FSI Updates for 4.19
This adds two FSI fixes:
- Fix a NULL dereference in the scom driver
- Fix a command buffer size issue in the sbefifo driver that
breaks some operations with POWER system debugger (cronus)
-----BEGIN PGP SIGNATURE-----
iQIbBAABAgAGBQJbaoOMAAoJEHM62YSLdExefOYP9jXixt/mn6Hu4/mBJwj1CnRC
ceGHeDz3uJCb67RkXhSc3z2MAqt0CrRCrj0knCk0tO6V5kjwPiAnNY2iO/TQGw3g
6h9DLIEw/kHBov1/VnZQEocoyJUyt/ykFKFinsSjn4L1dWRvgi5Uu4EzGHLRfJ7D
MVs3bKEFcvZ/lky8e7jy/aRGp9bjbtvDQs5OuPuhB1fahWcitvVTAtMMRE7nKf62
WlJlMFBXT5q7G3FNhUmw2KpjufS+KnWjhlg7mbhrwi5VL6XBDtO9sEEhRUOD4aXk
GpvlO/iIyozDF9KADnT7ERJqeZv5o8ROigM7/G2Kk+DAiVNYXmciUYCGT2Dtcs6d
51B3JB3NzW6cN0Zx/sWeqTcC+ai12t8l/+loPQfm2UR+ZgOnNhs8qZhQAU8KoEXY
2ULc7MpyM8JJQTJZ+il+FxEFhPjHK1rD8aLG9nQn62V41+JqXI2hZDRPdMhGp3WJ
vDdD305dnRgUiVQN+MVTbGFdnAXVgUDLcmWtyNCE1fU/dyCKDvLro7YpXBsqCrSt
iW0SixKlXZ59O90wJgvKAv01ySe7waQsv8Q5SMri+C2YPAhwZDGWxq9Crh/PVwNT
QUthWbTlvzcCtNEORINY7d4RTSoN3QLyIYzufXDJfNllhDGxEzAgVEXVGVtMv4M5
mefsATWRRrpOC/8X7ko=
=sE5y
-----END PGP SIGNATURE-----
Merge tag 'fsi-updates-2018-08-08' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/linux-fsi into char-misc-next
Ben writes:
FSI Updates for 4.19
This adds two FSI fixes:
- Fix a NULL dereference in the scom driver
- Fix a command buffer size issue in the sbefifo driver that
breaks some operations with POWER system debugger (cronus)
This commit is contained in:
Greg Kroah-Hartman
commit
6d33b3069e
|
|
@ -30,6 +30,7 @@
|
|||
#include <linux/delay.h>
|
||||
#include <linux/uio.h>
|
||||
#include <linux/vmalloc.h>
|
||||
#include <linux/mm.h>
|
||||
|
||||
/*
|
||||
* The SBEFIFO is a pipe-like FSI device for communicating with
|
||||
|
|
@ -110,7 +111,7 @@ enum sbe_state
|
|||
#define SBEFIFO_TIMEOUT_IN_RSP 1000
|
||||
|
||||
/* Other constants */
|
||||
#define SBEFIFO_MAX_CMD_LEN PAGE_SIZE
|
||||
#define SBEFIFO_MAX_USER_CMD_LEN (0x100000 + PAGE_SIZE)
|
||||
#define SBEFIFO_RESET_MAGIC 0x52534554 /* "RSET" */
|
||||
|
||||
struct sbefifo {
|
||||
|
|
@ -128,6 +129,7 @@ struct sbefifo {
|
|||
struct sbefifo_user {
|
||||
struct sbefifo *sbefifo;
|
||||
struct mutex file_lock;
|
||||
void *cmd_page;
|
||||
void *pending_cmd;
|
||||
size_t pending_len;
|
||||
};
|
||||
|
|
@ -726,7 +728,7 @@ int sbefifo_submit(struct device *dev, const __be32 *command, size_t cmd_len,
|
|||
return -ENODEV;
|
||||
if (WARN_ON_ONCE(sbefifo->magic != SBEFIFO_MAGIC))
|
||||
return -ENODEV;
|
||||
if (!resp_len || !command || !response || cmd_len > SBEFIFO_MAX_CMD_LEN)
|
||||
if (!resp_len || !command || !response)
|
||||
return -EINVAL;
|
||||
|
||||
/* Prepare iov iterator */
|
||||
|
|
@ -751,6 +753,15 @@ EXPORT_SYMBOL_GPL(sbefifo_submit);
|
|||
/*
|
||||
* Char device interface
|
||||
*/
|
||||
|
||||
static void sbefifo_release_command(struct sbefifo_user *user)
|
||||
{
|
||||
if (is_vmalloc_addr(user->pending_cmd))
|
||||
vfree(user->pending_cmd);
|
||||
user->pending_cmd = NULL;
|
||||
user->pending_len = 0;
|
||||
}
|
||||
|
||||
static int sbefifo_user_open(struct inode *inode, struct file *file)
|
||||
{
|
||||
struct sbefifo *sbefifo = container_of(inode->i_cdev, struct sbefifo, cdev);
|
||||
|
|
@ -762,8 +773,8 @@ static int sbefifo_user_open(struct inode *inode, struct file *file)
|
|||
|
||||
file->private_data = user;
|
||||
user->sbefifo = sbefifo;
|
||||
user->pending_cmd = (void *)__get_free_page(GFP_KERNEL);
|
||||
if (!user->pending_cmd) {
|
||||
user->cmd_page = (void *)__get_free_page(GFP_KERNEL);
|
||||
if (!user->cmd_page) {
|
||||
kfree(user);
|
||||
return -ENOMEM;
|
||||
}
|
||||
|
|
@ -816,7 +827,7 @@ static ssize_t sbefifo_user_read(struct file *file, char __user *buf,
|
|||
/* Extract the response length */
|
||||
rc = len - iov_iter_count(&resp_iter);
|
||||
bail:
|
||||
user->pending_len = 0;
|
||||
sbefifo_release_command(user);
|
||||
mutex_unlock(&user->file_lock);
|
||||
return rc;
|
||||
}
|
||||
|
|
@ -831,13 +842,23 @@ static ssize_t sbefifo_user_write(struct file *file, const char __user *buf,
|
|||
if (!user)
|
||||
return -EINVAL;
|
||||
sbefifo = user->sbefifo;
|
||||
if (len > SBEFIFO_MAX_CMD_LEN)
|
||||
if (len > SBEFIFO_MAX_USER_CMD_LEN)
|
||||
return -EINVAL;
|
||||
if (len & 3)
|
||||
return -EINVAL;
|
||||
|
||||
mutex_lock(&user->file_lock);
|
||||
|
||||
/* Can we use the pre-allocate buffer ? If not, allocate */
|
||||
if (len <= PAGE_SIZE)
|
||||
user->pending_cmd = user->cmd_page;
|
||||
else
|
||||
user->pending_cmd = vmalloc(len);
|
||||
if (!user->pending_cmd) {
|
||||
rc = -ENOMEM;
|
||||
goto bail;
|
||||
}
|
||||
|
||||
/* Copy the command into the staging buffer */
|
||||
if (copy_from_user(user->pending_cmd, buf, len)) {
|
||||
rc = -EFAULT;
|
||||
|
|
@ -863,6 +884,9 @@ static ssize_t sbefifo_user_write(struct file *file, const char __user *buf,
|
|||
/* Update the staging buffer size */
|
||||
user->pending_len = len;
|
||||
bail:
|
||||
if (!user->pending_len)
|
||||
sbefifo_release_command(user);
|
||||
|
||||
mutex_unlock(&user->file_lock);
|
||||
|
||||
/* And that's it, we'll issue the command on a read */
|
||||
|
|
@ -876,7 +900,8 @@ static int sbefifo_user_release(struct inode *inode, struct file *file)
|
|||
if (!user)
|
||||
return -EINVAL;
|
||||
|
||||
free_page((unsigned long)user->pending_cmd);
|
||||
sbefifo_release_command(user);
|
||||
free_page((unsigned long)user->cmd_page);
|
||||
kfree(user);
|
||||
|
||||
return 0;
|
||||
|
|
|
|||
|
|
@ -598,6 +598,7 @@ static int scom_probe(struct device *dev)
|
|||
kfree(scom);
|
||||
return -ENODEV;
|
||||
}
|
||||
scom->fsi_dev = fsi_dev;
|
||||
|
||||
/* Create chardev for userspace access */
|
||||
scom->dev.type = &fsi_cdev_type;
|
||||
|
|
|
|||
Loading…
Reference in New Issue