Commit 8c1eb039 authored by Lv Zheng's avatar Lv Zheng Committed by Jiri Slaby

ACPI / EC: Fix race condition in ec_transaction_completed()

commit c0d65341 upstream.

There is a race condition in ec_transaction_completed().

When ec_transaction_completed() is called in the GPE handler, it could
return true because of (ec->curr == NULL). Then the wake_up() invocation
could complete the next command unexpectedly since there is no lock between
the 2 invocations. With the previous cleanup, the IBF=0 waiter race need
not be handled any more. It's now safe to return a flag from
advance_condition() to indicate the requirement of wakeup, the flag is
returned from a locked context.

The ec_transaction_completed() is now only invoked by the ec_poll() where
the ec->curr is ensured to be different from NULL.

After cleaning up, the EVT_SCI=1 check should be moved out of the wakeup
condition so that an EVT_SCI raised with (ec->curr == NULL) can trigger a
QR_SC command.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=70891
Link: https://bugzilla.kernel.org/show_bug.cgi?id=63931
Link: https://bugzilla.kernel.org/show_bug.cgi?id=59911Reported-and-tested-by: default avatarGareth Williams <gareth@garethwilliams.me.uk>
Reported-and-tested-by: default avatarHans de Goede <jwrdegoede@fedoraproject.org>
Reported-by: default avatarBarton Xu <tank.xuhan@gmail.com>
Tested-by: default avatarSteffen Weber <steffen.weber@gmail.com>
Tested-by: default avatarArthur Chen <axchen@nvidia.com>
Signed-off-by: default avatarLv Zheng <lv.zheng@intel.com>
Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
parent 208614e5
...@@ -165,16 +165,17 @@ static int ec_transaction_completed(struct acpi_ec *ec) ...@@ -165,16 +165,17 @@ static int ec_transaction_completed(struct acpi_ec *ec)
unsigned long flags; unsigned long flags;
int ret = 0; int ret = 0;
spin_lock_irqsave(&ec->lock, flags); spin_lock_irqsave(&ec->lock, flags);
if (!ec->curr || (ec->curr->flags & ACPI_EC_COMMAND_COMPLETE)) if (ec->curr && (ec->curr->flags & ACPI_EC_COMMAND_COMPLETE))
ret = 1; ret = 1;
spin_unlock_irqrestore(&ec->lock, flags); spin_unlock_irqrestore(&ec->lock, flags);
return ret; return ret;
} }
static void advance_transaction(struct acpi_ec *ec) static bool advance_transaction(struct acpi_ec *ec)
{ {
struct transaction *t; struct transaction *t;
u8 status; u8 status;
bool wakeup = false;
pr_debug("===== %s =====\n", in_interrupt() ? "IRQ" : "TASK"); pr_debug("===== %s =====\n", in_interrupt() ? "IRQ" : "TASK");
status = acpi_ec_read_status(ec); status = acpi_ec_read_status(ec);
...@@ -190,21 +191,25 @@ static void advance_transaction(struct acpi_ec *ec) ...@@ -190,21 +191,25 @@ static void advance_transaction(struct acpi_ec *ec)
} else if (t->rlen > t->ri) { } else if (t->rlen > t->ri) {
if ((status & ACPI_EC_FLAG_OBF) == 1) { if ((status & ACPI_EC_FLAG_OBF) == 1) {
t->rdata[t->ri++] = acpi_ec_read_data(ec); t->rdata[t->ri++] = acpi_ec_read_data(ec);
if (t->rlen == t->ri) if (t->rlen == t->ri) {
t->flags |= ACPI_EC_COMMAND_COMPLETE; t->flags |= ACPI_EC_COMMAND_COMPLETE;
wakeup = true;
}
} else } else
goto err; goto err;
} else if (t->wlen == t->wi && } else if (t->wlen == t->wi &&
(status & ACPI_EC_FLAG_IBF) == 0) (status & ACPI_EC_FLAG_IBF) == 0) {
t->flags |= ACPI_EC_COMMAND_COMPLETE; t->flags |= ACPI_EC_COMMAND_COMPLETE;
return; wakeup = true;
}
return wakeup;
} else { } else {
if ((status & ACPI_EC_FLAG_IBF) == 0) { if ((status & ACPI_EC_FLAG_IBF) == 0) {
acpi_ec_write_cmd(ec, t->command); acpi_ec_write_cmd(ec, t->command);
t->flags |= ACPI_EC_COMMAND_POLL; t->flags |= ACPI_EC_COMMAND_POLL;
} else } else
goto err; goto err;
return; return wakeup;
} }
err: err:
/* /*
...@@ -215,13 +220,14 @@ static void advance_transaction(struct acpi_ec *ec) ...@@ -215,13 +220,14 @@ static void advance_transaction(struct acpi_ec *ec)
if (in_interrupt() && t) if (in_interrupt() && t)
++t->irq_count; ++t->irq_count;
} }
return wakeup;
} }
static void start_transaction(struct acpi_ec *ec) static void start_transaction(struct acpi_ec *ec)
{ {
ec->curr->irq_count = ec->curr->wi = ec->curr->ri = 0; ec->curr->irq_count = ec->curr->wi = ec->curr->ri = 0;
ec->curr->flags = 0; ec->curr->flags = 0;
advance_transaction(ec); (void)advance_transaction(ec);
} }
static int acpi_ec_sync_query(struct acpi_ec *ec, u8 *data); static int acpi_ec_sync_query(struct acpi_ec *ec, u8 *data);
...@@ -255,7 +261,7 @@ static int ec_poll(struct acpi_ec *ec) ...@@ -255,7 +261,7 @@ static int ec_poll(struct acpi_ec *ec)
return 0; return 0;
} }
spin_lock_irqsave(&ec->lock, flags); spin_lock_irqsave(&ec->lock, flags);
advance_transaction(ec); (void)advance_transaction(ec);
spin_unlock_irqrestore(&ec->lock, flags); spin_unlock_irqrestore(&ec->lock, flags);
} while (time_before(jiffies, delay)); } while (time_before(jiffies, delay));
pr_debug(PREFIX "controller reset, restart transaction\n"); pr_debug(PREFIX "controller reset, restart transaction\n");
...@@ -654,12 +660,10 @@ static u32 acpi_ec_gpe_handler(acpi_handle gpe_device, ...@@ -654,12 +660,10 @@ static u32 acpi_ec_gpe_handler(acpi_handle gpe_device,
struct acpi_ec *ec = data; struct acpi_ec *ec = data;
spin_lock_irqsave(&ec->lock, flags); spin_lock_irqsave(&ec->lock, flags);
advance_transaction(ec); if (advance_transaction(ec))
spin_unlock_irqrestore(&ec->lock, flags);
if (ec_transaction_completed(ec)) {
wake_up(&ec->wait); wake_up(&ec->wait);
ec_check_sci(ec, acpi_ec_read_status(ec)); spin_unlock_irqrestore(&ec->lock, flags);
} ec_check_sci(ec, acpi_ec_read_status(ec));
return ACPI_INTERRUPT_HANDLED | ACPI_REENABLE_GPE; return ACPI_INTERRUPT_HANDLED | ACPI_REENABLE_GPE;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment