mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-16 16:54:20 +08:00
bf0cd60b7e
AV/C deferred transaction was supported at a commit00a7bb81c2
("ALSA: firewire-lib: Add support for deferred transaction") while 'deferrable' flag can be uninitialized for non-control/notify AV/C transactions. UBSAN reports it: kernel: ================================================================================ kernel: UBSAN: invalid-load in /build/linux-aa0B4d/linux-5.15.0/sound/firewire/fcp.c:363:9 kernel: load of value 158 is not a valid value for type '_Bool' kernel: CPU: 3 PID: 182227 Comm: irq/35-firewire Tainted: P OE 5.15.0-18-generic #18-Ubuntu kernel: Hardware name: Gigabyte Technology Co., Ltd. AX370-Gaming 5/AX370-Gaming 5, BIOS F42b 08/01/2019 kernel: Call Trace: kernel: <IRQ> kernel: show_stack+0x52/0x58 kernel: dump_stack_lvl+0x4a/0x5f kernel: dump_stack+0x10/0x12 kernel: ubsan_epilogue+0x9/0x45 kernel: __ubsan_handle_load_invalid_value.cold+0x44/0x49 kernel: fcp_response.part.0.cold+0x1a/0x2b [snd_firewire_lib] kernel: fcp_response+0x28/0x30 [snd_firewire_lib] kernel: fw_core_handle_request+0x230/0x3d0 [firewire_core] kernel: handle_ar_packet+0x1d9/0x200 [firewire_ohci] kernel: ? handle_ar_packet+0x1d9/0x200 [firewire_ohci] kernel: ? transmit_complete_callback+0x9f/0x120 [firewire_core] kernel: ar_context_tasklet+0xa8/0x2e0 [firewire_ohci] kernel: tasklet_action_common.constprop.0+0xea/0xf0 kernel: tasklet_action+0x22/0x30 kernel: __do_softirq+0xd9/0x2e3 kernel: ? irq_finalize_oneshot.part.0+0xf0/0xf0 kernel: do_softirq+0x75/0xa0 kernel: </IRQ> kernel: <TASK> kernel: __local_bh_enable_ip+0x50/0x60 kernel: irq_forced_thread_fn+0x7e/0x90 kernel: irq_thread+0xba/0x190 kernel: ? irq_thread_fn+0x60/0x60 kernel: kthread+0x11e/0x140 kernel: ? irq_thread_check_affinity+0xf0/0xf0 kernel: ? set_kthread_struct+0x50/0x50 kernel: ret_from_fork+0x22/0x30 kernel: </TASK> kernel: ================================================================================ This commit fixes the bug. The bug has no disadvantage for the non- control/notify AV/C transactions since the flag has an effect for AV/C response with INTERIM (0x0f) status which is not used for the transactions in AV/C general specification. Fixes:00a7bb81c2
("ALSA: firewire-lib: Add support for deferred transaction") Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Link: https://lore.kernel.org/r/20220304125647.78430-1-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai <tiwai@suse.de>
402 lines
10 KiB
C
402 lines
10 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
/*
|
|
* Function Control Protocol (IEC 61883-1) helper functions
|
|
*
|
|
* Copyright (c) Clemens Ladisch <clemens@ladisch.de>
|
|
*/
|
|
|
|
#include <linux/device.h>
|
|
#include <linux/firewire.h>
|
|
#include <linux/firewire-constants.h>
|
|
#include <linux/list.h>
|
|
#include <linux/module.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/sched.h>
|
|
#include <linux/spinlock.h>
|
|
#include <linux/wait.h>
|
|
#include <linux/delay.h>
|
|
#include "fcp.h"
|
|
#include "lib.h"
|
|
#include "amdtp-stream.h"
|
|
|
|
#define CTS_AVC 0x00
|
|
|
|
#define ERROR_RETRIES 3
|
|
#define ERROR_DELAY_MS 5
|
|
#define FCP_TIMEOUT_MS 125
|
|
|
|
int avc_general_set_sig_fmt(struct fw_unit *unit, unsigned int rate,
|
|
enum avc_general_plug_dir dir,
|
|
unsigned short pid)
|
|
{
|
|
unsigned int sfc;
|
|
u8 *buf;
|
|
bool flag;
|
|
int err;
|
|
|
|
flag = false;
|
|
for (sfc = 0; sfc < CIP_SFC_COUNT; sfc++) {
|
|
if (amdtp_rate_table[sfc] == rate) {
|
|
flag = true;
|
|
break;
|
|
}
|
|
}
|
|
if (!flag)
|
|
return -EINVAL;
|
|
|
|
buf = kzalloc(8, GFP_KERNEL);
|
|
if (buf == NULL)
|
|
return -ENOMEM;
|
|
|
|
buf[0] = 0x00; /* AV/C CONTROL */
|
|
buf[1] = 0xff; /* UNIT */
|
|
if (dir == AVC_GENERAL_PLUG_DIR_IN)
|
|
buf[2] = 0x19; /* INPUT PLUG SIGNAL FORMAT */
|
|
else
|
|
buf[2] = 0x18; /* OUTPUT PLUG SIGNAL FORMAT */
|
|
buf[3] = 0xff & pid; /* plug id */
|
|
buf[4] = 0x90; /* EOH_1, Form_1, FMT. AM824 */
|
|
buf[5] = 0x07 & sfc; /* FDF-hi. AM824, frequency */
|
|
buf[6] = 0xff; /* FDF-mid. AM824, SYT hi (not used)*/
|
|
buf[7] = 0xff; /* FDF-low. AM824, SYT lo (not used) */
|
|
|
|
/* do transaction and check buf[1-5] are the same against command */
|
|
err = fcp_avc_transaction(unit, buf, 8, buf, 8,
|
|
BIT(1) | BIT(2) | BIT(3) | BIT(4) | BIT(5));
|
|
if (err < 0)
|
|
;
|
|
else if (err < 8)
|
|
err = -EIO;
|
|
else if (buf[0] == 0x08) /* NOT IMPLEMENTED */
|
|
err = -ENOSYS;
|
|
else if (buf[0] == 0x0a) /* REJECTED */
|
|
err = -EINVAL;
|
|
if (err < 0)
|
|
goto end;
|
|
|
|
err = 0;
|
|
end:
|
|
kfree(buf);
|
|
return err;
|
|
}
|
|
EXPORT_SYMBOL(avc_general_set_sig_fmt);
|
|
|
|
int avc_general_get_sig_fmt(struct fw_unit *unit, unsigned int *rate,
|
|
enum avc_general_plug_dir dir,
|
|
unsigned short pid)
|
|
{
|
|
unsigned int sfc;
|
|
u8 *buf;
|
|
int err;
|
|
|
|
buf = kzalloc(8, GFP_KERNEL);
|
|
if (buf == NULL)
|
|
return -ENOMEM;
|
|
|
|
buf[0] = 0x01; /* AV/C STATUS */
|
|
buf[1] = 0xff; /* Unit */
|
|
if (dir == AVC_GENERAL_PLUG_DIR_IN)
|
|
buf[2] = 0x19; /* INPUT PLUG SIGNAL FORMAT */
|
|
else
|
|
buf[2] = 0x18; /* OUTPUT PLUG SIGNAL FORMAT */
|
|
buf[3] = 0xff & pid; /* plug id */
|
|
buf[4] = 0x90; /* EOH_1, Form_1, FMT. AM824 */
|
|
buf[5] = 0xff; /* FDF-hi. AM824, frequency */
|
|
buf[6] = 0xff; /* FDF-mid. AM824, SYT hi (not used) */
|
|
buf[7] = 0xff; /* FDF-low. AM824, SYT lo (not used) */
|
|
|
|
/* do transaction and check buf[1-4] are the same against command */
|
|
err = fcp_avc_transaction(unit, buf, 8, buf, 8,
|
|
BIT(1) | BIT(2) | BIT(3) | BIT(4));
|
|
if (err < 0)
|
|
;
|
|
else if (err < 8)
|
|
err = -EIO;
|
|
else if (buf[0] == 0x08) /* NOT IMPLEMENTED */
|
|
err = -ENOSYS;
|
|
else if (buf[0] == 0x0a) /* REJECTED */
|
|
err = -EINVAL;
|
|
else if (buf[0] == 0x0b) /* IN TRANSITION */
|
|
err = -EAGAIN;
|
|
if (err < 0)
|
|
goto end;
|
|
|
|
/* check sfc field and pick up rate */
|
|
sfc = 0x07 & buf[5];
|
|
if (sfc >= CIP_SFC_COUNT) {
|
|
err = -EAGAIN; /* also in transition */
|
|
goto end;
|
|
}
|
|
|
|
*rate = amdtp_rate_table[sfc];
|
|
err = 0;
|
|
end:
|
|
kfree(buf);
|
|
return err;
|
|
}
|
|
EXPORT_SYMBOL(avc_general_get_sig_fmt);
|
|
|
|
int avc_general_get_plug_info(struct fw_unit *unit, unsigned int subunit_type,
|
|
unsigned int subunit_id, unsigned int subfunction,
|
|
u8 info[AVC_PLUG_INFO_BUF_BYTES])
|
|
{
|
|
u8 *buf;
|
|
int err;
|
|
|
|
/* extended subunit in spec.4.2 is not supported */
|
|
if ((subunit_type == 0x1E) || (subunit_id == 5))
|
|
return -EINVAL;
|
|
|
|
buf = kzalloc(8, GFP_KERNEL);
|
|
if (buf == NULL)
|
|
return -ENOMEM;
|
|
|
|
buf[0] = 0x01; /* AV/C STATUS */
|
|
/* UNIT or Subunit, Functionblock */
|
|
buf[1] = ((subunit_type & 0x1f) << 3) | (subunit_id & 0x7);
|
|
buf[2] = 0x02; /* PLUG INFO */
|
|
buf[3] = 0xff & subfunction;
|
|
|
|
err = fcp_avc_transaction(unit, buf, 8, buf, 8, BIT(1) | BIT(2));
|
|
if (err < 0)
|
|
;
|
|
else if (err < 8)
|
|
err = -EIO;
|
|
else if (buf[0] == 0x08) /* NOT IMPLEMENTED */
|
|
err = -ENOSYS;
|
|
else if (buf[0] == 0x0a) /* REJECTED */
|
|
err = -EINVAL;
|
|
else if (buf[0] == 0x0b) /* IN TRANSITION */
|
|
err = -EAGAIN;
|
|
if (err < 0)
|
|
goto end;
|
|
|
|
info[0] = buf[4];
|
|
info[1] = buf[5];
|
|
info[2] = buf[6];
|
|
info[3] = buf[7];
|
|
|
|
err = 0;
|
|
end:
|
|
kfree(buf);
|
|
return err;
|
|
}
|
|
EXPORT_SYMBOL(avc_general_get_plug_info);
|
|
|
|
static DEFINE_SPINLOCK(transactions_lock);
|
|
static LIST_HEAD(transactions);
|
|
|
|
enum fcp_state {
|
|
STATE_PENDING,
|
|
STATE_BUS_RESET,
|
|
STATE_COMPLETE,
|
|
STATE_DEFERRED,
|
|
};
|
|
|
|
struct fcp_transaction {
|
|
struct list_head list;
|
|
struct fw_unit *unit;
|
|
void *response_buffer;
|
|
unsigned int response_size;
|
|
unsigned int response_match_bytes;
|
|
enum fcp_state state;
|
|
wait_queue_head_t wait;
|
|
bool deferrable;
|
|
};
|
|
|
|
/**
|
|
* fcp_avc_transaction - send an AV/C command and wait for its response
|
|
* @unit: a unit on the target device
|
|
* @command: a buffer containing the command frame; must be DMA-able
|
|
* @command_size: the size of @command
|
|
* @response: a buffer for the response frame
|
|
* @response_size: the maximum size of @response
|
|
* @response_match_bytes: a bitmap specifying the bytes used to detect the
|
|
* correct response frame
|
|
*
|
|
* This function sends a FCP command frame to the target and waits for the
|
|
* corresponding response frame to be returned.
|
|
*
|
|
* Because it is possible for multiple FCP transactions to be active at the
|
|
* same time, the correct response frame is detected by the value of certain
|
|
* bytes. These bytes must be set in @response before calling this function,
|
|
* and the corresponding bits must be set in @response_match_bytes.
|
|
*
|
|
* @command and @response can point to the same buffer.
|
|
*
|
|
* Returns the actual size of the response frame, or a negative error code.
|
|
*/
|
|
int fcp_avc_transaction(struct fw_unit *unit,
|
|
const void *command, unsigned int command_size,
|
|
void *response, unsigned int response_size,
|
|
unsigned int response_match_bytes)
|
|
{
|
|
struct fcp_transaction t;
|
|
int tcode, ret, tries = 0;
|
|
|
|
t.unit = unit;
|
|
t.response_buffer = response;
|
|
t.response_size = response_size;
|
|
t.response_match_bytes = response_match_bytes;
|
|
t.state = STATE_PENDING;
|
|
init_waitqueue_head(&t.wait);
|
|
t.deferrable = (*(const u8 *)command == 0x00 || *(const u8 *)command == 0x03);
|
|
|
|
spin_lock_irq(&transactions_lock);
|
|
list_add_tail(&t.list, &transactions);
|
|
spin_unlock_irq(&transactions_lock);
|
|
|
|
for (;;) {
|
|
tcode = command_size == 4 ? TCODE_WRITE_QUADLET_REQUEST
|
|
: TCODE_WRITE_BLOCK_REQUEST;
|
|
ret = snd_fw_transaction(t.unit, tcode,
|
|
CSR_REGISTER_BASE + CSR_FCP_COMMAND,
|
|
(void *)command, command_size, 0);
|
|
if (ret < 0)
|
|
break;
|
|
deferred:
|
|
wait_event_timeout(t.wait, t.state != STATE_PENDING,
|
|
msecs_to_jiffies(FCP_TIMEOUT_MS));
|
|
|
|
if (t.state == STATE_DEFERRED) {
|
|
/*
|
|
* 'AV/C General Specification' define no time limit
|
|
* on command completion once an INTERIM response has
|
|
* been sent. but we promise to finish this function
|
|
* for a caller. Here we use FCP_TIMEOUT_MS for next
|
|
* interval. This is not in the specification.
|
|
*/
|
|
t.state = STATE_PENDING;
|
|
goto deferred;
|
|
} else if (t.state == STATE_COMPLETE) {
|
|
ret = t.response_size;
|
|
break;
|
|
} else if (t.state == STATE_BUS_RESET) {
|
|
msleep(ERROR_DELAY_MS);
|
|
} else if (++tries >= ERROR_RETRIES) {
|
|
dev_err(&t.unit->device, "FCP command timed out\n");
|
|
ret = -EIO;
|
|
break;
|
|
}
|
|
}
|
|
|
|
spin_lock_irq(&transactions_lock);
|
|
list_del(&t.list);
|
|
spin_unlock_irq(&transactions_lock);
|
|
|
|
return ret;
|
|
}
|
|
EXPORT_SYMBOL(fcp_avc_transaction);
|
|
|
|
/**
|
|
* fcp_bus_reset - inform the target handler about a bus reset
|
|
* @unit: the unit that might be used by fcp_avc_transaction()
|
|
*
|
|
* This function must be called from the driver's .update handler to inform
|
|
* the FCP transaction handler that a bus reset has happened. Any pending FCP
|
|
* transactions are retried.
|
|
*/
|
|
void fcp_bus_reset(struct fw_unit *unit)
|
|
{
|
|
struct fcp_transaction *t;
|
|
|
|
spin_lock_irq(&transactions_lock);
|
|
list_for_each_entry(t, &transactions, list) {
|
|
if (t->unit == unit &&
|
|
(t->state == STATE_PENDING ||
|
|
t->state == STATE_DEFERRED)) {
|
|
t->state = STATE_BUS_RESET;
|
|
wake_up(&t->wait);
|
|
}
|
|
}
|
|
spin_unlock_irq(&transactions_lock);
|
|
}
|
|
EXPORT_SYMBOL(fcp_bus_reset);
|
|
|
|
/* checks whether the response matches the masked bytes in response_buffer */
|
|
static bool is_matching_response(struct fcp_transaction *transaction,
|
|
const void *response, size_t length)
|
|
{
|
|
const u8 *p1, *p2;
|
|
unsigned int mask, i;
|
|
|
|
p1 = response;
|
|
p2 = transaction->response_buffer;
|
|
mask = transaction->response_match_bytes;
|
|
|
|
for (i = 0; ; ++i) {
|
|
if ((mask & 1) && p1[i] != p2[i])
|
|
return false;
|
|
mask >>= 1;
|
|
if (!mask)
|
|
return true;
|
|
if (--length == 0)
|
|
return false;
|
|
}
|
|
}
|
|
|
|
static void fcp_response(struct fw_card *card, struct fw_request *request,
|
|
int tcode, int destination, int source,
|
|
int generation, unsigned long long offset,
|
|
void *data, size_t length, void *callback_data)
|
|
{
|
|
struct fcp_transaction *t;
|
|
unsigned long flags;
|
|
|
|
if (length < 1 || (*(const u8 *)data & 0xf0) != CTS_AVC)
|
|
return;
|
|
|
|
spin_lock_irqsave(&transactions_lock, flags);
|
|
list_for_each_entry(t, &transactions, list) {
|
|
struct fw_device *device = fw_parent_device(t->unit);
|
|
if (device->card != card ||
|
|
device->generation != generation)
|
|
continue;
|
|
smp_rmb(); /* node_id vs. generation */
|
|
if (device->node_id != source)
|
|
continue;
|
|
|
|
if (t->state == STATE_PENDING &&
|
|
is_matching_response(t, data, length)) {
|
|
if (t->deferrable && *(const u8 *)data == 0x0f) {
|
|
t->state = STATE_DEFERRED;
|
|
} else {
|
|
t->state = STATE_COMPLETE;
|
|
t->response_size = min_t(unsigned int, length,
|
|
t->response_size);
|
|
memcpy(t->response_buffer, data,
|
|
t->response_size);
|
|
}
|
|
wake_up(&t->wait);
|
|
}
|
|
}
|
|
spin_unlock_irqrestore(&transactions_lock, flags);
|
|
}
|
|
|
|
static struct fw_address_handler response_register_handler = {
|
|
.length = 0x200,
|
|
.address_callback = fcp_response,
|
|
};
|
|
|
|
static int __init fcp_module_init(void)
|
|
{
|
|
static const struct fw_address_region response_register_region = {
|
|
.start = CSR_REGISTER_BASE + CSR_FCP_RESPONSE,
|
|
.end = CSR_REGISTER_BASE + CSR_FCP_END,
|
|
};
|
|
|
|
fw_core_add_address_handler(&response_register_handler,
|
|
&response_register_region);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static void __exit fcp_module_exit(void)
|
|
{
|
|
WARN_ON(!list_empty(&transactions));
|
|
fw_core_remove_address_handler(&response_register_handler);
|
|
}
|
|
|
|
module_init(fcp_module_init);
|
|
module_exit(fcp_module_exit);
|