c27f3d011b
ACPICA commit c9e0116952363b0fa815143dca7e9a2eb4fefa61 The handling of the generic_serial_bus (I2C) and GPIO op_regions in acpi_ev_address_space_dispatch() passes a number of extra parameters to the address-space handler through the address-space Context pointer (instead of using more function parameters). The Context is shared between threads, so if multiple threads try to call the handler for the same address-space at the same time, then a second thread could change the parameters of a first thread while the handler is running for the first thread. An example of this race hitting is the Lenovo Yoga Tablet2 1015L, where there are both attrib_bytes accesses and attrib_byte accesses to the same address-space. The attrib_bytes access stores the number of bytes to transfer in Context->access_length. Where as for the attrib_byte access the number of bytes to transfer is always 1 and field_obj->Field.access_length is unused (so 0). Both types of accesses racing from different threads leads to the following problem: 1. Thread a. starts an attrib_bytes access, stores a non 0 value from field_obj->Field.access_length in Context->access_length 2. Thread b. starts an attrib_byte access, stores 0 in Context->access_length 3. Thread a. calls i2c_acpi_space_handler() (under Linux). Which sees that the access-type is ACPI_GSB_ACCESS_ATTRIB_MULTIBYTE and calls acpi_gsb_i2c_read_bytes(..., Context->access_length) 4. At this point Context->access_length is 0 (set by thread b.) rather then the field_obj->Field.access_length value from thread a. This 0 length reads leads to the following errors being logged: i2c i2c-0: adapter quirk: no zero length (addr 0x0078, size 0, read) i2c i2c-0: i2c read 0 bytes from client@0x78 starting at reg 0x0 failed, error: -95 Note this is just an example of the problems which this race can cause. There are likely many more (sporadic) problems caused by this race. This commit adds a new context_mutex to struct acpi_object_addr_handler and makes acpi_ev_address_space_dispatch() take that mutex when using the shared Context to pass extra parameters to an address-space handler, fixing this race. Note the new mutex must be taken *after* exiting the interpreter, therefor the existing acpi_ex_exit_interpreter() call is moved to above the code which stores the extra parameters in the Context. Link: https://github.com/acpica/acpica/commit/c9e01169 Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Bob Moore <robert.moore@intel.com> Signed-off-by: Erik Kaneda <erik.kaneda@intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
231 lines
6.3 KiB
C
231 lines
6.3 KiB
C
// SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0
|
|
/******************************************************************************
|
|
*
|
|
* Module Name: evxfregn - External Interfaces, ACPI Operation Regions and
|
|
* Address Spaces.
|
|
*
|
|
* Copyright (C) 2000 - 2021, Intel Corp.
|
|
*
|
|
*****************************************************************************/
|
|
|
|
#define EXPORT_ACPI_INTERFACES
|
|
|
|
#include <acpi/acpi.h>
|
|
#include "accommon.h"
|
|
#include "acnamesp.h"
|
|
#include "acevents.h"
|
|
|
|
#define _COMPONENT ACPI_EVENTS
|
|
ACPI_MODULE_NAME("evxfregn")
|
|
|
|
/*******************************************************************************
|
|
*
|
|
* FUNCTION: acpi_install_address_space_handler
|
|
*
|
|
* PARAMETERS: device - Handle for the device
|
|
* space_id - The address space ID
|
|
* handler - Address of the handler
|
|
* setup - Address of the setup function
|
|
* context - Value passed to the handler on each access
|
|
*
|
|
* RETURN: Status
|
|
*
|
|
* DESCRIPTION: Install a handler for all op_regions of a given space_id.
|
|
*
|
|
* NOTE: This function should only be called after acpi_enable_subsystem has
|
|
* been called. This is because any _REG methods associated with the Space ID
|
|
* are executed here, and these methods can only be safely executed after
|
|
* the default handlers have been installed and the hardware has been
|
|
* initialized (via acpi_enable_subsystem.)
|
|
*
|
|
******************************************************************************/
|
|
acpi_status
|
|
acpi_install_address_space_handler(acpi_handle device,
|
|
acpi_adr_space_type space_id,
|
|
acpi_adr_space_handler handler,
|
|
acpi_adr_space_setup setup, void *context)
|
|
{
|
|
struct acpi_namespace_node *node;
|
|
acpi_status status;
|
|
|
|
ACPI_FUNCTION_TRACE(acpi_install_address_space_handler);
|
|
|
|
/* Parameter validation */
|
|
|
|
if (!device) {
|
|
return_ACPI_STATUS(AE_BAD_PARAMETER);
|
|
}
|
|
|
|
status = acpi_ut_acquire_mutex(ACPI_MTX_NAMESPACE);
|
|
if (ACPI_FAILURE(status)) {
|
|
return_ACPI_STATUS(status);
|
|
}
|
|
|
|
/* Convert and validate the device handle */
|
|
|
|
node = acpi_ns_validate_handle(device);
|
|
if (!node) {
|
|
status = AE_BAD_PARAMETER;
|
|
goto unlock_and_exit;
|
|
}
|
|
|
|
/* Install the handler for all Regions for this Space ID */
|
|
|
|
status =
|
|
acpi_ev_install_space_handler(node, space_id, handler, setup,
|
|
context);
|
|
if (ACPI_FAILURE(status)) {
|
|
goto unlock_and_exit;
|
|
}
|
|
|
|
/* Run all _REG methods for this address space */
|
|
|
|
acpi_ev_execute_reg_methods(node, space_id, ACPI_REG_CONNECT);
|
|
|
|
unlock_and_exit:
|
|
(void)acpi_ut_release_mutex(ACPI_MTX_NAMESPACE);
|
|
return_ACPI_STATUS(status);
|
|
}
|
|
|
|
ACPI_EXPORT_SYMBOL(acpi_install_address_space_handler)
|
|
|
|
/*******************************************************************************
|
|
*
|
|
* FUNCTION: acpi_remove_address_space_handler
|
|
*
|
|
* PARAMETERS: device - Handle for the device
|
|
* space_id - The address space ID
|
|
* handler - Address of the handler
|
|
*
|
|
* RETURN: Status
|
|
*
|
|
* DESCRIPTION: Remove a previously installed handler.
|
|
*
|
|
******************************************************************************/
|
|
acpi_status
|
|
acpi_remove_address_space_handler(acpi_handle device,
|
|
acpi_adr_space_type space_id,
|
|
acpi_adr_space_handler handler)
|
|
{
|
|
union acpi_operand_object *obj_desc;
|
|
union acpi_operand_object *handler_obj;
|
|
union acpi_operand_object *region_obj;
|
|
union acpi_operand_object **last_obj_ptr;
|
|
struct acpi_namespace_node *node;
|
|
acpi_status status;
|
|
|
|
ACPI_FUNCTION_TRACE(acpi_remove_address_space_handler);
|
|
|
|
/* Parameter validation */
|
|
|
|
if (!device) {
|
|
return_ACPI_STATUS(AE_BAD_PARAMETER);
|
|
}
|
|
|
|
status = acpi_ut_acquire_mutex(ACPI_MTX_NAMESPACE);
|
|
if (ACPI_FAILURE(status)) {
|
|
return_ACPI_STATUS(status);
|
|
}
|
|
|
|
/* Convert and validate the device handle */
|
|
|
|
node = acpi_ns_validate_handle(device);
|
|
if (!node ||
|
|
((node->type != ACPI_TYPE_DEVICE) &&
|
|
(node->type != ACPI_TYPE_PROCESSOR) &&
|
|
(node->type != ACPI_TYPE_THERMAL) &&
|
|
(node != acpi_gbl_root_node))) {
|
|
status = AE_BAD_PARAMETER;
|
|
goto unlock_and_exit;
|
|
}
|
|
|
|
/* Make sure the internal object exists */
|
|
|
|
obj_desc = acpi_ns_get_attached_object(node);
|
|
if (!obj_desc) {
|
|
status = AE_NOT_EXIST;
|
|
goto unlock_and_exit;
|
|
}
|
|
|
|
/* Find the address handler the user requested */
|
|
|
|
handler_obj = obj_desc->common_notify.handler;
|
|
last_obj_ptr = &obj_desc->common_notify.handler;
|
|
while (handler_obj) {
|
|
|
|
/* We have a handler, see if user requested this one */
|
|
|
|
if (handler_obj->address_space.space_id == space_id) {
|
|
|
|
/* Handler must be the same as the installed handler */
|
|
|
|
if (handler_obj->address_space.handler != handler) {
|
|
status = AE_BAD_PARAMETER;
|
|
goto unlock_and_exit;
|
|
}
|
|
|
|
/* Matched space_id, first dereference this in the Regions */
|
|
|
|
ACPI_DEBUG_PRINT((ACPI_DB_OPREGION,
|
|
"Removing address handler %p(%p) for region %s "
|
|
"on Device %p(%p)\n",
|
|
handler_obj, handler,
|
|
acpi_ut_get_region_name(space_id),
|
|
node, obj_desc));
|
|
|
|
region_obj = handler_obj->address_space.region_list;
|
|
|
|
/* Walk the handler's region list */
|
|
|
|
while (region_obj) {
|
|
/*
|
|
* First disassociate the handler from the region.
|
|
*
|
|
* NOTE: this doesn't mean that the region goes away
|
|
* The region is just inaccessible as indicated to
|
|
* the _REG method
|
|
*/
|
|
acpi_ev_detach_region(region_obj, TRUE);
|
|
|
|
/*
|
|
* Walk the list: Just grab the head because the
|
|
* detach_region removed the previous head.
|
|
*/
|
|
region_obj =
|
|
handler_obj->address_space.region_list;
|
|
}
|
|
|
|
/* Remove this Handler object from the list */
|
|
|
|
*last_obj_ptr = handler_obj->address_space.next;
|
|
|
|
/* Now we can delete the handler object */
|
|
|
|
acpi_os_release_mutex(handler_obj->address_space.
|
|
context_mutex);
|
|
acpi_ut_remove_reference(handler_obj);
|
|
goto unlock_and_exit;
|
|
}
|
|
|
|
/* Walk the linked list of handlers */
|
|
|
|
last_obj_ptr = &handler_obj->address_space.next;
|
|
handler_obj = handler_obj->address_space.next;
|
|
}
|
|
|
|
/* The handler does not exist */
|
|
|
|
ACPI_DEBUG_PRINT((ACPI_DB_OPREGION,
|
|
"Unable to remove address handler %p for %s(%X), DevNode %p, obj %p\n",
|
|
handler, acpi_ut_get_region_name(space_id), space_id,
|
|
node, obj_desc));
|
|
|
|
status = AE_NOT_EXIST;
|
|
|
|
unlock_and_exit:
|
|
(void)acpi_ut_release_mutex(ACPI_MTX_NAMESPACE);
|
|
return_ACPI_STATUS(status);
|
|
}
|
|
|
|
ACPI_EXPORT_SYMBOL(acpi_remove_address_space_handler)
|