From: Vinod Koul <vinod.koul@intel.com>
To: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Cc: Dan Williams <dan.j.williams@intel.com>,
Lars-Peter Clausen <lars@metafoo.de>,
Michal Simek <michal.simek@xilinx.com>,
Dan Carpenter <dan.carpenter@oracle.com>,
dmaengine@vger.kernel.org, linux-kernel@vger.kernel.org,
Kyungmin Park <kyungmin.park@samsung.com>,
Marek Szyprowski <m.szyprowski@samsung.com>,
Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
stable@vger.kernel.org
Subject: Re: [RESEND PATCH v2 3/4] dmaengine: pl330: Fix NULL pointer dereference on probe failure
Date: Tue, 14 Oct 2014 17:33:19 +0530
Message-ID: <20141014120319.GI1638@intel.com>
In-Reply-To: <1411994541-31494-3-git-send-email-k.kozlowski@samsung.com>
On Mon, Sep 29, 2014 at 02:42:20PM +0200, Krzysztof Kozlowski wrote:
> If dma_async_device_register() returns error and probe should clean up
> and return error, a NULL pointer exception happens because of
> dereference of not allocated channel thread:
>
> Dmesg log (from early printk):
> dma-pl330 12680000.pdma: unable to register DMAC
> DMA pl330_control: removing pch: eeac4000, chan: eeac4014, thread: (null)
> Unable to handle kernel NULL pointer dereference at virtual address 0000000c
> pgd = c0004000
> [0000000c] *pgd=00000000
> Internal error: Oops: 5 [#1] PREEMPT SMP ARM
> Modules linked in:
> CPU: 2 PID: 1 Comm: swapper/0 Not tainted 3.17.0-rc3-next-20140904-00005-g6cc4c1937d90-dirty #427
> task: ee80a800 ti: ee888000 task.ti: ee888000
> PC is at _stop+0x8/0x2c8
> LR is at pl330_control+0x70/0x2e8
> pc : [<c0205dc8>] lr : [<c020623c>] psr: 60000193
> sp : ee889df8 ip : 00000002 fp : 00000000
> r10: eeac4014 r9 : ee0e62bc r8 : 00000000
> r7 : eeac405c r6 : 60000113 r5 : ee0e6210 r4 : eeac4000
> r3 : 00000002 r2 : 00000002 r1 : 00010000 r0 : 00000000
> Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel
> Control: 10c5387d Table: 4000404a DAC: 00000015
> Process swapper/0 (pid: 1, stack limit = 0xee888240)
> Stack: (0xee889df8 to 0xee88a000)
> [<c0205dc8>] (_stop) from [<c020623c>] (pl330_control+0x70/0x2e8)
> [<c020623c>] (pl330_control) from [<c0208374>] (pl330_probe+0x594/0x75c)
> [<c0208374>] (pl330_probe) from [<c0203b3c>] (amba_probe+0xb8/0x120)
> [<c0203b3c>] (amba_probe) from [<c023f890>] (driver_probe_device+0x10c/0x22c)
> [<c023f890>] (driver_probe_device) from [<c023fa3c>] (__driver_attach+0x8c/0x90)
> [<c023fa3c>] (__driver_attach) from [<c023e0d4>] (bus_for_each_dev+0x54/0x88)
> [<c023e0d4>] (bus_for_each_dev) from [<c023f094>] (bus_add_driver+0xd4/0x1d0)
> [<c023f094>] (bus_add_driver) from [<c0240064>] (driver_register+0x78/0xf4)
> [<c0240064>] (driver_register) from [<c0008964>] (do_one_initcall+0x80/0x1d0)
> [<c0008964>] (do_one_initcall) from [<c059bcb4>] (kernel_init_freeable+0x108/0x1d4)
> [<c059bcb4>] (kernel_init_freeable) from [<c0400924>] (kernel_init+0x8/0xec)
> [<c0400924>] (kernel_init) from [<c000e7b8>] (ret_from_fork+0x14/0x3c)
> Code: e5813010 e12fff1e e92d40f0 e24dd00c (e590200c)
> ---[ end trace c94b2f4f38dff3bf ]---
>
> This happens because the necessary resources were not yet allocated - no
> call to pl330_alloc_chan_resources().
>
> Terminate the thread and free channel resource only if channel thread is not NULL.
>
> Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
> Cc: <stable@vger.kernel.org>
> Fixes: 0b94c5771705 ("DMA: PL330: Add check if device tree compatible")
> Reviewed-by: Lars-Peter Clausen <lars@metafoo.de>
Applied, thanks
--
~Vinod
>
> ---
>
> Changes since v1:
> =================
> 1. Add Lars-Peter Clausen's reviewed-by tag.
> ---
> drivers/dma/pl330.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c
> index 28e3775888a6..4a2caaa0432e 100644
> --- a/drivers/dma/pl330.c
> +++ b/drivers/dma/pl330.c
> @@ -2748,8 +2748,10 @@ probe_err3:
> list_del(&pch->chan.device_node);
>
> /* Flush the channel */
> - pl330_control(&pch->chan, DMA_TERMINATE_ALL, 0);
> - pl330_free_chan_resources(&pch->chan);
> + if (pch->thread) {
> + pl330_control(&pch->chan, DMA_TERMINATE_ALL, 0);
> + pl330_free_chan_resources(&pch->chan);
> + }
> }
> probe_err2:
> pl330_del(pl330);
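Review bot: the new `if (pch->thread)` guard in probe_err3 has no comment saying when thread is NULL, and the existing `/* Flush the channel */` comment now sits above a conditional it does not describe. Suggest extending that comment to state that the thread is only set after pl330_alloc_chan_resources() has run, so on a dma_async_device_register() failure there is nothing to terminate or free. Since the oops was in _stop() reached through pl330_control(), also consider whether the NULL check belongs inside that path so callers other than this error label are covered.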
> --
> 1.9.1
>
--
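An added triage example, not part of the original message or of the pl330 driver: it decodes the faulting instruction word from the oops `Code:` line and combines it with the logged r0 to show why the fault address is 0000000c, which is consistent with the `thread: (null)` line in the log. The type and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded A32 LDR/STR (immediate offset) instruction. Hypothetical helper type. */
struct a32_ldst {
    int valid;       /* 1 if the word is LDR/STR{B} with a 12-bit immediate */
    int is_load;     /* L bit: 1 = load, 0 = store */
    int pre_index;   /* P bit: offset applied before the access */
    unsigned rn, rt; /* base register, transfer register */
    int32_t offset;  /* signed immediate offset */
};

struct a32_ldst decode_ldst_imm(uint32_t insn)
{
    struct a32_ldst d = {0};

    /* cond 0b1111 is a different encoding space; bits 27:25 must be 0b010 */
    if ((insn >> 28) == 0xf || ((insn >> 25) & 0x7) != 0x2)
        return d;
    d.valid = 1;
    d.is_load = (insn >> 20) & 1;
    d.pre_index = (insn >> 24) & 1;
    d.rn = (insn >> 16) & 0xf;
    d.rt = (insn >> 12) & 0xf;
    d.offset = (int32_t)(insn & 0xfff);
    if (!((insn >> 23) & 1))  /* U bit clear: offset is subtracted */
        d.offset = -d.offset;
    return d;
}

/* Address touched by the access, given the base register's value. */
uint32_t access_address(struct a32_ldst d, uint32_t rn_value)
{
    return d.pre_index ? rn_value + (uint32_t)d.offset : rn_value;
}

int main(void)
{
    /* Both values are copied from the oops quoted above. */
    const uint32_t faulting_insn = 0xe590200c; /* word in parentheses on the Code: line */
    const uint32_t r0 = 0x00000000;            /* "r0 : 00000000" */
    struct a32_ldst d = decode_ldst_imm(faulting_insn);

    if (!d.valid)
        return 1;
    printf("%s r%u, [r%u, #%d] with r%u=0x%08x -> access at 0x%08x\n",
           d.is_load ? "ldr" : "str", d.rt, d.rn, (int)d.offset,
           d.rn, (unsigned)r0, (unsigned)access_address(d, r0));
    return 0;
}
```

The decoded load is `ldr r2, [r0, #12]`; with r0 equal to zero the access lands at 0x0000000c, the address reported in the "Unable to handle kernel NULL pointer dereference" line.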