297d716f62
Change the ownership of power_supply structure from each driver
implementing the class to the power supply core.
The patch changes power_supply_register() function thus all drivers
implementing power supply class are adjusted.
Each driver provides the implementation of power supply. However it
should not be the owner of power supply class instance because it is
exposed by core to other subsystems with power_supply_get_by_name().
These other subsystems have no knowledge when the driver will unregister
the power supply. This leads to several issues when driver is unbound -
mostly because user of power supply accesses freed memory.
Instead let the core own the instance of struct 'power_supply'. Other
users of this power supply will still access valid memory because it
will be freed when device reference count reaches 0. Currently this
means "it will leak" but power_supply_put() call in next patches will
solve it.
This solves invalid memory references in following race condition
scenario:
Thread 1: charger manager
Thread 2: power supply driver, used by charger manager
THREAD 1 (charger manager) THREAD 2 (power supply driver)
========================== ==============================
psy = power_supply_get_by_name()
Driver unbind, .remove
power_supply_unregister()
Device fully removed
psy->get_property()
The 'get_property' call is executed in invalid context because the driver was
unbound and struct 'power_supply' memory was freed.
This could be observed easily with charger manager driver (here compiled
with max17040 fuel gauge):
$ cat /sys/devices/virtual/power_supply/cm-battery/capacity &
$ echo "1-0036" > /sys/bus/i2c/drivers/max17040/unbind
[ 55.725123] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[ 55.732584] pgd = d98d4000
[ 55.734060] [00000000] *pgd=5afa2831, *pte=00000000, *ppte=00000000
[ 55.740318] Internal error: Oops: 80000007 [#1] PREEMPT SMP ARM
[ 55.746210] Modules linked in:
[ 55.749259] CPU: 1 PID: 2936 Comm: cat Tainted: G W 3.19.0-rc1-next-20141226-00048-gf79f475f3c44-dirty #1496
[ 55.760190] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
[ 55.766270] task: d9b76f00 ti: daf54000 task.ti: daf54000
[ 55.771647] PC is at 0x0
[ 55.774182] LR is at charger_get_property+0x2f4/0x36c
[ 55.779201] pc : [<00000000>] lr : [<c034b0b4>] psr: 60000013
[ 55.779201] sp : daf55e90 ip : 00000003 fp : 00000000
[ 55.790657] r10: 00000000 r9 : c06e2878 r8 : d9b26c68
[ 55.795865] r7 : dad81610 r6 : daec7410 r5 : daf55ebc r4 : 00000000
[ 55.802367] r3 : 00000000 r2 : daf55ebc r1 : 0000002a r0 : d9b26c68
[ 55.808879] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
[ 55.815994] Control: 10c5387d Table: 598d406a DAC: 00000015
[ 55.821723] Process cat (pid: 2936, stack limit = 0xdaf54210)
[ 55.827451] Stack: (0xdaf55e90 to 0xdaf56000)
[ 55.831795] 5e80: 60000013 c01459c4 0000002a c06f8ef8
[ 55.839956] 5ea0: db651000 c06f8ef8 daebac00 c04cb668 daebac08 c0346864 00000000 c01459c4
[ 55.848115] 5ec0: d99eaa80 c06f8ef8 00000fff 00001000 db651000 c027f25c c027f240 d99eaa80
[ 55.856274] 5ee0: d9a06c00 c0146218 daf55f18 00001000 d99eaa80 db4c18c0 00000001 00000001
[ 55.864468] 5f00: daf55f80 c0144c78 c0144c54 c0107f90 00015000 d99eaab0 00000000 00000000
[ 55.872603] 5f20: 000051c7 00000000 db4c18c0 c04a9370 00015000 00001000 daf55f80 00001000
[ 55.880763] 5f40: daf54000 00015000 00000000 c00e53dc db4c18c0 c00e548c 0000000d 00008124
[ 55.888937] 5f60: 00000001 00000000 00000000 db4c18c0 db4c18c0 00001000 00015000 c00e5550
[ 55.897099] 5f80: 00000000 00000000 00001000 00001000 00015000 00000003 00000003 c000f364
[ 55.905239] 5fa0: 00000000 c000f1a0 00001000 00015000 00000003 00015000 00001000 0001333c
[ 55.913399] 5fc0: 00001000 00015000 00000003 00000003 00000002 00000000 00000000 00000000
[ 55.921560] 5fe0: 7fffe000 be999850 0000a225 b6f3c19c 60000010 00000003 00000000 00000000
[ 55.929744] [<c034b0b4>] (charger_get_property) from [<c0346864>] (power_supply_show_property+0x48/0x20c)
[ 55.939286] [<c0346864>] (power_supply_show_property) from [<c027f25c>] (dev_attr_show+0x1c/0x48)
[ 55.948130] [<c027f25c>] (dev_attr_show) from [<c0146218>] (sysfs_kf_seq_show+0x84/0x104)
[ 55.956298] [<c0146218>] (sysfs_kf_seq_show) from [<c0144c78>] (kernfs_seq_show+0x24/0x28)
[ 55.964536] [<c0144c78>] (kernfs_seq_show) from [<c0107f90>] (seq_read+0x1b0/0x484)
[ 55.972172] [<c0107f90>] (seq_read) from [<c00e53dc>] (__vfs_read+0x18/0x4c)
[ 55.979188] [<c00e53dc>] (__vfs_read) from [<c00e548c>] (vfs_read+0x7c/0x100)
[ 55.986304] [<c00e548c>] (vfs_read) from [<c00e5550>] (SyS_read+0x40/0x8c)
[ 55.993164] [<c00e5550>] (SyS_read) from [<c000f1a0>] (ret_fast_syscall+0x0/0x48)
[ 56.000626] Code: bad PC value
[ 56.011652] ---[ end trace 7b64343fbdae8ef1 ]---
Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Reviewed-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
[for the nvec part]
Reviewed-by: Marc Dietrich <marvin24@gmx.de>
[for compal-laptop.c]
Acked-by: Darren Hart <dvhart@linux.intel.com>
[for the mfd part]
Acked-by: Lee Jones <lee.jones@linaro.org>
[for the hid part]
Acked-by: Jiri Kosina <jkosina@suse.cz>
[for the acpi part]
Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sebastian Reichel <sre@kernel.org>
377 lines
9.3 KiB
C
377 lines
9.3 KiB
C
#ifndef __HID_WIIMOTE_H
|
|
#define __HID_WIIMOTE_H
|
|
|
|
/*
|
|
* HID driver for Nintendo Wii / Wii U peripherals
|
|
* Copyright (c) 2011-2013 David Herrmann <dh.herrmann@gmail.com>
|
|
*/
|
|
|
|
/*
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License as published by the Free
|
|
* Software Foundation; either version 2 of the License, or (at your option)
|
|
* any later version.
|
|
*/
|
|
|
|
#include <linux/completion.h>
|
|
#include <linux/device.h>
|
|
#include <linux/hid.h>
|
|
#include <linux/input.h>
|
|
#include <linux/leds.h>
|
|
#include <linux/module.h>
|
|
#include <linux/mutex.h>
|
|
#include <linux/power_supply.h>
|
|
#include <linux/spinlock.h>
|
|
#include <linux/timer.h>
|
|
|
|
#define WIIMOTE_NAME "Nintendo Wii Remote"
|
|
#define WIIMOTE_BUFSIZE 32
|
|
|
|
#define WIIPROTO_FLAG_LED1 0x01
|
|
#define WIIPROTO_FLAG_LED2 0x02
|
|
#define WIIPROTO_FLAG_LED3 0x04
|
|
#define WIIPROTO_FLAG_LED4 0x08
|
|
#define WIIPROTO_FLAG_RUMBLE 0x10
|
|
#define WIIPROTO_FLAG_ACCEL 0x20
|
|
#define WIIPROTO_FLAG_IR_BASIC 0x40
|
|
#define WIIPROTO_FLAG_IR_EXT 0x80
|
|
#define WIIPROTO_FLAG_IR_FULL 0xc0 /* IR_BASIC | IR_EXT */
|
|
#define WIIPROTO_FLAG_EXT_PLUGGED 0x0100
|
|
#define WIIPROTO_FLAG_EXT_USED 0x0200
|
|
#define WIIPROTO_FLAG_EXT_ACTIVE 0x0400
|
|
#define WIIPROTO_FLAG_MP_PLUGGED 0x0800
|
|
#define WIIPROTO_FLAG_MP_USED 0x1000
|
|
#define WIIPROTO_FLAG_MP_ACTIVE 0x2000
|
|
#define WIIPROTO_FLAG_EXITING 0x4000
|
|
#define WIIPROTO_FLAG_DRM_LOCKED 0x8000
|
|
#define WIIPROTO_FLAG_BUILTIN_MP 0x010000
|
|
#define WIIPROTO_FLAG_NO_MP 0x020000
|
|
#define WIIPROTO_FLAG_PRO_CALIB_DONE 0x040000
|
|
|
|
#define WIIPROTO_FLAGS_LEDS (WIIPROTO_FLAG_LED1 | WIIPROTO_FLAG_LED2 | \
|
|
WIIPROTO_FLAG_LED3 | WIIPROTO_FLAG_LED4)
|
|
#define WIIPROTO_FLAGS_IR (WIIPROTO_FLAG_IR_BASIC | WIIPROTO_FLAG_IR_EXT | \
|
|
WIIPROTO_FLAG_IR_FULL)
|
|
|
|
/* return flag for led \num */
|
|
#define WIIPROTO_FLAG_LED(num) (WIIPROTO_FLAG_LED1 << (num - 1))
|
|
|
|
enum wiiproto_keys {
|
|
WIIPROTO_KEY_LEFT,
|
|
WIIPROTO_KEY_RIGHT,
|
|
WIIPROTO_KEY_UP,
|
|
WIIPROTO_KEY_DOWN,
|
|
WIIPROTO_KEY_PLUS,
|
|
WIIPROTO_KEY_MINUS,
|
|
WIIPROTO_KEY_ONE,
|
|
WIIPROTO_KEY_TWO,
|
|
WIIPROTO_KEY_A,
|
|
WIIPROTO_KEY_B,
|
|
WIIPROTO_KEY_HOME,
|
|
WIIPROTO_KEY_COUNT
|
|
};
|
|
|
|
enum wiimote_devtype {
|
|
WIIMOTE_DEV_PENDING,
|
|
WIIMOTE_DEV_UNKNOWN,
|
|
WIIMOTE_DEV_GENERIC,
|
|
WIIMOTE_DEV_GEN10,
|
|
WIIMOTE_DEV_GEN20,
|
|
WIIMOTE_DEV_BALANCE_BOARD,
|
|
WIIMOTE_DEV_PRO_CONTROLLER,
|
|
WIIMOTE_DEV_NUM,
|
|
};
|
|
|
|
enum wiimote_exttype {
|
|
WIIMOTE_EXT_NONE,
|
|
WIIMOTE_EXT_UNKNOWN,
|
|
WIIMOTE_EXT_NUNCHUK,
|
|
WIIMOTE_EXT_CLASSIC_CONTROLLER,
|
|
WIIMOTE_EXT_BALANCE_BOARD,
|
|
WIIMOTE_EXT_PRO_CONTROLLER,
|
|
WIIMOTE_EXT_NUM,
|
|
};
|
|
|
|
enum wiimote_mptype {
|
|
WIIMOTE_MP_NONE,
|
|
WIIMOTE_MP_UNKNOWN,
|
|
WIIMOTE_MP_SINGLE,
|
|
WIIMOTE_MP_PASSTHROUGH_NUNCHUK,
|
|
WIIMOTE_MP_PASSTHROUGH_CLASSIC,
|
|
};
|
|
|
|
struct wiimote_buf {
|
|
__u8 data[HID_MAX_BUFFER_SIZE];
|
|
size_t size;
|
|
};
|
|
|
|
struct wiimote_queue {
|
|
spinlock_t lock;
|
|
struct work_struct worker;
|
|
__u8 head;
|
|
__u8 tail;
|
|
struct wiimote_buf outq[WIIMOTE_BUFSIZE];
|
|
};
|
|
|
|
struct wiimote_state {
|
|
spinlock_t lock;
|
|
__u32 flags;
|
|
__u8 accel_split[2];
|
|
__u8 drm;
|
|
__u8 devtype;
|
|
__u8 exttype;
|
|
__u8 mp;
|
|
|
|
/* synchronous cmd requests */
|
|
struct mutex sync;
|
|
struct completion ready;
|
|
int cmd;
|
|
__u32 opt;
|
|
|
|
/* results of synchronous requests */
|
|
__u8 cmd_battery;
|
|
__u8 cmd_err;
|
|
__u8 *cmd_read_buf;
|
|
__u8 cmd_read_size;
|
|
|
|
/* calibration/cache data */
|
|
__u16 calib_bboard[4][3];
|
|
__s16 calib_pro_sticks[4];
|
|
__u8 cache_rumble;
|
|
};
|
|
|
|
struct wiimote_data {
|
|
struct hid_device *hdev;
|
|
struct input_dev *input;
|
|
struct work_struct rumble_worker;
|
|
struct led_classdev *leds[4];
|
|
struct input_dev *accel;
|
|
struct input_dev *ir;
|
|
struct power_supply *battery;
|
|
struct power_supply_desc battery_desc;
|
|
struct input_dev *mp;
|
|
struct timer_list timer;
|
|
struct wiimote_debug *debug;
|
|
|
|
union {
|
|
struct input_dev *input;
|
|
} extension;
|
|
|
|
struct wiimote_queue queue;
|
|
struct wiimote_state state;
|
|
struct work_struct init_worker;
|
|
};
|
|
|
|
/* wiimote modules */
|
|
|
|
enum wiimod_module {
|
|
WIIMOD_KEYS,
|
|
WIIMOD_RUMBLE,
|
|
WIIMOD_BATTERY,
|
|
WIIMOD_LED1,
|
|
WIIMOD_LED2,
|
|
WIIMOD_LED3,
|
|
WIIMOD_LED4,
|
|
WIIMOD_ACCEL,
|
|
WIIMOD_IR,
|
|
WIIMOD_BUILTIN_MP,
|
|
WIIMOD_NO_MP,
|
|
WIIMOD_NUM,
|
|
WIIMOD_NULL = WIIMOD_NUM,
|
|
};
|
|
|
|
#define WIIMOD_FLAG_INPUT 0x0001
|
|
#define WIIMOD_FLAG_EXT8 0x0002
|
|
#define WIIMOD_FLAG_EXT16 0x0004
|
|
|
|
struct wiimod_ops {
|
|
__u16 flags;
|
|
unsigned long arg;
|
|
int (*probe) (const struct wiimod_ops *ops,
|
|
struct wiimote_data *wdata);
|
|
void (*remove) (const struct wiimod_ops *ops,
|
|
struct wiimote_data *wdata);
|
|
|
|
void (*in_keys) (struct wiimote_data *wdata, const __u8 *keys);
|
|
void (*in_accel) (struct wiimote_data *wdata, const __u8 *accel);
|
|
void (*in_ir) (struct wiimote_data *wdata, const __u8 *ir, bool packed,
|
|
unsigned int id);
|
|
void (*in_mp) (struct wiimote_data *wdata, const __u8 *mp);
|
|
void (*in_ext) (struct wiimote_data *wdata, const __u8 *ext);
|
|
};
|
|
|
|
extern const struct wiimod_ops *wiimod_table[WIIMOD_NUM];
|
|
extern const struct wiimod_ops *wiimod_ext_table[WIIMOTE_EXT_NUM];
|
|
extern const struct wiimod_ops wiimod_mp;
|
|
|
|
/* wiimote requests */
|
|
|
|
enum wiiproto_reqs {
|
|
WIIPROTO_REQ_NULL = 0x0,
|
|
WIIPROTO_REQ_RUMBLE = 0x10,
|
|
WIIPROTO_REQ_LED = 0x11,
|
|
WIIPROTO_REQ_DRM = 0x12,
|
|
WIIPROTO_REQ_IR1 = 0x13,
|
|
WIIPROTO_REQ_SREQ = 0x15,
|
|
WIIPROTO_REQ_WMEM = 0x16,
|
|
WIIPROTO_REQ_RMEM = 0x17,
|
|
WIIPROTO_REQ_IR2 = 0x1a,
|
|
WIIPROTO_REQ_STATUS = 0x20,
|
|
WIIPROTO_REQ_DATA = 0x21,
|
|
WIIPROTO_REQ_RETURN = 0x22,
|
|
|
|
/* DRM_K: BB*2 */
|
|
WIIPROTO_REQ_DRM_K = 0x30,
|
|
|
|
/* DRM_KA: BB*2 AA*3 */
|
|
WIIPROTO_REQ_DRM_KA = 0x31,
|
|
|
|
/* DRM_KE: BB*2 EE*8 */
|
|
WIIPROTO_REQ_DRM_KE = 0x32,
|
|
|
|
/* DRM_KAI: BB*2 AA*3 II*12 */
|
|
WIIPROTO_REQ_DRM_KAI = 0x33,
|
|
|
|
/* DRM_KEE: BB*2 EE*19 */
|
|
WIIPROTO_REQ_DRM_KEE = 0x34,
|
|
|
|
/* DRM_KAE: BB*2 AA*3 EE*16 */
|
|
WIIPROTO_REQ_DRM_KAE = 0x35,
|
|
|
|
/* DRM_KIE: BB*2 II*10 EE*9 */
|
|
WIIPROTO_REQ_DRM_KIE = 0x36,
|
|
|
|
/* DRM_KAIE: BB*2 AA*3 II*10 EE*6 */
|
|
WIIPROTO_REQ_DRM_KAIE = 0x37,
|
|
|
|
/* DRM_E: EE*21 */
|
|
WIIPROTO_REQ_DRM_E = 0x3d,
|
|
|
|
/* DRM_SKAI1: BB*2 AA*1 II*18 */
|
|
WIIPROTO_REQ_DRM_SKAI1 = 0x3e,
|
|
|
|
/* DRM_SKAI2: BB*2 AA*1 II*18 */
|
|
WIIPROTO_REQ_DRM_SKAI2 = 0x3f,
|
|
|
|
WIIPROTO_REQ_MAX
|
|
};
|
|
|
|
#define dev_to_wii(pdev) hid_get_drvdata(container_of(pdev, struct hid_device, \
|
|
dev))
|
|
|
|
void __wiimote_schedule(struct wiimote_data *wdata);
|
|
|
|
extern void wiiproto_req_drm(struct wiimote_data *wdata, __u8 drm);
|
|
extern void wiiproto_req_rumble(struct wiimote_data *wdata, __u8 rumble);
|
|
extern void wiiproto_req_leds(struct wiimote_data *wdata, int leds);
|
|
extern void wiiproto_req_status(struct wiimote_data *wdata);
|
|
extern void wiiproto_req_accel(struct wiimote_data *wdata, __u8 accel);
|
|
extern void wiiproto_req_ir1(struct wiimote_data *wdata, __u8 flags);
|
|
extern void wiiproto_req_ir2(struct wiimote_data *wdata, __u8 flags);
|
|
extern int wiimote_cmd_write(struct wiimote_data *wdata, __u32 offset,
|
|
const __u8 *wmem, __u8 size);
|
|
extern ssize_t wiimote_cmd_read(struct wiimote_data *wdata, __u32 offset,
|
|
__u8 *rmem, __u8 size);
|
|
|
|
#define wiiproto_req_rreg(wdata, os, sz) \
|
|
wiiproto_req_rmem((wdata), false, (os), (sz))
|
|
#define wiiproto_req_reeprom(wdata, os, sz) \
|
|
wiiproto_req_rmem((wdata), true, (os), (sz))
|
|
extern void wiiproto_req_rmem(struct wiimote_data *wdata, bool eeprom,
|
|
__u32 offset, __u16 size);
|
|
|
|
#ifdef CONFIG_DEBUG_FS
|
|
|
|
extern int wiidebug_init(struct wiimote_data *wdata);
|
|
extern void wiidebug_deinit(struct wiimote_data *wdata);
|
|
|
|
#else
|
|
|
|
static inline int wiidebug_init(void *u) { return 0; }
|
|
static inline void wiidebug_deinit(void *u) { }
|
|
|
|
#endif
|
|
|
|
/* requires the state.lock spinlock to be held */
|
|
static inline bool wiimote_cmd_pending(struct wiimote_data *wdata, int cmd,
|
|
__u32 opt)
|
|
{
|
|
return wdata->state.cmd == cmd && wdata->state.opt == opt;
|
|
}
|
|
|
|
/* requires the state.lock spinlock to be held */
|
|
static inline void wiimote_cmd_complete(struct wiimote_data *wdata)
|
|
{
|
|
wdata->state.cmd = WIIPROTO_REQ_NULL;
|
|
complete(&wdata->state.ready);
|
|
}
|
|
|
|
/* requires the state.lock spinlock to be held */
|
|
static inline void wiimote_cmd_abort(struct wiimote_data *wdata)
|
|
{
|
|
/* Abort synchronous request by waking up the sleeping caller. But
|
|
* reset the state.cmd field to an invalid value so no further event
|
|
* handlers will work with it. */
|
|
wdata->state.cmd = WIIPROTO_REQ_MAX;
|
|
complete(&wdata->state.ready);
|
|
}
|
|
|
|
static inline int wiimote_cmd_acquire(struct wiimote_data *wdata)
|
|
{
|
|
return mutex_lock_interruptible(&wdata->state.sync) ? -ERESTARTSYS : 0;
|
|
}
|
|
|
|
static inline void wiimote_cmd_acquire_noint(struct wiimote_data *wdata)
|
|
{
|
|
mutex_lock(&wdata->state.sync);
|
|
}
|
|
|
|
/* requires the state.lock spinlock to be held */
|
|
static inline void wiimote_cmd_set(struct wiimote_data *wdata, int cmd,
|
|
__u32 opt)
|
|
{
|
|
reinit_completion(&wdata->state.ready);
|
|
wdata->state.cmd = cmd;
|
|
wdata->state.opt = opt;
|
|
}
|
|
|
|
static inline void wiimote_cmd_release(struct wiimote_data *wdata)
|
|
{
|
|
mutex_unlock(&wdata->state.sync);
|
|
}
|
|
|
|
static inline int wiimote_cmd_wait(struct wiimote_data *wdata)
|
|
{
|
|
int ret;
|
|
|
|
/* The completion acts as implicit memory barrier so we can safely
|
|
* assume that state.cmd is set on success/failure and isn't accessed
|
|
* by any other thread, anymore. */
|
|
|
|
ret = wait_for_completion_interruptible_timeout(&wdata->state.ready, HZ);
|
|
if (ret < 0)
|
|
return -ERESTARTSYS;
|
|
else if (ret == 0)
|
|
return -EIO;
|
|
else if (wdata->state.cmd != WIIPROTO_REQ_NULL)
|
|
return -EIO;
|
|
else
|
|
return 0;
|
|
}
|
|
|
|
static inline int wiimote_cmd_wait_noint(struct wiimote_data *wdata)
|
|
{
|
|
unsigned long ret;
|
|
|
|
/* no locking needed; see wiimote_cmd_wait() */
|
|
ret = wait_for_completion_timeout(&wdata->state.ready, HZ);
|
|
if (!ret)
|
|
return -EIO;
|
|
else if (wdata->state.cmd != WIIPROTO_REQ_NULL)
|
|
return -EIO;
|
|
else
|
|
return 0;
|
|
}
|
|
|
|
#endif
|