提交 17ecac53 编写于 作者: F Finn Thain 提交者: Xie XiuQi

macintosh/adb-iop: Always wait for reply message from IOP

stable inclusion
from stable-5.10.4
commit bbae91abbc27037e59326a9541c8912606665414
bugzilla: 46903

--------------------------------

[ Upstream commit 2c9cfbad ]

A recent patch incorrectly altered the adb-iop state machine behaviour
and introduced a regression that can appear intermittently as a
malfunctioning ADB input device. This seems to be caused when reply
packets from different ADB commands become mixed up, especially during
the adb bus scan. Fix this by unconditionally entering the awaiting_reply
state after sending an explicit command, even when the ADB command won't
generate a reply from the ADB device.

It turns out that the IOP always generates reply messages, even when the
ADB command does not produce a reply packet (e.g. ADB Listen command).
So it's not really the ADB reply packets that are being mixed up, it's the
IOP messages that enclose them. The bug goes like this:

  1. CPU sends a message to the IOP, expecting no response because this
     message contains an ADB Listen command. The ADB command is now
     considered complete.

  2. CPU sends a second message to the IOP, this time expecting a
     response because this message contains an ADB Talk command. This
     ADB command needs a reply before it can be completed.

  3. adb-iop driver receives an IOP message and assumes that it relates
     to the Talk command. It's actually an empty one (with flags ==
     ADB_IOP_EXPLICIT|ADB_IOP_TIMEOUT) for the previous command. The
     Talk command is now considered complete but it gets the wrong reply
     data.

  4. adb-iop driver gets another IOP response message, which contains
     the actual reply data for the Talk command, but this is dropped
     (the driver is no longer in awaiting_reply state).

Cc: Joshua Thompson <funaho@jurai.org>
Fixes: e2954e5f ("macintosh/adb-iop: Implement sending -> idle state transition")
Tested-by: NStan Johnson <userm57@yahoo.com>
Signed-off-by: NFinn Thain <fthain@telegraphics.com.au>
Link: https://lore.kernel.org/r/0f0a25855391e7eaa53a50f651aea0124e8525dd.1605847196.git.fthain@telegraphics.com.auSigned-off-by: NGeert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: NChen Jun <chenjun102@huawei.com>
Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
上级 45806b76
......@@ -78,10 +78,7 @@ static void adb_iop_complete(struct iop_msg *msg)
local_irq_save(flags);
if (current_req->reply_expected)
adb_iop_state = awaiting_reply;
else
adb_iop_done();
adb_iop_state = awaiting_reply;
local_irq_restore(flags);
}
......@@ -89,8 +86,9 @@ static void adb_iop_complete(struct iop_msg *msg)
/*
* Listen for ADB messages from the IOP.
*
* This will be called when unsolicited messages (usually replies to TALK
* commands or autopoll packets) are received.
* This will be called when unsolicited IOP messages are received.
* These IOP messages can carry ADB autopoll responses and also occur
* after explicit ADB commands.
*/
static void adb_iop_listen(struct iop_msg *msg)
......@@ -110,8 +108,10 @@ static void adb_iop_listen(struct iop_msg *msg)
if (adb_iop_state == awaiting_reply) {
struct adb_request *req = current_req;
req->reply_len = amsg->count + 1;
memcpy(req->reply, &amsg->cmd, req->reply_len);
if (req->reply_expected) {
req->reply_len = amsg->count + 1;
memcpy(req->reply, &amsg->cmd, req->reply_len);
}
req_done = true;
}
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册
新手
引导
客服 返回
顶部