linux-serial.vger.kernel.org archive mirror
* [PATCH V3 0/2] Fix RX cancel command failure
@ 2020-03-06  6:47 satya priya
  2020-03-06  6:47 ` [PATCH V3 1/2] tty: serial: qcom_geni_serial: Allocate port->rx_fifo buffer in probe satya priya
  2020-03-06  6:47 ` [PATCH V3 2/2] tty: serial: qcom_geni_serial: Fix RX cancel command failure satya priya
  0 siblings, 2 replies; 7+ messages in thread
From: satya priya @ 2020-03-06  6:47 UTC (permalink / raw)
  To: gregkh
  Cc: swboyd, mgautam, linux-arm-msm, linux-serial, akashast, rojay,
	msavaliy, satya priya

Changes in V2:
- Add patch to allocate port->rx_fifo buffer in probe to resolve
  NULL pointer dereference crash reported by Stephen.

The crash is caused by the set_termios call starting the RX engine, which
then samples some garbage data from the line; by the time startup is called,
we have some data to read but the port->rx_fifo buffer is not allocated,
causing a NULL pointer dereference.

Changes in V3:
- As per Stephen's comment, change the declaration of rx_fifo pointer from u32
  to void.

satya priya (2):
  tty: serial: qcom_geni_serial: Allocate port->rx_fifo buffer in probe
  tty: serial: qcom_geni_serial: Fix RX cancel command failure

 drivers/tty/serial/qcom_geni_serial.c | 37 ++++++++++++++++++++++-------------
 1 file changed, 23 insertions(+), 14 deletions(-)

-- 
QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a member 
of Code Aurora Forum, hosted by The Linux Foundation



* [PATCH V3 1/2] tty: serial: qcom_geni_serial: Allocate port->rx_fifo buffer in probe
  2020-03-06  6:47 [PATCH V3 0/2] Fix RX cancel command failure satya priya
@ 2020-03-06  6:47 ` satya priya
  2020-03-06  6:47 ` [PATCH V3 2/2] tty: serial: qcom_geni_serial: Fix RX cancel command failure satya priya
  1 sibling, 0 replies; 7+ messages in thread
From: satya priya @ 2020-03-06  6:47 UTC (permalink / raw)
  To: gregkh
  Cc: swboyd, mgautam, linux-arm-msm, linux-serial, akashast, rojay,
	msavaliy, satya priya

To fix the RX cancel command failure, rx_fifo buffer needs to be
flushed in stop_rx() by calling handle_rx(). In handle_rx() the data
in rx_fifo buffer is read and then dropped, not sent to upper layers.

If set_termios is called before startup, by this time memory is not
allocated to port->rx_fifo buffer, which leads to a NULL pointer
dereference.

To avoid this NULL pointer dereference allocate memory to port->rx_fifo
in probe itself.

Signed-off-by: satya priya <skakit@codeaurora.org>
Reported-by: Stephen Boyd <swboyd@chromium.org>
---
Changes in V3:
- As per Stephen's comment, change the declaration of rx_fifo pointer
  to void pointer.

 drivers/tty/serial/qcom_geni_serial.c | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/drivers/tty/serial/qcom_geni_serial.c b/drivers/tty/serial/qcom_geni_serial.c
index 191abb1..f74f8a8 100644
--- a/drivers/tty/serial/qcom_geni_serial.c
+++ b/drivers/tty/serial/qcom_geni_serial.c
@@ -113,7 +113,7 @@ struct qcom_geni_serial_port {
 	unsigned int baud;
 	unsigned int tx_bytes_pw;
 	unsigned int rx_bytes_pw;
-	u32 *rx_fifo;
+	void *rx_fifo;
 	u32 loopback;
 	bool brk;
 
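Review bot: with rx_fifo declared as void *, the member no longer says what it points to, while the allocation added in probe still sizes it as rx_fifo_depth elements of sizeof(u32). A one-line comment on the member stating that it holds rx_fifo_depth 32-bit FIFO words would keep the size and unit visible to anyone who later adds a reader or writer of this buffer.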
@@ -504,7 +504,6 @@ static int handle_rx_console(struct uart_port *uport, u32 bytes, bool drop)
 
 static int handle_rx_uart(struct uart_port *uport, u32 bytes, bool drop)
 {
-	unsigned char *buf;
 	struct tty_port *tport;
 	struct qcom_geni_serial_port *port = to_dev_port(uport, uport);
 	u32 num_bytes_pw = port->tx_fifo_width / BITS_PER_BYTE;
@@ -516,8 +515,7 @@ static int handle_rx_uart(struct uart_port *uport, u32 bytes, bool drop)
 	if (drop)
 		return 0;
 
-	buf = (unsigned char *)port->rx_fifo;
-	ret = tty_insert_flip_string(tport, buf, bytes);
+	ret = tty_insert_flip_string(tport, port->rx_fifo, bytes);
 	if (ret != bytes) {
 		dev_err(uport->dev, "%s:Unable to push data ret %d_bytes %d\n",
 				__func__, ret, bytes);
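Review bot: the tty_insert_flip_string() call copies `bytes` bytes out of port->rx_fifo, and nothing in this hunk bounds `bytes` by the size of that buffer (rx_fifo_depth * sizeof(u32) as allocated in this patch). If the caller already guarantees the bound, a comment saying where would help; otherwise clamp `bytes` before the copy so an unexpected count cannot read past the allocation.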
@@ -858,12 +856,6 @@ static int qcom_geni_serial_port_setup(struct uart_port *uport)
 						false, false, true);
 	geni_se_init(&port->se, UART_RX_WM, port->rx_fifo_depth - 2);
 	geni_se_select_mode(&port->se, GENI_SE_FIFO);
-	if (!uart_console(uport)) {
-		port->rx_fifo = devm_kcalloc(uport->dev,
-			port->rx_fifo_depth, sizeof(u32), GFP_KERNEL);
-		if (!port->rx_fifo)
-			return -ENOMEM;
-	}
 	port->setup = true;
 
 	return 0;
@@ -1274,6 +1266,13 @@ static int qcom_geni_serial_probe(struct platform_device *pdev)
 	port->rx_fifo_depth = DEF_FIFO_DEPTH_WORDS;
 	port->tx_fifo_width = DEF_FIFO_WIDTH_BITS;
 
+	if (!console) {
+		port->rx_fifo = devm_kcalloc(uport->dev,
+			port->rx_fifo_depth, sizeof(u32), GFP_KERNEL);
+		if (!port->rx_fifo)
+			return -ENOMEM;
+	}
+
 	port->name = devm_kasprintf(uport->dev, GFP_KERNEL,
 			"qcom_geni_serial_%s%d",
 			uart_console(uport) ? "console" : "uart", uport->line);
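Review bot: the new allocation is guarded by `if (!console)`, but the block it replaces in qcom_geni_serial_port_setup() tested `!uart_console(uport)`, and the devm_kasprintf() call just below still uses uart_console(uport). Please either use the same predicate here or state in the commit message why the local `console` flag is equivalent at this point in probe, since any port skipped by this check is left with rx_fifo == NULL, which is the dereference this patch is meant to close.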

* [PATCH V3 2/2] tty: serial: qcom_geni_serial: Fix RX cancel command failure
  2020-03-06  6:47 [PATCH V3 0/2] Fix RX cancel command failure satya priya
  2020-03-06  6:47 ` [PATCH V3 1/2] tty: serial: qcom_geni_serial: Allocate port->rx_fifo buffer in probe satya priya
@ 2020-03-06  6:47 ` satya priya
  2020-03-09  6:41   ` Stephen Boyd
  2020-03-12  9:10   ` Greg KH
  1 sibling, 2 replies; 7+ messages in thread
From: satya priya @ 2020-03-06  6:47 UTC (permalink / raw)
  To: gregkh
  Cc: swboyd, mgautam, linux-arm-msm, linux-serial, akashast, rojay,
	msavaliy, satya priya

RX cancel command fails when BT is switched on and off multiple times.

To handle this, poll for the cancel bit in SE_GENI_S_IRQ_STATUS register
instead of SE_GENI_S_CMD_CTRL_REG.

As per the HPG update, handle the RX last bit after cancel command
and flush out the RX FIFO buffer.

Signed-off-by: satya priya <skakit@codeaurora.org>
---
 drivers/tty/serial/qcom_geni_serial.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/drivers/tty/serial/qcom_geni_serial.c b/drivers/tty/serial/qcom_geni_serial.c
index f74f8a8..d5621b6 100644
--- a/drivers/tty/serial/qcom_geni_serial.c
+++ b/drivers/tty/serial/qcom_geni_serial.c
@@ -129,6 +129,7 @@ static int handle_rx_console(struct uart_port *uport, u32 bytes, bool drop);
 static int handle_rx_uart(struct uart_port *uport, u32 bytes, bool drop);
 static unsigned int qcom_geni_serial_tx_empty(struct uart_port *port);
 static void qcom_geni_serial_stop_rx(struct uart_port *uport);
+static void qcom_geni_serial_handle_rx(struct uart_port *uport, bool drop);
 
 static const unsigned long root_freq[] = {7372800, 14745600, 19200000, 29491200,
 					32000000, 48000000, 64000000, 80000000,
@@ -597,7 +598,7 @@ static void qcom_geni_serial_stop_rx(struct uart_port *uport)
 	u32 irq_en;
 	u32 status;
 	struct qcom_geni_serial_port *port = to_dev_port(uport, uport);
-	u32 irq_clear = S_CMD_DONE_EN;
+	u32 s_irq_status;
 
 	irq_en = readl(uport->membase + SE_GENI_S_IRQ_EN);
 	irq_en &= ~(S_RX_FIFO_WATERMARK_EN | S_RX_FIFO_LAST_EN);
@@ -613,10 +614,19 @@ static void qcom_geni_serial_stop_rx(struct uart_port *uport)
 		return;
 
 	geni_se_cancel_s_cmd(&port->se);
-	qcom_geni_serial_poll_bit(uport, SE_GENI_S_CMD_CTRL_REG,
-					S_GENI_CMD_CANCEL, false);
+	qcom_geni_serial_poll_bit(uport, SE_GENI_S_IRQ_STATUS,
+					S_CMD_CANCEL_EN, true);
+	/*
+	 * If timeout occurs secondary engine remains active
+	 * and Abort sequence is executed.
+	 */
+	s_irq_status = readl(uport->membase + SE_GENI_S_IRQ_STATUS);
+	/* Flush the Rx buffer */
+	if (s_irq_status & S_RX_FIFO_LAST_EN)
+		qcom_geni_serial_handle_rx(uport, true);
+	writel(s_irq_status, uport->membase + SE_GENI_S_IRQ_CLEAR);
+
 	status = readl(uport->membase + SE_GENI_STATUS);
-	writel(irq_clear, uport->membase + SE_GENI_S_IRQ_CLEAR);
 	if (status & S_GENI_CMD_ACTIVE)
 		qcom_geni_serial_abort_rx(uport);
 }
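Review bot: the writel() to SE_GENI_S_IRQ_CLEAR now writes back everything read from SE_GENI_S_IRQ_STATUS, where the old code cleared only S_CMD_DONE_EN, so any other secondary interrupt pending at this moment is acknowledged without being handled. If that is intended as part of stopping RX, say so in the comment; otherwise mask the value to the bits dealt with here. The result of qcom_geni_serial_poll_bit() is also not checked, and the "If timeout occurs" comment sits above the S_IRQ_STATUS read rather than next to the `status & S_GENI_CMD_ACTIVE` check that performs the abort; moving it there would make the timeout path easier to follow.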

* Re: [PATCH V3 2/2] tty: serial: qcom_geni_serial: Fix RX cancel command failure
  2020-03-06  6:47 ` [PATCH V3 2/2] tty: serial: qcom_geni_serial: Fix RX cancel command failure satya priya
@ 2020-03-09  6:41   ` Stephen Boyd
  2020-03-12  9:10   ` Greg KH
  1 sibling, 0 replies; 7+ messages in thread
From: Stephen Boyd @ 2020-03-09  6:41 UTC (permalink / raw)
  To: gregkh, satya priya
  Cc: mgautam, linux-arm-msm, linux-serial, akashast, rojay, msavaliy,
	satya priya

Quoting satya priya (2020-03-05 22:47:08)
> RX cancel command fails when BT is switched on and off multiple times.
> 
> To handle this, poll for the cancel bit in SE_GENI_S_IRQ_STATUS register
> instead of SE_GENI_S_CMD_CTRL_REG.
> 
> As per the HPG update, handle the RX last bit after cancel command
> and flush out the RX FIFO buffer.
> 
> Signed-off-by: satya priya <skakit@codeaurora.org>
> ---

Reviewed-by: Stephen Boyd <swboyd@chromium.org>


* Re: [PATCH V3 2/2] tty: serial: qcom_geni_serial: Fix RX cancel command failure
  2020-03-06  6:47 ` [PATCH V3 2/2] tty: serial: qcom_geni_serial: Fix RX cancel command failure satya priya
  2020-03-09  6:41   ` Stephen Boyd
@ 2020-03-12  9:10   ` Greg KH
  2020-03-13 13:53     ` skakit
  1 sibling, 1 reply; 7+ messages in thread
From: Greg KH @ 2020-03-12  9:10 UTC (permalink / raw)
  To: satya priya
  Cc: swboyd, mgautam, linux-arm-msm, linux-serial, akashast, rojay, msavaliy

On Fri, Mar 06, 2020 at 12:17:08PM +0530, satya priya wrote:
> RX cancel command fails when BT is switched on and off multiple times.
> 
> To handle this, poll for the cancel bit in SE_GENI_S_IRQ_STATUS register
> instead of SE_GENI_S_CMD_CTRL_REG.
> 
> As per the HPG update, handle the RX last bit after cancel command
> and flush out the RX FIFO buffer.
> 
> Signed-off-by: satya priya <skakit@codeaurora.org>
> Reviewed-by: Stephen Boyd <swboyd@chromium.org>
> ---
>  drivers/tty/serial/qcom_geni_serial.c | 18 ++++++++++++++----
>  1 file changed, 14 insertions(+), 4 deletions(-)

This patch didn't apply :(


* Re: [PATCH V3 2/2] tty: serial: qcom_geni_serial: Fix RX cancel command failure
  2020-03-12  9:10   ` Greg KH
@ 2020-03-13 13:53     ` skakit
  2020-03-14  8:07       ` Greg KH
  0 siblings, 1 reply; 7+ messages in thread
From: skakit @ 2020-03-13 13:53 UTC (permalink / raw)
  To: Greg KH
  Cc: swboyd, mgautam, linux-arm-msm, linux-serial, akashast, rojay, msavaliy

On 2020-03-12 14:40, Greg KH wrote:
> On Fri, Mar 06, 2020 at 12:17:08PM +0530, satya priya wrote:
>> RX cancel command fails when BT is switched on and off multiple times.
>> 
>> To handle this, poll for the cancel bit in SE_GENI_S_IRQ_STATUS 
>> register
>> instead of SE_GENI_S_CMD_CTRL_REG.
>> 
>> As per the HPG update, handle the RX last bit after cancel command
>> and flush out the RX FIFO buffer.
>> 
>> Signed-off-by: satya priya <skakit@codeaurora.org>
>> Reviewed-by: Stephen Boyd <swboyd@chromium.org>
>> ---
>>  drivers/tty/serial/qcom_geni_serial.c | 18 ++++++++++++++----
>>  1 file changed, 14 insertions(+), 4 deletions(-)
> 
> This patch didn't apply :(

V1 of this patch is already picked in tty-next tree (commit id:
679aac5ead2f18d223554a52b543e1195e181811). There is no change in this
patch from V1 to V3[2/2].
There is a crash reported by Stephen with V1; to resolve that we posted
next versions adding this patch
https://patchwork.kernel.org/patch/11423231/, that is, V3[1/2]. So now
only V3[1/2] needs to be picked.


* Re: [PATCH V3 2/2] tty: serial: qcom_geni_serial: Fix RX cancel command failure
  2020-03-13 13:53     ` skakit
@ 2020-03-14  8:07       ` Greg KH
  0 siblings, 0 replies; 7+ messages in thread
From: Greg KH @ 2020-03-14  8:07 UTC (permalink / raw)
  To: skakit
  Cc: swboyd, mgautam, linux-arm-msm, linux-serial, akashast, rojay, msavaliy

On Fri, Mar 13, 2020 at 07:23:50PM +0530, skakit@codeaurora.org wrote:
> On 2020-03-12 14:40, Greg KH wrote:
> > On Fri, Mar 06, 2020 at 12:17:08PM +0530, satya priya wrote:
> > > RX cancel command fails when BT is switched on and off multiple times.
> > > 
> > > To handle this, poll for the cancel bit in SE_GENI_S_IRQ_STATUS
> > > register
> > > instead of SE_GENI_S_CMD_CTRL_REG.
> > > 
> > > As per the HPG update, handle the RX last bit after cancel command
> > > and flush out the RX FIFO buffer.
> > > 
> > > Signed-off-by: satya priya <skakit@codeaurora.org>
> > > Reviewed-by: Stephen Boyd <swboyd@chromium.org>
> > > ---
> > >  drivers/tty/serial/qcom_geni_serial.c | 18 ++++++++++++++----
> > >  1 file changed, 14 insertions(+), 4 deletions(-)
> > 
> > This patch didn't apply :(
> 
> V1 of this patch is already picked in tty-next tree(commit id:
> 679aac5ead2f18d223554a52b543e1195e181811). There is no change in this patch
> from V1 to V3[2/2].
> There is a crash reported by Stephen with V1, to resolve that we posted next
> versions adding this patch https://patchwork.kernel.org/patch/11423231/,
> that is, V3[1/2]. So now only V3[1/2] needs to be picked.

Ok, and I picked that up already, right?

Please be kind to maintainers and make it obvious what you want them to
do...

thanks,

greg k-h
