 1; + } else { + sd_card->sd_data_buf_ready = 0; + } + } + } + + if (rsp && rsp_len) + memcpy(rsp, buf, rsp_len); + + return STATUS_SUCCESS; +} + +static inline void sd_print_debug_reg(struct rts51x_chip *chip) +{ +#ifdef CONFIG_RTS5139_DEBUG + u8 val = 0; + + rts51x_ep0_read_register(chip, SD_STAT1, &val); + RTS51X_DEBUGP("SD_STAT1: 0x%x\n", val); + rts51x_ep0_read_register(chip, SD_STAT2, &val); + RTS51X_DEBUGP("SD_STAT2: 0x%x\n", val); + rts51x_ep0_read_register(chip, SD_BUS_STAT, &val); + RTS51X_DEBUGP("SD_BUS_STAT: 0x%x\n", val); +#endif +} + +int sd_read_data(struct rts51x_chip *chip, u8 trans_mode, u8 *cmd, int cmd_len, + u16 byte_cnt, u16 blk_cnt, u8 bus_width, u8 *buf, int buf_len, + int timeout) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + int i; + + sd_clr_err_code(chip); + + if (!buf) + buf_len = 0; + + if (buf_len > 512) + /* This function can't read data more than one page */ + TRACE_RET(chip, STATUS_FAIL); + + rts51x_init_cmd(chip); + + if (cmd_len) { + RTS51X_DEBUGP("SD/MMC CMD %d\n", cmd[0] - 0x40); + for (i = 0; i < (cmd_len < 6 ? cmd_len : 6); i++) { + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD0 + i, 0xFF, + cmd[i]); + } + } + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_L, 0xFF, (u8) byte_cnt); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_H, 0xFF, + (u8) (byte_cnt >> 8)); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_L, 0xFF, (u8) blk_cnt); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_H, 0xFF, + (u8) (blk_cnt >> 8)); + + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG1, 0x03, bus_width); + + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG2, 0xFF, + SD_CALCULATE_CRC7 | SD_CHECK_CRC16 | SD_NO_WAIT_BUSY_END + | SD_CHECK_CRC7 | SD_RSP_LEN_6); + if (trans_mode != SD_TM_AUTO_TUNING) { + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01, + PINGPONG_BUFFER); + } + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_TRANSFER, 0xFF, + trans_mode | SD_TRANSFER_START); + rts51x_add_cmd(chip, CHECK_REG_CMD, SD_TRANSFER, SD_TRANSFER_END, + SD_TRANSFER_END); + + retval = rts51x_send_cmd(chip, MODE_CR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = rts51x_get_rsp(chip, 1, timeout); + + if (CHECK_SD_TRANS_FAIL(chip, retval)) { + sd_print_debug_reg(chip); + if (retval == STATUS_TIMEDOUT) { + sd_send_cmd_get_rsp(chip, SEND_STATUS, sd_card->sd_addr, + SD_RSP_TYPE_R1, NULL, 0); + } + + TRACE_RET(chip, STATUS_FAIL); + } + + if (buf && buf_len) { + retval = rts51x_read_ppbuf(chip, buf, buf_len); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + + return STATUS_SUCCESS; +} + +static int sd_write_data(struct rts51x_chip *chip, u8 trans_mode, + u8 *cmd, int cmd_len, u16 byte_cnt, u16 blk_cnt, + u8 bus_width, u8 *buf, int buf_len, int timeout) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + int i; + + sd_clr_err_code(chip); + + if (!buf) + buf_len = 0; + + /* This function can't write data more than one page */ + if (buf_len > 512) + TRACE_RET(chip, STATUS_FAIL); + + if (buf && buf_len) { + retval = rts51x_write_ppbuf(chip, buf, buf_len); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + + rts51x_init_cmd(chip); + + if (cmd_len) { + RTS51X_DEBUGP("SD/MMC CMD %d\n", cmd[0] - 0x40); + for (i = 0; i < (cmd_len < 6 ? cmd_len : 6); i++) { + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD0 + i, 0xFF, + cmd[i]); + } + } + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_L, 0xFF, (u8) byte_cnt); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_H, 0xFF, + (u8) (byte_cnt >> 8)); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_L, 0xFF, (u8) blk_cnt); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_H, 0xFF, + (u8) (blk_cnt >> 8)); + + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG1, 0x03, bus_width); + + if (cmd_len) { + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG2, 0xFF, + SD_CALCULATE_CRC7 | SD_CHECK_CRC16 | + SD_WAIT_BUSY_END | SD_CHECK_CRC7 | SD_RSP_LEN_6); + + } else { + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG2, 0xFF, + SD_CALCULATE_CRC7 | SD_CHECK_CRC16 | + SD_NO_WAIT_BUSY_END | SD_CHECK_CRC7 | + SD_RSP_LEN_6); + } + + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_TRANSFER, 0xFF, + trans_mode | SD_TRANSFER_START); + rts51x_add_cmd(chip, CHECK_REG_CMD, SD_TRANSFER, SD_TRANSFER_END, + SD_TRANSFER_END); + + retval = rts51x_send_cmd(chip, MODE_CR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = rts51x_get_rsp(chip, 1, timeout); + + if (CHECK_SD_TRANS_FAIL(chip, retval)) { + sd_print_debug_reg(chip); + + if (retval == STATUS_TIMEDOUT) + sd_send_cmd_get_rsp(chip, SEND_STATUS, sd_card->sd_addr, + SD_RSP_TYPE_R1, NULL, 0); + + TRACE_RET(chip, STATUS_FAIL); + } + + return STATUS_SUCCESS; +} + +static int sd_check_csd(struct rts51x_chip *chip, char check_wp) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + int i; + u8 csd_ver, trans_speed; + u8 rsp[16]; + + for (i = 0; i < 6; i++) { + if (monitor_card_cd(chip, SD_CARD) == CD_NOT_EXIST) { + sd_set_reset_fail(chip, SD_RESET_FAIL); + TRACE_RET(chip, STATUS_FAIL); + } + + retval = + sd_send_cmd_get_rsp(chip, SEND_CSD, sd_card->sd_addr, + SD_RSP_TYPE_R2, rsp, 16); + if (retval == STATUS_SUCCESS) + break; + } + + if (i == 6) + TRACE_RET(chip, STATUS_FAIL); + memcpy(sd_card->raw_csd, rsp + 1, 15); + /* Get CRC7 */ + RTS51X_READ_REG(chip, SD_CMD5, sd_card->raw_csd + 15); + + RTS51X_DEBUGP("CSD Response:\n"); + RTS51X_DUMP(rsp, 16); + + /* Get CSD Version */ + csd_ver = (rsp[1] & 0xc0) >> 6; + RTS51X_DEBUGP("csd_ver = %d\n", csd_ver); + + trans_speed = rsp[4]; + if ((trans_speed & 0x07) == 0x02) { /* 10Mbits/s */ + if ((trans_speed & 0xf8) >= 0x30) { /* >25Mbits/s */ + if (chip->asic_code) + sd_card->sd_clock = 46; + else + sd_card->sd_clock = CLK_50; + } else if ((trans_speed & 0xf8) == 0x28) { /* 20Mbits/s */ + if (chip->asic_code) + sd_card->sd_clock = 39; + else + sd_card->sd_clock = CLK_40; + } else if ((trans_speed & 0xf8) == 0x20) { /* 15Mbits/s */ + if (chip->asic_code) + sd_card->sd_clock = 29; + else + sd_card->sd_clock = CLK_30; + } else if ((trans_speed & 0xf8) >= 0x10) { /* 12Mbits/s */ + if (chip->asic_code) + sd_card->sd_clock = 23; + else + sd_card->sd_clock = CLK_20; + } else if ((trans_speed & 0x08) >= 0x08) { /* 10Mbits/s */ + if (chip->asic_code) + sd_card->sd_clock = 19; + else + sd_card->sd_clock = CLK_20; + } /*else { */ + /*If this ,then slow card will use 30M clock */ + /* TRACE_RET(chip, STATUS_FAIL); */ + /* } */ + } + /*else { + TRACE_RET(chip, STATUS_FAIL); + } */ + if (CHK_MMC_SECTOR_MODE(sd_card)) { + sd_card->capacity = 0; + } else { + /* For High-Capacity Card, CSD_STRUCTURE always be "0x1" */ + if ((!CHK_SD_HCXC(sd_card)) || (csd_ver == 0)) { + /* Calculate total sector according to C_SIZE, + * C_SIZE_MULT & READ_BL_LEN */ + u8 blk_size, c_size_mult; + u16 c_size; + /* Get READ_BL_LEN */ + blk_size = rsp[6] & 0x0F; + /* Get C_SIZE */ + c_size = ((u16) (rsp[7] & 0x03) << 10) + + ((u16) rsp[8] << 2) + + ((u16) (rsp[9] & 0xC0) >> 6); + /* Get C_SIZE_MUL */ + c_size_mult = (u8) ((rsp[10] & 0x03) << 1); + c_size_mult += (rsp[11] & 0x80) >> 7; + /* Calculate total Capacity */ + sd_card->capacity = + (((u32) (c_size + 1)) * + (1 << (c_size_mult + 2))) << (blk_size - 9); + } else { + /* High Capacity Card and Use CSD2.0 Version */ + u32 total_sector = 0; + total_sector = (((u32) rsp[8] & 0x3f) << 16) | + ((u32) rsp[9] << 8) | (u32) rsp[10]; + /* Total Capacity= (C_SIZE+1) * + * 512K Byte = (C_SIZE+1)K Sector,1K = 1024 Bytes */ + sd_card->capacity = (total_sector + 1) << 10; + } + } + + /* We need check Write-Protected Status by Field PERM WP or TEMP WP */ + if (check_wp) { + if (rsp[15] & 0x30) + chip->card_wp |= SD_CARD; + RTS51X_DEBUGP("CSD WP Status: 0x%x\n", rsp[15]); + } + + return STATUS_SUCCESS; +} + +static int sd_set_sample_push_timing(struct rts51x_chip *chip) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + + rts51x_init_cmd(chip); + + if (CHK_SD_SDR104(sd_card) || CHK_SD_SDR50(sd_card)) { + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG1, + 0x0C | SD_ASYNC_FIFO_RST, + SD_30_MODE | SD_ASYNC_FIFO_RST); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_CLK_SOURCE, 0xFF, + CRC_VAR_CLK0 | SD30_FIX_CLK | SAMPLE_VAR_CLK1); + } else if (CHK_SD_DDR50(sd_card) || CHK_MMC_DDR52(sd_card)) { + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG1, + 0x0C | SD_ASYNC_FIFO_RST, + SD_DDR_MODE | SD_ASYNC_FIFO_RST); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_CLK_SOURCE, 0xFF, + CRC_VAR_CLK0 | SD30_FIX_CLK | SAMPLE_VAR_CLK1); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_PUSH_POINT_CTL, + DDR_VAR_TX_CMD_DAT, DDR_VAR_TX_CMD_DAT); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_SAMPLE_POINT_CTL, + DDR_VAR_RX_DAT | DDR_VAR_RX_CMD, + DDR_VAR_RX_DAT | DDR_VAR_RX_CMD); + } else { + u8 val = 0; + + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG1, 0x0C, SD_20_MODE); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_CLK_SOURCE, 0xFF, + CRC_FIX_CLK | SD30_VAR_CLK0 | SAMPLE_VAR_CLK1); + + if ((chip->option.sd_ctl & SD_PUSH_POINT_CTL_MASK) == + SD_PUSH_POINT_AUTO) { + val = SD20_TX_NEG_EDGE; + } else if ((chip->option.sd_ctl & SD_PUSH_POINT_CTL_MASK) == + SD_PUSH_POINT_DELAY) { + val = SD20_TX_14_AHEAD; + } else { + val = SD20_TX_NEG_EDGE; + } + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_PUSH_POINT_CTL, + SD20_TX_SEL_MASK, val); + + if ((chip->option.sd_ctl & SD_SAMPLE_POINT_CTL_MASK) == + SD_SAMPLE_POINT_AUTO) { + if (chip->asic_code) { + if (CHK_SD_HS(sd_card) || CHK_MMC_52M(sd_card)) + val = SD20_RX_14_DELAY; + else + val = SD20_RX_POS_EDGE; + } else { + val = SD20_RX_14_DELAY; + } + } else if ((chip->option.sd_ctl & SD_SAMPLE_POINT_CTL_MASK) == + SD_SAMPLE_POINT_DELAY) { + val = SD20_RX_14_DELAY; + } else { + val = SD20_RX_POS_EDGE; + } + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_SAMPLE_POINT_CTL, + SD20_RX_SEL_MASK, val); + } + + if (CHK_MMC_DDR52(sd_card) && CHK_MMC_8BIT(sd_card)) { + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DMA1_CTL, + EXTEND_DMA1_ASYNC_SIGNAL, 0); + } + + retval = rts51x_send_cmd(chip, MODE_C, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + return STATUS_SUCCESS; +} + +static void sd_choose_proper_clock(struct rts51x_chip *chip) +{ + struct sd_info *sd_card = &(chip->sd_card); + + if (CHK_SD_SDR104(sd_card)) { + if (chip->asic_code) + sd_card->sd_clock = chip->option.asic_sd_sdr104_clk; + else + sd_card->sd_clock = chip->option.fpga_sd_sdr104_clk; + } else if (CHK_SD_DDR50(sd_card)) { + if (chip->asic_code) + sd_card->sd_clock = chip->option.asic_sd_ddr50_clk; + else + sd_card->sd_clock = chip->option.fpga_sd_ddr50_clk; + } else if (CHK_SD_SDR50(sd_card)) { + if (chip->asic_code) + sd_card->sd_clock = chip->option.asic_sd_sdr50_clk; + else + sd_card->sd_clock = chip->option.fpga_sd_sdr50_clk; + } else if (CHK_SD_HS(sd_card)) { + if (chip->asic_code) + sd_card->sd_clock = chip->option.asic_sd_hs_clk; + else + sd_card->sd_clock = chip->option.fpga_sd_hs_clk; + } else if (CHK_MMC_52M(sd_card) || CHK_MMC_DDR52(sd_card)) { + if (chip->asic_code) + sd_card->sd_clock = chip->option.asic_mmc_52m_clk; + else + sd_card->sd_clock = chip->option.fpga_mmc_52m_clk; + } else if (CHK_MMC_26M(sd_card)) { + if (chip->asic_code) { + sd_card->sd_clock = 46; + RTS51X_DEBUGP("Set MMC clock to 22.5MHz\n"); + } else { + sd_card->sd_clock = CLK_50; + } + } +} + +static int sd_set_init_para(struct rts51x_chip *chip) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + + retval = sd_set_sample_push_timing(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + sd_choose_proper_clock(chip); + + retval = switch_clock(chip, sd_card->sd_clock); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + return STATUS_SUCCESS; +} + +int rts51x_sd_select_card(struct rts51x_chip *chip, int select) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + u8 cmd_idx, cmd_type; + u32 addr; + + if (select) { + cmd_idx = SELECT_CARD; + cmd_type = SD_RSP_TYPE_R1; + addr = sd_card->sd_addr; + } else { + cmd_idx = DESELECT_CARD; + cmd_type = SD_RSP_TYPE_R0; + addr = 0; + } + + retval = sd_send_cmd_get_rsp(chip, cmd_idx, addr, cmd_type, NULL, 0); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + return STATUS_SUCCESS; +} + +static int sd_wait_currentstate_dataready(struct rts51x_chip *chip, u8 statechk, + u8 rdychk, u16 pollingcnt) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + u8 rsp[5]; + u16 i; + + for (i = 0; i < pollingcnt; i++) { + + retval = + sd_send_cmd_get_rsp(chip, SEND_STATUS, sd_card->sd_addr, + SD_RSP_TYPE_R1, rsp, 5); + if (retval == STATUS_SUCCESS) { + if (((rsp[3] & 0x1E) == statechk) + && ((rsp[3] & 0x01) == rdychk)) { + return STATUS_SUCCESS; + } + } else { + rts51x_clear_sd_error(chip); + TRACE_RET(chip, STATUS_FAIL); + } + } + + return STATUS_TIMEDOUT; +} + +static int sd_voltage_switch(struct rts51x_chip *chip) +{ + int retval; + u8 stat; + + RTS51X_WRITE_REG(chip, SD_BUS_STAT, + SD_CLK_TOGGLE_EN | SD_CLK_FORCE_STOP, + SD_CLK_TOGGLE_EN); + + retval = + sd_send_cmd_get_rsp(chip, VOLTAGE_SWITCH, 0, SD_RSP_TYPE_R1, NULL, + 0); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + RTS51X_READ_REG(chip, SD_BUS_STAT, &stat); + if (stat & (SD_CMD_STATUS | SD_DAT3_STATUS | SD_DAT2_STATUS | + SD_DAT1_STATUS | SD_DAT0_STATUS)) + TRACE_RET(chip, STATUS_FAIL); + + rts51x_init_cmd(chip); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BUS_STAT, 0xFF, + SD_CLK_FORCE_STOP); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_PAD_CTL, SD_IO_USING_1V8, + SD_IO_USING_1V8); + if (chip->asic_code) + rts51x_add_cmd(chip, WRITE_REG_CMD, LDO_POWER_CFG, + TUNE_SD18_MASK, TUNE_SD18_1V8); + retval = rts51x_send_cmd(chip, MODE_C, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + wait_timeout(chip->option.D3318_off_delay); + + RTS51X_WRITE_REG(chip, SD_BUS_STAT, 0xFF, SD_CLK_TOGGLE_EN); + wait_timeout(10); + + RTS51X_READ_REG(chip, SD_BUS_STAT, &stat); + if ((stat & (SD_CMD_STATUS | SD_DAT3_STATUS | SD_DAT2_STATUS | + SD_DAT1_STATUS | SD_DAT0_STATUS)) != + (SD_CMD_STATUS | SD_DAT3_STATUS | SD_DAT2_STATUS | + SD_DAT1_STATUS | SD_DAT0_STATUS)) { + rts51x_init_cmd(chip); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BUS_STAT, 0xFF, + SD_CLK_FORCE_STOP); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_CLK_EN, 0xFF, 0); + rts51x_send_cmd(chip, MODE_C, 100); + TRACE_RET(chip, STATUS_FAIL); + } + RTS51X_WRITE_REG(chip, SD_BUS_STAT, + SD_CLK_TOGGLE_EN | SD_CLK_FORCE_STOP, 0); + + return STATUS_SUCCESS; +} + +static int sd_change_phase(struct rts51x_chip *chip, u8 sample_point, + u8 tune_dir) +{ + u16 SD_VP_CTL, SD_DCMPS_CTL; + u8 val; + int retval; + + RTS51X_DEBUGP("sd_change_phase (sample_point = %d, tune_dir = %d)\n", + sample_point, tune_dir); + + if (tune_dir == TUNE_RX) { + SD_VP_CTL = SD_VPCLK1_CTL; + SD_DCMPS_CTL = SD_DCMPS1_CTL; + } else { + SD_VP_CTL = SD_VPCLK0_CTL; + SD_DCMPS_CTL = SD_DCMPS0_CTL; + } + + if (chip->asic_code) { + RTS51X_WRITE_REG(chip, CLK_DIV, CLK_CHANGE, CLK_CHANGE); + RTS51X_WRITE_REG(chip, SD_VP_CTL, 0x1F, sample_point); + RTS51X_WRITE_REG(chip, SD_VPCLK0_CTL, PHASE_NOT_RESET, 0); + RTS51X_WRITE_REG(chip, SD_VPCLK0_CTL, PHASE_NOT_RESET, + PHASE_NOT_RESET); + RTS51X_WRITE_REG(chip, CLK_DIV, CLK_CHANGE, 0); + } else { +#ifdef CONFIG_RTS5139_DEBUG + RTS51X_READ_REG(chip, SD_VP_CTL, &val); + RTS51X_DEBUGP("SD_VP_CTL: 0x%x\n", val); + RTS51X_READ_REG(chip, SD_DCMPS_CTL, &val); + RTS51X_DEBUGP("SD_DCMPS_CTL: 0x%x\n", val); +#endif + + RTS51X_WRITE_REG(chip, CLK_DIV, CLK_CHANGE, CLK_CHANGE); + udelay(100); + RTS51X_WRITE_REG(chip, SD_VP_CTL, 0xFF, + PHASE_NOT_RESET | sample_point); + udelay(200); + + rts51x_init_cmd(chip); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_DCMPS_CTL, DCMPS_CHANGE, + DCMPS_CHANGE); + rts51x_add_cmd(chip, CHECK_REG_CMD, SD_DCMPS_CTL, + DCMPS_CHANGE_DONE, DCMPS_CHANGE_DONE); + retval = rts51x_send_cmd(chip, MODE_CR, 100); + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, Fail); + + retval = rts51x_get_rsp(chip, 1, 500); + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, Fail); + + val = chip->rsp_buf[0]; + if (val & DCMPS_ERROR) + TRACE_GOTO(chip, Fail); + if ((val & DCMPS_CURRENT_PHASE) != sample_point) + TRACE_GOTO(chip, Fail); + RTS51X_WRITE_REG(chip, SD_DCMPS_CTL, DCMPS_CHANGE, 0); + RTS51X_WRITE_REG(chip, CLK_DIV, CLK_CHANGE, 0); + udelay(100); + } + + RTS51X_WRITE_REG(chip, SD_CFG1, SD_ASYNC_FIFO_RST, 0); + + return STATUS_SUCCESS; + +Fail: +#ifdef CONFIG_RTS5139_DEBUG + rts51x_ep0_read_register(chip, SD_VP_CTL, &val); + RTS51X_DEBUGP("SD_VP_CTL: 0x%x\n", val); + rts51x_ep0_read_register(chip, SD_DCMPS_CTL, &val); + RTS51X_DEBUGP("SD_DCMPS_CTL: 0x%x\n", val); +#endif + + RTS51X_WRITE_REG(chip, SD_DCMPS_CTL, DCMPS_CHANGE, 0); + RTS51X_WRITE_REG(chip, SD_VP_CTL, PHASE_CHANGE, 0); + wait_timeout(10); + + return STATUS_FAIL; +} + +static int sd_check_spec(struct rts51x_chip *chip, u8 bus_width) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + u8 cmd[5], buf[8]; + + retval = + sd_send_cmd_get_rsp(chip, APP_CMD, sd_card->sd_addr, SD_RSP_TYPE_R1, + NULL, 0); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, STATUS_FAIL); + + cmd[0] = 0x40 | SEND_SCR; + cmd[1] = 0; + cmd[2] = 0; + cmd[3] = 0; + cmd[4] = 0; + + retval = + sd_read_data(chip, SD_TM_NORMAL_READ, cmd, 5, 8, 1, bus_width, buf, + 8, 250); + if (retval != STATUS_SUCCESS) { + rts51x_clear_sd_error(chip); + TRACE_RET(chip, retval); + } + + memcpy(sd_card->raw_scr, buf, 8); + + if ((buf[0] & 0x0F) == 0) + TRACE_RET(chip, STATUS_FAIL); + + return STATUS_SUCCESS; +} + +static int sd_query_switch_result(struct rts51x_chip *chip, u8 func_group, + u8 func_to_switch, u8 *buf, int buf_len) +{ + u8 support_mask = 0, query_switch = 0, switch_busy = 0; + int support_offset = 0, query_switch_offset = 0, check_busy_offset = 0; + + if (func_group == SD_FUNC_GROUP_1) { + support_offset = FUNCTION_GROUP1_SUPPORT_OFFSET; + query_switch_offset = FUNCTION_GROUP1_QUERY_SWITCH_OFFSET; + check_busy_offset = FUNCTION_GROUP1_CHECK_BUSY_OFFSET; + + switch (func_to_switch) { + case HS_SUPPORT: + support_mask = HS_SUPPORT_MASK; + query_switch = HS_QUERY_SWITCH_OK; + switch_busy = HS_SWITCH_BUSY; + break; + + case SDR50_SUPPORT: + support_mask = SDR50_SUPPORT_MASK; + query_switch = SDR50_QUERY_SWITCH_OK; + switch_busy = SDR50_SWITCH_BUSY; + break; + + case SDR104_SUPPORT: + support_mask = SDR104_SUPPORT_MASK; + query_switch = SDR104_QUERY_SWITCH_OK; + switch_busy = SDR104_SWITCH_BUSY; + break; + + case DDR50_SUPPORT: + support_mask = DDR50_SUPPORT_MASK; + query_switch = DDR50_QUERY_SWITCH_OK; + switch_busy = DDR50_SWITCH_BUSY; + break; + + default: + TRACE_RET(chip, STATUS_FAIL); + } + } else if (func_group == SD_FUNC_GROUP_3) { + support_offset = FUNCTION_GROUP3_SUPPORT_OFFSET; + query_switch_offset = FUNCTION_GROUP3_QUERY_SWITCH_OFFSET; + check_busy_offset = FUNCTION_GROUP3_CHECK_BUSY_OFFSET; + + switch (func_to_switch) { + case DRIVING_TYPE_A: + support_mask = DRIVING_TYPE_A_MASK; + query_switch = TYPE_A_QUERY_SWITCH_OK; + switch_busy = TYPE_A_SWITCH_BUSY; + break; + + case DRIVING_TYPE_C: + support_mask = DRIVING_TYPE_C_MASK; + query_switch = TYPE_C_QUERY_SWITCH_OK; + switch_busy = TYPE_C_SWITCH_BUSY; + break; + + case DRIVING_TYPE_D: + support_mask = DRIVING_TYPE_D_MASK; + query_switch = TYPE_D_QUERY_SWITCH_OK; + switch_busy = TYPE_D_SWITCH_BUSY; + break; + + default: + TRACE_RET(chip, STATUS_FAIL); + } + } else if (func_group == SD_FUNC_GROUP_4) { + support_offset = FUNCTION_GROUP4_SUPPORT_OFFSET; + query_switch_offset = FUNCTION_GROUP4_QUERY_SWITCH_OFFSET; + check_busy_offset = FUNCTION_GROUP4_CHECK_BUSY_OFFSET; + + switch (func_to_switch) { + case CURRENT_LIMIT_400: + support_mask = CURRENT_LIMIT_400_MASK; + query_switch = CURRENT_LIMIT_400_QUERY_SWITCH_OK; + switch_busy = CURRENT_LIMIT_400_SWITCH_BUSY; + break; + + case CURRENT_LIMIT_600: + support_mask = CURRENT_LIMIT_600_MASK; + query_switch = CURRENT_LIMIT_600_QUERY_SWITCH_OK; + switch_busy = CURRENT_LIMIT_600_SWITCH_BUSY; + break; + + case CURRENT_LIMIT_800: + support_mask = CURRENT_LIMIT_800_MASK; + query_switch = CURRENT_LIMIT_800_QUERY_SWITCH_OK; + switch_busy = CURRENT_LIMIT_800_SWITCH_BUSY; + break; + + default: + TRACE_RET(chip, STATUS_FAIL); + } + } else { + TRACE_RET(chip, STATUS_FAIL); + } + + if (func_group == SD_FUNC_GROUP_4) + buf[query_switch_offset] = + (buf[query_switch_offset] & 0xf0) >> 4; + if (!(buf[support_offset] & support_mask) || + ((buf[query_switch_offset] & 0x0F) != query_switch)) + TRACE_RET(chip, STATUS_FAIL); + + if ((buf[DATA_STRUCTURE_VER_OFFSET] == 0x01) && + ((buf[check_busy_offset] & switch_busy) == switch_busy)) + TRACE_RET(chip, STATUS_FAIL); + + return STATUS_SUCCESS; +} + +static int sd_check_switch_mode(struct rts51x_chip *chip, u8 mode, + u8 func_group, u8 func_to_switch, u8 bus_width) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + u8 cmd[5], buf[64]; + + RTS51X_DEBUGP("sd_check_switch_mode (mode = %d, func_group = %d," + "func_to_switch = %d)\n", mode, func_group, func_to_switch); + + cmd[0] = 0x40 | SWITCH; + cmd[1] = mode; + + if (func_group == SD_FUNC_GROUP_1) { + cmd[2] = 0xFF; + cmd[3] = 0xFF; + cmd[4] = 0xF0 + func_to_switch; + } else if (func_group == SD_FUNC_GROUP_3) { + cmd[2] = 0xFF; + cmd[3] = 0xF0 + func_to_switch; + cmd[4] = 0xFF; + } else if (func_group == SD_FUNC_GROUP_4) { + cmd[2] = 0xFF; + cmd[3] = 0x0F + (func_to_switch << 4); + cmd[4] = 0xFF; + } else { + cmd[1] = SD_CHECK_MODE; + cmd[2] = 0xFF; + cmd[3] = 0xFF; + cmd[4] = 0xFF; + } + + retval = + sd_read_data(chip, SD_TM_NORMAL_READ, cmd, 5, 64, 1, bus_width, buf, + 64, 250); + if (retval != STATUS_SUCCESS) { + rts51x_clear_sd_error(chip); + TRACE_RET(chip, retval); + } + + if (func_group == NO_ARGUMENT) { + sd_card->func_group1_mask = buf[0x0D]; + sd_card->func_group2_mask = buf[0x0B]; + sd_card->func_group3_mask = buf[0x09]; + sd_card->func_group4_mask = buf[0x07]; + + RTS51X_DEBUGP("func_group1_mask = 0x%02x\n", buf[0x0D]); + RTS51X_DEBUGP("func_group2_mask = 0x%02x\n", buf[0x0B]); + RTS51X_DEBUGP("func_group3_mask = 0x%02x\n", buf[0x09]); + RTS51X_DEBUGP("func_group4_mask = 0x%02x\n", buf[0x07]); + } else { + if ((buf[0] == 0) && (buf[1] == 0)) + TRACE_RET(chip, STATUS_FAIL); + retval = + sd_query_switch_result(chip, func_group, func_to_switch, + buf, 64); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + + return STATUS_SUCCESS; +} + +static int sd_check_switch(struct rts51x_chip *chip, + u8 func_group, u8 func_to_switch, u8 bus_width) +{ + int retval; + int i; + int switch_good = 0; + + for (i = 0; i < 3; i++) { + if (monitor_card_cd(chip, SD_CARD) == CD_NOT_EXIST) { + sd_set_reset_fail(chip, SD_RESET_FAIL); + TRACE_RET(chip, STATUS_FAIL); + } + + retval = sd_check_switch_mode(chip, SD_CHECK_MODE, func_group, + func_to_switch, bus_width); + if (retval == STATUS_SUCCESS) { + u8 stat; + + retval = sd_check_switch_mode(chip, SD_SWITCH_MODE, + func_group, func_to_switch, bus_width); + if (retval == STATUS_SUCCESS) { + switch_good = 1; + break; + } + + RTS51X_READ_REG(chip, SD_STAT1, &stat); + + if (stat & SD_CRC16_ERR) { + RTS51X_DEBUGP("SD CRC16 error when switching" + "mode\n"); + TRACE_RET(chip, STATUS_FAIL); + } + } + + wait_timeout(20); + } + + if (!switch_good) + TRACE_RET(chip, STATUS_FAIL); + + return STATUS_SUCCESS; +} + +static int sd_switch_function(struct rts51x_chip *chip, u8 bus_width) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + int i; + u8 func_to_switch = 0; + + /* Get supported functions */ + retval = sd_check_switch_mode(chip, SD_CHECK_MODE, + NO_ARGUMENT, NO_ARGUMENT, bus_width); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + sd_card->func_group1_mask &= ~(sd_card->sd_switch_fail); + + for (i = 0; i < 4; i++) { + switch ((u8) (chip->option.sd_speed_prior >> (i * 8))) { + case DDR50_SUPPORT: + if ((sd_card->func_group1_mask & DDR50_SUPPORT_MASK) + && (CHECK_UHS50(chip))) + func_to_switch = DDR50_SUPPORT; + break; + + case SDR50_SUPPORT: + if ((sd_card->func_group1_mask & SDR50_SUPPORT_MASK) + && (CHECK_UHS50(chip))) + func_to_switch = SDR50_SUPPORT; + break; + + case HS_SUPPORT: + if (sd_card->func_group1_mask & HS_SUPPORT_MASK) + func_to_switch = HS_SUPPORT; + break; + + default: + continue; + } + + if (func_to_switch) + break; + } + RTS51X_DEBUGP("SD_FUNC_GROUP_1: func_to_switch = 0x%02x", + func_to_switch); + + if (func_to_switch) { + retval = + sd_check_switch(chip, SD_FUNC_GROUP_1, func_to_switch, + bus_width); + if (retval != STATUS_SUCCESS) { + if (func_to_switch == SDR104_SUPPORT) + sd_card->sd_switch_fail = SDR104_SUPPORT_MASK; + else if (func_to_switch == DDR50_SUPPORT) + sd_card->sd_switch_fail = DDR50_SUPPORT_MASK; + else if (func_to_switch == SDR50_SUPPORT) + sd_card->sd_switch_fail = SDR50_SUPPORT_MASK; + else if (func_to_switch == HS_SUPPORT) + sd_card->sd_switch_fail = HS_SUPPORT_MASK; + + TRACE_RET(chip, retval); + } + + if (func_to_switch == SDR104_SUPPORT) + SET_SD_SDR104(sd_card); + else if (func_to_switch == DDR50_SUPPORT) + SET_SD_DDR50(sd_card); + else if (func_to_switch == SDR50_SUPPORT) + SET_SD_SDR50(sd_card); + else + SET_SD_HS(sd_card); + } + + if (CHK_SD_DDR50(sd_card)) + RTS51X_WRITE_REG(chip, SD_CFG1, 0x0C, SD_DDR_MODE); + + func_to_switch = 0; + if (sd_card->func_group4_mask & CURRENT_LIMIT_400_MASK) + func_to_switch = CURRENT_LIMIT_400; + + if (func_to_switch) { + RTS51X_DEBUGP("Try to switch current_limit_400\n"); + retval = + sd_check_switch(chip, SD_FUNC_GROUP_4, func_to_switch, + bus_width); + RTS51X_DEBUGP("Switch current_limit_400 status: (%d)\n", + retval); + } + + return STATUS_SUCCESS; +} + +static int sd_wait_data_idle(struct rts51x_chip *chip) +{ + int retval = STATUS_TIMEDOUT; + int i; + u8 val = 0; + + for (i = 0; i < 100; i++) { + retval = rts51x_ep0_read_register(chip, SD_DATA_STATE, &val); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, STATUS_FAIL); + if (val & SD_DATA_IDLE) { + retval = STATUS_SUCCESS; + break; + } + udelay(100); + } + RTS51X_DEBUGP("SD_DATA_STATE: 0x%02x\n", val); + + return retval; +} + +static int sd_sdr_tuning_rx_cmd(struct rts51x_chip *chip, u8 sample_point) +{ + int retval; + u8 cmd[5]; + + retval = sd_change_phase(chip, sample_point, TUNE_RX); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + cmd[0] = 0x40 | SEND_TUNING_PATTERN; + cmd[1] = 0; + cmd[2] = 0; + cmd[3] = 0; + cmd[4] = 0; + + retval = sd_read_data(chip, SD_TM_AUTO_TUNING, + cmd, 5, 0x40, 1, SD_BUS_WIDTH_4, NULL, 0, 100); + if (retval != STATUS_SUCCESS) { + /* Wait till SD DATA IDLE */ + (void)sd_wait_data_idle(chip); + + rts51x_clear_sd_error(chip); + TRACE_RET(chip, STATUS_FAIL); + } + + return STATUS_SUCCESS; +} + +static int sd_ddr_tuning_rx_cmd(struct rts51x_chip *chip, u8 sample_point) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + u8 cmd[5]; + + retval = sd_change_phase(chip, sample_point, TUNE_RX); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + RTS51X_DEBUGP("sd ddr tuning rx\n"); + + retval = + sd_send_cmd_get_rsp(chip, APP_CMD, sd_card->sd_addr, SD_RSP_TYPE_R1, + NULL, 0); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + cmd[0] = 0x40 | SD_STATUS; + cmd[1] = 0; + cmd[2] = 0; + cmd[3] = 0; + cmd[4] = 0; + + retval = sd_read_data(chip, SD_TM_NORMAL_READ, + cmd, 5, 64, 1, SD_BUS_WIDTH_4, NULL, 0, 100); + if (retval != STATUS_SUCCESS) { + /* Wait till SD DATA IDLE */ + (void)sd_wait_data_idle(chip); + + rts51x_clear_sd_error(chip); + TRACE_RET(chip, STATUS_FAIL); + } + + return STATUS_SUCCESS; +} + +static int mmc_ddr_tunning_rx_cmd(struct rts51x_chip *chip, u8 sample_point) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + u8 cmd[5], bus_width; + + if (CHK_MMC_8BIT(sd_card)) + bus_width = SD_BUS_WIDTH_8; + else if (CHK_MMC_4BIT(sd_card)) + bus_width = SD_BUS_WIDTH_4; + else + bus_width = SD_BUS_WIDTH_1; + + retval = sd_change_phase(chip, sample_point, TUNE_RX); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + RTS51X_DEBUGP("mmc ddr tuning rx\n"); + + cmd[0] = 0x40 | SEND_EXT_CSD; + cmd[1] = 0; + cmd[2] = 0; + cmd[3] = 0; + cmd[4] = 0; + + retval = sd_read_data(chip, SD_TM_NORMAL_READ, + cmd, 5, 0x200, 1, bus_width, NULL, 0, 100); + if (retval != STATUS_SUCCESS) { + /* Wait till SD DATA IDLE */ + (void)sd_wait_data_idle(chip); + + rts51x_clear_sd_error(chip); + TRACE_RET(chip, STATUS_FAIL); + } + + return STATUS_SUCCESS; +} + +static int sd_sdr_tuning_tx_cmd(struct rts51x_chip *chip, u8 sample_point) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + + retval = sd_change_phase(chip, sample_point, TUNE_TX); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + RTS51X_WRITE_REG(chip, SD_CFG3, SD_RSP_80CLK_TIMEOUT_EN, + SD_RSP_80CLK_TIMEOUT_EN); + + retval = sd_send_cmd_get_rsp(chip, SEND_STATUS, sd_card->sd_addr, + SD_RSP_TYPE_R1, NULL, 0); + if (retval != STATUS_SUCCESS) { + if (sd_check_err_code(chip, SD_RSP_TIMEOUT)) { + /* Tunning TX fail */ + rts51x_ep0_write_register(chip, SD_CFG3, + SD_RSP_80CLK_TIMEOUT_EN, 0); + TRACE_RET(chip, STATUS_FAIL); + } + } + + RTS51X_WRITE_REG(chip, SD_CFG3, SD_RSP_80CLK_TIMEOUT_EN, 0); + + return STATUS_SUCCESS; +} + +static int sd_ddr_tuning_tx_cmd(struct rts51x_chip *chip, u8 sample_point) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + u8 cmd[5], bus_width; + + retval = sd_change_phase(chip, sample_point, TUNE_TX); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (CHK_SD(sd_card)) { + bus_width = SD_BUS_WIDTH_4; + } else { + if (CHK_MMC_8BIT(sd_card)) + bus_width = SD_BUS_WIDTH_8; + else if (CHK_MMC_4BIT(sd_card)) + bus_width = SD_BUS_WIDTH_4; + else + bus_width = SD_BUS_WIDTH_1; + } + retval = sd_wait_currentstate_dataready(chip, 0x08, 1, 20); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, STATUS_FAIL); + + RTS51X_WRITE_REG(chip, SD_CFG3, SD_RSP_80CLK_TIMEOUT_EN, + SD_RSP_80CLK_TIMEOUT_EN); + + cmd[0] = 0x40 | PROGRAM_CSD; + cmd[1] = 0; + cmd[2] = 0; + cmd[3] = 0; + cmd[4] = 0; + + retval = sd_write_data(chip, SD_TM_AUTO_WRITE_2, + cmd, 5, 16, 1, bus_width, sd_card->raw_csd, 16, 100); + if (retval != STATUS_SUCCESS) { + rts51x_clear_sd_error(chip); + /* Tunning TX fail */ + rts51x_ep0_write_register(chip, SD_CFG3, + SD_RSP_80CLK_TIMEOUT_EN, 0); + TRACE_RET(chip, STATUS_FAIL); + } + + RTS51X_WRITE_REG(chip, SD_CFG3, SD_RSP_80CLK_TIMEOUT_EN, 0); + + sd_send_cmd_get_rsp(chip, SEND_STATUS, sd_card->sd_addr, SD_RSP_TYPE_R1, + NULL, 0); + + return STATUS_SUCCESS; +} + +static u8 sd_search_final_phase(struct rts51x_chip *chip, u32 phase_map, + u8 tune_dir) +{ + struct sd_info *sd_card = &(chip->sd_card); + struct timing_phase_path path[MAX_PHASE + 1]; + int i, j, cont_path_cnt; + int new_block, max_len; + u8 final_phase = 0xFF; + int final_path_idx; + + if (phase_map == 0xffff) { + if (CHK_SD_DDR50(sd_card)) { + if (tune_dir == TUNE_TX) + final_phase = chip->option.ddr50_tx_phase; + else + final_phase = chip->option.ddr50_rx_phase; + RTS51X_DEBUGP("DDR50 tuning dir:%d all pass," + "so select default phase:0x%x.\n", + tune_dir, final_phase); + } else { + if (tune_dir == TUNE_TX) + final_phase = chip->option.sdr50_tx_phase; + else + final_phase = chip->option.sdr50_rx_phase; + RTS51X_DEBUGP("SDR50 tuning dir:%d all pass," + "so select default phase:0x%x.\n", + tune_dir, final_phase); + } + goto Search_Finish; + } + + cont_path_cnt = 0; + new_block = 1; + j = 0; + for (i = 0; i < MAX_PHASE + 1; i++) { + if (phase_map & (1 << i)) { + if (new_block) { + new_block = 0; + j = cont_path_cnt++; + path[j].start = i; + path[j].end = i; + } else { + path[j].end = i; + } + } else { + new_block = 1; + if (cont_path_cnt) { + int idx = cont_path_cnt - 1; + path[idx].len = + path[idx].end - path[idx].start + 1; + path[idx].mid = + path[idx].start + path[idx].len / 2; + } + } + } + + if (cont_path_cnt == 0) { + RTS51X_DEBUGP("No continuous phase path\n"); + goto Search_Finish; + } else { + int idx = cont_path_cnt - 1; + path[idx].len = path[idx].end - path[idx].start + 1; + path[idx].mid = path[idx].start + path[idx].len / 2; + } + + if ((path[0].start == 0) && + (path[cont_path_cnt - 1].end == MAX_PHASE)) { + path[0].start = path[cont_path_cnt - 1].start - MAX_PHASE - 1; + path[0].len += path[cont_path_cnt - 1].len; + path[0].mid = path[0].start + path[0].len / 2; + if (path[0].mid < 0) + path[0].mid += MAX_PHASE + 1; + cont_path_cnt--; + } + max_len = 0; + final_phase = 0; + final_path_idx = 0; + for (i = 0; i < cont_path_cnt; i++) { + if (path[i].len > max_len) { + max_len = path[i].len; + final_phase = (u8) path[i].mid; + final_path_idx = i; + } + + RTS51X_DEBUGP("path[%d].start = %d\n", i, path[i].start); + RTS51X_DEBUGP("path[%d].end = %d\n", i, path[i].end); + RTS51X_DEBUGP("path[%d].len = %d\n", i, path[i].len); + RTS51X_DEBUGP("path[%d].mid = %d\n", i, path[i].mid); + RTS51X_DEBUGP("\n"); + } + + if ((tune_dir == TUNE_TX) && (CHK_SD_SDR50(sd_card)) + && chip->option.sdr50_phase_sel) { + if (max_len > 6) { + int temp_mid = (max_len - 6) / 2; + int temp_final_phase = + path[final_path_idx].end - (max_len - + (3 + temp_mid)); + + if (temp_final_phase < 0) + final_phase = temp_final_phase + MAX_PHASE + 1; + else + final_phase = (u8) temp_final_phase; + } + } + +Search_Finish: + RTS51X_DEBUGP("Final chosen phase: %d\n", final_phase); + return final_phase; +} + +static int sd_tuning_rx(struct rts51x_chip *chip) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + int i, j; + u32 raw_phase_map[3], phase_map; + u8 final_phase; + int (*tuning_cmd)(struct rts51x_chip *chip, u8 sample_point); + + if (CHK_SD(sd_card)) { + if (CHK_SD_DDR50(sd_card)) + tuning_cmd = sd_ddr_tuning_rx_cmd; + else + tuning_cmd = sd_sdr_tuning_rx_cmd; + } else { + if (CHK_MMC_DDR52(sd_card)) + tuning_cmd = mmc_ddr_tunning_rx_cmd; + else + TRACE_RET(chip, STATUS_FAIL); + } + + for (i = 0; i < 3; i++) { + raw_phase_map[i] = 0; + for (j = MAX_PHASE; j >= 0; j--) { + if (monitor_card_cd(chip, SD_CARD) == CD_NOT_EXIST) { + sd_set_reset_fail(chip, SD_RESET_FAIL); + TRACE_RET(chip, STATUS_FAIL); + } + + retval = tuning_cmd(chip, (u8) j); + if (retval == STATUS_SUCCESS) + raw_phase_map[i] |= 1 << j; + else + RTS51X_DEBUGP("Tuning phase %d fail\n", j); + } + } + + phase_map = raw_phase_map[0] & raw_phase_map[1] & raw_phase_map[2]; + for (i = 0; i < 3; i++) + RTS51X_DEBUGP("RX raw_phase_map[%d] = 0x%04x\n", i, + raw_phase_map[i]); + RTS51X_DEBUGP("RX phase_map = 0x%04x\n", phase_map); + + final_phase = sd_search_final_phase(chip, phase_map, TUNE_RX); + if (final_phase == 0xFF) + TRACE_RET(chip, STATUS_FAIL); + + retval = tuning_cmd(chip, final_phase); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + return STATUS_SUCCESS; +} + +static int sd_ddr_pre_tuning_tx(struct rts51x_chip *chip) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + u8 i; + u8 pre_tune_tx_phase; + u32 pre_tune_phase_map; + + RTS51X_WRITE_REG(chip, SD_CFG3, SD_RSP_80CLK_TIMEOUT_EN, + SD_RSP_80CLK_TIMEOUT_EN); + + pre_tune_tx_phase = 0xFF; + pre_tune_phase_map = 0x0000; + for (i = 0; i < MAX_PHASE + 1; i++) { + if (monitor_card_cd(chip, SD_CARD) == CD_NOT_EXIST) { + sd_set_reset_fail(chip, SD_RESET_FAIL); + TRACE_RET(chip, STATUS_FAIL); + } + + retval = sd_change_phase(chip, (u8) i, TUNE_TX); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = + sd_send_cmd_get_rsp(chip, SEND_STATUS, sd_card->sd_addr, + SD_RSP_TYPE_R1, NULL, 0); + if ((retval == STATUS_SUCCESS) + || !sd_check_err_code(chip, SD_RSP_TIMEOUT)) + pre_tune_phase_map |= (u32) 1 << i; + } + + RTS51X_WRITE_REG(chip, SD_CFG3, SD_RSP_80CLK_TIMEOUT_EN, 0); + + pre_tune_tx_phase = + sd_search_final_phase(chip, pre_tune_phase_map, TUNE_TX); + if (pre_tune_tx_phase == 0xFF) + TRACE_RET(chip, STATUS_FAIL); + + sd_change_phase(chip, pre_tune_tx_phase, TUNE_TX); + RTS51X_DEBUGP("DDR TX pre tune phase: %d\n", (int)pre_tune_tx_phase); + + return STATUS_SUCCESS; +} + +static int sd_tuning_tx(struct rts51x_chip *chip) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + int i, j; + u32 raw_phase_map[3], phase_map; + u8 final_phase; + int (*tuning_cmd)(struct rts51x_chip *chip, u8 sample_point); + + if (CHK_SD(sd_card)) { + if (CHK_SD_DDR50(sd_card)) + tuning_cmd = sd_ddr_tuning_tx_cmd; + else + tuning_cmd = sd_sdr_tuning_tx_cmd; + } else { + if (CHK_MMC_DDR52(sd_card)) + tuning_cmd = sd_ddr_tuning_tx_cmd; + else + TRACE_RET(chip, STATUS_FAIL); + } + + for (i = 0; i < 3; i++) { + raw_phase_map[i] = 0; + for (j = MAX_PHASE; j >= 0; j--) { + if (monitor_card_cd(chip, SD_CARD) == CD_NOT_EXIST) { + sd_set_reset_fail(chip, SD_RESET_FAIL); + TRACE_RET(chip, STATUS_FAIL); + } + + retval = tuning_cmd(chip, (u8) j); + if (retval == STATUS_SUCCESS) + raw_phase_map[i] |= 1 << j; + else + RTS51X_DEBUGP("Tuning phase %d fail\n", j); + } + } + + phase_map = raw_phase_map[0] & raw_phase_map[1] & raw_phase_map[2]; + for (i = 0; i < 3; i++) + RTS51X_DEBUGP("TX raw_phase_map[%d] = 0x%04x\n", i, + raw_phase_map[i]); + RTS51X_DEBUGP("TX phase_map = 0x%04x\n", phase_map); + + final_phase = sd_search_final_phase(chip, phase_map, TUNE_TX); + if (final_phase == 0xFF) + TRACE_RET(chip, STATUS_FAIL); + + retval = tuning_cmd(chip, final_phase); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + return STATUS_SUCCESS; +} + +static int sd_sdr_tuning(struct rts51x_chip *chip) +{ + int retval; + + retval = sd_tuning_tx(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = sd_tuning_rx(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + return STATUS_SUCCESS; +} + +static int sd_ddr_tuning(struct rts51x_chip *chip) +{ + int retval; + + if (!(chip->option.sd_ctl & SD_DDR_TX_PHASE_SET_BY_USER)) { + retval = sd_ddr_pre_tuning_tx(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } else { + retval = + sd_change_phase(chip, (u8) chip->option.sd_ddr_tx_phase, + TUNE_TX); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + + retval = sd_tuning_rx(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (!(chip->option.sd_ctl & SD_DDR_TX_PHASE_SET_BY_USER)) { + retval = sd_tuning_tx(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + + return STATUS_SUCCESS; +} + +static int mmc_ddr_tuning(struct rts51x_chip *chip) +{ + int retval; + + if (!(chip->option.sd_ctl & MMC_DDR_TX_PHASE_SET_BY_USER)) { + retval = sd_ddr_pre_tuning_tx(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } else { + retval = + sd_change_phase(chip, (u8) chip->option.mmc_ddr_tx_phase, + TUNE_TX); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + + retval = sd_tuning_rx(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (!(chip->option.sd_ctl & MMC_DDR_TX_PHASE_SET_BY_USER)) { + retval = sd_tuning_tx(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + + return STATUS_SUCCESS; +} + +int rts51x_sd_switch_clock(struct rts51x_chip *chip) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + int re_tuning = 0; + + retval = rts51x_select_card(chip, SD_CARD); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (CHK_SD30_SPEED(sd_card) || CHK_MMC_DDR52(sd_card)) { + if (sd_card->sd_clock != chip->cur_clk) + re_tuning = 1; + } + + retval = switch_clock(chip, sd_card->sd_clock); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (re_tuning) { + if (CHK_SD(sd_card)) { + if (CHK_SD_DDR50(sd_card)) + retval = sd_ddr_tuning(chip); + else + retval = sd_sdr_tuning(chip); + } else { + if (CHK_MMC_DDR52(sd_card)) + retval = mmc_ddr_tuning(chip); + } + + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + + return STATUS_SUCCESS; +} + +static int sd_prepare_reset(struct rts51x_chip *chip) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + + if (chip->asic_code) + sd_card->sd_clock = 29; + else + sd_card->sd_clock = CLK_30; + + /* Set SD Clocks */ + retval = sd_set_init_para(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG1, 0xFF, + SD_CLK_DIVIDE_128 | SD_20_MODE | SD_BUS_WIDTH_1); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_SAMPLE_POINT_CTL, 0xFF, + SD20_RX_POS_EDGE); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_PUSH_POINT_CTL, 0xFF, 0); + + retval = rts51x_send_cmd(chip, MODE_C, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = rts51x_select_card(chip, SD_CARD); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + return STATUS_SUCCESS; +} + +static void sd_pull_ctl_disable(struct rts51x_chip *chip) +{ + if (CHECK_PKG(chip, LQFP48)) { + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0x95); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0xA5); + } else { + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0x65); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0x95); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x56); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0x59); + } +} + +static void sd_pull_ctl_enable(struct rts51x_chip *chip) +{ + if (CHECK_PKG(chip, LQFP48)) { + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0xAA); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0xAA); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0xA9); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0xA5); + } else { + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0xA5); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0x9A); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0xA5); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x9A); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x65); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0x5A); + } +} + +static int sd_init_power(struct rts51x_chip *chip) +{ + int retval; + + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL, LDO3318_PWR_MASK, + LDO_ON); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_PAD_CTL, SD_IO_USING_1V8, + SD_IO_USING_3V3); + if (chip->asic_code) + rts51x_add_cmd(chip, WRITE_REG_CMD, LDO_POWER_CFG, + TUNE_SD18_MASK, TUNE_SD18_3V3); + if (chip->asic_code) + sd_pull_ctl_disable(chip); + else + rts51x_add_cmd(chip, WRITE_REG_CMD, FPGA_PULL_CTL, + FPGA_SD_PULL_CTL_BIT | 0x20, + FPGA_SD_PULL_CTL_BIT); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_OE, SD_OUTPUT_EN, 0); + if (!chip->option.FT2_fast_mode) + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL, POWER_MASK, + POWER_OFF); + + retval = rts51x_send_cmd(chip, MODE_C, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + if (!chip->option.FT2_fast_mode) { +#ifdef SD_XD_IO_FOLLOW_PWR + if (CHECK_PKG(chip, LQFP48) + || chip->option.rts5129_D3318_off_enable) + rts51x_write_register(chip, CARD_PWR_CTL, + LDO_OFF, LDO_OFF); +#endif + wait_timeout(250); + +#ifdef SD_XD_IO_FOLLOW_PWR + if (CHECK_PKG(chip, LQFP48) + || chip->option.rts5129_D3318_off_enable) { + rts51x_init_cmd(chip); + if (chip->asic_code) + sd_pull_ctl_enable(chip); + else + rts51x_add_cmd(chip, WRITE_REG_CMD, + FPGA_PULL_CTL, + FPGA_SD_PULL_CTL_BIT | 0x20, 0); + retval = rts51x_send_cmd(chip, MODE_C, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } else { + if (chip->asic_code) + rts51x_write_register(chip, CARD_PULL_CTL6, + 0x03, 0x00); + } +#endif + + /* Power on card */ + retval = rts51x_card_power_on(chip, SD_CARD); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + wait_timeout(260); + +#ifdef SUPPORT_OCP + rts51x_get_card_status(chip, &(chip->card_status)); + chip->ocp_stat = (chip->card_status >> 4) & 0x03; + + if (chip->ocp_stat & (MS_OCP_NOW | MS_OCP_EVER)) { + RTS51X_DEBUGP("Over current, OCPSTAT is 0x%x\n", + chip->ocp_stat); + TRACE_RET(chip, STATUS_FAIL); + } +#endif + } + + rts51x_init_cmd(chip); + if (chip->asic_code) { + sd_pull_ctl_enable(chip); + } else { + rts51x_add_cmd(chip, WRITE_REG_CMD, FPGA_PULL_CTL, + FPGA_SD_PULL_CTL_BIT | 0x20, 0); + } + retval = rts51x_send_cmd(chip, MODE_C, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); +#ifdef SD_XD_IO_FOLLOW_PWR + rts51x_write_register(chip, CARD_INT_PEND, XD_INT | MS_INT | SD_INT, + XD_INT | MS_INT | SD_INT); +#endif + + RTS51X_WRITE_REG(chip, CARD_OE, SD_OUTPUT_EN, SD_OUTPUT_EN); + + return STATUS_SUCCESS; +} + +static int sd_dummy_clock(struct rts51x_chip *chip) +{ + RTS51X_WRITE_REG(chip, SD_BUS_STAT, SD_CLK_TOGGLE_EN, SD_CLK_TOGGLE_EN); + wait_timeout(5); + RTS51X_WRITE_REG(chip, SD_BUS_STAT, SD_CLK_TOGGLE_EN, 0x00); + + return STATUS_SUCCESS; +} + +int reset_sd(struct rts51x_chip *chip) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval, i = 0, j = 0, k = 0, hi_cap_flow = 0; + int sd_dont_switch = 0; + int support_1v8 = 0; + u8 rsp[16]; + u8 switch_bus_width; + u32 voltage = 0; + u8 cmd[5], buf[64]; + u16 sd_card_type; + + SET_SD(sd_card); + CLR_RETRY_SD20_MODE(sd_card); +Switch_Fail: + i = 0; + j = 0; + k = 0; + hi_cap_flow = 0; + support_1v8 = 0; + + retval = sd_prepare_reset(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + sd_dummy_clock(chip); + + /* Start Initialization Process of SD Card */ +RTY_SD_RST: + retval = + sd_send_cmd_get_rsp(chip, GO_IDLE_STATE, 0, SD_RSP_TYPE_R0, NULL, + 0); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + wait_timeout(20); + + retval = + sd_send_cmd_get_rsp(chip, SEND_IF_COND, 0x000001AA, SD_RSP_TYPE_R7, + rsp, 5); + if (retval == STATUS_SUCCESS) { + if ((rsp[4] == 0xAA) && ((rsp[3] & 0x0f) == 0x01)) { + hi_cap_flow = 1; + if (CHK_RETRY_SD20_MODE(sd_card)) { + voltage = + SUPPORT_VOLTAGE | + SUPPORT_HIGH_AND_EXTENDED_CAPACITY; + } else { + voltage = + SUPPORT_VOLTAGE | + SUPPORT_HIGH_AND_EXTENDED_CAPACITY | + SUPPORT_MAX_POWER_PERMANCE | SUPPORT_1V8; + } + } + } + + if (!hi_cap_flow) { + voltage = SUPPORT_VOLTAGE; + + retval = + sd_send_cmd_get_rsp(chip, GO_IDLE_STATE, 0, SD_RSP_TYPE_R0, + NULL, 0); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + wait_timeout(20); + } + + /* ACMD41 */ + do { + { + u8 temp = 0; + rts51x_read_register(chip, CARD_INT_PEND, &temp); + RTS51X_DEBUGP("CARD_INT_PEND:%x\n", temp); + if (temp & SD_INT) { + chip->reset_need_retry = 1; + rts51x_write_register(chip, CARD_INT_PEND, + XD_INT | SD_INT | MS_INT, + XD_INT | SD_INT | MS_INT); + sd_set_reset_fail(chip, SD_RESET_FAIL); + TRACE_RET(chip, STATUS_FAIL); + } + } + +RTY_CMD55: + retval = + sd_send_cmd_get_rsp(chip, APP_CMD, 0, SD_RSP_TYPE_R1, NULL, + 0); + if (retval != STATUS_SUCCESS) { + if (monitor_card_cd(chip, SD_CARD) == CD_NOT_EXIST) { + sd_set_reset_fail(chip, SD_RESET_FAIL); + TRACE_RET(chip, STATUS_FAIL); + } + + j++; + if (chip->option.speed_mmc) { + if (j < 2) + goto RTY_CMD55; + else + TRACE_RET(chip, STATUS_FAIL); + } else { + if (j < 3) + goto RTY_SD_RST; + else + TRACE_RET(chip, STATUS_FAIL); + } + } + + retval = + sd_send_cmd_get_rsp(chip, SD_APP_OP_COND, voltage, + SD_RSP_TYPE_R3, rsp, 5); + if (retval != STATUS_SUCCESS) { + k++; + if (k < 3) + goto RTY_SD_RST; + else + TRACE_RET(chip, STATUS_FAIL); + } + + i++; + wait_timeout(20); + } while (!(rsp[1] & 0x80) && (i < 255)); /* Not complete power on */ + + if (i == 255) { + /* Time out */ + TRACE_RET(chip, STATUS_FAIL); + } + + if (hi_cap_flow) { + if (rsp[1] & 0x40) + SET_SD_HCXC(sd_card); + else + CLR_SD_HCXC(sd_card); + if (!CHK_RETRY_SD20_MODE(sd_card)) { + if ((CHK_SD_HCXC(sd_card)) && (CHECK_UHS50(chip))) { + support_1v8 = (rsp[1] & 0x01) ? 1 : 0; + RTS51X_DEBUGP("support_1v8 = %d\n", + support_1v8); + } + } + } else { + CLR_SD_HCXC(sd_card); + support_1v8 = 0; + } + + /* CMD11: Switch Voltage */ + if (support_1v8 && CHECK_UHS50(chip) + && !(((u8) chip->option.sd_speed_prior & SDR104_SUPPORT) == + HS_SUPPORT)) { + retval = sd_voltage_switch(chip); + if (retval != STATUS_SUCCESS) { + SET_RETRY_SD20_MODE(sd_card); + sd_init_power(chip); + RTS51X_DEBUGP("1.8v switch fail\n"); + goto Switch_Fail; + } + } + + /* CMD 2 */ + retval = + sd_send_cmd_get_rsp(chip, ALL_SEND_CID, 0, SD_RSP_TYPE_R2, NULL, 0); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + /* CMD 3 */ + retval = + sd_send_cmd_get_rsp(chip, SEND_RELATIVE_ADDR, 0, SD_RSP_TYPE_R6, + rsp, 5); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + sd_card->sd_addr = (u32) rsp[1] << 24; + sd_card->sd_addr += (u32) rsp[2] << 16; + + /* Get CSD register for Calculating Timing,Capacity, + * Check CSD to determine as if this is the SD ROM card */ + retval = sd_check_csd(chip, 1); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + /* Select SD card */ + retval = rts51x_sd_select_card(chip, 1); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + /* ACMD42 */ + retval = + sd_send_cmd_get_rsp(chip, APP_CMD, sd_card->sd_addr, SD_RSP_TYPE_R1, + NULL, 0); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = + sd_send_cmd_get_rsp(chip, SET_CLR_CARD_DETECT, 0, SD_RSP_TYPE_R1, + NULL, 0); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (support_1v8) { + /* ACMD6 */ + retval = + sd_send_cmd_get_rsp(chip, APP_CMD, sd_card->sd_addr, + SD_RSP_TYPE_R1, NULL, 0); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + /* Enable 4 bit data bus */ + retval = + sd_send_cmd_get_rsp(chip, SET_BUS_WIDTH, 2, SD_RSP_TYPE_R1, + NULL, 0); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + switch_bus_width = SD_BUS_WIDTH_4; + } else { + switch_bus_width = SD_BUS_WIDTH_1; + } + + /* Set block length 512 bytes for all block commands */ + retval = sd_send_cmd_get_rsp(chip, SET_BLOCKLEN, + 0x200, SD_RSP_TYPE_R1, NULL, 0); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + RTS51X_WRITE_REG(chip, SD_CFG1, SD_CLK_DIVIDE_MASK, SD_CLK_DIVIDE_0); + + if (!(sd_card->raw_csd[4] & 0x40)) { + sd_dont_switch = 1; + RTS51X_DEBUGP("Not support class ten\n"); + } + + if (!sd_dont_switch) { + /* Check the card whether flow SD1.1 spec or higher */ + retval = sd_check_spec(chip, switch_bus_width); + if (retval == STATUS_SUCCESS) { + retval = sd_switch_function(chip, switch_bus_width); + if (retval != STATUS_SUCCESS) { + if ((sd_card->sd_switch_fail == + SDR104_SUPPORT_MASK) + || (sd_card->sd_switch_fail == + DDR50_SUPPORT_MASK) + || (sd_card->sd_switch_fail == + SDR50_SUPPORT_MASK)) { + sd_init_power(chip); + SET_RETRY_SD20_MODE(sd_card); + } else if (sd_card->sd_switch_fail == + HS_SUPPORT_MASK) { + sd_dont_switch = 1; + } + goto Switch_Fail; + } + } else { + if (support_1v8) { + SET_RETRY_SD20_MODE(sd_card); + sd_init_power(chip); + sd_dont_switch = 1; + + goto Switch_Fail; + } + } + } + + if (!support_1v8) { + /* ACMD6 */ + retval = + sd_send_cmd_get_rsp(chip, APP_CMD, sd_card->sd_addr, + SD_RSP_TYPE_R1, NULL, 0); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + /* Enable 4 bit data bus */ + retval = + sd_send_cmd_get_rsp(chip, SET_BUS_WIDTH, 2, SD_RSP_TYPE_R1, + NULL, 0); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + + if (CHK_SD30_SPEED(sd_card)) { + rts51x_write_register(chip, SD30_DRIVE_SEL, SD30_DRIVE_MASK, + 0x03); + + retval = sd_set_init_para(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (CHK_SD_DDR50(sd_card)) + retval = sd_ddr_tuning(chip); + else + retval = sd_sdr_tuning(chip); + + if (retval != STATUS_SUCCESS) { + SET_RETRY_SD20_MODE(sd_card); + RTS51X_DEBUGP("tuning phase fail,goto SD20 mode\n"); + sd_init_power(chip); + CLR_SD30_SPEED(sd_card); + goto Switch_Fail; + } + if (STATUS_SUCCESS == + sd_wait_currentstate_dataready(chip, 0x08, 1, 20)) { + cmd[0] = 0x40 | READ_SINGLE_BLOCK; + cmd[1] = 0x00; + cmd[2] = 0x00; + cmd[3] = 0x00; + cmd[4] = 0x00; + retval = + sd_read_data(chip, SD_TM_NORMAL_READ, cmd, 5, 512, + 1, SD_BUS_WIDTH_4, NULL, 0, 600); + if (retval != STATUS_SUCCESS) { + SET_RETRY_SD20_MODE(sd_card); + RTS51X_DEBUGP("read lba0 fail," + "goto SD20 mode\n"); + sd_init_power(chip); + CLR_SD30_SPEED(sd_card); + goto Switch_Fail; + } + } + } + sd_send_cmd_get_rsp(chip, SEND_STATUS, sd_card->sd_addr, SD_RSP_TYPE_R1, + NULL, 0); + + retval = sd_send_cmd_get_rsp(chip, APP_CMD, sd_card->sd_addr, + SD_RSP_TYPE_R1, NULL, 0); + if (retval == STATUS_SUCCESS) { + int ret; + cmd[0] = 0x40 | SEND_STATUS; + cmd[1] = 0x00; + cmd[2] = 0x00; + cmd[3] = 0x00; + cmd[4] = 0x00; + ret = + sd_read_data(chip, SD_TM_NORMAL_READ, cmd, 5, 64, 1, + SD_BUS_WIDTH_4, buf, 64, 600); + if (ret == STATUS_SUCCESS) { + sd_card_type = ((u16) buf[2] << 8) | (u16) buf[3]; + RTS51X_DEBUGP("sd_card_type:0x%4x\n", sd_card_type); + if ((sd_card_type == 0x0001) + || (sd_card_type == 0x0002)) + chip->card_wp |= SD_CARD; + } else { + rts51x_clear_sd_error(chip); + sd_send_cmd_get_rsp(chip, SEND_STATUS, sd_card->sd_addr, + SD_RSP_TYPE_R1, NULL, 0); + } + } else { + rts51x_clear_sd_error(chip); + sd_send_cmd_get_rsp(chip, SEND_STATUS, sd_card->sd_addr, + SD_RSP_TYPE_R1, NULL, 0); + } + + /* Check SD Machanical Write-Protect Switch */ + retval = rts51x_get_card_status(chip, &(chip->card_status)); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + if (chip->card_status & SD_WP) + chip->card_wp |= SD_CARD; + + chip->card_bus_width[chip->card2lun[SD_CARD]] = 4; + + return STATUS_SUCCESS; +} + +static int mmc_test_switch_bus(struct rts51x_chip *chip, u8 width) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + u8 buf[8] = { 0 }, bus_width; + u16 byte_cnt; + int len; + + retval = + sd_send_cmd_get_rsp(chip, BUSTEST_W, 0, SD_RSP_TYPE_R1, NULL, 0); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (width == MMC_8BIT_BUS) { + buf[0] = 0x55; + buf[1] = 0xAA; + len = 8; + byte_cnt = 8; + bus_width = SD_BUS_WIDTH_8; + } else { + buf[0] = 0x5A; + len = 4; + byte_cnt = 4; + bus_width = SD_BUS_WIDTH_4; + } + + retval = sd_write_data(chip, SD_TM_AUTO_WRITE_3, + NULL, 0, byte_cnt, 1, bus_width, buf, len, 100); + if (retval != STATUS_SUCCESS) { + u8 val1 = 0, val2 = 0; + rts51x_ep0_read_register(chip, SD_STAT1, &val1); + rts51x_ep0_read_register(chip, SD_STAT2, &val2); + rts51x_clear_sd_error(chip); + if ((val1 & 0xE0) || val2) + TRACE_RET(chip, STATUS_FAIL); + } + RTS51X_DEBUGP("SD/MMC CMD %d\n", BUSTEST_R); + + rts51x_init_cmd(chip); + + /* CMD14 */ + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD0, 0xFF, 0x40 | BUSTEST_R); + + if (width == MMC_8BIT_BUS) + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_L, 0xFF, 0x08); + else + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_L, 0xFF, 0x04); + + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_L, 0xFF, 1); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_H, 0xFF, 0); + + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG2, 0xFF, + SD_CALCULATE_CRC7 | SD_NO_CHECK_CRC16 | + SD_NO_WAIT_BUSY_END | SD_CHECK_CRC7 | SD_RSP_LEN_6); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01, + PINGPONG_BUFFER); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_TRANSFER, 0xFF, + SD_TM_NORMAL_READ | SD_TRANSFER_START); + rts51x_add_cmd(chip, CHECK_REG_CMD, SD_TRANSFER, SD_TRANSFER_END, + SD_TRANSFER_END); + + rts51x_add_cmd(chip, READ_REG_CMD, PPBUF_BASE2, 0, 0); + if (width == MMC_8BIT_BUS) { + len = 3; + rts51x_add_cmd(chip, READ_REG_CMD, PPBUF_BASE2 + 1, 0, 0); + } else { + len = 2; + } + + retval = rts51x_send_cmd(chip, MODE_CR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = rts51x_get_rsp(chip, len, 100); + if (CHECK_SD_TRANS_FAIL(chip, retval)) { + rts51x_clear_sd_error(chip); + TRACE_RET(chip, STATUS_FAIL); + } + + rts51x_read_rsp_buf(chip, 1, buf, 2); + + if (width == MMC_8BIT_BUS) { + RTS51X_DEBUGP("BUSTEST_R [8bits]: 0x%02x 0x%02x\n", + buf[0], buf[1]); + if ((buf[0] == 0xAA) && (buf[1] == 0x55)) { + u8 rsp[5]; + u32 arg; + + if (CHK_MMC_DDR52(sd_card)) + arg = 0x03B70600; + else + arg = 0x03B70200; + /* Switch MMC to 8-bit mode */ + retval = + sd_send_cmd_get_rsp(chip, SWITCH, arg, + SD_RSP_TYPE_R1b, rsp, 5); + if ((retval == STATUS_SUCCESS) + && !(rsp[4] & MMC_SWITCH_ERR)) + return STATUS_SUCCESS; + } + } else { + RTS51X_DEBUGP("BUSTEST_R [4bits]: 0x%02x\n", buf[0]); + if (buf[0] == 0xA5) { + u8 rsp[5]; + u32 arg; + + if (CHK_MMC_DDR52(sd_card)) + arg = 0x03B70500; + else + arg = 0x03B70100; + /* Switch MMC to 4-bit mode */ + retval = + sd_send_cmd_get_rsp(chip, SWITCH, arg, + SD_RSP_TYPE_R1b, rsp, 5); + if ((retval == STATUS_SUCCESS) + && !(rsp[4] & MMC_SWITCH_ERR)) + return STATUS_SUCCESS; + } + } + + TRACE_RET(chip, STATUS_FAIL); +} + +static int mmc_switch_timing_bus(struct rts51x_chip *chip) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + u8 card_type, card_type_mask = 0; + u8 buf[6]; + + CLR_MMC_HS(sd_card); + + RTS51X_DEBUGP("SD/MMC CMD %d\n", SEND_EXT_CSD); + + rts51x_init_cmd(chip); + + /* SEND_EXT_CSD command */ + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD0, 0xFF, + 0x40 | SEND_EXT_CSD); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD1, 0xFF, 0); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD2, 0xFF, 0); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD3, 0xFF, 0); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD4, 0xFF, 0); + + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_L, 0xFF, 0); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_H, 0xFF, 2); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_L, 0xFF, 1); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_H, 0xFF, 0); + + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG2, 0xFF, + SD_CALCULATE_CRC7 | SD_CHECK_CRC16 | SD_NO_WAIT_BUSY_END + | SD_CHECK_CRC7 | SD_RSP_LEN_6); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01, + PINGPONG_BUFFER); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_TRANSFER, 0xFF, + SD_TM_NORMAL_READ | SD_TRANSFER_START); + rts51x_add_cmd(chip, CHECK_REG_CMD, SD_TRANSFER, SD_TRANSFER_END, + SD_TRANSFER_END); + + rts51x_add_cmd(chip, READ_REG_CMD, PPBUF_BASE2 + 196, 0xFF, 0); + rts51x_add_cmd(chip, READ_REG_CMD, PPBUF_BASE2 + 212, 0xFF, 0); + rts51x_add_cmd(chip, READ_REG_CMD, PPBUF_BASE2 + 213, 0xFF, 0); + rts51x_add_cmd(chip, READ_REG_CMD, PPBUF_BASE2 + 214, 0xFF, 0); + rts51x_add_cmd(chip, READ_REG_CMD, PPBUF_BASE2 + 215, 0xFF, 0); + + retval = rts51x_send_cmd(chip, MODE_CR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = rts51x_get_rsp(chip, 6, 1000); + + if (CHECK_SD_TRANS_FAIL(chip, retval)) { + if (retval == STATUS_TIMEDOUT) { + rts51x_clear_sd_error(chip); + sd_send_cmd_get_rsp(chip, SEND_STATUS, sd_card->sd_addr, + SD_RSP_TYPE_R1, NULL, 0); + } + TRACE_RET(chip, STATUS_FAIL); + } + + rts51x_read_rsp_buf(chip, 0, buf, 6); + + if (buf[0] & SD_TRANSFER_ERR) { + sd_send_cmd_get_rsp(chip, SEND_STATUS, sd_card->sd_addr, + SD_RSP_TYPE_R1, NULL, 0); + TRACE_RET(chip, STATUS_FAIL); + } + if (CHK_MMC_SECTOR_MODE(sd_card)) + sd_card->capacity = + ((u32) buf[5] << 24) | ((u32) buf[4] << 16) | + ((u32) buf[3] << 8) | ((u32) buf[2]); + if (CHECK_UHS50(chip)) + card_type_mask = 0x07; + else + card_type_mask = 0x03; + + card_type = buf[1] & card_type_mask; + if (card_type) { + /* CARD TYPE FIELD = DDR52MHz, 52MHz or 26MHz */ + u8 rsp[5]; + + if (card_type & 0x04) + SET_MMC_DDR52(sd_card); + else if (card_type & 0x02) + SET_MMC_52M(sd_card); + else + SET_MMC_26M(sd_card); + + retval = + sd_send_cmd_get_rsp(chip, SWITCH, 0x03B90100, + SD_RSP_TYPE_R1b, rsp, 5); + if ((retval != STATUS_SUCCESS) || (rsp[4] & MMC_SWITCH_ERR)) + CLR_MMC_HS(sd_card); + } + sd_choose_proper_clock(chip); + retval = switch_clock(chip, sd_card->sd_clock); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + /* Test Bus Procedure */ + if (mmc_test_switch_bus(chip, MMC_8BIT_BUS) == STATUS_SUCCESS) { + SET_MMC_8BIT(sd_card); + chip->card_bus_width[chip->card2lun[SD_CARD]] = 8; + } else if (mmc_test_switch_bus(chip, MMC_4BIT_BUS) == STATUS_SUCCESS) { + SET_MMC_4BIT(sd_card); + chip->card_bus_width[chip->card2lun[SD_CARD]] = 4; + } else { + CLR_MMC_8BIT(sd_card); + CLR_MMC_4BIT(sd_card); + } + + return STATUS_SUCCESS; +} + +static int reset_mmc(struct rts51x_chip *chip) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval, i = 0, j = 0, k = 0; + u8 rsp[16]; + u8 spec_ver = 0; + u8 change_to_ddr52 = 1; + u8 cmd[5]; + +MMC_DDR_FAIL: + + retval = sd_prepare_reset(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + SET_MMC(sd_card); + +RTY_MMC_RST: + retval = + sd_send_cmd_get_rsp(chip, GO_IDLE_STATE, 0, SD_RSP_TYPE_R0, NULL, + 0); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + do { + { + u8 temp = 0; + rts51x_read_register(chip, CARD_INT_PEND, &temp); + if (temp & SD_INT) { + chip->reset_need_retry = 1; + rts51x_write_register(chip, CARD_INT_PEND, + XD_INT | SD_INT | MS_INT, + XD_INT | SD_INT | MS_INT); + sd_set_reset_fail(chip, MMC_RESET_FAIL); + TRACE_RET(chip, STATUS_FAIL); + } + } + + /* CMD 1 */ + retval = sd_send_cmd_get_rsp(chip, SEND_OP_COND, + (SUPPORT_VOLTAGE | 0x40000000), + SD_RSP_TYPE_R3, rsp, 5); + if (retval != STATUS_SUCCESS) { + if (monitor_card_cd(chip, SD_CARD) == CD_NOT_EXIST) { + sd_set_reset_fail(chip, MMC_RESET_FAIL); + TRACE_RET(chip, STATUS_FAIL); + } + + if (sd_check_err_code(chip, SD_BUSY) + || sd_check_err_code(chip, SD_TO_ERR)) { + k++; + if (k < 20) { + sd_clr_err_code(chip); + goto RTY_MMC_RST; + } else { + TRACE_RET(chip, STATUS_FAIL); + } + } else { + j++; + if (j < 100) { + sd_clr_err_code(chip); + goto RTY_MMC_RST; + } else { + TRACE_RET(chip, STATUS_FAIL); + } + } + } + + wait_timeout(20); + i++; + } while (!(rsp[1] & 0x80) && (i < 100)); /* Not complete power on */ + + if (i == 100) { + /* Time out */ + TRACE_RET(chip, STATUS_FAIL); + } + + if ((rsp[1] & 0x60) == 0x40) + SET_MMC_SECTOR_MODE(sd_card); + else + CLR_MMC_SECTOR_MODE(sd_card); + + /* CMD 2 */ + retval = + sd_send_cmd_get_rsp(chip, ALL_SEND_CID, 0, SD_RSP_TYPE_R2, NULL, 0); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + /* CMD 3 */ + sd_card->sd_addr = 0x00100000; + retval = + sd_send_cmd_get_rsp(chip, SET_RELATIVE_ADDR, sd_card->sd_addr, + SD_RSP_TYPE_R6, rsp, 5); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + /* Get CSD register for Calculating Timing,Capacity + * Check CSD to determine as if this is the SD ROM card */ + retval = sd_check_csd(chip, 1); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + /* Get MMC Spec_Ver in the CSD register */ + spec_ver = (sd_card->raw_csd[0] & 0x3C) >> 2; + + /* Select MMC card */ + retval = rts51x_sd_select_card(chip, 1); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + /* Set block length 512 bytes for all block commands */ + retval = + sd_send_cmd_get_rsp(chip, SET_BLOCKLEN, 0x200, SD_RSP_TYPE_R1, NULL, + 0); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + RTS51X_WRITE_REG(chip, SD_CFG1, SD_CLK_DIVIDE_MASK, SD_CLK_DIVIDE_0); + + if (chip->ic_version < 2) + rts51x_write_register(chip, SD30_DRIVE_SEL, SD30_DRIVE_MASK, + 0x02); + rts51x_write_register(chip, CARD_DRIVE_SEL, SD20_DRIVE_MASK, DRIVE_8mA); + + chip->card_bus_width[chip->card2lun[SD_CARD]] = 1; + if (spec_ver == 4) { + /* MMC 4.x Cards */ + (void)mmc_switch_timing_bus(chip); + } + + if (CHK_MMC_SECTOR_MODE(sd_card) && (sd_card->capacity == 0)) + TRACE_RET(chip, STATUS_FAIL); + + if (CHK_MMC_DDR52(sd_card) && change_to_ddr52) { + /* Card is extracted while identifying */ + if (monitor_card_cd(chip, SD_CARD) == CD_NOT_EXIST) + TRACE_RET(chip, STATUS_FAIL); + + retval = sd_set_init_para(chip); + if (retval != STATUS_SUCCESS) { + CLR_MMC_DDR52(sd_card); + sd_init_power(chip); + change_to_ddr52 = 0; + goto MMC_DDR_FAIL; + } + + retval = mmc_ddr_tuning(chip); + if (retval != STATUS_SUCCESS) { + CLR_MMC_DDR52(sd_card); + sd_init_power(chip); + change_to_ddr52 = 0; + goto MMC_DDR_FAIL; + } + + if (STATUS_SUCCESS == + sd_wait_currentstate_dataready(chip, 0x08, 1, 20)) { + cmd[0] = 0x40 | READ_SINGLE_BLOCK; + cmd[1] = 0x00; + cmd[2] = 0x00; + cmd[3] = 0x00; + cmd[4] = 0x00; + if (CHK_MMC_8BIT(sd_card)) { + retval = + sd_read_data(chip, SD_TM_NORMAL_READ, cmd, + 5, 512, 1, SD_BUS_WIDTH_8, + NULL, 0, 600); + } else if (CHK_MMC_4BIT(sd_card)) { + retval = + sd_read_data(chip, SD_TM_NORMAL_READ, cmd, + 5, 512, 1, SD_BUS_WIDTH_4, + NULL, 0, 600); + } else { + retval = + sd_read_data(chip, SD_TM_NORMAL_READ, cmd, + 5, 512, 1, SD_BUS_WIDTH_1, + NULL, 0, 600); + } + + if (retval != STATUS_SUCCESS) { + CLR_MMC_DDR52(sd_card); + change_to_ddr52 = 0; + RTS51X_DEBUGP("read lba0 fail," + "goto SD20 mode\n"); + sd_init_power(chip); + goto MMC_DDR_FAIL; + } + } + } + + retval = rts51x_get_card_status(chip, &(chip->card_status)); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + if (chip->card_status & SD_WP) + chip->card_wp |= SD_CARD; + + return STATUS_SUCCESS; +} + +int rts51x_reset_sd_card(struct rts51x_chip *chip) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + int i; + + memset(sd_card, 0, sizeof(struct sd_info)); + + /* Init variables */ + sd_card->sd_type = 0; + sd_card->seq_mode = 0; + sd_card->sd_data_buf_ready = 0; + sd_card->capacity = 0; + sd_card->sd_switch_fail = 0; + + sd_clear_reset_fail(chip); + rts51x_enable_card_clock(chip, SD_CARD); + + sd_init_power(chip); + + chip->reset_need_retry = 0; + for (i = 0; i < 3; i++) { + if (!chip->option.reset_mmc_first) { /* reset sd first */ + retval = reset_sd(chip); + if (retval != STATUS_SUCCESS) { + /* Switch SD bus to 3V3 signal */ + RTS51X_WRITE_REG(chip, SD_PAD_CTL, + SD_IO_USING_1V8, 0); + if (sd_check_reset_fail(chip, SD_RESET_FAIL)) + sd_clear_reset_fail(chip); + else + retval = reset_mmc(chip); + } + } else { /* reset MMC first */ + retval = reset_mmc(chip); + if (retval != STATUS_SUCCESS) { + if (sd_check_reset_fail(chip, MMC_RESET_FAIL)) { + sd_clear_reset_fail(chip); + } else { + retval = reset_sd(chip); + if (retval != STATUS_SUCCESS) { + /* Switch SD bus to + * 3V3 signal */ + RTS51X_WRITE_REG(chip, + SD_PAD_CTL, + SD_IO_USING_1V8, 0); + } + } + } + } + + if ((retval == STATUS_SUCCESS) || (!chip->reset_need_retry)) { + /* if reset success or don't need retry,then break */ + break; + } + if (monitor_card_cd(chip, SD_CARD) == CD_NOT_EXIST) { + /* card is extracted */ + break; + } + RTS51X_DEBUGP("retry reset sd card,%d\n", i); + chip->reset_need_retry = 0; + } + + sd_clear_reset_fail(chip); + chip->reset_need_retry = 0; + + if (retval == STATUS_SUCCESS) { + rts51x_init_cmd(chip); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG1, SD_CLK_DIVIDE_MASK, + SD_CLK_DIVIDE_0); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_L, 0xFF, 0); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_H, 0xFF, 2); + retval = rts51x_send_cmd(chip, MODE_C, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } else { + chip->capacity[chip->card2lun[SD_CARD]] = sd_card->capacity = 0; + if (chip->option.reset_or_rw_fail_set_pad_drive) { + rts51x_write_register(chip, CARD_DRIVE_SEL, + SD20_DRIVE_MASK, DRIVE_8mA); + } + TRACE_RET(chip, STATUS_FAIL); + } + + chip->capacity[chip->card2lun[SD_CARD]] = sd_card->capacity; + + if (chip->option.sd_send_status_en) { + sd_card->sd_send_status_en = 1; + } else { + if (sd_card->capacity > 0x20000) { /* 64MB */ + sd_card->sd_send_status_en = 0; + } else { + sd_card->sd_send_status_en = 1; + } + } + RTS51X_DEBUGP("sd_card->sd_send_status = %d\n", + sd_card->sd_send_status_en); + + retval = sd_set_init_para(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + RTS51X_DEBUGP("sd_card->sd_type = 0x%x\n", sd_card->sd_type); + + return STATUS_SUCCESS; +} + +#define WAIT_DATA_READY_RTY_CNT 255 + +static int wait_data_buf_ready(struct rts51x_chip *chip) +{ + struct sd_info *sd_card = &(chip->sd_card); + int i, retval; + + for (i = 0; i < WAIT_DATA_READY_RTY_CNT; i++) { + if (monitor_card_cd(chip, SD_CARD) == CD_NOT_EXIST) + TRACE_RET(chip, STATUS_FAIL); + + sd_card->sd_data_buf_ready = 0; + + retval = sd_send_cmd_get_rsp(chip, SEND_STATUS, + sd_card->sd_addr, SD_RSP_TYPE_R1, + NULL, 0); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (sd_card->sd_data_buf_ready) + return sd_send_cmd_get_rsp(chip, SEND_STATUS, + sd_card->sd_addr, + SD_RSP_TYPE_R1, NULL, 0); + } + + sd_set_err_code(chip, SD_TO_ERR); + + TRACE_RET(chip, STATUS_FAIL); +} + +static void sd_stop_seq_mode(struct rts51x_chip *chip) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + + if (sd_card->seq_mode) { + retval = rts51x_sd_switch_clock(chip); + if (retval != STATUS_SUCCESS) + return; + + retval = sd_send_cmd_get_rsp(chip, STOP_TRANSMISSION, 0, + SD_RSP_TYPE_R1b, NULL, 0); + if (retval != STATUS_SUCCESS) + sd_set_err_code(chip, SD_STS_ERR); + sd_card->seq_mode = 0; + + rts51x_ep0_write_register(chip, MC_FIFO_CTL, FIFO_FLUSH, + FIFO_FLUSH); + } +} + +static inline int sd_auto_tune_clock(struct rts51x_chip *chip) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + + if (chip->asic_code) { + if (sd_card->sd_clock > 30) + sd_card->sd_clock -= 20; + } else { + if (sd_card->sd_clock == CLK_100) + sd_card->sd_clock = CLK_80; + else if (sd_card->sd_clock == CLK_80) + sd_card->sd_clock = CLK_60; + else if (sd_card->sd_clock == CLK_60) + sd_card->sd_clock = CLK_50; + } + + retval = rts51x_sd_switch_clock(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + return STATUS_SUCCESS; +} + +int rts51x_sd_rw(struct scsi_cmnd *srb, struct rts51x_chip *chip, u32 start_sector, + u16 sector_cnt) +{ + struct sd_info *sd_card = &(chip->sd_card); + u32 data_addr; + int retval; + u8 flag; + unsigned int pipe; + u8 stageflag; + + sd_card->counter = 0; + + if (!CHK_SD_HCXC(sd_card) && !CHK_MMC_SECTOR_MODE(sd_card)) + data_addr = start_sector << 9; + else + data_addr = start_sector; + + RTS51X_DEBUGP("rts51x_sd_rw, data_addr = 0x%x\n", data_addr); + + sd_clr_err_code(chip); + + retval = rts51x_sd_switch_clock(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (sd_card->seq_mode && ((sd_card->pre_dir != srb->sc_data_direction) + || + ((sd_card->pre_sec_addr + + sd_card->pre_sec_cnt) != start_sector))) { + if ((sd_card->pre_dir == DMA_FROM_DEVICE) + && !CHK_SD30_SPEED(sd_card) + && !CHK_SD_HS(sd_card) + && !CHK_MMC_HS(sd_card) + && sd_card->sd_send_status_en) { + sd_send_cmd_get_rsp(chip, SEND_STATUS, + sd_card->sd_addr, SD_RSP_TYPE_R1, + NULL, 0); + } + + retval = + sd_send_cmd_get_rsp(chip, STOP_TRANSMISSION, 0, + SD_RSP_TYPE_R1b, NULL, 0); + if (retval != STATUS_SUCCESS) { + sd_set_err_code(chip, SD_STS_ERR); + TRACE_RET(chip, sd_parse_err_code(chip)); + } + + sd_card->seq_mode = 0; + + RTS51X_WRITE_REG(chip, MC_FIFO_CTL, FIFO_FLUSH, FIFO_FLUSH); + + if (!CHK_SD30_SPEED(sd_card) + && !CHK_SD_HS(sd_card) + && !CHK_MMC_HS(sd_card) + && sd_card->sd_send_status_en) { + /* random rw, so pre_sec_cnt < 0x80 */ + sd_send_cmd_get_rsp(chip, SEND_STATUS, + sd_card->sd_addr, SD_RSP_TYPE_R1, + NULL, 0); + } + } + + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_L, 0xFF, 0x00); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_H, 0xFF, 0x02); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_L, 0xFF, + (u8) sector_cnt); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_H, 0xFF, + (u8) (sector_cnt >> 8)); + + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01, + RING_BUFFER); + + if (CHK_MMC_8BIT(sd_card)) + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG1, 0x03, + SD_BUS_WIDTH_8); + else if (CHK_MMC_4BIT(sd_card) || CHK_SD(sd_card)) + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG1, 0x03, + SD_BUS_WIDTH_4); + else + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG1, 0x03, + SD_BUS_WIDTH_1); + + if (sd_card->seq_mode) { + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG2, 0xFF, + SD_NO_CALCULATE_CRC7 | SD_CHECK_CRC16 | + SD_NO_WAIT_BUSY_END | SD_NO_CHECK_CRC7 | + SD_RSP_LEN_0); + + rts51x_trans_dma_enable(srb->sc_data_direction, chip, sector_cnt * 512, + DMA_512); + + if (srb->sc_data_direction == DMA_FROM_DEVICE) { + flag = MODE_CDIR; + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_TRANSFER, 0xFF, + SD_TM_AUTO_READ_3 | SD_TRANSFER_START); + } else { + flag = MODE_CDOR; + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_TRANSFER, 0xFF, + SD_TM_AUTO_WRITE_3 | SD_TRANSFER_START); + } + + rts51x_add_cmd(chip, CHECK_REG_CMD, SD_TRANSFER, + SD_TRANSFER_END, SD_TRANSFER_END); + + retval = rts51x_send_cmd(chip, flag, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } else { + if (srb->sc_data_direction == DMA_FROM_DEVICE) { + RTS51X_DEBUGP("SD/MMC CMD %d\n", READ_MULTIPLE_BLOCK); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD0, 0xFF, + 0x40 | READ_MULTIPLE_BLOCK); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD1, 0xFF, + (u8) (data_addr >> 24)); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD2, 0xFF, + (u8) (data_addr >> 16)); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD3, 0xFF, + (u8) (data_addr >> 8)); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD4, 0xFF, + (u8) data_addr); + + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG2, 0xFF, + SD_CALCULATE_CRC7 | SD_CHECK_CRC16 | + SD_NO_WAIT_BUSY_END | SD_CHECK_CRC7 | + SD_RSP_LEN_6); + + rts51x_trans_dma_enable(srb->sc_data_direction, chip, + sector_cnt * 512, DMA_512); + + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_TRANSFER, 0xFF, + SD_TM_AUTO_READ_2 | SD_TRANSFER_START); + rts51x_add_cmd(chip, CHECK_REG_CMD, SD_TRANSFER, + SD_TRANSFER_END, SD_TRANSFER_END); + + retval = rts51x_send_cmd(chip, MODE_CDIR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } else { + retval = rts51x_send_cmd(chip, MODE_C, 50); + if (retval != STATUS_SUCCESS) { + rts51x_clear_sd_error(chip); + + sd_set_err_code(chip, SD_TO_ERR); + TRACE_RET(chip, sd_parse_err_code(chip)); + } + + retval = wait_data_buf_ready(chip); + if (retval != STATUS_SUCCESS) { + sd_set_err_code(chip, SD_TO_ERR); + TRACE_RET(chip, sd_parse_err_code(chip)); + } + + retval = sd_send_cmd_get_rsp(chip, WRITE_MULTIPLE_BLOCK, + data_addr, SD_RSP_TYPE_R1, + NULL, 0); + if (retval != STATUS_SUCCESS) { + sd_set_err_code(chip, SD_CRC_ERR); + TRACE_RET(chip, sd_parse_err_code(chip)); + } + + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG2, 0xFF, + SD_NO_CALCULATE_CRC7 | SD_CHECK_CRC16 | + SD_NO_WAIT_BUSY_END | SD_NO_CHECK_CRC7 | + SD_RSP_LEN_0); + + rts51x_trans_dma_enable(srb->sc_data_direction, chip, + sector_cnt * 512, DMA_512); + + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_TRANSFER, 0xFF, + SD_TM_AUTO_WRITE_3 | SD_TRANSFER_START); + rts51x_add_cmd(chip, CHECK_REG_CMD, SD_TRANSFER, + SD_TRANSFER_END, SD_TRANSFER_END); + + retval = rts51x_send_cmd(chip, MODE_CDOR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + + sd_card->seq_mode = 1; + } + + if (srb->sc_data_direction == DMA_FROM_DEVICE) { + pipe = RCV_BULK_PIPE(chip); + stageflag = STAGE_DI; + } else { + pipe = SND_BULK_PIPE(chip); + stageflag = STAGE_DO; + } + + retval = + rts51x_transfer_data_rcc(chip, pipe, scsi_sglist(srb), + scsi_bufflen(srb), scsi_sg_count(srb), + NULL, 10000, stageflag); + if (retval != STATUS_SUCCESS) { + u8 stat = 0; + int err = retval; + + sd_print_debug_reg(chip); + + rts51x_ep0_read_register(chip, SD_STAT1, &stat); + RTS51X_DEBUGP("SD_STAT1: 0x%x\n", stat); + + rts51x_clear_sd_error(chip); + + retval = + sd_send_cmd_get_rsp(chip, STOP_TRANSMISSION, 0, + SD_RSP_TYPE_R1b, NULL, 0); + if (retval != STATUS_SUCCESS) { + sd_set_err_code(chip, SD_STS_ERR); + TRACE_RET(chip, retval); + } + + if (stat & (SD_CRC7_ERR | SD_CRC16_ERR | SD_CRC_WRITE_ERR)) { + RTS51X_DEBUGP("SD CRC error, tune clock!\n"); + sd_auto_tune_clock(chip); + } + + sd_card->seq_mode = 0; + + TRACE_RET(chip, err); + } + retval = rts51x_get_rsp(chip, 1, 2000); + if (CHECK_SD_TRANS_FAIL(chip, retval)) { + rts51x_clear_sd_error(chip); + TRACE_RET(chip, STATUS_FAIL); + } + + sd_card->pre_sec_addr = start_sector; + sd_card->pre_sec_cnt = sector_cnt; + sd_card->pre_dir = srb->sc_data_direction; + + return STATUS_SUCCESS; +} + +void rts51x_sd_cleanup_work(struct rts51x_chip *chip) +{ + struct sd_info *sd_card = &(chip->sd_card); + + if (sd_card->seq_mode) { + RTS51X_DEBUGP("SD: stop transmission\n"); + sd_stop_seq_mode(chip); + sd_card->counter = 0; + } +} + +static inline void sd_fill_power_off_card3v3(struct rts51x_chip *chip) +{ + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_CLK_EN, SD_CLK_EN, 0); + + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_OE, SD_OUTPUT_EN, 0); + if (!chip->option.FT2_fast_mode) { +#ifdef SD_XD_IO_FOLLOW_PWR + if (CHECK_PKG(chip, LQFP48) + || chip->option.rts5129_D3318_off_enable) + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL, + POWER_MASK | LDO_OFF, + POWER_OFF | LDO_OFF); + else + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL, + POWER_MASK, POWER_OFF); +#else + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL, POWER_MASK, + POWER_OFF); +#endif + } +} + +static int sd_power_off_card3v3(struct rts51x_chip *chip) +{ + int retval; + + rts51x_init_cmd(chip); + + sd_fill_power_off_card3v3(chip); + + retval = rts51x_send_cmd(chip, MODE_C, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); +#ifdef SD_XD_IO_FOLLOW_PWR + if (!chip->option.FT2_fast_mode) + wait_timeout(chip->option.D3318_off_delay); +#endif + + return STATUS_SUCCESS; +} + +int rts51x_release_sd_card(struct rts51x_chip *chip) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + + RTS51X_DEBUGP("rts51x_release_sd_card\n"); + + chip->card_ready &= ~SD_CARD; + chip->card_fail &= ~SD_CARD; + chip->card_wp &= ~SD_CARD; + + memset(sd_card->raw_csd, 0, 16); + memset(sd_card->raw_scr, 0, 8); + + rts51x_write_register(chip, SFSM_ED, HW_CMD_STOP, HW_CMD_STOP); + rts51x_write_register(chip, SD_PAD_CTL, SD_IO_USING_1V8, 0); + if (CHECK_PKG(chip, LQFP48) || chip->option.rts5129_D3318_off_enable) + sd_power_off_card3v3(chip); + + rts51x_init_cmd(chip); + if (!(CHECK_PKG(chip, LQFP48) || chip->option.rts5129_D3318_off_enable)) + sd_fill_power_off_card3v3(chip); + + if (chip->asic_code) + sd_pull_ctl_disable(chip); + else + rts51x_add_cmd(chip, WRITE_REG_CMD, FPGA_PULL_CTL, + FPGA_SD_PULL_CTL_BIT | 0x20, + FPGA_SD_PULL_CTL_BIT); + + /* Switch LDO3318 to 3.3V */ + rts51x_add_cmd(chip, WRITE_REG_CMD, LDO_POWER_CFG, TUNE_SD18_MASK, + TUNE_SD18_3V3); + + if (CHK_MMC_DDR52(sd_card) && CHK_MMC_8BIT(sd_card)) + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DMA1_CTL, + EXTEND_DMA1_ASYNC_SIGNAL, + EXTEND_DMA1_ASYNC_SIGNAL); + if (CHK_SD30_SPEED(sd_card) || CHK_MMC(sd_card)) + rts51x_add_cmd(chip, WRITE_REG_CMD, SD30_DRIVE_SEL, + SD30_DRIVE_MASK, chip->option.sd30_pad_drive); + /* Suspend LDO3318 */ + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL, LDO3318_PWR_MASK, + LDO_SUSPEND); + + retval = rts51x_send_cmd(chip, MODE_C, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + wait_timeout(20); + + return STATUS_SUCCESS; +} diff --git a/drivers/staging/rts5139/sd.h b/drivers/staging/rts5139/sd.h new file mode 100644 index 000000000000..7dd943f54c74 --- /dev/null +++ b/drivers/staging/rts5139/sd.h @@ -0,0 +1,275 @@ +/* Driver for Realtek RTS51xx USB card reader + * Header file + * + * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, see <http://www.gnu.org/licenses/>. + * + * Author: + * wwang (wei_wang(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + * Maintainer: + * Edwin Rong (edwin_rong(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + */ + +#ifndef __RTS51X_SD_H +#define __RTS51X_SD_H + +#include "rts51x_chip.h" + +#define SD_MAX_RETRY_COUNT 3 + +#define SUPPORT_VOLTAGE 0x003C0000 + +#define SD_RESET_FAIL 0x01 +#define MMC_RESET_FAIL 0x02 + +/* Error Code */ +#define SD_NO_ERROR 0x0 +#define SD_CRC_ERR 0x80 +#define SD_TO_ERR 0x40 +#define SD_NO_CARD 0x20 +#define SD_BUSY 0x10 +#define SD_STS_ERR 0x08 +#define SD_RSP_TIMEOUT 0x04 + +/* MMC/SD Command Index */ +/* Basic command (class 0) */ +#define GO_IDLE_STATE 0 +#define SEND_OP_COND 1 /* reserved for SD */ +#define ALL_SEND_CID 2 +#define SET_RELATIVE_ADDR 3 +#define SEND_RELATIVE_ADDR 3 +#define SET_DSR 4 +#define IO_SEND_OP_COND 5 +#define SWITCH 6 +#define SELECT_CARD 7 +#define DESELECT_CARD 7 +/* CMD8 is "SEND_EXT_CSD" for MMC4.x Spec + * while is "SEND_IF_COND" for SD 2.0 */ +#define SEND_EXT_CSD 8 +#define SEND_IF_COND 8 +/* end */ +#define SEND_CSD 9 +#define SEND_CID 10 +#define VOLTAGE_SWITCH 11 +#define READ_DAT_UTIL_STOP 11 /* reserved for SD */ +#define STOP_TRANSMISSION 12 +#define SEND_STATUS 13 +#define GO_INACTIVE_STATE 15 + +/* Block oriented read commands (class 2) */ +#define SET_BLOCKLEN 16 +#define READ_SINGLE_BLOCK 17 +#define READ_MULTIPLE_BLOCK 18 +#define SEND_TUNING_PATTERN 19 + +/* Bus Width Test */ +#define BUSTEST_R 14 +#define BUSTEST_W 19 +/* end */ + +/* Block oriented write commands (class 4) */ +#define WRITE_BLOCK 24 +#define WRITE_MULTIPLE_BLOCK 25 +#define PROGRAM_CSD 27 + +/* Erase commands */ +#define ERASE_WR_BLK_START 32 +#define ERASE_WR_BLK_END 33 +#define ERASE_CMD 38 + +/* Block Oriented Write Protection Commands */ +#define LOCK_UNLOCK 42 + +#define IO_RW_DIRECT 52 + +/* Application specific commands (class 8) */ +#define APP_CMD 55 +#define GEN_CMD 56 + +/* SD Application command Index */ +#define SET_BUS_WIDTH 6 +#define SD_STATUS 13 +#define SEND_NUM_WR_BLOCKS 22 +#define SET_WR_BLK_ERASE_COUNT 23 +#define SD_APP_OP_COND 41 +#define SET_CLR_CARD_DETECT 42 +#define SEND_SCR 51 + +/* SD TIMEOUT function return error */ +#define SD_READ_COMPLETE 0x00 +#define SD_READ_TO 0x01 +#define SD_READ_ADVENCE 0x02 + +/* SD v1.1 CMD6 SWITCH function */ +#define SD_CHECK_MODE 0x00 +#define SD_SWITCH_MODE 0x80 +#define SD_FUNC_GROUP_1 0x01 +#define SD_FUNC_GROUP_2 0x02 +#define SD_FUNC_GROUP_3 0x03 +#define SD_FUNC_GROUP_4 0x04 +#define SD_CHECK_SPEC_V1_1 0xFF + +/* SD Command Argument */ +#define NO_ARGUMENT 0x00 +#define CHECK_PATTERN 0x000000AA +#define VOLTAGE_SUPPLY_RANGE 0x00000100 /* 2.7~3.6V */ +#define SUPPORT_HIGH_AND_EXTENDED_CAPACITY 0x40000000 +#define SUPPORT_MAX_POWER_PERMANCE 0x10000000 +#define SUPPORT_1V8 0x01000000 + +/* Switch Command Error Code */ +#define SWTICH_NO_ERR 0x00 +#define CARD_NOT_EXIST 0x01 +#define SPEC_NOT_SUPPORT 0x02 +#define CHECK_MODE_ERR 0x03 +#define CHECK_NOT_READY 0x04 +#define SWITCH_CRC_ERR 0x05 +#define SWITCH_MODE_ERR 0x06 +#define SWITCH_PASS 0x07 + +/* Function Group Definition */ +/* Function Group 1 */ +#define HS_SUPPORT 0x01 +#define SDR50_SUPPORT 0x02 +#define SDR104_SUPPORT 0x03 +#define DDR50_SUPPORT 0x04 +#define HS_SUPPORT_MASK 0x02 +#define SDR50_SUPPORT_MASK 0x04 +#define SDR104_SUPPORT_MASK 0x08 +#define DDR50_SUPPORT_MASK 0x10 +#define HS_QUERY_SWITCH_OK 0x01 +#define SDR50_QUERY_SWITCH_OK 0x02 +#define SDR104_QUERY_SWITCH_OK 0x03 +#define DDR50_QUERY_SWITCH_OK 0x04 +#define HS_SWITCH_BUSY 0x02 +#define SDR50_SWITCH_BUSY 0x04 +#define SDR104_SWITCH_BUSY 0x08 +#define DDR50_SWITCH_BUSY 0x10 +#define FUNCTION_GROUP1_SUPPORT_OFFSET 0x0D +#define FUNCTION_GROUP1_QUERY_SWITCH_OFFSET 0x10 +#define FUNCTION_GROUP1_CHECK_BUSY_OFFSET 0x1D +/* Function Group 3 */ +#define DRIVING_TYPE_A 0x01 +#define DRIVING_TYPE_B 0x00 +#define DRIVING_TYPE_C 0x02 +#define DRIVING_TYPE_D 0x03 +#define DRIVING_TYPE_A_MASK 0x02 +#define DRIVING_TYPE_B_MASK 0x01 +#define DRIVING_TYPE_C_MASK 0x04 +#define DRIVING_TYPE_D_MASK 0x08 +#define TYPE_A_QUERY_SWITCH_OK 0x01 +#define TYPE_B_QUERY_SWITCH_OK 0x00 +#define TYPE_C_QUERY_SWITCH_OK 0x02 +#define TYPE_D_QUERY_SWITCH_OK 0x03 +#define TYPE_A_SWITCH_BUSY 0x02 +#define TYPE_B_SWITCH_BUSY 0x01 +#define TYPE_C_SWITCH_BUSY 0x04 +#define TYPE_D_SWITCH_BUSY 0x08 +#define FUNCTION_GROUP3_SUPPORT_OFFSET 0x09 +#define FUNCTION_GROUP3_QUERY_SWITCH_OFFSET 0x0F +#define FUNCTION_GROUP3_CHECK_BUSY_OFFSET 0x19 +/* Function Group 4 */ +#define CURRENT_LIMIT_200 0x00 +#define CURRENT_LIMIT_400 0x01 +#define CURRENT_LIMIT_600 0x02 +#define CURRENT_LIMIT_800 0x03 +#define CURRENT_LIMIT_200_MASK 0x01 +#define CURRENT_LIMIT_400_MASK 0x02 +#define CURRENT_LIMIT_600_MASK 0x04 +#define CURRENT_LIMIT_800_MASK 0x08 +#define CURRENT_LIMIT_200_QUERY_SWITCH_OK 0x00 +#define CURRENT_LIMIT_400_QUERY_SWITCH_OK 0x01 +#define CURRENT_LIMIT_600_QUERY_SWITCH_OK 0x02 +#define CURRENT_LIMIT_800_QUERY_SWITCH_OK 0x03 +#define CURRENT_LIMIT_200_SWITCH_BUSY 0x01 +#define CURRENT_LIMIT_400_SWITCH_BUSY 0x02 +#define CURRENT_LIMIT_600_SWITCH_BUSY 0x04 +#define CURRENT_LIMIT_800_SWITCH_BUSY 0x08 +#define FUNCTION_GROUP4_SUPPORT_OFFSET 0x07 +#define FUNCTION_GROUP4_QUERY_SWITCH_OFFSET 0x0F +#define FUNCTION_GROUP4_CHECK_BUSY_OFFSET 0x17 +/* Switch Function Status Offset */ +#define DATA_STRUCTURE_VER_OFFSET 0x11 /* The high offset */ +#define MAX_PHASE 15 +/* #define TOTAL_READ_PHASE 0x20 */ +/* #define TOTAL_WRITE_PHASE 0x20 */ +/* MMC v4.0 */ +/* #define MMC_52MHZ_SPEED 0x0001 */ +/* #define MMC_26MHZ_SPEED 0x0002 */ +#define MMC_8BIT_BUS 0x0010 +#define MMC_4BIT_BUS 0x0020 +/* #define MMC_SECTOR_MODE 0x0100 */ +#define MMC_SWITCH_ERR 0x80 +/* Tuning direction RX or TX */ +#define TUNE_TX 0x00 +#define TUNE_RX 0x01 +/* For Change_DCM_FreqMode Function */ +#define CHANGE_TX 0x00 +#define CHANGE_RX 0x01 +#define DCM_HIGH_FREQUENCY_MODE 0x00 +#define DCM_LOW_FREQUENCY_MODE 0x01 +#define DCM_HIGH_FREQUENCY_MODE_SET 0x0C +#define DCM_Low_FREQUENCY_MODE_SET 0x00 +/* For Change_FPGA_SSCClock Function */ +#define MULTIPLY_BY_1 0x00 +#define MULTIPLY_BY_2 0x01 +#define MULTIPLY_BY_3 0x02 +#define MULTIPLY_BY_4 0x03 +#define MULTIPLY_BY_5 0x04 +#define MULTIPLY_BY_6 0x05 +#define MULTIPLY_BY_7 0x06 +#define MULTIPLY_BY_8 0x07 +#define MULTIPLY_BY_9 0x08 +#define MULTIPLY_BY_10 0x09 +#define DIVIDE_BY_2 0x01 +#define DIVIDE_BY_3 0x02 +#define DIVIDE_BY_4 0x03 +#define DIVIDE_BY_5 0x04 +#define DIVIDE_BY_6 0x05 +#define DIVIDE_BY_7 0x06 +#define DIVIDE_BY_8 0x07 +#define DIVIDE_BY_9 0x08 +#define DIVIDE_BY_10 0x09 +#define CHECK_SD_TRANS_FAIL(chip, retval) \ + (((retval) != STATUS_SUCCESS) || \ + (chip->rsp_buf[0] & SD_TRANSFER_ERR)) +/* SD Tuning Data Structure */ +/* Record continuous timing phase path */ +struct timing_phase_path { + int start; + int end; + int mid; + int len; +}; + +int rts51x_sd_select_card(struct rts51x_chip *chip, int select); +int rts51x_reset_sd_card(struct rts51x_chip *chip); +int rts51x_sd_switch_clock(struct rts51x_chip *chip); +int rts51x_sd_rw(struct scsi_cmnd *srb, struct rts51x_chip *chip, u32 start_sector, + u16 sector_cnt); +void rts51x_sd_cleanup_work(struct rts51x_chip *chip); +int rts51x_release_sd_card(struct rts51x_chip *chip); + +#ifdef SUPPORT_CPRM +extern int reset_sd(struct rts51x_chip *chip); +extern int sd_check_data0_status(struct rts51x_chip *chip); +extern int sd_read_data(struct rts51x_chip *chip, u8 trans_mode, u8 *cmd, + int cmd_len, u16 byte_cnt, u16 blk_cnt, u8 bus_width, + u8 *buf, int buf_len, int timeout); +#endif + +#endif /* __RTS51X_SD_H */ diff --git a/drivers/staging/rts5139/sd_cprm.c b/drivers/staging/rts5139/sd_cprm.c new file mode 100644 index 000000000000..cede6c07394f --- /dev/null +++ b/drivers/staging/rts5139/sd_cprm.c @@ -0,0 +1,1056 @@ +/* Driver for Realtek RTS51xx USB card reader + * + * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, see <http://www.gnu.org/licenses/>. + * + * Author: + * wwang (wei_wang(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + * Maintainer: + * Edwin Rong (edwin_rong(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + */ + +#include <linux/blkdev.h> +#include <linux/kthread.h> +#include <linux/sched.h> +#include <linux/slab.h> + +#include "debug.h" +#include "trace.h" +#include "rts51x.h" +#include "rts51x_transport.h" +#include "rts51x_scsi.h" +#include "rts51x_card.h" +#include "rts51x_chip.h" +#include "sd_cprm.h" +#include "sd.h" + +#ifdef SUPPORT_CPRM + +static inline int get_rsp_type(u8 rsp_code, u8 *rsp_type, int *rsp_len) +{ + if (!rsp_type || !rsp_len) + return STATUS_FAIL; + + switch (rsp_code) { + case 0x03: + *rsp_type = SD_RSP_TYPE_R0; /* no response */ + *rsp_len = 0; + break; + + case 0x04: + *rsp_type = SD_RSP_TYPE_R1; /* R1,R6(,R4,R5) */ + *rsp_len = 6; + break; + + case 0x05: + *rsp_type = SD_RSP_TYPE_R1b; /* R1b */ + *rsp_len = 6; + break; + + case 0x06: + *rsp_type = SD_RSP_TYPE_R2; /* R2 */ + *rsp_len = 17; + break; + + case 0x07: + *rsp_type = SD_RSP_TYPE_R3; /* R3 */ + *rsp_len = 6; + break; + + default: + return STATUS_FAIL; + } + + return STATUS_SUCCESS; +} + +static int ext_sd_send_cmd_get_rsp(struct rts51x_chip *chip, u8 cmd_idx, + u32 arg, u8 rsp_type, u8 *rsp, int rsp_len, + int special_check) +{ + int retval; + int timeout = 50; + u16 reg_addr; + u8 buf[17], stat; + int len = 2; + int rty_cnt = 0; + + RTS51X_DEBUGP("EXT SD/MMC CMD %d\n", cmd_idx); + + if (rsp_type == SD_RSP_TYPE_R1b) + timeout = 3000; + +RTY_SEND_CMD: + + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD0, 0xFF, 0x40 | cmd_idx); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD1, 0xFF, (u8) (arg >> 24)); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD2, 0xFF, (u8) (arg >> 16)); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD3, 0xFF, (u8) (arg >> 8)); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD4, 0xFF, (u8) arg); + + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG2, 0xFF, rsp_type); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, + 0x01, PINGPONG_BUFFER); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_TRANSFER, + 0xFF, SD_TM_CMD_RSP | SD_TRANSFER_START); + rts51x_add_cmd(chip, CHECK_REG_CMD, SD_TRANSFER, SD_TRANSFER_END, + SD_TRANSFER_END); + + rts51x_add_cmd(chip, READ_REG_CMD, SD_STAT1, 0, 0); + + if (CHECK_USB(chip, USB_20)) { + if (rsp_type == SD_RSP_TYPE_R2) { + for (reg_addr = PPBUF_BASE2; + reg_addr < PPBUF_BASE2 + 16; reg_addr++) { + rts51x_add_cmd(chip, READ_REG_CMD, reg_addr, 0, + 0); + } + len = 19; + } else if (rsp_type != SD_RSP_TYPE_R0) { + /* Read data from SD_CMDx registers */ + for (reg_addr = SD_CMD0; reg_addr <= SD_CMD4; + reg_addr++) { + rts51x_add_cmd(chip, READ_REG_CMD, reg_addr, 0, + 0); + } + len = 8; + } else { + len = 3; + } + rts51x_add_cmd(chip, READ_REG_CMD, SD_CMD5, 0, 0); + } else { + len = 2; + } + + retval = rts51x_send_cmd(chip, MODE_CR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = rts51x_get_rsp(chip, len, timeout); + + if (CHECK_SD_TRANS_FAIL(chip, retval)) { + rts51x_clear_sd_error(chip); + + if (retval == STATUS_TIMEDOUT) { + if (rsp_type & SD_WAIT_BUSY_END) { + retval = sd_check_data0_status(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + } + TRACE_RET(chip, STATUS_FAIL); + } + + if (rsp_type == SD_RSP_TYPE_R0) + return STATUS_SUCCESS; + + if (CHECK_USB(chip, USB_20)) { + rts51x_read_rsp_buf(chip, 2, buf, len - 2); + } else { + if (rsp_type == SD_RSP_TYPE_R2) { + reg_addr = PPBUF_BASE2; + len = 16; + } else { + reg_addr = SD_CMD0; + len = 5; + } + retval = + rts51x_seq_read_register(chip, reg_addr, + (unsigned short)len, buf); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + RTS51X_READ_REG(chip, SD_CMD5, buf + len); + } + stat = chip->rsp_buf[1]; + + if ((buf[0] & 0xC0) != 0) + TRACE_RET(chip, STATUS_FAIL); + + if (!(rsp_type & SD_NO_CHECK_CRC7)) { + if (stat & SD_CRC7_ERR) { + if (cmd_idx == WRITE_MULTIPLE_BLOCK) + TRACE_RET(chip, STATUS_FAIL); + if (rty_cnt < SD_MAX_RETRY_COUNT) { + wait_timeout(20); + rty_cnt++; + goto RTY_SEND_CMD; + } else { + TRACE_RET(chip, STATUS_FAIL); + } + } + } + + if ((cmd_idx == SELECT_CARD) || (cmd_idx == APP_CMD) || + (cmd_idx == SEND_STATUS) || (cmd_idx == STOP_TRANSMISSION)) { + if ((cmd_idx != STOP_TRANSMISSION) && (special_check == 0)) { + if (buf[1] & 0x80) + TRACE_RET(chip, STATUS_FAIL); + } + if (buf[1] & 0x7F) + TRACE_RET(chip, STATUS_FAIL); + if (buf[2] & 0xF8) + TRACE_RET(chip, STATUS_FAIL); + + if (cmd_idx == SELECT_CARD) { + if (rsp_type == SD_RSP_TYPE_R2) { + if ((buf[3] & 0x1E) != 0x04) + TRACE_RET(chip, STATUS_FAIL); + } else if (rsp_type == SD_RSP_TYPE_R2) { + if ((buf[3] & 0x1E) != 0x03) + TRACE_RET(chip, STATUS_FAIL); + } + } + } + + if (rsp && rsp_len) + memcpy(rsp, buf, rsp_len); + + return STATUS_SUCCESS; +} + +static int ext_sd_get_rsp(struct rts51x_chip *chip, int len, + u8 *rsp, u8 rsp_type) +{ + int retval, rsp_len; + u16 reg_addr; + + if (rsp_type == SD_RSP_TYPE_R0) + return STATUS_SUCCESS; + + rts51x_init_cmd(chip); + + if (rsp_type == SD_RSP_TYPE_R2) { + for (reg_addr = PPBUF_BASE2; reg_addr < PPBUF_BASE2 + 16; + reg_addr++) { + rts51x_add_cmd(chip, READ_REG_CMD, reg_addr, 0xFF, 0); + } + rsp_len = 17; + } else if (rsp_type != SD_RSP_TYPE_R0) { + for (reg_addr = SD_CMD0; reg_addr <= SD_CMD4; reg_addr++) + rts51x_add_cmd(chip, READ_REG_CMD, reg_addr, 0xFF, 0); + rsp_len = 6; + } + rts51x_add_cmd(chip, READ_REG_CMD, SD_CMD5, 0xFF, 0); + + retval = rts51x_send_cmd(chip, MODE_CR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = rts51x_get_rsp(chip, rsp_len, 100); + + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (rsp) { + int min_len = (rsp_len < len) ? rsp_len : len; + + memcpy(rsp, rts51x_get_rsp_data(chip), min_len); + + RTS51X_DEBUGP("min_len = %d\n", min_len); + RTS51X_DEBUGP("Response in cmd buf: 0x%x 0x%x 0x%x 0x%x\n", + rsp[0], rsp[1], rsp[2], rsp[3]); + } + + return STATUS_SUCCESS; +} + +int ext_rts51x_sd_execute_no_data(struct rts51x_chip *chip, unsigned int lun, + u8 cmd_idx, u8 standby, u8 acmd, u8 rsp_code, + u32 arg) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval, rsp_len; + u8 rsp_type; + + retval = rts51x_sd_switch_clock(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, TRANSPORT_FAILED); + + if (sd_card->pre_cmd_err) { + sd_card->pre_cmd_err = 0; + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_CHANGE); + TRACE_RET(chip, TRANSPORT_FAILED); + } + retval = get_rsp_type(rsp_code, &rsp_type, &rsp_len); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + sd_card->last_rsp_type = rsp_type; + + retval = rts51x_sd_switch_clock(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, TRANSPORT_FAILED); + /* Set H/W SD/MMC Bus Width */ + rts51x_write_register(chip, SD_CFG1, 0x03, SD_BUS_WIDTH_4); + + if (standby) { + retval = rts51x_sd_select_card(chip, 0); + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, SD_Execute_Cmd_Failed); + } + + if (acmd) { + retval = + ext_sd_send_cmd_get_rsp(chip, APP_CMD, sd_card->sd_addr, + SD_RSP_TYPE_R1, NULL, 0, 0); + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, SD_Execute_Cmd_Failed); + } + + retval = ext_sd_send_cmd_get_rsp(chip, cmd_idx, arg, rsp_type, + sd_card->rsp, rsp_len, 0); + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, SD_Execute_Cmd_Failed); + + if (standby) { + retval = rts51x_sd_select_card(chip, 1); + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, SD_Execute_Cmd_Failed); + } + + return TRANSPORT_GOOD; + +SD_Execute_Cmd_Failed: + sd_card->pre_cmd_err = 1; + rts51x_set_sense_type(chip, lun, SENSE_TYPE_NO_SENSE); + rts51x_release_sd_card(chip); + rts51x_do_rts51x_reset_sd_card(chip); + if (!(chip->card_ready & SD_CARD)) + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT); + + TRACE_RET(chip, TRANSPORT_FAILED); +} + +int ext_rts51x_sd_execute_read_data(struct rts51x_chip *chip, unsigned int lun, + u8 cmd_idx, u8 cmd12, u8 standby, + u8 acmd, u8 rsp_code, u32 arg, u32 data_len, + void *data_buf, unsigned int buf_len, int use_sg) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval, rsp_len, i; + int cmd13_checkbit = 0, read_err = 0; + u8 rsp_type, bus_width; + + if (sd_card->pre_cmd_err) { + sd_card->pre_cmd_err = 0; + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_CHANGE); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + retval = rts51x_sd_switch_clock(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, STATUS_FAIL); + retval = get_rsp_type(rsp_code, &rsp_type, &rsp_len); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + sd_card->last_rsp_type = rsp_type; + + retval = rts51x_sd_switch_clock(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, TRANSPORT_FAILED); + bus_width = SD_BUS_WIDTH_4; + + if (data_len < 512) { + retval = ext_sd_send_cmd_get_rsp(chip, SET_BLOCKLEN, data_len, + SD_RSP_TYPE_R1, NULL, 0, 0); + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, SD_Execute_Read_Cmd_Failed); + } + + if (standby) { + retval = rts51x_sd_select_card(chip, 0); + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, SD_Execute_Read_Cmd_Failed); + } + + if (acmd) { + retval = + ext_sd_send_cmd_get_rsp(chip, APP_CMD, sd_card->sd_addr, + SD_RSP_TYPE_R1, NULL, 0, 0); + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, SD_Execute_Read_Cmd_Failed); + } + + if (data_len <= 512) { + int min_len; + u8 *buf; + u16 byte_cnt, blk_cnt; + u8 cmd[5]; + unsigned int offset = 0; + void *sg = NULL; + + byte_cnt = (u16) (data_len & 0x3FF); + blk_cnt = 1; + + cmd[0] = 0x40 | cmd_idx; + cmd[1] = (u8) (arg >> 24); + cmd[2] = (u8) (arg >> 16); + cmd[3] = (u8) (arg >> 8); + cmd[4] = (u8) arg; + + buf = kmalloc(data_len, GFP_KERNEL); + if (buf == NULL) + TRACE_RET(chip, TRANSPORT_ERROR); + + retval = sd_read_data(chip, SD_TM_NORMAL_READ, cmd, 5, byte_cnt, + blk_cnt, bus_width, buf, data_len, 2000); + if (retval != STATUS_SUCCESS) { + read_err = 1; + kfree(buf); + rts51x_write_register(chip, CARD_STOP, + SD_STOP | SD_CLR_ERR, + SD_STOP | SD_CLR_ERR); + TRACE_GOTO(chip, SD_Execute_Read_Cmd_Failed); + } + + min_len = min(data_len, buf_len); + if (use_sg) + rts51x_access_sglist(buf, min_len, (void *)data_buf, + &sg, &offset, TO_XFER_BUF); + else + memcpy(data_buf, buf, min_len); + + kfree(buf); + } else if (!(data_len & 0x1FF)) { + rts51x_init_cmd(chip); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_H, 0xFF, 0x02); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_L, 0xFF, 0x00); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_H, + 0xFF, (u8) (data_len >> 17)); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_L, + 0xFF, (u8) ((data_len & 0x0001FE00) >> 9)); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD0, 0xFF, + 0x40 | cmd_idx); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD1, 0xFF, + (u8) (arg >> 24)); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD2, 0xFF, + (u8) (arg >> 16)); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD3, 0xFF, + (u8) (arg >> 8)); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CMD4, 0xFF, (u8) arg); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG1, 0x03, bus_width); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_CFG2, 0xFF, rsp_type); + rts51x_trans_dma_enable(DMA_FROM_DEVICE, chip, data_len, DMA_512); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_TRANSFER, 0xFF, + SD_TM_AUTO_READ_2 | SD_TRANSFER_START); + rts51x_add_cmd(chip, CHECK_REG_CMD, SD_TRANSFER, + SD_TRANSFER_END, SD_TRANSFER_END); + retval = rts51x_send_cmd(chip, MODE_CDIR, 100); + if (retval != STATUS_SUCCESS) { + read_err = 1; + rts51x_ep0_write_register(chip, CARD_STOP, + SD_STOP | SD_CLR_ERR, + SD_STOP | SD_CLR_ERR); + TRACE_GOTO(chip, SD_Execute_Read_Cmd_Failed); + } + + retval = + rts51x_transfer_data_rcc(chip, RCV_BULK_PIPE(chip), + data_buf, buf_len, use_sg, NULL, + 10000, STAGE_DI); + if (retval != STATUS_SUCCESS) { + read_err = 1; + rts51x_ep0_write_register(chip, CARD_STOP, + SD_STOP | SD_CLR_ERR, + SD_STOP | SD_CLR_ERR); + TRACE_GOTO(chip, SD_Execute_Read_Cmd_Failed); + } + retval = rts51x_get_rsp(chip, 1, 500); + if (CHECK_SD_TRANS_FAIL(chip, retval)) { + read_err = 1; + rts51x_ep0_write_register(chip, CARD_STOP, + SD_STOP | SD_CLR_ERR, + SD_STOP | SD_CLR_ERR); + TRACE_GOTO(chip, SD_Execute_Read_Cmd_Failed); + } + } else { + TRACE_GOTO(chip, SD_Execute_Read_Cmd_Failed); + } + + retval = ext_sd_get_rsp(chip, rsp_len, sd_card->rsp, rsp_type); + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, SD_Execute_Read_Cmd_Failed); + + if (standby) { + retval = rts51x_sd_select_card(chip, 1); + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, SD_Execute_Read_Cmd_Failed); + } + + if (cmd12) { + retval = ext_sd_send_cmd_get_rsp(chip, STOP_TRANSMISSION, + 0, SD_RSP_TYPE_R1b, NULL, 0, + 0); + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, SD_Execute_Read_Cmd_Failed); + } + + if (data_len < 512) { + retval = ext_sd_send_cmd_get_rsp(chip, SET_BLOCKLEN, 0x200, + SD_RSP_TYPE_R1, NULL, 0, 0); + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, SD_Execute_Read_Cmd_Failed); + + rts51x_write_register(chip, SD_BYTE_CNT_H, 0xFF, 0x02); + rts51x_write_register(chip, SD_BYTE_CNT_L, 0xFF, 0x00); + } + + if (standby || cmd12) + cmd13_checkbit = 1; + + for (i = 0; i < 3; i++) { + retval = + ext_sd_send_cmd_get_rsp(chip, SEND_STATUS, sd_card->sd_addr, + SD_RSP_TYPE_R1, NULL, 0, + cmd13_checkbit); + if (retval == STATUS_SUCCESS) + break; + } + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, SD_Execute_Read_Cmd_Failed); + + return TRANSPORT_GOOD; + +SD_Execute_Read_Cmd_Failed: + sd_card->pre_cmd_err = 1; + rts51x_set_sense_type(chip, lun, SENSE_TYPE_NO_SENSE); + if (read_err) + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR); + rts51x_release_sd_card(chip); + rts51x_do_rts51x_reset_sd_card(chip); + if (!(chip->card_ready & SD_CARD)) + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT); + + TRACE_RET(chip, TRANSPORT_FAILED); +} + +int ext_rts51x_sd_execute_write_data(struct rts51x_chip *chip, unsigned int lun, + u8 cmd_idx, u8 cmd12, u8 standby, u8 acmd, + u8 rsp_code, u32 arg, u32 data_len, + void *data_buf, unsigned int buf_len, int use_sg) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval, rsp_len; + int cmd13_checkbit = 0, write_err = 0; + u8 rsp_type; + u32 i; + + if (sd_card->pre_cmd_err) { + sd_card->pre_cmd_err = 0; + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_CHANGE); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + retval = rts51x_sd_switch_clock(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, STATUS_FAIL); + + retval = get_rsp_type(rsp_code, &rsp_type, &rsp_len); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + sd_card->last_rsp_type = rsp_type; + + retval = rts51x_sd_switch_clock(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, TRANSPORT_FAILED); + rts51x_write_register(chip, SD_CFG1, 0x03, SD_BUS_WIDTH_4); + + if (data_len < 512) { + retval = ext_sd_send_cmd_get_rsp(chip, SET_BLOCKLEN, data_len, + SD_RSP_TYPE_R1, NULL, 0, 0); + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed); + } + + if (standby) { + retval = rts51x_sd_select_card(chip, 0); + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed); + } + + if (acmd) { + retval = + ext_sd_send_cmd_get_rsp(chip, APP_CMD, sd_card->sd_addr, + SD_RSP_TYPE_R1, NULL, 0, 0); + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed); + } + + retval = ext_sd_send_cmd_get_rsp(chip, cmd_idx, arg, rsp_type, + sd_card->rsp, rsp_len, 0); + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed); + + if (data_len <= 512) { + u8 *buf; + unsigned int offset = 0; + void *sg = NULL; + + buf = kmalloc(data_len, GFP_KERNEL); + if (buf == NULL) + TRACE_RET(chip, TRANSPORT_ERROR); + + if (use_sg) + rts51x_access_sglist(buf, data_len, (void *)data_buf, + &sg, &offset, FROM_XFER_BUF); + else + memcpy(buf, data_buf, data_len); + + + if (data_len > 256) { + rts51x_init_cmd(chip); + for (i = 0; i < 256; i++) { + rts51x_add_cmd(chip, WRITE_REG_CMD, + (u16) (PPBUF_BASE2 + i), 0xFF, + buf[i]); + } + retval = rts51x_send_cmd(chip, MODE_C, 250); + if (retval != STATUS_SUCCESS) { + kfree(buf); + TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed); + } + + rts51x_init_cmd(chip); + for (i = 256; i < data_len; i++) { + rts51x_add_cmd(chip, WRITE_REG_CMD, + (u16) (PPBUF_BASE2 + i), 0xFF, + buf[i]); + } + retval = rts51x_send_cmd(chip, MODE_C, 250); + if (retval != STATUS_SUCCESS) { + kfree(buf); + TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed); + } + } else { + rts51x_init_cmd(chip); + for (i = 0; i < data_len; i++) { + rts51x_add_cmd(chip, WRITE_REG_CMD, + (u16) (PPBUF_BASE2 + i), 0xFF, + buf[i]); + } + retval = rts51x_send_cmd(chip, MODE_C, 250); + if (retval != STATUS_SUCCESS) { + kfree(buf); + TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed); + } + } + + kfree(buf); + + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_H, 0xFF, + (u8) ((data_len >> 8) & 0x03)); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_L, 0xFF, + (u8) data_len); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_H, 0xFF, 0x00); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_L, 0xFF, 0x01); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01, + PINGPONG_BUFFER); + + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_TRANSFER, 0xFF, + SD_TM_AUTO_WRITE_3 | SD_TRANSFER_START); + rts51x_add_cmd(chip, CHECK_REG_CMD, SD_TRANSFER, + SD_TRANSFER_END, SD_TRANSFER_END); + + retval = rts51x_send_cmd(chip, MODE_CR, 100); + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed); + + retval = rts51x_get_rsp(chip, 1, 250); + if (CHECK_SD_TRANS_FAIL(chip, retval)) + TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed); + } else if (!(data_len & 0x1FF)) { + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_H, 0xFF, 0x02); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BYTE_CNT_L, 0xFF, 0x00); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_H, + 0xFF, (u8) (data_len >> 17)); + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_BLOCK_CNT_L, + 0xFF, (u8) ((data_len & 0x0001FE00) >> 9)); + + rts51x_trans_dma_enable(DMA_TO_DEVICE, chip, data_len, DMA_512); + + rts51x_add_cmd(chip, WRITE_REG_CMD, SD_TRANSFER, 0xFF, + SD_TM_AUTO_WRITE_3 | SD_TRANSFER_START); + rts51x_add_cmd(chip, CHECK_REG_CMD, SD_TRANSFER, + SD_TRANSFER_END, SD_TRANSFER_END); + + retval = rts51x_send_cmd(chip, MODE_CDOR, 100); + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed); + + retval = + rts51x_transfer_data_rcc(chip, SND_BULK_PIPE(chip), + data_buf, buf_len, use_sg, NULL, + 10000, STAGE_DO); + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed); + + retval = rts51x_get_rsp(chip, 1, 10000); + if (CHECK_SD_TRANS_FAIL(chip, retval)) + TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed); + + } else { + TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed); + } + + if (retval < 0) { + write_err = 1; + rts51x_write_register(chip, CARD_STOP, SD_STOP | SD_CLR_ERR, + SD_STOP | SD_CLR_ERR); + TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed); + } + + if (standby) { + retval = rts51x_sd_select_card(chip, 1); + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed); + } + + if (cmd12) { + retval = ext_sd_send_cmd_get_rsp(chip, STOP_TRANSMISSION, + 0, SD_RSP_TYPE_R1b, NULL, 0, + 0); + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed); + } + + if (data_len < 512) { + retval = ext_sd_send_cmd_get_rsp(chip, SET_BLOCKLEN, 0x200, + SD_RSP_TYPE_R1, NULL, 0, 0); + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed); + + rts51x_write_register(chip, SD_BYTE_CNT_H, 0xFF, 0x02); + rts51x_write_register(chip, SD_BYTE_CNT_L, 0xFF, 0x00); + } + + if (cmd12 || standby) { + /* There is CMD7 or CMD12 sent before CMD13 */ + cmd13_checkbit = 1; + } + + for (i = 0; i < 3; i++) { + retval = + ext_sd_send_cmd_get_rsp(chip, SEND_STATUS, sd_card->sd_addr, + SD_RSP_TYPE_R1, NULL, 0, + cmd13_checkbit); + if (retval == STATUS_SUCCESS) + break; + } + if (retval != STATUS_SUCCESS) + TRACE_GOTO(chip, SD_Execute_Write_Cmd_Failed); + + return TRANSPORT_GOOD; + +SD_Execute_Write_Cmd_Failed: + sd_card->pre_cmd_err = 1; + rts51x_set_sense_type(chip, lun, SENSE_TYPE_NO_SENSE); + if (write_err) + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_WRITE_ERR); + rts51x_release_sd_card(chip); + rts51x_do_rts51x_reset_sd_card(chip); + if (!(chip->card_ready & SD_CARD)) + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT); + + TRACE_RET(chip, TRANSPORT_FAILED); +} + +int rts51x_sd_pass_thru_mode(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + struct sd_info *sd_card = &(chip->sd_card); + unsigned int lun = SCSI_LUN(srb); + int len; + u8 buf[18] = { + 0x00, + 0x00, + 0x00, + 0x0E, + 0x00, /* Version Number */ + 0x00, /* WP | Media Type */ + 0x00, /* RCA (Low byte) */ + 0x00, /* RCA (High byte) */ + 0x53, /* 'S' */ + 0x44, /* 'D' */ + 0x20, /* ' ' */ + 0x43, /* 'C' */ + 0x61, /* 'a' */ + 0x72, /* 'r' */ + 0x64, /* 'd' */ + 0x00, /* Max LUN Number */ + 0x00, + 0x00, + }; + + sd_card->pre_cmd_err = 0; + + if (!(CHK_BIT(chip->lun_mc, lun))) { + SET_BIT(chip->lun_mc, lun); + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_CHANGE); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + if ((0x53 != srb->cmnd[2]) || (0x44 != srb->cmnd[3]) + || (0x20 != srb->cmnd[4]) || (0x43 != srb->cmnd[5]) + || (0x61 != srb->cmnd[6]) || (0x72 != srb->cmnd[7]) + || (0x64 != srb->cmnd[8])) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + switch (srb->cmnd[1] & 0x0F) { + case 0: + sd_card->sd_pass_thru_en = 0; + break; + + case 1: + sd_card->sd_pass_thru_en = 1; + break; + + default: + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + /* 0x01:SD Memory Card; 0x02:Other Media; 0x03:Illegal Media; */ + buf[5] = (1 == CHK_SD(sd_card)) ? 0x01 : 0x02; + if (chip->card_wp & SD_CARD) + buf[5] |= 0x80; + + buf[6] = (u8) (sd_card->sd_addr >> 16); + buf[7] = (u8) (sd_card->sd_addr >> 24); + + buf[15] = chip->max_lun; + + len = min_t(unsigned, 18, scsi_bufflen(srb)); + rts51x_set_xfer_buf(buf, len, srb); + + return TRANSPORT_GOOD; +} + +int rts51x_sd_execute_no_data(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + struct sd_info *sd_card = &(chip->sd_card); + unsigned int lun = SCSI_LUN(srb); + int retval; + u8 cmd_idx, rsp_code; + u8 standby = 0, acmd = 0; + u32 arg; + + if (!sd_card->sd_pass_thru_en) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + cmd_idx = srb->cmnd[2] & 0x3F; + if (srb->cmnd[1] & 0x02) + standby = 1; + if (srb->cmnd[1] & 0x01) + acmd = 1; + + arg = ((u32) srb->cmnd[3] << 24) | ((u32) srb->cmnd[4] << 16) | + ((u32) srb->cmnd[5] << 8) | srb->cmnd[6]; + + rsp_code = srb->cmnd[10]; + + retval = + ext_rts51x_sd_execute_no_data(chip, lun, cmd_idx, standby, acmd, rsp_code, + arg); + scsi_set_resid(srb, 0); + return retval; +} + +int rts51x_sd_execute_read_data(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + unsigned int lun = SCSI_LUN(srb); + u8 cmd_idx, rsp_code, send_cmd12 = 0, standby = 0, acmd = 0; + u32 arg, data_len; + + if (!sd_card->sd_pass_thru_en) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + cmd_idx = srb->cmnd[2] & 0x3F; + if (srb->cmnd[1] & 0x04) + send_cmd12 = 1; + if (srb->cmnd[1] & 0x02) + standby = 1; + if (srb->cmnd[1] & 0x01) + acmd = 1; + + arg = ((u32) srb->cmnd[3] << 24) | ((u32) srb->cmnd[4] << 16) | + ((u32) srb->cmnd[5] << 8) | srb->cmnd[6]; + + data_len = + ((u32) srb->cmnd[7] << 16) | ((u32) srb->cmnd[8] << 8) | + srb->cmnd[9]; + rsp_code = srb->cmnd[10]; + + retval = + ext_rts51x_sd_execute_read_data(chip, lun, cmd_idx, send_cmd12, standby, + acmd, rsp_code, arg, data_len, + scsi_sglist(srb), scsi_bufflen(srb), + scsi_sg_count(srb)); + scsi_set_resid(srb, 0); + return retval; +} + +int rts51x_sd_execute_write_data(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + struct sd_info *sd_card = &(chip->sd_card); + int retval; + unsigned int lun = SCSI_LUN(srb); + u8 cmd_idx, rsp_code, send_cmd12 = 0, standby = 0, acmd = 0; + u32 data_len, arg; + + if (!sd_card->sd_pass_thru_en) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + cmd_idx = srb->cmnd[2] & 0x3F; + if (srb->cmnd[1] & 0x04) + send_cmd12 = 1; + if (srb->cmnd[1] & 0x02) + standby = 1; + if (srb->cmnd[1] & 0x01) + acmd = 1; + + data_len = + ((u32) srb->cmnd[7] << 16) | ((u32) srb->cmnd[8] << 8) | + srb->cmnd[9]; + arg = + ((u32) srb->cmnd[3] << 24) | ((u32) srb->cmnd[4] << 16) | + ((u32) srb->cmnd[5] << 8) | srb->cmnd[6]; + rsp_code = srb->cmnd[10]; + + retval = + ext_rts51x_sd_execute_write_data(chip, lun, cmd_idx, send_cmd12, standby, + acmd, rsp_code, arg, data_len, + scsi_sglist(srb), scsi_bufflen(srb), + scsi_sg_count(srb)); + scsi_set_resid(srb, 0); + return retval; +} + +int rts51x_sd_get_cmd_rsp(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + struct sd_info *sd_card = &(chip->sd_card); + unsigned int lun = SCSI_LUN(srb); + int count; + u16 data_len; + + if (!sd_card->sd_pass_thru_en) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + if (sd_card->pre_cmd_err) { + sd_card->pre_cmd_err = 0; + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_CHANGE); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + data_len = ((u16) srb->cmnd[7] << 8) | srb->cmnd[8]; + + if (sd_card->last_rsp_type == SD_RSP_TYPE_R0) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } else if (sd_card->last_rsp_type == SD_RSP_TYPE_R2) { + count = (data_len < 17) ? data_len : 17; + } else { + count = (data_len < 6) ? data_len : 6; + } + rts51x_set_xfer_buf(sd_card->rsp, count, srb); + + RTS51X_DEBUGP("Response length: %d\n", data_len); + RTS51X_DEBUGP("Response: 0x%x 0x%x 0x%x 0x%x\n", + sd_card->rsp[0], sd_card->rsp[1], sd_card->rsp[2], + sd_card->rsp[3]); + + scsi_set_resid(srb, 0); + return TRANSPORT_GOOD; +} + +int rts51x_sd_hw_rst(struct scsi_cmnd *srb, struct rts51x_chip *chip) +{ + struct sd_info *sd_card = &(chip->sd_card); + unsigned int lun = SCSI_LUN(srb); + int retval; + + if (!sd_card->sd_pass_thru_en) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + if (sd_card->pre_cmd_err) { + sd_card->pre_cmd_err = 0; + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_CHANGE); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + if ((0x53 != srb->cmnd[2]) || (0x44 != srb->cmnd[3]) + || (0x20 != srb->cmnd[4]) || (0x43 != srb->cmnd[5]) + || (0x61 != srb->cmnd[6]) || (0x72 != srb->cmnd[7]) + || (0x64 != srb->cmnd[8])) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + switch (srb->cmnd[1] & 0x0F) { + case 0: + /* SD Card Power Off -> ON and Initialization */ + retval = rts51x_reset_sd_card(chip); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT); + sd_card->pre_cmd_err = 1; + TRACE_RET(chip, TRANSPORT_FAILED); + } + break; + + case 1: + /* reset CMD(CMD0) and Initialization + * (without SD Card Power Off -> ON) */ + retval = reset_sd(chip); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_NOT_PRESENT); + sd_card->pre_cmd_err = 1; + TRACE_RET(chip, TRANSPORT_FAILED); + } + break; + + default: + rts51x_set_sense_type(chip, lun, SENSE_TYPE_MEDIA_INVALID_CMD_FIELD); + TRACE_RET(chip, TRANSPORT_FAILED); + } + + scsi_set_resid(srb, 0); + return TRANSPORT_GOOD; +} +#endif diff --git a/drivers/staging/rts5139/sd_cprm.h b/drivers/staging/rts5139/sd_cprm.h new file mode 100644 index 000000000000..79dfd27db41a --- /dev/null +++ b/drivers/staging/rts5139/sd_cprm.h @@ -0,0 +1,54 @@ +/* Driver for Realtek RTS51xx USB card reader + * Header file + * + * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, see <http://www.gnu.org/licenses/>. + * + * Author: + * wwang (wei_wang(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + * Maintainer: + * Edwin Rong (edwin_rong(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + */ + +#ifndef __RTS51X_SD_CPRM_H +#define __RTS51X_SD_CPRM_H + +#include "rts51x_chip.h" +#include "sd.h" + +#ifdef SUPPORT_CPRM +int ext_rts51x_sd_execute_no_data(struct rts51x_chip *chip, unsigned int lun, + u8 cmd_idx, u8 standby, u8 acmd, u8 rsp_code, + u32 arg); +int ext_rts51x_sd_execute_read_data(struct rts51x_chip *chip, unsigned int lun, + u8 cmd_idx, u8 cmd12, u8 standby, u8 acmd, + u8 rsp_code, u32 arg, u32 data_len, void *data_buf, + unsigned int buf_len, int use_sg); +int ext_rts51x_sd_execute_write_data(struct rts51x_chip *chip, unsigned int lun, + u8 cmd_idx, u8 cmd12, u8 standby, u8 acmd, + u8 rsp_code, u32 arg, u32 data_len, + void *data_buf, unsigned int buf_len, int use_sg); + +int rts51x_sd_pass_thru_mode(struct scsi_cmnd *srb, struct rts51x_chip *chip); +int rts51x_sd_execute_no_data(struct scsi_cmnd *srb, struct rts51x_chip *chip); +int rts51x_sd_execute_read_data(struct scsi_cmnd *srb, struct rts51x_chip *chip); +int rts51x_sd_execute_write_data(struct scsi_cmnd *srb, struct rts51x_chip *chip); +int rts51x_sd_get_cmd_rsp(struct scsi_cmnd *srb, struct rts51x_chip *chip); +int rts51x_sd_hw_rst(struct scsi_cmnd *srb, struct rts51x_chip *chip); +#endif + +#endif /* __RTS51X_SD_CPRM_H */ diff --git a/drivers/staging/rts5139/trace.h b/drivers/staging/rts5139/trace.h new file mode 100644 index 000000000000..ac58b452ecb8 --- /dev/null +++ b/drivers/staging/rts5139/trace.h @@ -0,0 +1,95 @@ +/* Driver for Realtek RTS51xx USB card reader + * Header file + * + * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, see <http://www.gnu.org/licenses/>. + * + * Author: + * wwang (wei_wang(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + * Maintainer: + * Edwin Rong (edwin_rong(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + */ + +#ifndef __RTS51X_TRACE_H +#define __RTS51X_TRACE_H + +#include <linux/string.h> + +#include "debug.h" + +#define _MSG_TRACE + +#ifdef _MSG_TRACE +#define TRACE_RET(chip, ret) \ +do { \ + const char *_file = kbasename(__FILE__); \ + RTS51X_DEBUGP("[%s][%s]:[%d]\n", _file, __func__, __LINE__); \ + (chip)->trace_msg[(chip)->msg_idx].line = (u16)(__LINE__); \ + strncpy((chip)->trace_msg[(chip)->msg_idx].func, \ + __func__, MSG_FUNC_LEN-1); \ + strncpy((chip)->trace_msg[(chip)->msg_idx].file, \ + _file, MSG_FILE_LEN-1); \ + get_current_time((chip)->trace_msg[(chip)->msg_idx].timeval_buf,\ + TIME_VAL_LEN); \ + (chip)->trace_msg[(chip)->msg_idx].valid = 1; \ + (chip)->msg_idx++; \ + if ((chip)->msg_idx >= TRACE_ITEM_CNT) { \ + (chip)->msg_idx = 0; \ + } \ + return ret; \ +} while (0) + +#define TRACE_GOTO(chip, label) \ +do { \ + const char *_file = kbasename(__FILE__); \ + RTS51X_DEBUGP("[%s][%s]:[%d]\n", _file, __func__, __LINE__); \ + (chip)->trace_msg[(chip)->msg_idx].line = (u16)(__LINE__); \ + strncpy((chip)->trace_msg[(chip)->msg_idx].func, \ + __func__, MSG_FUNC_LEN-1); \ + strncpy((chip)->trace_msg[(chip)->msg_idx].file, \ + _file, MSG_FILE_LEN-1); \ + get_current_time((chip)->trace_msg[(chip)->msg_idx].timeval_buf,\ + TIME_VAL_LEN); \ + (chip)->trace_msg[(chip)->msg_idx].valid = 1; \ + (chip)->msg_idx++; \ + if ((chip)->msg_idx >= TRACE_ITEM_CNT) { \ + (chip)->msg_idx = 0; \ + } \ + goto label; \ +} while (0) +#else +#define TRACE_RET(chip, ret) return (ret) +#define TRACE_GOTO(chip, label) goto label +#endif + +#ifdef CONFIG_RTS5139_DEBUG +#define RTS51X_DUMP(buf, buf_len) \ + print_hex_dump(KERN_DEBUG, RTS51X_TIP, DUMP_PREFIX_NONE, \ + 16, 1, (buf), (buf_len), false) + +#define CATCH_TRIGGER(chip) \ +do { \ + rts51x_ep0_write_register((chip), 0xFC31, 0x01, 0x01); \ + RTS51X_DEBUGP("Catch trigger!\n"); \ +} while (0) + +#else +#define RTS51X_DUMP(buf, buf_len) +#define CATCH_TRIGGER(chip) +#endif + +#endif /* __RTS51X_TRACE_H */ diff --git a/drivers/staging/rts5139/xd.c b/drivers/staging/rts5139/xd.c new file mode 100644 index 000000000000..be432351be86 --- /dev/null +++ b/drivers/staging/rts5139/xd.c @@ -0,0 +1,2145 @@ +/* Driver for Realtek RTS51xx USB card reader + * + * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, see <http://www.gnu.org/licenses/>. + * + * Author: + * wwang (wei_wang(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + * Maintainer: + * Edwin Rong (edwin_rong(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + */ + +#include <linux/blkdev.h> +#include <linux/kthread.h> +#include <linux/sched.h> +#include <linux/vmalloc.h> + +#include "debug.h" +#include "trace.h" +#include "rts51x.h" +#include "rts51x_transport.h" +#include "rts51x_scsi.h" +#include "rts51x_card.h" +#include "xd.h" + +static int xd_build_l2p_tbl(struct rts51x_chip *chip, int zone_no); +static int xd_init_page(struct rts51x_chip *chip, u32 phy_blk, u16 logoff, + u8 start_page, u8 end_page); + +static inline void xd_set_err_code(struct rts51x_chip *chip, u8 err_code) +{ + struct xd_info *xd_card = &(chip->xd_card); + + xd_card->err_code = err_code; +} + +static int xd_set_init_para(struct rts51x_chip *chip) +{ + struct xd_info *xd_card = &(chip->xd_card); + int retval; + + if (chip->asic_code) + xd_card->xd_clock = 47; + else + xd_card->xd_clock = CLK_50; + + retval = switch_clock(chip, xd_card->xd_clock); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + return STATUS_SUCCESS; +} + +static int xd_switch_clock(struct rts51x_chip *chip) +{ + struct xd_info *xd_card = &(chip->xd_card); + int retval; + + retval = rts51x_select_card(chip, XD_CARD); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = switch_clock(chip, xd_card->xd_clock); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + return STATUS_SUCCESS; +} + +static int xd_read_id(struct rts51x_chip *chip, u8 id_cmd, u8 *id_buf, + u8 buf_len) +{ + int retval, i; + + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_DAT, 0xFF, id_cmd); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_TRANSFER, 0xFF, + XD_TRANSFER_START | XD_READ_ID); + rts51x_add_cmd(chip, CHECK_REG_CMD, XD_TRANSFER, XD_TRANSFER_END, + XD_TRANSFER_END); + + for (i = 0; i < 4; i++) { + rts51x_add_cmd(chip, READ_REG_CMD, (u16) (XD_ADDRESS1 + i), 0, + 0); + } + + retval = rts51x_send_cmd(chip, MODE_CR, 20); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = rts51x_get_rsp(chip, 5, 20); + + if (retval != STATUS_SUCCESS) { + rts51x_clear_xd_error(chip); + TRACE_RET(chip, retval); + } + + if (id_buf && buf_len) { + if (buf_len > 4) + buf_len = 4; + rts51x_read_rsp_buf(chip, 1, id_buf, buf_len); + } + + return STATUS_SUCCESS; +} + +static void xd_assign_phy_addr(struct rts51x_chip *chip, u32 addr, u8 mode) +{ + struct xd_info *xd_card = &(chip->xd_card); + + switch (mode) { + case XD_RW_ADDR: + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_ADDRESS0, 0xFF, 0); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_ADDRESS1, 0xFF, + (u8) addr); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_ADDRESS2, 0xFF, + (u8) (addr >> 8)); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_ADDRESS3, 0xFF, + (u8) (addr >> 16)); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_CFG, 0xFF, + xd_card->addr_cycle | XD_CALC_ECC | + XD_BA_NO_TRANSFORM); + break; + + case XD_ERASE_ADDR: + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_ADDRESS0, 0xFF, + (u8) addr); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_ADDRESS1, 0xFF, + (u8) (addr >> 8)); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_ADDRESS2, 0xFF, + (u8) (addr >> 16)); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_CFG, 0xFF, + (xd_card->addr_cycle - 1) | + XD_CALC_ECC | XD_BA_NO_TRANSFORM); + break; + + default: + break; + } +} + +static int xd_read_redundant(struct rts51x_chip *chip, u32 page_addr, u8 *buf, + int buf_len) +{ + int retval, i; + + rts51x_init_cmd(chip); + + xd_assign_phy_addr(chip, page_addr, XD_RW_ADDR); + + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_TRANSFER, 0xFF, + XD_TRANSFER_START | XD_READ_REDUNDANT); + rts51x_add_cmd(chip, CHECK_REG_CMD, XD_TRANSFER, XD_TRANSFER_END, + XD_TRANSFER_END); + + for (i = 0; i < 6; i++) { + rts51x_add_cmd(chip, READ_REG_CMD, (u16) (XD_PAGE_STATUS + i), + 0, 0); + } + for (i = 0; i < 4; i++) { + rts51x_add_cmd(chip, READ_REG_CMD, (u16) (XD_RESERVED0 + i), 0, + 0); + } + rts51x_add_cmd(chip, READ_REG_CMD, XD_PARITY, 0, 0); + + retval = rts51x_send_cmd(chip, MODE_CR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = rts51x_get_rsp(chip, 11, 500); + + if (retval != STATUS_SUCCESS) { + rts51x_clear_xd_error(chip); + TRACE_RET(chip, retval); + } + + if (buf && buf_len) { + if (buf_len > 11) + buf_len = 11; + rts51x_read_rsp_buf(chip, 1, buf, buf_len); + } + + return STATUS_SUCCESS; +} + +static int xd_read_data_from_ppb(struct rts51x_chip *chip, int offset, u8 *buf, + int buf_len) +{ + int retval, i; + + if (!buf || (buf_len <= 0)) + TRACE_RET(chip, STATUS_FAIL); + + rts51x_init_cmd(chip); + + for (i = 0; i < buf_len; i++) { + rts51x_add_cmd(chip, READ_REG_CMD, PPBUF_BASE2 + offset + i, 0, + 0); + } + + retval = rts51x_send_cmd(chip, MODE_CR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = rts51x_get_rsp(chip, buf_len, 200); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + rts51x_read_rsp_buf(chip, 0, buf, buf_len); + + return STATUS_SUCCESS; +} + +static int xd_read_cis(struct rts51x_chip *chip, u32 page_addr, u8 *buf, + int buf_len) +{ + int retval; + u8 reg; + + if (!buf || (buf_len < 10)) + TRACE_RET(chip, STATUS_FAIL); + + rts51x_init_cmd(chip); + + xd_assign_phy_addr(chip, page_addr, XD_RW_ADDR); + + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01, + PINGPONG_BUFFER); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_PAGE_CNT, 0xFF, 1); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_CHK_DATA_STATUS, + XD_AUTO_CHK_DATA_STATUS, XD_AUTO_CHK_DATA_STATUS); + + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_TRANSFER, 0xFF, + XD_TRANSFER_START | XD_READ_PAGES); + rts51x_add_cmd(chip, CHECK_REG_CMD, XD_TRANSFER, + XD_TRANSFER_END | XD_PPB_EMPTY, + XD_TRANSFER_END | XD_PPB_EMPTY); + + retval = rts51x_send_cmd(chip, MODE_CR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = rts51x_get_rsp(chip, 1, 500); + if (retval == STATUS_TIMEDOUT) { + rts51x_clear_xd_error(chip); + TRACE_RET(chip, retval); + } + + RTS51X_READ_REG(chip, XD_PAGE_STATUS, &reg); + if (reg != XD_GPG) { + rts51x_clear_xd_error(chip); + TRACE_RET(chip, STATUS_FAIL); + } + + RTS51X_READ_REG(chip, XD_CTL, &reg); + + if (!(reg & XD_ECC1_ERROR) || !(reg & XD_ECC1_UNCORRECTABLE)) { + retval = xd_read_data_from_ppb(chip, 0, buf, buf_len); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + if (reg & XD_ECC1_ERROR) { /* correctable error */ + u8 ecc_bit, ecc_byte; + + RTS51X_READ_REG(chip, XD_ECC_BIT1, &ecc_bit); + RTS51X_READ_REG(chip, XD_ECC_BYTE1, &ecc_byte); + + RTS51X_DEBUGP("ECC_BIT1 = 0x%x, ECC_BYTE1 = 0x%x\n", + ecc_bit, ecc_byte); + if (ecc_byte < buf_len) { + RTS51X_DEBUGP("Before correct: 0x%x\n", + buf[ecc_byte]); + buf[ecc_byte] ^= (1 << ecc_bit); + RTS51X_DEBUGP("After correct: 0x%x\n", + buf[ecc_byte]); + } + } + } else if (!(reg & XD_ECC2_ERROR) || !(reg & XD_ECC2_UNCORRECTABLE)) { + RTS51X_WRITE_REG(chip, CARD_STOP, XD_STOP | XD_CLR_ERR, + XD_STOP | XD_CLR_ERR); + + retval = xd_read_data_from_ppb(chip, 256, buf, buf_len); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + if (reg & XD_ECC2_ERROR) { + u8 ecc_bit, ecc_byte; + + RTS51X_READ_REG(chip, XD_ECC_BIT2, &ecc_bit); + RTS51X_READ_REG(chip, XD_ECC_BYTE2, &ecc_byte); + + RTS51X_DEBUGP("ECC_BIT2 = 0x%x, ECC_BYTE2 = 0x%x\n", + ecc_bit, ecc_byte); + if (ecc_byte < buf_len) { + RTS51X_DEBUGP("Before correct: 0x%x\n", + buf[ecc_byte]); + buf[ecc_byte] ^= (1 << ecc_bit); + RTS51X_DEBUGP("After correct: 0x%x\n", + buf[ecc_byte]); + } + } + } else { + rts51x_clear_xd_error(chip); + TRACE_RET(chip, STATUS_FAIL); + } + + return STATUS_SUCCESS; +} + +static void xd_pull_ctl_disable(struct rts51x_chip *chip) +{ + if (CHECK_PKG(chip, LQFP48)) { + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0x95); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0xA5); + } else { + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0x65); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0x95); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x56); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0x59); + } +} + +static void xd_pull_ctl_enable(struct rts51x_chip *chip) +{ + if (CHECK_PKG(chip, LQFP48)) { + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0xAA); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0x95); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0xA5); + } else { + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL1, 0xFF, 0xA5); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL2, 0xFF, 0x59); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL3, 0xFF, 0x95); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL4, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL5, 0xFF, 0x55); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PULL_CTL6, 0xFF, 0x59); + } +} + +static int reset_xd(struct rts51x_chip *chip) +{ + struct xd_info *xd_card = &(chip->xd_card); + int retval, i, j; + u8 id_buf[4], redunt[11]; + + retval = rts51x_select_card(chip, XD_CARD); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, STATUS_FAIL); + + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_CHK_DATA_STATUS, 0xFF, + XD_PGSTS_NOT_FF); + if (chip->asic_code) + xd_pull_ctl_disable(chip); + else + rts51x_add_cmd(chip, WRITE_REG_CMD, FPGA_PULL_CTL, 0xFF, + (FPGA_XD_PULL_CTL_EN1 & FPGA_XD_PULL_CTL_EN3)); + + if (!chip->option.FT2_fast_mode) { + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_INIT, XD_NO_AUTO_PWR_OFF, + 0); + if (CHECK_PKG(chip, LQFP48) || + chip->option.rts5129_D3318_off_enable) { + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL, + DV3318_AUTO_PWR_OFF, + DV3318_AUTO_PWR_OFF); + } + } + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_OE, XD_OUTPUT_EN, 0); + if (!chip->option.FT2_fast_mode) { + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL, POWER_MASK, + POWER_OFF); + } + + retval = rts51x_send_cmd(chip, MODE_C, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + if (!chip->option.FT2_fast_mode) { +#ifdef SD_XD_IO_FOLLOW_PWR + if (CHECK_PKG(chip, LQFP48) + || chip->option.rts5129_D3318_off_enable) { + rts51x_write_register(chip, CARD_PWR_CTL, + LDO_OFF, LDO_OFF); + } +#endif + + wait_timeout(250); + +#ifdef SD_XD_IO_FOLLOW_PWR + if (CHECK_PKG(chip, LQFP48) + || chip->option.rts5129_D3318_off_enable) { + rts51x_init_cmd(chip); + if (chip->asic_code) { + xd_pull_ctl_enable(chip); + } else { + rts51x_add_cmd(chip, WRITE_REG_CMD, + FPGA_PULL_CTL, 0xFF, + (FPGA_XD_PULL_CTL_EN1 & + FPGA_XD_PULL_CTL_EN2)); + } + retval = rts51x_send_cmd(chip, MODE_C, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, STATUS_FAIL); + } +#endif + + retval = rts51x_card_power_on(chip, XD_CARD); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); +#ifdef SUPPORT_OCP + wait_timeout(50); + rts51x_get_card_status(chip, &(chip->card_status)); + chip->ocp_stat = (chip->card_status >> 4) & 0x03; + + if (chip->ocp_stat & (MS_OCP_NOW | MS_OCP_EVER)) { + RTS51X_DEBUGP("Over current, OCPSTAT is 0x%x\n", + chip->ocp_stat); + TRACE_RET(chip, STATUS_FAIL); + } +#endif + } + + rts51x_init_cmd(chip); + + if (chip->asic_code) + xd_pull_ctl_enable(chip); + else + rts51x_add_cmd(chip, WRITE_REG_CMD, FPGA_PULL_CTL, 0xFF, + (FPGA_XD_PULL_CTL_EN1 & FPGA_XD_PULL_CTL_EN2)); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_OE, XD_OUTPUT_EN, + XD_OUTPUT_EN); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_CTL, XD_CE_DISEN, XD_CE_DISEN); + + retval = rts51x_send_cmd(chip, MODE_C, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, STATUS_FAIL); + + if (!chip->option.FT2_fast_mode) + wait_timeout(200); + + retval = xd_set_init_para(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, STATUS_FAIL); + /* Read ID to check if the timing setting is right */ + for (i = 0; i < 4; i++) { + u8 xd_dat, xd_ctl; + + if (monitor_card_cd(chip, XD_CARD) == CD_NOT_EXIST) + TRACE_RET(chip, STATUS_FAIL); + + rts51x_init_cmd(chip); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_DTCTL, 0xFF, + XD_TIME_SETUP_STEP * 3 + XD_TIME_RW_STEP * + (2 + i + chip->option.rts51x_xd_rw_step) + + XD_TIME_RWN_STEP * + (i + chip->option.rts51x_xd_rwn_step)); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_CATCTL, 0xFF, + XD_TIME_SETUP_STEP * 3 + XD_TIME_RW_STEP * (4 + + i) + XD_TIME_RWN_STEP * (3 + i)); + + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_TRANSFER, 0xFF, + XD_TRANSFER_START | XD_RESET); + rts51x_add_cmd(chip, CHECK_REG_CMD, XD_TRANSFER, + XD_TRANSFER_END, XD_TRANSFER_END); + + rts51x_add_cmd(chip, READ_REG_CMD, XD_DAT, 0, 0); + rts51x_add_cmd(chip, READ_REG_CMD, XD_CTL, 0, 0); + + retval = rts51x_send_cmd(chip, MODE_CR, 100); + if (retval != STATUS_SUCCESS) { + rts51x_clear_xd_error(chip); + TRACE_RET(chip, retval); + } + + retval = rts51x_get_rsp(chip, 3, 100); + if (retval != STATUS_SUCCESS) { + rts51x_clear_xd_error(chip); + TRACE_RET(chip, retval); + } + + xd_dat = chip->rsp_buf[1]; + xd_ctl = chip->rsp_buf[2]; + RTS51X_DEBUGP("XD_DAT: 0x%x, XD_CTL: 0x%x\n", xd_dat, xd_ctl); + + if (((xd_dat & READY_FLAG) != READY_STATE) + || !(xd_ctl & XD_RDY)) + continue; + + retval = xd_read_id(chip, READ_ID, id_buf, 4); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + RTS51X_DEBUGP("READ_ID: 0x%x 0x%x 0x%x 0x%x\n", + id_buf[0], id_buf[1], id_buf[2], id_buf[3]); + + xd_card->device_code = id_buf[1]; + + switch (xd_card->device_code) { + case XD_4M_X8_512_1: + case XD_4M_X8_512_2: + xd_card->block_shift = 4; /* 16 pages per block */ + xd_card->page_off = 0x0F; + xd_card->addr_cycle = 3; + xd_card->zone_cnt = 1; + xd_card->capacity = 8000; /* 500 * 2 ^ 4 */ + XD_SET_4MB(xd_card); + break; + case XD_8M_X8_512: + xd_card->block_shift = 4; + xd_card->page_off = 0x0F; + xd_card->addr_cycle = 3; + xd_card->zone_cnt = 1; + xd_card->capacity = 16000; /* 1000 * 2 ^ 4 */ + break; + case XD_16M_X8_512: + XD_PAGE_512(xd_card); /* 32 pages per block */ + xd_card->addr_cycle = 3; + xd_card->zone_cnt = 1; + xd_card->capacity = 32000; /* 1000 * 2 ^ 5 */ + break; + case XD_32M_X8_512: + XD_PAGE_512(xd_card); + xd_card->addr_cycle = 3; + xd_card->zone_cnt = 2; + xd_card->capacity = 64000; /* 2000 * 2 ^ 5 */ + break; + case XD_64M_X8_512: + XD_PAGE_512(xd_card); + xd_card->addr_cycle = 4; + xd_card->zone_cnt = 4; + xd_card->capacity = 128000; /* 4000 * 2 ^ 5 */ + break; + case XD_128M_X8_512: + XD_PAGE_512(xd_card); + xd_card->addr_cycle = 4; + xd_card->zone_cnt = 8; + xd_card->capacity = 256000; /* 8000 * 2 ^ 5 */ + break; + case XD_256M_X8_512: + XD_PAGE_512(xd_card); + xd_card->addr_cycle = 4; + xd_card->zone_cnt = 16; + xd_card->capacity = 512000; /* 16000 * 2 ^ 5 */ + break; + case XD_512M_X8: + XD_PAGE_512(xd_card); + xd_card->addr_cycle = 4; + xd_card->zone_cnt = 32; + xd_card->capacity = 1024000; /* 32000 * 2 ^ 5 */ + break; + case xD_1G_X8_512: + XD_PAGE_512(xd_card); + xd_card->addr_cycle = 4; + xd_card->zone_cnt = 64; + xd_card->capacity = 2048000; /* 64000 * 2 ^ 5 */ + break; + case xD_2G_X8_512: + XD_PAGE_512(xd_card); + xd_card->addr_cycle = 4; + xd_card->zone_cnt = 128; + xd_card->capacity = 4096000; /* 128000 * 2 ^ 5 */ + break; + default: + continue; + } + + /* Confirm timing setting */ + for (j = 0; j < 10; j++) { + retval = xd_read_id(chip, READ_ID, id_buf, 4); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (id_buf[1] != xd_card->device_code) + break; + } + + /* Current timing pass */ + if (j == 10) + break; + } + + if (i == 4) { + xd_card->block_shift = 0; + xd_card->page_off = 0; + xd_card->addr_cycle = 0; + xd_card->capacity = 0; + + TRACE_RET(chip, STATUS_FAIL); + } + + retval = xd_read_id(chip, READ_xD_ID, id_buf, 4); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + RTS51X_DEBUGP("READ_xD_ID: 0x%x 0x%x 0x%x 0x%x\n", + id_buf[0], id_buf[1], id_buf[2], id_buf[3]); + if (id_buf[2] != XD_ID_CODE) + TRACE_RET(chip, STATUS_FAIL); + + /* Search CIS block */ + for (i = 0; i < 24; i++) { + u32 page_addr; + + if (monitor_card_cd(chip, XD_CARD) == CD_NOT_EXIST) + TRACE_RET(chip, STATUS_FAIL); + + page_addr = (u32) i << xd_card->block_shift; + + for (j = 0; j < 3; j++) { + retval = xd_read_redundant(chip, page_addr, redunt, 11); + if (retval == STATUS_SUCCESS) + break; + } + if (j == 3) + continue; + + if (redunt[BLOCK_STATUS] != XD_GBLK) + continue; + + j = 0; + /* Check page status */ + if (redunt[PAGE_STATUS] != XD_GPG) { + for (j = 1; j <= 8; j++) { + retval = + xd_read_redundant(chip, page_addr + j, + redunt, 11); + if (retval == STATUS_SUCCESS) { + if (redunt[PAGE_STATUS] == XD_GPG) + break; + } + } + + if (j == 9) + break; + } + + if ((redunt[BLOCK_STATUS] == XD_GBLK) + && (redunt[PARITY] & XD_BA1_ALL0)) { + u8 buf[10]; + + page_addr += j; + + retval = xd_read_cis(chip, page_addr, buf, 10); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if ((buf[0] == 0x01) && (buf[1] == 0x03) + && (buf[2] == 0xD9) + && (buf[3] == 0x01) && (buf[4] == 0xFF) + && (buf[5] == 0x18) && (buf[6] == 0x02) + && (buf[7] == 0xDF) && (buf[8] == 0x01) + && (buf[9] == 0x20)) { + xd_card->cis_block = (u16) i; + } + } + + break; + } + + RTS51X_DEBUGP("CIS block: 0x%x\n", xd_card->cis_block); + if (xd_card->cis_block == 0xFFFF) + TRACE_RET(chip, STATUS_FAIL); + + chip->capacity[chip->card2lun[XD_CARD]] = xd_card->capacity; + + return STATUS_SUCCESS; +} + +static int xd_check_data_blank(u8 *redunt) +{ + int i; + + for (i = 0; i < 6; i++) { + if (redunt[PAGE_STATUS + i] != 0xFF) + return 0; + } + + if ((redunt[PARITY] & (XD_ECC1_ALL1 | XD_ECC2_ALL1)) != + (XD_ECC1_ALL1 | XD_ECC2_ALL1)) + return 0; + + for (i = 0; i < 4; i++) { + if (redunt[RESERVED0 + i] != 0xFF) + return 0; + } + + return 1; +} + +static u16 xd_load_log_block_addr(u8 *redunt) +{ + u16 addr = 0xFFFF; + + if (redunt[PARITY] & XD_BA1_BA2_EQL) + addr = + ((u16) redunt[BLOCK_ADDR1_H] << 8) | redunt[BLOCK_ADDR1_L]; + else if (redunt[PARITY] & XD_BA1_VALID) + addr = + ((u16) redunt[BLOCK_ADDR1_H] << 8) | redunt[BLOCK_ADDR1_L]; + else if (redunt[PARITY] & XD_BA2_VALID) + addr = + ((u16) redunt[BLOCK_ADDR2_H] << 8) | redunt[BLOCK_ADDR2_L]; + + return addr; +} + +static int xd_init_l2p_tbl(struct rts51x_chip *chip) +{ + struct xd_info *xd_card = &(chip->xd_card); + int size, i; + + RTS51X_DEBUGP("xd_init_l2p_tbl: zone_cnt = %d\n", xd_card->zone_cnt); + + if (xd_card->zone_cnt < 1) + TRACE_RET(chip, STATUS_FAIL); + + size = xd_card->zone_cnt * sizeof(struct zone_entry); + RTS51X_DEBUGP("Buffer size for l2p table is %d\n", size); + + xd_card->zone = vmalloc(size); + if (!xd_card->zone) + TRACE_RET(chip, STATUS_NOMEM); + + for (i = 0; i < xd_card->zone_cnt; i++) { + xd_card->zone[i].build_flag = 0; + xd_card->zone[i].l2p_table = NULL; + xd_card->zone[i].free_table = NULL; + xd_card->zone[i].get_index = 0; + xd_card->zone[i].set_index = 0; + xd_card->zone[i].unused_blk_cnt = 0; + } + + return STATUS_SUCCESS; +} + +static inline void free_zone(struct zone_entry *zone) +{ + RTS51X_DEBUGP("free_zone\n"); + if (!zone) + return; + zone->build_flag = 0; + zone->set_index = 0; + zone->get_index = 0; + zone->unused_blk_cnt = 0; + if (zone->l2p_table) { + vfree(zone->l2p_table); + zone->l2p_table = NULL; + } + if (zone->free_table) { + vfree(zone->free_table); + zone->free_table = NULL; + } +} + +static void xd_set_unused_block(struct rts51x_chip *chip, u32 phy_blk) +{ + struct xd_info *xd_card = &(chip->xd_card); + struct zone_entry *zone; + int zone_no; + + zone_no = (int)phy_blk >> 10; + if (zone_no >= xd_card->zone_cnt) { + RTS51X_DEBUGP("Set unused block to invalid zone" + "(zone_no = %d, zone_cnt = %d)\n", + zone_no, xd_card->zone_cnt); + return; + } + zone = &(xd_card->zone[zone_no]); + + if (zone->free_table == NULL) { + if (xd_build_l2p_tbl(chip, zone_no) != STATUS_SUCCESS) + return; + } + + if ((zone->set_index >= XD_FREE_TABLE_CNT) + || (zone->set_index < 0)) { + free_zone(zone); + RTS51X_DEBUGP("Set unused block fail, invalid set_index\n"); + return; + } + + RTS51X_DEBUGP("Set unused block to index %d\n", zone->set_index); + + zone->free_table[zone->set_index++] = (u16) (phy_blk & 0x3ff); + if (zone->set_index >= XD_FREE_TABLE_CNT) + zone->set_index = 0; + zone->unused_blk_cnt++; +} + +static u32 xd_get_unused_block(struct rts51x_chip *chip, int zone_no) +{ + struct xd_info *xd_card = &(chip->xd_card); + struct zone_entry *zone; + u32 phy_blk; + + if (zone_no >= xd_card->zone_cnt) { + RTS51X_DEBUGP("Get unused block from invalid zone" + "(zone_no = %d, zone_cnt = %d)\n", + zone_no, xd_card->zone_cnt); + TRACE_RET(chip, BLK_NOT_FOUND); + } + zone = &(xd_card->zone[zone_no]); + + if ((zone->unused_blk_cnt == 0) || + (zone->set_index == zone->get_index)) { + free_zone(zone); + RTS51X_DEBUGP("Get unused block fail," + "no unused block available\n"); + TRACE_RET(chip, BLK_NOT_FOUND); + } + if ((zone->get_index >= XD_FREE_TABLE_CNT) || (zone->get_index < 0)) { + free_zone(zone); + RTS51X_DEBUGP("Get unused block fail, invalid get_index\n"); + TRACE_RET(chip, BLK_NOT_FOUND); + } + + RTS51X_DEBUGP("Get unused block from index %d\n", zone->get_index); + + phy_blk = zone->free_table[zone->get_index]; + zone->free_table[zone->get_index++] = 0xFFFF; + if (zone->get_index >= XD_FREE_TABLE_CNT) + zone->get_index = 0; + zone->unused_blk_cnt--; + + phy_blk += ((u32) (zone_no) << 10); + return phy_blk; +} + +static void xd_set_l2p_tbl(struct rts51x_chip *chip, int zone_no, u16 log_off, + u16 phy_off) +{ + struct xd_info *xd_card = &(chip->xd_card); + struct zone_entry *zone; + + zone = &(xd_card->zone[zone_no]); + zone->l2p_table[log_off] = phy_off; +} + +static int xd_delay_write(struct rts51x_chip *chip); + +static u32 xd_get_l2p_tbl(struct rts51x_chip *chip, int zone_no, u16 log_off) +{ + struct xd_info *xd_card = &(chip->xd_card); + struct zone_entry *zone; + int retval; + + zone = &(xd_card->zone[zone_no]); + if (zone->l2p_table[log_off] == 0xFFFF) { + u32 phy_blk = 0; + int i; + + retval = xd_delay_write(chip); + if (retval != STATUS_SUCCESS) { + RTS51X_DEBUGP("In xd_get_l2p_tbl," + "delay write fail!\n"); + TRACE_RET(chip, BLK_NOT_FOUND); + } + + if (zone->unused_blk_cnt <= 0) { + RTS51X_DEBUGP("No unused block!\n"); + TRACE_RET(chip, BLK_NOT_FOUND); + } + + for (i = 0; i < zone->unused_blk_cnt; i++) { + phy_blk = xd_get_unused_block(chip, zone_no); + if (phy_blk == BLK_NOT_FOUND) { + RTS51X_DEBUGP("No unused block available!\n"); + TRACE_RET(chip, BLK_NOT_FOUND); + } + + retval = + xd_init_page(chip, phy_blk, log_off, 0, + xd_card->page_off + 1); + if (retval == STATUS_SUCCESS) + break; + } + if (i >= zone->unused_blk_cnt) { + RTS51X_DEBUGP("No good unused block available!\n"); + TRACE_RET(chip, BLK_NOT_FOUND); + } + + xd_set_l2p_tbl(chip, zone_no, log_off, (u16) (phy_blk & 0x3FF)); + return phy_blk; + } + + return (u32) zone->l2p_table[log_off] + ((u32) (zone_no) << 10); +} + +int rts51x_reset_xd_card(struct rts51x_chip *chip) +{ + struct xd_info *xd_card = &(chip->xd_card); + int retval; + + memset(xd_card, 0, sizeof(struct xd_info)); + + xd_card->block_shift = 0; + xd_card->page_off = 0; + xd_card->addr_cycle = 0; + xd_card->capacity = 0; + xd_card->zone_cnt = 0; + xd_card->cis_block = 0xFFFF; + xd_card->delay_write.delay_write_flag = 0; + + rts51x_enable_card_clock(chip, XD_CARD); + + retval = reset_xd(chip); + if (retval != STATUS_SUCCESS) { + if (chip->option.reset_or_rw_fail_set_pad_drive) { + rts51x_write_register(chip, CARD_DRIVE_SEL, + SD20_DRIVE_MASK, DRIVE_8mA); + } + TRACE_RET(chip, retval); + } + + retval = xd_init_l2p_tbl(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + return STATUS_SUCCESS; +} + +static int xd_mark_bad_block(struct rts51x_chip *chip, u32 phy_blk) +{ + struct xd_info *xd_card = &(chip->xd_card); + int retval; + u32 page_addr; + u8 reg = 0; + + RTS51X_DEBUGP("mark block 0x%x as bad block\n", phy_blk); + + if (phy_blk == BLK_NOT_FOUND) + TRACE_RET(chip, STATUS_FAIL); + + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_PAGE_STATUS, 0xFF, XD_GPG); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_BLOCK_STATUS, 0xFF, + XD_LATER_BBLK); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_BLOCK_ADDR1_H, 0xFF, 0xFF); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_BLOCK_ADDR1_L, 0xFF, 0xFF); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_BLOCK_ADDR2_H, 0xFF, 0xFF); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_BLOCK_ADDR2_L, 0xFF, 0xFF); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_RESERVED0, 0xFF, 0xFF); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_RESERVED1, 0xFF, 0xFF); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_RESERVED2, 0xFF, 0xFF); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_RESERVED3, 0xFF, 0xFF); + + page_addr = phy_blk << xd_card->block_shift; + + xd_assign_phy_addr(chip, page_addr, XD_RW_ADDR); + + /* Specify page count */ + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_PAGE_CNT, 0xFF, + xd_card->page_off + 1); + + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_TRANSFER, 0xFF, + XD_TRANSFER_START | XD_WRITE_REDUNDANT); + rts51x_add_cmd(chip, CHECK_REG_CMD, XD_TRANSFER, XD_TRANSFER_END, + XD_TRANSFER_END); + + retval = rts51x_send_cmd(chip, MODE_CR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, STATUS_FAIL); + + retval = rts51x_get_rsp(chip, 1, 100); + + if (retval != STATUS_SUCCESS) { + rts51x_clear_xd_error(chip); + rts51x_ep0_read_register(chip, XD_DAT, &reg); + if (reg & PROGRAM_ERROR) + xd_set_err_code(chip, XD_PRG_ERROR); + else + xd_set_err_code(chip, XD_TO_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + + return STATUS_SUCCESS; +} + +static int xd_init_page(struct rts51x_chip *chip, u32 phy_blk, u16 logoff, + u8 start_page, u8 end_page) +{ + struct xd_info *xd_card = &(chip->xd_card); + int retval; + u32 page_addr; + u8 reg = 0; + + RTS51X_DEBUGP("Init block 0x%x\n", phy_blk); + + if (start_page > end_page) + TRACE_RET(chip, STATUS_FAIL); + if (phy_blk == BLK_NOT_FOUND) + TRACE_RET(chip, STATUS_FAIL); + + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_PAGE_STATUS, 0xFF, 0xFF); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_BLOCK_STATUS, 0xFF, 0xFF); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_BLOCK_ADDR1_H, 0xFF, + (u8) (logoff >> 8)); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_BLOCK_ADDR1_L, 0xFF, + (u8) logoff); + + page_addr = (phy_blk << xd_card->block_shift) + start_page; + + xd_assign_phy_addr(chip, page_addr, XD_RW_ADDR); + + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_CFG, XD_BA_TRANSFORM, + XD_BA_TRANSFORM); + + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_PAGE_CNT, 0xFF, + (end_page - start_page)); + + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_TRANSFER, 0xFF, + XD_TRANSFER_START | XD_WRITE_REDUNDANT); + rts51x_add_cmd(chip, CHECK_REG_CMD, XD_TRANSFER, XD_TRANSFER_END, + XD_TRANSFER_END); + + retval = rts51x_send_cmd(chip, MODE_CR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, STATUS_FAIL); + + retval = rts51x_get_rsp(chip, 1, 500); + + if (retval != STATUS_SUCCESS) { + rts51x_clear_xd_error(chip); + rts51x_ep0_read_register(chip, XD_DAT, &reg); + if (reg & PROGRAM_ERROR) { + xd_mark_bad_block(chip, phy_blk); + xd_set_err_code(chip, XD_PRG_ERROR); + } else { + xd_set_err_code(chip, XD_TO_ERROR); + } + TRACE_RET(chip, STATUS_FAIL); + } + + return STATUS_SUCCESS; +} + +static int xd_copy_page(struct rts51x_chip *chip, + u32 old_blk, u32 new_blk, u8 start_page, u8 end_page) +{ + struct xd_info *xd_card = &(chip->xd_card); + u32 old_page, new_page; + u8 i, reg = 0; + int retval; + + RTS51X_DEBUGP("Copy page from block 0x%x to block 0x%x\n", old_blk, + new_blk); + + if (start_page > end_page) + TRACE_RET(chip, STATUS_FAIL); + + if ((old_blk == BLK_NOT_FOUND) || (new_blk == BLK_NOT_FOUND)) + TRACE_RET(chip, STATUS_FAIL); + + old_page = (old_blk << xd_card->block_shift) + start_page; + new_page = (new_blk << xd_card->block_shift) + start_page; + + XD_CLR_BAD_NEWBLK(xd_card); + + RTS51X_WRITE_REG(chip, CARD_DATA_SOURCE, 0x01, PINGPONG_BUFFER); + + for (i = start_page; i < end_page; i++) { + if (monitor_card_cd(chip, XD_CARD) == CD_NOT_EXIST) { + RTS51X_WRITE_REG(chip, CARD_STOP, XD_STOP | XD_CLR_ERR, + XD_STOP | XD_CLR_ERR); + xd_set_err_code(chip, XD_NO_CARD); + TRACE_RET(chip, STATUS_FAIL); + } + + rts51x_init_cmd(chip); + + xd_assign_phy_addr(chip, old_page, XD_RW_ADDR); + + /* Single page read */ + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_PAGE_CNT, 0xFF, 1); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_CHK_DATA_STATUS, + XD_AUTO_CHK_DATA_STATUS, 0); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_TRANSFER, 0xFF, + XD_TRANSFER_START | XD_READ_PAGES); + rts51x_add_cmd(chip, CHECK_REG_CMD, XD_TRANSFER, + XD_TRANSFER_END, XD_TRANSFER_END); + + retval = rts51x_send_cmd(chip, MODE_CR | STAGE_XD_STATUS, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = rts51x_get_rsp(chip, 4, 500); + if ((retval != STATUS_SUCCESS) || + (chip->rsp_buf[2] & (XD_ECC1_ERROR | XD_ECC2_ERROR))) { + rts51x_clear_xd_error(chip); + reg = 0; + rts51x_ep0_read_register(chip, XD_CTL, &reg); + if (reg & (XD_ECC1_ERROR | XD_ECC2_ERROR)) { + wait_timeout(100); + + if (monitor_card_cd(chip, XD_CARD) == + CD_NOT_EXIST) { + xd_set_err_code(chip, XD_NO_CARD); + TRACE_RET(chip, STATUS_FAIL); + } + + if (((reg & + (XD_ECC1_ERROR | XD_ECC1_UNCORRECTABLE)) + == (XD_ECC1_ERROR | XD_ECC1_UNCORRECTABLE)) + || ((reg & (XD_ECC2_ERROR | + XD_ECC2_UNCORRECTABLE)) == + (XD_ECC2_ERROR | XD_ECC2_UNCORRECTABLE))) { + RTS51X_WRITE_REG(chip, XD_PAGE_STATUS, + 0xFF, XD_BPG); + RTS51X_WRITE_REG(chip, XD_BLOCK_STATUS, + 0xFF, XD_GBLK); + XD_SET_BAD_OLDBLK(xd_card); + RTS51X_DEBUGP("old block 0x%x" + "ecc error\n", old_blk); + } + } else { + xd_set_err_code(chip, XD_TO_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + } + if (XD_CHK_BAD_OLDBLK(xd_card)) + rts51x_clear_xd_error(chip); + + rts51x_init_cmd(chip); + + xd_assign_phy_addr(chip, new_page, XD_RW_ADDR); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_PAGE_CNT, 0xFF, 1); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_TRANSFER, 0xFF, + XD_TRANSFER_START | XD_WRITE_PAGES); + rts51x_add_cmd(chip, CHECK_REG_CMD, XD_TRANSFER, + XD_TRANSFER_END, XD_TRANSFER_END); + + retval = rts51x_send_cmd(chip, MODE_CR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = rts51x_get_rsp(chip, 1, 300); + if (retval != STATUS_SUCCESS) { + rts51x_clear_xd_error(chip); + reg = 0; + rts51x_ep0_read_register(chip, XD_DAT, &reg); + if (reg & PROGRAM_ERROR) { + xd_mark_bad_block(chip, new_blk); + xd_set_err_code(chip, XD_PRG_ERROR); + XD_SET_BAD_NEWBLK(xd_card); + } else { + xd_set_err_code(chip, XD_TO_ERROR); + } + TRACE_RET(chip, retval); + } + + old_page++; + new_page++; + } + + return STATUS_SUCCESS; +} + +static int xd_reset_cmd(struct rts51x_chip *chip) +{ + int retval; + u8 xd_dat, xd_ctl; + + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_TRANSFER, 0xFF, + XD_TRANSFER_START | XD_RESET); + rts51x_add_cmd(chip, CHECK_REG_CMD, XD_TRANSFER, XD_TRANSFER_END, + XD_TRANSFER_END); + rts51x_add_cmd(chip, READ_REG_CMD, XD_DAT, 0, 0); + rts51x_add_cmd(chip, READ_REG_CMD, XD_CTL, 0, 0); + + retval = rts51x_send_cmd(chip, MODE_CR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = rts51x_get_rsp(chip, 3, 100); + if (retval != STATUS_SUCCESS) { + rts51x_clear_xd_error(chip); + TRACE_RET(chip, retval); + } + + xd_dat = chip->rsp_buf[1]; + xd_ctl = chip->rsp_buf[2]; + if (((xd_dat & READY_FLAG) == READY_STATE) && (xd_ctl & XD_RDY)) + return STATUS_SUCCESS; + + TRACE_RET(chip, STATUS_FAIL); +} + +static int xd_erase_block(struct rts51x_chip *chip, u32 phy_blk) +{ + struct xd_info *xd_card = &(chip->xd_card); + u32 page_addr; + u8 reg = 0, xd_dat; + int i, retval; + + if (phy_blk == BLK_NOT_FOUND) + TRACE_RET(chip, STATUS_FAIL); + + page_addr = phy_blk << xd_card->block_shift; + + for (i = 0; i < 3; i++) { + rts51x_init_cmd(chip); + + xd_assign_phy_addr(chip, page_addr, XD_ERASE_ADDR); + + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_TRANSFER, 0xFF, + XD_TRANSFER_START | XD_ERASE); + rts51x_add_cmd(chip, CHECK_REG_CMD, XD_TRANSFER, + XD_TRANSFER_END, XD_TRANSFER_END); + rts51x_add_cmd(chip, READ_REG_CMD, XD_DAT, 0, 0); + + retval = rts51x_send_cmd(chip, MODE_CR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = rts51x_get_rsp(chip, 2, 300); + if (retval != STATUS_SUCCESS) { + rts51x_clear_xd_error(chip); + rts51x_ep0_read_register(chip, XD_DAT, &reg); + if (reg & PROGRAM_ERROR) { + xd_mark_bad_block(chip, phy_blk); + xd_set_err_code(chip, XD_PRG_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } else { + xd_set_err_code(chip, XD_ERASE_FAIL); + } + retval = xd_reset_cmd(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + continue; + } + xd_dat = chip->rsp_buf[1]; + if (xd_dat & PROGRAM_ERROR) { + xd_mark_bad_block(chip, phy_blk); + xd_set_err_code(chip, XD_PRG_ERROR); + TRACE_RET(chip, STATUS_FAIL); + } + + return STATUS_SUCCESS; + } + + xd_mark_bad_block(chip, phy_blk); + xd_set_err_code(chip, XD_ERASE_FAIL); + TRACE_RET(chip, STATUS_FAIL); +} + +static int xd_build_l2p_tbl(struct rts51x_chip *chip, int zone_no) +{ + struct xd_info *xd_card = &(chip->xd_card); + struct zone_entry *zone; + int retval; + u32 start, end, i; + u16 max_logoff, cur_fst_page_logoff, cur_lst_page_logoff, + ent_lst_page_logoff; + u8 redunt[11]; + + RTS51X_DEBUGP("xd_build_l2p_tbl: %d\n", zone_no); + + if (xd_card->zone == NULL) { + retval = xd_init_l2p_tbl(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + + if (xd_card->zone[zone_no].build_flag) { + RTS51X_DEBUGP("l2p table of zone %d has been built\n", + zone_no); + return STATUS_SUCCESS; + } + + zone = &(xd_card->zone[zone_no]); + + if (zone->l2p_table == NULL) { + zone->l2p_table = vmalloc(2000); + if (zone->l2p_table == NULL) + TRACE_GOTO(chip, Build_Fail); + } + memset((u8 *) (zone->l2p_table), 0xff, 2000); + + if (zone->free_table == NULL) { + zone->free_table = vmalloc(XD_FREE_TABLE_CNT * 2); + if (zone->free_table == NULL) + TRACE_GOTO(chip, Build_Fail); + } + memset((u8 *) (zone->free_table), 0xff, XD_FREE_TABLE_CNT * 2); + + if (zone_no == 0) { + if (xd_card->cis_block == 0xFFFF) + start = 0; + else + start = xd_card->cis_block + 1; + if (XD_CHK_4MB(xd_card)) { + end = 0x200; + max_logoff = 499; + } else { + end = 0x400; + max_logoff = 999; + } + } else { + start = (u32) (zone_no) << 10; + end = (u32) (zone_no + 1) << 10; + max_logoff = 999; + } + + RTS51X_DEBUGP("start block 0x%x, end block 0x%x\n", start, end); + + zone->set_index = zone->get_index = 0; + zone->unused_blk_cnt = 0; + + for (i = start; i < end; i++) { + u32 page_addr = i << xd_card->block_shift; + u32 phy_block; + + retval = xd_read_redundant(chip, page_addr, redunt, 11); + if (retval != STATUS_SUCCESS) + continue; + + if (redunt[BLOCK_STATUS] != 0xFF) { + RTS51X_DEBUGP("bad block\n"); + continue; + } + + if (xd_check_data_blank(redunt)) { + RTS51X_DEBUGP("blank block\n"); + xd_set_unused_block(chip, i); + continue; + } + + cur_fst_page_logoff = xd_load_log_block_addr(redunt); + if ((cur_fst_page_logoff == 0xFFFF) + || (cur_fst_page_logoff > max_logoff)) { + retval = xd_erase_block(chip, i); + if (retval == STATUS_SUCCESS) + xd_set_unused_block(chip, i); + continue; + } + if ((zone_no == 0) && (cur_fst_page_logoff == 0) + && (redunt[PAGE_STATUS] != XD_GPG)) + XD_SET_MBR_FAIL(xd_card); + + if (zone->l2p_table[cur_fst_page_logoff] == 0xFFFF) { + zone->l2p_table[cur_fst_page_logoff] = + (u16) (i & 0x3FF); + continue; + } + + phy_block = + zone->l2p_table[cur_fst_page_logoff] + + ((u32) ((zone_no) << 10)); + + page_addr = ((i + 1) << xd_card->block_shift) - 1; + + retval = xd_read_redundant(chip, page_addr, redunt, 11); + if (retval != STATUS_SUCCESS) + continue; + + cur_lst_page_logoff = xd_load_log_block_addr(redunt); + if (cur_lst_page_logoff == cur_fst_page_logoff) { + int m; + + page_addr = + ((phy_block + 1) << xd_card->block_shift) - 1; + + for (m = 0; m < 3; m++) { + retval = + xd_read_redundant(chip, page_addr, redunt, + 11); + if (retval == STATUS_SUCCESS) + break; + } + + if (m == 3) { + zone->l2p_table[cur_fst_page_logoff] = + (u16) (i & 0x3FF); + retval = xd_erase_block(chip, phy_block); + if (retval == STATUS_SUCCESS) + xd_set_unused_block(chip, phy_block); + continue; + } + + ent_lst_page_logoff = xd_load_log_block_addr(redunt); + if (ent_lst_page_logoff != cur_fst_page_logoff) { + zone->l2p_table[cur_fst_page_logoff] = + (u16) (i & 0x3FF); + retval = xd_erase_block(chip, phy_block); + if (retval == STATUS_SUCCESS) + xd_set_unused_block(chip, phy_block); + continue; + } else { + retval = xd_erase_block(chip, i); + if (retval == STATUS_SUCCESS) + xd_set_unused_block(chip, i); + } + } else { + retval = xd_erase_block(chip, i); + if (retval == STATUS_SUCCESS) + xd_set_unused_block(chip, i); + } + } + + if (XD_CHK_4MB(xd_card)) + end = 500; + else + end = 1000; + + i = 0; + for (start = 0; start < end; start++) { + if (zone->l2p_table[start] == 0xFFFF) + i++; + } + + RTS51X_DEBUGP("Block count %d, invalid L2P entry %d\n", end, i); + RTS51X_DEBUGP("Total unused block: %d\n", zone->unused_blk_cnt); + + if ((zone->unused_blk_cnt - i) < 1) + chip->card_wp |= XD_CARD; + + zone->build_flag = 1; + + return STATUS_SUCCESS; + +Build_Fail: + if (zone->l2p_table) { + vfree(zone->l2p_table); + zone->l2p_table = NULL; + } + if (zone->free_table) { + vfree(zone->free_table); + zone->free_table = NULL; + } + + return STATUS_FAIL; +} + +static int xd_send_cmd(struct rts51x_chip *chip, u8 cmd) +{ + int retval; + + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_DAT, 0xFF, cmd); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_TRANSFER, 0xFF, + XD_TRANSFER_START | XD_SET_CMD); + rts51x_add_cmd(chip, CHECK_REG_CMD, XD_TRANSFER, XD_TRANSFER_END, + XD_TRANSFER_END); + + retval = rts51x_send_cmd(chip, MODE_CR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = rts51x_get_rsp(chip, 1, 200); + if (retval != STATUS_SUCCESS) { + rts51x_clear_xd_error(chip); + TRACE_RET(chip, retval); + } + + return STATUS_SUCCESS; +} + +static int xd_read_multiple_pages(struct rts51x_chip *chip, u32 phy_blk, + u32 log_blk, u8 start_page, u8 end_page, + u8 *buf, void **ptr, unsigned int *offset) +{ + struct xd_info *xd_card = &(chip->xd_card); + u32 page_addr, new_blk; + u16 log_off; + u8 reg_val, page_cnt; + int zone_no, retval, i; + + if (start_page > end_page) + TRACE_RET(chip, STATUS_FAIL); + + page_cnt = end_page - start_page; + zone_no = (int)(log_blk / 1000); + log_off = (u16) (log_blk % 1000); + + if ((phy_blk & 0x3FF) == 0x3FF) { + for (i = 0; i < 256; i++) { + page_addr = ((u32) i) << xd_card->block_shift; + + retval = xd_read_redundant(chip, page_addr, NULL, 0); + if (retval == STATUS_SUCCESS) + break; + + if (monitor_card_cd(chip, XD_CARD) == CD_NOT_EXIST) { + xd_set_err_code(chip, XD_NO_CARD); + TRACE_RET(chip, STATUS_FAIL); + } + } + } + + page_addr = (phy_blk << xd_card->block_shift) + start_page; + + rts51x_init_cmd(chip); + + xd_assign_phy_addr(chip, page_addr, XD_RW_ADDR); + + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_CFG, XD_PPB_TO_SIE, + XD_PPB_TO_SIE); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01, + RING_BUFFER); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_PAGE_CNT, 0xFF, page_cnt); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_CHK_DATA_STATUS, + XD_AUTO_CHK_DATA_STATUS, XD_AUTO_CHK_DATA_STATUS); + + rts51x_trans_dma_enable(chip->srb->sc_data_direction, chip, + page_cnt * 512, DMA_512); + + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_TRANSFER, 0xFF, + XD_TRANSFER_START | XD_READ_PAGES); + rts51x_add_cmd(chip, CHECK_REG_CMD, XD_TRANSFER, + XD_TRANSFER_END | XD_PPB_EMPTY, + XD_TRANSFER_END | XD_PPB_EMPTY); + + retval = rts51x_send_cmd(chip, MODE_CDIR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = + rts51x_transfer_data_partial(chip, RCV_BULK_PIPE(chip), (void *)buf, + ptr, offset, page_cnt * 512, + scsi_sg_count(chip->srb), NULL, 2000); + if (retval != STATUS_SUCCESS) { + rts51x_clear_xd_error(chip); + + if (retval == STATUS_TIMEDOUT) { + xd_set_err_code(chip, XD_TO_ERROR); + TRACE_RET(chip, retval); + } else { + TRACE_GOTO(chip, Fail); + } + } + retval = rts51x_get_rsp(chip, 1, 200); + if (retval != STATUS_SUCCESS) { + rts51x_clear_xd_error(chip); + + if (retval == STATUS_TIMEDOUT) { + xd_set_err_code(chip, XD_TO_ERROR); + TRACE_RET(chip, retval); + } else { + TRACE_GOTO(chip, Fail); + } + } + + return STATUS_SUCCESS; + +Fail: + rts51x_ep0_read_register(chip, XD_PAGE_STATUS, &reg_val); + RTS51X_DEBUGP("XD_PAGE_STATUS: 0x%x\n", reg_val); + + if (reg_val != XD_GPG) + xd_set_err_code(chip, XD_PRG_ERROR); + + rts51x_ep0_read_register(chip, XD_CTL, &reg_val); + RTS51X_DEBUGP("XD_CTL: 0x%x\n", reg_val); + + /* Handle uncorrectable ECC error */ + if (((reg_val & (XD_ECC1_ERROR | XD_ECC1_UNCORRECTABLE)) + == (XD_ECC1_ERROR | XD_ECC1_UNCORRECTABLE)) + || ((reg_val & (XD_ECC2_ERROR | XD_ECC2_UNCORRECTABLE)) + == (XD_ECC2_ERROR | XD_ECC2_UNCORRECTABLE))) { + wait_timeout(100); + + if (monitor_card_cd(chip, XD_CARD) == CD_NOT_EXIST) { + xd_set_err_code(chip, XD_NO_CARD); + TRACE_RET(chip, STATUS_FAIL); + } + + xd_set_err_code(chip, XD_ECC_ERROR); + + new_blk = xd_get_unused_block(chip, zone_no); + if (new_blk == NO_NEW_BLK) { + XD_CLR_BAD_OLDBLK(xd_card); + TRACE_RET(chip, STATUS_FAIL); + } + retval = + xd_copy_page(chip, phy_blk, new_blk, 0, + xd_card->page_off + 1); + if (retval != STATUS_SUCCESS) { + if (!XD_CHK_BAD_NEWBLK(xd_card)) { + retval = xd_erase_block(chip, new_blk); + if (retval == STATUS_SUCCESS) + xd_set_unused_block(chip, new_blk); + } else { + XD_CLR_BAD_NEWBLK(xd_card); + } + XD_CLR_BAD_OLDBLK(xd_card); + TRACE_RET(chip, STATUS_FAIL); + } + xd_set_l2p_tbl(chip, zone_no, log_off, (u16) (new_blk & 0x3FF)); + xd_erase_block(chip, phy_blk); + xd_mark_bad_block(chip, phy_blk); + XD_CLR_BAD_OLDBLK(xd_card); + } + + TRACE_RET(chip, STATUS_FAIL); +} + +static int xd_finish_write(struct rts51x_chip *chip, + u32 old_blk, u32 new_blk, u32 log_blk, u8 page_off) +{ + struct xd_info *xd_card = &(chip->xd_card); + int retval, zone_no; + u16 log_off; + + RTS51X_DEBUGP("xd_finish_write, old_blk = 0x%x, new_blk = 0x%x," + "log_blk = 0x%x\n", old_blk, new_blk, log_blk); + + if (page_off > xd_card->page_off) + TRACE_RET(chip, STATUS_FAIL); + + zone_no = (int)(log_blk / 1000); + log_off = (u16) (log_blk % 1000); + + if (old_blk == BLK_NOT_FOUND) { + retval = xd_init_page(chip, new_blk, log_off, + page_off, xd_card->page_off + 1); + if (retval != STATUS_SUCCESS) { + retval = xd_erase_block(chip, new_blk); + if (retval == STATUS_SUCCESS) + xd_set_unused_block(chip, new_blk); + TRACE_RET(chip, STATUS_FAIL); + } + } else { + retval = xd_copy_page(chip, old_blk, new_blk, + page_off, xd_card->page_off + 1); + if (retval != STATUS_SUCCESS) { + if (!XD_CHK_BAD_NEWBLK(xd_card)) { + retval = xd_erase_block(chip, new_blk); + if (retval == STATUS_SUCCESS) + xd_set_unused_block(chip, new_blk); + } + XD_CLR_BAD_NEWBLK(xd_card); + TRACE_RET(chip, STATUS_FAIL); + } + + retval = xd_erase_block(chip, old_blk); + if (retval == STATUS_SUCCESS) { + if (XD_CHK_BAD_OLDBLK(xd_card)) { + xd_mark_bad_block(chip, old_blk); + XD_CLR_BAD_OLDBLK(xd_card); + } else { + /* Add source block to unused block */ + xd_set_unused_block(chip, old_blk); + } + } else { + xd_set_err_code(chip, XD_NO_ERROR); + XD_CLR_BAD_OLDBLK(xd_card); + } + } + + /* Add target block to L2P table */ + xd_set_l2p_tbl(chip, zone_no, log_off, (u16) (new_blk & 0x3FF)); + + return STATUS_SUCCESS; +} + +static int xd_prepare_write(struct rts51x_chip *chip, + u32 old_blk, u32 new_blk, u32 log_blk, u8 page_off) +{ + int retval; + + RTS51X_DEBUGP("xd_prepare_write, old_blk = 0x%x, new_blk = 0x%x," + "log_blk = 0x%x, page_off = %d\n", + old_blk, new_blk, log_blk, (int)page_off); + + if (page_off) { + retval = xd_copy_page(chip, old_blk, new_blk, 0, page_off); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + + return STATUS_SUCCESS; +} + +static int xd_write_multiple_pages(struct rts51x_chip *chip, u32 old_blk, + u32 new_blk, u32 log_blk, u8 start_page, + u8 end_page, u8 *buf, void **ptr, + unsigned int *offset) +{ + struct xd_info *xd_card = &(chip->xd_card); + u32 page_addr; + int zone_no, retval; + u16 log_off; + u8 page_cnt, reg_val; + + RTS51X_DEBUGP("xd_write_multiple_pages, old_blk = 0x%x," + "new_blk = 0x%x, log_blk = 0x%x\n", + old_blk, new_blk, log_blk); + + if (start_page > end_page) + TRACE_RET(chip, STATUS_FAIL); + + page_cnt = end_page - start_page; + zone_no = (int)(log_blk / 1000); + log_off = (u16) (log_blk % 1000); + + page_addr = (new_blk << xd_card->block_shift) + start_page; + + /* Send index command */ + retval = xd_send_cmd(chip, READ1_1); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + rts51x_init_cmd(chip); + + /* Prepare redundant field */ + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_BLOCK_ADDR1_H, 0xFF, + (u8) (log_off >> 8)); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_BLOCK_ADDR1_L, 0xFF, + (u8) log_off); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_BLOCK_STATUS, 0xFF, XD_GBLK); + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_PAGE_STATUS, 0xFF, XD_GPG); + + xd_assign_phy_addr(chip, page_addr, XD_RW_ADDR); + + /* Transform the block address by hardware */ + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_CFG, XD_BA_TRANSFORM, + XD_BA_TRANSFORM); + + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_PAGE_CNT, 0xFF, page_cnt); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_DATA_SOURCE, 0x01, + RING_BUFFER); + + rts51x_trans_dma_enable(chip->srb->sc_data_direction, chip, + page_cnt * 512, DMA_512); + + rts51x_add_cmd(chip, WRITE_REG_CMD, XD_TRANSFER, 0xFF, + XD_TRANSFER_START | XD_WRITE_PAGES); + rts51x_add_cmd(chip, CHECK_REG_CMD, XD_TRANSFER, XD_TRANSFER_END, + XD_TRANSFER_END); + + retval = rts51x_send_cmd(chip, MODE_CDOR, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + retval = + rts51x_transfer_data_partial(chip, SND_BULK_PIPE(chip), (void *)buf, + ptr, offset, page_cnt * 512, + scsi_sg_count(chip->srb), NULL, 2000); + if (retval != STATUS_SUCCESS) { + rts51x_clear_xd_error(chip); + + if (retval == STATUS_TIMEDOUT) { + xd_set_err_code(chip, XD_TO_ERROR); + TRACE_RET(chip, retval); + } else { + TRACE_GOTO(chip, Fail); + } + } + retval = rts51x_get_rsp(chip, 1, 200); + if (retval != STATUS_SUCCESS) { + rts51x_clear_xd_error(chip); + + if (retval == STATUS_TIMEDOUT) { + xd_set_err_code(chip, XD_TO_ERROR); + TRACE_RET(chip, retval); + } else { + TRACE_GOTO(chip, Fail); + } + } + + if (end_page == (xd_card->page_off + 1)) { + xd_card->delay_write.delay_write_flag = 0; + + if (old_blk != BLK_NOT_FOUND) { + retval = xd_erase_block(chip, old_blk); + if (retval == STATUS_SUCCESS) { + if (XD_CHK_BAD_OLDBLK(xd_card)) { + xd_mark_bad_block(chip, old_blk); + XD_CLR_BAD_OLDBLK(xd_card); + } else { + xd_set_unused_block(chip, old_blk); + } + } else { + xd_set_err_code(chip, XD_NO_ERROR); + XD_CLR_BAD_OLDBLK(xd_card); + } + } + xd_set_l2p_tbl(chip, zone_no, log_off, (u16) (new_blk & 0x3FF)); + } + + return STATUS_SUCCESS; + +Fail: + rts51x_ep0_read_register(chip, XD_DAT, &reg_val); + RTS51X_DEBUGP("XD_DAT: 0x%x\n", reg_val); + + if (reg_val & PROGRAM_ERROR) { + xd_set_err_code(chip, XD_PRG_ERROR); + xd_mark_bad_block(chip, new_blk); + } + + TRACE_RET(chip, STATUS_FAIL); +} + +static int xd_delay_write(struct rts51x_chip *chip) +{ + struct xd_info *xd_card = &(chip->xd_card); + struct xd_delay_write_tag *delay_write = &(xd_card->delay_write); + int retval; + + if (delay_write->delay_write_flag) { + RTS51X_DEBUGP("xd_delay_write\n"); + retval = xd_switch_clock(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + delay_write->delay_write_flag = 0; + retval = xd_finish_write(chip, + delay_write->old_phyblock, + delay_write->new_phyblock, + delay_write->logblock, + delay_write->pageoff); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + } + + return STATUS_SUCCESS; +} + +int rts51x_xd_rw(struct scsi_cmnd *srb, struct rts51x_chip *chip, + u32 start_sector, u16 sector_cnt) +{ + struct xd_info *xd_card = &(chip->xd_card); + unsigned int lun = SCSI_LUN(srb); + struct xd_delay_write_tag *delay_write = &(xd_card->delay_write); + int retval, zone_no; + u32 log_blk, old_blk = 0, new_blk = 0; + u16 log_off, total_sec_cnt = sector_cnt; + u8 start_page, end_page = 0, page_cnt; + u8 *buf; + void *ptr = NULL; + unsigned int offset = 0; + + xd_set_err_code(chip, XD_NO_ERROR); + + xd_card->counter = 0; + + RTS51X_DEBUGP("rts51x_xd_rw: scsi_bufflen = %d, scsi_sg_count = %d\n", + scsi_bufflen(srb), scsi_sg_count(srb)); + RTS51X_DEBUGP("Data direction: %s\n", + (srb->sc_data_direction == + DMA_TO_DEVICE) ? "write" : "read"); + + buf = (u8 *) scsi_sglist(srb); + + retval = xd_switch_clock(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + log_blk = start_sector >> xd_card->block_shift; + start_page = (u8) start_sector & xd_card->page_off; + zone_no = (int)(log_blk / 1000); + log_off = (u16) (log_blk % 1000); + + RTS51X_DEBUGP("log_blk = 0x%x\n", log_blk); + + if (xd_card->zone[zone_no].build_flag == 0) { + retval = xd_build_l2p_tbl(chip, zone_no); + if (retval != STATUS_SUCCESS) { + chip->card_fail |= XD_CARD; + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_NOT_PRESENT); + TRACE_RET(chip, retval); + } + } + + if (srb->sc_data_direction == DMA_TO_DEVICE) { + if (delay_write->delay_write_flag && + (delay_write->logblock == log_blk) && + (start_page > delay_write->pageoff)) { + delay_write->delay_write_flag = 0; + if (delay_write->old_phyblock != BLK_NOT_FOUND) { + retval = xd_copy_page(chip, + delay_write->old_phyblock, + delay_write->new_phyblock, + delay_write->pageoff, + start_page); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_WRITE_ERR); + TRACE_RET(chip, retval); + } + } + old_blk = delay_write->old_phyblock; + new_blk = delay_write->new_phyblock; + } else if (delay_write->delay_write_flag && + (delay_write->logblock == log_blk) && + (start_page == delay_write->pageoff)) { + delay_write->delay_write_flag = 0; + old_blk = delay_write->old_phyblock; + new_blk = delay_write->new_phyblock; + } else { + retval = xd_delay_write(chip); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_WRITE_ERR); + TRACE_RET(chip, retval); + } + old_blk = xd_get_l2p_tbl(chip, zone_no, log_off); + new_blk = xd_get_unused_block(chip, zone_no); + if ((old_blk == BLK_NOT_FOUND) + || (new_blk == BLK_NOT_FOUND)) { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_WRITE_ERR); + TRACE_RET(chip, retval); + } + + retval = + xd_prepare_write(chip, old_blk, new_blk, log_blk, + start_page); + if (retval != STATUS_SUCCESS) { + if (monitor_card_cd(chip, XD_CARD) == + CD_NOT_EXIST) { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_NOT_PRESENT); + TRACE_RET(chip, STATUS_FAIL); + } + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_WRITE_ERR); + TRACE_RET(chip, retval); + } + } + } else { + retval = xd_delay_write(chip); + if (retval != STATUS_SUCCESS) { + if (monitor_card_cd(chip, XD_CARD) == CD_NOT_EXIST) { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_NOT_PRESENT); + TRACE_RET(chip, STATUS_FAIL); + } + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR); + TRACE_RET(chip, retval); + } + + old_blk = xd_get_l2p_tbl(chip, zone_no, log_off); + if (old_blk == BLK_NOT_FOUND) { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR); + TRACE_RET(chip, STATUS_FAIL); + } + } + + RTS51X_DEBUGP("old_blk = 0x%x\n", old_blk); + if (srb->sc_data_direction == DMA_TO_DEVICE) + RTS51X_DEBUGP("new_blk = 0x%x\n", new_blk); + + while (total_sec_cnt) { + if ((start_page + total_sec_cnt) > (xd_card->page_off + 1)) + end_page = xd_card->page_off + 1; + else + end_page = start_page + (u8) total_sec_cnt; + page_cnt = end_page - start_page; + if (srb->sc_data_direction == DMA_FROM_DEVICE) { + retval = xd_read_multiple_pages(chip, old_blk, log_blk, + start_page, end_page, + buf, &ptr, &offset); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR); + TRACE_RET(chip, STATUS_FAIL); + } + } else { + retval = + xd_write_multiple_pages(chip, old_blk, new_blk, + log_blk, start_page, + end_page, buf, &ptr, + &offset); + if (retval != STATUS_SUCCESS) { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_WRITE_ERR); + TRACE_RET(chip, STATUS_FAIL); + } + } + + total_sec_cnt -= page_cnt; + + if (total_sec_cnt == 0) + break; + + log_blk++; + zone_no = (int)(log_blk / 1000); + log_off = (u16) (log_blk % 1000); + + if (xd_card->zone[zone_no].build_flag == 0) { + retval = xd_build_l2p_tbl(chip, zone_no); + if (retval != STATUS_SUCCESS) { + chip->card_fail |= XD_CARD; + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_NOT_PRESENT); + TRACE_RET(chip, retval); + } + } + + old_blk = xd_get_l2p_tbl(chip, zone_no, log_off); + if (old_blk == BLK_NOT_FOUND) { + if (srb->sc_data_direction == DMA_FROM_DEVICE) { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_UNRECOVER_READ_ERR); + } else { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_WRITE_ERR); + } + TRACE_RET(chip, STATUS_FAIL); + } + + if (srb->sc_data_direction == DMA_TO_DEVICE) { + new_blk = xd_get_unused_block(chip, zone_no); + if (new_blk == BLK_NOT_FOUND) { + rts51x_set_sense_type(chip, lun, + SENSE_TYPE_MEDIA_WRITE_ERR); + TRACE_RET(chip, STATUS_FAIL); + } + } + + start_page = 0; + } + + if ((srb->sc_data_direction == DMA_TO_DEVICE) && + (end_page != (xd_card->page_off + 1))) { + delay_write->delay_write_flag = 1; + delay_write->old_phyblock = old_blk; + delay_write->new_phyblock = new_blk; + delay_write->logblock = log_blk; + delay_write->pageoff = end_page; + } + + scsi_set_resid(srb, 0); + + return STATUS_SUCCESS; +} + +void rts51x_xd_free_l2p_tbl(struct rts51x_chip *chip) +{ + struct xd_info *xd_card = &(chip->xd_card); + int i = 0; + + if (xd_card->zone != NULL) { + for (i = 0; i < xd_card->zone_cnt; i++) { + if (xd_card->zone[i].l2p_table != NULL) { + vfree(xd_card->zone[i].l2p_table); + xd_card->zone[i].l2p_table = NULL; + } + if (xd_card->zone[i].free_table != NULL) { + vfree(xd_card->zone[i].free_table); + xd_card->zone[i].free_table = NULL; + } + } + vfree(xd_card->zone); + xd_card->zone = NULL; + } +} + +void rts51x_xd_cleanup_work(struct rts51x_chip *chip) +{ + struct xd_info *xd_card = &(chip->xd_card); + + if (xd_card->delay_write.delay_write_flag) { + RTS51X_DEBUGP("xD: delay write\n"); + xd_delay_write(chip); + xd_card->counter = 0; + } +} + +static int xd_power_off_card3v3(struct rts51x_chip *chip) +{ + int retval; + + rts51x_init_cmd(chip); + + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_CLK_EN, XD_CLK_EN, 0); + + if (chip->asic_code) + xd_pull_ctl_disable(chip); + else + rts51x_add_cmd(chip, WRITE_REG_CMD, FPGA_PULL_CTL, 0xFF, 0xDF); + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_OE, XD_OUTPUT_EN, 0); + if (!chip->option.FT2_fast_mode) { + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL, POWER_MASK, + POWER_OFF); + if (CHECK_PKG(chip, LQFP48) + || chip->option.rts5129_D3318_off_enable) + rts51x_add_cmd(chip, WRITE_REG_CMD, CARD_PWR_CTL, + DV3318_AUTO_PWR_OFF, 0); + } + + retval = rts51x_send_cmd(chip, MODE_C, 100); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + return STATUS_SUCCESS; +} + +int rts51x_release_xd_card(struct rts51x_chip *chip) +{ + struct xd_info *xd_card = &(chip->xd_card); + int retval; + + RTS51X_DEBUGP("rts51x_release_xd_card\n"); + + chip->card_ready &= ~XD_CARD; + chip->card_fail &= ~XD_CARD; + chip->card_wp &= ~XD_CARD; + + xd_card->delay_write.delay_write_flag = 0; + + rts51x_xd_free_l2p_tbl(chip); + + rts51x_write_register(chip, SFSM_ED, HW_CMD_STOP, HW_CMD_STOP); + + retval = xd_power_off_card3v3(chip); + if (retval != STATUS_SUCCESS) + TRACE_RET(chip, retval); + + if (chip->asic_code && CHECK_PKG(chip, QFN24)) + wait_timeout(20); + + return STATUS_SUCCESS; +} diff --git a/drivers/staging/rts5139/xd.h b/drivers/staging/rts5139/xd.h new file mode 100644 index 000000000000..695a0b4d7e52 --- /dev/null +++ b/drivers/staging/rts5139/xd.h @@ -0,0 +1,191 @@ +/* Driver for Realtek RTS51xx USB card reader + * Header file + * + * Copyright(c) 2009 Realtek Semiconductor Corp. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, see <http://www.gnu.org/licenses/>. + * + * Author: + * wwang (wei_wang(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + * Maintainer: + * Edwin Rong (edwin_rong(a)realsil.com.cn) + * No. 450, Shenhu Road, Suzhou Industry Park, Suzhou, China + */ + +#ifndef __RTS51X_XD_H +#define __RTS51X_XD_H + +/* Error Codes */ +#define XD_NO_ERROR 0x00 +#define XD_NO_MEMORY 0x80 +#define XD_PRG_ERROR 0x40 +#define XD_NO_CARD 0x20 +#define XD_READ_FAIL 0x10 +#define XD_ERASE_FAIL 0x08 +#define XD_WRITE_FAIL 0x04 +#define XD_ECC_ERROR 0x02 +#define XD_TO_ERROR 0x01 + +/* XD Commands */ +#define READ1_1 0x00 +#define READ1_2 0x01 +#define READ2 0x50 +#define READ_ID 0x90 +#define RESET 0xff +#define PAGE_PRG_1 0x80 +#define PAGE_PRG_2 0x10 +#define BLK_ERASE_1 0x60 +#define BLK_ERASE_2 0xD0 +#define READ_STS 0x70 +#define READ_xD_ID 0x9A +#define COPY_BACK_512 0x8A +#define COPY_BACK_2K 0x85 +#define READ1_1_2 0x30 +#define READ1_1_3 0x35 +#define CHG_DAT_OUT_1 0x05 +#define RDM_DAT_OUT_1 0x05 +#define CHG_DAT_OUT_2 0xE0 +#define RDM_DAT_OUT_2 0xE0 +#define CHG_DAT_OUT_2 0xE0 +#define CHG_DAT_IN_1 0x85 +#define CACHE_PRG 0x15 + +/* Redundant Area Related */ +#define XD_EXTRA_SIZE 0x10 +#define XD_2K_EXTRA_SIZE 0x40 + +/* Define for XD Status */ +#define NOT_WRITE_PROTECTED 0x80 +#define READY_STATE 0x40 +#define PROGRAM_ERROR 0x01 +#define PROGRAM_ERROR_N_1 0x02 +#define INTERNAL_READY 0x20 +#define READY_FLAG 0x5F + +/* Define for device code */ +#define XD_8M_X8_512 0xE6 +#define XD_16M_X8_512 0x73 +#define XD_32M_X8_512 0x75 +#define XD_64M_X8_512 0x76 +#define XD_128M_X8_512 0x79 +#define XD_256M_X8_512 0x71 +#define XD_128M_X8_2048 0xF1 +#define XD_256M_X8_2048 0xDA +#define XD_512M_X8 0xDC +#define XD_128M_X16_2048 0xC1 +#define XD_4M_X8_512_1 0xE3 +#define XD_4M_X8_512_2 0xE5 +#define xD_1G_X8_512 0xD3 +#define xD_2G_X8_512 0xD5 + +#define XD_ID_CODE 0xB5 + +#define VENDOR_BLOCK 0xEFFF +#define CIS_BLOCK 0xDFFF + +#define BLK_NOT_FOUND 0xFFFFFFFF + +#define NO_NEW_BLK 0xFFFFFFFF + +#define PAGE_CORRECTABLE 0x0 +#define PAGE_NOTCORRECTABLE 0x1 + +#define NO_OFFSET 0x0 +#define WITH_OFFSET 0x1 + +#define Sect_Per_Page 4 +#define XD_ADDR_MODE_2C XD_ADDR_MODE_2A + +#define ZONE0_BAD_BLOCK 23 +#define NOT_ZONE0_BAD_BLOCK 24 + +/* Assign address mode */ +#define XD_RW_ADDR 0x01 +#define XD_ERASE_ADDR 0x02 + +/* Macro Definition */ +#define XD_PAGE_512(xd_card) \ + do { \ + (xd_card)->block_shift = 5; \ + (xd_card)->page_off = 0x1F; \ + } while (0) + +#define XD_SET_BAD_NEWBLK(xd_card) ((xd_card)->multi_flag |= 0x01) +#define XD_CLR_BAD_NEWBLK(xd_card) ((xd_card)->multi_flag &= ~0x01) +#define XD_CHK_BAD_NEWBLK(xd_card) ((xd_card)->multi_flag & 0x01) + +#define XD_SET_BAD_OLDBLK(xd_card) ((xd_card)->multi_flag |= 0x02) +#define XD_CLR_BAD_OLDBLK(xd_card) ((xd_card)->multi_flag &= ~0x02) +#define XD_CHK_BAD_OLDBLK(xd_card) ((xd_card)->multi_flag & 0x02) + +#define XD_SET_MBR_FAIL(xd_card) ((xd_card)->multi_flag |= 0x04) +#define XD_CLR_MBR_FAIL(xd_card) ((xd_card)->multi_flag &= ~0x04) +#define XD_CHK_MBR_FAIL(xd_card) ((xd_card)->multi_flag & 0x04) + +#define XD_SET_ECC_FLD_ERR(xd_card) ((xd_card)->multi_flag |= 0x08) +#define XD_CLR_ECC_FLD_ERR(xd_card) ((xd_card)->multi_flag &= ~0x08) +#define XD_CHK_ECC_FLD_ERR(xd_card) ((xd_card)->multi_flag & 0x08) + +#define XD_SET_4MB(xd_card) ((xd_card)->multi_flag |= 0x10) +#define XD_CLR_4MB(xd_card) ((xd_card)->multi_flag &= ~0x10) +#define XD_CHK_4MB(xd_card) ((xd_card)->multi_flag & 0x10) + +#define XD_SET_ECC_ERR(xd_card) ((xd_card)->multi_flag |= 0x40) +#define XD_CLR_ECC_ERR(xd_card) ((xd_card)->multi_flag &= ~0x40) +#define XD_CHK_ECC_ERR(xd_card) ((xd_card)->multi_flag & 0x40) + +/* Offset in xD redundant buffer */ +#define PAGE_STATUS 0 +#define BLOCK_STATUS 1 +#define BLOCK_ADDR1_L 2 +#define BLOCK_ADDR1_H 3 +#define BLOCK_ADDR2_L 4 +#define BLOCK_ADDR2_H 5 +#define RESERVED0 6 +#define RESERVED1 7 +#define RESERVED2 8 +#define RESERVED3 9 +#define PARITY 10 + +/* For CIS block */ +#define CIS0_0 0 +#define CIS0_1 1 +#define CIS0_2 2 +#define CIS0_3 3 +#define CIS0_4 4 +#define CIS0_5 5 +#define CIS0_6 6 +#define CIS0_7 7 +#define CIS0_8 8 +#define CIS0_9 9 +#define CIS1_0 256 +#define CIS1_1 (256 + 1) +#define CIS1_2 (256 + 2) +#define CIS1_3 (256 + 3) +#define CIS1_4 (256 + 4) +#define CIS1_5 (256 + 5) +#define CIS1_6 (256 + 6) +#define CIS1_7 (256 + 7) +#define CIS1_8 (256 + 8) +#define CIS1_9 (256 + 9) + +int rts51x_reset_xd_card(struct rts51x_chip *chip); +int rts51x_xd_rw(struct scsi_cmnd *srb, struct rts51x_chip *chip, u32 start_sector, + u16 sector_cnt); +void rts51x_xd_free_l2p_tbl(struct rts51x_chip *chip); +void rts51x_xd_cleanup_work(struct rts51x_chip *chip); +int rts51x_release_xd_card(struct rts51x_chip *chip); + +#endif /* __RTS51X_XD_H */ -- 2.43.0

5 months, 2 weeks

2
2
0 0

[PATCH 1/2] soc: mediatek: mtk-devapc: Fix leaking IO map on error paths

by Krzysztof Kozlowski

Error paths of mtk_devapc_probe() should unmap the memory. Reported by Smatch: drivers/soc/mediatek/mtk-devapc.c:292 mtk_devapc_probe() warn: 'ctx->infra_base' from of_iomap() not released on lines: 277,281,286. Fixes: 0890beb22618 ("soc: mediatek: add mt6779 devapc driver") Cc: <stable(a)vger.kernel.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> --- drivers/soc/mediatek/mtk-devapc.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/drivers/soc/mediatek/mtk-devapc.c b/drivers/soc/mediatek/mtk-devapc.c index 2a1adcb87d4e..500847b41b16 100644 --- a/drivers/soc/mediatek/mtk-devapc.c +++ b/drivers/soc/mediatek/mtk-devapc.c @@ -273,23 +273,31 @@ static int mtk_devapc_probe(struct platform_device *pdev) return -EINVAL; devapc_irq = irq_of_parse_and_map(node, 0); - if (!devapc_irq) - return -EINVAL; + if (!devapc_irq) { + ret = -EINVAL; + goto err; + } ctx->infra_clk = devm_clk_get_enabled(&pdev->dev, "devapc-infra-clock"); - if (IS_ERR(ctx->infra_clk)) - return -EINVAL; + if (IS_ERR(ctx->infra_clk)) { + ret = -EINVAL; + goto err; + } ret = devm_request_irq(&pdev->dev, devapc_irq, devapc_violation_irq, IRQF_TRIGGER_NONE, "devapc", ctx); if (ret) - return ret; + goto err; platform_set_drvdata(pdev, ctx); start_devapc(ctx); return 0; + +err: + iounmap(ctx->infra_base); + return ret; } static void mtk_devapc_remove(struct platform_device *pdev) -- 2.43.0

5 months, 2 weeks

2
3
0 0

[PATCH] media/mmp: Bring back registration of the device

by Lubomir Rintel

In commit 4af65141e38e ("media: marvell: cafe: Register V4L2 device earlier"), a call to v4l2_device_register() was moved away from mccic_register() into its caller, marvell/cafe's cafe_pci_probe(). This is not the only caller though -- there's also marvell/mmp. Add v4l2_device_register() into mmpcam_probe() to unbreak the MMP camera driver, in a fashion analogous to what's been done to the Cafe driver. Same for the teardown path. Fixes: 4af65141e38e ("media: marvell: cafe: Register V4L2 device earlier") Signed-off-by: Lubomir Rintel <lkundrak(a)v3.sk> Cc: stable(a)vger.kernel.org # v6.6+ --- drivers/media/platform/marvell/mmp-driver.c | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/drivers/media/platform/marvell/mmp-driver.c b/drivers/media/platform/marvell/mmp-driver.c index 3fd4fc1b9c48..d3da7ebb4a2b 100644 --- a/drivers/media/platform/marvell/mmp-driver.c +++ b/drivers/media/platform/marvell/mmp-driver.c @@ -231,13 +231,23 @@ static int mmpcam_probe(struct platform_device *pdev) mcam_init_clk(mcam); + /* + * Register with V4L. + */ + + ret = v4l2_device_register(mcam->dev, &mcam->v4l2_dev); + if (ret) + return ret; + /* * Create a match of the sensor against its OF node. */ ep = fwnode_graph_get_next_endpoint(of_fwnode_handle(pdev->dev.of_node), NULL); - if (!ep) - return -ENODEV; + if (!ep) { + ret = -ENODEV; + goto out_v4l2_device_unregister; + } v4l2_async_nf_init(&mcam->notifier, &mcam->v4l2_dev); @@ -246,7 +256,7 @@ static int mmpcam_probe(struct platform_device *pdev) fwnode_handle_put(ep); if (IS_ERR(asd)) { ret = PTR_ERR(asd); - goto out; + goto out_v4l2_device_unregister; } /* @@ -254,7 +264,7 @@ static int mmpcam_probe(struct platform_device *pdev) */ ret = mccic_register(mcam); if (ret) - goto out; + goto out_v4l2_device_unregister; /* * Add OF clock provider. @@ -283,6 +293,8 @@ static int mmpcam_probe(struct platform_device *pdev) return 0; out: mccic_shutdown(mcam); +out_v4l2_device_unregister: + v4l2_device_unregister(&mcam->v4l2_dev); return ret; } @@ -293,6 +305,7 @@ static void mmpcam_remove(struct platform_device *pdev) struct mcam_camera *mcam = &cam->mcam; mccic_shutdown(mcam); + v4l2_device_unregister(&mcam->v4l2_dev); pm_runtime_force_suspend(mcam->dev); } -- 2.47.1

5 months, 2 weeks

3
4
0 0

[PATCH net] ptp: limit number of virtual clocks per physical clock

by Thomas Weißschuh

The sysfs interface can be used to trigger arbitrarily large memory allocations. This can induce pressure on the VM layer to satisfy the request only to fail anyways. Reported-by: cheung wall <zzqq0103.hey(a)gmail.com> Closes: https://lore.kernel.org/lkml/20250103091906.GD1977892@ZenIV/ Fixes: 73f37068d540 ("ptp: support ptp physical/virtual clocks conversion") Cc: stable(a)vger.kernel.org Signed-off-by: Thomas Weißschuh <linux(a)weissschuh.net> --- The limit is completely made up, let me know if there is something better. I'm also wondering about the point of the max_vclocks sysfs attribute. It could easily be removed and all its logic moved into the n_vclocks attribute, simplifying the UAPI. --- drivers/ptp/ptp_private.h | 1 + drivers/ptp/ptp_sysfs.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/ptp/ptp_private.h b/drivers/ptp/ptp_private.h index 18934e28469ee6e3bf9c9e6d1a1adb82808d88e6..07003339795e9c0fb813887e47eaee4ba0e20064 100644 --- a/drivers/ptp/ptp_private.h +++ b/drivers/ptp/ptp_private.h @@ -22,6 +22,7 @@ #define PTP_MAX_TIMESTAMPS 128 #define PTP_BUF_TIMESTAMPS 30 #define PTP_DEFAULT_MAX_VCLOCKS 20 +#define PTP_MAX_VCLOCKS_LIMIT 2048 #define PTP_MAX_CHANNELS 2048 struct timestamp_event_queue { diff --git a/drivers/ptp/ptp_sysfs.c b/drivers/ptp/ptp_sysfs.c index 6b1b8f57cd9510f269c86dd89a7a74f277f6916b..200eaf50069681eecc87d63c0e0440f28cccab77 100644 --- a/drivers/ptp/ptp_sysfs.c +++ b/drivers/ptp/ptp_sysfs.c @@ -284,7 +284,7 @@ static ssize_t max_vclocks_store(struct device *dev, size_t size; u32 max; - if (kstrtou32(buf, 0, &max) || max == 0) + if (kstrtou32(buf, 0, &max) || max == 0 || max > PTP_MAX_VCLOCKS_LIMIT) return -EINVAL; if (max == ptp->max_vclocks) --- base-commit: 582ef8a0c406e0b17030b0773392595ec331a0d2 change-id: 20250103-ptp-max_vclocks-0dab5b03b006 Best regards, -- Thomas Weißschuh <linux(a)weissschuh.net>

5 months, 2 weeks

2
1
0 0

[PATCH v2] spi: atmel-qspi: Memory barriers after memory-mapped I/O

by Bence Csókás

The QSPI peripheral control and status registers are accessible via the SoC's APB bus, whereas MMIO transactions' data travels on the AHB bus. Microchip documentation and even sample code from Atmel emphasises the need for a memory barrier before the first MMIO transaction to the AHB-connected QSPI, and before the last write to its registers via APB. This is achieved by the following lines in `atmel_qspi_transfer()`: /* Dummy read of QSPI_IFR to synchronize APB and AHB accesses */ (void)atmel_qspi_read(aq, QSPI_IFR); However, the current documentation makes no mention to synchronization requirements in the other direction, i.e. after the last data written via AHB, and before the first register access on APB. In our case, we were facing an issue where the QSPI peripheral would cease to send any new CSR (nCS Rise) interrupts, leading to a timeout in `atmel_qspi_wait_for_completion()` and ultimately this panic in higher levels: ubi0 error: ubi_io_write: error -110 while writing 63108 bytes to PEB 491:128, written 63104 bytes After months of extensive research of the codebase, fiddling around the debugger with kgdb, and back-and-forth with Microchip, we came to the conclusion that the issue is probably that the peripheral is still busy receiving on AHB when the LASTXFER bit is written to its Control Register on APB, therefore this write gets lost, and the peripheral still thinks there is more data to come in the MMIO transfer. This was first formulated when we noticed that doubling the write() of QSPI_CR_LASTXFER seemed to solve the problem. Ultimately, the solution is to introduce memory barriers after the AHB-mapped MMIO transfers, to ensure ordering. Fixes: d5433def3153 ("mtd: spi-nor: atmel-quadspi: Add spi-mem support to atmel-quadspi") Cc: Hari.PrasathGE(a)microchip.com Cc: Mahesh.Abotula(a)microchip.com Cc: Marco.Cardellini(a)microchip.com Cc: <stable(a)vger.kernel.org> # c0a0203cf579: ("spi: atmel-quadspi: Create `atmel_qspi_ops`"...) Cc: <stable(a)vger.kernel.org> # 6.x.y Signed-off-by: Bence Csókás <csokas.bence(a)prolan.hu> --- Notes: Changes in v2: * dropping --- from commit msg drivers/spi/atmel-quadspi.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/spi/atmel-quadspi.c b/drivers/spi/atmel-quadspi.c index 73cf0c3f1477..96fc1c56a221 100644 --- a/drivers/spi/atmel-quadspi.c +++ b/drivers/spi/atmel-quadspi.c @@ -625,13 +625,20 @@ static int atmel_qspi_transfer(struct spi_mem *mem, (void)atmel_qspi_read(aq, QSPI_IFR); /* Send/Receive data */ - if (op->data.dir == SPI_MEM_DATA_IN) + if (op->data.dir == SPI_MEM_DATA_IN) { memcpy_fromio(op->data.buf.in, aq->mem + offset, op->data.nbytes); - else + + /* Synchronize AHB and APB accesses again */ + rmb(); + } else { memcpy_toio(aq->mem + offset, op->data.buf.out, op->data.nbytes); + /* Synchronize AHB and APB accesses again */ + wmb(); + } + /* Release the chip-select */ atmel_qspi_write(QSPI_CR_LASTXFER, aq, QSPI_CR); -- 2.34.1

5 months, 2 weeks

2
1
0 0

[PATCH] media: lirc: Fix error handling in lirc_register()

by Ma Ke

When cdev_device_add() failed, calling put_device() to explicitly release dev->lirc_dev. Otherwise, it could cause the fault of the reference count. Found by code review. Cc: stable(a)vger.kernel.org Fixes: a6ddd4fecbb0 ("media: lirc: remove last remnants of lirc kapi") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/media/rc/lirc_dev.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/rc/lirc_dev.c b/drivers/media/rc/lirc_dev.c index a2257dc2f25d..ed839e15fa16 100644 --- a/drivers/media/rc/lirc_dev.c +++ b/drivers/media/rc/lirc_dev.c @@ -765,6 +765,7 @@ int lirc_register(struct rc_dev *dev) return 0; out_ida: + put_device(&dev->lirc_dev); ida_free(&lirc_ida, minor); return err; } -- 2.25.1

5 months, 2 weeks

2
3
0 0

[PATCH] [SCSI] raid class: Fix error handling in raid_component_add

by Ma Ke

The reference count of the device incremented in device_initialize() is not decremented when device_add() fails. Add a put_device() and delete kfree() before returning from the function to decrement reference count for cleanup. Or it could cause memory leak. As comment of device_add() says, if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count. Found by code review. Cc: stable(a)vger.kernel.org Fixes: ed542bed126c ("[SCSI] raid class: handle component-add errors") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/scsi/raid_class.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/raid_class.c b/drivers/scsi/raid_class.c index 898a0bdf8df6..77c91dbf3b77 100644 --- a/drivers/scsi/raid_class.c +++ b/drivers/scsi/raid_class.c @@ -251,7 +251,7 @@ int raid_component_add(struct raid_template *r,struct device *raid_dev, list_del(&rc->node); rd->component_count--; put_device(component_dev); - kfree(rc); + put_device(&rc->dev); return err; } EXPORT_SYMBOL(raid_component_add); -- 2.25.1

5 months, 2 weeks

1
0
0 0

[PATCH] zram: fix potential UAF of zram table

by Kairui Song

From: Kairui Song <kasong(a)tencent.com> If zram_meta_alloc failed early, it frees allocated zram->table without setting it NULL. Which will potentially cause zram_meta_free to access the table if user reset an failed and uninitialized device. Fixes: 74363ec674cb ("zram: fix uninitialized ZRAM not releasing backing device") Cc: <stable(a)vger.kernel.org> Signed-off-by: Kairui Song <kasong(a)tencent.com> --- drivers/block/zram/zram_drv.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c index 5b8e4f4171ab..70ecaee25c20 100644 --- a/drivers/block/zram/zram_drv.c +++ b/drivers/block/zram/zram_drv.c @@ -1465,6 +1465,7 @@ static bool zram_meta_alloc(struct zram *zram, u64 disksize) zram->mem_pool = zs_create_pool(zram->disk->disk_name); if (!zram->mem_pool) { vfree(zram->table); + zram->table = NULL; return false; } -- 2.47.1

5 months, 2 weeks

2
1
0 0

[PATCH v3] arm64: mm: Populate vmemmap at the page level for hotplugged sections

by Zhenhua Huang

Commit c1cc1552616d ("arm64: MMU initialisation") optimizes the vmemmap to populate at the PMD section level which was suitable initially since hotplugging granule is always 128M. However, commit ba72b4c8cf60 ("mm/sparsemem: support sub-section hotplug") which added 2M hotplugging granule disrupted the arm64 assumptions. Considering the vmemmap_free -> unmap_hotplug_pmd_range path, when pmd_sect() is true, the entire PMD section is cleared, even if there is other effective subsection. For example pagemap1 and pagemap2 are part of a single PMD entry and they are hot-added sequentially. Then pagemap1 is removed, vmemmap_free() will clear the entire PMD entry freeing the struct page metadata for the whole section, even though pagemap2 is still active. To address the issue, we need to prevent PMD/PUD/CONT mappings for both linear and vmemmap for non-boot sections if the size exceeds 2MB (considering sub-section is 2MB). We only permit 2MB blocks in a 4KB page configuration. Cc: stable(a)vger.kernel.org # v5.4+ Fixes: ba72b4c8cf60 ("mm/sparsemem: support sub-section hotplug") Signed-off-by: Zhenhua Huang <quic_zhenhuah(a)quicinc.com> --- Hi Catalin and Anshuman, Based on your review comments, I concluded below patch and tested with my setup. I have not folded patchset #2 since this patch seems to be enough for backporting.. Please see if you have further suggestions. arch/arm64/mm/mmu.c | 33 +++++++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c index e2739b69e11b..2b4d23f01d85 100644 --- a/arch/arm64/mm/mmu.c +++ b/arch/arm64/mm/mmu.c @@ -42,9 +42,11 @@ #include <asm/pgalloc.h> #include <asm/kfence.h> -#define NO_BLOCK_MAPPINGS BIT(0) +#define NO_PMD_BLOCK_MAPPINGS BIT(0) #define NO_CONT_MAPPINGS BIT(1) #define NO_EXEC_MAPPINGS BIT(2) /* assumes FEAT_HPDS is not used */ +#define NO_PUD_BLOCK_MAPPINGS BIT(3) /* Hotplug case: do not want block mapping for PUD */ +#define NO_BLOCK_MAPPINGS (NO_PMD_BLOCK_MAPPINGS | NO_PUD_BLOCK_MAPPINGS) u64 kimage_voffset __ro_after_init; EXPORT_SYMBOL(kimage_voffset); @@ -254,7 +256,7 @@ static void init_pmd(pmd_t *pmdp, unsigned long addr, unsigned long end, /* try section mapping first */ if (((addr | next | phys) & ~PMD_MASK) == 0 && - (flags & NO_BLOCK_MAPPINGS) == 0) { + (flags & NO_PMD_BLOCK_MAPPINGS) == 0) { pmd_set_huge(pmdp, phys, prot); /* @@ -356,10 +358,11 @@ static void alloc_init_pud(p4d_t *p4dp, unsigned long addr, unsigned long end, /* * For 4K granule only, attempt to put down a 1GB block + * Hotplug case: do not attempt 1GB block */ if (pud_sect_supported() && ((addr | next | phys) & ~PUD_MASK) == 0 && - (flags & NO_BLOCK_MAPPINGS) == 0) { + (flags & NO_PUD_BLOCK_MAPPINGS) == 0) { pud_set_huge(pudp, phys, prot); /* @@ -1175,9 +1178,16 @@ int __meminit vmemmap_check_pmd(pmd_t *pmdp, int node, int __meminit vmemmap_populate(unsigned long start, unsigned long end, int node, struct vmem_altmap *altmap) { + unsigned long start_pfn; + struct mem_section *ms; + WARN_ON((start < VMEMMAP_START) || (end > VMEMMAP_END)); - if (!IS_ENABLED(CONFIG_ARM64_4K_PAGES)) + start_pfn = page_to_pfn((struct page *)start); + ms = __pfn_to_section(start_pfn); + + /* Hotplugged section not support hugepages */ + if (!IS_ENABLED(CONFIG_ARM64_4K_PAGES) || !early_section(ms)) return vmemmap_populate_basepages(start, end, node, altmap); else return vmemmap_populate_hugepages(start, end, node, altmap); @@ -1339,9 +1349,24 @@ int arch_add_memory(int nid, u64 start, u64 size, struct mhp_params *params) { int ret, flags = NO_EXEC_MAPPINGS; + unsigned long start_pfn = page_to_pfn((struct page *)start); + struct mem_section *ms = __pfn_to_section(start_pfn); VM_BUG_ON(!mhp_range_allowed(start, size, true)); + /* Should not be invoked by early section */ + WARN_ON(early_section(ms)); + + if (IS_ENABLED(CONFIG_ARM64_4K_PAGES)) + /* + * As per subsection granule is 2M, allow PMD block mapping in + * case 4K PAGES. + * Other cases forbid section mapping. + */ + flags |= NO_PUD_BLOCK_MAPPINGS | NO_CONT_MAPPINGS; + else + flags |= NO_BLOCK_MAPPINGS | NO_CONT_MAPPINGS; + if (can_set_direct_map()) flags |= NO_BLOCK_MAPPINGS | NO_CONT_MAPPINGS; -- 2.25.1

5 months, 2 weeks

2
2
0 0

[merged] revert-vmstat-disable-vmstat_work-on-vmstat_cpu_down_prep.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: revert "vmstat: disable vmstat_work on vmstat_cpu_down_prep()" has been removed from the -mm tree. Its filename was revert-vmstat-disable-vmstat_work-on-vmstat_cpu_down_prep.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: Andrew Morton <akpm(a)linux-foundation.org> Subject: revert "vmstat: disable vmstat_work on vmstat_cpu_down_prep()" Date: Mon Jan 6 06:24:12 PM PST 2025 Revert adcfb264c3ed ("vmstat: disable vmstat_work on vmstat_cpu_down_prep()") due to "workqueue: work disable count underflowed" WARNings. Fixes: adcfb264c3ed ("vmstat: disable vmstat_work on vmstat_cpu_down_prep()") Reported-by: Borislav Petkov <bp(a)alien8.de> Reported-by: Alexander Gordeev <agordeev(a)linux.ibm.com> Cc: Greg KH <greg(a)kroah.com> Cc: Koichiro Den <koichiro.den(a)canonical.com> Cc: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vmstat.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/mm/vmstat.c~revert-vmstat-disable-vmstat_work-on-vmstat_cpu_down_prep +++ a/mm/vmstat.c @@ -2148,14 +2148,13 @@ static int vmstat_cpu_online(unsigned in if (!node_state(cpu_to_node(cpu), N_CPU)) { node_set_state(cpu_to_node(cpu), N_CPU); } - enable_delayed_work(&per_cpu(vmstat_work, cpu)); return 0; } static int vmstat_cpu_down_prep(unsigned int cpu) { - disable_delayed_work_sync(&per_cpu(vmstat_work, cpu)); + cancel_delayed_work_sync(&per_cpu(vmstat_work, cpu)); return 0; } _ Patches currently in -mm which might be from akpm(a)linux-foundation.org are mm-swap_cgroup-allocate-swap_cgroup-map-using-vcalloc-fix.patch mm-page_alloc-add-some-detailed-comments-in-can_steal_fallback-fix.patch mm-introduce-mmap_lock_speculate_try_beginretry-fix.patch mm-damon-tests-vaddr-kunith-reduce-stack-consumption.patch mm-damon-tests-vaddr-kunith-reduce-stack-consumption-fix.patch mm-remove-an-avoidable-load-of-page-refcount-in-page_ref_add_unless-fix.patch mm-fix-outdated-incorrect-code-comments-for-handle_mm_fault-fix.patch mm-huge_memoryc-rename-shadowed-local.patch replace-free-hugepage-folios-after-migration-fix.patch xarray-port-tests-to-kunit-fix.patch checkpatch-check-return-of-git_commit_info-fix.patch fault-inject-use-prandom-where-cryptographically-secure-randomness-is-not-needed-fix.patch

5 months, 2 weeks

1
0
0 0

Re: Linux 6.13-rc6

by Borislav Petkov

On Sun, Jan 05, 2025 at 02:20:54PM -0800, Linus Torvalds wrote: > So we had a slight pickup in commits this last week, but as expected > and hoped for, things were still pretty quiet. About twice as many > commits as the holiday week, but that's still not all that many. > > I expect things will start becoming more normal now that people are > back from the holidays and are starting to recover and wake up from > their food comas. > > In the meantime, below is the shortlog for the last week. Nothing > particularly stands out, the changes are dominated by various driver > updates (gpu, rdma and networking), with a random smattering of fixes > elsewhere. Something not well baked managed to sneak in and it is tagged for stable: adcfb264c3ed ("vmstat: disable vmstat_work on vmstat_cpu_down_prep()") Reverting it fixes the warn splat below. [ 0.310373] smpboot: x86: Booting SMP configuration: [ 0.311074] .... node #0, CPUs: #1 #2 #3 #4 #5 #6 #7 #8 #9 #10 #11 #12 #13 #14 #15 [ 0.313798] ------------[ cut here ]------------ [ 0.317530] workqueue: work disable count underflowed [ 0.317530] WARNING: CPU: 1 PID: 21 at kernel/workqueue.c:4317 enable_work+0xa4/0xb0 [ 0.317530] Modules linked in: [ 0.317530] CPU: 1 UID: 0 PID: 21 Comm: cpuhp/1 Not tainted 6.13.0-rc6 #11 [ 0.317530] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 2023.11-8 02/21/2024 [ 0.317530] RIP: 0010:enable_work+0xa4/0xb0 [ 0.317530] Code: c0 48 83 c4 18 5b 5d e9 ca 25 9f 00 80 3d 0a c7 48 08 00 75 b3 c6 05 01 c7 48 08 01 90 48 c7 c7 c8 eb 1d 82 e8 5d 77 fd ff 90 <0f> 0b 90 90 eb 98 90 0f 0b 90 eb b1 90 90 90 90 90 90 90 90 90 90 [ 0.317530] RSP: 0018:ffffc90000137e18 EFLAGS: 00010082 [ 0.317530] RAX: 0000000000000029 RBX: ffff88807d66dda0 RCX: 00000000ffefffff [ 0.317530] RDX: 0000000000000001 RSI: ffffc90000137ce0 RDI: 0000000000000001 [ 0.317530] RBP: 0000000000000000 R08: 00000000ffefffff R09: 0000000000000058 [ 0.317530] R10: 0000000000000000 R11: ffffffff8244df00 R12: 0000000000000000 [ 0.317530] R13: ffff88807d6604e0 R14: ffffffff812439f0 R15: ffff88807d660508 [ 0.317530] FS: 0000000000000000(0000) GS:ffff88807d640000(0000) knlGS:0000000000000000 [ 0.317530] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 0.317530] CR2: 0000000000000000 CR3: 0000000002c1a000 CR4: 00000000003506f0 [ 0.317530] Call Trace: [ 0.317530] <TASK> [ 0.317530] ? __warn+0xa0/0x160 [ 0.317530] ? enable_work+0xa4/0xb0 [ 0.317530] ? report_bug+0x18c/0x1c0 [ 0.317530] ? handle_bug+0x54/0x90 [ 0.317530] ? exc_invalid_op+0x1b/0x80 [ 0.317530] ? asm_exc_invalid_op+0x1a/0x20 [ 0.317530] ? __pfx_vmstat_cpu_online+0x10/0x10 [ 0.317530] ? enable_work+0xa4/0xb0 [ 0.317530] ? enable_work+0xa3/0xb0 [ 0.317530] vmstat_cpu_online+0x61/0x80 [ 0.317530] cpuhp_invoke_callback+0x10f/0x480 [ 0.317530] ? srso_return_thunk+0x5/0x5f [ 0.317530] cpuhp_thread_fun+0xd4/0x160 [ 0.317530] smpboot_thread_fn+0xdd/0x1f0 [ 0.317530] ? __pfx_smpboot_thread_fn+0x10/0x10 [ 0.317530] kthread+0xca/0xf0 [ 0.317530] ? __pfx_kthread+0x10/0x10 [ 0.317530] ret_from_fork+0x50/0x60 [ 0.317530] ? __pfx_kthread+0x10/0x10 [ 0.317530] ret_from_fork_asm+0x1a/0x30 [ 0.317530] </TASK> [ 0.317530] ---[ end trace 0000000000000000 ]--- [ 0.377680] smp: Brought up 1 node, 16 CPUs [ 0.378345] smpboot: Total of 16 processors activated (118393.24 BogoMIPS) -- Regards/Gruss, Boris. https://people.kernel.org/tglx/notes-about-netiquette

5 months, 2 weeks

6
6
0 0

[merged] fs-proc-do_task_stat-fix-esp-not-readable-during-coredump.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: fs/proc: do_task_stat: fix ESP not readable during coredump has been removed from the -mm tree. Its filename was fs-proc-do_task_stat-fix-esp-not-readable-during-coredump.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: Nam Cao <namcao(a)linutronix.de> Subject: fs/proc: do_task_stat: fix ESP not readable during coredump Date: Thu, 2 Jan 2025 09:22:56 +0100 The field "eip" (instruction pointer) and "esp" (stack pointer) of a task can be read from /proc/PID/stat. These fields can be interesting for coredump. However, these fields were disabled by commit 0a1eb2d474ed ("fs/proc: Stop reporting eip and esp in /proc/PID/stat"), because it is generally unsafe to do so. But it is safe for a coredumping process, and therefore exceptions were made: - for a coredumping thread by commit fd7d56270b52 ("fs/proc: Report eip/esp in /prod/PID/stat for coredumping"). - for all other threads in a coredumping process by commit cb8f381f1613 ("fs/proc/array.c: allow reporting eip/esp for all coredumping threads"). The above two commits check the PF_DUMPCORE flag to determine a coredump thread and the PF_EXITING flag for the other threads. Unfortunately, commit 92307383082d ("coredump: Don't perform any cleanups before dumping core") moved coredump to happen earlier and before PF_EXITING is set. Thus, checking PF_EXITING is no longer the correct way to determine threads in a coredumping process. Instead of PF_EXITING, use PF_POSTCOREDUMP to determine the other threads. Checking of PF_EXITING was added for coredumping, so it probably can now be removed. But it doesn't hurt to keep. Link: https://lkml.kernel.org/r/d89af63d478d6c64cc46a01420b46fd6eb147d6f.17358057… Fixes: 92307383082d ("coredump: Don't perform any cleanups before dumping core") Signed-off-by: Nam Cao <namcao(a)linutronix.de> Acked-by: Oleg Nesterov <oleg(a)redhat.com> Acked-by: Kees Cook <kees(a)kernel.org> Cc: Eric W. Biederman <ebiederm(a)xmission.com> Cc: Dylan Hatch <dylanbhatch(a)google.com> Cc: John Ogness <john.ogness(a)linutronix.de> Cc: Shuah Khan <shuah(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/array.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/fs/proc/array.c~fs-proc-do_task_stat-fix-esp-not-readable-during-coredump +++ a/fs/proc/array.c @@ -500,7 +500,7 @@ static int do_task_stat(struct seq_file * a program is not able to use ptrace(2) in that case. It is * safe because the task has stopped executing permanently. */ - if (permitted && (task->flags & (PF_EXITING|PF_DUMPCORE))) { + if (permitted && (task->flags & (PF_EXITING|PF_DUMPCORE|PF_POSTCOREDUMP))) { if (try_get_task_stack(task)) { eip = KSTK_EIP(task); esp = KSTK_ESP(task); _ Patches currently in -mm which might be from namcao(a)linutronix.de are

5 months, 2 weeks

1
0
0 0

+ hugetlb-fix-null-pointer-dereference-in-trace_hugetlbfs_alloc_inode.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: hugetlb: fix NULL pointer dereference in trace_hugetlbfs_alloc_inode has been added to the -mm mm-hotfixes-unstable branch. Its filename is hugetlb-fix-null-pointer-dereference-in-trace_hugetlbfs_alloc_inode.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Muchun Song <songmuchun(a)bytedance.com> Subject: hugetlb: fix NULL pointer dereference in trace_hugetlbfs_alloc_inode Date: Mon, 6 Jan 2025 11:31:17 +0800 hugetlb_file_setup() will pass a NULL @dir to hugetlbfs_get_inode(), so we will access a NULL pointer for @dir. Fix it and set __entry->dr to 0 if @dir is NULL. Because ->i_ino cannot be 0 (see get_next_ino()), there is no confusing if user sees a 0 inode number. Link: https://lkml.kernel.org/r/20250106033118.4640-1-songmuchun@bytedance.com Fixes: 318580ad7f28 ("hugetlbfs: support tracepoint") Signed-off-by: Muchun Song <songmuchun(a)bytedance.com> Reported-by: Cheung Wall <zzqq0103.hey(a)gmail.com> Closes: https://lore.kernel.org/linux-mm/02858D60-43C1-4863-A84F-3C76A8AF1F15@linux… Reviewed-by: Hongbo Li <lihongbo22(a)huawei.com> Cc: cheung wall <zzqq0103.hey(a)gmail.com> Cc: Christian Brauner <brauner(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/trace/events/hugetlbfs.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/include/trace/events/hugetlbfs.h~hugetlb-fix-null-pointer-dereference-in-trace_hugetlbfs_alloc_inode +++ a/include/trace/events/hugetlbfs.h @@ -23,7 +23,7 @@ TRACE_EVENT(hugetlbfs_alloc_inode, TP_fast_assign( __entry->dev = inode->i_sb->s_dev; __entry->ino = inode->i_ino; - __entry->dir = dir->i_ino; + __entry->dir = dir ? dir->i_ino : 0; __entry->mode = mode; ), _ Patches currently in -mm which might be from songmuchun(a)bytedance.com are hugetlb-fix-null-pointer-dereference-in-trace_hugetlbfs_alloc_inode.patch

5 months, 2 weeks

1
0
0 0

+ revert-vmstat-disable-vmstat_work-on-vmstat_cpu_down_prep.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: revert "vmstat: disable vmstat_work on vmstat_cpu_down_prep()" has been added to the -mm mm-hotfixes-unstable branch. Its filename is revert-vmstat-disable-vmstat_work-on-vmstat_cpu_down_prep.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Andrew Morton <akpm(a)linux-foundation.org> Subject: revert "vmstat: disable vmstat_work on vmstat_cpu_down_prep()" Date: Mon Jan 6 06:24:12 PM PST 2025 Revert adcfb264c3ed ("vmstat: disable vmstat_work on vmstat_cpu_down_prep()") due to "workqueue: work disable count underflowed" WARNings. Fixes: adcfb264c3ed ("vmstat: disable vmstat_work on vmstat_cpu_down_prep()") Reported-by: Borislav Petkov <bp(a)alien8.de> Reported-by: Alexander Gordeev <agordeev(a)linux.ibm.com> Cc: Greg KH <greg(a)kroah.com> Cc: Koichiro Den <koichiro.den(a)canonical.com> Cc: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vmstat.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/mm/vmstat.c~revert-vmstat-disable-vmstat_work-on-vmstat_cpu_down_prep +++ a/mm/vmstat.c @@ -2148,14 +2148,13 @@ static int vmstat_cpu_online(unsigned in if (!node_state(cpu_to_node(cpu), N_CPU)) { node_set_state(cpu_to_node(cpu), N_CPU); } - enable_delayed_work(&per_cpu(vmstat_work, cpu)); return 0; } static int vmstat_cpu_down_prep(unsigned int cpu) { - disable_delayed_work_sync(&per_cpu(vmstat_work, cpu)); + cancel_delayed_work_sync(&per_cpu(vmstat_work, cpu)); return 0; } _ Patches currently in -mm which might be from akpm(a)linux-foundation.org are revert-vmstat-disable-vmstat_work-on-vmstat_cpu_down_prep.patch mm-swap_cgroup-allocate-swap_cgroup-map-using-vcalloc-fix.patch mm-page_alloc-add-some-detailed-comments-in-can_steal_fallback-fix.patch mm-introduce-mmap_lock_speculate_try_beginretry-fix.patch mm-damon-tests-vaddr-kunith-reduce-stack-consumption.patch mm-damon-tests-vaddr-kunith-reduce-stack-consumption-fix.patch mm-remove-an-avoidable-load-of-page-refcount-in-page_ref_add_unless-fix.patch mm-fix-outdated-incorrect-code-comments-for-handle_mm_fault-fix.patch mm-huge_memoryc-rename-shadowed-local.patch replace-free-hugepage-folios-after-migration-fix.patch xarray-port-tests-to-kunit-fix.patch checkpatch-check-return-of-git_commit_info-fix.patch fault-inject-use-prandom-where-cryptographically-secure-randomness-is-not-needed-fix.patch

5 months, 2 weeks

1
0
0 0

[PATCH v2] misc: microchip: pci1xxxx: Fix possible double free in error handling path

by Ma Ke

When auxiliary_device_add() returns error and then calls auxiliary_device_uninit(), the callback function gp_auxiliary_device_release() calls kfree() to free memory. Do not call kfree() again in the error handling path. Fix this by skipping the redundant kfree(). Found by code review. Cc: stable(a)vger.kernel.org Fixes: 393fc2f5948f ("misc: microchip: pci1xxxx: load auxiliary bus driver for the PIO function in the multi-function endpoint of pci1xxxx device.") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - modified the patch omitted. --- drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c b/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c index 32af2b14ff34..de75d89ef53e 100644 --- a/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c +++ b/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c @@ -111,6 +111,7 @@ static int gp_aux_bus_probe(struct pci_dev *pdev, const struct pci_device_id *id err_aux_dev_add_1: auxiliary_device_uninit(&aux_bus->aux_device_wrapper[1]->aux_dev); + goto err_aux_dev_add_0; err_aux_dev_init_1: ida_free(&gp_client_ida, aux_bus->aux_device_wrapper[1]->aux_dev.id); @@ -120,6 +121,7 @@ static int gp_aux_bus_probe(struct pci_dev *pdev, const struct pci_device_id *id err_aux_dev_add_0: auxiliary_device_uninit(&aux_bus->aux_device_wrapper[0]->aux_dev); + goto err_ret; err_aux_dev_init_0: ida_free(&gp_client_ida, aux_bus->aux_device_wrapper[0]->aux_dev.id); @@ -127,6 +129,7 @@ static int gp_aux_bus_probe(struct pci_dev *pdev, const struct pci_device_id *id err_ida_alloc_0: kfree(aux_bus->aux_device_wrapper[0]); +err_ret: return retval; } -- 2.25.1

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: zswap: fix race between [de]compression and CPU hotunplug" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x eaebeb93922ca6ab0dd92027b73d0112701706ef # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010627-retry-detached-672f@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From eaebeb93922ca6ab0dd92027b73d0112701706ef Mon Sep 17 00:00:00 2001 From: Yosry Ahmed <yosryahmed(a)google.com> Date: Thu, 19 Dec 2024 21:24:37 +0000 Subject: [PATCH] mm: zswap: fix race between [de]compression and CPU hotunplug In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the current CPU at the beginning of the operation is retrieved and used throughout. However, since neither preemption nor migration are disabled, it is possible that the operation continues on a different CPU. If the original CPU is hotunplugged while the acomp_ctx is still in use, we run into a UAF bug as the resources attached to the acomp_ctx are freed during hotunplug in zswap_cpu_comp_dead(). The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") when the switch to the crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was retrieved using get_cpu_ptr() which disables preemption and makes sure the CPU cannot go away from under us. Preemption cannot be disabled with the crypto_acomp API as a sleepable context is needed. Commit 8ba2f844f050 ("mm/zswap: change per-cpu mutex and buffer to per-acomp_ctx") increased the UAF surface area by making the per-CPU buffers dynamic, adding yet another resource that can be freed from under zswap compression/decompression by CPU hotunplug. There are a few ways to fix this: (a) Add a refcount for acomp_ctx. (b) Disable migration while using the per-CPU acomp_ctx. (c) Disable CPU hotunplug while using the per-CPU acomp_ctx by holding the CPUs read lock. Implement (c) since it's simpler than (a), and (b) involves using migrate_disable() which is apparently undesired (see huge comment in include/linux/preempt.h). Link: https://lkml.kernel.org/r/20241219212437.2714151-1-yosryahmed@google.com Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") Signed-off-by: Yosry Ahmed <yosryahmed(a)google.com> Reported-by: Johannes Weiner <hannes(a)cmpxchg.org> Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/ Reported-by: Sam Sun <samsun1006219(a)gmail.com> Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tP… Reviewed-by: Chengming Zhou <chengming.zhou(a)linux.dev> Acked-by: Barry Song <baohua(a)kernel.org> Reviewed-by: Nhat Pham <nphamcs(a)gmail.com> Cc: Vitaly Wool <vitalywool(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/zswap.c b/mm/zswap.c index f6316b66fb23..5a27af8d86ea 100644 --- a/mm/zswap.c +++ b/mm/zswap.c @@ -880,6 +880,18 @@ static int zswap_cpu_comp_dead(unsigned int cpu, struct hlist_node *node) return 0; } +/* Prevent CPU hotplug from freeing up the per-CPU acomp_ctx resources */ +static struct crypto_acomp_ctx *acomp_ctx_get_cpu(struct crypto_acomp_ctx __percpu *acomp_ctx) +{ + cpus_read_lock(); + return raw_cpu_ptr(acomp_ctx); +} + +static void acomp_ctx_put_cpu(void) +{ + cpus_read_unlock(); +} + static bool zswap_compress(struct page *page, struct zswap_entry *entry, struct zswap_pool *pool) { @@ -893,8 +905,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry, gfp_t gfp; u8 *dst; - acomp_ctx = raw_cpu_ptr(pool->acomp_ctx); - + acomp_ctx = acomp_ctx_get_cpu(pool->acomp_ctx); mutex_lock(&acomp_ctx->mutex); dst = acomp_ctx->buffer; @@ -950,6 +961,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry, zswap_reject_alloc_fail++; mutex_unlock(&acomp_ctx->mutex); + acomp_ctx_put_cpu(); return comp_ret == 0 && alloc_ret == 0; } @@ -960,7 +972,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio) struct crypto_acomp_ctx *acomp_ctx; u8 *src; - acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx); + acomp_ctx = acomp_ctx_get_cpu(entry->pool->acomp_ctx); mutex_lock(&acomp_ctx->mutex); src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO); @@ -990,6 +1002,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio) if (src != acomp_ctx->buffer) zpool_unmap_handle(zpool, entry->handle); + acomp_ctx_put_cpu(); } /*********************************

5 months, 2 weeks

2
1
0 0

[PATCH] mm: zswap: fix race between [de]compression and CPU hotunplug

by Yosry Ahmed

In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the current CPU at the beginning of the operation is retrieved and used throughout. However, since neither preemption nor migration are disabled, it is possible that the operation continues on a different CPU. If the original CPU is hotunplugged while the acomp_ctx is still in use, we run into a UAF bug as the resources attached to the acomp_ctx are freed during hotunplug in zswap_cpu_comp_dead(). The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") when the switch to the crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was retrieved using get_cpu_ptr() which disables preemption and makes sure the CPU cannot go away from under us. Preemption cannot be disabled with the crypto_acomp API as a sleepable context is needed. Commit 8ba2f844f050 ("mm/zswap: change per-cpu mutex and buffer to per-acomp_ctx") increased the UAF surface area by making the per-CPU buffers dynamic, adding yet another resource that can be freed from under zswap compression/decompression by CPU hotunplug. There are a few ways to fix this: (a) Add a refcount for acomp_ctx. (b) Disable migration while using the per-CPU acomp_ctx. (c) Disable CPU hotunplug while using the per-CPU acomp_ctx by holding the CPUs read lock. Implement (c) since it's simpler than (a), and (b) involves using migrate_disable() which is apparently undesired (see huge comment in include/linux/preempt.h). Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") Reported-by: Johannes Weiner <hannes(a)cmpxchg.org> Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/ Reported-by: Sam Sun <samsun1006219(a)gmail.com> Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tP… Cc: <stable(a)vger.kernel.org> Signed-off-by: Yosry Ahmed <yosryahmed(a)google.com> --- mm/zswap.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/mm/zswap.c b/mm/zswap.c index f6316b66fb236..5a27af8d86ea9 100644 --- a/mm/zswap.c +++ b/mm/zswap.c @@ -880,6 +880,18 @@ static int zswap_cpu_comp_dead(unsigned int cpu, struct hlist_node *node) return 0; } +/* Prevent CPU hotplug from freeing up the per-CPU acomp_ctx resources */ +static struct crypto_acomp_ctx *acomp_ctx_get_cpu(struct crypto_acomp_ctx __percpu *acomp_ctx) +{ + cpus_read_lock(); + return raw_cpu_ptr(acomp_ctx); +} + +static void acomp_ctx_put_cpu(void) +{ + cpus_read_unlock(); +} + static bool zswap_compress(struct page *page, struct zswap_entry *entry, struct zswap_pool *pool) { @@ -893,8 +905,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry, gfp_t gfp; u8 *dst; - acomp_ctx = raw_cpu_ptr(pool->acomp_ctx); - + acomp_ctx = acomp_ctx_get_cpu(pool->acomp_ctx); mutex_lock(&acomp_ctx->mutex); dst = acomp_ctx->buffer; @@ -950,6 +961,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry, zswap_reject_alloc_fail++; mutex_unlock(&acomp_ctx->mutex); + acomp_ctx_put_cpu(); return comp_ret == 0 && alloc_ret == 0; } @@ -960,7 +972,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio) struct crypto_acomp_ctx *acomp_ctx; u8 *src; - acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx); + acomp_ctx = acomp_ctx_get_cpu(entry->pool->acomp_ctx); mutex_lock(&acomp_ctx->mutex); src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO); @@ -990,6 +1002,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio) if (src != acomp_ctx->buffer) zpool_unmap_handle(zpool, entry->handle); + acomp_ctx_put_cpu(); } /********************************* -- 2.47.1.613.gc27f4b7a9f-goog

5 months, 2 weeks

1
1
0 0

[PATCH v3 1/3] arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB

by Douglas Anderson

The code for detecting CPUs that are vulnerable to Spectre BHB was based on a hardcoded list of CPU IDs that were known to be affected. Unfortunately, the list mostly only contained the IDs of standard ARM cores. The IDs for many cores that are minor variants of the standard ARM cores (like many Qualcomm Kyro CPUs) weren't listed. This led the code to assume that those variants were not affected. Flip the code on its head and instead assume that a core is vulnerable if it doesn't have CSV2_3 but is unrecognized as being safe. This involves creating a "Spectre BHB safe" list. As of right now, the only CPU IDs added to the "Spectre BHB safe" list are ARM Cortex A35, A53, A55, A510, and A520. This list was created by looking for cores that weren't listed in ARM's list [1] as per review feedback on v2 of this patch [2]. NOTE: this patch will not actually _mitigate_ anyone, it will simply cause them to report themselves as vulnerable. If any cores in the system are reported as vulnerable but not mitigated then the whole system will be reported as vulnerable though the system will attempt to mitigate with the information it has about the known cores. [1] https://developer.arm.com/Arm%20Security%20Center/Spectre-BHB [2] https://lore.kernel.org/r/20241219175128.GA25477@willie-the-truck Fixes: 558c303c9734 ("arm64: Mitigate spectre style branch history side channels") Cc: stable(a)vger.kernel.org Signed-off-by: Douglas Anderson <dianders(a)chromium.org> --- Changes in v3: - Don't guess the mitigation; just report unknown cores as vulnerable. - Restructure the code since is_spectre_bhb_affected() defaults to true Changes in v2: - New arch/arm64/include/asm/spectre.h | 1 - arch/arm64/kernel/proton-pack.c | 144 +++++++++++++++++-------------- 2 files changed, 77 insertions(+), 68 deletions(-) diff --git a/arch/arm64/include/asm/spectre.h b/arch/arm64/include/asm/spectre.h index 0c4d9045c31f..f1524cdeacf1 100644 --- a/arch/arm64/include/asm/spectre.h +++ b/arch/arm64/include/asm/spectre.h @@ -97,7 +97,6 @@ enum mitigation_state arm64_get_meltdown_state(void); enum mitigation_state arm64_get_spectre_bhb_state(void); bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry, int scope); -u8 spectre_bhb_loop_affected(int scope); void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *__unused); bool try_emulate_el1_ssbs(struct pt_regs *regs, u32 instr); diff --git a/arch/arm64/kernel/proton-pack.c b/arch/arm64/kernel/proton-pack.c index da53722f95d4..06e04c9e6480 100644 --- a/arch/arm64/kernel/proton-pack.c +++ b/arch/arm64/kernel/proton-pack.c @@ -845,52 +845,68 @@ static unsigned long system_bhb_mitigations; * This must be called with SCOPE_LOCAL_CPU for each type of CPU, before any * SCOPE_SYSTEM call will give the right answer. */ -u8 spectre_bhb_loop_affected(int scope) +static bool is_spectre_bhb_safe(int scope) +{ + static const struct midr_range spectre_bhb_safe_list[] = { + MIDR_ALL_VERSIONS(MIDR_CORTEX_A35), + MIDR_ALL_VERSIONS(MIDR_CORTEX_A53), + MIDR_ALL_VERSIONS(MIDR_CORTEX_A55), + MIDR_ALL_VERSIONS(MIDR_CORTEX_A510), + MIDR_ALL_VERSIONS(MIDR_CORTEX_A520), + {}, + }; + static bool all_safe = true; + + if (scope != SCOPE_LOCAL_CPU) + return all_safe; + + if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_safe_list)) + return true; + + all_safe = false; + + return false; +} + +static u8 spectre_bhb_loop_affected(void) { u8 k = 0; - static u8 max_bhb_k; - - if (scope == SCOPE_LOCAL_CPU) { - static const struct midr_range spectre_bhb_k32_list[] = { - MIDR_ALL_VERSIONS(MIDR_CORTEX_A78), - MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE), - MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C), - MIDR_ALL_VERSIONS(MIDR_CORTEX_X1), - MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), - MIDR_ALL_VERSIONS(MIDR_CORTEX_X2), - MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), - MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1), - {}, - }; - static const struct midr_range spectre_bhb_k24_list[] = { - MIDR_ALL_VERSIONS(MIDR_CORTEX_A76), - MIDR_ALL_VERSIONS(MIDR_CORTEX_A77), - MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1), - {}, - }; - static const struct midr_range spectre_bhb_k11_list[] = { - MIDR_ALL_VERSIONS(MIDR_AMPERE1), - {}, - }; - static const struct midr_range spectre_bhb_k8_list[] = { - MIDR_ALL_VERSIONS(MIDR_CORTEX_A72), - MIDR_ALL_VERSIONS(MIDR_CORTEX_A57), - {}, - }; - - if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list)) - k = 32; - else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k24_list)) - k = 24; - else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k11_list)) - k = 11; - else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k8_list)) - k = 8; - - max_bhb_k = max(max_bhb_k, k); - } else { - k = max_bhb_k; - } + + static const struct midr_range spectre_bhb_k32_list[] = { + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78), + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE), + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C), + MIDR_ALL_VERSIONS(MIDR_CORTEX_X1), + MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), + MIDR_ALL_VERSIONS(MIDR_CORTEX_X2), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1), + {}, + }; + static const struct midr_range spectre_bhb_k24_list[] = { + MIDR_ALL_VERSIONS(MIDR_CORTEX_A76), + MIDR_ALL_VERSIONS(MIDR_CORTEX_A77), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1), + {}, + }; + static const struct midr_range spectre_bhb_k11_list[] = { + MIDR_ALL_VERSIONS(MIDR_AMPERE1), + {}, + }; + static const struct midr_range spectre_bhb_k8_list[] = { + MIDR_ALL_VERSIONS(MIDR_CORTEX_A72), + MIDR_ALL_VERSIONS(MIDR_CORTEX_A57), + {}, + }; + + if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list)) + k = 32; + else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k24_list)) + k = 24; + else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k11_list)) + k = 11; + else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k8_list)) + k = 8; return k; } @@ -916,9 +932,8 @@ static enum mitigation_state spectre_bhb_get_cpu_fw_mitigation_state(void) } } -static bool is_spectre_bhb_fw_affected(int scope) +static bool is_spectre_bhb_fw_affected(void) { - static bool system_affected; enum mitigation_state fw_state; bool has_smccc = arm_smccc_1_1_get_conduit() != SMCCC_CONDUIT_NONE; static const struct midr_range spectre_bhb_firmware_mitigated_list[] = { @@ -929,16 +944,8 @@ static bool is_spectre_bhb_fw_affected(int scope) bool cpu_in_list = is_midr_in_range_list(read_cpuid_id(), spectre_bhb_firmware_mitigated_list); - if (scope != SCOPE_LOCAL_CPU) - return system_affected; - fw_state = spectre_bhb_get_cpu_fw_mitigation_state(); - if (cpu_in_list || (has_smccc && fw_state == SPECTRE_MITIGATED)) { - system_affected = true; - return true; - } - - return false; + return cpu_in_list || (has_smccc && fw_state == SPECTRE_MITIGATED); } static bool supports_ecbhb(int scope) @@ -954,6 +961,8 @@ static bool supports_ecbhb(int scope) ID_AA64MMFR1_EL1_ECBHB_SHIFT); } +static u8 max_bhb_k; + bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry, int scope) { @@ -962,16 +971,18 @@ bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry, if (supports_csv2p3(scope)) return false; - if (supports_clearbhb(scope)) - return true; - - if (spectre_bhb_loop_affected(scope)) - return true; + if (is_spectre_bhb_safe(scope)) + return false; - if (is_spectre_bhb_fw_affected(scope)) - return true; + /* + * At this point the core isn't known to be "safe" so we're going to + * assume it's vulnerable. We still need to update `max_bhb_k` though, + * but only if we aren't mitigating with clearbhb though. + */ + if (scope == SCOPE_LOCAL_CPU && !supports_clearbhb(SCOPE_LOCAL_CPU)) + max_bhb_k = max(max_bhb_k, spectre_bhb_loop_affected()); - return false; + return true; } static void this_cpu_set_vectors(enum arm64_bp_harden_el1_vectors slot) @@ -1028,7 +1039,7 @@ void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *entry) this_cpu_set_vectors(EL1_VECTOR_BHB_CLEAR_INSN); state = SPECTRE_MITIGATED; set_bit(BHB_INSN, &system_bhb_mitigations); - } else if (spectre_bhb_loop_affected(SCOPE_LOCAL_CPU)) { + } else if (spectre_bhb_loop_affected()) { /* * Ensure KVM uses the indirect vector which will have the * branchy-loop added. A57/A72-r0 will already have selected @@ -1041,7 +1052,7 @@ void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *entry) this_cpu_set_vectors(EL1_VECTOR_BHB_LOOP); state = SPECTRE_MITIGATED; set_bit(BHB_LOOP, &system_bhb_mitigations); - } else if (is_spectre_bhb_fw_affected(SCOPE_LOCAL_CPU)) { + } else if (is_spectre_bhb_fw_affected()) { fw_state = spectre_bhb_get_cpu_fw_mitigation_state(); if (fw_state == SPECTRE_MITIGATED) { /* @@ -1100,7 +1111,6 @@ void noinstr spectre_bhb_patch_loop_iter(struct alt_instr *alt, { u8 rd; u32 insn; - u16 loop_count = spectre_bhb_loop_affected(SCOPE_SYSTEM); BUG_ON(nr_inst != 1); /* MOV -> MOV */ @@ -1109,7 +1119,7 @@ void noinstr spectre_bhb_patch_loop_iter(struct alt_instr *alt, insn = le32_to_cpu(*origptr); rd = aarch64_insn_decode_register(AARCH64_INSN_REGTYPE_RD, insn); - insn = aarch64_insn_gen_movewide(rd, loop_count, 0, + insn = aarch64_insn_gen_movewide(rd, max_bhb_k, 0, AARCH64_INSN_VARIANT_64BIT, AARCH64_INSN_MOVEWIDE_ZERO); *updptr++ = cpu_to_le32(insn); -- 2.47.1.613.gc27f4b7a9f-goog

5 months, 2 weeks

4
3
0 0

[PATCH v5] tpm: Map the ACPI provided event log

by Jarkko Sakkinen

The following failure was reported: [ 10.693310][ T1] tpm_tis STM0925:00: 2.0 TPM (device-id 0x3, rev-id 0) [ 10.848132][ T1] ------------[ cut here ]------------ [ 10.853559][ T1] WARNING: CPU: 59 PID: 1 at mm/page_alloc.c:4727 __alloc_pages_noprof+0x2ca/0x330 [ 10.862827][ T1] Modules linked in: [ 10.866671][ T1] CPU: 59 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-lp155.2.g52785e2-default #1 openSUSE Tumbleweed (unreleased) 588cd98293a7c9eba9013378d807364c088c9375 [ 10.882741][ T1] Hardware name: HPE ProLiant DL320 Gen12/ProLiant DL320 Gen12, BIOS 1.20 10/28/2024 [ 10.892170][ T1] RIP: 0010:__alloc_pages_noprof+0x2ca/0x330 [ 10.898103][ T1] Code: 24 08 e9 4a fe ff ff e8 34 36 fa ff e9 88 fe ff ff 83 fe 0a 0f 86 b3 fd ff ff 80 3d 01 e7 ce 01 00 75 09 c6 05 f8 e6 ce 01 01 <0f> 0b 45 31 ff e9 e5 fe ff ff f7 c2 00 00 08 00 75 42 89 d9 80 e1 [ 10.917750][ T1] RSP: 0000:ffffb7cf40077980 EFLAGS: 00010246 [ 10.923777][ T1] RAX: 0000000000000000 RBX: 0000000000040cc0 RCX: 0000000000000000 [ 10.931727][ T1] RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000040cc0 Above shows that ACPI pointed a 16 MiB buffer for the log events because RSI maps to the 'order' parameter of __alloc_pages_noprof(). Address the bug by mapping the region when needed instead of copying. Cc: stable(a)vger.kernel.org # v2.6.16+ Fixes: 55a82ab3181b ("[PATCH] tpm: add bios measurement log") Reported-by: Andy Liang <andy.liang(a)hpe.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219495 Suggested-by: Matthew Garrett <mjg59(a)srcf.ucam.org> Tested-by: Andy Liang <andy.liang(a)hpe.com> Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v5: * Spotted this right after sending: remove extra acpi_os_unmap_iomem() call. v4: * Added tested-by from Andy Liang. v3: * Flag mapping code in tpm{1,2}.c with CONFIG_ACPI (nios2 compilation fix). v2: * There was some extra cruft (irrelevant diff), which is now wiped away. * Added missing tags (fixes, stable). --- drivers/char/tpm/eventlog/acpi.c | 27 ++++++--------------- drivers/char/tpm/eventlog/common.c | 25 +++++++++++++------- drivers/char/tpm/eventlog/common.h | 28 ++++++++++++++++++++++ drivers/char/tpm/eventlog/tpm1.c | 30 ++++++++++++++--------- drivers/char/tpm/eventlog/tpm2.c | 38 +++++++++++++++++------------- include/linux/tpm.h | 1 + 6 files changed, 94 insertions(+), 55 deletions(-) diff --git a/drivers/char/tpm/eventlog/acpi.c b/drivers/char/tpm/eventlog/acpi.c index 69533d0bfb51..fb84dd3f6106 100644 --- a/drivers/char/tpm/eventlog/acpi.c +++ b/drivers/char/tpm/eventlog/acpi.c @@ -70,14 +70,11 @@ int tpm_read_log_acpi(struct tpm_chip *chip) acpi_status status; void __iomem *virt; u64 len, start; - struct tpm_bios_log *log; struct acpi_table_tpm2 *tbl; struct acpi_tpm2_phy *tpm2_phy; int format; int ret; - log = &chip->log; - /* Unfortuntely ACPI does not associate the event log with a specific * TPM, like PPI. Thus all ACPI TPMs will read the same log. */ @@ -135,36 +132,26 @@ int tpm_read_log_acpi(struct tpm_chip *chip) return -EIO; } - /* malloc EventLog space */ - log->bios_event_log = devm_kmalloc(&chip->dev, len, GFP_KERNEL); - if (!log->bios_event_log) - return -ENOMEM; - - log->bios_event_log_end = log->bios_event_log + len; - virt = acpi_os_map_iomem(start, len); if (!virt) { dev_warn(&chip->dev, "%s: Failed to map ACPI memory\n", __func__); /* try EFI log next */ - ret = -ENODEV; - goto err; + return -ENODEV; } - memcpy_fromio(log->bios_event_log, virt, len); - - acpi_os_unmap_iomem(virt, len); - - if (chip->flags & TPM_CHIP_FLAG_TPM2 && - !tpm_is_tpm2_log(log->bios_event_log, len)) { + if (chip->flags & TPM_CHIP_FLAG_TPM2 && !tpm_is_tpm2_log(virt, len)) { /* try EFI log next */ ret = -ENODEV; goto err; } + acpi_os_unmap_iomem(virt, len); + chip->flags |= TPM_CHIP_FLAG_ACPI_LOG; + chip->log.bios_event_log = (void *)start; + chip->log.bios_event_log_end = (void *)start + len; return format; err: - devm_kfree(&chip->dev, log->bios_event_log); - log->bios_event_log = NULL; + acpi_os_unmap_iomem(virt, len); return ret; } diff --git a/drivers/char/tpm/eventlog/common.c b/drivers/char/tpm/eventlog/common.c index 4c0bbba64ee5..44340ca6e2ac 100644 --- a/drivers/char/tpm/eventlog/common.c +++ b/drivers/char/tpm/eventlog/common.c @@ -27,6 +27,7 @@ static int tpm_bios_measurements_open(struct inode *inode, { int err; struct seq_file *seq; + struct tpm_measurements *priv; struct tpm_chip_seqops *chip_seqops; const struct seq_operations *seqops; struct tpm_chip *chip; @@ -42,13 +43,18 @@ static int tpm_bios_measurements_open(struct inode *inode, get_device(&chip->dev); inode_unlock(inode); - /* now register seq file */ + priv = kzalloc(sizeof(*priv), GFP_KERNEL); + if (!priv) + return -ENOMEM; + priv->chip = chip; + err = seq_open(file, seqops); - if (!err) { - seq = file->private_data; - seq->private = chip; - } else { + if (err) { + kfree(priv); put_device(&chip->dev); + } else { + seq = file->private_data; + seq->private = priv; } return err; @@ -58,11 +64,14 @@ static int tpm_bios_measurements_release(struct inode *inode, struct file *file) { struct seq_file *seq = file->private_data; - struct tpm_chip *chip = seq->private; + struct tpm_measurements *priv = seq->private; + int ret; - put_device(&chip->dev); + put_device(&priv->chip->dev); + ret = seq_release(inode, file); + kfree(priv); - return seq_release(inode, file); + return ret; } static const struct file_operations tpm_bios_measurements_ops = { diff --git a/drivers/char/tpm/eventlog/common.h b/drivers/char/tpm/eventlog/common.h index 47ff8136ceb5..b98fd6d9a6e9 100644 --- a/drivers/char/tpm/eventlog/common.h +++ b/drivers/char/tpm/eventlog/common.h @@ -1,12 +1,40 @@ #ifndef __TPM_EVENTLOG_COMMON_H__ #define __TPM_EVENTLOG_COMMON_H__ +#include <linux/acpi.h> #include "../tpm.h" extern const struct seq_operations tpm1_ascii_b_measurements_seqops; extern const struct seq_operations tpm1_binary_b_measurements_seqops; extern const struct seq_operations tpm2_binary_b_measurements_seqops; +struct tpm_measurements { + struct tpm_chip *chip; + void *start; + void *end; +}; + +static inline bool tpm_measurements_map(struct tpm_measurements *measurements) +{ + struct tpm_chip *chip = measurements->chip; + struct tpm_bios_log *log = &chip->log; + size_t size; + + size = log->bios_event_log_end - log->bios_event_log; + measurements->start = log->bios_event_log; + +#ifdef CONFIG_ACPI + if (chip->flags & TPM_CHIP_FLAG_ACPI_LOG) + measurements->start = acpi_os_map_iomem((unsigned long)log->bios_event_log, size); +#endif + + if (!measurements->start) + return false; + + measurements->end = measurements->start + size; + return true; +} + #if defined(CONFIG_ACPI) int tpm_read_log_acpi(struct tpm_chip *chip); #else diff --git a/drivers/char/tpm/eventlog/tpm1.c b/drivers/char/tpm/eventlog/tpm1.c index 12ee42a31c71..aef6ee39423a 100644 --- a/drivers/char/tpm/eventlog/tpm1.c +++ b/drivers/char/tpm/eventlog/tpm1.c @@ -70,20 +70,23 @@ static const char* tcpa_pc_event_id_strings[] = { static void *tpm1_bios_measurements_start(struct seq_file *m, loff_t *pos) { loff_t i = 0; - struct tpm_chip *chip = m->private; - struct tpm_bios_log *log = &chip->log; - void *addr = log->bios_event_log; - void *limit = log->bios_event_log_end; + struct tpm_measurements *priv = m->private; struct tcpa_event *event; u32 converted_event_size; u32 converted_event_type; + void *addr; + + if (!tpm_measurements_map(priv)) + return NULL; + + addr = priv->start; /* read over *pos measurements */ do { event = addr; /* check if current entry is valid */ - if (addr + sizeof(struct tcpa_event) > limit) + if (addr + sizeof(struct tcpa_event) > priv->end) return NULL; converted_event_size = @@ -93,7 +96,7 @@ static void *tpm1_bios_measurements_start(struct seq_file *m, loff_t *pos) if (((converted_event_type == 0) && (converted_event_size == 0)) || ((addr + sizeof(struct tcpa_event) + converted_event_size) - > limit)) + > priv->end)) return NULL; if (i++ == *pos) @@ -109,9 +112,7 @@ static void *tpm1_bios_measurements_next(struct seq_file *m, void *v, loff_t *pos) { struct tcpa_event *event = v; - struct tpm_chip *chip = m->private; - struct tpm_bios_log *log = &chip->log; - void *limit = log->bios_event_log_end; + struct tpm_measurements *priv = m->private; u32 converted_event_size; u32 converted_event_type; @@ -121,7 +122,7 @@ static void *tpm1_bios_measurements_next(struct seq_file *m, void *v, v += sizeof(struct tcpa_event) + converted_event_size; /* now check if current entry is valid */ - if ((v + sizeof(struct tcpa_event)) > limit) + if ((v + sizeof(struct tcpa_event)) > priv->end) return NULL; event = v; @@ -130,7 +131,7 @@ static void *tpm1_bios_measurements_next(struct seq_file *m, void *v, converted_event_type = do_endian_conversion(event->event_type); if (((converted_event_type == 0) && (converted_event_size == 0)) || - ((v + sizeof(struct tcpa_event) + converted_event_size) > limit)) + ((v + sizeof(struct tcpa_event) + converted_event_size) > priv->end)) return NULL; return v; @@ -138,6 +139,13 @@ static void *tpm1_bios_measurements_next(struct seq_file *m, void *v, static void tpm1_bios_measurements_stop(struct seq_file *m, void *v) { +#ifdef CONFIG_ACPI + struct tpm_measurements *priv = m->private; + struct tpm_chip *chip = priv->chip; + + if (chip->flags & TPM_CHIP_FLAG_ACPI_LOG) + acpi_os_unmap_iomem(priv->start, priv->end - priv->start); +#endif } static int get_event_name(char *dest, struct tcpa_event *event, diff --git a/drivers/char/tpm/eventlog/tpm2.c b/drivers/char/tpm/eventlog/tpm2.c index 37a05800980c..6289d8893e46 100644 --- a/drivers/char/tpm/eventlog/tpm2.c +++ b/drivers/char/tpm/eventlog/tpm2.c @@ -41,20 +41,22 @@ static size_t calc_tpm2_event_size(struct tcg_pcr_event2_head *event, static void *tpm2_bios_measurements_start(struct seq_file *m, loff_t *pos) { - struct tpm_chip *chip = m->private; - struct tpm_bios_log *log = &chip->log; - void *addr = log->bios_event_log; - void *limit = log->bios_event_log_end; + struct tpm_measurements *priv = m->private; struct tcg_pcr_event *event_header; struct tcg_pcr_event2_head *event; size_t size; + void *addr; int i; + if (!tpm_measurements_map(priv)) + return NULL; + + addr = priv->start; event_header = addr; size = struct_size(event_header, event, event_header->event_size); if (*pos == 0) { - if (addr + size < limit) { + if (addr + size < priv->end) { if ((event_header->event_type == 0) && (event_header->event_size == 0)) return NULL; @@ -66,7 +68,7 @@ static void *tpm2_bios_measurements_start(struct seq_file *m, loff_t *pos) addr += size; event = addr; size = calc_tpm2_event_size(event, event_header); - if ((addr + size >= limit) || (size == 0)) + if ((addr + size >= priv->end) || !size) return NULL; } @@ -74,7 +76,7 @@ static void *tpm2_bios_measurements_start(struct seq_file *m, loff_t *pos) event = addr; size = calc_tpm2_event_size(event, event_header); - if ((addr + size >= limit) || (size == 0)) + if ((addr + size >= priv->end) || !size) return NULL; addr += size; } @@ -87,14 +89,12 @@ static void *tpm2_bios_measurements_next(struct seq_file *m, void *v, { struct tcg_pcr_event *event_header; struct tcg_pcr_event2_head *event; - struct tpm_chip *chip = m->private; - struct tpm_bios_log *log = &chip->log; - void *limit = log->bios_event_log_end; + struct tpm_measurements *priv = m->private; size_t event_size; void *marker; (*pos)++; - event_header = log->bios_event_log; + event_header = priv->start; if (v == SEQ_START_TOKEN) { event_size = struct_size(event_header, event, @@ -109,13 +109,13 @@ static void *tpm2_bios_measurements_next(struct seq_file *m, void *v, } marker = marker + event_size; - if (marker >= limit) + if (marker >= priv->end) return NULL; v = marker; event = v; event_size = calc_tpm2_event_size(event, event_header); - if (((v + event_size) >= limit) || (event_size == 0)) + if (((v + event_size) >= priv->end) || !event_size) return NULL; return v; @@ -123,13 +123,19 @@ static void *tpm2_bios_measurements_next(struct seq_file *m, void *v, static void tpm2_bios_measurements_stop(struct seq_file *m, void *v) { +#ifdef CONFIG_ACPI + struct tpm_measurements *priv = m->private; + struct tpm_chip *chip = priv->chip; + + if (chip->flags & TPM_CHIP_FLAG_ACPI_LOG) + acpi_os_unmap_iomem(priv->start, priv->end - priv->start); +#endif } static int tpm2_binary_bios_measurements_show(struct seq_file *m, void *v) { - struct tpm_chip *chip = m->private; - struct tpm_bios_log *log = &chip->log; - struct tcg_pcr_event *event_header = log->bios_event_log; + struct tpm_measurements *priv = m->private; + struct tcg_pcr_event *event_header = priv->start; struct tcg_pcr_event2_head *event = v; void *temp_ptr; size_t size; diff --git a/include/linux/tpm.h b/include/linux/tpm.h index 20a40ade8030..f3d12738b93b 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -348,6 +348,7 @@ enum tpm_chip_flags { TPM_CHIP_FLAG_SUSPENDED = BIT(8), TPM_CHIP_FLAG_HWRNG_DISABLED = BIT(9), TPM_CHIP_FLAG_DISABLE = BIT(10), + TPM_CHIP_FLAG_ACPI_LOG = BIT(11), }; #define to_tpm_chip(d) container_of(d, struct tpm_chip, dev) -- 2.47.1

5 months, 2 weeks

2
5
0 0

6.12.7 stable new error: event xe_bo_move has unsafe dereference of argument 4

by Genes Lists

I have not had a chance to bisect this yet but since its in stable thought it best to share sooner than later. If noone spots anything, I will do a bisect soon as I can. Boot completes and aside from this error things seem fine. - Does not happen with 6.12.6. - Does happen with Mainline + patch for different drm bug mainline commit : d6ef8b40d075c425f548002d2f35ae3f06e9cf96 Patch: https://patchwork.freedesktop.org/series/141911/ Patch fixes drm bug reported here (patch not yet in mainline): https://lore.kernel.org/lkml/3b097dddd7095bccabe6791b90899c689f271a35.camel… Graphics h/w: 00:02.0 VGA compatible controller: Intel Corporation Raptor Lake-P [Iris Xe Graphics] (rev 04) Trace below and full dmesg attached. gene [ +0.143567] ------------[ cut here ]------------ [ +0.000003] WARNING: CPU: 6 PID: 344 at kernel/trace/trace_events.c:577 trace_event_raw_init+0x159/0x660 [ +0.000005] Modules linked in: xe(+) drm_ttm_helper gpu_sched drm_suballoc_helper drm_gpuvm drm_exec typec_displayport usbhid hid_sensor_custom hid_sensor_hub intel_ishtp_hid nvme spi_pxa2xx_platform hid_multitouch dw_dmac nvme_core 8250_dw spi_pxa2xx_core i915 crct10dif_pclmul crc32_pclmul i2c_algo_bit crc32c_intel psmouse polyval_clmulni serio_raw polyval_generic drm_buddy atkbd ghash_clmulni_intel libps2 vivaldi_fmap ttm sha512_ssse3 sha256_ssse3 intel_gtt sha1_ssse3 aesni_intel gf128mul drm_display_helper ucsi_acpi crypto_simd typec_ucsi intel_lpss_pci intel_ish_ipc cryptd intel_lpss roles intel_ishtp idma64 cec vmd typec i2c_hid_acpi i8042 video i2c_hid serio wmi pkcs8_key_parser wireguard curve25519_x86_64 libchacha20poly1305 chacha_x86_64 poly1305_x86_64 ip6_udp_tunnel udp_tunnel libcurve25519_generic libchacha loop sg crypto_user [ +0.000022] CPU: 6 UID: 0 PID: 344 Comm: (udev-worker) Not tainted 6.12.7-stable-1 #16 8ef5eca39d52f9e2c5a50ace761c4a6858369a18 [ +0.000003] Hardware name: Dell Inc. XPS 9320/0CR6NC, BIOS 2.16.1 09/11/2024 [ +0.000001] RIP: 0010:trace_event_raw_init+0x159/0x660 [ +0.000002] Code: 89 ea 0f 83 3b 04 00 00 e8 84 db ff ff 84 c0 74 10 8b 0c 24 48 c7 c0 fe ff ff ff 48 d3 c0 49 21 c6 4d 85 f6 0f 84 d6 fe ff ff <0f> 0b bb 01 00 00 00 41 f6 c6 01 0f 85 f3 78 bf 00 66 0f 1f 44 00 [ +0.000001] RSP: 0018:ffffa3c8007bb980 EFLAGS: 00010206 [ +0.000001] RAX: ffffffffffffffdf RBX: ffffffffc0ef8731 RCX: 0000000000000005 [ +0.000001] RDX: 0000000000000002 RSI: 0000000000000001 RDI: ffffffffc0ef8727 [ +0.000001] RBP: ffffffffc0ef8640 R08: 0000000000000039 R09: 0000000000000000 [ +0.000000] R10: 0000000000000076 R11: 000000000000004e R12: 00000000000000f2 [ +0.000001] R13: ffffffffc0ef9760 R14: 0000000000000018 R15: 0000000000000000 [ +0.000001] FS: 000075f6c10d0880(0000) GS:ffff96b92f500000(0000) knlGS:0000000000000000 [ +0.000001] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ +0.000000] CR2: 00007be641f52f70 CR3: 000000010cffe000 CR4: 0000000000f50ef0 [ +0.000001] PKRU: 55555554 [ +0.000001] Call Trace: [ +0.000001] <TASK> [ +0.000000] ? trace_event_raw_init+0x159/0x660 [ +0.000002] ? __warn.cold+0x93/0xf6 [ +0.000001] ? trace_event_raw_init+0x159/0x660 [ +0.000003] ? report_bug+0xff/0x140 [ +0.000002] ? handle_bug+0x58/0x90 [ +0.000001] ? exc_invalid_op+0x17/0x70 [ +0.000002] ? asm_exc_invalid_op+0x1a/0x20 [ +0.000003] ? trace_event_raw_init+0x159/0x660 [ +0.000002] event_init+0x28/0x70 [ +0.000002] trace_module_notify+0x19a/0x250 [ +0.000001] notifier_call_chain+0x5a/0xd0 [ +0.000002] blocking_notifier_call_chain_robust+0x65/0xc0 [ +0.000002] load_module+0x1818/0x1ce0 [ +0.000004] ? init_module_from_file+0x89/0xe0 [ +0.000001] init_module_from_file+0x89/0xe0 [ +0.000002] idempotent_init_module+0x11e/0x310 [ +0.000002] __x64_sys_finit_module+0x5e/0xb0 [ +0.000002] do_syscall_64+0x82/0x160 [ +0.000002] ? syscall_exit_to_user_mode+0x10/0x200 [ +0.000001] ? do_syscall_64+0x8e/0x160 [ +0.000001] ? syscall_exit_to_user_mode+0x10/0x200 [ +0.000001] ? do_syscall_64+0x8e/0x160 [ +0.000001] ? do_sys_openat2+0x9c/0xe0 [ +0.000002] ? syscall_exit_to_user_mode+0x10/0x200 [ +0.000001] ? do_syscall_64+0x8e/0x160 [ +0.000001] ? do_sys_openat2+0x9c/0xe0 [ +0.000002] ? syscall_exit_to_user_mode+0x10/0x200 [ +0.000001] ? do_syscall_64+0x8e/0x160 [ +0.000001] ? exc_page_fault+0x7e/0x180 [ +0.000001] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ +0.000002] RIP: 0033:0x75f6c18c71fd [ +0.000011] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 fa 0c 00 f7 d8 64 89 01 48 [ +0.000001] RSP: 002b:00007ffdec463948 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 [ +0.000001] RAX: ffffffffffffffda RBX: 000057194ec1c5c0 RCX: 000075f6c18c71fd [ +0.000001] RDX: 0000000000000004 RSI: 000075f6c10ca05d RDI: 000000000000002b [ +0.000000] RBP: 00007ffdec463a00 R08: 0000000000000001 R09: 00007ffdec463990 [ +0.000001] R10: 0000000000000040 R11: 0000000000000246 R12: 000075f6c10ca05d [ +0.000000] R13: 0000000000020000 R14: 000057194ec1dc40 R15: 000057194ec1e900 [ +0.000001] </TASK> [ +0.000001] ---[ end trace 0000000000000000 ]--- [ +0.000000] event xe_bo_move has unsafe dereference of argument 4 [ +0.000001] print_fmt: "move_lacks_source:%s, migrate object %p [size %zu] from %s to %s device_id:%s", REC->move_lacks_source ? "yes" : "no", REC->bo, REC->size, xe_mem_type_to_name[REC->old_placement], xe_mem_type_to_name[REC->new_placement], __get_str(device_id) -- Gene

5 months, 2 weeks

4
12
0 0

[PATCH v8] tpm: Map the ACPI provided event log

by Jarkko Sakkinen

The following failure was reported: [ 10.693310][ T1] tpm_tis STM0925:00: 2.0 TPM (device-id 0x3, rev-id 0) [ 10.848132][ T1] ------------[ cut here ]------------ [ 10.853559][ T1] WARNING: CPU: 59 PID: 1 at mm/page_alloc.c:4727 __alloc_pages_noprof+0x2ca/0x330 [ 10.862827][ T1] Modules linked in: [ 10.866671][ T1] CPU: 59 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-lp155.2.g52785e2-default #1 openSUSE Tumbleweed (unreleased) 588cd98293a7c9eba9013378d807364c088c9375 [ 10.882741][ T1] Hardware name: HPE ProLiant DL320 Gen12/ProLiant DL320 Gen12, BIOS 1.20 10/28/2024 [ 10.892170][ T1] RIP: 0010:__alloc_pages_noprof+0x2ca/0x330 [ 10.898103][ T1] Code: 24 08 e9 4a fe ff ff e8 34 36 fa ff e9 88 fe ff ff 83 fe 0a 0f 86 b3 fd ff ff 80 3d 01 e7 ce 01 00 75 09 c6 05 f8 e6 ce 01 01 <0f> 0b 45 31 ff e9 e5 fe ff ff f7 c2 00 00 08 00 75 42 89 d9 80 e1 [ 10.917750][ T1] RSP: 0000:ffffb7cf40077980 EFLAGS: 00010246 [ 10.923777][ T1] RAX: 0000000000000000 RBX: 0000000000040cc0 RCX: 0000000000000000 [ 10.931727][ T1] RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000040cc0 Above shows that ACPI pointed a 16 MiB buffer for the log events because RSI maps to the 'order' parameter of __alloc_pages_noprof(). Address the bug with kvmalloc() and devm_add_action_or_reset(). Suggested-by: Ard Biesheuvel <ardb(a)kernel.org> Cc: stable(a)vger.kernel.org # v2.6.16+ Fixes: 55a82ab3181b ("[PATCH] tpm: add bios measurement log") Reported-by: Andy Liang <andy.liang(a)hpe.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219495 Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v8: * Reduced to only to this quick fix. Let HPE reserve 16 MiB if they want to. We have mapping approach backed up in lore. v7: * Use devm_add_action_or_reset(). * Fix tags. v6: * A new patch. --- drivers/char/tpm/eventlog/acpi.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/char/tpm/eventlog/acpi.c b/drivers/char/tpm/eventlog/acpi.c index 69533d0bfb51..394c8302cefd 100644 --- a/drivers/char/tpm/eventlog/acpi.c +++ b/drivers/char/tpm/eventlog/acpi.c @@ -63,6 +63,11 @@ static bool tpm_is_tpm2_log(void *bios_event_log, u64 len) return n == 0; } +static void tpm_bios_log_free(void *data) +{ + kvfree(data); +} + /* read binary bios log */ int tpm_read_log_acpi(struct tpm_chip *chip) { @@ -136,10 +141,16 @@ int tpm_read_log_acpi(struct tpm_chip *chip) } /* malloc EventLog space */ - log->bios_event_log = devm_kmalloc(&chip->dev, len, GFP_KERNEL); + log->bios_event_log = kvmalloc(len, GFP_KERNEL); if (!log->bios_event_log) return -ENOMEM; + ret = devm_add_action_or_reset(&chip->dev, tpm_bios_log_free, log->bios_event_log); + if (ret) { + log->bios_event_log = NULL; + return ret; + } + log->bios_event_log_end = log->bios_event_log + len; virt = acpi_os_map_iomem(start, len); -- 2.47.1

5 months, 2 weeks

2
2
0 0

[PATCH v3] arm64: Filter out SVE hwcaps when FEAT_SVE isn't implemented

by Marc Zyngier

The hwcaps code that exposes SVE features to userspace only considers ID_AA64ZFR0_EL1, while this is only valid when ID_AA64PFR0_EL1.SVE advertises that SVE is actually supported. The expectations are that when ID_AA64PFR0_EL1.SVE is 0, the ID_AA64ZFR0_EL1 register is also 0. So far, so good. Things become a bit more interesting if the HW implements SME. In this case, a few ID_AA64ZFR0_EL1 fields indicate *SME* features. And these fields overlap with their SVE interpretations. But the architecture says that the SME and SVE feature sets must match, so we're still hunky-dory. This goes wrong if the HW implements SME, but not SVE. In this case, we end-up advertising some SVE features to userspace, even if the HW has none. That's because we never consider whether SVE is actually implemented. Oh well. Fix it by restricting all SVE capabilities to ID_AA64PFR0_EL1.SVE being non-zero. The HWCAPS documentation is amended to reflect the actually checks performed by the kernel. Fixes: 06a916feca2b ("arm64: Expose SVE2 features for userspace") Reported-by: Catalin Marinas <catalin.marinas(a)arm.com> Signed-off-by: Marc Zyngier <maz(a)kernel.org> Cc: Will Deacon <will(a)kernel.org> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Mark Brown <broonie(a)kernel.org> Cc: stable(a)vger.kernel.org --- Documentation/arch/arm64/elf_hwcaps.rst | 39 ++++++++++++++++-------- arch/arm64/kernel/cpufeature.c | 40 +++++++++++++++++-------- 2 files changed, 53 insertions(+), 26 deletions(-) diff --git a/Documentation/arch/arm64/elf_hwcaps.rst b/Documentation/arch/arm64/elf_hwcaps.rst index 2ff922a406ad8..1a31723e79fd2 100644 --- a/Documentation/arch/arm64/elf_hwcaps.rst +++ b/Documentation/arch/arm64/elf_hwcaps.rst @@ -178,22 +178,28 @@ HWCAP2_DCPODP Functionality implied by ID_AA64ISAR1_EL1.DPB == 0b0010. HWCAP2_SVE2 - Functionality implied by ID_AA64ZFR0_EL1.SVEver == 0b0001. + Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and + ID_AA64ZFR0_EL1.SVEver == 0b0001. HWCAP2_SVEAES - Functionality implied by ID_AA64ZFR0_EL1.AES == 0b0001. + Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and + ID_AA64ZFR0_EL1.AES == 0b0001. HWCAP2_SVEPMULL - Functionality implied by ID_AA64ZFR0_EL1.AES == 0b0010. + Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and + ID_AA64ZFR0_EL1.AES == 0b0010. HWCAP2_SVEBITPERM - Functionality implied by ID_AA64ZFR0_EL1.BitPerm == 0b0001. + Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and + ID_AA64ZFR0_EL1.BitPerm == 0b0001. HWCAP2_SVESHA3 - Functionality implied by ID_AA64ZFR0_EL1.SHA3 == 0b0001. + Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and + ID_AA64ZFR0_EL1.SHA3 == 0b0001. HWCAP2_SVESM4 - Functionality implied by ID_AA64ZFR0_EL1.SM4 == 0b0001. + Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and + ID_AA64ZFR0_EL1.SM4 == 0b0001. HWCAP2_FLAGM2 Functionality implied by ID_AA64ISAR0_EL1.TS == 0b0010. @@ -202,16 +208,20 @@ HWCAP2_FRINT Functionality implied by ID_AA64ISAR1_EL1.FRINTTS == 0b0001. HWCAP2_SVEI8MM - Functionality implied by ID_AA64ZFR0_EL1.I8MM == 0b0001. + Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and + ID_AA64ZFR0_EL1.I8MM == 0b0001. HWCAP2_SVEF32MM - Functionality implied by ID_AA64ZFR0_EL1.F32MM == 0b0001. + Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and + ID_AA64ZFR0_EL1.F32MM == 0b0001. HWCAP2_SVEF64MM - Functionality implied by ID_AA64ZFR0_EL1.F64MM == 0b0001. + Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and + ID_AA64ZFR0_EL1.F64MM == 0b0001. HWCAP2_SVEBF16 - Functionality implied by ID_AA64ZFR0_EL1.BF16 == 0b0001. + Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and + ID_AA64ZFR0_EL1.BF16 == 0b0001. HWCAP2_I8MM Functionality implied by ID_AA64ISAR1_EL1.I8MM == 0b0001. @@ -277,7 +287,8 @@ HWCAP2_EBF16 Functionality implied by ID_AA64ISAR1_EL1.BF16 == 0b0010. HWCAP2_SVE_EBF16 - Functionality implied by ID_AA64ZFR0_EL1.BF16 == 0b0010. + Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and + ID_AA64ZFR0_EL1.BF16 == 0b0010. HWCAP2_CSSC Functionality implied by ID_AA64ISAR2_EL1.CSSC == 0b0001. @@ -286,7 +297,8 @@ HWCAP2_RPRFM Functionality implied by ID_AA64ISAR2_EL1.RPRFM == 0b0001. HWCAP2_SVE2P1 - Functionality implied by ID_AA64ZFR0_EL1.SVEver == 0b0010. + Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and + ID_AA64ZFR0_EL1.SVEver == 0b0010. HWCAP2_SME2 Functionality implied by ID_AA64SMFR0_EL1.SMEver == 0b0001. @@ -313,7 +325,8 @@ HWCAP2_HBC Functionality implied by ID_AA64ISAR2_EL1.BC == 0b0001. HWCAP2_SVE_B16B16 - Functionality implied by ID_AA64ZFR0_EL1.B16B16 == 0b0001. + Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and + ID_AA64ZFR0_EL1.B16B16 == 0b0001. HWCAP2_LRCPC3 Functionality implied by ID_AA64ISAR1_EL1.LRCPC == 0b0011. diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index 6ce71f444ed84..6874aca5da9df 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -3022,6 +3022,13 @@ static const struct arm64_cpu_capabilities arm64_features[] = { .matches = match, \ } +#define HWCAP_CAP_MATCH_ID(match, reg, field, min_value, cap_type, cap) \ + { \ + __HWCAP_CAP(#cap, cap_type, cap) \ + HWCAP_CPUID_MATCH(reg, field, min_value) \ + .matches = match, \ + } + #ifdef CONFIG_ARM64_PTR_AUTH static const struct arm64_cpu_capabilities ptr_auth_hwcap_addr_matches[] = { { @@ -3050,6 +3057,13 @@ static const struct arm64_cpu_capabilities ptr_auth_hwcap_gen_matches[] = { }; #endif +#ifdef CONFIG_ARM64_SVE +static bool has_sve_feature(const struct arm64_cpu_capabilities *cap, int scope) +{ + return system_supports_sve() && has_user_cpuid_feature(cap, scope); +} +#endif + static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = { HWCAP_CAP(ID_AA64ISAR0_EL1, AES, PMULL, CAP_HWCAP, KERNEL_HWCAP_PMULL), HWCAP_CAP(ID_AA64ISAR0_EL1, AES, AES, CAP_HWCAP, KERNEL_HWCAP_AES), @@ -3092,19 +3106,19 @@ static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = { HWCAP_CAP(ID_AA64MMFR2_EL1, AT, IMP, CAP_HWCAP, KERNEL_HWCAP_USCAT), #ifdef CONFIG_ARM64_SVE HWCAP_CAP(ID_AA64PFR0_EL1, SVE, IMP, CAP_HWCAP, KERNEL_HWCAP_SVE), - HWCAP_CAP(ID_AA64ZFR0_EL1, SVEver, SVE2p1, CAP_HWCAP, KERNEL_HWCAP_SVE2P1), - HWCAP_CAP(ID_AA64ZFR0_EL1, SVEver, SVE2, CAP_HWCAP, KERNEL_HWCAP_SVE2), - HWCAP_CAP(ID_AA64ZFR0_EL1, AES, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEAES), - HWCAP_CAP(ID_AA64ZFR0_EL1, AES, PMULL128, CAP_HWCAP, KERNEL_HWCAP_SVEPMULL), - HWCAP_CAP(ID_AA64ZFR0_EL1, BitPerm, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBITPERM), - HWCAP_CAP(ID_AA64ZFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVE_B16B16), - HWCAP_CAP(ID_AA64ZFR0_EL1, BF16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBF16), - HWCAP_CAP(ID_AA64ZFR0_EL1, BF16, EBF16, CAP_HWCAP, KERNEL_HWCAP_SVE_EBF16), - HWCAP_CAP(ID_AA64ZFR0_EL1, SHA3, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESHA3), - HWCAP_CAP(ID_AA64ZFR0_EL1, SM4, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESM4), - HWCAP_CAP(ID_AA64ZFR0_EL1, I8MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEI8MM), - HWCAP_CAP(ID_AA64ZFR0_EL1, F32MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF32MM), - HWCAP_CAP(ID_AA64ZFR0_EL1, F64MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF64MM), + HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, SVEver, SVE2p1, CAP_HWCAP, KERNEL_HWCAP_SVE2P1), + HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, SVEver, SVE2, CAP_HWCAP, KERNEL_HWCAP_SVE2), + HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, AES, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEAES), + HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, AES, PMULL128, CAP_HWCAP, KERNEL_HWCAP_SVEPMULL), + HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, BitPerm, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBITPERM), + HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVE_B16B16), + HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, BF16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBF16), + HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, BF16, EBF16, CAP_HWCAP, KERNEL_HWCAP_SVE_EBF16), + HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, SHA3, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESHA3), + HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, SM4, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESM4), + HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, I8MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEI8MM), + HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, F32MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF32MM), + HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, F64MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF64MM), #endif #ifdef CONFIG_ARM64_GCS HWCAP_CAP(ID_AA64PFR1_EL1, GCS, IMP, CAP_HWCAP, KERNEL_HWCAP_GCS), -- 2.39.2

5 months, 2 weeks

2
1
0 0

[PATCH AUTOSEL 5.4] nvmet: propagate npwg topology

by Sasha Levin

From: Luis Chamberlain <mcgrof(a)kernel.org> [ Upstream commit b579d6fdc3a9149bb4d2b3133cc0767130ed13e6 ] Ensure we propagate npwg to the target as well instead of assuming its the same logical blocks per physical block. This ensures devices with large IUs information properly propagated on the target. Signed-off-by: Luis Chamberlain <mcgrof(a)kernel.org> Reviewed-by: Sagi Grimberg <sagi(a)grimberg.me> Signed-off-by: Keith Busch <kbusch(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/nvme/target/io-cmd-bdev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/nvme/target/io-cmd-bdev.c b/drivers/nvme/target/io-cmd-bdev.c index 32008d85172b..40afe3d0599d 100644 --- a/drivers/nvme/target/io-cmd-bdev.c +++ b/drivers/nvme/target/io-cmd-bdev.c @@ -36,7 +36,7 @@ void nvmet_bdev_set_limits(struct block_device *bdev, struct nvme_id_ns *id) */ id->nsfeat |= 1 << 4; /* NPWG = Namespace Preferred Write Granularity. 0's based */ - id->npwg = lpp0b; + id->npwg = to0based(bdev_io_min(bdev) / bdev_logical_block_size(bdev)); /* NPWA = Namespace Preferred Write Alignment. 0's based */ id->npwa = id->npwg; /* NPDG = Namespace Preferred Deallocate Granularity. 0's based */ -- 2.39.5

5 months, 2 weeks

1
0
0 0

[PATCH AUTOSEL 5.10] nvmet: propagate npwg topology

by Sasha Levin

From: Luis Chamberlain <mcgrof(a)kernel.org> [ Upstream commit b579d6fdc3a9149bb4d2b3133cc0767130ed13e6 ] Ensure we propagate npwg to the target as well instead of assuming its the same logical blocks per physical block. This ensures devices with large IUs information properly propagated on the target. Signed-off-by: Luis Chamberlain <mcgrof(a)kernel.org> Reviewed-by: Sagi Grimberg <sagi(a)grimberg.me> Signed-off-by: Keith Busch <kbusch(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/nvme/target/io-cmd-bdev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/nvme/target/io-cmd-bdev.c b/drivers/nvme/target/io-cmd-bdev.c index 6a9626ff0713..58dd91d2d71c 100644 --- a/drivers/nvme/target/io-cmd-bdev.c +++ b/drivers/nvme/target/io-cmd-bdev.c @@ -36,7 +36,7 @@ void nvmet_bdev_set_limits(struct block_device *bdev, struct nvme_id_ns *id) */ id->nsfeat |= 1 << 4; /* NPWG = Namespace Preferred Write Granularity. 0's based */ - id->npwg = lpp0b; + id->npwg = to0based(bdev_io_min(bdev) / bdev_logical_block_size(bdev)); /* NPWA = Namespace Preferred Write Alignment. 0's based */ id->npwa = id->npwg; /* NPDG = Namespace Preferred Deallocate Granularity. 0's based */ -- 2.39.5

5 months, 2 weeks

1
0
0 0

[PATCH AUTOSEL 5.15] nvmet: propagate npwg topology

by Sasha Levin

From: Luis Chamberlain <mcgrof(a)kernel.org> [ Upstream commit b579d6fdc3a9149bb4d2b3133cc0767130ed13e6 ] Ensure we propagate npwg to the target as well instead of assuming its the same logical blocks per physical block. This ensures devices with large IUs information properly propagated on the target. Signed-off-by: Luis Chamberlain <mcgrof(a)kernel.org> Reviewed-by: Sagi Grimberg <sagi(a)grimberg.me> Signed-off-by: Keith Busch <kbusch(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/nvme/target/io-cmd-bdev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/nvme/target/io-cmd-bdev.c b/drivers/nvme/target/io-cmd-bdev.c index 0fc2781ab970..58da949696c2 100644 --- a/drivers/nvme/target/io-cmd-bdev.c +++ b/drivers/nvme/target/io-cmd-bdev.c @@ -36,7 +36,7 @@ void nvmet_bdev_set_limits(struct block_device *bdev, struct nvme_id_ns *id) */ id->nsfeat |= 1 << 4; /* NPWG = Namespace Preferred Write Granularity. 0's based */ - id->npwg = lpp0b; + id->npwg = to0based(bdev_io_min(bdev) / bdev_logical_block_size(bdev)); /* NPWA = Namespace Preferred Write Alignment. 0's based */ id->npwa = id->npwg; /* NPDG = Namespace Preferred Deallocate Granularity. 0's based */ -- 2.39.5

5 months, 2 weeks

1
0
0 0

[PATCH AUTOSEL 6.1] nvmet: propagate npwg topology

by Sasha Levin

From: Luis Chamberlain <mcgrof(a)kernel.org> [ Upstream commit b579d6fdc3a9149bb4d2b3133cc0767130ed13e6 ] Ensure we propagate npwg to the target as well instead of assuming its the same logical blocks per physical block. This ensures devices with large IUs information properly propagated on the target. Signed-off-by: Luis Chamberlain <mcgrof(a)kernel.org> Reviewed-by: Sagi Grimberg <sagi(a)grimberg.me> Signed-off-by: Keith Busch <kbusch(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/nvme/target/io-cmd-bdev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/nvme/target/io-cmd-bdev.c b/drivers/nvme/target/io-cmd-bdev.c index c2d6cea0236b..ada58a4d0d0c 100644 --- a/drivers/nvme/target/io-cmd-bdev.c +++ b/drivers/nvme/target/io-cmd-bdev.c @@ -36,7 +36,7 @@ void nvmet_bdev_set_limits(struct block_device *bdev, struct nvme_id_ns *id) */ id->nsfeat |= 1 << 4; /* NPWG = Namespace Preferred Write Granularity. 0's based */ - id->npwg = lpp0b; + id->npwg = to0based(bdev_io_min(bdev) / bdev_logical_block_size(bdev)); /* NPWA = Namespace Preferred Write Alignment. 0's based */ id->npwa = id->npwg; /* NPDG = Namespace Preferred Deallocate Granularity. 0's based */ -- 2.39.5

5 months, 2 weeks

1
0
0 0

[PATCH AUTOSEL 6.6 1/2] RDMA/bnxt_re: Fix to export port num to ib_query_qp

by Sasha Levin

From: Hongguang Gao <hongguang.gao(a)broadcom.com> [ Upstream commit 34db8ec931b84d1426423f263b1927539e73b397 ] Current driver implementation doesn't populate the port_num field in query_qp. Adding the code to convert internal firmware port id to ibv defined port number and export it. Reviewed-by: Saravanan Vajravel <saravanan.vajravel(a)broadcom.com> Reviewed-by: Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> Signed-off-by: Hongguang Gao <hongguang.gao(a)broadcom.com> Signed-off-by: Selvin Xavier <selvin.xavier(a)broadcom.com> Link: https://patch.msgid.link/20241211083931.968831-5-kalesh-anakkur.purayil@bro… Signed-off-by: Leon Romanovsky <leon(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/infiniband/hw/bnxt_re/ib_verbs.c | 1 + drivers/infiniband/hw/bnxt_re/ib_verbs.h | 4 ++++ drivers/infiniband/hw/bnxt_re/qplib_fp.c | 1 + drivers/infiniband/hw/bnxt_re/qplib_fp.h | 1 + 4 files changed, 7 insertions(+) diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c index df5897260601..5f6b1d7278da 100644 --- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c +++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c @@ -2214,6 +2214,7 @@ int bnxt_re_query_qp(struct ib_qp *ib_qp, struct ib_qp_attr *qp_attr, qp_attr->retry_cnt = qplib_qp->retry_cnt; qp_attr->rnr_retry = qplib_qp->rnr_retry; qp_attr->min_rnr_timer = qplib_qp->min_rnr_timer; + qp_attr->port_num = __to_ib_port_num(qplib_qp->port_id); qp_attr->rq_psn = qplib_qp->rq.psn; qp_attr->max_rd_atomic = qplib_qp->max_rd_atomic; qp_attr->sq_psn = qplib_qp->sq.psn; diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.h b/drivers/infiniband/hw/bnxt_re/ib_verbs.h index 98baea98fc17..ef910e6e2ccb 100644 --- a/drivers/infiniband/hw/bnxt_re/ib_verbs.h +++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.h @@ -245,6 +245,10 @@ void bnxt_re_dealloc_ucontext(struct ib_ucontext *context); int bnxt_re_mmap(struct ib_ucontext *context, struct vm_area_struct *vma); void bnxt_re_mmap_free(struct rdma_user_mmap_entry *rdma_entry); +static inline u32 __to_ib_port_num(u16 port_id) +{ + return (u32)port_id + 1; +} unsigned long bnxt_re_lock_cqs(struct bnxt_re_qp *qp); void bnxt_re_unlock_cqs(struct bnxt_re_qp *qp, unsigned long flags); diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c index b624c255eee6..00df8360dcd8 100644 --- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c +++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c @@ -1451,6 +1451,7 @@ int bnxt_qplib_query_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp) qp->dest_qpn = le32_to_cpu(sb->dest_qp_id); memcpy(qp->smac, sb->src_mac, 6); qp->vlan_id = le16_to_cpu(sb->vlan_pcp_vlan_dei_vlan_id); + qp->port_id = le16_to_cpu(sb->port_id); bail: dma_free_coherent(&rcfw->pdev->dev, sbuf.size, sbuf.sb, sbuf.dma_addr); diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.h b/drivers/infiniband/hw/bnxt_re/qplib_fp.h index 5d4c49089a20..0e0df5083ed3 100644 --- a/drivers/infiniband/hw/bnxt_re/qplib_fp.h +++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.h @@ -297,6 +297,7 @@ struct bnxt_qplib_qp { u32 dest_qpn; u8 smac[6]; u16 vlan_id; + u16 port_id; u8 nw_type; struct bnxt_qplib_ah ah; -- 2.39.5

5 months, 2 weeks

1
1
0 0

[PATCH AUTOSEL 6.12 1/8] selftests/sched_ext: fix build after renames in sched_ext API

by Sasha Levin

From: Ihor Solodrai <ihor.solodrai(a)pm.me> [ Upstream commit ef7009decc30eb2515a64253791d61b72229c119 ] The selftests are falining to build on current tip of bpf-next and sched_ext [1]. This has broken BPF CI [2] after merge from upstream. Use appropriate function names in the selftests according to the recent changes in the sched_ext API [3]. [1] https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/commit/?id… [2] https://github.com/kernel-patches/bpf/actions/runs/11959327258/job/33340923… [3] https://lore.kernel.org/all/20241109194853.580310-1-tj@kernel.org/ Signed-off-by: Ihor Solodrai <ihor.solodrai(a)pm.me> Acked-by: Andrea Righi <arighi(a)nvidia.com> Acked-by: David Vernet <void(a)manifault.com> Signed-off-by: Tejun Heo <tj(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- .../testing/selftests/sched_ext/ddsp_bogus_dsq_fail.bpf.c | 2 +- .../selftests/sched_ext/ddsp_vtimelocal_fail.bpf.c | 4 ++-- tools/testing/selftests/sched_ext/dsp_local_on.bpf.c | 2 +- .../selftests/sched_ext/enq_select_cpu_fails.bpf.c | 2 +- tools/testing/selftests/sched_ext/exit.bpf.c | 4 ++-- tools/testing/selftests/sched_ext/maximal.bpf.c | 4 ++-- tools/testing/selftests/sched_ext/select_cpu_dfl.bpf.c | 2 +- .../selftests/sched_ext/select_cpu_dfl_nodispatch.bpf.c | 2 +- .../testing/selftests/sched_ext/select_cpu_dispatch.bpf.c | 2 +- .../selftests/sched_ext/select_cpu_dispatch_bad_dsq.bpf.c | 2 +- .../selftests/sched_ext/select_cpu_dispatch_dbl_dsp.bpf.c | 4 ++-- tools/testing/selftests/sched_ext/select_cpu_vtime.bpf.c | 8 ++++---- 12 files changed, 19 insertions(+), 19 deletions(-) diff --git a/tools/testing/selftests/sched_ext/ddsp_bogus_dsq_fail.bpf.c b/tools/testing/selftests/sched_ext/ddsp_bogus_dsq_fail.bpf.c index 37d9bf6fb745..6f4c3f5a1c5d 100644 --- a/tools/testing/selftests/sched_ext/ddsp_bogus_dsq_fail.bpf.c +++ b/tools/testing/selftests/sched_ext/ddsp_bogus_dsq_fail.bpf.c @@ -20,7 +20,7 @@ s32 BPF_STRUCT_OPS(ddsp_bogus_dsq_fail_select_cpu, struct task_struct *p, * If we dispatch to a bogus DSQ that will fall back to the * builtin global DSQ, we fail gracefully. */ - scx_bpf_dispatch_vtime(p, 0xcafef00d, SCX_SLICE_DFL, + scx_bpf_dsq_insert_vtime(p, 0xcafef00d, SCX_SLICE_DFL, p->scx.dsq_vtime, 0); return cpu; } diff --git a/tools/testing/selftests/sched_ext/ddsp_vtimelocal_fail.bpf.c b/tools/testing/selftests/sched_ext/ddsp_vtimelocal_fail.bpf.c index dffc97d9cdf1..e4a55027778f 100644 --- a/tools/testing/selftests/sched_ext/ddsp_vtimelocal_fail.bpf.c +++ b/tools/testing/selftests/sched_ext/ddsp_vtimelocal_fail.bpf.c @@ -17,8 +17,8 @@ s32 BPF_STRUCT_OPS(ddsp_vtimelocal_fail_select_cpu, struct task_struct *p, if (cpu >= 0) { /* Shouldn't be allowed to vtime dispatch to a builtin DSQ. */ - scx_bpf_dispatch_vtime(p, SCX_DSQ_LOCAL, SCX_SLICE_DFL, - p->scx.dsq_vtime, 0); + scx_bpf_dsq_insert_vtime(p, SCX_DSQ_LOCAL, SCX_SLICE_DFL, + p->scx.dsq_vtime, 0); return cpu; } diff --git a/tools/testing/selftests/sched_ext/dsp_local_on.bpf.c b/tools/testing/selftests/sched_ext/dsp_local_on.bpf.c index 6a7db1502c29..6325bf76f47e 100644 --- a/tools/testing/selftests/sched_ext/dsp_local_on.bpf.c +++ b/tools/testing/selftests/sched_ext/dsp_local_on.bpf.c @@ -45,7 +45,7 @@ void BPF_STRUCT_OPS(dsp_local_on_dispatch, s32 cpu, struct task_struct *prev) target = bpf_get_prandom_u32() % nr_cpus; - scx_bpf_dispatch(p, SCX_DSQ_LOCAL_ON | target, SCX_SLICE_DFL, 0); + scx_bpf_dsq_insert(p, SCX_DSQ_LOCAL_ON | target, SCX_SLICE_DFL, 0); bpf_task_release(p); } diff --git a/tools/testing/selftests/sched_ext/enq_select_cpu_fails.bpf.c b/tools/testing/selftests/sched_ext/enq_select_cpu_fails.bpf.c index 1efb50d61040..a7cf868d5e31 100644 --- a/tools/testing/selftests/sched_ext/enq_select_cpu_fails.bpf.c +++ b/tools/testing/selftests/sched_ext/enq_select_cpu_fails.bpf.c @@ -31,7 +31,7 @@ void BPF_STRUCT_OPS(enq_select_cpu_fails_enqueue, struct task_struct *p, /* Can only call from ops.select_cpu() */ scx_bpf_select_cpu_dfl(p, 0, 0, &found); - scx_bpf_dispatch(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, enq_flags); + scx_bpf_dsq_insert(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, enq_flags); } SEC(".struct_ops.link") diff --git a/tools/testing/selftests/sched_ext/exit.bpf.c b/tools/testing/selftests/sched_ext/exit.bpf.c index d75d4faf07f6..4bc36182d3ff 100644 --- a/tools/testing/selftests/sched_ext/exit.bpf.c +++ b/tools/testing/selftests/sched_ext/exit.bpf.c @@ -33,7 +33,7 @@ void BPF_STRUCT_OPS(exit_enqueue, struct task_struct *p, u64 enq_flags) if (exit_point == EXIT_ENQUEUE) EXIT_CLEANLY(); - scx_bpf_dispatch(p, DSQ_ID, SCX_SLICE_DFL, enq_flags); + scx_bpf_dsq_insert(p, DSQ_ID, SCX_SLICE_DFL, enq_flags); } void BPF_STRUCT_OPS(exit_dispatch, s32 cpu, struct task_struct *p) @@ -41,7 +41,7 @@ void BPF_STRUCT_OPS(exit_dispatch, s32 cpu, struct task_struct *p) if (exit_point == EXIT_DISPATCH) EXIT_CLEANLY(); - scx_bpf_consume(DSQ_ID); + scx_bpf_dsq_move_to_local(DSQ_ID); } void BPF_STRUCT_OPS(exit_enable, struct task_struct *p) diff --git a/tools/testing/selftests/sched_ext/maximal.bpf.c b/tools/testing/selftests/sched_ext/maximal.bpf.c index 4d4cd8d966db..4c005fa71810 100644 --- a/tools/testing/selftests/sched_ext/maximal.bpf.c +++ b/tools/testing/selftests/sched_ext/maximal.bpf.c @@ -20,7 +20,7 @@ s32 BPF_STRUCT_OPS(maximal_select_cpu, struct task_struct *p, s32 prev_cpu, void BPF_STRUCT_OPS(maximal_enqueue, struct task_struct *p, u64 enq_flags) { - scx_bpf_dispatch(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, enq_flags); + scx_bpf_dsq_insert(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, enq_flags); } void BPF_STRUCT_OPS(maximal_dequeue, struct task_struct *p, u64 deq_flags) @@ -28,7 +28,7 @@ void BPF_STRUCT_OPS(maximal_dequeue, struct task_struct *p, u64 deq_flags) void BPF_STRUCT_OPS(maximal_dispatch, s32 cpu, struct task_struct *prev) { - scx_bpf_consume(SCX_DSQ_GLOBAL); + scx_bpf_dsq_move_to_local(SCX_DSQ_GLOBAL); } void BPF_STRUCT_OPS(maximal_runnable, struct task_struct *p, u64 enq_flags) diff --git a/tools/testing/selftests/sched_ext/select_cpu_dfl.bpf.c b/tools/testing/selftests/sched_ext/select_cpu_dfl.bpf.c index f171ac470970..13d0f5be788d 100644 --- a/tools/testing/selftests/sched_ext/select_cpu_dfl.bpf.c +++ b/tools/testing/selftests/sched_ext/select_cpu_dfl.bpf.c @@ -30,7 +30,7 @@ void BPF_STRUCT_OPS(select_cpu_dfl_enqueue, struct task_struct *p, } scx_bpf_put_idle_cpumask(idle_mask); - scx_bpf_dispatch(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, enq_flags); + scx_bpf_dsq_insert(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, enq_flags); } SEC(".struct_ops.link") diff --git a/tools/testing/selftests/sched_ext/select_cpu_dfl_nodispatch.bpf.c b/tools/testing/selftests/sched_ext/select_cpu_dfl_nodispatch.bpf.c index 9efdbb7da928..815f1d5d61ac 100644 --- a/tools/testing/selftests/sched_ext/select_cpu_dfl_nodispatch.bpf.c +++ b/tools/testing/selftests/sched_ext/select_cpu_dfl_nodispatch.bpf.c @@ -67,7 +67,7 @@ void BPF_STRUCT_OPS(select_cpu_dfl_nodispatch_enqueue, struct task_struct *p, saw_local = true; } - scx_bpf_dispatch(p, dsq_id, SCX_SLICE_DFL, enq_flags); + scx_bpf_dsq_insert(p, dsq_id, SCX_SLICE_DFL, enq_flags); } s32 BPF_STRUCT_OPS(select_cpu_dfl_nodispatch_init_task, diff --git a/tools/testing/selftests/sched_ext/select_cpu_dispatch.bpf.c b/tools/testing/selftests/sched_ext/select_cpu_dispatch.bpf.c index 59bfc4f36167..4bb99699e920 100644 --- a/tools/testing/selftests/sched_ext/select_cpu_dispatch.bpf.c +++ b/tools/testing/selftests/sched_ext/select_cpu_dispatch.bpf.c @@ -29,7 +29,7 @@ s32 BPF_STRUCT_OPS(select_cpu_dispatch_select_cpu, struct task_struct *p, cpu = prev_cpu; dispatch: - scx_bpf_dispatch(p, dsq_id, SCX_SLICE_DFL, 0); + scx_bpf_dsq_insert(p, dsq_id, SCX_SLICE_DFL, 0); return cpu; } diff --git a/tools/testing/selftests/sched_ext/select_cpu_dispatch_bad_dsq.bpf.c b/tools/testing/selftests/sched_ext/select_cpu_dispatch_bad_dsq.bpf.c index 3bbd5fcdfb18..2a75de11b2cf 100644 --- a/tools/testing/selftests/sched_ext/select_cpu_dispatch_bad_dsq.bpf.c +++ b/tools/testing/selftests/sched_ext/select_cpu_dispatch_bad_dsq.bpf.c @@ -18,7 +18,7 @@ s32 BPF_STRUCT_OPS(select_cpu_dispatch_bad_dsq_select_cpu, struct task_struct *p s32 prev_cpu, u64 wake_flags) { /* Dispatching to a random DSQ should fail. */ - scx_bpf_dispatch(p, 0xcafef00d, SCX_SLICE_DFL, 0); + scx_bpf_dsq_insert(p, 0xcafef00d, SCX_SLICE_DFL, 0); return prev_cpu; } diff --git a/tools/testing/selftests/sched_ext/select_cpu_dispatch_dbl_dsp.bpf.c b/tools/testing/selftests/sched_ext/select_cpu_dispatch_dbl_dsp.bpf.c index 0fda57fe0ecf..99d075695c97 100644 --- a/tools/testing/selftests/sched_ext/select_cpu_dispatch_dbl_dsp.bpf.c +++ b/tools/testing/selftests/sched_ext/select_cpu_dispatch_dbl_dsp.bpf.c @@ -18,8 +18,8 @@ s32 BPF_STRUCT_OPS(select_cpu_dispatch_dbl_dsp_select_cpu, struct task_struct *p s32 prev_cpu, u64 wake_flags) { /* Dispatching twice in a row is disallowed. */ - scx_bpf_dispatch(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, 0); - scx_bpf_dispatch(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, 0); + scx_bpf_dsq_insert(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, 0); + scx_bpf_dsq_insert(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, 0); return prev_cpu; } diff --git a/tools/testing/selftests/sched_ext/select_cpu_vtime.bpf.c b/tools/testing/selftests/sched_ext/select_cpu_vtime.bpf.c index e6c67bcf5e6e..bfcb96cd4954 100644 --- a/tools/testing/selftests/sched_ext/select_cpu_vtime.bpf.c +++ b/tools/testing/selftests/sched_ext/select_cpu_vtime.bpf.c @@ -2,8 +2,8 @@ /* * A scheduler that validates that enqueue flags are properly stored and * applied at dispatch time when a task is directly dispatched from - * ops.select_cpu(). We validate this by using scx_bpf_dispatch_vtime(), and - * making the test a very basic vtime scheduler. + * ops.select_cpu(). We validate this by using scx_bpf_dsq_insert_vtime(), + * and making the test a very basic vtime scheduler. * * Copyright (c) 2024 Meta Platforms, Inc. and affiliates. * Copyright (c) 2024 David Vernet <dvernet(a)meta.com> @@ -47,13 +47,13 @@ s32 BPF_STRUCT_OPS(select_cpu_vtime_select_cpu, struct task_struct *p, cpu = prev_cpu; scx_bpf_test_and_clear_cpu_idle(cpu); ddsp: - scx_bpf_dispatch_vtime(p, VTIME_DSQ, SCX_SLICE_DFL, task_vtime(p), 0); + scx_bpf_dsq_insert_vtime(p, VTIME_DSQ, SCX_SLICE_DFL, task_vtime(p), 0); return cpu; } void BPF_STRUCT_OPS(select_cpu_vtime_dispatch, s32 cpu, struct task_struct *p) { - if (scx_bpf_consume(VTIME_DSQ)) + if (scx_bpf_dsq_move_to_local(VTIME_DSQ)) consumed = true; } -- 2.39.5

5 months, 2 weeks

1
7
0 0

[PATCH resubmit v2] spi: atmel-qspi: Memory barriers after memory-mapped I/O

by Bence Csókás

The QSPI peripheral control and status registers are accessible via the SoC's APB bus, whereas MMIO transactions' data travels on the AHB bus. Microchip documentation and even sample code from Atmel emphasises the need for a memory barrier before the first MMIO transaction to the AHB-connected QSPI, and before the last write to its registers via APB. This is achieved by the following lines in `atmel_qspi_transfer()`: /* Dummy read of QSPI_IFR to synchronize APB and AHB accesses */ (void)atmel_qspi_read(aq, QSPI_IFR); However, the current documentation makes no mention to synchronization requirements in the other direction, i.e. after the last data written via AHB, and before the first register access on APB. In our case, we were facing an issue where the QSPI peripheral would cease to send any new CSR (nCS Rise) interrupts, leading to a timeout in `atmel_qspi_wait_for_completion()` and ultimately this panic in higher levels: ubi0 error: ubi_io_write: error -110 while writing 63108 bytes to PEB 491:128, written 63104 bytes After months of extensive research of the codebase, fiddling around the debugger with kgdb, and back-and-forth with Microchip, we came to the conclusion that the issue is probably that the peripheral is still busy receiving on AHB when the LASTXFER bit is written to its Control Register on APB, therefore this write gets lost, and the peripheral still thinks there is more data to come in the MMIO transfer. This was first formulated when we noticed that doubling the write() of QSPI_CR_LASTXFER seemed to solve the problem. Ultimately, the solution is to introduce memory barriers after the AHB-mapped MMIO transfers, to ensure ordering. Fixes: d5433def3153 ("mtd: spi-nor: atmel-quadspi: Add spi-mem support to atmel-quadspi") Cc: Hari.PrasathGE(a)microchip.com Cc: Mahesh.Abotula(a)microchip.com Cc: Marco.Cardellini(a)microchip.com Cc: <stable(a)vger.kernel.org> # c0a0203cf579: ("spi: atmel-quadspi: Create `atmel_qspi_ops`"...) Cc: <stable(a)vger.kernel.org> # 6.x.y Signed-off-by: Bence Csókás <csokas.bence(a)prolan.hu> --- Notes: Changes in v2: * dropping --- from commit msg Resubmit: rebased on current spi-next drivers/spi/atmel-quadspi.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/spi/atmel-quadspi.c b/drivers/spi/atmel-quadspi.c index f46da363574f..8fdc9d27a95e 100644 --- a/drivers/spi/atmel-quadspi.c +++ b/drivers/spi/atmel-quadspi.c @@ -661,13 +661,20 @@ static int atmel_qspi_transfer(struct spi_mem *mem, (void)atmel_qspi_read(aq, QSPI_IFR); /* Send/Receive data */ - if (op->data.dir == SPI_MEM_DATA_IN) + if (op->data.dir == SPI_MEM_DATA_IN) { memcpy_fromio(op->data.buf.in, aq->mem + offset, op->data.nbytes); - else + + /* Synchronize AHB and APB accesses again */ + rmb(); + } else { memcpy_toio(aq->mem + offset, op->data.buf.out, op->data.nbytes); + /* Synchronize AHB and APB accesses again */ + wmb(); + } + /* Release the chip-select */ atmel_qspi_write(QSPI_CR_LASTXFER, aq, QSPI_CR); -- 2.34.1

5 months, 2 weeks

1
0
0 0

[PATCH 0/5] clk: Fix simple video pipelines on i.MX8

by Miquel Raynal

Recent changes in the clock tree have set CLK_SET_RATE_PARENT to the two LCDIF pixel clocks. The idea is, instead of using assigned-clock properties to set upstream PLL rates to high frequencies and hoping that a single divisor (namely media_disp[12]_pix) will be close enough in most cases, we should tell the clock core to use the PLL to properly derive an accurate pixel clock rate in the first place. Here is the situation. [Before ff06ea04e4cf ("clk: imx: clk-imx8mp: Allow media_disp pixel clock reconfigure parent rate")] Before setting CLK_SET_RATE_PARENT to the media_disp[12]_pix clocks, the sequence of events was: - PLL is assigned to a high rate, - media_disp[12]_pix is set to approximately freq A by using a single divisor, - media_ldb is set to approximately freq 7*A by using another single divisor. => The display was working, but the pixel clock was inaccurate. [After ff06ea04e4cf ("clk: imx: clk-imx8mp: Allow media_disp pixel clock reconfigure parent rate")] After setting CLK_SET_RATE_PARENT to the media_disp[12]_pix clocks, the sequence of events became: - media_disp[12]_pix is set to freq A by using a divisor of 1 and setting video_pll1 to freq A. - media_ldb is trying to compute its divisor to set freq 7*A, but the upstream PLL is to low, it does not recompute it, so it ends up setting a divisor of 1 and being at freq A instead of 7*A. => The display is sadly no longer working [After applying PATCH "clk: imx: clk-imx8mp: Allow LDB serializer clock reconfigure parent rate"] This is a commit from Marek, which is, I believe going in the right direction, so I am including it. Just with this change, the situation is slightly different, but the result is the same: - media_disp[12]_pix is set to freq A by using a divisor of 1 and setting video_pll1 to freq A. - media_ldb is set to 7*A by using a divisor of 1 and setting video_pll1 to freq 7*A. /!\ This as the side effect of changing media_disp[12]_pix from freq A to freq 7*A. => The display is still not working [After applying this series] The goal of the following patches is to prevent clock subtree walks to "just recalculate" the pixel clocks, ignoring the fact that they should no longer change. They should adapt their divisors to the new upstream rates instead. As a result, the display pipeline is working again. Note: if more than one display is connected, we need the LDB driver to act accordingly, thus the LDB driver must be adapted. Also, if accurate pixel clocks are not possible with two different displays, we will still need (at least for now) to make sure one of them is reparented to another PLL, like the audio PLL (but audio PLL are of a different kind, and are slightly less accurate). So this series aims at fixing the i.MX8MP display pipeline for simple setups. Said otherwise, returning to the same level of support as before, but with (hopefully) more accurate frequencies. I believe this approach manages to fix both Marek situation and all people using a straightforward LCD based setup. For more complex setups, we need more smartness from DRM and clk, but this is gonna take a bit of time. --- Marek Vasut (1): clk: imx: clk-imx8mp: Allow LDB serializer clock reconfigure parent rate Miquel Raynal (4): clk: Add a helper to determine a clock rate clk: Split clk_calc_subtree() clk: Add flag to prevent frequency changes when walking subtrees clk: imx: imx8mp: Prevent media clocks to be incompatibly changed drivers/clk/clk.c | 39 ++++++++++++++++++++++++++++++++------- drivers/clk/imx/clk-imx8mp.c | 6 +++--- include/linux/clk-provider.h | 2 ++ 3 files changed, 37 insertions(+), 10 deletions(-) --- base-commit: 62facaf164585923d081eedcb6871f4ff3c2e953 change-id: 20241121-ge-ian-debug-imx8-clk-tree-bd325aa866f1 Best regards, -- Miquel Raynal <miquel.raynal(a)bootlin.com>

5 months, 2 weeks

3
9
0 0

Re: Patch "watchdog: s3c2410_wdt: use exynos_get_pmu_regmap_by_phandle() for PMU regs" has been added to the 6.6-stable tree

by Peter Griffin

Hi Sasha, + cc stable(a)vger.kernel.org On Fri, 3 Jan 2025 at 00:45, Sasha Levin <sashal(a)kernel.org> wrote: > > This is a note to let you know that I've just added the patch titled > > watchdog: s3c2410_wdt: use exynos_get_pmu_regmap_by_phandle() for PMU regs > > to the 6.6-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > watchdog-s3c2410_wdt-use-exynos_get_pmu_regmap_by_ph.patch > and it can be found in the queue-6.6 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. It doesn't make sense (to me at least) to add this patch and then also add the revert of it to v6.6 stable tree, as it becomes a no-op. The only reason I can think of is it somehow helps with your automated tooling? Additionally the hardware (Pixel 6 & gs101 SoC ) which these patches and APIs were added for wasn't merged until v6.8. The revert is also only applicable if the kernel has the corresponding enhancements made to syscon driver to register custom regmaps. See 769cb63166d9 ("mfd: syscon: Add of_syscon_register_regmap() API") Thanks, Peter

5 months, 2 weeks

2
3
0 0

Re: Patch "vmstat: disable vmstat_work on vmstat_cpu_down_prep()" has been added to the 6.12-stable tree

by Koichiro Den

On Mon, Jan 06, 2025 at 11:41:20AM +0100, gregkh(a)linuxfoundation.org wrote: > > This is a note to let you know that I've just added the patch titled > > vmstat: disable vmstat_work on vmstat_cpu_down_prep() > > to the 6.12-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > vmstat-disable-vmstat_work-on-vmstat_cpu_down_prep.patch > and it can be found in the queue-6.12 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Hi, could you hold off on adding this for now? It's broken [1] and needs to be fixed. Once a follow-up fix is ready, I'll make sure to notify you. [1] https://lore.kernel.org/linux-mm/7ed97096-859e-46d0-8f27-16a2298a8914@lucif… Thanks. -Koichiro Den > > > From adcfb264c3ed51fbbf5068ddf10d309a63683868 Mon Sep 17 00:00:00 2001 > From: Koichiro Den <koichiro.den(a)canonical.com> > Date: Sat, 21 Dec 2024 12:33:20 +0900 > Subject: vmstat: disable vmstat_work on vmstat_cpu_down_prep() > > From: Koichiro Den <koichiro.den(a)canonical.com> > > commit adcfb264c3ed51fbbf5068ddf10d309a63683868 upstream. > > Even after mm/vmstat:online teardown, shepherd may still queue work for > the dying cpu until the cpu is removed from online mask. While it's quite > rare, this means that after unbind_workers() unbinds a per-cpu kworker, it > potentially runs vmstat_update for the dying CPU on an irrelevant cpu > before entering atomic AP states. When CONFIG_DEBUG_PREEMPT=y, it results > in the following error with the backtrace. > > BUG: using smp_processor_id() in preemptible [00000000] code: \ > kworker/7:3/1702 > caller is refresh_cpu_vm_stats+0x235/0x5f0 > CPU: 0 UID: 0 PID: 1702 Comm: kworker/7:3 Tainted: G > Tainted: [N]=TEST > Workqueue: mm_percpu_wq vmstat_update > Call Trace: > <TASK> > dump_stack_lvl+0x8d/0xb0 > check_preemption_disabled+0xce/0xe0 > refresh_cpu_vm_stats+0x235/0x5f0 > vmstat_update+0x17/0xa0 > process_one_work+0x869/0x1aa0 > worker_thread+0x5e5/0x1100 > kthread+0x29e/0x380 > ret_from_fork+0x2d/0x70 > ret_from_fork_asm+0x1a/0x30 > </TASK> > > So, for mm/vmstat:online, disable vmstat_work reliably on teardown and > symmetrically enable it on startup. > > Link: https://lkml.kernel.org/r/20241221033321.4154409-1-koichiro.den@canonical.c… > Signed-off-by: Koichiro Den <koichiro.den(a)canonical.com> > Cc: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> > Cc: <stable(a)vger.kernel.org> > Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> > Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> > --- > mm/vmstat.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > --- a/mm/vmstat.c > +++ b/mm/vmstat.c > @@ -2139,13 +2139,14 @@ static int vmstat_cpu_online(unsigned in > if (!node_state(cpu_to_node(cpu), N_CPU)) { > node_set_state(cpu_to_node(cpu), N_CPU); > } > + enable_delayed_work(&per_cpu(vmstat_work, cpu)); > > return 0; > } > > static int vmstat_cpu_down_prep(unsigned int cpu) > { > - cancel_delayed_work_sync(&per_cpu(vmstat_work, cpu)); > + disable_delayed_work_sync(&per_cpu(vmstat_work, cpu)); > return 0; > } > > > > Patches currently in stable-queue which might be from koichiro.den(a)canonical.com are > > queue-6.12/vmstat-disable-vmstat_work-on-vmstat_cpu_down_prep.patch

5 months, 2 weeks

2
1
0 0

[PATCHv3 1/2] media: venus: destroy hfi session after m2m_ctx release

by Sergey Senozhatsky

This partially reverts commit that made hfi_session_destroy() the first step of vdec/venc close(). The reason being is a regression report when, supposedly, encode/decoder is closed with still active streaming (no ->stop_streaming() call before close()) and pending pkts, so isr_thread cannot find instance and fails to process those pending pkts. This was the idea behind the original patch - make it impossible to use instance under destruction, because this is racy, but apparently there are uses cases that depend on that unsafe pattern. Return to the old (unsafe) behaviour for the time being (until a better fix is found). Fixes: 45b1a1b348ec1 ("media: venus: sync with threaded IRQ during inst destruction") Cc: stable(a)vger.kernel.org Reported-by: Nathan Hebert <nhebert(a)google.com> Signed-off-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> --- drivers/media/platform/qcom/venus/core.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/drivers/media/platform/qcom/venus/core.c b/drivers/media/platform/qcom/venus/core.c index 2d27c5167246..807487a1f536 100644 --- a/drivers/media/platform/qcom/venus/core.c +++ b/drivers/media/platform/qcom/venus/core.c @@ -506,18 +506,14 @@ static __maybe_unused int venus_runtime_suspend(struct device *dev) void venus_close_common(struct venus_inst *inst) { /* - * First, remove the inst from the ->instances list, so that - * to_instance() will return NULL. - */ - hfi_session_destroy(inst); - /* - * Second, make sure we don't have IRQ/IRQ-thread currently running + * Make sure we don't have IRQ/IRQ-thread currently running * or pending execution, which would race with the inst destruction. */ synchronize_irq(inst->core->irq); v4l2_m2m_ctx_release(inst->m2m_ctx); v4l2_m2m_release(inst->m2m_dev); + hfi_session_destroy(inst); v4l2_fh_del(&inst->fh); v4l2_fh_exit(&inst->fh); v4l2_ctrl_handler_free(&inst->ctrl_handler); -- 2.47.1.613.gc27f4b7a9f-goog

5 months, 2 weeks

2
2
0 0

[PATCH] ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[]

by Gustavo Azor

Estimated people: Seems to me, I browse drivers/acpi/resources.c: the patch was not included in kernel versions stable 6.12.7 or long term 6.6.68. I hope will be include in mainline 6.13.-rc5 to inform if work in the ASUS Vivobook 15 X1504VAP_X1504VA keyboard. I have not idea how work with git diff or compiling kernels to try the patch, and need to try in installed kernel. Thanks.Regards. Sent: Friday, December 20, 2024 at 8:23 PM From: bugzilla-daemon(a)kernel.org To: gazo11(a)mail.com Subject: [Bug 219224] Laptop Internal Keyboard not working on ASUS VivoBook E1404GA on ubuntu 24.04. https://bugzilla.kernel.org/show_bug.cgi?id=219224 --- Comment #11 from Hans de Goede (jwrdegoede(a)fedoraproject.org) --- (In reply to gazo11 from comment #10) > Hello I have the same problem for dmidecode: > > > System Information > Manufacturer: ASUSTeK COMPUTER INC. > Product Name: ASUS Vivobook 15 X1504VAP_X1504VA > Version: 1.0 > Serial Number: S1N0CV02L86302G > UUID: cdc508f0-d3f1-f743-bce4-5eb9d4c06fda > Wake-up Type: Power Switch > SKU Number: > Family: ASUS Vivobook 15 > > Its possible to get this model listed in future kernels? Thanks! Thank you for reporting this, I've submitted a patch to add this to the irq1_level_low_skip_override[] list: https://lore.kernel.org/linux-acpi/20241220181352.25974-1-hdegoede@redhat.c… -- You may reply to this email to add a comment. You are receiving this mail because: You are on the CC list for the bug.

5 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] mptcp: fix TCP options overflow." failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x cbb26f7d8451fe56ccac802c6db48d16240feebd # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010636-stereo-friend-8023@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From cbb26f7d8451fe56ccac802c6db48d16240feebd Mon Sep 17 00:00:00 2001 From: Paolo Abeni <pabeni(a)redhat.com> Date: Sat, 21 Dec 2024 09:51:46 +0100 Subject: [PATCH] mptcp: fix TCP options overflow. Syzbot reported the following splat: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 UID: 0 PID: 5836 Comm: sshd Not tainted 6.13.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 RIP: 0010:_compound_head include/linux/page-flags.h:242 [inline] RIP: 0010:put_page+0x23/0x260 include/linux/mm.h:1552 Code: 90 90 90 90 90 90 90 55 41 57 41 56 53 49 89 fe 48 bd 00 00 00 00 00 fc ff df e8 f8 5e 12 f8 49 8d 5e 08 48 89 d8 48 c1 e8 03 <80> 3c 28 00 74 08 48 89 df e8 8f c7 78 f8 48 8b 1b 48 89 de 48 83 RSP: 0000:ffffc90003916c90 EFLAGS: 00010202 RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff888030458000 RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000 RBP: dffffc0000000000 R08: ffffffff898ca81d R09: 1ffff110054414ac R10: dffffc0000000000 R11: ffffed10054414ad R12: 0000000000000007 R13: ffff88802a20a542 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f34f496e800(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9d6ec9ec28 CR3: 000000004d260000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> skb_page_unref include/linux/skbuff_ref.h:43 [inline] __skb_frag_unref include/linux/skbuff_ref.h:56 [inline] skb_release_data+0x483/0x8a0 net/core/skbuff.c:1119 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb+0x55/0x70 net/core/skbuff.c:1204 tcp_clean_rtx_queue net/ipv4/tcp_input.c:3436 [inline] tcp_ack+0x2442/0x6bc0 net/ipv4/tcp_input.c:4032 tcp_rcv_state_process+0x8eb/0x44e0 net/ipv4/tcp_input.c:6805 tcp_v4_do_rcv+0x77d/0xc70 net/ipv4/tcp_ipv4.c:1939 tcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2351 ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 __netif_receive_skb_one_core net/core/dev.c:5672 [inline] __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5785 process_backlog+0x662/0x15b0 net/core/dev.c:6117 __napi_poll+0xcb/0x490 net/core/dev.c:6883 napi_poll net/core/dev.c:6952 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:7074 handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561 __do_softirq kernel/softirq.c:595 [inline] invoke_softirq kernel/softirq.c:435 [inline] __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0x57/0xc0 arch/x86/kernel/apic/apic.c:1049 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0033:0x7f34f4519ad5 Code: 85 d2 74 0d 0f 10 02 48 8d 54 24 20 0f 11 44 24 20 64 8b 04 25 18 00 00 00 85 c0 75 27 41 b8 08 00 00 00 b8 0f 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 75 48 8b 15 24 73 0d 00 f7 d8 64 89 02 48 83 RSP: 002b:00007ffec5b32ce0 EFLAGS: 00000246 RAX: 0000000000000001 RBX: 00000000000668a0 RCX: 00007f34f4519ad5 RDX: 00007ffec5b32d00 RSI: 0000000000000004 RDI: 0000564f4bc6cae0 RBP: 0000564f4bc6b5a0 R08: 0000000000000008 R09: 0000000000000000 R10: 00007ffec5b32de8 R11: 0000000000000246 R12: 0000564f48ea8aa4 R13: 0000000000000001 R14: 0000564f48ea93e8 R15: 00007ffec5b32d68 </TASK> Eric noted a probable shinfo->nr_frags corruption, which indeed occurs. The root cause is a buggy MPTCP option len computation in some circumstances: the ADD_ADDR option should be mutually exclusive with DSS since the blamed commit. Still, mptcp_established_options_add_addr() tries to set the relevant info in mptcp_out_options, if the remaining space is large enough even when DSS is present. Since the ADD_ADDR infos and the DSS share the same union fields, adding first corrupts the latter. In the worst-case scenario, such corruption increases the DSS binary layout, exceeding the computed length and possibly overwriting the skb shared info. Address the issue by enforcing mutual exclusion in mptcp_established_options_add_addr(), too. Cc: stable(a)vger.kernel.org Reported-by: syzbot+38a095a81f30d82884c1(a)syzkaller.appspotmail.com Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/538 Fixes: 1bff1e43a30e ("mptcp: optimize out option generation") Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Link: https://patch.msgid.link/025d9df8cde3c9a557befc47e9bc08fbbe3476e5.173477104… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/options.c b/net/mptcp/options.c index 1603b3702e22..a62bc874bf1e 100644 --- a/net/mptcp/options.c +++ b/net/mptcp/options.c @@ -667,8 +667,15 @@ static bool mptcp_established_options_add_addr(struct sock *sk, struct sk_buff * &echo, &drop_other_suboptions)) return false; + /* + * Later on, mptcp_write_options() will enforce mutually exclusion with + * DSS, bail out if such option is set and we can't drop it. + */ if (drop_other_suboptions) remaining += opt_size; + else if (opts->suboptions & OPTION_MPTCP_DSS) + return false; + len = mptcp_add_addr_len(opts->addr.family, echo, !!opts->addr.port); if (remaining < len) return false;

5 months, 2 weeks

1
0
0 0

[PATCH v2] arm64: Filter out SVE hwcaps when FEAT_SVE isn't implemented

by Marc Zyngier

The hwcaps code that exposes SVE features to userspace only considers ID_AA64ZFR0_EL1, while this is only valid when ID_AA64PFR0_EL1.SVE advertises that SVE is actually supported. The expectations are that when ID_AA64PFR0_EL1.SVE is 0, the ID_AA64ZFR0_EL1 register is also 0. So far, so good. Things become a bit more interesting if the HW implements SME. In this case, a few ID_AA64ZFR0_EL1 fields indicate *SME* features. And these fields overlap with their SVE interpretations. But the architecture says that the SME and SVE feature sets must match, so we're still hunky-dory. This goes wrong if the HW implements SME, but not SVE. In this case, we end-up advertising some SVE features to userspace, even if the HW has none. That's because we never consider whether SVE is actually implemented. Oh well. Fix it by restricting all SVE capabilities to ID_AA64PFR0_EL1.SVE being non-zero. Fixes: 06a916feca2b ("arm64: Expose SVE2 features for userspace") Reported-by: Catalin Marinas <catalin.marinas(a)arm.com> Signed-off-by: Marc Zyngier <maz(a)kernel.org> Cc: Will Deacon <will(a)kernel.org> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Mark Brown <broonie(a)kernel.org> Cc: stable(a)vger.kernel.org --- arch/arm64/kernel/cpufeature.c | 40 +++++++++++++++++++++++----------- 1 file changed, 27 insertions(+), 13 deletions(-) diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index 6ce71f444ed84..6874aca5da9df 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -3022,6 +3022,13 @@ static const struct arm64_cpu_capabilities arm64_features[] = { .matches = match, \ } +#define HWCAP_CAP_MATCH_ID(match, reg, field, min_value, cap_type, cap) \ + { \ + __HWCAP_CAP(#cap, cap_type, cap) \ + HWCAP_CPUID_MATCH(reg, field, min_value) \ + .matches = match, \ + } + #ifdef CONFIG_ARM64_PTR_AUTH static const struct arm64_cpu_capabilities ptr_auth_hwcap_addr_matches[] = { { @@ -3050,6 +3057,13 @@ static const struct arm64_cpu_capabilities ptr_auth_hwcap_gen_matches[] = { }; #endif +#ifdef CONFIG_ARM64_SVE +static bool has_sve_feature(const struct arm64_cpu_capabilities *cap, int scope) +{ + return system_supports_sve() && has_user_cpuid_feature(cap, scope); +} +#endif + static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = { HWCAP_CAP(ID_AA64ISAR0_EL1, AES, PMULL, CAP_HWCAP, KERNEL_HWCAP_PMULL), HWCAP_CAP(ID_AA64ISAR0_EL1, AES, AES, CAP_HWCAP, KERNEL_HWCAP_AES), @@ -3092,19 +3106,19 @@ static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = { HWCAP_CAP(ID_AA64MMFR2_EL1, AT, IMP, CAP_HWCAP, KERNEL_HWCAP_USCAT), #ifdef CONFIG_ARM64_SVE HWCAP_CAP(ID_AA64PFR0_EL1, SVE, IMP, CAP_HWCAP, KERNEL_HWCAP_SVE), - HWCAP_CAP(ID_AA64ZFR0_EL1, SVEver, SVE2p1, CAP_HWCAP, KERNEL_HWCAP_SVE2P1), - HWCAP_CAP(ID_AA64ZFR0_EL1, SVEver, SVE2, CAP_HWCAP, KERNEL_HWCAP_SVE2), - HWCAP_CAP(ID_AA64ZFR0_EL1, AES, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEAES), - HWCAP_CAP(ID_AA64ZFR0_EL1, AES, PMULL128, CAP_HWCAP, KERNEL_HWCAP_SVEPMULL), - HWCAP_CAP(ID_AA64ZFR0_EL1, BitPerm, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBITPERM), - HWCAP_CAP(ID_AA64ZFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVE_B16B16), - HWCAP_CAP(ID_AA64ZFR0_EL1, BF16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBF16), - HWCAP_CAP(ID_AA64ZFR0_EL1, BF16, EBF16, CAP_HWCAP, KERNEL_HWCAP_SVE_EBF16), - HWCAP_CAP(ID_AA64ZFR0_EL1, SHA3, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESHA3), - HWCAP_CAP(ID_AA64ZFR0_EL1, SM4, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESM4), - HWCAP_CAP(ID_AA64ZFR0_EL1, I8MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEI8MM), - HWCAP_CAP(ID_AA64ZFR0_EL1, F32MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF32MM), - HWCAP_CAP(ID_AA64ZFR0_EL1, F64MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF64MM), + HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, SVEver, SVE2p1, CAP_HWCAP, KERNEL_HWCAP_SVE2P1), + HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, SVEver, SVE2, CAP_HWCAP, KERNEL_HWCAP_SVE2), + HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, AES, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEAES), + HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, AES, PMULL128, CAP_HWCAP, KERNEL_HWCAP_SVEPMULL), + HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, BitPerm, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBITPERM), + HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVE_B16B16), + HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, BF16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBF16), + HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, BF16, EBF16, CAP_HWCAP, KERNEL_HWCAP_SVE_EBF16), + HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, SHA3, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESHA3), + HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, SM4, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESM4), + HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, I8MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEI8MM), + HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, F32MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF32MM), + HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, F64MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF64MM), #endif #ifdef CONFIG_ARM64_GCS HWCAP_CAP(ID_AA64PFR1_EL1, GCS, IMP, CAP_HWCAP, KERNEL_HWCAP_GCS), -- 2.39.2

5 months, 2 weeks

3
5
0 0

FAILED: patch "[PATCH] mm: reinstate ability to map write-sealed memfd mappings" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 8ec396d05d1b737c87311fb7311f753b02c2a6b1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010652-resemble-faceplate-702c@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8ec396d05d1b737c87311fb7311f753b02c2a6b1 Mon Sep 17 00:00:00 2001 From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Date: Thu, 28 Nov 2024 15:06:17 +0000 Subject: [PATCH] mm: reinstate ability to map write-sealed memfd mappings read-only Patch series "mm: reinstate ability to map write-sealed memfd mappings read-only". In commit 158978945f31 ("mm: perform the mapping_map_writable() check after call_mmap()") (and preceding changes in the same series) it became possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only. Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour") unintentionally undid this logic by moving the mapping_map_writable() check before the shmem_mmap() hook is invoked, thereby regressing this change. This series reworks how we both permit write-sealed mappings being mapped read-only and disallow mprotect() from undoing the write-seal, fixing this regression. We also add a regression test to ensure that we do not accidentally regress this in future. Thanks to Julian Orth for reporting this regression. This patch (of 2): In commit 158978945f31 ("mm: perform the mapping_map_writable() check after call_mmap()") (and preceding changes in the same series) it became possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only. This was previously unnecessarily disallowed, despite the man page documentation indicating that it would be, thereby limiting the usefulness of F_SEAL_WRITE logic. We fixed this by adapting logic that existed for the F_SEAL_FUTURE_WRITE seal (one which disallows future writes to the memfd) to also be used for F_SEAL_WRITE. For background - the F_SEAL_FUTURE_WRITE seal clears VM_MAYWRITE for a read-only mapping to disallow mprotect() from overriding the seal - an operation performed by seal_check_write(), invoked from shmem_mmap(), the f_op->mmap() hook used by shmem mappings. By extending this to F_SEAL_WRITE and critically - checking mapping_map_writable() to determine if we may map the memfd AFTER we invoke shmem_mmap() - the desired logic becomes possible. This is because mapping_map_writable() explicitly checks for VM_MAYWRITE, which we will have cleared. Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour") unintentionally undid this logic by moving the mapping_map_writable() check before the shmem_mmap() hook is invoked, thereby regressing this change. We reinstate this functionality by moving the check out of shmem_mmap() and instead performing it in do_mmap() at the point at which VMA flags are being determined, which seems in any case to be a more appropriate place in which to make this determination. In order to achieve this we rework memfd seal logic to allow us access to this information using existing logic and eliminate the clearing of VM_MAYWRITE from seal_check_write() which we are performing in do_mmap() instead. Link: https://lkml.kernel.org/r/99fc35d2c62bd2e05571cf60d9f8b843c56069e0.17328047… Fixes: 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: Julian Orth <ju.orth(a)gmail.com> Closes: https://lore.kernel.org/all/CAHijbEUMhvJTN9Xw1GmbM266FXXv=U7s4L_Jem5x3AaPZx… Cc: Jann Horn <jannh(a)google.com> Cc: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Shuah Khan <shuah(a)kernel.org> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/memfd.h b/include/linux/memfd.h index 3f2cf339ceaf..d437e3070850 100644 --- a/include/linux/memfd.h +++ b/include/linux/memfd.h @@ -7,6 +7,7 @@ #ifdef CONFIG_MEMFD_CREATE extern long memfd_fcntl(struct file *file, unsigned int cmd, unsigned int arg); struct folio *memfd_alloc_folio(struct file *memfd, pgoff_t idx); +unsigned int *memfd_file_seals_ptr(struct file *file); #else static inline long memfd_fcntl(struct file *f, unsigned int c, unsigned int a) { @@ -16,6 +17,19 @@ static inline struct folio *memfd_alloc_folio(struct file *memfd, pgoff_t idx) { return ERR_PTR(-EINVAL); } + +static inline unsigned int *memfd_file_seals_ptr(struct file *file) +{ + return NULL; +} #endif +/* Retrieve memfd seals associated with the file, if any. */ +static inline unsigned int memfd_file_seals(struct file *file) +{ + unsigned int *sealsp = memfd_file_seals_ptr(file); + + return sealsp ? *sealsp : 0; +} + #endif /* __LINUX_MEMFD_H */ diff --git a/include/linux/mm.h b/include/linux/mm.h index 338a76ce9083..fb397918c43d 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -4101,6 +4101,37 @@ void mem_dump_obj(void *object); static inline void mem_dump_obj(void *object) {} #endif +static inline bool is_write_sealed(int seals) +{ + return seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE); +} + +/** + * is_readonly_sealed - Checks whether write-sealed but mapped read-only, + * in which case writes should be disallowing moving + * forwards. + * @seals: the seals to check + * @vm_flags: the VMA flags to check + * + * Returns whether readonly sealed, in which case writess should be disallowed + * going forward. + */ +static inline bool is_readonly_sealed(int seals, vm_flags_t vm_flags) +{ + /* + * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as + * MAP_SHARED and read-only, take care to not allow mprotect to + * revert protections on such mappings. Do this only for shared + * mappings. For private mappings, don't need to mask + * VM_MAYWRITE as we still want them to be COW-writable. + */ + if (is_write_sealed(seals) && + ((vm_flags & (VM_SHARED | VM_WRITE)) == VM_SHARED)) + return true; + + return false; +} + /** * seal_check_write - Check for F_SEAL_WRITE or F_SEAL_FUTURE_WRITE flags and * handle them. @@ -4112,24 +4143,15 @@ static inline void mem_dump_obj(void *object) {} */ static inline int seal_check_write(int seals, struct vm_area_struct *vma) { - if (seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) { - /* - * New PROT_WRITE and MAP_SHARED mmaps are not allowed when - * write seals are active. - */ - if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE)) - return -EPERM; + if (!is_write_sealed(seals)) + return 0; - /* - * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as - * MAP_SHARED and read-only, take care to not allow mprotect to - * revert protections on such mappings. Do this only for shared - * mappings. For private mappings, don't need to mask - * VM_MAYWRITE as we still want them to be COW-writable. - */ - if (vma->vm_flags & VM_SHARED) - vm_flags_clear(vma, VM_MAYWRITE); - } + /* + * New PROT_WRITE and MAP_SHARED mmaps are not allowed when + * write seals are active. + */ + if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE)) + return -EPERM; return 0; } diff --git a/mm/memfd.c b/mm/memfd.c index c17c3ea701a1..35a370d75c9a 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -170,7 +170,7 @@ static int memfd_wait_for_pins(struct address_space *mapping) return error; } -static unsigned int *memfd_file_seals_ptr(struct file *file) +unsigned int *memfd_file_seals_ptr(struct file *file) { if (shmem_file(file)) return &SHMEM_I(file_inode(file))->seals; diff --git a/mm/mmap.c b/mm/mmap.c index d32b7e701058..16f8e8be01f8 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -47,6 +47,7 @@ #include <linux/oom.h> #include <linux/sched/mm.h> #include <linux/ksm.h> +#include <linux/memfd.h> #include <linux/uaccess.h> #include <asm/cacheflush.h> @@ -368,6 +369,7 @@ unsigned long do_mmap(struct file *file, unsigned long addr, if (file) { struct inode *inode = file_inode(file); + unsigned int seals = memfd_file_seals(file); unsigned long flags_mask; if (!file_mmap_ok(file, inode, pgoff, len)) @@ -408,6 +410,8 @@ unsigned long do_mmap(struct file *file, unsigned long addr, vm_flags |= VM_SHARED | VM_MAYSHARE; if (!(file->f_mode & FMODE_WRITE)) vm_flags &= ~(VM_MAYWRITE | VM_SHARED); + else if (is_readonly_sealed(seals, vm_flags)) + vm_flags &= ~VM_MAYWRITE; fallthrough; case MAP_PRIVATE: if (!(file->f_mode & FMODE_READ))

5 months, 2 weeks

3
3
0 0

FAILED: patch "[PATCH] mm: hugetlb: independent PMD page table shared count" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 59d9094df3d79443937add8700b2ef1a866b1081 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010625-stopped-snowflake-603f@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 59d9094df3d79443937add8700b2ef1a866b1081 Mon Sep 17 00:00:00 2001 From: Liu Shixin <liushixin2(a)huawei.com> Date: Mon, 16 Dec 2024 15:11:47 +0800 Subject: [PATCH] mm: hugetlb: independent PMD page table shared count The folio refcount may be increased unexpectly through try_get_folio() by caller such as split_huge_pages. In huge_pmd_unshare(), we use refcount to check whether a pmd page table is shared. The check is incorrect if the refcount is increased by the above caller, and this can cause the page table leaked: BUG: Bad page state in process sh pfn:109324 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x66 pfn:0x109324 flags: 0x17ffff800000000(node=0|zone=2|lastcpupid=0xfffff) page_type: f2(table) raw: 017ffff800000000 0000000000000000 0000000000000000 0000000000000000 raw: 0000000000000066 0000000000000000 00000000f2000000 0000000000000000 page dumped because: nonzero mapcount ... CPU: 31 UID: 0 PID: 7515 Comm: sh Kdump: loaded Tainted: G B 6.13.0-rc2master+ #7 Tainted: [B]=BAD_PAGE Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 Call trace: show_stack+0x20/0x38 (C) dump_stack_lvl+0x80/0xf8 dump_stack+0x18/0x28 bad_page+0x8c/0x130 free_page_is_bad_report+0xa4/0xb0 free_unref_page+0x3cc/0x620 __folio_put+0xf4/0x158 split_huge_pages_all+0x1e0/0x3e8 split_huge_pages_write+0x25c/0x2d8 full_proxy_write+0x64/0xd8 vfs_write+0xcc/0x280 ksys_write+0x70/0x110 __arm64_sys_write+0x24/0x38 invoke_syscall+0x50/0x120 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x34/0x128 el0t_64_sync_handler+0xc8/0xd0 el0t_64_sync+0x190/0x198 The issue may be triggered by damon, offline_page, page_idle, etc, which will increase the refcount of page table. 1. The page table itself will be discarded after reporting the "nonzero mapcount". 2. The HugeTLB page mapped by the page table miss freeing since we treat the page table as shared and a shared page table will not be unmapped. Fix it by introducing independent PMD page table shared count. As described by comment, pt_index/pt_mm/pt_frag_refcount are used for s390 gmap, x86 pgds and powerpc, pt_share_count is used for x86/arm64/riscv pmds, so we can reuse the field as pt_share_count. Link: https://lkml.kernel.org/r/20241216071147.3984217-1-liushixin2@huawei.com Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page") Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Ken Chen <kenneth.w.chen(a)intel.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Nanyong Sun <sunnanyong(a)huawei.com> Cc: Jane Chu <jane.chu(a)oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/mm.h b/include/linux/mm.h index fb397918c43d..b1c3db9cf355 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -3125,6 +3125,7 @@ static inline bool pagetable_pmd_ctor(struct ptdesc *ptdesc) if (!pmd_ptlock_init(ptdesc)) return false; __folio_set_pgtable(folio); + ptdesc_pmd_pts_init(ptdesc); lruvec_stat_add_folio(folio, NR_PAGETABLE); return true; } diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h index 7361a8f3ab68..332cee285662 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h @@ -445,6 +445,7 @@ FOLIO_MATCH(compound_head, _head_2a); * @pt_index: Used for s390 gmap. * @pt_mm: Used for x86 pgds. * @pt_frag_refcount: For fragmented page table tracking. Powerpc only. + * @pt_share_count: Used for HugeTLB PMD page table share count. * @_pt_pad_2: Padding to ensure proper alignment. * @ptl: Lock for the page table. * @__page_type: Same as page->page_type. Unused for page tables. @@ -471,6 +472,9 @@ struct ptdesc { pgoff_t pt_index; struct mm_struct *pt_mm; atomic_t pt_frag_refcount; +#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING + atomic_t pt_share_count; +#endif }; union { @@ -516,6 +520,32 @@ static_assert(sizeof(struct ptdesc) <= sizeof(struct page)); const struct page *: (const struct ptdesc *)(p), \ struct page *: (struct ptdesc *)(p))) +#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING +static inline void ptdesc_pmd_pts_init(struct ptdesc *ptdesc) +{ + atomic_set(&ptdesc->pt_share_count, 0); +} + +static inline void ptdesc_pmd_pts_inc(struct ptdesc *ptdesc) +{ + atomic_inc(&ptdesc->pt_share_count); +} + +static inline void ptdesc_pmd_pts_dec(struct ptdesc *ptdesc) +{ + atomic_dec(&ptdesc->pt_share_count); +} + +static inline int ptdesc_pmd_pts_count(struct ptdesc *ptdesc) +{ + return atomic_read(&ptdesc->pt_share_count); +} +#else +static inline void ptdesc_pmd_pts_init(struct ptdesc *ptdesc) +{ +} +#endif + /* * Used for sizing the vmemmap region on some architectures */ diff --git a/mm/hugetlb.c b/mm/hugetlb.c index cec4b121193f..c498874a7170 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -7211,7 +7211,7 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma, spte = hugetlb_walk(svma, saddr, vma_mmu_pagesize(svma)); if (spte) { - get_page(virt_to_page(spte)); + ptdesc_pmd_pts_inc(virt_to_ptdesc(spte)); break; } } @@ -7226,7 +7226,7 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma, (pmd_t *)((unsigned long)spte & PAGE_MASK)); mm_inc_nr_pmds(mm); } else { - put_page(virt_to_page(spte)); + ptdesc_pmd_pts_dec(virt_to_ptdesc(spte)); } spin_unlock(&mm->page_table_lock); out: @@ -7238,10 +7238,6 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma, /* * unmap huge page backed by shared pte. * - * Hugetlb pte page is ref counted at the time of mapping. If pte is shared - * indicated by page_count > 1, unmap is achieved by clearing pud and - * decrementing the ref count. If count == 1, the pte page is not shared. - * * Called with page table lock held. * * returns: 1 successfully unmapped a shared pte page @@ -7250,18 +7246,20 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma, int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long addr, pte_t *ptep) { + unsigned long sz = huge_page_size(hstate_vma(vma)); pgd_t *pgd = pgd_offset(mm, addr); p4d_t *p4d = p4d_offset(pgd, addr); pud_t *pud = pud_offset(p4d, addr); i_mmap_assert_write_locked(vma->vm_file->f_mapping); hugetlb_vma_assert_locked(vma); - BUG_ON(page_count(virt_to_page(ptep)) == 0); - if (page_count(virt_to_page(ptep)) == 1) + if (sz != PMD_SIZE) + return 0; + if (!ptdesc_pmd_pts_count(virt_to_ptdesc(ptep))) return 0; pud_clear(pud); - put_page(virt_to_page(ptep)); + ptdesc_pmd_pts_dec(virt_to_ptdesc(ptep)); mm_dec_nr_pmds(mm); return 1; }

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: hugetlb: independent PMD page table shared count" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 59d9094df3d79443937add8700b2ef1a866b1081 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010623-platform-unmasked-77c7@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 59d9094df3d79443937add8700b2ef1a866b1081 Mon Sep 17 00:00:00 2001 From: Liu Shixin <liushixin2(a)huawei.com> Date: Mon, 16 Dec 2024 15:11:47 +0800 Subject: [PATCH] mm: hugetlb: independent PMD page table shared count The folio refcount may be increased unexpectly through try_get_folio() by caller such as split_huge_pages. In huge_pmd_unshare(), we use refcount to check whether a pmd page table is shared. The check is incorrect if the refcount is increased by the above caller, and this can cause the page table leaked: BUG: Bad page state in process sh pfn:109324 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x66 pfn:0x109324 flags: 0x17ffff800000000(node=0|zone=2|lastcpupid=0xfffff) page_type: f2(table) raw: 017ffff800000000 0000000000000000 0000000000000000 0000000000000000 raw: 0000000000000066 0000000000000000 00000000f2000000 0000000000000000 page dumped because: nonzero mapcount ... CPU: 31 UID: 0 PID: 7515 Comm: sh Kdump: loaded Tainted: G B 6.13.0-rc2master+ #7 Tainted: [B]=BAD_PAGE Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 Call trace: show_stack+0x20/0x38 (C) dump_stack_lvl+0x80/0xf8 dump_stack+0x18/0x28 bad_page+0x8c/0x130 free_page_is_bad_report+0xa4/0xb0 free_unref_page+0x3cc/0x620 __folio_put+0xf4/0x158 split_huge_pages_all+0x1e0/0x3e8 split_huge_pages_write+0x25c/0x2d8 full_proxy_write+0x64/0xd8 vfs_write+0xcc/0x280 ksys_write+0x70/0x110 __arm64_sys_write+0x24/0x38 invoke_syscall+0x50/0x120 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x34/0x128 el0t_64_sync_handler+0xc8/0xd0 el0t_64_sync+0x190/0x198 The issue may be triggered by damon, offline_page, page_idle, etc, which will increase the refcount of page table. 1. The page table itself will be discarded after reporting the "nonzero mapcount". 2. The HugeTLB page mapped by the page table miss freeing since we treat the page table as shared and a shared page table will not be unmapped. Fix it by introducing independent PMD page table shared count. As described by comment, pt_index/pt_mm/pt_frag_refcount are used for s390 gmap, x86 pgds and powerpc, pt_share_count is used for x86/arm64/riscv pmds, so we can reuse the field as pt_share_count. Link: https://lkml.kernel.org/r/20241216071147.3984217-1-liushixin2@huawei.com Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page") Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Ken Chen <kenneth.w.chen(a)intel.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Nanyong Sun <sunnanyong(a)huawei.com> Cc: Jane Chu <jane.chu(a)oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/mm.h b/include/linux/mm.h index fb397918c43d..b1c3db9cf355 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -3125,6 +3125,7 @@ static inline bool pagetable_pmd_ctor(struct ptdesc *ptdesc) if (!pmd_ptlock_init(ptdesc)) return false; __folio_set_pgtable(folio); + ptdesc_pmd_pts_init(ptdesc); lruvec_stat_add_folio(folio, NR_PAGETABLE); return true; } diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h index 7361a8f3ab68..332cee285662 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h @@ -445,6 +445,7 @@ FOLIO_MATCH(compound_head, _head_2a); * @pt_index: Used for s390 gmap. * @pt_mm: Used for x86 pgds. * @pt_frag_refcount: For fragmented page table tracking. Powerpc only. + * @pt_share_count: Used for HugeTLB PMD page table share count. * @_pt_pad_2: Padding to ensure proper alignment. * @ptl: Lock for the page table. * @__page_type: Same as page->page_type. Unused for page tables. @@ -471,6 +472,9 @@ struct ptdesc { pgoff_t pt_index; struct mm_struct *pt_mm; atomic_t pt_frag_refcount; +#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING + atomic_t pt_share_count; +#endif }; union { @@ -516,6 +520,32 @@ static_assert(sizeof(struct ptdesc) <= sizeof(struct page)); const struct page *: (const struct ptdesc *)(p), \ struct page *: (struct ptdesc *)(p))) +#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING +static inline void ptdesc_pmd_pts_init(struct ptdesc *ptdesc) +{ + atomic_set(&ptdesc->pt_share_count, 0); +} + +static inline void ptdesc_pmd_pts_inc(struct ptdesc *ptdesc) +{ + atomic_inc(&ptdesc->pt_share_count); +} + +static inline void ptdesc_pmd_pts_dec(struct ptdesc *ptdesc) +{ + atomic_dec(&ptdesc->pt_share_count); +} + +static inline int ptdesc_pmd_pts_count(struct ptdesc *ptdesc) +{ + return atomic_read(&ptdesc->pt_share_count); +} +#else +static inline void ptdesc_pmd_pts_init(struct ptdesc *ptdesc) +{ +} +#endif + /* * Used for sizing the vmemmap region on some architectures */ diff --git a/mm/hugetlb.c b/mm/hugetlb.c index cec4b121193f..c498874a7170 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -7211,7 +7211,7 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma, spte = hugetlb_walk(svma, saddr, vma_mmu_pagesize(svma)); if (spte) { - get_page(virt_to_page(spte)); + ptdesc_pmd_pts_inc(virt_to_ptdesc(spte)); break; } } @@ -7226,7 +7226,7 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma, (pmd_t *)((unsigned long)spte & PAGE_MASK)); mm_inc_nr_pmds(mm); } else { - put_page(virt_to_page(spte)); + ptdesc_pmd_pts_dec(virt_to_ptdesc(spte)); } spin_unlock(&mm->page_table_lock); out: @@ -7238,10 +7238,6 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma, /* * unmap huge page backed by shared pte. * - * Hugetlb pte page is ref counted at the time of mapping. If pte is shared - * indicated by page_count > 1, unmap is achieved by clearing pud and - * decrementing the ref count. If count == 1, the pte page is not shared. - * * Called with page table lock held. * * returns: 1 successfully unmapped a shared pte page @@ -7250,18 +7246,20 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma, int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long addr, pte_t *ptep) { + unsigned long sz = huge_page_size(hstate_vma(vma)); pgd_t *pgd = pgd_offset(mm, addr); p4d_t *p4d = p4d_offset(pgd, addr); pud_t *pud = pud_offset(p4d, addr); i_mmap_assert_write_locked(vma->vm_file->f_mapping); hugetlb_vma_assert_locked(vma); - BUG_ON(page_count(virt_to_page(ptep)) == 0); - if (page_count(virt_to_page(ptep)) == 1) + if (sz != PMD_SIZE) + return 0; + if (!ptdesc_pmd_pts_count(virt_to_ptdesc(ptep))) return 0; pud_clear(pud); - put_page(virt_to_page(ptep)); + ptdesc_pmd_pts_dec(virt_to_ptdesc(ptep)); mm_dec_nr_pmds(mm); return 1; }

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: hugetlb: independent PMD page table shared count" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 59d9094df3d79443937add8700b2ef1a866b1081 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010622-overflow-raffle-07fa@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 59d9094df3d79443937add8700b2ef1a866b1081 Mon Sep 17 00:00:00 2001 From: Liu Shixin <liushixin2(a)huawei.com> Date: Mon, 16 Dec 2024 15:11:47 +0800 Subject: [PATCH] mm: hugetlb: independent PMD page table shared count The folio refcount may be increased unexpectly through try_get_folio() by caller such as split_huge_pages. In huge_pmd_unshare(), we use refcount to check whether a pmd page table is shared. The check is incorrect if the refcount is increased by the above caller, and this can cause the page table leaked: BUG: Bad page state in process sh pfn:109324 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x66 pfn:0x109324 flags: 0x17ffff800000000(node=0|zone=2|lastcpupid=0xfffff) page_type: f2(table) raw: 017ffff800000000 0000000000000000 0000000000000000 0000000000000000 raw: 0000000000000066 0000000000000000 00000000f2000000 0000000000000000 page dumped because: nonzero mapcount ... CPU: 31 UID: 0 PID: 7515 Comm: sh Kdump: loaded Tainted: G B 6.13.0-rc2master+ #7 Tainted: [B]=BAD_PAGE Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 Call trace: show_stack+0x20/0x38 (C) dump_stack_lvl+0x80/0xf8 dump_stack+0x18/0x28 bad_page+0x8c/0x130 free_page_is_bad_report+0xa4/0xb0 free_unref_page+0x3cc/0x620 __folio_put+0xf4/0x158 split_huge_pages_all+0x1e0/0x3e8 split_huge_pages_write+0x25c/0x2d8 full_proxy_write+0x64/0xd8 vfs_write+0xcc/0x280 ksys_write+0x70/0x110 __arm64_sys_write+0x24/0x38 invoke_syscall+0x50/0x120 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x34/0x128 el0t_64_sync_handler+0xc8/0xd0 el0t_64_sync+0x190/0x198 The issue may be triggered by damon, offline_page, page_idle, etc, which will increase the refcount of page table. 1. The page table itself will be discarded after reporting the "nonzero mapcount". 2. The HugeTLB page mapped by the page table miss freeing since we treat the page table as shared and a shared page table will not be unmapped. Fix it by introducing independent PMD page table shared count. As described by comment, pt_index/pt_mm/pt_frag_refcount are used for s390 gmap, x86 pgds and powerpc, pt_share_count is used for x86/arm64/riscv pmds, so we can reuse the field as pt_share_count. Link: https://lkml.kernel.org/r/20241216071147.3984217-1-liushixin2@huawei.com Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page") Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Ken Chen <kenneth.w.chen(a)intel.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Nanyong Sun <sunnanyong(a)huawei.com> Cc: Jane Chu <jane.chu(a)oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/mm.h b/include/linux/mm.h index fb397918c43d..b1c3db9cf355 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -3125,6 +3125,7 @@ static inline bool pagetable_pmd_ctor(struct ptdesc *ptdesc) if (!pmd_ptlock_init(ptdesc)) return false; __folio_set_pgtable(folio); + ptdesc_pmd_pts_init(ptdesc); lruvec_stat_add_folio(folio, NR_PAGETABLE); return true; } diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h index 7361a8f3ab68..332cee285662 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h @@ -445,6 +445,7 @@ FOLIO_MATCH(compound_head, _head_2a); * @pt_index: Used for s390 gmap. * @pt_mm: Used for x86 pgds. * @pt_frag_refcount: For fragmented page table tracking. Powerpc only. + * @pt_share_count: Used for HugeTLB PMD page table share count. * @_pt_pad_2: Padding to ensure proper alignment. * @ptl: Lock for the page table. * @__page_type: Same as page->page_type. Unused for page tables. @@ -471,6 +472,9 @@ struct ptdesc { pgoff_t pt_index; struct mm_struct *pt_mm; atomic_t pt_frag_refcount; +#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING + atomic_t pt_share_count; +#endif }; union { @@ -516,6 +520,32 @@ static_assert(sizeof(struct ptdesc) <= sizeof(struct page)); const struct page *: (const struct ptdesc *)(p), \ struct page *: (struct ptdesc *)(p))) +#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING +static inline void ptdesc_pmd_pts_init(struct ptdesc *ptdesc) +{ + atomic_set(&ptdesc->pt_share_count, 0); +} + +static inline void ptdesc_pmd_pts_inc(struct ptdesc *ptdesc) +{ + atomic_inc(&ptdesc->pt_share_count); +} + +static inline void ptdesc_pmd_pts_dec(struct ptdesc *ptdesc) +{ + atomic_dec(&ptdesc->pt_share_count); +} + +static inline int ptdesc_pmd_pts_count(struct ptdesc *ptdesc) +{ + return atomic_read(&ptdesc->pt_share_count); +} +#else +static inline void ptdesc_pmd_pts_init(struct ptdesc *ptdesc) +{ +} +#endif + /* * Used for sizing the vmemmap region on some architectures */ diff --git a/mm/hugetlb.c b/mm/hugetlb.c index cec4b121193f..c498874a7170 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -7211,7 +7211,7 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma, spte = hugetlb_walk(svma, saddr, vma_mmu_pagesize(svma)); if (spte) { - get_page(virt_to_page(spte)); + ptdesc_pmd_pts_inc(virt_to_ptdesc(spte)); break; } } @@ -7226,7 +7226,7 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma, (pmd_t *)((unsigned long)spte & PAGE_MASK)); mm_inc_nr_pmds(mm); } else { - put_page(virt_to_page(spte)); + ptdesc_pmd_pts_dec(virt_to_ptdesc(spte)); } spin_unlock(&mm->page_table_lock); out: @@ -7238,10 +7238,6 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma, /* * unmap huge page backed by shared pte. * - * Hugetlb pte page is ref counted at the time of mapping. If pte is shared - * indicated by page_count > 1, unmap is achieved by clearing pud and - * decrementing the ref count. If count == 1, the pte page is not shared. - * * Called with page table lock held. * * returns: 1 successfully unmapped a shared pte page @@ -7250,18 +7246,20 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma, int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long addr, pte_t *ptep) { + unsigned long sz = huge_page_size(hstate_vma(vma)); pgd_t *pgd = pgd_offset(mm, addr); p4d_t *p4d = p4d_offset(pgd, addr); pud_t *pud = pud_offset(p4d, addr); i_mmap_assert_write_locked(vma->vm_file->f_mapping); hugetlb_vma_assert_locked(vma); - BUG_ON(page_count(virt_to_page(ptep)) == 0); - if (page_count(virt_to_page(ptep)) == 1) + if (sz != PMD_SIZE) + return 0; + if (!ptdesc_pmd_pts_count(virt_to_ptdesc(ptep))) return 0; pud_clear(pud); - put_page(virt_to_page(ptep)); + ptdesc_pmd_pts_dec(virt_to_ptdesc(ptep)); mm_dec_nr_pmds(mm); return 1; }

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: hugetlb: independent PMD page table shared count" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 59d9094df3d79443937add8700b2ef1a866b1081 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010621-candy-fall-1396@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 59d9094df3d79443937add8700b2ef1a866b1081 Mon Sep 17 00:00:00 2001 From: Liu Shixin <liushixin2(a)huawei.com> Date: Mon, 16 Dec 2024 15:11:47 +0800 Subject: [PATCH] mm: hugetlb: independent PMD page table shared count The folio refcount may be increased unexpectly through try_get_folio() by caller such as split_huge_pages. In huge_pmd_unshare(), we use refcount to check whether a pmd page table is shared. The check is incorrect if the refcount is increased by the above caller, and this can cause the page table leaked: BUG: Bad page state in process sh pfn:109324 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x66 pfn:0x109324 flags: 0x17ffff800000000(node=0|zone=2|lastcpupid=0xfffff) page_type: f2(table) raw: 017ffff800000000 0000000000000000 0000000000000000 0000000000000000 raw: 0000000000000066 0000000000000000 00000000f2000000 0000000000000000 page dumped because: nonzero mapcount ... CPU: 31 UID: 0 PID: 7515 Comm: sh Kdump: loaded Tainted: G B 6.13.0-rc2master+ #7 Tainted: [B]=BAD_PAGE Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 Call trace: show_stack+0x20/0x38 (C) dump_stack_lvl+0x80/0xf8 dump_stack+0x18/0x28 bad_page+0x8c/0x130 free_page_is_bad_report+0xa4/0xb0 free_unref_page+0x3cc/0x620 __folio_put+0xf4/0x158 split_huge_pages_all+0x1e0/0x3e8 split_huge_pages_write+0x25c/0x2d8 full_proxy_write+0x64/0xd8 vfs_write+0xcc/0x280 ksys_write+0x70/0x110 __arm64_sys_write+0x24/0x38 invoke_syscall+0x50/0x120 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x34/0x128 el0t_64_sync_handler+0xc8/0xd0 el0t_64_sync+0x190/0x198 The issue may be triggered by damon, offline_page, page_idle, etc, which will increase the refcount of page table. 1. The page table itself will be discarded after reporting the "nonzero mapcount". 2. The HugeTLB page mapped by the page table miss freeing since we treat the page table as shared and a shared page table will not be unmapped. Fix it by introducing independent PMD page table shared count. As described by comment, pt_index/pt_mm/pt_frag_refcount are used for s390 gmap, x86 pgds and powerpc, pt_share_count is used for x86/arm64/riscv pmds, so we can reuse the field as pt_share_count. Link: https://lkml.kernel.org/r/20241216071147.3984217-1-liushixin2@huawei.com Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page") Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Ken Chen <kenneth.w.chen(a)intel.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Nanyong Sun <sunnanyong(a)huawei.com> Cc: Jane Chu <jane.chu(a)oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/mm.h b/include/linux/mm.h index fb397918c43d..b1c3db9cf355 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -3125,6 +3125,7 @@ static inline bool pagetable_pmd_ctor(struct ptdesc *ptdesc) if (!pmd_ptlock_init(ptdesc)) return false; __folio_set_pgtable(folio); + ptdesc_pmd_pts_init(ptdesc); lruvec_stat_add_folio(folio, NR_PAGETABLE); return true; } diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h index 7361a8f3ab68..332cee285662 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h @@ -445,6 +445,7 @@ FOLIO_MATCH(compound_head, _head_2a); * @pt_index: Used for s390 gmap. * @pt_mm: Used for x86 pgds. * @pt_frag_refcount: For fragmented page table tracking. Powerpc only. + * @pt_share_count: Used for HugeTLB PMD page table share count. * @_pt_pad_2: Padding to ensure proper alignment. * @ptl: Lock for the page table. * @__page_type: Same as page->page_type. Unused for page tables. @@ -471,6 +472,9 @@ struct ptdesc { pgoff_t pt_index; struct mm_struct *pt_mm; atomic_t pt_frag_refcount; +#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING + atomic_t pt_share_count; +#endif }; union { @@ -516,6 +520,32 @@ static_assert(sizeof(struct ptdesc) <= sizeof(struct page)); const struct page *: (const struct ptdesc *)(p), \ struct page *: (struct ptdesc *)(p))) +#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING +static inline void ptdesc_pmd_pts_init(struct ptdesc *ptdesc) +{ + atomic_set(&ptdesc->pt_share_count, 0); +} + +static inline void ptdesc_pmd_pts_inc(struct ptdesc *ptdesc) +{ + atomic_inc(&ptdesc->pt_share_count); +} + +static inline void ptdesc_pmd_pts_dec(struct ptdesc *ptdesc) +{ + atomic_dec(&ptdesc->pt_share_count); +} + +static inline int ptdesc_pmd_pts_count(struct ptdesc *ptdesc) +{ + return atomic_read(&ptdesc->pt_share_count); +} +#else +static inline void ptdesc_pmd_pts_init(struct ptdesc *ptdesc) +{ +} +#endif + /* * Used for sizing the vmemmap region on some architectures */ diff --git a/mm/hugetlb.c b/mm/hugetlb.c index cec4b121193f..c498874a7170 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -7211,7 +7211,7 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma, spte = hugetlb_walk(svma, saddr, vma_mmu_pagesize(svma)); if (spte) { - get_page(virt_to_page(spte)); + ptdesc_pmd_pts_inc(virt_to_ptdesc(spte)); break; } } @@ -7226,7 +7226,7 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma, (pmd_t *)((unsigned long)spte & PAGE_MASK)); mm_inc_nr_pmds(mm); } else { - put_page(virt_to_page(spte)); + ptdesc_pmd_pts_dec(virt_to_ptdesc(spte)); } spin_unlock(&mm->page_table_lock); out: @@ -7238,10 +7238,6 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma, /* * unmap huge page backed by shared pte. * - * Hugetlb pte page is ref counted at the time of mapping. If pte is shared - * indicated by page_count > 1, unmap is achieved by clearing pud and - * decrementing the ref count. If count == 1, the pte page is not shared. - * * Called with page table lock held. * * returns: 1 successfully unmapped a shared pte page @@ -7250,18 +7246,20 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma, int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long addr, pte_t *ptep) { + unsigned long sz = huge_page_size(hstate_vma(vma)); pgd_t *pgd = pgd_offset(mm, addr); p4d_t *p4d = p4d_offset(pgd, addr); pud_t *pud = pud_offset(p4d, addr); i_mmap_assert_write_locked(vma->vm_file->f_mapping); hugetlb_vma_assert_locked(vma); - BUG_ON(page_count(virt_to_page(ptep)) == 0); - if (page_count(virt_to_page(ptep)) == 1) + if (sz != PMD_SIZE) + return 0; + if (!ptdesc_pmd_pts_count(virt_to_ptdesc(ptep))) return 0; pud_clear(pud); - put_page(virt_to_page(ptep)); + ptdesc_pmd_pts_dec(virt_to_ptdesc(ptep)); mm_dec_nr_pmds(mm); return 1; }

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: hugetlb: independent PMD page table shared count" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 59d9094df3d79443937add8700b2ef1a866b1081 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010620-lethargic-backspin-e75d@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 59d9094df3d79443937add8700b2ef1a866b1081 Mon Sep 17 00:00:00 2001 From: Liu Shixin <liushixin2(a)huawei.com> Date: Mon, 16 Dec 2024 15:11:47 +0800 Subject: [PATCH] mm: hugetlb: independent PMD page table shared count The folio refcount may be increased unexpectly through try_get_folio() by caller such as split_huge_pages. In huge_pmd_unshare(), we use refcount to check whether a pmd page table is shared. The check is incorrect if the refcount is increased by the above caller, and this can cause the page table leaked: BUG: Bad page state in process sh pfn:109324 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x66 pfn:0x109324 flags: 0x17ffff800000000(node=0|zone=2|lastcpupid=0xfffff) page_type: f2(table) raw: 017ffff800000000 0000000000000000 0000000000000000 0000000000000000 raw: 0000000000000066 0000000000000000 00000000f2000000 0000000000000000 page dumped because: nonzero mapcount ... CPU: 31 UID: 0 PID: 7515 Comm: sh Kdump: loaded Tainted: G B 6.13.0-rc2master+ #7 Tainted: [B]=BAD_PAGE Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 Call trace: show_stack+0x20/0x38 (C) dump_stack_lvl+0x80/0xf8 dump_stack+0x18/0x28 bad_page+0x8c/0x130 free_page_is_bad_report+0xa4/0xb0 free_unref_page+0x3cc/0x620 __folio_put+0xf4/0x158 split_huge_pages_all+0x1e0/0x3e8 split_huge_pages_write+0x25c/0x2d8 full_proxy_write+0x64/0xd8 vfs_write+0xcc/0x280 ksys_write+0x70/0x110 __arm64_sys_write+0x24/0x38 invoke_syscall+0x50/0x120 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x34/0x128 el0t_64_sync_handler+0xc8/0xd0 el0t_64_sync+0x190/0x198 The issue may be triggered by damon, offline_page, page_idle, etc, which will increase the refcount of page table. 1. The page table itself will be discarded after reporting the "nonzero mapcount". 2. The HugeTLB page mapped by the page table miss freeing since we treat the page table as shared and a shared page table will not be unmapped. Fix it by introducing independent PMD page table shared count. As described by comment, pt_index/pt_mm/pt_frag_refcount are used for s390 gmap, x86 pgds and powerpc, pt_share_count is used for x86/arm64/riscv pmds, so we can reuse the field as pt_share_count. Link: https://lkml.kernel.org/r/20241216071147.3984217-1-liushixin2@huawei.com Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page") Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Ken Chen <kenneth.w.chen(a)intel.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Nanyong Sun <sunnanyong(a)huawei.com> Cc: Jane Chu <jane.chu(a)oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/mm.h b/include/linux/mm.h index fb397918c43d..b1c3db9cf355 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -3125,6 +3125,7 @@ static inline bool pagetable_pmd_ctor(struct ptdesc *ptdesc) if (!pmd_ptlock_init(ptdesc)) return false; __folio_set_pgtable(folio); + ptdesc_pmd_pts_init(ptdesc); lruvec_stat_add_folio(folio, NR_PAGETABLE); return true; } diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h index 7361a8f3ab68..332cee285662 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h @@ -445,6 +445,7 @@ FOLIO_MATCH(compound_head, _head_2a); * @pt_index: Used for s390 gmap. * @pt_mm: Used for x86 pgds. * @pt_frag_refcount: For fragmented page table tracking. Powerpc only. + * @pt_share_count: Used for HugeTLB PMD page table share count. * @_pt_pad_2: Padding to ensure proper alignment. * @ptl: Lock for the page table. * @__page_type: Same as page->page_type. Unused for page tables. @@ -471,6 +472,9 @@ struct ptdesc { pgoff_t pt_index; struct mm_struct *pt_mm; atomic_t pt_frag_refcount; +#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING + atomic_t pt_share_count; +#endif }; union { @@ -516,6 +520,32 @@ static_assert(sizeof(struct ptdesc) <= sizeof(struct page)); const struct page *: (const struct ptdesc *)(p), \ struct page *: (struct ptdesc *)(p))) +#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING +static inline void ptdesc_pmd_pts_init(struct ptdesc *ptdesc) +{ + atomic_set(&ptdesc->pt_share_count, 0); +} + +static inline void ptdesc_pmd_pts_inc(struct ptdesc *ptdesc) +{ + atomic_inc(&ptdesc->pt_share_count); +} + +static inline void ptdesc_pmd_pts_dec(struct ptdesc *ptdesc) +{ + atomic_dec(&ptdesc->pt_share_count); +} + +static inline int ptdesc_pmd_pts_count(struct ptdesc *ptdesc) +{ + return atomic_read(&ptdesc->pt_share_count); +} +#else +static inline void ptdesc_pmd_pts_init(struct ptdesc *ptdesc) +{ +} +#endif + /* * Used for sizing the vmemmap region on some architectures */ diff --git a/mm/hugetlb.c b/mm/hugetlb.c index cec4b121193f..c498874a7170 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -7211,7 +7211,7 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma, spte = hugetlb_walk(svma, saddr, vma_mmu_pagesize(svma)); if (spte) { - get_page(virt_to_page(spte)); + ptdesc_pmd_pts_inc(virt_to_ptdesc(spte)); break; } } @@ -7226,7 +7226,7 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma, (pmd_t *)((unsigned long)spte & PAGE_MASK)); mm_inc_nr_pmds(mm); } else { - put_page(virt_to_page(spte)); + ptdesc_pmd_pts_dec(virt_to_ptdesc(spte)); } spin_unlock(&mm->page_table_lock); out: @@ -7238,10 +7238,6 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma, /* * unmap huge page backed by shared pte. * - * Hugetlb pte page is ref counted at the time of mapping. If pte is shared - * indicated by page_count > 1, unmap is achieved by clearing pud and - * decrementing the ref count. If count == 1, the pte page is not shared. - * * Called with page table lock held. * * returns: 1 successfully unmapped a shared pte page @@ -7250,18 +7246,20 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma, int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long addr, pte_t *ptep) { + unsigned long sz = huge_page_size(hstate_vma(vma)); pgd_t *pgd = pgd_offset(mm, addr); p4d_t *p4d = p4d_offset(pgd, addr); pud_t *pud = pud_offset(p4d, addr); i_mmap_assert_write_locked(vma->vm_file->f_mapping); hugetlb_vma_assert_locked(vma); - BUG_ON(page_count(virt_to_page(ptep)) == 0); - if (page_count(virt_to_page(ptep)) == 1) + if (sz != PMD_SIZE) + return 0; + if (!ptdesc_pmd_pts_count(virt_to_ptdesc(ptep))) return 0; pud_clear(pud); - put_page(virt_to_page(ptep)); + ptdesc_pmd_pts_dec(virt_to_ptdesc(ptep)); mm_dec_nr_pmds(mm); return 1; }

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: reinstate ability to map write-sealed memfd mappings" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 8ec396d05d1b737c87311fb7311f753b02c2a6b1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010657-rental-seltzer-1a53@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8ec396d05d1b737c87311fb7311f753b02c2a6b1 Mon Sep 17 00:00:00 2001 From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Date: Thu, 28 Nov 2024 15:06:17 +0000 Subject: [PATCH] mm: reinstate ability to map write-sealed memfd mappings read-only Patch series "mm: reinstate ability to map write-sealed memfd mappings read-only". In commit 158978945f31 ("mm: perform the mapping_map_writable() check after call_mmap()") (and preceding changes in the same series) it became possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only. Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour") unintentionally undid this logic by moving the mapping_map_writable() check before the shmem_mmap() hook is invoked, thereby regressing this change. This series reworks how we both permit write-sealed mappings being mapped read-only and disallow mprotect() from undoing the write-seal, fixing this regression. We also add a regression test to ensure that we do not accidentally regress this in future. Thanks to Julian Orth for reporting this regression. This patch (of 2): In commit 158978945f31 ("mm: perform the mapping_map_writable() check after call_mmap()") (and preceding changes in the same series) it became possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only. This was previously unnecessarily disallowed, despite the man page documentation indicating that it would be, thereby limiting the usefulness of F_SEAL_WRITE logic. We fixed this by adapting logic that existed for the F_SEAL_FUTURE_WRITE seal (one which disallows future writes to the memfd) to also be used for F_SEAL_WRITE. For background - the F_SEAL_FUTURE_WRITE seal clears VM_MAYWRITE for a read-only mapping to disallow mprotect() from overriding the seal - an operation performed by seal_check_write(), invoked from shmem_mmap(), the f_op->mmap() hook used by shmem mappings. By extending this to F_SEAL_WRITE and critically - checking mapping_map_writable() to determine if we may map the memfd AFTER we invoke shmem_mmap() - the desired logic becomes possible. This is because mapping_map_writable() explicitly checks for VM_MAYWRITE, which we will have cleared. Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour") unintentionally undid this logic by moving the mapping_map_writable() check before the shmem_mmap() hook is invoked, thereby regressing this change. We reinstate this functionality by moving the check out of shmem_mmap() and instead performing it in do_mmap() at the point at which VMA flags are being determined, which seems in any case to be a more appropriate place in which to make this determination. In order to achieve this we rework memfd seal logic to allow us access to this information using existing logic and eliminate the clearing of VM_MAYWRITE from seal_check_write() which we are performing in do_mmap() instead. Link: https://lkml.kernel.org/r/99fc35d2c62bd2e05571cf60d9f8b843c56069e0.17328047… Fixes: 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: Julian Orth <ju.orth(a)gmail.com> Closes: https://lore.kernel.org/all/CAHijbEUMhvJTN9Xw1GmbM266FXXv=U7s4L_Jem5x3AaPZx… Cc: Jann Horn <jannh(a)google.com> Cc: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Shuah Khan <shuah(a)kernel.org> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/memfd.h b/include/linux/memfd.h index 3f2cf339ceaf..d437e3070850 100644 --- a/include/linux/memfd.h +++ b/include/linux/memfd.h @@ -7,6 +7,7 @@ #ifdef CONFIG_MEMFD_CREATE extern long memfd_fcntl(struct file *file, unsigned int cmd, unsigned int arg); struct folio *memfd_alloc_folio(struct file *memfd, pgoff_t idx); +unsigned int *memfd_file_seals_ptr(struct file *file); #else static inline long memfd_fcntl(struct file *f, unsigned int c, unsigned int a) { @@ -16,6 +17,19 @@ static inline struct folio *memfd_alloc_folio(struct file *memfd, pgoff_t idx) { return ERR_PTR(-EINVAL); } + +static inline unsigned int *memfd_file_seals_ptr(struct file *file) +{ + return NULL; +} #endif +/* Retrieve memfd seals associated with the file, if any. */ +static inline unsigned int memfd_file_seals(struct file *file) +{ + unsigned int *sealsp = memfd_file_seals_ptr(file); + + return sealsp ? *sealsp : 0; +} + #endif /* __LINUX_MEMFD_H */ diff --git a/include/linux/mm.h b/include/linux/mm.h index 338a76ce9083..fb397918c43d 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -4101,6 +4101,37 @@ void mem_dump_obj(void *object); static inline void mem_dump_obj(void *object) {} #endif +static inline bool is_write_sealed(int seals) +{ + return seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE); +} + +/** + * is_readonly_sealed - Checks whether write-sealed but mapped read-only, + * in which case writes should be disallowing moving + * forwards. + * @seals: the seals to check + * @vm_flags: the VMA flags to check + * + * Returns whether readonly sealed, in which case writess should be disallowed + * going forward. + */ +static inline bool is_readonly_sealed(int seals, vm_flags_t vm_flags) +{ + /* + * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as + * MAP_SHARED and read-only, take care to not allow mprotect to + * revert protections on such mappings. Do this only for shared + * mappings. For private mappings, don't need to mask + * VM_MAYWRITE as we still want them to be COW-writable. + */ + if (is_write_sealed(seals) && + ((vm_flags & (VM_SHARED | VM_WRITE)) == VM_SHARED)) + return true; + + return false; +} + /** * seal_check_write - Check for F_SEAL_WRITE or F_SEAL_FUTURE_WRITE flags and * handle them. @@ -4112,24 +4143,15 @@ static inline void mem_dump_obj(void *object) {} */ static inline int seal_check_write(int seals, struct vm_area_struct *vma) { - if (seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) { - /* - * New PROT_WRITE and MAP_SHARED mmaps are not allowed when - * write seals are active. - */ - if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE)) - return -EPERM; + if (!is_write_sealed(seals)) + return 0; - /* - * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as - * MAP_SHARED and read-only, take care to not allow mprotect to - * revert protections on such mappings. Do this only for shared - * mappings. For private mappings, don't need to mask - * VM_MAYWRITE as we still want them to be COW-writable. - */ - if (vma->vm_flags & VM_SHARED) - vm_flags_clear(vma, VM_MAYWRITE); - } + /* + * New PROT_WRITE and MAP_SHARED mmaps are not allowed when + * write seals are active. + */ + if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE)) + return -EPERM; return 0; } diff --git a/mm/memfd.c b/mm/memfd.c index c17c3ea701a1..35a370d75c9a 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -170,7 +170,7 @@ static int memfd_wait_for_pins(struct address_space *mapping) return error; } -static unsigned int *memfd_file_seals_ptr(struct file *file) +unsigned int *memfd_file_seals_ptr(struct file *file) { if (shmem_file(file)) return &SHMEM_I(file_inode(file))->seals; diff --git a/mm/mmap.c b/mm/mmap.c index d32b7e701058..16f8e8be01f8 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -47,6 +47,7 @@ #include <linux/oom.h> #include <linux/sched/mm.h> #include <linux/ksm.h> +#include <linux/memfd.h> #include <linux/uaccess.h> #include <asm/cacheflush.h> @@ -368,6 +369,7 @@ unsigned long do_mmap(struct file *file, unsigned long addr, if (file) { struct inode *inode = file_inode(file); + unsigned int seals = memfd_file_seals(file); unsigned long flags_mask; if (!file_mmap_ok(file, inode, pgoff, len)) @@ -408,6 +410,8 @@ unsigned long do_mmap(struct file *file, unsigned long addr, vm_flags |= VM_SHARED | VM_MAYSHARE; if (!(file->f_mode & FMODE_WRITE)) vm_flags &= ~(VM_MAYWRITE | VM_SHARED); + else if (is_readonly_sealed(seals, vm_flags)) + vm_flags &= ~VM_MAYWRITE; fallthrough; case MAP_PRIVATE: if (!(file->f_mode & FMODE_READ))

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: reinstate ability to map write-sealed memfd mappings" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 8ec396d05d1b737c87311fb7311f753b02c2a6b1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010655-pliable-affection-87eb@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8ec396d05d1b737c87311fb7311f753b02c2a6b1 Mon Sep 17 00:00:00 2001 From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Date: Thu, 28 Nov 2024 15:06:17 +0000 Subject: [PATCH] mm: reinstate ability to map write-sealed memfd mappings read-only Patch series "mm: reinstate ability to map write-sealed memfd mappings read-only". In commit 158978945f31 ("mm: perform the mapping_map_writable() check after call_mmap()") (and preceding changes in the same series) it became possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only. Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour") unintentionally undid this logic by moving the mapping_map_writable() check before the shmem_mmap() hook is invoked, thereby regressing this change. This series reworks how we both permit write-sealed mappings being mapped read-only and disallow mprotect() from undoing the write-seal, fixing this regression. We also add a regression test to ensure that we do not accidentally regress this in future. Thanks to Julian Orth for reporting this regression. This patch (of 2): In commit 158978945f31 ("mm: perform the mapping_map_writable() check after call_mmap()") (and preceding changes in the same series) it became possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only. This was previously unnecessarily disallowed, despite the man page documentation indicating that it would be, thereby limiting the usefulness of F_SEAL_WRITE logic. We fixed this by adapting logic that existed for the F_SEAL_FUTURE_WRITE seal (one which disallows future writes to the memfd) to also be used for F_SEAL_WRITE. For background - the F_SEAL_FUTURE_WRITE seal clears VM_MAYWRITE for a read-only mapping to disallow mprotect() from overriding the seal - an operation performed by seal_check_write(), invoked from shmem_mmap(), the f_op->mmap() hook used by shmem mappings. By extending this to F_SEAL_WRITE and critically - checking mapping_map_writable() to determine if we may map the memfd AFTER we invoke shmem_mmap() - the desired logic becomes possible. This is because mapping_map_writable() explicitly checks for VM_MAYWRITE, which we will have cleared. Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour") unintentionally undid this logic by moving the mapping_map_writable() check before the shmem_mmap() hook is invoked, thereby regressing this change. We reinstate this functionality by moving the check out of shmem_mmap() and instead performing it in do_mmap() at the point at which VMA flags are being determined, which seems in any case to be a more appropriate place in which to make this determination. In order to achieve this we rework memfd seal logic to allow us access to this information using existing logic and eliminate the clearing of VM_MAYWRITE from seal_check_write() which we are performing in do_mmap() instead. Link: https://lkml.kernel.org/r/99fc35d2c62bd2e05571cf60d9f8b843c56069e0.17328047… Fixes: 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: Julian Orth <ju.orth(a)gmail.com> Closes: https://lore.kernel.org/all/CAHijbEUMhvJTN9Xw1GmbM266FXXv=U7s4L_Jem5x3AaPZx… Cc: Jann Horn <jannh(a)google.com> Cc: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Shuah Khan <shuah(a)kernel.org> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/memfd.h b/include/linux/memfd.h index 3f2cf339ceaf..d437e3070850 100644 --- a/include/linux/memfd.h +++ b/include/linux/memfd.h @@ -7,6 +7,7 @@ #ifdef CONFIG_MEMFD_CREATE extern long memfd_fcntl(struct file *file, unsigned int cmd, unsigned int arg); struct folio *memfd_alloc_folio(struct file *memfd, pgoff_t idx); +unsigned int *memfd_file_seals_ptr(struct file *file); #else static inline long memfd_fcntl(struct file *f, unsigned int c, unsigned int a) { @@ -16,6 +17,19 @@ static inline struct folio *memfd_alloc_folio(struct file *memfd, pgoff_t idx) { return ERR_PTR(-EINVAL); } + +static inline unsigned int *memfd_file_seals_ptr(struct file *file) +{ + return NULL; +} #endif +/* Retrieve memfd seals associated with the file, if any. */ +static inline unsigned int memfd_file_seals(struct file *file) +{ + unsigned int *sealsp = memfd_file_seals_ptr(file); + + return sealsp ? *sealsp : 0; +} + #endif /* __LINUX_MEMFD_H */ diff --git a/include/linux/mm.h b/include/linux/mm.h index 338a76ce9083..fb397918c43d 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -4101,6 +4101,37 @@ void mem_dump_obj(void *object); static inline void mem_dump_obj(void *object) {} #endif +static inline bool is_write_sealed(int seals) +{ + return seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE); +} + +/** + * is_readonly_sealed - Checks whether write-sealed but mapped read-only, + * in which case writes should be disallowing moving + * forwards. + * @seals: the seals to check + * @vm_flags: the VMA flags to check + * + * Returns whether readonly sealed, in which case writess should be disallowed + * going forward. + */ +static inline bool is_readonly_sealed(int seals, vm_flags_t vm_flags) +{ + /* + * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as + * MAP_SHARED and read-only, take care to not allow mprotect to + * revert protections on such mappings. Do this only for shared + * mappings. For private mappings, don't need to mask + * VM_MAYWRITE as we still want them to be COW-writable. + */ + if (is_write_sealed(seals) && + ((vm_flags & (VM_SHARED | VM_WRITE)) == VM_SHARED)) + return true; + + return false; +} + /** * seal_check_write - Check for F_SEAL_WRITE or F_SEAL_FUTURE_WRITE flags and * handle them. @@ -4112,24 +4143,15 @@ static inline void mem_dump_obj(void *object) {} */ static inline int seal_check_write(int seals, struct vm_area_struct *vma) { - if (seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) { - /* - * New PROT_WRITE and MAP_SHARED mmaps are not allowed when - * write seals are active. - */ - if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE)) - return -EPERM; + if (!is_write_sealed(seals)) + return 0; - /* - * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as - * MAP_SHARED and read-only, take care to not allow mprotect to - * revert protections on such mappings. Do this only for shared - * mappings. For private mappings, don't need to mask - * VM_MAYWRITE as we still want them to be COW-writable. - */ - if (vma->vm_flags & VM_SHARED) - vm_flags_clear(vma, VM_MAYWRITE); - } + /* + * New PROT_WRITE and MAP_SHARED mmaps are not allowed when + * write seals are active. + */ + if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE)) + return -EPERM; return 0; } diff --git a/mm/memfd.c b/mm/memfd.c index c17c3ea701a1..35a370d75c9a 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -170,7 +170,7 @@ static int memfd_wait_for_pins(struct address_space *mapping) return error; } -static unsigned int *memfd_file_seals_ptr(struct file *file) +unsigned int *memfd_file_seals_ptr(struct file *file) { if (shmem_file(file)) return &SHMEM_I(file_inode(file))->seals; diff --git a/mm/mmap.c b/mm/mmap.c index d32b7e701058..16f8e8be01f8 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -47,6 +47,7 @@ #include <linux/oom.h> #include <linux/sched/mm.h> #include <linux/ksm.h> +#include <linux/memfd.h> #include <linux/uaccess.h> #include <asm/cacheflush.h> @@ -368,6 +369,7 @@ unsigned long do_mmap(struct file *file, unsigned long addr, if (file) { struct inode *inode = file_inode(file); + unsigned int seals = memfd_file_seals(file); unsigned long flags_mask; if (!file_mmap_ok(file, inode, pgoff, len)) @@ -408,6 +410,8 @@ unsigned long do_mmap(struct file *file, unsigned long addr, vm_flags |= VM_SHARED | VM_MAYSHARE; if (!(file->f_mode & FMODE_WRITE)) vm_flags &= ~(VM_MAYWRITE | VM_SHARED); + else if (is_readonly_sealed(seals, vm_flags)) + vm_flags &= ~VM_MAYWRITE; fallthrough; case MAP_PRIVATE: if (!(file->f_mode & FMODE_READ))

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: reinstate ability to map write-sealed memfd mappings" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 8ec396d05d1b737c87311fb7311f753b02c2a6b1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010654-streak-cornfield-7b88@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8ec396d05d1b737c87311fb7311f753b02c2a6b1 Mon Sep 17 00:00:00 2001 From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Date: Thu, 28 Nov 2024 15:06:17 +0000 Subject: [PATCH] mm: reinstate ability to map write-sealed memfd mappings read-only Patch series "mm: reinstate ability to map write-sealed memfd mappings read-only". In commit 158978945f31 ("mm: perform the mapping_map_writable() check after call_mmap()") (and preceding changes in the same series) it became possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only. Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour") unintentionally undid this logic by moving the mapping_map_writable() check before the shmem_mmap() hook is invoked, thereby regressing this change. This series reworks how we both permit write-sealed mappings being mapped read-only and disallow mprotect() from undoing the write-seal, fixing this regression. We also add a regression test to ensure that we do not accidentally regress this in future. Thanks to Julian Orth for reporting this regression. This patch (of 2): In commit 158978945f31 ("mm: perform the mapping_map_writable() check after call_mmap()") (and preceding changes in the same series) it became possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only. This was previously unnecessarily disallowed, despite the man page documentation indicating that it would be, thereby limiting the usefulness of F_SEAL_WRITE logic. We fixed this by adapting logic that existed for the F_SEAL_FUTURE_WRITE seal (one which disallows future writes to the memfd) to also be used for F_SEAL_WRITE. For background - the F_SEAL_FUTURE_WRITE seal clears VM_MAYWRITE for a read-only mapping to disallow mprotect() from overriding the seal - an operation performed by seal_check_write(), invoked from shmem_mmap(), the f_op->mmap() hook used by shmem mappings. By extending this to F_SEAL_WRITE and critically - checking mapping_map_writable() to determine if we may map the memfd AFTER we invoke shmem_mmap() - the desired logic becomes possible. This is because mapping_map_writable() explicitly checks for VM_MAYWRITE, which we will have cleared. Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour") unintentionally undid this logic by moving the mapping_map_writable() check before the shmem_mmap() hook is invoked, thereby regressing this change. We reinstate this functionality by moving the check out of shmem_mmap() and instead performing it in do_mmap() at the point at which VMA flags are being determined, which seems in any case to be a more appropriate place in which to make this determination. In order to achieve this we rework memfd seal logic to allow us access to this information using existing logic and eliminate the clearing of VM_MAYWRITE from seal_check_write() which we are performing in do_mmap() instead. Link: https://lkml.kernel.org/r/99fc35d2c62bd2e05571cf60d9f8b843c56069e0.17328047… Fixes: 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: Julian Orth <ju.orth(a)gmail.com> Closes: https://lore.kernel.org/all/CAHijbEUMhvJTN9Xw1GmbM266FXXv=U7s4L_Jem5x3AaPZx… Cc: Jann Horn <jannh(a)google.com> Cc: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Shuah Khan <shuah(a)kernel.org> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/memfd.h b/include/linux/memfd.h index 3f2cf339ceaf..d437e3070850 100644 --- a/include/linux/memfd.h +++ b/include/linux/memfd.h @@ -7,6 +7,7 @@ #ifdef CONFIG_MEMFD_CREATE extern long memfd_fcntl(struct file *file, unsigned int cmd, unsigned int arg); struct folio *memfd_alloc_folio(struct file *memfd, pgoff_t idx); +unsigned int *memfd_file_seals_ptr(struct file *file); #else static inline long memfd_fcntl(struct file *f, unsigned int c, unsigned int a) { @@ -16,6 +17,19 @@ static inline struct folio *memfd_alloc_folio(struct file *memfd, pgoff_t idx) { return ERR_PTR(-EINVAL); } + +static inline unsigned int *memfd_file_seals_ptr(struct file *file) +{ + return NULL; +} #endif +/* Retrieve memfd seals associated with the file, if any. */ +static inline unsigned int memfd_file_seals(struct file *file) +{ + unsigned int *sealsp = memfd_file_seals_ptr(file); + + return sealsp ? *sealsp : 0; +} + #endif /* __LINUX_MEMFD_H */ diff --git a/include/linux/mm.h b/include/linux/mm.h index 338a76ce9083..fb397918c43d 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -4101,6 +4101,37 @@ void mem_dump_obj(void *object); static inline void mem_dump_obj(void *object) {} #endif +static inline bool is_write_sealed(int seals) +{ + return seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE); +} + +/** + * is_readonly_sealed - Checks whether write-sealed but mapped read-only, + * in which case writes should be disallowing moving + * forwards. + * @seals: the seals to check + * @vm_flags: the VMA flags to check + * + * Returns whether readonly sealed, in which case writess should be disallowed + * going forward. + */ +static inline bool is_readonly_sealed(int seals, vm_flags_t vm_flags) +{ + /* + * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as + * MAP_SHARED and read-only, take care to not allow mprotect to + * revert protections on such mappings. Do this only for shared + * mappings. For private mappings, don't need to mask + * VM_MAYWRITE as we still want them to be COW-writable. + */ + if (is_write_sealed(seals) && + ((vm_flags & (VM_SHARED | VM_WRITE)) == VM_SHARED)) + return true; + + return false; +} + /** * seal_check_write - Check for F_SEAL_WRITE or F_SEAL_FUTURE_WRITE flags and * handle them. @@ -4112,24 +4143,15 @@ static inline void mem_dump_obj(void *object) {} */ static inline int seal_check_write(int seals, struct vm_area_struct *vma) { - if (seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) { - /* - * New PROT_WRITE and MAP_SHARED mmaps are not allowed when - * write seals are active. - */ - if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE)) - return -EPERM; + if (!is_write_sealed(seals)) + return 0; - /* - * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as - * MAP_SHARED and read-only, take care to not allow mprotect to - * revert protections on such mappings. Do this only for shared - * mappings. For private mappings, don't need to mask - * VM_MAYWRITE as we still want them to be COW-writable. - */ - if (vma->vm_flags & VM_SHARED) - vm_flags_clear(vma, VM_MAYWRITE); - } + /* + * New PROT_WRITE and MAP_SHARED mmaps are not allowed when + * write seals are active. + */ + if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE)) + return -EPERM; return 0; } diff --git a/mm/memfd.c b/mm/memfd.c index c17c3ea701a1..35a370d75c9a 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -170,7 +170,7 @@ static int memfd_wait_for_pins(struct address_space *mapping) return error; } -static unsigned int *memfd_file_seals_ptr(struct file *file) +unsigned int *memfd_file_seals_ptr(struct file *file) { if (shmem_file(file)) return &SHMEM_I(file_inode(file))->seals; diff --git a/mm/mmap.c b/mm/mmap.c index d32b7e701058..16f8e8be01f8 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -47,6 +47,7 @@ #include <linux/oom.h> #include <linux/sched/mm.h> #include <linux/ksm.h> +#include <linux/memfd.h> #include <linux/uaccess.h> #include <asm/cacheflush.h> @@ -368,6 +369,7 @@ unsigned long do_mmap(struct file *file, unsigned long addr, if (file) { struct inode *inode = file_inode(file); + unsigned int seals = memfd_file_seals(file); unsigned long flags_mask; if (!file_mmap_ok(file, inode, pgoff, len)) @@ -408,6 +410,8 @@ unsigned long do_mmap(struct file *file, unsigned long addr, vm_flags |= VM_SHARED | VM_MAYSHARE; if (!(file->f_mode & FMODE_WRITE)) vm_flags &= ~(VM_MAYWRITE | VM_SHARED); + else if (is_readonly_sealed(seals, vm_flags)) + vm_flags &= ~VM_MAYWRITE; fallthrough; case MAP_PRIVATE: if (!(file->f_mode & FMODE_READ))

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: zswap: fix race between [de]compression and CPU hotunplug" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x eaebeb93922ca6ab0dd92027b73d0112701706ef # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010631-rice-vocalize-bfc1@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From eaebeb93922ca6ab0dd92027b73d0112701706ef Mon Sep 17 00:00:00 2001 From: Yosry Ahmed <yosryahmed(a)google.com> Date: Thu, 19 Dec 2024 21:24:37 +0000 Subject: [PATCH] mm: zswap: fix race between [de]compression and CPU hotunplug In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the current CPU at the beginning of the operation is retrieved and used throughout. However, since neither preemption nor migration are disabled, it is possible that the operation continues on a different CPU. If the original CPU is hotunplugged while the acomp_ctx is still in use, we run into a UAF bug as the resources attached to the acomp_ctx are freed during hotunplug in zswap_cpu_comp_dead(). The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") when the switch to the crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was retrieved using get_cpu_ptr() which disables preemption and makes sure the CPU cannot go away from under us. Preemption cannot be disabled with the crypto_acomp API as a sleepable context is needed. Commit 8ba2f844f050 ("mm/zswap: change per-cpu mutex and buffer to per-acomp_ctx") increased the UAF surface area by making the per-CPU buffers dynamic, adding yet another resource that can be freed from under zswap compression/decompression by CPU hotunplug. There are a few ways to fix this: (a) Add a refcount for acomp_ctx. (b) Disable migration while using the per-CPU acomp_ctx. (c) Disable CPU hotunplug while using the per-CPU acomp_ctx by holding the CPUs read lock. Implement (c) since it's simpler than (a), and (b) involves using migrate_disable() which is apparently undesired (see huge comment in include/linux/preempt.h). Link: https://lkml.kernel.org/r/20241219212437.2714151-1-yosryahmed@google.com Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") Signed-off-by: Yosry Ahmed <yosryahmed(a)google.com> Reported-by: Johannes Weiner <hannes(a)cmpxchg.org> Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/ Reported-by: Sam Sun <samsun1006219(a)gmail.com> Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tP… Reviewed-by: Chengming Zhou <chengming.zhou(a)linux.dev> Acked-by: Barry Song <baohua(a)kernel.org> Reviewed-by: Nhat Pham <nphamcs(a)gmail.com> Cc: Vitaly Wool <vitalywool(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/zswap.c b/mm/zswap.c index f6316b66fb23..5a27af8d86ea 100644 --- a/mm/zswap.c +++ b/mm/zswap.c @@ -880,6 +880,18 @@ static int zswap_cpu_comp_dead(unsigned int cpu, struct hlist_node *node) return 0; } +/* Prevent CPU hotplug from freeing up the per-CPU acomp_ctx resources */ +static struct crypto_acomp_ctx *acomp_ctx_get_cpu(struct crypto_acomp_ctx __percpu *acomp_ctx) +{ + cpus_read_lock(); + return raw_cpu_ptr(acomp_ctx); +} + +static void acomp_ctx_put_cpu(void) +{ + cpus_read_unlock(); +} + static bool zswap_compress(struct page *page, struct zswap_entry *entry, struct zswap_pool *pool) { @@ -893,8 +905,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry, gfp_t gfp; u8 *dst; - acomp_ctx = raw_cpu_ptr(pool->acomp_ctx); - + acomp_ctx = acomp_ctx_get_cpu(pool->acomp_ctx); mutex_lock(&acomp_ctx->mutex); dst = acomp_ctx->buffer; @@ -950,6 +961,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry, zswap_reject_alloc_fail++; mutex_unlock(&acomp_ctx->mutex); + acomp_ctx_put_cpu(); return comp_ret == 0 && alloc_ret == 0; } @@ -960,7 +972,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio) struct crypto_acomp_ctx *acomp_ctx; u8 *src; - acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx); + acomp_ctx = acomp_ctx_get_cpu(entry->pool->acomp_ctx); mutex_lock(&acomp_ctx->mutex); src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO); @@ -990,6 +1002,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio) if (src != acomp_ctx->buffer) zpool_unmap_handle(zpool, entry->handle); + acomp_ctx_put_cpu(); } /*********************************

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: zswap: fix race between [de]compression and CPU hotunplug" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x eaebeb93922ca6ab0dd92027b73d0112701706ef # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010630-chewable-chewer-e363@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From eaebeb93922ca6ab0dd92027b73d0112701706ef Mon Sep 17 00:00:00 2001 From: Yosry Ahmed <yosryahmed(a)google.com> Date: Thu, 19 Dec 2024 21:24:37 +0000 Subject: [PATCH] mm: zswap: fix race between [de]compression and CPU hotunplug In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the current CPU at the beginning of the operation is retrieved and used throughout. However, since neither preemption nor migration are disabled, it is possible that the operation continues on a different CPU. If the original CPU is hotunplugged while the acomp_ctx is still in use, we run into a UAF bug as the resources attached to the acomp_ctx are freed during hotunplug in zswap_cpu_comp_dead(). The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") when the switch to the crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was retrieved using get_cpu_ptr() which disables preemption and makes sure the CPU cannot go away from under us. Preemption cannot be disabled with the crypto_acomp API as a sleepable context is needed. Commit 8ba2f844f050 ("mm/zswap: change per-cpu mutex and buffer to per-acomp_ctx") increased the UAF surface area by making the per-CPU buffers dynamic, adding yet another resource that can be freed from under zswap compression/decompression by CPU hotunplug. There are a few ways to fix this: (a) Add a refcount for acomp_ctx. (b) Disable migration while using the per-CPU acomp_ctx. (c) Disable CPU hotunplug while using the per-CPU acomp_ctx by holding the CPUs read lock. Implement (c) since it's simpler than (a), and (b) involves using migrate_disable() which is apparently undesired (see huge comment in include/linux/preempt.h). Link: https://lkml.kernel.org/r/20241219212437.2714151-1-yosryahmed@google.com Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") Signed-off-by: Yosry Ahmed <yosryahmed(a)google.com> Reported-by: Johannes Weiner <hannes(a)cmpxchg.org> Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/ Reported-by: Sam Sun <samsun1006219(a)gmail.com> Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tP… Reviewed-by: Chengming Zhou <chengming.zhou(a)linux.dev> Acked-by: Barry Song <baohua(a)kernel.org> Reviewed-by: Nhat Pham <nphamcs(a)gmail.com> Cc: Vitaly Wool <vitalywool(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/zswap.c b/mm/zswap.c index f6316b66fb23..5a27af8d86ea 100644 --- a/mm/zswap.c +++ b/mm/zswap.c @@ -880,6 +880,18 @@ static int zswap_cpu_comp_dead(unsigned int cpu, struct hlist_node *node) return 0; } +/* Prevent CPU hotplug from freeing up the per-CPU acomp_ctx resources */ +static struct crypto_acomp_ctx *acomp_ctx_get_cpu(struct crypto_acomp_ctx __percpu *acomp_ctx) +{ + cpus_read_lock(); + return raw_cpu_ptr(acomp_ctx); +} + +static void acomp_ctx_put_cpu(void) +{ + cpus_read_unlock(); +} + static bool zswap_compress(struct page *page, struct zswap_entry *entry, struct zswap_pool *pool) { @@ -893,8 +905,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry, gfp_t gfp; u8 *dst; - acomp_ctx = raw_cpu_ptr(pool->acomp_ctx); - + acomp_ctx = acomp_ctx_get_cpu(pool->acomp_ctx); mutex_lock(&acomp_ctx->mutex); dst = acomp_ctx->buffer; @@ -950,6 +961,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry, zswap_reject_alloc_fail++; mutex_unlock(&acomp_ctx->mutex); + acomp_ctx_put_cpu(); return comp_ret == 0 && alloc_ret == 0; } @@ -960,7 +972,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio) struct crypto_acomp_ctx *acomp_ctx; u8 *src; - acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx); + acomp_ctx = acomp_ctx_get_cpu(entry->pool->acomp_ctx); mutex_lock(&acomp_ctx->mutex); src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO); @@ -990,6 +1002,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio) if (src != acomp_ctx->buffer) zpool_unmap_handle(zpool, entry->handle); + acomp_ctx_put_cpu(); } /*********************************

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: zswap: fix race between [de]compression and CPU hotunplug" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x eaebeb93922ca6ab0dd92027b73d0112701706ef # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010629-undusted-massager-f7d9@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From eaebeb93922ca6ab0dd92027b73d0112701706ef Mon Sep 17 00:00:00 2001 From: Yosry Ahmed <yosryahmed(a)google.com> Date: Thu, 19 Dec 2024 21:24:37 +0000 Subject: [PATCH] mm: zswap: fix race between [de]compression and CPU hotunplug In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the current CPU at the beginning of the operation is retrieved and used throughout. However, since neither preemption nor migration are disabled, it is possible that the operation continues on a different CPU. If the original CPU is hotunplugged while the acomp_ctx is still in use, we run into a UAF bug as the resources attached to the acomp_ctx are freed during hotunplug in zswap_cpu_comp_dead(). The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") when the switch to the crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was retrieved using get_cpu_ptr() which disables preemption and makes sure the CPU cannot go away from under us. Preemption cannot be disabled with the crypto_acomp API as a sleepable context is needed. Commit 8ba2f844f050 ("mm/zswap: change per-cpu mutex and buffer to per-acomp_ctx") increased the UAF surface area by making the per-CPU buffers dynamic, adding yet another resource that can be freed from under zswap compression/decompression by CPU hotunplug. There are a few ways to fix this: (a) Add a refcount for acomp_ctx. (b) Disable migration while using the per-CPU acomp_ctx. (c) Disable CPU hotunplug while using the per-CPU acomp_ctx by holding the CPUs read lock. Implement (c) since it's simpler than (a), and (b) involves using migrate_disable() which is apparently undesired (see huge comment in include/linux/preempt.h). Link: https://lkml.kernel.org/r/20241219212437.2714151-1-yosryahmed@google.com Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") Signed-off-by: Yosry Ahmed <yosryahmed(a)google.com> Reported-by: Johannes Weiner <hannes(a)cmpxchg.org> Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/ Reported-by: Sam Sun <samsun1006219(a)gmail.com> Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tP… Reviewed-by: Chengming Zhou <chengming.zhou(a)linux.dev> Acked-by: Barry Song <baohua(a)kernel.org> Reviewed-by: Nhat Pham <nphamcs(a)gmail.com> Cc: Vitaly Wool <vitalywool(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/zswap.c b/mm/zswap.c index f6316b66fb23..5a27af8d86ea 100644 --- a/mm/zswap.c +++ b/mm/zswap.c @@ -880,6 +880,18 @@ static int zswap_cpu_comp_dead(unsigned int cpu, struct hlist_node *node) return 0; } +/* Prevent CPU hotplug from freeing up the per-CPU acomp_ctx resources */ +static struct crypto_acomp_ctx *acomp_ctx_get_cpu(struct crypto_acomp_ctx __percpu *acomp_ctx) +{ + cpus_read_lock(); + return raw_cpu_ptr(acomp_ctx); +} + +static void acomp_ctx_put_cpu(void) +{ + cpus_read_unlock(); +} + static bool zswap_compress(struct page *page, struct zswap_entry *entry, struct zswap_pool *pool) { @@ -893,8 +905,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry, gfp_t gfp; u8 *dst; - acomp_ctx = raw_cpu_ptr(pool->acomp_ctx); - + acomp_ctx = acomp_ctx_get_cpu(pool->acomp_ctx); mutex_lock(&acomp_ctx->mutex); dst = acomp_ctx->buffer; @@ -950,6 +961,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry, zswap_reject_alloc_fail++; mutex_unlock(&acomp_ctx->mutex); + acomp_ctx_put_cpu(); return comp_ret == 0 && alloc_ret == 0; } @@ -960,7 +972,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio) struct crypto_acomp_ctx *acomp_ctx; u8 *src; - acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx); + acomp_ctx = acomp_ctx_get_cpu(entry->pool->acomp_ctx); mutex_lock(&acomp_ctx->mutex); src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO); @@ -990,6 +1002,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio) if (src != acomp_ctx->buffer) zpool_unmap_handle(zpool, entry->handle); + acomp_ctx_put_cpu(); } /*********************************

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] gve: clean XDP queues in gve_tx_stop_ring_gqi" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 6321f5fb70d502d95de8a212a7b484c297ec9644 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010642-annually-shirt-b4e1@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6321f5fb70d502d95de8a212a7b484c297ec9644 Mon Sep 17 00:00:00 2001 From: Joshua Washington <joshwash(a)google.com> Date: Wed, 18 Dec 2024 05:34:11 -0800 Subject: [PATCH] gve: clean XDP queues in gve_tx_stop_ring_gqi When stopping XDP TX rings, the XDP clean function needs to be called to clean out the entire queue, similar to what happens in the normal TX queue case. Otherwise, the FIFO won't be cleared correctly, and xsk_tx_completed won't be reported. Fixes: 75eaae158b1b ("gve: Add XDP DROP and TX support for GQI-QPL format") Cc: stable(a)vger.kernel.org Signed-off-by: Joshua Washington <joshwash(a)google.com> Signed-off-by: Praveen Kaligineedi <pkaligineedi(a)google.com> Reviewed-by: Praveen Kaligineedi <pkaligineedi(a)google.com> Reviewed-by: Willem de Bruijn <willemb(a)google.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> diff --git a/drivers/net/ethernet/google/gve/gve_tx.c b/drivers/net/ethernet/google/gve/gve_tx.c index e7fb7d6d283d..83ad278ec91f 100644 --- a/drivers/net/ethernet/google/gve/gve_tx.c +++ b/drivers/net/ethernet/google/gve/gve_tx.c @@ -206,7 +206,10 @@ void gve_tx_stop_ring_gqi(struct gve_priv *priv, int idx) return; gve_remove_napi(priv, ntfy_idx); - gve_clean_tx_done(priv, tx, priv->tx_desc_cnt, false); + if (tx->q_num < priv->tx_cfg.num_queues) + gve_clean_tx_done(priv, tx, priv->tx_desc_cnt, false); + else + gve_clean_xdp_done(priv, tx, priv->tx_desc_cnt); netdev_tx_reset_queue(tx->netdev_txq); gve_tx_remove_from_block(priv, idx); }

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] drm: adv7511: Fix use-after-free in adv7533_attach_dsi()" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 81adbd3ff21c1182e06aa02c6be0bfd9ea02d8e8 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010606-prude-geiger-28e3@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 81adbd3ff21c1182e06aa02c6be0bfd9ea02d8e8 Mon Sep 17 00:00:00 2001 From: Biju Das <biju.das.jz(a)bp.renesas.com> Date: Tue, 19 Nov 2024 19:20:29 +0000 Subject: [PATCH] drm: adv7511: Fix use-after-free in adv7533_attach_dsi() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The host_node pointer was assigned and freed in adv7533_parse_dt(), and later, adv7533_attach_dsi() uses the same. Fix this use-after-free issue by dropping of_node_put() in adv7533_parse_dt() and calling of_node_put() in error path of probe() and also in the remove(). Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") Cc: stable(a)vger.kernel.org Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com> Link: https://patchwork.freedesktop.org/patch/msgid/20241119192040.152657-2-biju.… Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c index eb5919b38263..a13b3d8ab6ac 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c @@ -1241,8 +1241,10 @@ static int adv7511_probe(struct i2c_client *i2c) return ret; ret = adv7511_init_regulators(adv7511); - if (ret) - return dev_err_probe(dev, ret, "failed to init regulators\n"); + if (ret) { + dev_err_probe(dev, ret, "failed to init regulators\n"); + goto err_of_node_put; + } /* * The power down GPIO is optional. If present, toggle it from active to @@ -1363,6 +1365,8 @@ static int adv7511_probe(struct i2c_client *i2c) i2c_unregister_device(adv7511->i2c_edid); uninit_regulators: adv7511_uninit_regulators(adv7511); +err_of_node_put: + of_node_put(adv7511->host_node); return ret; } @@ -1371,6 +1375,8 @@ static void adv7511_remove(struct i2c_client *i2c) { struct adv7511 *adv7511 = i2c_get_clientdata(i2c); + of_node_put(adv7511->host_node); + adv7511_uninit_regulators(adv7511); drm_bridge_remove(&adv7511->bridge); diff --git a/drivers/gpu/drm/bridge/adv7511/adv7533.c b/drivers/gpu/drm/bridge/adv7511/adv7533.c index 4481489aaf5e..5f195e91b3e6 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7533.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c @@ -181,8 +181,6 @@ int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv) if (!adv->host_node) return -ENODEV; - of_node_put(adv->host_node); - adv->use_timing_gen = !of_property_read_bool(np, "adi,disable-timing-generator");

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] drm: adv7511: Fix use-after-free in adv7533_attach_dsi()" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 81adbd3ff21c1182e06aa02c6be0bfd9ea02d8e8 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010606-rifling-dreamily-f58e@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 81adbd3ff21c1182e06aa02c6be0bfd9ea02d8e8 Mon Sep 17 00:00:00 2001 From: Biju Das <biju.das.jz(a)bp.renesas.com> Date: Tue, 19 Nov 2024 19:20:29 +0000 Subject: [PATCH] drm: adv7511: Fix use-after-free in adv7533_attach_dsi() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The host_node pointer was assigned and freed in adv7533_parse_dt(), and later, adv7533_attach_dsi() uses the same. Fix this use-after-free issue by dropping of_node_put() in adv7533_parse_dt() and calling of_node_put() in error path of probe() and also in the remove(). Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") Cc: stable(a)vger.kernel.org Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com> Link: https://patchwork.freedesktop.org/patch/msgid/20241119192040.152657-2-biju.… Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c index eb5919b38263..a13b3d8ab6ac 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c @@ -1241,8 +1241,10 @@ static int adv7511_probe(struct i2c_client *i2c) return ret; ret = adv7511_init_regulators(adv7511); - if (ret) - return dev_err_probe(dev, ret, "failed to init regulators\n"); + if (ret) { + dev_err_probe(dev, ret, "failed to init regulators\n"); + goto err_of_node_put; + } /* * The power down GPIO is optional. If present, toggle it from active to @@ -1363,6 +1365,8 @@ static int adv7511_probe(struct i2c_client *i2c) i2c_unregister_device(adv7511->i2c_edid); uninit_regulators: adv7511_uninit_regulators(adv7511); +err_of_node_put: + of_node_put(adv7511->host_node); return ret; } @@ -1371,6 +1375,8 @@ static void adv7511_remove(struct i2c_client *i2c) { struct adv7511 *adv7511 = i2c_get_clientdata(i2c); + of_node_put(adv7511->host_node); + adv7511_uninit_regulators(adv7511); drm_bridge_remove(&adv7511->bridge); diff --git a/drivers/gpu/drm/bridge/adv7511/adv7533.c b/drivers/gpu/drm/bridge/adv7511/adv7533.c index 4481489aaf5e..5f195e91b3e6 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7533.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c @@ -181,8 +181,6 @@ int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv) if (!adv->host_node) return -ENODEV; - of_node_put(adv->host_node); - adv->use_timing_gen = !of_property_read_bool(np, "adi,disable-timing-generator");

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] drm: adv7511: Fix use-after-free in adv7533_attach_dsi()" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 81adbd3ff21c1182e06aa02c6be0bfd9ea02d8e8 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010604-resilient-unpaired-7bb7@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 81adbd3ff21c1182e06aa02c6be0bfd9ea02d8e8 Mon Sep 17 00:00:00 2001 From: Biju Das <biju.das.jz(a)bp.renesas.com> Date: Tue, 19 Nov 2024 19:20:29 +0000 Subject: [PATCH] drm: adv7511: Fix use-after-free in adv7533_attach_dsi() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The host_node pointer was assigned and freed in adv7533_parse_dt(), and later, adv7533_attach_dsi() uses the same. Fix this use-after-free issue by dropping of_node_put() in adv7533_parse_dt() and calling of_node_put() in error path of probe() and also in the remove(). Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") Cc: stable(a)vger.kernel.org Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com> Link: https://patchwork.freedesktop.org/patch/msgid/20241119192040.152657-2-biju.… Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c index eb5919b38263..a13b3d8ab6ac 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c @@ -1241,8 +1241,10 @@ static int adv7511_probe(struct i2c_client *i2c) return ret; ret = adv7511_init_regulators(adv7511); - if (ret) - return dev_err_probe(dev, ret, "failed to init regulators\n"); + if (ret) { + dev_err_probe(dev, ret, "failed to init regulators\n"); + goto err_of_node_put; + } /* * The power down GPIO is optional. If present, toggle it from active to @@ -1363,6 +1365,8 @@ static int adv7511_probe(struct i2c_client *i2c) i2c_unregister_device(adv7511->i2c_edid); uninit_regulators: adv7511_uninit_regulators(adv7511); +err_of_node_put: + of_node_put(adv7511->host_node); return ret; } @@ -1371,6 +1375,8 @@ static void adv7511_remove(struct i2c_client *i2c) { struct adv7511 *adv7511 = i2c_get_clientdata(i2c); + of_node_put(adv7511->host_node); + adv7511_uninit_regulators(adv7511); drm_bridge_remove(&adv7511->bridge); diff --git a/drivers/gpu/drm/bridge/adv7511/adv7533.c b/drivers/gpu/drm/bridge/adv7511/adv7533.c index 4481489aaf5e..5f195e91b3e6 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7533.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c @@ -181,8 +181,6 @@ int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv) if (!adv->host_node) return -ENODEV; - of_node_put(adv->host_node); - adv->use_timing_gen = !of_property_read_bool(np, "adi,disable-timing-generator");

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] drm: adv7511: Fix use-after-free in adv7533_attach_dsi()" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 81adbd3ff21c1182e06aa02c6be0bfd9ea02d8e8 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010605-quit-rockfish-a0e8@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 81adbd3ff21c1182e06aa02c6be0bfd9ea02d8e8 Mon Sep 17 00:00:00 2001 From: Biju Das <biju.das.jz(a)bp.renesas.com> Date: Tue, 19 Nov 2024 19:20:29 +0000 Subject: [PATCH] drm: adv7511: Fix use-after-free in adv7533_attach_dsi() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The host_node pointer was assigned and freed in adv7533_parse_dt(), and later, adv7533_attach_dsi() uses the same. Fix this use-after-free issue by dropping of_node_put() in adv7533_parse_dt() and calling of_node_put() in error path of probe() and also in the remove(). Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") Cc: stable(a)vger.kernel.org Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com> Link: https://patchwork.freedesktop.org/patch/msgid/20241119192040.152657-2-biju.… Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c index eb5919b38263..a13b3d8ab6ac 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c @@ -1241,8 +1241,10 @@ static int adv7511_probe(struct i2c_client *i2c) return ret; ret = adv7511_init_regulators(adv7511); - if (ret) - return dev_err_probe(dev, ret, "failed to init regulators\n"); + if (ret) { + dev_err_probe(dev, ret, "failed to init regulators\n"); + goto err_of_node_put; + } /* * The power down GPIO is optional. If present, toggle it from active to @@ -1363,6 +1365,8 @@ static int adv7511_probe(struct i2c_client *i2c) i2c_unregister_device(adv7511->i2c_edid); uninit_regulators: adv7511_uninit_regulators(adv7511); +err_of_node_put: + of_node_put(adv7511->host_node); return ret; } @@ -1371,6 +1375,8 @@ static void adv7511_remove(struct i2c_client *i2c) { struct adv7511 *adv7511 = i2c_get_clientdata(i2c); + of_node_put(adv7511->host_node); + adv7511_uninit_regulators(adv7511); drm_bridge_remove(&adv7511->bridge); diff --git a/drivers/gpu/drm/bridge/adv7511/adv7533.c b/drivers/gpu/drm/bridge/adv7511/adv7533.c index 4481489aaf5e..5f195e91b3e6 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7533.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c @@ -181,8 +181,6 @@ int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv) if (!adv->host_node) return -ENODEV; - of_node_put(adv->host_node); - adv->use_timing_gen = !of_property_read_bool(np, "adi,disable-timing-generator");

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x de35994ecd2dd6148ab5a6c5050a1670a04dec77 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010656-establish-cleat-3ed7@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From de35994ecd2dd6148ab5a6c5050a1670a04dec77 Mon Sep 17 00:00:00 2001 From: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Date: Thu, 19 Dec 2024 09:30:30 +0000 Subject: [PATCH] workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work from !WQ_MEM_RECLAIM worker MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit After commit 746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM") amdgpu started seeing the following warning: [ ] workqueue: WQ_MEM_RECLAIM sdma0:drm_sched_run_job_work [gpu_sched] is flushing !WQ_MEM_RECLAIM events:amdgpu_device_delay_enable_gfx_off [amdgpu] ... [ ] Workqueue: sdma0 drm_sched_run_job_work [gpu_sched] ... [ ] Call Trace: [ ] <TASK> ... [ ] ? check_flush_dependency+0xf5/0x110 ... [ ] cancel_delayed_work_sync+0x6e/0x80 [ ] amdgpu_gfx_off_ctrl+0xab/0x140 [amdgpu] [ ] amdgpu_ring_alloc+0x40/0x50 [amdgpu] [ ] amdgpu_ib_schedule+0xf4/0x810 [amdgpu] [ ] ? drm_sched_run_job_work+0x22c/0x430 [gpu_sched] [ ] amdgpu_job_run+0xaa/0x1f0 [amdgpu] [ ] drm_sched_run_job_work+0x257/0x430 [gpu_sched] [ ] process_one_work+0x217/0x720 ... [ ] </TASK> The intent of the verifcation done in check_flush_depedency is to ensure forward progress during memory reclaim, by flagging cases when either a memory reclaim process, or a memory reclaim work item is flushed from a context not marked as memory reclaim safe. This is correct when flushing, but when called from the cancel(_delayed)_work_sync() paths it is a false positive because work is either already running, or will not be running at all. Therefore cancelling it is safe and we can relax the warning criteria by letting the helper know of the calling context. Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Fixes: fca839c00a12 ("workqueue: warn if memory reclaim tries to flush !WQ_MEM_RECLAIM workqueue") References: 746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM") Cc: Tejun Heo <tj(a)kernel.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Lai Jiangshan <jiangshanlai(a)gmail.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: Christian König <christian.koenig(a)amd.com Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: <stable(a)vger.kernel.org> # v4.5+ Signed-off-by: Tejun Heo <tj(a)kernel.org> diff --git a/kernel/workqueue.c b/kernel/workqueue.c index 8b07576814a5..8336218ec4b8 100644 --- a/kernel/workqueue.c +++ b/kernel/workqueue.c @@ -3680,23 +3680,27 @@ void workqueue_softirq_dead(unsigned int cpu) * check_flush_dependency - check for flush dependency sanity * @target_wq: workqueue being flushed * @target_work: work item being flushed (NULL for workqueue flushes) + * @from_cancel: are we called from the work cancel path * * %current is trying to flush the whole @target_wq or @target_work on it. - * If @target_wq doesn't have %WQ_MEM_RECLAIM, verify that %current is not - * reclaiming memory or running on a workqueue which doesn't have - * %WQ_MEM_RECLAIM as that can break forward-progress guarantee leading to - * a deadlock. + * If this is not the cancel path (which implies work being flushed is either + * already running, or will not be at all), check if @target_wq doesn't have + * %WQ_MEM_RECLAIM and verify that %current is not reclaiming memory or running + * on a workqueue which doesn't have %WQ_MEM_RECLAIM as that can break forward- + * progress guarantee leading to a deadlock. */ static void check_flush_dependency(struct workqueue_struct *target_wq, - struct work_struct *target_work) + struct work_struct *target_work, + bool from_cancel) { - work_func_t target_func = target_work ? target_work->func : NULL; + work_func_t target_func; struct worker *worker; - if (target_wq->flags & WQ_MEM_RECLAIM) + if (from_cancel || target_wq->flags & WQ_MEM_RECLAIM) return; worker = current_wq_worker(); + target_func = target_work ? target_work->func : NULL; WARN_ONCE(current->flags & PF_MEMALLOC, "workqueue: PF_MEMALLOC task %d(%s) is flushing !WQ_MEM_RECLAIM %s:%ps", @@ -3980,7 +3984,7 @@ void __flush_workqueue(struct workqueue_struct *wq) list_add_tail(&this_flusher.list, &wq->flusher_overflow); } - check_flush_dependency(wq, NULL); + check_flush_dependency(wq, NULL, false); mutex_unlock(&wq->mutex); @@ -4155,7 +4159,7 @@ static bool start_flush_work(struct work_struct *work, struct wq_barrier *barr, } wq = pwq->wq; - check_flush_dependency(wq, work); + check_flush_dependency(wq, work, from_cancel); insert_wq_barrier(pwq, barr, work, worker); raw_spin_unlock_irq(&pool->lock);

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x de35994ecd2dd6148ab5a6c5050a1670a04dec77 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010655-risk-opacity-5ce7@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From de35994ecd2dd6148ab5a6c5050a1670a04dec77 Mon Sep 17 00:00:00 2001 From: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Date: Thu, 19 Dec 2024 09:30:30 +0000 Subject: [PATCH] workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work from !WQ_MEM_RECLAIM worker MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit After commit 746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM") amdgpu started seeing the following warning: [ ] workqueue: WQ_MEM_RECLAIM sdma0:drm_sched_run_job_work [gpu_sched] is flushing !WQ_MEM_RECLAIM events:amdgpu_device_delay_enable_gfx_off [amdgpu] ... [ ] Workqueue: sdma0 drm_sched_run_job_work [gpu_sched] ... [ ] Call Trace: [ ] <TASK> ... [ ] ? check_flush_dependency+0xf5/0x110 ... [ ] cancel_delayed_work_sync+0x6e/0x80 [ ] amdgpu_gfx_off_ctrl+0xab/0x140 [amdgpu] [ ] amdgpu_ring_alloc+0x40/0x50 [amdgpu] [ ] amdgpu_ib_schedule+0xf4/0x810 [amdgpu] [ ] ? drm_sched_run_job_work+0x22c/0x430 [gpu_sched] [ ] amdgpu_job_run+0xaa/0x1f0 [amdgpu] [ ] drm_sched_run_job_work+0x257/0x430 [gpu_sched] [ ] process_one_work+0x217/0x720 ... [ ] </TASK> The intent of the verifcation done in check_flush_depedency is to ensure forward progress during memory reclaim, by flagging cases when either a memory reclaim process, or a memory reclaim work item is flushed from a context not marked as memory reclaim safe. This is correct when flushing, but when called from the cancel(_delayed)_work_sync() paths it is a false positive because work is either already running, or will not be running at all. Therefore cancelling it is safe and we can relax the warning criteria by letting the helper know of the calling context. Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Fixes: fca839c00a12 ("workqueue: warn if memory reclaim tries to flush !WQ_MEM_RECLAIM workqueue") References: 746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM") Cc: Tejun Heo <tj(a)kernel.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Lai Jiangshan <jiangshanlai(a)gmail.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: Christian König <christian.koenig(a)amd.com Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: <stable(a)vger.kernel.org> # v4.5+ Signed-off-by: Tejun Heo <tj(a)kernel.org> diff --git a/kernel/workqueue.c b/kernel/workqueue.c index 8b07576814a5..8336218ec4b8 100644 --- a/kernel/workqueue.c +++ b/kernel/workqueue.c @@ -3680,23 +3680,27 @@ void workqueue_softirq_dead(unsigned int cpu) * check_flush_dependency - check for flush dependency sanity * @target_wq: workqueue being flushed * @target_work: work item being flushed (NULL for workqueue flushes) + * @from_cancel: are we called from the work cancel path * * %current is trying to flush the whole @target_wq or @target_work on it. - * If @target_wq doesn't have %WQ_MEM_RECLAIM, verify that %current is not - * reclaiming memory or running on a workqueue which doesn't have - * %WQ_MEM_RECLAIM as that can break forward-progress guarantee leading to - * a deadlock. + * If this is not the cancel path (which implies work being flushed is either + * already running, or will not be at all), check if @target_wq doesn't have + * %WQ_MEM_RECLAIM and verify that %current is not reclaiming memory or running + * on a workqueue which doesn't have %WQ_MEM_RECLAIM as that can break forward- + * progress guarantee leading to a deadlock. */ static void check_flush_dependency(struct workqueue_struct *target_wq, - struct work_struct *target_work) + struct work_struct *target_work, + bool from_cancel) { - work_func_t target_func = target_work ? target_work->func : NULL; + work_func_t target_func; struct worker *worker; - if (target_wq->flags & WQ_MEM_RECLAIM) + if (from_cancel || target_wq->flags & WQ_MEM_RECLAIM) return; worker = current_wq_worker(); + target_func = target_work ? target_work->func : NULL; WARN_ONCE(current->flags & PF_MEMALLOC, "workqueue: PF_MEMALLOC task %d(%s) is flushing !WQ_MEM_RECLAIM %s:%ps", @@ -3980,7 +3984,7 @@ void __flush_workqueue(struct workqueue_struct *wq) list_add_tail(&this_flusher.list, &wq->flusher_overflow); } - check_flush_dependency(wq, NULL); + check_flush_dependency(wq, NULL, false); mutex_unlock(&wq->mutex); @@ -4155,7 +4159,7 @@ static bool start_flush_work(struct work_struct *work, struct wq_barrier *barr, } wq = pwq->wq; - check_flush_dependency(wq, work); + check_flush_dependency(wq, work, from_cancel); insert_wq_barrier(pwq, barr, work, worker); raw_spin_unlock_irq(&pool->lock);

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x de35994ecd2dd6148ab5a6c5050a1670a04dec77 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010654-pedigree-employer-73ce@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From de35994ecd2dd6148ab5a6c5050a1670a04dec77 Mon Sep 17 00:00:00 2001 From: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Date: Thu, 19 Dec 2024 09:30:30 +0000 Subject: [PATCH] workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work from !WQ_MEM_RECLAIM worker MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit After commit 746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM") amdgpu started seeing the following warning: [ ] workqueue: WQ_MEM_RECLAIM sdma0:drm_sched_run_job_work [gpu_sched] is flushing !WQ_MEM_RECLAIM events:amdgpu_device_delay_enable_gfx_off [amdgpu] ... [ ] Workqueue: sdma0 drm_sched_run_job_work [gpu_sched] ... [ ] Call Trace: [ ] <TASK> ... [ ] ? check_flush_dependency+0xf5/0x110 ... [ ] cancel_delayed_work_sync+0x6e/0x80 [ ] amdgpu_gfx_off_ctrl+0xab/0x140 [amdgpu] [ ] amdgpu_ring_alloc+0x40/0x50 [amdgpu] [ ] amdgpu_ib_schedule+0xf4/0x810 [amdgpu] [ ] ? drm_sched_run_job_work+0x22c/0x430 [gpu_sched] [ ] amdgpu_job_run+0xaa/0x1f0 [amdgpu] [ ] drm_sched_run_job_work+0x257/0x430 [gpu_sched] [ ] process_one_work+0x217/0x720 ... [ ] </TASK> The intent of the verifcation done in check_flush_depedency is to ensure forward progress during memory reclaim, by flagging cases when either a memory reclaim process, or a memory reclaim work item is flushed from a context not marked as memory reclaim safe. This is correct when flushing, but when called from the cancel(_delayed)_work_sync() paths it is a false positive because work is either already running, or will not be running at all. Therefore cancelling it is safe and we can relax the warning criteria by letting the helper know of the calling context. Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Fixes: fca839c00a12 ("workqueue: warn if memory reclaim tries to flush !WQ_MEM_RECLAIM workqueue") References: 746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM") Cc: Tejun Heo <tj(a)kernel.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Lai Jiangshan <jiangshanlai(a)gmail.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: Christian König <christian.koenig(a)amd.com Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: <stable(a)vger.kernel.org> # v4.5+ Signed-off-by: Tejun Heo <tj(a)kernel.org> diff --git a/kernel/workqueue.c b/kernel/workqueue.c index 8b07576814a5..8336218ec4b8 100644 --- a/kernel/workqueue.c +++ b/kernel/workqueue.c @@ -3680,23 +3680,27 @@ void workqueue_softirq_dead(unsigned int cpu) * check_flush_dependency - check for flush dependency sanity * @target_wq: workqueue being flushed * @target_work: work item being flushed (NULL for workqueue flushes) + * @from_cancel: are we called from the work cancel path * * %current is trying to flush the whole @target_wq or @target_work on it. - * If @target_wq doesn't have %WQ_MEM_RECLAIM, verify that %current is not - * reclaiming memory or running on a workqueue which doesn't have - * %WQ_MEM_RECLAIM as that can break forward-progress guarantee leading to - * a deadlock. + * If this is not the cancel path (which implies work being flushed is either + * already running, or will not be at all), check if @target_wq doesn't have + * %WQ_MEM_RECLAIM and verify that %current is not reclaiming memory or running + * on a workqueue which doesn't have %WQ_MEM_RECLAIM as that can break forward- + * progress guarantee leading to a deadlock. */ static void check_flush_dependency(struct workqueue_struct *target_wq, - struct work_struct *target_work) + struct work_struct *target_work, + bool from_cancel) { - work_func_t target_func = target_work ? target_work->func : NULL; + work_func_t target_func; struct worker *worker; - if (target_wq->flags & WQ_MEM_RECLAIM) + if (from_cancel || target_wq->flags & WQ_MEM_RECLAIM) return; worker = current_wq_worker(); + target_func = target_work ? target_work->func : NULL; WARN_ONCE(current->flags & PF_MEMALLOC, "workqueue: PF_MEMALLOC task %d(%s) is flushing !WQ_MEM_RECLAIM %s:%ps", @@ -3980,7 +3984,7 @@ void __flush_workqueue(struct workqueue_struct *wq) list_add_tail(&this_flusher.list, &wq->flusher_overflow); } - check_flush_dependency(wq, NULL); + check_flush_dependency(wq, NULL, false); mutex_unlock(&wq->mutex); @@ -4155,7 +4159,7 @@ static bool start_flush_work(struct work_struct *work, struct wq_barrier *barr, } wq = pwq->wq; - check_flush_dependency(wq, work); + check_flush_dependency(wq, work, from_cancel); insert_wq_barrier(pwq, barr, work, worker); raw_spin_unlock_irq(&pool->lock);

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x de35994ecd2dd6148ab5a6c5050a1670a04dec77 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010653-enroll-disagree-652b@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From de35994ecd2dd6148ab5a6c5050a1670a04dec77 Mon Sep 17 00:00:00 2001 From: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Date: Thu, 19 Dec 2024 09:30:30 +0000 Subject: [PATCH] workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work from !WQ_MEM_RECLAIM worker MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit After commit 746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM") amdgpu started seeing the following warning: [ ] workqueue: WQ_MEM_RECLAIM sdma0:drm_sched_run_job_work [gpu_sched] is flushing !WQ_MEM_RECLAIM events:amdgpu_device_delay_enable_gfx_off [amdgpu] ... [ ] Workqueue: sdma0 drm_sched_run_job_work [gpu_sched] ... [ ] Call Trace: [ ] <TASK> ... [ ] ? check_flush_dependency+0xf5/0x110 ... [ ] cancel_delayed_work_sync+0x6e/0x80 [ ] amdgpu_gfx_off_ctrl+0xab/0x140 [amdgpu] [ ] amdgpu_ring_alloc+0x40/0x50 [amdgpu] [ ] amdgpu_ib_schedule+0xf4/0x810 [amdgpu] [ ] ? drm_sched_run_job_work+0x22c/0x430 [gpu_sched] [ ] amdgpu_job_run+0xaa/0x1f0 [amdgpu] [ ] drm_sched_run_job_work+0x257/0x430 [gpu_sched] [ ] process_one_work+0x217/0x720 ... [ ] </TASK> The intent of the verifcation done in check_flush_depedency is to ensure forward progress during memory reclaim, by flagging cases when either a memory reclaim process, or a memory reclaim work item is flushed from a context not marked as memory reclaim safe. This is correct when flushing, but when called from the cancel(_delayed)_work_sync() paths it is a false positive because work is either already running, or will not be running at all. Therefore cancelling it is safe and we can relax the warning criteria by letting the helper know of the calling context. Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Fixes: fca839c00a12 ("workqueue: warn if memory reclaim tries to flush !WQ_MEM_RECLAIM workqueue") References: 746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM") Cc: Tejun Heo <tj(a)kernel.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Lai Jiangshan <jiangshanlai(a)gmail.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: Christian König <christian.koenig(a)amd.com Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: <stable(a)vger.kernel.org> # v4.5+ Signed-off-by: Tejun Heo <tj(a)kernel.org> diff --git a/kernel/workqueue.c b/kernel/workqueue.c index 8b07576814a5..8336218ec4b8 100644 --- a/kernel/workqueue.c +++ b/kernel/workqueue.c @@ -3680,23 +3680,27 @@ void workqueue_softirq_dead(unsigned int cpu) * check_flush_dependency - check for flush dependency sanity * @target_wq: workqueue being flushed * @target_work: work item being flushed (NULL for workqueue flushes) + * @from_cancel: are we called from the work cancel path * * %current is trying to flush the whole @target_wq or @target_work on it. - * If @target_wq doesn't have %WQ_MEM_RECLAIM, verify that %current is not - * reclaiming memory or running on a workqueue which doesn't have - * %WQ_MEM_RECLAIM as that can break forward-progress guarantee leading to - * a deadlock. + * If this is not the cancel path (which implies work being flushed is either + * already running, or will not be at all), check if @target_wq doesn't have + * %WQ_MEM_RECLAIM and verify that %current is not reclaiming memory or running + * on a workqueue which doesn't have %WQ_MEM_RECLAIM as that can break forward- + * progress guarantee leading to a deadlock. */ static void check_flush_dependency(struct workqueue_struct *target_wq, - struct work_struct *target_work) + struct work_struct *target_work, + bool from_cancel) { - work_func_t target_func = target_work ? target_work->func : NULL; + work_func_t target_func; struct worker *worker; - if (target_wq->flags & WQ_MEM_RECLAIM) + if (from_cancel || target_wq->flags & WQ_MEM_RECLAIM) return; worker = current_wq_worker(); + target_func = target_work ? target_work->func : NULL; WARN_ONCE(current->flags & PF_MEMALLOC, "workqueue: PF_MEMALLOC task %d(%s) is flushing !WQ_MEM_RECLAIM %s:%ps", @@ -3980,7 +3984,7 @@ void __flush_workqueue(struct workqueue_struct *wq) list_add_tail(&this_flusher.list, &wq->flusher_overflow); } - check_flush_dependency(wq, NULL); + check_flush_dependency(wq, NULL, false); mutex_unlock(&wq->mutex); @@ -4155,7 +4159,7 @@ static bool start_flush_work(struct work_struct *work, struct wq_barrier *barr, } wq = pwq->wq; - check_flush_dependency(wq, work); + check_flush_dependency(wq, work, from_cancel); insert_wq_barrier(pwq, barr, work, worker); raw_spin_unlock_irq(&pool->lock);

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x de35994ecd2dd6148ab5a6c5050a1670a04dec77 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010652-clad-doorframe-5d77@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From de35994ecd2dd6148ab5a6c5050a1670a04dec77 Mon Sep 17 00:00:00 2001 From: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Date: Thu, 19 Dec 2024 09:30:30 +0000 Subject: [PATCH] workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work from !WQ_MEM_RECLAIM worker MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit After commit 746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM") amdgpu started seeing the following warning: [ ] workqueue: WQ_MEM_RECLAIM sdma0:drm_sched_run_job_work [gpu_sched] is flushing !WQ_MEM_RECLAIM events:amdgpu_device_delay_enable_gfx_off [amdgpu] ... [ ] Workqueue: sdma0 drm_sched_run_job_work [gpu_sched] ... [ ] Call Trace: [ ] <TASK> ... [ ] ? check_flush_dependency+0xf5/0x110 ... [ ] cancel_delayed_work_sync+0x6e/0x80 [ ] amdgpu_gfx_off_ctrl+0xab/0x140 [amdgpu] [ ] amdgpu_ring_alloc+0x40/0x50 [amdgpu] [ ] amdgpu_ib_schedule+0xf4/0x810 [amdgpu] [ ] ? drm_sched_run_job_work+0x22c/0x430 [gpu_sched] [ ] amdgpu_job_run+0xaa/0x1f0 [amdgpu] [ ] drm_sched_run_job_work+0x257/0x430 [gpu_sched] [ ] process_one_work+0x217/0x720 ... [ ] </TASK> The intent of the verifcation done in check_flush_depedency is to ensure forward progress during memory reclaim, by flagging cases when either a memory reclaim process, or a memory reclaim work item is flushed from a context not marked as memory reclaim safe. This is correct when flushing, but when called from the cancel(_delayed)_work_sync() paths it is a false positive because work is either already running, or will not be running at all. Therefore cancelling it is safe and we can relax the warning criteria by letting the helper know of the calling context. Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Fixes: fca839c00a12 ("workqueue: warn if memory reclaim tries to flush !WQ_MEM_RECLAIM workqueue") References: 746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM") Cc: Tejun Heo <tj(a)kernel.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Lai Jiangshan <jiangshanlai(a)gmail.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: Christian König <christian.koenig(a)amd.com Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: <stable(a)vger.kernel.org> # v4.5+ Signed-off-by: Tejun Heo <tj(a)kernel.org> diff --git a/kernel/workqueue.c b/kernel/workqueue.c index 8b07576814a5..8336218ec4b8 100644 --- a/kernel/workqueue.c +++ b/kernel/workqueue.c @@ -3680,23 +3680,27 @@ void workqueue_softirq_dead(unsigned int cpu) * check_flush_dependency - check for flush dependency sanity * @target_wq: workqueue being flushed * @target_work: work item being flushed (NULL for workqueue flushes) + * @from_cancel: are we called from the work cancel path * * %current is trying to flush the whole @target_wq or @target_work on it. - * If @target_wq doesn't have %WQ_MEM_RECLAIM, verify that %current is not - * reclaiming memory or running on a workqueue which doesn't have - * %WQ_MEM_RECLAIM as that can break forward-progress guarantee leading to - * a deadlock. + * If this is not the cancel path (which implies work being flushed is either + * already running, or will not be at all), check if @target_wq doesn't have + * %WQ_MEM_RECLAIM and verify that %current is not reclaiming memory or running + * on a workqueue which doesn't have %WQ_MEM_RECLAIM as that can break forward- + * progress guarantee leading to a deadlock. */ static void check_flush_dependency(struct workqueue_struct *target_wq, - struct work_struct *target_work) + struct work_struct *target_work, + bool from_cancel) { - work_func_t target_func = target_work ? target_work->func : NULL; + work_func_t target_func; struct worker *worker; - if (target_wq->flags & WQ_MEM_RECLAIM) + if (from_cancel || target_wq->flags & WQ_MEM_RECLAIM) return; worker = current_wq_worker(); + target_func = target_work ? target_work->func : NULL; WARN_ONCE(current->flags & PF_MEMALLOC, "workqueue: PF_MEMALLOC task %d(%s) is flushing !WQ_MEM_RECLAIM %s:%ps", @@ -3980,7 +3984,7 @@ void __flush_workqueue(struct workqueue_struct *wq) list_add_tail(&this_flusher.list, &wq->flusher_overflow); } - check_flush_dependency(wq, NULL); + check_flush_dependency(wq, NULL, false); mutex_unlock(&wq->mutex); @@ -4155,7 +4159,7 @@ static bool start_flush_work(struct work_struct *work, struct wq_barrier *barr, } wq = pwq->wq; - check_flush_dependency(wq, work); + check_flush_dependency(wq, work, from_cancel); insert_wq_barrier(pwq, barr, work, worker); raw_spin_unlock_irq(&pool->lock);

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] ocfs2: fix slab-use-after-free due to dangling pointer" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 5f3fd772d152229d94602bca243fbb658068a597 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010611-sphinx-mayflower-3d16@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5f3fd772d152229d94602bca243fbb658068a597 Mon Sep 17 00:00:00 2001 From: Dennis Lam <dennis.lamerice(a)gmail.com> Date: Tue, 17 Dec 2024 21:39:25 -0500 Subject: [PATCH] ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv When mounting ocfs2 and then remounting it as read-only, a slab-use-after-free occurs after the user uses a syscall to quota_getnextquota. Specifically, sb_dqinfo(sb, type)->dqi_priv is the dangling pointer. During the remounting process, the pointer dqi_priv is freed but is never set as null leaving it to be accessed. Additionally, the read-only option for remounting sets the DQUOT_SUSPENDED flag instead of setting the DQUOT_USAGE_ENABLED flags. Moreover, later in the process of getting the next quota, the function ocfs2_get_next_id is called and only checks the quota usage flags and not the quota suspended flags. To fix this, I set dqi_priv to null when it is freed after remounting with read-only and put a check for DQUOT_SUSPENDED in ocfs2_get_next_id. [akpm(a)linux-foundation.org: coding-style cleanups] Link: https://lkml.kernel.org/r/20241218023924.22821-2-dennis.lamerice@gmail.com Fixes: 8f9e8f5fcc05 ("ocfs2: Fix Q_GETNEXTQUOTA for filesystem without quotas") Signed-off-by: Dennis Lam <dennis.lamerice(a)gmail.com> Reported-by: syzbot+d173bf8a5a7faeede34c(a)syzkaller.appspotmail.com Tested-by: syzbot+d173bf8a5a7faeede34c(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/6731d26f.050a0220.1fb99c.014b.GAE@google.com/T/ Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/ocfs2/quota_global.c b/fs/ocfs2/quota_global.c index 2b0daced98eb..3404e7a30c33 100644 --- a/fs/ocfs2/quota_global.c +++ b/fs/ocfs2/quota_global.c @@ -893,7 +893,7 @@ static int ocfs2_get_next_id(struct super_block *sb, struct kqid *qid) int status = 0; trace_ocfs2_get_next_id(from_kqid(&init_user_ns, *qid), type); - if (!sb_has_quota_loaded(sb, type)) { + if (!sb_has_quota_active(sb, type)) { status = -ESRCH; goto out; } diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c index 73d3367c533b..2956d888c131 100644 --- a/fs/ocfs2/quota_local.c +++ b/fs/ocfs2/quota_local.c @@ -867,6 +867,7 @@ static int ocfs2_local_free_info(struct super_block *sb, int type) brelse(oinfo->dqi_libh); brelse(oinfo->dqi_lqi_bh); kfree(oinfo); + info->dqi_priv = NULL; return status; }

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] ocfs2: fix slab-use-after-free due to dangling pointer" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 5f3fd772d152229d94602bca243fbb658068a597 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010610-gratified-icy-21bc@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5f3fd772d152229d94602bca243fbb658068a597 Mon Sep 17 00:00:00 2001 From: Dennis Lam <dennis.lamerice(a)gmail.com> Date: Tue, 17 Dec 2024 21:39:25 -0500 Subject: [PATCH] ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv When mounting ocfs2 and then remounting it as read-only, a slab-use-after-free occurs after the user uses a syscall to quota_getnextquota. Specifically, sb_dqinfo(sb, type)->dqi_priv is the dangling pointer. During the remounting process, the pointer dqi_priv is freed but is never set as null leaving it to be accessed. Additionally, the read-only option for remounting sets the DQUOT_SUSPENDED flag instead of setting the DQUOT_USAGE_ENABLED flags. Moreover, later in the process of getting the next quota, the function ocfs2_get_next_id is called and only checks the quota usage flags and not the quota suspended flags. To fix this, I set dqi_priv to null when it is freed after remounting with read-only and put a check for DQUOT_SUSPENDED in ocfs2_get_next_id. [akpm(a)linux-foundation.org: coding-style cleanups] Link: https://lkml.kernel.org/r/20241218023924.22821-2-dennis.lamerice@gmail.com Fixes: 8f9e8f5fcc05 ("ocfs2: Fix Q_GETNEXTQUOTA for filesystem without quotas") Signed-off-by: Dennis Lam <dennis.lamerice(a)gmail.com> Reported-by: syzbot+d173bf8a5a7faeede34c(a)syzkaller.appspotmail.com Tested-by: syzbot+d173bf8a5a7faeede34c(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/6731d26f.050a0220.1fb99c.014b.GAE@google.com/T/ Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/ocfs2/quota_global.c b/fs/ocfs2/quota_global.c index 2b0daced98eb..3404e7a30c33 100644 --- a/fs/ocfs2/quota_global.c +++ b/fs/ocfs2/quota_global.c @@ -893,7 +893,7 @@ static int ocfs2_get_next_id(struct super_block *sb, struct kqid *qid) int status = 0; trace_ocfs2_get_next_id(from_kqid(&init_user_ns, *qid), type); - if (!sb_has_quota_loaded(sb, type)) { + if (!sb_has_quota_active(sb, type)) { status = -ESRCH; goto out; } diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c index 73d3367c533b..2956d888c131 100644 --- a/fs/ocfs2/quota_local.c +++ b/fs/ocfs2/quota_local.c @@ -867,6 +867,7 @@ static int ocfs2_local_free_info(struct super_block *sb, int type) brelse(oinfo->dqi_libh); brelse(oinfo->dqi_lqi_bh); kfree(oinfo); + info->dqi_priv = NULL; return status; }

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] ocfs2: fix slab-use-after-free due to dangling pointer" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 5f3fd772d152229d94602bca243fbb658068a597 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010609-busybody-impromptu-d5f7@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5f3fd772d152229d94602bca243fbb658068a597 Mon Sep 17 00:00:00 2001 From: Dennis Lam <dennis.lamerice(a)gmail.com> Date: Tue, 17 Dec 2024 21:39:25 -0500 Subject: [PATCH] ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv When mounting ocfs2 and then remounting it as read-only, a slab-use-after-free occurs after the user uses a syscall to quota_getnextquota. Specifically, sb_dqinfo(sb, type)->dqi_priv is the dangling pointer. During the remounting process, the pointer dqi_priv is freed but is never set as null leaving it to be accessed. Additionally, the read-only option for remounting sets the DQUOT_SUSPENDED flag instead of setting the DQUOT_USAGE_ENABLED flags. Moreover, later in the process of getting the next quota, the function ocfs2_get_next_id is called and only checks the quota usage flags and not the quota suspended flags. To fix this, I set dqi_priv to null when it is freed after remounting with read-only and put a check for DQUOT_SUSPENDED in ocfs2_get_next_id. [akpm(a)linux-foundation.org: coding-style cleanups] Link: https://lkml.kernel.org/r/20241218023924.22821-2-dennis.lamerice@gmail.com Fixes: 8f9e8f5fcc05 ("ocfs2: Fix Q_GETNEXTQUOTA for filesystem without quotas") Signed-off-by: Dennis Lam <dennis.lamerice(a)gmail.com> Reported-by: syzbot+d173bf8a5a7faeede34c(a)syzkaller.appspotmail.com Tested-by: syzbot+d173bf8a5a7faeede34c(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/6731d26f.050a0220.1fb99c.014b.GAE@google.com/T/ Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/ocfs2/quota_global.c b/fs/ocfs2/quota_global.c index 2b0daced98eb..3404e7a30c33 100644 --- a/fs/ocfs2/quota_global.c +++ b/fs/ocfs2/quota_global.c @@ -893,7 +893,7 @@ static int ocfs2_get_next_id(struct super_block *sb, struct kqid *qid) int status = 0; trace_ocfs2_get_next_id(from_kqid(&init_user_ns, *qid), type); - if (!sb_has_quota_loaded(sb, type)) { + if (!sb_has_quota_active(sb, type)) { status = -ESRCH; goto out; } diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c index 73d3367c533b..2956d888c131 100644 --- a/fs/ocfs2/quota_local.c +++ b/fs/ocfs2/quota_local.c @@ -867,6 +867,7 @@ static int ocfs2_local_free_info(struct super_block *sb, int type) brelse(oinfo->dqi_libh); brelse(oinfo->dqi_lqi_bh); kfree(oinfo); + info->dqi_priv = NULL; return status; }

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] ocfs2: fix slab-use-after-free due to dangling pointer" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 5f3fd772d152229d94602bca243fbb658068a597 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010608-payphone-borough-d229@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5f3fd772d152229d94602bca243fbb658068a597 Mon Sep 17 00:00:00 2001 From: Dennis Lam <dennis.lamerice(a)gmail.com> Date: Tue, 17 Dec 2024 21:39:25 -0500 Subject: [PATCH] ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv When mounting ocfs2 and then remounting it as read-only, a slab-use-after-free occurs after the user uses a syscall to quota_getnextquota. Specifically, sb_dqinfo(sb, type)->dqi_priv is the dangling pointer. During the remounting process, the pointer dqi_priv is freed but is never set as null leaving it to be accessed. Additionally, the read-only option for remounting sets the DQUOT_SUSPENDED flag instead of setting the DQUOT_USAGE_ENABLED flags. Moreover, later in the process of getting the next quota, the function ocfs2_get_next_id is called and only checks the quota usage flags and not the quota suspended flags. To fix this, I set dqi_priv to null when it is freed after remounting with read-only and put a check for DQUOT_SUSPENDED in ocfs2_get_next_id. [akpm(a)linux-foundation.org: coding-style cleanups] Link: https://lkml.kernel.org/r/20241218023924.22821-2-dennis.lamerice@gmail.com Fixes: 8f9e8f5fcc05 ("ocfs2: Fix Q_GETNEXTQUOTA for filesystem without quotas") Signed-off-by: Dennis Lam <dennis.lamerice(a)gmail.com> Reported-by: syzbot+d173bf8a5a7faeede34c(a)syzkaller.appspotmail.com Tested-by: syzbot+d173bf8a5a7faeede34c(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/6731d26f.050a0220.1fb99c.014b.GAE@google.com/T/ Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/ocfs2/quota_global.c b/fs/ocfs2/quota_global.c index 2b0daced98eb..3404e7a30c33 100644 --- a/fs/ocfs2/quota_global.c +++ b/fs/ocfs2/quota_global.c @@ -893,7 +893,7 @@ static int ocfs2_get_next_id(struct super_block *sb, struct kqid *qid) int status = 0; trace_ocfs2_get_next_id(from_kqid(&init_user_ns, *qid), type); - if (!sb_has_quota_loaded(sb, type)) { + if (!sb_has_quota_active(sb, type)) { status = -ESRCH; goto out; } diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c index 73d3367c533b..2956d888c131 100644 --- a/fs/ocfs2/quota_local.c +++ b/fs/ocfs2/quota_local.c @@ -867,6 +867,7 @@ static int ocfs2_local_free_info(struct super_block *sb, int type) brelse(oinfo->dqi_libh); brelse(oinfo->dqi_lqi_bh); kfree(oinfo); + info->dqi_priv = NULL; return status; }

5 months, 2 weeks

1
0
0 0

Buggy patch -- Re: [PATCH 6.1 00/60] 6.1.123-rc1 review

by Pavel Machek

Hi! > > > This is the start of the stable review cycle for the 6.1.123 release. > > > There are 60 patches in this series, all will be posted as a response > > > to this one. If anyone has any issues with these being applied, please > > > let me know. > > > > > Dan Carpenter <dan.carpenter(a)linaro.org> > > > mtd: rawnand: fix double free in atmel_pmecc_create_user() > > > > This is wrong for 6.1 and older -- we don't use devm_kzalloc there, so > > it creates memory leak. > > Thanks for testing and letting me know, This was not "all good" mail. Patch cited above is buggy. But you still included it in 6.1.123. Please drop. Best regards. Pavel -- DENX Software Engineering GmbH, Managing Director: Erika Unter HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

5 months, 2 weeks

2
1
0 0

[PATCH] soc: samsung: exynos-pmu: Fix uninitialized ret in tensor_set_bits_atomic()

by Krzysztof Kozlowski

If tensor_set_bits_atomic() is called with a mask of 0 the function will just iterate over its bit, not perform any updates and return stack value of 'ret'. Also reported by smatch: drivers/soc/samsung/exynos-pmu.c:129 tensor_set_bits_atomic() error: uninitialized symbol 'ret'. Fixes: 0b7c6075022c ("soc: samsung: exynos-pmu: Add regmap support for SoCs that protect PMU regs") Cc: <stable(a)vger.kernel.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> --- drivers/soc/samsung/exynos-pmu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/soc/samsung/exynos-pmu.c b/drivers/soc/samsung/exynos-pmu.c index d8c53cec7f37..dd5256e5aae1 100644 --- a/drivers/soc/samsung/exynos-pmu.c +++ b/drivers/soc/samsung/exynos-pmu.c @@ -126,7 +126,7 @@ static int tensor_set_bits_atomic(void *ctx, unsigned int offset, u32 val, if (ret) return ret; } - return ret; + return 0; } static bool tensor_is_atomic(unsigned int reg) -- 2.43.0

5 months, 2 weeks

1
1
0 0

[PATCH] sched/fair: Fix ksmd and kthreadd running on isolated CPU0 on arm64 systems

by wujing

This bug can be reproduced on Kunpeng arm64 and Phytium arm physical machines, as well as in virtual machine environments, based on the linux-4.19.y stable branch: 1. Check the number of CPUs on the system: nproc --all 96 2. Add the parameter isolcpus=0-85 to the grub configuration, update grub, and reboot. 3. Check the ksmd process: ps aux | grep -i ksmd root 502 0.0 0.0 0 0 ? S 10:00 0:00 [ksmd] ps -o pid,psr,comm -p 502 PID PSR COMMAND 502 0 ksmd 4. Check the kthreadd process: ps aux | grep -i kthreadd root 2 0.0 0.0 0 0 ? S 10:00 0:00 [kthreadd] ps -o pid,psr,comm -p 2 PID PSR COMMAND 2 0 kthreadd From the output above, it can be seen that both ksmd and kthreadd are still running on CPU0, which is unreasonable since CPU0 has been isolated. Cc: stable(a)vger.kernel.org # 4.19.x Signed-off-by: wujing <realwujing(a)qq.com> Signed-off-by: QiLiang Yuan <yuanql9(a)chinatelecom.cn> --- kernel/sched/fair.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c index 0950cabfc1d0..454021ff70a1 100644 --- a/kernel/sched/fair.c +++ b/kernel/sched/fair.c @@ -6211,7 +6211,7 @@ static int select_idle_cpu(struct task_struct *p, struct sched_domain *sd, int t this_sd = rcu_dereference(*this_cpu_ptr(&sd_llc)); if (!this_sd) - return -1; + return housekeeping_any_cpu(HK_FLAG_DOMAIN); /* * Due to large variance we need a large fuzz factor; hackbench in -- 2.39.5

5 months, 2 weeks

2
1
0 0

[PATCH] sched/fair: Correct CPU selection from isolated domain

by wujing

From: wujing <realwujing(a)gmail.com> We encountered an issue where the kernel thread `ksmd` runs on the PMD dedicated isolated core, leading to high latency in OVS packets. Upon analysis, we discovered that this is caused by the current select_idle_smt() function not taking the sched_domain mask into account. Kernel version: linux-4.19.y Cc: stable(a)vger.kernel.org # 4.19.x Signed-off-by: wujing <realwujing(a)qq.com> Signed-off-by: QiLiang Yuan <yuanql9(a)chinatelecom.cn> --- kernel/sched/fair.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c index 09f82c84474b..0950cabfc1d0 100644 --- a/kernel/sched/fair.c +++ b/kernel/sched/fair.c @@ -6171,7 +6171,8 @@ static int select_idle_smt(struct task_struct *p, struct sched_domain *sd, int t return -1; for_each_cpu(cpu, cpu_smt_mask(target)) { - if (!cpumask_test_cpu(cpu, &p->cpus_allowed)) + if (!cpumask_test_cpu(cpu, &p->cpus_allowed) || + !cpumask_test_cpu(cpu, sched_domain_span(sd))) continue; if (available_idle_cpu(cpu)) return cpu; -- 2.39.5

5 months, 2 weeks

2
1
0 0

[PATCH] sched/fair: Fix ksmd and kthreadd running on isolated CPU0 on arm64 systems

by wujing

This bug can be reproduced on Kunpeng arm64 and Phytium arm physical machines, as well as in virtual machine environments, based on the linux-4.19.y stable branch: 1. Check the number of CPUs on the system: nproc --all 96 2. Add the parameter isolcpus=0-85 to the grub configuration, update grub, and reboot. 3. Check the ksmd process: ps aux | grep -i ksmd root 502 0.0 0.0 0 0 ? S 10:00 0:00 [ksmd] ps -o pid,psr,comm -p 502 PID PSR COMMAND 502 0 ksmd 4. Check the kthreadd process: ps aux | grep -i kthreadd root 2 0.0 0.0 0 0 ? S 10:00 0:00 [kthreadd] ps -o pid,psr,comm -p 2 PID PSR COMMAND 2 0 kthreadd From the output above, it can be seen that both ksmd and kthreadd are still running on CPU0, which is unreasonable since CPU0 has been isolated. Signed-off-by: wujing <realwujing(a)qq.com> Signed-off-by: QiLiang Yuan <yuanql9(a)chinatelecom.cn> --- kernel/sched/fair.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c index 0950cabfc1d0..454021ff70a1 100644 --- a/kernel/sched/fair.c +++ b/kernel/sched/fair.c @@ -6211,7 +6211,7 @@ static int select_idle_cpu(struct task_struct *p, struct sched_domain *sd, int t this_sd = rcu_dereference(*this_cpu_ptr(&sd_llc)); if (!this_sd) - return -1; + return housekeeping_any_cpu(HK_FLAG_DOMAIN); /* * Due to large variance we need a large fuzz factor; hackbench in -- 2.39.5

5 months, 2 weeks

3
4
0 0

[PATCH v2] [ARM] fix reference leak in locomo_init_one_child()

by Ma Ke

Once device_register() failed, we should call put_device() to decrement reference count for cleanup. Or it could cause memory leak. device_register() includes device_add(). As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - modified the patch as suggestions. --- arch/arm/common/locomo.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/arm/common/locomo.c b/arch/arm/common/locomo.c index 309b74783468..9e48cbb2568e 100644 --- a/arch/arm/common/locomo.c +++ b/arch/arm/common/locomo.c @@ -253,6 +253,8 @@ locomo_init_one_child(struct locomo *lchip, struct locomo_dev_info *info) ret = device_register(&dev->dev); if (ret) { + put_device(&dev->dev); + return ret; out: kfree(dev); } -- 2.25.1

5 months, 2 weeks

2
1
0 0

[PATCH] usb: chipidea: ci_hdrc_imx: decrement device's refcount on the error path of .probe()

by Joe Hattori

Current implementation of ci_hdrc_imx_probe() does not decrement the refcount of the device obtained in usbmisc_get_init_data(). Add a put_device() call before returning an error after the call. This bug was found by an experimental static analysis tool that I am developing. Cc: stable(a)vger.kernel.org Fixes: f40017e0f332 ("chipidea: usbmisc_imx: Add USB support for VF610 SoCs") Signed-off-by: Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> --- drivers/usb/chipidea/ci_hdrc_imx.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/drivers/usb/chipidea/ci_hdrc_imx.c b/drivers/usb/chipidea/ci_hdrc_imx.c index f2801700be8e..6418052264f2 100644 --- a/drivers/usb/chipidea/ci_hdrc_imx.c +++ b/drivers/usb/chipidea/ci_hdrc_imx.c @@ -370,25 +370,29 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev) data->pinctrl = devm_pinctrl_get(dev); if (PTR_ERR(data->pinctrl) == -ENODEV) data->pinctrl = NULL; - else if (IS_ERR(data->pinctrl)) - return dev_err_probe(dev, PTR_ERR(data->pinctrl), + else if (IS_ERR(data->pinctrl)) { + ret = dev_err_probe(dev, PTR_ERR(data->pinctrl), "pinctrl get failed\n"); + goto err_put; + } data->hsic_pad_regulator = devm_regulator_get_optional(dev, "hsic"); if (PTR_ERR(data->hsic_pad_regulator) == -ENODEV) { /* no pad regulator is needed */ data->hsic_pad_regulator = NULL; - } else if (IS_ERR(data->hsic_pad_regulator)) - return dev_err_probe(dev, PTR_ERR(data->hsic_pad_regulator), + } else if (IS_ERR(data->hsic_pad_regulator)) { + ret = dev_err_probe(dev, PTR_ERR(data->hsic_pad_regulator), "Get HSIC pad regulator error\n"); + goto err_put; + } if (data->hsic_pad_regulator) { ret = regulator_enable(data->hsic_pad_regulator); if (ret) { dev_err(dev, "Failed to enable HSIC pad regulator\n"); - return ret; + goto err_put; } } } @@ -402,13 +406,14 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev) dev_err(dev, "pinctrl_hsic_idle lookup failed, err=%ld\n", PTR_ERR(pinctrl_hsic_idle)); - return PTR_ERR(pinctrl_hsic_idle); + ret = PTR_ERR(pinctrl_hsic_idle); + goto err_put; } ret = pinctrl_select_state(data->pinctrl, pinctrl_hsic_idle); if (ret) { dev_err(dev, "hsic_idle select failed, err=%d\n", ret); - return ret; + goto err_put; } data->pinctrl_hsic_active = pinctrl_lookup_state(data->pinctrl, @@ -417,7 +422,8 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev) dev_err(dev, "pinctrl_hsic_active lookup failed, err=%ld\n", PTR_ERR(data->pinctrl_hsic_active)); - return PTR_ERR(data->pinctrl_hsic_active); + ret = PTR_ERR(data->pinctrl_hsic_active); + goto err_put; } } @@ -527,6 +533,8 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev) if (pdata.flags & CI_HDRC_PMQOS) cpu_latency_qos_remove_request(&data->pm_qos_req); data->ci_pdev = NULL; +err_put: + put_device(data->usbmisc_data->dev); return ret; } -- 2.34.1

5 months, 2 weeks

3
3
0 0

[PATCH 2/3] vfs: Fix implicit conversion problem when testing overflow case

by Julian Sun

The overflow check in generic_copy_file_checks() and generic_remap_checks() is now broken because the result of the addition is implicitly converted to an unsigned type, which disrupts the comparison with signed numbers. This caused the kernel to not return EOVERFLOW in copy_file_range() call with len is set to 0xffffffffa003e45bul. Use the check_add_overflow() macro to fix this issue. Reported-and-tested-by: syzbot+296b1c84b9cbf306e5a0(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=296b1c84b9cbf306e5a0 Fixes: 1383a7ed6749 ("vfs: check file ranges before cloning files") Fixes: 96e6e8f4a68d ("vfs: add missing checks to copy_file_range") Inspired-by: Dave Chinner <david(a)fromorbit.com> Reviewed-by: Jan Kara <jack(a)suse.cz> Signed-off-by: Julian Sun <sunjunchao2870(a)gmail.com> --- fs/read_write.c | 5 +++-- fs/remap_range.c | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/fs/read_write.c b/fs/read_write.c index 070a7c33b9dd..5211246edc2e 100644 --- a/fs/read_write.c +++ b/fs/read_write.c @@ -1509,7 +1509,7 @@ static int generic_copy_file_checks(struct file *file_in, loff_t pos_in, struct inode *inode_in = file_inode(file_in); struct inode *inode_out = file_inode(file_out); uint64_t count = *req_count; - loff_t size_in; + loff_t size_in, tmp; int ret; ret = generic_file_rw_checks(file_in, file_out); @@ -1544,7 +1544,8 @@ static int generic_copy_file_checks(struct file *file_in, loff_t pos_in, return -ETXTBSY; /* Ensure offsets don't wrap. */ - if (pos_in + count < pos_in || pos_out + count < pos_out) + if (check_add_overflow(pos_in, count, &tmp) || + check_add_overflow(pos_out, count, &tmp)) return -EOVERFLOW; /* Shorten the copy to EOF */ diff --git a/fs/remap_range.c b/fs/remap_range.c index 28246dfc8485..6fdeb3c8cb70 100644 --- a/fs/remap_range.c +++ b/fs/remap_range.c @@ -36,7 +36,7 @@ static int generic_remap_checks(struct file *file_in, loff_t pos_in, struct inode *inode_out = file_out->f_mapping->host; uint64_t count = *req_count; uint64_t bcount; - loff_t size_in, size_out; + loff_t size_in, size_out, tmp; loff_t bs = inode_out->i_sb->s_blocksize; int ret; @@ -45,7 +45,8 @@ static int generic_remap_checks(struct file *file_in, loff_t pos_in, return -EINVAL; /* Ensure offsets don't wrap. */ - if (pos_in + count < pos_in || pos_out + count < pos_out) + if (check_add_overflow(pos_in, count, &tmp) || + check_add_overflow(pos_out, count, &tmp)) return -EINVAL; size_in = i_size_read(inode_in); -- 2.39.2

5 months, 2 weeks

5
7
0 0

[PATCH 6.1.y] i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition

by jianqi.ren.cn＠windriver.com

From: Kaixin Wang <kxwang23(a)m.fudan.edu.cn> [ Upstream commit 609366e7a06d035990df78f1562291c3bf0d4a12 ] In the cdns_i3c_master_probe function, &master->hj_work is bound with cdns_i3c_master_hj. And cdns_i3c_master_interrupt can call cnds_i3c_master_demux_ibis function to start the work. If we remove the module which will call cdns_i3c_master_remove to make cleanup, it will free master->base through i3c_master_unregister while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | cdns_i3c_master_hj cdns_i3c_master_remove | i3c_master_unregister(&master->base) | device_unregister(&master->dev) | device_release | //free master->base | | i3c_master_do_daa(&master->base) | //use master->base Fix it by ensuring that the work is canceled before proceeding with the cleanup in cdns_i3c_master_remove. Signed-off-by: Kaixin Wang <kxwang23(a)m.fudan.edu.cn> Link: https://lore.kernel.org/r/20240911153544.848398-1-kxwang23@m.fudan.edu.cn Signed-off-by: Alexandre Belloni <alexandre.belloni(a)bootlin.com> Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> --- drivers/i3c/master/i3c-master-cdns.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/i3c/master/i3c-master-cdns.c b/drivers/i3c/master/i3c-master-cdns.c index 35b90bb686ad..c5a37f58079a 100644 --- a/drivers/i3c/master/i3c-master-cdns.c +++ b/drivers/i3c/master/i3c-master-cdns.c @@ -1667,6 +1667,7 @@ static int cdns_i3c_master_remove(struct platform_device *pdev) { struct cdns_i3c_master *master = platform_get_drvdata(pdev); + cancel_work_sync(&master->hj_work); i3c_master_unregister(&master->base); clk_disable_unprepare(master->sysclk); -- 2.25.1

5 months, 2 weeks

2
1
0 0

[PATCH] Input: Fix error handling in input_register_device()

by Ma Ke

When device_add(&dev->dev) failed, calling put_device() to explicitly release dev->dev. Otherwise, it could cause double free problem. As comment of device_add() says, if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 0cd587735205 ("Input: preallocate memory to hold event values") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/input/input.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/input/input.c b/drivers/input/input.c index 7f0477e04ad2..a0a36aa90ecc 100644 --- a/drivers/input/input.c +++ b/drivers/input/input.c @@ -2456,8 +2456,10 @@ int input_register_device(struct input_dev *dev) input_dev_poller_finalize(dev->poller); error = device_add(&dev->dev); - if (error) + if (error) { + put_device(&dev->dev); goto err_devres_free; + } path = kobject_get_path(&dev->dev.kobj, GFP_KERNEL); pr_info("%s as %s\n", -- 2.25.1

5 months, 2 weeks

2
1
0 0

[PATCH] hugetlb: fix NULL pointer dereference in trace_hugetlbfs_alloc_inode

by Muchun Song

hugetlb_file_setup() will pass a NULL @dir to hugetlbfs_get_inode(), so we will access a NULL pointer for @dir. Fix it and set __entry->dr to 0 if @dir is NULL. Because ->i_ino cannot be 0 (see get_next_ino()), there is no confusing if user sees a 0 inode number. Fixes: 318580ad7f28 ("hugetlbfs: support tracepoint") Cc: stable(a)vger.kernel.org Reported-by: Cheung Wall <zzqq0103.hey(a)gmail.com> Closes: https://lore.kernel.org/linux-mm/02858D60-43C1-4863-A84F-3C76A8AF1F15@linux… Signed-off-by: Muchun Song <songmuchun(a)bytedance.com> --- include/trace/events/hugetlbfs.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/trace/events/hugetlbfs.h b/include/trace/events/hugetlbfs.h index 8331c904a9ba8..59605dfaeeb43 100644 --- a/include/trace/events/hugetlbfs.h +++ b/include/trace/events/hugetlbfs.h @@ -23,7 +23,7 @@ TRACE_EVENT(hugetlbfs_alloc_inode, TP_fast_assign( __entry->dev = inode->i_sb->s_dev; __entry->ino = inode->i_ino; - __entry->dir = dir->i_ino; + __entry->dir = dir ? dir->i_ino : 0; __entry->mode = mode; ), -- 2.20.1

5 months, 2 weeks

2
1
0 0

[REGRESSION] amdgpu: thinkpad e495 backlight brightness resets after suspend

by Siva Mahadevan

#regzbot introduced: 99a02eab8 Observed behaviour: linux-stable v6.12.5 has a regression on my thinkpad e495 where suspend/resume of the laptop results in my backlight brightness settings to be reset to some very high value. After resume, I'm able to increase brightness further until max brightness, but I'm not able to decrease it anymore. Behaviour prior to regression: linux-stable v6.12.4 correctly maintains the same brightness setting on the backlight that was set prior to suspend/resume. Notes: I bisected this issue between v6.12.4 and v6.12.5 to commit 99a02eab8 titled "drm/amdgpu: rework resume handling for display (v2)". Hardware: * lenovo thinkpad e495 * AMD Ryzen 5 3500U with Radeon Vega Mobile Gfx * VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Picasso/Raven 2 [Radeon Vega Series / Radeon Vega Mobile Series] (rev c2)

5 months, 2 weeks

3
4
0 0

[PATCH stable 6.6] bpf: support non-r10 register spill/fill to/from stack in precision tracking

by Shung-Hsi Yu

From: Andrii Nakryiko <andrii(a)kernel.org> [ Upstream commit 41f6f64e6999a837048b1bd13a2f8742964eca6b ] Use instruction (jump) history to record instructions that performed register spill/fill to/from stack, regardless if this was done through read-only r10 register, or any other register after copying r10 into it *and* potentially adjusting offset. To make this work reliably, we push extra per-instruction flags into instruction history, encoding stack slot index (spi) and stack frame number in extra 10 bit flags we take away from prev_idx in instruction history. We don't touch idx field for maximum performance, as it's checked most frequently during backtracking. This change removes basically the last remaining practical limitation of precision backtracking logic in BPF verifier. It fixes known deficiencies, but also opens up new opportunities to reduce number of verified states, explored in the subsequent patches. There are only three differences in selftests' BPF object files according to veristat, all in the positive direction (less states). File Program Insns (A) Insns (B) Insns (DIFF) States (A) States (B) States (DIFF) -------------------------------------- ------------- --------- --------- ------------- ---------- ---------- ------------- test_cls_redirect_dynptr.bpf.linked3.o cls_redirect 2987 2864 -123 (-4.12%) 240 231 -9 (-3.75%) xdp_synproxy_kern.bpf.linked3.o syncookie_tc 82848 82661 -187 (-0.23%) 5107 5073 -34 (-0.67%) xdp_synproxy_kern.bpf.linked3.o syncookie_xdp 85116 84964 -152 (-0.18%) 5162 5130 -32 (-0.62%) Note, I avoided renaming jmp_history to more generic insn_hist to minimize number of lines changed and potential merge conflicts between bpf and bpf-next trees. Notice also cur_hist_entry pointer reset to NULL at the beginning of instruction verification loop. This pointer avoids the problem of relying on last jump history entry's insn_idx to determine whether we already have entry for current instruction or not. It can happen that we added jump history entry because current instruction is_jmp_point(), but also we need to add instruction flags for stack access. In this case, we don't want to entries, so we need to reuse last added entry, if it is present. Relying on insn_idx comparison has the same ambiguity problem as the one that was fixed recently in [0], so we avoid that. [0] https://patchwork.kernel.org/project/netdevbpf/patch/20231110002638.4168352… Acked-by: Eduard Zingerman <eddyz87(a)gmail.com> Reported-by: Tao Lyu <tao.lyu(a)epfl.ch> Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org> Link: https://lore.kernel.org/r/20231205184248.1502704-2-andrii@kernel.org Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Shung-Hsi Yu <shung-hsi.yu(a)suse.com> --- This is a backport to fix CVE-2023-52920[1] 1: https://lore.kernel.org/linux-cve-announce/2024110518-CVE-2023-52920-17f6@g… --- include/linux/bpf_verifier.h | 33 +++- kernel/bpf/verifier.c | 175 ++++++++++-------- .../bpf/progs/verifier_subprog_precision.c | 23 ++- .../testing/selftests/bpf/verifier/precise.c | 38 ++-- 4 files changed, 170 insertions(+), 99 deletions(-) diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h index 92919d52f7e1..cb8e97665eaa 100644 --- a/include/linux/bpf_verifier.h +++ b/include/linux/bpf_verifier.h @@ -319,12 +319,34 @@ struct bpf_func_state { struct bpf_stack_state *stack; }; -struct bpf_idx_pair { - u32 prev_idx; - u32 idx; +#define MAX_CALL_FRAMES 8 + +/* instruction history flags, used in bpf_jmp_history_entry.flags field */ +enum { + /* instruction references stack slot through PTR_TO_STACK register; + * we also store stack's frame number in lower 3 bits (MAX_CALL_FRAMES is 8) + * and accessed stack slot's index in next 6 bits (MAX_BPF_STACK is 512, + * 8 bytes per slot, so slot index (spi) is [0, 63]) + */ + INSN_F_FRAMENO_MASK = 0x7, /* 3 bits */ + + INSN_F_SPI_MASK = 0x3f, /* 6 bits */ + INSN_F_SPI_SHIFT = 3, /* shifted 3 bits to the left */ + + INSN_F_STACK_ACCESS = BIT(9), /* we need 10 bits total */ +}; + +static_assert(INSN_F_FRAMENO_MASK + 1 >= MAX_CALL_FRAMES); +static_assert(INSN_F_SPI_MASK + 1 >= MAX_BPF_STACK / 8); + +struct bpf_jmp_history_entry { + u32 idx; + /* insn idx can't be bigger than 1 million */ + u32 prev_idx : 22; + /* special flags, e.g., whether insn is doing register stack spill/load */ + u32 flags : 10; }; -#define MAX_CALL_FRAMES 8 /* Maximum number of register states that can exist at once */ #define BPF_ID_MAP_SIZE ((MAX_BPF_REG + MAX_BPF_STACK / BPF_REG_SIZE) * MAX_CALL_FRAMES) struct bpf_verifier_state { @@ -407,7 +429,7 @@ struct bpf_verifier_state { * For most states jmp_history_cnt is [0-3]. * For loops can go up to ~40. */ - struct bpf_idx_pair *jmp_history; + struct bpf_jmp_history_entry *jmp_history; u32 jmp_history_cnt; u32 dfs_depth; u32 callback_unroll_depth; @@ -640,6 +662,7 @@ struct bpf_verifier_env { int cur_stack; } cfg; struct backtrack_state bt; + struct bpf_jmp_history_entry *cur_hist_ent; u32 pass_cnt; /* number of times do_check() was called */ u32 subprog_cnt; /* number of instructions analyzed by the verifier */ diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 4f19a091571b..5ca02af3a872 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -1762,8 +1762,8 @@ static int copy_verifier_state(struct bpf_verifier_state *dst_state, int i, err; dst_state->jmp_history = copy_array(dst_state->jmp_history, src->jmp_history, - src->jmp_history_cnt, sizeof(struct bpf_idx_pair), - GFP_USER); + src->jmp_history_cnt, sizeof(*dst_state->jmp_history), + GFP_USER); if (!dst_state->jmp_history) return -ENOMEM; dst_state->jmp_history_cnt = src->jmp_history_cnt; @@ -3397,6 +3397,21 @@ static int check_reg_arg(struct bpf_verifier_env *env, u32 regno, return __check_reg_arg(env, state->regs, regno, t); } +static int insn_stack_access_flags(int frameno, int spi) +{ + return INSN_F_STACK_ACCESS | (spi << INSN_F_SPI_SHIFT) | frameno; +} + +static int insn_stack_access_spi(int insn_flags) +{ + return (insn_flags >> INSN_F_SPI_SHIFT) & INSN_F_SPI_MASK; +} + +static int insn_stack_access_frameno(int insn_flags) +{ + return insn_flags & INSN_F_FRAMENO_MASK; +} + static void mark_jmp_point(struct bpf_verifier_env *env, int idx) { env->insn_aux_data[idx].jmp_point = true; @@ -3408,28 +3423,51 @@ static bool is_jmp_point(struct bpf_verifier_env *env, int insn_idx) } /* for any branch, call, exit record the history of jmps in the given state */ -static int push_jmp_history(struct bpf_verifier_env *env, - struct bpf_verifier_state *cur) +static int push_jmp_history(struct bpf_verifier_env *env, struct bpf_verifier_state *cur, + int insn_flags) { u32 cnt = cur->jmp_history_cnt; - struct bpf_idx_pair *p; + struct bpf_jmp_history_entry *p; size_t alloc_size; - if (!is_jmp_point(env, env->insn_idx)) + /* combine instruction flags if we already recorded this instruction */ + if (env->cur_hist_ent) { + /* atomic instructions push insn_flags twice, for READ and + * WRITE sides, but they should agree on stack slot + */ + WARN_ONCE((env->cur_hist_ent->flags & insn_flags) && + (env->cur_hist_ent->flags & insn_flags) != insn_flags, + "verifier insn history bug: insn_idx %d cur flags %x new flags %x\n", + env->insn_idx, env->cur_hist_ent->flags, insn_flags); + env->cur_hist_ent->flags |= insn_flags; return 0; + } cnt++; alloc_size = kmalloc_size_roundup(size_mul(cnt, sizeof(*p))); p = krealloc(cur->jmp_history, alloc_size, GFP_USER); if (!p) return -ENOMEM; - p[cnt - 1].idx = env->insn_idx; - p[cnt - 1].prev_idx = env->prev_insn_idx; cur->jmp_history = p; + + p = &cur->jmp_history[cnt - 1]; + p->idx = env->insn_idx; + p->prev_idx = env->prev_insn_idx; + p->flags = insn_flags; cur->jmp_history_cnt = cnt; + env->cur_hist_ent = p; + return 0; } +static struct bpf_jmp_history_entry *get_jmp_hist_entry(struct bpf_verifier_state *st, + u32 hist_end, int insn_idx) +{ + if (hist_end > 0 && st->jmp_history[hist_end - 1].idx == insn_idx) + return &st->jmp_history[hist_end - 1]; + return NULL; +} + /* Backtrack one insn at a time. If idx is not at the top of recorded * history then previous instruction came from straight line execution. * Return -ENOENT if we exhausted all instructions within given state. @@ -3591,9 +3629,14 @@ static inline bool bt_is_reg_set(struct backtrack_state *bt, u32 reg) return bt->reg_masks[bt->frame] & (1 << reg); } +static inline bool bt_is_frame_slot_set(struct backtrack_state *bt, u32 frame, u32 slot) +{ + return bt->stack_masks[frame] & (1ull << slot); +} + static inline bool bt_is_slot_set(struct backtrack_state *bt, u32 slot) { - return bt->stack_masks[bt->frame] & (1ull << slot); + return bt_is_frame_slot_set(bt, bt->frame, slot); } /* format registers bitmask, e.g., "r0,r2,r4" for 0x15 mask */ @@ -3647,7 +3690,7 @@ static bool calls_callback(struct bpf_verifier_env *env, int insn_idx); * - *was* processed previously during backtracking. */ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx, - struct backtrack_state *bt) + struct bpf_jmp_history_entry *hist, struct backtrack_state *bt) { const struct bpf_insn_cbs cbs = { .cb_call = disasm_kfunc_name, @@ -3660,7 +3703,7 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx, u8 mode = BPF_MODE(insn->code); u32 dreg = insn->dst_reg; u32 sreg = insn->src_reg; - u32 spi, i; + u32 spi, i, fr; if (insn->code == 0) return 0; @@ -3723,20 +3766,15 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx, * by 'precise' mark in corresponding register of this state. * No further tracking necessary. */ - if (insn->src_reg != BPF_REG_FP) + if (!hist || !(hist->flags & INSN_F_STACK_ACCESS)) return 0; - /* dreg = *(u64 *)[fp - off] was a fill from the stack. * that [fp - off] slot contains scalar that needs to be * tracked with precision */ - spi = (-insn->off - 1) / BPF_REG_SIZE; - if (spi >= 64) { - verbose(env, "BUG spi %d\n", spi); - WARN_ONCE(1, "verifier backtracking bug"); - return -EFAULT; - } - bt_set_slot(bt, spi); + spi = insn_stack_access_spi(hist->flags); + fr = insn_stack_access_frameno(hist->flags); + bt_set_frame_slot(bt, fr, spi); } else if (class == BPF_STX || class == BPF_ST) { if (bt_is_reg_set(bt, dreg)) /* stx & st shouldn't be using _scalar_ dst_reg @@ -3745,17 +3783,13 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx, */ return -ENOTSUPP; /* scalars can only be spilled into stack */ - if (insn->dst_reg != BPF_REG_FP) + if (!hist || !(hist->flags & INSN_F_STACK_ACCESS)) return 0; - spi = (-insn->off - 1) / BPF_REG_SIZE; - if (spi >= 64) { - verbose(env, "BUG spi %d\n", spi); - WARN_ONCE(1, "verifier backtracking bug"); - return -EFAULT; - } - if (!bt_is_slot_set(bt, spi)) + spi = insn_stack_access_spi(hist->flags); + fr = insn_stack_access_frameno(hist->flags); + if (!bt_is_frame_slot_set(bt, fr, spi)) return 0; - bt_clear_slot(bt, spi); + bt_clear_frame_slot(bt, fr, spi); if (class == BPF_STX) bt_set_reg(bt, sreg); } else if (class == BPF_JMP || class == BPF_JMP32) { @@ -3799,10 +3833,14 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx, WARN_ONCE(1, "verifier backtracking bug"); return -EFAULT; } - /* we don't track register spills perfectly, - * so fallback to force-precise instead of failing */ - if (bt_stack_mask(bt) != 0) - return -ENOTSUPP; + /* we are now tracking register spills correctly, + * so any instance of leftover slots is a bug + */ + if (bt_stack_mask(bt) != 0) { + verbose(env, "BUG stack slots %llx\n", bt_stack_mask(bt)); + WARN_ONCE(1, "verifier backtracking bug (subprog leftover stack slots)"); + return -EFAULT; + } /* propagate r1-r5 to the caller */ for (i = BPF_REG_1; i <= BPF_REG_5; i++) { if (bt_is_reg_set(bt, i)) { @@ -3827,8 +3865,11 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx, WARN_ONCE(1, "verifier backtracking bug"); return -EFAULT; } - if (bt_stack_mask(bt) != 0) - return -ENOTSUPP; + if (bt_stack_mask(bt) != 0) { + verbose(env, "BUG stack slots %llx\n", bt_stack_mask(bt)); + WARN_ONCE(1, "verifier backtracking bug (callback leftover stack slots)"); + return -EFAULT; + } /* clear r1-r5 in callback subprog's mask */ for (i = BPF_REG_1; i <= BPF_REG_5; i++) bt_clear_reg(bt, i); @@ -4265,6 +4306,7 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int regno) for (;;) { DECLARE_BITMAP(mask, 64); u32 history = st->jmp_history_cnt; + struct bpf_jmp_history_entry *hist; if (env->log.level & BPF_LOG_LEVEL2) { verbose(env, "mark_precise: frame%d: last_idx %d first_idx %d subseq_idx %d \n", @@ -4328,7 +4370,8 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int regno) err = 0; skip_first = false; } else { - err = backtrack_insn(env, i, subseq_idx, bt); + hist = get_jmp_hist_entry(st, history, i); + err = backtrack_insn(env, i, subseq_idx, hist, bt); } if (err == -ENOTSUPP) { mark_all_scalars_precise(env, env->cur_state); @@ -4381,22 +4424,10 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int regno) bitmap_from_u64(mask, bt_frame_stack_mask(bt, fr)); for_each_set_bit(i, mask, 64) { if (i >= func->allocated_stack / BPF_REG_SIZE) { - /* the sequence of instructions: - * 2: (bf) r3 = r10 - * 3: (7b) *(u64 *)(r3 -8) = r0 - * 4: (79) r4 = *(u64 *)(r10 -8) - * doesn't contain jmps. It's backtracked - * as a single block. - * During backtracking insn 3 is not recognized as - * stack access, so at the end of backtracking - * stack slot fp-8 is still marked in stack_mask. - * However the parent state may not have accessed - * fp-8 and it's "unallocated" stack space. - * In such case fallback to conservative. - */ - mark_all_scalars_precise(env, env->cur_state); - bt_reset(bt); - return 0; + verbose(env, "BUG backtracking (stack slot %d, total slots %d)\n", + i, func->allocated_stack / BPF_REG_SIZE); + WARN_ONCE(1, "verifier backtracking bug (stack slot out of bounds)"); + return -EFAULT; } if (!is_spilled_scalar_reg(&func->stack[i])) { @@ -4561,7 +4592,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, int i, slot = -off - 1, spi = slot / BPF_REG_SIZE, err; struct bpf_insn *insn = &env->prog->insnsi[insn_idx]; struct bpf_reg_state *reg = NULL; - u32 dst_reg = insn->dst_reg; + int insn_flags = insn_stack_access_flags(state->frameno, spi); /* caller checked that off % size == 0 and -MAX_BPF_STACK <= off < 0, * so it's aligned access and [off, off + size) are within stack limits @@ -4599,17 +4630,6 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, mark_stack_slot_scratched(env, spi); if (reg && !(off % BPF_REG_SIZE) && register_is_bounded(reg) && !register_is_null(reg) && env->bpf_capable) { - if (dst_reg != BPF_REG_FP) { - /* The backtracking logic can only recognize explicit - * stack slot address like [fp - 8]. Other spill of - * scalar via different register has to be conservative. - * Backtrack from here and mark all registers as precise - * that contributed into 'reg' being a constant. - */ - err = mark_chain_precision(env, value_regno); - if (err) - return err; - } save_register_state(state, spi, reg, size); /* Break the relation on a narrowing spill. */ if (fls64(reg->umax_value) > BITS_PER_BYTE * size) @@ -4621,6 +4641,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, __mark_reg_known(&fake_reg, insn->imm); fake_reg.type = SCALAR_VALUE; save_register_state(state, spi, &fake_reg, size); + insn_flags = 0; /* not a register spill */ } else if (reg && is_spillable_regtype(reg->type)) { /* register containing pointer is being spilled into stack */ if (size != BPF_REG_SIZE) { @@ -4666,9 +4687,12 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, /* Mark slots affected by this stack write. */ for (i = 0; i < size; i++) - state->stack[spi].slot_type[(slot - i) % BPF_REG_SIZE] = - type; + state->stack[spi].slot_type[(slot - i) % BPF_REG_SIZE] = type; + insn_flags = 0; /* not a register spill */ } + + if (insn_flags) + return push_jmp_history(env, env->cur_state, insn_flags); return 0; } @@ -4857,6 +4881,7 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env, int i, slot = -off - 1, spi = slot / BPF_REG_SIZE; struct bpf_reg_state *reg; u8 *stype, type; + int insn_flags = insn_stack_access_flags(reg_state->frameno, spi); stype = reg_state->stack[spi].slot_type; reg = &reg_state->stack[spi].spilled_ptr; @@ -4902,12 +4927,10 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env, return -EACCES; } mark_reg_unknown(env, state->regs, dst_regno); + insn_flags = 0; /* not restoring original register state */ } state->regs[dst_regno].live |= REG_LIVE_WRITTEN; - return 0; - } - - if (dst_regno >= 0) { + } else if (dst_regno >= 0) { /* restore register state from stack */ copy_register_state(&state->regs[dst_regno], reg); /* mark reg as written since spilled pointer state likely @@ -4943,7 +4966,10 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env, mark_reg_read(env, reg, reg->parent, REG_LIVE_READ64); if (dst_regno >= 0) mark_reg_stack_read(env, reg_state, off, off + size, dst_regno); + insn_flags = 0; /* we are not restoring spilled register */ } + if (insn_flags) + return push_jmp_history(env, env->cur_state, insn_flags); return 0; } @@ -7027,7 +7053,6 @@ static int check_atomic(struct bpf_verifier_env *env, int insn_idx, struct bpf_i BPF_SIZE(insn->code), BPF_WRITE, -1, true, false); if (err) return err; - return 0; } @@ -16773,7 +16798,8 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx) * the precision needs to be propagated back in * the current state. */ - err = err ? : push_jmp_history(env, cur); + if (is_jmp_point(env, env->insn_idx)) + err = err ? : push_jmp_history(env, cur, 0); err = err ? : propagate_precision(env, &sl->state); if (err) return err; @@ -16997,6 +17023,9 @@ static int do_check(struct bpf_verifier_env *env) u8 class; int err; + /* reset current history entry on each new instruction */ + env->cur_hist_ent = NULL; + env->prev_insn_idx = prev_insn_idx; if (env->insn_idx >= insn_cnt) { verbose(env, "invalid insn idx %d insn_cnt %d\n", @@ -17036,7 +17065,7 @@ static int do_check(struct bpf_verifier_env *env) } if (is_jmp_point(env, env->insn_idx)) { - err = push_jmp_history(env, state); + err = push_jmp_history(env, state, 0); if (err) return err; } diff --git a/tools/testing/selftests/bpf/progs/verifier_subprog_precision.c b/tools/testing/selftests/bpf/progs/verifier_subprog_precision.c index f61d623b1ce8..f87365f7599b 100644 --- a/tools/testing/selftests/bpf/progs/verifier_subprog_precision.c +++ b/tools/testing/selftests/bpf/progs/verifier_subprog_precision.c @@ -541,11 +541,24 @@ static __u64 subprog_spill_reg_precise(void) SEC("?raw_tp") __success __log_level(2) -/* precision backtracking can't currently handle stack access not through r10, - * so we won't be able to mark stack slot fp-8 as precise, and so will - * fallback to forcing all as precise - */ -__msg("mark_precise: frame0: falling back to forcing all scalars precise") +__msg("10: (0f) r1 += r7") +__msg("mark_precise: frame0: last_idx 10 first_idx 7 subseq_idx -1") +__msg("mark_precise: frame0: regs=r7 stack= before 9: (bf) r1 = r8") +__msg("mark_precise: frame0: regs=r7 stack= before 8: (27) r7 *= 4") +__msg("mark_precise: frame0: regs=r7 stack= before 7: (79) r7 = *(u64 *)(r10 -8)") +__msg("mark_precise: frame0: parent state regs= stack=-8: R0_w=2 R6_w=1 R8_rw=map_value(map=.data.vals,ks=4,vs=16) R10=fp0 fp-8_rw=P1") +__msg("mark_precise: frame0: last_idx 18 first_idx 0 subseq_idx 7") +__msg("mark_precise: frame0: regs= stack=-8 before 18: (95) exit") +__msg("mark_precise: frame1: regs= stack= before 17: (0f) r0 += r2") +__msg("mark_precise: frame1: regs= stack= before 16: (79) r2 = *(u64 *)(r1 +0)") +__msg("mark_precise: frame1: regs= stack= before 15: (79) r0 = *(u64 *)(r10 -16)") +__msg("mark_precise: frame1: regs= stack= before 14: (7b) *(u64 *)(r10 -16) = r2") +__msg("mark_precise: frame1: regs= stack= before 13: (7b) *(u64 *)(r1 +0) = r2") +__msg("mark_precise: frame1: regs=r2 stack= before 6: (85) call pc+6") +__msg("mark_precise: frame0: regs=r2 stack= before 5: (bf) r2 = r6") +__msg("mark_precise: frame0: regs=r6 stack= before 4: (07) r1 += -8") +__msg("mark_precise: frame0: regs=r6 stack= before 3: (bf) r1 = r10") +__msg("mark_precise: frame0: regs=r6 stack= before 2: (b7) r6 = 1") __naked int subprog_spill_into_parent_stack_slot_precise(void) { asm volatile ( diff --git a/tools/testing/selftests/bpf/verifier/precise.c b/tools/testing/selftests/bpf/verifier/precise.c index 0d84dd1f38b6..8a2ff81d8350 100644 --- a/tools/testing/selftests/bpf/verifier/precise.c +++ b/tools/testing/selftests/bpf/verifier/precise.c @@ -140,10 +140,11 @@ .result = REJECT, }, { - "precise: ST insn causing spi > allocated_stack", + "precise: ST zero to stack insn is supported", .insns = { BPF_MOV64_REG(BPF_REG_3, BPF_REG_10), BPF_JMP_IMM(BPF_JNE, BPF_REG_3, 123, 0), + /* not a register spill, so we stop precision propagation for R4 here */ BPF_ST_MEM(BPF_DW, BPF_REG_3, -8, 0), BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8), BPF_MOV64_IMM(BPF_REG_0, -1), @@ -157,11 +158,11 @@ mark_precise: frame0: last_idx 4 first_idx 2\ mark_precise: frame0: regs=r4 stack= before 4\ mark_precise: frame0: regs=r4 stack= before 3\ - mark_precise: frame0: regs= stack=-8 before 2\ - mark_precise: frame0: falling back to forcing all scalars precise\ - force_precise: frame0: forcing r0 to be precise\ mark_precise: frame0: last_idx 5 first_idx 5\ - mark_precise: frame0: parent state regs= stack=:", + mark_precise: frame0: parent state regs=r0 stack=:\ + mark_precise: frame0: last_idx 4 first_idx 2\ + mark_precise: frame0: regs=r0 stack= before 4\ + 5: R0=-1 R4=0", .result = VERBOSE_ACCEPT, .retval = -1, }, @@ -169,6 +170,8 @@ "precise: STX insn causing spi > allocated_stack", .insns = { BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32), + /* make later reg spill more interesting by having somewhat known scalar */ + BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff), BPF_MOV64_REG(BPF_REG_3, BPF_REG_10), BPF_JMP_IMM(BPF_JNE, BPF_REG_3, 123, 0), BPF_STX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, -8), @@ -179,18 +182,21 @@ }, .prog_type = BPF_PROG_TYPE_XDP, .flags = BPF_F_TEST_STATE_FREQ, - .errstr = "mark_precise: frame0: last_idx 6 first_idx 6\ + .errstr = "mark_precise: frame0: last_idx 7 first_idx 7\ mark_precise: frame0: parent state regs=r4 stack=:\ - mark_precise: frame0: last_idx 5 first_idx 3\ - mark_precise: frame0: regs=r4 stack= before 5\ - mark_precise: frame0: regs=r4 stack= before 4\ - mark_precise: frame0: regs= stack=-8 before 3\ - mark_precise: frame0: falling back to forcing all scalars precise\ - force_precise: frame0: forcing r0 to be precise\ - force_precise: frame0: forcing r0 to be precise\ - force_precise: frame0: forcing r0 to be precise\ - force_precise: frame0: forcing r0 to be precise\ - mark_precise: frame0: last_idx 6 first_idx 6\ + mark_precise: frame0: last_idx 6 first_idx 4\ + mark_precise: frame0: regs=r4 stack= before 6: (b7) r0 = -1\ + mark_precise: frame0: regs=r4 stack= before 5: (79) r4 = *(u64 *)(r10 -8)\ + mark_precise: frame0: regs= stack=-8 before 4: (7b) *(u64 *)(r3 -8) = r0\ + mark_precise: frame0: parent state regs=r0 stack=:\ + mark_precise: frame0: last_idx 3 first_idx 3\ + mark_precise: frame0: regs=r0 stack= before 3: (55) if r3 != 0x7b goto pc+0\ + mark_precise: frame0: regs=r0 stack= before 2: (bf) r3 = r10\ + mark_precise: frame0: regs=r0 stack= before 1: (57) r0 &= 255\ + mark_precise: frame0: parent state regs=r0 stack=:\ + mark_precise: frame0: last_idx 0 first_idx 0\ + mark_precise: frame0: regs=r0 stack= before 0: (85) call bpf_get_prandom_u32#7\ + mark_precise: frame0: last_idx 7 first_idx 7\ mark_precise: frame0: parent state regs= stack=:", .result = VERBOSE_ACCEPT, .retval = -1, -- 2.47.0

5 months, 2 weeks

3
5
0 0

[PATCH] PCI: fix reference leak in pci_register_host_bridge()

by Ma Ke

Once device_register() failed, we should call put_device() to decrement reference count for cleanup. Or it could cause memory leak. device_register() includes device_add(). As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 37d6a0a6f470 ("PCI: Add pci_register_host_bridge() interface") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/pci/probe.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c index 2e81ab0f5a25..73464ffbb0fc 100644 --- a/drivers/pci/probe.c +++ b/drivers/pci/probe.c @@ -974,8 +974,10 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge) name = dev_name(&bus->dev); err = device_register(&bus->dev); - if (err) + if (err) { + put_device(&bus->dev); goto unregister; + } pcibios_add_bus(bus); -- 2.25.1

5 months, 2 weeks

2
1
0 0

[PATCH v2, 2/2] usb: typec: tcpm: fix the sender response time issue

by joswang

From: Jos Wang <joswang(a)lenovo.com> According to the USB PD3 CTS specification (https://usb.org/document-library/ usb-power-delivery-compliance-test-specification-0/ USB_PD3_CTS_Q4_2024_OR.zip), the requirements for tSenderResponse are different in PD2 and PD3 modes, see Table 19 Timing Table & Calculations. For PD2 mode, the tSenderResponse min 24ms and max 30ms; for PD3 mode, the tSenderResponse min 27ms and max 33ms. For the "TEST.PD.PROT.SRC.2 Get_Source_Cap No Request" test item, after receiving the Source_Capabilities Message sent by the UUT, the tester deliberately does not send a Request Message in order to force the SenderResponse timer on the Source UUT to timeout. The Tester checks that a Hard Reset is detected between tSenderResponse min and max，the delay is between the last bit of the GoodCRC Message EOP has been sent and the first bit of Hard Reset SOP has been received. The current code does not distinguish between PD2 and PD3 modes, and tSenderResponse defaults to 60ms. This will cause this test item and the following tests to fail: TEST.PD.PROT.SRC3.2 SenderResponseTimer Timeout TEST.PD.PROT.SNK.6 SenderResponseTimer Timeout Considering factors such as SOC performance, i2c rate, and the speed of PD chip sending data, "pd2-sender-response-time-ms" and "pd3-sender-response-time-ms" DT time properties are added to allow users to define platform timing. For values that have not been explicitly defined in DT using this property, a default value of 27ms for PD2 tSenderResponse and 30ms for PD3 tSenderResponse is set. Fixes: 2eadc33f40d4 ("typec: tcpm: Add core support for sink side PPS") Cc: stable(a)vger.kernel.org Signed-off-by: Jos Wang <joswang(a)lenovo.com> --- v1 -> v2: - modify the commit message - patch 1/2 and patch 2/2 are placed in the same thread drivers/usb/typec/tcpm/tcpm.c | 50 +++++++++++++++++++++++------------ include/linux/usb/pd.h | 3 ++- 2 files changed, 35 insertions(+), 18 deletions(-) diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c index 6021eeb903fe..3a159bfcf382 100644 --- a/drivers/usb/typec/tcpm/tcpm.c +++ b/drivers/usb/typec/tcpm/tcpm.c @@ -314,12 +314,16 @@ struct pd_data { * @sink_wait_cap_time: Deadline (in ms) for tTypeCSinkWaitCap timer * @ps_src_wait_off_time: Deadline (in ms) for tPSSourceOff timer * @cc_debounce_time: Deadline (in ms) for tCCDebounce timer + * @pd2_sender_response_time: Deadline (in ms) for pd20 tSenderResponse timer + * @pd3_sender_response_time: Deadline (in ms) for pd30 tSenderResponse timer */ struct pd_timings { u32 sink_wait_cap_time; u32 ps_src_off_time; u32 cc_debounce_time; u32 snk_bc12_cmpletion_time; + u32 pd2_sender_response_time; + u32 pd3_sender_response_time; }; struct tcpm_port { @@ -3776,7 +3780,9 @@ static bool tcpm_send_queued_message(struct tcpm_port *port) } else if (port->pwr_role == TYPEC_SOURCE) { tcpm_ams_finish(port); tcpm_set_state(port, HARD_RESET_SEND, - PD_T_SENDER_RESPONSE); + port->negotiated_rev >= PD_REV30 ? + port->timings.pd3_sender_response_time : + port->timings.pd2_sender_response_time); } else { tcpm_ams_finish(port); } @@ -4619,6 +4625,9 @@ static void run_state_machine(struct tcpm_port *port) enum typec_pwr_opmode opmode; unsigned int msecs; enum tcpm_state upcoming_state; + u32 sender_response_time = port->negotiated_rev >= PD_REV30 ? + port->timings.pd3_sender_response_time : + port->timings.pd2_sender_response_time; if (port->tcpc->check_contaminant && port->state != CHECK_CONTAMINANT) port->potential_contaminant = ((port->enter_state == SRC_ATTACH_WAIT && @@ -5113,7 +5122,7 @@ static void run_state_machine(struct tcpm_port *port) tcpm_set_state(port, SNK_WAIT_CAPABILITIES, 0); } else { tcpm_set_state_cond(port, hard_reset_state(port), - PD_T_SENDER_RESPONSE); + sender_response_time); } break; case SNK_NEGOTIATE_PPS_CAPABILITIES: @@ -5135,7 +5144,7 @@ static void run_state_machine(struct tcpm_port *port) tcpm_set_state(port, SNK_READY, 0); } else { tcpm_set_state_cond(port, hard_reset_state(port), - PD_T_SENDER_RESPONSE); + sender_response_time); } break; case SNK_TRANSITION_SINK: @@ -5387,7 +5396,7 @@ static void run_state_machine(struct tcpm_port *port) port->message_id_prime = 0; port->rx_msgid_prime = -1; tcpm_pd_send_control(port, PD_CTRL_SOFT_RESET, TCPC_TX_SOP_PRIME); - tcpm_set_state_cond(port, ready_state(port), PD_T_SENDER_RESPONSE); + tcpm_set_state_cond(port, ready_state(port), sender_response_time); } else { port->message_id = 0; port->rx_msgid = -1; @@ -5398,7 +5407,7 @@ static void run_state_machine(struct tcpm_port *port) tcpm_set_state_cond(port, hard_reset_state(port), 0); else tcpm_set_state_cond(port, hard_reset_state(port), - PD_T_SENDER_RESPONSE); + sender_response_time); } break; @@ -5409,8 +5418,7 @@ static void run_state_machine(struct tcpm_port *port) port->send_discover = true; port->send_discover_prime = false; } - tcpm_set_state_cond(port, DR_SWAP_SEND_TIMEOUT, - PD_T_SENDER_RESPONSE); + tcpm_set_state_cond(port, DR_SWAP_SEND_TIMEOUT, sender_response_time); break; case DR_SWAP_ACCEPT: tcpm_pd_send_control(port, PD_CTRL_ACCEPT, TCPC_TX_SOP); @@ -5444,7 +5452,7 @@ static void run_state_machine(struct tcpm_port *port) tcpm_set_state(port, ERROR_RECOVERY, 0); break; } - tcpm_set_state_cond(port, FR_SWAP_SEND_TIMEOUT, PD_T_SENDER_RESPONSE); + tcpm_set_state_cond(port, FR_SWAP_SEND_TIMEOUT, sender_response_time); break; case FR_SWAP_SEND_TIMEOUT: tcpm_set_state(port, ERROR_RECOVERY, 0); @@ -5475,8 +5483,7 @@ static void run_state_machine(struct tcpm_port *port) break; case PR_SWAP_SEND: tcpm_pd_send_control(port, PD_CTRL_PR_SWAP, TCPC_TX_SOP); - tcpm_set_state_cond(port, PR_SWAP_SEND_TIMEOUT, - PD_T_SENDER_RESPONSE); + tcpm_set_state_cond(port, PR_SWAP_SEND_TIMEOUT, sender_response_time); break; case PR_SWAP_SEND_TIMEOUT: tcpm_swap_complete(port, -ETIMEDOUT); @@ -5574,8 +5581,7 @@ static void run_state_machine(struct tcpm_port *port) break; case VCONN_SWAP_SEND: tcpm_pd_send_control(port, PD_CTRL_VCONN_SWAP, TCPC_TX_SOP); - tcpm_set_state(port, VCONN_SWAP_SEND_TIMEOUT, - PD_T_SENDER_RESPONSE); + tcpm_set_state(port, VCONN_SWAP_SEND_TIMEOUT, sender_response_time); break; case VCONN_SWAP_SEND_TIMEOUT: tcpm_swap_complete(port, -ETIMEDOUT); @@ -5656,23 +5662,21 @@ static void run_state_machine(struct tcpm_port *port) break; case GET_STATUS_SEND: tcpm_pd_send_control(port, PD_CTRL_GET_STATUS, TCPC_TX_SOP); - tcpm_set_state(port, GET_STATUS_SEND_TIMEOUT, - PD_T_SENDER_RESPONSE); + tcpm_set_state(port, GET_STATUS_SEND_TIMEOUT, sender_response_time); break; case GET_STATUS_SEND_TIMEOUT: tcpm_set_state(port, ready_state(port), 0); break; case GET_PPS_STATUS_SEND: tcpm_pd_send_control(port, PD_CTRL_GET_PPS_STATUS, TCPC_TX_SOP); - tcpm_set_state(port, GET_PPS_STATUS_SEND_TIMEOUT, - PD_T_SENDER_RESPONSE); + tcpm_set_state(port, GET_PPS_STATUS_SEND_TIMEOUT, sender_response_time); break; case GET_PPS_STATUS_SEND_TIMEOUT: tcpm_set_state(port, ready_state(port), 0); break; case GET_SINK_CAP: tcpm_pd_send_control(port, PD_CTRL_GET_SINK_CAP, TCPC_TX_SOP); - tcpm_set_state(port, GET_SINK_CAP_TIMEOUT, PD_T_SENDER_RESPONSE); + tcpm_set_state(port, GET_SINK_CAP_TIMEOUT, sender_response_time); break; case GET_SINK_CAP_TIMEOUT: port->sink_cap_done = true; @@ -7109,6 +7113,18 @@ static void tcpm_fw_get_timings(struct tcpm_port *port, struct fwnode_handle *fw ret = fwnode_property_read_u32(fwnode, "sink-bc12-completion-time-ms", &val); if (!ret) port->timings.snk_bc12_cmpletion_time = val; + + ret = fwnode_property_read_u32(fwnode, "pd2-sender-response-time-ms", &val); + if (!ret) + port->timings.pd2_sender_response_time = val; + else + port->timings.pd2_sender_response_time = PD_T_PD2_SENDER_RESPONSE; + + ret = fwnode_property_read_u32(fwnode, "pd3-sender-response-time-ms", &val); + if (!ret) + port->timings.pd3_sender_response_time = val; + else + port->timings.pd3_sender_response_time = PD_T_PD3_SENDER_RESPONSE; } static int tcpm_fw_get_caps(struct tcpm_port *port, struct fwnode_handle *fwnode) diff --git a/include/linux/usb/pd.h b/include/linux/usb/pd.h index d50098fb16b5..9c599e851b9a 100644 --- a/include/linux/usb/pd.h +++ b/include/linux/usb/pd.h @@ -457,7 +457,6 @@ static inline unsigned int rdo_max_power(u32 rdo) #define PD_T_NO_RESPONSE 5000 /* 4.5 - 5.5 seconds */ #define PD_T_DB_DETECT 10000 /* 10 - 15 seconds */ #define PD_T_SEND_SOURCE_CAP 150 /* 100 - 200 ms */ -#define PD_T_SENDER_RESPONSE 60 /* 24 - 30 ms, relaxed */ #define PD_T_RECEIVER_RESPONSE 15 /* 15ms max */ #define PD_T_SOURCE_ACTIVITY 45 #define PD_T_SINK_ACTIVITY 135 @@ -491,6 +490,8 @@ static inline unsigned int rdo_max_power(u32 rdo) #define PD_T_CC_DEBOUNCE 200 /* 100 - 200 ms */ #define PD_T_PD_DEBOUNCE 20 /* 10 - 20 ms */ #define PD_T_TRY_CC_DEBOUNCE 15 /* 10 - 20 ms */ +#define PD_T_PD2_SENDER_RESPONSE 27 /* PD20 spec 24 - 30 ms */ +#define PD_T_PD3_SENDER_RESPONSE 30 /* PD30 spec 27 - 33 ms */ #define PD_N_CAPS_COUNT (PD_T_NO_RESPONSE / PD_T_SEND_SOURCE_CAP) #define PD_N_HARD_RESET_COUNT 2 -- 2.17.1

5 months, 2 weeks

3
7
0 0

[PATCH] [ARM] fix reference leak in locomo_init_one_child()

by Ma Ke

Once device_register() failed, we should call put_device() to decrement reference count for cleanup. Or it could cause memory leak. device_register() includes device_add(). As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- arch/arm/common/locomo.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm/common/locomo.c b/arch/arm/common/locomo.c index cb6ef449b987..7274010218ec 100644 --- a/arch/arm/common/locomo.c +++ b/arch/arm/common/locomo.c @@ -255,6 +255,7 @@ locomo_init_one_child(struct locomo *lchip, struct locomo_dev_info *info) ret = device_register(&dev->dev); if (ret) { + put_device(&dev->dev); out: kfree(dev); } -- 2.25.1

5 months, 2 weeks

2
1
0 0

[PATCH v6 0/8] driver core: class: Fix bug and code improvements for class APIs

by Zijun Hu

This patch series is to fix bugs and improve codes regarding various driver core device iterating APIs Signed-off-by: Zijun Hu <quic_zijuhu(a)quicinc.com> --- Changes in v6: - Remove dependencies since they have been merged into driver-core tree - Link to v5: https://lore.kernel.org/r/20241224-class_fix-v5-0-9eaaf7abe843@quicinc.com Changes in v5: - Add comments back and correct tile and commit messages for patch 8/8. - Link to v4: https://lore.kernel.org/r/20241218-class_fix-v4-0-3c40f098356b@quicinc.com Changes in v4: - Squich patches 3-5 into one based on Jonathan and Fan comments. - Add one more patch - Link to v3: https://lore.kernel.org/r/20241212-class_fix-v3-0-04e20c4f0971@quicinc.com Changes in v3: - Correct commit message, add fix tag, and correct pr_crit() message for 1st patch - Add more patches regarding driver core device iterating APIs. - Link to v2: https://lore.kernel.org/r/20241112-class_fix-v2-0-73d198d0a0d5@quicinc.com Changes in v2: - Remove both fix and stable tag for patch 1/3 - drop patch 3/3 - Link to v1: https://lore.kernel.org/r/20241105-class_fix-v1-0-80866f9994a5@quicinc.com --- Zijun Hu (8): driver core: class: Fix wild pointer dereferences in API class_dev_iter_next() blk-cgroup: Fix class @block_class's subsystem refcount leakage driver core: Move true expression out of if condition in 3 device finding APIs driver core: Rename declaration parameter name for API device_find_child() cluster driver core: Correct parameter check for API device_for_each_child_reverse_from() driver core: Correct API device_for_each_child_reverse_from() prototype driver core: Introduce device_iter_t for device iterating APIs driver core: Move two simple APIs for finding child device to header block/blk-cgroup.c | 1 + drivers/base/bus.c | 9 +++++--- drivers/base/class.c | 11 ++++++++-- drivers/base/core.c | 49 +++++++++---------------------------------- drivers/base/driver.c | 9 +++++--- drivers/cxl/core/hdm.c | 2 +- drivers/cxl/core/region.c | 2 +- include/linux/device.h | 46 +++++++++++++++++++++++++++++++--------- include/linux/device/bus.h | 7 +++++-- include/linux/device/class.h | 4 ++-- include/linux/device/driver.h | 2 +- 11 files changed, 78 insertions(+), 64 deletions(-) --- base-commit: 7687c66c18c66d4ccd9949c6f641c0e7b5773483 change-id: 20241104-class_fix-f176bd9eba22 Best regards, -- Zijun Hu <quic_zijuhu(a)quicinc.com>

5 months, 2 weeks

1
1
0 0

[PATCH v2 1/2] HID: hid-plantronics: Add mic mute mapping and generalize quirks

by Wade Wang

From: Terry Junge <linuxhid(a)cosmicgizmosystems.com> Add mapping for headset mute key events. Remove PLT_QUIRK_DOUBLE_VOLUME_KEYS quirk and made it generic. The quirk logic did not keep track of the actual previous key so any key event occurring in less than or equal to 5ms was ignored. Remove PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS quirk. It had the same logic issue as the double key quirk and was actually masking the as designed behavior of most of the headsets. It's occurrence should be minimized with the ALSA control naming quirk that is part of the patch set. Signed-off-by: Terry Junge <linuxhid(a)cosmicgizmosystems.com> Signed-off-by: Wade Wang <wade.wang(a)hp.com> Cc: stable(a)vger.kernel.org --- V1 -> V2: Optimize out 2 macros - no functional changes drivers/hid/hid-plantronics.c | 144 ++++++++++++++++------------------ 1 file changed, 67 insertions(+), 77 deletions(-) diff --git a/drivers/hid/hid-plantronics.c b/drivers/hid/hid-plantronics.c index 25cfd964dc25..acb9eb18f7cc 100644 --- a/drivers/hid/hid-plantronics.c +++ b/drivers/hid/hid-plantronics.c @@ -6,9 +6,6 @@ * Copyright (c) 2015-2018 Terry Junge <terry.junge(a)plantronics.com> */ -/* - */ - #include "hid-ids.h" #include <linux/hid.h> @@ -23,30 +20,28 @@ #define PLT_VOL_UP 0x00b1 #define PLT_VOL_DOWN 0x00b2 +#define PLT_MIC_MUTE 0x00b5 #define PLT1_VOL_UP (PLT_HID_1_0_PAGE | PLT_VOL_UP) #define PLT1_VOL_DOWN (PLT_HID_1_0_PAGE | PLT_VOL_DOWN) +#define PLT1_MIC_MUTE (PLT_HID_1_0_PAGE | PLT_MIC_MUTE) #define PLT2_VOL_UP (PLT_HID_2_0_PAGE | PLT_VOL_UP) #define PLT2_VOL_DOWN (PLT_HID_2_0_PAGE | PLT_VOL_DOWN) +#define PLT2_MIC_MUTE (PLT_HID_2_0_PAGE | PLT_MIC_MUTE) +#define HID_TELEPHONY_MUTE (HID_UP_TELEPHONY | 0x2f) +#define HID_CONSUMER_MUTE (HID_UP_CONSUMER | 0xe2) #define PLT_DA60 0xda60 #define PLT_BT300_MIN 0x0413 #define PLT_BT300_MAX 0x0418 - -#define PLT_ALLOW_CONSUMER (field->application == HID_CP_CONSUMERCONTROL && \ - (usage->hid & HID_USAGE_PAGE) == HID_UP_CONSUMER) - -#define PLT_QUIRK_DOUBLE_VOLUME_KEYS BIT(0) -#define PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS BIT(1) - #define PLT_DOUBLE_KEY_TIMEOUT 5 /* ms */ -#define PLT_FOLLOWED_OPPOSITE_KEY_TIMEOUT 220 /* ms */ struct plt_drv_data { unsigned long device_type; - unsigned long last_volume_key_ts; - u32 quirks; + unsigned long last_key_ts; + unsigned long double_key_to; + __u16 last_key; }; static int plantronics_input_mapping(struct hid_device *hdev, @@ -58,34 +53,43 @@ static int plantronics_input_mapping(struct hid_device *hdev, unsigned short mapped_key; struct plt_drv_data *drv_data = hid_get_drvdata(hdev); unsigned long plt_type = drv_data->device_type; + int allow_mute = usage->hid == HID_TELEPHONY_MUTE; + int allow_consumer = field->application == HID_CP_CONSUMERCONTROL && + (usage->hid & HID_USAGE_PAGE) == HID_UP_CONSUMER && + usage->hid != HID_CONSUMER_MUTE; /* special case for PTT products */ if (field->application == HID_GD_JOYSTICK) goto defaulted; - /* handle volume up/down mapping */ /* non-standard types or multi-HID interfaces - plt_type is PID */ if (!(plt_type & HID_USAGE_PAGE)) { switch (plt_type) { case PLT_DA60: - if (PLT_ALLOW_CONSUMER) + if (allow_consumer) goto defaulted; - goto ignored; + if (usage->hid == HID_CONSUMER_MUTE) { + mapped_key = KEY_MICMUTE; + goto mapped; + } + break; default: - if (PLT_ALLOW_CONSUMER) + if (allow_consumer || allow_mute) goto defaulted; } + goto ignored; } - /* handle standard types - plt_type is 0xffa0uuuu or 0xffa2uuuu */ - /* 'basic telephony compliant' - allow default consumer page map */ - else if ((plt_type & HID_USAGE) >= PLT_BASIC_TELEPHONY && - (plt_type & HID_USAGE) != PLT_BASIC_EXCEPTION) { - if (PLT_ALLOW_CONSUMER) - goto defaulted; - } - /* not 'basic telephony' - apply legacy mapping */ - /* only map if the field is in the device's primary vendor page */ - else if (!((field->application ^ plt_type) & HID_USAGE_PAGE)) { + + /* handle standard consumer control mapping */ + /* and standard telephony mic mute mapping */ + if (allow_consumer || allow_mute) + goto defaulted; + + /* handle vendor unique types - plt_type is 0xffa0uuuu or 0xffa2uuuu */ + /* if not 'basic telephony compliant' - map vendor unique controls */ + if (!((plt_type & HID_USAGE) >= PLT_BASIC_TELEPHONY && + (plt_type & HID_USAGE) != PLT_BASIC_EXCEPTION) && + !((field->application ^ plt_type) & HID_USAGE_PAGE)) switch (usage->hid) { case PLT1_VOL_UP: case PLT2_VOL_UP: @@ -95,8 +99,11 @@ static int plantronics_input_mapping(struct hid_device *hdev, case PLT2_VOL_DOWN: mapped_key = KEY_VOLUMEDOWN; goto mapped; + case PLT1_MIC_MUTE: + case PLT2_MIC_MUTE: + mapped_key = KEY_MICMUTE; + goto mapped; } - } /* * Future mapping of call control or other usages, @@ -105,6 +112,8 @@ static int plantronics_input_mapping(struct hid_device *hdev, */ ignored: + hid_dbg(hdev, "usage: %08x (appl: %08x) - ignored\n", + usage->hid, field->application); return -1; defaulted: @@ -123,38 +132,26 @@ static int plantronics_event(struct hid_device *hdev, struct hid_field *field, struct hid_usage *usage, __s32 value) { struct plt_drv_data *drv_data = hid_get_drvdata(hdev); + unsigned long prev_tsto, cur_ts; + __u16 prev_key, cur_key; - if (drv_data->quirks & PLT_QUIRK_DOUBLE_VOLUME_KEYS) { - unsigned long prev_ts, cur_ts; + /* Usages are filtered in plantronics_usages. */ - /* Usages are filtered in plantronics_usages. */ + /* HZ too low for ms resolution - double key detection disabled */ + /* or it is a key release - handle key presses only. */ + if (!drv_data->double_key_to || !value) + return 0; - if (!value) /* Handle key presses only. */ - return 0; + prev_tsto = drv_data->last_key_ts + drv_data->double_key_to; + cur_ts = drv_data->last_key_ts = jiffies; + prev_key = drv_data->last_key; + cur_key = drv_data->last_key = usage->code; - prev_ts = drv_data->last_volume_key_ts; - cur_ts = jiffies; - if (jiffies_to_msecs(cur_ts - prev_ts) <= PLT_DOUBLE_KEY_TIMEOUT) - return 1; /* Ignore the repeated key. */ - - drv_data->last_volume_key_ts = cur_ts; + /* If the same key occurs in <= double_key_to -- ignore it */ + if (prev_key == cur_key && time_before_eq(cur_ts, prev_tsto)) { + hid_dbg(hdev, "double key %d ignored\n", cur_key); + return 1; /* Ignore the repeated key. */ } - if (drv_data->quirks & PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS) { - unsigned long prev_ts, cur_ts; - - /* Usages are filtered in plantronics_usages. */ - - if (!value) /* Handle key presses only. */ - return 0; - - prev_ts = drv_data->last_volume_key_ts; - cur_ts = jiffies; - if (jiffies_to_msecs(cur_ts - prev_ts) <= PLT_FOLLOWED_OPPOSITE_KEY_TIMEOUT) - return 1; /* Ignore the followed opposite volume key. */ - - drv_data->last_volume_key_ts = cur_ts; - } - return 0; } @@ -196,12 +193,16 @@ static int plantronics_probe(struct hid_device *hdev, ret = hid_parse(hdev); if (ret) { hid_err(hdev, "parse failed\n"); - goto err; + return ret; } drv_data->device_type = plantronics_device_type(hdev); - drv_data->quirks = id->driver_data; - drv_data->last_volume_key_ts = jiffies - msecs_to_jiffies(PLT_DOUBLE_KEY_TIMEOUT); + drv_data->double_key_to = msecs_to_jiffies(PLT_DOUBLE_KEY_TIMEOUT); + drv_data->last_key_ts = jiffies - drv_data->double_key_to; + + /* if HZ does not allow ms resolution - disable double key detection */ + if (drv_data->double_key_to < PLT_DOUBLE_KEY_TIMEOUT) + drv_data->double_key_to = 0; hid_set_drvdata(hdev, drv_data); @@ -210,29 +211,10 @@ static int plantronics_probe(struct hid_device *hdev, if (ret) hid_err(hdev, "hw start failed\n"); -err: return ret; } static const struct hid_device_id plantronics_devices[] = { - { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, - USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3210_SERIES), - .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS }, - { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, - USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3220_SERIES), - .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS }, - { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, - USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3215_SERIES), - .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS }, - { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, - USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3225_SERIES), - .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS }, - { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, - USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3325_SERIES), - .driver_data = PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS }, - { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, - USB_DEVICE_ID_PLANTRONICS_ENCOREPRO_500_SERIES), - .driver_data = PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS }, { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, HID_ANY_ID) }, { } }; @@ -241,6 +223,14 @@ MODULE_DEVICE_TABLE(hid, plantronics_devices); static const struct hid_usage_id plantronics_usages[] = { { HID_CP_VOLUMEUP, EV_KEY, HID_ANY_ID }, { HID_CP_VOLUMEDOWN, EV_KEY, HID_ANY_ID }, + { HID_TELEPHONY_MUTE, EV_KEY, HID_ANY_ID }, + { HID_CONSUMER_MUTE, EV_KEY, HID_ANY_ID }, + { PLT2_VOL_UP, EV_KEY, HID_ANY_ID }, + { PLT2_VOL_DOWN, EV_KEY, HID_ANY_ID }, + { PLT2_MIC_MUTE, EV_KEY, HID_ANY_ID }, + { PLT1_VOL_UP, EV_KEY, HID_ANY_ID }, + { PLT1_VOL_DOWN, EV_KEY, HID_ANY_ID }, + { PLT1_MIC_MUTE, EV_KEY, HID_ANY_ID }, { HID_TERMINATOR, HID_TERMINATOR, HID_TERMINATOR } }; -- 2.43.0

5 months, 2 weeks

3
5
0 0

[PATCH] arm64: Filter out SVE hwcaps when FEAT_SVE isn't implemented

by Marc Zyngier

The hwcaps code that exposes SVE features to userspace only considers ID_AA64ZFR0_EL1, while this is only valid when ID_AA64PFR0_EL1.SVE advertises that SVE is actually supported. The expectations are that when ID_AA64PFR0_EL1.SVE is 0, the ID_AA64ZFR0_EL1 register is also 0. So far, so good. Things become a bit more interesting if the HW implements SME. In this case, a few ID_AA64ZFR0_EL1 fields indicate *SME* features. And these fields overlap with their SVE interpretations. But the architecture says that the SME and SVE feature sets must match, so we're still hunky-dory. This goes wrong if the HW implements SME, but not SVE. In this case, we end-up advertising some SVE features to userspace, even if the HW has none. That's because we never consider whether SVE is actually implemented. Oh well. Fix it by restricting all SVE capabilities to ID_AA64PFR0_EL1.SVE being non-zero. Reported-by: Catalin Marinas <catalin.marinas(a)arm.com> Signed-off-by: Marc Zyngier <maz(a)kernel.org> Cc: Will Deacon <will(a)kernel.org> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Mark Brown <broonie(a)kernel.org> Cc: stable(a)vger.kernel.org --- arch/arm64/kernel/cpufeature.c | 58 ++++++++++++++++++++++++---------- 1 file changed, 41 insertions(+), 17 deletions(-) diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index 6ce71f444ed84..d793ca08549cd 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -1593,14 +1593,19 @@ feature_matches(u64 reg, const struct arm64_cpu_capabilities *entry) return val >= min && val <= max; } -static u64 -read_scoped_sysreg(const struct arm64_cpu_capabilities *entry, int scope) +static u64 __read_scoped_sysreg(u64 reg, int scope) { WARN_ON(scope == SCOPE_LOCAL_CPU && preemptible()); if (scope == SCOPE_SYSTEM) - return read_sanitised_ftr_reg(entry->sys_reg); + return read_sanitised_ftr_reg(reg); else - return __read_sysreg_by_encoding(entry->sys_reg); + return __read_sysreg_by_encoding(reg); +} + +static u64 +read_scoped_sysreg(const struct arm64_cpu_capabilities *entry, int scope) +{ + return __read_scoped_sysreg(entry->sys_reg, scope); } static bool @@ -3022,6 +3027,13 @@ static const struct arm64_cpu_capabilities arm64_features[] = { .matches = match, \ } +#define HWCAP_CAP_MATCH_ID(match, reg, field, min_value, cap_type, cap) \ + { \ + __HWCAP_CAP(#cap, cap_type, cap) \ + HWCAP_CPUID_MATCH(reg, field, min_value) \ + .matches = match, \ + } + #ifdef CONFIG_ARM64_PTR_AUTH static const struct arm64_cpu_capabilities ptr_auth_hwcap_addr_matches[] = { { @@ -3050,6 +3062,18 @@ static const struct arm64_cpu_capabilities ptr_auth_hwcap_gen_matches[] = { }; #endif +#ifdef CONFIG_ARM64_SVE +static bool has_sve(const struct arm64_cpu_capabilities *cap, int scope) +{ + u64 aa64pfr0 = __read_scoped_sysreg(SYS_ID_AA64PFR0_EL1, scope); + + if (FIELD_GET(ID_AA64PFR0_EL1_SVE, aa64pfr0) < ID_AA64PFR0_EL1_SVE_IMP) + return false; + + return has_user_cpuid_feature(cap, scope); +} +#endif + static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = { HWCAP_CAP(ID_AA64ISAR0_EL1, AES, PMULL, CAP_HWCAP, KERNEL_HWCAP_PMULL), HWCAP_CAP(ID_AA64ISAR0_EL1, AES, AES, CAP_HWCAP, KERNEL_HWCAP_AES), @@ -3092,19 +3116,19 @@ static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = { HWCAP_CAP(ID_AA64MMFR2_EL1, AT, IMP, CAP_HWCAP, KERNEL_HWCAP_USCAT), #ifdef CONFIG_ARM64_SVE HWCAP_CAP(ID_AA64PFR0_EL1, SVE, IMP, CAP_HWCAP, KERNEL_HWCAP_SVE), - HWCAP_CAP(ID_AA64ZFR0_EL1, SVEver, SVE2p1, CAP_HWCAP, KERNEL_HWCAP_SVE2P1), - HWCAP_CAP(ID_AA64ZFR0_EL1, SVEver, SVE2, CAP_HWCAP, KERNEL_HWCAP_SVE2), - HWCAP_CAP(ID_AA64ZFR0_EL1, AES, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEAES), - HWCAP_CAP(ID_AA64ZFR0_EL1, AES, PMULL128, CAP_HWCAP, KERNEL_HWCAP_SVEPMULL), - HWCAP_CAP(ID_AA64ZFR0_EL1, BitPerm, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBITPERM), - HWCAP_CAP(ID_AA64ZFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVE_B16B16), - HWCAP_CAP(ID_AA64ZFR0_EL1, BF16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBF16), - HWCAP_CAP(ID_AA64ZFR0_EL1, BF16, EBF16, CAP_HWCAP, KERNEL_HWCAP_SVE_EBF16), - HWCAP_CAP(ID_AA64ZFR0_EL1, SHA3, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESHA3), - HWCAP_CAP(ID_AA64ZFR0_EL1, SM4, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESM4), - HWCAP_CAP(ID_AA64ZFR0_EL1, I8MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEI8MM), - HWCAP_CAP(ID_AA64ZFR0_EL1, F32MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF32MM), - HWCAP_CAP(ID_AA64ZFR0_EL1, F64MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF64MM), + HWCAP_CAP_MATCH_ID(has_sve, ID_AA64ZFR0_EL1, SVEver, SVE2p1, CAP_HWCAP, KERNEL_HWCAP_SVE2P1), + HWCAP_CAP_MATCH_ID(has_sve, ID_AA64ZFR0_EL1, SVEver, SVE2, CAP_HWCAP, KERNEL_HWCAP_SVE2), + HWCAP_CAP_MATCH_ID(has_sve, ID_AA64ZFR0_EL1, AES, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEAES), + HWCAP_CAP_MATCH_ID(has_sve, ID_AA64ZFR0_EL1, AES, PMULL128, CAP_HWCAP, KERNEL_HWCAP_SVEPMULL), + HWCAP_CAP_MATCH_ID(has_sve, ID_AA64ZFR0_EL1, BitPerm, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBITPERM), + HWCAP_CAP_MATCH_ID(has_sve, ID_AA64ZFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVE_B16B16), + HWCAP_CAP_MATCH_ID(has_sve, ID_AA64ZFR0_EL1, BF16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBF16), + HWCAP_CAP_MATCH_ID(has_sve, ID_AA64ZFR0_EL1, BF16, EBF16, CAP_HWCAP, KERNEL_HWCAP_SVE_EBF16), + HWCAP_CAP_MATCH_ID(has_sve, ID_AA64ZFR0_EL1, SHA3, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESHA3), + HWCAP_CAP_MATCH_ID(has_sve, ID_AA64ZFR0_EL1, SM4, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESM4), + HWCAP_CAP_MATCH_ID(has_sve, ID_AA64ZFR0_EL1, I8MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEI8MM), + HWCAP_CAP_MATCH_ID(has_sve, ID_AA64ZFR0_EL1, F32MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF32MM), + HWCAP_CAP_MATCH_ID(has_sve, ID_AA64ZFR0_EL1, F64MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF64MM), #endif #ifdef CONFIG_ARM64_GCS HWCAP_CAP(ID_AA64PFR1_EL1, GCS, IMP, CAP_HWCAP, KERNEL_HWCAP_GCS), -- 2.39.2

5 months, 2 weeks

2
4
0 0

[PATCH AUTOSEL 5.10] ASoC: mediatek: disable buffer pre-allocation

by Sasha Levin

From: Chen-Yu Tsai <wenst(a)chromium.org> [ Upstream commit 32c9c06adb5b157ef259233775a063a43746d699 ] On Chromebooks based on Mediatek MT8195 or MT8188, the audio frontend (AFE) is limited to accessing a very small window (1 MiB) of memory, which is described as a reserved memory region in the device tree. On these two platforms, the maximum buffer size is given as 512 KiB. The MediaTek common code uses the same value for preallocations. This means that only the first two PCM substreams get preallocations, and then the whole space is exhausted, barring any other substreams from working. Since the substreams used are not always the first two, this means audio won't work correctly. This is observed on the MT8188 Geralt Chromebooks, on which the "mediatek,dai-link" property was dropped when it was upstreamed. That property causes the driver to only register the PCM substreams listed in the property, and in the order given. Instead of trying to compute an optimal value and figuring out which streams are used, simply disable preallocation. The PCM buffers are managed by the core and are allocated and released on the fly. There should be no impact to any of the other MediaTek platforms. Signed-off-by: Chen-Yu Tsai <wenst(a)chromium.org> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> Link: https://patch.msgid.link/20241219105303.548437-1-wenst@chromium.org Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- sound/soc/mediatek/common/mtk-afe-platform-driver.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sound/soc/mediatek/common/mtk-afe-platform-driver.c b/sound/soc/mediatek/common/mtk-afe-platform-driver.c index 01501d5747a7..52495c930ca3 100644 --- a/sound/soc/mediatek/common/mtk-afe-platform-driver.c +++ b/sound/soc/mediatek/common/mtk-afe-platform-driver.c @@ -120,8 +120,8 @@ int mtk_afe_pcm_new(struct snd_soc_component *component, struct mtk_base_afe *afe = snd_soc_component_get_drvdata(component); size = afe->mtk_afe_hardware->buffer_bytes_max; - snd_pcm_set_managed_buffer_all(pcm, SNDRV_DMA_TYPE_DEV, - afe->dev, size, size); + snd_pcm_set_managed_buffer_all(pcm, SNDRV_DMA_TYPE_DEV, afe->dev, 0, size); + return 0; } EXPORT_SYMBOL_GPL(mtk_afe_pcm_new); -- 2.39.5

5 months, 2 weeks

1
0
0 0

[PATCH AUTOSEL 5.15] ASoC: mediatek: disable buffer pre-allocation

by Sasha Levin

From: Chen-Yu Tsai <wenst(a)chromium.org> [ Upstream commit 32c9c06adb5b157ef259233775a063a43746d699 ] On Chromebooks based on Mediatek MT8195 or MT8188, the audio frontend (AFE) is limited to accessing a very small window (1 MiB) of memory, which is described as a reserved memory region in the device tree. On these two platforms, the maximum buffer size is given as 512 KiB. The MediaTek common code uses the same value for preallocations. This means that only the first two PCM substreams get preallocations, and then the whole space is exhausted, barring any other substreams from working. Since the substreams used are not always the first two, this means audio won't work correctly. This is observed on the MT8188 Geralt Chromebooks, on which the "mediatek,dai-link" property was dropped when it was upstreamed. That property causes the driver to only register the PCM substreams listed in the property, and in the order given. Instead of trying to compute an optimal value and figuring out which streams are used, simply disable preallocation. The PCM buffers are managed by the core and are allocated and released on the fly. There should be no impact to any of the other MediaTek platforms. Signed-off-by: Chen-Yu Tsai <wenst(a)chromium.org> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> Link: https://patch.msgid.link/20241219105303.548437-1-wenst@chromium.org Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- sound/soc/mediatek/common/mtk-afe-platform-driver.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sound/soc/mediatek/common/mtk-afe-platform-driver.c b/sound/soc/mediatek/common/mtk-afe-platform-driver.c index 01501d5747a7..52495c930ca3 100644 --- a/sound/soc/mediatek/common/mtk-afe-platform-driver.c +++ b/sound/soc/mediatek/common/mtk-afe-platform-driver.c @@ -120,8 +120,8 @@ int mtk_afe_pcm_new(struct snd_soc_component *component, struct mtk_base_afe *afe = snd_soc_component_get_drvdata(component); size = afe->mtk_afe_hardware->buffer_bytes_max; - snd_pcm_set_managed_buffer_all(pcm, SNDRV_DMA_TYPE_DEV, - afe->dev, size, size); + snd_pcm_set_managed_buffer_all(pcm, SNDRV_DMA_TYPE_DEV, afe->dev, 0, size); + return 0; } EXPORT_SYMBOL_GPL(mtk_afe_pcm_new); -- 2.39.5

5 months, 2 weeks

1
0
0 0

[PATCH AUTOSEL 6.1] ASoC: mediatek: disable buffer pre-allocation

by Sasha Levin

From: Chen-Yu Tsai <wenst(a)chromium.org> [ Upstream commit 32c9c06adb5b157ef259233775a063a43746d699 ] On Chromebooks based on Mediatek MT8195 or MT8188, the audio frontend (AFE) is limited to accessing a very small window (1 MiB) of memory, which is described as a reserved memory region in the device tree. On these two platforms, the maximum buffer size is given as 512 KiB. The MediaTek common code uses the same value for preallocations. This means that only the first two PCM substreams get preallocations, and then the whole space is exhausted, barring any other substreams from working. Since the substreams used are not always the first two, this means audio won't work correctly. This is observed on the MT8188 Geralt Chromebooks, on which the "mediatek,dai-link" property was dropped when it was upstreamed. That property causes the driver to only register the PCM substreams listed in the property, and in the order given. Instead of trying to compute an optimal value and figuring out which streams are used, simply disable preallocation. The PCM buffers are managed by the core and are allocated and released on the fly. There should be no impact to any of the other MediaTek platforms. Signed-off-by: Chen-Yu Tsai <wenst(a)chromium.org> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> Link: https://patch.msgid.link/20241219105303.548437-1-wenst@chromium.org Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- sound/soc/mediatek/common/mtk-afe-platform-driver.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sound/soc/mediatek/common/mtk-afe-platform-driver.c b/sound/soc/mediatek/common/mtk-afe-platform-driver.c index 01501d5747a7..52495c930ca3 100644 --- a/sound/soc/mediatek/common/mtk-afe-platform-driver.c +++ b/sound/soc/mediatek/common/mtk-afe-platform-driver.c @@ -120,8 +120,8 @@ int mtk_afe_pcm_new(struct snd_soc_component *component, struct mtk_base_afe *afe = snd_soc_component_get_drvdata(component); size = afe->mtk_afe_hardware->buffer_bytes_max; - snd_pcm_set_managed_buffer_all(pcm, SNDRV_DMA_TYPE_DEV, - afe->dev, size, size); + snd_pcm_set_managed_buffer_all(pcm, SNDRV_DMA_TYPE_DEV, afe->dev, 0, size); + return 0; } EXPORT_SYMBOL_GPL(mtk_afe_pcm_new); -- 2.39.5

5 months, 2 weeks

1
0
0 0

[PATCH AUTOSEL 6.6 1/3] ASoC: rt722: add delay time to wait for the calibration procedure

by Sasha Levin

From: Shuming Fan <shumingf(a)realtek.com> [ Upstream commit c9e3ebdc52ebe028f238c9df5162ae92483bedd5 ] The calibration procedure needs some time to finish. This patch adds the delay time to ensure the calibration procedure is completed correctly. Signed-off-by: Shuming Fan <shumingf(a)realtek.com> Link: https://patch.msgid.link/20241218091307.96656-1-shumingf@realtek.com Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- sound/soc/codecs/rt722-sdca.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/sound/soc/codecs/rt722-sdca.c b/sound/soc/codecs/rt722-sdca.c index b9b330375add..0f9f592744ad 100644 --- a/sound/soc/codecs/rt722-sdca.c +++ b/sound/soc/codecs/rt722-sdca.c @@ -1466,13 +1466,18 @@ static void rt722_sdca_jack_preset(struct rt722_sdca_priv *rt722) 0x008d); /* check HP calibration FSM status */ for (loop_check = 0; loop_check < chk_cnt; loop_check++) { + usleep_range(10000, 11000); ret = rt722_sdca_index_read(rt722, RT722_VENDOR_CALI, RT722_DAC_DC_CALI_CTL3, &calib_status); - if (ret < 0 || loop_check == chk_cnt) + if (ret < 0) dev_dbg(&rt722->slave->dev, "calibration failed!, ret=%d\n", ret); if ((calib_status & 0x0040) == 0x0) break; } + + if (loop_check == chk_cnt) + dev_dbg(&rt722->slave->dev, "%s, calibration time-out!\n", __func__); + /* Set ADC09 power entity floating control */ rt722_sdca_index_write(rt722, RT722_VENDOR_HDA_CTL, RT722_ADC0A_08_PDE_FLOAT_CTL, 0x2a12); -- 2.39.5

5 months, 2 weeks

1
2
0 0

[PATCH AUTOSEL 6.12 1/4] perf/x86/intel/uncore: Add Clearwater Forest support

by Sasha Levin

From: Kan Liang <kan.liang(a)linux.intel.com> [ Upstream commit b6ccddd6fe1fd49c7a82b6fbed01cccad21a29c7 ] From the perspective of the uncore PMU, the Clearwater Forest is the same as the previous Sierra Forest. The only difference is the event list, which will be supported in the perf tool later. Signed-off-by: Kan Liang <kan.liang(a)linux.intel.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Link: https://lkml.kernel.org/r/20241211161146.235253-1-kan.liang@linux.intel.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/x86/events/intel/uncore.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/events/intel/uncore.c b/arch/x86/events/intel/uncore.c index d98fac567684..e7aba7349231 100644 --- a/arch/x86/events/intel/uncore.c +++ b/arch/x86/events/intel/uncore.c @@ -1910,6 +1910,7 @@ static const struct x86_cpu_id intel_uncore_match[] __initconst = { X86_MATCH_VFM(INTEL_ATOM_GRACEMONT, &adl_uncore_init), X86_MATCH_VFM(INTEL_ATOM_CRESTMONT_X, &gnr_uncore_init), X86_MATCH_VFM(INTEL_ATOM_CRESTMONT, &gnr_uncore_init), + X86_MATCH_VFM(INTEL_ATOM_DARKMONT_X, &gnr_uncore_init), {}, }; MODULE_DEVICE_TABLE(x86cpu, intel_uncore_match); -- 2.39.5

5 months, 2 weeks

1
3
0 0

[PATCH 1/7] mm/hugetlb: Fix avoid_reserve to allow taking folio from subpool

by Peter Xu

Since commit 04f2cbe35699 ("hugetlb: guarantee that COW faults for a process that called mmap(MAP_PRIVATE) on hugetlbfs will succeed"), avoid_reserve was introduced for a special case of CoW on hugetlb private mappings, and only if the owner VMA is trying to allocate yet another hugetlb folio that is not reserved within the private vma reserved map. Later on, in commit d85f69b0b533 ("mm/hugetlb: alloc_huge_page handle areas hole punched by fallocate"), alloc_huge_page() enforced to not consume any global reservation as long as avoid_reserve=true. This operation doesn't look correct, because even if it will enforce the allocation to not use global reservation at all, it will still try to take one reservation from the spool (if the subpool existed). Then since the spool reserved pages take from global reservation, it'll also take one reservation globally. Logically it can cause global reservation to go wrong. I wrote a reproducer below, trigger this special path, and every run of such program will cause global reservation count to increment by one, until it hits the number of free pages: #define _GNU_SOURCE /* See feature_test_macros(7) */ #include <stdio.h> #include <fcntl.h> #include <errno.h> #include <unistd.h> #include <stdlib.h> #include <sys/mman.h> #define MSIZE (2UL << 20) int main(int argc, char *argv[]) { const char *path; int *buf; int fd, ret; pid_t child; if (argc < 2) { printf("usage: %s <hugetlb_file>\n", argv[0]); return -1; } path = argv[1]; fd = open(path, O_RDWR | O_CREAT, 0666); if (fd < 0) { perror("open failed"); return -1; } ret = fallocate(fd, 0, 0, MSIZE); if (ret != 0) { perror("fallocate"); return -1; } buf = mmap(NULL, MSIZE, PROT_READ|PROT_WRITE, MAP_PRIVATE, fd, 0); if (buf == MAP_FAILED) { perror("mmap() failed"); return -1; } /* Allocate a page */ *buf = 1; child = fork(); if (child == 0) { /* child doesn't need to do anything */ exit(0); } /* Trigger CoW from owner */ *buf = 2; munmap(buf, MSIZE); close(fd); unlink(path); return 0; } It can only reproduce with a sub-mount when there're reserved pages on the spool, like: # sysctl vm.nr_hugepages=128 # mkdir ./hugetlb-pool # mount -t hugetlbfs -o min_size=8M,pagesize=2M none ./hugetlb-pool Then run the reproducer on the mountpoint: # ./reproducer ./hugetlb-pool/test Fix it by taking the reservation from spool if available. In general, avoid_reserve is IMHO more about "avoid vma resv map", not spool's. I copied stable, however I have no intention for backporting if it's not a clean cherry-pick, because private hugetlb mapping, and then fork() on top is too rare to hit. Cc: linux-stable <stable(a)vger.kernel.org> Fixes: d85f69b0b533 ("mm/hugetlb: alloc_huge_page handle areas hole punched by fallocate") Signed-off-by: Peter Xu <peterx(a)redhat.com> --- mm/hugetlb.c | 22 +++------------------- 1 file changed, 3 insertions(+), 19 deletions(-) diff --git a/mm/hugetlb.c b/mm/hugetlb.c index cec4b121193f..9ce69fd22a01 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -1394,8 +1394,7 @@ static unsigned long available_huge_pages(struct hstate *h) static struct folio *dequeue_hugetlb_folio_vma(struct hstate *h, struct vm_area_struct *vma, - unsigned long address, int avoid_reserve, - long chg) + unsigned long address, long chg) { struct folio *folio = NULL; struct mempolicy *mpol; @@ -1411,10 +1410,6 @@ static struct folio *dequeue_hugetlb_folio_vma(struct hstate *h, if (!vma_has_reserves(vma, chg) && !available_huge_pages(h)) goto err; - /* If reserves cannot be used, ensure enough pages are in the pool */ - if (avoid_reserve && !available_huge_pages(h)) - goto err; - gfp_mask = htlb_alloc_mask(h); nid = huge_node(vma, address, gfp_mask, &mpol, &nodemask); @@ -1430,7 +1425,7 @@ static struct folio *dequeue_hugetlb_folio_vma(struct hstate *h, folio = dequeue_hugetlb_folio_nodemask(h, gfp_mask, nid, nodemask); - if (folio && !avoid_reserve && vma_has_reserves(vma, chg)) { + if (folio && vma_has_reserves(vma, chg)) { folio_set_hugetlb_restore_reserve(folio); h->resv_huge_pages--; } @@ -3007,17 +3002,6 @@ struct folio *alloc_hugetlb_folio(struct vm_area_struct *vma, gbl_chg = hugepage_subpool_get_pages(spool, 1); if (gbl_chg < 0) goto out_end_reservation; - - /* - * Even though there was no reservation in the region/reserve - * map, there could be reservations associated with the - * subpool that can be used. This would be indicated if the - * return value of hugepage_subpool_get_pages() is zero. - * However, if avoid_reserve is specified we still avoid even - * the subpool reservations. - */ - if (avoid_reserve) - gbl_chg = 1; } /* If this allocation is not consuming a reservation, charge it now. @@ -3040,7 +3024,7 @@ struct folio *alloc_hugetlb_folio(struct vm_area_struct *vma, * from the global free pool (global change). gbl_chg == 0 indicates * a reservation exists for the allocation. */ - folio = dequeue_hugetlb_folio_vma(h, vma, addr, avoid_reserve, gbl_chg); + folio = dequeue_hugetlb_folio_vma(h, vma, addr, gbl_chg); if (!folio) { spin_unlock_irq(&hugetlb_lock); folio = alloc_buddy_hugetlb_folio_with_mpol(h, vma, addr); -- 2.47.0

5 months, 2 weeks

2
3
0 0

[PATCH 1/2] dm-verity FEC: Fix RS FEC repair for roots unaligned to block size (take 2)

by Milan Broz

This patch fixes an issue that was fixed in the commit df7b59ba9245 ("dm verity: fix FEC for RS roots unaligned to block size") but later broken again in the commit 8ca7cab82bda ("dm verity fec: fix misaligned RS roots IO") If the Reed-Solomon roots setting spans multiple blocks, the code does not use proper parity bytes and randomly fails to repair even trivial errors. This bug cannot happen if the sector size is multiple of RS roots setting (Android case with roots 2). The previous solution was to find a dm-bufio block size that is multiple of the device sector size and roots size. Unfortunately, the optimization in commit 8ca7cab82bda ("dm verity fec: fix misaligned RS roots IO") is incorrect and uses data block size for some roots (for example, it uses 4096 block size for roots = 20). This patch uses a different approach: - It always uses a configured data block size for dm-bufio to avoid possible misaligned IOs. - and it caches the processed parity bytes, so it can join it if it spans two blocks. As the RS calculation is called only if an error is detected and the process is computationally intensive, copying a few more bytes should not introduce performance issues. The issue was reported to cryptsetup with trivial reproducer https://gitlab.com/cryptsetup/cryptsetup/-/issues/923 Reproducer (with roots=20): # create verity device with RS FEC dd if=/dev/urandom of=data.img bs=4096 count=8 status=none veritysetup format data.img hash.img --fec-device=fec.img --fec-roots=20 | \ awk '/^Root hash/{ print $3 }' >roothash # create an erasure that should always be repairable with this roots setting dd if=/dev/zero of=data.img conv=notrunc bs=1 count=4 seek=4 status=none # try to read it through dm-verity veritysetup open data.img test hash.img --fec-device=fec.img --fec-roots=20 $(cat roothash) dd if=/dev/mapper/test of=/dev/null bs=4096 status=noxfer Even now the log says it cannot repair it: : verity-fec: 7:1: FEC 0: failed to correct: -74 : device-mapper: verity: 7:1: data block 0 is corrupted ... With this fix, errors are properly repaired. : verity-fec: 7:1: FEC 0: corrected 4 errors Signed-off-by: Milan Broz <gmazyland(a)gmail.com> Fixes: 8ca7cab82bda ("dm verity fec: fix misaligned RS roots IO") Cc: stable(a)vger.kernel.org --- drivers/md/dm-verity-fec.c | 40 +++++++++++++++++++++++++------------- 1 file changed, 26 insertions(+), 14 deletions(-) diff --git a/drivers/md/dm-verity-fec.c b/drivers/md/dm-verity-fec.c index 62b1a44b8dd2..6bd9848518d4 100644 --- a/drivers/md/dm-verity-fec.c +++ b/drivers/md/dm-verity-fec.c @@ -60,15 +60,19 @@ static int fec_decode_rs8(struct dm_verity *v, struct dm_verity_fec_io *fio, * to the data block. Caller is responsible for releasing buf. */ static u8 *fec_read_parity(struct dm_verity *v, u64 rsb, int index, - unsigned int *offset, struct dm_buffer **buf, - unsigned short ioprio) + unsigned int *offset, unsigned int par_buf_offset, + struct dm_buffer **buf, unsigned short ioprio) { u64 position, block, rem; u8 *res; + /* We have already part of parity bytes read, skip to the next block */ + if (par_buf_offset) + index++; + position = (index + rsb) * v->fec->roots; block = div64_u64_rem(position, v->fec->io_size, &rem); - *offset = (unsigned int)rem; + *offset = par_buf_offset ? 0 : (unsigned int)rem; res = dm_bufio_read_with_ioprio(v->fec->bufio, block, buf, ioprio); if (IS_ERR(res)) { @@ -128,11 +132,12 @@ static int fec_decode_bufs(struct dm_verity *v, struct dm_verity_io *io, { int r, corrected = 0, res; struct dm_buffer *buf; - unsigned int n, i, offset; - u8 *par, *block; + unsigned int n, i, offset, par_buf_offset = 0; + u8 *par, *block, par_buf[DM_VERITY_FEC_RSM - DM_VERITY_FEC_MIN_RSN]; struct bio *bio = dm_bio_from_per_bio_data(io, v->ti->per_io_data_size); - par = fec_read_parity(v, rsb, block_offset, &offset, &buf, bio_prio(bio)); + par = fec_read_parity(v, rsb, block_offset, &offset, + par_buf_offset, &buf, bio_prio(bio)); if (IS_ERR(par)) return PTR_ERR(par); @@ -142,7 +147,8 @@ static int fec_decode_bufs(struct dm_verity *v, struct dm_verity_io *io, */ fec_for_each_buffer_rs_block(fio, n, i) { block = fec_buffer_rs_block(v, fio, n, i); - res = fec_decode_rs8(v, fio, block, &par[offset], neras); + memcpy(&par_buf[par_buf_offset], &par[offset], v->fec->roots - par_buf_offset); + res = fec_decode_rs8(v, fio, block, par_buf, neras); if (res < 0) { r = res; goto error; @@ -155,12 +161,21 @@ static int fec_decode_bufs(struct dm_verity *v, struct dm_verity_io *io, if (block_offset >= 1 << v->data_dev_block_bits) goto done; - /* read the next block when we run out of parity bytes */ - offset += v->fec->roots; + /* Read the next block when we run out of parity bytes */ + offset += (v->fec->roots - par_buf_offset); + /* Check if parity bytes are split between blocks */ + if (offset < v->fec->io_size && (offset + v->fec->roots) > v->fec->io_size) { + par_buf_offset = v->fec->io_size - offset; + memcpy(par_buf, &par[offset], par_buf_offset); + offset += par_buf_offset; + } else + par_buf_offset = 0; + if (offset >= v->fec->io_size) { dm_bufio_release(buf); - par = fec_read_parity(v, rsb, block_offset, &offset, &buf, bio_prio(bio)); + par = fec_read_parity(v, rsb, block_offset, &offset, + par_buf_offset, &buf, bio_prio(bio)); if (IS_ERR(par)) return PTR_ERR(par); } @@ -724,10 +739,7 @@ int verity_fec_ctr(struct dm_verity *v) return -E2BIG; } - if ((f->roots << SECTOR_SHIFT) & ((1 << v->data_dev_block_bits) - 1)) - f->io_size = 1 << v->data_dev_block_bits; - else - f->io_size = v->fec->roots << SECTOR_SHIFT; + f->io_size = 1 << v->data_dev_block_bits; f->bufio = dm_bufio_client_create(f->dev->bdev, f->io_size, -- 2.45.2

5 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] x86/hyperv: Fix hv tsc page based sched_clock for hibernation" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x bcc80dec91ee745b3d66f3e48f0ec2efdea97149 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122324-twitter-clustered-891d@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bcc80dec91ee745b3d66f3e48f0ec2efdea97149 Mon Sep 17 00:00:00 2001 From: Naman Jain <namjain(a)linux.microsoft.com> Date: Tue, 17 Sep 2024 11:09:17 +0530 Subject: [PATCH] x86/hyperv: Fix hv tsc page based sched_clock for hibernation read_hv_sched_clock_tsc() assumes that the Hyper-V clock counter is bigger than the variable hv_sched_clock_offset, which is cached during early boot, but depending on the timing this assumption may be false when a hibernated VM starts again (the clock counter starts from 0 again) and is resuming back (Note: hv_init_tsc_clocksource() is not called during hibernation/resume); consequently, read_hv_sched_clock_tsc() may return a negative integer (which is interpreted as a huge positive integer since the return type is u64) and new kernel messages are prefixed with huge timestamps before read_hv_sched_clock_tsc() grows big enough (which typically takes several seconds). Fix the issue by saving the Hyper-V clock counter just before the suspend, and using it to correct the hv_sched_clock_offset in resume. This makes hv tsc page based sched_clock continuous and ensures that post resume, it starts from where it left off during suspend. Override x86_platform.save_sched_clock_state and x86_platform.restore_sched_clock_state routines to correct this as soon as possible. Note: if Invariant TSC is available, the issue doesn't happen because 1) we don't register read_hv_sched_clock_tsc() for sched clock: See commit e5313f1c5404 ("clocksource/drivers/hyper-v: Rework clocksource and sched clock setup"); 2) the common x86 code adjusts TSC similarly: see __restore_processor_state() -> tsc_verify_tsc_adjust(true) and x86_platform.restore_sched_clock_state(). Cc: stable(a)vger.kernel.org Fixes: 1349401ff1aa ("clocksource/drivers/hyper-v: Suspend/resume Hyper-V clocksource for hibernation") Co-developed-by: Dexuan Cui <decui(a)microsoft.com> Signed-off-by: Dexuan Cui <decui(a)microsoft.com> Signed-off-by: Naman Jain <namjain(a)linux.microsoft.com> Reviewed-by: Michael Kelley <mhklinux(a)outlook.com> Link: https://lore.kernel.org/r/20240917053917.76787-1-namjain@linux.microsoft.com Signed-off-by: Wei Liu <wei.liu(a)kernel.org> Message-ID: <20240917053917.76787-1-namjain(a)linux.microsoft.com> diff --git a/arch/x86/kernel/cpu/mshyperv.c b/arch/x86/kernel/cpu/mshyperv.c index d18078834ded..dc12fe5ef3ca 100644 --- a/arch/x86/kernel/cpu/mshyperv.c +++ b/arch/x86/kernel/cpu/mshyperv.c @@ -223,6 +223,63 @@ static void hv_machine_crash_shutdown(struct pt_regs *regs) hyperv_cleanup(); } #endif /* CONFIG_CRASH_DUMP */ + +static u64 hv_ref_counter_at_suspend; +static void (*old_save_sched_clock_state)(void); +static void (*old_restore_sched_clock_state)(void); + +/* + * Hyper-V clock counter resets during hibernation. Save and restore clock + * offset during suspend/resume, while also considering the time passed + * before suspend. This is to make sure that sched_clock using hv tsc page + * based clocksource, proceeds from where it left off during suspend and + * it shows correct time for the timestamps of kernel messages after resume. + */ +static void save_hv_clock_tsc_state(void) +{ + hv_ref_counter_at_suspend = hv_read_reference_counter(); +} + +static void restore_hv_clock_tsc_state(void) +{ + /* + * Adjust the offsets used by hv tsc clocksource to + * account for the time spent before hibernation. + * adjusted value = reference counter (time) at suspend + * - reference counter (time) now. + */ + hv_adj_sched_clock_offset(hv_ref_counter_at_suspend - hv_read_reference_counter()); +} + +/* + * Functions to override save_sched_clock_state and restore_sched_clock_state + * functions of x86_platform. The Hyper-V clock counter is reset during + * suspend-resume and the offset used to measure time needs to be + * corrected, post resume. + */ +static void hv_save_sched_clock_state(void) +{ + old_save_sched_clock_state(); + save_hv_clock_tsc_state(); +} + +static void hv_restore_sched_clock_state(void) +{ + restore_hv_clock_tsc_state(); + old_restore_sched_clock_state(); +} + +static void __init x86_setup_ops_for_tsc_pg_clock(void) +{ + if (!(ms_hyperv.features & HV_MSR_REFERENCE_TSC_AVAILABLE)) + return; + + old_save_sched_clock_state = x86_platform.save_sched_clock_state; + x86_platform.save_sched_clock_state = hv_save_sched_clock_state; + + old_restore_sched_clock_state = x86_platform.restore_sched_clock_state; + x86_platform.restore_sched_clock_state = hv_restore_sched_clock_state; +} #endif /* CONFIG_HYPERV */ static uint32_t __init ms_hyperv_platform(void) @@ -579,6 +636,7 @@ static void __init ms_hyperv_init_platform(void) /* Register Hyper-V specific clocksource */ hv_init_clocksource(); + x86_setup_ops_for_tsc_pg_clock(); hv_vtl_init_platform(); #endif /* diff --git a/drivers/clocksource/hyperv_timer.c b/drivers/clocksource/hyperv_timer.c index 99177835cade..b39dee7b93af 100644 --- a/drivers/clocksource/hyperv_timer.c +++ b/drivers/clocksource/hyperv_timer.c @@ -27,7 +27,8 @@ #include <asm/mshyperv.h> static struct clock_event_device __percpu *hv_clock_event; -static u64 hv_sched_clock_offset __ro_after_init; +/* Note: offset can hold negative values after hibernation. */ +static u64 hv_sched_clock_offset __read_mostly; /* * If false, we're using the old mechanism for stimer0 interrupts @@ -470,6 +471,17 @@ static void resume_hv_clock_tsc(struct clocksource *arg) hv_set_msr(HV_MSR_REFERENCE_TSC, tsc_msr.as_uint64); } +/* + * Called during resume from hibernation, from overridden + * x86_platform.restore_sched_clock_state routine. This is to adjust offsets + * used to calculate time for hv tsc page based sched_clock, to account for + * time spent before hibernation. + */ +void hv_adj_sched_clock_offset(u64 offset) +{ + hv_sched_clock_offset -= offset; +} + #ifdef HAVE_VDSO_CLOCKMODE_HVCLOCK static int hv_cs_enable(struct clocksource *cs) { diff --git a/include/clocksource/hyperv_timer.h b/include/clocksource/hyperv_timer.h index 6cdc873ac907..aa5233b1eba9 100644 --- a/include/clocksource/hyperv_timer.h +++ b/include/clocksource/hyperv_timer.h @@ -38,6 +38,8 @@ extern void hv_remap_tsc_clocksource(void); extern unsigned long hv_get_tsc_pfn(void); extern struct ms_hyperv_tsc_page *hv_get_tsc_page(void); +extern void hv_adj_sched_clock_offset(u64 offset); + static __always_inline bool hv_read_tsc_page_tsc(const struct ms_hyperv_tsc_page *tsc_pg, u64 *cur_tsc, u64 *time)

5 months, 2 weeks

3
2
0 0

FAILED: patch "[PATCH] x86/hyperv: Fix hv tsc page based sched_clock for hibernation" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x bcc80dec91ee745b3d66f3e48f0ec2efdea97149 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122327-imaginary-gizzard-8e8b@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bcc80dec91ee745b3d66f3e48f0ec2efdea97149 Mon Sep 17 00:00:00 2001 From: Naman Jain <namjain(a)linux.microsoft.com> Date: Tue, 17 Sep 2024 11:09:17 +0530 Subject: [PATCH] x86/hyperv: Fix hv tsc page based sched_clock for hibernation read_hv_sched_clock_tsc() assumes that the Hyper-V clock counter is bigger than the variable hv_sched_clock_offset, which is cached during early boot, but depending on the timing this assumption may be false when a hibernated VM starts again (the clock counter starts from 0 again) and is resuming back (Note: hv_init_tsc_clocksource() is not called during hibernation/resume); consequently, read_hv_sched_clock_tsc() may return a negative integer (which is interpreted as a huge positive integer since the return type is u64) and new kernel messages are prefixed with huge timestamps before read_hv_sched_clock_tsc() grows big enough (which typically takes several seconds). Fix the issue by saving the Hyper-V clock counter just before the suspend, and using it to correct the hv_sched_clock_offset in resume. This makes hv tsc page based sched_clock continuous and ensures that post resume, it starts from where it left off during suspend. Override x86_platform.save_sched_clock_state and x86_platform.restore_sched_clock_state routines to correct this as soon as possible. Note: if Invariant TSC is available, the issue doesn't happen because 1) we don't register read_hv_sched_clock_tsc() for sched clock: See commit e5313f1c5404 ("clocksource/drivers/hyper-v: Rework clocksource and sched clock setup"); 2) the common x86 code adjusts TSC similarly: see __restore_processor_state() -> tsc_verify_tsc_adjust(true) and x86_platform.restore_sched_clock_state(). Cc: stable(a)vger.kernel.org Fixes: 1349401ff1aa ("clocksource/drivers/hyper-v: Suspend/resume Hyper-V clocksource for hibernation") Co-developed-by: Dexuan Cui <decui(a)microsoft.com> Signed-off-by: Dexuan Cui <decui(a)microsoft.com> Signed-off-by: Naman Jain <namjain(a)linux.microsoft.com> Reviewed-by: Michael Kelley <mhklinux(a)outlook.com> Link: https://lore.kernel.org/r/20240917053917.76787-1-namjain@linux.microsoft.com Signed-off-by: Wei Liu <wei.liu(a)kernel.org> Message-ID: <20240917053917.76787-1-namjain(a)linux.microsoft.com> diff --git a/arch/x86/kernel/cpu/mshyperv.c b/arch/x86/kernel/cpu/mshyperv.c index d18078834ded..dc12fe5ef3ca 100644 --- a/arch/x86/kernel/cpu/mshyperv.c +++ b/arch/x86/kernel/cpu/mshyperv.c @@ -223,6 +223,63 @@ static void hv_machine_crash_shutdown(struct pt_regs *regs) hyperv_cleanup(); } #endif /* CONFIG_CRASH_DUMP */ + +static u64 hv_ref_counter_at_suspend; +static void (*old_save_sched_clock_state)(void); +static void (*old_restore_sched_clock_state)(void); + +/* + * Hyper-V clock counter resets during hibernation. Save and restore clock + * offset during suspend/resume, while also considering the time passed + * before suspend. This is to make sure that sched_clock using hv tsc page + * based clocksource, proceeds from where it left off during suspend and + * it shows correct time for the timestamps of kernel messages after resume. + */ +static void save_hv_clock_tsc_state(void) +{ + hv_ref_counter_at_suspend = hv_read_reference_counter(); +} + +static void restore_hv_clock_tsc_state(void) +{ + /* + * Adjust the offsets used by hv tsc clocksource to + * account for the time spent before hibernation. + * adjusted value = reference counter (time) at suspend + * - reference counter (time) now. + */ + hv_adj_sched_clock_offset(hv_ref_counter_at_suspend - hv_read_reference_counter()); +} + +/* + * Functions to override save_sched_clock_state and restore_sched_clock_state + * functions of x86_platform. The Hyper-V clock counter is reset during + * suspend-resume and the offset used to measure time needs to be + * corrected, post resume. + */ +static void hv_save_sched_clock_state(void) +{ + old_save_sched_clock_state(); + save_hv_clock_tsc_state(); +} + +static void hv_restore_sched_clock_state(void) +{ + restore_hv_clock_tsc_state(); + old_restore_sched_clock_state(); +} + +static void __init x86_setup_ops_for_tsc_pg_clock(void) +{ + if (!(ms_hyperv.features & HV_MSR_REFERENCE_TSC_AVAILABLE)) + return; + + old_save_sched_clock_state = x86_platform.save_sched_clock_state; + x86_platform.save_sched_clock_state = hv_save_sched_clock_state; + + old_restore_sched_clock_state = x86_platform.restore_sched_clock_state; + x86_platform.restore_sched_clock_state = hv_restore_sched_clock_state; +} #endif /* CONFIG_HYPERV */ static uint32_t __init ms_hyperv_platform(void) @@ -579,6 +636,7 @@ static void __init ms_hyperv_init_platform(void) /* Register Hyper-V specific clocksource */ hv_init_clocksource(); + x86_setup_ops_for_tsc_pg_clock(); hv_vtl_init_platform(); #endif /* diff --git a/drivers/clocksource/hyperv_timer.c b/drivers/clocksource/hyperv_timer.c index 99177835cade..b39dee7b93af 100644 --- a/drivers/clocksource/hyperv_timer.c +++ b/drivers/clocksource/hyperv_timer.c @@ -27,7 +27,8 @@ #include <asm/mshyperv.h> static struct clock_event_device __percpu *hv_clock_event; -static u64 hv_sched_clock_offset __ro_after_init; +/* Note: offset can hold negative values after hibernation. */ +static u64 hv_sched_clock_offset __read_mostly; /* * If false, we're using the old mechanism for stimer0 interrupts @@ -470,6 +471,17 @@ static void resume_hv_clock_tsc(struct clocksource *arg) hv_set_msr(HV_MSR_REFERENCE_TSC, tsc_msr.as_uint64); } +/* + * Called during resume from hibernation, from overridden + * x86_platform.restore_sched_clock_state routine. This is to adjust offsets + * used to calculate time for hv tsc page based sched_clock, to account for + * time spent before hibernation. + */ +void hv_adj_sched_clock_offset(u64 offset) +{ + hv_sched_clock_offset -= offset; +} + #ifdef HAVE_VDSO_CLOCKMODE_HVCLOCK static int hv_cs_enable(struct clocksource *cs) { diff --git a/include/clocksource/hyperv_timer.h b/include/clocksource/hyperv_timer.h index 6cdc873ac907..aa5233b1eba9 100644 --- a/include/clocksource/hyperv_timer.h +++ b/include/clocksource/hyperv_timer.h @@ -38,6 +38,8 @@ extern void hv_remap_tsc_clocksource(void); extern unsigned long hv_get_tsc_pfn(void); extern struct ms_hyperv_tsc_page *hv_get_tsc_page(void); +extern void hv_adj_sched_clock_offset(u64 offset); + static __always_inline bool hv_read_tsc_page_tsc(const struct ms_hyperv_tsc_page *tsc_pg, u64 *cur_tsc, u64 *time)

5 months, 2 weeks

3
2
0 0

FAILED: patch "[PATCH] x86/hyperv: Fix hv tsc page based sched_clock for hibernation" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x bcc80dec91ee745b3d66f3e48f0ec2efdea97149 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122325-flavoring-mute-cb7e@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bcc80dec91ee745b3d66f3e48f0ec2efdea97149 Mon Sep 17 00:00:00 2001 From: Naman Jain <namjain(a)linux.microsoft.com> Date: Tue, 17 Sep 2024 11:09:17 +0530 Subject: [PATCH] x86/hyperv: Fix hv tsc page based sched_clock for hibernation read_hv_sched_clock_tsc() assumes that the Hyper-V clock counter is bigger than the variable hv_sched_clock_offset, which is cached during early boot, but depending on the timing this assumption may be false when a hibernated VM starts again (the clock counter starts from 0 again) and is resuming back (Note: hv_init_tsc_clocksource() is not called during hibernation/resume); consequently, read_hv_sched_clock_tsc() may return a negative integer (which is interpreted as a huge positive integer since the return type is u64) and new kernel messages are prefixed with huge timestamps before read_hv_sched_clock_tsc() grows big enough (which typically takes several seconds). Fix the issue by saving the Hyper-V clock counter just before the suspend, and using it to correct the hv_sched_clock_offset in resume. This makes hv tsc page based sched_clock continuous and ensures that post resume, it starts from where it left off during suspend. Override x86_platform.save_sched_clock_state and x86_platform.restore_sched_clock_state routines to correct this as soon as possible. Note: if Invariant TSC is available, the issue doesn't happen because 1) we don't register read_hv_sched_clock_tsc() for sched clock: See commit e5313f1c5404 ("clocksource/drivers/hyper-v: Rework clocksource and sched clock setup"); 2) the common x86 code adjusts TSC similarly: see __restore_processor_state() -> tsc_verify_tsc_adjust(true) and x86_platform.restore_sched_clock_state(). Cc: stable(a)vger.kernel.org Fixes: 1349401ff1aa ("clocksource/drivers/hyper-v: Suspend/resume Hyper-V clocksource for hibernation") Co-developed-by: Dexuan Cui <decui(a)microsoft.com> Signed-off-by: Dexuan Cui <decui(a)microsoft.com> Signed-off-by: Naman Jain <namjain(a)linux.microsoft.com> Reviewed-by: Michael Kelley <mhklinux(a)outlook.com> Link: https://lore.kernel.org/r/20240917053917.76787-1-namjain@linux.microsoft.com Signed-off-by: Wei Liu <wei.liu(a)kernel.org> Message-ID: <20240917053917.76787-1-namjain(a)linux.microsoft.com> diff --git a/arch/x86/kernel/cpu/mshyperv.c b/arch/x86/kernel/cpu/mshyperv.c index d18078834ded..dc12fe5ef3ca 100644 --- a/arch/x86/kernel/cpu/mshyperv.c +++ b/arch/x86/kernel/cpu/mshyperv.c @@ -223,6 +223,63 @@ static void hv_machine_crash_shutdown(struct pt_regs *regs) hyperv_cleanup(); } #endif /* CONFIG_CRASH_DUMP */ + +static u64 hv_ref_counter_at_suspend; +static void (*old_save_sched_clock_state)(void); +static void (*old_restore_sched_clock_state)(void); + +/* + * Hyper-V clock counter resets during hibernation. Save and restore clock + * offset during suspend/resume, while also considering the time passed + * before suspend. This is to make sure that sched_clock using hv tsc page + * based clocksource, proceeds from where it left off during suspend and + * it shows correct time for the timestamps of kernel messages after resume. + */ +static void save_hv_clock_tsc_state(void) +{ + hv_ref_counter_at_suspend = hv_read_reference_counter(); +} + +static void restore_hv_clock_tsc_state(void) +{ + /* + * Adjust the offsets used by hv tsc clocksource to + * account for the time spent before hibernation. + * adjusted value = reference counter (time) at suspend + * - reference counter (time) now. + */ + hv_adj_sched_clock_offset(hv_ref_counter_at_suspend - hv_read_reference_counter()); +} + +/* + * Functions to override save_sched_clock_state and restore_sched_clock_state + * functions of x86_platform. The Hyper-V clock counter is reset during + * suspend-resume and the offset used to measure time needs to be + * corrected, post resume. + */ +static void hv_save_sched_clock_state(void) +{ + old_save_sched_clock_state(); + save_hv_clock_tsc_state(); +} + +static void hv_restore_sched_clock_state(void) +{ + restore_hv_clock_tsc_state(); + old_restore_sched_clock_state(); +} + +static void __init x86_setup_ops_for_tsc_pg_clock(void) +{ + if (!(ms_hyperv.features & HV_MSR_REFERENCE_TSC_AVAILABLE)) + return; + + old_save_sched_clock_state = x86_platform.save_sched_clock_state; + x86_platform.save_sched_clock_state = hv_save_sched_clock_state; + + old_restore_sched_clock_state = x86_platform.restore_sched_clock_state; + x86_platform.restore_sched_clock_state = hv_restore_sched_clock_state; +} #endif /* CONFIG_HYPERV */ static uint32_t __init ms_hyperv_platform(void) @@ -579,6 +636,7 @@ static void __init ms_hyperv_init_platform(void) /* Register Hyper-V specific clocksource */ hv_init_clocksource(); + x86_setup_ops_for_tsc_pg_clock(); hv_vtl_init_platform(); #endif /* diff --git a/drivers/clocksource/hyperv_timer.c b/drivers/clocksource/hyperv_timer.c index 99177835cade..b39dee7b93af 100644 --- a/drivers/clocksource/hyperv_timer.c +++ b/drivers/clocksource/hyperv_timer.c @@ -27,7 +27,8 @@ #include <asm/mshyperv.h> static struct clock_event_device __percpu *hv_clock_event; -static u64 hv_sched_clock_offset __ro_after_init; +/* Note: offset can hold negative values after hibernation. */ +static u64 hv_sched_clock_offset __read_mostly; /* * If false, we're using the old mechanism for stimer0 interrupts @@ -470,6 +471,17 @@ static void resume_hv_clock_tsc(struct clocksource *arg) hv_set_msr(HV_MSR_REFERENCE_TSC, tsc_msr.as_uint64); } +/* + * Called during resume from hibernation, from overridden + * x86_platform.restore_sched_clock_state routine. This is to adjust offsets + * used to calculate time for hv tsc page based sched_clock, to account for + * time spent before hibernation. + */ +void hv_adj_sched_clock_offset(u64 offset) +{ + hv_sched_clock_offset -= offset; +} + #ifdef HAVE_VDSO_CLOCKMODE_HVCLOCK static int hv_cs_enable(struct clocksource *cs) { diff --git a/include/clocksource/hyperv_timer.h b/include/clocksource/hyperv_timer.h index 6cdc873ac907..aa5233b1eba9 100644 --- a/include/clocksource/hyperv_timer.h +++ b/include/clocksource/hyperv_timer.h @@ -38,6 +38,8 @@ extern void hv_remap_tsc_clocksource(void); extern unsigned long hv_get_tsc_pfn(void); extern struct ms_hyperv_tsc_page *hv_get_tsc_page(void); +extern void hv_adj_sched_clock_offset(u64 offset); + static __always_inline bool hv_read_tsc_page_tsc(const struct ms_hyperv_tsc_page *tsc_pg, u64 *cur_tsc, u64 *time)

5 months, 2 weeks

3
2
0 0

[PATCH 6.1.y] i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition

by jianqi.ren.cn＠windriver.com

From: Kaixin Wang <kxwang23(a)m.fudan.edu.cn> [ Upstream commit 609366e7a06d035990df78f1562291c3bf0d4a12 ] In the cdns_i3c_master_probe function, &master->hj_work is bound with cdns_i3c_master_hj. And cdns_i3c_master_interrupt can call cnds_i3c_master_demux_ibis function to start the work. If we remove the module which will call cdns_i3c_master_remove to make cleanup, it will free master->base through i3c_master_unregister while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | cdns_i3c_master_hj cdns_i3c_master_remove | i3c_master_unregister(&master->base) | device_unregister(&master->dev) | device_release | //free master->base | | i3c_master_do_daa(&master->base) | //use master->base Fix it by ensuring that the work is canceled before proceeding with the cleanup in cdns_i3c_master_remove. Signed-off-by: Kaixin Wang <kxwang23(a)m.fudan.edu.cn> Link: https://lore.kernel.org/r/20240911153544.848398-1-kxwang23@m.fudan.edu.cn Signed-off-by: Alexandre Belloni <alexandre.belloni(a)bootlin.com> Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> --- drivers/i3c/master/i3c-master-cdns.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/i3c/master/i3c-master-cdns.c b/drivers/i3c/master/i3c-master-cdns.c index b9cfda6ae9ae..4473c0b1ae2e 100644 --- a/drivers/i3c/master/i3c-master-cdns.c +++ b/drivers/i3c/master/i3c-master-cdns.c @@ -1668,6 +1668,7 @@ static int cdns_i3c_master_remove(struct platform_device *pdev) struct cdns_i3c_master *master = platform_get_drvdata(pdev); int ret; + cancel_work_sync(&master->hj_work); ret = i3c_master_unregister(&master->base); if (ret) return ret; -- 2.25.1

5 months, 2 weeks

3
3
0 0

FAILED: patch "[PATCH] x86/hyperv: Fix hv tsc page based sched_clock for hibernation" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x bcc80dec91ee745b3d66f3e48f0ec2efdea97149 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122326-eraser-perennial-6b59@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bcc80dec91ee745b3d66f3e48f0ec2efdea97149 Mon Sep 17 00:00:00 2001 From: Naman Jain <namjain(a)linux.microsoft.com> Date: Tue, 17 Sep 2024 11:09:17 +0530 Subject: [PATCH] x86/hyperv: Fix hv tsc page based sched_clock for hibernation read_hv_sched_clock_tsc() assumes that the Hyper-V clock counter is bigger than the variable hv_sched_clock_offset, which is cached during early boot, but depending on the timing this assumption may be false when a hibernated VM starts again (the clock counter starts from 0 again) and is resuming back (Note: hv_init_tsc_clocksource() is not called during hibernation/resume); consequently, read_hv_sched_clock_tsc() may return a negative integer (which is interpreted as a huge positive integer since the return type is u64) and new kernel messages are prefixed with huge timestamps before read_hv_sched_clock_tsc() grows big enough (which typically takes several seconds). Fix the issue by saving the Hyper-V clock counter just before the suspend, and using it to correct the hv_sched_clock_offset in resume. This makes hv tsc page based sched_clock continuous and ensures that post resume, it starts from where it left off during suspend. Override x86_platform.save_sched_clock_state and x86_platform.restore_sched_clock_state routines to correct this as soon as possible. Note: if Invariant TSC is available, the issue doesn't happen because 1) we don't register read_hv_sched_clock_tsc() for sched clock: See commit e5313f1c5404 ("clocksource/drivers/hyper-v: Rework clocksource and sched clock setup"); 2) the common x86 code adjusts TSC similarly: see __restore_processor_state() -> tsc_verify_tsc_adjust(true) and x86_platform.restore_sched_clock_state(). Cc: stable(a)vger.kernel.org Fixes: 1349401ff1aa ("clocksource/drivers/hyper-v: Suspend/resume Hyper-V clocksource for hibernation") Co-developed-by: Dexuan Cui <decui(a)microsoft.com> Signed-off-by: Dexuan Cui <decui(a)microsoft.com> Signed-off-by: Naman Jain <namjain(a)linux.microsoft.com> Reviewed-by: Michael Kelley <mhklinux(a)outlook.com> Link: https://lore.kernel.org/r/20240917053917.76787-1-namjain@linux.microsoft.com Signed-off-by: Wei Liu <wei.liu(a)kernel.org> Message-ID: <20240917053917.76787-1-namjain(a)linux.microsoft.com> diff --git a/arch/x86/kernel/cpu/mshyperv.c b/arch/x86/kernel/cpu/mshyperv.c index d18078834ded..dc12fe5ef3ca 100644 --- a/arch/x86/kernel/cpu/mshyperv.c +++ b/arch/x86/kernel/cpu/mshyperv.c @@ -223,6 +223,63 @@ static void hv_machine_crash_shutdown(struct pt_regs *regs) hyperv_cleanup(); } #endif /* CONFIG_CRASH_DUMP */ + +static u64 hv_ref_counter_at_suspend; +static void (*old_save_sched_clock_state)(void); +static void (*old_restore_sched_clock_state)(void); + +/* + * Hyper-V clock counter resets during hibernation. Save and restore clock + * offset during suspend/resume, while also considering the time passed + * before suspend. This is to make sure that sched_clock using hv tsc page + * based clocksource, proceeds from where it left off during suspend and + * it shows correct time for the timestamps of kernel messages after resume. + */ +static void save_hv_clock_tsc_state(void) +{ + hv_ref_counter_at_suspend = hv_read_reference_counter(); +} + +static void restore_hv_clock_tsc_state(void) +{ + /* + * Adjust the offsets used by hv tsc clocksource to + * account for the time spent before hibernation. + * adjusted value = reference counter (time) at suspend + * - reference counter (time) now. + */ + hv_adj_sched_clock_offset(hv_ref_counter_at_suspend - hv_read_reference_counter()); +} + +/* + * Functions to override save_sched_clock_state and restore_sched_clock_state + * functions of x86_platform. The Hyper-V clock counter is reset during + * suspend-resume and the offset used to measure time needs to be + * corrected, post resume. + */ +static void hv_save_sched_clock_state(void) +{ + old_save_sched_clock_state(); + save_hv_clock_tsc_state(); +} + +static void hv_restore_sched_clock_state(void) +{ + restore_hv_clock_tsc_state(); + old_restore_sched_clock_state(); +} + +static void __init x86_setup_ops_for_tsc_pg_clock(void) +{ + if (!(ms_hyperv.features & HV_MSR_REFERENCE_TSC_AVAILABLE)) + return; + + old_save_sched_clock_state = x86_platform.save_sched_clock_state; + x86_platform.save_sched_clock_state = hv_save_sched_clock_state; + + old_restore_sched_clock_state = x86_platform.restore_sched_clock_state; + x86_platform.restore_sched_clock_state = hv_restore_sched_clock_state; +} #endif /* CONFIG_HYPERV */ static uint32_t __init ms_hyperv_platform(void) @@ -579,6 +636,7 @@ static void __init ms_hyperv_init_platform(void) /* Register Hyper-V specific clocksource */ hv_init_clocksource(); + x86_setup_ops_for_tsc_pg_clock(); hv_vtl_init_platform(); #endif /* diff --git a/drivers/clocksource/hyperv_timer.c b/drivers/clocksource/hyperv_timer.c index 99177835cade..b39dee7b93af 100644 --- a/drivers/clocksource/hyperv_timer.c +++ b/drivers/clocksource/hyperv_timer.c @@ -27,7 +27,8 @@ #include <asm/mshyperv.h> static struct clock_event_device __percpu *hv_clock_event; -static u64 hv_sched_clock_offset __ro_after_init; +/* Note: offset can hold negative values after hibernation. */ +static u64 hv_sched_clock_offset __read_mostly; /* * If false, we're using the old mechanism for stimer0 interrupts @@ -470,6 +471,17 @@ static void resume_hv_clock_tsc(struct clocksource *arg) hv_set_msr(HV_MSR_REFERENCE_TSC, tsc_msr.as_uint64); } +/* + * Called during resume from hibernation, from overridden + * x86_platform.restore_sched_clock_state routine. This is to adjust offsets + * used to calculate time for hv tsc page based sched_clock, to account for + * time spent before hibernation. + */ +void hv_adj_sched_clock_offset(u64 offset) +{ + hv_sched_clock_offset -= offset; +} + #ifdef HAVE_VDSO_CLOCKMODE_HVCLOCK static int hv_cs_enable(struct clocksource *cs) { diff --git a/include/clocksource/hyperv_timer.h b/include/clocksource/hyperv_timer.h index 6cdc873ac907..aa5233b1eba9 100644 --- a/include/clocksource/hyperv_timer.h +++ b/include/clocksource/hyperv_timer.h @@ -38,6 +38,8 @@ extern void hv_remap_tsc_clocksource(void); extern unsigned long hv_get_tsc_pfn(void); extern struct ms_hyperv_tsc_page *hv_get_tsc_page(void); +extern void hv_adj_sched_clock_offset(u64 offset); + static __always_inline bool hv_read_tsc_page_tsc(const struct ms_hyperv_tsc_page *tsc_pg, u64 *cur_tsc, u64 *time)

5 months, 2 weeks

3
2
0 0

[PATCH 6.6.y] net/mlx5e: Don't call cleanup on profile rollback failure

by jianqi.ren.cn＠windriver.com

From: Cosmin Ratiu <cratiu(a)nvidia.com> [ Upstream commit 4dbc1d1a9f39c3711ad2a40addca04d07d9ab5d0 ] When profile rollback fails in mlx5e_netdev_change_profile, the netdev profile var is left set to NULL. Avoid a crash when unloading the driver by not calling profile->cleanup in such a case. This was encountered while testing, with the original trigger that the wq rescuer thread creation got interrupted (presumably due to Ctrl+C-ing modprobe), which gets converted to ENOMEM (-12) by mlx5e_priv_init, the profile rollback also fails for the same reason (signal still active) so the profile is left as NULL, leading to a crash later in _mlx5e_remove. [ 732.473932] mlx5_core 0000:08:00.1: E-Switch: Unload vfs: mode(OFFLOADS), nvfs(2), necvfs(0), active vports(2) [ 734.525513] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR [ 734.557372] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12 [ 734.559187] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: new profile init failed, -12 [ 734.560153] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR [ 734.589378] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12 [ 734.591136] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 [ 745.537492] BUG: kernel NULL pointer dereference, address: 0000000000000008 [ 745.538222] #PF: supervisor read access in kernel mode <snipped> [ 745.551290] Call Trace: [ 745.551590] <TASK> [ 745.551866] ? __die+0x20/0x60 [ 745.552218] ? page_fault_oops+0x150/0x400 [ 745.555307] ? exc_page_fault+0x79/0x240 [ 745.555729] ? asm_exc_page_fault+0x22/0x30 [ 745.556166] ? mlx5e_remove+0x6b/0xb0 [mlx5_core] [ 745.556698] auxiliary_bus_remove+0x18/0x30 [ 745.557134] device_release_driver_internal+0x1df/0x240 [ 745.557654] bus_remove_device+0xd7/0x140 [ 745.558075] device_del+0x15b/0x3c0 [ 745.558456] mlx5_rescan_drivers_locked.part.0+0xb1/0x2f0 [mlx5_core] [ 745.559112] mlx5_unregister_device+0x34/0x50 [mlx5_core] [ 745.559686] mlx5_uninit_one+0x46/0xf0 [mlx5_core] [ 745.560203] remove_one+0x4e/0xd0 [mlx5_core] [ 745.560694] pci_device_remove+0x39/0xa0 [ 745.561112] device_release_driver_internal+0x1df/0x240 [ 745.561631] driver_detach+0x47/0x90 [ 745.562022] bus_remove_driver+0x84/0x100 [ 745.562444] pci_unregister_driver+0x3b/0x90 [ 745.562890] mlx5_cleanup+0xc/0x1b [mlx5_core] [ 745.563415] __x64_sys_delete_module+0x14d/0x2f0 [ 745.563886] ? kmem_cache_free+0x1b0/0x460 [ 745.564313] ? lockdep_hardirqs_on_prepare+0xe2/0x190 [ 745.564825] do_syscall_64+0x6d/0x140 [ 745.565223] entry_SYSCALL_64_after_hwframe+0x4b/0x53 [ 745.565725] RIP: 0033:0x7f1579b1288b Fixes: 3ef14e463f6e ("net/mlx5e: Separate between netdev objects and mlx5e profiles initialization") Signed-off-by: Cosmin Ratiu <cratiu(a)nvidia.com> Reviewed-by: Dragos Tatulea <dtatulea(a)nvidia.com> Signed-off-by: Tariq Toukan <tariqt(a)nvidia.com> Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> --- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c index 6e431f587c23..b34f57ab9755 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c @@ -6110,7 +6110,9 @@ static void mlx5e_remove(struct auxiliary_device *adev) mlx5e_dcbnl_delete_app(priv); unregister_netdev(priv->netdev); mlx5e_suspend(adev, state); - priv->profile->cleanup(priv); + /* Avoid cleanup if profile rollback failed. */ + if (priv->profile) + priv->profile->cleanup(priv); mlx5e_destroy_netdev(priv); mlx5e_devlink_port_unregister(mlx5e_dev); mlx5e_destroy_devlink(mlx5e_dev); -- 2.25.1

5 months, 2 weeks

2
1
0 0

[PATCH 6.6.y] btrfs: fix use-after-free in btrfs_encoded_read_endio()

by Alva Lan

From: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> [ Upstream commit 05b36b04d74a517d6675bf2f90829ff1ac7e28dc ] Shinichiro reported the following use-after free that sometimes is happening in our CI system when running fstests' btrfs/284 on a TCMU runner device: BUG: KASAN: slab-use-after-free in lock_release+0x708/0x780 Read of size 8 at addr ffff888106a83f18 by task kworker/u80:6/219 CPU: 8 UID: 0 PID: 219 Comm: kworker/u80:6 Not tainted 6.12.0-rc6-kts+ #15 Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020 Workqueue: btrfs-endio btrfs_end_bio_work [btrfs] Call Trace: <TASK> dump_stack_lvl+0x6e/0xa0 ? lock_release+0x708/0x780 print_report+0x174/0x505 ? lock_release+0x708/0x780 ? __virt_addr_valid+0x224/0x410 ? lock_release+0x708/0x780 kasan_report+0xda/0x1b0 ? lock_release+0x708/0x780 ? __wake_up+0x44/0x60 lock_release+0x708/0x780 ? __pfx_lock_release+0x10/0x10 ? __pfx_do_raw_spin_lock+0x10/0x10 ? lock_is_held_type+0x9a/0x110 _raw_spin_unlock_irqrestore+0x1f/0x60 __wake_up+0x44/0x60 btrfs_encoded_read_endio+0x14b/0x190 [btrfs] btrfs_check_read_bio+0x8d9/0x1360 [btrfs] ? lock_release+0x1b0/0x780 ? trace_lock_acquire+0x12f/0x1a0 ? __pfx_btrfs_check_read_bio+0x10/0x10 [btrfs] ? process_one_work+0x7e3/0x1460 ? lock_acquire+0x31/0xc0 ? process_one_work+0x7e3/0x1460 process_one_work+0x85c/0x1460 ? __pfx_process_one_work+0x10/0x10 ? assign_work+0x16c/0x240 worker_thread+0x5e6/0xfc0 ? __pfx_worker_thread+0x10/0x10 kthread+0x2c3/0x3a0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 3661: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 btrfs_encoded_read_regular_fill_pages+0x16c/0x6d0 [btrfs] send_extent_data+0xf0f/0x24a0 [btrfs] process_extent+0x48a/0x1830 [btrfs] changed_cb+0x178b/0x2ea0 [btrfs] btrfs_ioctl_send+0x3bf9/0x5c20 [btrfs] _btrfs_ioctl_send+0x117/0x330 [btrfs] btrfs_ioctl+0x184a/0x60a0 [btrfs] __x64_sys_ioctl+0x12e/0x1a0 do_syscall_64+0x95/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 3661: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 __kasan_slab_free+0x4f/0x70 kfree+0x143/0x490 btrfs_encoded_read_regular_fill_pages+0x531/0x6d0 [btrfs] send_extent_data+0xf0f/0x24a0 [btrfs] process_extent+0x48a/0x1830 [btrfs] changed_cb+0x178b/0x2ea0 [btrfs] btrfs_ioctl_send+0x3bf9/0x5c20 [btrfs] _btrfs_ioctl_send+0x117/0x330 [btrfs] btrfs_ioctl+0x184a/0x60a0 [btrfs] __x64_sys_ioctl+0x12e/0x1a0 do_syscall_64+0x95/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e The buggy address belongs to the object at ffff888106a83f00 which belongs to the cache kmalloc-rnd-07-96 of size 96 The buggy address is located 24 bytes inside of freed 96-byte region [ffff888106a83f00, ffff888106a83f60) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888106a83800 pfn:0x106a83 flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff) page_type: f5(slab) raw: 0017ffffc0000000 ffff888100053680 ffffea0004917200 0000000000000004 raw: ffff888106a83800 0000000080200019 00000001f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888106a83e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff888106a83e80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc >ffff888106a83f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff888106a83f80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff888106a84000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== Further analyzing the trace and the crash dump's vmcore file shows that the wake_up() call in btrfs_encoded_read_endio() is calling wake_up() on the wait_queue that is in the private data passed to the end_io handler. Commit 4ff47df40447 ("btrfs: move priv off stack in btrfs_encoded_read_regular_fill_pages()") moved 'struct btrfs_encoded_read_private' off the stack. Before that commit one can see a corruption of the private data when analyzing the vmcore after a crash: *(struct btrfs_encoded_read_private *)0xffff88815626eec8 = { .wait = (wait_queue_head_t){ .lock = (spinlock_t){ .rlock = (struct raw_spinlock){ .raw_lock = (arch_spinlock_t){ .val = (atomic_t){ .counter = (int)-2005885696, }, .locked = (u8)0, .pending = (u8)157, .locked_pending = (u16)40192, .tail = (u16)34928, }, .magic = (unsigned int)536325682, .owner_cpu = (unsigned int)29, .owner = (void *)__SCT__tp_func_btrfs_transaction_commit+0x0 = 0x0, .dep_map = (struct lockdep_map){ .key = (struct lock_class_key *)0xffff8881575a3b6c, .class_cache = (struct lock_class *[2]){ 0xffff8882a71985c0, 0xffffea00066f5d40 }, .name = (const char *)0xffff88815626f100 = "", .wait_type_outer = (u8)37, .wait_type_inner = (u8)178, .lock_type = (u8)154, }, }, .__padding = (u8 [24]){ 0, 157, 112, 136, 50, 174, 247, 31, 29 }, .dep_map = (struct lockdep_map){ .key = (struct lock_class_key *)0xffff8881575a3b6c, .class_cache = (struct lock_class *[2]){ 0xffff8882a71985c0, 0xffffea00066f5d40 }, .name = (const char *)0xffff88815626f100 = "", .wait_type_outer = (u8)37, .wait_type_inner = (u8)178, .lock_type = (u8)154, }, }, .head = (struct list_head){ .next = (struct list_head *)0x112cca, .prev = (struct list_head *)0x47, }, }, .pending = (atomic_t){ .counter = (int)-1491499288, }, .status = (blk_status_t)130, } Here we can see several indicators of in-memory data corruption, e.g. the large negative atomic values of ->pending or ->wait->lock->rlock->raw_lock->val, as well as the bogus spinlock magic 0x1ff7ae32 (decimal 536325682 above) instead of 0xdead4ead or the bogus pointer values for ->wait->head. To fix this, change atomic_dec_return() to atomic_dec_and_test() to fix the corruption, as atomic_dec_return() is defined as two instructions on x86_64, whereas atomic_dec_and_test() is defined as a single atomic operation. This can lead to a situation where counter value is already decremented but the if statement in btrfs_encoded_read_endio() is not completely processed, i.e. the 0 test has not completed. If another thread continues executing btrfs_encoded_read_regular_fill_pages() the atomic_dec_return() there can see an already updated ->pending counter and continues by freeing the private data. Continuing in the endio handler the test for 0 succeeds and the wait_queue is woken up, resulting in a use-after-free. Reported-by: Shinichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> Suggested-by: Damien Le Moal <Damien.LeMoal(a)wdc.com> Fixes: 1881fba89bd5 ("btrfs: add BTRFS_IOC_ENCODED_READ ioctl") CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Alva Lan <alvalan9(a)foxmail.com> --- fs/btrfs/inode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index d6767f728c07..eb9319d856f2 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -9972,7 +9972,7 @@ static void btrfs_encoded_read_endio(struct btrfs_bio *bbio) */ WRITE_ONCE(priv->status, bbio->bio.bi_status); } - if (!atomic_dec_return(&priv->pending)) + if (atomic_dec_and_test(&priv->pending)) wake_up(&priv->wait); bio_put(&bbio->bio); } -- 2.43.0

5 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] pmdomain: core: add dummy release function to genpd device" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x f64f610ec6ab59dd0391b03842cea3a4cd8ee34f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010307-papaya-expenses-89a5@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f64f610ec6ab59dd0391b03842cea3a4cd8ee34f Mon Sep 17 00:00:00 2001 From: Lucas Stach <l.stach(a)pengutronix.de> Date: Wed, 18 Dec 2024 19:44:33 +0100 Subject: [PATCH] pmdomain: core: add dummy release function to genpd device The genpd device, which is really only used as a handle to lookup OPP, but not even registered to the device core otherwise and thus lifetime linked to the genpd struct it is contained in, is missing a release function. After b8f7bbd1f4ec ("pmdomain: core: Add missing put_device()") the device will be cleaned up going through the driver core device_release() function, which will warn when no release callback is present for the device. Add a dummy release function to shut up the warning. Signed-off-by: Lucas Stach <l.stach(a)pengutronix.de> Tested-by: Luca Ceresoli <luca.ceresoli(a)bootlin.com> Fixes: b8f7bbd1f4ec ("pmdomain: core: Add missing put_device()") Cc: stable(a)vger.kernel.org Message-ID: <20241218184433.1930532-1-l.stach(a)pengutronix.de> Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/core.c b/drivers/pmdomain/core.c index bb11f467dc78..20a9efebbcb7 100644 --- a/drivers/pmdomain/core.c +++ b/drivers/pmdomain/core.c @@ -2142,6 +2142,11 @@ static int genpd_set_default_power_state(struct generic_pm_domain *genpd) return 0; } +static void genpd_provider_release(struct device *dev) +{ + /* nothing to be done here */ +} + static int genpd_alloc_data(struct generic_pm_domain *genpd) { struct genpd_governor_data *gd = NULL; @@ -2173,6 +2178,7 @@ static int genpd_alloc_data(struct generic_pm_domain *genpd) genpd->gd = gd; device_initialize(&genpd->dev); + genpd->dev.release = genpd_provider_release; if (!genpd_is_dev_name_fw(genpd)) { dev_set_name(&genpd->dev, "%s", genpd->name);

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] pmdomain: core: add dummy release function to genpd device" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x f64f610ec6ab59dd0391b03842cea3a4cd8ee34f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010306-chooser-varmint-6746@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f64f610ec6ab59dd0391b03842cea3a4cd8ee34f Mon Sep 17 00:00:00 2001 From: Lucas Stach <l.stach(a)pengutronix.de> Date: Wed, 18 Dec 2024 19:44:33 +0100 Subject: [PATCH] pmdomain: core: add dummy release function to genpd device The genpd device, which is really only used as a handle to lookup OPP, but not even registered to the device core otherwise and thus lifetime linked to the genpd struct it is contained in, is missing a release function. After b8f7bbd1f4ec ("pmdomain: core: Add missing put_device()") the device will be cleaned up going through the driver core device_release() function, which will warn when no release callback is present for the device. Add a dummy release function to shut up the warning. Signed-off-by: Lucas Stach <l.stach(a)pengutronix.de> Tested-by: Luca Ceresoli <luca.ceresoli(a)bootlin.com> Fixes: b8f7bbd1f4ec ("pmdomain: core: Add missing put_device()") Cc: stable(a)vger.kernel.org Message-ID: <20241218184433.1930532-1-l.stach(a)pengutronix.de> Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/core.c b/drivers/pmdomain/core.c index bb11f467dc78..20a9efebbcb7 100644 --- a/drivers/pmdomain/core.c +++ b/drivers/pmdomain/core.c @@ -2142,6 +2142,11 @@ static int genpd_set_default_power_state(struct generic_pm_domain *genpd) return 0; } +static void genpd_provider_release(struct device *dev) +{ + /* nothing to be done here */ +} + static int genpd_alloc_data(struct generic_pm_domain *genpd) { struct genpd_governor_data *gd = NULL; @@ -2173,6 +2178,7 @@ static int genpd_alloc_data(struct generic_pm_domain *genpd) genpd->gd = gd; device_initialize(&genpd->dev); + genpd->dev.release = genpd_provider_release; if (!genpd_is_dev_name_fw(genpd)) { dev_set_name(&genpd->dev, "%s", genpd->name);

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] pmdomain: imx: gpcv2: fix an OF node reference leak in" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 469c0682e03d67d8dc970ecaa70c2d753057c7c0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010323-relatable-curliness-4865@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 469c0682e03d67d8dc970ecaa70c2d753057c7c0 Mon Sep 17 00:00:00 2001 From: Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> Date: Sun, 15 Dec 2024 12:01:59 +0900 Subject: [PATCH] pmdomain: imx: gpcv2: fix an OF node reference leak in imx_gpcv2_probe() imx_gpcv2_probe() leaks an OF node reference obtained by of_get_child_by_name(). Fix it by declaring the device node with the __free(device_node) cleanup construct. This bug was found by an experimental static analysis tool that I am developing. Fixes: 03aa12629fc4 ("soc: imx: Add GPCv2 power gating driver") Signed-off-by: Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> Cc: stable(a)vger.kernel.org Message-ID: <20241215030159.1526624-1-joe(a)pf.is.s.u-tokyo.ac.jp> Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/imx/gpcv2.c b/drivers/pmdomain/imx/gpcv2.c index e67ecf99ef84..9bdb80fd7210 100644 --- a/drivers/pmdomain/imx/gpcv2.c +++ b/drivers/pmdomain/imx/gpcv2.c @@ -1458,12 +1458,12 @@ static int imx_gpcv2_probe(struct platform_device *pdev) .max_register = SZ_4K, }; struct device *dev = &pdev->dev; - struct device_node *pgc_np; + struct device_node *pgc_np __free(device_node) = + of_get_child_by_name(dev->of_node, "pgc"); struct regmap *regmap; void __iomem *base; int ret; - pgc_np = of_get_child_by_name(dev->of_node, "pgc"); if (!pgc_np) { dev_err(dev, "No power domains specified in DT\n"); return -EINVAL;

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] pmdomain: imx: gpcv2: fix an OF node reference leak in" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 469c0682e03d67d8dc970ecaa70c2d753057c7c0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010322-dubiously-ninja-027d@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 469c0682e03d67d8dc970ecaa70c2d753057c7c0 Mon Sep 17 00:00:00 2001 From: Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> Date: Sun, 15 Dec 2024 12:01:59 +0900 Subject: [PATCH] pmdomain: imx: gpcv2: fix an OF node reference leak in imx_gpcv2_probe() imx_gpcv2_probe() leaks an OF node reference obtained by of_get_child_by_name(). Fix it by declaring the device node with the __free(device_node) cleanup construct. This bug was found by an experimental static analysis tool that I am developing. Fixes: 03aa12629fc4 ("soc: imx: Add GPCv2 power gating driver") Signed-off-by: Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> Cc: stable(a)vger.kernel.org Message-ID: <20241215030159.1526624-1-joe(a)pf.is.s.u-tokyo.ac.jp> Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/imx/gpcv2.c b/drivers/pmdomain/imx/gpcv2.c index e67ecf99ef84..9bdb80fd7210 100644 --- a/drivers/pmdomain/imx/gpcv2.c +++ b/drivers/pmdomain/imx/gpcv2.c @@ -1458,12 +1458,12 @@ static int imx_gpcv2_probe(struct platform_device *pdev) .max_register = SZ_4K, }; struct device *dev = &pdev->dev; - struct device_node *pgc_np; + struct device_node *pgc_np __free(device_node) = + of_get_child_by_name(dev->of_node, "pgc"); struct regmap *regmap; void __iomem *base; int ret; - pgc_np = of_get_child_by_name(dev->of_node, "pgc"); if (!pgc_np) { dev_err(dev, "No power domains specified in DT\n"); return -EINVAL;

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] pmdomain: imx: gpcv2: fix an OF node reference leak in" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 469c0682e03d67d8dc970ecaa70c2d753057c7c0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010322-villain-exes-fff1@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 469c0682e03d67d8dc970ecaa70c2d753057c7c0 Mon Sep 17 00:00:00 2001 From: Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> Date: Sun, 15 Dec 2024 12:01:59 +0900 Subject: [PATCH] pmdomain: imx: gpcv2: fix an OF node reference leak in imx_gpcv2_probe() imx_gpcv2_probe() leaks an OF node reference obtained by of_get_child_by_name(). Fix it by declaring the device node with the __free(device_node) cleanup construct. This bug was found by an experimental static analysis tool that I am developing. Fixes: 03aa12629fc4 ("soc: imx: Add GPCv2 power gating driver") Signed-off-by: Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> Cc: stable(a)vger.kernel.org Message-ID: <20241215030159.1526624-1-joe(a)pf.is.s.u-tokyo.ac.jp> Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/imx/gpcv2.c b/drivers/pmdomain/imx/gpcv2.c index e67ecf99ef84..9bdb80fd7210 100644 --- a/drivers/pmdomain/imx/gpcv2.c +++ b/drivers/pmdomain/imx/gpcv2.c @@ -1458,12 +1458,12 @@ static int imx_gpcv2_probe(struct platform_device *pdev) .max_register = SZ_4K, }; struct device *dev = &pdev->dev; - struct device_node *pgc_np; + struct device_node *pgc_np __free(device_node) = + of_get_child_by_name(dev->of_node, "pgc"); struct regmap *regmap; void __iomem *base; int ret; - pgc_np = of_get_child_by_name(dev->of_node, "pgc"); if (!pgc_np) { dev_err(dev, "No power domains specified in DT\n"); return -EINVAL;

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] pmdomain: imx: gpcv2: fix an OF node reference leak in" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 469c0682e03d67d8dc970ecaa70c2d753057c7c0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010321-bacteria-pebbly-7249@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 469c0682e03d67d8dc970ecaa70c2d753057c7c0 Mon Sep 17 00:00:00 2001 From: Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> Date: Sun, 15 Dec 2024 12:01:59 +0900 Subject: [PATCH] pmdomain: imx: gpcv2: fix an OF node reference leak in imx_gpcv2_probe() imx_gpcv2_probe() leaks an OF node reference obtained by of_get_child_by_name(). Fix it by declaring the device node with the __free(device_node) cleanup construct. This bug was found by an experimental static analysis tool that I am developing. Fixes: 03aa12629fc4 ("soc: imx: Add GPCv2 power gating driver") Signed-off-by: Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> Cc: stable(a)vger.kernel.org Message-ID: <20241215030159.1526624-1-joe(a)pf.is.s.u-tokyo.ac.jp> Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/imx/gpcv2.c b/drivers/pmdomain/imx/gpcv2.c index e67ecf99ef84..9bdb80fd7210 100644 --- a/drivers/pmdomain/imx/gpcv2.c +++ b/drivers/pmdomain/imx/gpcv2.c @@ -1458,12 +1458,12 @@ static int imx_gpcv2_probe(struct platform_device *pdev) .max_register = SZ_4K, }; struct device *dev = &pdev->dev; - struct device_node *pgc_np; + struct device_node *pgc_np __free(device_node) = + of_get_child_by_name(dev->of_node, "pgc"); struct regmap *regmap; void __iomem *base; int ret; - pgc_np = of_get_child_by_name(dev->of_node, "pgc"); if (!pgc_np) { dev_err(dev, "No power domains specified in DT\n"); return -EINVAL;

5 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] pmdomain: imx: gpcv2: fix an OF node reference leak in" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 469c0682e03d67d8dc970ecaa70c2d753057c7c0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010321-pampers-glazing-2689@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 469c0682e03d67d8dc970ecaa70c2d753057c7c0 Mon Sep 17 00:00:00 2001 From: Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> Date: Sun, 15 Dec 2024 12:01:59 +0900 Subject: [PATCH] pmdomain: imx: gpcv2: fix an OF node reference leak in imx_gpcv2_probe() imx_gpcv2_probe() leaks an OF node reference obtained by of_get_child_by_name(). Fix it by declaring the device node with the __free(device_node) cleanup construct. This bug was found by an experimental static analysis tool that I am developing. Fixes: 03aa12629fc4 ("soc: imx: Add GPCv2 power gating driver") Signed-off-by: Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> Cc: stable(a)vger.kernel.org Message-ID: <20241215030159.1526624-1-joe(a)pf.is.s.u-tokyo.ac.jp> Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/imx/gpcv2.c b/drivers/pmdomain/imx/gpcv2.c index e67ecf99ef84..9bdb80fd7210 100644 --- a/drivers/pmdomain/imx/gpcv2.c +++ b/drivers/pmdomain/imx/gpcv2.c @@ -1458,12 +1458,12 @@ static int imx_gpcv2_probe(struct platform_device *pdev) .max_register = SZ_4K, }; struct device *dev = &pdev->dev; - struct device_node *pgc_np; + struct device_node *pgc_np __free(device_node) = + of_get_child_by_name(dev->of_node, "pgc"); struct regmap *regmap; void __iomem *base; int ret; - pgc_np = of_get_child_by_name(dev->of_node, "pgc"); if (!pgc_np) { dev_err(dev, "No power domains specified in DT\n"); return -EINVAL;

5 months, 2 weeks

1
0
0 0

[PATCH] PCI: endpoint: Fix a double free in __pci_epc_create()

by Ma Ke

The put_device(&epc->dev) call will trigger pci_epc_release() which frees "epc" so the kfree(epc) on the next line is a double free. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 5e8cb4033807 ("PCI: endpoint: Add EP core layer to enable EP controller and EP functions") Signed-off-by: Ma Ke <make_ruc2021(a)163.com> --- drivers/pci/endpoint/pci-epc-core.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/pci/endpoint/pci-epc-core.c b/drivers/pci/endpoint/pci-epc-core.c index 46c9a5c3ca14..652350f054cf 100644 --- a/drivers/pci/endpoint/pci-epc-core.c +++ b/drivers/pci/endpoint/pci-epc-core.c @@ -818,7 +818,6 @@ __pci_epc_create(struct device *dev, const struct pci_epc_ops *ops, put_dev: put_device(&epc->dev); - kfree(epc); err_ret: return ERR_PTR(ret); -- 2.25.1

5 months, 2 weeks

2
1
0 0

[PATCH] usb-storage: Add max sectors quirk for Nokia 208

by Lubomir Rintel

This fixes data corruption when accessing the internal SD card in mass storage mode. I am actually not too sure why. I didn't figure a straightforward way to reproduce the issue, but i seem to get garbage when issuing a lot (over 50) of large reads (over 120 sectors) are done in a quick succession. That is, time seems to matter here -- larger reads are fine if they are done with some delay between them. But I'm not great at understanding this sort of things, so I'll assume the issue other, smarter, folks were seeing with similar phones is the same problem and I'll just put my quirk next to theirs. The "Software details" screen on the phone is as follows: V 04.06 07-08-13 RM-849 (c) Nokia TL;DR version of the device descriptor: idVendor 0x0421 Nokia Mobile Phones idProduct 0x06c2 bcdDevice 4.06 iManufacturer 1 Nokia iProduct 2 Nokia 208 The patch assumes older firmwares are broken too (I'm unable to test, but no biggie if they aren't I guess), and I have no idea if newer firmware exists. Signed-off-by: Lubomir Rintel <lkundrak(a)v3.sk> Cc: <stable(a)vger.kernel.org> --- drivers/usb/storage/unusual_devs.h | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h index e5ad23d86833..54f0b1c83317 100644 --- a/drivers/usb/storage/unusual_devs.h +++ b/drivers/usb/storage/unusual_devs.h @@ -255,6 +255,13 @@ UNUSUAL_DEV( 0x0421, 0x06aa, 0x1110, 0x1110, USB_SC_DEVICE, USB_PR_DEVICE, NULL, US_FL_MAX_SECTORS_64 ), +/* Added by Lubomir Rintel <lkundrak(a)v3.sk>, a very fine chap */ +UNUSUAL_DEV( 0x0421, 0x06c2, 0x0000, 0x0406, + "Nokia", + "Nokia 208", + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_MAX_SECTORS_64 ), + #ifdef NO_SDDR09 UNUSUAL_DEV( 0x0436, 0x0005, 0x0100, 0x0100, "Microtech", -- 2.47.1

5 months, 2 weeks

3
2
0 0

[PATCH v3] USB: core: Disable LPM only for non-suspended ports

by Kai-Heng Feng

There's USB error when tegra board is shutting down: [ 180.919315] usb 2-3: Failed to set U1 timeout to 0x0,error code -113 [ 180.919995] usb 2-3: Failed to set U1 timeout to 0xa,error code -113 [ 180.920512] usb 2-3: Failed to set U2 timeout to 0x4,error code -113 [ 186.157172] tegra-xusb 3610000.usb: xHCI host controller not responding, assume dead [ 186.157858] tegra-xusb 3610000.usb: HC died; cleaning up [ 186.317280] tegra-xusb 3610000.usb: Timeout while waiting for evaluate context command The issue is caused by disabling LPM on already suspended ports. For USB2 LPM, the LPM is already disabled during port suspend. For USB3 LPM, port won't transit to U1/U2 when it's already suspended in U3, hence disabling LPM is only needed for ports that are not suspended. Cc: Wayne Chang <waynec(a)nvidia.com> Cc: stable(a)vger.kernel.org Fixes: d920a2ed8620 ("usb: Disable USB3 LPM at shutdown") Signed-off-by: Kai-Heng Feng <kaihengf(a)nvidia.com> --- v3: Use udev->port_is_suspended which reflects upstream port status v2: Add "Cc: stable(a)vger.kernel.org" drivers/usb/core/port.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/usb/core/port.c b/drivers/usb/core/port.c index e7da2fca11a4..c92fb648a1c4 100644 --- a/drivers/usb/core/port.c +++ b/drivers/usb/core/port.c @@ -452,10 +452,11 @@ static int usb_port_runtime_suspend(struct device *dev) static void usb_port_shutdown(struct device *dev) { struct usb_port *port_dev = to_usb_port(dev); + struct usb_device *udev = port_dev->child; - if (port_dev->child) { - usb_disable_usb2_hardware_lpm(port_dev->child); - usb_unlocked_disable_lpm(port_dev->child); + if (udev && !udev->port_is_suspended) { + usb_disable_usb2_hardware_lpm(udev); + usb_unlocked_disable_lpm(udev); } } -- 2.47.0

5 months, 2 weeks

4
4
0 0

[PATCH 5.4~6.6] MIPS: Probe toolchain support of -msym32

by WangYuli

From: Jiaxun Yang <jiaxun.yang(a)flygoat.com> [ Upstream commit 18ca63a2e23c5e170d2d7552b64b1f5ad019cd9b ] msym32 is not supported by LLVM toolchain. Workaround by probe toolchain support of msym32 for KBUILD_SYM32 feature. Link: https://github.com/ClangBuiltLinux/linux/issues/1544 Signed-off-by: Jiaxun Yang <jiaxun.yang(a)flygoat.com> Signed-off-by: Thomas Bogendoerfer <tsbogend(a)alpha.franken.de> Signed-off-by: WangYuli <wangyuli(a)uniontech.com> --- arch/mips/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/mips/Makefile b/arch/mips/Makefile index f49807e1f19b..0888074f4dfe 100644 --- a/arch/mips/Makefile +++ b/arch/mips/Makefile @@ -299,7 +299,7 @@ drivers-$(CONFIG_PCI) += arch/mips/pci/ ifdef CONFIG_64BIT ifndef KBUILD_SYM32 ifeq ($(shell expr $(load-y) \< 0xffffffff80000000), 0) - KBUILD_SYM32 = y + KBUILD_SYM32 = $(call cc-option-yn, -msym32) endif endif -- 2.47.1

5 months, 2 weeks

3
5
0 0

[PATCH net 0/3] mptcp: rx path fixes

by Matthieu Baerts (NGI0)

Here are 3 different fixes, all related to the MPTCP receive buffer: - Patch 1: fix receive buffer space when recvmsg() blocks after receiving some data. For a fix introduced in v6.12, backported to v6.1. - Patch 2: mptcp_cleanup_rbuf() can be called when no data has been copied. For 5.11. - Patch 3: prevent excessive coalescing on receive, which can affect the throughput badly. It looks better to wait a bit before backporting this one to stable versions, to get more results. For 5.10. Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Please note that there is no urgency here as well: this can of course be sent to Linus next year! Enjoy this holiday period! --- Paolo Abeni (3): mptcp: fix recvbuffer adjust on sleeping rcvmsg mptcp: don't always assume copied data in mptcp_cleanup_rbuf() mptcp: prevent excessive coalescing on receive net/mptcp/protocol.c | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) --- base-commit: a024e377efed31ecfb39210bed562932321345b3 change-id: 20241230-net-mptcp-rbuf-fixes-74526e59d951 Best regards, -- Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

5 months, 2 weeks

2
4
0 0

FAILED: patch "[PATCH] selinux: ignore unknown extended permissions" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 900f83cf376bdaf798b6f5dcb2eae0c822e908b6 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024122319-risk-starlit-ce4a@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 900f83cf376bdaf798b6f5dcb2eae0c822e908b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= <tweek(a)google.com> Date: Thu, 5 Dec 2024 12:09:19 +1100 Subject: [PATCH] selinux: ignore unknown extended permissions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When evaluating extended permissions, ignore unknown permissions instead of calling BUG(). This commit ensures that future permissions can be added without interfering with older kernels. Cc: stable(a)vger.kernel.org Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls") Signed-off-by: Thiébaud Weksteen <tweek(a)google.com> Signed-off-by: Paul Moore <paul(a)paul-moore.com> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 971c45d576ba..3d5c563cfc4c 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -979,7 +979,10 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd, return; break; default: - BUG(); + pr_warn_once( + "SELinux: unknown extended permission (%u) will be ignored\n", + node->datum.u.xperms->specified); + return; } if (node->key.specified == AVTAB_XPERMS_ALLOWED) { @@ -998,7 +1001,8 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd, &node->datum.u.xperms->perms, xpermd->dontaudit); } else { - BUG(); + pr_warn_once("SELinux: unknown specified key (%u)\n", + node->key.specified); } }

5 months, 2 weeks

3
2
0 0

[for-linus][PATCH 1/2] fgraph: Add READ_ONCE() when accessing fgraph_array[]

by Steven Rostedt

From: Zilin Guan <zilin(a)seu.edu.cn> In __ftrace_return_to_handler(), a loop iterates over the fgraph_array[] elements, which are fgraph_ops. The loop checks if an element is a fgraph_stub to prevent using a fgraph_stub afterward. However, if the compiler reloads fgraph_array[] after this check, it might race with an update to fgraph_array[] that introduces a fgraph_stub. This could result in the stub being processed, but the stub contains a null "func_hash" field, leading to a NULL pointer dereference. To ensure that the gops compared against the fgraph_stub matches the gops processed later, add a READ_ONCE(). A similar patch appears in commit 63a8dfb ("function_graph: Add READ_ONCE() when accessing fgraph_array[]"). Cc:stable@vger.kernel.org Fixes: 37238abe3cb47 ("ftrace/function_graph: Pass fgraph_ops to function graph callbacks") Link: https://lore.kernel.org/20241231113731.277668-1-zilin@seu.edu.cn Signed-off-by: Zilin Guan <zilin(a)seu.edu.cn> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/fgraph.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/trace/fgraph.c b/kernel/trace/fgraph.c index ddedcb50917f..30e3ddc8a8a8 100644 --- a/kernel/trace/fgraph.c +++ b/kernel/trace/fgraph.c @@ -833,7 +833,7 @@ static unsigned long __ftrace_return_to_handler(struct fgraph_ret_regs *ret_regs #endif { for_each_set_bit(i, &bitmap, sizeof(bitmap) * BITS_PER_BYTE) { - struct fgraph_ops *gops = fgraph_array[i]; + struct fgraph_ops *gops = READ_ONCE(fgraph_array[i]); if (gops == &fgraph_stub) continue; -- 2.45.2

5 months, 2 weeks

3
3
0 0

+ fs-proc-do_task_stat-fix-esp-not-readable-during-coredump.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: fs/proc: do_task_stat: fix ESP not readable during coredump has been added to the -mm mm-hotfixes-unstable branch. Its filename is fs-proc-do_task_stat-fix-esp-not-readable-during-coredump.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Nam Cao <namcao(a)linutronix.de> Subject: fs/proc: do_task_stat: fix ESP not readable during coredump Date: Thu, 2 Jan 2025 09:22:56 +0100 The field "eip" (instruction pointer) and "esp" (stack pointer) of a task can be read from /proc/PID/stat. These fields can be interesting for coredump. However, these fields were disabled by commit 0a1eb2d474ed ("fs/proc: Stop reporting eip and esp in /proc/PID/stat"), because it is generally unsafe to do so. But it is safe for a coredumping process, and therefore exceptions were made: - for a coredumping thread by commit fd7d56270b52 ("fs/proc: Report eip/esp in /prod/PID/stat for coredumping"). - for all other threads in a coredumping process by commit cb8f381f1613 ("fs/proc/array.c: allow reporting eip/esp for all coredumping threads"). The above two commits check the PF_DUMPCORE flag to determine a coredump thread and the PF_EXITING flag for the other threads. Unfortunately, commit 92307383082d ("coredump: Don't perform any cleanups before dumping core") moved coredump to happen earlier and before PF_EXITING is set. Thus, checking PF_EXITING is no longer the correct way to determine threads in a coredumping process. Instead of PF_EXITING, use PF_POSTCOREDUMP to determine the other threads. Checking of PF_EXITING was added for coredumping, so it probably can now be removed. But it doesn't hurt to keep. Link: https://lkml.kernel.org/r/d89af63d478d6c64cc46a01420b46fd6eb147d6f.17358057… Fixes: 92307383082d ("coredump: Don't perform any cleanups before dumping core") Signed-off-by: Nam Cao <namcao(a)linutronix.de> Acked-by: Oleg Nesterov <oleg(a)redhat.com> Acked-by: Kees Cook <kees(a)kernel.org> Cc: Eric W. Biederman <ebiederm(a)xmission.com> Cc: Dylan Hatch <dylanbhatch(a)google.com> Cc: John Ogness <john.ogness(a)linutronix.de> Cc: Shuah Khan <shuah(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/array.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/fs/proc/array.c~fs-proc-do_task_stat-fix-esp-not-readable-during-coredump +++ a/fs/proc/array.c @@ -500,7 +500,7 @@ static int do_task_stat(struct seq_file * a program is not able to use ptrace(2) in that case. It is * safe because the task has stopped executing permanently. */ - if (permitted && (task->flags & (PF_EXITING|PF_DUMPCORE))) { + if (permitted && (task->flags & (PF_EXITING|PF_DUMPCORE|PF_POSTCOREDUMP))) { if (try_get_task_stack(task)) { eip = KSTK_EIP(task); esp = KSTK_ESP(task); _ Patches currently in -mm which might be from namcao(a)linutronix.de are fs-proc-do_task_stat-fix-esp-not-readable-during-coredump.patch selftests-coredump-add-stackdump-test.patch

5 months, 2 weeks

1
0
0 0

[PATCH v3 0/4] scsi: ufs: qcom: Suspend fixes

by Manivannan Sadhasivam via B4 Relay

Hi, This series fixes the several suspend issues on Qcom platforms. Patch 1 fixes the resume failure with spm_lvl=5 suspend on most of the Qcom platforms. For this patch, I couldn't figure out the exact commit that caused the issue. So I used the commit that introduced reinit support as a placeholder. Patch 4 fixes the suspend issue on SM8550 and SM8650 platforms where UFS PHY retention is not supported. Hence the default spm_lvl=3 suspend fails. So this patch configures spm_lvl=5 as the default suspend level to force UFSHC/ device powerdown during suspend. This supersedes the previous series [1] that tried to fix the issue in clock drivers. This series is tested on Qcom SM8550 QRD, SM8650 QRD and Qcom RB5 boards. [1] https://lore.kernel.org/linux-arm-msm/20241107-ufs-clk-fix-v1-0-6032ff22a05… Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> --- Changes in v3: - Added a patch that honors the runtime/system PM levels set by host drivers. Otherwise patch 4 doesn't have any effect. This was discovered with SM8650 QRD. - Collected tags - Link to v2: https://lore.kernel.org/r/20241213-ufs-qcom-suspend-fix-v2-0-1de6cd2d6146@l… Changes in v2: - Changed 'ufs_qcom_drvdata::quirks' type to 'enum ufshcd_quirks' - Collected tags - Link to v1: https://lore.kernel.org/r/20241211-ufs-qcom-suspend-fix-v1-0-83ebbde76b1c@l… --- Manivannan Sadhasivam (4): scsi: ufs: qcom: Power off the PHY if it was already powered on in ufs_qcom_power_up_sequence() scsi: ufs: core: Honor runtime/system PM levels if set by host controller drivers scsi: ufs: qcom: Allow passing platform specific OF data scsi: ufs: qcom: Power down the controller/device during system suspend for SM8550/SM8650 SoCs drivers/ufs/core/ufshcd-priv.h | 6 ------ drivers/ufs/core/ufshcd.c | 10 ++++++---- drivers/ufs/host/ufs-qcom.c | 31 +++++++++++++++++++------------ drivers/ufs/host/ufs-qcom.h | 5 +++++ include/ufs/ufshcd.h | 2 -- 5 files changed, 30 insertions(+), 24 deletions(-) --- base-commit: 40384c840ea1944d7c5a392e8975ed088ecf0b37 change-id: 20241211-ufs-qcom-suspend-fix-5618e9c56d93 Best regards, -- Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org>

5 months, 2 weeks

3
4
0 0

+ filemap-avoid-truncating-64-bit-offset-to-32-bits.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: filemap: avoid truncating 64-bit offset to 32 bits has been added to the -mm mm-hotfixes-unstable branch. Its filename is filemap-avoid-truncating-64-bit-offset-to-32-bits.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Marco Nelissen <marco.nelissen(a)gmail.com> Subject: filemap: avoid truncating 64-bit offset to 32 bits Date: Thu, 2 Jan 2025 11:04:11 -0800 On 32-bit kernels, folio_seek_hole_data() was inadvertently truncating a 64-bit value to 32 bits, leading to a possible infinite loop when writing to an xfs filesystem. Link: https://lkml.kernel.org/r/20250102190540.1356838-1-marco.nelissen@gmail.com Fixes: 54fa39ac2e00b ("iomap: use mapping_seek_hole_data") Signed-off-by: Marco Nelissen <marco.nelissen(a)gmail.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/filemap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/filemap.c~filemap-avoid-truncating-64-bit-offset-to-32-bits +++ a/mm/filemap.c @@ -2996,7 +2996,7 @@ static inline loff_t folio_seek_hole_dat if (ops->is_partially_uptodate(folio, offset, bsz) == seek_data) break; - start = (start + bsz) & ~(bsz - 1); + start = (start + bsz) & ~((u64)bsz - 1); offset += bsz; } while (offset < folio_size(folio)); unlock: _ Patches currently in -mm which might be from marco.nelissen(a)gmail.com are filemap-avoid-truncating-64-bit-offset-to-32-bits.patch

5 months, 2 weeks

1
0
0 0

[for-linus][PATCH 2/2] ftrace: Fix function profilers filtering functionality

by Steven Rostedt

From: Kohei Enju <enjuk(a)amazon.com> Commit c132be2c4fcc ("function_graph: Have the instances use their own ftrace_ops for filtering"), function profiler (enabled via function_profile_enabled) has been showing statistics for all functions, ignoring set_ftrace_filter settings. While tracers are instantiated, the function profiler is not. Therefore, it should use the global set_ftrace_filter for consistency. This patch modifies the function profiler to use the global filter, fixing the filtering functionality. Before (filtering not working): ``` root@localhost:~# echo 'vfs*' > /sys/kernel/tracing/set_ftrace_filter root@localhost:~# echo 1 > /sys/kernel/tracing/function_profile_enabled root@localhost:~# sleep 1 root@localhost:~# echo 0 > /sys/kernel/tracing/function_profile_enabled root@localhost:~# head /sys/kernel/tracing/trace_stat/* Function Hit Time Avg s^2 -------- --- ---- --- --- schedule 314 22290594 us 70989.15 us 40372231 us x64_sys_call 1527 8762510 us 5738.382 us 3414354 us schedule_hrtimeout_range 176 8665356 us 49234.98 us 405618876 us __x64_sys_ppoll 324 5656635 us 17458.75 us 19203976 us do_sys_poll 324 5653747 us 17449.83 us 19214945 us schedule_timeout 67 5531396 us 82558.15 us 2136740827 us __x64_sys_pselect6 12 3029540 us 252461.7 us 63296940171 us do_pselect.constprop.0 12 3029532 us 252461.0 us 63296952931 us ``` After (filtering working): ``` root@localhost:~# echo 'vfs*' > /sys/kernel/tracing/set_ftrace_filter root@localhost:~# echo 1 > /sys/kernel/tracing/function_profile_enabled root@localhost:~# sleep 1 root@localhost:~# echo 0 > /sys/kernel/tracing/function_profile_enabled root@localhost:~# head /sys/kernel/tracing/trace_stat/* Function Hit Time Avg s^2 -------- --- ---- --- --- vfs_write 462 68476.43 us 148.217 us 25874.48 us vfs_read 641 9611.356 us 14.994 us 28868.07 us vfs_fstat 890 878.094 us 0.986 us 1.667 us vfs_fstatat 227 757.176 us 3.335 us 18.928 us vfs_statx 226 610.610 us 2.701 us 17.749 us vfs_getattr_nosec 1187 460.919 us 0.388 us 0.326 us vfs_statx_path 297 343.287 us 1.155 us 11.116 us vfs_rename 6 291.575 us 48.595 us 9889.236 us ``` Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/20250101190820.72534-1-enjuk@amazon.com Fixes: c132be2c4fcc ("function_graph: Have the instances use their own ftrace_ops for filtering") Signed-off-by: Kohei Enju <enjuk(a)amazon.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/ftrace.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c index 9b17efb1a87d..2e113f8b13a2 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -902,16 +902,13 @@ static void profile_graph_return(struct ftrace_graph_ret *trace, } static struct fgraph_ops fprofiler_ops = { - .ops = { - .flags = FTRACE_OPS_FL_INITIALIZED, - INIT_OPS_HASH(fprofiler_ops.ops) - }, .entryfunc = &profile_graph_entry, .retfunc = &profile_graph_return, }; static int register_ftrace_profiler(void) { + ftrace_ops_set_global_filter(&fprofiler_ops.ops); return register_ftrace_graph(&fprofiler_ops); } @@ -922,12 +919,11 @@ static void unregister_ftrace_profiler(void) #else static struct ftrace_ops ftrace_profile_ops __read_mostly = { .func = function_profile_call, - .flags = FTRACE_OPS_FL_INITIALIZED, - INIT_OPS_HASH(ftrace_profile_ops) }; static int register_ftrace_profiler(void) { + ftrace_ops_set_global_filter(&ftrace_profile_ops); return register_ftrace_function(&ftrace_profile_ops); } -- 2.45.2

5 months, 2 weeks

1
0
0 0

[PATCH net 2/5] gve: guard XDP xmit NDO on existence of xdp queues

by Praveen Kaligineedi

From: Joshua Washington <joshwash(a)google.com> In GVE, dedicated XDP queues only exist when an XDP program is installed and the interface is up. As such, the NDO XDP XMIT callback should return early if either of these conditions are false. In the case of no loaded XDP program, priv->num_xdp_queues=0 which can cause a divide-by-zero error, and in the case of interface down, num_xdp_queues remains untouched to persist XDP queue count for the next interface up, but the TX pointer itself would be NULL. The XDP xmit callback also needs to synchronize with a device transitioning from open to close. This synchronization will happen via the GVE_PRIV_FLAGS_NAPI_ENABLED bit along with a synchronize_net() call, which waits for any RCU critical sections at call-time to complete. Fixes: 39a7f4aa3e4a ("gve: Add XDP REDIRECT support for GQI-QPL format") Cc: stable(a)vger.kernel.org Signed-off-by: Joshua Washington <joshwash(a)google.com> Signed-off-by: Praveen Kaligineedi <pkaligineedi(a)google.com> Reviewed-by: Praveen Kaligineedi <pkaligineedi(a)google.com> Reviewed-by: Shailend Chand <shailend(a)google.com> Reviewed-by: Willem de Bruijn <willemb(a)google.com> --- drivers/net/ethernet/google/gve/gve_main.c | 3 +++ drivers/net/ethernet/google/gve/gve_tx.c | 5 ++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c index e171ca248f9a..5d7b0cc59959 100644 --- a/drivers/net/ethernet/google/gve/gve_main.c +++ b/drivers/net/ethernet/google/gve/gve_main.c @@ -1899,6 +1899,9 @@ static void gve_turndown(struct gve_priv *priv) gve_clear_napi_enabled(priv); gve_clear_report_stats(priv); + + /* Make sure that all traffic is finished processing. */ + synchronize_net(); } static void gve_turnup(struct gve_priv *priv) diff --git a/drivers/net/ethernet/google/gve/gve_tx.c b/drivers/net/ethernet/google/gve/gve_tx.c index 83ad278ec91f..852f8c7e39d2 100644 --- a/drivers/net/ethernet/google/gve/gve_tx.c +++ b/drivers/net/ethernet/google/gve/gve_tx.c @@ -837,9 +837,12 @@ int gve_xdp_xmit(struct net_device *dev, int n, struct xdp_frame **frames, struct gve_tx_ring *tx; int i, err = 0, qid; - if (unlikely(flags & ~XDP_XMIT_FLAGS_MASK)) + if (unlikely(flags & ~XDP_XMIT_FLAGS_MASK) || !priv->xdp_prog) return -EINVAL; + if (!gve_get_napi_enabled(priv)) + return -ENETDOWN; + qid = gve_xdp_tx_queue_id(priv, smp_processor_id() % priv->num_xdp_queues); -- 2.47.1.613.gc27f4b7a9f-goog

5 months, 2 weeks

3
2
0 0

[REGRESSION] Brightness control does not work after waking up from suspend

by Fernando Ramos

Commit 73dae652dcac776296890da215ee7dec357a1032 (included in 6.13-rc2) was backported to 6.12.5 as 99a02eab82515343d536796aa917dee50aec1551. This causes a problem where brightness control no longer works after waking up from suspend. This is the output of "journalctl -f" when the issue is triggered: > ... > Dec 25 01:37:00 x395 kernel: usb 4-1: reset full-speed USB device number 2 using xhci_hcd > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring gfx uses VM inv eng 0 on hub 0 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring comp_1.0.0 uses VM inv eng 1 on hub 0 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring comp_1.1.0 uses VM inv eng 4 on hub 0 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring comp_1.2.0 uses VM inv eng 5 on hub 0 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring comp_1.3.0 uses VM inv eng 6 on hub 0 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring comp_1.0.1 uses VM inv eng 7 on hub 0 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring comp_1.1.1 uses VM inv eng 8 on hub 0 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring comp_1.2.1 uses VM inv eng 9 on hub 0 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring comp_1.3.1 uses VM inv eng 10 on hub 0 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring kiq_0.2.1.0 uses VM inv eng 11 on hub 0 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring sdma0 uses VM inv eng 0 on hub 8 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring vcn_dec uses VM inv eng 1 on hub 8 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring vcn_enc0 uses VM inv eng 4 on hub 8 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring vcn_enc1 uses VM inv eng 5 on hub 8 > Dec 25 01:37:00 x395 kernel: amdgpu 0000:05:00.0: amdgpu: ring jpeg_dec uses VM inv eng 6 on hub 8 > Dec 25 01:37:00 x395 kernel: irq 7: nobody cared (try booting with the "irqpoll" option) > Dec 25 01:37:00 x395 kernel: CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.7-rc1-gc157915828d8 #7 14cb019df871d9dae96d82113f6abf187f110b68 > Dec 25 01:37:00 x395 kernel: Hardware name: LENOVO 20NLCTO1WW/20NLCTO1WW, BIOS R13ET50W(1.24 ) 06/11/2021 > Dec 25 01:37:00 x395 kernel: Call Trace: > Dec 25 01:37:00 x395 kernel: <IRQ> > Dec 25 01:37:00 x395 kernel: dump_stack_lvl+0x5d/0x80 > Dec 25 01:37:00 x395 kernel: __report_bad_irq+0x35/0xa7 > Dec 25 01:37:00 x395 kernel: note_interrupt.cold+0xa/0x62 > Dec 25 01:37:00 x395 kernel: handle_irq_event+0x6f/0x80 > Dec 25 01:37:00 x395 kernel: handle_fasteoi_irq+0x78/0x200 > Dec 25 01:37:00 x395 kernel: __common_interrupt+0x3e/0x90 > Dec 25 01:37:00 x395 kernel: common_interrupt+0x42/0xa0 > Dec 25 01:37:00 x395 kernel: asm_common_interrupt+0x26/0x40 > Dec 25 01:37:00 x395 kernel: RIP: 0010:tmigr_handle_remote+0x87/0x470 > Dec 25 01:37:00 x395 kernel: Code: 24 04 00 0f 84 ac 00 00 00 48 b9 ff ff ff ff ff ff ff 7f 41 0f b6 54 24 10 48 89 4c 24 38 88 54 24 48 49 8b 44 24 08 8b 40 50 <0f> b6 c4 38 c2 74 0e 3c ff 74 0a 49 8b 44 24 18 48 39 c8 74 76 48 > Dec 25 01:37:00 x395 kernel: RSP: 0018:ffffafe000003ea8 EFLAGS: 00000202 > Dec 25 01:37:00 x395 kernel: RAX: 000000003de00141 RBX: 0000000000000002 RCX: 7fffffffffffffff > Dec 25 01:37:00 x395 kernel: RDX: 0000000000000001 RSI: ffffafe000003ed8 RDI: ffffafe000003f10 > Dec 25 01:37:00 x395 kernel: RBP: 0000000000000101 R08: f1c92dc141c95fb9 R09: 263db225b099c5f2 > Dec 25 01:37:00 x395 kernel: R10: f1c92dc141c95fb9 R11: 263db225b099c5f2 R12: ffff989030a26300 > Dec 25 01:37:00 x395 kernel: R13: 0000000000000001 R14: 0000000000000282 R15: 0000000000000001 > Dec 25 01:37:00 x395 kernel: ? srso_return_thunk+0x5/0x5f > Dec 25 01:37:00 x395 kernel: ? __run_timers+0x1fc/0x280 > Dec 25 01:37:00 x395 kernel: handle_softirqs+0xe4/0x2a0 > Dec 25 01:37:00 x395 kernel: __irq_exit_rcu+0x97/0xb0 > Dec 25 01:37:00 x395 kernel: sysvec_apic_timer_interrupt+0x71/0x90 > Dec 25 01:37:00 x395 kernel: </IRQ> > Dec 25 01:37:00 x395 kernel: <TASK> > Dec 25 01:37:00 x395 kernel: asm_sysvec_apic_timer_interrupt+0x1a/0x20 > Dec 25 01:37:00 x395 kernel: RIP: 0010:tick_nohz_idle_enter+0x59/0x70 > Dec 25 01:37:00 x395 kernel: Code: 02 00 01 83 45 7c 01 e8 05 c9 fe ff 48 89 85 80 00 00 00 48 83 8b 00 62 02 00 04 83 45 7c 01 e8 3d 93 f8 ff fb 0f 1f 44 00 00 <5b> 5d e9 10 d1 c8 00 0f 0b eb c6 66 66 2e 0f 1f 84 00 00 00 00 00 > Dec 25 01:37:00 x395 kernel: RSP: 0018:ffffffffa1c03e68 EFLAGS: 00000282 > Dec 25 01:37:00 x395 kernel: RAX: 0000000874467ae1 RBX: ffff989030a00000 RCX: 0000000874467ae1 > Dec 25 01:37:00 x395 kernel: RDX: 0000000874467ae1 RSI: 0000000000001d53 RDI: 0000000874467ae1 > Dec 25 01:37:00 x395 kernel: RBP: ffff989030a26200 R08: 0000000000000002 R09: 0000000000000000 > Dec 25 01:37:00 x395 kernel: R10: 0000000000000001 R11: 0000000000000000 R12: ffff98903efc9ff4 > Dec 25 01:37:00 x395 kernel: R13: 0000000000000000 R14: ffffffffa1c10038 R15: 00000000aafaf000 > Dec 25 01:37:00 x395 kernel: ? tick_nohz_idle_enter+0x53/0x70 > Dec 25 01:37:00 x395 kernel: do_idle+0x3f/0x210 > Dec 25 01:37:00 x395 kernel: cpu_startup_entry+0x29/0x30 > Dec 25 01:37:00 x395 kernel: rest_init+0xcc/0xd0 > Dec 25 01:37:00 x395 kernel: start_kernel+0x9be/0x9c0 > Dec 25 01:37:00 x395 kernel: x86_64_start_reservations+0x24/0x30 > Dec 25 01:37:00 x395 kernel: x86_64_start_kernel+0x95/0xa0 > Dec 25 01:37:00 x395 kernel: common_startup_64+0x13e/0x141 > Dec 25 01:37:00 x395 kernel: </TASK> > Dec 25 01:37:00 x395 kernel: handlers: > Dec 25 01:37:00 x395 kernel: [<00000000d69cbeca>] amd_gpio_irq_handler > Dec 25 01:37:00 x395 kernel: Disabling IRQ #7 > Dec 25 01:37:00 x395 kernel: usb 4-2: reset high-speed USB device number 3 using xhci_hcd > Dec 25 01:37:01 x395 kernel: usb 4-2.1: reset high-speed USB device number 4 using xhci_hcd > Dec 25 01:37:01 x395 kernel: OOM killer enabled. > Dec 25 01:37:01 x395 kernel: Restarting tasks ... > Dec 25 01:37:01 x395 kernel: usb 4-2.2: USB disconnect, device number 5 > Dec 25 01:37:01 x395 kernel: done. > ... The problem only happens in the stable branch (v6.12.y) and not in the main branch. More specifically: Version Problem present ================================================================= v6.12.5 Yes !! v6.12.5 + revert 99a02eab No v6.12.7-rc1 (c157915828d) Yes !! v6.12.7-rc1 (c157915828d) + revert 99a02eab No v6.13-rc4 No

5 months, 2 weeks

2
2
0 0

[PATCH RFT 6/6] serial: sh-sci: Increment the runtime usage counter for the earlycon device

by Claudiu

From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> In the sh-sci driver, serial ports are mapped to the sci_ports[] array, with earlycon mapped at index zero. The uart_add_one_port() function eventually calls __device_attach(), which, in turn, calls pm_request_idle(). The identified code path is as follows: uart_add_one_port() -> serial_ctrl_register_port() -> serial_core_register_port() -> serial_core_port_device_add() -> serial_base_port_add() -> device_add() -> bus_probe_device() -> device_initial_probe() -> __device_attach() -> // ... if (dev->p->dead) { // ... } else if (dev->driver) { // ... } else { // ... pm_request_idle(dev); // ... } The earlycon device clocks are enabled by the bootloader. However, the pm_request_idle() call in __device_attach() disables the SCI port clocks while earlycon is still active. The earlycon write function, serial_console_write(), calls sci_poll_put_char() via serial_console_putchar(). If the SCI port clocks are disabled, writing to earlycon may sometimes cause the SR.TDFE bit to remain unset indefinitely, causing the while loop in sci_poll_put_char() to never exit. On single-core SoCs, this can result in the system being blocked during boot when this issue occurs. To resolve this, increment the runtime PM usage counter for the earlycon SCI device before registering the UART port. Fixes: 0b0cced19ab1 ("serial: sh-sci: Add CONFIG_SERIAL_EARLYCON support") Cc: stable(a)vger.kernel.org Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> --- drivers/tty/serial/sh-sci.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c index f74eb68774ca..6acdc8588d2d 100644 --- a/drivers/tty/serial/sh-sci.c +++ b/drivers/tty/serial/sh-sci.c @@ -3435,7 +3435,24 @@ static int sci_probe_single(struct platform_device *dev, sciport->port.flags |= UPF_HARD_FLOW; } + /* + * In case: + * - this is the earlycon port (mapped on index 0 in sci_ports[]) and + * - it now maps to an alias other than zero and + * - the earlycon is still alive (e.g., "earlycon keep_bootcon" is + * available in bootargs) + * + * we need to avoid disabling clocks and PM domains through the runtime + * PM APIs called in __device_attach(). For this, increment the runtime + * PM reference counter (the clocks and PM domains were already enabled + * by the bootloader). Otherwise the earlycon may access the HW when it + * has no clocks enabled leading to failures (infinite loop in + * sci_poll_put_char()). + */ + if (sci_ports[0].earlycon && sci_ports[0].port.mapbase == sci_res->start) { + pm_runtime_get_noresume(&dev->dev); + /* * Skip cleanup up the sci_port[0] in early_console_exit(), this * port is the same as the earlycon one. -- 2.39.2

5 months, 2 weeks

3
3
0 0

[PATCH] blk-crypto: Add check for mempool_alloc()

by Haoxiang Li

Add check for the return value of mempool_alloc() to catch the potential exception and avoid null pointer dereference. Fixes: 488f6682c832 ("block: blk-crypto-fallback for Inline Encryption") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> --- block/blk-crypto-fallback.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/block/blk-crypto-fallback.c b/block/blk-crypto-fallback.c index 29a205482617..47acd7a48767 100644 --- a/block/blk-crypto-fallback.c +++ b/block/blk-crypto-fallback.c @@ -514,6 +514,12 @@ bool blk_crypto_fallback_bio_prep(struct bio **bio_ptr) * bi_end_io appropriately to trigger decryption when the bio is ended. */ f_ctx = mempool_alloc(bio_fallback_crypt_ctx_pool, GFP_NOIO); + + if (!f_ctx) { + bio->bi_status = BLK_STS_RESOURCE; + return false; + } + f_ctx->crypt_ctx = *bc; f_ctx->crypt_iter = bio->bi_iter; f_ctx->bi_private_orig = bio->bi_private; -- 2.25.1

5 months, 2 weeks

2
1
0 0

[PATCH] iommu/tegra241-cmdqv: Read SMMU IDR1.CMDQS instead of hardcoding

by Nicolin Chen

The hardware limitation "max=19" actually comes from SMMU Command Queue. So, it'd be more natural for tegra241-cmdqv driver to read it out rather than hardcoding it itself. This is not an issue yet for a kernel on a baremetal system, but a guest kernel setting the queue base/size in form of IPA/gPA might result in a noncontiguous queue in the physical address space, if underlying physical pages backing up the guest RAM aren't contiguous entirely: e.g. 2MB-page backed guest RAM cannot guarantee a contiguous queue if it is 8MB (capped to VCMDQ_LOG2SIZE_MAX=19). This might lead to command errors when HW does linear-read from a noncontiguous queue memory. Adding this extra IDR1.CMDQS cap (in the guest kernel) allows VMM to set SMMU's IDR1.CMDQS=17 for the case mentioned above, so a guest-level queue will be capped to maximum 2MB, ensuring a contiguous queue memory. Fixes: a3799717b881 ("iommu/tegra241-cmdqv: Fix alignment failure at max_n_shift") Reported-by: Ian Kalinowski <ikalinowski(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Nicolin Chen <nicolinc(a)nvidia.com> --- drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c b/drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c index 6e41ddaa24d6..d525ab43a4ae 100644 --- a/drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c +++ b/drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c @@ -79,7 +79,6 @@ #define TEGRA241_VCMDQ_PAGE1(q) (TEGRA241_VCMDQ_PAGE1_BASE + 0x80*(q)) #define VCMDQ_ADDR GENMASK(47, 5) #define VCMDQ_LOG2SIZE GENMASK(4, 0) -#define VCMDQ_LOG2SIZE_MAX 19 #define TEGRA241_VCMDQ_BASE 0x00000 #define TEGRA241_VCMDQ_CONS_INDX_BASE 0x00008 @@ -505,12 +504,15 @@ static int tegra241_vcmdq_alloc_smmu_cmdq(struct tegra241_vcmdq *vcmdq) struct arm_smmu_cmdq *cmdq = &vcmdq->cmdq; struct arm_smmu_queue *q = &cmdq->q; char name[16]; + u32 regval; int ret; snprintf(name, 16, "vcmdq%u", vcmdq->idx); - /* Queue size, capped to ensure natural alignment */ - q->llq.max_n_shift = min_t(u32, CMDQ_MAX_SZ_SHIFT, VCMDQ_LOG2SIZE_MAX); + /* Cap queue size to SMMU's IDR1.CMDQS and ensure natural alignment */ + regval = readl_relaxed(smmu->base + ARM_SMMU_IDR1); + q->llq.max_n_shift = + min_t(u32, CMDQ_MAX_SZ_SHIFT, FIELD_GET(IDR1_CMDQS, regval)); /* Use the common helper to init the VCMDQ, and then... */ ret = arm_smmu_init_one_queue(smmu, q, vcmdq->page0, -- 2.43.0

5 months, 2 weeks

3
2
0 0

[PATCH 6.6.y] f2fs: fix to wait dio completion

by Alva Lan

From: Chao Yu <chao(a)kernel.org> [ Upstream commit 96cfeb0389530ae32ade8a48ae3ae1ac3b6c009d ] It should wait all existing dio write IOs before block removal, otherwise, previous direct write IO may overwrite data in the block which may be reused by other inode. Cc: stable(a)vger.kernel.org Signed-off-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> [ Resolve line conflicts to make it work on 6.6.y ] Signed-off-by: Alva Lan <alvalan9(a)foxmail.com> --- fs/f2fs/file.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c index 196755a34833..ae129044c52f 100644 --- a/fs/f2fs/file.c +++ b/fs/f2fs/file.c @@ -1037,6 +1037,13 @@ int f2fs_setattr(struct mnt_idmap *idmap, struct dentry *dentry, return err; } + /* + * wait for inflight dio, blocks should be removed after + * IO completion. + */ + if (attr->ia_size < old_size) + inode_dio_wait(inode); + f2fs_down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]); filemap_invalidate_lock(inode->i_mapping); @@ -1873,6 +1880,12 @@ static long f2fs_fallocate(struct file *file, int mode, if (ret) goto out; + /* + * wait for inflight dio, blocks should be removed after IO + * completion. + */ + inode_dio_wait(inode); + if (mode & FALLOC_FL_PUNCH_HOLE) { if (offset >= inode->i_size) goto out; -- 2.43.0

5 months, 2 weeks

2
1
0 0

Linux 6.12.8

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.8 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/arch/arm64/silicon-errata.rst | 5 Documentation/devicetree/bindings/sound/realtek,rt5645.yaml | 2 Makefile | 2 arch/arm64/boot/dts/broadcom/bcm2712.dtsi | 8 arch/loongarch/include/asm/inst.h | 12 arch/loongarch/kernel/efi.c | 2 arch/loongarch/kernel/inst.c | 2 arch/loongarch/net/bpf_jit.c | 6 arch/powerpc/platforms/book3s/vas-api.c | 36 ++ arch/x86/events/intel/core.c | 12 arch/x86/events/intel/ds.c | 1 arch/x86/events/intel/uncore.c | 1 arch/x86/kernel/cet.c | 30 ++ block/blk-mq.c | 15 - drivers/acpi/arm64/iort.c | 2 drivers/base/regmap/regmap.c | 4 drivers/block/ublk_drv.c | 26 + drivers/block/virtio_blk.c | 7 drivers/bluetooth/btusb.c | 41 +- drivers/dma/amd/qdma/qdma.c | 28 - drivers/dma/apple-admac.c | 7 drivers/dma/at_xdmac.c | 2 drivers/dma/dw/acpi.c | 6 drivers/dma/dw/internal.h | 8 drivers/dma/dw/pci.c | 4 drivers/dma/fsl-edma-common.h | 1 drivers/dma/fsl-edma-main.c | 41 ++ drivers/dma/ls2x-apb-dma.c | 2 drivers/dma/mv_xor.c | 2 drivers/dma/tegra186-gpc-dma.c | 10 drivers/gpu/drm/display/drm_dp_mst_topology.c | 24 + drivers/gpu/drm/xe/xe_devcoredump.c | 69 ++-- drivers/i2c/busses/i2c-imx.c | 1 drivers/i2c/busses/i2c-microchip-corei2c.c | 122 ++++++-- drivers/media/dvb-frontends/dib3000mb.c | 2 drivers/mtd/nand/raw/arasan-nand-controller.c | 11 drivers/mtd/nand/raw/atmel/pmecc.c | 4 drivers/mtd/nand/raw/diskonchip.c | 2 drivers/net/wireless/intel/iwlwifi/iwl-trans.h | 13 drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 28 + drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 2 drivers/pci/msi/irqdomain.c | 7 drivers/pci/msi/msi.c | 4 drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c | 6 drivers/phy/phy-core.c | 21 - drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 2 drivers/phy/rockchip/phy-rockchip-naneng-combphy.c | 2 drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c | 3 drivers/platform/chrome/cros_ec_lpc.c | 4 drivers/platform/x86/asus-nb-wmi.c | 1 drivers/power/supply/bq24190_charger.c | 12 drivers/power/supply/cros_charge-control.c | 36 +- drivers/power/supply/gpio-charger.c | 8 drivers/scsi/megaraid/megaraid_sas_base.c | 5 drivers/scsi/mpi3mr/mpi3mr.h | 9 drivers/scsi/mpi3mr/mpi3mr_app.c | 36 +- drivers/scsi/mpi3mr/mpi3mr_fw.c | 121 +++----- drivers/scsi/mpi3mr/mpi3mr_os.c | 2 drivers/scsi/mpt3sas/mpt3sas_base.c | 7 drivers/scsi/qla1280.h | 12 drivers/scsi/storvsc_drv.c | 7 drivers/spi/spi-intel-pci.c | 2 drivers/spi/spi-omap2-mcspi.c | 6 drivers/virt/coco/tdx-guest/tdx-guest.c | 4 drivers/watchdog/Kconfig | 1 drivers/watchdog/it87_wdt.c | 39 ++ drivers/watchdog/mtk_wdt.c | 6 drivers/watchdog/rzg2l_wdt.c | 20 + drivers/watchdog/s3c2410_wdt.c | 8 fs/btrfs/ctree.c | 11 fs/btrfs/inode.c | 129 ++++++-- fs/btrfs/qgroup.c | 3 fs/btrfs/relocation.c | 6 fs/btrfs/send.c | 6 fs/btrfs/sysfs.c | 6 fs/ceph/file.c | 2 fs/nfsd/export.c | 31 -- fs/nfsd/export.h | 4 fs/nfsd/nfs4callback.c | 4 fs/smb/client/Kconfig | 1 fs/smb/client/smb2pdu.c | 3 fs/smb/server/smb_common.c | 4 fs/udf/namei.c | 16 + include/linux/platform_data/amd_qdma.h | 2 include/linux/sched.h | 3 include/linux/skmsg.h | 11 include/linux/trace_events.h | 2 include/linux/vmstat.h | 2 include/net/sock.h | 10 include/uapi/linux/stddef.h | 13 io_uring/sqpoll.c | 6 kernel/bpf/verifier.c | 18 - kernel/fork.c | 13 kernel/trace/trace.c | 3 kernel/trace/trace_kprobe.c | 2 net/ceph/osd_client.c | 2 net/core/filter.c | 21 + net/core/skmsg.c | 6 net/ipv4/tcp_bpf.c | 6 sound/core/memalloc.c | 2 sound/core/ump.c | 26 + sound/pci/hda/patch_conexant.c | 28 + sound/sh/sh_dac_audio.c | 5 sound/soc/amd/ps/pci-ps.c | 17 + sound/soc/intel/boards/sof_sdw.c | 23 + sound/soc/sof/intel/hda-dai.c | 25 + sound/soc/sof/intel/hda.h | 2 tools/include/uapi/linux/stddef.h | 15 - tools/objtool/noreturns.h | 1 tools/testing/selftests/bpf/progs/dynptr_fail.c | 22 - tools/testing/selftests/bpf/progs/iters_state_safety.c | 14 tools/testing/selftests/bpf/progs/iters_testmod_seq.c | 4 tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c | 2 tools/testing/selftests/bpf/progs/verifier_bits_iter.c | 4 tools/testing/selftests/bpf/trace_helpers.c | 4 tools/tracing/rtla/src/timerlat_hist.c | 177 ++++++------ 116 files changed, 1166 insertions(+), 545 deletions(-) Aapo Vienamo (1): spi: intel: Add Panther Lake SPI controller support Akhil R (1): dmaengine: tegra: Return correct DMA status when paused Alexander Lobakin (1): stddef: make __struct_group() UAPI C++-friendly Andrea Righi (1): bpf: Fix bpf_get_smp_processor_id() on !CONFIG_SMP Andy Shevchenko (1): dmaengine: dw: Select only supported masters for ACPI devices Armin Wolf (1): platform/x86: asus-nb-wmi: Ignore unknown event 0xCF Bart Van Assche (1): mm/vmstat: fix a W=1 clang compiler warning Bharath SM (1): smb: fix bytes written value in /proc/fs/cifs/Stats Binbin Zhou (1): dmaengine: loongson2-apb: Change GENMASK to GENMASK_ULL Boris Burkov (2): btrfs: check folio mapping after unlock in put_file_data() btrfs: check folio mapping after unlock in relocate_one_folio() Brahmajit Das (1): smb: server: Fix building with GCC 15 Carlos Song (1): i2c: imx: add imx7d compatible string for applying erratum ERR007805 Cathy Avery (1): scsi: storvsc: Do not flag MAINTENANCE_IN return of SRB_STATUS_DATA_OVERRUN as an error Chen Ridong (2): dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset freezer, sched: Report frozen tasks as 'D' instead of 'R' Chen-Yu Tsai (1): ASoC: dt-bindings: realtek,rt5645: Fix CPVDD voltage comment Chris Lu (4): Bluetooth: btusb: mediatek: move Bluetooth power off command position Bluetooth: btusb: mediatek: add callback function in btusb_disconnect Bluetooth: btusb: mediatek: add intf release flow when usb disconnect Bluetooth: btusb: mediatek: change the conditions for ISO interface Christian Göttsche (1): tracing: Constify string literal data member in struct trace_event_call Chukun Pan (1): phy: rockchip: naneng-combphy: fix phy reset Claudiu Beznea (1): watchdog: rzg2l_wdt: Power on the watchdog domain in the restart handler Cong Wang (2): tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress() bpf: Check negative offsets in __bpf_skb_min_len() Conor Dooley (2): i2c: microchip-core: actually use repeated sends i2c: microchip-core: fix "ghost" detections Cristian Ciocaltea (1): phy: rockchip: samsung-hdptx: Set drvdata before enabling runtime PM Dan Carpenter (1): mtd: rawnand: fix double free in atmel_pmecc_create_user() Dimitri Fedrau (1): power: supply: gpio-charger: Fix set charge current limits Dragan Simic (1): smb: client: Deduplicate "select NETFS_SUPPORT" in Kconfig Dustin L. Howett (1): platform/chrome: cros_ec_lpc: fix product identity for early Framework Laptops Emmanuel Grumbach (1): wifi: iwlwifi: be less noisy if the NIC is dead in S3 Fedor Pchelkin (1): ALSA: memalloc: prefer dma_mapping_error() over explicit address checking Filipe Manana (4): btrfs: fix race with memory mapped writes when activating swap file btrfs: avoid monopolizing a core when activating a swap file btrfs: fix swap file activation failure due to extents that used to be shared btrfs: fix use-after-free when COWing tree bock and tracing is enabled Greg Kroah-Hartman (1): Linux 6.12.8 Hans de Goede (1): power: supply: bq24190: Fix BQ24296 Vbus regulator support Haren Myneni (1): powerpc/pseries/vas: Add close() callback in vas_vm_ops struct Huacai Chen (1): LoongArch: Fix reserving screen info memory for above-4G firmware Ilya Dryomov (1): ceph: allocate sparse_ext map only for sparse reads Imre Deak (1): drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() James Hilliard (1): watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04 Jan Kara (2): udf: Skip parent dir link count update if corrupted udf: Verify inode link counts before performing rename Javier Carrasco (1): dmaengine: mv_xor: fix child node refcount handling in early exit Jerome Marchand (1): selftests/bpf: Fix compilation error in get_uprobe_offset() Joe Hattori (1): dmaengine: fsl-edma: implement the cleanup path of fsl_edma3_attach_pd() John Harrison (1): drm/xe: Move the coredump registration to the worker thread Julian Sun (1): btrfs: fix transaction atomicity bug when enabling simple quotas Justin Chen (1): phy: usb: Toggle the PHY power during init Kan Liang (3): perf/x86/intel/uncore: Add Clearwater Forest support perf/x86/intel: Fix bitmask of OCR and FRONTEND events for LNC perf/x86/intel/ds: Add PEBS format 6 Krishna Kurapati (1): phy: qcom-qmp: Fix register name in RX Lane config of SC8280XP Kumar Kartikeya Dwivedi (1): bpf: Zero index arg error string for dynptr and iter Li RongQing (1): virt: tdx-guest: Just leak decrypted memory on unrecoverable errors Lizhi Hou (1): dmaengine: amd: qdma: Remove using the private get and set dma_ops APIs Lizhi Xu (1): tracing: Prevent bad count for tracing_cpumask_write Lorenzo Stoakes (1): fork: avoid inappropriate uprobe access to invalid mm Maciej Andrzejewski (2): mtd: rawnand: arasan: Fix double assertion of chip-select mtd: rawnand: arasan: Fix missing de-registration of NAND Magnus Lindholm (1): scsi: qla1280: Fix hw revision numbering for ISP1020/1040 Mark Brown (1): regmap: Use correct format specifier for logging range errors Masami Hiramatsu (Google) (1): tracing/kprobe: Make trace_kprobe's module callback called after jump_label update Matthew Brost (1): drm/xe: Take PM ref in delayed snapshot capture worker Ming Lei (3): virtio-blk: don't keep queue frozen during system suspend blk-mq: register cpuhp callback after hctx is added to xarray table ublk: detach gendisk from ublk device if add_disk() fails NeilBrown (1): nfsd: restore callback functionality for NFSv4.0 Nikita Zhandarovich (1): media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg Pavel Begunkov (1): io_uring/sqpoll: fix sqpoll error handling races Peter Griffin (1): Revert "watchdog: s3c2410_wdt: use exynos_get_pmu_regmap_by_phandle() for PMU regs" Peter Ujfalusi (1): ASoC: SOF: Intel: hda-dai: Do not release the link DMA on STOP Purushothama Siddaiah (1): spi: omap2-mcspi: Fix the IS_ERR() bug for devm_clk_get_optional_enabled() Qinxin Xia (1): ACPI/IORT: Add PMCG platform information for HiSilicon HIP09A Qu Wenruo (1): btrfs: sysfs: fix direct super block member reads Ranjan Kumar (5): scsi: mpt3sas: Diag-Reset when Doorbell-In-Use bit is set during driver load time scsi: mpi3mr: Synchronize access to ioctl data buffer scsi: mpi3mr: Fix corrupt config pages PHY state is switched in sysfs scsi: mpi3mr: Start controller indexing from 0 scsi: mpi3mr: Handling of fault code for insufficient power Richard Fitzgerald (2): ASoC: Intel: sof_sdw: Fix DMI match for Lenovo 21QA and 21QB ASoC: Intel: sof_sdw: Fix DMI match for Lenovo 21Q6 and 21Q7 Sasha Finkelstein (1): dmaengine: apple-admac: Avoid accessing registers in probe Takashi Iwai (6): ALSA: ump: Don't open legacy substream for an inactive group ALSA: ump: Indicate the inactive group in legacy substream names ALSA: ump: Update legacy substream names upon FB info update ALSA: sh: Use standard helper for buffer accesses ALSA: ump: Shut up truncated string warning ALSA: sh: Fix wrong argument order for copy_from_iter() Thomas Gleixner (1): PCI/MSI: Handle lack of irqdomain gracefully Thomas Weißschuh (3): power: supply: cros_charge-control: add mutex for driver data power: supply: cros_charge-control: allow start_threshold == end_threshold power: supply: cros_charge-control: hide start threshold on v2 cmd Tiezhu Yang (1): LoongArch: BPF: Adjust the parameter of emit_jirl() Tomas Glozar (1): rtla/timerlat: Fix histogram ALL for zero samples Tomas Henzl (1): scsi: megaraid_sas: Fix for a potential deadlock Venkata Prasad Potturu (1): ASoC: amd: ps: Fix for enabling DMIC on acp63 platform via _DSD entry Willow Cunningham (1): arm64: dts: broadcom: Fix L2 linesize for Raspberry Pi 5 Xin Li (Intel) (1): x86/fred: Clear WFE in missing-ENDBRANCH #CPs Yang Erkun (1): nfsd: Revert "nfsd: release svc_expkey/svc_export with rcu_work" Yassine Oudjana (1): watchdog: mediatek: Add support for MT6735 TOPRGU/WDT Zichen Xie (1): mtd: diskonchip: Cast an operand to prevent potential overflow Zijian Zhang (1): tcp_bpf: Add sk_rmem_alloc related logic for tcp_bpf ingress redirection Zijun Hu (5): phy: core: Fix an OF node refcount leakage in _of_phy_get() phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup() phy: core: Fix that API devm_phy_put() fails to release the phy phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider phy: core: Fix that API devm_phy_destroy() fails to destroy the phy bo liu (1): ALSA: hda/conexant: fix Z60MR100 startup pop issue chenchangcheng (1): objtool: Add bch2_trans_unlocked_error() to bcachefs noreturns

5 months, 2 weeks

1
1
0 0

Linux 6.6.69

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.69 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/loongarch/include/asm/inst.h | 12 + arch/loongarch/kernel/efi.c | 2 arch/loongarch/kernel/inst.c | 2 arch/loongarch/net/bpf_jit.c | 6 arch/mips/Makefile | 2 arch/mips/include/asm/mipsregs.h | 13 + arch/powerpc/platforms/book3s/vas-api.c | 36 +++++ arch/x86/include/asm/intel-family.h | 87 ++++++++++++ arch/x86/include/asm/processor.h | 20 ++ arch/x86/kernel/cpu/intel.c | 118 ++++++++--------- arch/x86/kernel/cpu/match.c | 3 block/blk-mq.c | 119 +++++++++++++++-- drivers/base/power/domain.c | 1 drivers/base/regmap/regmap.c | 4 drivers/block/virtio_blk.c | 7 - drivers/dma/apple-admac.c | 7 - drivers/dma/at_xdmac.c | 2 drivers/dma/dw/acpi.c | 6 drivers/dma/dw/internal.h | 8 + drivers/dma/dw/pci.c | 4 drivers/dma/fsl-edma-common.h | 1 drivers/dma/fsl-edma-main.c | 41 +++++- drivers/dma/mv_xor.c | 2 drivers/dma/tegra186-gpc-dma.c | 10 + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 22 --- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 2 drivers/gpu/drm/amd/amdgpu/hdp_v4_0.c | 14 +- drivers/gpu/drm/amd/amdgpu/hdp_v5_0.c | 9 - drivers/gpu/drm/amd/amdgpu/hdp_v6_0.c | 8 - drivers/gpu/drm/amd/amdkfd/kfd_crat.c | 28 ++-- drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 15 ++ drivers/gpu/drm/amd/amdkfd/kfd_flat_memory.c | 3 drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.c | 21 +-- drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c | 32 ++-- drivers/gpu/drm/amd/amdkfd/kfd_packet_manager.c | 63 ++++++--- drivers/gpu/drm/amd/amdkfd/kfd_process.c | 43 ++---- drivers/gpu/drm/amd/amdkfd/kfd_topology.c | 44 ++---- drivers/gpu/drm/amd/include/kgd_kfd_interface.h | 14 -- drivers/gpu/drm/display/drm_dp_mst_topology.c | 24 ++- drivers/i2c/busses/i2c-imx.c | 1 drivers/i2c/busses/i2c-microchip-corei2c.c | 122 +++++++++++++----- drivers/media/dvb-frontends/dib3000mb.c | 2 drivers/mtd/nand/raw/arasan-nand-controller.c | 11 + drivers/mtd/nand/raw/atmel/pmecc.c | 4 drivers/mtd/nand/raw/diskonchip.c | 2 drivers/pci/msi/irqdomain.c | 7 - drivers/pci/msi/msi.c | 4 drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c | 6 drivers/phy/phy-core.c | 21 +-- drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 2 drivers/phy/rockchip/phy-rockchip-naneng-combphy.c | 2 drivers/platform/x86/asus-nb-wmi.c | 1 drivers/power/supply/gpio-charger.c | 8 + drivers/scsi/megaraid/megaraid_sas_base.c | 5 drivers/scsi/mpt3sas/mpt3sas_base.c | 7 - drivers/scsi/qla1280.h | 12 - drivers/scsi/storvsc_drv.c | 7 - drivers/spi/spi-intel-pci.c | 2 drivers/spi/spi-omap2-mcspi.c | 6 drivers/watchdog/it87_wdt.c | 39 +++++ drivers/watchdog/mtk_wdt.c | 6 fs/btrfs/inode.c | 2 fs/btrfs/sysfs.c | 6 fs/ceph/addr.c | 4 fs/ceph/file.c | 43 +++--- fs/ceph/super.h | 14 ++ fs/nfsd/export.c | 31 ---- fs/nfsd/export.h | 4 fs/nfsd/nfs4callback.c | 4 fs/smb/server/smb_common.c | 4 fs/udf/namei.c | 6 include/linux/ceph/osd_client.h | 7 - include/linux/sched.h | 3 include/linux/sched/task_stack.h | 2 include/linux/skmsg.h | 11 + include/linux/trace_events.h | 2 include/linux/vmstat.h | 2 include/net/sock.h | 10 + include/uapi/linux/stddef.h | 13 + io_uring/sqpoll.c | 6 kernel/trace/trace.c | 3 kernel/trace/trace_kprobe.c | 2 net/ceph/osd_client.c | 2 net/core/filter.c | 21 ++- net/core/skmsg.c | 6 net/ipv4/tcp_bpf.c | 6 sound/pci/hda/patch_conexant.c | 28 ++++ sound/pci/hda/patch_realtek.c | 7 + sound/sh/sh_dac_audio.c | 5 tools/include/uapi/linux/stddef.h | 15 +- 91 files changed, 977 insertions(+), 426 deletions(-) Aapo Vienamo (1): spi: intel: Add Panther Lake SPI controller support Akhil R (1): dmaengine: tegra: Return correct DMA status when paused Alex Deucher (5): drm/amdgpu/hdp4.0: do a posting read when flushing HDP drm/amdgpu/hdp5.0: do a posting read when flushing HDP drm/amdgpu/hdp6.0: do a posting read when flushing HDP drm/amdkfd: reduce stack size in kfd_topology_add_device() drm/amdkfd: drop struct kfd_cu_info Alexander Lobakin (1): stddef: make __struct_group() UAPI C++-friendly Andrew Cooper (1): x86/cpu/intel: Drop stray FAM6 check with new Intel CPU model defines Andy Shevchenko (1): dmaengine: dw: Select only supported masters for ACPI devices Armin Wolf (1): platform/x86: asus-nb-wmi: Ignore unknown event 0xCF Bart Van Assche (1): mm/vmstat: fix a W=1 clang compiler warning Brahmajit Das (1): smb: server: Fix building with GCC 15 Carlos Song (1): i2c: imx: add imx7d compatible string for applying erratum ERR007805 Cathy Avery (1): scsi: storvsc: Do not flag MAINTENANCE_IN return of SRB_STATUS_DATA_OVERRUN as an error Chen Ridong (2): dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset freezer, sched: Report frozen tasks as 'D' instead of 'R' Chris Chiu (1): ALSA: hda/realtek: fix micmute LEDs don't work on HP Laptops Christian Göttsche (1): tracing: Constify string literal data member in struct trace_event_call Chukun Pan (1): phy: rockchip: naneng-combphy: fix phy reset Colin Ian King (1): ALSA: hda/realtek: Fix spelling mistake "Firelfy" -> "Firefly" Cong Wang (2): tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress() bpf: Check negative offsets in __bpf_skb_min_len() Conor Dooley (2): i2c: microchip-core: actually use repeated sends i2c: microchip-core: fix "ghost" detections Dan Carpenter (1): mtd: rawnand: fix double free in atmel_pmecc_create_user() Dimitri Fedrau (1): power: supply: gpio-charger: Fix set charge current limits Dirk Su (1): ALSA: hda/realtek: fix mute/micmute LEDs don't work for EliteBook X G1i Filipe Manana (1): btrfs: avoid monopolizing a core when activating a swap file Greg Kroah-Hartman (1): Linux 6.6.69 Haren Myneni (1): powerpc/pseries/vas: Add close() callback in vas_vm_ops struct Huacai Chen (1): LoongArch: Fix reserving screen info memory for above-4G firmware Ilya Dryomov (2): ceph: fix memory leak in ceph_direct_read_write() ceph: allocate sparse_ext map only for sparse reads Imre Deak (1): drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() James Hilliard (1): watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04 Jan Kara (1): udf: Skip parent dir link count update if corrupted Javier Carrasco (1): dmaengine: mv_xor: fix child node refcount handling in early exit Jesse.zhang(a)amd.com (1): drm/amdkfd: pause autosuspend when creating pdd Jiaxun Yang (2): MIPS: Probe toolchain support of -msym32 MIPS: mipsregs: Set proper ISA level for virt extensions Joe Hattori (1): dmaengine: fsl-edma: implement the cleanup path of fsl_edma3_attach_pd() Justin Chen (1): phy: usb: Toggle the PHY power during init Krishna Kurapati (1): phy: qcom-qmp: Fix register name in RX Lane config of SC8280XP Len Brown (1): x86/cpu: Add Lunar Lake to list of CPUs with a broken MONITOR implementation Lijo Lazar (1): drm/amdkfd: Use device based logging for errors Lizhi Xu (1): tracing: Prevent bad count for tracing_cpumask_write Maciej Andrzejewski (2): mtd: rawnand: arasan: Fix double assertion of chip-select mtd: rawnand: arasan: Fix missing de-registration of NAND Magnus Lindholm (1): scsi: qla1280: Fix hw revision numbering for ISP1020/1040 Mark Brown (1): regmap: Use correct format specifier for logging range errors Masami Hiramatsu (Google) (1): tracing/kprobe: Make trace_kprobe's module callback called after jump_label update Ming Lei (4): virtio-blk: don't keep queue frozen during system suspend blk-mq: register cpuhp callback after hctx is added to xarray table blk-mq: move cpuhp callback registering out of q->sysfs_lock block: avoid to reuse `hctx` not removed from cpuhp callback list NeilBrown (1): nfsd: restore callback functionality for NFSv4.0 Nikita Zhandarovich (1): media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg Pavel Begunkov (1): io_uring/sqpoll: fix sqpoll error handling races Purushothama Siddaiah (1): spi: omap2-mcspi: Fix the IS_ERR() bug for devm_clk_get_optional_enabled() Qu Wenruo (1): btrfs: sysfs: fix direct super block member reads Qun-Wei Lin (1): sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers Ranjan Kumar (1): scsi: mpt3sas: Diag-Reset when Doorbell-In-Use bit is set during driver load time Sasha Finkelstein (1): dmaengine: apple-admac: Avoid accessing registers in probe Takashi Iwai (2): ALSA: sh: Use standard helper for buffer accesses ALSA: sh: Fix wrong argument order for copy_from_iter() Thomas Gleixner (1): PCI/MSI: Handle lack of irqdomain gracefully Tiezhu Yang (1): LoongArch: BPF: Adjust the parameter of emit_jirl() Tomas Henzl (1): scsi: megaraid_sas: Fix for a potential deadlock Tony Luck (5): x86/cpu: Add model number for Intel Clearwater Forest processor x86/cpu: Add model number for another Intel Arrow Lake mobile processor x86/cpu/vfm: Add/initialize x86_vfm field to struct cpuinfo_x86 x86/cpu/vfm: Update arch/x86/include/asm/intel-family.h x86/cpu/intel: Switch to new Intel CPU model defines Ulf Hansson (1): pmdomain: core: Add missing put_device() Victor Zhao (1): drm/amd/amdgpu: allow use kiq to do hdp flush under sriov Xiubo Li (1): ceph: try to allocate a smaller extent map for sparse read Yang Erkun (1): nfsd: Revert "nfsd: release svc_expkey/svc_export with rcu_work" Yassine Oudjana (1): watchdog: mediatek: Add support for MT6735 TOPRGU/WDT Zichen Xie (1): mtd: diskonchip: Cast an operand to prevent potential overflow Zijian Zhang (1): tcp_bpf: Add sk_rmem_alloc related logic for tcp_bpf ingress redirection Zijun Hu (5): phy: core: Fix an OF node refcount leakage in _of_phy_get() phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup() phy: core: Fix that API devm_phy_put() fails to release the phy phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider phy: core: Fix that API devm_phy_destroy() fails to destroy the phy bo liu (1): ALSA: hda/conexant: fix Z60MR100 startup pop issue

5 months, 2 weeks

1
1
0 0

Linux 6.1.123

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.123 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/mips/Makefile | 2 arch/mips/include/asm/mipsregs.h | 13 +- arch/powerpc/platforms/book3s/vas-api.c | 36 ++++++ block/blk-mq.c | 15 +- drivers/base/power/domain.c | 1 drivers/base/regmap/regmap.c | 4 drivers/block/virtio_blk.c | 7 - drivers/dma/apple-admac.c | 7 - drivers/dma/at_xdmac.c | 2 drivers/dma/dw/acpi.c | 6 - drivers/dma/dw/internal.h | 8 + drivers/dma/dw/pci.c | 4 drivers/dma/mv_xor.c | 2 drivers/dma/tegra186-gpc-dma.c | 10 + drivers/gpu/drm/display/drm_dp_mst_topology.c | 24 +++- drivers/i2c/busses/i2c-imx.c | 1 drivers/i2c/busses/i2c-microchip-corei2c.c | 122 ++++++++++++++++----- drivers/media/dvb-frontends/dib3000mb.c | 2 drivers/mtd/nand/raw/arasan-nand-controller.c | 11 + drivers/mtd/nand/raw/atmel/pmecc.c | 4 drivers/mtd/nand/raw/diskonchip.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c | 6 + drivers/phy/phy-core.c | 21 ++- drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 2 drivers/phy/rockchip/phy-rockchip-naneng-combphy.c | 2 drivers/platform/x86/asus-nb-wmi.c | 1 drivers/power/supply/gpio-charger.c | 8 + drivers/scsi/megaraid/megaraid_sas_base.c | 5 drivers/scsi/mpt3sas/mpt3sas_base.c | 7 + drivers/scsi/qla1280.h | 12 +- drivers/scsi/storvsc_drv.c | 7 + drivers/watchdog/it87_wdt.c | 39 ++++++ fs/btrfs/inode.c | 2 fs/btrfs/sysfs.c | 6 - fs/nfsd/nfs4callback.c | 4 fs/nfsd/nfs4state.c | 2 fs/smb/server/smb_common.c | 4 include/linux/sched.h | 5 include/linux/skmsg.h | 11 + include/linux/trace_events.h | 2 include/linux/vmstat.h | 2 include/net/sock.h | 10 + include/uapi/linux/stddef.h | 13 +- io_uring/sqpoll.c | 6 + kernel/bpf/syscall.c | 13 +- kernel/rcu/tasks.h | 82 ++++---------- kernel/trace/trace.c | 3 kernel/trace/trace_kprobe.c | 2 mm/vmalloc.c | 6 - net/core/filter.c | 21 ++- net/core/skmsg.c | 6 - net/ipv4/tcp_bpf.c | 6 - sound/pci/hda/patch_conexant.c | 28 ++++ sound/pci/hda/patch_realtek.c | 7 + tools/include/uapi/linux/stddef.h | 15 +- 57 files changed, 471 insertions(+), 184 deletions(-) Akhil R (1): dmaengine: tegra: Return correct DMA status when paused Alexander Lobakin (1): stddef: make __struct_group() UAPI C++-friendly Andy Shevchenko (1): dmaengine: dw: Select only supported masters for ACPI devices Armin Wolf (1): platform/x86: asus-nb-wmi: Ignore unknown event 0xCF Bart Van Assche (1): mm/vmstat: fix a W=1 clang compiler warning Brahmajit Das (1): smb: server: Fix building with GCC 15 Carlos Song (1): i2c: imx: add imx7d compatible string for applying erratum ERR007805 Cathy Avery (1): scsi: storvsc: Do not flag MAINTENANCE_IN return of SRB_STATUS_DATA_OVERRUN as an error Chen Ridong (2): dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset freezer, sched: Report frozen tasks as 'D' instead of 'R' Chris Chiu (1): ALSA: hda/realtek: fix micmute LEDs don't work on HP Laptops Christian Göttsche (1): tracing: Constify string literal data member in struct trace_event_call Chukun Pan (1): phy: rockchip: naneng-combphy: fix phy reset Colin Ian King (1): ALSA: hda/realtek: Fix spelling mistake "Firelfy" -> "Firefly" Cong Wang (2): tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress() bpf: Check negative offsets in __bpf_skb_min_len() Conor Dooley (2): i2c: microchip-core: actually use repeated sends i2c: microchip-core: fix "ghost" detections Cosmin Ratiu (1): net/mlx5e: Don't call cleanup on profile rollback failure Dan Carpenter (1): mtd: rawnand: fix double free in atmel_pmecc_create_user() Dimitri Fedrau (1): power: supply: gpio-charger: Fix set charge current limits Dirk Su (1): ALSA: hda/realtek: fix mute/micmute LEDs don't work for EliteBook X G1i Filipe Manana (1): btrfs: avoid monopolizing a core when activating a swap file Greg Kroah-Hartman (2): Revert "rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb()" Linux 6.1.123 Haren Myneni (1): powerpc/pseries/vas: Add close() callback in vas_vm_ops struct Hou Tao (1): bpf: Check validity of link->type in bpf_link_show_fdinfo() Imre Deak (1): drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() James Hilliard (1): watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04 Javier Carrasco (1): dmaengine: mv_xor: fix child node refcount handling in early exit Jiaxun Yang (2): MIPS: Probe toolchain support of -msym32 MIPS: mipsregs: Set proper ISA level for virt extensions Justin Chen (1): phy: usb: Toggle the PHY power during init Krishna Kurapati (1): phy: qcom-qmp: Fix register name in RX Lane config of SC8280XP Lizhi Xu (1): tracing: Prevent bad count for tracing_cpumask_write Maciej Andrzejewski (2): mtd: rawnand: arasan: Fix double assertion of chip-select mtd: rawnand: arasan: Fix missing de-registration of NAND Magnus Lindholm (1): scsi: qla1280: Fix hw revision numbering for ISP1020/1040 Mark Brown (1): regmap: Use correct format specifier for logging range errors Masami Hiramatsu (Google) (1): tracing/kprobe: Make trace_kprobe's module callback called after jump_label update Matthew Wilcox (Oracle) (1): vmalloc: fix accounting with i915 Ming Lei (2): virtio-blk: don't keep queue frozen during system suspend blk-mq: register cpuhp callback after hctx is added to xarray table NeilBrown (2): nfsd: restore callback functionality for NFSv4.0 sched/core: Report correct state for TASK_IDLE | TASK_FREEZABLE Nikita Zhandarovich (1): media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg Pavel Begunkov (1): io_uring/sqpoll: fix sqpoll error handling races Qu Wenruo (1): btrfs: sysfs: fix direct super block member reads Ranjan Kumar (1): scsi: mpt3sas: Diag-Reset when Doorbell-In-Use bit is set during driver load time Sasha Finkelstein (1): dmaengine: apple-admac: Avoid accessing registers in probe Tomas Henzl (1): scsi: megaraid_sas: Fix for a potential deadlock Ulf Hansson (1): pmdomain: core: Add missing put_device() Yang Erkun (1): nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net Zichen Xie (1): mtd: diskonchip: Cast an operand to prevent potential overflow Zijian Zhang (1): tcp_bpf: Add sk_rmem_alloc related logic for tcp_bpf ingress redirection Zijun Hu (5): phy: core: Fix an OF node refcount leakage in _of_phy_get() phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup() phy: core: Fix that API devm_phy_put() fails to release the phy phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider phy: core: Fix that API devm_phy_destroy() fails to destroy the phy bo liu (1): ALSA: hda/conexant: fix Z60MR100 startup pop issue

5 months, 2 weeks

1
1
0 0

[PATCH 6.1 00/60] 6.1.123-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.123 release. There are 60 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 01 Jan 2025 15:41:48 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.123-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.123-rc1 Colin Ian King <colin.i.king(a)gmail.com> ALSA: hda/realtek: Fix spelling mistake "Firelfy" -> "Firefly" Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb()" Yang Erkun <yangerkun(a)huaweicloud.com> nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net Qu Wenruo <wqu(a)suse.com> btrfs: sysfs: fix direct super block member reads Filipe Manana <fdmanana(a)suse.com> btrfs: avoid monopolizing a core when activating a swap file Dimitri Fedrau <dimitri.fedrau(a)liebherr.com> power: supply: gpio-charger: Fix set charge current limits Conor Dooley <conor.dooley(a)microchip.com> i2c: microchip-core: fix "ghost" detections Carlos Song <carlos.song(a)nxp.com> i2c: imx: add imx7d compatible string for applying erratum ERR007805 Conor Dooley <conor.dooley(a)microchip.com> i2c: microchip-core: actually use repeated sends Pavel Begunkov <asml.silence(a)gmail.com> io_uring/sqpoll: fix sqpoll error handling races Lizhi Xu <lizhi.xu(a)windriver.com> tracing: Prevent bad count for tracing_cpumask_write Christian Göttsche <cgzones(a)googlemail.com> tracing: Constify string literal data member in struct trace_event_call Chen Ridong <chenridong(a)huawei.com> freezer, sched: Report frozen tasks as 'D' instead of 'R' NeilBrown <neilb(a)suse.de> sched/core: Report correct state for TASK_IDLE | TASK_FREEZABLE Ulf Hansson <ulf.hansson(a)linaro.org> pmdomain: core: Add missing put_device() Chris Chiu <chris.chiu(a)canonical.com> ALSA: hda/realtek: fix micmute LEDs don't work on HP Laptops Dirk Su <dirk.su(a)canonical.com> ALSA: hda/realtek: fix mute/micmute LEDs don't work for EliteBook X G1i Hou Tao <houtao1(a)huawei.com> bpf: Check validity of link->type in bpf_link_show_fdinfo() Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5e: Don't call cleanup on profile rollback failure Jiaxun Yang <jiaxun.yang(a)flygoat.com> MIPS: mipsregs: Set proper ISA level for virt extensions Jiaxun Yang <jiaxun.yang(a)flygoat.com> MIPS: Probe toolchain support of -msym32 Matthew Wilcox (Oracle) <willy(a)infradead.org> vmalloc: fix accounting with i915 Ming Lei <ming.lei(a)redhat.com> blk-mq: register cpuhp callback after hctx is added to xarray table Ming Lei <ming.lei(a)redhat.com> virtio-blk: don't keep queue frozen during system suspend Imre Deak <imre.deak(a)intel.com> drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() Cathy Avery <cavery(a)redhat.com> scsi: storvsc: Do not flag MAINTENANCE_IN return of SRB_STATUS_DATA_OVERRUN as an error Ranjan Kumar <ranjan.kumar(a)broadcom.com> scsi: mpt3sas: Diag-Reset when Doorbell-In-Use bit is set during driver load time Armin Wolf <W_Armin(a)gmx.de> platform/x86: asus-nb-wmi: Ignore unknown event 0xCF Mark Brown <broonie(a)kernel.org> regmap: Use correct format specifier for logging range errors Brahmajit Das <brahmajit.xyz(a)gmail.com> smb: server: Fix building with GCC 15 bo liu <bo.liu(a)senarytech.com> ALSA: hda/conexant: fix Z60MR100 startup pop issue Tomas Henzl <thenzl(a)redhat.com> scsi: megaraid_sas: Fix for a potential deadlock Magnus Lindholm <linmag7(a)gmail.com> scsi: qla1280: Fix hw revision numbering for ISP1020/1040 James Hilliard <james.hilliard1(a)gmail.com> watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04 Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing/kprobe: Make trace_kprobe's module callback called after jump_label update Alexander Lobakin <aleksander.lobakin(a)intel.com> stddef: make __struct_group() UAPI C++-friendly Haren Myneni <haren(a)linux.ibm.com> powerpc/pseries/vas: Add close() callback in vas_vm_ops struct Dan Carpenter <dan.carpenter(a)linaro.org> mtd: rawnand: fix double free in atmel_pmecc_create_user() Chen Ridong <chenridong(a)huawei.com> dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset Sasha Finkelstein <fnkl.kernel(a)gmail.com> dmaengine: apple-admac: Avoid accessing registers in probe Akhil R <akhilrajeev(a)nvidia.com> dmaengine: tegra: Return correct DMA status when paused Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> dmaengine: dw: Select only supported masters for ACPI devices Javier Carrasco <javier.carrasco.cruz(a)gmail.com> dmaengine: mv_xor: fix child node refcount handling in early exit Chukun Pan <amadeus(a)jmu.edu.cn> phy: rockchip: naneng-combphy: fix phy reset Justin Chen <justin.chen(a)broadcom.com> phy: usb: Toggle the PHY power during init Zijun Hu <quic_zijuhu(a)quicinc.com> phy: core: Fix that API devm_phy_destroy() fails to destroy the phy Zijun Hu <quic_zijuhu(a)quicinc.com> phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider Zijun Hu <quic_zijuhu(a)quicinc.com> phy: core: Fix that API devm_phy_put() fails to release the phy Zijun Hu <quic_zijuhu(a)quicinc.com> phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup() Zijun Hu <quic_zijuhu(a)quicinc.com> phy: core: Fix an OF node refcount leakage in _of_phy_get() Krishna Kurapati <quic_kriskura(a)quicinc.com> phy: qcom-qmp: Fix register name in RX Lane config of SC8280XP Maciej Andrzejewski <maciej.andrzejewski(a)m-works.net> mtd: rawnand: arasan: Fix missing de-registration of NAND Maciej Andrzejewski <maciej.andrzejewski(a)m-works.net> mtd: rawnand: arasan: Fix double assertion of chip-select Zichen Xie <zichenxie0106(a)gmail.com> mtd: diskonchip: Cast an operand to prevent potential overflow NeilBrown <neilb(a)suse.de> nfsd: restore callback functionality for NFSv4.0 Cong Wang <cong.wang(a)bytedance.com> bpf: Check negative offsets in __bpf_skb_min_len() Zijian Zhang <zijianzhang(a)bytedance.com> tcp_bpf: Add sk_rmem_alloc related logic for tcp_bpf ingress redirection Cong Wang <cong.wang(a)bytedance.com> tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress() Bart Van Assche <bvanassche(a)acm.org> mm/vmstat: fix a W=1 clang compiler warning Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg ------------- Diffstat: Makefile | 4 +- arch/mips/Makefile | 2 +- arch/mips/include/asm/mipsregs.h | 13 ++- arch/powerpc/platforms/book3s/vas-api.c | 36 ++++++ block/blk-mq.c | 15 ++- drivers/base/power/domain.c | 1 + drivers/base/regmap/regmap.c | 4 +- drivers/block/virtio_blk.c | 7 +- drivers/dma/apple-admac.c | 7 +- drivers/dma/at_xdmac.c | 2 + drivers/dma/dw/acpi.c | 6 +- drivers/dma/dw/internal.h | 8 ++ drivers/dma/dw/pci.c | 4 +- drivers/dma/mv_xor.c | 2 + drivers/dma/tegra186-gpc-dma.c | 10 ++ drivers/gpu/drm/display/drm_dp_mst_topology.c | 24 +++- drivers/i2c/busses/i2c-imx.c | 1 + drivers/i2c/busses/i2c-microchip-corei2c.c | 126 ++++++++++++++++----- drivers/media/dvb-frontends/dib3000mb.c | 2 +- drivers/mtd/nand/raw/arasan-nand-controller.c | 11 +- drivers/mtd/nand/raw/atmel/pmecc.c | 4 +- drivers/mtd/nand/raw/diskonchip.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 +- drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c | 6 + drivers/phy/phy-core.c | 21 ++-- drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 2 +- drivers/phy/rockchip/phy-rockchip-naneng-combphy.c | 2 +- drivers/platform/x86/asus-nb-wmi.c | 1 + drivers/power/supply/gpio-charger.c | 8 ++ drivers/scsi/megaraid/megaraid_sas_base.c | 5 +- drivers/scsi/mpt3sas/mpt3sas_base.c | 7 +- drivers/scsi/qla1280.h | 12 +- drivers/scsi/storvsc_drv.c | 7 +- drivers/watchdog/it87_wdt.c | 39 +++++++ fs/btrfs/inode.c | 2 + fs/btrfs/sysfs.c | 6 +- fs/nfsd/nfs4callback.c | 4 +- fs/nfsd/nfs4state.c | 2 +- fs/smb/server/smb_common.c | 4 +- include/linux/sched.h | 5 +- include/linux/skmsg.h | 11 +- include/linux/trace_events.h | 2 +- include/linux/vmstat.h | 2 +- include/net/sock.h | 10 +- include/uapi/linux/stddef.h | 13 ++- io_uring/sqpoll.c | 6 + kernel/bpf/syscall.c | 13 ++- kernel/rcu/tasks.h | 82 +++++--------- kernel/trace/trace.c | 3 + kernel/trace/trace_kprobe.c | 2 +- mm/vmalloc.c | 6 +- net/core/filter.c | 21 +++- net/core/skmsg.c | 6 +- net/ipv4/tcp_bpf.c | 6 +- sound/pci/hda/patch_conexant.c | 28 +++++ sound/pci/hda/patch_realtek.c | 7 ++ tools/include/uapi/linux/stddef.h | 15 ++- 57 files changed, 474 insertions(+), 187 deletions(-)

5 months, 2 weeks

8
68
0 0

[PATCH v3 1/2] fs/proc: do_task_stat: Fix ESP not readable during coredump

by Nam Cao

The field "eip" (instruction pointer) and "esp" (stack pointer) of a task can be read from /proc/PID/stat. These fields can be interesting for coredump. However, these fields were disabled by commit 0a1eb2d474ed ("fs/proc: Stop reporting eip and esp in /proc/PID/stat"), because it is generally unsafe to do so. But it is safe for a coredumping process, and therefore exceptions were made: - for a coredumping thread by commit fd7d56270b52 ("fs/proc: Report eip/esp in /prod/PID/stat for coredumping"). - for all other threads in a coredumping process by commit cb8f381f1613 ("fs/proc/array.c: allow reporting eip/esp for all coredumping threads"). The above two commits check the PF_DUMPCORE flag to determine a coredump thread and the PF_EXITING flag for the other threads. Unfortunately, commit 92307383082d ("coredump: Don't perform any cleanups before dumping core") moved coredump to happen earlier and before PF_EXITING is set. Thus, checking PF_EXITING is no longer the correct way to determine threads in a coredumping process. Instead of PF_EXITING, use PF_POSTCOREDUMP to determine the other threads. Checking of PF_EXITING was added for coredumping, so it probably can now be removed. But it doesn't hurt to keep. Fixes: 92307383082d ("coredump: Don't perform any cleanups before dumping core") Cc: stable(a)vger.kernel.org Cc: Eric W. Biederman <ebiederm(a)xmission.com> Acked-by: Oleg Nesterov <oleg(a)redhat.com> Acked-by: Kees Cook <kees(a)kernel.org> Signed-off-by: Nam Cao <namcao(a)linutronix.de> --- fs/proc/array.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/proc/array.c b/fs/proc/array.c index 55ed3510d2bb..d6a0369caa93 100644 --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -500,7 +500,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, * a program is not able to use ptrace(2) in that case. It is * safe because the task has stopped executing permanently. */ - if (permitted && (task->flags & (PF_EXITING|PF_DUMPCORE))) { + if (permitted && (task->flags & (PF_EXITING|PF_DUMPCORE|PF_POSTCOREDUMP))) { if (try_get_task_stack(task)) { eip = KSTK_EIP(task); esp = KSTK_ESP(task); -- 2.39.5

5 months, 2 weeks

1
0
0 0

[PATCH v1] ftrace: Fix function profiler's filtering functionality

by Kohei Enju

From commit c132be2c4fcc ("function_graph: Have the instances use their own ftrace_ops for filtering"), function profiler (enabled via function_profil e_enabled) has been showing statistics for all functions, ignoring set_ftra ce_filter settings. While tracers are instantiated, the function profiler is not. Therefore, it should use the global set_ftrace_filter for consistency. This patch modifies the function profiler to use the global filter, fixing the filtering functionality. Before (filtering not working): ``` root@localhost:~# echo 'vfs*' > /sys/kernel/tracing/set_ftrace_filter root@localhost:~# echo 1 > /sys/kernel/tracing/function_profile_enabled root@localhost:~# sleep 1 root@localhost:~# echo 0 > /sys/kernel/tracing/function_profile_enabled root@localhost:~# head /sys/kernel/tracing/trace_stat/* Function Hit Time Avg s^2 -------- --- ---- --- --- schedule 314 22290594 us 70989.15 us 40372231 us x64_sys_call 1527 8762510 us 5738.382 us 3414354 us schedule_hrtimeout_range 176 8665356 us 49234.98 us 405618876 us __x64_sys_ppoll 324 5656635 us 17458.75 us 19203976 us do_sys_poll 324 5653747 us 17449.83 us 19214945 us schedule_timeout 67 5531396 us 82558.15 us 2136740827 us __x64_sys_pselect6 12 3029540 us 252461.7 us 63296940171 us do_pselect.constprop.0 12 3029532 us 252461.0 us 63296952931 us ``` After (filtering working): ``` root@localhost:~# echo 'vfs*' > /sys/kernel/tracing/set_ftrace_filter root@localhost:~# echo 1 > /sys/kernel/tracing/function_profile_enabled root@localhost:~# sleep 1 root@localhost:~# echo 0 > /sys/kernel/tracing/function_profile_enabled root@localhost:~# head /sys/kernel/tracing/trace_stat/* Function Hit Time Avg s^2 -------- --- ---- --- --- vfs_write 462 68476.43 us 148.217 us 25874.48 us vfs_read 641 9611.356 us 14.994 us 28868.07 us vfs_fstat 890 878.094 us 0.986 us 1.667 us vfs_fstatat 227 757.176 us 3.335 us 18.928 us vfs_statx 226 610.610 us 2.701 us 17.749 us vfs_getattr_nosec 1187 460.919 us 0.388 us 0.326 us vfs_statx_path 297 343.287 us 1.155 us 11.116 us vfs_rename 6 291.575 us 48.595 us 9889.236 us ``` Cc: stable(a)vger.kernel.org Fixes: c132be2c4fcc ("function_graph: Have the instances use their own ftrace_ops for filtering") Signed-off-by: Kohei Enju <enjuk(a)amazon.com> --- kernel/trace/ftrace.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c index 9b17efb1a87d..2e113f8b13a2 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -902,16 +902,13 @@ static void profile_graph_return(struct ftrace_graph_ret *trace, } static struct fgraph_ops fprofiler_ops = { - .ops = { - .flags = FTRACE_OPS_FL_INITIALIZED, - INIT_OPS_HASH(fprofiler_ops.ops) - }, .entryfunc = &profile_graph_entry, .retfunc = &profile_graph_return, }; static int register_ftrace_profiler(void) { + ftrace_ops_set_global_filter(&fprofiler_ops.ops); return register_ftrace_graph(&fprofiler_ops); } @@ -922,12 +919,11 @@ static void unregister_ftrace_profiler(void) #else static struct ftrace_ops ftrace_profile_ops __read_mostly = { .func = function_profile_call, - .flags = FTRACE_OPS_FL_INITIALIZED, - INIT_OPS_HASH(ftrace_profile_ops) }; static int register_ftrace_profiler(void) { + ftrace_ops_set_global_filter(&ftrace_profile_ops); return register_ftrace_function(&ftrace_profile_ops); } -- 2.39.5 (Apple Git-154)

5 months, 2 weeks

1
0
0 0

[PATCH v1] ftrace: Fix function profiler's filtering functionality

by Kohei Enju

From commit c132be2c4fcc ("function_graph: Have the instances use their own ftrace_ops for filtering"), function profiler (enabled via function_profil e_enabled) has been showing statistics for all functions, ignoring set_ftra ce_filter settings. While tracers are instantiated, the function profiler is not. Therefore, it should use the global set_ftrace_filter for consistency. This patch modifies the function profiler to use the global filter, fixing the filtering functionality. Before (filtering not working): ``` Function Hit Time Avg s^2 -------- --- ---- --- --- schedule 314 22290594 us 70989.15 us 40372231 us x64_sys_call 1527 8762510 us 5738.382 us 3414354 us schedule_hrtimeout_range 176 8665356 us 49234.98 us 405618876 us __x64_sys_ppoll 324 5656635 us 17458.75 us 19203976 us do_sys_poll 324 5653747 us 17449.83 us 19214945 us schedule_timeout 67 5531396 us 82558.15 us 2136740827 us __x64_sys_pselect6 12 3029540 us 252461.7 us 63296940171 us do_pselect.constprop.0 12 3029532 us 252461.0 us 63296952931 us ``` After (filtering working): ``` Function Hit Time Avg s^2 -------- --- ---- --- --- vfs_write 462 68476.43 us 148.217 us 25874.48 us vfs_read 641 9611.356 us 14.994 us 28868.07 us vfs_fstat 890 878.094 us 0.986 us 1.667 us vfs_fstatat 227 757.176 us 3.335 us 18.928 us vfs_statx 226 610.610 us 2.701 us 17.749 us vfs_getattr_nosec 1187 460.919 us 0.388 us 0.326 us vfs_statx_path 297 343.287 us 1.155 us 11.116 us vfs_rename 6 291.575 us 48.595 us 9889.236 us ``` Cc: stable(a)vger.kernel.org Fixes: c132be2c4fcc ("function_graph: Have the instances use their own ftrace_ops for filtering") Signed-off-by: Kohei Enju <enjuk(a)amazon.com> --- kernel/trace/ftrace.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c index 9b17efb1a87d..2e113f8b13a2 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -902,16 +902,13 @@ static void profile_graph_return(struct ftrace_graph_ret *trace, } static struct fgraph_ops fprofiler_ops = { - .ops = { - .flags = FTRACE_OPS_FL_INITIALIZED, - INIT_OPS_HASH(fprofiler_ops.ops) - }, .entryfunc = &profile_graph_entry, .retfunc = &profile_graph_return, }; static int register_ftrace_profiler(void) { + ftrace_ops_set_global_filter(&fprofiler_ops.ops); return register_ftrace_graph(&fprofiler_ops); } @@ -922,12 +919,11 @@ static void unregister_ftrace_profiler(void) #else static struct ftrace_ops ftrace_profile_ops __read_mostly = { .func = function_profile_call, - .flags = FTRACE_OPS_FL_INITIALIZED, - INIT_OPS_HASH(ftrace_profile_ops) }; static int register_ftrace_profiler(void) { + ftrace_ops_set_global_filter(&ftrace_profile_ops); return register_ftrace_function(&ftrace_profile_ops); } -- 2.39.5 (Apple Git-154)

5 months, 2 weeks

1
0
0 0

[PATCH] drm/xe/tracing: Fix a potential TP_printk UAF

by Thomas Hellström

The commit afd2627f727b ("tracing: Check "%s" dereference via the field and not the TP_printk format") exposes potential UAFs in the xe_bo_move trace event. Fix those by avoiding dereferencing the xe_mem_type_to_name[] array at TP_printk time. Since some code refactoring has taken place, explicit backporting may be needed for kernels older than 6.10. Fixes: e46d3f813abd ("drm/xe/trace: Extract bo, vm, vma traces") Cc: Gustavo Sousa <gustavo.sousa(a)intel.com> Cc: Lucas De Marchi <lucas.demarchi(a)intel.com> Cc: Radhakrishna Sripada <radhakrishna.sripada(a)intel.com> Cc: Matt Roper <matthew.d.roper(a)intel.com> Cc: "Thomas Hellström" <thomas.hellstrom(a)linux.intel.com> Cc: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Cc: intel-xe(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v6.11+ Signed-off-by: Thomas Hellström <thomas.hellstrom(a)linux.intel.com> --- drivers/gpu/drm/xe/xe_trace_bo.h | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_trace_bo.h b/drivers/gpu/drm/xe/xe_trace_bo.h index 1762dd30ba6d..ea50fee50c7d 100644 --- a/drivers/gpu/drm/xe/xe_trace_bo.h +++ b/drivers/gpu/drm/xe/xe_trace_bo.h @@ -60,8 +60,8 @@ TRACE_EVENT(xe_bo_move, TP_STRUCT__entry( __field(struct xe_bo *, bo) __field(size_t, size) - __field(u32, new_placement) - __field(u32, old_placement) + __string(new_placement_name, xe_mem_type_to_name[new_placement]) + __string(old_placement_name, xe_mem_type_to_name[old_placement]) __string(device_id, __dev_name_bo(bo)) __field(bool, move_lacks_source) ), @@ -69,15 +69,15 @@ TRACE_EVENT(xe_bo_move, TP_fast_assign( __entry->bo = bo; __entry->size = bo->size; - __entry->new_placement = new_placement; - __entry->old_placement = old_placement; + __assign_str(new_placement_name); + __assign_str(old_placement_name); __assign_str(device_id); __entry->move_lacks_source = move_lacks_source; ), TP_printk("move_lacks_source:%s, migrate object %p [size %zu] from %s to %s device_id:%s", __entry->move_lacks_source ? "yes" : "no", __entry->bo, __entry->size, - xe_mem_type_to_name[__entry->old_placement], - xe_mem_type_to_name[__entry->new_placement], __get_str(device_id)) + __get_str(old_placement_name), + __get_str(new_placement_name), __get_str(device_id)) ); DECLARE_EVENT_CLASS(xe_vma, -- 2.47.1

5 months, 2 weeks

4
7
0 0

Linux 6.1.120

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.120 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/ABI/testing/sysfs-bus-pci | 11 Documentation/ABI/testing/sysfs-fs-f2fs | 7 Documentation/RCU/stallwarn.rst | 2 Documentation/devicetree/bindings/clock/adi,axi-clkgen.yaml | 22 Documentation/devicetree/bindings/iio/dac/adi,ad3552r.yaml | 2 Documentation/devicetree/bindings/serial/rs485.yaml | 19 Documentation/devicetree/bindings/sound/mt6359.yaml | 10 Documentation/devicetree/bindings/vendor-prefixes.yaml | 2 Documentation/driver-api/fpga/fpga-bridge.rst | 7 Documentation/driver-api/fpga/fpga-mgr.rst | 34 Documentation/filesystems/mount_api.rst | 3 Documentation/locking/seqlock.rst | 2 Documentation/networking/j1939.rst | 2 Makefile | 2 arch/arm/boot/dts/sun9i-a80-cubieboard4.dts | 4 arch/arm/kernel/entry-armv.S | 8 arch/arm/kernel/head.S | 4 arch/arm/kernel/psci_smp.c | 7 arch/arm/mm/idmap.c | 7 arch/arm/mm/ioremap.c | 35 arch/arm64/boot/dts/allwinner/sun50i-a64-pinephone.dtsi | 3 arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 2 arch/arm64/boot/dts/freescale/imx8mp-verdin.dtsi | 2 arch/arm64/boot/dts/mediatek/mt8173-elm-hana.dtsi | 8 arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-burnet.dts | 3 arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-cozmo.dts | 2 arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-damu.dts | 3 arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-fennel.dtsi | 3 arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi.dtsi | 56 arch/arm64/boot/dts/mediatek/mt8183-kukui-kakadu.dtsi | 4 arch/arm64/boot/dts/mediatek/mt8183-kukui-kodama.dtsi | 4 arch/arm64/boot/dts/mediatek/mt8183-kukui-krane.dtsi | 4 arch/arm64/boot/dts/mediatek/mt8195-cherry.dtsi | 2 arch/arm64/boot/dts/mediatek/mt8195.dtsi | 2 arch/arm64/kernel/fpsimd.c | 1 arch/arm64/kernel/process.c | 2 arch/arm64/kernel/ptrace.c | 6 arch/arm64/kernel/smccc-call.S | 35 arch/arm64/kernel/vmlinux.lds.S | 6 arch/arm64/kvm/arm.c | 2 arch/arm64/kvm/mmio.c | 36 arch/arm64/kvm/pmu-emul.c | 1 arch/arm64/kvm/vgic/vgic-its.c | 32 arch/arm64/kvm/vgic/vgic-mmio-v3.c | 7 arch/arm64/kvm/vgic/vgic.h | 24 arch/arm64/mm/context.c | 4 arch/arm64/net/bpf_jit_comp.c | 47 arch/loongarch/Makefile | 21 arch/loongarch/include/asm/hugetlb.h | 10 arch/loongarch/include/asm/page.h | 5 arch/loongarch/include/asm/percpu.h | 6 arch/loongarch/mm/tlb.c | 2 arch/loongarch/net/bpf_jit.c | 2 arch/loongarch/vdso/Makefile | 2 arch/m68k/coldfire/device.c | 8 arch/m68k/include/asm/mcfgpio.h | 2 arch/m68k/include/asm/mvme147hw.h | 4 arch/m68k/kernel/early_printk.c | 9 arch/m68k/mvme147/config.c | 30 arch/m68k/mvme147/mvme147.h | 6 arch/m68k/mvme16x/config.c | 2 arch/m68k/mvme16x/mvme16x.h | 6 arch/microblaze/kernel/microblaze_ksyms.c | 10 arch/mips/boot/dts/loongson/ls7a-pch.dtsi | 73 arch/mips/include/asm/switch_to.h | 2 arch/parisc/kernel/ftrace.c | 2 arch/powerpc/Kconfig | 4 arch/powerpc/Makefile | 13 arch/powerpc/include/asm/cache.h | 4 arch/powerpc/include/asm/dtl.h | 4 arch/powerpc/include/asm/fadump.h | 7 arch/powerpc/include/asm/page_32.h | 4 arch/powerpc/include/asm/sstep.h | 5 arch/powerpc/include/asm/vdso.h | 1 arch/powerpc/kernel/fadump.c | 23 arch/powerpc/kernel/prom_init.c | 29 arch/powerpc/kernel/setup-common.c | 6 arch/powerpc/kernel/setup_64.c | 1 arch/powerpc/kernel/vdso/Makefile | 57 arch/powerpc/kexec/file_load_64.c | 9 arch/powerpc/kvm/book3s_hv.c | 10 arch/powerpc/kvm/book3s_hv_nested.c | 14 arch/powerpc/lib/sstep.c | 12 arch/powerpc/mm/fault.c | 10 arch/powerpc/platforms/pseries/dtl.c | 8 arch/powerpc/platforms/pseries/lpar.c | 8 arch/s390/kernel/entry.S | 4 arch/s390/kernel/kprobes.c | 6 arch/s390/kernel/perf_cpum_sf.c | 4 arch/s390/kernel/syscalls/Makefile | 2 arch/sh/kernel/cpu/proc.c | 2 arch/um/drivers/net_kern.c | 2 arch/um/drivers/ubd_kern.c | 2 arch/um/drivers/vector_kern.c | 3 arch/um/kernel/physmem.c | 6 arch/um/kernel/process.c | 2 arch/um/kernel/sysrq.c | 2 arch/x86/crypto/aegis128-aesni-asm.S | 29 arch/x86/events/amd/core.c | 10 arch/x86/events/intel/core.c | 34 arch/x86/events/intel/pt.c | 11 arch/x86/events/intel/pt.h | 2 arch/x86/include/asm/amd_nb.h | 5 arch/x86/include/asm/barrier.h | 18 arch/x86/include/asm/cpufeatures.h | 1 arch/x86/include/asm/processor.h | 18 arch/x86/kernel/cpu/amd.c | 3 arch/x86/kernel/cpu/common.c | 7 arch/x86/kernel/cpu/hygon.c | 3 arch/x86/kvm/mmu/mmu.c | 5 arch/x86/kvm/mmu/paging_tmpl.h | 5 arch/x86/kvm/mmu/spte.c | 18 arch/x86/pci/acpi.c | 119 block/blk-merge.c | 10 block/blk-mq.c | 6 block/blk-mq.h | 13 crypto/api.c | 63 crypto/internal.h | 8 crypto/pcrypt.c | 12 drivers/acpi/arm64/gtdt.c | 2 drivers/acpi/cppc_acpi.c | 1 drivers/base/bus.c | 2 drivers/base/core.c | 69 drivers/base/property.c | 6 drivers/base/regmap/regmap-irq.c | 4 drivers/base/regmap/regmap.c | 12 drivers/block/brd.c | 66 drivers/block/ublk_drv.c | 17 drivers/block/virtio_blk.c | 46 drivers/bluetooth/btusb.c | 2 drivers/clk/clk-apple-nco.c | 3 drivers/clk/clk-axi-clkgen.c | 22 drivers/clk/imx/clk-fracn-gppll.c | 10 drivers/clk/imx/clk-lpcg-scu.c | 37 drivers/clk/imx/clk-scu.c | 2 drivers/clk/qcom/gcc-qcs404.c | 1 drivers/clk/renesas/rzg2l-cpg.c | 11 drivers/clk/sunxi-ng/ccu-sun20i-d1.c | 2 drivers/clocksource/Kconfig | 3 drivers/clocksource/timer-ti-dm-systimer.c | 4 drivers/comedi/comedi_fops.c | 12 drivers/counter/stm32-timer-cnt.c | 16 drivers/counter/ti-ecap-capture.c | 7 drivers/cpufreq/cppc_cpufreq.c | 6 drivers/cpufreq/loongson2_cpufreq.c | 4 drivers/cpufreq/mediatek-cpufreq-hw.c | 2 drivers/crypto/bcm/cipher.c | 5 drivers/crypto/caam/caampkc.c | 11 drivers/crypto/caam/qi.c | 2 drivers/crypto/cavium/cpt/cptpf_main.c | 6 drivers/crypto/hisilicon/hpre/hpre_main.c | 35 drivers/crypto/hisilicon/qm.c | 47 drivers/crypto/hisilicon/sec2/sec_main.c | 35 drivers/crypto/hisilicon/zip/zip_main.c | 35 drivers/crypto/inside-secure/safexcel_hash.c | 2 drivers/crypto/qat/qat_common/adf_hw_arbiter.c | 4 drivers/dax/pmem/Makefile | 7 drivers/dax/pmem/pmem.c | 10 drivers/dma-buf/dma-fence-array.c | 28 drivers/dma-buf/dma-fence-unwrap.c | 126 drivers/edac/bluefield_edac.c | 2 drivers/edac/fsl_ddr_edac.c | 22 drivers/edac/igen6_edac.c | 2 drivers/firmware/arm_scpi.c | 3 drivers/firmware/efi/tpm.c | 17 drivers/firmware/google/gsmi.c | 6 drivers/firmware/smccc/smccc.c | 4 drivers/fpga/fpga-bridge.c | 57 drivers/fpga/fpga-mgr.c | 82 drivers/gpio/gpio-exar.c | 10 drivers/gpio/gpio-grgpio.c | 26 drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 1 drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 48 drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 5 drivers/gpu/drm/amd/amdgpu/hdp_v5_2.c | 6 drivers/gpu/drm/amd/amdgpu/vega20_ih.c | 27 drivers/gpu/drm/amd/amdkfd/kfd_process.c | 5 drivers/gpu/drm/amd/display/dc/bios/bios_parser.c | 14 drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 3 drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c | 7 drivers/gpu/drm/amd/display/dc/dcn32/dcn32_hwseq.c | 11 drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c | 3 drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20.c | 2 drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c | 7 drivers/gpu/drm/amd/display/dc/dml/dml1_display_rq_dlg_calc.c | 2 drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 2 drivers/gpu/drm/bridge/analogix/anx7625.c | 2 drivers/gpu/drm/bridge/ite-it6505.c | 11 drivers/gpu/drm/bridge/tc358767.c | 7 drivers/gpu/drm/display/drm_dp_dual_mode_helper.c | 4 drivers/gpu/drm/display/drm_dp_mst_topology.c | 55 drivers/gpu/drm/drm_mm.c | 2 drivers/gpu/drm/drm_panel_orientation_quirks.c | 19 drivers/gpu/drm/etnaviv/etnaviv_buffer.c | 3 drivers/gpu/drm/etnaviv/etnaviv_drv.c | 10 drivers/gpu/drm/etnaviv/etnaviv_dump.c | 7 drivers/gpu/drm/etnaviv/etnaviv_gpu.c | 48 drivers/gpu/drm/etnaviv/etnaviv_gpu.h | 21 drivers/gpu/drm/fsl-dcu/Kconfig | 1 drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c | 15 drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.h | 3 drivers/gpu/drm/imx/dcss/dcss-crtc.c | 6 drivers/gpu/drm/imx/ipuv3-crtc.c | 6 drivers/gpu/drm/mcde/mcde_drv.c | 1 drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 4 drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 2 drivers/gpu/drm/msm/disp/dpu1/dpu_core_perf.c | 2 drivers/gpu/drm/msm/msm_debugfs.c | 12 drivers/gpu/drm/msm/msm_drv.h | 9 drivers/gpu/drm/msm/msm_gpu.h | 15 drivers/gpu/drm/msm/msm_gpu_devfreq.c | 148 drivers/gpu/drm/omapdrm/dss/base.c | 25 drivers/gpu/drm/omapdrm/dss/omapdss.h | 3 drivers/gpu/drm/omapdrm/omap_drv.c | 4 drivers/gpu/drm/omapdrm/omap_gem.c | 10 drivers/gpu/drm/panel/panel-simple.c | 28 drivers/gpu/drm/panfrost/panfrost_gpu.c | 1 drivers/gpu/drm/radeon/r600_cs.c | 2 drivers/gpu/drm/scheduler/sched_main.c | 8 drivers/gpu/drm/sti/sti_cursor.c | 3 drivers/gpu/drm/sti/sti_gdp.c | 3 drivers/gpu/drm/sti/sti_hqvdp.c | 3 drivers/gpu/drm/sti/sti_mixer.c | 2 drivers/gpu/drm/ttm/ttm_bo_util.c | 13 drivers/gpu/drm/ttm/ttm_tt.c | 12 drivers/gpu/drm/v3d/v3d_mmu.c | 29 drivers/gpu/drm/v3d/v3d_perfmon.c | 2 drivers/gpu/drm/vc4/vc4_drv.h | 1 drivers/gpu/drm/vc4/vc4_hdmi.c | 6 drivers/gpu/drm/vc4/vc4_hvs.c | 31 drivers/hid/hid-ids.h | 1 drivers/hid/hid-magicmouse.c | 56 drivers/hid/wacom_sys.c | 3 drivers/hid/wacom_wac.c | 4 drivers/hwmon/nct6775-core.c | 7 drivers/hwmon/tps23861.c | 2 drivers/i3c/master.c | 201 drivers/i3c/master/dw-i3c-master.c | 5 drivers/i3c/master/i3c-master-cdns.c | 5 drivers/i3c/master/mipi-i3c-hci/core.c | 4 drivers/i3c/master/mipi-i3c-hci/dma.c | 2 drivers/i3c/master/svc-i3c-master.c | 148 drivers/iio/adc/ad7780.c | 2 drivers/iio/adc/ad7923.c | 4 drivers/iio/inkern.c | 2 drivers/iio/light/al3010.c | 11 drivers/iio/light/ltr501.c | 2 drivers/iio/magnetometer/yamaha-yas530.c | 13 drivers/infiniband/hw/bnxt_re/ib_verbs.c | 7 drivers/infiniband/hw/bnxt_re/qplib_fp.h | 2 drivers/infiniband/hw/hns/hns_roce_cq.c | 4 drivers/infiniband/hw/hns/hns_roce_device.h | 1 drivers/infiniband/hw/hns/hns_roce_hem.c | 76 drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 172 drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 6 drivers/infiniband/hw/hns/hns_roce_mr.c | 11 drivers/infiniband/hw/hns/hns_roce_qp.c | 54 drivers/infiniband/hw/hns/hns_roce_srq.c | 4 drivers/iommu/arm/arm-smmu/arm-smmu.c | 11 drivers/iommu/intel/iommu.c | 40 drivers/iommu/io-pgtable-arm.c | 18 drivers/leds/flash/leds-mt6360.c | 3 drivers/leds/led-class.c | 14 drivers/leds/leds-lp55xx-common.c | 3 drivers/mailbox/arm_mhuv2.c | 8 drivers/mailbox/mtk-cmdq-mailbox.c | 12 drivers/md/bcache/closure.c | 10 drivers/md/bcache/super.c | 2 drivers/md/dm-thin.c | 1 drivers/media/dvb-frontends/ts2020.c | 8 drivers/media/i2c/adv7604.c | 5 drivers/media/i2c/adv7842.c | 13 drivers/media/i2c/dw9768.c | 10 drivers/media/i2c/tc358743.c | 4 drivers/media/platform/allegro-dvt/allegro-core.c | 4 drivers/media/platform/amphion/vpu_drv.c | 2 drivers/media/platform/amphion/vpu_v4l2.c | 2 drivers/media/platform/aspeed/aspeed-video.c | 4 drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c | 4 drivers/media/platform/qcom/venus/core.c | 2 drivers/media/platform/qcom/venus/core.h | 11 drivers/media/platform/qcom/venus/vdec.c | 4 drivers/media/platform/qcom/venus/venc.c | 72 drivers/media/platform/samsung/exynos4-is/media-dev.h | 5 drivers/media/radio/wl128x/fmdrv_common.c | 3 drivers/media/test-drivers/vivid/vivid-vid-cap.c | 15 drivers/media/usb/cx231xx/cx231xx-cards.c | 2 drivers/media/usb/gspca/ov534.c | 2 drivers/media/usb/uvc/uvc_driver.c | 113 drivers/media/v4l2-core/v4l2-dv-timings.c | 132 drivers/memory/renesas-rpc-if.c | 42 drivers/message/fusion/mptsas.c | 4 drivers/mfd/da9052-spi.c | 2 drivers/mfd/intel_soc_pmic_bxtwc.c | 126 drivers/mfd/rt5033.c | 4 drivers/mfd/tps65010.c | 8 drivers/misc/apds990x.c | 12 drivers/misc/eeprom/eeprom_93cx6.c | 10 drivers/mmc/core/bus.c | 2 drivers/mmc/core/card.h | 7 drivers/mmc/core/core.c | 3 drivers/mmc/core/quirks.h | 9 drivers/mmc/core/sd.c | 2 drivers/mmc/host/mmc_spi.c | 9 drivers/mmc/host/mtk-sd.c | 9 drivers/mmc/host/sdhci-pci-core.c | 72 drivers/mmc/host/sdhci-pci.h | 1 drivers/mtd/hyperbus/rpc-if.c | 31 drivers/mtd/nand/raw/atmel/pmecc.c | 8 drivers/mtd/nand/raw/atmel/pmecc.h | 2 drivers/mtd/spi-nor/core.c | 2 drivers/mtd/ubi/attach.c | 12 drivers/mtd/ubi/fastmap-wl.c | 19 drivers/mtd/ubi/wl.c | 11 drivers/mtd/ubi/wl.h | 3 drivers/net/can/c_can/c_can_main.c | 26 drivers/net/can/dev/dev.c | 2 drivers/net/can/ifi_canfd/ifi_canfd.c | 58 drivers/net/can/m_can/m_can.c | 33 drivers/net/can/sja1000/sja1000.c | 67 drivers/net/can/spi/hi311x.c | 50 drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c | 29 drivers/net/can/sun4i_can.c | 22 drivers/net/can/usb/ems_usb.c | 58 drivers/net/can/usb/gs_usb.c | 104 drivers/net/dsa/qca/qca8k-8xxx.c | 2 drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 9 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 8 drivers/net/ethernet/broadcom/tg3.c | 3 drivers/net/ethernet/cavium/liquidio/lio_main.c | 11 drivers/net/ethernet/chelsio/cxgb4/cxgb4_ptp.c | 13 drivers/net/ethernet/freescale/fec_mpc52xx_phy.c | 2 drivers/net/ethernet/freescale/fec_ptp.c | 13 drivers/net/ethernet/freescale/fs_enet/mii-bitbang.c | 2 drivers/net/ethernet/google/gve/gve_main.c | 7 drivers/net/ethernet/google/gve/gve_rx.c | 4 drivers/net/ethernet/google/gve/gve_tx.c | 4 drivers/net/ethernet/intel/igb/igb_main.c | 4 drivers/net/ethernet/intel/ixgbe/ixgbe_common.h | 2 drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 2 drivers/net/ethernet/intel/ixgbevf/ipsec.c | 1 drivers/net/ethernet/marvell/octeontx2/af/rpm.c | 2 drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c | 5 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c | 4 drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c | 5 drivers/net/ethernet/marvell/octeontx2/nic/otx2_dmac_flt.c | 9 drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 10 drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c | 10 drivers/net/ethernet/marvell/pxa168_eth.c | 14 drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c | 13 drivers/net/ethernet/mellanox/mlxsw/spectrum.h | 1 drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c | 5 drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c | 4 drivers/net/ethernet/qlogic/qed/qed_mcp.c | 4 drivers/net/ethernet/qlogic/qede/qede_ptp.c | 13 drivers/net/ethernet/realtek/r8169_main.c | 14 drivers/net/ethernet/rocker/rocker_main.c | 2 drivers/net/ethernet/sfc/ptp.c | 7 drivers/net/ethernet/sfc/siena/ptp.c | 7 drivers/net/ethernet/stmicro/stmmac/dwmac-socfpga.c | 2 drivers/net/ethernet/ti/am65-cpts.c | 5 drivers/net/geneve.c | 2 drivers/net/mdio/mdio-ipq4019.c | 5 drivers/net/netdevsim/ipsec.c | 11 drivers/net/phy/sfp.c | 3 drivers/net/usb/lan78xx.c | 40 drivers/net/usb/qmi_wwan.c | 1 drivers/net/usb/r8152.c | 1 drivers/net/veth.c | 44 drivers/net/vrf.c | 24 drivers/net/wireless/ath/ath10k/mac.c | 4 drivers/net/wireless/ath/ath5k/pci.c | 2 drivers/net/wireless/ath/ath9k/htc_hst.c | 3 drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 2 drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 3 drivers/net/wireless/intel/ipw2x00/libipw_rx.c | 8 drivers/net/wireless/intel/iwlwifi/fw/init.c | 4 drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 2 drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 12 drivers/net/wireless/intersil/p54/p54spi.c | 4 drivers/net/wireless/marvell/mwifiex/fw.h | 2 drivers/net/wireless/marvell/mwifiex/main.c | 4 drivers/net/wireless/realtek/rtlwifi/efuse.c | 11 drivers/net/wireless/realtek/rtw89/mac80211.c | 4 drivers/net/wireless/realtek/rtw89/util.h | 18 drivers/net/wireless/silabs/wfx/main.c | 17 drivers/nvdimm/dax_devs.c | 4 drivers/nvdimm/nd.h | 7 drivers/nvme/host/pci.c | 55 drivers/pci/controller/dwc/pci-keystone.c | 12 drivers/pci/controller/pcie-rockchip-ep.c | 16 drivers/pci/controller/pcie-rockchip.h | 4 drivers/pci/endpoint/pci-epc-core.c | 13 drivers/pci/hotplug/cpqphp_pci.c | 19 drivers/pci/pci-sysfs.c | 26 drivers/pci/pci.c | 7 drivers/pci/pci.h | 1 drivers/pci/probe.c | 30 drivers/pci/quirks.c | 15 drivers/pci/slot.c | 4 drivers/perf/arm-cmn.c | 4 drivers/perf/arm_smmuv3_pmu.c | 19 drivers/pinctrl/freescale/Kconfig | 2 drivers/pinctrl/pinctrl-k210.c | 2 drivers/pinctrl/pinctrl-zynqmp.c | 1 drivers/pinctrl/qcom/pinctrl-spmi-gpio.c | 4 drivers/pinctrl/qcom/pinctrl-spmi-mpp.c | 1 drivers/platform/chrome/cros_ec_typec.c | 1 drivers/platform/x86/dell/dell-smbios-base.c | 1 drivers/platform/x86/dell/dell-wmi-base.c | 6 drivers/platform/x86/intel/bxtwc_tmu.c | 22 drivers/platform/x86/panasonic-laptop.c | 10 drivers/platform/x86/thinkpad_acpi.c | 28 drivers/power/supply/bq27xxx_battery.c | 37 drivers/power/supply/power_supply_core.c | 2 drivers/ptp/ptp_clock.c | 3 drivers/ptp/ptp_dte.c | 5 drivers/pwm/pwm-imx27.c | 98 drivers/regulator/rk808-regulator.c | 2 drivers/remoteproc/qcom_q6v5_mss.c | 6 drivers/remoteproc/qcom_q6v5_pas.c | 44 drivers/rpmsg/qcom_glink_native.c | 101 drivers/rtc/interface.c | 7 drivers/rtc/rtc-ab-eoz9.c | 7 drivers/rtc/rtc-abx80x.c | 2 drivers/rtc/rtc-cmos.c | 31 drivers/rtc/rtc-rzn1.c | 8 drivers/rtc/rtc-st-lpc.c | 5 drivers/s390/cio/cio.c | 6 drivers/s390/cio/device.c | 18 drivers/scsi/bfa/bfad.c | 3 drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 1 drivers/scsi/lpfc/lpfc_hbadisc.c | 3 drivers/scsi/lpfc/lpfc_scsi.c | 13 drivers/scsi/lpfc/lpfc_sli.c | 11 drivers/scsi/qedf/qedf_main.c | 1 drivers/scsi/qedi/qedi_main.c | 1 drivers/scsi/qla2xxx/qla_attr.c | 1 drivers/scsi/qla2xxx/qla_bsg.c | 124 drivers/scsi/qla2xxx/qla_mid.c | 1 drivers/scsi/qla2xxx/qla_os.c | 15 drivers/scsi/scsi_debug.c | 2 drivers/scsi/st.c | 31 drivers/sh/intc/core.c | 2 drivers/soc/fsl/rcpm.c | 1 drivers/soc/imx/soc-imx8m.c | 107 drivers/soc/qcom/qcom-geni-se.c | 3 drivers/soc/qcom/socinfo.c | 8 drivers/soc/ti/smartreflex.c | 4 drivers/soc/ti/ti_sci_pm_domains.c | 4 drivers/soc/xilinx/xlnx_event_manager.c | 4 drivers/spi/atmel-quadspi.c | 2 drivers/spi/spi-fsl-lpspi.c | 14 drivers/spi/spi-mpc52xx.c | 1 drivers/spi/spi-rpc-if.c | 14 drivers/spi/spi-tegra210-quad.c | 2 drivers/spi/spi-zynqmp-gqspi.c | 2 drivers/spi/spi.c | 13 drivers/staging/media/atomisp/pci/sh_css_params.c | 2 drivers/thermal/intel/int340x_thermal/int3400_thermal.c | 2 drivers/thermal/thermal_core.c | 2 drivers/tty/serial/8250/8250_dw.c | 5 drivers/tty/serial/8250/8250_fintek.c | 14 drivers/tty/serial/8250/8250_omap.c | 4 drivers/tty/serial/amba-pl011.c | 79 drivers/tty/serial/sc16is7xx.c | 5 drivers/tty/tty_ldisc.c | 2 drivers/ufs/core/ufs-sysfs.c | 6 drivers/ufs/core/ufshcd.c | 11 drivers/ufs/host/ufs-exynos.c | 16 drivers/ufs/host/ufs-renesas.c | 9 drivers/usb/chipidea/udc.c | 2 drivers/usb/dwc3/core.h | 1 drivers/usb/dwc3/ep0.c | 7 drivers/usb/dwc3/gadget.c | 104 drivers/usb/dwc3/gadget.h | 1 drivers/usb/gadget/composite.c | 18 drivers/usb/host/ehci-spear.c | 7 drivers/usb/host/xhci-dbgcap.c | 135 drivers/usb/host/xhci-dbgcap.h | 2 drivers/usb/host/xhci-ring.c | 18 drivers/usb/misc/chaoskey.c | 35 drivers/usb/misc/iowarrior.c | 50 drivers/usb/misc/yurex.c | 5 drivers/usb/musb/musb_gadget.c | 13 drivers/usb/typec/tcpm/wcove.c | 4 drivers/vdpa/mlx5/core/mr.c | 4 drivers/vfio/pci/mlx5/cmd.c | 47 drivers/vfio/pci/vfio_pci_config.c | 16 drivers/video/fbdev/efifb.c | 11 drivers/video/fbdev/sh7760fb.c | 11 drivers/watchdog/apple_wdt.c | 2 drivers/watchdog/iTCO_wdt.c | 21 drivers/watchdog/mtk_wdt.c | 6 drivers/watchdog/rti_wdt.c | 3 drivers/xen/xenbus/xenbus_probe.c | 8 fs/btrfs/ctree.c | 10 fs/btrfs/ctree.h | 2 fs/btrfs/extent-tree.c | 3 fs/btrfs/inode.c | 14 fs/btrfs/ioctl.c | 36 fs/btrfs/ref-verify.c | 1 fs/btrfs/root-tree.c | 10 fs/btrfs/volumes.c | 42 fs/cachefiles/ondemand.c | 4 fs/ceph/super.c | 10 fs/eventpoll.c | 6 fs/exfat/namei.c | 1 fs/ext4/ext4.h | 1 fs/ext4/fsmap.c | 54 fs/ext4/mballoc.c | 18 fs/ext4/mballoc.h | 1 fs/ext4/super.c | 33 fs/f2fs/file.c | 8 fs/f2fs/gc.c | 2 fs/f2fs/inode.c | 4 fs/f2fs/segment.c | 74 fs/f2fs/segment.h | 41 fs/fscache/volume.c | 3 fs/hfsplus/hfsplus_fs.h | 3 fs/hfsplus/wrapper.c | 2 fs/inode.c | 10 fs/jffs2/compr_rtime.c | 3 fs/jffs2/erase.c | 7 fs/jfs/jfs_dmap.c | 6 fs/jfs/jfs_dtree.c | 15 fs/jfs/xattr.c | 2 fs/nfs/internal.h | 2 fs/nfs/nfs4proc.c | 8 fs/nfsd/export.c | 5 fs/nfsd/nfs4callback.c | 16 fs/nfsd/nfs4proc.c | 7 fs/nfsd/nfs4recover.c | 3 fs/nfsd/nfs4state.c | 19 fs/nilfs2/dir.c | 2 fs/notify/fsnotify.c | 23 fs/ntfs3/record.c | 32 fs/ocfs2/aops.h | 2 fs/ocfs2/dlmglue.c | 1 fs/ocfs2/file.c | 4 fs/ocfs2/localalloc.c | 19 fs/ocfs2/namei.c | 4 fs/overlayfs/inode.c | 7 fs/overlayfs/util.c | 3 fs/proc/kcore.c | 11 fs/proc/softirqs.c | 2 fs/quota/dquot.c | 2 fs/smb/client/cached_dir.c | 2 fs/smb/client/cifssmb.c | 2 fs/smb/client/smb2ops.c | 8 fs/smb/server/smb2pdu.c | 6 fs/ubifs/super.c | 6 fs/ubifs/tnc_commit.c | 2 fs/udf/inode.c | 46 fs/unicode/mkutf8data.c | 70 fs/unicode/utf8-core.c | 2 fs/unicode/utf8data.c_shipped | 6703 +++++----- fs/xfs/libxfs/xfs_sb.c | 7 fs/xfs/xfs_log_recover.c | 5 include/drm/display/drm_dp_mst_helper.h | 7 include/drm/ttm/ttm_tt.h | 7 include/linux/arm-smccc.h | 30 include/linux/blkdev.h | 2 include/linux/bpf.h | 7 include/linux/cache.h | 6 include/linux/crypto.h | 1 include/linux/devfreq.h | 7 include/linux/dma-mapping.h | 5 include/linux/eeprom_93cx6.h | 11 include/linux/eventpoll.h | 2 include/linux/fpga/fpga-bridge.h | 10 include/linux/fpga/fpga-mgr.h | 26 include/linux/fwnode.h | 2 include/linux/hisi_acc_qm.h | 8 include/linux/i3c/master.h | 35 include/linux/jiffies.h | 2 include/linux/leds.h | 2 include/linux/lockdep.h | 2 include/linux/mmc/card.h | 1 include/linux/netdevice.h | 30 include/linux/netpoll.h | 2 include/linux/pci-epc.h | 2 include/linux/pci.h | 6 include/linux/property.h | 20 include/linux/rbtree_latch.h | 2 include/linux/scatterlist.h | 2 include/linux/seqlock.h | 107 include/linux/slab.h | 14 include/linux/sock_diag.h | 10 include/linux/util_macros.h | 56 include/media/v4l2-dv-timings.h | 18 include/memory/renesas-rpc-if.h | 18 include/net/bluetooth/hci_sync.h | 12 include/net/sock.h | 2 include/trace/trace_events.h | 36 include/uapi/linux/rtnetlink.h | 2 include/ufs/ufshcd.h | 19 init/initramfs.c | 15 io_uring/io_uring.c | 12 io_uring/tctx.c | 13 ipc/namespace.c | 4 kernel/bpf/devmap.c | 6 kernel/bpf/helpers.c | 6 kernel/bpf/lpm_trie.c | 55 kernel/bpf/syscall.c | 3 kernel/bpf/verifier.c | 41 kernel/cgroup/cgroup.c | 21 kernel/dma/debug.c | 8 kernel/kcsan/debugfs.c | 74 kernel/printk/printk.c | 2 kernel/rcu/tasks.h | 82 kernel/sched/core.c | 4 kernel/sched/fair.c | 2 kernel/time/ntp.c | 2 kernel/time/sched_clock.c | 2 kernel/time/time.c | 2 kernel/time/timekeeping.c | 4 kernel/trace/bpf_trace.c | 6 kernel/trace/ftrace.c | 3 kernel/trace/trace_clock.c | 2 kernel/trace/trace_eprobe.c | 5 kernel/trace/trace_event_perf.c | 6 kernel/trace/trace_syscalls.c | 12 kernel/trace/tracing_map.c | 6 lib/maple_tree.c | 13 lib/stackinit_kunit.c | 1 lib/string_helpers.c | 2 mm/damon/vaddr-test.h | 1 mm/damon/vaddr.c | 4 mm/kasan/report.c | 65 mm/mmap.c | 4 mm/page_alloc.c | 15 mm/swap.c | 20 mm/vmstat.c | 1 net/9p/trans_xen.c | 9 net/bluetooth/hci_core.c | 13 net/bluetooth/hci_sync.c | 132 net/bluetooth/hci_sysfs.c | 15 net/bluetooth/l2cap_sock.c | 1 net/bluetooth/mgmt.c | 61 net/bluetooth/rfcomm/sock.c | 20 net/can/af_can.c | 1 net/can/j1939/transport.c | 2 net/core/dev.c | 61 net/core/filter.c | 95 net/core/gen_estimator.c | 2 net/core/neighbour.c | 1 net/core/netpoll.c | 2 net/core/rtnetlink.c | 2 net/core/skmsg.c | 4 net/core/sock_diag.c | 114 net/dccp/feat.c | 6 net/ethtool/bitset.c | 48 net/hsr/hsr_device.c | 4 net/hsr/hsr_forward.c | 2 net/ieee802154/socket.c | 12 net/ipv4/af_inet.c | 22 net/ipv4/cipso_ipv4.c | 2 net/ipv4/inet_connection_sock.c | 2 net/ipv4/inet_diag.c | 11 net/ipv4/ip_output.c | 13 net/ipv4/ipmr.c | 42 net/ipv4/ipmr_base.c | 3 net/ipv4/tcp.c | 2 net/ipv4/tcp_bpf.c | 18 net/ipv4/tcp_fastopen.c | 7 net/ipv4/udp.c | 2 net/ipv6/addrconf.c | 41 net/ipv6/af_inet6.c | 24 net/ipv6/ip6_fib.c | 2 net/ipv6/ip6_output.c | 13 net/ipv6/ip6mr.c | 38 net/ipv6/ipv6_sockglue.c | 3 net/ipv6/route.c | 16 net/iucv/af_iucv.c | 26 net/llc/af_llc.c | 2 net/mac80211/main.c | 2 net/mptcp/protocol.c | 4 net/netfilter/ipset/ip_set_bitmap_ip.c | 7 net/netfilter/ipset/ip_set_core.c | 5 net/netfilter/ipvs/ip_vs_proto.c | 4 net/netfilter/nf_tables_api.c | 19 net/netfilter/nft_set_hash.c | 16 net/netfilter/nft_socket.c | 2 net/netfilter/xt_LED.c | 4 net/netlink/diag.c | 1 net/packet/af_packet.c | 12 net/packet/diag.c | 1 net/rfkill/rfkill-gpio.c | 8 net/rxrpc/af_rxrpc.c | 7 net/sched/act_api.c | 2 net/sched/cls_flower.c | 5 net/sched/sch_cbs.c | 2 net/sched/sch_tbf.c | 18 net/smc/af_smc.c | 2 net/smc/smc_diag.c | 1 net/sunrpc/cache.c | 4 net/sunrpc/xprtrdma/svc_rdma.c | 40 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 8 net/sunrpc/xprtsock.c | 1 net/tipc/diag.c | 1 net/tipc/udp_media.c | 2 net/unix/diag.c | 1 net/vmw_vsock/diag.c | 1 net/xdp/xsk_buff_pool.c | 5 net/xdp/xsk_diag.c | 1 net/xdp/xskmap.c | 2 samples/bpf/test_cgrp2_sock.c | 4 samples/bpf/xdp_adjust_tail_kern.c | 1 scripts/mod/file2alias.c | 5 scripts/mod/modpost.c | 4 security/apparmor/capability.c | 2 security/apparmor/policy_unpack_test.c | 6 sound/core/pcm_native.c | 6 sound/hda/intel-dsp-config.c | 4 sound/pci/hda/patch_realtek.c | 157 sound/soc/amd/yc/acp6x-mach.c | 39 sound/soc/codecs/da7219.c | 9 sound/soc/codecs/hdmi-codec.c | 140 sound/soc/fsl/fsl_micfil.c | 4 sound/soc/generic/audio-graph-card2.c | 3 sound/soc/intel/atom/sst/sst_acpi.c | 64 sound/soc/intel/avs/pcm.c | 2 sound/soc/intel/boards/bytcr_rt5640.c | 48 sound/soc/stm/stm32_sai_sub.c | 6 sound/usb/6fire/chip.c | 10 sound/usb/caiaq/audio.c | 10 sound/usb/caiaq/audio.h | 1 sound/usb/caiaq/device.c | 19 sound/usb/caiaq/input.c | 12 sound/usb/caiaq/input.h | 1 sound/usb/clock.c | 24 sound/usb/endpoint.c | 14 sound/usb/mixer.c | 58 sound/usb/mixer_maps.c | 10 sound/usb/quirks-table.h | 14 sound/usb/quirks.c | 58 sound/usb/usbaudio.h | 4 sound/usb/usx2y/us122l.c | 5 sound/usb/usx2y/usbusx2y.c | 2 tools/bpf/bpftool/jit_disasm.c | 51 tools/bpf/bpftool/main.h | 25 tools/bpf/bpftool/map.c | 1 tools/bpf/bpftool/prog.c | 22 tools/lib/bpf/libbpf.c | 4 tools/lib/bpf/linker.c | 2 tools/lib/thermal/Makefile | 4 tools/lib/thermal/commands.c | 52 tools/perf/builtin-ftrace.c | 2 tools/perf/builtin-stat.c | 52 tools/perf/builtin-trace.c | 16 tools/perf/util/cs-etm.c | 25 tools/perf/util/evlist.c | 19 tools/perf/util/evlist.h | 1 tools/perf/util/probe-finder.c | 21 tools/perf/util/probe-finder.h | 4 tools/scripts/Makefile.arch | 4 tools/testing/selftests/arm64/mte/check_tags_inclusion.c | 4 tools/testing/selftests/arm64/mte/mte_common_util.c | 4 tools/testing/selftests/arm64/pauth/pac.c | 3 tools/testing/selftests/bpf/network_helpers.h | 44 tools/testing/selftests/bpf/test_progs.c | 9 tools/testing/selftests/bpf/test_sockmap.c | 165 tools/testing/selftests/mount_setattr/mount_setattr_test.c | 2 tools/testing/selftests/net/pmtu.sh | 2 tools/testing/selftests/resctrl/resctrl_val.c | 3 tools/testing/selftests/vDSO/parse_vdso.c | 3 tools/testing/selftests/watchdog/watchdog-test.c | 6 tools/testing/selftests/wireguard/netns.sh | 1 tools/tracing/rtla/src/utils.c | 4 tools/tracing/rtla/src/utils.h | 2 tools/verification/dot2/automata.py | 18 773 files changed, 11342 insertions(+), 7062 deletions(-) Abel Vesa (1): remoteproc: qcom: q6v5: Use _clk_get_optional for aggre2_clk Adrian Hunter (1): perf/x86/intel/pt: Fix buffer full but size is 0 case Ahmed Ehab (1): locking/lockdep: Avoid creating new name string literals in lockdep_set_subclass() Ahsan Atta (1): crypto: qat - remove faulty arbiter config reset Ajay Kaher (1): ptp: Add error handling for adjfine callback in ptp_clock_adjtime Aleksandr Mishin (1): acpi/arm64: Adjust error handling procedure in gtdt_parse_timer_block() Alex Deucher (2): drm/amdgpu/hdp5.2: do a posting read when flushing HDP drm/amdgpu: rework resume handling for display (v2) Alex Hung (4): drm/amd/display: Check null-initialized variables drm/amd/display: Initialize denominators' default to 1 drm/amd/display: Check phantom_stream before it is used drm/amd/display: Check BIOS images before it is used Alex Zenla (2): 9p/xen: fix init sequence 9p/xen: fix release of IRQ Alexander Hölzl (1): can: j1939: fix error in J1939 documentation. Alexander Kozhinov (1): can: gs_usb: add usb endpoint address detection at driver probe step Alexander Shiyan (1): media: i2c: tc358743: Fix crash in the probe error path when using polling Alexander Stein (1): spi: spi-fsl-lpspi: downgrade log level for pio mode Alexander Sverdlin (1): watchdog: rti: of: honor timeout-sec property Alexandru Ardelean (1): util_macros.h: fix/rework find_closest() macros Alexis Lothoré (eBPF Foundation) (1): selftests/bpf: add missing header include for htons Alper Nebi Yasak (1): wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan() Amadeusz Sławiński (1): ASoC: Intel: avs: Fix return status of avs_pcm_hw_constraints_init() Amir Goldstein (1): fsnotify: fix sending inotify event with unexpected filename Amir Mohammadi (1): bpftool: fix potential NULL pointer dereferencing in prog_dump() Andre Przywara (4): kselftest/arm64: mte: fix printf type warnings about __u64 kselftest/arm64: mte: fix printf type warnings about longs ARM: dts: cubieboard4: Fix DCDC5 regulator constraints clk: sunxi-ng: d1: Fix PLL_AUDIO0 preset Andrej Shadura (1): Bluetooth: Fix type of len in rfcomm_sock_getsockopt{,_old}() Andrew Lunn (1): dsa: qca8k: Use nested lock to avoid splat Andrey Konovalov (1): kasan: suppress recursive reports for HW_TAGS Andrii Nakryiko (2): libbpf: fix sym_is_subprog() logic for weak global subprogs libbpf: never interpret subprogs in .text as entry programs André Almeida (1): unicode: Fix utf8_load() error path Andy Shevchenko (7): regmap: irq: Set lockdep class for hierarchical IRQ domains drm/mm: Mark drm_mm_interval_tree*() functions with __maybe_unused mfd: intel_soc_pmic_bxtwc: Use IRQ domain for USB Type-C device mfd: intel_soc_pmic_bxtwc: Use IRQ domain for TMU device mfd: intel_soc_pmic_bxtwc: Use IRQ domain for PMIC devices device property: Constify device child node APIs iio: light: ltr501: Add LTER0303 to the supported devices Andy-ld Lu (1): mmc: mtk-sd: Fix error handle of probe function Angelo Dureghello (1): dt-bindings: iio: dac: ad3552r: fix maximum spi speed Anil Gurumurthy (1): scsi: qla2xxx: Supported speed displayed incorrectly for VPorts Antonio Quartulli (1): m68k: coldfire/device.c: only build FEC when HW macros are defined Arnaldo Carvalho de Melo (1): perf ftrace latency: Fix unit on histogram first entry when using --use-nsec Arnd Bergmann (2): x86/amd_nb: Fix compile-testing without CONFIG_AMD_NB serial: amba-pl011: fix build regression Artem Sadovnikov (1): jfs: xattr: check invalid xattr size more strictly Avihai Horon (1): vfio/pci: Properly hide first-in-list PCIe extended capability Baochen Qiang (2): wifi: ath10k: fix invalid VHT parameters in supported_vht_mcs_rate_nss1 wifi: ath10k: fix invalid VHT parameters in supported_vht_mcs_rate_nss2 Barnabás Czémán (3): power: supply: bq27xxx: Fix registers of bq27426 pinctrl: qcom-pmic-gpio: add support for PM8937 pinctrl: qcom: spmi-mpp: Add PM8937 compatible Bart Van Assche (2): power: supply: core: Remove might_sleep() from power_supply_put() scsi: ufs: core: Make DMA mask configuration more flexible Bartosz Golaszewski (4): mmc: mmc_spi: drop buggy snprintf() pinctrl: zynqmp: drop excess struct member description lib: string_helpers: silence snprintf() output truncation warning gpio: grgpio: use a helper variable to store the address of ofdev->dev Baruch Siach (1): doc: rcu: update printed dynticks counter bits Ben Greear (1): mac80211: fix user-power when emulating chanctx Benjamin Große (1): usb: add support for new USB device ID 0x17EF:0x3098 for the r8152 driver Benjamin Peterson (3): perf trace: avoid garbage when not printing a trace event's arguments perf trace: Do not lose last events in a race perf trace: Avoid garbage when not printing a syscall's arguments Benoît Monin (1): net: usb: qmi_wwan: add Quectel RG650V Benoît Sevens (1): ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices Bibo Mao (1): LoongArch: Add architecture specific huge_pte_clear() Biju Das (2): mtd: hyperbus: rpc-if: Add missing MODULE_DEVICE_TABLE clk: renesas: rzg2l: Fix FOUTPOSTDIV clk Bin Liu (1): serial: 8250: omap: Move pm_runtime_get_sync Bjorn Andersson (1): rpmsg: glink: Fix GLINK command prefix Björn Töpel (1): tools: Override makefile ARCH variable if defined, but empty Boris Burkov (2): btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations btrfs: do not clear read-only when adding sprout device Borislav Petkov (AMD) (1): x86/barrier: Do not serialize MSR accesses on AMD Brahmajit Das (1): drm/display: Fix building with GCC 15 Breno Leitao (5): ipmr: Fix access to mfc_cache_list without lock held spi: tegra210-quad: Avoid shift-out-of-bounds netpoll: Use rcu_access_pointer() in netpoll_poll_lock perf/x86/amd: Warn only on new bits set netpoll: Use rcu_access_pointer() in __netpoll_setup Callahan Kovacs (1): HID: magicmouse: Apple Magic Trackpad 2 USB-C driver support Carlos Song (2): i3c: master: support to adjust first broadcast address speed i3c: master: svc: use slow speed for first broadcast address Catalin Marinas (4): mm/slab: decouple ARCH_KMALLOC_MINALIGN from ARCH_DMA_MINALIGN powerpc: move the ARCH_DMA_MINALIGN definition to asm/cache.h dma: allow dma_get_cache_alignment() to be overridden by the arch code arm64: Ensure bits ASID[15:8] are masked out when the kernel uses 8-bit ASIDs Chao Yu (2): f2fs: fix to account dirty data in __get_secs_required() f2fs: fix to avoid forcing direct write to use buffered IO on inline_data inode Charles Han (3): soc: qcom: Add check devm_kasprintf() returned value clk: clk-apple-nco: Add NULL check in applnco_probe gpio: grgpio: Add NULL check in grgpio_probe Chen Ridong (4): crypto: caam - add error check to caam_rsa_set_priv_key_form crypto: bcm - add error check in the ahash_hmac_init function Revert "cgroup: Fix memory leak caused by missing cgroup_bpf_offline" cgroup/bpf: only cgroup v2 can be attached by bpf programs Chen-Yu Tsai (6): arm64: dts: mediatek: mt8173-elm-hana: Add vdd-supply to second source trackpad arm64: dts: mediatek: mt8183-kukui-jacuzzi: Fix DP bridge supply names arm64: dts: mediatek: mt8183-kukui-jacuzzi: Add supplies for fixed regulators Revert "arm64: dts: mediatek: mt8195-cherry: Mark USB 3.0 on xhci1 as disabled" arm64: dts: mediatek: mt8195-cherry: Mark USB 3.0 on xhci1 as disabled drm/bridge: it6505: Fix inverted reset polarity ChenXiaoSong (1): btrfs: add might_sleep() annotations Cheng Ming Lin (1): mtd: spi-nor: core: replace dummy buswidth from addr to data Chengchang Tang (1): RDMA/hns: Add clear_hem return value to log Chih-Kang Chang (1): wifi: rtw89: avoid to add interface to list twice when SER Christian Brauner (1): epoll: annotate racy check Christian König (1): dma-buf: fix dma_fence_array_signaled v4 Christoph Hellwig (8): nvme-pci: fix freeing of the HMB descriptor table block: fix bio_split_rw_at to take zone_write_granularity into account nvme-pci: reverse request order in nvme_queue_rqs virtio_blk: reverse request order in virtio_queue_rqs f2fs: remove struct segment_allocation default_salloc_ops f2fs: open code allocate_segment_by_default f2fs: remove the unused flush argument to change_curseg block: return unsigned int from bdev_io_min Christophe JAILLET (3): crypto: caam - Fix the pointer passed to caam_qi_shutdown() crypto: cavium - Fix an error handling path in cpt_ucode_load_fw() iio: light: al3010: Fix an error handling path in al3010_probe() Christophe Leroy (2): powerpc/vdso: Flag VDSO64 entry points as functions powerpc/vdso: Refactor CFLAGS for CVDSO build Chuck Lever (5): svcrdma: Address an integer overflow NFSD: Prevent NULL dereference in nfsd4_process_cb_update() NFSD: Cap the number of bytes copied by nfs4_reset_recoverydir() NFSD: Fix nfsd4_shutdown_copy() NFSD: Prevent a potential integer overflow Chun-Tse Shao (1): perf/arm-smmuv3: Fix lockdep assert in ->event_init() Clark Wang (1): pwm: imx27: Workaround of the pwm output bug when decrease the duty cycle Claudiu Beznea (1): serial: sh-sci: Clean sci_ports[0] after at earlycon exit Cosmin Tanislav (1): regmap: detach regmap from dev on regmap_exit Csókás, Bence (1): spi: atmel-quadspi: Fix register name in verbose logging function Damien Le Moal (1): PCI: rockchip-ep: Fix address translation unit programming Dan Carpenter (3): soc: qcom: geni-se: fix array underflow in geni_se_clk_tbl_get() mailbox: arm_mhuv2: clean up loop in get_irq_chan_comb() sh: intc: Fix use-after-free bug in register_intc_controller() Daniel Borkmann (2): bpf: Fix helper writes to read-only maps net: Move {l,t,d}stats allocation to core and convert veth & vrf Daniel Gabay (1): wifi: iwlwifi: mvm: Use the sync timepoint API in suspend Daniel Lezcano (2): tools/lib/thermal: Make more generic the command encoding function thermal/lib: Fix memory leak on error in thermal_genl_auto() Daniel Palmer (2): m68k: mvme147: Fix SCSI controller IRQ numbers m68k: mvme147: Reinstate early console Daolong Zhu (4): arm64: dts: mt8183: fennel: add i2c2's i2c-scl-internal-delay-ns arm64: dts: mt8183: burnet: add i2c2's i2c-scl-internal-delay-ns arm64: dts: mt8183: cozmo: add i2c2's i2c-scl-internal-delay-ns arm64: dts: mt8183: Damu: add i2c2's i2c-scl-internal-delay-ns Dario Binacchi (9): can: c_can: c_can_handle_bus_err(): update statistics if skb allocation fails can: sun4i_can: sun4i_can_err(): call can_change_state() even if cf is NULL can: hi311x: hi3110_can_ist(): fix potential use-after-free can: m_can: m_can_handle_lec_err(): fix {rx,tx}_errors statistics can: ifi_canfd: ifi_canfd_handle_lec_err(): fix {rx,tx}_errors statistics can: hi311x: hi3110_can_ist(): fix {rx,tx}_errors statistics can: sja1000: sja1000_err(): fix {rx,tx}_errors statistics can: sun4i_can: sun4i_can_err(): fix {rx,tx}_errors statistics can: ems_usb: ems_usb_rx_err(): fix {rx,tx}_errors statistics Dave Stevenson (5): drm/vc4: hvs: Don't write gamma luts on 2711 drm/vc4: hvs: Fix dlist debug not resetting the next entry pointer drm/vc4: hvs: Remove incorrect limit from hvs_dlist debugfs function drm/vc4: hvs: Correct logic on stopping an HVS channel drm/vc4: hvs: Set AXI panic modes for the HVS David Disseldorp (1): initramfs: avoid filename buffer overrun David Given (1): media: uvcvideo: Add a quirk for the Kaiweets KTI-W02 infrared camera David Thompson (1): EDAC/bluefield: Fix potential integer overflow David Wang (1): proc/softirqs: replace seq_printf with seq_put_decimal_ull_width Defa Li (1): i3c: Use i3cdev->desc->info instead of calling i3c_device_get_info() to avoid deadlock Dikshita Agarwal (1): venus: venc: add handling for VIDIOC_ENCODER_CMD Dinesh Kumar (1): ALSA: hda/realtek: Fix Internal Speaker and Mic boost of Infinix Y4 Max Dipendra Khadka (6): octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_common.c octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_ethtool.c octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_flows.c octeontx2-pf: handle otx2_mbox_get_rsp errors in cn10k.c octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_dmac_flt.c octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_dcbnl.c Dmitry Antipov (5): Bluetooth: fix use-after-free in device_for_each_child() ocfs2: fix uninitialized value in ocfs2_file_read_iter() netfilter: x_tables: fix LED ID check in led_tg_check() can: j1939: j1939_session_new(): fix skb reference counting rocker: fix link status detection in rocker_carrier_init() Dmitry Baryshkov (1): remoteproc: qcom: pas: add minidump_id to SM8350 resources Dmitry Kandybka (1): mptcp: fix possible integer overflow in mptcp_reset_tout_timer Dmitry Torokhov (1): rtc: cmos: avoid taking rtc_lock for extended period of time Dom Cobley (2): drm/vc4: hdmi: Avoid hang with debug registers when suspended drm/vc4: hdmi: Avoid log spam for audio start failure Dong Aisheng (1): clk: imx: clk-scu: fix clk enable state save and restore Doug Brown (1): drm/etnaviv: fix power register offset on GC300 Dragan Simic (1): arm64: dts: allwinner: pinephone: Add mount matrix to accelerometer Eduard Zingerman (1): selftests/bpf: Fix backtrace printing for selftests crashes Edward Adam Davis (1): USB: chaoskey: Fix possible deadlock chaoskey_list_lock Elena Salomatkina (1): net/sched: cbs: Fix integer overflow in cbs_set_port_rate() Eric Biggers (1): crypto: x86/aegis128 - access 32-bit arguments as 32-bit Eric Dumazet (7): sock_diag: add module pointer to "struct sock_diag_handler" sock_diag: allow concurrent operations sock_diag: allow concurrent operation in sock_diag_rcv_msg() net: use unrcu_pointer() helper net: hsr: fix hsr_init_sk() vs network/transport headers. net: hsr: avoid potential out-of-bound access in fill_frame_info() geneve: do not assume mac header is set in geneve_xmit_skb() Eryk Zagorski (1): ALSA: usb-audio: Fix Yamaha P-125 Quirk Entry Esben Haabendal (1): pinctrl: freescale: fix COMPILE_TEST error with PINCTRL_IMX_SCU Esther Shimanovich (1): PCI: Detect and trust built-in Thunderbolt chips Everest K.C (1): crypto: cavium - Fix the if condition to exit loop after timeout Filip Brozovic (1): serial: 8250_fintek: Add support for F81216E Filipe Manana (3): btrfs: don't loop for nowait writes when checking for cross references btrfs: ref-verify: fix use-after-free after invalid ref action btrfs: fix missing snapshot drew unlock when root is dead during swap activation Florian Westphal (1): netfilter: nf_tables: must hold rcu read lock while iterating object type list Francesco Dolcini (2): arm64: dts: freescale: imx8mm-verdin: Fix SD regulator startup delay arm64: dts: freescale: imx8mp-verdin: Fix SD regulator startup delay Frank Li (10): i3c: master: Fix miss free init_dyn_addr at i3c_master_put_i3c_addrs() i3c: master: add enable(disable) hot join in sys entry i3c: master: svc: add hot join support i3c: master: fix kernel-doc check warning i3c: master: svc: Modify enabled_events bit 7:0 to act as IBI enable counter i3c: master: Replace hard code 2 with macro I3C_ADDR_SLOT_STATUS_BITS i3c: master: Extend address status bit to 4 and add I3C_ADDR_SLOT_EXT_DESIRED i3c: master: Fix dynamic address leak when 'assigned-address' is present i3c: master: Remove i3c_dev_disable_ibi_locked(olddev) on device hotjoin i3c: master: svc: fix possible assignment of the same address to two devices Fuad Tabba (1): KVM: arm64: Change kvm_handle_mmio_return() return polarity Gabor Juhos (1): clk: qcom: gcc-qcs404: fix initial rate of GPLL3 Gabriele Monaco (1): verification/dot2: Improve dot parser robustness Gaosheng Cui (2): drivers: soc: xilinx: add the missing kfree in xlnx_add_cb_for_suspend() media: platform: allegro-dvt: Fix possible memory leak in allocate_buffers_internal() Gautam Menghani (3): KVM: PPC: Book3S HV: Stop using vc->dpdes for nested KVM guests KVM: PPC: Book3S HV: Avoid returning to nested hypervisor on pending doorbells powerpc/pseries: Fix KVM guest detection for disabling hardlockup detector Geert Uytterhoeven (4): m68k: mvme16x: Add and use "mvme16x.h" memory: renesas-rpc-if: Improve Runtime PM handling memory: renesas-rpc-if: Pass device instead of rpcif to rpcif_*() memory: renesas-rpc-if: Remove Runtime PM wrappers Ghanshyam Agrawal (3): jfs: array-index-out-of-bounds fix in dtReadFirst jfs: fix shift-out-of-bounds in dbSplit jfs: fix array-index-out-of-bounds in jfs_readdir Greg Kroah-Hartman (2): Revert "serial: sh-sci: Clean sci_ports[0] after at earlycon exit" Linux 6.1.120 Gregory Price (1): tpm: fix signed/unsigned bug when checking event logs Guilherme G. Piccoli (1): wifi: rtlwifi: Drastically reduce the attempts to read efuse in case of failures Gwendal Grignou (1): scsi: ufs: core: sysfs: Prevent div by zero Hangbin Liu (3): netdevsim: copy addresses for both in and out paths wireguard: selftests: load nf_conntrack if not present net/ipv6: delete temporary address if mngtmpaddr is removed or unmanaged Hans Verkuil (1): media: v4l2-core: v4l2-dv-timings: check cvt/gtf result Hans de Goede (6): ASoC: Intel: bytcr_rt5640: Add support for non ACPI instantiated codec ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet ASoC: Intel: sst: Support LPE0F28 ACPI HID drm: panel-orientation-quirks: Make Lenovo Yoga Tab 3 X90F DMI match less strict ASoC: Intel: sst: Fix used of uninitialized ctx to log an error mmc: sdhci-pci: Add DMI quirk for missing CD GPIO on Vexia Edu Atla 10 tablet Hariprasad Kelam (1): octeontx2-af: RPM: Fix mismatch in lmac type Harith G (1): ARM: 9420/1: smp: Fix SMP for xip kernels Harshit Mogalapalli (1): dax: delete a stale directory pmem Heiner Kallweit (1): r8169: don't apply UDP padding quirk on RTL8126A Heming Zhao (1): ocfs2: Revert "ocfs2: fix the la space leak when unmounting an ocfs2 volume" Herbert Xu (2): crypto: api - Add crypto_tfm_get crypto: api - Add crypto_clone_tfm Hilda Wu (1): Bluetooth: btusb: Add RTL8852BE device 0489:e123 to device tables Hou Tao (4): bpf: Handle BPF_EXIST and BPF_NOEXIST for LPM trie bpf: Remove unnecessary kfree(im_node) in lpm_trie_update_elem bpf: Handle in-place update for full LPM trie correctly bpf: Fix exact match conditions in trie_get_next_key() Hsin-Te Yuan (2): arm64: dts: mt8183: krane: Fix the address of eeprom at i2c4 arm64: dts: mt8183: kukui: Fix the address of eeprom at i2c4 Hsin-Yi Wang (1): arm64: dts: mt8183: jacuzzi: Move panel under aux-bus Huacai Chen (2): sh: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK LoongArch: Fix sleeping in atomic context for PREEMPT_RT Hubert Wiśniewski (1): usb: musb: Fix hardware lockup on first Rx endpoint request Hugo Villeneuve (1): serial: sc16is7xx: fix invalid FIFO access with special register set Ian Rogers (2): perf stat: Fix affinity memory leaks on error path perf probe: Fix libdw memory leak Ido Schimmel (1): mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path Ignat Korchagin (7): af_packet: avoid erroring out after sock_init_data() in packet_create() Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create() Bluetooth: RFCOMM: avoid leaving dangling sk pointer in rfcomm_sock_alloc() net: af_can: do not leave a dangling sk pointer in can_create() net: ieee802154: do not leave a dangling sk pointer in ieee802154_create() net: inet: do not leave a dangling sk pointer in inet_create() net: inet6: do not leave a dangling sk pointer in inet6_create() Igor Artemiev (1): drm/radeon/r600_cs: Fix possible int overflow in r600_packet3_check() Igor Prusov (1): dt-bindings: vendor-prefixes: Add NeoFidelity, Inc Ilpo Järvinen (1): PCI: cpqphp: Fix PCIBIOS_* return value confusion Ilya Zverev (1): ASoC: amd: yc: Add a quirk for microfone on Lenovo ThinkPad P14s Gen 5 21MES00B00 Imre Deak (3): drm/dp_mst: Fix MST sideband message body length check drm/dp_mst: Verify request type in the corresponding down message reply drm/dp_mst: Fix resetting msg rx state after topology removal Inochi Amaoto (1): serial: 8250_dw: Add Sophgo SG2044 quirk Ivan Solodovnikov (1): dccp: Fix memory leak in dccp_feat_change_recv Jacob Keller (3): ptp: convert remaining drivers to adjfine interface ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5 ixgbe: downgrade logging of unsupported VF API version to debug Jakob Hauser (1): iio: magnetometer: yas530: use signed integer type for clamp limits Jakub Kicinski (1): net/neighbor: clear error in case strict check is not set James Clark (1): perf cs-etm: Don't flush when packet_queue fills up Jammy Huang (1): media: aspeed: Fix memory overwrite if timing is 1600x900 Jan Kara (3): ext4: make 'abort' mount option handling standard ext4: avoid remount errors with 'abort' mount option udf: Fold udf_getblk() into udf_bread() Jan Stancek (1): tools/rtla: fix collision with glibc sched_attr/sched_set_attr Jann Horn (1): comedi: Flush partial mappings in error case Jared Kangas (1): kasan: make report_lock a raw spinlock Jarkko Nikula (1): i3c: mipi-i3c-hci: Mask ring interrupts before ring stop request Jason Gerecke (1): HID: wacom: Interpret tilt data from Intuos Pro BT as signed values Jason-JH.Lin (1): mailbox: mtk-cmdq: Move devm_mbox_controller_register() after devm_pm_runtime_enable() Javier Carrasco (5): clocksource/drivers/timer-ti-dm: Fix child node refcount handling wifi: brcmfmac: release 'root' node in all execution paths platform/chrome: cros_ec_typec: fix missing fwnode reference decrement soc: fsl: rcpm: fix missing of_node_put() in copy_ippdexpcr1_setting() leds: flash: mt6360: Fix device_for_each_child_node() refcounting in error paths Jean-Michel Hautbois (1): m68k: mcfgpio: Fix incorrect register offset for CONFIG_M5441x Jens Axboe (1): io_uring/tctx: work around xa_store() allocation error issue Jeongjun Park (4): wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service() usb: using mutex lock and supporting O_NONBLOCK flag in iowarrior_read() ext4: supress data-race warnings in ext4_free_inodes_{count,set}() netfilter: ipset: add missing range check in bitmap_ip_uadt Jianbo Liu (1): net/mlx5e: Remove workaround to avoid syndrome for internal port Jiapeng Chong (1): wifi: ipw2x00: libipw_rx_any(): fix bad alignment Jiasheng Jiang (2): counter: stm32-timer-cnt: Add check for clk_enable() counter: ti-ecap-capture: Add check for clk_enable() Jiayuan Chen (2): bpf: fix filed access without lock bpf: fix recursive lock when verdict program return SK_PASS Jing Zhang (1): KVM: arm64: vgic-its: Add a data length check in vgic_its_save_* Jinghao Jia (1): ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init() Jinjie Ruan (22): spi: spi-fsl-lpspi: Use IRQF_NO_AUTOEN flag in request_irq() soc: ti: smartreflex: Use IRQF_NO_AUTOEN flag in request_irq() spi: zynqmp-gqspi: Undo runtime PM changes at driver exit time wifi: p54: Use IRQF_NO_AUTOEN flag in request_irq() wifi: mwifiex: Use IRQF_NO_AUTOEN flag in request_irq() drm/imx/dcss: Use IRQF_NO_AUTOEN flag in request_irq() drm/imx/ipuv3: Use IRQF_NO_AUTOEN flag in request_irq() drm/msm/adreno: Use IRQF_NO_AUTOEN flag in request_irq() mfd: tps65010: Use IRQF_NO_AUTOEN flag in request_irq() to fix race cpufreq: CPPC: Fix possible null-ptr-deref for cpufreq_cpu_get_raw() cpufreq: CPPC: Fix possible null-ptr-deref for cppc_get_cpu_cost() cpufreq: CPPC: Fix wrong return value in cppc_get_cpu_cost() cpufreq: CPPC: Fix wrong return value in cppc_get_cpu_power() misc: apds990x: Fix missing pm_runtime_disable() apparmor: test: Fix memory leak for aa_unpack_strdup() cpufreq: mediatek-hw: Fix wrong return value in mtk_cpufreq_get_cpu_power() rtc: st-lpc: Use IRQF_NO_AUTOEN flag in request_irq() media: i2c: dw9768: Fix pm_runtime_set_suspended() with runtime pm enabled media: amphion: Fix pm_runtime_set_suspended() with runtime pm enabled media: venus: Fix pm_runtime_set_suspended() with runtime pm enabled media: gspca: ov534-ov772x: Fix off-by-one error in set_frame_rate() i3c: master: svc: Fix pm_runtime_set_suspended() with runtime pm enabled Jiri Olsa (1): fs/proc/kcore.c: Clear ret value in read_kcore_iter after successful iov_iter_zero Jiri Wiesner (1): net/ipv6: release expired exception dst cached in socket Joaquín Ignacio Aramendía (3): drm: panel-orientation-quirks: Add quirk for AYA NEO 2 model drm: panel-orientation-quirks: Add quirk for AYA NEO Founder edition drm: panel-orientation-quirks: Add quirk for AYA NEO GEEK Joe Hattori (1): media: platform: exynos4-is: Fix an OF node reference leak in fimc_md_is_isp_available Johan Hovold (1): pinctrl: qcom: spmi: fix debugfs drive strength John Garry (1): scsi: scsi_debug: Fix hrtimer support for ndelay John Watts (1): ASoC: audio-graph-card2: Purge absent supplies for device tree nodes Jonas Gorski (1): mips: asm: fix warning when disabling MIPS_FP_SUPPORT Jonas Karlman (1): ASoC: hdmi-codec: reorder channel allocation list Jonathan Cameron (2): device property: Add cleanup.h based fwnode_handle_put() scope based cleanup. device property: Introduce device_for_each_child_node_scoped() Jonathan Marek (1): rpmsg: glink: use only lower 16-bits of param2 for CMD_OPEN name length Jordy Zomer (2): ksmbd: fix Out-of-Bounds Read in ksmbd_vfs_stream_read ksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write Josef Bacik (1): btrfs: don't BUG_ON on ENOMEM from btrfs_lookup_extent_info() in walk_down_proc() Josh Poimboeuf (1): parisc/ftrace: Fix function graph tracing disablement Junxian Huang (4): RDMA/hns: Use dev_* printings in hem code instead of ibdev_* RDMA/hns: Remove unnecessary QP type checks RDMA/hns: Fix out-of-order issue of requester when setting FENCE RDMA/hns: Fix NULL pointer derefernce in hns_roce_map_mr_sg() Justin Tee (1): scsi: lpfc: Validate hdwq pointers before dereferencing in reset/errata paths K Prateek Nayak (3): sched/core: Remove the unnecessary need_resched() check in nohz_csd_func() sched/fair: Check idle_cpu() before need_resched() to detect ilb CPU turning busy sched/core: Prevent wakeup of ksoftirqd during idle load balance Kai Mäkisara (2): scsi: st: Don't modify unknown block number in MTIOCGET scsi: st: Add MTIOCGET and MTLOAD to ioctls allowed after device reset Kailang Yang (3): ALSA: hda/realtek: Update ALC256 depop procedure ALSA: hda/realtek: Update ALC225 depop procedure ALSA: hda/realtek: Set PCBeep to default value for ALC274 Kaixin Wang (1): i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition Kan Liang (1): perf/x86/intel: Hide Topdown metrics events if the feature is not enumerated Kartik Rajput (1): serial: amba-pl011: Fix RX stall when DMA is used Kashyap Desai (1): RDMA/bnxt_re: Check cqe flags to know imm_data vs inv_irkey Kees Cook (2): lib: stackinit: hide never-taken branch from compiler smb: client: memcpy() with surrounding object base address Keita Aihara (1): mmc: core: Add SD card quirk for broken poweroff notification Keith Busch (1): PCI: Add 'reset_subordinate' to reset hierarchy below bridge Kent Overstreet (1): closures: Change BUG_ON() to WARN_ON() Kinsey Moore (1): jffs2: Prevent rtime decompress memory corruption Kishon Vijay Abraham I (2): PCI: keystone: Set mode as Root Complex for "ti,keystone-pcie" compatible PCI: keystone: Add link up check to ks_pcie_other_map_bus() Konstantin Komarov (2): fs/ntfs3: Fixed overflow check in mi_enum_attr() fs/ntfs3: Sequential field availability check in mi_enum_attr() Kory Maincent (1): ethtool: Fix wrong mod state in case of verbose and no_mask bitset Kuan-Wei Chiu (1): tracing: Fix cmp_entries_dup() to respect sort() comparison rules Kuniyuki Iwashima (2): tcp: Fix use-after-free of nreq in reqsk_timer_handler(). tipc: Fix use-after-free of kernel socket in cleanup_bearer(). Kunkun Jiang (2): KVM: arm64: vgic-its: Clear DTE when MAPD unmaps a device KVM: arm64: vgic-its: Clear ITE when DISCARD frees an ITE Kuro Chung (1): drm/bridge: it6505: update usleep_range for RC circuit charge time Kurt Borja (2): platform/x86: dell-smbios-base: Extends support to Alienware products platform/x86: dell-wmi-base: Handle META key Lock/Unlock events Lang Yu (1): drm/amdgpu: refine error handling in amdgpu_ttm_tt_pin_userptr Larysa Zaremba (1): xsk: always clear DMA mapping information when unmapping the pool Leo Yan (1): perf probe: Correct demangled symbols in C++ program Levi Yun (3): trace/trace_event_perf: remove duplicate samples on the first tracepoint event perf stat: Close cork_fd when create_perf_stat_counter() failed dma-debug: fix a possible deadlock on radix_lock Li Huafei (2): crypto: inside-secure - Fix the return value of safexcel_xcbcmac_cra_init() media: atomisp: Add check for rgby_data memory allocation failure Li Lingfeng (1): nfs: ignore SB_RDONLY when mounting nfs Li Zetao (1): media: ts2020: fix null-ptr-deref in ts2020_probe() Li Zhijian (2): selftests/watchdog-test: Fix system accidentally reset after watchdog-test fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name Liao Chen (2): drm/bridge: it6505: Enable module autoloading drm/mcde: Enable module autoloading Liequan Che (1): bcache: revert replacing IS_ERR_OR_NULL with IS_ERR again Lifeng Zheng (1): ACPI: CPPC: Fix _CPC register setting issue Linus Torvalds (1): Revert "unicode: Don't special case ignorable code points" Linus Walleij (3): ARM: 9429/1: ioremap: Sync PGDs for VMALLOC shadow ARM: 9430/1: entry: Do a dummy read from VMAP shadow ARM: 9431/1: mm: Pair atomic_set_release() with _read_acquire() Liu Jian (1): sunrpc: clear XPRT_SOCK_UPD_TIMEOUT when reset transport Lizhi Xu (1): btrfs: add a sanity check for btrfs root in btrfs_search_slot() Long Li (1): xfs: remove unknown compat feature check in superblock write validation LongPing Wei (1): f2fs: fix the wrong f2fs_bug_on condition in f2fs_do_replace_block Louis Leseur (1): net/qed: allow old cards not supporting "num_images" to work Lucas Stach (2): drm/etnaviv: hold GPU lock across perfmon sampling drm/etnaviv: flush shader L1 cache after user commandstream Luis Chamberlain (1): sunrpc: simplify two-level sysctl registration for svcrdma_parm_table Luiz Augusto von Dentz (5): Bluetooth: hci_sync: Add helper functions to manipulate cmd_sync queue Bluetooth: MGMT: Fix possible crash on mgmt_index_removed Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync Bluetooth: hci_core: Fix not checking skb length on hci_acldata_packet Bluetooth: MGMT: Fix possible deadlocks Lukas Wunner (1): PCI: Fix use-after-free of slot->bus on hot remove Lukasz Luba (1): drm/msm/gpu: Check the status of registration to PM QoS Luo Qiu (1): firmware: arm_scpi: Check the DVFS OPP count returned by the firmware Luo Yifan (2): ASoC: stm: Prevent potential division by zero in stm32_sai_mclk_round_rate() ASoC: stm: Prevent potential division by zero in stm32_sai_get_clk_div() Ma Ke (3): drm/sti: avoid potential dereference of error pointers in sti_hqvdp_atomic_check drm/sti: avoid potential dereference of error pointers in sti_gdp_atomic_check drm/sti: avoid potential dereference of error pointers Ma Wupeng (1): ipc: fix memleak if msg_init_ns failed in create_ipc_ns Maciej Fijalkowski (2): bpf: fix OOB devmap writes when deleting elements xsk: fix OOB map writes when deleting elements Macpaul Lin (2): arm64: dts: mt8195: Fix dtbs_check error for infracfg_ao node ASoC: dt-bindings: mt6359: Update generic node name and dmic-mode Manikandan Muralidharan (1): drm/panel: simple: Add Microchip AC69T88A LVDS Display panel Manikanta Mylavarapu (1): soc: qcom: socinfo: fix revision check in qcom_socinfo_probe() Manivannan Sadhasivam (1): PCI: endpoint: Use a separate lock for protecting epc->pci_epf list Marc Kleine-Budde (6): can: gs_usb: remove leading space from goto labels can: gs_usb: gs_usb_probe(): align block comment can: gs_usb: uniformly use "parent" as variable name for struct gs_usb can: gs_usb: add VID/PID for Xylanta SAINT3 product family can: dev: can_set_termination(): allow sleeping GPIOs can: mcp251xfd: mcp251xfd_get_tef_len(): work around erratum DS80000789E 6. Marc Zyngier (1): KVM: arm64: vgic-v3: Sanitise guest writes to GICR_INVLPIR Marcelo Dalmas (1): ntp: Remove invalid cast in time offset math Marco Elver (3): kcsan, seqlock: Support seqcount_latch_t kcsan, seqlock: Fix incorrect assumption in read_seqbegin() kcsan: Turn report_filterlist_lock into a raw_spinlock Marco Pagani (2): fpga: bridge: add owner module and take its refcount fpga: manager: add owner module and take its refcount Marcus Folkesson (1): mfd: da9052-spi: Change read-mask to write-mask Marek Vasut (1): soc: imx8m: Probe the SoC driver as platform driver Marie Ramlow (1): ALSA: usb-audio: add mixer mapping for Corsair HS80 Mark Brown (3): clocksource/drivers:sp804: Make user selectable kselftest/arm64: Don't leak pipe fds in pac.exec_sign_all() arm64/sve: Discard stale CPU state when handling SVE traps Mark Rutland (2): arm64: ptrace: fix partial SETREGSET for NT_ARM_TAGGED_ADDR_CTRL arm64: smccc: Remove broken support for SMCCCv1.3 SVE discard hint Markus Petri (1): ASoC: amd: yc: Support dmic on another model of Lenovo Thinkpad E14 Gen 6 Martin Ottens (1): net/sched: tbf: correct backlog statistic for GSO packets Masahiro Yamada (3): arm64: fix .data.rel.ro size assertion when CONFIG_LTO_CLANG s390/syscalls: Avoid creation of arch/arch/ directory modpost: remove incorrect code in do_eisa_entry() Masami Hiramatsu (Google) (1): tracing/eprobe: Fix to release eprobe when failed to add dyn_event Mathias Nyman (1): xhci: dbc: Fix STALL transfer event handling Mathieu Desnoyers (1): tracing/ftrace: disable preemption in syscall probe Matthias Schiffer (1): drm: fsl-dcu: enable PIXCLK on LS1021A Maurice Lambert (1): netlink: typographical error in nlmsg_type constants definition Maxime Chevallier (2): net: stmmac: dwmac-socfpga: Set RX watchdog interrupt as broken rtc: ab-eoz9: don't fail temperature reads on undervoltage notification Maíra Canal (2): drm/v3d: Address race-condition in MMU flush drm/v3d: Enable Performance Counters before clearing them MengEn Sun (1): vmstat: call fold_vm_zone_numa_events() before show per zone NUMA event Mengyuan Lou (1): PCI: Add ACS quirk for Wangxun FF5xxx NICs Michael Ellerman (3): powerpc/pseries: Fix dtl_access_lock to be a rw_semaphore selftests/mount_setattr: Fix failures on 64K PAGE_SIZE kernels powerpc/prom_init: Fixup missing powermac #size-cells Michael Grzeschik (1): usb: dwc3: ep0: Don't reset resource alloc flag (including ep0) Michal Luczaj (2): llc: Improve setsockopt() handling of malformed user input rxrpc: Improve setsockopt() handling of malformed user input Michal Pecio (1): usb: xhci: Fix TD invalidation under pending Set TR Dequeue Michal Simek (2): microblaze: Export xmb_manager functions dt-bindings: serial: rs485: Fix rs485-rts-delay property Michal Suchanek (1): powerpc/sstep: make emulate_vsx_load and emulate_vsx_store static Michal Vokáč (1): leds: lp55xx: Remove redundant test for invalid channel number Michal Vrastil (1): Revert "usb: gadget: composite: fix OS descriptors w_value logic" Miguel Ojeda (1): time: Fix references to _msecs_to_jiffies() handling of values Mikhail Rudenko (1): regulator: rk808: Add apply_bit for BUCK3 on RK809 Ming Lei (2): ublk: fix ublk_ch_mmap() for 64K page size ublk: fix error code for unsupported command Ming Qian (3): media: amphion: Set video drvdata before register video device media: imx-jpeg: Set video drvdata before register video device media: imx-jpeg: Ensure power suppliers be suspended before detach them Mingwei Zheng (1): net: rfkill: gpio: Add check for clk_enable() Miquel Raynal (1): mtd: rawnand: atmel: Fix possible memory leak Miri Korenblit (1): wifi: iwlwifi: mvm: avoid NULL pointer dereference Mirsad Todorovac (1): fs/proc/kcore.c: fix coccinelle reported ERROR instances Mostafa Saleh (1): iommu/io-pgtable-arm: Fix stage-2 map/unmap for concatenated tables Muchun Song (1): block: fix ordering between checking BLK_MQ_S_STOPPED request adding Mukesh Ojha (1): leds: class: Protect brightness_show() with led_cdev->led_access mutex Murad Masimov (1): hwmon: (tps23861) Fix reporting of negative temperatures Namhyung Kim (1): perf/arm-cmn: Ensure port and device id bits are set properly Namjae Jeon (1): exfat: fix uninit-value in __exfat_get_dentry_set Nathan Chancellor (7): powerpc: Fix stack protector Kconfig test for clang powerpc: Adjust adding stack protector flags to KBUILD_CLAGS for clang powerpc/vdso: Remove unused '-s' flag from ASFLAGS powerpc/vdso: Improve linker flags powerpc/vdso: Remove an unsupported flag from vgettimeofday-32.o with clang powerpc/vdso: Include CLANG_FLAGS explicitly in ldflags-y powerpc/vdso: Drop -mstack-protector-guard flags in 32-bit files with clang Nazar Bilinskyi (1): ALSA: hda/realtek: Enable mute and micmute LED on HP ProBook 430 G8 Nick Chan (1): watchdog: apple: Actually flush writes after requesting watchdog restart Nicolas Bouchinet (1): tty: ldsic: fix tty_ldisc_autoload sysctl's proc_handler Nihar Chaithanya (1): jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree Nikolay Kuratov (1): KVM: x86/mmu: Ensure that kvm_release_pfn_clean() takes exact pfn from kvm_faultin_pfn() Nobuhiro Iwamatsu (1): rtc: abx80x: Fix WDT bit position of the status register Norbert van Bolhuis (1): wifi: brcmfmac: Fix oops due to NULL pointer dereference in brcmf_sdiod_sglist_rw() Nuno Sa (3): dt-bindings: clock: axi-clkgen: include AXI clk clk: clk-axi-clkgen: make sure to enable the AXI bus clock iio: adc: ad7923: Fix buffer overflow for tx_buf and ring_xfer Ojaswin Mujoo (1): quota: flush quota_release_work upon quota writeback Oleksandr Ocheretnyi (1): iTCO_wdt: mask NMI_NOW bit for update_no_reboot_bit() call Oleksandr Tymoshenko (1): ovl: properly handle large files in ovl_security_fileattr Oleksij Rempel (3): net: usb: lan78xx: Fix double free issue with interrupt buffer allocation net: usb: lan78xx: Fix memory leak on device unplug by freeing PHY device net: usb: lan78xx: Fix refcounting and autosuspend on invalid WoL configuration Oliver Neukum (2): usb: yurex: make waiting on yurex_write interruptible USB: chaoskey: fail open after removal Oliver Upton (1): KVM: arm64: Don't retire aborted MMIO instruction Orange Kao (1): EDAC/igen6: Avoid segmentation fault on module unload Pablo Neira Ayuso (3): netfilter: nf_tables: skip transaction if update object is not implemented netfilter: nft_socket: remove WARN_ON_ONCE on maximum cgroup level netfilter: nft_set_hash: skip duplicated elements pending gc run Pali Rohár (1): cifs: Fix buffer overflow when parsing NFS reparse points Paolo Abeni (4): ipv6: release nexthop on device removal selftests: net: really check for bg process completion ip6mr: fix tables suspicious RCU usage ipmr: fix tables suspicious RCU usage Parker Newman (1): misc: eeprom: eeprom_93cx6: Add quirk for extra read clock cycle Patrick Donnelly (1): ceph: extract entity name from device id Paul Aurich (1): smb: cached directories can be more than root file handle Pavan Chebbi (1): tg3: Set coherent DMA mask bits to 31 for BCM57766 chipsets Pavel Begunkov (1): io_uring: wake up optimisations Pei Xiao (3): hwmon: (nct6775-core) Fix overflows seen when writing limit attributes drm/sti: Add __iomem for mixer_dbg_mxn's parameter spi: mpc52xx: Add cancel_work_sync before module remove Peilin Ye (2): bpf: Fix dev's rx stats for bpf_redirect_peer traffic veth: Use tstats per-CPU traffic counters Peng Fan (3): clk: imx: lpcg-scu: SW workaround for errata (e10858) clk: imx: fracn-gppll: correct PLL initialization flow clk: imx: fracn-gppll: fix pll power up Peter Griffin (1): scsi: ufs: exynos: Fix hibern8 notify callbacks Peter Wang (1): scsi: ufs: core: Add missing post notify for power mode change Peter Zijlstra (1): seqlock/latch: Provide raw_read_seqcount_latch_retry() Phil Sutter (1): netfilter: ipset: Hold module reference while requesting a module Philipp Stanner (1): drm/sched: memset() 'job' in drm_sched_job_init() Pin-yen Lin (1): drm/bridge: anx7625: Drop EDID cache on bridge power off Piyush Raj Chouhan (1): ALSA: hda/realtek: Add subwoofer quirk for Infinix ZERO BOOK 13 Pratyush Brahma (1): iommu/arm-smmu: Defer probe of clients after smmu device bound Prike Liang (2): drm/amdgpu: Dereference the ATCS ACPI buffer drm/amdgpu: set the right AMDGPU sg segment limitation Priyanka Singh (1): EDAC/fsl_ddr: Fix bad bit shift operations Qi Han (2): f2fs: compress: fix inconsistent update of i_blocks in release_compress_blocks and reserve_compress_blocks f2fs: fix f2fs_bug_on when uninstalling filesystem call f2fs_evict_inode. Qingfang Deng (1): jffs2: fix use of uninitialized variable Qiu-ji Chen (3): xen: Fix the issue of resource not being properly released in xenbus_dev_probe() ASoC: codecs: Fix atomicity violation in snd_soc_component_get_drvdata() media: wl128x: Fix atomicity violation in fmc_send_cmd() Qu Wenruo (1): btrfs: avoid unnecessary device path update for the same device Quentin Monnet (1): bpftool: Remove asserts from JIT disassembler Quinn Tran (3): scsi: qla2xxx: Fix abort in bsg timeout scsi: qla2xxx: Fix NVMe and NPIV connect issue scsi: qla2xxx: Fix use after free on unload Rafael J. Wysocki (1): thermal: core: Initialize thermal zones before registering them Raghavendra Rao Ananta (1): KVM: arm64: Ignore PMCNTENSET_EL0 while checking for overflow status Randy Dunlap (3): fs_parser: update mount_api doc to match function signature scatterlist: fix incorrect func name in kernel-doc drm/msm: DEVFREQ_GOV_SIMPLE_ONDEMAND is no longer needed Reinette Chatre (1): selftests/resctrl: Protect against array overrun during iMC config parsing Ricardo Ribalda (1): media: uvcvideo: Stop stream during unregister Richard Weinberger (1): jffs2: Fix rtime decompressor Ritesh Harjani (IBM) (3): powerpc/fadump: Refactor and prepare fadump_cma_init for late init powerpc/fadump: Move fadump_cma_init to setup_arch() after initmem_init() powerpc/mm/fault: Fix kfence page fault reporting Rob Clark (3): drm/msm/gpu: Add devfreq tuning debugfs drm/msm/gpu: Bypass PM QoS constraint for idle clamp PM / devfreq: Fix build issues with devfreq disabled Rohan Barar (1): media: cx231xx: Add support for Dexatek USB Video Grabber 1d19:6108 Roman Gushchin (1): mm: page_alloc: move mlocked flag clearance into free_pages_prepare() Rosen Penev (3): net: mdio-ipq4019: add missing error check wifi: ath5k: add PCI ID for SX76X wifi: ath5k: add PCI ID for Arcadyan devices Ryusuke Konishi (1): nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry() Sahas Leelodharry (1): ALSA: hda/realtek: Add support for Samsung Galaxy Book3 360 (NP730QFG) Sai Kumar Cholleti (1): gpio: exar: set value when external pull-up or pull-down is present Saravana Kannan (3): driver core: fw_devlink: Improve logs for cycle detection driver core: Add FWLINK_FLAG_IGNORE to completely ignore a fwnode link driver core: fw_devlink: Stop trying to optimize cycle detection logic Saravanan Vajravel (1): bnxt_en: Reserve rings after PCIe AER recovery if NIC interface is down Sathvika Vasireddy (1): powerpc/vdso: Skip objtool from running on VDSO files Saurav Kashyap (1): scsi: qla2xxx: Remove check req_sg_cnt should be equal to rsp_sg_cnt Sean Christopherson (1): KVM: x86/mmu: Skip the "try unsync" path iff the old SPTE was a leaf SPTE Sergey Senozhatsky (1): media: venus: provide ctx queue lock for ioctl synchronization Shengjiu Wang (1): ASoC: fsl_micfil: fix regmap_write_bits usage Shengyu Qu (1): net: sfp: change quirks for Alcatel Lucent G-010S-P Shu Han (1): mm: call the security_mmap_file() LSM hook in remap_file_pages() Si-Wei Liu (1): vdpa/mlx5: Fix suboptimal range on iotlb iteration Sibi Sankar (1): remoteproc: qcom_q6v5_mss: Re-order writes to the IMEM region Sidraya Jayagond (1): s390/iucv: MSG_PEEK causes memory leak in iucv_sock_destruct() Simon Horman (2): net: fec_mpc52xx_phy: Use %pa to format resource_size_t net: ethernet: fs_enet: Use %pa to format resource_size_t Srinivas Pandruvada (1): thermal: int3400: Fix reading of current_uuid for active policy Srinivasan Shanmugam (4): drm/amd/display: Add NULL check for function pointer in dcn32_set_output_transfer_func drm/amd/display: Add NULL check for clk_mgr and clk_mgr->funcs in dcn30_init_hw drm/amd/display: Add NULL check for clk_mgr in dcn32_init_hw drm/amd/display: Add NULL check for function pointer in dcn20_set_output_transfer_func Stanislav Fomichev (1): selftests/bpf: Add csum helpers Stanislaw Gruszka (1): spi: Fix acpi deferred irq probe Steve French (1): smb3: request handle caching when caching directories Steven Price (1): drm/panfrost: Remove unused id_mask from struct panfrost_model Takashi Iwai (9): ALSA: usx2y: Use snd_card_free_when_closed() at disconnection ALSA: us122l: Use snd_card_free_when_closed() at disconnection ALSA: caiaq: Use snd_card_free_when_closed() at disconnection ALSA: 6fire: Release resources at card release ALSA: usb-audio: Fix out of bounds reads when finding clock sources ALSA: pcm: Add sanity NULL check for the default mmap fault handler ALSA: hda/realtek: Apply quirk for Medion E15433 ALSA: usb-audio: Notify xrun for low-latency mode ALSA: usb-audio: Make mic volume workarounds globally applicable Tetsuo Handa (1): ocfs2: free inode when ocfs2_get_init_inode() fails Thadeu Lima de Souza Cascardo (2): hfsplus: don't query the device logical block size multiple times media: uvcvideo: Require entities to have a non-zero unique ID Theodore Ts'o (1): ext4: fix FS_IOC_GETFSMAP handling Thinh Nguyen (5): usb: dwc3: gadget: Fix checking for number of TRBs left usb: dwc3: gadget: Fix looping of queued SG entries usb: dwc3: gadget: Rewrite endpoint allocation flow usb: dwc3: ep0: Don't clear ep0 DWC3_EP_TRANSFER_STARTED usb: dwc3: ep0: Don't reset resource alloc flag Thomas Gleixner (2): serial: amba-pl011: Use port lock wrappers modpost: Add .irqentry.text to OTHER_SECTIONS Thomas Richter (1): s390/cpum_sf: Handle CPU hotplug remove during sampling Thomas Weißschuh (1): fbdev: efifb: Register sysfs groups through driver core Thomas Zimmermann (1): fbdev/sh7760fb: Alloc DMA memory from hardware device Tiezhu Yang (2): LoongArch: Fix build failure with GCC 15 (-std=gnu23) LoongArch: BPF: Sign-extend return values Tiwei Bie (6): um: ubd: Do not use drvdata in release um: net: Do not use drvdata in release um: vector: Do not use drvdata in release um: Fix potential integer overflow during physmem setup um: Fix the return value of elf_core_copy_task_fpregs um: Always dump trace for specified task in show_stack Todd Kjos (1): PCI: Fix reset_method_store() memory leak Tomi Valkeinen (3): drm/omap: Fix possible NULL dereference drm/omap: Fix locking in omap_gem_new_dmabuf() drm/bridge: tc358767: Fix link properties discovery Tony Ambardar (1): libbpf: Fix output .symtab byte-order during linking Trond Myklebust (1): NFSv4.0: Fix a use-after-free problem in the asynchronous open() Tvrtko Ursulin (2): dma-fence: Fix reference leak on fence merge failure path dma-fence: Use kernel's sort for merging fences Ulf Hansson (1): mmc: core: Further prevent card detect during shutdown Umio Yasuno (1): drm/amd/pm: update current_socclk and current_uclk in gpu_metrics on smu v13.0.7 Uros Bizjak (1): tracing: Use atomic64_inc_return() in trace_clock_counter() Uwe Kleine-König (3): mtd: hyperbus: rpc-if: Convert to platform remove callback returning void i3c: Make i3c_master_unregister() return void ASoC: amd: yc: Add quirk for microphone on Lenovo Thinkpad T14s Gen 6 21M1CTO1WW Vadim Fedorenko (1): net-timestamp: make sk_tskey more predictable in error path Vasiliy Kovalev (1): ovl: Filter invalid inodes with missing lookup function Vasily Gorbik (1): s390/entry: Mark IRQ entries to fix stack depot warnings Venkata Prasad Potturu (1): ASoC: amd: yc: Fix for enabling DMIC on acp6x via _DSD entry Victor Lu (1): drm/amdgpu: clear RB_OVERFLOW bit when enabling interrupts for vega20_ih Victor Zhao (1): drm/amdgpu: skip amdgpu_device_cache_pci_state under sriov Vineeth Vijayan (1): s390/cio: Do not unregister the subchannel based on DNV Vishnu Sankar (1): platform/x86: thinkpad_acpi: Fix for ThinkPad's with ECFW showing incorrect fan speed Vitalii Mordan (2): marvell: pxa168_eth: fix call balance of pep->clk handling routines usb: ehci-spear: fix call balance of sehci clk handling routines WANG Xuerui (1): LoongArch: Tweak CFLAGS for Clang compatibility Wang Liang (1): net: fix crash when config small gso_max_size/gso_ipv4_max_size WangYuli (1): HID: wacom: fix when get product name maybe null pointer Waqar Hameed (1): ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit Wei Yang (1): maple_tree: refine mas_store_root() on storing NULL Weili Qian (1): crypto: hisilicon/qm - disable same error report before resetting Wen Gu (1): net/smc: fix LGR and link use-after-free issue Wengang Wang (1): ocfs2: update seq_file index in ocfs2_dlm_seq_next Will Deacon (1): arm64: tls: Fix context-switching of tpidrro_el0 when kpti is enabled Wolfram Sang (1): rtc: rzn1: fix BCD to rtc_time conversion errors Xi Ruoyao (1): MIPS: Loongson64: DTS: Really fix PCIe port nodes for ls7a Xiaolei Wang (1): drm/etnaviv: Request pages from DMA32 zone on addressing_limited Xin Long (1): net: sched: fix erspan_opt settings in cls_flower Xu Kuohai (1): bpf, arm64: Remove garbage frame for struct_ops trampoline Xu Yang (1): usb: chipidea: udc: handle USB Error Interrupt if IOC not set Yang Erkun (4): brd: defer automatic disk creation until module initialization succeeds SUNRPC: make sure cache entry active before cache_show nfsd: make sure exp active before svc_export_show nfsd: fix nfs4_openowner leak when concurrent nfsd4_open occur Yao Zi (1): platform/x86: panasonic-laptop: Return errno correctly in show callback Yassine Oudjana (1): watchdog: mediatek: Make sure system reset gets asserted in mtk_wdt_restart() Ye Bin (2): scsi: bfa: Fix use-after-free in bfad_im_module_exit() svcrdma: fix miss destroy percpu_counter in svc_rdma_proc_init() Yi Yang (2): crypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY nvdimm: rectify the illogical code within nd_dax_probe() Yihang Li (1): scsi: hisi_sas: Add cond_resched() for no forced preemption model Yishai Hadas (1): vfio/mlx5: Align the page tracking max message size with the device capability Yongliang Gao (1): rtc: check if __rtc_read_time was successful in rtc_timer_do_work() Yongpeng Yang (1): f2fs: check curseg->inited before write_sum_page in change_curseg Yuan Can (6): firmware: google: Unregister driver_info on failure wifi: wfx: Fix error handling in wfx_core_init() drm/amdkfd: Fix wrong usage of INIT_WORK() cpufreq: loongson2: Unregister platform_driver on failure dm thin: Add missing destroy_work_on_stack() igb: Fix potential invalid memory access in igb_init_module() Yuan Chen (1): bpf: Fix the xdp_adjust_tail sample prog issue Yuli Wang (1): LoongArch: Define a default value for VM_DATA_DEFAULT_FLAGS Zack Rusin (2): drm/ttm: Make sure the mapped tt pages are decrypted when needed drm/ttm: Print the memory decryption status just once Zeng Heng (1): scsi: fusion: Remove unused variable 'rc' Zhang Changzhong (1): mfd: rt5033: Fix missing regmap_del_irq_chip() Zhang Zekun (3): pmdomain: ti-sci: Add missing of_node_put() for args.np powerpc/kexec: Fix return of uninitialized variable Revert "drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()" Zhen Lei (3): scsi: qedf: Fix a possible memory leak in qedf_alloc_and_init_sb() scsi: qedi: Fix a possible memory leak in qedi_alloc_and_init_sb() fbdev: sh7760fb: Fix a possible memory leak in sh7760fb_alloc_mem() Zheng Yejian (1): mm/damon/vaddr: fix issue in damon_va_evenly_split_region() Zhenzhong Duan (2): iommu/vt-d: Fix checks and print in dmar_fault_dump_ptes() iommu/vt-d: Fix checks and print in pgtable_walk() Zhiguo Niu (1): f2fs: fix to avoid use GC_AT when setting gc_mode as GC_URGENT_LOW or GC_URGENT_MID Zhihao Cheng (4): ubi: wl: Put source PEB into correct list if trying locking LEB failed ubi: fastmap: wl: Schedule fm_work if wear-leveling pool is empty ubifs: Correct the total block count by deducting journal reservation ubi: fastmap: Fix duplicate slab cache names while attaching Zhu Jun (1): samples/bpf: Fix a resource leak Zichen Xie (1): drm/msm/dpu: cast crtc_clk calculation to u64 in _dpu_core_perf_calc_clk() Zicheng Qu (2): ad7780: fix division by zero in ad7780_write_raw() iio: Fix fwnode_handle in __fwnode_iio_channel_get_by_name() Zijian Zhang (10): selftests/bpf: Fix msg_verify_data in test_sockmap selftests/bpf: Fix txmsg_redir of test_txmsg_pull in test_sockmap selftests/bpf: Add txmsg_pass to pull/push/pop in test_sockmap selftests/bpf: Fix SENDPAGE data logic in test_sockmap selftests/bpf: Fix total_bytes in msg_loop_rx in test_sockmap selftests/bpf: Add push/pop checking for msg_verify_data in test_sockmap bpf, sockmap: Several fixes to bpf_msg_push_data bpf, sockmap: Several fixes to bpf_msg_pop_data bpf, sockmap: Fix sk_msg_reset_curr tcp_bpf: Fix the sk_mem_uncharge logic in tcp_bpf_sendmsg Zijun Hu (2): driver core: bus: Fix double free in driver API bus_register() PCI: endpoint: Clear secondary (not primary) EPC in pci_epc_remove_epf() Ziwei Xiao (1): gve: Fixes for napi_poll when budget is 0 Zizhi Wo (2): cachefiles: Fix missing pos updates in cachefiles_ondemand_fd_write_iter() netfs/fscache: Add a memory barrier for FSCACHE_VOLUME_CREATING Zqiang (1): rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb() chao liu (1): apparmor: fix 'Do simple duplicate message elimination' guoweikang (1): ftrace: Fix regression with module command in stack_trace_filter lei lu (2): ntfs3: Add bounds checking to mi_enum_attr() xfs: add bounds checking to xlog_recover_process_data weiyufeng (1): PCI: cpqphp: Use PCI_POSSIBLE_ERROR() to check config reads wenglianfa (2): RDMA/hns: Fix an AEQE overflow error caused by untimely update of eq_db_ci RDMA/hns: Fix cpu stuck caused by printings during reset zhang jiao (2): tools/lib/thermal: Remove the thermal.h soft link when doing make clean pinctrl: k210: Undef K210_PC_DEFAULT

5 months, 3 weeks

4
8
0 0

[PATCH] ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[]

by Gustavo Azor

Estimated people: I can confirm what the next patch works: diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c index 821867de43be..ab4c0e0b6b8e 100644 --- a/drivers/acpi/resource.c +++ b/drivers/acpi/resource.c @@ -440,6 +440,13 @@ static const struct dmi_system_id irq1_level_low_skip_override[] = { DMI_MATCH(DMI_BOARD_NAME, "S5602ZA"), }, }, + { + /* Asus Vivobook X1504VAP */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), + DMI_MATCH(DMI_BOARD_NAME, "X1504VAP"), + }, + }, { /* Asus Vivobook X1704VAP */ .matches = { -- 2.47.1 I did all the steps in the tutorial https://docs.fedoraproject.org/en-US/quick-docs/kernel-testing-patches/ and the keyboard Asus Vivobook X1504VAP is working fine!! Please include the patch in future kernels. Thank you very much.

5 months, 3 weeks

1
0
0 0

[PATCH 1/2] arm64: dts: qcom: sa8775p: Fix the size of 'addr_space' regions

by Manivannan Sadhasivam

For both the controller instances, size of the 'addr_space' region should be 0x1fe00000 as per the hardware memory layout. Otherwise, endpoint drivers cannot request even reasonable BAR size of 1MB. Cc: stable(a)vger.kernel.org # 6.11 Fixes: c5f5de8434ec ("arm64: dts: qcom: sa8775p: Add ep pcie1 controller node") Fixes: 1924f5518224 ("arm64: dts: qcom: sa8775p: Add ep pcie0 controller node") Reviewed-by: Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> --- arch/arm64/boot/dts/qcom/sa8775p.dtsi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/arm64/boot/dts/qcom/sa8775p.dtsi b/arch/arm64/boot/dts/qcom/sa8775p.dtsi index 9f315a51a7c1..368bcf7c9802 100644 --- a/arch/arm64/boot/dts/qcom/sa8775p.dtsi +++ b/arch/arm64/boot/dts/qcom/sa8775p.dtsi @@ -6092,7 +6092,7 @@ pcie0_ep: pcie-ep@1c00000 { <0x0 0x40000000 0x0 0xf20>, <0x0 0x40000f20 0x0 0xa8>, <0x0 0x40001000 0x0 0x4000>, - <0x0 0x40200000 0x0 0x100000>, + <0x0 0x40200000 0x0 0x1fe00000>, <0x0 0x01c03000 0x0 0x1000>, <0x0 0x40005000 0x0 0x2000>; reg-names = "parf", "dbi", "elbi", "atu", "addr_space", @@ -6250,7 +6250,7 @@ pcie1_ep: pcie-ep@1c10000 { <0x0 0x60000000 0x0 0xf20>, <0x0 0x60000f20 0x0 0xa8>, <0x0 0x60001000 0x0 0x4000>, - <0x0 0x60200000 0x0 0x100000>, + <0x0 0x60200000 0x0 0x1fe00000>, <0x0 0x01c13000 0x0 0x1000>, <0x0 0x60005000 0x0 0x2000>; reg-names = "parf", "dbi", "elbi", "atu", "addr_space", -- 2.25.1

5 months, 3 weeks

1
0
0 0

[PATCH 5.10.y] f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC

by Vasiliy Kovalev

From: Chao Yu <chao(a)kernel.org> [ Upstream commit fc01008c92f40015aeeced94750855a7111b6929 ] syzbot reports a f2fs bug as below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/inline.c:258! CPU: 1 PID: 34 Comm: kworker/u8:2 Not tainted 6.9.0-rc6-syzkaller-00012-g9e4bc4bcae01 #0 RIP: 0010:f2fs_write_inline_data+0x781/0x790 fs/f2fs/inline.c:258 Call Trace: f2fs_write_single_data_page+0xb65/0x1d60 fs/f2fs/data.c:2834 f2fs_write_cache_pages fs/f2fs/data.c:3133 [inline] __f2fs_write_data_pages fs/f2fs/data.c:3288 [inline] f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3315 do_writepages+0x35b/0x870 mm/page-writeback.c:2612 __writeback_single_inode+0x165/0x10b0 fs/fs-writeback.c:1650 writeback_sb_inodes+0x905/0x1260 fs/fs-writeback.c:1941 wb_writeback+0x457/0xce0 fs/fs-writeback.c:2117 wb_do_writeback fs/fs-writeback.c:2264 [inline] wb_workfn+0x410/0x1090 fs/fs-writeback.c:2304 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0xa12/0x17c0 kernel/workqueue.c:3335 worker_thread+0x86d/0xd70 kernel/workqueue.c:3416 kthread+0x2f2/0x390 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The root cause is: inline_data inode can be fuzzed, so that there may be valid blkaddr in its direct node, once f2fs triggers background GC to migrate the block, it will hit f2fs_bug_on() during dirty page writeback. Let's add sanity check on F2FS_INLINE_DATA flag in inode during GC, so that, it can forbid migrating inline_data inode's data block for fixing. Reported-by: syzbot+848062ba19c8782ca5c8(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-f2fs-devel/000000000000d103ce06174d7ec3@googl… Signed-off-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> [kovalev: Replaced f2fs_err_ratelimited() with printk_ratelimited() to use a supported function] Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> --- Backport to fix CVE-2024-44942 Link: https://www.cve.org/CVERecord/?id=CVE-2024-44942 --- fs/f2fs/gc.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c index 19d781a3d305a6..64ff51c2f3d642 100644 --- a/fs/f2fs/gc.c +++ b/fs/f2fs/gc.c @@ -1457,6 +1457,17 @@ static int gc_data_segment(struct f2fs_sb_info *sbi, struct f2fs_summary *sum, continue; } + if (f2fs_has_inline_data(inode)) { + iput(inode); + set_sbi_flag(sbi, SBI_NEED_FSCK); + printk_ratelimited("%sF2FS-fs (%s): " + "inode %lx has both inline_data flag and " + "data block, nid=%u, ofs_in_node=%u", + KERN_INFO, sbi->sb->s_id, + inode->i_ino, dni.nid, ofs_in_node); + continue; + } + if (!down_write_trylock( &F2FS_I(inode)->i_gc_rwsem[WRITE])) { iput(inode); -- 2.33.8

5 months, 3 weeks

1
0
0 0

[PATCH 5.15.y] f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC

by Vasiliy Kovalev

From: Chao Yu <chao(a)kernel.org> [ Upstream commit fc01008c92f40015aeeced94750855a7111b6929 ] syzbot reports a f2fs bug as below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/inline.c:258! CPU: 1 PID: 34 Comm: kworker/u8:2 Not tainted 6.9.0-rc6-syzkaller-00012-g9e4bc4bcae01 #0 RIP: 0010:f2fs_write_inline_data+0x781/0x790 fs/f2fs/inline.c:258 Call Trace: f2fs_write_single_data_page+0xb65/0x1d60 fs/f2fs/data.c:2834 f2fs_write_cache_pages fs/f2fs/data.c:3133 [inline] __f2fs_write_data_pages fs/f2fs/data.c:3288 [inline] f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3315 do_writepages+0x35b/0x870 mm/page-writeback.c:2612 __writeback_single_inode+0x165/0x10b0 fs/fs-writeback.c:1650 writeback_sb_inodes+0x905/0x1260 fs/fs-writeback.c:1941 wb_writeback+0x457/0xce0 fs/fs-writeback.c:2117 wb_do_writeback fs/fs-writeback.c:2264 [inline] wb_workfn+0x410/0x1090 fs/fs-writeback.c:2304 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0xa12/0x17c0 kernel/workqueue.c:3335 worker_thread+0x86d/0xd70 kernel/workqueue.c:3416 kthread+0x2f2/0x390 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The root cause is: inline_data inode can be fuzzed, so that there may be valid blkaddr in its direct node, once f2fs triggers background GC to migrate the block, it will hit f2fs_bug_on() during dirty page writeback. Let's add sanity check on F2FS_INLINE_DATA flag in inode during GC, so that, it can forbid migrating inline_data inode's data block for fixing. Reported-by: syzbot+848062ba19c8782ca5c8(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-f2fs-devel/000000000000d103ce06174d7ec3@googl… Signed-off-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> [kovalev: Replaced f2fs_err_ratelimited() with printk_ratelimited() to use a supported function] Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> --- Backport to fix CVE-2024-44942 Link: https://www.cve.org/CVERecord/?id=CVE-2024-44942 --- fs/f2fs/gc.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c index 9a57754e6e0c1d..ef09b7fc065fab 100644 --- a/fs/f2fs/gc.c +++ b/fs/f2fs/gc.c @@ -1479,6 +1479,17 @@ static int gc_data_segment(struct f2fs_sb_info *sbi, struct f2fs_summary *sum, special_file(inode->i_mode)) continue; + if (f2fs_has_inline_data(inode)) { + iput(inode); + set_sbi_flag(sbi, SBI_NEED_FSCK); + printk_ratelimited("%sF2FS-fs (%s): " + "inode %lx has both inline_data flag and " + "data block, nid=%u, ofs_in_node=%u", + KERN_INFO, sbi->sb->s_id, + inode->i_ino, dni.nid, ofs_in_node); + continue; + } + if (!down_write_trylock( &F2FS_I(inode)->i_gc_rwsem[WRITE])) { iput(inode); -- 2.33.8

5 months, 3 weeks

1
0
0 0

[PATCH 6.1.y] f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC

by Vasiliy Kovalev

From: Chao Yu <chao(a)kernel.org> [ Upstream commit fc01008c92f40015aeeced94750855a7111b6929 ] syzbot reports a f2fs bug as below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/inline.c:258! CPU: 1 PID: 34 Comm: kworker/u8:2 Not tainted 6.9.0-rc6-syzkaller-00012-g9e4bc4bcae01 #0 RIP: 0010:f2fs_write_inline_data+0x781/0x790 fs/f2fs/inline.c:258 Call Trace: f2fs_write_single_data_page+0xb65/0x1d60 fs/f2fs/data.c:2834 f2fs_write_cache_pages fs/f2fs/data.c:3133 [inline] __f2fs_write_data_pages fs/f2fs/data.c:3288 [inline] f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3315 do_writepages+0x35b/0x870 mm/page-writeback.c:2612 __writeback_single_inode+0x165/0x10b0 fs/fs-writeback.c:1650 writeback_sb_inodes+0x905/0x1260 fs/fs-writeback.c:1941 wb_writeback+0x457/0xce0 fs/fs-writeback.c:2117 wb_do_writeback fs/fs-writeback.c:2264 [inline] wb_workfn+0x410/0x1090 fs/fs-writeback.c:2304 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0xa12/0x17c0 kernel/workqueue.c:3335 worker_thread+0x86d/0xd70 kernel/workqueue.c:3416 kthread+0x2f2/0x390 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The root cause is: inline_data inode can be fuzzed, so that there may be valid blkaddr in its direct node, once f2fs triggers background GC to migrate the block, it will hit f2fs_bug_on() during dirty page writeback. Let's add sanity check on F2FS_INLINE_DATA flag in inode during GC, so that, it can forbid migrating inline_data inode's data block for fixing. Reported-by: syzbot+848062ba19c8782ca5c8(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-f2fs-devel/000000000000d103ce06174d7ec3@googl… Signed-off-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> [kovalev: Replaced f2fs_err_ratelimited() with printk_ratelimited() to use a supported function] Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> --- Backport to fix CVE-2024-44942 Link: https://www.cve.org/CVERecord/?id=CVE-2024-44942 --- fs/f2fs/gc.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c index 687b2ce82c8542..8e6e91fedbf32a 100644 --- a/fs/f2fs/gc.c +++ b/fs/f2fs/gc.c @@ -1577,6 +1577,17 @@ static int gc_data_segment(struct f2fs_sb_info *sbi, struct f2fs_summary *sum, continue; } + if (f2fs_has_inline_data(inode)) { + iput(inode); + set_sbi_flag(sbi, SBI_NEED_FSCK); + printk_ratelimited("%sF2FS-fs (%s): " + "inode %lx has both inline_data flag and " + "data block, nid=%u, ofs_in_node=%u", + KERN_INFO, sbi->sb->s_id, + inode->i_ino, dni.nid, ofs_in_node); + continue; + } + err = f2fs_gc_pinned_control(inode, gc_type, segno); if (err == -EAGAIN) { iput(inode); -- 2.33.8

5 months, 3 weeks

1
0
0 0

Re:Patch "phy: rockchip: naneng-combphy: fix phy reset" has been added to the 6.12-stable tree

by Chukun Pan

Hi, > This is a note to let you know that I've just added the patch titled > > phy: rockchip: naneng-combphy: fix phy reset > > to the 6.12-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > phy-rockchip-naneng-combphy-fix-phy-reset.patch > and it can be found in the queue-6.12 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Please backport this commit together: arm64: dts: rockchip: add reset-names for combphy on rk3568 https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/… If apply fails, please change arch/arm64/boot/dts/rockchip/rk356x-base.dtsi to arch/arm64/boot/dts/rockchip/rk356x.dtsi. Thanks, Chukun -- 2.25.1

5 months, 3 weeks

2
4
0 0

[merged mm-hotfixes-stable] scripts-sorttable-fix-orc_sort_cmp-to-maintain-symmetry-and-transitivity.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity has been removed from the -mm tree. Its filename was scripts-sorttable-fix-orc_sort_cmp-to-maintain-symmetry-and-transitivity.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Kuan-Wei Chiu <visitorckw(a)gmail.com> Subject: scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity Date: Thu, 26 Dec 2024 22:03:32 +0800 The orc_sort_cmp() function, used with qsort(), previously violated the symmetry and transitivity rules required by the C standard. Specifically, when both entries are ORC_TYPE_UNDEFINED, it could result in both a < b and b < a, which breaks the required symmetry and transitivity. This can lead to undefined behavior and incorrect sorting results, potentially causing memory corruption in glibc implementations [1]. Symmetry: If x < y, then y > x. Transitivity: If x < y and y < z, then x < z. Fix the comparison logic to return 0 when both entries are ORC_TYPE_UNDEFINED, ensuring compliance with qsort() requirements. Link: https://www.qualys.com/2024/01/30/qsort.txt [1] Link: https://lkml.kernel.org/r/20241226140332.2670689-1-visitorckw@gmail.com Fixes: 57fa18994285 ("scripts/sorttable: Implement build-time ORC unwind table sorting") Fixes: fb799447ae29 ("x86,objtool: Split UNWIND_HINT_EMPTY in two") Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com> Cc: Ching-Chun (Jim) Huang <jserv(a)ccns.ncku.edu.tw> Cc: <chuang(a)cs.nycu.edu.tw> Cc: Ingo Molnar <mingo(a)kernel.org> Cc: Josh Poimboeuf <jpoimboe(a)kernel.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Shile Zhang <shile.zhang(a)linux.alibaba.com> Cc: Steven Rostedt <rostedt(a)goodmis.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- scripts/sorttable.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/scripts/sorttable.h~scripts-sorttable-fix-orc_sort_cmp-to-maintain-symmetry-and-transitivity +++ a/scripts/sorttable.h @@ -110,7 +110,7 @@ static inline unsigned long orc_ip(const static int orc_sort_cmp(const void *_a, const void *_b) { - struct orc_entry *orc_a; + struct orc_entry *orc_a, *orc_b; const int *a = g_orc_ip_table + *(int *)_a; const int *b = g_orc_ip_table + *(int *)_b; unsigned long a_val = orc_ip(a); @@ -128,6 +128,9 @@ static int orc_sort_cmp(const void *_a, * whitelisted .o files which didn't get objtool generation. */ orc_a = g_orc_table + (a - g_orc_ip_table); + orc_b = g_orc_table + (b - g_orc_ip_table); + if (orc_a->type == ORC_TYPE_UNDEFINED && orc_b->type == ORC_TYPE_UNDEFINED) + return 0; return orc_a->type == ORC_TYPE_UNDEFINED ? -1 : 1; } _ Patches currently in -mm which might be from visitorckw(a)gmail.com are lib-min_heap-improve-type-safety-in-min_heap-macros-by-using-container_of.patch lib-test_min_heap-use-inline-min-heap-variants-to-reduce-attack-vector.patch lib-min_heap-add-brief-introduction-to-min-heap-api.patch documentation-core-api-min_heap-add-author-information.patch lib-sort-clarify-comparison-function-requirements-in-sort_r.patch lib-list_sort-clarify-comparison-function-requirements-in-sort_r.patch

5 months, 3 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-damon-core-fix-ignored-quota-goals-and-filters-of-newly-committed-schemes.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/core: fix ignored quota goals and filters of newly committed schemes has been removed from the -mm tree. Its filename was mm-damon-core-fix-ignored-quota-goals-and-filters-of-newly-committed-schemes.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/core: fix ignored quota goals and filters of newly committed schemes Date: Sun, 22 Dec 2024 15:12:22 -0800 damon_commit_schemes() ignores quota goals and filters of the newly committed schemes. This makes users confused about the behaviors. Correctly handle those inputs. Link: https://lkml.kernel.org/r/20241222231222.85060-3-sj@kernel.org Fixes: 9cb3d0b9dfce ("mm/damon/core: implement DAMON context commit function") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/mm/damon/core.c~mm-damon-core-fix-ignored-quota-goals-and-filters-of-newly-committed-schemes +++ a/mm/damon/core.c @@ -868,6 +868,11 @@ static int damon_commit_schemes(struct d NUMA_NO_NODE); if (!new_scheme) return -ENOMEM; + err = damos_commit(new_scheme, src_scheme); + if (err) { + damon_destroy_scheme(new_scheme); + return err; + } damon_add_scheme(dst, new_scheme); } return 0; _ Patches currently in -mm which might be from sj(a)kernel.org are samples-add-a-skeleton-of-a-sample-damon-module-for-working-set-size-estimation.patch samples-damon-wsse-start-and-stop-damon-as-the-user-requests.patch samples-damon-wsse-implement-working-set-size-estimation-and-logging.patch samples-damon-introduce-a-skeleton-of-a-smaple-damon-module-for-proactive-reclamation.patch samples-damon-prcl-implement-schemes-setup.patch replace-free-hugepage-folios-after-migration-fix-2.patch

5 months, 3 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-damon-core-fix-new-damon_target-objects-leaks-on-damon_commit_targets.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/core: fix new damon_target objects leaks on damon_commit_targets() has been removed from the -mm tree. Its filename was mm-damon-core-fix-new-damon_target-objects-leaks-on-damon_commit_targets.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/core: fix new damon_target objects leaks on damon_commit_targets() Date: Sun, 22 Dec 2024 15:12:21 -0800 Patch series "mm/damon/core: fix memory leaks and ignored inputs from damon_commit_ctx()". Due to two bugs in damon_commit_targets() and damon_commit_schemes(), which are called from damon_commit_ctx(), some user inputs can be ignored, and some mmeory objects can be leaked. Fix those. Note that only DAMON sysfs interface users are affected. Other DAMON core API user modules that more focused more on simple and dedicated production usages, including DAMON_RECLAIM and DAMON_LRU_SORT are not using the buggy function in the way, so not affected. This patch (of 2): When new DAMON targets are added via damon_commit_targets(), the newly created targets are not deallocated when updating the internal data (damon_commit_target()) is failed. Worse yet, even if the setup is successfully done, the new target is not linked to the context. Hence, the new targets are always leaked regardless of the internal data setup failure. Fix the leaks. Link: https://lkml.kernel.org/r/20241222231222.85060-2-sj@kernel.org Fixes: 9cb3d0b9dfce ("mm/damon/core: implement DAMON context commit function") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/mm/damon/core.c~mm-damon-core-fix-new-damon_target-objects-leaks-on-damon_commit_targets +++ a/mm/damon/core.c @@ -961,8 +961,11 @@ static int damon_commit_targets( return -ENOMEM; err = damon_commit_target(new_target, false, src_target, damon_target_has_pid(src)); - if (err) + if (err) { + damon_destroy_target(new_target); return err; + } + damon_add_target(dst, new_target); } return 0; } _ Patches currently in -mm which might be from sj(a)kernel.org are samples-add-a-skeleton-of-a-sample-damon-module-for-working-set-size-estimation.patch samples-damon-wsse-start-and-stop-damon-as-the-user-requests.patch samples-damon-wsse-implement-working-set-size-estimation-and-logging.patch samples-damon-introduce-a-skeleton-of-a-smaple-damon-module-for-proactive-reclamation.patch samples-damon-prcl-implement-schemes-setup.patch replace-free-hugepage-folios-after-migration-fix-2.patch

5 months, 3 weeks

1
0
0 0

[merged mm-hotfixes-stable] vmstat-disable-vmstat_work-on-vmstat_cpu_down_prep.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: vmstat: disable vmstat_work on vmstat_cpu_down_prep() has been removed from the -mm tree. Its filename was vmstat-disable-vmstat_work-on-vmstat_cpu_down_prep.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Koichiro Den <koichiro.den(a)canonical.com> Subject: vmstat: disable vmstat_work on vmstat_cpu_down_prep() Date: Sat, 21 Dec 2024 12:33:20 +0900 Even after mm/vmstat:online teardown, shepherd may still queue work for the dying cpu until the cpu is removed from online mask. While it's quite rare, this means that after unbind_workers() unbinds a per-cpu kworker, it potentially runs vmstat_update for the dying CPU on an irrelevant cpu before entering atomic AP states. When CONFIG_DEBUG_PREEMPT=y, it results in the following error with the backtrace. BUG: using smp_processor_id() in preemptible [00000000] code: \ kworker/7:3/1702 caller is refresh_cpu_vm_stats+0x235/0x5f0 CPU: 0 UID: 0 PID: 1702 Comm: kworker/7:3 Tainted: G Tainted: [N]=TEST Workqueue: mm_percpu_wq vmstat_update Call Trace: <TASK> dump_stack_lvl+0x8d/0xb0 check_preemption_disabled+0xce/0xe0 refresh_cpu_vm_stats+0x235/0x5f0 vmstat_update+0x17/0xa0 process_one_work+0x869/0x1aa0 worker_thread+0x5e5/0x1100 kthread+0x29e/0x380 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30 </TASK> So, for mm/vmstat:online, disable vmstat_work reliably on teardown and symmetrically enable it on startup. Link: https://lkml.kernel.org/r/20241221033321.4154409-1-koichiro.den@canonical.c… Signed-off-by: Koichiro Den <koichiro.den(a)canonical.com> Cc: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vmstat.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/mm/vmstat.c~vmstat-disable-vmstat_work-on-vmstat_cpu_down_prep +++ a/mm/vmstat.c @@ -2148,13 +2148,14 @@ static int vmstat_cpu_online(unsigned in if (!node_state(cpu_to_node(cpu), N_CPU)) { node_set_state(cpu_to_node(cpu), N_CPU); } + enable_delayed_work(&per_cpu(vmstat_work, cpu)); return 0; } static int vmstat_cpu_down_prep(unsigned int cpu) { - cancel_delayed_work_sync(&per_cpu(vmstat_work, cpu)); + disable_delayed_work_sync(&per_cpu(vmstat_work, cpu)); return 0; } _ Patches currently in -mm which might be from koichiro.den(a)canonical.com are hugetlb-prioritize-surplus-allocation-from-current-node.patch

5 months, 3 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-shmem-fix-the-update-of-shmem_falloc-nr_unswapped.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: shmem: fix the update of 'shmem_falloc->nr_unswapped' has been removed from the -mm tree. Its filename was mm-shmem-fix-the-update-of-shmem_falloc-nr_unswapped.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Baolin Wang <baolin.wang(a)linux.alibaba.com> Subject: mm: shmem: fix the update of 'shmem_falloc->nr_unswapped' Date: Thu, 19 Dec 2024 15:30:09 +0800 The 'shmem_falloc->nr_unswapped' is used to record how many writepage refused to swap out because fallocate() is allocating, but after shmem supports large folio swap out, the update of 'shmem_falloc->nr_unswapped' does not use the correct number of pages in the large folio, which may lead to fallocate() not exiting as soon as possible. Anyway, this is found through code inspection, and I am not sure whether it would actually cause serious issues. Link: https://lkml.kernel.org/r/f66a0119d0564c2c37c84f045835b870d1b2196f.17345931… Fixes: 809bc86517cc ("mm: shmem: support large folio swap out") Signed-off-by: Baolin Wang <baolin.wang(a)linux.alibaba.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/shmem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/shmem.c~mm-shmem-fix-the-update-of-shmem_falloc-nr_unswapped +++ a/mm/shmem.c @@ -1535,7 +1535,7 @@ try_split: !shmem_falloc->waitq && index >= shmem_falloc->start && index < shmem_falloc->next) - shmem_falloc->nr_unswapped++; + shmem_falloc->nr_unswapped += nr_pages; else shmem_falloc = NULL; spin_unlock(&inode->i_lock); _ Patches currently in -mm which might be from baolin.wang(a)linux.alibaba.com are mm-factor-out-the-order-calculation-into-a-new-helper.patch mm-shmem-change-shmem_huge_global_enabled-to-return-huge-order-bitmap.patch mm-shmem-add-large-folio-support-for-tmpfs.patch mm-shmem-add-a-kernel-command-line-to-change-the-default-huge-policy-for-tmpfs.patch docs-tmpfs-drop-fadvise-from-the-documentation.patch

5 months, 3 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-shmem-fix-incorrect-index-alignment-for-within_size-policy.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: shmem: fix incorrect index alignment for within_size policy has been removed from the -mm tree. Its filename was mm-shmem-fix-incorrect-index-alignment-for-within_size-policy.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Baolin Wang <baolin.wang(a)linux.alibaba.com> Subject: mm: shmem: fix incorrect index alignment for within_size policy Date: Thu, 19 Dec 2024 15:30:08 +0800 With enabling the shmem per-size within_size policy, using an incorrect 'order' size to round_up() the index can lead to incorrect i_size checks, resulting in an inappropriate large orders being returned. Changing to use '1 << order' to round_up() the index to fix this issue. Additionally, adding an 'aligned_index' variable to avoid affecting the index checks. Link: https://lkml.kernel.org/r/77d8ef76a7d3d646e9225e9af88a76549a68aab1.17345931… Fixes: e7a2ab7b3bb5 ("mm: shmem: add mTHP support for anonymous shmem") Signed-off-by: Baolin Wang <baolin.wang(a)linux.alibaba.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/shmem.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/mm/shmem.c~mm-shmem-fix-incorrect-index-alignment-for-within_size-policy +++ a/mm/shmem.c @@ -1689,6 +1689,7 @@ unsigned long shmem_allowable_huge_order unsigned long mask = READ_ONCE(huge_shmem_orders_always); unsigned long within_size_orders = READ_ONCE(huge_shmem_orders_within_size); unsigned long vm_flags = vma ? vma->vm_flags : 0; + pgoff_t aligned_index; bool global_huge; loff_t i_size; int order; @@ -1723,9 +1724,9 @@ unsigned long shmem_allowable_huge_order /* Allow mTHP that will be fully within i_size. */ order = highest_order(within_size_orders); while (within_size_orders) { - index = round_up(index + 1, order); + aligned_index = round_up(index + 1, 1 << order); i_size = round_up(i_size_read(inode), PAGE_SIZE); - if (i_size >> PAGE_SHIFT >= index) { + if (i_size >> PAGE_SHIFT >= aligned_index) { mask |= within_size_orders; break; } _ Patches currently in -mm which might be from baolin.wang(a)linux.alibaba.com are mm-factor-out-the-order-calculation-into-a-new-helper.patch mm-shmem-change-shmem_huge_global_enabled-to-return-huge-order-bitmap.patch mm-shmem-add-large-folio-support-for-tmpfs.patch mm-shmem-add-a-kernel-command-line-to-change-the-default-huge-policy-for-tmpfs.patch docs-tmpfs-drop-fadvise-from-the-documentation.patch

5 months, 3 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-zswap-fix-race-between-compression-and-cpu-hotunplug.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: zswap: fix race between [de]compression and CPU hotunplug has been removed from the -mm tree. Its filename was mm-zswap-fix-race-between-compression-and-cpu-hotunplug.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Yosry Ahmed <yosryahmed(a)google.com> Subject: mm: zswap: fix race between [de]compression and CPU hotunplug Date: Thu, 19 Dec 2024 21:24:37 +0000 In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the current CPU at the beginning of the operation is retrieved and used throughout. However, since neither preemption nor migration are disabled, it is possible that the operation continues on a different CPU. If the original CPU is hotunplugged while the acomp_ctx is still in use, we run into a UAF bug as the resources attached to the acomp_ctx are freed during hotunplug in zswap_cpu_comp_dead(). The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") when the switch to the crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was retrieved using get_cpu_ptr() which disables preemption and makes sure the CPU cannot go away from under us. Preemption cannot be disabled with the crypto_acomp API as a sleepable context is needed. Commit 8ba2f844f050 ("mm/zswap: change per-cpu mutex and buffer to per-acomp_ctx") increased the UAF surface area by making the per-CPU buffers dynamic, adding yet another resource that can be freed from under zswap compression/decompression by CPU hotunplug. There are a few ways to fix this: (a) Add a refcount for acomp_ctx. (b) Disable migration while using the per-CPU acomp_ctx. (c) Disable CPU hotunplug while using the per-CPU acomp_ctx by holding the CPUs read lock. Implement (c) since it's simpler than (a), and (b) involves using migrate_disable() which is apparently undesired (see huge comment in include/linux/preempt.h). Link: https://lkml.kernel.org/r/20241219212437.2714151-1-yosryahmed@google.com Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") Signed-off-by: Yosry Ahmed <yosryahmed(a)google.com> Reported-by: Johannes Weiner <hannes(a)cmpxchg.org> Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/ Reported-by: Sam Sun <samsun1006219(a)gmail.com> Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tP… Reviewed-by: Chengming Zhou <chengming.zhou(a)linux.dev> Acked-by: Barry Song <baohua(a)kernel.org> Reviewed-by: Nhat Pham <nphamcs(a)gmail.com> Cc: Vitaly Wool <vitalywool(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/zswap.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) --- a/mm/zswap.c~mm-zswap-fix-race-between-compression-and-cpu-hotunplug +++ a/mm/zswap.c @@ -880,6 +880,18 @@ static int zswap_cpu_comp_dead(unsigned return 0; } +/* Prevent CPU hotplug from freeing up the per-CPU acomp_ctx resources */ +static struct crypto_acomp_ctx *acomp_ctx_get_cpu(struct crypto_acomp_ctx __percpu *acomp_ctx) +{ + cpus_read_lock(); + return raw_cpu_ptr(acomp_ctx); +} + +static void acomp_ctx_put_cpu(void) +{ + cpus_read_unlock(); +} + static bool zswap_compress(struct page *page, struct zswap_entry *entry, struct zswap_pool *pool) { @@ -893,8 +905,7 @@ static bool zswap_compress(struct page * gfp_t gfp; u8 *dst; - acomp_ctx = raw_cpu_ptr(pool->acomp_ctx); - + acomp_ctx = acomp_ctx_get_cpu(pool->acomp_ctx); mutex_lock(&acomp_ctx->mutex); dst = acomp_ctx->buffer; @@ -950,6 +961,7 @@ unlock: zswap_reject_alloc_fail++; mutex_unlock(&acomp_ctx->mutex); + acomp_ctx_put_cpu(); return comp_ret == 0 && alloc_ret == 0; } @@ -960,7 +972,7 @@ static void zswap_decompress(struct zswa struct crypto_acomp_ctx *acomp_ctx; u8 *src; - acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx); + acomp_ctx = acomp_ctx_get_cpu(entry->pool->acomp_ctx); mutex_lock(&acomp_ctx->mutex); src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO); @@ -990,6 +1002,7 @@ static void zswap_decompress(struct zswa if (src != acomp_ctx->buffer) zpool_unmap_handle(zpool, entry->handle); + acomp_ctx_put_cpu(); } /********************************* _ Patches currently in -mm which might be from yosryahmed(a)google.com are

5 months, 3 weeks

1
0
0 0

[merged mm-hotfixes-stable] ocfs2-fix-slab-use-after-free-due-to-dangling-pointer-dqi_priv.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv has been removed from the -mm tree. Its filename was ocfs2-fix-slab-use-after-free-due-to-dangling-pointer-dqi_priv.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Dennis Lam <dennis.lamerice(a)gmail.com> Subject: ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv Date: Tue, 17 Dec 2024 21:39:25 -0500 When mounting ocfs2 and then remounting it as read-only, a slab-use-after-free occurs after the user uses a syscall to quota_getnextquota. Specifically, sb_dqinfo(sb, type)->dqi_priv is the dangling pointer. During the remounting process, the pointer dqi_priv is freed but is never set as null leaving it to be accessed. Additionally, the read-only option for remounting sets the DQUOT_SUSPENDED flag instead of setting the DQUOT_USAGE_ENABLED flags. Moreover, later in the process of getting the next quota, the function ocfs2_get_next_id is called and only checks the quota usage flags and not the quota suspended flags. To fix this, I set dqi_priv to null when it is freed after remounting with read-only and put a check for DQUOT_SUSPENDED in ocfs2_get_next_id. [akpm(a)linux-foundation.org: coding-style cleanups] Link: https://lkml.kernel.org/r/20241218023924.22821-2-dennis.lamerice@gmail.com Fixes: 8f9e8f5fcc05 ("ocfs2: Fix Q_GETNEXTQUOTA for filesystem without quotas") Signed-off-by: Dennis Lam <dennis.lamerice(a)gmail.com> Reported-by: syzbot+d173bf8a5a7faeede34c(a)syzkaller.appspotmail.com Tested-by: syzbot+d173bf8a5a7faeede34c(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/6731d26f.050a0220.1fb99c.014b.GAE@google.com/T/ Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/quota_global.c | 2 +- fs/ocfs2/quota_local.c | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) --- a/fs/ocfs2/quota_global.c~ocfs2-fix-slab-use-after-free-due-to-dangling-pointer-dqi_priv +++ a/fs/ocfs2/quota_global.c @@ -893,7 +893,7 @@ static int ocfs2_get_next_id(struct supe int status = 0; trace_ocfs2_get_next_id(from_kqid(&init_user_ns, *qid), type); - if (!sb_has_quota_loaded(sb, type)) { + if (!sb_has_quota_active(sb, type)) { status = -ESRCH; goto out; } --- a/fs/ocfs2/quota_local.c~ocfs2-fix-slab-use-after-free-due-to-dangling-pointer-dqi_priv +++ a/fs/ocfs2/quota_local.c @@ -867,6 +867,7 @@ out: brelse(oinfo->dqi_libh); brelse(oinfo->dqi_lqi_bh); kfree(oinfo); + info->dqi_priv = NULL; return status; } _ Patches currently in -mm which might be from dennis.lamerice(a)gmail.com are

5 months, 3 weeks

1
0
0 0

[merged mm-hotfixes-stable] fs-proc-task_mmu-fix-pagemap-flags-with-pmd-thp-entries-on-32bit.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: fs/proc/task_mmu: fix pagemap flags with PMD THP entries on 32bit has been removed from the -mm tree. Its filename was fs-proc-task_mmu-fix-pagemap-flags-with-pmd-thp-entries-on-32bit.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: David Hildenbrand <david(a)redhat.com> Subject: fs/proc/task_mmu: fix pagemap flags with PMD THP entries on 32bit Date: Tue, 17 Dec 2024 20:50:00 +0100 Entries (including flags) are u64, even on 32bit. So right now we are cutting of the flags on 32bit. This way, for example the cow selftest complains about: # ./cow ... Bail Out! read and ioctl return unmatched results for populated: 0 1 Link: https://lkml.kernel.org/r/20241217195000.1734039-1-david@redhat.com Fixes: 2c1f057e5be6 ("fs/proc/task_mmu: properly detect PM_MMAP_EXCLUSIVE per page of PMD-mapped THPs") Signed-off-by: David Hildenbrand <david(a)redhat.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/task_mmu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/fs/proc/task_mmu.c~fs-proc-task_mmu-fix-pagemap-flags-with-pmd-thp-entries-on-32bit +++ a/fs/proc/task_mmu.c @@ -1810,7 +1810,7 @@ static int pagemap_pmd_range(pmd_t *pmdp } for (; addr != end; addr += PAGE_SIZE, idx++) { - unsigned long cur_flags = flags; + u64 cur_flags = flags; pagemap_entry_t pme; if (folio && (flags & PM_PRESENT) && _ Patches currently in -mm which might be from david(a)redhat.com are docs-tmpfs-update-the-large-folios-policy-for-tmpfs-and-shmem.patch mm-memory_hotplug-move-debug_pagealloc_map_pages-into-online_pages_range.patch mm-page_isolation-dont-pass-gfp-flags-to-isolate_single_pageblock.patch mm-page_isolation-dont-pass-gfp-flags-to-start_isolate_page_range.patch mm-page_alloc-make-__alloc_contig_migrate_range-static.patch mm-page_alloc-sort-out-the-alloc_contig_range-gfp-flags-mess.patch mm-page_alloc-forward-the-gfp-flags-from-alloc_contig_range-to-post_alloc_hook.patch powernv-memtrace-use-__gfp_zero-with-alloc_contig_pages.patch mm-hugetlb-dont-map-folios-writable-without-vm_write-when-copying-during-fork.patch fs-proc-vmcore-convert-vmcore_cb_lock-into-vmcore_mutex.patch fs-proc-vmcore-replace-vmcoredd_mutex-by-vmcore_mutex.patch fs-proc-vmcore-disallow-vmcore-modifications-while-the-vmcore-is-open.patch fs-proc-vmcore-prefix-all-pr_-with-vmcore.patch fs-proc-vmcore-move-vmcore-definitions-out-of-kcoreh.patch fs-proc-vmcore-factor-out-allocating-a-vmcore-range-and-adding-it-to-a-list.patch fs-proc-vmcore-factor-out-freeing-a-list-of-vmcore-ranges.patch fs-proc-vmcore-introduce-proc_vmcore_device_ram-to-detect-device-ram-ranges-in-2nd-kernel.patch virtio-mem-mark-device-ready-before-registering-callbacks-in-kdump-mode.patch virtio-mem-remember-usable-region-size.patch virtio-mem-support-config_proc_vmcore_device_ram.patch s390-kdump-virtio-mem-kdump-support-config_proc_vmcore_device_ram.patch mm-page_alloc-dont-use-__gfp_hardwall-when-migrating-pages-via-alloc_contig.patch mm-memory_hotplug-dont-use-__gfp_hardwall-when-migrating-pages-via-memory-offlining.patch

5 months, 3 weeks

1
0
0 0

[merged mm-hotfixes-stable] kcov-mark-in_softirq_really-as-__always_inline.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: kcov: mark in_softirq_really() as __always_inline has been removed from the -mm tree. Its filename was kcov-mark-in_softirq_really-as-__always_inline.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Arnd Bergmann <arnd(a)arndb.de> Subject: kcov: mark in_softirq_really() as __always_inline Date: Tue, 17 Dec 2024 08:18:10 +0100 If gcc decides not to inline in_softirq_really(), objtool warns about a function call with UACCESS enabled: kernel/kcov.o: warning: objtool: __sanitizer_cov_trace_pc+0x1e: call to in_softirq_really() with UACCESS enabled kernel/kcov.o: warning: objtool: check_kcov_mode+0x11: call to in_softirq_really() with UACCESS enabled Mark this as __always_inline to avoid the problem. Link: https://lkml.kernel.org/r/20241217071814.2261620-1-arnd@kernel.org Fixes: 7d4df2dad312 ("kcov: properly check for softirq context") Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> Reviewed-by: Marco Elver <elver(a)google.com> Cc: Aleksandr Nogikh <nogikh(a)google.com> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Dmitry Vyukov <dvyukov(a)google.com> Cc: Josh Poimboeuf <jpoimboe(a)kernel.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/kcov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/kernel/kcov.c~kcov-mark-in_softirq_really-as-__always_inline +++ a/kernel/kcov.c @@ -166,7 +166,7 @@ static void kcov_remote_area_put(struct * Unlike in_serving_softirq(), this function returns false when called during * a hardirq or an NMI that happened in the softirq context. */ -static inline bool in_softirq_really(void) +static __always_inline bool in_softirq_really(void) { return in_serving_softirq() && !in_hardirq() && !in_nmi(); } _ Patches currently in -mm which might be from arnd(a)arndb.de are

5 months, 3 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-kmemleak-fix-sleeping-function-called-from-invalid-context-at-print-message.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/kmemleak: fix sleeping function called from invalid context at print message has been removed from the -mm tree. Its filename was mm-kmemleak-fix-sleeping-function-called-from-invalid-context-at-print-message.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Alessandro Carminati <acarmina(a)redhat.com> Subject: mm/kmemleak: fix sleeping function called from invalid context at print message Date: Tue, 17 Dec 2024 14:20:33 +0000 Address a bug in the kernel that triggers a "sleeping function called from invalid context" warning when /sys/kernel/debug/kmemleak is printed under specific conditions: - CONFIG_PREEMPT_RT=y - Set SELinux as the LSM for the system - Set kptr_restrict to 1 - kmemleak buffer contains at least one item BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 136, name: cat preempt_count: 1, expected: 0 RCU nest depth: 2, expected: 2 6 locks held by cat/136: #0: ffff32e64bcbf950 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xb8/0xe30 #1: ffffafe6aaa9dea0 (scan_mutex){+.+.}-{3:3}, at: kmemleak_seq_start+0x34/0x128 #3: ffff32e6546b1cd0 (&object->lock){....}-{2:2}, at: kmemleak_seq_show+0x3c/0x1e0 #4: ffffafe6aa8d8560 (rcu_read_lock){....}-{1:2}, at: has_ns_capability_noaudit+0x8/0x1b0 #5: ffffafe6aabbc0f8 (notif_lock){+.+.}-{2:2}, at: avc_compute_av+0xc4/0x3d0 irq event stamp: 136660 hardirqs last enabled at (136659): [<ffffafe6a80fd7a0>] _raw_spin_unlock_irqrestore+0xa8/0xd8 hardirqs last disabled at (136660): [<ffffafe6a80fd85c>] _raw_spin_lock_irqsave+0x8c/0xb0 softirqs last enabled at (0): [<ffffafe6a5d50b28>] copy_process+0x11d8/0x3df8 softirqs last disabled at (0): [<0000000000000000>] 0x0 Preemption disabled at: [<ffffafe6a6598a4c>] kmemleak_seq_show+0x3c/0x1e0 CPU: 1 UID: 0 PID: 136 Comm: cat Tainted: G E 6.11.0-rt7+ #34 Tainted: [E]=UNSIGNED_MODULE Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0xa0/0x128 show_stack+0x1c/0x30 dump_stack_lvl+0xe8/0x198 dump_stack+0x18/0x20 rt_spin_lock+0x8c/0x1a8 avc_perm_nonode+0xa0/0x150 cred_has_capability.isra.0+0x118/0x218 selinux_capable+0x50/0x80 security_capable+0x7c/0xd0 has_ns_capability_noaudit+0x94/0x1b0 has_capability_noaudit+0x20/0x30 restricted_pointer+0x21c/0x4b0 pointer+0x298/0x760 vsnprintf+0x330/0xf70 seq_printf+0x178/0x218 print_unreferenced+0x1a4/0x2d0 kmemleak_seq_show+0xd0/0x1e0 seq_read_iter+0x354/0xe30 seq_read+0x250/0x378 full_proxy_read+0xd8/0x148 vfs_read+0x190/0x918 ksys_read+0xf0/0x1e0 __arm64_sys_read+0x70/0xa8 invoke_syscall.constprop.0+0xd4/0x1d8 el0_svc+0x50/0x158 el0t_64_sync+0x17c/0x180 %pS and %pK, in the same back trace line, are redundant, and %pS can void %pK service in certain contexts. %pS alone already provides the necessary information, and if it cannot resolve the symbol, it falls back to printing the raw address voiding the original intent behind the %pK. Additionally, %pK requires a privilege check CAP_SYSLOG enforced through the LSM, which can trigger a "sleeping function called from invalid context" warning under RT_PREEMPT kernels when the check occurs in an atomic context. This issue may also affect other LSMs. This change avoids the unnecessary privilege check and resolves the sleeping function warning without any loss of information. Link: https://lkml.kernel.org/r/20241217142032.55793-1-acarmina@redhat.com Fixes: 3a6f33d86baa ("mm/kmemleak: use %pK to display kernel pointers in backtrace") Signed-off-by: Alessandro Carminati <acarmina(a)redhat.com> Acked-by: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Acked-by: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Cl��ment L��ger <clement.leger(a)bootlin.com> Cc: Alessandro Carminati <acarmina(a)redhat.com> Cc: Eric Chanudet <echanude(a)redhat.com> Cc: Gabriele Paoloni <gpaoloni(a)redhat.com> Cc: Juri Lelli <juri.lelli(a)redhat.com> Cc: Steven Rostedt <rostedt(a)goodmis.org> Cc: Thomas Wei��schuh <thomas.weissschuh(a)linutronix.de> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/kmemleak.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/kmemleak.c~mm-kmemleak-fix-sleeping-function-called-from-invalid-context-at-print-message +++ a/mm/kmemleak.c @@ -373,7 +373,7 @@ static void print_unreferenced(struct se for (i = 0; i < nr_entries; i++) { void *ptr = (void *)entries[i]; - warn_or_seq_printf(seq, " [<%pK>] %pS\n", ptr, ptr); + warn_or_seq_printf(seq, " %pS\n", ptr); } } _ Patches currently in -mm which might be from acarmina(a)redhat.com are

5 months, 3 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-hugetlb-independent-pmd-page-table-shared-count.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: hugetlb: independent PMD page table shared count has been removed from the -mm tree. Its filename was mm-hugetlb-independent-pmd-page-table-shared-count.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Liu Shixin <liushixin2(a)huawei.com> Subject: mm: hugetlb: independent PMD page table shared count Date: Mon, 16 Dec 2024 15:11:47 +0800 The folio refcount may be increased unexpectly through try_get_folio() by caller such as split_huge_pages. In huge_pmd_unshare(), we use refcount to check whether a pmd page table is shared. The check is incorrect if the refcount is increased by the above caller, and this can cause the page table leaked: BUG: Bad page state in process sh pfn:109324 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x66 pfn:0x109324 flags: 0x17ffff800000000(node=0|zone=2|lastcpupid=0xfffff) page_type: f2(table) raw: 017ffff800000000 0000000000000000 0000000000000000 0000000000000000 raw: 0000000000000066 0000000000000000 00000000f2000000 0000000000000000 page dumped because: nonzero mapcount ... CPU: 31 UID: 0 PID: 7515 Comm: sh Kdump: loaded Tainted: G B 6.13.0-rc2master+ #7 Tainted: [B]=BAD_PAGE Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 Call trace: show_stack+0x20/0x38 (C) dump_stack_lvl+0x80/0xf8 dump_stack+0x18/0x28 bad_page+0x8c/0x130 free_page_is_bad_report+0xa4/0xb0 free_unref_page+0x3cc/0x620 __folio_put+0xf4/0x158 split_huge_pages_all+0x1e0/0x3e8 split_huge_pages_write+0x25c/0x2d8 full_proxy_write+0x64/0xd8 vfs_write+0xcc/0x280 ksys_write+0x70/0x110 __arm64_sys_write+0x24/0x38 invoke_syscall+0x50/0x120 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x34/0x128 el0t_64_sync_handler+0xc8/0xd0 el0t_64_sync+0x190/0x198 The issue may be triggered by damon, offline_page, page_idle, etc, which will increase the refcount of page table. 1. The page table itself will be discarded after reporting the "nonzero mapcount". 2. The HugeTLB page mapped by the page table miss freeing since we treat the page table as shared and a shared page table will not be unmapped. Fix it by introducing independent PMD page table shared count. As described by comment, pt_index/pt_mm/pt_frag_refcount are used for s390 gmap, x86 pgds and powerpc, pt_share_count is used for x86/arm64/riscv pmds, so we can reuse the field as pt_share_count. Link: https://lkml.kernel.org/r/20241216071147.3984217-1-liushixin2@huawei.com Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page") Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Ken Chen <kenneth.w.chen(a)intel.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Nanyong Sun <sunnanyong(a)huawei.com> Cc: Jane Chu <jane.chu(a)oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/mm.h | 1 + include/linux/mm_types.h | 30 ++++++++++++++++++++++++++++++ mm/hugetlb.c | 16 +++++++--------- 3 files changed, 38 insertions(+), 9 deletions(-) --- a/include/linux/mm.h~mm-hugetlb-independent-pmd-page-table-shared-count +++ a/include/linux/mm.h @@ -3125,6 +3125,7 @@ static inline bool pagetable_pmd_ctor(st if (!pmd_ptlock_init(ptdesc)) return false; __folio_set_pgtable(folio); + ptdesc_pmd_pts_init(ptdesc); lruvec_stat_add_folio(folio, NR_PAGETABLE); return true; } --- a/include/linux/mm_types.h~mm-hugetlb-independent-pmd-page-table-shared-count +++ a/include/linux/mm_types.h @@ -445,6 +445,7 @@ FOLIO_MATCH(compound_head, _head_2a); * @pt_index: Used for s390 gmap. * @pt_mm: Used for x86 pgds. * @pt_frag_refcount: For fragmented page table tracking. Powerpc only. + * @pt_share_count: Used for HugeTLB PMD page table share count. * @_pt_pad_2: Padding to ensure proper alignment. * @ptl: Lock for the page table. * @__page_type: Same as page->page_type. Unused for page tables. @@ -471,6 +472,9 @@ struct ptdesc { pgoff_t pt_index; struct mm_struct *pt_mm; atomic_t pt_frag_refcount; +#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING + atomic_t pt_share_count; +#endif }; union { @@ -516,6 +520,32 @@ static_assert(sizeof(struct ptdesc) <= s const struct page *: (const struct ptdesc *)(p), \ struct page *: (struct ptdesc *)(p))) +#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING +static inline void ptdesc_pmd_pts_init(struct ptdesc *ptdesc) +{ + atomic_set(&ptdesc->pt_share_count, 0); +} + +static inline void ptdesc_pmd_pts_inc(struct ptdesc *ptdesc) +{ + atomic_inc(&ptdesc->pt_share_count); +} + +static inline void ptdesc_pmd_pts_dec(struct ptdesc *ptdesc) +{ + atomic_dec(&ptdesc->pt_share_count); +} + +static inline int ptdesc_pmd_pts_count(struct ptdesc *ptdesc) +{ + return atomic_read(&ptdesc->pt_share_count); +} +#else +static inline void ptdesc_pmd_pts_init(struct ptdesc *ptdesc) +{ +} +#endif + /* * Used for sizing the vmemmap region on some architectures */ --- a/mm/hugetlb.c~mm-hugetlb-independent-pmd-page-table-shared-count +++ a/mm/hugetlb.c @@ -7211,7 +7211,7 @@ pte_t *huge_pmd_share(struct mm_struct * spte = hugetlb_walk(svma, saddr, vma_mmu_pagesize(svma)); if (spte) { - get_page(virt_to_page(spte)); + ptdesc_pmd_pts_inc(virt_to_ptdesc(spte)); break; } } @@ -7226,7 +7226,7 @@ pte_t *huge_pmd_share(struct mm_struct * (pmd_t *)((unsigned long)spte & PAGE_MASK)); mm_inc_nr_pmds(mm); } else { - put_page(virt_to_page(spte)); + ptdesc_pmd_pts_dec(virt_to_ptdesc(spte)); } spin_unlock(&mm->page_table_lock); out: @@ -7238,10 +7238,6 @@ out: /* * unmap huge page backed by shared pte. * - * Hugetlb pte page is ref counted at the time of mapping. If pte is shared - * indicated by page_count > 1, unmap is achieved by clearing pud and - * decrementing the ref count. If count == 1, the pte page is not shared. - * * Called with page table lock held. * * returns: 1 successfully unmapped a shared pte page @@ -7250,18 +7246,20 @@ out: int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long addr, pte_t *ptep) { + unsigned long sz = huge_page_size(hstate_vma(vma)); pgd_t *pgd = pgd_offset(mm, addr); p4d_t *p4d = p4d_offset(pgd, addr); pud_t *pud = pud_offset(p4d, addr); i_mmap_assert_write_locked(vma->vm_file->f_mapping); hugetlb_vma_assert_locked(vma); - BUG_ON(page_count(virt_to_page(ptep)) == 0); - if (page_count(virt_to_page(ptep)) == 1) + if (sz != PMD_SIZE) + return 0; + if (!ptdesc_pmd_pts_count(virt_to_ptdesc(ptep))) return 0; pud_clear(pud); - put_page(virt_to_page(ptep)); + ptdesc_pmd_pts_dec(virt_to_ptdesc(ptep)); mm_dec_nr_pmds(mm); return 1; } _ Patches currently in -mm which might be from liushixin2(a)huawei.com are

5 months, 3 weeks

1
0
0 0

[merged mm-hotfixes-stable] maple_tree-reload-mas-before-the-second-call-for-mas_empty_area.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: maple_tree: reload mas before the second call for mas_empty_area has been removed from the -mm tree. Its filename was maple_tree-reload-mas-before-the-second-call-for-mas_empty_area.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Yang Erkun <yangerkun(a)huawei.com> Subject: maple_tree: reload mas before the second call for mas_empty_area Date: Sat, 14 Dec 2024 17:30:05 +0800 Change the LONG_MAX in simple_offset_add to 1024, and do latter: [root@fedora ~]# mkdir /tmp/dir [root@fedora ~]# for i in {1..1024}; do touch /tmp/dir/$i; done touch: cannot touch '/tmp/dir/1024': Device or resource busy [root@fedora ~]# rm /tmp/dir/123 [root@fedora ~]# touch /tmp/dir/1024 [root@fedora ~]# rm /tmp/dir/100 [root@fedora ~]# touch /tmp/dir/1025 touch: cannot touch '/tmp/dir/1025': Device or resource busy After we delete file 100, actually this is a empty entry, but the latter create failed unexpected. mas_alloc_cyclic has two chance to find empty entry. First find the entry with range range_lo and range_hi, if no empty entry exist, and range_lo > min, retry find with range min and range_hi. However, the first call mas_empty_area may mark mas as EBUSY, and the second call for mas_empty_area will return false directly. Fix this by reload mas before second call for mas_empty_area. [Liam.Howlett(a)Oracle.com: fix mas_alloc_cyclic() second search] Link: https://lore.kernel.org/all/20241216060600.287B4C4CED0@smtp.kernel.org/ Link: https://lkml.kernel.org/r/20241216190113.1226145-2-Liam.Howlett@oracle.com Link: https://lkml.kernel.org/r/20241214093005.72284-1-yangerkun@huaweicloud.com Fixes: 9b6713cc7522 ("maple_tree: Add mtree_alloc_cyclic()") Signed-off-by: Yang Erkun <yangerkun(a)huawei.com> Signed-off-by: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Chuck Lever <chuck.lever(a)oracle.com> says: Cc: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- lib/maple_tree.c | 1 + 1 file changed, 1 insertion(+) --- a/lib/maple_tree.c~maple_tree-reload-mas-before-the-second-call-for-mas_empty_area +++ a/lib/maple_tree.c @@ -4354,6 +4354,7 @@ int mas_alloc_cyclic(struct ma_state *ma ret = 1; } if (ret < 0 && range_lo > min) { + mas_reset(mas); ret = mas_empty_area(mas, min, range_hi, 1); if (ret == 0) ret = 1; _ Patches currently in -mm which might be from yangerkun(a)huawei.com are

5 months, 3 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-readahead-fix-large-folio-support-in-async-readahead.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/readahead: fix large folio support in async readahead has been removed from the -mm tree. Its filename was mm-readahead-fix-large-folio-support-in-async-readahead.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Yafang Shao <laoar.shao(a)gmail.com> Subject: mm/readahead: fix large folio support in async readahead Date: Fri, 6 Dec 2024 16:30:25 +0800 When testing large folio support with XFS on our servers, we observed that only a few large folios are mapped when reading large files via mmap. After a thorough analysis, I identified it was caused by the `/sys/block/*/queue/read_ahead_kb` setting. On our test servers, this parameter is set to 128KB. After I tune it to 2MB, the large folio can work as expected. However, I believe the large folio behavior should not be dependent on the value of read_ahead_kb. It would be more robust if the kernel can automatically adopt to it. With /sys/block/*/queue/read_ahead_kb set to 128KB and performing a sequential read on a 1GB file using MADV_HUGEPAGE, the differences in /proc/meminfo are as follows: - before this patch FileHugePages: 18432 kB FilePmdMapped: 4096 kB - after this patch FileHugePages: 1067008 kB FilePmdMapped: 1048576 kB This shows that after applying the patch, the entire 1GB file is mapped to huge pages. The stable list is CCed, as without this patch, large folios don't function optimally in the readahead path. It's worth noting that if read_ahead_kb is set to a larger value that isn't aligned with huge page sizes (e.g., 4MB + 128KB), it may still fail to map to hugepages. Link: https://lkml.kernel.org/r/20241108141710.9721-1-laoar.shao@gmail.com Link: https://lkml.kernel.org/r/20241206083025.3478-1-laoar.shao@gmail.com Fixes: 4687fdbb805a ("mm/filemap: Support VM_HUGEPAGE for file mappings") Signed-off-by: Yafang Shao <laoar.shao(a)gmail.com> Tested-by: kernel test robot <oliver.sang(a)intel.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: David Hildenbrand <david(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/readahead.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) --- a/mm/readahead.c~mm-readahead-fix-large-folio-support-in-async-readahead +++ a/mm/readahead.c @@ -646,7 +646,11 @@ void page_cache_async_ra(struct readahea 1UL << order); if (index == expected) { ra->start += ra->size; - ra->size = get_next_ra_size(ra, max_pages); + /* + * In the case of MADV_HUGEPAGE, the actual size might exceed + * the readahead window. + */ + ra->size = max(ra->size, get_next_ra_size(ra, max_pages)); ra->async_size = ra->size; goto readit; } _ Patches currently in -mm which might be from laoar.shao(a)gmail.com are kernel-remove-get_task_comm-and-print-task-comm-directly.patch arch-remove-get_task_comm-and-print-task-comm-directly.patch net-remove-get_task_comm-and-print-task-comm-directly.patch security-remove-get_task_comm-and-print-task-comm-directly.patch drivers-remove-get_task_comm-and-print-task-comm-directly.patch

5 months, 3 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-vmscan-account-for-free-pages-to-prevent-infinite-loop-in-throttle_direct_reclaim.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim() has been removed from the -mm tree. Its filename was mm-vmscan-account-for-free-pages-to-prevent-infinite-loop-in-throttle_direct_reclaim.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Seiji Nishikawa <snishika(a)redhat.com> Subject: mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim() Date: Sun, 1 Dec 2024 01:12:34 +0900 The task sometimes continues looping in throttle_direct_reclaim() because allow_direct_reclaim(pgdat) keeps returning false. #0 [ffff80002cb6f8d0] __switch_to at ffff8000080095ac #1 [ffff80002cb6f900] __schedule at ffff800008abbd1c #2 [ffff80002cb6f990] schedule at ffff800008abc50c #3 [ffff80002cb6f9b0] throttle_direct_reclaim at ffff800008273550 #4 [ffff80002cb6fa20] try_to_free_pages at ffff800008277b68 #5 [ffff80002cb6fae0] __alloc_pages_nodemask at ffff8000082c4660 #6 [ffff80002cb6fc50] alloc_pages_vma at ffff8000082e4a98 #7 [ffff80002cb6fca0] do_anonymous_page at ffff80000829f5a8 #8 [ffff80002cb6fce0] __handle_mm_fault at ffff8000082a5974 #9 [ffff80002cb6fd90] handle_mm_fault at ffff8000082a5bd4 At this point, the pgdat contains the following two zones: NODE: 4 ZONE: 0 ADDR: ffff00817fffe540 NAME: "DMA32" SIZE: 20480 MIN/LOW/HIGH: 11/28/45 VM_STAT: NR_FREE_PAGES: 359 NR_ZONE_INACTIVE_ANON: 18813 NR_ZONE_ACTIVE_ANON: 0 NR_ZONE_INACTIVE_FILE: 50 NR_ZONE_ACTIVE_FILE: 0 NR_ZONE_UNEVICTABLE: 0 NR_ZONE_WRITE_PENDING: 0 NR_MLOCK: 0 NR_BOUNCE: 0 NR_ZSPAGES: 0 NR_FREE_CMA_PAGES: 0 NODE: 4 ZONE: 1 ADDR: ffff00817fffec00 NAME: "Normal" SIZE: 8454144 PRESENT: 98304 MIN/LOW/HIGH: 68/166/264 VM_STAT: NR_FREE_PAGES: 146 NR_ZONE_INACTIVE_ANON: 94668 NR_ZONE_ACTIVE_ANON: 3 NR_ZONE_INACTIVE_FILE: 735 NR_ZONE_ACTIVE_FILE: 78 NR_ZONE_UNEVICTABLE: 0 NR_ZONE_WRITE_PENDING: 0 NR_MLOCK: 0 NR_BOUNCE: 0 NR_ZSPAGES: 0 NR_FREE_CMA_PAGES: 0 In allow_direct_reclaim(), while processing ZONE_DMA32, the sum of inactive/active file-backed pages calculated in zone_reclaimable_pages() based on the result of zone_page_state_snapshot() is zero. Additionally, since this system lacks swap, the calculation of inactive/ active anonymous pages is skipped. crash> p nr_swap_pages nr_swap_pages = $1937 = { counter = 0 } As a result, ZONE_DMA32 is deemed unreclaimable and skipped, moving on to the processing of the next zone, ZONE_NORMAL, despite ZONE_DMA32 having free pages significantly exceeding the high watermark. The problem is that the pgdat->kswapd_failures hasn't been incremented. crash> px ((struct pglist_data *) 0xffff00817fffe540)->kswapd_failures $1935 = 0x0 This is because the node deemed balanced. The node balancing logic in balance_pgdat() evaluates all zones collectively. If one or more zones (e.g., ZONE_DMA32) have enough free pages to meet their watermarks, the entire node is deemed balanced. This causes balance_pgdat() to exit early before incrementing the kswapd_failures, as it considers the overall memory state acceptable, even though some zones (like ZONE_NORMAL) remain under significant pressure. The patch ensures that zone_reclaimable_pages() includes free pages (NR_FREE_PAGES) in its calculation when no other reclaimable pages are available (e.g., file-backed or anonymous pages). This change prevents zones like ZONE_DMA32, which have sufficient free pages, from being mistakenly deemed unreclaimable. By doing so, the patch ensures proper node balancing, avoids masking pressure on other zones like ZONE_NORMAL, and prevents infinite loops in throttle_direct_reclaim() caused by allow_direct_reclaim(pgdat) repeatedly returning false. The kernel hangs due to a task stuck in throttle_direct_reclaim(), caused by a node being incorrectly deemed balanced despite pressure in certain zones, such as ZONE_NORMAL. This issue arises from zone_reclaimable_pages() returning 0 for zones without reclaimable file- backed or anonymous pages, causing zones like ZONE_DMA32 with sufficient free pages to be skipped. The lack of swap or reclaimable pages results in ZONE_DMA32 being ignored during reclaim, masking pressure in other zones. Consequently, pgdat->kswapd_failures remains 0 in balance_pgdat(), preventing fallback mechanisms in allow_direct_reclaim() from being triggered, leading to an infinite loop in throttle_direct_reclaim(). This patch modifies zone_reclaimable_pages() to account for free pages (NR_FREE_PAGES) when no other reclaimable pages exist. This ensures zones with sufficient free pages are not skipped, enabling proper balancing and reclaim behavior. [akpm(a)linux-foundation.org: coding-style cleanups] Link: https://lkml.kernel.org/r/20241130164346.436469-1-snishika@redhat.com Link: https://lkml.kernel.org/r/20241130161236.433747-2-snishika@redhat.com Fixes: 5a1c84b404a7 ("mm: remove reclaim and compaction retry approximations") Signed-off-by: Seiji Nishikawa <snishika(a)redhat.com> Cc: Mel Gorman <mgorman(a)techsingularity.net> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vmscan.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) --- a/mm/vmscan.c~mm-vmscan-account-for-free-pages-to-prevent-infinite-loop-in-throttle_direct_reclaim +++ a/mm/vmscan.c @@ -374,7 +374,14 @@ unsigned long zone_reclaimable_pages(str if (can_reclaim_anon_pages(NULL, zone_to_nid(zone), NULL)) nr += zone_page_state_snapshot(zone, NR_ZONE_INACTIVE_ANON) + zone_page_state_snapshot(zone, NR_ZONE_ACTIVE_ANON); - + /* + * If there are no reclaimable file-backed or anonymous pages, + * ensure zones with sufficient free pages are not skipped. + * This prevents zones like DMA32 from being ignored in reclaim + * scenarios where they can still help alleviate memory pressure. + */ + if (nr == 0) + nr = zone_page_state_snapshot(zone, NR_FREE_PAGES); return nr; } _ Patches currently in -mm which might be from snishika(a)redhat.com are

5 months, 3 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: reinstate ability to map write-sealed memfd mappings read-only has been removed from the -mm tree. Its filename was mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Subject: mm: reinstate ability to map write-sealed memfd mappings read-only Date: Thu, 28 Nov 2024 15:06:17 +0000 Patch series "mm: reinstate ability to map write-sealed memfd mappings read-only". In commit 158978945f31 ("mm: perform the mapping_map_writable() check after call_mmap()") (and preceding changes in the same series) it became possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only. Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour") unintentionally undid this logic by moving the mapping_map_writable() check before the shmem_mmap() hook is invoked, thereby regressing this change. This series reworks how we both permit write-sealed mappings being mapped read-only and disallow mprotect() from undoing the write-seal, fixing this regression. We also add a regression test to ensure that we do not accidentally regress this in future. Thanks to Julian Orth for reporting this regression. This patch (of 2): In commit 158978945f31 ("mm: perform the mapping_map_writable() check after call_mmap()") (and preceding changes in the same series) it became possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only. This was previously unnecessarily disallowed, despite the man page documentation indicating that it would be, thereby limiting the usefulness of F_SEAL_WRITE logic. We fixed this by adapting logic that existed for the F_SEAL_FUTURE_WRITE seal (one which disallows future writes to the memfd) to also be used for F_SEAL_WRITE. For background - the F_SEAL_FUTURE_WRITE seal clears VM_MAYWRITE for a read-only mapping to disallow mprotect() from overriding the seal - an operation performed by seal_check_write(), invoked from shmem_mmap(), the f_op->mmap() hook used by shmem mappings. By extending this to F_SEAL_WRITE and critically - checking mapping_map_writable() to determine if we may map the memfd AFTER we invoke shmem_mmap() - the desired logic becomes possible. This is because mapping_map_writable() explicitly checks for VM_MAYWRITE, which we will have cleared. Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour") unintentionally undid this logic by moving the mapping_map_writable() check before the shmem_mmap() hook is invoked, thereby regressing this change. We reinstate this functionality by moving the check out of shmem_mmap() and instead performing it in do_mmap() at the point at which VMA flags are being determined, which seems in any case to be a more appropriate place in which to make this determination. In order to achieve this we rework memfd seal logic to allow us access to this information using existing logic and eliminate the clearing of VM_MAYWRITE from seal_check_write() which we are performing in do_mmap() instead. Link: https://lkml.kernel.org/r/99fc35d2c62bd2e05571cf60d9f8b843c56069e0.17328047… Fixes: 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: Julian Orth <ju.orth(a)gmail.com> Closes: https://lore.kernel.org/all/CAHijbEUMhvJTN9Xw1GmbM266FXXv=U7s4L_Jem5x3AaPZx… Cc: Jann Horn <jannh(a)google.com> Cc: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Shuah Khan <shuah(a)kernel.org> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/memfd.h | 14 +++++++++ include/linux/mm.h | 58 +++++++++++++++++++++++++++------------- mm/memfd.c | 2 - mm/mmap.c | 4 ++ 4 files changed, 59 insertions(+), 19 deletions(-) --- a/include/linux/memfd.h~mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only +++ a/include/linux/memfd.h @@ -7,6 +7,7 @@ #ifdef CONFIG_MEMFD_CREATE extern long memfd_fcntl(struct file *file, unsigned int cmd, unsigned int arg); struct folio *memfd_alloc_folio(struct file *memfd, pgoff_t idx); +unsigned int *memfd_file_seals_ptr(struct file *file); #else static inline long memfd_fcntl(struct file *f, unsigned int c, unsigned int a) { @@ -16,6 +17,19 @@ static inline struct folio *memfd_alloc_ { return ERR_PTR(-EINVAL); } + +static inline unsigned int *memfd_file_seals_ptr(struct file *file) +{ + return NULL; +} #endif +/* Retrieve memfd seals associated with the file, if any. */ +static inline unsigned int memfd_file_seals(struct file *file) +{ + unsigned int *sealsp = memfd_file_seals_ptr(file); + + return sealsp ? *sealsp : 0; +} + #endif /* __LINUX_MEMFD_H */ --- a/include/linux/mm.h~mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only +++ a/include/linux/mm.h @@ -4101,6 +4101,37 @@ void mem_dump_obj(void *object); static inline void mem_dump_obj(void *object) {} #endif +static inline bool is_write_sealed(int seals) +{ + return seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE); +} + +/** + * is_readonly_sealed - Checks whether write-sealed but mapped read-only, + * in which case writes should be disallowing moving + * forwards. + * @seals: the seals to check + * @vm_flags: the VMA flags to check + * + * Returns whether readonly sealed, in which case writess should be disallowed + * going forward. + */ +static inline bool is_readonly_sealed(int seals, vm_flags_t vm_flags) +{ + /* + * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as + * MAP_SHARED and read-only, take care to not allow mprotect to + * revert protections on such mappings. Do this only for shared + * mappings. For private mappings, don't need to mask + * VM_MAYWRITE as we still want them to be COW-writable. + */ + if (is_write_sealed(seals) && + ((vm_flags & (VM_SHARED | VM_WRITE)) == VM_SHARED)) + return true; + + return false; +} + /** * seal_check_write - Check for F_SEAL_WRITE or F_SEAL_FUTURE_WRITE flags and * handle them. @@ -4112,24 +4143,15 @@ static inline void mem_dump_obj(void *ob */ static inline int seal_check_write(int seals, struct vm_area_struct *vma) { - if (seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) { - /* - * New PROT_WRITE and MAP_SHARED mmaps are not allowed when - * write seals are active. - */ - if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE)) - return -EPERM; - - /* - * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as - * MAP_SHARED and read-only, take care to not allow mprotect to - * revert protections on such mappings. Do this only for shared - * mappings. For private mappings, don't need to mask - * VM_MAYWRITE as we still want them to be COW-writable. - */ - if (vma->vm_flags & VM_SHARED) - vm_flags_clear(vma, VM_MAYWRITE); - } + if (!is_write_sealed(seals)) + return 0; + + /* + * New PROT_WRITE and MAP_SHARED mmaps are not allowed when + * write seals are active. + */ + if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE)) + return -EPERM; return 0; } --- a/mm/memfd.c~mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only +++ a/mm/memfd.c @@ -170,7 +170,7 @@ static int memfd_wait_for_pins(struct ad return error; } -static unsigned int *memfd_file_seals_ptr(struct file *file) +unsigned int *memfd_file_seals_ptr(struct file *file) { if (shmem_file(file)) return &SHMEM_I(file_inode(file))->seals; --- a/mm/mmap.c~mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only +++ a/mm/mmap.c @@ -47,6 +47,7 @@ #include <linux/oom.h> #include <linux/sched/mm.h> #include <linux/ksm.h> +#include <linux/memfd.h> #include <linux/uaccess.h> #include <asm/cacheflush.h> @@ -368,6 +369,7 @@ unsigned long do_mmap(struct file *file, if (file) { struct inode *inode = file_inode(file); + unsigned int seals = memfd_file_seals(file); unsigned long flags_mask; if (!file_mmap_ok(file, inode, pgoff, len)) @@ -408,6 +410,8 @@ unsigned long do_mmap(struct file *file, vm_flags |= VM_SHARED | VM_MAYSHARE; if (!(file->f_mode & FMODE_WRITE)) vm_flags &= ~(VM_MAYWRITE | VM_SHARED); + else if (is_readonly_sealed(seals, vm_flags)) + vm_flags &= ~VM_MAYWRITE; fallthrough; case MAP_PRIVATE: if (!(file->f_mode & FMODE_READ)) _ Patches currently in -mm which might be from lorenzo.stoakes(a)oracle.com are mm-vma-move-brk-internals-to-mm-vmac.patch mm-vma-move-brk-internals-to-mm-vmac-fix.patch mm-vma-move-unmapped_area-internals-to-mm-vmac.patch mm-abstract-get_arg_page-stack-expansion-and-mmap-read-lock.patch mm-vma-move-stack-expansion-logic-to-mm-vmac.patch mm-vma-move-__vm_munmap-to-mm-vmac.patch selftests-mm-add-fork-cow-guard-page-test.patch mm-enforce-__must_check-on-vma-merge-and-split.patch mm-perform-all-memfd-seal-checks-in-a-single-place.patch mm-perform-all-memfd-seal-checks-in-a-single-place-fix.patch maintainers-update-memory-mapping-section.patch mm-assert-mmap-write-lock-held-on-do_mmap-mmap_region.patch mm-add-comments-to-do_mmap-mmap_region-and-vm_mmap.patch tools-testing-add-simple-__mmap_region-userland-test.patch

5 months, 3 weeks

1
0
0 0

[folded-merged] maple_tree-reload-mas-before-the-second-call-for-mas_empty_area-fix.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: maple_tree: fix mas_alloc_cyclic() second search has been removed from the -mm tree. Its filename was maple_tree-reload-mas-before-the-second-call-for-mas_empty_area-fix.patch This patch was dropped because it was folded into maple_tree-reload-mas-before-the-second-call-for-mas_empty_area.patch ------------------------------------------------------ From: "Liam R. Howlett" <Liam.Howlett(a)Oracle.com> Subject: maple_tree: fix mas_alloc_cyclic() second search Date: Mon, 16 Dec 2024 14:01:12 -0500 The first search may leave the maple state in an error state. Reset the maple state before the second search so that the search has a chance of executing correctly after an exhausted first search. Link: https://lore.kernel.org/all/20241216060600.287B4C4CED0@smtp.kernel.org/ Link: https://lkml.kernel.org/r/20241216190113.1226145-2-Liam.Howlett@oracle.com Fixes: 9b6713cc7522 ("maple_tree: Add mtree_alloc_cyclic()") Signed-off-by: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Reviewed-by: Yang Erkun <yangerkun(a)huawei.com> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Chuck Lever <chuck.lever(a)oracle.com> says: Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- lib/maple_tree.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/lib/maple_tree.c~maple_tree-reload-mas-before-the-second-call-for-mas_empty_area-fix +++ a/lib/maple_tree.c @@ -4346,7 +4346,6 @@ int mas_alloc_cyclic(struct ma_state *ma { unsigned long min = range_lo; int ret = 0; - struct ma_state m = *mas; range_lo = max(min, *next); ret = mas_empty_area(mas, range_lo, range_hi, 1); @@ -4355,7 +4354,7 @@ int mas_alloc_cyclic(struct ma_state *ma ret = 1; } if (ret < 0 && range_lo > min) { - *mas = m; + mas_reset(mas); ret = mas_empty_area(mas, min, range_hi, 1); if (ret == 0) ret = 1; _ Patches currently in -mm which might be from Liam.Howlett(a)Oracle.com are maple_tree-reload-mas-before-the-second-call-for-mas_empty_area.patch test_maple_tree-test-exhausted-upper-limit-of-mtree_alloc_cyclic.patch

5 months, 3 weeks

1
0
0 0

[PATCH net] gve: trigger RX NAPI instead of TX NAPI in gve_xsk_wakeup

by Praveen Kaligineedi

From: Joshua Washington <joshwash(a)google.com> Commit ba0925c34e0f ("gve: process XSK TX descriptors as part of RX NAPI") moved XSK TX processing to be part of the RX NAPI. However, that commit did not include triggering the RX NAPI in gve_xsk_wakeup. This is necessary because the TX NAPI only processes TX completions, meaning that a TX wakeup would not actually trigger XSK descriptor processing. Also, the branch on XDP_WAKEUP_TX was supposed to have been removed, as the NAPI should be scheduled whether the wakeup is for RX or TX. Fixes: ba0925c34e0f ("gve: process XSK TX descriptors as part of RX NAPI") Cc: stable(a)vger.kernel.org Signed-off-by: Joshua Washington <joshwash(a)google.com> Signed-off-by: Praveen Kaligineedi <pkaligineedi(a)google.com> --- drivers/net/ethernet/google/gve/gve_main.c | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-) diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c index 09fb7f16f73e..8a8f6ab12a98 100644 --- a/drivers/net/ethernet/google/gve/gve_main.c +++ b/drivers/net/ethernet/google/gve/gve_main.c @@ -1714,7 +1714,7 @@ static int gve_xsk_pool_disable(struct net_device *dev, static int gve_xsk_wakeup(struct net_device *dev, u32 queue_id, u32 flags) { struct gve_priv *priv = netdev_priv(dev); - int tx_queue_id = gve_xdp_tx_queue_id(priv, queue_id); + struct napi_struct *napi; if (!gve_get_napi_enabled(priv)) return -ENETDOWN; @@ -1722,19 +1722,12 @@ static int gve_xsk_wakeup(struct net_device *dev, u32 queue_id, u32 flags) if (queue_id >= priv->rx_cfg.num_queues || !priv->xdp_prog) return -EINVAL; - if (flags & XDP_WAKEUP_TX) { - struct gve_tx_ring *tx = &priv->tx[tx_queue_id]; - struct napi_struct *napi = - &priv->ntfy_blocks[tx->ntfy_id].napi; - - if (!napi_if_scheduled_mark_missed(napi)) { - /* Call local_bh_enable to trigger SoftIRQ processing */ - local_bh_disable(); - napi_schedule(napi); - local_bh_enable(); - } - - tx->xdp_xsk_wakeup++; + napi = &priv->ntfy_blocks[gve_rx_idx_to_ntfy(priv, queue_id)].napi; + if (!napi_if_scheduled_mark_missed(napi)) { + /* Call local_bh_enable to trigger SoftIRQ processing */ + local_bh_disable(); + napi_schedule(napi); + local_bh_enable(); } return 0; -- 2.47.1.613.gc27f4b7a9f-goog

5 months, 3 weeks

2
1
0 0

btrfs: lsblk multiple mount point issue on LTS 6.6

by Mike Pagano

Greg, A Gentoo user found an issue with btrfs where: "... upstream commit a5d74fa24752 ("btrfs: avoid unnecessary device path update for the same device") breaks 6.6 LTS kernel behavior where previously lsblk can properly show multiple mount points of the same btrfs" There's a revert on the bug report [1]. The fix by the author can be found on linux-btrfs [2] [1] https://bugs.gentoo.org/947126 [2] https://lore.kernel.org/linux-btrfs/30aefd8b4e8c1f0c5051630b106a1ff3570d28e… Mike -- Mike Pagano Gentoo Developer - Kernel Project E-Mail : mpagano(a)gentoo.org GnuPG FP : 52CC A0B0 F631 0B17 0142 F83F 92A6 DBEC 81F2 B137 Public Key : http://pgp.mit.edu/pks/lookup?search=0x92A6DBEC81F2B137&op=index

5 months, 3 weeks

2
1
0 0

[PATCH v2 1/2] fs/proc: do_task_stat: Fix ESP not readable during coredump

by Nam Cao

The field "eip" (instruction pointer) and "esp" (stack pointer) of a task can be read from /proc/PID/stat. These fields can be interesting for coredump. However, these fields were disabled by commit 0a1eb2d474ed ("fs/proc: Stop reporting eip and esp in /proc/PID/stat"), because it is generally unsafe to do so. But it is safe for a coredumping process, and therefore exceptions were made: - for a coredumping thread by commit fd7d56270b52 ("fs/proc: Report eip/esp in /prod/PID/stat for coredumping"). - for all other threads in a coredumping process by commit cb8f381f1613 ("fs/proc/array.c: allow reporting eip/esp for all coredumping threads"). The above two commits check the PF_DUMPCORE flag to determine a coredump thread and the PF_EXITING flag for the other threads. Unfortunately, commit 92307383082d ("coredump: Don't perform any cleanups before dumping core") moved coredump to happen earlier and before PF_EXITING is set. Thus, checking PF_EXITING is no longer the correct way to determine threads in a coredumping process. Instead of PF_EXITING, use PF_POSTCOREDUMP to determine the other threads. Checking of PF_EXITING was added for coredumping, so it probably can now be removed. But it doesn't hurt to keep. Fixes: 92307383082d ("coredump: Don't perform any cleanups before dumping core") Cc: stable(a)vger.kernel.org Cc: Eric W. Biederman <ebiederm(a)xmission.com> Acked-by: Oleg Nesterov <oleg(a)redhat.com> Signed-off-by: Nam Cao <namcao(a)linutronix.de> --- fs/proc/array.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/proc/array.c b/fs/proc/array.c index 55ed3510d2bb..d6a0369caa93 100644 --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -500,7 +500,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, * a program is not able to use ptrace(2) in that case. It is * safe because the task has stopped executing permanently. */ - if (permitted && (task->flags & (PF_EXITING|PF_DUMPCORE))) { + if (permitted && (task->flags & (PF_EXITING|PF_DUMPCORE|PF_POSTCOREDUMP))) { if (try_get_task_stack(task)) { eip = KSTK_EIP(task); esp = KSTK_ESP(task); -- 2.39.5

5 months, 3 weeks

2
1
0 0

Re: [PATCH 6.12 000/114] 6.12.8-rc1 review

by Ronald Warsow

Hi Greg no regressions here on x86_64 (RKL, Intel 11th Gen. CPU) Thanks Tested-by: Ronald Warsow <rwarsow(a)gmx.de>

5 months, 3 weeks

1
0
0 0

Re: Patch "watchdog: s3c2410_wdt: add support for exynosautov920 SoC" has been added to the 6.12-stable tree

by Krzysztof Kozlowski

On 28/12/2024 15:20, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > watchdog: s3c2410_wdt: add support for exynosautov920 SoC > > to the 6.12-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > watchdog-s3c2410_wdt-add-support-for-exynosautov920-.patch > and it can be found in the queue-6.12 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. This is a new device support, depending on several other pieces like syscon support, Exynos PMU and of course arm64/boot/dts patches. It really relies on the rest of SoC support and alone is useless. This is way beyond simple quirks thus I believe it does not meet stable criteria at all. Based on that I recommend to drop this patch from stable backports. Best regards, Krzysztof

5 months, 3 weeks

2
1
0 0

[PATCH stable 5.15] net:dsa:fix the dsa_ptr null pointer dereference

by jiang.kun2＠zte.com.cn

From: Peilin He<he.peilin(a)zte.com.cn> Upstream commit 6c24a03a61a2 ("net: dsa: improve shutdown sequence") Issue ===== Repeatedly accessing the DSA Ethernet controller via the ethtool command, followed by a system reboot, may trigger a DSA null pointer dereference, causing a kernel panic and preventing the system from rebooting properly. This can lead to data loss or denial-of-service, resulting in serious consequences. The following is the panic log: [ 172.523467] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 [ 172.706923] Call trace: [ 172.709371] dsa_master_get_sset_count+0x24/0xa4 [ 172.714000] ethtool_get_drvinfo+0x8c/0x210 [ 172.718193] dev_ethtool+0x780/0x2120 [ 172.721863] dev_ioctl+0x1b0/0x580 [ 172.725273] sock_do_ioctl+0xc0/0x100 [ 172.728944] sock_ioctl+0x130/0x3c0 [ 172.732440] __arm64_sys_ioctl+0xb4/0x100 [ 172.736460] invoke_syscall+0x50/0x120 [ 172.740219] el0_svc_common.constprop.0+0x4c/0xf4 [ 172.744936] do_el0_svc+0x2c/0xa0 [ 172.748257] el0_svc+0x20/0x60 [ 172.751318] el0t_64_sync_handler+0xe8/0x114 [ 172.755599] el0t_64_sync+0x180/0x184 [ 172.759271] Code: a90153f3 2a0103f4 a9025bf5 f9418015 (f94012b6) [ 172.765383] ---[ end trace 0000000000000002 ]--- Root Cause ========== Based on analysis of the Linux 5.15 stable version, the function dsa_master_get_sset_count() accesses members of the structure pointed to by cpu_dp without checking for a null pointer. If cpu_dp is a null pointer, this will cause a kernel panic. static int dsa_master_get_sset_count(struct net_device *dev, int sset) { struct dsa_port *cpu_dp = dev->dsa_ptr; const struct ethtool_ops *ops = cpu_dp->orig_ethtool_ops; struct dsa_switch *ds = cpu_dp->ds; ... } dev->dsa_ptr is set to NULL in the dsa_switch_shutdown() or dsa_master_teardown() functions. When the DSA module unloads, dsa_master_ethtool_teardown(dev) restores the original copy of the DSA device's ethtool_ops using "dev->ethtool_ops = cpu_dp->orig_ethtool_ops;" before setting dev->dsa_ptr to NULL. This ensures that ethtool_ops remains accessible after DSA unloads. However, dsa_switch_shutdown does not restore the original copy of the DSA device's ethtool_ops, potentially leading to a null pointer dereference of dsa_ptr and causing a system panic. Essentially, when we set master->dsa_ptr to NULL, we need to ensure that no user ports are making requests to the DSA driver. Solution ======== The addition of the netif_device_detach() function is to ensure that ioctls, rtnetlinks and ethtool requests on the user ports no longer propagate down to the driver - we're no longer prepared to handle them. Fixes: ee534378f005 ("net: dsa: fix panic when DSA master device unbinds on shutdown") Suggested-by: Vladimir Oltean <vladimir.oltean(a)nxp.com> Signed-off-by: Peilin He <he.peilin(a)zte.com.cn> Reviewed-by: xu xin <xu.xin16(a)zte.com.cn> Signed-off-by: Kun Jiang <jiang.kun2(a)zte.com.cn> Cc: Fan Yu <fan.yu9(a)zte.com.cn> Cc: Yutan Qiu <qiu.yutan(a)zte.com.cn> Cc: Yaxin Wang <wang.yaxin(a)zte.com.cn> Cc: tuqiang <tu.qiang35(a)zte.com.cn> Cc: Yang Yang <yang.yang29(a)zte.com.cn> Cc: ye xingchen <ye.xingchen(a)zte.com.cn> Cc: Yunkai Zhang <zhang.yunkai(a)zte.com.cn> --- net/dsa/dsa2.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/net/dsa/dsa2.c b/net/dsa/dsa2.c index 543834e31298..bf384b30ec0a 100644 --- a/net/dsa/dsa2.c +++ b/net/dsa/dsa2.c @@ -1656,6 +1656,7 @@ EXPORT_SYMBOL_GPL(dsa_unregister_switch); void dsa_switch_shutdown(struct dsa_switch *ds) { struct net_device *master, *slave_dev; + LIST_HEAD(close_list); struct dsa_port *dp; mutex_lock(&dsa2_mutex); @@ -1665,6 +1666,11 @@ void dsa_switch_shutdown(struct dsa_switch *ds) rtnl_lock(); + dsa_switch_for_each_cpu_port(dp, ds) + list_add(&dp->master->close_list, &close_list); + + dev_close_many(&close_list, true); + list_for_each_entry(dp, &ds->dst->ports, list) { if (dp->ds != ds) continue; @@ -1675,6 +1681,7 @@ void dsa_switch_shutdown(struct dsa_switch *ds) master = dp->cpu_dp->master; slave_dev = dp->slave; + netif_device_detach(slave_dev); netdev_upper_dev_unlink(master, slave_dev); } -- 2.25.1

5 months, 3 weeks

2
1
0 0

[PATCH 6/6] nvmem: core: improve range check for nvmem_cell_write()

by srinivas.kandagatla＠linaro.org

From: Jennifer Berringer <jberring(a)redhat.com> When __nvmem_cell_entry_write() is called for an nvmem cell that does not need bit shifting, it requires that the len parameter exactly matches the nvmem cell size. However, when the nvmem cell has a nonzero bit_offset, it was skipping this check. Accepting values of len larger than the cell size results in nvmem_cell_prepare_write_buffer() trying to write past the end of a heap buffer that it allocates. Add a check to avoid that problem and instead return -EINVAL when len doesn't match the number of bits expected by the nvmem cell when bit_offset is nonzero. This check uses cell->nbits in order to allow providing the smaller size to cells that are shifted into another byte by bit_offset. For example, a cell with nbits=8 and nonzero bit_offset would have bytes=2 but should accept a 1-byte write here, although no current callers depend on this. Fixes: 69aba7948cbe ("nvmem: Add a simple NVMEM framework for consumers") Cc: stable(a)vger.kernel.org Signed-off-by: Jennifer Berringer <jberring(a)redhat.com> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> --- drivers/nvmem/core.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c index d6494dfc20a7..845540b57e68 100644 --- a/drivers/nvmem/core.c +++ b/drivers/nvmem/core.c @@ -1790,6 +1790,8 @@ static int __nvmem_cell_entry_write(struct nvmem_cell_entry *cell, void *buf, si return -EINVAL; if (cell->bit_offset || cell->nbits) { + if (len != BITS_TO_BYTES(cell->nbits) && len != cell->bytes) + return -EINVAL; buf = nvmem_cell_prepare_write_buffer(cell, buf, len); if (IS_ERR(buf)) return PTR_ERR(buf); -- 2.25.1

5 months, 3 weeks

1
0
0 0

[PATCH 5/6] nvmem: qcom-spmi-sdam: Set size in struct nvmem_config

by srinivas.kandagatla＠linaro.org

From: Luca Weiss <luca.weiss(a)fairphone.com> Let the nvmem core know what size the SDAM is, most notably this fixes the size of /sys/bus/nvmem/devices/spmi_sdam*/nvmem being '0' and makes user space work with that file. ~ # hexdump -C -s 64 /sys/bus/nvmem/devices/spmi_sdam2/nvmem 00000040 02 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 |................| 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00000080 Fixes: 40ce9798794f ("nvmem: add QTI SDAM driver") Cc: stable(a)vger.kernel.org Signed-off-by: Luca Weiss <luca.weiss(a)fairphone.com> Reviewed-by: Vladimir Zapolskiy <vladimir.zapolskiy(a)linaro.org> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> --- drivers/nvmem/qcom-spmi-sdam.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/nvmem/qcom-spmi-sdam.c b/drivers/nvmem/qcom-spmi-sdam.c index 9aa8f42faa4c..4f1cca6eab71 100644 --- a/drivers/nvmem/qcom-spmi-sdam.c +++ b/drivers/nvmem/qcom-spmi-sdam.c @@ -144,6 +144,7 @@ static int sdam_probe(struct platform_device *pdev) sdam->sdam_config.owner = THIS_MODULE; sdam->sdam_config.add_legacy_fixed_of_cells = true; sdam->sdam_config.stride = 1; + sdam->sdam_config.size = sdam->size; sdam->sdam_config.word_size = 1; sdam->sdam_config.reg_read = sdam_read; sdam->sdam_config.reg_write = sdam_write; -- 2.25.1

5 months, 3 weeks

1
0
0 0

Request to backport fixes for crash in hci_unregister_dev() to 6.12.y

by Fedor Pchelkin

On 6.12 there is a kernel crash during the release of btusb Mediatek device. list_del corruption, ffff8aae1f024000->next is LIST_POISON1 (dead000000000100) ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:56! Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 UID: 0 PID: 3770 Comm: qemu-system-x86 Tainted: G W 6.12.5-200.fc41.x86_64 #1 Tainted: [W]=WARN Hardware name: ASUS System Product Name/PRIME X670E-PRO WIFI, BIOS 3035 09/05/2024 RIP: 0010:__list_del_entry_valid_or_report.cold+0x5c/0x6f Call Trace: <TASK> hci_unregister_dev+0x46/0x1f0 [bluetooth] btusb_disconnect+0x67/0x170 [btusb] usb_unbind_interface+0x95/0x2d0 device_release_driver_internal+0x19c/0x200 proc_ioctl+0x1be/0x230 usbdev_ioctl+0x6bd/0x1430 __x64_sys_ioctl+0x91/0xd0 do_syscall_64+0x82/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e Note: Taint is due to the amdgpu warnings, totally unrelated to the issue. The bug has been fixed "silently" in upstream with the following series of 4 commits [1]: ad0c6f603bb0 ("Bluetooth: btusb: mediatek: move Bluetooth power off command position") cea1805f165c ("Bluetooth: btusb: mediatek: add callback function in btusb_disconnect") 489304e67087 ("Bluetooth: btusb: mediatek: add intf release flow when usb disconnect") defc33b5541e ("Bluetooth: btusb: mediatek: change the conditions for ISO interface") These commits can be cleanly cherry-picked to 6.12.y and I may confirm they fix the problem. FWIW, the offending commit is ceac1cb0259d ("Bluetooth: btusb: mediatek: add ISO data transmission functions") and it is present in 6.11.y and 6.12.y. 6.11.y is EOL, so please apply the patches to 6.12.y. [1]: https://lore.kernel.org/linux-bluetooth/20240923084705.14123-1-chris.lu@med… -- Thanks, Fedor

5 months, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] btrfs: allow swap activation to be interruptible" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 9a45022a0efadd99bcc58f7f1cc2b6fb3b808c40 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123039-broadside-tuesday-404a@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9a45022a0efadd99bcc58f7f1cc2b6fb3b808c40 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Mon, 9 Dec 2024 16:31:41 +0000 Subject: [PATCH] btrfs: allow swap activation to be interruptible During swap activation we iterate over the extents of a file, then do several checks for each extent, some of which may take some significant time such as checking if an extent is shared. Since a file can have many thousands of extents, this can be a very slow operation and it's currently not interruptible. I had a bug during development of a previous patch that resulted in an infinite loop when iterating the extents, so a core was busy looping and I couldn't cancel the operation, which is very annoying and requires a reboot. So make the loop interruptible by checking for fatal signals at the end of each iteration and stopping immediately if there is one. CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index b87f19630b00..c4675f4345fd 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -10073,6 +10073,11 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, bsi.block_start = physical_block_start; bsi.block_len = len; } + + if (fatal_signal_pending(current)) { + ret = -EINTR; + goto out; + } } if (bsi.block_len)

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] btrfs: allow swap activation to be interruptible" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 9a45022a0efadd99bcc58f7f1cc2b6fb3b808c40 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123040-crablike-vision-ad10@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9a45022a0efadd99bcc58f7f1cc2b6fb3b808c40 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Mon, 9 Dec 2024 16:31:41 +0000 Subject: [PATCH] btrfs: allow swap activation to be interruptible During swap activation we iterate over the extents of a file, then do several checks for each extent, some of which may take some significant time such as checking if an extent is shared. Since a file can have many thousands of extents, this can be a very slow operation and it's currently not interruptible. I had a bug during development of a previous patch that resulted in an infinite loop when iterating the extents, so a core was busy looping and I couldn't cancel the operation, which is very annoying and requires a reboot. So make the loop interruptible by checking for fatal signals at the end of each iteration and stopping immediately if there is one. CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index b87f19630b00..c4675f4345fd 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -10073,6 +10073,11 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, bsi.block_start = physical_block_start; bsi.block_len = len; } + + if (fatal_signal_pending(current)) { + ret = -EINTR; + goto out; + } } if (bsi.block_len)

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] btrfs: allow swap activation to be interruptible" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 9a45022a0efadd99bcc58f7f1cc2b6fb3b808c40 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123039-vivacious-clutch-03a5@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9a45022a0efadd99bcc58f7f1cc2b6fb3b808c40 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Mon, 9 Dec 2024 16:31:41 +0000 Subject: [PATCH] btrfs: allow swap activation to be interruptible During swap activation we iterate over the extents of a file, then do several checks for each extent, some of which may take some significant time such as checking if an extent is shared. Since a file can have many thousands of extents, this can be a very slow operation and it's currently not interruptible. I had a bug during development of a previous patch that resulted in an infinite loop when iterating the extents, so a core was busy looping and I couldn't cancel the operation, which is very annoying and requires a reboot. So make the loop interruptible by checking for fatal signals at the end of each iteration and stopping immediately if there is one. CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index b87f19630b00..c4675f4345fd 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -10073,6 +10073,11 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, bsi.block_start = physical_block_start; bsi.block_len = len; } + + if (fatal_signal_pending(current)) { + ret = -EINTR; + goto out; + } } if (bsi.block_len)

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] btrfs: allow swap activation to be interruptible" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 9a45022a0efadd99bcc58f7f1cc2b6fb3b808c40 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123038-headscarf-village-fcdb@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9a45022a0efadd99bcc58f7f1cc2b6fb3b808c40 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Mon, 9 Dec 2024 16:31:41 +0000 Subject: [PATCH] btrfs: allow swap activation to be interruptible During swap activation we iterate over the extents of a file, then do several checks for each extent, some of which may take some significant time such as checking if an extent is shared. Since a file can have many thousands of extents, this can be a very slow operation and it's currently not interruptible. I had a bug during development of a previous patch that resulted in an infinite loop when iterating the extents, so a core was busy looping and I couldn't cancel the operation, which is very annoying and requires a reboot. So make the loop interruptible by checking for fatal signals at the end of each iteration and stopping immediately if there is one. CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index b87f19630b00..c4675f4345fd 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -10073,6 +10073,11 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, bsi.block_start = physical_block_start; bsi.block_len = len; } + + if (fatal_signal_pending(current)) { + ret = -EINTR; + goto out; + } } if (bsi.block_len)

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] btrfs: allow swap activation to be interruptible" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 9a45022a0efadd99bcc58f7f1cc2b6fb3b808c40 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123037-theology-zookeeper-1b67@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9a45022a0efadd99bcc58f7f1cc2b6fb3b808c40 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Mon, 9 Dec 2024 16:31:41 +0000 Subject: [PATCH] btrfs: allow swap activation to be interruptible During swap activation we iterate over the extents of a file, then do several checks for each extent, some of which may take some significant time such as checking if an extent is shared. Since a file can have many thousands of extents, this can be a very slow operation and it's currently not interruptible. I had a bug during development of a previous patch that resulted in an infinite loop when iterating the extents, so a core was busy looping and I couldn't cancel the operation, which is very annoying and requires a reboot. So make the loop interruptible by checking for fatal signals at the end of each iteration and stopping immediately if there is one. CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index b87f19630b00..c4675f4345fd 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -10073,6 +10073,11 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, bsi.block_start = physical_block_start; bsi.block_len = len; } + + if (fatal_signal_pending(current)) { + ret = -EINTR; + goto out; + } } if (bsi.block_len)

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] btrfs: allow swap activation to be interruptible" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 9a45022a0efadd99bcc58f7f1cc2b6fb3b808c40 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123036-grout-exposure-3af8@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9a45022a0efadd99bcc58f7f1cc2b6fb3b808c40 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Mon, 9 Dec 2024 16:31:41 +0000 Subject: [PATCH] btrfs: allow swap activation to be interruptible During swap activation we iterate over the extents of a file, then do several checks for each extent, some of which may take some significant time such as checking if an extent is shared. Since a file can have many thousands of extents, this can be a very slow operation and it's currently not interruptible. I had a bug during development of a previous patch that resulted in an infinite loop when iterating the extents, so a core was busy looping and I couldn't cancel the operation, which is very annoying and requires a reboot. So make the loop interruptible by checking for fatal signals at the end of each iteration and stopping immediately if there is one. CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index b87f19630b00..c4675f4345fd 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -10073,6 +10073,11 @@ static int btrfs_swap_activate(struct swap_info_struct *sis, struct file *file, bsi.block_start = physical_block_start; bsi.block_len = len; } + + if (fatal_signal_pending(current)) { + ret = -EINTR; + goto out; + } } if (bsi.block_len)

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix use-after-free waiting for encoded read endios" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x d29662695ed7c015521e5fc9387df25aab192a2e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123056-thrash-utility-f7d7@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d29662695ed7c015521e5fc9387df25aab192a2e Mon Sep 17 00:00:00 2001 From: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Date: Wed, 13 Nov 2024 18:16:49 +0100 Subject: [PATCH] btrfs: fix use-after-free waiting for encoded read endios Fix a use-after-free in the I/O completion path for encoded reads by using a completion instead of a wait_queue for synchronizing the destruction of 'struct btrfs_encoded_read_private'. Fixes: 1881fba89bd5 ("btrfs: add BTRFS_IOC_ENCODED_READ ioctl") CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index 94c8809e8170..6baa0269a85b 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -9078,9 +9078,9 @@ static ssize_t btrfs_encoded_read_inline( } struct btrfs_encoded_read_private { - wait_queue_head_t wait; + struct completion done; void *uring_ctx; - atomic_t pending; + refcount_t pending_refs; blk_status_t status; }; @@ -9099,14 +9099,14 @@ static void btrfs_encoded_read_endio(struct btrfs_bio *bbio) */ WRITE_ONCE(priv->status, bbio->bio.bi_status); } - if (atomic_dec_and_test(&priv->pending)) { + if (refcount_dec_and_test(&priv->pending_refs)) { int err = blk_status_to_errno(READ_ONCE(priv->status)); if (priv->uring_ctx) { btrfs_uring_read_extent_endio(priv->uring_ctx, err); kfree(priv); } else { - wake_up(&priv->wait); + complete(&priv->done); } } bio_put(&bbio->bio); @@ -9126,8 +9126,8 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode, if (!priv) return -ENOMEM; - init_waitqueue_head(&priv->wait); - atomic_set(&priv->pending, 1); + init_completion(&priv->done); + refcount_set(&priv->pending_refs, 1); priv->status = 0; priv->uring_ctx = uring_ctx; @@ -9140,7 +9140,7 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode, size_t bytes = min_t(u64, disk_io_size, PAGE_SIZE); if (bio_add_page(&bbio->bio, pages[i], bytes, 0) < bytes) { - atomic_inc(&priv->pending); + refcount_inc(&priv->pending_refs); btrfs_submit_bbio(bbio, 0); bbio = btrfs_bio_alloc(BIO_MAX_VECS, REQ_OP_READ, fs_info, @@ -9155,11 +9155,11 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode, disk_io_size -= bytes; } while (disk_io_size); - atomic_inc(&priv->pending); + refcount_inc(&priv->pending_refs); btrfs_submit_bbio(bbio, 0); if (uring_ctx) { - if (atomic_dec_return(&priv->pending) == 0) { + if (refcount_dec_and_test(&priv->pending_refs)) { ret = blk_status_to_errno(READ_ONCE(priv->status)); btrfs_uring_read_extent_endio(uring_ctx, ret); kfree(priv); @@ -9168,8 +9168,8 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode, return -EIOCBQUEUED; } else { - if (atomic_dec_return(&priv->pending) != 0) - io_wait_event(priv->wait, !atomic_read(&priv->pending)); + if (!refcount_dec_and_test(&priv->pending_refs)) + wait_for_completion_io(&priv->done); /* See btrfs_encoded_read_endio() for ordering. */ ret = blk_status_to_errno(READ_ONCE(priv->status)); kfree(priv);

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix use-after-free waiting for encoded read endios" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x d29662695ed7c015521e5fc9387df25aab192a2e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123055-unholy-vice-e16b@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d29662695ed7c015521e5fc9387df25aab192a2e Mon Sep 17 00:00:00 2001 From: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Date: Wed, 13 Nov 2024 18:16:49 +0100 Subject: [PATCH] btrfs: fix use-after-free waiting for encoded read endios Fix a use-after-free in the I/O completion path for encoded reads by using a completion instead of a wait_queue for synchronizing the destruction of 'struct btrfs_encoded_read_private'. Fixes: 1881fba89bd5 ("btrfs: add BTRFS_IOC_ENCODED_READ ioctl") CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index 94c8809e8170..6baa0269a85b 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -9078,9 +9078,9 @@ static ssize_t btrfs_encoded_read_inline( } struct btrfs_encoded_read_private { - wait_queue_head_t wait; + struct completion done; void *uring_ctx; - atomic_t pending; + refcount_t pending_refs; blk_status_t status; }; @@ -9099,14 +9099,14 @@ static void btrfs_encoded_read_endio(struct btrfs_bio *bbio) */ WRITE_ONCE(priv->status, bbio->bio.bi_status); } - if (atomic_dec_and_test(&priv->pending)) { + if (refcount_dec_and_test(&priv->pending_refs)) { int err = blk_status_to_errno(READ_ONCE(priv->status)); if (priv->uring_ctx) { btrfs_uring_read_extent_endio(priv->uring_ctx, err); kfree(priv); } else { - wake_up(&priv->wait); + complete(&priv->done); } } bio_put(&bbio->bio); @@ -9126,8 +9126,8 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode, if (!priv) return -ENOMEM; - init_waitqueue_head(&priv->wait); - atomic_set(&priv->pending, 1); + init_completion(&priv->done); + refcount_set(&priv->pending_refs, 1); priv->status = 0; priv->uring_ctx = uring_ctx; @@ -9140,7 +9140,7 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode, size_t bytes = min_t(u64, disk_io_size, PAGE_SIZE); if (bio_add_page(&bbio->bio, pages[i], bytes, 0) < bytes) { - atomic_inc(&priv->pending); + refcount_inc(&priv->pending_refs); btrfs_submit_bbio(bbio, 0); bbio = btrfs_bio_alloc(BIO_MAX_VECS, REQ_OP_READ, fs_info, @@ -9155,11 +9155,11 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode, disk_io_size -= bytes; } while (disk_io_size); - atomic_inc(&priv->pending); + refcount_inc(&priv->pending_refs); btrfs_submit_bbio(bbio, 0); if (uring_ctx) { - if (atomic_dec_return(&priv->pending) == 0) { + if (refcount_dec_and_test(&priv->pending_refs)) { ret = blk_status_to_errno(READ_ONCE(priv->status)); btrfs_uring_read_extent_endio(uring_ctx, ret); kfree(priv); @@ -9168,8 +9168,8 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode, return -EIOCBQUEUED; } else { - if (atomic_dec_return(&priv->pending) != 0) - io_wait_event(priv->wait, !atomic_read(&priv->pending)); + if (!refcount_dec_and_test(&priv->pending_refs)) + wait_for_completion_io(&priv->done); /* See btrfs_encoded_read_endio() for ordering. */ ret = blk_status_to_errno(READ_ONCE(priv->status)); kfree(priv);

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix use-after-free waiting for encoded read endios" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x d29662695ed7c015521e5fc9387df25aab192a2e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123053-neurosis-bounding-947c@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d29662695ed7c015521e5fc9387df25aab192a2e Mon Sep 17 00:00:00 2001 From: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Date: Wed, 13 Nov 2024 18:16:49 +0100 Subject: [PATCH] btrfs: fix use-after-free waiting for encoded read endios Fix a use-after-free in the I/O completion path for encoded reads by using a completion instead of a wait_queue for synchronizing the destruction of 'struct btrfs_encoded_read_private'. Fixes: 1881fba89bd5 ("btrfs: add BTRFS_IOC_ENCODED_READ ioctl") CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index 94c8809e8170..6baa0269a85b 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -9078,9 +9078,9 @@ static ssize_t btrfs_encoded_read_inline( } struct btrfs_encoded_read_private { - wait_queue_head_t wait; + struct completion done; void *uring_ctx; - atomic_t pending; + refcount_t pending_refs; blk_status_t status; }; @@ -9099,14 +9099,14 @@ static void btrfs_encoded_read_endio(struct btrfs_bio *bbio) */ WRITE_ONCE(priv->status, bbio->bio.bi_status); } - if (atomic_dec_and_test(&priv->pending)) { + if (refcount_dec_and_test(&priv->pending_refs)) { int err = blk_status_to_errno(READ_ONCE(priv->status)); if (priv->uring_ctx) { btrfs_uring_read_extent_endio(priv->uring_ctx, err); kfree(priv); } else { - wake_up(&priv->wait); + complete(&priv->done); } } bio_put(&bbio->bio); @@ -9126,8 +9126,8 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode, if (!priv) return -ENOMEM; - init_waitqueue_head(&priv->wait); - atomic_set(&priv->pending, 1); + init_completion(&priv->done); + refcount_set(&priv->pending_refs, 1); priv->status = 0; priv->uring_ctx = uring_ctx; @@ -9140,7 +9140,7 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode, size_t bytes = min_t(u64, disk_io_size, PAGE_SIZE); if (bio_add_page(&bbio->bio, pages[i], bytes, 0) < bytes) { - atomic_inc(&priv->pending); + refcount_inc(&priv->pending_refs); btrfs_submit_bbio(bbio, 0); bbio = btrfs_bio_alloc(BIO_MAX_VECS, REQ_OP_READ, fs_info, @@ -9155,11 +9155,11 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode, disk_io_size -= bytes; } while (disk_io_size); - atomic_inc(&priv->pending); + refcount_inc(&priv->pending_refs); btrfs_submit_bbio(bbio, 0); if (uring_ctx) { - if (atomic_dec_return(&priv->pending) == 0) { + if (refcount_dec_and_test(&priv->pending_refs)) { ret = blk_status_to_errno(READ_ONCE(priv->status)); btrfs_uring_read_extent_endio(uring_ctx, ret); kfree(priv); @@ -9168,8 +9168,8 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode, return -EIOCBQUEUED; } else { - if (atomic_dec_return(&priv->pending) != 0) - io_wait_event(priv->wait, !atomic_read(&priv->pending)); + if (!refcount_dec_and_test(&priv->pending_refs)) + wait_for_completion_io(&priv->done); /* See btrfs_encoded_read_endio() for ordering. */ ret = blk_status_to_errno(READ_ONCE(priv->status)); kfree(priv);

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix use-after-free when COWing tree bock and tracing" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 44f52bbe96dfdbe4aca3818a2534520082a07040 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123027-yeah-suitcase-41e7@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 44f52bbe96dfdbe4aca3818a2534520082a07040 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Wed, 11 Dec 2024 16:08:07 +0000 Subject: [PATCH] btrfs: fix use-after-free when COWing tree bock and tracing is enabled When a COWing a tree block, at btrfs_cow_block(), and we have the tracepoint trace_btrfs_cow_block() enabled and preemption is also enabled (CONFIG_PREEMPT=y), we can trigger a use-after-free in the COWed extent buffer while inside the tracepoint code. This is because in some paths that call btrfs_cow_block(), such as btrfs_search_slot(), we are holding the last reference on the extent buffer @buf so btrfs_force_cow_block() drops the last reference on the @buf extent buffer when it calls free_extent_buffer_stale(buf), which schedules the release of the extent buffer with RCU. This means that if we are on a kernel with preemption, the current task may be preempted before calling trace_btrfs_cow_block() and the extent buffer already released by the time trace_btrfs_cow_block() is called, resulting in a use-after-free. Fix this by moving the trace_btrfs_cow_block() from btrfs_cow_block() to btrfs_force_cow_block() before the COWed extent buffer is freed. This also has a side effect of invoking the tracepoint in the tree defrag code, at defrag.c:btrfs_realloc_node(), since btrfs_force_cow_block() is called there, but this is fine and it was actually missing there. Reported-by: syzbot+8517da8635307182c8a5(a)syzkaller.appspotmail.com Link: https://lore.kernel.org/linux-btrfs/6759a9b9.050a0220.1ac542.000d.GAE@googl… CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c index 693dc27ffb89..185985a337b3 100644 --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -654,6 +654,8 @@ int btrfs_force_cow_block(struct btrfs_trans_handle *trans, goto error_unlock_cow; } } + + trace_btrfs_cow_block(root, buf, cow); if (unlock_orig) btrfs_tree_unlock(buf); free_extent_buffer_stale(buf); @@ -710,7 +712,6 @@ int btrfs_cow_block(struct btrfs_trans_handle *trans, { struct btrfs_fs_info *fs_info = root->fs_info; u64 search_start; - int ret; if (unlikely(test_bit(BTRFS_ROOT_DELETING, &root->state))) { btrfs_abort_transaction(trans, -EUCLEAN); @@ -751,12 +752,8 @@ int btrfs_cow_block(struct btrfs_trans_handle *trans, * Also We don't care about the error, as it's handled internally. */ btrfs_qgroup_trace_subtree_after_cow(trans, root, buf); - ret = btrfs_force_cow_block(trans, root, buf, parent, parent_slot, - cow_ret, search_start, 0, nest); - - trace_btrfs_cow_block(root, buf, *cow_ret); - - return ret; + return btrfs_force_cow_block(trans, root, buf, parent, parent_slot, + cow_ret, search_start, 0, nest); } ALLOW_ERROR_INJECTION(btrfs_cow_block, ERRNO);

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix use-after-free when COWing tree bock and tracing" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 44f52bbe96dfdbe4aca3818a2534520082a07040 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123025-animal-itunes-c557@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 44f52bbe96dfdbe4aca3818a2534520082a07040 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Wed, 11 Dec 2024 16:08:07 +0000 Subject: [PATCH] btrfs: fix use-after-free when COWing tree bock and tracing is enabled When a COWing a tree block, at btrfs_cow_block(), and we have the tracepoint trace_btrfs_cow_block() enabled and preemption is also enabled (CONFIG_PREEMPT=y), we can trigger a use-after-free in the COWed extent buffer while inside the tracepoint code. This is because in some paths that call btrfs_cow_block(), such as btrfs_search_slot(), we are holding the last reference on the extent buffer @buf so btrfs_force_cow_block() drops the last reference on the @buf extent buffer when it calls free_extent_buffer_stale(buf), which schedules the release of the extent buffer with RCU. This means that if we are on a kernel with preemption, the current task may be preempted before calling trace_btrfs_cow_block() and the extent buffer already released by the time trace_btrfs_cow_block() is called, resulting in a use-after-free. Fix this by moving the trace_btrfs_cow_block() from btrfs_cow_block() to btrfs_force_cow_block() before the COWed extent buffer is freed. This also has a side effect of invoking the tracepoint in the tree defrag code, at defrag.c:btrfs_realloc_node(), since btrfs_force_cow_block() is called there, but this is fine and it was actually missing there. Reported-by: syzbot+8517da8635307182c8a5(a)syzkaller.appspotmail.com Link: https://lore.kernel.org/linux-btrfs/6759a9b9.050a0220.1ac542.000d.GAE@googl… CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c index 693dc27ffb89..185985a337b3 100644 --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -654,6 +654,8 @@ int btrfs_force_cow_block(struct btrfs_trans_handle *trans, goto error_unlock_cow; } } + + trace_btrfs_cow_block(root, buf, cow); if (unlock_orig) btrfs_tree_unlock(buf); free_extent_buffer_stale(buf); @@ -710,7 +712,6 @@ int btrfs_cow_block(struct btrfs_trans_handle *trans, { struct btrfs_fs_info *fs_info = root->fs_info; u64 search_start; - int ret; if (unlikely(test_bit(BTRFS_ROOT_DELETING, &root->state))) { btrfs_abort_transaction(trans, -EUCLEAN); @@ -751,12 +752,8 @@ int btrfs_cow_block(struct btrfs_trans_handle *trans, * Also We don't care about the error, as it's handled internally. */ btrfs_qgroup_trace_subtree_after_cow(trans, root, buf); - ret = btrfs_force_cow_block(trans, root, buf, parent, parent_slot, - cow_ret, search_start, 0, nest); - - trace_btrfs_cow_block(root, buf, *cow_ret); - - return ret; + return btrfs_force_cow_block(trans, root, buf, parent, parent_slot, + cow_ret, search_start, 0, nest); } ALLOW_ERROR_INJECTION(btrfs_cow_block, ERRNO);

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix use-after-free when COWing tree bock and tracing" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 44f52bbe96dfdbe4aca3818a2534520082a07040 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123023-hardy-ravioli-a818@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 44f52bbe96dfdbe4aca3818a2534520082a07040 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Wed, 11 Dec 2024 16:08:07 +0000 Subject: [PATCH] btrfs: fix use-after-free when COWing tree bock and tracing is enabled When a COWing a tree block, at btrfs_cow_block(), and we have the tracepoint trace_btrfs_cow_block() enabled and preemption is also enabled (CONFIG_PREEMPT=y), we can trigger a use-after-free in the COWed extent buffer while inside the tracepoint code. This is because in some paths that call btrfs_cow_block(), such as btrfs_search_slot(), we are holding the last reference on the extent buffer @buf so btrfs_force_cow_block() drops the last reference on the @buf extent buffer when it calls free_extent_buffer_stale(buf), which schedules the release of the extent buffer with RCU. This means that if we are on a kernel with preemption, the current task may be preempted before calling trace_btrfs_cow_block() and the extent buffer already released by the time trace_btrfs_cow_block() is called, resulting in a use-after-free. Fix this by moving the trace_btrfs_cow_block() from btrfs_cow_block() to btrfs_force_cow_block() before the COWed extent buffer is freed. This also has a side effect of invoking the tracepoint in the tree defrag code, at defrag.c:btrfs_realloc_node(), since btrfs_force_cow_block() is called there, but this is fine and it was actually missing there. Reported-by: syzbot+8517da8635307182c8a5(a)syzkaller.appspotmail.com Link: https://lore.kernel.org/linux-btrfs/6759a9b9.050a0220.1ac542.000d.GAE@googl… CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c index 693dc27ffb89..185985a337b3 100644 --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -654,6 +654,8 @@ int btrfs_force_cow_block(struct btrfs_trans_handle *trans, goto error_unlock_cow; } } + + trace_btrfs_cow_block(root, buf, cow); if (unlock_orig) btrfs_tree_unlock(buf); free_extent_buffer_stale(buf); @@ -710,7 +712,6 @@ int btrfs_cow_block(struct btrfs_trans_handle *trans, { struct btrfs_fs_info *fs_info = root->fs_info; u64 search_start; - int ret; if (unlikely(test_bit(BTRFS_ROOT_DELETING, &root->state))) { btrfs_abort_transaction(trans, -EUCLEAN); @@ -751,12 +752,8 @@ int btrfs_cow_block(struct btrfs_trans_handle *trans, * Also We don't care about the error, as it's handled internally. */ btrfs_qgroup_trace_subtree_after_cow(trans, root, buf); - ret = btrfs_force_cow_block(trans, root, buf, parent, parent_slot, - cow_ret, search_start, 0, nest); - - trace_btrfs_cow_block(root, buf, *cow_ret); - - return ret; + return btrfs_force_cow_block(trans, root, buf, parent, parent_slot, + cow_ret, search_start, 0, nest); } ALLOW_ERROR_INJECTION(btrfs_cow_block, ERRNO);

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix use-after-free when COWing tree bock and tracing" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 44f52bbe96dfdbe4aca3818a2534520082a07040 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024123021-campus-undoing-7345@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 44f52bbe96dfdbe4aca3818a2534520082a07040 Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Wed, 11 Dec 2024 16:08:07 +0000 Subject: [PATCH] btrfs: fix use-after-free when COWing tree bock and tracing is enabled When a COWing a tree block, at btrfs_cow_block(), and we have the tracepoint trace_btrfs_cow_block() enabled and preemption is also enabled (CONFIG_PREEMPT=y), we can trigger a use-after-free in the COWed extent buffer while inside the tracepoint code. This is because in some paths that call btrfs_cow_block(), such as btrfs_search_slot(), we are holding the last reference on the extent buffer @buf so btrfs_force_cow_block() drops the last reference on the @buf extent buffer when it calls free_extent_buffer_stale(buf), which schedules the release of the extent buffer with RCU. This means that if we are on a kernel with preemption, the current task may be preempted before calling trace_btrfs_cow_block() and the extent buffer already released by the time trace_btrfs_cow_block() is called, resulting in a use-after-free. Fix this by moving the trace_btrfs_cow_block() from btrfs_cow_block() to btrfs_force_cow_block() before the COWed extent buffer is freed. This also has a side effect of invoking the tracepoint in the tree defrag code, at defrag.c:btrfs_realloc_node(), since btrfs_force_cow_block() is called there, but this is fine and it was actually missing there. Reported-by: syzbot+8517da8635307182c8a5(a)syzkaller.appspotmail.com Link: https://lore.kernel.org/linux-btrfs/6759a9b9.050a0220.1ac542.000d.GAE@googl… CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c index 693dc27ffb89..185985a337b3 100644 --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -654,6 +654,8 @@ int btrfs_force_cow_block(struct btrfs_trans_handle *trans, goto error_unlock_cow; } } + + trace_btrfs_cow_block(root, buf, cow); if (unlock_orig) btrfs_tree_unlock(buf); free_extent_buffer_stale(buf); @@ -710,7 +712,6 @@ int btrfs_cow_block(struct btrfs_trans_handle *trans, { struct btrfs_fs_info *fs_info = root->fs_info; u64 search_start; - int ret; if (unlikely(test_bit(BTRFS_ROOT_DELETING, &root->state))) { btrfs_abort_transaction(trans, -EUCLEAN); @@ -751,12 +752,8 @@ int btrfs_cow_block(struct btrfs_trans_handle *trans, * Also We don't care about the error, as it's handled internally. */ btrfs_qgroup_trace_subtree_after_cow(trans, root, buf); - ret = btrfs_force_cow_block(trans, root, buf, parent, parent_slot, - cow_ret, search_start, 0, nest); - - trace_btrfs_cow_block(root, buf, *cow_ret); - - return ret; + return btrfs_force_cow_block(trans, root, buf, parent, parent_slot, + cow_ret, search_start, 0, nest); } ALLOW_ERROR_INJECTION(btrfs_cow_block, ERRNO);

5 months, 3 weeks

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror