#
5e700b38 |
|
10-Apr-2024 |
Noah Loomans <noah@noahloomans.com> |
platform/chrome: cros_ec_uart: properly fix race condition The cros_ec_uart_probe() function calls devm_serdev_device_open() before it calls serdev_device_set_client_ops(). This can trigger a NULL pointer dereference: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... Call Trace: <TASK> ... ? ttyport_receive_buf A simplified version of crashing code is as follows: static inline size_t serdev_controller_receive_buf(struct serdev_controller *ctrl, const u8 *data, size_t count) { struct serdev_device *serdev = ctrl->serdev; if (!serdev || !serdev->ops->receive_buf) // CRASH! return 0; return serdev->ops->receive_buf(serdev, data, count); } It assumes that if SERPORT_ACTIVE is set and serdev exists, serdev->ops will also exist. This conflicts with the existing cros_ec_uart_probe() logic, as it first calls devm_serdev_device_open() (which sets SERPORT_ACTIVE), and only later sets serdev->ops via serdev_device_set_client_ops(). Commit 01f95d42b8f4 ("platform/chrome: cros_ec_uart: fix race condition") attempted to fix a similar race condition, but while doing so, made the window of error for this race condition to happen much wider. Attempt to fix the race condition again, making sure we fully setup before calling devm_serdev_device_open(). Fixes: 01f95d42b8f4 ("platform/chrome: cros_ec_uart: fix race condition") Cc: stable@vger.kernel.org Signed-off-by: Noah Loomans <noah@noahloomans.com> Reviewed-by: Guenter Roeck <groeck@chromium.org> Link: https://lore.kernel.org/r/20240410182618.169042-2-noah@noahloomans.com Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
|
#
fed99212 |
|
22-Jan-2024 |
Francesco Dolcini <francesco.dolcini@toradex.com> |
treewide, serdev: change receive_buf() return type to size_t receive_buf() is called from ttyport_receive_buf() that expects values ">= 0" from serdev_controller_receive_buf(), change its return type from ssize_t to size_t. The need for this clean-up was noticed while fixing a warning, see commit 94d053942544 ("Bluetooth: btnxpuart: fix recv_buf() return value"). Changing the callback prototype to return an unsigned seems the best way to document the API and ensure that is properly used. GNSS drivers implementation of serdev receive_buf() callback return directly the return value of gnss_insert_raw(). gnss_insert_raw() returns a signed int, however this is not an issue since the value returned is always positive, because of the kfifo_in() implementation. gnss_insert_raw() could be changed to return also an unsigned, however this is not implemented here as request by the GNSS maintainer Johan Hovold. Suggested-by: Jiri Slaby <jirislaby@kernel.org> Link: https://lore.kernel.org/all/087be419-ec6b-47ad-851a-5e1e3ea5cfcc@kernel.org/ Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com> Acked-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> #for-iio Reviewed-by: Johan Hovold <johan@kernel.org> Reviewed-by: Rob Herring <robh@kernel.org> Reviewed-by: Alex Elder <elder@linaro.org> Acked-by: Maximilian Luz <luzmaximilian@gmail.com> # for platform/surface Acked-by: Lee Jones <lee@kernel.org> Acked-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Link: https://lore.kernel.org/r/20240122180551.34429-1-francesco@dolcini.it Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
#
475fc6e2 |
|
06-Dec-2023 |
Jiri Slaby (SUSE) <jirislaby@kernel.org> |
tty: serdev: convert to u8 and size_t Switch character types to u8 and sizes to size_t. To conform to characters/sizes in the rest of the tty layer. This patch converts struct serdev_device_ops hooks and its instantiations. Signed-off-by: "Jiri Slaby (SUSE)" <jirislaby@kernel.org> Cc: Rob Herring <robh@kernel.org> Acked-by: Johan Hovold <johan@kernel.org> Link: https://lore.kernel.org/r/20231206073712.17776-24-jirislaby@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
#
8bb233b2 |
|
09-Jan-2023 |
Tzung-Bi Shih <tzungbi@kernel.org> |
platform/chrome: cros_ec_uart: fix negative type promoted to high serdev_device_write_buf() returns negative numbers on errors. When the return value compares to unsigned integer `len`, it promotes to quite large positive number. Fix it. Fixes: 04a8bdd135cc ("platform/chrome: cros_ec_uart: Add transport layer") Reported-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org> Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Benson Leung <bleung@chromium.org> Link: https://lore.kernel.org/r/20230109081554.3792547-1-tzungbi@kernel.org
|
#
01f95d42 |
|
29-Dec-2022 |
Robert Zieba <robertzieba@google.com> |
platform/chrome: cros_ec_uart: fix race condition serdev_device_set_client_ops() is called before `ec_dev` is fully initialized. This can result in cros_ec_uart_rx_bytes() being called while `ec_dev` is still not initialized, resulting in a kernel panic. Call serdev_device_set_client_ops() after `ec_dev` is initialized. Fixes: 04a8bdd135cc ("platform/chrome: cros_ec_uart: Add transport layer") Signed-off-by: Robert Zieba <robertzieba@google.com> [tzungbi: modified commit message and fixed context conflict.] Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org> Reviewed-by: Guenter Roeck <groeck@chromium.org> Link: https://lore.kernel.org/r/20221229094738.2304044-1-tzungbi@kernel.org
|
#
f9bce00f |
|
27-Dec-2022 |
Bhanu Prakash Maiya <bhanumaiya@chromium.org> |
platform/chrome: cros_ec_uart: Add DT enumeration support Existing firmware uses the "PRP0001" _HID and an associated compatible string to enumerate the cros_ec_uart. Add DT enumeration support for already shipped firmware. Signed-off-by: Bhanu Prakash Maiya <bhanumaiya@chromium.org> Co-developed-by: Mark Hasemeyer <markhas@chromium.org> Signed-off-by: Mark Hasemeyer <markhas@chromium.org> Reviewed-by: Prashant Malani <pmalani@chromium.org> Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org> Link: https://lore.kernel.org/r/20221227123212.v13.3.Ie23c217d69ff25d7354db942613f143bbc8ef891@changeid
|
#
04a8bdd1 |
|
27-Dec-2022 |
Bhanu Prakash Maiya <bhanumaiya@chromium.org> |
platform/chrome: cros_ec_uart: Add transport layer This patch does following: 1. Adds a new cros-ec-uart driver. This driver can send EC requests on UART and process response packets received on UART transport. 2. Once probed, this driver will initialize the serdev device based on the underlying information in the ACPI resource. After serdev device properties are set, this driver will register itself cros-ec. 3. High level driver can use this implementation to talk to ChromeOS Embedded Controller device in case it supports UART as transport. 4. When cros-ec driver initiates a request packet, outgoing message is processed in buffer and sent via serdev. Once bytes are sent, driver enables a wait_queue. 5. Since ChromeOS EC device sends response asynchronously, AP's TTY driver accumulates response bytes and calls the registered callback. TTY driver can send multiple callback for bytes ranging from 1 to MAX bytes supported by EC device. 6. Driver waits for EC_MSG_DEADLINE_MS to collect and process received bytes. It wakes wait_queue if expected bytes are received or else wait_queue timeout. Based on the error condition, driver returns data_len or error to cros_ec. Signed-off-by: Bhanu Prakash Maiya <bhanumaiya@chromium.org> Co-developed-by: Mark Hasemeyer <markhas@chromium.org> Signed-off-by: Mark Hasemeyer <markhas@chromium.org> Reviewed-by: Prashant Malani <pmalani@chromium.org> Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org> Link: https://lore.kernel.org/r/20221227123212.v13.1.If7926fcbad397bc6990dd725690229bed403948c@changeid
|