mirror of
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-08-05 16:54:27 +00:00
424eafe656
When i2c-cros-ec-tunnel and the EC driver are built-in, the EC parent
device will not be found, leading to NULL pointer dereference.
That can also be reproduced by unbinding the controller driver and then
loading i2c-cros-ec-tunnel module (or binding the device).
[ 271.991245] BUG: kernel NULL pointer dereference, address: 0000000000000058
[ 271.998215] #PF: supervisor read access in kernel mode
[ 272.003351] #PF: error_code(0x0000) - not-present page
[ 272.008485] PGD 0 P4D 0
[ 272.011022] Oops: Oops: 0000 [#1] SMP NOPTI
[ 272.015207] CPU: 0 UID: 0 PID: 3859 Comm: insmod Tainted: G S 6.15.0-rc1-00004-g44722359ed83 #30 PREEMPT(full) 3c7fb39a552e7d949de2ad921a7d6588d3a4fdc5
[ 272.030312] Tainted: [S]=CPU_OUT_OF_SPEC
[ 272.034233] Hardware name: HP Berknip/Berknip, BIOS Google_Berknip.13434.356.0 05/17/2021
[ 272.042400] RIP: 0010:ec_i2c_probe+0x2b/0x1c0 [i2c_cros_ec_tunnel]
[ 272.048577] Code: 1f 44 00 00 41 57 41 56 41 55 41 54 53 48 83 ec 10 65 48 8b 05 06 a0 6c e7 48 89 44 24 08 4c 8d 7f 10 48 8b 47 50 4c 8b 60 78 <49> 83 7c 24 58 00 0f 84 2f 01 00 00 48 89 fb be 30 06 00 00 4c 9
[ 272.067317] RSP: 0018:ffffa32082a03940 EFLAGS: 00010282
[ 272.072541] RAX: ffff969580b6a810 RBX: ffff969580b68c10 RCX: 0000000000000000
[ 272.079672] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff969580b68c00
[ 272.086804] RBP: 00000000fffffdfb R08: 0000000000000000 R09: 0000000000000000
[ 272.093936] R10: 0000000000000000 R11: ffffffffc0600000 R12: 0000000000000000
[ 272.101067] R13: ffffffffa666fbb8 R14: ffffffffc05b5528 R15: ffff969580b68c10
[ 272.108198] FS: 00007b930906fc40(0000) GS:ffff969603149000(0000) knlGS:0000000000000000
[ 272.116282] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 272.122024] CR2: 0000000000000058 CR3: 000000012631c000 CR4: 00000000003506f0
[ 272.129155] Call Trace:
[ 272.131606] <TASK>
[ 272.133709] ? acpi_dev_pm_attach+0xdd/0x110
[ 272.137985] platform_probe+0x69/0xa0
[ 272.141652] really_probe+0x152/0x310
[ 272.145318] __driver_probe_device+0x77/0x110
[ 272.149678] driver_probe_device+0x1e/0x190
[ 272.153864] __driver_attach+0x10b/0x1e0
[ 272.157790] ? driver_attach+0x20/0x20
[ 272.161542] bus_for_each_dev+0x107/0x150
[ 272.165553] bus_add_driver+0x15d/0x270
[ 272.169392] driver_register+0x65/0x110
[ 272.173232] ? cleanup_module+0xa80/0xa80 [i2c_cros_ec_tunnel 3a00532f3f4af4a9eade753f86b0f8dd4e4e5698]
[ 272.182617] do_one_initcall+0x110/0x350
[ 272.186543] ? security_kernfs_init_security+0x49/0xd0
[ 272.191682] ? __kernfs_new_node+0x1b9/0x240
[ 272.195954] ? security_kernfs_init_security+0x49/0xd0
[ 272.201093] ? __kernfs_new_node+0x1b9/0x240
[ 272.205365] ? kernfs_link_sibling+0x105/0x130
[ 272.209810] ? kernfs_next_descendant_post+0x1c/0xa0
[ 272.214773] ? kernfs_activate+0x57/0x70
[ 272.218699] ? kernfs_add_one+0x118/0x160
[ 272.222710] ? __kernfs_create_file+0x71/0xa0
[ 272.227069] ? sysfs_add_bin_file_mode_ns+0xd6/0x110
[ 272.232033] ? internal_create_group+0x453/0x4a0
[ 272.236651] ? __vunmap_range_noflush+0x214/0x2d0
[ 272.241355] ? __free_frozen_pages+0x1dc/0x420
[ 272.245799] ? free_vmap_area_noflush+0x10a/0x1c0
[ 272.250505] ? load_module+0x1509/0x16f0
[ 272.254431] do_init_module+0x60/0x230
[ 272.258181] __se_sys_finit_module+0x27a/0x370
[ 272.262627] do_syscall_64+0x6a/0xf0
[ 272.266206] ? do_syscall_64+0x76/0xf0
[ 272.269956] ? irqentry_exit_to_user_mode+0x79/0x90
[ 272.274836] entry_SYSCALL_64_after_hwframe+0x55/0x5d
[ 272.279887] RIP: 0033:0x7b9309168d39
[ 272.283466] Code: 5b 41 5c 5d c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d af 40 0c 00 f7 d8 64 89 01 8
[ 272.302210] RSP: 002b:00007fff50f1a288 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 272.309774] RAX: ffffffffffffffda RBX: 000058bf9b50f6d0 RCX: 00007b9309168d39
[ 272.316905] RDX: 0000000000000000 RSI: 000058bf6c103a77 RDI: 0000000000000003
[ 272.324036] RBP: 00007fff50f1a2e0 R08: 00007fff50f19218 R09: 0000000021ec4150
[ 272.331166] R10: 000058bf9b50f7f0 R11: 0000000000000246 R12: 0000000000000000
[ 272.338296] R13: 00000000fffffffe R14: 0000000000000000 R15: 000058bf6c103a77
[ 272.345428] </TASK>
[ 272.347617] Modules linked in: i2c_cros_ec_tunnel(+)
[ 272.364585] gsmi: Log Shutdown Reason 0x03
Returning -EPROBE_DEFER will allow the device to be bound once the
controller is bound, in the case of built-in drivers.
Fixes: 9d230c9e4f ("i2c: ChromeOS EC tunnel driver")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Cc: <stable@vger.kernel.org> # v3.16+
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20250407-null-ec-parent-v1-1-f7dda62d3110@igalia.com
322 lines
8 KiB
C
322 lines
8 KiB
C
// SPDX-License-Identifier: GPL-2.0+
|
|
// Expose an I2C passthrough to the ChromeOS EC.
|
|
//
|
|
// Copyright (C) 2013 Google, Inc.
|
|
|
|
#include <linux/acpi.h>
|
|
#include <linux/module.h>
|
|
#include <linux/i2c.h>
|
|
#include <linux/platform_data/cros_ec_commands.h>
|
|
#include <linux/platform_data/cros_ec_proto.h>
|
|
#include <linux/platform_device.h>
|
|
#include <linux/slab.h>
|
|
|
|
#define I2C_MAX_RETRIES 3
|
|
|
|
/**
|
|
* struct ec_i2c_device - Driver data for I2C tunnel
|
|
*
|
|
* @dev: Device node
|
|
* @adap: I2C adapter
|
|
* @ec: Pointer to EC device
|
|
* @remote_bus: The EC bus number we tunnel to on the other side.
|
|
* @request_buf: Buffer for transmitting data; we expect most transfers to fit.
|
|
* @response_buf: Buffer for receiving data; we expect most transfers to fit.
|
|
*/
|
|
|
|
struct ec_i2c_device {
|
|
struct device *dev;
|
|
struct i2c_adapter adap;
|
|
struct cros_ec_device *ec;
|
|
|
|
u16 remote_bus;
|
|
|
|
u8 request_buf[256];
|
|
u8 response_buf[256];
|
|
};
|
|
|
|
/**
|
|
* ec_i2c_count_message - Count bytes needed for ec_i2c_construct_message
|
|
*
|
|
* @i2c_msgs: The i2c messages to read
|
|
* @num: The number of i2c messages.
|
|
*
|
|
* Returns the number of bytes the messages will take up.
|
|
*/
|
|
static int ec_i2c_count_message(const struct i2c_msg i2c_msgs[], int num)
|
|
{
|
|
int i;
|
|
int size;
|
|
|
|
size = sizeof(struct ec_params_i2c_passthru);
|
|
size += num * sizeof(struct ec_params_i2c_passthru_msg);
|
|
for (i = 0; i < num; i++)
|
|
if (!(i2c_msgs[i].flags & I2C_M_RD))
|
|
size += i2c_msgs[i].len;
|
|
|
|
return size;
|
|
}
|
|
|
|
/**
|
|
* ec_i2c_construct_message - construct a message to go to the EC
|
|
*
|
|
* This function effectively stuffs the standard i2c_msg format of Linux into
|
|
* a format that the EC understands.
|
|
*
|
|
* @buf: The buffer to fill. We assume that the buffer is big enough.
|
|
* @i2c_msgs: The i2c messages to read.
|
|
* @num: The number of i2c messages.
|
|
* @bus_num: The remote bus number we want to talk to.
|
|
*
|
|
* Returns 0 or a negative error number.
|
|
*/
|
|
static int ec_i2c_construct_message(u8 *buf, const struct i2c_msg i2c_msgs[],
|
|
int num, u16 bus_num)
|
|
{
|
|
struct ec_params_i2c_passthru *params;
|
|
u8 *out_data;
|
|
int i;
|
|
|
|
out_data = buf + sizeof(struct ec_params_i2c_passthru) +
|
|
num * sizeof(struct ec_params_i2c_passthru_msg);
|
|
|
|
params = (struct ec_params_i2c_passthru *)buf;
|
|
params->port = bus_num;
|
|
params->num_msgs = num;
|
|
for (i = 0; i < num; i++) {
|
|
const struct i2c_msg *i2c_msg = &i2c_msgs[i];
|
|
struct ec_params_i2c_passthru_msg *msg = ¶ms->msg[i];
|
|
|
|
msg->len = i2c_msg->len;
|
|
msg->addr_flags = i2c_msg->addr;
|
|
|
|
if (i2c_msg->flags & I2C_M_TEN)
|
|
return -EINVAL;
|
|
|
|
if (i2c_msg->flags & I2C_M_RD) {
|
|
msg->addr_flags |= EC_I2C_FLAG_READ;
|
|
} else {
|
|
memcpy(out_data, i2c_msg->buf, msg->len);
|
|
out_data += msg->len;
|
|
}
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* ec_i2c_count_response - Count bytes needed for ec_i2c_parse_response
|
|
*
|
|
* @i2c_msgs: The i2c messages to fill up.
|
|
* @num: The number of i2c messages expected.
|
|
*
|
|
* Returns the number of response bytes expeced.
|
|
*/
|
|
static int ec_i2c_count_response(struct i2c_msg i2c_msgs[], int num)
|
|
{
|
|
int size;
|
|
int i;
|
|
|
|
size = sizeof(struct ec_response_i2c_passthru);
|
|
for (i = 0; i < num; i++)
|
|
if (i2c_msgs[i].flags & I2C_M_RD)
|
|
size += i2c_msgs[i].len;
|
|
|
|
return size;
|
|
}
|
|
|
|
/**
|
|
* ec_i2c_parse_response - Parse a response from the EC
|
|
*
|
|
* We'll take the EC's response and copy it back into msgs.
|
|
*
|
|
* @buf: The buffer to parse.
|
|
* @i2c_msgs: The i2c messages to fill up.
|
|
* @num: The number of i2c messages; will be modified to include the actual
|
|
* number received.
|
|
*
|
|
* Returns 0 or a negative error number.
|
|
*/
|
|
static int ec_i2c_parse_response(const u8 *buf, struct i2c_msg i2c_msgs[],
|
|
int *num)
|
|
{
|
|
const struct ec_response_i2c_passthru *resp;
|
|
const u8 *in_data;
|
|
int i;
|
|
|
|
in_data = buf + sizeof(struct ec_response_i2c_passthru);
|
|
|
|
resp = (const struct ec_response_i2c_passthru *)buf;
|
|
if (resp->i2c_status & EC_I2C_STATUS_TIMEOUT)
|
|
return -ETIMEDOUT;
|
|
else if (resp->i2c_status & EC_I2C_STATUS_NAK)
|
|
return -ENXIO;
|
|
else if (resp->i2c_status & EC_I2C_STATUS_ERROR)
|
|
return -EIO;
|
|
|
|
/* Other side could send us back fewer messages, but not more */
|
|
if (resp->num_msgs > *num)
|
|
return -EPROTO;
|
|
*num = resp->num_msgs;
|
|
|
|
for (i = 0; i < *num; i++) {
|
|
struct i2c_msg *i2c_msg = &i2c_msgs[i];
|
|
|
|
if (i2c_msgs[i].flags & I2C_M_RD) {
|
|
memcpy(i2c_msg->buf, in_data, i2c_msg->len);
|
|
in_data += i2c_msg->len;
|
|
}
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int ec_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg i2c_msgs[],
|
|
int num)
|
|
{
|
|
struct ec_i2c_device *bus = adap->algo_data;
|
|
struct device *dev = bus->dev;
|
|
const u16 bus_num = bus->remote_bus;
|
|
int request_len;
|
|
int response_len;
|
|
int alloc_size;
|
|
int result;
|
|
struct cros_ec_command *msg;
|
|
|
|
request_len = ec_i2c_count_message(i2c_msgs, num);
|
|
if (request_len < 0) {
|
|
dev_warn(dev, "Error constructing message %d\n", request_len);
|
|
return request_len;
|
|
}
|
|
|
|
response_len = ec_i2c_count_response(i2c_msgs, num);
|
|
if (response_len < 0) {
|
|
/* Unexpected; no errors should come when NULL response */
|
|
dev_warn(dev, "Error preparing response %d\n", response_len);
|
|
return response_len;
|
|
}
|
|
|
|
alloc_size = max(request_len, response_len);
|
|
msg = kmalloc(sizeof(*msg) + alloc_size, GFP_KERNEL);
|
|
if (!msg)
|
|
return -ENOMEM;
|
|
|
|
result = ec_i2c_construct_message(msg->data, i2c_msgs, num, bus_num);
|
|
if (result) {
|
|
dev_err(dev, "Error constructing EC i2c message %d\n", result);
|
|
goto exit;
|
|
}
|
|
|
|
msg->version = 0;
|
|
msg->command = EC_CMD_I2C_PASSTHRU;
|
|
msg->outsize = request_len;
|
|
msg->insize = response_len;
|
|
|
|
result = cros_ec_cmd_xfer_status(bus->ec, msg);
|
|
if (result < 0) {
|
|
dev_err(dev, "Error transferring EC i2c message %d\n", result);
|
|
goto exit;
|
|
}
|
|
|
|
result = ec_i2c_parse_response(msg->data, i2c_msgs, &num);
|
|
if (result < 0)
|
|
goto exit;
|
|
|
|
/* Indicate success by saying how many messages were sent */
|
|
result = num;
|
|
exit:
|
|
kfree(msg);
|
|
return result;
|
|
}
|
|
|
|
static u32 ec_i2c_functionality(struct i2c_adapter *adap)
|
|
{
|
|
return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
|
|
}
|
|
|
|
static const struct i2c_algorithm ec_i2c_algorithm = {
|
|
.xfer = ec_i2c_xfer,
|
|
.functionality = ec_i2c_functionality,
|
|
};
|
|
|
|
static int ec_i2c_probe(struct platform_device *pdev)
|
|
{
|
|
struct cros_ec_device *ec = dev_get_drvdata(pdev->dev.parent);
|
|
struct device *dev = &pdev->dev;
|
|
struct ec_i2c_device *bus = NULL;
|
|
u32 remote_bus;
|
|
int err;
|
|
|
|
if (!ec)
|
|
return dev_err_probe(dev, -EPROBE_DEFER, "couldn't find parent EC device\n");
|
|
|
|
if (!ec->cmd_xfer) {
|
|
dev_err(dev, "Missing sendrecv\n");
|
|
return -EINVAL;
|
|
}
|
|
|
|
bus = devm_kzalloc(dev, sizeof(*bus), GFP_KERNEL);
|
|
if (bus == NULL)
|
|
return -ENOMEM;
|
|
|
|
err = device_property_read_u32(dev, "google,remote-bus", &remote_bus);
|
|
if (err) {
|
|
dev_err(dev, "Couldn't read remote-bus property\n");
|
|
return err;
|
|
}
|
|
bus->remote_bus = remote_bus;
|
|
|
|
bus->ec = ec;
|
|
bus->dev = dev;
|
|
|
|
bus->adap.owner = THIS_MODULE;
|
|
strscpy(bus->adap.name, "cros-ec-i2c-tunnel", sizeof(bus->adap.name));
|
|
bus->adap.algo = &ec_i2c_algorithm;
|
|
bus->adap.algo_data = bus;
|
|
bus->adap.dev.parent = &pdev->dev;
|
|
bus->adap.dev.of_node = pdev->dev.of_node;
|
|
bus->adap.retries = I2C_MAX_RETRIES;
|
|
ACPI_COMPANION_SET(&bus->adap.dev, ACPI_COMPANION(&pdev->dev));
|
|
|
|
err = i2c_add_adapter(&bus->adap);
|
|
if (err)
|
|
return err;
|
|
platform_set_drvdata(pdev, bus);
|
|
|
|
return err;
|
|
}
|
|
|
|
static void ec_i2c_remove(struct platform_device *dev)
|
|
{
|
|
struct ec_i2c_device *bus = platform_get_drvdata(dev);
|
|
|
|
i2c_del_adapter(&bus->adap);
|
|
}
|
|
|
|
static const struct of_device_id cros_ec_i2c_of_match[] __maybe_unused = {
|
|
{ .compatible = "google,cros-ec-i2c-tunnel" },
|
|
{},
|
|
};
|
|
MODULE_DEVICE_TABLE(of, cros_ec_i2c_of_match);
|
|
|
|
static const struct acpi_device_id cros_ec_i2c_tunnel_acpi_id[] __maybe_unused = {
|
|
{ "GOOG0012", 0 },
|
|
{ }
|
|
};
|
|
MODULE_DEVICE_TABLE(acpi, cros_ec_i2c_tunnel_acpi_id);
|
|
|
|
static struct platform_driver ec_i2c_tunnel_driver = {
|
|
.probe = ec_i2c_probe,
|
|
.remove = ec_i2c_remove,
|
|
.driver = {
|
|
.name = "cros-ec-i2c-tunnel",
|
|
.acpi_match_table = ACPI_PTR(cros_ec_i2c_tunnel_acpi_id),
|
|
.of_match_table = of_match_ptr(cros_ec_i2c_of_match),
|
|
},
|
|
};
|
|
|
|
module_platform_driver(ec_i2c_tunnel_driver);
|
|
|
|
MODULE_LICENSE("GPL");
|
|
MODULE_DESCRIPTION("EC I2C tunnel driver");
|
|
MODULE_ALIAS("platform:cros-ec-i2c-tunnel");
|