Fix the payload size of incoming requests, which should not include the
operation message-header size.
When creating requests we pass the sizes of request and response
payloads and greybus core allocates buffers and adds the required
headers. Specifically, the payload sizes do not include the
message-header size.
This is currently not the case for incoming requests however, something
which prevents protocol drivers from implementing appropriate input
verification and could lead to random data being treated as a valid
message in case of a short request.
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
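The short-request problem described in the commit message above, as an added example that is not part of the commit and is not greybus code. The header layout, `struct event_request`, and the functions `request_payload_size`, `handle_event` and `deliver` are hypothetical; the sample buffer is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format for this sketch, not the greybus definitions. */
struct msg_header { uint16_t size; uint16_t id; uint8_t type; uint8_t pad[3]; };
struct event_request { uint8_t which; uint8_t pad[3]; };

/* Payload size handed to the handler; include_header != 0 models the defect. */
static size_t request_payload_size(size_t msg_size, int include_header)
{
    if (msg_size < sizeof(struct msg_header))
        return 0;
    return include_header ? msg_size : msg_size - sizeof(struct msg_header);
}

/* Handler-side input verification: 0 if accepted, -1 if the request is short. */
static int handle_event(const uint8_t *buf, size_t msg_size,
                        int include_header, uint8_t *which)
{
    struct event_request req;

    if (request_payload_size(msg_size, include_header) < sizeof(req))
        return -1;
    /* With the inflated size, this copies bytes past the end of the message. */
    memcpy(&req, buf + sizeof(struct msg_header), sizeof(req));
    *which = req.which;
    return 0;
}

/* Constructed input: a reused 16-byte receive buffer holding stale 0xAA bytes,
 * into which a message of msg_size bytes (header first) has arrived. */
static int deliver(size_t msg_size, uint8_t payload0, int include_header,
                   uint8_t *which)
{
    uint8_t buf[16];

    memset(buf, 0xAA, sizeof(buf));
    memset(buf, 0, sizeof(struct msg_header));
    if (msg_size > sizeof(struct msg_header))
        buf[sizeof(struct msg_header)] = payload0;
    return handle_event(buf, msg_size, include_header, which);
}

int main(void)
{
    uint8_t which = 0;
    int ret = deliver(sizeof(struct msg_header), 0, 1, &which);

    printf("header-only request, size includes header: ret=%d which=0x%02x\n",
           ret, which);
    ret = deliver(sizeof(struct msg_header), 0, 0, &which);
    printf("header-only request, payload size only:    ret=%d\n", ret);
    return 0;
}
```

When the size passed to the handler includes the header, a header-only request passes the length check and the stale buffer byte is read as the event field; with the payload-only size the same request is rejected.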
Johan Hovold [Fri, 27 Mar 2015 11:41:17 +0000 (12:41 +0100)]
greybus: operation: fix null-deref on operation destroy
Incoming operations are created without a response message. If a
protocol driver fails to send a response, or if the operation were to be
cancelled before it has been fully processed, we get a null-pointer
dereference when the operation is released.
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
Johan Hovold [Fri, 27 Mar 2015 11:41:16 +0000 (12:41 +0100)]
greybus: operation: fix null-deref on operation cancel
Incoming operations are created without a response message. If an
operation were to be cancelled before it has been fully processed (e.g.
on connection destroy), we would get a null-pointer dereference in
gb_operation_cancel.
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
Johan Hovold [Fri, 27 Mar 2015 11:41:13 +0000 (12:41 +0100)]
greybus: operation: fix use-after-free when sending responses
Fix use-after-free when sending responses due to reference imbalance.
Make sure to take a reference to the operation when sending responses.
This reference is dropped in greybus_data_sent when the message has been
sent, while the initial reference is dropped in gb_operation_work after
processing the corresponding request.
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
Johan Hovold [Fri, 27 Mar 2015 11:41:12 +0000 (12:41 +0100)]
greybus: operation: fix callback handling and documentation
Fix up obsolete comments referring to null callback pointers for
synchronous operations, and make sure a callback is always provided when
sending a request.
Also document that the callback is responsible for dropping the initial
(and not necessarily final) reference to the operation.
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
Johan Hovold [Fri, 27 Mar 2015 11:41:10 +0000 (12:41 +0100)]
greybus: operation: fix missing symbol exports
Add missing EXPORT_SYMBOL_GPL for gb_operation_response_alloc,
gb_operation_result, gb_operation_get, gb_operation_request_send and
gb_operation_cancel, which are all supposed to be accessible from
protocol handlers.
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
Viresh Kumar [Fri, 27 Mar 2015 11:02:56 +0000 (16:32 +0530)]
greybus: kernel_ver.h: include <linux/kernel.h> to fix warning
And this is the warning I was getting on kernel version > 3.14
CC [M] greybus/connection.o
In file included from
include/asm-generic/gpio.h:4:0,
from arch/arm/include/asm/gpio.h:9,
from include/linux/gpio.h:48,
from greybus/kernel_ver.h:59,
from greybus/connection.c:12:
include/linux/kernel.h:35:0: warning: "U16_MAX" redefined
kernel_ver.h is taking care of defining U16_MAX only if it is not defined earlier,
but it is often included as the first .h file. <linux/kernel.h> might be
included later, which always defines it, unconditionally. And so this warning.
Alex Elder [Fri, 27 Mar 2015 02:25:01 +0000 (21:25 -0500)]
greybus: clean up some small messes
This is an old patch that I neglected to send out. It's cleaning
up a couple things that got committed before I had a chance to
comment on them.
In operation.c there is a "FIXME" comment that is easily proven
wrong by inspection.
In gb_protocol_put(), there is another wrong "FIXME" comment as
well. We can also use our cached copies of the protocol major
and minor version number in another spot. And balance that
out by using a cached copy of the protocol id.
Signed-off-by: Alex Elder <elder@linaro.org>
Reviewed-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
Viresh Kumar [Tue, 24 Mar 2015 14:44:29 +0000 (20:14 +0530)]
greybus: interface: put module->dev on failures
In order to decrement the reference count of module on failures, we must call
put_device(module->dev). This was missing for one of the error cases, fix it.
Viresh Kumar [Tue, 24 Mar 2015 11:38:13 +0000 (17:08 +0530)]
greybus: manifest: descriptor size should be >= header size
We are calculating descriptors' expected size differently based on the type of
descriptor, that's fine but at a few places we aren't taking size of the header
into account. And that looks wrong.
Let's make sure it is at least as big as descriptor's header.
greybus: es1: move debugfs function to use kstrotoint_from_user()
No need to duplicate built-in functions that the kernel has, so have the
core kernel parse the userspace string. Saves us an allocation and
makes the logic simpler.
Alexandre Bailon [Mon, 23 Mar 2015 16:52:37 +0000 (17:52 +0100)]
greybus: Dump log from APB1
On AP module (form factor), we don't have access to APBridge JTAG or UART.
But sometimes, we still need to get log from APBridge. Add a new request in control endpoint
to get APBridge logs.
Logs can be accessed using debugfs (greybus/apb1_log).
Johan Hovold [Thu, 19 Mar 2015 15:55:23 +0000 (16:55 +0100)]
greybus: gpio: add error messages to callbacks not propagating errors
Add error messages on failures to deactivate, set and get operation
handlers as any errors would not be detected by the upper layers (either
because the callbacks are declared void or expected to return a boolean
value).
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
Remove overly defensive argument verification in gpio-chip callbacks. We
should trust gpiolib to get this right (or we would not even get any
callback) just like the other gpio drivers do.
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
Johan Hovold [Thu, 19 Mar 2015 15:46:18 +0000 (16:46 +0100)]
greybus: operation: use dev_err in gb_operation_sync
Use the more informative dev_err in gb_operation_sync, which includes
the connection device name in the error message (which in turn encodes
the module, interface, bundle and cport ids).
Add missing braces to conditional-construct branches while at it.
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
Johan Hovold [Thu, 19 Mar 2015 15:46:17 +0000 (16:46 +0100)]
greybus: connection: replace custom error function with dev_err
Remove custom connection error function and replace it with dev_err.
The standard error function provides more information in the message
prefix (e.g. includes the interface id), has well-known semantics
(e.g. does not add newlines to messages), and is even somewhat
shorter to type.
Note that some uses of the custom function were already adding double
newlines due to the non-standard semantics.
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
Johan Hovold [Thu, 19 Mar 2015 15:46:14 +0000 (16:46 +0100)]
greybus: ap: fix svc handshake protocol check
Fix incorrect SVC handshake protocol check, which would only bail out if
both major and minor protocol versions supported by the SVC differed.
Since we currently only support one version of the protocol, upgrade the
debug message to warning and bail unless the protocol versions match
perfectly for now.
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
Johan Hovold [Tue, 17 Mar 2015 09:55:52 +0000 (10:55 +0100)]
greybus: connection: fix oops after failed init
Make sure not to call connection_exit for connections that have never
been initialised (e.g. due to failure to init).
This fixes oopses due to null-dereferences and use-after-free in
connection_exit callbacks (e.g. trying to remove a gpio-chip that has
never been added) when the bundle and interface are ultimately
destroyed.
Johan Hovold [Mon, 2 Mar 2015 08:55:26 +0000 (09:55 +0100)]
greybus: connection: fix locking in gb_hd_connection_find
Fix unconditional re-enabling of interrupts in gb_hd_connection_find,
which can be called with local interrupts disabled from the USB
completion handler.
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
When it receives an interrupt, the function gb_gpio_request_recv doesn't
use the good gpio number to get the irq number. Then, the expected irq is never fired.
Johan Hovold [Mon, 2 Mar 2015 11:34:40 +0000 (12:34 +0100)]
greybus: operation: fix locking issues
Fix unconditional re-enabling of interrupts in various operation
functions that can all be called with local interrupts disabled from USB
completion handlers.
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
Johan Hovold [Fri, 13 Feb 2015 06:58:04 +0000 (14:58 +0800)]
greybus: gpio: fix memory leaks at init and exit
Fix three related memory leaks in the init and exit callbacks, where the
gpio-lines array was never freed at all and the controller data wasn't
freed in the init error path.
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
Matt Porter [Tue, 17 Feb 2015 15:48:23 +0000 (10:48 -0500)]
greybus: gpio: add interrupt handling support
Adds gpio interrupt handling support using an irqchip/irqdomain
instantiation inside the GB GPIO driver. This implementation works
on older kernels such as 3.10 that do not have the gpiolib irqchip
helpers. Any line on a Greybus gpiochip may be configured as an
interrupt. Once configured, IRQ event messages received from a
module fire off the registered interrupt handler.
Signed-off-by: Matt Porter <mporter@linaro.org>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
Johan Hovold [Fri, 13 Feb 2015 03:28:09 +0000 (11:28 +0800)]
greybus: bundle: fix sleep-while-atomic in gb_bundle_destroy
Make sure to release the spin lock protecting the interface bundle lists
before tearing down the connections and removing the bundle device,
which are operations that may sleep.
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
greybus: es1.c: wait until the last possible minute to start the svc messages
When initializing the USB device, we were starting up the svc message
queue before the cport urbs were allocated. This might not be an issue
for "slower" machines, but not having any allocated urbs for a cport
might be an issue if we were to handle svc messages.
So wait until everything is properly initialized and allocated before
starting the svc urb.
SVC messages come in in an "order", so don't mess them up by processing
them out of order. Fix this by making our work queue ordered, which
should keep everything in line.
Reported-by: Perry Hung <perry@leaflabs.com>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
Viresh Kumar [Thu, 22 Jan 2015 06:40:38 +0000 (12:10 +0530)]
greybus: i2c: fix name conflict between function and struct: gb_i2c_transfer_request
'gb_i2c_transfer_request' is the name given to a function and a struct. Though
we don't get any compilation errors/warnings about it, but the names should be
unique.
Viresh Kumar [Thu, 22 Jan 2015 07:12:39 +0000 (12:42 +0530)]
greybus: i2c: fix name conflict between function and struct: gb_i2c_transfer_response
'gb_i2c_transfer_response' is the name given to a function and a struct. Though
we don't get any compilation errors/warnings about it, but the names should be
unique.
Alexandre Bailon [Thu, 22 Jan 2015 07:23:37 +0000 (15:23 +0800)]
greybus: protocol.c: fix a kernel panic caused by __gb_protocol_register
__gb_protocol_register checks if the protocol is not already registered,
and then registers it. It registers in existing->lists but at this point,
existing is always NULL (we exit just before if not).
Use gb_protocols instead.
Viresh Kumar [Wed, 21 Jan 2015 10:40:41 +0000 (16:10 +0530)]
greybus: Remove "gb-" prefix from .c files
Some files are still prefixed with "gb-" with the reasoning that the modules
would be named so, i.e. gb-*.ko. But this can be done by playing a bit in
Makefile instead and keep uniform naming of .c files.
Viresh Kumar [Wed, 21 Jan 2015 10:40:40 +0000 (16:10 +0530)]
greybus: Remove "-gb" suffix from .c files
Some files are prefixed with "gb-" and some are suffixed with "-gb". The
rationale behind the first one is that the modules would be named so, i.e.
gb-*.ko. But there is no reason to keep the "-gb" suffix in the second case.
Rui Miguel Silva [Tue, 20 Jan 2015 16:38:44 +0000 (16:38 +0000)]
greybus: es1: release urb on error path
If an error is returned when submitting the urb, we need to make sure to release the
urb from the pool, or from the dynamically allocated. As in it, factor out the free
code and create the free_urb function.
Signed-off-by: Rui Miguel Silva <rmfrfs@gmail.com>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
Perry Hung [Wed, 14 Jan 2015 21:19:26 +0000 (16:19 -0500)]
greybus: gb_operation: replace timeout workqueue
If an operation is issued and the response never comes back,
gb_operation_timeout() cancels the operation but never wakes up the
waiter in gb_operation_request_send().
This patch removes the timeout workqueue and changes the request wait to
wait_for_completion_interruptible_timeout(), with timeout set to
OPERATION_TIMEOUT_DEFAULT.
Signed-off-by: Perry Hung <perry@leaflabs.com>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>