/* * Thunderbolt Cactus Ridge driver - bus logic (NHI independent) * * Copyright (c) 2014 Andreas Noever */ #ifndef TB_H_ #define TB_H_ #include #include "tb_regs.h" #include "ctl.h" /** * struct tb_switch - a thunderbolt switch */ struct tb_switch { struct tb_regs_switch_header config; struct tb_port *ports; struct tb *tb; u64 uid; int cap_plug_events; /* offset, zero if not found */ bool is_unplugged; /* unplugged, will go away */ u8 *drom; }; /** * struct tb_port - a thunderbolt port, part of a tb_switch */ struct tb_port { struct tb_regs_port_header config; struct tb_switch *sw; struct tb_port *remote; /* remote port, NULL if not connected */ int cap_phy; /* offset, zero if not found */ u8 port; /* port number on switch */ bool disabled; /* disabled by eeprom */ struct tb_port *dual_link_port; u8 link_nr:1; }; /** * struct tb_path_hop - routing information for a tb_path * * Hop configuration is always done on the IN port of a switch. * in_port and out_port have to be on the same switch. Packets arriving on * in_port with "hop" = in_hop_index will get routed to through out_port. The * next hop to take (on out_port->remote) is determined by next_hop_index. * * in_counter_index is the index of a counter (in TB_CFG_COUNTERS) on the in * port. */ struct tb_path_hop { struct tb_port *in_port; struct tb_port *out_port; int in_hop_index; int in_counter_index; /* write -1 to disable counters for this hop. */ int next_hop_index; }; /** * enum tb_path_port - path options mask */ enum tb_path_port { TB_PATH_NONE = 0, TB_PATH_SOURCE = 1, /* activate on the first hop (out of src) */ TB_PATH_INTERNAL = 2, /* activate on other hops (not the first/last) */ TB_PATH_DESTINATION = 4, /* activate on the last hop (into dst) */ TB_PATH_ALL = 7, }; /** * struct tb_path - a unidirectional path between two ports * * A path consists of a number of hops (see tb_path_hop). To establish a PCIe * tunnel two paths have to be created between the two PCIe ports. * */ struct tb_path { struct tb *tb; int nfc_credits; /* non flow controlled credits */ enum tb_path_port ingress_shared_buffer; enum tb_path_port egress_shared_buffer; enum tb_path_port ingress_fc_enable; enum tb_path_port egress_fc_enable; int priority:3; int weight:4; bool drop_packages; bool activated; struct tb_path_hop *hops; int path_length; /* number of hops */ }; /** * struct tb - main thunderbolt bus structure */ struct tb { struct mutex lock; /* * Big lock. Must be held when accessing cfg or * any struct tb_switch / struct tb_port. */ struct tb_nhi *nhi; struct tb_ctl *ctl; struct workqueue_struct *wq; /* ordered workqueue for plug events */ struct tb_switch *root_switch; struct list_head tunnel_list; /* list of active PCIe tunnels */ bool hotplug_active; /* * tb_handle_hotplug will stop progressing plug * events and exit if this is not set (it needs to * acquire the lock one more time). Used to drain * wq after cfg has been paused. */ }; /* helper functions & macros */ /** * tb_upstream_port() - return the upstream port of a switch * * Every switch has an upstream port (for the root switch it is the NHI). * * During switch alloc/init tb_upstream_port()->remote may be NULL, even for * non root switches (on the NHI port remote is always NULL). * * Return: Returns the upstream port of the switch. */ static inline struct tb_port *tb_upstream_port(struct tb_switch *sw) { return &sw->ports[sw->config.upstream_port_number]; } static inline u64 tb_route(struct tb_switch *sw) { return ((u64) sw->config.route_hi) << 32 | sw->config.route_lo; } static inline int tb_sw_read(struct tb_switch *sw, void *buffer, enum tb_cfg_space space, u32 offset, u32 length) { return tb_cfg_read(sw->tb->ctl, buffer, tb_route(sw), 0, space, offset, length); } static inline int tb_sw_write(struct tb_switch *sw, void *buffer, enum tb_cfg_space space, u32 offset, u32 length) { return tb_cfg_write(sw->tb->ctl, buffer, tb_route(sw), 0, space, offset, length); } static inline int tb_port_read(struct tb_port *port, void *buffer, enum tb_cfg_space space, u32 offset, u32 length) { return tb_cfg_read(port->sw->tb->ctl, buffer, tb_route(port->sw), port->port, space, offset, length); } static inline int tb_port_write(struct tb_port *port, void *buffer, enum tb_cfg_space space, u32 offset, u32 length) { return tb_cfg_write(port->sw->tb->ctl, buffer, tb_route(port->sw), port->port, space, offset, length); } #define tb_err(tb, fmt, arg...) dev_err(&(tb)->nhi->pdev->dev, fmt, ## arg) #define tb_WARN(tb, fmt, arg...) dev_WARN(&(tb)->nhi->pdev->dev, fmt, ## arg) #define tb_warn(tb, fmt, arg...) dev_warn(&(tb)->nhi->pdev->dev, fmt, ## arg) #define tb_info(tb, fmt, arg...) dev_info(&(tb)->nhi->pdev->dev, fmt, ## arg) #define __TB_SW_PRINT(level, sw, fmt, arg...) \ do { \ struct tb_switch *__sw = (sw); \ level(__sw->tb, "%llx: " fmt, \ tb_route(__sw), ## arg); \ } while (0) #define tb_sw_WARN(sw, fmt, arg...) __TB_SW_PRINT(tb_WARN, sw, fmt, ##arg) #define tb_sw_warn(sw, fmt, arg...) __TB_SW_PRINT(tb_warn, sw, fmt, ##arg) #define tb_sw_info(sw, fmt, arg...) __TB_SW_PRINT(tb_info, sw, fmt, ##arg) #define __TB_PORT_PRINT(level, _port, fmt, arg...) \ do { \ struct tb_port *__port = (_port); \ level(__port->sw->tb, "%llx:%x: " fmt, \ tb_route(__port->sw), __port->port, ## arg); \ } while (0) #define tb_port_WARN(port, fmt, arg...) \ __TB_PORT_PRINT(tb_WARN, port, fmt, ##arg) #define tb_port_warn(port, fmt, arg...) \ __TB_PORT_PRINT(tb_warn, port, fmt, ##arg) #define tb_port_info(port, fmt, arg...) \ __TB_PORT_PRINT(tb_info, port, fmt, ##arg) struct tb *thunderbolt_alloc_and_start(struct tb_nhi *nhi); void thunderbolt_shutdown_and_free(struct tb *tb); void thunderbolt_suspend(struct tb *tb); void thunderbolt_resume(struct tb *tb); struct tb_switch *tb_switch_alloc(struct tb *tb, u64 route); void tb_switch_free(struct tb_switch *sw); void tb_switch_suspend(struct tb_switch *sw); int tb_switch_resume(struct tb_switch *sw); int tb_switch_reset(struct tb *tb, u64 route); void tb_sw_set_unplugged(struct tb_switch *sw); struct tb_switch *get_switch_at_route(struct tb_switch *sw, u64 route); int tb_wait_for_port(struct tb_port *port, bool wait_if_unplugged); int tb_port_add_nfc_credits(struct tb_port *port, int credits); int tb_port_clear_counter(struct tb_port *port, int counter); int tb_find_cap(struct tb_port *port, enum tb_cfg_space space, enum tb_cap cap); struct tb_path *tb_path_alloc(struct tb *tb, int num_hops); void tb_path_free(struct tb_path *path); int tb_path_activate(struct tb_path *path); void tb_path_deactivate(struct tb_path *path); bool tb_path_is_invalid(struct tb_path *path); int tb_drom_read(struct tb_switch *sw); int tb_drom_read_uid_only(struct tb_switch *sw, u64 *uid); static inline int tb_route_length(u64 route) { return (fls64(route) + TB_ROUTE_SHIFT - 1) / TB_ROUTE_SHIFT; } static inline bool tb_is_upstream_port(struct tb_port *port) { return port == tb_upstream_port(port->sw); } /** * tb_downstream_route() - get route to downstream switch * * Port must not be the upstream port (otherwise a loop is created). * * Return: Returns a route to the switch behind @port. */ static inline u64 tb_downstream_route(struct tb_port *port) { return tb_route(port->sw) | ((u64) port->port << (port->sw->config.depth * 8)); } #endif this crash only if the fallback mechanism is used. Since most distributions disable by default using the fallback mechanism (CONFIG_FW_LOADER_USER_HELPER_FALLBACK), this would typicaly mean only 2 drivers which *require* the fallback mechanism could typically incur a crash: drivers/firmware/dell_rbu.c and the drivers/leds/leds-lp55xx-common.c driver. Distributions enabling CONFIG_FW_LOADER_USER_HELPER_FALLBACK by default are obviously more exposed to this crash. The crash happens because after commit 5b029624948d ("firmware: do not use fw_lock for fw_state protection") and subsequent fix commit 5d47ec02c37ea6 ("firmware: Correct handling of fw_state_wait() return value") a race can happen between this cancelation and the firmware fw_state_wait_timeout() being woken up after a state change with which fw_load_abort() as that calls swake_up(). Upon error fw_state_wait_timeout() will also again call fw_load_abort() and trigger a null reference. At first glance we could just fix this with a !buf check on fw_load_abort() before accessing buf->fw_st, however there is a logical issue in having a state machine used for the fallback mechanism and preventing access from it once we abort as its inside the buf (buf->fw_st). The firmware_class.c code is setting the buf to NULL to annotate an abort has occurred. Replace this mechanism by simply using the state check instead. All the other code in place already uses similar checks for aborting as well so no further changes are needed. An oops can be reproduced with the new fw_fallback.sh fallback mechanism cancellation test. Either cancelling the fallback mechanism or the custom fallback mechanism triggers a crash. mcgrof@piggy ~/linux-next/tools/testing/selftests/firmware (git::20170111-fw-fixes)$ sudo ./fw_fallback.sh ./fw_fallback.sh: timeout works ./fw_fallback.sh: firmware comparison works ./fw_fallback.sh: fallback mechanism works [ this then sits here when it is trying the cancellation test ] Kernel log: test_firmware: loading 'nope-test-firmware.bin' misc test_firmware: Direct firmware load for nope-test-firmware.bin failed with error -2 misc test_firmware: Falling back to user helper BUG: unable to handle kernel NULL pointer dereference at 0000000000000038 IP: _request_firmware+0xa27/0xad0 PGD 0 Oops: 0000 [#1] SMP Modules linked in: test_firmware(E) ... etc ... CPU: 1 PID: 1396 Comm: fw_fallback.sh Tainted: G W E 4.10.0-rc3-next-20170111+ #30 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.10.1-0-g8891697-prebuilt.qemu-project.org 04/01/2014 task: ffff9740b27f4340 task.stack: ffffbb15c0bc8000 RIP: 0010:_request_firmware+0xa27/0xad0 RSP: 0018:ffffbb15c0bcbd10 EFLAGS: 00010246 RAX: 00000000fffffffe RBX: ffff9740afe5aa80 RCX: 0000000000000000 RDX: ffff9740b27f4340 RSI: 0000000000000283 RDI: 0000000000000000 RBP: ffffbb15c0bcbd90 R08: ffffbb15c0bcbcd8 R09: 0000000000000000 R10: 0000000894a0d4b1 R11: 000000000000008c R12: ffffffffc0312480 R13: 0000000000000005 R14: ffff9740b1c32400 R15: 00000000000003e8 FS: 00007f8604422700(0000) GS:ffff9740bfc80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000038 CR3: 000000012164c000 CR4: 00000000000006e0 Call Trace: request_firmware+0x37/0x50 trigger_request_store+0x79/0xd0 [test_firmware] dev_attr_store+0x18/0x30 sysfs_kf_write+0x37/0x40 kernfs_fop_write+0x110/0x1a0 __vfs_write+0x37/0x160 ? _cond_resched+0x1a/0x50 vfs_write+0xb5/0x1a0 SyS_write+0x55/0xc0 ? trace_do_page_fault+0x37/0xd0 entry_SYSCALL_64_fastpath+0x1e/0xad RIP: 0033:0x7f8603f49620 RSP: 002b:00007fff6287b788 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055c307b110a0 RCX: 00007f8603f49620 RDX: 0000000000000016 RSI: 000055c3084d8a90 RDI: 0000000000000001 RBP: 0000000000000016 R08: 000000000000c0ff R09: 000055c3084d6336 R10: 000055c307b108b0 R11: 0000000000000246 R12: 000055c307b13c80 R13: 000055c3084d6320 R14: 0000000000000000 R15: 00007fff6287b950 Code: 9f 64 84 e8 9c 61 fe ff b8 f4 ff ff ff e9 6b f9 ff ff 48 c7 c7 40 6b 8d 84 89 45 a8 e8 43 84 18 00 49 8b be 00 03 00 00 8b 45 a8 <83> 7f 38 02 74 08 e8 6e ec ff ff 8b 45 a8 49 c7 86 00 03 00 00 RIP: _request_firmware+0xa27/0xad0 RSP: ffffbb15c0bcbd10 CR2: 0000000000000038 ---[ end trace 6d94ac339c133e6f ]--- Fixes: 5d47ec02c37e ("firmware: Correct handling of fw_state_wait() return value") Reported-and-Tested-by: Jakub Kicinski <jakub.kicinski@netronome.com> Reported-and-Tested-by: Patrick Bruenn <p.bruenn@beckhoff.com> Reported-by: Chris Wilson <chris@chris-wilson.co.uk> CC: <stable@vger.kernel.org> [3.10+] Signed-off-by: Luis R. Rodriguez <mcgrof@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'include/dt-bindings/reset/sun6i-a31-ccu.h')