clk: rockchip: register pll mux before pll itself
diff mbox

Message ID 7060610.CC2Q1RMG2L@phil
State New
Headers show

Commit Message

Heiko Stuebner Aug. 19, 2015, 1:06 p.m. UTC
The structure is xin24m -> pll -> pll-mux (xin24m,pll,xin32k). The pll
does have an init callback to make sure the boot-selected frequency is
using the expected pll settings and resets the same frequency using
the values provided in the driver if necessary.

The setting itself also involves remuxing the pll-mux temporarily to
the xin24m source to let the new pll rate settle. Until now this worked
flawlessly, even when it had the flaw of accessing the mux settings
before the mux actually got registered.

With the recent clock-core conversions this flaw became apparent in
null pointer dereference in
[<c03fc400>] (clk_hw_get_num_parents) from [<c0400df0>] (clk_mux_get_parent+0x14/0xc8)
[<c0400ddc>] (clk_mux_get_parent) from [<c040246c>] (rockchip_rk3066_pll_set_rate+0xd8/0x320)

So to fix that, simply register the pll-mux before the pll, so that
it will be fully initialized when the pll clock executes its init-
callback and possibly touches the pll-mux clock.

Signed-off-by: Heiko Stuebner <heiko@sntech.de>
---
This only surfaced with the clk_core changes for 4.3, so should
probably just go on top.

 drivers/clk/rockchip/clk-pll.c | 63 +++++++++++++++++++++---------------------
 1 file changed, 32 insertions(+), 31 deletions(-)

Comments

Doug Anderson Aug. 24, 2015, 11:03 p.m. UTC | #1
Heiko

On Wed, Aug 19, 2015 at 6:06 AM, Heiko Stuebner <heiko@sntech.de> wrote:
> The structure is xin24m -> pll -> pll-mux (xin24m,pll,xin32k). The pll
> does have an init callback to make sure the boot-selected frequency is
> using the expected pll settings and resets the same frequency using
> the values provided in the driver if necessary.
>
> The setting itself also involves remuxing the pll-mux temporarily to
> the xin24m source to let the new pll rate settle. Until now this worked
> flawlessly, even when it had the flaw of accessing the mux settings
> before the mux actually got registered.
>
> With the recent clock-core conversions this flaw became apparent in
> null pointer dereference in
> [<c03fc400>] (clk_hw_get_num_parents) from [<c0400df0>] (clk_mux_get_parent+0x14/0xc8)
> [<c0400ddc>] (clk_mux_get_parent) from [<c040246c>] (rockchip_rk3066_pll_set_rate+0xd8/0x320)
>
> So to fix that, simply register the pll-mux before the pll, so that
> it will be fully initialized when the pll clock executes its init-
> callback and possibly touches the pll-mux clock.
>
> Signed-off-by: Heiko Stuebner <heiko@sntech.de>
> ---
> This only surfaced with the clk_core changes for 4.3, so should
> probably just go on top.
>
>  drivers/clk/rockchip/clk-pll.c | 63 +++++++++++++++++++++---------------------
>  1 file changed, 32 insertions(+), 31 deletions(-)

Fixes boot crash on rk3288-veyron-jerry on next-20150824.  It'd be
super great to get this landed somewhere so that we can boot linuxnext
again.  :)

Tested-by: Douglas Anderson <dianders@chromium.org>
Stephen Boyd Aug. 24, 2015, 11:43 p.m. UTC | #2
On 08/24, Doug Anderson wrote:
> Heiko
> 
> On Wed, Aug 19, 2015 at 6:06 AM, Heiko Stuebner <heiko@sntech.de> wrote:
> > The structure is xin24m -> pll -> pll-mux (xin24m,pll,xin32k). The pll
> > does have an init callback to make sure the boot-selected frequency is
> > using the expected pll settings and resets the same frequency using
> > the values provided in the driver if necessary.
> >
> > The setting itself also involves remuxing the pll-mux temporarily to
> > the xin24m source to let the new pll rate settle. Until now this worked
> > flawlessly, even when it had the flaw of accessing the mux settings
> > before the mux actually got registered.
> >
> > With the recent clock-core conversions this flaw became apparent in
> > null pointer dereference in
> > [<c03fc400>] (clk_hw_get_num_parents) from [<c0400df0>] (clk_mux_get_parent+0x14/0xc8)
> > [<c0400ddc>] (clk_mux_get_parent) from [<c040246c>] (rockchip_rk3066_pll_set_rate+0xd8/0x320)
> >
> > So to fix that, simply register the pll-mux before the pll, so that
> > it will be fully initialized when the pll clock executes its init-
> > callback and possibly touches the pll-mux clock.
> >
> > Signed-off-by: Heiko Stuebner <heiko@sntech.de>
> > ---
> > This only surfaced with the clk_core changes for 4.3, so should
> > probably just go on top.
> >
> >  drivers/clk/rockchip/clk-pll.c | 63 +++++++++++++++++++++---------------------
> >  1 file changed, 32 insertions(+), 31 deletions(-)
> 
> Fixes boot crash on rk3288-veyron-jerry on next-20150824.  It'd be
> super great to get this landed somewhere so that we can boot linuxnext
> again.  :)
> 
> Tested-by: Douglas Anderson <dianders@chromium.org>

So I understand the fix, but how could it have ever possibly
worked flawlessly? clk_mux_get_parent() should have returned
-EINVAL through that u8 which would have meant that the check in
rockchip_rk3066_pll_set_rate() for cur_parent == PLL_MODE_NORM
would never have been true, and we would never have switched the
PLL mux over. I guess we've been getting away with this because
we don't need to actually switch the mux at this time?
Heiko Stuebner Aug. 25, 2015, 6:53 a.m. UTC | #3
Am Montag, 24. August 2015, 16:43:19 schrieb Stephen Boyd:
> On 08/24, Doug Anderson wrote:
> > Heiko
> > 
> > On Wed, Aug 19, 2015 at 6:06 AM, Heiko Stuebner <heiko@sntech.de> wrote:
> > > The structure is xin24m -> pll -> pll-mux (xin24m,pll,xin32k). The pll
> > > does have an init callback to make sure the boot-selected frequency is
> > > using the expected pll settings and resets the same frequency using
> > > the values provided in the driver if necessary.
> > > 
> > > The setting itself also involves remuxing the pll-mux temporarily to
> > > the xin24m source to let the new pll rate settle. Until now this worked
> > > flawlessly, even when it had the flaw of accessing the mux settings
> > > before the mux actually got registered.
> > > 
> > > With the recent clock-core conversions this flaw became apparent in
> > > null pointer dereference in
> > > [<c03fc400>] (clk_hw_get_num_parents) from [<c0400df0>]
> > > (clk_mux_get_parent+0x14/0xc8) [<c0400ddc>] (clk_mux_get_parent) from
> > > [<c040246c>] (rockchip_rk3066_pll_set_rate+0xd8/0x320)
> > > 
> > > So to fix that, simply register the pll-mux before the pll, so that
> > > it will be fully initialized when the pll clock executes its init-
> > > callback and possibly touches the pll-mux clock.
> > > 
> > > Signed-off-by: Heiko Stuebner <heiko@sntech.de>
> > > ---
> > > This only surfaced with the clk_core changes for 4.3, so should
> > > probably just go on top.
> > > 
> > >  drivers/clk/rockchip/clk-pll.c | 63
> > >  +++++++++++++++++++++--------------------- 1 file changed, 32
> > >  insertions(+), 31 deletions(-)
> > 
> > Fixes boot crash on rk3288-veyron-jerry on next-20150824.  It'd be
> > super great to get this landed somewhere so that we can boot linuxnext
> > again.  :)
> > 
> > Tested-by: Douglas Anderson <dianders@chromium.org>
> 
> So I understand the fix, but how could it have ever possibly
> worked flawlessly? clk_mux_get_parent() should have returned
> -EINVAL through that u8 which would have meant that the check in
> rockchip_rk3066_pll_set_rate() for cur_parent == PLL_MODE_NORM
> would never have been true, and we would never have switched the
> PLL mux over. I guess we've been getting away with this because
> we don't need to actually switch the mux at this time?

The manual mandates the switch away from the pll source before touching the 
pll settings, aka to the slow mode from the 24MHz source. I guess we were 
lucky it simply still worked nevertheless.

In normal rate changes both clocks will have been registered already, so only 
the init callback is affected and also only runs on plls that generate the rate 
from a different settings-touple that what we have in the rate-table, so not 
even all plls normally.
Kevin Hilman Aug. 26, 2015, 9:47 p.m. UTC | #4
On Mon, Aug 24, 2015 at 11:53 PM, Heiko Stuebner <heiko@sntech.de> wrote:
> Am Montag, 24. August 2015, 16:43:19 schrieb Stephen Boyd:
>> On 08/24, Doug Anderson wrote:
>> > Heiko
>> >
>> > On Wed, Aug 19, 2015 at 6:06 AM, Heiko Stuebner <heiko@sntech.de> wrote:
>> > > The structure is xin24m -> pll -> pll-mux (xin24m,pll,xin32k). The pll
>> > > does have an init callback to make sure the boot-selected frequency is
>> > > using the expected pll settings and resets the same frequency using
>> > > the values provided in the driver if necessary.
>> > >
>> > > The setting itself also involves remuxing the pll-mux temporarily to
>> > > the xin24m source to let the new pll rate settle. Until now this worked
>> > > flawlessly, even when it had the flaw of accessing the mux settings
>> > > before the mux actually got registered.
>> > >
>> > > With the recent clock-core conversions this flaw became apparent in
>> > > null pointer dereference in
>> > > [<c03fc400>] (clk_hw_get_num_parents) from [<c0400df0>]
>> > > (clk_mux_get_parent+0x14/0xc8) [<c0400ddc>] (clk_mux_get_parent) from
>> > > [<c040246c>] (rockchip_rk3066_pll_set_rate+0xd8/0x320)
>> > >
>> > > So to fix that, simply register the pll-mux before the pll, so that
>> > > it will be fully initialized when the pll clock executes its init-
>> > > callback and possibly touches the pll-mux clock.
>> > >
>> > > Signed-off-by: Heiko Stuebner <heiko@sntech.de>
>> > > ---
>> > > This only surfaced with the clk_core changes for 4.3, so should
>> > > probably just go on top.
>> > >
>> > >  drivers/clk/rockchip/clk-pll.c | 63
>> > >  +++++++++++++++++++++--------------------- 1 file changed, 32
>> > >  insertions(+), 31 deletions(-)
>> >
>> > Fixes boot crash on rk3288-veyron-jerry on next-20150824.  It'd be
>> > super great to get this landed somewhere so that we can boot linuxnext
>> > again.  :)
>> >
>> > Tested-by: Douglas Anderson <dianders@chromium.org>
>>
>> So I understand the fix, but how could it have ever possibly
>> worked flawlessly? clk_mux_get_parent() should have returned
>> -EINVAL through that u8 which would have meant that the check in
>> rockchip_rk3066_pll_set_rate() for cur_parent == PLL_MODE_NORM
>> would never have been true, and we would never have switched the
>> PLL mux over. I guess we've been getting away with this because
>> we don't need to actually switch the mux at this time?
>
> The manual mandates the switch away from the pll source before touching the
> pll settings, aka to the slow mode from the 24MHz source. I guess we were
> lucky it simply still worked nevertheless.
>
> In normal rate changes both clocks will have been registered already, so only
> the init callback is affected and also only runs on plls that generate the rate
> from a different settings-touple that what we have in the rate-table, so not
> even all plls normally.

FYI... I also confirm this patch is needed to boot linux-next on the
rk3288-veyron-jerry.

Tested-by: Kevin Hilman <khilman@linaro.org>

Kevin

Patch
diff mbox

diff --git a/drivers/clk/rockchip/clk-pll.c b/drivers/clk/rockchip/clk-pll.c
index eab4304..7737a1d 100644
--- a/drivers/clk/rockchip/clk-pll.c
+++ b/drivers/clk/rockchip/clk-pll.c
@@ -353,6 +353,35 @@  struct clk *rockchip_clk_register_pll(enum rockchip_pll_type pll_type,
 	if (!pll)
 		return ERR_PTR(-ENOMEM);
 
+	/* create the mux on top of the real pll */
+	pll->pll_mux_ops = &clk_mux_ops;
+	pll_mux = &pll->pll_mux;
+	pll_mux->reg = base + mode_offset;
+	pll_mux->shift = mode_shift;
+	pll_mux->mask = PLL_MODE_MASK;
+	pll_mux->flags = 0;
+	pll_mux->lock = lock;
+	pll_mux->hw.init = &init;
+
+	if (pll_type == pll_rk3066)
+		pll_mux->flags |= CLK_MUX_HIWORD_MASK;
+
+	/* the actual muxing is xin24m, pll-output, xin32k */
+	pll_parents[0] = parent_names[0];
+	pll_parents[1] = pll_name;
+	pll_parents[2] = parent_names[1];
+
+	init.name = name;
+	init.flags = CLK_SET_RATE_PARENT;
+	init.ops = pll->pll_mux_ops;
+	init.parent_names = pll_parents;
+	init.num_parents = ARRAY_SIZE(pll_parents);
+
+	mux_clk = clk_register(NULL, &pll_mux->hw);
+	if (IS_ERR(mux_clk))
+		goto err_mux;
+
+	/* now create the actual pll */
 	init.name = pll_name;
 
 	/* keep all plls untouched for now */
@@ -398,47 +427,19 @@  struct clk *rockchip_clk_register_pll(enum rockchip_pll_type pll_type,
 	pll->flags = clk_pll_flags;
 	pll->lock = lock;
 
-	/* create the mux on top of the real pll */
-	pll->pll_mux_ops = &clk_mux_ops;
-	pll_mux = &pll->pll_mux;
-	pll_mux->reg = base + mode_offset;
-	pll_mux->shift = mode_shift;
-	pll_mux->mask = PLL_MODE_MASK;
-	pll_mux->flags = 0;
-	pll_mux->lock = lock;
-	pll_mux->hw.init = &init;
-
-	if (pll_type == pll_rk3066)
-		pll_mux->flags |= CLK_MUX_HIWORD_MASK;
-
 	pll_clk = clk_register(NULL, &pll->hw);
 	if (IS_ERR(pll_clk)) {
 		pr_err("%s: failed to register pll clock %s : %ld\n",
 			__func__, name, PTR_ERR(pll_clk));
-		mux_clk = pll_clk;
 		goto err_pll;
 	}
 
-	/* the actual muxing is xin24m, pll-output, xin32k */
-	pll_parents[0] = parent_names[0];
-	pll_parents[1] = pll_name;
-	pll_parents[2] = parent_names[1];
-
-	init.name = name;
-	init.flags = CLK_SET_RATE_PARENT;
-	init.ops = pll->pll_mux_ops;
-	init.parent_names = pll_parents;
-	init.num_parents = ARRAY_SIZE(pll_parents);
-
-	mux_clk = clk_register(NULL, &pll_mux->hw);
-	if (IS_ERR(mux_clk))
-		goto err_mux;
-
 	return mux_clk;
 
-err_mux:
-	clk_unregister(pll_clk);
 err_pll:
+	clk_unregister(mux_clk);
+	mux_clk = pll_clk;
+err_mux:
 	kfree(pll);
 	return mux_clk;
 }