[PATCH 4.13 014/109] pinctrl: samsung: Fix NULL pointer exception on external interrupts on S3C24xx

From: Greg Kroah-Hartman
Date: Sun Sep 24 2017 - 17:03:23 EST


4.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Krzysztof Kozlowski <krzk@xxxxxxxxxx>

commit cee7413d84044a0c1919a7c70a2d761ae24390de upstream.

After commit 8b1bd11c1f8f ("pinctrl: samsung: Add the support the
multiple IORESOURCE_MEM for one pin-bank"), the S3C24xx (and probably
S3C64xx as well) fails:

Unable to handle kernel NULL pointer dereference at virtual address 000000a8
...
(s3c24xx_demux_eint4_7) from [<c004469c>] (__handle_domain_irq+0x6c/0xcc)
(__handle_domain_irq) from [<c0009444>] (s3c24xx_handle_irq+0x6c/0x12c)
(s3c24xx_handle_irq) from [<c000e5fc>] (__irq_svc+0x5c/0x78)

Mentioned commit moved the pointer to controller's base IO memory address
from each controller's driver data (samsung_pinctrl_drv_data) to per-bank
structure (samsung_pin_bank). The external interrupt demux
handlers (s3c24xx_demux_eint()) tried to get this base address from opaque
pointer stored under irq_chip data:

struct irq_data *irqd = irq_desc_get_irq_data(desc);
struct samsung_pin_bank *bank = irq_data_get_irq_chip_data(irqd);
...
pend = readl(bank->eint_base + EINTPEND_REG);

which is wrong because this is hardware irq and it bank was never set
for this irq_chip.

For S3C24xx and S3C64xx, this partially reverts mentioned commit by
bringing back the virt_base stored under each controller's driver data
(samsung_pinctrl_drv_data). This virt_base address will be now
duplicated:
- samsung_pinctrl_drv_data->virt_base: used on S3C24xx and S3C64xx,
- samsung_pin_bank->pctl_base: used on Exynos.

Fixes: 8b1bd11c1f8f ("pinctrl: samsung: Add the support the multiple IORESOURCE_MEM for one pin-bank")
Cc: Sergio Prado <sergio.prado@xxxxxxxxxxxxxx>
Reported-by: Sergio Prado <sergio.prado@xxxxxxxxxxxxxx>
Signed-off-by: Krzysztof Kozlowski <krzk@xxxxxxxxxx>
Tested-by: Lihua Yao <ylhuajnu@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
drivers/pinctrl/samsung/pinctrl-s3c24xx.c | 37 +++++++++++++++------------
drivers/pinctrl/samsung/pinctrl-s3c64xx.c | 40 +++++++++++++-----------------
drivers/pinctrl/samsung/pinctrl-samsung.c | 6 ++++
drivers/pinctrl/samsung/pinctrl-samsung.h | 5 +++
4 files changed, 50 insertions(+), 38 deletions(-)

--- a/drivers/pinctrl/samsung/pinctrl-s3c24xx.c
+++ b/drivers/pinctrl/samsung/pinctrl-s3c24xx.c
@@ -151,7 +151,7 @@ static void s3c24xx_eint_set_function(st
u32 val;

/* Make sure that pin is configured as interrupt */
- reg = bank->pctl_base + bank->pctl_offset;
+ reg = d->virt_base + bank->pctl_offset;
shift = pin * bank_type->fld_width[PINCFG_TYPE_FUNC];
mask = (1 << bank_type->fld_width[PINCFG_TYPE_FUNC]) - 1;

@@ -184,7 +184,7 @@ static int s3c24xx_eint_type(struct irq_
s3c24xx_eint_set_handler(data, type);

/* Set up interrupt trigger */
- reg = bank->eint_base + EINT_REG(index);
+ reg = d->virt_base + EINT_REG(index);
shift = EINT_OFFS(index);

val = readl(reg);
@@ -259,29 +259,32 @@ static void s3c2410_demux_eint0_3(struct
static void s3c2412_eint0_3_ack(struct irq_data *data)
{
struct samsung_pin_bank *bank = irq_data_get_irq_chip_data(data);
+ struct samsung_pinctrl_drv_data *d = bank->drvdata;

unsigned long bitval = 1UL << data->hwirq;
- writel(bitval, bank->eint_base + EINTPEND_REG);
+ writel(bitval, d->virt_base + EINTPEND_REG);
}

static void s3c2412_eint0_3_mask(struct irq_data *data)
{
struct samsung_pin_bank *bank = irq_data_get_irq_chip_data(data);
+ struct samsung_pinctrl_drv_data *d = bank->drvdata;
unsigned long mask;

- mask = readl(bank->eint_base + EINTMASK_REG);
+ mask = readl(d->virt_base + EINTMASK_REG);
mask |= (1UL << data->hwirq);
- writel(mask, bank->eint_base + EINTMASK_REG);
+ writel(mask, d->virt_base + EINTMASK_REG);
}

static void s3c2412_eint0_3_unmask(struct irq_data *data)
{
struct samsung_pin_bank *bank = irq_data_get_irq_chip_data(data);
+ struct samsung_pinctrl_drv_data *d = bank->drvdata;
unsigned long mask;

- mask = readl(bank->eint_base + EINTMASK_REG);
+ mask = readl(d->virt_base + EINTMASK_REG);
mask &= ~(1UL << data->hwirq);
- writel(mask, bank->eint_base + EINTMASK_REG);
+ writel(mask, d->virt_base + EINTMASK_REG);
}

static struct irq_chip s3c2412_eint0_3_chip = {
@@ -316,31 +319,34 @@ static void s3c2412_demux_eint0_3(struct
static void s3c24xx_eint_ack(struct irq_data *data)
{
struct samsung_pin_bank *bank = irq_data_get_irq_chip_data(data);
+ struct samsung_pinctrl_drv_data *d = bank->drvdata;
unsigned char index = bank->eint_offset + data->hwirq;

- writel(1UL << index, bank->eint_base + EINTPEND_REG);
+ writel(1UL << index, d->virt_base + EINTPEND_REG);
}

static void s3c24xx_eint_mask(struct irq_data *data)
{
struct samsung_pin_bank *bank = irq_data_get_irq_chip_data(data);
+ struct samsung_pinctrl_drv_data *d = bank->drvdata;
unsigned char index = bank->eint_offset + data->hwirq;
unsigned long mask;

- mask = readl(bank->eint_base + EINTMASK_REG);
+ mask = readl(d->virt_base + EINTMASK_REG);
mask |= (1UL << index);
- writel(mask, bank->eint_base + EINTMASK_REG);
+ writel(mask, d->virt_base + EINTMASK_REG);
}

static void s3c24xx_eint_unmask(struct irq_data *data)
{
struct samsung_pin_bank *bank = irq_data_get_irq_chip_data(data);
+ struct samsung_pinctrl_drv_data *d = bank->drvdata;
unsigned char index = bank->eint_offset + data->hwirq;
unsigned long mask;

- mask = readl(bank->eint_base + EINTMASK_REG);
+ mask = readl(d->virt_base + EINTMASK_REG);
mask &= ~(1UL << index);
- writel(mask, bank->eint_base + EINTMASK_REG);
+ writel(mask, d->virt_base + EINTMASK_REG);
}

static struct irq_chip s3c24xx_eint_chip = {
@@ -356,14 +362,13 @@ static inline void s3c24xx_demux_eint(st
{
struct s3c24xx_eint_data *data = irq_desc_get_handler_data(desc);
struct irq_chip *chip = irq_desc_get_chip(desc);
- struct irq_data *irqd = irq_desc_get_irq_data(desc);
- struct samsung_pin_bank *bank = irq_data_get_irq_chip_data(irqd);
+ struct samsung_pinctrl_drv_data *d = data->drvdata;
unsigned int pend, mask;

chained_irq_enter(chip, desc);

- pend = readl(bank->eint_base + EINTPEND_REG);
- mask = readl(bank->eint_base + EINTMASK_REG);
+ pend = readl(d->virt_base + EINTPEND_REG);
+ mask = readl(d->virt_base + EINTMASK_REG);

pend &= ~mask;
pend &= range;
--- a/drivers/pinctrl/samsung/pinctrl-s3c64xx.c
+++ b/drivers/pinctrl/samsung/pinctrl-s3c64xx.c
@@ -280,7 +280,7 @@ static void s3c64xx_irq_set_function(str
u32 val;

/* Make sure that pin is configured as interrupt */
- reg = bank->pctl_base + bank->pctl_offset;
+ reg = d->virt_base + bank->pctl_offset;
shift = pin;
if (bank_type->fld_width[PINCFG_TYPE_FUNC] * shift >= 32) {
/* 4-bit bank type with 2 con regs */
@@ -308,8 +308,9 @@ static void s3c64xx_irq_set_function(str
static inline void s3c64xx_gpio_irq_set_mask(struct irq_data *irqd, bool mask)
{
struct samsung_pin_bank *bank = irq_data_get_irq_chip_data(irqd);
+ struct samsung_pinctrl_drv_data *d = bank->drvdata;
unsigned char index = EINT_OFFS(bank->eint_offset) + irqd->hwirq;
- void __iomem *reg = bank->eint_base + EINTMASK_REG(bank->eint_offset);
+ void __iomem *reg = d->virt_base + EINTMASK_REG(bank->eint_offset);
u32 val;

val = readl(reg);
@@ -333,8 +334,9 @@ static void s3c64xx_gpio_irq_mask(struct
static void s3c64xx_gpio_irq_ack(struct irq_data *irqd)
{
struct samsung_pin_bank *bank = irq_data_get_irq_chip_data(irqd);
+ struct samsung_pinctrl_drv_data *d = bank->drvdata;
unsigned char index = EINT_OFFS(bank->eint_offset) + irqd->hwirq;
- void __iomem *reg = bank->eint_base + EINTPEND_REG(bank->eint_offset);
+ void __iomem *reg = d->virt_base + EINTPEND_REG(bank->eint_offset);

writel(1 << index, reg);
}
@@ -357,7 +359,7 @@ static int s3c64xx_gpio_irq_set_type(str
s3c64xx_irq_set_handler(irqd, type);

/* Set up interrupt trigger */
- reg = bank->eint_base + EINTCON_REG(bank->eint_offset);
+ reg = d->virt_base + EINTCON_REG(bank->eint_offset);
shift = EINT_OFFS(bank->eint_offset) + irqd->hwirq;
shift = 4 * (shift / 4); /* 4 EINTs per trigger selector */

@@ -409,8 +411,7 @@ static void s3c64xx_eint_gpio_irq(struct
{
struct irq_chip *chip = irq_desc_get_chip(desc);
struct s3c64xx_eint_gpio_data *data = irq_desc_get_handler_data(desc);
- struct irq_data *irqd = irq_desc_get_irq_data(desc);
- struct samsung_pin_bank *bank = irq_data_get_irq_chip_data(irqd);
+ struct samsung_pinctrl_drv_data *drvdata = data->drvdata;

chained_irq_enter(chip, desc);

@@ -420,7 +421,7 @@ static void s3c64xx_eint_gpio_irq(struct
unsigned int pin;
unsigned int virq;

- svc = readl(bank->eint_base + SERVICE_REG);
+ svc = readl(drvdata->virt_base + SERVICE_REG);
group = SVC_GROUP(svc);
pin = svc & SVC_NUM_MASK;

@@ -515,15 +516,15 @@ static inline void s3c64xx_eint0_irq_set
{
struct s3c64xx_eint0_domain_data *ddata =
irq_data_get_irq_chip_data(irqd);
- struct samsung_pin_bank *bank = ddata->bank;
+ struct samsung_pinctrl_drv_data *d = ddata->bank->drvdata;
u32 val;

- val = readl(bank->eint_base + EINT0MASK_REG);
+ val = readl(d->virt_base + EINT0MASK_REG);
if (mask)
val |= 1 << ddata->eints[irqd->hwirq];
else
val &= ~(1 << ddata->eints[irqd->hwirq]);
- writel(val, bank->eint_base + EINT0MASK_REG);
+ writel(val, d->virt_base + EINT0MASK_REG);
}

static void s3c64xx_eint0_irq_unmask(struct irq_data *irqd)
@@ -540,10 +541,10 @@ static void s3c64xx_eint0_irq_ack(struct
{
struct s3c64xx_eint0_domain_data *ddata =
irq_data_get_irq_chip_data(irqd);
- struct samsung_pin_bank *bank = ddata->bank;
+ struct samsung_pinctrl_drv_data *d = ddata->bank->drvdata;

writel(1 << ddata->eints[irqd->hwirq],
- bank->eint_base + EINT0PEND_REG);
+ d->virt_base + EINT0PEND_REG);
}

static int s3c64xx_eint0_irq_set_type(struct irq_data *irqd, unsigned int type)
@@ -551,7 +552,7 @@ static int s3c64xx_eint0_irq_set_type(st
struct s3c64xx_eint0_domain_data *ddata =
irq_data_get_irq_chip_data(irqd);
struct samsung_pin_bank *bank = ddata->bank;
- struct samsung_pinctrl_drv_data *d = ddata->bank->drvdata;
+ struct samsung_pinctrl_drv_data *d = bank->drvdata;
void __iomem *reg;
int trigger;
u8 shift;
@@ -566,7 +567,7 @@ static int s3c64xx_eint0_irq_set_type(st
s3c64xx_irq_set_handler(irqd, type);

/* Set up interrupt trigger */
- reg = bank->eint_base + EINT0CON0_REG;
+ reg = d->virt_base + EINT0CON0_REG;
shift = ddata->eints[irqd->hwirq];
if (shift >= EINT_MAX_PER_REG) {
reg += 4;
@@ -598,19 +599,14 @@ static struct irq_chip s3c64xx_eint0_irq
static inline void s3c64xx_irq_demux_eint(struct irq_desc *desc, u32 range)
{
struct irq_chip *chip = irq_desc_get_chip(desc);
- struct irq_data *irqd = irq_desc_get_irq_data(desc);
- struct s3c64xx_eint0_domain_data *ddata =
- irq_data_get_irq_chip_data(irqd);
- struct samsung_pin_bank *bank = ddata->bank;
-
struct s3c64xx_eint0_data *data = irq_desc_get_handler_data(desc);
-
+ struct samsung_pinctrl_drv_data *drvdata = data->drvdata;
unsigned int pend, mask;

chained_irq_enter(chip, desc);

- pend = readl(bank->eint_base + EINT0PEND_REG);
- mask = readl(bank->eint_base + EINT0MASK_REG);
+ pend = readl(drvdata->virt_base + EINT0PEND_REG);
+ mask = readl(drvdata->virt_base + EINT0MASK_REG);

pend = pend & range & ~mask;
pend &= range;
--- a/drivers/pinctrl/samsung/pinctrl-samsung.c
+++ b/drivers/pinctrl/samsung/pinctrl-samsung.c
@@ -1013,6 +1013,12 @@ samsung_pinctrl_get_soc_data(struct sams
bank->eint_base = virt_base[0];
bank->pctl_base = virt_base[bdata->pctl_res_idx];
}
+ /*
+ * Legacy platforms should provide only one resource with IO memory.
+ * Store it as virt_base because legacy driver needs to access it
+ * through samsung_pinctrl_drv_data.
+ */
+ d->virt_base = virt_base[0];

for_each_child_of_node(node, np) {
if (!of_find_property(np, "gpio-controller", NULL))
--- a/drivers/pinctrl/samsung/pinctrl-samsung.h
+++ b/drivers/pinctrl/samsung/pinctrl-samsung.h
@@ -247,6 +247,10 @@ struct samsung_pin_ctrl {
/**
* struct samsung_pinctrl_drv_data: wrapper for holding driver data together.
* @node: global list node
+ * @virt_base: register base address of the controller; this will be equal
+ * to each bank samsung_pin_bank->pctl_base and used on legacy
+ * platforms (like S3C24XX or S3C64XX) which has to access the base
+ * through samsung_pinctrl_drv_data, not samsung_pin_bank).
* @dev: device instance representing the controller.
* @irq: interrpt number used by the controller to notify gpio interrupts.
* @ctrl: pin controller instance managed by the driver.
@@ -262,6 +266,7 @@ struct samsung_pin_ctrl {
*/
struct samsung_pinctrl_drv_data {
struct list_head node;
+ void __iomem *virt_base;
struct device *dev;
int irq;