From: Vinod Koul <vinod.koul@intel.com>
To: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Cc: Dan Williams <dan.j.williams@intel.com>,
	Lars-Peter Clausen <lars@metafoo.de>,
	Michal Simek <michal.simek@xilinx.com>,
	Dan Carpenter <dan.carpenter@oracle.com>,
	dmaengine@vger.kernel.org, linux-kernel@vger.kernel.org,
	Kyungmin Park <kyungmin.park@samsung.com>,
	Marek Szyprowski <m.szyprowski@samsung.com>,
	Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
	stable@vger.kernel.org
Subject: Re: [RESEND PATCH v2 4/4] dmaengine: pl330: Fix NULL pointer dereference on driver unbind
Date: Tue, 14 Oct 2014 17:33:51 +0530
Message-ID: <20141014120351.GJ1638@intel.com>
In-Reply-To: <1411994541-31494-4-git-send-email-k.kozlowski@samsung.com>

On Mon, Sep 29, 2014 at 02:42:21PM +0200, Krzysztof Kozlowski wrote:
> Fix a NULL pointer dereference after unbinding the driver, if channel
> resources were not yet allocated (no call to
> pl330_alloc_chan_resources()):
> $ echo 12850000.mdma > /sys/bus/amba/drivers/dma-pl330/unbind
> [   13.606533] DMA pl330_control: removing pch: eeab6800, chan: eeab6814, thread:   (null)
> [   13.614472] Unable to handle kernel NULL pointer dereference at virtual address 0000000c
> [   13.622537] pgd = ee284000
> [   13.625228] [0000000c] *pgd=6e1e4831, *pte=00000000, *ppte=00000000
> [   13.631482] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
> [   13.636859] Modules linked in:
> [   13.639903] CPU: 0 PID: 1 Comm: sh Not tainted 3.17.0-rc3-next-20140904-00004-g7020ffc33ca3-dirty #420
> [   13.649187] task: ee80a800 ti: ee888000 task.ti: ee888000
> [   13.654589] PC is at _stop+0x8/0x2c8
> [   13.658131] LR is at pl330_control+0x70/0x2e8
> [   13.662468] pc : [<c0206028>]    lr : [<c020649c>]    psr: 60000093
> [   13.662468] sp : ee889e58  ip : 00000001  fp : 000bab70
> [   13.673922] r10: eeab6814  r9 : ee16debc  r8 : 00000000
> [   13.679131] r7 : eeab685c  r6 : 60000013  r5 : ee16de10  r4 : eeab6800
> [   13.685641] r3 : 00000002  r2 : 00000000  r1 : 00010000  r0 : 00000000
> [   13.692153] Flags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
> [   13.699357] Control: 10c5387d  Table: 6e28404a  DAC: 00000015
> [   13.705085] Process sh (pid: 1, stack limit = 0xee888240)
> [   13.710466] Stack: (0xee889e58 to 0xee88a000)
> [   13.829058] [<c0206028>] (_stop) from [<c020649c>] (pl330_control+0x70/0x2e8)
> [   13.836165] [<c020649c>] (pl330_control) from [<c0208048>] (pl330_remove+0xb0/0xdc)
> [   13.843800] [<c0208048>] (pl330_remove) from [<c0203c48>] (amba_remove+0x24/0xc0)
> [   13.851272] [<c0203c48>] (amba_remove) from [<c023f694>] (__device_release_driver+0x70/0xc4)
> [   13.859685] [<c023f694>] (__device_release_driver) from [<c023f704>] (device_release_driver+0x1c/0x28)
> [   13.868971] [<c023f704>] (device_release_driver) from [<c023e8ec>] (unbind_store+0x58/0x90)
> [   13.877303] [<c023e8ec>] (unbind_store) from [<c023e19c>] (drv_attr_store+0x20/0x2c)
> [   13.885036] [<c023e19c>] (drv_attr_store) from [<c01167e4>] (sysfs_kf_write+0x44/0x48)
> [   13.892928] [<c01167e4>] (sysfs_kf_write) from [<c0115e88>] (kernfs_fop_write+0xc0/0x17c)
> [   13.901090] [<c0115e88>] (kernfs_fop_write) from [<c00bfadc>] (vfs_write+0xa0/0x1a8)
> [   13.908812] [<c00bfadc>] (vfs_write) from [<c00bfdf4>] (SyS_write+0x40/0x8c)
> [   13.915850] [<c00bfdf4>] (SyS_write) from [<c000e620>] (ret_fast_syscall+0x0/0x30)
> [   13.923392] Code: e5813010 e12fff1e e92d40f0 e24dd00c (e590200c)
> [   13.929467] ---[ end trace 10064e15a5929cf8 ]---
> 
> Terminate the thread and free channel resource only if channel resources
> were allocated (thread is not NULL).
> 
> Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
> Cc: <stable@vger.kernel.org>
> Fixes: b3040e40675e ("DMA: PL330: Add dma api driver")
> Reviewed-by: Lars-Peter Clausen <lars@metafoo.de>
Applied, thanks

-- 
~Vinod


> 
> ---
> 
> Changes since v1:
> =================
> 1. Add Lars-Peter Clausen's reviewed-by tag.
> ---
>  drivers/dma/pl330.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c
> index 4a2caaa0432e..4839bfa74a10 100644
> --- a/drivers/dma/pl330.c
> +++ b/drivers/dma/pl330.c
> @@ -2777,8 +2777,10 @@ static int pl330_remove(struct amba_device *adev)
>  		list_del(&pch->chan.device_node);
>  
>  		/* Flush the channel */
> -		pl330_control(&pch->chan, DMA_TERMINATE_ALL, 0);
> -		pl330_free_chan_resources(&pch->chan);
> +		if (pch->thread) {
> +			pl330_control(&pch->chan, DMA_TERMINATE_ALL, 0);
> +			pl330_free_chan_resources(&pch->chan);
> +		}
>  	}
>  
>  	pl330_del(pl330);
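
Review bot: The new `if (pch->thread)` check in pl330_remove() covers only this caller, while the oops quoted in the commit message shows the NULL dereference happening inside _stop(), reached through pl330_control(). It is worth confirming that no other path can issue DMA_TERMINATE_ALL on a channel whose resources were never allocated, or placing the NULL check in pl330_control() instead so every caller is covered. The `/* Flush the channel */` comment now sits above a conditional without explaining it; extend it to say that `pch->thread` is NULL when pl330_alloc_chan_resources() was never called for the channel.
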
> -- 
> 1.9.1
> 
