nagai/kernel
3
0
Fork 0
forked from mirrors/linux
Code Pull requests Activity

ACPI / EC: Fix race condition in ec_transaction_completed()

Browse source 
There is a race condition in ec_transaction_completed().

When ec_transaction_completed() is called in the GPE handler, it could
return true because of (ec->curr == NULL). Then the wake_up() invocation
could complete the next command unexpectedly since there is no lock between
the 2 invocations. With the previous cleanup, the IBF=0 waiter race need
not be handled any more. It's now safe to return a flag from
advance_condition() to indicate the requirement of wakeup, the flag is
returned from a locked context.

The ec_transaction_completed() is now only invoked by the ec_poll() where
the ec->curr is ensured to be different from NULL.

After cleaning up, the EVT_SCI=1 check should be moved out of the wakeup
condition so that an EVT_SCI raised with (ec->curr == NULL) can trigger a
QR_SC command.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=70891
Link: https://bugzilla.kernel.org/show_bug.cgi?id=63931
Link: https://bugzilla.kernel.org/show_bug.cgi?id=59911
Reported-and-tested-by: Gareth Williams <gareth@garethwilliams.me.uk>
Reported-and-tested-by: Hans de Goede <jwrdegoede@fedoraproject.org>
Reported-by: Barton Xu <tank.xuhan@gmail.com>
Tested-by: Steffen Weber <steffen.weber@gmail.com>
Tested-by: Arthur Chen <axchen@nvidia.com>
Signed-off-by: Lv Zheng <lv.zheng@intel.com>
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
This commit is contained in:
Lv Zheng 2014-06-15 08:42:07 +08:00 committed by Rafael J. Wysocki
parent 9b80f0f73a
commit c0d653412f
1 changed files with 17 additions and 13 deletions
repo.diff.show_diff_stats Download patch file Download diff file Expand all files Collapse all files

28
drivers/acpi/ec.c
View file

@ -158,16 +158,17 @@ static int ec_transaction_completed(struct acpi_ec *ec)
unsigned long flags; unsigned long flags;
int ret = 0; int ret = 0;
spin_lock_irqsave(&ec->lock, flags); spin_lock_irqsave(&ec->lock, flags);
if (!ec->curr || (ec->curr->flags & ACPI_EC_COMMAND_COMPLETE)) if (ec->curr && (ec->curr->flags & ACPI_EC_COMMAND_COMPLETE))
ret = 1; ret = 1;
spin_unlock_irqrestore(&ec->lock, flags); spin_unlock_irqrestore(&ec->lock, flags);
return ret; return ret;
} }
static void advance_transaction(struct acpi_ec *ec) static bool advance_transaction(struct acpi_ec *ec)
{ {
struct transaction *t; struct transaction *t;
u8 status; u8 status;
bool wakeup = false;
pr_debug("===== %s =====\n", in_interrupt() ? "IRQ" : "TASK"); pr_debug("===== %s =====\n", in_interrupt() ? "IRQ" : "TASK");
status = acpi_ec_read_status(ec); status = acpi_ec_read_status(ec);
@ -183,21 +184,25 @@ static void advance_transaction(struct acpi_ec *ec)
} else if (t->rlen > t->ri) { } else if (t->rlen > t->ri) {
if ((status & ACPI_EC_FLAG_OBF) == 1) { if ((status & ACPI_EC_FLAG_OBF) == 1) {
t->rdata[t->ri++] = acpi_ec_read_data(ec); t->rdata[t->ri++] = acpi_ec_read_data(ec);
if (t->rlen == t->ri) if (t->rlen == t->ri) {
t->flags |= ACPI_EC_COMMAND_COMPLETE; t->flags |= ACPI_EC_COMMAND_COMPLETE;
wakeup = true;
}
} else } else
goto err; goto err;
} else if (t->wlen == t->wi && } else if (t->wlen == t->wi &&
(status & ACPI_EC_FLAG_IBF) == 0) (status & ACPI_EC_FLAG_IBF) == 0) {
t->flags |= ACPI_EC_COMMAND_COMPLETE; t->flags |= ACPI_EC_COMMAND_COMPLETE;
return; wakeup = true;
}
return wakeup;
} else { } else {
if ((status & ACPI_EC_FLAG_IBF) == 0) { if ((status & ACPI_EC_FLAG_IBF) == 0) {
acpi_ec_write_cmd(ec, t->command); acpi_ec_write_cmd(ec, t->command);
t->flags |= ACPI_EC_COMMAND_POLL; t->flags |= ACPI_EC_COMMAND_POLL;
} else } else
goto err; goto err;
return; return wakeup;
} }
err: err:
/* /*
@ -208,13 +213,14 @@ static void advance_transaction(struct acpi_ec *ec)
if (in_interrupt() && t) if (in_interrupt() && t)
++t->irq_count; ++t->irq_count;
} }
return wakeup;
} }
static void start_transaction(struct acpi_ec *ec) static void start_transaction(struct acpi_ec *ec)
{ {
ec->curr->irq_count = ec->curr->wi = ec->curr->ri = 0; ec->curr->irq_count = ec->curr->wi = ec->curr->ri = 0;
ec->curr->flags = 0; ec->curr->flags = 0;
advance_transaction(ec); (void)advance_transaction(ec);
} }
static int acpi_ec_sync_query(struct acpi_ec *ec, u8 *data); static int acpi_ec_sync_query(struct acpi_ec *ec, u8 *data);
@ -248,7 +254,7 @@ static int ec_poll(struct acpi_ec *ec)
return 0; return 0;
} }
spin_lock_irqsave(&ec->lock, flags); spin_lock_irqsave(&ec->lock, flags);
advance_transaction(ec); (void)advance_transaction(ec);
spin_unlock_irqrestore(&ec->lock, flags); spin_unlock_irqrestore(&ec->lock, flags);
} while (time_before(jiffies, delay)); } while (time_before(jiffies, delay));
pr_debug("controller reset, restart transaction\n"); pr_debug("controller reset, restart transaction\n");
@ -627,12 +633,10 @@ static u32 acpi_ec_gpe_handler(acpi_handle gpe_device,
struct acpi_ec *ec = data; struct acpi_ec *ec = data;
spin_lock_irqsave(&ec->lock, flags); spin_lock_irqsave(&ec->lock, flags);
advance_transaction(ec); if (advance_transaction(ec))
spin_unlock_irqrestore(&ec->lock, flags);
if (ec_transaction_completed(ec)) {
wake_up(&ec->wait); wake_up(&ec->wait);
spin_unlock_irqrestore(&ec->lock, flags);
ec_check_sci(ec, acpi_ec_read_status(ec)); ec_check_sci(ec, acpi_ec_read_status(ec));
}
return ACPI_INTERRUPT_HANDLED | ACPI_REENABLE_GPE; return ACPI_INTERRUPT_HANDLED | ACPI_REENABLE_GPE;
} }