kernel/linux.git/drivers/thunderbolt, branch v4.19.112

thunderbolt: Prevent crash if non-active NVMem file is read

2020-02-28T15:38:44+00:00

commit 03cd45d2e219301880cabc357e3cf478a500080f upstream. The driver does not populate .reg_read callback for the non-active NVMem because the file is supposed to be write-only. However, it turns out NVMem subsystem does not yet support this and expects that the .reg_read callback is provided. If user reads the binary attribute it triggers NULL pointer dereference like this one: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... Call Trace: bin_attr_nvmem_read+0x64/0x80 kernfs_fop_read+0xa7/0x180 vfs_read+0xbd/0x170 ksys_read+0x5a/0xd0 do_syscall_64+0x43/0x150 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fix this in the driver by providing .reg_read callback that always returns an error. Reported-by: Nicholas Johnson Fixes: e6b245ccd524 ("thunderbolt: Add support for host and device NVM firmware upgrade") Signed-off-by: Mika Westerberg Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200213095604.1074-1-mika.westerberg@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman

thunderbolt: Power cycle the router if NVM authentication fails

2019-12-05T08:21:27+00:00

commit 7a7ebfa85f4fac349f3ab219538c44efe18b0cf6 upstream. On zang's Dell XPS 13 9370 after Thunderbolt NVM firmware upgrade the Thunderbolt controller did not come back as expected. Only after the system was rebooted it became available again. It is not entirely clear what happened but I suspect the new NVM firmware image authentication failed for some reason. Regardless of this the router needs to be power cycled if NVM authentication fails in order to get it fully functional again. This modifies the driver to issue a power cycle in case the NVM authentication fails immediately when dma_port_flash_update_auth() returns. We also need to call tb_switch_set_uuid() earlier to be able to fetch possible NVM authentication failure when DMA port is added. Link: https://bugzilla.kernel.org/show_bug.cgi?id=205457 Reported-by: zang Cc: stable Signed-off-by: Mika Westerberg Signed-off-by: Greg Kroah-Hartman

thunderbolt: Use 32-bit writes when writing ring producer/consumer

2019-11-06T12:06:12+00:00

[ Upstream commit 943795219d3cb9f8ce6ce51cad3ffe1f61e95c6b ] The register access should be using 32-bit reads/writes according to the datasheet. With the previous generation hardware 16-bit writes have been working but starting with ICL this is not the case anymore so fix producer/consumer register update to use correct width register address. Signed-off-by: Mika Westerberg Reviewed-by: Yehezkel Bernat Tested-by: Mario Limonciello Signed-off-by: Sasha Levin

thunderbolt: property: Fix a NULL pointer dereference

2019-05-31T13:46:31+00:00

[ Upstream commit 106204b56f60abf1bead7dceb88f2be3e34433da ] In case kzalloc fails, the fix releases resources and returns -ENOMEM to avoid the NULL pointer dereference. Signed-off-by: Kangjie Lu Signed-off-by: Mika Westerberg Signed-off-by: Sasha Levin

thunderbolt: Fix to check for kmemdup failure

2019-05-31T13:46:31+00:00

[ Upstream commit 2cc12751cf464a722ff57b54d17d30c84553f9c0 ] Memory allocated via kmemdup might fail and return a NULL pointer. This patch adds a check on the return value of kmemdup and passes the error upstream. Signed-off-by: Aditya Pakki Reviewed-by: Mukesh Ojha Signed-off-by: Mika Westerberg Signed-off-by: Sasha Levin

thunderbolt: Fix to check return value of ida_simple_get

2019-05-31T13:46:31+00:00

[ Upstream commit 9aabb68568b473bf2f0b179d053b403961e42e4d ] In enumerate_services, ida_simple_get on failure can return an error and leaks memory. The patch ensures that the dev_set_name is set on non failure cases, and releases memory during failure. Signed-off-by: Aditya Pakki Signed-off-by: Mika Westerberg Signed-off-by: Sasha Levin

thunderbolt: Fix to check the return value of kmemdup

2019-05-31T13:46:29+00:00

[ Upstream commit fd21b79e541e4666c938a344f3ad2df74b4f5120 ] uuid in add_switch is allocted via kmemdup which can fail. The patch logs the error and cleans up the allocated memory for switch. Signed-off-by: Aditya Pakki Reviewed-by: Mukesh Ojha Signed-off-by: Mika Westerberg Signed-off-by: Sasha Levin

thunderbolt: property: Fix a missing check of kzalloc

2019-05-31T13:46:29+00:00

[ Upstream commit 6183d5a51866f3acdeeb66b75e87d44025b01a55 ] No check is enforced for the return value of kzalloc, which may lead to NULL-pointer dereference. The patch fixes this issue. Signed-off-by: Kangjie Lu Reviewed-by: Mukesh Ojha Signed-off-by: Mika Westerberg Signed-off-by: Sasha Levin

thunderbolt: Take domain lock in switch sysfs attribute callbacks

2019-05-31T13:46:20+00:00

[ Upstream commit 09f11b6c99feaf86a26444bca85dc693b3f58f8b ] switch_lock was introduced because it allowed serialization of device authorization requests from userspace without need to take the big domain lock (tb->lock). This was fine because device authorization with ICM is just one command that is sent to the firmware. Now that we start to handle all tunneling in the driver switch_lock is not enough because we need to walk over the topology to establish paths. For this reason drop switch_lock from the driver completely in favour of big domain lock. There is one complication, though. If userspace is waiting for the lock in tb_switch_set_authorized(), it keeps the device_del() from removing the sysfs attribute because it waits for active users to release the attribute first which leads into following splat: INFO: task kworker/u8:3:73 blocked for more than 61 seconds. Tainted: G W 5.1.0-rc1+ #244 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. kworker/u8:3 D12976 73 2 0x80000000 Workqueue: thunderbolt0 tb_handle_hotplug [thunderbolt] Call Trace: ? __schedule+0x2e5/0x740 ? _raw_spin_lock_irqsave+0x12/0x40 ? prepare_to_wait_event+0xc5/0x160 schedule+0x2d/0x80 __kernfs_remove.part.17+0x183/0x1f0 ? finish_wait+0x80/0x80 kernfs_remove_by_name_ns+0x4a/0x90 remove_files.isra.1+0x2b/0x60 sysfs_remove_group+0x38/0x80 sysfs_remove_groups+0x24/0x40 device_remove_attrs+0x3d/0x70 device_del+0x14c/0x360 device_unregister+0x15/0x50 tb_switch_remove+0x9e/0x1d0 [thunderbolt] tb_handle_hotplug+0x119/0x5a0 [thunderbolt] ? process_one_work+0x1b7/0x420 process_one_work+0x1b7/0x420 worker_thread+0x37/0x380 ? _raw_spin_unlock_irqrestore+0xf/0x30 ? process_one_work+0x420/0x420 kthread+0x118/0x130 ? kthread_create_on_node+0x60/0x60 ret_from_fork+0x35/0x40 We deal this by following what network stack did for some of their attributes and use mutex_trylock() with restart_syscall(). This makes userspace release the attribute allowing sysfs attribute removal to progress before the write is restarted and eventually fail when the attribute is removed. Signed-off-by: Mika Westerberg Signed-off-by: Sasha Levin

thunderbolt: Prevent root port runtime suspend during NVM upgrade

2018-12-17T08:24:36+00:00

[ Upstream commit 1830b6eeda1fed42d85f2388f79c926331a9b2d0 ] During NVM upgrade process the host router is hot-removed for a short while. During this time it is possible that the root port is moved into D3cold which would be fine if the root port could trigger PME on itself. However, many systems actually do not implement it so what happens is that the root port goes into D3cold and never wakes up unless userspace does PCI config space access, such as running 'lscpi'. For this reason we explicitly prevent the root port from runtime suspending during NVM upgrade. Signed-off-by: Mika Westerberg Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin