Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v5.4.113 2020-12-11T12:23:29+00:00 2020-12-11T12:23:29+00:00 Mika Westerberg mika.westerberg@linux.intel.com 2020-11-18T11:08:21+00:00 urn:sha1:b92738c4f9d31943244147029d88ce19e41c02d4 commit 600c0849cf86b75d86352f59745226273290986a upstream. Paulian reported a crash that happens when a dock is unplugged during hibernation: [78436.228217] thunderbolt 0-1: device disconnected [78436.228365] BUG: kernel NULL pointer dereference, address: 00000000000001e0 ... [78436.228397] RIP: 0010:icm_free_unplugged_children+0x109/0x1a0 ... [78436.228432] Call Trace: [78436.228439] icm_rescan_work+0x24/0x30 [78436.228444] process_one_work+0x1a3/0x3a0 [78436.228449] worker_thread+0x30/0x370 [78436.228454] ? process_one_work+0x3a0/0x3a0 [78436.228457] kthread+0x13d/0x160 [78436.228461] ? kthread_park+0x90/0x90 [78436.228465] ret_from_fork+0x1f/0x30 This happens because remove_unplugged_switch() calls tb_switch_remove() that releases the memory pointed by sw so the following lines reference to a memory that might be released already. Fix this by saving pointer to the parent device before calling tb_switch_remove(). Reported-by: Paulian Bogdan Marinca <paulian@marinca.net> Fixes: 4f7c2e0d8765 ("thunderbolt: Make sure device runtime resume completes before taking domain lock") Cc: stable@vger.kernel.org Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-11-18T18:20:29+00:00 Jing Xiangfeng jingxiangfeng@huawei.com 2020-10-15T08:40:53+00:00 urn:sha1:1654bf2d9f0e898c43848d2e7e8c9fad47a4614e commit 7342ca34d931a357d408aaa25fadd031e46af137 upstream. ring_request_msix() misses to call ida_simple_remove() in an error path. Add a label 'err_ida_remove' and jump to it. Fixes: 046bee1f9ab8 ("thunderbolt: Add MSI-X support") Cc: stable@vger.kernel.org Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com> Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-11-18T18:20:29+00:00 Mika Westerberg mika.westerberg@linux.intel.com 2020-10-07T14:06:17+00:00 urn:sha1:06c1895fe71b14354deb79366cb0dd6fa18a88a5 commit a663e0df4a374b8537562a44d1cecafb472cd65b upstream. The svc->key field is not released as it should be if ida_simple_get() fails so fix that. Fixes: 9aabb68568b4 ("thunderbolt: Fix to check return value of ida_simple_get") Cc: stable@vger.kernel.org Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-02-28T16:22:13+00:00 Mika Westerberg mika.westerberg@linux.intel.com 2020-02-13T09:56:04+00:00 urn:sha1:cfda8551dd599685d25aaee8be2ff604d77c0008 commit 03cd45d2e219301880cabc357e3cf478a500080f upstream. The driver does not populate .reg_read callback for the non-active NVMem because the file is supposed to be write-only. However, it turns out NVMem subsystem does not yet support this and expects that the .reg_read callback is provided. If user reads the binary attribute it triggers NULL pointer dereference like this one: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... Call Trace: bin_attr_nvmem_read+0x64/0x80 kernfs_fop_read+0xa7/0x180 vfs_read+0xbd/0x170 ksys_read+0x5a/0xd0 do_syscall_64+0x43/0x150 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fix this in the driver by providing .reg_read callback that always returns an error. Reported-by: Nicholas Johnson <nicholas.johnson-opensource@outlook.com.au> Fixes: e6b245ccd524 ("thunderbolt: Add support for host and device NVM firmware upgrade") Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200213095604.1074-1-mika.westerberg@linux.intel.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-12-04T21:30:50+00:00 Mika Westerberg mika.westerberg@linux.intel.com 2019-11-11T10:25:44+00:00 urn:sha1:5148c89f9957cf597544f4e3dfb10febe08c2536 commit 7a7ebfa85f4fac349f3ab219538c44efe18b0cf6 upstream. On zang's Dell XPS 13 9370 after Thunderbolt NVM firmware upgrade the Thunderbolt controller did not come back as expected. Only after the system was rebooted it became available again. It is not entirely clear what happened but I suspect the new NVM firmware image authentication failed for some reason. Regardless of this the router needs to be power cycled if NVM authentication fails in order to get it fully functional again. This modifies the driver to issue a power cycle in case the NVM authentication fails immediately when dma_port_flash_update_auth() returns. We also need to call tb_switch_set_uuid() earlier to be able to fetch possible NVM authentication failure when DMA port is added. Link: https://bugzilla.kernel.org/show_bug.cgi?id=205457 Reported-by: zang <dump@tzib.net> Cc: stable <stable@vger.kernel.org> Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-10-08T09:08:21+00:00 Mika Westerberg mika.westerberg@linux.intel.com 2019-09-16T14:03:03+00:00 urn:sha1:747125db6dcd8bcc21f13d013f6e6a2acade21ee The read is not needed as we overwrite the returned value in the next line anyway so drop it. Fixes: 3cdb9446a117 ("thunderbolt: Add support for Intel Ice Lake") Reported-by: Nicholas Johnson <nicholas.johnson-opensource@outlook.com.au> Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com> 2019-10-08T09:08:21+00:00 Mika Westerberg mika.westerberg@linux.intel.com 2019-09-19T12:28:58+00:00 urn:sha1:6f6709734274aef75058356e029d5e8f86d0d53b When lockdep is enabled, plugging Thunderbolt dock on Dominik's laptop triggers following splat: ====================================================== WARNING: possible circular locking dependency detected 5.3.0-rc6+ #1 Tainted: G T ------------------------------------------------------ pool-/usr/lib/b/1258 is trying to acquire lock: 000000005ab0ad43 (pci_rescan_remove_lock){+.+.}, at: authorized_store+0xe8/0x210 but task is already holding lock: 00000000bfb796b5 (&tb->lock){+.+.}, at: authorized_store+0x7c/0x210 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&tb->lock){+.+.}: __mutex_lock+0xac/0x9a0 tb_domain_add+0x2d/0x130 nhi_probe+0x1dd/0x330 pci_device_probe+0xd2/0x150 really_probe+0xee/0x280 driver_probe_device+0x50/0xc0 bus_for_each_drv+0x84/0xd0 __device_attach+0xe4/0x150 pci_bus_add_device+0x4e/0x70 pci_bus_add_devices+0x2e/0x66 pci_bus_add_devices+0x59/0x66 pci_bus_add_devices+0x59/0x66 enable_slot+0x344/0x450 acpiphp_check_bridge.part.0+0x119/0x150 acpiphp_hotplug_notify+0xaa/0x140 acpi_device_hotplug+0xa2/0x3f0 acpi_hotplug_work_fn+0x1a/0x30 process_one_work+0x234/0x580 worker_thread+0x50/0x3b0 kthread+0x10a/0x140 ret_from_fork+0x3a/0x50 -> #0 (pci_rescan_remove_lock){+.+.}: __lock_acquire+0xe54/0x1ac0 lock_acquire+0xb8/0x1b0 __mutex_lock+0xac/0x9a0 authorized_store+0xe8/0x210 kernfs_fop_write+0x125/0x1b0 vfs_write+0xc2/0x1d0 ksys_write+0x6c/0xf0 do_syscall_64+0x50/0x180 entry_SYSCALL_64_after_hwframe+0x49/0xbe other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&tb->lock); lock(pci_rescan_remove_lock); lock(&tb->lock); lock(pci_rescan_remove_lock); *** DEADLOCK *** 5 locks held by pool-/usr/lib/b/1258: #0: 000000003df1a1ad (&f->f_pos_lock){+.+.}, at: __fdget_pos+0x4d/0x60 #1: 0000000095a40b02 (sb_writers#6){.+.+}, at: vfs_write+0x185/0x1d0 #2: 0000000017a7d714 (&of->mutex){+.+.}, at: kernfs_fop_write+0xf2/0x1b0 #3: 000000004f262981 (kn->count#208){.+.+}, at: kernfs_fop_write+0xfa/0x1b0 #4: 00000000bfb796b5 (&tb->lock){+.+.}, at: authorized_store+0x7c/0x210 stack backtrace: CPU: 0 PID: 1258 Comm: pool-/usr/lib/b Tainted: G T 5.3.0-rc6+ #1 On an system using ACPI hotplug the host router gets hotplugged first and then the firmware starts sending notifications about connected devices so the above scenario should not happen in reality. However, after taking a second look at commit a03e828915c0 ("thunderbolt: Serialize PCIe tunnel creation with PCI rescan") that introduced the locking, I don't think it is actually correct. It may have cured the symptom but probably the real root cause was somewhere closer to PCI stack and possibly is already fixed with recent kernels. I also tried to reproduce the original issue with the commit reverted but could not. So to keep lockdep happy and the code bit less complex drop calls to pci_lock_rescan_remove()/pci_unlock_rescan_remove() in tb_switch_set_authorized() effectively reverting a03e828915c0. Link: https://lkml.org/lkml/2019/8/30/513 Fixes: a03e828915c0 ("thunderbolt: Serialize PCIe tunnel creation with PCI rescan") Reported-by: Dominik Brodowski <linux@dominikbrodowski.net> Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com> 2019-10-08T09:08:01+00:00 Mika Westerberg mika.westerberg@linux.intel.com 2019-09-19T11:55:23+00:00 urn:sha1:fd5c46b754d4799afda8dcdd6851e0390aa4961a When we discover existing DP tunnels the code checks whether DP IN adapter port is enabled by calling tb_dp_port_is_enabled() before it continues the discovery process. On Light Ridge (gen 1) controller reading only the first dword of the DP IN config space causes subsequent access to the same DP IN port path config space to fail or return invalid data as can be seen in the below splat: thunderbolt 0000:07:00.0: CFG_ERROR(0:d): Invalid config space or offset Call Trace: tb_cfg_read+0xb9/0xd0 __tb_path_deactivate_hop+0x98/0x210 tb_path_activate+0x228/0x7d0 tb_tunnel_restart+0x95/0x200 tb_handle_hotplug+0x30e/0x630 process_one_work+0x1b4/0x340 worker_thread+0x44/0x3d0 kthread+0xeb/0x120 ? process_one_work+0x340/0x340 ? kthread_park+0xa0/0xa0 ret_from_fork+0x1f/0x30 If both DP In adapter config dwords are read in one go the issue does not reproduce. This is likely firmware bug but we can work it around by always reading the two dwords in one go. There should be no harm for other controllers either so can do it unconditionally. Link: https://lkml.org/lkml/2019/8/28/160 Reported-by: Brad Campbell <lists2009@fnarfbargle.com> Tested-by: Brad Campbell <lists2009@fnarfbargle.com> Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com> 2019-08-26T09:15:06+00:00 Mika Westerberg mika.westerberg@linux.intel.com 2018-01-16T20:19:00+00:00 urn:sha1:3cdb9446a117d5d63af823bde6fe6babc312e77b The Thunderbolt controller is integrated into the Ice Lake CPU itself and requires special flows to power it on and off using force power bit in NHI VSEC registers. Runtime PM (RTD3) and Sx flows also differ from the discrete solutions. Now the firmware notifies the driver whether RTD3 entry or exit are possible. The driver is responsible of sending Go2Sx command through link controller mailbox when system enters Sx states (suspend-to-mem/disk). Rest of the ICM firwmare flows follow Titan Ridge. Signed-off-by: Raanan Avargil <raanan.avargil@intel.com> Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com> Reviewed-by: Yehezkel Bernat <YehezkelShB@gmail.com> Tested-by: Mario Limonciello <mario.limonciello@dell.com> 2019-08-26T09:15:01+00:00 Mika Westerberg mika.westerberg@linux.intel.com 2019-02-05T09:51:40+00:00 urn:sha1:3f415e5ee18b0097755afc3ac3a5640b196a239e Ice Lake Thunderbolt controller NVM firmware is part of the BIOS image which means it is not writable through the DMA port anymore. However, we can still read it so we can keep nvm_version and active parts of NVM. This way users still can find out the active NVM version and other potentially useful information directly from Linux. Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com> Reviewed-by: Yehezkel Bernat <YehezkelShB@gmail.com> Tested-by: Mario Limonciello <mario.limonciello@dell.com>