Make sure not to update the response message buffer for an operation
that is already scheduled for completion.
Currently if we get two incoming responses with the same id, the second
one would overwrite the response message buffer.
Reviewed-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Fix potential corruption of outgoing responses by verifying that the
operations is indeed outgoing when receiving a response.
Failure to do so could lead to an incoming response corrupting an
outgoing response that uses the same operation id.
Reported-by: Viresh Kumar <viresh.kumar@linaro.org>
Reviewed-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Fix potential use-after-free in response receive path, due to lack of
reference counting when looking up operations on a connection.
Make sure to acquire a reference to the operation while holding the
connection-list lock.
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Make sure to acquire the connection-list lock atomically when releasing
the final reference.
This allows the list to be traversed and references to be acquired
(while holding the lock) without racing with the destructor.
Suggested-by: Greg Kroah-Hartman <gregkh@google.com>
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
idr and ida structures have internal memory allocated that needs to be
freed when modules are removed. So call the proper idr_destroy() or
ida_destroy() functions on the module exit path to free the memory.
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Reviewed-by: Alex Elder <elder@linaro.org>
Its another special protocol (just like control protocol) and is
required to be accessed from other files, lets save a pointer to it in
interface structure.
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Its an essential part of greybus core and shouldn't be present as a
separate module. Make it part of greybus.ko module.
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
We failed to bind a protocol for the connection, not for bundle. And so
connection's 'dev' must be used for printing message.
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Function's name is gb_interface_init(), not gb_interface_add().
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
gb_connection_create() can initialize a connection if bundle->device id
is valid. And so the connection must be destroyed by calling
gb_connection_exit() before gb_connection_destroy(). This wasn't done in
the code that is parsing the manifest.
Fix it.
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Fix copy to/from scatterlist destination buffer offset, fix
calculation of blocks to be transfer and make a more verbose out of
error when the blocks receive/send do not match.
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
As we do not have, yet, a event callback to notify core about changes
we add the MMC_CAP_NEEDS_POLL capability to the rest of the caps
received from the module.
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Before initiating a transfers, check if the command (for single block)
match the number of blocks in the request.
While at it, fix also a missing break.
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
No need to pass the all request to the transfer related funtctions.
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
If data is not available the stop command could dereference NULL.
Fetch the stop command directly from the request instead.
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Functions were returning the wrong flag for the expected value. Swap
them.
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Between the time connection with module is up and the host is added,
we can receive events (card inserted/removed, write protection
switch), so until the setup is complete we queue the events received
and handle them after.
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Instead of using values in the command cmd_flags field use the real
flags in a bit mask.
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 22690d72ae145cf12ae3df033670ed8ad7ecdde7.
It was meant for the gbsim repo, not this one :(
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
The ccflags variable was spelled wrong, so no extra compilation flags
could be specified.
The proper flag is 'ccflags-y.'
Signed-off-by: Perry Hung <perry@leaflabs.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
An operation with a response in-flight will already have set the
operation result and would therefore never be cancelled by the current
implementation.
Note that the reference taken when sending the result will be dropped
in the message completion callback.
Also note that an incoming, non-unidirectional messages will always have
an allocated response if its result has been set.
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Make sure to allocate a response message before setting the operation
result.
This is needed to handle cancellation of incoming operations.
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Drop redundant OOM message, which would already have been logged by the
memory subsystem.
Also remove a FIXME about possibly sending a pre-allocated response,
which is neither possible or desirable. If we ever run out of memory we
have bigger problems then getting a response back to firmware.
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Add flag to identify unidirectional operations.
Use convenience helper rather than open coding the identification when
suppressing response messages.
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Add flag field to struct gb_operation, and a first flag
GB_OPERATION_FLAG_INCOMING to identify incoming operations.
Pass an initial set of flags when allocating new operations, and use
these to identify incoming operations rather than overloading the
meaning of GB_OPERATION_TYPE_INVALID. This also allows us to set the
type for all operations during allocation.
Also add convenience helper to identify incoming operations.
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
The final reference of an operation will be put after its completion
handler has run, so we must not drop the reference if it has already
been scheduled to avoid use-after-free.
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Since commit 46ce118a2678 ("operation: refactor response handling")
sending operation responses is handled by greybus core so there is
currently no need to export the response helper.
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Add gfp mask argument to gb_operation_request_send in order to allow
submissions from atomic context.
Note that responses are currently always sent from non-atomic context as
incoming requests are processed in a work queue.
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Add gfp mask argument to gb_operation_create to allow operations to be
allocated in atomic context.
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
The current host-controller message-cancellation implementation suffer
from a lifetime bug as dynamically allocated URBs would complete and be
deallocated while being unlinked as part of cancellation.
The current locking is also insufficient to prevent the related race
where the URB is deallocated before being unlinked.
Fix this by pushing the cancellation implementation from greybus core
down to the host-controller drivers, and replace the "cookie" pointer
with a hcpriv field that those drivers can use to maintain their state
with the required locking and reference counting in place.
Specifically the drivers need to acquire a reference to the URB under a
lock before calling usb_kill_urb as part of cancellation.
Note that this also removes the insufficient gb_message_mutex, which
also effectively prevented us from implementing support for submissions
from atomic context.
Instead the host-controller drivers must now explicitly make sure that
the pre-allocated URBs are not reused while cancellation is in progress.
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
They aren't used anymore, remove them. This also gets rid of
gb_bundle_connections_init().
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
While introducing bundles, the device_id also got moved to the bundle,
whereas it identifies an interface block to the AP.
Move it back to interface instead of bundle.
Calls to gb_bundle(s)_init() are dropped as connections will be
initialized while they are created now, as device_id will be valid.
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
The responsibility of this routine is to configure ARA switch to
establish a connection between a cport on the AP and a cport on an
interface.
The SVC protocol is responsible for such requests and we already have
connection_{create|destroy}_operation() to take care of this.
Moreover, this request is not served by the firmware or gbsim today and
they just print a debug message on this request. And so it is safe to
drop svc_set_route_send() function and fix the required functionality of
configuring the switch in svc protocol driver later.
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
intf_cport_id is local to an interface and same intf_cport_id can be
used for two separate interface blocks. For finding a connection for an
interface, we are matching intf_cport_id of the connection with
cport_id, passed as argument. This is wrong, as it can match for a
connection on a different interface block.
Fix it by also comparing interface block for which connection is
requested.
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
We may bind protocol with a connection from gb_connection_create(), if
bundle's device_id is already set. That's not the case until now.
But if the protocol is initialized with a call to
protocol->connection_init() from this place, kernel will crash.
This will happen because the connection isn't fully initialized yet, for
example its operation list isn't initialized yet. And as soon as the
protocol driver tries to send a request to the module from its
connection_init() callback, we will add an operation to this
uninitialized list. And it will crash while doing:
prev->next = new;
Try to bind the connection with a protocol only after the connection is
ready for operations.
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
No need to write simple init/exit routines, use
gb_builtin_protocol_driver().
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This macro is also required by core protocols like control and svc, and
hence the 'gpbridge' name doesn't fit anymore.
Lets call this macro gb_builtin_protocol_driver().
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
We have already defined macro's for SVC's major/minor numbers, lets use
them.
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
The greybus UART protocol specification was updated to reduce the size of
the control field in serial-state-request and line-state-request. This
patch updates the kernel protocol driver to reflect the specification
changes. Once applied gbsim changes will be also be updated automatically
since gbsim depends on the header being modified directly.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
After reviewing the UART specification for greybus break, parity, framing
and over-run errors were moved to the receive-data message. This patch
implements that specification change in the UART protocol driver. Matching
code in gbsim has been tested with this change.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Parity/overrun/framing and break signals have been moved to the
receive-data message to more easily associate the signals with the TTY API.
Update the definitions in the protocol header and add a flags field to the
receive-data structure to facilitate transmission of those signal with the
receive-data message.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
There are new protocols defined which don't belong to any existing
class, add more classes to support them.
Reported-by: Alexandre Bailon <abailon@baylibre.com>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
The mmc request should assigned before use. Then
It should avoid freeing before using in mmc_request_done().
Signed-off-by: Phong Tran <tranmanphong@gmail.com>
Reviewed-by: Rui Miguel Silva <rui.silva@linaro.org>
Reviewed-by: Mark Greer <mgreer@animalcreek.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
The mmc host should be removed frist. Then it
will be freed.
Signed-off-by: Phong Tran <tranmanphong@gmail.com>
Reviewed-by: Rui Miguel Silva <rui.silva@linaro.org>
Reviewed-by: Mark Greer <mgreer@animalcreek.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
The macro of sdio version major and minor is defined twice.
This patch remove the redundant one.
Signed-off-by: Phong Tran <tranmanphong@gmail.com>
Reviewed-by: Rui Miguel Silva <rui.silva@linaro.org>
Reviewed-by: Mark Greer <mgreer@animalcreek.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
The current audio code uses i2c_get_adapter() without checking
that a non-NULL pointer is returned (i.e., that the i2c device
actually exists). When that happens, the system panics.
Fix the potential panic by erroring out with -ENODEV when
i2c_get_adapter() returns NULL.
CC: John Stultz <john.stultz@linaro.com>
Signed-off-by: Mark Greer <mgreer@animalcreek.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Johan Hovold